Lattices and Their Application to Cryptography.pdf - BeKnowledge

LatticesandTheirApplicationtoCryptography LectureNotes:
StanfordUniversity,SpringQuarter,1998 -Version
IBMAlmadenResearchCenter CynthiaDwork June13,1998

ThesenotesareforthecourseLatticesandTheirApplicationtoCryptography,taughtatStanford duringtheSpringQuarter,1998.ThematerialonroundingnumbersistakenmostlyfromLovasz' undalgorithmischeGeometrie,ReduktionvonGitterbasenunPolynomidealen",deliveredatJohannWolfgangGoetheUniversity,Frankfurt/MainduringtheSummersemesterof1994andthe
Wintersemesterof1994/95,compiledbyRogerFischlin,whohasgraciouslysharedwithmehis LATEXles.Inparticular,thePreliminariesandChapters2{6aretranslationsofthesenotes(with ThematerialonlatticetheoryfollowsthenotesfromClausSchnorr'sLectures\Gittertheorie monographAnAlgorithmicTheoryofNumbers,GraphsandConvexity[Lovasz86].
somemodications).
CynthiaDwork dwork@almaden.ibm.com

Contents
Preface Preliminaries 5
1OnRoundingNumbers 1.1LengthsofRationals...................................13 13 9
2Complexity,NP-Completeness 1.2DiophantineApproximationandRelatedProblems..................14 2.1NP-Completeness....................................21 2.2HardAlgorithmicLatticeProblems...........................23 21
3IntroductiontoLatticeTheory 3.2FundamentalsandProperties..............................28 3.1Terminology........................................27
4Succ.Minima,Minkowski'sTheorems,HermiteConstant 3.3Length-andWeight-ReducedLatticeBases......................48 3.4Examples.........................................51
4.2HermiteConstantandCriticalLattice.........................61 4.1SuccessiveMinimaandtheFirstMinkowskiTheorem................55
5Gauss'BasisReductionProcedure 4.3GaugeFunctionsandMinkowski'sTheorems.....................69 5.1ReducedBasis......................................73 5.2Algorithms........................................76
3

46LLLReducedLatticeBasis 6.1DenitionandProperties................................79 CONTENTS
6.2TheLLLReductionAlgorithm.............................85
7Babai'sApproximationtoCVP 7.1ApproximateCVP....................................95 7.2InhomogeneousDiophantineApproximation......................98
8BreakingtheLinearCongruentialGenerator 8.2AGeneralReconstructionResult............................102 8.1LinearCongruentialSequences.............................101 101
8.3ApplicationtotheLinearCongruentialGenerator...................106 Bibliography 8.4ModernDenitionsofPseudo-Randomness......................107 109

Preface
Alatticeisaregulararrangementofpointsinspace.Inparticular,forlinearlyindependent abasisofthelattice.Aswewillsee,therearemanydierentbasesforanygivenlattice.The b1;b2;:::;bn2Rn,thelatticeL=L(b1;b2;:::;bn)isthesetofallintegerlinearcombinations a1b1++anbn,a1;a2;:::;an2Z,oftheelmentsb1;b2;:::;bn.Thevectorsb1;b2;:::;bnform lengthofabasisisthelengthofthelongestbasisvector.
ticular, Copper,CFJP,H,LaOd85,Shamir82].Wewillcoverseveralofthese\negative"results;inpar-
Lenstra,andLovasz,wereusedincryptographyprincipallytoprovecryptographicinsecurity[Adel83, Priorto1996,lattices,andinparticular,thelatticebasisreductionalgorithmofLenstra,
1.breakingofknapsack-basedcryptosystems
3.breakingthesupposedsemanticsecurityofpaddedRSA. 2.breakingthelinearcongruentialpseudo-randomgenerator
N=pq,wherepandqarelargeprimes.IfanadversarycanfactorNthenthesystemisinsecure. reliesontheintractabilityofarandominstanceoftheproblemonwhichtheconstructionisbased. Forexample,inthecaseoftheRSApublickeycryptosystem,thepublickeycontainsamodulus akeyweredeterministic,thenthekeycouldnotbesecret.Thus,thesecurityoftheconstruction Cryptographicconstructionsnecessarilyrequirerandomchoices:if,forexample,thechoiceof
particular,therelativedicultyofthehardestinsancesoffactoringandrandominstancesof factoringisnotknown.Indeed,eveniffactoringwereNP-hard(itprobablyisnot),andevenif PwereknowntobedierentfromNP,thiswouldsaynothingaboutthehardnessofrandom WhenauserpicksarandomN,itisnotenoughthatsometwo-primemoduliarehardtofactor:
instancesoffactoring. theuserwantsthatarandominstanceshouldbehardtofactor.Nosuchresultisknown;in
onecanestablishanexplicitconnectionbetweenthehardnessofrandominstancesandthehardness ofthehardest,orworst-case,instances.Suchaconnectionisthecontributionofthecelebrated thepaperpresentsarandomprobleminvolvingacertainclassofrandomlattices,whosesolution paperofAjtai,\GeneratingHardInstancesofLatticeProblems"[Ajtai96](1996).Specically, Ithasthereforebeenalongstandinggoalincryptographytonda\hard"problemforwhich
wouldimplythesolutionofthreefamousworst-caseproblems: 5

61.Findthelengthofashortestnonzerovectorinann-dimensionallatticeapproximately,up
toapolynomialfactor. CONTENTS
3.Findabasisb1;:::;bninthen-dimensionallatticeLwhoselength,denedasmaxni=1kbik, 2.Findtheshortestnonzerovectorinann-dimensionallatticeLwheretheshortestvectorv
isthesmallestpossibleuptoapolynomialfactor. wherecisasucientlylargeabsoluteconstant. isuniqueinthesensethananyothervectorwhoselengthisatmostnckvkisparalleltov,
latticestocryptography: problems.Thiseorthasbeenfruitful.Wecoveratleastthefollowing\positive"applicationsof tionofcryptographicprimitivesontheassumedhardnessofsolvingtheabove-mentionedlattice MotivatedbyAjtai's1996paper,peoplebegantoexplorethepossibilitybasingtheconstruc-
1.Ajtai'sproofshowsthatthatcertaincryptographichashfunctionsenjoyworst-case/averagecaseequivalence.
3.Theconstructionofthecryptosystemyieldsanaturalpseudo-randomgeneratorwithworstcase/average-caseequivalence.
2.Thereexistsapublickeycryptosystemwithworst-case/average-caseequivalence.
RoughOutlineoftheCourse
ity[Lovasz86]. inChapter1ofLovasz'monographAnAlgorithmicTheoryofNumbers,GraphsandConvex-
Wewillbeginwithsomeclassicalmotivationfromthegeometryofnumbers,basedonthematerial
1994andtheWintersemesterof1994/95.Inparticular,Ihavetranslatedfromthesenotesthe deliveredatJohannWolfgangGoetheUniversity,Frankfurt/MainduringtheSummersemesterof gorithm,followingtheRogerFischlin'scompilationofthenotesfromClausSchnorr'sLectures \GittertheorieundalgorithmischeGeometrie,ReduktionvonGitterbasenundPolynomidealen", Wethendiscussthefundamentalsoflatticetheory,andtheLLLlatticebasisreductional-
followingmaterial.
2.SuccessiveMinimaandTwoTheoremsofMinkowski 1.IntroductiontoLatticeTheory:terminology,basicpropertiesofalattice,lengthreduction,
3.Gauss'BasisReductionProcedure(for2-dimensionallattices) weightreduction;
onproposedcryptographicprimitives.Followingourstudyoflatticetheory,wewillcoversome oftheseattacks. 4.LLLLatticeBasisReduction Asmentionedearlier,theLLLlatticebasisreductionalgorithmisattheheartofseveralattacks

CONTENTS withthelastdayreservedforoneortwooutstandingnewerresultsrelatedtothematerialofthe Thelastpartofthecoursewilldiscussthepositiveapplicationsoflatticestocryptography, 7
course.

8 CONTENTS

Preliminaries
Notation WeletMm;n(S)denotethesetofallmnmatriceswithentriesfromthesetS.Forexample, Mm;n(Z)isthesetofallintegermnmatrices.WemayalsousethealternatenotationSmn.
fx2Rjx>0gforthesetofpositiverealnumbers. Zn,Rn,etc.,denotecolumnvectors. Forrealnumbersrweletdrc:=r12denotetheintegerclosesttor.WewriteR+= FormatrixBweletBTdenotethetransposeofB.Unlessotherwiseindicated,elementsof
ScalarProduct Ascalarproducth;i:RnRn!Risamappingwithfollowingproperties:Forallu;v;w2Rn and2R: h;iisbilinear:
hu;v+wi=hu;vi+hu;wi hu+w;vi=hu;vi+hw;vi hu;vi=hu;vi hu;vi=hu;vi
h;iissymmetric:
h;iispositivedenite: hu;vi=hv;ui
hu;ui>0 9 foru6=0

10 Foru=0itfollowsfromthelinearityineachcomponentthathu;ui=0.Thestandardscalar productisdenedas:D(u1;u2;:::;un)T;(v1;v2;:::;vn)TE:=nXi=1uivi canbewrittenas: Mostapplicationsuseonthestandardscalarproduct.Everyscalarproducth;i:RnRn!R
productthematrixSistheidentitymatrix. onlyifSissymmetricandxTSx>0forallx2Rnnf0g.)Inthecaseofthestandardscalar forsomeapositivedenitematrixS2Mn;n(R).(AnnnmatrixSispositivedeniteifand hu;vi:=uTSv
Norms Amappingkk:Rn!Riscalledanorm,ifforallu;v2Rnand2R:
Therealnumberkukiscalledthenorm(orlength)ofthevectoru=(u1;u2;:::;un).Forevery ku+vkkuk+kvk kvk=jjkvk kuk>0 foru6=0 (positivehomogeneous)
scalarproductweobtainacorrespondingEuclideannormasfollows: (triangleinequality)
kuk:=phu;ui(positivedeniteness)
The`1normis:
The`2normisobtainedfromthestandardscalarproduct: (u1;u2;:::;un)T1:=nXi=1juij
Ingeneral,the`pNormis: (u1;u2;:::;un)T2:=phu;ui= nXi=1u2i!12
Thesupnorm,maximumnormor`1normis: (u 1;u2;:::;un)Tp:= nXi=1juijp!1p
(u1;u2;:::;un)T1:=max i=1;2;:::;njuij

Inequalities 11
Forthesup-,`1-and`2-norm,ofavectoru2Rnwehave: kuk1kuk2pnkuk1 kuk1kuk1nkuk1 kuk2kuk1pnkuk2
ity(foru;v2Rn): Everyscalarproductandcorrespondingnormkuk:=phu;uisatisfytheCauchy-SchwarzInequal-
Equalityholdsonlywhenthetwovectorsarelinearlyindependent. Letb1;b2;:::;bn2Rnbethecolumnvectors(orrowvectors)ofthematrixB2Mn;n(R). jhu;vijkukkvk
Hadamard'sInequalitysays:
Equalityholdswhenthevectorsb1;b2;:::;bnareorthogonal. jdetBjnYi=1kbik2

Chapter1
OnRoundingNumbers
ThematerialherefollowsSections1.0and1.1of[Lovasz86]andChapter5of[GLLS88].We discusstwonaturalhardware-independentmodelsofnumbersandasetofproblemsinvolvingthe
1.1 rounding,orapproximation,ofrationals.
Wedenethebinaryencodinglengthofniteobjectsasfollows: LengthsofRationals
`(0):=1
`(A)=Pi;j`(aij)forA=[aij]2Mm;n(Q) `(n):=1+dlog2(jnj+1)eforn2Z `pq:=`(p)+`(q)wherep;q2Z,q6=0,andgcd(p;q)=1
Lemma1.1.1 2.Foreveryvectorx2Qn,1+kxk1+kxk12`(x)n 1.Foreveryrationalnumberr,1+jrj2`(r)1
allu2Rnwehavekuk2kuk1,inparticularkxk2kxk1.Thenfrom1.wehave: Proof.1.followsdirectlyfromthedenition.Toprove2.,letx=(x1;x2;:::;xn)T.Sincefor 3.ForeverymatrixD2Qnn,jdetDj2`(D)n21
1+kxk1=1+nXi=1jxijnYi=1(1+jxij)nYi=12`(xi)1=2`(x)n: 13

14Letd1;d2;:::;dnbetherowsofD.ByHadamard'sInequalityand2.wehave:
CHAPTER1.ONROUNDINGNUMBERS
1+jdetDj1+nYi=1kdik2nYi=1(1+kdik2)nYi=12`(di)n=2`(D)n2
contributesonetothelengthoftheinput.Thebinaryencodingallowstheinputsto\appear" Incontrasttothebinaryencoding,wecouldusethearithmeticencoding,inwhicheachinteger
arithmeticencodingthelengthsoftheargumentsdonotgrowduringexecutionofthealgorithm. thearithmeticencodinglength(thatis,itdoesnotrunintimepolynomialin2).Conversely,inthe commondivisoroftwointegersrunsintimepolynomialinthebinaryencodinglength,butnotin functionoftheinputlength).Forexample,theEuclideanalgorithmforcomputingthegreatest longerthantheydointhearithmeticencoding,makingalgorithmsappeartorunfaster(asa
polynomial.Everystronglypolynomialalgorithmispolynomial. takespolynomialtimeinthearithmeticsensewhilethelengthofthebinaryencodingremains butthelengthoftheargumentgrowsexponentially.Analgorithmisstronglypolynomialifit Forexample,nrepeatedsquaringsofannbitnumberonlyrequiresnarithmeticoperations
1.2 Incomputationsinvolvingrealnumberswereplacethenumbersbyrationalapproximations.For example,ifwexanintegerqthenthebestchoiceofpsuchthatpqapproximatesisp=bqc DiophantineApproximationandRelatedProblems
orp=dqe.Theresultingerrorisboundedby
Supposeweallowthedenominatorqtovary,subjecttotheconstraintqQ.Wehave: pq12q
Proposition1.2.1(Dirichelet) Forall2RandintegerQ1,thereexistp;q2Z,0

1.2.DIOPHANTINEAPPROXIMATIONANDRELATEDPROBLEMS p=jidisaninteger.Thenforq=jiwehavejqpj=d1 Q+10,arepositive:
)1< )0ixi

16 wherek>0isanintegerand(ri;qi)=1.Thenbydenition CHAPTER1.ONROUNDINGNUMBERS
Thus,pi+qi>pi+1+qi+1>0,soeventuallytheprocedureterminates. i+1= ixi=qi 1 ri=pi+1
Toseehowquicklyitterminates,denetwoauxiliarysequences,gkandhk,asfollows. qi+1
gi=xigi1+gi2,fori=0;1;::: hi=xihi1+hi2,fori=0;1;::: g2=0,g1=1,h2=1,h1=0
Notethat1=h0h1

1.2.DIOPHANTINEAPPROXIMATIONANDRELATEDPROBLEMS Definition1.2.3(BestApproximationProblem) Given:2QandintegerQ>0 17
Theproblemissometimesgiveninanequivalentbut\reverse"form: Find:rationalp=qsuchthat00
Form: Toproveequivalence,wewillprovethatbothformsareequivalenttothefollowingGeneral Findintegersp;qsuchthatq>0,pq

183711=0:6363:::
CHAPTER1.ONROUNDINGNUMBERS
betondaroundingprocedureresultinginapproximationsp1 While1+2+3=1,thisisnottrueofthesumoftherespectiveapproximations.Thetrickwill
Definition1.2.6(SimultaneousDiophantineApproximationProblem) denominator,q. q;p2 q;:::;pnqwithasinglecommon
Given1;2;:::;n2Q,">02Q,andQ2Z,Q>0,ndintegersp1;p2;:::;pnandq suchthat0

1.2.DIOPHANTINEAPPROXIMATIONANDRELATEDPROBLEMS Thus 19
foranychoiceofp1andq. Kroneneckergaveageneralconditionforthesolvabilityofthisproblem(see[Cassels71]): j(q1p1)1j16
Proposition1.2.9 Forany2nrealnumbers1;2;:::;n;1;2;:::;n,either 1.Foreach">0thereexistintegersp1;p2;:::;pn;qsuchthatq>0and 2.Thereexistintegersu1;u2;:::;unsuchthatPi=1nuiiisanintegerwhilePi=1nuiiis not. jqipiij":
Wewillreturntothisproblem,andinparticularthespecialcaseinwhichtheiandiare rationals,afterweseetheLLLlatticebasisreductionalgorithm.

20 CHAPTER1.ONROUNDINGNUMBERS

Chapter2
Complexity,NP-Completeness
Wereviewthebasicconceptsofcomplexitytheoryrelatingtolatticetheory,especiallyNPcompleteness.
2.1 Recallthatwehavedenedthelengthofthebinaryencodinglengthofniteobjectsasfollows: NP-Completeness
`(0):=1
`(A)=Pi;j`(aij)forA=[aij]2Mm;n(Q) `(n):=1+dlog2(jnj+1)eforn2Z
Wedenetherunningtimeofanalgorithmasafunctionofthelengthsoftheinputs.Weare `pq:=`(p)+`(q)wherep;q2Z,q6=0,andgcd(p;q)=1
Definition2.1.1(PolynomialTime) interestedinpolynomialtime:
operations)ispolynomiallyboundedinthelengthoftheinputs: Analgorithmrunsinpolynomialtimeifthenumberofsteps(Turingmachineornumberofbit
Intheoreticalcomputersciencepolynomialtimealgorithmsaresometimesreferredtoasecient. NumberofSteps(Inputs)=poly(`(Inputs))
andonlyifa2A. Definition2.1.2(CharacteristicFunction) ForasetAf0;1gthecharacteristicfunctionA:f0;1g!f0;1gisdenedas:A(a)=1if 21

Usingcharacteristicfunctions,wedenetheclassofpolynomialtimelanuages: 22 CHAPTER2.COMPLEXITY,NP-COMPLETENESS
Definition2.1.3(ClassPofPolynomialTimeLanguages)
TheclassNPcontainsthelanguagesforwhich,foreachwordinthelanguagethereisashort, characteristicfunctionAispolynomialtimecomputable. TheclassPofpolynomialtimelanguagesisthesetoflanguagesAf0;1gforwhichthe
ecientlyveriableproofofmembershipinthelanguage. Definition2.1.4(ClassNP) TheclassNPofnondeterministicpolynomialtimelanguagesAf0;1gisdenedas:
Let(x;y)2B.Thenyiscalledawitnessforx2A. A2NP() 9B2f0;1gf0;1g;B2P:
Cook'sthesisisthatP6=NP,thatis,thereexistsalanguageinNPthatisnotrecognizablein A=x2f0;1g9y2f0;1gpoly(`(x))with(x;y)2B
deterministicpolynomialtime. Definition2.1.5(KarpReduction) LetA;Bf0;1g:
IfApolBandBpolCthenApolC.ApolBthenitispossibleinpolynomialtimeto ApolB() 9polynomialtimetransformationhwith:
decideifx2AwithasinglequerytoanoracleforB. 8x2f0;1g:x2A,h(x)2B
theoracleforB,providedthatthetotalcomputationtime,includingthesettingupofthecalls totheoracle(eachoraclecallitselfhasunitcost)andanysubsequentanalysis,ispolynomially bounded. Amoregeneraltypeofpolynomialtimereduction(aCookreduction),allowsmultiplecallsto
Definition2.1.6(NP-Complete) timemachineMthat,usinganoracleforB,candecidemembershipinA. Wewillalsobeinterestedinrandomizedreductions,inwhichthereisaprobabilisticpolynomial
Af0;1gissaidtobeNP-complete,if:
IfthereisapolynomialtimealgorithmforanyNP-completeproblem,thenP=NP.Thiswould 2.8B2NP:BpolA 1.A2NP
contradictCook'sThesis.Hence,theNP-completeproblemsarethehardestproblemsinNP.

2.2.HARDALGORITHMICLATTICEPROBLEMS HardAlgorithmicLatticeProblems 23
Programming): InthissectionwementionproblemsrelatedtolatticetheorythatareeitherNP-completeorfor
Definition2.2.1(IntegerLinearProgramming) whichnoecientalgorithmisknown.Onesuchproblemisintegerlinearprogramming(Integer
Theproblemofinteger,linearprogrammingis: Given:m;n2N,A2Mm;n(Z)andb2Zm
Integerlinerarprogrammingis\hard".WeshowinProposition2.2.5thatthecorresponding decisionproblemisNP-complete: Findx2ZnwithAxborshowthatnosuchvectorexists.
Definition2.2.2(DecisionProblemforIntegerLinearProgramming) Thedecisionproblemforintegerlinearprogrammingis: Given:m;n2N,A2Mm;n(Z)andb2Zm
polynomialtimealgorithmfortheanalogousproblemofrationallinearprogramming: IfP6=NP,thennopolynomialtimealgorithmsolvesthisproblem.Incontrast,thereisa Decideifthereexistsx2ZnwithAxb.
Theproblemofrationallinearprogrammingis: Definition2.2.3(RationalLinearProgramming) Given:m;n2N,A2Mm;n(Z)andb2Qm
Therstpolynomialtimealgorithmforrationallinearprogrammingistheellipsoidmethodof L.G.Khachiyan[Khach79,Khach80].Thismethodis,however,impractical.AprovablypolynomialtimealgorithmthatalsoappearstobepracticalwasdevelopedbyM.Karmarkar[Karma84],
whosestartingpointwastheclassicalinteriorpointmethod.Anotherpolynomialtimealgorithmis
Findx2QnwithAxborshowthatnosuchvectorexists.
duetoY.Ye[Ye91].Asimple,practicalprocedureisthesimplexalgorithm[Dantzig63,Schrijver86] ofG.B.Dantzig,whichhasexponentialrunningtimeintheworstcase.Thefollowingproblem
Givenm;n2N,A2Mm;n(Z)andb2Zm,inpolynomialtimeonecan: Proposition2.2.4(Sieveking1976) canbesolvedinpolynomialtime:

24a)SolveAx=b,x2Znorshowthatnosolutionexists.
b)FindaZ-Basisb1;b2;:::;bkforfx2ZnjAx=0g,theZ-kernel.AZ-Basisisasetof CHAPTER2.COMPLEXITY,NP-COMPLETENESS
linearlyindependentvectorsb1;b2;:::;bk,where: fx2ZnjAx=0g=(kXi=1tibit1;t2;:::;tk2Z)
Proposition2.2.5 [KaBa79]. Proof.ModicationofGaussianelimination(M.Sievekingin[SpStr76]).Alternateproofin
ThefollowinglanguagesareNP-complete:
1.Integer-Programming:IP:=(m;n;A;b)A2Mm;n(Z);b2Zm; 2.KnapsackorSubsetSum: 9x2Zn:Axb
SubsetSum:=((n;a1;a2;:::;an;b)2Nn+29x2f0;1gn:nXi=1aixi=b)
3.f0;1g-Integer-Programming:
4.WeakDependence: f0;1g-IP:=(m;n;A;b)A2Mn;m(Z);b2Zm; 9x2f0;1gn:Axb
((n;a1;a2;:::;an)2Nn+19(x1;x2;:::;xn)2f0;1gnnf0ng:nXi=1aixi=0)
Proof.For1,2,3see[GaJo79,SpStr76],for4see[EmBoas81].InProposition2.2.6weprove thatintegerprogramminghasapolynomiallengthwitnessandhenceIP2NP. Proposition2.2.6(vonzurGathen,Sieveking1978) IP2NP.
ifsuchanxexists,then(m;n;A;b)2IP.Weneedonlyshowthatthewitnesshaspolynomial Proof.Thewitnessfor(m;n;A;b)2IPwillbeasuitablex2ZnwithAxb.Obviously, length.LetA=:(aij)andb=:(b1;b2;:::;bm)T.SetM:=maxi;jfjaijj;jbijg.VonzurGathen andSieveking[GaSi78]prove: (9x2Zn:Axb)()9x2Zn:Axb;kxk1(n+1)nn2Mn

thelengthofAundb.Since`(m;n;A;b)nm+log2Mwehave: 2.2.HARDALGORITHMICLATTICEPROBLEMS Theupperboundonkxk1impliesthatthelengthofthewitnessxispolynomiallyboundedin 25
`(x)=On2(logn+logM=O`(m;n;A;b)3
Wemakethefollowingdenitions,whichwillbeneededinthenextChapter.
Definition2.2.7(Lattice,Basis,Dimension,Rank) Letb1;b2;:::;bn2Rmbelinearlyindependentvectors.Wecalltheadditivesubgroup
ofRmalatticewithbasisb1;b2;:::;bn.Whenthesequenceofthebasisvectorsisxed,speakof L(b1;b2;:::;bn):=nXi=1biZ=(nXi=1tibit1;t2;:::;tm2Z)
anorderedbasis.Therankorthedimensionofthelatticeisrank(L):=n. Weconsideranexample:
A2Mm;n(Z)thesetfx2ZnjAx=0gisalatticeofranknrank(A);byProposition2.2.4we Example2.2.8(Lattice) canconstructabasisinpolynomialtime. Zmisalatticeofrankm,thestandardunitvectorse1;:::;emformabasis.Giventhematrix
supnormthiscannotbedoneecientlyundertheassumptionthatP6=NP: Throughlatticereductionwesearchforashortest,non-trivial,latticevector.Inthecaseofthe
Corollary2.2.9 Theproblemofndingtheshortestlatticevectorwithrespecttothekk1norm:
isNP-complete. L1-SVP:=(m;n;b1;b2;:::;bn)m;n2N;b1;b2;:::;bn2Zm; 9x2L(b1;b2;:::;bn):kxk1=1
bershipisavectorx2L(b1;b2;:::;bn)nf0gwithkxk1=1.TheNP-completeproblem\weak Proof.Theproblemofndingthekk1-shortestlatticevectorisinNP:Thewitnessofmem-
dependence"fromProposition2.2.5canbereducedinpolynomialtimetothekk1-shortestlattice
k,decidewhetherthereisalatticevectorz2L(b1;b2;:::;bn)withz6=0andkzk2pk. Theproblemoftheshortestlatticevectorinthe`2normis,givenalatticebasisb1;b2;:::;bnand vector.

Definition2.2.10(ShortestVectorProblemSVP) 26 Thelanguageoftheshortestlatticevectorsinthe`2-normis: CHAPTER2.COMPLEXITY,NP-COMPLETENESS
L2-SVP:=(k;m;n;b1;b2;:::;bn)k;m;n;2N;b1;b2;:::;bn2Zm; 9x2L(b1;b2;:::;bn)nf0g:kxk2k
Thestatusofthisproblemisopen.EortstoshowthatL2-SVPisNP-hard,incontrasttothe sup-norm-SVP(seeCorollary2.2.9)havefailed(see[Kannan87]).However,Ajtai[Ajtai98]has shownthatthisproblemisNP-hardwithrespecttorandomizedreductions.
Proposition2.2.11(ClosestVectorProblemCVP) theclosestlatticevector,which,however,isknowntobeNP-completeforanynorm: Theproblemoftheshortestlatticevectoristhehomogeneousspecialcaseoftheproblemof
Theproblemofthe`2-closestlatticevector
isNP-complete. L2-CVP:=(k;m;n;b1;b2;:::;bn;z)k;m;n;2N;b1;b2;:::;bn;z2Zm; 9x2L(b1;b2;:::;bn):kzxk2k
avectorinthelatticethatisnearestwithinafactorofcn,foraxedconstantc. Proof.See[Kannan87,Theorem6.2]. LaterwewillseeanapproximatesolutionduetoBabai,basedontheLLLalgorithm,yielding
hardalgorithmiclatticeproblems: Findashortnon-triviallatticevector. Summarizing:givenalatticebasisb1;b2;:::;bn2Zm,thefollowingtasksarethoughttobe
Incontrast,givenasystemofgeneratorsb1;b2;:::;bn2ZmforalatticeL,nrank(L),itis Findabasiscomprisedofshortlatticevectors.
possibletoconstructabasisforLinpolynomialtime. Findforagivenz2span(b1;b2;:::;bn)theclosestlatticevector.

Chapter3
IntroductiontoLatticeTheory
integermatrixisunique.Wecharacterizelatticesasdiscrete,addititve,subgroupsofRm.We discussthesetofallbasesofalattice,primitivesystemsoflatticevectors,thelatticedeterminant, andtheGram-Schmidtorthogonalizationofalattice.Wedenelengthreductionandweight WedenetheHermitenormalformofamatrixandshowthattheHermitenormalformofan
bases. reductionofalatticebasis,andshowthateverylatticehasalengthreducedandaweightreduced
phx;xiiscalledthelengthofthevectorx.Forlinearlyindependentvectorsb1;b2;:::;bn2Rm Leth;i:RmRm!RbeanarbitraryscalarproductonthevectorspaceRm.Thenkxk= 3.1 Terminology
welet
denotethelatticewithbasisb1;b2;:::;bn.Forarbitraryvectorsb1;b2;:::;bnlet L(b1;b2;:::;bn):=nXi=1biZ
bethespacespannedbyb1;b2;:::;bnandlet span(b1;b2;:::;bn):=nXi=1biR
denotetheorthogonalcomplementofthisspaceinRm. Anintegermatrixwithdeterminant1issaidtobeunimodular.Thesetofallunimodular span(b1;b2;:::;bn)?:=fy2Rmjhy;bii=0fori=1;2;:::;ng
matricesisdenotedGLn(Z): 27

Definition3.1.1(GLn(Z)) 28 GLn(Z)isthegroupofintegernnmatriceswithdeterminant1: CHAPTER3.INTRODUCTIONTOLATTICETHEORY
S;T2GLn(Z)thendet(ST)=detSdetT,weseethattheproductSTisaunimodularmatrix. WearguethatGLn(Z)isagroup.Theidentitymatrixisunimodularandfromthatfactthatif GLn(Z):=fA2Mn;n(Z)jdetA=1g
LetT2GLn(Z).From
wehavethatdetT1=1,andbyCramer'srulethe(i;j)entryinthematrixT1is: detT1=1
(1)i+jdetTijdetT
followsthatdetTij2Z.Thus,forT2GLn(Z)wehaveT12GLn(Z). whereTijdenotesTwiththeithrowandj-thcolumndeleted.SinceTijisanintegermatrix,it
=detTij;
withanappropriatelychosenunimodularmatrix: Thefollowingelementarycolumnoperationscanbeperformedonamatrixbyright-multiplication Exchangetwocolumns Mulitiplicationofacolumnby1
operations. multiplicationbyaunimodularmatrixcorrespondstocarryingoutasetofelementarycolumn Itcanbeshownthateveryunimodularmatrixistheproductofthesethreematrixtypes.So Additionofanintegermultipleofonecolumntoanother
3.2 Inthissectionwedenethefundamentalsoflatticetheoryandshowsomeelmentaryproperties. FundamentalsandProperties
Definition3.2.1(DiscreteSet) 3.2.1Discrete,AdditiveSubgroupsofRmandLattices
Wehave: AsetSRmiscalleddiscrete,whenShasnolimitpointinRm.
Lemma3.2.2 LetGRmbeanadditivegroup.Thenthefollowingstatementsareequivalent:

3.2.FUNDAMENTALSANDPROPERTIES a)Gisdiscrete. b)0isisnotalimitpointofG. 29
d)inffkxyk:x6=y;x;y2Gg>0;thatis,thereisapositive,real,suchthat8x;y2G, c)fx2G:kxk0.
Proposition3.2.3 LRmisalatticeifandonlyifLisadiscrete,additive,subgroupofRm. kxyk.
Proof.Weshowbothdirections: independent,isdiscrete.Let':Rn!span(L)thelinearmapping \)"WemustshowthateverylatticeL:=L(b1;b2;:::;bn)Rm,whereb1;b2;:::;bnarelinearly
Znisdiscreteand'1iscontinuousonspan(L),itfollowsthatLisdiscrete. 'isanisomorphismwith'(Zn)=L.Thus,intuitively,'and'1preservelocalstructure.Since '(t1;t2;:::;tn)=nXi=1tibi
\("LetLRmbeadiscrete,additive,subgroup.Letnbethemaximumnumberoflinearly rankn.NotethatthisimpliesthattherankofalatticeListhemaximalnumberoflinearly independentvectorsinL.Thennm.ByinductiononnwewillshowthatLisalatticeof
n=1
n>1 ofL).ThenitisnothardtoverifythatL(b)=L. Letb2Lbeashortestvectorwithb6=0(suchavectorexists,since0isnotalimitpoint
Chooseb12Lnf0gwith1kb162Lforallk2.Then Theorthogonalprojection:Rm!span(b1)?isdenedby: (3.1)
(b)=bhb1;bi L(b1)=L\span(b1)
Theinductivestepfollowsfromthefollowingassertions: 1.(L)isdiscreteandisalatticeofrankn1. hb1;b1ib1
2.Foreverybasis(b2);(b3);:::;(bn)for(L)withb2;b3;:::;bn2Lwehave: L=L(b1;b2;:::;bn)

30vectors.ThesevectorsarenecessarilytheimagesofvectorsinL,say,b2;:::;bn.Solet
Therstassertionsaysthatthereexistsabasisfor(L)ofn1linearlyindependent CHAPTER3.INTRODUCTIONTOLATTICETHEORY
(b2);:::;(bn)beabasisfor(L).Thesecondassertionsaysthatforeverysuchbasisfor (L),ifweaddb1tothesetofpre-images,thenL=L(b1;b2;:::;bn)andsobydenition isalattice.Proofofthetwoassertions: 1.Weshowthat0isnotalimitpointof(L).Forthesakeofcontradiction,assumethat arepairwisedistinctandlim 0isalimitpointof(L).Lety(i)i2NbeasequenceinL,sothatthevectorsy(i) i!1y(i)=0.Forthesevectors
wecomputey(i)denedby:y(i):=y(i)&y(i);b1 y(i)=y(i)y(i);b1
hb1;b1i% hb1;b1ib1
| integer {z } b1 Theny(i)2Ly(i)=y(i),and:
Sincelim i!1y(i)=0,thereareinnitelymanyvectorsy(i)2Lwith: y(i)y(i)12kb1k
ThiscontradictsthefactthatLisdiscrete,andhencetheassumptionthaty(i)are pairwisedistinctandy(i)=y(i).Thus0isnotalimitpointof(L),andby y(i)kb1k
2.Let(b2);(b3);:::;(bn)beabasisfor(L)withb2;b3;:::;bn2L.Wewillshow in(L)isn1.Bytheinductivehypothesis(L)isalatticeofrankn1. thatLL(b1;b2;:::;bn).Letb2L.From Lemma3.2.2(L)isdiscrete.Themaximumnumberoflinearlyindependentvectors
thereisab2L(b2;b3;:::;bn)with(b)=b.Wehavebb2span(b1).Bythe choiceofb1andfrom(b)2(L)=L((b2);(b3);:::;(bn))
itfollowsthatbb2L(b1).Thus,b2L(b1;b2;:::;bn). bb2(L\span(b1))(3.1) =L(b1)

3.2.FUNDAMENTALSANDPROPERTIES pendentlatticevectors.ItfollowsfromthenextPropositionthateverylatticehasmanydierent Theaboveproofalsoshowsthattherankofalatticeisthemaximumnumberoflinearlyinde-
31
Proposition3.2.4 bases.Let[b1;b2;:::;bn]bethematrixwithcolumnvectorsb1;b2;:::;bn.RecallthatGLn(Z)is
Thevectorsb1;b2;:::;bn2RmformabasisofthelatticeL(b1;b2;:::;bn)ifandonlyifthere thegroupofintegernnmatriceswithdeterminant1.
existsamatrixT2GLn(Z)suchthat: Proof.Weprovebothdirections: b1;b2;:::;bn=[b1;b2;:::;bn]T
\)"Sinceb1;b2;:::;bn2L(b1;b2;:::;bn)thereisaT2Mn;n(Z)with: Sinceb1;b2;:::;bnarelinearlyindependent,wehavedetT6=0.Itfollowsthat b1;b2;:::;bnT1=[b1;b2;:::;bn]
b1;b2;:::;bn=[b1;b2;:::;bn]T
\("LetussupposeforsomeT2GLn(Z)that Sincebi2Lb1;b2;:::;bnfori=1;2;:::;n,T1hasintegerentries.SincedetT detT1=1anddetT,detT1arebothinteger,itfollowsthatjdetTj=1.
Itfollowsthatb1;b2;:::;bn2L(b1;b2;:::;bn).Similarly,itfollowsfrom b1;b2;:::;bnT1=[b1;b2;:::;bn];
b1;b2;:::;bn=[b1;b2;:::;bn]T
thatb1;b2;:::;bn2Lb1;b2;:::;bn.Thus, Lb1;b2;:::;bn=L(b1;b2;:::;bn)
byaunimodularmatrix,thissaysthatifwemodifybasisB=[b1;b2;:::;bn]by Sinceelementarycolumnoperationscanbeachievedbyrightmultiplicationofthebasismatrix
1.reorderingthecolumns
thentheresultingmatrixisabasismatrixforthesamelattices. 3.addingintegermultiplesofsomecolumnstoothercolumns 2.multiplyinganynumberofcolumnsby1

3.2.2DefinitionofHermiteNormalForm 32 CHAPTER3.INTRODUCTIONTOLATTICETHEORY
Definition3.2.5(HermiteNormalForm) WeintroducetheHermiteNormalFormofamatrixandproveitsuniqueness.InChapter??on
Amatrix[aij]2Mm;n(R)withmnisinHermiteNormalForm(HNF)when: Page??wewillshowanalgorithmforobtainngtheHermiteNormalFormofanarbitrarymatrix.
a)aij=0forj>i,i.e.,Aislowertriangular. b)aii>0fori=1;2;:::;m.
ItisarbitrarytorequirethattheHermiteNormalFormwillbelowertriangularratherthanupper triangular(seeCorollary3.2.8).AlternativesforPointc)appearintheliterature.In[DKT87] c)0aij

3.2.FUNDAMENTALSANDPROPERTIES HermiteNormalFormsforAcanbeobtainedfromeachotherbymultiplicationwithunimodular LetB1;B2;:::;BnandC1;C2;:::;CnbethecolumnvectorsforBandC,respectively.Sinceboth 33
conversely,socmm=bmm. L(B).Sincethediagonalelementsareallnon-zero,BmmustbeanintegermultipleofCmand matrices,wehavebyProposition3.2.4thatL(B)=L(C).Inparticular,Bm2L(C)andCm2
wehave(note:cik=0fork>i): L(B)=L(C)thereexistintegercoecientstj;tj+1;:::;tm2Z,sothatforeveryiwithjim LetjbethemaximalindexwithBj6=Cj.Sincecmm=bmm,wehavej+1m.Since
(3.2) Asinthecaseofthemthcolumnvectors,weobtainbjj=cjj,sotj=1.Fori=j+1wehave bij=iXk=jtkcik
(3.3) andweobtain bj+1;j=tjcj+1;j+tj+1cj+1;j+1=cj+1;j+tj+1cj+1;j+1
SinceBisinHermiteNormalForm,wehavebythechoiceofjthemaximumindexwithBj6=Cj: (3.4) cj+1;j+1jtj+1cj+1;j+1=(bj+1;jcj+1;j)
SinceCisalsoinHermiteNormalForm,wehave0cj+1;j

NotethatthecolumnvectorsofAandHNF(A)yieldthesamelattice,namely 34 nXi=1Zai=Zgcd(a1;a2;:::;an)
CHAPTER3.INTRODUCTIONTOLATTICETHEORY
InProposition3.2.4wewillseethatthisisnotacoincidence.TheEuclideanAlgorithmisthe basisfortheprocedureinChapter??toobtaintheHermiteNormalFormofanarbitrarymatrix A2Mm;n(Z). forL=L(b1;b2;:::;bn)arelinearlyindependent.Clearly,whenm

3.2.FUNDAMENTALSANDPROPERTIES 3.2.3DeterminantandBasicBlock 35
Definition3.2.9(Determinant) ThedeterminantdetLoflatticeL=(b1;b2;:::;bn)Rmisdenedby: Wedenethedeterminantofalattice:
Forthescalarproducthu;vi=uTSvwehave:detL=det(BTSB)12,whereB:=[b1;b2;:::;bn]. detL=det[hbi;bji]1i;jn12
Proof.LetB;BbebasismatricesofthelatticeandletT2GLn(Z)satisfyB=BT(theproof Proposition3.2.10 Thedeterminantofalatticeisindependentofthechoiceofbasisb1;b2;:::;bn2Rm. holdsingeneralforT2GLn(R)).LetS2Mm;m(R)bethesymmetricmatrixwithhu;vi=uTSv. >FromdetT=1wehave: detL=det[hbi;bji]1i;jn12
=detTTBTSBT12 =det(BT)TS(BT)12 =detBTSB12
SinceB=BTitfollowsthat:detL=detBTSB12 =detbi;bj1i;jn12 =detL
withrespecttothegivenbasis.Figure3.2.1showsthebasicblockofthelatticedeterminedby a;binR2. Theparallelepipeddeterminedbythebasisvectorsofthelatticeisthebasicblockofthelattice
Definition3.2.11(BasicBlock) Letb1;b2;:::;bnbeabasisofthelatticeL.Theparallelepiped (nXi=1tibi0t1;t2;:::;tn

36 CHAPTER3.INTRODUCTIONTOLATTICETHEORY
-- -
--
-
---
b ppppppppppppppppppppppppppppppppppppppppppp
0 a -
thedimensionofthelatticeLRmisequaltom. isthebasicblockwithrespecttobasisb1;b2;:::;bn.Wearemostlyinterestedinthecasethat Figure3.2.1:BasicBlockoftheLatticeL(a;b)
Definition3.2.12(FullDimensionalLattice) AlatticeLRmisfulldimensionalwhenrank(L)=m.
Lemma3.2.13 ForeverylatticeL=L(b1;b2;:::;bn)Rmandthestandardscalarproductwehave(note: Thefollowinglemmarelatesthestandardscalarproducttothedeterminantofalattice:
volumeimplicitlyreliesonthescalarproduct): detL=voln (nXi=1tibi0t1;t2;:::;tn

3.2.FUNDAMENTALSANDPROPERTIES thelemmatothefulldimensionallatticeT(L)andusethefactthatTpreservesthevolumeand scalarproduct: 37
detL=detT(L)=det[hT(bi);T(bj)i]1i;jn12=det[hbi;bji]1i;jn12
mensionallatticeswhenconsideringgeometricinvariants.Thisisbecausetheinvariantsremain unchangedbyisometricmappings.Examplesofgeometricinvariantsarevolumes,determinants, AsintheproofofLemma3.2.13wecanalwaysrestrictourattentiontothecaseoffulldi-
mappingfromspan(L)toRn.Thisisometricmappingdoesnotingeneralmaintaintheintegrality ofvectors.Combinatoricandalgorithmicinvestigationshouldthusnotberestrictedtothecase metricconsiderationsdependsonthefactthatforeverylatticeLofranknthereisanisometric scalarproducts,andvectorlengths.Theprinciplethatfulldimensionallatticessuceforgeo-
offulldimensionallattices. 3.2.4Sub-Lattices Wedeneasub-latticeasasubsetoflatticepointsthatformalatticeofthesamerank:
Example3.2.15(Sub-Lattice) LetL1;L2belatticesofthesamerankwithL1L2.ThenwesaythatL1isasub-latticeofL2. Definition3.2.14(Sub-Lattice)
Weconsiderasub-latticeofthelatticeZn(whichhasbasismatrixthe22identitymatrixI2).
L(A)Z2isasub-latticeofZ2withrank(L(A))=2(seeFigure3.2.2).Thereisamatrix Let A:=20 02
T2M2;2(Z)withA=I2T: 20 02=10 0120 |{z} 02
detL1=detL2jdetTj. WewillseeinProposition3.2.16thatsuchaTalwaysexists,andmoreover(Lemma3.2.18),that =:T
Proposition3.2.16 LetL1beasub-latticeofL2Rm. a)Foreverybasisa1;a2;:::;anofL1thereexistsabasisb1;b2;:::;bnforL2with (3.5) foranuppertriangularmatrixT2Mn;n(Z). [a1;a2;:::;an]=[b1;b2;:::;bn]T

38 CHAPTER3.INTRODUCTIONTOLATTICETHEORY
sss
sss
sss
sss
s(0;0) (0;2) (0;4) (0;6)
s(2;0) (2;2) (2;4) (2;6)
s(4;0) (4;2) (4;4) (4;6)
s(6;0)
(6;2) (6;4) (6;6)
b)Conversely,foreverybasisb1;b2;:::;bnforL2thereisabasisa1;a2;:::;anforL1with Figure3.2.2:Sub-LatticeL(A)ofZ2
Remark3.2.17 >FromProperty(3.5)withuppertriangularmatrixT,wehavethat: property(3.5).
Proof(ofProposition3.2.16).Weshowbothstatements: span(a1;a2;:::;ai)=span(b1;b2;:::;bi) fori=1;2;:::;n
a)Letb1;b2;:::;bnbeanarbitrarybasisforL2.ThensinceL1L2eachelementofL1can amatrixS2Mn;n(Z)withdetS6=0and: beexpressedasanintegerlinearcombinationofthebasiselementsofL2.Thus,thereexists
(US)Tislowertriangular.DeneT:=US(anuppertriangularmatrix)andbasismatrix (3.6) TheHNF-Proposition3.2.6ensuresthatforSTthereexistsaU2GLn(Z),suchthatSTUT= [a1;a2;:::;an]=b1;b2;:::;bnS
forL2: By(3.6)weobtain: [b1;b2;:::;bn]:=b1;b2;:::;bnU1
[a1;a2;:::;an]=b1;b2;:::;bnS=[b1;b2;:::;bn]US

3.2.FUNDAMENTALSANDPROPERTIES b)Leta1;a2;:::;anbeanarbitrarybasisforL1.ThereisamatrixS2Mn;n(Z)withdetS6=0 and: 39
ByCorollary3.2.8thereisaU2GLn(Z)suchthatSUisuppertriangular.Thestatement followsforthebasis [a1;a2;:::;an]=[b1;b2;:::;bn]S
andT:=SU. [a1;a2;:::;an]:=[a1;a2;:::;an]U
classes Contintuingourpreviousexample,thefactorgroupZ2=L(A)consistsofthefourequivalence
ThusZ2:L(A)=4.InLemma3.2.18weshowthatingeneraltheindex(i.e.,thenumberof 0+L(A);10+L(A);01+L(A);1+L(A)
Lemma3.2.18 representatives,whichlieinthebasicblock. distinctcosets)isequaltojdetTj.Werepresenttheequivalenceclassesthroughtheirrespective
LetL2=L(b1;b2;:::;bn)bealatticeandL1=L(a1;a2;:::;an)asub-latticeofL2.LetT2
Mn;n(Z)withA=BTforA:=[a1;a2;:::;an]andB:=[b1;b2;:::;bn].Then:
Proof.LetS2Mm;m(R)bethesymmetricmatrixwithhu;vi=uTSv.Then: detL1=detL2jdetTj
detL1=detATSA12 =det(BT)TS(BT)12 =detTTBTSBT12 =jdetTjdetBTSB12 =detTTT12detBTSB12 =jdetTjdetL2
Definition3.2.19(IndexofaSub-Lattice) TheintegerjdetTj=detL1 detL2fromLemma3.2.18iscalledtheindexofthesublatticeL1inL2.

additivegroupL2ofindexjdetTj. Theindexisindependentofthechoiceoflatticebasis.Inparticular,L1isasubgroupofthe 40 CHAPTER3.INTRODUCTIONTOLATTICETHEORY
andb1;b2;:::;bnsatisfyequation(3.5)withT=[tij].ThenL2=L1isanitegroup,theindex [L2:L1]ofL1inL2satises:[L2:L1]=detL1
LetL1=L(a1;a2;:::;an)beasub-latticeofL2=L(b1;b2;:::;bn),sothatbasesa1;a2;:::;an
Inparticular,L1=L2ifandonlyifjdetTj=1.Thisrelationcanbeusedtoprovethat a1;a2;:::;anformabasisforL2.LetL1bethelatticedenedbya1;a2;:::;an.Thenwe (3.7) detL2=detT=nYi=1jtiij
Property(3.5).Thus:L2=L(a1;a2;:::;an)() knowdetL1 detL2andabasisb1;b2;:::;bnforL2.Further,thesystemofvectorsa1;a2;:::;ansatises
Itfollowsfrom(3.7)that: nYi=1jtiij=detL1 detL2=1
Corollary3.2.20 Leta=(a1;a2;:::;an)T2Znnf0gandb2N.IfLa;bistheintegerlattice (whereh;iisthestandardscalarproduct),then La;b=fx2Znjhx;ai0(modb)g
Proof.WerstshowthatLa;bisasub-latticeofZn,thatis,thelatticeLa;bZnhasfullrank. detLa;b= gcd(a1;a2;:::;an;b) b
Letvn=(1;:::;1)T2Zn.Choosen1integervectorsv1;v2;:::;vn1,sothatbv1;bv2;:::;bvn2 Znarelinearlyindependent(forexample,therstn1identityvectors).Since
sub-latticeofZn.>FromdetZn=1itfollowsfrom(3.7)that: itfollowsthatbv1;bv2;:::;bvn2ZnareinthelatticeLa;bandformabasis.ThusLa;bisa hbvi;aibhvi;ai0(modb) fori=1;2;:::;n
ThefactorgroupZn/La;bhasatmostbresidueclasses,namelyR0;R1;:::;Rb1with: (3.8) Ri:=fx2Znjhx;aii(modb)g detLa;b=[Zn:La;b]
(3.9) Weshowthatthefactorgrouphasexactlythesebresidueclasses.Werstconsiderthecase gcd(a1;a2;:::;an;b)=1

3.2.FUNDAMENTALSANDPROPERTIES Thenthereexistintegercoecientst1;t2;:::;tn+12Zwith: nXj=1tjaj+tn+1b=1
41
Forthevectorsci:=it2Znwithi=0;1;:::;b1weobtain: Forthevectort:=(t1;t2;:::;tn)2Znwehave: ht;ai1tn+1b1(modb)
TheresidueclassesR0;R1;:::;Rb1arethusnon-empty.From(3.9)weobtainby(3.8): hci;aiiht;aii(modb)
Wealsoconsiderthecase detLa;b=[Zn:La;b]=b1= gcd(a1;a2;:::;an;b) b
Thenforallx2Znwehave hx;ai0(modb) d:=gcd(a1;a2;:::;an;b)>1
bjhx;ai
soLa;b=Lad;bd.Sincegcda1 d;a2 d;:::;and;bd=1weobtain: () x;ad0(modbd); bdjx;ad
detLa;b=detLad;bd=bd= gcd(a1;a2;:::;an;b) b
3.2.5PrimitiveSystem
abasisforthelattice.Thesecriteriaareusefulfortheconstructionofspeciallatticebases. Definition3.2.21(PrimitiveSystem) InProposition3.2.22wecharacterizesystemsoflatticevectors,whichcanbecompletedtoobtain
LetLRnbealattice.Thevectorsb1;b2;:::;bk2LformaprimitivesystemforLif 1.b1;b2;:::;bkarelinearlyindependent. 2.span(b1;b2;:::;bk)\L=L(b1;b2;:::;bk)

whatissignicantisthatspan(b1;b2;:::;bk)\LL(b1;b2;:::;bk).Asinglevectorb2Lforms Sincetheinclusionspan(b1;b2;:::;bk)\LL(b1;b2;:::;bk)forarbitrarylatticevectorsb1;b2;:::;bk, 42 CHAPTER3.INTRODUCTIONTOLATTICETHEORY
aprimitivesystemwhen1kb62Lforallk2Zwithjkj2,sothegreatestcommondivisorofthe Proposition3.2.22 LetLRnbealatticewithrank(L)=nandb1;b2;:::;bk2L.Thevectorsb1;b2;:::;bkform vectorentriesis1.
Proof.Weshowbothdirections: aprimitivesystemforLifandonlyiftheycanbecompletedforformabasisforL.
\)"Letb1;b2;:::;bk;bk+1;:::;bnbeabasisofthelatticeL.Thevectorsb1;b2;:::;bkare t1;t2;:::;tn2Z.Wehave, linearlyindependent.Eachvectorb2Lcanbeuniquelydescribedasb=Pni=1tibiwith
\("Letb1;b2;:::;bkbeaprimitivesystemandletbetheorthogonalprojection:span(L)! Sospan(b1;b2;:::;bk)\LL(b1;b2;:::;bk). b2span(b1;b2;:::;bk)()tk+1=tk+2==tn=0
Thelattice(L)hasbasis(bk+1);(bk+2);:::;(bn)withbk+1;bk+2;:::;bn2L. WeshowthatL=L(b1;b2;:::;bn).Letb2L.From span(b1;b2;:::;bk)?.BytheproofofProposition3.2.3,(L)isalatticeofdimensionnk.
thereisab2L(bk+1;bk+2;:::;bn)with(b)=(b).Let (b)2L(bk+1);(bk+2);:::;(bn)
Thenbb2span(b1;b2;:::;bk).Sinceb1;b2;:::;bkformbyassumptionaprimitivesystem, (b)=nX i=k+1ti(bi) und b=nX
wehavebb2L(b1;b2;:::;bk).Thusb2L(b1;b2;:::;bn). i=k+1tibi
Thefollowingnotion,ofaMinkowski-reducedbasis,isnotalgorithmicallymotivatedandismentionedhereonlyforcompleteness(foraproceduretoobtaineaMinkowski-reducedbasissee
B.HelfrichsArbeit[Helfrich85]): Definition3.2.23(Minkowski-Reduced) Letb1;b2;:::;bn2RmbeanorderedbasisforatticeL;thatis,theorderofthevectorsisxed. TheorderedbasisissaidtobeMinkowski-reducediffori=1;2;:::;n: kbik=minkbkb2Land(b1;b2;:::;bi1;b) isaprimitivesystemforL

3.2.FUNDAMENTALSANDPROPERTIES Definition3.2.24(IsometricLattices) TwolatticesLRmandLRmareisometric,whenthereisanisometricmappingT:Rm!Rn 43
LetLandLbeisometriclatticesandletTbeanisometricmappingwithT(L)=Lsothat withT(L)=L. b1;b2;:::;bnisabasisforL.Thenforthebasisbi:=T(bi),i=1;2;:::;n: hbi;bji=bi;bj
isometryclassofalatticebasisB=[b1;b2;:::;bn]ischaracterizedbythematrixBTSB.In Wesaythattwosuchbasesareisometric.Forthescalarproducthu;vi=uTSvwehave:The for1i;jn
particular,twolatticesareisometricifandonlyiftheyhaveisometricbases.Forexample,inthe caseofthestandardscalarproduct:
B:=p21=p2 0p3=2 B:=2410 11 01 3 5 BTB=BTB=21 12
3.2.6OrthogonalSystems
Definition3.2.25(OrthogonalSystem,OrthogonalProjectioni) Thegoaloflatticebasisreductionis,givenanarbitrarylatticebasis,obtainabasisofshortest
Letb1;b2;:::;bn2RmbeanorderedlatticebasiswhereL=L(b1;b2;:::;bn)isofrankn.Dene possiblevectors;thatis,vectorsascloseaspossibletomutuallyorthogonal.
tobetheorthogonalprojection,thatis,forallb2Rm: i:Rm!span(b1;b2;:::;bi1)?
Wewritebi:=i(bi). bi(b)2span(b1;b2;:::;bi1) i(b)2span(b1;b2;:::;bi1)?
Wecanobtainb1;b2;:::;bnbytheGram-Schmidtprocedure:
(3.11) (3.10) b1:=b1 bi:=i(bi)=bii1 Xj=1i;jbj fori=2;3;:::;n

wheretheGram-Schmidtcoecientsi;jaredenedby: 44
i;j:=Dbi;bjE CHAPTER3.INTRODUCTIONTOLATTICETHEORY
Dbj;bjE=Dbi;bjE
vectorbiintermsoftheorthogonalsystem: Inparticular,i;i=1andforj>i,i;j=0.Bydenition(3.10)and(3.11)wecanexpressthe kbjk2
(3.12) ThenPkj=1i;jbjistheprojectionofbiontospan(b1;b2;:::;bk)andPij=k+1i;jbjtheprojection bi=bi+i1 Xj=1i;jbj ofbiontospan(b1;b2;:::;bk)?.Moreover,fori=1;2;:::;nwehave
Thedescription(3.12)ofthebasisvectorsb1;b2;:::;bncanbeexpressedinmatrixform: span(b1;b2;:::;bi)=spanb1;b2;:::;bi
Notethatifm=nthenbBissquarewithnon-zerodeterminantandwehave [b1;b2;:::;bn]=hb1;b2;:::;bni[i;j]T1i;jn
becausedet[i;j]T1i;jn=1(uppertriangularwith1'sonthediagonal).Thelastequalityholds becausethecolumnsofbBaremutuallyorthogonal.Ifm>n,thenconsiderthemappingT: detB=detbBdet[i;j]T1i;jn=detbB=nYi=1kbik
Tiseasilyshowntobeisisometric,sothematrix span(L)!Rnwith T(bi)=hi;1kb1k;i;2kb2k;:::;i;nkbnkiT
[T(b1);T(b2);:::;T(bn)]= 2 64 kb 1kkb2k... 0 0. 0kbnk 0.
3 75 2 640 1 102;13;1 3;2 1 n;1 n;2 0 . ......n;n1 0 1.
375 isabasisforalatticeinRnthatisisometrictoL(b1;b2;:::;bn).Wecannowproceedasinthe (3.13) casem=n:Sincedet[i;j]T1i;jn=1,wehavefromtheproofofProposition3.2.10: detL(b1;b2;:::;bn)=nYi=1kbik

3.2.FUNDAMENTALSANDPROPERTIES Proposition3.2.26 LetL=L(b1;b2;:::;bn)andletb1;b2;:::;bndenotetheGram-Schmidtorthogonalizationof 45
b1;b2;:::;bn.Let(L)denotethelength,usingthe`2norm,oftheshortestnon-zerolattice vectorinL.Then(L)minibi2.
eachbiintermsoftheGram-Schmidtorthogonalizationweget: vectorinL.Sincea2Lwecanwritea=Pni=1ibi,wherei2Zfori=1;2;:::;n.Expressing Proof.Intheproof,weletkkdenotethe`2norm.Leta2Lbeaminimumlengthlattice
Letkbethelastindexforwhichk6=0,soj=0forallj>k.Letusdenejfor1jnby a=nXi=1iiXj=1ijbj
(Notethatbychoiceofk,k=k.)Thena=Pnj=1jbj.Sincethebjaremutuallyorthogonal, wehave j=nXi=jiij
Thus,kakjkjbk=jkjbk.Sincek2Znf0gwehavejkj1,andtheproofiscomplete. kak2=nXj=1(j)2bj2(k)2bk2
mutuallyorthogonal: Wedenetheorthogonalitydefect,ameasureofhowfarthebasisvectorsarefrombeing
Definition3.2.27(OrthogonalityDefect) Theorthogonalitydefectofabasisb1;b2;:::;bnofthelatticeLis:
Sincekbikkbik,theorthogonalitydefectisgreaterthanorequalto1.Itis1preciselywhenthe OrthDefect(L):=Qni=1kbik detL;
basisvectorsaremutuallyorthogonal,andthusbi=bifori=1;2;:::;n(see(3.13)). 3.2.7QuadraticForms Inthissectionthescalarproductalwaysdenotesthestandardscalarproduct.Abasismatrix B=[b1;b2;:::;bn]yieldsthefollowingquadraticformQFBintherealvariablesx1;x2;:::;xn: QFB(x1;x2;:::;xn):=X 1i;jnhbi;bjixixj

ThisquadraticformQFBispositivedenite,thatis,QFB(x1;x2;:::;xn)0andQFB(x1;x2;:::;xn)= 46 0ifandonlyifx1=x2=:::xn=0.QFBispositivedenitimplies: CHAPTER3.INTRODUCTIONTOLATTICETHEORY
andPni=1xibiisthenullvectorexactlywhenx1=x2=:::xn=0.Forintegerx1;x2;:::;xnQFB QFB(x1;x2;:::;xn)=nXi=1xibi2
takesthevalueofthesquareofthelengthofthecorrespondinglatticevectorinL(b1;b2;:::;bn). Conversely,foreverypositivedenite,symmetrische,quadraticform
thereisalatticebasisb1;b2;:::;bn,sothathbi;bji=qijfor1i;jn.Theneverypositive QF=X
denit,symmetricmatrix(qij)2Mn;n(R)canbewrittenas(qij)=BTBwithB2Mn;n(R). 1i;jnqijxixj
anisometricmappingthattransformsBintoB.Thequadratic,positivedeniteformsexpress formsisinthissenseequivalent.Theoldercontributions,ofJ.L.Lagrange,C.F.Gau,C.Hermite, A.Korkine,G.ZolotareundH.Minkowski,wereexpressedintermsofquadraticforms.Two uniquelytheisometryclassesofthelatticebasis.Thetheoryoflatticebasesandpositivedenite TwolatticebasesB;ByieldthesamequadraticformQFB=QFB,preciselywhenthereis
arecongruent,whentheycanbetransformedintooneanotherthroughunimodulartransformations,thatis,thereexistsamatrixU2GLn(Z)with:
1i;jnqijxixj QFQ=X 1i;jnqijxixj and QFQ=X
Forexample,fortwobasesBandBofthesamelattice,thecorrespondingquadraticformsQFB andQFBarecongruent. [qij]1i;jn=UTqij1i;jnU
Inthissectionthescalarproductisthestandardscalarproduct.Wedenetheduallattice: 3.2.8DualandWholeLattice
LetLbealattice.Thedual(polar,reciprocal)latticeiddenedas: Definition3.2.28(Dual(polar,reciprocal)Lattice)
Proposition3.2.29 LetLRnbealatticeoffullrankwithbasismatrixB:=[b1;b2;:::;bn].ThenB1Tisabasis L:=fx2span(L)j8b2L:hx;bi2Zg
matrixoftheduallatticeL.Inparticular,(L)=L.

3.2.FUNDAMENTALSANDPROPERTIES Proof.Let B:=[b1;b2;:::;bn]:=B1T 47
WemustshowthatL=L(B).Weshowbothinclusions: L(B)L:FortheidentitymatrixI I=B1B=B1TTB=(B)TB=264hb1;b1ihb1;b2ihb1;bni hb2;b1ihb2;b2ihb2;bni
Thushbi;bji2f0;1gfori;j=1;2;:::;n.Forx=Pni=1tibi2L(B)witht1;t2;:::;tn2Z hbn;b1ihbn;b2ihbn;bni . . ... . 3 75 wehave:
Sincebi2Rn=span(L)fori=1;2;:::;n,itfollowsforallx2L(B),thatx2L. hx;bji=nXi=1tihbi;bji2Z forj=1;2;:::;n
L(B)L:Foreverya2Lwemustshowthata2L(B).Sinceb1;b2;:::;bn2L,we obtainfromthedenitionoftheduallattice: BTa=264b1 bn b2. 3 75a=264hb1;ai hb2;ai
Further, hbn;ai . 3 752Zn
Letti:=hbi;ai2Zfori=1;2;:::;n.Thenacanbeexpressedas a=Ea=BB1Ta=B1TBTa=BBTa |{z} 2Zn
anda2L(B). a=nXi=1tibi
Moreover,(L)=L,sincetheoperationsofinvertingandtranspositioncommute. Definition3.2.30(Self-DualLattice) AlatticeLiscalledself-dualwhenL=L.
Forexample,Znisaself-duallattice.Toconlcudethissection,wedeneawholelattice:

AlatticeLiscalledwholewhenha;bi2Zforalla;b2L. Definition3.2.31(WholeLattice) 48 CHAPTER3.INTRODUCTIONTOLATTICETHEORY
Proposition3.2.32 ForeverywholelatticeL,LL1 Proof.Theproofislefttothereader. detL2L.
3.3 Length-andWeight-ReducedLatticeBases
Inthissectionwedenetwoalgorithmicallymotivatedtypesofreducedness:lengthreducedand weightreducedlatticebases. Definition3.3.1(LengthReducedBasis) Theorderedbasisb1;b2;:::;bnislengthreducedwhenji;jj12for1jFromEquation(3.12)onPage44wehavefori=1;2;:::;n: fori=1;2;:::;n
bi=bi+i1
Thevectorsb1;b2;:::;bnoftheorthogonalsystemaremutuallyorthogonal,soitfollowsthat: Xj=1i;jbj
kbik2=bbi2+i1
Sincethebasisisbyassumptionlengthreduced,wehaveji;jj12,whencetheProposition Xj=12i;jkbjk2
follows. Toprovecorrectnessofthelengthreductionalgorithmweconsiderthebasisvectorsexpressedin Algorithm3.3.1transformsagivenlatticebasisintoalengthreducedbasisforthesamelattice.

3.3.LENGTH-ANDWEIGHT-REDUCEDLATTICEBASES Algorithm3.3.1LengthReduction INPUT:OrderedLatticeBasisb1;b2;:::;bn2Rm 49
1.FORi=2;3;:::;nDO FORj=i1;i2;:::;1DO
ENDfori ENDforj bi:=bidi;jcbj
termsoftheircoordinatesintheorthogonalsystem: OUTPUT:LengthReducedBasisb1;b2;:::;bn
b1 b2 b3 b1 1 b2 0 b3 bn1bn
. 2;1 3;1 . 3;2 1 01 ... 0 Weobservethat: bn1=(n1;1n1;2n1;3 n;1 n;2 n;3 n;n11) 1 0) .)
Thisisaweakformofreduction. Thestepbi:=bidi;jcbjcausesnew Inparticular,new i;j12,andthei;remainunchangedfor>j. i;j:=old i;j1old i;j.
Theorderedbasisb1;b2;:::;bnisweightreducedwhen: Definition3.3.3(WeightReducedBasis) a)jhbi;bjij b)kbikkbi+1k kbjk212 for1j

50Propertyb)ofweightreducednesssaysthatthebasisvectorsareinascendingorderoflength:
kb1kkb2kkb3kkbn1kkbnk CHAPTER3.INTRODUCTIONTOLATTICETHEORY
Propertya)isequivalenttokbikkbibjk From kbibjk2=hbibj;bibji=kbik22hbi;bji+kbjk2 for1j12THENbi:=bidrcbjandF:=true r:=hbi;bjikbjk2 =reductionstep=
ENDwhile ENDfori ENDforj
OUTPUT:WeightReducedBasisb1;b2;:::;bn Proposition3.3.4 Everylatticehasaweightreducedbasis. TheproofofthePropositionisimmediatefromthecorrectnessofAlgorithm3.3.2,whichtransformsanarbitrarylatticebasisintoaweightreducedbasisforthesamelattice.Thecorrectness
ofthealgorithmfollowsfromthetwoobservations:

3.4.EXAMPLES Thealgorithmterminates,sinceeveryreductionstepreducesthelengthofonebasisvector Itisclearbyinspectionthattheouptutisaweightreducedbasis. 51
thesequenceofthevectors,andinparticulartheshortestbasisvectoristherstone.However, thealgorithmisnotecient.Inthefollowingchapterswewillstudystrongernotionsofreduction: IncontrastwithAlgorithm3.3.1forlengthreduction,theweightreductionprocedureexchanges whileleavingtheremainingbasisvectorsunchanged,andeverylatticeisdiscrete.
3.4 LLLreductioninchapter6andHKZ-and-reductioninChapter??.
standardone.Therstsuccessiveminimum1isthelengthoftheshortestnon-zerolatticevector Inthissectionwedescribesomelatticesandtheirrespectivebases.Thescalarproductisthe Examples
(aformaldenitionfollowslater). Forthelattice
thefollowingrowvectorsformabasis: An:=((x0;x1;:::;xn)2Zn+1nXi=0xi=0)
264 bn1 b b2. 1
3 75:= 2 64 01+10 . ...... 0 0
Clearly,L(b1;b2;:::;bn)isasub-latticeofAn,sinceb1;b2;:::;bn2Anandtheyarelinearly
0 01+100 . 3 75
i=n;n1;:::;2,subtractthevectorbifromx,untilthe(i+1)thcomponentiszero.Onlythe rsttwoentriesofthevectorx0arenon-zero,anditisinAn.Moreover,x0=x01,andthevector isanintegermultipleofb1. independent.Conversely,letx=(x0;x1;:::;xn)2AnbeanarbitraryelementofAn.For
Thelattice
hasabasiscomprisedofthefollowingrowvectors: Dn:=((x1;x2;:::;xn)2ZnnXi=0xi0(mod2))
264 b b2 b3. 1
bn1
3 75:= 2 64
+20 0+110 0 . ...... 0 0+1100 0.
3 75

L(b1;b2;:::;bn)isasublatticeofDn,sinceb1;b2;:::;bn2Dnandtheyarelinearlyindependent. Alternatively,b01=(1;1;0;:::;0).Sinceb1=b01+b2oneobtainsthesamelattice.Clearly 52 CHAPTER3.INTRODUCTIONTOLATTICETHEORY
removefromxthevectorbiuntiltheithcomponentis0.Theonlynon-zeroentryinthevector Conversely,letx=(x1;x2;:::;xn)2DnbeanarbitraryvectorinDn.Fori=n;n1;:::;2,
Letn0mod4.Thelattice istherstone,andthevectorliesinDn.Thusx10(mod2),andthevectorisaninteger multipleofb1.NotethatdetDn=2.Clearlythereisnolatticevectorshorterthanthebasis vectors,so1(Dn)=p2.
hasabasiscomprisedofthefollowingrowvectors: En:=(x1;x2;:::;xn)2ZnPni=0xi0(mod4)and xjxj+1(mod2)for1j4,v:=(2;2;0;:::;0)isa 8else
x2En,xn1xn(mod2)).
Weshow: Leta=(a1;a2;:::;an)2Znnf0g.Considerthelatticeofintegervectorsorthognaltoa: La:=span(a)?\Zn=ft2Znjha;ti=0g
ThelatticeLaclearlyhasdimensionn1.Letc2;c3;:::;cnbeabasisforLa.Since detLa= gcd(a1;a2;:::;an) kak
span(La)\Zn=La

existsavectorc12Zwith: 3.4.EXAMPLES thevectorsofthebasisformaprimitivesystemforthelatticeZnandbyProposition3.2.22there 53
Thepartofc1orthogonaltoLais Theentriesofthevectorc1arerelativelyprime,sincec1isaprimitivevectorwithrespecttoZn. L(c1;c2;:::;cn)=Zn
andhaslength hc1;ai
*hc1;ai kak2a
block(\surfaceareadetLatimesheightjhc1;aij Weobtainfromthegeometricinterpretationofthelatticedeterminantasthevolumeofthebasic kak2a;hc1;ai kak2a+12=hc1;ai kak2ha;ai12=hc1;ai
kak"):
thatjhc1;aijistheleastpositivewholenumberintheprincipalidealPni=1Zai=Zgcd(a1;a2;:::;an), forwhichthereexistsac12Znwith detZn=1=detLajhc1;aij kak
thatjkj=1.Wethusobtain andc1=kc1forsomek2Z.Sincetheentriesofthevectorc1arerelativelyprime,itfollows hc1;ai=gcd(a1;a2;:::;an)
andtheclaimfollows. hc1;ai=gcd(a1;a2;:::;an);

54 CHAPTER3.INTRODUCTIONTOLATTICETHEORY

Chapter4
SucessiveMinima,Minkowski's Theorems,andtheHermite Constant
denotestheEuclideannorm. Inthischapterwedenethesuccessiveminimaofalattice.Wepresenttwowellknowntheorems ofMinkowski.WedenetheHermiteconstantnandpresentlowerandupperboundsforthis value.Unlessotherwisestate,thescalarproductisthestandardone:h;iandkxk=phx;xi
minimaaredenedby: Inchapter3.4weinformallyintroducedtherstsuccessiveminimum.Ingeneral,thesuccessive 4.1 SuccessiveMinimaandtheFirstMinkowskiTheorem
Letkkbeanarbitrarynorm.ForeverylatticeLRmofranknthesuccessiveminima Definition4.1.1(SuccessiveMinima1;2;:::;n) 1;2;:::;nwithrespecttothenormkkaredenedas: i=i(L):=inf80Thereareilinearlyindependent
ThedenitionofsuccessiveminimaisduetoH.Minkowski.Figure4.1.1illustratestheconcept withkcjkrforj=1;2;:::;i9=; vectorsc1;c2;:::;ci2L fori=1;2;:::;n
phu;uiaregeometriclatticeinvariants;thatis,thesevaluesremainunchangedunderisometric x.12n.ThesuccessiveminimawithrespecttoaEuclideannormkuk:= foralatticeL(a;b):TherstsuccessiveminimumwithrespecttotheEuclideannormisthevector
55

56 CHAPTER4.SUCC.MINIMA,MINKOWSKI'STHEOREMS,HERMITECONSTANT
x
0 -b
1
a
transformationsofthelattice.Foreverylatticebasisb1;b2;:::;bn,fori=1;2;:::;n: Figure4.1.1:Exampleoftherstsuccessiveminimum1(L(a;b))
whenthevalueskbik Thesuccessiveminimayieldameasureofthereducednessofalatticebasis.Abasisis\reduced", ifori=1;2;:::;nare\small"(\close"to1).Thevectorsofareducedbasis j=1;2;:::;ikbjki max
arenearlyorthogonal.Ingeneralthereisnobasisb1;b2;:::;bnwithkbik=ifori=1;2;:::;n. Considerforexamplethelattice
andtheEuclideannorm.Forn5,1=2==n=1andthecanonicalunitvectors(the L:=Zn+Z12;:::;12 |{z} nT
onlyvectorswithlength1)donotformabasis. cessiveminimumintheEuclideannorm Thesuccessiveminimadependontheunderlyingnorm.Inparticular,considertherstsuc-
andinthesup-norm: kLk1:=1;1(L)=minfkbk1:b2Lnf0gg kLk:=1(L)=minfkbk:b2Lnf0gg
ForlatticeLRmitfollowsfromkxk1kxkpnkxk1forallx2Rm,that:
Proposition4.1.2(Minkowski1896) ThequantitykLk1isnotageometricinvariant.However,wehavethefollowingtightbound: 1;1(L)1(L)pn1;1(L)
LetLRmbealatticeofrankn.ThenkLk1(detL)1n.

ThisboundistightsincekZnk1=1=(detZn)1n. 4.1.SUCCESSIVEMINIMAANDTHEFIRSTMINKOWSKITHEOREM Werstgivetheproofsketchappearingin[Lovasz86]forthecasen=m.LetQdenotethe 57
cube ThenQhasn-dimensionalvolumedetL.ConsiderthecubesQ+b,whereb2L.Ifallthese cubeswerepairwisedisjoint,thenthedensityoftheirunionwouldbelessthan1;however,a Q:=nx2Rn:kxk112(detL)1=no
(Q+b1)\(Q+b2)6=;.Lety2Q+b1\Q+b2.Thenkyb1k1;kb2yk112(detL)1=n.It simplecountingargumentshowsthatitisexactlyone.Thus,thereexistb1;b22Lsuchthat followsfromthetriangleinequalitythat
everyfulldimensionallatticeL,thereexistsb2Lwithkbk2pn(detL)1=n.(Thesamefollows Sinceb2b12Lwearedone.Asasimplecorollary,sincekbk2pnkbk1,wehavethatfor kb2b1k1kyb1k1+kb2yk1(detL)1=n
fromProposition4.1.2forthegeneralcasenm.) suchthatQ+b0intersectsQ.Forsimplicity,letusassumedetA=1.IfL=L(a1;a2;:::;an), thenwe\only"needtoconsidervectorsb=1a1++nanwhere Followingtheproofsketch,wecanndb2Lwithkbk1(detL)1=nbysearchingforb02L
(TheequalitycomesfromCramer'srule.Theinequalityrequiresproof.Thekeypointsarethat, assumingkbk1

58 yi: sothatthefollowingintersectionisnon-emptyandwecantherforechoosefromtheintersection CHAPTER4.SUCC.MINIMA,MINKOWSKI'STHEOREMS,HERMITECONSTANT
pointofasubsequencey(i)i2N.Thesequenceb(i)i2NLconvergestoy.Thesequence b(i)i2NLisboundedandrunsthroughonlynitelymanylatticepoints.Atleastonelattice SinceQiscompact,thesequence(yi)i2Nhasalimitpointy2Q.Lety2Qbeaboundary yi21+1iQ\1+1iQ+bi i=1;2;:::
is,n=m.WeapplyLemma4.1.3totheset Proof(ofProposition4.1.2).WerstconsiderthecaseinwhichLisfulldimensional,that pointb2Lnf0gappearsinnitelyoften.Itfollowsthaty2Q\(Q+b).
Q:=nx2Rm:kxk112(detL)1mo
Qisanm-dimensionalcubewithsidelength(detL)1m.Thenvol(Q)=detL.ByLemma4.1.3 thereexistsab2Lnf0gandy2Q\(Q+b).Sincey;yb2Qwehave:
Itfollowsfromthetriangleinequalitythat: kybk112(detL)1m kyk112(detL)1m
inmlet: Thecasen

f:Rm!Rmbedenedasfollows.Forb2Rmthevalueoff(b)isthevectorinRmthat 4.1.SUCCESSIVEMINIMAANDTHEFIRSTMINKOWSKITHEOREM Weconcludetheproofoftheclaimbyshowingthatdet'I(bB)T'I(bB)=det'I(B)T'I(B).Let 59
hf(x);f(y)i=h'I(x);'I(y)i.Thus, coordinatesnotinI.Thenkf(b)k=k'I(b)kforallb2Rm,andingeneral,forallx;y2Rm, agreeswithbonallthecoordinatesintheindexsetI(so'I(f(b))='I(b))andiszeroonallthe
anditremainstoprovethatdet'I(bB)T'I(bB)=detf(bB)Tf(bB)
det'I(B)T'I(B)=detf(B)Tf(B)
afterright-multiplicationbyTandobtainthesameresult).Thus, Now,sincebB=BT,wehavef(bB)=f(BT)=f(B)T(wecanzerooutagivenrowbeforeor detf(bB)Tf(bB)=detf(B)Tf(B)
detf(bB)Tf(bB)=det((f(B)T)Tf(B)T)
andtheproofoftheclaimiscomplete. =detf(B)Tf(B) =det(TTf(B)Tf(B)T)
jxjj=kxk1.ThenthereexistsachoiceforIsuchthatj2Iand'I(L)isoffullrank.Forthis Letx2Lhavesup-norm1;1(L).Writex=(x1;x2;:::;xn)T,andletjbesuchthat
choiceofI: kLk1=kxk1=k'I(b)k1det'I(L)1n(detL)1n
Wedene:
Definition4.1.5(Convex,Null-SymmetricSet) SRmisconvex,ifwhenx;y2Sand2[0;1]itisalsothecasethatx+(1)y2S.Sis callednull-symmetric,orsimply,symmetric,ifxisinSwheneverxisinS. Proposition4.1.2withn=misaspecialcaseofthefollowingtheorem,commonlyknownas Proposition4.1.6(Minkowski'sFirstTheorem1893) LetLRmbeafulldimensionallatticeandSRmaconvex,symmetric,compactsetwith \Minkowski'sTheoremforConvexBodies."
vol(S)2mdetL.ThenjS\Lj3,thatis,Scontainsatleasttwonon-zerovectorsy2L.

60 Proof.Wetake: CHAPTER4.SUCC.MINIMA,MINKOWSKI'STHEOREMS,HERMITECONSTANT
Thenvol(Q)=2mvol(S)detL.ByBlichfeldt'sLemma4.1.3,thereexistsb2Lnf0gwith: Q:=12S=12xx2S 12S\12S+b6=; Rm
f0;bgS\L. Letybeinthisintersection.Theny212Sandy=x+bwithx212S.Letw=2xandz=2y. Thenw;z2S.Moreover,sinceSisconvex,12w+(112)z2S.Thus,b=xy2S.Inparticular,
m,sincevol(S)=2mdetL.AfurtherconsequenceofProposition4.1.6isaproofG.L.Dirichlet's Proposition4.1.6appliedtoS=x2Rm:kxk1(detL)1=m yieldsProposition4.1.2forn=
Chapter1: Proposition4.1.7(Dirichlet1842) [Di1842]theoremregardingsimultaneousapproximationofrealnumbersbyrationalsdiscussedin
Let1;2;:::;nberealnumbersand2(0;12).Thenthereexistintegersp1;p2;:::;pnandq with0

4.2.HERMITECONSTANTANDCRITICALLATTICE andthelatticeL(A)generatedbythecolumnsofA.Everyvectorb2L(A)canbewrittenas b=Ap,wherep=p1;p2;:::;pTn+12Zn+1.Letb2L(A)benon-zerowithkbk2".Then 61
pn+16=0.Assumewithoutlossofgeneralitythatpn+1

62 Inthefollowingweimprovethisupperbound.Wedenoteby CHAPTER4.SUCC.MINIMA,MINKOWSKI'STHEOREMS,HERMITECONSTANT
thendimensionalballwithrRadiusrcenteredattheorigin.Thevolumeofthendimensional ballwithradius1is Sn(r):=fx2Rn:kxkrg
(4.1) TheGammafunctionisdenedby12=p,(n+1)=n!forn2Nandingeneralforx2R+: vol(Sn(1))= 1+n2=2n2
n12n
WeobtainfromthisanupperboundfortheHermitconstantn: Proposition4.2.3 (x+1)=x(x)
Proof.LetLRmbeafulldimensionallatticewithn=1(L)2 nvol(Sn(1))2n=41+n22n2n
4 e+O(1)0;2342n+O(1)
Proposition4.1.6totheballSn(r).Wechooseradius: r:= 2 (detL)2nanddetL=1.Weapply
with(4.1): Thenvol(Sn(r))=2n.ByProposition4.1.6thereexistsb2Sn(r)\Lwithb6=0.Weobtain vol(Sn(1))1n
ByStirling'sapproximation[Knuth71,1.2.11.2,Aufgabe5]: (x+1)=p2xxex1+O1x 1(L)kbkr= vol(Sn(1))1n=2 2 p1+n21n
andx=n2followsfromthefactthatdetL=1: (4.2)
n=1(L)2 forx2R+;
4pnn2en21+O1n2n (detL)2n
=4n 2e(n)1n1+O1n2n

4.2.HERMITECONSTANTANDCRITICALLATTICE Sincelim n!1n1n=1,thatis,n1n=1+O(1),weobtain: 63
n2n e+O(1)
1=2
qppppppppppppppppppppppppp ]
q pppppppppppppppppppppppppp
qq
radiusr:=121oneverypointofthefulldimenionallatticeLRnThisyieldsthegittertige??? TheproofofProposition4.2.3canbeillustratedasfollows(seeFigure4.2.1):Placeaballof Figure4.2.1:IllustrationfortheProofofProposition4.2.3
Definition4.2.4(GitterartigeSpherePacking) spherepackingofL,denedasfollows. LetMRnbeanon-emptydiscretesetandr>0.ThespherepackingforMandris:
ballsm1+Sn(r)andm2+Sn(r)sharenointeriorpoint. Thespherepackingiscalledgitterartig,whenforeverypairofneighboringpointsm1;m22Mthe fm+Sn(r)jm2Mg
(4.3) ofthelatticeyieldtogetheroneballofradius121.Itfollowsthat: LetusconsiderthegitterartigespherepackingforLand121.The2npartialballsinabasicblock
Definition4.2.5(WidthofaLattice) detLvolSn121=n1vol(Sn(1))
ThewidthofafulldimensionallatticeLRnisthewidthofthegitterartigespherepackingfor 2n
L,thatis,thevolume|volumenanteil???oftheballofthegitterartigespherepackinginRn. ThewidthofthespherepackingoflatticeLis: volSn121 detL =n1 detLvol(Sn(1)) 2n

64 oftheHermiteconstant Forxedn,thewidthismaximalwhenthefactorn1 CHAPTER4.SUCC.MINIMA,MINKOWSKI'STHEOREMS,HERMITECONSTANT
n=max1(L0)2 (detL0)2nL0Rnfulldimensionallattice detLisaslargeaspossible.Bythedenition
weobtainthatthewidthofthelatticeLRnismaximalexactlywhen
Wedenethegloballyextreme,orcriticallattice: detL!=(n)n2=max1(L0)n n1 detL0L0Rnfulldimensionallattice
Definition4.2.6(GloballyExtreme(orCritical)Lattice) AfulldimensionallatticeLRniscalledgloballyextreme,orcritical,when
thatis,1(L)2 (detL)2nistheabsolutemaximumforlatticesofrankn. (detL)2n=n; 1(L)2
Alatticeiscriticalexactlywhentheballofradius121aroundthelatticepointsformsthewidest
AfulldimensionallatticeL=L(b1;b2;:::;bn)Rnissaidtobelocallyextremewhen Definition4.2.7(LocallyExtremeLattice) gitterartigespherepackingofRn.
doesnotincreasewithinnitesimallysmallchangestothebasisvectors. (detL)2n 1(L)2
treme,buttheconverseisnottrue.DiederBasisb1;b2;:::;bnzugeordneteFormF(x1;x2;:::;xn):= Pni=1hbi;bjixixjnenntmandannExtremform???. ThispropertydoesnotdependonthechoiceofbasisforL.Everycriticallatticeislocallyex-
wasimprovedbyH.F.Blichfeldt[Blich14]: Theupperboundn2n e+O(1)fortheHermiteconstantfromProposition4.2.3onpage62
ofthespaceoftheballwithradius121overlapsandestimatesthisportionbyp2+o(1)nform (4.4) ThisboundtakesintoconsiderationthatintheproofofProposition4.2.3onlyaverysmallportion n21+n22nn e+o(n):

4.2.HERMITECONSTANTANDCRITICALLATTICE above.Forexample,102(6!)0;22;373.G.A.KabatianskyundV.I.Levenshtein[KaLe78] showedin1978,that: 65
TheseimprovementsshowthattherstMinkowskiTheoremforconvexbodies(Proposition4.1.6, page59)isnotoptimalforballs.ForalowerboundfortheHermitconstantnwehave: n1;744 2en+o(n)0;1021n+o(n)
E.Hlawka[Hlawka44]forballsS:=Sn(r).Theproofis,however,notconstructive,itshows ThislowerboundisobtainedbyapplicationofthefollowingtheoremofH.Minkowskiund n11+n2=n 2e+o(n)
Proposition4.2.8(Minkowski,Hlawka) onlytheexistenceofcertainlattices;explicitconstructionsarenotknown. LetSRnhaveJordanvolumelessthan1.ThenthereisafulldimensionallatticeLRnwith Proof.See[GrLek87,Theorem1,Paragraph19,Chapter3]. detL=1and(L\S)nf0g6=;.
Takentogether,wehavefortheHermiteconstantthefollowingestimates: 2e+o(n)nn n
Chapter6)thefollowingestimatesappear: Itisconjecturedthatngrowsmonotonicallyasafunctionofn.In[GrLek87](Paragraph38, e+o(n)
Itisnotknowniflimn!1nnexists. 2eliminf 1 n!1nnlimsup n!1nn1
TheHermiteconstants2;3;4;5wereobtainedinthesecondhalfofthe1900'sbyA.Korkine e
6;7;8: undG.Zolotare[KoZo1872,KoZo1873,KoZo1877].In1935,H.F.Blichfeldt[Blich35]obtained
n.21+n22n0;9070;8870;9070;8920;9070;9180;949 (n)n n 234 32 4 58 26 63 27 72 28 8
ThelastrowshowstherelationndividedbyBlichfeldt'sestimate(4.4).Blichfeldt'sproofis complicatedandwasimprovedbyG.L.Watson[Watson66]andN.M.Vetchinkin[Vetchin82].For n=9;10onlytheupperbounds(9)929and(10)1013210areknown.

66 isometry(withouttherequirement1=1theyareuniquelydetermineduptoisometryandscaling, Forn=2;3;:::;8thecriticallatticeofranknwith1=1isuniquelydeterminedupto CHAPTER4.SUCC.MINIMA,MINKOWSKI'STHEOREMS,HERMITECONSTANT
Weshowthattheselatticeshaveabasisb1;b2;:::;bnwihthepropertythat: hencesimilarity).ThiswasshownbyE.S.Barnes[Barnes59]andN.M.Vetchinkin[Vetchin82]. hbi;bji=8>:1fori=j
Thescalarproductshbi;bjideterminethecorrespondinglatticebasisb1;b2;:::;bnuptoisometry. (4.5) 0forjijj>2 12forjijj2undi6=j Intheisometryclassoflatticebaseswiththescalarproductshbi;bjidescribedabove,thereis exactlyoneuppertriangularmatrix[b1;b2;:::;bn]withpositivediagonalelements.Thecorresdpondinglowertriangularmatrix[b1;b2;:::;bn]Thasthefollowingrowvectors:
264 b b2 b3 b4 b51
b6 b7 b8 3 75:= 21 12q34 p12q23 1
p12323 1p3 p6 2
0 64 q38 1p2 1p8 1p2 1p8q38 p6 01
0 3p300
LetL(n):=(b1;b2;:::;bn)forn8.Sincekb1k=1wehave11.Letb:=Pni=1tibiwith 0 0 0 0 0q23 1 7
t1;:::;tn2Zbeanarbitrarynon-zerolatticevectorinL(n).Wewishtoshowthatkbk1.From 5
itfollwsfrom(4.5)thathbi;bji20;12;1 kbk2=DXni=1tibi;Xnj=1tjbjE=nXi=1tiDbi;Xnj=1tjbjE=nXi=1tinXj=1hbi;bjitj
kbk2=nXi=1 tihbi;bii+nXj=1 j6=itjhbi;bji!=nXi=1 andkbik2=1,sothatweobtain | tihbi;bii+2Xj

4.2.HERMITECONSTANTANDCRITICALLATTICE Definition4.2.9(DeepHole) LetLbealattice.Thepointx2span(L)iscalledadeepholeofthelatticeL,when 67
Definition4.2.10(LaminatedLattice) minfkxyk:y2Lg=max p2span(L)(minfkpyk:y2Lg)
isadeepholeofthelatticeL(b1;b2;:::;bn). ThelatticeL(b1;b2;:::;bn+1)islaminatedwithrespecttoL(b1;b2;:::;bn),when bn+1n+1(bn+1)2span(b1;b2;:::;bn)
Figure4.2.2showsthisconstructionforthetwolatticesL(2)andL(3). L(b1;b2;:::;bi)islaminatedwithrespecttoL(b1;b2;:::;bi1)andkbik=1fori=2;3;:::;n. ToconstructthelatticeL(n),wechoose(1;0;:::;0)2Rnandb2;b3;:::;bnsothat,respectively
tiefesLochL(b1) b2qqq
qqqqqqq
tiefeL"ocher L(b1;b2)
foralllatticesLofrankn. ThefollowinginequalityofH.Minkowskisharpenstheinequaltiy21n(detL)2n,andholds Figure4.2.2:ConstructionofL(2)andL(3)
Proposition4.2.11(Minkowski'sInequality) ForeverylatticeLofrankn, nYi=1i(L)(n)n2detL Remark4.2.12 Sinceforacriticallattice(n)n2detL=n1andingeneralQni=1in1,foracriticallattice Proof(ofProposition4.2.11).Leta1;a2;:::;an2Lbelinearlyindependentvectorssuch that: 1=2==n.
kaik=i fori=1;2;:::;n

68 Proposition3.2.16(page37)yields:thereexistsanuppertriangularmatrixT2Mn;n(Z)with: L1=L(a1;a2;:::;an)isasub-latticeofL.Choosebasisb1;b2;:::;bnforL,sothatforL2:=L CHAPTER4.SUCC.MINIMA,MINKOWSKI'STHEOREMS,HERMITECONSTANT
(4.6) Forallb2L(b1;b2;:::;bn)ands=1;2;:::;n: b=2L(b1;b2;:::;bs1)=)kbks [b1;b2;:::;bn]T=[a1;a2;:::;am]
Thus,fromb=2L(b1;b2;:::;bs1)andb2Litfollowsthatb=2span(b1;b2;:::;bs1),andsince
sothata1;a2;:::;as1;barelinearlyindependent.Fori=1;2;:::;nwelet TisuppertriangularwehavefromRemark3.2.17onpage38: span(b1;b2;:::;bs1)=span(a1;a2;:::;as1);
andconsiderthelatticeL:=Lb1;b2;:::;bn.Claim: bi:=iXj=1i;jbj j
(4.7) Letb:=Pni=1tibibeanarbitraryvectorinLnf0gands:=maxifijti6=0g.Then, 1L1
sothatfrom(4.6)andts6=0itfollowsthat: nXi=1tibi2=sXj=1 sXi=jtii;j!2kbjk2 2jsXj=1 sXi=jtii;j!2kbjk2 2s;
FromdetL=detL Qni=1i,inequality(4.7)andthedenitionoftheHermiteconstant nXi=1tibi212ssXj=1 sXi=jtii;jkbjk!2=12ssXi=1tibi21
weget: (detL)2nn 21
Byraisingtothepowern2andmultiplyingbyQni=1iwegettheassertion: 11L2ndetL2n=n(detL)2n nYi=1i!2n
nYi=1i(L)(n)n2detL

Thelatticedeterminantyieldsalowerboundontheproductofthesuccessiveminima: 4.3.GAUGEFUNCTIONSANDMINKOWSKI'STHEOREMS 69
Proposition4.2.13(Minkowski'sSecondTheorem) ForeverylatticeLofrankn: nYi=1idetL
(4.8) SinceL(a1;a2;:::;an)isasub-latticeofL: Proof.Leta1;a2;:::;anbelinearlyindependentlatticevectorswithkaik=ifori=1;2;:::;n.
Moreover,byHadamard'sinequality: nYi=1kaikdetL(a1;a2;:::;an)
detL(a1;a2;:::;an)detL
(4.9)
4.3 >Fromtheestimates(4.8)and(4.9)wegettheclaimedboundQni=1idetL. GaugeFunctionsandMinkowski'sTheorems
convexbody. Minkowski'stheoremsforthelatticeZnandgeneralizethem.Werstdenethenotionofa Weintroducetheguagefunction(seeforexample[GrLek87,Siegel89])andformulatebothof
Definition4.3.1(ConvexBody) AconvexbodyBRnisabounded,convex,openset. Theset@Bforaconvexbodyisthesetofallpointsp2RmnB,sothateveryneighborhoodofp containsapointoutsideofB.
y2@B 0qqq
B
Figure4.3.1:IllustrationoftheGaugeFunction x=y

70 Definition4.3.2(GaugeFunction) LetBRmbeaconvexbodywith02B.Theguagefunctionf:Rn![0;1)isdenedas CHAPTER4.SUCC.MINIMA,MINKOWSKI'STHEOREMS,HERMITECONSTANT
follows: f(x):=8>:0ifx=0
Aguagefunctionfissymmetricifforallx2Rnf(x)=f(x). ifx6=0,x=2@B,x=ywithy2@Band>0 1ifx2@B
Weobtainthe`2-normwith andthesup-NormwithB:=(x1;x2;:::;xn)2Rn:x21+x2+:::x2n0forx6=0andf(0)=0 c)f(x+y)f(x)+f(y).
Proposition4.3.4 Letf:Rn!Rbeafunctionwith:
a)f(x)=f(x)for>0andx2Rn
ThenthereexistsaconvexbodyBRnwithguagefunctionf. b)f(x)>0forx6=0 c)f(x+y)f(x)+f(y).
Proof.See[Siegel89,Theorem7]mitB:=fx2Rmjf(x)

Proposition4.3.5 LetfbeaguagefunctionofaconvexbodyB.Then0isthecenterofB,ifandonlyiffsymmetric. 4.3.GAUGEFUNCTIONSANDMINKOWSKI'STHEOREMS 71
Proof.See[Siegel89,Theorems8and9]. Symmetricguagefunctionscorrespondtonorms.TherstMinkowskitheoremcanbeexpressed intermsofguagefunctionasfollows(seeProposition4.1.6onpage59):
Letf:Rn![0;1)beasymmetricguagefunctionfortheconvexbodyBRn.Ifvol(B)2n, thenthereexistsg2Znnf0gwithf(g)1. Proposition4.3.6(FirstMinkowskiTheorem)
Proof.See[Siegel89,Theorems10and11]. Corollary4.3.7 Letf:Rn![0;1)beasymmetricguagefunctionfortheconvexbodyBRn,:=min x2Znnf0gf(x)
Proof.For>0letB:=fx2Rnjf(x)g.Thenvol(B)=nVandfor00,thatis,thereisan>0 (0)nV2n
g2B0+exists.Thisyieldsacontradiction:
Remark:Itfollowsfromthedenitionof0thatsince

72 of[Siegel89]withproof,inLectureIV. Proof.SeeParagraph9.1inChapter2of[GrLek87].FortheupperboundseealsoTheorem16 CHAPTER4.SUCC.MINIMA,MINKOWSKI'STHEOREMS,HERMITECONSTANT
Let1;2;:::;nbethesuccessiveminimaofthefulldimensionallatticeLRnaccording Proposition4.3.9(SecondMinkowskiTheoremforGeneralLattice)
B:=fx2Rnjf(x)

Chapter5
Gauss'BasisReductionProcedure
InthischapterwepresentGauss'basisreductionprocedurefortwodimensionallattices.The procedureisageneralizationoftheEuclideanAlgorithm.Wewillstudythereductionprocedure
casesuchabasisalwaysexists. forthespecialcaseoftheEuclideannormandthenconsiderthegeneralcaseofanarbitrarynorm. vectorshavethelengths,respectively,ofthesuccessivemimima;however,inthetwodimensional WhileinChapter4.1wesawbyanexamplethatinthegeneralcasethereisnobasiswhose
Weintroduceanotionofreducednessfortwo-vectorbases: 5.1 ReducedBasis
Anorderedlatticebasisa;b2Rnis(Gau)reducedwithrespecttonormkk,when: Definition5.1.1(GauReducedBasis)
Gram-Schmidtcoecients2;1=ha;bi Weconsiderthecasethatthenormisgivenbythescalarproductkxk=phx;xi.Forthe kakkbkkabkka+bk
2;112() kak2wehave:
Thusthebasisa;bisreducedifandonlyif: 2;10()kabkka+bk kbkkabk
b)02;112 a)kakkbk 73

Incontrastwithaweightreducedbasis,werequirethatnotonlydoestheabsolutevalueof2;1 74 liebetween0and12,but2;1itselfdoes.Thiscanbeensuredbyreplacingbwithb.Figure5.1.1 CHAPTER5.GAUSS'BASISREDUCTIONPROCEDURE
showstheGaussreducednessconditioninthecaseofthestandardscalarproduct.Theangle 2;1=0 Rppppppppppppppppppp
b Y2;1=12
a-) kak=kbk
ppppppppppppppppppp
betweenthetwolatticevectorsofthereducedbasisisbetween60and90: Figure5.1.1:ReducedBasisforStandardScalarProduct
Since02;112andkakkbk: cos=ha;bi kakkbk=2;1kak
0cos12 kbk
reduced.Intheremainingcaseswehaveonlythereducedbasisa;b. with2;1=12,thena;abisalsoreduced.Ifa;bisreducedwithkak=kbk,thenb;aisalso Ifa;bisreducedwith2;1=0,thena;bisalsoareducedbasis.Similarly,ifa;bisreduced
Proof.Withoutlossofgenerality,assumekakkbk.Theclaimsays: Proposition5.1.2 Forareducedbasisa;b2Rn,kakandkbkarethetwosuccessiveminimaofthelatticeL=Za+Zb. kakkra+sbk kbkkra+sbk 8r2Zands2Znf0g 8(r;s)2Z2nf(0;0)g

5.1.REDUCEDBASIS Theseinequalitiesfollowtogetherfromthefollowingproperties,whichweprovebelow. 75
(5.1) kakkbk
Wenowproveinequalities(5.1).ConsiderFigure5.1.2:Intheunionofthefour\quadrants" kakkrak kbkka+bk 8r2Znf0g 8,2Rwithjj;jj1
rr
ppppppp
rrrrr
rrrrr rrrr
pppp r
ppp 0 a pppppppp s
-1 pp
ba ba+b
ppp ab a a+b
rr
indicatedbysmalldots,thenormtakesitsminimumonsomesubsetofthefourpointsab. Ofthelatticepointslyingonthethickerlines,thenormisminimizedinthemiddlepoints.That Figure5.1.2:ReducedBasisa;b
is,fromtheGaussreducednessconditionsitiseasy(buttedious)toverifythat
Bytheconvexityofthenorm,forjj1: kabkkakka+bk kabkkbk kabk
minimizedontheboundary,henceonthethicklines. Thusthepointsabhavetheminimalnormonthethicklines.Byconvexity,thenormis kabkkabkkak kabkkabkkbk
Anorderedlatticebasisa;b2Rniswellorderedreducedaccordingtonormkkwhen: Definition5.1.3(WellOrdered,ReducedBasis)
kakkabkkbk

5.2 76 Algorithms CHAPTER5.GAUSS'BASISREDUCTIONPROCEDURE
Wepresenttwoalgorithmsforobtainingareducedbasisforatwodimensionallattice:onefor generalnormsandoneforthespecialcaseoftheEuclideannorm.
Algorithm5.2.1Gau'ReductionProcedurefortheEuclideanNorm 5.2.1ReductionAlgorithmfortheEuclideanNorm
INPUT:LatticeBasisa;b2Rnwithkakkbk 1.WHILEj2;1j>12DO 1.2.IFkak>kbkTHENexchangeaandb 1.1.[a;b]:=[a;b]d2;1c1 1 0
OUTPUT:ReducedBasisa;b 2.b:=bsign(2;1) ENDwhile =2;10=
correct. Algorithm5.2.1reducesbbyb:=bd2;1caandthenexchangesaundb.Theoutputisclearly Algorithm5.2.1producesareducedbasisaccordingtotheEuclideannorm.Aniterationof
Proposition5.2.1 Oninputa;bwithkakkbk,Algorithm5.2.1terminatesinatmost
iterations. log1+p2kak 2+3
Proof.SeeProposition4.4of[Schnorr94b]. 5.2.2ReductionAlgorithmforArbitraryNorm
[Kaib94],whichdescribesecientimplementationsofStep1.1inthel1-andsup-norms. detailedanalysisappearsin[KaSchn96]byM.KaibundC.P.SchnorrinM.Kaib'sDissertation Gau'ReductionProcedurefortheEuclideanNormcanbegeneralized(Algorithm5.2.2).A

5.2.ALGORITHMS 77
Algorithm5.2.2Gau'ReductionProcedureforArbitraryNorm INPUT:LatticeBasisa;b2Rnwithkakkbk 1.WHILEkbk>kabkDO
1.3.exchangeaundb 1.2.IFka+bk

78 CHAPTER5.GAUSS'BASISREDUCTIONPROCEDURE

Chapter6
LLLReducedLatticeBasis
nwasproposedin1982byA.K.Lenstra,H.W.LenstraundL.Lovasz[LLL82].Itusesthe Thefollowingnotionofreducednessfororderedlatticebasisb1;b2;:::;bn2Rmofarbitraryrank Euclideannorm.
particularweconsiderhowwellthelengthoftherstreducedbasisvectorapproximatestherst 6.1 WeintroducethenotionofLLLreducedbasisandshowpropertiesofanLLLreducedbasis;in DenitionandProperties
Definition6.1.1(LLLReducedBasis) thebasisb1;b2;:::;bn,andleti;j(1i;jn)bethecorrespondingGram-Schmidtcoecients. successiveminimumofthelattice.Letb1;b2;:::;bnbetheGram-Schmidtorthogonalizationof
Anorderedlatticebasisb1;b2;:::;bn2RmiscalledLLLreduced(L3-reduced)withparameter, 14

T:span(b1;b2;:::;bn)!Rnbetheisometricmappingwith Ifthebasisconsistsoftwovectors,thenwhen=1weobtainaGaureducedbasis.Let 80 CHAPTER6.LLLREDUCEDLATTICEBASIS
whereeiistheithunitvectorinRm.Thebasismatrix[T(b1);T(b2);:::;T(bn)]forthelattice T(L),isometrictoL,isanuppertriangularmatrix: T(bi)=kbikeifori=1;2;:::;n;
[T(b1);:::;T(bn)]= 64 kb 1kkb2k... 0 0. 0kbnk 0.
3 75 2 640 1 012;13;1 3;2 1 n;2 n;1
0 . ......n;n1 0 1.
375
= 2 64 kb 1k ..."kbk1kk;k1kbk1k
0 kbkk # ... kbnk
3 Thebasisb1;b2;:::;bn2RmisLLLreducedwithifandonlyif: 75
b)the22matricesonthediagonal a)thebasisb1;b2;:::;bnislengthreduced; "kbk1kk;k1kbk1k 0 kbkk #
for1k

6.1.DEFINITIONANDPROPERTIES Proof.>FromPropertiesa)undb)ofLLLreducednessitfollowsthat: kbik2b) kbi+1k2+2i+1;ikbik2a) 81
andthus: 14 kbi+1k2+14kbik2
Theclaimfollowsbyinductionoverji. |{z} =1=kbik2kbi+1k2
Corollary6.1.3 Letb1;b2;:::;bnbeLLLreducedwithparameter.Thenfor=1 14,kb1k2(n1)=21(L).
Proof.ByProposition3.2.26,wehave1(L)minfkb1k;:::;kbnkg.Lettheminimumlength basisvectorbebk.Thenkb1k2k1kbkk2byLemma6.1.2
BytakingsquarerootsweobtainthestatementoftheCorollary. n1(1(L))2 n1kbkk2because1andkn
ThenextlemmaisageneralizationofProposition3.2.26.
Lemma6.1.4 Letb1;b2;:::;bnbeabasisofthelatticeL.Thenfori=1;2;:::;n:
j=1;2;:::;n.Let Proof.Therearelinearlyindependentvectorsa1;a2;:::;an2L,sothatkajk=j(L)for ji=j;j+1;:::;nkbik
min
Hencethecoecientstikareintegersandthetikarereals.Let ak=nXi=1tikbi=nXi=1tikbifork=1;2;:::;n
contrary.Thenbytheassumptionthat(k)Fromthelinear (k):=maxfi:tik6=0g
a1;a2;:::;aj2span(b1;b2;:::;bj1);

sothata1;a2;:::;ajarelinearlydependent,whichyieldsacontradiction.Wethereforeobtain 82 CHAPTER6.LLLREDUCEDLATTICEBASIS
2j2k=kakk2t2(k);kkb(k)k2kb(k)k2i=j;j+1;:::;nkbik2 min
showsthatthelengthskbjkinanLLLreducedbasisare\rough"approximationstothesuccessive WhilethelowerboundonjinLemma6.1.4appliestoarbitrarybases,thefollowingtheorem
Proposition6.1.5(Lenstra,Lenstra,Lovasz1982) minimaj. Letb1;b2;:::;bnbeanLLLreducedlatticebasiswithparameter.Thenfor=1 a)1jkbjk2
forj=1;2;:::;n 14:
b)kbjk2 c)kbkk2j1kbjk2forkj 2jn1forj=1;2;:::;n
Proof.9k,1kj,suchthatjkbkk.Itfollowsthat: 2jkbkk2+14k1
jk+14k1 Xi=1kbik2 Xi=1ji! (bytheLLLreducednessproperties)
kbjk2j1 1k+14k1 Xi=11i! (byLemma6.1.2)
Weshow:
Fork=1theinequalityisobvious.Fork2,since1=1434: 1k+14k1 Xi=11i1
1k+14k1 geom.series34k1+14134k1 |{z} Xi=11i 134 =141 134=1

6.1.DEFINITIONANDPROPERTIES Thus, 2jkbkk2kbjk2j1 83
andsowehaveprovedtherstandthirdassertions.ByLemma6.1.4thereisakj,sothat jkbkk.ItfollowsfromLemma6.1.2that: 2jkbkk2
n+1kbjk2 k+1kbjk2 k+jkbjk2 (fromLemma6.1.2) (fromAssertion(c)withk=j) (fromLemma6.1.4)
(sinceknand1)
Corollary6.1.6 Letb1;b2;:::;bnbeanLLLreducedbasisofthelatticeL.Thenfor=1 14:
a)kb1k2n1 b)nYi=1kbik2(n2)(detL)2 2(detL)2n
Proof.WehaveQni=1kbik2=(detL)2.BythethirdAssertionofTheorem6.1.5:
Itfollowsthat: kb1k2kbik2i1
Thusweobtainpart(a):kb1k2n1 kb1k2n12n1nYi=1kbik2=(n2)(detL)2
Theorem6.1.5. Part(b)followsfromQni=1kbik2=(detL)2andkbik2kbik2i1,thethirdAssertionof 2(detL)2n.
Remark6.1.7 TheproofofCorollary6.1.3usesonlythefactthattheji+1;ij12,andnotthefullpower
ofweak-reducedness.Moreover,sincetheproofofCorollary6.1.3(a)onlyusescasek=1of Proposition6.1.5,thesameistruethere.However,theproofofCorollary6.1.3(b)usesthefull strengthofweakreducedness.Lovaszremarksthattoguaranteethatthenumbersoccurringinthe proceduredonotgrowtoobigthefullpowerofweakreducednessseemstobenecessary[Lovasz86].

6.1.1TwoApplicationsofLLLReducedness 84 CHAPTER6.LLLREDUCEDLATTICEBASIS
obtainsanLLLreducedbasiswith=34(the\`LLLalgorithm,"describedinSection6.2,has ProblemsdescribedinChapter1.Letusassumetheexistenceofanalgorithmthateciently latticedenedbythecolumnsofthematrixA: thisproperty).AttheendofSection4.1wecasttheSDAintermsofndingashortvectorinthe WereturnbrieytotheSimultaneousDiophantineApproximationandSmallIntegerCombination
A= 2 6400:::1n
01:::02 10:::0 . ... . 1
detL(A)="=Q.LetQ=2n(n+1)=4"n.UsingtheLLLalgorithm,wecanobtainavector 00:::0"=Q 3 75 b2L(A)suchthat Sinceb2L(A)thereexistintegersp1;p2;:::;pn;qsuchthat kbk22n=4(detL(A))1 n+1=2n=4"Q1 n+1 b= 2 64p2qn
p 1q1
Sincekbk1kbk2itfollowsthat pnqn q"Q . 3 75
andmoreoverq"Q",orinotherwords,jqjQ.Thusweobtainanapproximatesolutionto thesimultaneousdiophantineapproximationproblem,inwhichthedenominatorqisatmosta jpiqij"
factorof2n(n+1)=4greaterthanoptimal. Recallthattheproblemis,givenrationals0;1;2;:::;n,andrationals";Q>0,tond q0;q1;q2;:::;qn2Z,notall0,suchthat WemaycasttheSmallIntegerCombinationproblemintermsofalatticeproblemasfollows.
andqiQfor1in.Traditionally,0=1,sowewillmakethatassumptionhere.Wedene nXi=0qii"
B=26401:::n 0"=Q::: . ... 0 :::"=Q 0.
3 75

6.2.THELLLREDUCTIONALGORITHM b=Bq,q2Zn+1,satisfykbk2",b6=0.Thenkbk1"andso ThendetB=0("=Q)n,or,sinceweareassuming0=1,wehavesimplydetB=("=Q)n.Let 85
andqi"Q",orinotherwordsjqijQ. Choosing"=2n=4(detB)1 n+1,i.e.,Q=2(n+1)=4"1=n,wehavebyCorollary6.1.6(b)thatthe jq00++qnnj"
6.2 LLLalgorithmwillndsuchavectorb2L(B)inpolynomialtime.
Givenanarbitrarylatticebasis,wepresentaproceduretoobtainanLLLreducedbasisforthe samelattice.Weanalyzetherunningtimeandsizeofthecoecientsinthecalculations.We TheLLLReductionAlgorithm
generalizetheproceduretosystemsErzeugendensysteme???{systemsofgenerators,inwhichthe vectorsneednotbelinearlyindependent.
Algorithm6.2.1,transforms,foragiven,14

86 Algorithm6.2.1LLLReductionAlgorithm INPUT:.LatticeBasisb1;b2;:::;bn2ZmCHAPTER6.LLLREDUCEDLATTICEBASIS
1.k:=2 .Parameterwith14

6.2.THELLLREDUCTIONALGORITHM tobounddEndfrombelow,togetherwiththesimpleboundjj. proofofthefollowinglemmaissimilartothatofLemma6.2.1,butweuseMinkowski'sinequality 87
terminatesafteratmost Lemma6.2.2 Letb1;b2;:::;bn2RmbearealinputbasisandM:=maxikbik2.Thenfor

Lemma6.2.3 Theexchangebk1$bkresultsin:=k;k1andnew:=new 88 CHAPTER6.LLLREDUCEDLATTICEBASIS
a)kbnew k1k2=kbkk2+2kbk1k2 k;k1,suchthat:
b)kbnew
c)new=kbnewk1k2 kk2=kbkk2kbk1k2
kk2
d)new ijTk1i;jk=new1new
k1k21 [i;j]Tk1i;jk01 10
Proof.Weshowthefourclaimstogether(notethatbkundbk1aremutuallyorthogonal).
b)Thisfollowsbecausetheproductkbkkkbk1kremainsunchangedbytheexchangebk1$bk. a)Thisfollowsfrombnew k1=bk+k;k1bk1.
c)Since new=Dbnew kbnewk1E k;bnew k1k2=Dbk1;bk+bk1E
weobtain: kbnew
new=Dbk1;bkE+Dbk1;bk1E
kbnew k1k2 =kbk1k2
d)bnew k1=bk+bk1andaccordingtothebackwardsexchangebk1=bnew kbnew k1k2
thesetwoequalitiesitfollowsthat: hbk1;bki=hbnew k1;bnew kinew1newk+newbnew
k1.From
1

6.2.THELLLREDUCTIONALGORITHM Onethusobtains(onthediagonaldotsare1's;theotherentriesareall0): b1;b2;:::;bk2;bnew k1;bnew k;bk+2;:::;bm 89
=hb1;:::;bmi[i;j]T1i;jn 2 64 . ..01 10 . .. 3 75
=hbnew 1;:::;bnew mi2 6 4 . ..new1new 1 . .. 3 75[i;j]T1i;jn 2 64 . ..01 10
=hbnew 1;:::;bnew mi[new ij]T1i;jn . .. 3 75
Weboundfromabovethenumberofarithmeticoperationsforanexchangeby: Theclaimfollows.
Proposition6.2.4
Proof.TherstclaimfollowsfromLemma6.2.3.Thesecondclaimisfollowsfromthefactthat Anexchangebk1$bkrequiresatmostO(k)arithmeticoperations.Thelengthreductionofbk requiresatmostO(nk)arithmeticoperations. theoperationbk=bkbjalterstheGram-Schmidtcoecientsby: k;i:=k;ij;i fori=1;2;:::;j
cangrowduringthecalculation. numbersgrow?Westudythisquestionandobtainanupperboundonhowlargethecoecients WehaveanalyzedthenumberofarithmeticstepsintheLLLAlgorithm.Howlargecanthe
Foranintegerinputbasisb1;b2;:::;bn2Zm: Lemma6.2.5
Moreover,Dj=detL(b1;b2;:::;bj)2=jQ a)Di1bi2Zm b)Dji;j2Z i=1kbik2isaninteger.

Proof.Thesecondclaimwillfollowfromtherst. 90 CHAPTER6.LLLREDUCEDLATTICEBASIS
a)From[b1;b2;:::;bn]=hb1;b2;:::;bni[i;j]Titfollowsfor[ij]:=[i;j]1:
Moreover,[ij]Tlike[i;j]isanuppertriangularmatrixwith1'sonthediagonal.Since Dbi;bjE=0forj=1;2;:::;i1itfollowsfrombi=bi+Pi1 hb1;b2;:::;bni=[b1;b2;:::;bn][ij]T
hbi;bji=i1 Xt=1ithbt;bji forj=1;2;:::;i1 t=1itbtandii=1that:
Thesei1inequalitiesdenei1;i2;:::;i;i1.Thedeterminantofthesystemofequations is: SinceDi16=0,itfollowsfromCramer'srulethat: Di1ij2Z Di1=det[hbj;bki]1j;ki1
b)Bydenition(6.1)ofthedeterminantsDj=Qjs=1kbsk2wehave: Sincebi=bi+Pi1 j=1ijbjandb1;b2;:::;bn2Zm,theclaimDi1bi2Zmfollows. forj=1;2;:::;i1
Dji;j=DjDbi;bjE
Fromtherstclaim,bjDj12Zm,itfollowsthatDbi;Dj1bjE2Z.Wethusobtainthe kbjk2=Dj1Dbi;bjE=Dbi;Dj1bjE
claimDji;j2Z.
executionoftheLLLAlgorithm.Therstclaimholds,sinceforeachexchangebk1$bk: Thevaluemaxikbik2doesnotgrow,andthevalueminikbik2doesnotshrinkduringthe
b)kbnew a)kbnew kk2kbold k1k2kbold
k1k2
Thesecondclaimfollowsfrom: b)kbnew a)kbnew kk21kbold k1k2kbold
kk2

6.2.THELLLREDUCTIONALGORITHM Wegiveboundsforthecoecientsi;jthatoccurintheLLLAlgorithm.Foranintegerinput basisb1;b2;:::;bn2Zmlet 91
inthefollowing. M:=max i=1;2;:::;nkbik2
Lemma6.2.6 IntheLLLAlgorithm,atthebeginningofStagekwith:=1 a)kbik2i+3
1fori=1;2;:::;n:
Proof.Weshowbothclaims: b)ji;jj2i+3 4Mj1 forj

92 CHAPTER6.LLLREDUCEDLATTICEBASIS Lemma6.2.7 DuringexecutionofStagek,forj=1;2;:::;k1,itisalwaysthecasethat:
Proof.Instagekthelengthreductionstep jk;jj2k+3 4M94k1
yields,forj=1;2;:::;k1: k;j:=k;jdk;ici;j bk:=bkdk;icbi
wecanboundthenewMkfromaboveby: Eachofthek1operations(6.4)changesMk:=maxj=1;2;:::;k1jk;jjsothatfromdk;icMk+12 ji;jj1=2 |{z}
(6.5) ByLemma6.2.6atthebeginningofStagek Mnew kMold
Mkrk+3 k+12Mold k+1232Mold
4Mk1k+14
negligible).Thus: >Fromthebound(6.5)thevalueMkgrowsbyatmostthefactor32k1(thesummand14becomes
duringStagek.Theclaimfollows. jk;jj2322(k1)k+3 4Mk1=k+3 4M94k1
isnolongerstable.Forj>k,fromthetwoclaimsofLemma6.2.6wecanonlygetthebound AtthestartofStagekthevaluesi;jwithj>kcanbeverylarge,inwhichcasetheprocedure
>Fromtheinequality ji;jj2n+3
ji;jj2kbik2 4Mj:
fromDj=Qji=1kbik2,andfromLemma6.2.6onPage91wehave: kbjk2;
ji;jj2kbik2Dj1 Djn+3 4MDj1n+3 4Mj

6.2.THELLLREDUCTIONALGORITHM TheLLLAlgorithmwithiterativeorthogonalization(Algorithm6.2.2)avoidsthevaluesi;jwith j>k,andcalculatesinStagekonlywiththevaluesi;jwhere1j

Proposition6.2.8 Oninputanintegerlatticebasisb1;b2;:::;bn2ZmwithM:=maxi=1;2;:::;nkbik2,Algorithm 94 CHAPTER6.LLLREDUCEDLATTICEBASIS
6.2.2performs
arithmeticstepsonrationalsji;jjqn+3 On2m1+nlog1=M
oftheserationalsareboundedby andvectorsbiwithkbik2n+3 4M.Theabsolutevaluesofthesenumeratorsanddenominators 4Mjandjk;jjqn+3 4M94k1,kbjk2M,
Proof.ByLemma6.2.1: Mn12sn+3 494n
Sincethestagekis2atthebeginningofthealgorithmandn+1attheend,itisclearthat #Exchangesn2log1=M=On2log2M
exchange.EveryiterationrequiesatmostO(nm)arithmeticsteps.Theupperboundonthe Everyiterationwithanexchangeandstagereductionyieldsatmostoneiterationwithoutan numberofstepsfollows. #Iterationsn1+2#Exchanges
BythesecondclaimofLemma6.2.6andbyLemma6.2.7wehave: ByLemma6.2.5thedenominatorsofthenumbersijforj

Chapter7
Babai'sApproximationtoCVP
InthischapterwepresentBabai'sapplicationoftheLLLalgorithmtotheproblemofapproximatingtheclosestlatticevectortoagivenpointinRn.Weshowanapplicationtotheinhomogeneous
7.1 Diophantineapproximationproblem.Allthematerialinthischapterappearsin[Babai86].
Considerthefollowing\inhomogeneous"versionoftheshortestvectorproblem: ApproximateCVP
ClosestVectorProblem(CVP) Definition7.1.1
Find:x2Rnsuchthatkxbkisminimized. Given:LRnoffullrankandx2Rn
vectorproblem,CVPcanbeapproximatedtowithinafactorofninpolynomialtime[Kannan83]. CVPcanbesolvedinO(ncn)arithmeticoperations;moreover,givenanoraclefortheshortest hard[DKS98].Inthischapterweconsideronlythe2-norm. CVPisNP-hardforanynorm;indeed,approximatingCVPwithinafactorof2lg1"nisNP-
ApproximateCVP Definition7.1.2 Given:basis(b1;b2;:::;bn)forlatticeLoffullrankandx2Rn Find:w2Lsuchthatkxwkcnkxuk,whereuisanearestneighborofxinLand cndependsonlyonn. 95

96Let=34.AnLLL-reducedbasiswith=34satises
CHAPTER7.BABAI'SAPPROXIMATIONTOCVP
1p2kbk1kkbkk,k=2;:::;n jijj12
Babai[Babai86]presentstwosimpleproceduresforsolvingtheapproximateCVPyielding,respectively,cn=2n=2andcn=1+2n(9=2)n=2.
w=Pni=1ibi. Solvetheequationx=Pni=1ibi,forreals1;2;:::;n.Fori=1;:::;n,seti=dic.Output Procedure1:RoundingO Procedure2:NearestPlane 1.LetU=Pn1
2.Find(detailsexplainedbelow)v2LsuchthatthedistancefromxtoU+visminimal.Let L0=L\U. L0=L\span(b1;b2;:::;bn1)bethe(n1)-dimensionalsublatticeofLcontainedinU: i=1RbidenotethelinearsubspaceofRnequaltospan(b1;b2;:::;bn1).Let
3.Recursivelyndy2L0nearx0v. 4.Outputw=y+v. x0betheorthogonalprojectionofxontoU+v.
1;2;:::;n2Rn.Let=dnc.Letx0=Pn1 ForStep2,writexasareallinearcombinationoftheorthogonalizedvectorsx=Pni=1ibi,where
solution. inLisinU+v.Inthiswaythealgorithm\makesamistake"andsoweonlygetanapproximate cosetofUintersectingLnearesttox,itisnotnecessarilythecasethatthenearestneighborofx i=1ibi+bn.NotethatalthoughU+visthe
Proposition7.1.3 IfBisLLL-reducedwith=34,thenProcedureRoundingOndsalatticepointwnearesttox
latticeparallelepipeds,whichisofindependentinterest. withinafactorof1+2n(9=2)=2.
Proposition7.1.4 Proof.TheproofofthePropositionusesthefollowingresultregardingtheshapeofLLL-reduced
Letb1;b2;:::;bnbeLLL-reduced.Fork=1;:::;n,letUk=Pj6=kRbj,andletkbetheangle betweenbkandUk.Thensink(p2=3)n. Proof.See[Babai86].

Since 7.1.APPROXIMATECVP 97
anequivalentstatementofProposition7.1.4isthat,forallm2Uk, sink=min m2Ukkmbkk
(7.1) kbkk(9=2)n=2kmbkk kbkk
(7.2) Letdn=(9=2)n=2.LetwbetheoutputofProcedureRoundingO.Letuswrite
wherefori=1;:::;n,jij12becauseweroundedtherealcoecientsinx=Pibitogetw. wx=nXi=1ibi
points,'1;'2;:::;'n2Z. Lemma7.1.5 Letubeanearestlatticepointtox.Writeuw=Pni=1'ibi.Sinceuandwarebothlattice
Proof.Assumeu6=w.Letksatisfy kuwk2ndnkuxk.
Then k'kbkk=max 1jnfk'jbjkg:
But (7.3) kuwknXj=1k'jbjknk'kbkk
Letting ux=(uw)+(wx)=nXi=1('i+i)bi
wehavem2Uk,andwecanwritem='k+kXj6=k('j+j)bj
1
ux=nXi=1('i+i)bi=('k+k)(bkm)

98 'k2Znf0gwehave: Thus,byInequality7.1,andthefactthatthei'sareallboundedinabsolutevalueby12,and CHAPTER7.BABAI'SAPPROXIMATIONTOCVP
Thus, kuxk=j'k+kjkbkmkj'k+kjkbkk dnj'kj 2dnkbkk
Frominequalities7.3and7.4wehave (7.5) (7.4) kuwknj'jkbkkn2dnkuxk kuxk2dnj'kjkbkk
BythetriangleinequalityandLemma7.1.5wehave: ThiscompletestheproofoftheLemma.
ThiscompletestheproofofProposition7.1.3. kxwkkxuk+kuwkkxuk(1+2ndn):
7.2 InhomogeneousDiophantineApproximation
RecallthedenitionoftheinhomogeneousDiophantineapproximationproblemfromChapter1: InhomogeneousDiophantineApproximation Given:1;2;:::;n;1;2;:::;n,";Q>0 Findintegersp1;p2;:::;pn;qsuchthat and00thereexistintegersp1;p2;:::;pn;qsuchthatq>0and
2.Thereexistintegersu1;u2;:::;unsuchthatPni=1uiiisanintegerwhilePni=1uiiisnot. jqipiij":

7.2.INHOMOGENEOUSDIOPHANTINEAPPROXIMATION theoremsaysthatthereexistp1;p2;:::;pn;qsuchthatqipi=ifori=1;:::;i.This Suppose1;2;:::;nand1;2;:::;nareallrationals.ThentherstchoiceinKronecker's 99
denominatorqatmost3ntimeslargerthanoptimal,yieldinganerrorofatmost3n"[Babai86]. hard[EmBoas81].WenextdescribeapoylnomialtimealgorithmduetoBabaiforobtaininga polynomialtime(see,e.g.,[Frumkin76]).Tondaleastcommondenominatorq=q(")isNP-
isaspecialkindoflineardiophantineequationwhich,withoutaboundonq,canbesolvedin
Proposition7.2.1 Given1;2;:::;n;1;2;:::;n,and">0,allinQ,intimepolynomialinthelengthsofthe inputsonecanndeither 1.integersp1;p2;:::;pn;qs.t. jqipiijcn"
2.aproofthatq=q(")isinnite(nosolutionexists). wherecn=4pn2n=2,or: jqjcnq(")
wecanassumetheseareallpositive). DeneQtobetheproductofthedenominatorsofthei,i=1;2;:::;n(withoutlossofgenerality Proof.Replace"bysuchthat"2(=2;]and=2ifori2Z,sothat`()

100 ApproximatesatisesInequality7.6,ifany.Ifnosuchsexiststhenq()isinnite.Moreover, sinceifthereisasolutionwitherroratmost"thenthereisasolutionwitherroratmost>", CHAPTER7.BABAI'SAPPROXIMATIONTOCVP
ifnosuchsexiststhenq(")isinnite. equalities7.6with"replacedby.Then (q() p2;p2q()].Letu=Pni=1pibi+qibi+1,wherep1;p2;:::;pn;qsatisfytheconstraintsinIn-
Assumenowthatq(")isnite.Thenwehavejustarguedthatsoisq().Lets=2i2
kuxk1=max maxf1;jqj ifjqipiij;jqj sg sg
Now,sq() p2andjqjq(),so
Thuskuxk1p2,whence jqj sq() q()=p2=p2
TheNearestPlaneprocedureisshownin[Babai86]toobtainanapproximationtowithin2d=2of theclosestvectorinlatticesofdimensiond.Thus, kuxk2p2n
(7.7) (7.6) (7.8) kwxk22n+1 =2pn2n=2
2kuxk2
Moreover, 2pn212
(7.9) so kwxk2kwxk1=max ifjqipiij;jqj
jqipiij2pn2n=2

Chapter8
BreakingtheLinearCongruential Generator
WepresentageneraltechniqueofFrieze,Hastad,Kannan,Lagarias,andShamirforreconstructing truncatedintegervariablessatisfyinggivenlinearcongruences,andtheapplicationofthistechniquetobreakingpseudo-randomgeneratorsbasedonlinearcongruentialsequences.Thematerial
8.1 forthischapterappearsin[FHKLS88].
sequencegeneratortoD.H.Lehmerin1948.Thegeneratorhasfourparameters: Knuth[Knuth80]attributestheideaofusingalinearcongruentialsequenceasapseudo-random LinearCongruentialSequences
2.themultipliera0; 1.theseedx00;
Thecorrespondinglinearcongruentialsequenceis: 3.theincrementc0; 4.themodulusM>x0;a;c.
shorter,butthecomputationalcostislower.Otherrestrictionsonthechoiceofparameters arestudiedextensivelyin[Knuth80],wherethereisalsoalongandinterestingdiscussionofthe Thesequencealwayscycles(wewantcyclestobelong).Ifc=0thentheperiodisgenerally xn+1=(axn+c)modM
ofpseudo-randomsequencesintermsofpolynomialtimestatisticaltests[Yao82].Analternative \right"denitionofapseudorandomsequence.ThisdiscussionmotivatedYao'smoderndenition 101

102 denition,involvingunpredictability,hadpreviouslybeenproposedbyBlumandMicali[BluMi]. Forcompleteness,thesetwodenitions,provedequivalentbyYao[Yao82],arestatedinSection8.4. CHAPTER8.BREAKINGTHELINEARCONGRUENTIALGENERATOR
of)theparametersaresecret. predictabilityofthesequencewithhighaccuracyevenforrelativelysmallvaluesofk[Boyar82]. Ifa;c,andMareunknown,butallofthebitsofxi,1ikareknown,thenBoyarshowed Asusual,weassumethatthemethodforgeneratingthesequenceisknown;thevaluesof(some
accordingly.BoyarshowsthatatmostO(logM)disagreementscaneveroccur. extrapolatedsequencediersfromtheactualsequence,thentheguessedvaluesarecorrected Inparticular,shendsba;bc,andcM,consistentwiththeavailabledata,andextrapolates.Ifthe
O(n222`=k2)steps[Knuth80]. known,1ik,thenKnuthgivesanattackwhichusuallyreconstructsa,c,andtheseedin Ifcisunknown,Mandaareknown,andthehighorderbitsyiofeachxi,1ik,aregiven Ifaandcareunknown,M=2nisknown,andthen`highorderbitsyiofeachxiare
asdata,thenanattackduetoFrieze,Hastad,Kannan,Lagarias,andShamir[FHKLS88]yields: apolynomialtimereconstructionorpredictionprocedure(seebelow),provedtobesuccessful
anearlyalwayspolynomialtimereconstructionprocedureforallMprovided`(yi) onnearlyallproblemsinwhichsucientlymanybitsofdataareknowntopermitunique reconstructioninformation-theoretically,providedMissquare-free;
Whileuniquereconstructionofx0maybepossibleifc=0,thecasec6=0isdierent.Ifweset givenonlythreesamples(i.e.,k=3). `(xi)13,
x0i=xi+1xiandy0i=yi+1yi,thenx0isatisestherecurrence
x0iforanydyetbotharelinearcongruentialsequences;indeed,forsmalldthesequencesfxigand andy0iisessentiallyatruncatedversionofx0i.Thisisbecausexiandxi+dyieldthesamesequence x0i+1ax0i(modM)
fxi+dgwillusuallyhavethesamehighorderbits.Inthiscasefuturevaluesofthegenerator maybepredictedwithgreataccuracy,evenifexactreconstructionisnotpossible. unknown,inthatinpolynomialtimetheyobtainavaluecMandaheuristicargumentthatcM decreasesquicklytoM,togetherwithatechniquethat,givenM,ndsa. JouxandStern[JoSt94]extendtheresultsof[FHKLS88]tothecaseinwhichaandMare
Friezeetal.giveageneralresult,ofwhichthereconstructionofthecongruentialgeneratorisa 8.2 simplespecialcase.Thegeneralproblemis: AGeneralReconstructionResult

8.2.AGENERALRECONSTRUCTIONRESULT Definition8.2.1(ReconstructionProblem) Given:aijfor1i`and1jk,cifor1i`,M,and`modularequations103
kXj=1aijxjcimodM bitsofthexj,specically,blocksofconsecutivebinarydigits: (8.1) where0xj

Thesystem 104 Proposition8.2.2(Frieze,Hastad,Kannan,Lagarias,andShamir) CHAPTER8.BREAKINGTHELINEARCONGRUENTIALGENERATOR
kXj=1aijxjcimodM \smallsolution).Iftheaij,ci,andMareknown,thenthereexistsapolynomialtimealgorithm hasatmostonesolutionx2Zksatisfyingkxk2Mk(L(A;M))12(k=2)1(i.e.,atmostone 1i`
thateitherndsxorprovesthatnosuchxexists. Remark8.2.3 LetusgivesomeintuitionfortheapplicationofProposition8.2.2.Ifthexiarelargebutwe knowthemostsignicantbits,thenwecanrewritethemodularrelationsinsuchawaythat thenewunknownsare\small."Assumethishasalreadybeendone.IfL(A;M)hasverysmall kthsuccessiveminimumk,thentheclaimedpolynomialtimealgorithmcanndrelativelylarger
Aischosenatrandom(asinmostcryptographicapplications).Muchdependsonthestructureof oftheproofofapplicabilityofthetheoremisinanalyzingtheexpectedvalueofk(L(A;M))when bitsoftheoriginalxi's,sothatwhenwerewritetheequationstheunknownsaresmaller.Thebulk smallerinorderforthealgorithmtobesuretondthem.Intuitively,thismeansthatweneedmore unknowns(Mkislargerwhenkissmaller).If,however,k(L(A;M))islarge,thentheximustbe
Schnorr[LLS90]: M.See[FHKLS88]fordetails. Proof.(Sketch)TheupperboundkisfoundviathefollowingresultofLenstra,Lenstra,and
andthekthsuccessiveminimumoftheprimalisboundedabovebyk2. Thatis,forfulldimensionallatticesinRk,theproductoftherstsuccessiveminimumofthedual 1kk2
1.ReducethebasisforL=L(A;M)usingtheLLLalgorithmtogetmodularrelationswth ThestructureoftheproofofProposition8.2.2isasfollows:
2.Usethe(assumed)sizeconstraintsonthexj'stotransformthesemodularequationsto smallcoecients.
Wenowexplainthesestepsinmoredetail. 3.Solvetheseequationsovertheintegerstorecovertheexactvaluesofx1;x2;:::;xk. equationsovertheintegers.
GLk+`(Z)suchthatVBisinHermiteNormalFormwithnon-zerorowsz1;z2;:::;zk.Thus, Next,deneX2Zk(k+`)suchthatX(VB)=Z. z1;z2;:::;zkisabasisforthelatticeL(A;M).LetZbethekkmatrixwithrowsz1;z2;:::;zk. Fortherststep,startingwiththematrixBdenedabove,inpolynomialtimendV2

obtainaunimodularmatrixU2GLk(Z)andthereducedbasisw1;w2;:::;wksuchthat,ifWis 8.2.AGENERALRECONSTRUCTIONRESULT ApplytheLLLalgorithmwith=34tothek-dimensionallatticewithbasisz1;z2;:::;zkto 105
LetY=UXV.ThenW=YB. thekkmatrixwithrowsw1;w2;:::;wkwehaveUZ=Wand,bythereducednessofW,
Whathashappenedtoourinitialsetofequations?Wehad: kwik22k=2k 1ik
andso Y(Bx)YbCmodM BxbCmodM
andhence
LetC0=YbCmodM(sinceYandbCareknownwecaneasilyndC0).ThensinceW=YBwe havethemodularequalities (YB)xYbCmodM
(8.3)Letuswritex=(x1;x2;:::;xk)T.Forthesecondstepofthealgorithm(transformationtoa systemofequationsoverZ)observethat,for1i`, WxC0modM
jc0ij=kXj=1wijxj =jhwi;xij
=M2 kwikkxk

106 Corollary8.2.4 Lets0=logk+k2+12logk+1.Thesystem CHAPTER8.BREAKINGTHELINEARCONGRUENTIALGENERATOR
hasatmostonesolutionxinwhichthes0mostsignicantbitsofeachxjarespecied. kXj=1aijxjcimodM 1i`
Proof.Writexi=x(1) i+x(2) iwherex(1) x(2) iM2s0=M1 iaretheknowns0mostsignicantbitsofxiand
x(1) SincethisisimpliestheboundonkxkassumedinProposition8.2.2wecansubstituteintheknown iandthenapplytheProposition. k2(k=2)1k1=2
Remark8.2.5 WecanactuallyapplythealgorithmofProposition8.2.2(andtheCorollary)withoutknowingk.
checkifthenumberofbitsknownineachxjisatleast Wefollowthestepsofthealgorithmuntilweobtainthereducedbasisw1;w2;:::;wk.Wethen
Thisprovidesasucientconditionforthealgorithmtowork,becausemaxilog2kwiklog2k since,bydenitionofthekthsuccessiveminimum,foranybasisb1;b2;:::;bkforL(A;M), max iflog2kwikg+12logk+1
8.3 maxikbik2k.
Forreasonsdiscussedabove,wemayrestrictdiscussiontothecaseinwhichc=0.Thusthereare unknownsx1;x2;:::;xkthatsatisfythecongruencesxi+1aximodM,andwearegiventhe ApplicationtotheLinearCongruentialGenerator
L=L(A;M)tobethesetofallintegerlinearcombinationsoftherowsofthefollowingmatrix: highorderbitsofthexi's. Itiseasytoseebyinductionthatai1x1xi0modM,for2ik.Wedenethelattice 264 ak10 M a2 a 01::: 0 .:::1 0
NotethatdetL=M.
3 75

Forsquare-freeM>c(";k)thereisanexceptionalsetE(M;";k)ofmultipliersofcardinality Proposition8.3.1(Frieze,Hastad,Kannan,Lagarias,andShamir) 8.4.MODERNDEFINITIONSOFPSEUDO-RANDOMNESS 107
where jE(M;";k)jM1"suchthatforanymultipliernotinE(M;";k)thefollowingistrue.Thexiare uniquelydeterminedbyknowledgeofthe(1=k+")logM+c(k)leadingbitsofallfxi:1ikg,
Furthermore,thereisanalgorithmwhichrunsintimepolynomialinlogM+kwhichndsthexi. c(k)=k2+(k1)log3+72logk+2:
Remark8.3.2 2.a=1isclearlyexceptional(althoughextrapolationiseasyinthiscase!). 1.Thenumberofbitsneededforreconstructionisalmostoptimaloninformation-theoretic grounds.
3.Theproofactuallyshowsthat"approaches 4.Thexjaretreatedasindependentunknowns. loglogMasMapproachesinnity. c
5.Forthespecialcasek=3[FHKLS88]areabletoshowthat,forany">0,forallM, knowledgeof(13+")logM+c(k)leadingbitsofx1;x2,andx3,allowsrecoveryinpolynomial
8.4timeforallmultipliersaexceptasetofcardinalityc(")M1"=2.
andMicali[BluMi]andtoYao[Yao82]. Wepresenttwoequivalentdenitionsofpseudor-randomsequences,due,respectively,toBlum ModernDenitionsofPseudo-Randomness
Definition8.4.1(ensemble) thateachSkisaprobabilitydistributiononk.TherandomensembleR=fRkgisthesequence Letkdenotethesetofallbinarystringsoflengthk.AnensembleSisasequencefSkgsuch
Apolynomial-sizefamilyofcircuitsisasequenceofcircuitsC=fCkgsuchthatforsomepositive ofuniformdistributionsi.e.,Rk(x)=2kforallx2k.
integerd,Ckhasatmostkinputsandatmostkdgates. Definition8.4.2(polynomial-sizefamilyofcircuits)
Definition8.4.3(predictingcollection) Apredictingcollectionisapolynomial-sizefamilyofcircuitsCsuchthateachCkhasi

108 Definition8.4.4(unpredictablebyC) Fori

Bibliography
[Ajtai96] [Adel83] 412 M.Ajtai,GeneratingHardInstancesofLatticeProblems,Proceedings28th L.Adleman,OnBreakingGeneralizedKnapsackPublicKeyCryptosystems,Proceedings15thAnnualACMSymposiumonTheoryofComputing,1983,pp.402{
[Ajtai98] M.Ajtai,TheShortestVectorProbleminL2isNP-HardforRandomizedReductions,toappear,Proceedings30thAnnualACMSymposiumonTheoryotrier.de/eccc-local/Lists/TR-1996.htmtronicColloquiumonComputationalComplexityTR96-007,http://www.eccc.uni-
AnnualACMSymposiumonTheoryofComputing,1996,pp.99{108Elec-
[AjtDw97] M.Ajtai,C.Dwork,APublic-KeyCryptosystemwithAverage-Case/Worst-Case Equivalence,Proceedings29thAnnualACMSymposiumonTheoryofComputing, Computing,1998
[Babai86] L.Babai(1986):OnLovasz'LatticeReductionandthenearestLattice 1997;seealsoElectronicColloquiumonComputationalComplexityTR96-065, http://www.eccc.uni-trier.de/eccc-local/Lists/TR-1996.html
[Barnes59] Arithmetica,Band5,Seiten205-222. E.S.Barnes(1959):TheContructionofperfectandextremeFormsII,Acta PointProblem,Combinatorica,Band6,Seiten1{13.
[BeWe93] [BaKa84] ApproachtocommutativeAlgebra,GraduateTextsinMathematics,Band Th.BeckerundV.Weispfennig(1993):Gr"obnerBases|acomputational rithm,TechnischerReport,Carnegie-Mellon-Universit"at(USA). A.BachemundR.Kannan(1984):LatticesandtheBasisReductionAlgo-
[Blich14] 141,Springer-Verlag,Berlin/Heidelberg.
[Blich29] someApplications,TransactionoftheAmericanMathematicalSociety,Band 15,Seiten227{235. H.F.Blichfeldt(1914):AnewPrincipleintheGeometryofNumberswith H.F.Blichfeldt(1929):TheMinimumValueofquadraticFormsandthe closetPackingofSphere,MathematischeAnnalen,Band101,Seiten366-389. 109

110 [Blich35] H.F.Blichfeldt(1935):TheminimumValueofpositiveQuadraticForms insix,sevenandeightVariables,MathematischeZeitschrift,Band39,Seiten BIBLIOGRAPHY
[BluMi] 1{15.
[BoHi89] M.BlumandS.Micali(1984):HowtoGenerateCryptographicallyStrong SequencesofPseudo-RandomBits,SIAMJ.Computing,Vol.13,No.4, pp.850{864
[Boyar82] plexityClasses,inRandomnessandComputation,Vol.5,S.MicaliEditor,Ad-
vancesinComputingResearch,JAIPress,Greenwich,pp.1{26. J.Boyar(1982):InferringSequencesProducedbyPseudo-RandomNum-
R.B.BoppanaandR.Hirschfeld(1989),PseudorandomGeneratorsandCom-
[Bb65] B.Buchenberger(1965):EinAlgorithmuszumAundenderBasiselemente desRestklassenringsnacheinemnulldimensionalenPolynomideal,Dissertation,FachbereichMathematik,Universit"atInsbruck("Osterreich)ence,pp.153{159berGenerators,Proc.23rdIEEEConferenceonFoundationsofComputerSci-
[Cassels71] [Cohen93] GraduateTextsinMathematics,Band138,Springer-Verlag,Berlin/Heidelberg. J.W.S.Cassels(1971):AnIntroductiontotheGeometryofNumbers, H.Cohen(1993):ACourseinComputationalAlgebraicNumberTheory,
[Copper] [CoSl88] Springer-Verlag,NewYork.
D.Coppersmith,FindingaSmallRootofaUnivariateModularEquation,Proc. J.H.ConwayundN.J.Sloane(1988):SpherePackings,LatticesandGroups,
[CFJP] [CJLOSS92]M.J.Coster,A.Joux,B.A.LaMacchina,A.M.Odlyzko,C.P.SchnorrundJ.Stern D.Coppersmith,M.Franklin,J.Patarin,andM.Reiter,LowExponentRSAwith RelatedMessages,Proc.EUROCRYPT'96
[CR88] Complexity,Band2,Seiten111{128. basedonArithmeticinniteFields,IEEETransactionInformationTheory, B.ChorundR.L.Rivest(1988):AKnapsacktypePublicKeyCryptosystem (1992):Animprovedlow-densitySubsetSumAlgorithm,Computational
[Di1842] G.L.Dirichlet(1842):VerallgemeinerungeinesSatzesausderLehrerevon BandIT-34,Seiten901{909.
[Damgard89]I.B.Damgard(1989):ADesignPrincipleforHashFunctions,Advancesin Bericht"uberdiezurBekanntmachunggeeigneterVerhandlungenderK"oniglich PreussischenAkademiederWissenschaftenzuBerlin,Seiten93{95. Kettenbr"uchennebsteinigenAnwendungenaufdieTheoriederZahlen,
Cryptology|ProceedingsEuroCrypt'89,LectureNotesinComputerScience, Band435(1990),Springer-Verlag,Berlin/Heidelberg,Seiten416{427.

BIBLIOGRAPHY [Dantzig63] versityPress,Princeton,NewJersey(dt."Ubersetzung"`LineareProgrammierung G.B.Dantzig(1963):LinearProgrammingandExtensions,PrincetonUni-
111
[DKS98] undErweiterungen"'1966imSpringer-Verlag,Berlin/Heidelberg,erschienen).
[DKT87] I.Dinur,G.Kindler,S.Safra,ApproximatingCVPtoWithinAlmost-
Research,Band12,Nr.1(Februar),Seiten50{59. putationusingmoduloDeterminantArithmetic,MathematicsofOperation P.D.Domich,R.KannanundL.E.Trotter(1987):HermitenormalFormCom-
PolynomialFactorsisNP-Hard,manuscript1998.
[EmBoas81]P.vanEmdeBoas(1981):AnotherNP-completePartitionProblemandthe [Euchner91]M.Euchner(1991):PraktischeAlgorithmenzurGitterreduktionundFak-
ComplexityofComputingshortVectorsinaLattice,TechnischerReport
Universit"at,Frankfurt/Main. torisierung,Diplomarbeit,FachbereichInformatikderJohann-Wolfgang-Goethe- 81-04,FachbereichMathematikderUniversit"atAmsterdam.
[Frieze86] [Feller68] A.M.Frieze(1986):OntheLagarias-OdlyzkoAlgorithmfortheSubset SumProblem,SIAMJournalonComputing,Band15,Nr.2,Seiten536{539. tion,BandI,3.Auage,JohnWiley&Sons,NewYork. W.Feller(1968):AnIntroductiontoProbabilityTheoryanditsApplica-
[Frumkin76]M.A.Frumkin(1976):PolynomialTimeAlgorithmsintheTheoryofLin-
[FHKLS88] SIAMJournalonComputing,Volume17,No.2,pp262{280. structingTruncatedIntegerVariablesSatisfyingLinearCongruences, A.Frieze,J.Hastad,R.Kannan,J.Lagarias,andA.Shamir(1988):Recon-
[GaSi78] J.vonzurGathenundM.Sieveking(1978):ABoundonSolutionoflinearIntegerEquationsandInequations,ProceedingsoftheAmericanMathematicaski,ed.,LectureNotesinComputerScience56,Springer,Berlin,pp.386{392earDiophantineEquations,FundamentalsofComputationTheory,M.Karpin-
[GaJo79] M.R.GareyundD.S.Johnson(1979):ComputerandIntractability:AGuide totheTheoryofNP-Completness,W.H.FreemanandCompany,SanFrancisco.
Society,Band72,Seiten155{158.
[Gau1801] [GrLek87] C.F.Gau(1801):DisquisitionesArithmeticae,GerhardFleischer,Leipzig.
North-Holland,Amsterdam. Deutsche"Ubersetzung(1889):"`Untersuchung"uberh"ohereArithmetik"', M.GruberundC.G.Lekkerkerker(1987):GeometryofNumbers,2.Auage, Springer-Verlag,Berlin/Heidelberg.
[GLLS88] Verlag,Berlin/Heidelberg. combinatorialOptimization,AlgorithmsandCombinatorics,Band2,Springer- M.Grotschel,L.LovaszundA.Schrijver(1988):GeometricAlgorithmsand

112 [HaMcC91] cesoverRing,SIAMJournalonComputing,Band20,Nr.6,Seiten1068{1083. J.HafnerundK.McCurley(1991):AsymptoticFastTriangulationofMatri-
BIBLIOGRAPHY
[HJLS89] [H] AlgorithmsforFindingIntegerRelationsamongrealNumbers,SIAM J.Hastad,B.Just,J.C.LagariasundC.P.Schnorr(1989):PolynomialTime puting17(2),pp.336{341,1988 J.Hastad,SolvingSimultaneousModularEquationsofLowDegree,SIAMJ.Com-
[Helfrich85] B.Helfrich(1985):AlgorithmstoconstructMinkowskireducedandHermitereducedLatticeBases,TheoreticalComputerScience,Band41,Seiten
125{139. JournalonComputing,Band18,Nr.5,Seiten859{881.
[Hermite1850]C.Hermite(1850):ExtraitsdelettresdeM.Ch.HermiteaM.Jacobi [Hlawka44] surdierentsobjetsdelatheoriedesnombres,Deuxiemelettre,Reine AngewandteMathematik,Band40,Seiten279{290.
[Horner94] 49,Seiten285{312. H.H.H"orner(1994): E.Hlawka(1944):ZurGeometriederZahlen,MathematischeZeitschrift,Band
lemen,Diplomarbeit,FachbereichMathematikderJohann-Wolfgang-Goethe- amChor-Rivest-KryptosystemundanallgemeinenRucksackprob-
Universit"at,Frankfurt/Main. VerbesserteGitterbasenreduktion;getestet
[John48] [ImpNa96] ditions,inK.O.Friedrichs,O.E.NeugebauerundJ.J.Stoker(Ed.):"`Studiesand F.John(1948):ExtremumProblemswithInequalitiesassubsidiaryCon-
asSubsetSum,J.Cryptology9,pp.199{216,1996 R.ImpagliazzoandM.Naor,EcientCryptographicSchemesProvablyasSecure
[JoSt94] EssayspresentedtoR.Courantonhis60thBirthdayJanuar8,1948"',Interscience Publisher,NewYork,Seiten187{204.
[KaLe78] A.JouxundJ.Stern(1994):LatticeReduction:AToolboxfortheCryptanalyst,TechnischerReport,DGA/CELAR,Bruz(Frankreich).Toappear,Journal
SphereandinSpace,ProblemsofInformationTransmission,Band14,Seiten G.A.KabatianskyundV.I.Levenshtein(1978):BoundsforPackingsona 1{17. ofCryptology.
[Kaib91] [Kaib94] M.Kaib(1991):TheGauLatticeBasisReductionsucceedswithany Norm,ProceedingsofFundamentalsofComputationTheory(FCT'91),Springer
furt/Main. LectureNotesinComputerScience,Band591,Seiten275{286. tion,FachbereichMathematikderJohann-Wolfgang-Goethe-Universit"at,Frank-
M.Kaib(1994):Gitterbasenreduktionf"urbeliebigeNormen,Disserta-

BIBLIOGRAPHY [KaSchn96] M.KaibundC.P.Schnorr(1996):TheGeneralizedGaussReductionAlgorithm,JournalofAlgorithms,Band21,Nr.3(November),Seiten565{578.
113
[Kannan83] [KaBa79] R.Kannan(1983):ImprovedAlgorithmsforIntegerProgrammingand theSmithandtheHermiteNormalFormofanIntegerMatrix,SIAM JournalonComputing,Band8,Seiten499{507. R.KannanundA.Bachem(1979):PolynomialAlgorithmforComputing
[Kannan87] gramming,MathematicsofOperationResearch,Band12,Nr.3(August),Seiten RelatedLatticeProblems,Proceedingsofthe15thACMSymposiumonTheory
415{440. R.Kannan(1987):Minkowski'sConvexBodyTheoremandIntegerPro-
ofComputing,pp.193{206
[Karma84] [Khach79] M.Karmarkar(1984):AnewPolynomial-TimeAlgorithmforLinearProgramming,Combinatorica,Band4,Seiten373{395.
[Khach80] L.G.Khachiyan(1979):APolynomialAlgorithminLinearProgramming, L.G.Khachiyan(1980):PolynomialAlgorithmsinLinearProgramming, SovietMathmaticsDoklady,Band20,Seiten191{194. U.S.S.R.ComputationalMathematicsandMathematicalPhysics,Band20,Seiten
[KoZo1872] [Khin35] 53{72.
quaternaires,MathematischeAnnalen,Band5,Seiten366-389. A.KorkineundG.Zolotare(1872):Surlesformesquadratiquepositive A.Khintchine(1935):ContinuedFractions,Moscow-Leningrad
[KoZo1873] [KoZo1877] A.KorkineundG.Zolotare(1873):Surlesformesquadratique,MathematischeAnnalen,Band6,Seiten366{389.
[Knuth71] MathematischeAnnalen,Band11,Seiten242{292. D.E.Knuth(1971):TheArtofComputerProgramming,FundamentalAlgorithms,BandI,Addison-Wesley,Reading.
A.KorkineundG.Zolotare(1877):Surlesformesquadratiquepositive,
[Knuth80] D.E.Knuth(1980):TheArtofComputerProgramming,FundamentalAlgorithms,VolumeII,Addison-Wesley,Reading,MA.
[LARIFARI]M.Kaib,R.Mirwald,C.R"ossner,H.H.H"orner,H.Ritter(1994):Program-
[La1773] l'AcademieRoyaledesSciencesetBelles-Lettres,Berlin,Seiten265{312. J.L.Lagrange(1773):Recherchesd'arithmetique,NouveauxMemoiresde matikundInformatikderJohann-Wolfgang-Goethe-Universit"at,Frankfurt/Main. mieranleitungf"urLARIFARI|Version13.07.1994,FachbereicheMathe-
[Lang93] S.Lang(1993):Algebra,3.Auage,Addison-Wesley,Reading.

114 [LLS90] J.C.Lagarias,H.W.LenstraundC.P.Schnorr(1990):Korkin-ZolotarevBases andsuccessiveMinimaofaLatticeanditsreciprocallattice,Combinatorica,Band10,Seiten333{348.
BIBLIOGRAPHY
[LaOd85] [LLL82] Problems,JournalofACM,Band32,Nr.1,Seiten229{246. A.K.Lenstra,H.W.LenstraundL.Lovasz(1982):FactoringPolynomialswith J.C.LagariasundA.M.Odlyzko(1985):Solvinglow-densitySubsetSum
[Lenstra83] 534. H.W.Lenstra(1983):IntegerProgramminginaxedNumberofVariables, RationalCoecients,SpringerMathematischeAnnalen,Band261,Seiten515{
[Lovasz86] MathematicsofOperationResearch,Band8,Nr.4(November),Seiten538{548
[LoSc92] vexity,CBMS-NSFRegionalConferenceSeriesinAppliedMathematics,Band50, L.Lovasz(1986):AnalgorithmicTheoryofNumbers,GraphsandCon-
MathematicsofOperationResearch,Band17,Nr.3(August),Seiten751{764. L.LovaszundH.Scarf(1992):TheGeneralizedBasisReductionAlgorithm, SIAMPublications,Philadelphia.
[MaOd90] [Mink1896] J.E.MazoundA.M.Odlyzko(1990):LatticePointsinhigh-dimensional Sphere,MonatsheftMathematik,Band110,Seiten47{61.
[Mink1911] H.Minkowski(1896):GeometriederZahlen,ersteAuage,Teubner-Verlag,
[Mishra93] H.Minkowski(1911):GesammelteAbhandlungen,BandIundII,Teubner- B.Mishra(1993):AlgorithmicAlgebra,TextsandMonographsinComputer Verlag,Leipzig.
[Orton1994]G.Orton(1994):Amultiple-iteratedTrapdoorfordensecompactKnapsacks,AdvancesinCryptology|ProceedingsEuroCrypt'94,LectureNotesin
Science,Springer-Verlag,New-York.
[PaSchn87] ComputerScience,Band950(1995),Springer-Verlag,Berlin/Heidelberg,Seiten 112{130. A.PazundC.P.Schnorr(1987):ApproximatingIntegerLatticesbyLatticeswithcyclicFactorGroup,14.thInternationalColloquiumonAutomata,
[Rieger78] G.J.Rieger(1978):"uberdiemittlereSchrittzahlbeiDivisionsalgorithmen,MathematischeNachrichten,Band82,Seiten157{180.
267,Springer-Verlag,Berlin/Heidelberg,Seiten386{393. LanguagesandProgramming(ICALP),LectureNotesinComputerScience,Band
[Ritter96] ApplicationsofCryptography|PragoCrypt'96,CTUPublishingHouse,Prag, Seiten480{492. H.Ritter(1996):BreakingKnapsackCryptosystemsby`1-normEnumeration,Proceedingsofthe1.stInternationalConferenceontheTheoryand

BIBLIOGRAPHY [Ritter97] Dissertation,FachbereichMathematikderJohann-Wolfgang-Goethe-Universit"at, H.Ritter(1997):Aufz"ahlungkurzerGittervektoreninallgemeinerNorm, 115
[Rogers64] bridge. C.A.Rogers(1964):PackingandCovering,CambridgeUniversityPress,Cam-
Frankfurt/Main.
[Schnorr87] [Schnorr88] tionAlgorithms,TheoreticalComputerScience,Band53,Seiten201{224. C.P.Schnorr(1987):AHierarchyofpolynomialtimeLatticeBasisReduc-
[Schnorr91a]C.P.Schnorr(1991):GittertheorieundganzzahligeOptimierung,Skriptzur Vorlesung,Johann-Wolfgang-Goethe-Universit"at,Frankfurt/Main. tion,JournalofAlgorithms,Band9,Seiten47{62. C.P.Schnorr(1988):AmoreecientAlgorithmforLatticeBasisReduc-
[Schnorr91b]C.P.Schnorr(1991):FactoringIntegersandComputingDiscreteLoga-
[SchnEu91] ingsEuroCrypt'91,LectureNotesinComputerScience,Band547,Springer- Verlag,Berlin/Heidelberg,Seiten171{181. rithmsviaDiophantineApproximation,AdvancesinCryptology{Proceed-
Springer-Verlag,Berlin/Heidelberg,Seiten68{85. ofComputationTheory(FCT'91),LectureNotesinComputerScience,Band591, AlgorithmsandsolvingSubsetSumProblems,ProceedingsofFundamentals C.P.SchnorrundM.Euchner(1991):LatticeBasisReduction:improved
[Schnorr93] oreticalComputerScience,Band13,Seiten171{182. plexity,Ed.Jim-YiCai,AMSDIMACSSeriesinDiscreteMathematicsandThe-
rithmsviaDiophantineApproximation,AdvancesinComputationalCom-
C.P.Schnorr(1993):FactoringIntegersandComputingDiscreteLoga-
[Schnorr94b]C.P.Schnorr(1994):GittertheorieundKryptographie,Ausarbreitung, [Schnorr94a]C.P.Schnorr(1994):BlockReducedLatticeBasesandSuccessiveMinima, Johann-Wolfgang-Goethe-Universit"at,Frankfurt/Main. Combinatorics,ProbabilityandComputing,Band3,Seiten507{522.
[SchnHo95] tosystembyimprovedLatticeReduction,AdvancesinCryptology|Pro-
ceedingsEuroCrypt'95,LectureNotesinComputerScience,Band921,Springer- Verlag,Berlin/Heidelberg,Seiten1{12. C.P.SchnorrundH.H.H"orner(1995):AttackingtheChor-RivestCryp-
[Schrijver86]A.Schrijver(1986):TheoryofLinearandIntegerProgramming,Wiley- [Seysen93] InterscienceSeriesindiscreteMathematicsandOptimization,JohnWiley&Son Ltd. M.Seysen(1993):SimultaneousReductionofaLatticeanditsreciprocal Basis,Combinatorica,Band13,Seiten363{376.

116 [Shamir82] Cryptosystem,Proc.23rdAnnualSymposiumonFoundationsofComputerScience,1982,pp.145{152
A.Shamir,APolynomial-TimeAlgorithmforBreakingtheBasicMerkle-Hellman BIBLIOGRAPHY
[Siegel89] Berlin/Heidelberg. C.L.Siegel(1989):LecturesontheGeometryofNumbers,Springer-Verlag,
[SpStr76] [Smith1861]H.J.S.Smith(1861):OnSystemsoflinearindeterminateEquationsand E.SpeckerundV.Strassen(1976):Komplexit"atvonEntscheidungsproblemem,LectureNotesinComputerScience,Band43,Springer-Verlag,
151,Seiten293{326. Congruences,PhilosophicalTransactionoftheRoyalSocietyofLondon,Band
[Vetchin82] Berlin/Heidelberg.
[Watson66] N.M.Vetchinkin(1982):UniquenessofClassesofpositivequadraticForms onwhichValuesoftheHermiteConstantsareattainedfor6n8,
oftheCambrigdePhilosophicalSociety(MathematicalandPhysicalScience),Band G.L.Watson(1966):OntheMinimumofapositivQuadraticForminn (n8)Variables(VericationofBlichfeldt'sCalculations),Proceeedings ProceedingsoftheSteklovInstituteofMathematics,Nr.3,Seiten37{95.
[Ye91] 62,Seite719.
[Yao82] MathematicalProgramming,Band51,Seiten239{258. ofthe23rdIEEESymposiumonFoundationsofComputerScience Y.Ye(1991):PotentialReductionAlgorithmforLinearProgramming, A.Yao(1982):TheoryandApplicationsofTrapdoorFunctions,Proceedings