SVP in Hard to Approximate to
within some constant
Based on Article by Daniele Micciancio - 1998
IEEE Symposium on Foundations of Computer Science (FOCS ‘98)
Overview
SVP
 app. alg.
1+1/n
1
CVP
2
O(1)
O(logn)
n1/loglogn
nO(1)
NP-hard to approximate
2loglogn

2n/2
 app. alg.
Approximate SVP & CVP
GapSVPg (B,d) B is a Lattice base in Rn, dR
– Yes Instances
zZn\{0} || Bz ||  d
– No Instances
zZn\{0} || Bz || > gd
We actually want to prove:
GapSVP2 is NP-Hard
GapCVPg (B,y,d) BZkxn , yRk, dR
•Yes Instances
zZn || Bz - y||  d
•No Instances
zZn || Bz - y|| > gd
Modified CVP

GapCVPg (B,y,d) BZkxn , yRk, dR
– Yes Instances
z{0,1}n
|| Bz - y||  d
– No Instances
zZn, wZn\{0}
|| Bz - wy|| > gd
GapCVP and GapCVP’ were proven NP-Hard
[Babai97]
We show a reduction
GapCVPc (B,y,d)
c= 2/)

GapSVPg (V,t)
g= 2(1+2)
t= 1+2
Sauer’s Lemma

There is a probabilistic ploy-time algorithm which creates>0, for
input 1k (input size k) the following:
Lattice
logP1
logP2
LR(m+1)xm
Vector s R(m+1)
L
0

Matrix C Zkxm

yZn, B Znxk
s.t. with probability arbitrarily close to 1
2
logP1


0 0 -s
logPm
logPm
Bnxk ° Ckxm
CVP lattice
>2
-
zZm || Lz||
-
x{0,1}m, zZm s.t. Cz=x and ||Lz-s||>1+
-b
-y
m+1xm+1
Sauer’s Lemma(visualization)
Copied from Micc98 article.
Proving GapSVP NP-hardness
(B,y,d) and c= (2/)

(V,t) and g=(2/1+2) t=(2/1+2)
 =/d
logP1
logP2
1. (B,y,d) is Yes Instance
 a s.t.
||Va||2
a=[z 1]Zm+1
t2
<
(for some z Zm)
||Va||2 = ||Lz-s||2 + 2||Bx-y||2

1+

/d2d2
 1+2  = t2
V=
0

/d
=
logP1


0 0
logPm
logPm
Bnxk ° Ckxm
b
-y
Proving GapSVP NP-hardness (cont)
(B,y,d) and c= (2/)

(V,t) and g= (2/1+2)
2. (B,y,d) is No Instance
a=[z w] zZm ||Va||2 > g2t2 = 2
I. w=0 without CVP help
z
!! z  0
0
II. w0 with CVP help
||Va||2 > 2||Bz-wy||2
 2c2d2 = 2
2/
logP1
/d
=
w]

logP1
logP2
||Va||2 > ||Lz||2 > 2
/d2
[


0 0
logPm
logPm
Bnxk ° Ckxm
b
-y