Bounding basis reduction properties

The paper describes improved analysis techniques for basis reduction that allow one to prove strong complexity bounds and reduced basis guarantees for traditional reduction algorithms and some of their variants. This is achieved by a careful exploitation of the linear equations and inequalities relating various bit sizes before and after one or more reduction steps.

Early work by Lagrange [17] in two dimensions and by Hermite [15] in general dimensions culminated in the LLL algorithm of Lenstra et al. [18], which produces, in time polynomial in the bit size of an input basis, a reduced basis whose vectors have bit sizes bounded by a fixed multiple of the dimension. Many variants of the original LLL algorithm exist, so we have in fact a whole class of LLL algorithms. These are characterized by working at any time on 2-dimensional projected subspaces only, and are sufficient for many applications.
Stronger basis reduction algorithms are needed in case the LLL reduced basis is still not short enough. Korkine and Zolotareff [16] introduced what are today (after them and Hermite) called HKZ reduced bases, with excellent theoretical properties. But their computation is at present feasible only for low-dimensional lattices (up to dimension around 75). Thus one uses in practice block algorithms; these apply strong and expensive reduction techniques on low-dimensional projected subspaces only. Currently the best practical algorithms are the BKZ algorithm (Schnorr and Euchner [32]) and the recent self-dual SDBKZ variant of Micciancio and Walter [21] (called DBKZ there). On the other hand, the best theoretical guarantees for block algorithms are provided by the slide reduction algorithm of Gama and Nguyen [11], which is apparently inferior at currently practical block sizes.
In this paper, the approaches of Hanrot et al. [14] (used also in Micciancio and Walter [21]), Schnorr [31], and Gama and Nguyen [11] for the asymptotic worst-case analysis of LLL, BKZ, and SDBKZ are improved. The first improvement replaces the complicated dynamical system arguments of [14] by simpler and sharper induction arguments on a bound on the bit sizes. The second improvement is an analysis of a greedy variant of LLL that is quasilinear in the bit sizes and has a guarantee on the approximation factor. Based on the techniques of the present paper, Neumaier and Stehlé [23] present an analysis of another, recursive variant of LLL that gives the asymptotically fastest method so far.
To make the paper self-contained, we present the relevant background on lattices and basis reduction in a novel way, namely in terms of bit sizes and linear inequalities relating these. This form was inspired by Hanrot et al. [14], who reduced most of the complexity analysis of basis reduction methods to a study of linear equations and inequalities. Before their work, this underlying linear structure was invisible, since the analysis was, with the single exception of Schönhage [33, Lemma 4.1], always done in a multiplicative way.

Basic notions
This section provides basic definitions together with a collection of mostly well-known results put together in a form useful for the subsequent development. In view of further applications to be reported elsewhere, some of the results are presented in slightly greater generality than needed in this paper.

The bit profile
A lattice of dimension n is a nonempty subset L of the space R^m of m-dimensional column vectors with real entries (for some m) that is closed under subtraction and has a basis, i.e., a matrix B = [b_1, . . . , b_n] with n linearly independent columns b_i generating L. Conversely, if B ∈ R^{m×n} has rank n, then the set of all integral linear combinations of its columns is a lattice with basis B. With the Gram matrix G := B^T B, we define the determinant bit sizes

g_i := lg det G_{1:i}  (i = 0, . . . , n),  (1)

where G_{1:i} denotes the leading i × i submatrix of G; we call g_0, . . . , g_n the bit profile of the basis. Here lg x = ln x/ln 2 denotes the binary logarithm, and the determinant of a 0 × 0 matrix is taken to be 1, so that g_0 = 0. The dual lattice L† consists of the linear combinations y of lattice vectors such that y^T x is integral for all x ∈ L. If B is a basis of L then, with the permutation matrix J that reverses the order of the coordinates, B† := B G^{−1} J is a basis of L†, the reversed dual basis, with Gram matrix G† = J G^{−1} J. Since the leading subdeterminants of G† satisfy det G†_{1:i} = det G_{1:n−i}/det G, its determinant bit sizes are given by

g†_i = g_{n−i} − g_n.

For 1 ≤ i ≤ k ≤ n, B_{i:k} denotes the block obtained by projecting b_i, . . . , b_k orthogonally to b_1, . . . , b_{i−1}. It is customary to denote the first basis vector of the blocks B_{i:n} by b*_i; then ||b*_i||² = det G_{1:i}/det G_{1:i−1}, with the projected bit sizes

e_i := lg ||b*_i||² = g_i − g_{i−1}.

In particular, e_1 = lg ||b_1||² = g_1. We also use the normalized projected bit sizes u_i := e_i − g_n/n. They are invariant under rescaling of the basis by a constant factor, and we have u_1 + · · · + u_n = 0. From the differences a_i := e_1 − e_i and g_1 we can recover the whole bit profile. We call the maximal difference σ(g) of the e_i the spread of the basis.
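To make the definitions concrete, here is a small sketch (not from the paper; the helper name `bit_profile` is ours) computing the bit profile g_0, . . . , g_n and the projected bit sizes e_i of an integer basis exactly, via a rational LDLᵀ factorization of the Gram matrix, under the conventions g_i = lg det G_{1:i} and e_i = g_i − g_{i−1}; basis vectors are given as rows for convenience:

```python
from fractions import Fraction
from math import log2

def bit_profile(B):
    """Bit profile of a basis B (rows = basis vectors with integer entries).
    Uses an exact LDL^T factorization of the Gram matrix G of the rows:
    det G_{1:i} = d_1 * ... * d_i, where d_i = ||b*_i||^2 is the squared
    length of the i-th Gram-Schmidt vector."""
    n = len(B)
    # Gram matrix of the rows, computed exactly
    G = [[Fraction(sum(x * y for x, y in zip(bi, bj))) for bj in B] for bi in B]
    d = [Fraction(0)] * n                      # d[i] = ||b*_{i+1}||^2
    L = [[Fraction(0)] * n for _ in range(n)]  # unit lower triangular factor
    for i in range(n):
        for j in range(i):
            L[i][j] = (G[i][j] - sum(L[i][k] * L[j][k] * d[k] for k in range(j))) / d[j]
        d[i] = G[i][i] - sum(L[i][k] ** 2 * d[k] for k in range(i))
    e = [log2(di) for di in d]                 # projected bit sizes e_1, ..., e_n
    g = [0.0]                                  # g_0 = 0 (det of a 0x0 matrix is 1)
    for ei in e:
        g.append(g[-1] + ei)                   # g_i = e_1 + ... + e_i
    return g, e
```

For example, for B = [[2, 0], [1, 3]] the Gram matrix is [[4, 2], [2, 10]], so g = [0, 2, lg 36] and e = [2, lg 9].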
Proof We have Division by ik establishes the claim.
Daudé and Vallée [9] show that for a basis B of dimension n with random entries of sufficiently large bit sizes and under reasonable assumptions on the distribution, the spread σ(g) has an expected value < 5 + ln n. This kind of random basis is relevant in signal processing. On the other hand, unreduced lattice bases from cryptography (e.g., the Coppersmith lattices for polynomial factorization [8]) often have a spread of order n². LLL-reduced lattice bases have σ(g) = O(n); cf. (37) below. For graphical display, the bit profile g_i usually looks inconspicuous; the interesting information is in various differences. Figure 1 displays dg_i = g_i − (i/n) g_n, e_i, and u_i (cf. (10)) for the input basis and an LLL-reduced basis computed by fplll [37], for an example from the Coppersmith method and an example from a shortest vector problem from the SVP challenge page [4]. In the second problem, the entries e_1 ≈ 868 and u_1 ≈ 434 are not shown.

By definition of the Rankin invariants γ_{ni} of Gama et al. [10], every lattice has a basis for which the inequalities g_i ≤ lg γ_{ni} + (i/n) g_n hold. The most important special case of the Rankin invariants is the Hermite constant γ_n = γ_{n1}, the largest possible value of min_{0≠z∈Z^n} ||Bz||² for a matrix B of rank n with det(B^T B) = 1. What is known about Hermite constants and other Rankin invariants is reviewed in the Appendix; here we just note that γ_1 = 1 and γ_2 = 2/√3. In the following we shall need the constants

ℓ_n := lg γ_n,  μ_n := ℓ_n/(n − 1).  (11)

Primal and dual reduction
The goal of basis reduction is to construct from a given basis B of a lattice L another basis consisting of shorter vectors. Various criteria for reducedness quantify the extent to which this is achieved. We say that a basis B is size reduced if its Gram–Schmidt coefficients μ_{ik} = ⟨b_i, b*_k⟩/⟨b*_k, b*_k⟩ satisfy |μ_{ik}| ≤ 1/2 for all k < i. A basis B is primal reduced if the first basis vector b_1 is a shortest nonzero lattice vector; every leading block B_{1:i} is then also primal reduced. A basis B is dual reduced if the reversed dual basis is primal reduced; every trailing block B_{i:n} is then also dual reduced. The process of size reduction (resp. primal reduction, dual reduction) replaces an arbitrary basis by one that is size reduced (resp. primal reduced, dual reduced). Size reduction is achievable by subtracting, for i = 2, . . . , n, from b_i an appropriate integral linear combination of b_1, . . . , b_{i−1}. For block size s = 2, primal and dual reduction are equivalent. An efficient algorithm for performing the reduction of a block of size s = 2 goes back to the 18th century [17]; we therefore call this process Lagrange reduction. For primal or dual reduction of block size s > 2, one must first solve a shortest vector problem and then transform the basis accordingly; see Micciancio and Walter [21, Sect. 7] for economical procedures. The shortest vector problem (SVP) is the problem of finding, given a basis B, a shortest nonzero vector of the lattice L spanned by B, thus achieving the minimum length λ_1(B). In particular, this always holds for m = n.
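For block size s = 2, Lagrange reduction admits the following compact sketch (the standard Lagrange/Gauss procedure, not the paper's own pseudocode; the name `lagrange_reduce` is illustrative):

```python
def lagrange_reduce(b1, b2):
    """Lagrange (Gauss) reduction of a 2-dimensional lattice basis of
    integer vectors: returns a basis (b1, b2) of the same lattice with
    ||b1|| <= ||b2|| and 2 |<b1, b2>| <= ||b1||^2, so that b1 is a
    shortest nonzero vector of the lattice."""
    def dot(u, v):
        return sum(x * y for x, y in zip(u, v))
    if dot(b1, b1) > dot(b2, b2):
        b1, b2 = b2, b1
    while True:
        # size-reduce b2 against b1 by the nearest integer multiple;
        # the integer arithmetic computes round(<b1, b2> / <b1, b1>)
        num, den = dot(b1, b2), dot(b1, b1)
        q = (2 * num + den) // (2 * den)
        b2 = [x - q * y for x, y in zip(b2, b1)]
        if dot(b2, b2) >= dot(b1, b1):
            return b1, b2
        b1, b2 = b2, b1
```

For example, lagrange_reduce([3, 5], [4, 7]) returns a basis of the same lattice (determinant ±1) whose first vector has squared length 1.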
Proof We may write a shortest nonzero vector b = Bz as an integral linear combination of the basis vectors. Let k be the largest index with z_k ≠ 0; the claim then follows by treating the cases k < m and k ≥ m separately.

Proposition 2.3 (i) Upon primal reduction of a block B_{k:k+s−1}, the modified bit profile g′_i of B satisfies g′_i = g_i unless k ≤ i ≤ k + s − 2. (ii) Upon dual reduction of a block B_{k−s+2:k+1}, it satisfies g′_i = g_i unless k − s + 2 ≤ i ≤ k.

Proof (i) We apply (12) to the primal reduction of the block B_{k:k+s−1} and find (13). As a consequence, (ii) follows from (i) applied to the dual basis with n − k in place of k, using (3), which implies e†_i = −e_{n+1−i}.
Rescaling an arbitrary lattice basis B to one whose Gram matrix has determinant 1, the definition of the Hermite constants gives γ(B) ≤ γ_n. Clearly, γ(B) is basis-independent and depends only on the lattice generated by B. For a basis B of a random lattice (drawn uniformly according to the Haar measure; cf. Goldstein and Meyer [13]), Rogers [28] (see also Södergren [35]) proved a limiting formula (n → ∞) for the probability that γ(B) > γ, in which π_n := π^{n/2}/Γ(n/2 + 1), the volume of the unit ball in R^n, appears. This determines the median of γ(B), and hence that of n/γ(B), with an error of O(n^{−1}). The latter is monotone decreasing for n ≥ 12 and converges very slowly to 2eπ ≈ 17.08; it is approximately 20 for n between 60 and 75. The so-called Gaussian heuristic, obtained by a more informal sphere packing argument, assumes the slightly simpler formula γ(B) ≈ π^{−1} Γ(1 + n/2)^{2/n} with the same asymptotics. Unless n is large, both formulas give values that are too small; it may be better to use instead a corrected heuristic.

Proposition 2.4 (i) If the block B_{k:k+s−1} is primal reduced then

e_k ≤ ℓ_s + (g_{k+s−1} − g_{k−1})/s.  (20)

(ii) If the block B_{k−s+2:k+1} is dual reduced then

e_{k+1} ≥ −ℓ_s + (g_{k+1} − g_{k−s+1})/s.  (21)

Proof Upon scaling the subbasis B_{1:s}, the definition of the Hermite constants implies that det G_{1:1} ≤ γ_s (det G_{1:s})^{1/s}. Taking logarithms gives

g_1 ≤ ℓ_s + g_s/s,  (22)

and (22) applied to the block B_{k:k+s−1} gives (i). (ii) follows by applying (22) to the dual of the block B_{k−s+2:k+1}, with bit sizes derived from (3).
Given a basis of dimension n + 1 and determinant 1 (so that g_0 = g_{n+1} = 0), we may alternate primal reduction of B_{1:n} and dual reduction of B_{2:n+1} until g_1 no longer decreases. This is a finite process, as there are only finitely many vectors in the lattice shorter than any given vector. The resulting basis satisfies (20) and (21) with s = n, giving g_1 ≤ ℓ_n + g_n/n and g_n ≤ ℓ_n + g_1/n. Multiplying the first inequality by n and adding the second gives, after division by n − 1/n, g_1 ≤ n ℓ_n/(n − 1) = n μ_n. Since ℓ_{n+1} is the supremum of the left hand side over all bases of dimension n + 1 and determinant 1, we find μ_{n+1} ≤ μ_n, which is Mordell's inequality (Mordell [22]).
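The alternating reduction argument can be written out as a short derivation (a sketch in the bit-size notation, using the two inequalities obtained from (20) and (21) with s = n):

```latex
% Basis of dimension n+1 with determinant 1, so g_0 = g_{n+1} = 0.
% Primal reducedness of B_{1:n} gives, via (20),
g_1 \le \ell_n + \tfrac{g_n}{n},
% and dual reducedness of B_{2:n+1} gives, via (21),
g_n \le \ell_n + \tfrac{g_1}{n}.
% Multiply the first inequality by n and add the second:
n g_1 + g_n \le (n+1)\,\ell_n + g_n + \tfrac{g_1}{n},
\qquad\text{hence}\qquad
\Bigl(n - \tfrac1n\Bigr) g_1 \le (n+1)\,\ell_n .
% Division by n - 1/n yields
g_1 \le \tfrac{n}{n-1}\,\ell_n = n\,\mu_n .
% Since \ell_{n+1} is the supremum of g_1 over such bases,
\ell_{n+1} \le n\,\mu_n,
\qquad\text{i.e.}\qquad
\mu_{n+1} = \tfrac{\ell_{n+1}}{n} \le \mu_n .
```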

Basis quality
There are a number of indicators that quantify the quality of a reduced basis. Gama and Nguyen [12] define the Hermite factor of a basis; in terms of the bit profile, the corresponding Hermite exponent is h(g) := (g_1 − g_n/n)/(n − 1). If the basis is primal reduced then (17) gives (22). By definition of the Hermite constants, there are lattices of every dimension n for which no basis can have a better Hermite exponent.
The approximation factor (or length defect) of a basis B is the quotient of the length of its first basis vector by the length λ_1(B) of a shortest nonzero lattice vector; a(g) denotes the corresponding approximation exponent. If B_{m:n} is primal reduced then Proposition 2.2 implies a slightly stronger bound with a modified exponent. In a signal processing context, the corresponding factor is called the SIC proximity factor. The effective dimension is the smallest value of m for which (12) implies that the basis vectors b_k with k > m cannot contribute to a vector shorter than the first basis vector. We call the vectors b_i with i ≤ m the effective basis vectors, the Hermite exponent h(g_{1:m}) the effective Hermite exponent, and the approximation exponent a(g_{1:m}) the effective approximation exponent. By definition, the corresponding bounds still hold. Of interest is also the normalized spread c(g); cf. (8). Note that c(g) dominates the other indicators; thus proving a small bound on c(g) is the strongest form of reduction guarantee. If B is size reduced then the quality measures can be bounded using the QR factors. The orthogonality defect is the number comparing the product of the lengths of the basis vectors with the lattice determinant. Finally, we may also consider the mean slope

(e_1 − e_n)/(n − 1) = a_n/(n − 1)

of the sequence e_1, . . . , e_n, which is a mean curvature of the bit profile.

Block reduction
Limiting the size of the quality measures discussed in Sect. 2.3 is a key task to be achieved by basis reduction. In particular, one would like to have small, dimension-independent bounds for the numbers in (31).
The most frequently used algorithms for basis reduction are variants of the LLL algorithm of Lenstra et al. [18] and the BKZ algorithm of Schnorr and Euchner [32]. On the other hand, when primal or dual reductions are done for blocks of size at most s only (with fixed s), the currently best guarantees for the reduced basis are given (when s divides the dimension) by the slide reduction algorithm of Gama and Nguyen [11]. They showed that slide reduction yields a Hermite exponent bounded by the Mordell constant μ_s and a modified approximation exponent (cf. (31)) bounded by 2μ_s, appropriate since for a slide reduced basis B, the block B_{n−s+1:n} is primal reduced. Similar, only slightly inferior results were proved by Li and Wei [19] when the maximal block size does not divide the dimension.
In this section we first discuss a new greedy LLL algorithm that is quasilinear in the bit sizes (when fast integer multiplication is used) and achieves the same guarantees for the shortest vector as all LLL algorithms. Previously, the only quasilinear time LLL algorithms were those of Novocin et al. [26] and Hanrot et al. [14], who obtained a provable constant bound for the Hermite exponent and (in [26]) for the approximation exponent.
We then introduce a simple way to analyze the self-dual SDBKZ variant of the BKZ reduction algorithm, recently introduced by Micciancio and Walter [21], improving on the dynamical system technique of Hanrot et al. [14]. We reprove their bound μ s for the Hermite exponent [matching the first slide inequality in (32)] and prove a polynomial complexity result conjectured in [21]. The known techniques seem not sufficient to prove a bound for the approximation exponent of SDBKZ.

LLL algorithms
An LLL algorithm is a block reduction algorithm that operates only on blocks of size 2. The acronym LLL refers to the initials of Lenstra, Lenstra and Lovász, whose paper [18] contains the first such algorithm in arbitrary dimension and a proof of its polynomial complexity.
Proposition 3.1 (i) The decrease ε := g_k − g′_k achieved by a Lagrange reduction of the block B_{k:k+1} satisfies

(c_k − 2ℓ_2)/2 ≤ ε ≤ c_k,  (33)

where

c_k := 2g_k − g_{k−1} − g_{k+1} = e_k − e_{k+1}.  (34)

(ii) The maximal projected bit size max_i e_i never increases, and g_k ≥ g_n − (n − k)e for all k, where e := max_i e_i for the initial basis.

Proof ε ≥ 0 since a Lagrange step on the block B_{k:k+1} cannot increase g_k. By Proposition 2.4 it reduces c_k to c′_k = c_k − 2ε ≤ 2ℓ_2, giving the lower bound in (33). By Proposition 2.3, the new projected bit size is e′_k = e_k − ε ≥ e_{k+1}, whence ε ≤ e_k − e_{k+1} = 2g_k − g_{k−1} − g_{k+1} = c_k, giving the upper bound.
The first part of (ii) is an observation of Lenstra et al. [18, argument leading to (1.30)] that follows directly from (13). If e := max_i e_i for the initial basis then this bound also holds for all later bases, and by induction, g_k ≥ g_n − (n − k)e for all k. Since g_n remains invariant, this bounds all g_k from below.
A possible measure of the quality of a Lagrange reduction step is the amount g_k − g′_k by which g_k is reduced. If this is too small, there is no point in performing the Lagrange reduction. Except for part (ii), the following bounds are proved along the lines of [18].
(ii) If the final basis has effective dimension n_eff = n then the bound (39) holds. (iii) Given a basis whose components are integers of bit length at most β, an LLL algorithm performs a number of successful Lagrange reductions bounded by (40).
Proof Proposition 3.1(ii) implies that g_k can be reduced only finitely often by at least δ. Thus the algorithm necessarily stops.
(i) By Proposition 3.1(i), if c_k > 2ℓ_2 + 2δ for some k, the gain of a Lagrange reduction at position k is > δ, hence the reduction will be performed. Therefore no such k exists after convergence. This proves (35), and (36) follows. (37) now follows from (31), (30), and (8). Finally, one verifies the formula for the area by substituting the definition of the c_i into the sum and simplifying; this gives the bound (38). (ii) If n_eff = n then 0 < a_n = g_1 + g_{n−1} − g_n = c_1 + · · · + c_{n−1}, which gives (39). (iii) Under the stated assumptions, the entries of G are bounded by 2^{2β} n. The positive definiteness of G and Cramer's rule therefore bound the g_k, using k! ≤ k^k. Since g_k is nonnegative and decreases by at least δ with each reduction, it can be reduced at most g_k/δ times. Hence the total number N_tot of Lagrange reductions is bounded as in (40).

Greedy LLL algorithms
To turn the general recipe into an efficient algorithm we must decide upon the order in which Lagrange steps are performed. Traditionally, these are chosen in a way determined by a fixed loop structure. In this section we consider greedy choices, where in each step some utility measure is maximized. The measure in which we want to be greedy must be chosen carefully, in view of the following statement by Lovász on greediness in basis reduction: "It seemed that the less greedy you were, the better it worked. So I only swapped neighboring vectors and only swapped when you really made progress by a constant factor." (Smeets [34, p. 11]). Storjohann [36, p. 13] suggested performing each Lagrange step on the block B_{k:k+1} for which the lower bound δ_k from (33) on the amount that g_k decreases in a Lagrange reduction is largest. We shall call an algorithm that completes this description by a tie-breaking rule a basic greedy LLL algorithm. The basic greedy strategy can be observed experimentally to outperform many others. It was rediscovered by Zhao et al. [39] in the context of (low-dimensional) signal processing applications. Another greedy variant of LLL (and of slide reduction) was considered by Schnorr [31].
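A basic greedy LLL algorithm can be sketched as follows. This is our illustrative reconstruction, not the paper's pseudocode: it recomputes exact Gram–Schmidt data in every round (wasteful but simple), size-reduces, and then applies a Lagrange step at the position with the largest actual gain in g_k, a close relative of Storjohann's rule of maximizing the lower bound δ_k; the function names and the threshold δ = 99/100 are assumptions.

```python
from fractions import Fraction

def gram_schmidt(B):
    """Exact Gram-Schmidt data of the rows of B: returns (mu, d) with
    mu[i][j] = <b_i, b*_j>/<b*_j, b*_j> and d[i] = ||b*_i||^2."""
    n = len(B)
    mu = [[Fraction(0)] * n for _ in range(n)]
    d = [Fraction(0)] * n
    Bs = [[Fraction(x) for x in b] for b in B]   # b*_i, built in place
    for i in range(n):
        for j in range(i):
            mu[i][j] = sum(Fraction(x) * y for x, y in zip(B[i], Bs[j])) / d[j]
            Bs[i] = [x - mu[i][j] * y for x, y in zip(Bs[i], Bs[j])]
        d[i] = sum(x * x for x in Bs[i])
    return mu, d

def greedy_lll(B, delta=Fraction(99, 100)):
    """Greedy LLL sketch: size-reduce, then swap at the position k where
    the quotient (d[k+1] + mu[k+1][k]^2 d[k]) / d[k], the factor by which
    ||b*_k||^2 would shrink in a Lagrange step, is smallest, while < delta."""
    B = [list(b) for b in B]
    n = len(B)
    while True:
        mu, d = gram_schmidt(B)
        # size reduction (nearest-integer translations, highest j first)
        for i in range(1, n):
            for j in range(i - 1, -1, -1):
                q = round(mu[i][j])
                if q:
                    B[i] = [x - q * y for x, y in zip(B[i], B[j])]
                    for t in range(j):
                        mu[i][t] -= q * mu[j][t]
                    mu[i][j] -= q
        # greedy choice: position with the largest gain in g_k
        best, best_num, best_den = None, None, None
        for k in range(n - 1):
            new_dk = d[k + 1] + mu[k + 1][k] ** 2 * d[k]
            if new_dk < delta * d[k]:
                if best is None or new_dk * best_den < best_num * d[k]:
                    best, best_num, best_den = k, new_dk, d[k]
        if best is None:
            return B   # size reduced; Lovasz condition holds everywhere
        B[best], B[best + 1] = B[best + 1], B[best]
```

Termination follows from the classical potential argument, since every swap shrinks one ||b*_k||^2 by a factor < δ; the output is size reduced and satisfies the Lovász condition at every position.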
When β is large and n is fixed, a basic greedy LLL algorithm typically performs only O(1 + lg β) Lagrange reductions, which is much less than the bound (40). While a complexity bound of O(1 + lg β) Lagrange reductions was proved by Hanrot et al. [14] for a cyclic LLL algorithm that performs Lagrange reductions on the blocks B_{k:k+1} in increasing cyclic order, it seems impossible to prove an unconditional logarithmic complexity result for the basic greedy LLL algorithm. Schnorr [31] obtained only partial results, and had to assume an obscure technical condition with an early termination exit that endangers the quality of the reduced basis.
The main difficulty in the analysis is the possibility that the bit profile (which in the most typical cases has, apart from small random-looking deviations, an essentially concave, nearly quadratic shape, reflected in a nearly monotone decreasing e_i sequence) may exhibit large discontinuities. The top example of Fig. 1 illustrates such an atypical case from applications. Even more atypical cases arise when the effective dimension is less than the full dimension. Although one expects these cases to be reduced even more quickly than the regularly shaped ones, the tools presently available do not seem to allow one to demonstrate this.² The technical obstacles can be overcome by changing the measure according to which the greedy choice is made.
A special greedy LLL algorithm applies Lagrange reductions always to blocks B_{k:k+1} that maximize a scaling invariant measure of the expected gain, where c_k is given by (34), until all of these measures are < ε, where ε > 0 is a small threshold. We may analyse the behavior of this greedy rule in terms of the potential p defined in (44). The proof of Theorem 3.1 shows that (38), which is the area under the bit profile, is a reasonable measure of how far a basis is from being reduced. If all terms in the sum (44) are positive then p = 2A(g) − (n − 1)g_n is, up to a constant shift, twice this area; in general, p may be larger, accounting for an irregular behavior of the bit profile. The potential is a convex, nonnegative function of the g_i; therefore it attains its maximum at a vertex of any convex constraint set. Given only the dimension n and the maximal bit size β of a basis with integral coefficients, the maximum potential under the constraints (41) is attained for a profile where each g_i ∈ {0, iβ}. Writing K := {i | g_i ≠ 0 = g_{i−1}}, we find that the worst case for the potential has the form p = Σ_{i∈K} 2i(i − 1)β, which is largest when K = {n, n − 2, n − 4, . . .}, leading to an initial bound for the potential.

Footnote 2: Using A(g) as potential, one could proceed at first as in the proof of Theorem 3.2 below. However, the difficulty is to find, after the analogue of p* has been reached, a bound for the number of iterations that depends on n only, in order to preserve the logarithmic complexity in β implicit in the lg q term of Theorem 3.2. To get this bound one can use Theorem 3.1(ii), but only when its hypothesis applies. Thus everything is fine with the basic greedy strategy if the effective dimension equals the full dimension. However, if the effective dimension decreases during the iteration, control is lost, and one has only the general complexity bound from Theorem 3.1, which is linear in β, not logarithmic. This is counterintuitive since in practice, a problem with a decreased effective dimension tends to take less work than a "full" problem.
The following theorem shows that a special greedy LLL algorithm has a marginally better complexity than the cyclic LLL algorithm of Hanrot et al. [14], and at the same time gives stronger guarantees for the resulting reduced basis. (Hanrot et al. prove a constant bound on the Hermite exponent, but their method of analysis is unable to bound the approximation exponent.) Here p_init is the potential of the input basis to a special greedy LLL algorithm. The algorithm stops after N_tot ≤ N_0 Lagrange reductions, and it returns a basis for which, for 1 ≤ i ≤ k ≤ n − 1, the quantities max{2h(g), a(g), a_n/(n − 1)} satisfy the bounds (48).

Proof We put the p_i so that the potential (44) takes the form (50); then (34) implies, by induction, bounds on the individual p_i. Summing these bounds for the p_i gives p ≤ (n³ − n)/3 = 2L_n. We conclude a lower bound on the maximal gain measure at every iteration. By Proposition 3.1, Lagrange reduction of the block B_{k:k+1} changes the p_i in a controlled way; the special greedy strategy guarantees in particular that p_k ≥ 0, by (51). To bound the resulting gain in the potential (50) from below, we distinguish three cases. Case 1: Both p_{k−1} ≤ 0 and p_k ≤ 0; then p′_{k−1} ≤ 0, and the bound follows. Case 2: p_{k−1} > 0 but p_k ≤ 0; then the bound follows using (52) and (33). The remaining case is similar. This covers all cases, and we conclude from (51), (55), and (53) that every Lagrange reduction produces a sufficient gain in the potential. Now suppose first that q > 1. Then after at most L := ⌈L_n ln q⌉ ≤ 1 + L_n ln q Lagrange reductions we have p ≤ L_n + p*, and therefore the algorithm stops after at most another (L_n + p*)/ε Lagrange reductions, where ε > 0 is the threshold of the special greedy algorithm. It follows that the total number of Lagrange reductions is bounded by p*/ε + 1 + L_n(1 + ln q). On the other hand, if q ≤ 1 then there is essentially no geometric decay, and the algorithm stops after at most p_init/ε Lagrange reductions. This proves the complexity bound.
A basis is LLL reduced in the traditional sense if the second alternative in (45) holds for all k. This is guaranteed by our theorem only when no final p_k is tiny or negative. In view of (43), tiny or negative p_k indicate a temporary barrier for reduction, which may or may not be lifted in later iterations. The final reduced basis is LLL reduced only in case all such barriers are ultimately lifted. However, greedy LLL reduction guarantees for the most important key quality measures the same bounds (48) as a fully LLL reduced basis. (If needed, a fully LLL reduced basis can be obtained by continuing the LLL reduction as long as at least one of the reductions improves some g_k by more than 1/2.) If a basis B is greedy LLL reduced, the mean slope a_n/(n − 1) is bounded by the dimension-independent constant 2ℓ_2 = 2 − lg 3 ≈ 0.415 obtained from (48). For random reduced bases, the factor is better. A Lagrange reduced and size reduced basis with Cholesky factor [[r_1, s r_1], [0, r_2]] has r_1²/r_2² ≤ 1/(1 − s²), hence a_2 = lg(r_1²/r_2²) ≤ −lg(1 − s²); thus the expectation of a_2 is bounded accordingly. The empirical bound 0.16 for LLL-reduced bases of random lattices, calculated from remarks in Nguyen and Stehlé [24], is somewhere in between.

SDBKZ reduction
In 2011, Hanrot et al. [14] introduced a variant of the BKZ algorithm of Schnorr and Euchner [32] that organizes individual primal reduction steps into tours, in such a way that the effect of a whole tour can be quantified. Hanrot et al. showed that exploiting the bit size inequalities introduced above reduces much of the complexity analysis to a study of linear equations and inequalities. Before their work, this underlying linear structure was invisible, since the analysis was, with the single exception of Schönhage [33, Lemma 4.1], always done in a multiplicative way.
Micciancio and Walter [21] use this technique to partially analyze a self-dual variant of the BKZ algorithm called SDBKZ. In this algorithm, given some block size s (2 < s < n), tours of primal reduction of the blocks B_{i:i+s−1} for i = 1, . . . , n − s and tours of dual reduction of the blocks B_{i−s+2:i+1} for i = n − 1, n − 2, . . . , s alternate until no reduction gives an improvement.³ Assuming termination of the algorithm (which apparently happens in practice but has not been demonstrated in theory), they proved for the resulting reduced basis the same bound μ_s on the Hermite exponent as one has for a slide reduced basis.
In the following, we simplify the complicated analysis of Hanrot et al. [14]. In particular, we present-as conjectured in [21]-a way to terminate the SDBKZ algorithm in polynomial time while essentially preserving the theoretical guarantees of the original SDBKZ. Moreover, the analysis suggests a way to skip certain reduction steps in the tours without compromising the quality of the output, thereby speeding up the algorithm.
Our analysis of the SDBKZ algorithm is based on a new global measure of the quality of a basis. As we saw in the analysis of the LLL algorithm, basis reduction amounts to shrinking the bit profile by making the bit sizes g i smaller. This can be done independently when the block size is s = 2, which allows an elegant analysis of LLL algorithms. However, reducing one of the g i by primal or dual reduction of a block of size s > 2 has an effect on some of the neighboring bit sizes that is not easy to quantify. One therefore needs to look for a suitable quality measure that has a predictable behavior under block primal or dual reduction.
The basic new idea is to consider the tightest parabolic dome that sits above the bit profile g_0, . . . , g_n and interpolates the two end points. By setting up the interpolation conditions, one finds that the curvature of the dome is characterized by the bit defect μ. In particular, μ is an upper bound for the Hermite exponent (24). When the bit defect is large, the dome is highly curved, and one expects to be able to gain a lot through reduction; when the bit defect is tiny or even negative, the dome is flat or bowl-shaped, and only little can be gained.
One may now consider how the bit defect changes when one or more primal or dual reductions are applied to a basis. It turns out that this indeed works well for the cyclic BKZ algorithm analyzed in [14]; cf. the remarks further below. However, in order to apply the idea to the SDBKZ algorithm (which has the better theoretical bound on the Hermite exponent), we need to take into account that this algorithm does not perform any reductions of small blocks at the lower and upper end. For optimal results, one therefore needs to work with truncated versions of the bit defect, defined for a fixed block size s > 2. The primal bit defect is the smallest number μ such that In particular, the case i = 1 says that the Hermite exponent (24) satisfies h(g) ≤ μ. If at some point μ ≤ μ s , this implies the bound μ s on the Hermite exponent guaranteed for slide reduction. Similarly, the dual bit defect is the smallest number μ † such that A small dual bit defect implies a good Hermite exponent of the dual basis.
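The dome picture can be made computational. As an illustration, assume that the untruncated (symmetric) bit defect is the smallest μ with g_i ≤ (i/n) g_n + i(n − i) μ for 0 < i < n; this normalization i(n − i) is our assumption, chosen to be consistent with the case i = 1 quoted above, not a formula taken verbatim from the paper. Then the defect is a maximum of finitely many ratios:

```python
def bit_defect(g):
    """Smallest mu with g_i <= (i/n) g_n + i (n - i) mu for 0 < i < n:
    the curvature of the tightest parabolic dome above the bit profile
    g = [g_0, ..., g_n] that interpolates the end points g_0 = 0 and g_n.
    For i = 1 this yields the Hermite-exponent bound h(g) <= mu."""
    n = len(g) - 1
    return max((g[i] - i * g[n] / n) / (i * (n - i)) for i in range(1, n))
```

For the exactly parabolic profile g = [0, 3, 4, 3, 0] the defect is 1; for a linear profile it is 0, matching the intuition that a flat dome leaves nothing to be gained.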
The following theorem implies that, when started from an LLL reduced basis, the SDBKZ algorithm comes in polynomial time arbitrarily close to satisfying μ ≤ μ_s. Theorem 3.3 Let N_tot(μ*) be the number of (primal or dual) tours needed to reach (58) with μ ≤ μ*, when starting the SDBKZ algorithm with a dual tour. Then N_tot(μ*) is polynomially bounded. Proof We first note that Proposition 2.4 gives the estimate (60) after primal reduction of the block B_{i:i+s−1}, and the estimate (61) after dual reduction of the block B_{i−s+2:i+1}. We define μ′ and N accordingly and show by induction that if μ > μ_s then at the end of the dual tour following the computation of μ, (62) holds, i.e., the dual bit defect is now bounded by μ′. Indeed, this holds trivially for i = n. Suppose that i < n and that (62) holds with i + 1 in place of i. In step i < n of the dual tour, g_{i+1} has already been changed to g′_{i+1}. Noting that g′_n = g_n, (61) gives the required estimate: we put δ := μ − μ_s > 0, substitute, and simplify, using the choice of N. Thus (62) holds for i, and hence in general. If μ ≤ μ_s, the goal is already achieved. Otherwise, we show that at the end of the subsequent primal tour, (63) holds with the corresponding μ′, i.e., the primal bit defect is now bounded by μ′. Again, this is proved by induction. Since g_0 = 0, (60) gives for i = 1 the required inequality, since, as one easily shows, N ≥ (n − 1)/(s − 1). This proves (63) for i = 1. Now suppose that (63) holds with i − 1 in place of i. In step i > 1 of the primal tour, g_{i−1} has already been changed to g′_{i−1}. Hence (60) gives the required estimate: we again put δ := μ − μ_s > 0, substitute, and simplify, using the choice of N. Thus (63) holds for i, and hence in general. As a consequence of (64), as long as the value of μ − μ_s remains positive, it decreases in every Nt tours by a factor of at least e^t. This proves the theorem.
Without compromising the complexity order, one may run the algorithm in practice for up to O(n²) additional tours beyond those needed to reach μ ≤ μ*, where μ* is taken slightly larger than μ_s. Since the a priori bound derived above is somewhat pessimistic for most (or even all?) lattice bases, a significantly smaller μ can typically be achieved. It is clear from the argument that only those reductions must be carried out for which g_i does not yet satisfy the bound guaranteed by the above analysis; thus only those reductions are carried out where g_i is nearly largest when measured in the correct units. This introduces an element of laziness into the algorithm and speeds it up without affecting the worst case bound for the number of tours. For getting the first basis vector small quickly, it is also beneficial to begin the reduction with a dual rather than a primal tour: a dual tour transports poor basis vectors towards higher indices and thus improves the quality of the leading blocks, which is then immediately exploited in the first step of the primal tour.
The cyclic variant of the BKZ algorithm analyzed in Hanrot et al. [14] proceeds by using primal tours only, but these are extended to shorter blocks towards the end of the basis. In this case, a similar analysis works, with the same N but using the symmetric bit defect defined by (57). The resulting new proof (whose details are left to the reader) is far simpler than that of [14] and yields the same convergence rate as given above for SDBKZ, which is a factor of approximately 16 better than the bound on the rate derived in [14]. The final bound on μ, and hence the Hermite factor resulting for BKZ, is slightly weaker than that for SDBKZ.
Unfortunately, neither the above technique nor the original technique of Hanrot et al. is able to bound the approximation exponent or the enumeration exponent. In particular, unlike BKZ (where Schnorr [30] gives bounds on the approximation exponent) and slide reduction, SDBKZ is (at present) not guaranteed to find a very short vector in case λ_1(B) is much smaller than the trivial Hermite bound γ_n d_n^{1/n}. (One could of course bound the approximation exponent by performing O(n) runs of SDBKZ according to the recipe of Lovász [20, p. 25].)

Acknowledgements Open access funding provided by the University of Vienna. Partial financial support by the ERC Starting Grant ERC-2013-StG-335086-LATTAC is gratefully acknowledged. Most of this work was done while the author was on sabbatical at the LIP Computer Science Laboratory of the École Normale Supérieure de Lyon. I want to thank Damien Stehlé for many interesting discussions during that time, and Shi Bai for providing the data for the figures. Thanks also to Daniele Micciancio and Michael Walter for useful remarks on an earlier version of the paper.
Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

Appendix: Hermite constants and Rankin invariants
The exact value of the Hermite constants γ_n is known in dimensions n ≤ 8 [3] and n = 24 [6]. Table 1 contains these values, the derived constants ℓ_n and μ_n from (11), and the corresponding extremal lattices, which, in these dimensions, happen to be unique up to isomorphism [38].