Minkowski's convex body theorem and integer programming


in a lattice yields a polynomial time algorithm for factoring polynomials over the rationals. All these ideas were first published in an important paper of Lenstra, Lenstra and Lovasz (1982). This paper is referred to henceforth as the LLL paper. Here, the following result from the LLL paper is used: given a set of vectors b_1, b_2, ..., b_n, we can find in polynomial time a nonzero integer linear combination of them whose length is at most 2^{n/2} times the length of any (other) nonzero integer linear combination. In addition, we will need a technical result from H. W. Lenstra's paper which is due to Lovasz. This result is stated in the section on integer programming.
Section 1 introduces lattices and proves Minkowski's theorem. Section 2 presents an algorithm for finding a "more reduced basis" of a lattice than the LLL algorithm does. While the end product of this algorithm is better because it is "more reduced", it also takes more time (O(n^n s) arithmetic operations) than the LLL algorithm. The first vector of the "more reduced basis" will be a shortest nonzero vector in the lattice. This solves the SVP mentioned in the abstract. Section 2 closes with a proof of correctness and a bound on the number of arithmetic operations. Section 3, the most technical section of the paper, proves bounds on the size of the numbers produced by the algorithm of section 2.
The second major algorithm in the paper solves the CVP and is given in section 4. It uses the algorithm for finding the "more reduced basis" as a subroutine. After these, the algorithm for integer programming is given in section 5. It performs O(n^{2n} s) arithmetic operations for an n variable problem and produces numbers with O(n^{2n} s) bits, where s is the length of the input. In a recent paper, Frank and Tardos (1985) show that all the numbers can be kept polynomially bounded in their number of bits. Their improvement also brings down the number of arithmetic operations of the algorithm to O(n^n s).
Here is a brief overview of the algorithms: the algorithm for the SVP first solves it approximately, then enumerates a bounded number of candidates for the shortest nonzero vector and chooses the best. Minkowski's theorem implies that this set of candidates suffices. In the algorithms for the CVP and integer programming, the original problem is transformed so that, by appealing to Minkowski's theorem, the transformed problem can be reduced to a bounded number of lower dimensional problems.
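The enumerate-and-choose step can be illustrated with a toy brute force. This is only a naive stand-in for the paper's bounded enumeration; the function name and the coefficient bound are illustrative assumptions, not part of the paper:

```python
from itertools import product

def shortest_nonzero(basis, bound):
    """Enumerate integer coefficient vectors with |coef_i| <= bound and
    return the shortest nonzero lattice vector among them (brute force)."""
    best = None
    n = len(basis)
    for coefs in product(range(-bound, bound + 1), repeat=n):
        if all(c == 0 for c in coefs):
            continue
        v = [sum(c * b[j] for c, b in zip(coefs, basis))
             for j in range(len(basis[0]))]
        norm2 = sum(x * x for x in v)
        if best is None or norm2 < best[0]:
            best = (norm2, v)
    return best

# toy 2-dimensional lattice: a shortest nonzero vector has squared length 2
print(shortest_nonzero([[3, 1], [2, 2]], 3))   # → (2, [-1, 1])
```

The real algorithm's contribution is precisely that the candidate set (here a crude cube of coefficient vectors) can be kept small enough to enumerate.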
The last section of the paper contains some results on complexity. The Closest Vector Problem is shown to be NP-hard by reducing 3-dimensional matching to it. Then the Yes/No question that corresponds to the Shortest Vector Problem in a natural way is defined: namely, the question of whether there is a nonzero integer linear combination of a set of given vectors of length less than or equal to a given number. The SVP is shown to be polynomial-time reducible to this Yes/No question. Then, using a technique called "homogenization" from polyhedral theory, it is shown that the problem of solving the CVP to within a factor of √(n/2) is polynomial-time reducible to the Yes/No question. I conjecture that this approximate version of the CVP is NP-hard. If the conjecture is proved, it would follow that the Yes/No question is NP-complete in the sense of Cook (1971), where the reduction essentially is a Cook (Turing) reduction rather than a many-one reduction. At present, every language that is known to be NP-complete in the sense of Cook is also NP-complete in the sense of Karp (1972), i.e., in all the known cases the reductions are many-one. Thus, the proof of NP-hardness of the approximate version of the CVP is an interesting open problem.
After the preliminary version of this paper appeared, Helfrich (1985) has made some improvements in the running time of some of the algorithms. I refer the reader to her paper for the improvements. Schnorr (1984) uses the algorithm presented here for solving the SVP to obtain polynomial time algorithms for finding better approximations to the shortest vector than the LLL paper.

For any set of vectors b_1, b_2, ..., b_n, we reserve the notation b_i(j) for the real numbers defined in (1.7) and b(i, j) for the vectors defined in (1.7)'.
For any lattice L (see the definition in the next section), λ_1(L) will denote the length of a shortest nonzero vector in the lattice.
The programs in this paper will be written in "pidgin" ALGOL. The language is close enough to English that the reader should have no problem with it. I adopt the convention that the statement "Return x" means: stop execution and output x.

Thus making a unimodular transformation of the basis leaves the lattice unchanged. Indeed, the converse is also true.

Lemma (1.1)

Suppose B and B′ are n × m and k × m matrices, each with independent rows, and suppose the rows of B and B′ generate the same lattice. Then k equals n and there is a unimodular matrix U such that UB = B′.

The lower triangular representation of the basis matrix:

    b_1(1)   0        ...   0
    b_2(1)   b_2(2)   ...   0
     ...      ...     ...   ...
    b_n(1)   b_n(2)   ...   b_n(n)

I caution that these entries may be irrational and cannot be exactly computed in general. So, in the algorithms I do not change the coordinate system, but conceptually it is easier to think of the basis matrix as being written in this form.
The determinant of L(b_1, b_2, ..., b_n), denoted d(L(b_1, b_2, ..., b_n)), is defined to be the absolute value of the determinant of the lower triangular n × n matrix whose entries are the b_i(j). Clearly, this equals the product of the lengths of the b_i^*, i = 1, 2, ..., n. Thus while the determinant may not be rational even if the coordinates of b_1, b_2, ..., b_n are, the square of the determinant is, and it can be computed in polynomial time.
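The last remark can be checked directly: d(L)^2 equals the determinant of the Gram matrix B Bᵀ, which is a rational (here integer) quantity computable exactly by Gaussian elimination. A minimal sketch, with names of my own choosing:

```python
from fractions import Fraction

def gram_det_squared(basis):
    """d(L)^2 = det(B B^T), computed exactly over the rationals."""
    n = len(basis)
    # Gram matrix of the basis vectors
    G = [[Fraction(sum(x * y for x, y in zip(basis[i], basis[j])))
          for j in range(n)] for i in range(n)]
    det = Fraction(1)
    for k in range(n):
        # pivot: some row below has a nonzero entry since the rows are independent
        piv = next(r for r in range(k, n) if G[r][k] != 0)
        if piv != k:
            G[k], G[piv] = G[piv], G[k]
            det = -det
        det *= G[k][k]
        for r in range(k + 1, n):
            f = G[r][k] / G[k][k]
            for c in range(k, n):
                G[r][c] -= f * G[k][c]
    return det

print(gram_det_squared([[3, 1], [2, 2]]))   # → 16, since |det[[3,1],[2,2]]| = 4
```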
We are often interested in "projecting" and "lifting" vectors. Projecting a vector b onto the hyperplane through the origin with v as the normal yields the vector b − ((b, v)/(v, v)) v. The projection of b in the direction of v is the vector ((b, v)/(v, v)) v. To project perpendicular to a subspace, we find an orthogonal basis of the subspace and project perpendicular to each basis vector successively; this is the Gram-Schmidt procedure described in (1.2) and (1.3). To project onto a subspace means to project perpendicular to its orthogonal complement. The projection of a set is the set of projections of its elements. Suppose v is a nonzero element of a lattice L and L̄ is the projection of L perpendicular to v. If w̄ is any vector in L̄, we may "lift" it to a vector in L as follows: it is easy to see that there is a unique vector w in L such that w projects onto w̄ and (w, v) ∈ (−(v, v)/2, (v, v)/2]. To see this, note that we may take any vector u which projects onto w̄ and add a suitable integer multiple of v to u to get a u′ whose projection in the direction of v has length at most |v|/2, which is exactly what the dot product condition above stipulates. Indeed, let r = [(u, v)/(v, v)], where [x] stands for the integer nearest to the real number x. Let u′ = u − rv. Then |(u′, v)| ≤ (1/2)(v, v). The process described here will be called lifting w̄ to w.
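The lifting step can be sketched directly from these formulas. One detail the text leaves implicit is the tie at (u, v)/(v, v) = r + 1/2: rounding the half down makes the dot product land in the half-open interval (−(v,v)/2, (v,v)/2]. The helper name is mine:

```python
import math
from fractions import Fraction

def lift(u, v):
    """Compute u' = u - r*v with r the integer nearest to (u,v)/(v,v),
    ties rounded down so that (u',v) lands in (-(v,v)/2, (v,v)/2]."""
    t = Fraction(sum(a * b for a, b in zip(u, v)),
                 sum(b * b for b in v))
    r = math.ceil(t - Fraction(1, 2))   # nearest integer, halves rounded down
    return [a - r * b for a, b in zip(u, v)]

print(lift([5, 3], [2, 0]))   # → [1, 3]: (u', v) = 2 = (v,v)/2, inside the interval
```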
A set S in R^n is said to be discrete if there is a positive real number δ so that |v − u| ≥ δ for all u, v ∈ S with u ≠ v. S is a Z-module if it forms a group under vector addition.
Proposition 1.8: A set S in Z^n is a lattice if and only if it is a discrete Z-module.

Proof: Suppose S is a lattice with basis b_1, b_2, ..., b_m. Then clearly it is a Z-module. If it is not a discrete set, then it contains points arbitrarily close to, and not equal to, the origin (since it is a Z-module). This is impossible, since the lattice has no points other than the origin inside the parallelepiped {x : x = Σ_{j=1}^m λ_j b_j ; |λ_j| < 1}, because b_1, b_2, ..., b_m are independent. The converse will be proved by induction on the dimension of the vector space span of the set S. If this dimension is 1, S must be the set of integer multiples of a single vector. Suppose S is a discrete Z-module of dimension m greater than 1. Suppose δ > 0 is the greatest lower bound on |u − v| for u, v ∈ S. There must be a v ∈ S such that |v| = δ. (Otherwise, there is an infinite sequence of distinct elements u_1, u_2, ... in S so that |u_i| converges from above to δ; there is then a convergent subsequence of it. The distance between elements of the subsequence goes to zero, violating the fact that δ is positive.) I will construct a basis of S with v as the first basis vector. Towards this end, define S̄ as the projection of S perpendicular to v. It is obvious that S̄ is a Z-module. I claim that it is a discrete set: if not, there is a sequence of elements ū_1, ū_2, ... in S̄ that converges to the origin. By the paragraph preceding the proposition, they can be lifted to v_1, v_2, ... in S so that the projection of each v_i in the direction of v has length at most |v|/2. Hence the v_i form a bounded sequence, and so there is a subsequence of the v_i that converges. This violates the discreteness of S. So, S̄ is a discrete Z-module of dimension m − 1.

The algorithm for finding the shortest vector

In this section, I describe an algorithm to find a shortest nonzero vector in a lattice given by a basis b_1, b_2, ..., b_n. This algorithm actually finds a "reduced basis" of the lattice, of which the first vector will be a shortest vector in the lattice (the definition of a reduced basis used in this paper is found in (2.6)). The algorithm of this section will be used in the integer programming algorithm in two ways: it is needed as a subroutine there, and, perhaps more importantly, this section develops a technique that is used both in the integer programming algorithm and in the algorithm for the closest vector problem. I will give an overview of this technique in the next paragraph.
The algorithm is a recursive procedure: it works by calling subroutines for lattices of dimension n − 1 or less, where n is the dimension of the given lattice. It will be shown that an "approximately" reduced basis can be found by these recursive calls. Then the shortest vector is found by enumerating all of a finite set of candidates. That this finite set is not too large will follow from Minkowski's theorem on convex bodies. The paper of Helfrich (1985) referred to earlier improves the bound on the size of the finite set.
Here is how the algorithm works: suppose we are given a basis b_1, b_2, ..., b_n of a lattice L = L(b_1, b_2, ..., b_n). Using polynomially many (in n alone) calls to lower dimensional subroutines, the algorithm finds a basis a_1, a_2, ..., a_n of the lattice L which satisfies the following properties: whereas in the reduced basis of LLL (1982) the length of the first vector is guaranteed to be at most 2^{n/2} d(L)^{1/n}, for the basis here one can prove (2.4) below using Minkowski's theorem, conditions (2.1), (2.2) and (2.3), and the fact that d(L) = |a_1| d(L_2(a_1, a_2, ..., a_n)).

|a_1| ≤ √n · d(L)^{1/n}    (2.4)
In other words, our a_1 is a much shorter vector than theirs, but of course we will spend more time finding it.
Having obtained such a basis a_1, a_2, ..., a_n, I show that the shortest vector in the lattice must be of the form y = Σ_{i=1}^n α_i a_i, where (α_1, α_2, ..., α_n) ∈ T, with T a subset of Z^n. I show that it is enough to consider a set T of cardinality at most

2^n |a_1|^n / d(L)    (2.5)

(2.4) is used to bound the expression (2.5) in terms of n alone. We enumerate all elements of T, find the corresponding y, and take the shortest of these, which must then be the shortest vector in the lattice. Intuitively, here is how (2.5) is derived. Let A be the basis matrix with rows a_1, a_2, ..., a_n and let λ = (λ_1, λ_2, ..., λ_n) be a row vector of integers so that λA is a shortest nonzero vector of the lattice. Since a_1 is obviously a nonzero vector in the lattice, the shortest vector must have length at most |a_1|; thus λA must belong to a cube of side 2|a_1| with the origin as center and edges parallel to the axes. This cube has volume 2^n |a_1|^n. Applying the linear transformation A^{-1} to the cube, we get a parallelepiped P of volume 2^n |a_1|^n det(A^{-1}), which equals the expression (2.5), and the integer vector λ must belong to P for λA to belong to the cube. So, we can enumerate all the integer vectors in P and find the one that leads to the shortest nonzero vector of the lattice. We would expect the number of integer vectors in P to be roughly the volume of P. This describes the idea behind (2.5); I caution that a proper argument involves several delicate points which will be dealt with later.
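The counting argument above can be sketched in code: map the corners of the cube through A^{-1} to get a bounding box for the parallelepiped P, then enumerate its integer points. This is only an illustration of the argument, not the paper's actual enumeration, and all names are mine; the bounding box uses floating point, which is adequate for the toy integer example:

```python
import math
from fractions import Fraction
from itertools import product

def invert(A):
    """Exact inverse of an integer matrix via Gauss-Jordan over the rationals."""
    n = len(A)
    M = [[Fraction(A[i][j]) for j in range(n)] +
         [Fraction(int(i == j)) for j in range(n)] for i in range(n)]
    for k in range(n):
        piv = next(r for r in range(k, n) if M[r][k] != 0)
        M[k], M[piv] = M[piv], M[k]
        p = M[k][k]
        M[k] = [x / p for x in M[k]]
        for r in range(n):
            if r != k and M[r][k] != 0:
                f = M[r][k]
                M[r] = [x - f * y for x, y in zip(M[r], M[k])]
    return [row[n:] for row in M]

def shortest_by_enumeration(A):
    """Candidates lam with lam*A no longer than a_1 lie in the parallelepiped
    P = (cube of side 2|a_1|) * A^{-1}; enumerate integer points of a box around P."""
    n = len(A)
    Ainv = invert(A)
    a1 = math.sqrt(sum(x * x for x in A[0]))
    # bounding box of P: |lam_j| is at most |a_1| * sum_i |Ainv[i][j]|,
    # since P's bounding box is attained at images of the cube's corners
    bounds = [math.floor(a1 * float(sum(abs(Ainv[i][j]) for i in range(n))))
              for j in range(n)]
    best = None
    for lam in product(*(range(-b, b + 1) for b in bounds)):
        if any(lam):
            v = [sum(lam[i] * A[i][j] for i in range(n)) for j in range(n)]
            norm2 = sum(x * x for x in v)
            if best is None or norm2 < best[0]:
                best = (norm2, v)
    return best

print(shortest_by_enumeration([[3, 1], [2, 2]]))   # → (2, [-1, 1])
```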
We find an entire reduced basis instead of just the shortest vector to facilitate the recursion. First, here is the definition of reduced basis with which we will work.

Definition 2.6: A basis v_1, v_2, ..., v_n of the lattice L(v_1, v_2, ..., v_n) is called a reduced basis if (2.7) and (2.8) below are satisfied.
Note that the difference between (2.1) and (2.7) is that (2.7) includes j = 1 whereas (2.1) does not. Thus, in the lower triangular representation, every diagonal entry is the length of the shortest vector in the lattice generated by the rows of the square submatrix of which it is the top left entry. The essential feature of the LLL reduced basis is that in the lower triangular representation, the j-th diagonal entry is the length of the shortest vector in the 2-dimensional lattice generated by the rows of the submatrix containing rows j, j + 1 and columns j, j + 1 of the basis matrix. Here, instead, the submatrix is not 2 × 2 but (n − j + 1) × (n − j + 1). Schnorr (1984) generalizes the LLL reduced basis to allow k × k submatrices for any fixed k. Schnorr's algorithm uses the algorithm SHORTEST of this section as a subroutine to make the k × k matrices reduced in the sense defined here.

of L(b_1, b_2, ..., b_n, b_{n+1}) in the direction of b_1 must thus be an integer combination of b_1 and (p/q)b_1. Thus any vector of L(b_1, b_2, ..., b_n, b_{n+1}) in the direction of b_1 is an integer multiple of (1/q)b_1. Conversely, since (p/q)b_1 and (q/q)b_1 both belong to the set of such multiples and p, q are relatively prime, (1/q)b_1 does too. By proposition 2.15, the vector v_1 at the end of step 12 is indeed a shortest vector of the lattice. Using proposition 2.9 and the inductive assumption on step 14, the current lemma follows. □

This completes the proof of correctness. As for the time bound, I will split it into two parts: a bound on the number of arithmetic operations (additions, subtractions, multiplications, divisions and comparisons with operands that are rational numbers) and a bound on the operand sizes. The number of arithmetic operations will depend on the dimension n of the problem as well as the length s of the input. However, going through the procedure SHORTEST step by step, we see that the total number of arithmetic operations performed while the procedure is not inside a call to the LLL basis reduction algorithm is bounded by a function of n alone; it does not depend on s. This is seen by an inductive proof using proposition 2.12. Unfortunately, the same does not hold for LLL. In the next section (proposition 3.8), I show that the total number of arithmetic operations performed by SHORTEST in all the calls to LLL is O(n^n s). For now, I will assume this proposition.

SHORTEST(n; ...) finds a reduced basis satisfying (2.7) and (2.8) in O(n^n s) arithmetic operations, where s is the length of the input.
Note: In common usage, we might call this an O(n^n s)-algorithm. This, however, counts only the number of arithmetic operations and ignores the size of the operands. In an algorithm such as this one, which manipulates numbers and keeps them all precisely, it is important to prove bounds on the size of the numbers. I do so in the next section.
Proof: Let T(n) be the maximum number of arithmetic operations performed by SHORTEST(n; ...) while not inside a call to LLL. It is easily seen that all steps of the algorithm, except the recursive calls to SHORTEST, the enumeration and the calls to LLL, call for a number of arithmetic operations bounded by a polynomial in n alone. Thus we have (by proposition 2.12 and lemma 2.14) a recurrence for T(n) whose solution is O(n^n).

We assume that the original input consists of integers. It is easy to see then that all the numbers produced by the algorithm are rational numbers. In what follows, I will derive bounds on the size of the numerators and denominators of all these numbers. The numerator of a rational is of course bounded in absolute value by its magnitude times its denominator, so really the bounds will be on the magnitude and the denominator of each rational.
First, we observe that even though the algorithm works on various projected lattices, there is always an implicit "current basis" of the original n-dimensional input lattice. This is true of step 2 (of SHORTEST), from the Lenstra, Lenstra and Lovasz algorithm. In step 4, we work on the projected lattice L_2(b_1, b_2, ..., b_n), but since there is a natural way to "lift" any element of L_2(b_1, b_2, ..., b_n) to L(b_1, b_2, ..., b_n) (see section 1), we can assume that implicitly we have a basis of the whole lattice L(b_1, b_2, ..., b_n), provided we can assume that during step 4, while the algorithm is working on L_2(b_1, b_2, ..., b_n), it has a basis of L_2(b_1, b_2, ..., b_n). By induction, we may indeed assume this, and thus there is always an implicit basis of the whole lattice during step 4. Step 5 explicitly computes this implicit basis. By the definition of lifting, note that the basis constructed in steps 5, 6, 7 satisfies (2.8); we will refer to any such basis as "proper". The LLL algorithm always explicitly maintains a basis of the input lattice. Unfortunately, however, this basis is not proper at all times. However, when the LLL algorithm terminates, the basis will be proper.

Running through the algorithm SHORTEST, we see that at the end of step 9 there is a "current basis" of the whole lattice which is not disturbed until SELECT-BASIS is executed in step 13. At the end of step 13, we have a different current basis, but it is easy to see, by induction and the definition of "lifting", that it is again proper.

Proposition 3.2: max_{i=1}^n b_i(i) never increases during the execution of SHORTEST.

Proof: We consider the algorithm step by step. The proof is by induction on n. For n = 1, the proof is trivial. So assume n ≥ 2. For step 2, the LLL algorithm never increases the quantity, as seen from the proof of their proposition (1.26). For step 4, the inductive hypothesis suffices. In step 8, b_1(1) strictly decreases, the new b_2(2) is at most the old |b_1|, and b_3(3), ..., b_n(n) remain the same. For steps 11 through 13, the enumeration and basis selection processes, the proof is a little harder and is dealt with in proposition 3.3. For step 14, we again invoke the inductive hypothesis, completing the proof of this proposition.

For each such call, I will consider the execution of steps 1 through 3 and steps 5 through 13. (In other words, I do not consider the steps invoking the recursive calls, since I have in the first place picked an arbitrary call to the procedure inside the main program.) Step 1 is trivial; step 2 is covered by lemma 3.7. In step 3 we have to project vectors u_2, u_3, ..., u_i perpendicular to a vector u_1, where of course these u_j form the basis of some projected lattice. Arguing as in lemma 3.6, we see that the u_j are all bounded in length by √n B. By (3.5), their denominators are bounded by B^{n−1}.
Since projecting perpendicular to a vector involves taking certain dot products and simple arithmetic operations, it is easy to see that step 3 never involves more than O(n(log n + log B))-bit integers. Step 6 is a little harder to analyze, partly because I have not specified exactly how the lifting is done. I will do so presently. Suppose u_1, u_2, ..., u_i is the basis of the lattice in step 3, and suppose ū_j, j = 2, 3, ..., i are the projections perpendicular to u_1 computed in step 3; let Ū be the matrix with these i − 1 vectors as its i − 1 rows. Further, let ũ_2, ũ_3, ..., ũ_i be the basis returned in step 4 after the call to SHORTEST(i − 1; ...), and let Ũ be the matrix with these i − 1 vectors as its i − 1 rows. To lift these vectors, we do the following: we solve a linear system of equations in (i − 1)^2 variables to find an (i − 1) × (i − 1) matrix T so that

Ũ = T Ū
Clearly, T so found will have integer entries and its determinant will be 1 in absolute value. Now let V equal TU, where U is the matrix with u_2, u_3, ..., u_i as its i − 1 rows. Then the rows of V are nearly what we want. We need to ensure that for each row of V, the projection of the row onto u_1 is at most (1/2)|u_1| in length. This is done without much difficulty. The solution of the simultaneous equations, with a coefficient matrix with entries of O(n(log n + log B)) bits, does not produce any numbers larger than O(n^2(log n + log B)) bits (Edmonds (1967)).

The closest vector problem

Given a point b_0 and a lattice L = L(b_1, b_2, ..., b_n), the problem of this section is to find a lattice point b such that |b_0 − b| is as small as possible. This is called the inhomogeneous problem (corresponding to the homogeneous problem called the Shortest Vector Problem earlier). The reason for this terminology is that in the SVP we had to find the closest lattice point to 0, excluding 0 itself, whereas here we have to find the closest lattice point to an arbitrary b_0. Note, however, that here if b_0 itself belongs to the lattice, then the answer to be returned is b_0; in other words, here we do not exclude b_0 as an answer. We can test in polynomial time whether b_0 in fact belongs to the lattice by using the algorithm of von zur Gathen and Sieveking (1976) or Kannan and Bachem (1979) to solve simultaneous diophantine equations, so I assume this is done at the outset, and in what follows b_0 does not belong to the lattice.
Whereas, as I remarked in the introduction, the complexity of the SVP is unknown at present, the CVP (closest vector problem) is easily shown to be NP-hard. I will argue this in section 6. So the CVP is at least as hard as the SVP (since the latter obviously is in NP when properly coded as a language, as was done in the introduction). I give an algorithm here to solve the CVP. This serves two purposes: it of course gives a solution to the problem at hand, and secondly, it introduces an idea that will be useful in the integer programming algorithm.

Then,

T(n) ≤ (n/(n−1))^{n−1} · n · T(n−1) + q(n)

where q(n) is a polynomial (note that this does not depend upon s). Using the fact that the maximum of (i/(i−1))^{i−1} for 1 < i ≤ n is attained at i = n, and that the limit of (i/(i−1))^{i−1} is e, we can establish by induction on n that T(n) is O(n^n).
The proof is similar to that of theorem (2.17), and I omit the details. So, the number of arithmetic operations performed by CLP(n; ...) is O(n^n) plus the number performed by SHORTEST. Applying theorem 2.17, we get the current theorem. The bound on the number of bits of all numbers is similar to the proof in section 3.
One can also find the L_1-closest and L_∞-closest vectors; see remark (2.18). The number of candidates will have to be suitably adjusted.

Integer Programming
Integer programming is the following problem: (5.1) Given m × n and m × 1 matrices A and b of integers, determine whether there is an x in Z^n such that Ax ≤ b.
We will do some "preprocessing" on the problem. First, we modify the problem so that the set {x : Ax ≤ b} is bounded, i.e., is a polytope. Second, we ensure that the polytope has positive volume by projecting down to some lower dimensional set if necessary. Then, we apply an invertible linear transformation to both the polytope and the lattice simultaneously so that the polytope becomes "well-rounded". I will define "well-rounded" more rigorously in (5.2) below. Intuitively, it means that there are two concentric spheres, the smaller one contained in the polytope and the larger one containing the polytope, such that the ratio of their radii is bounded above by a function of the dimension alone. Lovasz has devised an ingenious polynomial time algorithm to make the polytope "well-rounded". This and the rest of the preprocessing are also part of Lenstra's algorithm. He gives a complete description of this in his paper, so I will say nothing more here except to state precisely the problem at the end of the preprocessing:

(5.2) Given independent vectors b_1, b_2, ..., b_n in Z^n, an m × n integer matrix A and an m × 1 integer matrix b, determine whether there is an x in L(b_1, b_2, ..., b_n) such that Ax ≤ b, where the following additional conditions are satisfied by the input:

∃ p ∈ R^n and reals r, R such that R/r ≤ 2n^{3/2}    (5.2a)
B(p, r) ⊆ {x ∈ R^n : Ax ≤ b} ⊆ B(p, R)    (5.2b)

(where B(q, s) is the ball of radius s with q as center).

Case 2: r ≤ (√n/2)|b_i(i)|, whence R ≤ n^2 |b_i(i)|. In this case, we argue as in the last section that there are not too many integer values of λ_i, λ_{i+1}, ..., λ_n for which there exist integers λ_1, λ_2, ..., λ_{i−1} such that Σ_{j=1}^n λ_j b_j belongs to B(p, R). We then enumerate all these values of λ_i, ..., λ_n and, for each, solve an (i − 1)-dimensional problem. So the algorithm is going to be a recursive procedure.

b_0 = Σ_{j=i}^n λ_j b_j
Now, a candidate (λ_i, λ_{i+1}, ..., λ_n) ∈ Z^{n−i+1} is fixed. We want to determine whether there is a point z in L(b_1, b_2, ..., b_{i−1}) such that z + b_0 satisfies Ax ≤ b; equivalently, z satisfies Az ≤ b − Ab_0. Letting z = Σ α_j b_j, and letting B be the n × (i − 1) matrix with b_1, b_2, ..., b_{i−1} as its columns, we want ABα ≤ (b − Ab_0), where α is required to be an (i − 1)-vector of integers.

Proof: We can easily reduce the 3DM problem to an integer program as follows. We set up one variable x_t for each 3-tuple t in T. This variable will be forced to take on only the values 0 or 1. The interpretation is that x_t = 1 iff t is included in M. Then the 3DM problem is equivalent to the following problem. I leave the proof of this to the reader.

Proof: Suppose x (considered as a vector with |T| components) is a solution to (6.3a), (6.3b), (6.3c) and (6.3d). If x has fewer than n nonzero components (which are each of course one), then one of the equations (6.3a) will be violated, because (6.3a) comprises n different equations in disjoint sets of variables; also, if x has more than n components with value 1, one of the left hand sides in (6.3a) will be at least 2. Thus x must have precisely n 1's, and so it satisfies (6.5). Conversely, suppose x satisfies (6.3a), (6.3b), (6.3c) and (6.5). To satisfy (6.3a), for example, x must have at least n nonzero components. Each of the nonzero components is of course an integer, so to satisfy the inequality in (6.5), there must be precisely n nonzero components in x and each of these must be ±1. But if even one of them is −1, there is no way to satisfy (6.3a), say. So they must all be +1, and we have proved the proposition. The reduction given is essentially a Cook reduction; it invokes more than one call to the subroutine.
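The reduction just described can be sketched concretely. The encoding below is my own rendering of the constraints: each ground element must be covered exactly once and each x_t must lie in {0, 1}, all written as inequalities to fit the form Ax ≤ b; names and the tiny instance are illustrative:

```python
def matching_ip(triples, n):
    """Encode 3DM as Ax <= b: one 0/1 variable per triple; for every element
    of each of the three ground sets, the triples containing it sum to 1."""
    rows, rhs = [], []
    for side in range(3):                 # the three ground sets W, X, Y
        for elem in range(n):
            row = [1 if t[side] == elem else 0 for t in triples]
            rows.extend([row, [-c for c in row]])   # sum = 1 as <= 1 and >= 1
            rhs.extend([1, -1])
    for j in range(len(triples)):         # 0 <= x_j <= 1
        e = [0] * len(triples)
        e[j] = 1
        rows.append(e)
        rhs.append(1)
        rows.append([-c for c in e])
        rhs.append(0)
    return rows, rhs

def feasible(rows, rhs, x):
    return all(sum(a * xi for a, xi in zip(row, x)) <= b
               for row, b in zip(rows, rhs))

# tiny instance with n = 2: choosing the first and last triples is a matching
T = [(0, 0, 0), (0, 1, 1), (1, 0, 1), (1, 1, 1)]
A, b = matching_ip(T, 2)
print(feasible(A, b, [1, 0, 0, 1]))   # → True: every element covered exactly once
print(feasible(A, b, [1, 1, 0, 0]))   # → False: element 0 of W covered twice
```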

We show first that, given a subroutine that accepts the language L_2-SHORTEST, we can actually find a shortest vector in a lattice. Suppose L = L(b_1, ..., b_n), with the b_i ∈ Z^n independent, is the lattice in which we want to find a shortest nonzero vector. Define

ℓ = ⌈√n (d(L))^{1/n}⌉    (6.9)

Let τ be the linear transformation given by the n × n diagonal matrix containing the entry ℓ^{2n} + ℓ^{n+1−i} in the i-th diagonal position, for i = 1, 2, ..., n.    (6.10)

(τ multiplies the i-th coordinate by (ℓ^{n+1−i} + ℓ^{2n}).)

Lemma (6.11)
Suppose L = L(b_1, ..., b_n), where the b_i ∈ Z^n are independent, and define ℓ and τ as in (6.9) and (6.10).

Remark: A lemma similar to the one above holds for most known NP-complete languages and several other ones, like linear programming. For example, it is easy to see by using self-reducibility that, given an algorithm to test whether a given Boolean formula is satisfiable, we may use it to find a satisfying assignment. This speaks for the versatility of the language SAT (the set of satisfiable Boolean formulas). It is interesting that the language L_2-SHORTEST, not yet known to be NP-complete, has this versatility.
We now study the relationship between the problem of finding the closest vector of a lattice in Z^n to a given point in Z^n (called the "inhomogeneous problem") and that of finding a shortest nonzero vector of a lattice (called the "homogeneous problem"). The device we use to relate these two may be called the process of "homogenization"; the technique is used in polyhedral theory. The idea is to relate the inhomogeneous problem for a lattice L in n dimensions to a homogeneous problem for a lattice L′ constructed from L in (n + 1) dimensions.
Suppose we are given b_1, b_2, ..., b_n, b_0 in Z^n and are asked to find a point b of L = L(b_1, ..., b_n) which is approximately (to be defined later) the closest point (in Euclidean distance) of L to b_0. We first check whether b_0 is in L by using a polynomial-time algorithm to solve linear diophantine equations. If so, we may stop. Otherwise, we find (using the subroutine for the homogeneous problem) λ_1(L), the length of a shortest nonzero vector of L. (Caution: this may be irrational, so we will only find an approximation to it in the actual algorithm; to simplify the current discussion, assume we know λ_1(L) exactly.) We then consider the lattice L′ in R^{n+1} generated by b′_i = (b_i, 0) for i = 1, 2, ..., n and b′_{n+1} = (b_0, (.51)λ_1(L)). We find a shortest nonzero vector v = (v_1, ..., v_{n+1}) of L′ (Lemma 6.15). This gives us information about the vector closest to b_0 in L, as summarized by the following lemma:
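The construction of L′ is easy to state in code; the sketch below assumes a floating-point approximation of λ_1(L) is available, as the text itself cautions, and the function name is mine:

```python
def homogenize(basis, b0, lam1):
    """Build the (n+1)-dimensional lattice L': each b_i gains a zero last
    coordinate, and one extra generator (b0, 0.51 * lam1) is appended.
    lam1 is (an approximation of) the shortest nonzero length in L."""
    primed = [list(b) + [0] for b in basis]
    primed.append(list(b0) + [0.51 * lam1])
    return primed

# toy case: L = Z^2, target b0 = (7, 3); here lam1(L) = 1
print(homogenize([[1, 0], [0, 1]], [7, 3], 1.0))
# → [[1, 0, 0], [0, 1, 0], [7, 3, 0.51]]
```

Any short vector of L′ with nonzero last coordinate must use the extra generator exactly ±1 times (twice would already make the last coordinate longer than λ_1(L)), so its first n coordinates have the form ±(b_0 − b) for some lattice point b, which is what the lemma exploits.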

The lemma leads to the following recursive algorithm for approximating the closest vector. The recursion will be on the dimension of the lattice. The factor of approximation will be √(n/2), as asserted in theorem 6.8. For n = 2, the algorithm is obvious. So assume we are given a lattice L of dimension n > 2 and a point b_0. First, we find the shortest vector v in the lattice L′ used in the lemma. If v_{n+1} ≠ 0, then we have already found the closest vector and we may stop. In the other case, the distance of b_0 to L (henceforth denoted d(b_0, L)) is at least .8λ_1(L). We obtain a basis b_1, b_2, ..., b_n of L with b_1 a shortest vector, using the subroutine for L_2-SHORTEST (cf. Lemma 6.15 and the procedure SELECT-BASIS of section 2). In the rest of this proof, we let the superscript * denote the projection perpendicular to b_1. Recursively, we find an element b* ∈ L* so that |b* − b_0*| ≤ √((n−1)/2) d(b_0*, L*). Now, find b in L so that b projects to b* and b − b_0 has a projection along the direction of b_1 of length at most |b_1|/2.

Another interesting open problem is to devise polynomial time algorithms that come within a subexponential factor of the shortest vector. In this connection, it is also interesting to consider lattices over rings other than the integers. Lattices over GF(2), which are of course just vector spaces, are of particular interest in coding theory and cryptography, so I state the "Shortest Vector Problem" for such lattices below. The length of a vector with 0,1 components is defined to be the number of 1's in it for this discussion; this is also called the "Hamming length". The question is: given n 0,1 vectors b_1, b_2, ..., b_n, find the (Hamming) shortest nonzero linear combination of them, where all operations are done modulo 2.
We can also define an analogous "closest vector problem" for these. That CVP is easily shown to be NP-hard (Berlekamp, McEliece and van Tilborg (1978)); however, the complexity of the SVP here is still open. The CVP is equivalent to the question of finding the shortest circuit containing a particular edge in a binary matroid (Tutte (1959)). In the very special case when the binary matroid is graphic, the problem is the shortest path problem for graphs, which is, of course, polynomial time solvable. A complicated and clever argument of Seymour's (1980) gives a polynomial time algorithm for a broader class of binary matroids. The SVP is equivalent to the problem of finding the shortest circuit in a binary matroid. It is trivial to solve the SVP in 2^n steps, where n is the dimension of the lattice. A slightly better algorithm is possible when we wish to determine whether there is a nonzero vector in the lattice of (Hamming) length at most k, where k is small compared to n. In this case, we can do with (n choose k) steps as follows: we do Gaussian elimination on the basis vectors (since we are in a field) to ensure that there are n distinct components i_1, i_2, ..., i_n such that the j-th basis vector in the new basis is 1 in the i_j-th position and zero in the other n − 1 positions of the set {i_1, i_2, ..., i_n}. Then it is clear that any vector in the lattice of length at most k must be the mod 2 sum of at most k of the new basis vectors. Obviously, this does better than the naive algorithm when k < n/2. This case is of interest in certain situations in cryptography. However, to my knowledge, no subexponential algorithm is known for the problem in general. It is not clear prima facie that any of the techniques for integer lattices will carry over to these lattices.
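The (n choose k)-style algorithm just sketched, Gaussian elimination mod 2 followed by sums of at most k of the systematized basis vectors, can be written out as follows; vectors are represented as bit masks, and all names are mine:

```python
from itertools import combinations

def gf2_systematize(rows, m):
    """Row-reduce 0/1 vectors (bit masks of length m) so each basis vector is
    1 in a pivot position where all the others are 0 (elimination mod 2)."""
    basis = list(rows)
    pivots = []
    r = 0
    for c in range(m):
        piv = next((i for i in range(r, len(basis)) if basis[i] >> c & 1), None)
        if piv is None:
            continue
        basis[r], basis[piv] = basis[piv], basis[r]
        for i in range(len(basis)):
            if i != r and basis[i] >> c & 1:
                basis[i] ^= basis[r]
        pivots.append(c)
        r += 1
    return basis[:r], pivots

def short_codeword(rows, m, k):
    """Any nonzero combination of Hamming weight <= k must be a sum of at most
    k systematized basis vectors, so C(n, <=k) sums suffice."""
    basis, _ = gf2_systematize(rows, m)
    best = None
    for j in range(1, k + 1):
        for subset in combinations(basis, j):
            v = 0
            for row in subset:
                v ^= row
            w = bin(v).count("1")
            if 0 < w <= k and (best is None or w < best[0]):
                best = (w, v)
    return best

# vectors over GF(2)^4 as bit masks: 0111, 1110, 1011; their full sum is 0010
print(short_codeword([0b0111, 0b1110, 0b1011], 4, 2))   # → (1, 2), i.e. weight 1
```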
One of the essential ideas for all three algorithms in this paper is the argument bounding the number of candidates for the enumeration. It seems possible that this argument will be of more general use. There is a context other than those in this paper where it has been shown to be useful (Furst and Kannan 1985). I mention this briefly: suppose we are given a basis $b_1, b_2, \ldots, b_n$ of a lattice with $\min_{i=1}^{n} b_i(i) = t$. Then for any vector $v$, we can determine in polynomial time whether there is a point $u$ in the lattice such that $|u - v| < t/2$. To see this, let $u = \sum \lambda_i b_i$ satisfy $|u - v| < t/2$. It is not difficult to see that there is at most one candidate for $\lambda_n$, since $b_n(n) \geq t$. Similarly, if $\lambda_n, \lambda_{n-1}, \ldots, \lambda_{i+1}$ are fixed, there is at most one candidate for $\lambda_i$. This helps us determine quickly whether or not there is such a $u$. This is one of the ideas used by Furst and me to develop a proof system that yields polynomial length proofs of the infeasibility of subset sum problems in almost all instances.
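This decision procedure can be sketched in a few lines (a hypothetical implementation of mine, not the paper's): since every $b_i(i) \geq t$, the interval of admissible values for each $\lambda_i$ has length less than one, so a single back-substitution pass either produces the unique candidate $u$ or certifies that none exists.

```python
import math

def gram_schmidt(B):
    """Orthogonalize the rows of B (lists of floats); returns the b_i* vectors."""
    ortho = []
    for b in B:
        r = list(map(float, b))
        for u in ortho:
            mu = sum(x * y for x, y in zip(r, u)) / sum(x * x for x in u)
            r = [x - mu * y for x, y in zip(r, u)]
        ortho.append(r)
    return ortho

def close_point(B, v):
    """If some lattice point u = sum(lam_i * b_i) has |u - v| < t/2,
    where t = min_i |b_i*|, return its coefficients; otherwise None.
    Each lam_i is forced, so this is one back-substitution pass."""
    ortho = gram_schmidt(B)
    t = min(math.sqrt(sum(x * x for x in u)) for u in ortho)
    lam = [0] * len(B)
    r = list(v)                  # residual: v minus the part already matched
    for i in reversed(range(len(B))):
        u = ortho[i]
        c = sum(x * y for x, y in zip(r, u)) / sum(x * x for x in u)
        lam[i] = round(c)        # the only integer candidate
        r = [x - lam[i] * y for x, y in zip(r, B[i])]
    if math.sqrt(sum(x * x for x in r)) < t / 2:
        return lam
    return None
```

For the orthogonal basis $\{(4,0), (0,5)\}$ (so $t = 4$), the point $(3.9, 0.1)$ is within $t/2$ of the lattice point $b_1$, while $(2, 2.5)$ is not within $t/2$ of any lattice point.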
prove very nice properties of the successive minima of lattices from the concept of "more reduced basis" used in this paper. They have traced this concept back to Korkine and Zolotareff (1873). Babai (1985) is an interesting related development on some of the algorithmic questions discussed in this paper.

1 Basic definitions and facts about lattices

A lattice $L$ in $R^n$ is the set of all integer linear combinations of a set of linearly independent vectors in $Z^n$. The independent vectors are called a basis of the lattice. If $b_1, b_2, \ldots, b_n$ are independent vectors in $Z^m$, $m \geq n$, the basis matrix of the lattice $L(b_1, b_2, \ldots, b_n)$ is the $n \times m$ matrix $B$ with $b_1, b_2, \ldots, b_n$ as its $n$ rows. Now suppose $U$ is any $n \times n$ unimodular matrix (an integer matrix with determinant $\pm 1$). Clearly, the inverse of $U$ exists and has integer entries. Then for any $y$ in $Z^m$, $y$ is in $L(b_1, b_2, \ldots, b_n)$ iff $\exists x \in Z^n : y = xB \iff \exists x' \in Z^n : x'(UB) = y$ (because $U, U^{-1}$ have integer entries) $\iff y \in$ the lattice generated by the rows of $UB$.

Since the lattices generated by the rows of $B$ and $B'$ are the same, so are the subspaces they span. Hence $k = n =$ the dimension of the subspace. The rows of $B'$ are integer combinations of the rows of $B$ and vice versa. Thus there are $n \times n$ matrices of integers $U$ and $U'$ such that $UB = B'$ and $U'B' = B$. So $UU'B' = B'$; since $B'$ has independent rows, $UU' = I$. $U$ and $U'$ have integer determinants and are inverses of each other, so they must both have determinant $\pm 1$.

The dimension of a lattice is the number of basis vectors that generate it. If a lattice is full dimensional, i.e., it is a lattice in $Z^n$ of dimension $n$ and is generated by the rows of an $n \times n$ matrix $B$, the determinant of the lattice is defined to be the absolute value of the determinant of $B$ (by the lemma above, it is an invariant of the lattice). Geometrically, it is the volume of the parallelepiped spanned by $b_1, b_2, b_3, \ldots, b_n$. We also have to deal with lattices which are not full dimensional. Thus suppose $b_1, b_2, \ldots, b_n$ are independent vectors in $Z^m$, $m \geq n$. Then the determinant of $L(b_1, b_2, \ldots, b_n)$ is defined to be the volume of the $n$-dimensional parallelepiped spanned by $b_1, b_2, \ldots, b_n$. To make this definition computationally more explicit, as well as for other purposes, we define mutually orthogonal vectors by the Gram-Schmidt process of (1.2) and (1.3). If $b_1, \ldots, b_n$ have rational coordinates, so do the $b_i^*$, and they can be computed in polynomial time from $b_1, b_2, \ldots, b_n$. This is not obvious from (1.2) and (1.3), since $|b_j^*|$ may be irrational. ... Then $w' = \lambda v$ for some real $\lambda$.
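Since the $b_i^*$ are rational whenever the $b_i$ are, they can be computed exactly. A small illustrative sketch (mine, not the paper's (1.2)-(1.3)) using Python's exact rationals; it returns the square of the determinant of a possibly non-full-dimensional lattice, which is rational even when the determinant itself is not:

```python
from fractions import Fraction

def gram_schmidt_exact(B):
    """Exact Gram-Schmidt on rational rows; returns the orthogonal b_i*."""
    ortho = []
    for b in B:
        r = [Fraction(x) for x in b]
        for u in ortho:
            mu = sum(x * y for x, y in zip(r, u)) / sum(x * x for x in u)
            r = [x - mu * y for x, y in zip(r, u)]
        ortho.append(r)
    return ortho

def det_squared(B):
    """Square of the lattice determinant: the product of the |b_i*|^2.
    (The determinant itself may be irrational when m > n.)"""
    sq = Fraction(1)
    for u in gram_schmidt_exact(B):
        sq *= sum(x * x for x in u)
    return sq
```

For the 2-dimensional lattice in $Z^3$ generated by $(1,1,0)$ and $(0,1,1)$, the Gram matrix is $\begin{pmatrix}2&1\\1&2\end{pmatrix}$, so the squared determinant is 3 and $d(L) = \sqrt{3}$ is irrational, exactly the situation the text warns about.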
Since $\lambda v$ and $\lfloor \lambda \rfloor v$ are both in the lattice, so is their difference $(\lambda - \lfloor \lambda \rfloor)v$, and if $\lambda$ were not an integer, this would yield a shorter nonzero vector than $v$, contradicting its definition. So $\lambda$ must be an integer, and by the definition of $w'$, we see that $w \in L(v, b_2, b_3, \ldots, b_m)$. This completes the proof of the proposition. $\Box$

Proposition 1.9: Suppose $v$ is a nonzero element of the lattice $L$ such that $\lambda v$ does not belong to the lattice for any $\lambda$ in $(0,1)$. Then there is a basis of the lattice containing $v$. (Such a vector $v$ is called primitive.) Proof: Let $\bar{L}$ be the projection of $L$ perpendicular to $v$. Then $\bar{L}$ is a lattice; take the least positive real $\lambda$ such that $\lambda v$ is in the lattice obtained by projecting $L$ onto the orthogonal complement of the span of $\{b_1, \ldots, b_{i-1}\}$, and find $w$ in $L$ such that $w$ projects onto $\lambda v$ in $\bar{L}$.

Minkowski's convex body theorem: if $S$ is a convex body in $R^n$, symmetric about the origin, with volume greater than $2^n$, then $S$ contains a nonzero point of $Z^n$. Proof: Define $S/2 = \{x : x \in R^n, 2x \in S\}$. Clearly, $S/2$ has volume greater than 1. Consider the convex bodies $v + S/2 = \{x : x \in R^n, x = v + s$ for some $s \in S/2\}$ as $v$ ranges over $Z^n$. There is one such body for each point of $Z^n$, and their volumes are strictly greater than 1. Therefore, two of them must intersect. (I leave it to the reader to make this intuitive argument rigorous.) Suppose $v + S/2$ and $u + S/2$ intersect; then so do $S/2$ and $(u - v) + S/2$. Let $y$ be in their intersection. Then $y$ and $y - u + v$ both belong to $S/2$. So $2y$ and $2(y - u + v)$ both belong to $S$. The symmetry of $S$ implies that $-2y$ belongs to it; convexity then implies that the average of $-2y$ and $2(y - u + v)$, which is $v - u$, belongs to $S$. Of course, $v - u$ is in $Z^n$, proving the theorem.

For theorem (1.12), write $L = \{x : x = yB$ for some $y \in Z^n\}$, $B$ an $n \times n$ matrix with a basis of $L$ as its rows. Consider the sphere $T$ with the origin as center and radius $\sqrt{n}\,(d(L))^{1/n}$. $T$ has volume $\pi^{n/2}/\Gamma(n/2 + 1)\, R^n$, where $R$ is its radius. So the volume of $T$ is greater than $2^n d(L)$; hence $TB^{-1}$ has volume greater than $2^n$ and contains a point $y$ in $Z^n - \{0\}$. $v = yB$ is then a nonzero element of $T \cap L$.
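Theorem (1.12) is easy to check numerically on small lattices. The brute-force sketch below (my own; the function name and coefficient box are illustrative choices) computes $\lambda_1$ by enumeration and compares it with the bound $\sqrt{n}\,(d(L))^{1/n}$.

```python
import itertools
import math

def lam1(B, box=5):
    """Shortest nonzero vector length (brute force) in the lattice with
    basis rows B, searching integer coefficients in [-box, box]."""
    best = float("inf")
    m = len(B[0])
    for c in itertools.product(range(-box, box + 1), repeat=len(B)):
        if any(c):
            v = [sum(ci * bi[j] for ci, bi in zip(c, B)) for j in range(m)]
            best = min(best, math.sqrt(sum(x * x for x in v)))
    return best

# Check theorem (1.12) on a sample 2-dimensional lattice.
B = [[3, 1], [1, 2]]                 # d(L) = |3*2 - 1*1| = 5
bound = math.sqrt(2) * 5 ** 0.5      # sqrt(n) * d(L)^(1/n) with n = 2
assert lam1(B) <= bound              # lambda_1 is sqrt(5), about 2.24
```

Here $\lambda_1 = \sqrt{5} \approx 2.24$ (attained by $b_2$) against the Minkowski bound $\sqrt{10} \approx 3.16$.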
Clearly $v$ is short enough to prove the theorem. $\Box$

Remark (1.13): The factor $\sqrt{n}$ in the theorem can be improved by reckoning the volume of the $n$-sphere more accurately. In fact, more sophisticated upper bounds on $\lambda_1(L)/(d(L))^{1/n}$ are known; this is of course the ratio that theorem (1.12) bounds from above. The supremum of the square of this ratio over all $n$-dimensional lattices is called Hermite's constant, and the best upper bound on it is $\frac{n}{\pi e}(1 + o(1))$, due to Blichfeldt (1929). See also Lekkerkerker (1969), section 38. The general references on the subject of the Geometry of Numbers are Cassels (1959) and Lekkerkerker (1969). An expository survey of lattice basis reduction algorithms can be found in Kannan (1984).

...an "approximately reduced" basis. Intuitively, these conditions can be understood by appealing to the representation of the basis $a_1, a_2, \ldots, a_n$ as a lower triangular matrix. In such a representation, condition (2.1) says that for $j = 2, 3, \ldots, n$, the $j$th diagonal entry is the length of the shortest vector in the lattice generated by the rows of the $(n-j+1) \times (n-j+1)$ matrix consisting of the last $n-j+1$ rows and columns of the basis matrix.
Proposition 2.10: The vectors returned by the procedure SHORTEST($n; b_1, b_2, \ldots, b_n$) form a basis of $L(b_1, b_2, \ldots, b_n)$. Proof: For $n = 1$, the proof is clear. I proceed by induction on $n$. At the end of step 4 of the procedure, $b_2, \ldots, b_n$ form a basis of the lattice $L_2(b_1, b_2, \ldots, b_n)$, and thus by proposition 1.10, $b_1, b_2, \ldots, b_n$ form a basis of $L(b_1, b_2, \ldots, b_n)$ at the end of step 7. By repeating the argument, they form a basis of $L$ at the end of step 9. By proposition 2.9, procedure SELECT-BASIS works correctly to produce a basis of the lattice. Hence the current proposition is proved. $\Box$

Proposition 2.11: Let $j_0$ be as defined in step 10 of SHORTEST. Then a shortest vector of $L(b_1, b_2, \ldots, b_{j_0-1})$ is also a shortest vector of $L(b_1, b_2, \ldots, b_n)$. Proof: Suppose $v = \sum a_i b_i$ is a shortest nonzero vector of $L(b_1, b_2, \ldots, b_n)$ and one of $a_{j_0}, a_{j_0+1}, \ldots, a_n$ is nonzero. Then the projection $v'$ of $v$ onto the vector space $V$ = the orthogonal complement of Span$(b_1, b_2, \ldots, b_{j_0-1})$ is nonzero. Therefore we must have $|v'| \geq \lambda_1(L_{j_0}(b_1, b_2, \ldots, b_n))$. Then clearly $|v| \geq |v'| \geq b_{j_0}(j_0) \geq |b_1|$. Thus $b_1$ is a shortest vector of $L$. $\Box$

Proposition 2.12: The procedure SHORTEST executes the recursive call of step 4 at most $(5/2)n$ times when started on an $n$-dimensional lattice. Proof: By Lenstra, Lenstra and Lovász, the execution of their basis reduction algorithm in step 2 of procedure SHORTEST yields a basis of $L$ with $|b_1| \leq 2^{n/2} \lambda_1(L)$. Each execution but the first of the loop of steps 3-9 of SHORTEST cuts $|b_1|$ down by a factor of at least $\sqrt{3}/2$. Thus every 5 iterations of the loop cut it down by a factor of 2.
We cannot reduce $|b_1|$ further once it reaches $\lambda_1(L)$. Thus at most $5n/2$ executions of the loop suffice. $\Box$

Description of procedure ENUMERATE. The crucial reason that we can complete the recursion is that we can enumerate relatively few candidates to determine the shortest vector. This fact is proved now. Suppose $j_0 - 1 = m$ in step 10 of procedure SHORTEST, and suppose a shortest vector of $L(b_1, b_2, \ldots, b_m)$ is $y = \sum_{i=1}^{m} \alpha_i b_i$. Then since $y$ must be of length at most $|b_1|$, the projection of $y$ onto $V_m$, the orthogonal complement in $R^n$ of the span of $\{b_1, b_2, \ldots, b_{m-1}\}$, must be of length at most $|b_1|$. This projection has length $|\alpha_m b_m(m)|$, so we must have $|\alpha_m| \leq |b_1|/|b_m(m)|$. More generally, we have the following proposition. The reader might want to use the lower triangular representation of the basis matrix to understand it.

Proposition 2.13: With the above notation, suppose $\beta_{i+1}, \beta_{i+2}, \ldots, \beta_m$ are fixed integers. Then there is an easily computed integer $\beta_i^0$ such that, for all integers $\alpha_1, \alpha_2, \ldots, \alpha_{i-1}$ and all integers $\beta_i$, the vector $\sum_{j=1}^{i-1} \alpha_j b_j + \beta_i b_i + \sum_{j=i+1}^{m} \beta_j b_j$ can have length at most $|b_1|$ only if $\beta_i^0 \leq \beta_i \leq \beta_i^0 + 2|b_1|/b_i(i)$. Proof: For any vector $v$, I denote by $v_i$ the projection of $v$ along the direction of $b_i^*$ in this proof. Let $u = \sum_{j=i+1}^{m} \beta_j b_j$ and $w = \sum_{j=1}^{i-1} \alpha_j b_j + \beta_i b_i + u$. Clearly $w_i = \beta_i b_i(i) + t$ (say), where $t$ is some fixed real number (since $\beta_{i+1}, \beta_{i+2}, \ldots, \beta_m$, and hence $u$, are fixed). Then $|w_i| \leq |b_1|$ implies $-\frac{t}{b_i(i)} - \frac{|b_1|}{b_i(i)} \leq \beta_i \leq -\frac{t}{b_i(i)} + \frac{|b_1|}{b_i(i)}$, so the proposition follows.

...polynomial). I will derive the bound $T(n) \in O(n^n)$. $\lim_{n \to \infty} (5/2)(1 - \frac{1}{n})^{n-1} = 5/(2e)$, which is less than .93, so there exists an $N_1$ such that for all $n \geq N_1$ we have $(5/2)(1 - \frac{1}{n})^{n-1} < .95$. Further, let $N_2$ be a natural number so that $\forall n \geq N_2$, $(2n)^{n/2} q(n) < .05\, n^n$. Let $N$ be the maximum of $N_1, N_2$. Choose a constant $c > 1$ such that $T(n) \leq c n^n$ for all $n \leq N$.
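Proposition 2.13 says in effect that, once $\beta_{i+1}, \ldots, \beta_m$ are fixed, $\beta_i$ ranges over an explicit integer interval of length about $2|b_1|/b_i(i)$. A hypothetical sketch of that interval computation (function and argument names are mine):

```python
import math

def gram_schmidt(B):
    """Orthogonalize the rows of B; returns the b_i* vectors."""
    ortho = []
    for b in B:
        r = list(map(float, b))
        for u in ortho:
            mu = sum(x * y for x, y in zip(r, u)) / sum(x * x for x in u)
            r = [x - mu * y for x, y in zip(r, u)]
        ortho.append(r)
    return ortho

def coeff_interval(B, i, later, bound):
    """All integers beta_i whose component along b_i* keeps
    |beta_i*b_i + sum(later_j * b_j, j > i)| within `bound`.
    `later` lists the fixed beta_{i+1}, ..., beta_m."""
    star = gram_schmidt(B)[i]
    norm = math.sqrt(sum(x * x for x in star))
    # component of the fixed tail along b_i* (the quantity t in the proof)
    tail = [sum(c * B[i + 1 + j][k] for j, c in enumerate(later))
            for k in range(len(B[0]))]
    t = sum(x * y for x, y in zip(tail, star)) / norm
    lo = math.ceil((-bound - t) / norm)
    hi = math.floor((bound - t) / norm)
    return list(range(lo, hi + 1))
```

For the orthogonal basis $\{(2,0), (0,3)\}$ with length bound 3, the last coefficient has the three candidates $\{-1, 0, 1\}$, matching the interval of length $2 \cdot 3 / 3$ in the proposition.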
Now, I argue by induction on $n$ that $T(n) \leq c n^n$ for all $n$. For $n \leq N$, this is true by definition. So assume $n > N$ and suppose it is true for $n-1$. Then $T(n) \leq (5/2)n\,T(n-1) + (2n)^{n/2} q(n) \leq .95\, c\, n^n + .05\, n^n \leq c n^n$, which completes the inductive proof. The total number of arithmetic operations performed by the algorithm is $T(n)$ plus the number of operations performed while executing calls to LLL. From proposition 3.8, the current theorem then follows. $\Box$

Remark (2.18): Here I considered the shortest vector in the Euclidean ($L_2$) norm. We can also define the shortest vector according to other norms in the obvious fashion. To find the $L_1$ shortest vector in a lattice, we proceed as follows. We apply SHORTEST to the basis. Then, analogous to proposition 2.11, I claim that if we choose $j_0 = \min\{j : b_j(j) > \sqrt{n}\, b_1(1)\}$, then an $L_1$ shortest vector of $L(b_1, b_2, \ldots, b_{j_0-1})$ is also an $L_1$ shortest vector of the whole lattice. This is because any vector in $L(b_1, b_2, \ldots, b_n) \setminus L(b_1, b_2, \ldots, b_{j_0-1})$ must have $L_2$ norm at least $\sqrt{n}\, b_1(1)$ and therefore $L_1$ norm at least $\sqrt{n}\, b_1(1)$, which is clearly at least the $L_1$ norm of $b_1$. Let $m = j_0 - 1$. In any candidate $\sum_{j=1}^{m} \lambda_j b_j$ for the $L_1$ shortest vector, we must have $|\lambda_m| b_m(m) \leq |b_1|_1 \leq \sqrt{n}\, b_1(1)$. Thus there are at most $2\sqrt{n}\, b_1(1)/b_m(m)$ candidates for $\lambda_m$. Arguing in this vein, the total number of candidates is at most $2^m n^{m/2} \prod_{j=1}^{m} (b_1(1)/b_j(j))$, which is at most $n^n$ by Minkowski's theorem. This gives an algorithm for finding the $L_1$ shortest vector in $O(n^n)$ steps as well.

$\Box$
possibly in the middle of the execution of the LLL algorithm. In what follows, I talk about certain properties of the "current basis", which I will refer to as $b_1, b_2, \ldots, b_n$. With this we can associate the quantities $b_i(j)$ as defined in (1.7).
$b_1, b_2, \ldots, b_n$ is the basis of the lattice at the beginning of step 11. Let $b_i(j)$, $1 \leq j \leq i \leq n$, be defined as in (1.7). Suppose $v_1$ is found to be the shortest nonzero vector of $L(b_1, b_2, \ldots, b_n)$ by enumeration. Define $u_1 = v_1$, $u_2 = b_1$, $u_3 = b_2, \ldots, u_{n+1} = b_n$. Let $u_i(j)$, $1 \leq j \leq i \leq n+1$, be defined again as in (1.7), i.e., by performing Gram-Schmidt on $u_1, u_2, \ldots, u_{n+1}$. Clearly, precisely one of the $u_i(i)$'s is zero; let this be $u_j(j)$. Let $v_1, v_2, \ldots, v_n$ be the basis returned by SELECT-BASIS in step 13. Again define $v_i(j)$ by (1.7). Then for $l = 2, 3, \ldots, j-1$, $v_l$'s projection onto the orthogonal complement of the span of $\{v_1, v_2, \ldots, v_{l-1}\}$ must be a scalar multiple of $u_l$'s projection onto the same space. Thus by induction on $l$, span$\{v_1, v_2, \ldots, v_{l-1}\}$ equals span$\{u_1, u_2, \ldots, u_{l-1}\}$. $u_l(l)$ is the length of the projection of $b_{l-1}$ orthogonal to the span of $\{v_1, b_1, b_2, \ldots, b_{l-2}\}$; $b_{l-1}(l-1)$ is the length of the projection of $b_{l-1}$ orthogonal to the span of $\{b_1, b_2, \ldots, b_{l-2}\}$. So we must have $u_l(l) \leq b_{l-1}(l-1)$, and hence $v_l(l) \leq b_{l-1}(l-1)$ for $l = 2, 3, \ldots, j-1$. Further, since $u_l(l) \neq 0$ for $l = j+1, j+2, \ldots, n+1$, $u(l,l)$ (see (1.7)') is independent of $u(l+1,l), u(l+2,l), \ldots, u(n+1,l)$, and so SELECT-BASIS works as claimed.

It is not difficult to see that $d_i$ is the determinant of the $i \times i$ matrix with entries $(b_j, b_l)$ for $1 \leq j, l \leq i$. Since our original basis vectors had integer coordinates, this is also true of any other basis; thus the $d_i$ are all integers. Clearly, numbers produced by the algorithm are rationals of the form $p/q$, $p, q \in Z$, where $q$ is one of the $d_i$'s corresponding to the current basis. Proof: Let $b(j,i)$ be the projection of $b_j$ orthogonal to $b_1, \ldots, b_{i-1}$ (for $j \geq i \geq 2$); see (1.7)'. Then $b(j,i) = b_j - \sum_{k=1}^{i-1} \delta_{jk} b_k$, where the $\delta_{jk}$ are some real numbers. Taking a dot product with $b_l$ ($1 \leq l \leq i-1$) and noting that $(b_l, b(j,i)) = 0$, we have

$(b_j, b_l) = \sum_{k=1}^{i-1} \delta_{jk} (b_k, b_l)$ for $l = 1, 2, \ldots, i-1$.

These are $(i-1)$ independent equations in the $(i-1)$ variables $\delta_{jk}$, with a coefficient matrix whose determinant is $d_{i-1}$. Thus the $d_{i-1}\delta_{jk}$ are all integers, and hence $d_{i-1} b(j,i)$ is an integral vector. Now, the algorithm SHORTEST keeps these vectors $b(j,i)$ for some $i$ as it works on projected lattices. In addition, it has to keep some auxiliary quantities at various times: the $\mu_{ij}$'s during LLL, and certain other quantities during the execution of the enumeration and select-basis steps. The proof of the proposition for these other quantities is similar. By proposition 3.1, the current basis is always proper in these situations, which implies of course that if we did Gram-Schmidt on the current basis, the $\mu_{ij}$ of (1.6) would all be at most 1/2 in magnitude. Further, the initial $b_i(i)$ is at most $\sqrt{B}$ by hypothesis, and so by proposition 3.2, they are always bounded by this quantity. When the LLL algorithm is called, all the input vectors to it, say $a_1, a_2, \ldots, a_i$, have rational components with common denominator $d$, where by proposition 3.5, $d$ is one of the $d_i$ and hence, by (3.4) and proposition 3.2, is bounded by $B^{n-1}$. Also, by the previous lemma, the lengths of the vectors are all bounded by $\sqrt{n}B$. Further, it is easily seen that the LLL algorithm behaves identically on input $(da_1, da_2, \ldots, da_i)$ as it does on input $a_1, a_2, \ldots, a_i$, except that in the second case all vectors are divided by $d$. The $(da_1, \ldots, da_i)$ are integral vectors, and thus the bounds proved in the LLL paper apply to them. For these inputs, we have (from their proposition 1.26) that the total number of arithmetic operations chargeable to the LLL algorithm is $O(n^n \log B)$. Proof: First, let us bound the total number of times LLL is called. By proposition 2.12, this is at most $(\frac{5}{2})^n n!$. Using the argument in lemma 3.7, each call to LLL performs at most as many arithmetic operations as
a call to LLL with integer input vectors each of length at most $B^{n-1} \cdot \sqrt{n}B$, which is at most $\sqrt{n}B^n$. Using their proposition 1.26, we then have that each call to LLL performs at most $O(n^4 \log(\sqrt{n}B^n)) = O(n^5 \log B + n^4 \log n)$ arithmetic operations. So the total number of operations performed by all calls to LLL is $(\frac{5}{2})^n n!\,(n^5 \log B + n^4 \log n)$. Using Stirling's approximation and the fact that $\frac{5}{2}$ is strictly less than $e$, the base of the natural logarithm, we see that this is asymptotically $O(n^n \log B)$.

Assuming each $|b_i|$ is at most $\sqrt{B}$, all numbers produced by the algorithm SHORTEST($n; b_1, \ldots, b_n$) can be represented in $O(n^2(\log n + \log B))$ bits. Proof: The proof will be based on lemma 3.6. It is not by induction on $n$; I will actually consider the execution of the recursive calls in detail. Let us consider any call to the procedure SHORTEST($i; u_1, u_2, \ldots, u_i$) (where $i$ is less than $n$) occurring inside the main call to SHORTEST($n; \ldots$).
(1967). All other steps are easily handled. In fact, the only other step in which the size of numbers exceeds $O(n(\log n + \log B))$ bits is the SELECT-BASIS step, when we have to solve equations whose coefficient matrix has entries with $O(n \log B)$ bits; in this case the number of bits still remains $O(n^2 \log B)$. $\Box$

4 Finding the closest vector

In this section, I consider the following closest vector problem: (4.1) Given independent vectors $b_1, b_2, \ldots, b_n$ in $Q^n$ and $b_0$ in $Q^n$, find $b$ in $L(b_1, b_2, \ldots, b_n)$ closest in Euclidean norm to $b_0$. We first derive an upper bound $M$ on the distance between any $b_0$ and its closest lattice point. (This bound will be proved in proposition (4.2).) Because of this, I can argue that there are not too many integer tuples $(\alpha_1, \alpha_2, \ldots, \alpha_n)$ such that $|\sum_{j=1}^{n} \alpha_j b_j - b_0|$ is within the upper bound. Arguing as in the case of the shortest vector problem (lemma (2.14)), this gives us a bound of $M^n/d(L)$ on the number of possible $n$-tuples $(\alpha_1, \alpha_2, \ldots, \alpha_n)$ to enumerate. Unfortunately, this will not in general be bounded by a function of $n$ alone. So we have to use another idea: if $b_i(i)$ is the largest among all the $b_j(j)$, then I will show that not too many values of $(\alpha_i, \alpha_{i+1}, \ldots, \alpha_n)$ are candidates to be tried. The bound on the number of candidates will be $n^{(n-i+1)}$. For each such candidate, we project to an $(i-1)$-dimensional problem and solve these recursively. The details are explained after the algorithm.

Procedure CLP($n; b_0, b_1, b_2, \ldots, b_n$). Comment: This procedure returns the vector in $L(b_1, b_2, \ldots, b_n)$ that is closest in Euclidean norm to $b_0$. We assume that $b_1, b_2, \ldots, b_n$ are independent vectors with integer coordinates. $\{b_1, b_2, \ldots, b_n\} \leftarrow$ SHORTEST($n; b_1, b_2, \ldots, b_n$)
$b_n$) for some fixed real number $t$. Thus there are at most $O(\sqrt{n}\, b_i(i)/b_n(n))$ candidates for $\lambda_n$. Now one can show a similar bound for $\lambda_i, \lambda_{i+1}, \ldots, \lambda_n$, using an argument similar to proposition 2.13. So suppose $\lambda_{j+1}, \ldots, \lambda_n$ are fixed integers, for some $j \geq i+1$. Then, arguing as in that proposition, there are at most $O(\sqrt{n}\, b_i(i)/b_j(j))$ values of $\lambda_j$ such that the length of $v - b_0$ in the direction of $b_j^*$ remains suitably bounded. Note that I have used the fact that $b_i(i) \geq b_j(j)$ for all $j$. Since the basis was reduced in the sense of (2.7) and (2.8), $b_i(i)$ is the length of the shortest vector in the lattice $L_i(b_1, b_2, \ldots, b_n)$. Further, the denominator of the expression in (4.4) is obviously the determinant of the lattice $L_i(b_1, b_2, \ldots, b_n)$. Thus by Minkowski's theorem, $|r| \leq (\sqrt{n-i+1})^{n-i+1}(n-i+1)^{(n-i+1)/2} = (n-i+1)^{n-i+1} \leq n^{n-i+1}$.

Suppose $r \geq \frac{\sqrt{n}}{2}|b_i(i)|$. Then the answer to question (5.2) is Yes, since the inner sphere itself contains a lattice point. So we can return Yes and stop the algorithm. It is easy to see that in this case we can in fact find the lattice point.
(5.1) above. $A$ is an $m \times n$ matrix of integers and $b$ an $m \times 1$ matrix of integers. The procedure returns Yes or No to the question (5.1).

1. Ensure boundedness of the feasible set in $Z^n$. Then ensure positive volume. Use Lovász's algorithm, which applies a suitable linear transformation on the space and ensures conditions (5.2a) and (5.2b). Apply the same linear transformation to the lattice. So now we have independent vectors $b_1, b_2, \ldots, b_n$, an $m \times n$ matrix $A$ and an $m \times 1$ matrix $b$ satisfying the conditions of problem (5.2), and we must solve this problem. (Of course, $n, m$ may not be the same as in the original input.)
... Let $b_i(i) = \max_j b_j(j)$.
4. If $r \geq \frac{\sqrt{n}}{2}|b_i(i)|$ then return Yes. Comment: We may now assume that $r < \frac{\sqrt{n}}{2}|b_i(i)|$ and $R < n^{5/2}|b_i(i)|$.
5. If $i = 1$ then do ...
6. For each candidate $\lambda_1, \lambda_2, \ldots, \lambda_n$ integers do. Comment: Enumeration is explained later.
7. If $\sum_{j=1}^{n} \lambda_j b_j = x$ satisfies $Ax \leq b$ then return Yes.

...values of $\lambda_n$. Arguing in a similar vein to proposition 2.13 and proposition 4.3, the number of candidates for $\lambda_i, \lambda_{i+1}, \ldots, \lambda_n$ is suitably bounded. ...a subspace $V$, spanned by integer vectors, such that the number of translates of $V$ containing integer points that intersect $K$ is at most $c^{n^2}$. The bound was improved to $c^n$ by Babai (1985). Based on the results of Lenstra and Schnorr (1984), Hastad (1985) improved it to a polynomial, $O(n^{5/2})$. Grötschel, Lovász and Schrijver (1982) have extended this to unbounded convex bodies. Cook, Coullard and Turán (1985) use this to derive bounds on the number of cutting planes needed to prove the infeasibility of integer programs. By not restricting only to $(n-1)$-dimensional subspaces, theorem (5.5) is able to get a 2 in the exponent. It is likely that both Hastad's result and theorem (5.5) can be improved, giving us further improvement in the running time of the integer programming algorithm.

It was conjectured in Lenstra (1981) that the problem of finding a shortest vector in a lattice $L = L(b_1, \ldots, b_n)$, given $b_1, \ldots, b_n$, is NP-hard. The conjecture is still open. Van
Emde Boas has proved the language $L_2$-CLOSEST, defined below (the natural language corresponding to the Closest Vector Problem), to be NP-complete. Van Emde Boas's proof is complicated and technical; it is also not published. So I will give here a more natural NP-completeness proof for this language. The reduction will be from 3-dimensional matching (3DM), described below, which is known to be NP-complete (Karp 1972).

(6.1) Given a set $T \subseteq \{1, 2, \ldots, n\}^3$, determine whether there is a subset $M$ of $T$ such that for each $i \in \{1, 2, \ldots, n\}$, $M$ has precisely one 3-tuple containing $i$ in the first coordinate, precisely one 3-tuple containing $i$ in the second coordinate, and precisely one 3-tuple containing $i$ in the third coordinate. (These 3-tuples do not have to be distinct.)

Does there exist a feasible solution to the following integer program:

$\sum_{\{(j,k) : (i,j,k) \in T\}} x(i,j,k) = 1$ for $i = 1, 2, \ldots, n$

(together with the analogous constraints for the second and third coordinates)?

$\Box$
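The (6.1) constraints can be checked mechanically on tiny instances. The following brute-force sketch (mine, purely for illustration; the reduction itself needs no such solver) tests every 0-1 assignment $x(i,j,k)$ against the matching constraints:

```python
from itertools import product

def is_matching(T, n, chosen):
    """Check the (6.1) constraints: each i in {1..n} appears exactly once
    in each of the three coordinates among the chosen triples."""
    for coord in range(3):
        counts = [0] * (n + 1)
        for idx, triple in enumerate(T):
            if chosen[idx]:
                counts[triple[coord]] += 1
        if any(counts[i] != 1 for i in range(1, n + 1)):
            return False
    return True

def three_dm(T, n):
    """Brute-force 3DM: try every 0-1 assignment over the triples in T."""
    for chosen in product([0, 1], repeat=len(T)):
        if is_matching(T, n, chosen):
            return chosen
    return None
```

For $T = \{(1,1,1), (2,2,2)\}$ with $n = 2$ the only matching takes both triples, while $T = \{(1,1,1), (1,2,2)\}$ has none, since 2 never occurs in the first coordinate.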
the proposition, I have shown the following problem to be NP-complete (by reducing 3DM to it): (6.6) Given $m \times n$ and $m \times 1$ matrices of integers $A$ and $b$ respectively, and an integer $K$, determine whether there is an $n$-vector $x$ satisfying $Ax = b$ and $|x| \leq K$, where $|x|$ denotes the Euclidean length. I will now show that this problem is polynomial time many-one reducible to the Closest Vector Problem (CVP). By using the Hermite Normal Form algorithm of Kannan and Bachem (1979), one can find the general integer solution of a system of linear equations in polynomial time. We use this to set up the CVP instance. The inequality (6.5a) may be replaced by $\sum |x_i| \leq n$; this proves that the corresponding language for the $L_1$ norm is also NP-complete. A similar proof works for the $L_\infty$ norm too. Now let us turn our attention to the Shortest Vector Problem (SVP). First, it is convenient to define a language corresponding to the SVP; I will call this language $L_2$-SHORTEST. The theorem asserts that the problem of finding an approximate closest vector to within a factor of $\sqrt{n}/2$ is polynomial-time Turing (Cook) reducible to $L_2$-SHORTEST.

(In other words, $(|y_1|, \ldots, |y_n|)$ is the lexicographically least among the shortest vectors of $L$.) Proof: Clearly, $\lambda_1(L^*) \leq (l^{3n} + l^{n})\,\lambda_1(L)$ (6.14). Suppose now $Y$ is a shortest vector in $L^*$ and the corresponding $(y_1, y_2, \ldots, y_n)$ (according to (6.12)) is not a shortest vector of $L$. Then, noting that the $y_i$ are all integers, $|Y|^2 \geq l^{2n}|(y_1, y_2, \ldots, y_n)|^2 \geq l^{2n}(\lambda_1(L)^2 + 1)$, and (6.13) is violated. Then $|y_{i_0}| \geq |y'_{i_0}| + 1$. It can be seen easily that this, together with the fact that $y_j^2 < l$ for all $j$ (by the definition of $l$ in (6.9) and Minkowski's theorem), implies that the vector $Y'$ of $L^*$ corresponding to $y'$ is shorter than $Y$ in $L^*$, a contradiction. Thus $(|y_1|, \ldots, |y_n|)$ must be lexicographically least among all the shortest vectors of $L$. $\Box$

From (6.12) and the fact that a shortest nonzero vector $y = (y_1, \ldots, y_n)$ of $L$ must satisfy $y_j^2 < l$ for all $j$, we see easily that if $|Y|^2$ is given, then $(|y_1|, |y_2|, \ldots, |y_n|)$ can be determined: expand the integer $|Y|^2$ to the base $l$; if the digits are $\alpha_0, \alpha_1, \ldots$, then $y_1^2 = \alpha_{2n}$, $y_2^2 = \alpha_{2(n-1)}, \ldots, y_n^2 = \alpha_2$. Now further, given a subroutine for $L_2$-SHORTEST, we can find $|Y|^2$ using binary search in polynomial time. Thus we can find $(|y_1|, |y_2|, \ldots, |y_n|)$ using the subroutine and polynomial additional time. We still need the signs of the components of $y$. Towards this end, first note that $L^*$ has the property that if $Y$ is a shortest vector of $L^*$, then for any other shortest vector $Y'$ of $L^*$, $|Y'_i| = |Y_i|$ (by (6.13)). Let $(|Y_1|, |Y_2|, \ldots, |Y_n|)$ be the magnitudes of the coordinates of a shortest vector $Y$ of $L^*$ already found as described above. Let $L' = L^* \cap \{x : x_1|Y_2| - x_2|Y_1| = 0\}$; then $\lambda_1(L') = \lambda_1(L^*)$ iff there is a shortest vector of $L^*$ whose first two coordinates have the same sign. Let $L'' = L^* \cap \{x : x_1|Y_2| + x_2|Y_1| = 0\}$; then $\lambda_1(L'') = \lambda_1(L^*)$ iff there is a shortest vector of $L^*$ with the first two coordinates of opposite signs. So we do the following: using our subroutine for $L_2$-SHORTEST, we check if $\lambda_1(L') = \lambda_1(L^*)$. If so, we find (recursively) a
shortest vector in $L'$ and hence figure out a shortest vector of $L^*$, and then of $L$. If not, we find (recursively) a shortest vector of $L''$ and do likewise. Note that to solve the problem of finding a shortest vector in $n$ dimensions, we solve one instance of the corresponding $(n-1)$-dimensional problem plus polynomially many calls to $L_2$-SHORTEST. Thus, with polynomially many calls to the subroutine and polynomial additional time, we can find a shortest nonzero vector in a lattice.
The major open problem in the area is of course the complexity of the shortest vector problem, which has been discussed in the body of the paper. It is conjectured that this problem is NP-hard, at least under Cook (Turing) reductions. One approach to proving this is to prove that the approximate version of the Closest Vector Problem is NP-hard. Approximate versions of Integer Programming, the Traveling Salesman problem, etc. are known to be NP-hard. The difficulty with the CVP is that it is asking for an integer point within a sphere, a very special object. This also raises another interesting question: in proving NP-completeness of the CVP in section 6, I reduced the 3-dimensional matching problem to it. Suppose now we wish to reduce Integer Programming to the CVP. If the IP has $n$ variables and a total description of length $s$ (the number of bits), then the reduction through 3DM will in general lead to a problem whose number of variables depends polynomially on $n$ as well as $s$. The question is: can we reduce integer programming in polynomial time to the CVP so that the number of dimensions of the CVP is a small function of $n$, the number of variables of the IP? Geometrically, can the question of whether a polytope in $R^n$ has an integer point be reduced in polynomial time to questions of whether certain spheres in $R^m$ have integer points, for some $m$ close to $n$? It seems possible that we can achieve a polynomial bound on $m$ in terms of $n$ alone. For the reasons stated earlier in the paragraph, the answer to this question should shed some light on the NP-hardness of the SVP.