On the hardness of the shortest vector problem

An n-dimensional lattice is the set of all integral linear combinations of n linearly independent vectors in R^m. One of the most studied algorithmic problems on lattices is the shortest vector problem (SVP): given a lattice, find the shortest non-zero vector in it. We prove that the shortest vector problem is NP-hard (for randomized reductions) to approximate within some constant factor greater than 1 in any l_p norm (p ≥ 1). In particular, we prove the NP-hardness of approximating SVP in the Euclidean norm l_2 within any factor less than √2. The same NP-hardness results hold for deterministic non-uniform reductions. A deterministic uniform reduction is also given under a reasonable number-theoretic conjecture concerning the distribution of smooth numbers. In proving the NP-hardness of SVP we develop a number of technical tools that might be of independent interest. In particular, a lattice packing is constructed with the property that the number of unit spheres contained in an n-dimensional ball of radius greater than 1+√2 grows exponentially in n, and a new constructive version of Sauer's lemma (a combinatorial result related to the notion of VC-dimension) is presented, considerably simplifying all previously known constructions. (Copies available exclusively from MIT Libraries, Rm. 14-0551, Cambridge, MA 02139-4307. Ph. 617-253-5668; Fax 617-253-1690.)
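The definitions above (lattice as integral combinations of a basis, SVP in an l_p norm) can be made concrete on a tiny instance. The following is an added example, not code from the thesis: it enumerates lattice vectors of a constructed 2-dimensional integer basis to find the shortest non-zero vector in the l_1, l_2 and l_inf norms, and cross-checks the Euclidean answer with Lagrange-Gauss reduction, the classical algorithm that solves SVP exactly in dimension 2. The basis (5,2), (3,4) and the coefficient bound of the exhaustive search are assumptions made for illustration; the exhaustive search has (2*bound+1)^n candidates, which is exactly the exponential blow-up that the hardness result says cannot be avoided in general.

```python
"""Exact SVP on a tiny instance: exhaustive search in any l_p norm, plus
Lagrange-Gauss reduction for the 2-dimensional Euclidean case.
Added example; the basis below is constructed, not taken from the thesis."""
import itertools
import math
from fractions import Fraction


def lp_norm(v, p):
    """l_p norm of an integer vector; p = math.inf gives the max norm."""
    if p == math.inf:
        return max(abs(x) for x in v)
    return sum(abs(x) ** p for x in v) ** (1.0 / p)


def lattice_vector(basis, coeffs):
    """Integral linear combination sum_i coeffs[i] * basis[i]."""
    dim = len(basis[0])
    return tuple(sum(c * b[i] for c, b in zip(coeffs, basis)) for i in range(dim))


def svp_bruteforce(basis, p=2, bound=5):
    """Enumerate every coefficient vector in [-bound, bound]^n and return
    (shortest non-zero lattice vector found, its l_p length).
    Only complete if the true shortest vector has coefficients inside the
    box (an assumption here); the search space is (2*bound+1)^n."""
    best, best_len = None, math.inf
    for coeffs in itertools.product(range(-bound, bound + 1), repeat=len(basis)):
        if not any(coeffs):
            continue  # the zero vector is excluded by definition of SVP
        v = lattice_vector(basis, coeffs)
        length = lp_norm(v, p)
        if length < best_len:
            best, best_len = v, length
    return best, best_len


def gauss_reduce(b1, b2):
    """Lagrange-Gauss reduction of a 2-dimensional integer basis.
    Returns (b1, b2) where b1 is a shortest non-zero lattice vector in l_2.
    Exact rational arithmetic avoids rounding errors in the size-reduction step."""
    def dot(u, v):
        return sum(x * y for x, y in zip(u, v))

    if dot(b1, b1) > dot(b2, b2):
        b1, b2 = b2, b1
    while True:
        mu = round(Fraction(dot(b1, b2), dot(b1, b1)))  # nearest integer
        b2 = tuple(y - mu * x for x, y in zip(b1, b2))   # size-reduce b2 by b1
        if dot(b2, b2) >= dot(b1, b1):
            return b1, b2
        b1, b2 = b2, b1  # b2 became shorter: swap and repeat


if __name__ == "__main__":
    basis = [(5, 2), (3, 4)]  # constructed example basis, det = 14
    for p in (1, 2, math.inf):
        v, length = svp_bruteforce(basis, p)
        print(f"l_{p}: shortest vector {v}, length {length}")
    print("Gauss-reduced basis:", gauss_reduce(*basis))
```

On this basis the vector (2,-2) = b1 - b2 is shortest in all three norms (l_2 length √8, l_1 length 4, l_inf length 2), and Gauss reduction finds it in two iterations; in general the minimizer depends on the norm, which is why the thesis states the hardness result separately for each l_p.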
