The Shortest Vector Problem in L2 is NP-hard for Randomized
Reductions.
Extended Abstract
Mikl6s Ajtai
IBM Almaden ResearchCenter
SanJose,CA 95120
email: [email protected]
Abstract. We show that the shortestvector problem in
lattices with La norm is NP-hard for randomized reductions. Moreover we also show that there is an absoluteconstant E > 0 so that to find a vector which is longer than
the shortest non-zero vector by no more than a factor of
1 + 2’** (with respectto the Es norm) is also NP-hard for
randomized reductions. The correspondingdecision problem is NP-complete for randomizedreductions.
1. Introduction. A lattice in R* is the set of all integer linear combinationsof It fixed linearly independentvectors. T’he question of finding the shortest non-zero vector
in a lattice with repsectto the L, norm was proved to be
NP-hard by Van Emde Boas. However the corresponding problem for the Lz norm (or any other &norms for
1 5 p < OD)remained unsolved. Van Emde Boas conjectured almost twenty years ago (cf. [vEB]) that the L2
shortest vector problem for lattices in Z* is NP-hard and
the correspondingdecision problem is NP-complete.
The cr-approximateversion of the problem is the following: find a non-zerovector 11in the lattice 1; so that its length
is at most~1]vc]]where~0 is a shortestnon-zerovector of the
lattice. It has beenshown by J. Lagarias, H.W Lens&aand,
C. I? Schnorr (cf. [LLS]) that if the cr-appro,ximateproblem
is NP-hard for any Q > nl*a (where n is the dimension of
the lattice) than NP = co - NP. According to recent a
result of 0. Goldreich and S. Goldwasserit is unlikeley that
the a-approximation problem is NP-hard evenfor Q:= $,
since this problem is in NP tl coAM (see [GG]).
In this paperwe show that the shortestvector problem is
NP-hard for randomizedreductions.That is, thereis a probabilistic Turing-machine which in polynomial time reduces
any problem in NP to instancesof the shortestvector problem. In other words this probabilistic ‘Ruing machine can
solve in polynomial time any problem in NP, provided that
it can use an oracle which returns the solution of the shortest vector problem if an instanceof it presented(by giving a
basisof the correspondinglattice). We prove the sameresult
about the 1 + 2-*’ -approximate problem where E > 0 is n
sufficiently small absoluteconstantandn is the dimensionot
the lattice. (Recently J.-Y. Cai and A. Nerurkar has shown,
with a modification of the proof presenetedin this paper,that
the factor 1-k 2~*’ can be improved to 1 + It+ (see[CNJ)).
Adleman proved in 1995 (see [Adl]) that factoring integerscanbe reducedto the shortestvector problem in random
polynomial time, using somevery reasonablebut unproved
assumptions.The work of the present paper has startedas
an attemptto give a proof of Adleman’s theoremwithout the
unprovenassumptions.
Adleman has defined a lattice for his proof, using the
logarithms of primes. This lattice plays a crucial role in our
proof as well. Actually we use a modified and extendedvcrsion of the original lattice. Adleman has used his lattice to
factor the integer n. By finding a short vector in the lattice it
is possibleto find supersmoothcongruencesmodulo n,- that
is, different products of primes (not greater than a polynomial of log n) which are congruentmodulo n.
p, be the first m prime numbers,where m is
~tn,...,
polynomial in log n. Adleman has defined a lattice V whose
basis vectors are rational approximationsof the rows of the
following matrix:
d&z
..
il
(
0
...
*.
. . . ‘/‘F
...
0
M 101~~1
..
h&gp,
Mlogn
1
The number M is defined so that it balancesthe contribution of the last component to the norm against the contribution of all of the others. The essentialproperty of the
lattice V is that if the length of the shortest non-zero vector v is below a certain bound and its coefficients in the
given basis are 71, ....~.,,+l and P = n{py I ^/t 2 0},
Q = n(pT I ^/i < 0) then logn+ CE1 logpi is closeto 0,
10
The original motivation for the definition of L was the
following. We try to factor the integer w. Let us pick a random residueclassd modulo w (which is generatedas a random a product of random powers of the primes pl, .... pm.)
After that, we take a representativeb of appropriatesize (a
constantpower of w) from the residue class of d. The important point is that b does not give any information about
which representationof d (as a product of small primes) is
known to us. Then, by finding a short vector in the lattice,
we could get a congruenceb s nE”=, pp’ (mod w). By
taking enoughdifferent numbersb we could get enoughcongruencesto factor w. The problematicandstill not completed
part of this direct reduction of factoring to the shortestvector
problem,is to guaranteethat for a b generatedby this distribution therewill be a good numberin the arthmetic sequence
b + kw, 1 = 0, fl, .... f[bc]. While trying to fill this gap in
the proof we noticed that there is another distribution for b
where it can be proved easily that with a probability of at
least 4 there are always good numbersin the given segment
of the arithmetic sequence. Namely b will be the product
of h distinct elementsof the set (PI, . . ..p.,,}, for a suitably
chosenfixed h, with uniform distribtuion on the set of all
products with this property. (In this casethe number b reveals its known expressionas the product of small primes,
so we cannotgauranteethat we get enoughindependentcongruencesfor factoring.) However, for this distribution, we
havethat with a probability of at least 4, the lattice L hasan
exponentialnumberof vectorstl with ~~u~~2
< log b + n”.
that is TZ~is close to 1 and thereforea = nP - Q is so small
that all of its prime factors are among pl, ,,.,p,. Therefore from sucha small vector we get a congruencemodule n
amongthe productsof small primes. (An unprovedassumption, formulated in a different more natural way, guarantees
thnt the shortestvector is really below the given bound.)
F’orthe motivation of the defintion of our extendedlattice
we note that if n is squarefree andof the form n = nE”=,p?
then (with the right choice of M) (-71, .... -TV, 1) will be
a very short vector in the lattice. Of course this does not
help much becausein this casewe can find 71, .... 7m easily
without using the lattice, We add a new basis vector to the
lnttice in a way that evenif n haslarger prime factors,but one
of the numbersn-t Zw(w is a fixed intger 1 = 3~1,.... *[nl,
e > 0 ) is good, that is, it is squarefreeand of the form n +
Iw = n&#,
then thevector(-71, .... -“/m, 1,Z)isavery
short vector in the lattice. Actually we will be ableto this in a
way that the shortestvector must be of this form if thereis at
leastone good numberin the given segmentof the arithmetic
sequencen + lw. (We will prove that for a random choice
of n, with a suitable distribution, with a positive probability
thereis always at least 2”” good numbers.)
It may seemsurprising that the additive structureof the
arithmetic sequencen +lw fits in the multiplicativestructure
of numbersonly with small primes. The reasonis that n+Zw
can be very well approximatedby n( 1+ X)‘, so the structure
is approximately multiplicative. We may consider 1 + z as
a “new prime” and add the correspondingrow to the lattice.
Since finding the shortestvector in this extendedlattice
may be helpful in factoring w (and not n) we change the
notation somewhatin the following definition of the lattice
L, The dimension of the extendedlattice L is larger by one
than the dimension of V and we get it by essentiallyadding
a new basisvector to the lattice. More precisely the rows of
the following matrix will be the basisof the lattice .L:
t/E
:
i
.,.
‘. .
il
l
0
0..
.,
0
0,.
0
.
0
..
+-&i
B low1
B
0
0
w-”
At this point in the attemptedproof we haverealized that
the lattice L can be used to prove the NP-hardness of the
shortestvector problem (even in an approximatesense)for
randomizedreductions.Namely the lattice hasthe nice property that it hasa basiswhereall small vectorshave0,l coefficients only (with the exceptionof the last coefficient), moreoverthe numberof vectorsthat are small enoughto havethis
nice property is exponential (in the dimension of the lattice.)
This createsa possibility to reduce the subsetsum problem
to the shortestvector problem. (The NP-completeness of
the subsetsum problem was proved by Karp (see[K])). We
will look for a solution of the subset sum problem among
the coefficiemtsequencesof the short vectors. Although not
every 0,l sequencewill occur as a coefficient sequence,still
the numberof different 0,l coefficient sequencesis exponential in the size of the subsetsum problem. This will make it
possible to find the solution of the subsetsum problem embeddedin some way into a coefficient sequenceof a short
vector.We will be able to searchamongthesecoefficient sequencesfor a solution of the subsetsum problem, by embedding our lattice L into anotherlarger dimensionalEuclidean
spaceandthereforechangethe length of its vectors.According to this new (~52)norm every short vector will be short in
the original sensetoo, but they also have to satisfy someadditional requirements.By defining the embeddingin a suitable way this additional requirement can be that the coefficient sequence(in somemodified form) is a solution of the
kp, :
Blogb
’ T) I
B log(l+
As we will show, with the right choices for the various
parameters,this lattice will havethe following property:
Supposethat ~1, ..... urn+2are the rows of the given matrix and 21= Cgt2 yivi is a non-zero vector of the lattice generatedby ~1, .... urn+2 with +ym+l 3 0 and ~~~~~
5
(log b-1-w-l *, Thenv,+r = Lr1,..., -ymE (0, -1) andif
I
g=l-I,m=lPi r” theng = b+Zw for someI = 0,&l, .... rt[bc].
We show that the converseof this statementis also true, that
is, if g = b I- lw for someI = 0, fl, ..,, rt[bc] and g is of
the form describedabove then the correspondingvector is
shorter than (log b + w-l)+. It is also true that the length of
every nonzcro vector is at least (log b)*.
11
subsetsum problem. Therefore,by finding the shortestvector in the embeddedlattice (or one which is approximately
the shortest with an exponentially small error) we will be
able to solve the subsetsum problem.
the lattice whosebasisconsistsof the new longer rows), must
provide such a coefficient sequence+yi. Of course this is an
idealized situation, becausein general we do not get every
0,l sequenceof length m in the form of 71, ,.., y,n from a
short vector w. However combining this idea with the described generalizationof Sauer’stheorem we can conclude
the proof. (SeeLemma 2.2 and Corollary 2.2 for an exact
formulation of the related results. Corollary 2.1 is only included as an illustration basedon the simplified picture describedabove.)
We have describedthree parts of the proof, and as we
have said, the second one, the constructive annlogue of
Sauer’stheorem, is the most difficult in a technical sense.
Still we feel that the most difficult step in the proof was to
find the three different parts which together imply our main
result and not the proofs of the individual components.
Both the choice of the lattice L and the choice of the
sequenceCl, .... Ck which determinesthe lattice L’ is probabilistic. In the defintion of L we choose the number b at
random, with a given distribtuion, and we are able only to
provethat the lattice L hasthe required property with a probability greaterthan 8. (For the proof that L is good for every
choice of b we would needvery strong statementsabout the
uniformity of the distribution of numberswith small prime
factors.)The secondpart of the proof, the construction of L’
through Cl, .... Ck is also probabilistic. Still there is a possibility that a single sequence4, .... C& selectedat random
canbe replacedby a polynomial numberof deterministically
constructedsequencesso that for eachfixed subsetsumproblem at least one of them is good.
Remarks, 1. Adleman has defined the lattice V, so that
the coordinatesof the basisvectorsarerationals, they are approximations of the coordinatesof the rows of the first matrix. This way it is possibleto perform a computation whose
input is the lattice. We define the lattice L as a lattice in
Rm+2, that is, the coordinatesof the basis vectors can be
irrational. We will prove all the necessaryproperties of the
lattice L, and then show that L can be approximnted by a
lattice x C Qm+2 (that is, the basis vectors of E has rational coordiiates) and show that 1 still has the nice properties
of L that are neededfor the rest of the proof. Unfortunately
both approachescreatetechnical difficulties.
2. The lattice L has been originally defined for a completely different purpose than its final use in this paper.
Therefore it may easily happenthat other, perhapsin some
sensesimpler, lattices also have the properties that are required from L to completethe proof. In the next section we
collect these properties in Lemma 2.1. There are different
reasonswhich may motivate the searchfor such a lattice: to
make the proof deterministic; to improve the factor in the
approximationresult; to makethe proof simpler.
3. As we havedescribedabovewe breakdown the proof
into three different parts. We tried to makethe various parts
independent,so in eachpart we areusing aslittleinformation
from the other parts aspossible. E.g. we formulate what arc
As we mentionedabove, at somepoint in the proof, we
have to make a transition from an exponential number of
0, l-sequences(coefficient sequencesof short vectors),to all
0,l sequencesof a certain length, becauseotherwisewe cannot guaranteethat the solution of the subsetsum problem is
amongthem. As a model for such a transition we usea theorem of Sauerabout hypergraphs. (This theorem is related
to the notion of VC-dimension. We cannot use the theorem
itself in the proof becauseit is not constructiveenough,but
we give a constructiveanalogueof it, at leastin a probabilistic sense.) Sauer’stheorem (we give the exact statementin
the next section), statesthat if a set X is a set of subsets
of the set S and 1x1 is abovea certain bound dependingon
ISI and I: then there is a Y c X, IYl = 12so that every
subset of Y occurs among the sets Y rl 2, 2 E X. We
may think that S is the basisof the lattice (excluding the last
esceptional basis vector) and for each short vector w in the
lattice we have T, E X, where T, is the set of elementsof
S where the correspondingcoefficient of v is 1. (All of the
other coefficients are 0.) Therefore the theoremgaurantees
that there is a subsetY of the basisvectorswhere we get all
0, l-sequencesascoefficient sequencesof short vectors.We
may look for the solution of the subsetsum problem among
the 0, l-sequencesdefinedon Y. (Sauer’stheoremalso guaranteesthat IY I is large enough.) The only problem with this
approachis that we do not haveany methodwhich could find
such a Y in polynomial time. A randomchoice for Y is not
satisfactorybecauseX can be unevenly distributed in S. We
formulate an analogueof Sauer’stheorem where a random
Y is a good solution with a probability close to 1. Namely
insteadof taking a single subsetY we will take a sequence
of pair-wisedisjoint subsetsC = (C;, .... Ck) and for each
T E X we define a function f~(i) = ITrl Gil on {l, .... k}.
We show that if every elementof X is of the sameappropriate size, 1x1 contains sufficiently many setsand we take the
sequenceCl, .... Ck at random,then with a probability close
to one we get every 0,l functions on (1, .... k} in the form
of f~ for a suitable T E X. Theorem2.2 in the next section
is an esact formulation of this statement.The proof of this
theoremis the technically most difficult part of our paper.
There is a third part of the proof, the embeddingof L into
anotherEuclideanspacewhich definesa new norm on it. We
may think that we do this by simply adding new columns to
the matrix defining the lattice L. E.g. if we would want to
guaranteethat from a shortestvector v = CL”=, wvi we get
the solution of a subsetsum problem xzl ai~ci = b in the
form ai = ‘yi, i = 1, .... m, then we can add a last column
to the matrix whose elementsare -alK, .... -u&, bK, 0.
With the right choice of the number K we get that if there
is a solution of the subsetsum problem of the form xi = vi,
then the shortestvector in the extendedlattice 1;’ (that is in
12
the important properties of the lattice 1; and then use only
thesepropertiesin the other parts of the proof.
4, There arc many related problemsto the shortestvector problem, the nearestvector problem, the nearestcodeword problem etc. (for the definitions seee.g. [ABSS]). Van
Emdc Boas hasproved the NP-hardness of the nearestvector problem in all L,, norms 1 5 p 5 co. Arora, Babai,
Sternand Swecdyk(cf. [ABSS]), hasshown that evento approximate the nearestvector within a constantfactor is NPhard. A, Vardy has proved recently (cf. [Vl] or v2]) that
deciding whetherthereis a codewordwithin a given distance
ia NP-complete. More detailed information can be found
about theseand other related problemsin [ABSS] or yV2].
5, The motivation for proving that to find short vectors
in lattices is hard, in some sense,comespartly from cryptography. (See [Ajtl], [AD], [GGHl], [GGH2] ). There
arc cryptosystemswhosesecurity is basedon the assumtpion
that to lind short vectorsin lattices is computationally infeasiblc, Since these assumptionsimply the hardnessof even
an approximation of the shortest vector upto a polynomial
factor, we cannot really hope to prove their HP-hardness,
since, as WCnoted earlier, it would imply NP = co - NP,
nt least if the exponent is larger than .5. Still, the fact
that closely related lattice problems are NP-hard, makes
the hardnessassumptionsof the cryptographicsystemsmore
credible, Therefore it would be particularly important to improve the ar-approximateversion of our theoremby proving
it for greatervaluesof cI1.
2, The outline of the proof. In this section we break
down the proof of our main result (the theorembelow) into
csscntislly threedifferent lemmataand show how they imply
the theorem, (A full, detailed proof of eachlemma is given
in [Ajt2],)
Thcorcm 2.1, The shortestvectorproblem in 1;~ is NPhard for randomized reductions. Moreover there is an absolute constant E > 0 so that the (1 + 2+‘)-approximate
shortestvector problem is also NP-hard for randomizedreductions,
WCprove the NP-hardness (for randomizedreductions)
of the shortestvector problem. We get the approximateversion by minor modifications of the proof.
We will consider probabilistic ‘luring machinesthat are
using nn oracle which returns a solution of the shortestvector problem (in 1;~) if a lattice is presentedto the oracle
(representedby a basis), We will show that the subsetsum
problem can be solved in polynomial time by such a machine, Since the subset sum problem is known to be NPcomplete this will imply that the shortest vector problem
is NP-hard for probabilistic reductions. The subset sum
problem can be formulated in the following way: assume
that al , .,,, al, b arc integers, and we are Iooking for a solution of the equation &, ajai = b where ZENE (0,l)
for i = 1, .,,, t. We define the size of the problem as
logz(l6l + 1) + 1 + &, log2(larl + 1). We will not use
the subsetsum problem directly but we will use a special
caseof it, which is still NP-complete.
Definition.
The restricted subset sum problem.
Suppose that al , .... or, b are integers, max(log2(]bl -il), ma& log,(]ail + 1)) < l3 and we arelooking for a solution of the systemof equationsciZI ajz; = b, cf=, 2i =
[!J where zi E (0,l) for i = 1, .... 1. The size of the problem is P(l + 1).
It is easy to reduce the subset sum problem to the restrictedsubsetsumproblem, that is, the restrictedsubsetsum
problem is also NP-complete.
We will consider problems whose inputs are lattices
given in Q” where Q is the field of rational numbers. The
lattices will be presentedby a basis. So, to define the size of
the problem, we have to define the size of a basis.
Definitions. 1. If ~1, .... a, are linearly independent
vectors in Rm for some rn 2 n, then we call the set
{E"=,
cwi I QIl,..., Q~are integers3 a lattice. (Sometimes
thedefintion is given with the additional requirementrn = la.
Sincethe real subspacegeneratedby L can be isometrically
embeddedin Rm the two definitions are not essentially different.)
2. If r = t is a rational number, so that (p, Q) = 1,
then size(r) = log,(]pl + 1) + log,(lql -i- l), size(O) = 1.
If v = (r1 , ... . r,) E Q” then size(v) = Cy=‘=1size(ri).
If v1, .... vt is a sequenceof vectors then size(vl, .... vt) =
gzl size(vi).
3. ~~v~~
will denotethe La norm of the vector v unless it
is explicitly statedothenvise.
The motivation for the following lemmais to makesome
connectionbetweenthe shortestvector problem and the subset sumproblem. The essenceof the lemma is that that there
existsa lattice in Q” whereall of the nonzerovectorswhose
length does not exceeda certain limit has only 0,l coefficients in a fixed given basis, (with the possible exception of
the last coefficient for each vector). Moreover the number
of vectors below this limit is exponential in the dimension
of the lattice. Later we will look for the solution of a subset sum problem amongthe 0,l sequenceswhich occur as a
coefficient sequenceof such a short vector. By embedding
the lattice (linearly but not isometrically) into Qfi for some
iFL> m, that is defining a new Euclidean norm on it, we will
be ableto gauranteethat the shortestvector in the new lattice
hasa coefficient sequencewhich provides a solution for the
subsetsum problem.
Lemma 2.1. There arepositive ratioflak cl, c2, c3, c4 so
that for each sufficiently large positive integer n there is a
positive integer rn E [nC1,n2c1], apositivemtionalp
< 1, a
lattice L s Qm+2, and a basis VI, . . . . v,,,, v,,,+l, v,,,.+z of L
so that the followingholds:
(I)
(2)
zzryj
13
v E L, v # 0 implies ~~v~~
2 1,
if 2 is the set of all II E L, v = C~~“~ivi
with
= n, then I(v E 2 I ~~u~~2
< 1 -I- p3l2 2C3”*ogn,
y1
For all v E L, v # 0, if 11~11”< 1 + ~2~“~
Ll m+2 3;vj, and ~~+l 2 0, then ‘yi E {O,l} for
, . . . . m,-/m+1 = 1.
(4)
IfUl # ~2, 11UjI12< 1 f ~2~~’ anduj =
(3)
for all i E (1, .... I).
In the following Corollary we consider the subset sum
problem without the additional restriction xgl zi = [Q],
This Corollary and the following Theorem are not parts of
our final proof. We usethem only to illustrate the main idea
of the proof in a much simpler setup.
C~lri’j’Vj
forj=1,2thenthereisai=1,...,msotbat#)#~~2),
(5) size(p) < nca, 0 < p < 2-nC’, size(vl, ....v.+p) <
nc2.
(61 &i is rational.
h1oreoverthere is a probabilistic Turing machine which
for each input n gives the following output in time polynomial in n: an integer m, a rational p > 0 and linearly independent vectors VI, ....v.,,+z E Qm+2 so that
with a probability of at least 4 if L is the lattice generated
byvl, ,.., Urn+2 then m, p, Vi, . . . . vm+2,L satisfy conditions
Corollary
2.1.
Assume that cl, . . ..cG. m,
p, 211,.... vm+2, L are as in Lemma 2.2, ,1is an integer with
1 < I 5 m and Y = {yl, .... ~13E (1, ... . m), IYI = 1.
Supposethat x:=1 ai = b is a-n instance of the (not restricted) subsetsum problem SO that 0; = gy,,,(i) i = 1, .... I
is a solution of the problem for some v E 5’1, and Ir’ > 0
is sufficiently large. Let D = {&,j)i=l ,j-1,
m+l bc the (1
- a.*,
by m + 1) matrix defined by dl,y, = Kq for i = 1, .... b,
dl,m+l
= -Kb, and dl,i = 0 for all other j. Ifw E LtD)+
is a shortestnonzero vector in LtD), and w = $D(U), then
Zj = gy+(i), i = 1, .... 1is a solution of the given instance
of the subsetsumproblem.
(1),(2),(3),~4),(5),(6).
Our next goal is to define an embedding of the lattice
L (given by the previous lemma) into a higher dimensional
spaceso that any shortestnonzerovector of the new embedded lattice (which hasa different metric sincethe embedding
is only linear but not isometric), has a coefficient sequence
(in the embeddedimage of the basis (Vi}) which provides a
solution of the subsetsum problem. Under certain additional
assumptionswe will be able to do this asour next lemmawill
show.
Definitions. Assumethat m, p, ‘~1,.... vm+z, L are fised
with the propertieslisted in Lemma2.1.
1. We will use the following notation: So = (z G L 1
z # OS
11~11”
< 1+ A t ’ Vm+l2 0)s S2 = {Z E L 12 #
0, 1]~112
< 1 + pzne’ 8 2.2. urn+1 2 O}
2. For eacha: E Rmt2 if z = EL.” TjVj then let A(Z)
be them+ 1 dimensionalvector (rl&
.... 7ht+l&. (Note
that we do not use the last component of o in this definition.) Supposethat m’ is a positive integer and A is a matrix
with m’ rows and m + 1 columns. If z E Rm+2, then let
$4(z) be the m + 2 + m’ dimensional vector (z, AA(z)).
L(“) C Rm+m’+2 will be the lattice generatedby the vectors Il;;(vi), i = 1, .... m-t 2.
3. LtA)f will denote the set of all w E A with w =
dA(U) for someu E L, with u . v,+l 1 0. Clearly for all
w E LtA), at least one of the vectorsw, -w is in LtA)+.
We do not prove this Corollary, since it is not part of
our proof, but it easily can be proved even without Lemma
2.2. According to this Corollary we are able to solve the
non-restricted subset sum problem by solving the shortest
vector problem in LtD), provided that we can find an Y C
0 , -, nz),IV = I so that the subset sum problem has a
solution among the evaluationsZj = gy,Ji), v E Sl, The
following theoremof Sauerguaranteesthe existenceof such
a set Y provided that 1 5 2”‘, where 0 < 6 c 1 and n
is sufficiently large with repsect to 6 and cl, (For a proof
see[S] or [AS]. The theoremis related to the notion of VCdimesnion,see[VC].)
Definition. Assumethat S is a finite set, X is a set of
subsetsof S. The pair (S, X) is called a hypergraph.
Theorem (Sauer). If (S, X) is a hypergraphand 1x1 >
Cf=;’ (If’) then there is a Y E S with b elementssuch that
every subsetofY occurs among the sets Y fl 2, Z E X.
For eachv E Sl, v = Czt” yivi let TV = (i 5 m 1
=
1). We apply Sauer’stheorem with S = (1, .... m},
%
X = {T,Iv E Sl). We have that ISI < nc’ and by (1) and
(4) of Lemma 2.1 1x1 2 2CJn10gn.
Since 2 < n&,0 *: 6 < 1
and n is sufficiently large with respect to cl and S the requirements of Sauer’stheorem are met with b 3 1. (In&d ‘&
(If’) <l(nQ)’ <e610~nen6clloen <2Can*oEn,)
Therefore there is a set Y ,C S, IYl = I so that every 0,l
function on Y is of the form gy+ for some v E Sl. This
clearly implies that the solution of the subsetsum problem
is among them. (The requirement 1 < n8 does not cause
any problem since if 2 is given and we pick the smallest n
with I < n6, then the correspondingbasis of the lattice L
will bestill polynomial size in 1.) Sauer’stheoremtherefore
guaranteesthe existenceof the required setY, but it doesnot
provide any way for finding it (finding Y in polynomial time
would be necessaryto completethe proof this way). Unfortunately the proof of the theorem is not contstructive (from
Lemma 2.2. Assume that cl, ~2,ca,cq are fixed with the
properties in Lemma 2.1, c5 > 0, n is sufficiently large,
m,fhvl, .... vm+2,L satisfy the conditions of Lemma 2.1,
m’ 5 ncs is a positive integer A is a matrix with m’ rows
and m + 1 columns and all of the entries of A are integers
with absolutevalues no larger than ncs. If there is a v E 5’1,
so that IIAA(v)ll” = min{llAA(~)~~2~z E S2) and w is a
shortesr nonzero vector of L(“) with w E LIA)+, then there
is a u E 5’2 so that llAA(~)lj = llAA(v)ll and w = $A(%).
Definition.
Assume that Y C {l, ....m). Y =
= I and L, up, . .. . vm+2 are fixed with the
properties given in Lemma 2.1. For each v E L, u =
CE:” yivj, gy+, mill be a function definedby gy,, (i) = “/y,
(~1,..,,yl3,IYl
14
our point of view), To be able to usethe describedapproach
WCgeneralizethe theorem,namely we replacethe setY with
n more complicatedstructure in a way that makesthe proof
mom constructive.
First we note that it would be sufficient for our proof if
a randomchoice of Y would satisfy the requirementsof the
theoremwith a positive (polynomially large) probability. (In
this caseby taking many randomchoicesof Y we could get
at least one which is good for our purposes.)Unfortunately
this is not true if Y is uniformly distributed, sinceX can be
concentratedon a small subsetof S. In order to avoid this
difliculty, instead of taking a subsetY with I elements,we
will take a sequenceof disjoint subsetsCl, ... . Cl eachwith
P elements,where T will be a suitably chosenpositive integer. Now our goal is to get such a sequenceCl, .... Cl so
that for every O,l-function f on (1, ....I} there is a T E X
with f(i) = ICi rl TI for i = 1, ....Z. The original setup
can be considered as a special case of this, namely when
each C{ has exactly 1 clement. We will formulate an analogue of Snucr’stheoremwith this new representationof the
0, l-functions, We needsome additional restrictions on the
hypcrgraph (S, X), (which will hold in our case). Among
other conditions we will assumethat all of the setsin X has
the samenumber of elements. This is not a real restriction
sinceif X is of exponentialsize(in n) andS is of polynomial
size then X always has a subsetof exponential size which
contains sets of the same cardinality. Fixing this common
oisrehelps to fnd the right choice for the other parametersin
the theorem,
Defmition. A hypergraph(S, X) is called n-uniform if
~T~=nforallT~X.
Theorem 2.2. For all ~1 > 0, or2 > 0 there exist 0 <
61 < 1, 0 < 6s < 1,0 < Sa < 1 so that for aJJsufficiently
Jnrgcn the following holds:
Assume that (S, X) is an n-uniform hypergraph,n2 5
IS( 5 ~91, 1x1 2 Zaanlogn, Iz = [da] and Cl, .... Ci: is a
mndom scqucnccof pairwise disjoint subsetseach with exnctly [ISIn -l-ba] elements,with uniform distribution on the
sot of all sequenceswith lJ~osoproperties. Then, with aprobnbility of at least 1 - n 4 the following holds:
Soreach0, 1-valuedfunction f definedon (1, .... k) there
JsnTEXsotJJatf(j)=ICjnTIforalJj=l,...,Iz.
WCwill USCthis theoremto completeour proof. First we
formulatean analogueof Corollary 2.1 which is also a corollary of Lemma2,2 but will be usedtogetherwith Lemma2.2
(insteadof Saucr’stheorem). In this Corollary we will considcr the restrictedsubsetsum problem.
Dcllnitions. 1. Assume that C = (Cl, .... Cl) is a sequenceof disjoint subsetsof (1, .... ml and L, ~1, .... wm+2
arc given with the properties describedin Lemma 2.1. For
cnch ‘u E L, 21= C;n=?;2~iyi’u;,
gc+, will denote a function
defined by ga,u(i) = xjeoi Tj2. Let
D =
(4~)r=1,,,,,
~-2, j=l,...,
m+l
be a ma-ix
with
1I- 2 rows and m -l- 1 columns,defined by
(1) 4,j = ail3 for all j E Ci, &,,,,+I = -b13 and
15
dlj = 0 for all other valuesof j
(2) da,j = I3 for all j = uf-, Cj, ~Ja,~+l= -[$a3 and
d2,j = 0 for all other values of 7,
(3) For all i = 1, .... I, d&j = 1 if j E Ci and &+ad =
0 otherwise
If Cl, ...) Cl are consecutiveintervals of (1, .... m} then D is
the matrix on the top of the next page.
Corollary 2.2.
Assume that cl, ... . c5, m, p,
211,.... v,+2, L are as in Lemma 2.2, I is an integer witi
l_<Z~mandC=(C~,...,
Cl), is a sequenceofpahwise
disjoint subsetsof (1, ....m}. Supposethat Cfzl cai = b
is an instance of the restricted subsetsum problem so that
Xi = g+(i), a’ = 1, .... I is a solution of the problem for
somev E Sl. Let D be the (I + 2 by m + 1) matrix defined
above. Ifw E L(“)+ is a shortestnonzero vector in L(“),
anduI = $D(u), hen 2; = SC,=(i), i = 1, .... I is a solution
of the given instanceof the restricted subsetsumprobJem.
Now, accepting Lemma 2.1, Lemma 2.2, Corollary 2.2
and Theorem 2.2 we can prove our main theorem. We describe a probabilistic algorithm V using an oracle which
gives a shortest vector of the lattice presentedto the oracle. Each use of the oracle will be counted as 1 time unit.
V will find a solution of the restricted susbetsum problem
cf=, aixi = b (provided that such a solution exists) in time
polynomial in I, with a probability exponentially close to
one,
Assumenow that an instance cf,, &xi = b of the restricted subsetsum problem (which has a solution) is given
as an input. Let cl, ~2,ca,c4 be the constantswhose existenceis statedin Lemma 2.1. Let Sl, 62,153be the numbers
whose existenceis guaranteedby Theorem 2.2 with cyl --P
2~1, era + ca. Finally let n = r&l. We apply Lemma
2.1 for this n. According to the lemma p, m, ~lr, .... v,+a
can be computedin time polynomial in n, and so in I too,
with the propertieslisted in the lemma. (More precisely this
happenswith a probability of at least 3 only. So we will perform the algorithm describedbelow for the given values of
p, m, ~1, .... v,+s, if we do not get a solution of the subset
sum equation we repeat it with other random values. Performing this a polynomial numberof times, with a probability exponentially close to 1 it will happpenat at least once
thatp,m,vr ,..., ~,+a satisfy the conditions of Lemma 2.1
). We take a random sequenceC = (Cl, .... Cl) of pari;iS,e disjoint subets of S = (1, ....m} each with exactly
n-1-6a] elements,with uniform distribution on the sets
of all sequenceswith theseproperties. Clearly this randomization can be easily performed by picking the sets Ci recusrsively. n = r&l implies that I < [n”‘] therefore
we may apply Theorem 2.2 with al --P 2~1, CY~+ ca,
s + (1, .... m},I:-+Iand
X + (2 C {l, .... m) 1Zlu E Sr, ‘v = CL? ~ivi, 2 =
(i 1Tj = l,i = 1, ....ml).
According to the conclusion of the theoremwith a probability of at least 1 - n m&swe have that each 0,l function
all3
P
. ..
...
a#
P
1
..
Ii
..
il
. ..
-. .
...
*. .
...
1
.
:
0
..
i
. . . ail3
... P
.. .
. ..
a+P
P
...
*. .
...
-. .
...
...
*. .
...
*. .
...
0
.
:
1
..
il
0
.
:
1
..
i
. . . +P
... P
...
0
.
*. .
:
...
0
.
*. :
. . . a,13 0 ...
. ..
l3
0
...
0
0 :::
. *.
*. .:: .
.:
.,.
0
0 ...
..
.. ‘.
*. .
*
...
...
f(j) onil, ....m} is of the form f(i) = ICi tl !I’1for some
!I’ E X. If this is the casethen there is a T E X so that
pi = ]Ci tl TI is a solution of our subsetsum problem. (We
have assumedthat there is a solution). By the definition of
X and gc,il we have that there is a II E Sl so that pi = gcly
is a solution of the subsetsum problem. We may apply now
Corollary 2.2 and get that if w E .LtD)+ is a shortestvector in dD) and w = &(u), then oi = QCp i = 1, ..,l
is a solution of our susbetsum problem. 2, may find such
a w by asking the oracle for a shortest vector in .L(“). D
presentsthe lattice LtD) to the oracle by the basis $D(ui),
i= 1, .... m. (By the definition of ?c,D the size of this basis
is polynomial in 1.) The oracle gives a shortestvector w’ in
L(D) since either w’ or -w’ is in LID)+, ‘D finds a w with
the required property. Writing w as a linear combinationsof
the vectorsvi andusing the fact that $D is a homomorphism,
2, finds the vector u E L and so the solution of the subset
sumproblem. This way the algorithm hasfound the solution
only with a probability 1 - n-63. Repeatingthis a polynomial number of times independentlywe may ensurethat the
probability of successis esponentially close to one.
1
i
0
-bt3
0O -Tz3
.
0
.
:
i, ... 0
i
..
0
hypergraphdefined from the primes and adding the corresponding condition to the assumptionsof Theorem 2.2 is a
possibility for improvments. (It may result only in better
constants.)
Sketchof the proof of Theorem 2.2. We will randomize
the setsCl, .... ck sequentially.The elementsof the individual sets0; will be also randomizedsequentially, more precisely in bigger blocks. After eachrandomization we count
the number of setsT E X which intersect the already randomized(or partially radnomized)setsC!i in a given number
of elements, The “given number” will be only 0 or 1. In
other words assumethat f is a fixed 0, l-function definedon
L, and supposethat Cl, .... C+1 has been already randomized and Ci partially randomized(Cl will denotethe part of
C?iwhich has been alreadyselected). We count the number
of T E X with f(j) = ICj n TI for j = 1, .... i - 1 and
f(i) = ICl n TI. We prove the theorem by showing that
with a high probability this number g is always close to its
expectedvalue. More precisely this will not be necessarily
true for our original set X but we show that X has a subset
X’ with nice dispersionpropertieswhich still hassufficiently
manyelements(Lemma5.2) and for such an X, g and its cxpetted value will be always close.
The proof of Theorem 2.2. We give only a sketch of
the proof and a few details. The full proof is available in
[Ajt2]. (The numbering of lemmatahere is identical to the
numberingin the full version.)
Without somedispersionproperty we cannotexpect that
sucha statementis true. Indeed assumethat all of the setsin
X contain a single point a E S. If a is selectedas a memeber of a Cj then automatically IT n Cjl $ 0 for all E X
although the expectednumber of such sets T E X can be
quite large. Thereforewe needan assumtpionthat the number of setsin X containing any fixed point of S is not too
large comparedto 1x1 (lessthan a polynomial fraction). Actually we will usea similar assumptionabout the cardinality
of setscontaining two fixed points, This is equivalent to the
statementthat X is (1x1, n-“, 2) dispersed.Even if we start
with such an X our proof may breakdown, becauseafter selecting Cl, .... Ci we will need that if we replace X by Xi
the set of all T E X with f(j) = IT n C.jl for j = 1, .... i,
then Xi hasthe samedispersionproperty. Unfortunately the
Wb- a, 2) dispersion property is not inherited this way.
(We will not have a similar problem while selecting the elementsa single set C; becauseduring this processwe measure the error relative to the size of X at the beginning of
the selection process.)Assumenow that X is (1x1, n’“, 1)
dispersed,for somepositive integer 1 and let’s seewhat happens during the choice of Cl. If we are able to prove that
Definition. Assumethat (S, X) is a hypergraph. (S, X)
will be called (Al, a, b)-dispersed,if I(2 E XIB 2 T}I <
&nf holds for all i = 0, 1, .... X:andfor all B C S, JBj = i.
If 2 C S then we will saythat (S, X) is (itf, CY,k)-dispersed
on Z-if I{?’ E XIB C_T)I < CZ-~M holds for all i =
011, .... b and for all B 5 2, Il3I = i.
Remark. If S is the set of primes pi, ....pL (as defined
in Lemma 3.2) and X consists of those subsetsT C S
with I”IPETp E I where I is a fised interval, then X will
hwe very strong dispersion properties in the sensedefined
above. Namely if B C S then we have (appro?rimately)that
I(T E X I B E T)I 5 111nPeTp-l. We do not utilize this
property in our proof of the NP-hardness result (although
it was usedin an earlier version of the proof). Theorem2.2
does not assumeany dispersion property of the set X, we
have assumptionsonly about its cardinality. (We will show
that there is large a subsetof X with nice dispersionproperties.) Taking into accountthe dispersionpropertiesof the
16
the numberg is close to its expectedvalue using that X is s
WI, n-, 2) dispersed,then we may apply the sameproof
to the subsetof X containingl - 2 fixed points. (This subset
in (1X1,n’“, 2) dispersed,) This way we get (approximatley) that X1 is (IXlI,n-*, 1 - 2) dispersed. Continueing
selectionsof the setsCi we get that Xi is (IXil, nea, I - 24
dispersed,Lemma5.2 guaranteesthe dispersrionproperty of
the r;electcdX’ C X with a large I, so during the selections
of the setsCi, Iwill decreasebut it will remain alwayslarger
thnn 2.
The subsetX’ selectedin Lemma5.2 hasaspecial structure, namely all of it setscontain a common subsetB with
nt most (1 - P)n elcmetnsfor someconstant0 < /3 < 1. In
the rcmnining part of the proof we will consideronly setsCi
which hasan empty intersectionwith B. Sincethe probability thnt B tl U Cf = 0 is at least 1 - n-6 for someconstant
6 > 0 it doesnot causeany problem. End of sketch.
WC formulate now another weaker version of Theorem
2,2 where the statementsare made only about hypergraphs
(ISl,X) that are (IXl,n-a, n) dispersedfor someconstant
cy,Wealso give someindication aboutthe choiceof the numbers61,i = 1,2,3. Later we show that this waekerversion
implies the original theorem.
Notntion. 8 4 yl, .... yk will mean that 2 is sufficently
5mnll with respectto ~1, ..,, yk.
We claim that IBI 5 (1 - p)n. Indeed, otherwise the
number of elementsof X containing B is at most ISlfl* 5
(nal)B* = 2Sal*log*. The definition of B implies that
this number is at least IXln-fl* > 2aan*ogn-~n*ogn =
This
2h-BWw.
We got 2( aa-B)*lofi < 2h*log*.
is a contradiction since@is sufficiently &all with respectto
w,a2.
Now we show that B satisfies the conditions of the
lemma. According to (5.1) IX’1 > n-BIB1 1 n-fin >
2+*l”gn. Supposethat contrary to our assertion(S’, X’) Z ’
not (IX’l, n-p, n- IBI)-dispersed.Then thereis a D E IX’1
withIDI=j,lIjIn-IBIsofhatI(T’EX’IDC
T’}I > IX’ln-BJ. For eachset T’ in the last inequality we
have that B U T’ E X. Therefore if B’ = B U D then
I(T E X 1B’ E T}I 2 IX++
1 n-@I+@j = n-@lB’I
in contradictionto the maximality of B. Q.E..D.(Lemma5.2)
Lemma 5.2, For aJl~1 > 0, (~2> 0 thereexist a p > 0
80 Chatifn is sufficiently large then the followingholds. Assumetbnt (S, X) is an n-uniform hypergraph,ISI 5 nal and
1x1 > 2aanlogn. Then thereis a B C S, IBI 5 (1 - p)n,
=(T-B
ITEX,BCT}
00 r& if S = S-B,X’
lhen IX’1 > 2onlogn and (9,X’) is an n - IBI-unifbnn
(IX’], n-P, n - IB I)-dispersedhypergraph.
Now we show that Lemma5.1 implies Theorem2.2.
We apply Lemma 5.2 to the hypergraph (S, X) of theorem 2.2. Let (S’, X’) be the hypergraphdefined in Lemma
5.2. We have that it is (IX/l, n-p, n - IBI)-dispersed and
IX’] > 2@*l”gn. Let m = n - IBI. We may formulate some
cons&ences of thesepropertiesin terms of m. We get that
IX’1 2 2pm*ogmand (9,X’) is (IX/l, n-g, m) dispersed
(sincem 2 j3n 2 nf).
Now we may apply Lemma5.1 to the hypergraph(S, X),
with n + m, ~2 + p, ora + $. We pick the numbers
Si = 1,2,3 so that they meetthe requirementof Lemma5.1.
We claim that the requirementsof Lemma 2.2 are also met
with the same81,62 and Sa + +. Assume that we pick
CJ.at random with the distribution given in Lemma
$-;
; u”i=l (-ji is a random subset of S with exactly
[n6~]ISln-1-6s 5 ISln-1-6a+61 5 ISln-l-$
elements.
(& wassufficiently small withrepsect to 62). Since IBI 5 n,
we have that P(F fl B = 0) 5 nn-l-3
= n-2. The
distributionof Cl, .... Ck with the condition F fl B = fl is the
sameas the distribution of Cl, .... Ck according to Lemma
5.1. Therefore the probability that Cl, ... . Cr: satisfiesthe
conclusion of Lemma 5.1 and so the conclusion of Theorem
2.2aswellisatleast l-(n-~-(l-n’Q)n’b5)
2 l-n-+.
Q.E.D.(Theorem2.2)
Proof of Lemma 5.1. We do not give here a detailed
proof, we only formulate the key lemmataof the proof. We
will pick the sets Cl, .... Ck sequentially and describe the
distribution of the number of intersectionsT rl C;, T E X
with one or zero elements. The following lemma describes
what happensat the choice of a single Ci (C in the lemma
below). The hypergaph(S, 2) in the lemma will play both
the role of (9, X) (for someS’ c S) and (S’, XD), where
DcSandXD
=(TEXI
DET).
Proof, Assume that p > 0, is sufficiently small with
rcopcct to ry1 and cy2. Let B E X be maximal with the
following property:
(5.1) I(T E X 1B c T)I > n-@lBllXI.
Lemma53 Forall& > O,fls > 0 and71 > O,TZ> 0,
if+yz 4 71 % pl,p~ then the following holds. Assume that
M > 0 and (S, 2) is an n-uniform (M, n-pa, 2)-dispersed
hypergraph,an2 5 ISI 5 n@l and C is chosenat random
Lemma 5.1. For all ~1 > 0, cy2> 0, (~3> 0 and& > 0
62 > 0, 63 > 0 if 63 4 61 4 62 4 crl, (Y~,cY~,
and n is
suflicienlly huge then the following holds:
Assume that (S, X) is an n-uniform (IXl,n-aS,n)dispersedhypergraph,n2 5 ISI < 91, 1x1 2 2a~n’o~n,
k = [dl] and Cl, ..,, Ck is a random sequenceofpainvise
disjoint subsets each with exactly [lSln-1-6’] elements,
with uniform dislribution on the set of all sequenceswith
lhcscpropcrtics, Then with aprobability of at least 1-2-n6S
lhe following holds:
fore&O, 1-valucdfunctionf definedon(1, ....k)there
is a T E X SO that f(j) = IC’j II TI forallj = 1, .... k.
We will show that this lemma implies theorem2.2. The
following lemmais neededfor this proof.
17
with uniform distribution from the set of subsetsof ISI with
c.yactlyt elementswhere ISjn-1-27a < t < ISln-l-~~~.
Supposefurther that the numbersXi, i = 0,l are given so
thatfbr~~~~S~~~rtithI~l=n,Xi=P(ICflF;-l=i)
Assume further that Y is a random variable uniformly
distributedon theset ofsubsetsofA with esactly s elements.
Then with a probability of at least 1 - 2-t6, we have that
fori = 0,l.
Then with aprobabilityofat least 1-2-n71 we havethat
l(c
YEY
fori = 0,l
if 1215 M then, I{T E 2 I IT n Cl = i}l = XilZl + &
W(Y))
- sW1 c ~(415 Kt””
SEA
where II&l 5 n-‘t’lM
REFERENCES
Lemma 5.4. Forall& > O,& > 0 andqj > 0, if71 3
PI,& then fhe following holds. Assume that M > 0 and
S, 2 is (m n-uniform (iU, n -pa, 2)-dispersedhypergr&ph,
Isin2 5) ISI 5 n p1 and C is chosen at random with uniform
distribution from the set of subsets of ISI with exactly P elementswhere T = ISln-l-ya, 3’1 5 72 5 2~~. Suppose
further that the numbersui, i = 0,l are given so that for any
[ABSS] S. Arora, L. Babai, J. Stern, Z. Sweedyk,The hardnessof approximateoptima in lattices, codesand systemsof
linear equations,Proc. 34-th Annual Symp. Found. Computer Science,1993,pp. 724-733.
[AD] M. Ajtai, C. Dwork, A Public Key Cryptosystemwith
Worst-Case/Average-Case
Equivalence. Proc. 29-th Annual
ACM Symp. on the Theory of Computing, 1997, pp. 2S4293, and Electronic Colloquium on Computational Complexity, 1996,
http://www.eccc.uni-trier.deleccc/
[Adl] L. Adleman, Factoring andLattice Reduction,
Manuscript, 1995.
[Ajtl] M. Ajtai, GeneratingHard Instancesof Lattice Problems, Proc. 2%th Annual ACM Symp. on the Theory of
Computing, 1996,pp. 99-10s. For the full version see:Electronic Colloquium on ComputationalComplexity, 1996,
http://www.eccc.uni-trier.de/eccc/
F C S with IFI = n, ai = P(IC n FI = i) fori = 0, I.
Then with a probability of at least 1- 2+“’ we have that
fori = 0,l
if 121 5 M then, I{T E 2 I ITn Cl = i}l = qlZ
‘I +Ri
where l&l 5 10n-2raM.
In the proof of this lemma we estimate{T E 2
Cl 2 2). For this kveusethe following lemma.
I ITn
Lemma 5.5. For all sufficiently small 6 > 0 and for
all sufficiently large positive integers s and t the following
holds: assume that A is a finite set, w(z, y) is a real-valued
function of two variablesdefined on A and K > 0 is a real
number with the followingproperties:
(I) 0 5 w(z, y) forall 3cE A,
01 Ca&4 4% Y) 2 K forall y E A,
= w(y, z) forall a,y E A,
c3bJbY)
(4 ~214-2E&i C9J@I
4~3YN 5 Kt,
(5)IAl > st2
Assume further that Y is a random variable uniformly
distributedon the set ofsubsetsofA with esactlys elements.
Then with a probability of at least 1 - 2-tS, we have that
c
c
EEY YEY
+,
Y) I
[AjQ] M. Ajtai, The ShortestVector Problem in L2 is NPhard for RandomizedReductions.Electronic Colloquium on
ComputationalComplexity, 1997
http://www.eccc.uni-trier.delecccl
[AS] N. Alon, J. Spencer,The Probabilisitc Method, John
Wiley & Sons, 1992.
[AC] J.-Y. Cai, A. Nernrkar, Approximating SVP to within
a factor of (1 + dim’) is NP-hard under randomizedreductions, IEEE Conferenceon Computational Complesity (to
appear), so also Electronic Colloquium on Computational
Complexity, 1997,TR97-059
http:/lwww.eccc.uni-trier.de/eccc/
[Ch] H. Chemoff, A Measureof Asymptotic Efficiency for
Tests of a Hypothesis Based on the Sum of Observations,
Annals of MathematicalStatistics 1952,(23), pp 493-507.
[vEB] P. Van Emde Boas, Another NP-complete partition
problem and the complexity of computing short vectors in
a lattice, Tech. Report U-04, Dept. of hjathematics, Univ.
of Amsterdam,19SO.
[GG] 0. Goldreich, S. Goldwasser,On the Limits of NonApprolrimability of Lattice Problems, Electronic Colloquium, 1997,on ComputationalComplexity,
http://www.eccc.uni-trier.de/eccc/
2Kt
Lemma 5.6. For all sufficiently small 6 > 0 and for
all sufficiently large positive integers s and t the following
holds: assume that A is a finite set, w is a real-valued function on A and K > 0 is a real number with the following
properties:
CI)O~w(~)<KforaZlzcA,
(2) sIAI-~ CoEA W(X) < Kt,
(3) IAl > st2.
1s
[GGHl] 0. Goldreich,S. Goldwasser,S. Halevi,Collisionfree hashingfrom latticeproblems,ElectronicColloquium,
1996,on ComputationalComplexity,
http://www,eccc,uni-triezdeleccccl
[GGH2] 0, Goldreich, S. Goldwasser,S. Halevi, Publickey cryptosystemsfrom lattice reductionproblems,Electronic Colloquium on ComputationalComplexity, 1996,
http:l/www,eccc.uni-trierdeleccccl
[K] R, M. Karp, Reducibility amongcombinatorialproblems, in Complexity of Computer Computation, e.d.
R. E, Miller and J. W. Thatcher,New York: PlenumPress,
1972
[LLS] J, Lagarias,H.W Lenstraand,C. R Schnorr,KorkineZolotarevbasesand successiveminimaof a lattice and its
reciprocallattice,Combinatorics10 (1990),333-348
[S] N, SauerOn the densityof familiesof sets,Journalof
CombinatorialTheory,SeriesAl3,1972,145-147
[Vl] A, Vardy,The Intractability of Computingthe MinimumDistanceCode,Preprint
[V2] A, Vardy,Algorithmic Complexityin CodingTheory
nnd the Minimum DistanceProblem. Proceedingof the
Twenty-NinthAnnualSymposiumon Theoryof Computing,
May 4-6, El Paso,Texas,pp 92-109
[VC] V,N, Vapnik and Ya. Chervonenkis,On the uniform
convergence
of relativefrequenciesof events’to their probabilities,Theoryof ProbabilityApplications1971,(16),264
280,
19