The closest vector problem in tensored root lattices of type A and in their duals

In this work we consider the closest vector problem (CVP)—a problem also known as maximum-likelihood decoding—in the tensor of two root lattices of type A ($$A_m \otimes A_n$$Am⊗An), as well as in their duals ($$A^*_m \otimes A^*_n$$Am∗⊗An∗). This problem is mainly motivated by lattice based cryptography, where the cyclotomic rings $${\mathbb {Z}}[\zeta _c]$$Z[ζc] (resp. its co-different $${\mathbb {Z}}[\zeta _c]^\vee $$Z[ζc]∨) play a central role, and turn out to be isomorphic as lattices to tensors of $$A^*$$A∗ lattices (resp. A root lattices). In particular, our results lead to solving CVP in $${\mathbb {Z}}[\zeta _c]$$Z[ζc] and in $${\mathbb {Z}}[\zeta _c]^\vee $$Z[ζc]∨ for conductors of the form $$c = 2^\alpha p^\beta q^\gamma $$c=2αpβqγ for any two odd primes p, q. For the primal case $$A_m \otimes A_n$$Am⊗An, we provide a full characterization of the Voronoi region in terms of simple cycles in the complete directed bipartite graph $$K_{m+1,n+1}$$Km+1,n+1. This leads—relying on the Bellman-Ford algorithm for negative cycle detection—to a CVP algorithm running in polynomial time. Precisely, our algorithm performs $$O(l\ m^2 n^2 \min \{m,n\})$$O(lm2n2min{m,n}) operations on reals, where l is the number of bits per coordinate of the input target. For the dual case, we use a gluing-construction to solve CVP in sub-exponential time $$O(n m^{n+1})$$O(nmn+1).