On Promise Problem of the Generalized Shortest Vector Problem
Abstract
In 2009, Blömer and Naewe proposed the Generalized Shortest Vector Problem \((\text {GSVP})\). We initiate the study of the promise problem (\(\text {GAPSAM}\)) for \(\text {GSVP}\). It is a promise problem associated with estimating the subspace avoiding minimum. We show \(\text {GAPSAM}_{c\cdot n}\) lies in coNP, where c is a constant. Furthermore, we study relationships between \(\text {GAPSAM}\) of a lattice and the nth successive minimum, the shortest basis, and the shortest vector in the dual of the saturated sublattice, and obtain new transference theorems for \(\text {GAPSAM}\). Then, using the new transference theorems, we give various deterministic polynomial time reductions among the promise problems for some lattice problems. We also show \(\text {GAPSAM}_{\gamma }\) can be reduced to the promise problem associated to the Closest Vector Problem (\(\text {GAPCVP}_{\gamma }\)) under a deterministic polynomial time rank-preserving reduction.
Keywords
The generalized shortest vector problem; The saturated sublattice; Transference theorems; Polynomial time reduction
1 Introduction
A lattice is the set of all integer combinations of n linearly independent vectors in \(\mathbb {R}^{m}\), where n is the rank of the lattice, m is the dimension of the lattice, and the n linearly independent vectors are called a lattice basis. Let \(\varvec{B}=[\varvec{b}_{1},\varvec{b}_{2},\ldots ,\varvec{b}_{n}]\) be a basis of the lattice \(\varvec{L}\). The ith successive minimum \(\lambda _{i}(\varvec{L})\) of the lattice \(\varvec{L}\) is the least number r such that the sphere centered at the origin with radius r contains i linearly independent lattice vectors. The length of a basis \(\varvec{B}\) is \(g(\varvec{B})\), that is, \(g(\varvec{B})=\max \limits _{i}{\Vert \varvec{b}_{i}\Vert }\), and \(g(\varvec{L})\) is the minimum value of \(g(\varvec{B})\) over all bases \(\varvec{B}\) of \(\varvec{L}\). Some important lattice problems are defined below, where \(\gamma \ge 1\) is a function of rank:
\(\text {SVP}\) (Shortest Vector Problem): Given a lattice \(\varvec{L}\), find a nonzero lattice vector \(\varvec{v}\) such that \(\Vert \varvec{v}\Vert \le \gamma \cdot \lambda _{1}(\varvec{L})\).
\(\text {CVP}\) (Closest Vector Problem): Given a lattice \(\varvec{L}\) and a target vector \(\varvec{t}\), find a lattice point \(\varvec{v}\) such that \(dist(\varvec{v},\varvec{t})\le \gamma \cdot dist(\varvec{L},\varvec{t})\).
\(\text {SIVP}\) (Shortest Independent Vector Problem): Given a lattice \(\varvec{L}\) of rank n, find n linearly independent lattice vectors \(\varvec{s}_{1},\varvec{s}_{2},\ldots ,\varvec{s}_{n}\) such that \(\Vert \varvec{s}_{i}\Vert \le \gamma \cdot \lambda _{n}(\varvec{L}),i=1,2,\ldots ,n\).
\(\text {SBP}\) (Shortest Basis Problem): Given a lattice \(\varvec{L}\) generated by a basis \(\varvec{B}\), find an equivalent basis \(\varvec{B}^{\prime }\) such that \(g(\mathcal {\varvec{L}}(\varvec{B}^{\prime }))\le \gamma \cdot g(\varvec{L})\).
These lattice problems have been widely studied, and it is known that all of these problems are NP-hard [1, 7, 13, 14]. Aharonov and Regev [3] showed that approximating \(\text {SVP}\) and \(\text {CVP}\) within a factor of \(\sqrt{n}\) lies in \(NP\cap coNP\). Goldreich and Goldwasser [11] showed that approximating \(\text {SVP}\) and \(\text {CVP}\) within a factor of \(\sqrt{n/O(\log n)}\) lies in \(NP\cap coAM\). Boppana et al. [8] found that approximating \(\text {SVP}\) and \(\text {CVP}\) within a factor of \(\sqrt{n/O(\log n)}\) is not NP-hard unless the polynomial hierarchy collapses. Ajtai, Kumar and Sivakumar [2] proposed a sieve method for computing \(\text {SVP}\) under a randomized \(2^{O(n)}\) time algorithm. Blömer and Seifert [7] proved that approximating \(\text {SIVP}\) and \(\text {SBP}\) within any constant factor is NP-hard and within a factor of \(O(n/\sqrt{\log n})\) is in \(NP\cap coAM\). Guruswami et al. [12] proved that \(\text {SIVP}\) lies in coAM within an improved approximation factor of \(O(\sqrt{n/\log n})\) and is in coNP within an approximation factor of \(O(\sqrt{n})\). Blömer and Naewe [5] proposed the Generalized Shortest Vector Problem (\(\text {GSVP}\)) and gave polynomial-time reductions from \(\text {SVP}\), \(\text {CVP}\), \(\text {SIVP}\), and \(\text {SMP}\) (Successive Minima Problem) to \(\text {GSVP}\). They also proved that there exists a randomized single-exponential time algorithm which approximates \(\text {GSVP}\) within a factor of \(1+\epsilon \), where \(0<\epsilon \le 2\), with success probability \(1-2^{-\varOmega (n)}\) for all \(\ell _{p}\) norms. This result implies that there exists a single-exponential time approximation algorithm for all of the above-mentioned lattice problems for all \(\ell _{p}\) norms with \(1\le p\le \infty \). Micciancio [16] gave efficient reductions among approximation problems and showed that several lattice problems are equivalent under polynomial-time rank-preserving reductions.
Transference theorems reflect relationships between the successive minima of a lattice and its dual lattice. As a consequence of transference theorems, it was shown in [15] that, under Karp reduction, \(\text {SVP}_{O(n)}\) cannot be NP-hard unless \(NP=coNP\). Banaszczyk [4] proved the following inequality: for a lattice \(\varvec{L}\) of rank n with dual lattice \(\varvec{L}^{*}\), \(1\le \lambda _{1}(\varvec{L})\cdot \lambda _{n}(\varvec{L}^{*})\le n\). Cai [9, 10] generalized the transference theorems of Banaszczyk to obtain the following bounds relating the successive minima of a lattice with the minimum length of generating vectors of its dual: for a lattice \(\varvec{L}\) of rank n with dual lattice \(\varvec{L}^{*}\), \(1\le \lambda _{n-i+1}(\varvec{L})\cdot g_{i}(\varvec{L}^{*})\le C\cdot n\) for all \(1\le i\le n\) and some universal constant C. The lattice quantity \(g_{i}(\varvec{L})\) is defined as follows. First, \(g(\varvec{L})\) is the minimum value r such that the ball \(\mathcal {\varvec{B}}(0,r)\) centered at 0 with radius r contains a set of linearly independent lattice vectors that generate the lattice \(\varvec{L}\). A sublattice \(\varvec{L}^{\prime }\subset \varvec{L}\) is called saturated if it satisfies \(\varvec{L}^{\prime }=\varvec{L}\cap span(\varvec{L}^{\prime })\) [10]. Then, \(g_{i}(\varvec{L})\) is the minimum value r such that the sublattice generated by \(\varvec{L}\cap \mathcal {\varvec{B}}(0,r)\) contains an i-dimensional saturated sublattice \(\varvec{L}^{\prime }\) for \(1\le i\le dim(\varvec{L})\). From [10], \(\lambda _{i}(\varvec{L})\cdot g_{n-i+1}(\varvec{L}^{*})\le C\cdot n\) for all \(1\le i\le n\), and \(g_{n}(\varvec{L})=g(\varvec{L})\); the proof used the discrete Fourier transform and discrete potential functions.
The inequality (2) is similar to Cai’s, but our proof is simpler. In [9, 10], Cai presented the inequality \(1\le \lambda _{1}(\varvec{L})\cdot g(\varvec{L}^{*})\le C\cdot n\), which reflects the relationship between the shortest lattice vector of \(\varvec{L}\) and the shortest basis of the dual lattice \(\varvec{L}^{*}\). Our result, \(1\le \lambda _{M}(\varvec{L})\cdot g(\varvec{L}_{1}^{*})\le d\cdot n\), associates the minimum length of lattice vectors in \(\varvec{L}\backslash \varvec{M}\) to the shortest basis of the dual of the saturated sublattice \(\varvec{L}_{1}\) generated by intersecting \(\varvec{L}\) with a subspace \(\varvec{V}\subset span(\varvec{L})\), where \(\varvec{V}\oplus \varvec{M}=span(\varvec{L})\).
By these results, we prove that \(\text {GAPSAM}_{cn}\) is in coNP, where c is a constant. We also give polynomial reductions between \(\text {GAPSVP}\), \(\text {GAPSIVP}\), and \(\text {GAPSBP}\) and \(\text {GAPSAM}\). We also obtain the following inequalities: \(1\le \lambda _{1}(\varvec{L})\cdot \lambda _{n}(\varvec{L}_{1}^{*})\le c\cdot n\); \(1\le \lambda _{1}(\varvec{L})\cdot g(\varvec{L}_{1}^{*})\le d\cdot n\); \(1\le \lambda _{1}(\varvec{L})\cdot \lambda _{1}(\varvec{L}_{1}^{*})\le n\), where \(\varvec{L}_{1}^{*}\) is the dual of a saturated rank n sublattice \(\varvec{L}_{1}\) of \(\varvec{L}\). These inequalities show the relationships between the lattice and the dual of the saturated sublattice.
The second contribution is that for any \(\gamma \ge 1\), we give a deterministic polynomial time rank-preserving reduction from \(\text {GAPSAM}_{\gamma }\) to \(\text {GAPCVP}_{\gamma }\).
Micciancio [16] considered \(\text {SVP}^{\prime }\), a variant of \(\text {SVP}\) and a new, less standard problem on lattices. The problem \(\text {SVP}^{\prime }\) is to minimize the norm \(\Vert \varvec{Bx}\Vert \) where \(x=(x_{1},\ldots ,x_{i},\ldots ,x_{n})\) and \(x_{i}\ne 0\) for some i. Here, we propose the promise version \(\text {GAPSVP}^{\prime }\) for \(\text {SVP}^{\prime }\) and show that there exist rank and approximation preserving reductions from \(\text {GAPSAM}_{\gamma }\) to \(\text {GAPSVP}^{\prime }_{\gamma }\) and \(\text {GAPSVP}^{\prime }_{\gamma }\) to \(\text {GAPCVP}_{\gamma }\). Hence, \(\text {GAPSAM}_{\gamma }\) can be reduced to \(\text {GAPCVP}_{\gamma }\) under a deterministic polynomial time rank-preserving reduction.
Organization. The paper is organized as follows. In Sect. 2, we introduce basic notations for lattices and some promise versions of lattice problems. In Sect. 3, we first study the promise problem \(\text {GAPSAM}\) for \(\text {GSVP}\). Then, we present variants of transference theorems for \(\text {GAPSAM}\). From these relationships, we give polynomial time reductions from \(\text {GAPSAM}\) to other lattice problems. In Sect. 4, we show that \(\text {GAPSAM}_{\gamma }\) can be reduced to \(\text {GAPCVP}_{\gamma }\).
2 Preliminaries
Let \(\mathbb {R}^{m}\) be an m-dimensional Euclidean space. For every vector \(\varvec{x}=(x_{1},x_{2},\ldots , x_{m}) \in \mathbb {R}^{m}\), the \(\ell _{2}\)-norm of \(\varvec{x}\) is defined as \(\Vert \varvec{x}\Vert _{2}=\sqrt{\sum _{i=1}^{m}x_{i}^{2}}\). The scalar product of two vectors \(\varvec{x}\) and \(\varvec{y}\) is \(\langle \varvec{x},\varvec{y}\rangle =\sum _{i}x_{i}y_{i}\). \(dist(\varvec{x},\varvec{L})\) is the minimum Euclidean distance from \(\varvec{x}\in \mathbb {R}^{m}\) to any vector in \(\varvec{L}\). All definitions and results in this paper are based on the \(\ell _{2}\) norm.
Successive minima are fundamental constants of a lattice. The first successive minimum of a lattice \(\varvec{L}\), denoted by \(\lambda _{1}(\varvec{L})\), is the length of the shortest nonzero lattice vector. Formally, \(\lambda _{1}(\varvec{L})=\min \{\Vert \varvec{x}\Vert :\varvec{x}\in \varvec{L}\backslash \{0\}\} =\min _{\varvec{x}\ne \varvec{y}\in \varvec{L}}\Vert \varvec{x}-\varvec{y}\Vert .\) The ith minimum \(\lambda _{i}(\varvec{L})\) of a lattice \(\varvec{L}\) is the smallest value r such that \(\mathcal {B}(0,r)\) contains i linearly independent lattice vectors, that is, \(\lambda _{i}(\varvec{L})=\min \{r:dim(\varvec{L}\cap \mathcal {B}(0,r))\ge i\}\) where \(\mathcal {B}(0,r)\) is an open ball of radius r centered at \(\varvec{0}\).
Let \(g(\varvec{B})\) be the maximum length of vectors \(\varvec{b}_{i}\) in the basis \(\varvec{B}\), that is, \(g(\varvec{B})=\max \limits _{i}{\Vert \varvec{b}_{i}\Vert }\). We define \(g(\varvec{L})\) as the minimum value of \(g(\varvec{B})\) over all bases \(\varvec{B}\) of \(\varvec{L}\), that is, \(g(\varvec{L})=\min \limits _{\varvec{B}}{g(\varvec{B})}\).
The following are several important lattice problems. Here we only concentrate on promise problems for approximate lattice problems.
Definition 1

\((\varvec{L},r)\) is a YES instance if \(\lambda _{1}(\varvec{L})\le r\),

\((\varvec{L},r)\) is a NO instance if \(\lambda _{1}(\varvec{L})>\gamma \cdot r.\)
Definition 2

\((\varvec{L},\varvec{t},r)\) is a YES instance if \(dist(\varvec{L},\varvec{t})\le r\),

\((\varvec{L},\varvec{t},r)\) is a NO instance if \(dist(\varvec{L},\varvec{t})>\gamma \cdot r.\)
Definition 3

\((\varvec{L},r)\) is a YES instance if \(\lambda _{n}(\varvec{L})\le r\),

\((\varvec{L},r)\) is a NO instance if \(\lambda _{n}(\varvec{L})>\gamma \cdot r.\)
Definition 4

\((\varvec{L},r)\) is a YES instance if there exists an equivalent basis \(\varvec{B}^{\prime }\) to \(\varvec{B}\) such that \(g(\mathcal {\varvec{L}}(\varvec{B}^{\prime }))\le r\),

\((\varvec{L},r)\) is a NO instance if every basis \(\varvec{B}^{\prime }\) equivalent to \(\varvec{B}\) has \(g(\mathcal {\varvec{L}}(\varvec{B}^{\prime }))>\gamma \cdot r\).
Definition 5
(\(\mathrm{SVP}^{\prime }\) [16]). Given a lattice basis \(\varvec{B}\in \mathbb {Z}^{m\times n}\) and an index \(i\in \{1,\ldots ,n\}\), find a lattice vector \(\varvec{Bx}\) with \(x_{i}\ne 0\) such that \(\Vert \varvec{Bx}\Vert \le \gamma \cdot \min \{\Vert \varvec{Bx}\Vert :x_{i}\ne 0\}\).
We now propose the promise problem \(\text {GAPSVP}^{\prime }\) associated to the approximate problem \(\text {SVP}^{\prime }\).
Definition 6

\((\varvec{L},i,r)\) is a YES instance if \(\lambda _{1}^{(i)}(\varvec{L})\le r\), i.e. there exists a vector \(\varvec{x}\in \mathbb {Z}^{n}\) with \(x_{i}\ne 0\) such that \(\Vert \varvec{Bx}\Vert \le r\),

\((\varvec{L},i,r)\) is a NO instance if \(\lambda _{1}^{(i)}(\varvec{L})>\gamma \cdot r\), i.e. for all vectors \(\varvec{x}\in \mathbb {Z}^{n}\) with \(x_{i}\ne 0\) we have \(\Vert \varvec{Bx}\Vert >\gamma \cdot r\).
The next definition is a new lattice problem proposed in [6] where reductions from \(\text {SVP}\), \(\text {CVP}\), \(\text {SIVP}\), and \(\text {SMP}\) to \(\text {GSVP}\) are given.
Definition 7
( \(\mathrm{GSVP}\) ). Given a lattice \(\varvec{L}\subseteq \mathbb {Z}^{m}\) and a linear subspace \(\varvec{M}\subset span(\varvec{L})\), the goal is to find a vector \(\varvec{v}\in \varvec{L}\backslash \varvec{M}\) such that \(\Vert \varvec{v}\Vert \le \gamma \cdot dist(0,\varvec{L}\backslash \varvec{M}).\)
It is clear that \(\text {SVP}\) is the special case of \(\text {GSVP}\) with \(\varvec{M}=\{0\}\): in that case we have \(\lambda _{M}(\varvec{L})=\lambda _{1}(\varvec{L})\). So, there is a trivial reduction from \(\text {SVP}_{\gamma }\) to \(\text {GSVP}_{\gamma }\).
3 The Transference Theorems for \(\text {GAPSAM}\)
In this section, we first propose the promise problem \((\text {GAPSAM})\) associated to \(\text {GSVP}\) and present new transference theorems for \(\text {GAPSAM}\).
3.1 The Variants of Cai’s Transference Theorems
Definition 8

\((\varvec{L},\varvec{M},r)\) is a YES instance if \(\lambda _{M}(\varvec{L})\le r\),

\((\varvec{L},\varvec{M},r)\) is a NO instance if \(\lambda _{M}(\varvec{L})>\gamma \cdot r.\)
Banaszczyk [4], Cai [10], and Regev [17] proved the following theorem.
Theorem 1

1. \(\lambda _{1}(\varvec{L})\cdot \lambda _{n}(\varvec{L}^{*})\le c\cdot n.\)

2. \(1\le \lambda _{1}(\varvec{L})\cdot g(\varvec{L}^{*})\le d\cdot n.\)

3. \(1\le \lambda _{1}(\varvec{L})\cdot \lambda _{1}(\varvec{L}^{*})\le n.\)
We also need the following lemma.
Lemma 1
[16]. There is a polynomial time algorithm that on input a lattice basis \(\varvec{B}=[\varvec{b}_{1},\varvec{b}_{2},\ldots ,\varvec{b}_{n}]\in \mathbb {Q}^{m\times n}\) and a linear subspace \(\varvec{S}\), outputs a new basis \(\widetilde{\varvec{B}}=[\tilde{\varvec{b}}_{1},\ldots ,\tilde{\varvec{b}}_{n}]\) for \(\mathcal {\varvec{L}}(\varvec{B})\) such that \(\mathcal {\varvec{L}}(\tilde{\varvec{b}}_{1},\ldots ,\tilde{\varvec{b}}_{d})= \varvec{S}\cap \mathcal {\varvec{L}}(\varvec{B})\), where d is the dimension of \(\varvec{S}\cap span(\varvec{B}).\)
Combining Lemma 1 with Theorem 1, we immediately obtain the following theorem about \(\lambda _{M}(\varvec{L})\). The first two parts in the following theorem are variants of Cai’s result [10]. We prove this independently with a simple method.
Theorem 2

1. \(1\le \lambda _{M}(\varvec{L})\cdot \lambda _{n}(\varvec{L}_{1}^{*})\le c\cdot n.\)

2. \(1\le \lambda _{M}(\varvec{L})\cdot g(\varvec{L}_{1}^{*})\le d\cdot n.\)

3. \(1\le \lambda _{M}(\varvec{L})\cdot \lambda _{1}(\varvec{L}_{1}^{*})\le n.\)
Proof
Since \(\lambda _{1}(\varvec{L})\le \lambda _{M}(\varvec{L})\), we obtain the following corollary.
Corollary 1

1. \(1\le \lambda _{1}(\varvec{L})\cdot \lambda _{n}(\varvec{L}_{1}^{*})\le c\cdot n.\)

2. \(1\le \lambda _{1}(\varvec{L})\cdot g(\varvec{L}_{1}^{*})\le d\cdot n.\)

3. \(1\le \lambda _{1}(\varvec{L})\cdot \lambda _{1}(\varvec{L}_{1}^{*})\le n.\)
This corollary reflects the relationships between the shortest lattice vector of \(\varvec{L}\) and the nth successive minimum, the shortest basis, and the first successive minimum of the dual of a saturated sublattice \(\varvec{L}_{1}\). That is, it connects the lattice with the dual lattice of a saturated sublattice.
Part 1 of Theorem 2 immediately implies reductions between \(\text {GAPSIVP}\) and \(\text {GAPSAM}\).
Theorem 3

The problem \(\text {GAPSAM}_{cn}\) can be reduced to \(\text {GAPSIVP}_{1};\)

The problem \(\text {GAPSIVP}_{cn}\) can be reduced to \(\text {GAPSAM}_{1}.\)
Proof
Let \((\varvec{L},\varvec{M},r)\) be an instance of \(\text {GAPSAM}_{cn}\), where \(\varvec{L}\subseteq \mathbb {Z}^{m}\) is a lattice of rank l, and let \(\varvec{M}\subset span(\varvec{L})\) be a subspace of \(\varvec{L}\). Note that \((\varvec{L},\varvec{M},r)\) is a YES instance if \(\lambda _{M}(\varvec{L})\le r\), whereas \((\varvec{L},\varvec{M},r)\) is a NO instance if \(\lambda _{M}(\varvec{L})>cnr\).
From the proof of Theorem 2, we can obtain a lattice \(\varvec{L}_{1}\) of rank n with the dual \(\varvec{L}_{1}^{*}\). By Theorem 2, if \(\lambda _{M}(\varvec{L})\le r\) then \(\lambda _{n}(\varvec{L}_{1}^{*})\ge 1/\lambda _{M}(\varvec{L})>1/r\); if \(\lambda _{M}(\varvec{L})>cnr\) then \(\lambda _{n}(\varvec{L}_{1}^{*})\le cn/\lambda _{M}(\varvec{L})<cn/(cnr)=1/r\).
The reduction calls a \(\text {GAPSIVP}_{1}\) oracle on \((\varvec{L}_{1}^{*},1/r)\), which allows \(\text {GAPSAM}_{cn}\) to be solved. Indeed, if the \(\text {GAPSIVP}_{1}\) oracle on \((\varvec{L}_{1}^{*},1/r)\) answers YES, then \((\varvec{L},\varvec{M},r)\) is a NO instance of \(\text {GAPSAM}_{cn}\). On the other hand, if the \(\text {GAPSIVP}_{1}\) oracle on \((\varvec{L}_{1}^{*},1/r)\) answers NO, then \((\varvec{L},\varvec{M},r)\) is a YES instance of \(\text {GAPSAM}_{cn}\).
The second reduction follows by a similar method.
Using Theorem 3, we can also show the non-approximability result for \(\text {GAPSAM}\), namely that there exists a constant c such that \(\text {GAPSAM}_{cn}\in coNP\).
Corollary 2
\(\text {GAPSAM}_{cn}\in coNP\) for some constant c.
Proof
Assume that \((\varvec{L},\varvec{M},r)\) is an instance of \(\text {GAPSAM}_{cn}\). Then \((\varvec{L},\varvec{M},r)\) is a YES instance if \(\lambda _{M}(\varvec{L})\le r\), and \((\varvec{L},\varvec{M},r)\) is a NO instance if \(\lambda _{M}(\varvec{L})>cn r\). Hence, we need to prove that if \((\varvec{L},\varvec{M},r)\) is a YES instance then there is no witness that the verifier accepts, and that if \((\varvec{L},\varvec{M},r)\) is a NO instance then there is a witness that the verifier accepts.
Indeed, using Theorem 3, when \((\varvec{L},\varvec{M},r)\) is a YES instance of \(\text {GAPSAM}_{cn}\) we have \(\lambda _{n}(\varvec{L}_{1}^{*})>1/r\), and when \((\varvec{L},\varvec{M},r)\) is a NO instance we have \(\lambda _{n}(\varvec{L}_{1}^{*})\le 1/r\).
We then obtain n vectors \(\varvec{v}_{1},\varvec{v}_{2},\ldots ,\varvec{v}_{n}\) nondeterministically, and check that they are linearly independent vectors of \(\varvec{L}_{1}^{*}\) and that each has length at most \(1/r\). Hence, there exist n vectors for which we accept a NO instance of \(\text {GAPSAM}_{cn}\).
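The check performed by the verifier in this proof can be written out as follows. This is an added example, not code from the paper; it assumes the witness is handed over as integer coefficient vectors with respect to a basis of \(\varvec{L}_{1}^{*}\), and the sample basis `DUAL_BASIS` is constructed for illustration.

```python
from fractions import Fraction

# Constructed sample basis of a rank-2 dual lattice L_1^* (rows are vectors).
DUAL_BASIS = [(Fraction(1, 2), Fraction(0)),
              (Fraction(1, 4), Fraction(1, 4))]


def det(rows):
    """Exact determinant by Gaussian elimination over the rationals."""
    a = [[Fraction(c) for c in row] for row in rows]
    n, result = len(a), Fraction(1)
    for col in range(n):
        pivot = next((r for r in range(col, n) if a[r][col] != 0), None)
        if pivot is None:
            return Fraction(0)
        if pivot != col:
            a[col], a[pivot] = a[pivot], a[col]
            result = -result
        result *= a[col][col]
        for r in range(col + 1, n):
            factor = a[r][col] / a[col][col]
            for k in range(col, n):
                a[r][k] -= factor * a[col][k]
    return result


def lattice_vector(basis, x):
    """Return sum_i x_i * b_i for integer coefficients x."""
    return [sum(Fraction(c) * b[k] for c, b in zip(x, basis))
            for k in range(len(basis[0]))]


def verify_no_witness(dual_basis, coeffs, r):
    """Accept iff coeffs encode n independent vectors of L_1^* of length <= 1/r.

    Integer coefficients guarantee membership in the lattice; because the
    basis vectors are independent, the witness vectors are independent
    exactly when the coefficient matrix has nonzero determinant.
    """
    n = len(dual_basis)
    if len(coeffs) != n or any(len(x) != n for x in coeffs):
        return False
    if any(not isinstance(c, int) for x in coeffs for c in x):
        return False
    if det(coeffs) == 0:
        return False
    bound_sq = 1 / Fraction(r) ** 2          # compare squared lengths exactly
    return all(sum(c * c for c in lattice_vector(dual_basis, x)) <= bound_sq
               for x in coeffs)


if __name__ == "__main__":
    witness = [(0, 1), (-1, 2)]              # vectors (1/4,1/4) and (0,1/2)
    print(verify_no_witness(DUAL_BASIS, witness, 2))           # accepted
    print(verify_no_witness(DUAL_BASIS, witness, 3))           # too long for r=3
    print(verify_no_witness(DUAL_BASIS, [(0, 1), (0, 2)], 2))  # dependent
```

All arithmetic is exact, so the length test never depends on floating-point rounding at the boundary \(1/r\).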
3.2 Relationships Between \(\text {GAPSAM}\) and Other Lattice Problems
In this section, we give polynomial time reductions between promise problems of \(\text {GAPSVP}\), \(\text {GAPSBP}\) and \(\text {GAPSAM}\).
Theorem 4
There are polynomial time Karp reductions between \(\text {GAPSVP}\) and \(\text {GAPSAM}\).

\(\text {GAPSVP}_{n}\) is reducible to \(\text {GAPSAM}_{1}.\)

\(\text {GAPSAM}_{n}\) is reducible to \(\text {GAPSVP}_{1}.\)
Proof
Let \((\varvec{L}_{1}^{*},r)\) be an instance of \(\text {GAPSVP}_{n}\), where \(\varvec{L}_{1}^{*}\subset \mathbb {Z}^{m}\) is a lattice. Let \(\varvec{b}_{1}^{*},\ldots ,\varvec{b}_{n}^{*}\) be a basis of the lattice \(\varvec{L}_{1}^{*}\), and let \(\varvec{L}_{1}\) be the dual lattice of \(\varvec{L}_{1}^{*}\). We may assume that \((\varvec{b}_{1},\ldots ,\varvec{b}_{n})\) is a basis of \(\varvec{L}_{1}\), so there must exist a lattice \(\varvec{L}\) of rank l such that \((\varvec{b}_{1},\ldots ,\varvec{b}_{n})\) is a basis of \(\varvec{L}\cap span(\varvec{b}_{1},\ldots ,\varvec{b}_{n})\), that is, \(\varvec{L}_{1}=\varvec{L}\cap span(\varvec{L}_{1})\). Thus \(\varvec{L}\) has a basis \(\varvec{b}_{1},\ldots ,\varvec{b}_{n},\varvec{b}_{n+1},\ldots ,\varvec{b}_{l}\).
The output of the reduction is \((\varvec{L},\varvec{M},1/r)\). We next show this reduction is correct.
Assume that \((\varvec{L}_{1}^{*},r)\) is a YES instance of \(\text {GAPSVP}_{n}\), so that \(\lambda _{1}(\varvec{L}_{1}^{*})\le r\). From Theorem 2, \(1\le \lambda _{M}(\varvec{L})\cdot \lambda _{1}(\varvec{L}_{1}^{*})\le n.\) We have \(\lambda _{M}(\varvec{L})\ge 1/r.\) Then, \((\varvec{L},\varvec{M},1/r)\) is a NO instance of \(\text {GAPSAM}_{\gamma }\).
Now assume that \((\varvec{L}_{1}^{*},r)\) is a NO instance of \(\text {GAPSVP}_{n}\), so that \(\lambda _{1}(\varvec{L}_{1}^{*})>nr\). By Theorem 2, we have \(\lambda _{M}(\varvec{L})<1/r.\) It follows that \((\varvec{L},\varvec{M},1/r)\) is a YES instance of \(\text {GAPSAM}_{\gamma }\).
The proof of the second part is similar.
Using Theorem 2, we obtain the following corollary.
Corollary 3
There are approximate reductions between \(\text {GAPSBP}\) and \(\text {GAPSAM}\), for some constant d.

\(\text {GAPSAM}_{dn}\) can be reduced to \(\text {GAPSBP}_{1}.\)

\(\text {GAPSBP}_{dn}\) can be reduced to \(\text {GAPSAM}_{1}.\)
4 The Rank and Approximation Preserving Reductions
In this section, we will establish the rank and approximation preserving reduction between \(\text {GAPSAM}\) and other lattice problems.
Theorem 5
For any approximation factor \(\gamma \), there is a deterministic polynomial time rank-preserving reduction from \(\text {GAPSVP}_{\gamma }\) to \(\text {GAPSAM}_{\gamma }\).
Proof
Let \((\varvec{L},r)\) be an instance of \(\text {GAPSVP}_{\gamma }\), and define the \(\text {GAPSAM}_{\gamma }\) instance \((\varvec{L},\varvec{M},r)\), where \(\varvec{M}=\{0\}\subseteq span(\varvec{L})\). If we compute a shortest nonzero lattice vector in \(\varvec{L}\), we compute a shortest lattice vector in \(\varvec{L}\backslash \varvec{M}\), i.e., \(\lambda _{M}(\varvec{L})=\lambda _{1}(\varvec{L})\). So there is a trivial reduction from \(\text {GAPSVP}_{\gamma }\) to \(\text {GAPSAM}_{\gamma }\).
In the following, we will give a deterministic polynomial time rank-preserving reduction from \(\text {GAPSAM}\) to \(\text {GAPCVP}\) by an intermediate problem \(\text {GAPSVP}^{\prime }\).
Theorem 6
For any approximation factor \(\gamma \), there is a deterministic polynomial time rank-preserving reduction from \(\text {GAPSAM}_{\gamma }\) to \(\text {GAPSVP}^{\prime }_{\gamma }\).
Proof
Let \((\varvec{L},\varvec{M},r)\) be an instance of \(\text {GAPSAM}_{\gamma }\), where \(\varvec{L}\subseteq \mathbb {Z}^{m}\) is a lattice of rank n generated by a basis \(\varvec{B}=(\varvec{b_{1}},\ldots ,\varvec{b_{n}})\), and let \(\varvec{M}\subset span(\varvec{L})\) be a subspace. We use the algorithm from Lemma 1, which on input a lattice \(\varvec{L}\) and a subspace \(\varvec{M}\) outputs a new basis \(\widetilde{\varvec{B}}=[\tilde{\varvec{b}}_{1},\ldots ,\tilde{\varvec{b}}_{n}]\) for \(\varvec{L}\) such that \(\varvec{M}\cap \varvec{L}=\mathcal {\varvec{L}}(\tilde{\varvec{b}}_{1},\ldots ,\tilde{\varvec{b}}_{d})\), where d is the dimension of \(\varvec{M}\cap span(\varvec{L})\); then \(\varvec{M}=span(\tilde{\varvec{b}}_{1},\ldots ,\tilde{\varvec{b}}_{d})\). We have \(\varvec{L}=\mathcal {\varvec{L}}(\varvec{B})=\mathcal {\varvec{L}}(\widetilde{\varvec{B}})\), since any lattice vector in \(\varvec{L}\) can be represented as an integral combination of the n linearly independent vectors \(\tilde{\varvec{b}}_{1},\ldots ,\tilde{\varvec{b}}_{n}\). Hence, on input a \(\text {GAPSAM}_{\gamma }\) instance \((\varvec{L},\varvec{M},r)\), the reduction outputs the \(\text {GAPSVP}^{\prime }_{\gamma }\) instance \((\varvec{L},i,r)\) where \(i\in \{d+1,\ldots ,n\}\). We prove that the reduction is correct.
Now assume that \((\varvec{L},\varvec{M},r)\) is a NO instance, \(\lambda _{M}(\varvec{L})>\gamma \cdot r\), i.e., for all vectors \(\varvec{x}=(x_{1},\ldots ,x_{d},x_{d+1},\ldots ,x_{n})\in \mathbb {Z}^{n}\) with \(x_{i}\ne 0\), \(i\in \{d+1,\ldots ,n\}\), we have \(\Vert \widetilde{\varvec{B}}\varvec{x}\Vert >\gamma \cdot r\). Assume for contradiction that \((\varvec{L},i,r)\) is not a NO instance, i.e., there exists a vector \(\varvec{x^{\prime }}=(x^{\prime }_{1},\ldots ,x^{\prime }_{d},x^{\prime }_{d+1},\ldots ,x^{\prime }_{n})\in \mathbb {Z}^{n}\) with \(x^{\prime }_{i}\ne 0\), \(i\in \{d+1,\ldots ,n\}\), such that \(\Vert \widetilde{\varvec{B}}\varvec{x^{\prime }}\Vert \le \gamma \cdot r\). Since \((\varvec{L},\varvec{M},r)\) is a NO instance of \(\text {GAPSAM}_{\gamma }\), we have \(\Vert \widetilde{\varvec{B}}\varvec{x^{\prime }}\Vert >\gamma \cdot r\), contradicting the assumption that \((\varvec{L},i,r)\) is not a NO instance of \(\text {GAPSVP}^{\prime }_{\gamma }\). This proves that \((\varvec{L},i,r)\) is a NO instance.
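The identity behind this reduction, \(\lambda _{M}(\varvec{L})=\min _{i\in \{d+1,\ldots ,n\}}\lambda _{1}^{(i)}(\varvec{L})\) for a basis in the form given by Lemma 1, can be checked by brute force on a small lattice. The following is an added example, not code from the paper; the basis, the subspace and the enumeration bound `BOX` are constructed, \(\lambda _{M}\) is taken to be the length of a shortest vector of \(\varvec{L}\backslash \varvec{M}\) as in Definition 7, and the exhaustive search stands in for the \(\text {GAPSVP}^{\prime }\) oracle.

```python
from itertools import product

# Constructed sample: rows are a basis of L in the form Lemma 1 outputs,
# with the first D vectors generating M ∩ L.
B_TILDE = [(1, 0, 0), (2, 1, 1), (1, 0, 3)]
D = 1
# M = span{(1,0,0)}, described by its normal vectors so that the direct
# computation of lambda_M does not look at basis coefficients at all.
M_NORMALS = [(0, 1, 0), (0, 0, 1)]
BOX = 3  # coefficient bound for the search; sufficient for this sample


def combine(basis, x):
    """Return the lattice vector sum_i x_i * b_i."""
    return tuple(sum(c * b[k] for c, b in zip(x, basis))
                 for k in range(len(basis[0])))


def norm_sq(v):
    return sum(c * c for c in v)


def in_subspace(v, normals):
    return all(sum(a * c for a, c in zip(nrm, v)) == 0 for nrm in normals)


def coefficient_vectors(n, box=BOX):
    return product(range(-box, box + 1), repeat=n)


def lambda_m_sq(basis, normals):
    """Squared subspace avoiding minimum: shortest lattice vector outside M."""
    return min(norm_sq(v)
               for v in (combine(basis, x)
                         for x in coefficient_vectors(len(basis)))
               if not in_subspace(v, normals))


def svp_prime_sq(basis, i):
    """Squared lambda_1^(i): shortest Bx with x_i != 0 (i is 1-based)."""
    return min(norm_sq(combine(basis, x))
               for x in coefficient_vectors(len(basis)) if x[i - 1] != 0)


def gap_answer(value_sq, r, gamma):
    """Classify a squared minimum against the promise (YES <= r, NO > gamma*r)."""
    if value_sq <= r * r:
        return "YES"
    if value_sq > (gamma * r) ** 2:
        return "NO"
    return "OUTSIDE PROMISE"


def gapsam_via_svp_prime(basis, d, r, gamma):
    """Decide GAPSAM by querying GAPSVP' on (L, i, r) for every i > d."""
    answers = [gap_answer(svp_prime_sq(basis, i), r, gamma)
               for i in range(d + 1, len(basis) + 1)]
    if "YES" in answers:
        return "YES"
    if all(a == "NO" for a in answers):
        return "NO"
    return "OUTSIDE PROMISE"


if __name__ == "__main__":
    print("lambda_1^2 =", svp_prime_sq(B_TILDE, 1))
    print("lambda_M^2 =", lambda_m_sq(B_TILDE, M_NORMALS))
    for i in range(D + 1, len(B_TILDE) + 1):
        print(f"lambda_1^({i})^2 =", svp_prime_sq(B_TILDE, i))
    print(gapsam_via_svp_prime(B_TILDE, D, 1, 1))
```

In this sample the shortest lattice vector lies inside \(\varvec{M}\), so \(\lambda _{1}(\varvec{L})<\lambda _{M}(\varvec{L})\), and the two indices \(i>d\) give different values of \(\lambda _{1}^{(i)}\), which is why the minimum over all of them is needed.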
Theorem 7
For any approximation factor \(\gamma \), there is a deterministic polynomial time rank-preserving reduction from \(\text {GAPSVP}^{\prime }_{\gamma }\) to \(\text {GAPCVP}_{\gamma }\).
Proof
We want to prove that if \((\varvec{L},i,r)\) is a YES instance then \((\varvec{L}^{(j)},t^{(j)},r)\) is a YES instance for some \(j=1,\ldots ,n\), while if \((\varvec{L},i,r)\) is a NO instance then \((\varvec{L}^{(j)},t^{(j)},r)\) is a NO instance for all \(j=1,\ldots ,n\).
Combining the two theorems, we get the following corollary.
Corollary 4
For any approximation factor \(\gamma \), there is a deterministic polynomial time rank-preserving reduction from \(\text {GAPSAM}_{\gamma }\) to \(\text {GAPCVP}_{\gamma }\).
5 Conclusions
In this paper, we propose the promise problem associated with \(\text {GSVP}\), namely \(\text {GAPSAM}\). We present variants of Cai’s transference theorems for \(\text {GAPSAM}\). From these relationships, we prove that \(\text {GAPSAM}_{cn}\) lies in coNP, where c is a constant. We also give the relationships between the shortest vector of a lattice and the nth successive minimum, the shortest basis, and the shortest vector of the dual of a saturated sublattice. Using these new relations, we reduce some lattice problems to \(\text {GAPSAM}\). We also reduce \(\text {GAPSAM}\) to \(\text {GAPCVP}\) under a deterministic polynomial time rank-preserving reduction.
References
 1. Ajtai, M.: The shortest vector problem in l2 is NP-hard for randomized reductions. In: 30th ACM Symposium on Theory of Computing, pp. 10–19 (1998)
 2. Ajtai, M., Kumar, R., Sivakumar, D.: A sieve algorithm for the shortest lattice vector problem. In: Proceedings of the 33th ACM Symposium on Theory of Computing, pp. 601–610 (2001)
 3. Aharonov, D., Regev, O.: Lattice problems in NP intersect coNP. J. ACM 52(5), 749–765 (2005). Preliminary version in FOCS'04
 4. Banaszczyk, W.: New bounds in some transference theorems in the geometry of numbers. Math. Ann. 296, 625–635 (1993)
 5. Blömer, J., Naewe, S.: Sampling methods for shortest vectors, closest vectors and successive minima. Theor. Comput. Sci. 410, 1648–1665 (2009)
 6. Blömer, J., Naewe, S.: Sampling methods for shortest vectors, closest vectors and successive minima. In: Arge, L., Cachin, C., Jurdziński, T., Tarlecki, A. (eds.) ICALP 2007. LNCS, vol. 4596, pp. 65–77. Springer, Heidelberg (2007)
 7. Blömer, J., Seifert, J.P.: On the complexity of computing short linearly independent vectors and short bases in a lattice. In: Thirty-First Annual ACM Symposium on Theory of Computing, pp. 711–720. ACM (1999)
 8. Boppana, R., Håstad, J., Zachos, S.: Does coNP have short interactive proofs? Inf. Process. Lett. 25, 127–132 (1987)
 9. Cai, J.Y.: A New Transference Theorem and Applications to Ajtai's Connection Factor, Electronic Colloquium on Computational Complexity, TR, pp. 98–05 (1998)
 10. Cai, J.Y.: A new transference theorem in the geometry of numbers and new bounds for Ajtai's connection factor. Discrete Appl. Math. 126, 9–31 (2003)
 11. Goldreich, O., Goldwasser, S.: On the limits of non-approximability of lattice problems. J. Comput. Syst. Sci. 60(3), 540–563 (2000)
 12. Guruswami, V., Micciancio, D., Regev, O.: The complexity of the covering radius problem on lattices and codes. Comput. Complexity 14(2), 90–121 (2005). Preliminary version in CCC 2004
 13. Haviv, I., Regev, O.: Tensor-based hardness of the shortest vector problem to within almost polynomial factors. Theory Comput. 8, 513–531 (2012)
 14. Khot, S.: Hardness of approximating the shortest vector problem in lattices. J. ACM 52(5), 789–808 (2005)
 15. Lagarias, C., Lenstra, H., Schnorr, C.P.: Korkin-Zolotarev bases and successive minima of a lattice and its reciprocal lattice. Combinatorica 10, 333–348 (1990)
 16. Micciancio, D.: Efficient reductions among lattice problems. In: 19th Annual ACM-SIAM Symposium on Discrete Algorithms, SODA 2008, pp. 84–93. Society for Industrial and Applied Mathematics (2008)
 17. Regev, O.: Lecture Note on Lattices in Computer Science. Lecture 8: Dual Lattice (2004)