Hardness of approximating the shortest vector problem in lattices

Research output: Contribution to journal › Article

Abstract

Let p > 1 be any fixed real. We show that assuming NP ⊈ RP, there is no polynomial time algorithm that approximates the Shortest Vector Problem (SVP) in $\ell_p$ norm within a constant factor. Under the stronger assumption NP ⊈ RTIME($2^{\mathrm{poly}(\log n)}$), we show that there is no polynomial-time algorithm with approximation ratio $2^{(\log n)^{1/2-\varepsilon}}$ where n is the dimension of the lattice and $\varepsilon > 0$ is an arbitrarily small constant. We first give a new (randomized) reduction from Closest Vector Problem (CVP) to SVP that achieves some constant factor hardness. The reduction is based on BCH Codes. Its advantage is that the SVP instances produced by the reduction behave well under the augmented tensor product, a new variant of tensor product that we introduce. This enables us to boost the hardness factor to $2^{(\log n)^{1/2-\varepsilon}}$.

Original language: English (US)
Pages (from-to): 789-808
Number of pages: 20
Journal: Journal of the ACM
Volume: 52
Issue number: 5
DOIs: 10.1145/1089023.1089027
State: Published - Sep 2005

Fingerprint

Hardness
Tensor Product
Polynomial-time Algorithm
Tensors
Polynomials
BCH Codes
Norm
Approximation

Keywords

  • Approximation algorithms
  • Cryptography
  • Hardness of approximation
  • Lattices
  • Shortest vector problem

ASJC Scopus subject areas

  • Hardware and Architecture
  • Information Systems
  • Computer Graphics and Computer-Aided Design
  • Software
  • Theoretical Computer Science
  • Computational Theory and Mathematics

Cite this

Hardness of approximating the shortest vector problem in lattices. / Khot, Subhash.

In: Journal of the ACM, Vol. 52, No. 5, 09.2005, p. 789-808.

@article{22cba18bfb0b4a7b8bca5376c77747a0,
title = "Hardness of approximating the shortest vector problem in lattices",
abstract = "Let p > 1 be any fixed real. We show that assuming NP ⊈ RP, there is no polynomial time algorithm that approximates the Shortest Vector Problem (SVP) in $\ell_p$ norm within a constant factor. Under the stronger assumption NP ⊈ RTIME($2^{\mathrm{poly}(\log n)}$), we show that there is no polynomial-time algorithm with approximation ratio $2^{(\log n)^{1/2-\varepsilon}}$ where n is the dimension of the lattice and $\varepsilon > 0$ is an arbitrarily small constant. We first give a new (randomized) reduction from Closest Vector Problem (CVP) to SVP that achieves some constant factor hardness. The reduction is based on BCH Codes. Its advantage is that the SVP instances produced by the reduction behave well under the augmented tensor product, a new variant of tensor product that we introduce. This enables us to boost the hardness factor to $2^{(\log n)^{1/2-\varepsilon}}$.",
keywords = "Approximation algorithms, Cryptography, Hardness of approximation, Lattices, Shortest vector problem",
author = "Subhash Khot",
year = "2005",
month = "9",
doi = "10.1145/1089023.1089027",
language = "English (US)",
volume = "52",
pages = "789--808",
journal = "Journal of the ACM",
issn = "0004-5411",
publisher = "Association for Computing Machinery (ACM)",
number = "5",

}

TY - JOUR

T1 - Hardness of approximating the shortest vector problem in lattices

AU - Khot, Subhash

PY - 2005/9

Y1 - 2005/9

AB - Let p > 1 be any fixed real. We show that assuming NP ⊈ RP, there is no polynomial time algorithm that approximates the Shortest Vector Problem (SVP) in $\ell_p$ norm within a constant factor. Under the stronger assumption NP ⊈ RTIME($2^{\mathrm{poly}(\log n)}$), we show that there is no polynomial-time algorithm with approximation ratio $2^{(\log n)^{1/2-\varepsilon}}$ where n is the dimension of the lattice and $\varepsilon > 0$ is an arbitrarily small constant. We first give a new (randomized) reduction from Closest Vector Problem (CVP) to SVP that achieves some constant factor hardness. The reduction is based on BCH Codes. Its advantage is that the SVP instances produced by the reduction behave well under the augmented tensor product, a new variant of tensor product that we introduce. This enables us to boost the hardness factor to $2^{(\log n)^{1/2-\varepsilon}}$.

KW - Approximation algorithms

KW - Cryptography

KW - Hardness of approximation

KW - Lattices

KW - Shortest vector problem

UR - http://www.scopus.com/inward/record.url?scp=27344453570&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=27344453570&partnerID=8YFLogxK

U2 - 10.1145/1089023.1089027

DO - 10.1145/1089023.1089027

M3 - Article

AN - SCOPUS:27344453570

VL - 52

SP - 789

EP - 808

JO - Journal of the ACM

JF - Journal of the ACM

SN - 0004-5411

IS - 5

ER -