
Foundations of Software Technology and Theoretical Computer Science (Bangalore) 2008.

Editors: R. Hariharan, M. Mukund, V. Vinay; pp 25-36

Some Sieving Algorithms for Lattice Problems

V. Arvind and Pushkar S. Joglekar

Institute of Mathematical Sciences

C.I.T Campus, Chennai 600 113, India

{arvind,pushkar}@imsc.res.in

ABSTRACT. We study the algorithmic complexity of lattice problems based on the sieving technique due to Ajtai, Kumar, and Sivakumar [AKS01]. Given a $k$-dimensional subspace $M \subseteq \mathbb{R}^n$ and a full rank integer lattice $L \subseteq \mathbb{Q}^n$, the subspace avoiding problem SAP, defined by Blömer and Naewe [BN07], is to find a shortest vector in $L \setminus M$. We first give a $2^{O(n + k\log k)}$ time algorithm to solve the subspace avoiding problem. Applying this algorithm we obtain the following results.

1. We give a $2^{O(n)}$ time algorithm to compute $i^{th}$ successive minima of a full rank lattice $L \subset \mathbb{Q}^n$ if $i$ is $O(\frac{n}{\log n})$.

2. We give a $2^{O(n)}$ time algorithm to solve a restricted closest vector problem CVP where the inputs fulfil a promise about the distance of the input vector from the lattice.

3. We also show that unrestricted CVP has a $2^{O(n)}$ exact algorithm if there is a $2^{O(n)}$ time exact algorithm for solving CVP with additional input $v_i \in L$, $1 \le i \le n$, where $\|v_i\|_p$ is the $i^{th}$ successive minima of $L$ for each $i$.

We also give a new approximation algorithm for SAP and the Convex Body Avoiding problem which is a generalization of SAP. Several of our algorithms work for gauge functions as metric, where the gauge function has a natural restriction and is accessed by an oracle.

1 Introduction

Fundamental algorithmic problems concerning integer lattices are the shortest vector problem (SVP) and the closest vector problem (CVP). Given a lattice $L \subset \mathbb{R}^n$ by a basis, the shortest vector problem (SVP) is to find a shortest nonzero vector in $L$ w.r.t. some metric given by a gauge function in general (usually the $\ell_p$ norm for some $p$). Likewise, the closest vector problem (CVP) takes as input a lattice $L \subset \mathbb{R}^n$ and vector $v \in \mathbb{R}^n$ and asks for a $u \in L$ closest to $v$ w.r.t. a given metric. These problems have polynomial-time approximation algorithms based on the celebrated LLL algorithm for basis reduction [LLL82].

The fastest known exact deterministic algorithms for SVP and CVP have running time $2^{O(n \log n)}$ [Kan87] (also see [Bl00]). More recently, Ajtai, Kumar and Sivakumar in a seminal paper [AKS01] gave a $2^{O(n)}$ time randomized exact algorithm for SVP. Subsequently, in [AKS02] they gave a $2^{O(n)}$ time randomized approximation algorithm for CVP. Their algorithms are based on a generic sieving procedure (introduced by them) that exploits the underlying geometry. Recently, Blömer and Naewe [BN07] gave a different $2^{O(n)}$ time randomized approximation algorithm for CVP, also based on the AKS sieving technique.

For $1 \le i \le n$, the $i^{th}$ successive minimum $\lambda_i(L)$ is defined as the smallest $r$ such that a ball of radius $r$ around the origin contains at least $i$ linearly independent lattice vectors. The successive minima $\lambda_i(L)$ are important lattice parameters. A classical problem is the successive minima problem SMP of finding, for a given lattice $L$, $n$ linearly independent vectors $v_1, v_2, \ldots, v_n \in L$ such that $\|v_i\|$ is at most $\lambda_i(L)$. This problem clearly subsumes the shortest independent vectors problem SIVP where one wants to find linearly independent vectors $v_1, v_2, \ldots, v_n \in L$ such that $\|v_i\| \le \lambda_n(L)$. Given a $k$-dimensional subspace $M \subseteq \mathbb{R}^n$ and a full rank integer lattice $L \subseteq \mathbb{Q}^n$, the subspace avoiding problem SAP is to find a shortest vector in $L \setminus M$. The paper [BN07] gives a $2^{O(n)}$ time approximation algorithm for these problems.

© V. Arvind and Pushkar S. Joglekar; licensed under Creative Commons License-NC-ND. FSTTCS 2008, IARCS Annual Conference on Foundations of Software Technology and Theoretical Computer Science. http://drops.dagstuhl.de/opus/volltexte/2008/1738

No exact $2^{O(n)}$ time randomized algorithm is known for CVP or SMP. Recently, Micciancio has shown [Mi08] that CVP is polynomial-time equivalent to several lattice problems, including SIVP and SMP, under deterministic polynomial time rank-preserving reductions. This perhaps explains the apparent difficulty of finding a $2^{O(n)}$ time exact algorithm for CVP or SMP, because SVP reduces to all of these problems but no reduction is known in the other direction. In particular, the reductions in [Mi08] yield $2^{O(n \log n)}$ time exact algorithms for SAP, SMP and SIVP, whereas [BN07] gives a $2^{O(n)}$ time randomized approximation algorithm for these problems.

Our results

In this paper we consider some natural restrictions of these problems that can be exactly solved in $2^{O(n)}$ time. We obtain these results giving a $2^{O(n + k\log k)}$ algorithm to solve SAP where $n$ is the rank of the lattice and $k$ is the dimension of the subspace.

As our first result we show that given a full rank lattice $L \subset \mathbb{Q}^n$ there is a $2^{O(n)}$ time randomized algorithm to compute linearly independent vectors $v_1, v_2, \ldots, v_i \in L$ such that $\|v_i\| = \lambda_i(L)$ if $i$ is $O(\frac{n}{\log n})$. Given a full rank lattice $L \subset \mathbb{Q}^n$ and $v \in \mathbb{Q}^n$ we also give a $2^{O(n)}$ time algorithm to solve CVP$(L,v)$ if the input $(v,L)$ fulfils the promise $d(v,L) \le \frac{\sqrt{3}}{2} \lambda_{O(\frac{n}{\log n})}(L)$.

We show that CVP can be solved in $2^{O(n)}$ time if there is a $2^{O(n)}$ time algorithm to compute a closest vector to $v$ in $L$ where $v \in \mathbb{Q}^n$, $L \subset \mathbb{Q}^n$ is a full rank lattice and $v_1, v_2, \ldots, v_n \in L$ such that $\|v_i\|_p$ is equal to the $i^{th}$ successive minimum of $L$ for $i = 1$ to $n$ are given as an additional input to the algorithm. As a consequence, we can assume that the successive minima are given for free as an input to the algorithm for CVP. We believe that using basis reduction techniques from [Kan87] one might be able to exploit the information about the successive minima of the lattice to get a better algorithm for CVP.

We give a new $2^{O(n + k\log(1/\epsilon))}$ time randomized algorithm to solve $1 + \epsilon$ approximation of SAP, where $n$ is the rank of the lattice and $k$ is the dimension of the subspace. We get a better approximation guarantee than the one in [BN07], parametrised on $k$. We also consider a generalization of SAP (the convex body avoiding problem) and give a singly exponential approximation algorithm for the problem.

2 Preliminaries

A lattice $L$ is a discrete additive subgroup of $\mathbb{R}^n$; $n$ is called the dimension of the lattice. For algorithmic purposes we can assume that $L \subseteq \mathbb{Q}^n$, and even in some cases $L \subseteq \mathbb{Z}^n$. A lattice is usually specified by a basis $B = \{b_1, \cdots, b_m\}$, where $b_i \in \mathbb{Q}^n$ and the $b_i$'s are linearly independent; $m$ is called the rank of the lattice. If the rank is $n$ the lattice is said to be a full rank lattice. Although most results in the paper hold for general lattices, for convenience we mainly consider only full-rank lattices. For $x \in \mathbb{Q}^n$ let size$(x)$ denote the number of bits for the standard binary representation as an $n$-tuple of rationals. Let size$(L)$ denote $\sum_i \mathrm{size}(b_i)$. Next we recall the definition of gauge functions.

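DEFINITION 1. [Si45] A function $f : \mathbb{R}^n \to \mathbb{R}$ is called a gauge function if it satisfies the following properties:

1. $f(x) > 0$ for all $x \in \mathbb{R}^n \setminus \{0\}$ and $f(x) = 0$ if $x = 0$.

2. $f(\lambda x) = \lambda f(x)$ for all $x \in \mathbb{R}^n$ and $\lambda \in \mathbb{R}$.

3. $f(x + y) \le f(x) + f(y)$ for all $x, y \in \mathbb{R}^n$.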

For $v \in \mathbb{R}^n$ we denote $f(v)$ by $\|v\|_f$ and call it the norm of $v$ with respect to the gauge function $f$. It is easy to see that any $\ell_p$ norm satisfies all the above properties. Thus gauge functions generalize the usual $\ell_p$ norms. A gauge function $f$ defines a natural metric $d_f$ on $\mathbb{R}^n$ by setting $d_f(x,y) = f(x - y)$ for $x, y \in \mathbb{R}^n$. For $x \in \mathbb{R}^n$ and $r > 0$, let $B_f(x,r)$ denote the $f$-ball of radius $r$ with center $x$ with respect to the gauge function $f$, defined as $B_f(x,r) = \{y \in \mathbb{R}^n \mid f(x - y) \le r\}$. We denote the metric balls with respect to the usual $\ell_p$ norm by $B_p(x,r)$. Unless specified otherwise we always consider balls in $\mathbb{R}^n$. The next well-known proposition characterizes the class of all gauge functions.

PROPOSITION 2. [Si45] Let $f : \mathbb{R}^n \to \mathbb{R}$ be any gauge function. Then a unit radius ball around the origin with respect to $f$ is an $n$ dimensional bounded O-symmetric convex body. Conversely, for any $n$ dimensional bounded O-symmetric convex body $C$, there is a gauge function $f : \mathbb{R}^n \to \mathbb{R}$ such that $B_f(0,1) = C$.

Given an $f$-ball of radius $r$ around the origin with respect to a gauge function $f$, from Proposition 2 it follows that $B_f(0,r)$ is an O-symmetric convex body. It is easy to check that for any $r > 0$ and any constant $c$ we have $\mathrm{vol}(B_f(0,cr)) = c^n \mathrm{vol}(B_f(0,r))$, where $\mathrm{vol}(C)$ denotes the volume of the corresponding convex body $C$ (see e.g. [Si45]).

We now place a natural restriction on gauge functions. A gauge function $f$, given by oracle access, is a nice gauge function if it satisfies the following property: for some polynomial $p(n)$, $B_2(0, 2^{-p(n)}) \subseteq B_f(0,1) \subseteq B_2(0, 2^{p(n)})$, i.e. there exists a Euclidean sphere of radius $2^{-p(n)}$ inside the convex body $B_f(0,1)$, and $B_f(0,1)$ is contained inside a Euclidean sphere of radius $2^{p(n)}$. Note that if $f$ is a nice gauge function and $v \in \mathbb{Q}^n$ we have size$(f(v))$ = poly$(n, \mathrm{size}(v))$. For a nice gauge function $f$ we can sample points from the convex body $B_f(0,r)$ almost uniformly at random in poly$(\mathrm{size}(r), n)$ time using the Dyer-Frieze-Kannan algorithm [DFK91]. It is easy to check that all $\ell_p$ norms, $p \ge 1$, define nice gauge functions. The $i^{th}$ successive minima of a lattice $L$ with respect to the $\ell_p$ norm is the smallest $r > 0$ such that $B_p(0,r)$ contains at least $i$ linearly independent lattice vectors. It is denoted by $\lambda_i^p(L)$.

Remarks: In this paper we consider lattice problems with respect to nice gauge functions. Let $L$ be a lattice with basis $\{b_1, b_2, \ldots, b_n\}$ and $f$ be a nice gauge function. Suppose $B$ is a full rank $n \times n$ matrix with columns $b_1, b_2, \ldots, b_n$. Note that the linear transformation $B^{-1}$ maps the lattice $L$ isomorphically to the standard lattice $\mathbb{Z}^n$. Furthermore, it is easy to see that the set $C = B^{-1}(B_f(0,1))$ is an O-symmetric convex body. Hence, by Proposition 2 it follows that $C = B_g(0,1)$ for some gauge function $g$. As $f$ is a nice gauge function, it easily follows that $g$ is also a nice gauge function.


Thus, our algorithms that work for nice gauge functions can be stated for the standard lattice $\mathbb{Z}^n$ and a nice gauge function $g$. However, some of our results hold only for $\ell_p$ norms. Thus, to keep uniformity we allow our algorithms to take arbitrary lattices as input even when the metric is given by a nice gauge function.

3 A Sieving Algorithm for SAP

In this section we present a different analysis of the AKS sieving [AKS01, Re04] applied to the Subspace Avoiding Problem (SAP). Our analysis is quite different from that due to Blömer and Naewe [BN07] and gives us improved running time for computing a $1 + \epsilon$ approximate solution.

Recall that an input instance of the subspace avoiding problem (SAP) consists of $(L, M)$ where $L \subset \mathbb{Q}^n$ is a full rank lattice and $M \subset \mathbb{R}^n$ is a subspace of dimension $k$. The SAP problem is to find a vector $v \in L \setminus M$ with least norm with respect to a nice gauge function $f$.

We give an intuitive outline of our approximation algorithm: Our analysis of AKS sieving will use the fact that the sublattice $L \cap M$ of $L$ is of rank $k$. We will use the AKS sieving procedure to argue that we can sample $2^{O(n + k\log(1/\epsilon))}$ points from some coset of $L \cap M$ in $2^{O(n + k\log(1/\epsilon))}$ time. We can then apply a packing argument in the coset (which is only $k$-dimensional) to obtain points in the coset that are close to each other. Then, with a standard argument following the original AKS result [AKS01] we can conclude that their differences will contain a good approximation.

Suppose, without loss of generality, that the input lattice $L \subseteq \mathbb{R}^n$ is $n$-dimensional given by a basis $\{b_1, \cdots, b_n\}$, so that $L = \sum_{i=1}^{n} \mathbb{Z} \cdot b_i$. Let us fix a nice gauge function $f$ and let $v \in L$ denote a shortest vector in $L \setminus M$ with respect to gauge function $f$, i.e. $f(x)$ for $x \in L \setminus M$ attains minimum value at $x = v$. Let $s = \mathrm{size}(L, M)$ denote the input size (which is the number of bits for representing the vectors $b_i$ and the basis for $M$). As $v$ is a shortest vector in $L \setminus M$ and $f$ is a nice gauge function it is quite easy to see that size$(f(v))$ is bounded by a polynomial in $s$. Thus, we can scale the lattice $L$ to ensure that $2 \le f(v) \le 3$. More precisely, we can compute polynomially many scaled lattices from $L$, so that $2 \le f(v) \le 3$ holds for at least one scaled lattice. Thus, we can assume that $2 \le f(v) \le 3$ holds for the lattice $L$.

We first describe the AKS sieving procedure [AKS01] for any gauge function, analyze its running time and explain its key properties. The following lemma is crucially used in the algorithm.

LEMMA 3. [Sieving Procedure] Let $f : \mathbb{R}^n \to \mathbb{R}$ be any gauge function. Then there is a sieving procedure that takes as input a finite set of points $\{v_1, v_2, v_3, \ldots, v_N\} \subseteq B_f(0,r)$, and in $N^{O(1)}$ time it outputs a subset of indices $S \subset [N]$ such that $|S| \le 5^n$ and for each $i \in [N]$ there is a $j \in S$ with $f(v_i - v_j) \le r/2$.

Proof. The sieving procedure is exactly as described in Regev's lecture notes [Re04]. The sieving procedure is based on a simple greedy strategy. We start with $S = \emptyset$ and run the following step for all elements $v_i$, $1 \le i \le N$. At the $i^{th}$ step we consider $v_i$. If $f(v_i - v_j) > r/2$ for all $j \in S$ include $i$ in the set $S$ and increment $i$. After completion, for all $i \in [N]$ there is a $j \in S$ such that $f(v_i - v_j) \le r/2$. The bound on $|S|$ follows from a packing argument combined with the fact that $\mathrm{vol}(B_f(0,cr)) = c^n \mathrm{vol}(B_f(0,r))$ for any $r > 0$ and a constant $c > 0$. More precisely, for any two points $v_i, v_j \in S$ we have $f(v_i - v_j) > r/2$. Thus, all the convex bodies $B_f(v_i, r/4)$ for $v_i \in S$ are mutually disjoint and are contained in $B_f(0, r + r/4)$. Also note that $\mathrm{vol}(B_f(0,dr)) = d^n \mathrm{vol}(B_f(0,r))$ for any constant $d > 0$. It follows that $5^n \mathrm{vol}(B_f(v_i, r/4)) \ge \mathrm{vol}(B_f(0, r + r/4))$. Hence, $|S| \le 5^n$. The second property of $S$ is guaranteed by the sieving procedure.

Next, our algorithm follows the usual AKS random sampling procedure. Let $R = n \cdot \max_i \|b_i\|_f$. It is clear that size$(R)$ is polynomial in $s$ since $f$ is a nice gauge function. Let $B_f(0,2)$ denote the $f$-ball of radius 2 around the origin. Since we have an oracle for membership in $B_f(0,2)$ and $f$ is a nice gauge function we can almost uniformly sample from $B_f(0,2)$ using the Dyer-Frieze-Kannan algorithm [DFK91]. Let $x_1, x_2, \cdots, x_N$ denote such a random sample, for $N = 2^{c \cdot (n + k\log(1/\epsilon))} \cdot \log R$ where the constant $c > 0$ will be suitably chosen. Now, using the lattice $L$ we can round off the points $x_i$. More precisely, we express $x_i = \sum_j \alpha_{ij} b_j$ for rationals $\alpha_{ij}$. Then, from each vector $x_i$ we compute the vector $y_i = \sum_j \beta_{ij} b_j$, where $0 \le \beta_{ij} < 1$, by adding appropriate integral multiples of the $b_j$'s to the expression for $x_i$. Thus, the points $y_1, \cdots, y_N$ are in the interior of the fundamental parallelepiped of $L$, and each $x_i - y_i \in L$. We denote this by $y_i = x_i \pmod{L}$. We now have the set of $N$ pairs $P = \{(x_i, y_i) \mid i \in [N]\}$, where $x_i - y_i$ are lattice points. Since the $y_i$ lie inside the fundamental parallelepiped we have $\|y_i\|_f \le n \cdot \max_i \|b_i\|_f = R$ for $i = 1$ to $N$.

Now, we apply the AKS sieving procedure in Lemma 3 to the set $\{y_1, y_2, \cdots, y_N\}$. The result is a subset $S \subset [N]$ of at most $5^n$ indices such that for each $i \in [N]$ there is some $j \in S$ such that $f(y_i - y_j) \le R/2$. We remove from $P$ all $(x_j, y_j)$ for $j \in S$ and replace each remaining $(x_i, y_i) \in P$ by a corresponding $(x_i, y_i - (y_j - x_j))$, where $j \in S$ is the first index such that $f(y_i - y_j) \le R/2$. After the sieving round, the set $P$ has the property that for each $(x_i, z_i) \in P$ we have $x_i - z_i \in L$ and $f(x_i - z_i) \le 4 + R/2$, and $P$ has shrunk in size by at most $5^n$. We continue with $O(\log R)$ sieving rounds so that we are left with a set $P$ with $N - O(\log R) 5^n$ pairs $(x_i, z_i)$ such that $x_i - z_i \in L$ and $f(x_i - z_i) \le 8$. We can ensure that $|P| \ge 2^{c'(n + k\log(1/\epsilon))}$ for an arbitrary constant $c'$ by appropriately choosing the constant $c$. The vectors $x_i - z_i$ for $(x_i, z_i) \in P$ follow some distribution among lattice points inside $B_f(0,8)$.
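The greedy sieve of Lemma 3 together with the sampling, reduction mod $L$ and sieving rounds described above, as an added Python example that is not code from the paper. It assumes rank $n = 2$ and an $\ell_p$ norm as the gauge function, substitutes rejection sampling from the cube $[-2,2]^2$ for the Dyer-Frieze-Kannan sampler, and runs rounds until the radius bound on the $z_i$ drops to 6 (so that $f(x_i - z_i) \le 8$); the basis and all function names are constructed for illustration.

```python
import math, random

def lp_gauge(p):
    """f(x) = ||x||_p; every l_p norm with p >= 1 is a nice gauge function."""
    return lambda x: sum(abs(t) ** p for t in x) ** (1.0 / p)

def sub(a, b):
    return tuple(s - t for s, t in zip(a, b))

def coeffs(x, B):
    """Coordinates (a1, a2) of x in the basis B = (b1, b2); rank 2 only."""
    (a, b), (c, d) = B
    det = a * d - b * c
    return ((x[0] * d - x[1] * c) / det, (x[1] * a - x[0] * b) / det)

def mod_lattice(x, B):
    """y = x (mod L): reduce each basis coefficient into [0, 1)."""
    f1, f2 = (t - math.floor(t) for t in coeffs(x, B))
    return (f1 * B[0][0] + f2 * B[1][0], f1 * B[0][1] + f2 * B[1][1])

def greedy_sieve(points, f, r):
    """Lemma 3: indices S with f(v_i - v_j) <= r/2 for every i and some j in S."""
    S = []
    for i, v in enumerate(points):
        if all(f(sub(v, points[j])) > r / 2 for j in S):
            S.append(i)
    return S

def aks_sieve(B, f, N, seed=1):
    """Sample x_i, reduce mod L, sieve until f(z_i) <= 6; returns (P, |S| per round)."""
    rng = random.Random(seed)
    xs = []
    while len(xs) < N:  # rejection sampling stands in for Dyer-Frieze-Kannan
        x = (rng.uniform(-2, 2), rng.uniform(-2, 2))
        if f(x) <= 2:
            xs.append(x)
    P = [(x, mod_lattice(x, B)) for x in xs]
    r, sizes = len(B) * max(f(b) for b in B), []  # r starts at R = n * max f(b_i)
    while r > 6:
        zs = [z for _, z in P]
        S = greedy_sieve(zs, f, r)
        sizes.append(len(S))
        centres, nxt = set(S), []
        for i, (x, z) in enumerate(P):
            if i not in centres:  # centres are removed from P
                j = next(j for j in S if f(sub(z, zs[j])) <= r / 2)
                nxt.append((x, sub(z, sub(zs[j], P[j][0]))))  # z_i - (z_j - x_j)
        P, r = nxt, r / 2 + 2  # now f(z) <= r/2 + f(x_j) <= r/2 + 2
    return P, sizes

BASIS = ((5, 10), (11, 23))  # constructed: skewed basis of the lattice of (2,1), (1,3)
```

Each round discards only the chosen centres, so the number of surviving pairs is $N$ minus the sum of the per-round $|S|$ values, each of which is at most $5^n = 25$ here.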

Next, we need the following simple proposition.

PROPOSITION 4. Let $L \subset \mathbb{R}^n$ be a rank $n$ lattice, $v \in L$ such that $2 \le f(v) \le 3$ for a nice gauge function $f$. Consider the convex regions $C = B_f(-v,2) \cap B_f(0,2)$ and $C' = B_f(v,2) \cap B_f(0,2)$. Then $C' = C + v$ and $\mathrm{vol}(C) = \mathrm{vol}(C') = \Omega\left(\frac{\mathrm{vol}(B_f(0,2))}{2^{O(n)}}\right)$.

Proposition 4 is easy to prove since $B_f(-v/2, 1/2) \subseteq C$, $B_f(v/2, 1/2) \subseteq C'$. Note that we have picked $x_1, \ldots, x_N$ uniformly at random from $B_f(0,2)$, where $N = 2^{c \cdot (n + k\log(1/\epsilon))} \cdot \log R$. By Proposition 4, the point $x_i$ is in $C$ with probability at least $2^{-O(n)}$. Hence by choosing the constant $c$ large enough we can ensure that with high probability there is a subset $Z \subseteq P$ such that $|Z| \ge 2^{c_1(n + k\log(1/\epsilon))}$ for a constant $c_1$ and for all $(x_i, z_i) \in Z$, $x_i \in C$.

We now prove the main theorem of this section.