On polynomial approximations to the shortest lattice vector length

Ravi Kumar (IBM Almaden Research Center; ravi@almaden.ibm.com)
D. Sivakumar (IBM Almaden Research Center; siva@almaden.ibm.com)

Abstract

We obtain a $2^{O(n/\epsilon)}$ time algorithm to approximate the length of the shortest vector in an $n$-dimensional lattice to within a factor of $n^{3+\epsilon}$.

In this note we consider the complexity of approximating the shortest lattice vector length (called SVP-Length) when the approximation factor is $\mathrm{poly}(n)$. An obvious candidate for producing polynomial approximations to SVP-Length, Schnorr's improvement of the Lovász basis reduction algorithm [6], turns out to be uninteresting: Schnorr's algorithm takes $O(n^2 (k^{k/2 + o(k)} + n^2))$ arithmetic steps (on polynomial-sized operands) to produce a $(\sqrt{6}\,k)^{n/k}$ approximation. To obtain $\mathrm{poly}(n)$ approximation factors, $k = \Omega(n)$, so the running time is $2^{\Omega(n \log n)}$, which is pointless in the light of an $n^{O(n)}$ algorithm that solves the problem exactly [5]. We show:

THEOREM 1. There exists an absolute constant $\gamma > 1$ such that for any $\epsilon > 0$, SVP-Length can be approximated to within $n^{3+\epsilon}$ in probabilistic time $2^{\gamma n (1 + 1/\epsilon)}$.

Proof. Our algorithm uses Ajtai's [1] reduction of SVP-Length to the problem of finding a short vector in a special class of lattices; we solve the latter problem by adapting an idea of Blum, Kalai, and Wasserman [2]. To obtain the best approximation factors, we use the sharpest form of the reduction, due to Cai and Nerurkar [4, 3].

For integers $n$, $m$, and $q$, Ajtai [1] defines a family of lattices in $\mathbb{Z}^m$ by $\Lambda(n, m, q) = \{L(A)\}$, where $A$ is an $n \times m$ matrix over $\mathbb{Z}_q$ and $L(A) = \{x \in \mathbb{Z}^m \mid Ax \equiv 0 \pmod{q}\}$. The main result of [1] is that if there is an algorithm $\mathcal{A}$ that, with certain settings of $q$ and $m$, computes a non-zero vector of length $n$ in a random lattice from $\Lambda(n, m, q)$ with non-negligible probability, then there is a randomized algorithm $\mathcal{B}$ that computes $\mathrm{poly}(n)$ approximations to SVP-Length for any $n$-dimensional lattice. The improved version of Ajtai's reduction [4, 3] gives the following:

THEOREM 2. ([1, 4, 3]) Let $c > 2$ and $m$ be such that there is a probabilistic algorithm $\mathcal{A}$ that computes a non-zero vector of length $n^{c-2}/2$ in a random lattice in $\Lambda(n, m, n^c)$ with non-negligible probability. Then there is an algorithm $\mathcal{B}$ that, for any $\delta > 0$ and any lattice $L \subseteq \mathbb{R}^n$, computes a number $\lambda$ such that $\lambda_1(L)/n^{c+1+\delta} \le \lambda \le \lambda_1(L)$, where $\lambda_1(L)$ is the length of the shortest non-zero vector in $L$. Furthermore, if $\mathcal{A}$ runs in time $t(n, m)$, then $\mathcal{B}$ runs in time $\mathrm{poly}(t(n, m)/\delta)$.

Remark 1: In [1], $c \approx 8$ and $m = O(n \log n)$; in [4], $c = 3$ and $m = O(n)$. The parameter $m$ in Theorem 2 has only one role: it should be suitably large to ensure that with non-negligible probability, a random lattice in $\Lambda(n, m, n^c)$ does have a non-zero vector of length at most $n^{c-2}/2$. This is shown in [1, 4] (for every lattice in $\Lambda(n, m, n^c)$) by applying Minkowski's theorem. Other than that, $m$ has no bearing on the approximation factor. It does, however, figure in the running time of $\mathcal{B}$, given $\mathcal{A}$.

Remark 2: Note that for $m > n$, for every lattice in $\Lambda(n, m, n^c)$, Gaussian elimination only gives a vector of length $O(n^{c + 1/2})$.
In our application, say we want to produce an $n^{3+\epsilon}$ approximation to SVP-Length. We choose $c = 2 + \epsilon/2$ and let $q = n^c$. Set $a = \epsilon \log n$ and $b = n/a$, and let $m = (a + n + \ln(aq^b))\,q^b$. Since $q^b = n^{cn/(\epsilon \log n)} = 2^{cn/\epsilon}$, we have $m \le 2^{(1/2 + 2/\epsilon)\,d\,n}$ for any constant $d > 1$ and all sufficiently large $n$. The rest of this note is devoted to showing that with these settings, given a random lattice $L(A)$ from $\Lambda(n, m, q)$, with high probability we will be able to find a non-zero vector of length $n^{\epsilon/2}$ in $L(A)$ in $\mathrm{poly}(m)$ time. Thus, applying Theorem 2 with $\delta = \epsilon/2$, we obtain $n^{3+\epsilon}$ approximations to SVP-Length in $2^{O(n/\epsilon)}$ time.

Suppose we are given a random $n \times m$ matrix $A$ over $\mathbb{Z}_q$. The multiset $S$ that consists of the columns of $A$ gives us a uniform sample (with replacement) of $m$ vectors in $\mathbb{Z}_q^n$. We will show how to express any vector $u \in \mathbb{Z}_q^n$ as a sum of at most $n^{\epsilon}$ vectors from $S$; the coefficient vector clearly has Euclidean length $n^{\epsilon/2}$. A non-zero vector in $L(A)$ is obtained by considering the case $u = 0$. The arguments below are adaptations of the arguments by Blum, Kalai, and Wasserman [2].

Divide the $n$ coordinates into $a$ groups of $b$ coordinates each. (Recall that $a = \epsilon \log n$ and $b = n/a$.) Number the groups 1 through $a$. We will create $a + 1$ sample sets $S_0, S_1, \ldots, S_a \subseteq \mathbb{Z}_q^n$ such that the following properties hold:

(1) for every $i$, $0 \le i \le a$, every $v \in S_i$ agrees with $u$ on every coordinate in the groups $1, \ldots, i$;

(2) for every $i$, $0 \le i \le a$, the projection of $S_i$ to the coordinates in groups $i+1, \ldots, a$ is a collection of $m - iq^b$ independent and uniformly distributed points from $\mathbb{Z}_q^{b(a-i)}$ (with replacement, thus there could be repetitions);

(3) for every $i$, $1 \le i \le a$, every $v \in S_i$ can be written as the sum of two vectors in $S_{i-1}$.

Thus, in particular, $S_a = \{u\}$ (with certain multiplicity), and $u$ can be written as the sum of $2^a$ vectors in $S_0$. We will define $S_0 = S$. The key step is to create $S_i$ from $S_{i-1}$, which is done as follows. Partition $S_{i-1}$ into $q^b$ multisets, one for each $\alpha \in \mathbb{Z}_q^b$, defined by $S^{\alpha}_{i-1} = \{v \in S_{i-1} \mid v \text{ agrees with } \alpha \text{ in group } i\}$. Let $u_i$ denote the projection of $u$ to the coordinates in the $i$-th group. For each $\alpha$, pick (arbitrarily) a representative $r^{\alpha}_{i-1} \in S^{\alpha}_{i-1}$, and define the multiset

$$S_i = \bigcup_{\alpha \in \mathbb{Z}_q^b} \{\, v \pm r^{\alpha}_{i-1} \;:\; v \in S^{\alpha}_{i-1} \setminus \{r^{\alpha}_{i-1}\} \,\}.$$

It is easy to see that if the construction proceeds successfully, then properties (1) and (3) mentioned above are satisfied. We prove property (2) by induction; the base case $i = 0$ is trivial. Assume inductively for $i > 0$ that the projection of $S_{i-1}$ to the coordinates in groups $i$ through $a$ gives a collection of $m - (i-1)q^b$ independent and uniformly distributed points in $\mathbb{Z}_q^{b(a-(i-1))}$. Note that $|S_{i-1}| = m - (i-1)q^b \ge m - aq^b = (n + \ln(aq^b))\,q^b$. Since $S_{i-1}$ contains at least $(n + \ln(aq^b))\,q^b$ samples whose projection to group $i$ gives uniform and independent vectors in $\mathbb{Z}_q^b$, for any fixed $\alpha \in \mathbb{Z}_q^b$, the probability that $S^{\alpha}_{i-1}$ is empty
is at most $(1 - 1/q^b)^{(n + \ln(aq^b))\,q^b} \le e^{-n}/(aq^b)$. Summing this error probability over all $\alpha$ and over all $a$ stages of the construction, the total error probability is at most $e^{-n}$. Thus w.h.p. every $S^{\alpha}_{i-1}$ is non-empty; furthermore, since the projection of $S_{i-1}$ to the coordinates in groups $i$ through $a$ is uniform, the value of $r^{\alpha}_{i-1}$ in groups $i+1$ through $a$ is uniformly distributed. Therefore, the projection of every sample in $S_i$ to the coordinates in groups $i+1$ through $a$ is uniform. For independence, let $x, y \in S^{\alpha}_{i-1}$. The projections of $x$ and $y$ to groups $i+1$ through $a$ are independent random variables, and so $x \pm r$ and $y \pm r$ are independent, where $r = r^{\alpha}_{i-1}$. (Note that it is to maintain stochastic independence that the representatives are thrown out in going from $S_{i-1}$ to $S_i$.) This completes the induction step. Finally, note that the running time is $\mathrm{poly}(m)$, which is $2^{O(n/\epsilon)}$.

References

[1] M. Ajtai. Generating hard instances of lattice problems. Proc. 28th STOC, pages 99-108, 1996.
[2] A. Blum, A. Kalai, and H. Wasserman. Noise-tolerant learning, the parity problem, and the statistical query model. Proc. 32nd STOC, pages 435-440, 2000.
[3] J.-Y. Cai. Applications of a new transference theorem to Ajtai's connection factor. Proc. 14th Complexity, pages 205-214, 1999.
[4] J.-Y. Cai and A. Nerurkar. An improved worst-case to average-case connection for lattice problems. Proc. 38th FOCS, pages 468-477, 1997.
[5] R. Kannan. Minkowski's convex body theorem and integer programming. Mathematics of Operations Research, vol. 12, no. 3, pages 415-440, 1987.
[6] C. P. Schnorr. A hierarchy of polynomial time lattice basis reduction algorithms. Theoretical Computer Science, vol. 53, pages 201-224, 1987.
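The $S_0 \to S_1 \to \cdots \to S_a$ construction of the proof, as an added worked example that is not part of the authors' note: the code below runs the blockwise BKW-style combination for the case $u = 0$, which is the case that yields a vector of $L(A)$. Each sample carries its coefficient vector (which columns of $A$ it is a $\pm 1$-combination of), so the final $x \in L(A)$ is explicit, $Ax \equiv 0 \pmod q$ can be checked directly, and the multiset sizes $|S_i|$ can be compared against the $m - iq^b$ of property (2). The matrix $A$ is a constructed random instance with a fixed seed, and the parameters ($n = 6$ split into $a = 3$ groups of $b = 2$, $q = 5$, $m = \lceil (a + n + \ln(aq^b))\,q^b \rceil$) are toy values chosen to run instantly; the function names are this example's own.

```python
"""Added example (not the note's own code): BKW-style short vector in an
Ajtai lattice L(A) = { x in Z^m : A x = 0 (mod q) } for the case u = 0.
Toy parameters are constructed here for illustration."""
import math
import random


def make_instance(n, m, q, seed=0):
    """Constructed input: a uniformly random n x m matrix A over Z_q (list of rows)."""
    rng = random.Random(seed)
    return [[rng.randrange(q) for _ in range(m)] for _ in range(n)]


def in_lattice(A, x, q):
    """True iff x is a nonzero integer vector with A x = 0 (mod q), i.e. x in L(A)."""
    if all(c == 0 for c in x):
        return False
    return all(sum(row[j] * x[j] for j in range(len(x))) % q == 0 for row in A)


def bkw_short_vector(A, q, a, b):
    """Build S_0, ..., S_a for u = 0 (combination v - r^alpha zeroes group i).

    Returns (x, sizes): x is the shortest nonzero coefficient vector found in
    S_a (so A x = 0 mod q, and x is a +-1-combination of at most 2**a columns,
    hence ||x||_1 <= 2**a); sizes[i] = |S_i|, which equals m - i*q**b exactly
    when every class S^alpha_{i-1} was non-empty (the w.h.p. event of the note).
    """
    n, m = len(A), len(A[0])
    assert n == a * b, "the n coordinates must split into a groups of b"
    # S_0: the columns of A, each tagged with its coefficient vector {column: coeff}.
    samples = [(tuple(A[i][j] for i in range(n)), {j: 1}) for j in range(m)]
    sizes = [len(samples)]
    for i in range(a):
        lo, hi = i * b, (i + 1) * b                 # coordinates of group i+1
        classes = {}                                # alpha -> S^alpha_i
        for vec, coef in samples:
            classes.setdefault(vec[lo:hi], []).append((vec, coef))
        nxt = []
        for members in classes.values():
            rep_vec, rep_coef = members[0]          # representative, thrown out
            for vec, coef in members[1:]:
                # v - r^alpha is 0 on groups 1..i+1 and stays uniform on the rest.
                new_vec = tuple((x - y) % q for x, y in zip(vec, rep_vec))
                new_coef = dict(coef)
                for col, c in rep_coef.items():
                    new_coef[col] = new_coef.get(col, 0) - c
                    if new_coef[col] == 0:
                        del new_coef[col]
                nxt.append((new_vec, new_coef))
        samples = nxt
        sizes.append(len(samples))
    best = None
    for vec, coef in samples:
        assert all(c == 0 for c in vec)             # every group has been zeroed
        if coef and (best is None or
                     sum(c * c for c in coef.values()) < sum(c * c for c in best.values())):
            best = coef
    if best is None:
        return None, sizes
    x = [0] * m
    for col, c in best.items():
        x[col] = c
    return x, sizes


def demo():
    """Toy parameters: n = 6 split into a = 3 groups of b = 2, q = 5, and
    m = (a + n + ln(a q^b)) q^b samples as in the note (rounded up)."""
    n, q, a, b = 6, 5, 3, 2
    m = math.ceil((a + n + math.log(a * q ** b)) * q ** b)
    A = make_instance(n, m, q, seed=7)
    x, sizes = bkw_short_vector(A, q, a, b)
    return A, x, sizes, m


if __name__ == "__main__":
    A, x, sizes, m = demo()
    print("m =", m, "|S_i| =", sizes, "expected", [m - i * 25 for i in range(4)])
    print("nonzero entries of x:", {j: c for j, c in enumerate(x) if c})
    print("A x = 0 mod 5:", in_lattice(A, x, 5))
```

The representative of each class is discarded rather than combined with itself, exactly as in the proof, so every element of $S_i$ is built from a distinct $v$ and the coefficient vectors never collapse to zero. Because the combination is a subtraction, the coefficient tags stay small: the $\ell_1$ norm of $x$ is at most $2^a$, which is what the check below uses; the sizes $|S_i|$ drop by exactly $q^b$ per stage whenever every class was hit, and fall short of that only in the $e^{-n}$-probability event the analysis bounds.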