Approximate Voronoi cells for lattices, revisited

Theorem 1.1

(Volume of approximate Voronoi cells) Let α > 1, and let L ⊂ L ∖ { 0 } consist of the α^d shortest non-zero vectors of a lattice 𝓛. Then, assuming the Gaussian heuristic holds, with probability 1 − o(1) we have:

Assuming [12, Heuristic assumption 1] holds (which has been restated here as Heuristic 4.2), this result would then imply what are the exact asymptotic time and space complexities of the randomized slicer. However, under the same assumption, DLW derived the following asymptotic upper bound on the relative volume of approximate Voronoi cells, for α ∈ ( 1 , 2 )

Looking closely, (2) in fact contradicts the above upper bound for α > 1 3 10 ≈ 1.054 . The source of this contradiction can be found in [12, Heuristic assumption 1]: while this assumption states that the success probability p of the randomized slicer is exactly p = vol(𝒱)/ vol(𝒱_L), the randomized slicer is in fact more likely to converge to short solutions than to long solutions: we may well have p ≫ vol(𝒱)/ vol(𝒱_L), and the gap between both quantities may be exponentially large in d. A lower bound on p therefore does not necessarily translate to a lower bound on vol(𝒱)/ vol(𝒱_L), or to an upper bound on its reciprocal.

Theorem 1.2

(CVPP complexities) Let α ∈ ( 1 , 2 ) and u ∈ ( δ , 1 δ ) . Then we can heuristically solve CVPP with query space and time S and T, where:

The best query complexities (S, T) together form the blue curve in Figure 1.

Figure 1

Query complexities for solving CVPP. The labeled curves and points correspond to the papers [7, 12, 18, 21]. Our new upper bound on the query time complexity improves upon DLW when using less than ( 10 / 9 ) d / 2 + o ( d ) ≈ 2 0.076 d + o ( d ) memory. Note that, whereas the red DLW-curve diverges as the memory approaches the dashed asymptote 2 0.048 d + o ( d ) from above, our trade-offs heuristically continue all the way to the regime of subexponential memory.

As we can see in Figure 1, for the low-memory regime of less than 2 0.076 d + o ( d ) memory, we obtain strictly better query time complexities than [12]. The trade-offs from [12] were further limited to the regime of using at least 2 0.076 d + o ( d ) memory, whereas Theorem 1.2 describes a continuous trade-off between the query time and space complexities: for arbitrary memory complexities 2 ε d + o ( d ) with ε > 0, we obtain a query time complexity 2 Θ ( d ) Extending Theorem 1.2 to the regime of α = 1 + o ( 1 ) we obtain the following result.

Corollary 1.3

(Polynomial advice for CVPP). Using d Θ ( 1 ) memory, we can heuristically solve CVPP in time d d / 2 + o ( d )

This matches the asymptotic worst-case time complexities for solving CVP with enumeration of Hanrot– Stehlé [17], and with an average-case scaling for enumeration of d d / ( 2 e ) + o ( d ) this is only off by a factor 1/e in the exponent compared to practical enumeration methods. We further see that if we use a preprocessed list of size e.g. 2 Θ ( d γ ) for constant γ ∈ ( 0 , 1 ) we heuristically obtain a CVPP time complexity scaling as 2 1 2 ( 1 − γ ) d log 2 ⁡ d + o ( d log ⁡ d )

Outline.

Section 2 first defines notation and preliminary results. Section 3 studies the volume of intersections of random halfspaces. Section 4 describes the application of these results to solving CVPP and the resulting trade-offs. The appendices describe further details on prior work, to make the paper self-contained.

Theorem 3.1

(Random points from the sphere) Let α > 1, and let L ⊂ S consist of n = α d uniformly random vectors from 𝒮. Then, with probability 1 − o(1) over the randomness of L, we have:

Proof. To prove Theorem 3.1, we will prove the following, equivalent statement:

Note that v o l ( r B ) = r d v o l ( B ) for arbitrary r, hence the equivalence. Below we will further use the quantity V L ( r ) = V L ∩ r B ⊆ V L as the intersection of the polytope with the ball of radius r > 0. Observe that for sufficiently small r ≪ r₀ we have V L ( r ) = r B ⊂ V L while for large r ≫ r₀ we have r ≫ r 0 The quantity r₀ is intuitively the radius r for which vol( v o l ( V L ( r ) ) ≈ v o l ( V L ) ≈ v o l ( r B )

First, some simple manipulations give:

Note that the vectors v/r all have norm 1 /r, and the spherical caps C v / r thus have a fixed base radius of 1/(2r). To prove the lower bound on vol(𝒱_L),we will use elementary volume arguments to argue that vol(𝒦) ≈ vol(𝒝). For the upper bound, we have v o l ( K ) ≤ v o l ( B ) and we will argue that with high probability over the randomness of L, v o l ( V L ) ≈ v o l ( V L ( r ) )

Lower bound (≥): Ignoring spherical cap intersections, we have:

For 1 / α 2 = 1 − 1 / ( 4 r 2 ) + o ( 1 ) or equivalently r = r 0 − o ( 1 ) we thus get v o l ( K ≥ ( 1 − o ( 1 ) ) ⋅ v o l ( B )

Upper bound (≤): Clearly v o l ( V L ( r ) ) = r d v o l ( K ) ≤ r d v o l ( B ) ; the difficulty lies in showing that v o l ( V L ) ≈ v o l ( V L ( r ) ) . Note that when n is large, then the spherical caps in (19) will cover (almost) the entire surface of B – if e.g. only a fraction 2 − Θ ( d 2 ) of the sphere remains uncovered, then the parts of 𝒱_L extending beyond r B will contribute a negligible amount to the volume of V_L.

Given a point on 𝒮 the probability of it not being covered by one of n spherical caps C v / r is given by [ 1 − v o l ( C v / r ) / v o l ( B ) ] n For n = v o l ( B ) / v o l ( C v / r ) this can be upper bounded by 1/e, hence for n = 2 d 2 v o l ( B ) / v o l ( C v / r ) the expected quantity not covered on the sphere is at most e − 2 d 2 By Markov’s inequality, the probability that more than a fraction e − d 2 of the sphere is covered is at most e − 2 d 2 + d 2 = e − d 2 and so the upper bound follows.□

Theorem 3.2

(Random points from the unit ball) Let α > 1, and let L ⊂ B consist of n = α d uniformly random vectors from B. Then, with probability 1 − o ( 1 ) over the randomness of L, we have:

Proof. For γ < 1 close to 1, let us divide the set L into sets L i = { v ∈ L : γ i ≤ ∥ v ∥ ≤ γ i − 1 } for i = 0, 1, . . . , i.e.we partition Li according to a sequence of thin spherical shells. With high probability over the randomness of L, each of these lists L_i will contain ( γ i α ) d + o ( d ) vectors. The original polytope can now equivalently be described as V L = ⋂ i = 0 ∞ V L i . To estimate the volume of 𝒱_L, note that by Theorem 3.1, each of these cells V L i is roughly shaped like a ball of a certain radius r_i. As a result, the volume of 𝒱_L is determined by the smallest radius min i ∈ N r i of these balls, corresponding to one of the lists L_i.

To find the list defining the smallest polytope, recall that by L_i applying Theorem 3.1 with n i = ( γ i α ) d + o ( d ) vectors to a sphere of radius ϒⁱ, we have the following relation, where β = γ 2 i

To find the value β resulting in the smallest radius, note that the derivative of f (β) satisfies f ′ ( β ) = − β α 2 ( 2 − β α 2 ) / 4 ( β α 2 − 1 ) 2 , which is negative for small β < 2 / α 2 i.e. f (β) is decreasing with β, and the volume of the V L i increases with i. Now f ′ ( β ) = 0 has one solution at β = 2 / α 2 , which is attained by one of the lists L_i iff α ≥ 2 . In the regime α < 2 the smallest radius is obtained for the first list L₀, resulting in the same bound as in Theorem 3.1, while for α ≥ 2 the non-trivial minimum value lies at β = γ 2 i = 2 / α 2 resulting in f ( β ) = 1 / α 2 and v o l ( V L ) = α − d + o ( d ) v o l ( B )

Let us finally state separately what happens when we draw points uniformly at random from a ball of a different radius. This directly follows from Theorem 3.2.

Corollary 3.3

(Random points from the β-ball). Let α > 1, and let L ⊂ B consist of n = α d uniformly random vectors from β ⋅ B . Then, with probability 1 − o(1) over the randomness of L, we have:

Proof. Relative to the β-ball, we have v o l ( V L ) = r d + o ( d ) v o l ( β B ) with r as in Theorem 3.2. Noting that vol(βB) = β^d vol(B), the result follows.

Proposition 4.4

(Polynomially many points from the unit ball). Let L ⊂ B consist of n = d Θ ( 1 ) uniformly randomvectors from B , Then, with probability 1 −o(1) over the randomness of L, we have v o l ( V L ) = 2 1 2 d log 2 ⁡ d + o ( d log ⁡ d ) v o l ( B )

Proof. This follows from substituting α = d Θ ( 1 / d ) = 1 + Θ ( log ⁡ d ) / d □

In the application of CVPP algorithms, Proposition 4.4 shows that heuristically, we obtain a smooth trade-off between enumeration and using exact Voronoi cells – Hanrot–Stehlé [17, Theorem 4] previously showed that enumeration has a cost of d d / 2 + o ( d ) time for solving CVP in the worst case, with polynomial memory.

Proposition 4.5

(Subexponentially many points from the unit ball). Let L ⊂ B consist of n = 2 Θ ( d γ ) uniformly random vectors from B . Then, with probability 1 − o(1) over the randomness of L, we have v o l ( V L ) = 2 1 2 ( 1 − γ ) d log 2 ⁡ d + o ( d log ⁡ d ) v o l ( B )

Proof. This follows from substituting α = exp ⁡ Θ ( d γ − 1 ) = 1 + Θ ( d γ − 1 )

This matches results from e.g. [11]. To illustrate Proposition 4.5 with an example, we expect to be able to solve CVPP with query time d d / 4 + o ( d ) when using 2 Θ ( d ) memory, or we can match the average-case complexity of enumeration with a query time complexity of d d / ( 2 e ) + o ( d ) using 2 Θ ( d 1 − 1 / e ) ≈ 2 Θ ( d 0.63 ) memory.