LenstraLenstraLovsz lattice basis reduction algorithm - Wikipedia, th... http://en.wikipedia.org/wiki/LenstraLenstraLovsz_lattice_basis_red...

LenstraLenstraLovsz lattice basis reduction algorithm

From Wikipedia, the free encyclopedia

The LLL-reduction algorithm (LenstraLenstraLovsz lattice basis reduction) is a polynomial time lattice reduction algorithm invented by Arjen Lenstra, Hendrik Lenstra and Lszl Lovsz in 1982, see Lenstra, Lenstra & Lovsz 1982. Given as input a basis with n-dimensional integer coordinates, for a lattice L in Rn with orthogonal) lattice basis in time . where B is the largest of the lengths of the bi under the Euclidean norm. The original applications were to give polynomial time algorithms for factorizing polynomials with rational coefficients into irreducible polynomials, for finding simultaneous rational approximations to real numbers, and for solving the integer linear programming problem in fixed dimensions. , the LLL algorithm outputs an LLL-reduced (short, nearly

Contents
1 LLL reduction 2 LLL Algorithm 3 Example 4 Applications 5 Implementations 6 See also 7 Notes 8 References

LLL reduction
The precise definition of LLL-reduced is as follows: Given a basis

with its GramSchmidt process orthogonal basis,

define , for any .

Then the basis B is LLL-reduced if there exists a parameter in (0.25,1] such that the following holds: 1. (size-reduced) For reduction of the ordered basis. . By definition, this property guarantees the length

1 de 7

03/02/2012 11:30

LenstraLenstraLovsz lattice basis reduction algorithm - Wikipedia, th... http://en.wikipedia.org/wiki/LenstraLenstraLovsz_lattice_basis_red...

2. (Lovsz condition) For k = 2,3,..,n

Here, estimating the value of the parameter, we can conclude how well the basis is reduced. Greater values of lead to stronger reductions of the basis. Initially, A. Lenstra, H. Lenstra and L. Lovsz demonstrated the LLL-reduction algorithm for . Note that although LLL-reduction is well-defined for = 1, the

polynomial-time complexity is guaranteed only for in (0.25,1). The LLL algorithm computes LLL-reduced bases. There is no known efficient algorithm to compute a basis in which the basis vectors are as short as possible for lattices of dimensions greater than 4. However, an LLL-reduced basis is nearly as short as possible, in the sense that there are absolute bounds ci > 1 such that the first basis vector is no more than c1 times as long as a shortest vector in the lattice, the second basis vector is likewise within c2 of the second successive minimum, and so on.

LLL Algorithm
The following description is based on (Cohen 2000, Algorithm 2.6.3), but currently is incorrect. INPUT: a lattice basis parameter with PROCEDURE: Perform Gram-Schmidt: ,

for i from 2 to n do for j from 1 to i 1 do

end for end for k: = 2 (k is the stage at which the vectors size-reduced property 1.) if then execute reduction subroutine RED(k,k-1): for l from k 1 to 1 do

are reduced according to

bk: = bk rbl for j from 1 to l 1 do k,j: = k,j rl,j

end for

k,l: = k,l r

2 de 7

03/02/2012 11:30

LenstraLenstraLovsz lattice basis reduction algorithm - Wikipedia, th... http://en.wikipedia.org/wiki/LenstraLenstraLovsz_lattice_basis_red...

end for end if Calculate i,j for 1 while and Bi for i from 1 to n

do Length reduce bk and correct k,j according to reduction subroutine in step 4, for j from 1 till k 1 if then Exchange bk and bk 1 k:= max (2,k 1) else

k: = k + 1
end if end while OUTPUT: LLL reduced basis

Example
The following presents an example due to W. Bosma.[1] INPUT: Let a lattice basis , be given by the columns of

Then according to the LLL algorithm we obtain the following:

1.

2.For i = 2 DO:

2.1.For j = 1 set

and

3 de 7

03/02/2012 11:30

LenstraLenstraLovsz lattice basis reduction algorithm - Wikipedia, th... http://en.wikipedia.org/wiki/LenstraLenstraLovsz_lattice_basis_red...

2.2

3. 4.Here the step 4 of the LLL algorithm is skipped as size-reduced property holds for 2,1

5.For i = 3 and for j = 1,2 calculate i,j and Bi:

hence

and

hence

and

6.While

DO

6.1 Length reduce b3 and correct 3,1 and 3,2 according to reduction subroutine in step 4: For EXECUTE reduction subroutine RED(3,1):

i.

and

ii.

iii.Set

4 de 7

03/02/2012 11:30

LenstraLenstraLovsz lattice basis reduction algorithm - Wikipedia, th... http://en.wikipedia.org/wiki/LenstraLenstraLovsz_lattice_basis_red...

For

EXECUTE reduction subroutine RED(3,2):

i.

and

ii.Set

iii.

6.2 As 6.2.1 Exchange b3 and b2 6.2.2 k:= 2

takes place, then

Apply a SWAP, continue algorithm with the lattice basis, which is given by columns

Implement the algorithm steps again. 1.

2.

3.

4.

5.For

EXECUTE reduction subroutine RED(2,1):

i.

and

5 de 7

03/02/2012 11:30

LenstraLenstraLovsz lattice basis reduction algorithm - Wikipedia, th... http://en.wikipedia.org/wiki/LenstraLenstraLovsz_lattice_basis_red...

ii.Set

6. As 7. Exchange b2 and b1 OUTPUT: LLL reduced basis

takes place, then

Applications
The LLL algorithm has found numerous other applications in MIMO detection algorithms and cryptanalysis of public-key encryption schemes: knapsack cryptosystems, RSA with particular settings, NTRUEncrypt, and so forth. The algorithm can be used to find integer solutions to many problems.[2] In particular, the LLL algorithm forms a core of one of the integer relation algorithms. For example, if it is believed that r=1.618034 is a (slightly rounded) root to a quadratic equation with integer coefficients, one 4 2 may apply the LLL reduction to the lattice in R spanned by [1,0,0,10000r ],[0,1,0,10000r], and [0,0,1,10000]. The first vector in the reduced basis will be an integer linear combination of these three, 2 thus necessarily of the form [a,b,c,10000(ar + br + c)]; but such a vector is "short" only if a, b, c are 2 small and ar + br + c is even smaller. Thus the first three entries of this short vector are likely to be the coefficients of the integral quadratic polynomial which has r as a root. In this example the LLL algorithm 2 finds the shortest vector to be [1, -1, -1, 0.00025] and indeed x x 1 has a root equal to 1.6180339887(The Golden Ratio)

Implementations
LLL is implemented in Arageli (http://www.arageli.org/) as the function lll_reduction_int fpLLL (http://perso.ens-lyon.fr/damien.stehle) as a stand-alone implementation GAP as the function LLLReducedBasis LiDIA (http://www.informatik.tu-darmstadt.de/TI/LiDIA/) as the function/method lll in the LT package Macaulay2 as the function LLL in the package LLLBases Magma as the functions LLL and LLLGram (taking a gram matrix) Maple as the function IntegerRelations[LLL] Mathematica as the function LatticeReduce Number Theory Library (NTL) (http://shoup.net/ntl) as the function LLL PARI/GP as the function qflll Sage as the method LLL driven by fpLLL and NTL

See also
Coppersmith method
6 de 7 03/02/2012 11:30

LenstraLenstraLovsz lattice basis reduction algorithm - Wikipedia, th... http://en.wikipedia.org/wiki/LenstraLenstraLovsz_lattice_basis_red...

Notes
1. ^ Bosma, Wieb. "4. LLL" (http://www.math.ru.nl/~bosma/onderwijs/voorjaar07/compalg7.pdf) . Lecture notes. http://www.math.ru.nl/~bosma/onderwijs/voorjaar07/compalg7.pdf. Retrieved 28 February 2010. 2. ^ D. Simon (2007). "Selected applications of LLL in number theory" (http://www.math.unicaen.fr/~simon/maths /lll25_Simon.pdf) . LLL+25 Conference (Caen, France). http://www.math.unicaen.fr/~simon/maths /lll25_Simon.pdf.

References
Borwein, Peter (2002). Computational Excursions in Analysis and Number Theory. ISBN 0-387-95444-9. Cohen, Henri (2000). A course in computational algebraic number theory. GTM. 138. Springer. ISBN 3540556400. Lenstra, A. K.; Lenstra, H. W., Jr.; Lovsz, L. (1982). "Factoring polynomials with rational coefficients". Mathematische Annalen 261 (4): 515534. doi:10.1007/BF01457454 (http://dx.doi.org/10.1007%2FBF01457454) . MR0682664 (http://www.ams.org/mathscinetgetitem?mr=0682664) . hdl:1887/3810 (http://hdl.handle.net/1887%2F3810) . Retrieved from "http://en.wikipedia.org/w/index.php?title=Lenstra%E2%80%93Lenstra%E2%80%93Lov %C3%A1sz_lattice_basis_reduction_algorithm&oldid=471181388" Categories: Theory of cryptography Computational number theory Lattice points This page was last modified on 13 January 2012 at 18:13. Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply. See Terms of use for details. Wikipedia is a registered trademark of the Wikimedia Foundation, Inc., a non-profit organization.

7 de 7

03/02/2012 11:30