Two Sources of a Simple Idea
Take the integer points of the plane: all pairs \((a, b)\) with \(a, b \in \mathbb{Z}\). This
is among the most familiar infinite patterns in mathematics — a regular grid, repeating identically in
every direction. Replace the two unit steps that generate it, \((1,0)\) and \((0,1)\), with any
two other vectors that do not lie on a common line, and take all their integer combinations. The
result is again an evenly spaced array of points, sheared or stretched but still perfectly
periodic. Such a point set is a lattice, and this page studies its geometry in
\(\mathbb{R}^n\).
The definition that follows will look almost too plain to repay attention: a lattice is the set
of integer combinations of some independent vectors. Two independent historical currents explain
why this plain object rewards close study, and both feed the questions we raise in the sections
below.
The geometry of numbers
The first current is the study of whole numbers through geometry. A question in arithmetic —
which integers can be written as a sum of two squares, how well an irrational number can be
approximated by fractions — can be recast as a question about how the integer points of the plane
or of a higher-dimensional space are arranged relative to a region. Minkowski's insight, late in
the nineteenth century, was that a sufficiently large symmetric convex region must swallow a
lattice point other than the origin, purely for reasons of volume. This turns arithmetic
statements into statements about area and volume, and it is the reason a lattice carries a
genuine geometry rather than a mere combinatorial pattern. We take up this circle of ideas, and
the notion of the shortest lattice vector it controls, in a companion page.
The reduction of quadratic forms
The second current is the search for a good set of generating vectors. The same lattice
can be produced by many different pairs of vectors — some nearly orthogonal and short, others
long and skewed almost onto a single line. Lagrange and Gauss, studying binary quadratic forms,
developed a procedure to replace a skewed pair by a short and nearly orthogonal one generating the
same lattice. In the twentieth century this basis-reduction idea was extended to arbitrary
dimension, and it became one of the most widely used algorithms in computational mathematics.
The non-uniqueness of the generating set, which we make precise below, is exactly what gives this
search room to operate.
A third face of the lattice belongs to the physical sciences: the atoms of a crystal sit at
lattice points, and the densest way to stack equal spheres is a lattice arrangement. We note this
only to set it aside. The thread we follow is the mathematical one — the geometry of numbers and
the reduction of bases — because it is this thread that leads, much later, to the hard
computational problems on which a new generation of cryptography is built. That destination is
still several steps away; the immediate task is to fix the definitions with care.
Lattices and Their Bases
Fix a collection of \(k\) vectors \(\mathbf{b}_1, \dots, \mathbf{b}_k \in \mathbb{R}^n\) that are
linearly
independent. The lattice they generate is the set of all their integer combinations.
Definition: Lattice
Let \(\mathbf{b}_1, \dots, \mathbf{b}_k \in \mathbb{R}^n\) be linearly independent. The
lattice generated by them is
\[
\mathcal{L}(\mathbf{b}_1, \dots, \mathbf{b}_k)
= \left\{ \sum_{i=1}^{k} z_i \mathbf{b}_i : z_i \in \mathbb{Z} \right\}.
\]
The generating vectors are called a basis of the lattice. Collecting them as
the columns of a matrix \(\mathbf{B} \in \mathbb{R}^{n \times k}\), the same set is written
compactly as
\[
\mathcal{L}(\mathbf{B}) = \left\{ \mathbf{B}\mathbf{z} : \mathbf{z} \in \mathbb{Z}^k \right\}.
\]
Two integer parameters record the shape of the ambient data. The number \(k\) of basis vectors is
the rank of the lattice, and the dimension \(n\) of the surrounding space is its
dimension. When \(k = n\) — the basis vectors span all of \(\mathbb{R}^n\) — the
lattice is called full-rank. The integer grid \(\mathbb{Z}^n\), generated by the
standard basis, is the prototypical full-rank lattice; the single line of points
\(\mathcal{L}\big((2,1)^\top\big) \subset \mathbb{R}^2\) is a rank-\(1\) lattice sitting inside a
two-dimensional space, and is not full-rank. Unless stated otherwise, the lattices we treat are
full-rank, so that \(\mathbf{B}\) is a square invertible matrix; the general case differs in
bookkeeping rather than in substance.
An intrinsic description
The definition above builds a lattice from a chosen basis. There is a second, coordinate-free way
to say what a lattice is, one that names no generators at all and instead describes the point set
by two structural properties it possesses.
The first property is algebraic. A lattice is closed under the vector-space operations that keep it
inside itself: the origin belongs to it, and if \(\mathbf{x}\) and \(\mathbf{y}\) are lattice
points then so are \(-\mathbf{x}\) and \(\mathbf{x} + \mathbf{y}\). In the language of the algebra
track, a lattice is an additive
subgroup of
\(\mathbb{R}^n\). The second property is topological, and it is what separates a lattice from a
dense set of points such as \(\mathbb{Q}^n\): a lattice is discrete. Every lattice
point has a surrounding ball of some positive radius that contains no other lattice point. The
points do not merely fail to fill space — they stay uniformly apart.
These two properties characterize lattices exactly. A subset of \(\mathbb{R}^n\) arises as
\(\mathcal{L}(\mathbf{B})\) for some independent basis if and only if it is a discrete additive
subgroup of \(\mathbb{R}^n\). The forward direction is immediate: integer combinations of
independent vectors form an additive subgroup, and the independence forces the points apart, so
the set is discrete. The reverse direction — that every discrete additive subgroup admits a finite
independent generating set — is a standard fact in the geometry of numbers, which we take as known rather than prove
here; the two descriptions may be used interchangeably in what follows.
Why the intrinsic description matters
A basis is a convenient handle, but it is not part of the lattice: the same point set carries
many bases. The intrinsic description — discrete additive subgroup —
depends on none of them. Whenever we prove that some quantity attached to a lattice is
genuinely a property of the lattice rather than an accident of the chosen basis, it is
this coordinate-free viewpoint that makes the claim well-posed.
Change of Basis
The integer grid \(\mathbb{Z}^2\) is generated by the standard basis \((1,0)^\top, (0,1)^\top\).
It is equally generated by \((1,1)^\top, (2,1)^\top\): every integer point is an integer
combination of the second pair, and conversely. A single lattice therefore carries many bases, and
the freedom to pass between them is precisely what basis reduction exploits. We now make this
freedom exact — which changes of basis preserve the lattice, and which do not.
A change of basis is a matrix acting on the right of \(\mathbf{B}\): replacing \(\mathbf{B}\) by
\(\mathbf{B}\mathbf{U}\) re-expresses the same columns as combinations of one another. For the new
columns to be integer combinations of the old, and vice versa, both \(\mathbf{U}\) and its inverse
must have integer entries. Such matrices have a clean characterization.
Definition: Unimodular Matrix and Basis Equivalence
A matrix \(\mathbf{U} \in \mathbb{Z}^{n \times n}\) is unimodular if
\(\det(\mathbf{U}) = \pm 1\). Two bases \(\mathbf{B}_1, \mathbf{B}_2 \in \mathbb{R}^{n \times n}\)
of full-rank lattices are called equivalent when they generate the same
lattice, \(\mathcal{L}(\mathbf{B}_1) = \mathcal{L}(\mathbf{B}_2)\).
The connection between the two notions is that unimodular matrices are exactly the integer matrices
with an integer inverse. Suppose \(\det(\mathbf{U}) = \pm 1\). The
adjugate formula for the
inverse writes \(\mathbf{U}^{-1} = \det(\mathbf{U})^{-1} \operatorname{adj}(\mathbf{U})\),
where the adjugate
\(\operatorname{adj}(\mathbf{U})\) is built from
determinants of
integer submatrices of
\(\mathbf{U}\) and therefore has integer entries. Dividing integer entries by
\(\det(\mathbf{U}) = \pm 1\) leaves them integers, so \(\mathbf{U}^{-1}\) is again an integer matrix
— indeed itself unimodular. Conversely, if both \(\mathbf{U}\) and
\(\mathbf{U}^{-1}\) have integer entries, then \(\det(\mathbf{U})\) and \(\det(\mathbf{U}^{-1})\) are
both integers, and their product is \(\det(\mathbf{U}\mathbf{U}^{-1}) = \det(\mathbf{I}) = 1\); the
only integers whose product is \(1\) are \(\pm 1\), forcing \(\det(\mathbf{U}) = \pm 1\). The
unimodular matrices thus form a group under multiplication.
Theorem: Bases Generating the Same Lattice
Two bases \(\mathbf{B}_1, \mathbf{B}_2 \in \mathbb{R}^{n \times n}\) generate the same lattice
if and only if \(\mathbf{B}_2 = \mathbf{B}_1 \mathbf{U}\) for some unimodular matrix
\(\mathbf{U}\).
Proof
Suppose first that \(\mathcal{L}(\mathbf{B}_1) = \mathcal{L}(\mathbf{B}_2)\). Each column of
\(\mathbf{B}_2\) is a lattice point of \(\mathcal{L}(\mathbf{B}_1)\), hence an integer
combination of the columns of \(\mathbf{B}_1\); assembling these combinations column by column
gives an integer matrix \(\mathbf{U} \in \mathbb{Z}^{n \times n}\) with
\(\mathbf{B}_2 = \mathbf{B}_1 \mathbf{U}\). Symmetrically, each column of \(\mathbf{B}_1\) lies
in \(\mathcal{L}(\mathbf{B}_2)\), giving an integer matrix \(\mathbf{V}\) with
\(\mathbf{B}_1 = \mathbf{B}_2 \mathbf{V}\). Combining, \(\mathbf{B}_1 = \mathbf{B}_1 \mathbf{U}
\mathbf{V}\); since \(\mathbf{B}_1\) is invertible, \(\mathbf{U}\mathbf{V} = \mathbf{I}\). Then
\(\det(\mathbf{U})\det(\mathbf{V}) = 1\) with both determinants integers, so
\(\det(\mathbf{U}) = \pm 1\) and \(\mathbf{U}\) is unimodular.
Conversely, suppose \(\mathbf{B}_2 = \mathbf{B}_1 \mathbf{U}\) with \(\mathbf{U}\) unimodular.
Every column of \(\mathbf{B}_2\) is then an integer combination of the columns of
\(\mathbf{B}_1\), so \(\mathcal{L}(\mathbf{B}_2) \subseteq \mathcal{L}(\mathbf{B}_1)\). Because
\(\mathbf{U}\) is unimodular, \(\mathbf{U}^{-1}\) is also an integer matrix, and
\(\mathbf{B}_1 = \mathbf{B}_2 \mathbf{U}^{-1}\) shows the reverse inclusion
\(\mathcal{L}(\mathbf{B}_1) \subseteq \mathcal{L}(\mathbf{B}_2)\). The two lattices coincide.
One consequence settles a point left open earlier. The rank of a lattice was defined as the number
of vectors in a basis, and this is well-defined only if every basis has the same size. Since any
two bases are related by an invertible (indeed unimodular) matrix, they have equal cardinality, so
the rank is an invariant of the lattice and not of the basis. The same reasoning will return in a
sharper form once we attach a volume to a basis: that volume, unlike the basis itself, will depend
only on the lattice.
The fundamental parallelepiped
A basis carries with it a natural tile, the region swept out by combinations of the basis vectors
with coefficients in the half-open unit interval.
Definition: Fundamental Parallelepiped
For a basis \(\mathbf{B} \in \mathbb{R}^{n \times n}\), the fundamental
parallelepiped is
\[
\mathcal{P}(\mathbf{B}) = \left\{ \mathbf{B}\mathbf{x} : \mathbf{x} \in \mathbb{R}^n,\
0 \le x_i \lt 1 \text{ for all } i \right\}.
\]
The tile depends on the basis: a skewed basis produces a long, slanted parallelepiped, while a
nearly orthogonal one produces a nearly rectangular tile. What does not depend on the basis is the
way the tile fills space. Placing one copy of \(\mathcal{P}(\mathbf{B})\) at each lattice point
covers all of \(\mathbb{R}^n\) exactly once. To see this, write any point as
\(\mathbf{p} = \mathbf{B}\mathbf{y}\) with \(\mathbf{y} \in \mathbb{R}^n\), and split each
coordinate into its integer and fractional parts, \(y_i = \lfloor y_i \rfloor + \{y_i\}\) with
\(\lfloor y_i \rfloor \in \mathbb{Z}\) and \(\{y_i\} \in [0, 1)\). Then
\(\mathbf{p} = \mathbf{B}\lfloor \mathbf{y} \rfloor + \mathbf{B}\{\mathbf{y}\}\), where the first
term is a lattice point and the second lies in \(\mathcal{P}(\mathbf{B})\). This decomposition is
unique because the integer and fractional parts of a real number are, so every point of space lies
in exactly one translate — no gaps and no overlaps. This is the geometric content of the basis
being a set of generators: the lattice, together with a single tile, tiles the whole space by
translation. The common volume of these tiles, identical across all bases of the lattice, is the
quantity we turn to next, where it becomes the lattice's determinant.
The Shortest Vector
A lattice has a feature the integer grid hides from view. In \(\mathbb{Z}^n\) the nonzero points
nearest the origin are the standard basis vectors, all of length one. In a skewed lattice the
shortest nonzero vector may be far from any basis vector we happened to write down, and finding it
is not obvious from the basis at all. This shortest length is a central geometric
invariant of a lattice, and it is the quantity the rest of the lattice story circles back to.
Throughout, \(\|\cdot\|\) denotes the Euclidean norm
\(\|\mathbf{x}\| = \big(\sum_i x_i^2\big)^{1/2}\), unless another norm is named; the definitions
below adapt to any norm by substituting its unit ball for the Euclidean one.
Definition: Minimum Distance and Successive Minima
The minimum distance of a lattice \(\mathcal{L}\) is the length of a shortest
nonzero lattice vector,
\[
\lambda_1(\mathcal{L}) = \min_{\mathbf{v} \in \mathcal{L} \setminus \{\mathbf{0}\}}
\|\mathbf{v}\|.
\]
More generally, for a lattice of rank \(n\) and each \(i \in \{1, \dots, n\}\), the
\(i\)-th successive minimum \(\lambda_i(\mathcal{L})\) is the smallest radius
\(r\) such that the closed ball of radius \(r\) about the origin contains \(i\) linearly
independent lattice vectors:
\[
\lambda_i(\mathcal{L}) = \min \left\{ r : \dim \operatorname{span}\big(
\mathcal{L} \cap \overline{B}(\mathbf{0}, r) \big) \ge i \right\}.
\]
Setting \(i = 1\) recovers the minimum distance, so the successive minima are a graded refinement
of a single idea: \(\lambda_1\) measures the shortest vector, \(\lambda_2\) the shortest vector in a
new direction, and so on up to \(\lambda_n\), which measures how far one must
reach to capture a full set of \(n\) independent short vectors. The insistence on linear
independence is what keeps \(\lambda_2\) from collapsing back onto \(\lambda_1\): the vector
\(2\mathbf{v}\) is longer than a shortest vector \(\mathbf{v}\), but it points the same way, so it
adds no new direction and does not count toward \(\lambda_2\). Only a vector spanning a genuinely
new direction advances the dimension in the definition. The successive minima increase weakly,
\(\lambda_1 \le \lambda_2 \le \dots \le \lambda_n\), directly from the definition, since a ball
large enough to hold \(i\) independent vectors also holds \(i - 1\) of them.
Two facts make these quantities well-posed rather than formal. First, the minimum in the
definition is attained: because the lattice is discrete, only finitely many lattice points lie
within any fixed radius, so a shortest nonzero vector genuinely exists rather than being merely
approached. Second, the same discreteness guarantees a positive lower bound —
\(\lambda_1(\mathcal{L}) > 0\) — so the points of a lattice are separated by a definite gap, the
geometric expression of the discreteness we built into the definition of a lattice.
Existence versus construction
The minimum distance raises two very different questions, and the distance between them is a
seam that runs through the study of lattices. One is a question of existence: how short
must the shortest vector be — what bound does the geometry of the lattice force upon
\(\lambda_1\)? This is answered by the geometry of numbers, where a volume argument guarantees
a short vector without ever exhibiting one; we take it up in the companion page on Minkowski's
theorem. The other is a question of construction: given a basis, actually produce a
vector achieving, or even approximating, that length. Here the situation is entirely different
— no efficient procedure is known, and the presumed difficulty of this search is precisely
what later makes lattices a foundation for cryptography. That the shortest vector must exist,
yet appears computationally out of reach to find, is the tension carried forward into the
study of lattice problems.