 So, let's continue our discussion of how effectively LLL solves the shortest vector problem. And a quick review of our key results so far, suppose I have a lattice that has been reduced by LLL to a set of basis vectors and the corresponding Gram-Schmidt basis vectors, then in that case we have the following. First off, for any k, the square of the magnitude of the kth Gram-Schmidt basis vector is greater than or equal to the square of the magnitude of the preceding Gram-Schmidt basis vector times a half. Now, this is not necessarily saying that this is larger, but it's saying that it's larger than some fraction of the preceding vector. More generally, we can cascade down to that first Gram-Schmidt basis vector by repeatedly applying this inequality. And finally, the lattice basis vectors themselves are related to the Gram-Schmidt basis vectors by this inequality. The square of the magnitude of the lattice vector is strictly less than 2 to the power k minus 1 of the square of the magnitude of the kth Gram-Schmidt basis vector. And this leads to a rather surprising result. So let's take my lattice basis and our Gram-Schmidt basis vector and let's consider any vector v in the lattice. So this vector v is some linear combination of the basis vectors for the lattice, where the coefficients of that linear combination are all going to be integers. Now because the Gram-Schmidt basis is a basis, then this vector v, I must be able to express this as some linear combination of the Gram-Schmidt basis vectors, where the coefficients here are going to be real numbers. I have no guarantee they're going to be integers, and I suspect that they aren't going to be, because the Gram-Schmidt basis vectors do not consist of integer components. However, I would like to find the relationship between the coefficients of the lattice basis vectors and the coefficients of the Gram-Schmidt basis vectors. So let's start off by expressing this vector v as two different things. First off, as the linear combination of the lattice basis vectors, and then as a linear combination of the Gram-Schmidt basis vectors. And since it's the same vector in either case, then the two are equal. Now what I'm going to do is I'm going to take advantage of the fact that the dot product will help us isolate one of the coefficients here. So if I dot both products with some Gram-Schmidt basis vector, it doesn't really matter which one, because the Gram-Schmidt basis vectors are orthogonal, most of the dot products on the right hand side are going to go away. The only one I'll be left with is the dot product of vk star with vk star. And so that means that the dot product, right hand side, vk star, most of these dot products go away, and the other one I'm left with is this one. And vk star dot vk star is going to be vk star squared, the magnitude. Meanwhile, remember that my Gram-Schmidt basis reduction process gives me v i star as v i lattice basis vector minus the sum of the dot products with the preceding Gram-Schmidt basis vectors. So if I dot the value with vk star, well, v i vk star, v i dot vk star minus again this sum here, and again all of these vectors are in fact orthogonal. So this term drops out entirely. And so v i vk star is the same as v i vk star. The dot product of two Gram-Schmidt basis vectors is going to be exactly the same as the dot product of the Gram-Schmidt basis vector with the corresponding lattice basis vector. Well, most of those dot products here are going to be zero, because i and k are different numbers that the Gram-Schmidt basis vectors are orthogonal, which means that most of these products are also going to be zero. And the only time we don't get a zero value is when i and k are the same number. So if i is equal to k, vk dot vk star is the same as vk star dot vk star is the magnitude squared of vk star. Now what's interesting about this, this is not the surprise, but it's certainly one of the surprises, which is that we know that the Gram-Schmidt basis vectors are orthogonal. We know that the lattice basis vectors are not in general going to be perfectly orthogonal, but every lattice vector is going to be orthogonal to every one of the Gram-Schmidt basis vectors with the exception of the Gram-Schmidt basis vector that it's not going to be orthogonal to. And so now we're able to complete our surprise, and now if I find the same vector expressed in the Gram-Schmidt basis versus the same vector expressed using the lattice basis vector, I start with that, I form the dot product, and on the right hand side the dot products will all be zero, with the one exception of vk star. On the left hand side the dot products will all be zero with the exception of the dot product with vk. And so that gives me ak lattice vector, Gram-Schmidt basis vector, vk Gram-Schmidt basis vector square. However, we determine that these two, this dot product, was the same as that dot product. That was this result back here, vk vk star is vi dot vk star. So that tells me that those two are going to be the same, so again the dot product of the lattice basis with the Gram-Schmidt basis is going to be the same as the dot product of the Gram-Schmidt basis with the Gram-Schmidt basis. Well now that says these two dot products are going to be the same thing, and so that tells me that my a's are equal to my b's. In other words, surprise, if I have a vector that's a linear combination of my lattice vectors, then I can express that vector as a linear combination of my Gram-Schmidt basis vectors using exactly the same coefficients. So all of these are integers necessarily, which means that all of these must also be integers, even though in general these lattice basis vectors of these Gram-Schmidt basis vectors are not going to have integer components. So let's put everything together. Suppose I have some vector that actually solves the shortest vector problem for the lattice span by these, where I have the corresponding Gram-Schmidt basis vectors. Since it's a lattice vector, I have to have this vector as the sum of some linear combination of the lattice basis vectors, where at least one of the a's is non-zero, so that tells me a k squared is greater than or equal to one. Since the same coefficients can be used to obtain v using Gram-Schmidt basis, we also have that same vector as the sum of a linear combination of the Gram-Schmidt basis vectors, where I know at least one of these is an integer greater than, whose absolute value is greater than or equal to one. So that tells me that the square of the magnitude is greater than or equal to the square of a k vk squared. Well, a k squared is greater than or equal to one, so I know that the square of the magnitude has to be definitely greater than or equal to vk squared by itself, again replacing this with something smaller. And it tells me that the magnitude squared of my shortest vector is one over two to k power two k minus one v one square. For some value of k, we're not entirely sure of which one, but we know that such k must exist. Well, what's the smallest I could make this? Well, because the coefficient here gets smaller as k gets larger, the largest possible value of k is going to be n, so worst case scenario, v squared replacing this with something even smaller, one over two to power n minus one, v one star squared, magnitude. And one last note, again remember the Gram-Schmidt basis vectors are formed using the Gram-Schmidt reduction, but the very first of those Gram-Schmidt vectors is also the very first of the lattice vectors. So that tells me that whatever the shortest vector in the lattice is going to be, it is larger than some fraction of the first of the LLL lattice vectors. And so in general I come to the following conclusion. Any non-zero vector in the lattice has to satisfy this inequality, which means the shortest vector must also satisfy that inequality. In rearranging things a little bit, this means that our first lattice basis vector v one has to be within a power two to power n minus one over two times the length of whatever the actual shortest vector is going to be. And so the LLL reduced basis allows us to solve the SVP to within this factor of two to power n minus one over two.