Lightweight Introduction to Lattices

(Miroslav Dimitrov, Harald Ritter, Bernhard Esslinger, April 2020, v.1.0.6)

1 Introduction

In the following sections, our goal is to cover the basic theory behind lattices in a
lightweight fashion. The covered theory will be accompanied with lots of practical ex-
amples, SageMath code, and cryptographic challenges.
Sections 2 to 8 introduce the notation and methods needed to deal with and understand
lattices (this makes up around one third of this chapter). Sections 9 to 10 deal in more
detail with lattices and their application to attack RSA. Section 11 is considered as a
deeper outlook providing some algorithms for lattice basis reduction and their usage to
break cryptosystems. The appendix contains screenshots where to find lattice algorithms
in the CrypTool programs.

2 Preliminaries

You are not required to have any advanced background in any mathematical domain
or programming language. Nevertheless, expanding your knowledge and learning new
mathematical concepts and programming techniques will give you a great boost towards
your goal as a future expert in cryptology. This chapter is built in an independent way
– you are not required to read the previous chapters in the book. The examples and the
practical scenarios will be implemented in SageMath (a computer-algebra system (CAS),
which uses Python as scripting language). We believe that the code in this chapter is
very intuitive and even if you don’t have any experience with Python syntax you will
grasp the idea behind it. However, if you want to learn Python or just polish up your
current skills we recommend the freely available book of Charles Severance1 .

1
Charles Severance: Python for Informatics from http://www.pythonlearn.com/, Version 2.7.3, 2015.
At www.py4e.com, there is also a version about Python 3 from Charles Severance called Python for
Everybody. From version v9.0 of the open-source CAS SageMath it is based on Python 3.
3. EQUATIONS 2

3 Equations

According to an English dictionary2 “equation” means “statement that the values of two
mathematical expressions are equal (indicated by the sign =)”.
The equations could be trivial (without an unknown variable involved):

0=0
1=1
1+1=2
1.9 = 2

... or with variables (also called indeterminates) which leads to a set of solutions or
“the” one solution or no solution (unsolvable):

x + x = 10
x + y = 10
x+y =z
x1 + x2 + x3 + · · · + x10 = z

Equations help us to mathematically describe a relationship between some objects. In

some cases, the solution is straightforward and unique, but in some other cases we have
a set of possible solutions. By domain we define the set of input values for which the
equation is defined. As example, the equation x + 1 = 10 has one solution over the
positive integer numbers and no solutions over the negative integer numbers. From now
on till the end of this chapter we are going to work only with the set of integer numbers
Z.
In SageMath we can easily define variables. The following declaration defines the special
symbol x as a variable:
sage: x = var(’x’)
Now, we can construct our equation. Let’s say that we want to find the solution of
the following equation x + x2 + x3 = 100. First, we need to define our left side of the
equation. The declaration using SageMath is straightforward. We will name the left side
of our equation as leq.
Here is an example3 with coefficients (they need the times operator ∗).
2
https://en.oxforddictionaries.com/definition/equation
Equations are mathematical statements which might be wrong or right. E.g. 1.9 = 2 is right despite
many people at first don’t think so. But: 0.3 = 13 ⇒ 0.9 = 3 · 0.3 = 3 · 31 = 1
3
The symbols ∗∗ mean in both SageMath and Python powered to.
The expression on the right side is called a polynomial. A polynomial P consists of variables and
coefficients, that involve only the operations of addition, subtraction, multiplication, and non-negative
3. EQUATIONS 3

sage: leq1 = x + 2*x**2 + x**3

For our example we use a term without coefficients:
sage: leq2 = x + x**2 + x**3
We are ready to solve the equation and find the solutions.
sage: eq_sol = solve(leq2==100, x)
The last command of SageMath will try to find all x for which x + x2 + x3 = 100. If you
try this on your machine, you will notice a list of possible solutions which don’t look
like integer numbers. This is, because we defined x as variable without restrictions of its
domain. So, let’s predefine the symbol x as variable in the domain of integer numbers:4
sage: x = var(’x’, domain=ZZ)
Now, when we try to solve the equation we receive as list of solutions the empty list5 .
This means that there is no such x which satisfies the defined equation. And indeed,
let’s see the values of the equation for consecutive values of x.

sage: for i in range(-6,6):

....: print(leq2(x=i), "for", "x=", i)
-186 for x= -6
-105 for x= -5
-52 for x= -4
-21 for x= -3
-6 for x= -2
-1 for x= -1
0 for x= 0
3 for x= 1
14 for x= 2
39 for x= 3
84 for x= 4
155 for x= 5
258 for x= 6

We can notice two characteristics of our equation. First, the left side of the equation
becomes larger when the variable x grows. Second, the solution for our equation is some
non-integer number between 4 and 5.

integer exponents of variables. An example of a polynomial of a single variable x is x2 − 4x + 7. The

highest exponent in the variable is called the degree of the polynomial. Every polynomial P in a
single variable x defines a function x → P (x), and is also called a univariate polynomial. An integer
polynomial allows its variables and coefficients to be only integer values.
See https://en.wikipedia.org/wiki/Polynomial.
4
ZZ means the domain of integer numbers Z. Integers can be further limited to the Boolean type (true
or false) or the integers modulo n (IntegerModRing(n) or GF(n), if n is prime).
5
[] defines an empty list.
4. SYSTEM OF LINEAR EQUATIONS 4

Remark: Normally, the term on the left contains also the number on the right side, if
it’s different from 0. So the usual way to write this equation is: x3 + x2 + x − 100 = 0.

Challenge 1 We found this strange list of (independent) equations. Can you find the
hidden message? Consider the found values for the variable of each equation as the ascii
value of a character. The correct ascii values build the correct word in the same order
as the 8 equations appear here. A copy-and-paste-ready version of this equation system
is also available, see page 75.

x40 − 150x30 + 4389 x20 − 43000 x0 + 131100 = 0

x10 9 8 7 6 5
1 − 177 x1 + 9143 x1 − 228909 x1 + 3264597 x1 − 28298835 x1 +
+152170893 x41 − 502513551 x31 + 974729862 x21 − 995312448 x1 + 396179424 = 0
x10 9 8 7 6 5
2 − 196 x2 + 12537 x2 − 397764 x2 + 7189071 x2 − 77789724 x2 +
+506733203 x42 − 1941451916 x32 + 4165661988 x22 − 4501832400 x2 + 1841875200 = 0
x53 − 153 x43 + 5317 x33 − 77199 x23 + 510274 x3 − 1269840 = 0
x84 − 194 x74 + 11791 x64 − 352754 x54 + 6011644 x44 −
−61295576 x34 + 370272864 x24 − 1222050816 x4 + 1696757760 = 0
x65 − 169 x55 + 7702 x45 − 153082 x35 + 1477573 x25 − 6672349 x5 + 11042724 = 0
x86 − 202 x76 + 12936 x66 − 406082 x56 + 7170059 x46 −
−74124708 x36 + 439747164 x26 − 1365683328 x6 + 1701311040 = 0
x97 − 206 x87 + 13919 x77 − 467924 x67 + 8975099 x57 − 102829454 x47 +
+699732361 x37 − 2673468816 x27 + 4956440220 x7 − 2888395200 = 0

4 System of Linear Equations

We already introduced the concepts of variables, equations and the domain of an equa-
tion. We showed how to declare variables in SageMath and how to find solutions of
single-variable equations automatically with solve. What if we have two different vari-
ables in our equation? Let’s take as an example the following equation x + y = 10. Let’s
try to solve this equation using SageMath:6

sage: x = var(’x’, domain=ZZ)

sage: y = var(’y’, domain=ZZ)
sage: solve(x+y==10, (x,y))
(t_0, -t_0 + 10)

6
This time we require as solution of solve() the tuple (x, y).
4. SYSTEM OF LINEAR EQUATIONS 5

We get as solution x = t0 and y = −t0 + 10 and indeed x + y = t0 + (−t0 + 10) =

t0 − t0 + 10 = 10. This notation is used by SageMath to show us that there are infinite
many integer solutions to the given equation.
What if we have another restrictions of x and y. As example, what if we know that
they are equal? Equality defines another equation which is related to the first one, so
we can form a system of equations (in a system of equations the single equations are
not independent from each other):

x + y = 10


x=y

Let’s solve this system of equations using SageMath. We can easily organize all the
equations from this 2-equation system using a list array.

sage: x = var(’x’, domain=ZZ)

sage: y = var(’y’, domain=ZZ)
sage: solve([x+y==10,x==y], (x,y))
[[x == 5, y == 5]]

As we see, we have only one solution x = y = 5.

A rich collection of mathematical problems can be solved by using systems of linear
equations. Let’s take as example the simple puzzle in fig. 4.1 and solve it with SageMath.

15

20

30

Figure 4.1: Visual Puzzle

As usual, each row consists of three different items and their corresponding total price.
Usually, the goal in such puzzles is to find the price of each distinct item. We have 3 dis-
tinct items. Let’s define the price of each pencil as x, the price of each computer display
as y and the price of each bundle of servers as z. Following the previous declarations we
can write down the following system of linear equations:

 2x + y = 15


x + y + z = 20

3z = 30
4. SYSTEM OF LINEAR EQUATIONS 6

We can easily solve this puzzle by using pen and paper only. The last equation reveals
the value of z = 10. Eliminating the variable z by replacing its value in the previous
equations, we reduce the system to system of two unknown variables:

2x + y = 15


x + y = 10

z = 10

We can now subtract the second equation from the first one to receive:

2x + y − (x + y) = 15 − 10 = 5
x=5

Therefore, we ended up with the following solution of the puzzle:

x = 5


y=5

z = 10

Now, let’s try to solve the same puzzle by using SageMath.

sage: x = var(’x’, domain=ZZ)

sage: y = var(’y’, domain=ZZ)
sage: z = var(’z’, domain=ZZ)
sage: solve([x + x + y == 15, x+y+z == 20, z+z+z == 30],
(x,y,z))
[[x == 5, y == 5, z == 10]]

Challenge 2 Can you recover the hidden message in the picture puzzle in fig. 4.2 on the
next page? Each symbol represents a distinct decimal digit. There is a balance that each
left side equals the corresponding right side. Automate the process by using SageMath.
Hint: ASCII (American Standard Code for Information Interchange) is involved.
5. MATRICES 7

Figure 4.2: Puzzle Challenge (picture created by the author)

In the next sections we are going to introduce the definition of matrices, which will help
us describe a given system of linear equations in a much more compact way.

5 Matrices

Is there more convenient way to write down huge systems of linear equations? We are
going to introduce this way by using augmented matrices. You can consider a matrix
as a rectangular or square array of numbers. The numbers are arranged in rows and
columns. For example, let’s analyze the following matrix:
 
1 2 3
M=
3 4 5

We have 2 rows and 3 columns, and a total of 6 elements. We define an element as

ai,j when we want to emphasize that the element is located on the i-th row and j-th
column7 . For example, a1,1 = 1, a1,3 = 3, a2,2 = 4.
In the following system of linear equations the independent variables are called a, b, c,
d, e, and f. 
 6a + 7b + 11c + 18d + 4e + 7f = 5




 8a + 14b + 2c + 13d + 2e + f = 19


 a + b + 3c + 4d + 4e + 7f = 15


 3a + 4b + c + d + 14e + 17f = 1

 5a + 5b + 2c + 2d + 2e + 6f = 2




11a + 17b + c + d + e + f = 9
7
Here we use the indexing starting from 1 as usual in mathematics. However, later in the SageMath
samples the index of row and column start from 0 (as usual in computer languages like C or Python).
5. MATRICES 8

We can easily write down this system of linear equations as a matrix. Let’s write down all
coefficients in front of the variable a in the first column of our new matrix, all coefficients
in front of the variable b in the second column and so on. This forms the coefficient
matrix.
The right side of each equation forms another column – the last one. For clarity we are
going to separate it from other columns with a vertical line. We call such matrix an
augmented matrix.  
6 7 11 18 4 7 5
 8 14 2 13 2 1 19 
 
 1 1 3 4 4 7 15 
 
 3 4 1 1 14 17 1 
 
 5 5 2 2 2 6 2 
11 17 1 1 1 1 9

Let’s analyze the behavior of a system of linear equations. We can make the following
observations:

• Swapping the positions of two equations doesn’t affect the solution of the system
of the linear equations.
• Multiplying the equation by a nonzero number doesn’t affect the solution of the
system of the linear equations.
• Adding one randomly chosen equation to another randomly chosen equation doesn’t
affect the solution of the system of the linear equations.

We can easily transform those properties as properties in the augmented matrix. Fur-
thermore, those properties allow us to build a complete automatic system of finding
solutions to a given augmented matrix. In linear algebra, Gaussian elimination (also
known as row reduction) is an algorithm for solving systems of linear equations. It is
usually understood as a sequence of operations performed on the corresponding aug-
mented matrix. Once all of the leading coefficients (the leftmost nonzero entry in each
row) are 1, and every column containing a leading coefficient has zeros elsewhere, the
matrix is said to be in reduced row echelon form.8
Let’s apply Gaussian elimination on the following system of linear equations:

4x + 8y + 3z = 10

5x + 6y + 2z = 15

9x + 5y + z = 20


8
See https://en.wikipedia.org/wiki/Row_echelon_form
5. MATRICES 9

We can easily transform this system of linear equations to an augmented matrix.

 
4 8 3 10
 5 6 2 15 
9 5 1 20

Then, we start to transform the matrix to row echelon form. We first divide the first
row by 4.    
4 8 3 10 1 2 0.75 2.5
 5 6 2 15  →  5 6 2 15 
9 5 1 20 9 5 1 20

The reason for dividing the first row by 4 is simple – we need the first element of the first
row to be equal to 1, which allows us to multiply the first row by consequently 5 and 9
and to subtract it from respectively the second and the third row. Let’s recall that we
are trying to transform the augmented matrix to reduced row echelon form. Now, let’s
apply the previously made observations.
     
1 2 0.75 2.5 1 2 0.75 2.5 1 2 0.75 2.5
 5 6 2 15  →  0 −4 −1.75 2.5  →  0 −4 −1.75 2.5 
9 5 1 20 9 5 1 20 0 −13 −5.75 −2.5
Now, we divide the second row with −4. This will transform the second element of
the second row to 1 and will allow us to continue with our strategy of reducing the
augmented matrix to the required row echelon form.
   
1 2 0.75 2.5 1 2 0.75 2.5
 0 −4 −1.75 2.5  →  0 1 0.4375 −0.625 
0 −13 −5.75 −2.5 0 −13 −5.75 −2.5

And again following the previous strategy we applied on the first row, we multiply the
second row by 2 and subtracts it from the first row. Right after this operation we
multiply the second row by 13 and add it to the last row.
   
1 2 0.75 2.5 1 0 −0.125 3.75
 0 1 0.4375 −0.625  →  0 1 0.4375 −0.625 
0 −13 −5.75 −2.5 0 −13 −5.75 −2.5

   
1 0 −0.125 3.75 1 0 −0.125 3.75
 0 1 0.4375 −0.625  →  0 1 0.4375 −0.625 
0 −13 −5.75 −2.5 0 0 −0.0625 −10.625
5. MATRICES 10

We are almost ready. Now, we normalize the last row by dividing it by −0.0625.
   
1 0 −0.125 3.75 1 0 −0.125 3.75
 0 1 0.4375 −0.625  →  0 1 0.4375 −0.625 
0 0 −0.0625 −10.625 0 0 1 170

We are following the same steps as the previously applied operations. First, we multiply
the last row by 0.125 and add it to the first row. Afterwards, we multiply again the last
row by 0.4375 and this time subtracts it from the second one.
   
1 0 −0.125 3.75 1 0 0 25
 0 1 0.4375 −0.625  →  0 1 0.4375 −0.625 
0 0 1 170 0 0 1 170

   
1 0 0 25 1 0 0 25
 0 1 0.4375 −0.625  →  0 1 0 −75 
0 0 1 170 0 0 1 170

We reduced the augmented matrix to the reduced row echelon form. Let’s transform
back the problem to the system of linear equations.

1 · x + 0 · y + 0 · z = x = 25

0 · x + 1 · y + 0 · z = y = −75

0 · x + 0 · y + 1 · z = z = 170


We now do posses a tool (algorithm) for solving a system of linear equations.9

Challenge 3 We discovered a solution to the system of linear equations by just following

an algorithm and by using only 3 main operations. As an exercise, and by applying
the newly discovered method of solving system of linear equations, can you solve this
challenge? The system of equations is listed in fig. 5.1 on the next page.

Definition 1 Some but not all quadratic matrices have inverses, that is for A = (ai,j )
a matrix A−1 such that
1 0 ... 0 !
0 1 ... 0
A · A−1 = .. .. . . ..
. . . .
0 0 ... 1
is called the inverse of A. If A has an inverse matrix, A is said to be invertible.

9
How to do that with SageMath is described below in section 7 on page 16.
5. MATRICES 11


115 b + 111 h + 108 f = 2209

118 b + 101 h + 115 f = 2214

111 b + 114 h + 116 f = 2286


 97 q + 100 m + 100 a = 1582

111 q + 110 m + 101 a = 1748

116 q + 111 m + 101 a = 1786


 97 r + 99 n + 104 t = 910

108 r + 101 n + 116 t = 1005

116 r + 101 n + 114 t = 1019


Figure 5.1: Puzzle Challenge 3

If A has such an inverse, it is unique and the outcome of the product A · A−1 = A−1 · A
doesn’t depend on the order of the factors. Mind that matrix multiplication in general
is not commutative.
Of course we can easily compute the inverse of a matrix in SageMath, if it exists:

sage: A=matrix([[0,2,0,0],[3,0,0,0],[0,0,5,0],[0,0,0,7]])
sage: A
[0 2 0 0]
[3 0 0 0]
[0 0 5 0]
[0 0 0 7]
sage: A.inverse()
[ 0 1/3 0 0]
[1/2 0 0 0]
[ 0 0 1/5 0]
[ 0 0 0 1/7]
sage: B=matrix([[1,0],[0,0]])
sage: B.inverse()
#... lines of error info, ending with:
ZeroDivisionError: matrix must be nonsingular

Definition 2 A diagonal matrix is a matrix A = (aij ) where aij = 0 for all i, j with
i 6= j. That is, all entries outside the diagonal are zero.

Note that matrix multiplication, restricted to diagonal matrices, is commutative. Note

6. VECTORS 12

Figure 6.1: Example of a vector

also that transposition operates trivially on diagonal matrices: AT = A for every diago-
nal matrix A.
In order to continue our path to the definition of lattices and their properties, we need
to introduce some basic definitions and notations about vectors, which – depending on
the context – sometimes can be viewed as special matrices either with only one column
or with only one row.

6 Vectors

A scalar quantity is a one dimensional measurement of a quantity, like temperature

or mass. A vector has more than one number associated with it. A simple example is
velocity. It has a magnitude, called speed, as well as a direction, like North or Southwest
or 10 degrees west of North. You can have more than two numbers associated with a
vector.10 We often draw a vector as an arrow as shown in fig. 6.1 – here a vector v is
drawn starting from the origin (0, 0) and terminating on point (1, 1). But how to write
down the vector?

Definition 3 A directed line from the point P (x1 , x2 ) to the point Q(y1 , y2 ) is a vector
# » # »
with the following components: P Q = OS = (s1 , s2 ) = (y1 − x1 , y2 − x2 ).
# »
The initial point of the vector OP = (x1 , x2 ) is at the origin O = (0, 0) and the terminal
point is P = (x1 , x2 ).11

# » # »
Let’s express the vectors P Q and RQ having the three points P (0, 1), Q(2, 2) and
R(1.5, 1.5) as shown in fig. 6.2 on the next page.
10
This explanation is taken from van.physics.illinois.edu.
11
This and some other useful definitions and notations are taken from the freely available book “Linear
Algebra with Sage” from Sang-Gu Lee[6].
6. VECTORS 13

Q
R
P
# »
RQ # »
PQ
x

Figure 6.2: Finding vectors

We can easily do that by following the definition:

# »
P Q = (2 − 0, 2 − 1) = (2, 1)
# »
RQ = (2 − 1.5, 2 − 1.5) = (0.5, 0.5)

Moreover, if we define the origin point as O(0, 0) and some random point Z(x, y) we
# »
can easily define the vector OZ = (x − 0, y − 0) = (x, y). Using this observation we can
easily calculate the desired vectors using SageMath.

sage: vOP = vector([0,1])

sage: vOQ = vector([2,2])
sage: vOR = vector([1.5,1.5])
sage: vPQ = vOQ - vOP
sage: vRQ = vOQ - vOR
sage: print(vPQ, vRQ)
(2,1) (0.5, 0.5)

# »
Intuitively, we can easily check that results. P Q = (2, 1) means that if we start moving
from point P and move 2 times on the right and 1 time up, we are going to reach the
# »
point Q. Following the same interpretation, RQ = (0.5, 0.5) means that if we start
moving from point R and move 0.5 on the right and 0.5 up, we are going to reach the
point Q.

Definition 4 (Addition of vectors, multiplication of a scalar with a vector)

6. VECTORS 14

   
x1 y
For any two vectors x = , y = 1 in R2 and a scalar k, the sum of x + y and the
x2 y2
   
x 1 + y1 kx1
product kx are defined as follows: x + y = and kx = .
x 2 + y2 kx2

Definition 5 The zero vector is a vector where all its components are equal to 0 (its
initial point is taken to be the origin).

Definition 6 An ordered n-tuple of (real) numbers (x1 , x2 , ..., xn ) is called a n-dimensional

vector and can be written as
 
x1
 x2 
 
 x3 
x = (x1 , x2 , ..., xn ) =  
 ... 
xn

We call x1 , x2 , ..., xn the components of x.

We sum n-dimensional vectors and multiply n-dimensional vectors by some scalar the
same way as we did with the 2-dimensional ones.

Definition 7 For vectors v1 , v2 , ..., vk in Rn and scalars c1 , c2 , ..., ck ,

x = c1 v1 + c2 v2 + ...ck vk

is called a linear combination of vectors v1 , v2 , ..., vk .

Definition 8 Given a vector x = (x1 , x2 , ..., xn ) in Rn

q
kxk = x21 + x22 + ... + x2n

is called the norm (or length) of x.

You can easily calculate the norm of the vector by using SageMath:

sage: v = vector([3,6,2])
sage: v.norm() # square root of (9 + 36 + 4)
7
6. VECTORS 15

Challenge 4 As an exercise, find the hidden word in the puzzle challenge, given in fig. 6.3.
Hint: 0xASCII.
y

11

10
A4
9
A6
8
A5
7
A0
6
A8
5
A9 A7
4
A3
3
A2
2
A1
1

x
1 2 3 4 5 6 7 8 9 10 11

Figure 6.3: Puzzle Challenge 4

Definition 9 For vectors x = (x1 , x2 , ..., xn ), y = (y1 , y2 , ..., yn ) in Rn ,

x1 y1 + x2 y2 + ... + xn yn

is called the dot product or scalar product or inner product12 of x and y and is
denoted by x · y.

We are not going to use the following 3 definitions 10, 11, and 12 in the sections to come,
12
To be precise, the dot product is a subset of the inner product, but this difference isn’t used here.
7. EQUATIONS – REVISITED 16

but they are handy consequences of the previous definitions.

Definition 10 For nontrivial vectors x = (x1 , x2 , ..., xn ), y = (y1 , y2 , ..., yn ) in Rn there

x·y
exists θ with 0 ≤ θ ≤ π or 0◦ ≤ θ ≤ 180◦ and ||x||·||y|| = cos θ. Then θ is called the angle
between x and y.

Definition 11 If x · y = 0, then x is orthogonal to y. If x is a scalar multiple of y,

then x is parallel to y.

We can easily calculate the inner product of two vectors via SageMath.

sage: x = vector([5,4,1,3])
sage: y = vector([6,1,2,3])
sage: x*y
45
sage: x.inner_product(y)
45

We can either use the multiply operator or be more strict and use the second syntax.
Indeed, x · y = 5 · 6 + 4 · 1 + 1 · 2 + 3 · 3 = 45. Now, it’s time to define the building blocks
of one vector space.

1
Definition 12 For an arbitrary, non-zero vector v ∈ Rn , u = kvk · v is a unit vector.
In Rn , unit vectors of the form:

e1 = (1, 0, 0, ..., 0), e2 = (0, 1, 0, ..., 0), ..., en = (0, 0, 0, ..., 1)

are called standard unit vectors or coordinate vectors.

The previous definition allows us to make the following observation: If x = (x1 , x2 , ..., xn )
is an arbitrary vector of Rn , using standard unit vectors, we can express x as follows:

x = x1 e1 + x2 e2 + ... + xn en

7 Equations – revisited

We introduced the concept of matrices and more precisely – the coefficient matrix and
the augmented matrix (see section 5 on page 7). We examined the Gaussian elimination
and how to solve a system of linear equations by using it.
7. EQUATIONS – REVISITED 17

So, let’s solve the following system of linear equations using SageMath:

96x1 + 11x2 + 101x3 = 634

97x1 + 15x2 + 99x3 = 637

88x1 + 22x2 + 100x3 = 654


Let’s first define the coefficient matrix A.

sage: A = matrix([[96,11,101],[97,15,99],[88,22,100]])
sage: A
[ 96 11 101]
[ 97 15 99]
[ 88 22 100]

Then, we define the right sides of the equations as a vector b and construct the augmented
matrix.

sage: b = vector([634,637,654])
sage: b
(634, 637, 654)
sage: B = A.augment(b)
sage: B
[ 96 11 101 634]
[ 97 15 99 637]
[ 88 22 100 654]

Now, all we need to do is to directly calculate the reduced row echelon form.

sage: B.rref()
[1 0 0 1]
[0 1 0 3]
[0 0 1 5]

As a final solution, we have x1 = 1, x2 = 3, x3 = 5.

We already defined operations for dealing with vectors (see definition 4 on page 13
and definition 9 on page 15). Let’s apply the same operations when we are dealing with
matrices.

Definition 13 (Addition) Given two matrices A = [aij ]m×n and B = [bij ]m×n the sum
of A + B is defined by
A + B = [aij + bij ]m×n
7. EQUATIONS – REVISITED 18

Definition 14 Given a matrix A = [aij ]m×n and a real number k, the scalar multiple
kA is defined by
kA = [kaij ]m×n

Let’s try some examples with SageMath:

sage: A = matrix([[9,7,0],[0,5,6],[1,3,3]])
sage: B = matrix([[8,5,2],[8,2,2],[0,0,1]])
sage: A
[9 7 0]
[0 5 6]
[1 3 3]
sage: B
[8 5 2]
[8 2 2]
[0 0 1]
sage: A+B
[17 12 2]
[ 8 7 8]
[ 1 3 4]
sage: A-B
[ 1 2 -2]
[-8 3 4]
[ 1 3 2]
sage: 2*A
[18 14 0]
[ 0 10 12]
[ 2 6 6]
sage: A.row(0) # get first row of a matrix
(9, 7, 0)
sage: A.column(0) # get first col of a matrix
(9, 0, 1)

Definition 15 Given two matrices A = [aij ]m×p and B = [bij ]p×n , we define the prod-
uct AB of A and B, s.t. AB = [cij ]m×n , where

cij = ai1 b1j + ai2 b2j + ai3 b3j + .. + aip bpj

Remark: Please note that the number of columns of the first factor must be equal to the
number of rows in the second factor.
7. EQUATIONS – REVISITED 19

sage: A*B
[128 59 32]
[ 40 10 16]
[ 32 11 11]

We can conclude with the following observations from the definition of a product of two
matrices: The inner product (see definition 9 on page 15) of the i-th row vector of A and
the j-th column vector of B is the (i, j) entry of AB. To demonstrate this observation
we first need to introduce another simple definition:

Definition 16 The transpose of a matrix is a new matrix whose rows are the columns
of the original, i.e. if A = [aij ]m×n , then AT , the transpose of A, is AT = [aji ]n×m .

sage: B.transpose()
[8 8 0]
[5 2 0]
[2 2 1]
sage: B.T
[8 8 0]
[5 2 0]
[2 2 1]

Using this handy SageMath method we can easily calculate the product of two matrices:

sage: for a in A:
....: for b in B.transpose():
....: print(a*b)
....: print()
....:
128
59
32

40
10
16

32
11
11
7. EQUATIONS – REVISITED 20

or directly in SageMath 13

sage: A*B
[128 59 32]
[ 40 10 16]
[ 32 11 11]

In order to introduce the concept of lattices we need some more definitions. Considering
the next system of equations, let’s try to express each of the variables x, y and z as an
expression of the coefficients a, b, c, d, e, f, g, h, i, r1 , r2 , r3 .

ax + by + cz = r1
dx + ey + f z = r2 (1)
gx + hy + iz = r3

Let’s multiply the first equation in system 1 with ei, the second equation with hc and
the last equation with bf .

aeix + beiy + ceiz = eir1

dhcx + ehcy + f hcz = hcr2 (2)
gbf x + hbf y + ibf z = bf r3

Again, using system 1, we multiply the first equation with f h, the second equation with
bi and the last equation with ce.

af hx + bf hy + cf hz = f hr1
dbix + ebiy + f biz = bir2 (3)
gcex + hcey + icez = cer3

Now we derive a new equation by subtracting from the sum of all the equations in system
2 the sum of all the equations in system 3:

(aei + dhc + gbf − af h − dbi − gce) · x+

+ (bei + ehc + hbf − bf h − ebi − hce) · y+
+ (cei + f hc + ibf − cf h − f bi − ice) · z =
= (ei − f h) · r1 + (hc − bi) · r2 + (bf − ce) · r3

13
Please note the preference of the SageMath operators: A*B.transpose() = A*(B.transpose()) and
not (A*B).transpose()
7. EQUATIONS – REVISITED 21

Simplifying the equation by removing the equal expressions:

(aei + dhc + gbf − af h − dbi − gce) · x =

= (ei − f h) · r1 + (hc − bi) · r2 + (bf − ce) · r3

So, we are ready to express x:

(ei − f h) · r1 + (hc − bi) · r2 + (bf − ce) · r3

x= (4)
aei + dhc + gbf − af h − dbi − gce

Following the same procedure, and choosing carefully the coefficients to multiply the
equations with, we can express y and z as well. But what if we have had system of 100
equations with 100 variables? Moreover, how to use a more elegant way of recovering
the variables? It’s time to introduce the definitions of minors and determinants.

Definition 17 A minor Mij of a square matrix A with size n, is the (n − 1) × (n − 1)

matrix made by the rows and columns of A except the i’th row and the j’th column.



a b c
Example 1 Let’s have a matrix A = d e f . Following the definitions of minors,
g h i
 
we have M11 = h i , M12 = g i or M22 = ( ag ci ).
e f df

Let’s take the general case of a matrix A with size n.

 
a1,1 a1,2 a1,3 ... a1,j ... a1,n
 a2,1 a2,2 a2,3 ... a2,j ... a2,n 
 
 a3,1 a3,2 a3,3 ... a3,j ... a3,n 
 
A=  ... ... ... ... ... ... ... 

 ai,1 ai,2 ai,3 ... ai,j ... ai,n 
 
 ... ... ... ... ... ... ... 
an,1 an,2 an,3 ... an,j ... an,n

Then, the minor Mij of A is equal to:

 
a1,1 a1,2 a1,3 ... a1,j−1 a1,j+1 ... a1,n
 a2,1 a 2,2 a2,3 ... a2,j−1 a2,j+1 ... a2,n 
 
 a3,1 a 3,2 a3,3 ... a3,j−1 a3,j+1 ... a3,n 
 
 ... ... ... ... ... ... ... 
Mij = 
ai−1,1 ai−1,2 ai−1,3

 ... ai−1,j−1 ai−1,j+1 ... ai−1,n 

ai+1,1 ai+1,2 ai+1,3 ... ai+1,j−1 ai+1,j+1 ... ai+1,n 
 
 ... ... ... ... ... ... ... 
an,1 an,2 an,3 ... an,j−1 an,j+1 ... an,n
7. EQUATIONS – REVISITED 22

Now, having the definitions of minors, we can finally define the determinant of a
matrix.

Definition 18 Let’s have a square matrix A with real number elements and some   fixed
integers r ∈ {1, . . . , n} and c ∈ {1, . . . , n}. Then, its determinant, det(A) = A is a
real number, which can be calculated either by column c or by row r:
n
  X
(−1)i+c ai,c Mic 
 
A = (expansion along column c)
i=1
Xn
(−1)r+i ar,i Mri 
   
A = (expansion along row r)
i=1

Let’s calculate the determinants of a 2 × 2 matrix B and of a 3 × 3 matrix C by using

minors respectively on row 1 and column 2.

Example 2 Expansion along row 1:

 
a b 
 = (−1)1+1 · a · d + (−1)1+2 · b · c = ad − bc
   
det(B) = 

c d 

Note that in the above computation, |d| and |c| do not denote the absolute value of the
numbers d and c, but the determinant of the 1 × 1-Matrices consisting of d or c, the
minors d = M11 and c = M12 of the Matrix B.

Example 3 Expansion along column 2:

 
a b c 
 
det(C) = d e f 
g h i 
     
1+2
d f  2+2
a c 3+2
a c 
= (−1) · b ·   + (−1) · e ·   + (−1) · h ·  
g i g i d f
= −b(di − f g) + e(ai − cg) − h(af − cd) =
= aei + dhc + gbf − af h − dbi − gce

The determinant of this example is exactly equal to the denominator of the right side
of equation 4 on page 21. What about the numerator? We  can easily
 verify that the
r1 b c 
 
numerator is equal to the determinant of matrix B1 = r2 e f . If we define the
r3 h i 
7. EQUATIONS – REVISITED 23

   
a r1 c  a b r 1 
   
matrices B2 = d r2 f  and B3 = d e r2 , we can easily calculate the variables x,
g r3 i   g h r3 
y, and z.

det(B1 ) det(B2 ) det(B3 )

x= , y= , z= (5)
det(C) det(C) det(C)

The same method can be applied when looking for some solution of a system of n
equations with n variables. SageMath provides easy way to calculate a determinant, as
well as sub-matrices of our choice.

sage: M = matrix([[1,2,3], [4,5,6], [7,8,9]])

sage: M
[1 2 3]
[4 5 6]
[7 8 9]
 
1 2 3
 4 5 6 
7 8 9

sage: M.determinant()
0
sage: det(M)
0
sage: M.det()
0

# consider row 1 and 3, and col 1 and 3 (row 1 has index 0]

sage: M.matrix_from_rows_and_columns([0,2],[0,2])
[1 3]
[7 9]
 
1 3
M22 =
7 9
The constructor matrix_from_rows_and_columns takes two lists as arguments. The
first list defines which rows of a matrix A should be taken to construct the new matrix,
while the second list defines the columns. For example, to construct the minor (see def.
17) Mij of matrix A with size n, we call:

A.matrix_from_rows_and_columns([0,...,i-1,i+1,...,n-1],[0,...,j-1,j+1,...,n-1])
7. EQUATIONS – REVISITED 24

Now, with all this information we can automate the process of solving a large system
of equations. For example, we can construct a matrix from all the coefficients in the
equations. Then, we calculate each minor and it’s corresponding determinant, which
will help us recovering all the variables as shown in 5 on 23. Let’s consider the following
system of equations: 
 x + 9y + 3z = 61

2x + 4y + 8z = 94

5x + 7y + 6z = 128


We can transfer the same system of equations into a product of matrices:

     
1 9 3 x 61
2 4 8 · y  =  94 
5 7 6 z 128

Now, for example, we can use determinants to calculate the unknowns. On the other
hand, we can further automate this process by using SageMath:

sage: M = matrix([[1,9,3], [2,4,8], [5,7,6]])

sage: M
 
1 9 3
 2 4 8 
5 7 6

sage: r = matrix([[61],[94],[128]])
sage: r
 
61
 94 
128

sage: M.solve_right(r)
 
13
 3 
7
Which yields the final solutions x = 13, y = 3 and z = 7.

Challenge 5 Alice and Bob established an interesting (but insecure) encryption scheme.
Alice creates n equations with n variables and sends them to Bob over an insecure channel
using two packets. The first packet consists of all the coefficients used in the equations
7. EQUATIONS – REVISITED 25

in form of a matrix without any changes. However, the second packet consists of all the
right sides of the equations in scrambled order. Their shared secret key consists of the
original indexes of the scrambled right sides of the equations.
Having the secret key, Bob can unscramble the right sides of the equations and recover the
unknown variables. Then, he multiplies all the recovered variables and the final number
is the decrypted message. They were using leet language to create or read the final
number. For example, the word sage in leet language is 5463.
Eve captured the following two packets P1 and P2 :
 
33 79 29 41 47
79 27 39 79 44
 
90 83 58 1 90 ;
P1 =  P2 = [ 73 300, 167 887, 243 754, 254 984, 458 756 ]

38 32 13 15 96
72 82 88 83 23
Can you recover the original message?
8. VECTOR SPACES 26

8 Vector Spaces

We need to introduce another important building block of linear algebra – vector spaces.
Let’s first define what a vector space is.

Definition 19 A vector space over the real numbers R consists of a set V and two
operators ⊕ and , subject to the following conditions/properties/axioms:14
1. closure under addition: ∀~x ∀~y ∈ V : ~x ⊕ ~y ∈ V
2. commutativity of addition: ∀~x ∀~y ∈ V : ~x ⊕ ~y = ~y ⊕ ~x
3. associativity of addition: ∀~x ∀~y ∀~z ∈ V : (~x ⊕ ~y ) ⊕ ~z = ~x ⊕ (~y ⊕ ~z)
4. neutral element under addition: ∃ ~o ∈ V : (∀~x ∈ V : ~x ⊕ ~o = ~x) We call ~o the zero
vector.
5. additive inverse: ∀~x ∈ V ∃~y ∈ V : ~x ⊕ ~y = ~o (We call ~y the additive inverse or
inverse element of addition of ~x, and vice versa.)
6. closure under scalar multiplication: ∀r ∈ R, ∀~x ∈ V : r  ~x ∈ V
7. distributivity: ∀r, s ∈ R, ∀~x ∈ V : (r + s)  ~x = r  ~x ⊕ s  ~x
8. distributivity: ∀r ∈ R, ∀~x, ~y ∈ V : r  (~x ⊕ ~y ) = r  ~x ⊕ r  ~y
9. associativity: ∀r, s ∈ R, ∀~x ∈ V : (rs)  ~x = r  (s  ~x)
10. neutral or identity element of scalar multiplication: ∀~x ∈ V : 1  ~x = ~x

Usually, one does not use the symbol , but just the multiplication dot or even no dot.
But sometimes, like in this definition, we want to point out that the scalar multiplication
is a mapping from R × V to V while the “regular” multiplication is something else, i.e.
a mapping from R × R to R. Also note that there is some danger of confusion when
we use the same multiplication symbol (or no symbol at all) for scalar multiplication as
well as for the scalar product (vector product, inner product, see page 15). This can
cause some trouble when looking at more complicated formulas containing both types
of products.
We can further define vector spaces over larger sets, for example the set of complex
numbers. It is also possible to define structures like above over smaller sets, for example
the set of integer numbers. In this case – when the set of scalars is a so called ring 15 and
not a so called field – these algebraic structures are not called vector spaces, but modules.
Our vectors, as well as our choice of the two operators ⊕ and  play an important role
whether our space is a vector space or not.
14
See the good Wikipedia article https://en.wikipedia.org/wiki/Vector_space about that topic.
15
We will not go into detail here and define what a field or a ring is. Basically, a field is something like
R and a ring is something like Z. The main difference is that a field has multiplicative inverses for
all elements except zero and a ring doesn’t.
8. VECTOR SPACES 27

Example 4 Let’s define the set M of all 2 × 2 matrices with entries of real numbers.
Furthermore, we choose the operator ⊕ as a regular additive operator on matrices, i.e.,
     
a1 a2 b1 b2 a1 + b1 a2 + b2
⊕ =
a3 a4 b3 b4 a3 + b3 a4 + b4

We choose the operation  to be the already known scalar multiplication of matrices, i.e.
   
a1 a2 ra1 ra2
r =
a3 a4 ra3 ra4

We can easily check that all the conditions apply and this is indeed a vector space, in
which the zero vector is ( 00 00 ).

Example 5 The set P of polynomials with real coefficients is a vector space with the
operator ⊕ defined
P to be regular additive operator on polynomials and the operator 
the P
defined via r  ( ai x ) := rai xi . For example, if ai , bi , r ∈ R, then:
i

(a0 + a1 x + ... + an xn ) ⊕ (b0 + b1 x + ... + bn xn ) =

= (a0 + b0 ) + (a1 + b1 )x + ... + (an + bn )xn
r  (a0 + a1 x + ... + an xn ) = (ra0 ) + (ra1 )x + ... + (ran )xn

Definition 20 For any vector space V over a given field with operations ⊕ and , a
subspace U is a subset of V that is itself a vector space over the same field under the
inherited operations ⊕ and . This means that U is closed under addition ⊕ and scalar
multiplication .

Example 6 A subspace of R2 is the set of the zero vector {(0, 0)}. We call such
subspaces trivial subspaces.

Example 7 Let’s define the vector space of cubic polynomials

Cu = {a + bx + cx2 + dx3 | a, b, c, d ∈ R}

and the vector space of linear polynomials Li = {e+f x|e, f ∈ R}. Then, Li is a subspace
of Cu .

Definition 21 The span (or linear closure) of a nonempty subset S of a vector space
V is the set of all linear combinations of vectors from S.
8. VECTOR SPACES 28

In short, we can write down the span of a subset S of a vector space V in the following
way:
span(S) = {c1 v~1 ⊕ ... ⊕ cn v~n | ci ∈ R, v~i ∈ S}
Note that S itself does not have to be a subspace, but span(S) always is a subspace of
V . If span(S) = U , we say that S generates U .

Example 8 For any nonzero vector ~x ∈ R3 , the span of ~x is a line through the origin
(0, 0, 0).

2 . We will show that span(S) = R2 .



Example 9 Let’s define S = ( 22 ), −2

If this is the case, then each vector ( xy ) ∈ R2 can be represented as a linear combination
of vectors in S. Therefore ∃ r1 , r2 ∈ R :
     
2 2 x
r1 · + r2 · =
2 −2 y

So, we can express every possible vector ( xy ) ∈ R2 by choosing r1 and r2 such that
r1 = x+y x−y 5
4 and r2 = 4 . For example, if x = 9 and y = 1, we have r1 = 2 and r2 = 2.
         
5 2 2 5 4 9
· +2· = + =
2 2 −2 5 −4 1

The previous example is one possibility of spanning R2 . Can the set R2 be spanned
by 3 or more vectors? Sure, we can just
 2duplicate

one of the elements in the previous
example, namely we can take the set ( 2 ), −2 , −1 . But can R2 be spanned by
2 1

using only one vector?

Definition 22 A subset of a vector space is said to be linearly independent if none

of its elements is a linear combination of the others. Otherwise it is called linearly
dependent.

Definition 23 A basis for a vector space is a set B of vectors that is linearly indepen-
dent and spans the space. If |B| = n for some n ∈ N we define the dimension of B to be
dim(B) := n. If |B| = ∞, the concept of dimension is also well defined, but the theory is
somewhat more complicated because of different “types” of infinity in mathematics. We
will not go into detail here.

2 is a basis of R2 . Another one



Example 10 We already showed that the set ( 22 ), −2
is {( 10 ), ( 01 )}.
8. VECTOR SPACES 29

Example 11 We can easily construct the basis ξn of Rn for any n:

     

 1 0 0  


  0
   
  1   0
 



0 0 0
ξn =   ,   , . . . ,   =: {e1 , . . . , en }
. .  . 
 ..   ..   .. 



 

 
0 0 1
 

We say that this is the standard or canonical basis of Rn .

Every invertible Matrix B = (bij ) !

induces a mapping from this standard basis to another
b1i
basis {b1 , . . . , bn } with bi = .. , that is, every column of the matrix B can be seen
.
bni
as the the image of one of the canonical basis vectors. Using matrix multiplication, we
have B · ei = bi .
One special class of mappings between bases are the permutations. If we just change
the order of the canonical basis vectors ei , this is called a permutation and the corre-
sponding matrix has only entries 0 or 1, exactly one 1 per row and line. For example
mapping e1 to e3 , e3 to e2 and e2 to e1 is done by
 
0 1 0
0 0 1 .
1 0 0

Such a matrix is called a permutation matrix. In algebra, permutations are sometimes

written in parentheses like (1, 3, 2) meaning to map the first element to the third, the
third element to the second and the second element to the first. This notation is also
used by sage. But be careful! The tuple (1, 3, 2) in this context – sage notation [1,3,2]
– can also mean map the first element to the first element, the second element to the
third element and the third element to the second.
8. VECTOR SPACES 30

sage: per=Permutation((1,3,2))
sage: per
[3, 1, 2]
sage: matrix(per)
[0 1 0]
[0 0 1]
[1 0 0]
sage: grelt=PermutationGroupElement([1,3,2])
sage: grelt.matrix()
[1 0 0]
[0 0 1]
[0 1 0]

One interesting thing about those permutation matrices is that their inverse is identical
with their transposed matrix:

sage: matrix(per).inverse()==matrix(per).T
True

Challenge 6 Inspired by the concept of a basis of a vector space, Alice and Bob invented
yet another cryptosystem. This time they use an encoding Ξ, which first encodes each
letter to a predefined number. This number is equal to the index of the corresponding
letter in the English alphabet. For instance, the word Bob is encoded in a number array
[ 2, 15, 2 ].
Alice and Bob carefully chose a set of private keys K, they share as common pre-
knowledge. Depending on the length of the message that should be sent, a distinct key is
used. Let’s define the key km ∈ K as the key used for encrypting messages with length
m.
Each key km is a m × m matrix, generated by the following rules:
• Each element of the matrix is either 0 or a prime number between 100 and 999.
• The row vectors of the matrix are linearly independent.
• There are exactly m numbers that are different from 0.
Now, the encryption E of a message M with length m is a straightforward procedure.
For example, let’s say that Alice encrypts this message M and sends it to Bob.
1. Alice encodes M , so she has Ξ(M ).
2. Alice encrypts the encoded message with the corresponding key km , i.e.

E(Ξ(M ), km ) = km ∗ Ξ(M ).
8. VECTOR SPACES 31

3. The message E(Ξ(M ), km ) is send via the insecure channel.

Then, the decryption D of a message E(Ξ(M ), km ) is done by Bob following those simple
steps:
1. The length of the encrypted message uniquely defines the key km Bob should use.
2. Bob constructs the decryption key dm , by substituting each greater than zero ele-
ment in the secret key km with it’s reciprocal value.16
3. Then, Bob applies the decryption, i.e. D(E(Ξ(M ), km )) = E(Ξ(M ), km ) ∗ dm .
4. Bob decodes back the decrypted message to recover the original one.
Can you verify the correctness of this encryption scheme? Why or why not this decryp-
tion works? Can you recover the following encrypted word:
(6852, 3475, 17 540, 3076, 12 217, 6383, 745, 1347, 661, 6088, 15 354, 2384, 2097, 11 415, 3143)

16
This so constructed matrix is not the inverse of km ! The matrix km can be written as a product
−1
km = P · D with a diagonal matrix D and a permutation matrix P . Then km = (P · D)−1 =
−1 −1 −1 T
D ·P = D · P . Now when we construct the matrix dm by substituting in km every nonzero
element by its reciprocal value, we have dm = P · D−1 . If we look at the transposed matrix dTm ,
we have dTm = (P · D−1 )T = (D−1 )T · P T = D−1 · P −1 = (P · D)−1 = km −1
. Instead of letting the
matrix dTm operate from the left on a column vector, we can let the matrix dm operate from the right
on a row vector, since in general for matrices A and column vectors v and b there is an equivalence
Av = b ⇔ (Av)T = bT ⇔ v T AT = bT . This corresponds to the notation from above, where in the
encryption process, E(Ξ(M ), km ) = km ∗ Ξ(M ) means km · Ξ(M ) and Ξ(M ) is treated as a column
vector while in the decryption process, dm is written on the right of E(Ξ(M ), km ), so in this case
E(Ξ(M ), km ) is treated as a row vector and E(Ξ(M ), km ) ∗ dm means E(Ξ(M ), km ) · dm .
9. LATTICES 32

9 Lattices

Now, we have all the building blocks in order to introduce the concept of lattices.

Definition 24 Let v1 , ..., vn ∈ Zm , m ≥ n be linearly independent vectors. An integer

lattice L spanned by {v1 , ..., vn } is the set of all integer linear combinations of v1 , ..., vn ,
such that:
n
( )
X
L = v ∈ Zm | v = ai vi , a i ∈ Z (6)
i=1

Remark: Linear combination means that all ai are integers. Integer lattice means that
all vij (components of the vectors vi ) are integers, and so all dots in the infinite graphic
have integer coordinates.
SageMath uses the notion of an integral lattice, which is a somewhat more compli-
cated concept. Roughly speaking, in this case the components of the vectors v1 , . . . , vn
are not restricted to Z, but can be arbitrary real numbers, while the “allowed” linear
combinations
Pn still have to be integer linear combinations, that is, the coefficients ai in
a v
i=1 i i have to be integers. Every integer lattice is an integral lattice.
The set of vectors B = {v1 , ..., vn } is called a basis of the lattice L. We also say that
L = L(B) is spanned by the vectors of the basis B.
We define the dimension of L as dim(L) := n.
In the case where n = m we can canonically construct a quadratic matrix from the
vectors of a lattice basis by writing them down row by row (or column by column). If
we denote this matrix by M , we can compute the product M · M T , which is sometimes
called the Gram matrix of the lattice. If this Gram matrix has only integer entries,
the lattice is integral. Note that for going into detail here, we would have to introduce
some more math, especially the theory of quadratic forms, symmetric bilinear forms etc.,
which are a kind of generalizition of the vector product introduced on page 15.
The example in figure 9.1a presents a 2-dimensional lattice with

Ba = {v1 , v2 } = {(1, 2), (−1, 1)} ,

while the example in figure 9.1b presents a 2-dimensional lattice with

Bb = {v1 , v2 } = {(−1, −2), (−1, −1)} .17

We can informally generalize this definition by saying that the lattice L is formed by
collecting all the points that are linear combinations of the defined basis B. In fact, the
integer lattice is just the span of a regular integer matrix.
17
Later on we show by comparing two spans of different lattices how the vectors of one basis can be
converted to another one.
9. LATTICES 33

y y

v1
v2
x O
O x
v2
v1

(a) A 2-dimensional lattice with basis Ba (b) A 2-dimensional lattice with basis Bb

Figure 9.1: Example of lattices with different basis

Let’s see how we can construct a lattice using SageMath:

sage: M = matrix(ZZ, [[1,2], [-1,1]])

sage: M
 
1 2
−1 1
Now, we can easily check if a given point (z1 , z2 ) belongs to the lattice. If (z1 , z2 ) ∈ L,
then it belongs to the span of L.

sage: vector([1,1]) in span(M)

False

sage: vector([1,2]) in span(M) # true because [1,2]=1*x+0*y

True

sage: vector([-1,2]) in span(M)

False

sage: vector([-101,5]) in span(M)

True
9. LATTICES 34

What if we want to see the exact linear combination that generates the point (z1 , z2 )?
This means we want to know how this point z is uniquely built by the given basis vectors
x=[1,2] and y=[-1,1].

sage: M.solve_left(vector([-101,5]))
(-32, 69)

And indeed:

sage: -32*M[0] + 69*M[1]

(-101, 5)

We can define the same lattice using different bases. For example, let’s introduce a
lattice M2 with the following basis:

sage: M2 = matrix(ZZ, [[1,2], [0,3]])

sage: M2
 
1 2
0 3
Now, by using the span function we can easily compare the identity of two objects
defined by different bases.

sage: span(M) == span(M2)

True

Screenshots from CT2 showing how vectors span 2-dim bases can be found in section 15.2
on page 81.

9.1 Merkle-Hellman knapsack cryptosystem

Now, let’s create another definition, before we take a look into the Merkle-Hellman
knapsack cryptosystem.

Definition 25 Any set of different nonzero natural numbers is called a knapsack. Fur-
thermore, if this set can be arranged in an increasing list, in such a way that every number
is greater than the sum of all the previous numbers, we will call this list a superincreas-
ing knapsack.18

18
See https://en.wikipedia.org/wiki/Superincreasing_sequence
9. LATTICES 35

Challenge 7 Inspired by the definition of the superincreasing knapsack, Alice and Bob
constructed another insecure own cryptosystem. Can you find the hidden word in this
intercepted message shown in the following number sequence? Hint: Is the knapsack
superincreasing? Why or why not? Each number is keeping a secret bit. (A copy-and-
paste-ready version of these numbers is also available, see page 75.)

0, 0, 1, 2, 3, 6, 12, 25, 49, 98, 197, 394, 787, 1574, 3148, 6296,
12 593, 25 185, 50 371, 100 742, 201 484, 402 967, 805 935, 1 611 870,
3 223 740, 6 447 479, 12 894 959, 25 789 918, 51 579 835, 103 159 670,
206 319 340, 412 638 681, 825 277 361, 1 650 554 722, 3 301 109 445,
6 602 218 890, 13 204 437 779, 26 408 875 558, 52 817 751 117, 105 635 502 233,
211 271 004 467, 422 542 008 933, 845 084 017 867, 1 690 168 035 734,
3 380 336 071 467, 6 760 672 142 934, 13 521 344 285 869, 27 042 688 571 737,
54 085 377 143 475

The Merkle-Hellman knapsack cryptosystem is another asymmetric cryptosys-

tem, theoretically interesting because it basically allows sending sensitive information
over an insecure channel.
It consists of two knapsack keys:
• Public key – it’s used only for encryption. It’s called hard knapsack.
• Private key – it’s used only for decryption. It consists of a superincreasing
knapsack, a multiplier and a modulus. Multiplier and modulus can be used to
convert the superincreasing knapsack into the hard knapsack.
The key generation algorithm performs the following steps:

• We first create a superincreasing knapsack W = [w1 , w2 , · · · , wn ].

• We choose an integer number q which is greater than the sum of all elements in
W , i.e.
Xn
q> wi
i=1

We define q as the modulus of our cryptosystem.

• We pick a number r, s.t.

r ∈ [1, q)
(r, q) = 1

where (r, q) is notation for the greatest common divisor (gcd) of r and q. We define
r as the multiplier of our cryptosystem.
9. LATTICES 36

• The private key of the cryptosystem consists of the tuple (W, r, q).
• We generate the sequence H = [h1 , h2 , · · · , hn ], s.t. hj = wj ∗ r mod q, for
1 ≤ j ≤ n. We define H as the public key of the cryptosystem.

If we want to encrypt a message m, we first take its bit representation Bm = m1 m2 ...mn ,

where mi denotes the i–th bit, i.e. mi ∈ {0, 1}. In order to ensure correctness of the
algorithm, our superincreasing knapsack K should have at least n elements. Let’s define
it as W = [w1 , w2 , ..., wn , ...]. Following the keys generation procedure, we generate its
corresponding public key H, i.e. H = [h1 , h2 , ..., hn , ...] with some appropriate q and r.
Then, the encryption c of m is the sum
n
X
c= mi hi
i=1

If we want to decrypt the message c, we first calculate c0 = c ∗ r−1 mod q, where r−1
is the modular inverse of r in q. Then, we start a procedure of decomposing c0 by
selecting the largest elements in W , which are less or equal to the remaining value which
is currently being decomposed. Finally, we recover m = m1 m2 ...mn by substituting mj
with 1 if the element wj was chosen in the previous step. Otherwise mj is equal to 0.
We intentionally only describe the pure algorithm as a cryptographic scheme (because of
its weakness against lattice attacks) and do not discuss practical implementation issues
like ensuring that the length of Bm is shorter or equal to the length of H or how and
when padding has to be applied.

Example 12 Let’s say that Alice wants to encrypt and send the message crypto to
Bob by using the Merkle-Hellman knapsack cryptosystem. Throughout this example all
letters are to be handled independently. So n is always 8, as each letter has a binary
representation of 8 bits.
First, Bob needs to generate his private and public key. Bob initiates the process of
creation of the private key by first generating a superincreasing knapsack W :

W = [11, 28, 97, 274, 865, 2567, 7776, 23253]

Then, Bob generates the corresponding modulus q and multiplier r:

n
X
q = 48433 > wi = 34871
i=1

r = 2333 < q
(2333, 48433) = 1
9. LATTICES 37

So, Bob composes the private key Pr = (W, r, q) :

Pr = ([11, 28, 97, 274, 865, 2567, 7776, 23253], 2333, 48433)

The final step for Bob is to generate the hard knapsack H and the public key Pu = (H)
and deliver it to Alice:

H = [25663, 16891, 32569, 9613, 32292, 31552, 27466, 4289]

Pu = ([25663, 16891, 32569, 9613, 32292, 31552, 27466, 4289])

Before encrypting the message M = crypto, Alice divides the message into single letters
and substitutes each letter with its own bit representation, i.e:

c = 01100011
r = 01110010
y = 01111001
p = 01110000
t = 01110100
o = 01101111

Now, Alice calculates for the bit representation of each letter the corresponding encrypted
number by using the public key H. So the algorithm has to be applied 6 times. Finally,
the list of encrypted numbers C of the word crypto is:

C = [81215, 86539, 95654, 59073, 90625, 145059]

When Bob receives C he first calculates C 0 by using r and q from the Pr .

C 0 = [31154, 8175, 24517, 399, 2966, 34586]

Then, by using W from Pr , he represents each element in C 0 as a sum of elements in

W , following the above-mentioned algorithm. For example, let’s decompose 31154. With
3 we will denote those elements in W which participate in the decomposition of 31154
and with 7 those which don’t. The sign * will denote the unknowns. We have:

[11, 28, 97, 274, 865, 2567, 7776, 23253]

(7)
[*, *, *, *, *, *, *, * ], 31154

The largest number in W smaller than 31154 is 23253. We mark it as an element used
in the decomposition of 31154 and we continue with the decomposition of the remaining
9. LATTICES 38

value 7901 = 31154 − 23253:

[11, 28, 97, 274, 865, 2567, 7776, 23253]

[*, *, *, *, *, *, *, 3 ], 7901

The largest element smaller than 7901 is 7776. We proceed with this algorithm until
reaching 0.

[11, 28, 97, 274, 865, 2567, 7776, 23253]

[*, *, *, *, *, *, 3, 3 ], 125
[11, 28, 97, 274, 865, 2567, 7776, 23253]
[*, *, *, *, *, 7, 3, 3 ], 125
[11, 28, 97, 274, 865, 2567, 7776, 23253]
[*, *, *, *, 7, 7, 3, 3 ], 125
[11, 28, 97, 274, 865, 2567, 7776, 23253]
[*, *, *, 7, 7, 7, 3, 3 ], 125
[11, 28, 97, 274, 865, 2567, 7776, 23253]
[*, *, 3, 7, 7, 7, 3, 3 ], 28
[11, 28, 97, 274, 865, 2567, 7776, 23253]
[*, 3, 3, 7, 7, 7, 3, 3 ], 0

So, at the end 31154 is decomposed to 01100011, which is the bit representation of the
letter c. By applying the same decrypting algorithm to all the elements of C, Bob finally
recovers the encrypted message crypto.

Challenge 8 Encrypting long messages by repeatedly using small length hard knapsack
yield some risks. In the next puzzle, you have to recover the encrypted message Alice sent
to Bob. The private and public key are different from the one generated in the previous
example. However, you know that the length of H is the same as before: n = 8. Can
9. LATTICES 39

you recover the message even without knowing the public key?

333644, 560458, 138874, 389938, 472518, 394128, 138874, 472518, 560458,

138874, 465914, 384730, 550286, 138874, 462498, 472518, 638226, 560458,
138874, 634810, 389938, 138874, 628828, 472518, 465914, 384730, 550286,
628828, 472518, 465914, 551060, 478500, 560458, 138874, 394128, 550286,
389938, 550286, 394128, 138874, 465914, 634810, 138874, 394128, 550286,
472518, 462498, 551060, 465914, 633018, 295184, 138874, 465914, 384730,
550286, 633018, 138874, 472518, 394128, 550286, 138874, 468480, 634810,
465914, 138874, 478500, 550286, 394128, 465914, 472518, 551060, 468480,
295184, 138874, 472518, 468480, 383956, 138874, 472518, 560458, 138874,
389938, 472518, 394128, 138874, 472518, 560458, 138874, 465914, 384730,
550286, 633018, 138874, 472518, 394128, 550286, 138874, 478500, 550286,
394128, 465914, 472518, 551060, 468480, 295184, 138874, 465914, 384730,
550286, 633018, 138874, 383956, 634810, 138874, 468480, 634810, 465914,
138874, 394128, 550286, 389938, 550286, 394128, 138874, 465914, 634810,
138874, 394128, 550286, 472518, 462498, 551060, 465914, 633018, 301166

A screenshot with a visualization of the Merkle-Hellman knapsack cryptosystem in JCT

can be found in fig. 15.13 on page 88.
Screenshots from CT2 about a ready-to-run lattice-based attack against the Merkle-
Hellman knapsack cryptosystem can be found in section 15.2 on page 81.

9.2 Lattice-based cryptanalysis

Encrypting a message using hard knapsack with length at least the length of the message
is far more secure, but still vulnerable. We will demonstrate this vulnerability by using
a specially designed lattice.
Having a public key with hard knapsack H and an encrypted message C, we can represent
each element of H as a vector in |H| dimensional lattice. We need |H| dimensions in order
to guarantee they form a basis of the lattice L. In order to guarantee they are linearly
independent, we just augment the transpose H to the identity matrix with dimension
|H| − 1.
As example, let’s take H with length 8:

H = [h1 , h2 , · · · , h8 ]
9. LATTICES 40

Then, the constructed lattice will have the form:

 
1 0 0 0 0 0 0 0 h1
0 1 0 0 0 0 0 0 h2 
 
0 0 1 0 0 0 0 0 h3 
 
0 0 0 1 0 0 0 0 h4 
L= 0

 0 0 0 1 0 0 0 h5 

0 0 0 0 0 1 0 0 h6 
 
0 0 0 0 0 0 1 0 h7 
0 0 0 0 0 0 0 1 h8

All the rows are linearly independent. Furthermore, we add another row in the lattice
by plugging in the encrypted number c as its last element.

1 0 0 0 0 0 0 0 h1
 
0 1 0 0 0 0 0 0 h2 
 
0 0 1 0 0 0 0 0 h3 
 
0 0 0 1 0 0 0 0 h4 
 
0
L= 0 0 0 1 0 0 0 h5 

0 0 0 0 0 1 0 0 h6 
 
0 0 0 0 0 0 1 0 h7 
 
0 0 0 0 0 0 0 1 h8 
0 0 0 0 0 0 0 0 c

Again, all the rows are linearly independent. However, we know that c is an exact
sum of some h’s. Our strategy is to find another basis of this lattice, consisting of a
vector with a last element equal to 0. Moreover, since it can be represented as a linear
combination of the vectors of the current basis, we know that this specific vector will
only have elements equal to 0 or −1. A value of 0 on column i will give us feedback that
hi doesn’t participate in the decomposition of c, while −1 indicate that hi is used in the
construction of c.
But how to find such basis? The following algorithm will help us:

Theorem 1 (Lenstra, Lenstra, Lovász. [1] [2]) Let L ∈ Zn be a lattice spanned by

B = {v1 , ..., vn }. The L3 -algorithm outputs a reduced lattice basis {v1 , ..., vn } with
n(n−1) 1
kvi k ≤ 2 4(n−i+1) det(L) n−i+1 f or i = 1, ..., n (8)

in time polynomial in n and in the bit-size of the entries of the basis matrix B.

In other words, the L3 algorithm will yield another basis on the lattice, which consists
of vectors with restrained norms defined in equation 8. The L3 algorithm is already
built-in SageMath.
9. LATTICES 41

Let’s say that Eve intercepts a message between Alice and Bob, which is encrypted with
Merkle-Hellman knapsack cryptosystem. Since everyone has access to the public key of
the cryptosystem Eve possesses it too. The intercepted message C is:

C = [318668, 317632, 226697, 388930, 357448, 297811,

344670, 219717, 388930, 307414, 220516, 281175]

The corresponding public key hard knapsack H is the vector:

H = [106507, 31482, 107518, 60659, 80717, 81516, 117973, 87697]

In order to recover the message Eve has to decrypt each element in C. For example,
let’s start with 318668. First, we need to initialize C and H:

sage: H = [106507, 31482, 107518, 60659,

80717, 81516, 117973, 87697]
sage: c = 318668

Then, we start the construction of the lattice by first constructing the identity matrix:

sage: I = identity_matrix(8)
sage: I
 
1 0 0 0 0 0 0 0

 0 1 0 0 0 0 0 0 


 0 0 1 0 0 0 0 0 


 0 0 0 1 0 0 0 0 


 0 0 0 0 1 0 0 0 


 0 0 0 0 0 1 0 0 

 0 0 0 0 0 0 1 0 
0 0 0 0 0 0 0 1
We add another row full with zeroes:

sage: I = I.insert_row(8, [0 for x in range(8)])

sage: I
9. LATTICES 42

1 0 0 0 0 0 0 0
 

 0 1 0 0 0 0 0 0 


 0 0 1 0 0 0 0 0 


 0 0 0 1 0 0 0 0 


 0 0 0 0 1 0 0 0 


 0 0 0 0 0 1 0 0 


 0 0 0 0 0 0 1 0 

 0 0 0 0 0 0 0 1 
0 0 0 0 0 0 0 0
Finally, we add the last column with H transposed and c. However, we will flip the sign
of c – this way the first vector of the reduced basis should have a last element equal to
0 and all other elements equal to 1 (instead of −1).

sage: L_helper = [[x] for x in H] # vector of vectors

sage: L_helper.append([-c])
sage: L = I.augment(matrix(L_helper))
sage: L

1 0 0 0 0 0 0 0 106507
 

 0 1 0 0 0 0 0 0 31482 


 0 0 1 0 0 0 0 0 107518 


 0 0 0 1 0 0 0 0 60659 


 0 0 0 0 1 0 0 0 80717 


 0 0 0 0 0 1 0 0 81516 


 0 0 0 0 0 0 1 0 117973 

 0 0 0 0 0 0 0 1 87697 
0 0 0 0 0 0 0 0 −318668
Now, in order to reduce the basis, we will apply the L3 algorithm19 by just calling the
SageMath LLL() function.

sage: L.LLL()

19
See https://en.wikipedia.org/wiki/Lenstra%E2%80%93Lenstra%E2%80%93Lov%C3%A1sz_lattice_
basis_reduction_algorithm
9. LATTICES 43

0 1 0 0 0 1 1 1 0
 

 −1 1 0 1 −1 −2 −2 2 1 


 3 1 2 −1 1 1 −1 1 1 


 1 −1 −2 −1 −3 −1 1 1 1 


 2 −2 −1 1 0 2 −3 1 1 


 0 0 3 −4 −2 1 0 0 0 


 −1 3 −1 3 0 0 −1 −3 2 

 0 −1 1 4 0 0 0 0 4 
−2 −1 −2 −3 1 −1 2 1 3
The first candidate (the shortest vector in the reduced basis) is the one we were looking
for:

sage: L.LLL()[0][:-1].dot_product(vector(H))
318668

So, the binary representation of the encrypted character is 01000111. By again using
SageMath, we can easily check the corresponding letter:

sage: bs = ’’.join([str(x) for x in L.LLL()[0][:-1]])

sage: bs
’01000111’

sage: chr(int(bs,2))
’G’

Challenge 9 So, G is the first letter from the recovered text. By using SageMath,
lattices and LLL algorithm, can you recover the remaining text?

Screenshots from CT2 in section 15.2 on page 81 show a visualization using the mouse
how to reduce a 2-dim basis with Gauss and a ready-to-run LLL implementation to
reduce the basis of higher-dimensional bases.
10. LATTICES AND RSA 44

10 Lattices and RSA

RSA is one of the earliest asymmetric cryptosystems. This section assumes that you are
already familiar how the RSA cryptosystem works. However, we will briefly recall the
basics of the key generation of the RSA algorithm.

10.1 Textbook RSA

• Two large distinct primes p and q are generated.

• Their product n = pq is called the modulus.
• Then, we pick a number e, s.t. e is relatively prime to φ(n).20 We define e as the
public key exponent.
• We calculate d as the modular multiplicative inverse of e modulo φ(n). We define
d as the private key exponent.
• The pair (n, e) forms the public key.
• The pair (n, d) forms the private key.

In order to avoid some known attacks to RSA, we need to choose our parameters wisely.
Some of the requirements and recommendations are available in [3].
Now, let’s encrypt the word “asymmetric” using SageMath and the RSA cryptosys-
tem. First, we need to think of encoding strategy, i.e. translating strings to numbers.
Throughout this section, we will use the following encoding procedure:
• Let’s denote the string to be encoded as S = s1 s2 · · · sn .
• We replace each symbol si in the string to it’s decimal ascii code representation.
For example, the symbol “g” is replaced with “103”.
• Then, each decimal ascii code is replaced with it’s binary representation. For re-
versibility purposes, while the length of the binary representation is less than 8,
we append at the beginning as many 0 as needed. For example, the binary repre-
sentation of “103” is “1100111”. However, the length of the binary representation
is 7, so we append one more zero at the beginning to get “01100111”.
• Finally, we convert S to decimal integer.

20
φ(n) denotes the Euler’s totient function. Since p and q are primes, we have φ(n) = (p − 1)(q − 1)
10. LATTICES AND RSA 45

For example, let’s encode the word “asymmetric”. First, we replace each symbol of S
with its corresponding decimal ascii value:

sage: S = "asymmetric"
sage: S_ascii = [ord(x) for x in S]
sage: S_ascii
[97, 115, 121, 109, 109, 101, 116, 114, 105, 99]

Now, we continue by replacing each element in S ascii by it’s binary-padded equivalent:

sage: S_bin = [bin(x)[2:].zfill(8) for x in S_ascii]

sage: S_bin

01100001, 01110011, 01111001, 01101101, 01101101,

01100101, 01110100, 01110010, 01101001, 01100011
Finally, we concatenate all the elements in S bin and convert it to a decimal number:

sage: SS = Integer(’’.join(S_bin),2)
sage: SS
460199674176765747685731

For checking the reversibility of the encoding procedure, let’s decode the result back:

sage: SS_bin = bin(SS)[2:]

sage: while len(SS_bin) % 8 != 0:
....: SS_bin = ’0’ + SS_bin
sage: SS_ascii = [chr(int(SS_bin[x*8:8*(x+1)],2))
....: for x in range(len(SS_bin)/8)]
sage: ’’.join(SS_ascii)
’asymmetric’

When we are ready with the encoding procedure, we initialize the RSA parameters
generation step. It’s time to generate p, q and n:

sage: b = 512
sage: p = random_prime(2**b-1, lbound=2**(b-1)+2**(b-2))

With the previous example we generated a random prime number contained in the
interval 2b−1 + 2b−2 , 2b − 1 . Let’s say we have two prime numbers in this interval, i.e.:

p = 2b−1 + 2b−2 + ρ1

q = 2b−1 + 2b−2 + ρ2
10. LATTICES AND RSA 46

for some ρ1 and ρ2 . Then, when we multiply them we will have:

p · q = (2b−1 + 2b−2 + ρ1 )(2b−1 + 2b−2 + ρ2 ) =

= 22b−2 + 22b−3 + 2b−1 ρ2 + 22b−3 + 22b−4 +
+ 2b−2 ρ2 + ρ1 2b−1 + ρ1 2b−2 + ρ1 ρ2 =
= 22b−2 + 2 · 22b−3 + Ω =
= 22b−2 + 22b−2 + Ω =
= 2 · 22b−2 + Ω = 22b−1 + Ω > 22b−1

This guarantees that the bit length of their multiplication is 2b.

sage: p.nbits()
512

The method nbits() returns the bit length of a number.

sage: q = random_prime(2**b-1, lbound=2**(b-1)+2**(b-2))

sage: N = p*q
sage: N.nbits()
1024

It’s time to choose the public exponent e. Common choice of value of e is 216 + 1.

sage: e = 2**16 + 1
sage: e
65537

SageMath has a built-in function euler_phi(). However, if we directly type euler_phi(N),

SageMath will try to factor N.

sage: phi_N = (p-1)*(q-1)

Now, having φ(n) we can calculate d by using the built-in function inverse_mod():

sage: d = inverse_mod(e,phi_N)

Let’s assure that ed ≡ 1 mod φ(n):

sage: e*d % phi_N

1
10. LATTICES AND RSA 47

We are ready to encrypt the encoding SS of the message “asymmetric”. The encryption
can be directly calculated by using SS**e%N. However, we will use the built-in function
power_mod(), which is considerably faster than the direct calculation.

sage: encrypted = power_mod(SS,e,N)

In order to decrypt the message:

sage: decrypted = power_mod(encrypted,d,N)

sage: decrypted
460199674176765747685731

Challenge 10 Alice and Bob again decided to use their own encoding scheme and RSA
implementation to secure their communication. The used encoding scheme is pretty
straightforward – Alice translates each letter from the plaintext to its decimal ascii rep-
resentation. In this way, Alice sends as many encrypted messages as the length of the
original unencrypted message.
This scheme has one major drawback – when large plaintexts are encrypted, the collection
of the intercepted encrypted messages are vulnerable to frequency analysis attacks. To
get around this, Alice and Bob renew their RSA keys when a threshold of sent messages
is reached.
However, they made another mistake. The RSA public key is:
N = 68421763258426820318471259682647346897299270457991365227523187215179279
93776878211790146955615938091152726743120686152933384202585716854144646470442
80508081145003017193806309189089357804891172726923520981641104138226426702986
57847312225801755784399864594975116547815856011474793429956418177277806187836
101061
e = 127
Eve intercepted the following 11 messages (sent in this order):
c1 = 20842273115788965044434568911351496365025941709963878891654635864614247
25059541533787767041288429738064580955622451305616498186131307715129465784375
45536576877295737412743269079289912212463717642252956693458647654491632543974
2396928355234712078183
c2 = 20893454506753506195646780042379588087816651548061669824679147298111722
46521053196269736493675888244684173898988722302290793814087306806212626014865
44038910178129194905885355015942356215299224086980857408596226394217331686336
2277246322130097359903249313
c3 = 15351988337964905099701960376347076532439043589617467841763029200910162
25867008339499789389756629361807066970996087640185785892959509059061040916309
10. LATTICES AND RSA 48

82529066789402703485786453670870793472161292337901735432249537804080402136934
90500724979084761978285646999197843456
c4 = 27904208858505919506689042950498726643957813119400643293322771534900822
43092358584878184845560361208122657510080122657048421202659485825208921784032
88379067082760163061148428972365747014347422463111426643282478901705205928511
61647470983489359620795002699
c5 = 14562438053393942865563565506076319964337086564418653275680839364685346
35834826387270812896842341268168773581646273040911274525651721561895389722762
72568985334548580452979319583763949556104718677562444987251916556842741346577
00794939801031701760045360349184
c6 = 37370666535363066168961624931547694539547602092327751979114535130065929
11544853295308247797277717029030440472567012693658669860452964879358165926306
09705469382599448389529111704782654486148224951776772202527043405452517854349
55476627944717241828329
c7 = 57018830572739461491984788995673407709179639540390781558806685226845173
00158225274094629999215259149699283194431626990778523591567618587926423246578
36728763420346368859823437648126969582351550608121196862632026728341156577890
06658553081283546825372990992701071
c8 = 45667206025566800148122417818312587397117202643844088800399634507595677
53981253180438980063337356363520302653029580826718653786950185499999758581316
56104599450993230414498900762580089539033609899986220988174975272614559184976
90247104725594122565082035057621175773
c9 = 16862273135393186478865050591393354467469966242203319758781467127096457
94810888946761963350628222465151134851313061316471360362284419753231478405415
98536447723972579574310778871467128935482251020376648105571007577805771225894
0862586529599570943303841410139029504
c10 = 3418491651580535268325058631927829312241628227597886128328917486594860
26106737910383076021602844922593096922368623753010447251025423582399396141954
45946828676877046447283198287558063565991815659276510974935030424657301835847
3129678989
c11 = 5112410579669852183534608382871115572785704026088086397778432135886054
19098258110942799596774222498729431095652955025535198037264822351140404848680
83820518213957229951896984714307442480128197133794284384933664621660968181357
52055667353488388471305370330810546875
Can you decrypt each of these messages and reconstruct the original message?

Screenshots from CT1 about a ready-to-run implementation of an attack against text-

book RSA can be found in section 15.1 on page 77.
10. LATTICES AND RSA 49

10.2 Lattices versus RSA

In [4] and [5] a whole new family of attacks on RSA are published – attacks which are
using lattices and lattice reduction algorithms.
As we showed earlier, it is easy to to find the roots of a polynomial in a single variable
over the integers. However, finding the roots of a modular polynomial is hard, i.e:

f (x) ≡ 0 mod N

Let’s denote N as a large composite integer of unknown factorization, and let’s have an
univariate integer polynomial (a polynomial in a single variable) f (x) with degree n, i.e:

f (x) = xn + an−1 xn−1 + an−2 xn−2 + · · · + a1 n + a0

Furthermore, suppose there is an integer solution x0 for the modular equation f (x) ≡ 0
1
mod N , s.t. x0 < N n . D. Coppersmith showed how we can recover this value in
polynomial time by using the following theorem of Howgrave-Graham:

Theorem 2 Let g(x) be an univariate polynomial with n monomials (a polynomial with

just one term) and m be a positive integer. If we have some restraint X and the following
equations hold:
g(x0 ) ≡ 0 mod N m , |x0 | ≤ X (9)
Nm
||g(xX)|| < √ (10)
n

then g(x0 ) = 0 holds over the integers.

The reasoning to use lattices:
• If we have some polynomials, which share the same root x0 over N m , we can
represent each of them as a row from a lattice. Then, each linear combination of
rows from the lattice will yield another polynomial having a root x0 .
• Then, by using the LLL algorithm on the specially designed lattice, in polynomial
time we can find another reduced lattice basis, such that the norm of the shortest
vector from the reduces basis will successfully satisfy the inequality in 10.
• Let’s define the shortest vector in the reduces basis as v = (v0 , v1 , · · · , vn ). We
construct the polynomial g(x), s.t.:
v1 v2 vn
g(x) = v0 + x + 2 x2 + · · · + n xn
X X X
10. LATTICES AND RSA 50

Since g(x) is on the lattice, we know that

g(x0 ) ≡ 0 mod N m
|x0 | ≤ X
deg(g) = n
Nm
||g(xX)|| < √
n+1

Following the results from theorem 2 we can conclude that g(x) = 0 holds over the
integers.
We can easily create polynomials sharing the same root x0 over N m . Consider the family
of polynomials gi,j (x), s.t:

gi,j (x) = xj N m−i f i (x)

0≤i<m
0 ≤ j < deg(f )

By design, they all share the same root x0 over N m , i.e. gi,j (x0 ) ≡ 0 mod N m . The
greater the value of m is, the more polynomials we can construct. The more polynomials
we constructed, the bigger the lattice is and the greater the time to reduce the lattice
will be.
Now, imagine Eve intercepted a set of messages in plaintext between Alice and Bob.
The messages were:

The password for AES usage is: 4{8dXY!

The password for AES usage is: 31kTbwj
The password for AES usage is: 2rr#ETh
···
The password for AES usage is: &H,45zU

Then, Alice and Bob start exchanging files encrypted with AES using the communicated
password. If new password is received, they immediately start using it. However, they
realized that this is totally insecure and increased their security by using RSA.
They were using the same encoding procedure demonstrated at the beginning in this
section. As we showed, the word asymmetric is encoded to the decimal number
460199674176765747685731.
Let’s say Alice wants to send an RSA encrypted string message s to Bob. She first
encodes it to the decimal integer m. Then, she encrypts it by using Bob public key
(N, e), i.e. c = (me ) mod N and sends the encrypted message c through the insecure
10. LATTICES AND RSA 51

channel. Bob recovers the original message by using his private exponent, i.e. cd = m
mod N .
The public key of Bob has parameters (N, 3), where the bit length of N is 512. The pre-
dictive nature of the message (popular as stereotyped messages) can lead to devastating
attack. Eve knows that the structure of the string message S 0 is:

S 0 = ”The password for AES usage is: C1 C2 · · · C7 ”

for some characters Ci . Before encrypting, Alice has to translate each character to its
ascii binary string representation. Let’s denote the binary translating function as T1 (A)
for some character or string A, i.e. T1 (”xy”) = T1 (”x”)||T1 (”y”), where symbol || denotes
the symbol for concatenation of strings.
Having this in mind, we can write down:
T1 (S 0 ) = T1 (”The password for AES usage is: ”)||T1 (”C1 C2 · · · C7 ”)
After this translation, Alice reads the final binary string as a decimal number. Let’s
denote this function as T2 (S 0 ).
Each ascii decimal representation of Ci is in the interval [0, 255]. Let’s denote as C00 the
symbol with ascii decimal representation 0, and as Cf f the symbol with ascii decimal
representation 255. For simplicity, let’s denote

B = ”The password for AES usage is: ”

Having the encoding procedure in mind, we can conclude that:

T2 (T1 (B||C00 C00 · · · C00 )) <

< T2 (T1 (B||C1 C2 · · · C7 )) <
< T2 (T1 (B||Cf f Cf f · · · Cf f ))

Let’s introduce two new variables: a and X, s.t.:

a = T2 (T1 (B||C00 C00 · · · C00 ))

X = T2 (T1 (Cf f Cf f · · · Cf f ))

We are looking for such x, s.t.

(a + x)3 ≡ c mod N

or
(a + x)3 − c ≡ 0 mod N
10. LATTICES AND RSA 52

In fact, x is denoting the difference between T2 (T1 (C1 C2 · · · C7 )) and

T2 (T1 (C00 C00 · · · C00 )).
Let’s stop for a while and implement the current polynomial by using SageMath. First,
we introduce the function encode() – it is an equivalent to T2 (T1 (m)). Here is a sample
how to call this function and what it outputs: encode(”A”): 65, encode(”AB”): 16706,
encode(”ABC”): 4276803.

sage: def encode(m):

....: return Integer(’’.join([bin(ord(x))[2:].
....: zfill(8) for x in m]),2)

We introduce the expected starting characters of the encrypted message.

sage: B = "The password for AES usage is: "

Now, we plug-in the values of C00 C00 · · · C00 and Cf f Cf f · · · Cf f .

sage: padding = ’’.join([’\x00’ for x in range(7)])

sage: X_str = ’’.join([’\xff’ for x in range(7)])

We continue by calculating the values of a and X:

sage: a_str = B + padding

sage: a_const = encode(a_str)
sage: X_const = encode(X_str)

In order to illustrate the attack better, we will construct a multivariate polynomial over
the integer ring, instead of a univariate.

sage: R.<X,N,a,c> = ZZ[]

Now, we are ready to construct the polynomial f (X):

sage: f = (X+a)**3 - c
sage: f
X^3 + 3*X^2*a + 3*X*a^2 + a^3 - c

We don’t know x0 . However, we know a good upper limit for x0 , i.e. x0 < X. Since
e = 3, the degree of our polynomial is 3. For this particular case, let’s fix m with the
smallest possible value, i.e. m = 1:
10. LATTICES AND RSA 53

sage: f.degree()
3
sage: m = 1

Our lattice will be with dimension 4 - we have exactly 3 polynomials gi,j , as well as the
final polynomial f .

sage: dim = 4
sage: M = matrix(dim,dim)

Now, we start the construction of the polynomials accordingly. Following the strategy
of the construction of the lattice, we need to define the following lattice:
 
N 0 0 0

 0 NX 0 0 
 0 0 NX 2 0 
a3 − c 3a2 X 3aX 2 X 3
For achieving this, we first need to define the helper function get_ext_monoms(). It will
help us to extract all the monomials from a given polynomial, but with the coefficients
included.

sage: def get_ext_monoms(ff):

....: ff_m = ff.monomials()
....: ff_coefs = [ff.monomial_coefficient(x) for x in ff_m]
....: ff_monoms_ext = [ff_m[x]*ff_coefs[x]
....: for x in range(len(ff_m))]
....: return ff_monoms_ext

For example:

sage: get_ext_monoms(f)
[X^3, 3*X^2*a, 3*X*a^2, a^3, -c]

However, there is an issue here – a3 and c are treated as separated monomials. That’s why
we should apply a final substitution right before calling the function get_ext_monoms():
10. LATTICES AND RSA 54

sage: for i in range(m):

....: for j in range(e):
....: g = X**j * N**(m-i) * (f**i)
....: g = g.subs({N:N_const, a:a_const})
....: g_monoms_ext = get_ext_monoms(g)
....: for monom in g_monoms_ext:
....: row_pos = e*i+j
....: column_pos = monom.degree()
....: M[row_pos,column_pos] = monom.subs({X:X_const})

Finally, we append the final row of the lattice – the polynomial f itself:

sage: fg = f**m
sage: fg = fg.subs({N:N_const, a:a_const})
sage: fg_monoms_ext = get_ext_monoms(fg)
sage: for fg_monom in fg_monoms_ext:
....: pos = fg_monom.degree()
....: M[dim-1, pos] = fg_monom.subs({X:X_const})

Our lattice is ready. We can initiate the lattice reduction algorithm:

sage: B = M.LLL()

The shortest vector B[0] in our reduced basis holds the coefficients we need in order
to construct the polynomial g over the rational ring. We can easily construct it using
SageMath:

sage: R.<x> = QQ[]

sage: Q = sum([B[0][i]*(x**i)/(X_const**i) for i in range(dim)])

Following theorem 2 the last polynomial should have a solution over the integers. And
indeed:

sage: sol = Q.roots(ring=ZZ)[0][0]

sage: type(sol)
<type ’sage.rings.integer.Integer’>

Now, let’s define another helper function decode(), which will translate back an encoded
message Z, i.e. T1−1 (T2−1 (Z)):
10. LATTICES AND RSA 55

sage: def decode(n):

....: nn = str(bin(n)[2:])
....: while len(nn) % 8 != 0:
....: nn = ’0’ + nn
....: return ’’.join([chr(int(nn[x*8:8*(x+1)],2))
....: for x in range(len(nn)/8)])

Our final step is to just decode the solution:

sage: decode(sol)

Challenge 11 Eve inspected the public key of Bob and intercepted the encrypted mes-
sage c:
N = 87105263120665488502276714807618005091167547295414522403403858260445937
97820258419597692701154128696972650359076718923667674207764635845821959411262
760499
e=3
c = 533247982598794633956287465571096863623160823801198491330126244714226132
25752245493713055662721650611249304697332495775034762824144533122780929199516
4455
As an exercise, can you recover the original message by using the lattice attack provided
above?

Challenge 12 Soon after Eve’s successful lattice-reduction attack, Alice and Bob had
been aware of the insecure scheme they are using to encrypt their correspondence. How-
ever, they thought that this was possible because they were using too short passwords.
They increased the passwords from a length of 7 to a length of 13.
The public key of Bob was left intact. The newly intercepted message c is:
c = 748758986280819242952309588632327379932656416576622148476384836034880068
86812559351998510022388544254768721487918947883514843899598628979968735140562
82948

Can you recover the newly exchanged password? Here are some things to consider:
• First let’s try with m = 1. Why the attack fails?
• Now, let’s try with m = 2. The dimension of the new lattice will be em + 1.
10. LATTICES AND RSA 56

• The polynomial f is always the same. However, we need more helper polynomials
gi,j in order to construct our bigger lattice. At then end, you should construct the
following lattice:
N2
 
0 0 0 0 0 0
 0 N 2X 0 0 0 0 0 
2 2
 

 0 0 N X 0 0 0 0 


 N (a3 − c) 3N a2 X 3N aX 2 N X3 0 0 0 


 0 N (a3 − c)X 3N a2 X 2 3N aX 3 N X4 0 0 

 0 0 N (a3 − c)X 2 3N a2 X 3 3N aX 4 N X 5 0 
f0 f1 f2 f3 15a2 X 4 6aX 5 X 6

f0 = (a3 − c)2
f1 = 6a2 (a3 − c)X
f2 = a(15a3 − 6c)X 2
f3 = (20a3 − 2c)X 3

Challenge 13 For the next stereotype challenge, you have the following parameters:
N = 11225354852531229312705821542018938144842129865964887302659527454109100
72681138663483074618935128265451387560973724847297085037894275160093985827338
65515455177790394159554613094757808985408328307994023228782530102763869568783
56093590307746836948987210933431011897995020707110828021962036273746776030822
7448837
e=7
c = 106706540962449303066961088771648119758177846211060908301336144240289688
37154232320341636292740214826278191136787096724376919541317293439292857379222
72207153114174438757138142540189592431327528606195874021248932484514678389202
73794758310827554392841573679450441556883666302722319029010463140829183505391
092171
This time, the degree of the polynomial f is 7. You need to try different values of m in
order to construct a large enough, but still compact lattice.

Screenshots from CT1 and CT2 about ready-to-run lattice-based implementations of

attacks against RSA can be found in section 15.1 on page 77 and in section 15.2 on
page 81.
11. LATTICE BASIS REDUCTION 57

11 Lattice Basis Reduction

A given lattice has infinitely many different bases. The main goal of lattice basis reduc-
tion is to find (by using some lattice basis as an input) a basis that consists of short
vectors, or, equivalently, a basis consisting of vectors that are pairwise nearly orthogonal.
Thus, the reduced basis may lead to a solution of an underlying problem, like breaking
a knapsack cryptosystem, as we have already shown in section 9.2 on page 39.
Let’s first introduce the notion of Gram-Schmidt orthogonalization named after the
mathematicians Jørgen Pedersen Gram and Erhard Schmidt.

Definition 26 With an ordered lattice basis b1 , · · · , bm ∈ Rn we associate the Gram-

Schmidt orthogonalization b̂1 , ..., b̂m ∈ Rn which can be computed from b1 , · · · , bm together
b ·b̂
with the Gram-Schmidt coefficients µi,j = i j by the recursion b̂1 = b1 , b̂i = bi −
b̂j ·b̂j
Pi−1
j=1 µi,j b̂j for i = 2, ..., m.
Let span(b1 , ..., bi−1 )⊥ be the set of all vectors orthogonal to span(b1 , ..., bi−1 ), i.e.
i−1
X
span(b1 , ..., bi−1 )⊥ = {v ∈ Rn |v · xj bj = 0 ∀xj ∈ R}.
j=1

The orthogonal projections of vectors bj to span(b1 , ..., bi−1 )⊥ are named πi

πi : Rn → span(b1 , ..., bi−1 )⊥ , πi (bj ) := jt=i µj,t b̂t , i = 1, · · · , m.
P

We have µi,i = 1 and µi,j = 0 for i < j. If the basis b1 , · · · , bm is integral, then the
vectors b̂1 , · · · , b̂m and the Gram-Schmidt coefficients are rational. We can write the
above equations in matrix notation as:

(b1 , · · · , bm ) = (b̂1 , · · · , b̂m )(µi,j )T1≤i,j≤m

Definition 27 The i-th successive minimum λi of a lattice L is defined as the mini-

mum radius r ∈ R of a n-dimensional sphere B with center 0 that contains i linearly
independent lattice vectors:

λi (L) = min{r|dim(spanL ∩ Br,0 ) ≥ i}.

Obviously λ1 is the norm of the shortest nonzero lattice vector.

One of the strongest notions of lattice reduction is based on the work of Hermite [7],
Korkine and Zolotarev [8, 9, 10]:
11. LATTICE BASIS REDUCTION 58

Definition 28 A lattice basis b1 , ..., bm is called reduced in the sense of Hermite, Korkine
and Zolotarev or short HKZ-reduced if the following holds:
1. |µi,j | ≤ 21 for 1 ≤ j < i ≤ m,
2. ||b̂i || = λ1 (L(πi (bi ), ..., πi (bm )) for 1 ≤ i ≤ m.

The first vector of any HKZ-reduced lattice basis is a shortest lattice vector.
Let’s take a look at two-dimensional lattices where we can easily find a shortest lattice
vector with respect to the Euclidean norm by using the Gauss reduction algorithm.
The process is similar to the process of calculating the greatest common divisior of two
integers by applying the Euclidean algorithm.

Input: lattice basis {a, b}

REPEAT  
a·b
{a, b} = {b − ∗ a, a}
a·a
UNTIL ||a|| ≤ ||b|| ≤ ||a − b||
Output: Gauss reduced lattice basis {a, b}

For any real number x, dxc denotes the closest integer, i.e. dxc = bx + 0.5c.

Example 13 Let’s run the Gauss reduction algorithm on a basis B = {a, b} = {(1, 7), (−1, 1)}
of a given lattice L in Z2 .
Input: Lattice basis {a, b} = {(1, 7), (−1, 1)}
 
a·b
{a, b} = {b − · a, a}
a·a
 
(1, 7) · (−1, 1)
= {(−1, 1) − · (1, 7), (1, 7)}
(1, 7) · (1, 7)
 
6
= {(−1, 1) − · (1, 7), (1, 7)}
50
= {(−1, 1), (1, 7)}
√ √
Since ||b|| = 50 > 40 = ||a − b|| we need to run another iteration:
11. LATTICE BASIS REDUCTION 59

 
a·b
{a, b} = {b − · a, a}
a·a
 
(−1, 1) · (1, 7)
= {(1, 7) − · (−1, 1), (−1, 1)}
(−1, 1) · (−1, 1)
 
6
= {(1, 7) − · (−1, 1), (−1, 1)}
2
= {(1, 7) − 3 · (−1, 1), (−1, 1)}
= {(4, 4), (−1, 1)}

√ √
Now ||a|| = 32 > 2 = ||b|| and we need another iteration:

 
a·b
{a, b} = {b − · a, a}
a·a
 
(4, 4) · (−1, 1)
= {(−1, 1) − · (4, 4), (4, 4)}
(4, 4) · (4, 4)
 
0
= {(−1, 1) − · (−1, 1), (4, 4)}
32
= {(−1, 1), (4, 4)}

√ √ √
Since ||a|| = 2< 32 = ||b|| < 34 = ||a − b||, the algorithm ends.
Output: {a, b} = {(−1, 1), (4, 4)}
(−1, 1) is a shortest non-zero vector in L and (4, 4) is a shortest vector of L that is linear
independent from (−1, 1)

In hgher dimensions the calculation of an HKZ-reduced bases (see page 58) is very
inefficient (no polynomial time algorithm is known) we define a hierarchy of notions that
approximate HKZ-reduced bases in reasonable time.

Definition 29 An ordered lattice basis b1 , · · · , bm ∈ Rn is called size-reduced if |µi,j | ≤

1 1
2 for 1 ≤ j < i ≤ m. An individual basis vector bi is size-reduced if |µi,j | ≤ 2 for
1 ≤ j < i.

A size reduced lattice basis consists of vectors that are almost orthogonal to each other.
In 9.2 we already used the LLL algorithm in SageMath in order reduce a basis and solve
a knapsack (see 41). We now give a formal definition of LLL-reduction as well as the
details of the algorithm as this is used as a subroutine in further algorithms described
later in this chapter.
11. LATTICE BASIS REDUCTION 60

Definition 30 Let δ be a constant, 0 < δ ≤ 1. We call a basis b1 , ..., bm ∈ Rn LLL-

reduced with δ if it is size-reduced, s.t.

δ||b̂k−1 ||2 ≤ ||b̂k + µk,k−1 b̂k−1 ||2 for k = 2, · · · , m

The two algorithms for calculating respectively the ordered lattice basis and LLL-reduced
δ basis, are summarized below.

Algorithm for size reduction of basis vector bk

Input: b1 , ..., bm ∈ Rn (lattice basis)
µi,j for 1 ≤ j < i ≤ m its Gram-Schmidt coefficients)
FOR j = k − 1, ..., 1
IF |µk,j | > 21 THEN
bk := bk − dµk,j c bj
FOR i = 1, ..., k − 1 DO µk,i := µk,i − dµk,j c µj,i
END IF
END FOR j
Output: b1 , ..., bm ∈ Rn (lattice basis where bk is size-reduced)
µi,j for 1 ≤ j < i ≤ m (its Gram-Schmidt coefficients)
11. LATTICE BASIS REDUCTION 61

Algorithm for LLL reduction

Input: b1 , ..., bm ∈ Rn (lattice basis), δ with 0 < δ ≤ 1.
1. k := 2 (k is the stage; when entering stage k, the basis b1 , ..., bk−1
is already LLL-reduced with δ, the Gram-Schmidt coefficients
µi,j are calculated for 1 ≤ j < i < k
as well as the normsquares ci = ||b̂i ||22 for i = 1, ..., k − 1)
2. WHILE k ≤ m
FOR j = 1, ..., k − 1 P
µk,j := (bk · bj − j−1i=1 µj,i µk,i ci )/cj
Pk−1
ck := bk · bk − j=1 µk,j cj
3. (size-reduce bk )
FOR j = k − 1, ..., 1
µ := dµk,j c
FOR i = 1, ..., j − 1
µk,i := µk,i − µµj,i
µk,j := µk,j − µ
bk := bk − µbj
4. IF δck−1 > ck + µ2k,k−1 ck−1
THEN exchange bk and bk−1
k := max(k − 1, 2)
ELSE k := k + 1
END WHILE
Output: basis b1 , ..., bm which is LLL-reduced with δ
Gram-Schmidt coefficients µi,j for 1 ≤ j < i ≤ m
normsquares ci = ||b̂i ||22 for i = 1, ..., m

In practice, replacement of step 4 with the deep insertion rule proposed by Schnorr and
Euchner [11] proofed to be more efficient (by still being polynomial in n, m and input
length) for any fixed value t:
11. LATTICE BASIS REDUCTION 62

4. (t deep insertions)
c := ||bk ||22 , T :=min(t, k − 1), i := 1
WHILE i < T
IF δci > c
THEN (b1 , ..., bk ) := (b1 , ..., bi−1 , bk , bi , ..., bk−1 )
k := max(i − 1, 2)
GOTO 2.
ELSE c := c − µ2k,i ci
i := i + 1
END WHILE
IF δck−1 > ck + µ2k,k−1 ck−1
THEN exchange bk and bk−1
k := max(k − 1, 2)
ELSE k := k + 1

Furthermore, Schnorr and Euchner [11] invented the notion of blockwise Korine Zolotarev
reduced bases with block size β. For a lattice basis b1 , ..., bm and β = 2 the notion is
equivalent to LLL-reduced basis and it is equivalent to the notion of HKZ reduced bases
for β = m.

Definition 31 Let β ≥ 2 be an integer and δ ∈ (0, 1] be real. A basis b1 , ..., bm of a

lattice L ⊂ Rn is called (β, δ)− block reduced21 , if the following holds for i = 1, ..., m:
1. |µi,j | ≤ 21 for all j < i,
2. δ||b̂i ||2 ≤ λ21 (L(πi (bi ), ..., πi (bmin(i+β−1,m ))).

Although there is no proven polynomial bound for the number of operations of any
algorithm √ to calculate a (β, δ)- block reduced basis for β > 2 (except for β = 3 and
1 1
δ ∈ [ 2 , 2 3), see [13]) the following algorithm proved to be efficient in practice for small
bock sizes (β ≤ 30). Its core component is the enumeration algorithm ENUM(j,k) which
finds an integer, non-zero minimum (uj , ..., uk ) of
k
X
cj (ũj , ..., ũk ) := ||πj ( ũi bi )||22 , (ũj , ..., ũk ) ∈ Zk−j+1 (11)
i=j

Before going into the details of ENUM(j,k) let’s have a look at the block reduction
algorithm below. It cyclically iterates over all positions j, ensures that the basis is size-
reduced and enforces δ||b̂j ||2 ≤ λ21 (L(πj (bj ), ..., πj (bmin(j+β−1,m ))) until this holds for all
j:

21
in the literature, also the notion of BKZ-reduced bases is used for block reduced bases
11. LATTICE BASIS REDUCTION 63

Algorithm for (β, δ) block reduction

Input: basis b1 , ..., bm ∈ Rn of L, β ∈ N, 2 ≤ β ≤ m, δ ∈ R, 0 ≤ δ ≤ 1
1. LLL-reduce b1 , ..., bβ , j := m, z := 0
2. WHILE z < m − 1
j := j + 1, IF j = m THEN j := 1
k :=min(j + β − 1, m)
ENUM(j,k) (this enumeration outputs integer coefficients
(uj , ..., uk ) of a lattice vector bnew = ki=j ui bi and
P
j
c̄j := ||πj (bnew
j )||2 = λ21 (L(πj (bj ), ..., πj (bk ))))
h :=min(k + 1, m)
IF c̄j < δcj
THEN extend b1 , ..., bj−1 , bnew j to a basis
new new
b1 , ..., bj−1 , bj , ..., bk , bk+1 , ..., bm of L
LLL-reduce b1 , ..., bnew h
z := 0
ELSE LLL-reduce b1 , ..., bh
z := z + 1
END WHILE
Output: (β, δ) block reduced basis b1 , ..., bm

The extension of b1 , ..., bj−1 , bnew

j to a basis b1 , ..., bj−1 , bnew
j , ..., bnew
k , bk+1 , ..., bm of L is
done with the following algorithm:

Algorithm BASIS
Input: basis b1 , ..., bm , (uj , ..., uk )
1. bnew = ki=j ui bi
P
j
2. g := max{t : j ≤ t ≤ k, ut 6= 0}
3. WHILE |ug | > 1
i := max{t : j ≤ t < g : ut 6= 0}
q := dug /ui c
ui := ug − q · ui
ug := uold
i
bg := q · bg + bi
bi := bold
g
4. FOR i = g, ..., j + 1 bi := bi−1
5. bj := bnew
j
Output: b1 , ..., bm

By introducing the naming conventions c̃t := ||πt ( ki=t ũi bi ||2 and ct := ||b̂t ||2 = ||πt (bt )||2 ,
P

we get c̃t = c̃t+1 + (ũt + ki=t+1 ũi µi,t )2 ct . For fixed ũt+1 , ..., ũk ) we can easily enumer-
P
ate all
l integers ũt , s.t.
k corresponding values of c̃t are non-decreasing, starting with
Pk
ũt = − i=t+1 ũi µi,t . The following (basic) variant of algorithm ENUM traverses the
11. LATTICE BASIS REDUCTION 64

resulting search tree in depth-first search order. Other variants (e.g. traversing the tree
in breadth-first search order or incomplete - pruned - traversals) are given in [13].

Algorithm ENUM(j,k)
Input: j, k, ci for i = j, ..., k and µi,t for j ≤ t < i ≤ k
1. s := t := j, c̄j := cj , ũj := uj := 1,
vj := yj := ∆j := 0, δj := 1,
FOR i = j + 1, ..., k + 1
c̃i := ui := ũi := vi := yi := ∆i := 0, δi := 1
2. WHILE t ≤ k
c̃t := c̃t+1 + (yt + ũt )2 ct
IF c̃t < c̄j
THEN IF t > j
THEN t := t − 1, yt := si=t+1 ũi µi,t ,
P
ũt := vt := d−yt c , ∆t := 0
IF ũt > −yt
THEN δt := −1
ELSE δt := 1
ELSE c̄j := c̃j , ui := ũi for i = j, ..., k
ELSE t := t + 1
s :=max(s, t)
IF t < s THEN ∆t := −∆t
IF ∆t δt ≥ 0 THEN ∆t := −∆t + δt
ũt := vt + ∆t
END WHILE
Output: (uj , ..., uk ), c̄j

11.1 Breaking knapsack cryptosystems using lattice basis reduction

algorithms

For given natural numbers n, a1 , ..., an and s, Pan knapsack problem consists of either find-
n
ing a vector (x1 , ..., xn ) ∈ {0, 1} such that i=1 xi ai = s or to prove that no such solu-
tion exists. x = (x1 , ..., xn ) is called a solution of the knapsack problem (n, a1 , ..., an , s).
As the corresponding decision problem is NP-complete, several cryptosystems based on
the knapsack problem were proposed. In section 9.1 we already described and attacked
the Merkle-Hellman knapsack cryptosystem. In the following we sketch the attacks on
cryptosystems proposed by Chor and Rivest [14] and by Orton [15].
11. LATTICE BASIS REDUCTION 65

Breaking the Chor-Rivest cryptosystem

Chor and Rivest construct n special

Pn weights ai and code a binary message x = x1 ...xn
with q 1s and n − q 0s by s := i=1 xi ai . Let’s have a look at the following lattice basis
B:
1 q q ... q n2 s n2 q
   
b1
   0 n 0 ... 0 n2 a1 n2 
  
0 n2 a2 n2 

 ..
B :=  .  :=  0 0 n
 

 . .. .. .. .. .. 
 ..
 
  . . . . . 
bn+1 0 ... n n 2 an n2

Any lattice vector v = (v0 , ..., vn+2 ) = n+1

P
i=1 ui bi with v0 = ±1 and vn+1 = vn+2 = 0
decodes the message x in case exactly q of the coefficients vj have value v0 · (q − n) and
n − qcoefficients have value v0 · q. In this case we get
1, ifvi = v0 · (q − n),
xi =
0, ifvi = v0 · q
In his Diploma thesis H. Hörner uses variants of the block reduction algorithm to find
such vectors for parameters (n, q) = (103, 12) and (151, 16). Main results are published
in [16]. We’re not going to go into that here.

Breaking the Orton cryptosystem

In [15] Orton proposed the following public key cryptosystem based on so-called dense,
compact and modular knapsack problems:

Public parameters: natural numbers r, n, s. (Messages consist of n blocks with

s bits, r is the number of rounds to create the keys).

(0) (0) (0) (0)

Secret key: integers ai with a1 = 1, ai > (2s − 1) i−1
P
j=1 aj for i = 1, ..., n
(k) (k) (r)
and natural numbers q2 , p , w for k=1,...,r, where q1 := p /q2 is an integer.

(0)
The part {ai } of the secret key represents an “easy” knapsack. It is transformed in a
“hard” knapsack by the following transformations:
(k) (k−1) (k) (k) (k)
ai := ai j mod p for ik= 1, ..., n + k − 1, an+k := −p ,
w(k)
(k) (k)
fi := 2−prec(k) ai 2prec(k) /p(k) for i = 1, ..., n + k − 1, k = 1, ..., r,
(r)
ai,j := ai mod qj for i = 1, ..., n + r − 1, j = 1, 2.
The cryptosystem uses the secret “trapdoor” q2 , p(k) , w(k) (k = 1, ..., r). prec(k) is the
(k)
number of precision bits for calculating the quotients fi in round k. Orton proposed
11. LATTICE BASIS REDUCTION 66

to use prec(k) = s + log2 n + k + 2 in order to ensure unique decryption and prevent

attacks known before.

Public key: natural numbers q1 , prec(k) for k = 1, ..., r − 1

non-negative integers ai,j for i = 1, ..., n + r − 1, j = 1, 2
(k)
rational numbers fi ∈ 2−prec(k) [0, 2prec(k) ) for k = 1, ..., r − 1, i = 1, ..., n + k − 1.

Encryption
s n
jP key, messagek (x1 , ..., xn ) ∈ [0, 2 )
Input: public
n+k−1 (k)
1. xn+k := i=1 xi fi for k = 1, ..., r − 1
2. y1 := i=1 xi ai,1 mod q1 , y2 := n+r−1
Pn+r−1 P
i=1 xi ai,2
Output: encrypted message (y1 , y2 )

Decryption
Input: public and secret key, encrypted message (y1 , y2 )
1. recombine y (r) ≡ yj mod qj (j=1,2) using Chinese remainder theorem:
y (r) := q2 ((y1 − y2 )q2−1 mod q1 ) + y2
2. y (k−1) := y (k) (w(k) )−1 mod p(k) for k = r, ..., 1
(0)
3. solve ni=1 xi ai = y (0) with xi ∈ [0, 2s ).
P
(0) Pi−1 (0)
(this can easily be done since ai > (2s − 1) j=1 aj )
Output: decrypted message (x1 , ..., xn )

In the following we show by using lattice algorithms how to break any message encrypted
by the Orton cryptosystem. We first construct a lattice basis b1 , ..., bm+2 ∈ Zm+r+2 s.t.
the original message can easily be recovered from lattice vector with l∞ -norm 1. The
l∞ -norm ||v||∞ of a vector v = (v1 , ..., vn ) is defined the maximal absolute value of its
coefficients vi .
||v||∞ = max(|v1 |, . . . , |vn |), v ∈ Rn (12)
We then show how such a lattice vector can be found efficiently.
The decryption problem is stated as follows: Given the public parameters (r, n, s) the
public key (q1 , prec(k), a( , j, fik ) and the encrypted message ( y1 , y2 ), find the clear text
message (x1 , ..., xn ), i.e find integers x1 , ..., xn ∈ [0, 2s ), xn+k ∈ [0, 2s+k+log2 n+1 ) satisfy-
ing
n+r−1
X
xi ai,1 = y1 mod q1 (13)
i=1
n+r−1
X
xi ai,2 = y2 (14)
i=1
11. LATTICE BASIS REDUCTION 67

$n+k−1 %
(k)
X
xn+k = xi fi for k = 1, ..., r − 1 (15)
i=1

Let’s transform these equations into a set of r+1 integer linear

P equations with m 0-1-
unknowns, where m := ns + (r − 1)(r/2 + s + dlog2 ne − 1) + r−1 k=1 prec(k).
(k)
Since fi 2prec(k) ∈ [0, 2prec(k) ) is integral we can write equations 15 as

n+k−1
(k)
X
prec(k)
xn+k 2 = xi fi 2prec(k) − xn+r+k−1 for k = 1, ..., r − 1, (16)
i=1

where the additional variables xn+r+k−1 are integers in [0, 2prec(k) ).


(k)


 fi 2prec(k) for i = 1, ..., n + k − 1
 −2prec(k) for i=n+k


With ai,k+2 := 0 for i = n + k + 1, ..., n + r + k − 2




 −1 for i=n+r+k−1
 0 for i = n + r + k, ..., n + 2r − 2
equations 16 simplify to
n+2r−2
X
xi ai,k+2 = 0 for k = 1, ..., r − 1, (17)
i=1

The unique solution of 13, 14, 17 directly transforms into the unique solution of 13 - 15.
To get 0 − 1−variables we use the binary representation of the integer variables:

 s for 1 ≤ i ≤ n
We set di := s + i + dlog2 ne − n − 1 for n + 1 ≤ i ≤ n + r − 1
prec(i − (n + r − 1)) for n + r ≤ i ≤ n + 2r − 2

Pi−1
and Di := j=1 dj .
Let tDi +1 , ..., tDi +di ∈ {0, 1} be the binary representation of xi , i.e.
Pdi −1
xi = l=0 tDi +l+1 2l , and set
ADi +l+1,j := ai,j 2l for i = 1, ..., n + 2r − 2, j = 1, ..., r + 1, l = 0, ..., di − 1, where
ai,1 := ai,2 := 0 for i > n + r − 1.
With y3 := ... := yr+1 := 0 equations 13, 14, 17 simplify to
Pm
Pi=1 ti Ai,1 = y1 + zq1
m
i=1 ti Ai,j = yj for j = 2, ..., r + 1, (18)
where ti ∈ {0, 1}, z ∈ Z

The row vectors b1 , ..., bm+2 ∈ Zm+r+2 of the following matrix form the basis of lattice
11. LATTICE BASIS REDUCTION 68

L:
0 2 · · · 0 N A1,1 N A1,2
0 · · · N A1,r+1
 
..
. 0 N A2,1 N A2,2
 
 0 0 2 · · · N A2,r+1 
 .. .. . . . . .. .. .. ..
 

 . . . . . . . . 
  (19)
 .
 0 0 . . 0 2 N A2,1 N A2,2

 · · · N A2,r+1 

 0 0 . . . 0 0 N q1
 
0 ··· 0 
1 1 · · · 1 1 N y1 N y2 ··· N yr+1

For every integer N ≥ 2 we P can obtain the unique solution t1 , ..., tm of 18 from each
vector v = (v0 , ..., vm+r+1 ) = m+2
i=1 ci bi with l∞ -norm 1:

v has the form {±1}m+1 × {0}r+1 , where cm+2 ∈ {±1}, cm+1 ∈ Z and c1 , ..., cm ∈
{0, −cm+2 }. The zero in the last r + 1 coefficients imply
m
X
ci Ai,1 + cm+2 y1 = 0 mod q1 (20)
i=1

m
X
ci Ai,j + cm+2 yj = 0 for j = 1, ..., r + 1. (21)
i=1

With ti := |ci | = (|vi − v0 |)/2 for i = 1, ..., m we obtain the unique solution of 18 and we
directly get the original message from v:
s−1
X
xi := |vs(i−1)+j+1 − v0 |2j−1 for i = 1, . . . , n. (22)
j=0

To find a vector with l∞ -norm 1 we modify algorithm ENUM in order to search for
short vectors in l∞ -norm instead of the Euclidean norm ||.||2 . To do that we make use
of Hoelder’s inequality22 :

|x · y| ≤ ||x||∞ ||y||1 forall x, y ∈ Rn . (23)

||y||1 is the l1 -norm of y defined as

n
X
||y||1 = |yi |, y ∈ Rn . (24)
i=1

For t = m, ..., 1 we define the following functions wt , c̄t with integer arguments ũt , ..., ũm 23 :

22
for some background on Hoelders inequality see e.g. https://en.wikipedia.org/w/index.php?
title=Hoelder_inequality
23
using the notions of Definition 26
11. LATTICE BASIS REDUCTION 69

wt := wt (ũt , ..., ũm ) := πt ( m

P Pm
t+1 + ( i=t ũi µi,t ) b̂t
i=t ũi bi ) = wP
2
c̃t := c̃t (ũt , ..., ũm ) := ||wt ||22 = c̃t+1 + ( m 2
i=t ũi µi,t ) ||b̂t ||2

Let’s have a look into the algorithm ENUM described above (see page 64). It enumerates
in depth-first search order all nonzero integer vectors (ũt , ..., ũm ) for t = m, ..., 1 satisfying
c̃t (ũt , ..., ũm ) < c̄1 , where c̄1 is the current minimum for the function c̃1 (ũ1 , ..., ũm ). In
order to find a shortest lattice vector with respect to the l∞ -norm we modify this and
recursively enumerate all nonzero integer vectors (ũt , ..., ũm ) satisfying c̃t (ũt , ..., ũm ) <
nB̄ 2 , where B̄ is the current minimal l∞ -norm of all lattice vectors w1 enumerated so far.
The resulting enumeration area is illustrated in figure 11.1. We enumerate all vectors
√
wt inside the sphere B with radius nB̄ centered at the origin. We can prune the
enumeration using the following observations:
Since, for fixed ũt , ..., ũm we can only reach lattice vectors in the hyperplane H orthogonal
to wt , we can prune the enumeration as soon as this hyperplane doesn’t intersect with
the set M of all points with l∞ -norm less or equal B̄. Using Hoelder’s inequality we get
c̃t > B̄||wt ||1 whenever the intersection is empty. The inequality can be tested in linear
time and restricts the enumeration to the shaded area U , i.e. the union of all balls with
√
radius 12 nB̄ centered in {±B̄/2}n .
The number of vectors wt to be enumerated and therefore the running time of the
enumeration can roughly be approximated by the volume of the area that needs to be
traversed. As a consequence the running time of the pruned enumeration algorithm
ENUM∞ below is faster by the factor volume(U )/volume(B). For dimension 2 this
factor is exactly π+2 π+2 n−1
2π and in dimension n it is approximately ( 2π ) . This means that
ENUM∞ is faster by a factor exponential in the dimension of the lattice. For more
details see [13].

Figure 11.1: Pruning based on Hoelder’s inequality (picture cre-

ated by the author)

We are now able to formulate the attack algorithm:

11. LATTICE BASIS REDUCTION 70

Algorithm ATTACK-Orton
Input: public key, encrypted message y1 , y2
1. build the basis b1 , ..., bm+2 with N := n2 according to 19
2. LLL-reduce b1 , ..., bm+2 with δ = 0.99
3. call ENUM
Ps−1 ∞ ; we get a vectorl−1 v with ||v||∞ = 1
4. xi := l=0 |vs(i−1)+l+1 − v0 |2 for i = 1, ..., n
Output: original message x1 , ..., xn

Algorithm ENUM∞
Input: b̂i , ci := ||b̂i ||22 , µi,t for 1 ≤ t ≤ i ≤ m
1. s := t := 1, ũ1 := u1 := 1, b̄ := b1 , c̄ := n||b1 ||2∞ , B̄ := ||b1 ||∞
vj := yj := ∆j := 0, δj := 1,
FOR i = 1, ..., m + 1
c̃i := ui := ũi := vi := yi := ∆i := 0, ηi := δi := 1, wi := (0, ..., 0)
2. WHILE t ≤ m
c̃t := c̃t+1 + (yt + ũt )2 ct
IF c̃t < c̄
THEN wt := wt+1 + (yt + ũt )b̂t
IF t > 1
THEN IF c̃t ≥ B̄||wt ||1
THEN IF ηt = 1 THEN INCREASE t()
ELSE ηt := 1, ∆t := −∆t
IF ∆t δt ≥ 0
THEN ∆t := ∆t + δt
ũt := vt + ∆t
ELSE t := tP − 1, ηt := ∆t := 0,
yt := si=t+1 ũi µi,t , ũt := vt := d−yt c
IF ũt > −yt
THEN δt := −1
ELSE δt := 1
ELSE IF ||w1 ||∞ < B̄
THEN b̄ := w1 , c̄ := n||b̄||2∞ ,
ui := ũi for i = 1, ..., m
ELSE INCREASE t()
END WHILE
Output: (uj , ..., uk ), b̄
11. LATTICE BASIS REDUCTION 71

Subroutine INCREASE t()

t := t + 1
s := max(t, s)
IF ηt = 0
THEN ∆t := −∆t
IF ∆t δt ≥ 0 THEN ∆t := ∆t + δt
ELSE ∆t := ∆t + δt
ũt := vt + ∆t

With the following modifications of ENUM∞ we can further improve the running time
of the attack:
Since ||v||22 = m + 1 and ||v||∞ = 1, we initialize c̄ := m + 1.0001, B̄ := 1.0001 and stop
the algorithm as soon as we have found v. We also cut the enumeration for ũt as soon
as there is an index j ∈ [0, m] with bi,j = 0 for i = 1, ..., t − 1 and bt,j 6= 0, |wt,j | 6= 1.
We don’t miss the solution since w1,j = wt,j 6= ±1 for all choices of ũ1 , ..., ũt−1 . As the
original basis vectors b1 , ..., bm+1 only depend on the public key, we can pre-compute the
LLL-reduced basis b01 , ..., b0m+1 of b1 , ..., bm+1 once for every public key we want to attack.
For all messages which are encrypted with the same public key we use the precomputed
vectors b01 , ..., b0m+1 together with bm+2 instead of the original basis. More details on the
attack including practical results may be found in [12] and [13]
11. LATTICE BASIS REDUCTION 72

11.2 Factoring

Many public key cryptosystems are based on the assumption that factoring large natural
numbers is hard. In 1993 C.P. Schnorr [17] proposed to use lattice basis reduction to
factorize natural numbers:

Input: N (a natural number with at least two prime factors), α, c ∈ Q with

α, c > 1
1. calculate the list p1 , ..., pt of the first t primes, pt = (ln N )α
2. use lattice basis reduction in order to find m ≥ t + 2 pairs (ui , vi ) ∈ N2 with
t
pjai ,j with ai,j ∈ N
Y
ui = (25)
j=1

|ui − vi N | can be factorized over prime factors p1 , ..., pt (26)

3. factorize ui − vi N over primes p1 , ..., pt and p0 = −1
b
Let ui − vi N = tj=0 pji,j , bi = (bi,0 , ..., bi,t ) and
Q
ai = (ai,0 , ..., ai,t ) with ai,0 = 0
4. find a 0-1-solution (c1 , ..., cm ) 6= (0, ..., 0) of equation
Pm
i=1 ci (ai + bi ) = 0 (mod 2)
Pm
i=1 ci (ai,j +bi,j )/2
Qt
5. x := j=0 pj (mod N )
Pm Pm
i=1 ci bi,j ca
Qt
(mod N )= tj=0 pj i=1 i i,j (mod N )
Q
y := j=0 pj
(this construction implies x2 = y 2 (mod N ))
6. if x 6= y (mod N ), then output ggT(x + y, N ) and stop,
else goto 4. and find another solution (c1 , ..., cm )

In [18] enumeration of short lattice vectors in l1 -norm (similar to ENUM∞ ) is used to

find the solutions more efficiently. However, those algorithms are still far away from
being efficient for large numbers.
11. LATTICE BASIS REDUCTION 73

11.3 Usage of lattice algorithms in post quantum cryptography and

new developments (Eurocrypt 2019)

As it is hard to find the shortest vector in a high-dimensional lattice (in cases when no
special “structures” exist, like those found in the Chor-Rivest and Orton cryptosystem),
several cryptosystems based on the shortest vector problem are proposed.
The basic idea for constructing lattice-based public-key encryption schemes is to use a
“well-formed” high-dimensional lattice basis B as secret key and a scrambled version P
of B as public key. For encryption, the sender of a message m maps the message to a
point m in the lattice, by using the public basis P, and then adds a random error to
m, s.t. the resulting point c is still closer to m than to any other point in the lattice.
Then, c is sent to the receiver who can use the “well-formed” basis B in order to find m
efficiently and obtain the original message.
The security of the scheme is based on the assumption, that an attacker who is not
in the possession of the “well-formed” basis B, needs to spend an infeasible amount
of computational time in order to decipher the message, even with an aid of quantum
computers. However, the security of lattice-based schemes against quantum-computer
attacks is not yet well-understood. At Eurocrypt 2019 in Darmstadt, several aspects of
post quantum cryptography based on lattices were discussed:
A. Pellet-Mary, G. Hanrot, and D. Stehlé [19] describe an algorithm to solve the ap-
proximate shortest vector problem for lattices corresponding to ideals of integers of an
arbitrary number field K. The running time is still exponential in the input size, but
improved compared to previous results.
C. Bǎetu, F. B. Durak, L. Huguenin-Dumittan, A. Talayhan, and S. Vaudenay [20]
describe misuse attacks on several post-quantum cryptosystems proposed by the National
Institute of Standards and Technology (NIST) standardization process, including several
lattice-based schemes.
M.R. Albrecht, L. Ducas, G. Herold, E. Kirshanova, E.W. Postlethwaite, and M. Stevens
[21] propose a sieve method in order to find a shortest lattice vector, or a lattice vector
nearest to a given (non-lattice) vector as an alternative to the enumeration algorithms
described in this chapter. It would be interesting to check the performance of the enumer-
ation algorithms on modern computers, rather than the implementations on machines
as of the late nineties.
12. APPENDIX: LIST OF THE DEFINITIONS IN THIS CHAPTER 74

12 Appendix: List of the definitions in this chapter

Short description Page

Definition 3 vector 12
Definition 4 addition of vectors 13
Definition 5 zero vector 14
Definition 6 vector with dim n 14
Definition 7 linear combination 14
Definition 8 vector norm 14
Definition 9 dot product 15
Definition 10 inner product angel 16
Definition 12 unit vectors 16
Definition 13 sum of matrices 17
Definition 14 scalar multiplies 18
Definition 15 product of matrices 18
Definition 16 transposed matrix 19
Definition 17 minor 21
Definition 18 determinant 22
Definition 19 vector space 26
Definition 20 vector subspace 27
Definition 21 span 27
Definition 22 linear independence 28
Definition 23 vector basis 28
Definition 24 lattice 32
Definition 25 knapsack 34
Definition 26 ordered lattice basis (Gram-Schmidt orthogonalization) 57
Definition 27 i-th-successive minimum 57
Definition 28 HKZ-reduced 58
Definition 29 size-reduced 59
Definition 30 LLL-reduced with δ 60
Definition 31 (β, δ) block-reduced 62
13. APPENDIX: LIST OF EXAMPLES IN THIS CHAPTER 75

13 Appendix: List of examples in this chapter

Short description Page

Example 1 minor 21
Example 2 determinant 2x2 22
Example 3 determinant 3x3 22
Example 4 vector space matrices 27
Example 5 vector space polynomials 27
Example 6 trivial subspace 27
Example 7 polynomial subspace 27
Example 8 geometric subspace 28
Example 9 span 28
Example 10 different basis 28
Example 11 standard basis 29
Example 12 knapsack 36
Example 13 Gauss reduction 58

14 Appendix: List of the challenges in this chapter

Short description Page

Challenge 1 hidden message; root polynomials 4
Challenge 2 balanced graph puzzle 6
Challenge 3 system of equations puzzle 10
Challenge 4 coordinates puzzle 15
Challenge 5 the leet challenge 24
Challenge 6 vector space challenge 30
Challenge 7 the superincreasing puzzle 35
Challenge 8 knapsack challenge 38
Challenge 9 LLL algorithm challenge 43
Challenge 10 custom RSA puzzle 47
Challenge 11 Stereotype RSA, e=3, weak pass 55
Challenge 12 Stereotype RSA, e=3, strong pass 55
Challenge 13 Stereotype RSA, e=7, strong pass 56

For challenges, where the input is longer, there are text files with the according input.
They are bundled in a zip file called chal_i_helper.zip. See at the CT website https:
//www.cryptool.org/en/ctp-documentation/ctbook.
15. APPENDIX: RELATED PLUGINS IN CRYPTOOL PROGRAMS 76

15 Appendix: Screenshots and related plugins in the

CrypTool programs

The following subsections contain screenshots from CrypTool 1 (CT1), CrypTool 2

(CT2), and JavaCrypTool (JCT) showing plugins dealing with lattices in a didacti-
cal manner.

All functions in all CrypTool programs are listed at https://www.cryptool.org/en/

ctp-documentation/functionvolume. Specifying a category or a filter string or un-
boxing programs allows to search for a special function.
Figure 15.1 shows the result, when the selection was restricted to the two programs CT1
and CT2, and the filter string “lattice” was set.

Figure 15.1: Restricted selection from the overview of all Cryp-

Tool functions
15. APPENDIX: RELATED PLUGINS IN CRYPTOOL PROGRAMS 77

15.1 Dialogs in CrypTool 1 (CT1)

CT1 contains 4 dialogs dealing with attacks on RSA: The first one is a typical oracle
attack (caused by missing padding in plain textbook RSA implementations). The next
three use lattices to attack RSA under certain circumstances.24
• Textbook RSA
• Factoring with a Hint
• Attack on Stereotyped Messages
• Attack on Small Secret Keys

Figure 15.2: CT1 dialog: Side-channel against textbook RSA

used in a hybrid encryption protocol (Kuehn 2003)

24
Within CT1 you can call the first one (Textbook RSA) using the menu path
Analysis->Asymmetric Encryption->Side-Channel Attack on "Textbook RSA".
The next three can be found either below the menu Indiv. Procedures->RSA Cryptosystem->
Lattice-Based Attacks or below Analysis->Asymmetric Encryption->Lattice-Based Attacks on RSA.
15. APPENDIX: RELATED PLUGINS IN CRYPTOOL PROGRAMS 78

Figure 15.3: CT1 dialog: Factoring N with a hint (you know a

fraction of p)
15. APPENDIX: RELATED PLUGINS IN CRYPTOOL PROGRAMS 79

Figure 15.4: CT1 dialog: Attack on stereotyped messages (you

know a part of the plaintext message)
15. APPENDIX: RELATED PLUGINS IN CRYPTOOL PROGRAMS 80

Figure 15.5: CT1 dialog: Factoring N when the private exponent

is too small (Bloemer/May 2001)
15. APPENDIX: RELATED PLUGINS IN CRYPTOOL PROGRAMS 81

15.2 Lattice tutorial in CrypTool 2 (CT2)

CT2 contains a plugin “Lattice-based cryptography” with the following playful intro-
ductory programs.25
• Algorithms to reduce lattice basis for shortest vector problem (SVP):
– Gauss (nice visualization in 2-dim)
– LLL
• Closest vector problem (CVP)
– Find closest vector (nice visualization in 2-dim)
• Lattice-based attacks against:
– Merkle-Hellman knapsack
– RSA (Coppersmith attack)
• Lattice-based cryptography:
– GGH
– LWE

25
CT2 contains visualizations of these methods within the crypto tutorial Lattice-based cryptogra-
phy below the main menu Crypto tutorials. Please note, that most of the plugins in CT2 appear
in the workspace manager as templates and components to be started from the Startcenter (and
not via the menu Crypto tutorials).
15. APPENDIX: RELATED PLUGINS IN CRYPTOOL PROGRAMS 82

Figure 15.6: CT2 tutorial “Lattice-based cryptography”: SVP

via Gauss

Figure 15.7: CT2 tutorial “Lattice-based cryptography”: SVP

via LLL algorithm
15. APPENDIX: RELATED PLUGINS IN CRYPTOOL PROGRAMS 83

Figure 15.8: CT2 tutorial “Lattice-based cryptography”: CVP

– Find closest vector
15. APPENDIX: RELATED PLUGINS IN CRYPTOOL PROGRAMS 84

Figure 15.9: CT2 tutorial “Lattice-based cryptography”: attack

against the Merkle-Hellman knapsack cryptosystem
15. APPENDIX: RELATED PLUGINS IN CRYPTOOL PROGRAMS 85

Figure 15.10: CT2 tutorial “Lattice-based cryptography”: at-

tack against RSA (Coppersmith)
15. APPENDIX: RELATED PLUGINS IN CRYPTOOL PROGRAMS 86

Figure 15.11: CT2 tutorial “Lattice-based cryptography”: the

GGH cryptosystem
15. APPENDIX: RELATED PLUGINS IN CRYPTOOL PROGRAMS 87

Figure 15.12: CT2 tutorial “Lattice-based cryptography”: the

LWE cryptosystem
15. APPENDIX: RELATED PLUGINS IN CRYPTOOL PROGRAMS 88

15.3 Plugin in JCrypTool (JCT)

JCT contains a visualization of the Merkle-Hellman knapsack cryptosystem.26 This

is just a didactical visualization showing all the necessary steps for private keys with
maximum 20 elements.

Figure 15.13: JCT plugin: Merkle-Hellman knapsack cryptosys-

tem: step-by-step calculations

26
JCT offers this within the Default Perspective in the menu Visuals \ Merkle-Hellman Knapsack
Cryptosystem.
16. AUTHORS OF THIS CHAPTER 89

16 Authors of this Chapter

This appendix lists the authors of this document.

Please refer to the top of each individual chapter for their contribution.

Miroslav Dimitrov
PhD student at the Bulgarian Academy of Sciences
E-mail: [email protected]
Harald Ritter
Member of IACR, PhD thesis on lattice basis reduction at the University of Frank-
furt.
Senior Consultant at NOVOSEC AG, Frankfurt/Main.
E-mail: [email protected], [email protected]
Bernhard Esslinger
Initiator of the CrypTool project, editor and main author of this book. Professor
for IT security and cryptography at the University of Siegen.
E-mail: [email protected], [email protected]

The authors want to thank Dr. Doris Behrendt for proof reading and correcting this
chapter.
Bibliography

[1] Lenstra, Arjen Klaas, Hendrik Willem Lenstra, and László Lovász: Factoring poly-
nomials with rational coefficients. Mathematische Annalen 261.4 (1982): 515-534.
[2] May, Alexander: Using LLL-Reduction for Solving RSA and Factorization Problems.
The LLL algorithm. Springer, Berlin, Heidelberg, 2009. 315-348.
[3] NIST: FIPS PUB 186-4: Digital Signature Standard (DSS), 2013, https://nvlpubs.
nist.gov/nistpubs/fips/nist.fips.186-4.pdf
[4] Coppersmith, Don: Small Solutions to Polynomial Equations, and Low Exponent
RSA Vulnerabilities. Journal of Cryptology 10.4 (1997): 233-260.
[5] Howgrave-Graham, Nicholas A.: Computational Mathematics Inspired by
RSA. Dissertation, University of Bath, 1998, https://cr.yp.to/bib/1998/
howgrave-graham.pdf
[6] Sang-Gu Lee: Linear Algebra with Sage, 2018, https://www.researchgate.
net/publication/327362474_Linear_Algebra_seonhyeongdaesuhag_e-_book_-_
2018_version.
[7] Hermite, C.: Extraits de lettres de M. Ch. Hermite à M. Jacobi sur differents objets
de de la théorie des nombres, deuxième lettre. Journal reine angewandte Mathematik,
40:279-290, 1850.
[8] Korkine, A. and G. Zolotarev: Sur les formes quadratiques positives quaternaires.
Math. Annalen, 5:581-583, 1872.
[9] Korkine, A. and G. Zolotarev: Sur les formes quadratiques. Math. Annalen, 6:366-
389, 1873.
[10] Korkine, A. and G. Zolotarev: Sur les formes quadratiques positives. Math. An-
nalen, 11:242-292, 1877.
[11] Schnorr, C.P. and M. Euchner: Lattice Basis Reduction: Improved Practical Algo-
rithms and Solving Subset Sum Problems. Mathematical Programming (1994), 66:181-
199.
[12] Ritter, H.: Breaking knapsack cryptosystems by l∞ -norm enumeration. In J. Pribyl,
editor, Proceedings of the 1st International Conference on the Theory and Applica-
tions of Cryptology, PRAGOCRYPT ’96, Prague, Czech Republic, 30 September-3
October, 1996, CTU Publishing House, pp. 480-492, 1996.
Bibliography 91

[13] Ritter, H.: Aufzählung von kurzen Gittervektoren in allgemeiner Norm. Dissertation
zur Erlangung des Doktorgrades der Naturwissenschaften, Fachbereich Mathematik
der Johann Wolfgang Goethe-Universität in Frankfurt am Main, 1997.
[14] Chor, B and R.L. Rivest: A Knapsack Type Public-Key Cryptosystem Based on
Arithmetic in Finite Fields. IEEE Transactions on Information Theory, 34(5):901-999,
September 1988.
[15] Orton, G.: A Multiple-Iterated Trapdoor for Dense Compact Knapsacks. In Proc.
EUROCRYPT 94, pp. 112-130. Springer Lecture Notes in Computer Science, No. 950,
1994.
[16] Schnorr, C.P. and H.H. Hörner: Attacking the Chor-Rivest Cryptosystem by Im-
proved Lattice Reduction. In Proc. EUROCRYPT 95, pp. 1-12. Springer Lecture Notes
in Computer Science, No. 921, 1995.
[17] Schnorr, C.P.: Factoring Integers and Computing Discrete Logarithms via Diophan-
tine Approximations. In Advances of Computational Complexity, DIMACS Series in
Discrete Mathematics and Theoretical Science, AMS; 1993.
[18] Ritter, H. and C. Rössner: Factoring via Strong Lattice Reduction Algorithms,
Technical Report, available at https://www.researchgate.net/publication/
2266562_Factoring_via_Strong_Lattice_Reduction_Algorithms,1997.
[19] Pellet-Mary, A., G. Hanrot, and D. Stehlé: Approx-SVP in Ideal Lattices with Pre-
processing. In Proc. EUROCRYPT 19, pp. 685-716. Springer Lecture Notes in Com-
puter Science, 2019. Also available at https://eprint.iacr.org/2019/215.pdf.
[20] Bǎetu, C., F.B. Durak, L. Huguenin-Dumittan, A. Talayhan, and S. Vaudenay:
Misuse Attacks on Post-Quantum Cryptosystems. In Proc. EUROCRYPT 19, pp.
747-776. Springer Lecture Notes in Computer Science, 2019. Also available at https:
//eprint.iacr.org/2019/525.
[21] Albrecht, M.R., L. Ducas, G. Herold, E. Kirshanova, E.W. Postlethwaite, and M.
Stevens: The General Sieve Kernel and New Records in Lattice Reduction. In Proc.
EUROCRYPT 19, pp. 717-746. Springer Lecture Notes in Computer Science, 2019.
Also available at https://eprint.iacr.org/2019/089.