A note on the concrete hardness of the shortest independent vector in lattices
Introduction
A lattice is the set of integer linear combinations of linearly independent basis vectors . We call n the rank of the lattice and d the dimension or the ambient dimension of the lattice .
For , the ith successive minimum, denoted by , is the smallest ℓ such that there are i non-zero linearly independent lattice vectors that have length at most ℓ.
The Shortest Independent Vector Problem () takes as input a basis for a lattice and and asks us to decide whether the largest successive minima is at most r, i.e., . Typically, we define length in terms of the norm for some , defined as for finite p and We will drop the subscript in , when p is clear from the context. We write for in the norm (and just when we do not wish to specify a norm).
Starting with the breakthrough work of Lenstra, Lenstra, and Lovász in 1982 [3], algorithms for solving lattice problems, in both their exact and approximate forms, have found innumerable applications, including factoring polynomials over the rationals [3], integer programming [4], [5], [6], cryptanalysis [7], [8], [9], [10], etc. More recently, many cryptographic primitives have been constructed whose security is based on the (worst-case) hardness of or closely related lattice problems [11], [12], [13], [14], [15]. In particular, the (worst-case) hardness of for approximation factors implies the existence of several fundamental cryptographic primitives such as one-way functions and collision-resistant hash functions (see, for example, [16], [17]). Such lattice-based cryptographic constructions are likely to be used on a massive scale (e.g., as part of the TLS protocol) in the not-too-distant future [18], [19], [20].
Blömer and Seifert [1] showed that is NP-hard to approximate for any constant approximation factor. While their result is shown only for the Euclidean norm, their proofs can easily be extended to arbitrary norms. As is true for many other lattice problems, is believed to be hard to approximate up to polynomial factors in n, the rank of the lattice. In particular, the best known algorithms for , even for approximation factors run in time exponential in n [21], [22].
However, NP-hardness itself does not exclude the possibility of sub-exponential time algorithms since it merely shows that there does not exist a polynomial time algorithm unless P = NP.
To rule out such algorithms, we typically rely on a fine-grained complexity-theoretic hypothesis — such as the Strong Exponential Time Hypothesis (SETH), the Exponential Time Hypothesis (ETH), or the Gap-Exponential Time Hypothesis (Gap-ETH). These hypotheses were introduced in [23], and are by now quite standard in analyzing the concrete hardness of computational problems.
To that end, a few recent results have shown quantitative hardness for the Closest Vector Problem () [2], [28], and the Shortest Vector Problem () [24] which are closely related. In particular, assuming SETH, [2], [28] showed that there is no -time algorithm for or for any and for such that p is not an even integer. Under ETH, [2] showed that there is no -time algorithm for for any . Also, under Gap-ETH, [2] showed that there is no -time algorithm for approximating up to some constant factor for any . Similar, but slightly weaker, results were obtained for in [24].
Blömer and Seifert [1] showed that is NP-hard by giving a reduction from to . This reduction can easily be extended to all norms, and increases the rank of the lattice by 1. Thus, combined with the SETH hardness result from [2], [28], it implies the following observation.
Theorem 1. Under the SETH, there is no -time algorithm for for any and for all such that p is not an even integer.
A closer look at their reduction reveals that it cannot be extended directly to show NP-hardness of approximate (even though is known to be NP-hard for almost-polynomial approximation factors). The reason is that for the lattice , when given as part of a instance, may be much larger than the distance of the target from the lattice, in which case an oracle that approximates up to a constant factor tells us nothing about the distance of the target from the lattice.
To overcome this difficulty, it was shown in [1] that the instance obtained from a reduction from the minimum label cover problem has a guarantee that for the CVP instance , is “not much larger” than the distance of t from .
We introduce a new computational problem called the Gap Closest Vector Problem with Bounded Minima (), which captures the above-mentioned requirement on the CVP instance, namely that has an upper bound depending on the parameter τ. We observe that the reduction from to in [2] (which implies hardness of ) is actually a reduction from to for an appropriate choice of τ. We then give a reduction similar to that of [1] from to , which implies the following result.
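The following is an added illustration, not code from the paper, of the two quantities the discussion above turns on: the successive minima (and hence the SIVP decision λ_n ≤ r) of a small lattice under different ℓ_p norms, and the ratio λ_n(L) / dist_p(t, L) that the bounded-minima variant of CVP constrains. Everything is computed by brute-force enumeration of integer coefficient vectors in a box [-K, K]^n; the bound K, the rank-2 basis B = {(2,0), (1,2)} and the targets are constructed for the example, and K is assumed large enough for that lattice (it is, but for a general basis this assumption must be checked).

```python
"""Brute-force successive minima, SIVP_p decision and CVP_p distance for
small integer lattices in the l_p norm.  Added illustration, not the
paper's code.  The enumeration box bound K is an assumption: it must be
large enough for the lattice at hand (it is for the rank-2 examples here)."""
from fractions import Fraction
from itertools import product
import math


def lp_norm(v, p):
    """l_p norm of v; p = math.inf gives the max norm."""
    if p == math.inf:
        return max(abs(x) for x in v)
    return sum(abs(x) ** p for x in v) ** (1.0 / p)


def rank(vectors):
    """Exact rank over Q by Gaussian elimination with Fraction arithmetic."""
    rows = [[Fraction(x) for x in v] for v in vectors]
    r = 0
    for c in range(len(rows[0])):
        pivot = next((i for i in range(r, len(rows)) if rows[i][c] != 0), None)
        if pivot is None:
            continue
        rows[r], rows[pivot] = rows[pivot], rows[r]
        for i in range(len(rows)):
            if i != r and rows[i][c] != 0:
                f = rows[i][c] / rows[r][c]
                rows[i] = [a - f * b for a, b in zip(rows[i], rows[r])]
        r += 1
    return r


def lattice_points(basis, K):
    """All integer combinations sum z_i b_i with |z_i| <= K (constructed box)."""
    n, d = len(basis), len(basis[0])
    for z in product(range(-K, K + 1), repeat=n):
        yield tuple(sum(z[i] * basis[i][j] for i in range(n)) for j in range(d))


def successive_minima(basis, p, K=5):
    """Return [lambda_1, ..., lambda_n] for the lattice spanned by basis.
    Greedy by length: repeatedly take the shortest lattice vector that is
    linearly independent of those already chosen.  This is exact, because
    if the i-th chosen vector were longer than lambda_i, the i independent
    vectors of length <= lambda_i could not all lie in the (i-1)-dimensional
    span of the earlier choices, contradicting the greedy choice."""
    n = len(basis)
    pts = sorted((v for v in lattice_points(basis, K) if any(v)),
                 key=lambda v: lp_norm(v, p))
    chosen, minima = [], []
    for v in pts:
        if rank(chosen + [v]) == len(chosen) + 1:
            chosen.append(v)
            minima.append(lp_norm(v, p))
            if len(chosen) == n:
                break
    return minima


def sivp_decide(basis, r, p, K=5):
    """SIVP_p decision: is lambda_n(L) <= r?  (small tolerance for floats)"""
    return successive_minima(basis, p, K)[-1] <= r + 1e-12


def cvp_distance(basis, t, p, K=5):
    """dist_p(t, L), again by enumerating the coefficient box."""
    return min(lp_norm([a - b for a, b in zip(v, t)], p)
               for v in lattice_points(basis, K))


def minima_to_distance_ratio(basis, t, p, K=5):
    """lambda_n(L) / dist_p(t, L).  A constant-factor SIVP oracle only says
    something about dist(t, L) when this ratio is itself bounded, which is
    exactly what the bounded-minima variant of CVP demands."""
    return successive_minima(basis, p, K)[-1] / cvp_distance(basis, t, p, K)


if __name__ == "__main__":
    B = [(2, 0), (1, 2)]  # constructed rank-2 example basis
    for p in (1, 2, math.inf):
        print("p =", p, "successive minima:", successive_minima(B, p))
    print("SIVP_2(B, r=2.5):", sivp_decide(B, 2.5, 2))
    print("lambda_2 / dist_2(t, L) for t=(0.5, 0):",
          minima_to_distance_ratio(B, (0.5, 0), 2))
```

For B = {(2,0), (1,2)} the lattice is {(2z1 + z2, 2z2)}, so λ_1 = 2 in every ℓ_p norm, while λ_2 is 3, √5 and 2 in the ℓ_1, ℓ_2 and ℓ_∞ norms respectively; the norm matters for the decision problem. For the target t = (0.5, 0) the closest lattice point is the origin at distance 0.5, so λ_2 / dist_2(t, L) = 2√5 ≈ 4.47.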
Theorem 2 Under the (randomised) Gap Exponential Time Hypothesis, for any , there exists , such that - with rank n is not solvable in time.
Lattices
Let be a real vector space, with an -norm on the vectors such that .
A lattice is the set of integer linear combinations of linearly independent basis vectors . We call B a basis of the lattice , n the rank of the lattice, and d the dimension of the lattice . If , then we say that the lattice is full-rank.
Since we wish to have inputs of bounded size, we assume that the coordinates of lattice vectors are
Gap-ETH-hardness of approximating CVPp with Bounded Minima
In the following, we show that the reduction from [2] is in fact a reduction from to .
Theorem 6. There exists a reduction from - with n variables and m clauses to γ- for any p-norm, so that the rank of the lattice in the resulting instance is the same as the number of variables in the original instance, and
Proof. We will provide their construction of the γ- instance, and show that it is actually a γ- instance. The target [2]
Gap-ETH-hardness of approximating SIVPp within a constant factor
We now present our main contribution, that is showing hardness of approximating γ- within a constant factor γ.
Theorem 7. For any , with a polynomial size representation, and any , there exists an efficient reduction from γ- to - for any such that where Moreover, the rank of the lattice in the - instance is equal to where n is the rank of the γ- instance.
Proof. Let denote the given γ- instance,
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
References
- et al., On the complexity of k-SAT, J. Comput. Syst. Sci. (2001)
- et al., Some simplified NP-complete graph problems, Theor. Comput. Sci. (1976)
- et al., On the complexity of computing short linearly independent vectors and short bases in a lattice
- et al., On the quantitative hardness of CVP
- et al., Factoring polynomials with rational coefficients, Math. Ann. (1982)
- Integer programming with a fixed number of variables, Math. Oper. Res. (1983)
- Minkowski's convex body theorem and integer programming, Math. Oper. Res. (1987)
- et al., Enumerative lattice algorithms in any norm via M-ellipsoid coverings
- A polynomial-time algorithm for breaking the basic Merkle-Hellman cryptosystem, IEEE Trans. Inf. Theory (1984)
- The rise and fall of knapsack cryptosystems
- Lattice reduction: a toolbox for the cryptanalyst, J. Cryptol.
- The two faces of lattices in cryptology
- Generating hard instances of lattice problems
- On lattices, learning with errors, random linear codes, and cryptography, J. ACM