
On Promise Problem of the Generalized Shortest Vector Problem

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9543)

Abstract

In 2009, Blömer and Naewe proposed the Generalized Shortest Vector Problem \((\text {GSVP})\). We initiate the study of the promise problem (\(\text {GAPSAM}\)) for \(\text {GSVP}\). It is a promise problem associated with estimating the subspace avoiding minimum. We show \(\text {GAPSAM}_{c\cdot n}\) lies in coNP, where c is a constant. Furthermore, we study relationships between \(\text {GAPSAM}\) of a lattice and the nth successive minimum, the shortest basis, and the shortest vector in the dual of the saturated sublattice, and obtain new transference theorems for \(\text {GAPSAM}\). Then, using the new transference theorems, we give various deterministic polynomial time reductions among the promise problems for some lattice problems. We also show \(\text {GAPSAM}_{\gamma }\) can be reduced to the promise problem associated to the Closest Vector Problem (\(\text {GAPCVP}_{\gamma }\)) under a deterministic polynomial time rank-preserving reduction.

Keywords

The generalized shortest vector problem; The saturated sublattice; Transference theorems; Polynomial time reduction

1 Introduction

A lattice is the set of all integer combinations of n linearly independent vectors in \(\mathbb {R}^{m}\), where n is the rank of the lattice, m is the dimension of the lattice, and the n linearly independent vectors are called a lattice basis. Let \(B=[\varvec{b}_{1},\varvec{b}_{2},\ldots ,\varvec{b}_{n}]\) be a basis of the lattice \(\varvec{L}\). The ith successive minimum \(\lambda _{i}(\varvec{L})\) of the lattice \(\varvec{L}\) is the least number r such that the sphere centered at the origin with radius r contains i linearly independent lattice vectors. The length of a basis \(\varvec{B}\) is \(g(\varvec{B})\), that is, \(g(\varvec{\varvec{B}})=\max \limits _{i}{\Vert \varvec{b}_{i}\Vert }\), and \(g(\varvec{L})\) is the minimum value of \(g(\varvec{B})\) over all bases \(\varvec{B}\) of \(\varvec{L}\). Some important lattice problems are defined below, where \(\gamma \ge 1\) is a function of rank:

\(\text {SVP}\) (Shortest Vector Problem): Given a lattice \(\varvec{L}\), find a nonzero lattice vector \(\varvec{v}\) such that \(\Vert \varvec{v}\Vert \le \gamma \cdot \lambda _{1}(\varvec{L})\).

\(\text {CVP}\) (Closest Vector Problem): Given a lattice \(\varvec{L}\) and a target vector \(\varvec{t}\), find a lattice point \(\varvec{v}\) such that \(dist(\varvec{v},\varvec{t})\le \gamma \cdot dist(\varvec{L},\varvec{t})\).

\(\text {SIVP}\) (Shortest Independent Vector Problem): Given a lattice \(\varvec{L}\) of rank n, find n linearly independent lattice vectors \(\varvec{s}_{1},\varvec{s}_{2},\ldots ,\varvec{s}_{n}\) such that \(\Vert \varvec{s}_{i}\Vert \le \gamma \cdot \lambda _{n}(\varvec{L}),i=1,2,\ldots ,n\).

\(\text {SBP}\) (Shortest Basis Problem): Given a lattice \(\varvec{L}\), \(\varvec{L}\) is generated by basis \(\varvec{B}\), find an equivalent basis \(\varvec{B}^{\prime }\) such that \(g(\mathcal {\varvec{L}}(\varvec{B}^{\prime }))\le \gamma \cdot g(\varvec{L})\).

These lattice problems have been widely studied, and it is known that all of these problems are NP-hard [1, 7, 13, 14]. Aharonov and Regev [3] showed that approximating \(\text {SVP}\) and \(\text {CVP}\) lie in \(NP\cap coNP\) within a factor of \(\sqrt{n}\). Goldreich and Goldwasser [11] showed that approximating \(\text {SVP}\) and \(\text {CVP}\) lie in \(NP\cap coAM\) within a factor of \(\sqrt{n/O(\log n)}\). Boppana et al. [8] found that approximating \(\text {SVP}\) and \(\text {CVP}\) within a factor of \(\sqrt{n/O(\log n)}\) is not NP-hard unless the polynomial hierarchy collapses. Ajtai, Kumar and Sivakumar [2] proposed a sieve method for computing \(\text {SVP}\) under a randomized \(2^{O(n)}\) time algorithm. Blömer and Seifert [7] proved that approximating \(\text {SIVP}\) and \(\text {SBP}\) within any constant factor are NP-hard and within a factor of \(O(n/\sqrt{\log n})\) are \(NP\cap coAM\). Guruswami et al. [12] proved that \(\text {SIVP}\) lies in coAM within an improved approximation factor of \(O(\sqrt{n/\log n})\) and is in coNP within an approximation factor of \(O(\sqrt{n})\). Blömer and Naewe [5] proposed the Generalized Shortest Vector Problem (\(\text {GSVP}\)) and gave polynomial-time reductions from \(\text {SVP}\), \(\text {CVP}\), \(\text {SIVP}\), and \(\text {SMP}\) (Successive Minima Problem) to \(\text {GSVP}\). They also proved that there exists a randomized algorithm in single-exponential time which approximates the \(\text {GSVP}\) within a factor of \(1+\epsilon \), where \(0<\epsilon \le 2\), with success probability \(1-2^{-\varOmega (n)}\) for all \(\ell _{p}\) norms. This result implies that in single-exponential time there exists an approximation algorithm for all above-mentioned lattice problems for all \(\ell _{p}\) norms for \(1\le p\le \infty \). 
Micciancio [16] gave efficient reductions among approximation problems and showed that several lattice problems are equivalent under polynomial-time rank-preserving reductions.

Transference theorems reflect relationships between the successive minima of a lattice and its dual lattice. As a consequence of transference theorems, it was shown in [15] that, under Karp reduction, \(\text {SVP}_{O(n)}\) cannot be NP-hard unless \(NP=coNP\). Banaszczyk [4] proved the following inequality: for a lattice \(\varvec{L}\) of rank n with dual lattice \(\varvec{L}^{*}\), \(1\le \lambda _{1}(\varvec{L})\cdot \lambda _{n}(\varvec{L}^{*})\le n\). Cai [9, 10] generalized the transference theorems of Banaszczyk to obtain the following bounds relating the successive minima of a lattice with the minimum length of generating vectors of its dual: for a lattice \(\varvec{L}\) of rank n with dual lattice \(\varvec{L}^{*}\), \(1\le \lambda _{n-i+1}(\varvec{L})\cdot g_{i}(\varvec{L}^{*})\le C\cdot n\) for all \(1\le i\le n\) and some universal constant C. The lattice quantity \(g_{i}(\varvec{L})\) is defined as follows. First, \(g(\varvec{L})\) is the minimum value r such that the ball \(\mathcal {\varvec{B}}(0,r)\) centered at 0 with radius r contains a set of linearly independent lattice vectors that generate the lattice \(\varvec{L}\). A sublattice \(\varvec{L}^{\prime }\subset \varvec{L}\) is called saturated if \(\varvec{L}^{\prime }=\varvec{L}\cap span(\varvec{L}^{\prime })\) [10]. Then, \(g_{i}(\varvec{L})\) is the minimum value r such that the sublattice generated by \(\varvec{L}\cap \mathcal {\varvec{B}}(0,r)\) contains an i dimensional saturated sublattice \(\varvec{L}^{\prime }\) for \(1\le i\le dim(\varvec{L})\). From [10], \(\lambda _{i}(\varvec{L})\cdot g_{n-i+1}(\varvec{L}^{*})\le C\cdot n\) and \(g_{n}(\varvec{L})=g(\varvec{L})\) for all \(1\le i\le n\); the proof used the discrete Fourier transform and discrete potential functions.

Our Contributions. The first contribution is to present the promise problem \(\text {GAPSAM}\) associated with \(\text {GSVP}\) and construct new transference theorems for \(\text {GAPSAM}\) using the algorithm from [16] and properties of subspace. We obtain the following inequalities:
$$\begin{aligned} 1\le \lambda _{M}(\varvec{L})\cdot \lambda _{n}(\varvec{L}_{1}^{*})\le c\cdot n, \end{aligned} \tag{1}$$
$$\begin{aligned} 1\le \lambda _{M}(\varvec{L})\cdot g(\varvec{L}_{1}^{*})\le d\cdot n, \end{aligned} \tag{2}$$
where n is the rank of \(\varvec{L}_{1}\), \(\varvec{L}_{1}^{*}\) is the dual of \(\varvec{L}_{1}\), and c and d are constants. The subspace avoiding minimum \(\lambda _{M}(\varvec{L})\) of a lattice \(\varvec{L}\) with respect to some subspace \(\varvec{M}\subset span(\varvec{L})\) is the smallest real number r such that there exists a vector in \(\varvec{L}\backslash \varvec{M}\) of length at most r.
By Regev’s result [17], we also prove that for a lattice \(\varvec{L}\) of rank l and a subspace \(\varvec{M}\subset span(\varvec{L})\),
$$\begin{aligned} 1\le \lambda _{M}(\varvec{L})\cdot \lambda _{1}(\varvec{L}_{1}^{*})\le n, \end{aligned} \tag{3}$$
where \(\varvec{L}_{1}^{*}\) is the dual of a saturated rank n sublattice \(\varvec{L}_{1}\) of \(\varvec{L}\).

The inequality (2) is similar to Cai’s, but our proof is simpler. In [9, 10], Cai presented the inequality \(1\le \lambda _{1}(\varvec{L})\cdot g(\varvec{L}^{*})\le C\cdot n\), which reflects the relationship between the shortest lattice vector of \(\varvec{L}\) and the shortest basis of the dual lattice \(\varvec{L}^{*}\). Our result, \(1\le \lambda _{M}(\varvec{L})\cdot g(\varvec{L}_{1}^{*})\le d\cdot n\), associates the minimum length of lattice vectors in \(\varvec{L}\backslash \varvec{M}\) to the shortest basis of dual saturated sublattice \(\varvec{L}_{1}\) generated by intersecting \(\varvec{L}\) with a subspace \(\varvec{V}\subset span(\varvec{L})\), where \(\varvec{V}\oplus \varvec{M}=span(\varvec{L})\).

By these results, we prove that \(\text {GAPSAM}_{cn}\) is in coNP, where c is a constant. We also give polynomial reductions between \(\text {GAPSVP}\), \(\text {GAPSIVP}\), and \(\text {GAPSBP}\) and \(\text {GAPSAM}\). We also obtain the following inequalities: \(1\le \lambda _{1}(\varvec{L})\cdot \lambda _{n}(\varvec{L}_{1}^{*})\le c\cdot n\); \(1\le \lambda _{1}(\varvec{L})\cdot g(\varvec{L}_{1}^{*})\le d\cdot n\); \(1\le \lambda _{1}(\varvec{L})\cdot \lambda _{1}(\varvec{L}_{1}^{*})\le n\), where \(\varvec{L}_{1}^{*}\) is the dual of a saturated rank n sublattice \(\varvec{L}_{1}\) of \(\varvec{L}\). These inequalities show the relationships between the lattice and the dual of the saturated sublattice.

The second contribution is that for any \(\gamma \ge 1\), we give a deterministic polynomial time rank-preserving reduction from \(\text {GAPSAM}_{\gamma }\) to \(\text {GAPCVP}_{\gamma }\).

Micciancio [16] considered \(\text {SVP}^{\prime }\) as a variant of \(\text {SVP}\) which is a new less standard problem on lattices. The problem \(\text {SVP}^{\prime }\) is to minimize the norm \(\Vert \varvec{Bx}\Vert \) where \(x=(x_{1},\ldots ,x_{i},\ldots ,x_{n})\) and \(x_{i}\ne 0\) for some i. Here, we propose the promise version \(\text {GAPSVP}^{\prime }\) for \(\text {SVP}^{\prime }\) and show that there exist rank and approximation preserving reductions from \(\text {GAPSAM}_{\gamma }\) to \(\text {GAPSVP}^{\prime }_{\gamma }\) and \(\text {GAPSVP}^{\prime }_{\gamma }\) to \(\text {GAPCVP}_{\gamma }\). Hence, \(\text {GAPSAM}_{\gamma }\) can be reduced to \(\text {GAPCVP}_{\gamma }\) under deterministic polynomial time rank-preserving reduction.

Organization. The paper is organized as follows. In Sect. 2, we introduce basic notations for lattices and some promise versions of lattice problems. In Sect. 3, we first study the promise problem \(\text {GAPSAM}\) for \(\text {GSVP}\). Then, we present variants of transference theorems for \(\text {GAPSAM}\). From these relationships, we give polynomial time reductions from \(\text {GAPSAM}\) to other lattice problems. In Sect. 4, we show that \(\text {GAPSAM}_{\gamma }\) can be reduced to \(\text {GAPCVP}_{\gamma }\).

2 Preliminaries

Let \(\mathbb {R}^{m}\) be an m-dimensional Euclidean space. For every vector \(\varvec{x}=(x_{1},x_{2},\ldots , x_{m}) \in \mathbb {R}^{m}\), the \(\ell _{2}\)-norm of \(\varvec{x}\) is defined as \(\Vert \varvec{x}\Vert _{2}=\sqrt{\sum _{i=1}^{m}x_{i}^{2}}\). The scalar product of two vectors \(\varvec{x}\) and \(\varvec{y}\) is \(\langle \varvec{x},\varvec{y}\rangle =\sum _{i}x_{i}y_{i}\). dist(\(\varvec{x}\),\(\varvec{L}\)) is the minimum Euclidean distance from \(\varvec{x}\in \mathbb {R}^{m}\) to any vector in \(\varvec{L}\). All definitions and results in this paper are based on the \(\ell _{2}\) norm.

A lattice \(\varvec{L}\) is the set of all linear combinations generated by n linearly independent vectors \(\varvec{b}_{1},\ldots ,\varvec{b}_{n}\) in \(\mathbb {R}^{m}\)(\(m\ge n\)), that is,
$$\begin{aligned} \varvec{L}=\{\sum _{i=1}^{n}x_{i}\varvec{b}_{i}|x_{i}\in \mathbb {Z},1\le i\le n\}. \end{aligned}$$
The integer n is the rank of the lattice and m is the dimension of the lattice. The sequence of linearly independent vectors \(\varvec{b}_{1},\ldots ,\varvec{b}_{n}\in \mathbb {R}^{m}\) is called a basis of the lattice. We can represent \(\varvec{b}_{1},\ldots ,\varvec{b}_{n}\) as a matrix \(\varvec{B}\) with m rows and n columns, that is, \(\varvec{B}=[\varvec{b}_{1},\ldots ,\varvec{b}_{n}]\in \mathbb {R}^{m\times n}\). The lattice \(\varvec{L}\) generated by a basis \(\varvec{B}\) is denoted by \(\varvec{L}=\mathcal {\varvec{L}}(\varvec{B})=\{\varvec{B}\varvec{x}:\varvec{x}\in \mathbb {Z}^{n}\}\). A lattice has many different bases. Two matrices \(\varvec{B}\) and \(\varvec{B}^{\prime }\) are two bases of the same lattice \(\mathcal {\varvec{L}}\) if and only if \(\varvec{B}=\varvec{B}^{\prime }U\) for some unimodular matrix U. If \(\mathcal {\varvec{L}}(\varvec{S})\) is a sublattice of \(\mathcal {\varvec{L}}(\varvec{B})\), then any lattice point from the lattice \(\mathcal {\varvec{L}}(\varvec{S})\) also belongs to \(\mathcal {\varvec{L}}(\varvec{B})\). We denote this by \(\mathcal {\varvec{L}}(\varvec{S})\subseteq \mathcal {\varvec{L}}(\varvec{B})\).
For a lattice \(\varvec{L}\), the dual lattice \(\varvec{L}^{*}\) is a set of all vectors \(\varvec{y}\in span(\varvec{L})\) that satisfy \(\langle \varvec{x},\varvec{y}\rangle \in \mathbb {Z}\) for all \(\varvec{x}\in \varvec{L}\), that is,
$$\begin{aligned} \varvec{L}^{*}=\{\varvec{y}\in span(\varvec{L}):\forall \varvec{x}\in \varvec{L},\langle \varvec{x},\varvec{y}\rangle \in \mathbb {Z}\}. \end{aligned}$$
The dual lattice \(\varvec{L}^{*}\) is a lattice.

Successive minima are fundamental constants of a lattice. The first successive minimum of a lattice \(\varvec{L}\), denoted by \(\lambda _{1}(\varvec{L})\), is the length of the shortest non-zero lattice vector. Formally, \(\lambda _{1}(\varvec{L})=min\{\Vert \varvec{x}\Vert :\varvec{x}\in \varvec{L}\backslash \{0\}\} =min_{\varvec{x}\ne \varvec{y}\in \varvec{L}}\Vert \varvec{x}-\varvec{y}\Vert .\) The ith minimum \(\lambda _{i}(\varvec{L})\) of a lattice \(\varvec{L}\) is the smallest value r such that \(\mathcal {B}(0,r)\) contains i linearly independent lattice vectors, that is, \(\lambda _{i}(\varvec{L})=min\{r:dim(\varvec{L}\cap \mathcal {B}(0,r))\ge i\}\) where \(\mathcal {B}(0,r)\) is an open ball of radius r centered in \(\varvec{0}\).

Let \(g(\varvec{B})\) be the maximum length of vectors \(\varvec{b}_{i}\) in the basis \(\varvec{B}\), that is, \(g(\varvec{B})=\max \limits _{i}{\Vert \varvec{b}_{i}\Vert }\). We define \(g(\varvec{L})\) as the minimum value of \(g(\varvec{B})\) over all bases \(\varvec{B}\) of \(\varvec{L}\), that is, \(g(\varvec{L})=\min \limits _{\varvec{B}}{g(\varvec{B})}\).

The following are several important lattice problems. Here we only concentrate on promise problems for approximate lattice problems.

Definition 1

( \(\mathrm{GAPSVP}_{\gamma }\) ). \((\varvec{L},r)\) is an instance of \(\text {GAPSVP}_{\gamma }\), where \(\varvec{L}\subseteq \mathbb {Z}^{m}\) is a lattice of rank n and \(r\in \mathbb {Q}\) is a rational number, such that
  • \((\varvec{L},r)\) is a YES instance if \(\lambda _{1}(\varvec{L})\le r\),

  • \((\varvec{L},r)\) is a NO instance if \(\lambda _{1}(\varvec{L})>\gamma \cdot r.\)

Definition 2

( \(\mathrm{GAPCVP}_{\gamma }\) ). \((\varvec{L},\varvec{t},r)\) is an instance of \(\text {GAPCVP}_{\gamma }\), where \(\varvec{L}\subseteq \mathbb {Z}^{m}\) is a lattice of rank n, \(\varvec{t}\in \mathbb {Z}^{m}\) is a vector and \(r\in \mathbb {Q}\) is a rational number, such that
  • \((\varvec{L},\varvec{t},r)\) is a YES instance if \(dist(\varvec{L},\varvec{t})\le r\),

  • \((\varvec{L},\varvec{t},r)\) is a NO instance if \(dist(\varvec{L},\varvec{t})>\gamma \cdot r.\)

Definition 3

( \(\mathrm{GAPSIVP}_{\gamma }\) ). \((\varvec{L},r)\) is an instance of \(\text {GAPSIVP}_{\gamma }\), where \(\varvec{L}\subseteq \mathbb {Z}^{m}\) is a lattice of rank n and \(r\in \mathbb {Q}\) is a rational number, such that
  • \((\varvec{L},r)\) is a YES instance if \(\lambda _{n}(\varvec{L})\le r\),

  • \((\varvec{L},r)\) is a NO instance if \(\lambda _{n}(\varvec{L})>\gamma \cdot r.\)

Definition 4

( \(\mathrm{GAPSBP}_{\gamma }\) ). \((\varvec{L},r)\) is an instance of \(\text {GAPSBP}_{\gamma }\), where \(\varvec{L}\subseteq \mathbb {Z}^{m}\) is a lattice of rank n and generated by a basis \(\varvec{B}\) and \(r\in \mathbb {Q}\) is a rational number, such that
  • \((\varvec{L},r)\) is a YES instance if there exists an equivalent basis \(\varvec{B}^{\prime }\) to \(\varvec{B}\) such that \(g(\mathcal {\varvec{L}}(\varvec{B}^{\prime }))\le r\),

  • \((\varvec{L},r)\) is a NO instance if every basis \(\varvec{B}^{\prime }\) equivalent to \(\varvec{B}\) has \(g(\mathcal {\varvec{L}}(\varvec{B}^{\prime }))>\gamma \cdot r\).

Definition 5

( \(\mathrm{SVP}^{\prime }\) [16]). Given a lattice \(\varvec{B}\in \mathbb {Z}^{m\times n}\) and an index \(i\in \{1,\ldots ,n\}\), find a lattice vector \(\varvec{Bx}\) with \(x_{i}\ne 0\) such that \(\Vert \varvec{Bx}\Vert \le \gamma min\{\Vert \varvec{Bx}\Vert :x_{i}\ne 0\}\).

We now propose the promise problem \(\text {GAPSVP}^{\prime }\) associated to the approximate problem \(\text {SVP}^{\prime }\).

Definition 6

( \(\mathrm{GAPSVP}^{\prime }_{\gamma }\) ). \((\varvec{L},i,r)\) is an instance of \(\text {GAPSVP}^{\prime }_{\gamma }\), where \(\varvec{L}\subseteq \mathbb {Z}^{m}\) is a lattice of rank n and generated by a basis \(\varvec{B}\) and \(r\in \mathbb {Q}\) is a rational number, such that
  • \((\varvec{L},i,r)\) is a YES instance if \(\lambda _{1}^{(i)}(\varvec{L})\le r\), i.e. there exists a vector \(\varvec{x}\in \mathbb {Z}^{n}\) with \(x_{i}\ne 0\) such that \(\Vert \varvec{Bx}\Vert \le r\),

  • \((\varvec{L},i,r)\) is a NO instance if \(\lambda _{1}^{(i)}(\varvec{L})>\gamma \cdot r\), i.e. all vectors \(\varvec{x}\in \mathbb {Z}^{n}\) with \(x_{i}\ne 0\) satisfy \(\Vert \varvec{Bx}\Vert >\gamma \cdot r\),

where \(\lambda _{1}^{(i)}(\varvec{L})=\min \limits _{\varvec{x}\in \mathbb {Z}^{n}} {\{\Vert \varvec{Bx}\Vert :x_{i}\ne 0\}}\).

The next definition is a new lattice problem proposed in [6] where reductions from \(\text {SVP}\), \(\text {CVP}\), \(\text {SIVP}\), and \(\text {SMP}\) to \(\text {GSVP}\) are given.

Definition 7

( \(\mathrm{GSVP}\) ). Given a lattice \(\varvec{L}\subseteq \mathbb {Z}^{m}\) and a linear subspace \(\varvec{M}\subset span(\varvec{L})\), the goal is to find a vector \(\varvec{v}\in \varvec{L}\backslash \varvec{M}\) such that \(\Vert \varvec{v}\Vert \le \gamma \cdot dist(0,\varvec{L}\backslash \varvec{M}).\)

We set
$$\begin{aligned} \lambda _{M}(\varvec{L})=min\{r\in \mathbb {R}|\exists \ \varvec{v}\in \varvec{L}\backslash \varvec{M}, \Vert \varvec{v}\Vert \le r\} \end{aligned}$$
and call this the subspace avoiding minimum (SAM).

It is clear that \(\text {SVP}\) is the special case of \(\text {GSVP}\) with \(\varvec{M}=\{0\}\), in which case \(\lambda _{M}(\varvec{L})=\lambda _{1}(\varvec{L})\). So, there is a trivial reduction from \(\text {SVP}_{\gamma }\) to \(\text {GSVP}_{\gamma }\).

3 The Transference Theorems for \(\text {GAPSAM}\)

In this section, we first propose the promise problem \((\text {GAPSAM})\) associated to \(\text {GSVP}\) and present new transference theorems for \(\text {GAPSAM}\).

3.1 The Variants of Cai’s Transference Theorems

Definition 8

( \(\mathrm{GAPSAM}_{\gamma }\) ). \((\varvec{L},\varvec{M},r)\) is an instance of \(\text {GAPSAM}_{\gamma }\), where \(\varvec{L}\subseteq \mathbb {Z}^{m}\) is a lattice of rank n, \(\varvec{M}\) is a linear subspace of span(\(\varvec{L}\)), \(r\in \mathbb {Q}\) is a rational number, such that
  • \((\varvec{L},\varvec{M},r)\) is a YES instance if \(\lambda _{M}(\varvec{L})\le r\),

  • \((\varvec{L},\varvec{M},r)\) is a NO instance if \(\lambda _{M}(\varvec{L})>\gamma \cdot r.\)

Banaszczyk [4], Cai [10], and Regev [17] proved the following theorem.

Theorem 1

For any rank-n lattice \(\varvec{L}\) with dual lattice \(\varvec{L}^{*}\), there exist constants c, d such that
  • 1. \(\lambda _{1}(\varvec{L})\cdot \lambda _{n}(\varvec{L}^{*})\le c\cdot n.\)

  • 2. \(1\le \lambda _{1}(\varvec{L})\cdot g(\varvec{L}^{*})\le d\cdot n.\)

  • 3. \(1\le \lambda _{1}(\varvec{L})\cdot \lambda _{1}(\varvec{L}^{*})\le n.\)

We also need the following lemma.

Lemma 1

[16]. There is a polynomial time algorithm that on input a lattice basis \(\varvec{B}=[\varvec{b}_{1},\varvec{b}_{2},\ldots ,\varvec{b}_{n}]\in \mathbb {Q}^{m\times n}\) and a linear subspace \(\varvec{S}\), outputs a new basis \(\widetilde{\varvec{B}}=[\tilde{\varvec{b}}_{1},\ldots ,\tilde{\varvec{b}}_{d}]\) for \(\mathcal {\varvec{L}}(\varvec{B})\) such that \(\mathcal {\varvec{L}}(\tilde{\varvec{b}}_{1},\ldots ,\tilde{\varvec{b}}_{d})= \varvec{S}\cap \mathcal {\varvec{L}}(\varvec{B})\), where d is the dimension of \(\varvec{S}\cap span(\varvec{B}).\)

Combining Lemma 1 with Theorem 1, we immediately obtain the following theorem about \(\lambda _{M}(\varvec{L})\). The first two parts in the following theorem are variants of Cai’s result [10]. We prove this independently with a simple method.

Theorem 2

For any rank-l lattice \(\varvec{L}\) and a subspace \(\varvec{M}\subset span(\varvec{L})\), there exist constants \(c>0\), \(d>0\) such that
  • 1. \(1\le \lambda _{M}(\varvec{L})\cdot \lambda _{n}(\varvec{L}_{1}^{*})\le c\cdot n.\)

  • 2. \(1\le \lambda _{M}(\varvec{L})\cdot g(\varvec{L}_{1}^{*})\le d\cdot n.\)

  • 3. \(1\le \lambda _{M}(\varvec{L})\cdot \lambda _{1}(\varvec{L}_{1}^{*})\le n.\)

where \(\varvec{L}_{1}^{*}\) is the dual of saturated sublattice \(\varvec{L}_{1}\) with rank n of \(\varvec{L}\).

Proof

Assume the lattice \(\varvec{L}\) is generated by a basis \(\varvec{B}\in \mathbb {Z}^{m\times l}\). Because \(\varvec{M}\) is a subspace of span(\(\varvec{L}\)), \(rank(\varvec{M})<rank(span(\varvec{L}))\). Note that, by the properties of subspaces, there must exist a subspace \(\varvec{V}\) such that
$$\begin{aligned} \varvec{V}\oplus \varvec{M}=span(\varvec{L}). \end{aligned}$$
Run the algorithm from Lemma 1 on the lattice \(\varvec{L}\) and the subspace \(\varvec{V}\) to obtain a lattice basis \(\widetilde{\varvec{B}}=[\tilde{\varvec{b}}_{1},\ldots ,\tilde{\varvec{b}}_{n}] \in \mathbb {Z}^{m\times n}\) for \(\varvec{L}\), such that \(\mathcal {\varvec{L}}(\tilde{\varvec{b}}_{1},\ldots ,\tilde{\varvec{b}}_{n})=\varvec{V}\cap \varvec{L}\), where \(n=dim(\varvec{V}\cap span(\varvec{L}))\).
Clearly, the two bases \(\varvec{B}\) and \(\widetilde{\varvec{B}}\) are equivalent, that is, \(\widetilde{\varvec{B}}=\varvec{B}U\) for some unimodular matrix U. Let \(\mathcal {\varvec{L}}(\tilde{\varvec{b}}_{1},\ldots , \tilde{\varvec{b}}_{n})=\varvec{L}_{1}.\) Using Theorem 1 for a lattice \(\varvec{L}_{1}\) of rank n, we obtain the inequality:
$$\begin{aligned} \lambda _{1}(\varvec{L}_{1})\cdot \lambda _{n}(\varvec{L}_{1}^{*})\le c\cdot n. \end{aligned}$$
Furthermore, we need to prove that \(1\le \lambda _{1}(\varvec{L}_{1})\cdot \lambda _{n}(\varvec{L}_{1}^{*})\). Let \(v\in \varvec{L}_{1}\) be a vector such that \(\Vert v\Vert =\lambda _{1}(\varvec{L}_{1})\). By definition of \(\lambda _{n}(\varvec{L}_{1}^{*})\), there exist n linearly independent vectors \(x_{1},\ldots ,x_{n}\) in \(\varvec{L}_{1}^{*}\) such that \(\Vert x_{i}\Vert \le \lambda _{n}(\varvec{L}_{1}^{*})\). We clearly see that not all of them are orthogonal to v. Hence, there exists an i such that \(\langle x_{i},v\rangle \ne 0\). Since \(x_{i}\in \varvec{L}_{1}^{*}\) there must be \(\langle x_{i},v\rangle \in \mathbb {Z}\). We have \(1\le \langle x_{i},v\rangle \le \Vert x_{i}\Vert \cdot \Vert v\Vert \le \lambda _{n}(\varvec{L}_{1}^{*})\cdot \lambda _{1}(\varvec{L}_{1})\). Then,
$$\begin{aligned} \lambda _{1}(\varvec{L}_{1})\cdot \lambda _{n}(\varvec{L}_{1}^{*})\ge 1. \end{aligned}$$
Because \(\lambda _{1}(\varvec{L}_{1})\) is the length of a shortest non-zero vector of the saturated sublattice \(\varvec{L}_{1}\subset \varvec{L}\) generated by \(\varvec{L}\cap \varvec{V}\) and \(\lambda _{M}(\varvec{L})\) is the length of a shortest vector in \(\varvec{L}\backslash \varvec{M}\), we have \(\lambda _{M}(\varvec{L})\le \lambda _{1}(\varvec{L}_{1})\). Therefore
$$\begin{aligned} 1\le \lambda _{M}(\varvec{L})\cdot \lambda _{n}(\varvec{L}_{1}^{*})\le c\cdot n. \end{aligned}$$
The proofs of 2 and 3 are similar. For the lattice \(\varvec{L}_{1}\), we have \(1\le \lambda _{1}(\varvec{L}_{1})\cdot g(\varvec{L}_{1}^{*})\le d\cdot n\) and \(1\le \lambda _{1}(\varvec{L}_{1})\cdot \lambda _{1}(\varvec{L}_{1}^{*})\le d\cdot n\). Because \(\lambda _{M}(\varvec{L})\le \lambda _{1}(\varvec{L}_{1})\), the results follow. This completes the proof.

Since \(\lambda _{1}(\varvec{L})\le \lambda _{M}(\varvec{L})\), we obtain the following corollary.

Corollary 1

For any rank-l lattice \(\varvec{L}\) and a subspace \(\varvec{M}\subset span(\varvec{L})\), there exist constants c, d such that
  • 1. \(1\le \lambda _{1}(\varvec{L})\cdot \lambda _{n}(\varvec{L}_{1}^{*})\le c\cdot n.\)

  • 2. \(1\le \lambda _{1}(\varvec{L})\cdot g(\varvec{L}_{1}^{*})\le d\cdot n.\)

  • 3. \(1\le \lambda _{1}(\varvec{L})\cdot \lambda _{1}(\varvec{L}_{1}^{*})\le n.\)

where \(\varvec{L}_{1}^{*}\) is the dual of saturated sublattice \(\varvec{L}_{1}\) with rank n of \(\varvec{L}\).

This corollary reflects the relationships between the shortest lattice vector of \(\varvec{L}\) and the nth successive minimum, the shortest basis, and the first successive minimum of the dual of a saturated sublattice \(\varvec{L}_{1}\). That is, it connects the lattice with the dual lattice of a saturated sublattice.

Part 1 of Theorem 2 immediately implies reductions between \(\text {GAPSIVP}\) and \(\text {GAPSAM}\).

Theorem 3

There are the following Cook reductions between the problems \(\text {GAPSIVP}\) and \(\text {GAPSAM}\):
  • The problem \(\text {GAPSAM}_{cn}\) can be reduced to \(\text {GAPSIVP}_{1};\)

  • The problem \(\text {GAPSIVP}_{cn}\) can be reduced to \(\text {GAPSAM}_{1},\)

where c is a constant.

Proof

Let \((\varvec{L},\varvec{M},r)\) be an instance of \(\text {GAPSAM}_{cn}\), where \(\varvec{L}\subseteq \mathbb {Z}^{m}\) is a lattice of rank l, and let \(\varvec{M}\subset span(\varvec{L})\) be a subspace of \(\varvec{L}\). Note that \((\varvec{L},\varvec{M},r)\) is a YES instance if \(\lambda _{M}(\varvec{L})\le r\), whereas \((\varvec{L},\varvec{M},r)\) is a NO instance if \(\lambda _{M}(\varvec{L})>cnr\).

From the proof of Theorem 2, we can obtain a lattice \(\varvec{L}_{1}\) of rank n with the dual \(\varvec{L}_{1}^{*}\). By Theorem 2, if \(\lambda _{M}(\varvec{L})\le r\) then \(\lambda _{n}(\varvec{L}_{1}^{*})\ge 1/\lambda _{M}(\varvec{L})>1/r\); if \(\lambda _{M}(\varvec{L})>cnr\) then \(\lambda _{n}(\varvec{L}_{1}^{*})\le cn/\lambda _{M}(\varvec{L})<cn/cnr<1/r\).

The reduction calls a \(\text {GAPSIVP}_{1}\) oracle on \((\varvec{L}_{1}^{*},1/r)\), which allows \(\text {GAPSAM}_{cn}\) to be solved. Indeed, if the \(\text {GAPSIVP}_{1}\) oracle on \((\varvec{L}_{1}^{*},1/r)\) answers YES, then \((\varvec{L},\varvec{M},r)\) is a NO instance of \(\text {GAPSAM}_{cn}\). On the other hand, if \(\text {GAPSIVP}_{1}\) oracle on \((\varvec{L}_{1}^{*},1/r)\) answers NO, then \((\varvec{L},\varvec{M},r)\) is a YES instance of \(\text {GAPSAM}_{cn}\).

The second reduction follows by a similar method.

Using Theorem 3, we can also show the non-approximability result for \(\text {GAPSAM}\), namely that there exists a constant c such that \(\text {GAPSAM}_{cn}\in coNP\).

Corollary 2

\(\text {GAPSAM}_{cn}\in coNP\) for some constant c.

Proof

Assume that \((\varvec{L},\varvec{M},r)\) is an instance of \(\text {GAPSAM}_{cn}\). Then \((\varvec{L},\varvec{M},r)\) is a YES instance if \(\lambda _{M}(\varvec{L})\le r\), and \((\varvec{L},\varvec{M},r)\) is a NO instance if \(\lambda _{M}(\varvec{L})>cn r\). Hence, we need to prove that if \((\varvec{L},\varvec{M},r)\) is a YES instance then there is no witness that the verifier accepts, and that if \((\varvec{L},\varvec{M},r)\) is a NO instance then there is a witness that the verifier accepts.

Indeed, using Theorem 3, when \((\varvec{L},\varvec{M},r)\) is a YES instance of \(\text {GAPSAM}_{cn}\) we have \(\lambda _{n}(\varvec{L}_{1}^{*})>1/r\), and when \((\varvec{L},\varvec{M},r)\) is a NO instance we have \(\lambda _{n}(\varvec{L}_{1}^{*})\le 1/r\).

We then obtain n vectors \(\varvec{v}_{1},\varvec{v}_{2},\ldots ,\varvec{v}_{n}\) non-deterministically, and check that they are linearly independent in \(\varvec{L}_{1}^{*}\) and that each has length at most \(1/r\). Hence, there exist n vectors for which we accept a NO instance of \(\text {GAPSAM}_{cn}\).

3.2 Relationships Between \(\text {GAPSAM}\) and Other Lattice Problems

In this section, we give polynomial time reductions between promise problems of \(\text {GAPSVP}\), \(\text {GAPSBP}\) and \(\text {GAPSAM}\).

Theorem 4

There are polynomial time Karp reductions between \(\text {GAPSVP}\) and \(\text {GAPSAM}\).

  • \(\text {GAPSVP}_{n}\) is reducible to \(\text {GAPSAM}_{1}.\)

  • \(\text {GAPSAM}_{n}\) is reducible to \(\text {GAPSVP}_{1}.\)

Proof

Let \((\varvec{L}_{1}^{*},r)\) be an instance of \(\text {GAPSVP}_{n}\), where \(\varvec{L}_{1}^{*}\subset \mathbb {Z}^{m}\) is a lattice. Let \(\varvec{b}_{1}^{*},\ldots ,\varvec{b}_{n}^{*}\) be a basis of the lattice \(\varvec{L}_{1}^{*}\), and let \(\varvec{L}_{1}\) be the dual lattice of \(\varvec{L}_{1}^{*}\). We may assume that \((\varvec{b}_{1},\ldots ,\varvec{b}_{n})\) is a basis of \(\varvec{L}_{1}\), so there must exist a lattice \(\varvec{L}\) of rank l such that \((\varvec{b}_{1},\ldots ,\varvec{b}_{n})\) is a basis of \(\varvec{L}\cap span(\varvec{b}_{1},\ldots ,\varvec{b}_{n})\), that is, \(\varvec{L}_{1}=\varvec{L}\cap span(\varvec{L}_{1})\). Thus \(\varvec{L}\) has a basis \(\varvec{b}_{1},\ldots ,\varvec{b}_{n},\varvec{b}_{n+1},\ldots ,\varvec{b}_{l}\).

Set \(\varvec{V}=span(\varvec{b}_{1},\ldots ,\varvec{b}_{n})\). Then \(\varvec{V}\) is a subspace of \(span(\varvec{L})\) and \(\varvec{L}_{1}\) is a saturated sublattice of \(\varvec{L}\). Define the orthogonal projection
$$\begin{aligned} \pi :span(\varvec{L})\longrightarrow span(\varvec{b}_{1},\ldots ,\varvec{b}_{n})^{\perp } \end{aligned}$$
as follows: for all \(\varvec{b}\in span(\varvec{L})\),
$$\begin{aligned} \pi (\varvec{b})=\varvec{b}-\sum _{i=1}^{n}\frac{\langle \varvec{b}, \tilde{\varvec{b}_{i}}\rangle }{\langle \tilde{\varvec{b}_{i}},\tilde{\varvec{b}_{i}}\rangle }\tilde{\varvec{b}_{i}} \end{aligned}$$
where \(\tilde{\varvec{b}_{i}}\) is the Gram-Schmidt orthogonal vector of \(\varvec{b}_{i}\), \(i=1,\ldots ,n\). \(\pi (\varvec{L})\) is a lattice of rank \(l-n\) with basis \([\pi (\varvec{b}_{n+1}),\ldots ,\pi (\varvec{b}_{l})]\), where \(\varvec{b}_{n+1},\ldots ,\varvec{b}_{l}\in \varvec{L}\). Then, we see that \(\varvec{b}_{1},\ldots ,\varvec{b}_{n},\varvec{b}_{n+1},\ldots ,\varvec{b}_{l}\) is a basis of the lattice \(\varvec{L}\). In the linear span of lattice \(\varvec{L}\), we can find a subspace \(\varvec{M}\) such that \(\varvec{V}\oplus \varvec{M}=span(\varvec{L})\).

The output of the reduction is \((\varvec{L},\varvec{M},1/r)\). We next show this reduction is correct.

Assume that \((\varvec{L}_{1}^{*},r)\) is a YES instance of \(\text {GAPSVP}_{n}\), so that \(\lambda _{1}(\varvec{L}_{1}^{*})\le r\). From Theorem 2, \(1\le \lambda _{M}(\varvec{L})\cdot \lambda _{1}(\varvec{L}_{1}^{*})\le n.\) We have \(\lambda _{M}(\varvec{L})\ge 1/r.\) Then, \((\varvec{L},\varvec{M},1/r)\) is a NO instance of \(\text {GAPSAM}_{\gamma }\).

Now assume that \((\varvec{L}_{1}^{*},r)\) is a NO instance of \(\text {GAPSVP}_{n}\), so that \(\lambda _{1}(\varvec{L}_{1}^{*})>nr\). By Theorem 2, we have \(\lambda _{M}(\varvec{L})<1/r.\) It follows that \((\varvec{L},\varvec{M},1/r)\) is a YES instance of \(\text {GAPSAM}_{\gamma }\).

The proof of the second part is similar.

Using Theorem 2, we obtain the following corollary.

Corollary 3

There are approximate reductions between \(\text {GAPSBP}\) and \(\text {GAPSAM}\), for some constant d.

  • \(\text {GAPSAM}_{dn}\) can be reduced to \(\text {GAPSBP}_{1}.\)

  • \(\text {GAPSBP}_{dn}\) can be reduced to \(\text {GAPSAM}_{1}.\)

4 The Rank and Approximation Preserving Reductions

In this section, we will establish the rank and approximation preserving reduction between \(\text {GAPSAM}\) and other lattice problems.

Theorem 5

For any approximation factor \(\gamma \), there is a deterministic polynomial time rank-preserving reduction from \(\text {GAPSVP}_{\gamma }\) to \(\text {GAPSAM}_{\gamma }\).

Proof

Let \((\varvec{L},r)\) be an instance of \(\text {GAPSVP}_{\gamma }\), and define the \(\text {GAPSAM}_{\gamma }\) instance \((\varvec{L},\varvec{M},r)\), where \(\varvec{M}=\{0\}\subseteq span(\varvec{L})\). If we compute a shortest non-zero lattice vector in \(\varvec{L}\), we compute a shortest lattice vector in \(\varvec{L}\backslash \varvec{M}\), i.e., \(\lambda _{M}(\varvec{L})=\lambda _{1}(\varvec{L})\). So there is a trivial reduction from \(\text {GAPSVP}_{\gamma }\) to \(\text {GAPSAM}_{\gamma }\).

In the following, we will give a deterministic polynomial time rank-preserving reduction from \(\text {GAPSAM}\) to \(\text {GAPCVP}\) by an intermediate problem \(\text {GAPSVP}^{\prime }\).

Theorem 6

For any approximation factor \(\gamma \), there is a deterministic polynomial time rank-preserving reduction from \(\text {GAPSAM}_{\gamma }\) to \(\text {GAPSVP}^{\prime }_{\gamma }\).

Proof

Let \((\varvec{L},\varvec{M},r)\) be an instance of \(\text {GAPSAM}_{\gamma }\), where \(\varvec{L}\subseteq \mathbb {Z}^{m}\) is a lattice of rank n and \(\varvec{L}\) is generated by a basis \(\varvec{B}=(\varvec{b_{1}},\ldots ,\varvec{b_{n}})\), and let \(\varvec{M}\subset span(\varvec{L})\) be a subspace. We use the algorithm from Lemma 1, which on input a lattice \(\varvec{L}\) and a subspace \(\varvec{M}\) outputs a new basis \(\widetilde{\varvec{B}}=[\tilde{\varvec{b}}_{1},\ldots ,\tilde{\varvec{b}}_{n}]\) for \(\varvec{L}\) such that \(\varvec{M}\cap \varvec{L}=\mathcal {\varvec{L}}(\tilde{\varvec{b}}_{1},\ldots ,\tilde{\varvec{b}}_{d})\), where d is the dimension of \(\varvec{M}\cap span(\varvec{L})\); then \(\varvec{M}=span(\tilde{\varvec{b}}_{1},\ldots ,\tilde{\varvec{b}}_{d})\). We have \(\varvec{L}=\mathcal {\varvec{L}}(\varvec{B})=\mathcal {\varvec{L}}(\widetilde{\varvec{B}})\), since any lattice vector in \(\varvec{L}\) can be represented as an integral combination of the n linearly independent vectors \(\tilde{\varvec{b}}_{1},\ldots ,\tilde{\varvec{b}}_{n}\). Hence, on input a \(\text {GAPSAM}_{\gamma }\) instance \((\varvec{L},\varvec{M},r)\), the reduction outputs the \(\text {GAPSVP}^{\prime }_{\gamma }\) instance \((\varvec{L},i,r)\) where \(i\in \{d+1,\ldots ,n\}\). We prove that the reduction is correct.

First assume that \((\varvec{L},\varvec{M},r)\) is a YES instance of \(\text {GAPSAM}_{\gamma }\), \(\lambda _{M}(\varvec{L})\le r\), i.e., there exists a vector \(\varvec{x}=(x_{1},\ldots ,x_{d},x_{d+1},\ldots ,x_{n})\in \mathbb {Z}^{n}\) with \(x_{i}\ne 0\), \(i\in \{d+1,\ldots ,n\}\) such that
$$\begin{aligned} \Vert \widetilde{\varvec{B}}\varvec{x}\Vert =\Vert x_{1}\tilde{\varvec{b}}_{1}+\ldots +x_{d}\tilde{\varvec{b}}_{d} +x_{d+1}\tilde{\varvec{b}}_{d+1}+\ldots +x_{n}\tilde{\varvec{b}}_{n}\Vert \le r. \end{aligned}$$
For any vector \(\varvec{x^{\prime }}=(x^{\prime }_{1},\ldots ,x^{\prime }_{d},x^{\prime }_{d+1},\ldots ,x^{\prime }_{n})\in \mathbb {Z}^{n}\) with \(x^{\prime }_{i}\ne 0\), \(i\in \{d+1,\ldots ,n\}\), we have
$$\begin{aligned} \lambda ^{(i)}_{1}(\varvec{L})=\min \limits _{x^{\prime }\in \mathbb {Z}^{n},x^{\prime }_{i}\ne 0} \{\Vert \widetilde{\varvec{B}}\varvec{x^{\prime }}\Vert \}\le \Vert \widetilde{\varvec{B}}\varvec{x}\Vert \le r. \end{aligned}$$
This proves that \((\varvec{L},i,r)\) is a YES instance.

Now assume that \((\varvec{L},\varvec{M},r)\) is a NO instance, \(\lambda _{M}(\varvec{L})>\gamma \cdot r\), i.e., for all vectors \(\varvec{x}=(x_{1},\ldots ,x_{d},x_{d+1},\ldots ,x_{n})\in \mathbb {Z}^{n}\) with \(x_{i}\ne 0\), \(i\in \{d+1,\ldots ,n\}\), we have \(\Vert \widetilde{\varvec{B}}\varvec{x}\Vert >\gamma \cdot r\). Assume for contradiction that \((\varvec{L},i,r)\) is not a NO instance, i.e., there exists a vector \(\varvec{x^{\prime }}=(x^{\prime }_{1},\ldots ,x^{\prime }_{d},x^{\prime }_{d+1},\ldots ,x^{\prime }_{n})\in \mathbb {Z}^{n}\) with \(x^{\prime }_{i}\ne 0\), \(i\in \{d+1,\ldots ,n\}\), such that \(\Vert \widetilde{\varvec{B}}\varvec{x^{\prime }}\Vert \le \gamma \cdot r\). Since \((\varvec{L},\varvec{M},r)\) is a NO instance of \(\text {GAPSAM}_{\gamma }\), we have \(\Vert \widetilde{\varvec{B}}\varvec{x^{\prime }}\Vert >\gamma \cdot r\), contradicting the assumption that \((\varvec{L},i,r)\) is not a NO instance of \(\text {GAPSVP}^{\prime }_{\gamma }\). This proves that \((\varvec{L},i,r)\) is a NO instance.

Theorem 7

For any approximation factor \(\gamma \), there is a deterministic polynomial time rank-preserving reduction from \(\text {GAPSVP}^{\prime }_{\gamma }\) to \(\text {GAPCVP}_{\gamma }\).

Proof

Let \((\varvec{L},i,r)\) be an instance of \(\text {GAPSVP}^{\prime }_{\gamma }\), where \(\varvec{L}\subseteq \mathbb {Z}^{m}\) is a lattice of rank n and \(\varvec{L}\) is generated by a basis \(\varvec{B}=(\varvec{b_{1}},\ldots ,\varvec{b_{n}})\). We construct instances of \(\text {GAPCVP}_{\gamma }\) as follows. The idea is to use the reduction from \(\text {GCVP}_{\gamma }\) (Generalized Closest Vector Problem) to \(\text {CVP}_{\gamma }\) of [16]. The jth instance consists of a lattice \(\varvec{L}^{(j)}=\mathcal {\varvec{L}}(\varvec{B}^{(j)})=\mathcal {\varvec{L}}(\varvec{b_{1}},\ldots ,2^{j+1}\varvec{b_{i}},\ldots ,\varvec{b_{n}})\) and the target vector \(t^{(j)}=2^{j}\varvec{b_{i}}\), \(j=0,1,\ldots ,\lfloor \log _{2}A\rfloor \) (A is sufficiently large and the bound can be determined; see [16], Theorem 3.2). We use these instances as the corresponding queries to the \(\text {GAPCVP}_{\gamma }\) oracle. Called on all these instances \((\varvec{L}^{(j)},t^{(j)})\), the \(\text {GAPCVP}_{\gamma }\) oracle returns the shortest difference vectors. Since r is given in the \(\text {GAPSVP}^{\prime }_{\gamma }\) instance \((\varvec{L},i,r)\), we return YES if and only if at least one of the oracle calls is answered by YES. For example, on the jth call with input \((\varvec{L}^{(j)},t^{(j)})\), the shortest vector \(\varvec{B}^{(j)}\varvec{x}-t^{(j)}\in \varvec{L}\) is returned, where \(x=(x_{1},x_{2},\ldots ,x_{i},\ldots ,x_{n})\in \mathbb {Z}^{n}\) and
$$\begin{aligned} \Vert \varvec{B}^{(j)}\varvec{x}-t^{(j)}\Vert= & {} \Vert x_{1}\varvec{b}_{1}+x_{2}\varvec{b}_{2}+\ldots +x_{i}\cdot 2^{j+1}\varvec{b}_{i}+\ldots +x_{n}\varvec{b}_{n}-2^{j}\varvec{b}_{i}\Vert \\= & {} \Vert x_{1}\varvec{b}_{1}+x_{2}\varvec{b}_{2}+\ldots +2^{j}(2x_{i}-1)\varvec{b}_{i}+\ldots +x_{n}\varvec{b}_{n}\Vert \\\le & {} \gamma . \end{aligned}$$
Since \(x_{i}\in \mathbb {Z}\), we have \(2^{j}(2x_{i}-1)\ne 0\). There exists a vector \(\varvec{x}^{\prime }=(x_{1},x_{2},\ldots ,x^{\prime }_{i}, \ldots ,x_{n})\in \mathbb {Z}^{n}\) with \(x^{\prime }_{i}=2^{j}(2x_{i}-1)\ne 0\) for some \(i\in \{1,\ldots ,n\}\) such that \(\Vert \varvec{B}^{(j)}\varvec{x}-t^{(j)}\Vert =\Vert \varvec{B}\varvec{x}^{\prime }\Vert \le r\). Then, \((\varvec{L},i,r)\) is a YES instance of \(\text {GAPSVP}^{\prime }_{\gamma }\). Here j is selected as the highest power of 2 such that \(2^{j}\) divides \(x_{i}\). The reduction outputs the \(\text {GAPCVP}_{\gamma }\) instance \((\varvec{L}^{(j)},t^{(j)},r)\).

We want to prove that if \((\varvec{L},i,r)\) is a YES instance then \((\varvec{L}^{(j)},t^{(j)},r)\) is a YES instance for some \(j=1,\ldots ,n\), while if \((\varvec{L},i,r)\) is a NO instance then \((\varvec{L}^{(j)},t^{(j)},r)\) is a NO instance for all \(j=1,\ldots ,n\).

First assume \((\varvec{L},i,r)\) is a YES instance, \(\lambda ^{(i)}_{1}({\varvec{L}})\le r\), i.e., there exists a vector \(\varvec{x}=(x_{1},x_{2},\ldots ,x_{i},\ldots ,x_{n})\in \mathbb {Z}^{n}\) with \(x_{i}\ne 0\), \(i\in \{1,\ldots ,n\}\) such that \(\Vert \varvec{B}\varvec{x}\Vert \le r\). Let j be the highest power of 2 such that \(2^{j}\) divides \(x_{i}\). Since \(x_{i}\) is nonzero, we can write \(x_{i}=2^{j}(2a-1)\) for some integer a. We obtain the vector \(\varvec{x}^{\prime }\) by replacing the ith entry \(x_{i}\) with a, i.e., \(\varvec{x}^{\prime }=(x_{1},x_{2},\ldots ,a,\ldots ,x_{n})\in \mathbb {Z}^{n}\). Then,
$$\begin{aligned} dist(\varvec{L}^{(j)},t^{(j)})\le & {} \Vert \varvec{B}^{(j)}\varvec{x}^{\prime }-t^{(j)}\Vert \\= & {} \Vert x_{1}\varvec{b}_{1}+x_{2}\varvec{b}_{2}+\ldots +a\cdot 2^{j+1}\varvec{b}_{i}+\ldots +x_{n}\varvec{b}_{n}-2^{j}\varvec{b}_{i}\Vert \\= & {} \Vert x_{1}\varvec{b}_{1}+x_{2}\varvec{b}_{2}+\ldots +2^{j}(2a-1)\varvec{b}_{i}+\ldots +x_{n}\varvec{b}_{n}\Vert \\= & {} \Vert \varvec{B}\varvec{x}\Vert \le r. \end{aligned}$$
This proves that \((\varvec{L}^{(j)},t^{(j)},r)\) is a YES instance.

Now assume that \((\varvec{L},i,r)\) is a NO instance, \(\lambda ^{(i)}_{1}({\varvec{L}})>\gamma \cdot r\), i.e., for any vector \(\varvec{x}=(x_{1},x_{2},\ldots ,x_{i},\ldots ,x_{n})\in \mathbb {Z}^{n}\) with \(x_{i}\ne 0\), \(i\in \{1,\ldots ,n\}\), we have \(\Vert \varvec{B}\varvec{x}\Vert >\gamma \cdot r\). For some j,
$$\begin{aligned} dist(\varvec{L}^{(j)},t^{(j)})= & {} \min \limits _{\varvec{x}\in \mathbb {Z}^{n}}{\Vert \varvec{B}^{(j)}\varvec{x}-t^{(j)}\Vert }\\= & {} \min \limits _{\varvec{x}\in \mathbb {Z}^{n}}{\Vert x_{1}\varvec{b}_{1}+x_{2}\varvec{b}_{2}+\ldots +x_{i}\cdot 2^{j+1}\varvec{b}_{i}+\ldots +x_{n}\varvec{b}_{n}-2^{j}\varvec{b}_{i}\Vert }\\= & {} \min \limits _{\varvec{x}\in \mathbb {Z}^{n}}{\Vert x_{1}\varvec{b}_{1}+x_{2}\varvec{b}_{2}+\ldots +2^{j}(2x_{i}-1)\varvec{b}_{i}+\ldots +x_{n}\varvec{b}_{n}\Vert }\\> & {} \gamma \cdot r. \end{aligned}$$
This proves that \((\varvec{L}^{(j)},t^{(j)},r)\) is a NO instance.
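
The construction in the proof of Theorem 7, checked by exhaustive search on a constructed rank-2 lattice (an added example, not part of the paper). The basis, the coefficient box K, the number of instances J and all function names are assumptions; exhaustive search stands in for the \(\text {GAPCVP}_{\gamma }\) oracle with \(\gamma =1\), indices are 0-based, and squared norms are used to stay in the integers.

```python
from itertools import product

def combo(basis, x):
    """Integer combination sum_k x[k] * basis[k] (basis vectors are rows)."""
    return tuple(sum(xk * b[c] for xk, b in zip(x, basis))
                 for c in range(len(basis[0])))

def sq_norm(v):
    return sum(c * c for c in v)

def lambda_i_sq(basis, i, K):
    """Squared lambda_1^(i)(L): shortest Bx with x_i != 0, x in [-K, K]^n."""
    n = len(basis)
    return min(sq_norm(combo(basis, x))
               for x in product(range(-K, K + 1), repeat=n) if x[i] != 0)

def cvp_instance(basis, i, j):
    """j-th instance of Theorem 7: b_i -> 2^(j+1) b_i, target t = 2^j b_i."""
    Bj = [tuple(2 ** (j + 1) * c for c in b) if k == i else tuple(b)
          for k, b in enumerate(basis)]
    t = tuple(2 ** j * c for c in basis[i])
    return Bj, t

def dist_sq(Bj, t, K):
    """Squared dist(L^(j), t^(j)) by exhaustive search (stand-in CVP oracle)."""
    n = len(Bj)
    return min(sq_norm(tuple(p - q for p, q in zip(combo(Bj, x), t)))
               for x in product(range(-K, K + 1), repeat=n))

def svp_prime_via_cvp(basis, i, r_sq, J, K):
    """YES iff at least one of the calls j = 0..J-1 reports dist <= r."""
    return any(dist_sq(*cvp_instance(basis, i, j), K) <= r_sq
               for j in range(J))

# Constructed sample: b_1 = (7, 0), b_2 = (3, 1); i = 1 selects b_2.
B = [(7, 0), (3, 1)]
K, J = 10, 3  # assumed search box and number of CVP instances

if __name__ == "__main__":
    print("lambda_1^(i) squared:", lambda_i_sq(B, 1, K))
    for j in range(J):
        print("j =", j, "dist squared:", dist_sq(*cvp_instance(B, 1, j), K))
    print("r^2 = 5:", svp_prime_via_cvp(B, 1, 5, J, K))
    print("r^2 = 4:", svp_prime_via_cvp(B, 1, 4, J, K))
```

For \(i\) selecting \(\varvec{b}_{2}\), the squared distances for \(j=0,1,2\) are 10, 5 and 20, so the minimum over j equals \(\lambda ^{(i)}_{1}(\varvec{L})^{2}=5\) and is attained at \(j=1\). This matches the shortest vector \(-\varvec{b}_{1}+2\varvec{b}_{2}\), whose ith coefficient is \(2=2^{1}(2\cdot 1-1)\).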

Combining the two theorems, we get the following corollary.

Corollary 4

For any approximation factor \(\gamma \), there is a deterministic polynomial time rank-preserving reduction from \(\text {GAPSAM}_{\gamma }\) to \(\text {GAPCVP}_{\gamma }\).

5 Conclusions

In this paper, we propose the promise problem associated with \(\text {GSVP}\), namely \(\text {GAPSAM}\). We present variants of Cai’s transference theorems for \(\text {GAPSAM}\). From the relationship, we prove that \(\text {GAPSAM}_{cn}\) lies in coNP, where c is a constant. We also give the relationships between the shortest vector of a lattice, the nth successive minima, shortest basis, and the shortest vector of the dual of a saturated sublattice. Using these new relations, we reduce some lattice problems to \(\text {GAPSAM}\). We also reduce \(\text {GAPSAM}\) to \(\text {GAPCVP}\) under a deterministic polynomial time rank-preserving reduction.

References

  1. Ajtai, M.: The shortest vector problem in l2 is NP-hard for randomized reductions. In: 30th ACM Symposium on Theory of Computing, pp. 10–19 (1998)
  2. Ajtai, M., Kumar, R., Sivakumar, D.: A sieve algorithm for the shortest lattice vector problem. In: Proceedings of the 33rd ACM Symposium on Theory of Computing, pp. 601–610 (2001)
  3. Aharonov, D., Regev, O.: Lattice problems in NP intersect coNP. J. ACM 52(5), 749–765 (2005). Preliminary version in FOCS04
  4. Banaszczyk, W.: New bounds in some transference theorems in the geometry of numbers. Math. Ann. 296, 625–635 (1993)
  5. Blömer, J., Naewe, S.: Sampling methods for shortest vectors, closest vectors and successive minima. Theor. Comput. Sci. 410, 1648–1665 (2009)
  6. Blömer, J., Naewe, S.: Sampling methods for shortest vectors, closest vectors and successive minima. In: Arge, L., Cachin, C., Jurdziński, T., Tarlecki, A. (eds.) ICALP 2007. LNCS, vol. 4596, pp. 65–77. Springer, Heidelberg (2007)
  7. Blömer, J., Seifert, J.P.: On the complexity of computing short linearly independent vectors and short bases in a lattice. In: Thirty-First Annual ACM Symposium on Theory of Computing, pp. 711–720. ACM (1999)
  8. Boppana, R., Håstad, J., Zachos, S.: Does co-NP have short interactive proofs? Inf. Process. Lett. 25, 127–132 (1987)
  9. Cai, J.Y.: A New Transference Theorem and Applications to Ajtai's Connection Factor, Electronic Colloquium on Computational Complexity, TR, pp. 98–05 (1998)
  10. Cai, J.Y.: A new transference theorem in the geometry of numbers and new bounds for Ajtai's connection factor. Discrete Appl. Math. 126, 9–31 (2003)
  11. Goldreich, O., Goldwasser, S.: On the limits of nonapproximability of lattice problems. J. Comput. Syst. Sci. 60(3), 540–563 (2000)
  12. Guruswami, V., Micciancio, D., Regev, O.: The complexity of the covering radius problem on lattices and codes. Comput. Complexity 14(2), 90–121 (2005). Preliminary version in CCC 2004
  13. Haviv, I., Regev, O.: Tensor-based hardness of the shortest vector problem to within almost polynomial factors. Theory Comput. 8, 513–531 (2012)
  14. Khot, S.: Hardness of approximating the shortest vector problem in lattices. J. ACM 52(5), 789–808 (2005)
  15. Lagarias, C., Lenstra, H., Schnorr, C.P.: Korkin-Zolotarev bases and successive minima of a lattice and its reciprocal lattice. Combinatorica 10, 333–348 (1990)
  16. Micciancio, D.: Efficient reductions among lattice problems. In: 19th Annual ACM-SIAM Symposium on Discrete Algorithms, SODA 2008, pp. 84–93. Society for Industrial and Applied Mathematics (2008)
  17. Regev, O.: Lecture Note on Lattices in Computer Science. Lecture 8: Dual Lattice (2004)

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
  2. Data Assurance Communication Security Research Center, Chinese Academy of Sciences, Beijing, China
  3. University of Chinese Academy Sciences, Beijing, China
