CSE 206A: Lattice Algorithms and Applications Fall 2017

Point Lattices
Instructor: Daniele Micciancio UCSD CSE

Lattices are regular arrangements of points in Euclidean space. The simplest example of a
lattice in $n$-dimensional space is $\mathbb{Z}^n$, the set of all $n$-dimensional vectors with integer entries.
(See Figure 1, left.) More generally, a lattice is the result of applying an injective[1] linear
transformation $B\colon \mathbb{R}^n \to \mathbb{R}^d$ to the integer lattice $\mathbb{Z}^n$, to obtain the set
$L(B) = B(\mathbb{Z}^n) = \{Bx : x \in \mathbb{Z}^n\}$. (See Figure 1, right.) Equivalently, the lattice $L(B)$ can be
described as the set of all integer linear combinations $\sum_i b_i x_i$ (with $x_i \in \mathbb{Z}$) of the columns
of $B = [b_1, \ldots, b_n]$.

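[Figure 1: The integer lattice $\mathbb{Z}^2$ (left, with the points $(1, 0)$ and $(0, 1)$ marked), and the two
dimensional lattice $B(\mathbb{Z}^2)$ (right, with the points $(1, -1)$ and $(1, 2)$ marked), where
$B = \begin{bmatrix} 1 & 1 \\ -1 & 2 \end{bmatrix}$.]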

Despite the simplicity of their definition, lattices are powerful mathematical objects that
allow geometric techniques to be applied to the solution of hard combinatorial problems. Lattices
naturally occur in many settings, like crystallography, communication theory, (algebraic)
number theory, etc. They have many applications in computer science and mathematics,
including the solution of integer programming problems, diophantine approximation, crypt-
analysis, the design of error correcting codes for multi antenna systems, and many more.
Recently, lattices have also attracted much attention as a source of computational hard-
ness for the design of secure cryptographic functions, and they are a powerful tool for the
construction of advanced cryptographic primitives, like fully homomorphic encryption. This
course offers an introduction to lattices, and their relation to other areas of computer science,
like algorithms, computational complexity and cryptography. We begin with the definition
of lattices and their most important mathematical properties.

[1] We recall that if the linear transformation is represented as a matrix $B \in \mathbb{R}^{d \times n}$, the
injectivity of $B$ is equivalent to requiring the columns of $B$ to be linearly independent.

1 Point Lattices
Definition 1 Let $B = [b_1, \ldots, b_n] \in \mathbb{R}^{d \times n}$ be linearly independent vectors in $\mathbb{R}^d$. The lattice
generated by $B$ is the set

$$L(B) = \{Bx : x \in \mathbb{Z}^n\} = \left\{ \sum_{i=1}^{n} x_i \cdot b_i : \forall i.\, x_i \in \mathbb{Z} \right\}$$

of all the integer linear combinations of the columns of $B$. The matrix $B$ is called a basis
for the lattice $L(B)$. The integer $n$ is called the rank or dimension[2] of the lattice. If $n = d$
then $L(B)$ is called a full rank or full dimensional lattice in $\mathbb{R}^d$.

Definition 1 gives a simple way to represent a lattice (which is an infinite set of points) by a
finite object: lattices can be represented by a basis matrix $B$. For example, the 2-dimensional
integer lattice $\mathbb{Z}^2$ (Figure 1, left) is represented by the basis $I = [e_1, e_2]$ where $e_1 = (1, 0)$,
$e_2 = (0, 1)$ are the standard unit vectors, while the lattice $B(\mathbb{Z}^2) = L(B)$ (Figure 1, right) is
represented by the basis $B = \begin{bmatrix} 1 & 1 \\ -1 & 2 \end{bmatrix}$. In computer science applications, the basis matrix
typically has integer or rational entries, and can be easily represented as an array of integers.
Notice the similarity between the definition of a lattice $L(B) = \{Bx : x \in \mathbb{Z}^n\}$ and the
definition of vector space generated by $B$:

$$\operatorname{span}(B) = \{Bx : x \in \mathbb{R}^n\}.$$

The difference is that in a vector space you can combine the columns of $B$ with arbitrary real
coefficients, while in a lattice only integer coefficients are allowed, resulting in a discrete set of
points. Notice that, since vectors $b_1, \ldots, b_n$ are linearly independent, any point $y \in \operatorname{span}(B)$
can be written as a linear combination $y = Bx$ with $x \in \mathbb{R}^n$ in a unique way. Therefore
$Bx \in L(B)$ if and only if $x \in \mathbb{Z}^n$.
If $B$ is a basis for the lattice $L(B)$, then it is also a basis for the vector space $\operatorname{span}(B)$
spanned by the lattice. However, not every set of lattice vectors $C \subseteq L(B)$ which is a basis for
the vector space $\operatorname{span}(B)$ is a lattice basis for $L(B)$. For example $2B = [2b_1, \ldots, 2b_n]$ is a
basis for $\operatorname{span}(B)$ as a vector space, but it is not a lattice basis for $\Lambda = L(B)$ because it only
generates the sublattice $2\Lambda = \{2v : v \in \Lambda\} \subset \Lambda$. Another example can be seen in Figure 1
(right), where the matrix $B \in \mathbb{Z}^{2 \times 2}$ is a basis for $\mathbb{R}^2$ (the vector space spanned by the integer
lattice $\mathbb{Z}^2$), but it only generates a sublattice of $\mathbb{Z}^2$ because the unit vectors $e_1 = (1, 0)$ and
$e_2 = (0, 1)$ do not belong to $L(B) = B(\mathbb{Z}^2)$.
For any lattice $\Lambda$, a sublattice of $\Lambda$ is a subset $\Lambda' \subseteq \Lambda$ which is itself a lattice, i.e.,
$\Lambda' = L(B)$ for some matrix $B$ with linearly independent columns. For example, the lattice $B(\mathbb{Z}^2)$
in Figure 1 is a sublattice of $\mathbb{Z}^2$ because all of its (basis) vectors have integer coordinates.
Sublattices are easily characterized in terms of their bases.

[2] Sometimes, the term “dimension” is also used to refer to the number of coordinates of the lattice
vectors, i.e., the dimension $d$ of the Euclidean space $\mathbb{R}^d$ containing the lattice.

Exercise 1 Show that for any two lattice bases $B \in \mathbb{R}^{d \times k}$ and $C \in \mathbb{R}^{d \times n}$, the first generates
a sublattice of the second ($L(B) \subseteq L(C)$) if and only if there is an integer matrix $U \in \mathbb{Z}^{n \times k}$
such that $B = CU$.

Two important special cases are full rank sublattices, i.e., sublattices $\Lambda' \subseteq \Lambda$ that have
the same rank as $\Lambda$, and full sublattices, i.e., sublattices $\Lambda' = \Lambda \cap \operatorname{span}(\Lambda')$ obtained as the
intersection of the lattice with a linear subspace. Clearly, the only sublattice of $\Lambda$ which is
both full and full rank, is $\Lambda$ itself.

[Figure 2: Two sublattices of $\mathbb{Z}^2$. $L(B)$, on the left, is a full rank sublattice because it is also
2-dimensional. $L(b_1)$ on the right is a full sublattice of $\mathbb{Z}^2$ because it contains all lattice
points in its linear span. On the other hand $L(B)$ is not a full sublattice of $\mathbb{Z}^2$.]

2 Bases
The same lattice can be represented by several different bases. For example, the integer
lattice $\mathbb{Z}^2$ is also generated by the basis $B = \begin{bmatrix} 1 & 1 \\ 1 & 2 \end{bmatrix}$. (See Figure 3.)
To a large extent, most algorithmic problems on lattices reduce to the problem of trans-
forming an arbitrary basis for a lattice into another basis for the same lattice with some
special properties. So, in order to study lattice problems, we need first to get a good under-
standing of how lattice bases can be modified without changing the lattice they generate.
Different bases of the same lattice are related by invertible integer transformations.

Definition 2 An integer square matrix $U \in \mathbb{Z}^{n \times n}$ is invertible if there is some other matrix
$V \in \mathbb{Z}^{n \times n}$ (the inverse of $U$) such that $VU = UV = I$.

[Figure 3: $[e_1, e_2] = \begin{bmatrix} 1 & 0 \\ 0 & 1 \end{bmatrix}$ and $[b_1, b_2] = \begin{bmatrix} 1 & 1 \\ 1 & 2 \end{bmatrix}$ are two different bases for the
integer lattice $\mathbb{Z}^2$, with $e_1 = 2b_1 - b_2$ and $e_2 = b_2 - b_1$. Clearly, $L([b_1, b_2]) \subseteq \mathbb{Z}^2$ because
$b_1, b_2$ are integer vectors. We also have $\mathbb{Z}^2 \subseteq L([b_1, b_2])$ because both unit vectors $e_1, e_2$ can be
expressed as integer linear combinations of $b_1, b_2$.]

The inverse matrix is necessarily unique, and it is denoted $U^{-1}$. The set of invertible
$n \times n$ integer matrices is denoted $GL(n, \mathbb{Z})$, which stands for “general linear group”. It is
easy to check that $GL(n, \mathbb{Z})$ is indeed a group under matrix multiplication.

Exercise 2 Prove that $GL(n, \mathbb{Z})$ is a group with respect to matrix multiplication with the
identity matrix $I$ as its neutral element, i.e., for all $U, V \in GL(n, \mathbb{Z})$, the matrices $U \cdot V$
and $U^{-1}$ are also in $GL(n, \mathbb{Z})$.

Theorem 3 Let B and C be two lattice bases. Then L(B) = L(C) if and only if there exists
an invertible matrix U ∈ GL(n, Z) such that B = CU.

Proof. First assume $B = CU$ for some integer matrix $U \in GL(n, \mathbb{Z})$. By assumption, there
is also an integer matrix $U^{-1}$ such that $C = BU^{-1}$. It follows from Exercise 1 that

$$L(B) = L(CU) \subseteq L(C) = L(BU^{-1}) \subseteq L(B).$$

This proves that $L(B) = L(C)$, i.e., the two bases generate the same lattice.
Now assume $B$ and $C$ are two bases for the same lattice. Then, again by Exercise 1, there
exist integer matrices $V$ and $U$ such that $B = CU$ and $C = BV$. Combining these two
equations we get $B = CU = BVU$, or equivalently, $B(I - VU) = O$. Since $B$ is injective,
it must be $I - VU = O$, i.e., $VU = I$. The proof that $UV = I$ is similar. This proves that
$U \in GL(n, \mathbb{Z})$ is an invertible matrix, with inverse $U^{-1} = V$. □

Theorem 3 shows that invertible integer matrices U can be used to transform a lattice
basis B into any other basis for the same lattice. In practice, it is often easier or more conve-
nient to transform B into a different basis through a sequence of simpler “local” operations.

Definition 4 An elementary (integer) column operation on a matrix $B \in \mathbb{R}^{d \times n}$ is one of
the following:

swap(i,j): Exchange two basis vectors $(b_i, b_j) \leftarrow (b_j, b_i)$ for any $i \ne j$.

invert(i): Change the sign of a basis vector $b_i \leftarrow (-b_i)$ for any $i$.

add(i,c,j): Add an integer multiple of a basis vector to another $b_i \leftarrow (b_i + c \cdot b_j)$ for any $i \ne j$
and $c \in \mathbb{Z}$.

Notice that elementary column operations $\sigma$ act on the right of matrices, so that for any
matrices $B$ and $A$, $\sigma(B \cdot A) = B \cdot \sigma(A)$. In particular, any elementary column operation $\sigma$
corresponds to right multiplication by an integer matrix $\sigma(I) \in \mathbb{Z}^{n \times n}$ because

$$\sigma(B) = \sigma(B \cdot I) = B \cdot \sigma(I).$$

It is easy to see that elementary column operations do not change the lattice generated by
the basis because they are invertible.

Exercise 3 Show that each elementary column operation $\sigma$ (swap(i,j), invert(i) or add(i,c,j)
for $c \in \mathbb{Z}$ and $i, j \in \{1, \ldots, n\}$, $i \ne j$) is invertible, and its inverse is also an elementary
column operation. Conclude that for any elementary column operation $\sigma$, the corresponding
matrix is invertible, i.e., $\sigma(I) \in GL(n, \mathbb{Z})$.

It follows from Exercises 2 and 3 that any sequence of elementary integer column operations
$\sigma = [\sigma_1, \ldots, \sigma_k]$ can be expressed as right multiplication by an invertible matrix
$\sigma(I) = \sigma_1(I) \cdot \sigma_2(I) \cdots \sigma_k(I) \in GL(n, \mathbb{Z})$. In particular, by Theorem 3, any sequence of
elementary column operations $\sigma$ turns a lattice basis $B$ into an equivalent basis $\sigma(B)$ for the
same lattice $L(B) = L(\sigma(B))$. At this point, it is natural to ask: can any invertible matrix
$U \in GL(n, \mathbb{Z})$ be expressed as a sequence of elementary column operations? Equivalently,
can any basis of a lattice $L(B)$ be obtained by applying a sequence of elementary column
operations to $B$? As we will see, the answer is yes. As a first step, we show that invertible
matrices must have unit determinant.

Definition 5 A matrix $B \in \mathbb{Z}^{n \times n}$ is unimodular if $|\det(B)| = 1$.

Lemma 6 Any invertible matrix U ∈ GL(n, Z) is unimodular.

Proof. Recall that $\det(AB) = \det(A)\det(B)$ for any square matrices $A, B$. Therefore we
have $\det(U) \cdot \det(U^{-1}) = \det(UU^{-1}) = \det(I) = 1$. Since $U \in GL(n, \mathbb{Z})$, $U^{-1}$ is also an
integer matrix, and $\det(U)$, $\det(U^{-1})$ are both integers. But for their product to be 1, it
must be either $\det(U) = \det(U^{-1}) = 1$ or $\det(U) = \det(U^{-1}) = -1$. □

At this point we have shown that elementary column operations define invertible matrices,
and that invertible matrices are unimodular. In order to close the circle, and prove that all
these properties are equivalent, we need to show that any unimodular matrix can be expressed
as a sequence of elementary column operations. To this end, it is useful to define the Hermite
normal form (HNF) of an integer matrix, which will also find more applications later in the
course. Here we define the HNF only for square nonsingular integer matrices, as this is all
we need for now. In pictures, an HNF matrix is an upper triangular matrix

$$H = \begin{bmatrix} h_{1,1} & \cdots & \cdots & \cdots & \cdots \\ & \ddots & & & \vdots \\ & & h_{i,i} & \cdots\; h_{i,j} & \cdots \\ & & & \ddots & \vdots \\ & & & & h_{n,n} \end{bmatrix}$$

with positive diagonal elements $h_{i,i} > 0$, and all other nonzero entries $0 \le h_{i,j} < h_{i,i}$ reduced
modulo the corresponding diagonal element $h_{i,i}$ on the same row.

Definition 7 A nonsingular square matrix $H \in \mathbb{R}^{n \times n}$ is in Hermite normal form (HNF) iff

1. $h_{i,j} = 0$ for all $i > j$, i.e., $H$ is upper triangular

2. $h_{i,i} > 0$ for all $i$, i.e., the diagonal elements are positive

3. $0 \le h_{i,j} < h_{i,i}$ for all $i < j$, i.e., the remaining elements are reduced modulo the
diagonal elements on the same row.

We will show that every nonsingular square integer matrix can be put in HNF using
elementary column operations. The core of the method is the following generalization of
Euclid’s algorithm to compute the greatest common divisor of two integers. Recall the
(centered) Euclidean algorithm for gcd computation:

$$\gcd(a, b) = \begin{cases} |a| & \text{if } b = 0 \\ \gcd(b, a) & \text{if } |a| < |b| \\ \gcd(a - cb, b) & \text{if } 0 < |b| \le |a|,\ c = \lfloor a/b \rceil \end{cases}$$

The algorithm performs elementary operations swap(1,2) and add(1,-c,2) on a pair of integers
$(a, b)$, possibly followed by an invert(1) operation. The sequence of elementary column
operations transforms the initial input $(a, b)$ into $(g, 0)$ where $g = \gcd(a, b)$.

Exercise 4 Show that for any nonzero integer vector $v = [v_1, \ldots, v_n]$, there is a sequence of
elementary column operations $\sigma$ such that $\sigma(v) = [0, \ldots, 0, g]$ where $g = \gcd(v_1, \ldots, v_n) > 0$.
[Hint: Use Euclid’s gcd algorithm for $n = 2$, and proceed by induction.]

Theorem 8 For any nonsingular square integer matrix $B \in \mathbb{Z}^{n \times n}$ there is a sequence of
elementary integer column operations $\sigma$ such that $\sigma(B)$ is in HNF.

Proof. Let $\sigma$ be a sequence of elementary operations from Exercise 4 which, when applied
to the last row of $B$ gives a vector of the form $[0, \ldots, 0, d_n]$ with $d_n \ge 0$. Apply $\sigma$ to the
whole matrix to yield

$$\sigma(B) = \begin{bmatrix} B' & b \\ 0^\top & d_n \end{bmatrix}.$$

Notice that since $B$ is nonsingular, $\det(B) = \pm\det(B') \cdot d_n \ne 0$, and it must be $d_n > 0$ and
$\det(B') \ne 0$. By induction, there is a sequence of elementary column operations $\sigma'$ such that
$\sigma'(B') = H'$ is in HNF. Applying this sequence of operations to $\sigma(B)$ one gets

$$\sigma'(\sigma(B)) = \begin{bmatrix} H' & b \\ 0^\top & d_n \end{bmatrix}.$$

At this point, we have a matrix that satisfies all properties of the HNF definition, except
that the entries of $b$ may not be reduced modulo the corresponding diagonal elements. Let
$d_1, \ldots, d_{n-1} > 0$ be the diagonal elements of $\sigma'(B)$, and $b = (b_1, \ldots, b_{n-1})$. In order to satisfy
this last property, we start by reducing $b_{n-1}$ modulo $d_{n-1}$ by adding an appropriate multiple
of the last column of $H'$, and proceed similarly for the other entries $b_i$. More specifically,
for $i = n-1, n-2, \ldots, 1$, we apply the operations add$(n, -\lfloor b_i/d_i \rfloor, i)$ sequentially to the
matrix. Each operation reduces $b_i$ modulo $d_i$, without modifying $b_j$ for $j > i$ because $H'$ is
upper triangular. So, after all $n - 1$ operations, all $b_i$ satisfy $0 \le b_i < d_i$. □

As an example, the HNF of the matrix $B$ from Figure 1 is $H = \begin{bmatrix} 3 & 2 \\ 0 & 1 \end{bmatrix}$ and can be
obtained from $B$ by applying the sequence of operations add(2,2,1), invert(1), swap(1,2),
add(2,1,1).

Corollary 9 For any unimodular matrix U, there is a sequence of elementary integer column
operations σ such that σ(U) = I.

Proof. Let $\sigma$ be the sequence of operations such that $\sigma(U) = H$ is in HNF. This matrix
has determinant $\det(H) = \det(U)\det(\sigma(I)) = \pm\det(U) = \pm 1$. But $H$ is upper triangular.
So, its determinant is the product of the diagonal elements. Since these diagonal elements
are positive integers, they must all be equal to $h_{i,i} = 1$. Also, all other entries must be 0
because they are integers in the range $[0, h_{i,i}) = [0, 1)$. So, $H = I$ is the identity matrix. □

As an example, the matrix $B = [b_1, b_2]$ from Figure 3 has determinant $\det(B) = 2 - 1 = 1$,
and it can be transformed into the identity matrix $I = [e_1, e_2]$ (the standard basis for
$\mathbb{Z}^2$) using the following sequence of elementary column operations: add(2,-2,1), swap(1,2),
invert(1), add(2,-1,1).

Corollary 10 For any matrix $U \in \mathbb{Z}^{n \times n}$, the following conditions are equivalent:

1. $U = \sigma(I)$ for some sequence of elementary column operations $\sigma$.

2. $U$ is invertible, i.e., $U \in GL(n, \mathbb{Z})$.

3. $U$ is unimodular, i.e., $\det(U) = \pm 1$.

Proof. We have already seen that 1 → 2 (Exercises 2 and 3) and 2 → 3 (Lemma 6). It remains
to prove 3 → 1. So, let $U$ be a unimodular matrix. By Corollary 9 there is a sequence
of elementary integer column operations $\sigma$ such that $\sigma(U) = I$ is the identity matrix. But
by Exercise 3 elementary column operations are invertible, so there is an inverse sequence $\sigma'$
such that $U = \sigma'(\sigma(U)) = \sigma'(I)$. □

Together with Theorem 3, this shows that any two bases of the same lattice can be related
by a sequence of elementary integer column operations.
The HNF can be very useful to check algebraic properties of lattices, e.g., two bases
generate the same lattice if and only if they have the same HNF. However, HNF typically
gives a basis with very bad geometric properties, as shown in the next exercise.
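
The construction in the proof of Theorem 8, and the "same HNF" test for two bases, as an added example that is not part of the original lecture notes. A matrix is a list of rows whose columns are the basis vectors, columns are numbered from 1 as in Definition 4, and the function names are this example's own:

```python
def apply_op(M, op):
    """Apply one elementary column operation (Definition 4) to M in place."""
    kind, *args = op
    if kind == "swap":          # (b_i, b_j) <- (b_j, b_i)
        i, j = args
        for row in M:
            row[i - 1], row[j - 1] = row[j - 1], row[i - 1]
    elif kind == "invert":      # b_i <- -b_i
        (i,) = args
        for row in M:
            row[i - 1] = -row[i - 1]
    elif kind == "add":         # b_i <- b_i + c * b_j
        i, c, j = args
        for row in M:
            row[i - 1] += c * row[j - 1]
    else:
        raise ValueError(f"unknown operation {kind!r}")

def apply_ops(B, ops):
    """Return a copy of B after applying the sequence of operations ops."""
    M = [list(row) for row in B]
    for op in ops:
        apply_op(M, op)
    return M

def hnf(B):
    """Return (H, ops) where H = apply_ops(B, ops) is in Hermite normal form."""
    M, n, ops = [list(row) for row in B], len(B), []

    def do(*op):
        apply_op(M, op)
        ops.append(op)

    # Rows n, n-1, ..., 1: Euclid on row k (columns 1..k) moves its gcd to column k.
    for k in range(n, 0, -1):
        for j in range(1, k):
            while M[k - 1][j - 1] != 0:
                a, b = M[k - 1][k - 1], M[k - 1][j - 1]
                c = (2 * a + b) // (2 * b)      # centered quotient, a/b rounded
                if c:
                    do("add", k, -c, j)         # remainder has size at most |b|/2
                do("swap", j, k)
        if M[k - 1][k - 1] == 0:
            raise ValueError("matrix is singular")
        if M[k - 1][k - 1] < 0:
            do("invert", k)
    # Reduce every entry above the diagonal modulo the diagonal entry of its row.
    for j in range(2, n + 1):
        for i in range(j - 1, 0, -1):
            q = M[i - 1][j - 1] // M[i - 1][i - 1]
            if q:
                do("add", j, -q, i)
    return M, ops

def is_hnf(H):
    """Check the three conditions of Definition 7."""
    n = len(H)
    return all(
        (H[i][j] == 0 if i > j else H[i][i] > 0 if i == j else 0 <= H[i][j] < H[i][i])
        for i in range(n) for j in range(n)
    )

def same_lattice(B, C):
    """Square nonsingular integer bases generate the same lattice iff HNFs agree."""
    return hnf(B)[0] == hnf(C)[0]

FIG1 = [[1, 1], [-1, 2]]    # basis B of Figure 1, columns (1,-1) and (1,2)
FIG3 = [[1, 1], [1, 2]]     # basis [b1, b2] of Figure 3
IDENTITY = [[1, 0], [0, 1]]
PAGE_OPS_FIG1 = [("add", 2, 2, 1), ("invert", 1), ("swap", 1, 2), ("add", 2, 1, 1)]
PAGE_OPS_FIG3 = [("add", 2, -2, 1), ("swap", 1, 2), ("invert", 1), ("add", 2, -1, 1)]

if __name__ == "__main__":
    print(apply_ops(FIG1, PAGE_OPS_FIG1), hnf(FIG1))
    print(same_lattice(IDENTITY, FIG3), same_lattice(IDENTITY, FIG1))
```

The operation sequence returned by `hnf` need not match the one quoted in the text; both lead to the same matrix.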

Exercise 5 Show that for any positive integer $n$, there is an $n \times n$ integer basis matrix
$B = [b_1, \ldots, b_n]$ with short vectors $b_i \in \{0, 1, -1\}^n$ (in particular, $\|b_i\| \le \sqrt{n}$), while all
vectors in the HNF basis $H = \mathrm{HNF}(B)$ have length $\|h_i\| \ge 2^{\Omega(n)}$ that is exponentially bigger.

3 Gram-Schmidt orthogonalization
Any basis $B$ can be transformed into an orthogonal basis for the same vector space using
the well-known Gram-Schmidt orthogonalization method. Suppose we have vectors
$B = [b_1, \ldots, b_n] \in \mathbb{R}^{d \times n}$ generating a vector space $V = \operatorname{span}(B)$. These vectors are not
necessarily orthogonal (or even linearly independent), but we can always find an orthogonal
basis $B^* = [b_1^*, \ldots, b_n^*]$ for $V$ where $b_i^*$ is the component of $b_i$ orthogonal to the linear span
$\operatorname{span}([b_1, \ldots, b_{i-1}])$ of the previous vectors. We recall the definition of orthogonal projection.

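Definition 11 For any vector $b \in \mathbb{R}^d$ and subset $S \subseteq \mathbb{R}^d$, let $b \perp S$ be the component of
$b$ orthogonal to $S$, i.e., the (necessarily unique) vector defined by the following conditions:

1. $(b \perp S)$ belongs to $b + \operatorname{span}(S)$,

2. $(b \perp S)$ is orthogonal to all elements of $S$.

[Figure: the vectors $b$ and $b \perp S$, the subspace $\operatorname{span}(S)$ through $0$, and the coset $b + \operatorname{span}(S)$.]

Geometrically, $b \perp S$ is the shortest vector in $b + \operatorname{span}(S)$, and can be thought of as
the standard representative for the coset $b + \operatorname{span}(S)$, or the result of reducing $b$ modulo
$\operatorname{span}(S)$.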

Definition 12 The Gram-Schmidt orthogonalization of a sequence of vectors $B = [b_1, \ldots, b_n]$
is the sequence $B^* = [b_1^*, \ldots, b_n^*]$ obtained by taking the component $b_i^* = b_i \perp [b_1, \ldots, b_{i-1}]$
of each vector, orthogonal to the previous vectors in the sequence.

[Figure 4: A basis $b_1, b_2$ and its Gram-Schmidt orthogonalization $b_1^* = b_1$, $b_2^*$, drawn with
$\operatorname{span}(b_1)$ and the coset $b_2 + \operatorname{span}(b_1)$. The orthogonalized basis depends on the order of the basis
vectors: the basis $b_2, b_1$ has orthogonalization $b_2^* = b_2$, $b_1^* = b_1 \perp b_2$.]

When a basis $B$ is clear from the context, the orthogonal projection modulo the first $i - 1$
basis vectors mapping $x$ to $x \perp \operatorname{span}(b_1, \ldots, b_{i-1})$ is usually denoted $\pi_i$, so that $b_i^* = \pi_i(b_i)$.
It immediately follows from the definition that if $B^* = [b_1^*, \ldots, b_n^*]$ is the orthogonalization
of $B = [b_1, \ldots, b_n]$, then $\operatorname{span}([b_1^*, \ldots, b_i^*]) = \operatorname{span}([b_1, \ldots, b_i])$ for every $i = 1, \ldots, n$.
Also, the vectors $B$ are linearly independent if and only if $B^*$ are linearly independent. In
particular, if $B$ is a lattice basis, then $B^*$ is a basis for the vector space $\operatorname{span}(B)$ spanned
by the lattice $L(B)$. However, generally, $B^*$ is not a lattice basis for $L(B)$ because the
orthogonalized vectors $B^*$ may not belong to the lattice.
As an example, consider the vectors $b_1 = (2, 0)$ and $b_2 = (1, 2)$. Then, the Gram-Schmidt
orthogonalization of $[b_1, b_2]$ is given by $b_1^* = b_1$ and $b_2^* = b_2 \perp b_1 = (0, 2)$. (See
Figure 4.) Notice that the orthogonalized vector $b_2^*$ does not belong to the lattice $L(B)$.
So, $B^*$ is not a lattice basis for $L(B)$. It is also important to notice that the Gram-Schmidt
orthogonalization of a basis depends on the order of the basis vectors. E.g., if we invert the
order of $b_1, b_2$ in the above example, we get $b_2^* = b_2 = (1, 2)$ and $b_1^* = b_1 \perp b_2 = (8/5, -4/5)$.
Definition 11 can be naturally formulated as a recursive definition, setting the Gram-Schmidt
orthogonalization of $[B, b]$ to the matrix $[B^*, b^*]$ where $b^* = b \perp B$ and $B^*$ is the
Gram-Schmidt orthogonalization of $B$. This recursive formulation admits a very natural
geometric description/interpretation as follows: Any lattice with basis $[B, b]$ can be decomposed
into layers $L([B, b]) = \bigcup_{c \in \mathbb{Z}} (cb + L(B))$, where each layer $cb + L(B) \subset cb + \operatorname{span}(B)$
is a shifted copy of a lower dimensional lattice $L(B) \subset \operatorname{span}(B)$. (See Figure 5.) Then, the
Gram-Schmidt vector $b^*$ is a vector orthogonal to these layers, and its length is precisely the
distance between any two consecutive layers $cb + \operatorname{span}(B)$ and $(c + 1)b + \operatorname{span}(B)$.
The following lemma gives some useful formulas for the computation of the Gram-Schmidt
orthogonalization.

[Figure 5: The lattice $L(B)$ can be decomposed into layers orthogonal to $b_n^*$, at distance $\|b_n^*\|$
from each other. Each layer is a shifted copy of lower dimensional lattice $L([b_1, \ldots, b_{n-1}])$.]

Lemma 13 The Gram-Schmidt orthogonalization of $B = [b_1, \ldots, b_n]$ is computed by the
following formulas

$$b_i^* = b_i - \sum_{j<i} \mu_{i,j} b_j^* \quad \text{where} \quad \mu_{i,j} = \frac{\langle b_i, b_j^* \rangle}{\langle b_j^*, b_j^* \rangle}.$$

Exercise 6 Verify that the vectors computed in Lemma 13 are indeed the Gram-Schmidt
orthogonalization of $B$, i.e., they satisfy the condition $b_i^* = b_i \perp [b_1, \ldots, b_{i-1}]$.

In matrix notation, the basis $B$ and its orthogonalization $B^*$ satisfy

$$B = B^* T \quad \text{where} \quad T = \begin{bmatrix} 1 & \mu_{2,1} & \cdots & \mu_{n,1} \\ & \ddots & & \vdots \\ & & 1 & \mu_{n,n-1} \\ & & & 1 \end{bmatrix}$$

i.e., $T$ is the upper triangular matrix with 1 along the diagonal and $t_{j,i} = \mu_{i,j}$ for all $j < i$.

4 The determinant
Definition 14 Given a basis $B = [b_1, \ldots, b_n] \in \mathbb{R}^{d \times n}$, the fundamental parallelepiped
associated to $B$ is the set of points

$$P(B) = B\,T^n = \left\{ \sum_{i=1}^{n} x_i \cdot b_i : \forall i.\, 0 \le x_i < 1 \right\}$$

where $T = [0, 1)$ is the half-open unit interval.


[Figure 6: The fundamental parallelepiped $P(B)$ defined by a basis, shown next to the parallelepiped
$P(B')$ of a second basis. Different bases define different parallelepipeds, but they all have the same
volume (area). The whole vector space spanned by the lattice $L(B)$ can be tiled with shifted copies
of $P(B)$, one per lattice vector.]

Note that $P(B)$ is half-open, so that the translates $P(B) + v$ (for $v \in L(B)$) form a
partition of the whole space $\operatorname{span}(B)$. More precisely, for any $x \in \operatorname{span}(B)$ in the linear
span of the lattice, there exists a unique lattice point $v \in L(B)$, such that $x \in (v + P(B))$.
(See Figure 6.) A region of space $S \subset \operatorname{span}(\Lambda)$ such that $\{x + S : x \in \Lambda\}$ is a partition of
$\operatorname{span}(\Lambda)$ is called a “fundamental region” of the lattice $\Lambda$. Another important example of
fundamental region is the orthogonalized parallelepiped $P(B^*)$. (See Figure 7.)

Exercise 7 Prove that for any basis $B$, the orthogonalized parallelepiped $P(B^*)$ is a
fundamental region of the lattice $L(B)$, i.e., for any point in space $t \in \operatorname{span}(B)$, there exists
a unique lattice point $v \in L(B^*)$ such that $t \in v + P(B^*)$. [Hint: use induction on the
dimension of the lattice.]

Exercise 8 Prove that for any lattice $\Lambda$ and vector $x \in \operatorname{span}(\Lambda)$, if $S$ is a fundamental
region of $\Lambda$, then also $x + S$ is a fundamental region.

It immediately follows from the previous exercise that other examples of fundamental
regions are given by the centered parallelepiped

$$C(B) = B\left[-\tfrac{1}{2}, \tfrac{1}{2}\right)^n = -\frac{1}{2}\sum_i b_i + P(B)$$

or the centered orthogonalized parallelepiped $C(B^*) = -\frac{1}{2}\sum_i b_i^* + P(B^*)$.
We now define a fundamental quantity associated to any lattice, the determinant.

[Figure 7: Other fundamental regions of a lattice are given by the orthogonalized parallelepiped
$P(B^*)$ and the centered parallelepiped $C(B)$. The orthogonalized parallelepipeds
are not face-to-face, but they still tile the plane.]

Definition 15 Let $B \in \mathbb{R}^{d \times n}$ be a basis with Gram-Schmidt orthogonalization $B^* = [b_1^*, \ldots, b_n^*]$.
The determinant of a lattice $\Lambda = L(B)$ is defined as the $n$-dimensional volume of the
fundamental parallelepiped associated to the basis $B$

$$\det(\Lambda) = \operatorname{vol}(P(B)) = \prod_i \|b_i^*\|$$

and does not depend (as we will prove) on the choice of the basis $B$.

The expression $\prod_i \|b_i^*\|$ for the determinant of a lattice is a generalization of the well
known formula for the area of a parallelepiped. Geometrically, the determinant represents
the inverse of the density of lattice points in space (e.g., the number of lattice points in a
large and sufficiently regular region of space $A$ is approximately equal to the volume of $A$
divided by the determinant.) The next simple upper bound on the determinant immediately
follows from the fact that $\|b_i^*\| \le \|b_i\|$.

Theorem 16 (Hadamard Inequality) For any lattice $\Lambda = L(B)$, $\det(\Lambda) \le \prod_i \|b_i\|$.

In the next lecture we will prove that the Gram-Schmidt orthogonalization of a basis
can be computed in polynomial time. So, the determinant of a lattice can be computed
in polynomial time by first computing the orthogonalized vectors $B^*$, and then taking the
product of their lengths. But there are simpler ways to express the determinant of a lattice
that do not involve the Gram-Schmidt orthogonalized basis. The following proposition
shows that the determinant of a lattice can be obtained from a simple matrix determinant
computation.[3] The matrix $B^\top B$ used in the next proposition is called the Gram matrix of
the basis $B$.

Lemma 17 For any lattice basis $B \in \mathbb{R}^{d \times n}$

$$\det(L(B)) = \sqrt{\det(B^\top B)}.$$

In particular, if $B \in \mathbb{R}^{n \times n}$ is a (nonsingular) square matrix then $\det(L(B)) = |\det(B)|$.

Proof. Remember the Gram-Schmidt orthogonalization procedure. In matrix notation, it
shows that the orthogonalized vectors $B^*$ satisfy $B = B^* T$, where $T$ is an upper triangular
matrix with ones on the diagonal. So, our formula for the determinant of a lattice can be
written as

$$\sqrt{\det(B^\top B)} = \sqrt{\det(T^\top B^{*\top} B^* T)} = \sqrt{\det(T^\top)\det(B^{*\top} B^*)\det(T)}.$$

The matrices $T^\top$, $T$ are triangular, and their determinant can be easily computed as the
product of the diagonal elements, which is 1. Now consider $B^{*\top} B^*$. This matrix is diagonal
because the columns of $B^*$ are orthogonal. So, its determinant can also be computed as the
product of the diagonal elements which is

$$\det(B^{*\top} B^*) = \prod_i \langle b_i^*, b_i^* \rangle = \Big(\prod_i \|b_i^*\|\Big)^2 = \det(L(B))^2.$$

Taking the square root we get $\sqrt{\det(T^\top)\det(B^{*\top} B^*)\det(T)} = \det(L(B))$. □

Now it is easy to show that the determinant does not depend on the particular choice of
the basis, i.e., if two bases generate the same lattice then their lattice determinants have the
same value.

Theorem 18 Suppose $B$, $C$ are bases of the same lattice $L(B) = L(C)$. Then, $\operatorname{vol}(P(B)) =
\operatorname{vol}(P(C))$.

Proof. Suppose $B$, $C$ are two bases of the same lattice. Then $B = C \cdot U$ for some unimodular
matrix $U \in \mathbb{Z}^{n \times n}$. It follows that

$$\det(B^\top B) = \det((CU)^\top (CU)) = \det(U^\top)\det(C^\top C)\det(U) = \det(C^\top C)$$

because $\det(U) = \pm 1$. □
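
The formulas of Lemma 13 and the determinant identities of Lemma 17 and Theorem 18, checked in exact rational arithmetic, as an added example that is not part of the original lecture notes. A basis is given as a list of its vectors (the columns of B); the function names, the rank-2 basis in three dimensions and the alternative basis of the Figure 1 lattice are constructed for this example:

```python
from fractions import Fraction
from math import prod

def dot(u, v):
    return sum(Fraction(a) * b for a, b in zip(u, v))

def gram_schmidt(basis):
    """Lemma 13 for linearly independent b_1..b_n. Returns (B*, mu) where
    mu[i][j] = <b_i, b*_j> / <b*_j, b*_j> for j < i (indices start at 0)."""
    ortho, mu = [], []
    for b in basis:
        coeffs = [dot(b, bs) / dot(bs, bs) for bs in ortho]
        bstar = [Fraction(x) for x in b]
        for m, bs in zip(coeffs, ortho):
            bstar = [x - m * y for x, y in zip(bstar, bs)]
        ortho.append(bstar)
        mu.append(coeffs)
    return ortho, mu

def rebuild(ortho, mu):
    """Recover B from B* and mu, i.e. B = B* T: b_i = b*_i + sum_{j<i} mu_ij b*_j."""
    out = []
    for bs, coeffs in zip(ortho, mu):
        b = list(bs)
        for m, prev in zip(coeffs, ortho):
            b = [x + m * y for x, y in zip(b, prev)]
        out.append(b)
    return out

def det(M):
    """Exact determinant of a square matrix (list of rows), Gaussian elimination."""
    A = [[Fraction(x) for x in row] for row in M]
    n, d = len(A), Fraction(1)
    for c in range(n):
        p = next((r for r in range(c, n) if A[r][c] != 0), None)
        if p is None:
            return Fraction(0)
        if p != c:
            A[c], A[p] = A[p], A[c]
            d = -d
        d *= A[c][c]
        for r in range(c + 1, n):
            f = A[r][c] / A[c][c]
            A[r] = [x - f * y for x, y in zip(A[r], A[c])]
    return d

def det_squared_gs(basis):
    """det(L(B))^2 as the product of <b*_i, b*_i> (Definition 15, squared)."""
    return prod(dot(bs, bs) for bs in gram_schmidt(basis)[0])

def det_squared_gram(basis):
    """det(L(B))^2 as det(B^T B), the determinant of the Gram matrix (Lemma 17)."""
    return det([[dot(u, v) for v in basis] for u in basis])

def hadamard_bound_squared(basis):
    """Square of the right-hand side of Theorem 16: product of <b_i, b_i>."""
    return prod(dot(b, b) for b in basis)

TEXT = [(2, 0), (1, 2)]             # b1, b2 from the Gram-Schmidt example in the text
FIG1 = [(1, -1), (1, 2)]            # columns of B from Figure 1
FIG1_ALT = [(3, 3), (1, 2)]         # constructed: [b1 + 2*b2, b2], same lattice
RANK2_IN_R3 = [(1, 1, 0), (0, 1, 1)]  # constructed: rank 2 lattice in dimension 3

if __name__ == "__main__":
    print(gram_schmidt(TEXT)[0], gram_schmidt(TEXT[::-1])[0])
    for basis in (TEXT, FIG1, FIG1_ALT, RANK2_IN_R3):
        print(det_squared_gs(basis), det_squared_gram(basis), hadamard_bound_squared(basis))
```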

Exercise 9 Let $\Lambda$ be a full rank sublattice of $\Lambda'$. Prove that

• $\det(\Lambda)$ divides $\det(\Lambda')$.
• $\Lambda = \Lambda'$ if and only if $\det(\Lambda) = \det(\Lambda')$.

[3] Recall that the determinant of an integer matrix can be computed in polynomial time by computing
$\det(B)$ modulo many small primes, and combining the results using the Chinese remainder theorem.
