Floating-Point LLL: Theoretical and Practical Aspects

The LLL Algorithm

Part of the book series: Information Security and Cryptography (ISC)

Abstract

The textbook LLL algorithm can be sped up considerably by replacing the underlying rational arithmetic used for the Gram–Schmidt orthogonalisation by floating-point approximations. We review how this modification has been and is currently implemented, both in theory and in practice. Using floating-point approximations seems to be natural for LLL even from the theoretical point of view: it is the key to reaching a bit-complexity which is quadratic with respect to the bit-length of the input vectors' entries, without fast integer multiplication. The latter bit-complexity strengthens the connection between LLL and Euclid’s gcd algorithm. On the practical side, the LLL implementer may weaken the provable variants in order to further improve their efficiency: we emphasise these techniques. We also consider the practical behaviour of the floating-point LLL algorithms, in particular their output distribution, their running time and their numerical behaviour. After 25 years of implementation, many questions motivated by the practical side of LLL remain open.

Acknowledgements

The author gratefully thanks John Cannon, Claude-Pierre Jeannerod, Erich Kaltofen, Phong Nguyen, Andrew Odlyzko, Peter Pearson, Claus Schnorr, Victor Shoup, Allan Steel, Brigitte Vallée and Gilles Villard for helpful discussions and for pointing out errors on drafts of this work.

Author information

Correspondence to Damien Stehlé.

Copyright information

© 2009 Springer-Verlag Berlin Heidelberg

About this chapter

Cite this chapter

Stehlé, D. (2009). Floating-Point LLL: Theoretical and Practical Aspects. In: Nguyen, P., Vallée, B. (eds) The LLL Algorithm. Information Security and Cryptography. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-02295-1_5

  • DOI: https://doi.org/10.1007/978-3-642-02295-1_5

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-02294-4

  • Online ISBN: 978-3-642-02295-1

  • eBook Packages: Computer Science, Computer Science (R0)
