Eldar and Shor have posted a new paper that claims to solve the
following lattice problem efficiently on a quantum computer:
given a lattice L, a vector v, and numbers b = lambda_1(L)/n^17,
a = lambda_1(L)/n^13 decide if v's distance from L is in the range
[a/2,a] or at most b, where lambda_1(L) is the length of L's
shortest non-zero vector.
Regarding "efficient": the theorem statement appears to claim polynomial
time for this GapBDD problem for exponents 13+epsilon, 17+epsilon.
For comparison, Regev says that the hardness of LWE for exponential q
"is based on the standard assumption that GapSVP is hard to approximate
to within polynomial factors", and that the hardness of LWE for poly q
"is based on slightly less standard (but still quite believable)
assumptions".
Eldar and Shor comment that the GapBDD requirement on v having distance
in [a/2,a] union [b,infty] "yields some implicit information about the
length of the shortest vector of the input lattice". Calling this
"implicit" seems to say that a,b aren't actually required as input, but
I haven't dug into the details yet. Anyway, it's hard to see how anyone
can be confident in GapSVP hardness---or the hardness of "less standard"
assumptions---if GapBDD is broken.
If this paper holds up then it shreds the picture of
approx factor | hardness
---------------+---------------
tiny | NP-hard
poly | hard
subexponential | subexponential
exponential | poly
that is frequently claimed in lattice advertising. Developments in the
last few years have already severely damaged this picture for various
ideal-lattice problems, but the Eldar--Shor attack gets down to poly
time for a poly approximation factor in arbitrary lattices.
This doesn't imply that lattice-based cryptography is broken, but it
does mean that many people were wildly overestimating the importance of
huge approximation factors for breakability. It is no longer defensible,
even in purely asymptotic papers, to say just "polynomial approximation
factor" as if any polynomial were safe. The exponent of the polynomial
is important!
Figuring out the approximation factors in existing systems might be a
nice project for an enterprising student. A simple encryption system is
analyzed in Section 6.5 of
https://eprint.iacr.org/2016/360 (with
details in a supplemental PDF on
http://anotherlook.ca) but there are
many other systems in the literature---often with much larger
approximation factors.
---Dan