1 Introduction

It is a long-standing open question whether cryptography can be based on the minimal assumption that \(\mathbf{NP } \nsubseteq \mathbf{BPP }\). More precisely, one would hope to construct cryptographic primitives such that given a polynomial-time algorithm breaking the security of the primitive, one can efficiently solve \({\textsf {SAT}}\).

The closest we have gotten so far is lattice cryptography. This approach was born out of the breakthrough result of Ajtai [Ajt96], which constructs a one-way function family based on the worst-case hardness of certain lattice problems such as the \(\gamma \)-approximate shortest independent vectors problem (\({\textsf {SIVP}}_\gamma \)), which can be stated as follows: given an n-dimensional lattice, find a set of n linearly independent vectors whose length is at most \(\gamma (n)\) (polynomial in n) times the length of the shortest such vector set. Since the work of Ajtai, the state of the art is a construction of a family of collision resistant hash functions (CRHF) based on the hardness of the shortest independent vectors problem with an approximation factor \(\tilde{O}(n)\) [MR04]. One would hope that this approach is viable for constructing cryptography based on NP-hardness, since Blömer and Seifert showed that \({\textsf {SIVP}}_{\gamma }\) is NP-hard for any constant factor \(\gamma \) [BS99]. Presumably, if one could construct cryptographic primitives based on the hardness of \({\textsf {SIVP}}_{O(1)}\), we would be golden. Alternatively, if one could extend the result of Blömer and Seifert to show the NP-hardness of \({\textsf {SIVP}}_\gamma \) for larger \(\gamma (n)\), we would be closer to the goal of basing cryptography on NP-hardness.

However, there are some negative results when one considers the corresponding gap version of the same lattice problem. The gap problem, denoted by \({\textsf {gapSIVP}}_{\gamma }\), is to estimate the length of the shortest independent vector set within a factor of \(\gamma (n)\). Peikert and Vaikuntanathan showed that \({\textsf {gapSIVP}}_{\omega (\sqrt{n \log n})}\) is in \(\mathbf{SZK }\) [PV08]. Thus there is no Cook reduction from \({\textsf {SAT}}\) to \({\textsf {gapSIVP}}_{\tilde{O}(\sqrt{n})}\) unless the polynomial hierarchy collapses (as \(\mathbf{BPP }^\mathbf{SZK } \subseteq \mathbf{AM } \cap \mathbf{coAM }\) [MX10]).

Fortunately, the hardness of \({\textsf {SIVP}}\) is not contradicted by the fact that the gap problem with the same approximation factor is easy. For instance, consider any ideal lattice in the ring \({\mathbb {Z}}[x]/\langle x^{2^k}+1\rangle \): its successive minima satisfy \(\lambda _1 = \ldots = \lambda _n\), so \({\textsf {gapSIVP}}_{\sqrt{n}}\) can be trivially solved using Minkowski’s inequality (see the short calculation below). However, finding a set of short independent vectors in such ideal lattices is still believed to be hard. As none of these negative results apply to reductions to search \({\textsf {SIVP}}\), there is still a ray of hope: can \(\mathbf{NP }\) be reduced to solving search \({\textsf {SIVP}}\) with approximation factor \(\tilde{O}(n)\)?
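
To make the Minkowski argument concrete, here is the short calculation (a sketch relying only on Minkowski’s first theorem and Hadamard’s inequality). For a lattice with \(\lambda _1 = \ldots = \lambda _n\),

$$\begin{aligned} \det (\mathcal L)^{1/n} \le \Bigl (\prod _{i=1}^n \lambda _i(\mathcal L)\Bigr )^{1/n} = \lambda _1(\mathcal L) = \lambda _n(\mathcal L) \le \sqrt{n} \cdot \det (\mathcal L)^{1/n}, \end{aligned}$$

where the first inequality is Hadamard’s inequality applied to linearly independent lattice vectors achieving the successive minima, and the last is Minkowski’s first theorem applied to \(\lambda _1\). Hence \(\det (\mathcal L)^{1/n}\), which is efficiently computable from any basis, approximates \(\lambda _n\) within a factor \(\sqrt{n}\).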

Thus, in order to really understand the viability of the approach begun by the work of Ajtai, it seems one must study the search versions of lattice problems. In this work, we relate the hardness of the search version \({\textsf {SIVP}}_{\gamma }\) to the gap version \({\textsf {gapSIVP}}\). Informally, we show that if \({\textsf {gapSIVP}}_{\gamma }\) is not hard, neither is \({\textsf {SIVP}}_{\sqrt{n} \cdot \gamma }\).

Main Theorem 1

If \({\textsf {gapSIVP}}_{\gamma } \in \mathbf{SZK}\) and there exists a probabilistic polynomial-time adaptive reduction from a language L to \({\textsf {SIVP}}_{\sqrt{n\log n} \cdot \gamma }\), then \({\textsf {L}} \in \mathbf{AM } \cap \mathbf{coAM }\).

As a quick corollary, combining our result with \({\textsf {gapSIVP}}_{\omega (\sqrt{n\log n})} \in \mathbf{SZK }\) [PV08], any language that can be reduced to \({\textsf {SIVP}}_{\omega (n\log n)}\) lies in \(\mathbf{AM } \cap \mathbf{coAM }\), and thus it is not NP-hard unless the polynomial hierarchy collapses.

Corollary 1.1

If there exists a probabilistic polynomial-time adaptive reduction from a language L to \({\textsf {SIVP}}_{\gamma }\) for any \(\gamma (n) = \omega (n\log n)\), then \({\textsf {L}} \in \mathbf{AM } \cap \mathbf{coAM }\).

1.1 Proof Overview

The first step is to shift from a search problem to a sampling problem. Our goal is to obtain a black-box separation between \({\textsf {SIVP}}_{\gamma }\) and NP-hardness by showing that any language L that can be reduced to \({\textsf {SIVP}}_{\gamma }\) is in \(\mathbf{AM } \cap \mathbf{coAM }\). Let \(\mathcal R\) be the reduction from L to \({\textsf {SIVP}}_{\gamma }\). We will construct an AM protocol for L using the reduction \(\mathcal R\). For a first attempt, the naïve verifier samples a random tape and sends it to the prover. The prover simulates the reduction \(\mathcal R\), resolving any query to \({\textsf {SIVP}}_\gamma \) using its unbounded computational power. The simulation, including the answers to the reduction’s queries to \({\textsf {SIVP}}_\gamma \), is sent to the naïve verifier, so that the verifier can check its correctness. But \({\textsf {SIVP}}_{\gamma }\) is a search problem, and there is no unique right answer. The prover has the freedom to decide which answer is chosen upon each query, and this freedom allows a malicious prover to fool the naïve verifier. A similar difficulty was faced by Bogdanov and Brzuska when separating size-verifiable one-way functions from NP-hardness [BB15], and they resolved it by shifting to sampling problems: the prover is forced to sample a random answer uniformly among all correct ones, so that the correct answer distribution for each query is unique.

Inspired by the work of Bogdanov and Brzuska, we consider a sampling problem related to \({\textsf {SIVP}}_\gamma \): sampling from the discrete Gaussian distribution. A discrete Gaussian over a lattice is a distribution in which the probability of any lattice vector \(\mathbf {v}\) is proportional to \(e^{-\pi \Vert \mathbf {v}- \mathbf {c}\Vert ^2 /s^2}\), where \(\mathbf {c}\) is its “center” and the parameter s is its “width”. Lemma 4.3 shows that discrete Gaussian sampling is as hard as \({\textsf {SIVP}}_{\gamma }\), in the sense that there is a black-box reduction from \({\textsf {SIVP}}_{\gamma }\) to discrete Gaussian sampling with “width” \(\frac{\gamma (n)}{\sqrt{n}} \cdot \lambda _n\). Therefore, if a language L can be reduced to \({\textsf {SIVP}}_\gamma \), then it can also be reduced to discrete Gaussian sampling on lattices with “width” \(s \le \frac{\gamma }{\sqrt{n}} \cdot \lambda _n\).

Lemma 4.3

(Informal). \({\textsf {SIVP}}_{\gamma }\) can be efficiently reduced to discrete Gaussian sampling on lattices with “width” \(\sigma = \frac{\gamma }{\sqrt{n}} \lambda _n\).

Lemma 4.3 is a generalization of [Reg09, Lemma 3.17]. Its proof is quite intuitive: repeatedly sample from the discrete Gaussian over the same lattice centered at \(\mathbf {0}\). With good probability, each newly sampled vector is short and linearly independent of the previously sampled vectors.

The next natural question is: which property separates a sampling problem from NP-hardness? Here we introduce the notion of “probability-verifiability”. Informally, a distribution family is probability-verifiable if for any distribution \(\mathcal D\) in this family and for any possible value v, the probability \(\Pr [v \leftarrow \mathcal D]\) that v is sampled from \(\mathcal D\) can be lower bounded to arbitrarily good precision in AM.

Lemma 4.4

(Informal). If a language \({\textsf {L}}\) can be reduced to a probability-verifiable sampling problem \({\textsf {S}}\), then \({\textsf {L}} \in \mathbf{AM } \cap \mathbf{coAM }\).

Lemma 4.4 is a generalization of [BB15]. Assume language L can be reduced to a sampling problem \({\textsf {S}}\). The input of S is interpreted as the description of a distribution; let \(\mathcal P_{\mathsf {pd}}\) denote the distribution specified by input \(\mathsf {pd}\).

Let \(\mathcal R\) be the reduction from L to sampling problem S. On each input x, an execution \(\mathcal R^{{\textsf {S}}}(x)\) is determined by the random tape of reduction \(\mathcal R\), denoted by r, and the answers to the reduction’s queries to S. The transcript is defined as \(\sigma = (r,\mathsf {pd}_1,v_1, \ldots , \mathsf {pd}_T,v_T)\) where \(\mathsf {pd}_t\) is the t-th query to S and \(v_t\) is the corresponding response. Note that \(r,v_1,\ldots ,v_T\) determine the execution, since \(\mathsf {pd}_t\) is determined by \(r,v_1,\ldots ,v_{t-1}\). Then

$$\begin{aligned} \Pr [\mathcal R^{{\textsf {S}}}(x) \rightarrow 1] = \sum _{\begin{array}{c} \text {accepting transcript } \sigma = (r,\mathsf {pd}_1,v_1,\ldots ,\mathsf {pd}_T,v_T) \end{array}} \Pr [r] \prod _{t=1}^T \mathcal P_{\mathsf {pd}_t}(v_t). \end{aligned}$$
(1)

For simplicity, assume for now that there is an efficient algorithm that computes the probability \(\mathcal P_{\mathsf {pd}}(v)\) given \(\mathsf {pd}\) and value v; this property is stronger than probability-verifiability. Then the probability that \(\mathcal R^{{\textsf {S}}}(x)\) accepts, which equals a sum (Eq. (1)) in which each term can be efficiently computed, can be lower bounded using the set lower bound protocol of Goldwasser and Sipser [GS86], so \({\textsf {L}}\in \mathbf{AM }\). Symmetrically, \({\textsf {L}}\in \mathbf{coAM }\). The proof of Lemma 4.4 shows the same result from the weaker condition that \({\textsf {S}}\) is probability-verifiable.
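
As a toy illustration of Eq. (1) (not part of the formal argument; all names below are hypothetical), the following sketch enumerates the transcripts of a two-query reduction whose query distributions are known exactly, and sums the probabilities of the accepting ones:

```python
from itertools import product

def toy_dist(pd):
    """Return {value: probability} for the distribution described by pd."""
    return {0: 0.25, 1: 0.75} if pd == "biased" else {0: 0.5, 1: 0.5}

def toy_reduction(x, r, answers):
    """Deterministic given the random bit r and the oracle answers so far:
    returns (next query, None), or (None, output) after T = 2 answers."""
    if len(answers) < 2:
        return ("biased" if r == 0 else "uniform", None)
    return (None, 1 if (sum(answers) + r + x) % 2 == 0 else 0)

def acceptance_probability(x, T=2):
    total = 0.0
    for r in (0, 1):                             # random tape (one bit here)
        for vs in product((0, 1), repeat=T):     # oracle answers v_1..v_T
            p, answers = 0.5, []                 # Pr[r] = 1/2
            for v in vs:                         # replay the execution
                pd, _ = toy_reduction(x, r, answers)
                p *= toy_dist(pd)[v]             # chain rule: times P_pd(v_t)
                answers.append(v)
            _, out = toy_reduction(x, r, answers)
            if out == 1:                         # accepting transcript
                total += p
    return total

print(acceptance_probability(x=0))   # Pr[R^S(0) -> 1], as in Eq. (1)
```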

There is one last step missing between Lemmas 4.3 and 4.4: Is discrete Gaussian sampling probability-verifiable? What is the smallest factor \(\gamma \) such that discrete Gaussian sampling with “width” \(\le \gamma \lambda _n\) is probability-verifiable? Lemma 4.5 answers this question, and it connects the hardness of discrete Gaussian sampling with the hardness of \({\textsf {gapSIVP}}\).

Lemma 4.5

(Informal). Assume \({\textsf {gapSIVP}}_{\gamma }\) is in SZK. There exists a real-valued function \(s(\mathbf {B}) \in [\lambda _n,\tilde{O}(\gamma ) \cdot \lambda _n]\) such that, given a lattice basis \(\mathbf {B}\), discrete Gaussian sampling over the lattice \(\mathcal L(\mathbf {B})\) with “width” \(s(\mathbf {B})\) is probability-verifiable.

Lemma 4.5 has an easier proof assuming the stronger condition that \({\textsf {gapSIVP}}_{\gamma }\) is in P. If there were some deterministic polynomial-time algorithm solving \({\textsf {gapSIVP}}_{\gamma }\), there would exist \(s(\mathbf {B}) \in [\lambda _n(\mathbf {B}), \gamma \lambda _n(\mathbf {B})]\) that can be efficiently computed by binary search. As \(s(\mathbf {B}) \ge \lambda _n(\mathbf {B})\), the verifier can ask the prover to provide a set of n linearly independent vectors \(\mathbf {w}_1,\ldots ,\mathbf {w}_n\) whose length is at most \(s(\mathbf {B})\). Given the lattice basis \(\mathbf {B}\) and a set of short linearly independent vectors, there exists an efficient algorithm that samples from the discrete Gaussian with the desired parameter [BLP+13]. When the verifier can sample from a distribution, he can lower bound the probability of each value using the set lower bound protocol [GS86].
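
A minimal sketch of this search, assuming a deterministic \({\textsf {gapSIVP}}_{\gamma }\) oracle; the names gap_oracle, s_min, s_max and the geometric grid are illustrative assumptions, and the grid granularity costs an extra constant factor \(\mu \):

```python
def approx_lambda_n(B, gap_oracle, gamma, s_min, s_max, mu=1.01):
    """Search for a value in [lambda_n(B), ~gamma * lambda_n(B)] given a
    deterministic gapSIVP_gamma oracle: gap_oracle(B, s) answers YES
    whenever lambda_n(B) <= s, NO whenever lambda_n(B) >= gamma * s, and
    arbitrarily (but consistently) in between. Assumes the bracket
    s_min <= lambda_n(B) <= s_max, e.g. from the basis vector lengths."""
    s = s_min
    while not gap_oracle(B, s):   # a NO answer certifies lambda_n(B) > s
        s *= mu                   # geometric scan; a binary search over
        assert s <= mu * s_max    # the exponent works as well
    # First YES at s: lambda_n(B) > s/mu (previous NO) and lambda_n(B) < gamma*s,
    # hence gamma*s lies in [lambda_n(B), mu * gamma * lambda_n(B)].
    return gamma * s
```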

This informal proof assumes \({\textsf {gapSIVP}}_{\gamma }\in \mathbf{P }\) in order to compute a function \(s(\mathbf {B})\) such that \(s(\mathbf {B}) \approx \lambda _n(\mathbf {B})\). As the verifier only needs to compute such a function \(s(\mathbf {B})\) inside an AM protocol, this assumption can be weakened to \({\textsf {gapSIVP}}_{\gamma }\in \mathbf{SZK }\) by combining with Lemma 3.1.

Lemma 3.1

(Informal). Assume \({\textsf {gapSIVP}}_{\gamma }\) is in SZK. There exists a real-valued function \(s(\mathbf {B}) \in [\lambda _n,\tilde{O}(\gamma ) \cdot \lambda _n]\) that can be efficiently computed in an Arthur-Merlin protocol.

The proof technique of Lemma 3.1 crucially relies on the fact that \({\textsf {gapSIVP}}_{\gamma } \in \mathbf{SZK }\). As a result, we cannot readily make use of previous results such as \({\textsf {gapSIVP}}_{\sqrt{n/\log n}} \in \mathbf{NP }\cap \mathbf{coAM }\) [GMR04].

1.2 Related Works

Prior work exploring the problem of basing cryptography on worst-case \(\mathbf{NP }\)-hardness has obtained several negative results for black-box reductions. Brassard [Bra79] first showed that one-way permutations cannot be based on NP-hardness. Goldreich and Goldwasser [GG98] showed that public-key encryption schemes satisfying certain very specific properties, including the ability to certify an invalid key, cannot be based on NP-hardness.

The work of Akavia, Goldreich, Goldwasser and Moshkovitz [AGGM06] and of Bogdanov and Brzuska [BB15] showed that a special class of one-way functions called size-verifiable one-way functions cannot be based on \(\mathbf{NP }\)-hardness. A size-verifiable one-way function is one in which the size of the set of pre-images can be efficiently approximated via an \(\mathbf{AM }\) protocol.

Bogdanov and Lee [BL13] showed that homomorphic encryption schemes satisfying a special property cannot be based on \(\mathbf{NP }\)-hardness. The required property is that homomorphic evaluation produces a ciphertext whose distribution is statistically close to that of a freshly encrypted ciphertext.

Recently, Liu and Vaikuntanathan [LV16] showed that single-server private information retrieval (PIR) schemes cannot be based on NP-hardness.

Several works have also obtained separation results for restricted types of reductions, most notably non-adaptive reductions, which make all oracle queries simultaneously. The work of Feigenbaum and Fortnow [FF91], subsequently strengthened by Bogdanov and Trevisan [BT06], showed that there cannot be a non-adaptive reduction from SAT to the average-case hardness of any problem in \(\mathbf{NP }\), unless the polynomial hierarchy collapses.

On basing lattice problems on NP-hardness, the work of Goldreich and Goldwasser [GG00], subsequently strengthened by Micciancio and Vadhan [MV03], showed that \({\textsf {gapSVP}}_{\sqrt{n/\log n}}\) and \({\textsf {gapCVP}}_{\sqrt{n/\log n}}\) are both contained in \(\mathbf{NP } \cap \mathbf{SZK }\). The shortest vector problem (SVP) and the closest vector problem (CVP) are, roughly speaking, the problems of finding the shortest non-zero vector in a lattice and finding the lattice vector that is closest to a given point, respectively. The corresponding gap problems \({\textsf {gapSVP}}_\gamma ,{\textsf {gapCVP}}_\gamma \) are to estimate, within a factor of \(\gamma (n)\), the length of the shortest non-zero vector and the distance to the closest lattice vector from a given point. The problem gapSVP is connected to gapSIVP via so-called “transference theorems” for lattices [Ban93]. Aharonov and Regev [AR04] explored a slightly looser approximation factor and showed that \({\textsf {gapSVP}}_{\sqrt{n}}\) and \({\textsf {gapCVP}}_{\sqrt{n}}\) are both contained in \(\mathbf{NP } \cap \mathbf{coNP }\).

In prior work on the gap version of the SIVP problem, Guruswami, Micciancio and Regev [GMR04] showed that \({\textsf {gapSIVP}}_{\sqrt{n/\log n}} \in \mathbf{NP } \cap \mathbf{coAM }\). Peikert and Vaikuntanathan [PV08] showed that \({\textsf {gapSIVP}}_{\gamma } \in \mathbf{SZK }\) for any \(\gamma (n) = \omega (\sqrt{n\log n})\). In contrast to these results for promise problems, our work explores the approximate SIVP problem. With an approximation factor \(\gamma (n) = \tilde{O}(n)\), this search problem is the basis of lattice-based collision resistant hash function (CRHF) constructions [Ajt96, MR04]. In particular, Micciancio and Regev constructed CRHF from the worst-case hardness of \({\textsf {SIVP}}_{\gamma (n)}\) for any \(\gamma (n) = \omega (n\log n)\) [MR04]. We separate \({\textsf {SIVP}}_\gamma \) from NP-hardness for the same approximation factor.

2 Preliminaries

Lattice. A lattice in \({\mathbb {R}}^n\) is an additive subgroup of \({\mathbb {R}}^n\)

$$\begin{aligned} \biggl \{ \sum _{i=1}^n x_i \mathbf {b}_i : x_i \in {\mathbb {Z}} \text { for } 1\le i\le n \biggr \} \end{aligned}$$

generated by n linearly independent vectors \(\mathbf {b}_1,\ldots ,\mathbf {b}_n \in {\mathbb {R}}^n\). The set of vectors \(\mathbf {b}_1,\ldots ,\mathbf {b}_n\) is called a basis for the lattice. A basis can be represented by a matrix \(\mathbf {B}\in {\mathbb {R}}^{n\times n}\) whose columns are the basis vectors. The lattice generated by the columns of \(\mathbf {B}\) is denoted by \(\mathcal L(\mathbf {B})\):

$$\begin{aligned} \mathcal L(\mathbf {B}) = \{\mathbf {B}\mathbf {x}: \mathbf {x}\in {\mathbb {Z}}^n\}. \end{aligned}$$

The i-th successive minimum of a lattice \(\mathcal L\), denoted by \(\lambda _i(\mathcal L)\), is defined as the smallest r such that \(\mathcal L\) contains i linearly independent vectors of length at most r. Formally,

$$\begin{aligned} \lambda _i(\mathcal L) \mathrel {:=}\min \{r : \dim (\mathcal L \cap r \mathcal B) \ge i \}, \end{aligned}$$

where \(r \mathcal B\) is the radius-r ball centered at the origin, defined as \(r \mathcal B \mathrel {:=}\{\mathbf {x}\in {\mathbb {R}}^n : \Vert \mathbf {x}\Vert _2 \le r\}\). We abuse notation and write \(\lambda _i(\mathbf {B})\) instead of \(\lambda _i(\mathcal L(\mathbf {B}))\).
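
As a sanity check on this definition, the successive minima of a low-dimensional lattice can be computed by brute-force enumeration; a minimal sketch (exponential time, purely illustrative):

```python
import itertools

import numpy as np

def successive_minima(B, radius=4):
    """Brute-force lambda_1..lambda_n of the lattice generated by the
    columns of B, enumerating coefficients in [-radius, radius]^n.
    The greedy scan picks, in order of increasing norm, any point that
    increases the rank of the chosen set, matching the definition."""
    n = B.shape[1]
    pts = [B @ np.array(c)
           for c in itertools.product(range(-radius, radius + 1), repeat=n)]
    pts = sorted((p for p in pts if np.linalg.norm(p) > 0), key=np.linalg.norm)
    minima, chosen = [], []
    for p in pts:
        if np.linalg.matrix_rank(np.column_stack(chosen + [p])) > len(chosen):
            chosen.append(p)
            minima.append(float(np.linalg.norm(p)))
        if len(chosen) == n:
            break
    return minima

B = np.array([[2.0, 1.0], [0.0, 3.0]])   # basis vectors as columns
print(successive_minima(B))              # [2.0, 3.162...]
```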

Shortest Independent Vectors Problem (SIVP). \({\textsf {SIVP}}\) is a computational problem. Given a basis \(\mathbf {B}\) of an n-dimensional lattice, find a set of n linearly independent vectors \(\mathbf {v}_1,\ldots ,\mathbf {v}_n \in \mathcal L(\mathbf {B})\) such that \(\max _i\Vert \mathbf {v}_i\Vert \) is minimized, i.e., \(\Vert \mathbf {v}_i\Vert \le \lambda _n(\mathbf {B})\) for all \(1\le i\le n\).

\({\textsf {SIVP}}_\gamma \) is the approximation version of \({\textsf {SIVP}}\) with factor \(\gamma \). Given a basis \(\mathbf {B}\) of an n-dimensional lattice, find a set of n linearly independent vectors \(\mathbf {v}_1,\ldots ,\mathbf {v}_n \in \mathcal L(\mathbf {B})\) such that \(\Vert \mathbf {v}_i\Vert \le \gamma (n) \cdot \lambda _n(\mathbf {B})\) for all \(1\le i\le n\). The approximation factor \(\gamma \) is typically a polynomial in n.

\({\textsf {gapSIVP}}_\gamma \) is the decision version of \({\textsf {SIVP}}_\gamma \). An input to \({\textsf {gapSIVP}}_\gamma \) is a basis \(\mathbf {B}\) of an n-dimensional lattice and a scalar s. It is a YES instance if \(\lambda _n(\mathbf {B}) \le s\), and is a NO instance if \(\lambda _n(\mathbf {B}) \ge \gamma (n) \cdot s\).

Discrete Gaussian. For any vector \(\mathbf {c}\) and any \(s > 0\), let

$$\begin{aligned} \rho _{\mathbf {c},s}(\mathbf {v}) = e^{-\pi \Vert \mathbf {v}-\mathbf {c}\Vert _2^2 / s^2} \end{aligned}$$

be the Gaussian function with mean \(\mathbf {c}\) and width s. Such functions extend to sets in the usual way: \(\rho _{\mathbf {c},s}(\mathcal L) = \sum _{\mathbf {v}\in \mathcal L} \rho _{\mathbf {c},s}(\mathbf {v})\). The discrete Gaussian distribution over a lattice \(\mathcal L\) with mean \(\mathbf {c}\) and width s, denoted by \(\mathcal N_{\mathcal L, \mathbf {c}, s}\), is defined by

$$\begin{aligned} \forall \mathbf {v}\in \mathcal L, \; \mathcal N_{\mathcal L,\mathbf {c},s}(\mathbf {v}) = \frac{\rho _{\mathbf {c},s}(\mathbf {v})}{\rho _{\mathbf {c},s}(\mathcal L)}. \end{aligned}$$

In this work, most discrete Gaussian distributions considered are centered at the origin. Let \(\rho _{s}, \mathcal N_{\mathcal L,s}\) denote \(\rho _{\mathbf {0},s}, \mathcal N_{\mathcal L,\mathbf {0},s}\) respectively.
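
For intuition, \(\mathcal N_{\mathcal L,s}\) can be approximated numerically by truncating the sum \(\rho _{s}(\mathcal L)\) to a finite box of coefficient vectors; a minimal sketch (the truncation radius is a heuristic choice):

```python
import itertools
import math

import numpy as np

def rho(v, s):
    """Gaussian weight rho_s(v) = exp(-pi * ||v||^2 / s^2), centered at 0."""
    return math.exp(-math.pi * float(np.sum(v ** 2)) / s ** 2)

def discrete_gaussian_pmf(B, s, radius=20):
    """Approximate N_{L(B),s} by restricting to coefficient vectors in
    [-radius, radius]^n; the neglected tail is tiny once radius is large
    relative to s (heuristic truncation, for illustration only)."""
    n = B.shape[1]
    weights = {}
    for coeff in itertools.product(range(-radius, radius + 1), repeat=n):
        v = B @ np.array(coeff)
        weights[tuple(v)] = rho(v, s)
    Z = sum(weights.values())            # truncated rho_s(L)
    return {v: w / Z for v, w in weights.items()}

pmf = discrete_gaussian_pmf(np.eye(2), s=2.0)   # the lattice Z^2
print(pmf[(0.0, 0.0)], pmf[(1.0, 0.0)])         # the origin is the mode
```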

Lemma 2.1

(Lemma 1.4 in [Ban93]). For each \(a\ge 1\) and any n-dimensional lattice \(\mathcal L\), \(\rho _{as}(\mathcal L) \le a^n \rho _{s}(\mathcal L)\).

Lemma 2.2

(Lemma 1.5 in [Ban93]). For any \(c > 1/\sqrt{2\pi }\) and any n-dimensional lattice \(\mathcal L\),

$$\begin{aligned} \rho _s(\mathcal L \setminus cs\sqrt{n}\mathcal B) < C^n \cdot \rho _s(\mathcal L) \end{aligned}$$
(2)

where \(C = c \sqrt{2\pi e} \cdot e^{-\pi c^2}\).

Sampling Problems. Besides computational problems and decision problems, we define sampling problems. The input of a sampling problem specifies a distribution; let \(\mathcal P_\mathsf {pd}\) denote the distribution specified by input \(\mathsf {pd}\). The goal is to sample from the distribution \(\mathcal P_\mathsf {pd}\). A probabilistic polynomial-time algorithm \(\mathcal S\) perfectly solves the sampling problem if for any input \(\mathsf {pd}\)

$$\begin{aligned} \forall v, \Pr [ \mathcal S(\mathsf {pd}) \rightarrow v ] = \mathcal P_\mathsf {pd}(v). \end{aligned}$$

The probability is over the random input tape of \(\mathcal S\). In a more practical definition, \(\mathcal S\) solves the sampling problem if, given an additional accuracy parameter \(1^\ell \), the output distribution of \(\mathcal S(\mathsf {pd},1^\ell )\) is close to \(\mathcal P_\mathsf {pd}\), i.e.

$$\begin{aligned} \varDelta _\mathrm{sd} (\mathcal S(\mathsf {pd},1^\ell ), \mathcal P_\mathsf {pd}) \le \frac{1}{\ell } \end{aligned}$$

where \(\varDelta _\mathrm{sd}\) denotes the statistical distance.

For example, in this work, discrete Gaussian sampling is considered as a sampling problem. For any function \(s(\cdot )\) mapping lattice bases to positive real numbers, define the sampling problem \({\textsf {DGS}}_s\) (discrete Gaussian sampling with width function s). The input of \({\textsf {DGS}}_s\) is a lattice basis \(\mathbf {B}\). The target output distribution \(\mathcal P_\mathbf {B}\) is the discrete Gaussian distribution \(\mathcal N_{\mathcal L(\mathbf {B}),s(\mathbf {B})}\), where each vector \(\mathbf {v}\in \mathcal L(\mathbf {B})\) is sampled with probability

$$\begin{aligned} \mathcal P_\mathbf {B}(\mathbf {v}) = \mathcal N_{\mathcal L(\mathbf {B}), s(\mathbf {B})}(\mathbf {v}) = \frac{\rho _{s(\mathbf {B})}(\mathbf {v})}{\rho _{s(\mathbf {B})}(\mathcal L(\mathbf {B}))}. \end{aligned}$$

Probability-Verifiable. A sampling problem is probability-verifiable if there exists an AM protocol to lower bound \(\mathcal P_\mathsf {pd}(v)\) for any \(\mathsf {pd}\) and v. More precisely, there exists a family of error functions \(\{\eta _{\mathsf {pd},m}\}\) such that for any \(\mathsf {pd},m\), the error function \(\eta _{\mathsf {pd},m}:\{0,1\}^* \rightarrow [0,+\infty )\) satisfies \(\sum _v \eta _{\mathsf {pd},m}(v) \le \frac{1}{m}\), and the promise problem

  • YES instance: \((\mathsf {pd},v,\hat{p},1^m)\) such that \(\hat{p} = \mathcal P_\mathsf {pd}(v)\)

  • NO instance: \((\mathsf {pd},v,\hat{p},1^m)\) such that \(\hat{p} \ge \mathcal P_\mathsf {pd}(v) + \eta _{\mathsf {pd},m}(v)\)

is in AM.

Sampling Oracles. In order to formalize (probabilistic) Turing reductions to a sampling problem, we also define sampling oracles, which generalize the traditional oracles studied by complexity theorists. Let \(\mathcal S\) be a sampling oracle for a fixed sampling problem. \(\mathcal S\) can be queried on any valid \(\mathsf {pd}\); upon query \(\mathsf {pd}\), the sampling oracle \(\mathcal S(\mathsf {pd})\) outputs a fresh sample from distribution \(\mathcal P_\mathsf {pd}\). E.g., if the sampling oracle \(\mathcal S\) is queried on the same \(\mathsf {pd}\) multiple times, it outputs i.i.d. samples from distribution \(\mathcal P_\mathsf {pd}\).

A probabilistic Turing reduction from a language \({\textsf {L}}\) to a sampling problem \({\textsf {S}}\) is a probabilistic poly-time oracle Turing machine \(\mathcal R\), such that \(\mathcal R\) can solve \({\textsf {L}}\) given a sampling oracle of \({\textsf {S}}\) in the sense that

$$\begin{aligned} x \in {\textsf {L}}&\implies \mathcal R^{\mathcal S}(x) \rightarrow 1 \text { w.p.} \ge 2/3, \\ x \notin {\textsf {L}}&\implies \mathcal R^{\mathcal S}(x) \rightarrow 1 \text { w.p.} \le 1/3. \end{aligned}$$

If such a reduction exists, we say \({\textsf {L}}\) can be reduced to sampling problem \({\textsf {S}}\), denoted by \({\textsf {L}} \in \mathbf{BPP }^{{\textsf {S}}}\).

Similarly, a computational or search problem can be reduced to a sampling problem \({\textsf {S}}\) if it can be efficiently solved given the sampling oracle of \({\textsf {S}}\).
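
Concretely, a sampling oracle can be modeled as a stateless procedure that draws fresh randomness on every call; a minimal sketch (the names are illustrative):

```python
import random

class SamplingOracle:
    """Stateless oracle for a fixed sampling problem: each call to
    sample(pd) returns a fresh draw from P_pd, so repeated queries on
    the same pd yield i.i.d. samples."""

    def __init__(self, dist_of):
        self.dist_of = dist_of            # maps pd -> {value: probability}

    def sample(self, pd):
        dist = self.dist_of(pd)
        return random.choices(list(dist), weights=list(dist.values()))[0]

oracle = SamplingOracle(lambda pd: {0: 0.25, 1: 0.75})
print([oracle.sample("pd") for _ in range(5)])    # i.i.d. draws
```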

\({\mathbb {R}}\)-TFAM and \({\mathbb {R}}_\eta \)-TFAM. The complexity class \({\mathbb {R}}\)-TFAM was introduced by Mahmoody and Xiao [MX10]. Informally, it consists of real-valued functions that can be efficiently computed in AM. A function \(f:\{0,1\}^* \rightarrow {\mathbb {R}}\) is in \({\mathbb {R}}\)-TFAM if the following promise problem is in AM:

  • YES instance: \((x,f(x),1^m)\).

  • NO instance: \((x,y,1^m)\) such that \(|y - f(x)| > \frac{1}{m}\).

The definition of \({\mathbb {R}}\)-TFAM emphasizes the absolute error. The complexity class \({\mathbb {R}}_\eta \)-TFAM is defined to capture those functions that can be efficiently computed in AM with small relative error. A function \(g:\{0,1\}^* \rightarrow {\mathbb {R}}^+\) is in \({\mathbb {R}}_\eta \)-TFAM if the following promise problem is in AM:

  • YES instance: \((x,g(x),1^m)\).

  • NO instance: \((x,y,1^m)\) such that \(|y - g(x)| > \frac{1}{m} \cdot g(x)\).

It follows directly from the definitions that \(g \in {\mathbb {R}}_\eta -\mathbf{TFAM }\) if and only if \(\log g \in {\mathbb {R}}-\mathbf{TFAM }\) for any function \(g:\{0,1\}^* \rightarrow {\mathbb {R}}^+\).

Statistical Zero Knowledge. Statistical zero knowledge (SZK) is the class of decision problems that can be verified by a statistical zero-knowledge proof protocol. Entropy Difference (ED) is a complete problem for SZK [GV99], defined as follows: given two polynomial-size circuits C and D, let \(\mathcal C\) and \(\mathcal D\) be the distributions of their respective outputs when C, D are fed with uniform random inputs. The problem is to distinguish between

  • YES instance: (C, D) such that \(H(\mathcal C) - H(\mathcal D) \ge 1\);

  • NO instance: (C, D) such that \(H(\mathcal C) - H(\mathcal D) \le - 1\),

where H is the Shannon entropy. Moreover, the mapping \(H:C \mapsto H(\mathcal C)\) is in \({\mathbb {R}}\)-TFAM.
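
For a toy circuit small enough to enumerate, the entropies in an ED instance can be computed directly from the definition; a minimal sketch:

```python
import itertools
import math
from collections import Counter

def output_entropy(circuit, n_inputs):
    """Shannon entropy H of a circuit's output distribution when the
    circuit is fed uniformly random input bits (by full enumeration)."""
    counts = Counter(circuit(bits)
                     for bits in itertools.product((0, 1), repeat=n_inputs))
    total = 2 ** n_inputs
    return -sum(c / total * math.log2(c / total) for c in counts.values())

xor = lambda bits: bits[0] ^ bits[1]     # uniform output bit: H = 1
const = lambda bits: 0                   # constant output:    H = 0
print(output_entropy(xor, 2) - output_entropy(const, 2))   # H(C) - H(D) = 1
```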

3 Gap Problems

The lattice problem \({\textsf {gapSIVP}}\) is essentially the problem of estimating \(\lambda _n(\mathbf {B})\) given a lattice basis \(\mathbf {B}\). This definition can be generalized to any real-valued function. Define the gap problem of a function \(f:\{0,1\}^*\rightarrow {\mathbb {R}}^+\) with gap \(\gamma :\{0,1\}^*\rightarrow [1,+\infty )\), denoted by \({\textsf {gap}}f_{\gamma }\), as the promise problem

  • YES instance: (x, y) such that \(y\le f(x)\);

  • NO instance: (x, y) such that \(y > \gamma (x) \cdot f(x)\).

In this work, estimating \(\lambda _n(\mathbf {B})\) is of critical importance. Its gap problem, \({\textsf {gapSIVP}}_\gamma \), alone is not sufficient for the proof; instead, a stronger form of approximation is defined. Say \(g:\{0,1\}^*\rightarrow {\mathbb {R}}^+\) is an approximation of function f within factor \(\gamma \) if \(f(x) \le g(x) \le \gamma (x) \cdot f(x)\) for all x. Clearly, computing g is a harder problem than \({\textsf {gap}}f_{\gamma }\), in the sense that there is a trivial reduction from \({\textsf {gap}}f_{\gamma }\) to computing g (see the sketch below).
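
The trivial reduction mentioned above is a single threshold test; a sketch, where the oracle g computing the approximation is the hypothetical ingredient:

```python
def solve_gap_f(x, y, g):
    """Decide gap f_gamma given an oracle g with f(x) <= g(x) <= gamma(x)*f(x).
    YES instance: y <= f(x) <= g(x)            -> accept.
    NO  instance: y > gamma(x)*f(x) >= g(x)    -> reject."""
    return y <= g(x)
```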

The following lemma shows a reduction in the other direction: if \({\textsf {gap}}f_{\gamma }\) is in SZK, then there exists an approximation of f within almost the same factor that can be computed in AM.

Lemma 3.1

For any real-valued function \(f:\{0,1\}^*\rightarrow {\mathbb {R}}^+\) and any gap \(\gamma :\{0,1\}^*\rightarrow [1,+\infty )\) such that \(\log \gamma (x) \le \mathop {{\text {poly}}}(|x|)\), if \({\textsf {gap}}f_{\gamma } \in \mathbf{SZK }\), then for any constant \(\mu > 1\), there exists \(g:\{0,1\}^*\rightarrow {\mathbb {R}}^+\) such that \(\forall x, g(x) \in [f(x),\mu \gamma (x) f(x)]\) and g is in \({\mathbb {R}}_\eta \)-TFAM.

Lemma 3.1 can be combined with previous results about gapSIVP. Peikert and Vaikuntanathan [PV08] showed that \({\textsf {gapSIVP}}_\gamma \in \mathbf{NISZK } \subseteq \mathbf{SZK }\) for any \(\gamma = \omega (\sqrt{n \log n})\). Thus there exists an approximation of \(\lambda _n\) within a factor \(\tilde{O}(\sqrt{n})\) that can be computed in AM.

Corollary 3.2

For any \(\gamma (n) = \omega (\sqrt{n\log n})\), there exists a function g mapping lattice bases to real numbers such that \(g\in {\mathbb {R}}_\eta -\mathbf{TFAM }\) and \(\lambda _n(\mathbf {B}) \le g(\mathbf {B}) < \gamma (n) \cdot \lambda _n(\mathbf {B})\).

Proof (Lemma 3.1)

Entropy Difference (ED) is a complete problem for SZK, so \({\textsf {gap}}f_{\gamma } \in \mathbf{SZK }\) implies the existence of a reduction \((x,y)\mapsto (C_{x,y}, D_{x,y})\) that maps input x together with a real number y to random circuits \(C_{x,y}, D_{x,y}\). Let \(\mathcal C_{x,y}\) and \(\mathcal D_{x,y}\) be the output distributions of \(C_{x,y},D_{x,y}\). The reduction from \({\textsf {gap}}f_{\gamma }\) to ED satisfies the following properties:

  • There is an efficient deterministic algorithm computing \(C_{x,y},D_{x,y}\) given input (x, y).

  • \(H(\mathcal C_{x,y}) - H(\mathcal D_{x,y}) > 2\) for any (x, y) such that \(y\le f(x)\).

  • \(H(\mathcal C_{x,y}) - H(\mathcal D_{x,y}) < -1\) for any (x, y) such that \(y > \gamma (x) \cdot f(x)\).

Define the clamp function

$$\begin{aligned} {\text {clamp}}(y) \mathrel {:=}{\left\{ \begin{array}{ll} 1, &{}\text { if } y \ge 1;\\ y, &{}\text { if } y \in (0,1);\\ 0, &{}\text { if } y \le 0. \end{array}\right. } \end{aligned}$$

For any fixed constant \(\mu > 1\), define

$$\begin{aligned} g(x) = \exp \left( \ln \mu \cdot \sum _{i=0}^{+\infty } {\text {clamp}}(H(\mathcal C_{x,\mu ^i})-H(\mathcal D_{x,\mu ^i})) + \ln \mu \cdot \sum _{i=1}^{+\infty } \Bigl ({\text {clamp}}(H(\mathcal C_{x,\mu ^{-i}})-H(\mathcal D_{x,\mu ^{-i}})) -1\Bigr )\right) . \end{aligned}$$

As \({\text {clamp}}(H(\mathcal C_{x,y})-H(\mathcal D_{x,y})) = 1\) for \(y \le f(x)\),

$$\begin{aligned} g(x) \ge \exp \bigl (\ln \mu \cdot \lceil \log _\mu (f(x)) \rceil \bigr ) \ge f(x). \end{aligned}$$

As \({\text {clamp}}(H(\mathcal C_{x,y})-H(\mathcal D_{x,y})) = 0\) for \(y > \gamma (x) \cdot f(x)\),

$$\begin{aligned} g(x) \le \exp \bigl (\ln \mu \cdot \lceil \log _\mu (\gamma (x) \cdot f(x)) \rceil \bigr ) \le \mu \gamma (x) \cdot f(x). \end{aligned}$$

In order to complete the proof, we show that g is in \({\mathbb {R}}_\eta \)-TFAM: on input \((x,\hat{g})\), the prover can convince the verifier if \(\hat{g} = g(x)\), and no prover can convince the verifier if \(\hat{g}\) is far from g(x).

Consider the following protocol; the parameter \(\varepsilon = 1/\mathop {{\text {poly}}}(m,\ln \gamma )\) will be fixed later.

On any input x, define \(d_i = H(\mathcal C_{x,\mu ^i})-H(\mathcal D_{x,\mu ^i})\). The honest prover sends \(\hat{d}_i = d_i\), and every prover has to prove that \(d_i - \varepsilon< \hat{d}_i < d_i + \varepsilon \) (this is possible in AM since H is in \({\mathbb {R}}\)-TFAM). For \(\mu ^i \le f(x)\), \(\hat{d}_i \ge d_i - \varepsilon \ge 1\), hence \({\text {clamp}}(\hat{d}_i) = 1 = {\text {clamp}}(d_i)\). For \(\mu ^i \ge \mu \gamma (x) f(x)\), \(\hat{d}_i \le d_i + \varepsilon \le 0\), hence \({\text {clamp}}(\hat{d}_i) = 0 = {\text {clamp}}(d_i)\). For \(f(x)< \mu ^i < \mu \gamma (x) f(x)\), \(|{\text {clamp}}(\hat{d}_i) - {\text {clamp}}(d_i)| \le |\hat{d}_i-d_i| < \varepsilon \).

[Figure a: the idealized protocol in which, for every index i, the prover sends \(\hat{d}_i\) and proves \(|\hat{d}_i - d_i| < \varepsilon \) in AM, and the verifier outputs \(\hat{g}\) computed from the values \({\text {clamp}}(\hat{d}_i)\).]

Thus

$$\begin{aligned} \begin{aligned} \Bigl |\frac{\ln \hat{g} - \ln g(x)}{\ln \mu }\Bigr |&\le \sum _{i\in {\mathbb {Z}}} \bigl |{\text {clamp}}(\hat{d}_i)-{\text {clamp}}(d_i)\bigr | \\&= \sum _{f(x)< \mu ^i< \mu \gamma (x) f(x)} \bigl |{\text {clamp}}(\hat{d}_i)-{\text {clamp}}(d_i)\bigr | \\&< \lceil \log _{\mu } (\mu \gamma (x))\rceil \varepsilon \\&< \frac{\ln \gamma (x) + 2}{\ln \mu } \varepsilon . \end{aligned} \end{aligned}$$

If \(\varepsilon \) is sufficiently small, \(\hat{g}\) would be close to g(x). To ensure \(|\hat{g} - g(x)| \le \frac{1}{m} g(x)\), it is sufficient to set \(\varepsilon = O(\frac{1}{m(\ln \gamma (x) + 2)})\).

The above “protocol” is not a real protocol, as it requires the prover to send an infinite sequence to the verifier. To compress the proof, the prover needs a succinct interactive proof that \(d_j > 1\) for all \(j\le i_L\) and \(d_j < 0\) for all \(j \ge i_H\), where \(i_L\) and \(i_H\) are the endpoints of the finite window of indices actually sent.

For an index i, if the prover can convince the verifier that \(d_i = H(\mathcal C_{x,\mu ^i})-H(\mathcal D_{x,\mu ^i}) < 2\), the verifier also learns that \(\mu ^i > f(x)\); thus for any \(j \ge i + \lceil \log _\mu \gamma (x) \rceil \), \(\mu ^j > \gamma (x) f(x)\) and \(d_j \le -1\). Similarly, if the prover can convince the verifier that \(d_i = H(\mathcal C_{x,\mu ^i})-H(\mathcal D_{x,\mu ^i}) > -1\), the verifier also knows that \(d_j \ge 2\) for any \(j \le i - \lceil \log _\mu \gamma (x) \rceil \).

Thus the real AM protocol that proves \(\hat{g} \in \bigl ((1-\frac{1}{m})\,g(x),(1+\frac{1}{m})\,g(x)\bigr )\) is the following:

[Figure b: the compressed AM protocol: the prover sends a finite window of indices \([i_L, i_H]\) with \(i_H - i_L = O(\log _\mu \gamma (x))\) together with the estimates \(\hat{d}_i\) for \(i_L \le i \le i_H\), proves each estimate as above, and the endpoint estimates certify \(d_j > 1\) for \(j < i_L\) and \(d_j < 0\) for \(j > i_H\).]

\(\square \)

4 Search SIVP and NP-Hardness

Theorem 4.1

For any factor \(\gamma :{\mathbb {N}}\rightarrow \mathbb R\), if \({\textsf {gapSIVP}}_{\gamma } \in \mathbf{SZK }\) and there exists a probabilistic polynomial-time adaptive reduction from a language L to \({\textsf {SIVP}}_{\sqrt{n \ln n} \cdot \gamma }\), then \({\textsf {L}} \in \mathbf{AM } \cap \mathbf{coAM }\).

The smallest factor \(\gamma \) known to make \({\textsf {gapSIVP}}_{\gamma }\) lie in \(\mathbf{SZK }\) comes from [PV08]: for any factor \(\gamma (n) = \omega (\sqrt{n \log n})\), problem \({\textsf {gapSIVP}}_{\gamma }\) is in SZK.

Corollary 4.2

For any factor \(\gamma (n) = \omega (n \log n)\), if there exists a probabilistic polynomial-time adaptive reduction from a language L to \({\textsf {SIVP}}_{\gamma }\), then \({\textsf {L}} \in \mathbf{AM } \cap \mathbf{coAM }\).

The proof of Theorem 4.1 is the combination of Lemmas 4.3, 4.4 and 4.5. Assume problem \({\textsf {gapSIVP}}_{\gamma }\) is in \(\mathbf{SZK }\) and there is a reduction from language \({\textsf {L}}\) to search problem \({\textsf {SIVP}}_{\sqrt{n \ln n} \cdot \gamma }\). Lemma 4.3 shows that there is another reduction from \({\textsf {L}}\) to the sampling problem \({\textsf {DGS}}_s\) for any s satisfying

$$\begin{aligned} s(\mathbf {B}) \in [\lambda _n(\mathbf {B}), \sqrt{\ln n} \cdot \gamma \lambda _n(\mathbf {B})]. \end{aligned}$$
(3)

Lemma 4.5 shows that there exists a function s satisfying (3) such that the sampling problem \({\textsf {DGS}}_s\) is probability-verifiable. Therefore, there exists a reduction from \({\textsf {L}}\) to a probability-verifiable sampling problem. Finally, Lemma 4.4 shows that such a language \({\textsf {L}}\) must live in \(\mathbf{AM } \cap \mathbf{coAM }\).

Lemma 4.3

Let \(s(\cdot )\) be a function mapping lattice bases to real numbers, such that \(\forall \mathbf {B}, \lambda _n(\mathbf {B}) \le s(\mathbf {B}) \le \frac{\gamma }{\sqrt{n}} \lambda _n(\mathbf {B})\). Then there exists a probabilistic Turing reduction from \({\textsf {SIVP}}_{\gamma }\) to \({\textsf {DGS}}_s\).

Lemma 4.4

If there exists a probabilistic Turing reduction from a promise problem \({\textsf {L}} = ({\textsf {L}}_Y, {\textsf {L}}_N)\) to a probability-verifiable sampling problem, then \({\textsf {L}} \in \mathbf{AM } \cap \mathbf{coAM }\).

Lemma 4.5

For any factor \(\gamma : {\mathbb {N}}\rightarrow \mathbb R\), if \({\textsf {gapSIVP}}_{\gamma (n)/\sqrt{\ln n}} \in \mathbf{SZK }\), then there exists a function \(s(\cdot )\) mapping lattice bases to real numbers, such that \(\forall \mathbf {B}, s(\mathbf {B}) \in [\lambda _n(\mathbf {B}), \gamma (n) \cdot \lambda _n(\mathbf {B})]\) and \({\textsf {DGS}}_s\) is probability-verifiable.

By combining Lemmas 4.4, 4.5 and [PV08], we can also show that discrete Gaussian sampling with width \(\tilde{O}(\sqrt{n})\cdot \lambda _n\) is not NP-hard unless the polynomial hierarchy collapses.

Theorem 4.6

If there exists a probabilistic Turing reduction from a promise problem \({\textsf {L}}\) to \({\textsf {DGS}}_s\) for \(s(\mathbf {B})=\omega (\sqrt{n} \log n) \cdot \lambda _n(\mathbf {B})\), then \({\textsf {L}} \in \mathbf{AM } \cap \mathbf{coAM }\).

4.1 From Search SIVP to Discrete Gaussian Sampling

This section proves Lemma 4.3, which is essentially Lemma 3.17 in Regev’s work [Reg09]. Informally speaking, Regev shows a reduction from \({\textsf {SIVP}}_\gamma \) to \({\textsf {DGS}}_s\) for \(\gamma = \varOmega (\sqrt{n\log n})\); Lemma 4.3 uses a similar technique to construct a reduction from \({\textsf {SIVP}}_\gamma \) to \({\textsf {DGS}}_s\) for \(\gamma = \varOmega (\sqrt{n})\).

The reduction from \({\textsf {SIVP}}_\gamma \) to discrete Gaussian sampling is straightforward: sample \(n^2\) times from the discrete Gaussian distribution of width \(s \in [\lambda _n, \frac{\gamma }{\sqrt{n}} \lambda _n]\). The sampled vectors contain n short, linearly independent vectors with probability exponentially close to 1; a sketch follows.
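
A sketch of this reduction, with the discrete Gaussian oracle left abstract (dgs_oracle is a stand-in for the sampling oracle, not an implementation):

```python
import numpy as np

def sivp_from_dgs(B, dgs_oracle):
    """Reduce SIVP_gamma to discrete Gaussian sampling: draw n^2 samples
    from N_{L(B), s(B)} with lambda_n <= s(B) <= (gamma/sqrt(n))*lambda_n,
    then greedily keep samples that increase the rank. With probability
    exponentially close to 1, every sample has norm <= gamma*lambda_n(B)
    and n linearly independent samples appear among the n^2 draws.
    dgs_oracle(B) is assumed to return one fresh sample (a lattice vector)."""
    n = B.shape[1]
    samples = sorted((dgs_oracle(B) for _ in range(n * n)),
                     key=np.linalg.norm)          # prefer shorter vectors
    chosen = []
    for v in samples:
        if np.linalg.matrix_rank(np.column_stack(chosen + [v])) > len(chosen):
            chosen.append(v)
        if len(chosen) == n:
            return chosen        # n short, linearly independent vectors
    return None                  # fails only with exponentially small probability
```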

In order to prove Lemma 4.3, we show that if \(n^2\) vectors are sampled from the discrete Gaussian \(\mathcal N_{\mathcal L(\mathbf {B}), s(\mathbf {B})}\), each of the following two “bad events” occurs with exponentially small probability.

  • One of the sampled vectors is too long, i.e., its Euclidean norm is larger than \(\gamma \lambda _n(\mathbf {B})\).

  • The sampled vectors do not have full rank.

Lemma 2.2 bounds the probability that an overlong vector is sampled from a discrete Gaussian distribution. Letting the constant c in formula (2) equal 1,

$$\begin{aligned} \Pr _{\mathbf {v}\leftarrow \mathcal N_{\mathcal L(\mathbf {B}), s(\mathbf {B})}} \bigl [ \Vert \mathbf {v}\Vert > \sqrt{n} \cdot s(\mathbf {B}) \bigr ] = \frac{\rho _{s(\mathbf {B})}\bigl (\mathcal L(\mathbf {B}) \setminus s(\mathbf {B})\sqrt{n}\,\mathcal B\bigr )}{\rho _{s(\mathbf {B})}(\mathcal L(\mathbf {B}))} < \bigl (\sqrt{2\pi e} \cdot e^{-\pi }\bigr )^n. \end{aligned}$$

As \(\gamma (n) \cdot \lambda _n(\mathbf {B}) \ge \sqrt{n} \cdot s(\mathbf {B})\),

$$\begin{aligned} \Pr _{\mathbf {v}\leftarrow \mathcal N_{\mathcal L(\mathbf {B}), s(\mathbf {B})}} \bigl [ \Vert \mathbf {v}\Vert > \gamma (n) \cdot \lambda _n(\mathbf {B}) \bigr ] < \bigl (\sqrt{2\pi e} \cdot e^{-\pi }\bigr )^n < 2^{-2n}, \end{aligned}$$

which is exponentially small.

To prove that the \(n^2\) sampled vectors span the whole space, we need a lower bound on the probability that a newly sampled vector is linearly independent of the previous ones. Lemma 4.7 shows such a lower bound, improving [Reg09, Lemma 3.15] by a factor of \(\sqrt{\ln n}\) (the so-called smoothing parameter).

Lemma 4.7

For any n-dimensional lattice \(\mathcal L\), real number \(s \ge \lambda _n(\mathcal L)\) and for any proper linear subspace \(\mathcal V \subsetneq {\mathbb {R}}^n\), the probability \(\Pr _{\mathbf {v}\leftarrow \mathcal N_{\mathcal L, s}} [\mathbf {v}\not \in \mathcal V]\) is at least 1 / 20.

Proof

By the definition of the successive minima, there exists \(\mathbf {u}\in \mathcal L \setminus \mathcal V\) such that \(\Vert \mathbf {u}\Vert \le \lambda _n(\mathcal L)\). Let \(\mathcal L'\) denote \(\mathcal L \cap \mathcal V\). As \(\mathcal L\) is closed under addition, \(\mathcal L' + \mathbf {u}\) and \(\mathcal L' - \mathbf {u}\) are subsets of \(\mathcal L\). Moreover, as \(\mathcal V\) is closed under addition and \(\mathbf {u}\notin \mathcal V\), the sets \(\mathcal L' + \mathbf {u}, \mathcal L', \mathcal L' - \mathbf {u}\) are disjoint.

As \(\Vert \mathbf {u}\Vert \le \lambda _n(\mathcal L) \le s\), for any vector \(\mathbf {v}\),

$$\begin{aligned} \rho _s(\mathbf {v}-\mathbf {u})+\rho _s(\mathbf {v}+\mathbf {u})= & {} e^{-\pi \Vert \mathbf {v}-\mathbf {u}\Vert ^2/s^2} + e^{-\pi \Vert \mathbf {v}+\mathbf {u}\Vert ^2/s^2} \\= & {} (e^{-2\pi \langle \mathbf {u}, \mathbf {v}\rangle /s^2} + e^{2\pi \langle \mathbf {u}, \mathbf {v}\rangle /s^2}) e^{-\pi \Vert \mathbf {u}\Vert ^2/s^2} e^{-\pi \Vert \mathbf {v}\Vert ^2/s^2} \ge 2e^{-\pi } \rho _s(\mathbf {v}). \end{aligned}$$

Thus \(\rho _s(\mathcal L \setminus \mathcal V) \ge \rho _s(\mathcal L' + \mathbf {u}) + \rho _s(\mathcal L' - \mathbf {u}) \ge 2e^{-\pi } \rho _s(\mathcal L') = 2e^{-\pi } \rho _s(\mathcal L \cap \mathcal V)\), and therefore

$$\begin{aligned} \Pr _{\mathbf {v}\leftarrow \mathcal N_{\mathcal L, s}} [\mathbf {v}\not \in \mathcal V] = \frac{\rho _s(\mathcal L \setminus \mathcal V)}{\rho _s(\mathcal L \setminus \mathcal V) + \rho _s(\mathcal L \cap \mathcal V)} \ge \frac{2e^{-\pi }}{2e^{-\pi } + 1} > \frac{1}{20}. \end{aligned}$$

\(\square \)

Assume k vectors have been sampled from \(\mathcal N_{\mathcal L(\mathbf {B}), s(\mathbf {B})}\) and their span has dimension strictly less than n. By Lemma 4.7, the next n sampled vectors contain a vector linearly independent of the first k with probability exponentially close to 1. By a union bound, \(n^2\) samples from \(\mathcal N_{\mathcal L(\mathbf {B}), s(\mathbf {B})}\) contain n linearly independent vectors with probability exponentially close to 1.

4.2 Probability-Verifiable Sampling Problem and NP-hardness

This section proves Lemma 4.4, which is a generalization of [BB15]; the proof techniques are similar.

Let \(\mathcal M\) be the reduction from a promise problem \({\textsf {L}}=({\textsf {L}}_Y,{\textsf {L}}_N)\) to a sampling problem with sampling oracle \(\mathcal S\). For a given input x, we want to distinguish between \(\Pr [\mathcal M^{\mathcal S}(x) \rightarrow 1] \ge 8/9\) and \(\Pr [\mathcal M^{\mathcal S}(x) \rightarrow 1] \le 1/9\) in AM. Notice that the randomness includes the random tape of \(\mathcal M\) and the randomness \(\mathcal S\) uses to answer each query.

A transcript of an execution of \(\mathcal M^{\mathcal S}(x)\) is a tuple \((r,\mathsf {pd}_1,v_1,\mathsf {pd}_2,v_2,\ldots ,\mathsf {pd}_T,v_T)\) consisting of the random tape of \(\mathcal M\), all queries to \(\mathcal S\), and the corresponding answers. The transcript fully determines the execution \(\mathcal M^{\mathcal S}(x)\), and

$$\begin{aligned} \begin{aligned} \Pr [\mathcal M^{\mathcal S}(x) \rightarrow 1]&=\!\! \sum _{\begin{array}{c} \text {transcript }(r,\mathsf {pd}_1,v_1,\mathsf {pd}_2,v_2,\ldots ,\mathsf {pd}_T,v_T)\\ \text {determines an execution where }\mathcal M^{\mathcal S}(x) \rightarrow 1 \end{array}} \Pr [ (r,\mathsf {pd}_1,v_1,\mathsf {pd}_2,v_2,\ldots ,\mathsf {pd}_T,v_T) ] \\&= \sum _{\begin{array}{c} \text {transcript }(r,\mathsf {pd}_1,v_1,\mathsf {pd}_2,v_2,\ldots ,\mathsf {pd}_T,v_T)\\ \text {determines an execution where }\mathcal M^{\mathcal S}(x) \rightarrow 1 \end{array}} \Pr [ r ] \prod _{t=1}^T \mathcal P_{\mathsf {pd}_t}(v_t). \end{aligned} \end{aligned}$$

In the proof, we construct an AM protocol that estimates this sum.

Proof of Lemma 4.4. It suffices to show that \({\textsf {L}} = ({\textsf {L}}_Y,{\textsf {L}}_N) \in \mathbf{AM }\); the same argument then shows \(\bar{{\textsf {L}}} = ({\textsf {L}}_N, {\textsf {L}}_Y) \in \mathbf{AM }\), which implies \({\textsf {L}} \in \mathbf{coAM }\).

L can be efficiently reduced to a probability-verifiable sampling problem. Let \(\mathcal S\) denote the corresponding sampling oracle. The reduction is a probabilistic polynomial-time oracle algorithm \(\mathcal M\) such that

$$\begin{aligned} \begin{aligned} x \in {\textsf {L}}_Y&\implies \Pr [\mathcal M^{\mathcal S}(x) \rightarrow 1] \ge \frac{8}{9}, \\ x \in {\textsf {L}}_N&\implies \Pr [\mathcal M^{\mathcal S}(x) \rightarrow 1] \le \frac{1}{9}. \end{aligned} \end{aligned}$$
(4)

The probability is over the random tape of \(\mathcal M\) and the randomness used by \(\mathcal S\). Without loss of generality, assume there exists \(T = \mathop {{\text {poly}}}(n)\) such that \(\mathcal M\) uses T bits of randomness and makes T queries on any input \(x\in \{0,1\}^n\).

Define a transcript of an execution \(\mathcal M^{\mathcal S}(x)\) as a tuple \((r,\mathsf {pd}_1,v_1, \mathsf {pd}_2,v_2, \ldots , \mathsf {pd}_T,v_T)\) where \(r\in \{0,1\}^T\) is the random tape of \(\mathcal M\), \(\mathsf {pd}_t\) is the t-th query to sampling oracle \(\mathcal S\) and \(v_t\) is the t-th sample returned by \(\mathcal S\). The length of each \(v_t\) is bounded by some polynomial in n; let \(\ell (n)\) be a polynomial upper bound on \(|v_t|\).

Note that the input, the random tape and the oracle’s answers fully determine the reduction: given the input and random tape, the reduction’s first query is predictable; given the input, random tape and the oracle’s previous answers, the reduction’s next query is predictable. Therefore, we define a transcript \(\sigma = (r,\mathsf {pd}_1,v_1, \mathsf {pd}_2,v_2, \ldots , \mathsf {pd}_T,v_T)\) to be valid if it is potentially a transcript of an execution \(\mathcal M^{\mathcal S}(x)\), i.e. if for all \(1\le t\le T\), \(\mathsf {pd}_t\) would be the t-th query in execution \(\mathcal M^{\mathcal S}(x)\) when r is the random tape and \(v_1,\ldots ,v_{t-1}\) are the oracle’s previous answers. By this definition, \(\sigma \) being a valid transcript does not imply that each \(v_t\) has non-zero probability under distribution \(\mathcal P_{\mathsf {pd}_t}\). Let C(x) denote the set of all valid transcripts of \(\mathcal M^{\mathcal S}(x)\).

The transcript also determines the output of the reduction. Define a transcript \(\sigma \) to be accepting if \(\sigma \) is valid and the corresponding execution \(\mathcal M^{\mathcal S}(x)\) outputs 1. Let \(C_1(x)\) denote the set of all accepting transcripts of \(\mathcal M^{\mathcal S}(x)\).

Let \(P_x(\sigma )\) denote the probability that \(\sigma \) is the transcript of \(\mathcal M^{\mathcal S}(x)\) when the random tape is uniformly chosen and \(\mathcal S\) is an ideal sampling oracle. Then, by the chain rule,

$$\begin{aligned} P_x(\sigma ) = \frac{1}{2^T} \prod _{t=1}^T \mathcal P_{\mathsf {pd}_t}(v_t) \end{aligned}$$

for any valid transcript \(\sigma = (r,\mathsf {pd}_1,v_1, \mathsf {pd}_2,v_2, \ldots , \mathsf {pd}_T,v_T)\). For any input x, we have \(C_1(x) \subseteq C(x)\) and

$$\begin{aligned} \sum _{\sigma \in C(x)} P_x(\sigma )&= 1,&\sum _{\sigma \in C_1(x)} P_x(\sigma )&= \Pr [\mathcal M^{\mathcal S}(x) \rightarrow 1] \end{aligned}$$

by the definition of valid/accepting transcripts. Thus, by condition (4), to distinguish between \(x \in {\textsf {L}}_Y\) and \(x \in {\textsf {L}}_N\), it suffices to distinguish between \(\sum _{\sigma \in C_1(x)} P_x(\sigma ) \ge 8/9\) and \(\sum _{\sigma \in C_1(x)} P_x(\sigma ) \le 1/9\).

Define D(x) as the set of all tuples \((\sigma , k)\) such that \(\sigma = (r,\mathsf {pd}_1,v_1, \mathsf {pd}_2,v_2, \ldots , \mathsf {pd}_T,v_T) \in C_1(x)\) and k is an integer such that

$$\begin{aligned} 1 \le k \le K \cdot P_x(\sigma ) = K \cdot \frac{1}{2^T} \prod _{t=1}^T \mathcal P_{\mathsf {pd}_t}(v_t) \end{aligned}$$

where \(K = 10 \cdot 2^{T} \cdot 2^{T(\ell +1)}\). Then the size of D(x) is roughly \(K \cdot \Pr [\mathcal M^{\mathcal S}(x) \rightarrow 1]\) if K is sufficiently large.

The sampling problem is probability-verifiable. By definition, there exists a family of error functions \(\{\eta _{\mathsf {pd},m}\}\) such that for any \(\mathsf {pd},m\), the error function \(\eta _{\mathsf {pd},m}:\{0,1\}^* \rightarrow [0,+\infty )\) satisfies \(\sum _v \eta _{\mathsf {pd},m}(v) \le 1\), and the promise problem

  • YES instances: \((\mathsf {pd},v,\hat{p},1^m)\) such that \(\hat{p} = \mathcal P_\mathsf {pd}(v)\)

  • NO instances: \((\mathsf {pd},v,\hat{p},1^m)\) such that \(\hat{p} \ge \mathcal P_\mathsf {pd}(v) + \frac{1}{m} \eta _{\mathsf {pd},m}(v)\)

is in AM. Let ProbLowerBound be the corresponding AM protocol.

Let the set \(D'(x)\) consist of all tuples \((\sigma , k)\) such that \(\sigma = (r,\mathsf {pd}_1,v_1, \mathsf {pd}_2,v_2, \ldots , \mathsf {pd}_T,v_T) \in C_1(x)\) and k is an integer such that

$$\begin{aligned} 1 \le k \le K \cdot \frac{1}{2^T} \prod _{t=1}^T \Bigl ( \mathcal P_{\mathsf {pd}_t}(v_t) + \frac{1}{10T} \eta _{\mathsf {pd}_t,10T}(v_t) \Bigr ). \end{aligned}$$

Here \(K = 10 \cdot 2^{T} \cdot 2^{T(\ell +1)}\) as in the definition of D(x). By definition, \(D(x) \subseteq D'(x)\).

Claim. The promise problem

  • YES instances: \((x,\sigma ,k)\) such that \((\sigma ,k) \in D(x)\)

  • NO instances: \((x,\sigma ,k)\) such that \((\sigma ,k) \notin D'(x)\)

is in AM.

Proof

TranscriptChecking is an AM protocol that solves this promise problem.

[Figure c: protocol TranscriptChecking: the verifier checks that \(\sigma \) is a valid accepting transcript; the prover sends estimates \(\hat{p}_1,\ldots ,\hat{p}_T\) of \(\mathcal P_{\mathsf {pd}_1}(v_1),\ldots ,\mathcal P_{\mathsf {pd}_T}(v_T)\), each verified with ProbLowerBound; the verifier accepts if \(k \le K \cdot \frac{1}{2^T} \prod _{t=1}^T \hat{p}_t\).]

For \((\sigma ,k) \in D(x)\), an honest prover can convince the verifier to accept \((x,\sigma ,k)\).

Any prover, even a malicious one, must send \(\hat{p}_t\) such that \(\hat{p}_t \le \mathcal P_{\mathsf {pd}_t}(v_t) + \frac{1}{10T} \eta _{\mathsf {pd}_t,10T}(v_t)\); otherwise the prover will be caught by the ProbLowerBound protocol with overwhelming probability. Thus no prover can make the verifier accept \((x,\sigma ,k)\) with high probability if \((\sigma ,k) \notin D'(x)\). \(\square \)

Claim. The size of D(x) is at least \(\frac{2}{3} K\) if \(x \in {\textsf {L}}_Y\).

Proof

\(x \in {\textsf {L}}_Y\) implies that \(\Pr [\mathcal M^{\mathcal S}(x) \rightarrow 1] \ge \frac{8}{9}\). Thus

$$\begin{aligned} \begin{aligned} |D(x)|&= \sum _{\sigma \in C_1(x)} \lfloor K \cdot P_x(\sigma ) \rfloor \\&\ge \sum _{\sigma \in C_1(x)} (K \cdot P_x(\sigma ) - 1) \\&= K \cdot \sum _{\sigma \in C_1(x)} P_x(\sigma ) - |C_1(x)| \\&\ge K \cdot \Pr [\mathcal M^{\mathcal S}(x) \rightarrow 1] - |C(x)| \\&\ge \frac{8}{9} K - 2^T \cdot 2^{T(\ell +1)} \\&= \frac{8}{9} K - \frac{1}{10} K \\&\ge \frac{2}{3} K \end{aligned} \end{aligned}$$

\(\square \)

Claim. \(D'(x)\) has size at most \(\frac{1}{3} K\) if \(x \in {\textsf {L}}_N\).

Proof

\(x \in {\textsf {L}}_N\) implies that \(\Pr [\mathcal M^{\mathcal S}(x) \rightarrow 1] \le \frac{1}{9}\).

$$\begin{aligned} {\begin{aligned} |D'(x)|&= \sum _{\sigma = (r,\mathsf {pd}_1,v_1, \mathsf {pd}_2,v_2, \ldots , \mathsf {pd}_T,v_T)\in C_1(x)} \Bigl \lfloor K \cdot \frac{1}{2^T} \prod _{t=1}^T \Bigl ( \mathcal P_{\mathsf {pd}_t}(v_t) + \frac{1}{10T} \eta _{\mathsf {pd}_t,10T}(v_t) \Bigr ) \Bigr \rfloor \\&\le K \cdot \sum _{\sigma = (r,\mathsf {pd}_1,v_1, \mathsf {pd}_2,v_2, \ldots , \mathsf {pd}_T,v_T)\in C_1(x)} \frac{1}{2^T} \prod _{t=1}^T \Bigl ( \mathcal P_{\mathsf {pd}_t}(v_t) + \frac{1}{10T} \eta _{\mathsf {pd}_t,10T}(v_t) \Bigr ) \\&= K \cdot \sum _{\sigma = (r,\mathsf {pd}_1,\ldots ,v_T)\in C_1(x)} \biggl ( \frac{1}{2^T} \prod _{t=1}^T \Bigl ( \mathcal P_{\mathsf {pd}_t}(v_t) + \frac{1}{10T} \eta _{\mathsf {pd}_t,10T}(v_t) \Bigr ) - \frac{1}{2^T} \prod _{t=1}^T \mathcal P_{\mathsf {pd}_t}(v_t) \biggr ) \\&\quad + K \cdot \sum _{\sigma = (r,\mathsf {pd}_1,v_1, \mathsf {pd}_2,v_2, \ldots , \mathsf {pd}_T,v_T)\in C_1(x)} \frac{1}{2^T} \prod _{t=1}^T \mathcal P_{\mathsf {pd}_t}(v_t) \\&\le K \cdot \sum _{\sigma = (r,\mathsf {pd}_1, \ldots ,v_T)\in C(x)} \biggl ( \frac{1}{2^T} \prod _{t=1}^T \Bigl ( \mathcal P_{\mathsf {pd}_t}(v_t) + \frac{1}{10T} \eta _{\mathsf {pd}_t,10T}(v_t) \Bigr ) - \frac{1}{2^T} \prod _{t=1}^T \mathcal P_{\mathsf {pd}_t}(v_t) \biggr ) \\&\quad + K \cdot \Pr [\mathcal M^{\mathcal S}(x) \rightarrow 1] \\&\le (e^{1/10}-1)K + \frac{1}{9} K \\&\le \frac{1}{3} K. \end{aligned}}\end{aligned}$$

The second-to-last inequality relies on the following bound:

$$\begin{aligned} \begin{aligned}&\sum _{\sigma = (r,\mathsf {pd}_1,v_1, \ldots , \mathsf {pd}_T,v_T)\in C(x)} \Biggl ( \frac{1}{2^T} \prod _{t=1}^T \Bigl ( \mathcal P_{\mathsf {pd}_t}(v_t) + \frac{1}{10T} \eta _{\mathsf {pd}_t,10T}(v_t) \Bigr ) \Biggr ) \\&\quad ={} \sum _{\begin{array}{c} (r,\mathsf {pd}_1,v_1, \ldots , \mathsf {pd}_{T-1},v_{T-1},\mathsf {pd}_T) \\ \exists v_T~ (r,\mathsf {pd}_1,v_1, \ldots , \mathsf {pd}_T,v_T)\in C(x) \end{array}} \begin{aligned} \Biggl ( \frac{1}{2^T} \prod _{t=1}^{T-1} \Bigl ( \mathcal P_{\mathsf {pd}_t}(v_t) + \frac{1}{10T} \eta _{\mathsf {pd}_t,10T}(v_t) \Bigr ) \cdot \qquad&\\ \sum _{v} \Bigl ( \mathcal P_{\mathsf {pd}_T}(v) + \frac{1}{10T} \eta _{\mathsf {pd}_T,10T}(v) \Bigr ) \Biggr )&\end{aligned}\\&\quad \le {} \sum _{\begin{array}{c} (r,\mathsf {pd}_1,v_1, \ldots , \mathsf {pd}_{T-1},v_{T-1}) \\ \exists \mathsf {pd}_T,v_T~ (r,\mathsf {pd}_1, \ldots , v_T)\in C(x) \end{array}} \Biggl ( \frac{1}{2^T} \prod _{t=1}^{T-1} \Bigl ( \mathcal P_{\mathsf {pd}_t}(v_t) + \frac{1}{10T} \eta _{\mathsf {pd}_t,10T}(v_t) \Bigr ) \Bigl ( 1 + \frac{1}{10T} \Bigr ) \Biggr ) \\&\quad \vdots \\&\quad \le {} \sum _{r\in \{0,1\}^T} \frac{1}{2^T}\Bigl ( 1 + \frac{1}{10T} \Bigr )^T \\&\quad \le {} \Bigl ( 1 + \frac{1}{10T} \Bigr )^T\\&\quad \le {} e^{1/10}. \end{aligned} \end{aligned}$$

\(\square \)

Combining the claims above, \({\textsf {L}}\) can be reduced to the following promise problem

  • YES instances: x such that \(|D'(x)| \ge |D(x)| \ge \frac{2}{3}K\);

  • NO instances: x such that \(|D(x)| \le |D'(x)| \le \frac{1}{3}K\).

This promise problem can be solved in AM using the set lower bound protocol of Goldwasser and Sipser [GS86]. Thus \({\textsf {L}} \in \mathbf{AM }\).

4.3 \({\textsf {DGS}}_s\) is Probability-Verifiable

By Lemma 3.1, for any approximation factor \(\gamma \), if \({\textsf {gapSIVP}}_{\gamma /\mu } \in \mathbf{SZK }\) for some constant \(\mu > 1\), there exists a function g mapping lattice bases to real numbers such that g is in \({\mathbb {R}}_\eta \)-TFAM and \(\lambda _n(\mathbf {B}) \le g(\mathbf {B}) < \gamma (n) \lambda _n(\mathbf {B})\).

For any basis \(\mathbf {B}\) and lattice point \(\mathbf {v}\in \mathcal L(\mathbf {B})\), as \(g \in {\mathbb {R}}_\eta -\mathbf{TFAM }\), the verifier can force the prover to provide a sufficiently accurate estimation of \(g(\mathbf {B})\), denoted by \(\hat{g}\). As \(\hat{g} \approx g(\mathbf {B}) \ge \lambda _n(\mathbf {B})\), the verifier can ask the prover to provide a set of linearly independent vectors \({\mathbf W} = (\mathbf {w}_1,\ldots ,\mathbf {w}_n)\) such that \(\Vert {\mathbf W}\Vert \le \hat{g}\). Here the length of a vector set, e.g. \(\Vert \mathbf W\Vert \), is defined as the length of the longest vector in the set.

Given such a short independent vector set \({\mathbf W}\), there exists an efficient algorithm that samples from the discrete Gaussian distribution \(\mathcal N_{\mathcal L(\mathbf {B}), \hat{s}}\) with \(\hat{s} = \varTheta (\sqrt{\log n}) \cdot \hat{g}\) [BLP+13, GPV08]; a simplified sketch is given below. Moreover, the verifier can estimate the probability that \(\mathbf {v}\) is sampled from \(\mathcal N_{\mathcal L(\mathbf {B}), \hat{s}}\) using the set lower bound protocol.
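
For concreteness, here is a simplified Klein/GPV-style sampler in the spirit of [GPV08]. The algorithm the proof actually invokes is the refinement of [BLP+13], which needs only a short independent set; this sketch instead assumes the short vectors form a basis, and its 1-D subroutine is illustration-quality rejection sampling:

```python
import math
import random

import numpy as np

def sample_z(c, s):
    """1-D discrete Gaussian over Z with center c and width s, by rejection
    from a truncated window (good enough for illustration)."""
    lo, hi = int(math.floor(c - 10 * s)), int(math.ceil(c + 10 * s))
    while True:
        z = random.randint(lo, hi)
        if random.random() < math.exp(-math.pi * (z - c) ** 2 / s ** 2):
            return z

def gram_schmidt(B):
    """Gram-Schmidt orthogonalization of the columns of B (no normalization)."""
    Bt = B.astype(float).copy()
    for i in range(B.shape[1]):
        for j in range(i):
            Bt[:, i] -= (Bt[:, i] @ Bt[:, j]) / (Bt[:, j] @ Bt[:, j]) * Bt[:, j]
    return Bt

def klein_sampler(B, s):
    """Klein/GPV-style sampler: the output distribution is statistically
    close to N_{L(B),s} once s exceeds the largest Gram-Schmidt norm by an
    omega(sqrt(log n)) factor [GPV08]. Coefficients are sampled back to
    front, shifting the center after each choice."""
    n = B.shape[1]
    Bt = gram_schmidt(B)
    c = np.zeros(B.shape[0])      # running center, starts at the origin
    v = np.zeros(B.shape[0])
    for i in range(n - 1, -1, -1):
        ci = (c @ Bt[:, i]) / (Bt[:, i] @ Bt[:, i])
        z = sample_z(ci, s / np.linalg.norm(Bt[:, i]))
        c -= z * B[:, i]
        v += z * B[:, i]
    return v                      # a lattice vector in L(B)

B = np.array([[2.0, 1.0], [0.0, 3.0]])
print(klein_sampler(B, s=6.0))
```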

Let \(s(\mathbf {B}) = \varTheta (\sqrt{\log n}) \cdot g(\mathbf {B})\), then \(\hat{s}\) is a good estimation of \(s(\mathbf {B})\). If the bias between \(\hat{s}\) and \(s(\mathbf {B})\) is sufficiently small, one could expect \(\Pr [\mathbf {v}\leftarrow \mathcal N_{\mathcal L(\mathbf {B}), \hat{s}}] \approx \Pr [\mathbf {v}\leftarrow \mathcal N_{\mathcal L(\mathbf {B}), s(\mathbf {B})}]\).

Proof (Lemma 4.5)

By Lemma 3.1, for sufficiently large n, \({\textsf {gapSIVP}}_{\gamma (n)/\sqrt{\ln n}} \in \mathbf{SZK }\) implies the existence of a function g mapping lattice bases to real numbers such that g is in \({\mathbb {R}}_\eta \)-TFAM and \(g(\mathbf {B}) \in [\lambda _n(\mathbf {B}),\gamma (n)/\sqrt{\ln (2n+4)/\pi } \cdot \lambda _n(\mathbf {B})]\). Here any \(n \ge 2\) is sufficiently large, as \(n \ge 2\) already implies \(\frac{\gamma (n)/\sqrt{\ln (2n+4)/\pi }}{\gamma (n)/\sqrt{\ln n}} \ge 1.01\).

Define \(s(\mathbf {B}) = \sqrt{\ln (2n+4)/\pi } \cdot g(\mathbf {B})\), thus for sufficiently large n

$$\begin{aligned} \lambda _n(\mathbf {B}) \le \sqrt{\ln (2n+4)/\pi }\cdot \lambda _n(\mathbf {B}) \le s(\mathbf {B}) < \gamma (n) \lambda _n(\mathbf {B}). \end{aligned}$$

Given any basis \(\mathbf {B}\), vector \(\mathbf {v}\in \mathcal L(\mathbf {B})\) and precision parameter m, the verifier can learn a good estimation of \(g(\mathbf {B})\), denoted by \(\hat{g}\). As \(g(\mathbf {B}) \ge \lambda _n(\mathbf {B})\), the verifier can ask the prover to provide a set of linearly independent vectors of \(\mathcal L(\mathbf {B})\), denoted by \(\mathbf W\), such that \(\Vert \mathbf W\Vert \le \hat{g}\).

Given a set of linearly independent vectors \({\mathbf W}\) such that \(\Vert \mathbf W\Vert \le \hat{g}\), there is an efficient algorithm which samples from the discrete Gaussian \(\mathcal N_{\mathcal L(\mathbf {B}),\sqrt{\ln (2n+4)/\pi } \cdot \hat{g}}\) [BLP+13]. Let \(\mathcal S\) denote this sampling algorithm, and let \(\hat{s} = \sqrt{\ln (2n+4)/\pi } \cdot \hat{g}\); then \(\hat{s}\) is a good approximation of \(s(\mathbf {B})\). Let r be the random tape of the sampling algorithm \(\mathcal S\); then

$$\begin{aligned} \Pr [\mathbf {v}\leftarrow \mathcal N_{\mathcal L(\mathbf {B}),\hat{s}}] = \frac{|\{r:\mathcal S(\mathbf {B},{\mathbf W},\hat{s})\text { outputs }\mathbf {v}\text { when }r\text { is the random input tape}\}|}{2^{|r|}}. \end{aligned}$$

We could use the set lower bound protocol to lower bound this probability \(\Pr [\mathbf {v}\leftarrow \mathcal N_{\mathcal L(\mathbf {B}),\hat{s}}]\). Thus the promise problem

  • YES instances: \(({\mathbf W},\mathbf {v},\hat{s}, \hat{p},1^m)\) such that \(\mathbf {v}\in \mathcal L\), \(\Vert \tilde{\mathbf W}\Vert \le \frac{\hat{s}}{\sqrt{\ln (2n+4)/\pi }}\), \(\hat{p} = \Pr [\mathbf {v}\leftarrow \mathcal N_{\mathcal L(\mathbf {B}),\hat{s}}]\)

  • NO instances: \(({\mathbf W},\mathbf {v},\hat{s}, \hat{p},1^m)\) such that \(\hat{p} \ge (1+\frac{1}{m}) \Pr [\mathbf {v}\leftarrow \mathcal N_{\mathcal L(\mathbf {B}),\hat{s}}]\)

is in AM, as it can be solved by protocol ProbLowerBound.

[Figure d: protocol ProbLowerBound for \({\textsf {DGS}}_s\): the prover sends \(\hat{g}\), verified using \(g \in {\mathbb {R}}_\eta \)-TFAM, together with a short independent set \({\mathbf W}\) with \(\Vert {\mathbf W}\Vert \le \hat{g}\); the probability \(\Pr [\mathbf {v}\leftarrow \mathcal N_{\mathcal L(\mathbf {B}),\hat{s}}]\) is then lower bounded by applying the set lower bound protocol to the random tapes of the sampler \(\mathcal S\).]

To prove that \({\textsf {DGS}}_s\) is probability-verifiable, it is sufficient to show that ProbLowerBound is an AM protocol that estimates the probability \(\Pr [\mathbf {v}\leftarrow \mathcal N_{\mathcal L(\mathbf {B}),\hat{s}}]\) with high accuracy. The estimation error of ProbLowerBound has two sources: (a) the inaccuracy of the set lower bound protocol, which introduces an \(O(\frac{1}{m})\) multiplicative error; and (b) the inaccuracy when estimating \(s(\mathbf {B})\), say \(|\hat{s} - s(\mathbf {B})| \le \delta \cdot s(\mathbf {B})\) for \(\delta = O(\frac{1}{mn})\). Let \(\eta _{\mathbf {B}}(\mathbf {v})\) be the estimation error; it satisfies

$$\begin{aligned} \mathcal N_{\mathbf {B},s(\mathbf {B})}(\mathbf {v}) + \eta _{\mathbf {B}}(\mathbf {v}) \le \Bigl (1+\frac{1}{2m}\Bigr ) \max _{|\hat{s}-s(\mathbf {B})| \le \delta \cdot s(\mathbf {B})} \mathcal N_{\mathbf {B},\hat{s}}(\mathbf {v}) \end{aligned}$$
(5)

To complete the proof, it is sufficient to show that \(\sum _{\mathbf {v}\in \mathcal L(\mathbf {B})}\eta _{\mathbf {B}}(\mathbf {v}) = O(\frac{1}{m})\). By summing (5) over \(\mathbf {v}\in \mathcal L(\mathbf {B})\),

$$\begin{aligned} 1 + \sum _{\mathbf {v}\in \mathcal L(\mathbf {B})}\eta _{\mathbf {B}}(\mathbf {v}) \le \Bigl (1+\frac{1}{2m}\Bigr ) \sum _{\mathbf {v}\in \mathcal L(\mathbf {B})} \max _{|\hat{s}-s(\mathbf {B})| \le \delta \cdot s(\mathbf {B})} \mathcal N_{\mathbf {B},\hat{s}}(\mathbf {v}). \end{aligned}$$

Thus it is sufficient to show

$$\begin{aligned} \sum _{\mathbf {v}\in \mathcal L(\mathbf {B})} \max _{|\hat{s}-s(\mathbf {B})| \le \delta \cdot s(\mathbf {B})} \mathcal N_{\mathbf {B},\hat{s}}(\mathbf {v}) \le 1 + O(\frac{1}{m}). \end{aligned}$$
(6)

This is proved as follows:

$$\begin{aligned} \begin{aligned} \sum _{\mathbf {v}\in \mathcal L(\mathbf {B})} \max _{|\hat{s}-s(\mathbf {B})| \le \delta \cdot s(\mathbf {B})} \mathcal N_{\mathbf {B},\hat{s}}(\mathbf {v})&= \sum _{\mathbf {v}\in \mathcal L(\mathbf {B})} \max _{|\hat{s}-s(\mathbf {B})| \le \delta \cdot s(\mathbf {B})} \frac{ \rho _{\hat{s}}(\mathbf {v}) }{ \rho _{\hat{s}}(\mathcal L(\mathbf {B})) } \\&\le \sum _{\mathbf {v}\in \mathcal L(\mathbf {B})} \frac{ \max _{|\hat{s}-s(\mathbf {B})| \le \delta \cdot s(\mathbf {B})} \rho _{\hat{s}}(\mathbf {v}) }{ \min _{|\hat{s}-s(\mathbf {B})| \le \delta \cdot s(\mathbf {B})} \rho _{\hat{s}}(\mathcal L(\mathbf {B})) } \\&\le \frac{ \rho _{(1+\delta ) s}(\mathcal L(\mathbf {B})) }{ \rho _{(1-\delta ) s}(\mathcal L(\mathbf {B})) } \\&\le \Bigl (\frac{1+\delta }{1-\delta }\Bigr )^n \\&\le 1 + O\Bigl (\frac{1}{m}\Bigr ), \end{aligned} \end{aligned}$$
(7)

The second-to-last inequality is due to Lemma 2.1, and the last holds for \(\delta = O(\frac{1}{mn})\). \(\square \)