Codes and Lattices in Cryptography

We compare Schnorr's algorithm for semi block 2k-reduction of lattice bases with Koy's primal-dual reduction for blocksize 2k. Koy's algorithm guarantees within the same time bound under known proofs better approximations of the shortest lattice vector. Under reasonable heuristics both algorithms are equally strong and much better than proven in worst-case. We combine primal-dual reduction with Schnorr's random sampling reduction (RSR) to a highly parallel reduction algorithm that is on the average more e cient than previous algorithms. It reduces the approximation factor 43n=2 guaranteed by the LLL-algorithm to 1:025n=2 using feasible lattice reduction. SUMMARY. A (lattice) basis of rank n consists of n linearly independent real vectors b1; :::;bn 2 Rm which form the basis matrix B = [b1; :::;bn] 2 Rm n. The basis B generates the lattice L = L(B) = fBx jx 2 Zng Rm which is the set of all integer linear combinations of the basis vectors. The goal of lattice reduction is to transform a given basis B into a nice basis BT , T 2 SLn(R), consisting of short and nearly orthogonal vectors. Notation. B = [b1; :::;bn] 2 Rm n, Bt 2 Rn m is the transpose of B 2 Rm n, inverse transpose of R 2 Rn n, di = det([b1; :::;bi]t[b1; :::;bi]), d0 = 1, D` = dk`=dk` k for given k;B, detL(B) = det(BtB)1=2 = d1=2 n , the `2-length kbk = jbtbj1=2 of b 2 Rm, i : Rm ! span(b1; :::;bi 1)? is the orthogonal projection, 1(L) = the minimal length of the nonzero vectors of the lattice L, k = max 21(L(B))=detL(B)2=k over all bases B 2 Rm n of rank k, Q 2 Rm n is isometric if hQx; Qyi = hx;yi = xty for all x;y 2 Rm, SLn(Z) = fT 2 Zn n j detT = 1g, In 2 Zn n denotes the unit matrix. The QR-decomposition B = QR, R = [r1; : : : ; rn] = [ri;j ] 2 Rn n of a basis B 2 Rm n consists of an isometric matrix Q 2 Rm n and an uppertriangular matrixR 2 Rn n with positive diagonal entries. TheQR-decomposition is unique, R is preserved under isometric transforms of B. We call R the geometric normal form (GNF) of B, R = GNF(B). We describe basis reduction in terms of the GNF R. This yields the Gram-Schmidt coe cients j;i = ri;j=ri;i and ri;i = k i(bi)k is the length of the orthogonal vector i(bi). We see from [b1; :::;bn] = QR that kbik2 = ij=1 r2 j;i, kb1k = r1;1. Standard reductions. 1. B = QR 2 Rm n is size-reduced if jri;j j 12ri;i for all j > i. 2. B = QR is LLL-reduced [LLL82] for 2 ( 14 ; 1] if B is size-reduced and r2 i;i r2 i;i+1 + r2 i+1;i+1 for i = 1; :::; n 1. Such LLL-bases satisfy r2 i;i r2 i+1;i+1 for := 1=( 1 4 ). This yields the classic result on the performance of LLL-bases that we are going to improve: Theorem 1. [LLL82] An LLL-basis B 2 Rm n of lattice L satis es 1. kb1k2 n 1 2 (detL)2=n, 2. kb1k2 n 1 21. LLL-reduction is due to Lenstra, Lenstra, Lov asz [LLL82]. The LLL-algorithm transforms a given basis B into an LLL-basis BT , T 2 SLn(Z). It runs in O(n3m log1= kBk) arithmetic steps using integers of bit length O(n log2 kBk, where kBk = maxfkb1k; :::; kbnkg for the input basis b1; :::;bn. The basis B = QR is HKZ-reduced (we call it an HKZ-basis) if B is sizereduced, and each coe cient ri;i of the GNF R is minimal for all bases of the given lattice that coincide with B in the rst i 1 vectors. Survey, background and perspectives of our results. We compare feasible basis reduction algorithms that replace in Theorem 1 by smaller constants. The approximation factor n 1 2 for kb1k= 1 has been improved to 2O((n log logn)2= logn) in [S87] and combined with [AKS01] to 2O(n log logn= logn). Here we focus on reductions of achievable in feasible lattice reduction time for practical dimensions. Some reductions are proven by heuristics to be feasible on the average. We assume 1 so that 4=3. LLL-bases approximate 1 up to a factor n 1 2 . 1:155n. They approximate 1 much better for lattices of high density where 21 n(detL)2=n, namely up to a factor . n 1 4 =p n . 1:075n. Moreover, Nguyen and Stehl e [NS06] report that decreases on average to about 1:024 1:08 for the random lattices of [NS06]. The constant can be further decreased within polynomial reduction time by blockwise basis reduction. We compare semi block 2k-reduction [S87] and Koy's primal-dual reduction [K04] with blocksize 2k. Both algorithms perform HKZ-reductions in dimension 2k, HKZ-reducing segments b +1; :::;b +2k of B under +1, and have similar polynomial time bounds. They are feasible for 2k 50. Semi block 2k-reduction (Alg. 1) replaces in Theorem 1 by ( k= )1=k for a constant k (Theorem 2) that satis es k=12 < k < (1 + k2 )2 ln 2 1=k [GHKN06] Koy's primal-dual reduction (Alg. 2) replaces by ( 2 2k)1=2k (Theorem 3). Since 2k = (k) the second bound outperforms the rst, unless k is close to its lower bound k=12. Primal-dual reduction for blocks of length 48 replaces in Theorem 1 within feasible reduction time by ( 2 48)1=48 1:084. Both algorithms are equally powerful in approximating 1 under the worst-case GSA-heuristic of [S03], they both replace by 1=(k 1) k .