1 Introduction
Given n linearly independent column vectors 𝐛1,…,𝐛n∈ℝm, the set of all integral linear combinations of the 𝐛i’s defines a lattice of dimension n.
The matrix 𝐁=[𝐛1,…,𝐛n]∈ℝm×n is called a basis of the lattice.
Given a lattice basis, the shortest vector problem (SVP) is to find a non-zero shortest lattice vector, and it has been a landmark problem in complexity theory for a long time.
No efficient algorithm is currently known to find very short vectors in high dimensional lattices.
Ajtai [1] proved that SVP is NP-hard under randomized reduction (see [13] for the NP-hardness of approximate SVP).
In cryptography, the computational hardness of SVP assures the security of lattice-based cryptography such as [9, 10], to which has recently been paid attention as a candidate of post-quantum cryptography.
There are four main approaches for solving SVP: lattice reduction, enumeration, sieving, and finally random sampling.
Given a basis of a lattice L, lattice reduction finds a basis with short and nearly orthogonal
vectors; e.g., the Lenstra–Lenstra–Lovász (LLL) [11] and the block Korkine–Zolotarev (BKZ) [18] algorithms.
Enumeration performs to enumerate all lattice points within a sphere S around a target vector; e.g., Schnorr–Euchner’s enumeration [18] and Gama–Nguyen–Regev’s pruned enumeration [8].
Sieving aims to do a randomized sampling of L∩S while enumeration performs an exhaustive search of L∩S; e.g., the Ajtai–Kumar–Sivakumar algorithm [2]. Random sampling randomly enumerates a number of short lattice vectors until a very short lattice vector is found.
We focus on random sampling. Schnorr [17] first proposed a random sampling algorithm, called
random sampling reduction (RSR).
Given a basis 𝐁=[𝐛1,…,𝐛n], the sampling algorithm (SA) in RSR generates a number of short lattice vectors to find 𝐯 with ∥𝐯∥2<0.99∥𝐛1∥2.
Buchmann and Ludwig [4] proposed simple sampling reduction (SSR) to make RSR practical.
In 2015, Fukase and Kashiwabara [5] proposed a method for SVP.
Their method has been applied to solve Darmstadt SVP problems of dimensions 134 to 150 by Kashiwabara and Teruya (see http://www.latticechallenge.org/svp-challenge/).
Their method is based on RSR, but their preprocessing is different from others.
Before describing their method, we define the following notation.
Definition 1.1Given a lattice basis 𝐁=[𝐛1,…,𝐛n], let [𝐛1*,…,𝐛n*] denote its Gram–Schmidt vectors.
Then we define by
SS(𝐁)=∑i=1n∥𝐛i*∥2
the sum of the squared lengths of the Gram–Schmidt vectors [𝐛1*,…,𝐛n*].
Fukase and Kashiwabara [5] decrease SS(𝐁) before executing random sampling.
The smaller the squared-sum SS(𝐁) becomes, the shorter lattice vectors can be sampled.
To decrease SS(𝐁), Fukase and Kashiwabara insert a short lattice vector 𝐯 into 𝐁 to obtain a new basis 𝐂, and then reduce 𝐂 by LLL to obtain a basis 𝐁′=[𝐛1′,…,𝐛n′].
Then we sometimes have
(1.1)SS(𝐁′)<SS(𝐁).
By repeating the procedures, they attempt to decrease SS(𝐁) as much as possible.
However, there is no guarantee to strictly decrease SS(𝐁).
In this paper, we analyze which lattice vectors 𝐯 can decrease the squared-sum SS(𝐁), and give a condition of 𝐯 such that the squared-sum SS(𝐁) is strictly decreased.
Specifically, we consider the following:
Given an LLL-reduced basis 𝐁=[𝐛1,…,𝐛n] of a lattice L and a vector 𝐯=∑i=1nνi𝐛i*∈L with νn=1 and insertion index k, we consider
(1.2)𝐁=[𝐛1,…,𝐛n]→insertion of 𝐯𝐂=[𝐜1,…,𝐜n]→LLL reduction𝐁′=[𝐛1′,…,𝐛n′],
where 𝐂=[𝐛1,…,𝐛k-1,𝐯,𝐛k,…,𝐛n-1].
Note that 𝐂 is a basis of the whole lattice L due to νn=1 (see Proposition 4.3 below).
We focus on the LLL-reduction for 𝐂 as in [5].
Our main contributions are as follows:
We compute the Gram–Schmidt vectors [𝐜1*,…,𝐜n*] of 𝐂, and give their explicit lengths ∥𝐜i*∥ for 1≤i≤n.
Thus we obtain the explicit gap between two squared-sums SS(𝐁) and SS(𝐂).
We study the behavior of the LLL algorithm for a general basis 𝐒, and show that swaps of the LLL algorithms can strictly decrease SS(𝐒).
In particular, we estimate how much SS(𝐒) is decreased by one time swap, and study the total number of swaps in the LLL algorithm.
We estimate the gap between SS(𝐂) and SS(𝐁′), by applying the estimates of (ii) for the basis 𝐂.
Specifically, we estimate the average of decreasing values of SS(𝐂) by one time swap in the LLL algorithm, and the number of swaps.
We give a heuristic but practical condition of a candidate lattice vector 𝐯 satisfying condition (1.1).
We call such 𝐯 a mutant vector.
We also verify our analysis by experiments.
Our experimental results imply that the condition of mutant vectors gives a good criterion to strictly decrease SS(𝐁).
Thereby we expect that mutant vectors could help to monotonically decrease SS(𝐁), and it would make it easier to find a very short lattice vector.
The paper is organized as follows:
In Section 2, we review lattices and lattice reduction.
In Section 3, we review random sampling algorithms and present some results by Fukase and Kashiwabara [5].
In Section 4, we compute the Gram–Schmidt vectors of the basis 𝐂, and give the explicit gap between SS(𝐁) and SS(𝐂).
In Section 5, we review some basic properties of the LLL algorithm for a general basis 𝐒, and study the behavior of the LLL algorithm for 𝐒.
In Section 6, we analyze the LLL-reduction for 𝐂 by using results obtained in Section 5.
In Section 7, we estimate the gap between SS(𝐁) and SS(𝐁′), and define mutant vectors to strictly decrease SS(𝐁).
In Section 8, we verify our analysis by experiments.
In Section 9, we conclude this work and outline some future issues.
Notation.
For a vector 𝐚=(a1,…,an)∈ℝn, let ∥𝐚∥ denote its Euclidean norm defined by ∥𝐚∥2=∑i=1nai2.
For two vectors 𝐚=(a1,…,an) and 𝐛=(b1,…,bn)∈ℝn,
let 〈𝐚,𝐛〉 denote the inner product ∑i=1naibi.
2 Preliminaries
In this section, we briefly review lattices and lattice reduction.
2.1 Lattices
For two positive integers m and n, let 𝐛1,…,𝐛n be n column vectors of ℤm (we only consider integral vectors).
Set 𝐁=[𝐛1,…,𝐛n]∈ℤm×n, and let
L=ℒ(𝐁):={∑i=1nxi𝐛i∣xi∈ℤ, 1≤i≤n}
denote the set of all integral linear combinations of the 𝐛i’s.
The set L gives a subgroup of ℝm.
We say that L is a lattice of dimension n if all the 𝐛’s are linearly independent over ℝ.
When n=m, the lattice L is called full-dimensional or full-rank (in this paper, we only consider full-rank lattices).
In this case, the matrix 𝐁 is called a basis of L.
Every lattice has infinitely many bases. If 𝐁1 and 𝐁2 are two bases, then there exists a unimodular matrix 𝐕∈GLn(ℤ) such that 𝐁1=𝐁2⋅𝐕.
The volume of L, denoted by vol(L), is defined as
vol(L)=(det(〈𝐛i,𝐛j〉)1≤i,j≤n)1/2>0,
where (〈𝐛i,𝐛j〉)1≤i,j≤n denotes the n×n Gram-matrix of a basis 𝐁.
The volume vol(L) is independent of the choice of the bases.
The Gram–Schmidt orthogonalization of a basis 𝐁=[𝐛1,…,𝐛n] is the orthogonal family [𝐛1*,…,𝐛n*], recursively defined by
(2.1)𝐛i*=𝐛i-∑j=1i-1μi,j𝐛j*,where μi,j=〈𝐛i,𝐛j*〉∥𝐛j*∥2 for 1≤j<i≤n.
Let 𝐁*=[𝐛1*,…,𝐛n*]∈ℝm×n and 𝐔=(μi,j)1≤i,j≤n∈ℝn×n, where μi,i=1 for all i and μi,j=0 for all j>i.
Then 𝐁=𝐁*⋅𝐔T and
vol(L)=∏i=1n∥𝐛i*∥.
2.2 Lattice reduction
Given a basis of a lattice L, lattice reduction outputs a basis 𝐁=[𝐛1,…,𝐛n] of L with short and nearly orthogonal vectors 𝐛1,…,𝐛n.
Lattice reduction gives a powerful tool to break lattice-based cryptosystems such as [9, 10].
The Hermite factor γ of a lattice reduction algorithm is defined by
γ=∥𝐛1∥vol(L)1/n
with the output basis [𝐛1,…,𝐛n] (we assume ∥𝐛1∥≤∥𝐛2∥≤⋯).
This factor is a good index to measure the output quality of a lattice reduction algorithm.
Note that the output quality becomes better as γ is smaller.
Here we introduce two practical algorithms:
LLL is a polynomial-time algorithm [11].
Gama–Nguyen’s experimental results [7, Figure 4] show that the Hermite factor of LLL is practically 1.022n on average in high dimension n≥100.
BKZ is a blockwise generalization of LLL with sub-exponential complexity [18].
No good upper bound on the complexity is currently known.
BKZ uses a blockwise parameter β, and larger β improves the output quality but increases the running time. In practice, β≈20 can achieve the best time/quality compromise.
It follows from [7, Section 5.2] that the Hermite factor with β=20 is 1.0128n on average. Currently, BKZ 2.0 is known as the state-of-the-art implementation of the BKZ algorithm.
Geometric Series Assumption (GSA).
Except when a lattice has a special structure, practical reduction algorithms output a basis 𝐁=[𝐛1,…,𝐛n] such that
∥𝐛i*∥∥𝐛i+1*∥≈q for any 1≤i≤n-1
(i.e. ∥𝐛i*∥≈q1-i∥𝐛1∥ for 1≤i≤n),
where the constant q depends on algorithms (this assumption was first introduced in [17]).
Under GSA, the values log2(∥𝐛1∥/∥𝐛i*∥) are on a straight line
(see, e.g., [17, Figure 1]).
According to [11], we have
q≈1.022≈1.04 (resp. q≈1.025) for LLL (resp. BKZ with β=20) for random lattices in practice.
3 Random sampling of short lattice vectors
In this section, we mainly present some results by Fukase and Kashiwabara [5].
Before presenting their work, let us review previous work on random sampling.
3.1 Review of previous work
For a lattice L of dimension n, fix a constant u of search space bound with 1≤u<n. Let a basis 𝐁=[𝐛1,…,𝐛n] of L be given.
As a main subroutine of Schnorr’s RSR [17], SA samples 𝐯=∑i=1nνi𝐛i*∈L satisfying
(3.1)νi∈{(-12,12]if 1≤i<n-u,(-1,1]if n-u≤i<n,{1}if i=n.
Let Su,𝐁 denote the set of 𝐯=∑i=1nνi𝐛i* satisfying condition (3.1).
Since the number of candidates for νi with |νi|≤12 (resp. |νi|≤1) is 1 (resp. 2), there are 2u lattice vectors in Su,𝐁.
By calling SA up to 2u times, RSR generates 𝐯 satisfying ∥𝐯∥2<0.99∥𝐛1∥2 (see [17, Theorem 1]).
In [4], Buchmann and Ludwig proposed SSR to get rid of two RSR assumptions, namely,
the randomness assumption (RA) and GSA (they claim that both RA and GSA do not hold strictly in practice).
Ludwig [12] gave a more detailed view about the behavior of SSR.
Schneider and Göttert [16] presented a GPU implementation of SSR with the BKZ algorithm.
In 2015, Fukase and Kashiwabara [5] proposed a method for SVP.
Their method is based on Schnorr’s RSR, and it has two extensions:
The first one is to represent a lattice vector by a sequence of natural numbers via the Gram–Schmidt orthogonalization, and to sample lattice vectors on an appropriate distribution of the representation.
The second one is to decrease the sum of the squared lengths of Gram–Schmidt vectors to make it easier to sample very short lattice vectors.
The effectiveness of their extensions is guaranteed by their statistical analysis on lattices, which we shall describe in the next subsection.
3.2 Statistical analysis of Fukase and Kashiwabara on lattices
In [5, Definiton 3], Fukase and Kashiwabara extend Schnorr’s search space Su,𝐁 to define a wider search space V𝐁(𝐬,𝐭) for 𝐬,𝐭∈ℕc with some c.
Given 𝐯=∑i=1nνi𝐛i*∈V𝐁(𝐬,𝐭), they first assume
E[∥𝐯∥2]≈112∑i=1n∥𝐛i*∥2=112SS(𝐁)
(see [5, Assumption 2]).
Under this assumption, they apply the generalized central limit theorem to obtain the following assumption on the distribution of ∥𝐯∥2 (see [5, Assumption 3]).
Assumption 3.1The distribution of the length ∥v∥2=∑i=1nνi2∥bi*∥2 with v∈VB(s,t) follows the normal distribution N(μ,σ2) with
μ=∑i=1n∥𝐛i*∥212=SS(𝐁)12 𝑎𝑛𝑑 σ=(∑i=1n∥𝐛i*∥4180)1/2.
Assumption 3.1 shows that shorter lattice vectors are sampled as the squared-sum SS(𝐁) becomes smaller. Fukase and Kashiwabara verified Assumption 3.1 by experiments, and showed that it does not hold strictly, but it is close enough for finding very short vectors (see [5, Figure 1]).
Their experiments were performed over a random lattice of dimension 120.
Assumption 3.1 enables one to estimate the probability of finding a lattice vector shorter than a given constant η.
Specifically, the probability of finding 𝐯=∑i=1nνi𝐛i*∈V𝐁(𝐬,𝐭) shorter than η is
12πσ∫-∞η2exp(-(x-μ)22σ2)𝑑x=12(1+erf(η2-μ2σ)),
where erf(x)=2π∫0xexp(-t2)𝑑t is the error function.
3.3 Basic strategy of Fukase and Kashiwabara for finding short lattice vectors
Assumption 3.1 implies an importance of decreasing the sum of the squared lengths of Gram–Schmidt vectors to find a short lattice vector.
Once we obtain a basis 𝐁 of L with smaller squared-sum SS(𝐁), we can generate a short vector 𝐯=∑i=1nνi𝐛i*∈L with higher probability.
The basic strategy in [5] for finding a short vector consists of the following two steps:
Step 1. Given a basis of a lattice L, we first decrease the sum of the squared lengths of its Gram–Schmidt vectors as much as possible, and obtain a basis 𝐁 of L with small SS(𝐁).
Step 2. With such basis 𝐁, we find a short lattice vector by randomly sampling 𝐯=∑i=1νi𝐛i*∈V𝐁(𝐬,𝐭).
To decrease SS(𝐁) in Step 1, Fukase and Kashiwabara insert a certain lattice vector 𝐯 into a given basis 𝐁=[𝐛1,…,𝐛n] at a certain position k to obtain a new basis 𝐂, as in (1.2).
The insertion index k is determined as follows (see [5, Definition 4]).
Definition 3.2Definition 3.2 (Insertion index)
Let 𝐁=[𝐛1,…,𝐛n] be a basis of L.
For a fixed constant 0<α≤1, the insertion index k of a vector 𝐯∈L is defined by
min{1≤j≤n∣∥πj(𝐯)∥2<α∥𝐛j*∥2},
where for 2≤j≤n we let πj:ℝn→Vj-1⊥ denote the orthogonal projection over the orthogonal supplement of
Vj-1=〈𝐛1,…,𝐛j-1〉ℝ=〈𝐛1*,…,𝐛j-1*〉ℝ.
In particular, let π1 denote the identity map.
If ∥πj(𝐯)∥2≥α∥𝐛j*∥2 for all 1≤j≤n, we do not insert 𝐯 into 𝐁.
4 Gram–Schmidt orthogonalization for 𝐂
In this section, we compute the Gram–Schmidt vectors of the basis 𝐂 defined in (1.2)
and their explicit lengths.
Given a basis 𝐁=[𝐛1,…,𝐛n] of a lattice L, let [𝐛1*,…,𝐛n*] be its Gram–Schmidt vectors.
The basis 𝐁 is not necessarily LLL-reduced.
Let 𝐯=∑i=1nνi𝐛i*∈L.
At the beginning of this section, we do not assume νn=1.
Let k be the insertion index of 𝐯.
We consider the Gram–Schmidt orthogonalization for the n+1 vectors [𝐛1,…,𝐛k-1,𝐯,𝐛k,…,𝐛n].
Let
[𝐛1*,…,𝐛k-1*,𝐜k*,𝐜k+1*,…,𝐜n+1*]
denote its Gram–Schmidt vectors.
By formula (2.1), it is clear that the first k-1 vectors are the same as the first k-1 vectors of [𝐛1*,…,𝐛n*].
Lemma 4.1For the vectors ck*,ck+1*,…,cn+1*,
we have the following:
The vectors [𝐜k*,𝐜k+1*,…,𝐜n+1*] are the same as the Gram–Schmidt orthogonalization for
[πk(𝐯),πk(𝐛k),…,πk(𝐛n)].
The Gram–Schmidt orthogonalization for [πk(𝐯),πk(𝐛k),…,πk(𝐛n)] is the same as that for
[πk(𝐯),𝐛k*,…,𝐛n*].
Proof.
Assertion (i) is clear from recursive formula (2.1). For (ii), we let
[𝐚0,𝐚1,…,𝐚n-k+1]=[πk(𝐯),πk(𝐛k),…,πk(𝐛n)],
=[πk(𝐯),𝐛k*,…,𝐛n*].
It is sufficient to show 𝐚i*=𝐚i′* for any 0≤i≤n-k+1. The case i=0 is clear since 𝐚0=𝐚0′.
The case i=1 is also clear since πk(𝐛k)=𝐛k*, and we have 𝐛k*∈〈𝐚0*,𝐚1*〉ℝ.
For some 1≤ℓ≤n-k, we assume
𝐚i*=𝐚i′* and 𝐛k+i-1*∈Wi for all 1≤i≤ℓ,
where Wi=〈𝐚0*,…,𝐚i*〉ℝ for each 0≤i≤n-k+1.
Now we consider the case i=ℓ+1.
By the assumption, we have
𝐚ℓ+1*-𝐚ℓ+1′*=(𝐚ℓ+1-𝐚ℓ+1′)*=πk(𝐛k+ℓ)-𝐛k+ℓ*-∑j=0ℓ〈πk(𝐛k+ℓ)-𝐛k+ℓ*,𝐚j*〉∥𝐚j*∥2𝐚j*.
Since πk(𝐛k+ℓ)-𝐛k+ℓ*∈〈𝐛k*,…,𝐛k+ℓ-1*〉ℝ and 𝐛k*,…,𝐛k+ℓ-1*∈Wℓ=〈𝐚0*,…,𝐚ℓ*〉ℝ, we have
𝐚ℓ+1*-𝐚ℓ+1′*∈Wℓ.
We also have
𝐚ℓ+1*-𝐚ℓ+1′*∈Wℓ⊥,
and hence 𝐚ℓ+1*=𝐚ℓ+1′* since Wℓ∩Wℓ⊥={}.
Furthermore, 𝐛k+ℓ*∈Wℓ+1, which completes the proof by induction.
∎
By Lemma 4.1, we obtain the following result on 𝐜k*,𝐜k+1*,…,𝐜n+1*.
Proposition 4.2Set m=max{k≤i≤n∣νi≠0}.
Then we have
𝐜j*={∑i=kmνi𝐛i*for j=k,DjDj-1𝐛j-1*-∑i=jmνiνj-1∥𝐛j-1*∥2Dj-1𝐛i*for k+1≤j≤m+1,𝐛j-1*for m+2≤j≤n+1,
where for 1≤ℓ≤m we set
(4.1)Dℓ=∑i=ℓmνi2∥𝐛i*∥2.
In particular, we have cm+1*=0.
Moreover, we have ∥ck*∥2=Dk, and for k+1≤j≤m,
∥𝐜j*∥2=DjDj-1∥𝐛j-1*∥2.
Proof.
By Lemma 4.1, we have 𝐜k*=πk(𝐯)=∑i=kmνi𝐛i*.
For the case m+2≤j≤n+1, since
〈𝐜k*,𝐛k*,…,𝐛m*〉ℝ=〈𝐛k*,…,𝐛m*〉ℝ,
the ℝ-vector space 〈𝐛m+1*,…,𝐛n*〉ℝ is orthogonal to 〈𝐛k*,…,𝐛m*〉ℝ. Therefore the vectors 𝐛m+1*,…,𝐛n* are unchanged after the insertion of 𝐯.
For the case k+1≤j≤m+1, let us begin with the simple case j=k+1.
By Lemma 4.1, we have
𝐜k+1*=𝐛k*-〈𝐛k*,𝐜k*〉∥𝐜k*∥𝐜k*
=𝐛k*-νk∥𝐛k*∥2Dk∑i=kmνi𝐛i*
=(1-νk2∥𝐛k*∥2Dk)𝐛k*-∑i=k+1mνkνi∥𝐛k*∥2Dk𝐛i*
=Dk+1Dk𝐛k*-∑i=k+1mνkνi∥𝐛k*∥2Dk𝐛i*.
This completes the proof of the case j=k+1.
For each k+1≤j≤m+1, set
𝐚j=DjDj-1𝐛j-1*-∑i=jmνiνj-1∥𝐛j-12∥2Dj-1𝐛i*
and we shall show 𝐜j*=𝐚j.
For k+1≤ℓ≤m, we assume 𝐜j*=𝐚j for all k+1≤j≤ℓ.
Now let us consider the case j=ℓ+1.
Set Wℓ=〈𝐜k*,…,𝐜ℓ*〉ℝ as in the proof of Lemma 4.1, and we begin to show that 𝐚ℓ+1 is orthogonal to Wℓ.
Actually, we have
〈𝐚ℓ+1,𝐜k*〉=〈Dℓ+1Dℓ𝐛ℓ*-∑i=ℓ+1mνiνℓ∥𝐛ℓ*∥2Dℓ𝐛i*,∑j=kmνj𝐛j*〉
=νℓDℓ+1∥𝐛ℓ*∥2Dℓ-∑i=ℓ+1mνℓνi2∥𝐛ℓ*∥2∥𝐛i*∥2Dℓ
=νℓ∥𝐛ℓ*∥2Dℓ×(Dℓ+1-∑i=ℓ+1mνi2∥𝐛i*∥2)=0.
Furthermore, for any k+1≤j≤ℓ, we have
〈𝐚ℓ+1,𝐜j*〉=〈Dℓ+1Dℓ𝐛ℓ*-∑i=ℓ+1mνiνℓ∥𝐛ℓ*∥2Dℓ𝐛i*,DjDj-1𝐛j-1*-∑i=jmνiνj-1∥𝐛j-1*∥2Dj-1𝐛i*〉
=-Dℓ+1νℓνj-1∥𝐛j-1*∥2∥𝐛ℓ*∥2DℓDℓ-1+∑i=ℓ+1mνi2νℓνj-1∥𝐛ℓ*∥2∥𝐛j-1*∥2∥𝐛i*∥2DℓDℓ-1
=νℓνj-1∥𝐛j-1*∥2∥𝐛ℓ∥2DℓDℓ-1(∑i=ℓ+1mνi2∥𝐛i*∥2-Dℓ+1)=0.
Therefore 𝐚ℓ+1 is orthogonal to Wℓ.
On the other hand, since
𝐜ℓ+1*=𝐛ℓ*-∑i=kℓ〈𝐛ℓ*,𝐜i*〉∥𝐜i*∥2𝐜i*
by Lemma 4.1, we have
𝐜ℓ+1*-𝐚ℓ+1=(𝐛ℓ*-∑i=kℓ〈𝐛ℓ*,𝐜i*〉∥𝐜i*∥2𝐜i*)-(Dℓ+1Dℓ𝐛ℓ*-∑i=ℓ+1mνiνℓ∥𝐛ℓ*∥2Dℓ𝐛i*)
=Dℓ-Dℓ+1Dℓ𝐛ℓ*+∑i=ℓ+1mνiνℓ∥𝐛ℓ*∥2Dℓ𝐛i*-∑i=kℓ〈𝐛ℓ*,𝐜i*〉∥𝐜i*∥2𝐜i*
=νℓ∥𝐛ℓ*∥2Dℓ∑i=ℓmνi𝐛i*-∑i=kℓ〈𝐛ℓ*,𝐜i*〉∥𝐜i*∥2𝐜i*
=νℓ∥𝐛ℓ*∥2Dℓ(𝐜k*-∑i=kℓ-1νi𝐛i*)-∑i=kℓ〈𝐛ℓ*,𝐜i*〉∥𝐜i*∥2𝐜i*.
Since 𝐛i*∈Wℓ for any k≤i≤ℓ-1 by the proof of Lemma 4.1, we have 𝐜ℓ+1*-𝐚ℓ+1∈Wℓ.
By the above arguments, we have
𝐜ℓ+1*-𝐚ℓ+1∈Wℓ⊥∩Wℓ={}
and hence 𝐜ℓ+1*=𝐚ℓ+1.
This shows 𝐜j*=𝐚j for k+1≤j≤m+1 by induction.
Finally, for k+1≤j≤m, we have
∥𝐜j*∥2=Dj2Dj-12∥𝐛j-1*∥2+∑i=jmνi2νj-12∥𝐛j-1∥4Dj-12∥𝐛i*∥2
=∥𝐛j-1*∥2Dj-12(Dj2+νj-12∥𝐛j-1*∥2Dj)
=Dj∥𝐛j-1*∥2Dj-12Dj-1
=DjDj-1∥𝐛j-1*∥2,
where the second equation is by Dj=∑i=jmνi2∥𝐛i*∥2,
and the third by Dj-1=Dj+νj-12∥𝐛j-1*∥2.
This completes the proof of Proposition 4.2.
∎
By inserting 𝐯=∑i=1nνi𝐛i* into 𝐁=[𝐛1,…,𝐛n] at the k-th position, the n vectors
(4.2)[𝐛1,…,𝐛k-1,𝐯,𝐛k,…,𝐛m-1,𝐛m+1,…,𝐛n]
give a basis of a sub-lattice of L (recall m=max{k≤i≤n∣νi≠0}). In contrast, we have the following result on a basis of the whole lattice L.
Proposition 4.3If νm=1, the vectors (4.2) give a basis of the whole lattice L.
Proof.
Let L′ denote the sub-lattice with basis (4.2).
By Proposition 4.2, we have
vol(L′)2vol(L)2=∏i=km∥𝐜i*∥2∥𝐛i*∥2
=Dk×Dk+1Dk×⋯×DmDm-1×1∥𝐛m*∥2
=Dm∥𝐛m*∥2.
If νm=1, we have Dm=∥𝐛m*∥2 by definition.
In this case, we have vol(L′)=vol(L), and hence L=L′.
∎
Henceforth, as in (1.2), we always take 𝐯=∑i=1nνi𝐛i* with νn=1.
By Proposition 4.3, the n vectors [𝐛1,…,𝐛k-1,𝐯,𝐛k,…,𝐛n-1] give a basis of L.
Then we take the basis 𝐂=[𝐜1,…,𝐜n] as in (1.2), namely, 𝐜i=𝐛i for 1≤i≤k-1, 𝐜k=𝐯, and 𝐜j=𝐛j-1 for k+1≤j≤n.
By Proposition 4.2, we obtain the explicit gap between two squared-sums SS(𝐁) and SS(𝐂) as follows.
Theorem 4.4The explicit gap between SS(B) and SS(C) is given by
(4.3)E(𝐯,k):=SS(𝐁)-SS(𝐂)=∑j=kn-1νj2∥𝐛j*∥2(∥𝐛j*∥2Dj-1).
Proof.
By Proposition 4.2, we have
E(𝐯,k)=∑i=kn∥𝐛i*∥2-(Dk+∑j=k+1nDjDj-1∥𝐛j-1*∥2)
=-Dk+∑j=k+1n(1-DjDj-1)∥𝐛j-1*∥2+∥𝐛n*∥2
=-∑j=kn-1νj2∥𝐛j*∥2+∑j=k+1nνj-12∥𝐛j-1*∥2Dj-1∥𝐛j-1*∥2
=∑j=kn-1νj2∥𝐛j*∥2(∥𝐛j*∥2Dj-1)
since Dn=∥𝐛n*∥2 by setting νn=1.
∎
Remark 4.5To strictly decrease the squared-sum SS(𝐁), we may take 𝐯∈L satisfying E(𝐯,k)>0.
However, in most cases, the value E(𝐯,k) is negative when the inserted vector 𝐯 is generated by Schnorr’s SA.
Below, we shall consider only the case E(𝐯,k)≤0.
For the original basis 𝐁=[𝐛1,…,𝐛n], let
μi,j=〈𝐛i,𝐛j*〉∥𝐛j*∥2
be as in (2.1).
For 𝐂=[𝐜1,…,𝐜n] with 𝐜k=𝐯=∑i=1nνi𝐛i*∈L, we set
(4.4)ξi,j=〈𝐜i,𝐜j*〉∥𝐜j*∥2 for i>j.
For simplicity, we set ξi,i=1 for all 1≤i≤n.
Proposition 4.6We have the following on ξi,j:
For 1≤i≤k-1, we have ξi,j=μi,j for i≥j.
For i=k, we have ξk,j=νj for 1≤j≤k-1.
For i≥k+1, we have
ξi,j={μi-1,jfor j≤k-1,∑ℓ=ki-1μi-1,ℓνℓ∥𝐛ℓ*∥2Dkfor j=k,μi-1,j-1-∑ℓ=ji-1μi-1,ℓνℓνj-1∥𝐛ℓ*∥2Djfor k<j<i.
Proof.
Cases (i) and (ii) are trivial.
Case (iii) is trivial for j≤k.
For k<j<i, by Proposition 4.2, we have
ξi,j=Dj-1Dj∥𝐛j-1*∥2〈𝐛i-1,DjDj-1𝐛j-1*-∑ℓ=jnνℓνj-1∥𝐛j-1*∥2Dj-1𝐛ℓ*〉
=μi-1,j-1-νj-1Dj〈𝐛i-1,∑ℓ=jnνℓ𝐛ℓ*〉
=μi-1,j-1-νj-1Dj∑ℓ=ji-1μi-1,ℓνℓ∥𝐛ℓ*∥2.
This completes the proof of Proposition 4.6.
∎
5 LLL-reduction for general bases
Before analyzing the LLL-reduction for the basis 𝐂, we study the behavior of the LLL-reduction for general bases and give some basic properties in this section.
Let 𝐒=[𝐬1,…,𝐬n] be a basis of a lattice L.
The LLL algorithm for 𝐒 consists of the following two steps
(see, e.g., [15, Chapter 2, Algorithm 6]):
From i=2 to n, do:
Step 1.
Size-reduce 𝐒=[𝐬1,…,𝐬n] (see, e.g., [15, Chapter 2, Algorithm 3]).
Note that this procedure does not change the lengths of the Gram–Schmidt vectors
[𝐬1*,…,𝐬n*] by [6, Lemma 17.4.1].
Step 2. Swap 𝐬i with 𝐬i-1 if the Lovász condition
(5.1)∥𝐬i*∥2≥(δ-ηi,i-12)∥𝐬i-1*∥2
is not satisfied, where δ is the reduction parameter of LLL satisfying 14<δ<1 (we used δ=0.99 in our experiments) and
ηi,j=〈𝐬i,𝐬j*〉∥𝐬j*∥2 for i>j.
In this case, set i←max{2,i-1}.
Otherwise set i←i+1.
Then go back to Step 1.
In the following, we give a key lemma [6, Lemma 17.4.3] on our analysis of the behavior of the LLL algorithm.
Lemma 5.1Given a basis S=[s1,…,sn] and an integer 1≤ℓ≤n-1, assume that the pair (sℓ,sℓ+1) does not satisfy the Lovász condition.
Let T=[t1,…,tn] be the new basis obtained by swapping sℓ and sℓ+1, namely, tℓ=sℓ+1 and tℓ+1=sℓ.
Then the Gram–Schmidt vectors [t1*,…,tn*] of T are as follows:
For 1≤i<ℓ and ℓ+1<i≤n, the vector 𝐬i* is unchanged (i.e. 𝐭i*=𝐬i*).
The Gram–Schmidt vector 𝐭ℓ*
and its squared-length are given, respectively, by
𝐭ℓ*=𝐬ℓ+1*+ηℓ+1,ℓ𝐬ℓ* 𝑎𝑛𝑑 Tℓ=Sℓ+1+ηℓ+1,ℓ2Sℓ,
where we set Si=∥𝐬i*∥2 and Ti=∥𝐭i*∥2 for 1≤i≤n.
The Gram–Schmidt vector 𝐭ℓ+1*
and its squared-length are given, respectively, by
𝐭ℓ+1*=Sℓ+1Tℓ𝐬ℓ*-ηℓ+1,ℓSℓTℓ𝐬ℓ+1* 𝑎𝑛𝑑 Tℓ+1=SℓSℓ+1Tℓ.
Moreover, if we set
(5.2)δℓ:=TℓSℓ=Sℓ+1Sℓ+ηℓ+1,ℓ2,
then δℓ<δ since we assume that the pair (sℓ,sℓ+1) does not satisfy (5.1).
Now we consider the LLL-reduction for 𝐒.
Recall that the size-reduce procedure does not change the lengths of the Gram–Schmidt vectors.
By Lemma 5.1,
we see that each swap in the LLL algorithm can strictly decrease the sum SS(𝐒).
Specifically, the decreasing value of SS(𝐒)=∑i=1nSi by one time swap at the ℓ-th index is estimated as follows:
Lemma 5.2Let S and T be as in Lemma 5.1.
Then we have
SS(𝐒)-SS(𝐓)=ηℓ+1,ℓ2(1-δℓ)δℓSℓ>ηℓ+1,ℓ2(1-δ)δSℓ>0,
by δℓ<δ<1.
Namely, the squared-sum SS(S) strictly decreases by each swap in the LLL algorithm.
Proof.
By Lemma 5.1, we have
SS(𝐒)-SS(𝐓)=(1-ηℓ+1,ℓ2)Sℓ-SℓSℓ+1Tℓ
=SℓTℓ{(1-ηℓ+1,ℓ2)Tℓ-Sℓ+1}
=SℓTℓ{(1-ηℓ+1,ℓ2)(Sℓ+1+ηℓ+1,ℓ2Sℓ)-Sℓ+1}
=ηℓ+1,ℓ2SℓTℓ{(1-ηℓ+1,ℓ2)Sℓ-Sℓ+1}
=ηℓ+1,ℓ2Sℓδℓ{1-(ηℓ+1,ℓ2+Sℓ+1Sℓ)}
=ηℓ+1,ℓ2(1-δℓ)δℓSℓ>ηℓ+1,ℓ2(1-δ)δSℓ>0.
This completes the proof of Lemma 5.2.
∎
In the following, let us give the definition of the loop invariant of a lattice basis [3, Definition 4.15].
Definition 5.3Definition 5.3 (Loop invariant)
The loop invariant of a basis 𝐒=[𝐬1,…,𝐬n] is defined as the quantity
ℒℐ(𝐒)=∏i=1n-1(∏ℓ=1i∥𝐬ℓ*∥2)=∏i=1n-1∥𝐬i*∥2n-2i.
The loop invariant plays an important role in estimating the number of swaps in the LLL algorithm.
As in Lemma 5.1, for 1≤ℓ≤n-1, we consider a case of swapping (𝐬ℓ,𝐬ℓ+1) to obtain a new basis 𝐓=[𝐭1,…,𝐭n] with 𝐭ℓ=𝐬ℓ+1 and 𝐭ℓ+1=𝐬ℓ.
In this case, we clearly have
∥𝐭ℓ*∥2⋅∥𝐭ℓ+1*∥2=∥𝐬ℓ*∥2⋅∥𝐬ℓ+1*∥2.
Then we have
(5.3)ℒℐ(𝐓)=ℒℐ(𝐒)×∥𝐭ℓ*∥2∥𝐬ℓ*∥2=ℒℐ(𝐒)×δℓ.
Thus the loop invariant ℒℐ(𝐒) is reduced by the factor of δℓ by each swap in the LLL algorithm.
5.1 Whole LLL procedure
In this subsection, we consider the whole LLL procedure for a basis 𝐀.
Now we assume the following on the whole LLL procedure for 𝐀,
where we denote the output by 𝐀′←LLL(𝐀):
In total, N swaps occur in the LLL procedure.
For 0≤s≤N, by 𝐀(s)=[𝐚1(s),…,𝐚n(s)]
we denote the basis obtained by the s-th swap and size-reduced, and
set 𝐀(0)=𝐀.
Let Ai(s)=∥𝐚i(s)*∥2 for 1≤i≤n,
where 𝐚1(s)*,…,𝐚n(s)*
denote the Gram–Schmidt vectors of 𝐀(s).
Then 𝐀=𝐀(0) and 𝐀′=𝐀(N)←LLL(𝐀).
By ℓ(s) we denote
the index where the s-th swap occurs, that is,
the ℓ(s)-th vector 𝐚ℓ(s)(s-1)
and (ℓ(s)+1)-st vector 𝐚ℓ(s)+1(s-1) is swapped.
We call ℓ(s) the s-th swap index.
For 1≤s≤N, we let
ξℓ(s)+1,ℓ(s)(s)=〈𝐚ℓ(s)+1(s-1),𝐚ℓ(s)(s-1)*〉∥𝐚ℓ(s)(s-1)*∥2 and δℓ(s)(s)=Aℓ(s)(s)Aℓ(s)(s-1).
We call ξℓ(s)+1,ℓ(s)(s) the normalized inner product of the swap vectors and
δℓ(s)(s)the swap ratio at the s-th swap (see equation (5.2) for the swap ratio), and
write ξ(s) and δ(s) for simplicity.
Lemma 5.4For each 1≤s≤N and 1≤i≤n, there exist indices m(s,i)
and M(s,i) in the set {1,…,n}
such that
AM(s,i)≥Ai(s)≥Am(s,i).
We have M(s,ℓ(s))=M(s,ℓ(s)+1)=M(s-1,ℓ(s)) and
m(s,ℓ(s))=m(s,ℓ(s)+1)=m(s-1,ℓ(s)+1).
Proof.
We use an induction argument on s.
By setting m(0,i)=M(0,i)=i, the case s=0 is clear.
We assume that Lemma 5.4 holds for the case s
and now consider the case s+1.
For i≠ℓ(s+1),ℓ(s+1)+1, we have Ai(s+1)=Ai(s) and
hence m(s+1,i)=m(s,i) and M(s+1,i)=M(s,i).
By Lemma 5.1,
we clearly have
Aℓ(s+1)(s+1)=δ(s+1)Aℓ(s+1)(s)<Aℓ(s+1)(s),
Aℓ(s+1)+1(s+1)=Aℓ(s+1)(s)Aℓ(s+1)+1(s)Aℓ(s+1)(s+1)=1δ(s+1)Aℓ(s+1)+1(s)>Aℓ(s+1)+1(s),
Aℓ(s+1)(s+1)=Aℓ(s+1)+1(s)+ξ(s+1)2Aℓ(s+1)(s)≥Aℓ(s+1)+1(s),
Aℓ(s+1)+1(s+1)=Aℓ(s+1)(s)Aℓ(s+1)+1(s)Aℓ(s+1)(s+1)≤Aℓ(s+1)(s)Aℓ(s+1)+1(s)Aℓ(s+1)+1(s)=Aℓ(s+1)(s).
Thus, we may set
m(s+1,ℓ(s+1))=m(s+1,ℓ(s+1)+1)=m(s,ℓ(s+1)+1),
M(s+1,ℓ(s+1))=M(s+1,ℓ(s+1)+1)=M(s,ℓ(s+1)).
This completes the proof of Lemma 5.4 by induction.
∎
Recall that the basis 𝐀(s+1) is obtained by swapping the
ℓ(s+1)-th and (ℓ(s+1)+1)-st vectors of 𝐀(s).
We obtain the following result on the gap of squared-sums of Gram–Schmidt lengths of 𝐀(s) and 𝐀(s+1).
Lemma 5.5The gap SS(A(s))-SS(A(s+1))
is greater than
ξ(s+1)2(1-δ(s+1))δ(s+1)Am(s,ℓ(s+1)) 𝑜𝑟 ξ(s+1)2(1-δ)δAm(s,ℓ(s+1)),
where Am=∥am*∥2 with index m=m(s,ℓ(s+1)).
Proof.
By Lemmas 5.2 and 5.4, the gap
SS(𝐀(s))-SS(𝐀(s+1)) is given by
SS(𝐀(s))-SS(𝐀(s+1))=(Aℓ(s+1)(s)+Aℓ(s+1)+1(s))-(Aℓ(s+1)(s+1)+Aℓ(s+1)+1(s+1))
=ξ(s+1)2(1-δ(s+1))δ(s+1)Aℓ(s+1)(s)
>ξ(s+1)2(1-δ(s+1))δ(s+1)Am(s,ℓ(s+1))
>ξ(s+1)2(1-δ)δAm(s,ℓ(s+1))
since δ(s+1)<δ by Lemma 5.1.
∎
Recall that each ξ(s) is reduced to the range
[-12,12] in every time
of the size-reducing procedure in the LLL algorithm.
We let the symbol E[x] denote the expected value of x in the distribution.
Let E[ξ(s)2] denote the expected value
of ξ(s)2 for 1≤s≤N.
Assumption 5.6We assume that the value ξ(s) for 1≤s≤N
is uniformly distributed over the range
[-12,12].
Under Assumption 5.6, we have
(5.4)E[ξ(s)2]=112
by [17, Lemma 1].
Although this may not hold strictly as pointed out
in [4], we assume it for simple discussion.
Under Assumption 5.6, we may estimate the average gap between SS(𝐀(s)) and SS(𝐀(s+1)) as follows:
Let A0 be the minimum value among {A1,…,An}.
By Lemma 5.5, we have
SS(𝐀(s))-SS(𝐀(s+1))>ξ(s+1)2(1-δ)δAm(s,ℓ(s+1))≥ξ(s+1)2(1-δ)δA0,
and hence, for its average, we have
E[SS(𝐀(s))-SS(𝐀(s+1))]>(1-δ)12δA0.
Note that A0 is very small compared to Am(s,ℓ(s+1)).
To get more precise estimation, we will introduce other
assumptions on distributions on ℓ(s) and m(s,ℓ(s+1)) when we analyze the LLL-reduction for the basis 𝐂 in Section 6 below.
5.2 Estimation of bounds for N
Recall that by equation (5.3), the loop invariant ℒℐ(𝐀) is reduced by each swap ratio δ(s) by the s-th swap in the LLL algorithm for 𝐀.
Since δ(s)<δ<1 by Lemma 5.1, an upper bound of the total number N of swaps is given by -logδ(ℒℐ(𝐀)) (see, e.g., [3, Theorem 4.19] for details).
In contrast, we study a lower bound of N in this subsection.
Since by Lemma 5.1 each swap ratio δ(s) is
defined as
(5.5)δ(s)=ξ(s)2+Aℓ(s)+1(s-1)Aℓ(s)(s-1),
we have to deal with the second term of (5.5) to estimate N in more detail. Since
Aℓ(s)+1(s-1)<AM(s-1,ℓ(s)+1)
and Aℓ(s)(s-1)>Am(s-1,ℓ(s)) by Lemma 5.4, we have
(5.6)Aℓ(s)+1(s-1)Aℓ(s)(s-1)<AM(s-1,ℓ(s)+1)Am(s-1,ℓ(s))
and it can be bounded
by the minimal ratio
T=min1≤i≠j≤n{AiAj}
among the squared lengths Ai=∥𝐚i*∥2 of Gram–Schmidt vectors of 𝐀.
Then we have
δ(s)≥ξ(s)2+T, and we may consider ξ(s)2+T instead of
δ(s) for an approximate lower bound for N.
On the other hand, by equation (5.3), we have
ℒℐ(𝐀(s))=ℒℐ(𝐀(s-1))×δ(s),
and thus
ℒℐ(𝐀′)=ℒℐ(𝐀(N))=ℒℐ(𝐀)×∏s=1Nδ(s).
Therefore
(5.7)∑s=1Nlog(δ(s))=log(ℒℐ(𝐀′))-log(ℒℐ(𝐀)).
Lemma 5.7The total number N of swaps is not smaller than
log(ℒℐ(𝐀′))-log(ℒℐ(𝐀))log(T).
Proof.
By δ(s)≥T,
we have Nlog(T)≤∑s=1Nlog(δ(s)).
Then Lemma 5.7 follows by equation (5.7).
∎
By Lemma 5.7, if we calculated the difference log(ℒℐ(𝐀′))-log(ℒℐ(𝐀)) and the value log(T), we could obtain an lower bound of N.
Now we give a more precise estimate on the total number N of swaps.
Under Assumption 5.6,
the left-hand side of equation (5.7) can be expressed
as N×E[log(δ(s))]. Thus,
we estimate the expected value E[log(δ(s))]=E[log(ξ(s)2+T)] as
E[log(η2+T):|η|≤12]≈∫-1212log(x2+T)dx=log(14+T)-2+4Tarctan(12T).
Now we set
(5.8)β=exp(log(14+T)-2+4Tarctan(12T)).
Then
log(β)≈E[log(ξ(s)2+T)]<0 and ∑s=1Nlog(δ(s))≈N⋅log(β).
Under Assumption 5.6, the total number N of swaps in the LLL algorithm for
𝐀 is roughly estimated as
N⪰log(ℒℐ(𝐀′))-log(ℒℐ(𝐀))log(β),
where A⪰B means A≈B or A>B.
Remark 5.8The values of β can be calculated from T as in Table 1.
In this remark, we assume that 𝐀 is LLL-reduced.
As to an estimation of T, it follows from GSA
that T could be very small for larger n, since T is expected as
1q2(n-1)≈0.962(n-1) when q=1.04.
For a more precise estimation of (5.6), the difference between
m(s-1,ℓ(s)) and M(s-1,ℓ(s)+1) could not be so large.
Thus, we may introduce a heuristic bound on the difference
such as
|m(s-1,ℓ(s))-M(s-1,ℓ(s)+1)|≤a,
for a small number a.
In this case, the minimal ration Ta with parameter a
could be
Ta=min1≤i≠j≤n|i-j|≤a{AiAj}
and it is expected as 1q2a≈0.962a.
Table 1
| T | 0 | 0.1 | 0.2 | 0.3 | 0.4 | 0.5 | 0.6 | 0.7 |
| β | 0.034 | 0.170 | 0.274 | 0.376 | 0.478 | 0.579 | 0.680 | 0.780 |
6 Analysis of LLL-reduction for 𝐂
In the previous section, we analyzed the behavior of the LLL-reduction for a general basis.
In contrast, in this section, we analyze the LLL-reduction for the basis 𝐂=[𝐜1,…,𝐜n] defined in (1.2), by using the results in the previous section.
We assume that 𝐁 is LLL-reduced.
As in (1.2), let 𝐁′=[𝐛1′,…,𝐛n′]←LLL(𝐂) denote the output basis of the LLL algorithm for 𝐂.
6.1 Initial swap of the LLL algorithm for 𝐂
In this subsection, we consider the initial swap in the LLL algorithm for 𝐂.
We assume that the inserted vector 𝐯=∑i=1nνi𝐛i*∈L satisfies |νi|≤12 for i=1,…,n-u as in (3.1), and for the insertion index k of 𝐯, it satisfies
(6.1){∥πi(𝐯)∥2≥∥𝐛i*∥2 for i=1,…,k-1,∥πk(𝐯)∥2<∥𝐛k*∥2,
where we set α=1 in Definition 3.2 for simple and practical discussion (see Remark 6.2 below).
We assume k<n-u.
Then we obtain the following:
Lemma 6.1The first k-1 vectors of C=[c1,…,cn] are unchanged at the beginning of the LLL algorithm.
Proof.
By the assumption k<n-u, the first k vectors of 𝐂=[𝐜1,…,𝐜n] are unchanged by the size-reducing procedure since |ξi,i-1|=|μi,i-1|≤12 for i=2,…,k-1 and |ξk,k-1|=|νk|<12 by Proposition 4.6 (recall that ξi,j is defined by (4.4)).
Since the original basis 𝐁 is assumed to be LLL-reduced, the first k-2 vectors of 𝐂 are also unchanged at the beginning of the LLL algorithm.
For the pair (𝐜k-1,𝐜k)=(𝐛k-1,𝐯), we have
∥𝐜k*∥=Dk-1-νk-12∥𝐛k-1*∥2≥(1-ξk,k-12)∥𝐛k-1*∥2
since Dk-1=∥πk-1(𝐯)∥2≥∥𝐛k-1*∥2 by condition (6.1) and ξk,k-1=νk-1 by Proposition 4.6 (recall that Dℓ is defined by (4.1)).
Hence the pair (𝐜k-1,𝐜k) satisfies the Lovász condition (5.1), and hence it cannot be swapped at the beginning of the LLL algorithm.
∎
Remark 6.2While we set α=1 for our analysis, Fukase and Kashiwabara [5] set α=0.99 for their experiments. Note that it is harder to find a candidate vector for insertion as α is smaller than 1.
Hence α≈1 seems to be useful in practice.
In [5, Section 8], they also consider up to α=1.4 for the second candidate vectors for insertion (they call such vectors stock vectors, see [5, Algorithm 3] for details).
Proposition 6.3The first k vectors of C cannot be swapped at the beginning of the LLL algorithm.
Proof.
By Lemma 6.1, it is sufficient to consider the pair (𝐜k,𝐜k+1).
If the pair (𝐜k,𝐜k+1)=(𝐯,𝐛k) is swapped, then we obtain a new basis 𝐂′=[𝐜1′,…,𝐜n′] with
(𝐜k′,𝐜k+1′)=(𝐛k,𝐯).
Set Ci=∥𝐜i*∥2 and Ci′=∥𝐜i′*∥2 for 1≤i≤n.
Then Ck′=∥𝐛k*∥2 and Ck+1′=Dk+1.
The gap SS(𝐂)-SS(𝐂′) is given by
(Ck+Ck+1)-(Ck′+Ck+1′)=(Dk+Dk+1Dk∥𝐛k*∥2)-(∥𝐛k*∥2+Dk+1)
=(Dk-Dk+1)+(Dk+1-DkDk)∥𝐛k*∥2
=(Dk-Dk+1Dk)(Dk-∥𝐛k*∥2)<0
since Dk<∥𝐛k*∥2 by condition (6.1) and Dk-Dk+1=νk2∥𝐛k*∥2>0.
This is a contradiction to Lemma 5.2.
∎
6.2 Swaps in the LLL algorithm for 𝐂
In this subsection, we consider all swaps in the LLL algorithm for the basis 𝐂.
As in Section 5.1, we fix the following notations on the LLL-reduction for 𝐂:
Let N be the total number of swaps.
For 0≤s≤N, denote by 𝐂(s)=[𝐜1(s),…,𝐜n(s)] the basis obtained by s times swaps and size-reduced, and
set 𝐂(0)=𝐂.
Let Ci(s)=∥𝐜i(s)*∥2 for 1≤i≤n,
where 𝐜1(s)*,…,𝐜n(s)*
denote the Gram–Schmidt vectors of 𝐂(s).
Then 𝐁′=𝐁(N)←LLL(𝐂).
By ℓ(s) we denote the index where the s-th swap occurs, that is,
the ℓ(s)-th vector 𝐜ℓ(s)(s-1)
and (ℓ(s)+1)-st vector 𝐜ℓ(s)+1(s-1) are swapped.
For 1≤s≤N, we let
ξℓ(s)+1,ℓ(s)(s)=〈𝐜ℓ(s)+1(s-1),𝐜ℓ(s)(s-1)*〉∥𝐜ℓ(s)(s-1)*∥2 and δℓ(s)(s)=Cℓ(s)(s)Cℓ(s)(s-1).
As in Section 5.1, we write ξ(s) and δ(s) for simplicity.
By Proposition 6.3, the first swap index ℓ(1) should be larger than k+1.
We assume the following for simple analysis (see Figures 1 and 2 for examples).
Assumption 6.4For any 1≤s≤N, the s-th swap index ℓ(s) is not less than the insertion index k in the LLL algorithm for C (see also Assumption 6.6 below).
By Lemma 5.5, we obtain the following result on the decreasing value of the squared-sum SS(𝐂) by one time swap in the LLL algorithm for 𝐂.
Proposition 6.5If a swap occurs at the ℓ-th index,
then SS(C)=∑i=1nCi is reduced by at least
ξℓ+1,ℓ2(1-δℓ)δℓCm 𝑜𝑟 ξℓ+1,ℓ2(1-δ)δCm,
for m=m(s,ℓ(s+1)),
where
ξℓ+1,ℓ=ξ(s), ℓ=ℓ(s), and
δℓ=δ(s) for some 1≤s≤N.
Furthermore, by the proof of Lemma 5.4, we expect m=ℓ in most cases (sometimes m=ℓ+1, ℓ+2 or so on).
6.2.1 Average of decreasing values by swaps
Here we estimate the average of decreasing values
of the squared-sum SS(𝐂)
by one time swap in the LLL algorithm for 𝐂.
It follows by Proposition 6.5 that decreasing values of SS(𝐂) depend mainly on
swap indices ℓ(s).
In Figures 1 and 2, we show two examples of the
number of swaps and the swap indices ℓ(s) in the LLL algorithm for
𝐂=[𝐜1,…,𝐜n] with insertion
index k=5 and 10 (the inserted vector
𝐜k=𝐯 is generated by Schnorr’s SA).
The lattice used for Figures 1 and 2 is a lattice of
dimension 100, chosen from Darmstadt SVP challenge problems.
It is hard to grasp all the swap indices ℓ(s) accurately.
However, we see from Figures 1 and 2 that
swap indices ℓ(s) are roughly distributed over the range from k to n-1evenly.
Then we assume the following for simple analysis.
Assumption 6.6We assume that
swap indices ℓ(s)
are distributed over the range from k to n-1 evenly
(uniformly) and independently to the distribution of ξ(s).
Under Assumption 6.6, we obtain the following estimate on the average of decreasing values of SS(𝐂) by the LLL algorithm for 𝐂.
Proposition 6.7Under Assumptions 5.6 and 6.6,
the average of decreasing values of SS(C)
by one time swap in the LLL algorithm for C is estimated to be greater than
1-δ12δ⋅vol(πk(L))2/(n-k).
Proof.
Due to the independence of ξ(s) in Assumption 6.6, it follows from (5.4) and Proposition 6.5 that SS(𝐂)=∑i=1nCi is reduced at least by
E[ξℓ+1,ℓ2(1-δ)δCm]≈(1-δ)δ⋅E[ξℓ+1,ℓ2]⋅E[Cm]≈1-δ12δE[Cm]
by a swap at the ℓ-th index for some m with k≤ℓ≤m≤n-1.
Moreover, under Assumption 6.6, the value E[Cm] is estimated as
1(n-k)∑m=kn-1Cm≥(∏m=kn-1Cm)1/(n-k)
=(Dk⋅(Dk+1Dk∥𝐛k*∥2)⋯(DnDn-1∥𝐛n-1*∥2))1/(n-k)
(6.2)=vol(πk(L))2/(n-k)
by the inequality of arithmetic and geometric means and
Proposition 4.2.
Note that Dn=∥𝐛n*∥2 by setting νn=1 and
vol(πk(L))2=∏i=kn∥𝐛i*∥2,
where πk(L) is the lattice of dimension n-k+1 with basis [πk(𝐛k),…,πk(𝐛n)].
∎
6.2.2 Expected number of swaps
The total number N of swaps in the LLL algorithm for 𝐂 is the most important to analyze the gap between two squared-sums SS(𝐂) and SS(𝐁′).
Here we give an estimate of the number N.
For the two bases 𝐁 and 𝐂 defined in (1.2), let Bi=∥𝐛i*∥2 as Ci=∥𝐜i*∥2 for 1≤i≤n.
A relation between two loop invariants ℒℐ(𝐁) and ℒℐ(𝐂) is given as follows (recall that Dℓ is defined by (4.1)).
Lemma 6.8We have
ℒℐ(𝐂)=ℒℐ(𝐁)×Dk⋯Dn-1Bk⋯Bn-1.
Proof.
By Proposition 4.2, we have
Ck=Dk and Cj=DjDj-1Bj-1 for k+1≤j≤n.
By definition, the loop invariant is given by
ℒℐ(𝐂)=∏i=1k-1Bin-i×Dkn-k×∏i=k+1n-1(DiDi-1Bi-1)n-i.
Then we obtain
ℒℐ(𝐂)ℒℐ(𝐁)=Dkn-k×∏i=k+1n-1(DiDi-1Bi-1)n-i∏i=kn-1Bin-i
=Dkn-k×(Dk+1Dk)n-k-1×(Dk+2Dk+1)n-k-2×⋯×(Dn-1Dn-2)Bk⋯Bn-1
=Dk⋯Dn-1Bk⋯Bn-1.
This completes the proof of Lemma 6.8.
∎
Recall that the loop invariant ℒℐ(𝐂)
is reduced by the factor of the swap ratio δ(s)
at the s-th swap for 1≤s≤N.
For 𝐁′←LLL(𝐂), we have
ℒℐ(𝐁′)=∏s=1Nδ(s)×ℒℐ(𝐂).
By combining this with Lemma 6.8, we obtain
(6.3)ℒℐ(𝐁′)=∏s=1Nδ(s)×∏j=kn-1DjBj×ℒℐ(𝐁).
For simple analysis, we assume the following.
Assumption 6.9Set R:=LI(B′)LI(B).
We assume 1⪰R, that is, LI(B)⪰LI(B′).
This assumption is based on GSA for 𝐁 and 𝐁′.
Since both 𝐁 and 𝐁′ are LLL-reduced, we roughly expect
BiBi+1≈Bi′Bi+1′≈q2 for all 1≤i≤n-1,
where we set Bi′=∥𝐛i′*∥2 for the Gram–Schmidt vectors [𝐛1′*,…,𝐛n′*] of 𝐁′ (see Section 2.2 for the q-value).
Hence we can roughly expect that R would be approximately equal to 1 under GSA for 𝐁 and 𝐁′.
As Example 6.11 below implies, we expect that R would be much smaller than 1 in practice when we take a shorter lattice vector 𝐯 as the inserted vector into 𝐁.
By equation (6.3), we have
(6.4)∑s=1Nlog(δ(s))=∑j=kn-1log(BjDj)+log(R).
By Lemma 5.1, we have
δ(s)<δ for any 1≤s≤N.
However, the parameter δ gives just an upper bound of each factor δ(s).
Since each δ(s) is
defined as
δ(s)=ξ(s)2+Cℓ(s)+1(s-1)Cℓ(s)(s-1),
we estimate that
E[δ(s)]⪰E[ξ(s)2]=112
for 1≤s≤N by (5.4).
We take a constant 0<ϵ<1 satisfying
E[log(δ(s))]⪰log(ϵ).
Then by equation (6.4), we obtain the following estimate on the number N.
Proposition 6.10Under Assumption 6.9, the total number N of swaps in the LLL algorithm for the basis C is roughly estimated as
(6.5)N⪰∑j=kn-1logϵ(BjDj)+logϵ(R)⪰∑j=kn-1logϵ(BjDj).
As discussed in Section 5.2, we may take ϵ as β defined in (5.8), and it satisfies β≥0.034 from Table 1.
However, for simple analysis, we may take
ϵ=E[ξ(s)2]=112
to obtain a lower bound of N under Assumption 5.6 (this ϵ is experimentally chosen, see Example 6.11 below for details).
Example 6.11As an example, we take a lattice L of dimension n=100, chosen from Darmstadt SVP challenge problems (using seed 0).
Let 𝐁 be an LLL-reduced basis of L with reduction parameter δ=0.99.
We also take a lattice vector 𝐯∈L with insertion index k=4, which is generated by Schnorr’s SA.
Let 𝐂,𝐁′ be two lattice bases constructed by (1.2) (note 𝐁′←LLL(𝐂)).
In Figure 3, we give the GSA behavior of three lattices 𝐁,𝐂 and 𝐁′.
More specifically, for three lattice bases 𝐁=[𝐛1,…,𝐛n], 𝐂=[𝐜1,…,𝐜n] and 𝐁′=[𝐛1′,…,𝐛n′], the values log2(∥𝐛1∥2/∥𝐛i*∥2), log2(∥𝐜1∥2/∥𝐜i*∥2) and log2(∥𝐛1′∥2/∥𝐛i′*∥2) for 1≤i≤n=100 are plotted. We have
SS(𝐁′)<SS(𝐁)<SS(𝐂).
We give some numerical data related with our assumptions.
In this example, we have ℒℐ(𝐁)≈4.99×1032973 and ℒℐ(𝐁′)≈2.43×1032899 (cf. vol(L)2≈5.0×10601), and
R=ℒℐ(𝐁′)ℒℐ(𝐁)≈4.86×10-75≪1.
Note that we have R≤1 in most examples, which implies that Assumption 6.9 holds in practice.
For our estimation (6.5), we have
∑j=kn-1logϵ(BjDj)≈54.96 and logϵ(R)≈68.86.
Then our estimation (6.5) gives N≈54.96+68.86=123.82.
In contrast, the actual total number of swaps in the LLL algorithm for 𝐂 is equal to 132, close to our estimation.
On the other hand, if we take δ=0.99 as the base of logarithm, then
∑j=kn-1logδ(BjDj)≈13588 and logδ(R)≈17026,
which are much larger than the actual total number of swaps.
If we take the minimum value β=0.034 as the base of logarithm, then
∑j=kn-1logβ(BjDj)≈40.39 and logβ(R)≈50.60,
which are about 1.36 times smaller than our estimation with ϵ=112.
6.3 Estimate of gap between SS(𝐂)
and SS(𝐁′)
In this subsection, we give an estimate of the gap between two squared-sums
SS(𝐂) and
SS(𝐁′).
By Proposition 6.5, the gap is
estimated as
(6.6)SS(𝐂)-SS(𝐁′)>∑s=1Nξ(s)2(1-δ(s))δ(s)Cm
(6.7)>∑s=1Nξ(s)2(1-δ)δCm,
for m=m(s,ℓ(s+1)).
Gap (6.7) is approximately determined by both the average of decreasing values of SS(𝐂) and the total number N of swaps in the LLL algorithm for the basis 𝐂.
By Propositions 6.7 and 6.10, we obtain the following estimate on gap (6.7).
Theorem 6.12Under Assumptions 5.6, 6.6 and 6.9,
the gap SS(C)-SS(B′) is estimated to be greater than
(6.8)(1-δ12δ⋅vol(πk(L))2/(n-k))⏟Average of decreasing values⋅∑j=kn-1logϵ(BjDj)⏟Estimation of N.
6.4 Alternative estimate for gap between
SS(𝐂) and SS(𝐁′)
In this subsection, we give an alternative heuristic estimation for the gap between two squared-sums SS(𝐂) and SS(𝐁′).
In Theorem 6.12, although the total number N of swaps plays
an important role, it is rather difficult to give its precise estimation.
Moreover, the term 1-δδ in gap (6.7) seems much smaller than
1-δ(s)δ(s) in gap (6.6), that might cause our estimation
of the gap very small.
In order to overcome such defects, we use an approximation
of ∑s=1Nlog(δ(s)) directly.
Specifically, we give a certain estimation of gap (6.6)
under the following settings,
where we assume that three distributions of ξ(s), Cm
and δ(s) are independent:
For estimation of each ξ(s)2,
we use its average112
given in equation (5.4).
For estimation of each Cm,
we use its averagevol(πk(L))2/(n-k)
given in equation (6.2).
For estimation of each 1-δ(s)δ(s),
we use its average1N⋅∑s=1N1-δ(s)δ(s).
Proposition 6.13Proposition 6.13 (Alternative estimate)
Under Assumptions 5.6, 6.6 and 6.9,
the gap SS(C)-SS(B′) is estimated to be greater than (cf. equation (6.8))
-(112⋅vol(πk(L))2/(n-k))⋅∑j=kn-1log(BjDj).
Proof.
Under the above settings, gap (6.6) can be estimated as
∑s=1Nξ(s)2(1-δ(s))δ(s)Cm≈112⋅vol(πk(L))2/(n-k)⋅∑s=1N1-δ(s)δ(s).
Since (1-x)x≥-log(x) for 0<x<1,
we have 1-δ(s)δ(s)≥-log(δ(s))
with 0<δ(s)<δ<1.
Under Assumption 6.9, we have
∑s=1N1-δ(s)δ(s)≥∑s=1N-log(δ(s))
=-∑j=kn-1log(BjDj)-log(R)
⪰-∑j=kn-1log(BjDj)
by equation (6.4).
This completes the proof of Proposition 6.13.
∎
7 Estimated gap between SS(𝐁) and
SS(𝐁′) and mutant vectors
Let 𝐁, 𝐂 and 𝐁′←LLL(𝐂) as in (1.2).
In this section, we estimate the gap between two squared-sums SS(𝐁) and SS(𝐁′), and define mutant vectors in order to definitely decrease the squared-sum SS(𝐁) of the original basis 𝐁.
By combining Theorems 4.4 and 6.12, we obtain the following estimate.
Theorem 7.1Under Assumptions 5.6, 6.6 and 6.9,
the gap SS(B)-SS(B′) is estimated to be greater than
(7.1)E(𝐯,k)+1-δ12δlog(ϵ)⋅vol(πk(L))2/(n-k)⋅∑j=kn-1log(BjDj).
If the total value of (7.1) is positive, then the squared-sum SS(𝐁) can be strictly decreased (i.e. condition (1.1) is satisfied).
However, we cannot find 𝐯∈L such that the total value of (7.1) is positive, due to that the constant term 1-δ12δlog(ϵ)<0 seems too small (see Section 8 below for our experimental results).
Then we give the following definition of candidate lattice vectors 𝐯∈L which enable us to strictly decrease SS(𝐁) in practice.
Definition 7.2Definition 7.2 (Mutant vectors)
Given an LLL-reduced basis 𝐁=[𝐛1,…,𝐛n] of a lattice L, let
𝐯=∑i=1nνi𝐛i*∈L
be a lattice vector sampled by Schnorr’s SA. Given a constant c>0, we call 𝐯 a mutant vector with factor c if
the insertion index k of 𝐯 is smaller than n-u (where u is the constant of search space bound for SA), and
the following condition is satisfied:
(7.2)E(𝐯,k)>c⋅vol(πk(L))2/(n-k)⋅∑j=kn-1log(BjDj).
Remark 7.3The alternative estimation in Proposition 6.13 may require us to set c=112≈0.083 in Definition 7.2.
However, compared to the experimental constants in (8.1) below, the value c=112 is still 3 to 4 times smaller for practical use.
This seems due to the ignorance of the value log(R).
In fact, as Example 6.11 implies, the value logϵ(R) gives a valuable information about the number N of swaps.
However, the value can be obtained after computing 𝐁′←LLL(𝐂).
In this paper, we set logϵ(R)=0.
We leave the analysis of logϵ(R) as our future work.
As mentioned in Remark 4.5, we consider only the case E(𝐯,k)≤0.
In this case, we expect from equation (4.3) that Bj≤Dj for most j=k,…,n-1, and hence
∑j=kn-1log(DjBj)>0
with high probability. Then, in Definition 7.2, we estimate the gap between two squared-sums SS(𝐂) and SS(𝐁′) as
O(vol(πk(L))2/(n-k)⋅∑j=kn-1log(DjBj)).
If we set a suitable constant c>0, a mutant vector 𝐯 with factor c can definitely decrease SS(𝐁) (with high probability).
In Section 8 below, we give a suitable constant c in practice.
In this paper, we focus on Schnorr’s SA to generate a number of short lattice vectors 𝐯.
Note that Definition 7.2 can be applied to more general short lattice vectors.
Given a lattice vector 𝐯 sampled by Schnorr’s SA, we expect
Bj≈Dj for j=k,…,n-1 (it is verified by our experiments).
Then we approximately have
log(BjDj)=log((BjDj-1)+1)≈(BjDj-1)
since log(1+x)≈x if x∈ℝ is sufficiently close to 0.
Therefore the right-hand side of (7.2) can be replaced with (cf. equation (4.3) for E(𝐯,k))
c⋅vol(πk(L))2/(n-k)⋅∑j=kn-1(BjDj-1).
Remark 7.4Given a basis 𝐁=[𝐛1,…,𝐛n] of a lattice L, we have
∑i=1n∥𝐛i*∥2n≥(∏i=1n∥𝐛i*∥2)1/n=vol(L)2/n.
Hence a theoretical lower bound of SS(𝐁)=∑i=1n∥𝐛i*∥2 is given by n⋅vol(L)2/n.
However, this lower bound seems considerably small in practice.
On the other hand, if 𝐁 is reduced by LLL or BKZ, we approximately have
SS(𝐁)=∥𝐛1∥2⋅∑i=1n(q2)1-i=∥𝐛1∥2⋅1-q-2n1-q-2
under GSA, where the q-value depends on the lattice reduction algorithm.
In case of the LLL algorithm, we can estimate from Section 2.2 that q≈1.04 and ∥𝐛1∥2≈1.0222n⋅vol(L)2/n in average for high dimension n≥100.
8 Experimental verification
In this section, we verify our analysis by experiments.
Specifically, we verify that a mutant vector 𝐯 with certain factor c>0 (see Definition 7.2) can decrease the squared-sum SS(𝐁) for an LLL-reduced basis 𝐁.
In our experiments, we used Schnorr’s SA with search space bound u=30 to generate a number of short lattice vectors (i.e. the search space size #Su,𝐁=230).
We also used the PARI library (http://pari.math.u-bordeaux.fr/) for the LLL algorithm with reduction parameter δ=0.99.
We took three lattices of dimensions n=100,110 and 120 from Darmstadt SVP challenge problems.
In particular, we set
(8.1)c={0.25for n=100,0.35for n=110,120.
Note that these constants are determined by our experiments.
Given an LLL-reduced basis 𝐁=[𝐛1,…,𝐛n] of a lattice L of dimensions n=100,110 and 120, we repeatedly performed the following procedures and computed ∑i=1n∥𝐛i*∥2:
Step 1.
Randomly generate a vector 𝐯=∑i=1nνi𝐛i*∈L by Schnorr’s SA with u=30 (see Section 3.1), and compute the insertion index k of 𝐯 by checking ∥πi(𝐯)∥2<∥𝐛i*∥2 for i=1,…,n (see Definition 3.2).
If ∥πi(𝐯)∥2≥∥𝐛i*∥2 for all 1≤i≤n, generate another lattice vector 𝐯.
Step 2.
Compute E(𝐯,k) from 𝐁 and 𝐯=∑i=1nνi𝐛i* (see equation (4.3) for E(𝐯,k)).
If condition (7.2) is satisfied, insert 𝐯 into 𝐁 at the k-th position to obtain a basis 𝐂 as in (1.2). Otherwise, go back to Step 1.
Step 3.
Set 𝐁=[𝐛1,…,𝐛n]←LLL(𝐂), and compute the squared-sum SS(𝐁).
8.1 Experimental results
In Figures 4–6, we give our experimental results on the transition of SS(𝐁) and the value log2(∥𝐛1∥2/∥𝐛i*∥2) for 1≤i≤n, which represents the GSA behavior of 𝐁.
Note that the value k in the left side figure denotes the insertion index of each mutant vector.
From Figures 4–6, we see the following:
Mutant vectors with factor c given by equation (8.1) can decrease SS(𝐁) in most cases.
Since it requires small factor c, condition (7.2) gives a good criterion of choosing candidate lattice vectors 𝐯 to decrease SS(𝐁).
In particular, mutant vectors with smaller factor c can decrease SS(𝐁) more greatly (but it is harder to generate mutant vectors with smaller factor c).
By repeatedly inserting a mutant vector, we can obtain better GSA behavior of 𝐁.
Namely, the values log2(∥𝐛1∥2/∥𝐛i*∥2) for 1≤i≤n
become to lie on a straight line gradually.
Moreover, there is a trade-off between the size of SS(𝐁) and the required number of sampling short lattice vectors 𝐯 to find a mutant vector.
More specifically, as the squared-sum SS(𝐁) becomes smaller, it requires to sample more short lattice vectors by Schnorr’s SA to find a mutant vector.
Note that we can easily find mutant vectors 𝐯 with small insertion index k after the latter half of vectors of 𝐁 are shortened (see [14] for such phenomenon).
8.2 Comparison to the RR algorithm by Fukase and Kashiwabara
Fukase and Kashiwabara [5] propose the RR algorithm in order to steadily decrease the squared-sum SS(𝐁).
The strategy of the RR algorithm is similar to the strategy of the BKZ algorithm, and it restricts insertion positions.
More specifically, given a restriction index 1≤r≤n, the RR algorithm does not insert a short lattice vector 𝐯 with insertion index k≤r.
Different from the RR algorithm, our criterion (7.2) for mutant vectors does not enforce us to restrict insertion positions.
Therefore we expect that our criterion (7.2) would enable us to search mutant vectors more flexibly and hence to decrease SS(𝐁) more efficiently.
Figure 4Transition of the squared-sum SS(𝐁) and the GSA behavior by insertion of mutant vectors in a lattice of dimension n=100.
Figure 5Same as Figure 4, but for lattice dimension n=110.
Figure 6Same as Figure 4, but for lattice dimension n=120.
9 Conclusion and future work
Given an LLL-reduced basis 𝐁=[𝐛1,…,𝐛n] of a lattice L, we gave an attempt to estimate a lower bound of the total number of swaps in the LLL algorithm.
In Definition 7.2, we also gave a condition of mutant vectors 𝐯=∑i=1nνi𝐛i*∈L.
Our experiments showed that although the constant c should be determined experimentally, our condition of mutant vectors gives a good criterion to decrease the sum SS(𝐁)=∑i=1n∥𝐛i*∥2 of the squared lengths of the Gram–Schmidt vectors [𝐛1*,…,𝐛n*] of 𝐁.
Compared to the RR algorithm of [5], our condition enables us to search mutant vectors more flexibly, and hence we expect that we could decrease SS(𝐁) more efficiently.
Our future work is to study how to search and sample mutant vectors efficiently.
Specifically, while in this paper we focused on Schnorr’s SA for sampling short lattice vectors, we would like to improve the method in [5] to efficiently sample a number of mutant vectors.
With our condition, we also would like to try to solve SVP in lattices of high dimensions.
Acknowledgements
The authors would like to thank Phong Nguyen and the anonymous reviewers for their helpful comments.
References
[1]
Ajtai M.,
The shortest vector problem in L2 is NP-hard for randomized reductions,
Proceedings of the 30th Annual ACM Symposium on Theory of Computing – STOC 1998,
ACM, New York (1998), 10–19.
10.1145/276698.276705Search in Google Scholar
[2]
Ajtai M., Kumar R. and Sivakumar D.,
A sieve algorithm for the shortest lattice vector problem,
Proceedings of the 33rd Annual ACM Symposium on Theory of Computing – STOC 2001,
ACM, New York (2001), 601–610.
10.1145/380752.380857Search in Google Scholar
[3]
Bremner M. R.,
Lattice Basis Reduction: An Introduction to the LLL Algorithm and its Applications,
CRC Press, Boca Raton, 2011.
10.1201/b11066Search in Google Scholar
[4]
Buchmann J. and Ludwig C.,
Practical lattice basis sampling reduction,
Algorithmic Number Theory – ANTS 2006,
Lecture Notes in Comput. Sci. 4076,
Springer, Berlin (2006), 222–237.
10.1007/11792086_17Search in Google Scholar
[5]
Fukase M. and Kashiwabara K.,
An accelerated algorithm for solving SVP based on statistical analysis,
J. Inform. Process. 23 (2015), no. 1, 1–15.
10.2197/ipsjjip.23.67Search in Google Scholar
[6]
Galbraith S. D.,
Mathematics of Public Key Cryptography,
Cambridge University Press, Cambridge, 2012.
10.1017/CBO9781139012843Search in Google Scholar
[7]
Gama N. and Nguyen P. Q.,
Predicting lattice reduction,
Advances in Cryptology – EUROCRYPT 2008,
Lecture Notes in Computer Sci. 4965,
Springer, Berlin (2008), 31–51.
10.1007/978-3-540-78967-3_3Search in Google Scholar
[8]
Gama N., Nguyen P. Q. and Regev O.,
Lattice enumeration using extreme pruning,
Advances in Cryptology – EUROCRYPT 2010,
Lecture Notes in Computer Sci. 6110,
Springer, Berlin (2010), 257–278.
10.1007/978-3-642-13190-5_13Search in Google Scholar
[9]
Goldreich O., Goldwasser S. and Halevi S.,
Public-key cryptosystems from lattice reduction problems,
Advances in Cryptology – CRYPTO 1997,
Lecture Notes in Computer Sci. 1294,
Springer, Berlin (1997), 112–131.
10.1007/BFb0052231Search in Google Scholar
[10]
Hoffstein J., Pipher J. and Silverman J. H.,
NTRU: A ring-based public key cryptosystem,
Algorithmic Number Theory – ANTS III,
Lecture Notes in Computer Sci. 1423,
Springer, Berlin (1998), 267–288.
10.1007/BFb0054868Search in Google Scholar
[11]
Lenstra A. K., Lenstra H. W. and Lovász L.,
Factoring polynomials with rational coefficients,
Math. Ann. 261 (1982), no. 4, 515–534.
10.1007/BF01457454Search in Google Scholar
[12]
Ludwig C.,
Practical lattice basis sampling reduction,
Ph.D thesis, Technische Universität Darmstadt, 2005.
Search in Google Scholar
[13]
Micciancio D.,
The shortest vector in a lattice is hard to approximate to within some constant,
SIAM J. Comput. 30 (2001), no. 6, 2008–2035.
10.1109/SFCS.1998.743432Search in Google Scholar
[14]
Micciancio D. and Michael W.,
Fast lattice point enumeration with minimal overhead,
Proceedings of the Twenty-Sixth Annual ACM-SIAM Symposium on Discrete Algorithms – SODA 2015,
SIAM, Philadelphia (2015), 276–294.
10.1137/1.9781611973730.21Search in Google Scholar
[15]
Nguyen P. Q. and Vallée B.,
The LLL algorithm,
Inf. Secur. Cryptography,
Springer, Berlin, 2010.
10.1007/978-3-642-02295-1Search in Google Scholar
[16]
Schneider M. and Göttert N.,
Random sampling for short lattice vectors on graphics cards,
Cryptographic Hardware and Embedded Systems – CHES 2011,
Lecture Notes in Computer Sci. 6917,
Springer, Berlin (2011), 160–175.
10.1007/978-3-642-23951-9_11Search in Google Scholar
[17]
Schnorr C. P.,
Lattice reduction by random sampling and birthday methods,
20th Annual Symposium of Theoretical Aspects on Computer Science – STACS 2003,
Lecture Notes in Computer Sci. 2606,
Springer, Berlin (2003), 145–156.
10.1007/3-540-36494-3_14Search in Google Scholar
[18]
Schnorr C. P. and Euchner M.,
Lattice basis reduction: Improved practical algorithms and solving subset sum problems,
Math. Program. 66 (1994), 181–199.10.1007/3-540-54458-5_51Search in Google Scholar
