- Email: [email protected]
Note on shortest and nearest lattice vectors
Information ~~;zr~ing Information Processing Letters 61 (1997) 183-188
Note on shortest and nearest lattice vectors Martin Henk’ Konrad-&se-Zentrum
(UB) Berlin, Division Scientijic Computing, Department Takustrasse 7, D-14195 Berlin, Germany
Discrete Methods,
Received 23 May 1995; revised 12 November 1996 Communicated by S. Z&s
Abstract We show that with respect to a certain class of norms the so-called shortest lattice vector problem is polynomial-time Turing (Cook) reducible to the nearest lattice vector problem. This gives a little more insight in the relationship of these two fundamental problems in the computational geometry of numbers. @ 1997 Elsevier Science B.V. Keywords: Computational geometry: Shortest lattice vector: Nearest lattice vector; Polar lattice
1. Introduction Throughout this paper let R” be the real n-dimensional is the gauge-body of the norm, i.e. K = {X E IV 1fK(X)
vector
space
equipped
with a norm
fK( .), where
K
< 1).
K is a centrally symmetric convex body with nonempty interior and f~(.) is also called the distance function where B is the of K because f~( n) = min{p E IK)’ 1 x E pK}. The Euclidean norm is denoted by fB(e), n-dimensional unit ball, and the associated with edge length 2 and center 0, and thus
inner product
smallest integer not less than x E JR. Let b’,... , b” E Q” be IZ linearly independent
A={XE~
1X=&b’, ZiEZ,
is denoted
by (a, e)_ Finally,
we denote
by C the cube
fc(.)denotes the maximum norm. As usual we denote by 1x1 the vectors. The set
1
i=l
is called the lattice generated by the basis b’ , . . . , b”. Now, the shortest lattice vector problem with respect (cf. [5]): ’ Email: [email protected]. OOZO-0190/97/$17.00 @ 1997 Elsevier Science B.V. All rights reserved. PII SOO20-0190(97)00019-7
to a norm
fK(a)- SVPK - is the following
task
184
M. Henk/Information Processing Letters 61 (1997) 183-188
SVPK. Let A c Q” be a lattice given by a basis b' , . . . , b”. Find a lattice vector b E A \ (0) distance to 0, i.e. fK( b) = min{fK( w) ) w E n \ (0)).
with minimal
The length of a shortest nonzero vector of a lattice A with respect to a norm f~( .) is denoted by AK(A). The nearest vector problem with respect to the norm f~( .) - NVPK - is in a certain sense the inhomogeneous counterpart to SVPK: iVK&. Let A C w be a lattice given by a basis b’, . . . , b” and let u E Q”. Find a lattice vector c E A with minimal distance to u, i.e. f~(c - u) = min{fK(w - v) 1w E A}. Observe that in the SVPK we are looking for a nonzero lattice vector, whereas in the NVPK the zero vector is a solution for all sufficiently small vectors u. Geometrically speaking the NVPK is the task to find a lattice point c such that the given point u is contained in the honeycomb c + HK( A), where HK( A) is given by HK(A)
= {X E R” 1OK
< ~K(X - w),
VW E
A}.
HK( A) is a centrally symmetric ray set, i.e. if x E HK (A), then pn E HK (A) for all p with - 1 < p 6 1. In the Euclidean case, but not in general, HK( A) is a convex set. Moreover, it is easy to see that the inradius of HK( A) with respect to f~( .) is one half of the length of a shortest lattice vector. Analogously, the circumradius pK (A) of a honeycomb is equal to the so called inhomogeneous minimum of A and fK ( .) (cf. [ 61) , which is defined as the maximal distance of a point to the lattice, i.e. ,UK( A) = maxyEnfl min,,+t f~( w - y) = m={fK(x) 1x c HK(A)}. Thus AK(A) TK
C HK(A)
G PK(A)K.
(1)
It is known that the nearest vector problem is NP-hard for the norms fn( .) and fc(.), see[3] and [7]. Probably the shortest vector problem is also NP-hard, but up to now this has only been established with respect to the maximum norm (cf. [ 31). The purpose of this note is to prove that for a certain class of norms SVPK is not harder than NVPK: Theorem 1. that fC(x)
Let A C Q” be a lattice given by a basis b’, . . . , b” and let
< fK(x)
With polynomially sv,?K.
<
fK( .) be a norm with the property
fB(x), x E R".
many calls to a subroutine
(2) solving NVPK and polynomial
additional
time we can solve
At a first sight this class of norms appears to very special, but for example all p-norms IxJp = (Cf,, IxilP) t/P are part of this class for p 3 2. We assume that the function fK(.)is computable in polynomial time. The input size of our problem is given by the input size of the vectors b’, . . . , b”. For detailed information about complexity and numerical computation we refer to the book [ 51 and for notation concerning lattices we refer to [ 61. Finally, we note that (2) is equivalent to B C K C C, and thus implies that
&fE(x) < fK(x) fK(e’>
=
1,
<
fB(x),
l
where ei denotes the ith unit vector.
(3) (4)
M. Henk/Information Processing Letters 61 (1997) 183-188
2. Proof of Theorem
185
1
Now we state an algorithm which reduces the problem SVPK to NVPK. Since the algorithm works inductively the input is given by an m-dimensional lattice A embedded in R”, where we assume m > 1. Otherwise it is trivial to compute a shortest nonzero lattice vector. The linear hull of A is denoted by lin(A). Procedure SVPKby_NVPK. Input: An m-dimensional lattice A generated by the basis b’ . . ..bmEQ”andanormfK(.)onIR”suchthat (2) is satisfied. Output: A shortest nonzero vector b of the lattice A with respect to fK( .>. (i) With respect to the Euclidean norm find an “almost” shortest nonzero lattice vector b* in the polar lattice A* = {z E lin(A)
1 (z, w) E Z, VW E A)
of A by calls of the subroutine AB(A*)
(ii)
(iv) (v) (vi)
vector b* E A* such that
> =$.
(5)
Findabasis6’,...,6mofAsuchthat (Et’,b*)=O,
(iii)
NVPK, i.e. find a primitive
l
and
(6”,b*)=l.
(6)
Let Hi = {x E lin(A) 1 (b*, x) = i}, i E Z. For 1 6 i < [2n312 . ml find a shortest lattice vector u”‘*~in the affine hyperplane Hi using the subroutine NVPK. Let u”’ be a lattice vector of minimal length among the vectors Ci. Find a shortest lattice vector u”*-l in the plane HO by applying the procedure SVPK_bylVVPK to the (m - 1 )-dimensional lattice An*-l generated by the vectors 6’) . . . , &“‘-I and the norm fK( .). Let b be the shorter one of u”’ and urn-‘. Then fK( b) = AK(A).
Proof of Theorem 1. Without loss of generality we may assume A C Z”. First we prove the correctness of the algorithm. Obviously, a shortest lattice vector of A is contained in Us Hi. It remains to show that it suffices to consider the planes Hi, 0 < i 6 [2r1~/~rn].By a result of Banaszczyk &(A). &(A*) < m. Since B c K by (2) we have &(A) 2 AK(A) and thus k(A)
[ l] (see also [ 21) we have
6 5. ABC/I*)
On account AK(A)
of (5) we obtain < 2n
(7)
fs(b*)'
On the other hand we have for each vector y E Hi that fs(y) J;(b)
b
’
&fib*)
> i/ fB( b*) and so (cf. (3))
’
Hence for i > [2n3i2 . ml the length of a shortest lattice vector in a plane Hi is greater than AK(A). In the sequel we show how the single steps of the algorithm can be done. , b” be an orthogonal basis of the orthogonal complement of lin( A). Such a basis can be Step(i):Letbmfl,... found in polynomial time via the Gram-Schmidt orthogonalization (cf. [ 51). Let B be the matrix with columns
186
M. Henk/lnformation Processing Letters 61 (1997) 183-188
b’, . . . , b”. Then the first m columns of the matrix (BT)-’ form a basis of A*. Let the columns of (BT)-’ be lattice generated by b'* , . . . , bm* , ubm+‘*, . . . , ab”* denoted by b’*, . . . , b”* and let 6* be the n-dimensional with 2n min{fs(bi*)
In what follows we construct
&(A*) >
fdb’*)
Im+l
(8)
+ 1. 1
a vector b* E A* \ (0) such that (5) holds with /i* instead of A*, i.e.
ql.
(9)
Then by the choice of CTwe will see that b* belongs to A* and thus the vector satisfies (5). Since the parallelepiped P* spanned by b'* , . . . , P , crbm+l*, . . . , c+b”* generates a lattice tiling with respect to A* the width w(P*) of P* is a lower bound for &(A*). Now w(P*)
=min{l/f~(b’),...,l/f~(b”),a/f~(bm”),...,a/fB(b”)}
and so &(A*)
> w(P)
With va = y/ 120 n
2 y :=min
l
1 ,jk;b’),
1
1
we obtain for 1 < i 6 n (cf. (4))
fdvoel) = vo 6
&(A*) < M/i*) 2J4;
,
-.
(10)
2
Thus the vectors vce’ belong to the honeycomb HK( A*) (cf. ( 1)) and the origin is the unique nearest lattice vector to vee’. Moreover for VI = CE, [f~ (b’*) + C~=m+l [_f~(ab~*)] we obtain (cf. [ 61) frr(vlei)
=VI > i(efK(@)
+ 2
fiK(gbi*))
2 OK.
(11)
i=m+ 1
i=l
Hence the vectors viei are not contained in HK(/~*). On account of (1) and since HK(/~*) is a ray set the output of the subroutine NVPK with input A and ve’ is a nonzero lattice vector for v 2 ~1. So by applying the subroutine NVPK to the sequence of points 2’vae’, k = 0,. . ., we can find after at most [log, (~1) - log2 (~a)] calls of NVPK a positive scalar ei with vc < ei 6 vt and a nonzero lattice vector ui* such that eiei E HK( ;i*)
and
2aiei E ui* + HK( 6*).
The last relation implies fK( 2eiei - ui* ) < fK( 2eie’) and thus f~( ui* ) < 4&i. Now let &k= min{si 1 1 < i 6 n} and let b* = vk*. In the sequel we show that b* satisfies (9). For abbreviation we write E instead of &k. On account of (3) we get fs(b*)
6 4+
HK( /I”*) is a centrally fB(ce’)
(12) symmetric
= E = fK(ee’)
< fK(ee’
ray set and thus fs -u*>
< fs(ae’
. ei E HK( A*>. Hence (cf. (4) ) - u*)
(13)
for all lattice vectors U* E /i*. That means that the vectors fee’, 1 < i < n, are contained in the honeycomb HB(/I*)which is a convex set. So the width of the cross polytope with vertices fs . ei is a lower bound for As(j’*):
hf. HenkIlnformation Processing Letters 61 (1997) 183-188
Together with (12)
we obtain
Now suppose b* $ A*. Then by the definition
fs(b*)
187
> cmin{fs(bi*)
1I+
1
of 2
and (+ we have
> 2nfs(b’*)
3 2n.&(/i*)
which contradicts the choice of b*. Obviously, we may assume that b’ is primitive. Step (ii) : In order to find a basis of A such that (6) is satisfied we first construct a basis b’* , , . . , gm* of A* containing b*. Furthermore, without loss of generality we may assume that the matrix M with columns , bm* has rank m. Let A be the integer (m x m)-matrix such that M = B* . A, where B* is the b*,b2*,... matrix with columns b'* , . . . , b"* . It is well known that the Hermite normal form of a A can be computed in polynomial time (cf. [4], [ 81 or [ 101) and thus we can find an unimodular matrix U and an integer upper triangle matrix T with A = (I. T. Hence M = (B* . U) . T and the columns A’*, . . . , @‘* of B* . U form a basis of A*. Since b* is primitive b* is the first column vector of B* . U. Now, let b*+‘*, . . . , b”* be an orthogonal basis of the orthogonal complement of lin( A) and B* be the matrix with columns g1 , . . . , grn*, bmfl*, . . . , b"* . Then the first m columns of (BT) -’ form a basis of A such that (6) is satisfied. Step (iii): Obviously, Hi fl A = {x E A 1x = ~~~’ ZjP + ihm}. Hence, for i 2 1 the shortest vector problem in the plane Hi is the task to find a lattice vector of Am-’ which is nearest to -iti. That can be done by applying the procedure NVPK to the input vector -ibm and a suitable n-dimensional lattice A. For example, let gnt,..., g” be an orthogonal basis of the orthogonal complement of lin( Am-l ) and let l
x = [2&l
[2n312 f ml
.fB(b”> min{_fB(gj) 11726 j < n} 1
+1
We claim that a nearest lattice vector of the lattice A generated by i’, . . . , hm-‘, xg”, . . . , ,&’ to -ib”’ belongs to A”?- l. Suppose the opposite and let zl b’+. . .+~,,-lb”*-~ +zmx8m+*. . + z,,,& be a nearest lattice vector to -ib”’ with some zj # 0, say zn, form < j < n. Then f~(zlbl+...+z,-~bm-‘+z,,xgt+.~.+z,x~-ibm) < if,y (b”‘) and on account of (3) we get
IZnIXfBW)_
ifK(bm)
J;; < f~(zlbl+.~.+z,-lbm-l \
+z,n,yg”‘+...+z,,yg”)
- ifdbm)
Jr;
~f~(~~b~+~~~+z~_~b~-~+z,xg’+~~~+z,,,yg’-ib”’)
w h’ic h contradicts the choice of x. It followsx < 2fiifB(bm)/fB(g”) < [2fl[2r~~/~.rn] .f~(b”)/.f~(g”) To analyze the encoding length of the numbers arising in the procedure let (A) be the input size of the algorithm and let A’ be the i-dimensional lattice constructed in the (m - i)th call of the procedure SVPK-by_NVPK. Furthermore, let b*l be the “almost” shortest lattice vector of the appropriate dual lattices A*; constructed in step (i). Then det(Aj-‘) = det(Aj)fs( b*J) and by (5) and Minkowski’s convex body theorem (cf. [51) det(Aj-‘)
= det(Aj)fs(b*‘)
6 det(Aj)2nhs(A*j)
< det(Aj)2n&det(A*J)“j
< det(Aj)2n.
&.
So det(Ai-‘) < det(A”*)(2n) 2m Before we call the procedure SVPK_byNVPK and obtain a basis cl, . . . ,d E in of /li with (cf. [5])
we can make an LLL-reduction
M. HenkIlnformation Processing Letters 61 (1997) 183-188
188 fB(cl)
. ..fs(cJ)
6
.2
25 det(AJ).
Hence, for each vector cj we have the bound fn(c’)
< 2mZ(2n)2”det(Am).
This implies that we can always find a basis of the lattice /li whose input size is bounded by 0( (A)3). Finally, it is easy to check that the numbers arising in the steps (i)-(iv) of the procedure SVPK_by_NVPK are bounded by a polynomial in the input size of the given basis at the beginning of the execution of the steps (i)-(iv) (cf. [5]). 0
3. Remarks The crucial point for the special choice of the norms given by (2) is relation ( 13). For example, if f~(.) is the l-norm, i.e., K is the cross polytope with edge length fi then, in general, it is not true that fK ( eei - U*) < fs ( eei - u*) . Hence we do not know whether fee’, 1 < i < n, are contained in Hn (/i*) and we can not show that b* is an “almost” shortest lattice vector as required in step (i) (cf. proof of Theorem 1) . On the other hand if K is an arbitrary centrally symmetric convex body and if we have oracles solving NVPK and NVPn, then SVPK can be solved in oracle polynomial time, because by the subroutine solving NVPB we can easily find such an “almost” shortest lattice vector. However, we believe that SVPK is polynomial reducible to NVPK at least for any p-norm. The above algorithm works also for any norm fz( .) for which an affine transformation L exists such that B c LE c C because fLz(x) = fR(L-‘x). Finally, we remark that in the Euclidean case the problem to find a Korkin-Zolotarev reduced basis of a lattice is polynomial reducible to the shortest lattice vector problem SVPB (cf. [ 93 ) . By Theorem 1 we obtain that this problem can also be reduced to NVPs in polynomial time.
References [ 1] W. Banaszczyk, New bounds in some transference theorems in the geometry of numbers, Math. Ann. 296 (4) ( 1993) 625-635. [ 21 J. Boutgain and V.D. Milman, Sections euclidiennes et volume des corps symetriques convexes dans Iw”, C.R. Acad. Sci. Paris Se+. I Math. 300 (1985) 435-438. [ 31 F? van Emde Boas, Another NP-complete partition problem and the complexity of computing short vectors in a lattice, Rept. 81-04, Mathematical Institute, University of Amsterdam, 198 1. [4] M.A. Frumkin, An algorithm for the reduction of a matrix of integers to triangular form with power complexity of the computations, ,!?konomika i Matematicheskie Metody 2 (1976) 173-178 (in Russian). [ 51 M. Grotschel, L. Lovasz and A. Schrijver, Geometric Algorithms and Combinatorial Optimization (Springer, Berlin, 1988). [6] PM. Gruber and C.G. Lekkerkerker, Geometry of Numbers (North-Holland, Amsterdam, 2nd ed., 1987). [7] R. Kannan, Minkowski’s convex body theorem ad integer programming, Math. Oper. Res. 12 (3) (1987) 415440. [ 81 R. Kannan and A. Bachem, Polynomial algorithms for computing the Smith and Hermite normal forms of an integer matrix, SIAM J. Compur. 8 (1979) 499-507. [9] L. Lovdsz, An Algorithmic Theory of Numbers, Graphs and Convexity, CBMS-NSF Regional Conference Series in Applied Mathematics, Vol. 50 (SIAM, Philadelphia, PA, 1986). [ lo] M. Pohst and H. Zassenhaus, Algorithmic Algebraic Number Theory (Cambridge University Press, Cambridge, MA, 1989).
Note on shortest and nearest lattice vectors Martin Henk’ Konrad-&se-Zentrum
(UB) Berlin, Division Scientijic Computing, Department Takustrasse 7, D-14195 Berlin, Germany
Discrete Methods,
Received 23 May 1995; revised 12 November 1996 Communicated by S. Z&s
Abstract We show that with respect to a certain class of norms the so-called shortest lattice vector problem is polynomial-time Turing (Cook) reducible to the nearest lattice vector problem. This gives a little more insight in the relationship of these two fundamental problems in the computational geometry of numbers. @ 1997 Elsevier Science B.V. Keywords: Computational geometry: Shortest lattice vector: Nearest lattice vector; Polar lattice
1. Introduction Throughout this paper let R” be the real n-dimensional is the gauge-body of the norm, i.e. K = {X E IV 1fK(X)
vector
space
equipped
with a norm
fK( .), where
K
< 1).
K is a centrally symmetric convex body with nonempty interior and f~(.) is also called the distance function where B is the of K because f~( n) = min{p E IK)’ 1 x E pK}. The Euclidean norm is denoted by fB(e), n-dimensional unit ball, and the associated with edge length 2 and center 0, and thus
inner product
smallest integer not less than x E JR. Let b’,... , b” E Q” be IZ linearly independent
A={XE~
1X=&b’, ZiEZ,
is denoted
by (a, e)_ Finally,
we denote
by C the cube
fc(.)denotes the maximum norm. As usual we denote by 1x1 the vectors. The set
1
i=l
is called the lattice generated by the basis b’ , . . . , b”. Now, the shortest lattice vector problem with respect (cf. [5]): ’ Email: [email protected]. OOZO-0190/97/$17.00 @ 1997 Elsevier Science B.V. All rights reserved. PII SOO20-0190(97)00019-7
to a norm
fK(a)- SVPK - is the following
task
184
M. Henk/Information Processing Letters 61 (1997) 183-188
SVPK. Let A c Q” be a lattice given by a basis b' , . . . , b”. Find a lattice vector b E A \ (0) distance to 0, i.e. fK( b) = min{fK( w) ) w E n \ (0)).
with minimal
The length of a shortest nonzero vector of a lattice A with respect to a norm f~( .) is denoted by AK(A). The nearest vector problem with respect to the norm f~( .) - NVPK - is in a certain sense the inhomogeneous counterpart to SVPK: iVK&. Let A C w be a lattice given by a basis b’, . . . , b” and let u E Q”. Find a lattice vector c E A with minimal distance to u, i.e. f~(c - u) = min{fK(w - v) 1w E A}. Observe that in the SVPK we are looking for a nonzero lattice vector, whereas in the NVPK the zero vector is a solution for all sufficiently small vectors u. Geometrically speaking the NVPK is the task to find a lattice point c such that the given point u is contained in the honeycomb c + HK( A), where HK( A) is given by HK(A)
= {X E R” 1OK
< ~K(X - w),
VW E
A}.
HK( A) is a centrally symmetric ray set, i.e. if x E HK (A), then pn E HK (A) for all p with - 1 < p 6 1. In the Euclidean case, but not in general, HK( A) is a convex set. Moreover, it is easy to see that the inradius of HK( A) with respect to f~( .) is one half of the length of a shortest lattice vector. Analogously, the circumradius pK (A) of a honeycomb is equal to the so called inhomogeneous minimum of A and fK ( .) (cf. [ 61) , which is defined as the maximal distance of a point to the lattice, i.e. ,UK( A) = maxyEnfl min,,+t f~( w - y) = m={fK(x) 1x c HK(A)}. Thus AK(A) TK
C HK(A)
G PK(A)K.
(1)
It is known that the nearest vector problem is NP-hard for the norms fn( .) and fc(.), see[3] and [7]. Probably the shortest vector problem is also NP-hard, but up to now this has only been established with respect to the maximum norm (cf. [ 31). The purpose of this note is to prove that for a certain class of norms SVPK is not harder than NVPK: Theorem 1. that fC(x)
Let A C Q” be a lattice given by a basis b’, . . . , b” and let
< fK(x)
With polynomially sv,?K.
<
fK( .) be a norm with the property
fB(x), x E R".
many calls to a subroutine
(2) solving NVPK and polynomial
additional
time we can solve
At a first sight this class of norms appears to very special, but for example all p-norms IxJp = (Cf,, IxilP) t/P are part of this class for p 3 2. We assume that the function fK(.)is computable in polynomial time. The input size of our problem is given by the input size of the vectors b’, . . . , b”. For detailed information about complexity and numerical computation we refer to the book [ 51 and for notation concerning lattices we refer to [ 61. Finally, we note that (2) is equivalent to B C K C C, and thus implies that
&fE(x) < fK(x) fK(e’>
=
1,
<
fB(x),
l
where ei denotes the ith unit vector.
(3) (4)
M. Henk/Information Processing Letters 61 (1997) 183-188
2. Proof of Theorem
185
1
Now we state an algorithm which reduces the problem SVPK to NVPK. Since the algorithm works inductively the input is given by an m-dimensional lattice A embedded in R”, where we assume m > 1. Otherwise it is trivial to compute a shortest nonzero lattice vector. The linear hull of A is denoted by lin(A). Procedure SVPKby_NVPK. Input: An m-dimensional lattice A generated by the basis b’ . . ..bmEQ”andanormfK(.)onIR”suchthat (2) is satisfied. Output: A shortest nonzero vector b of the lattice A with respect to fK( .>. (i) With respect to the Euclidean norm find an “almost” shortest nonzero lattice vector b* in the polar lattice A* = {z E lin(A)
1 (z, w) E Z, VW E A)
of A by calls of the subroutine AB(A*)
(ii)
(iv) (v) (vi)
vector b* E A* such that
> =$.
(5)
Findabasis6’,...,6mofAsuchthat (Et’,b*)=O,
(iii)
NVPK, i.e. find a primitive
l
and
(6”,b*)=l.
(6)
Let Hi = {x E lin(A) 1 (b*, x) = i}, i E Z. For 1 6 i < [2n312 . ml find a shortest lattice vector u”‘*~in the affine hyperplane Hi using the subroutine NVPK. Let u”’ be a lattice vector of minimal length among the vectors Ci. Find a shortest lattice vector u”*-l in the plane HO by applying the procedure SVPK_bylVVPK to the (m - 1 )-dimensional lattice An*-l generated by the vectors 6’) . . . , &“‘-I and the norm fK( .). Let b be the shorter one of u”’ and urn-‘. Then fK( b) = AK(A).
Proof of Theorem 1. Without loss of generality we may assume A C Z”. First we prove the correctness of the algorithm. Obviously, a shortest lattice vector of A is contained in Us Hi. It remains to show that it suffices to consider the planes Hi, 0 < i 6 [2r1~/~rn].By a result of Banaszczyk &(A). &(A*) < m. Since B c K by (2) we have &(A) 2 AK(A) and thus k(A)
[ l] (see also [ 21) we have
6 5. ABC/I*)
On account AK(A)
of (5) we obtain < 2n
(7)
fs(b*)'
On the other hand we have for each vector y E Hi that fs(y) J;(b)
b
’
&fib*)
> i/ fB( b*) and so (cf. (3))
’
Hence for i > [2n3i2 . ml the length of a shortest lattice vector in a plane Hi is greater than AK(A). In the sequel we show how the single steps of the algorithm can be done. , b” be an orthogonal basis of the orthogonal complement of lin( A). Such a basis can be Step(i):Letbmfl,... found in polynomial time via the Gram-Schmidt orthogonalization (cf. [ 51). Let B be the matrix with columns
186
M. Henk/lnformation Processing Letters 61 (1997) 183-188
b’, . . . , b”. Then the first m columns of the matrix (BT)-’ form a basis of A*. Let the columns of (BT)-’ be lattice generated by b'* , . . . , bm* , ubm+‘*, . . . , ab”* denoted by b’*, . . . , b”* and let 6* be the n-dimensional with 2n min{fs(bi*)
In what follows we construct
&(A*) >
fdb’*)
Im+l
(8)
+ 1. 1
a vector b* E A* \ (0) such that (5) holds with /i* instead of A*, i.e.
ql.
(9)
Then by the choice of CTwe will see that b* belongs to A* and thus the vector satisfies (5). Since the parallelepiped P* spanned by b'* , . . . , P , crbm+l*, . . . , c+b”* generates a lattice tiling with respect to A* the width w(P*) of P* is a lower bound for &(A*). Now w(P*)
=min{l/f~(b’),...,l/f~(b”),a/f~(bm”),...,a/fB(b”)}
and so &(A*)
> w(P)
With va = y/ 120 n
2 y :=min
l
1 ,jk;b’),
1
1
we obtain for 1 < i 6 n (cf. (4))
fdvoel) = vo 6
&(A*) < M/i*) 2J4;
,
-.
(10)
2
Thus the vectors vce’ belong to the honeycomb HK( A*) (cf. ( 1)) and the origin is the unique nearest lattice vector to vee’. Moreover for VI = CE, [f~ (b’*) + C~=m+l [_f~(ab~*)] we obtain (cf. [ 61) frr(vlei)
=VI > i(efK(@)
+ 2
fiK(gbi*))
2 OK.
(11)
i=m+ 1
i=l
Hence the vectors viei are not contained in HK(/~*). On account of (1) and since HK(/~*) is a ray set the output of the subroutine NVPK with input A and ve’ is a nonzero lattice vector for v 2 ~1. So by applying the subroutine NVPK to the sequence of points 2’vae’, k = 0,. . ., we can find after at most [log, (~1) - log2 (~a)] calls of NVPK a positive scalar ei with vc < ei 6 vt and a nonzero lattice vector ui* such that eiei E HK( ;i*)
and
2aiei E ui* + HK( 6*).
The last relation implies fK( 2eiei - ui* ) < fK( 2eie’) and thus f~( ui* ) < 4&i. Now let &k= min{si 1 1 < i 6 n} and let b* = vk*. In the sequel we show that b* satisfies (9). For abbreviation we write E instead of &k. On account of (3) we get fs(b*)
6 4+
HK( /I”*) is a centrally fB(ce’)
(12) symmetric
= E = fK(ee’)
< fK(ee’
ray set and thus fs -u*>
< fs(ae’
. ei E HK( A*>. Hence (cf. (4) ) - u*)
(13)
for all lattice vectors U* E /i*. That means that the vectors fee’, 1 < i < n, are contained in the honeycomb HB(/I*)which is a convex set. So the width of the cross polytope with vertices fs . ei is a lower bound for As(j’*):
hf. HenkIlnformation Processing Letters 61 (1997) 183-188
Together with (12)
we obtain
Now suppose b* $ A*. Then by the definition
fs(b*)
187
> cmin{fs(bi*)
1I+
1
of 2
and (+ we have
> 2nfs(b’*)
3 2n.&(/i*)
which contradicts the choice of b*. Obviously, we may assume that b’ is primitive. Step (ii) : In order to find a basis of A such that (6) is satisfied we first construct a basis b’* , , . . , gm* of A* containing b*. Furthermore, without loss of generality we may assume that the matrix M with columns , bm* has rank m. Let A be the integer (m x m)-matrix such that M = B* . A, where B* is the b*,b2*,... matrix with columns b'* , . . . , b"* . It is well known that the Hermite normal form of a A can be computed in polynomial time (cf. [4], [ 81 or [ 101) and thus we can find an unimodular matrix U and an integer upper triangle matrix T with A = (I. T. Hence M = (B* . U) . T and the columns A’*, . . . , @‘* of B* . U form a basis of A*. Since b* is primitive b* is the first column vector of B* . U. Now, let b*+‘*, . . . , b”* be an orthogonal basis of the orthogonal complement of lin( A) and B* be the matrix with columns g1 , . . . , grn*, bmfl*, . . . , b"* . Then the first m columns of (BT) -’ form a basis of A such that (6) is satisfied. Step (iii): Obviously, Hi fl A = {x E A 1x = ~~~’ ZjP + ihm}. Hence, for i 2 1 the shortest vector problem in the plane Hi is the task to find a lattice vector of Am-’ which is nearest to -iti. That can be done by applying the procedure NVPK to the input vector -ibm and a suitable n-dimensional lattice A. For example, let gnt,..., g” be an orthogonal basis of the orthogonal complement of lin( Am-l ) and let l
x = [2&l
[2n312 f ml
.fB(b”> min{_fB(gj) 11726 j < n} 1
+1
We claim that a nearest lattice vector of the lattice A generated by i’, . . . , hm-‘, xg”, . . . , ,&’ to -ib”’ belongs to A”?- l. Suppose the opposite and let zl b’+. . .+~,,-lb”*-~ +zmx8m+*. . + z,,,& be a nearest lattice vector to -ib”’ with some zj # 0, say zn, form < j < n. Then f~(zlbl+...+z,-~bm-‘+z,,xgt+.~.+z,x~-ibm) < if,y (b”‘) and on account of (3) we get
IZnIXfBW)_
ifK(bm)
J;; < f~(zlbl+.~.+z,-lbm-l \
+z,n,yg”‘+...+z,,yg”)
- ifdbm)
Jr;
~f~(~~b~+~~~+z~_~b~-~+z,xg’+~~~+z,,,yg’-ib”’)
w h’ic h contradicts the choice of x. It followsx < 2fiifB(bm)/fB(g”) < [2fl[2r~~/~.rn] .f~(b”)/.f~(g”) To analyze the encoding length of the numbers arising in the procedure let (A) be the input size of the algorithm and let A’ be the i-dimensional lattice constructed in the (m - i)th call of the procedure SVPK-by_NVPK. Furthermore, let b*l be the “almost” shortest lattice vector of the appropriate dual lattices A*; constructed in step (i). Then det(Aj-‘) = det(Aj)fs( b*J) and by (5) and Minkowski’s convex body theorem (cf. [51) det(Aj-‘)
= det(Aj)fs(b*‘)
6 det(Aj)2nhs(A*j)
< det(Aj)2n&det(A*J)“j
< det(Aj)2n.
&.
So det(Ai-‘) < det(A”*)(2n) 2m Before we call the procedure SVPK_byNVPK and obtain a basis cl, . . . ,d E in of /li with (cf. [5])
we can make an LLL-reduction
M. HenkIlnformation Processing Letters 61 (1997) 183-188
188 fB(cl)
. ..fs(cJ)
6
.2
25 det(AJ).
Hence, for each vector cj we have the bound fn(c’)
< 2mZ(2n)2”det(Am).
This implies that we can always find a basis of the lattice /li whose input size is bounded by 0( (A)3). Finally, it is easy to check that the numbers arising in the steps (i)-(iv) of the procedure SVPK_by_NVPK are bounded by a polynomial in the input size of the given basis at the beginning of the execution of the steps (i)-(iv) (cf. [5]). 0
3. Remarks The crucial point for the special choice of the norms given by (2) is relation ( 13). For example, if f~(.) is the l-norm, i.e., K is the cross polytope with edge length fi then, in general, it is not true that fK ( eei - U*) < fs ( eei - u*) . Hence we do not know whether fee’, 1 < i < n, are contained in Hn (/i*) and we can not show that b* is an “almost” shortest lattice vector as required in step (i) (cf. proof of Theorem 1) . On the other hand if K is an arbitrary centrally symmetric convex body and if we have oracles solving NVPK and NVPn, then SVPK can be solved in oracle polynomial time, because by the subroutine solving NVPB we can easily find such an “almost” shortest lattice vector. However, we believe that SVPK is polynomial reducible to NVPK at least for any p-norm. The above algorithm works also for any norm fz( .) for which an affine transformation L exists such that B c LE c C because fLz(x) = fR(L-‘x). Finally, we remark that in the Euclidean case the problem to find a Korkin-Zolotarev reduced basis of a lattice is polynomial reducible to the shortest lattice vector problem SVPB (cf. [ 93 ) . By Theorem 1 we obtain that this problem can also be reduced to NVPs in polynomial time.
References [ 1] W. Banaszczyk, New bounds in some transference theorems in the geometry of numbers, Math. Ann. 296 (4) ( 1993) 625-635. [ 21 J. Boutgain and V.D. Milman, Sections euclidiennes et volume des corps symetriques convexes dans Iw”, C.R. Acad. Sci. Paris Se+. I Math. 300 (1985) 435-438. [ 31 F? van Emde Boas, Another NP-complete partition problem and the complexity of computing short vectors in a lattice, Rept. 81-04, Mathematical Institute, University of Amsterdam, 198 1. [4] M.A. Frumkin, An algorithm for the reduction of a matrix of integers to triangular form with power complexity of the computations, ,!?konomika i Matematicheskie Metody 2 (1976) 173-178 (in Russian). [ 51 M. Grotschel, L. Lovasz and A. Schrijver, Geometric Algorithms and Combinatorial Optimization (Springer, Berlin, 1988). [6] PM. Gruber and C.G. Lekkerkerker, Geometry of Numbers (North-Holland, Amsterdam, 2nd ed., 1987). [7] R. Kannan, Minkowski’s convex body theorem ad integer programming, Math. Oper. Res. 12 (3) (1987) 415440. [ 81 R. Kannan and A. Bachem, Polynomial algorithms for computing the Smith and Hermite normal forms of an integer matrix, SIAM J. Compur. 8 (1979) 499-507. [9] L. Lovdsz, An Algorithmic Theory of Numbers, Graphs and Convexity, CBMS-NSF Regional Conference Series in Applied Mathematics, Vol. 50 (SIAM, Philadelphia, PA, 1986). [ lo] M. Pohst and H. Zassenhaus, Algorithmic Algebraic Number Theory (Cambridge University Press, Cambridge, MA, 1989).