ABSTRACT
We study the complexity of lattice problems in a world where algorithms, reductions, and protocols can run in superpolynomial time. Specifically, we revisit four foundational results in this context—two protocols and two worst-case to average-case reductions. We show how to improve the approximation factor in each result by a factor of roughly √n / log n when running the protocol or reduction in 2^{εn} time instead of polynomial time, and we show a novel protocol with no polynomial-time analog. Our results are as follows.
(1) We show a worst-case to average-case reduction proving that secret-key cryptography (specifically, collision-resistant hash functions) exists if the (decision version of the) Shortest Vector Problem (SVP) cannot be approximated to within a factor of Õ(√n) in 2^{εn} time. This extends to our setting Ajtai’s celebrated polynomial-time reduction for the Short Integer Solutions (SIS) problem (1996), which showed (after improvements by Micciancio and Regev (2004, 2007)) that secret-key cryptography exists if SVP cannot be approximated to within a factor of Õ(n) in polynomial time.
(2) We show another worst-case to average-case reduction proving that public-key cryptography exists if SVP cannot be approximated to within a factor of Õ(n) in 2^{εn} time. This extends Regev’s celebrated polynomial-time reduction for the Learning with Errors (LWE) problem (2005, 2009), which achieved an approximation factor of Õ(n^{1.5}). In fact, Regev’s reduction is quantum, but we prove our result under a classical reduction, generalizing Peikert’s polynomial-time classical reduction (2009), which achieved an approximation factor of Õ(n^2).
(3) We show that the (decision version of the) Closest Vector Problem (CVP) with a constant approximation factor has a coAM protocol with a 2^{εn}-time verifier. We prove this via a (very simple) generalization of the celebrated polynomial-time protocol due to Goldreich and Goldwasser (1998, 2000). It follows that the recent series of 2^{εn}-time and even 2^{(1−ε)n}-time hardness results for CVP cannot be extended to large constant approximation factors γ unless AMETH is false. We also rule out 2^{(1−ε)n}-time lower bounds for any constant approximation factor γ > √2, under plausible complexity-theoretic assumptions. (These results also extend to arbitrary norms, with different constants.)
(4) We show that O(√(log n))-approximate SVP has a coNTIME protocol with a 2^{εn}-time verifier. Here, the analogous (also celebrated!) polynomial-time result is due to Aharonov and Regev (2005), who showed a polynomial-time protocol achieving an approximation factor of √n (for both SVP and CVP, while we only achieve this result for CVP). This result implies similar barriers to hardness, with a larger approximation factor under weaker complexity-theoretic conjectures (as does the next result).
(5) Finally, we give a novel coMA protocol for constant-factor-approximate CVP with a 2^{εn}-time verifier. Unlike our other results, this protocol has no known analog in the polynomial-time regime.
All of the results described above are special cases of more general theorems that achieve time-approximation factor tradeoffs. In particular, the tradeoffs for the first four results smoothly interpolate from the polynomial-time results in prior work to our new results in the exponential-time world.
- Divesh Aggarwal, Huck Bennett, Zvika Brakerski, Alexander Golovnev, Rajendra Kumar, Zeyong Li, Spencer Peters, Noah Stephens-Davidowitz, and Vinod Vaikuntanathan. 2022. Lattice Problems Beyond Polynomial Time. arxiv:2211.11693
- Divesh Aggarwal, Huck Bennett, Alexander Golovnev, and Noah Stephens-Davidowitz. 2021. Fine-Grained Hardness of CVP(P)—Everything That We Can Prove (and Nothing Else). In SODA. arxiv:1911.02440
- Divesh Aggarwal and Eldon Chung. 2021. A Note on the Concrete Hardness of the Shortest Independent Vector in Lattices. Inform. Process. Lett., 167 (2021).
- Divesh Aggarwal, Zeyong Li, and Noah Stephens-Davidowitz. 2021. A 2^{n/2}-Time Algorithm for √n-SVP and √n-Hermite SVP, and an Improved Time-Approximation Tradeoff for (H)SVP. In Eurocrypt. arxiv:2007.09556
- Divesh Aggarwal and Noah Stephens-Davidowitz. 2018. (Gap/S)ETH Hardness of SVP. In STOC. arxiv:1712.00942
- Dorit Aharonov and Oded Regev. 2005. Lattice Problems in NP ∩ coNP. J. ACM, 52, 5 (2005), 749–765. Preliminary version in FOCS, 2005.
- Miklós Ajtai. 1996. Generating Hard Instances of Lattice Problems. In STOC.
- Miklós Ajtai. 1998. The Shortest Vector Problem in L_2 Is NP-hard for Randomized Reductions. In STOC.
- Roberto Avanzi, Joppe W. Bos, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Vadim Lyubashevsky, John M. Schanck, Peter Schwabe, Gregor Seiler, and Damien Stehlé. 2021. CRYSTALS-Kyber (Version 3.02) – Submission to Round 3 of the NIST Post-Quantum Project. https://pq-crystals.org/kyber/resources.shtml
- Wojciech Banaszczyk. 1993. New Bounds in Some Transference Theorems in the Geometry of Numbers. Math. Ann., 296, 4 (1993), 625–635.
- Boaz Barak, Fernando G.S.L. Brandao, Aram W. Harrow, Jonathan Kelner, David Steurer, and Yuan Zhou. 2012. Hypercontractivity, Sum-of-Squares Proofs, and Their Applications. In STOC.
- Huck Bennett. 2022. The Complexity of the Shortest Vector Problem. Invited survey. To appear, SIGACT News Open Problems Column.
- Huck Bennett, Alexander Golovnev, and Noah Stephens-Davidowitz. 2017. On the Quantitative Hardness of CVP. In FOCS. arxiv:1704.03928
- Huck Bennett, Chris Peikert, and Yi Tang. 2022. Improved Hardness of BDD and SVP under Gap-(S)ETH. In ITCS.
- Zvika Brakerski, Adeline Langlois, Chris Peikert, Oded Regev, and Damien Stehlé. 2013. Classical Hardness of Learning with Errors. In STOC. arxiv:1306.0281
- Zvika Brakerski, Noah Stephens-Davidowitz, and Vinod Vaikuntanathan. 2021. On the Hardness of Average-Case k-SUM. In RANDOM.
- Jin-Yi Cai and Ajay Nerurkar. 1999. Approximating the SVP to within a factor (1 + 1/dim^ε) is NP-hard under Randomized Reductions. J. Comput. System Sci., 59, 2 (1999), 221–239.
- Irit Dinur, Guy Kindler, Ran Raz, and Shmuel Safra. 2003. Approximating CVP to within Almost-Polynomial Factors Is NP-Hard. Combinatorica, 23, 2 (2003), 205–243.
- Nicolas Gama and Phong Q. Nguyen. 2008. Finding Short Lattice Vectors within Mordell’s Inequality. In STOC.
- Craig Gentry, Chris Peikert, and Vinod Vaikuntanathan. 2008. Trapdoors for Hard Lattices and New Cryptographic Constructions. In STOC. https://eprint.iacr.org/2007/432
- Oded Goldreich and Shafi Goldwasser. 2000. On the Limits of Nonapproximability of Lattice Problems. J. Comput. System Sci., 60, 3 (2000), 540–563. https://doi.org/10.1006/jcss.1999.1686 Preliminary version in STOC 1998.
- Oded Goldreich, Shafi Goldwasser, and Shai Halevi. 2011. Collision-Free Hashing from Lattice Problems. In Studies in Complexity and Cryptography. Miscellanea on the Interplay between Randomness and Computation. Springer, 30–39. See also the original version https://eccc.weizmann.ac.il/eccc-reports/1996/TR96-042/index.html
- Oded Goldreich, Daniele Micciancio, Shmuel Safra, and Jean-Pierre Seifert. 1999. Approximating shortest lattice vectors is not harder than approximating closest lattice vectors. Inform. Process. Lett., 71, 2 (1999), 55–61.
- Ishay Haviv and Oded Regev. 2012. Tensor-Based hardness of the Shortest Vector Problem to within Almost Polynomial Factors. Theory of Computing, 8, 23 (2012), 513–531.
- Subhash Khot. 2005. Hardness of Approximating the Shortest Vector Problem in Lattices. J. ACM, 52, 5 (2005), 789–808.
- Arjen K. Lenstra, Hendrik W. Lenstra, Jr., and László Lovász. 1982. Factoring Polynomials with Rational Coefficients. Math. Ann., 261, 4 (1982), 515–534.
- Vadim Lyubashevsky and Daniele Micciancio. 2009. On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem. In CRYPTO.
- Daniele Micciancio. 2001. The Shortest Vector Problem Is NP-hard to Approximate to within Some Constant. SIAM J. Comput., 30, 6 (2001), 2008–2035.
- Daniele Micciancio. 2012. Inapproximability of the Shortest Vector Problem: Toward a deterministic reduction. Theory of Computing, 8 (2012), 487–512.
- Daniele Micciancio and Chris Peikert. 2013. Hardness of SIS and LWE with Small Parameters. In CRYPTO.
- Daniele Micciancio and Oded Regev. 2007. Worst-Case to Average-Case Reductions Based on Gaussian Measures. SIAM Journal of Computing, 37, 1 (2007), 267–302. Preliminary version in FOCS 2004.
- NIST. 2022. Selected Algorithms 2022 - Post-Quantum Cryptography. https://csrc.nist.gov/Projects/post-quantum-cryptography/selected-algorithms-2022
- Chris Peikert. 2009. Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem. In STOC.
- Chris Peikert. 2016. A Decade of Lattice Cryptography. Foundations and Trends in Theoretical Computer Science, 10, 4 (2016), 283–424.
- Chris Peikert, Oded Regev, and Noah Stephens-Davidowitz. 2017. Pseudorandomness of Ring-LWE for Any Ring and Modulus. In STOC.
- Oded Regev. 2009. On Lattices, Learning with Errors, Random Linear Codes, and Cryptography. J. ACM, 56, 6 (2009), Art. 34, 40. Preliminary version in STOC 2005.
- Claus-Peter Schnorr. 1987. A Hierarchy of Polynomial Time Lattice Basis Reduction Algorithms. Theoretical Computer Science, 53, 23 (1987), 201–224.
- Peter van Emde Boas. 1981. Another NP-Complete Problem and the Complexity of Computing Short Vectors in a Lattice. University of Amsterdam, Department of Mathematics, Netherlands.
- Ryan Williams. 2016. Strong ETH Breaks With Merlin and Arthur: Short Non-Interactive Proofs of Batch Evaluation. In CCC.