A $2^{n/2}$-Time Algorithm for $\sqrt{n}$-SVP and $\sqrt{n}$-Hermite SVP, and an Improved Time-Approximation Tradeoff for (H)SVP
arXiv [cs.DS], Jul

Divesh Aggarwal∗, National University of Singapore, [email protected]
Zeyong Li, National University of Singapore, [email protected]
Noah Stephens-Davidowitz†, Cornell University, [email protected]
Abstract
We show a $2^{n/2+o(n)}$-time algorithm that finds a (non-zero) vector in a lattice $\mathcal{L} \subset \mathbb{R}^n$ with norm at most $\tilde{O}(\sqrt{n}) \cdot \min\{\lambda_1(\mathcal{L}), \det(\mathcal{L})^{1/n}\}$, where $\lambda_1(\mathcal{L})$ is the length of a shortest non-zero lattice vector and $\det(\mathcal{L})$ is the lattice determinant. Minkowski showed that $\lambda_1(\mathcal{L}) \leq \sqrt{n}\det(\mathcal{L})^{1/n}$ and that there exist lattices with $\lambda_1(\mathcal{L}) \geq \Omega(\sqrt{n}) \cdot \det(\mathcal{L})^{1/n}$, so that our algorithm finds vectors that are as short as possible relative to the determinant (up to a polylogarithmic factor).

The main technical contribution behind this result is new analysis of (a simpler variant of) a $2^{n/2+o(n)}$-time algorithm from [ADRS15], which was only previously known to solve less useful problems. To achieve this, we rely crucially on the "reverse Minkowski theorem" (conjectured by Dadush [DR16] and proven by [RS17]), which can be thought of as a partial converse to the fact that $\lambda_1(\mathcal{L}) \leq \sqrt{n}\det(\mathcal{L})^{1/n}$.

Previously, the fastest known algorithm for finding such a vector was the $2^{0.?n+o(n)}$-time algorithm due to [LWXZ11], which actually found a non-zero lattice vector with length $O(1) \cdot \lambda_1(\mathcal{L})$. Though we do not show how to find lattice vectors with this length in time $2^{n/2+o(n)}$, we do show that our algorithm suffices for the most important application of such algorithms: basis reduction. In particular, we show a modified version of Gama and Nguyen's slide-reduction algorithm [GN08], which can be combined with the algorithm above to improve the time-length tradeoff for shortest-vector algorithms in nearly all regimes, including the regimes relevant to cryptography.

∗ This work was partially supported in part by the Singapore National Research Foundation under NRF RF Award No. NRF-NRFF2013-13, the Ministry of Education, Singapore under grants MOE2012-T3-1-009, and MOE2019-T2-1-145.

† Some of this work was done at MIT, supported by an NSF-BSF grant number 1718161 and NSF CAREER Award number 1350619, at the Centre for Quantum Technologies at the National University of Singapore, and at the Simons Institute in Berkeley.

1 Introduction
A lattice $\mathcal{L} \subset \mathbb{R}^n$ is the set of integer linear combinations
$$\mathcal{L} := \mathcal{L}(\mathbf{B}) = \{z_1\mathbf{b}_1 + \cdots + z_n\mathbf{b}_n : z_i \in \mathbb{Z}\}$$
of linearly independent basis vectors $\mathbf{B} = (\mathbf{b}_1, \ldots, \mathbf{b}_n) \in \mathbb{R}^{n \times n}$. We define the length of a shortest non-zero vector in the lattice as $\lambda_1(\mathcal{L}) := \min_{\mathbf{x} \in \mathcal{L},\, \mathbf{x} \neq \mathbf{0}} \|\mathbf{x}\|$. (Throughout this paper, $\|\cdot\|$ is the Euclidean norm.) The Shortest Vector Problem (SVP) is the computational search problem whose input is a (basis for a) lattice $\mathcal{L} \subseteq \mathbb{R}^n$, and the goal is to output a shortest non-zero vector $\mathbf{y} \in \mathcal{L}$ with $\|\mathbf{y}\| = \lambda_1(\mathcal{L})$. For $\delta \geq 1$, the $\delta$-approximate variant of SVP ($\delta$-SVP) is the problem of finding a non-zero vector $\mathbf{y} \in \mathcal{L}$ of length at most $\delta \cdot \lambda_1(\mathcal{L})$ given a basis of $\mathcal{L}$.

$\delta$-SVP and its many relatives have found innumerable applications over the past forty years. More recently, many cryptographic constructions have been discovered whose security is based on the (worst-case) hardness of $\delta$-SVP or closely related lattice problems. See [Pei16] for a survey. Such lattice-based cryptographic constructions are likely to be used in practice on massive scales (e.g., as part of the TLS protocol) in the not-too-distant future [NIS18].

For most applications, it suffices to solve $\delta$-SVP for superconstant approximation factors. E.g., cryptanalysis typically requires $\delta = \mathrm{poly}(n)$. However, our best algorithms for $\delta$-SVP work via (non-trivial) reductions to $\delta'$-SVP for much smaller $\delta'$ over lattices with smaller rank, typically $\delta' = 1$ or $\delta' = O(1)$. E.g., one can reduce $n^c$-SVP with rank $n$ to $O(1)$-SVP with rank $n/(c+1)$ for constant $c \geq 1$ via basis reduction algorithms [LLL82, Sch87, SE94]. Therefore, even if one is only interested in $\delta$-approximate SVP for large approximation factors, algorithms for $O(1)$-SVP are still relevant. (We make little distinction between exact SVP and $O(1)$-SVP in the introduction.) There is thus a very long line of work [Kan83, AKS01, NV08, PS09, MV13, LWXZ11, WLW15, ADRS15, AS18, AUV19] on this problem.

The fastest known algorithms for $O(1)$-SVP run in time $2^{O(n)}$. With one exception ([MV13]), all known algorithms with this running time are sieving algorithms. These algorithms work by sampling $2^{O(n)}$ not-too-long lattice vectors $\mathbf{y}_1, \ldots, \mathbf{y}_M \in \mathcal{L}$ from some nice distribution over the input lattice $\mathcal{L}$, and performing some kind of sieving procedure to obtain $2^{O(n)}$ shorter vectors $\mathbf{x}_1, \ldots, \mathbf{x}_m \in \mathcal{L}$.
They then perform the sieving procedure again on the $\mathbf{x}_k$, and repeat this process many times.

The most natural sieving procedure was originally studied by Ajtai, Kumar, and Sivakumar [AKS01]. This procedure simply takes $\mathbf{x}_k := \mathbf{y}_i - \mathbf{y}_j \in \mathcal{L}$, where $i, j$ are chosen so that $\|\mathbf{y}_i - \mathbf{y}_j\| \leq (1 - \varepsilon)\min_\ell \|\mathbf{y}_\ell\|$. In particular, the resulting sieving algorithm clearly finds progressively shorter lattice vectors at each step. So, it is trivial to show that this algorithm will eventually find a short lattice vector. Unfortunately (and maddeningly), it seems very difficult to say nearly anything else about the distribution of the vectors when this very simple sieving technique is used, and in particular, while we know that the vectors must be short, we do not know how to show that they are non-zero. [AKS01] used clever tricks to modify the above procedure into one for which they could prove correctness, and the current state-of-the-art is a $2^{0.?n}$-time algorithm for $\gamma$-SVP for a sufficiently large constant $\gamma >$ [...] $2^{n+o(n)}$-time algorithm for exact SVP. This sieving procedure takes $\mathbf{x}_k := (\mathbf{y}_i + \mathbf{y}_j)/2$. [...] $\mathcal{L}$ is not closed under taking averages, so one must choose $i, j$ so that $(\mathbf{y}_i + \mathbf{y}_j)/2 \in \mathcal{L}$. This happens if and only if $\mathbf{y}_i, \mathbf{y}_j$ lie in the same coset of $2\mathcal{L}$, $\mathbf{y}_i \equiv \mathbf{y}_j \bmod 2\mathcal{L}$. Equivalently, the coordinates of $\mathbf{y}_i$ and $\mathbf{y}_j$ in the input basis should have the same parities. So, these algorithms pair vectors according to their cosets (and ignore all other information about the vectors) and take their averages $\mathbf{x}_k = (\mathbf{y}_i + \mathbf{y}_j)/2$. [...] discrete Gaussian distribution $D_{\mathcal{L},s}$ over a lattice, given by $\Pr_{\mathbf{X} \sim D_{\mathcal{L},s}}[\mathbf{X} = \mathbf{y}] \propto e^{-\pi\|\mathbf{y}\|^2/s^2}$ for a parameter $s > 0$ and $\mathbf{y} \in \mathcal{L}$. When the starting vectors come from this distribution, we are able to say quite a bit about the distribution of the vectors at each step. (Intuitively, this is because this algorithm only uses algebraic properties of the vectors, namely their cosets, and entirely ignores the geometry.) In particular, [ADRS15] used a careful rejection sampling procedure to guarantee that the vectors at each step are distributed exactly as $D_{\mathcal{L},s}$ for some parameter $s > 0$. Specifically, in each step the parameter lowers by a factor of $\sqrt{2}$, which is exactly what one would expect, taking intuition from the continuous Gaussian. More closely related to this work is [AS18], which showed that this rejection sampling procedure is actually unnecessary.

In addition to the above, [ADRS15, Ste17] also present a $2^{n/2+o(n)}$-time algorithm that samples from $D_{\mathcal{L},s}$ as long as the parameter $s >$ [...] $s$ to be "large enough that $D_{\mathcal{L},s}$ looks like a continuous Gaussian." This algorithm is similar to the $2^{n+o(n)}$-time algorithms in that it starts with independent discrete Gaussian vectors with some high parameter, and it gradually lowers the parameter using a rejection sampling procedure together with a procedure that takes the averages of pairs of vectors that lie in the same coset modulo some sublattice (with index $2^{n/2+o(n)}$). But, it fails for smaller parameters because the rejection sampling procedure that it uses must throw out too many vectors in this case. (In [Ste17], a different rejection sampling procedure is used that never throws away too many vectors, but it is not clear how to implement it in $2^{n/2+o(n)}$ time for small parameters $s < \sqrt{2}\,\eta_{1/2}(\mathcal{L})$.) It was left as an open question whether there is a suitable variant of this algorithm that works for small parameters, which would lead to an algorithm to solve SVP in $2^{n/2+o(n)}$ time. For example, perhaps we could show that this algorithm solves SVP without doing any rejection sampling at all, as we showed for the $2^{n+o(n)}$-time algorithm in [AS18].

We will also be interested in a variant of SVP called Hermite SVP (HSVP). HSVP is defined in terms of the determinant $\det(\mathcal{L}) := |\det(\mathbf{B})|$ of a lattice $\mathcal{L}$ with basis $\mathbf{B}$. (Though a lattice can have many bases, one can check that $|\det(\mathbf{B})|$ is the same for all such bases, so that this quantity is well-defined.) Minkowski's celebrated theorem says that $\lambda_1(\mathcal{L}) \leq O(\sqrt{n}) \cdot \det(\mathcal{L})^{1/n}$, and Hermite's constant $\gamma_n = \Theta(n)$ is the maximal value of $\lambda_1(\mathcal{L})^2/\det(\mathcal{L})^{2/n}$.
(Hermite SVP is of course named in honor of Hermite and his study of $\gamma_n$. It is often alternatively called Minkowski SVP.) For $\delta \geq 1$, it is then natural to define $\delta$-HSVP as the variant of SVP that asks for any non-zero lattice vector $\mathbf{x} \in \mathcal{L}$ such that $\|\mathbf{x}\| \leq \delta\det(\mathcal{L})^{1/n}$. One typically takes $\delta \geq \sqrt{\gamma_n} \geq \Omega(\sqrt{n})$, in which case the problem is total. In particular, there is a trivial reduction from $\delta\sqrt{\gamma_n}$-HSVP to $\delta$-SVP. (There is also a non-trivial reduction from $\delta^2$-SVP to $\delta$-HSVP for $\delta \geq \sqrt{\gamma_n}$ [Lov86].)

$\delta$-HSVP is an important problem in its own right. In particular, the random lattices most often used in cryptography typically satisfy $\lambda_1(\mathcal{L}) \geq \Omega(\sqrt{n}) \cdot \det(\mathcal{L})^{1/n}$, so that for these lattices $\delta$-HSVP is equivalent to $O(\delta/\sqrt{n})$-SVP. This fact is quite useful because the best known basis reduction algorithms [GN08, MW16, ALNS20] yield solutions to both $\delta_S$-SVP and $\delta_H$-HSVP with, e.g.,
$$\delta_H := \gamma_k^{\frac{n-1}{2(k-1)}} \approx k^{n/(2k)}, \qquad \delta_S := \gamma_k^{\frac{n-k}{k-1}} \approx k^{n/k-1}, \tag{1}$$
when given access to an oracle for (exact) SVP in dimension $k \leq n/2$. Notice that $\delta_H$ is significantly better than the approximation factor $\sqrt{\gamma_n}\,\delta_S \approx \sqrt{n}\,k^{n/k-1}$ that one obtains from the trivial reduction to $\delta_S$-SVP. (Furthermore, the approximation factor $\delta_H$ in Eq. (1) holds for any $k \leq n$.) In fact, it is easy to check that we will achieve the same value of $\delta_H$ if the reduction is instantiated with a $\sqrt{\gamma_k}$-HSVP oracle in dimension $k$, rather than an SVP oracle. More surprisingly, a careful reading of the proofs in [GN08, ALNS20] shows that a $\sqrt{\gamma_k}$-HSVP oracle is "almost sufficient" to even solve $\delta_S$-SVP. (We make this statement a bit more precise below.)

Our main contribution is a simplified version of the $2^{n/2+o(n)}$-time algorithm from [ADRS15] and a novel analysis of the algorithm that gives an approximation algorithm for both SVP and HSVP.

Theorem 1.1 (Informal, approximation algorithm for (H)SVP). There is a $2^{n/2+o(n)}$-time algorithm that solves $\delta$-SVP and $\delta$-HSVP for $\delta \leq \tilde{O}(\sqrt{n})$.

Notice that this algorithm almost achieves the best possible approximation factor $\delta$ for HSVP since there exists a family of lattices for which $\lambda_1(\mathcal{L}) \geq \Omega(\sqrt{n}\det(\mathcal{L})^{1/n})$ (i.e., $\gamma_n \geq \Omega(n)$). So, $\delta$ is optimal for HSVP up to a polylogarithmic factor.

As far as we know, this algorithm might actually solve exact or near-exact SVP, but we do not know how to prove this. However, by adapting the basis reduction algorithms of [GN08, ALNS20], we show that Theorem 1.1 is nearly as good (when combined with known results) as a $2^{k/2}$-time algorithm for exact SVP in $k$ dimensions, in the sense that we can already nearly match Eq. (1) in time $2^{k/2+o(k)}$ with this.

In slightly more detail, basis reduction procedures break the input basis vectors $\mathbf{b}_1, \ldots, \mathbf{b}_n$ into blocks $\mathbf{b}_{i+1}, \ldots, \mathbf{b}_{i+k}$ of length $k$. They repeatedly call their oracle on (projections of) the lattices generated by these blocks and use the result to update the basis vectors.
We observe that the procedures in [GN08, ALNS20] only need to use an SVP oracle on the last block $\mathbf{b}_{n-k+1}, \ldots, \mathbf{b}_n$. For all other blocks, an HSVP oracle suffices. Since we now have a faster algorithm for HSVP than we do for SVP, we make this last block a bit smaller than the others, so that we can solve (near-exact) SVP on the last block in time $2^{k/2+o(k)}$.

When we instantiate this idea with the $2^{0.?n}$-time algorithm for $O(1)$-SVP from [LWXZ11, WLW15, AUV19], it yields the following result. Together with Theorem 1.1, this yields the fastest known algorithms for $\delta$-SVP for all $\delta \gtrsim n^{1/2}$.

Theorem 1.2 (Informal). There is a $2^{k/2+o(k)}$-time algorithm that solves $\delta_H^*$-HSVP with $\delta_H^* \approx k^{n/(2k)}$, for $k \leq n$, and $\delta_S^*$-SVP with $\delta_S^* \approx k^{(n/k)-0.?}$, for $k \leq n/2$.

Problem | Approximation factor | Previous best | This work
SVP | Exact | $2^{n}$ [*] [ADRS15] | —
SVP | $O(1)$ | $2^{0.?n}$ [*] [WLW15] | —
SVP | $n^c$ for $c \in (0.?, ?.?)$ | $2^{?.?n/c}$ [ALNS20] | $2^{n/2}$ [*]
SVP | $n^c$ for $c \in (0.?, 1]$ | $2^{?.?n/c}$ [ALNS20] | —
SVP | $n^c$ for $c > ?$ | $2^{?n/(c+1)}$ [ALNS20] | $2^{n/(?(c+1))}$
HSVP | $\sqrt{n}$ | $2^{0.?n}$ [*] [WLW15] | $2^{n/2}$ [*]
HSVP | $n^c$ for $c \geq ?$ | $2^{?n/c}$ [ALNS20] | $2^{n/(?c)}$

Table 1: Proven running times for solving (H)SVP. We mark results that do not use basis reduction with [*]. We omit $2^{o(n)}$ factors in the running time, and except in the first two rows, polylogarithmic factors in the approximation factor.

Notice that Theorem 1.2 matches Eq. (1) with block size $k$ exactly for $\delta_H$, and up to a factor of $k^{0.?}$ for $\delta_S$. This small loss in approximation factor comes from the fact that our last block is slightly smaller than the other blocks. Together, Theorems 1.1 and 1.2 give the fastest proven running times for $n^c$-HSVP for all $c > 1/2$ and $n^c$-SVP for all $c >$
$1$, as well as $c \in (1/2, ?)$.

Like the $2^{n/2+o(n)}$-time algorithm in [ADRS15], our algorithm for $\tilde{O}(\sqrt{n})$-(H)SVP constructs a tower of lattices $\mathcal{L}_0 \supset \mathcal{L}_1 \supset \cdots \supset \mathcal{L}_\ell = \mathcal{L}$ such that for every $i \geq 1$, $2\mathcal{L}_{i-1} \subset \mathcal{L}_i$. The index of $\mathcal{L}_i$ over $\mathcal{L}_{i-1}$ is $2^\alpha$ for an integer $\alpha = n/2 + o(n)$, and $\ell = o(n)$. For the purpose of illustrating our ideas, we make a simplifying assumption here that $\ell\alpha$ is an integer multiple of $n$, and hence $\mathcal{L}_0 = \mathcal{L}/2^{\alpha\ell/n}$ is a scalar multiple of $\mathcal{L}$. And, as in [ADRS15], we start by sampling $\mathbf{X}_1, \ldots, \mathbf{X}_N \in \mathcal{L}_0$ for $N = 2^{\alpha+o(n)}$ from $D_{\mathcal{L}_0,s}$. This can be done efficiently using known techniques, as long as $s$ is large relative to, e.g., the length of the shortest basis of $\mathcal{L}_0$ [GPV08, BLP+13]. Since $\mathcal{L}_0 = \mathcal{L}/2^{\alpha\ell/n}$, the parameter $s$ can still be significantly smaller than, e.g., $\lambda_1(\mathcal{L})$. In particular, we can essentially take $s \leq \mathrm{poly}(n)\lambda_1(\mathcal{L})/2^{\alpha\ell/n}$.

The algorithm then takes disjoint pairs of vectors that are in the same coset of $\mathcal{L}_0/\mathcal{L}_1$, and adds the pairs together. Since $2\mathcal{L}_0 \subset \mathcal{L}_1$, for any such pair $\mathbf{X}_i, \mathbf{X}_j$, $\mathbf{Y}_k = \mathbf{X}_i + \mathbf{X}_j$ is in $\mathcal{L}_1$. (This adding is analogous to the averaging procedure from [ADRS15, AS18] described above. In that case, $\mathcal{L}_1 = 2\mathcal{L}_0$, so that it is natural to divide vectors in $\mathcal{L}_1$ by two, while here adding seems more natural.) We thus obtain approximately $N/2$ vectors in $\mathcal{L}_1$ (up to the loss due to the vectors that could not be paired), and repeat this procedure many times, until finally we obtain vectors in $\mathcal{L}_\ell = \mathcal{L}$, each the sum of $2^\ell$ of the original $\mathbf{X}_i$.

To prove correctness, we need to prove that with high probability some of these vectors will be both short and non-zero. It is actually relatively easy to show that the vectors are short, at least in expectation. To prove this, we first use the fact that the expected squared norm of the $\mathbf{X}_i$ is bounded by $ns^2$ (which is what one would expect from the continuous Gaussian distribution). And, the original $\mathbf{X}_i$ are distributed symmetrically, i.e., $\mathbf{X}_i$ is as likely to equal $-\mathbf{x}$ as it is to equal $\mathbf{x}$. Furthermore, our pairing procedure is symmetric, i.e., if we were to replace $\mathbf{X}_i$ with $-\mathbf{X}_i$, the pairing procedure would behave identically. (This is true precisely because $2\mathcal{L}_0 \subset \mathcal{L}_1$: we are using the fact that $\mathbf{x} \equiv -\mathbf{x} \bmod \mathcal{L}_1$ for any $\mathbf{x} \in \mathcal{L}_0$.) This implies that
$$\mathbb{E}[\langle \mathbf{X}_i, \mathbf{X}_j \rangle \mid E_{i,j}] = \mathbb{E}[\langle \mathbf{X}_i, -\mathbf{X}_j \rangle \mid E_{i,j}] = 0,$$
where $E_{i,j}$ is the event that $\mathbf{X}_i$ is paired with $\mathbf{X}_j$. Therefore,
$$\mathbb{E}[\|\mathbf{X}_i + \mathbf{X}_j\|^2 \mid E_{i,j}] = \mathbb{E}[\|\mathbf{X}_i\|^2 \mid E_{i,j}] + \mathbb{E}[\|\mathbf{X}_j\|^2 \mid E_{i,j}] + 2\,\mathbb{E}[\langle \mathbf{X}_i, \mathbf{X}_j \rangle \mid E_{i,j}] \approx 2\,\mathbb{E}[\|\mathbf{X}_i\|^2].$$
The same argument works at every step of the algorithm. So (if we ignore the subtle distinction between $\mathbb{E}[\|\mathbf{X}_i\|^2 \mid E_{i,j}]$ and $\mathbb{E}[\|\mathbf{X}_i\|^2]$), we see that our final vectors have expected squared norm
$$2^\ell\,\mathbb{E}[\|\mathbf{X}_i\|^2] \leq 2^\ell n s^2 \leq \mathrm{poly}(n)\,2^{\ell(1-2\alpha/n)} \cdot \lambda_1(\mathcal{L})^2. \tag{2}$$
By taking, e.g., $\alpha = n/2 + n/\log n < n/2 + o(n)$ and $\ell = \log n$, we see that we can make this expectation small relative to $\lambda_1(\mathcal{L})^2$.

The difficulty, then, is "only" to show that the distribution of the final vectors is not heavily concentrated on zero. Of course, we can't hope for this to be true if, e.g., the expectation in Eq. (2) is much smaller than $\lambda_1(\mathcal{L})^2$. And, as we will discuss below, if we choose $\alpha$ and $\ell$ so that this expectation is sufficiently large, then techniques from prior work can show that the probability of zero is low. Our challenge is therefore to bound the probability of zero for the largest choices of $\alpha$ and $\ell$ (and therefore the lowest expectation in Eq. (2)) that we can manage.

Peikert and Micciancio (building on prior work) showed what they called a "convolution theorem" for discrete Gaussians. Their theorem says that the sum of discrete Gaussian vectors is statistically close to a discrete Gaussian (with parameter increased by a factor of $\sqrt{2}$) as long as $s$ is a bit larger than the smoothing parameter $\eta(\mathcal{L})$ of the lattice $\mathcal{L}$ [MP13]. This (extremely important) parameter $\eta(\mathcal{L})$ was introduced by Micciancio and Regev [MR07], and has a rather technical (and elegant) definition. (See Section 2.4.)
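Before turning to the smoothing parameter, here is the pairing-and-summing step from the overview above as a runnable illustration. This is an added example, not code from the paper: it uses the two-level toy tower $\mathcal{L}_0 = \mathbb{Z}^n \supset \mathcal{L}_1 = 2\mathbb{Z}^n$, whose cosets $\mathcal{L}_0/\mathcal{L}_1$ are the $2^n$ parity patterns of the coordinates. The sampler, the parameters `n`, `s`, `N`, the seed and all function names are constructed for the illustration. It checks the two facts the argument rests on: every sum $\mathbf{X}_i + \mathbf{X}_j$ lands in $\mathcal{L}_1$, and the mean squared norm roughly doubles because the cross term $\langle \mathbf{X}_i, \mathbf{X}_j \rangle$ averages to zero, while the sums are almost never the zero vector.

```python
import math
import random
from functools import lru_cache

# Added example (not from the paper): one round of the coset-pairing step on
# the toy tower L_0 = Z^n, L_1 = 2 Z^n.  Cosets of L_0 / L_1 are coordinate
# parity patterns; summing two vectors of the same coset lands in L_1 = 2 L_0.


@lru_cache(maxsize=None)
def _dgauss_table(s, cutoff=12):
    """Support and weights of D_{Z,s}, truncated at |x| <= cutoff*s (beyond that
    the Gaussian mass is negligible).  Constructed helper, cached per s."""
    bound = int(math.ceil(cutoff * s)) + 1
    support = list(range(-bound, bound + 1))
    weights = [math.exp(-math.pi * x * x / (s * s)) for x in support]
    return support, weights


def sample_dgauss_int(s, rng):
    """One sample from the one-dimensional discrete Gaussian D_{Z,s}."""
    support, weights = _dgauss_table(s)
    return rng.choices(support, weights=weights, k=1)[0]


def sample_dgauss_vec(n, s, rng):
    """D_{Z^n,s} is the product of n independent copies of D_{Z,s}."""
    return tuple(sample_dgauss_int(s, rng) for _ in range(n))


def coset_mod_2(x):
    """The coset of x in Z^n / 2Z^n is determined by the parities of its coordinates."""
    return tuple(c & 1 for c in x)


def pair_and_sum(vectors):
    """Pair up vectors that lie in the same coset modulo 2Z^n (disjoint pairs,
    in arrival order) and return the sums X_i + X_j.  At most one vector per
    coset is left unpaired and discarded, which is the loss mentioned in the text."""
    buckets = {}
    for v in vectors:
        buckets.setdefault(coset_mod_2(v), []).append(v)
    sums = []
    for group in buckets.values():
        for i in range(0, len(group) - 1, 2):
            a, b = group[i], group[i + 1]
            sums.append(tuple(ai + bi for ai, bi in zip(a, b)))
    return sums


def sq_norm(x):
    return sum(c * c for c in x)


def mean_sq_norm(vectors):
    return sum(sq_norm(v) for v in vectors) / len(vectors)


def run_step(n=8, s=3.0, N=4000, seed=1):
    """Sample N vectors from D_{Z^n,s}, run one pairing round and report the
    statistics the overview argues about.  All parameters are constructed."""
    rng = random.Random(seed)
    xs = [sample_dgauss_vec(n, s, rng) for _ in range(N)]
    ys = pair_and_sum(xs)
    in_l1 = all(all(c % 2 == 0 for c in y) for y in ys)      # every sum is in 2Z^n
    zeros = sum(1 for y in ys if not any(y))                  # sums equal to the zero vector
    return {
        "n_in": len(xs),
        "n_out": len(ys),
        "all_in_L1": in_l1,
        "mean_sq_in": mean_sq_norm(xs),     # about n s^2 / (2 pi) above smoothing
        "mean_sq_out": mean_sq_norm(ys),    # about twice that, by the symmetry argument
        "zero_fraction": zeros / len(ys),
    }


if __name__ == "__main__":
    print(run_step())
```

With the default parameters the number of output vectors is a little below $N/2$ (one leftover per non-empty coset at most), the mean squared norm of the sums is about twice that of the inputs, and the fraction of zero sums is negligible; the sampler is the exact finite-support inversion sampler, which is fine for this scale but not the efficient sampler of [GPV08, BLP+13] that the paper relies on.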
Intuitively, $\eta(\mathcal{L})$ is minimal such that for any $s > \eta(\mathcal{L})$, $D_{\mathcal{L},s}$ "looks like a continuous Gaussian distribution." E.g., for $s > \eta(\mathcal{L})$, the moments of the discrete Gaussian distribution are quite close to the moments of the continuous Gaussian distribution (with the same parameter).

In fact, [MP13] showed a convolution for lattice cosets, not just lattices, i.e., the sum of a vector sampled from $D_{\mathcal{L}+\mathbf{t}_1,s}$ and a vector sampled from $D_{\mathcal{L}+\mathbf{t}_2,s}$ yields a vector distributed as $D_{\mathcal{L}+\mathbf{t}_1+\mathbf{t}_2,\sqrt{2}s}$. Since our algorithm sums vectors sampled from a discrete Gaussian over $\mathcal{L}_0$, conditioned on their cosets modulo $\mathcal{L}_1$, it is effectively summing discrete Gaussians over cosets of $\mathcal{L}_1$. So, as long as we stay above the smoothing parameter of $\mathcal{L}_1 \supset \mathcal{L}$, our vectors will be statistically close to discrete Gaussians, allowing us to easily bound the probability of zero.

However, [ADRS15] already showed how to use a variant of this algorithm to obtain samples from exactly the discrete Gaussian above smoothing. And, more generally, there is a long line of work that uses samples from the discrete Gaussian above smoothing to find "short vectors" from a lattice, but the length of these short vectors is always proportional to $\eta(\mathcal{L})$. The problem is that in general $\eta(\mathcal{L})$ can be arbitrarily larger than $\lambda_1(\mathcal{L})$ and $\det(\mathcal{L})^{1/n}$. (To see this, consider the two-dimensional lattice generated by $(T, 0), (0, 1/T)$ for large $T$, which has $\eta(\mathcal{L}) \approx T$, $\lambda_1(\mathcal{L}) = 1/T$, and $\det(\mathcal{L}) = 1$.) So, this seems useless for solving (H)SVP, instead yielding a solution to another variant of SVP called SIVP.¹

Our solution is essentially to apply these ideas from [MP13] to an unknown sublattice $\mathcal{L}' \subseteq \mathcal{L}$. (Here, one should imagine a sublattice generated by fewer than $n$ vectors. Jumping ahead a bit, the reader might consider the example $\mathcal{L}' = \mathbb{Z}\mathbf{v} = \{\mathbf{0}, \pm\mathbf{v}, \pm 2\mathbf{v}, \ldots\}$, the rank-one sublattice generated by $\mathbf{v}$, a shortest non-zero vector in the lattice.)
Indeed, the discrete Gaussian over $\mathcal{L}$, $D_{\mathcal{L},s}$, can be viewed as a mixture of discrete Gaussians over cosets of $\mathcal{L}'$, $D_{\mathcal{L},s} = D_{\mathcal{L}'+C,s}$, where $C \in \mathcal{L}/\mathcal{L}'$ is some random variable over cosets of $\mathcal{L}'$. (Put another way, one could obtain a sample from $D_{\mathcal{L},s}$ by first sampling a coset $C \in \mathcal{L}/\mathcal{L}'$ from some appropriately chosen distribution and then sampling from $D_{\mathcal{L}'+C,s}$.)

The basic observation behind our analysis is that we can now apply (a suitable variant of) [MP13]'s convolution theorem in order to see that the sum of two mixtures of Gaussians over $\mathcal{L}'$, $\mathbf{X}_1, \mathbf{X}_2 \sim D_{\mathcal{L}'+C,s}$, yields a new mixture of Gaussians $D_{\mathcal{L}'+C',\sqrt{2}s}$ for some $C'$, provided that $s$ is sufficiently large relative to $\eta(\mathcal{L}')$.

Ignoring many technical details, this shows that our algorithm can be used to output a distribution of the form $D_{\mathcal{L}'+C,s}$ for some random variable $C \in \mathcal{L}/\mathcal{L}'$ provided that $s \gg \eta(\mathcal{L}')$. Crucially, we only need to consider $\mathcal{L}'$ in the analysis; the algorithm does not need to know what $\mathcal{L}'$ is for this to work. Furthermore, we do not care at all about the distribution of $C$! We already know that our algorithm samples from a distribution that is short in expectation (by the argument above), so that the only thing we need from the distribution $D_{\mathcal{L}'+C,s}$ is that it is not zero too often. Indeed, when $C$ is not the zero coset (i.e., $C \neq \mathcal{L}'$), then $D_{\mathcal{L}'+C,s}$ is never zero, and when $C$ is zero, then we get a sample from $D_{\mathcal{L}',s}$ for $s \gg \eta(\mathcal{L}')$, in which case well-known techniques imply that we are unlikely to get zero.

So, in order to prove that our algorithm finds short vectors, it remains to show that there exists some sublattice $\mathcal{L}' \subseteq \mathcal{L}$ with low smoothing parameter, a "smooth sublattice." In more detail, our algorithm will find a non-zero vector with length less than $\sqrt{n} \cdot \eta(\mathcal{L}')$ for any sublattice $\mathcal{L}'$. Indeed, as one might guess, taking $\mathcal{L}' = \mathbb{Z}\mathbf{v} = \{\mathbf{0}, \pm\mathbf{v}, \pm 2\mathbf{v}, \ldots\}$ to be the lattice generated by a shortest non-zero vector $\mathbf{v}$, we have $\eta(\mathcal{L}') = \mathrm{polylog}(n)\|\mathbf{v}\| = \mathrm{polylog}(n)\lambda_1(\mathcal{L})$ (where the polylogarithmic factor arises because of "how smooth we need $\mathcal{L}'$ to be"). This immediately yields our $\tilde{O}(\sqrt{n})$-SVP algorithm.

To solve $\tilde{O}(\sqrt{n})$-HSVP, we must argue that every lattice has a sublattice $\mathcal{L}' \subseteq \mathcal{L}$ with $\eta(\mathcal{L}') \leq \mathrm{polylog}(n) \cdot \det(\mathcal{L})^{1/n}$. In fact, for very different reasons, Dadush conjectured exactly this statement (phrased slightly differently), calling it a "reverse Minkowski conjecture" [DR16]. (The reason for this name might not be clear in this context, but one can show that this is a partial converse to Minkowski's theorem.) Later, Regev and Stephens-Davidowitz proved the conjecture [RS17]. Our result then follows from this rather heavy hammer.

¹ It is not known how to use an SIVP oracle for basis reduction, which makes it significantly less useful than SVP. [MR07, MP13] and other works used these ideas to reduce SIVP to the problem of breaking a certain cryptosystem, in order to argue that the cryptosystem is secure. They were therefore primarily interested in SIVP as an example of a hard lattice problem, rather than as a problem that one might actually wish to solve.

1.5 Open questions and directions for future work

We leave one obvious open question: Does our algorithm (or some variant) solve $\gamma$-SVP for a better approximation factor? It is clear that our current analysis cannot hope to do better than $\delta \approx \sqrt{n}$, but we see no fundamental reason why the algorithm cannot achieve, say, $\delta = \mathrm{polylog}(n)$ or even $\delta = 1$! (Indeed, we have been trying to prove something like this for roughly five years.) We think that even a negative answer to this question would also be interesting. In particular, it is not currently clear whether our algorithm is "fundamentally an HSVP algorithm." For example, if one could show that our algorithm fails to output vectors of length $\mathrm{polylog}(n) \cdot \lambda_1(\mathcal{L})$ for some family of input lattices $\mathcal{L}$, then this would be rather surprising. Perhaps such a result would be our first hint at a true algorithmic separation between the optimal running times for the two problems.

We write $\log$ for the base-two logarithm. We use the notation $a = 1 \pm \delta$ and $a = e^{\pm\delta}$ to denote the statements $1 - \delta \leq a \leq 1 + \delta$ and $e^{-\delta} \leq a \leq e^{\delta}$, respectively.

Definition 2.1.
We say that a distribution $\hat{D}$ is $\delta$-similar to another distribution $D$ if for all $x$ in the support of $D$, we have $\Pr_{X \sim \hat{D}}[X = x] = e^{\pm\delta} \cdot \Pr_{X \sim D}[X = x]$.

The following inequality gives a concentration result for the values of (sub-)martingales that have bounded differences.

Lemma 2.2 ([AS04, Azuma's inequality, Chapter 7]). Let $X_0, X_1, \ldots$ be a set of random variables that form a discrete-time sub-martingale, i.e., for all $n \geq 0$, $\mathbb{E}[X_{n+1} \mid X_0, \ldots, X_n] \geq X_n$. If for all $n \geq 1$, $|X_n - X_{n-1}| \leq c$, then for all integers $N$ and positive real $t$,
$$\Pr[X_N - X_0 \leq -t] \leq \exp\left(-\frac{t^2}{2Nc^2}\right).$$

We will need the following corollary of the above inequality.

Corollary 2.3. Let $\alpha \in (0, 1)$, and let $Y_1, Y_2, Y_3, \ldots$ be random variables in $[0, 1]$ such that for all $n \geq 0$, $\mathbb{E}[Y_{n+1} \mid Y_1, \ldots, Y_n] \geq \alpha$. Then, for all positive integers $N$ and positive real $t$,
$$\Pr\Big[\sum_{i=1}^N Y_i \leq N\alpha - t\Big] \leq \exp\left(-\frac{t^2}{2N}\right).$$

Proof. Let $X_0 = 0$, and for all $i \geq 1$,
$$X_i := X_{i-1} + Y_i - \alpha = \sum_{j=1}^i Y_j - i \cdot \alpha.$$
The statement then follows immediately from Lemma 2.2. ∎

2.2 Lattices
A lattice $\mathcal{L} \subset \mathbb{R}^n$ is the set of integer linear combinations
$$\mathcal{L} := \mathcal{L}(\mathbf{B}) = \{z_1\mathbf{b}_1 + \cdots + z_k\mathbf{b}_k : z_i \in \mathbb{Z}\}$$
of linearly independent basis vectors $\mathbf{B} = (\mathbf{b}_1, \ldots, \mathbf{b}_k) \in \mathbb{R}^{n \times k}$. We call $k$ the rank of the lattice. Given a lattice $\mathcal{L}$, the basis is not unique. For any lattice $\mathcal{L}$, we use $\mathrm{rank}(\mathcal{L})$ to denote its rank. We use $\lambda_1(\mathcal{L})$ to denote the length of the shortest non-zero vector in $\mathcal{L}$, and more generally, for $1 \leq i \leq k$,
$$\lambda_i(\mathcal{L}) := \min\{r : \dim\mathrm{span}(\{\mathbf{y} \in \mathcal{L} : \|\mathbf{y}\| \leq r\}) \geq i\}.$$

For any lattice $\mathcal{L} \subset \mathbb{R}^n$, its dual lattice $\mathcal{L}^*$ is defined to be the set of vectors in the span of $\mathcal{L}$ that have integer inner products with all vectors in $\mathcal{L}$. More formally:
$$\mathcal{L}^* = \{\mathbf{x} \in \mathrm{span}(\mathcal{L}) : \forall \mathbf{y} \in \mathcal{L},\ \langle \mathbf{x}, \mathbf{y} \rangle \in \mathbb{Z}\}.$$
We often assume without loss of generality that the lattice is full rank, i.e., that $n = k$, by identifying $\mathrm{span}(\mathcal{L})$ with $\mathbb{R}^k$. However, we do often work with sublattices $\mathcal{L}' \subseteq \mathcal{L}$ with $\mathrm{rank}(\mathcal{L}') < \mathrm{rank}(\mathcal{L})$.

For any sublattice $\mathcal{L}' \subseteq \mathcal{L}$, $\mathcal{L}/\mathcal{L}'$ denotes the set of cosets which are translations of $\mathcal{L}'$ by vectors in $\mathcal{L}$. In particular, any coset can be denoted as $\mathcal{L}' + \mathbf{c}$ for $\mathbf{c} \in \mathcal{L}$. When there is no ambiguity, we drop the $\mathcal{L}'$ and use $\mathbf{c}$ to denote a coset.
For any parameter $s > 0$, we define the Gaussian mass function $\rho_s : \mathbb{R}^n \to \mathbb{R}$ to be
$$\rho_s(\mathbf{x}) = \exp\left(-\frac{\pi\|\mathbf{x}\|^2}{s^2}\right),$$
and for any discrete set $A \subset \mathbb{R}^n$, its Gaussian mass is defined as $\rho_s(A) = \sum_{\mathbf{x} \in A} \rho_s(\mathbf{x})$. For a lattice $\mathcal{L} \subset \mathbb{R}^n$, shift $\mathbf{t} \in \mathbb{R}^n$, and parameter $s > 0$, we have the following convenient formula for the Gaussian mass of the lattice coset $\mathcal{L} + \mathbf{t}$, which follows from the Poisson Summation Formula:
$$\rho_s(\mathcal{L} + \mathbf{t}) = \frac{s^n}{\det(\mathcal{L})} \cdot \sum_{\mathbf{w} \in \mathcal{L}^*} \rho_{1/s}(\mathbf{w}) \cos(2\pi\langle \mathbf{w}, \mathbf{t} \rangle). \tag{3}$$
In particular, for the special case $\mathbf{t} = \mathbf{0}$, we have $\rho_s(\mathcal{L}) = s^n \rho_{1/s}(\mathcal{L}^*)/\det(\mathcal{L})$.

Definition 2.4.
For a lattice $\mathcal{L} \subset \mathbb{R}^n$ and $\mathbf{u} \in \mathbb{R}^n$, the discrete Gaussian distribution $D_{\mathcal{L}+\mathbf{u},s}$ over $\mathcal{L} + \mathbf{u}$ with parameter $s > 0$ is defined as follows. For any $\mathbf{x} \in \mathcal{L} + \mathbf{u}$,
$$\Pr_{\mathbf{X} \sim D_{\mathcal{L}+\mathbf{u},s}}[\mathbf{X} = \mathbf{x}] = \frac{\rho_s(\mathbf{x})}{\rho_s(\mathcal{L} + \mathbf{u})}.$$

We will need the following result about the discrete Gaussian distribution.

Lemma 2.5 ([DRS14, Lemma 2.13]). For any lattice $\mathcal{L} \subset \mathbb{R}^n$, $s > 0$, $\mathbf{u} \in \mathbb{R}^n$, and $t > 1/\sqrt{2\pi}$,
$$\Pr_{\mathbf{X} \sim D_{\mathcal{L}+\mathbf{u},s}}\big[\|\mathbf{X}\| > ts\sqrt{n}\big] < \frac{\rho_s(\mathcal{L})}{\rho_s(\mathcal{L} + \mathbf{u})}\Big(\sqrt{2\pi e}\,t\exp(-\pi t^2)\Big)^n.$$

2.4 The smoothing parameter

Definition 2.6.
For a lattice $\mathcal{L} \subset \mathbb{R}^n$ and $\varepsilon > 0$, the smoothing parameter $\eta_\varepsilon(\mathcal{L})$ is defined as the unique value that satisfies $\rho_{1/\eta_\varepsilon(\mathcal{L})}(\mathcal{L}^* \setminus \{\mathbf{0}\}) = \varepsilon$. We will often use the basic fact that $\eta_\varepsilon(\alpha\mathcal{L}) = \alpha\eta_\varepsilon(\mathcal{L})$ for any $\alpha > 0$, and that $\eta_\varepsilon(\mathcal{L}') \geq \eta_\varepsilon(\mathcal{L})$ for any full-rank sublattice $\mathcal{L}' \subseteq \mathcal{L}$.

Claim 2.7 ([MR07, Lemma 3.3]). For any $\varepsilon \in (0, 1/2)$, we have $\eta_\varepsilon(\mathbb{Z}) \leq \sqrt{\log(1/\varepsilon)}$.

We will need the following simple result, which follows immediately from Eq. (3).
Lemma 2.8 ([Reg09, Claim 3.8]). For any lattice $\mathcal{L}$, $s \geq \eta_\varepsilon(\mathcal{L})$, and any vectors $\mathbf{c}_1, \mathbf{c}_2$, we have that
$$\frac{1-\varepsilon}{1+\varepsilon} \leq \frac{\rho_s(\mathcal{L} + \mathbf{c}_1)}{\rho_s(\mathcal{L} + \mathbf{c}_2)} \leq \frac{1+\varepsilon}{1-\varepsilon}.$$
Thus, for $\varepsilon < 1/2$,
$$e^{-4\varepsilon} \leq \frac{\rho_s(\mathcal{L} + \mathbf{c}_1)}{\rho_s(\mathcal{L} + \mathbf{c}_2)} \leq e^{4\varepsilon}.$$

We prove the following statement.
Theorem 2.9. For any lattice $\mathcal{L} \subset \mathbb{R}^n$ with rank $k$ larger than a sufficiently large constant, $\eta_{1/2}(\mathcal{L}) \geq \lambda_k(\mathcal{L})/\sqrt{k}$.

Proof. If $\mathcal{L}$ is not a full-rank lattice, then we can project to a subspace given by the span of $\mathcal{L}$. So, without loss of generality, we assume that $\mathcal{L}$ is a full-rank lattice, i.e., $k = n$. Suppose $\lambda_n(\mathcal{L}) > \sqrt{n}\,\eta_{1/2}(\mathcal{L})$. Then there exists a vector $\mathbf{u} \in \mathbb{R}^n$ such that $\mathrm{dist}(\mathbf{u}, \mathcal{L}) > \sqrt{n}\,\eta_{1/2}(\mathcal{L})/2$. Then, using Lemma 2.5 with $t = 1/2$ and $s = \eta_{1/2}(\mathcal{L})$, we have
$$1 = \Pr_{\mathbf{X} \sim D_{\mathcal{L}+\mathbf{u},\eta_{1/2}(\mathcal{L})}}\big[\|\mathbf{X}\| > st\sqrt{n}\big] < \frac{\rho_s(\mathcal{L})}{\rho_s(\mathcal{L} + \mathbf{u})}\Big(\sqrt{2\pi e}\,t\exp(-\pi t^2)\Big)^n \leq \frac{1 + 1/2}{1 - 1/2}\Big(\sqrt{\pi e/2} \cdot e^{-\pi/4}\Big)^n = 3 \cdot \Big(\sqrt{\pi e/2} \cdot e^{-\pi/4}\Big)^n < 1,$$
where the second inequality uses Lemma 2.8 and the last holds for all sufficiently large $k = n$, since the base $\sqrt{\pi e/2} \cdot e^{-\pi/4} \approx 0.94$ is less than one. This is a contradiction. ∎

Claim 2.10.
For any lattice $\mathcal{L} \subset \mathbb{R}^n$ and any parameters $s \geq s' \geq \eta_{1/2}(\mathcal{L})$,
$$\frac{\rho_s(\mathcal{L})}{\rho_{s'}(\mathcal{L})} \geq \frac{1}{3}\Big(\frac{s}{s'}\Big)^n.$$

Proof. By the Poisson Summation Formula (Eq. (3)), we have
$$\rho_s(\mathcal{L}) = \frac{s^n \cdot \rho_{1/s}(\mathcal{L}^*)}{\det(\mathcal{L})} \geq \frac{s^n}{\det(\mathcal{L})},$$
and similarly,
$$\rho_{s'}(\mathcal{L}) = \frac{(s')^n \cdot \rho_{1/s'}(\mathcal{L}^*)}{\det(\mathcal{L})} \leq \frac{3(s')^n}{2\det(\mathcal{L})},$$
since $\rho_{1/s'}(\mathcal{L}^*) \leq 3/2$ as $s' \geq \eta_{1/2}(\mathcal{L})$. Combining the two inequalities gives $\rho_s(\mathcal{L})/\rho_{s'}(\mathcal{L}) \geq \frac{2}{3}(s/s')^n \geq \frac{1}{3}(s/s')^n$, as needed. ∎
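Numerical checks of Eq. (3), of Definition 2.6 and Claim 2.7, of Claim 2.10, and of the convolution lemma stated later in this section (Lemma 2.14), for the one-dimensional lattice $\mathcal{L} = a\mathbb{Z}$, whose dual is $(1/a)\mathbb{Z}$ and whose determinant is $a$. This is an added example, not code from the paper; the truncation constant `CUT`, the function names, and the sample values of $a$, $\mathbf{t}$, $s$ and $\varepsilon$ are constructed for the illustration.

```python
import math

# Added example (not from the paper): numerical checks for the 1-D lattice
# L = a*Z, whose dual is L* = (1/a)*Z and whose determinant is a.  Sums over
# the lattice are truncated at CUT standard deviations (a constructed cut-off;
# the neglected terms are below exp(-pi*CUT^2)).

CUT = 14


def rho(s, x):
    """Gaussian mass function rho_s(x) = exp(-pi * x^2 / s^2) in one dimension."""
    return math.exp(-math.pi * x * x / (s * s))


def coset_points(a, t, s):
    """Points of a*Z + t with |x| <= CUT * s."""
    k_lo = math.floor((-CUT * s - t) / a)
    k_hi = math.ceil((CUT * s - t) / a)
    return [a * k + t for k in range(k_lo, k_hi + 1)]


def mass_direct(a, t, s):
    """rho_s(a*Z + t) by direct summation."""
    return sum(rho(s, x) for x in coset_points(a, t, s))


def mass_poisson(a, t, s):
    """rho_s(L + t) via Eq. (3): s^n/det(L) * sum_{w in L*} rho_{1/s}(w) cos(2 pi w t), n = 1."""
    total = sum(rho(1.0 / s, w) * math.cos(2 * math.pi * w * t)
                for w in coset_points(1.0 / a, 0.0, 1.0 / s))
    return (s / a) * total


def dual_mass_nonzero(a, s):
    """rho_{1/s}(L* minus {0}): the quantity that defines the smoothing parameter."""
    return sum(rho(1.0 / s, w) for w in coset_points(1.0 / a, 0.0, 1.0 / s) if w != 0.0)


def smoothing_parameter(a, eps):
    """eta_eps(a*Z): the unique s with rho_{1/s}(L* minus {0}) = eps.  The left
    side decreases in s, so bisection in log scale locates it."""
    lo, hi = 1e-3, 1e3
    for _ in range(100):
        mid = math.sqrt(lo * hi)
        if dual_mass_nonzero(a, mid) > eps:
            lo = mid
        else:
            hi = mid
    return hi


def claim_2_7_holds(eps):
    """eta_eps(Z) <= sqrt(log_2(1/eps)) for eps in (0, 1/2)."""
    return smoothing_parameter(1.0, eps) <= math.sqrt(math.log2(1.0 / eps))


def claim_2_10_ratio(a, s, s_prime):
    """Return (rho_s(L)/rho_{s'}(L), (s/s')^n / 3) with n = 1, for s >= s' >= eta_{1/2}(L)."""
    return mass_direct(a, 0.0, s) / mass_direct(a, 0.0, s_prime), (s / s_prime) / 3.0


def convolution_max_log_ratio(a, t1, t2, s):
    """max_y |log( Pr[X1+X2 = y] / D_{L+t1+t2, sqrt2*s}(y) )| for independent
    X_i ~ D_{L+t_i, s}; Lemma 2.14 bounds it by 8*eps when s >= sqrt(2)*eta_eps(L)."""
    p1 = {x: rho(s, x) for x in coset_points(a, t1, s)}
    p2 = {x: rho(s, x) for x in coset_points(a, t2, s)}
    z1, z2 = sum(p1.values()), sum(p2.values())
    conv = {}                                   # exact law of X1 + X2, keyed by lattice index
    for x1, w1 in p1.items():
        for x2, w2 in p2.items():
            k = round((x1 + x2 - t1 - t2) / a)
            conv[k] = conv.get(k, 0.0) + w1 * w2 / (z1 * z2)
    s2 = math.sqrt(2.0) * s
    target = coset_points(a, t1 + t2, s2)
    zt = sum(rho(s2, y) for y in target)
    worst = 0.0
    for y in target:
        q = rho(s2, y) / zt
        p = conv.get(round((y - t1 - t2) / a), 0.0)
        if q > 1e-12 and p > 0.0:               # compare only where both masses are non-negligible
            worst = max(worst, abs(math.log(p / q)))
    return worst


def check_lemma_2_14(a, t1, t2, eps):
    """Return (observed max log-ratio, 8*eps) at the threshold s = sqrt(2) * eta_eps(L)."""
    s = math.sqrt(2.0) * smoothing_parameter(a, eps)
    return convolution_max_log_ratio(a, t1, t2, s), 8.0 * eps
```

The observed point-wise log-ratio at the threshold $s = \sqrt{2}\,\eta_\varepsilon(\mathcal{L})$ is well inside the $8\varepsilon$ bound of Lemma 2.14, which is what one expects since the proof loses a factor $e^{\pm 4\varepsilon}$ twice while Lemma 2.8 is rarely tight; the scaling rule $\eta_\varepsilon(\alpha\mathcal{L}) = \alpha\,\eta_\varepsilon(\mathcal{L})$ can be checked by comparing `smoothing_parameter(2.0, eps)` with twice `smoothing_parameter(1.0, eps)`.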
Claim 2.11. For any lattice $\mathcal{L} \subset \mathbb{R}^n$ and any $s > 0$,
$$\mathbb{E}_{\mathbf{X} \sim D_{\mathcal{L},s}}[\|\mathbf{X}\|^2] \leq \frac{ns^2}{2\pi}.$$

Lemma 2.12. For $s \geq \eta_\varepsilon(\mathcal{L})$, and any real factor $k \geq 1$, $ks \geq \eta_{\varepsilon^{k^2}}(\mathcal{L})$.

Proof.
$$\sum_{\mathbf{w} \in \mathcal{L}^* \setminus \{\mathbf{0}\}} \rho_{1/(ks)}(\mathbf{w}) = \sum_{\mathbf{w} \in \mathcal{L}^* \setminus \{\mathbf{0}\}} e^{-\pi\|\mathbf{w}\|^2 k^2 s^2} = \sum_{\mathbf{w} \in \mathcal{L}^* \setminus \{\mathbf{0}\}} \rho_{1/s}(\mathbf{w})^{k^2} \leq \Big(\sum_{\mathbf{w} \in \mathcal{L}^* \setminus \{\mathbf{0}\}} \rho_{1/s}(\mathbf{w})\Big)^{k^2} \leq \varepsilon^{k^2}.$$
∎

Corollary 2.13.
For any lattice $\mathcal{L} \subset \mathbb{R}^n$ and $\varepsilon \in (0, 1/2)$, $\eta_\varepsilon(\mathcal{L}) \leq \sqrt{\log(1/\varepsilon)} \cdot \eta_{1/2}(\mathcal{L})$.

Proof. Let $k = \sqrt{\log(1/\varepsilon)}$ and thus $(1/2)^{k^2} = \varepsilon$. By Lemma 2.12, $k\,\eta_{1/2}(\mathcal{L}) \geq \eta_\varepsilon(\mathcal{L})$. ∎

We will need the following useful lemma concerning the convolution of two discrete Gaussian distributions. See [GMPW20] for a very general result of this form (and a list of similar results). Our lemma differs from those in [GMPW20] and elsewhere in that we are interested in a stronger notion of statistical closeness: point-wise multiplicative distance, rather than statistical distance. One can check that this stronger variant follows from the proofs in [GMPW20], but we give a separate proof for completeness.

Lemma 2.14.
For any lattice $\mathcal{L} \subset \mathbb{R}^n$, $\varepsilon \in (0, 1/2)$, parameter $s \geq \sqrt{2}\,\eta_\varepsilon(\mathcal{L})$, and shifts $\mathbf{t}_1, \mathbf{t}_2 \in \mathbb{R}^n$, let $\mathbf{X}_i \sim D_{\mathcal{L}+\mathbf{t}_i,s}$ be independent random variables. Then the distribution of $\mathbf{X}_1 + \mathbf{X}_2$ is $8\varepsilon$-similar to $D_{\mathcal{L}+\mathbf{t}_1+\mathbf{t}_2,\sqrt{2}s}$.

Proof. Let $\mathbf{y} \in \mathcal{L} + \mathbf{t}_1 + \mathbf{t}_2$. We have
$$\begin{aligned}
\Pr[\mathbf{X}_1 + \mathbf{X}_2 = \mathbf{y}] &= \frac{1}{\rho_s(\mathcal{L} + \mathbf{t}_1)\,\rho_s(\mathcal{L} + \mathbf{t}_2)} \sum_{\mathbf{x} \in \mathcal{L} + \mathbf{t}_1} \exp\big(-\pi(\|\mathbf{x}\|^2 + \|\mathbf{y} - \mathbf{x}\|^2)/s^2\big) \\
&= \frac{1}{\rho_s(\mathcal{L} + \mathbf{t}_1)\,\rho_s(\mathcal{L} + \mathbf{t}_2)} \sum_{\mathbf{x} \in \mathcal{L} + \mathbf{t}_1} \exp\big(-\pi(\|\mathbf{y}\|^2/2 + 2\|\mathbf{x} - \mathbf{y}/2\|^2)/s^2\big) \\
&= \frac{\rho_{\sqrt{2}s}(\mathbf{y})}{\rho_s(\mathcal{L} + \mathbf{t}_1)\,\rho_s(\mathcal{L} + \mathbf{t}_2)}\,\rho_{s/\sqrt{2}}(\mathcal{L} + \mathbf{t}_1 - \mathbf{y}/2) \\
&= e^{\pm 4\varepsilon}\,\frac{\rho_{\sqrt{2}s}(\mathbf{y}) \cdot \rho_{s/\sqrt{2}}(\mathcal{L})}{\rho_s(\mathcal{L} + \mathbf{t}_1)\,\rho_s(\mathcal{L} + \mathbf{t}_2)},
\end{aligned}$$
where the last step follows from Lemma 2.8. By applying this for all $\mathbf{y}' \in \mathcal{L} + \mathbf{t}_1 + \mathbf{t}_2$, we see that
$$\Pr[\mathbf{X}_1 + \mathbf{X}_2 = \mathbf{y}] = e^{\pm 4\varepsilon} \cdot \frac{\rho_{\sqrt{2}s}(\mathbf{y})}{\sum_{\mathbf{y}' \in \mathcal{L} + \mathbf{t}_1 + \mathbf{t}_2} \chi_{\mathbf{y}'}\,\rho_{\sqrt{2}s}(\mathbf{y}')}$$
for some $\chi_{\mathbf{y}'} = e^{\pm 4\varepsilon}$. Therefore,
$$\Pr[\mathbf{X}_1 + \mathbf{X}_2 = \mathbf{y}] = e^{\pm 8\varepsilon} \cdot \frac{\rho_{\sqrt{2}s}(\mathbf{y})}{\rho_{\sqrt{2}s}(\mathcal{L} + \mathbf{t}_1 + \mathbf{t}_2)},$$
as needed. ∎

In this paper, we study the algorithms for the following lattice problems.
Definition 2.15 ($r$-HSVP). For an approximation factor $r := r(n) \geq 1$, the $r$-Hermite Approximate Shortest Vector Problem ($r$-HSVP) is defined as follows: Given a basis $\mathbf{B}$ for a lattice $\mathcal{L} \subset \mathbb{R}^n$, the goal is to output a vector $\mathbf{x} \in \mathcal{L} \setminus \{\mathbf{0}\}$ with $\|\mathbf{x}\| \leq r \cdot \det(\mathcal{L})^{1/n}$.

Definition 2.16 ($r$-SVP). For an approximation factor $r := r(n) \geq 1$, the $r$-Shortest Vector Problem ($r$-SVP) is defined as follows: Given a basis $\mathbf{B}$ for a lattice $\mathcal{L} \subset \mathbb{R}^n$, the goal is to output a vector $\mathbf{x} \in \mathcal{L} \setminus \{\mathbf{0}\}$ with $\|\mathbf{x}\| \leq r \cdot \lambda_1(\mathcal{L})$.

It will be convenient to define a generalized version of SVP, of which HSVP and SVP are special cases.

Definition 2.17 ($\eta$-GSVP). For a function $\eta$ mapping lattices to positive real numbers, the $\eta$-Generalized Shortest Vector Problem ($\eta$-GSVP) is defined as follows: Given a basis $\mathbf{B}$ for a lattice $\mathcal{L} \subset \mathbb{R}^n$ and a length bound $d \geq \eta(\mathcal{L})$, the goal is to output a vector $\mathbf{x} \in \mathcal{L} \setminus \{\mathbf{0}\}$ with $\|\mathbf{x}\| \leq d$.

To recover $r$-SVP or $r'$-HSVP, we can take $\eta(\mathcal{L}) = r\lambda_1(\mathcal{L})$ or $\eta(\mathcal{L}) = r'\det(\mathcal{L})^{1/n}$ respectively. Below, we will set $\eta$ to be a new parameter, which in particular will satisfy $\eta(\mathcal{L}) \leq \tilde{O}(\sqrt{n}) \cdot \min\{\lambda_1(\mathcal{L}), \det(\mathcal{L})^{1/n}\}$.

2.6 Gram-Schmidt orthogonalization

For any given basis $\mathbf{B} = (\mathbf{b}_1, \ldots, \mathbf{b}_n) \in \mathbb{R}^{m \times n}$, we define the sequence of projections $\pi_i := \pi_{\{\mathbf{b}_1, \ldots, \mathbf{b}_{i-1}\}^\perp}$, where $\pi_{W^\perp}$ refers to the orthogonal projection onto the subspace orthogonal to $W$. As in [GN08, ALNS20], we use $\mathbf{B}_{[i,j]}$ to denote the projected block $(\pi_i(\mathbf{b}_i), \pi_i(\mathbf{b}_{i+1}), \ldots, \pi_i(\mathbf{b}_j))$. The Gram-Schmidt orthogonalization (GSO) $\mathbf{B}^* := (\mathbf{b}_1^*, \ldots, \mathbf{b}_n^*)$ of a basis $\mathbf{B}$ is as follows: for all $i \in [1, n]$, $\mathbf{b}_i^* := \pi_i(\mathbf{b}_i) = \mathbf{b}_i - \sum_{j < i}$ [...]
Lemma 2.18 ([GPV08]). For any lattice $\mathcal{L} \subset \mathbb{R}^n$ with basis $B := (b_1,\dots,b_n)$ and any $\varepsilon \in (0,1/2)$, $\eta_\varepsilon(\mathcal{L}) \le \sqrt{\log(n/\varepsilon)}\cdot\max_i\|b_i^*\|$.

For $\gamma \ge 1$, a basis is $\gamma$-HKZ-reduced if for all $i \in \{1,\dots,n\}$, $\|b_i^*\| \le \gamma\cdot\lambda_1(\pi_i(\mathcal{L}))$.

We say that a basis $B$ is size-reduced if it satisfies the following condition: for all $i \ne j$, $|\mu_{i,j}| \le 1/2$. A size-reduced basis $B$ satisfies $\|B\| \le \sqrt{n}\,\|B^*\|$, where $\|B\|$ is the length of the longest basis vector in $B$ and $\|B^*\|$ is the length of the longest vector in its GSO. It is known that we can efficiently transform any basis into a size-reduced basis while maintaining both the lattice $\mathcal{L}(B)$ generated by the basis and the GSO $B^*$. We call such an operation size reduction.

Theorem 2.19 ([LLL82]). Given a basis $B \in \mathbb{Q}^{n\times n}$, there is an algorithm that computes a vector $x \in \mathcal{L}(B)$ of length at most $2^{n/2}\cdot\lambda_1(\mathcal{L}(B))$ in polynomial time.

We will prove a strictly stronger result than the theorem below in the sequel, but this weaker result will still prove useful.
Theorem 2.20 ([ADRS15, GN08]). There is a $2^{r+o(r)}\cdot\mathrm{poly}(n)$-time algorithm that takes as input a (basis for a) lattice $\mathcal{L} \subset \mathbb{R}^n$ and $2 \le r \le n$ and outputs a $\gamma$-HKZ-reduced basis for $\mathcal{L}$, where $\gamma := r^{n/r}$.

Theorem 2.21 ([BLP+13]). There is a probabilistic polynomial-time algorithm that takes as input a basis $B$ for an $n$-dimensional lattice $\mathcal{L} \subset \mathbb{R}^n$ and a parameter $s \ge \|B^*\|\sqrt{10\log n}$, and outputs a vector that is distributed as $D_{\mathcal{L},s}$, where $\|B^*\|$ is the length of the longest vector in the Gram-Schmidt orthogonalization of $B$.

LLL reduction.
A basis $B = (b_1,\dots,b_n)$ is $\varepsilon$-LLL-reduced [LLL82] for $\varepsilon \in [0,1]$ if it is size-reduced and, for $1 \le i < n$, the projected block $B_{[i,i+1]}$ satisfies Lovász's condition: $\|b_i^*\|^2 \le (1+\varepsilon)\,\|\mu_{i+1,i}\,b_i^* + b_{i+1}^*\|^2$. For $\varepsilon \ge 1/\mathrm{poly}(n)$, an $\varepsilon$-LLL-reduced basis for any given lattice can be computed efficiently.

SVP reduction and its extensions.
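The definitions of this section (GSO, size reduction, the $\sqrt{n}$ bound and $\varepsilon$-LLL reduction) in exact rational arithmetic, as an added example that is not code from the paper. It uses a small constructed basis; the swap-based $\varepsilon$-LLL loop is the textbook algorithm, written here only to produce a basis on which the predicates can be checked.

```python
# Added example (not from the paper): Gram-Schmidt orthogonalization, size
# reduction and eps-LLL reduction over Q with exact Fractions. Basis vectors
# are rows; mu[i][j] = <b_i, b*_j> / ||b*_j||^2 as in Section 2.6.
from fractions import Fraction
from typing import List, Tuple

Vec = List[Fraction]
Basis = List[Vec]


def dot(u: Vec, v: Vec) -> Fraction:
    return sum(a * b for a, b in zip(u, v))


def gso(B: Basis) -> Tuple[Basis, List[List[Fraction]]]:
    """Return (B*, mu) with b*_i = b_i - sum_{j<i} mu[i][j] b*_j."""
    n = len(B)
    Bs: Basis = []
    mu = [[Fraction(0)] * n for _ in range(n)]
    for i in range(n):
        v = list(B[i])
        for j in range(i):
            mu[i][j] = dot(B[i], Bs[j]) / dot(Bs[j], Bs[j])
            v = [a - mu[i][j] * b for a, b in zip(v, Bs[j])]
        mu[i][i] = Fraction(1)
        Bs.append(v)
    return Bs, mu


def size_reduce(B: Basis) -> Basis:
    """Subtract integer multiples of earlier vectors until |mu_{i,j}| <= 1/2.
    The lattice L(B) and the GSO B* are unchanged by these operations."""
    B = [list(v) for v in B]
    for i in range(len(B)):
        for j in range(i - 1, -1, -1):        # highest j first, as usual
            _, mu = gso(B)
            q = round(mu[i][j])               # nearest integer
            if q:
                B[i] = [a - q * b for a, b in zip(B[i], B[j])]
    return B


def is_size_reduced(B: Basis) -> bool:
    _, mu = gso(B)
    return all(abs(mu[i][j]) <= Fraction(1, 2) for i in range(len(B)) for j in range(i))


def is_eps_lll_reduced(B: Basis, eps: Fraction) -> bool:
    """Size-reduced and, for 1 <= i < n, the Lovasz condition on B_[i,i+1]:
    ||b*_i||^2 <= (1+eps) ||mu_{i+1,i} b*_i + b*_{i+1}||^2."""
    if not is_size_reduced(B):
        return False
    Bs, mu = gso(B)
    for i in range(len(B) - 1):
        w = [mu[i + 1][i] * a + b for a, b in zip(Bs[i], Bs[i + 1])]
        if dot(Bs[i], Bs[i]) > (1 + eps) * dot(w, w):
            return False
    return True


def eps_lll(B: Basis, eps: Fraction) -> Basis:
    """Textbook LLL with Lovasz parameter (1+eps): size-reduce, swap adjacent
    vectors where the condition fails, step back, repeat until it holds everywhere."""
    B = size_reduce(B)
    i = 0
    while i < len(B) - 1:
        Bs, mu = gso(B)
        w = [mu[i + 1][i] * a + b for a, b in zip(Bs[i], Bs[i + 1])]
        if dot(Bs[i], Bs[i]) > (1 + eps) * dot(w, w):
            B[i], B[i + 1] = B[i + 1], B[i]
            B = size_reduce(B)
            i = max(i - 1, 0)
        else:
            i += 1
    return B


def norm_bound_holds(B: Basis) -> bool:
    """||B|| <= sqrt(n) ||B*|| for a size-reduced basis, checked without square
    roots as max_i ||b_i||^2 <= n * max_i ||b*_i||^2."""
    Bs, _ = gso(B)
    return max(dot(v, v) for v in B) <= len(B) * max(dot(v, v) for v in Bs)


def gram_det(B: Basis) -> Fraction:
    """det(L)^2 = prod_i ||b*_i||^2; invariant under all operations above."""
    Bs, _ = gso(B)
    out = Fraction(1)
    for v in Bs:
        out *= dot(v, v)
    return out


# Constructed sample basis (not from the paper); not size-reduced as given.
SAMPLE: Basis = [[Fraction(x) for x in row] for row in [[1, 1, 1], [-1, 0, 2], [3, 5, 6]]]
```

Running `eps_lll(SAMPLE, Fraction(1, 100))` yields a basis of the same lattice (same `gram_det`) that passes `is_eps_lll_reduced` and the $\sqrt{n}$ norm bound; the original `SAMPLE` fails `is_size_reduced` because $\mu_{3,1} = 14/3$.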
Let $B = (b_1,\dots,b_n)$ be a basis of a lattice $\mathcal{L}$ and $\delta \ge 1$. $B$ is $\delta$-SVP-reduced if $\|b_1\| \le \delta\cdot\lambda_1(\mathcal{L})$. Similarly, we say that $B$ is $\delta$-HSVP-reduced if $\|b_1\| \le \delta\cdot\mathrm{vol}(\mathcal{L})^{1/n}$. $B$ is $\delta$-DHSVP-reduced [GN08, ALNS20] (where D stands for dual) if the reversed dual basis $B^{-s}$ is $\delta$-HSVP-reduced; this implies $\mathrm{vol}(\mathcal{L})^{1/n} \le \delta\cdot\|b_n^*\|$.

Given a $\delta$-(H)SVP oracle on lattices with rank at most $n$, we can efficiently compute a $\delta$-(H)SVP-reduced basis or a $\delta$-D(H)SVP-reduced basis for any rank-$n$ lattice $\mathcal{L} \subseteq \mathbb{Z}^m$. Furthermore, this also applies to a projected block of a basis. More specifically, with access to a $\delta$-(H)SVP oracle for lattices with rank at most $k$, given any basis $B = (b_1,\dots,b_n) \in \mathbb{Z}^{m\times n}$ of $\mathcal{L}$ and an index $i \in [1, n-k+1]$, we can efficiently compute a size-reduced basis $C = (b_1,\dots,b_{i-1}, c_i,\dots,c_{i+k-1}, b_{i+k},\dots,b_n)$ such that $C$ is a basis for $\mathcal{L}$ and the projected block $C_{[i,i+k-1]}$ is $\delta$-(H)SVP-reduced or $\delta$-D(H)SVP-reduced. Moreover, we note the following:

• If $C_{[i,i+k-1]}$ is $\delta$-(H)SVP-reduced, the procedures in [GN08, MW16] equipped with a $\delta$-(H)SVP oracle ensure that $\|C^*\| \le \|B^*\|$;
• If $C_{[i,i+k-1]}$ is $\delta$-D(H)SVP-reduced, the inherent LLL reduction implies $\|C^*\| \le 2^k\|B^*\|$. Indeed, the GSO of $C_{[i,i+k-1]}$ satisfies $\|(C_{[i,i+k-1]})^*\| \le 2^{k/2}\lambda_k(\mathcal{L}(C_{[i,i+k-1]}))$ (by [LLL82, p. 518, Line 27]) and $\lambda_k(\mathcal{L}(C_{[i,i+k-1]})) \le \sqrt{k}\,\|B^*\|$. Here, $\lambda_k(\cdot)$ denotes the $k$-th minimum.

Therefore, with size reduction, performing $\mathrm{poly}(n, \log\|B\|)$ many such operations increases $\|B^*\|$, and hence $\|B\|$, by at most a factor of $2^{\mathrm{poly}(n,\log\|B\|)}$. If the number of operations is bounded by $\mathrm{poly}(n,\log\|B\|)$, all intermediate steps and the total running time (excluding oracle queries) are polynomial in the initial input size; details can be found in, e.g., [GN08, LN14]. Hence, we will focus on bounding the number of calls to such block reduction subprocedures when we analyze the running time of basis reduction algorithms.

Twin reduction.
The following notion of twin reduction and the subsequent fact come from [GN08, ALNS20]. A basis $B = (b_1,\dots,b_{d+1})$ is $\delta$-twin-reduced if $B_{[1,d]}$ is $\delta$-HSVP-reduced and $B_{[2,d+1]}$ is $\delta$-DHSVP-reduced.

Fact 2.22. If $B := (b_1,\dots,b_{d+1}) \in \mathbb{R}^{m\times(d+1)}$ is $\delta$-twin-reduced, then
$$\|b_1\| \le \delta^{2d/(d-1)}\,\|b_{d+1}^*\|. \qquad (4)$$
(Indeed, $\delta$-HSVP-reduction of $B_{[1,d]}$ gives $\|b_1\|^d \le \delta^d\,\mathrm{vol}(B_{[1,d]}) = \delta^d\,\|b_1\|\,\mathrm{vol}(B_{[2,d]})$, and $\delta$-DHSVP-reduction of $B_{[2,d+1]}$ gives $\mathrm{vol}(B_{[2,d]})\,\|b_{d+1}^*\| = \mathrm{vol}(B_{[2,d+1]}) \le \delta^d\,\|b_{d+1}^*\|^d$. Combining the two yields $\|b_1\|^{d-1} \le \delta^{2d}\,\|b_{d+1}^*\|^{d-1}$.)

We augment Micciancio and Walter's elegant DBKZ algorithm [MW16] with a $\delta_H$-HSVP oracle instead of an SVP oracle, since the SVP oracle is used as a $\sqrt{\gamma_k}$-HSVP oracle everywhere in their algorithm. See [ALNS20] for a high-level sketch of the proof.

Theorem 2.23. For integers $n > k \ge 2$, an approximation factor $1 \le \delta_H \le k$, an input basis $B \in \mathbb{Z}^{m\times n}$ for a lattice $\mathcal{L} \subseteq \mathbb{Z}^m$, and $N := \lceil (2n^2/(k-1)^2)\cdot\log(n\log(5\|B\|)/\varepsilon)\rceil$ for some $\varepsilon \in [2^{-\mathrm{poly}(n)}, 1]$, Algorithm 1 outputs a basis $B'$ of $\mathcal{L}$ in polynomial time (excluding oracle queries) such that $\|b_1'\| \le (1+\varepsilon)\cdot(\delta_H)^{(n-1)/(k-1)}\,\mathrm{vol}(\mathcal{L})^{1/n}$, by making $N\cdot(2n-2k+1)+1$ calls to the $\delta_H$-HSVP oracle for lattices with rank $k$.

Algorithm 1 The Micciancio-Walter DBKZ algorithm [MW16, Algorithm 1]
Input: A block size $k \ge 2$, number of tours $N$, a basis $B = (b_1,\dots,b_n) \in \mathbb{Z}^{m\times n}$, and access to a $\delta_H$-HSVP oracle for lattices with rank $k$.
Output: A new basis of $\mathcal{L}(B)$.
  for $\ell = 1$ to $N$ do
    for $i = 1$ to $n-k$ do
      $\delta_H$-HSVP-reduce $B_{[i,i+k-1]}$.
    end for
    for $j = n-k+1$ down to $1$ do
      $\delta_H$-DHSVP-reduce $B_{[j,j+k-1]}$.
    end for
  end for
  $\delta_H$-HSVP-reduce $B_{[1,k]}$.
  return $B$.

3 The parameter $\bar\eta_\varepsilon(\mathcal{L})$

The analysis of our algorithm relies on the existence of a smooth sublattice $\mathcal{L}' \subseteq \mathcal{L}$ of our input lattice $\mathcal{L} \subset \mathbb{R}^n$, i.e., a sublattice $\mathcal{L}'$ such that $\eta_\varepsilon(\mathcal{L}')$ is small (relative to, say, $\lambda_1(\mathcal{L})$ or $\det(\mathcal{L})^{1/n}$). To that end, for $\varepsilon > 0$ and $\mathcal{L} \subset \mathbb{R}^n$, we define
$$\bar\eta_\varepsilon(\mathcal{L}) := \min_{\mathcal{L}' \subseteq \mathcal{L}} \eta_\varepsilon(\mathcal{L}'),$$
where the minimum is taken over all sublattices $\mathcal{L}' \subseteq \mathcal{L}$. (It is not hard to see that the minimum is in fact achieved. Notice that any minimizer $\mathcal{L}'$ must be a primitive sublattice, i.e., $\mathcal{L}' = \mathcal{L} \cap \mathrm{span}(\mathcal{L}')$.) We will now prove that $\bar\eta_\varepsilon(\mathcal{L})$ is bounded both in terms of $\lambda_1(\mathcal{L})$ and $\det(\mathcal{L})$.

Lemma 3.1. For any lattice $\mathcal{L} \subset \mathbb{R}^n$ and any $\varepsilon \in (0,1/2)$,
$$\lambda_1(\mathcal{L})/\sqrt{n} \le \bar\eta_\varepsilon(\mathcal{L}) \le \sqrt{\log(1/\varepsilon)}\cdot\min\{\lambda_1(\mathcal{L}),\ (\log n + 2)\det(\mathcal{L})^{1/n}\}.$$

The bounds in terms of $\lambda_1(\mathcal{L})$ are more-or-less trivial. The bound $\bar\eta_\varepsilon(\mathcal{L}) \lesssim \sqrt{\log(1/\varepsilon)}\,\log n\cdot\det(\mathcal{L})^{1/n}$ follows from the main result in [RS17] (originally conjectured by Dadush [DR16]), which is called a "reverse Minkowski theorem" and which we present below. (In fact, Lemma 3.1 is essentially equivalent to the main result in [RS17].)

Definition 3.2.
A lattice $\mathcal{L} \subset \mathbb{R}^n$ is a stable lattice if $\det(\mathcal{L}) = 1$ and $\det(\mathcal{L}') \ge 1$ for all sublattices $\mathcal{L}' \subseteq \mathcal{L}$.

Theorem 3.3 ([RS17]). For any stable lattice $\mathcal{L} \subset \mathbb{R}^n$, $\eta_{1/2}(\mathcal{L}) \le \log n + 2$.

Proof of Lemma 3.1. The lower bound on $\bar\eta_\varepsilon(\mathcal{L})$ follows immediately from Theorem 2.9 together with the fact that $\lambda_1(\mathcal{L}) \le \lambda_1(\mathcal{L}') \le \lambda_k(\mathcal{L}')$ for any sublattice $\mathcal{L}' \subseteq \mathcal{L}$ of rank $k$. The bound $\bar\eta_\varepsilon(\mathcal{L}) \le \sqrt{\log(1/\varepsilon)}\cdot\lambda_1(\mathcal{L})$ is immediate from Claim 2.7 applied to the one-dimensional lattice $\mathbb{Z}v$ generated by $v \in \mathcal{L}$ with $\|v\| = \lambda_1(\mathcal{L})$.

So, we only need to prove that $\bar\eta_{1/2}(\mathcal{L}) \le (\log n + 2)\det(\mathcal{L})^{1/n}$; the result for all $\varepsilon \in (0,1/2)$ then follows by a standard argument. We proceed by induction on $n$. The result is trivial for $n = 1$. (Indeed, for $n = 1$ we have $\det(\mathcal{L})^{1/n} = \lambda_1(\mathcal{L})$.) For $n > 1$, we first assume without loss of generality that $\det(\mathcal{L}) = 1$. If $\mathcal{L} \subset \mathbb{R}^n$ is stable, then the result follows immediately from Theorem 3.3. Otherwise, there exists a sublattice $\mathcal{L}' \subset \mathcal{L}$ such that $\det(\mathcal{L}') < 1$. Notice that $k := \mathrm{rank}(\mathcal{L}') < n$. Therefore, by the induction hypothesis, $\bar\eta_{1/2}(\mathcal{L}') \le (\log k + 2)\det(\mathcal{L}')^{1/k} < \log n + 2$. The result then follows from the fact that $\bar\eta_\varepsilon(\mathcal{L}) \le \bar\eta_\varepsilon(\mathcal{L}')$ for any sublattice $\mathcal{L}' \subseteq \mathcal{L}$.

3.1 Sampling with parameter $\mathrm{poly}(n)\cdot\bar\eta_\varepsilon(\mathcal{L})$

Lemma 3.4.
For any lattice $\mathcal{L} \subset \mathbb{R}^n$, $\gamma \ge 1$, $\varepsilon \in (0,1/2)$, $\gamma$-HKZ-reduced basis $B = (b_1,\dots,b_n)$ of $\mathcal{L}$, and index $i \in \{1,\dots,n\}$ such that $\|b_i^*\| > \gamma\sqrt{n}\cdot\bar\eta_\varepsilon(\mathcal{L})$, we have $\bar\eta_\varepsilon(\mathcal{L}(b_1,\dots,b_{i-1})) = \bar\eta_\varepsilon(\mathcal{L})$.

Proof. Suppose that $\mathcal{L}' \subseteq \mathcal{L}$ satisfies $\eta_\varepsilon(\mathcal{L}') = \bar\eta_\varepsilon(\mathcal{L}) < \|b_i^*\|/(\gamma\sqrt{n})$, with $k := \mathrm{rank}(\mathcal{L}')$. We wish to show that $\mathcal{L}' \subseteq \mathcal{L}(b_1,\dots,b_{i-1})$, or equivalently, that $\pi_i(\mathcal{L}') = \{0\}$. Indeed, by Theorem 2.9, $\lambda_k(\mathcal{L}') \le \sqrt{k}\cdot\eta_\varepsilon(\mathcal{L}') \le \sqrt{n}\cdot\bar\eta_\varepsilon(\mathcal{L})$. In particular, there exist $v_1,\dots,v_k \in \mathcal{L}'$ with $\mathrm{span}(v_1,\dots,v_k) = \mathrm{span}(\mathcal{L}')$ and $\|\pi_i(v_j)\| \le \|v_j\| \le \lambda_k(\mathcal{L}') \le \sqrt{n}\cdot\bar\eta_\varepsilon(\mathcal{L}) < \|b_i^*\|/\gamma$ for all $j \in \{1,\dots,k\}$. Therefore, if $\pi_i(v_j) \ne 0$ for some $j$, then $\pi_i(v_j) \in \pi_i(\mathcal{L})$ is a non-zero vector with norm strictly less than $\|b_i^*\|/\gamma$, which implies that $\lambda_1(\pi_i(\mathcal{L})) < \|b_i^*\|/\gamma$, contradicting the assumption that $B$ is a $\gamma$-HKZ basis. Therefore, $\pi_i(v_j) = 0$ for all $j$, which implies that $\pi_i(\mathcal{L}') = \{0\}$, i.e., $\mathcal{L}' \subseteq \mathcal{L}(b_1,\dots,b_{i-1})$, as needed.

Proposition 3.5.
There is a $(2^{r+o(r)} + M)\cdot\mathrm{poly}(n, \log M)$-time algorithm that takes as input a (basis for a) lattice $\mathcal{L} \subset \mathbb{R}^n$, $2 \le r \le n$, an integer $M \ge 1$, and a parameter $s \ge r^{n/r}\sqrt{n\log n}\cdot\bar\eta_\varepsilon(\mathcal{L})$ for some $\varepsilon \in (0,1/2)$, and outputs a (basis for a) sublattice $\widehat{\mathcal{L}} \subseteq \mathcal{L}$ with $\bar\eta_\varepsilon(\widehat{\mathcal{L}}) = \bar\eta_\varepsilon(\mathcal{L})$ and $X_1,\dots,X_M \in \widehat{\mathcal{L}}$ that are sampled independently from $D_{\widehat{\mathcal{L}},s}$.

Proof. The algorithm takes as input a (basis for a) lattice $\mathcal{L} \subset \mathbb{R}^n$, $2 \le r \le n$, $M \ge 1$, and a parameter $s > 0$. It first computes a $\gamma$-HKZ-reduced basis $b_1,\dots,b_n$ of $\mathcal{L}$ using the procedure from Theorem 2.20, where $\gamma := r^{n/r}$. Let $i \in \{1,\dots,n\}$ be maximal such that $\|b_j^*\| \le s/\sqrt{\log n}$ for all $j \le i$, and let $\widehat{\mathcal{L}} := \mathcal{L}(b_1,\dots,b_i)$. (If no such $i$ exists, the algorithm simply fails.) The algorithm then runs the procedure from Theorem 2.21 repeatedly to sample $X_1,\dots,X_M \sim D_{\widehat{\mathcal{L}},s}$ and outputs $\widehat{\mathcal{L}}$ and $X_1,\dots,X_M$.

The running time of the algorithm is clearly $(2^{r+o(r)} + M)\cdot\mathrm{poly}(n,\log M)$. By Theorem 2.21, the $X_i$ have the correct distribution. Notice that, if the algorithm fails, then $\|b_1\| > s/\sqrt{\log n} \ge \gamma\sqrt{n}\cdot\bar\eta_\varepsilon(\mathcal{L})$. Recalling that $\|b_1\| \le \gamma\lambda_1(\mathcal{L})$, it follows that $\sqrt{n}\,\bar\eta_\varepsilon(\mathcal{L}) < \lambda_1(\mathcal{L})$, which contradicts Lemma 3.1. So, the algorithm never fails (provided that the promise on $s$ holds).

It remains to show that $\bar\eta_\varepsilon(\mathcal{L}) = \bar\eta_\varepsilon(\mathcal{L}(b_1,\dots,b_i))$. If $i = n$, then this is trivial. Otherwise, $i \in \{1,\dots,n-1\}$, and we have $\|b_{i+1}^*\| > s/\sqrt{\log n} \ge \gamma\sqrt{n}\cdot\bar\eta_\varepsilon(\mathcal{L})$. The result follows immediately from Lemma 3.4.
4 An approximation algorithm for HSVP and SVP

In this section, we present our algorithm that solves $\tilde{O}(\sqrt{n})$-HSVP and $\tilde{O}(\sqrt{n})$-SVP in $2^{n/2+o(n)}$ time. More precisely, we provide a detailed analysis of a simple "pair-and-sum" algorithm, which solves $O(\sqrt{n})\cdot\bar\eta_\varepsilon(\mathcal{L})$-GSVP for $\varepsilon = 1/\mathrm{poly}(n)$. This in particular yields an algorithm that simultaneously solves $\tilde{O}(\sqrt{n})$-SVP and $\tilde{O}(\sqrt{n})$-HSVP.

We will be working with random variables $X$ that are "mixtures" of discrete Gaussians, i.e., random variables that can be written as $D_{\mathcal{L}+C,s}$ for some lattice $\mathcal{L} \subset \mathbb{R}^n$, parameter $s > 0$, and random variable $C \in \mathbb{R}^n$. In other words, $X$ can be sampled by first sampling $C \in \mathbb{R}^n$ from some arbitrary distribution and then sampling $X$ from $D_{\mathcal{L}+C,s}$. E.g., the discrete Gaussian $D_{\mathcal{L},s}$ itself is such a distribution, as is the discrete Gaussian $D_{\widehat{\mathcal{L}},s}$ for any superlattice $\widehat{\mathcal{L}} \supseteq \mathcal{L}$. Indeed, in our applications we will always have $C \in \widehat{\mathcal{L}}$ for some superlattice $\widehat{\mathcal{L}} \supseteq \mathcal{L}$, and we will initialize our algorithm with samples from $D_{\widehat{\mathcal{L}},s}$.

Our formal definition below is a bit technical, since we must consider the joint distribution of many such random variables that are only $\delta$-similar to these distributions and satisfy a certain independence property. In particular, we will work with $X_1,\dots,X_M$ such that each $X_i$ is $\delta$-similar to $Y_i \sim D_{\mathcal{L}+C_i,s}$, where $C_i$ is an arbitrary random variable (that might depend on the $X_j$) but, once $C_i$ is fixed, $Y_i$ is sampled from $D_{\mathcal{L}+C_i,s}$ independently of everything else. Here and below, we adopt the convention that $\Pr[A \mid B] = 0$ whenever $\Pr[B] = 0$, i.e., all probabilities are zero when conditioned on events with probability zero.

Definition 4.1.
For (discrete) random variables $X_1,\dots,X_m \in \mathbb{R}^n$ and $i \in \{1,\dots,m\}$, let $X_{-i} := (X_1,\dots,X_{i-1},X_{i+1},\dots,X_m) \in \mathbb{R}^{(m-1)n}$. We say that $X_1,\dots,X_m$ are $\delta$-similar to a mixture of independent Gaussians over $\mathcal{L}$ with parameter $s > 0$ if for any $i \in \{1,\dots,m\}$, $y \in \mathbb{R}^n$, and $w \in \mathbb{R}^{(m-1)n}$,
$$\Pr[X_i = y \mid X_{-i} = w] = e^{\pm\delta}\cdot\frac{\rho_s(y)}{\rho_s(\mathcal{L}+y)}\cdot\Pr[X_i \in \mathcal{L}+y \mid X_{-i} = w].$$

Additionally, we will need the distribution we obtain at every step to be symmetric about the origin, as defined below.

Definition 4.2. We say that a list of (discrete) random variables $X_1,\dots,X_m \in \mathbb{R}^n$ is symmetric if for any $i \in \{1,\dots,m\}$, any $y \in \mathbb{R}^n$, and any $w \in \mathbb{R}^{(m-1)n}$,
$$\Pr[X_i = y \mid X_{-i} = w] = \Pr[X_i = -y \mid X_{-i} = w].$$

We need the following simple lemma that bounds the probability of $X$ being $0$, where $X$ is distributed as a mixture of discrete Gaussians over $\mathcal{L}$.

Lemma 4.3.
For any lattice $\mathcal{L} \subset \mathbb{R}^n$, let $X_1,\dots,X_m \in \mathcal{L}$ be $\delta$-similar to a mixture of independent Gaussians over $\mathcal{L}$ with parameter $s \ge \beta\,\eta_{1/2}(\mathcal{L})$ for some $\beta \ge 1$. Then, for any $i$ and any $w \in \mathbb{R}^{(m-1)n}$,
$$\Pr[X_i = 0 \mid X_{-i} = w] \le e^{\delta}/\beta.$$

Proof. Let $s' := \eta_{1/2}(\mathcal{L})$. We have that
$$\Pr[X_i = 0 \mid X_{-i} = w] \le \Pr[X_i = 0 \mid X_i \in \mathcal{L},\ X_{-i} = w] \le \frac{e^{\delta}}{\rho_s(\mathcal{L})} \le e^{\delta}\cdot\frac{\rho_{s'}(\mathcal{L})}{\rho_s(\mathcal{L})},$$
where the second inequality is Definition 4.1 with $y = 0$ (note $\rho_s(0) = 1$) and the third uses $\rho_{s'}(\mathcal{L}) \ge 1$. The result then follows from Claim 2.10.

The following corollary shows that a mixture of discrete Gaussians must contain a short non-zero vector in certain cases.
Corollary 4.4. For any lattices $\mathcal{L}' \subseteq \mathcal{L} \subset \mathbb{R}^n$, parameter $s \ge 4e^{\delta}\,\eta_{1/2}(\mathcal{L}')$, $m \ge 8$, and random variables $X_1,\dots,X_m$ that are $\delta$-similar to mixtures of independent Gaussians over $\mathcal{L}'$ with parameter $s$,
$$\Pr[\exists\, i \in [1,m] \text{ such that } 0 < \|X_i\|^2 < 4T] \ge 1/10, \qquad \text{where } T := \frac{1}{m}\sum_{i=1}^m \mathbb{E}[\|X_i\|^2].$$

Proof. By Markov's inequality, we have $\Pr\big[\sum_{i=1}^m \|X_i\|^2 \ge 2mT\big] \le 1/2$. Hence, with probability at least $1/2$, we have $\sum_{i=1}^m \|X_i\|^2 < 2mT$.

We next note that many of the $X_i$ must be non-zero with high probability. Let $Y_1,\dots,Y_m \in \{0,1\}$ be such that $Y_i = 0$ if and only if $X_i = 0$. By Lemma 4.3 (with $\beta = 4e^{\delta}$), $\mathbb{E}[Y_i \mid Y_1 = y_1,\dots,Y_{i-1} = y_{i-1}] \ge 3/4$ for all $y_1,\dots,y_{i-1} \in \{0,1\}$. By Corollary 2.3, we have that $\Pr[Y_1 + \dots + Y_m \le m/2] \le e^{-m/8} \le 1/e$.

Finally, by a union bound, we see that with probability at least $1 - 1/e - 1/2 > 1/10$ the average squared norm will be at most $2T$ and more than half of the $X_i$ will be non-zero. It follows from another application of Markov's inequality that at least one of the non-zero $X_i$ must have squared norm less than $4T$.

Our algorithm will start with vectors $X_1,\dots,X_m \in \mathcal{L}_0$, where $\mathcal{L}_0 \supset \mathcal{L}$ is some very dense superlattice of the input lattice $\mathcal{L}$. It then takes sums $Y_k = X_i + X_j$ of pairs of these in such a way that the resulting $Y_k$ lie in some appropriate sublattice $\mathcal{L}_1 \subset \mathcal{L}_0$, i.e., $Y_k \in \mathcal{L}_1$. It does this repeatedly, finding vectors in $\mathcal{L}_1, \mathcal{L}_2, \dots, \mathcal{L}_\ell$ until finally it obtains vectors in $\mathcal{L}_\ell := \mathcal{L}$.

Here, we study a single step of this algorithm, as shown below. Notice that Algorithm 2 can be implemented in time $m\cdot\mathrm{poly}(n,\log m)$. This can be done, e.g., by creating a table of the $X_i$ sorted according to $X_i \bmod \mathcal{L}_1$. Then, for each $i$, such a $j$ can be found (if it exists) by performing binary search on the table. Furthermore, the algorithm is guaranteed to find $M = \lceil (m - |\mathcal{L}_0/\mathcal{L}_1|)/2 \rceil$ output vectors because at most $|\mathcal{L}_0/\mathcal{L}_1|$ of the input vectors can be unpaired (at most one per coset).

Algorithm 2 One step of the algorithm.
Input: Lattices $\mathcal{L}_0, \mathcal{L}_1 \subset \mathbb{R}^n$ with $2\mathcal{L}_0 \subseteq \mathcal{L}_1 \subseteq \mathcal{L}_0$, and lattice vectors $X_1,\dots,X_m \in \mathcal{L}_0$ with $m \ge |\mathcal{L}_0/\mathcal{L}_1|$.
Output: Lattice vectors $Y_1,\dots,Y_M \in \mathcal{L}_1$, with $M := \lceil (m - |\mathcal{L}_0/\mathcal{L}_1|)/2 \rceil$.
  Set $\mathrm{USED}_i := \mathrm{false}$ for $i = 1,\dots,m$, $k = 1$, and $i = 1$.
  while $k \le M$ do
    if not $\mathrm{USED}_i$ and ($\exists\, j \in \{1,\dots,m\}\setminus\{i\}$ such that $X_j \equiv X_i \bmod \mathcal{L}_1$ and $\mathrm{USED}_j = \mathrm{false}$) then
      Let $j \ne i$ be minimal such that $X_j \equiv X_i \bmod \mathcal{L}_1$ and $\mathrm{USED}_j = \mathrm{false}$.
      Set $Y_k = X_i + X_j$.
      Set $\mathrm{USED}_i = \mathrm{USED}_j = \mathrm{true}$ and increment $k$.
    end if
    Increment $i$.
  end while
  return $Y_1,\dots,Y_M$

The key property that we will need from Algorithm 2 is that for any (possibly unknown) sublattice $\mathcal{L}' \subseteq \mathcal{L}_1 \subseteq \mathcal{L}_0$, the algorithm maps mixtures of Gaussians over $\mathcal{L}'$ to mixtures of Gaussians over $\mathcal{L}'$, provided that the parameter $s$ is significantly above $\eta_\varepsilon(\mathcal{L}')$. In other words, as long as there exists some sublattice $\mathcal{L}' \subseteq \mathcal{L}_1$ such that $\eta_\varepsilon(\mathcal{L}') \lesssim s$, then the output of the algorithm will be a mixture of Gaussians. Indeed, this is more-or-less immediate from Lemma 2.14.

Lemma 4.5.
For any lattices $\mathcal{L}_0, \mathcal{L}_1, \mathcal{L}' \subset \mathbb{R}^n$ with $2\mathcal{L}_0 \subseteq \mathcal{L}_1 \subseteq \mathcal{L}_0$ and $\mathcal{L}' \subseteq \mathcal{L}_1$, $\varepsilon \in (0,1/2)$, $\delta > 0$, and parameter $s \ge \sqrt{2}\,\eta_\varepsilon(\mathcal{L}')$, if the input vectors $X_1,\dots,X_m \in \mathcal{L}_0$ are sampled from a distribution that is $\delta$-similar to a mixture of independent Gaussians over $\mathcal{L}'$ with parameter $s$, then the output vectors $Y_1,\dots,Y_M \in \mathcal{L}_1$ are $(2\delta + 3\varepsilon)$-similar to a mixture of independent Gaussians over $\mathcal{L}'$ with parameter $\sqrt{2}s$.

Proof. For a list of cosets $d := (c_1,\dots,c_m) \in (\mathcal{L}_0/\mathcal{L}')^m$ such that $\Pr[X_1 = c_1 \bmod \mathcal{L}', \dots, X_m = c_m \bmod \mathcal{L}']$ is non-zero, let $Y_{d,1},\dots,Y_{d,M}$ be the random variables obtained by taking $Y_1,\dots,Y_M$ conditioned on $X_i \equiv c_i \bmod \mathcal{L}'$ for all $i$. We similarly define $X_{d,i}$. Notice that $Y_1,\dots,Y_M$ is a convex combination of random variables of the form $Y_{d,1},\dots,Y_{d,M}$, and that the property of being close to a mixture of independent Gaussians is preserved by taking convex combinations. Therefore, it suffices to prove the statement for $Y_{d,1},\dots,Y_{d,M}$ for all fixed $d$.

To that end, fix $k \in \{1,\dots,M\}$ and such a $d \in (\mathcal{L}_0/\mathcal{L}')^m$. Notice that $X_{d,i} \in \mathcal{L}' + c_i \subseteq \mathcal{L}_1 + c_i$, so the cosets modulo $\mathcal{L}_1$ used for pairing are determined by $d$. Therefore, there exist fixed $i, j$ such that $Y_{d,k} = X_{d,i} + X_{d,j}$. Furthermore, by assumption, for any $w \in \mathcal{L}_0^{m-1}$ and $x \in \mathcal{L}_0$,
$$\Pr[X_{d,i} = x \mid X_{d,-i} = w] = e^{\pm\delta}\,\frac{\rho_s(x)}{\rho_s(\mathcal{L}'+c_i)},$$
and likewise for $j$. It follows from Lemma 2.14 that for any $y \in \mathcal{L}_1$ and $z \in \mathcal{L}_1^{M-1}$,
$$\Pr[X_{d,i} + X_{d,j} = y \mid Y_{d,-k} = z] = e^{\pm(2\delta+3\varepsilon)}\,\frac{\rho_{\sqrt{2}s}(y)}{\rho_{\sqrt{2}s}(\mathcal{L}'+c_i+c_j)},$$
as needed.

Lemma 4.6.
For any lattices $\mathcal{L}_0, \mathcal{L}_1 \subset \mathbb{R}^n$ with $2\mathcal{L}_0 \subseteq \mathcal{L}_1 \subseteq \mathcal{L}_0$, if the input vectors $X_1,\dots,X_m \in \mathcal{L}_0$ are sampled from a symmetric distribution, then the distribution of the output vectors $Y_1,\dots,Y_M$ will also be symmetric. Furthermore,
$$\sum_{k=1}^M \mathbb{E}[\|Y_k\|^2] \le \sum_{i=1}^m \mathbb{E}[\|X_i\|^2].$$

Proof. Let $d = (c_1,\dots,c_m) \in (\mathcal{L}_0/\mathcal{L}_1)^m$ be a list of cosets such that with non-zero probability we have $X_1 \in \mathcal{L}_1 + c_1, \dots, X_m \in \mathcal{L}_1 + c_m$. Let $X_{d,1},\dots,X_{d,m}$ be the distribution obtained by sampling the $X_i$ conditioned on this event, and let $Y_{d,1},\dots,Y_{d,M}$ be the corresponding output. Notice that the distribution of $X_{d,1},\dots,X_{d,m}$ is also symmetric, since $\mathcal{L}_1 + c = -(\mathcal{L}_1 + c)$ for any $c \in \mathcal{L}_0/\mathcal{L}_1$. (Here, we have used the fact that $2\mathcal{L}_0 \subseteq \mathcal{L}_1 \subseteq \mathcal{L}_0$.)

And, for fixed $d$ and $k \in \{1,\dots,M\}$ there exist fixed (distinct) $i, j \in \{1,\dots,m\}$ such that $Y_{d,k} = X_{d,i} + X_{d,j}$. But, since the $X_{d,1},\dots,X_{d,m}$ are distributed symmetrically, we see immediately that for any $y \in \mathcal{L}_1$ and $w \in \mathcal{L}_1^{M-1}$,
$$\Pr[Y_{d,k} = y \mid Y_{d,-k} = w] = \Pr[Y_{d,k} = -y \mid Y_{d,-k} = w].$$
In other words, the distribution of $Y_{d,1},\dots,Y_{d,M}$ is symmetric.

Furthermore,
$$\mathbb{E}[\|X_{d,i} + X_{d,j}\|^2] = \mathbb{E}[\|X_{d,i}\|^2] + \mathbb{E}[\|X_{d,j}\|^2] + 2\,\mathbb{E}[\langle X_{d,i}, X_{d,j}\rangle] = \mathbb{E}[\|X_{d,i}\|^2] + \mathbb{E}[\|X_{d,j}\|^2],$$
where in the last step we have used the symmetry of $X_{d,1},\dots,X_{d,m}$. Since the $Y_{d,k}$ are sums of disjoint pairs of the $X_{d,i}$, it follows immediately that
$$\sum_{k=1}^M \mathbb{E}[\|Y_{d,k}\|^2] \le \sum_{i=1}^m \mathbb{E}[\|X_{d,i}\|^2].$$
The results for $X_1,\dots,X_m$, $Y_1,\dots,Y_M$ then follow immediately from the fact that this distribution can be written as a convex combination of $X_{d,1},\dots,X_{d,m}$, $Y_{d,1},\dots,Y_{d,M}$ for different coset lists $d \in (\mathcal{L}_0/\mathcal{L}_1)^m$, since both symmetry and the inequality on expectations are preserved by convex combinations.

We will repeatedly apply Algorithm 2 on a "tower" of lattices similar to [ADRS15].
We use (a slight modification of) the definition and construction of the tower of lattices from [ADRS15].

Definition 4.7 ([ADRS15]). For an integer $\alpha$ satisfying $n/2 \le \alpha \le n$, we say that $(\mathcal{L}_0,\dots,\mathcal{L}_\ell)$ is a tower of lattices in $\mathbb{R}^n$ of index $\alpha$ if for all $i$ we have $2\mathcal{L}_{i-1} \subseteq \mathcal{L}_i \subset \mathcal{L}_{i-1}$, $\mathcal{L}_i/2 \subseteq \mathcal{L}_{i-2}$, $|\mathcal{L}_{i-1}/\mathcal{L}_i| = 2^\alpha$, and $2^{\lceil i\alpha/n\rceil}\mathcal{L}_0 \subseteq \mathcal{L}_i \subseteq 2^{\lfloor i\alpha/n\rfloor}\mathcal{L}_0$.

Theorem 4.8 ([ADRS15]). There is a polynomial-time algorithm that takes as input integers $\ell \ge 1$ and $n/2 \le \alpha \le n$ as well as a lattice $\mathcal{L} \subseteq \mathbb{R}^n$ and outputs a tower of lattices $(\mathcal{L}_0,\dots,\mathcal{L}_\ell)$ with $\mathcal{L}_\ell = \mathcal{L}$.

Proof. We give the construction below. The desired properties are immediate from the construction. Let $b_1,\dots,b_n$ be a basis of $\mathcal{L}$. The tower is then defined by "cyclically halving $\alpha$ coordinates", namely,
$$\mathcal{L}_\ell = \mathcal{L}(b_1,\dots,b_n), \quad \mathcal{L}_{\ell-1} = \mathcal{L}(b_1/2,\dots,b_\alpha/2,\ b_{\alpha+1},\dots,b_n), \quad \mathcal{L}_{\ell-2} = \mathcal{L}(b_1/4,\dots,b_{2\alpha-n}/4,\ b_{2\alpha-n+1}/2,\dots,b_n/2),$$
etc. The required properties can be easily verified.

The following proposition shows that starting with discrete Gaussian samples from $\mathcal{L}_0$ and then repeatedly applying Algorithm 2 gives us a list of vectors in $\mathcal{L}_\ell$ that is close to a mixture of Gaussians, provided that there exists an appropriate "smooth sublattice" $\mathcal{L}' \subseteq \mathcal{L}_\ell$.

Proposition 4.9.
There is an algorithm that runs in $m\cdot\mathrm{poly}(n,\ell,\log m)$ time; takes as input a tower of lattices $(\mathcal{L}_0,\dots,\mathcal{L}_\ell)$ in $\mathbb{R}^n$ of index $\alpha$, and vectors $X_1,\dots,X_m \in \mathcal{L}_0$ with $m := 2^{\ell+\alpha+1}$; and outputs $Y_1,\dots,Y_M \in \mathcal{L}_\ell$ with $M := 2^\alpha$ with the following properties. If the input vectors $X_1,\dots,X_m$ are symmetric and $0$-similar to a mixture of Gaussians over $\mathcal{L}' \subseteq \mathcal{L}_0$ with parameter $s > 4\cdot 2^{(\alpha/n-1/2)\ell}\,\eta_\varepsilon(\mathcal{L}')$ for some (possibly unknown) sublattice $\mathcal{L}' \subseteq \mathcal{L}_0$ and $\varepsilon \in (0,1/2)$, then the output distribution is $(10^\ell\varepsilon)$-similar to a mixture of independent Gaussians over $2^{\lceil\ell\alpha/n\rceil}\mathcal{L}' \subseteq \mathcal{L}_\ell$ with parameter $2^{\ell/2}s$, and
$$\sum_{k=1}^M \mathbb{E}[\|Y_k\|^2] \le \sum_{i=1}^m \mathbb{E}[\|X_i\|^2].$$

Proof. The algorithm simply applies Algorithm 2 repeatedly, first using the input vectors in $\mathcal{L}_0$ to obtain vectors in $\mathcal{L}_1$, then using these to obtain vectors in $\mathcal{L}_2$, etc., until eventually it obtains vectors $Y_1,\dots,Y_M \in \mathcal{L}_\ell$. The running time is clearly $m\cdot\mathrm{poly}(n,\ell,\log m)$, as claimed.

By Lemma 4.6 and a simple induction argument, we see that every call to Algorithm 2 results in a symmetric distribution, and the sum of the expected squared norms is non-increasing after each step. In particular,
$$\sum_{k=1}^M \mathbb{E}[\|Y_k\|^2] \le \sum_{i=1}^m \mathbb{E}[\|X_i\|^2],$$
as needed.

We suppose for induction that the distribution of the output of the $i$th call to Algorithm 2 is $10^i\varepsilon$-similar to a mixture of independent Gaussians over $2^{\lceil i\alpha/n\rceil}\mathcal{L}' \subseteq 2^{\lceil i\alpha/n\rceil}\mathcal{L}_0 \subseteq \mathcal{L}_i$ with parameter $2^{i/2}s$ (which is true by assumption for $i = 0$). Then, this distribution is also $10^i\varepsilon$-similar to a mixture of independent Gaussians over $2^{\lceil(i+1)\alpha/n\rceil}\mathcal{L}' \subseteq 2^{\lceil i\alpha/n\rceil}\mathcal{L}'$ (since a mixture of Gaussians over a lattice is also a mixture of Gaussians over any sublattice). Furthermore, $\eta_\varepsilon(2^{\lceil(i+1)\alpha/n\rceil}\mathcal{L}') = 2^{\lceil(i+1)\alpha/n\rceil}\eta_\varepsilon(\mathcal{L}') < 2^{i/2}s/\sqrt{2}$, by the promise on $s$ (using $\lceil(i+1)\alpha/n\rceil \le (i+1)\alpha/n + 1$ and $i+1 \le \ell$). Therefore, we may apply Lemma 4.5 to conclude that the distribution of the output of the $(i+1)$st call to Algorithm 2 is $10^{i+1}\varepsilon$-similar to a mixture of independent Gaussians over $2^{\lceil(i+1)\alpha/n\rceil}\mathcal{L}' \subseteq \mathcal{L}_{i+1}$ with parameter $2^{(i+1)/2}s$. In particular, the final output vectors are $10^\ell\varepsilon$-similar to a mixture of independent Gaussians over $2^{\lceil\ell\alpha/n\rceil}\mathcal{L}'$, as needed.

Theorem 4.10.
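The combinatorial part of Definition 4.7, Theorem 4.8, Algorithm 2 and Proposition 4.9 can be exercised exactly, without ever writing down coordinates of the lattice. The block below is an added example, not code from the paper. It represents a vector by its coefficient vector over a fixed basis $b_1,\dots,b_n$ of $\mathcal{L} = \mathcal{L}_\ell$, builds the tower by cyclic halving, pairs vectors by their coset modulo the next lattice, and chains the steps. The inputs are constructed vectors with small random coefficients (not discrete Gaussian samples), so only the membership and counting guarantees are demonstrated, not the distributional ones; the parameters $n = 4$, $\alpha = 3$, $\ell = 2$ are chosen here for illustration.

```python
# Added example (not the paper's code): tower of lattices (Theorem 4.8) and the
# pair-and-sum step (Algorithm 2), chained as in Proposition 4.9.
# A vector is its coefficient vector (Fractions) over a fixed basis b_1..b_n of
# L = L_ell. L_i is generated by 2^{-e[i][j]} b_j, so a vector lies in L_i iff
# every c_j * 2^{e[i][j]} is an integer; cosets modulo L_{i+1} are parity bits.
from fractions import Fraction
from math import ceil
import random


def build_tower(n: int, alpha: int, ell: int) -> list:
    """Exponents e[0..ell] with e[ell] = 0. Going from L_i to L_{i-1} halves the
    next alpha coordinates cyclically (b_1/2..b_alpha/2 first, as in Theorem 4.8)."""
    assert 2 * alpha >= n and alpha <= n, "Definition 4.7 needs n/2 <= alpha <= n"
    e = [[0] * n for _ in range(ell + 1)]
    pos = 0
    for i in range(ell - 1, -1, -1):
        e[i] = e[i + 1][:]
        for _ in range(alpha):
            e[i][pos] += 1
            pos = (pos + 1) % n
    return e


def in_lattice(c: list, e_i: list) -> bool:
    return all((cj * 2 ** ej).denominator == 1 for cj, ej in zip(c, e_i))


def tower_is_valid(e: list, n: int, alpha: int) -> bool:
    """Definition 4.7: 2 L_{i-1} ⊆ L_i ⊂ L_{i-1}, L_i/2 ⊆ L_{i-2}, |L_{i-1}/L_i| = 2^alpha
    and 2^{ceil(i alpha/n)} L_0 ⊆ L_i ⊆ 2^{floor(i alpha/n)} L_0, read off the exponents."""
    ell = len(e) - 1
    for i in range(1, ell + 1):
        step = [a - b for a, b in zip(e[i - 1], e[i])]
        if any(d not in (0, 1) for d in step) or sum(step) != alpha:
            return False
        if i >= 2 and any(a < b + 1 for a, b in zip(e[i - 2], e[i])):
            return False
        lo, hi = (i * alpha) // n, ceil(i * alpha / n)
        if any(not lo <= a - b <= hi for a, b in zip(e[0], e[i])):
            return False
    return True


def coset_key(c: list, e_cur: list, e_next: list) -> tuple:
    """X mod L_next for X in L_cur: parity of the integer c_j 2^{e_cur[j]} on the
    alpha coordinates where L_next is coarser. Equal keys <=> X ≡ X' (mod L_next)."""
    return tuple(int(cj * 2 ** ec) % 2 for cj, ec, en in zip(c, e_cur, e_next) if en < ec)


def pair_and_sum(X: list, e_cur: list, e_next: list) -> list:
    """Algorithm 2: pair each vector with the first unused vector in the same coset
    mod L_next and output the sum; stops after M = ceil((m - 2^alpha)/2) outputs.
    X_i ≡ X_j (mod L_next) and 2 L_cur ⊆ L_next give X_i + X_j ∈ L_next."""
    alpha = sum(1 for ec, en in zip(e_cur, e_next) if en < ec)
    m = len(X)
    assert m >= 2 ** alpha, "Algorithm 2 needs m >= |L_cur / L_next|"
    M = ceil((m - 2 ** alpha) / 2)
    pending, Y = {}, []
    for x in X:
        if len(Y) == M:
            break
        key = coset_key(x, e_cur, e_next)
        partner = pending.pop(key, None)
        if partner is None:
            pending[key] = x
        else:
            Y.append([a + b for a, b in zip(x, partner)])
    return Y


def run_tower(X: list, e: list) -> list:
    """Proposition 4.9: apply Algorithm 2 along L_0 -> L_1 -> ... -> L_ell and keep
    M := 2^alpha outputs (at least that many survive when m = 2^{ell+alpha+1})."""
    alpha = sum(a - b for a, b in zip(e[0], e[1])) if len(e) > 1 else 0
    for i in range(len(e) - 1):
        X = pair_and_sum(X, e[i], e[i + 1])
    assert len(X) >= 2 ** alpha
    return X[: 2 ** alpha]


def sample_inputs(e0: list, m: int, rng: random.Random) -> list:
    """Constructed inputs: m vectors of L_0 with small random multiples of the
    generators 2^{-e0[j]} b_j (a stand-in for the samples of Proposition 3.5)."""
    return [[Fraction(rng.randint(-8, 8), 2 ** ej) for ej in e0] for _ in range(m)]


def demo(n: int = 4, alpha: int = 3, ell: int = 2, seed: int = 1):
    e = build_tower(n, alpha, ell)
    X = sample_inputs(e[0], 2 ** (ell + alpha + 1), random.Random(seed))
    return e, X, run_tower(X, e)
```

With $n = 4$, $\alpha = 3$, $\ell = 2$ the exponents are $e_0 = (2,2,1,1)$, $e_1 = (1,1,1,0)$, $e_2 = (0,0,0,0)$; starting from $m = 2^{\ell+\alpha+1} = 64$ vectors the first step yields $\lceil(64-8)/2\rceil = 28$ vectors of $\mathcal{L}_1$, the second $10 \ge 2^\alpha$ vectors of $\mathcal{L}_2 = \mathcal{L}$, of which $M = 8$ are kept.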
For any $\varepsilon = \varepsilon(n) \in (0, n^{-1})$, there is a $2^{n/2 + O(n\log n/\log(1/\varepsilon)) + o(n)}$-time algorithm that solves $(100\sqrt{n}\,\bar\eta_\varepsilon)$-GSVP. In particular, if $\varepsilon = n^{-\omega(1)}$, then the running time is $2^{n/2+o(n)}$.

Proof. The algorithm takes as input a (basis for a) lattice $\mathcal{L} \subset \mathbb{R}^n$ with $n \ge 50$ and behaves as follows. Without loss of generality, we may assume that $\varepsilon > 2^{-n}$ and that the algorithm has access to a parameter $s$ with $50\,\bar\eta_\varepsilon(\mathcal{L}) \le s \le 60\,\bar\eta_\varepsilon(\mathcal{L})$. Let $\ell := \lfloor \log(1/\varepsilon)/\log 10 \rfloor - 1$ and $\alpha := \lceil n/2 + 10\,n\log n/\log(1/\varepsilon) \rceil$.

The algorithm first runs the procedure from Theorem 4.8 on input $\ell$, $\alpha$, and $\mathcal{L}$, receiving as output a tower of lattices $(\mathcal{L}_0,\dots,\mathcal{L}_\ell)$ with $\mathcal{L}_\ell = \mathcal{L}$. The algorithm then runs the procedure from Proposition 3.5 on input $\mathcal{L}_0$, $r := n/2$, $m := 2^{\ell+\alpha+1}$, and parameter $s' := 2^{-\ell/2}s$, receiving as output a sublattice $\widehat{\mathcal{L}} \subseteq \mathcal{L}_0$ and vectors $X_1,\dots,X_m \in \widehat{\mathcal{L}} \subseteq \mathcal{L}_0$. Finally, the algorithm runs the procedure from Proposition 4.9 on input $(\mathcal{L}_0,\dots,\mathcal{L}_\ell)$ and $X_1,\dots,X_m$, receiving as output $Y_1,\dots,Y_M \in \mathcal{L}_\ell = \mathcal{L}$. It then simply outputs the shortest non-zero vector amongst the $Y_i \in \mathcal{L}$. (If all of the $Y_i$ are zero, the algorithm fails.)

The running time of the algorithm is clearly $(m + 2^{r+o(r)})\cdot\mathrm{poly}(n,\ell,\log m) = 2^{n/2 + O(n\log n/\log(1/\varepsilon)) + o(n)}$.

We first show that the promise $s' \ge r^{n/r}\sqrt{n\log n}\cdot\bar\eta_\varepsilon(\mathcal{L}_0)$ needed to apply Proposition 3.5 is satisfied. Indeed, by the definition of a tower of lattices, we have $2^{-\lfloor\ell\alpha/n\rfloor}\mathcal{L} \subseteq \mathcal{L}_0$, so that
$$s' \ge 50\cdot 2^{-\ell/2}\cdot\bar\eta_\varepsilon(\mathcal{L}) \ge 50\cdot 2^{\lfloor\ell\alpha/n\rfloor - \ell/2}\cdot\bar\eta_\varepsilon(\mathcal{L}_0) \ge r^{n/r}\sqrt{n\log n}\cdot\bar\eta_\varepsilon(\mathcal{L}_0),$$
as needed. Therefore, the procedure from Proposition 3.5 succeeds, i.e., we have $\bar\eta_\varepsilon(\widehat{\mathcal{L}}) = \bar\eta_\varepsilon(\mathcal{L}_0)$ and the $X_i$ are distributed as independent samples from $D_{\widehat{\mathcal{L}},s'}$.

In particular, let $\mathcal{L}' \subseteq \widehat{\mathcal{L}} \subseteq \mathcal{L}_0$ be such that $\eta_\varepsilon(\mathcal{L}') = \bar\eta_\varepsilon(\widehat{\mathcal{L}}) = \bar\eta_\varepsilon(\mathcal{L}_0)$. Then, the distribution of $X_1,\dots,X_m$ is symmetric and $0$-similar to a mixture of Gaussians over $\mathcal{L}'$ with parameter $s' > 4\cdot 2^{(\alpha/n-1/2)\ell}\,\eta_\varepsilon(\mathcal{L}')$. We may therefore apply Proposition 4.9 and see that $Y_1,\dots,Y_M \in \mathcal{L}$ are $\delta$-similar to a mixture of independent Gaussians over $2^{\lceil\ell\alpha/n\rceil}\mathcal{L}'$ with parameter $s$ and $\delta := 10^\ell\varepsilon \le 1/10$, and that
$$\sum_{k=1}^M \mathbb{E}[\|Y_k\|^2] \le \sum_{i=1}^m \mathbb{E}[\|X_i\|^2] \le \frac{nm(s')^2}{\pi} = 2^{-\ell}\cdot\frac{nms^2}{\pi},$$
where the last inequality is Claim 2.11.

Finally, we notice that
$$s \ge 50\,\bar\eta_\varepsilon(\mathcal{L}) \ge 50\cdot 2^{\lfloor\ell\alpha/n\rfloor}\,\bar\eta_\varepsilon(\mathcal{L}_0) = 50\,\eta_\varepsilon(2^{\lfloor\ell\alpha/n\rfloor}\mathcal{L}') \ge 25\,\eta_\varepsilon(2^{\lceil\ell\alpha/n\rceil}\mathcal{L}') \ge 4e^{\delta}\,\eta_{1/2}(2^{\lceil\ell\alpha/n\rceil}\mathcal{L}').$$
Therefore, we may apply Corollary 4.4 to $Y_1,\dots,Y_M$ to conclude that with probability at least $1/10$, there exists $k \in \{1,\dots,M\}$ such that
$$0 < \|Y_k\|^2 < \frac{4}{M}\sum_{i=1}^M \mathbb{E}[\|Y_i\|^2] \le 2^{-\ell}\cdot\frac{4nms^2}{\pi M} = \frac{8ns^2}{\pi} \le 10^4\,n\,\bar\eta_\varepsilon(\mathcal{L})^2,$$
using $m/M = 2^{\ell+1}$ and $s \le 60\,\bar\eta_\varepsilon(\mathcal{L})$. In other words, $Y_k \in \mathcal{L}$ is a valid solution to $(100\sqrt{n}\,\bar\eta_\varepsilon)$-GSVP, as needed.

Corollary 4.11.
There is a $2^{n/2+o(n)}$-time algorithm that solves $\gamma$-SVP for any $\gamma = \gamma(n) \ge \omega(\sqrt{n\log n})$.

Proof. Theorem 4.10 gives an algorithm with the desired running time that finds a non-zero lattice vector with norm bounded by $100\sqrt{n}\,\bar\eta_\varepsilon(\mathcal{L})$ for $\varepsilon := 2^{-\gamma^2/(100^2 n)} < n^{-\omega(1)}$. The result follows from Lemma 3.1, which in particular tells us that
$$\bar\eta_\varepsilon(\mathcal{L}) \le \sqrt{\log(1/\varepsilon)}\,\lambda_1(\mathcal{L}) \le \frac{\gamma}{100\sqrt{n}}\cdot\lambda_1(\mathcal{L}),$$
as needed.

Corollary 4.12. There is a $2^{n/2+o(n)}$-time algorithm that solves $\gamma$-HSVP for any $\gamma = \gamma(n) \ge \omega(\sqrt{n}\log n)$.

Proof. Theorem 4.10 gives an algorithm with the desired running time that finds a non-zero lattice vector with norm bounded by $100\sqrt{n}\,\bar\eta_\varepsilon(\mathcal{L})$ for $\varepsilon := 2^{-\gamma^2/(10^4 n\log^2 n)} < n^{-\omega(1)}$. The result follows from Lemma 3.1, which in particular tells us that
$$\bar\eta_\varepsilon(\mathcal{L}) \le \sqrt{\log(1/\varepsilon)}\,(\log n + 2)\det(\mathcal{L})^{1/n} \le \frac{\gamma}{100\sqrt{n}}\cdot\det(\mathcal{L})^{1/n},$$
as needed (where we have assumed without loss of generality that $n$ is sufficiently large).

5 Basis reduction

Basis reduction algorithms solve $\delta$-(H)SVP in dimension $n$ by making polynomially many calls to a $\delta'$-SVP algorithm on lattices in dimension $k < n$. We will show in this section how to modify the basis reduction algorithm from [GN08, ALNS20] to prove Theorem 1.2.

Here, we introduce our notion of a reduced basis. This differs from prior work in that we consider the possibility that the length $\ell$ of the last block is not equal to $k$, and we use HSVP reduction where other works use SVP reduction. E.g., taking $\ell = k$ and replacing (D)HSVP reduction with (D)SVP reduction in Item 2 recovers the definition from [ALNS20]. (Taking $\ell = k$ and $q = 0$ and replacing all (D)HSVP reduction with (D)SVP reduction recovers the original definition in [GN08].)

Definition 5.1 (Slide reduction). Let $n, k, p, q, \ell$ be integers such that $n = pk + q + \ell$ with $p \ge 1$, $k, \ell \ge 2$ and $0 \le q \le k-1$. Let $\delta_H \ge 1$ and $\delta_S \ge 1$. A basis $B \in \mathbb{R}^{m\times n}$ is $(\delta_H, k, \delta_S, \ell)$-slide-reduced if it is size-reduced and satisfies the following three sets of constraints.
1. The block $B_{[1,k+q+1]}$ is $\eta$-twin-reduced for $\eta := \delta_H^{(k+q-1)/(k-1)}$.
2. For all $i \in [1, p-1]$, the block $B_{[ik+q+1,(i+1)k+q+1]}$ is $\delta_H$-twin-reduced.
3. The block $B_{[pk+q+1,n]}$ is $\delta_S$-SVP-reduced.

Theorem 5.2.
For any $\delta_H, \delta_S \ge 1$, $k \ge 2$, $\ell \ge 2$, if $B \in \mathbb{R}^{n\times n}$ is a $(\delta_H, k, \delta_S, \ell)$-slide-reduced basis of a lattice $\mathcal{L}$ with $\lambda_1(\mathcal{L}(B_{[1,n-\ell]})) > \lambda_1(\mathcal{L})$, then
$$\|b_1\| \le \delta_S\,(\delta_H)^{2(n-\ell)/(k-1)}\,\lambda_1(\mathcal{L}).$$

Proof. By Fact 2.22,
$$\|b_1\| \le \eta^{2(k+q)/(k+q-1)}\,\|b^*_{k+q+1}\| = \delta_H^{2(k+q)/(k-1)}\,\|b^*_{k+q+1}\|.$$
Also, for all $i \in [1, p-1]$, $\|b^*_{ik+q+1}\| \le \delta_H^{2k/(k-1)}\,\|b^*_{(i+1)k+q+1}\|$. All together we have
$$\|b_1\| \le (\delta_H)^{\frac{2(k+q) + 2(p-1)k}{k-1}}\,\|b^*_{pk+q+1}\| = (\delta_H)^{\frac{2(n-\ell)}{k-1}}\,\|b^*_{pk+q+1}\|.$$
Lastly, since $\lambda_1(\mathcal{L}(B_{[1,n-\ell]})) > \lambda_1(\mathcal{L})$, a shortest non-zero vector of $\mathcal{L}$ has non-zero projection onto the last block, so $\|b^*_{pk+q+1}\| \le \delta_S\,\lambda_1(\mathcal{L}(B_{[pk+q+1,n]})) \le \delta_S\,\lambda_1(\mathcal{L})$. The result follows.

5.2 The slide reduction algorithm

We show our algorithm for generating a slide-reduced basis. We stress that this is essentially the same algorithm as in [ALNS20] (which itself is a generalization of the algorithm in [GN08]) with a slight modification that allows the last block to have arbitrary length $\ell$. Our proof for bounding the running time of the algorithm is therefore essentially identical to the proof in [GN08, ALNS20].

Algorithm 3
Our slide-reduction algorithm
Input: Block size $k \ge 2$, slack $\varepsilon > 0$, approximation factors $\delta_H, \delta_S \ge 1$, a basis $B = (b_1,\dots,b_n) \in \mathbb{Z}^{m\times n}$ of a lattice $\mathcal{L}$ of rank $n = pk + q + \ell$ with $0 \le q \le k-1$, and access to a $\delta_H$-HSVP oracle for lattices with rank $k$ as well as a $\delta_S$-SVP oracle for lattices with rank $\ell$.
Output: A $((1+\varepsilon)\delta_H, k, \delta_S, \ell)$-slide-reduced basis of $\mathcal{L}(B)$.
  while $\mathrm{vol}(B_{[1,ik+q]})$ is modified by the loop for some $i \in [1,p]$ do
    $(1+\varepsilon)\eta$-HSVP-reduce $B_{[1,k+q]}$ using Alg. 1, for $\eta := (\delta_H)^{(k+q-1)/(k-1)}$.
    for $i = 1$ to $p-1$ do
      $\delta_H$-HSVP-reduce $B_{[ik+q+1,(i+1)k+q]}$.
    end for
    $\delta_S$-SVP-reduce $B_{[pk+q+1,n]}$.
    if $B_{[2,k+q+1]}$ is not $(1+\varepsilon)\eta$-DHSVP-reduced then
      $(1+\varepsilon)^{1/2}\eta$-DHSVP-reduce $B_{[2,k+q+1]}$ using Alg. 1.
    end if
    for $i = 1$ to $p-1$ do
      Find a new basis $C := (b_1,\dots,b_{ik+q+1},\ c_{ik+q+2},\dots,c_{(i+1)k+q+1},\ b_{(i+1)k+q+2},\dots,b_n)$ of $\mathcal{L}$ by $\delta_H$-DHSVP-reducing $B_{[ik+q+2,(i+1)k+q+1]}$.
      if $(1+\varepsilon)\,\|b^*_{(i+1)k+q+1}\| < \|c^*_{(i+1)k+q+1}\|$ then
        $B \leftarrow C$.
      end if
    end for
  end while
  return $B$.

Theorem 5.3.
For $\varepsilon \in [1/\mathrm{poly}(n), 1]$, Algorithm 3 runs in polynomial time (excluding oracle calls), makes polynomially many calls to its $\delta_H$-HSVP oracle and $\delta_S$-SVP oracle, and outputs a $((1+\varepsilon)\delta_H, k, \delta_S, \ell)$-slide-reduced basis of the input lattice $\mathcal{L}$.

Proof. First, notice that if Algorithm 3 ever terminates, the output must be a $((1+\varepsilon)\delta_H, k, \delta_S, \ell)$-slide-reduced basis. It remains to show that the algorithm terminates in polynomially many steps (excluding oracle calls).

Let $B_0 \in \mathbb{Z}^{m\times n}$ be the input basis and let $B \in \mathbb{Z}^{m\times n}$ denote the current basis during the execution of Algorithm 3. Following the analysis of basis reduction algorithms in [LLL82, GN08, LN14, ALNS20], we consider an integral potential of the form
$$P(B) := \prod_{i=1}^{p} \mathrm{vol}(B_{[1,ik+q]})^2 \in \mathbb{Z}^+.$$
At the beginning of the algorithm, the potential satisfies $\log P(B_0) \le 2pn\cdot\log\|B_0\|$. For each of the primal steps (i.e., Steps 2, 4 and 6), the lattice $\mathcal{L}(B_{[1,ik+q]})$ does not change for any $i$, so $P(B)$ does not change. On the other hand, the dual steps (i.e., Steps 8 and 13) either leave $\mathrm{vol}(B_{[1,ik+q]})$ unchanged for all $i$ or decrease $P(B)$ by a multiplicative factor of at least $(1+\varepsilon)$.

Therefore, there are at most $\log P(B_0)/\log(1+\varepsilon)$ updates on $P(B)$ by Algorithm 3. This directly implies that the algorithm makes at most $4pn\log\|B_0\|/\log(1+\varepsilon)$ calls to the HSVP oracle, the SVP oracle, and Algorithm 1. We then conclude that Algorithm 3's running time is bounded by some polynomial in the size of the input (excluding the running time of oracle calls).

Corollary 5.4.
For any constant $c \ge 1$, there is a randomized algorithm that solves $\tilde{O}(n^c)$-SVP that runs in $2^{k/2+o(k)}$ time for $k :=$ nc +5 / (8 . (the exact expression for $k$ is not legible in this copy).

Proof. Let $\ell := 0.5k/0.802$ and run Algorithm 3, instantiating the oracles with the $O(\mathrm{polylog}(n)\sqrt{n})$-HSVP algorithm from Corollary 4.12 and the $O(1)$-SVP algorithm from [LWXZ11], to get a $((1+\varepsilon)\,\mathrm{polylog}(k)\sqrt{k},\ k,\ O(1),\ \ell)$-slide-reduced basis $B$ for any input lattice $\mathcal{L}$. Now consider two cases:

• $\lambda_1(\mathcal{L}(B_{[1,n-\ell]})) > \lambda_1(\mathcal{L})$: By Theorem 5.2, $\|b_1\| \le \delta_S(\delta_H)^{2(n-\ell)/(k-1)}\lambda_1(\mathcal{L}) \le O(\mathrm{polylog}(k)^c\, n^c)\,\lambda_1(\mathcal{L})$, as desired.
• $\lambda_1(\mathcal{L}(B_{[1,n-\ell]})) = \lambda_1(\mathcal{L})$: Then we repeat the algorithm on the lattice $\mathcal{L}(B_{[1,n-\ell]})$ of lower dimension. This can happen at most $n/\ell$ times, introducing at most a polynomial factor in the running time.

For the running time, the algorithm from Corollary 4.12 runs in time $2^{0.5k+o(k)}$. The algorithm from [LWXZ11] runs in time $2^{0.802\ell+o(\ell)}$, which is the same as $2^{0.5k+o(k)}$ by our choice of $\ell$. This completes the proof.

References

[ADRS15] Divesh Aggarwal, Daniel Dadush, Oded Regev, and Noah Stephens-Davidowitz. Solving the Shortest Vector Problem in $2^n$ time via discrete Gaussian sampling. In STOC, 2015. http://arxiv.org/abs/1412.7994
[AKS01] Miklós Ajtai, Ravi Kumar, and D. Sivakumar. A sieve algorithm for the Shortest Lattice Vector Problem. In STOC, 2001.
[ALNS20] Divesh Aggarwal, Jianwei Li, Phong Q. Nguyen, and Noah Stephens-Davidowitz. Slide reduction, revisited: Filling the gaps in SVP approximation. In CRYPTO, 2020.
[AS04] Noga Alon and Joel H. Spencer. The Probabilistic Method. John Wiley & Sons, 2004.
[AS18] Divesh Aggarwal and Noah Stephens-Davidowitz. Just take the average! An embarrassingly simple $2^n$-time algorithm for SVP (and CVP). In SOSA, 2018. http://arxiv.org/abs/1709.01535
[AUV19] Divesh Aggarwal, Bogdan Ursu, and Serge Vaudenay. Faster sieving algorithm for approximate SVP with constant approximation factors. https://eprint.iacr.org/2019/1028, 2019.
[BLP+13] Zvika Brakerski, Adeline Langlois, Chris Peikert, Oded Regev, and Damien Stehlé. Classical hardness of Learning with Errors. In STOC, 2013.
[DR16] Daniel Dadush and Oded Regev. Towards strong reverse Minkowski-type inequalities for lattices. In FOCS, 2016. http://arxiv.org/abs/1606.06913
[DRS14] Daniel Dadush, Oded Regev, and Noah Stephens-Davidowitz. On the Closest Vector Problem with a distance guarantee. In CCC, 2014.
[GMPW20] Nicholas Genise, Daniele Micciancio, Chris Peikert, and Michael Walter. Improved discrete Gaussian and subgaussian analysis for lattice cryptography. In PKC, 2020. https://eprint.iacr.org/2020/337
[GN08] Nicolas Gama and Phong Q. Nguyen. Finding short lattice vectors within Mordell's inequality. In STOC, 2008.
[GPV08] Craig Gentry, Chris Peikert, and Vinod Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. In STOC, 2008. https://eprint.iacr.org/2007/432
[Kan83] Ravi Kannan. Improved algorithms for integer programming and related lattice problems. In STOC, 1983.
[LLL82] Arjen K. Lenstra, Hendrik W. Lenstra, Jr., and László Lovász. Factoring polynomials with rational coefficients. Mathematische Annalen, 261(4), 1982.
[LN14] Jianwei Li and Phong Q. Nguyen. Approximating the densest sublattice from Rankin's inequality.
LMS J. of Computation and Mathematics , 17(A), 2014. 13, 23[Lov86] L´aszl´o Lov´asz.
An algorithmic theory of numbers, graphs and convexity . Society forIndustrial and Applied Mathematics, 1986. 2[LWXZ11] Mingjie Liu, Xiaoyun Wang, Guangwu Xu, and Xuexin Zheng. Shortest lattice vectorsin the presence of gaps. http://eprint.iacr.org/2011/139 , 2011. 1, 3, 24[MP13] Daniele Micciancio and Chris Peikert. Hardness of SIS and LWE with small parameters.In
CRYPTO , 2013. 5, 6[MR07] Daniele Micciancio and Oded Regev. Worst-case to average-case reductions based onGaussian measures.
SIAM Journal on Computing , 37(1):267–302, 2007. 5, 6, 9[MV13] Daniele Micciancio and Panagiotis Voulgaris. A deterministic single exponential timealgorithm for most lattice problems based on Voronoi cell computations.
SIAM J. onComputing , 42(3), 2013. 1[MW16] Daniele Micciancio and Michael Walter. Practical, predictable lattice basis reduction.In
Eurocrypt , 2016. http://eprint.iacr.org/2015/1123 . 3, 13, 14[NIS18] Computer Security Division NIST. Post-quantum cryptography. https://csrc.nist.gov/Projects/Post-Quantum-Cryptography , 2018. 1[NV08] Phong Q. Nguyen and Thomas Vidick. Sieve algorithms for the Shortest Vector Prob-lem are practical.
J. Mathematical Cryptology , 2(2), 2008. 1[Pei16] Chris Peikert. A decade of lattice cryptography.
Foundations and Trends in TheoreticalComputer Science , 10(4), 2016. 1[PS09] Xavier Pujol and Damien Stehl´e. Solving the Shortest Lattice Vector Problem in time2 . n , 2009. http://eprint.iacr.org/2009/605 . 1[Reg09] Oded Regev. On lattices, learning with errors, random linear codes, and cryptography. Journal of the ACM (JACM) , 56(6):34, 2009. 9[RS17] Oded Regev and Noah Stephens-Davidowitz. A reverse Minkowski theorem. In
STOC ,2017. 1, 6, 14[Sch87] Claus-Peter Schnorr. A hierarchy of polynomial time lattice basis reduction algorithms.
Theor. Comput. Sci. , 53(23), 1987. 1[SE94] Claus-Peter Schnorr and M. Euchner. Lattice basis reduction: Improved practicalalgorithms and solving subset sum problems.
Mathmatical Programming , 66, 1994. 1[Ste17] Noah Stephens-Davidowitz.
On the Gaussian measure over lattices . Phd thesis, NewYork University, 2017. 2[WLW15] Wei Wei, Mingjie Liu, and Xiaoyun Wang. Finding shortest lattice vectors in the25resence of gaps. In