lattice reduction algorithms - issac conference · 2018. 1. 22. · introductionbackground on...
TRANSCRIPT
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Lattice reduction algorithms
Damien Stehle(Some slides courtesy of Shi Bai)(Bibliography: see proceedings)
ENS de Lyon
July 25th 2017
D. Stehle Lattice reduction algorithms 25/07/2017 1/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Goal and roadmap
An overview of the algorithmic aspects of lattice reduction
1 Background on lattices
2 Solving the Shortest Vector Problem
3 The dynamics of lattice reduction
4 Blocking techniques
5 Approximations
D. Stehle Lattice reduction algorithms 25/07/2017 2/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Euclidean lattices
Lattice ≡{∑
i≤n xibi : xi ∈ Z},
for linearly indep. bi ’s in Rn,referred to as lattice basis
Bases are not unique, but canbe obtained from one another byinteger transforms of determinant ±1:[−2 110 6
]=
[4 −32 4
]·[
1 12 1
]Lattice reduction
Find a short basis, given an arbitrary one
D. Stehle Lattice reduction algorithms 25/07/2017 3/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Euclidean lattices
Lattice ≡{∑
i≤n xibi : xi ∈ Z},
for linearly indep. bi ’s in Rn,referred to as lattice basis
Bases are not unique, but canbe obtained from one another byinteger transforms of determinant ±1:[−2 110 6
]=
[4 −32 4
]·[
1 12 1
]Lattice reduction
Find a short basis, given an arbitrary one
D. Stehle Lattice reduction algorithms 25/07/2017 3/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Euclidean lattices
Lattice ≡{∑
i≤n xibi : xi ∈ Z},
for linearly indep. bi ’s in Rn,referred to as lattice basis
Bases are not unique, but canbe obtained from one another byinteger transforms of determinant ±1:[−2 110 6
]=
[4 −32 4
]·[
1 12 1
]Lattice reduction
Find a short basis, given an arbitrary one
D. Stehle Lattice reduction algorithms 25/07/2017 3/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Lattice invariants
Minimumλ(L) = min { ‖b‖ : b ∈ L \ 0 }
Determinantdet L = | det(bi)i |, for any basis
Minkowski theorem
λ(L) ≤√n · (det L)
1n , for any L of dim n
Lattice reduction
Find a basis that is short comparedto λ(L) and/or (det L)
1n
D. Stehle Lattice reduction algorithms 25/07/2017 4/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Lattice invariants
Minimumλ(L) = min { ‖b‖ : b ∈ L \ 0 }
Determinantdet L = | det(bi)i |, for any basis
Minkowski theorem
λ(L) ≤√n · (det L)
1n , for any L of dim n
Lattice reduction
Find a basis that is short comparedto λ(L) and/or (det L)
1n
D. Stehle Lattice reduction algorithms 25/07/2017 4/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Lattice invariants
Minimumλ(L) = min { ‖b‖ : b ∈ L \ 0 }
Determinantdet L = | det(bi)i |, for any basis
Minkowski theorem
λ(L) ≤√n · (det L)
1n , for any L of dim n
Lattice reduction
Find a basis that is short comparedto λ(L) and/or (det L)
1n
D. Stehle Lattice reduction algorithms 25/07/2017 4/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Lattice invariants
Minimumλ(L) = min { ‖b‖ : b ∈ L \ 0 }
Determinantdet L = | det(bi)i |, for any basis
Minkowski theorem
λ(L) ≤√n · (det L)
1n , for any L of dim n
Lattice reduction
Find a basis that is short comparedto λ(L) and/or (det L)
1n
D. Stehle Lattice reduction algorithms 25/07/2017 4/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
The Shortest Vector Problem
SVPγ, γ ≥ 1
Given as input a basis matrix B of a lattice L, find x ∈ Zn s.t.
0 < ‖Bx‖ ≤ γ · λ(L)
HSVPγ, γ ≥ 1 (Hermite-SVP)
Given as input a basis matrix B of a lattice L, find x ∈ Zn s.t.
0 < ‖Bx‖ ≤ γ · (det L)1/(dim L)
The dimension drives computational hardness
SVP is NP-hard under prob. reductions for γ ≤ O(1)
The problems get easier when γ increases
HSVP and SVP reduce to one another (up to increases of γ)
D. Stehle Lattice reduction algorithms 25/07/2017 5/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
The Shortest Vector Problem
SVPγ, γ ≥ 1
Given as input a basis matrix B of a lattice L, find x ∈ Zn s.t.
0 < ‖Bx‖ ≤ γ · λ(L)
HSVPγ, γ ≥ 1 (Hermite-SVP)
Given as input a basis matrix B of a lattice L, find x ∈ Zn s.t.
0 < ‖Bx‖ ≤ γ · (det L)1/(dim L)
The dimension drives computational hardness
SVP is NP-hard under prob. reductions for γ ≤ O(1)
The problems get easier when γ increases
HSVP and SVP reduce to one another (up to increases of γ)
D. Stehle Lattice reduction algorithms 25/07/2017 5/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Why do we care?
Lots of computational problems can be cast as findinga short vector in a lattice.
Communication theory: white Gaussian noise channel
Combinatorial optimization: integer linear programming
Number theory: invariants of number fields
Cryptanalysis: knapsacks, RSA variants, lattice-based crypto
Computer algebra: factorisation of integer polynomials
D. Stehle Lattice reduction algorithms 25/07/2017 6/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Example 1: Reconstructing an algebraic number
Let α ∈ R algebraic, and Pα its minimal polynomial.How to recover Pα from an approximation α of α?
L :=
1 α α2 . . . αd
ε 0 0 . . . 00 ε 0 . . . 00 0 ε . . . 0
. . .
0 0 0 . . . ε
· Zd+1
For d = degPα, ε small and |α− α| small,any short enough vector in L leads to Pα.
We want to be able to do that!
D. Stehle Lattice reduction algorithms 25/07/2017 7/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Example 1: Reconstructing an algebraic number
Let α ∈ R algebraic, and Pα its minimal polynomial.How to recover Pα from an approximation α of α?
L :=
1 α α2 . . . αd
ε 0 0 . . . 00 ε 0 . . . 00 0 ε . . . 0
. . .
0 0 0 . . . ε
· Zd+1
For d = degPα, ε small and |α− α| small,any short enough vector in L leads to Pα.
We want to be able to do that!
D. Stehle Lattice reduction algorithms 25/07/2017 7/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Example 1: Reconstructing an algebraic number
Let α ∈ R algebraic, and Pα its minimal polynomial.How to recover Pα from an approximation α of α?
L :=
1 α α2 . . . αd
ε 0 0 . . . 00 ε 0 . . . 00 0 ε . . . 0
. . .
0 0 0 . . . ε
· Zd+1
For d = degPα, ε small and |α− α| small,any short enough vector in L leads to Pα.
We want to be able to do that!
D. Stehle Lattice reduction algorithms 25/07/2017 7/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Example 2: Collisions in Ajtai’s hash function
Ajtai’s hash function
Let n� m, t � q and A ∈ (Z/qZ)n×m. We define:
hA :{−t, . . . ,+t}m → (Z/qZ)n
x 7→ A · x mod q
Finding a collision is finding x 6= 0 small in
L := {x ∈ Zm : A · x = 0 mod q}.
We want this to be intractable!
D. Stehle Lattice reduction algorithms 25/07/2017 8/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Example 2: Collisions in Ajtai’s hash function
Ajtai’s hash function
Let n� m, t � q and A ∈ (Z/qZ)n×m. We define:
hA :{−t, . . . ,+t}m → (Z/qZ)n
x 7→ A · x mod q
Finding a collision is finding x 6= 0 small in
L := {x ∈ Zm : A · x = 0 mod q}.
We want this to be intractable!
D. Stehle Lattice reduction algorithms 25/07/2017 8/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Roadmap
1 Background on lattices
2 Solving the Shortest Vector Problem
3 The dynamics of lattice reduction
4 Blocking techniques
5 Approximations
Solving SVPγ with γ = 1“Optimal reduction”: HKZ
D. Stehle Lattice reduction algorithms 25/07/2017 9/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
QR factorization
QTQ = IR up-triangular with positive diagonal entries‖Bx‖ = ‖Rx‖Rx =(∑
i≥1
r1ixi ,∑i≥2
r2ixi , . . . , rn−1,n−1xn−1 + rn−1,nxn, rnnxn
)D. Stehle Lattice reduction algorithms 25/07/2017 10/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
QR factorization
QTQ = IR up-triangular with positive diagonal entries‖Bx‖ = ‖Rx‖Rx =(∑
i≥1
r1ixi ,∑i≥2
r2ixi , . . . , rn−1,n−1xn−1 + rn−1,nxn, rnnxn
)D. Stehle Lattice reduction algorithms 25/07/2017 10/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
QR factorization
QTQ = IR up-triangular with positive diagonal entries‖Bx‖ = ‖Rx‖Rx =(∑
i≥1
r1ixi ,∑i≥2
r2ixi , . . . , rn−1,n−1xn−1 + rn−1,nxn, rnnxn
)D. Stehle Lattice reduction algorithms 25/07/2017 10/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Solving SVP by enumeration
(∑i≥1
r1ixi ,∑i≥2
r2ixi , . . . , rn−1,n−1xn−1 + rn−1,nxn, rnnxn
)
Set a norm bound S
List all xn ∈ Z s.t. |rnn · xn| ≤ S
For each xn, list all xn−1 ∈ Z s.t. the partial vector(rn−1,n−1xn−1 + rn−1,nxn, rnnxn) has norm ≤ S
etc
For each (xn, xn−1, . . . , x2), list all possible x1 ∈ Z
D. Stehle Lattice reduction algorithms 25/07/2017 11/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Enumeration
This is a search of leaves in a big tree:
Depth-first search ⇒ Poly(n) memoryZig-zag around the centerWell-suited for parallelizationCan do (heuristic) tree pruning
Huge cost, growing with S , 1/rnn, 1/(rnnrn−1,n−1), . . .
S can be chosen tightly in many casesThe last rii ’s can be increased with lattice reduction
D. Stehle Lattice reduction algorithms 25/07/2017 12/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Enumeration versus other SVP solvers
Timeupper bound
Spaceupper bound
via enumeration[FiPo’83,Kan’83,HaSt’07]
nn/(2e)+o(n) Poly(n) Deterministic
via sieving[AjKuSi’01,PuSt’09]
22.247n+o(n) 21.325n+o(n) Probabilistic
via heuristic sieving[MiVo’10,BDGL’16]
20.292n+o(n) 20.292n+o(n) Heuristic
via Voronoi cell[MiVo’10]
22n+o(n) 2n+o(n) Deterministic
via Gaussians[ADRS’16]
2n+o(n) 2n+o(n) Probabilistic
D. Stehle Lattice reduction algorithms 25/07/2017 13/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
In practice, enumeration wins
D. Stehle Lattice reduction algorithms 25/07/2017 14/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Interlude: implementations of lattice algorithms
MAGMA, PARI-GP, NTL, Maple, Mathematica, SAGE, etc
Reference implementation: fplll
C++, with a Python interface (fpylll)
GNU LGPL
hosted on github
enumeration, sieving, LLL, BKZ
D. Stehle Lattice reduction algorithms 25/07/2017 15/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
What if we want a full short basis?
Enumeration gives a single vector...
HKZ-reduction (Hermite Korkine Zolotarev)
R up-triangular is HKZ-reduced if
r11 = λ(L(R))
and (rij)i ,j>1 is HKZ-reduced
Minkowski’s theorem implies that for all i ≤ n:
rii ≤√n − i + 1 ·
(n∏j=i
rjj
) 1n−i+1
If these are equalities, then fixing the last one fixes them all.
D. Stehle Lattice reduction algorithms 25/07/2017 16/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
What if we want a full short basis?
Enumeration gives a single vector...
HKZ-reduction (Hermite Korkine Zolotarev)
R up-triangular is HKZ-reduced if
r11 = λ(L(R))
and (rij)i ,j>1 is HKZ-reduced
Minkowski’s theorem implies that for all i ≤ n:
rii ≤√n − i + 1 ·
(n∏j=i
rjj
) 1n−i+1
If these are equalities, then fixing the last one fixes them all.
D. Stehle Lattice reduction algorithms 25/07/2017 16/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Shape of HKZ-reduced bases
ρi := log rii ∼ log2(n − i + 1)
D. Stehle Lattice reduction algorithms 25/07/2017 17/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Roadmap
1 Background on lattices
2 Solving the Shortest Vector Problem
3 The dynamics of lattice reduction
4 Blocking techniques
5 Approximations
Open problems:
1 When does sieving beat enumeration?
2 Can we make heuristic sieving less heuristic?
3 Is HKZ-reduction “optimal”?
D. Stehle Lattice reduction algorithms 25/07/2017 18/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Roadmap
1 Background on lattices
2 Solving the Shortest Vector Problem
3 The dynamics of lattice reduction
4 Blocking techniques
5 Approximations
D. Stehle Lattice reduction algorithms 25/07/2017 19/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
From n(n + 1)/2 to n variables: size-reduction
. . .... . . .
... . . .rii . . . rij . . .
. . .... . . .rjj . . .
. . .
·
. . .
1 −b rijriie
. . .
1
. . .
⇒ |r (new)
ij | ≤ rii2
( Go from left to right, and bottom to top )
Triangular linear system solving, with roundings
Number of arithmetic steps: O(n2) per column
The magnitudes of the rationals can grow by afactor 2O(n) during the computation
D. Stehle Lattice reduction algorithms 25/07/2017 20/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
From n(n + 1)/2 to n variables: size-reduction
. . .... . . .
... . . .rii . . . rij . . .
. . .... . . .rjj . . .
. . .
·
. . .
1 −b rijriie
. . .
1
. . .
⇒ |r (new)
ij | ≤ rii2
( Go from left to right, and bottom to top )
Triangular linear system solving, with roundings
Number of arithmetic steps: O(n2) per column
The magnitudes of the rationals can grow by afactor 2O(n) during the computation
D. Stehle Lattice reduction algorithms 25/07/2017 20/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
From n(n + 1)/2 to n variables: size-reduction
. . .... . . .
... . . .rii . . . rij . . .
. . .... . . .rjj . . .
. . .
·
. . .
1 −b rijriie
. . .
1
. . .
⇒ |r (new)
ij | ≤ rii2
( Go from left to right, and bottom to top )
Triangular linear system solving, with roundings
Number of arithmetic steps: O(n2) per column
The magnitudes of the rationals can grow by afactor 2O(n) during the computation
D. Stehle Lattice reduction algorithms 25/07/2017 20/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
From n(n + 1)/2 to n variables: size-reduction
. . .... . . .
... . . .rii . . . rij . . .
. . .... . . .rjj . . .
. . .
·
. . .
1 −b rijriie
. . .
1
. . .
⇒ |r (new)
ij | ≤ rii2
( Go from left to right, and bottom to top )
Triangular linear system solving, with roundings
Number of arithmetic steps: O(n2) per column
The magnitudes of the rationals can grow by afactor 2O(n) during the computation
D. Stehle Lattice reduction algorithms 25/07/2017 20/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Size-reduction: updating B
D. Stehle Lattice reduction algorithms 25/07/2017 21/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Where are we now?
Goal of lattice reduction
Given R ∈ Rn×n up-triangular, find U ∈ GLn(Z)s.t. the R-factor of R ·U has small diagonal coeffs
Constraint: the product of the rii ’s is constant.
We want to
make the first rii ’s small
prevent the rii ’s from decreasing fast
HKZ is too costly
D. Stehle Lattice reduction algorithms 25/07/2017 22/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Where are we now?
Goal of lattice reduction
Given R ∈ Rn×n up-triangular, find U ∈ GLn(Z)s.t. the R-factor of R ·U has small diagonal coeffs
Constraint: the product of the rii ’s is constant.
We want to
make the first rii ’s small
prevent the rii ’s from decreasing fast
HKZ is too costly
D. Stehle Lattice reduction algorithms 25/07/2017 22/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Where are we now?
Goal of lattice reduction
Given R ∈ Rn×n up-triangular, find U ∈ GLn(Z)s.t. the R-factor of R ·U has small diagonal coeffs
Constraint: the product of the rii ’s is constant.
We want to
make the first rii ’s small
prevent the rii ’s from decreasing fast
HKZ is too costly
D. Stehle Lattice reduction algorithms 25/07/2017 22/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
The LLL strategy (Lenstra Lenstra Lovasz)
Take any i such that ri+1,i+1 � rii , and swap bi and bi+1
D. Stehle Lattice reduction algorithms 25/07/2017 23/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
The LLL strategy (Lenstra Lenstra Lovasz)
Take any i such that ri+1,i+1 � ri ,i , and swap bi and bi+1
(rnewi ,i )2 = r 2i+1,i+1 + r 2
i ,i+1 ≤ r 2i+1,i+1 + r 2
i ,i/4
r 2i+1,i+1 ≤ (3/4) · r 2
i ,i ⇒ (rnewi ,i )2 ≤ r 2i ,i
ri+1,i+1 cannot go wild, as rnewi+1,i+1 · rnewi ,i = ri+1,i+1 · ri ,i .
D. Stehle Lattice reduction algorithms 25/07/2017 24/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
The LLL strategy (Lenstra Lenstra Lovasz)
Take any i such that ri+1,i+1 � ri ,i , and swap bi and bi+1
(rnewi ,i )2 = r 2i+1,i+1 + r 2
i ,i+1 ≤ r 2i+1,i+1 + r 2
i ,i/4
r 2i+1,i+1 ≤ (3/4) · r 2
i ,i ⇒ (rnewi ,i )2 ≤ r 2i ,i
ri+1,i+1 cannot go wild, as rnewi+1,i+1 · rnewi ,i = ri+1,i+1 · ri ,i .
D. Stehle Lattice reduction algorithms 25/07/2017 24/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
The LLL strategy (Lenstra Lenstra Lovasz)
Take any i such that ri+1,i+1 � ri ,i , and swap bi and bi+1
(rnewi ,i )2 = r 2i+1,i+1 + r 2
i ,i+1 ≤ r 2i+1,i+1 + r 2
i ,i/4
r 2i+1,i+1 ≤ (3/4) · r 2
i ,i ⇒ (rnewi ,i )2 ≤ r 2i ,i
ri+1,i+1 cannot go wild, as rnewi+1,i+1 · rnewi ,i = ri+1,i+1 · ri ,i .
D. Stehle Lattice reduction algorithms 25/07/2017 24/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
LLL as sandpile flattening
If rii � ri+1,i+1, do bi ↔ bi+1.
If ρi � ρi+1, decrease ρi by C and increase ρi+1 by C .
D. Stehle Lattice reduction algorithms 25/07/2017 25/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
LLL as sandpile flattening
If rii � ri+1,i+1, do bi ↔ bi+1.
If ρi � ρi+1, decrease ρi by C and increase ρi+1 by C .
D. Stehle Lattice reduction algorithms 25/07/2017 25/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
LLL as sandpile flattening
If rii � ri+1,i+1, do bi ↔ bi+1.
If ρi � ρi+1, decrease ρi by C and increase ρi+1 by C .
D. Stehle Lattice reduction algorithms 25/07/2017 25/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
LLL as sandpile flattening
If rii � ri+1,i+1, do bi ↔ bi+1.
If ρi � ρi+1, decrease ρi by C and increase ρi+1 by C .
D. Stehle Lattice reduction algorithms 25/07/2017 25/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
LLL as sandpile flattening
If rii � ri+1,i+1, do bi ↔ bi+1.
If ρi � ρi+1, decrease ρi by C and increase ρi+1 by C .
D. Stehle Lattice reduction algorithms 25/07/2017 25/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
LLL as sandpile flattening
If rii � ri+1,i+1, do bi ↔ bi+1.
If ρi � ρi+1, decrease ρi by C and increase ρi+1 by C .
D. Stehle Lattice reduction algorithms 25/07/2017 25/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example
D. Stehle Lattice reduction algorithms 25/07/2017 26/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example
D. Stehle Lattice reduction algorithms 25/07/2017 26/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example
D. Stehle Lattice reduction algorithms 25/07/2017 26/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example
D. Stehle Lattice reduction algorithms 25/07/2017 26/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example
D. Stehle Lattice reduction algorithms 25/07/2017 26/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example
D. Stehle Lattice reduction algorithms 25/07/2017 26/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example
D. Stehle Lattice reduction algorithms 25/07/2017 26/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example
D. Stehle Lattice reduction algorithms 25/07/2017 26/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example
D. Stehle Lattice reduction algorithms 25/07/2017 26/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example
D. Stehle Lattice reduction algorithms 25/07/2017 26/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example
D. Stehle Lattice reduction algorithms 25/07/2017 26/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Convergence of LLL
The LLL potential
Π :=∑
i≤n(n − i + 1) · ρi
Weighted amount of sand to be moved to the right
For each swap, it decreases by at least a constant
Number of loop iterations of LLL
O(n2 log ‖B‖) loop iterations, if the input basis B is integral.
D. Stehle Lattice reduction algorithms 25/07/2017 27/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Convergence of LLL
The LLL potential
Π :=∑
i≤n(n − i + 1) · ρi
Weighted amount of sand to be moved to the right
For each swap, it decreases by at least a constant
Number of loop iterations of LLL
O(n2 log ‖B‖) loop iterations, if the input basis B is integral.
D. Stehle Lattice reduction algorithms 25/07/2017 27/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Convergence of LLL
The LLL potential
Π :=∑
i≤n(n − i + 1) · ρi
Weighted amount of sand to be moved to the right
For each swap, it decreases by at least a constant
Number of loop iterations of LLL
O(n2 log ‖B‖) loop iterations, if the input basis B is integral.
D. Stehle Lattice reduction algorithms 25/07/2017 27/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
The BKZ-LLL strategy
For i = 1, 2, . . . , n − 1 and over and over again,
HKZ-reduce
(ri ,i ri+1,i
0 ri+1,i+1
)
D. Stehle Lattice reduction algorithms 25/07/2017 28/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
The BKZ-LLL strategy
For i = 1, 2, . . . , n − 1 and over and over again,
HKZ-reduce
(ri ,i ri+1,i
0 ri+1,i+1
)
By Minkowski’s theorem:
rnewi ,i ≤√
4/3 · (ri ,i · ri+1,i+1)1/2
ri+1,i+1 cannot go wild, as rnewi+1,i+1 · rnewi ,i = ri+1,i+1 · ri ,i .
D. Stehle Lattice reduction algorithms 25/07/2017 29/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
The BKZ-LLL strategy
For i = 1, 2, . . . , n − 1 and over and over again,
HKZ-reduce
(ri ,i ri+1,i
0 ri+1,i+1
)
By Minkowski’s theorem:
rnewi ,i ≤√
4/3 · (ri ,i · ri+1,i+1)1/2
ri+1,i+1 cannot go wild, as rnewi+1,i+1 · rnewi ,i = ri+1,i+1 · ri ,i .
D. Stehle Lattice reduction algorithms 25/07/2017 29/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
A sandpile model for BKZ-LLL
Regularity assumption: Each HKZ-reduction gives
rnewi ,i =√
4/3 · (ri ,i · ri+1,i+1)1/2
ρ←
1/2 1/2 0 01/2 1/2 0 0
0 0 1 0
. . .
0 0 0 1
· ρ +
log√
4/3
− log√
4/30
.
.
.0
ρ←
1 0 0 00 1/2 1/2 00 1/2 1/2 0
. . .
0 0 0 1
· ρ +
0
log√
4/3
− log√
4/3
.
.
.0
etc
A full tour: ρ← A · ρ + Γ
D. Stehle Lattice reduction algorithms 25/07/2017 30/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Analyses of BKZ-LLL
Discrete-time affine dynamical system
A full tour: ρ← A · ρ + Γ
Output quality ← Fix-point
Speed of convergence ← Second largest eigenvalue
Neumaier’s potential
ν := maxi<n
1
n − i
(∑j≤i ρj
i−∑
j≤n ρj
n
).
(∑
j≤i ρj)/i is a smoothed proxy for ρi .
The definition is justified by the fact we expect the ρi ’sto decrease linearly after reduction
D. Stehle Lattice reduction algorithms 25/07/2017 31/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Analyses of BKZ-LLL
Discrete-time affine dynamical system
A full tour: ρ← A · ρ + Γ
Output quality ← Fix-point
Speed of convergence ← Second largest eigenvalue
Neumaier’s potential
ν := maxi<n
1
n − i
(∑j≤i ρj
i−∑
j≤n ρj
n
).
(∑
j≤i ρj)/i is a smoothed proxy for ρi .
The definition is justified by the fact we expect the ρi ’sto decrease linearly after reduction
D. Stehle Lattice reduction algorithms 25/07/2017 31/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Cost/quality of BKZ-LLL vs LLL
LLL BKZ-LLL
SVP’s γ (√
4/3 + ε)n−1 ?
HSVP’s γ (√
4/3 + ε)(n−1)/2 (√
4/3)(n−1)/2(1 + ε)Iterations n2 · log ‖B‖ n3 · log log ‖B‖
(SVP: γ = r11/λ1, HSVP: γ = r11/ det1/n)
D. Stehle Lattice reduction algorithms 25/07/2017 32/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Roadmap
1 Background on lattices
2 Solving the Shortest Vector Problem
3 The dynamics of lattice reduction
4 Blocking techniques
5 Approximations
Open problems:
1 SVP rather than HSVP for BKZ-LLL?
2 Can we prove a lower bound on the speed of convergence?
3 Algorithms that do not belong to this framework?
D. Stehle Lattice reduction algorithms 25/07/2017 33/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Roadmap
1 Background on lattices
2 Solving the Shortest Vector Problem
3 The dynamics of lattice reduction
4 Blocking techniques
5 Approximations
Blocking to improve efficiencyBlocking to improve reducedness
D. Stehle Lattice reduction algorithms 25/07/2017 34/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Cost of LLL
Text-book LLL:
O(n2 log ‖B‖) loop iterations
O(n2) arithmetic operations per iteration
R represented with rationals of bit-lengths O(n log ‖B‖)⇒ Cost is O(n5 log2 ‖B‖)
Using BKZ-LLL:
O(n3) · O(n2) · O(n log ‖B‖) = O(n6 log ‖B‖)
D. Stehle Lattice reduction algorithms 25/07/2017 35/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Cost of LLL
Text-book LLL:
O(n2 log ‖B‖) loop iterations
O(n2) arithmetic operations per iteration
R represented with rationals of bit-lengths O(n log ‖B‖)⇒ Cost is O(n5 log2 ‖B‖)
Using BKZ-LLL:
O(n3) · O(n2) · O(n log ‖B‖) = O(n6 log ‖B‖)
D. Stehle Lattice reduction algorithms 25/07/2017 35/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Blocking allows to stay local
Local is more efficient
As long as i stays in a length k interval, then R-updates andsize-reductions have costs that depend on k and not on n.
. . . . . .ri,i . . . ri,i+k−1
. . ....
ri+k−1,i+k−1
...
. . .
Used to decrease the impact of n onthe cost
Cost depends on n only when ienters or exits the interval
May be combined with fastlinear algebra
D. Stehle Lattice reduction algorithms 25/07/2017 36/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Blocking allows to stay local
Local is more efficient
As long as i stays in a length k interval, then R-updates andsize-reductions have costs that depend on k and not on n.
. . . . . .ri,i . . . ri,i+k−1
. . ....
ri+k−1,i+k−1
...
. . .
Used to decrease the impact of n onthe cost
Cost depends on n only when ienters or exits the interval
May be combined with fastlinear algebra
D. Stehle Lattice reduction algorithms 25/07/2017 36/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Cost of updating a block
To minimize cost, stay within a block for longMay use recursive blocking to reduce the cost furtherLocality seems incompatible with fast convergence
D. Stehle Lattice reduction algorithms 25/07/2017 37/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Cost of updating a block
To minimize cost, stay within a block for longMay use recursive blocking to reduce the cost furtherLocality seems incompatible with fast convergence
D. Stehle Lattice reduction algorithms 25/07/2017 37/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Neumaier-S.’16: both global and local
Global to limit the impact of log ‖B‖ on the cost
Local to limit the impact of n on the cost
Recursive calls in dim. k , withblocks that overlap by half
At the bottom of the recursion,use 2-dim. reduction
2-dim. reduction costsO(n log ‖B‖)
Total cost: O(n4 log ‖B‖)
D. Stehle Lattice reduction algorithms 25/07/2017 38/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Neumaier-S.’16: both global and local
Global to limit the impact of log ‖B‖ on the cost
Local to limit the impact of n on the cost
Recursive calls in dim. k , withblocks that overlap by half
At the bottom of the recursion,use 2-dim. reduction
2-dim. reduction costsO(n log ‖B‖)
Total cost: O(n4 log ‖B‖)
D. Stehle Lattice reduction algorithms 25/07/2017 38/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Neumaier-S.’16: both global and local
Global to limit the impact of log ‖B‖ on the cost
Local to limit the impact of n on the cost
Recursive calls in dim. k , withblocks that overlap by half
At the bottom of the recursion,use 2-dim. reduction
2-dim. reduction costsO(n log ‖B‖)
Total cost: O(n4 log ‖B‖)
D. Stehle Lattice reduction algorithms 25/07/2017 38/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Neumaier-S.’16: both global and local
Global to limit the impact of log ‖B‖ on the cost
Local to limit the impact of n on the cost
Recursive calls in dim. k , withblocks that overlap by half
At the bottom of the recursion,use 2-dim. reduction
2-dim. reduction costsO(n log ‖B‖)
Total cost: O(n4 log ‖B‖)
D. Stehle Lattice reduction algorithms 25/07/2017 38/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Neumaier-S.’16: both global and local
Global to limit the impact of log ‖B‖ on the cost
Local to limit the impact of n on the cost
Recursive calls in dim. k , withblocks that overlap by half
At the bottom of the recursion,use 2-dim. reduction
2-dim. reduction costsO(n log ‖B‖)
Total cost: O(n4 log ‖B‖)
D. Stehle Lattice reduction algorithms 25/07/2017 38/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Blocking to improve reducedness
LLL and its variants achieve exponential (H)SVPapproximation factors in polynomial-time
Can we do better by paying more?
BKZ (Block Korkine-Zolotarev)
HKZ calls in dim. k , withblocks that overlap by k − 1
Quality improves as blocksare more reduced
Cost grows as 2O(k)
D. Stehle Lattice reduction algorithms 25/07/2017 39/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Blocking to improve reducedness
LLL and its variants achieve exponential (H)SVPapproximation factors in polynomial-time
Can we do better by paying more?
BKZ (Block Korkine-Zolotarev)
HKZ calls in dim. k , withblocks that overlap by k − 1
Quality improves as blocksare more reduced
Cost grows as 2O(k)
D. Stehle Lattice reduction algorithms 25/07/2017 39/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Blocking to improve reducedness
LLL and its variants achieve exponential (H)SVPapproximation factors in polynomial-time
Can we do better by paying more?
BKZ (Block Korkine-Zolotarev)
HKZ calls in dim. k , withblocks that overlap by k − 1
Quality improves as blocksare more reduced
Cost grows as 2O(k)
D. Stehle Lattice reduction algorithms 25/07/2017 39/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Blocking to improve reducedness
LLL and its variants achieve exponential (H)SVPapproximation factors in polynomial-time
Can we do better by paying more?
BKZ (Block Korkine-Zolotarev)
HKZ calls in dim. k , withblocks that overlap by k − 1
Quality improves as blocksare more reduced
Cost grows as 2O(k)
D. Stehle Lattice reduction algorithms 25/07/2017 39/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
BKZ, asymptotically
HKZ BKZk LLL ≈ BKZ2
‖b1‖/(det L)1n√n ' k
n2k 2O(n)
Time∗ 2O(n) 2O(k) × Poly(n) Poly(n)∗Omitting arithmetic costs
Lattice reduction rule of thumb (neglecting poly. factors)
Time 2O(k) =⇒ approx. factor γ = kO(n/k)
or, equivalently
Approx. factor γ costs time(
1 + nlog γ
)O(1+ nlog γ )
.
D. Stehle Lattice reduction algorithms 25/07/2017 42/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
BKZ, asymptotically
HKZ BKZk LLL ≈ BKZ2
‖b1‖/(det L)1n√n ' k
n2k 2O(n)
Time∗ 2O(n) 2O(k) × Poly(n) Poly(n)∗Omitting arithmetic costs
Lattice reduction rule of thumb (neglecting poly. factors)
Time 2O(k) =⇒ approx. factor γ = kO(n/k)
or, equivalently
Approx. factor γ costs time(
1 + nlog γ
)O(1+ nlog γ )
.
D. Stehle Lattice reduction algorithms 25/07/2017 42/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Roadmap
1 Background on lattices
2 Solving the Shortest Vector Problem
3 The dynamics of lattice reduction
4 Blocking techniques
5 Approximations
Open problems:
1 Faster LLL-type reduction than O(n4 log ‖B‖)2 Accurate predictive model for BKZk with large k
3 Good code for BKZk with large k
D. Stehle Lattice reduction algorithms 25/07/2017 43/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Roadmap
1 Background on lattices
2 Solving the Shortest Vector Problem
3 The dynamics of lattice reduction
4 Blocking techniques
5 Approximations
D. Stehle Lattice reduction algorithms 25/07/2017 44/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Bit-complexity of LLL and practical run-time
Text-book LLL terminates in O(n4 log2 ‖B‖) bit operations
With MAGMA V2.19:
> n := 35; B := RMatrixSpace(Integers(),n,n)!0;
> for i:=1 to n do
> B[i][i]:=1; B[i][1]:=RandomBits(5000);
> end for;
> time C := LLL(B:Method:=‘‘Integral’’);
Time: 70.380> time C := LLL(B);
Time: 1.560
D. Stehle Lattice reduction algorithms 25/07/2017 45/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
The exact and approximate approaches
The exact approach
IntegralBasis
−→ RationalQR
⇓ ⇓⇓ Z-operations ⇓⇓ ←− ⇓⇓ ←− ⇓⇓ ←− ⇓...
......
We get a reduced basis... but
QR dominates the cost
The approximate approach
IntegralBasis
−→ Floating-ptQR
⇓ ⇓⇓ Z-operations ⇓⇓ ←− ⇓⇓ ←− ⇓⇓ ←− ⇓...
......
This is faster... but
This is highly unstable
D. Stehle Lattice reduction algorithms 25/07/2017 46/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
The exact and approximate approaches
The exact approach
IntegralBasis
−→ RationalQR
⇓ ⇓⇓ Z-operations ⇓⇓ ←− ⇓⇓ ←− ⇓⇓ ←− ⇓...
......
We get a reduced basis... but
QR dominates the cost
The approximate approach
IntegralBasis
−→ Floating-ptQR
⇓ ⇓⇓ Z-operations ⇓⇓ ←− ⇓⇓ ←− ⇓⇓ ←− ⇓...
......
This is faster... but
This is highly unstable
D. Stehle Lattice reduction algorithms 25/07/2017 46/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
The exact and approximate approaches
The exact approach
IntegralBasis
−→ RationalQR
⇓ ⇓⇓ Z-operations ⇓⇓ ←− ⇓⇓ ←− ⇓⇓ ←− ⇓...
......
We get a reduced basis... but
QR dominates the cost
The approximate approach
IntegralBasis
−→ Floating-ptQR
⇓ ⇓⇓ Z-operations ⇓⇓ ←− ⇓⇓ ←− ⇓⇓ ←− ⇓...
......
This is faster... but
This is highly unstable
D. Stehle Lattice reduction algorithms 25/07/2017 46/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
The exact and approximate approaches
The exact approach
IntegralBasis
−→ RationalQR
⇓ ⇓⇓ Z-operations ⇓⇓ ←− ⇓⇓ ←− ⇓⇓ ←− ⇓...
......
We get a reduced basis... but
QR dominates the cost
The approximate approach
IntegralBasis
−→ Floating-ptQR
⇓ ⇓⇓ Z-operations ⇓⇓ ←− ⇓⇓ ←− ⇓⇓ ←− ⇓...
......
This is faster... but
This is highly unstable
D. Stehle Lattice reduction algorithms 25/07/2017 46/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Odlyzko’s hybrid approach
IntegralBasis
−→ Floating-pointQR
⇓ ⇓⇓ Z-operations←− ⇓⇓ Numerical refreshing−→ ⇓⇓ ←−−→ ⇓
⇓ ←−−→ ⇓
⇓ ←−−→ ⇓...
......
D. Stehle Lattice reduction algorithms 25/07/2017 47/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Numerical QR-factorization
A rather well-studied topic:
Many backward stable algorithms:
Modified GS, Givens, Householder, ...
B −→ R, the R-factor of B + ∆B
Backward stability may be combined with perturbationanalysis, if the inputs are well-conditioned
B = QR =⇒ B + ∆B = (Q + ∆Q)(R + ∆R),
where ∆R grows as “cond”(R) ·∆B.
D. Stehle Lattice reduction algorithms 25/07/2017 48/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Numerical QR-factorization
A rather well-studied topic:
Many backward stable algorithms:
Modified GS, Givens, Householder, ...
B −→ R, the R-factor of B + ∆B
Backward stability may be combined with perturbationanalysis, if the inputs are well-conditioned
B = QR =⇒ B + ∆B = (Q + ∆Q)(R + ∆R),
where ∆R grows as “cond”(R) ·∆B.
D. Stehle Lattice reduction algorithms 25/07/2017 48/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Conditioning of R
Backward stability & sensitivity analysis⇒ approximation bounds
Householder & co are backward stable for column-wiseperturbations:
R is the R-factor of B + ∆B,maxi ‖∆bi‖/‖bi‖ ≤ Poly(n) · 2−p.
Perturbation analysis for columnwise perturbations
maxi‖∆ri‖/‖ri‖ ≤ ‖|R||R−1|‖ ·max
i‖∆bi‖/‖bi‖.
If computing with precision p � log ‖|R||R−1|‖,then the computed R is meaningful.
D. Stehle Lattice reduction algorithms 25/07/2017 49/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Conditioning of R
Backward stability & sensitivity analysis⇒ approximation bounds
Householder & co are backward stable for column-wiseperturbations:
R is the R-factor of B + ∆B,maxi ‖∆bi‖/‖bi‖ ≤ Poly(n) · 2−p.
Perturbation analysis for columnwise perturbations
maxi‖∆ri‖/‖ri‖ ≤ ‖|R||R−1|‖ ·max
i‖∆bi‖/‖bi‖.
If computing with precision p � log ‖|R||R−1|‖,then the computed R is meaningful.
D. Stehle Lattice reduction algorithms 25/07/2017 49/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Conditioning of R
Backward stability & sensitivity analysis⇒ approximation bounds
Householder & co are backward stable for column-wiseperturbations:
R is the R-factor of B + ∆B,maxi ‖∆bi‖/‖bi‖ ≤ Poly(n) · 2−p.
Perturbation analysis for columnwise perturbations
maxi‖∆ri‖/‖ri‖ ≤ ‖|R||R−1|‖ ·max
i‖∆bi‖/‖bi‖.
If computing with precision p � log ‖|R||R−1|‖,then the computed R is meaningful.
D. Stehle Lattice reduction algorithms 25/07/2017 49/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Conditioning of R
Backward stability & sensitivity analysis⇒ approximation bounds
Householder & co are backward stable for column-wiseperturbations:
R is the R-factor of B + ∆B,maxi ‖∆bi‖/‖bi‖ ≤ Poly(n) · 2−p.
Perturbation analysis for columnwise perturbations
maxi‖∆ri‖/‖ri‖ ≤ ‖|R||R−1|‖ ·max
i‖∆bi‖/‖bi‖.
If computing with precision p � log ‖|R||R−1|‖,then the computed R is meaningful.
D. Stehle Lattice reduction algorithms 25/07/2017 49/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Conditioning and reducedness
“cond”(R) ≤ ‖|R||R−1|‖
We are lucky! If B is LLL-reduced, then cond(R) ≤ 2O(n) andcomputing with p = O(n) suffices.
Need LLL-reducedness to LLL-reduce numerically...
Use a greedy LLL algorithm:
Take the first i s.t. (b1, . . . ,bi) is not LLL-reduced
⇒ (b1, . . . ,bi−1) is well-conditioned
Work on bi until (b1, . . . ,bi) is LLL-reducedor until we can decide to swap bi and bi−1
D. Stehle Lattice reduction algorithms 25/07/2017 50/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Conditioning and reducedness
“cond”(R) ≤ ‖|R||R−1|‖
We are lucky! If B is LLL-reduced, then cond(R) ≤ 2O(n) andcomputing with p = O(n) suffices.
Need LLL-reducedness to LLL-reduce numerically...
Use a greedy LLL algorithm:
Take the first i s.t. (b1, . . . ,bi) is not LLL-reduced
⇒ (b1, . . . ,bi−1) is well-conditioned
Work on bi until (b1, . . . ,bi) is LLL-reducedor until we can decide to swap bi and bi−1
D. Stehle Lattice reduction algorithms 25/07/2017 50/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Conditioning and reducedness
“cond”(R) ≤ ‖|R||R−1|‖
We are lucky! If B is LLL-reduced, then cond(R) ≤ 2O(n) andcomputing with p = O(n) suffices.
Need LLL-reducedness to LLL-reduce numerically...
Use a greedy LLL algorithm:
Take the first i s.t. (b1, . . . ,bi) is not LLL-reduced
⇒ (b1, . . . ,bi−1) is well-conditioned
Work on bi until (b1, . . . ,bi) is LLL-reducedor until we can decide to swap bi and bi−1
D. Stehle Lattice reduction algorithms 25/07/2017 50/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Bit complexity of hybrid LLL
Bit-complexity (left hand side is correct only in an amortized sense)
O(n2β)︸ ︷︷ ︸1
· O(n2)︸ ︷︷ ︸2
·[O(nβ)︸ ︷︷ ︸
3
+O(n2)︸ ︷︷ ︸4
]= O
(n5β(n + β)
)1- loop iterations
2- arithmetic operations per loop iteration
3- integer arithmetic (on the basis)
4- floating-point arithmetic (on QR)
Asymptotically: not much better than text-book LLLand worse than blocking
In practice: p = 53 for n up to 150-200.
Lengthy rationals −→ low-precision floating-points
D. Stehle Lattice reduction algorithms 25/07/2017 51/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Bit complexity of hybrid LLL
Bit-complexity (left hand side is correct only in an amortized sense)
O(n2β)︸ ︷︷ ︸1
· O(n2)︸ ︷︷ ︸2
·[O(nβ)︸ ︷︷ ︸
3
+O(n2)︸ ︷︷ ︸4
]= O
(n5β(n + β)
)1- loop iterations
2- arithmetic operations per loop iteration
3- integer arithmetic (on the basis)
4- floating-point arithmetic (on QR)
Asymptotically: not much better than text-book LLLand worse than blocking
In practice: p = 53 for n up to 150-200.
Lengthy rationals −→ low-precision floating-points
D. Stehle Lattice reduction algorithms 25/07/2017 51/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Going further with approximations
In hybrid-LLL, basis operations are dominating the cost.
The sensitivity bounds imply that we can work with anapproximation of B.
⇒ take the most significant bits!
The transformation matrix is also bounded by ‖|R||R−1|‖.
Round-reduce-update, recursively
L1
algorithm: O(n5 log ‖B‖) bit operations
D. Stehle Lattice reduction algorithms 25/07/2017 52/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Going further with approximations
In hybrid-LLL, basis operations are dominating the cost.
The sensitivity bounds imply that we can work with anapproximation of B.
⇒ take the most significant bits!
The transformation matrix is also bounded by ‖|R||R−1|‖.
Round-reduce-update, recursively
L1
algorithm: O(n5 log ‖B‖) bit operations
D. Stehle Lattice reduction algorithms 25/07/2017 52/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Going further with approximations
In hybrid-LLL, basis operations are dominating the cost.
The sensitivity bounds imply that we can work with anapproximation of B.
⇒ take the most significant bits!
The transformation matrix is also bounded by ‖|R||R−1|‖.
Round-reduce-update, recursively
L1
algorithm: O(n5 log ‖B‖) bit operations
D. Stehle Lattice reduction algorithms 25/07/2017 52/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
LLL-reduction: state of the art
[Stor96] [KoSc01] [NoStVi11] [NeSt16]slow dynamics
blockingexact R
slow dynamicsblockingexact R
slow dynamicsno blocking
approximate B and R
fast dynamicsblockingexact R
Cost O( n3.39β2 ) O( n3β2 ) O( n5β ) O( n4β )
HSVP (4/3 + ε)n−1
4 2O(n log n) (4/3 + ε)n−1
4 (1 + ε)(4/3)n−1
4
( β := log ‖B‖ )
D. Stehle Lattice reduction algorithms 25/07/2017 53/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Roadmap
1 Background on lattices
2 Solving the Shortest Vector Problem
3 The dynamics of lattice reduction
4 Blocking techniques
5 Approximations
Open problems:
1 Combine fast dynamics, blocking and approximations
2 Use less precision, in theory and in practice
D. Stehle Lattice reduction algorithms 25/07/2017 54/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Concluding remarks
Lattice reduction comes in two main flavours:
Fast, with exponential approximation factors
Slow, with shorter vectors
Both cases are very relevant for applications.
The set of algorithmic techniques is limited
Dynamics
Blocking
Approximations
This is in contrast to, e.g., SVP algorithms.
D. Stehle Lattice reduction algorithms 25/07/2017 55/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Concluding remarks
Lattice reduction comes in two main flavours:
Fast, with exponential approximation factors
Slow, with shorter vectors
Both cases are very relevant for applications.
The set of algorithmic techniques is limited
Dynamics
Blocking
Approximations
This is in contrast to, e.g., SVP algorithms.
D. Stehle Lattice reduction algorithms 25/07/2017 55/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
My favourite open problems
SVP solvers: make theory, heuristics and practice match
Prove lower bounds on the necessary number of stepstowards reducedness
Combine fast dynamics, blocking and approximationsto obtain a faster LLL-type algorithm
D. Stehle Lattice reduction algorithms 25/07/2017 56/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
My favourite open problems
SVP solvers: make theory, heuristics and practice match
Prove lower bounds on the necessary number of stepstowards reducedness
Combine fast dynamics, blocking and approximationsto obtain a faster LLL-type algorithm
D. Stehle Lattice reduction algorithms 25/07/2017 56/56
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
My favourite open problems
SVP solvers: make theory, heuristics and practice match
Prove lower bounds on the necessary number of stepstowards reducedness
Combine fast dynamics, blocking and approximationsto obtain a faster LLL-type algorithm
D. Stehle Lattice reduction algorithms 25/07/2017 56/56