
LLL Algorithm

The document discusses lattices and lattice basis reduction. It defines lattices and lattice bases and provides examples. It explains that some bases are easier to work with than others, and the goal of lattice basis reduction is to find efficient methods to transform bases into more "desirable" forms. Specifically, it discusses Minkowski reduction, which aims to make each basis vector as short as possible while maintaining independence, and Lagrange reduction, a simple reduction algorithm for 2D lattices. The document notes that finding the globally shortest basis is computationally difficult.


Lattice Basis Reduction and the LLL Algorithm
Curtis Bright
May 21, 2009

Point Lattices
A point lattice is a discrete additive subgroup of $\mathbb{R}^n$.
A basis for a lattice $L \subseteq \mathbb{R}^n$ is a set of linearly independent vectors $b_1, \dots, b_d \in \mathbb{R}^n$ whose integer span generates $L$:
$$L = \left\{ \sum_{i=1}^{d} x_i b_i : x_i \in \mathbb{Z} \right\}$$
In particular, we will be concerned about the case when $b_i \in \mathbb{Z}^n$, so $L \subseteq \mathbb{Z}^n$.
$d$ is the dimension of the lattice.

2D Example Lattice
The lattice generated by $b_1 = [3\ \ 5]$ and $b_2 = [6\ \ 0]$ in $\mathbb{Z}^2$:
[Figure: the lattice points generated by $b_1$ and $b_2$.]

A Bad Basis
[Figure: a bad basis of the example lattice.]

Changing Bases
The lattices in $\mathbb{Z}^4$ generated by the rows of
$$B = \begin{bmatrix} 32 & 27 & 99 & 92 \\ 74 & 8 & 29 & 31 \\ 4 & 69 & 44 & 67 \end{bmatrix}$$
$$B' = \begin{bmatrix} 4339936 & 682927 & 2330272 & 6748685 \\ 268783718 & 42311760 & 144378994 & 418036006 \\ 47833660 & 7038229 & 23910075 & 72218282 \end{bmatrix}$$
are the same. This is shown by writing each row in $B$ as a $\mathbb{Z}$-linear combination of the rows of $B'$, and vice versa.
That is, there exist change-of-basis matrices $U$ and $U'$ with integer entries such that $B' = UB$ and $B = U'B'$.
Since $U$ and $U' = U^{-1}$ both have integer entries, $\det U$ and $\det U^{-1} = 1/\det U$ are both integers.
Therefore $\det U = \pm 1$ ($U$ is unimodular).

Lattice Volume
[Figure: the region spanned by the basis vectors, labelled vol $L$.]
We define the volume of a lattice $L$ with basis $B$ to be the volume of the $[0, 1)$-span of its basis vectors.
If $B$ is square then $\operatorname{vol} L = |\det B|$, and in general
$$\operatorname{vol} L = \sqrt{\det(BB^T)}.$$
This is well defined: if $B'$ is some other basis of $L$ then
$$\sqrt{\det(B'B'^T)} = \sqrt{\det(UBB^TU^T)} = \sqrt{\det(BB^T)}$$
since $U$ is unimodular.

Lattice Reduction
Some bases are much easier to work with than others. This suggests we try to find:
- A method of ranking the bases of a lattice in some desirable order.
- An efficient way to find desirable bases of a lattice when given one of its other bases.

The Best Basis
The best possible basis $b_1, \dots, b_d$ of $L$ would have $b_1$ the shortest possible nonzero vector in $L$ and in general $b_i$ the shortest possible nonzero vector such that $b_1, \dots, b_i$ are linearly independent.
Of course such vectors always exist, but perhaps surprisingly for $d \ge 4$ they do not necessarily form a basis of $L$.

For example, the lattice generated by the following basis:
[Basis matrix in $\mathbb{Z}^{n \times n}$; only a row of 1s is legible here.]
For $n \ge 5$ the last vector is no longer the shortest possible vector in the lattice; in this case the shortest possible vector has norm 2 and there are exactly $n$ vectors (up to sign) which reach the minimum.
These vectors are linearly independent but generate $(2\mathbb{Z})^n$ instead.

Minkowski Reduction
The next best thing:
Definition. A basis $b_1, \dots, b_d$ of $L$ is Minkowski reduced if $b_i$ is the shortest possible vector such that $b_1, \dots, b_i$ may be extended into a basis of $L$ for each $1 \le i \le d$.
This is a greedy definition: it may concede a large increase in later $b_i$ for a small decrease in an early $b_i$.
Computationally, finding a Minkowski reduced basis leads to a combinatorial problem with a search space exponential in $d$.
Even just computing $b_1$ (the Shortest Vector Problem) is NP-hard when the maximum norm is used.

Lagrange Reduction
Historically the first lattice reduction considered (by Lagrange in 1773) was in two dimensions.
It gives rise to a simple algorithm, rather similar in style to Euclid's famous gcd algorithm: the norms of the input vectors are continually decreased by subtracting appropriate multiples of one vector from the other.
If $\lVert b_1 \rVert \le \lVert b_2 \rVert$ then we want to replace $b_2$ with $b_2 - v b_1$ for some $v$ such that $\lVert b_2 - v b_1 \rVert$ is minimized.

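[Figure: the vectors $b_1$, $b_2$ and $b_2 - v b_1$.]
Optimally, the new value of $\lVert b_2 - v b_1 \rVert$ would be
$$\left\lVert b_2 - \operatorname{proj}_{b_1}(b_2) \right\rVert = \left\lVert b_2 - \frac{\langle b_2, b_1 \rangle}{\lVert b_1 \rVert^2}\, b_1 \right\rVert.$$
But it is essential that $v \in \mathbb{Z}$, so take
$$v := \left\lfloor \frac{\langle b_2, b_1 \rangle}{\lVert b_1 \rVert^2} \right\rceil.$$
In the case $\frac{|\langle b_2, b_1 \rangle|}{\lVert b_1 \rVert^2} \le \frac{1}{2}$ there is no multiplier we can use to strictly decrease the norm.
Definition. A basis $b_1, b_2$ of $L$ is Lagrange reduced if $\lVert b_1 \rVert \le \lVert b_2 \rVert$ and $\frac{|\langle b_2, b_1 \rangle|}{\lVert b_1 \rVert^2} \le \frac{1}{2}$.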

Repeatedly applying this form of reduction yields Algorithm 1.3.14 in Cohen's text:

Input: A basis $b_1, b_2$ of a lattice $L$
Output: A Lagrange reduced basis of $L$
repeat
    if $\lVert b_1 \rVert > \lVert b_2 \rVert$ then swap $b_1$ and $b_2$
    $b_2 := b_2 - \left\lfloor \frac{\langle b_2, b_1 \rangle}{\lVert b_1 \rVert^2} \right\rceil b_1$
until $\lVert b_1 \rVert \le \lVert b_2 \rVert$
return $(b_1, b_2)$

$\lVert b_2 \rVert$ decreases by at least a factor of $\sqrt{3}$ on every iteration (except possibly the first and last).
Since $\lVert b_2 \rVert$ is always at least 1, there are $O(\log_{\sqrt{3}} \lVert b_2 \rVert)$ iterations.
The arithmetic operations in each loop take $O(\log^2 \lVert b_2 \rVert)$, so this algorithm runs in time $O(\log^3 \lVert b_2 \rVert)$.
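An added example, not code from the slides: the repeat/until loop above in Python for integer vectors, using integer-only rounding. The function names are chosen for this illustration, `SLIDE_BASIS` uses the 2D example entries as they appear on the page, and `BAD_BASIS` is a constructed second basis of the same lattice.

```python
def dot(u, v):
    return sum(x * y for x, y in zip(u, v))

def nearest_int(num, den):
    """Nearest integer to num/den for den > 0, integers only (ties round up)."""
    return (2 * num + den) // (2 * den)

def lagrange_reduce(b1, b2):
    """Lagrange-reduce a basis of a 2D integer lattice.

    Returns (b1, b2, iterations); norms are compared squared to stay in integers.
    """
    b1, b2 = tuple(b1), tuple(b2)
    iterations = 0
    while True:
        iterations += 1
        if dot(b1, b1) > dot(b2, b2):
            b1, b2 = b2, b1
        v = nearest_int(dot(b2, b1), dot(b1, b1))
        b2 = tuple(x - v * y for x, y in zip(b2, b1))
        if dot(b1, b1) <= dot(b2, b2):
            return b1, b2, iterations

def is_lagrange_reduced(b1, b2):
    """||b1|| <= ||b2|| and |<b2, b1>| / ||b1||^2 <= 1/2."""
    return dot(b1, b1) <= dot(b2, b2) and 2 * abs(dot(b2, b1)) <= dot(b1, b1)

def det2(b1, b2):
    """Determinant of the 2x2 basis matrix; |det| is the lattice volume."""
    return b1[0] * b2[1] - b1[1] * b2[0]

# The 2D example basis, with entries as they appear on the page.
SLIDE_BASIS = ((3, 5), (6, 0))
# Constructed "bad" basis of the same lattice: U * SLIDE_BASIS with
# U = [[7, 3], [2, 1]], det U = 1 (unimodular).
BAD_BASIS = ((39, 35), (12, 10))

if __name__ == "__main__":
    for basis in (SLIDE_BASIS, BAD_BASIS):
        print(basis, "->", lagrange_reduce(*basis))
```

Both inputs reduce to the same pair of vectors, and the absolute determinant is unchanged because every step is a unimodular operation.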

Equivalently, we may consider Lagrange's algorithm as if it was using a projected lattice:
[Figure: lattice diagram.]
Let $L'$ be the lattice $L$ projected orthogonally to $b_1$. Then $d = 1$, so $L'$ has only one basis up to sign:
[Figure: lattice diagram.]
Now lift the basis for $L'$ into $L$. Of course, there are an infinite number of ways to lift; we choose the shortest.
[Figure: lattice diagram.]

Korkin-Zolotarev Reduction
The advantage to considering Lagrange's algorithm this way is that it generalizes to higher dimensions.
Let $b_i'$ be the component of $b_i$ orthogonal to $b_1$, i.e.,
$$b_i' = \operatorname{proj}_{\operatorname{span}(b_1)^\perp}(b_i) = b_i - \frac{\langle b_i, b_1 \rangle}{\lVert b_1 \rVert^2}\, b_1 = b_i - \mu_{i,1} b_1.$$
Definition. A basis $b_1, \dots, b_d$ of $L$ is Korkin-Zolotarev reduced if
- $b_1$ is the shortest possible nonzero vector of $L$
- $b_2', \dots, b_d'$ is a Korkin-Zolotarev reduced basis of $L'$
- $b_2, \dots, b_d$ are lifted from $L'$ minimally: $|\mu_{i,1}| \le \frac{1}{2}$ for $2 \le i$
Once again, this reduction notion requires solving SVP to find a Korkin-Zolotarev reduced basis: not good computationally.

There are $d$ recursive lattices in this definition:
- $L$ with basis $b_1, \dots, b_d$
- $L'$ with basis $b_2', \dots, b_d'$
- $L^{(2)}$ with basis $b_3^{(2)}, \dots, b_d^{(2)}$
- $\vdots$
- $L^{(d-1)}$ with basis $b_d^{(d-1)}$
Denote $b_i^{(i-1)}$ by $b_i^*$. By induction it may be shown
$$b_i^* = \operatorname{proj}_{\operatorname{span}(b_1, \dots, b_{i-1})^\perp}(b_i).$$
These are the Gram-Schmidt orthogonalization vectors.
$b_1^*, \dots, b_i^*$ is an orthogonal basis for $\operatorname{span}(b_1, \dots, b_i)$.

Orthogonality Defect
By the Gram-Schmidt orthogonalization,
$$\operatorname{vol} L = \prod_{i=1}^{d} \lVert b_i^* \rVert \le \prod_{i=1}^{d} \lVert b_i \rVert$$
with equality if and only if the $b_i$ are orthogonal.
The larger $\prod_{i=1}^{d} \lVert b_i \rVert$ is compared to $\operatorname{vol} L$ the less orthogonal the $b_i$ are. So $\prod_{i=1}^{d} \lVert b_i \rVert / \operatorname{vol} L$ is known as the orthogonality defect, and is a method of ranking the bases of a lattice.
We would like a guarantee that the reductions we consider have an orthogonality defect bounded by some function of $d$:
$$\prod_{i=1}^{d} \lVert b_i \rVert \le f(d) \operatorname{vol} L.$$

Hermite Reduction
Historically, Hermite was the first to consider lattice reduction in arbitrary dimension in two letters sent to Jacobi in 1845.
Hermite reduction is weaker than Korkin-Zolotarev reduction, but stronger than LLL reduction.
Nevertheless, the properties we will show for Hermite reduced bases also apply to LLL reduced bases (with small modifications).
Definition. A basis $b_1, \dots, b_d$ of $L$ is Hermite reduced if
- $\lVert b_1 \rVert \le \lVert b_i \rVert$ for all $i$
- $b_2', \dots, b_d'$ is a Hermite reduced basis of $L'$
- $b_2, \dots, b_d$ are lifted from $L'$ minimally: $|\mu_{i,1}| \le \frac{1}{2}$ for $2 \le i$

A Nice Bound
Hermite reduced bases satisfy the following bound:
$$\lVert b_i \rVert^2 \le \tfrac{4}{3} \lVert b_i' \rVert^2$$
Intuitively this says that the projected vector $b_i'$ isn't that much smaller than the original $b_i$.
Actually follows from the Pythagorean Theorem in $d$ dimensions and the fact $\lVert \mu_{i,1} b_1 \rVert \le \frac{1}{2} \lVert b_i \rVert$.
[Figure: the vectors $b_1$, $b_2$, $b_2'$ and $\mu_{2,1} b_1$.]

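Using the Pythagorean Theorem,
$$\lVert b_i \rVert^2 = \lVert b_i' \rVert^2 + \lVert \mu_{i,1} b_1 \rVert^2 \le \lVert b_i' \rVert^2 + \tfrac{1}{4} \lVert b_i \rVert^2$$
$$\tfrac{3}{4} \lVert b_i \rVert^2 \le \lVert b_i' \rVert^2$$
$$\lVert b_i \rVert^2 \le \tfrac{4}{3} \lVert b_i' \rVert^2 \le \left(\tfrac{4}{3}\right)^2 \lVert b_i^{(2)} \rVert^2 \le \dots \le \left(\tfrac{4}{3}\right)^{i-1} \lVert b_i^* \rVert^2$$
by repeated application of the bound.
Intuitively, as $i$ increases $b_i^*$ is allowed to become increasingly smaller than $b_i$, but not arbitrarily smaller.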

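From $\lVert b_i \rVert \le \left(\tfrac{4}{3}\right)^{(i-1)/2} \lVert b_i^* \rVert$ we can bound the orthogonality defect:
$$\prod_{i=1}^{d} \lVert b_i \rVert \le \prod_{i=1}^{d} \left(\tfrac{4}{3}\right)^{(i-1)/2} \lVert b_i^* \rVert = \left(\tfrac{4}{3}\right)^{\sum_{i=1}^{d} (i-1)/2} \operatorname{vol} L = \left(\tfrac{4}{3}\right)^{d(d-1)/4} \operatorname{vol} L$$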

Approximate Shortest Vector Problem
Hermite reduced bases can also be used to approximate a solution to SVP.
Let $x = \sum_{i=1}^{k} r_i b_i$ be a shortest nonzero vector in $L$ (i.e., a solution to SVP), where $r_i \in \mathbb{Z}$ and $r_k \ne 0$.
It is difficult to bound a sum of $b_i$ directly since they are not orthogonal. So we rewrite using Gram-Schmidt:
$$x = \sum_{i=1}^{k} r_i \left( b_i^* + \sum_{j=1}^{i-1} \mu_{i,j} b_j^* \right) = r_k b_k^* + \sum_{i=1}^{k-1} s_i b_i^*$$
for some $s_i \in \mathbb{Q}$.

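Now we can use a generalization of the Pythagorean Theorem,
$$\lVert x \rVert^2 = \lVert r_k b_k^* \rVert^2 + \sum_{i=1}^{k-1} \lVert s_i b_i^* \rVert^2 \ge r_k^2 \lVert b_k^* \rVert^2 \ge \lVert b_k^* \rVert^2.$$
Using previous bounds on $b_i$ with $i = k$,
$$\lVert b_1 \rVert \le \lVert b_k \rVert \le \left(\tfrac{4}{3}\right)^{(k-1)/2} \lVert b_k^* \rVert \le \left(\tfrac{4}{3}\right)^{(d-1)/2} \lVert x \rVert.$$
So $b_1$ is at most a factor of $\left(\tfrac{4}{3}\right)^{(d-1)/2}$ longer than the shortest possible nonzero vector in $L$.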

Optimal-LLL Reduction
There is no algorithm known which can provably compute a Hermite reduced basis efficiently (polynomial time in $d$). So, we weaken the conditions again:
Definition. A basis $b_1, \dots, b_d$ of $L$ is optimal-LLL reduced if
- $\lVert b_1 \rVert \le \lVert b_2 \rVert$
- $b_2', \dots, b_d'$ is an optimal-LLL reduced basis of $L'$
- $b_2, \dots, b_d$ are lifted from $L'$ minimally: $|\mu_{i,1}| \le \frac{1}{2}$ for $2 \le i$

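Optimal-LLL reduced bases no longer satisfy the nice bound $\lVert b_i \rVert^2 \le \tfrac{4}{3} \lVert b_i' \rVert^2$, but do satisfy a similar one,
$$\lVert b_i^* \rVert^2 \le \tfrac{4}{3} \lVert b_{i+1}^* \rVert^2.$$
In fact, with a little more work we can derive the same properties as in the Hermite case:
$$\lVert b_i \rVert \le \left(\tfrac{4}{3}\right)^{(i-1)/2} \lVert b_i^* \rVert$$
$$\prod_{i=1}^{d} \lVert b_i \rVert \le \left(\tfrac{4}{3}\right)^{d(d-1)/4} \operatorname{vol} L$$
$$\lVert b_1 \rVert \le \left(\tfrac{4}{3}\right)^{(d-1)/2} \lVert x \rVert$$
There is no algorithm known which can provably compute an optimal-LLL reduced basis efficiently (polynomial time in $d$).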

LLL Reduction
We weaken optimal-LLL reduction by allowing some slack room in the $\lVert b_1 \rVert \le \lVert b_2 \rVert$ condition:
Definition. A basis $b_1, \dots, b_d$ of $L$ is LLL reduced with quality parameter $c \in (1, 4)$ if
- $\lVert b_1 \rVert \le \sqrt{c}\, \lVert b_2 \rVert$
- $b_2', \dots, b_d'$ is an LLL reduced basis of $L'$ (with quality $c$)
- $b_2, \dots, b_d$ are lifted from $L'$ minimally: $|\mu_{i,1}| \le \frac{1}{2}$ for $2 \le i$
The smaller $c$ is, the less slack room and the better the reduction.

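Define $C = \frac{4c}{4-c}$; note that $C > \frac{4}{3}$ for $c > 1$ but we can set $C$ arbitrarily close to $\frac{4}{3}$.
Analogously to the Hermite case, LLL reduced bases satisfy:
$$\lVert b_i \rVert \le C^{(i-1)/2} \lVert b_i^* \rVert$$
$$\prod_{i=1}^{d} \lVert b_i \rVert \le C^{d(d-1)/4} \operatorname{vol} L$$
$$\lVert b_1 \rVert \le C^{(d-1)/2} \lVert x \rVert$$
In the original LLL paper $c = \frac{4}{3}$ was used, so $C = 2$.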

The Punchline
The straightforward way of applying the definition of an LLL reduced basis gives an algorithm for computing an LLL reduced basis efficiently (polynomial time in $d$).

Input: A basis $b_1, \dots, b_d$ of a lattice $L$; a quality parameter $c$
Output: An LLL reduced basis of $L$ (with quality $c$)
if $d = 1$ then return $(b_1)$
repeat
    if $\lVert b_1 \rVert > \sqrt{c}\, \lVert b_2 \rVert$ then swap $b_1$ and $b_2$
    $(b_2, \dots, b_d) := \operatorname{lift}_{b_1}(\operatorname{LLLReduce}_c(b_2', \dots, b_d'))$
until $\lVert b_1 \rVert \le \sqrt{c}\, \lVert b_2 \rVert$
return $(b_1, \dots, b_d)$

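The Iterative LLL Definition: Size Reduction
The shortest-lift condition in the $j$th recursive lattice is $|\mu_i^{(j)}| \le \frac{1}{2}$ for $j + 1 < i$, where:
$$\mu_i^{(j)} = \frac{\langle b_i^{(j)}, b_{j+1}^{(j)} \rangle}{\lVert b_{j+1}^{(j)} \rVert^2} = \frac{\left\langle b_i - \sum_{k=1}^{j} \mu_{i,k} b_k^*,\ b_{j+1}^* \right\rangle}{\lVert b_{j+1}^* \rVert^2} = \frac{\langle b_i, b_{j+1}^* \rangle}{\lVert b_{j+1}^* \rVert^2} = \mu_{i,j+1}$$
So the shortest-lift condition implies $|\mu_{i,j}| \le \frac{1}{2}$ for $j < i$.
This is called size-reduction.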

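The Iterative LLL Definition: Lovász Condition
The $\lVert b_1 \rVert \le \sqrt{c}\, \lVert b_2 \rVert$ condition in the $i$th recursive lattice:
$$\lVert b_{i+1}^{(i)} \rVert \le \sqrt{c}\, \lVert b_{i+2}^{(i)} \rVert = \sqrt{c}\, \left\lVert b_{i+2} - \sum_{j=1}^{i} \mu_{i+2,j} b_j^* \right\rVert = \sqrt{c}\, \lVert b_{i+2}^* + \mu_{i+2,i+1} b_{i+1}^* \rVert$$
So the $b_1$-bound condition implies
$$\lVert b_i^* \rVert \le \sqrt{c}\, \lVert b_{i+1}^* + \mu_{i+1,i} b_i^* \rVert$$
for $i \ge 1$.
This is called the Lovász condition.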

Non-recursive LLL Reduction
Putting these conditions together gives Definition 2.6.1 in Cohen's text:
Definition. A basis $b_1, \dots, b_d$ is LLL reduced with quality parameter $c \in (1, 4)$ if
- $|\mu_{i,j}| \le \frac{1}{2}$ for $1 \le j < i \le d$
- $\lVert b_{i-1}^* \rVert \le \sqrt{c}\, \lVert b_i^* + \mu_{i,i-1} b_{i-1}^* \rVert$ for $1 < i \le d$
Say we have some basis $b_1, \dots, b_k$ such that the first $k - 1$ vectors form an LLL reduced basis. If
- $b_k$ is size-reduced against the first $k - 1$ vectors
- the Lovász condition holds for $i = k$
then $b_1, \dots, b_k$ is also an LLL reduced basis.

The Iterative LLL Algorithm

Input: A basis $b_1, \dots, b_d$ of a lattice $L$; a quality parameter $c$
Output: An LLL reduced basis of $L$ (with quality $c$)
$k := 2$
while $k \le d$ do
    size-reduce $b_k$ against $b_1, \dots, b_{k-1}$
    if $\lVert b_{k-1}^* \rVert \le \sqrt{c}\, \lVert b_k^* + \mu_{k,k-1} b_{k-1}^* \rVert$ then
        $k := k + 1$
    else
        swap $b_{k-1}$ and $b_k$
        $k := \max(k - 1, 2)$
    end if
end while
return $(b_1, \dots, b_d)$

At the start of the loop, $b_1, \dots, b_{k-1}$ is an LLL reduced basis.

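The Gram-Schmidt Vectors During LLL
Size reduction does not change the $b_i^*$.
If $c_i^*$ are the Gram-Schmidt vectors after a swap, then:

| Before | Gram-Schmidt norms | After |
|---|---|---|
| $b_1$ | $\lVert b_1^* \rVert = \lVert c_1^* \rVert$ | $b_1$ |
| $\vdots$ | $\vdots$ | $\vdots$ |
| $b_{k-1}$ | $\lVert b_{k-1}^* \rVert = \lVert c_{k-1}^* \rVert$ | $b_{k-1}$ |
| $b_k$ | $\lVert b_k^* \rVert > \sqrt{c}\, \lVert c_k^* \rVert$ | $b_{k+1}$ |
| $b_{k+1}$ | $\lVert b_{k+1}^* \rVert < \sqrt{c}\, \lVert c_{k+1}^* \rVert$ | $b_k$ |
| $b_{k+2}$ | $\lVert b_{k+2}^* \rVert = \lVert c_{k+2}^* \rVert$ | $b_{k+2}$ |
| $\vdots$ | $\vdots$ | $\vdots$ |
| $b_d$ | $\lVert b_d^* \rVert = \lVert c_d^* \rVert$ | $b_d$ |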

Bounding the Number of Swaps
Let $B_k$ be the basis consisting of the first $k$ basis vectors, $L_k$ the lattice formed by the basis $B_k$, and
$$d_k = (\operatorname{vol} L_k)^2 = \det(B_k B_k^T) = \prod_{i=1}^{k} \lVert b_i^* \rVert^2.$$
If the $b_i$ are integer vectors then $d_k \in \mathbb{Z}^+$.
During LLL, a swap of $b_k$ and $b_{k+1}$ decreases $d_k$ by a factor of at least $c$, and doesn't change $d_i$ for $i \ne k$.
Thus, if we define
$$D = \prod_{i=1}^{d} d_i$$
then $D$ decreases by a factor of at least $c$ after every swap.

Thus, there are at most $\log_c(D)$ swaps. Since
$$D = \prod_{i=1}^{d} \lVert b_i^* \rVert^{2(d-i+1)} \le \prod_{i=1}^{d} \lVert b_i \rVert^{2(d-i+1)} \le \max_i \lVert b_i \rVert^{d(d+1)}$$
there are $O(\log D) = O(d^2 \log B)$ swaps, where $B = \max_i \lVert b_i \rVert$ for the original $b_i$.
The size of the numbers involved remains reasonable throughout the algorithm:
- $\lVert b_i^* \rVert \le B$.
- The denominators of $b_i^*$ and $\mu_{i,j}$ divide $\operatorname{vol} L$.
- $\log \lVert b_i \rVert$ and $\log |\mu_{i,j}|$ are $O(d \log B)$.
Size-reduction requires $O(n)$ arithmetic operations, and there are $O(d)$ vectors to size-reduce against.
Total cost of LLL is therefore $O(n d^5 (\log B)^3)$ without fast arithmetic.

Factoring Polynomials over the Integers
If $f$ is an integer polynomial with an algebraic root, if we can find the minimal polynomial of that root then we have an irreducible factor of $f$.
Let $\alpha \in \mathbb{C}$ be an approximation to an algebraic root of $f$ with a minimal polynomial $h$ of degree $m$.

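For some constant $N$ let $L$ be the lattice generated by the rows of the following basis:
$$\begin{bmatrix} b_0 \\ b_1 \\ b_2 \\ \vdots \\ b_m \end{bmatrix} = \begin{bmatrix} 1 & & & & & N\Re(\alpha^0) & N\Im(\alpha^0) \\ & 1 & & & & N\Re(\alpha^1) & N\Im(\alpha^1) \\ & & 1 & & & N\Re(\alpha^2) & N\Im(\alpha^2) \\ & & & \ddots & & \vdots & \vdots \\ & & & & 1 & N\Re(\alpha^m) & N\Im(\alpha^m) \end{bmatrix}$$
Any $x \in L$ has form $x = \sum_{i=0}^{m} g_i b_i$ for some $g_i \in \mathbb{Z}$.
Can think of $(g_0, \dots, g_m)$ as $g \in \mathbb{Z}^m$ or an integer polynomial $g(x) = \sum_{i=0}^{m} g_i x^i$.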

Any $x \in L$ has the form
$$x = \begin{bmatrix} g^T & N\Re(g(\alpha)) & N\Im(g(\alpha)) \end{bmatrix},$$
and it follows $\lVert x \rVert^2 = \lVert g \rVert^2 + N^2 |g(\alpha)|^2$.
We can make $h(\alpha)$ arbitrarily small by increasing the precision of $\alpha$.
So by taking $N$ large enough, we can make the shortest nonzero vector in $L$ be
$$s = \begin{bmatrix} h^T & N\Re(h(\alpha)) & N\Im(h(\alpha)) \end{bmatrix}.$$
And then increasing $N$ by a factor $2^{m/2}$ ensures that any vector $x \in L$ not a multiple of $s$ will have $\lVert x \rVert^2 > 2^m \lVert s \rVert^2$.
LLL will always find a vector $\lVert b_0 \rVert^2 \le 2^m \lVert s \rVert^2$.