Approximating-CVP to Within Almost-Polynomial Factors is NP-Hard

This paper shows the closest vector in a lattice to be NPhard to approximate to within any factor up to 2(logn)1 where = (log logn) c for any constant c < 12 . Introduction A lattice L = L(v1; ::; vn), for vectors v1; ::; vn 2 Rn is the set of all integer linear combinations of v1; ::; vn, that is, L = fP aivi j ai 2 Zg. Given a lattice L and an arbitrary vector y, the Closest Vector Problem (CVP) is to find a vector in L closest to y. The Shortest Vector Problem (SVP) is the homogeneous analog of CVP, i.e. finding the shortest non-zero vector in L. These lattice problems have been introduced in the previous century, and have been studied since. Minkowsky and Dirichlet tried, with little success, to come up with lattice approximation algorithms. It was much later that the lattice reduction algorithm was presented by Lenstra, Lenstra and Lovász [LLL82] , achieving a polynomial-time algorithm approximating the Shortest Lattice Vector to within an exponential factor 2 dim 2 . Babai [5] applied LLL’s methods to present an algorithm that approximates CVP to within a similar factor. Schnorr [13] improved on LLL’s technique, reducing the factor of approximation to (1 + )n, for any constant > 0, for both CVP and SVP. These positive approximation results are still quite weak, achieving only extremely large (exponential) factors. The question naturally arises: What are the factors of approximation to within which these problems can be approximated in polynomial time? Interest in lattice problems has been recently renewed due to a result of Ajtai [1], showing a reduction, from the worst-case of a restricted version of SVP, to the averagecase of the same problem. Finding a problem whose average case complexity is known to be as hard as the worstcase of some other problem is quite an achievement by itself from complexity theoretic perspective. Yet such a result has significant cryptographic applications, as shown in [3]. Showing NP-hardness for that specific restriction of SVP – although unlikely as discussed below – would imply a cryptosystem whose breaking would imply P=NP. CVP was shown to be NP-hard for any lp norm in [14], where it was also conjectured that SVP is NP-hard. Arora et al. [4] utilized the PCP characterization of NP to show that CVP is NP-hard to approximate to within any constant, and quasi-NP-hard to approximate to within 2(logn)1 for any constant > 0. As to SVP, only recently, Ajtai [2] showed a randomized reduction from the NP-complete problem Subset-Sum to SVP. This has been improved [6], showing approximation hardness for some small factor (1 + 1 dim ). Very recently Micciancio [12] has significantly strengthened Ajtai’s result, showing SVP hard to approximate to within some constant factor. The proof in [12] relies on the PCP characterization of NP and is carried out via a reduction from gap-CVP (shown NP-hard for any constant gap in [4]). Using gap-CVP allows, in addition to the significant improvement in the gap, a major simplification of the main technical lemma from [2]. Better hardness results for gap-CVP may result in hardness results for gap-SVP for larger gaps. So far there is still a huge gap between the positive results, approximating these problems to within exponential factors, and the above hardness results. Nevertheless, some other results provide a discouraging indication for improving the hardness result beyond a certain factor. Lagarias et al. [10] showed that approximating CVP to within dim1:5 is in co-NP, and recently Goldreich and Goldwasser [9] showed that approximating both SVP and CVP to within pdim is in NP\co-AM. Hence showing NP-hardness for these problems is unlikely. The strongest hardness result likely to be true for these problems hence, is that they are hard to approximate to within a constant power of the dimension. The proof of [4] utilizes amplification techniques that cause the size of the instance, hence the dimension, to grow faster than the factor for which hardness of approximation is obtained. It is therefore unlikely that using this technique, even if allowing a super-polynomial blow-up, one can obtain such strong results. It seems that it will always be the case that the factor for which hardness of approximation is proven never reaches beyond the barrier of 2(logdim)1 for constant > 0.