ABSTRACT
Lattice reduction aims at finding a basis consisting of rather short vectors, from an arbitrary basis of a Euclidean lattice. The importance of lattice reduction stems from the observation that many computational problems can be cast as finding short non-zero vectors in specific lattices (e.g., in computer algebra, cryptography and algorithmic number theory).
In this tutorial, we give an overview of lattice reduction algorithms. We will consider both polynomial-time algorithms that find relatively short bases, such as the LLL algorithm, and more expensive algorithms that find shorter bases, such as the BKZ algorithm. The algorithms will be illustrated using the fplll library.