1 Introduction

Define the rotational shift operator on \({\mathbb {R}}^N,\, N \ge 2\), by

$$\begin{aligned} \mathrm{rot }(x_1,x_2,\ldots ,x_{N-1},x_N) = (x_N, x_1,x_2,\ldots ,x_{N-1}) \end{aligned}$$

for every \({\varvec{x}}= (x_1,x_2,\ldots ,x_{N-1},x_N) \in {\mathbb {R}}^N\). We will write \(\mathrm{rot }^k\) for iterated application of \(\mathrm{rot }\,k\) times for each \(k \in {\mathbb {Z}}_{>0}\) (then \(\mathrm{rot }^0\) is just the identity map, and \(\mathrm{rot }^k = \mathrm{rot }^{N+k}\)). It is also easy to see that \(\mathrm{rot }\) (and hence each iteration \(\mathrm{rot }^k\)) is a linear operator. A sublattice \(\Gamma \) of \({\mathbb {Z}}^N\) is called cyclic if \(\mathrm{rot }(\Gamma ) = \Gamma \), i.e. if for every \({\varvec{x}}\in \Gamma \), \(\mathrm{rot }({\varvec{x}}) \in \Gamma \). Clearly, \({\mathbb {Z}}^N\) itself is a cyclic lattice. In fact, cyclic lattices come from ideals in the quotient polynomial ring \({\mathbb {Z}}[x]/(x^N -1)\). Let \(p(x) \in {\mathbb {Z}}[x]/(x^N -1)\), then \(p(x) = \sum _{n=0}^{N-1} a_n x^n\) for some \(a_0,\ldots ,a_{N-1} \in {\mathbb {Z}}\). Define a \({\mathbb {Z}}\)-module isomorphism \(\rho : {\mathbb {Z}}[x]/(x^N -1) \rightarrow {\mathbb {Z}}^N\) given by

$$\begin{aligned} \rho (p(x)) = (a_0,\ldots ,a_{N-1}) \in {\mathbb {Z}}^N, \end{aligned}$$

then for any ideal \(I \subseteq {\mathbb {Z}}[x]/(x^N -1),\,\Gamma _I := \rho (I)\) is a sublattice of \({\mathbb {Z}}^N\). Notice that for every \(p(x) = \sum _{n=0}^{N-1} a_n x^n \in I\),

$$\begin{aligned} xp(x) = a_{N-1} + a_0x + a_1x^2 + \cdots + a_{N-2}x^{N-1} \in I, \end{aligned}$$

and so

$$\begin{aligned} \rho (xp(x)) = (a_{N-1},a_0,a_1,\ldots ,a_{N-2}) = \mathrm{rot }(\rho (p(x))) \in \Gamma _I, \end{aligned}$$

and for any \((a_0,\ldots ,a_{N-1}) \in \Gamma _I\),

$$\begin{aligned} \mathrm{rot }(a_0,\ldots ,a_{N-1}) = \rho \Big ( x \sum _{n=0}^{N-1} a_n x^n \Big ) \in \Gamma _I, \end{aligned}$$

since \(x \sum _{n=0}^{N-1} a_n x^n \in I\). In other words, \(\Gamma \subseteq {\mathbb {Z}}^N\) is a cyclic lattice if and only if \(\Gamma = \Gamma _I\) for some ideal \(I \subseteq {\mathbb {Z}}[x]/(x^N -1)\). Cyclic lattices were introduced by Micciancio in [16, 17] in the context of cryptographic algorithms and were further studied in [12, 19], among other sources. In fact, cyclic lattices are used in the well known NTRU cryptosystem [9, 10] (also see, for instance [22, 23] for some details) and are further discussed in the context of post-quantum cryptography [3].

On the other hand, given a lattice \(\Gamma \subset {\mathbb {R}}^N\) of rank \(r\), we define its successive minima by

$$\begin{aligned} \lambda _i = \lambda _i(\Gamma ) := \inf \{ \lambda \in {\mathbb {R}}_{>0} : \Gamma \cap \lambda B_N \text { contains } i \text { linearly independent vectors} \}, \end{aligned}$$

where \(B_N\) is a unit ball centered at the origin in \({\mathbb {R}}^N\), and so

$$\begin{aligned} 0 < \lambda _1 \le \cdots \le \lambda _r. \end{aligned}$$

Let us write \(\Vert \ \Vert \) for the usual Euclidean norm on \({\mathbb {R}}^N\). There exists a collection of linearly independent vectors \({\varvec{x}}_1,\ldots ,{\varvec{x}}_r\) in \(\Gamma \) such that \(\Vert {\varvec{x}}_i\Vert = \lambda _i\) for each \(1 \le i \le r\); we will refer to them as vectors corresponding to successive minima. When \(r \le 4\), there exists a basis for \(\Gamma \) consisting of vectors corresponding to successive minima, which is a Minkowski reduced basis for \(\Gamma \); this is not necessarily true for \(r \ge 5\) (see for instance [20]), but there are many lattices in higher dimensions as well for which it is true. Notice also that \(\lambda _1\) is the minimal norm of nonzero vectors in \(\Gamma \) and define the set of minimal vectors

$$\begin{aligned} S(\Gamma ) = \{ {\varvec{x}}\in \Gamma : \Vert {\varvec{x}}\Vert = \lambda _1 \}. \end{aligned}$$

The lattice \(\Gamma \) is called well-rounded (abbreviated WR) if \(\lambda _1 = \cdots = \lambda _r\), which is equivalent to saying that \(S(\Gamma )\) spans a subspace of \({\mathbb {R}}^N\) of dimension \(r\). WR lattices are important in discrete optimization, in particular in the investigation of sphere packing, sphere covering, and kissing number problems (see [14]), as well as in coding theory (see [1]). Properties of WR lattices have also been investigated in [15] in connection with Minkowski’s conjecture and in [8] in connection with the linear Diophantine problem of Frobenius.

Lattice-based cryptographic algorithms heavily rely on the fact that the problem of finding \(\lambda _1(\Gamma )\) given an arbitrary basis matrix for \(\Gamma \) is NP-hard. For most lattices, the problem of finding all successive minima is strictly harder, however if the lattice is WR then the two problems are the same. On the other hand, the set of WR lattices has measure zero in the space of all lattices in a given dimension \(N\). The advantage of using cyclic lattices is that many of them can be constructed from a single vector (using its rotations), and hence the size of the input for a basis matrix of the lattice reduces from \(N^2\) to \(N\). While it is not clear whether the problem of finding \(\lambda _1(\Gamma )\) still remains NP-hard, there are reasons to expect that for many cyclic lattices this problem is the same as that of finding all successive minima, i.e. many cyclic lattices are WR. In particular, in [19] the authors proved that in prime dimensions \(N\), the shortest independent vectors problem SIVP on cyclic lattices reduces to (a slight variant of) the shortest vector problem SVP by a polynomial-time algorithm with only a factor of 2 loss in approximation factor (compare to the factor of \(\sqrt{N}\) loss on general lattices; see Figure 1 on p. 140 of [18]). Our main result asserts that in all dimensions \(N\), the problem of finding the first successive minimum is equivalent to the problem of finding all successive minima for a positive proportion of cyclic lattices. More specifically, let \({\mathcal {C}}_N\) be the set of full-rank cyclic sublattices of \({\mathbb {Z}}^N\). In this paper we discuss some geometric properties of lattices from \({\mathcal {C}}_N\), in particular establishing the following result.

Theorem 1.1

Let \(R \in {\mathbb {R}}_{> 0}\), then there exists a constant \(0 < \varepsilon (N) \le 1\) depending only on dimension \(N\) such that

$$\begin{aligned} \liminf _{R \rightarrow \infty } \dfrac{\# \{ \Gamma \in {\mathcal {C}}_N: \lambda _N(\Gamma ) \le R,\ \Gamma \mathrm {\,is\,WR} \}}{\# \{ \Gamma \in {\mathcal {C}}_N: \lambda _N(\Gamma ) \le R \}} \ge \varepsilon (N). \end{aligned}$$
(1)

In other words, Theorem 1.1 asserts that WR lattices comprise a positive proportion of lattices in \({\mathcal {C}}_N\), which is certainly not true among all sublattices of \({\mathbb {Z}}^N\). When \(N=2\) a more direct argument can be applied to obtain stronger results.

Theorem 1.2

Let \(R \in {\mathbb {R}}_{> 0}\), then

$$\begin{aligned} 0.261386\ldots&\le \liminf _{R \rightarrow \infty } \frac{\# \{ \Gamma \in {\mathcal {C}}_2 : \lambda _2(\Gamma ) \le R,\ \Gamma \mathrm {\,is\,WR} \}}{\# \{ \Gamma \in {\mathcal {C}}_2 : \lambda _2(\Gamma ) \le R \}} \nonumber \\&\le \limsup _{R \rightarrow \infty } \frac{\# \{ \Gamma \in {\mathcal {C}}_2 : \lambda _2(\Gamma ) \le R,\ \Gamma \mathrm {\,is\,WR} \}}{\# \{ \Gamma \in {\mathcal {C}}_2 : \lambda _2(\Gamma ) \le R \}} \le 0.348652\ldots \end{aligned}$$
(2)

The paper is organized as follows. In Sect. 2 we establish some preliminary results on distribution properties of cyclic lattices. We obtain an upper bound on the number of cyclic lattices with bounded successive minima in Sect. 3. In Sect. 4 we give a lower bound on the number of WR cyclic lattices with bounded successive minima, and then use the two bounds to prove Theorem 1.1. Among WR cyclic lattices spanned by their shortest vectors, we specifically focus on those that are in fact spanned by rotations of a single shortest vector: for many such lattices all rotations of any shortest vector are linearly independent, and hence SIVP on these lattices is solved by taking a solution to SVP and all of its rotations. This observation along with our estimates implies that SVP is in fact equivalent to the SIVP for a positive proportion of cyclic lattices in every dimension \(N\) (see Remark 4.4 for details). In fact, we can demonstrate explicit constructions of cyclic WR lattices in every dimension on which this equivalence holds (see Corollary 4.5 and Remark 4.5). We then prove Theorem 1.2 in Sect. 5. Here we follow the tactic of Sect. 4, but make the estimates more precise in dimension 2.

In Sect. 6 we extend our results to a more general class of lattices. Specifically, let \(S_N\) be the group of permutations on \(N \ge 2\) elements. We can define an action of \(S_N\) on \({\mathbb {R}}^N\) by

$$\begin{aligned} \tau {\varvec{x}}= \left( \begin{array}{c} x_{\tau (1)} \\ \vdots \\ x_{\tau (N)} \end{array}\right) \end{aligned}$$
(3)

for each \(\tau \in S_N\) and \({\varvec{x}}= (x_1,\ldots ,x_N)^t \in {\mathbb {R}}^N\). We say that a lattice \(\Lambda \subset {\mathbb {R}}^N\) is \(\tau \)-invariant (or invariant under \(\tau \)) for a fixed \(\tau \in S_N\) if \(\tau \Lambda = \Lambda \). In particular, cyclic lattices are precisely the full-rank sublattices of \({\mathbb {Z}}^N\) invariant under the \(N\)-cycle \((1\ 2\ldots N)\). The following statement about lattices invariant under arbitrary \(N\)-cycles follows from our Theorem 1.1.

Corollary 1.3

Let \(N \ge 2\), let \(\tau \in S_N\) be an \(N\)-cycle, and let \({\mathcal {C}}_N(\tau )\) be the set of all \(\tau \)-invariant full-rank sublattices of \({\mathbb {Z}}^N\). Then

$$\begin{aligned} \liminf _{R \rightarrow \infty } \frac{\# \{ \Gamma \in {\mathcal {C}}_N(\tau ) : \lambda _N(\Gamma ) \le R,\ \Gamma \mathrm {\,is\,WR} \}}{\# \{ \Gamma \in {\mathcal {C}}_N(\tau ) : \lambda _N(\Gamma ) \le R \}} \ge \varepsilon (N) \end{aligned}$$

for the same value of \(\varepsilon (N)\) as in (1).

We prove Corollary 1.3 in Sect. 6 and conclude with some further questions about more general permutation invariant lattices. We are now ready to proceed.

2 Basic Properties of Cyclic Lattices

Let \({\mathcal {G}}_N\) be the set of full-rank cyclic sublattices of \({\mathbb {Z}}^N\) spanned by vectors corresponding to their successive minima (when \(N \le 4,\, {\mathcal {G}}_N = {\mathcal {C}}_N\)). In this section we start out by looking at the cyclic lattices generated by rotations of a single vector. Notice that for every \({\varvec{a}}\in {\mathbb {Z}}^N,\, \Vert {\varvec{a}}\Vert = \Vert \mathrm{rot }({\varvec{a}})\Vert \), therefore if \(\Gamma \subseteq {\mathbb {Z}}^N\) is a cyclic lattice and \({\varvec{a}}\in S(\Gamma )\), then \(\mathrm{rot }^n({\varvec{a}}) \in S(\Gamma )\) for every \(1 \le n \le N-1\) (clearly \(\mathrm{rot }^N({\varvec{a}}) = {\varvec{a}}\)). Therefore cyclic lattices have large sets of minimal vectors, and so it is natural to expect that they are WR fairly often. In fact, it is clear that if \({\varvec{a}}\in S(\Gamma )\) and \({\varvec{a}},\mathrm{rot }({\varvec{a}}),\ldots ,\mathrm{rot }^{N-1}({\varvec{a}})\) are linearly independent, then \(\Gamma \) is WR. To state our first observation in this direction, we need some more notation.

Let \({\varvec{a}}= (a_0,\ldots ,a_{N-1})^t \in {\mathbb {R}}^N\), and define \({\varvec{a}}(x) = \sum _{n=0}^{N-1} a_n x^n\) to be the polynomial of degree \( \le N-1\) in \(x\) whose coefficient vector is \({\varvec{a}}\). Let also

$$\begin{aligned} M({\varvec{a}}) = ({\varvec{a}}\ \mathrm{rot }({\varvec{a}})\ \ldots \ \mathrm{rot }^{N-1}({\varvec{a}})) \end{aligned}$$

be an \(N \times N\) matrix. Consider the lattice

$$\begin{aligned} \Lambda ({\varvec{a}}) = \mathrm{span }_{{\mathbb {Z}}} \{ {\varvec{a}}, \mathrm{rot }({\varvec{a}}), \ldots , \mathrm{rot }^{N-1}({\varvec{a}}) \} = M({\varvec{a}}) {\mathbb {Z}}^N, \end{aligned}$$

and define the cyclic order of \({\varvec{a}}\), denoted \(\mathrm{co }({\varvec{a}})\), to be the rank of \(\Lambda ({\varvec{a}})\). This means that precisely \(\mathrm{co }({\varvec{a}})\) of the vectors \({\varvec{a}}, \mathrm{rot }({\varvec{a}}), \ldots , \mathrm{rot }^{N-1}({\varvec{a}})\) are linearly independent, and so \(M({\varvec{a}})\) is a matrix of rank \(\mathrm{co }({\varvec{a}})\). While not every \(\Lambda ({\varvec{a}})\) is necessarily generated by the vectors corresponding to its successive minima, lattices of the form \(\Lambda ({\varvec{a}})\) for \({\varvec{a}}\in {\mathbb {Z}}^N\) are very common among cyclic lattices.

Lemma 2.1

The vectors \({\varvec{a}},\mathrm{rot }({\varvec{a}}),\ldots ,\mathrm{rot }^{N-1}({\varvec{a}}) \in {\mathbb {Z}}^N\) are linearly independent if and only if the polynomial \({\varvec{a}}(x)\) does not have any common factors with \(x^N-1\).

Proof

In this case \(M({\varvec{a}})\) is an \(N \times N\) circulant matrix corresponding to a vector \({\varvec{a}}\in {\mathbb {Z}}^N\). It is a well-known fact (see for instance [24]) that

$$\begin{aligned} \mathrm{det }(M({\varvec{a}})) = \prod _{n=0}^{N-1} {\varvec{a}}(\omega _j), \end{aligned}$$

where \(\omega _j = e^{{2\pi ij}/{N}}\) is an \(N\)-th root of unity. Hence \(\mathrm{det }(M({\varvec{a}})) = 0\) if and only if \({\varvec{a}}(\omega _j) = 0\) for some \(0 \le j \le N-1\), which happens if and only if \({\varvec{a}}(x)\) is divisible by the minimal polynomial of \(\omega _j\) – that is, by some cyclotomic polynomial dividing \(x^N-1\).\(\square \)

Remark 2.1

An immediate consequence of Lemma 2.1 is that when \(N\) is prime, the vectors \({\varvec{a}},\mathrm{rot }({\varvec{a}}),\ldots ,\mathrm{rot }^{N-1}({\varvec{a}}) \in {\mathbb {Z}}^N\) are linearly independent if and only if \({\varvec{a}}(x)\) is not a multiple of \(x-1\) or \(\sum _{n=0}^{N-1} x^n\). See Section 2 of [19] for further results of this kind.

Let

$$\begin{aligned} C_R^N = \{ {\varvec{x}}\in {\mathbb {R}}^N : |{\varvec{x}}| := \max \{|x_1|,\ldots ,|x_N|\} \le R \} \end{aligned}$$

for every \(R \in {\mathbb {R}}_{>0}\), i.e., \(C_R^N\) is a cube of side-length \(2R\) centered at the origin in \({\mathbb {R}}^N\). Recall that \(d\)-th cyclotomic polynomial \(\Phi _d(x)\) divides \(x^N-1\) if and only if \(d\) is a divisor of \(N\). For each divisor \(d\) of \(N\), define the \(d\)-th cyclotomic subspace to be

$$\begin{aligned} H_{\Phi _d} = \{ {\varvec{a}}\in {\mathbb {R}}^N : \Phi _d(x) \text { divides } {\varvec{a}}(x) \text { in } {\mathbb {R}}[x] \}. \end{aligned}$$
(4)

By Lemmas 2.3 and 2.4 of [19], \(H_{\Phi _d}\) is a subspace of \({\mathbb {R}}^N\) of dimension

$$\begin{aligned} \mathrm{dim }_{{\mathbb {R}}} (H_{\Phi _d}) = N-\deg (\Phi _d) = N-\varphi (d), \end{aligned}$$

where \(\varphi \) is Euler’s \(\varphi \)-function. Then \(\Lambda _{\Phi _d} := H_{\Phi _d} \cap {\mathbb {Z}}^N\) is a sublattice of \({\mathbb {Z}}^N\) of rank \(N-\varphi (d)\). Therefore

$$\begin{aligned} \Big | C_R^N \cap \Big ( {\mathbb {Z}}^N {\setminus } \bigcup _{d \mid N} \Lambda _{\Phi _d} \Big ) \Big |&= \big | C_R^N \cap {\mathbb {Z}}^N \big | - \sum _{d \mid N} \big | C_R^N \cap \Lambda _{\Phi _d} \big | \nonumber \\&\ge \big | C_R^N \cap {\mathbb {Z}}^N \big | - \sum _{d \mid N} \big | C_R^{N-\varphi (d)} \cap {\mathbb {Z}}^{N-\varphi (d)} \big | \nonumber \\&\ge \big | C_R^N \cap {\mathbb {Z}}^N \big | - \big | C_R^{N-1} \cap {\mathbb {Z}}^{N-1} \big | \sum _{d \mid N} \varphi (d) \nonumber \\&= (2R+1)^N - N(2R+1)^{N-1} \nonumber \\&= (2R+1-N)(2R+1)^{N-1}. \end{aligned}$$
(5)

The lattice \(\Lambda ({\varvec{a}}) \subseteq {\mathbb {Z}}^N\) has rank \(N\) if and only if the vectors \({\varvec{a}},\mathrm{rot }({\varvec{a}}),\ldots ,\mathrm{rot }^{N-1}({\varvec{a}})\) are linearly independent, which happens if and only if the polynomial \({\varvec{a}}(x)\) is not divisible by any cyclotomic polynomial \(\Phi _d(x)\) for any \(d \mid N\), by Lemma 2.1. How often does this happen?

Lemma 2.2

Let \(R > \frac{N-1}{2}\), then

$$\begin{aligned} \mathrm{Prob }_{\infty ,R} \big ( \mathrm{rk }(\Lambda ({\varvec{a}})) = N \big ) \ge 1 - \frac{N}{2R+1}, \end{aligned}$$
(6)

where probability \(\mathrm{Prob }_{\infty ,R}( \cdot )\) is with respect to the uniform distribution among all points \({\varvec{a}}\) in the set \(C_R^N \cap {\mathbb {Z}}^N\).

Proof

By Lemma 2.1,

$$\begin{aligned} \mathrm{Prob }_{\infty ,R} \big ( \mathrm{rk }(\Lambda ({\varvec{a}})) = N \big ) = \frac{\big | C_R^N \cap \big ( {\mathbb {Z}}^N {\setminus } \bigcup _{d \mid N} \Lambda _{\Phi _d} \big ) \big |}{\big | C_R^N \cap {\mathbb {Z}}^N \big |}, \end{aligned}$$

and the statement of the lemma follows by (5) combined with the observation that \(\big | C_R^N \cap {\mathbb {Z}}^N \big | = (2R+1)^N\).\(\square \)

3 Counting Cyclic Lattices

In this section we produce a counting estimate for the number of cyclic lattices with bounded successive minima as the bound tends to infinity. Recall that \({\mathcal {C}}_N\) is the set of all cyclic full-rank sublattices of \({\mathbb {Z}}^N\), and for each \(R \in {\mathbb {R}}_{>0}\) define

$$\begin{aligned} {\mathcal {C}}_N(R) = \{ \Gamma \in {\mathcal {C}}_N : \lambda _N(\Gamma ) \le R \}. \end{aligned}$$

We establish the following result.

Proposition 3.1

As \(R \rightarrow \infty \),

$$\begin{aligned} |{\mathcal {C}}_N(R)| \le O(R^N), \end{aligned}$$

where the constant in \(O\)-notation depends only on \(N\).

To prove this proposition, we represent \({\mathcal {C}}_N\) as a union of two disjoint subsets: \({\mathcal {C}}_N = {\mathcal {C}}^1_N \sqcup {\mathcal {C}}^2_N\), where

$$\begin{aligned} {\mathcal {C}}^1_N = \{ \Gamma \in {\mathcal {C}}_N : \Gamma = \Lambda ({\varvec{a}}) \text { for some } {\varvec{a}}\in {\mathbb {Z}}^N \}, \end{aligned}$$

and \({\mathcal {C}}^2_N = {\mathcal {C}}_N {\setminus } {\mathcal {C}}^1_N\). To produce an estimate on \({\mathcal {C}}_N(R)\), we give upper bounds on \({\mathcal {C}}^1_N(R),\, {\mathcal {C}}^2_N(R)\) and add them together.

Lemma 3.2

As \(R \rightarrow \infty \),

$$\begin{aligned} |{\mathcal {C}}^1_N(R)| \le O(R^N), \end{aligned}$$

where the constant in \(O\)-notation depends only on \(N\).

Proof

Suppose \(\Gamma \in {\mathcal {C}}^1_N\) is equal to \(\Lambda ({\varvec{a}})\) for some \({\varvec{a}}\in {\mathbb {Z}}^N\), then

$$\begin{aligned} {\varvec{a}},\mathrm{rot }({\varvec{a}}),\ldots ,\mathrm{rot }^{N-1}({\varvec{a}}) \in \Gamma \end{aligned}$$

are linearly independent vectors, and so \(\lambda _N(\Gamma ) \le \Vert {\varvec{a}}\Vert \). Conversely, if \(\Gamma \in {\mathcal {C}}^1_N\) satisfies \(\lambda _N(\Gamma ) \le R\), then \(\Gamma = \Lambda ({\varvec{a}})\) for some \({\varvec{a}}\in {\mathbb {Z}}^N\) with \(\Vert {\varvec{a}}\Vert \le R\). Therefore

$$\begin{aligned} |{\mathcal {C}}^1_N(R)| \le |B_N(R) \cap {\mathbb {Z}}^N|, \end{aligned}$$

where \(B_N(R)\) is the ball of radius \(R\) centered at the origin in \({\mathbb {R}}^N\). The result then follows by Theorem 2 on p. 128 of [11].\(\square \)

Let us write \(Z = {\mathbb {Z}}[x]/(x^N-1)\), and define

$$\begin{aligned} {\mathcal {I}}_Z = \{ I \subseteq Z : |Z/I| < \infty ,\ \Phi _d(x) Z \subseteq I \text { for some } d \mid N \}, \end{aligned}$$

that is \({\mathcal {I}}_Z\) is the set of all full-rank ideals in the ring \(Z\) containing an ideal generated by some cyclotomic factor of \(x^N-1\). Then \(\Gamma \in {\mathcal {C}}^2_N\) if and only if \(\Gamma = \rho (I)\) for some \(I \in {\mathcal {I}}_Z\), in which case \(|Z/I| = \mathrm{det }(\Gamma )\). For each \(T \in {\mathbb {Z}}_{>0}\), define

$$\begin{aligned} {\mathcal {I}}_Z(T) = \{ I \in {\mathcal {I}}_Z : |Z/I| \le T \}. \end{aligned}$$

By Minkowski Successive Minima Theorem (see, for instance Theorem 2.6.8 on p. 50 of [14]),

$$\begin{aligned} \mathrm{det }(\Gamma ) \le O(\lambda _N(\Gamma )^N). \end{aligned}$$

Suppose now that \(\Gamma \in {\mathcal {C}}^2_N(R)\), then \(\lambda _N(\Gamma ) \le R\), and so \(\rho ^{-1}(\Gamma ) \in {\mathcal {I}}_Z(t_N R^N)\) for some dimensional constant \(t_N\). Therefore

$$\begin{aligned} |{\mathcal {C}}^2_N(R)| \le | {\mathcal {I}}_Z(t_N R^N)|. \end{aligned}$$
(7)

Lemma 3.3

As \(T \rightarrow \infty \),

$$\begin{aligned} |{\mathcal {I}}_Z(T)| \le O(T). \end{aligned}$$

Proof

Let us write \(\{d_1,\ldots ,d_k\}\) for the set of all divisors of \(N\). For each \(1 \le i \le k\) define \(Z_i = {\mathbb {Z}}[x]/< \Phi _{d_i}(x) >\), and let \(\phi _i : Z \rightarrow Z_i\) be the standard reduction modulo \(\Phi _{d_i}(x)\) map, i.e. for each \(h(x) \in Z\), \(\phi _i(h(x)) = h(x)\ (\mathrm{mod }\Phi _{d_i}(x))\). Then \(\phi _i\) is a surjective ring homomorphism with \(\mathrm{Ker }(\phi _i) = \Phi _{d_i}(x) Z\).

Let \(I \in {\mathcal {I}}_Z(T)\), then \(\Phi _{d_i}(x) Z \subseteq I\) for some \(1 \le i \le k\). Then the Third Isomorphism Theorem (see, for instance Theorem 8 on p. 246 of [7]) guarantees that \(Z/I \cong Z_i/\phi _i(I)\), and so

$$\begin{aligned} |Z_i/\phi _i(I)| = |Z/I| \le T. \end{aligned}$$

In other words, since all ideals of \(Z_i\) are images of ideals of \(Z\) under \(\phi _i\), the map \(\phi _i\) carries the set \({\mathcal {I}}_Z(T)\) onto the set \({\mathcal {I}}_{Z_i}(T)\) for each positive integer \(T\). On the other hand, it is possible that images of two distinct ideals \(I\) and \(J\) in \(Z\) are the same in \(Z_i\), i.e. \(\Phi _{d_i}(x) \mid I - J\). Hence \(I\) and \(J\) are the same in \(Z_i\) for every \(1 \le i \le k\) if and only if \(x^N-1 = \Phi _{d_1}(x) \cdots \Phi _{d_k}(x) \mid I - J\), which happens if and only if \(I\) and \(J\) are the same in \(Z\). Therefore

$$\begin{aligned} |{\mathcal {I}}_Z(T)| \le \sum _{i=1}^k |{\mathcal {I}}_{Z_i}(T)|. \end{aligned}$$

It is known (Lemma 3 of [12]) that every ideal of each \(Z_i\) has full rank. Furthermore, by Theorem 2 of [4], \(|{\mathcal {I}}_{Z_i}(T)| \le O(T)\) for each \(i\). The result follows.\(\square \)

Proof of Proposition 3.1

The result follows by combining Lemmas 3.2 and 3.3 with (7).\(\square \)

4 General Cyclic Lattices

The main goal of this section is to prove Theorem 1.1. Recall that \({\mathcal {C}}_N\) is the set of all cyclic full-rank sublattices of \({\mathbb {Z}}^N\), while \({\mathcal {G}}_N \subset {\mathcal {C}}_N\) is the subset consisting of all lattices in \({\mathcal {C}}_N\) which are spanned by the vectors corresponding to successive minima. Naturally, every lattice \(\Gamma \in {\mathcal {C}}_N\) has a sublattice \(\Gamma _1 \in {\mathcal {G}}_N\) which is spanned by the vectors corresponding to successive minima of \(\Gamma \); it is called a Minkowskian sublattice of \(\Gamma \). While Minkowskian sublattice may not be unique, there can only be finitely many of them, where an upper bound on this number depends only on \(N\). On the other hand, the index \(|\Gamma : \Gamma _1|\) of a Minkowskian sublattice is also bounded above by a constant depending only on \(N\), and hence a given lattice in \({\mathcal {G}}_N\) can be a Minkowskian sublattice for only finitely many lattices in \({\mathcal {C}}_N\) (see [13] and subsequent works of J. Martinet and his co-authors for more information on the index of Minkowskian sublattices). This means that a positive proportion of lattices in \({\mathcal {C}}_N\) is WR if and only if a positive proportion of lattices in \({\mathcal {G}}_N\) is WR. Here we will construct large families of WR lattices in \({\mathcal {G}}_N\).

For a subspace \(V \subseteq {\mathbb {R}}^N\) which is closed under the rotational shift operator, define the set

$$\begin{aligned} {\mathcal {D}}^V_N = \{ {\varvec{a}}\in V : \mathrm{co }({\varvec{a}}) = \mathrm{dim }_{{\mathbb {R}}}(V),\ {\varvec{a}}\in S(\Lambda ({\varvec{a}})),\ \Lambda ({\varvec{a}}) \text { spanned by } S(\Lambda ({\varvec{a}})) \}, \end{aligned}$$
(8)

and let us write \({\mathcal {D}}_N\) for \({\mathcal {D}}_N^{{\mathbb {R}}^N}\).

Lemma 4.1

A lattice \(\Lambda ({\varvec{a}}) \subset V \subseteq {\mathbb {R}}^N\) is of rank \(= \mathrm{dim }_{{\mathbb {R}}}(V)\) with \({\varvec{a}}\in S(\Lambda ({\varvec{a}}))\) if and only if \({\varvec{a}}\in {\mathcal {D}}^V_N\). Moreover, \(\Lambda ({\varvec{a}}) = \Lambda ({\varvec{b}})\) for only finitely many \({\varvec{b}}\in {\mathcal {D}}^V_N\) with an upper bound on their number, call it \(\beta (V)\), depending only on the dimension of \(V\); we will write \(\beta _N\) for \(\beta ({\mathbb {R}}^N)\).

Proof

The first assertion is clear from the definition of \({\mathcal {D}}^V_N\). The second assertion follows from a well known fact in the reduction theory of positive definite quadratic forms (see, for instance, Theorems 1.1–1.2 in Chapter 12 of [5]).\(\square \)

For each \(R \in {\mathbb {R}}_{>0}\), let \(B^V_N(R)\) be a ball of radius \(R\) centered at the origin in \(V\), and let

$$\begin{aligned} {\mathcal {D}}^V_N(R) = \{ {\varvec{a}}\in {\mathcal {D}}^V_N : \Vert {\varvec{a}}\Vert \le R \} = {\mathcal {D}}^V_N \cap B^V_N(R). \end{aligned}$$

It is easy to notice that \({\varvec{a}}\in {\mathcal {D}}^V_N\) if and only if \(R{\varvec{a}}\in {\mathcal {D}}^V_N\), and hence \({\mathcal {D}}^V_N(R) = R{\mathcal {D}}^V_N(1)\) is a homogeneously expanding domain. Moreover, \({\mathcal {D}}_N^V(R)\) is a symmetric bounded star body, and hence is Jordan-measurable. We write \({\mathcal {D}}_N(R)\) for \({\mathcal {D}}_N \cap B_N(R)\), where \(B_N(R)\) is a ball of radius \(R\) centered at the origin in \({\mathbb {R}}^N\).

Given a vector \({\varvec{a}}\in {\mathbb {R}}^N\) with \(\mathrm{co }({\varvec{a}})=k\), let \({\varvec{a}}_1,\ldots ,{\varvec{a}}_k\) be some fixed ordering of the vectors \({\varvec{a}},\mathrm{rot }({\varvec{a}}),\ldots ,\mathrm{rot }^{k-1}({\varvec{a}})\). Define the angle sequence \(\{ \theta _1,\ldots ,\theta _{k-1} \}\) of this ordering as follows: for each \(1 \le i \le k-1\), let \(\theta _i\) be the angle between \({\varvec{a}}_{i+1}\) and the subspace spanned by \({\varvec{a}}_1,\ldots ,{\varvec{a}}_i\).

Lemma 4.2

Let \(V \subseteq {\mathbb {R}}^N\) be an \(L\)-dimensional subspace closed under the rotational shift operator. Assume that \(V\) contains a vector \({\varvec{a}}\) with \(\mathrm{co }({\varvec{a}})=L\) such that some ordering of its \(L\) linearly independent rotations has the corresponding angle sequence satisfying the condition

$$\begin{aligned} \pi /3 + {\varepsilon }\le \theta _i \le 2\pi /3 - {\varepsilon }\end{aligned}$$
(9)

for each \(1 \le i \le k-1\), for some \({\varepsilon }> 0\). Then \(\mathrm{Vol }_L({\mathcal {D}}^V_N(R)) = O(R^L)\), where the constant in the \(O\)-notation depends on \(V,\, L\), and \(N\).

Proof

Let \({\varvec{a}}_1,\ldots ,{\varvec{a}}_L\) be the ordering of \(L\) linearly independent rotations of \({\varvec{a}}\) with the corresponding angle sequence as in (9). Notice that \(\Vert {\varvec{a}}_1\Vert = \cdots = \Vert {\varvec{a}}_L\Vert = \Vert {\varvec{a}}\Vert \), and so Theorem 1 of [2] guarantees that \({\varvec{a}}_1,\ldots ,{\varvec{a}}_L\) are minimal vectors in \(\Lambda ({\varvec{a}})\), hence \({\varvec{a}}\in {\mathcal {D}}^V_N\).

Let \(\delta > 0\) and let

$$\begin{aligned} B(V,\delta ) = \{ {\varvec{x}}\in V : \Vert {\varvec{x}}\Vert \le \delta \} \end{aligned}$$

be the closed ball of radius \(\delta \) centered at the origin in \(V\). Let \({\varvec{t}}\in B(V,\delta )\) and \({\varvec{a}}^{\prime } = {\varvec{a}}+{\varvec{t}}\). Let \({\varvec{a}}^{\prime }_1,\ldots ,{\varvec{a}}^{\prime }_L\) be the rotations of \({\varvec{a}}^{\prime }\) corresponding to the rotations \({\varvec{a}}_1,\ldots ,{\varvec{a}}_L\) of \({\varvec{a}}\). There exists a \(\delta > 0\), depending on \({\varepsilon }\), small enough so that for every \({\varvec{t}}\in B(V,\delta )\) the angle sequence \(\{ \theta ^{\prime }_1,\ldots ,\theta ^{\prime }_{k-1} \}\) of \({\varvec{a}}^{\prime }_1,\ldots ,{\varvec{a}}^{\prime }_L\) still satisfies (9) with \({\varepsilon }\) replaced by some \({\varepsilon }^{\prime } > 0\). Then, as above, Theorem 1 of [2] guarantees that \({\varvec{a}}^{\prime } \in {\mathcal {D}}^V_N\), i.e., \({\varvec{a}}+ B(V,\delta ) \subseteq {\mathcal {D}}^V_N\), and so \({\mathcal {D}}^V_N\) must have positive \(L\)-dimensional volume. Since \({\mathcal {D}}^V_N\) is a homogeneously expanding domain, we must have

$$\begin{aligned} 0 < \mathrm{Vol }_L({\mathcal {D}}^V_N(R)) = \mathrm{Vol }_L(R {\mathcal {D}}^V_N(1)) = O(R^L), \end{aligned}$$

which completes the proof of the lemma.\(\square \)

Remark 4.1

We will apply Lemma 4.2 to \({\mathbb {R}}^N\). Notice that the angle sequence of the rotations of the first standard basis vector \({\varvec{e}}_1 \in {\mathbb {R}}^N\) satisfies the assumption of Lemma 4.2. Hence \(\mathrm{Vol }_N({\mathcal {D}}_N(R)) = O(R^N)\) for every \(N \ge 2\), by Lemma 4.2.

Remark 4.2

There is also another way to look at the set \({\mathcal {D}}^V_N\) with \(V\) as in the statement of Lemma 4.2. For each \({\varvec{a}}\in V\), all rotations of \({\varvec{a}}\) have to be in \(V\), and so \(\mathrm{co }({\varvec{a}}) \le L\). Let

$$\begin{aligned} M_V({\varvec{a}}) = ({\varvec{a}}\ \mathrm{rot }({\varvec{a}})\ \ldots \ \mathrm{rot }^{L-1}({\varvec{a}})), \end{aligned}$$
(10)

and notice that \(M_V({\varvec{a}}) = M({\varvec{a}})\) when \(V={\mathbb {R}}^N\). Define the corresponding \(L \times L\) Gram matrix

$$\begin{aligned} Q_V({\varvec{a}}) = M_V({\varvec{a}})^t M_V({\varvec{a}}), \end{aligned}$$

and let us write \(q_{ij}\) for the entires of this matrix, then

$$\begin{aligned} q_{ij} = q^V_{ij}({\varvec{a}}) := \mathrm{rot }^{i-1}({\varvec{a}}) \cdot \mathrm{rot }^{j-1}({\varvec{a}}). \end{aligned}$$

Notice that

$$\begin{aligned} \mathrm{rot }^{i-1}({\varvec{a}}) \cdot \mathrm{rot }^{j-1}({\varvec{a}}) = \mathrm{rot }^i({\varvec{a}}) \cdot \mathrm{rot }^j({\varvec{a}}), \end{aligned}$$
(11)

and so all the distinct entries \(q_{ij}\) are represented in the first row. Furthermore,

$$\begin{aligned} {\varvec{a}}\cdot \mathrm{rot }^{i-1}({\varvec{a}}) = {\varvec{a}}\cdot \mathrm{rot }^{N-i+1}({\varvec{a}}) \end{aligned}$$
(12)

for each \(2 \le i \le N-1\), and hence the total number of distinct off-diagonal entries in the matrix \(Q_V({\varvec{a}})\) is at most \([N/2]\); all the diagonal entries \(q_{ii} = \Vert {\varvec{a}}\Vert ^2\). Now, \({\varvec{a}}\in {\mathcal {D}}^V_N\) if and only if \(Q_V({\varvec{a}})\) is in the corresponding Minkowski reduction domain, which is known to be a convex polyhedral cone in \({\mathbb {R}}^{{L(L+1)}/{2}}\) with a finite number of facets (see, for instance, Chapter 12 of [5] or [21]), and conditions (10), (11), (12) imply that \(Q_V({\varvec{a}})\) would have to be in a specific section of this cone. On the other hand, given a Gram matrix \(Q\), the basis matrix \(M\) such that \(Q=M^tM\) is uniquely determined up to an orthogonal transformation.

Lemma 4.3

Let \(R \in {\mathbb {R}}_{>0}\), and define

$$\begin{aligned} f_N(R) = \# \{ \Lambda ({\varvec{a}}) \in {\mathcal {C}}_N : \Vert {\varvec{a}}\Vert = \lambda _1(\Lambda ({\varvec{a}})) = \lambda _N(\Lambda ({\varvec{a}})) \le R \}, \end{aligned}$$
(13)

then

$$\begin{aligned} O(R^N) \le f_N(R) \le O(R^N), \end{aligned}$$
(14)

where the constants in the \(O\)-notation depend only on \(N\).

Proof

Let \(\beta _N\) be as in Lemma 4.1, then

$$\begin{aligned} \frac{1}{\beta _N} \# \big ( {\mathbb {Z}}^N \cap {\mathcal {D}}_N(R) \big ) \le f_N(R) \le \# \big ( {\mathbb {Z}}^N \cap {\mathcal {D}}_N(R) \big ) \end{aligned}$$
(15)

by Lemma 4.1. Theorem 2 on p. 128 of [11] asserts that

$$\begin{aligned} \# \big ( {\mathbb {Z}}^N \cap {\mathcal {D}}_N(R) \big ) = \mathrm{Vol }_N({\mathcal {D}}_N(R)) + O(R^{N-1}). \end{aligned}$$
(16)

and so (14) follows by combining (16) with Lemma 4.2 and (15).\(\square \)

Remark 4.3

The boundary of the set \({\mathcal {D}}_N(R)\) is Lipschitz parameterizable, however that is not important for the application of Theorem 2 on p. 128 of [11] in the argument above, since we are only using the main term of the asymptotic formula in our inequalities, and Lemma 4.2 implies that there exist sets \(C_1,\, C_2\) with Lipschitz parameterizable boundaries (in fact, convex sets) such that \(RC_1 \subseteq {\mathcal {D}}_N^V(R) \subseteq RC_2\) for all \(R > 0\).

Proof of Theorem 1.1

By the results of Lemma 4.3 and Proposition 3.1, we see that

$$\begin{aligned} \frac{\# \{ \Gamma \in {\mathcal {C}}_N: \lambda _N(\Gamma ) \le R,\ \Gamma \mathrm {\,is\,WR} \}}{\# \{ \Gamma \in {\mathcal {C}}_N: \lambda _N(\Gamma ) \le R \}} \ge \frac{f_N(R)}{|{\mathcal {C}}_N(R)|} \ge O(1), \end{aligned}$$

where the constant in the \(O\)-notation depends only on \(N\). The statement of Theorem 1.1 follows.\(\square \)

Now we comment on the connection of our results to the equivalence of SVP and SIVP on a positive proportion of cyclic lattices. Let

$$\begin{aligned} {\mathcal {R}}_N = \{ \Lambda ({\varvec{a}}) \in {\mathcal {C}}_N : \Vert {\varvec{a}}\Vert = \lambda _1(\Lambda ({\varvec{a}})) = \lambda _N(\Lambda ({\varvec{a}})) \}, \end{aligned}$$

and let \(\Gamma \in {\mathcal {R}}_N\). Suppose that \({\varvec{c}}, \mathrm{rot }({\varvec{c}}),\ldots ,\mathrm{rot }^{N-1}({\varvec{c}})\) are linearly independent for every \({\varvec{c}}\in S(\Gamma )\), then SIVP is equivalent to SVP on \(\Gamma \). In the next lemma we prove that this is true for a positive proportion of lattices in \({\mathcal {R}}_N\). Specifically, let

$$\begin{aligned} {\mathcal {R}}^{\prime }_N = \{ \Gamma \in {\mathcal {R}}_N : \mathrm{co }({\varvec{c}}) = N\ \forall \ {\varvec{c}}\in S(\Gamma ) \}, \end{aligned}$$

and define

$$\begin{aligned} f^{\prime }_N(R) = \# \{ \Gamma \in {\mathcal {R}}^{\prime }_N : \lambda _N(\Gamma ) \le R \} \end{aligned}$$

for any \(R \in {\mathbb {R}}_{> 0}\).

Lemma 4.4

As \(R \rightarrow \infty \), we have

$$\begin{aligned} \frac{f^{\prime }_N(R)}{f_N(R)} \ge O(1), \end{aligned}$$

where the constant in \(O\)-notation depends only on \(N\).

Proof

Let \(\Gamma \in {\mathcal {R}}_N\), and suppose that \({\varvec{c}}\in S(\Gamma )\) is such that \(\mathrm{co }({\varvec{c}}) < N\). Then \({\varvec{c}}\in \Gamma \cap H_{\Phi _d}\) for some \(d \mid N\). In other words, \(\Gamma \in {\mathcal {R}}_N {\setminus } {\mathcal {R}}^{\prime }_N\) if and only if

$$\begin{aligned} S(\Gamma ) \cap \Big ( \bigcup _{d \mid N} H_{\Phi _d} \Big ) \ne \emptyset . \end{aligned}$$
(17)

Then

$$\begin{aligned} f^{\prime }_N(R) \asymp \# \{ {\varvec{a}}\in {\mathbb {Z}}^N \cap {\mathcal {D}}_N(R) : \Gamma = \Lambda ({\varvec{a}}) \hbox { does not satisfy (17)} \}, \end{aligned}$$

and since (17) is given by finitely many polynomial conditions, we have \(f^{\prime }_N(R) \asymp f_N(R)\).\(\square \)

Remark 4.4

Now combining Lemma 4.4 with Theorem 1.1, we see that

$$\begin{aligned} \frac{\# \{ \Gamma \in {\mathcal {R}}^{\prime }_N: \lambda _N(\Gamma ) \le R \}}{\# \{ \Gamma \in {\mathcal {C}}_N: \lambda _N(\Gamma ) \le R \}} \ge O(1) \text { as } R \rightarrow \infty . \end{aligned}$$
(18)

By our observation above, SVP and SIVP are equivalent on \({\mathcal {R}}^{\prime }_N\), and so the two problems are equivalent on a positive proportion of cyclic lattices.

In fact, we can use the idea in the proof of Lemma 4.2 and Remark 4.1 to explicitly construct full-rank WR lattices of the form \(\Lambda ({\varvec{a}})\) in \({\mathbb {R}}^N\) on which SVP and SIVP are equivalent.

Corollary 4.5

Let \(k_1,\ldots ,k_{N-1} \in {\mathbb {Z}}\) be nonzero integers, \(m = \mathrm{lcm }(k_1, \ldots , k_{N-1})\), and

$$\begin{aligned} {\varvec{a}}= \Big ( m, \frac{m}{k_1},\ldots ,\frac{m}{k_{N-1}} \Big )^t \in {\mathbb {Z}}^N. \end{aligned}$$

There exists a sufficiently large positive integer \(l\), depending only on the dimension \(N\), such that whenever \(|k_1|,\ldots ,|k_{N-1}| \ge l\), the lattice \(\Lambda ({\varvec{a}}) \in {\mathcal {R}}^{\prime }_N\).

Proof

Let \(l\) be a positive integer, the choice of which is to be specified below, and let the rest of the notation be as in the statement of the corollary. Let \({\varvec{b}}= \frac{1}{m} {\varvec{a}}= {\varvec{e}}_1 + {\varvec{\varepsilon }}\), where

$$\begin{aligned} {\varvec{\varepsilon }}= (0, 1/k_1,\ldots ,1/k_{N-1}). \end{aligned}$$

Taking \(l\) sufficiently large, we can ensure that the angle sequence of the rotations of the vector \({\varvec{b}}\) satisfies condition (9) for some \({\varepsilon }>0\), in which case \(\Lambda ({\varvec{b}})\) is a lattice of rank \(N\) with minimal norm equal to \(\Vert {\varvec{b}}\Vert \) by the same argument as in the proof of Lemma 4.2 and Remark 4.1.

We can assume that \(l > 10N\) so that \((1- N/l)^2 > 81/100\). We will now show that

$$\begin{aligned} S(\Lambda ({\varvec{b}})) = \{ \pm {\varvec{b}}, \pm \mathrm{rot }({\varvec{b}}),\ldots , \pm \mathrm{rot }^{N-1}({\varvec{b}}) \}. \end{aligned}$$
(19)

Indeed, suppose

$$\begin{aligned} {\varvec{c}}= \sum _{i=1}^{N} \alpha _i \mathrm{rot }^{i-1}({\varvec{b}}) \in S(\Lambda ({\varvec{b}})), \end{aligned}$$

where \(\alpha _1,\ldots ,\alpha _{N} \in {\mathbb {Z}}\), not all zero. Let \(\alpha = \max _{1 \le i \le N} |\alpha _i|\), so for each \(1 \le n \le N\)

$$\begin{aligned} \big | \alpha _1 + \cdots + \alpha _{n-1} + \alpha _{n+1} + \cdots + \alpha _N \big | \le N \alpha . \end{aligned}$$

Then \(c_n\), the \(n\)-th coordinate of \({\varvec{c}}\), satisfies the inequalities

$$\begin{aligned} \max \{ 0, |\alpha _n| - N \alpha /l \} \le |c_n| \le |\alpha _n| + N \alpha /l, \end{aligned}$$

and so we have

$$\begin{aligned} \Vert {\varvec{c}}\Vert ^2 \ge \alpha ^2 (1- N/l)^2. \end{aligned}$$

Assume first that \(\alpha > 1\), then we have

$$\begin{aligned} \Vert {\varvec{c}}\Vert ^2 > 2 > 1 + (N-1)/l^2 \ge \Vert {\varvec{b}}\Vert ^2. \end{aligned}$$

Therefore we must have \(\alpha =1\). If \(\alpha _n = \pm 1\) for only one \(n\), then \({\varvec{c}}= \pm \mathrm{rot }^{n-1}({\varvec{b}})\). Hence assume there exist \(1 \le j < n \le N\) such that \(\alpha _j, \alpha _n = \pm 1\), then

$$\begin{aligned} \Vert {\varvec{c}}\Vert ^2 \ge 2 (1- N/l)^2 > 1 + (N-1)/l^2 = \Vert {\varvec{b}}\Vert ^2, \end{aligned}$$

which establishes (19). Then \(\Lambda ({\varvec{a}}) = m \Lambda ({\varvec{b}})\), and hence

$$\begin{aligned} S(\Lambda ({\varvec{a}})) = \{ \pm {\varvec{a}}, \pm \mathrm{rot }({\varvec{a}}),\ldots , \pm \mathrm{rot }^{N-1}({\varvec{a}}) \}, \end{aligned}$$

meaning that each vector in \(S(\Lambda ({\varvec{a}}))\) has cyclic order \(=N\). Thus \(\Lambda ({\varvec{a}}) \in {\mathcal {R}}^{\prime }_N\).\(\square \)

Remark 4.5

To summarize, the main idea of Corollary 4.5 is to pick a rational vector \({\varvec{b}}\) from a small ball centered at \({\varvec{e}}_1\). Then the set of minimal vectors of \(\Lambda ({\varvec{b}})\) will consist only of \(\pm \) rotations of \({\varvec{b}}\) due to the fact that one coordinate of \({\varvec{b}}\) strongly dominates others. Hence SVP and SIVP are equivalent on \(\Lambda ({\varvec{b}})\), and \(\Lambda ({\varvec{b}})\) is similar to some full-rank WR cyclic sublattice of \({\mathbb {Z}}^N\) because coordinates of \({\varvec{b}}\) are rational. Since a ball of positive radius centered at \({\varvec{e}}_1\) contains infinitely many rational points, infinitely many mutually non-similar lattices with this equivalence property can be constructed this way.

5 Cyclic Lattices in the Plane

In this section we prove Theorem 1.2. Recall that every planar cyclic lattice is spanned by vectors corresponding to its successive minima. Furthermore, for a sublattice \(\Gamma \) of \({\mathbb {Z}}^2\), \(|S(\Gamma )|=2\) or 4, and \(\Gamma \) is WR if and only if \(|S(\Gamma )| = 4\). If \(\Gamma \) is not WR, then \(|S(\Gamma )|=2\) and the vectors corresponding to first and second successive minima are unique (up to \(\pm \) sign): this follows, for instance, from the second Theorem and discussion after it on p. 203 of [6].

Lemma 5.1

A lattice \(\Gamma \in {\mathcal {C}}_2\) is WR if and only if either \(\Gamma = \Lambda ({\varvec{a}})\) for some \({\varvec{a}}\in S(\Gamma )\) or \(\Gamma = \alpha \Big (\begin{array}{c@{\quad }c} 1 &{} 1 \\ 1 &{} -1 \end{array}\Big ) {\mathbb {Z}}^2\) for some \(\alpha \in {\mathbb {Z}}_{>0}\). On the other hand, \(\Gamma \in {\mathcal {C}}_2\) is not WR if and only if \(\Gamma = \Big (\begin{array}{c@{\quad }c} \alpha &{} \beta \\ \alpha &{} -\beta \end{array}\Big ) {\mathbb {Z}}^2\) for some distinct positive integers \(\alpha , \beta \).

Proof

If \(\Gamma = \Lambda ({\varvec{a}})\) for some \({\varvec{a}}\in S(\Gamma )\), then \(S(\Gamma ) = \{ \pm {\varvec{a}}, \pm \mathrm{rot }({\varvec{a}})\}\) and the vectors \({\varvec{a}}, \mathrm{rot }({\varvec{a}})\) are linearly independent. If \( \Gamma = \alpha \Big (\begin{array}{c@{\quad }c} 1 &{} 1 \\ 1 &{} -1 \end{array}\Big ) {\mathbb {Z}}^2\) for some \(\alpha \in {\mathbb {Z}}\), then

$$\begin{aligned} S(\Gamma ) = \Big \{ \pm \Big (\begin{array}{l} 1 \\ 1 \end{array}\Big ), \pm \Big (\begin{array}{c} 1 \\ -1 \end{array}\Big ) \Big \}. \end{aligned}$$

In both cases, it is clear that \(\Gamma \) is WR.

Suppose then that \(\Gamma \) is WR, then \(|S(\Gamma )| = 4\) and \(S(\Gamma )\) contains a basis for \(\Gamma \). Let \({\varvec{a}}\in S(\Gamma )\). First assume \(\Lambda ({\varvec{a}})\) has rank 2, then \({\varvec{a}}, \mathrm{rot }({\varvec{a}}) \in S(\Gamma )\) are linearly independent, and hence form a basis for \(\Gamma \). Therefore \(\Gamma =\Lambda ({\varvec{a}})\). Next suppose that \(\Lambda ({\varvec{a}})\) has rank 1, then \({\varvec{a}}= c \mathrm{rot }({\varvec{a}})\) for some \(c \in {\mathbb {Z}}\), which easily implies that \(a_1=a_2\), and so \({\varvec{a}}= \alpha \small {\big (\begin{array}{l} 1 \\ 1 \end{array}\big )}\) for some \(\alpha \in {\mathbb {Z}}\). Since \(\Gamma \) is WR, there must exist \({\varvec{c}}\in S(\Gamma )\) such that \({\varvec{c}}\ne \pm {\varvec{a}}\). Then \(\mathrm{rot }({\varvec{c}})\) is also in \(S(\Gamma )\), and since \(|S(\Gamma )| = 4\), we must have \(-{\varvec{c}}= \mathrm{rot }({\varvec{c}})\) and \(\Vert {\varvec{c}}\Vert = \Vert {\varvec{a}}\Vert \), meaning that \({\varvec{c}}= \alpha \small {\big (\begin{array}{c} -1 \\ 1 \end{array}\big )}\). Then \(S(\Gamma ) = \{ \pm {\varvec{a}}, \pm {\varvec{c}}\}\), and so

$$\begin{aligned} \Gamma = \alpha \Big (\begin{array}{l@{\quad }c} 1 &{} 1 \\ 1 &{} -1 \end{array}\Big ) {\mathbb {Z}}^2. \end{aligned}$$

This completes the proof of the first statement.

The second statement follows immediately from the observation that \({\mathbb {R}}^2\) has precisely two cyclotomic subspaces:

$$\begin{aligned} H_{\Phi _1} = \mathrm{span }_{{\mathbb {R}}} \Big \{ \Big (\begin{array}{l} 1 \\ 1 \end{array}\Big ) \Big \},\qquad H_{\Phi _2} = \mathrm{span }_{{\mathbb {R}}} \Big \{ \Big (\begin{array}{c} 1 \\ -1 \end{array}\Big ) \Big \}. \end{aligned}$$

\(\square \)

For \(R \in {\mathbb {R}}_{>0}\), let \(f_2(R)\) be as in (13) for \(N=2\), and define

$$\begin{aligned} g_2(R) = \# \{ \Gamma \in {\mathcal {C}}_2 : \Gamma \ne \Lambda ({\varvec{a}})\ \forall \ {\varvec{a}}\in {\mathbb {Z}}^2,\ \lambda _1(\Gamma ) = \lambda _2(\Gamma ) \le R \}, \end{aligned}$$

and

$$\begin{aligned} h_2(R) = \# \{ \Gamma \in {\mathcal {C}}_2 : \Gamma \text { is not WR},\ \lambda _2(\Gamma ) \le R \}. \end{aligned}$$

We can now use Lemma 5.1 to estimate the functions \(f_2(R), g_2(R), h_2(R)\).

Lemma 5.2

Let \(R \in {\mathbb {R}}_{>0}\), then

$$\begin{aligned}&0.200650\ldots \times R^2 - 3.742382\ldots \times R \le f_2(R) \le 0.267638\ldots \times R^2\nonumber \\&\quad + 0.965925\ldots \times R,\end{aligned}$$
(20)
$$\begin{aligned}&g_2(R) = \Big [ \frac{R}{\sqrt{2}} \Big ],\end{aligned}$$
(21)
$$\begin{aligned}&h_2(R) = \Big [ \frac{R}{\sqrt{2}} \Big ]^2 - \Big [ \frac{R}{\sqrt{2}} \Big ]. \end{aligned}$$
(22)

Proof

First assume \(\Gamma = \Lambda ({\varvec{a}})\) for some \({\varvec{a}}= \small {\big (\begin{array}{l} a_1 \\ a_2 \end{array}\big )} \in S(\Gamma )\). Notice that we can assume without loss of generality that \(|a_1| > |a_2|\). The condition that \({\varvec{a}},\mathrm{rot }({\varvec{a}})\) form a Minkowski reduced basis amounts to satisfying the following condition (see, for instance, Note 1 on p. 257 of [5]):

$$\begin{aligned} a_1^2+a_2^2 \ge 4|a_1a_2|. \end{aligned}$$

This means that either

$$\begin{aligned} a_1^2+a_2^2-4a_1a_2 \ge 0,\quad a_1a_2 \ge 0, \end{aligned}$$
(23)

or

$$\begin{aligned} a_1^2+a_2^2+4a_1a_2 \ge 0,\quad a_1a_2 < 0. \end{aligned}$$
(24)

First consider the (23) situation, then there are the following two options:

  1. (1)

    \(a_1 \ge [(2+\sqrt{3})a_2] +1 > a_2 \ge 0\),

  2. (2)

    \(0 \ge a_2 > [(2+\sqrt{3})a_2] - 1 \ge a_1\).

Notice that \(a_1,a_2\) satisfy option (1) if and only if \(-a_1,-a_2\) satisfy option (2), hence they correspond to the same lattice \(\Lambda ({\varvec{a}})\). Next consider the (24) situation, then there are the following two options:

  1. (3)

    \(a_1 \le -[(2+\sqrt{3})a_2] -1 < 0 < a_2\),

  2. (4)

    \(a_1 \ge -[(2+\sqrt{3})a_2] + 1 > 0 > a_2\).

Again, \(a_1,a_2\) satisfy option (3) if and only if \(-a_1,-a_2\) satisfy option (4), hence they correspond to the same lattice \(\Lambda ({\varvec{a}})\). Notice also that for each pair \(a_1,a_2\) satisfying options (1) and (2), there is precisely one pair satisfying options (3) and (4). Hence we will only count vectors \({\varvec{a}}\in {\mathbb {Z}}^2\) with \(\Vert {\varvec{a}}\Vert \le R\) satisfying (1) and multiply this number by 2. Therefore:

$$\begin{aligned} f_2(R) = 2 \sum _{a_2=1}^{A(R)} \Big ( \big [ \sqrt{R^2-a_2^2} \big ] - \big [ (2+\sqrt{3})a_2 \big ] - 1 \Big ), \end{aligned}$$
(25)

where

$$\begin{aligned} A(R) = \Big [ \frac{R}{2\sqrt{2+\sqrt{3}}} \Big ]. \end{aligned}$$

Using (25), we now give quick estimates on \(f_2(R)\). A higher degree of precision is easily possible here, but we choose in favor of simplicity. Notice that

$$\begin{aligned} f_2(R)&\ge 2 R A(R) - 2(3+\sqrt{3}) \sum _{a_2=1}^{A(R)} a_2 - 2A(R) \nonumber \\&= 2RA(R) - (3+\sqrt{3}) A(R)^2 - (5+\sqrt{3})A(R) \nonumber \\&\ge \frac{\big ( 4\sqrt{2+\sqrt{3}} - 3 - \sqrt{3} \big ) R^2}{8+4\sqrt{3}} - \frac{\big ( 5+\sqrt{3} + 4 \sqrt{2+\sqrt{3}} \big )R}{2\sqrt{2+\sqrt{3}}} \nonumber \\&= 0.200650\ldots \times R^2 - 3.742382\ldots \times R. \end{aligned}$$
(26)

On the other hand,

$$\begin{aligned} f_2(R)&\le 2RA(R) - (2+\sqrt{3})A(R)(A(R)+1) \nonumber \\&\le \frac{R^2}{\sqrt{2+\sqrt{3}}} - \frac{R^2}{4} + \frac{\sqrt{2+\sqrt{3}}\ R}{2} \nonumber \\&= 0.267638\ldots \times R^2 + 0.965925\ldots \times R. \end{aligned}$$
(27)

Next suppose \(\Gamma \in {\mathcal {C}}_2\) is WR, but not of the form \(\Gamma = \Lambda ({\varvec{a}})\) for some \({\varvec{a}}\in S(\Gamma )\), then \(\Gamma = \alpha \Big (\begin{array}{l@{\quad }c} 1 &{} 1 \\ 1 &{} -1 \end{array}\Big ) {\mathbb {Z}}^2\) for some \(\alpha \in {\mathbb {Z}}_{>0}\), by Lemma 5.1. Now, \(\lambda _1(\Gamma ) \le R\) if and only if

$$\begin{aligned} 0 < \alpha \le \frac{R}{\sqrt{2}}, \end{aligned}$$

and so \(\alpha \) can be equal to \(1,2,\ldots ,[R/\sqrt{2}]\). Since \(\alpha \) identifies \(\Gamma \) uniquely, (21) follows.

Finally, assume \(\Gamma \in {\mathcal {C}}_2\) is not WR. Then \(\Gamma = \Big (\begin{array}{l@{\quad }c} \alpha &{} \beta \\ \alpha &{} -\beta \end{array}\Big ) {\mathbb {Z}}^2\) for some distinct positive integers \(\alpha , \beta \). Since \(\Gamma \) is a rectangular lattice, there are two possibilities:

  1. (1)

    \(\lambda _1(\Gamma ) = \sqrt{2} \alpha < \sqrt{2} \beta = \lambda _2(\Gamma ) \le R\),

  2. (2)

    \(\lambda _1(\Gamma ) = \sqrt{2} \beta < \sqrt{2} \alpha = \lambda _2(\Gamma ) \le R\).

Hence we can count the number of lattices satisfying (1) and multiply it by 2. Thus

$$\begin{aligned} h_2(R) = 2 \sum _{\beta =1}^{[R/\sqrt{2}]} (\beta -1) = \Big [ \frac{R}{\sqrt{2}} \Big ]^2 - \Big [ \frac{R}{\sqrt{2}} \Big ]. \end{aligned}$$
(28)

This completes the proof.\(\square \)

We are now ready to prove Theorem 1.2.

Proof of Theorem 1.2

Notice that

$$\begin{aligned} \frac{\# \{ \Gamma \in {\mathcal {C}}_2: \lambda _2(\Gamma ) \le R,\ \Gamma \mathrm {\,is\,WR} \}}{\# \{ \Gamma \in {\mathcal {C}}_2: \lambda _2(\Gamma ) \le R \}} = \frac{f_2(R)+g_2(R)}{f_2(R)+g_2(R)+h_2(R)} \end{aligned}$$

and

$$\begin{aligned} \frac{\# \{ \Gamma \in {\mathcal {C}}_2: \lambda _2(\Gamma ) \le R,\ \Gamma \mathrm {\,is\,not\,WR} \}}{\# \{ \Gamma \in {\mathcal {C}}_2: \lambda _2(\Gamma ) \le R \}} = \frac{h_2(R)}{f_2(R)+g_2(R)+h_2(R)}. \end{aligned}$$

The result now follows directly from Lemma 5.2.\(\square \)

6 Permutation Invariance

Let \(S_N\) be the group of permutations on \(N \ge 2\) elements and define the action of \(S_N\) on \({\mathbb {R}}^N\) as in (3). In fact, for each \(\tau \in S_N\) define \(E_{\tau }\) to be the \(N \times N\) matrix obtained from the \(N \times N\) identity matrix \(I_N\) by permuting its rows with \(\tau \); in other words, \(E_{\tau } = (e_{ij})_{1 \le i,j \le N}\) where \(e_{ij}=1\) whenever \(j=\tau (i)\) and \(e_{ij}=0\) otherwise. These are the well-known permutation matrices. Then for every \({\varvec{x}}\in {\mathbb {R}}^N\),

$$\begin{aligned} \tau {\varvec{x}}= E_{\tau } {\varvec{x}}. \end{aligned}$$

It is easy to check that the map \(\psi : S_N \rightarrow \mathrm{GL }_N({\mathbb {Z}})\) given by \(\tau \mapsto E_{\tau }\) is a faithful representation of \(S_N\) in \(\mathrm{GL }_N({\mathbb {R}})\), and we write \(\psi (S_N)\) for its image. Notice that the rotational shift operator is given precisely by the \(N\)-cycle \((1\ 2\ldots N) \in S_N\):

$$\begin{aligned} \mathrm{rot }({\varvec{x}}) = E_{(1\ 2 \ldots N)} {\varvec{x}}= \left( \begin{array}{c@{\quad }c@{\quad }c@{\quad }c} 0 &{} \ldots &{} 0 &{} 1\\ 1 &{} \ldots &{} 0 &{} 0\\ \vdots &{} \ldots &{} \vdots &{} \vdots \\ 0 &{} \ldots &{} 1 &{} 0 \end{array}\right) {\varvec{x}}. \end{aligned}$$
(29)

Observe also that each matrix \(E_{\tau }\) is orthogonal, and hence lattices \(\Lambda \) and \(\tau \Lambda := E_{\tau } \Lambda \) are isometric. This in particular means that \(\Lambda \) is WR if and only if \(\tau \Lambda \) is invariant for every \(\tau \in S_N\).

As in Sect. 1, we say that a lattice \(\Lambda \subset {\mathbb {R}}^N\) is \(\tau \)-invariant (or invariant under \(\tau \)) for a fixed \(\tau \in S_N\) if \(E_{\tau } \Lambda = \Lambda \). It is clear that \(\Lambda \) is \(\tau \)-invariant if and only if it is \(\sigma \)-invariant for every permutation \(\sigma \) in \(\langle \tau \rangle \), the cyclic group generated by \(\tau \). This observation together with (29) readily implies that cyclic lattices are precisely the sublattices of \({\mathbb {Z}}^N\) which are invariant under the cyclic permutation group \(\langle (1\ 2 \ldots N) \rangle \). Further notice that if \(\Lambda \) is \(\tau \)-invariant and \(\sigma \)-invariant for some two elements \(\sigma ,\tau \in S_N\), then it is \((\sigma \tau )\)-invariant. Recall that the transposition \((1\ 2)\) and \(N\)-cycle \((1\ 2\ldots N)\) together generate \(S_N\), and hence any cyclic lattice that is also \((1\ 2)\)-invariant is invariant under the entire group \(S_N\). We can now extend our results on cyclic lattices to \(\tau \)-invariant full-rank sublattices of \({\mathbb {Z}}^N\) for any \(N\)-cycle \(\tau \).

Proof of Corollary 1.3

Let \(\tau \in S_N\) be an \(N\)-cycle, and let us write \(\sigma \) for the \(N\)-cycle \((1\ 2\ \ldots \ N)\). Since all \(N\)-cycles are in the same conjugacy class, there exists \(g \in S_N\) such that \(\tau = g \sigma g^{-1}\). Then a lattice \(\Gamma \) is \(\tau \)-invariant if and only if the lattice \(g^{-1} \Gamma \) is \(\sigma \)-invariant, i.e., cyclic. Since lattices \(\Gamma \) and \(g^{-1} \Gamma \) are isometric, it follows that the sets

$$\begin{aligned} \{ \Gamma \in {\mathcal {C}}_N : \lambda _N(\Gamma ) \le R \},\ \{ \Gamma \in {\mathcal {C}}_N(\tau ) : \lambda _N(\Gamma ) \le R \} \end{aligned}$$

are in bijective correspondence, as are the sets

$$\begin{aligned} \{ \Gamma \in {\mathcal {C}}_N : \lambda _N(\Gamma ) \le R,\ \Gamma \text { is WR} \},\ \{ \Gamma \in {\mathcal {C}}_N(\tau ) : \lambda _N(\Gamma ) \le R,\ \Gamma \mathrm {\,is\,WR} \}, \end{aligned}$$

for each \(R \in {\mathbb {R}}_{>0}\). The statement of the corollary now follows from Theorem 1.1.\(\square \)

Since permutation invariant sublattices of \({\mathbb {Z}}^N\) are a natural generalization of cyclic lattices, we conclude with two questions about them.

Question 1

Do permutation invariant full-rank sublattices of \({\mathbb {Z}}^N\) have some underlying algebraic structure? More specifically, which of them, if any, can be obtained from ideals in some polynomial rings, analogously to the construction of cyclic lattices from ideals in \({\mathbb {Z}}[x]/(x^N -1)\)?

To state the second question, let us introduce some more notation. Let us say that an infinite set of lattices \({\mathcal {S}}\) in \({\mathbb {R}}^N\) is WR-dense if

$$\begin{aligned} \frac{\# \{ \Gamma \in {\mathcal {S}}: \lambda _N(\Gamma ) \le R,\ \Gamma \mathrm {\,is\,WR} \}}{\# \{ \Gamma \in {\mathcal {S}}: \lambda _N(\Gamma ) \le R \}} \ge O(1) \quad \text { as } R \rightarrow \infty . \end{aligned}$$

Our results above show that \(\tau \)-invariant full-rank sublattices of \({\mathbb {Z}}^N\) are WR-dense for each \(N\)-cycle \(\tau \), which leads to the following more general question.

Question 2

For which permutations \(\tau \in S_N\) are the \(\tau \)-invariant sublattices of \({\mathbb {Z}}^N\) WR-dense?

The answer to Question 2 by means of extending the current method and studying automorphism groups of lattices is the subject of a forthcoming paper.

Both of the above questions can also be extended to signed permutation invariant lattices. Let \({\mathcal {J}}_N \cong ({\mathbb {Z}}/2{\mathbb {Z}})^N\) be the finite abelian subgroup of \(\mathrm{GL }_N({\mathbb {Z}})\) consisting of diagonal matrices with all diagonal entries being \(\pm 1\). For a fixed \(g \in {\mathcal {J}}_N\) and \(\tau \in S_N\), we will say that a lattice \(\Lambda \subset {\mathbb {R}}^N\) is \(g\)-signed \(\tau \)-invariant if \(g E_{\tau } \Lambda = \Lambda \). Now we can ask Questions 1 and 2 for signed permutation invariant lattices. As an example, let

$$\begin{aligned} g = \left( \begin{array}{c@{\quad }c@{\quad }c@{\quad }c} -1 &{} 0 &{} \ldots &{} 0 \\ 0 &{} 1 &{} \ldots &{} 0 \\ \vdots &{} \vdots &{} \ldots &{} \vdots \\ 0 &{} 0 &{} \ldots &{} 1 \end{array}\right) \in {\mathcal {J}}_N,\ \tau = (1\ 2\ldots N) \in S_N, \end{aligned}$$

then \(g\)-signed \(\tau \)-invariant sublattices of \({\mathbb {Z}}^N\) are images of ideals in the quotient polynomial ring \({\mathbb {Z}}[x]/(x^N +1)\) under the same map \(\rho \) as for cyclic lattices in Sect. 1; we will call these the signed cyclic lattices. For instance, the signed cyclic lattices in dimension 2 are of the form

$$\begin{aligned} \Big (\begin{array}{c@{\quad }c} a &{} -b \\ b &{} a \end{array}\Big ) {\mathbb {Z}}^2,\quad a,b \in {\mathbb {Z}}. \end{aligned}$$

These are orthogonal sublattices of \({\mathbb {Z}}^2\), which come from ideals in \({\mathbb {Z}}[x]/(x^2 +1)\) (alternatively, from ideals in Gaussian integers \({\mathbb {Z}}[i]\) under the standard Minkowski embedding of \({\mathbb {Q}}(i)\) into the real plane), and are always WR. This observation suggests that signed cyclic lattices in higher dimensions may also have good chances of being WR-dense.