Block Korkin{Zolotarev Bases. and Successive Minima. C.P. Schnorr TR September Abstract

Transcription

1 Block Korkin{Zolotarev Bases and Successive Minima P Schnorr TR-9-0 September 99 Abstract A lattice basis b ; : : : ; b m is called block Korkin{Zolotarev with block size if for every consecutive vectors b i ; : : : ; b i+ the orthogonal projections of b i ; : : : ; b i+ in span(b ; : : : ; b i )? are reduced in the sense of Hermite and Korkin{Zolotarev Let i denote the successive minima of lattice L and let b ; : : : ; b m be a basis of L that is block Korkin{Zolotarev with block size We prove that for i = ; : : : ; m i +? i kb i k? i m i + where is the Hermite constant for dimension For block size = and odd m we show that max kb k? m? =, where the maximum is taken over all block Korkin{Zolotarev bases of lattices L We present \critical" block Korkin{Zolotarev bases achieving this maximum Using block Korkin{Zolotarev bases we improve Babai's construction of a nearby lattice point Given a block Korkin{Zolotarev basis with block size of the lattice L and given a point x in the span of L, a lattice point v can be found in time O() m satisfying kx? vk m min ul kx? uk These results also bear improvements for the method of solving integer programming problems via basis reduction Fachbereich Mathematik/Informatik, Universitat Frankfurt, Postfach 9, D{000 Frankfurt am, Germany e{mail : schnorr@informatikuni-frankfurtde

2 ii

3 Introduction The problem of selecting from all bases for a lattice a canonical basis consisting of short vectors is called reduction theory lassical reduction theory was developed in the language of uadratic forms by Lagrange (), Hermite (850) and Korkin and Zolotarev (8) in order to determine the minima of positive denite integral uadratic forms Recently there has been renewed interest in reduction theory stimulated by a new method in integer programming (HW Lenstra, Jr 98) and by Lovasz' lattice basis reduction algorithm, see AK Lenstra, HW Lenstra Jr and L Lovasz (98), which has had various applications For survey papers and background information see Lovasz (98) and (988) and Groetschel, Lovasz, Schrijver (988) The uality of a reduced basis b ; : : :; b m can be characterized by the ratios kb i k? i, i = ; : : :; m where i is the i{th successive minimum of the lattice These ratios are polynomial in m if the basis is reduced in the sense of Hermite and Korkin, Zolotarev whereas kb i k? i may be exponential in m for the L {reduced bases introduced by Lenstra, Lenstra, Lovasz (98) From the computational point of view the reduction theory introduced by Hermite (850) and by Korkin and Zolotarev (8) is the most natural one On the other hand Korkin{Zolotarev bases are not easy to nd for lattices of higher dimensions, see Kannan (98) and Schnorr (98) for algorithms This led Schnorr (98) to introduce a hierarchy of block Korkin{Zolotarev bases comprising for block size the L {reduced bases and for the maximal block size the Korkin{Zolotarev bases In this paper we prove new upper and lower bounds for the ratio kb i k? i that hold true for block Korkin{Zolotarev bases For a lattice basis b ; : : :; b m that is block Korkin{ Zolotarev with block size we show for i = ; : : :; m that i i +? kb i k? i m i + where is the Hermite constant for dimension It is known from Schnorr (98) that the base of the exponential bound on kb i k? converges to for! The new result shows that the base i decreases noticeably even as increases for small values, eg, 0, 0,,, 9, 89 for = ; ; ; 5; ; ; 8 This explains in theory the experimental results of Schnorr, Euchner (99) that show a considerably improved success rate in solving subset sum problems using block Korkin{Zolotarev bases of block size = 0 and = 0 versus = According to their experiments almost all subset sum problems of dimension up to can be solved via block Korkin{Zolotarev bases within a couple of hours The new bounds on kb i k? i are not optimal for block size We show that the optimal upper bound for = and odd m is r m? kb k? : The base :5 of this exponential bound is smaller than =5, which is the base of the general bound for = We present block Korkin{Zolotarev bases b ; : : :; b m with odd

4 m and block size = satisfying kb k? m? = These lattice bases are derived from the lattice packing D that has maximal density for dimension We recursively extend D in a \periodic way" to arbitrary dimensions m The new bounds on kb i k? i also yield good bounds for the nearest lattice point obtained from block Korkin{Zolotarev bases Given a block Korkin{Zolotarev basis b ; : : :; b m with block size and given a point x in the span of the lattice L, a lattice point v can be found in time O() satisfying kx? vk m m min ul kx? uk : This improves and extends to arbitrary the bound proven by Babai (98) for = Babai shows that kx? vk m min ul kx? uk holds for = He poses the problem to improve this bound for > The shortest lattice vector algorithm and the nearby lattice point algorithm are crucial parts of the method to solve integer programming problems via basis reduction (see eg Lenstra 98 and Kannan 98) Our improved variants for these algorithms also improve the basis reduction method for general integer programming The power of the improved method has been demonstrated by Schnorr, Euchner (99) for the particular case of subset sum problems We state in Section, Theorems and the new lower and upper bounds for the ratios kb i k? i We prove these bounds in Section In Section we apply block Korkin{ Zolotarev bases to the problem of nding approximate nearest lattice points In Section 5 we prove that the upper bound kb k m? is optimal for block Korkin{Zolotarev bases of block size We present block Korkin{Zolotarev bases for which this bound is tight Reduced Bases and Successive Minima Let IR n be the n{dimensional real vector space with the Euclidean inner product < ; > and the Euclidean norm, called the length, kyk = hy; yi = A lattice L IR n is a discrete, additive subgroup of the IR n Its rank is the dimension of the minimal subspace span(l) that contains L Each lattice L of rank m has a basis, ie a set b ; : : :; b m of linearly independent vectors that generate L as an abelian group, L = ft b + : : : + t m b m j t ; : : :; t m ZZg: Let L(b ; : : :; b m ) denote the lattice with basis b ; : : :; b m Its determinant d(l) is dened as d(l) = det[hb i ; b j i] = i;jm : This does not depend on the choice of the basis The i{th successive minimum i (L) of a lattice L (with respect to the Euclidean norm) is the smallest real number r such that there are i linearly independent vectors in L of length at most r

5 With an ordered lattice basis b ; : : :; b m IR n we associate the Gram{Schmidt orthogonalization b b ; : : :;b bm IR n which can be computed together with the Gram{Schmidt coecients i;j = hb i ;b bj i = hb bj ;b bj i by the recursion b b = b ; b Xi bi = b i? j= i;j b bj for i = ; : : :; m: We have i;i = and i;j = 0 for i < j From the above euations we have the Gram{ Schmidt decomposition [b ; : : :; b m ] = [b b ; : : :;b bm ] [ i;j ] > i;jm; where [b ; : : :; b m ] denotes the matrix with column vectors b ; : : :; b m and A > is the transpose of the matrix A With an ordered lattice basis b ; : : :; b m of the lattice L we associate the orthogonal projections i : span(b ; : : :; b m )! span(b ; : : :; b i )? i = ; : : :; m ; where span(b ; : : :; b m ) denotes the linear space generated by the vectors b ; : : :; b m and span(b ; : : :; b i )? is the orthogonal complement of span(b ; : : :; b i ) We let L i denote the lattice L i = i (L) : The lattice L i has rank m? i + and basis i (b i ); i (b i+ ); : : :; i (b m ) We have i (b i ) = b bi and i (b j ) = P m k=i b j;k k An ordered basis b ; : : :; b m of the lattice L IR n is a Korkin{Zolotarev basis if it satises the conditions j i;j j = for j < i m; () kb bi k = (L i ) for i = ; : : :; m: () This denition is euivalent to the one given, in the language of uadratic forms, by Hermite (850) in his second letter to Jacobi and by Korkin and Zolotarev (8) Let b ; : : :; b m be an ordered basis of the lattice L IR n ; m We call the basis b ; : : :; b m an {BKZ basis, ie a block Korkin{Zolotarev basis with block size, if it satises () and if i (b i ); i (b i+ ); : : :; i (b i+ ) are Korkin{Zolotarev bases for i = ; : : :; m? + : () Obviously every ( + ){BKZ basis is also a {BKZ basis The condition () means that the vector b bi = i (b i ) is a shortest non{zero vector in the lattice i (L(b ; : : :; b min(i+;m) )) for i = ; : : :; m If () holds ondition with = is euivalent to kb bi k k i (b i+ )k = kb bi+ k + i+;ikb bi k for i = ; : : :; m? : () We see that a basis b ; : : :; b m is - BKZ i it has Properties and These bases have been introduced by AK Lenstra, HW Lenstra, Jr and L Lovasz (98) We call a basis b ; : : :; b m L -reduced with ( ; ] if it has Property and if kb bi k kb bi+ k + i+;ikb bi k for i = ; : : :; m? : (5)

6 Lenstra et alii (98) have in particular considered = = From their work we have the following Theorem Every basis b ; : : :; b m of lattice L that is L {reduced with ( ; ] satises with = =(? ):?i kb bi k i (L)? kb i k i (L)? m for i = ; : : :; m: In the limit case = we have = =, and thus every - BKZ basis b ; : : :; b m of lattice L satises for i = ; : : :; m i m kb bi k i (L)? kb i k i (L)? : () A {BKZ basis b ; : : :; b m with maximal block size = m is a Korkin{Zolotarev basis For these bases we have the following bounds on kb i k? i, where the upper bound is essentially due to Mahler (98) and the lower bound is from Lagarias, HW Lenstra, Jr, Schnorr (990) Theorem Every Korkin{Zolotarev basis b ; : : :; b m of lattice L satises kb i+ ik i (L)? i+ for i = ; : : :; m We are going to extend Theorems and to arbitrary {BKZ bases For this we use the Hermite constant m which is dened as m = supf (L) d(l)?=m : for lattices L of rank mg: Its value is known for m 8, see assels (9), Appendix We have = ; = ; = ; 5 5 = 8; = =; = ; 8 8 = 8 It is known that m m for m and m e ( + o()) m 0:8m ( + o()) as m! ; e where the upper bound is due to Kabatyanskii and Levenshtein (98), see onway and Sloane (988), and the lower bound follows from the Minkowski{Hlawka theorem, see assels (9), VI Theorems and below will be proved in Section Theorem Every -BKZ basis b ; : : :; b m of lattice L satises kb bi k i (L)? m?i for i = ; : : :; m kb i k i (L)? m i + for i = ; : : :; m: Theorem improves and extends the ineuality kb k ( ) m (L) of Schnorr (98) For =, = it yields m?i kb bi k i (L)? for i = ; : : :; m

7 m kb i k i (L)? i + for i = ; : : :; m which is close to the upper bound of Ineuality It is remarkable that if the block size is a xed fraction of the rank, ie if m= is xed, then the upper bounds of Theorem are polynomial in We next consider lower bounds for kb i k i (L)?, ie upper bounds for i (L) kb i k? Theorem Every -BKZ basis b ; : : :; b m of lattice L satises i (L) kb i k? i i + for i = ; : : :; m: For i the bounds of Theorems and can be replaced by the stronger bounds of Theorem If the block size is a xed fraction of the rank m the upper bounds in Theorem are polynomial in For block size =, = Theorem yields i i + which is almost the lower bound from Ineuality kb bi k i (L) for i = ; : : :; m The values, appearing in Theorems and, are known for = ; : : :; 8 : 5 8 = = 0 5? 5 = = : :0 :0 : : :9 :89 It is interesting to nd the minimal constants c ;m for which kb k (L)? c ;m holds for all {BKZ bases b ; : : :; b m of rank m Bachem and Kannan (98) show that c ;m = m m? We prove in Section 5 that c;m = holds for odd m Notice that the upper bounds in Theorem are not optimal for Proofs for Theorems and Proposition 5 For every {BKZ basis b ; : : :; b m with m we have for M = max(kb bm?+ k; : : :; kb bm k) m that kb k M 5

8 Proof We extend the basis b ; : : :; b m by? additional vectors to such that the following holds: b?+ ; : : :; b ; b 0 ; b ; : : :; b m () kb i k = kb k for i 0 hb i ; b j i = 0 for i 0, i = j and for j =? + ; : : :; m Basis is a {BKZ basis of rank at least (? ) By denition of the Hermite constant we have kb bi k = kb bi kkb bi+ k kb bi+ k for i =? + ; : : :; m? + : Multiplication of these m? ineualities yields kb b?+ k kb b?+ k kb bm?+ k (m)= kb b?+ k kb b?+ k kb b k kb b k kb bm?+ k kb bm?+ k kb bm k kb bm k : This implies kb b?+ k kb b?+ k? kb b0 k kb b k We have kb b?+ k = = kb b k = kb k, hence (m)= kb bm?+ k kb bm k kb bm k : kb k ( ) (m)= M ( m ) and thus kb k M: orollary Every -BKZ basis b ; : : :; b m of the lattice L satises kb k m (L) : Proof If m we have kb k = (L) and the claim holds Now let m > and let v be a shortest non{zero lattice vector Wlog we can assume that v L(b ; : : :; b m ) for otherwise we can reduce m and the claim holds by induction on m If v L(b ; : : :; b m ) we have (L) = kvk (L i ) = kb bi k for i = m? + ; : : :; m: This shows that (L) max(kb bm?+ k; : : :; kb bm k) and thus the claim follows from Proposition 5

9 Proof of Theorem orollary applied to the lattice L i = i (L) yields the ineualities kb bi k m?i (L i ) for i = ; : : :; m: (8) Moreover we have (L i ) i (L) This is because there are i linearly independent vectors of length at most i (L) in L and at least one of these vectors v satises i (v) = 0 Hence (L i ) k i (v)k i (L) Using Ineuality 8 and i;j = we obtain for i = ; : : :; m kb i k = kb bi k + Xi j= i;j kb bj k m?i i (L) + m m + i + Xi j= i (L) : Xi j= m?j j (L)?j A i (L) This proves the second ineualities of Theorem The rst ineualities in Theorem follows from 8 and (L i ) i (L) Note that the factor i+ in Theorem can be replaced by the smaller factor? with = This follows from an explicit evaluation of the last sum in the proof of Theorem Proof of Theorem By denition of i = i (L) we have i maxfkb jk for j = ; : : :; ig : It follows from kb j k kb bj k + P j k= j;k k b bk k and i;j = that i i + maxfkb bj k for j = ; : : :; ig : (9) Proposition 5 applied to the {BKZ basis j (b j ); : : :; j (b i ) yields the ineualities kb bj k i?j maxfkb bi?+ k; : : :; kb bi kg for j i? + (0) On the other hand we have for i? + j i From this and in Euality 0 we see that kb bj k kb bj k k j (b i )k kb i k : i?j kb i k for j i : These ineualities and Ineuality 9 yield Theorem : i i + i kb i k for i = ; : : :; m :

10 Finding nearby lattice points Babai (98) shows how Lovasz basis reduction can be used to nd a point of a given lattice L that is nearest within a factor m= to a given point in span(l) Babai poses the uestion whether the factor m= can be improved using block Korkin{Zolotarev bases We answer this uestion in the armative We let denote the maximum of kb k =kb b k over all Korkin{Zolotarev bases b ; : : :; b The ineuality +ln has been shown in Schnorr (98) Theorem Let b ; : : :; b m ZZ n be a {BKZ basis of lattice L and let x = P m i= x ib i be in span(b ; : : :; b m ) If the lattice point v = P m j= v j b j satises jx j? P m i=j v i i;j j = for j = ; : : :; m, then we have kx? vk m; min kx? ul uk ; where m; = m m : Proof The denition of v implies that From Proposition 5 we have the ineuality kx? vk (k^b k + + k^b m k )= : This yields k^b i k m?i max(k^b m?+ k ; : : :; k^b m k ) for i m? + : kx? vk m mx j= mx j= j max(k^b m?+ k ; : : :; k^b m k ) j k^b m k m k^b m k : () Let u L be the lattice point that is nearest to x Following Babai we consider two cases ASE a: u? v L(b ; : : :; b m ) Then u? v is a nearest lattice point to x 0? v in L(b ; : : :; b m ) where x 0 span(b ; : : :; b m ) is the orthogonal projection of x, x 0 = x? m (x) Induction on m yields kx? vk = kx? x 0 k + kx 0? vk ( + m; ) kx? uk m; kx? uk ASE b: u? v L(b ; : : :; b m ) In this case we have k^b m k = kx? uk : 8

11 Hence we have from Ineuality that kx? vk m m kx? uk = m; kx? uk : We nally reduce with a dierent construction for v the constant m; of Theorem to m m The improved constant m m is polynomial in if is a xed fraction of m Theorem 8 Let b ; : : :; b m ZZ n be a {BKZ basis and x = P m i= x i b i Suppose that kb bk k = max(kb bm?+ k; : : :; kb bm k); m? + k m Let v = P m i= v i b i be a lattice point P such that P mj=k m jx j? i=j v i i;j j k^b j k is minimal for all v k ; : : :; v m ZZ and let jx j? P mi=j v i i;j j for j = k; : : :; Then we have kx? vk m m min ul kx? uk Proof Let u L be the lattice point that is nearest to x ASE a: u? v L(b ; : : :; b m ) Then u? v is a nearest lattice point to x 0? v in L(b ; : : :; b m ) where x 0 span(b ; : : :; b m ) is the orthogonal projection of x, x 0 = x? m (x) Induction on m yields kx? vk = kx? x 0 k + kx 0? vk ( + (m? ) m? ) kx? uk m m kx? uk : ASE b: u? v L(b ; : : :; b m ) It follows from the choice of v and k that kx? uk (L k ) = k b bk k max( k^b m?+ k ; : : :; k^b m k ) : As in the proof of Theorem we have onseuently kx? vk ( k^b k + + k^b m k ) = mx j= j max(k^b m?+ k ; : : :; k^b m k ) : kx? vk mx j= j kx? uk m m kx? uk : 9

12 omputational bounds omputing a lattice vector v = P m i= v i b i as in Theorem 8 can be done using the Nearest Vector Algorithm of Kannan (98) Given a { BKZ basis b ; : : :; b m this algorithm enumerates O() many lattice vectors close to x and nds integers v m?+ ; : : :; v m that minimize P P m m j=m?+ jx j? i=j v i i;j j k^b i k An \approximate" {BKZ basis can be computed from an arbitrary lattice basis b ; : : :; b m ZZ n by the algorithm of Schnorr (98) This algorithm nds an \approximate" {BKZ basis using O(nm( O() + m ) log B) arithmetic operations on O(m log B) bit integers where B is the maximal length of the given basis vectors This algorithm is theoretical For practical algorithms performing block Korkin{Zolotarev reduction see Schnorr, Euchner (99) The Schnorr, Euchner algorithm transforms an arbitrary lattice basis into a {approximate {BKZ basis, for some xed <, which by denition satises for i = ; : : :; m kb bi k ( i L(b ; : : :; b min(i+;m) )) : The Schnorr, Euchner algorithm is not proven to be polynomial time, but in practice its time bound appears to be O(nm( O() + m ) log B) No polynomial time algorithm is known for =, not even in the case that is 5 ritical {BKZ bases for block size and We call a {BKZ basis b ; : : :; b m of the lattice L critical for and m if the ratio kb k = (L) is maximal for all {BKZ bases of rank m Bachem and Kannan (98) present critical {BKZ bases b ; : : :; b m We establish critical {BKZ bases b ; : : :; b m We evaluate the constant = max kb k = kb b k, where the maximum is taken over all Korkin{Zolotarev bases b ; b ; b We prove = We describe a slight variant of the critical {BKZ bases of Bachem, Kannan (98) Let = We dene the basis matrix A m = [b ; : : :; b m ] M m;m (IR) as A m = = O = O m? m? = m 5 () 0

13 The matrices A m satisfy the recursion A m = O : : : : : : : : : : : O A m Theorem 9 (Bachem, Kannan 98) The column vectors of the matrix A m form a critical {BKZ basis 5 : Proof It can easily be seen that the vector b m is a shortest non{zero vector in L(b ; : : :; b m )? L(b ; : : :; b m ) It follows that b m is the shortest non{zero vector in the lattice L(b ; : : :; b m ) We have Therefore = (L(b ; : : :; b m )) satises = kb m k = m? ( + ) = ( )m? : kb k? = m? : Now let b ; : : :; b m be an arbitrary {BKZ basis Let v = P m i= t i b i be a shortest non{zero lattice vector and = maxfi j t i = 0g Then = (L(b ; : : :; b m )) satises : k (v)k : kb b k :? kb k : holds since (v) = 0, holds since (b ) is minimal in the lattice L(b ; b ) which contains (), follows from the ineuality We now see that kb k?? m? : This shows that the columns of Matrix form a critical basis A seuence of {BKZ bases The column vectors b ; b of the basis matrix A form a lattice packing of maximal density for rank, ie L () = L(b ; b ) satises (L () ) (det L () ) = = The matrices A m extend A periodically with period to arbitrary rank m The following construction of {BKZ bases starts with a basis matrix B = [b ; b ; b ] of the lattice L () = L(b ; b ; b ) that forms a lattice packing of maximal density for dimension, ie (L () ) (det L () )? = = p We extend B periodically with period to arbitrary dimension m For arbitrary m = ; ; : : : we dene the m m matrices B m = diag(d ; : : :; d m )M m with M m = [ i;j ] > i;jm

14 where diag(d ; : : :; d m ) is the m m diagonal matrix with positive diagonal entries d ; : : :; d m and M m is an upper triangular matrix with ones on the diagonal It follows that the i;j are the Gram{Schmidt coecients of the basis b ; : : :; b m consisting of the column vectors of B m The matrices M m ; B m are upper triangular matrices with three non{zero diagonals They satisfy for m the following recursion M m = 0 0 : : :? 0 : : : : : : : : : : : : : : : : : O M m? 5 B m = 0 0 : : : p p p 0 : : : : : : : : : : : : : : : : : : : : : : : O B m? 5 Also the matrix M m (B m, resp) has the submatrix M m? (B m?, res p) in its upper left corner For example, we have B = p O O p 5 0? O 5 = 0 p p p O p 5 ()

15 The diagonal coecients d j and the Gram-Schmidt coecients satisfy for i = ; ; : : : r i p d i = ; d i = d i i;i = i+;i = ; i+k;i = 0 for k? i+;i = i+;i = ; i+k;i = 0 for k : Let b ; : : :; b m be the column vectors of B m, B m = [b ; : : :; b m ] and let L (m) = L(b ; : : :; b m ) denote the lattice with basis b ; : : :; b m Theorem 0 The column vectors b ; : : :; b m of B m form a {BKZ basis Proof The vectors b ; b ; b and the vectors (b ); (b ); (b ) form Korkin{Zolotarev bases This can easily be veried We see from the recursive structure of B m that the triple of vectors ( i (b i ); i (b i+ ); i (b i+ )) is isometric to the triple r (i)= (b ; b ; b ) for odd i ; r (i?)= ( (b ); (b ); (b )) for even i : Hence i (b i ); i (b i+ ); i (b i+ ) is a Korkin{Zolotarev basis for i = ; : : :; m? Lemma The lattices L (m) satisfy (L (m) ) = kb m k for m = ; ; : : :; where kb m k = m? for odd m and kbm k = m? for even m Proof It is sucient to show that b m is a shortest non{zero vector in the lattice L (m) = L(b ; : : :; b m ) This claim follows from (L (m) ) ( m? (L (m) )) = kb bm? k = kb m k : The ineuality holds because of the periodic structure of the basis matrix B m The rst euality holds since b ; : : :; b m is a {BKZ basis In order to show that the basis b ; : : :; b m of lattice L (m) is a critical {BKZ basis we need an upper bound on kb k = (L) which holds for all {BKZ bases of all lattices L Let be the lattice constant = max kb k kb b k? where the maximum is taken over all Korkin{Zolotarev bases b ; : : :; b The following theorem improves the upper bound kb k (L)? k from Schnorr (98) Theorem Every {BKZ basis b ; : : :; b m integer, satises kb k (L)? k of lattice L, where k = (m? )=(? ) is

16 Proof Let v = P m i= t i b i be a shortest non{zero vector in L We can assume that v L(b ; : : :; b m?+ ) since otherwise we can reduce k and the induction hypothesis for k? yields kb k (L)? k? From v L(b ; : : :; b m?+ ) we see that m?+ (v) = 0 Since m?+ (b m?+ ); : : :; m?+ (b m ) is a Korkin{Zolotarev basis we have kb bm?+ k k m?+ (v)k (L) : Moreover kb b+()(j) k kb b+()j k b ; : : :; b m is {BKZ Therefore holds for j = ; : : :; k? since the basis kb k k kb bm?+ k k (L) : Theorem =, ie = is the height of the tetrahedron with side length Proof Let b ; b ; b be a Korkin{Zolotarev basis with kb k = and minimal kb b k, ie = kb k kb b k? = kb b k? onsider the orthogonal projection ; b + ; b b of b in span (b ; b ) We claim that ; b + ; b b must be a deep hole for the lattice L(b ; b ), ie a point that has maximal distance from the lattice points If ; b + ; b b is not a deep hole for the lattice L(b ; b ) we can change ; ; ; such that the minimal distance of ; b + ; b b from L(b ; b ) increases This permits to decrease kb b k without violating the properties of Korkin{Zolotarev bases There are at most two deep holes in the ground mesh of the basis b ; b, namely the points that have eual distance to 0; b ; b (b ; b ; b + b, respectively) b b + b 0 b deep holes in the ground mesh

17 Wlog we can assume that ; b + ; b b has eual distance from 0; b and b It follows from kb k = ; + kb b k kb k = ; j ; j that kb b k p : () Let kb b k = p + " with " 0 We have k ; b b k = k ; b b k p if " = 0 p (5) + " for " 0 : This is because " = 0 implies that kb k = kb k = kb?b k = and thus ; b + ; b b = b +b Moreover the b b {coordinate of the deep hole ; b + ; b b does not increase faster in " than kb b k We see from k (b )k kb b k that kb b k + ; k b b k kb b k, and thus kb b k kb b k? ; kb b k 5; p! + "?? = p + "! holds for the basis matrix [b ; b ; b ] This proves that = : Theorem The lattice basis b ; : : :; b k+ dened by the basis matrix B k+ is a critical {BKZ basis for k = ; ; : : : Proof Lemma shows that kb k = (L (k+) ) = k On the other hand every {BKZ basis b 0 ; : : :; b0 k+ of lattice L satises kb0 k = (L) p k by Theorem, where = by Theorem This shows that kb k = (L (k+) ) is maximal for {BKZ bases of rank k + We conjecture that the lattice bases B m = [b ; : : :; b m ] are critical {BKZ bases for even m, too Theorem only solves the case of odd m Acknowledgement The author wishes to thank Brigitte Vallee for her participation in starting this work He also thanks Michael Kalb for proofreading this paper References [] L Babai: On Lovasz' lattice reduction and the nearest lattice point problem ombinatorica, (98), { 5

18 [] A Bachem and R Kannan: Lattices and the basis reduction algorithm TR, arnegie Mellon University (98), pages [] JWS assels: An introduction to the geometry of numbers Springer-Verlag, Berlin, New York (9) [] JH onway and HJA Sloane: Sphere Packings, Lattices and Groups Springer{ Verlag, New York Berlin (988) [5] MJ oster, A Joux, BA LaMacchia, AM Odlyzko, P Schnorr and J Stern: An improved low{density subset sum algorithm To appear in computational complexity [] M Grtschel, L Lovasz, and A Schrijver: Geometric algorithms and combinatorial optimization Springer{Verlag, Berlin, 988 [] Hermite: Extraits de lettres de M h Hermite a M Jacobi sur dierents objets de la theorie des nombres, Deuxieme lettre du ao^ut 85 J Reine Angew Math 0 (850), 9{90 [8] R Kannan: Minkowski's convex body theorem and integer programming Math Oper Res (98), 5{0 [9] A Korkine, and G Zolotareff: Sur les formes uadratiues Math Ann (8), {89 [0] J Lagarias, HW Lenstra, Jr, and P Schnorr: Korkin{Zolotarev bases and successive minima of a lattice and its reciprocal lattice ombinatorica, 0 (990), {8 [] JL Lagrange: Recherches d'arithmetiue, Nouv Mem Acad Berlin (), 5{ vres, vol VIII, 9{5 [] AK Lenstra, HW Lenstra, Jr, and L Lovasz: Factoring polynomials with rational coecients Math Ann (98), 55{5 [] HW Lenstra, Jr: Integer programming with a xed number of variables Math Oper Res 8 (98), 58{58 [] L Lovasz: An algorithmic theory of numbers, graphs and convexity BMS{NSF Regional onference Series in Applied Mathematics 50, SIAM, Philadelphia, Pennsylvania, 98 [5] L Lovasz: Geometry of numbers and integer programming Proceedings th Annual Symp on Mathematical Programming (988), {0 [] K Mahler: A theorem on inhomogeneous diophantine ineualities Nederl Akad Wetensch, Proc (98), { [] P Schnorr: A hierarchy of polynomial time lattice basis reduction algorithms Theoret omput Sci 5 (98), 0{

19 [8] P Schnorr and M Euchner: Lattice basis reduction: improved algorithms and solving subset sum problems Proceedings of Fundamentals of omputation Theory, FT'9, Ed L Budach, Springer LNS 59, (99), 8{85