The Shortest Vector Problem
A lattice was built as a geometric object: a
discrete additive
subgroup of \(\mathbb{R}^n\), the set of all integer combinations of a basis. From that
geometry the previous pages extracted a single number that measures how tightly the lattice packs
space near the origin — the length of its shortest nonzero vector, the
first
minimum \(\lambda_1(\mathcal{L})\). Everything on that page was about the
existence of a short vector. Minkowski's convex body theorem guaranteed one without ever
producing it, delivering the bound
\[
\lambda_1(\mathcal{L}) \leq \sqrt{n}\,(\det \mathcal{L})^{1/n}
\]
from a volume argument that never inspects a single lattice point. This page asks the question that
existence leaves open. A vector of that length is promised to be there; how hard is it to
find?
The gap between the two questions is the entire subject. Existence is settled by geometry in one
line; construction is, as far as anyone knows, intractable. Naming the construction problem precisely
is the first step.
Definition: The Shortest Vector Problem (SVP)
Given a basis \(\mathbf{B}\) of a lattice \(\mathcal{L} = \mathcal{L}(\mathbf{B}) \subseteq
\mathbb{R}^n\), the shortest vector problem asks for a nonzero lattice vector
\(\mathbf{v} \in \mathcal{L}\) of minimum length, that is, one satisfying
\[
\|\mathbf{v}\| = \lambda_1(\mathcal{L}).
\]
Two aspects of this definition repay a moment's attention, because both separate SVP from problems
that look superficially similar and are in fact easy. The first is that the input is a
basis, not the lattice as a set. The lattice is infinite; one never receives it directly.
One receives a finite list of vectors whose integer combinations generate it, and the same lattice
admits infinitely many such lists, related by the
unimodular
changes of basis catalogued earlier. Some bases are nearly orthogonal and reveal the short vectors at
a glance; others are long and skewed and hide them completely. The difficulty of SVP is precisely the
difficulty of recovering geometric information — the shortest vector — that a badly chosen basis
obscures. A cryptographic construction will later exploit exactly this: it publishes a bad basis and
keeps a good one secret.
The second aspect is that the length is measured in the Euclidean norm, and this is a genuine choice
rather than a formality. The same problem posed in the \(\ell_\infty\) norm — where a vector's length
is its largest coordinate in absolute value — behaves differently, and the difference will surface
when we come to hardness. Unless stated otherwise, \(\|\cdot\|\) means the Euclidean length
throughout, matching the norm in which \(\lambda_1\) was defined.
Why should finding \(\mathbf{v}\) be hard? The lattice is discrete, so a shortest vector exists and
is one of finitely many candidates below any fixed length. One might hope to simply enumerate them.
The obstruction is dimension. The number of lattice points inside a ball of fixed radius grows
exponentially with \(n\), and the shortest vector can hide among integer combinations whose
coefficients are individually large even when the vector they produce is small — a long, skewed basis
arranges precisely this cancellation. Searching the coefficients directly is exponential in \(n\), and
no method is known that avoids paying a cost of that order in the worst case. What replaces
enumeration in practice is basis reduction, which improves a bad basis toward an orthogonal one; we
return to its power and its limits at the end of the page.
In cryptographic settings one rarely needs the exact shortest vector. It is enough to find a vector
that is short to within a factor — and, on the other side, hardness is more naturally established for
the approximate problem than the exact one. Both considerations point to relaxing the definition by a
factor \(\gamma \geq 1\).
Definition: Approximate SVP (\(\mathrm{SVP}_\gamma\))
Let \(\gamma = \gamma(n) \geq 1\) be an approximation factor. Given a basis \(\mathbf{B}\) of
\(\mathcal{L} \subseteq \mathbb{R}^n\), the problem \(\mathrm{SVP}_\gamma\) asks for a nonzero
\(\mathbf{v} \in \mathcal{L}\) with
\[
\|\mathbf{v}\| \leq \gamma \cdot \lambda_1(\mathcal{L}).
\]
The exact problem is the case \(\gamma = 1\).
The approximation factor \(\gamma\) is written as a function of the dimension deliberately. The whole
story of lattice hardness is a story about how this factor scales with \(n\): the problem is
NP-hard for factors close to \(1\), lands in a benign complexity class for factors around
\(\sqrt{n}\), and becomes solvable in polynomial time only once \(\gamma\) is allowed to grow
exponentially. A single family of problems, indexed by one growing parameter, stretches from
intractable to easy. Locating the useful cryptographic regime within that stretch is the task of the
approximation hierarchy developed later on this page.
Before that, a word on the honest state of the exact problem's hardness, because it comes with a
subtlety that the definition's insistence on the Euclidean norm anticipated. That the exact shortest
vector problem is hard is not a folk belief but a theorem — with a caveat about the norm. In the
\(\ell_\infty\) norm, exact SVP is NP-hard, and the proof follows the same combinatorial route that
settles the nearest-vector problem, which the next section takes up. In the Euclidean norm the
question resisted for far longer; establishing NP-hardness there required substantially more
machinery and a reduction that succeeds only with high probability rather than with certainty. The
upshot is that exact SVP is hard, the Euclidean case genuinely harder to prove hard than the
\(\ell_\infty\) case, and — a point the hierarchy will make precise — the hardness that actually
supports cryptography is not this worst-case exact hardness at all, but the hardness of approximating
to within a factor that grows with the dimension.
Distances to a Lattice
The shortest vector problem asks about the lattice in isolation: how close to the origin does a
nonzero lattice point come? A second, equally natural question introduces an outside point. Given a
target \(\mathbf{t} \in \mathbb{R}^n\) that is typically not itself in the lattice, which lattice
point lies nearest to it? This is the closest vector problem, and it is in a precise
sense the more fundamental of the two: much of the hardness of SVP is inherited from it, as the next
section shows by reducing one to the other.
We state it, but — unlike SVP — we do not enshrine it as a named object the rest of the track will
link to. The reason is structural and worth making explicit, since it recurs. The cryptographic
constructions this track builds toward rest on the shortest-vector side and on two close relatives
defined below; the closest vector problem in its full generality serves here as the source of
hardness and the parent of those relatives, not as a load-bearing definition in its own right. It is
the conceptual hub, described precisely and then set to one side.
Given a basis \(\mathbf{B}\) of \(\mathcal{L} \subseteq \mathbb{R}^n\) and a target
\(\mathbf{t} \in \mathbb{R}^n\), the closest vector problem (CVP) asks for a lattice vector
\(\mathbf{v} \in \mathcal{L}\) minimizing \(\|\mathbf{v} - \mathbf{t}\|\); the minimum value itself
is the distance \(\operatorname{dist}(\mathbf{t}, \mathcal{L})\). Three versions of the question sit
at different strengths. The search version demands the nearest vector; the
optimization version asks only for the distance \(\operatorname{dist}(\mathbf{t},
\mathcal{L})\) without exhibiting the vector; the decision version is weaker still, asking
only whether \(\operatorname{dist}(\mathbf{t}, \mathcal{L}) \leq r\) for a supplied bound \(r\). These
look like three problems of decreasing difficulty, and the first implication is immediate: a nearest
vector hands you its own distance, and a distance settles any threshold question. The content is that
the implications also run backward. A procedure that answers only the yes-or-no decision question can
be called repeatedly — binary search over the distance, then a sequence of queries that sieves the
lattice to sparser and sparser sublattices — to recover first the distance and then the vector
itself, all in polynomially many calls. The three versions are therefore equivalent up to
polynomial-time computation, which is why hardness may be studied on whichever version is most
convenient, and why the decision version, being the simplest to reason about, is the one on which the
complexity results are proved.
That decision version is genuinely hard, and here the hardness is not norm-dependent or probabilistic
but flatly classical. Deciding whether a target lies within a given distance of a lattice is
NP-complete.
Membership in NP is
the easy half: a lattice vector within distance \(r\) of the target is a certificate of the "yes"
answer, checkable by a single distance computation, and short enough to write down because its
entries are bounded by the target's size plus \(r\). The hard half exhibits a
polynomial-time
reduction from a problem already known to be NP-complete — the subset-sum problem, which
asks whether some subset of a given list of integers \(a_1, \dots, a_n\) sums to a target \(S\). The
reduction is clean enough to state in full.
The subset-sum reduction
From integers \(a_1, \dots, a_n\) and target \(S\), build the \((n+1) \times n\) basis whose
first row is \((a_1, \dots, a_n)\) and whose remaining rows are \(2 \mathbf{I}_n\), take the
target \(\mathbf{t} = (S, 1, 1, \dots, 1)^{\!\top}\), and set the radius \(r = \sqrt{n}\):
\[
\mathbf{B} =
\begin{pmatrix}
a_1 & a_2 & \cdots & a_n \\\\
2 & 0 & \cdots & 0 \\\\
0 & 2 & \cdots & 0 \\\\
\vdots & & \ddots & \vdots \\\\
0 & 0 & \cdots & 2
\end{pmatrix},
\qquad
\mathbf{t} =
\begin{pmatrix} S \\\\ 1 \\\\ 1 \\\\ \vdots \\\\ 1 \end{pmatrix}.
\]
A lattice point is \(\mathbf{B}\mathbf{x}\) for integer \(\mathbf{x}\); its last \(n\) coordinates
are the even numbers \(2x_1, \dots, 2x_n\), each at distance at least \(1\) from the
corresponding entry of \(\mathbf{t}\). So \(\|\mathbf{B}\mathbf{x} - \mathbf{t}\|^2 \geq n\)
always, with equality only when every \(x_i \in \{0, 1\}\) — making each of those \(n\)
coordinates exactly distance \(1\) away — and when the first coordinate matches exactly,
\(\sum_i a_i x_i = S\). Thus a lattice point lands within \(\sqrt{n}\) of \(\mathbf{t}\) precisely
when the set \(\{i : x_i = 1\}\) is a subset summing to \(S\). The subset-sum instance is a "yes"
exactly when the constructed CVP instance is, and the construction is plainly polynomial-time.
The same combinatorial construction, adapted, yields NP-hardness of the exact shortest vector problem
in the \(\ell_\infty\) norm — the norm-dependent claim promised earlier now has its source. In the
Euclidean norm the corresponding statement for SVP demands considerably more, which is the
asymmetry the previous section flagged. For the closest vector problem, though, the Euclidean case
is already settled by the reduction above.
With CVP in hand as the hub, two specializations carry the actual cryptographic weight, and both are
named objects the track will reuse. The first restricts the target to lie unusually close to the
lattice — closer than half the minimum distance — so that the nearest vector is unique and the
problem becomes one of decoding a point known to be a slight perturbation of a lattice point.
Definition: Bounded Distance Decoding (\(\mathrm{BDD}_\gamma\))
Let \(\gamma = \gamma(n) \geq 1\). Given a basis \(\mathbf{B}\) of \(\mathcal{L} \subseteq
\mathbb{R}^n\) and a target \(\mathbf{t} \in \mathbb{R}^n\) promised to satisfy
\[
\operatorname{dist}(\mathbf{t}, \mathcal{L}) \lt \frac{\lambda_1(\mathcal{L})}{2\gamma},
\]
the bounded distance decoding problem asks for the unique lattice vector
\(\mathbf{v} \in \mathcal{L}\) with \(\|\mathbf{v} - \mathbf{t}\| = \operatorname{dist}(\mathbf{t},
\mathcal{L})\).
The promise is what distinguishes BDD from CVP. A general target may sit anywhere, with several
lattice points nearly tied for closest; BDD guarantees the target is a small displacement of one
particular lattice point, and asks only to recover it. The condition
\(\operatorname{dist}(\mathbf{t}, \mathcal{L}) \lt \lambda_1 / 2\) already forces uniqueness — two
lattice points within that distance of \(\mathbf{t}\) would sit within \(\lambda_1\) of each other,
contradicting the definition of the minimum distance — and the factor \(\gamma\) tightens the
promise further. This is the shape of a decryption problem: a ciphertext is a lattice point plus a
small error, and recovering the message is recovering the lattice point. The encryption schemes the
track builds toward are, at their core, instances of decoding under exactly such a promise.
The second specialization returns to the intrinsic geometry of the lattice, generalizing the first
minimum from one short vector to a full set of them. A lattice of rank \(n\) has not just a shortest
vector but a whole sequence of
successive
minima \(\lambda_1 \leq \lambda_2 \leq \dots \leq \lambda_n\), where \(\lambda_i\) is the
smallest radius within which the lattice contains \(i\) linearly independent vectors. Finding one
short vector is SVP; finding a full independent set of them, all short, is its natural generalization.
Definition: Shortest Independent Vectors Problem (\(\mathrm{SIVP}_\gamma\))
Let \(\gamma = \gamma(n) \geq 1\). Given a basis \(\mathbf{B}\) of a rank-\(n\) lattice
\(\mathcal{L} \subseteq \mathbb{R}^n\), the shortest independent vectors problem
asks for \(n\) linearly independent lattice vectors \(\mathbf{v}_1, \dots, \mathbf{v}_n \in
\mathcal{L}\) with
\[
\max_i \|\mathbf{v}_i\| \leq \gamma \cdot \lambda_n(\mathcal{L}).
\]
SIVP asks for a basis-like object that is short in the strong sense that even its longest member is
controlled by the \(n\)-th successive minimum. It is the problem that most directly captures "find a
good basis," and it is the worst-case problem to which the security of the lattice encryption schemes
will ultimately be tied. That tie — a guarantee that breaking the average-case encryption problem
would entail solving SIVP (and its decision-style companion, introduced next) in the worst case — is
the feature that sets lattice cryptography apart, and it is why SIVP earns a name here even though
nothing on this page yet uses it. The definitions of this section are the vocabulary; the hierarchy
that orders them by difficulty, and locates the cryptographic sweet spot among them, is the work of
the next.
The Approximation Hierarchy
The problems of the previous sections were posed as search or promise tasks with an approximation
factor \(\gamma\) attached. To speak about their complexity in the sharpest terms — membership in
classes like NP, and its complement — it helps to recast the approximate problems in decision form,
as promise problems. A promise problem does not partition all inputs into yes and no; it
guarantees that every input it is asked about falls into one of two well-separated cases, and asks an
algorithm only to tell those two apart. The gap between the cases is exactly the approximation factor.
Definition: The Decision Problem \(\mathrm{GapSVP}_\gamma\)
Let \(\gamma = \gamma(n) \geq 1\). An instance is a basis \(\mathbf{B}\) of \(\mathcal{L}
\subseteq \mathbb{R}^n\) together with a rational \(r \gt 0\). The promise is that the instance
falls into one of two cases, and the problem is to decide which:
• a YES instance satisfies \(\lambda_1(\mathcal{L}) \leq r\);
• a NO instance satisfies \(\lambda_1(\mathcal{L}) \gt \gamma \cdot r\).
Instances with \(r \lt \lambda_1(\mathcal{L}) \leq \gamma r\) are excluded by the promise; no
answer is required for them.
The companion problem \(\mathrm{GapCVP}_\gamma\) is defined identically but for a target: given
\(\mathbf{B}\), a target \(\mathbf{t}\), and a bound \(r\), a YES instance has
\(\operatorname{dist}(\mathbf{t}, \mathcal{L}) \leq r\) and a NO instance has
\(\operatorname{dist}(\mathbf{t}, \mathcal{L}) \gt \gamma r\). At \(\gamma = 1\) the promise gap
closes and \(\mathrm{GapCVP}_1\) is exactly the decisional closest vector problem shown NP-complete
above. Increasing \(\gamma\) widens the gap, weakens the problem, and is what makes the higher rungs
of the hierarchy tractable.
The first structural fact orders the two families against each other: approximating shortest vectors
is no harder than approximating closest ones. This is the promised inheritance of hardness, and the
reduction realizing it is short.
\(\mathrm{GapSVP}_\gamma\) reduces to \(\mathrm{GapCVP}_\gamma\)
A first instinct — feed the shortest vector problem to a closest-vector solver with target
\(\mathbf{0}\) — fails at once, since \(\mathbf{0}\) is itself a lattice point and its nearest
lattice vector is itself. The fix is to bar one basis vector from the combination. From a
\(\mathrm{GapSVP}_\gamma\) instance \((\mathbf{B}, r)\) with \(\mathbf{B} = (\mathbf{b}_1, \dots,
\mathbf{b}_n)\), build \(n\) instances of \(\mathrm{GapCVP}_\gamma\); the \(i\)-th uses the basis
\(\mathbf{B}_i = (\mathbf{b}_1, \dots, 2\mathbf{b}_i, \dots, \mathbf{b}_n)\) with the \(i\)-th
vector doubled, the target \(\mathbf{b}_i\), and the same bound \(r\). Answer YES if the
\(\mathrm{GapCVP}_\gamma\) oracle says YES on at least one instance.
If \((\mathbf{B}, r)\) is a NO instance, every nonzero lattice vector has length exceeding
\(\gamma r\). Doubling one basis vector only shrinks the lattice, so \(\mathcal{L}(\mathbf{B}_i)\)
is a sublattice of \(\mathcal{L}(\mathbf{B})\); every vector of \(\mathcal{L}(\mathbf{B}_i)\) is
therefore also a vector of \(\mathcal{L}(\mathbf{B})\), and its difference from
\(\mathbf{b}_i \in \mathcal{L}(\mathbf{B})\) is again an element of \(\mathcal{L}(\mathbf{B})\).
That difference cannot be zero: writing a vector of \(\mathcal{L}(\mathbf{B}_i)\) in the basis
\(\mathbf{B}\), the coefficient of \(\mathbf{b}_i\) is always even — it multiplies the doubled
vector \(2\mathbf{b}_i\) — so subtracting \(\mathbf{b}_i\) leaves that coefficient odd, and an
odd coefficient cannot vanish. The difference is thus a nonzero vector of \(\mathcal{L}(\mathbf{B})\),
and the NO promise makes its length exceed \(\gamma r\). Every point of
\(\mathcal{L}(\mathbf{B}_i)\) is therefore farther than \(\gamma r\) from \(\mathbf{b}_i\), and
each oracle answers NO. If instead \(\lambda_1(\mathcal{L}) \leq r\), write a shortest vector as
\(\mathbf{v} = a_1 \mathbf{b}_1 + \dots + a_n \mathbf{b}_n\). Some \(a_k\) is odd, since otherwise
\(\mathbf{v}/2\) would be a shorter lattice vector. For that \(k\), the point \(\mathbf{b}_k +
\mathbf{v}\) lies in \(\mathcal{L}(\mathbf{B}_k)\) and sits within \(\|\mathbf{v}\| \leq r\) of the
target \(\mathbf{b}_k\), so the \(k\)-th oracle answers YES.
The reduction preserves the gap \(\gamma\) exactly and calls the oracle on lattices of the same rank
as the input — it is gap-preserving and rank-preserving, features that make it a reliable tool
elsewhere. It calls the oracle \(n\) times rather than once, so it is a Turing-style reduction rather
than the single-instance mapping used for the NP-completeness above; whether a single-instance
reduction exists is not known. The consequence for the hierarchy is what matters: any complexity
upper bound proved for \(\mathrm{GapCVP}_\gamma\) transfers to \(\mathrm{GapSVP}_\gamma\), because a
solver for the former yields one for the latter.
With the two families linked, the hierarchy can be read off as a function of the one parameter
\(\gamma\). Three regimes divide the line, and the boundaries between them are where the whole
subject lives.
At the bottom, for small approximation factors, the problems are NP-hard. Exact
GapCVP is NP-complete, and the hardness
persists as the gap opens, degrading only slowly; approximating the closest vector to within
almost-polynomial factors — factors below any fixed power of the dimension — remains NP-hard. Any
algorithm solving the problem for these gaps would
solve every problem in NP.
At the top, for factors that grow exponentially in \(n\), the problems are solvable
in polynomial time. This is the domain of basis reduction, the subject of the final section: a
polynomial-time procedure exists that finds a vector within an exponential factor of the shortest,
and no better. The exponential-approximation regime is the easy end of the line.
Between these lies the regime that cryptography occupies, and its defining feature is a negative one:
for gaps around \(\sqrt{n}\), the problems are almost certainly not NP-hard. The evidence is
a containment. For \(\gamma = \sqrt{n}\), the problem \(\mathrm{GapCVP}_{\sqrt{n}}\) lies not only in
NP but in its complement coNP — meaning a NO instance, one where the target is far
from the lattice, admits a short certificate of its farness, just as a YES instance admits a nearby
lattice vector as certificate of its nearness. Certifying farness is the hard direction: a target can
have enormously many lattice points near it without any being within the bound, and exhibiting a
succinct proof that none is close is not obvious. The earliest arguments that farness can be
certified went through the
dual
lattice — the reciprocal lattice whose geometry, tied to the original by the
reciprocal
determinant relation, converts a statement about the absence of short vectors on one
side into the presence of a witness on the other. An early argument of this kind reached the smaller
gap \(\sqrt{n / \log n}\), placing the problem there in a probabilistic analogue of coNP; later work
sharpened the containment, widening the gap to \(\sqrt{n}\) and strengthening the class to coNP
proper. By the reduction just proved, all of this transfers to
\(\mathrm{GapSVP}\): the shortest vector problem at gap \(\sqrt{n}\) is likewise in \(\mathrm{NP}
\cap \mathrm{coNP}\).
The force of this containment is what it forbids. A problem that is NP-hard and simultaneously in coNP
would place all of NP inside coNP, collapsing the tower of complexity classes above them — the
polynomial hierarchy — to a low level, an outcome complexity theorists regard as most unlikely. So
the containment of \(\mathrm{GapSVP}_{\sqrt{n}}\) in \(\mathrm{NP} \cap \mathrm{coNP}\) is read in
reverse, as a ceiling on hardness: the NP-hardness that holds for small gaps cannot be pushed up to
the gap \(\sqrt{n}\) without collapsing the hierarchy. Approximating lattice vectors to within
\(\sqrt{n}\) is, in all likelihood, strictly easier than the NP-hard exact problem — and yet no
efficient algorithm for it is known.
Math \(\leftrightarrow\) CS: Why the Middle Is the Right Place to Build
A cryptographer reading the hierarchy wants neither end. The NP-hard bottom is tempting — what
stronger foundation than a problem as hard as all of NP? — but NP-hardness is a worst-case
guarantee, an assurance that some instances are hard, and encryption needs the typical
instance to be hard, drawn at random. The exponentially-approximable top is simply broken:
basis reduction solves it. The useful regime is the middle, at gaps polynomial in \(n\), where
two things hold at once. The problem is not known to be NP-hard, which sounds like a weakness but
is the price of the coNP containment that rules out the collapse; and no efficient algorithm,
classical or quantum, approaches these gaps. Security rests not on the peak of the hierarchy but
on a plateau partway up it — hard enough that decades of algorithms have not reached it,
structured enough that a worst-case instance can be transformed into the random-looking instances
an encryption scheme needs. That the foundations sit in \(\mathrm{NP} \cap \mathrm{coNP}\),
exactly where factoring sits, is not a coincidence but a signpost: it is the class of problems
hard enough to build on yet too structured to be NP-complete.
The hierarchy thus delivers a single object, \(\mathrm{GapSVP}_\gamma\) with its shadow
\(\mathrm{GapCVP}_\gamma\), whose difficulty is dialed by one parameter from NP-hard to
polynomial-time, and it locates the cryptographic regime as a plateau near \(\sqrt{n}\) — above the
reach of every known algorithm, below the NP-hardness ceiling that the polynomial hierarchy protects.
What remains is to see the one algorithm that does reach the lattice, understand exactly how far up
it climbs, and confront the fact that a quantum computer climbs no higher.
What the Quantum Attack Leaves Standing
The hierarchy left one algorithm unexamined: the procedure that actually reaches into a lattice and
returns a short vector. Every practical attack on a lattice problem, and every honest assessment of
how hard these problems are, passes through basis reduction, introduced above. The foundational
reduction algorithm runs in time
polynomial in the dimension and the size of the input, and it always succeeds in producing a reduced
basis. The question is how short the vector it returns actually is.
The answer is what everything downstream turns on. Basis reduction finds a vector guaranteed to be short —
but only to within a factor that grows exponentially with the dimension. In the language of
the hierarchy, the polynomial-time algorithm solves \(\mathrm{SVP}_\gamma\) for \(\gamma\)
exponential in \(n\), and no better. It sits exactly at the tractable top of the hierarchy and does
not descend into the middle. Improvements that trade running time for a smaller factor exist, but they
buy only modest reductions in the exponent at steep cost, and none brings the approximation factor
down to the polynomial range where the cryptographic problems live. The plateau near \(\sqrt{n}\)
remains, after decades, out of reach.
This is the observation on which the security of every lattice construction rests, and it must be
stated with care. The gap between
what basis reduction achieves — an exponential approximation — and what would break the cryptography
— a polynomial one — is not a theorem that the polynomial regime is hard. It is the absence of any
algorithm that closes the gap. Lattice hardness, like the hardness of factoring before it, is a
conjecture: the assertion that no efficient procedure approximates lattice vectors to within
polynomial factors, supported by the failure of sustained effort to find one, not by a proof that
none can exist.
What makes this conjecture the foundation for a post-quantum cryptography is a second fact,
and it is the one this whole track has been moving toward. The classical assumptions fell to a
quantum computer because factoring and the discrete logarithm carry a hidden periodic structure — an
abelian arithmetic that a quantum procedure detects in polynomial time, collapsing the asymmetry the
schemes depended on. Basis reduction is where one looks for the analogous quantum advantage against
lattices, and the finding is stark: the best quantum algorithms for the lattice problems achieve the
same exponential approximation as the best classical ones, and no better. Quantum computation buys no
improvement in the approximation factor. No quantum algorithm approaches the polynomial gaps either.
The reason is structural, and it closes a thread left hanging by the quantum attack itself. Shor's
algorithm succeeds by finding a period in an abelian group — the structure the number-theoretic
problems supply and the lattice problems do not. A lattice has no such abelian period for a quantum
procedure to seize; its shortest vectors are hidden by high-dimensional geometry, not by a hidden
subgroup of the kind the quantum Fourier transform is built to expose. This is why the migration
documented across the classical pages heads here specifically. It is not that lattices are provably
beyond quantum reach — the honest claim is narrower and is the same conjectural shape as before: no
efficient quantum algorithm for these problems is known, and the structure that made the classical
problems fall is absent. The absence of a known attack, classical or quantum, is precisely what a
post-quantum foundation is built from.
Math \(\leftrightarrow\) CS: The Same Complexity Class as Factoring
The classical assumptions
ended on an inventory of conjectures and a promise: that the search for a quantum-resistant foundation would
begin from a problem no known reduction connects to factoring or the discrete logarithm. The lattice problems
are that foundation, and the hierarchy places them with precision. Their cryptographic regime sits
in \(\mathrm{NP} \cap \mathrm{coNP}\) — the same class that houses factoring, hard enough to build
on yet too structured to be NP-complete.
The parallel is exact and instructive: both foundations are conjectured-hard problems in the same
complexity class, neither NP-hard nor known to be easy. The difference that matters is the one
Shor's algorithm draws. Factoring's place in that class comes with a hidden abelian structure a
quantum computer exploits; the lattice problems' place in it does not. Same class, same
conjectural status, different fate under quantum attack — and that difference is the entire case
for rebuilding cryptography on the geometry of lattices.
What remains is to build the encryption on this ground: to turn a worst-case lattice problem into the
random-looking, average-case problem an encryption scheme can sample from, and to show that breaking
the scheme would solve the worst-case problem underneath. That construction is where the geometry of
this page becomes a working cryptosystem.