1. On The Quantitative Hardness of the Closest Vector Problem
Huck BennetT (Northwestern University)
68th Midwest Theory Day (4/12/2018)
Based on Joint Work with: Alexander Golovnev (Columbia University and Yahoo Research) Noah Stephens-Davidowitz (Princeton University)

2. This talk Lattice-based cryptography Fine-grained complexity
Quantitative hardness of CVP

3. Lattices
A lattice is the set of all integer combinations of some linearly independent vectors 𝐵≔( 𝑏 1 ,…, 𝑏 𝑛 ).
𝐿 𝐵 ≔ 𝑖=1 𝑛 𝑎 𝑖 𝑏 𝑖 𝑎 1 , …, 𝑎 𝑛 ∈ℤ} is the lattice generated by basis 𝐵.

4. Lattices in Computer Science
Lattice-based cryptography:
Conjectured to be secure against quantum attacks.
Based on worst-case hardness of lattice problems.
Encryption/decryption use simple operations.
Allows for new applications.
E.g., Fully-homomorphic encryption.
Algorithmic applications of lattices:
Integer programming.
Cryptanalysis.
Coding theory.
Many more.

5. The Closest Vector Problem (CVP)
The ℓ 𝑝 -norm of 𝑥 ∈ ℝ d for 𝑝∈ 1, ∞ :
𝑥 𝑝 ≔ 𝑥 1 𝑝 + 𝑥 2 𝑝 +⋯+ 𝑥 𝑑 𝑝 1/𝑝 .
An instance of the Closest Vector Problem with respect to the ℓ 𝑝 -norm (CVPP) is a triple (𝐵, 𝑡 , 𝑟):
A basis matrix 𝐵=( 𝑏 1 , …, 𝑏 𝑛 )∈ ℝ d×𝑛 ,
A target vector 𝑡 ∈ ℝ d ,
A distance threshold 𝑟>0.
Goal: Decide whether there exists 𝑦 ∈ ℤ 𝑛 such that ‖𝐵 𝑦 − 𝑡 ‖ p ≤r.

6. The Closest Vector Problem (CVP)
The ℓ 𝑝 -norm of 𝑥 ∈ ℝ d for 𝑝∈ 1, ∞ :
𝑥 𝑝 ≔ 𝑥 1 𝑝 + 𝑥 2 𝑝 +⋯+ 𝑥 𝑑 𝑝 1/𝑝 .
An instance of the Closest Vector Problem with respect to the ℓ 𝑝 -norm (CVPP) is a triple (𝐵, 𝑡 , 𝑟):
A basis matrix 𝐵=( 𝑏 1 , …, 𝑏 𝑛 )∈ ℝ d×𝑛 ,
A target vector 𝑡 ∈ ℝ d ,
A distance threshold 𝑟>0.
Goal: Decide whether there exists 𝑦 ∈ ℤ 𝑛 such that ‖𝐵 𝑦 − 𝑡 ‖ p ≤r.

7. The Complexity of CVP
A long line of work has studied the complexity of CVP.
Security of lattice-based cryptography is based on the hardness of related, easier problems.
Quantitative hardness of CVP is necessary for practical security.
Important for picking key size.
E.g., a 2 𝑛/20 -time algorithm for CVP would break some cryptosystems [ADPS16, BCD+16].
𝑛 𝑂(𝑛) [Kan87]
4 𝑛 [MV13]
2 𝑛 [ADS15]
Our work!
2 𝑛 [BGS17]
The complexity of CVP: a long line of work.
Algorithms in green, hardness in red.
Our bound has a caveat (doesn’t apply to l_2).
Our work is a necessary not sufficient condition for the security of practical lattice-based cryptography.
𝑛 𝜔 1 [vEB81]

8. A fine-grained reduction from 𝑘-SAT to CVP
Strong Exponential Time Hypothesis (SETH): For every 𝜀>0, there exists 𝑘∈ ℤ + such that 𝑘-SAT has no 2 1−𝜀 𝑛 -time algorithm.
“Brute force 2 𝑛 -time is optimal for large 𝑘.”
Goal: Reduce a 𝑘-SAT instance Φ on 𝒏 variables to a CVP𝑝 instance of rank 𝒏 for every 𝑘.
Would prove that there is no 𝑛 -time algorithm for CVP𝑃 assuming SETH.
Reduction idea: A 0-1 combination of basis vectors will correspond to an assignment to Φ.
Combinations corresponding to satisfying assignments will be closer to 𝑡 .

9. A First Reduction: 2-SAT to CVP𝑝
𝑛 columns indexed by variables,
𝑚 rows indexed by clauses,
Two non-zero entries per row.
A First Reduction: 2-SAT to CVP𝑝
Map a 2-SAT formula Φ≔ 𝑖=1 𝑚 𝐶 𝑖 on variables 𝑥 1 , …, 𝑥 𝑛 to a CVP𝑝 instance.
Output instance: 𝐵≔ 𝐵 ′ 2𝛼 𝐼 𝑛 , 𝑡 ≔ 𝑡 ′ 𝛼 1 𝑛 , 𝑟.
𝐵’ 𝑖,𝑗 ≔ 2& if 𝐶 𝑖 contains 𝑥 𝑗 , −2& if 𝐶 𝑖 contains ¬𝑥 𝑗 , 0& otherwise.
𝑡 𝑖 ′ ≔3 − 2 (# of negative literals in 𝐶 𝑖 ).
𝑥 𝑥 𝑥 3 ⋯ 𝑥 𝑛
𝑡 ≔ 𝐵≔
𝐶 1 𝐶 2 𝐶 3 ⋮ 𝐶 𝑚 𝐵′
𝑡 ′
2𝛼 𝐼 𝑛
𝛼 1 𝑛
Only need to consider 0-1 combinations of basis vectors.

10. A First Reduction: 2-SAT to CVP𝑝
MAX- ^
Example Φ with:
C 1 ≔ 𝑥 1 ∨ 𝑥 3 and 𝐶 2 ≔ ¬ x 1 ∨ 𝑥 𝑛 .
Consider 𝑦 ∈ 0, 1 𝑛 with:
𝑦 1 ≔1, 𝑦 3 ≔0, 𝑦 𝑛 ≔0.
Want to analyze the contribution of each clause to 𝐵 𝑦 − 𝑡 𝑝 𝑝 :
Each satisfied clause contributes 1.
Each unsatisfied clause contributes 3 𝑝 .
𝐵 𝑦 − 𝑡 𝑝 𝑝 counts the number of clauses satisfied by 𝑦 !
𝑥 𝑥 𝑥 3 ⋯ 𝑥 𝑛
𝑡 ≔ 𝐵≔
𝐶 1 𝐶 2 𝐶 3 ⋮ 𝐶 𝑚 2 ⋯ 3 -2 1 𝐵′
𝑡 ′
2𝛼 𝐼 𝑛
𝛼 1 𝑛

11. Extending to larger 𝑘: Isolating Parallelepipeds
At most two numbers can be equidistant from a given number.
Idea: Many vectors can be equidistant to a given vector.
A collection of vectors 𝑉=( 𝑣 1 , …, 𝑣 𝑘 ) and shift 𝑡 ∗ form a (𝑝,𝑘)-isolating parallelepiped if:
‖ 𝑉 𝑥 − 𝑡 ∗ ​ 𝑝 =1 for all 𝑥 ∈ 0,1 𝑘 ∖ 0 ,
‖ 𝑡 ∗ 𝑝 >1.

12. A Generalized Reduction: 𝑘-SAT to CVP𝑝
Reduction from 2-SAT:
Map a 2-SAT formula Φ≔ 𝑖=1 𝑚 𝐶 𝑖 on variables 𝑥 1 , …, 𝑥 𝑛 to a CVP𝑝 instance.
Output instance: 𝐵≔ 𝐵 ′ 2𝛼 𝐼 𝑛 , 𝑡 ≔ 𝑡 ′ 𝛼 1 𝑛 , 𝑟.
𝐵’ 𝑖,𝑗 ≔ 2& if 𝐶 𝑖 contains 𝑥 𝑗 , −2& if 𝐶 𝑖 contains ¬𝑥 𝑗 , 0& otherwise.
𝑡 𝑖 ≔3 − 2 (# of negative literals in 𝐶 𝑖 ).
Reduction from 𝒌-SAT:
Assume a (𝑝, 𝑘)-isolating parallelepiped exists.
Formed by some 𝑉= 𝑣 1 , …, 𝑣 𝑘 , 𝑡 ∗ .
Map a 𝑘-SAT formula Φ≔ 𝑖=1 𝑚 𝐶 𝑖 on variables 𝑥 1 , …, 𝑥 𝑛 to a CVP𝑝 instance.
Output instance: 𝐵≔ 𝐵 ′ 2𝛼 𝐼 𝑛 , 𝑡 , 𝑟.
𝐵’ 𝑖,𝑗 ≔ 𝑣 𝑠 & if 𝑥 𝑗 is the 𝑠th literal in 𝐶 𝑖 , − 𝑣 𝑠 & if ¬𝑥 𝑗 is the 𝑠th literal in 𝐶 𝑖 , 0& otherwise.
𝑡 𝑖 ≔ 𝑡 ∗ − 𝑠 𝑣 𝑠 , summing over indices s of negative literals in 𝐶 𝑖 .
Warning: Abuse of notation. Each 𝑣 𝑠 is a vector.
Now each 𝐵’ 𝑖,𝑗 and 𝑡 𝑖 denotes a block.

13. Main Result
Theorem 1: If (𝑝, 𝑘)-isolating parallelepipeds exist for some 𝑝 and every 𝑘, then we can reduce 𝑘-SAT instances Φ on 𝒏 variables to CVP𝑝 instances of rank 𝒏 for every 𝑘.
But when do isolating parallelepipeds even exist?
Theorem 2: For every odd integer 𝑝∈ 1, ∞ and every 𝑘∈ ℤ + there exists a computable (𝑝, 𝑘)-isolating parallelepiped.
Corollary: For every odd integer 𝑝∈ 1, ∞ and for every constant 𝜀>0, there is no −𝜀 𝑛 -time algorithm for CVP𝑝 instances on lattices of rank 𝑛 assuming SETH.
Our approach extends to almost every 𝑝∈ 1, ∞ and to 𝑝=∞.
There is a 2 𝑛+𝑜(𝑛) -time algorithm for the important Euclidean case, CVP2 [ADS15].
Our approach (provably) does not extend to even integers.
Unfortunately 2 is as an even integer.

14. Conclusion and Open Questions
Our results:
Main result: There is no 𝑛 -time algorithm for CVPP assuming SETH for almost every 𝑝∈[1, ∞].
Including odd integers, excluding even integers 𝑝.
Hardness of approximation from (randomized) Gap-ETH for CVP𝑝 for all 𝑝.
Other quantitative hardness results for CVP𝑝, CVPP𝑝, and SVP∞.
Open questions:
SETH-hardness of CVP2.
Quantitative hardness of the Shortest Vector Problem (SVP).
Addressed in recent work of Aggarwal and Stephens-Davidowitz (STOC 2018).
Improved quantitative hardness of approximation.

15. Thank you!

16. Constructing isolating parallelepipeds
A sketch of the idea for constructing 𝑝, 𝑘 - isolating parallelepipeds:
Let 𝑉∈ ℤ 2 k ×𝑘 have a row for each element in −1, 1 𝑘 .
Set all entries of 𝑡 ∗ to 𝑡 ∗ .
Scale rows of 𝑉 of Hamming weight 𝑖 by 𝛼 𝑖 ≥0.
Also scale corresponding entries of 𝑡 ∗ .
𝑉≔ −1 −1 −1 −1 −1 1 −1 1 −1 1 −1 −1 − −1 − − , 𝑡 ∗ ≔ 𝑡 ∗ 𝑡 ∗ 𝑡 ∗ 𝑡 ∗ 𝑡 ∗ 𝑡 ∗ 𝑡 ∗ 𝑡 ∗ .

17. Constructing isolating parallelepipeds
A sketch of 𝑝, 𝑘 -isolating parallelepipeds construction:
Let 𝑉∈ ℤ 2 k ×𝑘 have a row for each element in −1, 1 𝑘 .
Set all entries of 𝑡 ∗ to 𝑡 ∗ .
Scale rows of 𝑉 of Hamming weight 𝑖 by 𝛼 𝑖 ≥0.
Also scale corresponding entries of 𝑡 ∗ .
Then 𝑉 𝑥 − 𝑡 𝑝 only depends on the Hamming weight of 𝑥 .
Use ideas from combinatorics and analysis to show that 𝑎 0 , 𝑎 1 ,…, 𝑎 𝑘 ≥0 and 𝑡 ∗ exist so that 𝑉, 𝑡 ∗ satisfy 𝑝, 𝑘 -isolating parallelepiped conditions.
𝑉≔ − 𝛼 0 − 𝛼 0 − 𝛼 0 − 𝛼 1 − 𝛼 1 𝛼 1 − 𝛼 1 𝛼 1 − 𝛼 1 𝛼 1 − 𝛼 1 − 𝛼 1 − 𝛼 2 𝛼 2 𝛼 2 − 𝛼 2 − 𝛼 2 𝛼 2 𝛼 2 𝛼 2 − 𝛼 2 𝛼 3 𝛼 3 𝛼 3 , 𝑡 ∗ ≔ 𝛼 0 ⋅𝑡 ∗ 𝛼 1 ⋅𝑡 ∗ 𝛼 1 ⋅𝑡 ∗ 𝛼 1 ⋅𝑡 ∗ 𝛼 2 ⋅𝑡 ∗ 𝛼 2 ⋅𝑡 ∗ 𝛼 2 ⋅𝑡 ∗ 𝛼 3 ⋅𝑡 ∗ .

18. The Closest Vector Problem (CVP)
The ℓ 𝑝 -norm of 𝑥 ∈ ℝ d for 𝑝∈ 1, ∞ :
𝑥 𝑝 ≔ 𝑥 1 𝑝 + 𝑥 2 𝑝 +⋯+ 𝑥 𝑑 𝑝 1/𝑝 .
An instance of the Closest Vector Problem with respect to the ℓ 𝑝 -norm (CVPP) is a triple (𝐵, 𝑡 , 𝑟):
A basis matrix 𝐵=( 𝑏 1 , …, 𝑏 𝑛 )∈ ℝ d×𝑛 ,
A target vector 𝑡 ∈ ℝ d ,
A distance threshold 𝑟>0.
Goal: Decide whether there exists 𝑦 ∈ ℤ 𝑛 such that ‖𝐵 𝑦 − 𝑡 ‖ p ≤r.

19. The Closest Vector Problem (CVP)
The ℓ 𝑝 -norm of 𝑥 ∈ ℝ d for 𝑝∈ 1, ∞ :
𝑥 𝑝 ≔ 𝑥 1 𝑝 + 𝑥 2 𝑝 +⋯+ 𝑥 𝑑 𝑝 1/𝑝 .
An instance of the Closest Vector Problem with respect to the ℓ 𝑝 -norm (CVPP) is a triple (𝐵, 𝑡 , 𝑟):
A basis matrix 𝐵=( 𝑏 1 , …, 𝑏 𝑛 )∈ ℝ d×𝑛 ,
A target vector 𝑡 ∈ ℝ d ,
A distance threshold 𝑟>0.
Goal: Decide whether there exists 𝑦 ∈ ℤ 𝑛 such that ‖𝐵 𝑦 − 𝑡 ‖ p ≤r.