Some Sieving Algorithms for Lattice Problems

Page 1

Foundations of Software Technology and Theoretical Computer Science (Bangalore) 2008.
Editors: R. Hariharan, M. Mukund, V. Vinay; pp 25-36
Some Sieving Algorithms for Lattice
Problems
V. Arvind and Pushkar S. Joglekar
Institute of Mathematical Sciences
C.I.T Campus,Chennai 600 113, India
{arvind,pushkar}@imsc.res.in
ABSTRACT. We study the algorithmic complexity of lattice problems based on the sieving technique
due to Ajtai, Kumar, and Sivakumar [AKS01]. Given a k-dimensional subspace M ⊆ Rnand a full
rank integer lattice L ⊆ Qn, the subspace avoiding problem SAP, defined by Bl¨ omer and Naewe [BN07],
is to find a shortest vector in L \ M. We first give a 2O(n+klogk)time algorithm to solve the subspace
avoiding problem. Applying this algorithm we obtain the following results.
1. We give a 2O(n)time algorithm to compute ithsuccessive minima of a full rank lattice L ⊂ Qn
if i is O(
logn).
2. We give a 2O(n)time algorithm to solve a restricted closest vector problem CVP where the inputs
fulfil a promise about the distance of the input vector from the lattice.
3. We also show that unrestricted CVP has a 2O(n)exact algorithm if there is a 2O(n)time exact
algorithm for solving CVP with additional input vi∈ L,1 ≤ i ≤ n, where ?vi?pis the ith
successive minima of L for each i.
We also give a new approximation algorithm for SAP and the Convex Body Avoiding problem which
is a generalization of SAP. Several of our algorithms work for gauge functions as metric, where the
gauge function has a natural restriction and is accessed by an oracle.
n
1 Introduction
Fundamental algorithmic problems concerning integer lattices are the shortest vector prob-
lem (SVP) and the closest vector problem(CVP). Given a lattice L ⊂ Rnby a basis, the
shortest vector problem (SVP) is to find a shortest nonzero vector in L w.r.t. some metric
given by a gauge function in general (usually the ℓpnorm for some p). Likewise, the closest
vector problem (CVP) takes as input a lattice L ⊂ Rnand vector v ∈ Rnand asks for a
u ∈ L closest to v w.r.t. a given metric. These problems have polynomial-time approxima-
tion algorithms based on the celebrated LLL algorithm for basis reduction [LLL82].
The fastest known exact deterministic algorithms for SVP and CVP have running time
2O(nlogn)[Kan87] (also see [Bl00]). More recently, Ajtai, Kumar and Sivakumar in a semi-
nal paper [AKS01] gave a 2O(n)time randomized exact algorithm for SVP. Subsequently, in
[AKS02] they gave a 2O(n)time randomized approximation algorithm for CVP. Their al-
gorithms are based on a generic sieving procedure (introduced by them) that exploits the
underlying geometry. Recently, Bl¨ omer and Naewe [BN07] gave a different 2O(n)time ran-
domized approximation algorithm for CVP, also based on the AKS sieving technique.
For 1 ≤ i ≤ n, the ithsuccessive minima λi(L) is defined as the smallest r such that a
ball of radius r around origin contains at least i linearly independent lattice vectors. The
successive minimas λi(L) are important lattice parameters. A classical problem is the suc-
cessive minima problem SMP of finding for a given lattice L, n linearly independent vectors
c ?
V. Arvind and Pushkar S. Joglekar; licensed under Creative Commons License-NC-ND
FSTTCS 2008
IARCS Annual Conference on
Foundations of Software Technology and Theoretical Computer Science
http://drops.dagstuhl.de/opus/volltexte/2008/1738

Page 2

26
SOME SIEVING ALGORITHMS FOR LATTICE PROBLEMS
v1,v2,...,vn∈ L such that ?vi? is at most λi(L). This problem clearly subsumes the short-
est independent vectors problem SIVP where one wants to find linearly independent vectors
v1,v2,...,vn∈ L such that ?vi? ≤ λn(L). Given a k-dimensional subspace M ⊆ Rnand a
full rank integer lattice L ⊆ Qn, the subspace avoiding problem SAP, is to find a shortest vector
in L \ M. The paper [BN07] gives 2O(n)time approximation algorithm for these problems.
Noexact2O(n)timerandomizedalgorithmisknownforCVPorSMP.Recently, Miccian-
cio has shown [Mi08] that CVP is polynomial-time equivalent to several lattice problems,
including SIVP and SMP, under deterministic polynomial time rank-preserving reductions.
This perhaps explains the apparent difficulty of finding a 2O(n)time exact algorithm for CVP
or SMP, because SVP reduces to all of these problems but no reduction is known in the other
direction. In particular, the reductions in [Mi08] yield 2O(nlogn)time exact algorithms for
SAP, SMP and SIVP, whereas [BN07] gives 2O(n)time randomized approximation algorithm
for these problems.
Our results
In this paper we consider some natural restrictions of these problems that can be exactly
solved in 2O(n)time. We obtain these results giving a 2O(n+klogk)algorithm to solve SAP
where n is the rank of the lattice and k is the dimension of the subspace.
As our first result we show that given a full rank lattice L ⊂ Qnthere is 2O(n)time
randomized algorithm to compute linearly independent vectors v1,v2,...,vi∈ L such that
?vi? = λi(L) if i is O(
a 2O(n)time algorithm to solve CVP(L,v) if the input (v,L) fulfils the promise d(v,L) ≤
√3
2λO(
We show that CVP can be solved in 2O(n)time if there is a 2O(n)time algorithm to com-
pute a closest vector to v in L where v ∈ Qn, L ⊂ Qnis a full rank lattice and v1,v2,...,vn∈
L such that ?vi?pis equal to ithsuccessive minima of L for i = 1 to n are given as an ad-
ditional input to the algorithm. As a consequence, we can assume that successive minimas
are given for free as an input to the algorithm for CVP. We believe that using basis reduc-
tion techniques from [Kan87] one might be able to exploit the information about successive
minimas of the lattice to get a better algorithm for CVP.
We give a new 2O(n+klog1/ǫ)time randomized algorithm to solve 1 + ǫ approximation
of SAP, where n is rank of the lattice and k is the dimension of subspace. We get better
approximation guarantee than the one in [BN07] parametrised on k. We also consider a
generalization of SAP (the convex body avoiding problem) and give a singly exponential ap-
proximation algorithm for the problem.
n
logn). Given a full rank lattice L ⊂ Qnand v ∈ Qnwe also give
n
logn)(L).
2Preliminaries
A lattice L is a discrete additive subgroup of Rn, n is called dimension of the lattice. For
algorithmic purposes we can assume that L ⊆ Qn, and even in some cases L ⊆ Zn. A
lattice is usually specified by a basis B = {b1,···,bm}, where bi∈ Qnand bi’s are linearly
independent. m is called the rank of the lattice. If the rank is n the lattice is said to be a full
rank lattice. Although most results in the paper hold for general lattices, for convenience we

Page 3

V. ARVIND AND PUSHKAR S. JOGLEKAR FSTTCS 2008
27
mainly consider only full-rank lattices. For x ∈ Qnlet size(x) denote the number of bits for
the standard binary representation as an n-tuple of rationals. Let size(L) denote ∑isize(bi).
Next we recall the definition of gauge functions.
DEFINITION 1.[Si45] A function f : Rn→ R is called a gauge function if it satisfies follow-
ing properties:
1. f(x) > 0 for all x ∈ Rn\ {0} and f(x) = 0 if x = 0.
2. f(λx) = λf(x) for all x ∈ Rnand λ ∈ R.
3. f(x + y) ≤ f(x) + f(y) for all x,y ∈ Rn.
For v ∈ Rnwe denote f(v) by ?v?fand call it norm of v with respect to the gauge
function f. It is easy to see that any lpnorm satisfies all the above properties. Thus gauge
functions generalize the usual lpnorms. A gauge function f defines a natural metric df
on Rnby setting df(x,y) = f(x − y) for x,y ∈ Rn. For x ∈ Rnand r > 0, let Bf(x,r)
denote the f-ball of radius r with center x with respect to the gauge function f, defined
as Bf(x,r) = {y ∈ Rn|f(x − y) ≤ r}. We denote the metric balls with respect to usual
lpnorm by Bp(x,r). Unless specified otherwise we always consider balls in Rn. The next
well-known proposition characterizes the class of all gauge functions.
PROPOSITION 2.[Si45] Let f : Rn→ R be any gauge function then a unit radius ball around
origin with respect to f is a n dimensional bounded O-symmetric convex body. Conversely,
for any n dimensional bounded O-symmetric convex body C, there is a gauge function
f : Rn→ R such that Bf(0,1) = C.
Given an f-ball of radius r around origin with respect to a gauge function f, from the
Proposition 2 it follows that Bf(0,r) is an O-symmetric convex body. It is easy to check that
for any r > 0 and any constant c we have vol(Bf(0,cr)) = cnvol(Bf(0,r)), where vol(C)
denotes the volume of the corresponding convex body C (see e.g. [Si45]).
We now place a natural restriction on gauge functions. A gauge function f, given by
oracle access, is a nice gauge function if it satisfies the following property: For some poly-
nomial p(n), B2(0,2−p(n)) ⊆ Bf(0,1) ⊆ B2(0,2p(n)), i.e. there exists a Euclidean sphere
of radius 2−p(n)inside the convex body Bf(0,1), and Bf(0,1) is contained inside a Eu-
clidean sphere of radius 2p(n). Note that if f is a nice gauge function and v ∈ Qnwe have
size(f(v))=poly(n,size(v)). For a nice gauge function f we can sample points from convex
body Bf(0,r) almost uniformly at random in poly(size(r),n) time using the Dyer-Frieze-
Kannan algorithm [DFK91]. It is easy to check that all lpnorms p ≥ 1 define nice gauge
functions. The ithsuccessive minima of a lattice L with respect to ℓpnorm is smallest r > 0
such that Bp(0,r) contains at least i linearly independent lattice vectors. It is denoted by
λp
i(L).
Remarks: In this paper we consider lattice problems with respect to nice gauge functions.
Let L be a lattice with basis {b1,b2,...,bn} and f be a nice gauge function. Suppose B is a
full rank n × n matrix with columns b1,b2,...,bn. Note that the linear transformation B−1
maps lattice L isomorphically to the standard lattice Zn. Furthermore, it is easy to see that
the set C = B−1(Bf(0,1)) is an O-symmetric convex body. Hence, by Proposition 2 it follows
that C = Bg(0,1) for some gauge function g. As f is a nice gauge function, it easily follows
that g is also a nice gauge function.

Page 4

28
SOME SIEVING ALGORITHMS FOR LATTICE PROBLEMS
Thus, our algorithms that work for nice gauge functions can be stated for the the stan-
dard lattice Znand a nice gauge function g. However, some of our results hold only for ℓp
norms. Thus, to keep uniformity we allow our algorithms to take arbitrary lattices as input
even when the metric is give by a nice gauge function.
3A Sieving Algorithm for SAP
In this section we present a different analysis of the AKS sieving [AKS01, Re04] applied
to the Subspace Avoiding Problem (SAP). Our analysis is quite different from that due to
Bl¨ omer and Naewe [BN07] and gives us improved running time for computing a 1 + ǫ
approximate solution.
Recall that an input instance of the subspace avoiding problem (SAP) consists of (L, M)
where L ⊂ Qnis a full rank lattice and M ⊂ Rnis a subspace of dimension k. The SAP
problem is to find a vector v ∈ L \ M with least norm with respect to a nice gauge function
f.
We give an intuitive outline of our approximation algorithm: Our analysis of AKS siev-
ing will use the fact that the sublattice L ∩ M of L is of rank k. We will use the AKS sieving
procedure to argue that we can sample 2O(n+klog(1/ǫ))points from some coset of L ∩ M in
2O(n+klog(1/ǫ))time. We can then apply a packing argument in the coset (which is only k-
dimensional) to obtain points in the coset that are close to each other. Then, with a standard
argument following the original AKS result [AKS01] we can conclude that their differences
will contain a good approximation.
Suppose, without loss of generality, that the input lattice L ⊆ Rnis n-dimensional
given by a basis {b1,···,bn}, so that L = ∑n
let v ∈ L denote a shortest vector in L \ M with respect to gauge function f, i.e. f(x) for
x ∈ L\ M attains minimum value at x = v. Let s = size(L,M) denote the input size (which
is the number of bits for representing the vectors biand the basis for M). As v is a shortest
vectorinL\ M and f isanicegaugefunctionitisquiteeasytoseethat size(f(v)) isbounded
by a polynomial in s. Thus, we can scale the lattice L to ensure that 2 ≤ f(v) ≤ 3. More
precisely, we can compute polynomially many scaled lattices from L, so that 2 ≤ f(v) ≤ 3
holds for at least one scaled lattice. Thus, we can assume that 2 ≤ f(v) ≤ 3 holds for the
lattice L.
We first describe the AKS sieving procedure [AKS01] for any gauge function, analyze
its running time and explain its key properties. The following lemma is crucially used in
the algorithm.
i=1Z · bi. Let us fix a nice gauge function f and
LEMMA 3.[Sieving Procedure] Let f : Rn→ R be any gauge function. Then there is a
sieving procedure that takes as input a finite set of points {v1,v2,v3,...,vN} ⊆ Bf(0,r),
and in NO(1)time it outputs a subset of indices S ⊂ [N] such that |S| ≤ 5nand for each
i ∈ [N] there is a j ∈ S with f(vi− vj) ≤ r/2.
Proof. The sieving procedure is exactly as described in Regev’s lecture notes [Re04]. The
sieving procedure is based on a simple greedy strategy. We start with S = ∅ and run the
following step for all elements vi,1 ≤ i ≤ N. At the ithstep we consider vi. If f(vi− vj) >
r/2 for all j ∈ S include i in the set S and increment i. After completion, for all i ∈ [N]

Page 5

V. ARVIND AND PUSHKAR S. JOGLEKARFSTTCS 2008
29
there is a j ∈ S such that f(vi− vj) ≤ r/2. The bound on |S| follows from a packing
argument combined with the fact that vol(Bf(0,cr)) = cnvol(Bf(0,r)) for any r > 0 and
a constant c > 0. More precisely, for any two points vi,vj∈ S we have f(vi− vj) > r/2.
Thus, all the convex bodies Bf(vi,r/4) for vi∈ S are mutually disjoint and are contained
in Bf(0,r + r/4). Also note that vol(Bf(0,dr)) = dnvol(Bf(0,r)) for any constant d > 0. It
follows that 5nvol(Bf(vi,r/4)) ≥ vol(Bf(0,r +r/4)). Hence, |S| ≤ 5n. The second property
of S is guaranteed by the sieving procedure.
Next, our algorithm follows the usual AKS random sampling procedure. Let R =
n · maxi?bi?f. It is clear that size(R) is polynomial in s since f is a nice gauge function. Let
Bf(0,2) denote the f-ball of radius 2 around the origin. Since we have an oracle for mem-
bership in Bf(0,2) and f is a nice gauge function we can almost uniformly sample from
Bf(0,2) using the Dyer-Frieze-Kannan algorithm [DFK91]. Let x1,x2,···,xNdenote such
a random sample, for N = 2c·(n+klog(1/ǫ))· logR where the constant c > 0 will be suitably
chosen. Now, using the lattice L we can round off the points xi. More precisely, we express
xi= Σjαijbjfor rationals αij. Then, from each vector xiwe compute the vector yi= Σjβijbj,
where 0 ≤ βij< 1, by adding appropriate integral multiples of the bj’s to the expression
for xi. Thus, the points y1,···,yNare in the interior of the fundamental parallelepiped of L,
and each xi− yi∈ L. We denote this by yi= xi(mod L). We now have the set of N pairs
P = {(xi,yi) | i ∈ [N]}, where xi− yiare lattice points. Since yilie inside the fundamental
parallelepiped we have ?yi?f≤ n · maxi?bi?f= R for i = 1 to N.
Now, we apply the AKS sieving procedure in Lemma 3 to the set {y1,y2,···,yN}. The
result is a subset S ⊂ [N] of at most 5nindices such that for each i ∈ [N] there is some
j ∈ S such that f(yi− yj) ≤ R/2. We remove from P all (xj,yj) for j ∈ S and replace each
remaining (xi,yi) ∈ P by a corresponding (xi,yi− (yj− xj)), where j ∈ S is the first index
such that f(yi− yj) ≤ R/2. After the sieving round, the set P has the property that for each
(xi,zi) ∈ P we have xi− zi∈ L and f(xi− zi) ≤ 4 + R/2, and P has shrunk in size by at
most 5n. We continue with O(log R) sieving rounds so that we are left with a set P with
N − O(log R)5npairs (xi,zi) such that xi− zi∈ L and f(xi− zi) ≤ 8. We can ensure that
|P| ≥ 2c′(n+klog(1/ǫ))for an arbitrary constant c′by appropriately choosing constant c. The
vectors, xi−zifor (xi,zi) ∈ P follows some distribution among lattice points inside Bf(0,8).
Next, we need following simple proposition.
PROPOSITION 4. Let L ⊂ Rnbe a rank n lattice, v ∈ L such that 2 ≤ f(v) ≤ 3 for a
nice gauge function f. Consider the convex regions C = Bf(−v,2) ∩ Bf(0,2) and C′=
Bf(v,2) ∩ Bf(0,2). Then C′= C + v and vol(C) = vol(C′) = Ω(vol(Bf(0,2))
Proposition 4 is easy to prove since Bf(−v/2,1/2) ⊆ C,Bf(v/2,1/2) ⊆ C′. Note that
we have picked x1,...,xNuniformly at random from Bf(0,2),where N = 2c·(n+klog(1/ǫ))·
logR. By Proposition 4, the point xiis in C with probability at least 2−O(n). Hence by
choosing the constant c large enough we can ensure that with high probability there is a
subset Z ⊆ P such that |Z| ≥ 2c1(n+klog(1/ǫ))for a constant c1and for all (xi,zi) ∈ Z, xi∈ C.
We now prove the main theorem of this section.
2O(n)
).