On Basing Search SIVP on NP-Hardness

The possibility of basing cryptography on the minimal assumption NP * BPP is at the very heart of complexity-theoretic cryptography. The closest we have gotten so far is lattice-based cryptography whose average-case security is based on the worst-case hardness of approximate shortest vector problems on integer lattices. The state-of-the-art is the construction of a one-way function (and collision-resistant hash function) based on the hardness of the Õ(n)-approximate shortest independent vector problem SIVPÕ(n). Although SIVP is NP-hard in its exact version, Guruswami et al (CCC 2004) showed that gapSIVP√ n/ logn is in NP ∩ coAM and thus unlikely to be NP-hard. Indeed, any language that can be reduced to gapSIVPÕ( √ n) (under general probabilistic polynomial-time adaptive reductions) is in AM ∩ coAM by the results of Peikert and Vaikuntanathan (CRYPTO 2008) and Mahmoody and Xiao (CCC 2010). However, none of these results apply to reductions to search problems, still leaving open a ray of hope: can NP be reduced to solving search SIVP with approximation factor Õ(n)? We show that any language that can be reduced to solving search SIVP with approximation factor Õ(n) lies in AM intersect coAM, eliminating the possibility of basing current constructions on NP-hardness.