On polynomial approximations to the shortest lattice vector length

We obtain a 2 O(n==) time algorithm to approximate the length of the shortest vector in an n-dimensional lattice to within a factor of n 3+. In this note we consider the complexity of approximating the shortest lattice vector length (called SVP-Length) when the approximation factor is poly(n). An obvious candidate for producing polynomial approximations to SVP-Length | Schnorr's improvement of the Lovv asz basis reduction algorithm 6] | turns out to be uninteresting: Schnorr's algorithm takes O(n 2 (k k=2+o(k) + n 2)) arithmetic steps (on polynomial-sized operands) to produce a (p 6k) n=k approximation. To obtain poly(n) approximation factors, k = (n), so the running time is 2 (n log n) , which is pointless in the light of an O(n n) algorithm to solve it exactly 5]. We show: Theorem 1 There exists an absolute constant > 1 such that for any > 0, SVP-Length can be approximated to within n 3+ in probabilistic time 2 n(1 2 + 1). Proof. Our algorithm uses Ajtai's 1] reduction of SVP-Length to the problem of nding a short vector in a special class of lattices; we solve the latter problem by adapting an idea of Blum, Kalai, and Wasserman 2]. To obtain the best approximation factors, we use the sharpest form of the reduction, due to Cai and Nerurkar 4, 3]. For integers n; m; and q, Ajtai 1] deenes a family of lattices in Z m deened by (n; m; q) = fL(A)g, where A is an n m matrix over Z q , and L(A) = fx 2 Z m j Ax 0(mod q)g. The main result of 1] is that if there is an algorithm A that, with certain settings of q and m, computes a non-zero vector of length n in a random lattice from (n; m; q) with non-negligible probability, then there is a randomized algorithm B that computes poly(n) approximations to SVP-Length for any n-dimensional lattice. The improved version of Ajtai's reduction 4, 3] gives the following: Theorem 2 ((1, 4, 3]) Let c > 2 and m be such that there is a probabilistic algorithm A that computes a non-zero vector of length n c?2 =2 in a random lattice in (n; m; n c) with non-negligible probability. Then there is an algorithm B that, for any > 0, and any lattice L 2 R n , computes a number e such …