CSE 206A: Lattice Algorithms and Applications Winter 2012

1: Introduction to Lattices
Instructor: Daniele Micciancio UCSD CSE

Lattices are regular arrangements of points in Euclidean space. The simplest example
of lattice in n-dimensional space is Zn , the set of all n-dimensional vectors with integer
entries. More generally, a lattice is the result of applying a nonsingular1 linear transformation
B ∈ Rd×n to the integer lattice Zn , to obtain the set B(Zn ) = {Bx : x ∈ Zn }.
Despite the simplicity of their definition, lattices are powerful objects that allow to ap-
ply geometric techniques to the solution of hard combinatorial problems. Lattices naturally
occur in many settings, like crystallography, sphere packings (stacking oranges), commu-
nication theory, mathematics, etc. They have many applications in computer science and
mathematics, including the solution of integer programming problems, diophantine approx-
imation, cryptanalysis, the design of error correcting codes for multi antenna systems, and
many more. Recently, lattices have also attracted much attention as a source of computa-
tional hardness for the design of secure cryptographic functions, and they are a powerful
tool for the construction of the most advanced cryptographic primitives, including fully
homomorphic encryption schemes.
This course offers an introduction to lattices. We will study the best currently known
algorithms to solve the most important lattice problems, and how lattices are used in several
representative applications, focusing on cryptography. We begin with the definition of lattices
and their most important mathematical properties.

1. Lattices and Bases

Definition 1. Let B = [b1 , . . . , bk ] ∈ Rd×n be linearly independent vectors in Rd . The
lattice generated by B is the set
( n )
X
L(B) = {Bx : x ∈ Zn } = xi · bi : xi ∈ Z
i=1

of all the integer linear combinations of the columns of B. The matrix B is called a basis
for the lattice L(B). The integer n is called the dimension or rank of the lattice. If n = k
then L(B) is called a full rank lattice.
Definition 1 also gives a simple way to represent a lattice (which is an infinite set of
points) by a finite object: lattices can be represented by a basis matrix B. In computer
science applications, the basis matrix typically has integer or rational entries, and can be
easily represented as an array of integers.
Notice the similarity between the definition of a lattice
L(B) = {B · x : x ∈ Zn }.

1Here nonsingular means that the linear transformation x 7→ Bx from Rn to Rk defined by B is injective.
We recall that this is true if and only if the columns of B are linearly independent, i.e., the only x ∈ Rn
such that Bx = 0 is x = 0.
and the definition of vector space generated by B:
span(B) = {B · x : x ∈ Rn }.
The difference is that in a vector space you can combine the columns of B with arbitrary real
coefficients, while in a lattice only integer coefficients are allowed, resulting in a discrete set of
points. Notice that, since vectors b1 , . . . , bn are linearly independent, any point y ∈ span(B)
can be written as a linear combination y = x1 b1 + · · · xn bn with x ∈ Rn in a unique way.
Therefore y ∈ L(B) if and only if x ∈ Zn .
If B is a basis for the lattice L(B), then it is also a basis for the vector space span(B).
However, not every basis for the vector space span(B) is also a lattice basis for L(B). For
example 2B is a basis for span(B) as a vector space, but it is not a basis for L(B) as a lattice
because vector bi ∈ L(B) (for any i) is not an integer linear combination of the vectors in
2B.
Definition 2. A matrix U ∈ Zn×n is unimodular2 if it has a multiplicative inverse in Zn×n ,
i.e., there is a matrix V ∈ Zn×n such that VU = UV = I.
Proposition 3. Unimodular matrices satisfy the following properties:
(1) If U is unimodular, then U−1 is also unimodular
(2) If U and V are unimodular, then UV is also unimodular
(3) U ∈ Zn×n is unimodular if and only if det(U) = ±1
Proof. See Exercises. 
The same lattice can be represented by several different bases. Unimodular matrices can
be used to relate different bases of the same lattice.
Theorem 4. Let B and C be two bases. Then L(B) = L(C) if and only if there exists a
unimodular matrix U such that B = CU.
Proof. First assume B = CU for some unimodular matrix U. Notice that Proposition 3 if
U is unimodular, then U−1 is also unimodular. In particular, both U and U−1 are integer
matrices, and B = CU and C = BU−1 . It follows that L(B) ⊆ L(C) and L(C) ⊆ L(B),
i.e., the two matrices B and C generate the same lattice.
Now assume B and C are two bases for the same lattice L(B) = L(C). Then, by definition
of lattice, there exist integer square matrices V and U such that B = CU and C = BV.
Combining these two equations we get B = BVU, or equivalently, B(I − VU) = O. Since
B is nonsingular, it must be I − VU = O, i.e., VU = I and U is unimodular. 
A simple way to obtain a basis of a lattice from another is to apply (a sequence of)
elementary column operations, as defined below.
Definition 5. Elementary (integer) column operations on a matrix B ∈ Rd×k are:
(1) swap(i,j):(bi , bj ) ← (bj , bi ). (Exchange two basis bectors)
(2) invert(i): bi ← −bi . (Change the sign of a basis vector)
(3) add(i,c,j):bi ← (bi + c · bj ) where i 6= j and c ∈ Z. (Add an integer multiple of a
basis vector to another)
2Unimodular matrices are usually defined as integer square matrices with determinant ±1. The next
proposition shows that the two definitions are equivalent.
 It is easy to see that elementary column operations do not change the lattice generated
by the basis because they can be expressed as right multiplication by a unimodular matrix.
Exercise 6. Give unimodular matrices corresponding to the elementary column operations
swap(i,j), invert(i) and add(c,i,j) for c ∈ Z and i, j ∈ {1, ..., n},i 6= j. For each operation,
prove that your matrix is indeed unimodular by giving the inverse matrix and showing that
it has integer entries. Give also an English description of the operation specified by the
inverse matrix.
As we will prove later, any unimodular transformation can be expressed as a sequence
of elementary integer column operations. So, two bases of the same lattice can always be
related by a sequence of elementary column operations.
2. Gram-Schmidt orthogonalization
Any basis B can be transformed into an orthogonal basis for the same vector space using
the well-known Gram-Schmidt orthogonalization method. Suppose we have vectors B =
[b1 | . . . |bn ] ∈ Rd×n generating a vector space V = span(B). These vectors are not necessarily
orthogonal (or even linearly independent), but we can always find an orthogonal basis B∗ =
[b∗1 | . . . |b∗n ] for V where b∗i is the component of bi orthogonal to span(b1 , . . . , bi−1 ).
Definition 7. For any sequence of vectors B = [b1 , . . . , bn ], define the orthogonalized vectors
B∗ = [b∗1 | . . . |b∗n ] iteratively according to the formula
X hbi ,b∗ i
b∗i = bi − µi,j b∗j where µi,j = hb∗ ,bj∗ i .
j j
j<i

Exercise 8. Verify that the Gram-Schmidt vectors B∗ are indeed mutually orthogonal (i.e.,
hb∗i , b∗j i = 0 for all i 6= j) and they span the same space as B.
In matrix notation, B = B∗ T where T is the upper triangular matrix with 1 along the
diagonal and tj,i = µi,j for all j < i. It also follows that B∗ = BT−1 where T−1 is also upper
triangular with 1 along the diagonal. Since the columns of B∗ are mutually orthogonal, the
(non-zero) columns of B∗ are linearly independent and they form a basis for the vector space
span(B). However they are generally not a basis for the lattice L(B).
Example 9. The Gram-Schmidt orthogonalization of the basis B = [(2, 0)> , (1, 2)> ] is B∗ =
[(2, 0)> , (0, 2)> ]. However this is not a lattice basis for L(B) because the vector (0, 2)T does
not belong to the lattice. L(B) contains a sublattice generated by a pair of orthogonal vectors
(2, 0)> and (0, 4)> , but no pair of orthogonal vectors generate the entire lattice L(B).
So, while vector spaces always admit an orthogonal basis, this is not true for lattices.
3. The determinant
Definition 10. Given a basis B = [b1 , ..., bn ] ∈ Rk×n , the fundamental parallelepiped asso-
ciated to B is the set of points
P(B) = B[0, 1)n = {Σni=1 xi · bi : 0 ≤ xi < 1} .
Remark 11. Note that P(B) is half-open, so that the translates P(B) + v (for v ∈ L(B))
form a partition of the whole space span({)B}. More precisely, for any x ∈ span({)B}, there
exists a unique lattice point v ∈ L(B), such that x ∈ (v + P(B)).
 We now define a fundamental quantity associated to any lattice, the determinant.
Definition 12. Let B ∈ Rd×n be a basis. The determinant of a lattice det(L(B)) is defined
as the n-dimensional volume of the fundamental parallelepiped associated to B:
Y
det(L (B)) = vol(P(B)) = kb∗i k
i
∗
where B is the Gram-Schmidt orthogonalization of B.
The above formula for the determinant of a lattice is a generalization of the well known
formula for the area of a parallelepiped. Geometrically, the determinant represents the
inverse of the density of lattice points in space (e.g., the number of lattice points in a large
and sufficiently regular region of space A should be approximately equal to the volume of A
divided by the determinant.) In particular, the determinant of a lattice does not depent on
the choice of the basis. We will prove this formally later in this lecture.
The next simple upper bound on the determinant (Hadamard inequality) immediately
follows from the fact that kb∗i k ≤ kbi k.
Q
Theorem 13. For any lattice L(B), det(L(B)) ≤ kbi k.
In the next lecture we will prove that the Gram-Schmidt orthogonalization of a basis can
be computed in polynomial time. So, the determinant of a lattice can be computed in poly-
nomial time by first computing the orthogonalized vectors B∗ , and then taking the product
of their lengths. But there are simpler ways to express the determinant of a lattice that do
not involve the Gram-Schmidt orthogonalized basis. The following proposition shows that
the determinant of a lattice can be obtained from a simple matrix determinant computation.
3

Proposition 14. For any lattice basis B ∈ Rd×n

p
det(L(B)) = det(B> B).
In particular, if B ∈ Rn×n is a (non-singular) square matrix then det(L(B)) = | det(B)|.
Proof. Remember the Gram-Schmidt orthogonalization procedure. In matrix notation, it
shows that the orhogonalized vectors B∗ satisfy B = B∗ T, where T is an upper triangular
matrix with 1’s on the diagonal, and the µi,j coefficients at position (j, i) for all j < i. So,
our formula for the determinant of a lattice can be written as
p p p
det(B> B) = det(T> B∗> B∗ T) = det(T> ) det(B∗> B∗ ) det(T).
The matrices T> , T are triangular, and their determinant can be easily computed as the
product of the diagonal elements, which is 1. Now consider B∗> B∗ . This matrix is diagonal
because the columns of B∗ are orthogonal. So, its determinant can also be computed as the
product of the diagonal elements which is
Y Y
det(B∗> B∗ ) = hb∗i , b∗i i = ( kb∗i k)2 = det(L(B))2 .
i i
p
Taking the square root we get det(T> ) det(B∗> B∗ ) det(T) = det(L(B)). 
3Recall
that the determinant of a matrix can be computed in polynomial time by computing det(B)
modulo many small primes, and combining the results using the Chinese reminder theorem.
 Now it is easy to show that the determinant does not depend on the particular choice of
the basis, i.e., if two bases generate the same lattice then their lattice determinants have the
same value.
Theorem 15. Suppose B, C are bases of the same lattice L(B) = L(C). Then, det(B) =
± det(C).
Proof. Suppose L(B) = L(C). Then B = C · U where U ∈ Zn×n is a unimodular matrix.
Then det(B> B) = det((CU)> (CU)) = det(U> ) det(C> B) det(U) = det((C> B) because
det(U) = 1. 
We conclude this section showing that although not every lattice has an orthogonal basis,
every integer lattice contains an orthogonal sublattice.
Theorem 16. For any nonsingular B ∈ Zn×n , let d = | det(B)|. Then d · Zn ⊆ L(B).
Proof. Let v be any vector in d · Zn . We know v = d · y for some integer vector y ∈ Zn .
We want to prove that v ∈ L(B), i.e., d · y = B · x for some integer vector x. Since B is
non-singular, we can always find a solution x to the system B · x = d · y over the reals. We
would like to show that x is in fact an integer vector, so that dy ∈ L(B). We consider the
elements xi and use Cramer’s rule:

det ([b1 , ..., bi−1 , dy, bi+1 , ..., bn ])

xi =
det(B)
d · det ([b1 , ..., bi−1 , y, bi+1 , ..., bn ])
=
det(B)
= det ([b1 , ..., bi−1 , y, bi+1 , ..., bn ]) ∈ Z
So, x is an integer vector. 
We may say that any integer lattice L(B) is periodic modulo the determinant of the lattice,
in the sense that for any two vectors x, y, if x ≡ y (mod det(L(B))), then x ∈ L(B) if and
only if y ∈ L(B).

4. Minimum Distance
Definition 17. For any lattice Λ = L(B), the minimum distance of Λ is the smallest distance
between any two lattice points:
λ(Λ) = inf{kx − yk : x, y ∈ Λ, x 6= y}.
We observe that the minimum distance can be equivalently defined as the length of the
shortest nonzero lattice vector:
λ(Λ) = inf{kvk : v ∈ Λ \ {0}}.
This follows from the fact that lattices are additive subgroups of Rn , i.e., they are closed
under addition and subtraction. So, if x and y are distinct lattice points, then x − y is a
nonzero lattice point. The first thing we want to prove about the minimum distance is that
it is always achieved by some lattice vector, i.e., there is a lattice vector x ∈ Λ of length
exactly kxk = λ(Λ). To prove this, we need first to establish a lower bound on λ(Λ).
Theorem 18. For every lattice basis B and its Gram-Schmidt orthogonalization B∗ , λ(L(B)) ≥
minkb∗i k.
Proof. Note that b∗i are not lattice vectors. Let us consider a generic lattice vector
Bx ∈ L(B) \ {0},
where x ∈ Zn \ {0} and let k be the biggest index such that xk 6= 0. We prove that
(4.1) kBxk ≥ kb∗k k ≥ min kb∗i k.
i

In order to prove (4.1), we take the scalar product of our lattice vector and b∗k . Using the
orthogonality of b∗k and bi (for i < k) we get
X
hBx, b∗k i = hbi xi , b∗k i = xk hbk , b∗k i = xk kb∗k k2 .
i≤k

By Cauchy-Shwartz,
kBxk · kb∗k k ≥ |hBx, b∗k i| ≥ |xk | · kb∗k k2 .
Using |xk | ≥ 1 and dividing by kbk k∗ , we get kBxk ≥ kb∗k k. 
An immediate consequence of Theorem 18 is that the minimum distance of a lattice
λ(Λ) > 0 is strictly positive, and the lattice Λ is a discrete subgroup of Rn . In fact, lattices
can be alternatively defined as discrete subgroups of Rd , because, as we will prove later, any
discrete subgroup of Rn is a lattice.
Notice that the lower bound mini kb∗i k depends on the choice of the basis. We will see later
in the course that some bases give better lower bounds than others, but at this point any
nonzero lower bound will suffice. We want to show that there is a lattice vector of length λ.
Consider a sphere of radius 2λ > λ. Clearly, in the definition of λ = inf{kxk : x ∈ Λ \ {0}},
we can restrict x to range over all lattice vectors inside the sphere of radius 2λ. We observe
that (by a volume argument) the sphere contains only finitely many lattice points. (Details
below.) It follows that we can replace the inf operation with a min, and there is a point in
the set achieving the smallest possible norm.
How can we use a volume argument, when points have volume 0? Put an open sphere
of radius λ/2 around each lattice point. Since lattice points are at distance at least λ, the
spheres are disjoint. The spheres with centers in S are also contained in a sphere S 0 of radius
2.5λ. So, since the volume of the small spheres (which is proportional to 1/2n ) cannot exceed
the volume of the big sphere S 0 (which has volume proportional to 2.5n ), there are at most
5n lattice points.

5. Minkowski’s theorem
We now turn to estimating the value of λ from above. Clearly, for any basis B, we have
λ(B) ≤ mini kbi k, because each column of B is a nonzero lattice vector. We would like
to get a better bound, and, specifically, a bound that does not depend on the choice of
the basis. Clearly, lattices with arbitrarily large minimum distance can be easily obtained
simply by scaling an arbitrary lattice by a constant c > 0 to obtain λ(c · Λ) = c · λ(Λ).
What if we normalize the lattice so that det(Λ) = 1? By definition of determinant, these are
lattices with density 1, i.e., with about one lattice point per each unit volume of space. Can
the lattice still have arbitrarily large minimum distance? Equivalently, we are asking if it is
possible to bound the ratio λ(Λ)/ det(Λ)1/n for any n-dimensional lattice Λ. (Notice that the
quantity λ(Λ)/ det(Λ)1/n is invariant under linear scaling because det(c · Λ) = cn · det(Λ).)
For historical reasons4, mathematicians have defined and studied the square of this quantity,
which is called Hermite’s constant.
Definition 19. The Hermite constant of an n-dimensional lattice Λ is the quantity γ(Λ) =
(λ(Λ)/ det(Λ)1/n )2 . The Hermite constant in dimension n is the supremum γn = supΛ γ(Λ),
where Λ ranges over all n-dimensional lattices.
The upper bound on γn we are going to prove was originally proved by Minkowski. Here we
follow a different approach, by first proving a theorem of Blichfeldt from which Minkowski’s
theorem can be easily derived as a corollary.
Theorem 20. Given a lattice Λ and a set S ⊆ span(Λ) if vol(S) > det(Λ) then S contains
two points z1 , z2 ∈ S such that z1 − z2 ∈ Λ.
Proof. Let Λ = L(B). Consider the sets Sx = S ∩ (x + P(B)), where x ∈ Λ. Notice that
these sets form a partition of S, i.e., they are pairwise disjoint and
[
S= Sx .
x∈Λ

In particular we have
X
vol(S) = vol(Sx ).
x∈Λ

Notice that the shifted sets Sx − x = (S − x) ∩ P(B) are all contained in P(B). We want
to prove that the Sx cannot be all mutually disjoint. Since vol(Sx ) = vol(Sx − x), we have
X X
vol(P(B)) < vol(S) = vol(Sx ) = vol(Sx − x).
x∈Λ x∈Λ
P
The facts that Sx −x ⊆ P(B) and x∈Λ vol(Sx −x) > vol(P(B)) imply that these sets cannot
be disjoint, i.e. there exist two distinct vectors x 6= y ∈ Λ such that (Sx − x) ∩ (Sy − y) 6= 0.
Let z be any vector in the (non-empty) intersection (Sx − x) ∩ (Sy − y) and define
z1 = z + x ∈ S x ⊆ S
z2 = z + y ∈ Sy ⊆ S.
These two vectors satisfy
z1 − z2 = x − y ∈ Λ.

As a corollary to Blichfeldt theorem we immediately get a result originally due to Minkowski
that gives a bound on the length of the shortest vector in a lattice.
Corollary 21. [Minkowski’s convex body theorem] Let L(B) be a full dimensional lattice.
If S ⊂ span(L(B)) = Rn is a convex symmetric body of volume vol(S) > 2n det(B), then S
contains a nonzero lattice point.
4These problems were originally formulated and studied in the equivalent language of positive definite
quadratic forms.
Proof. Consider the set S/2 = {x : 2x ∈ S}. The volume of S/2 satisfies
vol(S/2) = 2−n vol(S) > det(B)
By Blichfeldt theorem there exist z1 , z2 ∈ S/2 such that z1 − z2 ∈ L (B) \ {0}. By definition
of S/2, 2z1 , 2z2 ∈ S. Since S is symmetric, also −2z2 ∈ S and by convexity,
2z1 − 2z2
z1 − z2 = ∈S
2
is a non-zero lattice vector contained in the set S. 
The relation between Minkowski theorem and bounding the length of the shortest vector in
a lattice is easily explained. Consider first the `∞ norm: kxk = maxi |xi |. We show that every
(full rank, n-dimensional) lattice Λ always contains a nonzero vector kxk ≤ det(Λ)1/n . Let
l = min{kxk∞ : x ∈ Λ \ {0}} and assume for contradition l > det(Λ)1/n . Take the hypercube
C = {x : kxk < l}. Notice that C is convex, symmetric, and has volume vol(C) = (2l)n >
2n det(Λ). So, by Minkowski’s theorem, C contains a nonzero lattice vector x. By definition
of C, we have kxk∞ < l, a contradiction to the minimality of l. This gives the following
corollary.
Corollary 22. For any full dimensionsional L (B) there exists a lattice point x ∈ L (B) /{0}
such that
kxk∞ ≤ det(B)1/n .
√
Using the inequality kxk ≤ nkxk∞ (valid for any n-dimensional vector x), we get a
corresponding bound in the `2 norm. It is easy to see that for Euclidean norm the full
dimensionality condition is not necessary because one can embed any lattice Λ ⊂ Rd of rank
n into Rn by a simple orthogonal projection operation.
Corollary 23. Hermite constant is at most γn ≤ n, i.e., for any lattice L (B) there exists a
lattice point x ∈ L (B) \ {0} such that
√
kxk2 ≤ n det(B)1/n .
We could have proved the bound for the Euclidean norm directly, using a sphere instead
of a cube, and then plugging in the formula for the volume of an n-dimensional sphere.
This can be useful to get slighly better bounds, but only by a constant (independent of n)
factor. For example, in two dimensions, for any lattice Λ, the disk S = {x : kxk < λ(Λ)}
contains no nonzero lattice point. So, by Minkowki’s theorem, the area of S canpbe at most
2n det(Λ) = 4 det(Λ). But we√know that the area of S is πλ2 . So, λ(Λ) ≤ 2 det(Λ)/π,
1/n
√ smaller than 2 det(Λ) . This yields the bound γ2 ≤ 4/π ≈ 1.27 < 2. In
which is strictly
fact, γ2 = 2/ 3 ≈ 1.15 is even smaller, but we will not prove this.
√ We remark that a lattice Λ can contain vectors arbitrarily shorter than Minkowski’s bound
n det(Λ)1/n . Consider for example the two dimensional lattice generated by the vectors
(1, 0)T and (0, N )T , where N is a large integer. The lattice contains a short vector√of length
λ = 1. However, the determinant of the lattice is N , and Minkowski’s bound 2N 1/2 is
much larger than 1.
It can also be shown that Minkowski’s bound cannot be asymptotically improved, in the
sense that there is a constant c such that for any dimension n there is a n-dimensional
√
lattice Λn such that γn > c · n. (See Exercises.) So, up to constant factors, O( n) det(Λ)1/n
is the best upper bound one can possibly prove on the length of the shortest vector of any
n-dimensional lattice as a function of the determinant.

6. A simple application
As an application of Minkowski’s theorem we show that any prime number p congruent
to 1 mod 4 can be written as the sum of two squares.
Theorem 24. For every prime p ≡ 1 mod 4 there exist integers a, b ∈ Z such that p = a2 +b2
Proof. Let p ∈ Z be a prime such that p ≡ 1 (mod 4). Then Z∗p is a group such that
4 | o(Z∗p ) = p − 1. Therefore, there exists an element of multiplicative order 4, and −1 is
a quadratic residue modulo p, i.e. there exists an integer i such that i2 ≡ −1 (mod p). It
immediately follows that
(6.1) p | i2 + 1.
Now define the lattice basis
 
1 0
B= .
i p
√
By Minkowski’s theorem there exists an integer vector x such that 0 < kBxk2 <
p 2·
det(B). Squaring this equation yields

(6.2) 0 < kBxk22 < 2 · det(B) = 2p.

The middle term expands to
  2
x1
= x21 + (ix1 + px2 )2
(6.3)
ix1 + px2

If we let a = x1 and b = ix1 + px2 , (2) becomes

(6.4) 0 < a2 + b2 < 2p
Hence if we can show that a2 + b2 ≡ 0 mod p, by necessity a2 + b2 = p. Expanding the right
side of (3) produces x21 + i2 x21 + p2 x22 + 2ix1 px2 , which can be factored into
p(px22 + 2ix1 x2 ) + x21 (i2 + 1)
Obviously p divides the first term, and by (1) p divides the second term. Thus a2 + b2 ≡ 0
mod p, and therefore by (4) a2 + b2 = p. 

This application shows how lattices can be used to prove non-trivial facts in number theory.
A similar theorem that can be proved with the same lattice techniques is the following.
Theorem 25. ∀n ∈ Z+ ∃a, b, c, d ∈ Z : n = a2 + b2 + c2 + d2 .
The proof is left to the reader as an excercise. As you can easily guess, the proofs involves
a 4-dimensional lattice.
 7. Successive Minima
Definition 26. For any n-dimensional lattice Λ and integer k < n, let λk (Λ) be the smallest
r > 0 such that Λ contains at least k linearly independent vectors of length at most r.
The successive minima of a lattice generalize the minimum distance λ = λ1 . By the same
volume argument used to show that there exists vectors of length λ, one can show that there
exist (linearly independent) lattice vectors v1 , . . . , vk of lengths λ1 , . . . , λk . Minkowski’s
theorem can also be generalized to provide a bound not just on λ1 , but on the geometric
mean of all successive minima.
n
Theorem 27. For any lattice Λ, ni=1 λi ≤ 2voldet(Λ)
Q
(Sn )
, where Sn is the n-dimensional unit ball.
Proof. Assume for contradiction this is not the case, i.e., i λi > 2n det(Λ)/vol(Sn ) and let
Q
x1 , . . . , xn be linearly independent vectors such that kxi k = λi . Consider the orthogonalized
vectors xi ∗ and define the transformation
X X
T( ci x i ∗ ) = λ i ci x i ∗
that expands coordinate xi ∗ by the factor λi . IfQwe apply T to the open unit ball Sn we
get a symmetric convex body T (Sn ) of volume ( i λi )vol(Sn ) > 2n det(Λ). By Minkowski’s
first theorem T (S Pn ) contains a lattice
P point y = T (x) (with kxk < 1) different from the
∗ ∗
origin. Let x = ci xi and y = λi ci xi . Since y is not zero, some ci is not zero. Let k
the largest index such that ci 6= 0. Notice that y is linearly independent from x1 , . . . , xk−1
because hxk ∗ , yi = λk ck kxk ∗ k2 > 0. We now show that kyk < λk , contradicting the definition
of λi for some i ≤ k.
X X
kyk2 = λ2i c2i kxi ∗ k2 ≤ λ2k c2i kxi ∗ k2 = λ2k kxk2 < λ2k
i≤k i≤k


8. Notes and Exercises
Lattices can be alternatively defined as discrete subgroups of Rn , i.e., subsets Λ ⊂ Rn
satisfying the following properties:
(subgroup) Λ is closed under addition and subtraction,5
(discrete) there is an  > 0 such that any two distinct lattice points x 6= y ∈ Λ are at
distance at least kx − yk ≥ .
Exercise 28. Prove that lattices (as defined in Definition 1) are discrete subgroups of Rn .
You will prove the other direction (i.e., any discrete subgroup of Rn is a lattice according
to Definition 1) in a later exercise. For now, we observe that not every subgroup of Rn is a
lattice.
Example 29. Qn is a subgroup of Rn , but not a lattice, because it is not discrete.
The definition L(B) = {Bx : x ∈ Zm } can be extended to matrices B whose columns are
not linearly independent. However, in this case, the resulting set of points is not always a
lattice because it may not be discrete. Still, we will see that if B is a matrix with integer or
rational entries, then L(B) is always a lattice.
5Technically, closure under subtraction is enough because addition can be expressed as a + b = a − (−b).
Exercise 30. Find a matrix B ∈ Rd×n such that L(B) is not a lattice. [Hint:B can be as
small as a 1-by-2 matrix.]

Exercise 31. Prove parts (1) and (2), and the “only if” direction of part (3) of Proposition
3

Exercise 32. Prove that any lattice achieving Hermite’s constant γn = (λ(Λ)/ det(Λ)1/n )2
must necessarily have n linearly independent vectors of length λ(Λ). (Equivalently, all its
successive minima are the same λ1 = λ2 = . . . = λn .) [Hint: Use Minkowski’s second theorem
and Hadamard bound]