
ECCC TR96-007
FTP: ftp.eccc.uni-trier.de:/pub/eccc/
WWW: http://www.eccc.uni-trier.de/eccc/
Email: ftpmail@ftp.eccc.uni-trier.de with subject "help eccc"

Generating Hard Instances of Lattice Problems


Extended abstract
M. Ajtai
IBM Almaden Research Center
650 Harry Road, San Jose, CA, 95120
e-mail: ajtai@almaden.ibm.com
ABSTRACT. We give a random class of lattices in $Z^n$ so that, if there is a probabilistic polynomial time algorithm which finds a short vector in a random lattice with a probability of at least $1/2$ then there is also a probabilistic polynomial time algorithm which solves the following three lattice problems in every lattice in $Z^n$ with a probability exponentially close to one. (1) Find the length of a shortest nonzero vector in an $n$-dimensional lattice, approximately, up to a polynomial factor. (2) Find the shortest nonzero vector in an $n$-dimensional lattice $L$ where the shortest vector $v$ is unique in the sense that any other vector whose length is at most $n^c\|v\|$ is parallel to $v$, where $c$ is a sufficiently large absolute constant. (3) Find a basis $b_1,\ldots,b_n$ in the $n$-dimensional lattice $L$ whose length, defined as $\max_{i=1}^n \|b_i\|$, is the smallest possible up to a polynomial factor.
A large number of the existing techniques of cryptography include the generation of a specific instance of a problem in NP (together with a solution) which for some reason is thought to be difficult to solve. As an example we may think about factorization. Here a party of a cryptographic protocol is supposed to provide a composite number $m$ so that the factorization of $m$ is known to her but she has some serious reason to believe that nobody else will be able to factor $m$. The most compelling reason for such a belief would be a mathematical proof of the fact that the prime factors of $m$ cannot be found in less than $k$ steps in some realistic model of computation, where $k$ is a very large number. For the moment we do not have any proof of this type, neither for specific numerical values of $m$ and $k$, nor in some asymptotic sense.
In spite of the lack of mathematical proofs, in two cases at least, we may expect that a problem will be difficult to solve. One is the class of NP-complete problems. Here we may say that if there is a problem at all which is difficult to solve, then an NP-complete problem will provide such an example. The other case is, if the problem is a very famous question (e.g. prime factorization), which for a long time has been unsuccessfully attacked by the most able scientists. In both cases it is reasonable to expect that the problem is difficult to solve. Unfortunately the expression "difficult to solve" means difficult to solve in the worst case. If our task is to provide a specific instance of the problem, these general principles do not provide any guidance about how to create one.
It has been realized a long time ago that a possible solution would be to find a set of randomly generated problems and show that if there is an algorithm which finds a solution of a random instance with a positive probability, then there is also an algorithm which solves one of the famous unsolved problems in the worst case. (It does not really matter whether this "positive probability" is $1/2$, $\epsilon$ or $n^{-c}$, because taking many instances of the problem and asking for a solution for each of them, we may create a new problem so that even if it can be solved with an exponentially small positive probability then the "famous" worst case problem can be solved with a probability exponentially close to one.)
In this paper we give such a class of random problems. In fact we give a random problem: find a short vector in a certain class of random lattices (whose elements can be generated together with a short vector in them), whose solution in the mentioned sense would imply the solution of a group of related "famous" problems in the worst case. We mention here three of these worst-case problems:
(P1) Find the length of a shortest nonzero vector in an $n$-dimensional lattice, approximately, up to a polynomial factor.
(P2) Find the shortest nonzero vector in an $n$-dimensional lattice $L$ where the shortest vector $v$ is unique in the sense that any other vector whose length is at most $n^c\|v\|$ is parallel to $v$, where $c$ is a sufficiently large absolute constant.
(P3) Find a basis $b_1,\ldots,b_n$ in the $n$-dimensional lattice $L$ whose length, defined as $\max_{i=1}^n \|b_i\|$, is the smallest possible up to a polynomial factor.
Remarks. 1. (P2) can be given in a more general form. If a lattice $L \subseteq Z^n$ is given, then find all sublattices $L' = V \cap L$ (by giving a basis in them), where $V$ is a $d$-dimensional subspace of $Z^n$ so that $\min\{d, n-d\}$ is smaller than a constant and $V \cap L$ has a basis $v_1,\ldots,v_d$ so that for all $w \in L \setminus V$, $n^{c_d}\max_{i=1}^d \|v_i\| \le \|w\|$, where $c_d > 0$ is sufficiently large with respect to $d$, but does not depend on anything else.
2. The random problem can also be formulated as a linear simultaneous Diophantine approximation problem.
3. Although (P1) is not in NP (we are not able to check whether our estimate is good), still, our algorithm will give a one-sided certificate. Namely we may get a certificate which shows that there is no shorter vector than the lower bound in our estimate. (This certificate will be a basis with small length in the dual lattice.) In problem (P3) we get an estimate on the minimal basis length of the lattice. Since we get it together with a basis, we have a certificate for the upper bound. We get no certificate on the lower bound.
4. There are problems, e.g. find the discrete logarithm of a number modulo $p$ or decide whether a number is a quadratic residue modulo $m = pq$, where it is known that for any fixed choice of $p$ resp. $m$ the worst case problem can be easily reduced to the average case problem. For the choice of $p$ resp. $m$ however, there is no known method which would guarantee that we get a problem as hard as the worst case.
Notation. $R$ is the field of real numbers, $Z$ is the ring of integers, $R^n$ is the Euclidean space of $n$-dimensional real vectors with the usual Euclidean norm $\|a\|$. $Z^n$ is the set of vectors in $R^n$ with integer coordinates.
Definitions. 1. If $a_1,\ldots,a_n$ are linearly independent vectors in $R^n$, then we say that the set $\{\sum_{i=1}^n k_i a_i \mid k_1,\ldots,k_n \text{ are integers}\}$ is a lattice in $R^n$. We will denote this lattice by $L(a_1,\ldots,a_n)$. The set $a_1,\ldots,a_n$ is called a basis of the lattice. The determinant of a lattice $L$ will be the absolute value of the determinant whose rows are the vectors $a_1,\ldots,a_n$. $sh(L)$ will be the length of a shortest nonzero vector in $L$, and $bl(L)$ the length of the shortest basis as defined in (P3).
Historical remarks. We give here only a few facts to show that the mentioned lattice problems are sufficiently "famous" for our purposes. The question of finding a short vector in a lattice was already formulated by Dirichlet in 1842 in the form of simultaneous Diophantine approximation problems. Although the lattices where these Diophantine problems can be formulated in terms of finding a short vector or estimating the length of a short vector form only a special class of lattices in $R^n$, the random class that we will define later is an element of this special class. Moreover Dirichlet's theorem about the existence of a good approximation, as we will see, is very relevant to our topic. His theorem is actually an upper bound on $sh(L)$. His proof is non-constructive.
Minkowski's theorem about convex, centrally symmetric bodies (published in 1896) is also an estimate about the length of the shortest non-zero vector (with respect to a norm defined by the convex body). In the case of the Euclidean norm, when the convex body is a sphere, it gives the upper bound $sh(L) \le c\, n^{1/2} (\det L)^{1/n}$ where $\det L$ is the determinant of the lattice. This inequality and its consequences play an important role in our proof. Minkowski's proof is also nonconstructive. Minkowski's theory of successive minima formulates (as the two extreme cases) the problem of finding the length of a shortest vector and the length of the shortest basis (in the sense given in our problems).
A.K. Lenstra, H.W. Lenstra and L. Lovász gave a deterministic polynomial time algorithm (the basis reduction or $L^3$ algorithm) which finds a vector in each lattice $L \subseteq R^n$ whose length is at most $2^{(n-1)/2} sh(L)$. C.P. Schnorr proved that the factor $2^{(n-1)/2}$ can be replaced by $(1+\epsilon)^n$ for any fixed $\epsilon > 0$. These algorithms naturally give an estimate on $sh(L)$ up to a factor of $2^{(n-1)/2}$ resp. $(1+\epsilon)^n$. The $L^3$ algorithm was used in successful attacks on different knapsack cryptosystems. (Cf. Adleman [Ad], Lagarias and Odlyzko [LaOd], Brickell [Br].) Lattices where the shortest vector is unique in a sense similar to that of (P2) play an important role (see [LaOd]). (The polynomial factor of (P2) is substituted by an exponential one.)
The definition of the random class. Since a lattice is an infinite set we have to fix a finite representation of the lattices in the random class, that can serve as an input for our algorithm. The lattices of the random class will consist of vectors with integer coordinates. Moreover these lattices will be defined modulo $q$ (where $q$ will be an integer depending only on $n$), in the sense that if two vectors are congruent modulo $q$ then either both of them or neither of them belong to the lattice. Finally the lattices of the random class will be defined as the set of all sequences of integers of length $m$ ($m$ will depend only on $n$) which are orthogonal to a given sequence of vectors $u_1,\ldots,u_m \in Z^n$ modulo $q$. More precisely if $\sigma = \langle u_1,\ldots,u_m\rangle$ where $u_i \in Z^n$ then let $\Lambda(\sigma,q)$ be the lattice of all sequences of integers $\langle h_1,\ldots,h_m\rangle$ so that $\sum_{i=1}^m h_i u_i \equiv 0 \pmod q$, where the mod $q$ congruence of two vectors means that all of their coordinates are congruent. Every lattice in our random class will be of the form $\Lambda(\sigma,q)$ for some $\sigma$ and for a single fixed $q$ (depending only on $n$).
Our definition of the random class will depend on the choice of two absolute constants $c_1$ and $c_2$. If $n$ is given let $m = [c_1 n \log n]$ and $q = [n^{c_2}]$. For each $n$ we will give a single random variable $\lambda$ so that $\Lambda = \Lambda(\lambda,q)$ is a lattice with dimension $m$. (The existence of a polynomial time algorithm which finds a short vector in $\Lambda$ will imply the existence of such an algorithm which solves the mentioned problems in every lattice $L \subseteq R^n$.)
First we define an "idealized" version $\lambda'$ of $\lambda$, which we can define in a simpler way. The disadvantage of $\lambda'$ is that we do not know how to generate $\lambda'$ together with a short vector in $\Lambda(\lambda',q)$. Then we define $\lambda$ (in a somewhat more complicated way) so that we can generate it together with a short vector in $\Lambda(\lambda,q)$ and we will also have that $P(\lambda \ne \lambda')$ is exponentially small. This last inequality implies that if we prove our theorem for $\Lambda(\lambda',q)$ then it will automatically hold for $\Lambda(\lambda,q)$ too.
Let $\lambda' = \langle v_1,\ldots,v_m\rangle$ where $v_1,\ldots,v_m$ are chosen independently and with uniform distribution from the set of all vectors $\langle x_1,\ldots,x_n\rangle$ where $x_1,\ldots,x_n$ are integers and $0 \le x_i < q$. To find a short vector in the lattice $\Lambda(\lambda',q)$ is equivalent to finding a solution for a linear simultaneous Diophantine approximation problem. Dirichlet's theorem implies that if $c_1$ is sufficiently large with respect to $c_2$ then there is always a vector shorter than $n$. (The proof of Dirichlet's theorem is not constructive, it is based on the Pigeonhole Principle applied to a set of exponential size.)
Definition of $\lambda$. We randomize the vectors $v_1,\ldots,v_{m-1}$ independently and with uniform distribution on the set of all vectors $\langle x_1,\ldots,x_n\rangle \in Z^n$ with $0 \le x_i < q$. Independently of this randomization we also randomize a $0,1$-sequence $\delta_1,\ldots,\delta_{m-1}$ where the numbers $\delta_i$ are chosen independently and with uniform distribution from $\{0,1\}$. We define $v_m$ by $v_m \equiv -\sum_{i=1}^{m-1} \delta_i v_i \pmod q$ with the additional constraint that every component of $v_m$ is an integer in the interval $[0, q-1]$. Let $\lambda = \langle v_1,\ldots,v_m\rangle$. (If we want to emphasize the dependence of $\lambda$ on $n$, $c_1$, $c_2$ then we will write $\lambda_{n,c_1,c_2}$.)
We prove that the distribution of $\lambda$ is exponentially close to the uniform distribution in the sense that $\sum_{a \in A} |P(\lambda = a) - |A|^{-1}| \le 2^{-cn}$, where $A$ is the set of possible values of $\lambda$. This will imply that the random variable $\lambda'$ with the given distribution can be chosen in a way that $P(\lambda' \ne \lambda)$ is exponentially small.
With this definition our theorem will be formulated in the following way: "if there is an algorithm which finds a short vector in $\Lambda(\lambda,q)$ given $\lambda$ as an input, then etc." That is, we allow the algorithm whose existence is assumed in the theorem to use $\lambda$.
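The random class just defined, as an added example (my own code, not from the paper): it samples the idealized $\lambda'$ and the trapdoored $\lambda$ for toy parameters, tests membership in $\Lambda(\sigma,q)$ through the mod-$q$ syndrome $\sum_i h_i u_i$, and checks that the planted vector $h = (\delta_1,\ldots,\delta_{m-1},1)$ lies in $\Lambda(\lambda,q)$ with $\|h\| \le \sqrt{m} \le n$. The constants $c_1 = c_2 = 2$, the base-2 logarithm in $m = [c_1 n \log n]$, the seed and all function names are my assumptions; the paper leaves the absolute constants unspecified.

```python
import math
import random
from typing import List, Sequence, Tuple

Vector = Tuple[int, ...]


def ajtai_parameters(n: int, c1: float, c2: float) -> Tuple[int, int]:
    """m = [c1 n log n] and q = [n^c2]; the base-2 log is an assumption (the text fixes none)."""
    m = int(c1 * n * math.log2(n))
    q = int(n ** c2)
    return m, q


def syndrome(sigma: Sequence[Vector], q: int, h: Sequence[int]) -> Vector:
    """Return sum_i h_i u_i reduced coordinate-wise mod q.

    h lies in Lambda(sigma, q) exactly when this is the zero vector."""
    if len(h) != len(sigma):
        raise ValueError("h must have one coefficient per vector in sigma")
    n = len(sigma[0])
    return tuple(sum(hi * u[j] for hi, u in zip(h, sigma)) % q for j in range(n))


def in_lattice(sigma: Sequence[Vector], q: int, h: Sequence[int]) -> bool:
    return not any(syndrome(sigma, q, h))


def sample_idealized(n: int, m: int, q: int, rng: random.Random) -> List[Vector]:
    """lambda': m independent uniform vectors from {0,...,q-1}^n.

    Dirichlet's theorem guarantees a vector of length < n in Lambda(lambda', q)
    for suitable c1, c2, but this sampler gives no way to find one."""
    return [tuple(rng.randrange(q) for _ in range(n)) for _ in range(m)]


def sample_with_short_vector(n: int, m: int, q: int,
                             rng: random.Random) -> Tuple[List[Vector], Vector]:
    """lambda: v_1..v_{m-1} uniform, delta_i uniform in {0,1},
    v_m = -sum delta_i v_i mod q with every component in [0, q-1].

    Returns (lambda, h) with h = (delta_1, ..., delta_{m-1}, 1): then
    sum h_i v_i = sum delta_i v_i + v_m = 0 mod q, so h is in Lambda(lambda, q),
    and ||h||^2 = 1 + sum delta_i <= m."""
    vs = sample_idealized(n, m - 1, q, rng)
    delta = [rng.randrange(2) for _ in range(m - 1)]
    v_m = tuple((-sum(d * v[j] for d, v in zip(delta, vs))) % q for j in range(n))
    return vs + [v_m], tuple(delta + [1])


def euclidean_norm(h: Sequence[int]) -> float:
    return math.sqrt(sum(x * x for x in h))


def demo(n: int = 8, c1: float = 2.0, c2: float = 2.0, seed: int = 1) -> dict:
    """Generate one trapdoored instance and report the checks made in the text:
    membership of the planted vector and the length bound ||h|| <= n."""
    rng = random.Random(seed)
    m, q = ajtai_parameters(n, c1, c2)
    lam, h = sample_with_short_vector(n, m, q, rng)
    norm = euclidean_norm(h)
    # Lambda(sigma, q) contains q Z^m: q*e_1 has syndrome 0 for every sigma.
    q_times_e1 = (q,) + (0,) * (m - 1)
    return {
        "m": m,
        "q": q,
        "planted_in_lattice": in_lattice(lam, q, h),
        "planted_norm": norm,
        "norm_within_bound": norm <= n,
        "q_e1_in_lattice": in_lattice(lam, q, q_times_e1),
    }


if __name__ == "__main__":
    print(demo())
```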
The representation of the lattice vectors. To give an exact formulation of our results we have to fix some representation of the lattice vectors in problems (P1), (P2), (P3). As we have seen already, the vectors in the random lattice $\Lambda$ have integer coordinates, that is, they are in $Z^m$. We will formulate problems (P1), (P2), (P3) in terms of vectors in $Z^n$ as well. (Another possible approach would be to have lattice vectors in $R^n$ given by oracles. In that case it is natural (and possible) to give the random class in terms of vectors whose components are random real numbers. The modulo $q$ arithmetic can be substituted by arithmetic modulo $1$.) The simplest approach is to assume that the lattices in $Z^n$ are presented with a basis where each coordinate of each vector is an integer given by a polynomial (in $n$) number of bits. However our results remain valid even if the numbers are longer. Naturally in this case the input size is not $n$ (the dimension of the lattice) but the total number of bits in the presentation of the lattice, so our algorithm will be polynomial in this number.
Definitions. 1. If $v$ is a shortest nonzero vector in the lattice $L \subseteq R^n$, and $\alpha > 1$, we say that $v$ is $\alpha$-unique if for any $w \in L$, $\|w\| \le \alpha\|v\|$ implies that $v$ and $w$ are parallel.
2. If $k$ is an integer then $size(k)$ will denote the number of bits in the binary representation of $k$ ($size(0) = 1$). If $v = \langle x_1,\ldots,x_n\rangle \in Z^n$ then $size(v) = \sum_{i=1}^n size(x_i)$. Our definition implies that for all $v \in Z^n$, $size(v) \ge n$.
Theorem 1. There are absolute constants $c_1, c_2, c_3$ so that the following holds. Suppose that there is a probabilistic polynomial time algorithm $A$ which, given a value of the random variable $\lambda_{n,c_1,c_2}$ as an input, with a probability of at least $1/2$ outputs a vector of $\Lambda(\lambda_{n,c_1,c_2}, [n^{c_2}])$ of length at most $n$. Then there is a probabilistic algorithm $B$ with the following properties. If the linearly independent vectors $a_1,\ldots,a_n \in Z^n$ are given as an input, then $B$, in time polynomial in $\sum_{i=1}^n size(a_i)$, gives the outputs $z$, $u$, $\langle d_1,\ldots,d_n\rangle$ so that, with a probability greater than $1 - 2^{-\sum_{i=1}^n size(a_i)}$, the following three requirements are met:
(1.1) if $v$ is a shortest non-zero vector in $L(a_1,\ldots,a_n)$ then $z \le \|v\| \le n^{c_3} z$,
(1.2) if $v$ is an $n^{c_3}$-unique shortest nonzero vector in $L(a_1,\ldots,a_n)$ then $u = v$ or $u = -v$,
(1.3) $d_1,\ldots,d_n$ is a basis with $\max_{i=1}^n \|d_i\| \le n^{c_3} bl(L)$.
Remarks. 1. The probability $1/2$ in the assumption about $A$ can be replaced by $n^{-c}$. This will increase the running time of $B$ by a factor of at most $n^{c}$ but does not affect the constants $c_1, c_2$ and $c_3$.
2. If we assume that $A$ produces a vector of length at most $n^{c_0}$ for some $c_0 > 1$ then the theorem remains true but $c_1, c_2$ and $c_3$ will depend on $c_0$.
Sketch of the proof. (We give a detailed proof in the attached appendix.) We show first that there is an algorithm $B$ so that (1.3) holds. By (1.3) we have an estimate $H$ on the minimal basis length up to a polynomial factor. It is a consequence of Minkowski's upper bound on $sh(L)$ that $H^{-1}$ is an estimate (up to a polynomial factor) on $sh(L^*)$, where $L^*$ is the dual lattice of $L \subseteq R^n$. (The dual lattice is the lattice of all linear functionals on $R^n$ that take integer values on every vector of $L$. Each element of $L^*$ is identified, in the natural way, with an element of the Euclidean space $R^n$.) Therefore by estimating the minimal basis length of $L^*$ we also get an estimate on $sh((L^*)^*) = sh(L)$.
We will construct an algorithm which produces the output with property (1.2) by using an algorithm which satisfies (1.3). In this step we will not use the assumption about our random class directly. Therefore, the critical part of the proof is the proof of (1.3).
First we note that it is easy to see that from a set of $n$ linearly independent vectors $r_1,\ldots,r_n \in L$ we can construct in polynomial time a basis $s_1,\ldots,s_n$ of $L$ so that $\max_{i=1}^n \|s_i\| \le n \max_{i=1}^n \|r_i\|$. Therefore it is enough to construct a set of linearly independent elements of $L$ so that each of them is shorter than $n^{c_3-1} bl(L)$.
Assume now that we have a lattice $L \subseteq Z^n$ and assume that we have a set of linearly independent elements $a_1,\ldots,a_n \in L$ so that $\max_{i=1}^n \|a_i\| = M$. If $M \le n^{c_3-1} bl(L)$ then we have already found a basis with the required properties. Assume that $M > n^{c_3-1} bl(L)$. We will construct another set of linearly independent elements $b_1,\ldots,b_n \in L$ so that $\max_{i=1}^n \|b_i\| \le M/2$. Iterating this procedure we find a linearly independent set of elements $d'_1,\ldots,d'_n$ with $\max_{i=1}^n \|d'_i\| \le n^{c_3-1} bl(L)$ in less than $\log_2 M + 2$ steps.
Starting from the set $a_1,\ldots,a_n$, we construct a set of linearly independent elements $f_1,\ldots,f_n$ in $L$ so that $\max_{i=1}^n \|f_i\| \le n^3 M$ and the parallelepiped $W = P(f_1,\ldots,f_n)$ defined by the vectors $f_1,\ldots,f_n$ is very close to a cube. Closeness will mean that the distance of each vertex of $P(f_1,\ldots,f_n)$ from the vertices of a fixed cube will be at most $nM$ and as a consequence the volume, the width and the surface area of $W$ will be about the same as that of a cube of similar size. This will imply that if we cover the space with the cells of the lattice determined by a short basis, then most of the cells intersecting $W$ will be completely in its interior. (The number of exceptional cells is polynomially small compared to the total.) As a consequence we get that all of the parallelepipeds $u + W$, where $u$ is an arbitrary element of $R^n$, have about the same number of lattice points. The error again will be a polynomially small fraction of the total. These remain true even if we consider all of the parallelepipeds $u + \frac{1}{q} W$ where $q = [n^{c_2}]$ and $c_3$ is sufficiently large with respect to $c_2$. This fact will ensure that if we pick a lattice point at random from a set $D$ of almost disjoint parallelepipeds of type $u + \frac{1}{q} W$, then the distribution induced on $D$ is very close to the uniform distribution. (We will consider two parallelepipeds almost disjoint if their interiors are disjoint.)
Now we cut $W$ into $q^n$ small parallelepipeds each of the form $(\sum_{i=1}^n \frac{t_i}{q} f_i) + \frac{1}{q} W$, where $0 \le t_i < q$, $i = 1,\ldots,n$, is a sequence of integers. We take a random sequence of lattice points $\xi_1,\ldots,\xi_m$, $m = [c_1 n \log n]$, from the parallelepiped $W = P(f_1,\ldots,f_n)$ independently and with (almost) uniform distribution. (Such a random sequence can be generated in the following way. Let $b_1,\ldots,b_n$ be a basis. We take random sums $s = \sum_{i=1}^n \beta_i b_i$ with random integer coefficients $\beta_i \in [0,T]$, where $T$ is a very large integer, and then we reduce $s$ into a point in $W$ modulo $(f_1,\ldots,f_n)$.)
Assume that $\xi_j \in (\sum_{i=1}^n \frac{t_i^{(j)}}{q} f_i) + \frac{1}{q} W$. Let $v_j = \langle t_1^{(j)},\ldots,t_n^{(j)}\rangle$. We will consider the sequence $v_1,\ldots,v_m$ as a value of the random variable $\lambda$. (The distribution of $v_1,\ldots,v_m$ is not identical to that of $\lambda$, still we will prove that it is so close to it that this identification does not change our conclusions.) Applying algorithm $A$ to the input $v_1,\ldots,v_n$ we get a vector $\langle h_1,\ldots,h_m\rangle \in Z^n$ so that with a probability of at least $1/2$ its length is at most $n$ and $\sum_{j=1}^n h_j v_j = 0$. We claim that with a positive probability $u = \sum_{j=1}^n h_j \xi_j \ne 0$ and $\|u\| \le M/2$. Indeed if $\zeta_j = \sum_{i=1}^n \frac{t_i^{(j)}}{q} f_i$ then
$u = \sum h_j \xi_j = (\sum_{j=1}^n h_j(\xi_j - \zeta_j)) + (\sum_{j=1}^n h_j \zeta_j)$.
$\sum_{j=1}^n h_j v_j = 0$ implies that the second term is $0$. We may get an estimate on the first term using that $|\sum_{j=1}^n h_j^2| \le n$, and since $\xi_j$ and $\zeta_j$ are in the same parallelepiped $\zeta_j + \frac{1}{q} W$ we have that $\|\xi_j - \zeta_j\| < n \cdot n^3 M \cdot \frac{1}{q} \le n^4 n^{-c_3} M$. Therefore we get $\|u\| \le n^4 n^{-c_3} M n^2 = n^{6-c_3} M$; if $c_3 \ge 7$ this implies that $\|u\| \le M/2$.
We prove that $u \ne 0$ with a positive probability by performing the randomization of the vectors $\xi_j$ in a different way. First we randomize the sequence of vectors $v_1,\ldots,v_m$. This will uniquely determine both the numbers $h_1,\ldots,h_m$ and the vectors $\zeta_j$. Now we have to randomize the vectors $\xi_j - \zeta_j$. Assume that we have randomized them for $j = 1,\ldots,m-1$, and assume that $h_m \ne 0$. The distribution of $\xi_j - \zeta_j$ is almost uniform in $\frac{1}{q} W$. Since $u - (\xi_m - \zeta_m) = \zeta_m + \sum_{j=1}^{m-1} h_j \xi_j$ is already fixed, we get that with high probability $u$ is not $0$. By the same argument we also get that with high probability $u$ is not in any fixed hyperplane. Therefore if we are getting many (say $n^2$) independent values of $u$ then with high probability there will be $n$ linearly independent among them and so we have constructed $n$ linearly independent elements in $L$ each of length at most $M/2$.
(1.3) $\to$ (1.2). Let $L' = L^*$ be the dual lattice of $L$. We show that if $L$ has an $n^{c_3}$-unique shortest vector then $L'$ has an $(n-1)$-dimensional sublattice $L_0 = L' \cap F$, where $F$ is an $(n-1)$-dimensional subspace, so that the distances between the cosets of $F$ intersecting $L'$ are at least $n^c bl(L_0)$. We prove that it is possible to compute a basis of $L_0$, and using that, a shortest vector $v$ in $L$. ($v$ will be orthogonal to $L_0$.)
Although we give a deterministic algorithm for finding $L_0$ (using the algorithm of (1.3) as a black box), it is easier to sketch the idea of a probabilistic one. Assume that we take points of $L'$ at random from a parallelepiped whose center is $0$ and whose diameter is at most $n^{c'} bl(L')$, where $c'$ is large with respect to $c$. (An inductive argument shows that we are able to construct such a parallelepiped.) If we take enough, but still a polynomial number, of random points then at least two of them will be in the same coset of $L_0$. With high probability they will be distinct. Therefore taking all of the differences of the random lattice points we get, among them, a non-zero lattice vector $u_1$ in $L_0 = L' \cap F$. The most important part of this proof is to show that we are able to decide whether a vector is in $L_0$, that is, we are able to select the vector $u_1$ from the set of differences. If this can be done, then by repeating this procedure many times we will get a sequence $u_1,\ldots,u_{2n}$. The independence of the vectors $u_i$ implies that there will be $n$ linearly independent among them.
To decide whether $u$ is in $L_0$ we consider the lattice $L_1$ generated by the vectors of $L'$ and the vector $\frac{1}{t} u$, where $t \le n^c$ is a prime number. (It is easy to see that this is indeed a lattice.) Using (1.3) we estimate $bl(L')$ and $bl(L_1)$. If the estimates do not differ more than allowed by the error, then $u$ is in $L_0$. If the estimate decreases more than that, then $u \notin L_0$. This follows from the fact that in the case of $u \in L_0$, $L_1$ will be covered by the cosets of $F$ intersecting $L'$, and so $bl(L_1)$ will be at least the distance of these cosets. In the case $u \notin L_0$ there will be new cosets of $F$ which intersect $L_1$ but not $L'$. Between two consecutive cosets intersecting $L'$ there will be $t-1$ intersecting only $L_1$. We get a short basis of $L_1$ from a short basis of $L_0$ and a lattice vector of minimal length connecting two consecutive cosets of $F$ intersecting $L_1$.
REFERENCES
[Ad] L. Adleman, "On breaking the iterated Merkle-Hellman public key cryptosystem", in: Advances in Cryptology, Proceedings of CRYPTO 82, Plenum Press, New York, 1983, 303-308.
[Br] E.F. Brickell, "Breaking iterated knapsacks", in: Advances in Cryptology, Proceedings of CRYPTO 84, Springer, Berlin, 1985.
[LaOd] J.C. Lagarias, A.M. Odlyzko, "Solving low-density subset sum problems", Journal of the Association for Computing Machinery 32 (1985) 229-246.
[LGS] M. Grötschel, L. Lovász, A. Schrijver, "Geometric Algorithms and Combinatorial Optimization", Springer, Algorithms and Combinatorics, 1988.
[LG] P.M. Gruber, C.G. Lekkerkerker, "Geometry of Numbers", North-Holland, 1987.
[LLL] A.K. Lenstra, H.W. Lenstra, L. Lovász, "Factoring polynomials with rational coefficients", Math. Ann. 261 (1982) 515-534.

APPENDIX
Generating Hard Instances of Lattice Problems
M. Ajtai
IBM Almaden Research Center
650 Harry Road, San Jose, CA, 95120
e-mail: ajtai@almaden.ibm.com
We give here the proof of the theorem formulated in the abstract in a detailed but preliminary form. We will prove the theorem for the random variable $\lambda'$ instead of $\lambda$. As we will show, the corollary of Lemma 1 implies that $P(\lambda = \lambda') \ge 1 - 2^{-cn}$ for some absolute constant $c$; therefore if we have an algorithm which solves the random problem defined by $\lambda$ with probability $p$ then we also have an algorithm which solves the problem defined by $\lambda'$ with probability $p - 2^{-cn}$. (Although we formulate our theorem for $p = 1/2$ the proof is actually the same for any $p \in [n^{-c'}, 1 - n^{-c'}]$.) We formulate the statement of the theorem again in Lemmata 11, 12, 14 with a slight notational difference.
Notation. $R$ is the field of real numbers, $Z$ is the ring of integers, $R^n$ is the Euclidean space of $n$-dimensional real vectors with the inner product $a \cdot b$ and the Euclidean norm $\|a\| = (a \cdot a)^{1/2}$. $Z^n$ is the set of vectors in $R^n$ with integer coordinates; we will frequently consider it as a $Z$-module.
Definitions. 1. If $a_1,\ldots,a_n$ are linearly independent vectors in an $n$-dimensional Euclidean space $E$, then we say that the set $\{\sum_{i=1}^n k_i a_i \mid k_1,\ldots,k_n \text{ are integers}\}$ is a lattice in $E$. We will denote this lattice by $L(a_1,\ldots,a_n)$. The set $a_1,\ldots,a_n$ is called a basis of the lattice. The determinant of a lattice $L$, $\det L$, will be the absolute value of the determinant whose rows are the coordinates of the vectors $a_1,\ldots,a_n$ in some orthonormal basis of $E$.
2. If $k$ is an integer then $size(k)$ will denote the number of bits in the binary representation of $k$ ($size(0) = 1$). If $v = \langle x_1,\ldots,x_n\rangle \in Z^n$ then $size(v) = \sum_{i=1}^n size(x_i)$. Our definition implies that for all $v \in Z^n$, $size(v) \ge n$.
Some of the technical lemmata of the proof are probably known, but we have not yet located an appropriate reference. We give the complete proof for these statements. (Lemmata 1, 2, 4, 8, 9, 10 belong to this category.)
The following lemma and its corollary imply that if $\lambda'$ is the random variable defined in the abstract, then for a suitable choice of $\lambda$ (with the distribution defined there) we have $P(\lambda_{n,c_1,c_2} = \lambda'_{n,c_1,c_2}) \ge 1 - 2^{-cn}$ where $c > 0$ depends only on $c_1$ and $c_2$.
Lemma 1. There exists a $c > 0$ so that if $A$ is a finite Abelian group with $n$ elements and $k$ is a positive integer and $b = \langle b_1,\ldots,b_k\rangle$ is a sequence of length $k$ whose elements are chosen independently and with uniform distribution from $A$, then with a probability of at least $1 - 2^{-ck}$ the following holds:
Assume that $b$ is fixed and we randomize a $0,1$-sequence $\delta_1,\ldots,\delta_k$, where the numbers $\delta_i$ are chosen independently and with uniform distribution from $\{0,1\}$. For each $a \in A$ let $p_a = P(a = \sum_{i=1}^k \delta_i b_i)$. Then
(a) $\sum_{a \in A} (p_a - |A|^{-1})^2 \le 2^{-2ck}$ and
(b) $\sum_{a \in A} |p_a - |A|^{-1}| \le |A|^{1/2}\, 2^{-ck}$.
Corollary. There is a $c' > 0$ so that the following holds. Suppose that $b_1,\ldots,b_k, \delta_1,\ldots,\delta_k$ are mutually independent random variables with the distributions given in the lemma. Then there is a random variable $\xi$ with uniform distribution on $A$ so that the random variables $b_1,\ldots,b_k, \xi$ are mutually independent and $P(\xi = \sum_{i=1}^k \delta_i b_i) \ge 1 - |A|^{1/2}\, 2^{-c'k}$.
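To see the quantities of Lemma 1 concretely, here is an added example (my own code, not the paper's) that computes the exact distribution of $\sum_{r \le i} \delta_r b_r$ over the small group $A = Z_5^2$ for a constructed sequence $b$, records $H(i) = \sum_{a \in A}(p_a - |A|^{-1})^2$ as in the proof of Lemma 1, and checks that the step from $i$ to $i+1$ is the averaging $(f(a) + f(a-b))/2$ of Lemma 2, so $H$ never increases and the $\ell_1$ distance of (b) is bounded through Cauchy-Schwarz by $|A|^{1/2} H^{1/2}$. The group size, the sequence `SAMPLE_B` and the function names are my constructed choices.

```python
from itertools import product
from typing import Dict, List, Sequence, Tuple

Elem = Tuple[int, ...]


def group_elements(q: int, n: int) -> List[Elem]:
    """All elements of A = Z_q^n, written additively (coordinate-wise mod q)."""
    return [tuple(e) for e in product(range(q), repeat=n)]


def add(a: Elem, b: Elem, q: int) -> Elem:
    return tuple((x + y) % q for x, y in zip(a, b))


def subset_sum_distributions(bs: Sequence[Elem], q: int, n: int) -> List[Dict[Elem, float]]:
    """dist[i][a] = P(a = sum_{r<=i} delta_r b_r) for i = 0..k, delta_r uniform in {0,1}.

    The step i -> i+1 is exactly the averaging of Lemma 2: the new mass at a is
    (old(a) + old(a - b_{i+1})) / 2, since delta_{i+1} is 0 or 1 with probability 1/2."""
    A = group_elements(q, n)
    zero = tuple([0] * n)
    dist = {a: 0.0 for a in A}
    dist[zero] = 1.0                      # empty sum: all mass on the identity
    out = [dist]
    for b in bs:
        neg_b = tuple((-x) % q for x in b)
        nxt = {a: (dist[a] + dist[add(a, neg_b, q)]) / 2 for a in A}
        out.append(nxt)
        dist = nxt
    return out


def l2_distance_sq(dist: Dict[Elem, float]) -> float:
    """H(i) = sum_a (p_a - 1/|A|)^2, the quantity driven down in the proof of Lemma 1."""
    u = 1.0 / len(dist)
    return sum((p - u) ** 2 for p in dist.values())


def l1_distance(dist: Dict[Elem, float]) -> float:
    """sum_a |p_a - 1/|A||, i.e. the left side of Lemma 1 (b)."""
    u = 1.0 / len(dist)
    return sum(abs(p - u) for p in dist.values())


# Constructed sample: k = 10 fixed elements of A = Z_5^2 (not random, so the run is reproducible).
Q, N = 5, 2
SAMPLE_B: List[Elem] = [(1, 0), (0, 1), (2, 3), (4, 4), (1, 2),
                        (3, 0), (0, 2), (2, 2), (4, 1), (3, 3)]


def lemma1_report(bs: Sequence[Elem] = SAMPLE_B, q: int = Q, n: int = N) -> dict:
    """H(0..k) for the sample, plus the two deterministic consequences checked in the text:
    H is non-increasing (first inequality of Lemma 2) and
    sum|p_a - 1/|A|| <= (|A| * H(k))^{1/2} (Cauchy-Schwarz, giving (b) from (a))."""
    dists = subset_sum_distributions(bs, q, n)
    H = [l2_distance_sq(d) for d in dists]
    size = len(dists[-1])
    return {
        "H": H,
        "non_increasing": all(H[i] >= H[i + 1] - 1e-15 for i in range(len(H) - 1)),
        "final_l1": l1_distance(dists[-1]),
        "l1_bound_holds": l1_distance(dists[-1]) <= (size * H[-1]) ** 0.5 + 1e-12,
        "mass_is_one": abs(sum(dists[-1].values()) - 1.0) < 1e-12,
    }


if __name__ == "__main__":
    rep = lemma1_report()
    for i, h in enumerate(rep["H"]):
        print(f"H({i}) = {h:.6f}")
    print("non-increasing:", rep["non_increasing"], " l1 bound holds:", rep["l1_bound_holds"])
```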
First we show how we can use the corollary to prove our claim about $\lambda$ and $\lambda'$. We apply the corollary with $A \to Z^n/(q)$, $k \to m = [c_1 n \log n]$, $b_i \to v_i$, $\delta_i \to \delta_i$, where $q$, $n$, $v_i$, $\delta_i$ were given in the definition of $\lambda$. Let $\lambda' = \langle v_1,\ldots,v_{m-1}, -\xi\rangle$. By the assumption of the corollary $\lambda'$ has the required uniform distribution on $A$. (We may always take the smallest nonnegative residues mod $q$.) By the corollary $P(\lambda_{n,c_1,c_2} = \lambda'_{n,c_1,c_2}) \ge 1 - |A|^{1/2}\, 2^{-c'k}$. $|A| = q^n \le n^{c_2 n} = 2^{c_2 n \log n}$. Therefore if $c_1$ is sufficiently large with respect to $c_2$ and $c'$ then we have $P(\lambda_{n,c_1,c_2} \ne \lambda'_{n,c_1,c_2}) \le 2^{-cn}$.
As a first step in the proof of the lemma we prove the following.
Lemma 2. There are absolute constants $0 < c_1 < 1$, $0 < c_2 < 1$ so that if $A$ is a finite Abelian group, $f$ is a real-valued function on $A$ and $\sum_{a \in A} f(a) = 0$, then the following holds. For any $b \in A$ we have $\sum_{a \in A} f(a)^2 \ge \sum_{a \in A} \left(\frac{f(a)+f(a+b)}{2}\right)^2$. Moreover if we pick a random element $b$ of $A$ with uniform distribution then
$P\left(c_1 \sum_{a \in A} f(a)^2 \ge \sum_{a \in A} \left(\frac{f(a)+f(a+b)}{2}\right)^2\right) > c_2$.
Proof. Our first inequality can be written in the form
(1) $\frac12 \left(\sum_{a \in A} f(a)^2 + \sum_{a \in A} f(a+b)^2\right) \ge \sum_{a \in A} \left(\frac{f(a)+f(a+b)}{2}\right)^2$.
This holds since for any fixed $a$ and $b$ the difference of the two sides is $\frac14 (f(a) - f(a+b))^2 \ge 0$. This also implies that if e.g. $f(a) \ge 0$ and $f(a) \ge 2f(a+b)$ then the difference of the two sides is at least $\frac14 \left(\frac{f(a)}{2}\right)^2 = \frac{f(a)^2}{16}$. We will use this in the proof of the second inequality, which can be written in the form
$P\left(\frac{c_1}{2}\left(\sum_{a \in A} f(a)^2 + \sum_{a \in A} f(a+b)^2\right) \ge \sum_{a \in A} \left(\frac{f(a)+f(a+b)}{2}\right)^2\right) > c_2$.
We will show that there are constants $0 < c_3 < 1$, $0 < c_4 < 1$, $0 < c_5 < 1$ and sets $D \subseteq A$, $F \subseteq A$ so that for each $a \in D$, $b \in F$ we have
(2) $\frac{c_3}{2}\left(f(a)^2 + f(a+b)^2\right) \ge \left(\frac{f(a)+f(a+b)}{2}\right)^2$,
moreover $|F| \ge c_4 |A|$ and $\sum_{a \in D} f(a)^2 \ge c_5 \sum_{a \in A} f(a)^2$. This together with the inequality $\frac12 (f(a)^2 + f(a+b)^2) \ge \left(\frac{f(a)+f(a+b)}{2}\right)^2$, which holds for all $a, b \in A$, will imply our statement. Indeed $|F| \ge c_4|A|$ implies that it is enough to prove the inequality with the condition $b \in F$. We claim that for each fixed $b \in F$ we have $\frac{c_1}{2}\left(\sum_{a \in A} f(a)^2 + \sum_{a \in A} f(a+b)^2\right) \ge \sum_{a \in A} \left(\frac{f(a)+f(a+b)}{2}\right)^2$. This is a consequence of the fact that for each $a \notin D$ we have (1) and for the remaining ones we have (2).
Let $P = \{a \in A \mid f(a) > 0\}$. We may assume that e.g. $\sum_{a \in P} f(a)^2 \ge \sum_{a \in A \setminus P} f(a)^2$. As we have seen, inequality (2) holds if $f(a) \ge 0$ and $f(a) \ge 2f(a+b)$. (This includes the $f(a+b) < 0$ case too.) Let $\epsilon > 0$ be a small constant. If $|A \setminus P| > \epsilon |A|$ then with $D = P$, $F = A \setminus P$ our conditions are satisfied. Assume now that $|A \setminus P| < \epsilon|A|$. This implies that if $M = |A|^{-1} \sum_{a \in P} f(a) = |A|^{-1} \sum_{a \in A \setminus P} (-f(a))$, then $\sum_{a \in A \setminus P} f(a)^2 \ge \epsilon^{-1} |A| M^2$. We claim that the sets $D = \{a \in P \mid f(a) > 4M\}$ and $F = \{a \in A \mid f(a) < 2M\}$ meet our requirements. Indeed $\sum_{a \in P \setminus D} f(a)^2 \le 16 |A| M^2$. If $\epsilon > 0$ is sufficiently small, this implies that $\sum_{a \in D} f(a)^2 \ge c_5 \sum_{a \in A} f(a)^2$. $\sum_{a \in (A \setminus F) \cap P} f(a) \le |A| |M|$ implies that $|(A \setminus F) \cap P| \le \frac12 |A|$ and so $|F| \ge (\frac12 - \epsilon)|A|$. Q.E.D. (Lemma 2)
Proof of Lemma 1. By the Cauchy-Schwarz inequality, (b) follows from (a), so we will prove only (a). Suppose that we randomize both $b_i$ and $\delta_i$ independently. Let $f_i(a) = |A|^{-1} - P(a = \sum_{r=1}^i \delta_r b_r)$ and let $H(i) = \sum_{a \in A} f_i(a)^2$. We prove that $H(i) \ge H(i+1)$ for all $i = 1,\ldots,k$, $H(1) \le 2$, and with a probability greater than $1 - 2^{-c'k}$
(3) there are at least $c''k$ numbers $i \in [1,k]$ so that $H(i+1) < c_1 H(i)$,
where $c' > 0$, $c'' > 0$ and $0 < c_1 < 1$ are absolute constants. This would imply that if we randomize $b_1,\ldots,b_k$ only, then with a probability of at least $1 - 2^{-c'k/2}$ we get a sequence $b_1,\ldots,b_k$ so that for the randomization of $\delta_1,\ldots,\delta_k$ with a probability of at least $1 - 2^{-c'k/2}$ we get a sequence with (3). This clearly will imply the assertion of the lemma.
Assume now that $b_1,\ldots,b_i$, $\delta_1,\ldots,\delta_i$ have been randomized. Lemma 2 implies that for the randomization of $b_{i+1}, \delta_{i+1}$ the probability of $H(i+1) < c''' H(i)$ is at least $c_2$, where $c_2 > 0$ is an absolute constant. Therefore Chernoff's inequality implies our statement. Q.E.D. (Lemma 1)
Proof of the corollary. We define $\xi$ separately on each subset of the probability space where $b_1,\ldots,b_k$ take some fixed value. Assume that these fixed $b_1,\ldots,b_k$ do not satisfy condition (b) of Lemma 1. In this case let $\xi$ be an arbitrary random variable with uniform distribution. Suppose now that (b) holds. Let $\eta = \sum_{i=1}^k \delta_i b_i$. For each $a \in A$ let $B_a$ be the event $\eta = a$. We choose a $B'_a \subseteq B_a$ for all $a \in A$ so that either $P(B'_a) = |A|^{-1}$ or $P(B'_a) = P(B_a) < |A|^{-1}$. Let $\xi$ be a random variable with uniform distribution on $A$ so that $B'_a$ implies $\xi = a$. $b_1,\ldots,b_k, \xi$ are mutually independent since with any condition on $b_1,\ldots,b_k$, $\xi$ is uniform on $A$. If we randomize $b_1,\ldots,b_k$ first then the probability that (b) does not hold is smaller than $2^{-ck}$, therefore we may assume that $\xi$ is defined in the second way. In this case however (b) implies that $P(\xi \ne \eta) < |A|^{1/2}\, 2^{-ck}$. Q.E.D. (Corollary)
Definition. 1. If $b_1,\ldots,b_n \in R^n$ then $P(b_1,\ldots,b_n)$ will denote the parallelepiped $\{\sum_{i=1}^{n} \lambda_i b_i \mid 0 \le \lambda_i \le 1\}$.
2. The minimal height (or width) of $P(b_1,\ldots,b_n)$ will be the minimum of the heights belonging to the various faces of $P(b_1,\ldots,b_n)$.
Lemma 3. Suppose that $a_1,\ldots,a_n$ are vectors in $R^n$ and $\max_{i=1}^{n}\|a_i\| \le M$. Then there are linearly independent elements $b_1,\ldots,b_n \in L(a_1,\ldots,a_n)$ so that $\max_{i=1}^{n}\|b_i\| \le (n^3 + \frac12 n)M$ and the volume of $P(b_1,\ldots,b_n)$ is between $\frac12 (n^3 M)^n$ and $2(n^3 M)^n$, its surface area is at most $6n(n^3 M)^{n-1}$ and its minimal height is at least $\frac23 n^3 M$. Moreover if $a_1,\ldots,a_n \in Z^n$ then $b_1,\ldots,b_n$ can be computed in time polynomial in $\sum_{i=1}^{n} \mathrm{size}(a_i)$.
Proof. The assumption about the lengths of the basis vectors $a_i$ implies that for each vector $v$ there is a $v' \in L(a_1,\ldots,a_n)$ so that $\|v - v'\| \le \frac12 Mn$. Indeed we may get such a $v'$ by expressing $v$ as a linear combination of the vectors $a_i$ with real coefficients and then rounding off each coefficient to the closest integer. Assume now that $f_1,\ldots,f_n$ are pairwise orthogonal $n$-dimensional vectors with length exactly $n^3 M$. For each $i = 1,\ldots,n$ let $b_i$ be a lattice vector so that $\|f_i - b_i\| \le \frac12 nM$. (Clearly this construction, which only involves the solution of a linear system of equations and rounding, can be completed in polynomial time.) Let $Q = P(f_1,\ldots,f_n)$, $Q' = P(b_1,\ldots,b_n)$. The distance of each vertex of $Q'$ from the corresponding vertex of $Q$ is at most $\frac12 n^2 M$. Therefore if we enlarge the cube $Q$ from its center by a factor of $1 + \frac{1}{2n}$ then it will contain $Q'$. $Q_0$ will denote the enlarged cube. In a similar way if we reduce it into a cube $Q_1$ by the same factor then it will be contained in $Q'$. $\mathrm{volume}(Q_1) \le \mathrm{volume}(Q') \le \mathrm{volume}(Q_0)$ and the inequalities $\frac12 \le (1 + \frac{1}{2n})^{-n}$ and $(1 + \frac{1}{2n})^n \le 2$ imply our assertion about the volume. $Q_1 \subseteq P(b_1,\ldots,b_n)$, therefore $P(b_1,\ldots,b_n)$ contains a sphere of radius at least $\frac12 (n^3 M (1 - \frac{1}{2n})) \ge \frac13 n^3 M$ and so the minimal height of $P(b_1,\ldots,b_n)$ is at least $\frac23 n^3 M$. We get the upper bound on the surface area by estimating the area of each face using the upper bound $(n^3 + \frac12 n)M$ on the lengths of their edge vectors. This yields the upper bound $2n(n^3 + \frac12 n)^{n-1} M^{n-1} = 2n(n^3 M)^{n-1}(1 + \frac{1}{2n^2})^{n-1} \le 6n(n^3 M)^{n-1}$. Q.E.D.(Lemma 3)
Definitions. 1. Suppose that $n, m$ and $q$ are positive integers. Let $V_{n,m,q}$ be the set of all sequences $v_1,\ldots,v_m$ so that each $v_i$ is an $n$-dimensional vector whose coefficients are nonnegative integers in the interval $[0,q)$. If $s \in V$ then we will denote by $\Lambda(s,q) = \Lambda(s)$ the set of all sequences of integers $h_1,\ldots,h_m$ so that each coordinate of the $n$-dimensional vector $\sum_{i=1}^{m} h_i v_i$ is divisible by $q$. For any choice of $s \in V_{n,m,q}$ the set $\Lambda(s)$ is a lattice in $R^m$.
2. $Z_{n,m,q}$ will be a random variable which takes its values with uniform distribution from $V_{n,m,q}$. This definition implies that $\Lambda(Z_{n,m,q}, q)$ is a random variable which takes its values on certain lattices in $R^m$. With the notation of the extended abstract $\Lambda'_{n,c_1,c_2} = Z_{n,[c_1 n \log n],[n^{c_2}]}$.
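The following Python code is an added illustration of the definition above; it is not part of the paper. It builds $\Lambda(s,q)$ for a constructed toy value $s$ of $V_{n,m,q}$ with $n=2$, $m=4$, $q=5$ (the paper's parameters are $m=[c_1 n\log n]$, $q=[n^{c_2}]$), checks membership, verifies that $\Lambda(s,q)$ contains $qZ^m$ and has determinant $q^n$ when the $v_i$ span $Z_q^n$, and finds a shortest nonzero vector by exhaustive search, which is only feasible at toy size.

```python
from fractions import Fraction
import itertools

# Constructed toy instance (not from the paper): n = 2, m = 4, q = 5.
# S = (v_1, ..., v_m) with each v_i in [0, q)^n plays the role of a value of Z_{n,m,q}.
Q = 5
S = [(1, 0), (0, 1), (2, 3), (4, 1)]


def in_lambda(h, s=S, q=Q):
    """Membership test for Lambda(s, q): every coordinate of sum_i h_i v_i is divisible by q."""
    n = len(s[0])
    return all(sum(h[i] * s[i][j] for i in range(len(s))) % q == 0 for j in range(n))


def count_in_box(s=S, q=Q):
    """Number of points of Lambda(s, q) inside [0, q)^m.

    q*Z^m is a sublattice of Lambda(s, q) and [0, q)^m is a fundamental domain of q*Z^m,
    so this count is the index [Lambda(s,q) : qZ^m] and det Lambda(s,q) = q^m / count.
    """
    m = len(s)
    return sum(1 for h in itertools.product(range(q), repeat=m) if in_lambda(h, s, q))


def det_lambda(s=S, q=Q):
    """det Lambda(s, q) from the index computed above (equals q^n when the v_i span Z_q^n)."""
    return Fraction(q ** len(s), count_in_box(s, q))


def shortest_nonzero(s=S, q=Q):
    """Exhaustive search for a shortest nonzero vector of Lambda(s, q) (toy sizes only).

    q*e_1 lies in the lattice, so a shortest vector has every entry in [-q, q]
    and the search box below is guaranteed to contain one. Returns (vector, squared norm).
    """
    m = len(s)
    best, best_sq = None, None
    for h in itertools.product(range(-q, q + 1), repeat=m):
        if any(h) and in_lambda(h, s, q):
            sq = sum(x * x for x in h)
            if best_sq is None or sq < best_sq:
                best, best_sq = h, sq
    return best, best_sq


if __name__ == "__main__":
    print("q*e_1 in Lambda:", in_lambda((Q, 0, 0, 0)))
    print("det Lambda =", det_lambda(), "(q^n =", Q ** 2, ")")
    print("shortest nonzero vector and squared norm:", shortest_nonzero())
```

For this instance the shortest vector has squared norm 3, below the Minkowski bound $m\cdot(\det\Lambda)^{2/m} = 20$; at the paper's parameters the lattice has dimension $m \approx c_1 n\log n$ and the hypothesis of Lemma 11 is precisely that some algorithm finds a vector of length at most $n$ in such a random lattice.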

Lemma 4. Assume that $a_1,\ldots,a_n \in R^n$ are linearly independent vectors, $d_1,\ldots,d_n \in L(a_1,\ldots,a_n)$ are also linearly independent and $\|d_i\| \le M$. Then there is a basis of $L(a_1,\ldots,a_n)$ consisting of vectors no longer than $nM$. Moreover if $a_i, d_i$ are integers for $i = 1,\ldots,n$ then the required basis can be found in time polynomial in $\sum_{i=1}^{n}(\mathrm{size}(a_i) + \mathrm{size}(d_i))$.

We prove the lemma by induction on $n$. The $n = 1$ case is trivial. Suppose that our assertion holds for lattices of dimension $n-1$. Let $F$ be the hyperplane generated by $a_1,\ldots,a_{n-1}$ and let $L' = L(a_1,\ldots,a_n) \cap F$. Since $a_1,\ldots,a_n$ are linearly independent we have $L' = L(a_1,\ldots,a_{n-1})$. According to our inductive assumption $L'$ has a basis $d_1,\ldots,d_{n-1}$ with $\max_{i=1}^{n-1}\|d_i\| \le (n-1)M$. Clearly $d_1,\ldots,d_{n-1},a_n$ is a basis of $L$. Let $a'$ be the vector that we get from $a_n$ by projecting it orthogonally to $F$. By expressing $a'$ as a linear combination of the vectors $d_1,\ldots,d_{n-1}$, then rounding off the coefficients to the nearest integer we may write $a'$ in the form of $w + a''$, where $w \in L(d_1,\ldots,d_{n-1})$ and $\|a''\| \le \sum_{i=1}^{n-1}\|d_i\| \le (n-1)M$. Therefore $d_1,\ldots,d_{n-1},a_n - w$ is a basis of $L(a_1,\ldots,a_n)$ and $\|a_n - w\| \le (\|a_n - a'\|^2 + \|a' - w\|^2)^{1/2} \le (\|a_n\|^2 + \|a''\|^2)^{1/2} \le (1 + (n-1)^2)^{1/2} M < nM$ implies that every element of this basis is of length at most $(n-1)M$. The inequality $\|a_n - w\| \le (n^2 - 2n)^{1/2} M < nM$ shows that even if we compute $a'$ only approximately with a precision greater than, say, $\frac{1}{n^2}M$, the vector $a_n - w \in L$ that we get from this approximate value will be shorter than $(n-1)M$. Q.E.D.(Lemma 4)
We need the following lemma to show that if a parallelepiped $W$ is not very skewed and it is large with respect to $\mathrm{bl}(L)$ (e.g. the one constructed in Lemma 3), then the number of lattice points in all of the parallelepipeds $b + W$, $b \in R^n$ is about the same and is roughly proportional to the volume of the parallelepiped. Moreover for any fixed hyperplane $F$ the number of lattice points in $F \cap (b + W)$ is small with respect to the number of lattice points in $b + W$.
Lemma 5. Assume that $L = L(a_1,\ldots,a_n)$ is a lattice in $R^n$, where $\|a_i\| \le M$, $i = 1,\ldots,n$ and $g_1,\ldots,g_n$ are linearly independent vectors in $R^n$ (not necessarily in $L$) and $b \in R^n$. Let $k_0$ resp. $k_1$ be the number of lattice points in the closed set $b + P(g_1,\ldots,g_n)$ resp. in its interior. Let $H$ be the minimal height, let $V$ be the volume and let $S$ be the surface area of $P(g_1,\ldots,g_n)$. Then

(a) $(\det L)^{-1}(1 - \frac{2Mn}{H})^n V \le k_j \le (\det L)^{-1}(1 + \frac{2Mn}{H})^n V$, $j = 0,1$

(b) If $F$ is a hyperplane then the number of lattice points in $F \cap (b + P(g_1,\ldots,g_n))$ is at most $2SMn(1 + \frac{2Mn}{H})^{n-1}(\det L)^{-1}$.

Proof. (a) Let $W = b + P(g_1,\ldots,g_n)$, let $W'$ be the set that we get from $W$ by enlarging it from its center by a factor of $1 + \frac{2Mn}{H}$ and $W''$ be the set that we get from it by reducing it by $1 - \frac{2Mn}{H}$. Let $B$ be the set of all parallelepipeds of the form $v + P(a_1,\ldots,a_n)$, where $v$ is a lattice point and $(v + P(a_1,\ldots,a_n)) \cap W$ is non-empty. The definitions of $W', W''$ imply that every element of $B$ is contained in $W'$ and every element of $B$ intersecting $W''$ is contained in $W$. Therefore we get the upper bounds from the fact that the number of elements of $B$ contained in $W'$ can be at most $\mathrm{volume}(W')/\det(L)$. We get the lower bound on $k_0$ in the following way. Let $D$ be the set of those elements of $B$ that intersect $W''$. Clearly $|D| \le k_0$. The definition of $W''$ implies that the elements of $D$ cover $W''$ so $|D| \ge \mathrm{volume}(W'')(\det L)^{-1}$. To get the lower bound on $k_1$, we may repeat our argument for each $\epsilon > 0$ with $W''_\epsilon$ instead of $W''$ where we get $W''_\epsilon$ by reducing $W$ with a factor of $1 - \frac{2Mn}{H} - \epsilon$. This way the elements of the set $D$ will be in the interior of $W$. Taking the limit for all of the resulting lower bounds for $k_1$ we get (a).

(b) Let $G$ be the set of those elements of $B$ which intersect $F$. The definition of $W'$ implies that the distance of $F \setminus W'$ from $F \cap W$ is at least $Mn$. (Any pair of points from them are separated by a pair of corresponding parallel faces of $W$ and $W'$ whose distance is at least $Mn$.) Therefore if $\pi$ is the orthogonal projection of $R^n$ to $F$ and $T \in G$ then $\pi(T)$ is in $F \cap W'$. Consequently each $T \in G$ is contained in the body that consists of all points $x$ with $\pi(x) \in W' \cap F$ whose distance from $F$ is at most $Mn$. The volume of this body is $2\,\mathrm{area}(W' \cap F)Mn$ and $\mathrm{area}(W' \cap F)$ is at most the surface area of $W'$, which implies our inequality. Q.E.D.(Lemma 5)
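The following Python code is an added worked example for Lemma 3 and Lemma 5 together; it is not code from the paper. For the constructed lattice $L = L((3,1),(1,4))$ in the plane (so $\det L = 11$, $n = 2$, and $M = 5$ bounds the basis lengths) it carries out the rounding construction of Lemma 3 with an orthogonal frame of length $n^3 M = 40$, checks the volume, perimeter and height bounds of that lemma, and then counts the lattice points in two translates $b + P(b_1,b_2)$ by enumeration to compare the counts against the bounds of Lemma 5(a). The sample translation vectors are constructed values.

```python
from fractions import Fraction
import math

# Constructed sample lattice basis and the length bound M >= max ||a_i|| (not from the paper).
SAMPLE_A = ((3, 1), (1, 4))
SAMPLE_M = 5
SAMPLE_B = (Fraction(1, 2), Fraction(1, 3))      # translation vector b for Lemma 5
SAMPLE_B2 = (Fraction(7, 3), Fraction(-5, 2))    # a second translate, to compare counts


def solve2(basis, target):
    """Exact coordinates (x, y) with x*basis[0] + y*basis[1] == target (Cramer's rule, n = 2)."""
    (p, q), (r, s) = basis
    det = p * s - q * r
    tx, ty = target
    return (Fraction(tx * s - r * ty, det), Fraction(p * ty - q * tx, det))


def norm(v):
    return math.sqrt(v[0] ** 2 + v[1] ** 2)


def det2(basis):
    return abs(basis[0][0] * basis[1][1] - basis[0][1] * basis[1][0])


def lemma3_basis(a, M):
    """Lemma 3 for n = 2: take an orthogonal frame f_1, f_2 of length n^3 M, express each f_i in the
    basis a with real coefficients and round the coefficients to the closest integers."""
    n = 2
    side = n ** 3 * M
    out = []
    for f in ((side, 0), (0, side)):
        x, y = solve2(a, f)
        rx, ry = round(x), round(y)
        out.append((rx * a[0][0] + ry * a[1][0], rx * a[0][1] + ry * a[1][1]))
    return tuple(out)


def parallelepiped_stats(g):
    """Volume V, surface area S (perimeter in the plane) and minimal height H of P(g_1, g_2)."""
    V = det2(g)
    S = 2 * (norm(g[0]) + norm(g[1]))
    H = V / max(norm(g[0]), norm(g[1]))   # area divided by the longest side
    return V, S, H


def count_lattice_points(a, g, b, interior=False):
    """Number of points of L(a) in the closed set b + P(g) (or its interior), by enumeration."""
    corners = [(b[0] + s * g[0][0] + t * g[1][0], b[1] + s * g[0][1] + t * g[1][1])
               for s in (0, 1) for t in (0, 1)]
    xs, ys = [c[0] for c in corners], [c[1] for c in corners]
    count = 0
    for x in range(math.floor(min(xs)), math.ceil(max(xs)) + 1):
        for y in range(math.floor(min(ys)), math.ceil(max(ys)) + 1):
            cx, cy = solve2(a, (x, y))
            if cx.denominator != 1 or cy.denominator != 1:
                continue                      # integer point that is not in L(a)
            lam = solve2(g, (x - b[0], y - b[1]))
            if interior:
                count += all(0 < l < 1 for l in lam)
            else:
                count += all(0 <= l <= 1 for l in lam)
    return count


def lemma5_bounds(a, g, M):
    """The two sides of Lemma 5(a) for n = 2: (det L)^-1 (1 -+ 2Mn/H)^n V."""
    n = 2
    V, _, H = parallelepiped_stats(g)
    eps = 2 * M * n / H
    return (1 - eps) ** n * V / det2(a), (1 + eps) ** n * V / det2(a)


if __name__ == "__main__":
    B = lemma3_basis(SAMPLE_A, SAMPLE_M)
    print("Lemma 3 vectors:", B, "stats (V, S, H):", parallelepiped_stats(B))
    print("points in b + P:", count_lattice_points(SAMPLE_A, B, SAMPLE_B),
          "in b' + P:", count_lattice_points(SAMPLE_A, B, SAMPLE_B2),
          "Lemma 5 bounds:", lemma5_bounds(SAMPLE_A, B, SAMPLE_M))
```

Both translates contain exactly $\det P(b_1,b_2)/\det L = 1639/11 = 149$ lattice points, which is the "about the same" behaviour the text asks of a large, nearly cubic parallelepiped; the Lemma 5 bounds are far looser than this because $M/H$ is not yet small at such a tiny example.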
Definition. If $a_1,\ldots,a_n \in R^n$ are linearly independent vectors then $P^-(a_1,\ldots,a_n)$ will denote the set $\{\sum_{i=1}^{n} \lambda_i a_i \mid 0 \le \lambda_i < 1\}$.
Lemma 6. Assume that $L = L(a_1,\ldots,a_n)$ is a lattice in $R^n$, $\|a_i\| \le M$ for $i = 1,\ldots,n$, $b_1,\ldots,b_n$ are linearly independent elements of $L$, $\|b_i\| \le Y$ for $i = 1,\ldots,n$, $V$ is the volume, $S$ is the surface area and $H$ is the minimal height of $P(b_1,\ldots,b_n)$, $q$ is a positive integer and the following inequalities hold

(i) $\frac{M}{H} \le \frac{1}{4n^4}$

(ii) $5SMn \le V$.

Suppose further that $\xi$ is a random variable that takes its values with uniform distribution on the set $R$ of lattice points of $P^-(b_1,\ldots,b_n)$. Then there are random variables $\eta, \zeta$ with $\xi = \eta + \zeta$ so that $\eta$ has uniform distribution on $E = \{\sum_{i=1}^{n} \lambda_i b_i \mid \lambda_i \in \{0, \frac1q, \ldots, \frac{q-1}{q}\},\ i = 1,\ldots,n\}$, and for each fixed $t \in E$ the conditional distribution of $\zeta$ with the condition $\eta = t$ meets the following requirements:

(a) $P(\zeta \in P^-(\frac1q b_1,\ldots,\frac1q b_n) \mid \eta = t) > 1 - \frac{1}{n^2}$

(b) for any fixed hyperplane $F$ in $R^n$, $P(\zeta \in F \mid \eta = t) < 1/2$

Proof. Let $T$ be the set of all sequences $t_1,\ldots,t_n$ so that $t_i \in \{0,1,\ldots,q-1\}$ and for each $t = \langle t_1,\ldots,t_n\rangle \in T$ let $W_t = P(\frac1q b_1,\ldots,\frac1q b_n) + \sum_{i=1}^{n} \frac{t_i}{q} b_i$. Lemma 5 gives the following estimate on $w_t$, the number of lattice points in $W_t$:
$(\det L)^{-1}(1 - \frac{2Mn}{H})^n V \le w_t \le (\det L)^{-1}(1 + \frac{2Mn}{H})^n V$.
Inequality (i) implies that $1 - \frac{1}{3n^2} \le (1 - \frac{2Mn}{H})^n \le 1 \le (1 + \frac{2Mn}{H})^n \le 1 + \frac{1}{3n^2}$ and so

(4) $(1 - \frac{1}{3n^2})(\det L)^{-1} V \le w_t \le (1 + \frac{1}{3n^2})(\det L)^{-1} V$.

Let $\alpha = [(1 - \frac{1}{3n^2})(\det L)^{-1} V]$ and for each $t \in T$ let $W'_t$ be an arbitrary but fixed subset of $W_t$ with exactly $\alpha$ elements. For the definition of $\eta$ we will use another random variable $\rho$ which is independent of $\xi$ and has uniform distribution on $E$. Suppose that both $\xi$ and $\rho$ have been randomized. If $\xi \in \bigcup_{t \in T} W'_t$ then there is a unique $t = \langle t_1,\ldots,t_n\rangle \in T$ with $\xi \in W'_t$. In this case let $\eta = \sum_{i=1}^{n} \frac{t_i}{q} b_i$. If $\xi$ is outside of $\bigcup_{t \in T} W'_t$ then let $\eta = \rho$. Since $|W'_t|$ does not depend on $t$ and $\xi, \rho$ are independent, we have that $\eta$ has uniform distribution on $E$.

(a) (4) and the definition of $\alpha$ imply that the probability of $\xi \in \bigcup_{t \in T} W'_t$ is greater than $1 - \frac{1}{n^2}$. In this case the definition of $\eta$ implies that if $\xi \in W_t$ then $W_t = \eta + P(\frac1q b_1,\ldots,\frac1q b_n)$, and so $\zeta = \xi - \eta \in P(\frac1q b_1,\ldots,\frac1q b_n)$.

(b) According to (a) it is enough to show that $P(\zeta \in F \mid \eta = t,\ \xi \in W'_t) < \frac12 - \frac{1}{n^2}$. By Lemma 5 and inequalities (i),(ii), the number of lattice points on $F \cap W'_t \subseteq F \cap W_t$ is at most $\frac25 V(\det L)^{-1}$. Therefore the definition of $\alpha = |W'_t|$ and the fact that with the condition $\eta = t$, $\xi \in W'_t$ the variable $\xi$ is uniform on $W'_t$ imply (b). Q.E.D.(Lemma 6)
Lemma 7. Assume that $a_1,\ldots,a_n \in R^n$ are linearly independent. Then, for each $b \in R^n$, there is a unique $b' \in P^-(a_1,\ldots,a_n)$ so that $b - b' \in L(a_1,\ldots,a_n)$; moreover, if $b \in Z^n$ and $a_i \in Z^n$, $i = 1,\ldots,n$ then $b'$ can be computed in polynomial time in $\mathrm{size}(b) + \sum_{i=1}^{n} \mathrm{size}(a_i)$.

Proof. We express $b$ as a linear combination of the vectors $a_i$ then take the integral part of the coefficients. Assume that we get the vector $v = \sum_{i=1}^{n} r_i a_i$. $b' = b - v$ will satisfy our requirement. The uniqueness of $b'$ is trivial. Q.E.D.(Lemma 7)

Definition. Assume that $a_1,\ldots,a_n, b$ are as in Lemma 7. We will denote the unique $b'$ described in the lemma by $b\,(\mathrm{mod}\ a_1,\ldots,a_n)$.
Lemma 8. For all $c_1 > 0$ there is a $c_2 > 0$ so that the following holds. Assume that $d_1,\ldots,d_n$ are linearly independent vectors in $Z^n$, $\sigma \ge n$ and $a_1,\ldots,a_n \in L = L(d_1,\ldots,d_n)$ is a set of linearly independent vectors as well, with $\max_{i=1}^{n}\|a_i\| \le 2^{c_1\sigma}$ and $\max_{i=1}^{n}\|d_i\| \le 2^{c_1\sigma}$. Suppose further that $\mu_1,\ldots,\mu_n$ are independent random variables which take their values with uniform distribution on the integers in the interval $[0, 2^{c_2\sigma}]$. Let $\xi = (\sum_{i=1}^{n} \mu_i d_i)\,(\mathrm{mod}\ a_1,\ldots,a_n)$. Then the distribution of $\xi$ on the points of $L \cap P^-(a_1,\ldots,a_n)$ is almost uniform in the following sense: if for each $v \in P^-(a_1,\ldots,a_n)$, $p_v = P(\xi = v)$ and $k$ is the number of lattice points in $P^-(a_1,\ldots,a_n)$, then
$\sum_{v \in P^-(a_1,\ldots,a_n)} |p_v - \frac1k| \le 2^{-c_1\sigma}$.

Proof. We will need the following observations in the proof. For each real number $\beta$ let $W_\beta = P^-(\beta d_1,\ldots,\beta d_n)$. Since $d_1,\ldots,d_n$ is a basis of $L$ we have that if $\beta$ is a positive integer then the number of lattice points in $W_\beta$ is $\beta^n$. Since the volume of $W_1$ is at least 1 (the value of a nonzero determinant with integer entries) and the area of any face of it is at most $\prod_{i=1}^{n}\|d_i\|$, we have that the minimal height $H$ of $W_1$ is at least $(\prod_{i=1}^{n}\|d_i\|)^{-1} \ge 2^{-(c_1+1)\sigma}$.

Let $t = [2^{c_2\sigma}]$. Let $X'$ be the set of all parallelepipeds $J$ of the form $J = u + P^-(a_1,\ldots,a_n)$ with $u \in L$ and $J \cap W_t \ne \emptyset$. Let $X$ be the set of all sets $J \in X'$ with $J \subseteq W_t$. If we enlarge $W_t$ from its center by a factor of $\beta = 1 + \frac{2 \cdot 2^{(c_1+1)\sigma}}{tH}$ then the resulting set $W'$ will contain every element of $X'$. By Lemma 5 the number of lattice points in $W' \setminus W_t$ is at most $(\det L)^{-1}\big((1 + \frac{2 \cdot 2^{(c_1+1)\sigma}}{tH})^n t^n - (1 - \frac{2 \cdot 2^{(c_1+1)\sigma}}{tH})^n t^n\big)$. If $c_2$ is sufficiently large with respect to $c_1$ then this is at most $2^{-(c_1+1)\sigma} t^n$.

Let $J_0$ be the unique element of $X'$ containing $\sum_{i=1}^{n} \mu_i d_i$. The elements of $X$ are disjoint, so $p_v = \big(\sum_{J \in X} P(\xi = v \mid J_0 = J) P(J_0 = J)\big) + P(\xi = v \mid J_0 \notin X) P(J_0 \notin X)$. The distribution of $\xi$ is uniform on $P^-(a_1,\ldots,a_n)$ with the condition $J_0 = J$ for each fixed $J \in X$, therefore the first term is $\frac1k \cdot \frac{|X| k}{t^n}$, which does not depend on $v$. The second term is at most $P(J_0 \notin X)$. This is smaller than the number of lattice points in $\bigcup X' \setminus \bigcup X$ divided by $t^n$, that is smaller than $2^{-(c_1+1)\sigma}$. Since the number of lattice points in $P^-(a_1,\ldots,a_n)$ is at most $\mathrm{volume}(a_1,\ldots,a_n)(\det L)^{-1} \le 2^{(c_1+1)\sigma}$, this implies our statement. Q.E.D.(Lemma 8)
Definitions. 1. $c_M$ will denote a fixed positive real number so that for all $n = 1,2,\ldots$ and for all lattices $L$ in $R^n$ there exists a $v \in L$, $v \ne 0$ with $\|v\| \le c_M n^{1/2} (\det L)^{1/n}$. Minkowski's theorem about closed, convex, centrally symmetric bodies applied to a sphere implies the existence of such a constant.
2. If $L$ is a lattice in $R^n$ then $\mathrm{unit}(L)$ will denote the number $(\det L)^{1/n}$.
3. Suppose that $L$ is a lattice in $R^n$ and $H$ is a $k$-dimensional subspace of $R^n$ so that $L' = H \cap L$ is a ($k$-dimensional) lattice in $H$. The factor lattice $L/L'$ will be the lattice that we get from $L$ by orthogonally projecting it onto $H^\perp$. (We have to prove that $L/L'$ is indeed a lattice, that is, it has a basis consisting of $n-k$ elements (over the integers). We may pick a basis $a_1,\ldots,a_n$ for $L$ so that $a_1,\ldots,a_k$ is in $L'$ (the assumption that $H \cap L$ is a $k$-dimensional lattice implies the existence of such a basis). If $\pi$ is the orthogonal projection of $R^n$ onto $H^\perp$ then $\pi a_{k+1},\ldots,\pi a_n$ will be the required basis of $L/L'$.)
Lemma 9. Suppose that $L$ is a lattice in $R^n$ and $K > 0$. Then either $L$ has a factor lattice $L_1$ with $\mathrm{unit}(L_1) \ge K$ or $L$ has a basis whose each vector is not longer than $c_M K \sum_{i=1}^{n} i^{1/2}$.

Proof. It is enough to prove the lemma for $K = 1$ since we may replace $L$ by $\frac1K L$. We prove the lemma by induction on $n$. For $n = 1$, $\mathrm{unit}(L)$ is the length of a shortest vector and so $c_M \ge 1$, therefore our statement trivially holds.

Assume now that the lemma holds for $n-1$. If $\mathrm{unit}(L) \ge 1$, then our statement holds with $L_1 = L$. Suppose that $\mathrm{unit}(L) < 1$, then by Minkowski's theorem there is a $v \in L$, $v \ne 0$ so that $\|v\| \le c_M n^{1/2}\,\mathrm{unit}(L) < c_M n^{1/2}$. Let $W$ be the subspace orthogonal to $v$. Let $L_v$ be the one dimensional lattice generated by $v$ and $L_1$ be the factor lattice $L/L_v$. According to the inductive assumption either $L_1$ has a factor lattice $L'_1$ with $\mathrm{unit}(L'_1) \ge 1$ or $L_1$ has a basis $B'$ with vector lengths no longer than $c_M \sum_{i=1}^{n-1} i^{1/2}$. In the former case we are done since a factor lattice of $L_1$ is also a factor lattice of $L$. In the latter case we may construct a basis $B$ of $L$ in the following way. $B$ will contain $v$ and for each element $b' \in B'$ we take an element $b$ of $L$ so that $b - b'$ is in the one dimensional vectorspace generated by $v$ and $\|b - b'\|$ is minimal with this condition. We may pick such a $b$ from those elements whose image is $b'$ under the orthogonal projection of $L$ onto $v^\perp$. Moreover we may assume that $\|b - b'\| \le \frac12 \|v\|$. Therefore the length of each element of $B$ is at most $\frac12\|v\| + c_M \sum_{i=1}^{n-1} i^{1/2} < c_M \sum_{i=1}^{n} i^{1/2}$.
Definitions. 1. With each $v \in R^n$ we associate a linear functional $\phi_v$ on $R^n$ defined by $\phi_v(u) = v \cdot u$, for all $u \in R^n$, where $\cdot$ is the inner product defined on $R^n$ in the usual way.
2. Let $L$ be a lattice in $R^n$. We define a subset $L^* \subseteq R^n$ in the following way: $v \in L^*$ iff the functional $\phi_v$ takes integer values on every element of $L$. It is easy to see that $L^*$ is a lattice in $R^n$. If $a_1,\ldots,a_n$ is a basis of $L$ then the set of those functionals which take the value 1 on exactly one $a_i$ and the value 0 on all of the others form a basis of $L^*$. This is called the dual basis of $a_1,\ldots,a_n$. This construction also shows that $(\det L)(\det L^*) = 1$ and so $\mathrm{unit}(L)\,\mathrm{unit}(L^*) = 1$.
3. If $L$ is a lattice in $R^n$, then $\mathrm{sh}(L)$ will denote the length of the shortest nonzero vector in $L$ and $\mathrm{bl}(L)$ will be the smallest real number $K$ so that $L$ has a basis $a_1,\ldots,a_n$ with $\max_{i=1}^{n}\|a_i\| = K$.
Lemma 10. If $L$ is a lattice in $R^n$ then $1 \le \mathrm{sh}(L^*)\,\mathrm{bl}(L) \le c_M^2 n^{1/2} \sum_{i=1}^{n} i^{1/2} \le cn^2$, where $c$ is an absolute constant.

Proof of the lower bound. Assume that $v \in L^*$, $\|v\| = \mathrm{sh}(L^*)$ and $a_1,\ldots,a_n$ is a basis of $L$ with $\max_{i=1}^{n}\|a_i\| = \mathrm{bl}(L)$. Since $v^\perp$ is an $(n-1)$-dimensional subspace, there is an $a_j$ so that $a_j$ and $v$ are not orthogonal and so $a_j \cdot v \ne 0$. By the definition of $L^*$, $a_j \cdot v$ is an integer and therefore $|a_j \cdot v| \ge 1$ and so $\|a_j\|\|v\| \ge 1$ and $\mathrm{bl}(L)\,\mathrm{sh}(L^*) \ge 1$.

Proof of the upper bound. For the proof we need the following trivial observation: the dual of the factor lattice, $(L/L')^*$, is a subspace of $L^*$. Indeed assume that $u \in (L/L')^*$. Then $u$ is a vector in $R^n$, it is orthogonal to $L'$ and for each $v \in L/L'$, $u \cdot v$ is an integer. Let $w \in L$ be arbitrary. By the definition of $L/L'$, $w$ can be written in the form of $v + v'$, where $v \in L/L'$ and $v'$ is in the real vectorspace generated by $L'$. Therefore $u \cdot w = u \cdot v + u \cdot v' = u \cdot v$ is an integer and so $u \in L^*$.

Suppose that $c_M K \sum_{i=1}^{n} i^{1/2} = \mathrm{bl}(L)$. Then by Lemma 9 for any $K' < K$, $K' > 0$ there is a factor lattice $L_1$ of $L$ so that $\mathrm{unit}(L_1) \ge K'$. Assume that the dimension of $L_1$ is $m \le n$. Since $\mathrm{unit}(L_1)\,\mathrm{unit}(L_1^*) = 1$, we have $\mathrm{unit}(L_1^*) \le \frac{1}{K'}$ and so Minkowski's theorem implies that there is a non-zero vector $v \in L_1^*$ so that $\|v\| \le c_M \frac{1}{K'} m^{1/2}$. As we have seen $L_1^* \subseteq L^*$, therefore $\mathrm{sh}(L^*)\,\mathrm{bl}(L) \le \frac{K}{K'} c_M n^{1/2} c_M \sum_{i=1}^{n} i^{1/2}$. This holds for any $K' < K$, which implies our upper bound. Q.E.D.(Lemma 10)
Lemma 11. There are absolute constants $c_1, c_2$ with the following property. Suppose that there is a probabilistic polynomial time algorithm $A$ which given a value of the random variable $Z_{n,[c_1 n \log n],[n^{c_2}]}$ as input with a probability of at least $1/2$ outputs a vector of $\Lambda(Z_{n,[c_1 n \log n],[n^{c_2}]})$ of length at most $n$. Then there is a probabilistic algorithm $B$ which given the linearly independent vectors $a_1,\ldots,a_n \in Z^n \subseteq R^n$ as input will output an integer $z$ in time polynomial in $\sigma = \sum_{i=1}^{n} \mathrm{size}(a_i)$ so that if $v$ is the shortest non-zero vector in $L(a_1,\ldots,a_n)$ then with a probability greater than $1 - 2^{-\sigma}$ we have $z \le \|v\| \le n^{c_3} z$.

Remarks. 1. The probability $1/2$ in the theorem can be replaced by $n^{-c}$. This will increase the running time of $B$ by a factor of at most $n^c$ but does not affect the constants $c_1$ and $c_2$.
Lemma 12. There are absolute constants $c_1, c_2, c_3$ with the following property. Suppose that there is a probabilistic polynomial time algorithm which given a value of the random variable $Z_{n,[c_1 n \log n],[n^{c_2}]}$ as input with a probability of at least $1/2$ outputs a vector of $\Lambda(Z_{n,[c_1 n \log n],[n^{c_2}]})$ of length at most $n$. Then there is a probabilistic algorithm which given the linearly independent vectors $a_1,\ldots,a_n \in Z^n \subseteq R^n$ as input will output a basis $b_1,\ldots,b_n$ of $L(a_1,\ldots,a_n)$ in time polynomial in $\sigma = \sum_{i=1}^{n} \mathrm{size}(a_i)$ so that if $d_1,\ldots,d_n$ is an arbitrary set of linearly independent vectors in $L(a_1,\ldots,a_n)$ then with a probability greater than $1 - 2^{-\sigma}$ we have $\max_{i=1}^{n}\|b_i\| \le n^{c_3} \max_{i=1}^{n}\|d_i\|$.
Lemma 13. There are absolute constants $c_1, c_2$ with the following property. Suppose that there is a probabilistic polynomial time algorithm $A$ which given a value of the random variable $Z_{n,[c_1 n \log n],[n^{c_2}]}$ as input with a probability of at least $1/2$ outputs a vector of $\Lambda(Z_{n,[c_1 n \log n],[n^{c_2}]})$ of length at most $n$. Then there is a probabilistic algorithm which given two sets of linearly independent vectors $a_1,\ldots,a_n \in Z^n \subseteq R^n$, $u_1,\ldots,u_n \in L(a_1,\ldots,a_n)$ as input will output $n$ linearly independent vectors $b_1,\ldots,b_n$ of $L(a_1,\ldots,a_n)$ in time polynomial in $\sigma = \sum_{i=1}^{n}(\mathrm{size}(a_i) + \mathrm{size}(u_i))$ so that with a probability greater than $1 - 2^{-\sigma}$, either $b_1,\ldots,b_n$ meets the requirement of Lemma 12 or $\max_{i=1}^{n}\|b_i\| \le \frac12 \max_{i=1}^{n}\|u_i\|$.
Proof. First we describe the algorithm.

Using Lemma 3 with $a_i \to u_i$ and $M \to \max_{i=1}^{n}\|u_i\|$ we construct a set of linearly independent vectors $v_1,\ldots,v_n \in L(a_1,\ldots,a_n)$ so that $\max_{i=1}^{n}\|v_i\| \le (n^3 + \frac12 n)M$ and for the volume $V$, surface area $S$ and minimal height $H$ of $P(v_1,\ldots,v_n)$ we have certain bounds. Now we take a random point of $L(a_1,\ldots,a_n)$ with almost uniform distribution in $W = P^-(v_1,\ldots,v_n)$. More precisely Lemma 8 guarantees that we can compute in polynomial time the value of a random variable $\xi$ which takes its values from $R$, the set of lattice points in $W$, and has the property $\sum_{v \in R} |P(\xi = v) - \frac{1}{|R|}| \le 2^{-n^c}$. We may write $\xi$ in the form of $\sum_{i=1}^{n} \lambda_i v_i$ where $0 \le \lambda_i < 1$. By solving a system of linear equations we may find the rational numbers $\lambda_i$ in polynomial time. Let $q = [n^{c_2}]$ and $t_i = [q\lambda_i]$, $i = 1,\ldots,n$ and $\tau = \langle t_1,\ldots,t_n\rangle$. Repeating this procedure with independent values of $\xi$ we get a sequence of values $\xi_j, \tau_j$, $j = 1,\ldots,m$, where $m = [c_1 n \log n]$. Let $L_1$ be the lattice of $m$ dimensional integer vectors $\langle h_1,\ldots,h_m\rangle$ so that $q \mid \sum_{i=1}^{m} h_i \tau_i$. Now we apply our probabilistic algorithm $A$, whose existence was assumed, with the lattice $L_1$ and in polynomial time we either get a vector $s_1 \in L_1$ with $\|s_1\| \le n$ or we recognize that the algorithm failed to produce the required result. In this case let $s_1 = 0 \in R^m$. In either case $s_1 = \langle z_1,\ldots,z_m\rangle$ is a sequence of integers. Next we find the vector $f_1 = \sum_{i=1}^{m} z_i \xi_i$ and $g_1 = (f_1)\,(\mathrm{mod}\ v_1,\ldots,v_n)$. (That is, $g_1$ is the unique element of $P^-(v_1,\ldots,v_n)$ with $f_1 - g_1 \in L(v_1,\ldots,v_n)$.) We repeat this whole procedure $3n$ times and get a sequence of vectors $g_1,\ldots,g_{3n}$. Let $G$ be the set of those vectors $g_i$, $i = 1,\ldots,3n$ which are nonzero and are shorter than $(n^3 + \frac12 n)M\frac{n}{q} \le \frac{M}{2}$. We try to select $n$ linearly independent vectors from $G$. If we succeed then the set of these vectors $b_1,\ldots,b_n$ is the output. If we do not succeed then we apply the algorithm given in Lemma 4 with $d_i \to u_i$ and we get a basis $b_1,\ldots,b_n$ with $\max_{i=1}^{n}\|b_i\| \le n \max_{i=1}^{n}\|u_i\|$. In this case the sequence $b_1,\ldots,b_n$ defined in this shorter alternative way will be the output.
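One round of the procedure just described, run on a constructed two-dimensional instance, as an added Python example that is not code from the paper. It also serves as the worked example for Lemma 7 (the reduction $b\,(\mathrm{mod}\ v_1,\ldots,v_n)$) and Lemma 8 (sampling $\sum\mu_i d_i$ and reducing it). The lattice $L = L((3,1),(1,4))$ and the vectors $v_1 = (41,-1)$, $v_2 = (-1,40) \in L$ are constructed values (the latter are what Lemma 3 yields for this lattice); $q = 64$ and $m = 13$ stand in for $[n^{c_2}]$ and $[c_1 n\log n]$. The assumed algorithm $A$ is replaced by a pigeonhole collision search, which is a stand-in that only works at toy size: since $2^m > q^n$, two distinct $0/1$ subsets of the $\tau_j$ have the same residue vector mod $q$ and their difference is a nonzero $z \in \{-1,0,1\}^m$ with $q \mid \sum z_j\tau_j$. The final reduction uses the centered representative (coefficients in $[-\frac12,\frac12)$) so that $g$ comes out short in norm rather than close to a far vertex of the parallelepiped.

```python
from fractions import Fraction
import itertools
import math
import random

# Constructed instance (not from the paper).
A = ((3, 1), (1, 4))        # basis a1, a2 of L; det L = 11
V = ((41, -1), (-1, 40))    # v1, v2 in L; det = 1639 = 11 * 149, so P^-(v1, v2) holds 149 lattice points
Q = 64                      # stands in for q = [n^{c_2}]
M_SAMPLES = 13              # stands in for m = [c_1 n log n]; 2^13 > q^n = 4096 guarantees a collision below


def coords(basis, vec):
    """Exact coordinates (x, y) with x*basis[0] + y*basis[1] == vec (Cramer's rule, n = 2)."""
    (p, q), (r, s) = basis
    det = p * s - q * r
    tx, ty = vec
    return (Fraction(tx * s - r * ty, det), Fraction(p * ty - q * tx, det))


def combo(basis, c):
    return (c[0] * basis[0][0] + c[1] * basis[1][0], c[0] * basis[0][1] + c[1] * basis[1][1])


def vnorm(v):
    return math.sqrt(v[0] ** 2 + v[1] ** 2)


def reduce_mod(vec, basis, centered=False):
    """Lemma 7: the unique b' with vec - b' in L(basis) and coefficients in [0, 1).
    With centered=True the coefficients are taken in [-1/2, 1/2) instead (our choice for the
    final step, so that coefficients close to 0 mod 1 give a short vector)."""
    x, y = coords(basis, vec)
    shift = Fraction(1, 2) if centered else 0
    k = (math.floor(x + shift), math.floor(y + shift))
    kv = combo(basis, k)
    return (vec[0] - kv[0], vec[1] - kv[1])


def sample_point(rng, big=2 ** 20):
    """Lemma 8: (mu_1 a1 + mu_2 a2) mod (v1, v2), mu_i uniform on [0, big], is an almost uniform
    lattice point of P^-(v1, v2)."""
    mu = (rng.randint(0, big), rng.randint(0, big))
    return reduce_mod(combo(A, mu), V)


def tau_of(xi):
    """t_i = [q * lambda_i] where xi = lambda_1 v1 + lambda_2 v2; an element of [0, q)^n."""
    return tuple(math.floor(Q * lam) for lam in coords(V, xi))


def short_vector_by_collision(taus):
    """Stand-in for the assumed algorithm A (toy size only): a pigeonhole collision between two
    subsets of the taus yields z != 0 in {-1,0,1}^m with sum_j z_j tau_j == 0 (mod q)."""
    seen = {}
    for bits in itertools.product((0, 1), repeat=len(taus)):
        res = tuple(sum(b * t[j] for b, t in zip(bits, taus)) % Q for j in range(2))
        if res in seen:
            return tuple(b1 - b0 for b1, b0 in zip(bits, seen[res]))
        seen[res] = bits
    raise AssertionError("unreachable: 2^m > q^n")


def reduction_step(seed=1):
    """One round of the loop of Lemma 13: returns (g, z) with g in L and ||g|| < max ||v_i|| / 2."""
    rng = random.Random(seed)
    xis = [sample_point(rng) for _ in range(M_SAMPLES)]
    taus = [tau_of(xi) for xi in xis]
    z = short_vector_by_collision(taus)
    f = (sum(zi * xi[0] for zi, xi in zip(z, xis)), sum(zi * xi[1] for zi, xi in zip(z, xis)))
    g = reduce_mod(f, V, centered=True)
    return g, z


def in_lattice(vec):
    return all(c.denominator == 1 for c in coords(A, vec))


if __name__ == "__main__":
    g, z = reduction_step()
    print("z =", z, "g =", g, "||g|| =", round(vnorm(g), 2), "vs max ||v_i|| / 2 =", round(vnorm(V[0]) / 2, 2))
```

Why $g$ is short: writing $\lambda_{ji} = t_{ji}/q + \epsilon_{ji}$ with $0 \le \epsilon_{ji} < 1/q$, the coefficient of $v_i$ in $f$ is an integer plus $\sum_j z_j\epsilon_{ji}$, whose absolute value is below $\|z\|_1/q = 13/64$; the centered reduction strips the integer part, so $\|g\| < \frac{13}{64}(\|v_1\| + \|v_2\|) \approx 16.5 < \frac12 \max\|v_i\| \approx 20.5$, whatever the random choices were.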
Now we prove the correctness of our algorithm. If for any basis $d_1,\ldots,d_n$ of $L(a_1,\ldots,a_n)$ we have $\max_{i=1}^{n}\|u_i\| \le n^{c_3+1} \max_{i=1}^{n}\|d_i\|$ then the vectors $b_1,\ldots,b_n$ defined by the short alternative way using Lemma 4 (described at the very end of the algorithm) satisfy the requirements of the lemma. Therefore we may assume in the following that there is a basis $d_1,\ldots,d_n \in L(a_1,\ldots,a_n)$ so that $\max_{i=1}^{n}\|u_i\| > n^{c_3+1} \max_{i=1}^{n}\|d_i\|$.

When we start the algorithm we have $n$ linearly independent vectors $u_1,\ldots,u_n$ in the lattice $L(a_1,\ldots,a_n)$. We try to construct from them another set of vectors whose maximal norm is smaller by a factor of two. To start our construction we replace $u_1,\ldots,u_n$ by another set of vectors $v_1,\ldots,v_n$ which are not essentially longer (only by about a factor of $n^3$) but whose parallelepiped $P(v_1,\ldots,v_n)$ is as close to a cube as possible. Lemma 3 with $a_i \to u_i$ gives such a construction. Therefore we get a set of vectors $v_1,\ldots,v_n \in L(a_1,\ldots,a_n)$ so that if $\max_{i=1}^{n}\|u_i\| = M$ then $\max_{i=1}^{n}\|v_i\| \le (n^3 + \frac12 n)M$ and if $V$ is the volume, $S$ is the surface area and $H$ is the minimal height of $P(v_1,\ldots,v_n)$ then $\frac12(n^3 M)^n \le V \le 2(n^3 M)^n$, $S \le 6n(n^3 M)^{n-1}$ and $H \ge \frac23 n^3 M$. The role of these inequalities will be that they guarantee that if we take parallelepipeds $x + P(v_1,\ldots,v_n)$ for different elements $x \in R^n$ then the number of lattice points in them will be about the same in the sense that the differences will be small relative to the total number of lattice points. Another consequence of the inequalities is that there will be relatively few lattice points in a parallelepiped of this type which lies on any single fixed hyperplane. These properties do not necessarily hold if the parallelepiped is either small relative to the maximal length of any basis of the lattice, or it is very much distorted, e.g. one of its heights is very small. Actually we will need these properties in the case of parallelepipeds of the form $P(\frac1q v_1,\ldots,\frac1q v_n)$ where $q = [n^{c_2}]$.
For the next step we need the following observation. Lemma 8 gives a random variable $\xi$ which has only an almost uniform distribution on the set $R$. However in our proof we may assume that the distribution of $\xi$ is actually uniform. Indeed we know that $\sum_{v \in R} |P(\xi = v) - \frac{1}{|R|}| \le 2^{-n^{c'}}$. This means that there is a random variable $\xi'$ so that $\xi'$ has uniform distribution and $P(\xi \ne \xi') \le 2^{-n^{c'}}$. Therefore we may assume that we work with $\xi'$ and with high probability its value is the same as $\xi$. This will lead only to a $2^{-n^{c'}}$ failure rate in the algorithm. (Even if the failure rate were higher we could decrease it exponentially by repeating the algorithm.)
Assume now that the vectors $g_1,\ldots,g_j$ have already been constructed for some $0 \le j < c_4 n$ and we now start the construction of $g_{j+1}$. Let $G_j$ be a maximal subset of linearly independent vectors of $\{g_1,\ldots,g_j\}$ with the property that for all $g \in G_j$ we have $g \ne 0$ and $\|g\| < (n^3 + \frac12 n)M\frac{n}{q}$. Let $F$ be a hyperplane in $R^n$ containing $G_j$. We will prove that (for the randomizations involved in the selection of $g_{j+1}$ only and considering $F$ as fixed), we have

(5) $P(g_{j+1} \notin F \text{ and } \|g_{j+1}\| \le (n^3 + \frac12 n)M\frac{n}{q}) \ge \frac12 - \frac{2m}{n^2} \ge \frac13$.

First we notice that (5) implies the lemma. Indeed (5) and Chernoff's inequality imply that the set $G$ as defined in the algorithm will contain $n$ elements.
Now we prove (5). First we prove that

(6) $P(\|g_{j+1}\| \le (n^3 + \frac12 n)M\frac{n}{q}) \ge 1 - \frac{m}{n^2}$.

We apply Lemma 6 with $b_1 \to v_1,\ldots,b_n \to v_n$ and $\xi \to \xi$. (As we have explained above we may assume that $\xi$ has uniform distribution on the set of lattice points in $P^-(v_1,\ldots,v_n)$.) According to Lemma 6, $\xi$ can be written in the form of $\eta + \zeta$ where $\eta$ is uniform on $E$ and we also know something about the conditional distribution of $\zeta$. We claim that if we repeat this process and get the sequences $\xi_1,\ldots,\xi_m$, $\eta_1,\ldots,\eta_m$ then with a probability of at least $1 - \frac{m}{n^2}$,

(7) $\tau_1 = \eta_1, \ldots, \tau_m = \eta_m$ and $\|\zeta_i\| \le (n^3 + \frac12 n)M\frac{n}{q}$ for $i = 1,\ldots,m$.

Indeed, (a) of Lemma 6 implies that for all $i = 1,\ldots,m$ with a probability of at least $1 - \frac{1}{n^2}$, we have $\tau_i = \eta_i$ and the vector $\zeta_i$ is inside the parallelepiped $P(\frac1q v_1,\ldots,\frac1q v_n)$ and so the upper bound on the vectors $v_1,\ldots,v_n$ implies the required upper bound on $\zeta_i$. The vector $z = \langle z_1,\ldots,z_m\rangle$ is no longer than $n$. We show that (7) implies that $\|g_j\| \le (n^3 + \frac12 n)M\frac{n}{q}$. Indeed by (7) and the definition of $f_j$ we have $f_j = \sum_{i=1}^{m} z_i \xi_i = (\sum z_i \eta_i) + \sum z_i \zeta_i = (\sum z_i \tau_i) + \sum z_i \zeta_i$. We know that either $z = 0$ or we get $z$ as the output of $A$. In either case we have $\|z\| \le n$ and $q \mid \sum_{i=1}^{m} z_i \tau_i$. The latter relation and the definition of $\tau$ imply that $\sum_{i=1}^{m} z_i \eta_i \in L(v_1,\ldots,v_n)$ and so $\|g_j\| = \|(f_j)\,(\mathrm{mod}\ v_1,\ldots,v_n)\| = \|\sum_{i=1}^{m} z_i \zeta_i\| \le (n^3 + \frac12 n)M\frac{n}{q}$, which completes the proof of (6).
We continue the proof of (5) by showing that

(8) $P(g_{j+1} \notin F) \ge \frac12 - \frac{2m}{n^2}$.

As we have seen the probability of $\tau_1 = \eta_1,\ldots,\tau_m = \eta_m$ is at least $1 - \frac{m}{n^2}$. Therefore it is enough to show that if we change our algorithm so that instead of $\tau_i$, $i = 1,\ldots,m$ we use $\eta_i$, $i = 1,\ldots,m$ in the definition of the vector $\langle h_1,\ldots,h_m\rangle$ and so in the definition of $z$, $f_{j+1}$ and $g_{j+1}$, then (8) holds if we change the right-hand side into $\frac12 - \frac{m}{n^2}$.

We may randomize all of the random variables $\xi_1,\ldots,\xi_m$ by first randomizing $\eta_1,\ldots,\eta_m$ and then $\zeta_1,\ldots,\zeta_m$. Since the definition of the number $h_i$ depends only on $\eta_i$ (and not on $\zeta_i$), the values $\eta_1,\ldots,\eta_m$ already determine whether algorithm $A$ succeeds in finding a short vector. The probability (for the randomization of $\eta_1,\ldots,\eta_m$ only) that it does not succeed is at most $1/2$. Therefore it is sufficient to show that for any possible values $t^{(1)},\ldots,t^{(m)}$ of the sequence $\eta_1,\ldots,\eta_m$, if $\eta_1 = t^{(1)},\ldots,\eta_m = t^{(m)}$ implies that $A$ finds a short vector then

(9) $P(g_{j+1} \notin F \mid \eta_1 = t^{(1)},\ldots,\eta_m = t^{(m)}) \ge \frac12 - \frac{2m}{n^2}$.

Assume now that $\eta_1 = t^{(1)},\ldots,\eta_m = t^{(m)}$ for such a sequence $t^{(1)},\ldots,t^{(m)}$. Since $A$ finds a short vector we have $z \ne 0$. Let $\rho$ be the smallest positive integer with $z_\rho \ne 0$. We consider $\rho$ as a random variable; it is determined by the $\eta_i$ and by the randomization included in $A$. Now we randomize $\zeta$. (b) of Lemma 6 implies that for any fixed $r$ we have $P(\zeta_\rho \in F \mid \eta_1 = t^{(1)},\ldots,\eta_m = t^{(m)},\ \rho = r) < 1/2$. Since this is true for any choice of $r$ we have (9). Q.E.D.(Lemma 13)
Proof of Lemma 12. Assume that $\max\|a_i\| = M$. If we apply the algorithm whose existence is stated in Lemma 13 then we either get the required output immediately or get a linearly independent system $u_1^{(1)},\ldots,u_n^{(1)}$ in polynomial time with $\max_{i=1}^{n}\|u_i^{(1)}\| \le \frac{M}{2}$. Iterating this procedure we get a sequence of linearly independent sets of vectors $u_1^{(j)},\ldots,u_n^{(j)}$ so that $\max_{i=1}^{n}\|u_i^{(j)}\| \le \frac{M}{2^j}$. Since $\log_2 M \le \sum_{i=1}^{n} \mathrm{size}(a_i)$ we get the output after a polynomial number of iterations, that is in polynomial time. Q.E.D.(Lemma 12)
Proof of Lemma 11. Let $L^*$ be the dual lattice of $L = L(a_1,\ldots,a_n)$. We can get a basis of $L^*$ by taking the dual of the basis $(a_1,\ldots,a_n)$, that is a set of vectors $d_1,\ldots,d_n$ so that for all $1 \le i,j \le n$, $a_i \cdot d_j = \delta_{i,j}$. The coordinates of the vectors $d_1,\ldots,d_n \in R^n$ are rationals since they are the unique solution of a linear system of equations with rational coefficients. Since the number of unknowns in this system is $n^2$ we get that the number of bits in the value of the determinant of the system remains below a polynomial bound (in the size of our input). Therefore all of the coordinates in the vectors $d_i$, $i = 1,\ldots,n$ can be written as fractions with the same common denominator $r$ where $\mathrm{size}(r)$ is polynomial in the size of the input. (The numerators are also of polynomial lengths.)

Consequently we may apply the algorithm of Lemma 12 to the vectors $rd_1,\ldots,rd_n \in R^n$. The output of this algorithm determines $\mathrm{bl}(L(rd_1,\ldots,rd_n))$ and so $\mathrm{bl}(L(d_1,\ldots,d_n))$ up to a factor of $n^{c_3}$. According to Lemma 10 this gives the required estimate on the length of a shortest vector in $(L(d_1,\ldots,d_n))^* = L(a_1,\ldots,a_n)$. Q.E.D.(Lemma 11)
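The dual-basis computation used in this proof, together with the lower bound $\mathrm{sh}(L^*)\,\mathrm{bl}(L) \ge 1$ of Lemma 10, as an added Python example that is not code from the paper. It takes the constructed lattice $L = L((3,1),(1,4))$, solves $a_i \cdot d_j = \delta_{ij}$ exactly with rational arithmetic, extracts the common denominator $r$ of the dual coordinates (so that $rd_1, rd_2$ are integer vectors, which is what the proof feeds to Lemma 12), checks $(\det L)(\det L^*) = 1$, and finds $\mathrm{sh}(L^*)$ by a small exhaustive search that is adequate only at this toy size.

```python
from fractions import Fraction
from math import gcd
import itertools

# Constructed sample basis of L (not from the paper).
SAMPLE_A = ((3, 1), (1, 4))


def dot(u, v):
    return u[0] * v[0] + u[1] * v[1]


def det2(basis):
    return basis[0][0] * basis[1][1] - basis[0][1] * basis[1][0]


def dual_basis(a):
    """Vectors d_1, d_2 with a_i . d_j = delta_ij (n = 2).
    With A the matrix whose rows are a_1, a_2, d_j is the j-th column of A^{-1}."""
    (p, q), (r, s) = a
    det = p * s - q * r
    d1 = (Fraction(s, det), Fraction(-r, det))
    d2 = (Fraction(-q, det), Fraction(p, det))
    return (d1, d2)


def common_denominator(d):
    """The r of the proof above: the least r with r*d_i integral for every dual vector d_i."""
    r = 1
    for vec in d:
        for c in vec:
            r = r * c.denominator // gcd(r, c.denominator)
    return r


def integer_dual(a):
    """(r, (r*d_1, r*d_2)) as integer vectors, the input the proof hands to Lemma 12."""
    d = dual_basis(a)
    r = common_denominator(d)
    return r, tuple(tuple(int(c * r) for c in vec) for vec in d)


def shortest_dual_sq(d, bound=6):
    """sh(L*)^2 by exhaustive search over small integer combinations of the dual basis (toy n = 2)."""
    best = None
    for x, y in itertools.product(range(-bound, bound + 1), repeat=2):
        if (x, y) == (0, 0):
            continue
        v = (x * d[0][0] + y * d[1][0], x * d[0][1] + y * d[1][1])
        sq = dot(v, v)
        if best is None or sq < best:
            best = sq
    return best


def lemma10_lower_bound_product(a):
    """sh(L*)^2 * max_i ||a_i||^2, which Lemma 10's lower bound says is at least 1 for any basis."""
    d = dual_basis(a)
    return shortest_dual_sq(d) * max(dot(v, v) for v in a)


if __name__ == "__main__":
    d = dual_basis(SAMPLE_A)
    print("dual basis:", d, "r =", common_denominator(d), "r*d =", integer_dual(SAMPLE_A)[1])
    print("det L * det L* =", det2(SAMPLE_A) * det2(d))
    print("sh(L*)^2 * max||a_i||^2 =", lemma10_lower_bound_product(SAMPLE_A))
```

For this lattice $r = 11$, $\det L \cdot \det L^* = 11 \cdot \frac{1}{11} = 1$, $\mathrm{sh}(L^*)^2 = \frac{10}{121}$, and the product with $\max\|a_i\|^2 = 17$ is $\frac{170}{121} > 1$, as the lower bound of Lemma 10 requires.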
Lemma 14. Assume that $c_1, c_2, c_3$ are the constants given in Lemma 13. Then there is an absolute constant $c$ with the following property. Suppose that there is a probabilistic polynomial time algorithm which given a value of the random variable $Z_{n,[c_1 n \log n],[n^{c_2}]}$ as input with a probability of at least $1/2$ outputs a vector of $\Lambda(Z_{n,[c_1 n \log n],[n^{c_2}]})$ of length at most $n$. Then there are probabilistic algorithms $B_1$, $B_2$ with the following properties:

(a) assume that $a_1,\ldots,a_n \in Z^n$ and $v \in L(a_1,\ldots,a_n)$, $v \ne 0$ and for all $w \in L$ we have that if $w$ is not in the subspace generated by $v$ then $\|w\| \ge n^c\|v\|$. Then given $a_1,\ldots,a_n$ as input, $B_1$ will output a vector $\tilde v$ in time polynomial in $\sigma = \sum_{i=1}^{n} \mathrm{size}(a_i)$ so that with a probability greater than $1 - 2^{-\sigma}$, $\tilde v$ is either $v$ or $-v$.

(b) assume that $a_1,\ldots,a_n \in Z^n$ and there is a basis $g_1,\ldots,g_n$ of $L(a_1,\ldots,a_n)$ so that $\max_{i=1}^{n-1}\|g_i\| \le M$ and the distance of $g_n$ from the hyperplane $F$ generated by $g_1,\ldots,g_{n-1}$ is at least $n^c M$. Then, given $a_1,\ldots,a_n$ as input, $B_2$ finds a basis $d_1,\ldots,d_{n-1}$ of $F \cap L(a_1,\ldots,a_n)$ in time polynomial in $\sigma = \sum_{i=1}^{n} \mathrm{size}(a_i)$ and with a probability of at least $1 - 2^{-\sigma}$.
Proof. (b). Let $K = \max_{i=1}^n \|a_i\|$. By Lemma 12 we may assume that $K \leq n^{c_3}\,\mathrm{bl}(L)$. If $D$ is the distance of $g_n$ from $F$, then $\mathrm{bl}(L) \leq D + (n-1)M$ and so $K \leq n^{c_4} D$ for some absolute constant $c_4$. (We will assume that $c$ is sufficiently large with respect to $c_4$.) According to Lemma 4 it is enough to find $n-1$ linearly
independent elements $d_1, \ldots, d_{n-1}$ in $F$. We choose the elements $d_k$, $k = 1, \ldots, n-1$, by recursion on $k$ with the additional property that $\|d_k\| \leq 2n^{c_4+5} D$. Assume that the linearly independent elements $d_1, \ldots, d_k \in F$, $\|d_i\| \leq 2nK$, have already been selected for some $0 \leq k \leq n-2$ (that is, we include the $\{d_1, \ldots, d_k\} = \emptyset$ case). We may pick a basis $d_1, \ldots, d_k, b_1, \ldots, b_{n-k}$ of $L(a_1, \ldots, a_n)$ so that $\{b_1, \ldots, b_{n-k}\} \subseteq \{a_1, \ldots, a_n\}$.
Let $N = n^{c_4+4} D$. We consider the set $Y_N$ of all linear combinations $\sum_{j=1}^{n-k} \lambda_j b_j$, where $\lambda_j$, $j = 1, \ldots, n-k$, are integers with $0 \leq \lambda_j \leq N$. The assumption that $d_1, \ldots, d_k, b_1, \ldots, b_{n-k}$ is a basis implies that if $F_k$ is the vector space generated by $d_1, \ldots, d_k$ over $\mathbf{R}$, then all of the elements of $Y_N$ are in different cosets of $F_k$. Clearly $|Y_N| \geq |N|^{n-k} \geq (n^{c_4+3} D)^{n-k}$. For each $u \in Y_N$ we have $\|u\| \leq (n-k)N$. Therefore $Y_N$ is contained in a sphere $S$ with radius $(n-k)N$. Since the distance between neighboring cosets of $F$ (which have nonempty intersection with $L$) is $D$, we have that the number of cosets of $F$ which intersect $S \cap L$ is at most $1 + 2(n-k)ND^{-1} < 2n^{2+c_4}$.
Since $|Y_N| \geq n^{3+c_4}$, if we start to list the points of $Y_N$ in some arbitrary order, then we will not run out of points in the first $2n^{2+c_4}$ steps, and actually among these points there will be two that are in the same coset of $F$. Suppose that $y_1, \ldots, y_s$, $s = n^{2+c_4}$, is the list of these points and for some $k \neq l$, $y_k - y_l \in F$. (Later we will show that we can actually decide in polynomial time whether a $v \in L$ is also an element of $F$ if $\mathrm{size}(v)$ is polynomial in the input.) We claim that $d_{k+1} = y_k - y_l$ meets our requirement. Indeed $d_{k+1} \in F$, and since $y_k$ and $y_l$ are in different cosets of $F_k$ we have $d_{k+1} \notin F_k$ and so $d_1, \ldots, d_k, d_{k+1}$ are linearly independent. By the definition of $Y_N$ we have $\|d_{k+1}\| \leq 2(n-k)N \leq 2n^{c_4+5} D$.
Finally we show how it is possible to decide whether a $v \in L(a_1, \ldots, a_n)$ is also an element of $F$, provided that $\mathrm{size}(v) \leq U$ where $U$ is polynomial in the size of the input. Let $t$ be a prime in the interval $[2^U, 2^{U+1}]$, where $c_3$ is the constant given in Lemma 11. (We can find such a number $t$ so that with a probability exponentially close to 1 it meets this requirement.) We may assume that $U > n^{c_3}$ and $2^U > 2nND^{-1}$. Let $w = \frac{1}{t} v$. We consider the $\mathbf{Z}$-module $A$ generated by the vectors $a_1, \ldots, a_n, w$. Since $tA \subseteq \mathbf{Z}^n$, $A$, as a $\mathbf{Z}$-module, can be generated by $n$ elements, so it is a lattice. By Lemma 4 we can give an estimate $z_A$ on $\mathrm{bl}(A) = \frac{1}{t}\mathrm{bl}(tA)$ in polynomial time with an error not greater than a factor $n^{c_3}$ (in the sense of Lemma 4). We may get a similar estimate $z_L$ for $\mathrm{bl}(L)$. We claim that if $v \in F$ then $z_L / z_A \leq n^{c_3}$ and if $v \notin F$ then $z_L / z_A > n^{c_3}$.
Indeed, if $v \in F$ and $D$ is the distance of the hyperplane $F$ from $g_n$ then
(10) $D \leq \mathrm{bl}(A) \leq D + nM$.
Since $D \geq n^c M$ where $c$ is sufficiently large with respect to $c_3$, this implies $z_L / z_A \leq n^{c_3}$.
Assume now that $v \notin F$ and that, e.g., $v$ and $g_n$ are in the same halfspace determined by the hyperplane $F$. Since $g_1, \ldots, g_n$ is a basis of $L$ and $\{g_1, \ldots, g_{n-1}\} \subseteq F$, we may write each vector $iw$, $i = 1, \ldots, t$, in the form $x_i + \alpha_i v$ where $0 \leq \alpha_i < 1$ and $x_i \in jg_n + F$ for some positive integer $j$. Since $v \in kg_n + F$ for some integer $k$, the choice of $U$ and $t$ implies that $t > k$, and so the primality of $t$ implies that $\alpha_i > 0$ for $i = 1, \ldots, t-1$ and trivially $\alpha_t = 0$. Since $\alpha_i$ is the fractional part of $i\alpha_1$, this implies that $\alpha_1 = s/t$ for some integer $s$ and therefore there is a $j$, $0 < j < t$, with $\alpha_j = \frac{1}{t}$. Let $x_j \in k' g_n + F$ and let $u$ be the point that we get from $jw$ by orthogonally projecting it on $k' g_n + F$. Clearly $\|jw - u\| \leq \frac{1}{t} D$. Since $\|g_i\| \leq M$, $i = 1, \ldots, n-1$, there is a $y \in k' g_n + F$ so that $\|u - y\| \leq nM$. $g_1, \ldots, g_{n-1}, jw - y$ are linearly independent vectors in $A$, $\|jw - y\| \leq nM + \frac{1}{t} D$, $\|g_i\| \leq M$ for $i = 1, \ldots, n-1$, therefore Lemma 4 implies that $\mathrm{bl}(A) \leq n^2 M + \frac{n}{t} D$. This together with (10) and $t \geq n^{2c_3}$ implies that $z_L / z_A > n^{c_3}$. Q.E.D.(b)
The only probabilistic step involved in this proof was the choice of the prime $t$. Even this can be avoided if we perform the described test for all $t = rn^{c'}$, $r = 1, \ldots, n^{c''}$. If $v \notin F$, then for at least one value of $t$ (when $k$ is not divisible by $t$) the test will show this fact.
(a). Let $L^*$ be the dual lattice of $L(a_1, \ldots, a_n)$. We will show that $L^*$ satisfies the assumption of (b) with a suitable choice of $g_1, \ldots, g_n \in L^*$. First we note that the assumption about the element $v$ implies that if $L_v$ is the one dimensional lattice generated by $v$ then
(11) the factor lattice $L / L_v$ has no shorter non-zero vector than $(n^c - 1)\|v\|$.
Let $v = v_1, v_2, \ldots, v_n$ be a basis of $L$, let $h_1, \ldots, h_n$ be the corresponding dual basis of $L^*$ and let $g_n = h_1$. This definition of $g_n$ implies that $v \cdot g_n = 1$. Let $F$ be the hyperplane orthogonal to $v$. $v \cdot g_n = 1$ implies that the distance of $g_n$ from $F$ is $\|v\|^{-1}$. We claim that $F \cap L^* = L(h_2, \ldots, h_n)$ has a basis whose elements are shorter than $n^{-c'} \|v\|^{-1}$. Indeed, this lattice is the dual of $L / L_v$, therefore Lemma 10 and property (11) imply our claim. Let $g_1, \ldots, g_{n-1}$ be an arbitrary basis of $F \cap L^*$ with elements no longer than $n^{-c'} \|v\|^{-1}$. This way (b) is satisfied with $M = n^{-c'} \|v\|^{-1}$. Therefore, using the algorithm whose existence was stated in (b), we are able to find a basis $u_1, \ldots, u_{n-1}$ for $F \cap L^*$ in polynomial time if $a_1, \ldots, a_n$ are given as input. The computational problem that the vectors in the dual space may have non-integer coefficients can be handled in the same way as in the proof of Lemma 11. We may pick a $u_n$ so that $u_1, \ldots, u_n$ is a basis of $L^*$. Let $d_1, \ldots, d_n$ be the dual basis in $L$. We claim that $d_1$ is $v$ or $-v$. Indeed $d_1$ is orthogonal to $u_1, \ldots, u_{n-1}$, therefore it is parallel to $v$. Since $v$ is a shortest vector in $L$ we have $d_1 = kv$ for some integer $k$. $k$ must be $1$ or $-1$, otherwise $L(d_1, \ldots, d_n)$ could not contain $v$. Q.E.D.(Lemma 14)
The following lemma is not necessary for the proof of our main result. It shows that the random lattice has a short basis with high probability. (To make the proof simpler we prove it only in the case when $q$ is odd, but it is easy to modify the proof for an arbitrary $q$. The smallest prime $p$ which is not a divisor of $q$ may take the role of the number 2.)
Lemma 15. For each positive integer $u$ and $\epsilon > 0$ there is a $c > 0$ so that if $n$ is a positive integer and $q \leq n^{\epsilon}$ is an odd positive integer then the probability of the following event is at least $1 - n^{-u}$:
$\Lambda(Z_{n,[cn \log n],q})$ has a basis $d_1, \ldots, d_n$ so that $\|d_i\| \leq n^2$ for all $i = 1, \ldots, n$.
Proof. Assume that $c$ is sufficiently large with respect to the constant $c$ of Lemma 1 and let $m = cn \log n$. We define $d_i$ in the following way. We will write $d_i$ in the form $d_i = \langle h^{(i)}_1, \ldots, h^{(i)}_m \rangle$. Let $h^{(i)}_i = 1$. Now we apply Lemma 1 with $k = m - 1$ and $\langle b_1, \ldots, b_k \rangle \to \langle v_1, \ldots, v_{i-1}, v_{i+1}, \ldots, v_m \rangle$. According to Lemma 1, with a probability of at least $1 - 2^{-c(m-1)}$ the sequence $v_j$ has the following property: if we take the numbers $\epsilon_j \in \{0, 1\}$ independently and with uniform distribution, then the distribution of $\sum_{1 \leq j \leq m,\, j \neq i} \epsilon_j v_j$ is almost uniform on $(\mathbf{Z}/(q))^m$, where $\mathbf{Z}/(q)$ is the ring of residue classes mod $q$. (We apply Lemma 1 so that $A$ is the additive group of this structure.) According to the lemma there is a choice for the sequence $\epsilon_j$ so that $\sum_{1 \leq j \leq m,\, j \neq i} \epsilon_j v_j \equiv -\frac{v_i}{2} \pmod{q}$. (Since $q$ is odd, $\frac{v_i}{2}$ is uniquely defined mod $q$.) Let $h^{(i)}_j = 2\epsilon_j$ for all $j = 1, \ldots, i-1, i+1, \ldots, m$. The element $b_i$ defined by this sequence is certainly in $\Lambda(Z_{n,m,q})$, since our definition implies that $\sum_{j=1}^m h^{(i)}_j v_j \equiv 0 \pmod{q}$. The definition also implies that $\|b_i\| \leq (4m+1)^{1/2}$. We claim that the $m$ vectors $b_1, \ldots, b_m$ are linearly independent in $\mathbf{R}^m$. This is an immediate consequence of the fact that their matrix is the unit matrix (mod 2) and therefore their determinant cannot be 0. Finally, according to Lemma 4, the existence of a linearly independent system of dimension $m$ and of length at most $M = (4m+1)^{1/2}$ implies the existence of a basis in the lattice whose vectors have length at most $nM$. Q.E.D.(Lemma 15)
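The construction in the proof of Lemma 15, carried out on a constructed toy instance (an added example, not the paper's code): the lattice is $\{h \in \mathbf{Z}^m : \sum_j h_j v_j \equiv 0 \pmod q\}$, row $i$ of the short basis has $h_i = 1$ and $h_j = 2\epsilon_j$, and an exhaustive search over $\epsilon \in \{0,1\}^{m-1}$ stands in for the existence guarantee of Lemma 1, so it only works for tiny $m$. The function names and the instance ($n = 1$, $q = 5$, $m = 4$) are assumptions of the example.

```python
"""Lemma 15 construction on a toy instance (added example, not the paper's code).
Lambda(Z_{n,m,q}) = {h in Z^m : sum_j h_j v_j = 0 (mod q)}, v_j in (Z/qZ)^n, q odd.
Row i has h_i = 1 and h_j = 2*eps_j for j != i, with eps in {0,1}^{m-1} chosen so
that sum_{j!=i} eps_j v_j = -v_i/2 (mod q).  Brute force over eps replaces Lemma 1."""
from itertools import product


def in_lattice(h, vs, q):
    """Membership test: sum_j h_j * v_j vanishes coordinate-wise mod q."""
    return all(sum(hj * v[t] for hj, v in zip(h, vs)) % q == 0
               for t in range(len(vs[0])))


def short_basis_vector(i, vs, q):
    """b_i = (2eps_1, ..., 1 at position i, ..., 2eps_m), or None if no eps fits."""
    m, n = len(vs), len(vs[0])
    half = pow(2, -1, q)                        # q odd, so 2 is invertible mod q
    target = [(-vs[i][t] * half) % q for t in range(n)]   # -v_i/2 mod q
    others = [j for j in range(m) if j != i]
    for eps in product((0, 1), repeat=m - 1):   # exhaustive search, first hit wins
        s = [sum(e * vs[j][t] for e, j in zip(eps, others)) % q for t in range(n)]
        if s == target:
            b = [0] * m
            b[i] = 1
            for e, j in zip(eps, others):
                b[j] = 2 * e
            return b
    return None


def lemma15_basis(vs, q):
    """All m rows, checked as in the proof: membership, |b_i|^2 <= 4m+1, and
    unit matrix mod 2 (hence nonzero determinant, so independent over R)."""
    m = len(vs)
    basis = [short_basis_vector(i, vs, q) for i in range(m)]
    if any(b is None for b in basis):
        return None
    ok = (all(in_lattice(b, vs, q) for b in basis)
          and all(sum(x * x for x in b) <= 4 * m + 1 for b in basis)
          and all(b[j] % 2 == (j == i) for i, b in enumerate(basis) for j in range(m)))
    return basis if ok else None


# Constructed toy instance (n = 1, q = 5, m = 4), small enough to check by hand.
TOY_VS, TOY_Q = [[1], [2], [3], [4]], 5

if __name__ == "__main__":
    for row in lemma15_basis(TOY_VS, TOY_Q):
        print(row)
```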
