A Note on the Concrete Hardness of the Shortest Independent Vectors Problem in Lattices

Divesh Aggarwal* and Eldon Chung†

May 26, 2020
Abstract

Blömer and Seifert [BS99] showed that SIVP is NP-hard to approximate by giving a reduction from CVP to SIVP for constant approximation factors, as long as the CVP instance has a certain property. In order to formally define this requirement on the CVP instance, we introduce a new computational problem called the Gap Closest Vector Problem with Bounded Minima. We adapt the proof of [BS99] to show a reduction from the Gap Closest Vector Problem with Bounded Minima to SIVP for any $\ell_p$ norm, for some constant approximation factor greater than 1. In a recent result, Bennett, Golovnev and Stephens-Davidowitz [BGS17] showed that under Gap-ETH there is no $2^{o(n)}$-time algorithm for approximating $\mathrm{CVP}_p$ up to some constant factor $\gamma \ge 1$, for $1 \le p \le \infty$. We observe that the reduction in [BGS17] can be viewed as a reduction from Gap - - SAT to the Gap Closest Vector Problem with Bounded Minima. This, together with the above-mentioned reduction, implies that under Gap-ETH there is no $2^{o(n)}$-time algorithm for approximating $\mathrm{SIVP}_p$ up to some constant factor $\gamma \ge 1$, for $1 \le p \le \infty$.

A lattice $L$ is the set of all integer combinations of linearly independent basis vectors $b_1, \dots, b_n \in \mathbb{R}^d$,

$$L = L(b_1, \dots, b_n) := \Big\{ \sum_{i=1}^{n} z_i b_i : z_i \in \mathbb{Z} \Big\}.$$

We call $n$ the rank of the lattice $L$ and $d$ the dimension (or ambient dimension) of the lattice $L$. For $i = 1, \dots, n$, the $i$-th successive minimum, denoted by $\lambda_i(L)$, is the smallest $\ell$ such that there are $i$ linearly independent lattice vectors of length at most $\ell$. The Shortest Independent Vectors Problem (SIVP) takes as input a basis for a lattice $L \subset \mathbb{R}^d$ and $r > r$, i.e., $\lambda_n(L) \le r$. Typically, we define length in terms of the $\ell_p$ norm for some $1 \le p \le \infty$, defined as $\|\vec{x}\|_p := (|x_1|^p + |x_2|^p + \cdots + |x_d|^p)^{1/p}$ for finite $p$ and $\|\vec{x}\|_\infty := \max_i |x_i|$.

* Department of Computer Science and Centre for Quantum Technologies, NUS. Email: [email protected].
† Department of Computer Science, NUS. Email: [email protected].
In particular, the $\ell_2$ norm is the familiar Euclidean norm, and it is the most interesting case from our perspective. We write $\mathrm{SIVP}_p$ for SIVP in the $\ell_p$ norm (and just SIVP when we do not wish to specify a norm).

Starting with the breakthrough work of Lenstra, Lenstra, and Lovász in 1982 [LLL82], algorithms for solving lattice problems in both their exact and approximate forms have found innumerable applications, including factoring polynomials over the rationals [LLL82], integer programming [Len83, Kan87, DPV11], cryptanalysis [Sha84, Odl90, JS98, NS01], etc. More recently, many cryptographic primitives have been constructed whose security is based on the (worst-case) hardness of SIVP or closely related lattice problems [Ajt04, Reg09, GPV08, Pei10, Pei16]. In particular, the (worst-case) hardness of SIVP for $\mathrm{poly}(n)$ approximation factors implies the existence of several fundamental cryptographic primitives like one-way functions, collision-resistant hash functions, etc. (see, for example, [GGH96, Ajt98]). Such lattice-based cryptographic constructions are likely to be used on massive scales (e.g., as part of the TLS protocol) in the not-too-distant future [ADPS16, BCD+16, NIS].

Blömer and Seifert [BS99] showed that SIVP is NP-hard to approximate for any constant approximation factor. While their result is shown only for the Euclidean norm, their proofs can easily be extended to arbitrary norms. As is true for many other lattice problems, SIVP is believed to be hard to approximate up to factors polynomial in $n$, the rank of the lattice. In particular, the best known algorithms for SIVP, even for $\mathrm{poly}(n)$ approximation factors, run in time exponential in $n$ [ADRS15, ADS15].

However, NP-hardness itself does not exclude the possibility of sub-exponential time algorithms, since it merely shows that there does not exist a polynomial time algorithm unless P = NP. To rule out such algorithms, we typically rely on a fine-grained complexity-theoretic hypothesis, such as the Strong Exponential Time Hypothesis (SETH), the Exponential Time Hypothesis (ETH), or the Gap-Exponential Time Hypothesis (Gap-ETH). To that end, a few recent results showed quantitative hardness results for the Closest Vector Problem ($\mathrm{CVP}_p$) [BGS17] and the Shortest Vector Problem ($\mathrm{SVP}_p$) [AS18], which are closely related problems. In particular, assuming SETH, [BGS17] showed that there is no $2^{(1-\varepsilon)n}$-time algorithm for $\mathrm{CVP}_p$ or $\mathrm{SVP}_\infty$ for any $\varepsilon > 0$ and $1 \le p \le \infty$ (not including $p = 2$). Under ETH, [BGS17] showed that there is no $2^{o(n)}$-time algorithm for $\mathrm{CVP}_p$ for any $1 \le p \le \infty$. Under Gap-ETH, [BGS17] showed that there is no $2^{o(n)}$-time algorithm for approximating $\mathrm{CVP}_p$ up to some constant factor $\gamma \ge 1$, for $1 \le p \le \infty$. Similar, but slightly weaker, results were obtained for $\mathrm{SVP}_p$ in [AS18].

Blömer and Seifert [BS99] showed that SIVP is NP-hard by giving a reduction from CVP to SIVP. This reduction can easily be extended to all $\ell_p$ norms, and increases the rank of the lattice by 1. Thus, combined with the SETH hardness result from [BGS17], it implies the following.

Theorem 1. Under the SETH, there is no $2^{(1-\varepsilon)n}$-time algorithm for $\mathrm{SIVP}_p$ for any $\varepsilon > 0$ and for all but finitely many values of $p$ in $[1, \infty)$. Furthermore, under randomized ETH, there is no $2^{o(n)}$-time algorithm for $\mathrm{SIVP}_p$ for any $1 \le p \le \infty$. Note that the latter result is due to [BGS17].

A closer look at their reduction reveals that it cannot be extended to showing NP-hardness of approximate SIVP directly (even though CVP is known to be NP-hard for almost polynomial approximation factors): for the lattice $L$ given as part of a CVP instance, $\lambda_n(L)$ might be much larger than the distance of the target from the lattice, in which case an oracle for approximating SIVP up to a constant factor tells us nothing about the distance of the target from the lattice.

To overcome this difficulty, in [BS99] the CVP instance obtained from a reduction from the minimum label cover problem has the guarantee that, for the CVP instance $(L, t)$, $\lambda_n(L)$ is "not much larger" than the distance of $t$ from $L$.

We introduce a new computational problem called the Gap Closest Vector Problem with Bounded Minima ($\mathrm{GapCVP}^\tau$), which captures the above-mentioned requirement on the CVP instance: that $\lambda_n(L)$ has an upper bound depending on the parameter $\tau$. We observe that the reduction from Gap - - SAT to GapCVP in [BGS17] (which implies hardness of approximate CVP) is actually a reduction from Gap - - SAT to $\mathrm{GapCVP}^\tau$ for an appropriate choice of $\tau$. We then show a reduction similar to [BS99] from $\mathrm{GapCVP}^\tau$ to SIVP, which implies the following result.

Theorem 2. Under the (randomised) Gap Exponential Time Hypothesis, for any $p \ge 1$ there exist $\gamma' > 1$ and $\varepsilon > 0$ such that $\gamma'$-$\mathrm{SIVP}_p$ with rank $n$ is not solvable in $2^{\varepsilon n}$ time.

Lattices
Let $\mathbb{R}^n$ be a real vector space with an $\ell_p$-norm on the vectors, so that for $v \in \mathbb{R}^n$, $\|v\|_p^p := \sum_{i=1}^{n} |v_i|^p$. Then a lattice $L$ is defined as the set of all integer linear combinations of a finite set $B = \{b_1, b_2, \dots, b_n\}$ of linearly independent vectors in $\mathbb{R}^n$:

$$L = \Big\{ \sum_{i=1}^{n} c_i \cdot b_i \;\Big|\; c_i \in \mathbb{Z} \Big\}.$$

We will then call such a set $B$ the basis of the lattice. Note that the subspace spanned by $B$ (whose dimension is called the rank of the lattice) is a subspace of the space from which the basis vectors are taken. Thus the rank of the lattice may be less than the dimension of the lattice. Cases where the rank of the lattice equals the dimension of the lattice are referred to as full-rank lattices. Since we wish to have inputs of bounded size, we can assume that an $n$-dimensional lattice $L$ is generated by basis vectors from $\mathbb{Q}^n$. Additionally, these can be scaled to integral values. Thus we may assume that lattices are generated by vectors from $\mathbb{Z}^n$.

Successive Minima

Denoted by $\lambda_i(L)$, the $i$-th successive minimum is the minimum length such that there are exactly $i$ linearly independent lattice vectors of at most this length. Minkowski's second theorem states the following with regard to the successive minima:

Theorem 3. For any full-rank lattice $L$ we have that

$$\Big(\prod_{i=1}^{n} \lambda_i(L)\Big)^{1/n} \le \sqrt{n}\,\big(\det(L)\big)^{1/n}.$$

Computational problems

Gap-Closest Vector Problem ($\gamma$-$\mathrm{GapCVP}_p$): Given a lattice $L$, a target vector $t \in \mathbb{Z}^n$ (which may or may not be in the lattice) and a value $d$, output YES if there exists a vector $v$ in the lattice such that $\|v - t\|_p \le d$ (i.e., the closest lattice vector to $t$ is at distance at most $d$ from the target), and output NO if all the vectors in the lattice are at distance greater than $\gamma \cdot d$ from the target.

Gap-Closest Vector Problem with Bounded Minima ($\gamma$-$\mathrm{GapCVP}^\tau_p$): Given a lattice $L$, a target vector $t \in \mathbb{Z}^n$ (which may or may not be in the lattice), and a value $d$, output YES if there exists a vector $v$ in the lattice such that $\|v - t\|_p \le d$ (i.e., the closest lattice vector to $t$ is at distance at most $d$ from the target), and output NO if all the vectors in the lattice are at distance greater than $\gamma \cdot d$ from the target, with the added guarantee that there exists a $\tau > 0$ with $\lambda_n(L)^p \le \tau d^p$. Note that the bound on the minima holds for both the YES and NO instances.

Gap-Shortest Independent Vector Problem ($\gamma$-$\mathrm{SIVP}_p$): Given a lattice $L$ and a value $d$, output YES if there exists a set of linearly independent vectors $\{b_1, b_2, \dots, b_n\}$ in $L$ such that the longest vector in the set has length less than $d$, and output NO if all such sets have a vector of length greater than $\gamma \cdot d$.

For the above gap problems, the non-gap variants are the exact cases where $\gamma = 1$, and thus the $\gamma$-prefix will be omitted.

$k$-SAT: Given a boolean formula in conjunctive normal form over $n$ variables, i.e., a conjunction of $m$ clauses where each clause is a disjunction of $k$ literals, decide if there is an assignment (of either true or false) to the variables such that the boolean formula evaluates to true.

$(\delta, \varepsilon)$-Gap-$k$-SAT: Given a boolean formula in conjunctive normal form and two constants $0 \le \delta < \varepsilon \le 1$, output YES if there exists an assignment satisfying at least an $\varepsilon$ fraction of the clauses, and output NO if every assignment satisfies at most a $\delta$ fraction of the clauses. For convenience, the $(\delta, \varepsilon)$-prefix may be omitted when unnecessary.

[IP01] introduced the conjectures that we use as the main assumptions for deriving our hardness results.

Definition 1 (Exponential Time Hypothesis). The Exponential Time Hypothesis (ETH) states that for every $k \ge 3$ there exists a constant $\varepsilon > 0$ such that no algorithm solves $k$-SAT formulas with $n$ variables in $2^{\varepsilon n}$ deterministic time.

Definition 2 (Strong Exponential Time Hypothesis). The Strong Exponential Time Hypothesis (SETH) states that for all $\varepsilon > 0$ there exists a $k \ge 3$ such that no algorithm solves $k$-SAT formulas with $n$ variables in $2^{(1-\varepsilon)n}$ deterministic time.

Additionally, [Din16] and [MR17] introduced an equivalent version for Gap-$k$-SAT.

Definition 3 (Gap Exponential Time Hypothesis). There exist constants $\delta < 1$ and $\varepsilon > 0$ such that no algorithm solves $(\delta, 1)$-Gap - - SAT instances with $n$ variables in $2^{\varepsilon n}$ deterministic time.

The above formulation is from [BGS17].
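As an added illustration of the definitions above (this is my own code, not code from the paper), the following Python computes successive minima $\lambda_i(L)$ and the distance $\mathrm{dist}_p(L, t)$ by exhaustive search over a bounded box of integer coefficients, decides $\gamma$-$\mathrm{GapCVP}^\tau_p$ (including its promise on $\lambda_n$) and $\gamma$-$\mathrm{SIVP}_p$ on tiny constructed instances, and builds the padded basis $[\,b_1 \cdots b_n\ t\,;\ 0 \cdots 0\ r\,]$ that the paper's $\mathrm{GapCVP}^\tau \to \mathrm{SIVP}$ reduction (Theorem 9 below) uses, with $r^p = \gamma^p d^p/(2^p - 1)$ as my reading of the paper's final choice of $r$. The lattices, targets and the enumeration box size are constructed here for illustration.

```python
# Added example (not from the paper): brute-force lattice tools for the
# definitions above, plus the padded SIVP basis of Theorem 9.
from itertools import product
from math import inf


def lp_norm(v, p):
    """l_p length of a vector; p = inf gives the max norm."""
    if p == inf:
        return max(abs(x) for x in v)
    return sum(abs(x) ** p for x in v) ** (1.0 / p)


def rank(vectors, eps=1e-9):
    """Rank of a list of real vectors by Gaussian elimination (tolerance eps)."""
    m = [list(map(float, v)) for v in vectors]
    r = 0
    for col in range(len(m[0]) if m else 0):
        piv = next((i for i in range(r, len(m)) if abs(m[i][col]) > eps), None)
        if piv is None:
            continue
        m[r], m[piv] = m[piv], m[r]
        for i in range(len(m)):
            if i != r and abs(m[i][col]) > eps:
                f = m[i][col] / m[r][col]
                m[i] = [a - f * b for a, b in zip(m[i], m[r])]
        r += 1
    return r


def lattice_vectors(basis, box):
    """Integer combinations of the basis (a list of column vectors) with all
    coefficients in [-box, box]; exhaustive, so only for tiny lattices."""
    for coeffs in product(range(-box, box + 1), repeat=len(basis)):
        yield [sum(c * b[k] for c, b in zip(coeffs, basis)) for k in range(len(basis[0]))]


def successive_minima(basis, p, box=4):
    """lambda_1(L), ..., lambda_n(L): scan nonzero lattice vectors in order of
    length and keep each one that is independent of those kept so far; the
    k-th kept vector then has length exactly lambda_k (within the box)."""
    vecs = [v for v in lattice_vectors(basis, box) if any(abs(x) > 1e-12 for x in v)]
    vecs.sort(key=lambda v: lp_norm(v, p))
    kept, minima = [], []
    for v in vecs:
        if rank(kept + [v]) > len(kept):
            kept.append(v)
            minima.append(lp_norm(v, p))
            if len(kept) == len(basis):
                break
    return minima


def distance(basis, target, p, box=4):
    """dist_p(L, t) by exhaustive search."""
    return min(lp_norm([x - y for x, y in zip(v, target)], p)
               for v in lattice_vectors(basis, box))


def gap_cvp_bounded_minima(basis, target, d, gamma, tau, p):
    """Decide gamma-GapCVP^tau_p: 'YES', 'NO', or None when the promise is
    violated (distance inside the gap, or lambda_n^p > tau d^p)."""
    if successive_minima(basis, p)[-1] ** p > tau * d ** p + 1e-9:
        return None
    dist = distance(basis, target, p)
    if dist <= d:
        return "YES"
    if dist > gamma * d:
        return "NO"
    return None


def gap_sivp(basis, d, gamma, p):
    """Decide gamma-SIVP_p through lambda_n: YES if lambda_n < d, NO if > gamma d."""
    lam_n = successive_minima(basis, p)[-1]
    if lam_n < d:
        return "YES"
    if lam_n > gamma * d:
        return "NO"
    return None


def choose_r(gamma, d, p):
    """r^p = gamma^p d^p / (2^p - 1) (my reading of the paper's final choice):
    the value at which the NO-case bounds (gamma d)^p + r^p and (2r)^p coincide."""
    return (gamma ** p * d ** p / (2 ** p - 1)) ** (1.0 / p)


def sivp_basis(basis, target, r):
    """Padded basis [b_1 ... b_n t ; 0 ... 0 r] of the lattice L' in Theorem 9."""
    return [list(b) + [0] for b in basis] + [list(target) + [r]]


if __name__ == "__main__":
    # Constructed instance: columns (2,0) and (1,3); lambda = (2, sqrt(10)) in l_2.
    print(successive_minima([[2, 0], [1, 3]], 2))
```

On the constructed rank-1 instance with basis $(4)$, target $1$, $d = 1$ and $\gamma = 2$ (a YES instance, since the distance is 1), the padded lattice has $\lambda'_2{}^2 = 28/3$, within the YES bound $\max(d^p\tau,\, d^p + r^p)$; with target $2$ and $d = 1/2$ (a NO instance, distance $2 > \gamma d$) it has $\lambda'_2{}^2 = 13/3$, above the NO bound $\min((\gamma d)^p + r^p,\, (2r)^p) = 4/3$. The `box` argument must be large enough to contain the short vectors; the greedy scan is exact only inside that box.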
Related Results

The main result that has led to subsequent hardness proofs for other lattice problems was derived by [BGS17] through the construction of isolating parallelepipeds, which encode assignments of Gap-$k$-SAT instances as choices of lattice vectors such that each clause contributes the same distance regardless of how many of its literals are satisfied, as long as at least one of them is, whereas an unsatisfied clause contributes a much greater distance.
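To make the isolating property concrete, here is an added Python example (my own code, not code from [BGS17] or from this paper) that builds a clause-row/target encoding for clauses of two literals and checks by brute force over all assignments that every satisfied clause contributes exactly 1 and every unsatisfied clause exactly 3 to the $p$-th power of the distance, for any $p$. The conventions are assumptions of this example: an assignment is a 0/1 coefficient vector, a positive literal contributes $+2$ and a negated one $-2$ to the clause's row, and the target entry is $3 - 2\eta_i$ with $\eta_i$ the number of negated literals in clause $i$. The last two functions evaluate the $d^p$ and $\gamma$ expressions stated later in the text (Theorem 5), with the number of clauses $m$ made explicit.

```python
# Added example (not from [BGS17] or this paper): a two-literal clause gadget
# with the isolating property, checked over all assignments.
from itertools import product


def clause_row(clause, n_vars):
    """Row for one clause: +2 for a positive literal, -2 for a negated one
    (assumed convention). A literal is a pair (variable index, negated?)."""
    row = [0] * n_vars
    for var, neg in clause:
        row[var] = -2 if neg else 2
    return row


def clause_target(clause):
    """Target entry 3 - 2*eta, eta = number of negated literals (assumed)."""
    eta = sum(1 for _, neg in clause if neg)
    return 3 - 2 * eta


def encode(clauses, n_vars):
    """Rows and target for a whole formula: rows index clauses, columns index
    variables, i.e. the (B, t) of a CVP instance built from the gadget."""
    return [clause_row(c, n_vars) for c in clauses], [clause_target(c) for c in clauses]


def satisfied(clause, assignment):
    """A literal (var, neg) is true when assignment[var] disagrees with neg."""
    return any(assignment[var] != neg for var, neg in clause)


def clause_distance(clause, assignment, n_vars):
    """|row . z - t| for the 0/1 coefficient vector z of the assignment."""
    row, t = clause_row(clause, n_vars), clause_target(clause)
    return abs(sum(r * z for r, z in zip(row, assignment)) - t)


def is_isolating(clause, n_vars):
    """True iff every satisfying assignment gives distance 1 and every
    falsifying one gives distance 3, the property described in the text."""
    for z in product((0, 1), repeat=n_vars):
        want = 1 if satisfied(clause, z) else 3
        if clause_distance(clause, z, n_vars) != want:
            return False
    return True


def distance_p(clauses, assignment, n_vars, p):
    """p-th power of the l_p distance between B z and t: #sat * 1 + #unsat * 3^p."""
    return sum(clause_distance(c, assignment, n_vars) ** p for c in clauses)


def yes_radius_p(m, eps, p):
    """d^p = m * (eps + (1 - eps) 3^p): distance^p when an eps fraction of the
    m clauses is satisfied."""
    return m * (eps + (1 - eps) * 3 ** p)


def gap_factor(delta, eps, p):
    """gamma = ((delta + (1-delta) 3^p) / (eps + (1-eps) 3^p))^(1/p)."""
    return ((delta + (1 - delta) * 3 ** p) / (eps + (1 - eps) * 3 ** p)) ** (1.0 / p)


if __name__ == "__main__":
    # Constructed formula: (x0 v x1) ^ (~x0 v x1) ^ (~x0 v ~x1), satisfied by z = (0, 1).
    clauses = [[(0, False), (1, False)], [(0, True), (1, False)], [(0, True), (1, True)]]
    print(encode(clauses, 2), distance_p(clauses, (0, 1), 2, 2))
```

The same check fails for a clause of three literals under this gadget (all three literals true gives row sum 6 against target 3, distance 3 rather than 1), which is why a gadget of this shape needs clauses of two literals.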
$\mathrm{CVP}_p$ under almost any $p$-norm

Theorem 4. Solving exact $\mathrm{CVP}_p$ under all $p$-norms where $p$ is not even and $p \le k -$ is not possible in time $2^{(1-\varepsilon)n}$ where $\varepsilon > 0$. The same proof works for $p$ in general instead of 2.

$\mathrm{CVP}_p$ within a constant factor

Theorem 5 ([BGS17]). There exists a reduction from $(\delta, \varepsilon)$-Gap - - SAT with $n$ variables and $m$ clauses to $\gamma$-$\mathrm{GapCVP}^\tau_p$ for any $p$-norm, such that the rank of the lattice in the resulting instance is the same as the number of variables in the original instance. Furthermore, $\gamma$ is given by

$$\gamma = \left( \frac{\delta + (1-\delta)3^p}{\varepsilon + (1-\varepsilon)3^p} \right)^{1/p}.$$

We provide their construction of the $\gamma$-$\mathrm{CVP}^\tau_p$ instance here. Let $t$ be the target vector defined by $t_i = 3 - \eta_i$, where $\eta_i$ denotes the number of negated literals in the $i$-th clause; let the distance $d$ be $(\varepsilon + (1-\varepsilon)3^p)^{1/p}$; and let $B$ be the set of basis (column) vectors $\{b_1, b_2, \dots, b_k\}$ defined by

$$b_{i,j} = \begin{cases} 2 & \text{if } x_j \in C_i \\ -2 & \text{if } \neg x_j \in C_i \\ 0 & \text{otherwise.} \end{cases}$$

We make the following claim about the reduction proposed in their paper, as it will be useful to us in our reduction: in the resulting lattice, both $\lambda_n^p$ and the $p$-th power of the length of the target vector are upper bounded by $\frac{2^p}{\varepsilon + (1-\varepsilon)3^p} \cdot d^p$, where $d^p$ is proportional to the number of clauses in the $(\delta, \varepsilon)$-Gap - - SAT instance. Thus we can say that the resulting instance is also an instance of $\gamma$-$\mathrm{CVP}^\tau_p$, where $\tau = \frac{2^p}{\varepsilon + (1-\varepsilon)3^p} \cdot d^p$.

Proof. Consider the construction provided in [BGS17]: the basis vectors have entries in $\{-2, 2, 0\}$, thus in the worst case we obtain a set of linearly independent vectors whose longest vector has all entries equal to 2 or $-2$.

Gap-ETH-hardness of $(\delta, \varepsilon)$-Gap - - SAT
Theorem 6 ([GJS76]). For all $\delta, \varepsilon$ such that $0 \le \delta < \varepsilon \le 1$, there exists a polynomial time reduction from $(\delta, \varepsilon)$-Gap - - SAT with $n$ variables and $m$ clauses to an instance of $(\delta', \varepsilon')$-Gap - - SAT with $n + m$ variables and $m$ clauses.

Additionally, Bennett et al. used Dinur's result [Din16] to derive the following:

Theorem 7 ([BGS17]). For all $\delta, \delta'$ such that $0 < \delta < \delta' < 1$, there is a polynomial-time randomised reduction from $(\delta, 1)$-Gap-$k$-SAT with $n$ variables and $m$ clauses to instances of $(\delta', 1)$-Gap-$k$-SAT with $n$ variables and $O(n)$ clauses.

This implies that it is almost always possible to reduce the number of clauses in $(\delta, 1)$-Gap-$k$-SAT instances, so that reductions that run in time linear in $m$ may also be considered linear in $n$, and Gap-ETH still applies. However, since the reduction is randomised, the existence of sub-exponential time algorithms for the resulting instances only implies the existence of randomised sub-exponential time algorithms for $(\delta, 1)$-Gap-$k$-SAT in the general case (i.e., when $m = \omega(n)$).

$\mathrm{CVP}_p$ under almost any $p$-norm

Theorem 8 ([BGS17]). There exists a polynomial time reduction from $k$-SAT to $\mathrm{CVP}_p$ such that the rank of the resulting lattice is the same as the number of variables in the original $k$-SAT instance, for all $p$ that is not even and $p \le k -$.

Corollary 1. Solving exact $\mathrm{CVP}_p$ under all $p$-norms where $p$ is not even is not possible in time $2^{(1-\varepsilon)n}$ where $\varepsilon > 0$.

[BS99] had also previously constructed a reduction that was tight in the resulting instance size, since it only increased the rank by 1, by intuitively treating the target vector as the $(n+1)$-th vector in an SIVP instance. To do this, an extra value that was large enough was padded to the bottom of the target vector to ensure it would be long enough to be considered the $(n+1)$-th successive minimum. We now present our main contribution, that is, showing hardness of approximating $\gamma$-$\mathrm{SIVP}_p$ within a constant factor $\gamma$.

Theorem 9. For any $\tau = \tau(n) > 0$ and $\gamma \ge 1$, there exists an efficient reduction from $\gamma$-$\mathrm{GapCVP}^\tau_p$ to $\gamma'$-$\mathrm{SIVP}_p$ for any $p$-norm with $p \in [1, \infty)$, where $\gamma'^p \le \frac{2^p \gamma^p}{2^p - \gamma^p}$. Moreover, the rank of the lattice in the $\gamma'$-$\mathrm{SIVP}_p$ instance equals $n + 1$, where $n$ is the rank of the $\gamma$-$\mathrm{CVP}^\tau_p$ instance.

Proof. We let $(L, t, d)$ denote a $\gamma$-$\mathrm{GapCVP}^\tau_p$ instance and $(L', d')$ denote a $\gamma'$-$\mathrm{SIVP}_p$ instance. Likewise, we let $\lambda_n = \lambda_n(L)$ denote the $n$-th minimum for the $\gamma$-$\mathrm{GapCVP}_p$ instance, whereas $\lambda'_{n+1} = \lambda'_{n+1}(L')$ denotes the $(n+1)$-th minimum for the $\gamma'$-$\mathrm{SIVP}_p$ instance. Given a basis $b_1, b_2, \dots, b_n$ for the $\gamma$-$\mathrm{CVP}^\tau_p$ instance and the target vector $t$, we construct the basis for $L'$:

$$\begin{bmatrix} b_1 & b_2 & \cdots & b_n & t \\ 0 & 0 & \cdots & 0 & r \end{bmatrix}$$

Here $r$ is a value that we are free to tweak; we will choose $r$ such that $r^p = \frac{2^p \gamma^p}{2^p - \gamma^p}$. We first analyse how the YES and NO instances of $\gamma$-$\mathrm{CVP}^\tau_p$ translate into the corresponding YES and NO instances of $\gamma'$-$\mathrm{SIVP}_p$, and then show that there exist values of $r$ such that the reduction holds.

Recall that in $\gamma$-$\mathrm{CVP}^\tau_p$ the YES instances are those where the shortest possible distance from the target vector $t$ to the given lattice is at most $d$, and in the NO instances the shortest possible distance from $t$ is at least $\gamma d$. Then in the resulting instance we obtain the following inequalities:

YES: $\mathrm{dist}(L, t) \le d$; NO: $\mathrm{dist}(L, t) > \gamma d$.

Let $v$ be the vector closest to the target $t$. Let $v_1, \dots, v_n$ be a set of linearly independent vectors in $L$ such that $\max(\|v_1\|, \dots, \|v_n\|)$ is minimized. Notice that $v_1, \dots, v_n, (v - t, r)^T$ is a set of linearly independent vectors in $L'$. Thus, if the CVP instance is a YES instance, $\lambda'_{n+1}$ is upper bounded by the maximum of $(d^p + r^p)^{1/p}$ and $\lambda_n$. Also, any set of $n+1$ linearly independent vectors must have at least one vector with a non-zero coefficient for the last basis vector $(t, r)^T$. So, if the CVP instance is a NO instance, then if that coefficient is $1$ or $-1$ the length of the vector is at least $(\gamma^p \cdot d^p + r^p)^{1/p}$, and if the coefficient has absolute value at least 2, the length is at least $2r$. From this we obtain:

YES: $\lambda'^p_{n+1} \le \max(d^p \cdot \tau,\; d^p + r^p)$; NO: $\lambda'^p_{n+1} > \min((\gamma d)^p + r^p,\; (2r)^p)$.

In all cases we pick $r^p$ to be $\frac{2^p \gamma^p}{2^p - \gamma^p}$; it will always be the case that

$$\gamma'^p \le \min\left( \frac{\gamma^p d^p + r^p}{d^p + r^p},\; \frac{2^p r^p}{d^p + r^p} \right).$$

CASE 1: $\tau \le 1$. Since $r^p + d^p \ge d^p \tau$, we get that $\gamma'^p \le \frac{\gamma^p 2^p}{2^p - \gamma^p}$.

CASE 2: $\frac{\gamma^p}{2^p - 1} \ge \tau > 1$. Then in the YES case we have $\lambda'^p_{n+1} \le \max\big(d^p + d^p \frac{\gamma^p}{2^p - 1},\; d^p + r^p\big)$. Hence, by our choice of $r^p$ again, we get $\gamma'^p \le \frac{\gamma^p 2^p}{2^p - \gamma^p}$.

CASE 3: $\tau > \frac{\gamma^p}{2^p - 1}$. In this case we have $r^p \ge d^p(\tau - 1)$, so $d^p + r^p \ge \tau d^p$. Then $\gamma'^p$ is upper bounded by

$$\min\left\{ \frac{\gamma^p + \tau - 1}{\tau},\; \frac{2^p(\tau - 1)}{\tau} \right\}.$$

This reduction clearly runs in polynomial time. From this we conclude that if we set $r^p$ to $\frac{\gamma^p d^p}{2^p - 1}$, we get $\gamma'^p < \frac{2^p \gamma^p}{2^p - \gamma^p}$.

Theorem 10. Under the randomised Gap Exponential Time Hypothesis, there exist $\gamma' > 1$ and $\varepsilon > 0$ such that $\gamma'$-$\mathrm{SIVP}_p$ with rank $n$ is not solvable in $2^{\varepsilon n}$ time.

Proof. This is achieved by considering each of the instances along the chain of reductions from $(\delta, \varepsilon)$-Gap - - SAT to $(\delta', \varepsilon')$-Gap - - SAT to $\gamma$-$\mathrm{GapCVP}^\tau_p$ and finally to $\gamma'$-$\mathrm{SIVP}_p$. From the original $(\delta, \varepsilon)$-Gap - - SAT instance with $n$ variables and $m$ clauses, we obtain a $\gamma'$-$\mathrm{SIVP}_p$ instance of rank $n + m + 1$ with high probability. Thus, under the randomised Gap-ETH, there is no sub-exponential time algorithm for $\gamma'$-$\mathrm{SIVP}_p$, for all $p \in [1, \infty)$.

References

[ADPS16] Erdem Alkim, Léo Ducas, Thomas Pöppelmann, and Peter Schwabe. Post-quantum key exchange — A new hope. In
USENIX Security Symposium, 2016.
[ADRS15] Divesh Aggarwal, Daniel Dadush, Oded Regev, and Noah Stephens-Davidowitz. Solving the Shortest Vector Problem in $2^n$ time via discrete Gaussian sampling. In STOC, 2015.
[ADS15] Divesh Aggarwal, Daniel Dadush, and Noah Stephens-Davidowitz. Solving the Closest Vector Problem in $2^n$ time — The discrete Gaussian strikes again! In FOCS, 2015.
[Ajt98] Miklos Ajtai. Worst-case complexity, average-case complexity and lattice problems. 1998.
[Ajt04] Miklós Ajtai. Generating hard instances of lattice problems. In Complexity of computations and proofs, volume 13 of Quad. Mat., pages 1–32. Dept. Math., Seconda Univ. Napoli, Caserta, 2004. Preliminary version in STOC'96.
[AS18] Divesh Aggarwal and Noah Stephens-Davidowitz. (Gap/S)ETH hardness of SVP. In Proceedings of the 50th Annual ACM SIGACT Symposium on Theory of Computing, pages 228–238. ACM, 2018.
[BCD+16] Joppe W. Bos, Craig Costello, Léo Ducas, Ilya Mironov, Mich­ael Naehrig, Valeria Nikolaenko, Ananth Raghunathan, and Douglas Stebila. Frodo: Take off the ring! Practical, quantum-secure key exchange from LWE. In CCS, 2016.
[BGS17] Huck Bennett, Alexander Golovnev, and Noah Stephens-Davidowitz. On the quantitative hardness of CVP. In FOCS, 2017.
[BS99] Johannes Blömer and Jean-Pierre Seifert. On the complexity of computing short linearly independent vectors and short bases in a lattice. In Proceedings of the Thirty-first Annual ACM Symposium on Theory of Computing, STOC '99, pages 711–720, New York, NY, USA, 1999. ACM.
[Din16] Irit Dinur. Mildly exponential reduction from gap 3SAT to polynomial-gap label-cover. Electronic Colloquium on Computational Complexity (ECCC), 23:128, 2016.
[DPV11] Daniel Dadush, Chris Peikert, and Santosh Vempala. Enumerative lattice algorithms in any norm via M-ellipsoid coverings. In FOCS, 2011.
[GGH96] Oded Goldreich, Shafi Goldwasser, and Shai Halevi. Collision-free hashing from lattice problems. IACR Cryptology ePrint Archive, 1996:9, 1996.
[GJS76] M. R. Garey, D. S. Johnson, and L. Stockmeyer. Some simplified NP-complete graph problems. Theoretical Computer Science, 1(3):237–267, 1976.
[GPV08] Craig Gentry, Chris Peikert, and Vinod Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. In STOC, 2008.
[IP01] Russell Impagliazzo and Ramamohan Paturi. On the complexity of k-SAT. Journal of Computer and System Sciences, 62(2):367–375, 2001.
[JS98] Antoine Joux and Jacques Stern. Lattice reduction: A toolbox for the cryptanalyst. Journal of Cryptology, 11(3):161–185, 1998.
[Kan87] Ravi Kannan. Minkowski's convex body theorem and integer programming. Math. Oper. Res., 12(3):415–440, 1987.
[Len83] H. W. Lenstra, Jr. Integer programming with a fixed number of variables. Math. Oper. Res., 8(4):538–548, 1983.
[LLL82] A. K. Lenstra, H. W. Lenstra, Jr., and L. Lovász. Factoring polynomials with rational coefficients. Math. Ann., 261(4):515–534, 1982.
[MR17] Pasin Manurangsi and Prasad Raghavendra. A Birthday Repetition Theorem and Complexity of Approximating Dense CSPs. 80:78:1–78:15, 2017.
[NIS] NIST post-quantum standardization call for proposals.
[NS01] Phong Q. Nguyen and Jacques Stern. The two faces of lattices in cryptology. In Cryptography and lattices, pages 146–180. Springer, 2001.
[Odl90] Andrew M. Odlyzko. The rise and fall of knapsack cryptosystems. Cryptology and computational number theory, 42:75–88, 1990.
[Pei10] Chris Peikert. An efficient and parallel Gaussian sampler for lattices. In CRYPTO, 2010.
[Pei16] Chris Peikert. A decade of lattice cryptography. Foundations and Trends in Theoretical Computer Science, 10(4):283–424, 2016.
[Reg09] Oded Regev. On lattices, learning with errors, random linear codes, and cryptography. Journal of the ACM, 56(6):Art. 34, 40, 2009.
[Sha84] Adi Shamir. A polynomial-time algorithm for breaking the basic Merkle-Hellman cryptosystem.