![Page 1: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/1.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Lattice reduction algorithms
Damien Stehle(Some slides courtesy of Shi Bai)(Bibliography: see proceedings)
ENS de Lyon
July 25th 2017
D. Stehle Lattice reduction algorithms 25/07/2017 1/56
![Page 2: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/2.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Goal and roadmap
An overview of the algorithmic aspects of lattice reduction
1 Background on lattices
2 Solving the Shortest Vector Problem
3 The dynamics of lattice reduction
4 Blocking techniques
5 Approximations
D. Stehle Lattice reduction algorithms 25/07/2017 2/56
![Page 3: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/3.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Euclidean lattices
Lattice ≡{∑
i≤n xibi : xi ∈ Z},
for linearly indep. bi ’s in Rn,referred to as lattice basis
Bases are not unique, but canbe obtained from one another byinteger transforms of determinant ±1:[−2 110 6
]=
[4 −32 4
]·[
1 12 1
]Lattice reduction
Find a short basis, given an arbitrary one
D. Stehle Lattice reduction algorithms 25/07/2017 3/56
![Page 4: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/4.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Euclidean lattices
Lattice ≡{∑
i≤n xibi : xi ∈ Z},
for linearly indep. bi ’s in Rn,referred to as lattice basis
Bases are not unique, but canbe obtained from one another byinteger transforms of determinant ±1:[−2 110 6
]=
[4 −32 4
]·[
1 12 1
]Lattice reduction
Find a short basis, given an arbitrary one
D. Stehle Lattice reduction algorithms 25/07/2017 3/56
![Page 5: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/5.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Euclidean lattices
Lattice ≡{∑
i≤n xibi : xi ∈ Z},
for linearly indep. bi ’s in Rn,referred to as lattice basis
Bases are not unique, but canbe obtained from one another byinteger transforms of determinant ±1:[−2 110 6
]=
[4 −32 4
]·[
1 12 1
]Lattice reduction
Find a short basis, given an arbitrary one
D. Stehle Lattice reduction algorithms 25/07/2017 3/56
![Page 6: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/6.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Lattice invariants
Minimumλ(L) = min { ‖b‖ : b ∈ L \ 0 }
Determinantdet L = | det(bi)i |, for any basis
Minkowski theorem
λ(L) ≤√n · (det L)
1n , for any L of dim n
Lattice reduction
Find a basis that is short comparedto λ(L) and/or (det L)
1n
D. Stehle Lattice reduction algorithms 25/07/2017 4/56
![Page 7: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/7.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Lattice invariants
Minimumλ(L) = min { ‖b‖ : b ∈ L \ 0 }
Determinantdet L = | det(bi)i |, for any basis
Minkowski theorem
λ(L) ≤√n · (det L)
1n , for any L of dim n
Lattice reduction
Find a basis that is short comparedto λ(L) and/or (det L)
1n
D. Stehle Lattice reduction algorithms 25/07/2017 4/56
![Page 8: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/8.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Lattice invariants
Minimumλ(L) = min { ‖b‖ : b ∈ L \ 0 }
Determinantdet L = | det(bi)i |, for any basis
Minkowski theorem
λ(L) ≤√n · (det L)
1n , for any L of dim n
Lattice reduction
Find a basis that is short comparedto λ(L) and/or (det L)
1n
D. Stehle Lattice reduction algorithms 25/07/2017 4/56
![Page 9: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/9.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Lattice invariants
Minimumλ(L) = min { ‖b‖ : b ∈ L \ 0 }
Determinantdet L = | det(bi)i |, for any basis
Minkowski theorem
λ(L) ≤√n · (det L)
1n , for any L of dim n
Lattice reduction
Find a basis that is short comparedto λ(L) and/or (det L)
1n
D. Stehle Lattice reduction algorithms 25/07/2017 4/56
![Page 10: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/10.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
The Shortest Vector Problem
SVPγ, γ ≥ 1
Given as input a basis matrix B of a lattice L, find x ∈ Zn s.t.
0 < ‖Bx‖ ≤ γ · λ(L)
HSVPγ, γ ≥ 1 (Hermite-SVP)
Given as input a basis matrix B of a lattice L, find x ∈ Zn s.t.
0 < ‖Bx‖ ≤ γ · (det L)1/(dim L)
The dimension drives computational hardness
SVP is NP-hard under prob. reductions for γ ≤ O(1)
The problems get easier when γ increases
HSVP and SVP reduce to one another (up to increases of γ)
D. Stehle Lattice reduction algorithms 25/07/2017 5/56
![Page 11: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/11.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
The Shortest Vector Problem
SVPγ, γ ≥ 1
Given as input a basis matrix B of a lattice L, find x ∈ Zn s.t.
0 < ‖Bx‖ ≤ γ · λ(L)
HSVPγ, γ ≥ 1 (Hermite-SVP)
Given as input a basis matrix B of a lattice L, find x ∈ Zn s.t.
0 < ‖Bx‖ ≤ γ · (det L)1/(dim L)
The dimension drives computational hardness
SVP is NP-hard under prob. reductions for γ ≤ O(1)
The problems get easier when γ increases
HSVP and SVP reduce to one another (up to increases of γ)
D. Stehle Lattice reduction algorithms 25/07/2017 5/56
![Page 12: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/12.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Why do we care?
Lots of computational problems can be cast as findinga short vector in a lattice.
Communication theory: white Gaussian noise channel
Combinatorial optimization: integer linear programming
Number theory: invariants of number fields
Cryptanalysis: knapsacks, RSA variants, lattice-based crypto
Computer algebra: factorisation of integer polynomials
D. Stehle Lattice reduction algorithms 25/07/2017 6/56
![Page 13: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/13.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Example 1: Reconstructing an algebraic number
Let α ∈ R algebraic, and Pα its minimal polynomial.How to recover Pα from an approximation α of α?
L :=
1 α α2 . . . αd
ε 0 0 . . . 00 ε 0 . . . 00 0 ε . . . 0
. . .
0 0 0 . . . ε
· Zd+1
For d = degPα, ε small and |α− α| small,any short enough vector in L leads to Pα.
We want to be able to do that!
D. Stehle Lattice reduction algorithms 25/07/2017 7/56
![Page 14: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/14.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Example 1: Reconstructing an algebraic number
Let α ∈ R algebraic, and Pα its minimal polynomial.How to recover Pα from an approximation α of α?
L :=
1 α α2 . . . αd
ε 0 0 . . . 00 ε 0 . . . 00 0 ε . . . 0
. . .
0 0 0 . . . ε
· Zd+1
For d = degPα, ε small and |α− α| small,any short enough vector in L leads to Pα.
We want to be able to do that!
D. Stehle Lattice reduction algorithms 25/07/2017 7/56
![Page 15: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/15.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Example 1: Reconstructing an algebraic number
Let α ∈ R algebraic, and Pα its minimal polynomial.How to recover Pα from an approximation α of α?
L :=
1 α α2 . . . αd
ε 0 0 . . . 00 ε 0 . . . 00 0 ε . . . 0
. . .
0 0 0 . . . ε
· Zd+1
For d = degPα, ε small and |α− α| small,any short enough vector in L leads to Pα.
We want to be able to do that!
D. Stehle Lattice reduction algorithms 25/07/2017 7/56
![Page 16: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/16.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Example 2: Collisions in Ajtai’s hash function
Ajtai’s hash function
Let n� m, t � q and A ∈ (Z/qZ)n×m. We define:
hA :{−t, . . . ,+t}m → (Z/qZ)n
x 7→ A · x mod q
Finding a collision is finding x 6= 0 small in
L := {x ∈ Zm : A · x = 0 mod q}.
We want this to be intractable!
D. Stehle Lattice reduction algorithms 25/07/2017 8/56
![Page 17: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/17.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Example 2: Collisions in Ajtai’s hash function
Ajtai’s hash function
Let n� m, t � q and A ∈ (Z/qZ)n×m. We define:
hA :{−t, . . . ,+t}m → (Z/qZ)n
x 7→ A · x mod q
Finding a collision is finding x 6= 0 small in
L := {x ∈ Zm : A · x = 0 mod q}.
We want this to be intractable!
D. Stehle Lattice reduction algorithms 25/07/2017 8/56
![Page 18: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/18.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Roadmap
1 Background on lattices
2 Solving the Shortest Vector Problem
3 The dynamics of lattice reduction
4 Blocking techniques
5 Approximations
Solving SVPγ with γ = 1“Optimal reduction”: HKZ
D. Stehle Lattice reduction algorithms 25/07/2017 9/56
![Page 19: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/19.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
QR factorization
QTQ = IR up-triangular with positive diagonal entries‖Bx‖ = ‖Rx‖Rx =(∑
i≥1
r1ixi ,∑i≥2
r2ixi , . . . , rn−1,n−1xn−1 + rn−1,nxn, rnnxn
)D. Stehle Lattice reduction algorithms 25/07/2017 10/56
![Page 20: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/20.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
QR factorization
QTQ = IR up-triangular with positive diagonal entries‖Bx‖ = ‖Rx‖Rx =(∑
i≥1
r1ixi ,∑i≥2
r2ixi , . . . , rn−1,n−1xn−1 + rn−1,nxn, rnnxn
)D. Stehle Lattice reduction algorithms 25/07/2017 10/56
![Page 21: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/21.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
QR factorization
QTQ = IR up-triangular with positive diagonal entries‖Bx‖ = ‖Rx‖Rx =(∑
i≥1
r1ixi ,∑i≥2
r2ixi , . . . , rn−1,n−1xn−1 + rn−1,nxn, rnnxn
)D. Stehle Lattice reduction algorithms 25/07/2017 10/56
![Page 22: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/22.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Solving SVP by enumeration
(∑i≥1
r1ixi ,∑i≥2
r2ixi , . . . , rn−1,n−1xn−1 + rn−1,nxn, rnnxn
)
Set a norm bound S
List all xn ∈ Z s.t. |rnn · xn| ≤ S
For each xn, list all xn−1 ∈ Z s.t. the partial vector(rn−1,n−1xn−1 + rn−1,nxn, rnnxn) has norm ≤ S
etc
For each (xn, xn−1, . . . , x2), list all possible x1 ∈ Z
D. Stehle Lattice reduction algorithms 25/07/2017 11/56
![Page 23: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/23.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Enumeration
This is a search of leaves in a big tree:
Depth-first search ⇒ Poly(n) memoryZig-zag around the centerWell-suited for parallelizationCan do (heuristic) tree pruning
Huge cost, growing with S , 1/rnn, 1/(rnnrn−1,n−1), . . .
S can be chosen tightly in many casesThe last rii ’s can be increased with lattice reduction
D. Stehle Lattice reduction algorithms 25/07/2017 12/56
![Page 24: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/24.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Enumeration versus other SVP solvers
Timeupper bound
Spaceupper bound
via enumeration[FiPo’83,Kan’83,HaSt’07]
nn/(2e)+o(n) Poly(n) Deterministic
via sieving[AjKuSi’01,PuSt’09]
22.247n+o(n) 21.325n+o(n) Probabilistic
via heuristic sieving[MiVo’10,BDGL’16]
20.292n+o(n) 20.292n+o(n) Heuristic
via Voronoi cell[MiVo’10]
22n+o(n) 2n+o(n) Deterministic
via Gaussians[ADRS’16]
2n+o(n) 2n+o(n) Probabilistic
D. Stehle Lattice reduction algorithms 25/07/2017 13/56
![Page 25: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/25.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
In practice, enumeration wins
D. Stehle Lattice reduction algorithms 25/07/2017 14/56
![Page 26: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/26.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Interlude: implementations of lattice algorithms
MAGMA, PARI-GP, NTL, Maple, Mathematica, SAGE, etc
Reference implementation: fplll
C++, with a Python interface (fpylll)
GNU LGPL
hosted on github
enumeration, sieving, LLL, BKZ
D. Stehle Lattice reduction algorithms 25/07/2017 15/56
![Page 27: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/27.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
What if we want a full short basis?
Enumeration gives a single vector...
HKZ-reduction (Hermite Korkine Zolotarev)
R up-triangular is HKZ-reduced if
r11 = λ(L(R))
and (rij)i ,j>1 is HKZ-reduced
Minkowski’s theorem implies that for all i ≤ n:
rii ≤√n − i + 1 ·
(n∏j=i
rjj
) 1n−i+1
If these are equalities, then fixing the last one fixes them all.
D. Stehle Lattice reduction algorithms 25/07/2017 16/56
![Page 28: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/28.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
What if we want a full short basis?
Enumeration gives a single vector...
HKZ-reduction (Hermite Korkine Zolotarev)
R up-triangular is HKZ-reduced if
r11 = λ(L(R))
and (rij)i ,j>1 is HKZ-reduced
Minkowski’s theorem implies that for all i ≤ n:
rii ≤√n − i + 1 ·
(n∏j=i
rjj
) 1n−i+1
If these are equalities, then fixing the last one fixes them all.
D. Stehle Lattice reduction algorithms 25/07/2017 16/56
![Page 29: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/29.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Shape of HKZ-reduced bases
ρi := log rii ∼ log2(n − i + 1)
D. Stehle Lattice reduction algorithms 25/07/2017 17/56
![Page 30: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/30.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Roadmap
1 Background on lattices
2 Solving the Shortest Vector Problem
3 The dynamics of lattice reduction
4 Blocking techniques
5 Approximations
Open problems:
1 When does sieving beat enumeration?
2 Can we make heuristic sieving less heuristic?
3 Is HKZ-reduction “optimal”?
D. Stehle Lattice reduction algorithms 25/07/2017 18/56
![Page 31: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/31.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Roadmap
1 Background on lattices
2 Solving the Shortest Vector Problem
3 The dynamics of lattice reduction
4 Blocking techniques
5 Approximations
D. Stehle Lattice reduction algorithms 25/07/2017 19/56
![Page 32: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/32.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
From n(n + 1)/2 to n variables: size-reduction
. . .... . . .
... . . .rii . . . rij . . .
. . .... . . .rjj . . .
. . .
·
. . .
1 −b rijriie
. . .
1
. . .
⇒ |r (new)
ij | ≤ rii2
( Go from left to right, and bottom to top )
Triangular linear system solving, with roundings
Number of arithmetic steps: O(n2) per column
The magnitudes of the rationals can grow by afactor 2O(n) during the computation
D. Stehle Lattice reduction algorithms 25/07/2017 20/56
![Page 33: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/33.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
From n(n + 1)/2 to n variables: size-reduction
. . .... . . .
... . . .rii . . . rij . . .
. . .... . . .rjj . . .
. . .
·
. . .
1 −b rijriie
. . .
1
. . .
⇒ |r (new)
ij | ≤ rii2
( Go from left to right, and bottom to top )
Triangular linear system solving, with roundings
Number of arithmetic steps: O(n2) per column
The magnitudes of the rationals can grow by afactor 2O(n) during the computation
D. Stehle Lattice reduction algorithms 25/07/2017 20/56
![Page 34: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/34.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
From n(n + 1)/2 to n variables: size-reduction
. . .... . . .
... . . .rii . . . rij . . .
. . .... . . .rjj . . .
. . .
·
. . .
1 −b rijriie
. . .
1
. . .
⇒ |r (new)
ij | ≤ rii2
( Go from left to right, and bottom to top )
Triangular linear system solving, with roundings
Number of arithmetic steps: O(n2) per column
The magnitudes of the rationals can grow by afactor 2O(n) during the computation
D. Stehle Lattice reduction algorithms 25/07/2017 20/56
![Page 35: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/35.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
From n(n + 1)/2 to n variables: size-reduction
. . .... . . .
... . . .rii . . . rij . . .
. . .... . . .rjj . . .
. . .
·
. . .
1 −b rijriie
. . .
1
. . .
⇒ |r (new)
ij | ≤ rii2
( Go from left to right, and bottom to top )
Triangular linear system solving, with roundings
Number of arithmetic steps: O(n2) per column
The magnitudes of the rationals can grow by afactor 2O(n) during the computation
D. Stehle Lattice reduction algorithms 25/07/2017 20/56
![Page 36: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/36.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Size-reduction: updating B
D. Stehle Lattice reduction algorithms 25/07/2017 21/56
![Page 37: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/37.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Where are we now?
Goal of lattice reduction
Given R ∈ Rn×n up-triangular, find U ∈ GLn(Z)s.t. the R-factor of R ·U has small diagonal coeffs
Constraint: the product of the rii ’s is constant.
We want to
make the first rii ’s small
prevent the rii ’s from decreasing fast
HKZ is too costly
D. Stehle Lattice reduction algorithms 25/07/2017 22/56
![Page 38: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/38.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Where are we now?
Goal of lattice reduction
Given R ∈ Rn×n up-triangular, find U ∈ GLn(Z)s.t. the R-factor of R ·U has small diagonal coeffs
Constraint: the product of the rii ’s is constant.
We want to
make the first rii ’s small
prevent the rii ’s from decreasing fast
HKZ is too costly
D. Stehle Lattice reduction algorithms 25/07/2017 22/56
![Page 39: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/39.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Where are we now?
Goal of lattice reduction
Given R ∈ Rn×n up-triangular, find U ∈ GLn(Z)s.t. the R-factor of R ·U has small diagonal coeffs
Constraint: the product of the rii ’s is constant.
We want to
make the first rii ’s small
prevent the rii ’s from decreasing fast
HKZ is too costly
D. Stehle Lattice reduction algorithms 25/07/2017 22/56
![Page 40: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/40.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
The LLL strategy (Lenstra Lenstra Lovasz)
Take any i such that ri+1,i+1 � rii , and swap bi and bi+1
D. Stehle Lattice reduction algorithms 25/07/2017 23/56
![Page 41: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/41.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
The LLL strategy (Lenstra Lenstra Lovasz)
Take any i such that ri+1,i+1 � ri ,i , and swap bi and bi+1
(rnewi ,i )2 = r 2i+1,i+1 + r 2
i ,i+1 ≤ r 2i+1,i+1 + r 2
i ,i/4
r 2i+1,i+1 ≤ (3/4) · r 2
i ,i ⇒ (rnewi ,i )2 ≤ r 2i ,i
ri+1,i+1 cannot go wild, as rnewi+1,i+1 · rnewi ,i = ri+1,i+1 · ri ,i .
D. Stehle Lattice reduction algorithms 25/07/2017 24/56
![Page 42: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/42.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
The LLL strategy (Lenstra Lenstra Lovasz)
Take any i such that ri+1,i+1 � ri ,i , and swap bi and bi+1
(rnewi ,i )2 = r 2i+1,i+1 + r 2
i ,i+1 ≤ r 2i+1,i+1 + r 2
i ,i/4
r 2i+1,i+1 ≤ (3/4) · r 2
i ,i ⇒ (rnewi ,i )2 ≤ r 2i ,i
ri+1,i+1 cannot go wild, as rnewi+1,i+1 · rnewi ,i = ri+1,i+1 · ri ,i .
D. Stehle Lattice reduction algorithms 25/07/2017 24/56
![Page 43: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/43.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
The LLL strategy (Lenstra Lenstra Lovasz)
Take any i such that ri+1,i+1 � ri ,i , and swap bi and bi+1
(rnewi ,i )2 = r 2i+1,i+1 + r 2
i ,i+1 ≤ r 2i+1,i+1 + r 2
i ,i/4
r 2i+1,i+1 ≤ (3/4) · r 2
i ,i ⇒ (rnewi ,i )2 ≤ r 2i ,i
ri+1,i+1 cannot go wild, as rnewi+1,i+1 · rnewi ,i = ri+1,i+1 · ri ,i .
D. Stehle Lattice reduction algorithms 25/07/2017 24/56
![Page 44: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/44.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
LLL as sandpile flattening
If rii � ri+1,i+1, do bi ↔ bi+1.
If ρi � ρi+1, decrease ρi by C and increase ρi+1 by C .
D. Stehle Lattice reduction algorithms 25/07/2017 25/56
![Page 45: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/45.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
LLL as sandpile flattening
If rii � ri+1,i+1, do bi ↔ bi+1.
If ρi � ρi+1, decrease ρi by C and increase ρi+1 by C .
D. Stehle Lattice reduction algorithms 25/07/2017 25/56
![Page 46: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/46.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
LLL as sandpile flattening
If rii � ri+1,i+1, do bi ↔ bi+1.
If ρi � ρi+1, decrease ρi by C and increase ρi+1 by C .
D. Stehle Lattice reduction algorithms 25/07/2017 25/56
![Page 47: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/47.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
LLL as sandpile flattening
If rii � ri+1,i+1, do bi ↔ bi+1.
If ρi � ρi+1, decrease ρi by C and increase ρi+1 by C .
D. Stehle Lattice reduction algorithms 25/07/2017 25/56
![Page 48: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/48.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
LLL as sandpile flattening
If rii � ri+1,i+1, do bi ↔ bi+1.
If ρi � ρi+1, decrease ρi by C and increase ρi+1 by C .
D. Stehle Lattice reduction algorithms 25/07/2017 25/56
![Page 49: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/49.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
LLL as sandpile flattening
If rii � ri+1,i+1, do bi ↔ bi+1.
If ρi � ρi+1, decrease ρi by C and increase ρi+1 by C .
D. Stehle Lattice reduction algorithms 25/07/2017 25/56
![Page 50: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/50.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example
D. Stehle Lattice reduction algorithms 25/07/2017 26/56
![Page 51: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/51.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example
D. Stehle Lattice reduction algorithms 25/07/2017 26/56
![Page 52: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/52.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example
D. Stehle Lattice reduction algorithms 25/07/2017 26/56
![Page 53: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/53.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example
D. Stehle Lattice reduction algorithms 25/07/2017 26/56
![Page 54: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/54.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example
D. Stehle Lattice reduction algorithms 25/07/2017 26/56
![Page 55: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/55.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example
D. Stehle Lattice reduction algorithms 25/07/2017 26/56
![Page 56: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/56.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example
D. Stehle Lattice reduction algorithms 25/07/2017 26/56
![Page 57: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/57.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example
D. Stehle Lattice reduction algorithms 25/07/2017 26/56
![Page 58: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/58.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example
D. Stehle Lattice reduction algorithms 25/07/2017 26/56
![Page 59: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/59.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example
D. Stehle Lattice reduction algorithms 25/07/2017 26/56
![Page 60: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/60.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example
D. Stehle Lattice reduction algorithms 25/07/2017 26/56
![Page 61: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/61.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Convergence of LLL
The LLL potential
Π :=∑
i≤n(n − i + 1) · ρi
Weighted amount of sand to be moved to the right
For each swap, it decreases by at least a constant
Number of loop iterations of LLL
O(n2 log ‖B‖) loop iterations, if the input basis B is integral.
D. Stehle Lattice reduction algorithms 25/07/2017 27/56
![Page 62: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/62.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Convergence of LLL
The LLL potential
Π :=∑
i≤n(n − i + 1) · ρi
Weighted amount of sand to be moved to the right
For each swap, it decreases by at least a constant
Number of loop iterations of LLL
O(n2 log ‖B‖) loop iterations, if the input basis B is integral.
D. Stehle Lattice reduction algorithms 25/07/2017 27/56
![Page 63: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/63.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Convergence of LLL
The LLL potential
Π :=∑
i≤n(n − i + 1) · ρi
Weighted amount of sand to be moved to the right
For each swap, it decreases by at least a constant
Number of loop iterations of LLL
O(n2 log ‖B‖) loop iterations, if the input basis B is integral.
D. Stehle Lattice reduction algorithms 25/07/2017 27/56
![Page 64: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/64.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
The BKZ-LLL strategy
For i = 1, 2, . . . , n − 1 and over and over again,
HKZ-reduce
(ri ,i ri+1,i
0 ri+1,i+1
)
D. Stehle Lattice reduction algorithms 25/07/2017 28/56
![Page 65: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/65.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
The BKZ-LLL strategy
For i = 1, 2, . . . , n − 1 and over and over again,
HKZ-reduce
(ri ,i ri+1,i
0 ri+1,i+1
)
By Minkowski’s theorem:
rnewi ,i ≤√
4/3 · (ri ,i · ri+1,i+1)1/2
ri+1,i+1 cannot go wild, as rnewi+1,i+1 · rnewi ,i = ri+1,i+1 · ri ,i .
D. Stehle Lattice reduction algorithms 25/07/2017 29/56
![Page 66: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/66.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
The BKZ-LLL strategy
For i = 1, 2, . . . , n − 1 and over and over again,
HKZ-reduce
(ri ,i ri+1,i
0 ri+1,i+1
)
By Minkowski’s theorem:
rnewi ,i ≤√
4/3 · (ri ,i · ri+1,i+1)1/2
ri+1,i+1 cannot go wild, as rnewi+1,i+1 · rnewi ,i = ri+1,i+1 · ri ,i .
D. Stehle Lattice reduction algorithms 25/07/2017 29/56
![Page 67: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/67.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
A sandpile model for BKZ-LLL
Regularity assumption: Each HKZ-reduction gives
rnewi ,i =√
4/3 · (ri ,i · ri+1,i+1)1/2
ρ←
1/2 1/2 0 01/2 1/2 0 0
0 0 1 0
. . .
0 0 0 1
· ρ +
log√
4/3
− log√
4/30
.
.
.0
ρ←
1 0 0 00 1/2 1/2 00 1/2 1/2 0
. . .
0 0 0 1
· ρ +
0
log√
4/3
− log√
4/3
.
.
.0
etc
A full tour: ρ← A · ρ + Γ
D. Stehle Lattice reduction algorithms 25/07/2017 30/56
![Page 68: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/68.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Analyses of BKZ-LLL
Discrete-time affine dynamical system
A full tour: ρ← A · ρ + Γ
Output quality ← Fix-point
Speed of convergence ← Second largest eigenvalue
Neumaier’s potential
ν := maxi<n
1
n − i
(∑j≤i ρj
i−∑
j≤n ρj
n
).
(∑
j≤i ρj)/i is a smoothed proxy for ρi .
The definition is justified by the fact we expect the ρi ’sto decrease linearly after reduction
D. Stehle Lattice reduction algorithms 25/07/2017 31/56
![Page 69: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/69.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Analyses of BKZ-LLL
Discrete-time affine dynamical system
A full tour: ρ← A · ρ + Γ
Output quality ← Fix-point
Speed of convergence ← Second largest eigenvalue
Neumaier’s potential
ν := maxi<n
1
n − i
(∑j≤i ρj
i−∑
j≤n ρj
n
).
(∑
j≤i ρj)/i is a smoothed proxy for ρi .
The definition is justified by the fact we expect the ρi ’sto decrease linearly after reduction
D. Stehle Lattice reduction algorithms 25/07/2017 31/56
![Page 70: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/70.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Cost/quality of BKZ-LLL vs LLL
LLL BKZ-LLL
SVP’s γ (√
4/3 + ε)n−1 ?
HSVP’s γ (√
4/3 + ε)(n−1)/2 (√
4/3)(n−1)/2(1 + ε)Iterations n2 · log ‖B‖ n3 · log log ‖B‖
(SVP: γ = r11/λ1, HSVP: γ = r11/ det1/n)
D. Stehle Lattice reduction algorithms 25/07/2017 32/56
![Page 71: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/71.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Roadmap
1 Background on lattices
2 Solving the Shortest Vector Problem
3 The dynamics of lattice reduction
4 Blocking techniques
5 Approximations
Open problems:
1 SVP rather than HSVP for BKZ-LLL?
2 Can we prove a lower bound on the speed of convergence?
3 Algorithms that do not belong to this framework?
D. Stehle Lattice reduction algorithms 25/07/2017 33/56
![Page 72: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/72.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Roadmap
1 Background on lattices
2 Solving the Shortest Vector Problem
3 The dynamics of lattice reduction
4 Blocking techniques
5 Approximations
Blocking to improve efficiencyBlocking to improve reducedness
D. Stehle Lattice reduction algorithms 25/07/2017 34/56
![Page 73: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/73.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Cost of LLL
Text-book LLL:
O(n2 log ‖B‖) loop iterations
O(n2) arithmetic operations per iteration
R represented with rationals of bit-lengths O(n log ‖B‖)⇒ Cost is O(n5 log2 ‖B‖)
Using BKZ-LLL:
O(n3) · O(n2) · O(n log ‖B‖) = O(n6 log ‖B‖)
D. Stehle Lattice reduction algorithms 25/07/2017 35/56
![Page 74: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/74.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Cost of LLL
Text-book LLL:
O(n2 log ‖B‖) loop iterations
O(n2) arithmetic operations per iteration
R represented with rationals of bit-lengths O(n log ‖B‖)⇒ Cost is O(n5 log2 ‖B‖)
Using BKZ-LLL:
O(n3) · O(n2) · O(n log ‖B‖) = O(n6 log ‖B‖)
D. Stehle Lattice reduction algorithms 25/07/2017 35/56
![Page 75: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/75.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Blocking allows to stay local
Local is more efficient
As long as i stays in a length k interval, then R-updates andsize-reductions have costs that depend on k and not on n.
. . . . . .ri,i . . . ri,i+k−1
. . ....
ri+k−1,i+k−1
...
. . .
Used to decrease the impact of n onthe cost
Cost depends on n only when ienters or exits the interval
May be combined with fastlinear algebra
D. Stehle Lattice reduction algorithms 25/07/2017 36/56
![Page 76: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/76.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Blocking allows to stay local
Local is more efficient
As long as i stays in a length k interval, then R-updates andsize-reductions have costs that depend on k and not on n.
. . . . . .ri,i . . . ri,i+k−1
. . ....
ri+k−1,i+k−1
...
. . .
Used to decrease the impact of n onthe cost
Cost depends on n only when ienters or exits the interval
May be combined with fastlinear algebra
D. Stehle Lattice reduction algorithms 25/07/2017 36/56
![Page 77: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/77.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Cost of updating a block
To minimize cost, stay within a block for longMay use recursive blocking to reduce the cost furtherLocality seems incompatible with fast convergence
D. Stehle Lattice reduction algorithms 25/07/2017 37/56
![Page 78: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/78.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Cost of updating a block
To minimize cost, stay within a block for longMay use recursive blocking to reduce the cost furtherLocality seems incompatible with fast convergence
D. Stehle Lattice reduction algorithms 25/07/2017 37/56
![Page 79: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/79.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Neumaier-S.’16: both global and local
Global to limit the impact of log ‖B‖ on the cost
Local to limit the impact of n on the cost
Recursive calls in dim. k , withblocks that overlap by half
At the bottom of the recursion,use 2-dim. reduction
2-dim. reduction costsO(n log ‖B‖)
Total cost: O(n4 log ‖B‖)
D. Stehle Lattice reduction algorithms 25/07/2017 38/56
![Page 80: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/80.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Neumaier-S.’16: both global and local
Global to limit the impact of log ‖B‖ on the cost
Local to limit the impact of n on the cost
Recursive calls in dim. k , withblocks that overlap by half
At the bottom of the recursion,use 2-dim. reduction
2-dim. reduction costsO(n log ‖B‖)
Total cost: O(n4 log ‖B‖)
D. Stehle Lattice reduction algorithms 25/07/2017 38/56
![Page 81: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/81.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Neumaier-S.’16: both global and local
Global to limit the impact of log ‖B‖ on the cost
Local to limit the impact of n on the cost
Recursive calls in dim. k , withblocks that overlap by half
At the bottom of the recursion,use 2-dim. reduction
2-dim. reduction costsO(n log ‖B‖)
Total cost: O(n4 log ‖B‖)
D. Stehle Lattice reduction algorithms 25/07/2017 38/56
![Page 82: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/82.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Neumaier-S.’16: both global and local
Global to limit the impact of log ‖B‖ on the cost
Local to limit the impact of n on the cost
Recursive calls in dim. k , withblocks that overlap by half
At the bottom of the recursion,use 2-dim. reduction
2-dim. reduction costsO(n log ‖B‖)
Total cost: O(n4 log ‖B‖)
D. Stehle Lattice reduction algorithms 25/07/2017 38/56
![Page 83: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/83.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Neumaier-S.’16: both global and local
Global to limit the impact of log ‖B‖ on the cost
Local to limit the impact of n on the cost
Recursive calls in dim. k , withblocks that overlap by half
At the bottom of the recursion,use 2-dim. reduction
2-dim. reduction costsO(n log ‖B‖)
Total cost: O(n4 log ‖B‖)
D. Stehle Lattice reduction algorithms 25/07/2017 38/56
![Page 84: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/84.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Blocking to improve reducedness
LLL and its variants achieve exponential (H)SVPapproximation factors in polynomial-time
Can we do better by paying more?
BKZ (Block Korkine-Zolotarev)
HKZ calls in dim. k , withblocks that overlap by k − 1
Quality improves as blocksare more reduced
Cost grows as 2O(k)
D. Stehle Lattice reduction algorithms 25/07/2017 39/56
![Page 85: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/85.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Blocking to improve reducedness
LLL and its variants achieve exponential (H)SVPapproximation factors in polynomial-time
Can we do better by paying more?
BKZ (Block Korkine-Zolotarev)
HKZ calls in dim. k , withblocks that overlap by k − 1
Quality improves as blocksare more reduced
Cost grows as 2O(k)
D. Stehle Lattice reduction algorithms 25/07/2017 39/56
![Page 86: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/86.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Blocking to improve reducedness
LLL and its variants achieve exponential (H)SVPapproximation factors in polynomial-time
Can we do better by paying more?
BKZ (Block Korkine-Zolotarev)
HKZ calls in dim. k , withblocks that overlap by k − 1
Quality improves as blocksare more reduced
Cost grows as 2O(k)
D. Stehle Lattice reduction algorithms 25/07/2017 39/56
![Page 87: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/87.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Blocking to improve reducedness
LLL and its variants achieve exponential (H)SVPapproximation factors in polynomial-time
Can we do better by paying more?
BKZ (Block Korkine-Zolotarev)
HKZ calls in dim. k , withblocks that overlap by k − 1
Quality improves as blocksare more reduced
Cost grows as 2O(k)
D. Stehle Lattice reduction algorithms 25/07/2017 39/56
![Page 88: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/88.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
![Page 89: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/89.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
![Page 90: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/90.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
![Page 91: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/91.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
![Page 92: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/92.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
![Page 93: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/93.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
![Page 94: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/94.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
![Page 95: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/95.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
![Page 96: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/96.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
![Page 97: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/97.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
![Page 98: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/98.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
![Page 99: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/99.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
![Page 100: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/100.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
![Page 101: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/101.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
![Page 102: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/102.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
![Page 103: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/103.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
![Page 104: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/104.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
![Page 105: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/105.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
![Page 106: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/106.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
![Page 107: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/107.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
![Page 108: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/108.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
![Page 109: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/109.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
![Page 110: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/110.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
![Page 111: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/111.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
![Page 112: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/112.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
![Page 113: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/113.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
![Page 114: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/114.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
![Page 115: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/115.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ40
D. Stehle Lattice reduction algorithms 25/07/2017 40/56
![Page 116: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/116.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
![Page 117: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/117.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
![Page 118: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/118.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
![Page 119: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/119.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
![Page 120: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/120.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
![Page 121: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/121.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
![Page 122: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/122.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
![Page 123: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/123.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
![Page 124: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/124.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
![Page 125: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/125.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
![Page 126: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/126.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
![Page 127: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/127.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
![Page 128: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/128.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
![Page 129: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/129.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
![Page 130: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/130.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
![Page 131: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/131.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
![Page 132: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/132.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
![Page 133: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/133.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
![Page 134: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/134.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
![Page 135: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/135.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
![Page 136: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/136.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
![Page 137: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/137.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
![Page 138: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/138.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
![Page 139: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/139.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
![Page 140: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/140.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
![Page 141: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/141.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
![Page 142: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/142.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
![Page 143: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/143.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
On a real example: BKZ70
D. Stehle Lattice reduction algorithms 25/07/2017 41/56
![Page 144: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/144.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
BKZ, asymptotically
HKZ BKZk LLL ≈ BKZ2
‖b1‖/(det L)1n√n ' k
n2k 2O(n)
Time∗ 2O(n) 2O(k) × Poly(n) Poly(n)∗Omitting arithmetic costs
Lattice reduction rule of thumb (neglecting poly. factors)
Time 2O(k) =⇒ approx. factor γ = kO(n/k)
or, equivalently
Approx. factor γ costs time(
1 + nlog γ
)O(1+ nlog γ )
.
D. Stehle Lattice reduction algorithms 25/07/2017 42/56
![Page 145: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/145.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
BKZ, asymptotically
HKZ BKZk LLL ≈ BKZ2
‖b1‖/(det L)1n√n ' k
n2k 2O(n)
Time∗ 2O(n) 2O(k) × Poly(n) Poly(n)∗Omitting arithmetic costs
Lattice reduction rule of thumb (neglecting poly. factors)
Time 2O(k) =⇒ approx. factor γ = kO(n/k)
or, equivalently
Approx. factor γ costs time(
1 + nlog γ
)O(1+ nlog γ )
.
D. Stehle Lattice reduction algorithms 25/07/2017 42/56
![Page 146: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/146.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Roadmap
1 Background on lattices
2 Solving the Shortest Vector Problem
3 The dynamics of lattice reduction
4 Blocking techniques
5 Approximations
Open problems:
1 Faster LLL-type reduction than O(n4 log ‖B‖)2 Accurate predictive model for BKZk with large k
3 Good code for BKZk with large k
D. Stehle Lattice reduction algorithms 25/07/2017 43/56
![Page 147: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/147.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Roadmap
1 Background on lattices
2 Solving the Shortest Vector Problem
3 The dynamics of lattice reduction
4 Blocking techniques
5 Approximations
D. Stehle Lattice reduction algorithms 25/07/2017 44/56
![Page 148: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/148.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Bit-complexity of LLL and practical run-time
Text-book LLL terminates in O(n4 log2 ‖B‖) bit operations
With MAGMA V2.19:
> n := 35; B := RMatrixSpace(Integers(),n,n)!0;
> for i:=1 to n do
> B[i][i]:=1; B[i][1]:=RandomBits(5000);
> end for;
> time C := LLL(B:Method:=‘‘Integral’’);
Time: 70.380> time C := LLL(B);
Time: 1.560
D. Stehle Lattice reduction algorithms 25/07/2017 45/56
![Page 149: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/149.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
The exact and approximate approaches
The exact approach
IntegralBasis
−→ RationalQR
⇓ ⇓⇓ Z-operations ⇓⇓ ←− ⇓⇓ ←− ⇓⇓ ←− ⇓...
......
We get a reduced basis... but
QR dominates the cost
The approximate approach
IntegralBasis
−→ Floating-ptQR
⇓ ⇓⇓ Z-operations ⇓⇓ ←− ⇓⇓ ←− ⇓⇓ ←− ⇓...
......
This is faster... but
This is highly unstable
D. Stehle Lattice reduction algorithms 25/07/2017 46/56
![Page 150: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/150.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
The exact and approximate approaches
The exact approach
IntegralBasis
−→ RationalQR
⇓ ⇓⇓ Z-operations ⇓⇓ ←− ⇓⇓ ←− ⇓⇓ ←− ⇓...
......
We get a reduced basis... but
QR dominates the cost
The approximate approach
IntegralBasis
−→ Floating-ptQR
⇓ ⇓⇓ Z-operations ⇓⇓ ←− ⇓⇓ ←− ⇓⇓ ←− ⇓...
......
This is faster... but
This is highly unstable
D. Stehle Lattice reduction algorithms 25/07/2017 46/56
![Page 151: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/151.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
The exact and approximate approaches
The exact approach
IntegralBasis
−→ RationalQR
⇓ ⇓⇓ Z-operations ⇓⇓ ←− ⇓⇓ ←− ⇓⇓ ←− ⇓...
......
We get a reduced basis... but
QR dominates the cost
The approximate approach
IntegralBasis
−→ Floating-ptQR
⇓ ⇓⇓ Z-operations ⇓⇓ ←− ⇓⇓ ←− ⇓⇓ ←− ⇓...
......
This is faster... but
This is highly unstable
D. Stehle Lattice reduction algorithms 25/07/2017 46/56
![Page 152: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/152.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
The exact and approximate approaches
The exact approach
IntegralBasis
−→ RationalQR
⇓ ⇓⇓ Z-operations ⇓⇓ ←− ⇓⇓ ←− ⇓⇓ ←− ⇓...
......
We get a reduced basis... but
QR dominates the cost
The approximate approach
IntegralBasis
−→ Floating-ptQR
⇓ ⇓⇓ Z-operations ⇓⇓ ←− ⇓⇓ ←− ⇓⇓ ←− ⇓...
......
This is faster... but
This is highly unstable
D. Stehle Lattice reduction algorithms 25/07/2017 46/56
![Page 153: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/153.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Odlyzko’s hybrid approach
IntegralBasis
−→ Floating-pointQR
⇓ ⇓⇓ Z-operations←− ⇓⇓ Numerical refreshing−→ ⇓⇓ ←−−→ ⇓
⇓ ←−−→ ⇓
⇓ ←−−→ ⇓...
......
D. Stehle Lattice reduction algorithms 25/07/2017 47/56
![Page 154: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/154.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Numerical QR-factorization
A rather well-studied topic:
Many backward stable algorithms:
Modified GS, Givens, Householder, ...
B −→ R, the R-factor of B + ∆B
Backward stability may be combined with perturbationanalysis, if the inputs are well-conditioned
B = QR =⇒ B + ∆B = (Q + ∆Q)(R + ∆R),
where ∆R grows as “cond”(R) ·∆B.
D. Stehle Lattice reduction algorithms 25/07/2017 48/56
![Page 155: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/155.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Numerical QR-factorization
A rather well-studied topic:
Many backward stable algorithms:
Modified GS, Givens, Householder, ...
B −→ R, the R-factor of B + ∆B
Backward stability may be combined with perturbationanalysis, if the inputs are well-conditioned
B = QR =⇒ B + ∆B = (Q + ∆Q)(R + ∆R),
where ∆R grows as “cond”(R) ·∆B.
D. Stehle Lattice reduction algorithms 25/07/2017 48/56
![Page 156: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/156.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Conditioning of R
Backward stability & sensitivity analysis⇒ approximation bounds
Householder & co are backward stable for column-wiseperturbations:
R is the R-factor of B + ∆B,maxi ‖∆bi‖/‖bi‖ ≤ Poly(n) · 2−p.
Perturbation analysis for columnwise perturbations
maxi‖∆ri‖/‖ri‖ ≤ ‖|R||R−1|‖ ·max
i‖∆bi‖/‖bi‖.
If computing with precision p � log ‖|R||R−1|‖,then the computed R is meaningful.
D. Stehle Lattice reduction algorithms 25/07/2017 49/56
![Page 157: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/157.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Conditioning of R
Backward stability & sensitivity analysis⇒ approximation bounds
Householder & co are backward stable for column-wiseperturbations:
R is the R-factor of B + ∆B,maxi ‖∆bi‖/‖bi‖ ≤ Poly(n) · 2−p.
Perturbation analysis for columnwise perturbations
maxi‖∆ri‖/‖ri‖ ≤ ‖|R||R−1|‖ ·max
i‖∆bi‖/‖bi‖.
If computing with precision p � log ‖|R||R−1|‖,then the computed R is meaningful.
D. Stehle Lattice reduction algorithms 25/07/2017 49/56
![Page 158: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/158.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Conditioning of R
Backward stability & sensitivity analysis⇒ approximation bounds
Householder & co are backward stable for column-wiseperturbations:
R is the R-factor of B + ∆B,maxi ‖∆bi‖/‖bi‖ ≤ Poly(n) · 2−p.
Perturbation analysis for columnwise perturbations
maxi‖∆ri‖/‖ri‖ ≤ ‖|R||R−1|‖ ·max
i‖∆bi‖/‖bi‖.
If computing with precision p � log ‖|R||R−1|‖,then the computed R is meaningful.
D. Stehle Lattice reduction algorithms 25/07/2017 49/56
![Page 159: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/159.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Conditioning of R
Backward stability & sensitivity analysis⇒ approximation bounds
Householder & co are backward stable for column-wiseperturbations:
R is the R-factor of B + ∆B,maxi ‖∆bi‖/‖bi‖ ≤ Poly(n) · 2−p.
Perturbation analysis for columnwise perturbations
maxi‖∆ri‖/‖ri‖ ≤ ‖|R||R−1|‖ ·max
i‖∆bi‖/‖bi‖.
If computing with precision p � log ‖|R||R−1|‖,then the computed R is meaningful.
D. Stehle Lattice reduction algorithms 25/07/2017 49/56
![Page 160: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/160.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Conditioning and reducedness
“cond”(R) ≤ ‖|R||R−1|‖
We are lucky! If B is LLL-reduced, then cond(R) ≤ 2O(n) andcomputing with p = O(n) suffices.
Need LLL-reducedness to LLL-reduce numerically...
Use a greedy LLL algorithm:
Take the first i s.t. (b1, . . . ,bi) is not LLL-reduced
⇒ (b1, . . . ,bi−1) is well-conditioned
Work on bi until (b1, . . . ,bi) is LLL-reducedor until we can decide to swap bi and bi−1
D. Stehle Lattice reduction algorithms 25/07/2017 50/56
![Page 161: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/161.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Conditioning and reducedness
“cond”(R) ≤ ‖|R||R−1|‖
We are lucky! If B is LLL-reduced, then cond(R) ≤ 2O(n) andcomputing with p = O(n) suffices.
Need LLL-reducedness to LLL-reduce numerically...
Use a greedy LLL algorithm:
Take the first i s.t. (b1, . . . ,bi) is not LLL-reduced
⇒ (b1, . . . ,bi−1) is well-conditioned
Work on bi until (b1, . . . ,bi) is LLL-reducedor until we can decide to swap bi and bi−1
D. Stehle Lattice reduction algorithms 25/07/2017 50/56
![Page 162: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/162.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Conditioning and reducedness
“cond”(R) ≤ ‖|R||R−1|‖
We are lucky! If B is LLL-reduced, then cond(R) ≤ 2O(n) andcomputing with p = O(n) suffices.
Need LLL-reducedness to LLL-reduce numerically...
Use a greedy LLL algorithm:
Take the first i s.t. (b1, . . . ,bi) is not LLL-reduced
⇒ (b1, . . . ,bi−1) is well-conditioned
Work on bi until (b1, . . . ,bi) is LLL-reducedor until we can decide to swap bi and bi−1
D. Stehle Lattice reduction algorithms 25/07/2017 50/56
![Page 163: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/163.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Bit complexity of hybrid LLL
Bit-complexity (left hand side is correct only in an amortized sense)
O(n2β)︸ ︷︷ ︸1
· O(n2)︸ ︷︷ ︸2
·[O(nβ)︸ ︷︷ ︸
3
+O(n2)︸ ︷︷ ︸4
]= O
(n5β(n + β)
)1- loop iterations
2- arithmetic operations per loop iteration
3- integer arithmetic (on the basis)
4- floating-point arithmetic (on QR)
Asymptotically: not much better than text-book LLLand worse than blocking
In practice: p = 53 for n up to 150-200.
Lengthy rationals −→ low-precision floating-points
D. Stehle Lattice reduction algorithms 25/07/2017 51/56
![Page 164: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/164.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Bit complexity of hybrid LLL
Bit-complexity (left hand side is correct only in an amortized sense)
O(n2β)︸ ︷︷ ︸1
· O(n2)︸ ︷︷ ︸2
·[O(nβ)︸ ︷︷ ︸
3
+O(n2)︸ ︷︷ ︸4
]= O
(n5β(n + β)
)1- loop iterations
2- arithmetic operations per loop iteration
3- integer arithmetic (on the basis)
4- floating-point arithmetic (on QR)
Asymptotically: not much better than text-book LLLand worse than blocking
In practice: p = 53 for n up to 150-200.
Lengthy rationals −→ low-precision floating-points
D. Stehle Lattice reduction algorithms 25/07/2017 51/56
![Page 165: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/165.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Going further with approximations
In hybrid-LLL, basis operations are dominating the cost.
The sensitivity bounds imply that we can work with anapproximation of B.
⇒ take the most significant bits!
The transformation matrix is also bounded by ‖|R||R−1|‖.
Round-reduce-update, recursively
L1
algorithm: O(n5 log ‖B‖) bit operations
D. Stehle Lattice reduction algorithms 25/07/2017 52/56
![Page 166: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/166.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Going further with approximations
In hybrid-LLL, basis operations are dominating the cost.
The sensitivity bounds imply that we can work with anapproximation of B.
⇒ take the most significant bits!
The transformation matrix is also bounded by ‖|R||R−1|‖.
Round-reduce-update, recursively
L1
algorithm: O(n5 log ‖B‖) bit operations
D. Stehle Lattice reduction algorithms 25/07/2017 52/56
![Page 167: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/167.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Going further with approximations
In hybrid-LLL, basis operations are dominating the cost.
The sensitivity bounds imply that we can work with anapproximation of B.
⇒ take the most significant bits!
The transformation matrix is also bounded by ‖|R||R−1|‖.
Round-reduce-update, recursively
L1
algorithm: O(n5 log ‖B‖) bit operations
D. Stehle Lattice reduction algorithms 25/07/2017 52/56
![Page 168: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/168.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
LLL-reduction: state of the art
[Stor96] [KoSc01] [NoStVi11] [NeSt16]slow dynamics
blockingexact R
slow dynamicsblockingexact R
slow dynamicsno blocking
approximate B and R
fast dynamicsblockingexact R
Cost O( n3.39β2 ) O( n3β2 ) O( n5β ) O( n4β )
HSVP (4/3 + ε)n−1
4 2O(n log n) (4/3 + ε)n−1
4 (1 + ε)(4/3)n−1
4
( β := log ‖B‖ )
D. Stehle Lattice reduction algorithms 25/07/2017 53/56
![Page 169: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/169.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Roadmap
1 Background on lattices
2 Solving the Shortest Vector Problem
3 The dynamics of lattice reduction
4 Blocking techniques
5 Approximations
Open problems:
1 Combine fast dynamics, blocking and approximations
2 Use less precision, in theory and in practice
D. Stehle Lattice reduction algorithms 25/07/2017 54/56
![Page 170: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/170.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Concluding remarks
Lattice reduction comes in two main flavours:
Fast, with exponential approximation factors
Slow, with shorter vectors
Both cases are very relevant for applications.
The set of algorithmic techniques is limited
Dynamics
Blocking
Approximations
This is in contrast to, e.g., SVP algorithms.
D. Stehle Lattice reduction algorithms 25/07/2017 55/56
![Page 171: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/171.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
Concluding remarks
Lattice reduction comes in two main flavours:
Fast, with exponential approximation factors
Slow, with shorter vectors
Both cases are very relevant for applications.
The set of algorithmic techniques is limited
Dynamics
Blocking
Approximations
This is in contrast to, e.g., SVP algorithms.
D. Stehle Lattice reduction algorithms 25/07/2017 55/56
![Page 172: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/172.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
My favourite open problems
SVP solvers: make theory, heuristics and practice match
Prove lower bounds on the necessary number of stepstowards reducedness
Combine fast dynamics, blocking and approximationsto obtain a faster LLL-type algorithm
D. Stehle Lattice reduction algorithms 25/07/2017 56/56
![Page 173: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/173.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
My favourite open problems
SVP solvers: make theory, heuristics and practice match
Prove lower bounds on the necessary number of stepstowards reducedness
Combine fast dynamics, blocking and approximationsto obtain a faster LLL-type algorithm
D. Stehle Lattice reduction algorithms 25/07/2017 56/56
![Page 174: Lattice reduction algorithms - ISSAC Conference · 2018. 1. 22. · IntroductionBackground on latticesSVPDynamicsBlockingApproximationsConclusion Lattice reduction algorithms Damien](https://reader036.vdocuments.net/reader036/viewer/2022081516/61032f4dd5e1e41c913a9d9d/html5/thumbnails/174.jpg)
Introduction Background on lattices SVP Dynamics Blocking Approximations Conclusion
My favourite open problems
SVP solvers: make theory, heuristics and practice match
Prove lower bounds on the necessary number of stepstowards reducedness
Combine fast dynamics, blocking and approximationsto obtain a faster LLL-type algorithm
D. Stehle Lattice reduction algorithms 25/07/2017 56/56