Discrete Gaussian Sampling Reduces to CVP and SVP
DDiscrete Gaussian Sampling Reduces to CVP and SVP
Noah Stephens-Davidowitz ∗ † [email protected] Abstract
The discrete Gaussian D L− t , s is the distribution that assigns to each vector x in a shifted lattice L − t probability proportional to e − π (cid:107) x (cid:107) / s . It has long been an important tool in the study oflattices. More recently, algorithms for discrete Gaussian sampling (DGS) have found many appli-cations in computer science. In particular, polynomial-time algorithms for DGS with very highparameters s have found many uses in cryptography and in reductions between lattice problems.And, in the past year, Aggarwal, Dadush, Regev, and Stephens-Davidowitz showed 2 n + o ( n ) -timealgorithms for DGS with a much wider range of parameters and used them to obtain the currentfastest known algorithms for the two most important lattice problems, the Shortest Vector Problem(SVP) and the Closest Vector Problem (CVP).Motivated by its increasing importance, we investigate the complexity of DGS itself and itsrelationship to CVP and SVP. Our first result is a polynomial-time dimension-preserving reduc-tion from DGS to CVP. There is a simple reduction from CVP to DGS, so this shows that DGSis equivalent to CVP. Our second result, which we find to be more surprising, is a polynomial-time dimension-preserving reduction from centered DGS (the important special case when t = )to SVP. In the other direction, there is a simple reduction from γ -approximate SVP for any γ = Ω ( (cid:112) n / log n ) , and we present some (relatively weak) evidence to suggest that this might be thebest achievable approximation factor.We also show that our CVP result extends to a much wider class of distributions and even toother norms. A lattice
L ⊂ Q n is the set of all integer linear combinations of some linearly independent basisvectors b , . . . , b n ∈ Q n .The two central computational problems on lattices are the Shortest Vector Problem (SVP) and theClosest Vector Problem (CVP). Given a lattice L ⊂ Q n , the SVP is to find a shortest non-zero vector in L . Given a lattice L ⊂ Q n and a target vector t ∈ Q n , the CVP is to find a vector in L whose distanceto t is minimal.Algorithms for SVP and CVP, in both their exact and approximate versions, have found manydiverse applications in computer science. They have been used to factor polynomials over the ratio-nals [LLL82], solve integer programming [Len83, Kan87, DPV11], and break cryptographic schemes [Odl90,JS98, NS01]. And, over the past twenty years, a wide range of strong cryptographic primitives havebeen constructed with their security based on the worst-case hardness of the approximate versions ofthese problems [Ajt96, MR07, GPV08, Gen09, Pei09, Reg09, LPR10, BV11, BV14]. ∗ New York University † Work done while at the Simons Institute 2015 cryptography summer program. This material is based upon workpartially supported by the National Science Foundation under Grant No. CCF-1320188. Any opinions, findings, and con-clusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views ofthe National Science Foundation. a r X i v : . [ c s . CC ] A p r oth problems are known to be hard, even to approximate to within the nearly polynomial factorof n c / log log n for some constant c [ABSS93, Ajt98, CN98, BS99, DKRS03, Mic01, Kho05, Mic12, HR12].Indeed, CVP is in some sense “lattice complete” in that nearly all well-studied lattice problemsare reducible to CVP via dimension-preserving (and approximation-factor-preserving) reductions.(See [Mic08] for a list of such problems.) In particular, a dimension-preserving reduction from SVPto CVP has long been known [GMSS99]. However, the best-known dimension-preserving reductionin the other direction only reduces O ( √ n ) -approximate CVP to SVP.A powerful tool for studying lattices is the discrete Gaussian, the probability distribution D L− t , s that assigns to each vector x ∈ L − t probability proportional to its Gaussian mass, e − π (cid:107) x (cid:107) / s , fora lattice L ⊂ Q n , shift vector t ∈ Q n , and parameter s >
0. The discrete Gaussian and the closelyrelated theta functions have been used to prove transference theorems on lattices [Ban93, Cai03]; toshow that √ n -approximate CVP and SVP are in co-NP [AR05]; to embed flat tori in a Hilbert spacewith low distortion [HR13]; to solve the Bounded Distance Decoding Problem [LLM06]; and even inthe study of the Riemann zeta function (e.g., in [BPY01]). - -
10 0 100.0000.0050.010 - - Figure 1: Two very different discrete Gaussian distributions in two dimensions. On the left is D Z ,10 .On the right is D L− t ,5 , where L is spanned by 3 e and e /2, and t = e /2 + e /4 is a “deep hole.”Note that the discrete Gaussian is concentrated on relatively short vectors. In particular, in theimportant special case when the discrete Gaussian is centered so that t = , D L , s assigns higher weightto shorter lattice vectors. This suggests a connection between D L , s and SVP. In the more general case, D L− t , s is concentrated on short vectors in the shifted lattice L − t . By translating this distribution by t (i.e., considering the distribution of D L− t , s + t ), we obtain a distribution over the lattice that assignshigher weight to the vectors that are closest to t , suggesting a connection between D L− t , s and CVP. Asthe parameter s becomes lower, the distribution becomes more concentrated. Indeed, one can showthat samples from D L− t , s (when suitably translated) yield ( + α √ n ) -approximate solutions to CVPwhen s ≈ dist ( t , L ) / α . (See Figure 1 for two examples of the discrete Gaussian in two dimensions.)Largely because of its connection to other lattice problems, algorithms for discrete Gaussiansampling (DGS) have recently played an important role in computer science. Gentry, Peikert, andVaikuntanathan introduced a polynomial-time trapdoor algorithm for sampling from the discreteGaussian with very high parameters s in order to construct a secure signature scheme [GPV08]. And,many reductions between lattice problems use a DGS algorithm as a subroutine [Reg09, Pei10, MP13,BLP + s . In particular, all previ-ously known polynomial-time algorithms (even those with access to trapdoors and oracles) can onlysample from D L− t , s when s is significantly above the “smoothing parameter” of the lattice, in whichcase the discrete Gaussian “looks like a continuous Gaussian distribution” in a certain precise sensethat we do not define here. (See [MR07] for the formal definition.)In the past year, Aggarwal, Dadush, Regev, and Stephens-Davidowitz introduced an exponential-time algorithm for sampling from the discrete Gaussian with much lower parameters in order tosolve exact SVP [ADRS15], and [ADS15] showed how to extend this result to CVP. These are the2hift Parameter Time NotesAny t s ≥ n log n / log log n · λ n poly ( n ) [AKS01, GPV08]Any t s ≥ γ (cid:112) log n · λ n – Reduces to γ -approx. SVP [GPV08, BLP + t s (cid:29) √ n · η – Quantum reduction to LWE [Reg09].Any t s ≥ √ · η n /2 + o ( n ) Outputs 2 n /2 samples [ADRS15].Any t s (cid:38) − n / log n dist ( t , L ) n + o ( n ) Outputs many samples [ADS15].* Any t Any s – Equivalent to CVP.* Any t Any s n + o ( n ) Follows from equivalence and [ADS15]. t = Any s n + o ( n ) Outputs 2 n /2 samples [ADRS15].* t = Any s – Reduces to SVP.Table 1: Known results concerning the problem of sampling from D L− t , s . Lines marked with a * arenew results. We have omitted some constants. η is the smoothing parameter, as defined in [MR07],and λ n is the n th successive minimum. (They are related by η / (cid:112) log n (cid:46) λ n (cid:46) √ n · η , where theupper bound is tight for the lattices that are relevant for cryptography. We also have have dist ( t , L ) ≤√ n λ n /2.)current fastest-known algorithms for SVP and CVP. In particular, [ADRS15] showed how to sampleexponentially many vectors from the centered discrete Gaussian for any parameter s in 2 n + o ( n ) time,which yields a solution to SVP. 
[ADS15] extended this work to show how to sample many vectorsfrom D L− t , s for very small parameters s ≈ dist ( t , L ) /2 n , also in 2 n + o ( n ) time. Surprisingly, theyshowed how to use such an algorithm to construct a 2 n + o ( n ) -time algorithm for CVP. (In Table 1, wesummarize the previous known algorithms for discrete Gaussian sampling, together with the resultsof this work.)All of these results reflect the increasing prominence of discrete Gaussian sampling algorithms incomputer science. However, they left open a natural question: what is the complexity of DGS itself?In particular, prior to this work, DGS was one of the only prominent lattice problems not known to bereducible to CVP via a dimension-preserving reduction. (Another important example is the LatticeIsomorphism Problem.) In fact, previously, there was simply no known algorithm that sampled from D L− t , s for an arbitrary shift t and parameter s >
0, and it was not even known whether samplingfrom the centered distribution D L , s could be reduced to a problem in NP. (Since DGS is a samplingproblem, it technically cannot be placed directly in classes of decision problems or search problemslike NP or FNP. But, we can still reduce it to such problems. See, e.g., [Aar14] for a discussion of thecomplexity of sampling problems and their relationship to search problems.) Our first main result is a dimension-preserving reduction from discrete Gaussian sampling to CVP.(See Theorem 3.6.) This immediately implies two important corollaries. First, together with therelatively straightforward reduction from CVP to DGS (see Section 7), this shows that CVP and DGSare equivalent via efficient dimension-preserving reductions. In particular, this suggests that theapproach of [ADS15] is in some (weak) sense the “correct” way to attack CVP, since we now knowthat any faster algorithm for CVP necessarily implies a similarly efficient discrete Gaussian sampler,and vice versa. Second, together with the result of [ADS15], this gives a 2 n + o ( n ) -time algorithm fordiscrete Gaussian sampling that works for any parameter s and shift t , the first known algorithm for It is easy to see that a discrete Gaussian sampler that works for any t and any s is sufficient to solve CVP efficient. (Weinclude a proof in Section 7 for completeness.) The difficulty in [ADS15] is that the sampler only works for parameters s greater than roughly dist ( t , L ) /2 n . While this minimum value is very small, this does not seem to be enough to efficientlysolve exact CVP on its own. [ADS15] manage to solve exact CVP in spite of this difficulty because their DGS algorithmoutputs very many samples, which they use to recursively find an exact closest vector. centered DGS to SVP. (See The-orem 4.6.) As we describe below, this result requires quite a bit more work, and we consider it to bemore surprising, since, in a fixed dimension, an SVP oracle seems to be significantly weaker than aCVP oracle. In contrast to the CVP case, we know of no efficient reduction from SVP to centered DGS,and we do not even know whether centered DGS is NP-hard. (While [ADRS15] use centered DGS tosolve SVP, they require exponentially many samples to do so.) We present only a much weaker re-duction from γ -approximate SVP to centered DGS for any γ = Ω ( (cid:112) n / log n ) . We also show that, forany γ = o ( (cid:112) n / log n ) , no “simple” reduction from γ -SVP to centered DGS will work. (See Section 6.)Finally, we note that our proofs do not make use of any unique properties of the discrete Gaussianor of the (cid:96) norm. We therefore show a much more general result: any distribution that is close toa weighted combination of uniform distributions over balls in some norm reduces to CVP in thisnorm. (See Section 5.) In particular, sampling from the natural (cid:96) q analogue of the discrete Gaussianis equivalent to CVP in the (cid:96) q norm, under efficient dimension-preserving reductions. We imaginethat a similar result holds for SVP, but since we know of no application, we do not endeavor to provesuch a result in the more difficult setting of SVP. We now provide a high-level description of our techniques.
Reduction from DGS to CVP.
Our basic idea is to sample from the discrete Gaussian D L− t , s intwo natural steps. We first sample some radius r from a carefully chosen distribution. We thensample a uniformly random point in ( L − t ) ∩ rB n . In particular, the distribution on the radiusshould assign probability to each radius r that is roughly proportional to e − π r / s · | ( L − t ) ∩ rB n | .(See the proof of Theorem 3.6 for the exact distribution.) So, in order to solve DGS, it suffices to (1)compute | ( L − t ) ∩ rB n | for arbitrary r , and (2) sample a uniformly random point from ( L − t ) ∩ rB n .We actually use the same technical tool to solve both problems: lattice sparsification, as intro-duced by Khot [Kho05] (though our analysis is more similar to that of Dadush and Kun [DK13] and[DRS14]). Intuitively, sparsification allows us to sample a random sublattice L (cid:48) ⊂ L of index p suchthat for any vector x ∈ L , we have Pr [ x ∈ L (cid:48) ] ≈ p . Suppose we could find a sublattice L (cid:48) suchthat for the closest N ≈ p points to t in L , we have Pr [ x ∈ L (cid:48) ] = p , independently of the otherpoints. Then, this would suffice for our two use cases. In particular, if the lattice has N points inthe ball of a given radius around t , then L (cid:48) − t would have a point in this ball with probability veryclose to N / p . We can use a CVP oracle to approximate this probability empirically, and we thereforeobtain a good approximation for the number of lattice points in any ball. (We achieve an approxima-tion factor of 1 + f ( n ) for any f ( n ) = poly ( n ) . See Theorem 3.5.) Similarly, if we know that thenumber of lattice points in a ball of radius r around t is roughly N , then we can take p = poly ( n ) · N and repeatedly sample L (cid:48) until L (cid:48) has a point inside the ball of radius r around t . The resulting pointwill be a nearly uniformly random sample from the lattice points in the ball of radius r around t .Combining these two operations allows us to sample from the discrete Gaussian using a CVP oracle,as described above. (See Theorem 3.6.)Unfortunately, sparsification does not give us exactly this distribution. More specifically, sparsifi-cation works as follows. Given a prime p and lattice basis B , we sample z ∈ Z np uniformly at randomand define the corresponding sparsified sublattice as L (cid:48) : = { x ∈ L : (cid:104) z , B − x (cid:105) ≡ p } . (1)Then, for any vector x ∈ L , we have Pr [ x ∈ L (cid:48) ] = p unless x ∈ p L (in which case x is always in L (cid:48) ). Unfortunately, even if we ignore the issue that points in p L do not behave properly, it is easyto see that these probabilities are not at all independent. For example, if x = α y , then x ∈ L (cid:48) if andonly if y ∈ L (cid:48) . And of course, more complex dependencies can exist as well. Fortunately, we can4et around this by using an idea from [DRS14] (and implicit in [DK13]). In particular, we can showthat the probabilities are close to independent if we also shift the sublattice L (cid:48) by a “random latticevector” w ∈ L . I.e., while the distribution of the points in L (cid:48) ∩ ( rB n + t ) might be very complicated,each point in L ∩ ( rB n + t ) will land in L (cid:48) − w with probability ≈ p , and their distributions arenearly independent. (See Theorem 3.1 for the precise statement.) Our CVP oracle makes no distinc-tion between lattices and shifted lattices (we can just shift t by w ), so this solution suffices for ourpurposes. Reduction from centered DGS to SVP.
Our reduction from centered DGS to SVP uses the samehigh-level ideas described above, but the details are a bit more complicated. As in the CVP case,our primary tool is lattice sparsification, in which we choose a sparsified sublattice as in Eq. (1). Asbefore, we wish to control the distribution of the shortest vector in L (cid:48) , and we note that, ignoringdegenerate cases, x is a shortest vector of L (cid:48) if and only if x ∈ L (cid:48) and y , . . . , y N / ∈ L (cid:48) where the y i ∈ L are the non-zero lattice vectors shorter than x (up to sign). However, as in the CVP case,this probability can be affected by linear dependencies. In the CVP case, we solved this problem byconsidering a random shift of L (cid:48) . But, this solution clearly does not work here because an SVP oraclesimply “cannot handle” shifted lattices. We therefore have to deal explicitly with these dependencies.The most obvious type of dependency occurs when x is not primitive , so that x = α y i for | α | > y i is shorter than x and y i ∈ L (cid:48) if and only if x ∈ L (cid:48) , so x will never be a shortest non-zero vector in L (cid:48) . We therefore are forced to work with only primitivevectors (i.e., lattice vectors that are not a scalar multiple of a shorter lattice vector). Even if we onlyconsider primitive vectors, it can still be the case that two such vectors are scalar multiples of eachother mod p , x ≡ α y i mod p L . Luckily, we show that this can only happen if there are (cid:101) Ω ( p ) primitivevectors shorter than x in the lattice, so that this issue does not affect the (cid:101) Ω ( p ) shortest primitivevectors. (See Lemma 2.18.) We also show that higher-order dependencies (e.g., equations of the form x ≡ α y i + β y j mod p L ) have little effect. (See Lemma 2.16.) So, the shortest non-zero vector in thesparsified lattice will be distributed nearly uniformly over the (cid:101) Ω ( p ) shortest primitive vectors in theoriginal lattice. (See Theorem 4.1 and Proposition 4.2 for the precise statement, which might be usefulin future work.)As in the CVP case, this suffices for our purposes. In particular, if there are N primitive latticevectors in the ball of radius r centered at the origin for N ≤ ˜ O ( p ) , then there will be a non-zerovector in L (cid:48) ∩ rB n with probability very close to N / p . With an SVP oracle, we can estimate thisprobability, and this allows us to approximate the number of primitive lattice vectors in a ball withvery good accuracy. (See Theorem 4.5.) And, the sparsification algorithm and SVP oracle also allowus to sample a primitive lattice vector in the ball of radius r around the origin with nearly uniformprobability, as in the CVP case. (See Lemma 4.3.)Then, the same approach as before would allow us to use an SVP oracle to sample from thediscrete Gaussian over the primitive lattice vectors. In order to obtain the true discrete Gaussian,we first “add in” by estimating the total Gaussian mass ρ s ( L ) and returning with probability1/ ρ s ( L ) . Second, after sampling a primitive vector x using roughly the above idea, we sample aninteger coefficient z ∈ Z \ { } according to a one-dimensional discrete Gaussian (using an algorithmintroduced by [BLP + z x . If we choose the primitive vector appropriately, we showthat the resulting distribution is D L , s . Interestingly, the problem of sampling from the centered discrete Gaussian over the primitive lattice vectors, or evenjust the discrete Gaussian over
L \ { } might be strictly harder than centered DGS. In particular, in Section 6, we show afamily of lattices for which D L , s almost never returns a o ( (cid:112) n / log n ) -approximate shortest vector. However, it is easy tosee that the discrete Gaussian over the primitive lattice vectors or even just over the lattice without will output the shortestvector with overwhelming probability if the parameter s is sufficiently small. Therefore, both of these sampling problemsare actually polynomial-time equivalent to SVP, while we have some evidence to suggest that sampling from D L , s is not.Indeed, we know of no application of centered DGS in which non-primitive vectors are actually desirable. .3 Related work DGS algorithms.
There are now many very different algorithms for sampling from the discreteGaussian. (See Table 1.) The procedure of [GPV08] (which was originally introduced by Klein ina different context [Kle00] and was later improved by Brakerski et al. [BLP + n one-dimensionalGaussians generated by the Gram-Schmidt orthogonalization of the basis vectors. Peikert showed asimilar algorithm that uses the one-dimensional Gaussians generated by the basis vectors themselvesinstead of their Gram-Schmidt orthogonalizations [Pei09]. This yields an elliptical discrete Gaussian,and Peikert convolves this with an elliptical continuous Gaussian in a clever way to obtain a sphericaldiscrete Gaussian. Both of these algorithms are useful for building trapdoor primitives because theycan sample from lower parameters if the input basis is shorter.From our perspective, the algorithms of [Kle00, GPV08, BLP +
13] and [Pei10] can be viewed as re-ductions from DGS with high parameters s to approximate SVP, where a better approximation factorallows us to sample with a lower parameter s by finding a better basis. And, Regev [Reg09] explicitlyshowed a quantum reduction from DGS with large s to a different lattice problem. Indeed, many re-ductions between lattice problems start by sampling vectors from D L , s for some large s using one ofthese algorithms and then using an oracle for some lattice problem to find small combinations of thesamples whose average lies in the lattice (e.g., [Reg09, MP13]). One can show that the distribution ofthe resulting average will be close to D L , s (cid:48) for some s (cid:48) < s (as long as certain conditions are met).However, all of the above-mentioned algorithms only work above the smoothing parameter ofthe lattice because they incur error that depends on “how smooth” the distribution is. Recently,[ADRS15] showed that the averages of pairs of vectors sampled from the centered discrete Gaussianwill be distributed exactly as discrete Gaussians with a lower parameter, as long as we conditionon the averages lying in the lattice. They then showed how to choose such pairs efficiently andproved that this is sufficient to sample from any centered discrete Gaussian in 2 n + o ( n ) time—even forparameters s below smoothing. [ADS15] then extended this idea to arbitrary Gaussians (as opposedto just centered Gaussians) with very low parameters s (cid:38) dist ( t , L ) /2 n . In both cases, the sampleractually outputs exponentially many vectors from the desired distribution. Sparsification.
The samplers in this work approach discrete Gaussian sampling in a completelydifferent way. (Indeed, the author repeatedly tried and failed to modify the above techniques to workin our context.) Instead, as we described above, we use a new method of sampling based on latticesparsification. This tool was originally introduced by Khot for the purposes of proving the hardnessof approximating SVP [Kho05]. Khot analyzed the behavior of sparsification only on the specificlattices that arose in his reduction, which were cleverly designed to “behave nicely” when sparsi-fied. Later, Dadush and Kun analyzed the behavior of sparsification over general lattices [DK13] andintroduced the idea of adding a random shift to the target in order to obtain deterministic approxi-mation algorithms for CVP in any norm. Dadush, Regev, and Stephens-Davidowitz used a similaralgorithm to obtain a reduction from approximate CVP to the same problem with an upper bound onthe distance to the lattice (and a slightly smaller approximation factor) [DRS14]. Our sparsificationanalysis in the CVP case is most similar to that of [DRS14], though our reduction requires tighteranalysis.However, in the SVP case our analysis is quite different from that of prior work. In particular,we deal explicitly with primitive lattice vectors, which allows us to tightly analyze the behaviorof sparsification without a random shift. This seems necessary for studying the distribution of theshortest vector of an arbitrary sparsified lattice, but prior work managed to avoid this by eitherworking with a specific type of lattice or adding a random shift.Our use case for sparsification is also novel. In all prior work, sparsification was used to “filterout annoying short vectors, leaving only desirable vectors behind.” We instead use it specifically tosample from the resulting distribution of the shortest or closest vector in the sparsified lattice. We6uspect that this technique will have additional applications.
Dimension-preserving reductions.
More generally, this paper can be considered as part of along line of work that studies the relationships between various lattice problems under dimension-preserving reductions. Notable examples include [GMSS99], which showed that SVP reduces toCVP; [Mic08], which gave a reduction from SIVP to CVP; and [LM09], which showed the equiva-lence of uSVP, GapSVP, and BDD up to polynomial approximation factors. In particular, this worktogether with [Mic08] shows that exact SIVP, exact CVP, and DGS are all equivalent under dimension-preserving reductions. (See [Ste15] for a summary of such reductions.)
Centered DGS.
In this work, we completely characterize the complexity of arbitrary discrete Gaus-sian sampling by showing that it is equivalent to CVP under dimension-preserving reductions. But,the complexity of centered DGS is still unknown. This is therefore the most natural direction for fu-ture work. In particular, we show that centered DGS is no harder than SVP (and therefore no harderthan NP), but our lower bound only shows that it is at least as hard as γ -approximate SVP for any γ = Ω ( (cid:112) n / log n ) . The decision version of SVP is not NP-hard for such high approximation factorsunless the polynomial hierarchy collapses, so there is a relatively large gap between our lower andupper bounds. Indeed, for γ = Ω ( (cid:112) n / log n ) , the decision version of γ -approximate SVP is knownto be in co-AM, and even in SZK [GG98]. We provide some (relatively weak) evidence to suggestthat γ = Ω ( (cid:112) n / log n ) is the best achievable approximation factor (see Section 6), and we thereforeask whether centered DGS can be reduced to an easier problem—perhaps even the search variant ofa problem in NP ∩ co - AM .A related and arguably much more important question is whether there is an algorithm for cen-tered DGS that is faster than the 2 n + o ( n ) -time algorithm of [ADRS15]—perhaps a sampler that out-puts only one sample, as opposed to exponentially many. Indeed, [ADRS15] discuss possible ways toimprove their techniques to achieve a roughly 2 n /2 + o ( n ) -time algorithm for centered DGS, and theymake some progress towards this goal. It seems that entirely new techniques would be needed toachieve running times below 2 n /2 . Any algorithm with a substantially better constant in the expo-nent would be the asymptotically fastest algorithm to break nearly all lattice-based cryptographicschemes. Reductions to approximate lattice problems.
We note that the sampling algorithm of [Kle00,GPV08, BLP +
13] and many of the DGS subroutines used in hardness proofs can be seen as dimension-preserving reductions from DGS with very high parameters to approximate lattice problems. If onesimply plugs an exact SVP solver into these reductions, they will still only work for very high pa-rameters. (More specifically, these works can be seen as reducing DGS with s (cid:38) γ (cid:112) log n λ n ( L ) to γ -approximate SVP or SIVP.) Our reductions, on the other hand, can handle any parameter but onlywork with exact solvers.We therefore ask if there are better reductions from DGS to approximate lattice problems witha better lower bound on the parameter s than the one obtained in [GPV08, BLP + γ and the lower bound on the pa-rameter s that matches our result that works for any s in the exact case when γ =
1. But, anynon-trivial improvement over [GPV08, BLP +
13] would be a major breakthrough. (A dimension-preserving reduction from DGS with parameter s (cid:38) (cid:112) ( γ − ) / n · dist ( t , L ) to γ -approximate CVPwould show that the two problems are equivalent and therefore completely characterize DGS. Fur-thermore, [LLM06, DRS14] show that it actually suffices to handle cases when either dist ( t , L ) (cid:38) (cid:112) log n / n · λ ( L ) or s is above the smoothing parameter.) The search problem could still potentially be NP-hard for such high approximation factors without violating anywidely believed complexity-theoretic conjectures. However, this seems unlikely. centered
DGS to γ -approximate SVP for some 1 < γ (cid:46) (cid:112) n / log n . A reduction with γ = Ω ( (cid:112) n / log n ) wouldcompletely characterize the complexity of centered DGS, but it seems far out of reach. However, anynon-trivial γ > For x ∈ R n , we write (cid:107) x (cid:107) to represent the (cid:96) norm of x . (Except for the last section, this is the onlynorm that we consider.) We write rB n to represent the (closed) ball of radius r in R n , rB n : = { x ∈ R n : (cid:107) x (cid:107) ≤ r } . We will make repeated use of the simple fact that ( + ( n )) C = + ( n ) forany constant C . A lattice
L ⊂ R n is the set of all integer linear combinations of linearly independent vectors B =( b , . . . , b n ) ∈ R n . B is called a basis of the lattice. As the basis is not unique, we often refer to thelattice itself, as opposed to its representation by a basis.We write λ ( L ) for the length of a shortest non-zero vector in the lattice, and λ ( L ) is the length ofa shortest vector in the lattice that is linearly independent from a vector of length λ ( L ) . For any t ∈ R n , we define dist ( t , L ) : = min x ∈L (cid:107) x − t (cid:107) , and the covering radius is then µ ( L ) : = max t dist ( t , L ) .We will need basic bounds on λ ( L ) and µ ( L ) for rational lattices in terms of the bit length ofthe basis. (Many of our results are restricted to lattices and targets in Q n entirely for the sake ofbounds like this. We could instead work over the reals, provided that the chosen representation ofreal numbers leads to similar bounds.) Lemma 2.1.
For any lattice
L ⊂ Q n with basis B = ( b , . . . , b n ) , let m be a bound on the bit length of b i forall i in the natural representation of rational numbers. Then, − nm ≤ λ ( L ) ≤ m , and − nm − ≤ µ ( L ) ≤ n m . Proof.
The first upper bound is trivial, as λ ( L ) ≤ (cid:107) b (cid:107) ≤ m . For the lower bound, let q i be a theminimal positive integer such that q i b i ∈ Z n . Note that q i ≤ m . Then, for any vector x ∈ L , we have x · ∏ i q i ∈ Z n . Therefore, λ ( L ) ≥ ∏ i q − i ≥ − nm .Similarly, the lower bound on µ ( L ) is trivial, as µ ( L ) ≥ λ ( L ) /2 ≥ − nm − . For the upper bound,we have µ ( L ) ≤ ∑ (cid:107) b i (cid:107) ≤ n m .The following Lemma is due to [BHW93]. Lemma 2.2.
For any lattice
L ⊂ R n and r > , |L ∩ rB n | ≤ + (cid:16) r λ ( L ) (cid:17) n . Corollary 2.3.
For any lattice
L ⊂ Q n with basis ( b , . . . , b n ) , t ∈ Q n , and r > , let m be a bound on thebit length of the b i for all i in the natural representation of rational numbers. Then, | ( L − t ) ∩ rB n | ≤ + ( + r ) poly ( n , m ) . Proof.
It suffices to bound |L ∩ ( r + µ ( L )) B n ) | . The result then follows by applying Lemma 2.1 andLemma 2.2. 8 .2 The discrete Gaussian distribution For x ∈ R n and s >
0, we write ρ s ( x ) : = e − π (cid:107) x (cid:107) / s . For A ⊂ R n , a discrete set, we write ρ s ( A ) : = ∑ x ∈ A ρ s ( x ) , and we define the discrete Gaussian distribution over A with parameter s , D A , s , as thedistribution that assigns probability ρ s ( x ) / ρ s ( A ) to all x ∈ A . When s =
1, we omit it and simplywrite ρ ( x ) , D L , etc.Banaszczyk proved the following two useful bounds on the discrete Gaussian over lattices [Ban93]. Lemma 2.4.
For any lattice
L ⊂ R n , s > , and t ∈ R n , ρ s ( L − t ) ≥ e − π dist ( t , L ) / s ρ s ( L ) . Lemma 2.5 ([DRS14, Lemma 2.13]) . For any lattice
L ⊂ R n , s > , t ∈ R n , and r ≥ √ π , Pr X ∼ D L− t , s [ (cid:107) X (cid:107) ≥ rs √ n ] < ρ s ( L ) ρ s ( L − t ) (cid:0) √ π er exp ( − π r ) (cid:1) n .With this, we derive a corollary similar to [ADS15, Corollary 2.7]. Corollary 2.6.
For any lattice
L ⊂ R n , s > , t ∈ R n , and r ≥ √ π , Pr X ∼ D L− t , s [ (cid:107) X (cid:107) ≥ dist ( t , L ) + r s n ] < (cid:0) √ π er (cid:48) exp ( − π r ) (cid:1) n , where r (cid:48) : = (cid:112) dist ( t , L ) / ( s n ) + r . In particular, ifr ≥ (cid:113) log (cid:0) + dist ( t , L ) / ( s √ n ) (cid:1) , then Pr X ∼ D L− t , s [ (cid:107) X (cid:107) ≥ dist ( t , L ) + r s n ] < e − r n . Proof.
Combining the above two lemmas, we havePr X ∼ D L− t , s [ (cid:107) X (cid:107) ≥ dist ( t , L ) + r s n ] < e π (cid:107) t (cid:107) / s · (cid:0) √ π er (cid:48) exp ( − π r (cid:48) ) (cid:1) n = (cid:0) √ π er (cid:48) exp ( − π r ) (cid:1) n ,as needed.Now, suppose, r ≥ (cid:113) log (cid:0) + dist ( t , L ) / ( s √ n ) (cid:1) . We consider two cases. First, suppose dist ( t , L ) s √ n <
1. Then, we have r (cid:48) < r < e r π e , and the result follows. Otherwise, we have r (cid:48) = dist ( t , L ) s n · ( + r s n / dist ( t , L ) ) < dist ( t , L ) s n · exp (cid:16) r s n dist ( t , L ) (cid:17) .So, √ π er (cid:48) exp ( − π r ) < dist ( t , L ) s · √ π e / n · exp (cid:16) r s n ( t , L ) − π r (cid:17) < dist ( t , L ) s · √ π e / n · e ( − π ) r < e − r ,as needed.The following lemma is actually true for “almost all lattices,” in a certain precise sense that isoutside the scope of this paper. (See, e.g., [Sie45].) Lemma 2.7.
For any n ≥ , there is a lattice L ⊂ Q n such that for any s > , ρ s ( L ) ≥ + s n and λ ( L ) > √ n /10 . .3 Lattice problems Definition 2.8.
For any parameter γ ≥ , γ -SVP (the Shortest Vector Problem) is the search problem definedas follows: The input is a basis B for a lattice L ⊂ Q n . The goal is to output a lattice vector x with < (cid:107) x (cid:107) ≤ γλ ( L ) . Definition 2.9.
For any parameter γ ≥ , γ -CVP (the Closest Vector Problem) is the search problem definedas follows: The input is a basis B for a lattice L ⊂ Q n and a target vector t ∈ Q n . The goal is to output alattice vector x with (cid:107) x − t (cid:107) ≤ γ dist ( t , L ) . We will mostly be interested in the exact case, when γ =
1, in which case we simply write SVPand CVP respectively. Note that there may be many shortest lattice vectors or closest lattice vectorsto t . Definition 2.10.
For γ ≥ and ε ≥ , we say that a distribution X is ( γ , ε ) -close to a distribution Y if thereis another distribution X (cid:48) with the same support as Y such that1. the statistical distance between X and X (cid:48) is at most ε ; and2. for all x in the support of Y, Pr [ Y = x ] / γ ≤ Pr [ X (cid:48) = x ] ≤ γ Pr [ Y = x ] . Definition 2.11.
For any parameters ε ≥ and γ ≥ , ( γ , ε ) -DGS (the Discrete Gaussian Sampling problem)is defined as follows: The input is a basis B for a lattice L ⊂ Q n , a shift t ∈ Q n , and a (rational) parameters > . The goal is to output a vector whose distribution is ( γ , ε ) -close to D L− t , s . Definition 2.12.
For any parameters ε ≥ and γ ≥ , ( γ , ε ) -cDGS (the centered Discrete Gaussian Sam-pling problem) is defined as follows: The input is a basis B for a lattice L ⊂ Q n and a (rational) parameters > . The goal is to output a vector whose distribution is ( γ , ε ) -close to D L , s . DGS is typically defined with an additional parameter σ ≥
0, such that the algorithm only needsto output discrete Gaussian samples if s > σ . Since both of our reductions achieve σ =
0, we omitthis parameter.
Brakerski, Langlois, Peikert, Regev, and Stehl´e show how to efficiently sample from the one-dimensionaldiscrete Gaussian D Z + c , s for any c ∈ R and s > + D Z \{ } , s . Lemma 2.13.
There is an algorithm that samples from D Z \{ } , s for any s > in (expected) polynomial time.Proof. We describe an algorithm that samples from D Z + , s , which is clearly sufficient. Let Z : = e − π / s + (cid:82) ∞ e − π x / s d x . The algorithm outputs 1 with probability e − π / s / Z . Otherwise, it samples x from the one-dimensional continuous Gaussian with parameter s restricted to the interval ( ∞ ) . Let y : = (cid:100) x (cid:101) . With probability e − π ( y − x ) / s , the algorithm outputs y . Otherwise, it repeats.On a single run of the algorithm, for any integer z ≥
2, the probability that the algorithm outputs z is 1 Z · (cid:90) zz − e − π x / s · e − π ( z − x ) / s d x = e − π z / s Z .And, the probability that the algorithm outputs 1 is of course e − π / s / Z . So, the algorithm outputsthe correct distribution.It remains to bound the expected running time. After a single run, the algorithm outputs aninteger with probability ρ s ( Z + ) Z = ρ s ( Z + ) e − π / s + (cid:82) ∞ e − π x / s d x ≥
12 .It follows that it runs in expected polynomial time.10urthermore, we will need to efficiently compute ρ s ( Z \ { } ) for arbitrary s . Brakerski et al. givea simple algorithm for this problem as well. (Here, we ignore the bit-level concerns of what it meansto “efficiently compute” a real number, as this will not be an issue for us.) Claim 2.14.
There is an efficient algorithm that computes ρ s ( Z \ { } ) . p and Z np Our primary technical tool will be lattice sparsification, in which we consider the sublattice L (cid:48) : = { x ∈ L : (cid:104) z , B − x (cid:105) ≡ p } ,where p is some prime, z ∈ Z np is uniformly random, and B is a basis of the lattice L ⊂ Q n . As such,we will need some lemmas concerning the behavior of lattice vectors mod p L . We first simply notethat we can compute L (cid:48) efficiently. Claim 2.15.
There is a polynomial-time algorithm that takes as input a basis B for a lattice L ⊂ R n , a numberp ∈ Z + , and a vector z ∈ Z np and outputs a basis B (cid:48) for L (cid:48) : = { x ∈ L : (cid:104) z , B − x (cid:105) ≡ p } . Proof.
On input B = ( b , . . . , b n ) , p ∈ Z + , and z = ( z , . . . , z n ) ∈ Z np , if z = , the algorithmsimply outputs B . Otherwise, we assume without loss of generality that z n (cid:54) =
0. The algorithm thencomputes B − T = ( b ∗ , . . . , b ∗ n ) . It setsˆ B : = (cid:16) b ∗ , . . . , b ∗ n − , 1 q ∑ z i b ∗ i (cid:17) .Finally, it outputs B (cid:48) : = ˆ B − T .A quick computation shows that ˆ B has full rank and that B (cid:48) is indeed a basis for L (cid:48) .Since we will only be concerned with the coordinates of the vectors mod p , it will suffice to workover Z np . Lemma 2.16.
For any prime p and collection of vectors x , v , . . . , v N ∈ Z np \ { } such that x is not a scalarmultiple of any of the v i , we have p − Np ≤ Pr (cid:2) (cid:104) z , x (cid:105) ≡ p and (cid:104) z , v i (cid:105) (cid:54)≡ p ∀ i (cid:3) ≤ p , where z is sampled uniformly at random from Z np .Proof. For the upper bound, it suffices to note that, since x is non-zero, (cid:104) z , x (cid:105) is uniformly distributedover Z p . Therefore, Pr [ (cid:104) z , x (cid:105) ≡ p ] = p . For the lower bound, note that A : = { y ∈ Z np : (cid:104) y , x (cid:105) ≡ p } and B i : = { y ∈ Z np : (cid:104) y , v i (cid:105) ≡ p } are distinct subspaces of dimension n −
1. Therefore, A ∩ B i is a subspace of dimension n − p n − elements. Let B : = (cid:83) B i . Itfollows that Pr (cid:2) (cid:104) z , x (cid:105) ≡ p and (cid:104) z , v i (cid:105) (cid:54)≡ p (cid:3) = | A \ B || Z np |≥ | A | − ∑ i | A ∩ B i || Z np | = p n − − N p n − p n = p − Np .11 orollary 2.17. For any prime p, collection of vectors v , . . . , v N ∈ Z np , and x ∈ Z np with x (cid:54) = v i for any i,we have p − Np − Np n − ≤ Pr (cid:2) (cid:104) z , x + c (cid:105) ≡ p and (cid:104) z , v i + c (cid:105) (cid:54)≡ p ∀ i (cid:3) ≤ p + p n , where z and c are sampled uniformly and independently at random from Z np .Proof. For the upper bound, it suffices to note that Pr [ (cid:104) z , x + c (cid:105) ≡ p ] ≤ p + p n .Turning to the lower bound, note that for any i , we have Pr [ v i + c = ] = p n . By union bound,the probability that v i + c = for any i is at most N / p n . Now, fix i , and note that if there exists some α ∈ Z p \ { } such that α ( v i + c ) = x + c , then we must have c = α v i − x − α .There are therefore at most p − c that satisfy the above—one for each value of α . So,the probability that c will satisfy the above equation for any α is at most ( p − ) / p n . Taking a unionbound over all i , we see that the probability that x + c is a multiple of any of the v i + c is at most N ( p − ) / p n . The result then follows from Lemma 2.16 and union bound. For a lattice
L ⊂ R n , we say that x ∈ L is non-primitive in L if x = k y for some y ∈ L and k ≥ x is primitive in L . Let L prim be the set of primitive vectors in L . For a radius r > ξ ( L , r ) : = |L prim ∩ rB n | /2 be the number of primitive lattice vectors in a (closed) ball of radius r around the origin (counting x and − x as a single vector).We will need the following technical lemma, which shows that relatively short primitive vectorscannot be scalar multiples of each other mod p . Lemma 2.18.
For any lattice
L ⊂ R n with basis B , suppose x , x ∈ L are primitive with x (cid:54) = ± x and (cid:107) x (cid:107) ≥ (cid:107) x (cid:107) such that B − x ≡ α B − x mod pfor any number p ≥ and α ∈ Z p . Then, ξ ( L , (cid:107) x (cid:107) ) > p / (
20 log p ) .Proof. We assume α (cid:54) =
0, since otherwise x is not even primitive. So, we have that x − q x ∈ p L \ { } for some integer q ≡ α mod p with 0 < | q | ≤ p /2. Let y : = ( x − q x ) / p ∈ L and notethat y is not a multiple of x . It suffices to find at least (cid:100) p / (
20 log p ) (cid:101) primitive vectors in the latticespanned by y and x that are at least as short as x .We consider two cases. If q = ±
1, then for i =
0, . . . , p −
1, the vectors i y + q x are clearlyprimitive in the lattice spanned by y and x , and we have (cid:107) i y + q x (cid:107) = (cid:107) i x + q ( p − i ) x (cid:107) / p ≤ (cid:107) x (cid:107) ,as needed.Now, suppose | q | >
1. Then, for i = (cid:100) p /4 (cid:101) , . . . , (cid:98) p /2 (cid:99) , let k i be an integer such that | k i − iq / p | ≤ < | k i | < i . (Note that such an integer exists, since 1/2 ≤ | iq / p | ≤ i /2). Then, (cid:107) i y + k i x (cid:107) = (cid:107) i x / p + ( k i − iq / p ) x (cid:107) ≤ (cid:107) x (cid:107) .When i is prime, then since 0 < | k i | < i , we must have gcd ( i , k i ) =
1. Therefore, the vector i y + k i x must be primitive in the lattice spanned by y and x when i is prime. It follows from a suitableeffective version of the Prime Number Theorem that there are at least (cid:100) p / (
20 log p ) (cid:101) primes between (cid:100) p /4 (cid:101) and (cid:98) p /2 (cid:99) (see, e.g., [Ros41]), as needed. 12e next show that we can find many primitive lattice vectors in a suitably large ball around . Lemma 2.19.
For any lattice
L ⊂ R n and radius r ≥ λ ( L ) , ξ ( L , r ) > (cid:112) r − λ ( L ) λ ( L ) + (cid:106) r − λ ( L ) λ ( L ) (cid:107) . Proof.
Let v , v ∈ L with (cid:107) v i (cid:107) = λ i ( L ) and (cid:104) v , v (cid:105) ≥
0. Then, for k =
0, . . . , (cid:98) (cid:112) r − λ ( L ) / λ ( L ) (cid:99) , (cid:107) v − k v (cid:107) = λ ( L ) + k λ ( L ) − k (cid:104) v , v (cid:105) ≤ r .Similarly, for k =
1, . . . , (cid:98) ( r − λ ( L )) / λ ( L ) (cid:99) , (cid:107) v + k v (cid:107) ≤ λ ( L ) + k λ ( L ) ≤ r The result follows by noting that all of these vectors are distinct and primitive in the lattice generatedby v , v (as is v ). We will also need the Chernoff-Hoeffding bound [Hoe63].
Lemma 2.20 (Chernoff-Hoeffding bound) . Let X , . . . , X N be independent and identically distributed ran-dom variables with ≤ X i ≤ and X : = E [ X i ] . Then, for s > (cid:104) NX − ∑ X i ≥ s (cid:105) ≤ e − s / N , and Pr (cid:104) ∑ X i − NX ≥ s (cid:105) ≤ e − s / N . We now present the main sparsification result that we require. In particular Theorem 3.1 (whichis immediate from the work done in Section 2.5, and is presented in this form here for the reader’sconvenience) shows the generic behavior of the sparsification procedure. Proposition 3.2 then appliesthe theorem to show how sparsification interacts with a CVP oracle.
Theorem 3.1.
For any lattice
L ⊂ R n with basis B , prime p, and lattice vectors x , y , . . . , y N ∈ L such that B − x (cid:54)≡ B − y i mod p for all i, we have p − Np − Np n − ≤ Pr [ (cid:104) z , B − x + c (cid:105) ≡ and (cid:104) z , B − y i + c (cid:105) (cid:54)≡ p ∀ i ] ≤ p + p n , where z , c ∈ Z np are chosen uniformly and independently at random.Proof. Simply apply Corollary 2.17 to B − x and B − y i . Proposition 3.2.
There is a polynomial-time algorithm that takes as input a basis B for a lattice L ⊂ R n anda prime p and outputs a full-rank sublattice L (cid:48) ⊆ L and shift w ∈ L such that, for any t ∈ R n , x ∈ L withN : = | ( L − t ) ∩ (cid:107) x − t (cid:107) · B n | − < p, and any CVP oracle, p − Np − Np n − ≤ Pr [ CVP ( t + w , L (cid:48) ) = x + w ] ≤ p + p n . In particular, Np − N p − N p n − ≤ Pr [ dist ( t + w , L (cid:48) ) ≤ (cid:107) x − t (cid:107) ] ≤ Np + Np n .13 roof. On input
L ⊂ R n with basis B and p , the algorithm samples z , c ∈ Z np uniformly and indepen-dently at random. It then returns the sublattice L (cid:48) : = { x ∈ L : (cid:104) z , B − x (cid:105) ≡ p } ,and the shift w : = Bc .By Claim 2.15, the algorithm can be run in polynomial time. Let y , . . . , y N ∈ L be the uniquevectors such that (cid:107) y i − t (cid:107) ≤ (cid:107) x − t (cid:107) with y i (cid:54) = x . Note that CVP ( L (cid:48) , t + w ) must be x + w if (cid:104) z , B − y i + c (cid:105) (cid:54)≡ p for all i and (cid:104) z , B − x + c (cid:105) ≡ p . We therefore wish to apply The-orem 3.1, which requires showing that B − y i (cid:54)≡ B − x mod p for all i .Suppose on the contrary that B − y i ≡ B − x mod p for some i . Then, y : = y i − x ∈ p L \ { } ,and there are therefore p + y i and x (including the twoendpoints). Note that all of these vectors are at least as close to t as x . But, there can be at most N + < p + t . This relatively straightforward algorithm is thecore idea behind our reduction. For simplicity, we provide the algorithm with an estimate of thenumber of points inside the ball as input. (In the next section, we show how to obtain this estimateusing roughly the same techniques.) Lemma 3.3.
For any efficiently computable f ( n ) with ≤ f ( n ) ≤ poly ( n ) , there is an algorithm with accessto a CVP oracle that takes as input a lattice L ⊂ Q n , shift t ∈ Q n , radius r > , and integer N ≥ andoutputs a vector y such that, if N ≤ |L ∩ ( rB n + t ) | ≤ f ( n ) N , then the algorithm runs in expected polynomial time, and for any x ∈ L ∩ ( rB n + t ) , γ − |L ∩ ( rB n + t ) | ≤ Pr [ y = x ] ≤ γ |L ∩ ( rB n + t ) | , where γ : = + f ( n ) . Furthermore, all of the algorithm’s oracle calls are on full-rank sublattices of theinput lattice.Proof. We assume without loss of generality that n ≥
2. On input
L ⊂ Q n , t ∈ Q n , r >
0, and N ≥
1, the algorithm chooses a prime p with 10 f ( n ) N ≤ p ≤ f ( n ) N and calls the procedure fromProposition 3.2 on input L and p , receiving as output a sublattice L (cid:48) ⊆ L and a shift w ∈ L . It thencalls its CVP oracle on input L (cid:48) and t + w , receiving as output y (cid:48) . If (cid:107) y (cid:48) − w − t (cid:107) ≤ r , it outputs y : = y (cid:48) − w . Otherwise, it repeats.From Proposition 3.2, we have that, after a single run of the algorithm,1 √ γ · p ≤ p − Np − Np n − ≤ Pr [ y (cid:48) = x + w ] ≤ p + p n ≤ √ γ p .Correctness follows immediately. Furthermore, note that the reduction outputs something on eachrun with probability at least N √ γ f ( n ) p ≥ f ( n ) . So, in particular, the expected number of runs ispolynomial in n . It is clear that a single run takes polynomial time, and the result follows. We now show how to use the sparsification algorithm to approximate the number of lattice points ina ball, given access to a CVP oracle. We will use this both to instantiate the procedure from Lemma 3.3and directly in our DGS sampling procedure. 14 efinition 3.4.
For any parameter γ ≥ , γ -GapVCP (the Vector Counting Problem) is the promise problemdefined as follows: the input is a lattice L ⊂ Q n (represented by a basis), shift t ∈ Q n , radius r > , and aninteger N ≥ . It is a NO instance if | ( L − t ) ∩ rB n | ≤ N and a YES instance if | ( L − t ) ∩ rB n | > γ N. Theorem 3.5.
For any efficiently computable function f ( n ) with ≤ f ( n ) ≤ poly ( n ) , there is a polynomial-time reduction from γ -GapVCP to CVP where γ : = + f ( n ) . The reduction preserves dimension and onlycalls the CVP oracle on sublattices of the input lattice.Proof. We assume without loss of generality that n ≥
20 and f ( n ) ≥
20. On input a lattice
L ⊂ Q n with basis B , target t ∈ Q n , r >
0, and N ≥
1, the reduction behaves as follows. First, it finds a prime p with 200 f ( n ) N ≤ p ≤ f ( n ) N . Then, for i =
1, . . . , (cid:96) : = (cid:100) f ( n ) p / N (cid:101) , the reduction callsthe procedure from Proposition 3.2 on L , t , and p . It receives as output L i and w i . It then calls theCVP oracle on L i and t + w i , receiving as output a vector whose distance from t + w i is r i . Finally, itreturns yes if r ≤ r i for all but at most (cid:96) N / p + √ (cid:96) values of r i and no otherwise.It is clear that the reduction runs in polynomial time. Now, suppose |L ∩ ( rB n + t ) | ≤ N . ByProposition 3.2, we have that for each i ,Pr [ r i ≤ r ] ≤ Np + Np n < Np + √ (cid:96) .Then, applying the Chernoff-Hoeffding bound (Lemma 2.20), we havePr [ |{ i : r i ≤ r }| > (cid:96) N / p + √ (cid:96) ] < e .So, the reduction returns the correct answer in this case with probability at least 1 − e .On the other hand, suppose that |L ∩ ( rB n + t ) | > γ N . Using the lower bound in Proposition 3.2,Pr [ r i ≤ r ] ≥ γ Np − γ N p − γ N p n − > Np + √ (cid:96) .Applying the Chernoff-Hoeffding bound again, we havePr [ |{ i : r i ≤ r }| ≤ (cid:96) N / p + √ (cid:96) ] < e ,as needed. Theorem 3.6.
For any efficiently computable function f ( n ) with ≤ f ( n ) ≤ poly ( n ) , there exists an(expected) polynomial-time reduction from ( γ , ε ) -DGS to CVP, where ε : = − f ( n ) and γ : = + f ( n ) . Thereduction preserves dimension and only calls the CVP oracle on full-rank sublattices of the input lattice.Proof. We assume without loss of generality that n ≥ s =
1. (If s (cid:54) =
1, we can simply rescale thelattice.) On input
L ⊂ Q n and t ∈ Q n , the reduction behaves as follows. It first calls its CVP oracleto compute d : = dist ( t , L ) . For i =
0, . . . , (cid:96) : = (cid:100) n f ( n ) log ( + d ) (cid:101) , let r i : = (cid:112) d + i / ( f ( n )) .For each i , the reduction uses its CVP oracle together with the procedure given in Theorem 3.5 tocompute N i such that γ − · | ( L − t ) ∩ r i B n | ≤ N i ≤ | ( L − t ) ∩ r i B n | .Let w (cid:96) : = e − π r (cid:96) , and for i =
0, . . . , (cid:96) −
1, let w i : = e − π r i − e − π r i + . Let W : = ∑ (cid:96) i = N i w i . Thereduction then chooses an index 0 ≤ k ≤ (cid:96) , from the distribution that assigns to index i probability N i w i / W . It then runs the procedure from Lemma 3.3 with input L , t , r k , and N k , receiving as outputa vector y ∈ ( L − t ) ∩ r k B n whose distribution is ( γ , 0 ) -close to the uniform distribution over ( L − t ) ∩ r k B n . It then simply returns y .To see that the reduction runs in polynomial time, first note that Lemma 2.1 implies that (cid:96) ispolynomial in the length of the input. Similarly, Corollary 2.3 implies that the N i have bit lengthspolynomial in the length of the input. It follows that the reduction runs in expected polynomial time.15e now prove correctness. Let A : = ( L − t ) ∩ r (cid:96) B n be the support of y . By Corollary 2.6, D A iswithin statistical distance ε of D L− t , so it suffices to show that the output of the reduction is ( γ , 0 ) -close to D A . In order to show this, it suffices to show that, for any x ∈ A , Pr [ y = x ] is proportional to ρ ( x ) , up to a factor of γ ± . Note thatPr [ y = x ] = W ∑ i : r i ≥(cid:107) x − t (cid:107) w i N i · Pr [ y = x | k = i ] . (2)For any i such that x ∈ ( L − t ) ∩ r i B n , by Lemma 3.3 we have that γ − N i ≤ γ − | ( L − t ) ∩ r i B n | ≤ Pr [ y = x | k = i ] ≤ γ | ( L − t ) ∩ r i B n | ≤ γ N i .Let j be minimal such that x ∈ ( L − t ) ∩ r j B n . Plugging in the upper bound to Eq. (2), we havePr [ y = x ] ≤ γ W · ∑ i ≥ j w i = γ W · e − π r j ≤ √ γ W · ρ ( x ) .A nearly identical computation shows that Pr [ y = x ] ≥ ρ ( x ) / ( √ γ W ) , as needed. Since we are now interested in the SVP case, we can no longer handle the shifts used in Theorem 3.1and Proposition 3.2 (neither the input shift t nor the output shifts w and c ). As a result, we are forcedto consider the effect of sparsification on primitive vectors only, which requires new analysis. Recallthat ξ ( L , r ) : = |L prim ∩ rB n | /2 is the number of primitive lattice vectors in a ball of radius r (counting ± x as a single vector). Theorem 4.1.
For any lattice
L ⊂ R n with basis B , primitive lattice vectors y , y , . . . , y N ∈ L prim with y i (cid:54) = ± y for all i > , and prime p ≥ , if ξ ( L , (cid:107) y i (cid:107) ) ≤ p / (
20 log p ) for all i, then p − Np ≤ Pr (cid:2) (cid:104) z , B − y (cid:105) ≡ p and (cid:104) z , B − y i (cid:105) (cid:54)≡ p ∀ i > (cid:3) ≤ p , where z ∈ Z np is chosen uniformly at random.Proof. Let v i : = B − y i . By Lemma 2.18, we have that v is not a scalar multiple of v i mod p for any i >
0. The result then follows from Lemma 2.16.
Proposition 4.2.
There is a polynomial-time algorithm that takes as input a basis B for a lattice L ⊂ R n and a prime p ≥ and outputs a full-rank sublattice L (cid:48) ⊆ L such that for every x ∈ L with N : = ξ ( L , (cid:107) x (cid:107) ) − ≤ p / (
20 log p ) and λ ( L ) > (cid:107) x (cid:107) / p, we have that for any SVP oracle, p − Np ≤ Pr [ SVP ( L (cid:48) ) = ± x ] ≤ p . In particular, Np − N p ≤ Pr (cid:2) λ ( L (cid:48) ) ≤ (cid:107) x (cid:107) (cid:3) ≤ Np .16 roof. On input
L ⊂ R n with basis B and p , the algorithm samples z ∈ Z np uniformly at random. Itthen returns the sublattice L (cid:48) : = { x ∈ L : (cid:104) z , B − x (cid:105) ≡ p } .It is clear that the algorithm runs in polynomial time. Since Pr [ x ∈ L (cid:48) ] = p , the upper boundon the probability is immediate as well.For the lower bound, let y , . . . , y N ∈ L prim such that (cid:107) y i (cid:107) ≤ (cid:107) x (cid:107) , y i (cid:54) = ± y j , and y : = x . Let v i : = B − y i . Note that, if v ∈ L (cid:48) and v i / ∈ L (cid:48) for i >
0, then SVP ( L (cid:48) ) = ± x . (Here, we have used thefact that λ ( L ) > (cid:107) x (cid:107) / p .) The result then follows from Theorem 4.1. Lemma 4.3.
For any efficiently computable f ( n ) with ≤ f ( n ) ≤ poly ( n ) , there is an (expected) polynomial-time algorithm with access to a SVP oracle that takes as input a lattice L ⊂ Q n , radius r > , and integerN ≥ and outputs a vector y ∈ L such that, if N ≤ ξ ( L , r ) ≤ f ( n ) N and λ ( L ) > r / ( f ( n ) ξ ( L , r )) , thenfor any x ∈ L prim ∩ rB n , γ − ξ ( L , r ) ≤ Pr [ y = ± x ] ≤ γξ ( L , r ) , where γ : = + f ( n ) . Furthermore, the algorithm preserves dimension and only calls its oracle on full-ranksublattices of L .Proof. We assume without loss of generality that n ≥
10. On input
L ⊂ Q n , r >
0, and N ≥
1, thealgorithm chooses a prime p with 100 f ( n ) N log ( f ( n ) N ) ≤ p ≤ f ( n ) N log ( f ( n ) N ) and callsthe algorithm from Proposition 4.2 on input L and p , receiving as output a sublattice L (cid:48) ⊂ L . It thencalls its SVP oracle on input L (cid:48) , receiving as output y . If (cid:107) y (cid:107) ≤ r , it outputs y . Otherwise, it repeats.From Proposition 4.2, we have that, after a single run of the algorithm γ − p ≤ p − Np − Np n − ≤ Pr [ y = ± x ] ≤ p .Correctness follows immediately. Furthermore, note that the algorithm terminates after a given runwith probability at least γ − N / ( f ( n ) p ) ≥ ( f ( n ) log ( N f ( n ))) . By Corollary 2.3, log ( N ) ispolynomial in the length of the input. So, in particular, the expected number of runs is polynomial inthe length of the input. It is clear that a single run takes polynomial time, and the result follows. Definition 4.4.
For any parameters β ≥ , γ ≥ , ( β , γ ) -GapPVCP (the Primitive Vector Counting Prob-lem) is the promise problem defined as follows: the input is a lattice L ⊂ Q n (represented by a basis), radiusr > , and an integer N ≥ . It is a NO instance if ξ ( L , r ) ≤ N or if λ ( L ) < β r / N and a YES instance if ξ ( L , r ) > γ N. Intuitively, the condition that λ ( L ) < β r / N handles the degenerate case in which there aremany non-primitive vectors that may “hide” the primitive vectors in the lattice. It is not clear thatthis should be treated as a degenerate case in general, but it is clear that our methods fail in this case. Theorem 4.5.
Theorem 4.5. For any efficiently computable $f(n)$ with $2 \le f(n) \le \mathrm{poly}(n)$, there is a polynomial-time reduction from $(\beta, \gamma)$-GapPVCP to SVP where $\beta := 1/f(n)$ and $\gamma := 1 + 1/f(n)$. The reduction preserves dimension and only calls the SVP oracle on sublattices of the input lattice.

Proof. On input $\mathcal{L} \subset \mathbb{Q}^n$ with basis $B$, $r > 0$, and $N \ge 1$, the reduction behaves as follows. It first calls its SVP oracle on $\mathcal{L}$ to compute $\lambda_1(\mathcal{L})$. If $\lambda_1(\mathcal{L}) > r$ or $\lambda_1(\mathcal{L}) < \beta r/N$, it returns no. The reduction then finds a prime $p$ with $200 f(n)^3 N \log(f(n)N) \le p \le 400 f(n)^3 N \log(f(n)N)$, and for $i = 1, \ldots, \ell := \lceil 16 f(n)^2 p^2/N^2 \rceil$, it calls the procedure from Proposition 4.2 on $\mathcal{L}$ and $p$, receiving as output $\mathcal{L}_i$. It then calls the SVP oracle on each $\mathcal{L}_i$, receiving as output a vector of length $r_i$. Finally, it returns yes if $r_i \le r$ for more than $\ell N/p + \sqrt{\ell}$ values of $i$ and no otherwise.

It is clear that the reduction runs in polynomial time. We may assume $\lambda_1(\mathcal{L}) \ge \beta r/N > r/p$ (since otherwise the reduction clearly outputs the correct answer).

Suppose $m := \xi(\mathcal{L}, r) \le N$. By Proposition 4.2, we have $\Pr[r_i \le r] \le m/p \le N/p$ for each $i$. Applying the Chernoff-Hoeffding bound (Lemma 2.20), we have
$$\Pr\Big[|\{i : r_i \le r\}| > \ell N/p + \sqrt{\ell}\Big] < e^{-2}.$$
So, the reduction returns the correct answer in this case with probability at least $1 - e^{-2}$.

Now, suppose $\xi(\mathcal{L}, r) > \gamma N$. We again apply Proposition 4.2 to obtain
$$\Pr[r_i \le r] \ge \frac{\gamma N}{p} - \frac{10 \gamma^2 N^2}{p^2} > \frac{N}{p} + \frac{2}{\sqrt{\ell}}.$$
Applying the Chernoff-Hoeffding bound again, we have
$$\Pr\Big[|\{i : r_i \le r\}| \le \ell N/p + \sqrt{\ell}\Big] < e^{-2}.$$
The result follows.
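The reduction of Theorem 4.5 amounts to repeated sparsification plus a threshold test. Below is a minimal Python sketch under the same assumptions as the previous sketches (a hypothetical svp_oracle, the sparsify routine from Proposition 4.2, and sympy.nextprime).

    import math
    from sympy import nextprime

    def norm(v):
        return math.sqrt(sum(c * c for c in v))

    def gap_pvcp(B, r, N, f_n, svp_oracle):
        # Theorem 4.5, schematically: decide whether xi(L, r) is "small"
        # (<= N) or "large" (> (1 + 1/f_n) N) by sparsifying ell times and
        # counting how often the sparsified lattice still contains a vector
        # of norm <= r.
        lam = norm(svp_oracle(B))  # lambda_1(L)
        if lam > r or lam < r / (f_n * N):
            return False  # a clear NO instance
        p = nextprime(math.ceil(200 * f_n**3 * N * math.log(f_n * N)))
        ell = math.ceil(16 * f_n**2 * p**2 / N**2)
        hits = sum(norm(svp_oracle(sparsify(B, p))) <= r for _ in range(ell))
        return hits > ell * N / p + math.sqrt(ell)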
Theorem 4.6. For any efficiently computable function $f(n)$ with $2 \le f(n) \le \mathrm{poly}(n)$, there is an (expected) polynomial-time reduction from $(\gamma, \varepsilon)$-cDGS to SVP, where $\varepsilon := 2^{-f(n)}$ and $\gamma := 1 + 1/f(n)$. The reduction preserves dimension and only calls the SVP oracle on sublattices of the input lattice.

Proof. We assume without loss of generality that $s = 1$. (If $s \ne 1$, we can simply scale the lattice.) On input $\mathcal{L} \subset \mathbb{Q}^n$, the reduction behaves as follows. First, it computes $\lambda_1(\mathcal{L})$ using its SVP oracle. For $i = 0, \ldots, \ell := \lceil n^2 f(n)^2 \rceil$, let $r_i := \sqrt{\lambda_1(\mathcal{L})^2 + i/(n f(n))}$. For each $i$, the reduction uses its SVP oracle together with the procedure given in Theorem 4.5 to compute $N_i$ such that
$$\gamma^{-1} \cdot \xi(\mathcal{L}, r_i) \le N_i \le \xi(\mathcal{L}, r_i), \qquad (3)$$
or $N_i := 0$ if $\lambda_1(\mathcal{L}) < r_i/(n f(n)\, \xi(\mathcal{L}, r_i))$. Let $w_\ell := \rho_{1/r_\ell}(\mathbb{Z} \setminus \{0\})$, and for $i = 0, \ldots, \ell - 1$, let $w_i := \rho_{1/r_i}(\mathbb{Z} \setminus \{0\}) - \rho_{1/r_{i+1}}(\mathbb{Z} \setminus \{0\})$. (Claim 2.14 shows one way to compute the $w_i$ efficiently.)

Let $W := \sum_{i=0}^{\ell} N_i w_i$. Then, the reduction outputs $0$ with probability $1/(1 + W)$. Otherwise, it chooses an index $0 \le k \le \ell$, assigning to each index $i$ probability $N_i w_i/W$. If $N_k > 1$, the reduction then calls the procedure from Lemma 4.3 on input $\mathcal{L}$, $r_k$, and $N_k$, receiving as output a vector $x \in \mathcal{L}_{\mathrm{prim}}$ that is distributed uniformly over $\mathcal{L}_{\mathrm{prim}} \cap r_k B_2^n$, up to a factor of $\gamma^{\pm 1}$. If $N_k = 1$, the reduction simply sets $x = \mathrm{SVP}(\mathcal{L})$. Finally, it uses the procedure from Lemma 2.13 to sample an integer $z$ from $D_{\mathbb{Z} \setminus \{0\},\, 1/\|x\|}$ and returns $\bar{x} := z \cdot x$.

First, we note that the reduction runs in expected polynomial time. In particular, the $N_i$ have polynomial bit length by Corollary 2.3, and the various subprocedures have expected running times that are polynomial in the length of their input.

We now prove correctness. Let $\mathcal{L}^\dagger$ be the set of all points that are integer multiples of a lattice vector whose length is at most $r_\ell > \sqrt{n f(n)}$. By Lemma 2.5, it suffices to consider the distribution $D_{\mathcal{L}^\dagger}$, as this is within statistical distance $\varepsilon$ of $D_{\mathcal{L}}$. Then,
$$\rho(\mathcal{L}^\dagger \setminus \{0\}) = \sum_{y \in \mathcal{L}^\dagger \setminus \{0\}} \rho(y) = \sum_{\pm y \in \mathcal{L}_{\mathrm{prim}} \cap r_\ell B_2^n} \rho_{1/\|y\|}(\mathbb{Z} \setminus \{0\}),$$
where the last sum ranges over the $\xi(\mathcal{L}, r_\ell)$ pairs of primitive vectors of length at most $r_\ell$.

A quick computation shows that for any $y$ with $r_{i-1} \le \|y\| \le r_i$, we have
$$\rho_{1/r_i}(\mathbb{Z} \setminus \{0\}) \le \rho_{1/\|y\|}(\mathbb{Z} \setminus \{0\}) \le \gamma \cdot \rho_{1/r_i}(\mathbb{Z} \setminus \{0\}).$$
Recalling the definition of the $w_i$, it follows that
$$\sum_{i=0}^{\ell} \xi(\mathcal{L}, r_i) w_i \le \rho(\mathcal{L}^\dagger \setminus \{0\}) \le \gamma \cdot \sum_{i=0}^{\ell} \xi(\mathcal{L}, r_i) w_i.$$

Now, we would like to say that $N_i \approx \xi(\mathcal{L}, r_i)$, as in Eq. (3). This is of course true by definition except when $N_i = 0 \ne \xi(\mathcal{L}, r_i)$, i.e., when $\lambda_1(\mathcal{L}) < r_i/(n f(n)\, \xi(\mathcal{L}, r_i))$ and $\lambda_1(\mathcal{L}) \le r_i$. But, in this case, a quick computation together with Lemma 2.19 shows that $\xi(\mathcal{L}, r_{i+1}) > r_{i+1}/(n f(n)\, \lambda_1(\mathcal{L}))$, and therefore $N_j$ satisfies Eq. (3) for all $j > i$. (In other words, the $N_i$ can only be "wrong" for at most one value of $i$.) It follows that, for any $i < \ell$, we have
$$\gamma^{-2} \cdot \sum_{j \ge i} \xi(\mathcal{L}, r_j) w_j \le \sum_{j \ge i} N_j w_j \le \sum_{j \ge i} \xi(\mathcal{L}, r_j) w_j.$$
(The case $i = \ell$, in which we might have $N_\ell = 0$, can be handled separately.) In particular,
$$\gamma^{-3} \cdot \rho(\mathcal{L}^\dagger \setminus \{0\}) \le W \le \gamma \cdot \rho(\mathcal{L}^\dagger \setminus \{0\}).$$
So, in particular, the probability that the reduction outputs $0$ is $1/(1 + W)$, which is a good approximation to the correct probability of $1/\rho(\mathcal{L}^\dagger)$.

Now, for any $y \in \mathcal{L}_{\mathrm{prim}}$, it follows from Lemma 4.3 and the argument above that
$$\gamma^{-5} \cdot \frac{\rho_{1/\|y\|}(\mathbb{Z} \setminus \{0\})}{\rho(\mathcal{L}^\dagger)} \le \Pr[x = \pm y] \le \gamma^{5} \cdot \frac{\rho_{1/\|y\|}(\mathbb{Z} \setminus \{0\})}{\rho(\mathcal{L}^\dagger)}. \qquad (4)$$
Finally, for any $w \in \mathcal{L}^\dagger \setminus \{0\}$, let $y$ be one of the two primitive lattice vectors that are scalar multiples of $w$, and let $\bar{z}$ be such that $w = \bar{z} y$. Then,
$$\Pr[\bar{x} = w] = \Pr[x = \pm y] \cdot \Pr[z = \bar{z} \mid x = \pm y] = \Pr[x = \pm y] \cdot \frac{\rho(w)}{\rho_{1/\|y\|}(\mathbb{Z} \setminus \{0\})}.$$
The result follows from plugging the above equation into Eq. (4). (To obtain precisely the factor $\gamma = 1 + 1/f(n)$ claimed in the theorem statement, we may simply run the above procedure with $f(n)$ replaced by, say, $10 f(n)$.)
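The bookkeeping in the proof of Theorem 4.6 (computing the weights $w_i$, the normalization $W$, and the index distribution over $k$) is summarized in the following Python sketch. This is our illustration, not the paper's code; the normalization $s = 1$ is assumed, and `counts` stands for the approximate counts $N_i$ obtained via Theorem 4.5.

    import math
    import random

    def rho_z_nonzero(s, tol=1e-12):
        # rho_s(Z \ {0}) = 2 * sum_{z >= 1} exp(-pi z^2 / s^2), truncated once
        # the terms drop below tol.
        total, z = 0.0, 1
        while True:
            term = 2 * math.exp(-math.pi * z * z / (s * s))
            total += term
            if term < tol:
                return total
            z += 1

    def choose_radius_index(lam, counts, n, f_n):
        # lam = lambda_1(L) (with s = 1); counts[i] = N_i from Theorem 4.5.
        # Returns None (i.e., output the zero vector) with probability
        # 1/(1+W); otherwise returns index k with probability N_k w_k / W.
        ell = math.ceil(n**2 * f_n**2)
        r = [math.sqrt(lam**2 + i / (n * f_n)) for i in range(ell + 1)]
        rho = [rho_z_nonzero(1 / ri) for ri in r]
        w = [rho[i] - rho[i + 1] for i in range(ell)] + [rho[ell]]
        W = sum(N * wi for N, wi in zip(counts, w))
        if W <= 0 or random.random() < 1 / (1 + W):
            return None
        return random.choices(range(ell + 1),
                              weights=[N * wi for N, wi in zip(counts, w)])[0]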
5 Other distributions and norms

We note that our reductions from Sections 3 and 4 do not use any unique properties of the discrete Gaussian distribution or of the $\ell_2$ norm. Above, we focused on this particular case because it has so many applications, while other distributions on lattices seem to be of much less interest. In this section, we show that a much larger class of sampling problems can be reduced to CVP in various different norms.

First, we show that the sparsification result in Proposition 3.2 naturally extends to arbitrary norms $K$. In particular, for any norm $K$, we can use a CVP oracle in norm $K$ to sample (nearly) uniformly from the lattice points in a $K$-ball. (See below for the definitions.) We can naturally extend this to any distribution that can be efficiently written as the weighted average of uniform distributions over the lattice points in $K$-balls. For example, this will be enough to show how to use a CVP oracle in the $\ell_q$ norm to sample from the natural $\ell_q$ generalization of the discrete Gaussian, which assigns to $x \in \mathcal{L} - t$ probability proportional to $e^{-\|x\|_q^q}$, where $\|x\|_q := (\sum |x_i|^q)^{1/q}$ for $1 \le q < \infty$ is the $\ell_q$ norm. Below, we make this precise. For simplicity, we will not worry about the more difficult analogous problem of reducing sampling from centered distributions to SVP.

5.1 Arbitrary distributions and norms

Recall that any norm $\|\cdot\|_K$ over $\mathbb{R}^n$ is uniquely represented by its unit ball, a compact symmetric convex body with non-empty interior $K \subset \mathbb{R}^n$. The norm itself is then simply $\|x\|_K := \min\{r : x \in rK\}$. (Since we are interested in asymptotics, we formally identify $K := (K_1, K_2, \ldots)$ with a sequence of such bodies with $K_n \subset \mathbb{R}^n$, but we will ignore such details.) A $K$-ball with center $c$ and radius $r$ is $rK + c$, the set of all points within distance $r$ of $c$ in the norm $\|\cdot\|_K$.

We define the general problem that interests us below, together with the natural generalization of CVP to arbitrary norms.
Definition 5.1. For any $\gamma \ge 1$, $\varepsilon > 0$, and function $\chi$ mapping a shifted lattice $\mathcal{L} - t$ to a distribution over $\mathcal{L} - t$, the sampling problem $(\gamma, \varepsilon)$-LSP$_\chi$ (the Lattice Sampling Problem) is defined as follows: The input is (a basis of) a lattice $\mathcal{L} \subset \mathbb{Q}^n$ and a shift $t \in \mathbb{Q}^n$. The goal is to output a vector whose distribution is $(\gamma, \varepsilon)$-close to $\chi(\mathcal{L} - t)$.
Definition 5.2. For any norm $\|\cdot\|_K$, the search problem CVP$_K$ (the Closest Vector Problem in norm $K$) is defined as follows: The input is (a basis of) a lattice $\mathcal{L} \subset \mathbb{Q}^n$ and a target vector $t \in \mathbb{Q}^n$. The goal is to output a lattice vector $x$ such that $\|x - t\|_K$ is minimal.

We now observe that Proposition 3.2 generalizes to arbitrary norms. (One can simply check that the proof of Proposition 3.2 does not use any special properties of the $\ell_2$ norm.)
Proposition 5.3. There is a polynomial-time algorithm that takes as input a basis $B$ for a lattice $\mathcal{L} \subset \mathbb{R}^n$ and a prime $p$ and outputs a sublattice $\mathcal{L}' \subseteq \mathcal{L}$ and shift $w \in \mathcal{L}$ such that, for any norm $\|\cdot\|_K$, $t \in \mathbb{R}^n$, $x \in \mathcal{L}$ with $N := |(\mathcal{L} - t) \cap \|x - t\|_K \cdot K| < p$, and any CVP$_K$ oracle,
$$\frac{1}{p} - \frac{N}{p^2} - \frac{N}{p \cdot 2^{n-1}} \le \Pr[\mathrm{CVP}_K(t + w, \mathcal{L}') = x + w] \le \frac{1}{p} + \frac{1}{p \cdot 2^{n}}.$$

And, from this, we obtain a generalization of Lemma 3.3 and Theorem 3.5.
Definition 5.4. For any parameter $\gamma \ge 1$ and norm $\|\cdot\|_K$, $\gamma$-GapVCP$_K$ (the Vector Counting Problem in norm $K$) is the promise problem defined as follows: the input is (a basis of) a lattice $\mathcal{L} \subset \mathbb{Q}^n$, shift $t \in \mathbb{Q}^n$, radius $r > 0$, and an integer $N \ge 1$. It is a NO instance if $|(\mathcal{L} - t) \cap rK| \le N$ and a YES instance if $|(\mathcal{L} - t) \cap rK| > \gamma N$.
Theorem 5.5. For any efficiently computable norm $\|\cdot\|_K$ and efficiently computable function $f(n)$ with $2 \le f(n) \le \mathrm{poly}(n)$, there is a polynomial-time reduction from $\gamma$-GapVCP$_K$ to CVP$_K$, where $\gamma := 1 + 1/f(n)$. Furthermore, there is an (expected) polynomial-time reduction from $(\gamma, 0)$-LSP$_\chi$ to CVP$_K$, where $\chi(\mathcal{L} - t)$ is the uniform distribution on $(\mathcal{L} - t) \cap K$ (or $\chi$ is constant on $-t$ if $(\mathcal{L} - t) \cap K$ is empty). Both reductions preserve dimension and only make calls to the CVP$_K$ oracle on sublattices of the input lattice.

Recall that the sampling algorithm from Theorem 3.6 works by computing a finite sequence of balls $B_1, \ldots, B_\ell$ such that the discrete Gaussian distribution is $(\gamma, \varepsilon)$-close to a weighted average of the uniform distributions over these balls. This motivates the following definition and theorem.
Definition 5.6. For a norm $K$, $\gamma = \gamma(n) \ge 1$, and $\varepsilon = \varepsilon(n) > 0$, we say that a function $\chi$ that maps a shifted lattice $\mathcal{L} - t$ to a distribution over $\mathcal{L} - t$ is $(\gamma, \varepsilon, K)$-ball decomposable if it is $(\gamma, \varepsilon)$-close to a weighted average of uniform distributions over the lattice points inside $K$-balls, and these balls and weightings can be computed efficiently with access to a CVP$_K$ oracle.

Theorem 5.7. For any efficiently computable norm $K$, $\gamma = \gamma(n) \ge 1$, and $\varepsilon = \varepsilon(n) > 0$, if $\chi$ is $(\gamma, \varepsilon, K)$-ball decomposable, then for any efficiently computable function $2 \le f(n) \le \mathrm{poly}(n)$, there is a polynomial-time reduction from $(\gamma', \varepsilon)$-LSP$_\chi$ to CVP$_K$, where $\gamma' := (1 + 1/f(n)) \cdot \gamma$. The reduction preserves dimension and only calls its oracle on sublattices of the input lattice.
Proof. On input $\mathcal{L} \subset \mathbb{Q}^n$ and $t \in \mathbb{Q}^n$, the reduction first calls the procedure guaranteed by Definition 5.6 to obtain a sequence of $K$-balls $B_1, \ldots, B_\ell$ and weights $w_1, \ldots, w_\ell$. It then selects an index $i$ with probability $w_i$. Finally, it uses the sampling procedure from Theorem 5.5 to sample a vector that is $(\gamma, 0)$-close to uniform over $(\mathcal{L} - t) \cap B_i$ and outputs the result.

It is clear that the reduction runs in polynomial time. Correctness follows from the correctness of the various subprocedures and some simple calculations.
Corollary 5.8. For any efficiently computable function $2 \le f(n) \le \mathrm{poly}(n)$ and constant $1 \le q < \infty$, there is an efficient reduction from $(\gamma, \varepsilon)$-LSP$_{\chi_q}$ to CVP$_{\ell_q}$, where $\gamma := (1 + 1/f(n))^2$, $\varepsilon := e^{-f(n)}$, and $\chi_q(\mathcal{L} - t)$ is the distribution that assigns to each $x \in \mathcal{L} - t$ probability proportional to $e^{-\|x\|_q^q}$.

Proof. It suffices to show that $\chi_q$ is $(\sqrt{\gamma}, \varepsilon, \ell_q)$-ball decomposable, i.e., that there is an efficient algorithm with access to a CVP$_q$ oracle that outputs balls and weights as in Definition 5.6. The algorithm first computes $d := \min_{y \in \mathcal{L}} \|y - t\|_q$ using its CVP$_q$ oracle. For $i = 0, \ldots, \ell := \lceil n^q f(n)^{q+1} \rceil$, let $r_i := (d^q + i/f(n))^{1/q}$, $c_i := 0$, and $B_i := r_i K + c_i$. Let $\hat{w}_\ell := e^{-r_\ell^q}$, and for $0 \le i < \ell$, let $\hat{w}_i := e^{-r_i^q} - e^{-r_{i+1}^q}$. The algorithm then uses the counting procedure from Theorem 5.5 to approximate $|(\mathcal{L} - t) \cap B_i| = |(\mathcal{L} - t - c_i) \cap r_i K|$ up to a factor of $1 + 1/f(n) = \sqrt{\gamma}$, receiving as output $N_i$. Finally, let $w_i := N_i \hat{w}_i$. The algorithm then simply outputs the $B_i$ and $w_i$.

A simple calculation shows that this is a valid $(\sqrt{\gamma}, \varepsilon, \ell_q)$-ball decomposition of $\chi_q$.
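The ball decomposition in this proof can be sketched in Python as follows (our illustration). Here count_oracle(r) is a hypothetical $\sqrt{\gamma}$-approximate counter for $|(\mathcal{L} - t) \cap rK|$ obtained from Theorem 5.5, and d is the $\ell_q$ distance from $t$ to $\mathcal{L}$ computed with one CVP$_{\ell_q}$ call.

    import math

    def ball_decomposition_lq(d, q, n, f_n, count_oracle):
        # Corollary 5.8, schematically: decompose the l_q analogue of the
        # discrete Gaussian into uniform distributions over l_q-balls
        # centered at t, with radii r_i and weights N_i * w_hat_i.
        ell = math.ceil(n**q * f_n**(q + 1))
        rq = [d**q + i / f_n for i in range(ell + 1)]   # r_i^q
        radii = [x ** (1 / q) for x in rq]              # r_i
        w_hat = [math.exp(-rq[i]) - math.exp(-rq[i + 1]) for i in range(ell)]
        w_hat.append(math.exp(-rq[ell]))
        weights = [count_oracle(r) * wh for r, wh in zip(radii, w_hat)]
        return radii, weights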
6 A $\sqrt{n/\log n}$-SVP to centered DGS reduction and a lower bound

It is an immediate consequence of Lemma 2.5 that $O(\sqrt{n})$-SVP reduces to DGS. In fact, we can do a bit better.

Proposition 6.1. For any efficiently computable function $2 \le f(n) \le \mathrm{poly}(n)$, there is a polynomial-time reduction from $\gamma$-SVP to $(f, \varepsilon)$-DGS, where $\gamma := \sqrt{n/\log f(n)}$ and $\varepsilon := 1/f(n)$. The reduction only calls the oracle on the input lattice.

Proof. We assume without loss of generality that $n$ is large enough so that $f(n) < 2^{n-1}$. On input $\mathcal{L} \subset \mathbb{Q}^n$, the reduction behaves as follows. Let $d_{\min}, d_{\max} > 0$ with $d_{\min} \le \lambda_1(\mathcal{L}) \le d_{\max}$ be such that the bit lengths of $d_{\min}$ and $d_{\max}$ are polynomially bounded. (E.g., we can take $d_{\min}$ and $d_{\max}$ to be the values guaranteed by Lemma 2.1.) For $i = 0, \ldots, 100 n \lceil \log(d_{\max}/d_{\min}) \rceil$, let
$$s_i := (1 + 1/n)^i \cdot \frac{d_{\min}}{\sqrt{\log f(n)}}.$$
The reduction calls the DGS oracle on input $\mathcal{L}$ and $s_i$ for each $i$, $\lceil n f(n) \rceil$ times. It then returns the shortest resulting non-zero vector.

It is clear that the reduction runs in polynomial time. Let $i$ be such that $s_{i-1} \le \lambda_1(\mathcal{L})/\sqrt{\log f(n)} < s_i$. A quick computation shows that
$$\Pr_{X \sim D_{\mathcal{L}, s_i}}[X = 0] < 1 - \frac{2}{f(n)}.$$
By Lemma 2.5,
$$\Pr_{X \sim D_{\mathcal{L}, s_i}}\big[\|X\| > \gamma \cdot \lambda_1(\mathcal{L})\big] \le \Pr_{X \sim D_{\mathcal{L}, s_i}}\big[\|X\| > s_i \sqrt{n}\big] < 2^{-n}.$$
Therefore, if the samples were truly from $D_{\mathcal{L}, s_i}$, each would be a valid approximation with probability at least $2/f(n) - 2^{-n}$. It follows that each sample from the DGS oracle is a valid approximation with probability at least $1/f(n) - 2^{-n} > 1/(2f(n))$, and the result follows.

(Interestingly, [ADRS15] achieves nearly identical parameters in a different context with a very different algorithm. They work over the dual and only solve the decisional variant of $\gamma$-SVP. Though they are interested in exponential-time algorithms, it is easy to see that their approach yields a polynomial-time reduction from (the decisional variant of) $\gamma$-SVP to DGS for any $\gamma = \Omega(\sqrt{n/\log n})$. See [ADRS15, Theorem 6.5]. Their reduction only requires samples above the smoothing parameter, which is in some sense the reason that they only solve the decisional variant of SVP.)
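The reduction in Proposition 6.1 is a simple grid search over the parameter $s$. A minimal Python sketch (ours), where dgs_oracle(B, s) is a hypothetical oracle returning one sample from (a distribution close to) $D_{\mathcal{L},s}$:

    import math

    def approx_svp_via_dgs(B, d_min, d_max, n, f_n, dgs_oracle):
        # Proposition 6.1, schematically: query the DGS oracle on a geometric
        # grid of parameters s_i and keep the shortest nonzero sample.
        norm = lambda v: math.sqrt(sum(c * c for c in v))
        best = None
        for i in range(100 * n * math.ceil(math.log(d_max / d_min)) + 1):
            s = (1 + 1 / n) ** i * d_min / math.sqrt(math.log(f_n))
            for _ in range(math.ceil(n * f_n)):
                x = dgs_oracle(B, s)
                if any(x) and (best is None or norm(x) < norm(best)):
                    best = x
        return best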
We now show a lower bound on the length of non-zero discrete Gaussian vectors. In particular, for any approximation factor $\gamma = o(\sqrt{n/\log n})$, we show a lattice (technically, a family of lattices indexed by the dimension $n$) such that the probability that $D_{\mathcal{L},s}$ yields a $\gamma$-approximate shortest vector is negligible for any $s$. This shows that any efficient reduction from $\gamma$-SVP to DGS with $\gamma = o(\sqrt{n/\log n})$ must output a vector not returned by the DGS oracle and/or make DGS calls on a lattice other than the input lattice.

Theorem 6.2. For any sufficiently large $n$ and $2 < t < \sqrt{n}/10$, there exists a lattice $\mathcal{L} \subset \mathbb{Q}^n$ with $\lambda_1(\mathcal{L}) = t$ such that for any $s > 0$,
$$\Pr_{X \sim D_{\mathcal{L},s}}\big[0 < \|X\| \le \sqrt{n}/10\big] < e^{-t^2}.$$
In particular, for any $t = \omega(\sqrt{\log n})$, $D_{\mathcal{L},s}$ will yield a $\sqrt{n}/(10t)$-approximate shortest vector with at most negligible probability.

Proof. Fix $n$. Let $\mathcal{L}' \subset \mathbb{Q}^{n-1}$ be an $(n-1)$-dimensional lattice with $\rho_s(\mathcal{L}') \ge 1 + s^{n-1}$ for all $s > 0$ and $\lambda_1(\mathcal{L}') > \sqrt{n-1}/10$. Let $\mathcal{L} := \mathcal{L}' \oplus t\mathbb{Z}$ be the lattice obtained by "appending" a vector of length $t$ to $\mathcal{L}'$. Note that the only vectors of length at most $\sqrt{n-1}/10$ in $\mathcal{L}$ are those that are multiples of the "appended" vector. So,
$$\Pr_{X \sim D_{\mathcal{L},s}}\big[0 < \|X\| \le \sqrt{n-1}/10\big] \le \frac{\rho_s(t\mathbb{Z} \setminus \{0\})}{\rho_s(\mathcal{L}')} \le \frac{\rho_{s/t}(\mathbb{Z} \setminus \{0\})}{1 + s^{n-1}}.$$
Now, if $s \le t$, then the numerator is less than $e^{-t^2}$. If $s > t$, then we have
$$\frac{\rho_{s/t}(\mathbb{Z} \setminus \{0\})}{1 + s^{n-1}} < \frac{s/t}{1 + s^{n-1}} < s^{-n/2} < t^{-n/2} < e^{-t^2},$$
where we have used the fact that $\rho_{s'}(\mathbb{Z} \setminus \{0\}) < s'$ for any $s' > 0$, and the fact that $2 < t < \sqrt{n}/10$.

7 A simple reduction from CVP to DGS

For completeness, we give a simple reduction from CVP to DGS. It suffices to find a parameter $s$ that is small enough so that the weight of a closest vector to the target is much larger than the weight of all non-closest vectors. The only slightly non-trivial observation necessary is that we can take $s$ large enough that it still has polynomial bit length.
Proposition 7.1. For any efficiently computable function $2 \le f(n) \le \mathrm{poly}(n)$, there is a polynomial-time reduction from CVP to $(f, \varepsilon)$-DGS where $\varepsilon := 2^{-f(n)}$. The reduction succeeds with probability at least $1/(2f(n))$ and only makes one oracle call, on $\mathcal{L} - t$ where $\mathcal{L}$ is the input lattice and $t$ is the input target.

Proof. On input $\mathcal{L} \subset \mathbb{Q}^n$ and $t \in \mathbb{Q}^n$, the reduction behaves as follows. Let $q \ge 2$ be an integer of polynomial bit length such that $\mathcal{L} \subseteq \mathbb{Z}^n/q$ and $t \in \mathbb{Z}^n/q$. Let $d$ be the upper bound on $\mu(\mathcal{L})$ guaranteed by Lemma 2.1 (which in particular has polynomial bit length), and let $s := (f(n)\, n\, q \log(2 + d))^{-1}$. The reduction simply samples $y$ from $D_{\mathcal{L}-t,s}$ and returns $y + t \in \mathcal{L}$.

It is clear that the reduction runs in polynomial time. Note that for any point $x \in \mathcal{L}$ that is not a closest point to $t$, we must have $\|x - t\|^2 \ge \mathrm{dist}(t, \mathcal{L})^2 + 1/q^2$. By Corollary 2.6, we have
$$\Pr_{X \sim D_{\mathcal{L}-t,s}}\Big[\|X\|^2 \ge \mathrm{dist}(t, \mathcal{L})^2 + 1/q^2\Big] < e^{-1/(n s^2 q^2)} < e^{-f(n)n}.$$
Therefore, any distribution that is $(f(n), \varepsilon)$-close to $D_{\mathcal{L}-t,s} + t$ must output a closest point with probability at least $1/f(n) - e^{-f(n)n} - \varepsilon > 1/(2f(n))$. It follows that the oracle outputs a closest point with probability at least $1/(2f(n))$, as needed.
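The reduction of Proposition 7.1 makes a single oracle call at a carefully chosen parameter. A minimal Python sketch (ours), with dgs_oracle(B, t, s) a hypothetical oracle sampling from (a distribution close to) $D_{\mathcal{L}-t,s}$, and with $s$ chosen as in the proof above:

    import math

    def cvp_via_dgs(B, t, q, d, f_n, dgs_oracle):
        # Proposition 7.1, schematically: with L in Z^n/q and t in Z^n/q,
        # every non-closest lattice point is farther from t by a quantifiable
        # margin, so at a small enough parameter s the discrete Gaussian
        # D_{L-t,s} lands on a closest vector with noticeable probability.
        n = len(t)
        s = 1 / (f_n * n * q * math.log(2 + d))
        y = dgs_oracle(B, t, s)
        return [yi + ti for yi, ti in zip(y, t)]  # y + t is a lattice vector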
Corollary 7.2. CVP is equivalent to DGS under polynomial-time, dimension-preserving reductions.

Proof.
Combine Theorem 3.6 with Proposition 7.1.
Acknowledgments
I would like to thank Divesh Aggarwal, Daniel Dadush, and Oded Regev for many enlightening discussions and for their helpful comments on early drafts of this work; Daniele Micciancio for finding a bug in an earlier version of Proposition 7.1; and the SODA reviewers for their very helpful and thorough reviews.
References

[Aar14] Scott Aaronson. The equivalence of sampling and searching. Theory of Computing Systems, 55(2):281-298, 2014.
[ABSS93] Sanjeev Arora, László Babai, Jacques Stern, and Z Sweedyk. The hardness of approximate optima in lattices, codes, and systems of linear equations. In FOCS, pages 724-733. IEEE, 1993.
[ADRS15] Divesh Aggarwal, Daniel Dadush, Oded Regev, and Noah Stephens-Davidowitz. Solving the Shortest Vector Problem in 2^n time via discrete Gaussian sampling. In STOC, 2015.
[ADS15] Divesh Aggarwal, Daniel Dadush, and Noah Stephens-Davidowitz. Solving the Closest Vector Problem in 2^n time -- the discrete Gaussian strikes again! In FOCS, 2015.
[Ajt96] Miklós Ajtai. Generating hard instances of lattice problems. In STOC, pages 99-108. ACM, 1996.
[Ajt98] Miklós Ajtai. The shortest vector problem in l_2 is NP-hard for randomized reductions. In STOC, pages 10-19. ACM, 1998.
[AKS01] Miklós Ajtai, Ravi Kumar, and D. Sivakumar. A sieve algorithm for the shortest lattice vector problem. In STOC, pages 601-610, 2001.
[AR05] Dorit Aharonov and Oded Regev. Lattice problems in NP intersect coNP. Journal of the ACM, 52(5):749-765, 2005. Preliminary version in FOCS'04.
[Bab86] L. Babai. On Lovász' lattice reduction and the nearest lattice point problem. Combinatorica, 6(1):1-13, 1986.
[Ban93] W. Banaszczyk. New bounds in some transference theorems in the geometry of numbers. Mathematische Annalen, 296(4):625-635, 1993.
[BHW93] U. Betke, M. Henk, and J.M. Wills. Successive-minima-type inequalities. Discrete & Computational Geometry, 9(1):165-175, 1993.
[BLP+13] Zvika Brakerski, Adeline Langlois, Chris Peikert, Oded Regev, and Damien Stehlé. Classical hardness of learning with errors. In STOC, pages 575-584, 2013.
[BPY01] Philippe Biane, Jim Pitman, and Marc Yor. Probability laws related to the Jacobi theta and Riemann zeta functions, and Brownian excursions. Bull. Amer. Math. Soc. (N.S.), 38(4):435-465, 2001.
[BS99] Johannes Blömer and Jean-Pierre Seifert. On the complexity of computing short linearly independent vectors and short bases in a lattice. In STOC, pages 711-720. ACM, 1999.
[BV11] Zvika Brakerski and Vinod Vaikuntanathan. Efficient fully homomorphic encryption from (standard) LWE. In FOCS, pages 97-106. IEEE, 2011.
[BV14] Zvika Brakerski and Vinod Vaikuntanathan. Lattice-based FHE as secure as PKE. In ITCS, pages 1-12, 2014.
[Cai03] Jin-Yi Cai. A new transference theorem in the geometry of numbers and new bounds for Ajtai's connection factor. Discrete Applied Mathematics, 126(1):9-31, 2003.
[CN98] Jin-Yi Cai and Ajay Nerurkar. Approximating the SVP to within a factor (1 + 1/dim^eps) is NP-hard under randomized conditions. In CCC, pages 46-55. IEEE, 1998.
[DK13] Daniel Dadush and Gabor Kun. Lattice sparsification and the approximate closest vector problem. In SODA, 2013.
[DKRS03] Irit Dinur, Guy Kindler, Ran Raz, and Shmuel Safra. Approximating CVP to within almost-polynomial factors is NP-hard. Combinatorica, 23(2):205-243, 2003.
[DPV11] Daniel Dadush, Chris Peikert, and Santosh Vempala. Enumerative lattice algorithms in any norm via M-ellipsoid coverings. In FOCS, pages 580-589. IEEE, 2011.
[DRS14] Daniel Dadush, Oded Regev, and Noah Stephens-Davidowitz. On the Closest Vector Problem with a distance guarantee. In CCC, pages 98-109, 2014.
[Gen09] Craig Gentry. Fully homomorphic encryption using ideal lattices. In STOC'09: Proceedings of the 2009 ACM International Symposium on Theory of Computing, pages 169-178. ACM, New York, 2009.
[GG98] Oded Goldreich and Shafi Goldwasser. On the limits of non-approximability of lattice problems. In STOC, pages 1-9. ACM, 1998.
[GMSS99] Oded Goldreich, Daniele Micciancio, Shmuel Safra, and Jean-Paul Seifert. Approximating shortest lattice vectors is not harder than approximating closest lattice vectors. Information Processing Letters, 71(2):55-61, 1999.
[GPV08] Craig Gentry, Chris Peikert, and Vinod Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. In STOC, pages 197-206, 2008.
[Hoe63] W. Hoeffding. Probability inequalities for sums of bounded random variables. Journal of the American Statistical Association, 58:13-30, 1963.
[HR12] Ishay Haviv and Oded Regev. Tensor-based hardness of the shortest vector problem to within almost polynomial factors. Theory of Computing, 8(23):513-531, 2012. Preliminary version in STOC'07.
[HR13] Ishay Haviv and Oded Regev. The Euclidean distortion of flat tori. J. Topol. Anal., 5(2):205-223, 2013.
[JS98] Antoine Joux and Jacques Stern. Lattice reduction: A toolbox for the cryptanalyst. Journal of Cryptology, 11(3):161-185, 1998.
[Kan87] Ravi Kannan. Minkowski's convex body theorem and integer programming. Mathematics of Operations Research, 12(3):415-440, 1987.
[Kho05] Subhash Khot. Hardness of approximating the shortest vector problem in lattices. Journal of the ACM, 52(5):789-808, September 2005. Preliminary version in FOCS'04.
[Kle00] Philip Klein. Finding the closest lattice vector when it's unusually close. In SODA, pages 937-941, 2000.
[Len83] Hendrik W. Lenstra, Jr. Integer programming with a fixed number of variables. Mathematics of Operations Research, 8(4):538-548, 1983.
[LLL82] A. K. Lenstra, H. W. Lenstra, Jr., and L. Lovász. Factoring polynomials with rational coefficients. Math. Ann., 261(4):515-534, 1982.
[LLM06] Yi-Kai Liu, Vadim Lyubashevsky, and Daniele Micciancio. On bounded distance decoding for general lattices. In RANDOM, 2006.
[LM09] Vadim Lyubashevsky and Daniele Micciancio. On bounded distance decoding, unique shortest vectors, and the minimum distance problem. In CRYPTO, pages 577-594. Springer, 2009.
[LPR10] Vadim Lyubashevsky, Chris Peikert, and Oded Regev. On ideal lattices and learning with errors over rings. In EUROCRYPT, 2010.
[Mic01] Daniele Micciancio. The shortest vector problem is NP-hard to approximate to within some constant. SIAM Journal on Computing, 30(6):2008-2035, March 2001. Preliminary version in FOCS 1998.
[Mic08] Daniele Micciancio. Efficient reductions among lattice problems. In SODA, pages 84-93. ACM, New York, 2008.
[Mic12] Daniele Micciancio. Inapproximability of the shortest vector problem: Toward a deterministic reduction. Theory of Computing, 8(22):487-512, 2012.
[MP13] Daniele Micciancio and Chris Peikert. Hardness of SIS and LWE with small parameters. In CRYPTO, pages 21-39. Springer, 2013.
[MR07] Daniele Micciancio and Oded Regev. Worst-case to average-case reductions based on Gaussian measures. SIAM Journal on Computing, 37(1):267-302, 2007.
[NS01] Phong Q. Nguyen and Jacques Stern. The two faces of lattices in cryptology. In Cryptography and lattices, pages 146-180. Springer, 2001.
[Odl90] Andrew M. Odlyzko. The rise and fall of knapsack cryptosystems. Cryptology and computational number theory, 42:75-88, 1990.
[Pei09] Chris Peikert. Public-key cryptosystems from the worst-case shortest vector problem. In STOC, pages 333-342. ACM, 2009.
[Pei10] Chris Peikert. An efficient and parallel Gaussian sampler for lattices. In CRYPTO, pages 80-97. Springer, Berlin, 2010.
[Reg09] Oded Regev. On lattices, learning with errors, random linear codes, and cryptography. Journal of the ACM, 56(6):Art. 34, 40, 2009.
[Ros41] Barkley Rosser. Explicit bounds for some functions of prime numbers. American Journal of Mathematics, 63(1):211-232, 1941.
[Sie45] Carl Ludwig Siegel. A mean value theorem in geometry of numbers. Annals of Mathematics, 46(2):340-347, 1945.
[Ste15] Noah Stephens-Davidowitz. Dimension-preserving reductions between lattice problems. http://noahsd.com/latticeproblems.pdf