On the Complexity of Computing
Short Linearly Independent Vectors
and
Short Bases in a Lattice
Johannes
BlGmer* and Jean-Pierre
Seifert*
for nice expositions). More precisely, for every n E N,
Ajtai defined a natural class A, of lattices, such that in
polynomial time a random lattice in A, can be generated. He proved the following theorem
Abstract
Motivated by Ajtai’s worst-case to average-case reduction for lattice problems, we study the complexity of
computing short linearly independent vectors (short basis) in a lattice. We show that approximating the length
of a shortest set of linearly independent vectors (shortest basis) within any constant factor is NP-hard. Under
the assumption that problems in NP cannot be solved
in DTIME(n p”‘y’og(n)) we show that no polynomial time
algorithm can approximate the length of a shortest set
of linearly independent vectors (shortest basis) within
a factor of 2’“g’-‘(“), E > 0 arbitrary, but fixed. Finally,
we obtain results on the limits of non-approximability
for computing short linearly independent vectors (short
basis). Our strongest result in this direction states that
under reasonable complexity-theoretic
assumptions, approximating the length of a shortest set of linearly independent vectors (shortest basis) within a factor of
n/a
is not NP-hard.
Theorem (Ajtai [Al]). Assume there is D probabilistic
polynomial time algorithm A that, for a uniformly chosen lattice from the class A,, finds a non-zero vector v
of length at most n. Then there is ~1probabilistic polynomial time algorithm B that, for any given lattice L C R”
and for some constants Q, q, ~2, with high probability
will solve either one of the following three problems.
SIVP(SHORTESTINDEPENDENTVECTORSPROBLEM)
Find n linearly independent vectors ~1,.
, v, in
L, whose length is up to some factor of n=o, smallest possible. Here the length of ~1set of vectors is
defined as mw<i<n
Ilvill.
SBP (SHORTEST
BASIS
PROBLEM)
Find (I basis [b,,.
,b,] for the lattice L, whose
length is up to some factor oJnC’ smallest possible.
The length of a basis is defined as max~<i5, Ilbill.
Key Words. Algorithmic
geometry of numbers, lattices, worst-case complexity, average-case complexity,
shortest lattice basis, shortest vector, closest vector,
hardness of approximations.
SVP(SHORTESTVECTOR
1
Find the length of a shortest non-xro
within a factor of ncz.
Introduction
Recently, interest in the geometry of numbers has increased due to Ajtai’s discovery of the connection between the average-case complexity and the worst-case
complexity of some lattice problems (see [A31 and [GGH]
PROBLEM)
vector in L
Improving upon Ajtai’s original values, Cai/Nerurkar
[CN] and Cai [Cal], showed that we may take any ~0 >
3,~ > 3.5, and c2 > 4. Based on the theorem and assuming that either one of the three problems SIVP, SW,
or SVP is hard to approximate within the appropriate
factors, Ajtai also showed how to construct a one-way
function.
These results clearly raise the question, how difficult the above mentioned lattice problems are. At the
time of Ajtai’s discovery none of these problems was
known to be NP-complete. For all three problems the
best polynomial time approximation algorithm is based
711
on the L3-algorithm (see for example [L]). The algorithms achieve approximation factors that are exponential in the dimension of the lattice. After Ajtai’s discovery most effort to prove hardness results for SIVP, SBP,
or SVP has been directed towards the problem SVP.
This is due to the importance of SVP in other areas of
computer science, its connection to cryptography as evidenced by the Ajtai/Dwork
cryptosystem [AD], and due
to its long history. It is also important to note that computing short vectors in a random lattice chosen from A,
cannot be difficult, unless computing a shortest vector
in a lattice is difficult in the worst-case. Currently, the
best hardness result for SVP is due to Micciancio [Ml.
Building on work of Ajtai [AZ], Micciancio proved that
approximating the length of a shortest vector within a
factor of zz fi is NP-hard under randomized reductions.
If combined with Ajtai’s theorem, this hardness result for approximating the length of a shortest vector
is still far from providing a reduction from a provably
worst-case difficult problem to an average-case problem.
Moreover, we have reason to believe that such a reduction cannot be achieved if one works with the problem
SVP. Let us elaborate this a little bit further. In Ajtai’s proof as well as in the subsequent improvements
by Cai/Nerurkar and Cai, the problem SIVP is directly
reduced to the problem SVP in a random instance of
A,. The algorithms for SBP and SVP are obtained from
the algorithm for SIVP by invoking general results from
the geometry of numbers. In particular, the only known
technique to obtain an algorithm for SVP from an algorithm for SIVP uses so-called transference theorems
[Ba,Cal]. These theorems relate a lattice and its socalled dual lattice. Examples of Conway and Thompson (see [MH]) show that using these theorems the best
we can hope for is to transfer an approximation algcrithm for SIVP with approximation factor f(n) into an
approximation algorithm for SVP with approximation
factor 11. f(n). Putting it another way, using transference theorems it is impossible to prove Ajtai’s theorem
for any Q < 1. On the other hand, Goldreich and Goldwmser [GG] show that SVP is probably not hard for
the approximation
factor dm.
Hence, a provable worst-case to average-case reduction based on Ajtai’s theorem and on the difficulty of SVP is not to be
expected.
Having said all this, it teems to be natural to study
the complexity of problems SIVP and SBP. This is the
purpose of this paper. Although the results we obtain
are far from establishing hardness results for these problems that are close to the hardness results required by
Ajtai’s theorem, our results are much stronger than the
known non-approximability
results for SVP. In particular, we first show that for every constant C, solving
SIVP or SBP within a factor of C is NP-hard. Using the
widely accepted assumption that problems in NP can-
not be solved in DTIME(nPn’y’og(n)), we also rule out
polynomial time algorithms solving the problem SIVP
or SBP within a factor of 2”g1-‘(“), where e > 0 is wbitrwily small, but fixed. A result of this form is often
understood as providing evidence that the corresponding problem is in fact hard to approximate within a
factor nc for sxne c > 0 (see [AL]). We believe that
SIVP and SBP are hard to approximate within a polynomial factor, but the methods we use do not seem capable of proving such a result. We note that compared
to the methods in [A2,M] our constructions and proofs
are relatively simple. Our methods are variations of the
methods used in [ABSS,AL] for the closest vector problem.
We also generalize methods in [Ca2], [LLS] and [GG]
to obtain results on the limits of non-approximability
for the problems SIVP and SBP. We show that there are
constants c, d such that under Karp-reductions approximating SIVP and SBP factors of cn and dn, respectively
is not NP-hard unless NP = co-NP. This result is obtained by using the above mentioned transference theorems. Combining methods from [LLS] and [GG], we also
show that, under Karp-reductions, approximating SIVP
and SBP within a factor of n/m
is not NP-hard
unless the polynomial hierarchy collapses to its second
level. Therefore, it is unlikely that non-approximability
results as required by the current versions of Ajtai’s the
orem are achievable (see also [GG]). This leads to one
of the main questions this paper raises. We believe that
a hardness result for approximating SIVP within a factor of n’-‘, t > 0 arbitrary, may be possible. Hence, in
Ajtai’s theorem, can the approximation factor for SIVP
be improved to nl-‘, t > O?
The paper is organized as follows. In Section 2 we
state the main definitions. Section 3 contains an NPcompleteness proof for problems SIVP and SBP. The
construction presented there is fundamental for the nonapproximability
results in Section 4. In Section 5, we
present our results on the limits of non-approximability
for problems SfVP and SBP.
2
Definitions
R’” is the m-dimensional Euclidean real vector space
endowed with the Euclidean inner product (., .) on Iw”
and the Euclidean norm llvl/’ = Cz”=, v,’ for v E R”‘.
A lattice L is a discrete additive subgroup of Wm. Its
rank, denoted by rank(L), is the dimension of the I%
subspace span(L) that it spans. Each lattice L of rank
n has a basis, i.e., a sequence [bl,
, b,] of n elements
of L that generate L as an abelian group. For a lattice
L, v(L) is the smallest real number T such that there
are rank(L) linear independent vectors in L of length
at most T that generate L. The rCh successive minimum
Xi(L) of a lattice L is the smallest real number T such
712
that there are i linear independent vectors in L of length
at most r. Furthermore, k(x,L) is the Euclidean distance from x E X3”’ to the closest vector in L. It may
be tempting to assume that Xlank(~) = v(L). However,
in general v(L) is strictly larger than X,,,k(,) (see for
example [LLS]). In [CN] it is shown that
NO-inStanCe
are pairs (L,r) where L C Q” is a
lattice of rank n, T E R+ and v(L) > g(n) T
For later purposes we also need to define the following problems. Previous research on the complexity of
lattice problems has focused on these problems.
Definition
5. SHORTEST VECTOR PROBLEM (SW)
GIVEN:A lattice L G Q”’ of rank n and a positive number
TER
DECIDE: Whether there exist a non-zero vector v E L
with
llvll 5 T
Examples in ILLS] show that this is best possible.
An important and easily computable invariant of a
lattice is the deteminant
d&(L) of a lattice L. It is
defined by choosing any basis [bl,
, b,] for L and
then setting
6. The promise problem GAPSVP~ where g
is a gap function, is defined as follows:
Definition
YES-instances are pairs (L,r) where L C p
lattice of rank n, T E l& and Xl(L) < P
Minkowski’s classical theorems on successive minima
provide simple upper bounds for the values of Xi in term
of the determinant of a lattice (see [Cl).
In the following definitions we state some fundamental computational problems related to lattices. The purpose of this paper is to study the complexity of these
problems. We always assume that a lattice L is given by
a basis [bl,
, b,] generating L.
Definition
VECTORS
1. SHORTEST LINEARLY
PROBLEM (SIVP)
NO-instances are pairs (L,r) where L & CJ” is a
lattice of rank n, r E R+ and Xl(L) > g(n) T
Definition
7. CLOSEST VECTOR PROBLEM (CVP)
GIVEN: A lattice L 5 p
of rank n, a vector x E Q”
and a positive number T E lR
DECIDE: Whether there exist a vector v E L with
INDEPENDENT
IIX--yII 57
GIVEN:A lattice L c Q”’ of rank R and a positive number
TEW
DECIDE:Whether there are n linear independent vectors
VI,... ,v, E L with
Definition
6. The promise problem GAPCVP~ where g
is a gap function, is defined as follows:
are triples (L, x, r) where L C @’ is
a lattice of rank n, x E Q”’ and T E R+ satisfying
PL(X>L) 5 T
YES-iIx&rICes
No-instances
are triples (L, x, r) where L C Q”’ is
a lattice of rank n, x E v
and r E lR+ satisfying
P(X> L) > s(n) .T
Definition
2. SHORTEST BASIS PROBLEM (Sep)
GIVEN: A lattice L c p of rank n and a positive number
TEIR
DECIDE: Whether there are n linear independent vectors
bl,
, b, E L that generate L and
Strictly speaking, to obtain well-defined decision problems the bound T in the definitions above has to be a
rational number. In our constructions and proofs naturally these bounds are square roots of rational numbers. It is always straightforward
to resolve the problems caused by real numbers. To keep the notation simple, for the rest of the paper, we will ignore these problems.
Definition
3. The promise problem GAPSIVPS, where
g is a gap function, is defined as follows:
uEs-instances are pairs (L, T), where L C_Q” is a
lattice of rank n, r E R+ and X,(L) < r
3
L C Q” is a
lattice of rank n, T E lR+ and X,(L) > g(n) T
No-instances
are pairs
(L,r),
is a
where
SIVP and SBP are NP-complete
In this section we show that the problems SIVP and SBP
are NP-complete. We include these proofs to motivate
the proofs for the non-approximability
results of the
following section.
Definition
4. The promise problem GAPSBP~, where
g is a gap function, is defined as follows:
yes-instances are pairs (L,r) where L c Q” is a
lattice of rank n, T E R+ and v(L) < T
Theorem
p1ete.
713
1. The problems SIVP and SBP ore NP-con-
Proof. Both problems are in NP, since in polynomial
time we can decide whether
(i) n vectors vl,
For any lattice X,(L)
of CVP will be mapped
see that a ws-instance
YES-instance
of SBP let
ljvilj 5 v(L) 5 D. Note
a linear combination of
, v, are linearly independent.
(ii) A vector v is an element of a given lattice L [K2].
(iii) n vectors v,,
, v, are a basis for a given lattice
[W.
(V1,O)T ,... ,(V”,O)T,(W--V,D)T
To show that Srw is NP-hard we reduce CVP to SIVP.
Clearly, we can restrict ourselves to lattices L c Z”.
Let (L, Y, r) be an instance of CVP. To reduce the instance of CVP to an instance of SWP, let [b,,
, b,]
be a basis of L. First we choose a constant D such that
D > max{r, X,(L)}. By Minkowski’s theorem on successive minima we may take D = max{r+l,
[n”/‘det(L)l}
(This is the only place where we need integral lattices.).
Since d&(L) can be computed in polynomial time, D
can be computed in polynomial time. Let M be the lattice generated by the columns of the matrix
bl
o
5 u(L). Therefore a No-instance
onto a NO-instance
of SBP. To
of CVP will be mapped onto a
VI,.
, v, be a basis of L with
that (v, D)T can be written as
the vectors
b,
o
_.
v
D
1[
=
4
.‘.
6,
dn+l
1
, (v,, OJT, (w - v, -D)T
The reduction in the previous proof can also be used to
show the following result.
Corollary
1. Given an oracle that solves SWP or SBP
exactly, in polynomial time SVP and CVP can be solved
exactly.
D > max{ [n(“+‘)‘2
d&(L)],
11vll}.
By the arguments from the proof of Theorem 1 it is
not difficult to see, that for the lattice constructed in
Theorem 1 and for the values of D defined above, the
exact solution for problem S~VP or SBP is given by
dp(v, L)* + Oz. This proves the corollary for CVP.
The result for SVP follows from the former result for
CVP and the result in [CMSS] or [II] showing a reduction from SvP to Cw.
0
> VFTE
If cn+l = +I, say cn+, = -1, then Ilw,+, Ij > a.
Otherwise, II C:=, c<b: -VII < T, contradicting the fact
that (L, Y, r) is a No-instance of CVP.
To show that SBP is NP-complete we use the same
reduction. We only need to increase D slightly. In [CN]
it is shown that for any lattice L we have
The construction
used above cannot be used to transform approximation algorithms for SIVP to approximation algorithms for CVP. Because D 2 [n+
d&(L)], in
general D is not at all related to p(v,L) for v E Wm.
Every approximation algorithm for SIVP, if applied to
the construction
above, will produce an estimate for
~(v, L) that depends on D. This will not be a useful
approximation for fi(v, ~5).
However, to obtain non-approximability
results for
SIVP, we do not work with arbitrary
lattices. In fact,
non-approximability
results for CVP shown in [ABSS]
5 (d=ml@P”W
Hence by Minkowski’s theorem on successive minima
n(“+‘)/* det(L) is an upper bound on v(L). To reduce
CVP to SBP we use the construction from above with
D = max{r + 1, [&+1)‘2
are a basis for M. The length of these vectors is bounded
by a.
0
if we want to reduce CVP to SIVP. If we want to reduce
CVP to SBP, we choose
If Ic,+~ I 2 2, then
4)
,(-~nro)~,(~--,D)~
D > m={r~“/2det(L)1,11~111,
are n+l linearly independent vectors in M, whose length
is bounded by w.
Now assume that (L, v, r) is a No-instance of CVP.
Then any vector w E L satisfies 117~- VII > r. In every
set of n+l linearly independent vectors {m,.
,w”+,}
of M at least one vector must depend on d,,,, say,
IIw,+1II >_ VZF
(“1,0)~,...
Proof. The result for CVP follows by a reduction identical to the one used above. In particular, we will use
the sane lattice construction as in the proof of Theorem 1. Assume we want to compute the distance p(v, L)
from v E Iw” to the lattice L c R”‘. We will choose D
such that D is an upper bound for XlankcL) (or v(L))
and such that D is an upper bound for &v, L) as well.
Since ~(v, L) 5 llvll, we can choose
The instance of SIVP is defined by (M, m),
Assume first that (L, v, r) is a YES-instance
of CVP.
Then there is a vector w = C:=, cibi E L such that
IIw-vjI 5 T. By construction of D, the lattice L contains
n linearly independent vectors vl,.
, v, with llv;ll 5
X,(L) 5 D for all i. Hence
(~1 ,OjT,.
with integer coefficients. Hence the vectors
d&(L)]}.
714
and in [AL] rely on very special lattices. For these lattices L we have more precise information about the successive minima and about the distance ~(v, L) of a specific vector v to the lattice L. Exploiting this information allows us to use a variant of the construction from
above to obtain non-approximability results for SIVP
and SBP. Keeping these remarks in mind will help understanding the constructions and proofs of the following section.
4
Non-approximability
results
2. IV, 1 is the number
3. The biparlite graph of the
stance T(rp) is (3,5)-regular.
4. The number
The
1. L' c%~,~=SKIEI+~~V~I,K:=QIV~I
Wil
COVER
andn=
+ 1, and b: has < 25K
1,. ,YX
3.
oPtMJ.vLC(O> 9 IX I
==c. v’PE~\{Ol:~L(Pb~+l,L’)>~,~.
Moreouer, in the first cnse, there is a vector v’ E
L' such that bi,, - v’ has ezactly Iv,\ non-zero
coordinates.
In the second case, for all v’ E L’ and all @ E
%\{O}, the di~erence vector/1.b;+,
-v’ has more
than 9 IV, / non-zero coordinates.
Non-approximability
to within
Factor for SIVP and SBP
some
Constant
Based on the previous lemma we can show the following lemma, which is the key to our non-approximability
results for SIVP and SBP.
(MINLC)
A (dl, &-regular bipartite graph G, a set of
labels A = {l,
, N}, N E IV+, and for every edge e E
E a partial relation n, : A + A such that 17,-‘(l) # 0
for the distinguished label 1 E A
SOLUTION: A cover (Pl,Pz)
of G. The minimal cost for
an instance I will be denoted by optMINLC(I).
INSTANCE:
Lemma 3. There is a constant c > 1, (1 polynomialtime computable Junction s(.), and (1 polynomial-time
transJmnation
from MIN LABEL COVER to SIVP that
all instances I = (V,, V,, E, A) O~MIN LABEL COVER
generates a lattice L = L(bl,
, b,+,) with the Jollowing properties:
for
In the above definition we can always ensure the existence of a cover with cost at most IVIIN; simply let
Pz(uz) = A for all ~2 E V, and P,(Q) = A for all ~1 E
VI. Therefore, optu,&l)
5 N(VI(, for all instances I.
The following lemma is due to Arora and Lund [AL].
1. L c Zm,m =QK(E~+8~V~~+26K,K
n=8/v~~+cs/v2/.
2. b; E {0, l}m,i
Lemma 1. There is a constant g > 1 and a polynomialtime transformation 7 from ~-SAT to MIN LABEL CoVER such that for all instances
is 8.
+ Slv,l.
2. b; E {0, l}m,i = 1,.
,n
non-zero coordinates, i =
4.2
LABEL
T(P)
stances I = (h, V,, E,d) of MIN LABEL COVER genmates a lattice L' = L(b;,
, b’,) and a target vector
with
the
following
properties:
‘C+,
MIN LABEL COVER Problem
9. MIN
N of labels of the instance
Lemma 2. Let 9 be the constant from the previous lemma. There is a polynomial-time transformation from the
problem MIN LABEL
COVER
to CVP that for all in-
for SIVP and SBP
In the following G = (VI, V,, E) denotes a bipartite
graph, A a set of labels for the vertices in VI U Vz, and
& a partial relation fle : A -+ A describing the admissible pairs of labels for every edge e E E. We adapt the
notation of (AL,ABSS]. A labeling of G = (&,Vz,E)
is a pair (P1,P2) of functions Pi : V, --t ZA, i = 1,2,
assigning each vertex in Vi U V, a possibly empty set of
labels.
Let (PI ,P2) a labeling of G = (VI, V., E) and e =
(u~,LJz),IJ, E I’,, ~12E v,, an edge of G. We call e =
(u,,u~) covered iff PI(q) # 0, PZ(UZ) # 0 and for all
labels bz E P2(u2) there is a label bl E PI (~1) such that
II,
= ba. A labeling (Pl,P,) of G = (V,, Vz,E) is
called a cows of G iff every edge of G is covered by the
labeling (P,, Pz). The cost of a labeling (PI, Pz) for a
graph G = (6, Vz, E) is defined as
DeRnition
MIN LABEL COVER in-
The following lemma can be shown by combining results
from [AL] and [ABSS]. Due to space limitations, the
proof is omitted.
In this section we prove the non-approximability results
for SIVP and SEP. First we need to review results from
[AL] and [ABSS].
4.1
of clauses in 9.
= 1,.
,n+l,
non-zero entries, i = 1,.
3.
‘P we ham:
~PtMrNLCu)
715
and
andbi has 5 s(lV~l)’
, n.
Iv,1 *
S~IVII ==+
= 1
OPtMINLCv) >
:=9lV,l
‘4Wl)
bank(L)
5
1
Xrank(L)
>
coma.
4. Let M be the sublattice generated by [bl,.
, b,].
and
Then
OPtMrNLCv) = 1 Iv, I
>
=
,/g,jV,f+26K
c’ml),
for c =
4 1 + !&. This proves the lemma, except for
the last claims in 4. One easily goes through the proof
q
to check that even these stronger claims are true.
From Lemma 3 we can derive the first non-approximability results for Srw and SBP.
In the second case, for all v E M and all 0 E
Z \ {0}, the difierence vector 0. b,+, -Y has more
than cz s(lV, 1)’ non-zero coordinates.
Theorem 2. There is a constant c > 1 such that the
problems GAPSIVP,
and GAPSBP, are NP-hard.
Proof. The function s(lV~ I) is defined as
s(lvll) = ?/zFqq
Proof. Let c be the constant in Lemma 3. This lemma
together with Lemma 1 proves the theorem for GAPSIVP,.
For GAPSBP,we also want to apply Lemma 1. First
note that v(L) 2 Xrank(~). Hence, for optM,,,&)
>
g. IV1 I the reduction in Lemma 3 shows
= &zjiq.
Let b: be the vectors from Lemma 2. For i = 1,. , n
let bi be the vector obtained from b: by adding 26K co.
ordinates to bi, each coordinate being zero. b,+I is obtained from b’n+l by adding 26K coordinates to b;,, ,
each coordinate being 1. Let L be the lattice generated
by the vectors b,,
, b,,, and let M be the sublattice generated by the vectors bl,
, b,. 1 and 2 are
immediate from the construction.
To prove 3 and 4 note that in any vector 0. b,,l - v
with v E M and p E Z \ {0}, the last 26K coordinates
are 4. Since llb;ll* 5 25K,i = 1,. ,n,
/?(b,+I,M)
=
min p~~~o~
IIP.bn+l -
>
26.K>llbiJ2,i=l
44 > c wll).
For the case optMINLc(I) = IV, I, Lemma 3 shows
that p(b,,l, M) 5 s(lV,/). Let v E M = L(bl,.
, b,)
be a vector with llb,,+l - VII 5 s(lV~l). The vectors
h,... ,bn,bn+l - v are a basis for L. Since l/bill 5
p(b,+l, M) (see the proof of Lemma 3), we conclude
that in this caze v(L) < s(/V, I), and the theorem follows.
0
d*
4.3
,__., n.
Since
any set of rank(L) linearly independent vectors of L contains at least one vector v that depends on b,+l. That
is, in the representation of v as a linear combination
of the vectors bi, the coefficient in front of b,+, is a
non-zero integer. Hence we are able to conclude
Therefore
mi*
~‘(4.
*
bL+, , L(b;,...
SIVP and SBP within
To improve the hardness results of the previous section we will use again a technique from [ABSS]. The
technique is based on an iterative construction that will
gradually increase the constant c in Lemma 3. We will
now describe the first step of the iteration.
Given an instance I of MIN LABEL COVER, denote
by bl,
, b,+l the vectors from Lemma 3. In these
vectors replace each entry a by a block of m coordinates
equal to the vector a b,+l. Call these new vectors
w;, i = 1,. , n + 1. Let B be the (m x n)-matrix whose
columns are the vectors bl,
, b, and let B be the
rank(L) = rank(M) + 1,
OEZ\lO)
where b;,
, b;,,
same corollary
Hardness of Approximating
Large Factors
,b;))+P2.26K,
are as in Lemma 2. Thus, by the
~PtMINL.C(I) = 1 Iv, I
kanq.) 5 dbntl,
Ml
0
'..
5
lj
0
,/‘w
= s(lhI)
I
716
B,
and
where each B; is a cow of B. By Lemma 3 the length
of the column vectors-in B is at most s(Lv, I). Let L-be
the lattice generated by the columns of B and the xctars w;,i = 1,.
, n + 1. Similarly, M is the sublattice
generated by the same vectors except for w,,+,.
Consider the craze where the instance I of MIN LABEL COVER satisfies optMINx
= IV,l. By Lemma 3
we can subtract a suitable integer linear combination of
the vectors w;, e’ # rz + 1, from VI,+‘ to obtain a new
vector wy,+l, which has only s(lVlj)” non-zero blocks
consisting of copies of b,+l. By Lemma 3 the vectors
wi,i = 1,.
,n, also have at most s(\Vlj)*
non-zero
blocks consisting of copies of b,,l.
For all IV; by subtracting suitable linear combinations of the columns of B we can eliminate all but
s(jV, I)* non-zero entries in the blocks consisting of a
copy of b,+l. Hence we can replace the vectors wi, i =
l,...,n+l,byvectorsvisuchthat
Xwmk(L)r4)> c2‘swllY.
Hence we have increased the gap c in Lemma 3 to c2 at
the expense of increasing the dimension of the Euclidean
space underlying the lattice from m to m2 and at the
expense of increasing the size of the generating set of
vectors of the lattice from n+l to n(m+l)+l.
Applying
the same construction once more, this time using wy,cl
to replace coordinates in the vectors w;, i = 1,. , n +
& and in the vectors corresponding to the columns of
B the gap c increases to c4. Iterating the construction
further we obtain
Lemma 4. Let n,m,c and the function s be the mme
OSin Lemma 3. Let e be an arbitrary integer. There is a
transfoormationthat given an instance I = (V,, V,, E, A)
of MIN LABEL COVER generates a lattice L with the
following properties:
1. L c .Z”, M = m”‘,rank(L)
OPtMrNLCv) = 1
We also conclude
2.
11knt1,M) 5 WI 1)‘.
+ 1)
IV1I 2(
==+ &ank(L)i
4-l i m I)
Iv, I
==+ &a”k(L)r4) > 2’ ~4Kl)“‘.
~PGmxA~)
The vectors vi, i = 1,.
, n + 1, together with the columns of B are still a basis for the lattice L. To prove
this observe that replacing IV”+, by w,,+~ - v, v E ML
still gives a basis. Next observe that the columns of B
have not been changed. But then replacing w; by v;
still gives a basis. We conclude that in the case a cover
with cost IV,1 exists,
&d”k(L),4)
= n~~~~(m2’
> g
The wnning time of the transformation is polynomial
where \I( is the description size of I.
in IIf,
From this we obtain our final non-approximability
sults.
re-
Theorem 3.
I. For every jized constant C > 1 the
problems GAPSIVPC and CAPSBPC are NP-hard.
5 ew.
Next we consider the case where the instance I of
MIN LABEL COVER satisfies optMIN&I)
> g/K/. Note
that the vector w,+1 is the only vector in the basis for
L whose last coordinate is non-zero. Hence any linearly
independent set with rank(L) many elements, and in
particular, any basis of L, must contain a vector of the
form bw,,+l - v with p E Z \ {0) and Y E M. Assume
that a non-zero integer p and a vector v E M exist such
that
2 For every c > 0, there is no polynomial time oppproximation algorithm approximating Arank
or
v(L) within a factor of Z’“g’-‘(‘a”*(L)) unless NP C_
DTIME(,zP~‘Y’~~(*)).
Proof. To prove the first statement we use Lemma 1
and Lemma 4 with
e = log log,(C)
IID Wn+l - VII 5 c2 s(lv, I)“.
Since c and C are constant, so is loglog,(
Hence the
overall reduction from S-SAT to GAPSIVP~ and GAPsBPc
is polynomial time.
To prove the second statement we can use the same
reasoning as in [ABSS]. Let ‘p be an instance of S-SAT.
By I’pI denote the size of this instance. Applying the
transformation in Lemma 1 we obtain an instance I of
MIN LABEL COVER with size 111= I&)@). Applying
the transformation in Lemma 4 with I? = f?((qj) such
that 2’(1vl) = logO(lipl) for some 0, we obtain a lattice
L with rank
This implies that the number of non-zero coordinates in
/3.w,+, --v is bounded by c”.~(lV,\)~. Then either there
is a non-zero block in p w,,+, consisting of a copy a
b,+t , in whichi_by subtracting a suitable combination
of columns of B, the number of non-zero coordinates
can be reduced below c* s(IV,I)~. Or by subtracting
a suitable combination of the vectors w;, i = 1,. ,n,
the number of non-zero blocks in xv,+, can be reduced
below cz s(lV, I)‘. Both cases contradict Lemma 3. So
we may conclude, that in this case for every p E Z \ {0},
717
The running time of the transformation
mial in 2°(‘og8+1(1~/)). We also have
is polyno-
[Cal]. To state these theorems we need the dual of a
lattice. Let L be a lattice in I+‘” with basis [bl,
, b,].
The dual lattice L* is the set of all vectors v* E Iwb, +
+ Iwb, that satisfy (v’, v) E Z for all v E L. The-set
L’ is also a lattice. If b;,
, b; are defined by
‘p satisfiable
==+
L3”,(,),4J
i wl/)‘“~a(‘~‘)
‘p not satisfiable
==+ A,,“,(,), Y(L) > c’ogB(IpI) s(lv, @(l~l),
The gap between satisfiable and non-satisfiable
‘p of S-SAT is
(b;, b;) =
instances
However, we have to measure this in terms of the rank
R of the lattice L. With respect to R the gap is
1. 1 5 x1 (L’)
X,(L) 5 c n.
2. 1 5 XI (L’)
Y(L) 5 d n.
for ev-
From this we obtain our first set of results on the limits
of non-approximability.
p/(p + 1) > 1 - fz.
Theorem 6. GAPSIVP,, and GAPSBP~, are in NP n
co-NP, where the constants c,d are as in the preuious
Then an approximation algorithm for XrankcL) or v(L)
with approximation factor 2’0g’-‘(‘a”k(L)) can be used
to distinguish between satisfiable and non-satisfiable instances ‘p of S-SAT. The theorem follows since we apply
the algorithm to a lattice L whose overall description
0
size is bounded by 2’(“ga+‘(l~l)).
theorem.
Proof. Both problems are in NP. Next we show that
GAPSIVP,, E co-NP. Using the first part of Theorem 5
one sees that for a YES-instance (L,r) of GAPSIVP,,
we have AI
2 l/r. On the other hand, for a NOinstance we obtain X,(L*) < I/T. Hence we obtain a
non-deterministic algorithm accepting only No-instances
of GAPSIVP,,, by guessing a vector v E L’ and accepting instance (L, T) iff llvll < l/r. The result for
GAPSBP~, follows similarly using the second part of
0
Theorem 5.
Recently we have been able to improve the theorem
above. Based on the inapproximability
results in [DKS]
and a new gap-preserving reduction of CVP to SIVP and
SBP we obtain the following theorem.
Theorem
then [b;,
, b,?,] is a basis of L’. It is called the basis
dual to [bl,
, b,].
The first part of the following theorem is due to Banaszcyk [Ba]. The second part is due to Cai [Cal],
Theorem
5. There are constants c, d sucht that
cry lattice L with rank(L) = 11
since log(R) = O(log’+‘(lipl)).
Now let E > 0. Choose 0 such that
problems
1 ifi+j=n+l
0 otherwise
4. There is a constant c < 1 such that the
GAPSIVP,r,,+s+j
and GAPSBP,c, ,og,o‘(n) are
NP-hard.
To prove our second set of results on the limits of nonapproximability
of SIVP and SBP we need a few definitions from the geometry of numbers. Given a lattice L in
R”’ with basis [bl,.
, b,], by [bl,.
, bjJ we denote
the Gram-Schmidt orthogonalization of h,
, b,] by
A proof of this theorem will be given in the full paper.
5
Limits of Non-Approximability
for SOP and SBP
In this section we first show that there exist constants
and GAP&P,+, are in NP n
co-NP. Combining results from [LLS] and [GG] we also
and CAPSBP
show that GAPSIVP
4O(&ii5)
40(&m
are in NP n cc-AM. The first result implies that under
Karp-reductions GAPSIVP,, and GAPSBP~, are not NPhard unless NP = co-NP. Again under Karp-reductions,
the second result implies that GAPSIVP
and
~/0(&m)
GAPSBP
are not NP-hard unless the polyne
axrn)
mial hierarchy collapses to its second level. For a thorough discussion of the complexity-theoretic
implications
of these results we refer to [GG].
To prove the first results we will use so-called transference theorems shown by Banaszcyk [Ba] and Cai
i--l
c,d such that GAPSIVP,,
b!=b;-~~Lijbj
j=1
forl<i<n,
with
forl<j<i<n
A basis [bl ,
, b,] is called weakly reduced iff 1~~~1 <
l/2 for 1 5 j < i 5 n. By replacing b; by b; mjbj, 1 I j < i 5 n for suitable integers mij every
basis can be transformed into a weakly reduced basis
ILL
718
For a lattice L in R”’ with basis [bl,.
define for 1 5 i 5 n the lattices
L(“-‘+‘)
basis of L and that maxi[lb;ll
> JSis(n)r. Then the
verifier computes the lattices L(“-‘+‘I, i = n,
, 1. For
i = 1,.
, n in parallel, the AM-protocol in (GG] for the
problem CO-GAPSVP~is used for (L(“-‘+‘), //bfl//g(n)).
The verifier accepts iff all these protocols lead to acceptance. Note that this is an MAM-protocol, but any
MAM-protocol can be transformed into an AM-protocol
,bn], we
d?f
- G(L),
where
PI.
denotes the orthogonal projection onto the orthogonal
complement of lwbl f.. .+!Rbi_l. L(“-‘+‘I is a lattice of
rank n-i
+ 1 with basis [x;(bg),
,R;(b”)]. In terms
of the Gram-Schmidt orthogonalization
we have
First let (L,r) be No-instance of GAPSIVP~~. By
sending a HKZ-basis [bt ,
, b,] of L the prover can
ensure that b! is a shortest vector in L(“-‘+‘I
Hence for
i = 1,. , n the verifier in the [GG]-protocol will accept
(L(“-“+‘), Ilbill/g(n))
with probability 1. Therefore, the
verifier in the protocol for CO-GAPSIVP~ will accept the
instance (L,T) with probability 1.
Now let (L,r) be a YES-instance of GAPSIVP~~. Assume that the vectors b, ,
, b, are a weakly-reduced
basis and satisfy maxi llbill > fig(n)v.
Since (L,r) is
a uw-instance, X,(L) 5 T. By Theorem 7, [b,,
, b,]
cannot be an g-approximate HKZ-basis of L. Hence there
is at least one i E { 1,
, n} such that the length of a
shortest vector in L(“-“f’)
is at most Ilblll/g(n).
By
the analysis in (GG], running the co-AM-protocol for
GAPSVP~ for this i, the verifier will accept the instance
(L(“-“f’),
llbll//g(n))
with probability at most l-n-*‘.
Hence the verifier will accept the input (L, r) with probability at most 1 - nFZc.
Since X,(L) 5 v(L) and since in the AM-protocol for
CO-GAPSIVP~~ described above the verifier checks that
Zhe vectors b,,
, b, sent by the prover form a basis,
we see that the sxne protocol is also an AM-protocol
0
for CO-GAPSBPfig.
and particularly
?r<(b;) = b;.
Definition
10. A basis [bl,.
,b,]
called a HKZ-basis (Hermite, Korkin,
(9 [la,...
of a lattice L is
Zolotarev) iff
, b,] is weakly reduced.
(ii) bf is a shortest non-zero vector in L(“-‘+‘),i
l,... ,n.
For a function 9 : N + R+ , a basis [bl ,
an g-approximate HKZ-basis of L iff
(9 [bl,
=
, b,J is called
, b”] is weakly reduced.
(ii) bf is within a factor of g(n) a shortest non-zero
vector in Len-“+‘), i = 1,. ,n.
Every lattice has a HKZ-basis of polynomial size. The
following crucial fact about HKZ-bases is an easy extension of a result in [LLS] and, using different notation, it
was proved in IL].
6
We combine this result with the technique in [GG] to
obtain the following theorem.
CAPSBP
8. The problems GAPSIVPnIOc~,
nmt/Gm
and Open Problems
The main open problem this paper raises is: What is
the complexity of computing short linearly independent
vectors and bases in a lattice? Is there some constant
c > Osuch that GAPSIVP,e and GAP&P,.
are NP-hard?
It is widely believed that any problem that is hard to approximate within a factor of 2’0~1-‘(“) actually is hard to
approximate within some polynomial factor (see [AL]).
Currently, a proof for this general statement seems to
be out of reach.
We were not able to generalize the known results on
the limits of non-approximability
of CVP to SIVP and
SEP. Instead our bounds are worse by a factor of 6.
That opens up the possibility that SIVP and SBP are
strictly harder than CVP or SVP. The current picture
is somewhat mixed. On the one hand, we have reductions that reduce the exact versions of SVP and CVP
to exact versions of SIVP and SEP. No such reductions
are known for the opposite direction. However, for the
corresponding approximate versions the situation is different. We have reductions of approximate versions of
Theorem
7. Let [b,,
, b,] be on g-approximate HKZbasis of the lattice L. Then
Theorem
Conclusions
and
are in NP n co-AM.
Proof. For fixed but arbitrary c > 0, let g(.) denote the
function from N to R+ , defined by g(1) = 1 and g(n) =
,/m,n
> 1. Hence n/m
= &g(n).
We
describe an AM-protocol for CC-GAPSIVP~~
based on
the AM-protocol for CO-GAPSVP~in [CC]. The protocol
is a.3follows.
Given an instance (L,r) of GAPSIVPJ~~~, first the
prover sends vectors bl,
, b, to the verifier. The verifier checks that these vectors form a weakly reduced
719
SIVP and SBP to an approximate version of SVP with
a loss of fi in the approximation factor (Theorem 7
and see [LLS]). These reductions actually compute a
relatively short basis, for example. For reductions of an
approximate version of SVP to approximate versions of
S~VP and SBP the corresponding loss in the approximation factor is n. This is based on Theorem 5 [Ba,Cal].
Moreover, in this case, we only get a numerical estimate for the length of a shortest vector, we do not get a
relatively short vector. In general, no such reduction is
known for an approximate version of CVP. It would be
nice to have a clearer picture of the relationship between
the various lattice problems.
[Ca2] J. Y. Cai, “A relation of primal-dual lattices and
the complexity of shortest lattice vector problem”,
Theoretical Computer Science Vol. 207, pp. 105-116,
1998.
[CN] J. Y. Cai, A. P. Nerurkar, “An Improved WorstCase to Average-Case Reduction for Lattice Problems”, Proc. 38th Symposium on Foundations
of
Computer Science 1997, pp. 468-477.
[DKS] I. Dinur, G. Kindler, S. Safra, “Approximating CVP to Within Almost-Polynomial
Factors is
NP-Hard”, Proc. 39th Symposium on Foundations of
Computer Science, pp. 99-109, 1998.
[GG] 0. Goldreich, S. Goldwasser, “On the Limits of Non-Approximability
of Lattice Problems”,
Proc. 30th Symposium on Theory of Computing
1998,
pp. 1-9.
References
Al] M. Ajtai, “Generating Hard Instances of Lattice Problems”, Proc. 28th Symposium on Theory of
Computing 1996, pp. 99-108.
[GGH] 0. Goldreich, S. Goldwassec, and S. H&vi,
“Collision-Free
Hashing from Lattice Problems”,
Electronic Colloquium on Computational
Complexity,
TR96-042, 1996.
A2] M. Ajtai, “The Shortest Vector Problem is NPHard for Randomized Reductions”, Proc. 30th Symposium on Theory of Computing
1998, pp. 10-19.
[GMSS] 0. Goldreich, D. Micciancio, S. S&a, J.-P.
Seifert, “Approximating
shortest lattice vectors is not
harder than approximating
closest lattice vectors”,
A3] M. Ajtti,
Complexity
“Worst-Case Complexity, Average-Case
and Lattice Problems”, Proc. Interna1998, Vol. III,
tional Congress of Mathematicians
pp. 421-428.
Electronic
[Kl] R. Kannan, “Minkowski’s Convex Body Theorem
and Integer Programming”,
Mathematics
of Operations Research Vol. 12, No. 3, pp. 415-440, 1987.
[K2] R. Kmnan,
“Trading
Group
Theory
on Theory
“Algorithmic Geometry of Numbers”,
Science Vol. 2, pp. 231.267,1987.
Ann. Reu. Comput.
[AL] S. Arora, C. Lund, “Hardness of Approximations”,
Algorithms
in D. S. Hochbaum (ed.), Approximation
for NP-Hard Problems, PWS Publishing, 1997.
Proc. 17th Symposium
Complezity,
[H] M. Henk, “Note on shortest and nearest lattice
vectors”, Infomation
Processing
Letters
Vol. 61,
pp. 183.188, 1997.
[AD] M. Ajtti, C. Dwork “A Public-Key Cryptosystern with Worst-Case/Average-Case
Equivalence”,
Proc. 29th Symposium on Theory of Computing 1997,
pp. 284-293.
ness”,
on Computational
TR99-002. 1999.
[ABSS] S. Arora, L. Babai, J. Stern, Z. Sweedyk, “The
Hardness of Approximate Optima in Lattices, Codes,
and Systems of Linear Equations”, Journal of Computer and System Sciences Vol. 54, pp. 317-331,1997.
[B] L. Babai,
Colloquium
[L] L. Lovasz, An Algorithmic
Theory of Graphs, Numhers and Convezity,
SIAM, 1986.
for Randomof Comput-
[LLS] J. Lagarias, H. W. Lenstra, C. P. Schnorr,
“Korkin-Zolotarev
Bases and Successive Minima of
a Lattice and its Reciprocal Lattice”, Combinatorics
Vol. 10, No. 4, pp. 333.348, 1990.
ing 1985, pp. 421.430.
[Ba] W. Banaszcyk, “New Bounds in Some Transference Theorems in the Geometry of Numbers”, Mathematische Annalen Vol. 296, pp. 625-635, 1993.
[M] D. Micciancio, “The Shortest Vector in a Lattice
is Hard to Approximate to within Some Constant”,
Proc. 39th Symposium
[C] J. W. S. Cassels, An Introduction
to the Geometry
of Numbers, Springer-Verlag, 1971.
on Foundations
of Computer
Science, pp. 92-98, 1998.
[MH] J. Milnor, D. Husemoller,
Forms, Springer-Verlag, 1973.
[Cal] J. Y. C&i, “A New Transference Theorem and Applications to Ajtai’s Connection Factor”, Electronic
Colloquium
on Computational
Complexity, TR98-05,
1998.
720
Symmetric
Bilinear