A Mixed Integer Quadratic Formulation for the Shortest Vector Problem

Abstract

Lattice-based cryptography is based on the hardness of the lattice problems, e.g., the shortest vector problem and the closed vector problem. In fact, these mathematical optimization problems are known to be NP-hard. Our interest is to know how large-scale shortest vector problems can be solved. For this, we provide a mixed integer quadratic programming formulation for the shortest vector problem and propose a technique to restrict the search space of the shortest vector problem. This approach is a potential technique to improve the performance of the state-of-the-art software for mixed integer programming problems. In fact, we observe that this technique improves the numerical performance for TU Darmstadt’s benchmark instances with the dimension up to 49.

Appendices

Appendix 1 : A Second-Order Cone Program Problem

We provide a brief introduction of a second-order cone program (SOCP) problem. Denote the set K by

$$ K = \left\{ x = \begin{pmatrix} x_1\\ x_2 \end{pmatrix}\in \mathbb {R}^{n} : x_1\in \mathbb {R}, x_2\in \mathbb {R}^{n-1}, x_1 \ge \Vert x_2\Vert _2 \right\} , $$

where \(\Vert \cdot \Vert _2\) stands for the 2-norm and K is called the second-order cone. For given \(A\in \mathbb {R}^{m\times n}\), \(b\in \mathbb {R}^m\) and \(c\in \mathbb {R}^n\), the SOCP problem (14) and its dual (15) are formulated as follows:

$$\begin{aligned} \theta ^*_P&:= \inf _{x}\left\{ c^Tx : Ax = b, x\in K \right\} , \end{aligned}$$

(14)

$$\begin{aligned} \theta ^*_D&:= \sup _{y}\left\{ b^Ty : c-A^Ty\in K^*, y\in \mathbb {R}^m \right\} . \end{aligned}$$

(15)

Here \(K^*\) stands for the dual cone of K and is defined by \(K^* = \{s = (s_1, s_2)\in \mathbb {R}^n : s_1\ge \Vert s_2\Vert _2\}\). We remark that the SOCP problem (14) and its dual (15) may not have any optimal solutions even if their optimal values are finite. Such examples are given in [11]. For this, we use the terminology “\(\inf \)” and “\(\sup \)” instead of “\(\min \)” and “\(\max \)” in (14) and (15), respectively. We define \(\theta ^*_P = -\infty \) when (14) has no feasible solutions. Similarly, we define \(\theta ^*_D = -\infty \) when (15) has no feasible solutions.

For any pair (x, y) of feasible solutions of (14) and (15), we have

$$ c^Tx \ge b^Ty. $$

This inequality is called the weak duality and implies \(\theta ^*_P\ge \theta ^*_D\). It follows from the weak duality that if there exist a pair of feasible solutions x of (14) and y of (15) such that \(c^Tx=b^Ty\), \(\theta ^*_P=\theta ^*_D\) holds and thus the pair (x, y) of the feasible solution is a pair of optimal solutions for (14) and (15). The strong duality theorem ensures \(\theta ^*_P=\theta ^*_D\) under an assumption to (14) and (15). To this end, we introduce the strong feasibility for (14) and (15). (14) is said to be strongly feasible or strictly feasible if there exists a feasible solution \(\hat{x}\) of (14) such that \(A\hat{x} = b\) and \((\hat{x})_1 > \Vert \hat{x}_2\Vert _2\). (15) is said to be strongly feasible or strictly feasible if there exists a feasible solution \(\hat{y}\) of (15) such that \(c-A^T\hat{y} \in \text{ int }(K^*)\). Here \(\text{ int }(K^*)\) stands for the interior of \(K^*\).

Theorem 7.1

(Strong duality; see, e.g., [11]) If (14) is strongly feasible and (15) is feasible, then \(\theta ^*_P=\theta ^*_D\) and (15) has an optimal solution. Similarly, if (15) is strongly feasible and (14) is feasible, then \(\theta ^*_P=\theta ^*_D\) and (14) has an optimal solution.

The theoretical convergence of most of algorithms to solve (14) requires the strong feasibility for both (14) and (15). In fact, primal–dual interior-point methods approximately compute \((x, y)\in \mathbb {R}^n\times \mathbb {R}^n\) that satisfies

$$ \left\{ \begin{array}{l} Ax = b, x\in K, \\ c-A^Ty \in K^*, \\ c^Tx -b^Ty=0. \end{array} \right. $$

If (14) and (15) are strongly feasible, it follows from Theorem 7.1 that the above system has an solution, which is optimal for (14) and (15).

Finally, we give a characterization for (14) and (15) to be strongly feasible.

Theorem 7.2

(See [10, 13]) The exactly one of the following two statements is true:

1. 1.

   (14) is strongly feasible.

2. 2.

   There exists \(y\in \mathbb {R}^m\setminus \{0\}\) such that \(-A^Ty \in K^*\) and \(b^Ty \ge 0\).

In particular, if there exists \(y\in \mathbb {R}^m\setminus \{0\}\) such that \(-A^Ty \in K^*\) and \(b^Ty > 0\), (14) is infeasible. Similarly, the exactly one of the following two statements is true:

1. 1.

   (15) is strongly feasible.

2. 2.

   There exists \(x\in \mathbb {R}^n\setminus \{0\}\) such that \(Ax = 0\), \(x \in K\) and \(c^Tx \le 0\).

In particular, if there exists \(y\in \mathbb {R}^m\setminus \{0\}\) such that \(Ax =0\), \(x \in K\) and \(c^Tx < 0\), (15) is infeasible.

Appendix 2 : An SOCP Formulation for (9) and (10), and Its Strong Feasibility

In this section, we provide an SOCP formulation for (9) and (10), and prove that both the SOCP problem and its dual are strongly feasible under a mild assumption. The latter implies that both problems have optimal solutions, and that algorithms to solve SOCP problems, e.g., primal–dual interior-point methods converge an optimal solution.

We assume that (3) has a feasible solution \(\hat{\beta }\). In addition, we allow \(\ell _i = -\infty \) and \(u_I = +\infty \), but assume \(\ell _i\le u_i\) for all \(i=1, \ldots , n\).

To restrict the search space of a given SVP, we choose \(M=\Vert B\hat{\beta }\Vert _2^2\). The SOCP formulation for (9) and (10) are

$$\begin{aligned}&\sup _{y} \left\{ f^Ty : \begin{array}{l} \ell _j\le y_j \ (i\in L), y_j\le u_j \ (j\in U), e^Ty \ge 1, \\ \Vert By\Vert _2\le \sqrt{M}, y\in \mathbb {R}^n \end{array} \right\} , \end{aligned}$$

(16)

where we define

$$ L = \left\{ j\in \{1, \ldots , n\} : \ell _j \text{ is } \text{ finite } \right\} \text{ and } U = \left\{ j\in \{1, \ldots , n\} : u_j \text{ is } \text{ finite } \right\} , $$

and e stands for the n-dimensional ones vector and f is \(\pm e_i\) for (9) and \(\pm e\) for (10). Its dual can be formulated as follows:

$$\begin{aligned}&\displaystyle \inf _{\begin{array}{l}s_j, t_j, w, \\ x_1, x_2\end{array}} \left\{ \begin{array}{l} \displaystyle \sum _{j\in U} u_j s_j -\sum _{j\in L}\ell _jt_j \\ {} - w +\sqrt{M}x_1 \end{array} : \begin{array}{l} s_j -t_j -w -b_j^Tx_2 = f_j \ (j\in U\cap L), \\ s_j -w -b_j^Tx_2 = f_j \ (j\in U\setminus L), \\ -t_j -w -b_j^Tx_2 = f_j \ (j\in L\setminus U), \\ -w -b_j^Tx_2 = f_j \ (j\in \{1, \ldots , n\}\setminus (U\cup L)), \\ s_j\ge 0 \ (j\in U), t_j\ge 0 \ (j\in L), \\ w\ge 0, x_1\ge \Vert x_2\Vert _2 \end{array} \right\} . \end{aligned}$$

(17)

By applying Theorem 7.2 to (17), we can prove the strong feasibility of (17).

Proposition 8.1

(17) is strongly feasible.

Proof

We consider the following system

$$\begin{aligned}&\left\{ \begin{array}{l} f^Ty \ge 0, \\ 0\le y_j \ (j\in L), y_j\le 0 \ (j\in U), e^Ty \ge 0, \\ \Vert By\Vert _2\le 0, y\in \mathbb {R}^n \end{array} \right. \end{aligned}$$

(18)

As B is nonsingular, \(\Vert By\Vert _2\le 0\) implies \(y=0\) and (18) does not have any nonzero solutions. It follows from Theorem 7.2 that (17) is strongly feasible.   \(\square \)

It should be noted that the strong feasibility of (17) is independent of the choice of f, L, and U although the feasible region of the dual (17) depends on them.

By applying Theorem 7.2 to (16) for the strong feasibility of (16), it is sufficient to consider the following system:

$$\begin{aligned}&\left\{ \begin{array}{l} \displaystyle \sum _{j\in U} u_j s_j -\sum _{j\in L}\ell _jt_j - w +\sqrt{M}x_1\le 0, \\ s_j -t_j -w -b_j^Tx_2 = 0 \ (j\in U\cap L), \\ s_j -w -b_j^Tx_2 = 0 \ (j\in U\setminus L), \\ -t_j -w -b_j^Tx_2 = 0 \ (j\in L\setminus U), \\ -w -b_j^Tx_2 = 0 \ (j\in \{1, \ldots , n\}\setminus (U\cup L)), \\ s_j\ge 0 \ (j\in U), t_j\ge 0 \ (j\in L), w\ge 0, x_1\ge \Vert x_2\Vert _2 \end{array} \right. \end{aligned}$$

(19)

We prove that (19) has only the zero solution under a mild assumption. This implies (16) is strongly feasible.

Proposition 8.2

Assume \(\ell< \hat{\beta } < u\), i.e., \(\ell _i< \hat{\beta }_i < u_i\) for all \(i=1, \ldots , n\). Moreover, we assume that there exists \(j\in \{1, \ldots , n\}\) such that \((B\hat{\beta })^Tb_j \ne M\). Then (19) does not have any nonzero solutions.

Proof

From (19), we obtain

$$ \hat{\beta }_jw = \left\{ \begin{array}{cl} \hat{\beta }_j(s_j -t_j -b_j^Tx_2) &{} \text{ if } j\in U\cap L, \\ \hat{\beta }_j(s_j -b_j^Tx_2) &{} \text{ if } j\in U\setminus L, \\ \hat{\beta }_j(-t_j -b_j^Tx_2) &{} \text{ if } j\in L\setminus U, \\ -\hat{\beta }_jb_j^Tx_2 &{} \text{ if } j\in \{1, \ldots , n\}\setminus (U\cup L), \end{array} \right. (j=1, \ldots , n). $$

Then we obtain \(w(\hat{\beta }^Te) = \sum _{j\in U}\hat{\beta }_j s_j - \sum _{j\in L}\hat{\beta }_j t_j -(B\hat{\beta })^Tx_2\), and thus

$$ \displaystyle \sum _{j\in U} u_j s_j -\sum _{j\in L}\ell _jt_j +\sqrt{M}x_1\le w \le w(\hat{\beta }^Te) = \sum _{j\in U}\hat{\beta }_j s_j - \sum _{j\in L}\hat{\beta }_j t_j -(B\hat{\beta })^Tx_2. $$

It follows from \(x_1\ge \Vert x_2\Vert _2\) that the left hand side can be replaced by

$$ \displaystyle \sum _{j\in U} u_j s_j -\sum _{j\in L}\ell _jt_j +\sqrt{M}\Vert x_2\Vert _2. $$

We have \(\sqrt{M}\Vert x_2\Vert _2 = \Vert B\hat{\beta }\Vert _2\Vert x_2\Vert _2 \ge |(B\hat{\beta })^Tx_2|\ge -(B\hat{\beta })^Tx_2\) due to the Cauchy-Schwarz inequality. In addition, the assumption on bounds u and \(\ell \) implies

$$ \displaystyle \sum _{j\in U} u_j s_j -\sum _{j\in L}\ell _jt_j \ge \sum _{j\in U}\hat{\beta }_j s_j - \sum _{j\in L}\hat{\beta }_j t_j. $$

As both s and t are nonnegative, we obtain the following equalities from these inequalities:

$$ s_j = 0 \ (j\in U), t_j = 0 \ (j\in L), x_1 = \Vert x_2\Vert _2, \sqrt{M}\Vert x_2\Vert _2 = -(B\hat{\beta })^Tx_2. $$

It follows from the last equality that we have \(x_2 = -\alpha B\hat{\beta }\) for some \(\alpha \ge 0\). Substituting them into (19), we can rewrite (19) into the following system:

$$\begin{aligned}&\left\{ \begin{array}{l} -w + |\alpha |M = 0, \alpha \ge 0, \\ w = \alpha b_j^TB\hat{\beta } \ (j=1, \ldots , n), \\ w\ge 0, x_1 = |\alpha | \sqrt{M}. \end{array} \right. \end{aligned}$$

(20)

From \(w\ge 0\), the first and second equalities, we have \(M = b_j^TB\hat{\beta }\) for all \(j=1, \ldots , n\) if \(\alpha \ne 0\). This contradicts the assumption. Hence \(\alpha =0\) and \(w=x_1 = 0\) and \(x_2 = 0_{n-1}\), and (16) is strongly feasible under the assumption.   \(\square \)