Annual International Conference on the Theory and Applications of Cryptographic Techniques

EUROCRYPT 2005: Advances in Cryptology – EUROCRYPT 2005 pp 215-233

Floating-Point LLL Revisited

  • Phong Q. Nguên
  • Damien Stehlé
Conference paper

DOI: 10.1007/11426639_13

Volume 3494 of the book series Lecture Notes in Computer Science (LNCS)

Abstract

The Lenstra-Lenstra-Lovász lattice basis reduction algorithm (LLL or L3) is a very popular tool in public-key cryptanalysis and in many other fields. Given an integer d-dimensional lattice basis with vectors of norm less than B in an n-dimensional space, L3 outputs a so-called L3-reduced basis in polynomial time O(d5n log3B), using arithmetic operations on integers of bit-length O(d log B). This worst-case complexity is problematic for lattices arising in cryptanalysis where d or/and log B are often large. As a result, the original L3 is almost never used in practice. Instead, one applies floating-point variants of L3, where the long-integer arithmetic required by Gram-Schmidt orthogonalisation (central in L3) is replaced by floating-point arithmetic. Unfortunately, this is known to be unstable in the worst-case: the usual floating-point L3 is not even guaranteed to terminate, and the output basis may not be L3-reduced at all. In this article, we introduce the L2 algorithm, a new and natural floating-point variant of L3 which provably outputs L3-reduced bases in polynomial time O(d4n (d + log B) log B). This is the first L3 algorithm whose running time (without fast integer arithmetic) provably grows only quadratically with respect to log B, like the well-known Euclidean and Gaussian algorithms, which it generalizes.

Keywords

LLLL3Lattice ReductionPublic-Key Cryptanalysis
Download to read the full conference paper text

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Phong Q. Nguên
    • 1
  • Damien Stehlé
    • 2
  1. 1.CNRS/École normale supérieure, DIParisFrance
  2. 2.Univ. Nancy 1/LORIAVillers-lès-NancyFrance