A note on the concrete hardness of the shortest independent vector in lattices

https://doi.org/10.1016/j.ipl.2020.106065

Highlights

  • Approximating the shortest independent vectors for all $\ell_p$-norms within a constant factor is Gap-ETH-hard.

  • Computing the shortest independent vectors exactly is SETH-hard.

  • Reduction from GapCVP with bounded minima to SIVP for any $\ell_p$-norm for some constant approximation factor greater than 1.

Abstract

Blömer and Seifert [1] showed that $\mathrm{SIVP}_2$ is NP-hard to approximate by giving a reduction from $\mathrm{CVP}_2$ to $\mathrm{SIVP}_2$ for constant approximation factors, as long as the CVP instance has a certain property. In order to formally define this requirement on the CVP instance, we introduce a new computational problem called the Gap Closest Vector Problem with Bounded Minima. We adapt the proof of [1] to show a reduction from the Gap Closest Vector Problem with Bounded Minima to SIVP for any $\ell_p$ norm for some constant approximation factor greater than 1.

In a recent result, Bennett, Golovnev and Stephens-Davidowitz [2] showed that under Gap-ETH, there is no $2^{o(n)}$-time algorithm for approximating $\mathrm{CVP}_p$ up to some constant factor $\gamma \geq 1$ for any $1 \leq p \leq \infty$. We observe that the reduction in [2] can be viewed as a reduction from Gap-3-SAT to the Gap Closest Vector Problem with Bounded Minima. This, together with the above mentioned reduction, implies that, under Gap-ETH, there is no randomised $2^{o(n)}$-time algorithm for approximating $\mathrm{SIVP}_p$ up to some constant factor $\gamma \geq 1$ for any $1 \leq p \leq \infty$.

Introduction

A lattice $\mathcal{L} \subset \mathbb{R}^d$ is the set of integer linear combinations $\mathcal{L} := \mathcal{L}(B) = \{z_1 b_1 + \cdots + z_n b_n : z_i \in \mathbb{Z}\}$ of linearly independent basis vectors $B = (b_1, \ldots, b_n) \in \mathbb{R}^{d \times n}$. We call $n$ the rank of the lattice $\mathcal{L}$ and $d$ the dimension (or ambient dimension) of the lattice $\mathcal{L}$.

For $i = 1, \ldots, n$, the $i$th successive minimum, denoted by $\lambda_i(\mathcal{L})$, is the smallest length such that there are $i$ non-zero linearly independent lattice vectors of at most that length.

The Shortest Independent Vector Problem (SIVP) takes as input a basis for a lattice $\mathcal{L} \subset \mathbb{R}^d$ and $r > 0$, and asks us to decide whether the largest successive minimum is at most $r$, i.e., $\lambda_n(\mathcal{L}) \leq r$. Typically, we define length in terms of the $\ell_p$ norm for some $1 \leq p \leq \infty$, defined as $\|x\|_p := (|x_1|^p + |x_2|^p + \cdots + |x_d|^p)^{1/p}$ for finite $p$ and $\|x\|_\infty := \max |x_i|$. We will drop the subscript in $\|x\|_p$ when $p$ is clear from the context. We write $\mathrm{SIVP}_p$ for SIVP in the $\ell_p$ norm (and just SIVP when we do not wish to specify a norm).
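As an added example (not part of the paper), the following Python code makes the two definitions above concrete: it computes the successive minima $\lambda_1, \ldots, \lambda_n$ of a small lattice by enumerating lattice vectors shortest-first in the $\ell_p$ norm and then decides $\mathrm{SIVP}_p$. The two bases are constructed sample inputs, and the coefficient cut-off `bound` is an assumption that makes the enumeration exact only for such small examples.

```python
from fractions import Fraction
from itertools import product

# Constructed sample bases (rows are the basis vectors b_i), not from the paper.
GOOD_BASIS = [(1, 0), (0, 5)]    # 2nd..4th shortest vectors are multiples of b_1, so lambda_2 = 5
SKEWED_BASIS = [(1, 0), (3, 1)]  # long b_2, yet lambda_2 = 1 because (0, 1) = b_2 - 3 b_1 is in L

def lp_norm(x, p):
    """||x||_p as defined in the text; p = float('inf') gives max |x_i|."""
    if p == float("inf"):
        return max(abs(c) for c in x)
    return sum(abs(c) ** p for c in x) ** (1.0 / p)

def rank(vectors):
    """Rank of a list of integer vectors, by exact Gaussian elimination."""
    rows = [[Fraction(c) for c in v] for v in vectors]
    r = 0
    for c in range(len(rows[0])):
        piv = next((i for i in range(r, len(rows)) if rows[i][c] != 0), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        for i in range(len(rows)):
            if i != r and rows[i][c] != 0:
                f = rows[i][c] / rows[r][c]
                rows[i] = [a - f * b for a, b in zip(rows[i], rows[r])]
        r += 1
    return r

def successive_minima(basis, p, bound=4):
    """lambda_1..lambda_n of L(B): scan lattice vectors shortest-first, keeping each
    one that is linearly independent of those kept so far.  Assumed cut-off:
    coefficients z_i in [-bound, bound]; exact for the small samples above only."""
    n, d = len(basis), len(basis[0])
    vecs = []
    for z in product(range(-bound, bound + 1), repeat=n):
        v = tuple(sum(z[j] * basis[j][i] for j in range(n)) for i in range(d))
        if any(v):  # skip the zero vector
            vecs.append(v)
    vecs.sort(key=lambda v: lp_norm(v, p))
    chosen, minima = [], []
    for v in vecs:
        if rank(chosen + [v]) > len(chosen):  # independent of what we already hold
            chosen.append(v)
            minima.append(lp_norm(v, p))
    return minima

def sivp_decide(basis, p, r):
    """SIVP_p decision version from the text: is lambda_n(L) <= r ?"""
    return successive_minima(basis, p)[-1] <= r
```

The skewed basis shows why $\lambda_n$ is not simply the length of the longest basis vector: a short independent lattice vector can exist without being a basis vector.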

Starting with the breakthrough work of Lenstra, Lenstra, and Lovász in 1982 [3], algorithms for solving lattice problems in both their exact and approximate forms have found innumerable applications, including factoring polynomials over the rationals [3], integer programming [4], [5], [6], cryptanalysis [7], [8], [9], [10], etc. More recently, many cryptographic primitives have been constructed whose security is based on the (worst-case) hardness of SIVP or closely related lattice problems [11], [12], [13], [14], [15]. In particular, the (worst-case) hardness of SIVP for poly(n) approximation factors implies the existence of several fundamental cryptographic primitives like one-way functions, collision-resistant hash functions, etc. (see, for example, [16], [17]). Such lattice-based cryptographic constructions are likely to be used on massive scales (e.g., as part of the TLS protocol) in the not-too-distant future [18], [19], [20].

Blömer and Seifert [1] showed that SIVP is NP-hard to approximate for any constant approximation factor. While their result is shown only for the Euclidean norm, their proofs can easily be extended to arbitrary norms. As is true for many other lattice problems, SIVP is believed to be hard to approximate up to polynomial factors in $n$, the rank of the lattice. In particular, the best known algorithms for SIVP, even for poly(n) approximation factors, run in time exponential in $n$ [21], [22].

However, NP-hardness itself does not exclude the possibility of sub-exponential time algorithms since it merely shows that there does not exist a polynomial time algorithm unless P = NP.

To rule out such algorithms, we typically rely on a fine-grained complexity-theoretic hypothesis — such as the Strong Exponential Time Hypothesis (SETH), the Exponential Time Hypothesis (ETH), or the Gap-Exponential Time Hypothesis (Gap-ETH). These hypotheses were introduced in [23], and are by now quite standard in analyzing the concrete hardness of computational problems.

To that end, a few recent results have shown quantitative hardness for the Closest Vector Problem ($\mathrm{CVP}_p$) [2], [28] and the Shortest Vector Problem ($\mathrm{SVP}_p$) [24], which are closely related. In particular, assuming SETH, [2], [28] showed that there is no $2^{(1-\varepsilon)n}$-time algorithm for $\mathrm{CVP}_p$ or SVP for any $\varepsilon > 0$ and for $1 \leq p \leq \infty$ such that $p$ is not an even integer. Under ETH, [2] showed that there is no $2^{o(n)}$-time algorithm for $\mathrm{CVP}_p$ for any $1 \leq p \leq \infty$. Also, under Gap-ETH, [2] showed that there is no $2^{o(n)}$-time algorithm for approximating $\mathrm{CVP}_p$ up to some constant factor $\gamma \geq 1$ for any $1 \leq p \leq \infty$. Similar, but slightly weaker, results were obtained for $\mathrm{SVP}_p$ in [24].

Blömer and Seifert [1] showed that $\mathrm{SIVP}_2$ is NP-hard by giving a reduction from $\mathrm{CVP}_2$ to $\mathrm{SIVP}_2$. This reduction can easily be extended to all $\ell_p$ norms, and increases the rank of the lattice by 1. Thus, combined with the SETH hardness result from [2], [28], it implies the following observation.

Theorem 1

Under the SETH, there is no $2^{(1-\varepsilon)n}$-time algorithm for $\mathrm{SIVP}_p$ for any $\varepsilon > 0$ and for all $p \geq 1$ such that $p$ is not an even integer.

A closer look at their reduction reveals that it cannot be extended directly to showing NP-hardness of approximate SIVP (even though CVP is known to be NP-hard for almost polynomial approximation factors). The reason is that for the lattice $\mathcal{L}$, when given as part of a CVP instance, $\lambda_n(\mathcal{L})$ might be much larger than the distance of the target from the lattice, in which case an oracle for approximating SIVP up to a constant factor reveals nothing about the distance of the target from the lattice.

To overcome this difficulty, it was shown in [1] that the CVP instance obtained from a reduction from the minimum label cover problem has a guarantee that for the CVP instance $(\mathcal{L}, t)$, $\lambda_n(\mathcal{L})$ is “not much larger” than the distance of $t$ from $\mathcal{L}$.

We introduce a new computational problem called the Gap Closest Vector Problem with Bounded Minima ($\mathrm{GapCVP}^{\tau}$), which captures the above mentioned requirement on the CVP instance that $\lambda_n(\mathcal{L})$ has an upper bound depending on the parameter $\tau$. We observe that the reduction from Gap-3-SAT to GapCVP in [2] (which implies hardness of GapCVP) is actually a reduction from Gap-3-SAT to $\mathrm{GapCVP}^{\tau}$ for an appropriate choice of $\tau$. We then show a reduction similar to [1] from $\mathrm{GapCVP}^{\tau}$ to SIVP, which implies the following result.

Theorem 2

Under the (randomised) Gap Exponential Time Hypothesis, for any $p \geq 1$, there exist $\gamma > 1$ and $\varepsilon > 0$ such that $\gamma$-$\mathrm{SIVP}_p$ with rank $n$ is not solvable in $2^{\varepsilon n}$ time.

Section snippets

Lattices

Let $\mathbb{R}^n$ be a real vector space with an $\ell_p$-norm on the vectors such that $\forall v \in \mathbb{R}^n$, $\|v\|_p^p := \sum_{i=1}^{n} |v_i|^p$.

A lattice $\mathcal{L} \subset \mathbb{R}^d$ is the set of integer linear combinations $\mathcal{L} := \mathcal{L}(B) = \{z_1 b_1 + \cdots + z_n b_n : z_i \in \mathbb{Z}\}$ of linearly independent basis vectors $B = (b_1, \ldots, b_n) \in \mathbb{R}^{d \times n}$. We call $B$ a basis of the lattice $\mathcal{L}$, $n$ the rank of the lattice, and $d$ the dimension of the lattice $\mathcal{L}$. If $n = d$, then we say that the lattice is full-rank.

Since we wish to have inputs of bounded size, we assume that the coordinates of lattice vectors are

Gap-ETH-hardness of approximating $\mathrm{CVP}_p$ with Bounded Minima

In the following, we show that the reduction from [2] is in fact a reduction from Gap-2-SAT to $\mathrm{GapCVP}_p^{\tau}$.

Theorem 6

[2]

There exists a reduction from $(\delta, \varepsilon)$-Gap-2-SAT with $n$ variables and $m$ clauses to $\gamma$-$\mathrm{GapCVP}_p^{\tau}$ for any $\ell_p$-norm, so that the rank of the lattice in the resulting instance is the same as the number of variables in the original instance,
$$\gamma = \left(\frac{\delta + (1-\delta)\,3^p}{\varepsilon + (1-\varepsilon)\,3^p}\right)^{1/p}, \quad \text{and} \quad \tau = \frac{2^p}{\varepsilon + (1-\varepsilon)\,3^p}.$$

Proof

We will provide their construction of the $\gamma$-GapCVP instance, and show that it is actually a $\gamma$-$\mathrm{GapCVP}_p^{\tau}$ instance. The target

Gap-ETH-hardness of approximating $\mathrm{SIVP}_p$ within a constant factor

We now present our main contribution, that is, showing hardness of approximating $\gamma$-$\mathrm{SIVP}_p$ within a constant factor $\gamma$.

Theorem 7

For any $p \geq 1$, $\tau = \tau(n) > 0$ with a polynomial size representation, and any $\gamma \geq 1$, there exists an efficient reduction from $\gamma$-$\mathrm{GapCVP}_p^{\tau}$ to $\gamma'$-$\mathrm{GapSIVP}_p$ for any $\gamma' \geq 1$ such that
$$\gamma'^{\,p} < \frac{r^p + \gamma^p \alpha^p}{r^p + \alpha^p}, \quad \text{where} \quad \alpha^p = \max\!\left(r^p(\tau - 1),\ \frac{\gamma^p r^p}{2^{p-1}}\right).$$
Moreover, the rank of the lattice in the $\gamma'$-$\mathrm{GapSIVP}_p$ instance is equal to $n + 1$, where $n$ is the rank of the $\gamma$-$\mathrm{GapCVP}_p^{\tau}$ instance.

Proof

Let $(\mathcal{L}, t, r)$ denote the given $\gamma$-$\mathrm{GapCVP}_p^{\tau}$ instance,

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

References (28)

  • R. Impagliazzo et al., On the complexity of k-SAT, J. Comput. Syst. Sci. (2001)
  • M. Garey et al., Some simplified NP-complete graph problems, Theor. Comput. Sci. (1976)
  • J. Blömer et al., On the complexity of computing short linearly independent vectors and short bases in a lattice
  • H. Bennett et al., On the quantitative hardness of CVP
  • A.K. Lenstra et al., Factoring polynomials with rational coefficients, Math. Ann. (1982)
  • H.W. Lenstra, Integer programming with a fixed number of variables, Math. Oper. Res. (1983)
  • R. Kannan, Minkowski's convex body theorem and integer programming, Math. Oper. Res. (1987)
  • D. Dadush et al., Enumerative lattice algorithms in any norm via M-ellipsoid coverings
  • A. Shamir, A polynomial-time algorithm for breaking the basic Merkle-Hellman cryptosystem, IEEE Trans. Inf. Theory (1984)
  • A.M. Odlyzko, The rise and fall of knapsack cryptosystems
  • A. Joux et al., Lattice reduction: a toolbox for the cryptanalyst, J. Cryptol. (1998)
  • P.Q. Nguyen et al., The two faces of lattices in cryptology
  • M. Ajtai, Generating hard instances of lattice problems
  • O. Regev, On lattices, learning with errors, random linear codes, and cryptography, J. ACM (2009)