(Gap/S)ETH hardness of SVP

We prove the following quantitative hardness results for the Shortest Vector Problem in the ℓp norm (SVP_p), where n is the rank of the input lattice. For “almost all” p > p0 ≈ 2.1397, there is no 2n/Cp-time algorithm for SVP_p for some explicit (easily computable) constant Cp > 0 unless the (randomized) Strong Exponential Time Hypothesis (SETH) is false. (E.g., for p ≥ 3, Cp < 1 + (p+3) 2−p + 10 p2 2−2p.) For any 1 ≤ p ≤ ∞, there is no 2o(n)-time algorithm for SVP_p unless the non-uniform Gap-Exponential Time Hypothesis (Gap-ETH) is false. Furthermore, for each such p, there exists a constant γp > 1 such that the same result holds even for γp-approximate SVP_p. For p > 2, the above statement holds under the weaker assumption of randomized Gap-ETH. I.e., there is no 2o(n)-time algorithm for γp-approximate SVP_p unless randomized Gap-ETH is false. See http://arxiv.org/abs/1712.00942 for a complete exposition.

[1]  N. J. A. Sloane,et al.  Sphere Packings, Lattices and Groups , 1987, Grundlehren der mathematischen Wissenschaften.

[2]  Russell Impagliazzo,et al.  Complexity of k-SAT , 1999, Proceedings. Fourteenth Annual IEEE Conference on Computational Complexity (Formerly: Structure in Complexity Theory Conference) (Cat.No.99CB36317).

[3]  Noam D. Elkies,et al.  On the packing densities of superballs and other bodies , 1991 .

[4]  László Lovász,et al.  Factoring polynomials with rational coefficients , 1982 .

[5]  M. Ajtai The shortest vector problem in L2 is NP-hard for randomized reductions (extended abstract) , 1998, STOC '98.

[6]  Anja Becker,et al.  New directions in nearest neighbor searching with applications to lattice sieving , 2016, IACR Cryptol. ePrint Arch..

[7]  Jin-Yi Cai,et al.  Approximating the Svp to within a Factor ? , 2007 .

[8]  Oded Regev,et al.  On lattices, learning with errors, random linear codes, and cryptography , 2005, STOC '05.

[9]  Daniele Micciancio,et al.  Faster exponential time algorithms for the shortest vector problem , 2010, SODA '10.

[10]  Oded Goldreich,et al.  On the Limits of Nonapproximability of Lattice Problems , 2000, J. Comput. Syst. Sci..

[11]  Daniele Micciancio,et al.  Practical, Predictable Lattice Basis Reduction , 2016, EUROCRYPT.

[12]  Daniel Dadush,et al.  Solving the Shortest Vector Problem in 2n Time Using Discrete Gaussian Sampling: Extended Abstract , 2014, STOC.

[13]  Nicolas Gama,et al.  Finding short lattice vectors within mordell's inequality , 2008, STOC.

[14]  Vikraman Arvind,et al.  Some Sieving Algorithms for Lattice Problems , 2008, FSTTCS.

[15]  Phong Q. Nguyen,et al.  Sieve algorithms for the shortest vector problem are practical , 2008, J. Math. Cryptol..

[16]  Andrew Odlyzko,et al.  The Rise and Fall of Knapsack Cryptosystems , 1998 .

[17]  Antoine Joux,et al.  Lattice Reduction: A Toolbox for the Cryptanalyst , 1998, Journal of Cryptology.

[18]  Craig Gentry,et al.  Trapdoors for hard lattices and new cryptographic constructions , 2008, IACR Cryptol. ePrint Arch..

[19]  Jianqing Fan,et al.  Distributions of angles in random packing on spheres , 2013, J. Mach. Learn. Res..

[20]  Santosh S. Vempala,et al.  Enumerative Lattice Algorithms in any Norm Via M-ellipsoid Coverings , 2010, 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science.

[21]  Chris Peikert,et al.  Limits on the Hardness of Lattice Problems in ell _p Norms , 2007, CCC.

[22]  C. P. Schnorr,et al.  A Hierarchy of Polynomial Time Lattice Basis Reduction Algorithms , 1987, Theor. Comput. Sci..

[23]  Alexander Golovnev,et al.  On the Quantitative Hardness of CVP , 2017, 2017 IEEE 58th Annual Symposium on Foundations of Computer Science (FOCS).

[24]  Xiaoyun Wang,et al.  Finding Shortest Lattice Vectors in the Presence of Gaps , 2015, CT-RSA.

[25]  Hendrik W. Lenstra,et al.  Integer Programming with a Fixed Number of Variables , 1983, Math. Oper. Res..

[26]  Miklós Ajtai,et al.  The shortest vector problem in L2 is NP-hard for randomized reductions (extended abstract) , 1998, STOC '98.

[27]  Damien Stehlé,et al.  Solving the Shortest Lattice Vector Problem in Time 22.465n , 2009, IACR Cryptol. ePrint Arch..

[28]  Phong Q. Nguyen The Two Faces of Lattices in Cryptology , 2001, Selected Areas in Cryptography.

[29]  Dorit Aharonov,et al.  Lattice problems in NP ∩ coNP , 2005, JACM.

[30]  Miklós Ajtai,et al.  Generating Hard Instances of Lattice Problems , 1996, Electron. Colloquium Comput. Complex..

[31]  Irit Dinur,et al.  Mildly exponential reduction from gap 3SAT to polynomial-gap label-cover , 2016, Electron. Colloquium Comput. Complex..

[32]  Oded Regev,et al.  Lattice problems and norm embeddings , 2006, STOC '06.

[33]  A. Odlyzko,et al.  Lattice points in high-dimensional spheres , 1990 .

[34]  T. Figiel,et al.  The dimension of almost spherical sections of convex bodies , 1976 .

[35]  Fernando Virdia,et al.  Estimate all the {LWE, NTRU} schemes! , 2018, IACR Cryptol. ePrint Arch..

[36]  Daniele Micciancio The Shortest Vector in a Lattice is Hard to Approximate to within Some Constant , 2000, SIAM J. Comput..

[37]  Divesh Aggarwal,et al.  Faster algorithms for SVP and CVP in the $\ell_{\infty}$ norm , 2018, 1801.02358.

[38]  Thijs Laarhoven,et al.  Faster Sieving for Shortest Lattice Vectors Using Spherical Locality-Sensitive Hashing , 2015, LATINCRYPT.

[39]  Noga Alon Packings with large minimum kissing numbers , 1997, Discret. Math..

[40]  Ravi Kumar,et al.  A sieve algorithm for the shortest lattice vector problem , 2001, STOC '01.

[41]  N. Elkies ABC implies Mordell , 1991 .

[42]  Noah Stephens-Davidowitz,et al.  Discrete Gaussian Sampling Reduces to CVP and SVP , 2015, SODA.

[43]  Ravi Kannan,et al.  Minkowski's Convex Body Theorem and Integer Programming , 1987, Math. Oper. Res..

[44]  Shafi Goldwasser,et al.  Complexity of lattice problems - a cryptographic perspective , 2002, The Kluwer international series in engineering and computer science.

[45]  Chris Peikert,et al.  An Efficient and Parallel Gaussian Sampler for Lattices , 2010, CRYPTO.

[46]  Chris Peikert,et al.  Limits on the Hardness of Lattice Problems in ℓp Norms , 2008, Twenty-Second Annual IEEE Conference on Computational Complexity (CCC'07).

[47]  Erdem Alkim,et al.  Post-quantum Key Exchange - A New Hope , 2016, USENIX Security Symposium.

[48]  KannanRavi Minkowski's Convex Body Theorem and Integer Programming , 1987 .

[49]  Subhash Khot,et al.  Hardness of approximating the shortest vector problem in lattices , 2004, 45th Annual IEEE Symposium on Foundations of Computer Science.

[50]  Daniele Micciancio,et al.  Inapproximability of the Shortest Vector Problem: Toward a Deterministic Reduction , 2012, Theory Comput..

[51]  Craig Costello,et al.  Frodo: Take off the Ring! Practical, Quantum-Secure Key Exchange from LWE , 2016, IACR Cryptol. ePrint Arch..

[52]  Jin-Yi Cai,et al.  Approximating the SVP to within a factor (1-1/dim/sup /spl epsiv//) is NP-hard under randomized conditions , 1998, Proceedings. Thirteenth Annual IEEE Conference on Computational Complexity (Formerly: Structure in Complexity Theory Conference) (Cat. No.98CB36247).

[53]  Jean-Pierre Seifert,et al.  Approximating Shortest Lattice Vectors is Not Harder Than Approximating Closest Lattice Vectors , 1999, Electron. Colloquium Comput. Complex..

[54]  Miklós Ajtai,et al.  Generating hard instances of lattice problems (extended abstract) , 1996, STOC '96.

[55]  Xiaoyun Wang,et al.  Improved Nguyen-Vidick heuristic sieve algorithm for shortest vector problem , 2011, ASIACCS '11.

[56]  Chris Peikert,et al.  A Decade of Lattice Cryptography , 2016, Found. Trends Theor. Comput. Sci..

[57]  Thijs Laarhoven,et al.  Sieving for Shortest Vectors in Lattices Using Angular Locality-Sensitive Hashing , 2015, CRYPTO.

[58]  Oded Regev,et al.  Tensor-based Hardness of the Shortest Vector Problem to within Almost Polynomial Factors , 2012, Theory Comput..

[59]  Adi Shamir,et al.  A polynomial time algorithm for breaking the basic Merkle-Hellman cryptosystem , 1984, 23rd Annual Symposium on Foundations of Computer Science (sfcs 1982).

[60]  Divesh Aggarwal,et al.  Just Take the Average! An Embarrassingly Simple $2^n$-Time Algorithm for SVP (and CVP) , 2017, SOSA.

[61]  Johannes Blömer,et al.  Sampling Methods for Shortest Vectors, Closest Vectors and Successive Minima , 2007, ICALP.

[62]  Prasad Raghavendra,et al.  A Birthday Repetition Theorem and Complexity of Approximating Dense CSPs , 2016, ICALP.

[63]  Serge Vluaduct Lattices with exponentially large kissing numbers , 2018, Moscow Journal of Combinatorics and Number Theory.