
What Is a Lattice?

Given $n$ linearly independent vectors $b_1, \dots, b_n \in \mathbb{R}^m$ ($n \le m$), the lattice generated by them is the set of vectors

$$L(b_1, \dots, b_n) = \left\{ \sum_{i=1}^{n} x_i b_i : x_i \in \mathbb{Z} \right\}$$

The vectors $b_1, \dots, b_n$ form a basis of the lattice.


Lattices and Codes
Shortest Vector and Minimum Distance, Closest Vector and
Maximum Likelihood Decoding, Unambiguous Decoding, List
Decoding and BDD, Deep Holes
Minkowski Convex Body Theorem
The shortest vector


▶ Hermite bound: $n \det(L)^{1/n}$ (uniform)
▶ On average has length $(1 + o(1)) \sqrt{\frac{n}{2e\pi}} \det(L)^{1/n}$ (Gauss Heuristic)
▶ Must have length less than $(1 + o(1)) \sqrt{\frac{2n}{e\pi}} \det(L)^{1/n}$. (The Minkowski Convex Body Theorem)
Lattice reduction at dimension 2

[Figure labels: $b_1^*$, $b_2^*$, $\mu_{2,1}$]
Closest Vector Problem

For one dimensional lattices, rounding works.


Closest Vector Problem–Dimension two
The LLL reduction

There is a polynomial time algorithm to find a vector $b_1$ in the lattice such that $|b_1| \le (2/\sqrt{3})^n \lambda_1$, where $\lambda_1$ denotes the length of the shortest vector.
LLL explained

$b_1 = b_1^*$

$b_2 = \mu_{2,1} b_1^* + b_2^*$

$b_3 = \mu_{3,1} b_1^* + \mu_{3,2} b_2^* + b_3^*$

$b_4 = \mu_{4,1} b_1^* + \mu_{4,2} b_2^* + \mu_{4,3} b_3^* + b_4^*$




Do
1. Calculate $b_i^*$
2. Apply integral linear operations so $|\mu_{i,j}| \le 1/2$
3. Swap if $\delta |b_i^*| > |\mu_{i+1,i} b_i^* + b_{i+1}^*|$
Until no swapping in the last step




It is $\delta$-LLL-reduced ($1/4 < \delta < 1$) if $|\mu_{i,j}| \le 1/2$ and

$\delta |b_1^*| \le |\mu_{2,1} b_1^* + b_2^*|$
$\delta |b_2^*| \le |\mu_{3,2} b_2^* + b_3^*|$
$\delta |b_3^*| \le |\mu_{4,3} b_3^* + b_4^*|$
···
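The Do/Until loop and the reducedness conditions above, as an added example that is not code from the original slides: exact-rational Python that applies the swap test in squared form so no square roots are needed. The function names, the default δ = 3/4 and the sample basis are assumptions of this example, and the input rows must be linearly independent integer vectors.

```python
from fractions import Fraction

def dot(u, v):
    return sum(x * y for x, y in zip(u, v))

def gram_schmidt(basis):
    """Step 1: exact b_i* and mu[i][j], so that b_i = b_i* + sum_j mu[i][j] b_j*."""
    B = [[Fraction(x) for x in row] for row in basis]
    Bs, mu = [], [[Fraction(0)] * len(B) for _ in B]
    for i, b in enumerate(B):
        v = list(b)
        for j in range(i):
            mu[i][j] = dot(b, Bs[j]) / dot(Bs[j], Bs[j])
            v = [x - mu[i][j] * y for x, y in zip(v, Bs[j])]
        Bs.append(v)
    return Bs, mu

def swap_needed(Bs, mu, i, delta):
    """Step 3 test delta|b_i*| > |mu_{i+1,i} b_i* + b_{i+1}*|, compared squared.
    The right side uses orthogonality of b_i* and b_{i+1}*."""
    n_i = dot(Bs[i], Bs[i])
    return delta ** 2 * n_i > mu[i + 1][i] ** 2 * n_i + dot(Bs[i + 1], Bs[i + 1])

def lll(basis, delta=Fraction(3, 4)):
    B = [list(row) for row in basis]
    while True:
        for i in range(1, len(B)):          # step 2: force |mu_ij| <= 1/2
            for j in range(i - 1, -1, -1):
                q = round(gram_schmidt(B)[1][i][j])
                B[i] = [x - q * y for x, y in zip(B[i], B[j])]
        Bs, mu = gram_schmidt(B)
        bad = [i for i in range(len(B) - 1) if swap_needed(Bs, mu, i, delta)]
        if not bad:                         # "until no swapping in the last step"
            return B
        B[bad[0]], B[bad[0] + 1] = B[bad[0] + 1], B[bad[0]]

def is_lll_reduced(basis, delta=Fraction(3, 4)):
    """Both conditions of the definition: size-reduced and no pair fails the test."""
    Bs, mu = gram_schmidt(basis)
    n = len(basis)
    sized = all(2 * abs(mu[i][j]) <= 1 for i in range(n) for j in range(i))
    return sized and not any(swap_needed(Bs, mu, i, delta) for i in range(n - 1))

# Constructed sample: a skewed basis of a rank-3 integer lattice.
SAMPLE = [[1, 1, 1], [-1, 0, 2], [3, 5, 6]]

if __name__ == "__main__":
    print(lll(SAMPLE), is_lll_reduced(lll(SAMPLE)))
```

Recomputing the Gram-Schmidt data after every operation keeps the code short and exact; production implementations update $\mu$ incrementally instead.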
More algorithms for SVP

▶ Can be found in $4^{n+o(1)}$ arithmetic operations deterministically (Micciancio-Voulgaris 2010),
▶ or random $2^{(1+\epsilon)n}$ time (Divesh Aggarwal, Daniel Dadush, Oded Regev, Noah Stephens-Davidowitz 2015).
▶ For approximation factor $2^k$, need time $2^{O(n/k)}$.
Complexity of approx-SVP

[Figure: approximation-factor axis marked $1$, $n^{O(1/\log\log n)}$, $\sqrt{n/\log n}$, $\mathrm{poly}(n)$, $\exp(n)$; regions labelled NP-hard, NP ∩ co-NP, conjecturally quantum hard, P]
