Average hardness of SIVP for module lattices of fixed rank

Koen de Boer, Aurel Page, Radu Toma, Benjamin Wesolowski

TL;DR

The paper proves a polynomial-time worst-case to average-case reduction for γ-SIVP on module lattices of fixed rank under ERH, using a discretized invariant measure and a rounding mechanism to enable computation. It develops a robust automorphic-form–based approach with Hecke operators to achieve quantitative equidistribution of random sublattices, while addressing higher-rank noncompactness via a bulk–cusp–flare trichotomy. A rounding procedure Round_LAT and a sampling scheme Round_LAT are introduced to discretize and sample module lattices without distorting short-vector structure, preserving the hardness transfer. The results establish average-case hardness for structured lattices beyond rank-one ideals, enabling broader cryptographic security assurances and shedding light on the complexity landscape of lattice problems with algebraic structure.

Abstract

The problem of finding short vectors in Euclidean lattices is a central hard problem in complexity theory. The case of module lattices (i.e., lattices which are also modules over a number ring) is of particular interest for cryptography and computational number theory. The hardness of finding short vectors in the asymptotic regime where the rank (as a module) is fixed supports the security of quantum-resistant cryptographic standards such as ML-DSA and ML-KEM. In this article we prove the average-case hardness of this problem for uniformly random module lattices (with respect to the natural invariant measure on the space of module lattices of any fixed rank). More specifically, we prove a polynomial-time worst-case to average-case self-reduction for the approximate Shortest Independent Vector Problem ($\gamma$-SIVP) where the average case is the (discretized) uniform distribution over module lattices, with a polynomially-bounded loss in the approximation factor, assuming the Extended Riemann Hypothesis. This result was previously known only in the rank-1 case (so-called ideal lattices). That proof critically relied on the fact that the space of ideal lattices is a compact group. In higher rank, the space is neither compact nor a group. Our main tool to overcome the resulting challenges is the theory of automorphic forms, which we use to prove a new quantitative rapid equidistribution result for random walks in the space of module lattices.

Paper Structure

This paper contains 109 sections, 100 theorems, 472 equations, 1 figure, 5 algorithms.

Key Result

Theorem 1

Let $K$ be a number field of degree $d$ and discriminant $\Delta_K$. Fix a rank $r \in \mathbb{Z}_{>1}$, and let $n = rd$. Assume ERH for the $L$-function of every Hecke character of $K$ of trivial modulus. Let $\mathscr O$ be an oracle for $\gamma'$-SIVP which succeeds with probabilityThe oracle is

Figures (1)

  • Figure 1: Schematic illustration of a single connected component of the space of module lattices.

Theorems & Definitions (226)

  • Theorem 1
  • Theorem 2: Hecke equidistribution theorem: special case
  • Example 2.1
  • Example 2.2
  • Lemma 2.3: Rules on sizes of elements
  • proof
  • Definition 2.4
  • Lemma 2.5
  • proof
  • Definition 2.6
  • ...and 216 more