On The Quantitative Hardness of the Closest Vector Problem

Presentation transcript:

On The Quantitative Hardness of the Closest Vector Problem. Huck Bennett (Northwestern University). 68th Midwest Theory Day (4/12/2018). Based on joint work with Alexander Golovnev (Columbia University and Yahoo Research) and Noah Stephens-Davidowitz (Princeton University).

This talk Lattice-based cryptography Fine-grained complexity Quantitative hardness of CVP

Lattices. A lattice is the set of all integer combinations of some linearly independent vectors $B := (b_1, \dots, b_n)$. $L(B) := \{\sum_{i=1}^{n} a_i b_i : a_1, \dots, a_n \in \mathbb{Z}\}$ is the lattice generated by basis $B$.

Lattices in Computer Science Lattice-based cryptography: Conjectured to be secure against quantum attacks. Based on worst-case hardness of lattice problems. Encryption/decryption use simple operations. Allows for new applications. E.g., Fully-homomorphic encryption. Algorithmic applications of lattices: Integer programming. Cryptanalysis. Coding theory. Many more.

The Closest Vector Problem (CVP). The $\ell_p$-norm of $x \in \mathbb{R}^d$ for $p \in [1, \infty)$: $\|x\|_p := (|x_1|^p + |x_2|^p + \dots + |x_d|^p)^{1/p}$. An instance of the Closest Vector Problem with respect to the $\ell_p$-norm ($\mathrm{CVP}_p$) is a triple $(B, t, r)$: a basis matrix $B = (b_1, \dots, b_n) \in \mathbb{R}^{d \times n}$, a target vector $t \in \mathbb{R}^d$, and a distance threshold $r > 0$. Goal: decide whether there exists $y \in \mathbb{Z}^n$ such that $\|By - t\|_p \le r$.

The Complexity of CVP. A long line of work has studied the complexity of CVP. Security of lattice-based cryptography is based on the hardness of related, easier problems. Quantitative hardness of CVP is necessary for practical security, and important for picking key sizes: e.g., a $2^{n/20}$-time algorithm for CVP would break some cryptosystems [ADPS16, BCD+16]. The complexity of CVP, a long line of work (algorithms in green, hardness in red on the slide): algorithms $n^{O(n)}$ [Kan87], $4^n$ [MV13], $2^n$ [ADS15]; hardness $n^{\omega(1)}$ [vEB81], $2^n$ [BGS17] (our work!). Our bound has a caveat: it doesn't apply to $\ell_2$. Our work is a necessary, not sufficient, condition for the security of practical lattice-based cryptography.

A fine-grained reduction from $k$-SAT to CVP. Strong Exponential Time Hypothesis (SETH): for every $\varepsilon > 0$, there exists $k \in \mathbb{Z}^+$ such that $k$-SAT has no $2^{(1-\varepsilon)n}$-time algorithm. "Brute force $2^n$ time is optimal for large $k$." Goal: reduce a $k$-SAT instance $\Phi$ on $n$ variables to a $\mathrm{CVP}_p$ instance of rank $n$ for every $k$. This would prove that there is no $1.99^n$-time algorithm for $\mathrm{CVP}_p$ assuming SETH. Reduction idea: a 0-1 combination of basis vectors will correspond to an assignment to $\Phi$; combinations corresponding to satisfying assignments will be closer to $t$.

A First Reduction: 2-SAT to $\mathrm{CVP}_p$. Map a 2-SAT formula $\Phi := \bigwedge_{i=1}^{m} C_i$ on variables $x_1, \dots, x_n$ to a $\mathrm{CVP}_p$ instance. Output instance: $B := \begin{pmatrix} B' \\ 2\alpha I_n \end{pmatrix}$, $t := \begin{pmatrix} t' \\ \alpha \mathbf{1}_n \end{pmatrix}$, $r$. The block $B'$ has $n$ columns indexed by variables and $m$ rows indexed by clauses, with two non-zero entries per row: $B'_{i,j} := 2$ if $C_i$ contains $x_j$, $-2$ if $C_i$ contains $\neg x_j$, and $0$ otherwise; $t'_i := 3 - 2 \cdot (\text{number of negative literals in } C_i)$. [Slide figure: block layout of $B$ and $t$, columns $x_1, x_2, x_3, \dots, x_n$, rows $C_1, C_2, C_3, \dots, C_m$ for the $B'$ and $t'$ blocks, with $2\alpha I_n$ and $\alpha \mathbf{1}_n$ below.] Only need to consider 0-1 combinations of basis vectors.

A First Reduction: MAX-2-SAT to $\mathrm{CVP}_p$. Example $\Phi$ with $C_1 := x_1 \vee x_3$ and $C_2 := \neg x_1 \vee x_n$. Consider $y \in \{0,1\}^n$ with $y_1 := 1$, $y_3 := 0$, $y_n := 0$. Want to analyze the contribution of each clause to $\|By - t\|_p^p$: each satisfied clause contributes $1$; each unsatisfied clause contributes $3^p$. $\|By - t\|_p^p$ counts the number of clauses satisfied by $y$! [Slide figure: the $B'$ rows for $C_1$ (entries $2$ in columns $x_1$, $x_3$; $t'_1 = 3$) and $C_2$ (entries $-2$ in column $x_1$ and $2$ in column $x_n$; $t'_2 = 1$), above the $2\alpha I_n$ and $\alpha \mathbf{1}_n$ blocks.]

Extending to larger $k$: Isolating Parallelepipeds. At most two numbers can be equidistant from a given number. Idea: many vectors can be equidistant from a given vector. A collection of vectors $V = (v_1, \dots, v_k)$ and shift $t^*$ form a $(p,k)$-isolating parallelepiped if $\|Vx - t^*\|_p = 1$ for all $x \in \{0,1\}^k \setminus \{0\}$, and $\|t^*\|_p > 1$.

A Generalized Reduction: $k$-SAT to $\mathrm{CVP}_p$. Reduction from 2-SAT (recap): map a 2-SAT formula $\Phi := \bigwedge_{i=1}^{m} C_i$ on variables $x_1, \dots, x_n$ to a $\mathrm{CVP}_p$ instance. Output instance: $B := \begin{pmatrix} B' \\ 2\alpha I_n \end{pmatrix}$, $t := \begin{pmatrix} t' \\ \alpha \mathbf{1}_n \end{pmatrix}$, $r$, where $B'_{i,j} := 2$ if $C_i$ contains $x_j$, $-2$ if $C_i$ contains $\neg x_j$, $0$ otherwise, and $t'_i := 3 - 2 \cdot (\text{number of negative literals in } C_i)$. Reduction from $k$-SAT: assume a $(p,k)$-isolating parallelepiped exists, formed by some $V = (v_1, \dots, v_k)$ and $t^*$. Map a $k$-SAT formula $\Phi := \bigwedge_{i=1}^{m} C_i$ on variables $x_1, \dots, x_n$ to a $\mathrm{CVP}_p$ instance. Output instance: $B := \begin{pmatrix} B' \\ 2\alpha I_n \end{pmatrix}$, $t$, $r$, where $B'_{i,j} := v_s$ if $x_j$ is the $s$-th literal in $C_i$, $-v_s$ if $\neg x_j$ is the $s$-th literal in $C_i$, and $0$ otherwise; $t_i := t^* - \sum_s v_s$, summing over the indices $s$ of negative literals in $C_i$. Warning: abuse of notation. Each $v_s$ is a vector, so now each $B'_{i,j}$ and $t_i$ denotes a block.
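The following is an added example, not code from the talk or its authors: it implements the generalized reduction above for an arbitrary clause width given an isolating parallelepiped, checks the $(p,k)$-isolating conditions numerically, and instantiates it with the 2-SAT gadget ($V = (2, 2)$, $t^* = 3$) so that $\|By - t\|_p^p$ can be compared against the number of satisfied clauses. The literal encoding (signed 1-indexed integers) and the variable names are this example's own choices.

```python
from itertools import product

def norm_p_pow(v, p):
    """||v||_p^p = sum_i |v_i|^p, the quantity the talk analyses clause by clause."""
    return sum(abs(c) ** p for c in v)

def is_isolating_parallelepiped(V, t_star, p, tol=1e-9):
    """(p,k)-isolating parallelepiped test: ||Vx - t*||_p = 1 for every nonzero
    x in {0,1}^k and ||t*||_p > 1.  V is a list of k column vectors in R^d."""
    k, d = len(V), len(t_star)
    for x in product((0, 1), repeat=k):
        if not any(x):
            continue
        w = [sum(V[s][i] * x[s] for s in range(k)) - t_star[i] for i in range(d)]
        if abs(norm_p_pow(w, p) ** (1 / p) - 1) > tol:
            return False
    return norm_p_pow(t_star, p) ** (1 / p) > 1

def ksat_to_cvp(clauses, n, V, t_star, alpha):
    """Generalised reduction.  clauses: list of k-tuples of literals, +j / -j
    meaning x_j / not x_j (1-indexed).  (V, t_star): a (p,k)-isolating
    parallelepiped.  Returns B as a list of rows plus the target t, with the
    2*alpha*I_n / alpha*1_n gadget that forces 0-1 coefficients appended."""
    k, d = len(V), len(t_star)
    rows, t = [], []
    for clause in clauses:
        block, tb = [[0] * n for _ in range(d)], list(t_star)  # block B'_{i,.} and t_i
        for s, lit in enumerate(clause):
            j, sign = abs(lit) - 1, (1 if lit > 0 else -1)
            for i in range(d):
                block[i][j] += sign * V[s][i]        # +v_s for x_j, -v_s for not x_j
                if sign < 0:
                    tb[i] -= V[s][i]                 # t_i = t* - sum over negative literals
        rows.extend(block)
        t.extend(tb)
    for j in range(n):
        rows.append([2 * alpha if c == j else 0 for c in range(n)])
        t.append(alpha)
    return rows, t

def cvp_cost(rows, t, y, p):
    """||By - t||_p^p for an integer coefficient vector y."""
    return norm_p_pow([sum(r[j] * y[j] for j in range(len(y))) - ti
                       for r, ti in zip(rows, t)], p)

def satisfied(clauses, y):
    """Number of clauses satisfied by the 0-1 assignment y."""
    return sum(any((lit > 0) == bool(y[abs(lit) - 1]) for lit in clause)
               for clause in clauses)

# The 2-SAT gadget from the talk: V = (2, 2), t* = 3, a (p,2)-isolating parallelepiped.
V2, T2 = [[2], [2]], [3]
```

For a 0-1 assignment $y$ of a 2-SAT formula with $m$ clauses, the cost is (number of satisfied clauses) $+ 3^p \cdot$ (number of unsatisfied clauses) $+ n\alpha^p$, which the test below checks on the slide's example clauses.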

Main Result. Theorem 1: If $(p,k)$-isolating parallelepipeds exist for some $p$ and every $k$, then we can reduce $k$-SAT instances $\Phi$ on $n$ variables to $\mathrm{CVP}_p$ instances of rank $n$ for every $k$. But when do isolating parallelepipeds even exist? Theorem 2: For every odd integer $p \in [1, \infty)$ and every $k \in \mathbb{Z}^+$ there exists a computable $(p,k)$-isolating parallelepiped. Corollary: For every odd integer $p \in [1, \infty)$ and every constant $\varepsilon > 0$, there is no $2^{(1-\varepsilon)n}$-time algorithm for $\mathrm{CVP}_p$ instances on lattices of rank $n$ assuming SETH. Our approach extends to almost every $p \in [1, \infty)$ and to $p = \infty$. There is a $2^{n + o(n)}$-time algorithm for the important Euclidean case, $\mathrm{CVP}_2$ [ADS15]. Our approach (provably) does not extend to even integers. Unfortunately, 2 is an even integer.

Conclusion and Open Questions. Our results: Main result: there is no $1.99^n$-time algorithm for $\mathrm{CVP}_p$ assuming SETH for almost every $p \in [1, \infty]$, including odd integers and excluding even integers $p$. Hardness of approximation from (randomized) Gap-ETH for $\mathrm{CVP}_p$ for all $p$. Other quantitative hardness results for $\mathrm{CVP}_p$, $\mathrm{CVPP}_p$, and $\mathrm{SVP}_\infty$. Open questions: SETH-hardness of $\mathrm{CVP}_2$. Quantitative hardness of the Shortest Vector Problem (SVP); addressed in recent work of Aggarwal and Stephens-Davidowitz (STOC 2018). Improved quantitative hardness of approximation.

Thank you!

Constructing isolating parallelepipeds. A sketch of the idea for constructing $(p,k)$-isolating parallelepipeds: let $V \in \mathbb{Z}^{2^k \times k}$ have a row for each element of $\{-1, 1\}^k$. Set all entries of $t^*$ to $t^*$. Scale rows of $V$ of Hamming weight $i$ by $\alpha_i \ge 0$, and also scale the corresponding entries of $t^*$. For $k = 3$: $V := \begin{pmatrix} -1 & -1 & -1 \\ -1 & -1 & 1 \\ -1 & 1 & -1 \\ 1 & -1 & -1 \\ -1 & 1 & 1 \\ 1 & -1 & 1 \\ 1 & 1 & -1 \\ 1 & 1 & 1 \end{pmatrix}$, $t^* := \begin{pmatrix} t^* \\ t^* \\ t^* \\ t^* \\ t^* \\ t^* \\ t^* \\ t^* \end{pmatrix}$.

Constructing isolating parallelepipeds. A sketch of the $(p,k)$-isolating parallelepiped construction: let $V \in \mathbb{Z}^{2^k \times k}$ have a row for each element of $\{-1, 1\}^k$. Set all entries of $t^*$ to $t^*$. Scale rows of $V$ of Hamming weight $i$ by $\alpha_i \ge 0$, and also scale the corresponding entries of $t^*$. Then $\|Vx - t^*\|_p$ only depends on the Hamming weight of $x$. Use ideas from combinatorics and analysis to show that $\alpha_0, \alpha_1, \dots, \alpha_k \ge 0$ and $t^*$ exist so that $(V, t^*)$ satisfy the $(p,k)$-isolating parallelepiped conditions. For $k = 3$: $V := \begin{pmatrix} -\alpha_0 & -\alpha_0 & -\alpha_0 \\ -\alpha_1 & -\alpha_1 & \alpha_1 \\ -\alpha_1 & \alpha_1 & -\alpha_1 \\ \alpha_1 & -\alpha_1 & -\alpha_1 \\ -\alpha_2 & \alpha_2 & \alpha_2 \\ \alpha_2 & -\alpha_2 & \alpha_2 \\ \alpha_2 & \alpha_2 & -\alpha_2 \\ \alpha_3 & \alpha_3 & \alpha_3 \end{pmatrix}$, $t^* := \begin{pmatrix} \alpha_0 t^* \\ \alpha_1 t^* \\ \alpha_1 t^* \\ \alpha_1 t^* \\ \alpha_2 t^* \\ \alpha_2 t^* \\ \alpha_2 t^* \\ \alpha_3 t^* \end{pmatrix}$.