Paper 2016/906

On Basing Search SIVP on NP-Hardness

Tianren Liu

Abstract

The possibility of basing cryptography on the minimal assumption NP$⊈$BPP is at the very heart of complexity-theoretic cryptography. The closest we have gotten so far is lattice-based cryptography whose average-case security is based on the worst-case hardness of approximate shortest vector problems on integer lattices. The state-of-the-art is the construction of a one-way function (and collision-resistant hash function) based on the hardness of the $\tilde{O}(n)$-approximate shortest independent vector problem ${\text{SIVP}}_{\tilde{O}(n)}$. Although SIVP is NP-hard in its exact version, Guruswami et al (CCC 2004) showed that $$ is in NP$$coAM and thus unlikely to be NP-hard. Indeed, any language that can be reduced to $$ (under general probabilistic polynomial-time adaptive reductions) is in AM$$coAM by the results of Peikert and Vaikuntanathan (CRYPTO 2008) and Mahmoody and Xiao (CCC 2010). However, none of these results apply to reductions to search problems, still leaving open a ray of hope: can NP be reduced to solving search SIVP with approximation factor $$? We eliminate such possibility, by showing that any language that can be reduced to solving search $$ with any approximation factor $$ lies in AM intersect coAM. As a side product, we show that any language that can be reduced to discrete Gaussian sampling with parameter $$ lies in AM intersect coAM.

Note: The intro is rewritten for eurocrypt