
As we know, finding the shortest vector in a lattice is a hard problem. We also know that there is a polynomial-time algorithm for finding SVP, which, of course, does not have optimal performance in large dimensions. However, from a cryptographic perspective, why is finding the largest vector (of course, in a certain range) in a lattice not a hard problem? I googled this topic and some reasons were given, but I was not convinced, because the same reasons can be applied to some shortest vector problems. There are also techniques that can increase the security of the largest vector, for example, using real space instead of integer space, etc.

R_Jalaei

2 Answers


I think LVP and SVP are related to a certain degree.

Suppose we are working on the q-ary lattice $\mathcal L^\perp_q(\mathbf A)$. Let your LVP solver be $\mathcal O_{lvp}$, which works as $\mathbf x\gets\mathcal O_{lvp}(\mathbf A,q)$ such that $\|\mathbf x\|=\max(\mathbf v:\mathbf v\in\mathcal L_q^\perp(\mathbf A))$. Given an SVP instance $(\mathbf A, q)$, our job is to find the shortest vector $\mathbf y$ such that $\|\mathbf y\|=\min(\mathbf v:{\mathbf v\in\mathcal L^\perp_q(\mathbf A)})$. We just feed $\mathbf A,q$ to $\mathcal O_{lvp}$ and get the output $\mathbf x$, then we output $\mathbf y=\mathbf q-\mathbf x$ where $\mathbf q=(q,q,\dots,q)\in\mathbb Z^n$.

Now we claim $\mathbf y$ is the shortest vector. If not, there exists a $\mathbf y'$ such that $\|\mathbf y'\|<\|\mathbf y\|$ and $\mathbf y'\in\mathcal L^\perp_q(\mathbf A)$. This gives us another "long" vector $\mathbf q-\mathbf y'$ such that $\|\mathbf q-\mathbf y'\|>\|\mathbf x\|$ with "high" probability. Suppose we are in the 2-norm; we can be sure that $\|\mathbf q- \mathbf y'\|$ is bigger than $\|\mathbf x\|$ when $\|\mathbf y'\|\leq\sqrt n q-\|\sqrt n\mathbf q-\mathbf y\|=t$ (this ensures the original sphere with radius $\|\mathbf y'\|$ does not intersect the sphere with origin $\mathbf q$ and radius $\|\sqrt n\mathbf q-\mathbf y'\|$). For other cases, the advantage of success decreases as the ratio $t/\|\mathbf y'\|$ decreases. In other words, when $\|\mathbf y'\|$ is approaching $\|\mathbf y\|$, we have fewer chances to complete the reduction from SVP to LVP (and it depends on where $\mathbf y$ lies).

Haotian Yin
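As an added worked check (this is editorial example code, not part of the answer above), the script below runs the proposed reduction on two tiny constructed q-ary lattices. It assumes the "range" of the largest-vector problem is the box $[0,q)^n$ (since $q\mathbb Z^n$ is a sublattice of every q-ary lattice, that box holds exactly one representative of each lattice vector modulo $q$), takes the longest lattice vector in that box as $\mathbf x$, forms the candidate $\mathbf q-\mathbf x$, and compares its length with the exact shortest vector found by exhaustive search. The instances ($\mathbf A=[1,3]$ and $\mathbf A=[1,2]$ with $q=7$) and all function names are constructed for this example.

```python
import itertools


def in_lattice(A, x, q):
    """x lies in the q-ary lattice L_q^perp(A) iff A x = 0 (mod q)."""
    return all(sum(a * xi for a, xi in zip(row, x)) % q == 0 for row in A)


def lattice_points(A, q, coords):
    """All lattice vectors whose coordinates are each drawn from `coords`."""
    n = len(A[0])
    return [x for x in itertools.product(coords, repeat=n) if in_lattice(A, x, q)]


def norm2(v):
    """Squared Euclidean norm (integers only, so comparisons are exact)."""
    return sum(c * c for c in v)


def longest_in_box(A, q):
    """Longest lattice vector in the box [0, q)^n, the assumed LVP range."""
    return max(lattice_points(A, q, range(q)), key=norm2)


def shortest_vector(A, q):
    """Exact SVP by exhaustive search. Reducing each coordinate of a lattice
    vector into (-q/2, q/2] stays inside the lattice (q*Z^n is a sublattice)
    and never lengthens it, so the shortest nonzero vector lives in the centred
    box, unless the lattice is q*Z^n itself, where q*e_1 is shortest."""
    n = len(A[0])
    centred = range(-((q - 1) // 2), q // 2 + 1)
    nonzero = [x for x in lattice_points(A, q, centred) if any(x)]
    if not nonzero:
        return tuple([q] + [0] * (n - 1))
    return min(nonzero, key=norm2)


def reflect(x, q):
    """The answer's candidate short vector: y = q*1 - x."""
    return tuple(q - c for c in x)


def check_reduction(A, q):
    """Run the LVP -> SVP reduction on one instance and compare with exact SVP."""
    x = longest_in_box(A, q)
    cand = reflect(x, q)
    assert in_lattice(A, cand, q)  # reflection about q*1 keeps us in the lattice
    svp = shortest_vector(A, q)
    return {"longest": x, "candidate": cand,
            "candidate_norm2": norm2(cand), "svp_norm2": norm2(svp),
            "exact": norm2(cand) == norm2(svp)}


if __name__ == "__main__":
    # Two constructed 2-dimensional instances with q = 7.
    for A in ([[1, 3]], [[1, 2]]):
        print(A, check_reduction(A, 7))
```

On the first instance the reflected vector is exactly the shortest vector (squared norm 5); on the second it has squared norm 10 while the true shortest vector has squared norm 5, which is the "depends on where $\mathbf y$ lies" case the answer mentions. Parameters this small are only for exhaustive verification; the enumeration is exponential in $n$.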

@HaotianYin gave a reasoning for why LVP is as hard as SVP, which I currently cannot agree with, as I cannot review and verify the proof now.

As to "why not use LVP to build cryptosystems": because SVP is much easier to work with in terms of functionality and efficiency.

A typical lattice-based key agreement scheme depends on the secret vector and error vector being small to make reconciliation of the error terms work, and to make it impossible to recover the private key of one side through lattice reduction.

In a typical Fiat-Shamir-with-Abort signature, verifying that the signature component is short is as easy as verifying that it is large, yet being short makes the signature transcript compact (occupying fewer bytes) and makes it difficult to forge arbitrary signatures through lattice reduction.

DannyNiu
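As an added illustration of the key-agreement point above (editorial example code, not part of the answer and not any real protocol), the toy exchange below is LWE-style: Alice sends $\mathbf b_A=\mathbf A\mathbf s_A+\mathbf e_A$, Bob sends $\mathbf b_B=\mathbf A^T\mathbf s_B+\mathbf e_B$, and each side computes a scalar view of $\mathbf s_A^T\mathbf A^T\mathbf s_B$ that differs from the other's only by $\mathbf s_A\cdot\mathbf e_B-\mathbf e_A\cdot\mathbf s_B-e'$. Reconciliation uses Peikert-style modular rounding plus a one-bit cross-rounding hint, which recovers the same key bit whenever the two views differ by less than $q/8$. The parameters ($q=4096$, $n=8$, entry bound $B$), the function names and the sampling are constructed for this example.

```python
import random


def mod_round_bit(v, q):
    """Modular rounding: 1 iff v mod q lies in [q/4, 3q/4). Each side's raw key bit."""
    return ((2 * (v % q) + q // 2) // q) % 2


def cross_round_bit(v, q):
    """Cross rounding floor(4v/q) mod 2: the one-bit reconciliation hint."""
    return ((4 * (v % q)) // q) % 2


def rec(w, hint, q):
    """Recover mod_round_bit(v) from w and hint = cross_round_bit(v), provided
    |v - w| < q/8 (q divisible by 8 assumed). Returns 0 iff w lies in
    I_hint + E (mod q), where I_0 = [0, q/4), I_1 = [-q/4, 0), E = [-q/8, q/8)."""
    w %= q
    if hint == 0:
        close = w < 3 * q // 8 or w >= q - q // 8   # I_0 + E = [-q/8, 3q/8)
    else:
        close = w >= 5 * q // 8 or w < q // 8       # I_1 + E = [5q/8, 9q/8)
    return 0 if close else 1


def small_vec(n, bound, rng):
    """Constructed sampling: entries uniform in [-bound, bound]."""
    return [rng.randint(-bound, bound) for _ in range(n)]


def matvec(M, v, q):
    return [sum(m * x for m, x in zip(row, v)) % q for row in M]


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def key_exchange(q, n, bound, rng):
    """One toy exchange producing one key bit per party: (alice_bit, bob_bit)."""
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(n)]
    At = [list(col) for col in zip(*A)]
    s_a, e_a = small_vec(n, bound, rng), small_vec(n, bound, rng)
    b_a = [(x + e) % q for x, e in zip(matvec(A, s_a, q), e_a)]    # Alice -> Bob
    s_b, e_b = small_vec(n, bound, rng), small_vec(n, bound, rng)
    b_b = [(x + e) % q for x, e in zip(matvec(At, s_b, q), e_b)]   # Bob -> Alice
    v_b = (dot(b_a, s_b) + rng.randint(-bound, bound)) % q        # Bob's view
    hint, bob_bit = cross_round_bit(v_b, q), mod_round_bit(v_b, q)  # hint -> Alice
    v_a = dot(s_a, b_b) % q                                        # Alice's view
    # v_a - v_b = s_a.e_b - e_a.s_b - e': small only when every vector is small.
    return rec(v_a, hint, q), bob_bit


def worst_case_gap(n, bound):
    """Upper bound on |v_a - v_b| when all secret/error entries lie in [-B, B];
    reconciliation is guaranteed once this is below q/8."""
    return 2 * n * bound * bound + bound


def agreement_rate(q, n, bound, trials, seed):
    """Fraction of exchanges in which both parties derive the same key bit."""
    rng = random.Random(seed)
    hits = sum(a == b for a, b in (key_exchange(q, n, bound, rng) for _ in range(trials)))
    return hits / trials


if __name__ == "__main__":
    q, n = 4096, 8
    print("gap bound for B=2:", worst_case_gap(n, 2), "< q/8 =", q // 8)
    print("small secrets/errors:", agreement_rate(q, n, 2, 200, 1))
    print("secrets/errors up to q/2:", agreement_rate(q, n, q // 2, 400, 1))
```

With $B=2$ the gap is at most $2nB^2+B=66<512=q/8$, so reconciliation always succeeds; with entries as large as $q/2$ the two views are essentially unrelated modulo $q$ and the key bits agree only about half the time. This is the functional half of the answer's point: the smallness of the secret and error vectors is what makes the error terms reconcilable in the first place.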