Improved Hardness of BDD and SVP Under Gap-(S)ETH

Huck Bennett ³³footnotemark: 3 Oregon State University. Email: [email protected]. The majority of this work was completed while the author was at the University of Michigan. Chris Peikert University of Michigan. Emails: {cpeikert,yit}@umich.edu.This material is based upon work supported by the National Science Foundation under Award CCF-2006857. The views expressed are those of the authors and do not necessarily reflect the official policy or position of the National Science Foundation. Yi Tang²²footnotemark: 2 ³³footnotemark: 3

(November 19, 2021)

Abstract

We show improved fine-grained hardness of two key lattice problems in the $\ell_{p}$ norm: Bounded Distance Decoding to within an $\alpha$ factor of the minimum distance ( $\mathrm{BDD}_{p,\alpha}$ ) and the (decisional) $\gamma$ -approximate Shortest Vector Problem ( $\mathrm{SVP}_{p,\gamma}$ ), assuming variants of the Gap (Strong) Exponential Time Hypothesis (Gap-(S)ETH). Specifically, we show:

1.

For all $p\in[1,\infty)$ , there is no $2^{o(n)}$ -time algorithm for $\mathrm{BDD}_{p,\alpha}$ for any constant $\alpha>\alpha_{\mathsf{kn}}$ , where $\alpha_{\mathsf{kn}}=2^{-c_{\mathsf{kn}}}<0.98491$ and $c_{\mathsf{kn}}$ is the $\ell_{2}$ kissing-number constant, unless non-uniform Gap-ETH is false.
2.

For all $p\in[1,\infty)$ , there is no $2^{o(n)}$ -time algorithm for $\mathrm{BDD}_{p,\alpha}$ for any constant $\alpha>\alpha^{\ddagger}_{p}$ , where $\alpha^{\ddagger}_{p}$ is explicit and satisfies $\alpha^{\ddagger}_{p}=1$ for $1\leq p\leq 2$ , $\alpha^{\ddagger}_{p}<1$ for all $p>2$ , and $\alpha^{\ddagger}_{p}\to 1/2$ as $p\to\infty$ , unless randomized Gap-ETH is false.
3.

For all $p\in[1,\infty)\setminus 2\mathbb{Z}$ and all $C>1$ , there is no $2^{n/C}$ -time algorithm for $\mathrm{BDD}_{p,\alpha}$ for any constant $\alpha>\alpha^{\dagger}_{p,C}$ , where $\alpha^{\dagger}_{p,C}$ is explicit and satisfies $\alpha^{\dagger}_{p,C}\to 1$ as $C\to\infty$ for any fixed $p\in[1,\infty)$ , unless non-uniform Gap-SETH is false.
4.

For all $p>p_{0}\approx 2.1397$ , $p\notin 2\mathbb{Z}$ , and all $C>C_{p}$ , there is no $2^{n/C}$ -time algorithm for $\mathrm{SVP}_{p,\gamma}$ for some constant $\gamma>1$ , where $C_{p}>1$ is explicit and satisfies $C_{p}\to 1$ as $p\to\infty$ , unless randomized Gap-SETH is false.

Our results for $\mathrm{BDD}_{p,\alpha}$ improve and extend work by Aggarwal and Stephens-Davidowitz (STOC, 2018) and Bennett and Peikert (CCC, 2020). Specifically, the quantities $\alpha_{\mathsf{kn}}$ and $\alpha^{\ddagger}_{p}$ (respectively, $\alpha^{\dagger}_{p,C}$ ) significantly improve upon the corresponding quantity $\alpha_{p}^{*}$ (respectively, $\alpha_{p,C}^{*}$ ) of Bennett and Peikert for small $p$ (but arise from somewhat stronger assumptions). In particular, Item 1 improves the smallest value of $\alpha$ for which $\mathrm{BDD}_{p,\alpha}$ is known to be exponentially hard in the Euclidean norm ( $p=2$ ) to an explicit constant $\alpha<1$ for the first time under a general-purpose complexity assumption. Items 1 and 3 crucially use the recent breakthrough result of Vlăduţ (Moscow Journal of Combinatorics and Number Theory, 2019), which showed an explicit exponential lower bound on the lattice kissing number. Finally, Item 4 answers a natural question left open by Aggarwal, Bennett, Golovnev, and Stephens-Davidowitz (SODA, 2021), which showed an analogous result for the Closest Vector Problem.

1 Introduction

Lattices are geometric objects that look like regular orderings of points in real space. More formally, a lattice $\mathcal{L}$ is the set of all integer linear combinations of some linearly independent vectors $\boldsymbol{b}_{1},\ldots,\boldsymbol{b}_{n}\in\mathbb{R}^{m}$ . The matrix $B=(\boldsymbol{b}_{1},\ldots,\boldsymbol{b}_{n})$ whose columns are these vectors is called a basis of $\mathcal{L}$ , and we denote the lattice it generates by $\mathcal{L}(B)$ , i.e., $\mathcal{L}=\mathcal{L}(B):=\{{\sum_{i=1}^{n}a_{i}\boldsymbol{b}_{i}:a_{1},\ldots,a_{n}\in\mathbb{Z}}\}$ . The number of vectors $n$ in a basis is an invariant of $\mathcal{L}$ , and is called its rank.

In recent years, lattices have played a central role in both cryptanalysis and the design of secure cryptosystems. One very attractive quality of many lattice-based cryptosystems (e.g., [Ajt98, AD97, MR07, Reg09, GPV08]) is that they are secure assuming that certain key lattice problems are sufficiently hard to approximate in the worst case. Motivated by this and myriad other applications of lattices in computer science, many works have studied the $\mathsf{NP}$ -hardness of both exact and approximate lattice problems (e.g., [vEB81, ABSS97, Ajt98, Mic00, Mic01, Kho06, Kho05, LLM06, HR12, Mic12]). More recently, motivated especially by the need to understand the concrete security of lattice-based cryptosystems, a number of works [BGS17, AS18, BP20, AC21, ABGS21] have studied the fine-grained complexity of lattice problems. That is, for a meaningful real-world security bound, it is not enough to say merely that there is no polynomial-time algorithm for a suitable lattice problem. Rather, a key goal is to show $2^{\Omega(n)}$ -hardness, or even $2^{Cn}$ -hardness for some explicit $C>0$ , of a problem under general-purpose complexity-theoretic assumptions, like variants of the (Strong) Exponential Time Hypothesis.

In this work, we extend the latter line of research by showing improved fine-grained complexity results for two key lattice problems, the Bounded Distance Decoding Problem ( $\mathrm{BDD}$ ) and the Shortest Vector Problem ( $\mathrm{SVP}$ ). To define these problems, we first recall some notation. Let $\lambda_{1}(\mathcal{L}):=\min_{\boldsymbol{v}\in\mathcal{L}\setminus\{{\boldsymbol{0}}\}}\lVert\boldsymbol{v}\rVert$ denote the minimum distance of $\mathcal{L}$ , i.e., the length of a shortest non-zero vector in $\mathcal{L}$ , and let $\mathrm{dist}(\boldsymbol{t},\mathcal{L}):=\min_{\boldsymbol{v}\in\mathcal{L}}\lVert\boldsymbol{t}-\boldsymbol{v}\rVert$ denote the distance between a target vector $\boldsymbol{t}$ and $\mathcal{L}$ . When using the $\ell_{p}$ norm, we denote these quantities by $\lambda^{(p)}_{1}(\mathcal{L})$ and $\mathrm{dist}_{p}(\boldsymbol{t},\mathcal{L})$ , respectively.

BDD and SVP.

The Bounded Distance Decoding Problem in the $\ell_{p}$ norm for relative distance $\alpha$ , denoted $\mathrm{BDD}_{p,\alpha}$ , is the search promise problem defined as follows: given a basis $B$ of a lattice $\mathcal{L}=\mathcal{L}(B)$ and a target vector $\boldsymbol{t}$ satisfying $\mathrm{dist}_{p}(\boldsymbol{t},\mathcal{L})\leq\alpha\cdot\lambda^{(p)}_{1}(\mathcal{L})$ as input, the goal is to find a closest lattice vector $\boldsymbol{v}\in\mathcal{L}$ to the target vector $\boldsymbol{t}$ such that $\lVert\boldsymbol{t}-\boldsymbol{v}\rVert_{p}=\mathrm{dist}_{p}(\boldsymbol{t},\mathcal{L})$ . (We note that $\boldsymbol{v}$ is guaranteed to be unique when $\alpha<1/2$ , but that $\mathrm{BDD}_{p,\alpha}$ is well-defined for any $\alpha=\alpha(n)>0$ .) The $\gamma$ -approximate Shortest Vector Problem in the $\ell_{p}$ norm, denoted $\mathrm{SVP}_{p,\gamma}$ , is the decision promise problem defined as follows: given a basis $B$ of a lattice $\mathcal{L}=\mathcal{L}(B)$ and a distance threshold $r>0$ as input, the goal is to decide whether $\lambda^{(p)}_{1}(\mathcal{L})\leq r$ (i.e., the input is a YES instance) or $\lambda^{(p)}_{1}(\mathcal{L})>\gamma r$ (i.e., the input is a NO instance), with the promise that one of the two cases holds.¹¹1In other literature, this decision problem is often called $\mathrm{GapSVP}_{p,\gamma}$ , whereas $\mathrm{SVP}_{p,\gamma}$ usually denotes the corresponding search problem (of finding a nonzero lattice vector $\boldsymbol{v}\in\mathcal{L}$ for which $\lVert\boldsymbol{v}\rVert\leq\gamma\cdot\lambda^{(p)}_{1}(\mathcal{L})$ , given an arbitrary lattice $\mathcal{L}$ .) There is a trivial reduction from the decision problem to the search problem, so any hardness of the former implies identical hardness of the latter.

Although it seems far out of reach using known techniques, proving that $\mathrm{SVP}_{p,\gamma}$ is hard for a sufficiently large polynomial approximation factor $\gamma=\gamma(n)$ , or that $\mathrm{BDD}_{p,\alpha}$ is hard for sufficiently small inverse-polynomial relative distance $\alpha=\alpha(n)$ , would imply the provable security of lattice-based cryptography.²²2We note that the relative distance $\alpha$ in $\mathrm{BDD}_{p,\alpha}$ is not an approximation factor per se, but it is analogous to one in a precise sense. Namely, for $p=2$ there is a rank-preserving reduction from $\mathrm{BDD}_{2,\alpha}$ to $\mathrm{SVP}_{2,\gamma}$ with $\gamma=O(1/\alpha)$ [LM09, BSW16], so sufficiently strong (fine-grained) hardness of the former problem translates to corresponding hardness for the latter problem. A similar reduction holds in reverse, but with a larger loss: $\alpha=\Omega(\sqrt{n/\log n}/\gamma)$ . On the other hand, most concrete security estimates for lattice-based cryptosystems are based on the runtimes of the fastest known (possibly heuristic) algorithms for exact or near-exact $\mathrm{SVP}$ . So, apart from its inherent theoretical interest, understanding the fine-grained complexity of (near-)exact $\mathrm{SVP}$ and $\mathrm{BDD}$ sheds light on questions of great practical importance.

1.1 Our Results

Refer to caption — Figure 1: Plots showing the smallest relative distance $\alpha$ for which fine-grained hardness of $\mathrm{BDD}_{p,\alpha}$ is known under variants of the (Strong) Exponential Time Hypothesis ((S)ETH); smaller $\alpha$ corresponds to stronger hardness results. The left plot shows the smallest values of $\alpha$ for which $2^{\Omega(n)}$ -hardness is known under variants of ETH; $\alpha_{\mathsf{kn}}$ and $\alpha^{\ddagger}_{p}$ are from this work, and “ $\alpha^{*}_{p}$ + NE”— $\alpha_{p}^{*}$ with norm embeddings—is from [BP20]. The right plot shows the smallest values of $\alpha$ for which $2^{n/C}$ -hardness is known under variants of SETH; $\alpha^{\dagger}_{p,C}$ is from this work and $\alpha_{p,C}^{*}$ is from [BP20]. The hardness results for the right plot only hold for $p\notin 2\mathbb{Z}$ due to a limitation in an “upstream” hardness result from [ABGS21], which in particular precludes using norm embeddings. (The curves for $\alpha^{*}_{p,50}$ , $\alpha^{*}_{p,100}$ , and $\alpha^{*}_{p,200}$ are essentially indistinguishable at the plot scale, so we include only $\alpha^{*}_{p,200}$ .)

In this work, we show improved fine-grained hardness of $\mathrm{BDD}_{p,\alpha}$ and $\mathrm{SVP}_{p,\gamma}$ , with an emphasis on results for smaller relative distance $\alpha$ and larger approximation factor $\gamma$ , and on analyzing the complexity of the problems as the underlying $\ell_{p}$ norm varies. (We note that $\mathrm{BDD}_{p,\alpha^{\prime}}$ trivially reduces to $\mathrm{BDD}_{p,\alpha}$ when $\alpha^{\prime}<\alpha$ , and so showing hardness results for $\mathrm{BDD}_{p,\alpha}$ for smaller $\alpha$ is showing something stronger.)

At a conceptual level, our work gives very general reductions to $\mathrm{BDD}$ (presented in Theorem 3.4), which reduce the task of showing hardness for $\mathrm{BDD}$ to analyzing properties of certain gadget lattices (described in Section 1.2.1). The few known hardness results for $\mathrm{BDD}$ (essentially just [LLM06, BP20] and this work) are all shown using this gadget lattice framework, but the previous works required separate reductions. The reductions in this work give a unified way to show hardness results using this framework.

At a technical level, our improved results for $\mathrm{BDD}$ follow from improved analysis of the techniques used in [AS18] and [BP20] together with our new framework. Aggarwal and Stephens-Davidowitz [AS18] presented three main results on the fine-grained hardness of $\mathrm{SVP}$ , summarized in Items 1 to 3 in its abstract. Bennett and Peikert [BP20] showed new hardness results for $\mathrm{BDD}$ by refining and adapting the analysis used to show [AS18], Item 1. Analogously, in this work we obtain two of our hardness results for $\mathrm{BDD}$ by refining and adapting the analysis used to show [AS18], Items 2 and 3. Specifically, Theorem 1.1 corresponds to [AS18], Item 3 and Theorem 1.2 to [AS18], Item 2. Our third hardness result for $\mathrm{BDD}$ , presented in Theorem 1.3, uses ideas from the other reductions together with our new framework. Finally, our improved result for $\mathrm{SVP}$ , presented in Theorem 1.4, answers a natural question left open by [AS18, ABGS21].

Our results assume (randomized or non-uniform) “gap” variants of the Exponential Time Hypothesis (ETH) and Strong Exponential Time Hypothesis (SETH). Recall that “plain” ETH asserts that solving the $3$ -SAT problem on $n$ variables requires $2^{\Omega(n)}$ time, and “plain” SETH asserts that for every $\varepsilon>0$ there exists $k\in\mathbb{Z}^{+}$ such that solving the $k$ -SAT problem on $n$ variables requires $2^{(1-\varepsilon)n}$ -time. The gap variants of these assumptions hypothesize that similar runtime lower bounds hold even for approximating the number of satisfiable clauses in a $k$ -SAT formula to within some small constant approximation factor; see Section 2.5 for the precise definitions. We sometimes informally use the terminology “(Gap-)ETH-hardness” to denote $2^{\Omega(n)}$ -hardness of a problem assuming a variant of (Gap-)ETH, and “(Gap-)SETH-hardness” to denote $2^{cn}$ -hardness of a problem assuming a variant of (Gap-)SETH for some explicit constant $c>0$ .

1.1.1 Hardness for BDD

Our first result shows improved exponential hardness of $\mathrm{BDD}_{p,\alpha}$ for all sufficiently small values of $p$ , including the important Euclidean case of $p=2$ , assuming a variant of Gap-ETH (see the left plot in Figure 1). Indeed, it improves the smallest value of $\alpha$ for which exponential hardness of $\mathrm{BDD}_{2,\alpha}$ is known under a general-purpose complexity-theoretic assumption to $\alpha<0.98491$ , showing such hardness for an explicit³³3Each of the quantities $\alpha_{\mathsf{kn}}$ , $\alpha^{\ddagger}_{p}$ , $\alpha^{\dagger}_{p,C}$ , $\alpha_{p,C}^{*}$ , $\alpha_{p}^{*}$ , and $C_{p}$ described in this section is “explicit” in the sense that it is expressible via some (not necessarily closed-form) expression. These expressions are easily computed to high accuracy in practice as shown, e.g., in Figure 1. Additionally, we emphasize that these quantities are constants in that they do not depend on the rank $n$ of the lattice in the corresponding problem. constant less than the $\alpha=1$ threshold for the first time.⁴⁴4Using the ideas in this paper and [AS18], showing exponential hardness of $\mathrm{SVP}$ essentially corresponds to showing exponential hardness of $\mathrm{BDD}$ with $\alpha=1-\varepsilon$ for some constant $\varepsilon>0$ . Additionally, using the $\mathrm{BDD}$ -hardness framework in this paper, it would be relatively straightforward to show exponential hardness of $\mathrm{BDD}$ with $\alpha=1+\varepsilon$ for any constant $\varepsilon>0$ . So, the $\alpha=1$ threshold is qualitatively quite natural, and trying to show hardness for an explicit constant $\alpha<1$ is a natural goal.

Theorem 1.1 (Gap-ETH-hardness of BDD, first bound).

For all $p\in[1,\infty)$ , there is no $2^{o(n)}$ -time algorithm for $\mathrm{BDD}_{p,\alpha}$ for any constant $\alpha>\alpha_{\mathsf{kn}}$ , unless non-uniform Gap-ETH is false. Here $\alpha_{\mathsf{kn}}=2^{-c_{\mathsf{kn}}}<0.98491$ , where $c_{\mathsf{kn}}$ is the $\ell_{2}$ kissing-number constant defined in Section 3.2.

Our second result shows improved exponential hardness of $\mathrm{BDD}_{p,\alpha}$ in a different regime and under a somewhat weaker assumption.

Theorem 1.2 (Gap-ETH-hardness of BDD, second bound).

For all $p\in[1,\infty)$ , there is no $2^{o(n)}$ -time algorithm for $\mathrm{BDD}_{p,\alpha}$ for any constant $\alpha>\alpha^{\ddagger}_{p}$ , unless randomized Gap-ETH is false. Here $\alpha^{\ddagger}_{p}$ is an explicit constant, defined in Equation 20, which satisfies $\alpha^{\ddagger}_{p}=1$ for $1\leq p\leq 2$ , $\alpha^{\ddagger}_{p}<1$ for all $p>2$ , and $\alpha^{\ddagger}_{p}\to 1/2$ as $p\to\infty$ .

In [AS18], Aggarwal and Stephens-Davidowitz showed SETH-hardness of $\mathrm{SVP}_{p,1}$ for all $p>p_{0}\approx 2.1397$ . To partially overcome the “ $p_{0}$ barrier,” they generalized their proof techniques to show Gap-ETH-hardness of $\mathrm{SVP}_{p,\gamma}$ for all $p>2$ . The results in [BP20] adapted the former techniques of [AS18] to show SETH-hardness of $\mathrm{BDD}$ , and similarly got stuck at the $p_{0}$ barrier in the sense that they could not prove hardness of $\mathrm{BDD}_{p,\alpha}$ with $p<p_{0}$ and $\alpha<1$ simultaneously. The proof of Theorem 1.2 can be thought of as adapting the latter, generalized techniques of [AS18] to $\mathrm{BDD}$ , and analogously allows us to prove Gap-ETH-hardness of $\mathrm{BDD}_{p,\alpha}$ with $\alpha<1$ for all $p>2$ .

Compared to related quantities, $\alpha^{\ddagger}_{p}$ is: at most “ $\alpha_{p}^{*}$ with norm embeddings” for all $p\in[1,\infty)$ ; strictly less than $\alpha_{p}^{*}$ for all sufficiently small $p$ ; strictly less than $\alpha_{\mathsf{kn}}$ for all sufficiently large $p$ ; and strictly less than the minimum of $\alpha_{p}^{*}$ and $\alpha_{\mathsf{kn}}$ for intermediate values of $p$ . That is, $\alpha^{\ddagger}_{p}$ improves on both $\alpha_{p}^{*}$ (even with norm embeddings) and $\alpha_{\mathsf{kn}}$ for intermediate values of $p$ ; again, see the left plot in Figure 1. (Recall that [BP20] shows exponential hardness of $\mathrm{BDD}_{p,\alpha}$ for $\alpha>\alpha_{p}^{*}$ assuming randomized ETH, and Theorem 1.1 above shows such hardness for $\alpha>\alpha_{\mathsf{kn}}$ assuming non-uniform Gap-ETH.) However, Theorem 1.2 relies on a somewhat stronger hardness assumption than the one used in [BP20], and a somewhat weaker hardness assumption than Theorem 1.1, so the prior and new results are formally incomparable.

Our third result shows $2^{n/C}$ -hardness of $\mathrm{BDD}_{p,\alpha}$ for any $C>1$ and $\alpha>\alpha^{\dagger}_{p,C}$ , where $\alpha^{\dagger}_{p,C}$ is an explicit constant. For all sufficiently small $p\geq 1$ and sufficiently large $C>1$ , $\alpha^{\dagger}_{p,C}$ not only improves on the corresponding quantity $\alpha_{p,C}^{*}$ in [BP20], but also on $\alpha_{p}^{*}=\inf_{C>1}\alpha_{p,C}^{*}$ . For example, we show that $\alpha^{\dagger}_{1.5,200}\approx 1.0247$ while [BP20] was only able to show $\alpha^{*}_{1.5,200}\approx 1.3624$ and $\alpha_{p}^{*}\approx 1.3554$ (see the right plot in Figure 1).

Theorem 1.3 (Gap-SETH-hardness of BDD).

For all $p\in[1,\infty)\setminus 2\mathbb{Z}$ and all $C>1$ , there is no $2^{n/C}$ -time algorithm for $\mathrm{BDD}_{p,\alpha}$ for any constant $\alpha>\alpha^{\dagger}_{p,C}$ , unless non-uniform Gap-SETH is false. Here $\alpha^{\dagger}_{p,C}$ is an explicit constant, defined in Equation 21, which satisfies $\alpha^{\dagger}_{p,C}\to 1$ as $C\to\infty$ for any fixed $p\in[1,\infty)$ .

Theorems 1.3 and 1.1 both crucially rely on the recent breakthrough work of Vlăduţ [Vlă19] showing an explicit exponential lower bound on the $\ell_{2}$ lattice kissing number, i.e., on the maximum number of vectors $\boldsymbol{v}\in\mathcal{L}$ achieving $\lVert\boldsymbol{v}\rVert=\lambda_{1}(\mathcal{L})$ . More specifically, [Vlă19] shows that there exists a lattice of every rank $n\in\mathbb{Z}^{+}$ with kissing number at least $2^{c_{\mathsf{kn}}n-o(n)}$ , where $c_{\mathsf{kn}}\geq 0.02194$ (see Definition 3.5 and Theorem 3.6).

Vlăduţ’s specific lower bound on $c_{\mathsf{kn}}$ translates to the bounds on $\alpha_{\mathsf{kn}}$ and $\alpha^{\dagger}_{p,C}$ that we obtain. Additionally, our use of “non-uniform” rather than “randomized” Gap-(S)ETH in the preceding results arises from the fact that it is not clear whether Vlăduţ’s exponential kissing number lattices can be efficiently constructed uniformly (even using randomness); an affirmative answer would relax the assumptions accordingly. Indeed, our results are agnostic to Vlăduţ’s specific construction, and an improved lower bound on $c_{\mathsf{kn}}$ would immediately imply improved upper bounds on the values $\alpha_{\mathsf{kn}}$ and $\alpha^{\dagger}_{p,C}$ . Additionally, in Section 3.4.1 we sketch an approach for removing the “gap” part of the assumption in Theorem 1.3, which would be a further relaxation.

1.1.2 Hardness for SVP

Our final result shows the same strong runtime lower bounds for $\mathrm{SVP}_{p,\gamma}$ with some constant $\gamma>1$ under (randomized) Gap-SETH as [AS18] showed for $\mathrm{SVP}_{p,1}$ under (randomized) SETH. This answers a natural question left open by [ABGS21], which analogously showed the same runtime lower bounds for $\mathrm{CVP}_{p,\gamma}$ with some constant $\gamma>1$ under Gap-SETH as [BGS17] showed for the Closest Vector Problem ( $\mathrm{CVP}$ ) under SETH.

Theorem 1.4 (Gap-SETH-hardness of SVP).

For all $p>p_{0}\approx 2.1397$ , $p\notin 2\mathbb{Z}$ , and all $C>C_{p}$ , there is no $2^{n/C}$ -time algorithm for $\mathrm{SVP}_{p,\gamma}$ for some constant $\gamma>1$ , unless randomized Gap-SETH is false. Here $C_{p}>1$ is an explicit constant, defined in Equation 23, which satisfies $C_{p}\to 1$ as $p\to\infty$ .

The reduction used to prove Theorem 1.4 is itself a natural modification of the reduction used in [AS18] to prove SETH-hardness of exact $\mathrm{SVP}$ , but its analysis is more nuanced. We emphasize that simply plugging an instance of $\mathrm{CVP}^{\prime}_{p,\gamma}$ with $\gamma>1$ rather than $\gamma=1$ into the reduction of [AS18] does not yield corresponding hardness of approximation for $\mathrm{SVP}_{p,\gamma^{\prime}}$ with $\gamma^{\prime}>1$ ; a modified reduction is necessary. Finally, we remark that the somewhat odd-looking $p\notin 2\mathbb{Z}$ requirement in Theorems 1.3 and 1.4 is an artifact of the “upstream” hardness results we employ for $\mathrm{CVP}^{\prime}_{p,\gamma}$ ; see Theorem 2.18.

1.2 Our Techniques

1.2.1 Locally Dense Lattices

As in nearly all prior work on the complexity of $\mathrm{BDD}$ and $\mathrm{SVP}$ (e.g., [Mic01, Kho05, LLM06, AS18, BP20]), a key component of our results is the construction of a family of “locally dense” lattices, which are specified by a lattice $\mathcal{L}^{\dagger}$ and corresponding target vector $\boldsymbol{t}^{\dagger}$ . For our purposes, a locally dense lattice $\mathcal{L}^{\dagger}$ is one with few “short” vectors, many vectors “close” to $\boldsymbol{t}^{\dagger}$ , but few vectors “too close” to $\boldsymbol{t}^{\dagger}$ . (Other works such as [Mic14] define locally dense lattices in a closely related but different way, e.g., without the requirement of few “too close” vectors.)

For a discrete set $S$ , which we will take to be a lattice or a subset of a lattice, define

	$\displaystyle N_{p}(S,r,\boldsymbol{t})$	$\displaystyle:=\left\|{\{{\boldsymbol{x}\in S:\lVert\boldsymbol{t}-\boldsymbol{x}\rVert_{p}\leq r}\}}\right\|\ \text{,}$
	$\displaystyle N_{p}^{o}(S,r,\boldsymbol{t})$	$\displaystyle:=\left\|{\{{\boldsymbol{x}\in S:\lVert\boldsymbol{t}-\boldsymbol{x}\rVert_{p}<r}\}}\right\|\ \text{.}$

Somewhat more formally, we define a locally dense lattice $\mathcal{L}^{\dagger}$ , $\boldsymbol{t}^{\dagger}$ with relative distance $\alpha_{G}$ in the $\ell_{p}$ norm to be one for which

N_{p}(\mathcal{L}^{\dagger},\alpha_{G},\boldsymbol{t}^{\dagger})\geq\nu^{n}\cdot N_{p}^{o}(\mathcal{L}^{\dagger},1,\boldsymbol{0})

(1)

for some $\nu>1$ . That is, $\mathcal{L}^{\dagger}$ , $\boldsymbol{t}^{\dagger}$ is such that the number $G$ of “close vectors” (within distance $\alpha_{G}$ of $\boldsymbol{t}^{\dagger}$ ) is an exponential factor larger than the number of short vectors (of norm at most one). Similarly, we require there to be an exponential factor more close vectors than “too close” vectors, along with some other technical conditions. We defer discussing these issues until the main body of the paper, and for the remainder of the introduction focus on the constraint in Equation 1.

A crux in showing hardness of $\mathrm{BDD}_{p,\alpha}$ and $\mathrm{SVP}_{p,\gamma}$ is constructing good locally dense lattices, and their parameters govern the precise hardness results that we can obtain. A family of locally dense lattices with smaller relative distance $\alpha_{G}$ and larger $\nu$ leads to stronger hardness results. To obtain ETH-type hardness results, we simply need $\nu$ to be a constant greater than $1$ , and then we can show $2^{\Omega(n)}$ -hardness of $\mathrm{BDD}_{p,\alpha}$ for any constant $\alpha>\alpha_{G}$ . For SETH-type hardness results, we get $2^{n/C}$ -hardness of $\mathrm{BDD}_{p,\alpha}$ whenever our reduction to $\mathrm{BDD}$ has a multiplicative rank-increase factor of $C$ . The value of $C$ depends on the gap factor $\nu$ in Equation 1, so to show such hardness for explicit $C>0$ we need an explicit lower bound on $\nu$ . Our reductions also give a tradeoff between $C$ and $\alpha$ , as shown in the right plot in Figure 1. The full situation is actually a bit more complicated when taking “too close” vectors into account, but we again defer discussing this for now. The situation for $\mathrm{SVP}$ is similar to the situation for $\mathrm{BDD}$ .

1.2.2 Sparsification

An important technique in our work is randomized lattice sparsification, an efficient algorithm that essentially does the following. Given (a basis of) a lattice $\mathcal{L}$ and an index $q\in\mathbb{Z}^{+}$ as input, the algorithm randomly samples a sublattice $\mathcal{L}^{\prime}\subseteq\mathcal{L}$ such that for any fixed, finite set of lattice points $S\subseteq\mathcal{L}$ satisfying some mild conditions, $\left|{S\cap\mathcal{L}^{\prime}}\right|\approx\left|{S}\right|/q$ with probability near $1$ . A variant of this algorithm, additionally given $\boldsymbol{t}\in\operatorname{span}(\mathcal{L})$ as input, randomly samples $\mathcal{L}^{\prime}\subseteq\mathcal{L}$ and $\boldsymbol{t}^{\prime}$ such that for any fixed, finite set of points $S\subseteq\mathcal{L}-\boldsymbol{t}$ satisfying some mild conditions, $\left|{S\cap(\mathcal{L}^{\prime}-\boldsymbol{t}^{\prime})}\right|\approx\left|{S}\right|/q$ with probability near $1$ .

Intuitively, some mild caveats aside, sparsification says that a lattice with few short vectors (and few “too close” vectors) is just as good as a lattice with no short non-zero vectors (and no “too close” vectors), since the latter can be efficiently obtained from the former. Indeed, sparsifying with index $q\approx N_{p}^{o}(\mathcal{L},r,\boldsymbol{0})$ allows us to turn a lattice $\mathcal{L}$ and target $\boldsymbol{t}$ satisfying, say, $N_{p}(\mathcal{L},\alpha r,\boldsymbol{t})\geq 100\cdot N_{p}^{o}(\mathcal{L},r,\boldsymbol{0})$ into a lattice $\mathcal{L}^{\prime}$ and target $\boldsymbol{t}^{\prime}$ with $N_{p}(\mathcal{L}^{\prime},\alpha r,\boldsymbol{t}^{\prime})\geq 1$ and $N_{p}^{o}(\mathcal{L}^{\prime}\setminus\{{\boldsymbol{0}}\},r,\boldsymbol{0})=0$ , so $\mathrm{dist}_{p}(\boldsymbol{t}^{\prime},\mathcal{L})\leq\alpha r$ and $\lambda^{(p)}_{1}(\mathcal{L}^{\prime})\geq r$ . That is, the output $\mathcal{L}^{\prime}$ , $\boldsymbol{t}^{\prime}$ satisfies the $\mathrm{BDD}$ promise $\mathrm{dist}_{p}(\boldsymbol{t}^{\prime},\mathcal{L})\leq\alpha\cdot\lambda^{(p)}_{1}(\mathcal{L}^{\prime})$ . See Section 2.2 for a formal description of sparsification.

1.2.3 A Transformation Using Locally Dense Lattices

Define $\mathrm{CVP}^{\prime}_{p,\gamma}$ to be the following variant of the decision version of the $\gamma$ -approximate Closest Vector Problem: given a basis $B$ of a rank- $n$ lattice $\mathcal{L}$ and a target vector $\boldsymbol{t}$ as input, decide whether there exists $\boldsymbol{x}\in\{{0,1}\}^{n}$ such that $\lVert B\boldsymbol{x}-\boldsymbol{t}\rVert_{p}\leq 1$ (i.e., the input is a YES instance), or whether $\mathrm{dist}_{p}(\boldsymbol{t},\mathcal{L})>\gamma$ (i.e., the input is a NO instance), under the promise that one of the two cases holds. In other words, $\mathrm{CVP}^{\prime}$ is the variant of $\mathrm{CVP}$ that asks whether there is a binary combination of basis vectors close to the target. Much is known about the (fine-grained) complexity of $\mathrm{CVP}^{\prime}$ , which will be useful for us (see Theorems 2.17 and 2.18).

Our reductions from $\mathrm{CVP}^{\prime}$ to $\mathrm{BDD}$ and to $\mathrm{SVP}$ have the same basic form. Given a rank- $n^{\prime}$ instance $B^{\prime},\boldsymbol{t}^{\prime}$ of $\mathrm{CVP}^{\prime}_{p,\gamma}$ for some $\gamma>1$ , we apply the following transformation with some scaling factors $s,\ell>0$ and some locally dense lattice $\mathcal{L}^{\dagger}=\mathcal{L}(B^{\dagger})$ of rank $n-n^{\prime}$ with target $\boldsymbol{t}^{\dagger}$ satisfying Equation 1:

B:=\begin{pmatrix}sB^{\prime}&0\\ I_{n^{\prime}}&0\\ 0&\ell B^{\dagger}\end{pmatrix}\ \text{,}\qquad\boldsymbol{t}:=\begin{pmatrix}s\boldsymbol{t}^{\prime}\\ \tfrac{1}{2}\boldsymbol{1}_{n^{\prime}}\\ \ell\boldsymbol{t}^{\dagger}\end{pmatrix}\ \text{.}

(2)

Essentially the same transformation appears in both [AS18] and [BP20], and similar ideas appear in a number of works before that. Our work differs in its constructions of locally dense lattice gadgets $(\mathcal{L}^{\dagger}$ , $\boldsymbol{t}^{\dagger})$ , its more general reductions, and its improved analysis.

Here we give a rough analysis of the transformation using two observations. First, we observe that appending $I_{n^{\prime}}$ to $B^{\prime}$ allows us to upper bound the number of short lattice vectors in $\mathcal{L}(B)$ by

N_{p}^{o}(\mathcal{L}(B),r^{\prime},\boldsymbol{0})\leq N_{p}^{o}(\mathbb{Z}^{n^{\prime}}\oplus\mathcal{L}(\ell B^{\dagger}),r^{\prime},\boldsymbol{0})

(3)

for any $r^{\prime}>0$ . Second, suppose that $B^{\prime}$ , $\boldsymbol{t}^{\prime}$ is a YES instance of $\mathrm{CVP}^{\prime}$ . Then there exists $\boldsymbol{x}\in\{{0,1}\}^{n^{\prime}}$ such that $\lVert B^{\prime}\boldsymbol{x}-\boldsymbol{t}^{\prime}\rVert\leq 1$ , and hence for each $\boldsymbol{y}\in\mathbb{Z}^{n-n^{\prime}}$ with $\lVert B^{\dagger}\boldsymbol{y}-\boldsymbol{t}^{\dagger}\rVert_{p}\leq\alpha_{G}$ we get that $\lVert B(\boldsymbol{x},\boldsymbol{y})-\boldsymbol{t}\rVert_{p}\leq r$ , where $r:=(s^{p}+n^{\prime}/2^{p}+(\alpha_{G}\cdot\ell)^{p})^{1/p}$ . So,

N_{p}(\mathcal{L}(B),r,\boldsymbol{t})\geq N_{p}(\mathcal{L}(B^{\dagger}),\alpha_{G},\boldsymbol{t}^{\dagger})\ \text{.}

(4)

To transform a YES instance of $\mathrm{CVP}^{\prime}_{p,\gamma}$ to a valid instance of $\mathrm{BDD}_{p,\alpha}$ for some $\alpha>0$ , it essentially suffices to set the parameters $r,s,\ell$ and use suitable $B^{\dagger}$ , $\boldsymbol{t}^{\dagger}$ so that, say,

N_{p}(\mathcal{L}(B^{\dagger}),\alpha_{G},\boldsymbol{t}^{\dagger})\geq 100\cdot N_{p}^{o}(\mathbb{Z}^{n^{\prime}}\oplus\mathcal{L}(\ell B^{\dagger}),r/\alpha,\boldsymbol{0})\ \text{.}

(5)

Indeed, if Equation 5 holds, then by Equations 3 and 4, $N_{p}(\mathcal{L}(B),r,\boldsymbol{t})\geq 100\cdot N_{p}^{o}(\mathcal{L}(B),r/\alpha,\boldsymbol{0})$ . We can then sparsify $\mathcal{L}(B)$ to obtain a lattice with no non-zero vectors of norm less than $r/\alpha$ , and at least one vector within distance $r$ of $\boldsymbol{t}$ , as needed.

We recall that by assumption, $N_{p}(\mathcal{L}(B^{\dagger}),\alpha_{G},\boldsymbol{t}^{\dagger})\geq\nu^{n-n^{\prime}}$ , which is important for satisfying Equation 5 since $N_{p}^{o}(\mathbb{Z}^{n^{\prime}}\oplus\mathcal{L}(\ell B^{\dagger}),r/\alpha,\boldsymbol{0})$ will typically be exponentially large in $n^{\prime}$ . We also need that if the input $\mathrm{CVP}^{\prime}$ instance is a NO instance, then there will be few vectors in $\mathcal{L}(B)$ that are close to $\boldsymbol{t}$ , which depends on $\mathcal{L}^{\dagger}$ having few vectors “too close” to $\boldsymbol{t}^{\dagger}$ , but again we defer discussing this. See Lemma 3.2 for a precise description of the useful properties of the transformation given in Equation 2.

When reducing to $\mathrm{SVP}_{p,\gamma^{\prime}}$ instead of $\mathrm{BDD}_{p,\alpha}$ we apply a further transformation to $B,\boldsymbol{t}$ before sparsifying. Namely, we apply Kannan’s embedding, which appends the vector $(\boldsymbol{t},u)$ , for some value $u>0$ , to $B$ to obtain a new basis:

B,\boldsymbol{t},u\mapsto\begin{pmatrix}B&\boldsymbol{t}\\ 0&u\end{pmatrix}\ \text{.}

The analysis in this case is a bit more subtle as well—we need to upper bound quantities of the form $N_{p}(\mathcal{L}(B),(r^{p}-(wu)^{p})^{1/p},w\cdot(\boldsymbol{t},u))$ not just for $w=0,1$ (corresponding to short and “too close” vectors in the $\mathrm{BDD}$ case, respectively) but for all integers $w\geq 2$ too—but the idea is similar. In fact, we use a result from [AS18] (presented in Theorem 4.2) that analyzes the combination of Kannan’s embedding and sparsification already, essentially reducing our task to bounding the quantities $N_{p}(\mathcal{L}(B),(r^{p}-(wu)^{p})^{1/p},w\cdot(\boldsymbol{t},u))$ .

1.2.4 Specific Locally Dense Lattices

We conclude this summary of techniques by describing the specific locally dense lattices $\mathcal{L}^{\dagger},\boldsymbol{t}^{\dagger}$ that we use to instantiate Equation 2. We use two main families of locally dense lattices for our results.

Exponential kissing number lattices.

The first family of locally dense lattices is derived from a family of “exponential kissing number” lattices $\{{\mathcal{L}_{n}}\}_{n=1}^{\infty}$ . Here, $\mathcal{L}_{n}$ is of rank $n$ and has exponential Euclidean kissing number, i.e., $N_{2}(\mathcal{L}_{n},\lambda_{1}(\mathcal{L}),\boldsymbol{0})=2^{\Omega(n)}$ . Previously, [AS18] showed how to use the existence of such a family to prove $2^{\Omega(n)}$ -hardness of $\mathrm{SVP}_{p,\gamma}$ for all $p\geq 1$ and some $\gamma>1$ (and in particular, for $1\leq p\leq 2$ , for which the result was not already known from other techniques), assuming non-uniform Gap-ETH. However, no such family of lattices was known at the time, and in fact proving the existence of such a family was a longstanding open question.

In seminal work appearing shortly after the publication of [AS18], Vlăduţ [Vlă19] succeeded in constructing such a family of lattices. Moreover, he proved the existence of such a family with an explicit exponential lower bound. More specifically, he showed the existence of $\{{\mathcal{L}_{n}}\}_{n=1}^{\infty}$ with $N_{2}(\mathcal{L}_{n},\lambda_{1}(\mathcal{L}_{n}),\boldsymbol{0})\geq 2^{c_{\mathsf{kn}}n-o(n)}$ where $c_{\mathsf{kn}}\geq 0.02194$ (see Theorem 3.6).

The proofs of Theorems 1.1 and 1.3 both use these “Vlăduţ lattices” to construct locally dense lattices, but in different ways. The proof of Theorem 1.1 constructs a locally dense lattice $\mathcal{L}^{\dagger}$ , $\boldsymbol{t}^{\dagger}$ with relative distance $\alpha\approx 2^{-c_{\mathsf{kn}}}\approx 0.98491$ , but with a non-explicit lower bound on the gap factor $\nu$ in Equation 1. The proof of Theorem 1.3 constructs a locally dense lattice $\mathcal{L}^{\dagger}$ , $\boldsymbol{t}^{\dagger}$ with relative distance $\alpha\approx 1$ but with an explicit lower bound on $\nu$ —essentially $\nu\geq 2^{c_{\mathsf{kn}}}$ . The values $\alpha^{\dagger}_{p,C}$ in Theorem 1.3 are defined to be a certain quantity relating the maximum possible kissing number in a lattice of rank $(C-1)n^{\prime}$ , roughly $2^{c_{\mathsf{kn}}\cdot(C-1)n^{\prime}}$ , and the number of vectors in $\mathbb{Z}^{n^{\prime}}$ of norm at most $r$ for some $r>0$ .

The proof of Theorem 1.3 is actually somewhat simpler than that of Theorem 1.1, so we first give a bit more detail on it. We note that taking $\mathcal{L}^{\dagger}:=\mathcal{L}_{n}$ and $\boldsymbol{t}^{\dagger}:=\boldsymbol{0}$ for a Vlăduţ lattice $\mathcal{L}_{n}$ almost yields a locally dense lattice family with $\nu^{n-o(n)}$ many close vectors for $\nu\geq 2^{c_{\mathsf{kn}}}$ and relative distance $\alpha=1$ , but there are two issues: (1) Vlăduţ lattices have exponential kissing number with respect to the $\ell_{2}$ norm rather than general $\ell_{p}$ norms, and (2) the origin is itself a “too close” vector.

We handle issue (1) by applying norm embeddings [RR06] with distortion $(1+\varepsilon)$ to $\{{\mathcal{L}_{n}}\}_{n=1}^{\infty}$ to obtain a family of lattices $\{{\mathcal{L}^{\prime}_{n}}\}_{n=1}^{\infty}$ with exponentially high “handshake number” in the $\ell_{p}$ norm:

N_{p}(\mathcal{L}^{\prime}_{n},(1+\varepsilon)\cdot\lambda^{(p)}_{1}(\mathcal{L}^{\prime}_{n}),\boldsymbol{0})\geq 2^{c_{\mathsf{kn}}n-o(n)}\ \text{,}

where applying the norm embedding is efficient for any $\varepsilon\geq 1/\operatorname{poly}(n)$ . We handle issue (2) by “sparsifying away the origin.” Specifically, for all sufficiently large $n$ we show how to sample a sublattice $\mathcal{L}_{n}^{\prime\prime}\subseteq\mathcal{L}_{n}^{\prime}$ and $\boldsymbol{t}^{\prime\prime}\in\mathcal{L}^{\prime}\setminus\mathcal{L}^{\prime\prime}$ satisfying

N_{p}(\mathcal{L}^{\prime\prime}_{n},(1+\varepsilon)\cdot\lambda^{(p)}_{1}(\mathcal{L}^{\prime\prime}_{n}),\boldsymbol{t}^{\prime\prime})\geq N_{p}(\mathcal{L}^{\prime}_{n},(1+\varepsilon)\cdot\lambda^{(p)}_{1}(\mathcal{L}^{\prime\prime}_{n}),\boldsymbol{0})/4\geq 2^{c_{\mathsf{kn}}n-o(n)}

with positive probability. In particular, this shows that such lattices exist.

For the proof of Theorem 1.1, we take $\mathcal{L}^{\dagger}$ to be $\mathcal{L}_{n}$ scaled so that $\lambda_{1}(\mathcal{L}_{n})=1$ , and take $\boldsymbol{t}^{\dagger}$ to be a uniformly random vector of norm $\delta$ for some appropriately chosen constant $0<\delta<1$ . We then analyze $N_{2}(\mathcal{L}^{\dagger},(1-\varepsilon)\cdot\lambda_{1}(\mathcal{L}^{\dagger}),\boldsymbol{t}^{\dagger})$ for some appropriately chosen constant $0<\varepsilon<\delta$ . Intuitively, there is a tradeoff between choosing smaller $\delta$ , which makes $N_{2}(\mathcal{L}^{\dagger},(1-\varepsilon)\cdot\lambda_{1}(\mathcal{L}^{\dagger}),\boldsymbol{t}^{\dagger})$ larger but requires $\varepsilon$ to be smaller, and larger $\delta$ , which makes $N_{2}(\mathcal{L}^{\dagger},(1-\varepsilon)\cdot\lambda_{1}(\mathcal{L}^{\dagger}),\boldsymbol{t}^{\dagger})$ smaller but allows for $\varepsilon$ to be larger. The relative distance $\alpha$ that our reduction achieves is essentially the smallest $\alpha=1-\varepsilon$ for which we can ensure that $N_{2}(\mathcal{L}^{\dagger},(1-\varepsilon)\cdot\lambda_{1}(\mathcal{L}^{\dagger}),\boldsymbol{t}^{\dagger})\geq 2^{\Omega(n)}$ . To translate these results to general $\ell_{p}$ norms, we again use norm embeddings. We also use additional techniques for dealing with “too close” vectors.

We note that the construction of locally dense lattices from lattices with exponential kissing number in [AS18] does not give explicit bounds on the relative distance $\alpha$ or gap factor $\nu$ achieved; the reduction there essentially just needs $\nu>1$ and $\alpha=1-\varepsilon$ for non-explicit $\varepsilon>0$ . On the other hand, the construction in Theorem 1.1 gives an explicit bound on $\alpha$ but not on $\nu$ , and the construction in Theorem 1.3 gives an explicit bound on $\nu$ but with $\alpha>1$ . Therefore, Theorems 1.1 and 1.3 can be seen as different refinements of the corresponding analysis in [AS18]. A very interesting question is whether it’s possible to get a construction that simultaneously achieves explicit $\nu$ and relative distance $\alpha=1-\varepsilon$ ; our current techniques do not seem to be able to achieve this. Such a construction would lead to new (Gap-)SETH-hardness results for $\mathrm{SVP}$ .

The integer lattice $\mathbb{Z}^{n}$ .

The second family of locally dense lattices that we consider, used to prove Theorems 1.2 and 1.4, simply takes $\mathcal{L}^{\dagger}$ to be the integer lattice $\mathbb{Z}^{n}$ , and $\boldsymbol{t}^{\dagger}$ to be the all- $t$ s vector for some constant $t$ (without loss of generality, $t\in[0,1/2]$ ):

\mathcal{L}^{\dagger}:=\mathbb{Z}^{n}\ \text{,}\qquad\boldsymbol{t}^{\dagger}:=t\cdot\boldsymbol{1}_{n}\ \text{.}

This family was also used in [AS18] and [BP20].

We will be especially interested in the case where $t=1/2$ . In this case $N_{p}(\mathbb{Z}^{n},\mathrm{dist}_{p}(1/2\cdot\boldsymbol{1}_{n},\mathbb{Z}^{n}),1/2\cdot\boldsymbol{1}_{n})=2^{n}$ , where $\mathrm{dist}_{p}(1/2\cdot\boldsymbol{1}_{n},\mathbb{Z}^{n})=n^{1/p}/2$ . So, for our analysis it essentially suffices to upper bound $N_{p}(\mathbb{Z}^{n},r,\boldsymbol{0})$ for some $r=n^{1/p}/(2\alpha)$ . We have good techniques for doing this; see Section 2.3. (We note that the “ $p_{0}$ barrier” mentioned earlier comes from $p_{0}$ being the smallest value of $p$ satisfying $N_{p}(\mathbb{Z}^{n},n^{1/p}/2,\boldsymbol{0})\leq 2^{n}$ .)

The SETH-hardness result for $\mathrm{SVP}_{1,p}$ for $p>p_{0}$ in [AS18], the hardness results for $\mathrm{BDD}$ in [BP20], and the Gap-SETH-hardness result for $\mathrm{SVP}_{\gamma,p}$ in Theorem 1.4 all take $\boldsymbol{t}^{\dagger}=1/2\cdot\boldsymbol{1}$ , and analyze $N_{p}(\mathbb{Z}^{n},n^{1/p}/2,1/2\cdot\boldsymbol{1})/N_{p}(\mathbb{Z}^{n},n^{1/p}/(2\alpha),\boldsymbol{0})=2^{n}/N_{p}(\mathbb{Z}^{n},n^{1/p}/(2\alpha),\boldsymbol{0})$ for some $\alpha>0$ . That is, they essentially just need to upper bound $N_{p}(\mathbb{Z}^{n},n^{1/p}/(2\alpha),\boldsymbol{0})$ for some $\alpha$ (with $\alpha=1$ for the $\mathrm{SVP}$ hardness results). As alluded to in the discussion after the statement of Theorem 1.2, the Gap-ETH-hardness result in [AS18] for $\mathrm{SVP}_{p,\gamma}$ essentially works by proving that for every $p>2$ there exist $t\in(0,1/2]$ and $r>0$ (not necessarily $t=1/2$ or $r=n^{1/p}/2$ ) such that

\frac{N_{p}(\mathbb{Z}^{n},r,t\cdot\boldsymbol{1})}{N_{p}(\mathbb{Z}^{n},r/\alpha,\boldsymbol{0})}\geq 2^{\Omega(n)}

(6)

for some non-explicit $\alpha<1$ .

We do something similar, but study the more refined question of what the minimum value of $\alpha$ is such that Equation 6 holds for some $t$ and $r$ . This minimum value of $\alpha$ is essentially how we define the quantities $\alpha^{\ddagger}_{p}$ used in Theorem 1.2; see Equation 20 for a precise definition. We note that, interestingly, in experiments this minimum value of $\alpha$ is always achieved by simply taking $t=1/2$ . That is, empirically it seems that we do not lose anything by fixing $t=1/2$ and only varying $r$ .⁵⁵5This is especially interesting since [EOR91] notes that $N_{p}(\mathbb{Z}^{n},r,t\cdot\boldsymbol{1})$ is not maximized by $t=1/2$ for some $p>2$ , including $p=3$ , and some fixed $r>0$ . For $1\leq p\leq 2$ , [MO90] and [EOR91] note that for any fixed $r>0$ , $N_{p}(\mathbb{Z}^{n},r,t\cdot\boldsymbol{1})$ is in fact minimized (up to a subexponential error term) by taking $t=1/2$ . We leave proving this as an interesting open question, but note that the strength of our results does not depend on its resolution either way.

1.3 Open Questions

One of the most interesting aspects of this and other work on the complexity of lattice problems is the interplay between geometric objects—here, lattices with exponential kissing number and locally dense lattices generally—and hardness results. Proving a better lower bound on $c_{\mathsf{kn}}$ would immediately translate into an improved bound on the values of $\alpha_{\mathsf{kn}}$ and $\alpha^{\dagger}_{p,C}$ , and more generally proving the existence of some family of gadgets with smaller relative distance $\alpha$ and at least $2^{\Omega(n)}$ close vectors would translate into a hardness result improving on both Theorems 1.1 and 1.2.

There is also the question of constructing locally dense lattices. The difference between existence and efficient randomized construction of locally dense lattices roughly corresponds to needing “non-uniform” versus “randomized” hardness assumptions. It is also an interesting question whether randomness is needed at all for showing hardness of $\mathrm{BDD}$ or $\mathrm{SVP}$ . In this work we crucially use randomness for sparsification in addition to using it to construct locally dense lattices. Indeed, derandomizing hardness reductions for $\mathrm{SVP}$ (and similarly, $\mathrm{BDD}$ ) is a notorious, decades-old open problem.

1.4 Acknowledgments

We thank Noah Stephens-Davidowitz for helpful comments.

2 Preliminaries

We denote column vectors by boldface, lowercase letters (e.g., $\boldsymbol{u},\boldsymbol{v},\boldsymbol{w}$ ). We occasionally abuse notation and write things like $\boldsymbol{w}=(\boldsymbol{u},\boldsymbol{v})$ instead of $\boldsymbol{w}=(\boldsymbol{u}^{\top},\boldsymbol{v}^{\top})^{\top}$ . We use $\boldsymbol{0}_{n}$ and $\boldsymbol{1}_{n}$ to denote the all- $0$ s and all- $1$ s vectors of dimension $n$ , respectively. We sometimes omit the subscript $n$ when it is clear from context. Finally, we occasionally abuse notation by mixing elements of a finite field $\mathbb{F}_{q}$ (for prime $q$ ) and integers when performing arithmetic. In this case, we are really associating elements of $\mathbb{F}_{q}$ with some distinguished set of integer representatives, e.g., $\{{0,1,\ldots,q-1}\}$ .

2.1 Lattices and Point Counting

A lattice $\mathcal{L}$ is a discrete additive subgroup of $\mathbb{R}^{m}$ ; concretely, a lattice is the set of all integer linear combinations of a set of linearly independent vectors in $\mathbb{R}^{m}$ . This set of vectors is called a basis of the lattice. Its cardinality $n$ is defined to be the rank of the lattice (which turns out to be independent of the choice of basis), and the dimension $m$ of the basis vectors is defined to be the dimension of the lattice. A basis is often represented by a matrix $B$ whose columns are the vectors in the basis, and the lattice generated by $B$ is denoted $\mathcal{L}(B)$ . Using this representation, a rank- $n$ lattice $\mathcal{L}\subset\mathbb{R}^{m}$ with basis $B\in\mathbb{R}^{m\times n}$ can be written as $\mathcal{L}=\mathcal{L}(B)=B\cdot\mathbb{Z}^{n}$ . We denote the Moore-Penrose pseudo-inverse of a matrix $B\in\mathbb{R}^{m\times n}$ by $B^{+}:=(B^{\top}B)^{-1}B^{\top}$ . When $B$ is a basis and $\boldsymbol{v}\in\mathcal{L}(B)$ is a lattice vector, $B^{+}\boldsymbol{v}=\boldsymbol{a}\in\mathbb{Z}^{n}$ is its coefficient vector.

We recall that for $p\in[1,\infty)$ the $\ell_{p}$ norm of a vector $\boldsymbol{x}\in\mathbb{R}^{m}$ is defined as $\lVert\boldsymbol{x}\rVert_{p}:=\bigl{(}\sum_{i=1}^{m}\left|{x_{i}}\right|^{p}\bigr{)}^{1/p}$ , and for $p=\infty$ it is defined as $\lVert\boldsymbol{x}\rVert_{\infty}:=\max_{i=1}^{m}\left|{x_{i}}\right|$ . The minimum distance $\lambda^{(p)}_{1}(\mathcal{L})$ of a lattice $\mathcal{L}$ in the $\ell_{p}$ norm is defined to be the minimum length of nonzero vectors in the lattice, i.e.,

\lambda^{(p)}_{1}(\mathcal{L}):=\min_{\boldsymbol{v}\in\mathcal{L}\setminus\{{\boldsymbol{0}}\}}\lVert\boldsymbol{v}\rVert_{p}\ \text{.}

Equivalently, as the name suggests, it is the minimum distance between any two distinct vectors in the lattice. For $p=2$ , we simply write $\lambda_{1}$ for $\lambda^{(2)}_{1}$ . We denote the distance between a vector $\boldsymbol{t}$ and a lattice $\mathcal{L}$ in the $\ell_{p}$ norm by

\mathrm{dist}_{p}(\boldsymbol{t},\mathcal{L}):=\min_{\boldsymbol{x}\in\mathcal{L}}\lVert\boldsymbol{t}-\boldsymbol{x}\rVert_{p}\ \text{.}

For $p\in[1,\infty]$ , a discrete set $S\subset\mathbb{R}^{m}$ , a target $\boldsymbol{t}\in\mathbb{R}^{m}$ , and a distance $r\geq 0$ , we define the following two point-counting functions:

	$\displaystyle N_{p}(S,r,\boldsymbol{t})$	$\displaystyle:=\left\|{\{{\boldsymbol{x}\in S:\lVert\boldsymbol{t}-\boldsymbol{x}\rVert_{p}\leq r}\}}\right\|\ \text{,}$
	$\displaystyle N_{p}^{o}(S,r,\boldsymbol{t})$	$\displaystyle:=\left\|{\{{\boldsymbol{x}\in S:\lVert\boldsymbol{t}-\boldsymbol{x}\rVert_{p}<r}\}}\right\|\ \text{.}$

We will typically use a lattice or a subset of a lattice as the discrete set $S$ .

In the the following claim we observe two simple bounds on point counts in lattices.

Claim 2.1.

For any lattice $\mathcal{L}$ , target $\boldsymbol{t}\in\operatorname{span}(\mathcal{L})$ , and $r\geq 0$ :

1.

$N_{p}^{o}(\mathcal{L},r,\boldsymbol{0})\geq 2r/\lambda^{(p)}_{1}(\mathcal{L})-1$ ;
2.

$N_{p}(\mathcal{L},r,\boldsymbol{t})\leq N_{p}(\mathcal{L},2r,\boldsymbol{0})$ .

Proof.

For Item 1, the inequality is trivial when $r=0$ . For $r>0$ , we have

N_{p}^{o}(\mathcal{L},r,\boldsymbol{0})\geq N_{p}^{o}(\mathcal{L}(\boldsymbol{v}),r,\boldsymbol{0})=1+2\cdot\Bigl{\lceil}\frac{r}{\lambda^{(p)}_{1}(\mathcal{L})}-1\Bigr{\rceil}\geq\frac{2r}{\lambda^{(p)}_{1}(\mathcal{L})}-1\ \text{,}

where $\boldsymbol{v}$ is an arbitrary shortest vector in $\mathcal{L}$ with $\lVert\boldsymbol{v}\rVert_{p}=\lambda^{(p)}_{1}(\mathcal{L})$ .

For Item 2, if $N_{p}(\mathcal{L},r,\boldsymbol{t})=0$ then the inequality is trivial. Otherwise fix $\boldsymbol{v}\in\mathcal{L}$ to be such that $\lVert\boldsymbol{t}-\boldsymbol{v}\rVert_{p}\leq r$ . Then for every $\boldsymbol{u}\in\mathcal{L}$ satisfying $\lVert\boldsymbol{t}-\boldsymbol{u}\rVert_{p}\leq r$ , we have $\boldsymbol{u}-\boldsymbol{v}\in\mathcal{L}$ and $\lVert\boldsymbol{u}-\boldsymbol{v}\rVert_{p}\leq 2r$ by the triangle inequality. Moreover, for $\boldsymbol{u}_{1}\neq\boldsymbol{u}_{2}$ , $\boldsymbol{u}_{1}-\boldsymbol{v}\neq\boldsymbol{u}_{2}-\boldsymbol{v}$ . Hence we know $N_{p}(\mathcal{L},r,\boldsymbol{t})\leq N_{p}(\mathcal{L},2r,\boldsymbol{0})$ , as desired. ∎

Given lattice-target pairs $(\mathcal{L}_{1},\boldsymbol{t}_{1})$ and $(\mathcal{L}_{2},\boldsymbol{t}_{2})$ , the following claim gives an upper bound on the number of close vectors in the “direct sum lattice” $\mathcal{L}_{1}\oplus\mathcal{L}_{2}$ to $(\boldsymbol{t}_{1},\boldsymbol{t}_{2})$ in terms of the product of the numbers of close vectors in $\mathcal{L}_{1}$ to $\boldsymbol{t}_{1}$ and in $\mathcal{L}_{2}$ to $\boldsymbol{t}_{2}$ .

Claim 2.2.

For lattices $\mathcal{L}_{1},\mathcal{L}_{2}$ , targets $\boldsymbol{t}_{1}\in\operatorname{span}(\mathcal{L}_{1}),\boldsymbol{t}_{2}\in\operatorname{span}(\mathcal{L}_{2})$ , and $r\geq\max\{{\mathrm{dist}_{p}(\boldsymbol{t}_{1},\mathcal{L}_{1}),\mathrm{dist}_{p}(\boldsymbol{t}_{2},\mathcal{L}_{2})}\}$ ,

\displaystyle N_{p}(\mathcal{L}_{1}\oplus\mathcal{L}_{2},r,(\boldsymbol{t}_{1},\boldsymbol{t}_{2}))

\displaystyle\leq N_{p}(\mathcal{L}_{1},(r^{p}-\mathrm{dist}_{p}(\boldsymbol{t}_{2},\mathcal{L}_{2})^{p})^{1/p},\boldsymbol{t}_{1})\cdot N_{p}(\mathcal{L}_{2},(r^{p}-\mathrm{dist}_{p}(\boldsymbol{t}_{1},\mathcal{L}_{1})^{p})^{1/p},\boldsymbol{t}_{2})\ \text{.}

Additionally, if $r<\mathrm{dist}_{p}(\boldsymbol{t}_{1},\mathcal{L}_{1})$ or $r<\mathrm{dist}_{p}(\boldsymbol{t}_{2},\mathcal{L}_{2})$ , $N_{p}(\mathcal{L}_{1}\oplus\mathcal{L}_{2},r,(\boldsymbol{t}_{1},\boldsymbol{t}_{2}))=0$ . Moreover, these results hold with $N^{o}_{p}$ in place of $N_{p}$ .

Proof.

For every lattice vector $(\boldsymbol{v}_{1},\boldsymbol{v}_{2})\in\mathcal{L}_{1}\oplus\mathcal{L}_{2}$ , $\mathrm{dist}_{p}((\boldsymbol{t}_{1},\boldsymbol{t}_{2}),(\boldsymbol{v}_{1},\boldsymbol{v}_{2}))\leq r$ (respectively $<r$ ) holds only if $\lVert\boldsymbol{t}_{1}-\boldsymbol{v}_{1}\rVert_{p}^{p}+\mathrm{dist}_{p}(\boldsymbol{t}_{2},\mathcal{L}_{2})^{p}\leq r^{p}$ (resp. $<r$ ) and $\lVert\boldsymbol{t}_{2}-\boldsymbol{v}_{2}\rVert_{p}^{p}+\mathrm{dist}_{p}(\boldsymbol{t}_{1},\mathcal{L}_{1})^{p}\leq r^{p}$ (resp. $<r$ ). Hence the desired inequalities follow. ∎

2.2 Sparsification

The following lemma shows that the number of vectors in a collection of $m$ pairwise linearly independent (respectively, distinct) vectors in $\mathbb{F}_{q}^{n}$ that satisfy a random linear constraint (respectively, random affine constraint) is relatively concentrated around its expectation $m/q$ . Similar results appear in [Kho05] and [Ste16].

Lemma 2.3.

Let $\delta>0$ , let $n\in\mathbb{Z}^{+}$ , let $q$ be a prime, and let $\boldsymbol{a}_{1},\ldots,\boldsymbol{a}_{m}\in\mathbb{F}_{q}^{n}$ .

If $\boldsymbol{a}_{i}\neq s\boldsymbol{a}_{j}$ for all $i\neq j$ and $s\in\mathbb{F}_{q}$ , then

\Pr_{\boldsymbol{x}\sim\mathbb{F}_{q}^{n}}[\left|{\{{i\in[m]:\langle\boldsymbol{a}_{i},\boldsymbol{x}\rangle=0}\}}\right|\leq(1-\delta)m/q]\leq\frac{q}{\delta^{2}m}\ \text{.}

If $\boldsymbol{a}_{i}\neq\boldsymbol{a}_{j}$ for all $i\neq j$ , then

\Pr_{\begin{subarray}{c}\boldsymbol{x}\sim\mathbb{F}_{q}^{n},\\ y\sim\mathbb{F}_{q}\end{subarray}}[\left|{\{{i\in[m]:\langle\boldsymbol{a}_{i},\boldsymbol{x}\rangle=y}\}}\right|\leq(1-\delta)m/q]\leq\frac{q}{\delta^{2}m}\ \text{.}

In particular, for $\delta=1$ , the probabilities are upper bounded by $q/m$ .

Proof.

We start by proving Item 1. Let $X_{i}$ be an indicator random variable for the event $\langle\boldsymbol{a}_{i},\boldsymbol{x}\rangle=0$ , where $\boldsymbol{x}\sim\mathbb{F}_{q}^{n}$ . It holds that $\operatorname*{\mathrm{E}}[X_{i}]=1/q$ , that $\operatorname*{\mathrm{Var}}[X_{i}]=1/q\cdot(1-1/q)\leq 1/q$ , and that $X_{1},\ldots,X_{m}$ are pairwise independent. For the last point, because $\boldsymbol{a}_{i}$ and $\boldsymbol{a}_{j}$ for $i\neq j$ are linearly independent, the linear map $\boldsymbol{x}\mapsto(\langle\boldsymbol{a}_{i},\boldsymbol{x}\rangle,\langle\boldsymbol{a}_{j},\boldsymbol{x}\rangle)$ has a kernel of dimension $n-2$ . It follows that $\langle\boldsymbol{a}_{i},\boldsymbol{x}\rangle=\langle\boldsymbol{a}_{j},\boldsymbol{x}\rangle=0$ for a $q^{n-2}/q^{n}=1/q^{2}$ fraction of vectors $\boldsymbol{x}\in\mathbb{F}_{q}^{n}$ , and hence that $X_{i},X_{j}$ are pairwise independent. The result then follows by applying Chebyshev’s inequality to $\sum_{i=1}^{m}X_{i}$ .

We next show that Item 1 implies Item 2. For each $i\in[m]$ , let $\boldsymbol{a}_{i}^{\prime}:=(\boldsymbol{a}_{i},-1)$ , and note that if $\boldsymbol{a}_{i}\neq\boldsymbol{a}_{j}$ then $\boldsymbol{a}_{i}^{\prime}\neq s\boldsymbol{a}_{j}^{\prime}$ for all $s\in\mathbb{F}_{q}$ . Moreover, for any $\boldsymbol{x}\in\mathbb{F}_{q}^{n},y\in\mathbb{F}_{q}$ , $\langle\boldsymbol{a}_{i},\boldsymbol{x}\rangle=y$ if and only if $\langle\boldsymbol{a}_{i}^{\prime},\boldsymbol{x}^{\prime}\rangle=0$ , where $\boldsymbol{x}^{\prime}=(\boldsymbol{x},y)$ . Therefore by Item 1,

\Pr_{\begin{subarray}{c}\boldsymbol{x}\sim\mathbb{F}_{q}^{n},\\ y\sim\mathbb{F}_{q}\end{subarray}}[\left|{\{{i:\langle\boldsymbol{a}_{i},\boldsymbol{x}\rangle=y}\}}\right|\leq(1-\delta)m/q]=\Pr_{\begin{subarray}{c}\boldsymbol{x}^{\prime}\sim\mathbb{F}_{q}^{n+1}\end{subarray}}[\lvert\{{i:\langle\boldsymbol{a}_{i}^{\prime},\boldsymbol{x}^{\prime}\rangle=0}\}\rvert\leq(1-\delta)m/q]\leq\frac{q}{\delta^{2}m}\ \text{.}\qed

The following lemma shows that when $q\gg m$ , it is probable that no vector in the collection satisfies a random affine constraint. This is similar to [BP20, Lemma 2.8].

Lemma 2.4.

Let $n\in\mathbb{Z}^{+}$ , let $q$ be a prime, and let $\boldsymbol{a}_{1},\ldots,\boldsymbol{a}_{m}\in\mathbb{F}_{q}^{n}$ . Then:

It holds that

\Pr_{\begin{subarray}{c}\boldsymbol{x}\sim\mathbb{F}_{q}^{n}\\ y\sim\mathbb{F}_{q}\end{subarray}}[\exists\ i\in[m]\text{ such that }\langle\boldsymbol{a}_{i},\boldsymbol{x}\rangle=y]\leq\frac{m}{q}\ \text{.}

If $\boldsymbol{a}_{1},\ldots,\boldsymbol{a}_{m}\neq\boldsymbol{0}$ , then for fixed $y\in\mathbb{F}_{q}$ ,

\Pr_{\boldsymbol{x}\sim\mathbb{F}_{q}^{n}}[\exists\ i\in[m]\text{ such that }\langle\boldsymbol{a}_{i},\boldsymbol{x}\rangle=y]\leq\frac{m}{q}\ \text{.}

Proof.

We have that $\Pr_{\boldsymbol{x}\sim\mathbb{F}_{q}^{n},y\sim\mathbb{F}_{q}}[\langle\boldsymbol{a}_{i},\boldsymbol{x}\rangle=y]=1/q$ for each $\boldsymbol{a}_{i}$ . Moreover, if $\boldsymbol{a}_{i}\neq 0$ then $\Pr_{\boldsymbol{x}\sim\mathbb{F}_{q}^{n}}[\langle\boldsymbol{a}_{i},\boldsymbol{x}\rangle=y]=1/q$ for any fixed $y$ . The claims then follow by union bound. ∎

We next show how to sparsify a lattice and argue about vector counts in the resulting sparsified lattice. In particular, we use Lemmas 2.3 and 2.4 to lower bound the minimum distance, lower bound the number of close vectors (and hence also upper bound the close distance), and lower bound the too-close distance in the resulting sparsified lattice.

Proposition 2.5.

Let $p\in[1,\infty)$ , let $\mathcal{L}$ be a lattice of rank $n$ with basis $B$ , let $\boldsymbol{t}\in\operatorname{span}(\mathcal{L})$ , let $q$ be a prime, and let $r\geq 0$ . Let $\boldsymbol{x},\boldsymbol{z}\sim\mathbb{F}_{q}^{n}$ be sampled uniformly at random, and define

\mathcal{L}^{\prime}:=\{{\boldsymbol{v}\in\mathcal{L}:\langle B^{+}\boldsymbol{v},\boldsymbol{x}\rangle\equiv 0\ (\mathrm{mod}\ q)}\}\ \text{,}\quad\boldsymbol{t}^{\prime}:=\boldsymbol{t}-B\boldsymbol{z}\ \text{.}

Then the following hold:

1.

(Minimum distance.) If $r\leq q\cdot\lambda^{(p)}_{1}(\mathcal{L})$ , then $\Pr[\lambda_{1}(\mathcal{L}^{\prime})<r]\leq N_{p}^{o}(\mathcal{L}\setminus\{{\boldsymbol{0}}\},r,\boldsymbol{0})/q$ .

(Close vector count and distance.) If $r<q\cdot\lambda^{(p)}_{1}(\mathcal{L})/2$ , then for any $\delta>0$ ,

\Pr[N_{p}(\mathcal{L}^{\prime},r,\boldsymbol{t}^{\prime})\leq(1-\delta)N_{p}(\mathcal{L},r,\boldsymbol{t})/q]\leq\frac{q}{\delta^{2}\cdot N_{p}(\mathcal{L},r,\boldsymbol{t})}+\frac{1}{q^{n}}\ \text{.}

In particular, for $\delta=1$ , $\Pr[\mathrm{dist}_{p}(\boldsymbol{t}^{\prime},\mathcal{L}^{\prime})>r]\leq q/N_{p}(\mathcal{L},r,\boldsymbol{t})+1/q^{n}$ .

3.

(Too-close distance.) $\Pr[\mathrm{dist}_{p}(\boldsymbol{t}^{\prime},\mathcal{L}^{\prime})<r]\leq N_{p}^{o}(\mathcal{L},r,\boldsymbol{t})/q+1/q^{n}$ .

Proof.

For Item 1, let $m:=N_{p}^{o}(\mathcal{L}\setminus\{{\boldsymbol{0}}\},r,\boldsymbol{0})$ , let $\boldsymbol{v}_{1},\ldots,\boldsymbol{v}_{m}\in\mathcal{L}$ be the $m$ distinct non-zero lattice vectors satisfying $\lVert\boldsymbol{v}_{i}\rVert_{p}<r$ , and let $\boldsymbol{a}_{i}:=B^{+}\boldsymbol{v}_{i}$ for $i\in[m]$ . Because $r\leq q\cdot\lambda^{(p)}_{1}(\mathcal{L})$ , we know that $\boldsymbol{v}_{i}\notin q\mathcal{L}$ and thus $\boldsymbol{a}_{i}\not\equiv\boldsymbol{0}\ (\mathrm{mod}\ q)$ . Therefore by Lemma 2.4, Item 2 with $y=0$ ,

	$\displaystyle\Pr[\lambda_{1}(\mathcal{L}^{\prime})<r]$	$\displaystyle=\Pr[\exists\ i\in[m]\text{ such that }\boldsymbol{v}_{i}\in\mathcal{L}^{\prime}]$
		$\displaystyle=\Pr[\exists\ i\in[m]\text{ such that }\langle\boldsymbol{a}_{i},\boldsymbol{x}\rangle\equiv 0\ (\mathrm{mod}\ q)]$
		$\displaystyle\leq m/q\ \text{.}$

For Items 2 and 3 we will use the fact that the statistical distance between $(\boldsymbol{x},\langle\boldsymbol{z},\boldsymbol{x}\rangle)$ and $(\boldsymbol{x},y)$ with $y\sim\mathbb{F}_{q}$ sampled uniformly at random is $(q-1)/q^{n+1}<1/q^{n}$ . This follows by a direct computation and noting that $(\boldsymbol{x},y)$ and $(\boldsymbol{x},\langle\boldsymbol{z},\boldsymbol{x}\rangle)$ are identically distributed conditioned on $\boldsymbol{x}\neq\boldsymbol{0}$ . Additionally, we note that

\displaystyle N_{p}(\mathcal{L}^{\prime},r,\boldsymbol{t}^{\prime})=N_{p}(\mathcal{L}^{\prime}+B\boldsymbol{z},r,\boldsymbol{t})=N_{p}(\{{\boldsymbol{v}\in\mathcal{L}:\langle B^{+}\boldsymbol{v},\boldsymbol{x}\rangle\equiv\langle\boldsymbol{z},\boldsymbol{x}\rangle\ (\mathrm{mod}\ q)}\},r,\boldsymbol{t})\ .

(7)

For Item 2, let $m:=N_{p}(\mathcal{L},r,\boldsymbol{t})$ , let $\boldsymbol{v}_{1},\ldots,\boldsymbol{v}_{m}\in\mathcal{L}$ be the $m$ distinct lattice vectors satisfying $\lVert\boldsymbol{t}-\boldsymbol{v}_{i}\rVert_{p}\leq r$ , and let $\boldsymbol{a}_{i}:=B^{+}\boldsymbol{v}_{i}$ for $i\in[m]$ . By triangle inequality, $\lVert\boldsymbol{v}_{i}-\boldsymbol{v}_{j}\rVert_{p}\leq 2r$ for all $i,j\in[m]$ . Then, because $2r<q\cdot\lambda^{(p)}_{1}(\mathcal{L})$ , for $i\neq j$ we know that $\boldsymbol{v}_{i}-\boldsymbol{v}_{j}\notin q\mathcal{L}$ and thus $\boldsymbol{a}_{i}\not\equiv\boldsymbol{a}_{j}\ (\mathrm{mod}\ q)$ . Let $y\sim\mathbb{F}_{q}$ be sampled uniformly at random. Then by Equation 7 and Lemma 2.3, Item 2,

	$\displaystyle\Pr[N_{p}(\mathcal{L}^{\prime},r,\boldsymbol{t}^{\prime})\leq(1-\delta)m/q]$	$\displaystyle=\Pr[\left\|{\{{i\in[m]:\langle\boldsymbol{a}_{i},\boldsymbol{x}\rangle\equiv\langle\boldsymbol{z},\boldsymbol{x}\rangle\ (\mathrm{mod}\ q)}\}}\right\|\leq(1-\delta)m/q]$
		$\displaystyle\leq\Pr[\left\|{\{{i\in[m]:\langle\boldsymbol{a}_{i},\boldsymbol{x}\rangle\equiv y\ (\mathrm{mod}\ q)}\}}\right\|\leq(1-\delta)m/q]+\frac{1}{q^{n}}$
		$\displaystyle\leq\frac{q}{\delta^{2}m}+\frac{1}{q^{n}}\ \text{,}$

For Item 3, let $m:=N_{p}^{o}(\mathcal{L},r,\boldsymbol{t})$ , let $\boldsymbol{v}_{1},\ldots,\boldsymbol{v}_{m}\in\mathcal{L}$ be the $m$ distinct lattice vectors satisfying $\lVert\boldsymbol{t}-\boldsymbol{v}_{i}\rVert_{p}<r$ , and let $\boldsymbol{a}_{i}:=B^{+}\boldsymbol{v}_{i}$ for $i\in[m]$ . Let $y\sim\mathbb{F}_{q}$ be sampled uniformly at random. Then by Equation 7 and Lemma 2.4, Item 1,

	$\displaystyle\Pr[\mathrm{dist}_{p}(\boldsymbol{t}^{\prime},\mathcal{L}^{\prime})<r]$	$\displaystyle=\Pr[\exists i\in[m]\text{ such that }\langle\boldsymbol{a}_{i}-\boldsymbol{z},\boldsymbol{x}\rangle\equiv 0\ (\mathrm{mod}\ q)]$
		$\displaystyle\leq\Pr[\exists i\in[m]\text{ such that }\langle\boldsymbol{a}_{i},\boldsymbol{x}\rangle\equiv y\ (\mathrm{mod}\ q)]+\frac{1}{q^{n}}$
		$\displaystyle\leq\frac{m}{q}+\frac{1}{q^{n}}\ \text{.}\qed$

2.3 Point Counting via the Theta Function

Here we present results related to counting points in $\mathbb{Z}^{n}$ using theta functions $\Theta_{p}$ (which are the $\ell_{p}$ norm analogs of the Gaussian function). The main result presented in this section, Theorem 2.8, was originally proved in [MO90] and [EOR91]. Here we follow the nomenclature used in [AS18]. For $p\in[1,\infty)$ , $\tau>0$ , and $t\in\mathbb{R}$ , define

\Theta_{p}(\tau,t):=\sum_{z\in\mathbb{Z}}\exp(-\tau\left|{z-t}\right|^{p})\ \text{.}

We note that without loss of generality we may take $t\in[0,1/2]$ . For $\boldsymbol{t}\in\mathbb{R}^{n}$ , extend this to

\Theta_{p}(\tau,\boldsymbol{t}):=\prod_{i=1}^{n}\Theta_{p}(\tau,t_{i})=\sum_{z\in\mathbb{Z}^{n}}\exp(-\tau\lVert\boldsymbol{z}-\boldsymbol{t}\rVert_{p}^{p})\ \text{.}

For $p\in[1,\infty)$ , $\tau>0$ , and $t\in\mathbb{R}$ , define

\mu_{p}(\tau,t):=\operatorname*{\mathrm{E}}_{X\sim D_{p}(\tau,t)}[\left|{X}\right|^{p}]=\frac{1}{\Theta_{p}(\tau,t)}\cdot\sum_{z\in\mathbb{Z}}\left|{z-t}\right|^{p}\cdot\exp(-\tau\left|{z-t}\right|^{p})\ \text{.}

where $D_{p}(\tau,t)$ is the probability distribution over $\mathbb{Z}-t$ that assigns probability $\exp(-\tau\left|{x}\right|^{p})/\Theta_{p}(\tau,t)$ to $x\in\mathbb{Z}-t$ . For $\boldsymbol{t}\in\mathbb{R}^{n}$ , extend this to

\mu_{p}(\tau,\boldsymbol{t}):=\sum_{i=1}^{n}\mu_{p}(\tau,t_{i})=\sum_{i=1}^{n}\operatorname*{\mathrm{E}}_{X\sim D_{p}(\tau,t_{i})}[\left|{X}\right|^{p}]=\sum_{i=1}^{n}\frac{1}{\Theta_{p}(\tau,t_{i})}\cdot\sum_{z\in\mathbb{Z}}\left|{z-t_{i}}\right|^{p}\cdot\exp(-\tau\left|{z-t_{i}}\right|^{p})\ \text{.}

The following fact about $\mu_{p}$ is claimed but unproven in [AS18].

Claim 2.6.

For any $p\in[1,\infty)$ , $\boldsymbol{t}\in\mathbb{R}^{n}$ and $r>\mathrm{dist}_{p}(\boldsymbol{t},\mathbb{Z}^{n})$ , there exists a unique $\tau>0$ such that $r^{p}=\mu_{p}(\tau,\boldsymbol{t})$ .

Proof.

By calculation (see also [AS18, Lemma 6.2]),

	$\displaystyle\frac{\partial}{\partial\tau}\Theta_{p}(\tau,t_{i})$	$\displaystyle=\sum_{z\in\mathbb{Z}}-\left\|{z-t_{i}}\right\|^{p}\cdot\exp(-\tau\left\|{z-t_{i}}\right\|^{p})$
		$\displaystyle=-\Theta_{p}(\tau,t_{i})\cdot\mu_{p}(\tau,t_{i})\ \text{,}$
	$\displaystyle\frac{\partial}{\partial\tau}\mu_{p}(\tau,t_{i})$	$\displaystyle=\frac{1}{\Theta_{p}(\tau,t_{i})}\sum_{z\in\mathbb{Z}}-\left\|{z-t_{i}}\right\|^{2p}\cdot\exp(-\tau\left\|{z-t_{i}}\right\|^{p})+\mu_{p}(\tau,t_{i})^{2}$
		$\displaystyle=-\operatorname*{Var}_{X\sim D_{p}(\tau,t_{i})}[\left\|{X}\right\|^{p}]<0\ \text{.}$

Moreover, recalling that $\mu_{p}(\tau,t_{i})=\operatorname*{\mathrm{E}}_{X\sim D_{p}(\tau,t_{i})}[\left|{X}\right|^{p}]$ , we have $\lim_{\tau\to\infty}\mu_{p}(\tau,t_{i})=\min_{x\in\mathbb{Z}-t_{i}}[\left|{x}\right|^{p}]=\mathrm{dist}_{p}(t_{i},\mathbb{Z})^{p}$ and $\lim_{\tau\to 0}\mu_{p}(\tau,t_{i})=\infty$ (see 2.10). Then $\mu_{p}(\tau,\boldsymbol{t})=\sum_{i=1}^{n}\mu_{p}(\tau,t_{i})$ is strictly decreasing in $\tau$ for $\tau\in(0,\infty)$ , and $\lim_{\tau\to\infty}\mu_{p}(\tau,\boldsymbol{t})=\mathrm{dist}_{p}(\boldsymbol{t},\mathbb{Z}^{n})^{p}$ , $\lim_{\tau\to 0}\mu_{p}(\tau,\boldsymbol{t})=\infty$ . Hence for every $r>\mathrm{dist}_{p}(\boldsymbol{t},\mathbb{Z}^{n})$ , there exists a unique $\tau>0$ such that $\mu_{p}(\tau,\boldsymbol{t})=r^{p}$ , as desired. ∎

The following defines functions $\beta_{p,t}(a)$ that, as we will see, are equal to or closely approximate $N_{p}(\mathbb{Z}^{n},an^{1/p},t\cdot\boldsymbol{1})$ .

Definition 2.7.

For $p\in[1,\infty)$ , $t\in[0,1/2]$ , and $a\geq 0$ , we define $\beta_{p,t}(a)$ as follows.

1.

For $a<t$ , define $\beta_{p,t}(a):=0$ .
2.

For $a=t$ , define $\beta_{p,1/2}(1/2):=2$ and for $t\neq 1/2$ define $\beta_{p,t}(t):=1$ .
3.

For $a>t$ , define

$\beta_{p,t}(a):=\exp(\tau^{*}a^{p})\cdot\Theta_{p}(\tau^{*},t)\ \text{,}$

where $\tau^{*}>0$ is the unique solution to $\mu_{p}(\tau^{*},t)=a^{p}$ .

We note that $\beta_{p,t}(a)$ is well-defined in the $a>t$ case by 2.6. We will also work with the inverse function $\beta_{p,t}^{-1}(\nu)$ , which we show is well-defined in 2.9 for $\nu\geq\beta_{p,t}(t)$ .

The following theorem says that $\beta_{p,t}(a)^{n}$ is equal to the number of integer points in a $an^{1/p}$ -scaled, $(t\cdot\boldsymbol{1})$ -centered $\ell_{p}$ ball in $n$ dimensions up to a subexponential error term. This also implies that $a=\beta_{p,t}^{-1}(\nu)$ corresponds to the radius $an^{1/p}$ at which $N_{p}(\mathbb{Z}^{n},an^{1/p},t\cdot\boldsymbol{1})\approx\nu^{n}$ , where the approximation again holds up to a subexponential error term. This theorem will be very important for our analysis. We state the result using the notation of [AS18, Theorem 6.1], but again note that it was originally proven for $p=2$ in [MO90] and for general $p$ in [EOR91].

Theorem 2.8.

For any constants $p\in[1,\infty)$ and $\tau>0$ , there is another constant $C^{*}>0$ such that for any $n\in\mathbb{Z}^{+}$ and $\boldsymbol{t}\in\mathbb{R}^{n}$ ,

\exp(\tau\mu_{p}(\tau,\boldsymbol{t})-C^{*}\sqrt{n})\cdot\Theta_{p}(\tau,\boldsymbol{t})\leq N_{p}(\mathbb{Z}^{n},\mu_{p}(\tau,\boldsymbol{t})^{1/p},\boldsymbol{t})\leq\exp(\tau\mu_{p}(\tau,\boldsymbol{t}))\cdot\Theta_{p}(\tau,\boldsymbol{t})\ \text{.}

We conclude this subsection with two technical claims. 2.9 gives properties of the function $\beta_{p,t}(a)$ that we will frequently use in later sections. 2.10 argues about several limits involving the functions $\Theta$ , $\mu$ , and $\beta$ , and notes that they do not depend on the parameter $t$ . For readability, the proofs of these claims are deferred to Appendix A.

Claim 2.9.

For any $p\in[1,\infty)$ and $t\in[0,1/2]$ :

1.

For $a>t$ , $\beta_{p,t}(a)^{n}\cdot\exp(-C^{*}\sqrt{n})\leq N_{p}(\mathbb{Z}^{n},an^{1/p},t\cdot\boldsymbol{1})\leq\beta_{p,t}(a)^{n}$ for some constant $C^{*}>0$ ;
2.

For $a>t$ , $\beta_{p,t}(a)=\min_{\tau>0}\exp(\tau a^{p})\cdot\Theta_{p}(\tau,t)$ , i.e., the unique solution $\tau^{*}$ of $\mu_{p}(\tau^{*},t)=a^{p}$ minimizes $\exp(\tau a^{p})\cdot\Theta_{p}(\tau,t)$ ;
3.

$\beta_{p,t}(a)$ is strictly increasing for $a\geq t$ and differentiable (and hence continuous) for $a>t$ ;
4.

$\beta_{p,t}^{-1}(\nu)$ is well-defined and strictly increasing for $\nu\geq\beta_{p,t}(t)$ , and differentiable (and hence continuous) for $\nu>\beta_{p,t}(t)$ .

Claim 2.10.

For any $p\in[1,\infty)$ and $t\in[0,1/2]$ :

1.

$\lim_{\tau\to 0}\Theta_{p}(\tau,t)\cdot\tau^{1/p}=2\Gamma(1+1/p)$ ;
2.

$\lim_{\tau\to 0}\mu_{p}(\tau,t)\cdot\tau=1/p$ ;
3.

$\lim_{a\to\infty}\beta_{p,t}(a)/a=\lim_{\nu\to\infty}\nu/\beta_{p,t}^{-1}(\nu)=2\Gamma(1+1/p)\cdot(ep)^{1/p}$ .

In particular, none of the preceding limits depends on $t$ .

2.4 Lattice Problems

We next introduce the main lattice problems that we will work with, starting with a variant of the Closest Vector Problem ( $\mathrm{CVP}$ ).

Definition 2.11.

For $p\in[1,\infty]$ and $\gamma\geq 1$ , the decision promise problem $\mathrm{CVP}^{\prime}_{p,\gamma}$ is defined as follows. An instance consists of a basis $B\in\mathbb{R}^{d\times n}$ and a target vector $\boldsymbol{t}\in\mathbb{R}^{d}$ .

•

It is a YES instance if there exists $\boldsymbol{x}\in\{{0,1}\}^{n}$ such that $\lVert B\boldsymbol{x}-\boldsymbol{t}\rVert_{p}\leq 1$ .
•

It is a NO instance if $\mathrm{dist}_{p}(\boldsymbol{t},\mathcal{L}(B))>\gamma$ .

For $\gamma=1$ , we will simply write $\mathrm{CVP}^{\prime}_{p,1}$ as $\mathrm{CVP}^{\prime}_{p}$ . We note that for $\mathrm{CVP}^{\prime}$ , the distance threshold in the YES case is $1$ without loss of generality, because we can scale the lattice and target vector. (Our definition of $\mathrm{SVP}$ below uses an instance-dependent distance threshold $r>0$ , which will be convenient.) We also note that $\mathrm{CVP}^{\prime}_{p,\gamma}$ is trivially a subproblem of “standard” $\mathrm{CVP}_{p,\gamma}$ (which we do not define formally here), i.e., an instance of the former is also an instance of the latter.

We next introduce $\mathrm{BDD}$ , a search variant of $\mathrm{CVP}$ where the target vector is promised to be close to the lattice.

Definition 2.12.

For $p\in[1,\infty]$ and $\alpha=\alpha(n)>0$ , an instance of the search problem $\mathrm{BDD}_{p,\alpha}$ is a lattice basis $B\in\mathbb{R}^{d\times n}$ and a target $\boldsymbol{t}\in\mathbb{R}^{d}$ satisfying $\mathrm{dist}_{p}(\boldsymbol{t},\mathcal{L}(B))\leq\alpha\cdot\lambda^{(p)}_{1}(\mathcal{L}(B))$ , and the goal is to find a closest lattice vector $\boldsymbol{v}\in\mathcal{L}(B)$ to $\boldsymbol{t}$ such that $\lVert\boldsymbol{t}-\boldsymbol{v}\rVert_{p}=\mathrm{dist}_{p}(\boldsymbol{t},\mathcal{L}(B))$ .

We note that there is another frequently used version of $\mathrm{BDD}$ where the goal is instead to find a lattice vector $\boldsymbol{v}$ satisfying $\lVert\boldsymbol{t}-\boldsymbol{v}\rVert_{p}\leq\alpha\cdot\lambda^{(p)}_{1}(\mathcal{L}(B))$ , which is less demanding than the goal in the definition above. By [LM09, Lemma 2.6],⁶⁶6Formally, as stated, [LM09, Lemma 2.6] applies only to the case where $\alpha\geq 1$ and $p=2$ , but a very similar reduction works for all $\alpha>0$ and $p\geq 1$ . the version of $\mathrm{BDD}$ defined above (in rank $n$ ) efficiently reduces to this alternative version (in rank $n+1$ ), so the exponential-time hardness results we prove for the version defined above immediately apply to the alternative version as well.

Finally, we introduce the decision version of the Shortest Vector Problem ( $\mathrm{SVP}$ ).

Definition 2.13.

For $p\in[1,\infty]$ and $\gamma\geq 1$ , the decision promise problem $\mathrm{SVP}_{p,\gamma}$ is defined as follows. An instance consists of a basis $B\in\mathbb{R}^{d\times n}$ and a distance threshold $r>0$ .

•

It is a YES instance if $\lambda^{(p)}_{1}(\mathcal{L}(B))\leq r$ .
•

It is a NO instance if $\lambda^{(p)}_{1}(\mathcal{L}(B))>\gamma r$ .

We note that “ $\mathrm{SVP}$ ” and “ $\mathrm{CVP}$ ” are sometimes instead used to refer to the search versions of the Shortest and Closest Vector Problems, with their respective decision problems instead called “ $\mathrm{GapSVP}$ ” and “ $\mathrm{GapCVP}$ .” There is a trivial reduction from the decision versions to the corresponding search versions of these problems, so any hardness of the former implies identical hardness of the latter. In particular, our main hardness result for decisional $\mathrm{SVP}$ in Theorem 1.4 immediately implies corresponding hardness of search $\mathrm{SVP}$ as well.

2.5 Hardness Assumptions and Results

We will use the following hypotheses, which are “gap” variants of the celebrated (Strong) Exponential Time Hypothesis ((S)ETH) of Impagliazzo and Paturi [IP01]. Gap-ETH was introduced in works by Dinur [Din16] and by Manurangsi and Raghavendra [MR17], and Gap-SETH was introduced by Manurangsi in his Ph.D. thesis [Man19]. Recall that in the $(s,c)$ -Gap- $k$ -SAT problem with $0<s\leq c\leq 1$ , the goal is to distinguish between $k$ -SAT formulas in which at least a $c$ fraction of clauses are satisfiable, and ones in which strictly less than an $s$ fraction of clauses are satisfiable.

Definition 2.14 (Gap Exponential Time Hypothesis (Gap-ETH)).

There exists $\delta>0$ such that no $2^{o(n)}$ -time algorithm solves $(1-\delta,1)$ -Gap- $3$ -SAT on $n$ variables.

Definition 2.15 (Gap Strong Exponential Time Hypothesis (Gap-SETH)).

For every $\varepsilon>0$ there exist $k\in\mathbb{Z}^{+}$ and $\delta>0$ such that no $2^{(1-\varepsilon)n}$ -time algorithm solves $(1-\delta,1)$ -Gap- $k$ -SAT on $n$ variables.

We also define “plain” SETH.

Definition 2.16 (Strong Exponential Time Hypothesis (SETH)).

For every $\varepsilon>0$ there exists $k\in\mathbb{Z}^{+}$ such that no $2^{(1-\varepsilon)n}$ -time algorithm solves $k$ -SAT on $n$ variables.

We define “randomized” (respectively, “non-uniform”) versions of the above hypotheses analogously, but with “randomized algorithm” (respectively, “non-uniform algorithm”) in place of “algorithm.” Here by an $f(n)$ -time non-uniform algorithm for solving Gap- $k$ -SAT, we mean a family of circuits $\{{C_{n}}\}$ such that $C_{n}$ solves Gap- $k$ -SAT on $n$ variables and is of size at most $f(n)$ .

We note that, trivially, the randomized versions of these hypotheses are at least as strong as the normal (deterministic) versions, and that, by standard randomness preprocessing arguments such as those used in the proof of Adleman’s Theorem (which asserts that $\mathsf{BPP}\subseteq\mathsf{P}/\mathsf{Poly}$ ), the non-uniform versions are at least as strong as the randomized versions. See, e.g., [BP20].

2.5.1 Hardness of CVP’ Assuming (Gap-)(S)ETH

We next recall known hardness results about the complexity of $\mathrm{CVP}^{\prime}_{p,\gamma}$ assuming (Gap-)(S)ETH.

Theorem 2.17 ([BGS17, Corollary 5.2]).

For all $p\in[1,\infty)$ there exists a constant $\gamma=\gamma(p)$ such that $\mathrm{CVP}^{\prime}_{p,\gamma}$ has no $2^{o(n)}$ -time algorithm on lattices of rank $n$ assuming Gap-ETH.

Theorem 2.18 ([ABGS21, Theorem 4.2]).

For all $p\in[1,\infty)\setminus 2\mathbb{Z}$ and all $\varepsilon>0$ there exists a constant $\gamma=\gamma(p,\varepsilon)>1$ such that there is no $2^{(1-\varepsilon)n}$ -time algorithm for $\mathrm{CVP}^{\prime}_{p,\gamma}$ on lattices of rank $n$ assuming Gap-SETH.

We also present a variant of the preceding theorem which shows a similar runtime lower bound for $\mathrm{CVP}^{\prime}_{p,\gamma}$ assuming “plain” SETH, but for $\gamma$ of the form $\gamma=1+1/\operatorname{poly}(n)$ as opposed to constant $\gamma>1$ .

Theorem 2.19 ([ABGS21, Corollary 3.3]).

For all $p\in[1,\infty)\setminus 2\mathbb{Z}$ and all $\varepsilon>0$ there exists $\gamma=1+\Omega(1/n^{c})$ for some constant $c>0$ such that there is no $2^{(1-\varepsilon)n}$ -time algorithm for $\mathrm{CVP}^{\prime}_{p,\gamma}$ on lattices of rank $n$ assuming SETH.

We remark that all of these theorems are stated for $\mathrm{CVP}_{p,\gamma}$ rather than $\mathrm{CVP}^{\prime}_{p,\gamma}$ in the original work, but we note that inspection of their proofs shows that they in fact hold for $\mathrm{CVP}^{\prime}_{p,\gamma}$ . We also remark that the approximation factors $\gamma$ stated in the original versions of Theorems 2.17 and 2.18 have an explicit dependence on the soundness and completeness parameters $s$ and $c$ in the source Gap- $k$ -SAT problems from which the reductions are given. Gap-ETH and Gap-SETH as stated in Definitions 2.14 and 2.15 assume soundness $s=1-\delta$ for some non-explicit $\delta>0$ and perfect completeness ( $c=1$ ), resulting in the non-explicit constant $\gamma>1$ here. Finally, we remark that Theorem 2.19 is stated in its original version as only showing hardness for exact $\mathrm{CVP}^{\prime}$ , but inspection of its proof shows that the result holds with $\gamma=1+1/\operatorname{poly}(n)$ , as claimed.

3 Gap-(S)ETH-hardness of BDD

The goal of this section is to prove Theorems 1.1, 1.3 and 1.2, which show the Gap-(S)ETH-hardness of $\mathrm{BDD}_{p,\alpha}$ . The common proof idea is to construct reductions from $\mathrm{CVP}^{\prime}_{p,\gamma}$ (whose Gap-(S)ETH-hardness is known; see Theorems 2.17 and 2.18) to $\mathrm{BDD}_{p,\alpha}$ .

We start by introducing two intermediate problems used in our reductions. The first problem, $(A,G)$ - $\mathrm{BDD}_{p,\alpha}$ , is essentially a relaxation of the decision version of $\mathrm{BDD}_{p,a}$ in which there are at least $G$ (“good”) close vectors to the target (at distance at most $r$ ) in the YES case, at most $A$ (“annoying”) short non-zero vectors (of norm strictly less than $r/\alpha$ ) in the YES case, and at most $A$ “too close” vectors to the target (at distance at most $r$ ) in the NO case.

Definition 3.1.

Let $A=A(n)\geq 0$ , $G=G(n)>A$ , $p\in[1,\infty]$ , and $\alpha=\alpha(n)>0$ . An instance of the decision promise problem $(A,G)$ - $\mathrm{BDD}_{p,\alpha}$ is a lattice basis $B\in\mathbb{R}^{d\times n}$ , a target $\boldsymbol{t}\in\mathbb{R}^{d}$ , and a distance $r>0$ .

•

It is a YES instance if $N_{p}^{o}(\mathcal{L}(B)\setminus\{{\boldsymbol{0}}\},r/\alpha,\boldsymbol{0})\leq A$ and $N_{p}(\mathcal{L}(B),r,\boldsymbol{t})\geq G$ .
•

It is a NO instance if $N_{p}(\mathcal{L}(B),r,\boldsymbol{t})\leq A$ .

We note that $(0,1)$ - $\mathrm{BDD}_{p,\alpha}$ is essentially a decision version of $\mathrm{BDD}_{p,\alpha}$ , which is a search problem, and the decision-to-search reduction from $(0,1)$ - $\mathrm{BDD}_{p,\alpha}$ to $\mathrm{BDD}_{p,\alpha}$ is trivial: call the search oracle and verify if it outputs a lattice vector $\boldsymbol{v}$ satisfying $\lVert\boldsymbol{t}-\boldsymbol{v}\rVert_{p}\leq r$ .

3.1 General Reductions from CVP’ to BDD

Here we show the reductions from $\mathrm{CVP}^{\prime}_{p,\gamma}$ to $(A,G)$ - $\mathrm{BDD}_{p,\alpha}$ and $(A,G)$ - $\mathrm{BDD}_{p,\alpha}$ to $(0,1)$ - $\mathrm{BDD}_{p,\alpha}$ . Since we also have the trivial reduction from $(0,1)$ - $\mathrm{BDD}_{p,\alpha}$ to “ordinary,” search $\mathrm{BDD}_{p,\alpha}$ , composing these reductions gives us the overall desired reduction from $\mathrm{CVP}^{\prime}_{p,\gamma}$ to $\mathrm{BDD}_{p,\alpha}$ .

We start with the following lemma analyzing a transformation involving $\mathrm{CVP}^{\prime}$ instances and a lattice-target gadget $(\mathcal{L}^{\dagger},\boldsymbol{t}^{\dagger})$ . This transformation can be regarded as a generalization of the techniques used in [AS18, BP20]; in particular the lemma generalizes [BP20, Lemma 3.5]. The transformation is versatile, and the lemma is used in the main reduction in this section as well as the main reduction in Section 4.

Lemma 3.2.

For any $n^{\prime}<n$ , define the following transformation from a basis $B^{\prime}$ of a rank- $n^{\prime}$ lattice $\mathcal{L}^{\prime}$ to a basis $B$ of a rank- $n$ lattice $\mathcal{L}$ , and from a target vector $\boldsymbol{t}^{\prime}\in\operatorname{span}(\mathcal{L}^{\prime})$ to a target vector $\boldsymbol{t}\in\operatorname{span}(\mathcal{L})$ , parameterized by a scaling factor $s>0$ and a gadget consisting of a rank- $(n-n^{\prime})$ lattice $\mathcal{L}^{\dagger}=\mathcal{L}(B^{\dagger})$ and a target vector $\boldsymbol{t}^{\dagger}$ :

B:=\begin{pmatrix}sB^{\prime}&0\\ I_{n^{\prime}}&0\\ 0&B^{\dagger}\end{pmatrix}\ \text{,}\qquad\boldsymbol{t}:=\begin{pmatrix}s\boldsymbol{t}^{\prime}\\ \tfrac{1}{2}\boldsymbol{1}_{n^{\prime}}\\ \boldsymbol{t}^{\dagger}\end{pmatrix}\ \text{.}

Then for any $p\in[1,\infty)$ , $r>0$ , and $\gamma\geq 1$ ,

1.

$N_{p}^{o}(\mathcal{L},r,(\boldsymbol{t}_{1},\boldsymbol{t}_{2}))\leq N_{p}^{o}(\mathbb{Z}^{n^{\prime}}\oplus\mathcal{L}^{\dagger},r,\boldsymbol{t}_{2})$ for any $\boldsymbol{t}_{1}\in\operatorname{span}(\mathcal{L}^{\prime}),\boldsymbol{t}_{2}\in\operatorname{span}(\mathbb{Z}^{n^{\prime}}\oplus\mathcal{L}^{\dagger})$ ;
2.

if there exists $\boldsymbol{x}\in\{{0,1}\}^{n^{\prime}}$ such that $\lVert B^{\prime}\boldsymbol{x}-\boldsymbol{t}^{\prime}\rVert_{p}\leq 1$ , then $N_{p}(\mathcal{L},(s^{p}+n^{\prime}/2^{p}+r^{p})^{1/p},\boldsymbol{t})\geq N_{p}(\mathcal{L}^{\dagger},r,\boldsymbol{t}^{\dagger})$ ;
3.

if $\mathrm{dist}_{p}(\boldsymbol{t}^{\prime},\mathcal{L}^{\prime})>\gamma$ , then $N_{p}(\mathcal{L},(\gamma^{p}s^{p}+r^{p})^{1/p},\boldsymbol{t})\leq N_{p}^{o}(\mathbb{Z}^{n^{\prime}}\oplus\mathcal{L}^{\dagger},r,(\tfrac{1}{2}\boldsymbol{1}_{n^{\prime}},\boldsymbol{t}^{\dagger}))$ .

Proof.

Item 1 follows from the observations that every vector $\boldsymbol{v}=(sB^{\prime}\boldsymbol{x},\boldsymbol{x},B^{\dagger}\boldsymbol{y})\in\mathcal{L}$ for $\boldsymbol{x}\in\mathbb{Z}^{n^{\prime}},\boldsymbol{y}\in\mathbb{Z}^{n-n^{\prime}}$ corresponds bijectively to the vector $\boldsymbol{v}^{\prime}=(\boldsymbol{x},B^{\dagger}\boldsymbol{y})\in\mathbb{Z}^{n^{\prime}}\oplus\mathcal{L}^{\dagger}$ and that $\lVert\boldsymbol{v}^{\prime}-\boldsymbol{t}_{2}\rVert_{p}\leq\lVert\boldsymbol{v}-(\boldsymbol{t}_{1},\boldsymbol{t}_{2})\rVert_{p}$ .

For Item 2, note that for every $\boldsymbol{y}\in\mathbb{Z}^{n-n^{\prime}}$ such that $\lVert B^{\dagger}\boldsymbol{y}-\boldsymbol{t}^{\dagger}\rVert_{p}\leq r$ , the lattice vector $\boldsymbol{v}=(sB^{\prime}\boldsymbol{x},\boldsymbol{x},B^{\dagger}\boldsymbol{y})\in\mathcal{L}$ satisfies

\lVert\boldsymbol{v}-\boldsymbol{t}\rVert_{p}^{p}=s^{p}\lVert B^{\prime}\boldsymbol{x}-\boldsymbol{t}^{\prime}\rVert_{p}^{p}+\lVert\boldsymbol{x}-\tfrac{1}{2}\boldsymbol{1}_{n^{\prime}}\rVert_{p}^{p}+\lVert B^{\dagger}\boldsymbol{y}-\boldsymbol{t}^{\dagger}\rVert_{p}^{p}\leq s^{p}+n^{\prime}/2^{p}+r^{p}\ \text{.}

Hence the claim follows.

For Item 3, similarly, for every $\boldsymbol{x}\in\mathbb{Z}^{n^{\prime}},\boldsymbol{y}\in\mathbb{Z}^{n-n^{\prime}}$ such that the lattice vector $\boldsymbol{v}=(sB^{\prime}\boldsymbol{x},\boldsymbol{x},\boldsymbol{y})\in\mathcal{L}$ satisfies $\lVert\boldsymbol{v}-\boldsymbol{t}\rVert_{p}\leq(\gamma^{p}s^{p}+r^{p})^{1/p}$ , we have

\lVert\boldsymbol{x}-\tfrac{1}{2}\boldsymbol{1}_{n^{\prime}}\rVert_{p}^{p}+\lVert B^{\dagger}\boldsymbol{y}-\boldsymbol{t}^{\dagger}\rVert_{p}^{p}=\lVert\boldsymbol{v}-\boldsymbol{t}\rVert_{p}^{p}-s^{p}\lVert B^{\prime}\boldsymbol{x}-\boldsymbol{t}^{\prime}\rVert_{p}^{p}<(\gamma^{p}s^{p}+r^{p})-s^{p}\cdot\gamma^{p}=r^{p}\ \text{.}

Hence the claim follows. ∎

We then show the reduction from $(A,G)$ - $\mathrm{BDD}$ to $(0,1)$ - $\mathrm{BDD}$ . A similar reduction exists in [BP20]. In particular, Lemma 3.3 uses sparsification in a similar way as [BP20, Theorem 3.3] while targeting the $(A,G)$ - $\mathrm{BDD}$ problem. We note in passing that the $\alpha\geq 1/2$ constraint in Lemma 3.3 is not essential but simplifies some expressions and suffices for our purposes.

Lemma 3.3.

For any $p\in[1,\infty)$ , $\alpha\geq 1/2$ , and $A=A(n)\geq 1$ , $G=G(n)\geq 400\alpha A$ , where $A(n)$ is computable in $\operatorname{poly}(n)$ time, there is a rank-preserving randomized Karp reduction with bounded error from $(A,G)$ - $\mathrm{BDD}_{p,\alpha}$ to $(0,1)$ - $\mathrm{BDD}_{p,\alpha}$ .

Proof.

The reduction works as follows. On input an $(A,G)$ - $\mathrm{BDD}_{p,\alpha}$ instance $(B,r,\boldsymbol{t})$ , it first samples a prime $20\alpha A\leq q\leq 40\alpha A$ , It next samples $\boldsymbol{x},\boldsymbol{z}\in\mathbb{F}_{q}^{n}$ uniformly at random and sets

\mathcal{L}^{\prime}:=\{\boldsymbol{v}\in\mathcal{L}:\langle B^{+}\boldsymbol{v},\boldsymbol{x}\rangle\equiv 0\ (\mathrm{mod}\ q)\}\ \text{,}\qquad\boldsymbol{t}^{\prime}:=\boldsymbol{t}-B\boldsymbol{z}\ \text{.}

Then, it computes a basis $B^{\prime}$ be a basis of $\mathcal{L}^{\prime}$ . Such a $B^{\prime}$ is efficiently computable given $B,q,\boldsymbol{x}$ ; see, e.g., [Ste16, Claim 2.15]). Finally, it outputs $(B^{\prime},r,\boldsymbol{t}^{\prime})$ . Clearly, the reduction is efficient so it remains to show correctness.

First note that by 2.1, Item 1, we know $A\geq 2r/(\alpha\cdot\lambda^{(p)}_{1}(\mathcal{L}(B)))-2$ and thus $r/\alpha\leq 2r\leq\alpha(A+2)\cdot\lambda^{(p)}_{1}(\mathcal{L}(B))<q\cdot\lambda^{(p)}_{1}(\mathcal{L}(B))$ . If $(B,r,\boldsymbol{t})$ is a YES instance, i.e., $N_{p}^{o}(\mathcal{L}(B)\setminus\{{\boldsymbol{0}}\},r/\alpha,\boldsymbol{0})\leq A$ and $N_{p}(\mathcal{L}(B),r,\boldsymbol{t})\geq G$ , then by Proposition 2.5, Item 1 (using $r/\alpha$ for $r$ ), $N_{p}^{o}(\mathcal{L}(B^{\prime})\setminus\{{\boldsymbol{0}}\},r/\alpha,\boldsymbol{0})>0$ with probability at most $A/q$ . Moreover, by Proposition 2.5, Item 2, $N_{p}(\mathcal{L}(B^{\prime}),r,\boldsymbol{t}^{\prime})=0$ with probability at most $q/G+1/q^{n}$ . Hence by union bound, $(B^{\prime},r,\boldsymbol{t}^{\prime})$ is a YES instance for $(0,1)$ - $\mathrm{BDD}_{p,\alpha}$ with probability at least

1-\frac{A}{q}-\frac{q}{G}-\frac{1}{q^{n}}\geq 1-\frac{A}{20\alpha A}-\frac{40\alpha A}{400\alpha A}-\frac{1}{20\alpha A}\geq 1-\frac{1}{10}-\frac{1}{10}-\frac{1}{10}>\frac{2}{3}\ \text{.}

If $(B,r,\boldsymbol{t})$ is a NO instance of $(A,G)$ - $\mathrm{BDD}_{p,\alpha}$ (i.e., $N_{p}(\mathcal{L}(B),r,\boldsymbol{t})\leq A$ ) then by Proposition 2.5, Item 3, $(B^{\prime},r,\boldsymbol{t}^{\prime})$ is a NO instance of $(0,1)$ - $\mathrm{BDD}_{p,\alpha}$ (i.e., $N_{p}(\mathcal{L}(B^{\prime}),r,\boldsymbol{t})=0$ ) with probability at least

1-\frac{A}{q}-\frac{1}{q^{n}}\geq 1-\frac{1}{10}-\frac{1}{10}>\frac{2}{3}\ \text{.}

In each case, the reduction succeeds with probability at least $2/3$ , as needed. ∎

We conclude this subsection with a theorem that analyzes the general class of reductions from $\mathrm{CVP}^{\prime}$ to $\mathrm{BDD}$ obtained by instantiating Lemma 3.2 with some lattice-target gadget $(\mathcal{L}^{\dagger},\boldsymbol{t}^{\dagger})$ and then applying Lemma 3.3. In particular, the theorem requires there to be roughly $\nu_{0}^{n}$ times as many close lattice vectors $N_{p}(\mathcal{L}^{\dagger},\alpha_{G},\boldsymbol{t}^{\dagger})$ in the gadget as short lattice vectors $N_{p}(\mathcal{L}^{\dagger},1,\boldsymbol{0})$ , and roughly $\nu_{1}^{n}$ times as many close lattice vectors as “too close” lattice vectors $N_{p}(\mathcal{L}^{\dagger},\alpha_{A},\boldsymbol{t}^{\dagger})$ .

More specifically, the theorem gives a reduction to $\mathrm{BDD}_{p,\alpha}$ with explicit multiplicative rank increase $C>1$ for any $\alpha$ larger than some expression involving the input $\mathrm{CVP}^{\prime}_{p,\gamma}$ instance approximation factor $\gamma$ , the gadget “close distance” $\alpha_{G}$ , the gadget “too close distance” $\alpha_{A}$ , the close/short vector count gap factor $\nu_{0}$ , and the close/“too close” vector count gap factor $\nu_{1}$ ; see Equation 9. (The gadget is normalized so that its “short distance” is equal to $1$ .) Additionally, the theorem gives a reduction to $\mathrm{BDD}_{p,\alpha}$ for any $\alpha$ larger than a simpler expression not depending on $\nu_{0}$ or $\nu_{1}$ with linear but non-explicit rank increase; see Equation 10. Equation 9 leads to SETH-type hardness results, while Equation 10 leads to ETH-type hardness results. All three of our main results for $\mathrm{BDD}$ , Theorems 1.1, 1.3 and 1.2, work by instantiating this theorem.

Theorem 3.4.

Suppose that for $p\in[1,\infty)$ there exist constants $\alpha_{G}\geq\alpha_{A}>0$ , $\nu_{0},\nu_{1}>1$ and a family of bases and targets $\{{(B^{\dagger}_{n},\boldsymbol{t}^{\dagger}_{n})}\}_{n=1}^{\infty}$ satisfying $B^{\dagger}_{n}\in\mathbb{R}^{m\times n}$ for $m=\operatorname{poly}(n)$ , $\boldsymbol{t}^{\dagger}_{n}\in\operatorname{span}(\mathcal{L}^{\dagger}_{n})$ where $\mathcal{L}^{\dagger}_{n}=\mathcal{L}(B^{\dagger}_{n})$ , and

N_{p}(\mathcal{L}^{\dagger}_{n},\alpha_{G}+o(1),\boldsymbol{t}^{\dagger}_{n})\geq\max\bigl{\{}\nu_{0}^{n-o(n)}\cdot N_{p}^{o}(\mathcal{L}^{\dagger}_{n},1,\boldsymbol{0}),\nu_{1}^{n-o(n)}\cdot N_{p}^{o}(\mathcal{L}^{\dagger}_{n},\alpha_{A},\boldsymbol{t}^{\dagger}_{n})\bigr{\}}\ \text{.}

(8)

Then for any constants $C>1$ , $\gamma>1$ , and

\alpha>\Bigl{(}\alpha_{G}^{p}+\frac{\alpha_{G}^{p}-\min\{\alpha_{A}^{p},((2d_{1})^{p}-1)/(2d_{0})^{p}\}}{\gamma^{p}-1}+\frac{1}{(2d_{0})^{p}}\Bigr{)}^{1/p}\ \text{,}

(9)

where $d_{0}=\beta_{p,0}^{-1}(\nu_{0}^{C-1})$ and $d_{1}=\beta_{p,1/2}^{-1}(\max\{{\nu_{1}^{C-1},2}\})$ ,⁷⁷7We note that $\beta_{p,1/2}^{-1}(\nu)$ is only defined for $\nu\geq\beta_{p,1/2}(1/2)=2$ , and that the second term in this max corresponds to $\beta_{p,1/2}^{-1}(2)=1/2$ . there exists an efficient non-uniform reduction from $\mathrm{CVP}^{\prime}_{p,\gamma}$ in rank $n^{\prime}$ to $\mathrm{BDD}_{p,\alpha}$ in rank $Cn^{\prime}$ for all sufficiently large $n^{\prime}$ .

Moreover, for any constants $\gamma>1$ and

\alpha>\Bigl{(}\alpha_{G}^{p}+\frac{\alpha_{G}^{p}-\min\{\alpha_{A}^{p},1\}}{\gamma^{p}-1}\Bigr{)}^{1/p}\ \text{,}

(10)

there exist a constant $C>1$ and an efficient non-uniform reduction from $\mathrm{CVP}^{\prime}_{p,\gamma}$ in rank $n^{\prime}$ to $\mathrm{BDD}_{p,\alpha}$ in rank $Cn^{\prime}$ for all sufficiently large $n^{\prime}$ .

Furthermore, if $(B_{n}^{\dagger},\boldsymbol{t}_{n}^{\dagger})$ can be computed in $\operatorname{poly}(n)$ randomized time and each term in Equation 8 can be approximated to within a $2^{o(n)}$ factor in $\operatorname{poly}(n)$ randomized time, then the preceding efficient non-uniform reductions can be replaced by efficient randomized reductions.

Proof.

By Lemma 3.3 as well as the trivial reduction from $(0,1)$ - $\mathrm{BDD}_{p,\alpha}$ to (ordinary, search) $\mathrm{BDD}_{p,\alpha}$ , it suffices to give a reduction that, on input a $\mathrm{CVP}^{\prime}_{p,\gamma}$ instance $(B^{\prime},\boldsymbol{t}^{\prime})$ of rank $n^{\prime}$ , outputs an $(A,G)$ - $\mathrm{BDD}_{p,\alpha}$ instance $(B,\boldsymbol{t},r)$ of rank $n:=Cn^{\prime}$ with $G\geq 400\alpha A$ for all sufficiently large $n^{\prime}$ . To do this, we apply the transformation in Lemma 3.2 with scale factor $s$ and basis-target gadget $(\ell B^{\dagger}_{n-n^{\prime}},\ell\boldsymbol{t}^{\dagger}_{n-n^{\prime}})$ . I.e, on input $(B^{\prime},\boldsymbol{t}^{\prime})$ the reduction sets

B:=\begin{pmatrix}sB^{\prime}&0\\ I_{n^{\prime}}&0\\ 0&\ell B^{\dagger}_{n-n^{\prime}}\end{pmatrix}\ \text{,}\qquad\boldsymbol{t}:=\begin{pmatrix}s\boldsymbol{t}^{\prime}\\ \tfrac{1}{2}\boldsymbol{1}_{n^{\prime}}\\ \ell\boldsymbol{t}^{\dagger}_{n-n^{\prime}}\end{pmatrix}\ \text{,}

and certain $r$ . We will give the choice of the parameters $r,s,\ell$ later. Note that the reduction is (non-uniformly) efficient given that the gadget $(\ell B^{\dagger}_{n-n^{\prime}},\ell\boldsymbol{t}^{\dagger}_{n-n^{\prime}})$ is provided as advice, $\mathcal{L}^{\dagger}_{n-n^{\prime}}$ has rank $n-n^{\prime}$ and dimension $m$ that are both polynomial in $n^{\prime}$ , and, as will be clear from their definitions later, the parameters $r,s,\ell$ are efficiently computable.

By Lemma 3.2 (using $r/\alpha$ , $(r^{p}-s^{p}-n^{\prime}/2^{p})^{1/p}$ , and $(r^{p}-\gamma^{p}s^{p})^{1/p}$ for $r$ in Items 1, 2 and 3 in the lemma, respectively), this reduction from $\mathrm{CVP}^{\prime}_{p,\gamma}$ to $(A,G)$ - $\mathrm{BDD}_{p,\alpha}$ is correct for

	$\displaystyle A$	$\displaystyle:=\begin{aligned} \max\bigl{\{}&N_{p}^{o}(\mathbb{Z}^{n^{\prime}}\oplus\ell\mathcal{L}^{\dagger}_{n-n^{\prime}},r/\alpha,\boldsymbol{0}),\\ &N_{p}^{o}(\mathbb{Z}^{n^{\prime}}\oplus\ell\mathcal{L}^{\dagger}_{n-n^{\prime}},(r^{p}-\gamma^{p}s^{p})^{1/p},(\tfrac{1}{2}\boldsymbol{1},\ell\boldsymbol{t}^{\dagger}_{n-n^{\prime}}))\bigr{\}}\ \text{,}\end{aligned}$
	$\displaystyle G$	$\displaystyle:=N_{p}(\ell\mathcal{L}^{\dagger}_{n-n^{\prime}},(r^{p}-s^{p}-n^{\prime}/2^{p})^{1/p},\ell\boldsymbol{t}^{\dagger}_{n-n^{\prime}})\ \text{.}$

By 2.2, we have

	$\displaystyle A\leq\max\bigl{\{}$	$\displaystyle N_{p}^{o}(\mathbb{Z}^{n^{\prime}},r/\alpha,\boldsymbol{0})\cdot N_{p}^{o}(\ell\mathcal{L}^{\dagger}_{n-n^{\prime}},r/\alpha,\boldsymbol{0}),$		(11)
		$\displaystyle N_{p}^{o}(\mathbb{Z}^{n^{\prime}},(r^{p}-\gamma^{p}s^{p})^{1/p},\tfrac{1}{2}\boldsymbol{1})\cdot N_{p}^{o}(\ell\mathcal{L}^{\dagger}_{n-n^{\prime}},(r^{p}-\gamma^{p}s^{p}-n^{\prime}/2^{p})^{1/p},\ell\boldsymbol{t}^{\dagger}_{n-n^{\prime}})\bigr{\}}\ \text{.}$		(11)

Then in order for $G\geq 400\alpha A$ to hold, it suffices to set parameters $r,s,\ell$ so that the following inequalities hold:

$\displaystyle r/\alpha$	$\displaystyle\leq\ell\ \text{,}$	(12)
$\displaystyle(r^{p}-\gamma^{p}s^{p}-n^{\prime}/2^{p})^{1/p}$	$\displaystyle\leq\alpha_{A}\cdot\ell\ \text{,}$	(13)
$\displaystyle(r^{p}-s^{p}-n^{\prime}/2^{p})^{1/p}$	$\displaystyle\geq(\alpha_{G}+o(1))\cdot\ell\ \text{,}$	(14)
$\displaystyle\nu_{0}^{(C-1)n^{\prime}-o(n^{\prime})}$	$\displaystyle\geq 400\alpha\cdot N_{p}^{o}(\mathbb{Z}^{n^{\prime}},r/\alpha,\boldsymbol{0})\ \text{,}$	(15)
$\displaystyle\nu_{1}^{(C-1)n^{\prime}-o(n^{\prime})}$	$\displaystyle\geq 400\alpha\cdot N_{p}^{o}(\mathbb{Z}^{n^{\prime}},(r^{p}-\gamma^{p}s^{p})^{1/p},\tfrac{1}{2}\boldsymbol{1})\ \text{.}$	(16)

The three inequalities in Equations 12, 13 and 14 ensure that we can apply the condition given in Equation 8 to the $\ell$ -scaled gadget $(\ell B^{\dagger}_{n-n^{\prime}},\ell\boldsymbol{t}^{\dagger}_{n-n^{\prime}})$ . In particular, the expressions on the right-hand sides of these inequalities correspond to $\ell$ times the gadget “short distance” $1$ , the gadget “too close distance” $\alpha_{A}$ , and the gadget “close distance” $\alpha_{G}+o(1)$ , respectively. The two inequalities in Equations 15 and 16 correspond to the two terms in the upper bound on $A$ in Equation 11, and by Equations 8, 12, 13 and 14 suffice to ensure that $G\geq 400\alpha A$ .

Now let $r:=a{n^{\prime}}^{1/p}$ and $s:=b{n^{\prime}}^{1/p}$ for some constants $a,b>0$ to be determined later, and set $\ell:=d_{0}{n^{\prime}}^{1/p}$ . First, for Equation 15 to hold, by 2.9, Item 1, it suffices to have

\nu_{0}^{(C-1)n^{\prime}-o(n^{\prime})}\geq 400\alpha\cdot\beta_{p,0}(a/\alpha)^{n^{\prime}}\ \text{,}

which in turn holds for all sufficiently large $n^{\prime}$ if

\nu_{0}^{C-1}>\beta_{p,0}(a/\alpha)\ \text{.}

Equivalently, by the (strict) monotonicity of $\beta_{p,0}(\cdot)$ it suffices to have

a/\alpha<\beta_{p,0}^{-1}(\nu_{0}^{C-1})=d_{0}\ \text{.}

Similarly, for Equation 16 to hold for all sufficiently large $n^{\prime}$ , it suffices to have $(a^{p}-\gamma^{p}b^{p})^{1/p}<d_{1}$ .⁸⁸8Note that when $\nu_{1}^{C-1}<2$ we have $d_{1}=\beta_{p,1/2}^{-1}(2)=1/2$ by definition, in which case $(a^{p}-\gamma^{p}b^{p})^{1/p}<d_{1}$ ensures that $\beta_{p,1/2}((a^{p}-\gamma^{p}b^{p})^{1/p})=0<\nu_{1}^{C-1}$ . Moreover, Equation 14 holds for all sufficiently large $n^{\prime}$ as long as $(a^{p}-b^{p}-1/2^{p})^{1/p}>\alpha_{G}d_{0}$ .

Putting it all together, Equations 12, 13, 14, 15 and 16 hold for all sufficiently large $n^{\prime}$ if the following four constraints hold:

$\displaystyle a/\alpha$	$\displaystyle<d_{0}\ \text{,}$	(17)
$\displaystyle(a^{p}-\gamma^{p}b^{p}-1/2^{p})^{1/p}$	$\displaystyle<\alpha_{A}d_{0}\ \text{,}$
$\displaystyle(a^{p}-b^{p}-1/2^{p})^{1/p}$	$\displaystyle>\alpha_{G}d_{0}\ \text{,}$
$\displaystyle(a^{p}-\gamma^{p}b^{p})^{1/p}$	$\displaystyle<d_{1}\ \text{.}$

More specifically, the first constraint in Equation 17 implies both Equations 12 and 15 (since we set $\ell=d_{0}{n^{\prime}}^{1/p}$ ), the second constraint implies Equation 13, the third constraint implies Equation 14, and the last constraint implies Equation 16. The last three constraints in Equation 17 are equivalent to the single constraint that

\frac{a^{p}-\min\{{1/2^{p}+(\alpha_{A}d_{0})^{p},d_{1}^{p}}\}}{\gamma^{p}}<b^{p}<a^{p}-1/2^{p}-\alpha_{G}^{p}d_{0}^{p}\ ,

(18)

and one can check that for every

a>\Bigl{(}(\alpha_{G}d_{0})^{p}+\frac{(\alpha_{G}d_{0})^{p}-\min\{(\alpha_{A}d_{0})^{p},d_{1}^{p}-1/2^{p}\}}{\gamma^{p}-1}+\frac{1}{2^{p}}\Bigr{)}^{1/p}\ \text{,}

(19)

the left-hand side of Equation 18 is strictly less than the right-hand side of Equation 18. I.e., for every $a$ satisfying Equation 19 there exists $b>0$ such that $a$ and $b$ satisfy Equation 18. Dividing both sides of Equation 19 by $d_{0}$ and combining it with the first constraint in Equation 17 (i.e., $\alpha>a/d_{0}$ ), we get that for all $\alpha$ satisfying Equation 9 there exist $a$ and $b$ such that $G\geq 400\alpha A$ holds for all sufficiently large $n^{\prime}$ , as needed.

For the additional result associated with Equation 10, assume without loss of generality that $\nu_{0}=\nu_{1}$ , as otherwise one could use $\min\{{\nu_{0},\nu_{1}}\}$ in place of both $\nu_{0}$ and $\nu_{1}$ in Equation 8. Then the result follows by taking the limit $C\to\infty$ in Equation 9, and noting that by 2.10 we have $d_{0},d_{1}\to\infty$ and $d_{0}/d_{1}\to 1$ when $C\to\infty$ . ∎

3.2 Gap-ETH-hardness of BDD from Exponential Kissing Number Lattices

Definition 3.5 (Lattice kissing number).

The kissing number $\tau(\mathcal{L})$ of a lattice $\mathcal{L}$ is defined as

\tau(\mathcal{L}):=N_{2}(\mathcal{L}\setminus\{{\boldsymbol{0}}\},\lambda_{1}(\mathcal{L}),\boldsymbol{0})\ \text{.}

The maximum lattice kissing number $\tau^{l}_{n}$ for rank $n$ is defined as

\tau^{l}_{n}:=\max_{\operatorname{rank}(\mathcal{L})=n}\tau(\mathcal{L})\ \text{.}

It was a longstanding open question whether there exists an infinite family of lattices with exponential kissing number, i.e., whether there exist infinitely many $n$ such that $\log_{2}(\tau^{l}_{n})/n$ is greater than a constant. In recent breakthrough work, Vlăduţ [Vlă19] not only showed this, but also that there exists such a family with a lattice $\mathcal{L}_{n}$ of every rank $n$ such that $\log_{2}(\mathcal{L}_{n})/n\geq c-o(1)$ for some explicit constant $c>0$ . Accordingly, we define $c_{\mathsf{kn}}$ to be the largest value of $c$ such that $\log_{2}(\tau^{l}_{n})/n\geq c-o(1)$ for every $n\in\mathbb{Z}^{+}$ .

Theorem 3.6 ([Vlă19, Theorem 1.5]).

It holds that $c_{\mathsf{kn}}\geq 0.02194$ .

We call the constant $c_{\mathsf{kn}}$ in the preceding theorem the “ $\ell_{2}$ kissing-number constant.”

In this section, we show gadgets for instantiating the general reductions in Theorem 3.4 based on exponential kissing number lattices (see Corollary 3.11 for the resulting gadgets, which are obtained by sequentially applying Lemmas 3.7, 3.8 and 3.9 to the exponential kissing number lattices).

The following lemma shows that, given a rank- $n$ lattice $\mathcal{L}^{\dagger}$ and a target $\boldsymbol{t}^{\dagger}$ , by moving $\boldsymbol{t}^{\dagger}$ by a small distance $\delta$ in a random direction to some new target $\boldsymbol{t}^{\prime}$ and picking a distance that is $1-\varepsilon$ times smaller than the original distance, the number of vectors within (relative) distance $1-\varepsilon$ of $\boldsymbol{t}^{\prime}$ is in expectation roughly a $\sin(\theta)^{n}$ factor less than the number of vectors within the original distance of $\boldsymbol{t}$ , where $\theta$ is (only) a function of $\delta$ and $\varepsilon$ . This allows us to construct gadgets with smaller relative distances $\alpha_{G}$ (where $\alpha_{G}$ is as in Theorem 3.4) at the cost of an exponential decrease $\sin(\theta)^{n}$ in the number of close vectors $N_{p}(\mathcal{L}^{\dagger},\alpha_{G},\boldsymbol{t}^{\dagger})$ ; fortunately we can afford this decrease as long as the original count is exponential.

To remark, the lemma is similar to [AS18, Corollary 5.8], but has a larger parameter space for $\delta$ and $\varepsilon$ , and shows that a larger fraction (essentially $\sin(\theta)^{n}$ ) of close vectors is preserved.

Lemma 3.7.

For any lattice $\mathcal{L}^{\dagger}$ of rank $n$ , target $\boldsymbol{t}^{\dagger}\in\operatorname{span}(\mathcal{L}^{\dagger})$ , and constants $\varepsilon\in(0,1/2]$ and $\delta\in[\varepsilon,1-\varepsilon]$ , there exists $\boldsymbol{t}^{\prime}\in\operatorname{span}(\mathcal{L}^{\dagger})$ with $\lVert\boldsymbol{t}^{\prime}-\boldsymbol{t}^{\dagger}\rVert_{2}=\delta$ , such that

N_{2}(\mathcal{L}^{\dagger},1-\varepsilon,\boldsymbol{t}^{\prime})\geq\frac{\sin(\theta)^{n}}{\operatorname{poly}(n)}\cdot N_{2}(\mathcal{L}^{\dagger},1,\boldsymbol{t}^{\dagger})\ \text{,}

where $\theta:=\arccos(\frac{\delta^{2}+2\varepsilon-\varepsilon^{2}}{2\delta})$ .

Proof.

Without loss of generality suppose that $\mathcal{L}^{\dagger}$ has dimension $n$ so that $\operatorname{span}(\mathcal{L}^{\dagger})=\mathbb{R}^{n}$ . It suffices to show that the expectation of $N_{2}(\mathcal{L}^{\dagger},1-\varepsilon,\boldsymbol{t}^{\prime})$ for a uniformly random target $\boldsymbol{t}^{\prime}$ sampled from the sphere $\delta\cdot S^{n-1}+\boldsymbol{t}^{\dagger}$ is at least $(\sin(\theta)^{n}/\operatorname{poly}(n))\cdot N_{2}(\mathcal{L}^{\dagger},1,\boldsymbol{t}^{\dagger})$ , and therefore by linearity of expectation it suffices to show that the probability that $\lVert\boldsymbol{t}^{\prime}-\boldsymbol{v}\rVert_{2}\leq 1-\varepsilon$ is at least $\sin(\theta)^{n}/\operatorname{poly}(n)$ for any vector $\boldsymbol{v}$ with $\lVert\boldsymbol{v}-\boldsymbol{t}^{\dagger}\rVert\leq 1$ . Let $\boldsymbol{a}=\boldsymbol{t}^{\prime}-\boldsymbol{t}^{\dagger}$ , $\boldsymbol{b}=\boldsymbol{v}-\boldsymbol{t}^{\dagger}$ , and $\theta^{\prime}$ be the angle between $\boldsymbol{a}$ and $\boldsymbol{b}$ . We know $\lVert\boldsymbol{a}\rVert_{2}=\delta$ and $\lVert\boldsymbol{b}\rVert_{2}\leq 1$ . We calculate the probability as follows.

	$\displaystyle\Pr_{\boldsymbol{t}^{\prime}}[\lVert\boldsymbol{t}^{\prime}-\boldsymbol{v}\rVert_{2}\leq 1-\varepsilon]$	$\displaystyle=\Pr_{\boldsymbol{t}^{\prime}}[\lVert\boldsymbol{a}\rVert_{2}^{2}+\lVert\boldsymbol{b}\rVert_{2}^{2}-2\lVert\boldsymbol{a}\rVert_{2}\lVert\boldsymbol{b}\rVert_{2}\cos(\theta^{\prime})\leq(1-\varepsilon)^{2}]$
		$\displaystyle=\Pr_{\boldsymbol{t}^{\prime}}\Bigl{[}\cos(\theta^{\prime})\geq\frac{\lVert\boldsymbol{b}\rVert_{2}^{2}-((1-\varepsilon)^{2}-\delta^{2})}{2\delta\lVert\boldsymbol{b}\rVert_{2}}\Bigr{]}$
		$\displaystyle\geq\Pr_{\boldsymbol{t}^{\prime}}\Bigl{[}\cos(\theta^{\prime})\geq\frac{1-((1-\varepsilon)^{2}-\delta^{2})}{2\delta}\Bigr{]}$
		$\displaystyle=\Pr_{\boldsymbol{t}^{\prime}}[\theta^{\prime}\leq\theta]$
		$\displaystyle=C_{n-1}(1-\cos(\theta))/A_{n-1}\ \text{,}$

where $C_{n-1}(h)$ is the surface area of a spherical cap with height $h$ of the unit sphere $S^{n-1}$ , and $A_{n-1}$ is the surface area of the entire unit sphere $S^{n-1}$ . The ratio in the last quantity satisfies $C_{n-1}(1-\cos(\theta))/A_{n-1}=\sin(\theta)^{n}/\Theta(n^{3/2})$ ; see, e.g., [BDGL16, Lemma 2.1 and Appendix A]. ∎

The following lemma is implicit in [AS18, Lemma 5.2], with small changes regarding $N_{p}$ and $N_{p}^{o}$ . It uses an averaging argument to show that if there exists a gadget $(\mathcal{L}^{\dagger},\boldsymbol{t}^{\dagger})$ with at least $M$ times as many close vectors $N_{p}(\mathcal{L}^{\dagger},1-\varepsilon,\boldsymbol{t}^{\dagger})$ as short vectors $N_{p}(\mathcal{L}^{\dagger},1,\boldsymbol{0})$ , then there exist a (potentially different) target $\boldsymbol{t}^{\prime}$ and $\varepsilon^{\prime}\geq\varepsilon$ such that there are at least $M^{\prime}\approx M^{1/\log_{\eta}(2\varepsilon)}$ times as many close vectors $N_{p}(\mathcal{L}^{\dagger},1-\varepsilon^{\prime},\boldsymbol{t}^{\prime})$ as short vectors $N(\mathcal{L}^{\dagger},1,\boldsymbol{0})$ and in addition at least $M^{\prime}$ as many close vectors as “too close” vectors $N_{p}(\mathcal{L}^{\dagger},1-\varepsilon^{\prime}/\eta,\boldsymbol{t}^{\prime})$ . Here $\eta\in[2\varepsilon,1)$ is a parameter that controls the trade-off between $M^{\prime}$ and the difference $\varepsilon^{\prime}/\eta-\varepsilon^{\prime}$ of the distances for the close and the “too close” lattice vectors. In particular, taking larger $\eta$ allows us to decrease the difference between the “close distance” $\alpha_{G}$ and “too close distance” $\alpha_{A}$ in Theorem 3.4 at the cost of having a smaller factor $M^{\prime}$ in place of $M$ (this trade-off is analogous to the one in Lemma 3.7, which allowed us to decrease $\alpha_{G}$ ).

Lemma 3.8.

For any $p\in[1,\infty)$ , lattice $\mathcal{L}^{\dagger}$ , target $\boldsymbol{t}^{\dagger}\in\operatorname{span}(\mathcal{L}^{\dagger})$ , and constants $\varepsilon\in(0,1/2)$ and $\eta\in[2\varepsilon,1)$ satisfying $N_{p}(\mathcal{L}^{\dagger},1-\varepsilon,\boldsymbol{t}^{\dagger})\geq M\cdot N_{p}^{o}(\mathcal{L}^{\dagger},1,\boldsymbol{0})$ for some $M>1$ , there exist $\varepsilon^{\prime}\in[\varepsilon,1/2]$ and $\boldsymbol{t}^{\prime}\in\operatorname{span}(\mathcal{L}^{\dagger})$ , such that

N_{p}(\mathcal{L}^{\dagger},1-\varepsilon^{\prime},\boldsymbol{t}^{\prime})\geq M^{\prime}\cdot\max\bigl{\{}N_{p}^{o}(\mathcal{L}^{\dagger},1,\boldsymbol{0}),N_{p}(\mathcal{L}^{\dagger},1-\varepsilon^{\prime}/\eta,\boldsymbol{t}^{\prime})\bigr{\}}\ \text{,}

where $M^{\prime}:=M^{1/(k+1)}$ and $k:=\lfloor\log_{\eta}(2\varepsilon)\rfloor$ .

Proof.

For $i=0,1,\dots,k+1$ , define $\varepsilon_{i}=\varepsilon/\eta^{i}$ and $D_{i}=\max_{\boldsymbol{t}\in\operatorname{span}(\mathcal{L}^{\dagger})}N_{p}(\mathcal{L}^{\dagger},1-\varepsilon_{i},\boldsymbol{t})$ . Write $N=N_{p}^{o}(\mathcal{L}^{\dagger},1,\boldsymbol{0})$ for simplicity. By the given assumption, we know $D_{0}\geq N_{p}(\mathcal{L}^{\dagger},1-\varepsilon,\boldsymbol{t}^{\dagger})\geq M\cdot N$ . Moreover, $k=\lfloor\log_{\eta}(2\varepsilon)\rfloor$ indicates that $\varepsilon_{k}\leq 1/2$ and $\varepsilon_{k+1}>1/2$ . Then we know $D_{k+1}\leq N$ by 2.1, Item 2. Now that $D_{0}\geq M\cdot N$ and $D_{k+1}\leq N$ , there exists $i\in\{{0,1,\dots,k}\}$ such that $D_{i}\geq M^{\prime}\cdot\max\{N,D_{i+1}\}$ (for $M^{\prime}=M^{1/(k+1)}$ ). Then setting $\varepsilon^{\prime}=\varepsilon_{i}$ and $\boldsymbol{t}^{\prime}$ achieving $N_{p}(\mathcal{L}^{\dagger},1-\varepsilon_{i},\boldsymbol{t}^{\prime})=D_{i}$ satisfies the desired property. Note that this choice gives $\varepsilon^{\prime}\in[\varepsilon,1/2]$ . ∎

We use the following lemma about norm embeddings to extend our gadgets based on exponential kissing number lattices to arbitrary $\ell_{p}$ norms.

Lemma 3.9 ([FLM77], [RR06, Theorem 3.2]).

For any $n\in\mathbb{Z}^{+}$ , $p\in[1,\infty)$ , and $\varepsilon>0$ , there exists $m\in\mathbb{Z}^{+}$ and a linear map $f:\mathbb{R}^{n}\to\mathbb{R}^{m}$ , such that for all $\boldsymbol{x}\in\mathbb{R}^{n}$ ,

(1-\varepsilon)\lVert\boldsymbol{x}\rVert_{2}\leq\lVert f(\boldsymbol{x})\rVert_{p}\leq(1+\varepsilon)\lVert\boldsymbol{x}\rVert_{2}\ \text{.}

In particular, it suffices to take $m$ to be

m=\begin{cases}\varepsilon^{-2}n&\text{if}\ 1\leq p<2\ \text{,}\\ \varepsilon^{-p}(n/p)^{p/2}&\text{if}\ p\geq 2\ \text{.}\end{cases}

We remark that for fixed $p$ , the increased dimensionality of the norm embeddings given by Lemma 3.9 is $m=\operatorname{poly}(n,1/\varepsilon)$ , which is polynomial in $n$ for any $\varepsilon\geq 1/\operatorname{poly}(n)$ .

The following lemma allows us to adapt gadgets in $\ell_{2}$ norm to the requirements of Theorem 3.4; in particular, the lemma gives analogous gadgets $(\mathcal{L}^{\dagger},\boldsymbol{t}^{\dagger})$ in any $\ell_{p}$ norm by applying the norm embeddings in Lemma 3.9 and scaling properly, with the caveat that $\lambda^{(p)}_{1}(\mathcal{L}^{\dagger})$ and $\mathrm{dist}_{p}(\boldsymbol{t}^{\dagger},\mathcal{L}^{\dagger})$ may be distorted by a $1\pm\varepsilon$ factor.⁹⁹9Miller and Stephens-Davidowitz [MS19] referred to the number of non-zero vectors in a lattice $\mathcal{L}$ of length at most $(1+\varepsilon)\cdot\lambda^{(p)}_{1}(\mathcal{L})$ as its “ $(1+\varepsilon)$ -handshake number.” For our reductions, it essentially suffices to have a family of lattices $\{{\mathcal{L}_{n}}\}_{n=1}^{\infty}$ where $\mathcal{L}_{n}$ has rank $n$ and large $(1+\varepsilon)$ -handshake number (in the $\ell_{p}$ norm, with $\varepsilon$ satisying, say, $\varepsilon\leq 1+O(1/n)$ ), which is a weaker property than having large kissing number. Indeed, all of our reductions are just as strong quantitatively (in terms of the relative distance $\alpha$ and rank increase $C$ achieved) using lattices with large handshake number. The only issue with using lattices with large handshake number (rather than large kissing number) is qualitative. Their use leads us to rely on “Gap” variants of (S)ETH. However, in Section 3.4.1 we sketch why even this difference is likely not inherent. Additionally, we note that in follow-up work Vlăduţ [Vlă21] proved an exponential lower bound on the lattice kissing number in all $\ell_{p}$ norms. However, the lower bound from [Vlă21], which is independent of $p$ , is roughly $1.0013^{n}$ . This is weaker than the lower bound of roughly $2^{0.02194n}\approx 1.0153^{n}$ for $\ell_{2}$ stated in Theorem 3.6. By norm embeddings, a lower bound on the $\ell_{2}$ kissing number implies a lower bound on the $(1+\varepsilon)$ -handshake number in the $\ell_{p}$ norm for $\varepsilon\geq 1/\operatorname{poly}(n)$ in lattices of dimension $\operatorname{poly}(n)$ , and so, by the discussion in the preceding paragraph on kissing number versus handshake number, using [Vlă21] would not lead to quantitatively stronger results.

Lemma 3.10.

For any lattice $\mathcal{L}^{\dagger}$ of rank $n$ , target $\boldsymbol{t}^{\dagger}\in\operatorname{span}(\mathcal{L}^{\dagger})$ , and constants $0<\alpha_{A}\leq\alpha_{G}\leq 1$ , if, for some $M_{0},M_{1}>0$ ,

N_{2}(\mathcal{L}^{\dagger},\alpha_{G},\boldsymbol{t}^{\dagger})\geq\max\bigl{\{}M_{0}\cdot N_{2}^{o}(\mathcal{L}^{\dagger},1,\boldsymbol{0}),M_{1}\cdot N_{2}^{o}(\mathcal{L}^{\dagger},\alpha_{A},\boldsymbol{t}^{\dagger})\bigr{\}}\ \text{,}

then for any $p\in[1,\infty)$ , there exist a lattice $\mathcal{L}^{\prime}$ of rank $n$ and dimension $m=\operatorname{poly}(n)$ and a target $\boldsymbol{t}^{\prime}\in\operatorname{span}(\mathcal{L}^{\prime})$ , such that

N_{p}(\mathcal{L}^{\prime},\alpha_{G}+o(1),\boldsymbol{t}^{\prime})\geq\max\bigl{\{}M_{0}\cdot N_{p}^{o}(\mathcal{L}^{\prime},1,\boldsymbol{0}),M_{1}\cdot N_{p}^{o}(\mathcal{L}^{\prime},\alpha_{A},\boldsymbol{t}^{\prime})\bigr{\}}\ \text{.}

Proof.

Without loss of generality suppose that $\mathcal{L}^{\dagger}$ has dimension $n$ so that $\operatorname{span}(\mathcal{L}^{\dagger})=\mathbb{R}^{n}$ , and $\boldsymbol{0}$ is the closest lattice vector to $\boldsymbol{t}^{\dagger}$ so that $\lVert\boldsymbol{t}^{\dagger}\rVert_{2}\leq\alpha_{G}$ (note that $N_{2}(\mathcal{L}^{\dagger},\alpha_{G},\boldsymbol{t}^{\dagger})\geq M_{0}\cdot N_{2}^{o}(\mathcal{L}^{\dagger},1,\boldsymbol{0})\geq M_{0}>0$ ). We apply the norm embeddings in Lemma 3.9 to the gadget $(\mathcal{L}^{\dagger},\boldsymbol{t}^{\dagger})$ , with error bound $\varepsilon=1/n=o(1)$ . Let $(\mathcal{L},\boldsymbol{t})$ be the embedded gadget. By Lemma 3.9, we know $\mathcal{L}$ has rank $n$ and dimension $m=\operatorname{poly}(n)$ , and

	$\displaystyle N_{2}^{o}(\mathcal{L}^{\dagger},1,\boldsymbol{0})$	$\displaystyle\geq N_{p}^{o}(\mathcal{L},1-\varepsilon,\boldsymbol{0})\ \text{,}$
	$\displaystyle N_{2}(\mathcal{L}^{\dagger},\alpha_{G},\boldsymbol{t}^{\dagger})$	$\displaystyle\leq N_{p}(\mathcal{L},(1+\varepsilon)\cdot 2\alpha_{G}-(1-\varepsilon)\cdot\alpha_{G},\boldsymbol{t})$
		$\displaystyle=N_{p}(\mathcal{L},(1+3\varepsilon)\cdot\alpha_{G},\boldsymbol{t})\ \text{,}$
	$\displaystyle N_{2}^{o}(\mathcal{L}^{\dagger},\alpha_{A},\boldsymbol{t}^{\dagger})$	$\displaystyle\geq N_{p}^{o}(\mathcal{L},(1-\varepsilon)\cdot(\alpha_{A}+\alpha_{G})-(1+\varepsilon)\cdot\alpha_{G},\boldsymbol{t})$
		$\displaystyle=N_{p}^{o}(\mathcal{L},(1-\varepsilon\cdot(1+2\alpha_{G}/\alpha_{A}))\cdot\alpha_{A},\boldsymbol{t})\ \text{.}$

Then by normalizing with $\mathcal{L}^{\prime}=\mathcal{L}/(1-\varepsilon^{\prime})$ and $\boldsymbol{t}^{\prime}=\boldsymbol{t}/(1-\varepsilon^{\prime})$ , where $\varepsilon^{\prime}=\varepsilon\cdot(1+2\alpha_{G}/\alpha_{A})=o(1)$ , we get a desired gadget $(\mathcal{L}^{\prime},\boldsymbol{t}^{\prime})$ . ∎

By applying Lemmas 3.7 and 3.8 to exponential kissing number lattices along with targets $\boldsymbol{0}$ , and adapting the resulting gadgets to the requirements of Theorem 3.4 using Lemma 3.10, we get the following.

Corollary 3.11.

For any $n\in\mathbb{Z}^{+}$ , $p\in[1,\infty)$ , and constants $\varepsilon\in(0,1/2)$ , $\delta\in[\varepsilon,1-\varepsilon]$ and $\eta\in[2\varepsilon,1)$ , there exist $\varepsilon^{\prime}\in[\varepsilon,1/2]$ , a lattice $\mathcal{L}^{\dagger}$ with rank $n$ and dimension $m=\operatorname{poly}(n)$ , and a target $\boldsymbol{t}^{\dagger}\in\operatorname{span}(\mathcal{L}^{\dagger})$ , such that

N_{p}(\mathcal{L}^{\dagger},1-\varepsilon^{\prime}+o(1),\boldsymbol{t}^{\dagger})\geq(\sin(\theta)\cdot 2^{c_{\mathsf{kn}}})^{n/(k+1)-o(n)}\cdot\max\bigl{\{}N_{p}^{o}(\mathcal{L}^{\dagger},1,\boldsymbol{0}),N_{p}^{o}(\mathcal{L}^{\dagger},1-\varepsilon^{\prime}/\eta,\boldsymbol{t}^{\dagger})\bigr{\}}\ \text{,}

where $\theta:=\arccos(\frac{\delta^{2}+2\varepsilon-\varepsilon^{2}}{2\delta})$ and $k:=\lfloor\log_{\eta}(2\varepsilon)\rfloor$ .

Proof.

By Theorem 3.6 we know there exists lattice $\mathcal{L}^{\prime}$ of rank $n$ satisfying $\lambda_{1}(\mathcal{L}^{\prime})=1$ and $N_{2}(\mathcal{L}^{\prime},1,\boldsymbol{0})=2^{c_{\mathsf{kn}}n-o(n)}$ . Then by Lemma 3.7, there exists a target $\boldsymbol{t}\in\operatorname{span}(\mathcal{L}^{\prime})$ such that $N_{2}(\mathcal{L}^{\prime},1-\varepsilon,\boldsymbol{t})=\sin(\theta)^{n}/\operatorname{poly}(n)\cdot 2^{c_{\mathsf{kn}}n-o(n)}=(\sin(\theta)\cdot 2^{c_{\mathsf{kn}}})^{n-o(n)}$ . Therefore by Lemma 3.8, there exists $\varepsilon^{\prime}\in[\varepsilon,1/2]$ and target $\boldsymbol{t}^{\prime}\in\operatorname{span}(\mathcal{L}^{\prime})$ such that

N_{2}(\mathcal{L}^{\prime},1-\varepsilon^{\prime},\boldsymbol{t}^{\prime})\geq(\sin(\theta)\cdot 2^{c_{\mathsf{kn}}})^{n/(k+1)-o(n)}\cdot\max\bigl{\{}N_{2}^{o}(\mathcal{L}^{\prime},1,\boldsymbol{0}),N_{2}^{o}(\mathcal{L}^{\prime},1-\varepsilon^{\prime}/\eta,\boldsymbol{t}^{\prime})\bigr{\}}\ \text{.}

The result then follows by applying Lemma 3.10 to the gadget $(\mathcal{L}^{\prime},\boldsymbol{t}^{\prime})$ . ∎

Using the notation in Theorem 3.4, the family of gadgets given by Corollary 3.11 has $\alpha_{G}=1-\varepsilon^{\prime}\leq 1-\varepsilon$ , $\alpha_{A}=1-\varepsilon^{\prime}/\eta$ , and $\nu_{0}=\nu_{1}=(\sin(\theta)\cdot 2^{c_{\mathsf{kn}}})^{1/(k+1)}$ . For $\nu_{0},\nu_{1}>1$ , we need $\theta>\theta_{0}:=\arcsin(2^{-c_{\mathsf{kn}}})$ . By rearranging this is equivalent to $1-\varepsilon>\sqrt{(\cos(\theta_{0})-\delta)^{2}+\sin(\theta_{0})^{2}}$ , where the right-hand side is minimized by setting $\delta:=\cos(\theta_{0})$ .

Therefore, by taking $1-\varepsilon$ to be a constant sufficiently close to $\sin(\theta_{0})=2^{-c_{\mathsf{kn}}}$ and $\eta$ to be a constant sufficiently close to $1$ , we can take $\alpha_{G}$ to be an arbitrary constant greater than $2^{-c_{\mathsf{kn}}}$ and $\alpha_{A}$ to be an arbitrary constant less than $\alpha_{G}$ . Plugging such $\alpha_{G},\alpha_{A}$ into Equation 10 in Theorem 3.4, we get that it simplifies to $\alpha>2^{-c_{\mathsf{kn}}}$ . By applying this family of gadgets to Theorem 3.4, we then get the following.

Corollary 3.12.

For any $p\in[1,\infty)$ , $\gamma>1$ , and $\alpha>2^{-c_{\mathsf{kn}}}$ , there exists an efficient non-uniform reduction from $\mathrm{CVP}^{\prime}_{p,\gamma}$ in rank $n$ to $\mathrm{BDD}_{p,\alpha}$ in rank $Cn$ for some constant $C>1$ for all sufficiently large $n$ .

Combining Corollary 3.12 with the Gap-ETH-hardness result for $\mathrm{CVP}^{\prime}$ in Theorem 2.17, we immediately get Theorem 1.1, restated below. We recall that the bound on $2^{-c_{\mathsf{kn}}}$ follows from Theorem 3.6.

Theorem 1.1.

3.3 Gap-ETH-hardness of BDD from the Integer Lattice

In this section we show Gap-ETH-hardness of BDD by instantiating the general reductions in Theorem 3.4 with gadgets based on the integer lattice $\mathbb{Z}^{n}$ as opposed to exponential kissing number lattices. More specifically, we will consider lattice-target gadgets $(\mathbb{Z}^{n},t\cdot\boldsymbol{1})$ .

For $p\in[1,\infty)$ , we define

\alpha^{\ddagger}_{p}:=\inf_{\begin{subarray}{c}t\in[0,1/2],\\ a\geq t\end{subarray}}\frac{a}{\beta_{p,0}^{-1}(\beta_{p,t}(a))}\ \text{.}

(20)

The numerator in Equation 20 corresponds to the resulting gadget’s “close distance,” and the denominator to the gadget’s “short distance.” More specifically, the value $b:=\beta_{p,0}^{-1}(\beta_{p,t}(a))$ corresponds to the largest radius $bn^{1/p}$ at which the number of “short” integer vectors of norms at most $bn^{1/p}$ is less than the number of “close” integer vectors within distance $an^{1/p}$ of the target $t\cdot\boldsymbol{1}$ . We note that $\alpha^{\ddagger}_{p}\leq 1$ since

\alpha^{\ddagger}_{p}=\inf_{\begin{subarray}{c}t\in[0,1/2],\\ a\geq t\end{subarray}}\frac{a}{\beta_{p,0}^{-1}(\beta_{p,t}(a))}\leq\inf_{t\in[0,1/2]}\lim_{a\to\infty}\frac{a}{\beta_{p,0}^{-1}(\beta_{p,t}(a))}=1\ \text{,}

where the last equality follows from 2.10. Moreover, we note that (provably) $\alpha^{\ddagger}_{p}<1$ for all $p>2$ by [AS18, Lemma 5.4], and that $\alpha^{\ddagger}_{p}\to 1/2$ as $p\to\infty$ (see the discussion at the end of this subsection). The left plot in Figure 1 shows explicit values of $\alpha^{\ddagger}_{p}$ for $p$ around $2$ , and how $\alpha^{\ddagger}_{p}$ compares to the related quantities $\alpha_{p}^{*}$ (with norm embeddings) and $\alpha_{\mathsf{kn}}$ .

The following lemma formally analyzes the gadgets based on the integer lattice.

Lemma 3.13.

For any $p\in[1,\infty)$ and $\alpha^{\ddagger}_{p}<\alpha_{A}<\alpha_{G}$ , there exist $t\in[0,1/2]$ , $a\geq t$ and $\nu_{0},\nu_{1}>1$ , such that for any $n\in\mathbb{Z}^{+}$ and for $r=an^{1/p}$ ,

N_{p}(\mathbb{Z}^{n},r,t\cdot\boldsymbol{1})\geq\max\bigl{\{}\nu_{0}^{n-o(n)}\cdot N_{p}^{o}(\mathbb{Z}^{n},r/\alpha_{G},\boldsymbol{0}),\nu_{1}^{n-o(n)}\cdot N_{p}^{o}(\mathbb{Z}^{n},(\alpha_{A}/\alpha_{G})\cdot r,t\cdot\boldsymbol{1})\bigr{\}}\ \text{.}

Proof.

By 2.9, Item 1, to have the desired inequality, it suffices to have

\beta_{p,t}(a)^{n}\cdot\exp(-C^{*}\sqrt{n})\geq\max\bigl{\{}\nu_{0}^{n-o(n)}\cdot\beta_{p,0}(a/\alpha_{G})^{n},\nu_{1}^{n-o(n)}\cdot\beta_{p,t}((\alpha_{A}/\alpha_{G})\cdot a)^{n}\bigr{\}}\ \text{,}

and then suffices to have

\beta_{p,t}(a)\geq\max\bigl{\{}\nu_{0}\cdot\beta_{p,0}(a/\alpha_{G}),\nu_{1}\cdot\beta_{p,t}((\alpha_{A}/\alpha_{G})\cdot a)\bigr{\}}\ \text{.}

Since $\alpha_{A}<\alpha_{G}$ , by the monotonicity of $\beta_{p,t}(\cdot)$ , we know that for any $a\geq t$ there exists $\nu_{1}>1$ such that $\beta_{p,t}(a)\geq\nu_{1}\cdot\beta_{p,t}((\alpha_{A}/\alpha_{G})\cdot a)$ . Moreover, as $\alpha_{G}>\alpha^{\ddagger}_{p}$ , by definition of $\alpha^{\ddagger}_{p}$ in Equation 20, we know there exists $t\in[0,1/2]$ and $a\geq t$ such that

\alpha_{G}>\frac{a}{\beta_{p,0}^{-1}(\beta_{p,t}(a))}\ \text{.}

Hence, by the monotonicity of $\beta_{p,0}(\cdot)$ , there exists $\nu_{0}>1$ so that $\beta_{p,t}(a)\geq\nu_{0}\cdot\beta_{p,0}(a/\alpha_{G})$ . ∎

By applying the normalized gadgets $((\alpha_{G}/r)\cdot\mathbb{Z}^{n},(\alpha_{G}t/r)\cdot\boldsymbol{1})$ to Theorem 3.4, and setting $\alpha_{G},\alpha_{A}$ to be arbitrarily close to $\alpha^{\ddagger}_{p}$ , we get the following. Note that this family of gadgets is efficiently computable as $(\mathbb{Z}^{n},t\cdot\boldsymbol{1})$ is efficiently computable and $r$ is set to be $an^{1/p}$ for some constant $a$ , and the associated point counting of the form $N_{p}(\mathbb{Z}^{n},a^{\prime}n^{1/p},t^{\prime}\cdot\boldsymbol{1})$ can be efficiently approximated to within a $2^{o(n)}$ factor by computing $\beta_{p,t^{\prime}}(a^{\prime})^{n}$ .

Corollary 3.14.

For any $p\in[1,\infty)$ , $\alpha>\alpha^{\ddagger}_{p}$ , and $\gamma>1$ , there exists an efficient randomized reduction from $\mathrm{CVP}^{\prime}_{p,\gamma}$ in rank $n$ to $\mathrm{BDD}_{p,\alpha}$ in rank $Cn$ for some constant $C>1$ for all sufficiently large $n$ .

Combining Corollary 3.14 with the Gap-ETH-hardness result for $\mathrm{CVP}^{\prime}$ in Theorem 2.17, we immediately get Theorem 1.2, restated below.

Theorem 1.2.

Bennett and Peikert [BP20, Equation 3.5] define $\alpha^{*}_{p}:=\inf\{{\alpha^{*}>0:\min_{\tau>0}\exp(\tau/(2\alpha^{*})^{p})\cdot\Theta_{p}(\tau)\leq 2}\}$ and show an analogous result to Theorem 1.2 for all $\alpha>\alpha_{p}^{*}$ (assuming randomized “non-gap” ETH). By 2.9, Item 2, we know $\alpha^{*}_{p}=1/(2\beta_{p,0}^{-1}(2))$ . Note that $1/(2\beta_{p,0}^{-1}(2))=a/\beta_{p,0}^{-1}(\beta_{p,t}(a))$ for $a=t=1/2$ . As a result, we have $\alpha^{\ddagger}_{p}\leq\alpha^{*}_{p}$ (see Equation 20 for the definition of $\alpha^{\ddagger}_{p}$ ), and so Theorem 1.2 gives a result that is at least as strong quantitatively as the corresponding result in [BP20] for all $p$ (see the left plot in Figure 1). Moreover, the upper bounds on $\alpha^{*}_{p}$ obtained in [BP20, Lemma 3.11] immediately apply to our $\alpha^{\ddagger}_{p}$ as well. In addition, $\beta_{p,0}(2a)\geq\beta_{p,t}(a)$ holds for any $t\in[0,1/2],a\geq t$ by triangle inequality (see 2.1, Item 2), implying that $\alpha^{\ddagger}_{p}\geq 1/2$ . Combining these bounds, we get that $\lim_{p\to\infty}\alpha^{\ddagger}_{p}=1/2$ .

3.4 Gap-SETH-hardness of BDD from Exponential Kissing Number Lattices

In this section we show Gap-SETH-hardness of $\mathrm{BDD}_{p,\alpha}$ using the general reduction established in Section 3.1. We start by showing how to construct locally dense lattices with exponentially many close vectors, essentially the same close and short distances, and no too-close vectors by sparsifying exponential kissing number lattices.

Lemma 3.15.

For all sufficiently large $n\in\mathbb{Z}^{+}$ , there exists a lattice $\mathcal{L}^{\dagger}$ of rank $n$ and a target $\boldsymbol{t}^{\dagger}\in\operatorname{span}(\mathcal{L}^{\dagger})$ such that $\lambda_{1}(\mathcal{L}^{\dagger})\geq 1$ , $N_{2}(\mathcal{L}^{\dagger},1,\boldsymbol{t}^{\dagger})>\tau^{l}_{n}/4$ , and $N^{o}_{2}(\mathcal{L}^{\dagger},1,\boldsymbol{t}^{\dagger})=0$ .

Proof.

By definition, there exists a lattice $\mathcal{L}$ of rank $n$ with Euclidean kissing number $\tau^{l}_{n}$ . Suppose without loss of generality that $\mathcal{L}$ has dimension $n$ and $\lambda_{1}(\mathcal{L})=1$ . We will apply Proposition 2.5 to lattice $\mathcal{L}$ and target $\boldsymbol{t}:=\boldsymbol{0}$ with index $q=3$ . In particular, supposing $B\in\mathbb{R}^{n\times n}$ is an arbitrary basis of $\mathcal{L}$ , the sparsification samples $\boldsymbol{x},\boldsymbol{z}\in\mathbb{F}_{q}^{n}$ uniformly at random and sets

\mathcal{L}^{\dagger}:=\{{\boldsymbol{v}\in\mathcal{L}:\langle B^{-1}\boldsymbol{v},\boldsymbol{x}\rangle\equiv 0\ (\mathrm{mod}\ q)}\}\ \text{,}\qquad\boldsymbol{t}^{\dagger}:=\boldsymbol{t}-B\boldsymbol{z}=-B\boldsymbol{z}\ \text{.}

It is easy to see that by construction, $\lambda_{1}(\mathcal{L}^{\dagger})\geq\lambda_{1}(\mathcal{L})=1$ . Moreover, note that with $r=\lambda_{1}(\mathcal{L})=1$ , we have $r<q\cdot\lambda_{1}(\mathcal{L})/2$ . Then by Proposition 2.5, Item 2, $N_{2}(\mathcal{L}^{\dagger},1,\boldsymbol{t}^{\dagger})\leq\tau^{l}_{n}/(q+1)$ with probability at most $q(q+1)^{2}/\tau^{l}_{n}+1/q^{n}$ , and by Proposition 2.5, Item 3, $N^{o}_{2}(\mathcal{L}^{\dagger},1,\boldsymbol{t}^{\dagger})>0$ with probability at most $1/q+1/q^{n}$ . By union bound, $(\mathcal{L}^{\dagger},\boldsymbol{t}^{\dagger})$ satisfies the desired properties with probability at least

1-\frac{q(q+1)^{2}}{\tau^{l}_{n}}-\frac{1}{q}-\frac{2}{q^{n}}\ \text{,}

which is positive for $q=3$ and all sufficiently large $n$ . In particular, $\mathcal{L}^{\dagger}$ , $\boldsymbol{t}^{\dagger}$ with the claimed properties exist for all sufficiently large $n$ . ∎

Note that the gadgets constructed in Lemma 3.15 have, using the notation in Lemma 3.10, $\alpha_{A}=\alpha_{G}=1$ , $M_{0}=\Omega(\tau^{l}_{n})\geq 2^{c_{\mathsf{kn}}n-o(n)}$ (by Theorem 3.6) and arbitrarily large $M_{1}$ . By applying Lemma 3.10 to the gadgets we immediately get the following.

Corollary 3.16.

For any $n\in\mathbb{Z}^{+}$ , $p\in[1,\infty)$ , and $\nu_{1}>1$ , there exist a lattice $\mathcal{L}^{\dagger}$ of rank $n$ and dimension $m=\operatorname{poly}(n)$ and a target $\boldsymbol{t}^{\dagger}\in\operatorname{span}(\mathcal{L}^{\dagger})$ , such that

N_{p}(\mathcal{L}^{\dagger},1+o(1),\boldsymbol{t}^{\dagger})\geq\max\bigl{\{}2^{c_{\mathsf{kn}}n-o(n)}\cdot N_{p}^{o}(\mathcal{L}^{\dagger},1,\boldsymbol{0}),\nu_{1}^{n}\cdot N_{p}^{o}(\mathcal{L}^{\dagger},1,\boldsymbol{t}^{\dagger})\bigr{\}}\ \text{.}

For $p\in[1,\infty)$ , we define

\alpha^{\dagger}_{p,C}:=\Bigl{(}1+\frac{1}{(2\beta_{p,0}^{-1}(2^{c_{\mathsf{kn}}(C-1)}))^{p}}\Bigr{)}^{1/p}\ \text{,}

(21)

which we obtain by plugging $\alpha_{G}=\alpha_{A}=1$ , $\nu_{0}=2^{c_{\mathsf{kn}}}$ , and sufficiently large $\nu_{1}$ into Equation 9 in Theorem 3.4. Combining this with Corollaries 3.16 and 3.4, we get the following.

Corollary 3.17.

For any constants $p\in[1,\infty)$ , $C>1$ , $\gamma>1$ , and $\alpha>\alpha^{\dagger}_{p,C}$ , there exists an efficient non-uniform reduction from $\mathrm{CVP}^{\prime}_{p,\gamma}$ in rank $n$ to $\mathrm{BDD}_{p,\alpha}$ in rank $Cn$ for all sufficiently large $n$ .

Combining Corollary 3.17 with the Gap-SETH-hardness result for $\mathrm{CVP}^{\prime}$ in Theorem 2.18, we immediately get Theorem 1.3, restated below.

Theorem 1.3.

We note that the extra $1-\varepsilon$ factor in the runtime lower bound exponent in Theorem 2.18 gets absorbed by the multiplicative rank increase factor $C$ in Corollary 3.17.

We remark that for any fixed $C>1$ , $\lim_{p\to\infty}\alpha^{\dagger}_{p,C}=1$ , and for any fixed $p\in[1,\infty)$ , $\lim_{C\to\infty}\alpha^{\dagger}_{p,C}=1$ . To show this, we consider the behavior of $\beta_{p,0}^{-1}(\cdot)$ . By 4.5 in Section 4 we know that $\beta_{p,0}(a)\leq f(a^{p})$ for some strictly increasing function $f$ with $\lim_{x\to\infty}f(x)=\infty$ (see 4.5 for the explicit formula for $f$ ), and consequently $\beta_{p,0}^{-1}(\nu)^{p}\geq f^{-1}(\nu)$ . Then, recalling the definition of $\alpha^{\dagger}_{p,C}$ in Equation 21, we have $1\leq\alpha^{\dagger}_{p,C}\leq(1+1/(2^{p}f^{-1}(2^{c_{\mathsf{kn}}(C-1)})))^{1/p}$ , which implies the claimed limits.

3.4.1 An Approach for Using a Weaker Hypothesis

We conclude with an approach for making the result in Theorem 1.3 depend on a weaker assumption, namely non-uniform SETH rather than non-uniform Gap-SETH. The approach considers a reduction akin to the main reduction in Theorem 3.4, which reduces an instance of $\mathrm{CVP}^{\prime}_{p,\gamma}$ of rank $n^{\prime}$ to an instance of $\mathrm{BDD}_{p,\alpha}$ of rank $Cn^{\prime}+1$ for some constant $C>1$ assuming the existence of a family of locally dense lattices parameterized by $\alpha_{G}$ , $\alpha_{A}$ , $\nu_{0}$ , and $\nu_{1}$ . Theorem 3.4 assumes that all of these parameters are constants, but this requirement is for simplicity and does not seems inherent. Here we will consider what happens if we disregard this requirement and allow $\gamma$ , $\alpha_{G}$ , and $\alpha_{A}$ to depend on $n^{\prime}$ . The approach uses three observations:

1.

Theorem 2.19 shows hardness of $\mathrm{CVP}^{\prime}_{p,\gamma}$ instances of rank $n^{\prime}$ with $\gamma\geq 1+1/\operatorname{poly}(n^{\prime})$ assuming (plain) SETH.
2.

Applying norm embeddings (Lemma 3.9) to lattices of rank $n$ with distortion $\varepsilon=\varepsilon(n)\geq 1/\operatorname{poly}(n)$ can be done in $\operatorname{poly}(n)$ time.
3.

Because we can take $\nu_{1}$ to be arbitrarily large in Corollary 3.16, when plugging the corresponding gadgets into Theorem 3.4 we can make $d_{1}$ arbitrarily large. In particular, we can make it so that the middle term in Equation 9 simplifies to $(\alpha_{G}^{p}-\alpha_{A}^{p})/(\gamma^{p}-1)$ .¹⁰¹⁰10In fact, this is essentially the same observation we already used to derive Corollary 3.17 from Corollary 3.16.

Combining these observations, if $\gamma=\gamma(n^{\prime})$ satisfies $\gamma^{p}-1\geq 1/\operatorname{poly}(n^{\prime})$ —which it does for the SETH-hard $\mathrm{CVP}^{\prime}_{p,\gamma}$ instances from Theorem 2.19—then we can efficiently apply norm embeddings with distortion $\varepsilon=o(\gamma^{p}-1)$ to obtain modified locally dense lattices of rank $(C-1)n^{\prime}$ with the same bounds on $\nu_{0}$ and $\nu_{1}$ as in Corollary 3.16, but with $\alpha_{G}=\alpha_{G}(n^{\prime}),\alpha_{A}=\alpha_{A}(n^{\prime})$ satisfying $\alpha_{G}^{p}-\alpha_{A}^{p}=o(\gamma^{p}-1)$ and hence $(\alpha_{G}^{p}-\alpha_{A}^{p})/(\gamma^{p}-1)=o(1)$ .

Naively plugging these modified locally dense lattices into Equation 9 and invoking Theorem 2.19 appears to yield a result with the same conclusion as in Theorem 1.3, but with the hypothesis weakened to rely only on non-uniform SETH instead of non-uniform Gap-SETH. However, we emphasize that this is not correct as is since we have violated the assumption that $\gamma$ , $\alpha_{G}$ , and $\alpha_{A}$ are constants in Theorem 3.4. Nevertheless, it seems very likely that we could remove this assumption (at least in the special case of the locally dense lattices used in this section) and obtain this result.

4 Gap-SETH-hardness of GapSVP

The goal of this section is to show Gap-SETH-hardness of $\mathrm{SVP}$ , stated in Theorem 1.4, using the integer lattice as a locally dense lattice as in Section 3.3. Here the proof idea is again to reduce from $\mathrm{CVP}^{\prime}_{p,\gamma}$ , whose Gap-SETH-hardness is known (see Theorem 2.18), to $\mathrm{SVP}_{p,\gamma^{\prime}}$ . We start by introducing the intermediate problem $(A,G)$ - $\mathrm{CVP}_{p,\gamma}$ , which was originally defined in [AS18] with a slightly different but equivalent parameterization.

Definition 4.1.

For $p\in[1,\infty]$ , $\gamma=\gamma(n)\geq 1$ , and $A=A(n),G=G(n)\geq 0$ , an instance of the decision promise problem $(A,G)$ - $\mathrm{CVP}_{p,\gamma}$ is a lattice basis $B\in\mathbb{R}^{d\times n}$ , a target $\boldsymbol{t}\in\mathbb{R}^{d}$ , and distances $r,u>0$ .

•

It is a YES instance if $N_{p}(\mathcal{L}(B),r,\boldsymbol{t})\geq G$ .

•

It is a NO instance if $A_{p,u}(\mathcal{L}(B),\gamma(r^{p}+u^{p})^{1/p},\boldsymbol{t})\leq A$ , where

A_{p,u}(\mathcal{L},r^{\prime},\boldsymbol{t}):=\sum_{z=0}^{\lfloor r^{\prime}/u\rfloor}N_{p}(\mathcal{L},((r^{\prime})^{p}-z^{p}u^{p})^{1/p},z\boldsymbol{t})-1\ \text{.}

The following result from [AS18] gives an essentially rank- and dimension-preserving reduction from $(A,G)$ - $\mathrm{CVP}_{p,\gamma}$ to $\mathrm{SVP}_{p,\gamma}$ for $G\geq 1000A$ . Although we will use it as a black box, we note in passing that it works by combining Kannan’s embedding and lattice sparsification, essentially reducing our task to upper bounding the terms $A_{p,u}(\mathcal{L},r^{\prime},\boldsymbol{t})$ .

Theorem 4.2 ([AS18, Theorem 3.2]).

For any $p\in[1,\infty)$ , $A=A(n)\geq 1$ and $G=G(n)\geq 1000A(n)$ computable in $\operatorname{poly}(n)$ time, and $\gamma=\gamma(n)\geq 1$ , there is an efficient randomized reduction from $(A,G)$ - $\mathrm{CVP}_{p,\gamma}$ instances of rank $n$ and dimension $d$ to $\mathrm{SVP}_{p,\gamma}$ instances of rank $n+1$ and dimension $d+1$ that runs in time $\operatorname{poly}(d,\log A,\log G)$ .

So, to show hardness of $\mathrm{SVP}_{p,\gamma^{\prime}}$ for some $\gamma^{\prime}\geq 1$ , it suffices to show hardness of $(A,G)$ - $\mathrm{CVP}_{p,\gamma^{\prime}}$ with $G\geq 1000A$ . To do this, we give a reduction from $\mathrm{CVP}^{\prime}_{p,\gamma}$ to $(A,G)$ - $\mathrm{CVP}_{p,\gamma^{\prime}}$ similar to the one in [AS18, Corollary 4.2] but with different choice of parameters and analysis. We note that [AS18, Corollary 4.2] introduced a similar transformation to the one in Lemma 3.2, which we will again use.

The main idea behind the new choice of parameters is that scaling the input $\mathrm{CVP}^{\prime}_{p,\gamma}$ instance $(B^{\prime},\boldsymbol{t}^{\prime})$ by $s=(\varepsilon n)^{1/p}/2$ for some constant $\varepsilon>0$ makes it so that $s\cdot\mathrm{dist}_{p}(\boldsymbol{t}^{\prime},\mathcal{L}(B^{\prime}))$ —which is at most $s$ if $(B^{\prime},\boldsymbol{t}^{\prime})$ is a YES instance and at least $\gamma s$ if $(B^{\prime},\boldsymbol{t}^{\prime})$ is a NO instance—is within a multiplicative constant factor of $\mathrm{dist}_{p}(1/2\cdot\boldsymbol{1},\mathbb{Z}^{n})=n^{1/p}/2$ . This makes it so that, applying the transformation in Lemma 3.2 to ( $B^{\prime}$ , $\boldsymbol{t}^{\prime}$ ) to obtain ( $B$ , $\boldsymbol{t}$ ), we have that $\mathrm{dist}_{p}(\boldsymbol{t},\mathcal{L}(B))$ changes by a multiplicative constant factor depending on whether the input $\mathrm{CVP}^{\prime}$ instance is a YES instance or a NO instance. Similarly, we will set $u:=(\varepsilon_{u}n)^{1/p}/2$ for some constant $\varepsilon_{u}>0$ . This choice of parameters allows us to reduce from approximate $\mathrm{CVP}^{\prime}$ to approximate $(A,G)$ - $\mathrm{CVP}$ ; the corresponding result [AS18, Corollary 4.2] takes $s=1$ , $u=1$ and only works as a reduction to exact $(A,G)$ - $\mathrm{CVP}$ .¹¹¹¹11We also note that [AS18, Corollary 4.2] is only stated as a reduction from $\mathrm{CVP}$ instances of a more specific form than $\mathrm{CVP}^{\prime}$ . Here we observe that all that’s necessary there (respectively, here) is that the input $\mathrm{CVP}_{p}$ instances be $\mathrm{CVP}^{\prime}_{p}$ instances (respectively, that the input $\mathrm{CVP}_{p,\gamma}$ instances be $\mathrm{CVP}^{\prime}_{p,\gamma}$ instances with $\gamma>1$ ); $\mathrm{CVP}^{\prime}$ frequently appears in the study of the complexity of lattice problems, and so this shows that the reduction is quite natural.

Lemma 4.3.

Let $p\in[1,\infty)$ , $\varepsilon>0$ , and $\gamma>1$ be constants, and let $\varepsilon_{u}:=\gamma^{p}\varepsilon/(3^{p}-1)$ . Then for all

1\leq\gamma^{\prime}<\big{(}\frac{1+\varepsilon_{u}+\gamma^{p}\varepsilon}{1+\varepsilon_{u}+\varepsilon}\big{)}^{1/p}

and $n^{\prime},n\in\mathbb{Z}^{+}$ satisfying $n^{\prime}\leq n\leq\operatorname{poly}(n^{\prime})$ , there is a deterministic Karp reduction from $\mathrm{CVP}^{\prime}_{p,\gamma}$ on lattices of rank $n^{\prime}$ to $(A,G)$ - $\mathrm{CVP}_{p,\gamma^{\prime}}$ on lattices of rank $n$ , where

A:=c\cdot N_{p}^{o}(\mathbb{Z}^{n},(1+\varepsilon_{u}+\gamma^{p}\varepsilon)^{1/p}\cdot n^{1/p}/2,\boldsymbol{0}),\qquad G:=2^{n-n^{\prime}}

for some constant $c=c(p,\varepsilon,\gamma,\gamma^{\prime})$ .

Proof.

Let $B^{\prime}$ , $\boldsymbol{t}^{\prime}$ be the input instance of $\mathrm{CVP}^{\prime}_{p,\gamma}$ . We will again use the transformation in Lemma 3.2 with $B^{\dagger}=I_{n-n^{\prime}}$ and $\boldsymbol{t}^{\dagger}=1/2\cdot\boldsymbol{1}$ . Specifically, we set

B:=\begin{pmatrix}sB^{\prime}&0\\ I_{n^{\prime}}&0\\ 0&I_{n-n^{\prime}}\end{pmatrix}\ \text{,}\qquad\boldsymbol{t}:=\begin{pmatrix}s\boldsymbol{t}^{\prime}\\ \frac{1}{2}\boldsymbol{1}\\ \frac{1}{2}\boldsymbol{1}\end{pmatrix}\ \text{,}

with $s:=(\varepsilon n)^{1/p}/2$ , set $r:=(s^{p}+n/2^{p})^{1/p}=((1+\varepsilon)\cdot n)^{1/p}/2$ , and set $u:=(\varepsilon_{u}n)^{1/p}/2$ (where $\varepsilon_{u}:=\gamma^{p}\varepsilon/(3^{p}-1)$ ). The output $(A,G)$ - $\mathrm{CVP}_{p,\gamma^{\prime}}$ instance consists of $B$ , $\boldsymbol{t}$ , $r$ , and $u$ . It is clear that the reduction runs in polynomial time, and remains to prove correctness of the reduction.

Let $\mathcal{L}=\mathcal{L}(B)$ . Suppose that the input $\mathrm{CVP}^{\prime}_{p,\gamma}$ instance is a YES instance. Then there exists $\boldsymbol{x}\in\{{0,1}\}^{n^{\prime}}$ such that $\lVert B^{\prime}\boldsymbol{x}-\boldsymbol{t}^{\prime}\rVert_{p}\leq 1$ , so applying Lemma 3.2, Item 2 we get

	$\displaystyle N_{p}(\mathcal{L},r,\boldsymbol{t})$	$\displaystyle=N_{p}(\mathcal{L},(s^{p}+n^{\prime}/2^{p}+(n-n^{\prime})/2^{p})^{1/p},\boldsymbol{t})$
		$\displaystyle\geq N_{p}(\mathbb{Z}^{n-n^{\prime}},(n-n^{\prime})^{1/p}/2,1/2\cdot\boldsymbol{1})$
		$\displaystyle=2^{n-n^{\prime}}=G\ \text{.}$

It follows that the output $(A,G)$ - $\mathrm{CVP}_{p,\gamma^{\prime}}$ instance is a YES instance.

Now, suppose that the input $\mathrm{CVP}^{\prime}_{p,\gamma}$ instance is a NO instance. Then

	$\displaystyle A_{p,u}(\mathcal{L},\gamma^{\prime}\cdot(r^{p}+u^{p})^{1/p},\boldsymbol{t})$	$\displaystyle=\sum_{z=0}^{\lfloor\gamma^{\prime}(r^{p}/u^{p}+1)^{1/p}\rfloor}N_{p}(\mathcal{L},((\gamma^{\prime})^{p}r^{p}+((\gamma^{\prime})^{p}-z^{p})u^{p})^{1/p},z\cdot\boldsymbol{t})-1$
		$\displaystyle=\sum_{z=0}^{\lfloor\gamma^{\prime}((1+\varepsilon+\varepsilon_{u})/\varepsilon_{u})^{1/p}\rfloor}N_{p}(\mathcal{L},((1+\varepsilon+\varepsilon_{u})\cdot(\gamma^{\prime})^{p}-\varepsilon_{u}\cdot z^{p})^{1/p}\cdot n^{1/p}/2,z\cdot\boldsymbol{t})-1$
		$\displaystyle\leq\sum_{z=0}^{\lfloor\gamma^{\prime}((1+\varepsilon+\varepsilon_{u})/\varepsilon_{u})^{1/p}\rfloor}N_{p}^{o}\big{(}\mathcal{L},\big{(}1+\gamma^{p}\varepsilon\big{(}1-\frac{z^{p}-1}{3^{p}-1}\big{)}\big{)}^{1/p}\cdot n^{1/p}/2,z\cdot\boldsymbol{t}\big{)}\ \text{,}$

where the inequality follows by the strict upper bound on the choice of $\gamma^{\prime}$ and the definition of $\varepsilon_{u}$ .

We will upper bound summands in the above sum according to three cases. First, consider summands in which $z$ is even. By Lemma 3.2, Item 1, and the fact that $z/2\cdot\boldsymbol{1}\in\mathbb{Z}^{n}$ ,

$\displaystyle N_{p}^{o}\big{(}\mathcal{L},\big{(}1+\gamma^{p}\varepsilon\big{(}1-\frac{z^{p}-1}{3^{p}-1}\big{)}\big{)}^{1/p}\cdot n^{1/p}/2,z\cdot\boldsymbol{t}\big{)}$	$\displaystyle\leq N_{p}^{o}(\mathcal{L},(1+\varepsilon_{u}+\gamma^{p}\varepsilon)^{1/p}\cdot n^{1/p}/2,z\cdot\boldsymbol{t})$
	$\displaystyle\leq N_{p}^{o}(\mathbb{Z}^{n},(1+\varepsilon_{u}+\gamma^{p}\varepsilon)^{1/p}\cdot n^{1/p}/2,z/2\cdot\boldsymbol{1})$
	$\displaystyle=N_{p}^{o}(\mathbb{Z}^{n},(1+\varepsilon_{u}+\gamma^{p}\varepsilon)^{1/p}\cdot n^{1/p}/2,\boldsymbol{0})\ \text{.}$	(22)

Second, consider the case where $z=1$ . Then using the fact that $\mathrm{dist}_{p}(\boldsymbol{t}^{\prime},\mathcal{L}(B^{\prime}))>\gamma$ and applying Lemma 3.2, Item 3 we have that

	$\displaystyle N_{p}^{o}\big{(}\mathcal{L},\big{(}1+\gamma^{p}\varepsilon\big{(}1-\frac{z^{p}-1}{3^{p}-1}\big{)}\big{)}^{1/p}\cdot n^{1/p}/2,z\cdot\boldsymbol{t}\big{)}$	$\displaystyle=N_{p}^{o}(\mathcal{L},(1+\gamma^{p}\varepsilon)^{1/p}\cdot n^{1/p}/2,\boldsymbol{t})$
		$\displaystyle\leq N_{p}^{o}(\mathbb{Z}^{n},((1+\gamma^{p}\varepsilon)\cdot n/2^{p}-\gamma^{p}s^{p})^{1/p},1/2\cdot\boldsymbol{1})$
		$\displaystyle=N_{p}^{o}(\mathbb{Z}^{n},n^{1/p}/2,1/2\cdot\boldsymbol{1})=0\ \text{,}$

where the last equality follows by noting that because $\mathrm{dist}_{p}(1/2\cdot\boldsymbol{1},\mathbb{Z}^{n})=n^{1/p}/2$ there is no integer point in the open ball of radius $n^{1/p}/2$ . Third, consider the case where $z$ is odd and $z\geq 3$ . Then, by Lemma 3.2, Item 1 and the fact that $\mathbb{Z}^{n}-z/2\cdot\boldsymbol{1}=\mathbb{Z}^{n}-1/2\cdot\boldsymbol{1}$ , we have

	$\displaystyle N_{p}^{o}\big{(}\mathcal{L},\big{(}1+\gamma^{p}\varepsilon\big{(}1-\frac{z^{p}-1}{3^{p}-1}\big{)}\big{)}^{1/p}\cdot n^{1/p}/2,z\cdot\boldsymbol{t}\big{)}$	$\displaystyle\leq N_{p}^{o}(\mathcal{L},n^{1/p}/2,z\cdot\boldsymbol{t})$
		$\displaystyle\leq N_{p}^{o}(\mathbb{Z}^{n},n^{1/p}/2,1/2\cdot\boldsymbol{1})=0\ \text{.}$

The fact that $A_{p,u}(\mathcal{L},\gamma^{\prime}\cdot(r^{p}+u^{p})^{1/p},\boldsymbol{t})\leq A$ then follows by noting that the sum $A_{p,u}(\mathcal{L},\gamma^{\prime}\cdot(r^{p}+u^{p})^{1/p},\boldsymbol{t})$ has a constant number of terms, that summands in which $z$ is even are upper bounded by the right-hand side in Equation 22, and that summands in which $z$ is odd are equal to $0$ . Hence the output $(A,G)$ - $\mathrm{CVP}_{p,\gamma^{\prime}}$ instance is a NO instance. ∎

It remains to set the parameters so that $G\geq 1000A$ in Lemma 4.3. Following [AS18],¹²¹²12Actually, [AS18] defines $C_{p}$ using the quantity $W_{p}:=\min_{\tau>0}\exp(\tau/2^{p})\Theta_{p}(\tau)$ . However, $W_{p}$ is equivalent to $\beta_{p,0}(1/2)$ by 2.9, Item 2, and therefore Equation 23 is equivalent to the definition of $C_{p}$ in [AS18]. let $p_{0}\approx 2.1397$ be the unique solution to the equation $\beta_{p,0}(1/2)=2$ , and for $p>p_{0}$ define

C_{p}:=\frac{1}{1-\log_{2}\beta_{p,0}(1/2)}\ \text{.}

(23)

This quantity is essentially the multiplicative rank-increase factor that our reduction from $\mathrm{CVP}^{\prime}_{p,\gamma}$ to $\mathrm{SVP}_{p,\gamma^{\prime}}$ incurs, and hence it determines the quality of the best runtime lower bound on $\mathrm{SVP}_{p,\gamma^{\prime}}$ that we are able show (assuming randomized Gap-SETH). We note that although we do not have a closed-form expression for $C_{p}$ itself, we can compute it to high accuracy and also have a rather tight closed-form upper bound on it; see Figure 2 and Equation 24.

Lemma 4.4.

For every $p>p_{0}$ , $C>C_{p}$ , and $\gamma>1$ , there exists $\gamma^{\prime}=\gamma^{\prime}(p,C,\gamma)>1$ such that there is an efficient randomized reduction from $\mathrm{CVP}^{\prime}_{p,\gamma}$ in rank $n^{\prime}$ to $\mathrm{SVP}_{p,\gamma^{\prime}}$ in rank $Cn^{\prime}+1$ for all sufficiently large $n^{\prime}$ .

Proof.

By Theorem 4.2, it suffices to reduce $\mathrm{CVP}^{\prime}_{p,\gamma}$ in rank $n^{\prime}$ with $\gamma>1$ to $(A,G)$ - $\mathrm{CVP}_{p,\gamma^{\prime}}$ in rank $n=Cn^{\prime}$ for some $\gamma^{\prime}=\gamma^{\prime}(p,C,\gamma)>1$ so that $G\geq 1000A$ for all sufficiently large $n^{\prime}$ . To do this, by Lemma 4.3, it suffices to show the existence of $\varepsilon=\varepsilon(p,C,\gamma)>0$ so that $G\geq 1000A$ for all sufficiently large $n^{\prime}$ , where

	$\displaystyle A$	$\displaystyle=c\cdot N_{p}^{o}\big{(}\mathbb{Z}^{n},(1+\varepsilon_{u}+\gamma^{p}\varepsilon)^{1/p}\cdot n^{1/p}/2,\boldsymbol{0}\big{)}\leq c\cdot\beta_{p,0}((1+\varepsilon_{u}+\gamma^{p}\varepsilon)^{1/p}\cdot 1/2)^{n}\ \text{,}$
	$\displaystyle G$	$\displaystyle=2^{n-n^{\prime}}=2^{(1-1/C)n}\ \text{,}$

and $\varepsilon_{u}=\gamma^{p}\varepsilon/(3^{p}-1)$ . (Here the upper bound on $A$ is given by 2.9, Item 1.) Indeed, then we can take $\gamma^{\prime}$ to be any value in the range $1<\gamma^{\prime}<\big{(}\frac{1+\varepsilon_{u}+\gamma^{p}\varepsilon}{1+\varepsilon_{u}+\varepsilon}\big{)}^{1/p}$ .

By taking $n$ -th roots of $A$ and $G$ , we see that for $G\geq 1000A$ to hold for all sufficiently large $n^{\prime}$ , it suffices to have

\beta_{p,0}((1+\varepsilon_{u}+\gamma^{p}\varepsilon)^{1/p}\cdot 1/2)<2^{1-1/C}\ \text{.}

Then because $\beta_{p,0}(a)$ is strictly increasing in $a$ , it suffices to have

(1+\varepsilon_{u}+\gamma^{p}\varepsilon)^{1/p}\cdot 1/2<\beta_{p,0}^{-1}(2^{1-1/C})\ \text{.}

By recalling the definition of $C_{p}$ in Equation 23, we know that $\beta_{p,0}^{-1}(2^{1-1/C})>1/2$ holds for $C>C_{p}$ , and hence there exists $\varepsilon>0$ satisfying the inequality. More specifically, one can check that the inequality is satisfied by taking any $\varepsilon$ in the (non-empty) range

0<\varepsilon<\frac{(2\beta_{p,0}^{-1}(2^{1-1/C}))^{p}-1}{\gamma^{p}\cdot(1+1/(3^{p}-1))}\ \text{.}\qed

Combining Theorem 2.18 and Lemma 4.4 we immediately get Theorem 1.4, which we restate below.

Theorem 1.4.

We note that because the multiplicative rank increase factor $C$ in Lemma 4.4 is strictly greater than $C_{p}$ , the $1-\varepsilon$ factor in the runtime lower bound exponent in Theorem 2.18 gets absorbed by $C$ .

We conclude by showing a closed-form upper bound on $C_{p}$ based on the following bound on the function $\beta_{p,0}(a)$ .

Claim 4.5.

For any $p\in[1,\infty)$ and $a>0$ , $\beta_{p,0}(a)\leq\exp(\operatorname{arcsinh}(a^{p})+\operatorname{arcsinh}(a^{-p})\cdot a^{p})$ .

Proof.

The result is implicit in [BP20, Lemma 3.11], where it is shown that for any $\sigma>0$ ,

\min_{\tau>0}\exp(\tau/\sigma)\cdot\Theta_{p}(\tau,0)\leq\min_{\tau}\exp(\tau/\sigma)\cdot\Bigl{(}\frac{2}{1-\exp(-\tau)}-1\Bigr{)}\ \text{,}

and the minimizer for the right-hand side is $\tau=\operatorname{arcsinh}(\sigma)$ . Hence by setting $\sigma=a^{-p}$ we have

	$\displaystyle\beta_{p,0}(a)$	$\displaystyle=\min_{\tau>0}\exp(\tau a^{p})\cdot\Theta_{p}(\tau,0)$
		$\displaystyle\leq\exp(\tau a^{p})\cdot\Bigl{(}\frac{2}{1-\exp(-\tau)}-1\Bigr{)}\Big{\|}_{\tau=\operatorname{arcsinh}(a^{-p})}$
		$\displaystyle=\exp(\operatorname{arcsinh}(a^{p})+\operatorname{arcsinh}(a^{-p})\cdot a^{p})\ \text{.}\qed$

By 4.5 and the definition of $C_{p}$ in Equation 23, we get the following upper bound on $C_{p}$ for all sufficiently large $p$ (all $p$ greater than approximately $2.2241$ so that the denominator is positive):

C_{p}\leq\frac{\ln(2)}{\ln(2)-\operatorname{arcsinh}(1/2^{p})-\operatorname{arcsinh}(2^{p})/2^{p}}\ \text{.}

(24)

We remark that this gives a tighter closed-form bound on $C_{p}$ than the one in [AS18, Claim 4.4]; see Figure 2. Furthermore, $\lim_{x\to 0}\operatorname{arcsinh}(x)=0$ and $\lim_{x\to\infty}\operatorname{arcsinh}(x)/x=0$ , and it is easy to see $C_{p}\geq 1$ , so Equation 24 shows that $\lim_{p\to\infty}C_{p}=1$ .

References

[ABGS21] Divesh Aggarwal, Huck Bennett, Alexander Golovnev, and Noah Stephens-Davidowitz. Fine-grained hardness of CVP(P) — everything that we can prove (and nothing else). In SODA, 2021.
[ABSS97] Sanjeev Arora, László Babai, Jacques Stern, and Z. Sweedyk. The hardness of approximate optima in lattices, codes, and systems of linear equations. J. Comput. Syst. Sci., 54(2):317–331, 1997.
[AC21] Divesh Aggarwal and Eldon Chung. A note on the concrete hardness of the shortest independent vector in lattices. Inf. Process. Lett., 167:106065, 2021.
[AD97] Miklós Ajtai and Cynthia Dwork. A public-key cryptosystem with worst-case/average-case equivalence. In STOC, pages 284–293, 1997.
[Ajt98] Miklós Ajtai. The shortest vector problem in $L_{2}$ is NP-hard for randomized reductions (extended abstract). In STOC, pages 10–19, 1998.
[AS18] Divesh Aggarwal and Noah Stephens-Davidowitz. (Gap/S)ETH hardness of SVP. In STOC, pages 228–238, 2018.
[BDGL16] Anja Becker, Léo Ducas, Nicolas Gama, and Thijs Laarhoven. New directions in nearest neighbor searching with applications to lattice sieving. In SODA, pages 10–24, 2016.
[BGS17] Huck Bennett, Alexander Golovnev, and Noah Stephens-Davidowitz. On the quantitative hardness of CVP. In FOCS, 2017.
[BP20] Huck Bennett and Chris Peikert. Hardness of bounded distance decoding on lattices in $\ell_{p}$ norms. In CCC, 2020.
[BSW16] Shi Bai, Damien Stehlé, and Weiqiang Wen. Improved reduction from the bounded distance decoding problem to the unique shortest vector problem in lattices. In ICALP, pages 76:1–76:12, 2016.
[Din16] Irit Dinur. Mildly exponential reduction from gap 3SAT to polynomial-gap label-cover. Electronic Colloquium on Computational Complexity (ECCC), 23:128, 2016.
[EOR91] N. D. Elkies, A. M. Odlyzko, and J. A. Rush. On the packing densities of superballs and other bodies. Inventiones mathematicae, 105:613–639, December 1991.
[FLM77] T. Figiel, J. Lindenstrauss, and V. D. Milman. The dimension of almost spherical sections of convex bodies. Acta Math., 139(1-2):53–94, 1977.
[GPV08] Craig Gentry, Chris Peikert, and Vinod Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. In STOC, pages 197–206, 2008.
[HR12] Ishay Haviv and Oded Regev. Tensor-based hardness of the shortest vector problem to within almost polynomial factors. Theory of Computing, 8(1):513–531, 2012. Preliminary version in STOC 2007.
[IP01] Russell Impagliazzo and Ramamohan Paturi. On the complexity of $k$ -SAT. J. Comput. Syst. Sci., 62(2):367–375, 2001.
[Kho05] Subhash Khot. Hardness of approximating the shortest vector problem in lattices. J. ACM, 52(5):789–808, 2005. Preliminary version in FOCS 2004.
[Kho06] Subhash Khot. Hardness of approximating the shortest vector problem in high $\ell_{p}$ norms. J. Comput. Syst. Sci., 72(2):206–219, 2006.
[LLM06] Yi-Kai Liu, Vadim Lyubashevsky, and Daniele Micciancio. On bounded distance decoding for general lattices. In RANDOM, pages 450–461, 2006.
[LM09] Vadim Lyubashevsky and Daniele Micciancio. On bounded distance decoding, unique shortest vectors, and the minimum distance problem. In CRYPTO, pages 577–594, 2009.
[Man19] Pasin Manurangsi. Approximation and Hardness: Beyond P and NP. PhD thesis, University of California, Berkeley, 2019.
[Mic00] Daniele Micciancio. The shortest vector in a lattice is hard to approximate to within some constant. SIAM J. Comput., 30(6):2008–2035, 2000. Preliminary version in FOCS 1998.
[Mic01] Daniele Micciancio. The hardness of the closest vector problem with preprocessing. IEEE Trans. Information Theory, 47(3):1212–1215, 2001.
[Mic12] Daniele Micciancio. Inapproximability of the shortest vector problem: Toward a deterministic reduction. Theory of Computing, 8(1):487–512, 2012.
[Mic14] Daniele Micciancio. Locally dense codes. In CCC, pages 90–97, 2014.
[MO90] J. E. Mazo and A. M. Odlyzko. Lattice points in high-dimensional spheres. Monatshefte für Mathematik, 110:47–61, March 1990.
[MR07] Daniele Micciancio and Oded Regev. Worst-case to average-case reductions based on Gaussian measures. SIAM J. Comput., 37(1):267–302, 2007. Preliminary version in FOCS 2004.
[MR17] Pasin Manurangsi and Prasad Raghavendra. A birthday repetition theorem and complexity of approximating dense CSPs. In ICALP, pages 78:1–78:15, 2017.
[MS19] Stephen D. Miller and Noah Stephens-Davidowitz. Kissing numbers and transference theorems from generalized tail bounds. SIDMA, 33(3), 2019.
[Reg09] Oded Regev. On lattices, learning with errors, random linear codes, and cryptography. J. ACM, 56(6):1–40, 2009. Preliminary version in STOC 2005.
[RR06] Oded Regev and Ricky Rosen. Lattice problems and norm embeddings. In STOC, pages 447–456, 2006.
[Ste16] Noah Stephens-Davidowitz. Discrete Gaussian sampling reduces to CVP and SVP. In SODA, pages 1748–1764, 2016.
[vEB81] Peter van Emde Boas. Another NP-complete problem and the complexity of computing short vectors in a lattice. Technical Report 81-04, University of Amsterdam, 1981.
[Vlă19] Serge Vlăduţ. Lattices with exponentially large kissing numbers. Mosc. J. Comb. Number Theory, 8(2):163–177, 2019.
[Vlă21] Serge Vlăduţ. On the lattice hadwiger number of superballs and some other bodies. Discrete & Computational Geometry, January 2021.

Appendix A Proofs of Claims in the Preliminaries

In this appendix, we restate and give proofs for two technical claims from the preliminaries.

See 2.9

Proof.

For Item 1, we note that because $a>t$ there exists a unique solution $\tau^{*}$ to $\mu_{p}(\tau^{*},t)=a^{p}$ by 2.6. The result then follows from the definition of $\beta_{p,t}(a)$ and from Theorem 2.8.

For Item 2, a calculation shows that $\frac{\partial}{\partial\tau}\ln(\exp(\tau a^{p})\cdot\Theta_{p}(\tau,t))=a^{p}-\mu_{p}(\tau,t)$ and $\frac{\partial^{2}}{\partial\tau^{2}}\ln(\exp(\tau a^{p})\cdot\Theta_{p}(\tau,t))=-\frac{\partial}{\partial\tau}\mu_{p}(\tau,t)>0$ (see e.g. the proof of 2.6 for relevant calculations). Hence $\tau=\tau^{*}$ , where $\tau^{*}$ is the unique solution to $\mu_{p}(\tau^{*},t)=a^{p}$ , is the global minimizer of $\exp(\tau a^{p})\cdot\Theta_{p}(\tau,t)$ , and therefore $\beta_{p,t}(a)=\exp(\tau^{*}a^{p})\cdot\Theta_{p}(\tau^{*},t)=\min_{\tau>0}\exp(\tau a^{p})\cdot\Theta_{p}(\tau,t)$ , as desired.

For Item 3, we start by proving that $\beta_{p,t}(a)$ is right-continuous at $a=t$ , i.e., that $\lim_{a\to t^{+}}\beta_{p,t}(a)=1$ for $t\in[0,1/2)$ and $\lim_{a\to t^{+}}\beta_{p,t}(a)=2$ for $t=1/2$ . By the definition of $\beta_{p,t}(a)$ , we have that for every $a>t$ there exists $\tau^{*}>0$ such that

	$\displaystyle\beta_{p,t}(a)$	$\displaystyle=\sum_{z\in\mathbb{Z}}\exp(\tau^{*}(a^{p}-\left\|{z-t}\right\|^{p}))$
		$\displaystyle=\exp(\tau^{}(a^{p}-t^{p}))+\exp(\tau^{}(a^{p}-(1-t)^{p}))+\sum_{z\in\mathbb{Z}\setminus\{{0,1}\}}\exp(\tau^{*}(a^{p}-\left\|{z-t}\right\|^{p}))\ \text{.}$		(25)

By examining the first two terms in Equation 25, it is clear that for $a>t$ we have $\beta_{p,t}(a)>1$ when $t\in[0,1/2)$ and $\beta_{p,t}(a)>2$ when $t=1/2$ .

We turn to showing that for every $t\in[0,1/2]$ , $\lim_{a\to t^{+}}\beta_{p,t}(a)\leq 1$ when $t\in[0,1/2)$ and $\lim_{a\to t^{+}}\beta_{p,t}(a)\leq 2$ when $t=1/2$ . We have that for any $\tau>0$ and $a\leq(t^{p}+1/2)^{1/p}$ ,

$\displaystyle\beta_{p,t}(a)$	$\displaystyle\leq\exp(\tau(a^{p}-t^{p}))+\exp(\tau(a^{p}-(1-t)^{p}))+\sum_{z\in\mathbb{Z}\setminus\{{0,1}\}}\exp(\tau(a^{p}-\left\|{z-t}\right\|^{p}))$
	$\displaystyle\leq\exp(\tau(a^{p}-t^{p}))+\exp(\tau(a^{p}-(1-t)^{p}))+2\sum_{z=1}^{\infty}\exp(\tau(1/2-z))$
	$\displaystyle=\exp(\tau(a^{p}-t^{p}))+\exp(\tau(a^{p}-(1-t)^{p}))+2\cdot\frac{\exp(-\tau/2)}{1-\exp(-\tau)}\ \text{.}$	(26)

The first inequality follows from Item 2 and Equation 25. The second inequality follows by noting that

	$\displaystyle a^{p}-\left\|{z-t}\right\|^{p}$	$\displaystyle\leq t^{p}+1/2-\left\|{z-t}\right\|^{p}$
		$\displaystyle\leq t^{p}+1/2-\left\|{z}\right\|^{p}-t^{p}$
		$\displaystyle\leq 1/2-\left\|{z}\right\|^{p}$
		$\displaystyle\leq 1/2-\left\|{z}\right\|$

for $z\leq-1$ , and

	$\displaystyle a^{p}-\left\|{z-t}\right\|^{p}$	$\displaystyle\leq t^{p}+1/2-((z-1)+(1-t))^{p}$
		$\displaystyle\leq t^{p}+1/2-(z-1)^{p}-(1-t)^{p}$
		$\displaystyle\leq 1/2-(z-1)^{p}$
		$\displaystyle\leq 1/2-(z-1)$

for $z\geq 2$ , where we used the fact that $\left|{x+y}\right|^{p}\geq\left|{x}\right|^{p}+\left|{y}\right|^{p}$ when $x$ and $y$ are both non-negative or both non-positive. The equality follows by using the formula for summing geometric series.

The desired bounds for $\lim_{a\to t^{+}}\beta_{p,t}(a)$ then follow by taking the limits $\lim_{\tau\to\infty}\lim_{a\to t^{+}}$ on both sides of Equation 26, where the limits applied to the terms on the right-hand side act as follows:

	$\displaystyle\lim_{\tau\to\infty}\lim_{a\to t^{+}}\exp(\tau(a^{p}-t^{p}))$	$\displaystyle=\lim_{\tau\to\infty}1=1\ \text{,}$
	$\displaystyle\lim_{\tau\to\infty}\lim_{a\to t^{+}}\exp(\tau(a^{p}-(1-t)^{p}))$	$\displaystyle=\begin{cases}\lim_{\tau\to\infty}\exp(\tau(t^{p}-(1-t)^{p}))=0\ \text{,}&t\in[0,1/2)\ \text{,}\\ \lim_{\tau\to\infty}1=1\ \text{,}&t=1/2\ \text{,}\end{cases}$
	$\displaystyle\lim_{\tau\to\infty}\lim_{a\to t^{+}}\frac{\exp(-\tau/2)}{1-\exp(-\tau)}$	$\displaystyle=0\ \text{.}$

We have shown that $\beta_{p,t}(a)$ is right-continuous at $t=a$ for every $t\in[0,1/2]$ . To finish proving Item 3, it then suffices to show that $\beta_{p,t}(a)$ is strictly increasing and differentiable for $a>t$ . Let $\tau^{*}=\tau^{*}(a)$ be the unique solution to $\mu_{p}(\tau^{*},t)=a^{p}$ . We calculate the derivative as follows:

	$\displaystyle\frac{\mathrm{d}}{\mathrm{d}a}\beta_{p,t}(a)$	$\displaystyle=\frac{\mathrm{d}\tau^{}(a)}{\mathrm{d}a}\frac{\partial}{\partial\tau^{}}\exp(\tau^{}a^{p})\cdot\Theta_{p}(\tau^{},t)+\frac{\partial}{\partial a}\exp(\tau^{}a^{p})\cdot\Theta_{p}(\tau^{},t)$
		$\displaystyle=0+\frac{\partial}{\partial a}\exp(\tau^{}a^{p})\cdot\Theta_{p}(\tau^{},t)$
		$\displaystyle=\tau^{*}(a)\cdot pa^{p-1}\cdot\beta_{p,t}(a)>0\ \text{,}$

where the first equality regards $\exp(\tau^{*}a^{p})\cdot\Theta_{p}(\tau^{*},t)$ as a function with two variables $a,\tau^{*}$ and uses the chain rule to get its total derivative at $(a,\tau^{*}(a))$ , and the zero term in the second equality follows from Item 2: $\tau^{*}=\tau^{*}(a)$ is the minimizer of $\exp(\tau^{*}a^{p})\cdot\Theta_{p}(\tau^{*},t)$ so $\frac{\partial}{\partial\tau^{*}}\exp(\tau^{*}a^{p})\cdot\Theta_{p}(\tau^{*},t)=0$ at $(a,\tau^{*}(a))$ .

Item 4 immediately follows from Item 3. ∎

See 2.10

Proof.

Let $S_{k}=\sum_{z\in Z}\exp(-\tau\left|{z-t}\right|^{p})\cdot\left|{z-t}\right|^{kp}$ . Then $\Theta_{p}(\tau,t)=S_{0}$ and $\mu_{p}(\tau,t)=S_{1}/S_{0}$ . Observe that by definition of integration, we have

	$\displaystyle\lim_{\tau\to 0}S_{k}\cdot\tau^{k+1/p}$	$\displaystyle=\lim_{\tau\to 0}\sum_{z\in Z}\exp(-\tau\left\|{z-t}\right\|^{p})\cdot(\tau\left\|{z-t}\right\|^{p})^{k}\cdot\tau^{1/p}$
		$\displaystyle=\int_{-\infty}^{\infty}\exp(-\left\|{\zeta}\right\|^{p})\cdot\left\|{\zeta}\right\|^{kp}\cdot\mathrm{d}\zeta$
		$\displaystyle=2\int_{0}^{\infty}\exp(-x)\cdot x^{k}\cdot(x^{1/p-1}/p)\mathrm{d}x$
		$\displaystyle=2\Gamma(k+1/p)/p\ \text{.}$

Therefore we immediately get Item 1 and Item 2 as

	$\displaystyle\lim_{\tau\to 0}\Theta_{p}(\tau,t)\cdot\tau^{1/p}$	$\displaystyle=\lim_{\tau\to 0}S_{0}\cdot\tau^{1/p}=2\Gamma(1/p)/p=2\Gamma(1+1/p)\ \text{,}$
	$\displaystyle\lim_{\tau\to 0}\mu_{p}(\tau,t)\cdot\tau$	$\displaystyle=\lim_{\tau\to 0}(S_{1}\cdot\tau^{1+1/p})/(S_{0}\cdot\tau^{1/p})=\Gamma(1+1/p)/\Gamma(1/p)=1/p\ \text{.}$

For Item 3 , note that $\beta_{p,t}(a)=\exp(\tau^{*}a^{p})\cdot\Theta_{p}(\tau^{*},t)$ where $\tau^{*}$ is the unique solution to $\mu_{p}(\tau^{*},t)=a^{p}$ . By Item 2, we know that $\lim_{\tau^{*}\to 0}\mu_{p}(\tau^{*},t)\cdot\tau^{*}=1/p$ is a constant, and therefore that $\lim_{\tau^{*}\to 0}\mu_{p}(\tau^{*},t)=\infty$ . Thus by the monotonicity of $\mu_{p}(\tau,t)$ in $\tau$ (see e.g. the proof of 2.6), we know that $\lim_{a\to\infty}\tau^{*}=0$ . Then $\lim_{a\to\infty}\tau^{*}a^{p}=1/p$ , and, using Item 1,

\lim_{a\to\infty}\beta_{p,t}(a)/a=\lim_{a\to\infty}\frac{\exp(\tau^{*}a^{p})\cdot\Theta_{p}(\tau^{*},t)\cdot(\tau^{*})^{1/p}}{(\tau^{*})^{1/p}\cdot a}=\frac{\exp(1/p)\cdot 2\Gamma(1+1/p)}{(1/p)^{1/p}}=2\Gamma(1+1/p)\cdot(ep)^{1/p}\ \text{.}\qed

We remark that Item 3 of 2.10 can also be derived using the generic fact that for any lattice coset $\mathcal{L}-\boldsymbol{t}$ and centrally symmetric convex body $K$ , $\lim_{a\to\infty}\left|{(\mathcal{L}-\boldsymbol{t})\cap aK}\right|/\operatorname{vol}(aK)=1/\det(\mathcal{L})$ ; here we can set $\mathcal{L}=\mathbb{Z}^{n}$ and $K$ to be the unit $\ell_{p}$ ball in $n$ dimensions.

	$\displaystyle a^{p}-\left\|{z-t}\right\|^{p}$	$\displaystyle\leq t^{p}+1/2-\left\|{z-t}\right\|^{p}$
		$\displaystyle\leq t^{p}+1/2-\left\|{z}\right\|^{p}-t^{p}$
		$\displaystyle\leq 1/2-\left\|{z}\right\|^{p}$
		$\displaystyle\leq 1/2-\left\|{z}\right\|$

Improved Hardness of BDD and SVP Under Gap-(S)ETH

Abstract

1 Introduction

BDD and SVP.

1.1 Our Results

1.1.1 Hardness for BDD

Theorem 1.1 (Gap-ETH-hardness of BDD, first bound).

Theorem 1.2 (Gap-ETH-hardness of BDD, second bound).

Theorem 1.3 (Gap-SETH-hardness of BDD).

1.1.2 Hardness for SVP

Theorem 1.4 (Gap-SETH-hardness of SVP).

1.2 Our Techniques

1.2.1 Locally Dense Lattices

1.2.2 Sparsification

1.2.3 A Transformation Using Locally Dense Lattices

1.2.4 Specific Locally Dense Lattices

Exponential kissing number lattices.

The integer lattice ℤn\mathbb{Z}^{n}.

1.3 Open Questions

1.4 Acknowledgments

2 Preliminaries

2.1 Lattices and Point Counting

Claim 2.1.

Proof.

Claim 2.2.

Proof.

2.2 Sparsification

Lemma 2.3.

Proof.

Lemma 2.4.

Proof.

Proposition 2.5.

Proof.

2.3 Point Counting via the Theta Function

Claim 2.6.

Proof.

Definition 2.7.

Theorem 2.8.

Claim 2.9.

Claim 2.10.

2.4 Lattice Problems

Definition 2.11.

Definition 2.12.

Definition 2.13.

2.5 Hardness Assumptions and Results

Definition 2.14 (Gap Exponential Time Hypothesis (Gap-ETH)).

Definition 2.15 (Gap Strong Exponential Time Hypothesis (Gap-SETH)).

Definition 2.16 (Strong Exponential Time Hypothesis (SETH)).

2.5.1 Hardness of CVP’ Assuming (Gap-)(S)ETH

Theorem 2.17 ([BGS17, Corollary 5.2]).

Theorem 2.18 ([ABGS21, Theorem 4.2]).

Theorem 2.19 ([ABGS21, Corollary 3.3]).

3 Gap-(S)ETH-hardness of BDD

Definition 3.1.

3.1 General Reductions from CVP’ to BDD

Lemma 3.2.

Proof.

Lemma 3.3.

Proof.

Theorem 3.4.

Proof.

3.2 Gap-ETH-hardness of BDD from Exponential Kissing Number Lattices

Definition 3.5 (Lattice kissing number).

Theorem 3.6 ([Vlă19, Theorem 1.5]).

Lemma 3.7.

Proof.

Lemma 3.8.

Proof.

Lemma 3.9 ([FLM77], [RR06, Theorem 3.2]).

Lemma 3.10.

Proof.

Corollary 3.11.

Proof.

Corollary 3.12.

Theorem 1.1.

3.3 Gap-ETH-hardness of BDD from the Integer Lattice

Lemma 3.13.

Proof.

Corollary 3.14.

Theorem 1.2.

The integer lattice $\mathbb{Z}^{n}$ .