Hardness of Bounded Distance Decoding on Lattices in ℓ_p Norms

1 Introduction

Lattices in $\Rn$ are a rich source of computational problems with applications across computer science, and especially in cryptography and cryptanalysis. (A lattice is a discrete additive subgroup of $\Rn$

, or equivalently, the set of integer linear combinations of a set of linearly independent vectors.) Many important lattice problems appear intractable, and there is a wealth of research showing that central problems like the Shortest Vector Problem (SVP) and Closest Vector Problem (CVP) are

\NP

-hard, even to approximate to within various factors and in various

ℓ_{p}

norms [31, 8, 7, 22, 23, 17, 16, 14, 25]. (For the sake of concision, throughout this introduction the term “

\NP

-hard” allows for randomized reductions, which are needed in some important cases.)

Bounded Distance Decoding.

In recent years, the emergence of lattices as a powerful foundation for cryptography, including for security against quantum attacks, has increased the importance of other lattice problems. In particular, many modern lattice-based encryption schemes rely on some form of the Bounded Distance Decoding (BDD) problem, which is like the Closest Vector Problem with a promise. An instance of $\BDDα$ for relative distance $α > 0$ is a lattice $\lat$ and a target point $\to t$ whose distance from the lattice is guaranteed to be within an $α$ factor of the lattice’s minimum distance $λ1(\lat)=min→v∈\lat∖\set→0\norm→v$ , and the goal is to find a lattice vector within that distance of $\to t$ ; when distances are measured in the $ℓ_{p}$ norm we denote the problem $\BDDp,α$ . Note that when $α < 1 / 2$ there is a unique solution, but the problem is interesting and well-defined for larger relative distances as well. We also consider preprocessing variants of CVP and BDD (respectively denoted CVPP and BDDP), in which unbounded precomputation can be applied to the lattice before the target is available. For example, this can model cryptographic contexts where a fixed long-term lattice may be shared among many users.

The importance of BDD(P) to cryptography is especially highlighted by the Learning With Errors (LWE) problem of Regev [28], which is an average-case form of BDD that has been used (with inverse-polynomial $α$ ) in countless cryptosystems, including several that share a lattice among many users (see, e.g., [13]). Moreover, Regev gave a worst-case to average-case reduction from BDD to LWE, so the security of cryptosystems is intimately related to the worst-case complexity of BDD.

Compared to problems like SVP and CVP, the BDD(P) problem has received much less attention from a complexity-theoretic perspective. We are aware of essentially only one work showing its $\NP$ -hardness: Liu, Lyubashevsky, and Micciancio [19] proved that $\BDDp,α$ and even $\BDDPp,α$ are $\NP$ -hard for relative distances approaching $min\set1/√2,1/p√2$ , which is $1 / \sqrt{2}$ for $p \geq 2$ . A few other works relate BDD(P) to other lattice problems (in both directions) in regimes where the problems are not believed to be $\NP$ -hard, e.g., [24, 11, 9]. (Dadush, Regev, and Stephens-Davidowitz [11] also gave a reduction that implies $\NP$ -hardness of $\BDD2,α$ for any $α > 1$ , which is larger than the relative distance of $α=1/√2+\eps$ achieved by [19].)

Fine-grained hardness.

An important aspect of hard lattice problems, especially for cryptography, is their quantitative hardness. That is, we want not only that a problem cannot be solved in polynomial time, but that it cannot be solved in, say, $2^{o (n)}$ time or even $2^{n / C}$ time for a certain constant $C$ . Statements of this kind can be proven under generic complexity assumptions like the Exponential Time Hypothesis (ETH) of Impagliazzo and Paturi [15] or its variants like Strong ETH (SETH), via fine-grained reductions that are particularly efficient in the relevant parameters.

Recently, Bennett, Golovnev, and Stephens-Davidowitz [10] initiated a study of the fine-grained hardness of lattice problems, focusing on CVP; follow-up work extended to SVP and showed more for CVP(P) [5, 2]. The technical goal of these works is a reduction having good rank efficiency, i.e., a reduction from $k$ -SAT on $n^{'}$ variables to a lattice problem in rank $n = (C + o (1)) n^{'}$ for some constant $C \geq 1$ , which we call the reduction’s “rank inefficiency.” (All of the lattice problems in question can be solved in $2^{n + o (n)}$ time [3, 4, 6], so $C = 1$ corresponds to optimal rank efficiency.) We mention that Regev’s BDD-to-LWE reduction [28] has optimal rank efficiency, in that it reduces rank- $n$ BDD to rank- $n$ LWE. However, to date there are no fine-grained $\NP$ -hardness results for BDD itself; the prior $\NP$ -hardness proof for BDD [19] incurs a large polynomial blowup in rank.

1.1 Our Results

We show improved $\NP$ -hardness, and entirely new fine-grained hardness, for Bounded Distance Decoding (and BDD with preprocessing) in arbitrary $ℓ_{p}$ norms. Our work improves upon the known hardness of BDD in two respects: the relative distance $α$ , and the rank inefficiency $C$ (i.e., fine-grainedness) of the reductions. As $p$ grows, both quantities improve, simultaneously approaching the unique-decoding threshold $α = 1 / 2$ and optimal rank efficiency of $C = 1$ as $p \to \infty$ , and achieving those quantities for $p = \infty$ . We emphasize that these are the first fine-grained hardness results of any kind for BDD, for any $ℓ_{p}$ norm.

Our main theorem summarizing the $\NP$ - and fine-grained hardness of BDD (with and without preprocessing) appears below in Theorem 1. For $p \in [1, \infty)$ and $C > 1$ , the quantities $α_{p}^{*}$ and $α_{p, C}^{*}$ appearing in the theorem statement are certain positive real numbers that are decreasing in $p$ and $C$ , and approaching $1 / 2$ as $p \to \infty$ (for any $C$ ). See Figure 1 for a plot of their behavior, Equations 8 and 7 for their formal definitions, and Lemma 5 for quite tight closed-form upper bounds.

Theorem 1

The following hold for $\BDDp,α$ and $\BDDPp,α$ in rank $n$ :

[itemsep=0pt]
For every $p \in [1, \infty)$ and constant $α > α_{p}^{*}$ (where $α_{p}^{*} \leq \frac{1}{2} \cdot {4.6723}^{1 / p}$ ), and for $(p, α) = (\infty, 1 / 2)$ , there is no polynomial-time algorithm for $\BDDp,α$ (respectively, $\BDDPp,α$ ) unless $\NP⊆\RP$ (resp., $\NP⊆\ccP/\ccPoly$ ).
For every $p \in [1, \infty)$ and constant $α>min\setα∗p,α∗2$ , and for $(p, α) = (\infty, 1 / 2)$ , there is no $2^{o (n)}$ -time algorithm for $\BDDp,α$ unless randomized ETH fails.
For every $p∈[1,∞)∖\set2$ and constant $α > α_{p}^{*}$ , and for $(p, α) = (\infty, 1 / 2)$ , there is no $2^{o (n)}$ -time algorithm for $\BDDPp,α$ unless non-uniform ETH fails.

Moreover, for every $p \in [1, \infty]$ and $α > α_{2}^{*}$ there is no $2^{o (\sqrt{n})}$ -time algorithm for $\BDDPp,α$ unless non-uniform ETH fails.
For every $p∈[1,∞)∖2\Z$ and constants $C > 1$ , $α > α_{p, C}^{*}$ , and $ϵ > 0$ , and for $(p, C, α) = (\infty, 1, 1 / 2)$ , there is no $2^{n (1 - ϵ) / C}$ -time algorithm for $\BDDp,α$ (respectively, $\BDDPp,α$ ) unless randomized SETH (resp., non-uniform SETH) fails.

$_{□}$

Although we do not have closed-form expressions for $α_{p}^{*}$ and $α_{p, C}^{*}$ , we do get quite tight closed-form upper bounds (see Lemma 5). Moreover, it is easy to numerically compute close approximations to them, and to the values of $p$ at which they cross certain thresholds. For example, $α_{p}^{*} < 1 / \sqrt{2}$ for all $p > p_{1} \approx 4.2773$ , so Item 1 of Theorem 1 improves on the prior best relative distance of any $α > 1 / \sqrt{2}$ for the $\NP$ -hardness of $\BDDp,α$ in such $ℓ_{p}$ norms [19].

As a few other example values and their consequences under Theorem 1, we have $α_{2}^{*} \approx 1.05006$ , $α_{3, 2}^{*} \approx 1.1418$ , and $α_{3, 5}^{*} \approx 0.917803$ . So by Item 2, BDD in the Euclidean norm for any relative distance $α > 1.05006$ requires $2^{Ω (n)}$ time assuming randomized ETH. And by Item 4, for every $\eps>0$ there is no $2(1−\eps)n/2$ -time algorithm for $\BDD3,1.1418$ , and no $2(1−\eps)n/5$ -time algorithm for $\BDD3,0.917803$ , assuming randomized SETH.

Figure 1: Left: bounds on the relative distances $α = α (p)$ for which $\BDDα,p$ was proved to be $\NP$ -hard in the $ℓ_{p}$ norm, in this work and in [19]; the crossover point is $p_{1} \approx 4.2773$ . (The plots include results obtained by norm embeddings [27], hence they are maximized at $p = 2$ .) Right: our bounds $α_{p, C}^{*}$ on the relative distances $α > α_{p, C}^{*}$ for which there is no $2(1−\eps)n/C$ -time algorithm for $\BDDp,α$ for any $\eps>0$ , assuming randomized SETH.

1.2 Technical Overview

As in prior $\NP$ -hardness reductions for SVP and BDD (and fine-grained hardness proofs for the former) [7, 22, 16, 19, 14, 25, 5], the central component of our reductions is a family of rank- $n$ lattices $\lat⊂\Rd$ and target points $→t∈\Rd$ having a certain “local density” property in a desired $ℓ_{p}$ norm. Informally, this means that $\lat$ has “large” minimum distance $λ(p)1(\lat):=min→v∈\lat∖\set→0\norm→vp$ , i.e., there are no “short” nonzero vectors, but has many vectors “close” to the target $\to t$ . More precisely, we want $λ(p)1(\lat)≥r$ and $Np(\lat,αr,→t)=exp(nΩ(1))$ for some relative distance $α$ , where

Np(\lat,s,→t):=\abs\set→v∈\lat:\norm→v−→tp≤s

denotes the number of lattice points within distance $s$ of $\to t$ .

Micciancio [22] constructed locally dense lattices with relative distance approaching $2^{- 1 / p}$ in the $ℓ_{p}$ norm (for every finite $p \geq 1$ ), and used them to prove the $\NP$ -hardness of $γ$ -approximate SVP in $ℓ_{p}$ for any $γ < 2^{1 / p}$ . Subsequently, Liu, Lyubashevsky, and Micciancio [19] used these lattices to prove the $\NP$ -hardness of BDD in $ℓ_{p}$ for any relative distance $α > 2^{- 1 / p}$ . However, these works observed that the relative distance depends on $p$ in the opposite way from what one might expect: as $p$ grows, so does $α$ , hence the associated $\NP$ -hard SVP approximation factors and BDD relative distances worsen. Yet using norm embeddings, it can be shown that $ℓ_{2}$ is essentially the “easiest” $ℓ_{p}$ norm for lattice problems [27], so hardness in $ℓ_{2}$ implies hardness in $ℓ_{p}$ (up to an arbitrarily small loss in approximation factor). Therefore, the locally dense lattices from [22] do not seem to provide any benefits for $p > 2$ over $p = 2$ , where the relative distance approaches $1 / \sqrt{2}$ . In addition, the rank of these lattices is a large polynomial in the relevant parameter, so they are not suitable for proving fine-grained hardness.¹¹1We mention that Khot [16] gave a different construction of locally dense lattices with other useful properties, but their relative distance is no smaller than that of Micciancio’s construction in any $ℓ_{p}$ norm, and their rank is also a large polynomial in the relevant parameter.

Local density via sparsification.

More recently, Aggarwal and Stephens-Davidowitz [5] (building on [10]) proved fine-grained hardness for exact SVP in $ℓ_{p}$ norms, via locally dense lattices obtained in a different way. Because they target exact SVP, it suffices to have local density for relative distance $α = 1$ , but for fine-grained hardness they need $Np(\lat,r,→t)=2Ω(n)$ , preferably with a large hidden constant (which determines the rank efficiency of the reduction). Following [21, 12], they start with the integer lattice $\Zn$ and all- $\frac{1}{2}$ s target vector $→t=12→1∈\Rn$ . Clearly, there are $2^{n}$ lattice vectors all at distance $r = \frac{1}{2} n^{1 / p}$ from $\to t$ in the $ℓ_{p}$ norm, but the minimum distance of the lattice is only $1$ , so the relative distance of the “close” vectors is $α = r$ , which is far too large.

To improve the relative distance, they increase the minimum distance to at least $r = \frac{1}{2} n^{1 / p}$ using the elegant technique of random sparsification, which is implicit in [12] and was first used for proving $\NP$ -hardness of approximate SVP in [17, 16]. The idea is to upper-bound the number $Np(\Zn,r,→0)$ of “short” lattice points of length at most $r$ , by some $Q$ . Then, by taking a random sublattice $\lat⊂\Zn$ of determinant (index) slightly larger than $Q$

, with noticeable probability none of the “short” nonzero vectors will be included in

\lat

, whereas roughly

2^{n} / Q

of the vectors “close” to

\to t

will be in

\lat

. So, as long as

Q = 2^{(1 - Ω (1)) n}

, there are sufficiently many lattice vectors at the desired relative distance from

\to t

Bounds for $Np(\Zn,r,→0)$ were given by Mazo and Odlyzko [21], by a simple but powerful technique using the theta function $Θp(τ):=∑z∈\Zexp(−τ\abszp)$ . They showed (see Proposition 1) that

Np(\Zn,r,→0)≤minτ>0exp(τ⋅rp)⋅Θp(τ)n=\parens[]minτ>0exp(τ/2p)⋅Θp(τ)n ,

(1)

where the equality is by $r = \frac{1}{2} n^{1 / p}$ . So, Aggarwal and Stephens-Davidowitz need ${min}_{τ > 0} exp (τ / 2^{p}) \cdot Θ_{p} (τ) < 2$ , and it turns out that this is the case for every $p > p_{0} \approx 2.1397$ . (They also deal with smaller $p$ by using a different target point $\to t$ .)

This work: local density for small relative distance.

For the $\NP$ - and fine-grained hardness of BDD we use the same basic approach as in [5], but with the different goal of getting local density for as small of a relative distance $α < 1$ as we can manage. That is, we still have $2^{n}$ integral vectors all at distance $r = \frac{1}{2} n^{1 / p}$ from the target $→t=12→1∈\Rn$ , but we want to “sparsify away” all the nonzero integral vectors of length less than $r / α$ . So, we want the right-hand side of the Mazo-Odlyzko bound (Equation 1) to be at most $2^{(1 - Ω (1)) n}$ for as large of a positive hidden constant as we can manage. More specifically, for any $p \geq 1$ and $C > 1$ (which ultimately corresponds to the reduction’s rank inefficiency) we can obtain local density of at least $2^{n / C}$ close vectors at any relative distance greater than

α∗p,C:=inf\setα∗>0:minτ>0exp(τ/(2α∗)p)⋅Θp(τ)≤21−1/C .

The value of $α_{p, C}^{*}$ is strictly decreasing in both $p$ and $C$ , and for large $C$ and $p > p_{1} \approx 4.2773$ it drops below the relative distance of $1 / \sqrt{2}$ approached by the local-density construction of [22] for $ℓ_{2}$ (and also $ℓ_{p}$ by norm embeddings.) This is the source of our improved relative distance for the $\NP$ -hardness of BDD in high $ℓ_{p}$ norms.

We also show that obtaining local density by sparsifying the integer lattice happens to yield a very simple reduction to BDD from the exact version of CVP, which is how we obtain fine-grained hardness. Given a CVP instance consisting of a lattice and a target point, we essentially just take their direct sum with the integer lattice and the $\frac{1}{2} \to 1$ target (respectively), then sparsify. (See Lemma 4 and Theorem 5 for details.) Because this results in the (sparsified) locally dense lattice having $2^{Ω (n)}$ close vectors all exactly at the threshold of the BDD promise, concatenating the CVP instance either keeps the target within the (slightly weaker) BDD promise, or puts it just outside. This is in contrast to the prior reduction of [19], where the close vectors in the locally dense lattices of [22] are at various distances from the target, hence a reduction from approximate-CVP with a large constant factor is needed to put the target outside the BDD promise. While approximating CVP to within any constant factor is known to be $\NP$ -hard [8], no fine-grained hardness is known for approximate CVP, except for factors just slightly larger than one [2].

1.3 Discussion and Future Work

Our work raises a number of interesting issues and directions for future research. First, it highlights that there are now two incomparable approaches for obtaining local density in the $ℓ_{p}$ norm—Micciancio’s construction [22], and sparsifying the integer lattice [12, 5]—with each delivering a better relative distance for certain ranges of $p$ . For $p \in [1, p_{1} \approx 4.2773]$ , Micciancio’s construction (with norm embeddings from $ℓ_{2}$ , where applicable) delivers the better relative distance, which approaches $min\set1/p√2,1/√2$ . Moreover, this is essentially optimal in $ℓ_{2}$ , where $1 / \sqrt{2}$ is unachievable due to the Rankin bound, which says that in $\Rn$ we can have at most $2 n$ subunit vectors with pairwise distances of $\sqrt{2}$ or more.

A first question, therefore, is whether relative distance less than $1 / \sqrt{2}$ can be obtained for all $p > 2$ . We conjecture that this is true, but can only manage to prove it via sparsification for all $p > p_{1} \approx 4.2773$ . More generally, an important open problem is to give a unified local-density construction that subsumes both of the above-mentioned approaches in terms of relative distance, and ideally in rank efficiency as well. In the other direction, another important goal is to give lower bounds on the relative distance in general $ℓ_{p}$ norms. Apart from the Rankin bound, the only bound we are aware of is the trivial one of $α \geq 1 / 2$ implied by the triangle inequality, which is essentially tight for $ℓ_{1}$ and tight for $ℓ_{\infty}$ (as shown by [22] and our work, respectively).

More broadly, for the BDD relative distance parameter $α$ there are three regimes of interest: the local-density regime, where we know how to prove $\NP$ -hardness; the unique-decoding regime $α < 1 / 2$ ; and (at least in some $ℓ_{p}$ norms, including $ℓ_{2}$ ) the intermediate regime between them. It would be very interesting, and would seem to require new techniques, to show $\NP$ -hardness outside the local-density regime. One potential route would be to devise a gap amplification technique for BDD, analogous to how SVP has been proved to be $\NP$ -hard to approximate to within any constant factor [16, 14, 25]. Gap amplification may also be interesting in the absence of $\NP$ -hardness, e.g., for the inverse-polynomial relative distances used in cryptography. Currently, the only efficient gap amplification we are aware of is a modest one that decreases the relative distance by any $(1 - 1 / n)^{O (1)}$ factor [20].

A final interesting research direction is related to the unique Shortest Vector Problem (uSVP), where the goal is to find a shortest nonzero vector $\to v$ in a given lattice, under the promise that it is unique (up to sign). More generally, approximate uSVP has the promise that all lattice vectors not parallel to $\to v$ are a certain factor $γ$ as long. It is known that exact uSVP is $\NP$ -hard in $ℓ_{2}$ [18], and by known reductions it is straightforward to show the $\NP$ -hardness of $2$ -approximate uSVP in $ℓ_{\infty}$ . Can recent techniques help to prove $\NP$ -hardness of $γ$ -approximate uSVP, for some constant $γ > 1$ , in $ℓ_{p}$ for some finite $p$ , or specifically for $ℓ_{2}$ ? Do $\NP$ -hard approximation factors for uSVP grow smoothly with $p$ ?

Acknowledgments.

We thank Noah Stephens-Davidowitz for sharing his plot-generating code from [5] with us.

2 Preliminaries

For any positive integer $q$ , we identify the quotient group $\Zq=\Z/q\Z$ with some set of distinguished representatives, e.g., $\set0,1,…,q−1$ . Let $B^{+} := (B^{t} B)^{- 1} B^{t}$ denote the Moore-Penrose pseudoinverse of a real-valued matrix $B$ with full column rank. Observe that $B^{+} \to v$ is the unique coefficient vector $\to c$ with respect to $B$ of any $\to v = B \to c$ in the column span of $B$ .

2.1 Problems with Preprocessing

In addition to ordinary computational problems, we are also interested in (promise) problems with preprocessing. In such a problem, an instance $(x_{P}, x_{Q})$ is comprised of a “preprocessing” part $x_{P}$ and a “query” part $x_{Q}$ , and an algorithm is allowed to perform unbounded computation on the preprocessing part before receiving the query part.

Formally, a preprocessing problem is a relation $Π=\set((xP,xQ),y)$ of instance-solution pairs, where $Πinst:=\set(xP,xQ):∃y s.t. ((xP,xQ),y)∈Π$ is the set of problem instances, and $Π(xP,xQ):=\sety:((xP,xQ),y)∈Π$ is the set of solutions for any particular instance $(x_{P}, x_{Q})$ . If every instance $(x_{P}, x_{Q}) \in Π_{inst}$ has exactly one solution that is either YES or NO, then $Π$ is called a decision problem.

Definition 1

A preprocessing algorithm is a pair $(P, Q)$ where $P$ is a (possibly randomized) function representing potentially unbounded computation, and $Q$ is an algorithm. The execution of $(P, Q)$ on an input $(x_{P}, x_{Q})$ proceeds in two phases:

[itemsep=0pt]
first, in the preprocessing phase, $P$ takes $x_{P}$ as input and produces some preprocessed output $σ$ ;
then, in the query phase, $Q$ takes both $σ$ and $x_{Q}$ as input and produces some ultimate output.

The running time $T$ of the algorithm is defined to be the time used in the query phase alone, and is considered as a function of the total input length $\absxP+\absxQ$ . The length of the preprocessed output is defined as $A=\absσ$ , and is also considered as a function of the total input length. Note that without loss of generality, $A \leq T$ .

If $(P, Q)$ is deterministic, we say that it solves preprocessing problem $Π$ if $Q (P (x_{P}), x_{Q}) \in Π_{(x_{P}, x_{Q})}$ for all $(x_{P}, x_{Q}) \in Π_{inst}$ . If $(P, Q)$ is potentially randomized, we say that it solves $Π$ if

Pr [Q (P (x_{P}), x_{Q}) \in Π_{(x_{P}, x_{Q})}] \geq \frac{2}{3}

for all $(x_{P}, x_{Q}) \in Π_{inst}$ , where the probability is taken over the random coins of both $P$ and $Q$ .²²2Note that it could be the case that some preprocessed outputs fail to make the query algorithm output a correct answer on some, or even all, query inputs. $_{□}$

As shown below using a routine quantifier-swapping argument (as in Adleman’s Theorem [1]), it turns out that for $\NP$ relations and decision problems, any randomized preprocessing algorithm can be derandomized if the length of the query input $x_{Q}$ is polynomial in the length of the preprocessing input $x_{P}$ . So for convenience, in this work we allow for randomized algorithms, only switching to deterministic ones for our ultimate hardness theorems.

Lemma 1

Let preprocessing problem $Π$ be an $\NP$ relation or a decision problem for which $\absxQ=\poly(\absxP)$ for all $(x_{P}, x_{Q}) \in Π_{inst}$ . If $Π$ has a randomized $T$ -time algorithm, then it has a deterministic $T⋅\poly(\absxP+\absxQ)$ -time algorithm with $T⋅\poly(\absxP+\absxQ)$ -length preprocessed output. $_{□}$

Proof

Let $q (\cdot)$ be a polynomial for which $\absxQ≤q(\absxP)$ for all $(x_{P}, x_{Q}) \in Π_{inst}$ . Let $(P, Q)$ be a randomized $T$ -time algorithm for $Π$ , which by standard repetition techniques we can assume has probability strictly less than $exp(−q(\absxP))$ of being incorrect on any $(x_{P}, x_{Q}) \in Π_{inst}$ , with only a $\poly(\absxP+\absxQ)$ -factor overhead in the running time and preprocessed output length. Fix some arbitrary $x_{P}$ . Then by the union bound over all $(x_{P}, x_{Q}) \in Π_{inst}$ and the hypothesis, we have

Pr [\exists (x_{P}, x_{Q}) \in Π_{inst} : Q (P (x_{P}), x_{Q}) \notin Π_{(x_{P}, x_{Q})}] < 1.

So, there exist coins for $P$ and $Q$ for which $Q (P (x_{P}), x_{Q}) \in Π_{(x_{P}, x_{Q})}$ for all $(x_{P}, x_{Q}) \in Π_{inst}$ . By fixing these coins we make $P$ a deterministic function of $x_{P}$ , and we include the coins for $Q$ along with the preprocessed output $P (x_{P})$ , thus making $Q$ deterministic as well. The resulting deterministic algorithm solves $Π$ with the claimed resources, as needed. $_{■}$

Reductions for preprocessing problems.

We need the following notions of reductions for preprocessing problems. The following generalizes Turing reductions and Cook reductions (i.e., polynomial-time Turing reductions).

Definition 2

A Turing reduction from one preprocessing problem $X$ to another one $Y$ is a pair of algorithms $(R_{P}, R_{Q})$ satisfying the following properties: $R_{P}$ is a (potentially randomized) function with access to an oracle $P$ , whose output length is polynomial in its input length; $R_{Q}$ is an algorithm with access to an oracle $Q$ ; and if $(P, Q)$ solves problem $Y$ , then $(R_{P}^{P}, R_{Q}^{Q})$ solves problem $X$ . Additionally, it is a Cook reduction if $R_{Q}$ runs in time polynomial in the total input length of $R_{P}$ and $R_{Q}$ . $_{□}$

Similarly, the following generalizes mapping reductions and Karp reductions (i.e., polynomial-time mapping reductions) for decision problems.

Definition 3

A mapping reduction from one preprocessing decision problem $X$ to another one $Y$ is a pair $(R_{P}, R_{Q})$ satisfying the following properties: $R_{P}$ is a deterministic function whose output length is polynomial in its input length; $R_{Q}$ is a deterministic algorithm; and for any YES (respectively, NO) instance $(x_{P}, x_{Q})$ of $X$ , the output pair $(y_{P}, y_{Q})$ is a YES (resp., NO) instance of $Y$ , where $(y_{P}, y_{Q})$ are defined as follows:

[itemsep=0pt]
first, $R_{P}$ takes $x_{P}$ as input and outputs some $(σ^{'}, y_{P})$ , where $σ^{'}$ is some “internal” preprocessed output;
then, $R_{Q}$ takes $(σ^{'}, x_{Q})$ as input and outputs some $y_{Q}$ .

Additionally, it is a Karp reduction if $R_{Q}$ runs in time polynomial in the total input length of $R_{P}$ and $R_{Q}$ . $_{□}$

It is straightforward to see that if $X$ mapping reduces to $Y$ , and there is a deterministic polynomial-time preprocessing algorithm $(P_{Y}, Q_{Y})$ that solves $Y$ , then there is also one $(P_{X}, Q_{X})$ that solves $X$ , which works as follows:

[itemsep=0pt]
the preprocessing algorithm $P_{X}$ , given a preprocessing input $x_{p}$ , first computes $(σ^{'}, y_{P}) = R_{P} (x_{P})$ , then computes $σ_{Y} = P_{Y} (y_{P})$ and outputs $σ_{X} = (σ^{'}, σ_{Y})$ ;
the query algorithm $Q_{X}$ , given $σ_{X} = (σ^{'}, σ_{Y})$ and a query input $x_{Q}$ , computes $y_{Q} = R_{Q} (σ^{'}, x_{Q})$ and finally outputs $Q_{Y} (σ_{Y}, y_{Q})$ .

2.2 Lattices

A lattice is the set of all integer linear combinations of some linearly independent vectors ${\to b}_{1}, \dots, {\to b}_{n}$ . It is convenient to arrange these vectors as the columns of a matrix. Accordingly, we define a basis $B=(→b1,…,→bn)∈\Rd×n$ to be a matrix with linearly independent columns, and the lattice generated by basis $B$ as

\lat(B):=\set[]n∑i=1ai→bi:a1,…,an∈\Z .

Let $B_{p}^{d}$ denote the centered unit $ℓ_{p}$ ball in $d$ dimensions. Given a lattice $\lat⊂\Rd$ of rank $n$ , for $1 \leq i \leq n$ let

λ(p)i(\lat):=inf\setr>0:dim(\lspan(r⋅Bdp∩\lat))≥i

denote the $i$ th successive minimum of $\lat$ with respect to the $ℓ_{p}$ norm.

We denote the $ℓ_{p}$ distance of a vector $\to t$ to a lattice $\lat$ as

\distp(→t,\lat):=min→v∈\lat\norm→v−→tp .

2.3 Bounded Distance Decoding (with Preprocessing)

The primary computational problem that we study in this work is the Bounded Distance Decoding Problem (BDD), which is a version of the Closest Vector Problem (CVP) in which the target vector is promised to be relatively close to the lattice.

Definition 4

For $1 \leq p \leq \infty$ and $α = α (n) > 0$ , the $α$ -Bounded Distance Decoding problem in the $ℓ_{p}$ norm ( $\BDDp,α$ ) is the (search) promise problem defined as follows. The input is (a basis of) a rank- $n$ lattice $\lat$ and a target vector $\to t$ satisfying $\distp(→t,\lat)≤α(n)⋅λ(p)1(\lat)$ . The goal is to output a lattice vector $→v∈\lat$ that satisfies $\norm→v−→tp≤α(n)⋅λ(p)1(\lat)$ .

The preprocessing (search) promise problem $\BDDPp,α$ is defined analogously, where the preprocessing input is (a basis of) the lattice, and the query input is the target $\to t$ . $_{□}$

We note that in some works, $\BDD$ is defined to have the goal of finding a $→v∈\lat$ such that $\norm→v−→tp=\distp(→t,\lat)$ . This formulation is clearly no easier than the one defined above. So, our hardness theorems, which are proved for the definition above, immediately apply to the alternative formulation as well.

We also remark that for $α < 1 / 2$ , the promise ensures that there is a unique vector $\to v$ satisfying $\norm→v−→tp≤α⋅λ(p)1(\lat)$ . However, $\BDD$ is still well defined for $α \geq 1 / 2$ , i.e., above the unique-decoding radius. As in prior work, our hardness results for $\BDDp,α$ are limited to this regime.

To the best of our knowledge, essentially the only previous study of the $\NP$ -hardness of $\BDD$ is due to [19], which showed the following result.³³3Additionally, [11] gave a reduction from $\CVP$ to $\BDD2,α$ but only for some $α > 1$ . Also, [26, 20] gave a reduction from $\GapSVPγ$ to $\BDD$ , but only for large $γ = γ (n)$ for which $\GapSVP$ is not known to be $\NP$ -hard.

Theorem 2 ([19, Corollaries 1 and 2])

For any $p \in [1, \infty)$ and $α > 1 / 2^{1 / p}$ , there is no polynomial-time algorithm for $\BDDp,α$ (respectively, with preprocessing) unless $\NP⊆\RP$ (resp., unless $\NP⊆\ccP/\ccPoly$ ). $_{□}$

Regev and Rosen [27] used norm embeddings to show that almost any lattice problem is at least as hard in the $ℓ_{p}$ norm, for any $p \in [1, \infty]$ , as it is in the $ℓ_{2}$ norm, up to an arbitrarily small constant-factor loss in the approximation factor. In other words, they essentially showed that $ℓ_{2}$ is the “easiest” $ℓ_{p}$ norm for lattice problems. (In addition, their reduction preserves the rank of the lattice.) Based on this, [19] observed the following corollary, which is an improvement on the factor $α$ from Theorem 2 for all $p > 2$ .

Theorem 3 ([19, Corollary 3])

For any $p \in [1, \infty)$ and $α > 1 / \sqrt{2}$ , there is no polynomial-time algorithm for $\BDDp,α$ (respectively, with preprocessing) unless $\NP⊆\RP$ (resp., unless $\NP⊆\ccP/\ccPoly$ ). $_{□}$

Figure 1 shows the bounds from Theorems 3 and 2 together with the new bounds achieved in this work as a function of $p$ .

2.4 Sparsification

A powerful idea, first used in the context of hardness proofs for lattice problems in [17], is that of random lattice sparsification. Given a lattice $\lat$ with basis $B$ , we can construct a random sublattice $\lat′⊆\lat$ as

\lat′=\set→v∈\lat:\iprod→z,B+→v=0(mod∗)q

for uniformly random $→z∈\Znq$ , where $q$ is a suitably chosen prime.

Lemma 2

Let $q$ be a prime and let $→x1,…,→xN∈\Znq∖\set→0$ be arbitrary. Then

Pr→z←\Znq[∃i∈[N] such that \iprod→z,→xi=0(mod∗)q]≤Nq .

$_{□}$

Proof

We have $Pr[\iprod→z,→xi=0]=1/q$ for each ${\to x}_{i}$ , and the claim follows by the union bound. $_{■}$

The following corollary is immediate.

Corollary 1

Let $q$ be a prime and $\lat$ be a lattice of rank $n$ with basis $B$ . Then for all $r > 0$ and all $p \in [1, \infty]$ ,

Pr→z←\Znq[λ(p)1(\lat′)<r]≤Nop(\lat∖\set→0,r,→0)q ,

where $\lat′=\set→v∈\lat:\iprod→z,B+→v=0(mod∗)q$ . $_{□}$

Theorem 4 ([30, Theorem 3.1])

For any lattice $\lat$ of rank $n$ with basis $B$ , prime $q$ , and lattice vectors $→x,→y1,…,→yN∈\lat$ such that $B^{+} \to x \neq B^{+} {\to y}_{i} (mod *) q$ for all $i \in [N]$ , we have

1q−Nq2−Nqn−1≤Pr→z,→c←\Znq[\iprod→z,B+→x+→c=0(mod∗)q∧\iprod→z,B+→yi+→c≠0(mod∗)q∀i∈[N]]≤1q+1qn .

$_{□}$

We will use only the lower bound from Theorem 4, but we note that the upper bound is relatively tight for $q ≫ N$ .

Corollary 2

For any $p \in [1, \infty]$ and $r \geq 0$ , lattice $\lat$ of rank $n$ with basis $B$ , vector $\to t$ , prime $q$ , and lattice vectors $→v1,…,→vN∈\lat$ such that $\norm→vi−→tp≤r$ for all $i \in [N]$ and such that all the $B^{+} {\to v}_{i} mod q$ are distinct, we have

Pr→z,→c←\Znq[\distp(→t+B→c,\lat′)≤r]≥Nq−N(N−1)q2−N(N−1)qn−1 ,

where $\lat′=\set→v∈\lat:\iprod→z,B+→v=0(mod∗)q$ . $_{□}$

Proof

Observe that for each $i \in [N]$ , the events

Ei:=[\iprod→z,B+→vi=0(mod∗)q and \iprod→z,B+→vj≠0(mod∗)q for all j≠i]

are disjoint, and by invoking Theorem 4 with $\to x = {\to v}_{i}$ and the ${\to y}_{j}$ being the remaining ${\to v}_{k}$ for $k \neq i$ , we have

Pr \to z, \to c [E_{i}] \geq \frac{1}{q} - \frac{N - 1}{q^{2}} - \frac{N - 1}{q^{n - 1}} .

Also observe that if $E_{i}$ occurs, then $→vi+B→c∈\lat′$ (also $→vj+B→c∉\lat′$ for all $j \neq i$ , but we will not need this). Therefore,

\distp(→t+B→c,\lat′)≤\norm→t+B→c−(→vi+B→c)=\norm→t−→vi≤r .

So, the probability in the left-hand side of the claim is at least

Pr→z,→c\bracks[]⋃i∈[N]Ei=∑i∈[N]Pr→z,→c[Ei]≥Nq−N(N−1)q2−N(N−1)qn−1 .

$_{■}$

2.5 Counting Lattice Points in a Ball

Following [5], for any discrete set $A$ of points (e.g., a lattice, or a subset thereof), we denote the number of points in $A$ contained in the closed and open (respectively) $ℓ_{p}$ ball of radius $r$ centered at a point $\to t$ as

	$N_{p} (A, r, \to t)$	$:=\card\set→y∈A:\norm→y−→tp≤r ,$		(2)
	$N_{p}^{o} (A, r, \to t)$	$:=\card\set→y∈A:\norm→y−→tp<r .$		(3)

Clearly, $N_{p}^{o} (A, r, \to t) \leq N_{p} (A, r, \to t)$ .

For $1 \leq p < \infty$ and $τ > 0$ define

Θp(τ):=∑z∈\Zexp(−τ\abszp) .

We use the following upper bound due to Mazo and Odlyzko [21] on the number of short vectors in the integer lattice. We include its short proof for completeness.

Proposition 1 ([21])

For any $p \in [1, \infty)$ , $r > 0$ , and $n∈\N$ ,

Np(\Zn,r,→0)≤minτ>0exp(τrp)⋅Θp(τ)n .

$_{□}$

Proof

For $τ > 0$ we have

Θp(τ)n=∑→z∈\Znexp(−τ\norm→zpp)≥∑→z∈\Zn∩rBnpexp(−τ\norm→zpp)≥exp(−τrp)⋅Np(\Zn,r,→0) .

The result follows by rearranging and taking the minimum over all $τ > 0$ . $_{■}$

2.6 Hardness Assumptions

We recall the Exponential Time Hypothesis (ETH) of Impagliazzo and Paturi [15], and several of its variants. These hypotheses make stronger assumptions about the complexity of the $k$ -SAT problem than the assumption $\lx@paragraphsign≠\NP$ , and serve as highly useful tools for studying the fine-grained complexity of hard computational problems. Indeed, we will show that strong fine-grained hardness for $\BDD$ follows from these hypotheses.

Definition 5

The (randomized) Exponential Time Hypothesis ((randomized) ETH) asserts that there is no (randomized) $2^{o (n)}$ -time algorithm for $3$ -SAT on $n$ variables. $_{□}$

Definition 6

The (randomized) Strong Exponential Time Hypothesis ((randomized) SETH) asserts that for every $\eps>0$ there exists $k∈\Z+$ such that there is no (randomized) $2(1−\eps)n$ -time algorithm for $k$ -SAT on $n$ variables. $_{□}$

For proving hardness of lattice problem with preprocessing, we define (Max-) $k$ -SAT with preprocessing as follows. The preprocessing input is a size parameter $n$ , encoded in unary. The query input is a $k$ -SAT formula $ϕ$ with $n$ variables and $m$ (distinct) clauses, together with a threshold $W∈\set0,…m$ in the case of Max- $k$ -SAT. For $k$ -SAT, it is a YES instance if $ϕ$ is satisfiable, and is a NO instance otherwise. For Max- $k$ -SAT, it is a YES instance if there exists an assignment to the variables of $ϕ$ that satisfies at least $W$ of its clauses, and is a NO instance otherwise.

Observe that because the preprocessing input is just $n$ , a preprocessing algorithm for (Max-) $k$ -SAT with preprocessing is equivalent to a (non-uniform) family of circuits for the problem without preprocessing. Also, for any fixed $k$ , because there are only $O (n^{k})$ possible clauses on $n$ variables, the length of the query input for (Max-) $k$ -SAT instances having preprocessing input $n$ is $\poly(n)$ , so we get the following corollary of Lemma 1.

Corollary 3

If (Max-) $k$ -SAT with preprocessing has a randomized $T (n)$ -time algorithm, then it has a deterministic $T(n)⋅\poly(n)$ -time algorithm using $T(n)⋅\poly(n)$ -length preprocessed output. $_{□}$

Following, e.g., [29, 2], we also define non-uniform variants of ETH and SETH, which deal with the complexity of $k$ -SAT with preprocessing. More precisely, non-uniform ETH asserts that no family of size- $2^{o (n)}$ circuits solves $3$ -SAT on $n$ variables (equivalently, $3$ -SAT with preprocessing does not have a $2^{o (n)}$ -time algorithm), and non-uniform SETH asserts that for every $\eps>0$ there exists $k∈\Z+$ such that no family of circuits of size $2(1−\eps)n$ solves $k$ -SAT on $n$ variables (equivalently, $k$ -SAT with preprocessing does not have a $2(1−\eps)n$ -time algorithm). These hypotheses are useful for analyzing the fine-grained complexity of preprocessing problems.

One might additionally consider “randomized non-uniform” versions of (S)ETH. However, Corollary 3 says that a randomized algorithm for (Max-) $k$ -SAT with preprocessing can be derandomized with only polynomial overhead, so randomized non-uniform (S)ETH is equivalent to (deterministic) non-uniform (S)ETH, so we only consider the latter.

Finally, we remark that one can define weaker versions of randomized or non-uniform (S)ETH with Max- $3$ -SAT (respectively, Max- $k$ -SAT) in place of $3$ -SAT (resp., $k$ -SAT). Many of our results hold even under these weaker hypotheses. In particular, the derandomization result in Corollary 3 applies to both $k$ -SAT and Max- $k$ -SAT.

3 Hardness of $\BDDp,α$

In this section, we present our main result by giving a reduction from a known-hard variant $\GapCVP′p$ of the Closest Vector Problem (CVP) to $\BDD$ . We peform this reduction in two main steps.

First, in Section 3.1 we define a variant of $\BDDp,α$ , which we call $(S, T)$ - $\BDDp,α$ . Essentially, an instance of this problem is a lattice that may have up to $S$ “short” nonzero vectors of $ℓ_{p}$ norm bounded by some $r$ , and a target vector that is “close” to—i.e., within distance $α r$ of—at least $T$ lattice vectors. (The presence of short vectors prevents this from being a true $\BDDp,α$ instance.) We then give a reduction, for $S ≪ T$ , from $(S, T)$ - $\BDDp,α$ to $\BDDp,α$ itself, using sparsification.
Then, in Section 3.2 we reduce from $\GapCVP′p$ to $(S, T)$ - $\BDDp,α$ for suitable $S ≪ T$ whenever $α$ is sufficiently large as a function of $p$ (and the desired rank efficiency), based on analysis given in Section 3.3 and Lemma 5.

3.1 $(S, t)$ -BDD to BDD

We start by defining a special decision variant of BDD. Essentially, the input is a lattice and a target vector, and the problem is to distinguish between the case where there are few “short” lattice vectors but many lattice vectors “close” to the target, and the case where the target is not close to the lattice. There is a gap factor between the “close” and “short” distances, and for technical reasons we count only those “close” vectors having binary coefficients with respect to the given input basis.

Definition 7

Let $S = S (n), T = T (n) \geq 0$ , $p \in [1, \infty]$ , and $α = α (n) > 0$ . An instance of the decision promise problem $(S, T)$ - $\BDDp,α$ is a lattice basis $B∈\Rd×n$ , a distance $r > 0$ , and a target $→t∈\Rd$ .

It is a YES instance if $Nop(\lat(B)∖\set→0,r,→0)≤S(n)$ and $Np(B⋅\bitn,αr,→t)≥T(n)$ .
It is a NO instance if $\distp(→t,\lat(B))>αr$ .

The search version is: given a YES instance $(B, r, \to t)$ , find a $→v∈\lat(B)$ such that $\norm→v−→tp≤αr$ .

The preprocessing search and decision problems $(S, T)$ - $\BDDPp,α$ are defined analogously, where the preprocessing input is $B$ and $r$ , and the query input is $\to t$ . $_{□}$

We stress that in the preprocessing problems $\BDDP$ , the distance $r$ is part of the preprocessing input; this makes the problem no harder than a variant where $r$ is part of the query input. So, our hardness results for the above definition immediately apply to that variant as well. However, our reduction from $(S, T)$ - $\BDDP$ (given in Lemma 3) critically relies on the fact that $r$ is part of the preprocessing input.

Clearly, there is a trivial reduction from the decision version of $(S, T)$ - $\BDDp,α$ to its search version (and similarly for the preprocessing problems): just call the oracle for the search problem and test whether it returns a lattice vector within distance $α r$ of the target. So, to obtain more general results, our reductions involving $(S, T)$ - $\BDD$ will be from the search version, and to the decision version.

Reducing to BDD.

We next observe that for $S (n) = 0$ and any $T (n) > 0$ , there is almost a trivial reduction from $(S, T)$ - $\BDDp,α$ to ordinary $\BDDp,α$ , because YES instances of the former satisfy the $\BDDp,α$ promise. (See below for the easy proof.) The only subtlety is that we want the $\BDDp,α$ oracle to return a lattice vector that is within distance $α r$ of the target; recall that the definition of $\BDDp,α$ only guarantees distance $α⋅λ(p)1(\lat(B))$ . This issue is easily resolved by modifying the lattice to upper bound its minimum distance by $r$ , which increases the lattice’s rank by one. (For the alternative definition of $\BDD$ described after Definition 4, the trivial reduction works, and no increase in the rank is needed.)

Lemma 3

For any $T (n) > 0$ , $p \in [$

Hardness of Bounded Distance Decoding on Lattices in ℓ_p Norms

Authors

Related Research

Improved Hardness of BDD and SVP Under Gap-(S)ETH

Fine-grained hardness of CVP(P)— Everything that we can prove (and nothing else)

Hardness of the (Approximate) Shortest Vector Problem: A Simple Proof via Reed-Solomon Codes

The Fine-Grained Hardness of Sparse Linear Regression

Lattice (List) Decoding Near Minkowski's Inequality

(Gap/S)ETH Hardness of SVP

A time-distance trade-off for GDD with preprocessing---Instantiating the DLW heuristic

This week in AI

1 Introduction

Bounded Distance Decoding.

Fine-grained hardness.

1.1 Our Results

Theorem 1

1.2 Technical Overview

Local density via sparsification.

This work: local density for small relative distance.

1.3 Discussion and Future Work

Acknowledgments.

2 Preliminaries

2.1 Problems with Preprocessing

Definition 1

Lemma 1

Proof

Reductions for preprocessing problems.

Definition 2

Definition 3

2.2 Lattices

2.3 Bounded Distance Decoding (with Preprocessing)

Definition 4

Theorem 2 ([19, Corollaries 1 and 2])

Theorem 3 ([19, Corollary 3])

2.4 Sparsification

Lemma 2

Proof

Corollary 1

Theorem 4 ([30, Theorem 3.1])

Corollary 2

Proof

2.5 Counting Lattice Points in a Ball

Proposition 1 ([21])

Proof

2.6 Hardness Assumptions

Definition 5

Definition 6

Corollary 3

3 Hardness of \BDDp,α

3.1 (S,t)-BDD to BDD

Definition 7

Reducing to BDD.

Lemma 3

3 Hardness of $\BDDp,α$

3.1 $(S, t)$ -BDD to BDD