Foundations of Software Technology and Theoretical Computer Science (Bangalore) 2008.
Editors: R. Hariharan, M. Mukund, V. Vinay; pp 25-36
Some Sieving Algorithms for Lattice Problems
V. Arvind and Pushkar S. Joglekar
Institute of Mathematical Sciences
C.I.T Campus, Chennai 600 113, India
{arvind,pushkar}@imsc.res.in
ABSTRACT. We study the algorithmic complexity of lattice problems based on the sieving technique
due to Ajtai, Kumar, and Sivakumar [AKS01]. Given a $k$-dimensional subspace $M \subseteq \mathbb{R}^n$ and a full
rank integer lattice $L \subseteq \mathbb{Q}^n$, the subspace avoiding problem SAP, defined by Blömer and Naewe [BN07],
is to find a shortest vector in $L \setminus M$. We first give a $2^{O(n + k\log k)}$ time algorithm to solve the subspace
avoiding problem. Applying this algorithm we obtain the following results.
1. We give a $2^{O(n)}$ time algorithm to compute the $i$th successive minimum of a full rank lattice
$L \subset \mathbb{Q}^n$ if $i$ is $O(n/\log n)$.
2. We give a $2^{O(n)}$ time algorithm to solve a restricted closest vector problem CVP where the inputs
fulfil a promise about the distance of the input vector from the lattice.
3. We also show that unrestricted CVP has a $2^{O(n)}$ exact algorithm if there is a $2^{O(n)}$ time exact
algorithm for solving CVP with additional input $v_i \in L$, $1 \le i \le n$, where $\|v_i\|_p$ is the $i$th
successive minimum of $L$ for each $i$.
We also give a new approximation algorithm for SAP and the Convex Body Avoiding problem which
is a generalization of SAP. Several of our algorithms work for gauge functions as metric, where the
gauge function has a natural restriction and is accessed by an oracle.
1 Introduction
Fundamental algorithmic problems concerning integer lattices are the shortest vector problem
(SVP) and the closest vector problem (CVP). Given a lattice $L \subset \mathbb{R}^n$ by a basis, the
shortest vector problem (SVP) is to find a shortest nonzero vector in $L$ w.r.t. some metric
given by a gauge function in general (usually the $\ell_p$ norm for some $p$). Likewise, the closest
vector problem (CVP) takes as input a lattice $L \subset \mathbb{R}^n$ and vector $v \in \mathbb{R}^n$ and asks for a
$u \in L$ closest to $v$ w.r.t. a given metric. These problems have polynomial-time approximation
algorithms based on the celebrated LLL algorithm for basis reduction [LLL82].
The fastest known exact deterministic algorithms for SVP and CVP have running time
$2^{O(n\log n)}$ [Kan87] (also see [Bl00]). More recently, Ajtai, Kumar and Sivakumar in a seminal
paper [AKS01] gave a $2^{O(n)}$ time randomized exact algorithm for SVP. Subsequently, in
[AKS02] they gave a $2^{O(n)}$ time randomized approximation algorithm for CVP. Their algorithms
are based on a generic sieving procedure (introduced by them) that exploits the
underlying geometry. Recently, Blömer and Naewe [BN07] gave a different $2^{O(n)}$ time randomized
approximation algorithm for CVP, also based on the AKS sieving technique.
For $1 \le i \le n$, the $i$th successive minimum $\lambda_i(L)$ is defined as the smallest $r$ such that a
ball of radius $r$ around the origin contains at least $i$ linearly independent lattice vectors. The
successive minima $\lambda_i(L)$ are important lattice parameters. A classical problem is the successive
minima problem SMP of finding for a given lattice $L$, $n$ linearly independent vectors
$v_1, v_2, \ldots, v_n \in L$ such that $\|v_i\|$ is at most $\lambda_i(L)$. This problem clearly subsumes the shortest
independent vectors problem SIVP where one wants to find linearly independent vectors
$v_1, v_2, \ldots, v_n \in L$ such that $\|v_i\| \le \lambda_n(L)$. Given a $k$-dimensional subspace $M \subseteq \mathbb{R}^n$ and a
full rank integer lattice $L \subseteq \mathbb{Q}^n$, the subspace avoiding problem SAP is to find a shortest vector
in $L \setminus M$. The paper [BN07] gives a $2^{O(n)}$ time approximation algorithm for these problems.
© V. Arvind and Pushkar S. Joglekar; licensed under Creative Commons License-NC-ND
http://drops.dagstuhl.de/opus/volltexte/2008/1738
No exact $2^{O(n)}$ time randomized algorithm is known for CVP or SMP. Recently, Micciancio
has shown [Mi08] that CVP is polynomial-time equivalent to several lattice problems,
including SIVP and SMP, under deterministic polynomial time rank-preserving reductions.
This perhaps explains the apparent difficulty of finding a $2^{O(n)}$ time exact algorithm for CVP
or SMP, because SVP reduces to all of these problems but no reduction is known in the other
direction. In particular, the reductions in [Mi08] yield $2^{O(n\log n)}$ time exact algorithms for
SAP, SMP and SIVP, whereas [BN07] gives $2^{O(n)}$ time randomized approximation algorithm
for these problems.
Our results
In this paper we consider some natural restrictions of these problems that can be exactly
solved in $2^{O(n)}$ time. We obtain these results by giving a $2^{O(n + k\log k)}$ algorithm to solve SAP
where $n$ is the rank of the lattice and $k$ is the dimension of the subspace.
As our first result we show that given a full rank lattice $L \subset \mathbb{Q}^n$ there is a $2^{O(n)}$ time
randomized algorithm to compute linearly independent vectors $v_1, v_2, \ldots, v_i \in L$ such that
$\|v_i\| = \lambda_i(L)$ if $i$ is $O(n/\log n)$. Given a full rank lattice $L \subset \mathbb{Q}^n$ and $v \in \mathbb{Q}^n$ we also give
a $2^{O(n)}$ time algorithm to solve CVP$(L,v)$ if the input $(v,L)$ fulfils the promise
$d(v,L) \le \frac{\sqrt{3}}{2}\lambda_{O(n/\log n)}(L)$.
We show that CVP can be solved in $2^{O(n)}$ time if there is a $2^{O(n)}$ time algorithm to compute
a closest vector to $v$ in $L$ where $v \in \mathbb{Q}^n$, $L \subset \mathbb{Q}^n$ is a full rank lattice and $v_1, v_2, \ldots, v_n \in L$
such that $\|v_i\|_p$ is equal to the $i$th successive minimum of $L$ for $i = 1$ to $n$ are given as an
additional input to the algorithm. As a consequence, we can assume that successive minima
are given for free as an input to the algorithm for CVP. We believe that using basis reduction
techniques from [Kan87] one might be able to exploit the information about successive
minima of the lattice to get a better algorithm for CVP.
We give a new $2^{O(n + k\log(1/\epsilon))}$ time randomized algorithm to solve $1 + \epsilon$ approximation
of SAP, where $n$ is the rank of the lattice and $k$ is the dimension of the subspace. We get a better
approximation guarantee than the one in [BN07] parametrised on $k$. We also consider a
generalization of SAP (the convex body avoiding problem) and give a singly exponential
approximation algorithm for the problem.
2 Preliminaries
A lattice $L$ is a discrete additive subgroup of $\mathbb{R}^n$; $n$ is called the dimension of the lattice. For
algorithmic purposes we can assume that $L \subseteq \mathbb{Q}^n$, and even in some cases $L \subseteq \mathbb{Z}^n$. A
lattice is usually specified by a basis $B = \{b_1, \cdots, b_m\}$, where $b_i \in \mathbb{Q}^n$ and the $b_i$'s are linearly
independent. $m$ is called the rank of the lattice. If the rank is $n$ the lattice is said to be a full
rank lattice. Although most results in the paper hold for general lattices, for convenience we
Page 11
compute linearly independent vectors $v_1, v_2, \ldots, v_i \in L$ such that $\|v_j\|_p = \lambda_j^p(L)$ for $j = 1$
to $i$.
The CVP problem is polynomial-time reducible to SAP, as noted in [BN07]. Micciancio
[Mi08] has shown that CVP, SAP and SMP are all polynomial-time equivalent. Our
algorithm computes $v \in L \setminus M$ with least norm by solving $2^{O(n)}$ instances of CVP. We have
basically given a randomized $2^{O(n)}$ time Turing reduction from SAP to CVP. An interesting
property of our reduction is that we are solving instance $(L, M)$ of SAP by solving $2^{O(n)}$
many CVP instances $(L \cap M, v)$ where $L \cap M$ is a rank $k$ lattice, where $k$ is the dimension of $M$.
In contrast, for the CVP instance $(N, v)$ produced by the SAP to CVP reduction in [BN07]
the lattice $N$ has rank $O(n)$.
As a consequence of this property of our reduction we obtain Corollary 14 which states
that it suffices to look for a $2^{O(n)}$ randomized exact algorithm for CVP that can access all
successive minima of the input lattice.
COROLLARY 14. Suppose for all $m$ there is a $2^{O(m)}$ randomized exact algorithm for CVP
that takes as input a CVP instance $(M, v)$ where $M$ is full rank lattice of rank $m$ and $v \in \mathbb{R}^m$
(along with the extra input $v_i \in M$ such that $|v_i|_p = \lambda_i^p(M)$ for $i = 1$ to $m$ where $\lambda_i^p(M)$ is
$i$th successive minima in $M$). Then, in fact, there is a $2^{O(n)}$ randomized exact algorithm for
solving CVP on any rank $n$ lattice.
Proof. By [Mi08], CVP is polynomial-time equivalent to SMP (the successive minima problem).
Consider the full rank lattice $L \subset \mathbb{Q}^n$ as input to SMP. It suffices to compute linearly
independent vectors $v_1, \ldots, v_n \in L$ with $\|v_i\|_p = \lambda_i^p(L)$ for $i = 1$ to $n$ in $2^{O(n)}$ time. We
proceed as in the proof of Corollary 13. Inductively assume that we have computed linearly
independent vectors $v_1, \ldots, v_k \in L$ with $\|v_i\|_p = \lambda_i^p(L)$. Let $M$ be the space generated by
$v_1, \ldots, v_k$. As in proof of Theorem 12 we can solve the SAP instance $(L, M)$ by solving $2^{O(n)}$
many instances of CVP $(L \cap M, v')$. Note that $L \cap M$ is rank $k$ lattice and it is clear that
$\|v_i\|_p = \lambda_i^p(L \cap M)$ for $i = 1$ to $k$. Hence we can solve these instances in $2^{O(n)}$ time (although
$L \cap M$ is not full rank lattice, but it is not difficult to convert all these instances of CVP to full
rank by applying a suitable linear transformation). This takes time $2^{O(n+k)}$ which is at most
$2^{O(n)}$. Hence, it is clear that we can compute linearly independent vectors $v_1, \ldots, v_n \in L$
such that $\|v_i\|_p = \lambda_i^p(L)$ in time $n \cdot 2^{O(n)}$.
In the next corollary we give a $2^{O(n)}$ time algorithm to solve certain CVP instances
$(L, v)$ for any $\ell_p$ norm. We prove the result only for the $\ell_2$ norm and it is easy to generalize it
to general $\ell_p$ norms. Let $\lambda_i(L)$ denote the $i$th successive minimum of the lattice $L$ with respect
to the $\ell_2$ norm.
COROLLARY 15. Let $(L, v)$ be a CVP instance such that $L$ is full rank with the promise
that $d(v, L) < \frac{\sqrt{3}}{2}\lambda_t(L)$, $t \le \frac{cn}{\log n}$. Then there is a $2^{O(n)} \cdot \mathrm{poly}(\mathrm{size}(L))$ time randomized
algorithm that solves such a CVP instance exactly.
Proof. By Corollary 13 we first compute $\lambda_t(L)$. We now use ideas from Kannan's CVP to
SVP reduction [Kan87]. Let $b_1, b_2, \cdots, b_n$ be a basis for $L$. We obtain new vectors $c_i \in \mathbb{Q}^{n+1}$
for $i = 1$ to $n$ by letting $c_i^T = (b_i^T, 0)$. Likewise, define $u \in \mathbb{Q}^{n+1}$ as $u^T = (v^T, \lambda_t/2)$. Let
$M$ be the lattice generated by the $n + 1$ vectors $u, c_1, c_2, \cdots, c_n$. Compute the vectors $v_j \in M$
such that $\|v_j\|_2 = \lambda_j(M)$ for $j = 1$ to $t$ using Corollary 13 in time $2^{O(n)} \cdot \mathrm{poly}(\mathrm{size}(L))$. Write
vectors $v_j$ as $v_j = u_j + \alpha_j u$, $u_j \in L(c_1, \cdots, c_n)$ and $\alpha_j \in \mathbb{Z}$. Clearly, $|\alpha_j| \le 1$ since $u$ has $\lambda_t/2$
as its $(n + 1)$th entry. As $d(v, L) < \frac{\sqrt{3}}{2}\lambda_t(L)$ we have $d(u, M) < \lambda_t(L)$. Hence, there
is at least one index $i$, $1 \le i \le t$ such that $|\alpha_i| = 1$. Consider the set $S = \{u_i \mid 1 \le i \le
t, |\alpha_i| = 1\}$ and let $u_j$ be the shortest vector in $S$. Writing $u_j = (w_j^T, 0)$, it is clear that the
vector $-w_j \in L$ is closest vector to $v$ if $\alpha_j = 1$ and $w_j$ is a closest vector to $v$ if $\alpha_j = -1$.
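The embedding step from the proof of Corollary 15, as an added example that is not code from the paper: a brute-force enumeration over a small coefficient box (the parameter `R`, an assumption of this example) stands in for the $2^{O(n)}$ oracle of Corollary 13, and the decoder takes the shortest embedded vector $v_j$ with $|\alpha_j| = 1$, which is this example's reading of the selection rule. The sample lattice is constructed.

```python
import itertools, math
from fractions import Fraction

def rank(rows):
    """Exact rank of integer coefficient rows (Gaussian elimination over Q)."""
    rows, rk = [[Fraction(x) for x in r] for r in rows], 0
    for col in range(len(rows[0])):
        piv = next((i for i in range(rk, len(rows)) if rows[i][col] != 0), None)
        if piv is None:
            continue
        rows[rk], rows[piv] = rows[piv], rows[rk]
        for i in range(rk + 1, len(rows)):
            f = rows[i][col] / rows[rk][col]
            rows[i] = [a - f * b for a, b in zip(rows[i], rows[rk])]
        rk += 1
    return rk

def successive_minima(basis, t, R=4):
    """(norm, coefficients) of vectors attaining lambda_1..lambda_t, by brute force
    over coefficients in [-R, R]; stands in for the oracle of Corollary 13."""
    cands = []
    for coef in itertools.product(range(-R, R + 1), repeat=len(basis)):
        if any(coef):
            vec = [sum(c * b[k] for c, b in zip(coef, basis)) for k in range(len(basis[0]))]
            cands.append((math.sqrt(sum(x * x for x in vec)), coef))
    chosen = []
    for norm, coef in sorted(cands):
        # Basis rows are independent, so coefficient rank equals vector rank.
        if rank([c for _, c in chosen] + [coef]) > len(chosen):
            chosen.append((norm, coef))
        if len(chosen) == t:
            break
    return chosen

def cvp_by_embedding(basis, v, t, R=4):
    """Closest lattice vector to v, assuming d(v, L) < (sqrt(3)/2) * lambda_t(L)."""
    lam_t = successive_minima(basis, t, R)[-1][0]
    u = tuple(v) + (lam_t / 2,)                      # u^T = (v^T, lambda_t / 2)
    M = [u] + [tuple(b) + (0,) for b in basis]       # c_i^T = (b_i^T, 0)
    S = [m for m in successive_minima(M, t, R) if abs(m[1][0]) == 1]
    if not S:
        return None                                  # no |alpha_j| = 1: promise not met for this t
    alpha, *w_coef = min(S)[1]                       # v_j = u_j + alpha_j * u
    w = [sum(c * b[k] for c, b in zip(w_coef, basis)) for k in range(len(v))]
    return [-alpha * x for x in w]                   # -w_j if alpha_j = 1, w_j if alpha_j = -1

BASIS = [(3, 0), (3, 5)]   # constructed sample lattice: lambda_1 = 3, lambda_2 = 5
```

For the target `(4.4, 2.6)` the distance to the lattice lies between $\frac{\sqrt{3}}{2}\lambda_1$ and $\frac{\sqrt{3}}{2}\lambda_2$, so `t=1` finds no vector with $|\alpha_j| = 1$ while `t=2` recovers the closest vector.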
References
[AKS01] M. AJTAI, R. KUMAR, D. SIVAKUMAR, A sieve algorithm for the shortest lattice
vector. In Proceedings of the 30th Annual ACM Symposium on Theory of Computing,
266-275, 2001.
[AKS02] M. AJTAI, R. KUMAR, D. SIVAKUMAR, Sampling short lattice vectors and the closest
lattice vector problem. In Proceedings of the 17th IEEE Annual Conference on Computational
Complexity-CCC, 53-57, 2002.
[Bl00] J. BLÖMER, Closest vectors, successive minima, and dual HKZ-bases of lattices. In
Proceedings of the 17th ICALP, Lecture Notes in Computer Science 1853, 248-259, Springer,
2000.
[BN07] J. BLÖMER, S. NAEWE, Sampling Methods for Shortest Vectors, Closest Vectors and
Successive Minima of lattices. In Proceedings of ICALP, 65-77, 2007.
[DFK91] M. DYER, A. FRIEZE, R. KANNAN, A random polynomial time algorithm for approximating
the volume of convex bodies. Journal of the ACM, 38(1):1-17, 1991.
[Kan87] R. KANNAN, Minkowski's convex body theorem and integer programming. Mathematics
of Operations Research, 12(3):415-440, 1987.
[LLL82] A. K. LENSTRA, H. W. LENSTRA, JR. AND L. LOVASZ, Factoring Polynomials with
Rational Coefficients, Mathematische Annalen, 261:515-534, 1982.
[MG02] D. MICCIANCIO, S. GOLDWASSER, Complexity of Lattice Problems. A Cryptographic
Perspective, Kluwer Academic Publishers, 2002.
[Mi08] D. MICCIANCIO, Efficient reductions among lattice problems, SODA, 2008, 84-93.
[Re04] O. REGEV, Lecture Notes — Lattices in Computer Science, lecture 8. Available at the
website: http://www.cs.tau.ac.il/~odedr/teaching/lattices_fall_2004/index.html.
[Si45] C. L. SIEGEL, Lectures on Geometry of Numbers. Springer-Verlag publishing company,
1988.
This work is licensed under the Creative Commons Attribution-NonCommercial-No Derivative Works 3.0 License.