Score:2

Crypto

Base of $(n+1)$ elements in a lattice

Ievgeni

1/13/24, 4:58 PM

Does there exist a lattice in $\mathbb{R}^n$, with an independent generative family $(b_1, \dots, b_{n+1})$ of $(n+1)$ vectors (without any loss of generality I suppose $(b_1, \dots, b_{n})$ is a $\mathbb{R}$-basis), for no generative family of size $n$.

I know:

If these vectors are in $\mathbb{Q}^n$, then the answer is NO, because the lattice is included in $\frac{1}{q}\mathbb{Z}^n$ with $q\in \mathbb{N},$ and $\frac{1}{q}\mathbb{Z}^n$ is a free $\mathbb{Z}-$module of rank $n$, (and a sub module of a free module is free with rank lower than the bigger).
It exists $(\lambda_1, \lambda_2, \dots, \lambda_n, \lambda_{n+1})\in \mathbb{Z}^{n+1}$, such that $\sum^{n+1}_{i=1} \lambda_i b_i=0.$ (Else, we can create an infinite number of points in the fundamental parallepiped of $(b_1, \dots, b_n).)$

But I do neither know how deduce the existence of a generative family of size $n$, nor to show the existence of base (because a potential family of size $(n+1)$ is clearly not).

131

2 + 4

lattice-crypto

Don Freecs

1/17/24, 5:01 PM

what do you mean by independent generative family?

Ievgeni

1/18/24, 10:25 AM

It means for any $i$, $b_i$ is not $\mathbb{Z}$-generated by the others $b_j$'s.

Ievgeni

1/18/24, 2:04 PM

No. you can have $\mathbb{R}$-dependancy and $\mathbb{Z}$-independancy.

Don Freecs

1/18/24, 2:52 PM

oh you are right excuse me

Score:1

Crypto

Mark

1/14/24, 2:18 AM

Two things

One can always find a generating set of a lattice of size at most the dimension of the ambient space (so you can always find an $n$-dimensional generating set for a lattice in $\mathbb{R}^n$)
One can always reduce a generating set of a lattice to a basis (there are standard algorithms, namely for computing what is called the Hermite Normal Form).

Your question does have an interesting component to it though. In particular, many lattice problems (such as the Shortest Independent Vectors Problem) are phrased in terms of sets of independent vectors (that generate a subspace $E$ of a certain rank, but need not be a basis for $L\cap E$). For a particular example, there is an explicit 10-dimensional lattice known such that

that lattice is generated by its minimal vectors, but
it (provably) has no basis of minimal vectors.

It is known that 10 is the lowest dimension this can occur in. Note that one can bound the gap between the (product of the) norms of elements in a minimal generating set of a lattice, see Hermite vs Minkowski by Martinet.

This has some relevance to cryptography, as certain lattice algorithms (either Babai's nearest planes or Babai rounding, I forget) do not require a basis to function, but only a generating set. I've seen some authors (I believe one of Chris Peikert's papers) use this insight for a particular lattice, I believe $D_n^* = 2\mathbb{Z}^n + (1,1,\dots,1)^t\cdot\mathbb{Z}$, but I would have to check. Specifically, by instantiating the algorithm with a short set of independent vectors (vs a short basis), one can sometimes get better algorithmic performance.

+ 4

Ievgeni

1/14/24, 7:55 AM

Can you argue about the two things (especially the first one).

Mark

1/15/24, 3:03 AM

First note that one can reduce to the case of dimension 1 --- let $[b_1,\dots, b_m]$ be a family of independent generators of a lattice $\Lambda$ in $\mathbb{R}^m$. Projecting everything orthogonal to $b_1$ yields a family $[b_2',\dots, b_m']$ of independent generators of a lattice $\Lambda'$ in $\mathbb{R}^{n-1}$. Iterating this yields a family $[b_{n}'',\dots, b_m'']$ generating a 1 dimensional lattice in $\mathbb{R}$. Next, note that any lattice $L$ in $\mathbb{R}$ takes the form $a\mathbb{Z}$ for $a> 0$. Explicitly, the lattice $\lambda_1(L)\mathbb{Z}$ always works.

Mark

1/15/24, 3:03 AM

Essentially, this will always generate a sublattice at least. But if this sublattice is proper, it is easy to show that this implies that there exists a vector in $L$ shorter than $\lambda_1(L)$, which is clearly silly. Note that the reduction to dimension 1 does require some nuance, namely one needs a good understanding which orthogonal projections preserve the lattice being discrete (not all of them will!). The requirement (it is both sufficient and necessary) for projecting onto a subspace $E$ being discrete is that $L\cap E$ is discrete. So the whole problem reduces to proving this

Mark

1/15/24, 3:09 AM

characterization. I don't remember it being that bad, so I'll let you try first. Or, if you believe this characterization (it can be found in Proposition 1.1.4 of Martinet's "Perfect lattices in Euclidean Space", though the proof there would be circular in our context, as it relies on what you want to be true to be true), we're done. We could prove it like Martinet does (Theorem 1.1.2), but this punts things over to a general topological fact about closed subgroups of $\mathbb{R}^n$, which might be wrong pedagogically for a cryptographic audience.

Score:0

Crypto

constantine

3/29/24, 5:47 AM

You just need to use LLL algorithm for $(b_1, \dots, b_{n+1})$. More specifically, In BGPS21,the Algorithm 1 and Theorem 3.6 gave a more efficient algorithm than LLL.

+ 1

Ievgeni

4/12/24, 4:11 PM

Can you precise your answer?

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Base of $(n+1)$ elements in a lattice

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.