Abstract

The Lenstra-Lenstra-Lovász lattice basis reduction algorithm (LLL or L3) is a very popular tool in public-key cryptanalysis and in many other fields. Given an integer d-dimensional lattice basis with vectors of norm less than B in an n-dimensional space, L3 outputs a so-called L3-reduced basis in polynomial time O(d 5 n log3 B), using arithmetic operations on integers of bit-length O(d log B). This worst-case complexity is problematic for lattices arising in cryptanalysis where d or/and log B are often large. As a result, the original L3 is almost never used in practice. Instead, one applies floating-point variants of L3, where the long-integer arithmetic required by Gram-Schmidt orthogonalisation (central in L3) is replaced by floating-point arithmetic. Unfortunately, this is known to be unstable in the worst-case: the usual floating-point L3 is not even guaranteed to terminate, and the output basis may not be L3-reduced at all. In this article, we introduce the L2 algorithm, a new and natural floating-point variant of L3 which provably outputs L3-reduced bases in polynomial time O(d 4 n (d + log B) log B). This is the first L3 algorithm whose running time (without fast integer arithmetic) provably grows only quadratically with respect to log B, like the well-known Euclidean and Gaussian algorithms, which it generalizes.

Keywords

LLL L3 Lattice Reduction Public-Key Cryptanalysis 

References

  1. 1.
    LIDIA 2.1.3. A C++ library for computational number theory, http://www.informatik.tu-darmstadt.de/TI/LiDIA/
  2. 2.
    IEEE 754. IEEE standard for binary floating-point arithmeticGoogle Scholar
  3. 3.
    Babai, L.: On Lovász lattice reduction and the nearest lattice point problem. Combinatorica 6, 1–13 (1986)MATHCrossRefMathSciNetGoogle Scholar
  4. 4.
    Batut, C., Belabas, K., Bernardi, D., Cohen, H., Olivier, M.: PARI/GP computer package version 2. Université de Bordeaux I, http://pari.math.u-bordeaux.fr/
  5. 5.
    Björck, Å.: Numerical Methods for Least Squares Problems. SIAM, Philadelphia (1996)MATHGoogle Scholar
  6. 6.
    Boneh, D.: Twenty years of attacks on the RSA cryptosystem. Notices of the AMS 46(2), 203–213 (1999)MATHMathSciNetGoogle Scholar
  7. 7.
    Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key d less than n 0.292. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 1–11. Springer, Heidelberg (1999)Google Scholar
  8. 8.
    Cohen, H.: A Course in Computational Algebraic Number Theory, 2nd edn. Springer, Heidelberg (1995)Google Scholar
  9. 9.
    Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. of Cryptology 10(4), 233–260 (1997)MATHCrossRefMathSciNetGoogle Scholar
  10. 10.
    Goldreich, O., Goldwasser, S., Halevi, S.: Public-key cryptosystems from lattice reduction problems. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 112–131. Springer, Heidelberg (1997)Google Scholar
  11. 11.
    Golub, G., van Loan, C.: Matrix Computations. Johns Hopkins Univ. Press, Baltimore (1996)MATHGoogle Scholar
  12. 12.
    Grötschel, M., Lovász, L., Schrijver, A.: Geometric Algorithms and Combinatorial Optimization. Springer, Heidelberg (1993)MATHGoogle Scholar
  13. 13.
    Hermite, C.: Extraits de lettres de M. Hermite à M. Jacobi sur différents objets de la théorie des nombres, deuxième lettre. J. Reine Angew. Math. 40, 279–290 (1850); Also available in, The first volume of Hermite’s complete works, pp. 122–135. Gauthier-VillarsGoogle Scholar
  14. 14.
    Howgrave-Graham, N.A., Smart, N.P.: Lattice attacks on digital signature schemes. Design, Codes and Cryptography 23, 283–290 (2001)MATHCrossRefMathSciNetGoogle Scholar
  15. 15.
    Koy, H., Schnorr, C.P.: Segment LLL-reduction of lattice bases. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 67–80. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  16. 16.
    Koy, H., Schnorr, C.P.: Segment LLL-reduction with floating point orthogonalization. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 81–96. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  17. 17.
    Lagarias, J.C., Odlyzko, A.M.: Solving low-density subset sum problems. Journal of the Association for Computing Machinery (January 1985)Google Scholar
  18. 18.
    Lawson, C.L., Hanson, R.J.: Solving Least Squares Problems. SIAM, Philadelphia (1995)MATHGoogle Scholar
  19. 19.
    Lenstra, A.K., Lenstra Jr., H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261, 513–534 (1982)CrossRefGoogle Scholar
  20. 20.
    Lenstra Jr., H.W.: Integer programming with a fixed number of variables. Technical report, Mathematisch Instituut, Universiteit van Amsterdam, Report 81-03 (April 1981)Google Scholar
  21. 21.
    Lenstra Jr., H.W.: Integer programming with a fixed number of variables. Math. Oper. Res. 8(4), 538–548 (1983)MATHCrossRefMathSciNetGoogle Scholar
  22. 22.
    Magma. The Magma computational algebra system for algebra, number theory and geometry, http://www.maths.usyd.edu.au:8000/u/magma/
  23. 23.
    Micciancio, D.: Improving lattice-based cryptosystems using the Hermite normal form. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, p. 126. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  24. 24.
    Micciancio, D., Goldwasser, S.: Complexity of lattice problems: A cryptographic perspective. Kluwer Academic Publishers, Boston (2002)MATHGoogle Scholar
  25. 25.
    Nguyên, P.Q.: Cryptanalysis of the Goldreich-Goldwasser-Halevi Cryptosystem from Crypto 1997. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 288–304. Springer, Heidelberg (1999)Google Scholar
  26. 26.
    Nguyên, P.Q., Shparlinski, I.E.: The insecurity of the Digital Signature Algorithm with partially known nonces. Journal of Cryptology 15(3), 151–176 (2002)MATHCrossRefMathSciNetGoogle Scholar
  27. 27.
    Nguyên, P.Q., Stehlé, D.: Low-dimensional lattice basis reduction revisited (extended abstract). In: Buell, D.A. (ed.) ANTS 2004. LNCS, vol. 3076, pp. 338–357. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  28. 28.
    Nguyên, P.Q., Stehlé, D.: A 55-dimensional lattice which makes NTL [41]’s LLL_FP (with δ= 0.99) loop forever., Available at http://www.loria.fr/~stehle/FPLLL.html
  29. 29.
    Nguyên, P.Q., Stern, J.: Cryptanalysis of the Ajtai-Dwork Cryptosystem. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 223–242. Springer, Heidelberg (1998)Google Scholar
  30. 30.
    Nguyên, P.Q., Stern, J.: The two faces of lattices in cryptology. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 146–180. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  31. 31.
    Odlyzko, A.M.: The rise and fall of knapsack cryptosystems. In: Proc. of Symposia in Applied Mathematics, Cryptology and Computational Number Theory, vol. 42, pp. 75–88. A.M.S (1990)Google Scholar
  32. 32.
    The SPACES Project. MPFR, a LGPL-library for multiple-precision floating-point computations with exact rounding, http://www.mpfr.org/
  33. 33.
    Schnorr, C.P.: A hierarchy of polynomial lattice basis reduction algorithms. Th. Computer Science 53, 201–224 (1987)MATHCrossRefMathSciNetGoogle Scholar
  34. 34.
    Schnorr, C.P.: A more efficient algorithm for lattice basis reduction. J. of algorithms 9(1), 47–62 (1988)MATHCrossRefMathSciNetGoogle Scholar
  35. 35.
    Schnorr, C.P.: Fast LLL-type lattice reduction (October 2004), Unpublished draft, available at http://www.mi.informatik.uni-frankfurt.de/research/papers.html
  36. 36.
    Schnorr, C.P., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. In: Budach, L. (ed.) FCT 1991. LNCS, vol. 529, pp. 68–85. Springer, Heidelberg (1991)Google Scholar
  37. 37.
    Schnorr, C.P., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Programming 66, 181–199 (1994)CrossRefMathSciNetMATHGoogle Scholar
  38. 38.
    Schönhage, A.: Factorization of univariate integer polynomials by diophantine aproximation and an improved basis reduction algorithm. In: Paredaens, J. (ed.) ICALP 1984. LNCS, vol. 172, pp. 436–447. Springer, Heidelberg (1984)Google Scholar
  39. 39.
    Schönhage, A.: Fast reduction and composition of binary quadratic forms. In: Proc. of ISSAC 1991, pp. 128–133. ACM Press, New York (1991)CrossRefGoogle Scholar
  40. 40.
    Schönhage, A., Strassen, V.: Schnelle Multiplikation grosser Zahlen. Computing 7, 281–292 (1971)MATHCrossRefGoogle Scholar
  41. 41.
    Shoup, V.: NTL, Number Theory C++ Library, http://www.shoup.net/ntl/
  42. 42.
    Storjohann, A.: Faster algorithms for integer lattice basis reduction. Technical report, ETH Zurich (1996)Google Scholar
  43. 43.
    Wilkinson, J.H.: The algebraic eigenvalue problem. Oxford University Press, New-York (1988)MATHGoogle Scholar
  44. 44.
    Yap, C.K.: Fast unimodular reduction: Planar integer lattices. In: Proc. of the 33rd Annual Symposium on Foundations of Computer Science, pp. 437–446. IEEE, Los Alamitos (1992)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Phong Q. Nguên
    • 1
  • Damien Stehlé
    • 2
  1. 1.CNRS/École normale supérieure, DIParisFrance
  2. 2.Univ. Nancy 1/LORIAVillers-lès-NancyFrance

Personalised recommendations