On the Quantitative Hardness of CVP
Huck Bennett, Alexander Golovnev, Noah Stephens-Davidowitz

TL;DR
This paper establishes strong conditional lower bounds on the time complexity of solving the Closest Vector Problem (CVP) in various $oldsymbol{ extit{l}_p}$ norms, showing it cannot be done in subexponential time unless widely believed complexity hypotheses fail.
Contribution
It proves SETH-based hardness for $ ext{CVP}_p$ for odd $p eq 2$, extending to almost all $p eq 2$, and provides related hardness results for $ ext{SVP}_ ext{infinity}$ and approximation problems.
Findings
$ ext{CVP}_p$ cannot be solved in $2^{(1- ext{eps})n}$ time for odd $p eq 2$ unless SETH fails.
Hardness results extend to almost all $p eq 2$, approaching the Euclidean case.
Additional hardness results for $ ext{SVP}_ ext{infinity}$ and approximation variants under different hypotheses.
Abstract
For odd integers (and ), we show that the Closest Vector Problem in the norm () over rank lattices cannot be solved in time for any constant unless the Strong Exponential Time Hypothesis (SETH) fails. We then extend this result to "almost all" values of , not including the even integers. This comes tantalizingly close to settling the quantitative time complexity of the important special case of (i.e., in the Euclidean norm), for which a -time algorithm is known. In particular, our result applies for any that approaches as .…
Click any figure to enlarge with its caption.
Figure 1
Figure 2| Problem | Upper Bound | Lower Bounds | Notes | |||
| SETH | Max--SAT | ETH | Gap-ETH | |||
| () | * | “almost all” | ||||
| — | * | |||||
| / | * | — | * | |||
| () | — | — | ||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
On the Quantitative Hardness of CVP
Huck Bennett
[email protected] Courant Institute of Mathematical Sciences, New York University.
Alexander Golovnev
[email protected] Yahoo Research.Part of this work was done while the author was at Courant Institute of Mathematical Sciences, and was supported by the National Science Foundation under Grant No. CCF-1320188. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation.
Noah Stephens-Davidowitz11footnotemark: 1
[email protected] Supported by the National Science Foundation (NSF) under Grant No. CCF-1320188, and the Defense Advanced Research Projects Agency (DARPA) and Army Research Office (ARO) under Contract No. W911NF-15-C-0236.
Abstract
For odd integers (and ), we show that the Closest Vector Problem in the norm () over rank lattices cannot be solved in time for any constant unless the Strong Exponential Time Hypothesis (SETH) fails. We then extend this result to “almost all” values of , not including the even integers. This comes tantalizingly close to settling the quantitative time complexity of the important special case of (i.e., in the Euclidean norm), for which a -time algorithm is known. In particular, our result applies for any that approaches as .
We also show a similar SETH-hardness result for ; hardness of approximating to within some constant factor under the so-called Gap-ETH assumption; and other quantitative hardness results for and for any under different assumptions.
1 Introduction
A lattice is the set of all integer combinations of linearly independent basis vectors ,
[TABLE]
We call the rank of the lattice and the dimension or the ambient dimension.
The two most important computational problems on lattices are the Shortest Vector Problem () and the Closest Vector Problem (). Given a basis for a lattice , asks us to compute the minimal length of a non-zero vector in , and asks us to compute the distance from some target point to the lattice. Typically, we define length and distance in terms of the norm for some , given by
[TABLE]
for finite and
[TABLE]
In particular, the norm is the familiar Euclidean norm, and it is by far the best studied in this context. We write and for the respective problems in the norm. is known to be at least as hard as (in any norm, under an efficient reduction that preserves the rank and approximation factor) [GMSS99] and appears to be strictly harder.
Starting with the breakthrough work of Lenstra, Lenstra, and Lovász in 1982 [LLL82], algorithms for solving these problems in both their exact and approximate forms have found innumerable applications, including factoring polynomials over the rationals [LLL82], integer programming [Len83, Kan87, DPV11], cryptanalysis [Sha84, Odl90, JS98, NS01], etc. More recently, many cryptographic primitives have been constructed whose security is based on the worst-case hardness of these or closely related lattice problems [Ajt04, Reg09, GPV08, Pei08, Pei16]. Given the obvious importance of these problems, their complexity is quite well studied. Below, we survey some of these results. We focus on algorithms for the exact and near-exact problems since these are most relevant to our work and because the best known algorithms for the approximate variants of these problems typically use algorithms for the exact problems as subroutines [Sch87, GN08, MW16]. (Many of the results described below are also summarized in Table 1.)
1.1 Algorithms for SVP and CVP
The AKS algorithm and its descendants.
The current fastest known algorithms for solving all use the celebrated randomized sieving technique due to Ajtai, Kumar, and Sivakumar [AKS01]. The original algorithm from [AKS01] was the first -time algorithm for , and it worked for both and .
In the case, a sequence of works improved upon the constant in the exponent [NV08, PS09, MV10, LWXZ11], and the current fastest running time of an algorithm that provably solves exactly is [ADRS15].111The algorithm in [ADRS15] is quite a bit different than the other algorithms in this class, but it can still be thought of as a sieving algorithm. While progress has slowed, this seems unlikely to be the end of the story. Indeed, there are heuristic sieving algorithms that run in time [NV08, WLTB11, Laa15, BDGL16], and there is some reason to believe that the provably correct [ADRS15] algorithm can be improved. In particular, there is a provably correct -time algorithm that approximates up to a small constant approximation factor [ADRS15].
A different line of work extended the randomized sieving approach of [AKS01] to obtain -time algorithms for in additional norms. In particular, Blömer and Naewe extended it to all norms [BN09]. Subsequent work extended this further, first to arbitrary symmetric norms [AJ08] and then to the “near-symmetric norms” that arise in integer programming [Dad12].
Finally, a third line of work extended the [AKS01] approach to approximate . Ajtai, Kumar, and Sivakumar themselves showed a -time algorithm for approximating to within any constant approximation factor strictly greater than one [AKS02]. Blömer and Naewe obtained the same result for all norms [BN09], and Dadush extended it further to arbitrary symmetric norms and again to “near-symmetric norms” [Dad12]. We stress, however, that none of these results apply to exact , and indeed, there are some barriers to extending these algorithms to exact . (See, e.g., [ADS15].)
Exact algorithms for .
Exact appears to be a much more subtle problem than exact .222In particular, there can be arbitrarily many lattice points that are approximate closest vectors, which makes sieving techniques seemingly useless for solving exact . (See, e.g., [ADS15] for a discussion of this issue.) We note, however, that hardness results (including ours) tend to produce instances with a bounded number of approximate closest vectors (e.g., . Indeed, progress on exact has been much slower than the progress on exact . Over a decade after [AKS01], Micciancio and Voulgaris presented the first -time algorithm for exact [MV13], using elegant new techniques built upon the approach of Sommer, Feder, and Shalvi [SFS09]. Specifically, they achieved a running time of , and subsequent work even showed a running time of for with Preprocessing (in which the algorithm is allowed access to arbitrary advice that depends on the lattice but not the target vector; see Section 2.1) [BD15]. Later, [ADS15] showed a -time algorithm for , so that the current best known asymptotic running time is actually the same for and .
However, for , progress for exact has been minimal. Indeed, the fastest known algorithms for exact with are still the -time enumeration algorithms first developed by Kannan in 1987 [Kan87, DPV11, MW15]. Both algorithms for exact mentioned in the previous paragraph use many special properties of the norm, and it seems that substantial new ideas would be required to extend them to arbitrary norms.
1.2 Hardness of SVP and CVP
Van Emde Boas showed the NP-hardness of for any and in 1981 [vEB81]. Extending this to for finite was a major open problem until it was proven (via a randomized reduction) for all by Ajtai in 1998 [Ajt98]. There has since been much follow-up work, showing the hardness of these problems for progressively larger approximation factors, culminating in NP-hardness of approximating up to a factor of for some constant [ABSS93, DKRS03] and hardness of with the same approximation factor under plausible complexity-theoretic assumptions [CN98, Mic01b, Kho05, HR12]. These results are nearly the best possible under plausible assumptions, since approximating either problem up to a factor of is known to be in [GG00, AR05, Pei08].
However, such results only rule out the possibility of polynomial-time algorithms (under reasonable complexity-theoretic assumptions). They say very little about the quantitative hardness of these problems for a fixed lattice rank .333 One can derive certain quantitative hardness results from known hardness proofs, but in most cases the resulting lower bounds are quite weak. The only true quantitative hardness results known prior to this work were a folklore ETH-hardness result for and an unpublished result due to Samuel Yeom, showing that cannot be solved in time under plausible complexity-theoretic assumptions [Vai15]. (In Section 6.2, we present a similar proof of a stronger statement.)
This state of affairs is quite frustrating for two reasons. First, in the specific case of , algorithmic progress has reached an apparent barrier. In particular, both known techniques for solving exact in singly exponential time are fundamentally unable to produce algorithms whose running time is asymptotically better than the current best of [MV13, ADS15].444 Both techniques require short vectors in each of the cosets of mod (though for apparently different reasons).
Second, some lattice-based cryptographic constructions are close to deployment [ADPS16, BCD*+*16, NIS16]. In order to be practically secure, these constructions require the quantitative hardness of certain lattice problems, and so their designers rely on quantitative hardness assumptions [APS15]. If, for example, there existed a -time algorithm for or , then these cryptographic schemes would be insecure in practice.
We therefore move in a different direction. Rather than trying to extend non-quantitative hardness results to larger approximation factors, we show quantitative hardness results for exact (or nearly exact) problems. To do this, we use the tools of fine-grained complexity.
1.3 Fine-grained complexity
Impagliazzo and Paturi [IP99] introduced the Exponential Time Hypothesis (ETH) and the Strong Exponential Time Hypothesis (SETH) to help understand the precise hardness of -SAT. Informally, ETH asserts that -SAT takes -time to solve in the worst case, and SETH asserts that -SAT takes essentially -time to solve for unbounded . I.e., SETH asserts that brute-force search is essentially optimal for solving -SAT for large .
Recently, the study of fine-grained complexity has leveraged ETH, SETH, and several other assumptions to prove quantitative hardness results about a wide range of problems. These include both problems in (see, e.g., [CLR*+*14, BI15, ABW15] and the survey by Vassilevska Williams [Wil15]), and -hard problems (see, e.g., [PW10, CDL*+*12, CFK*+*15]). Although these results are all conditional, they help to explain why making further algorithmic progress on these problems is difficult—and suggest that it might be impossible. Namely, any non-trivial algorithmic improvement would disprove a very well-studied hypothesis.
One proves quantitative hardness results using fine-grained reductions (see [Wil15] for a formal definition). For example, there is an efficient mapping from -SAT formulas on variables to Hitting Set instances with universes of elements [CDL*+*12]. This reduction is fine-grained in the sense that for any constant , a -time algorithm for Hitting Set implies a -time algorithm for -SAT, breaking SETH.
Despite extensive effort, no faster-than--time algorithm for -SAT with unbounded has been found. Nevertheless, there is no consensus on whether SETH is true or not, and recently, Williams [Wil16] refuted a very strong variant of SETH. This makes it desirable to base quantitative hardness results on weaker assumptions when possible, and indeed our main result holds even assuming a weaker variant of SETH based on the hardness of Weighted Max--SAT (except for the case of ).
1.4 Our contribution
We now enumerate our results. See also Table 1.
SETH-hardness of .
Our main result is the SETH-hardness of for any odd integer and (and ). Formally, we prove the following. (See Sections 3 and 4 for finite and Section 6.3 for .)
Theorem 1.1**.**
For any constant integer and any odd integer or , there is an efficient reduction from -SAT with variables and clauses to (or ) on a lattice of rank (with ambient dimension ).
In particular, there is no -time algorithm for for any odd integer or (or ) and any constant unless SETH is false.
Unfortunately, we are unable to extend this result to even integers , and in particular, to the important special case of . In fact, this is inherent, as we show that our approach necessarily fails for even integers . In spite of this, we actually prove the following result that generalizes Theorem 1.1 to “almost all” (including non-integer ).
Theorem 1.2**.**
For any constant integer , there is an efficient reduction from -SAT with variables and clauses to on a lattice of rank (with ambient dimension ) for any such that
* is an odd integer or ;* 2. 2.
, where is some finite set (containing all even integers ); or 3. 3.
* for any and any that converges to zero as .*
In particular, if SETH holds then for any constant , there is no -time algorithm for for any such that
* is an odd integer or ;* 2. 2.
* for some sufficiently large (depending on ); or* 3. 3.
.
Notice that this lower bound (Theorem 1.2) comes tantalizingly close to resolving the quantitative complexity of . In particular, we obtain a -time lower bound on for any , and the fastest algorithm for run in time . But, formally, Theorems 1.1 and 1.2 say nothing about . (Indeed, there is at least some reason to believe that is easier than for [RR06].)
We note that our reductions actually work for Weighted Max--SAT for all finite , so that our hardness result holds under a weaker assumption than SETH, namely, the corresponding hypothesis for Weighted Max--SAT.
Finally, we note that in the special case of , our reduction works even for approximate , or even approximate , with an approximation factor of . In particular, is constant for fixed . This implies that for every constant , there is a constant such that no -time algorithm approximates or to within a factor of unless SETH fails.
Quantitative hardness of approximate .
As we discussed above, many -time algorithms for only work for -approximate for constant approximation factors . However, the reduction described above only works for exact (except when ).555One can likely show that our “exact” reductions actually work for -approximate with some approximation factor . But, this is not very interesting because standard techniques for “boosting” the approximation factor are useless for us. (They increase the rank far too much.)
So, it would be preferable to show hardness for some constant approximation factor . One way to show such a hardness result is via a fine-grained reduction from the problem of approximating Max--SAT to within a constant factor. Indeed, in the case, we show that such a reduction exists, so that there is no -time algorithm for approximating to within some constant factor unless a -time algorithm exists for approximating Max--SAT. We also note that a -time algorithm for approximating Max--SAT to within a constant factor would imply one for Max--SAT as well. (See Proposition 2.12.)
We present this result informally here (without worrying about specific parameters and the exact definition of approximate Max--SAT). See Section 5 for the formal statement.
Theorem 1.3**.**
There is an efficient reduction from approximating Max--SAT with variables and clauses to within a constant factor to approximating to within a constant factor on a lattice of rank (with ambient dimension ) for any finite .
Quantitative hardness of with Preprocessing.
with Preprocessing () is the variant of in which we are allowed arbitrary advice that depends on the lattice, but not the target vector. and its variants have potential applications in both cryptography (e.g., [GPV08]) and cryptanalysis. And, an algorithm for is used as a subroutine in the celebrated Micciancio-Voulgaris algorithm for [MV13, BD15]. The complexity of is well studied, with both hardness of approximation results [Mic01a, FM04, Reg04, AKKV11, KPV14], and efficient approximation algorithms [AR05, DRS14].
We prove the following quantitative hardness result for . (See Section 6.1.)
Theorem 1.4**.**
For any , there is no -time algorithm for unless there is a (non-uniform) -time algorithm for Max--SAT. In particular, no such algorithm exists unless (non-uniform) ETH fails.
Additional quantitative hardness results for .
We also observe the following weaker hardness result for for any based on different assumptions. The ETH-hardness of was already known in folklore, and even written down by Samuel Yeom in unpublished work [Vai15]. We present a slightly stronger theorem than what was previously known, showing a reduction from Max--SAT on variables to on a lattice of rank . (Prior to this work, we were only aware of reductions from -SAT on variables to on a lattice of rank for some very large constant .)
Theorem 1.5**.**
For any , there is an efficient reduction from Max--SAT with variables to on a lattice of rank (and dimension , where is the number of clauses).
In particular, for any constant , there is no -time algorithm for unless there is a -time algorithm for Max--SAT, and there is no -time algorithm for unless ETH fails.
The fastest known algorithm for the Max--SAT problem is the -time algorithm due to Williams [Wil05], where is the matrix multiplication exponent [Wil12, LG14]. This implies that a faster than -time algorithm for (and in particular) would yield a faster algorithm for Max--SAT. (See, e.g., [Woe08] Open Problem 4.7 and the preceding discussion.)
1.5 Techniques
Max--SAT.
We first show a straightforward reduction from Max--SAT to for any . I.e., we prove Theorem 1.5. This simple reduction will introduce some of the high-level ideas needed for our more difficult reductions.
Given a Max--SAT instance with variables and clauses, we construct the lattice basis
[TABLE]
where is some very large number and is given by
[TABLE]
I.e., the rows of correspond to clauses and the columns correspond to variables. Each entry encodes whether the relevant variable is included in the relevant clause unnegated, negated, or not at all, using , , and [math] respectively. (We assume without loss of generality that no clause contains repeated literals or a literal and its negation simultaneously.) The target is given by
[TABLE]
where
[TABLE]
where is the number of negated variables in the th clause.
Notice that the copy of at the bottom of together with the sequence of ’s in the last coordinates of guarantee that any lattice vector with is at distance at least away from . Furthermore, if , then this distance increases to at least . This is a standard gadget, which will allow us to ignore the case (as long as is large enough). I.e., we can view as an assignment to the variables of .
Now, suppose does not satisfy the th clause. Then, notice that the th coordinate of will be exactly , so that . If, on the other hand, exactly one literal in the th clause is satisfied, then the th coordinate of will be , so that . Finally, if both literals are satisfied, then the th coordinate will be , so that . In particular, if the th clause is not satisfied, then . Otherwise, .
It follows that the distance to the target is exactly , where is the maximal number of satisfied clauses of . So, the distance tells us exactly the maximum number of satisfiable clauses, which is what we needed.
Difficulties extending this to -SAT.
The above reduction relied on one very important fact: that . In particular, a -SAT clause can be satisfied in two different ways; either one variable is satisfied or two variables are satisfied. We designed our instance above so that the th coordinate of is if two literals in the th clause are satisfied by , if one literal is satisfied, and if the clause is unsatisfied. Since , the “contribution” of this th coordinate to the distance is the same for any satisfied clause. Since , the contribution to the th coordinate is larger for unsatisfied clauses than satisfied clauses.
Suppose we tried the same construction for a -SAT instance. I.e., suppose we take to encode the literals in each clause as in Eq. (2) and construct our lattice basis as in Eq. (1) and target as in Eq. (3), perhaps with the number in the definition of replaced by an arbitrary . Then, the th coordinate of would be , where is the number of literals satisfied in the th clause.
No matter how cleverly we choose , some satisfied clauses will contribute more to the distance than others as long as . I.e., there will always be some “imbalance” in this contribution. As a result, we will not be able to distinguish between, e.g., an assignment that satisfies all clauses but has far from for all and an assignment that satisfies fewer clauses but has whenever corresponds to a satisfying clause.
In short, for , we run into trouble because satisfying assignments to a clause may satisfy anywhere between and literals, but distinct numbers obviously cannot all be equidistant from some number . (See Section 6.2 for a simple way to get around this issue by adding to the rank of the lattice. Below, we show a more technical way to do this without adding to the rank of the lattice, which allows us to prove SETH-hardness.)
A solution via isolating parallelepipeds.
To get around the issue described above for , we first observe that, while many distinct numbers cannot all be equidistant from some number , it is trivial to find many distinct vectors in that are equidistant from some vector .
We therefore consider modifying the reduction from above by replacing the scalar values in our matrix with vectors in for some . In particular, for some vectors , we define as
[TABLE]
where we have abused notation and taken to be a column vector in dimensions. By defining appropriately,666In particular, we replace the scalars in Eq. (4) with vectors
where the sum is over such that the th literal in the th clause is negated.
we will get that the “contribution of the th clause to the distance” is exactly for some , where such that if and only if satisfies the th literal of the relevant clause. (See Table 2 for a diagram showing the output of the reduction and Theorem 3.2 for the formal statement.) We stress that, while we have increased the ambient dimension by nearly a factor of , the rank of the lattice is still .
This motivates the introduction of our primary technical tool, which we call isolating parallelepipeds. For , a -isolating parallelepiped is represented by a matrix and a shift vector with the special property that one vertex of the parallelepiped is “isolated.” (Here, is an affine transformation of the hypercube, i.e., a parallelepiped.) In particular, every vertex of the parallelepiped, for has unit length except for the vertex , which is longer, i.e., . (See Figure 1.)
In terms of the reduction above, an isolating parallelepiped is exactly what we need. In particular, if we plug and into the above reduction, then all satisfied clauses (which correspond to non-zero in the above description) will “contribute” to the distance , while unsatisfied clauses (which correspond to ) will contribute for some . Therefore, the total distance will be exactly , where is the number of clauses satisfied by . So, the distance exactly corresponds to the maximal number of satisfied clauses, as needed.
Constructing isolating parallelepipeds.
Of course, in order for the above to be useful, we must show how to construct these -isolating parallelepipeds. Indeed, it is not hard to find constructions for all when , and even for all in the special case when (see Figure 1). Some other fairly nice examples can also be found for small , as shown in Figure 2. For and large , these objects seem to be much harder to find. (In fact, in Section 4.2, we show that there is no -isolating parallelepiped for any even integer .) Our solution is therefore a bit technical.
At a high level, in Section 4, we consider a natural class of parallelepipeds parametrized by some weights and a scalar shift . These parallelepipeds are constructed so that the length of the vertex for depends only on the Hamming weight of and is linear in the for fixed . In other words, there is a matrix such that encodes the value of for each possible Hamming weight of . (See Lemma 4.2.)
We show that, in order to find weights such that and define a -isolating parallelepiped, it suffices to find a such that is invertible. For each odd integer and each , we show an algorithm that finds such a . (See Section 4.1.)
To extend this result to other , we consider the determinant of for fixed and , viewed as a function of . We observe that this function has a rather nice form—it is a Dirichlet polynomial. I.e., for fixed and , the determinant can be written as for some . Such a function has finitely many roots unless it is identically zero. So, we take the value of from above such that, say, is invertible. Since does not have zero determinant, the Dirichlet polynomial corresponding to cannot be identically zero and therefore has finitely many roots. This is how we prove Theorem 1.2. (See Section 4.3.)
Extension to constant-factor approximation.
In order to extend our hardness results to approximate for finite , we can try simply using the same reduction with -SAT replaced by approximate Max--SAT. Unfortunately, this does not quite work. Indeed, it is easy to see that the “identity matrix gadget” that we use to restrict our attention to lattice vectors whose coordinates are in (Eq. (1)) cannot tolerate an approximation factor larger than (for finite ).
However, we observe that when , this identity matrix gadget is actually unnecessary. In particular, even without this gadget, it “never helps” to consider a lattice vector whose coordinates are not all in . It then follows immediately from the analysis above that Gap--SAT reduces to approximate with a constant approximation factor strictly greater than one. We note that we do not know how to extend this result to larger (except when , see Theorem 5.3). We show that the case is sufficient for proving Gap-ETH-hardness (see Proposition 2.12), but we suspect that one can just “remove the identity matrix gadget” from all of our reductions for finite . If this were true, it would show Gap-ETH-hardness of approximation for slightly larger constant approximation factors and imply even stronger hardness results under less common assumptions.
1.6 Open questions
The most important question that we leave open is the extension of our SETH-hardness result to arbitrary . In particular, while our result applies to that approaches asymptotically, it does not apply to the specific case . An extension to would settle the time complexity of up to a factor of (assuming SETH). However, we know that our technique does not work in this case (in that -parallelepipeds do not exist for ), so substantial new ideas might be needed to resolve this issue.
Another direction would be to strengthen our hardness of approximation results in one of two possible directions. First, one could try to increase the approximation factor. (Prior techniques for amplifying the approximation factor increase the rank of the lattice quite a bit, so they do not yield very interesting quantitative hardness results.) Second, one could try to show a reduction from Gap--SAT to approximate for . For , we already have such a reduction, and as we mentioned above, we suspect that we can simply “remove the identity matrix gadget” in our current reduction to achieve this for . But, we do not know how to prove that this works.
Finally, we note that our main reduction constructs lattices of rank , but the ambient dimension can be significantly larger. (Specifically, , where is the number of clauses in the relevant SAT instance, and where the hidden constant depends on and can be very large.) Lattice problems are typically parameterized in terms of the rank of the lattice (and for the norm, one can assume without loss of generality that ), but it is still interesting to ask whether we can reduce the ambient dimension .
Organization
In Section 2, we review some necessary background knowledge. In Section 3, we show how to use a -isolating parallelepiped (for finite ) to reduce any -variable instance of -SAT to a instance with rank , and we show that this immediately gives SETH-hardness for . In Section 4, we show how to construct -isolating parallelepipeds, first for odd integers and then for “almost all” . In Section 5, we show -hardness of approximating up to a constant factor. In Section 6, we prove a number of additional hardness results: ETH- and Max--SAT-hardness of (Section 6.1), ETH- and Max--SAT-hardness of (Section 6.2), and SETH-hardness of and (Section 6.3).
2 Preliminaries
Throughout this paper, we work with lattice problems over for convenience. Formally, we must pick a suitable representation of real numbers and consider both the size of the representation and the efficiency of arithmetic operations in the given representation. But, we omit such details throughout to ease readability.
2.1 Computational lattice problems
Let denote the distance of to . In addition to SVP and CVP, we also consider a variant of CVP called the Closest Vector Problem with Preprocessing (CVPP), which allows arbitrary preprocessing of a lattice.
Definition 2.1**.**
For any and , the -approximate Shortest Vector Problem with respect to the norm (-) is the promise problem defined as follows. Given a lattice (specified by a basis ) and a number , distinguish between a ‘YES’ instance where there exists a non-zero vector such that , and a ‘NO’ instance where for all non-zero .
Definition 2.2**.**
For any and , the -approximate Closest Vector Problem with respect to the norm (-) is the promise problem defined as follows. Given a lattice (specified by a basis ), a target vector , and a number , distinguish between a ‘YES’ instance where , and a ‘NO’ instance where .
When , we refer to the problems simply as and , respectively.
Definition 2.3**.**
The Closest Vector Problem with Preprocessing with respect to the norm ( is the problem of finding a preprocessing function and an algorithm which work as follows. Given a lattice (specified by a basis ), outputs a new description of . Given , a target vector , and a number , decides whether .
When we measure the running time of a algorithm, we only count the running time of , and not of the preprocessing algorithm .
2.2 Satisfiability problems and the Max-Cut problem
A -SAT formula on Boolean variables and clauses is a conjunction of clauses , where the literals denote a variable or its negation . The goal is to decide whether there exists an assignment to the variables of such that all clauses have at least one “true” literal, i.e., so that all clauses are satisfied.
The value of a -SAT formula , denoted , is the maximum fraction of clauses satisfied by an assignment to .
Definition 2.4**.**
Given a -SAT formula and constants , the -Gap--SAT problem is the promise problem defined as follows. The goal is to distinguish between a ‘YES’ instance in which , and a ‘NO’ instance in which .
Definition 2.5**.**
Given a -SAT formula with clauses , a clause weight function , and a weight threshold , the Weighted Max--SAT problem is to decide whether there exists an assignment to the variables of such that \sum_{\textrm{C_{i}\boldsymbol{a}}}w(C_{i})\geq W.
Definition 2.6**.**
Given an undirected graph , an edge weight function , and a weight threshold , the Weighted Max-CUT problem is defined as follows. The goal is to decide whether can be partitioned into sets and such that .
There exists a folklore reduction from an instance of Weighted Max-Cut on a graph with vertices to an instance of Weighted Max 2-SAT on a formula with variables. See, e.g., [GHNR03].
2.3 Exponential Time Hypotheses
Impagliazzo and Paturi [IP99] introduced the following two hypotheses (ETH and SETH), which are now widely used to study the quantitative hardness of computational problems.
Definition 2.7**.**
The Exponential Time Hypothesis (ETH) is the hypothesis defined as follows. For every there exists a constant such that no algorithm solves -SAT formulas with variables in -time. In particular, there is no -time algorithm for 3-SAT.
Definition 2.8**.**
The Strong Exponential Time Hypothesis (SETH) is the hypothesis defined as follows. For every constant there exists such that no algorithm solves -SAT formulas with variables in -time.
An important tool in the study of the exact complexity of -SAT is the Sparisification Lemma of Impagliazzo, Paturi, and Zane [IPZ01] which roughly says that any -SAT formula can be replaced with formulas each with clauses for some .
Proposition 2.9** (Sparsification Lemma, [IPZ01]).**
For every and there exists a constant such that any -SAT formula with variables can be expressed as where and each is a -SAT formula with at most clauses. Moreover, this disjunction can be computed in -time.
In this paper we also consider the W-Max-SAT-SETH hypothesis, which corresponds to SETH but with Weighted Max--SAT in place of -SAT. Our main result only relies on this weaker variant of SETH, and is therefore more robust.
Dinur [Din16] and Manurangsi and Raghavendra [MR17] recently introduced a “gap” version of ETH, which asserts that Gap--SAT takes -time.
Definition 2.10**.**
The (randomized) Gap-Exponential Time Hypothesis ((randomized) Gap-ETH) is the hypothesis that there exist constants and such that no (randomized) algorithm solves -Gap--SAT instances with variables in -time.
As Dinur [Din16] notes, one can sparsify a Gap-SAT instance simply by sampling clauses. Therefore, we can assume (almost) without loss of generality that Gap-ETH applies only to formulas with clauses. The caveat is that the sampling is randomized, so finding a -time algorithm for sparse Gap--SAT only implies a randomized -time algorithm for general Gap--SAT.
We give a variant of Dinur’s sampling argument in Proposition 2.11. The idea is to show that both the total number of sampled clauses and the number of sampled clauses that are satisfied by any given assignment are highly concentrated around their expectation by using the Chernoff bound, and then to take a union bound over the bad events where these quantities deviate substantially from their expectation.
We will use the following multiplicative Chernoff bounds (see, e.g., [HP]). Let be independent identically distributed Bernoulli random variables with expectation , so that the expectation of is . Then:
[TABLE]
[TABLE]
Proposition 2.11** (Sparsification for Gap-SAT).**
For any , there is a polynomial-time randomized reduction from a -Gap--SAT instance with variables and clauses to a -Gap--SAT instance with variables and clauses.
Proof.
Let be the formula obtained by sampling each clause of independently with probability , where is fixed so that . Clearly, if then as well. We analyze the case where .
In expectation has clauses. Furthermore, because , in expectation any fixed assignment will satisfy fewer than clauses of . Therefore by Equation (6),
[TABLE]
Furthermore, by Equation (7), we have that for each fixed assignment ,
[TABLE]
By applying Equations (8) and (9), and taking a union bound we get that the probability that has at least clauses and that no assignment to satisfies more than clauses is at least . Therefore,
[TABLE]
with high probability. ∎
Additionally, we will use a reduction of Garey et al. [GJS76] from -SAT to Max--SAT which also works as a reduction from Gap--SAT to Gap--SAT. The reduction works by outputting ten - and -clauses for each -clause in the original formula. Any assignment which satisfies the original clause corresponds to an assignment which satisfies of the output clauses, and any assignment which does not satisfy the original clause corresponds to an assignment which satisfies of the output clauses.
Proposition 2.12** ([GJS76, Theorem 1.1]).**
For every , there is a polynomial-time reduction from every instance of -Gap--SAT with variables and clauses to an instance of -Gap--SAT with variables and clauses.
3 SETH-hardness from isolating parallelepipeds
We start by giving a reduction from instances of weighted Max--SAT on formulas with variables to instances of with rank for all that uses a certain geometric object, which we define next. Let and denote the all 1s and all 0s vectors of length respectively, and let denote the identity matrix.
Definition 3.1**.**
For any and integer , we say that and define a -isolating parallelepiped if and for all .
In order to give the reduction, we first introduce some notation related to SAT. Let be a -SAT formula on variables and clauses . Let denote the index of the variable underlying a literal . I.e., if or . Call a literal positive if and negative if for some variable . Given a clause , let and let denote the indices of positive and negative literals in respectively. Given an assignment to the variables of , let denote the indices of literals in satisfied by . I.e., . Finally, let denote the number of clauses of satisfied by the assignment , i.e., the number of clauses for which .
Theorem 3.2**.**
If there exists a computable -isolating parallelepiped for some and integer , then there exists a polynomial-time reduction from any (weighted-)Max--SAT instance with variables to a instance of rank .
Proof.
For simplicity, we give a reduction from unweighted Max--SAT, and afterwards sketch how to modify our reduction to handle the weighted case as well. Namely, we give a reduction from any Max--SAT instance to an instance of . Here, the formula is on variables and clauses . is a ‘YES’ instance if there exists an assignment such that .
By assumption, there exist computable , , and such that for some and for all .
We define the output instance as follows. Let . The basis and target vector in the output instance have the form
[TABLE]
with blocks and for and . Note that is the maximum possible contribution of the clauses to when is a ‘YES’ instance. For every and , set the th column of block (corresponding to the clause ) as
[TABLE]
and set . Set .
Clearly, the reduction runs in polynomial time. We next analyze for which it holds that . Given ,
[TABLE]
so we only need to analyze the case when . Consider an assignment to the variables of . Then,
[TABLE]
By assumption, the last quantity is equal to if , and is equal to otherwise. Because if and only if is satisfied, it follows that
[TABLE]
Therefore, if and only if , and therefore there exists such that if and only if is a ‘YES’ instance of Max--SAT, as needed.
To extend this to a reduction from weighted Max--SAT to , simply multiply each block and the corresponding target vector by , where denotes the weight of the clause . Then, by adjusting to depend on the weights we obtain the desire reduction. ∎
Because the rank of the output instance matches the number of variables in the input SAT formula, we immediately get the following corollary.
Corollary 3.3**.**
For any efficiently computable if there exists a computable -isolating parallelepiped for infinitely many , then, for every constant there is no -time algorithm for assuming W-Max-SAT-SETH. In particular there is no -time algorithm for assuming SETH.
It is easy to construct a (degenerate) family of isolating parallelepipeds for , and therefore we get hardness of as a simple corollary. (See Figure 1.)
Corollary 3.4**.**
For every constant there is no -time algorithm for assuming W-Max-SAT-SETH, and in particular there is no -time algorithm for assuming SETH.
Proof.
Let , let with , and let . Then, for every , and . The result follows by Corollary 3.3. ∎
4 Finding isolating parallelepipeds
We now show how to find a -isolating parallelepiped given by and as in Definition 3.1. We will first show a general strategy for trying to find such an object for any and integer . In Section 4.1, we will show how to successfully implement this strategy in the case when is an odd integer. In Section 4.2, we show that -isolating parallelepipeds do not exist for even integers . Finally, in Section 4.3 we show how to mostly get around this issue in order to find -isolating parallelepipeds for “almost all” .
It will actually be convenient to find a slightly different object that “works with instead of .” We observe below that this suffices.
Lemma 4.1**.**
There is an efficient algorithm that takes as input a matrix and vector such that for any and and outputs a matrix and vector that form a -isolating parallelepiped.
Proof.
Define and . Now consider the affine transformation defined by , which maps to and to . Then, for and , we have
[TABLE]
as needed. ∎
Intuitively, a “reasonable” matrix should act symmetrically on bit strings. I.e., if have the same number of positive entries, then should be a permutation of . This implies that any row of must be accompanied by all possible permutations of this row. If we further require that each row in is for some and , then we arrive at a very general construction that is still possible to analyze.
For weights , we define as follows. The rows of are indexed by the strings , and row is , where
[TABLE]
is the number of positive entries in . For a shift , we set such that the coordinate of corresponding to is . (Figure 2 is an example of this construction. In particular, it shows with , and and with , where we have omitted the last row, whose weight is zero.)
In what follows, we will use the binomial coefficient extensively, and we adopt the convention that if or or .
Lemma 4.2**.**
For any , weights , and shift ,
[TABLE]
where and as above.
In other words, depends only on , and if is the vector such that for all with , then
[TABLE]
where is given by
[TABLE]
Proof.
We have
[TABLE]
Notice that depends only on how many of the negative entries of align with the positive entries of . In particular,
[TABLE]
as needed. ∎
Lemma 4.3**.**
For any , the matrix defined in Eq. (10) is stochastic. I.e., for some . Furthermore, .
Proof.
We rearrange the sum corresponding to the th entry of , setting to obtain
[TABLE]
Finally, we recall Vandermonde’s identity, which says that
[TABLE]
Therefore, the summation does not depend on (and is clearly positive), as needed. ∎
Lemma 4.3 tells us that for any , for some . We wish to show that, for some , we can find such that for some , where . In order to do this, it suffices to show that is invertible. Then, we can take
[TABLE]
If , then the must be non-negative. We make this formal in the next proposition.
Proposition 4.4**.**
There is an efficient algorithm that takes as input any , an integer , and such that , where is defined as in Eq. (10) and outputs and that define a -isolating parallelepiped.
Proof.
By Lemma 4.1, it suffices to construct a matrix that works for . The algorithm behaves as follows on input and and . By Lemma 4.3, for some . Since we are promised that , we see that is invertible. The algorithm therefore sets
[TABLE]
where is chosen to be small enough such that the are all non-negative. Finally, it outputs and as defined above.
To prove correctness, we note that and have the desired property. Indeed, it follows from the definition of in Lemma 4.2 that is the th coordinate of , where . But, by Eq. (11), we see that the th coordinate of is if and is otherwise, as needed. ∎
4.1 Finishing the proof for odd integer
We now handle the case when is an odd integer. Notice that, if is an integer, then is some piecewise combination of polynomials of degree at most in . In particular, it is a polynomial in if we restrict our attention to the interval . We wish to argue that this is not the zero polynomial when is odd. To prove this, it suffices to show that the coefficient of is non-zero, which we do below by studying a matrix whose determinant is this coefficient (when is odd).
We first show an easy claim concerning matrices that can be written as sums of the identity plus a certain kind of rank-one matrix.
Claim 4.5**.**
For any matrix with constant columns given by for some and any ,
[TABLE]
Proof.
Notice that is a rank-one stochastic matrix with one non-zero eigenvalue given by . Therefore, the characteristic polynomial of is , as needed. ∎
Lemma 4.6**.**
For an integer and an odd integer , the function , where is defined as in Eq. (10), is a polynomial of degree at most when restricted to the interval . Furthermore, the coefficient of of this polynomial is exactly .
In particular, is a non-zero polynomial of degree on the interval for .
Proof.
For any , the matrix is given by
[TABLE]
where if and otherwise. (Here, we have used the fact that is only non-zero when . Therefore, , so that unless .)
The coefficient of in the polynomial is therefore given by , where is defined as
[TABLE]
where we have again applied Vandermonde’s identity. Notice that the first term is non-zero if and only if , in which case it is equal to . In other words, , where . The result then follows from Claim 4.5. ∎
Corollary 4.7**.**
There is an efficient algorithm that takes as input an integer and odd integer and outputs such that , with defined as in Eq. (10).
Proof.
The algorithm works as follows. It chooses distinct points arbitrarily. (E.g., it chooses .) For each , it computes . It outputs the first such that the determinant is non-zero.
We claim that for at least one index . Indeed, by Lemma 4.6, is a non-zero polynomial of degree . The result then follows from the fact that such a polynomial can have at most roots. ∎
Theorem 1.1 for finite now follows immediately from Theorems 3.2 together with Proposition 4.4, and Corollary 4.7.
4.2 Limitations of the approach
In the previous section, we showed that for every odd and every integer , there exists a -isolating parallelepiped. This allowed us to conclude that is SETH-hard for odd values of . Now, we show that this approach necessarily fails for even . Namely, we show that for every even , there is no -isolating parallelepiped for any .777When , it is possible to construct -isolating parallelepiped for even . See, e.g., Figure 1. For simplicity, we show this for , but a straightforward generalization works for all even .
Lemma 4.8**.**
For any integer and vectors , we have
[TABLE]
Proof.
We have
[TABLE]
where the penultimate equality uses the fact that
[TABLE]
for . ∎
Corollary 4.9**.**
There is no -isolating parallelepiped for any integer .
Proof.
Assume and form a -isolating parallelepiped. For any , by the definition of an isolating parallelepiped. Thus, applying Lemma 4.8, we have
[TABLE]
which contradicts the assumption that and form an isolating parallelepiped. ∎
4.3 Extending our result to almost all
We now wish to extend Theorem 1.1 to arbitrary . Unfortunately, we know that we cannot do this for all , since we showed in Section 4.2 that no such construction is possible when is an even integer. However, we show a construction that works for “almost all values of .” In particular, for any fixed , the construction works for all but finitely many choices of . We also observe that this implies that, for every fixed , there is an such that the construction works for every or . In particular, for any non-zero , the construction works for for sufficiently large integers .
In Section 4.1, we observed that the function is a piecewise polynomial when is an integer. This is what allowed us to analyze this case relatively easily (in both Section 4.1 and in Section 4.2). For non-integer , the function is much less nice. So, instead of holding fixed and varying , we will be interested in studying the function for fixed and . We first observe that this function has a fairly nice structure.
Lemma 4.10**.**
For any , integer , and , let
[TABLE]
where is as defined in Eq. (10). Then, for fixed , is a Dirichlet polynomial. I.e., there are some real numbers (depending on and ) such that
[TABLE]
for some finite .
Proof.
To see that is a Dirichlet polynomial for fixed , it suffices to note that (1) each entry of is a Dirichlet polynomial; (2) the determinant of a matrix can be written as a polynomial in the coordinates; and (3) a polynomial of Dirichlet polynomials is itself a Dirichlet polynomial. ∎
Corollary 4.11**.**
There is an efficient algorithm that takes as input and any and either fails or outputs and that define a -isolating parallelepiped. Furthermore, for any fixed , the algorithm only fails for finitely many choices of .
Proof.
By Corollary 4.7, for any , we can find a such that, say, , where is defined as in Eq. (12). Clearly, is non-zero as a function of for these values of . Furthermore, by Lemma 4.10, is a Dirichlet polynomial. The result follows by the fact that any non-zero Dirichlet polynomial has finitely many roots (see, e.g., Theorem 3.1 in [Jam06]). ∎
Theorem 4.12**.**
There is an efficient algorithm that takes as input an integer and any and either fails or outputs and that define a -isolating parallelepiped. Furthermore, for any fixed , the algorithm only fails on finitely many values of .888As we observed in Section 4.2, the set of failure points necessarily includes all even integers .
Proof.
The result follows immediately from Proposition 4.4 and Corollary 4.11. ∎
Item 2 of Theorem 1.2 now follows immediately from Theorem 3.2 and Theorem 4.12.
We now provide what amounts to a different interpretation of the above.
Lemma 4.13**.**
There is an efficient algorithm that takes as input any and an integer and outputs a value such that and are non-zero for sufficiently small , where is as defined in Eq. (12).
Proof.
The algorithm simply calls the procedure from Corollary 4.7 with, say, and outputs the result. I.e., it suffices to choose any such that . As in the proof of Corollary 4.11, we observe that the function is zero on a finite set of values . The result then follows by taking if is non-empty, and for any otherwise.
∎
Finally, we derive the main theorem of this section.
Theorem 4.14**.**
For any efficiently computable that converges to zero as and , there is an efficient algorithm that takes as input an integer and sufficiently large positive integer and outputs a matrix and vector that define a -isolating parallelepiped.
Proof.
The result follows immediately from Proposition 4.4 and Lemma 4.13. In particular, the algorithm runs the procedure from Lemma 4.13, receiving as output some such that is non-zero for sufficiently small . In particular, if is sufficiently large, then will be non-zero. The result then follows from Proposition 4.4. ∎
Item 3 of Theorem 1.2 now follows from Theorem 3.2 and Theorem 4.14.
5 Gap-ETH-based Hardness of Approximation
In this section we prove Gap-ETH-based hardness of approximation for for every . We also show a stronger hardness of approximation result for . (In Section 6.3, we additionally show a stronger result for .) The main idea behind our proof is to use the reduction from Max--SAT to described in Section 1.5 without the “identity matrix gadget” that we used to force any closest vector to be a 0-1 combination of basis vectors. We will show that this is permissible because the resulting CVP instance always has a 0-1 combination of basis vectors that is at least as close to the target as any other lattice vector.
Theorem 5.1**.**
For every and every , there is a polynomial-time reduction from any -Gap--SAT instance with variables to an instance of - of rank , where
[TABLE]
In particular, when , the corresponding approximation factor is .
Proof.
Given a -Gap--SAT instance with variables and clauses , we construct a instance for some fixed as follows. Let be the basis defined by
[TABLE]
Let be the target vector defined by , and let .
We claim that there is always a 0-1 combination of basis vectors which is a closest vector to . Assuming this claim, we analyze only for without loss of generality, while deferring the proof of the claim until the end.
Let be an assignment to the variables of . For every ,
[TABLE]
The last expression is equal to if satisfies (i.e. if ) and if not. We therefore have
[TABLE]
Therefore, if then there exists such that , and if , then for every , it holds that . It follows that the reduction achieves the claimed approximation factor of .
It remains to prove the claim that there is always a 0-1 combination of basis vectors which is a closest vector to . We show this by demonstrating that for every there exists such that . Given , let denote the vector whose th coordinate is set to 1 if and is set to 0 otherwise.
Fix and , and refer to Equation (14). If satisfies then . On the other hand, if does not satisify , then for all and for all so that and therefore . Combining these cases it follows that for all and , , and therefore , proving the claim. ∎
Corollary 5.2**.**
For every and , there is no -time algorithm for - with
[TABLE]
unless randomized Gap-ETH (with respect to -Gap--SAT) fails.
Proof.
Concatenate the reductions described in Proposition 2.11, Proposition 2.12, and Theorem 5.1.999Note that the Gap-2-SAT instance output by Proposition 2.12 contains -clauses as well as -clauses. We therefore stress that the reduction described in Theorem 5.1 works for this case as well. ∎
5.1 A stronger result for
In Theorem 5.1 we showed that there was no need to use the identity matrix gadget in our reduction from Gap--SAT to . An interesting question is whether the identity matrix gadget is also unnecessary in our reduction in Theorem 3.2 from Gap--SAT to using -isolating parallelepipeds. If so, then we get stronger “Gap-SETH-hardness” for for all for which there exist -isolating parallelepipeds for infinitely many .
Although we do not know how to show this in general, we are able to get stronger hardness of approximation for in this way by using the family of -isolating parallelepipeds described in Corollary 3.4. The analysis is similar to the analysis in Theorem 5.1. In particular, a 0-1 combination of basis vectors will always be at least as close to the target vector as any other lattice vector will.
Theorem 5.3**.**
For every , there is a polynomial-time reduction from any -Gap--SAT instance with variables to an instance of - of rank , where
[TABLE]
Proof.
Given a -Gap--SAT instance with variables and clauses , we construct a instance as follows. The basis and target vector in the output instance have the form
[TABLE]
with blocks and for . For every and , set the th column of block (corresponding to the clause ) as
[TABLE]
and set . Set .
We claim that there is always a 0-1 combination of basis vectors that is closest to . Assuming the claim, we analyze only for without loss of generality, while deferring the proof of the claim until the end.
Let be an assignment to the variables of . For every ,
[TABLE]
The last expression is equal to if satisfies (i.e. if ) and if not. We therefore have
[TABLE]
Therefore, if then there exists such that , and if then for every , it holds that . It follows that the reduction achieves the claimed approximation factor of .
It remains to prove the claim that there is always a 0-1 combination of basis vectors that is a closest vector to . We show this by demonstrating that for every there exists such that . Given , let denote the vector whose coordinate is set to if and is set to [math] otherwise.
Note that for all , and for all . Fix and , and refer to Equation (15). If satisfies then . On the other hand, if does not satisfy , then for all and for all so that . Combining these cases it follows that for all and , , and therefore , proving the claim.
∎
6 Additional hardness results
In this section we prove a number of additional results about the quantitative hardness of and related problems. In Section 6.1, we give a reduction from Max--SAT to for all , proving Theorem 1.4. In Section 6.2, we give a reduction from Max--SAT (and in particular Max--SAT) to for all , proving Theorem 1.5. Finally, in Section 6.3 we give a reduction from -SAT to and , proving the special case of Theorem 1.1 for .
Our reductions all use the same high-level idea as the reduction given in Theorem 3.2, but each uses new ideas as well. Throughout this section we adopt the notation from Section 3.
6.1 Hardness of
In this section, we prove ETH-hardness of . To do this, for every , we construct a single lattice of rank , such that for every -variable instance of Max--SAT, there exists an efficiently computable that is close to the lattice if and only if is satisfiable. Clearly, any efficient algorithm for on this lattice would imply a similarly efficient algorithm for Max--SAT (and also -SAT, as described below).
Our basis for will encode all possible clauses of a Max--SAT instance on variables, together with a gadget that will allow us to “switch on or off” each clause by only changing the coordinates of the target vector . (This gadget costs us a quadratic blow-up in the lattice rank.) Then, given an instance of Max--SAT, we define the target vector such that it “switches on” all clauses from and “switches off” all the remaining clauses.
Lemma 6.1**.**
For every , there is a pair of polynomial-time algorithms (in analogy to the definition of ) that behave as follows.
On input an integer , outputs a basis of a rank lattice , where and . 2. 2.
On input a Max--SAT instance with variables, outputs a target vector and a distance bound such that if and only if the input is a ‘YES’ instance.
Proof.
Let be the total possible number of -clauses on variables, and let denote those clauses.
The algorithm constructs the basis , where , as
[TABLE]
with rows of satisfying and for , and where . For every and , set the th coordinate of (corresponding to the clause ) as
[TABLE]
For every , set , i.e., set .
Given an instance of Max--SAT with clauses, the algorithm outputs
[TABLE]
and defined as
[TABLE]
where for , , and if the clause appears in the formula and otherwise.
Clearly both algorithms are efficient. We now analyze for which we have . Note that the vector has exactly coordinates equal to zero, and coordinates equal to . Given , we have
[TABLE]
Furthermore, if has a non-zero coordinate (for ) at a position corresponding to a in (i.e., ), then again . So, we can restrict our attention to with whenever .
Consider an assignment to the variables of . Take , and set . Then, for ,
[TABLE]
If , then there exists , such that . Moreover, the choice of does not affect for . If and for , then . On the other hand, if and , then implies .
Because if and only if is satisfied, we see that the following holds if and only if the number of satisfied clauses is at least :
There exists a such that, setting , we have
[TABLE]
Therefore, there exists with if and only if is a ‘YES’ instance of Max--SAT. ∎
Proof of Theorem 1.4.
The main statement follows from Lemma 6.1. The “in particular” part follows from Lemma 6.1 and the existence of a reduction from -SAT with variables clauses to (many) Max--SAT instances with variables. Indeed, such a reduction follows by applying the Sparsification Lemma (Proposition 2.9), and then reducing each sparse -SAT instance to a Max--SAT instance with only a linear blow-up in the number of variables (see, e.g., the reduction in [GJS76, Theorem 1.1]). ∎
6.2 ETH- and Max--SAT-hardness for all
Theorem 6.2**.**
For every and there is a polynomial-time reduction from any (Weighted-)Max--SAT instance with variables and clauses to a instance of rank .
Proof.
For simplicity we give a reduction from unweighted Max--SAT. The modification sketched for reducing from Weighted Max--SAT in Theorem 3.2 works here as well. Namely, we give a reduction from a Max--SAT instance to an instance of . Here the formula is on variables and clauses . is a ‘YES’ instance if there exists an assignment such that . We assume without loss of generality that each variable appears at most once per clause. We define the output instance as follows. Let and let . The basis in the output instance has the form
[TABLE]
with rows of satisfying and for , and where . For every and , set the th coordinate of (corresponding to the clause ) as
[TABLE]
For every , set . I.e., each has a block of s of length , and , are coordinate-wise disjoint for . For every set . Finally, set .
We next analyze for which it holds that . Given , , so we only need to analyze the case when .
Consider an assignment to the variables of , take with for , and set . Then, for ,
[TABLE]
It follows that if then . On the other hand, if , then there exists such that . Indeed, picking any with Hamming weight or achieves this. Moreover, the choice of does not affect for .
Because if and only if is satisfied, we see that the following holds if and only if the number of satisfied clauses is at least :
There exists a such that, setting , we have
[TABLE]
Therefore, there exists such that if and only if is a ‘YES’ instance of Max--SAT. ∎
We remark that a straightforward modification of the preceding reduction gives a reduction from an instance of Max--SAT with on variables and clauses to a instance of rank (as opposed to rank ). The idea is to encode the value (corresponding to the row-specific blocks used in the reduction) in binary rather than unary.
Corollary 6.3**.**
For every there is no -time algorithm for assuming ETH.
Proof.
The claim follows by combining the Sparsification Lemma (Proposition 2.9) with the reduction in Theorem 6.2.101010As a technical point, we must reduce from -SAT rather than Max--SAT to show hardness under ETH because the Sparsification Lemma works for -SAT. ∎
When , the rank of the instance output by the reduction in Theorem 6.2 is . Therefore, we get the following corollary.
Corollary 6.4**.**
If there exists a -time (resp. -time and polynomial space) algorithm for for any and for any constant , then there exists a -time (resp. -time and polynomial space) algorithm for (Weighted-)Max-2-SAT and (Weighted-)Max-Cut.
6.3 The hardness of and
Theorem 6.5**.**
There is a polynomial-time reduction from a -SAT instance with variables to a instance of rank .
Proof.
We give a reduction from a -SAT formula with variables and clauses to an instance of . We assume without loss of generality that each variable appears at most once per clause. We define the output instance as follows. Let . The basis in the output instance has the form
[TABLE]
with rows of satisfying for . For every , set as in the proof of Theorem 6.2 and set . Set .
We next analyze for which it holds that . Given , , so we only need to analyze the case when . Consider an assignment to the variables of . Then
[TABLE]
It follows that if then , and otherwise . Because if and only if is satisfied, we then have that if satisfies , and otherwise. Therefore there exists such that if and only if is satisfiable. ∎
Lemma 6.6**.**
There is a polynomial-time reduction from a -SAT instance with variables to an instance of rank .
Proof.
We give a reduction from a -SAT formula with variables and clauses to an instance of . Define the basis as
[TABLE]
where and are as defined in the proof of Theorem 6.5, and set . We consider for which it holds that . It is not hard to check that if for some , or if the signs of and differ for some , then . Therefore we need only consider of the form where . But for such a we have that , and if and only if is a satisfying assignment to by the analysis in the proof of Theorem 6.5. ∎
Corollary 6.7**.**
For any constant there is no -time algorithm for or assuming SETH, and there is no -time algorithm for or assuming ETH.
Proof.
Combine Theorem 6.5 and Lemma 6.6. ∎
Note that the preceding reduction in fact achieves an approximation factor of . This implies that for every constant , there is a such that no -time algorithm that approximates or to within a factor of unless SETH fails.
Finally, we remark that the reduction given in Theorem 6.2 is parsimonious when used as a reduction from -SAT. I.e., there is a one-to-one correspondence between satisfying assignments in the input instance and close vectors in the output instance. The reductions given in Theorem 6.5 and Lemma 6.6 are also parsimonious.111111Actually, in the case of , each satisfying assignment to the SAT formula corresponds to a pair of shortest non-zero vectors, so that there are exactly twice as many such vectors as there are satisfying assignments.
Because -SAT is -hard, our reductions therefore show that the counting version of (called the Vector Counting Problem) is -hard for all , and that the counting version of is -hard. This improves (and arguably simplifies the proof of) a result of Charles [Cha07], which showed that the counting version of is -hard.
Acknowledgments
We would like to thank Oded Regev for many fruitful discussions and for helpful comments on an earlier draft of this work. We also thank Vinod Vaikuntanathan for recommending that we consider Gap-ETH.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[ABSS 93] Sanjeev Arora, László Babai, Jacques Stern, and Z. Sweedyk. The hardness of approximate optima in lattices, codes, and systems of linear equations. In FOCS , 1993.
- 2[ABW 15] Amir Abboud, Arturs Backurs, and Virginia Vassilevska Williams. Tight hardness results for LCS and other sequence similarity measures. In FOCS , 2015.
- 3[ADPS 16] Erdem Alkim, Léo Ducas, Thomas Pöppelmann, and Peter Schwabe. Post-quantum key exchange — A new hope. In USENIX Security Symposium , 2016.
- 4[ADRS 15] Divesh Aggarwal, Daniel Dadush, Oded Regev, and Noah Stephens-Davidowitz. Solving the Shortest Vector Problem in 2 n superscript 2 𝑛 2^{n} time via discrete Gaussian sampling. In STOC , 2015.
- 5[ADS 15] Divesh Aggarwal, Daniel Dadush, and Noah Stephens-Davidowitz. Solving the Closest Vector Problem in 2 n superscript 2 𝑛 2^{n} time— The discrete Gaussian strikes again! In FOCS , 2015.
- 6[AJ 08] V. Arvind and Pushkar S. Joglekar. Some sieving algorithms for lattice problems. In IARCS Annual Conference on Foundations of Software Technology and Theoretical Computer Science , 2008.
- 7[Ajt 98] Miklós Ajtai. The Shortest Vector Problem in L 2 is NP-hard for randomized reductions. In STOC , 1998.
- 8[Ajt 04] Miklós Ajtai. Generating hard instances of lattice problems. In Complexity of computations and proofs , volume 13 of Quad. Mat. , pages 1–32. Dept. Math., Seconda Univ. Napoli, Caserta, 2004. Preliminary version in STOC’96.
