Average Time Fast SVP and CVP Algorithms for Low Density Lattices and the Factorization of Integers. Claus P. SCHNORR

Average Time Fast SVP and CVP Algorithms for Low Density Lattices and

the Factorization of Integers Claus P. SCHNORR

Fachbereich Informatik und Mathematik Goethe-Universität

Frankfurt am Main

Numbers, Sequences, Lattices:

Dynamical Analysis of Algorithms.

Birthday of Brigitte Vallée Caen, June 3-4, 2010

Road map 2

I Outline of the new SVP / CVP algorithm

II Time bound of SVP/CVP algorithm for low density lattices III Factoring integers via "easy" CVP solutions

IV Partial analysis of the new SVP / CVP algorithm References

A technical report is available at

http://www.mi.informatik.uni-frankfurt.de/research/papers.html We focus on novel proof elements that are not covered by published work and outline sensible heuristics towards polynomial time factoring of integers.

I: Lattices, QR-decomposition, LLL-bases 3

lattice basis B = [b₁, . . . ,b_n] ∈ Z^m×n lattice L(B) = {Bx | x ∈ Zⁿ}

norm kxk²= hx, xi =Pm

i=1x_i² SV-length λ1(L) =min{kbk | b ∈ L\{0}}

QR-decomposition B = QR ⊂ R^m×nsuch that

• the GNF — geom. normal form — R = [r_i,j] ∈ R^n×n is

uppertriangular, r_i,j =0 for j < i and r_i,i >0, ( r_i,i = kb^∗_ik )

• Q ∈ R^m×n isometric: Q^tQ = In.

LLL-basis B = QR for δ ∈ (¹₄,1] (Lenstra, Lenstra, Lovasz 82):

1. |r_i,j| ≤ ¹₂r_i,i for all j > i (size-reduced) ( r_i,j/r_i,i = µ_j,i ) 2. δ r_i,i² ≤ r_i,i+1² +r_i+1,i+1² for i = 1, . . . , n − 1

3. α⁻ⁱ⁺¹≤ kbik²λ⁻²_i ≤ αⁿ⁻¹ for i = 1, ..., n

4. kb₁k²≤ αⁿ⁻¹² (det L)^2/n, where α = 1/(δ − 1/4).

I: Recall ENUM 1994/95 4

Let Lt = L(b₁, ...,b_t−1)and πt : span(L) → span(Lt)^⊥ for t = 1, ..., n denote the orthogonal projection.

Stage (u_t, ...,u_n)of ENUM.

b :=Pn

i=tu_ib_i ∈ L and u_t, ...,u_n∈ Z are given. The stage searches exhaustively for allPt−1

i=1u_ib_i ∈ L such that kPn

i=1u_ib_ik²≤ A holds for some A ≥ λ²₁. Obviously kPn

i=1u_ib_ik²= kζ_t +Pt−1

i=1u_ib_ik²+ kπ_t(b)k², goal: ≤ A to be minimized spent

where ζ_t :=b − π_t(b) ∈ span L_t is the orthogonal projection of the givenb =Pn

i=tu_ib_i.

Stage (ut, ...,un)exhausts B_t−1(ζt, ρt) ∩ Lt where

B_t−1(ζ_t, ρ_t) ⊂ span L_t is the sphere of dimension t − 1 with center ζ_t and radius ρ_t := (A − kπ_t(b)k²)^1/2.

I: The success rate β

of stages 5

The GAUSSIANvolume heuristics estimates |B_t−1(ζt, ρt) ∩ Lt| to βt =_def vol B_t−1(ζt, ρt)/det Lt.

Here vol B_t−1(ζ_t, ρ_t) = ρ^t−1_t−1V_t−1, V_t = π^2t/(₂^t)! ≈ (^2eπ_t )^2t/√ πt is the volume of the unit sphere of dimension t,

det Lt =Qt−1

i=1r_i,i, ρ²_t :=A − kπt(Pn

i=tu_ib_i)k². We call β_t thesuccess rate of stage (u_t, ...,u_n).

If ζ_t mod L_t is uniformly distributed over the parallelepiped P_t := {Pt−1

i=1r_ib_i| 0 ≤ r₁, ...,r_t−1<1}

then Eζt[ |Bt−1(ζt, ρt) ∩ Lt| ] = β_t for ζ_t ∈_R P_t, because 1/ det Lt is the number of points per volume in Lt. The center ζt =b − π_t(b) ∈ span L_t changes continuously.

If ζt mod Lt ∈ P_t distributes uniformly the estimate

|B_t−1(ζt, ρt) ∩ Lt| ≈ vol Bt−1(ζt, ρt)/det L_t of the vol. heur. holds on the average.

I: Outline of New Enum for SVP 6

INPUT LLL-basisB = QR ∈ Z^m×n,R ∈ R^n×n, A := ⁿ₄(detB^tB)^2/n, OUTPUT a sequence ofb ∈ L(B) of decreasing length kbk²≤ A

terminating with kbk = λ₁.

1. s := 1, L := ∅, (we call s the level)

2. Perform algorithm ENUM[SE94] pruned to stages with β_t ≥ n^−s: Upon entry of stage (u_t, ...,u_n)compute β_t. If β_t <n^−s delay this stage and store (βt,ut, ...,un)in the list L of delayed stages.

Otherwise perform stage (u_t, ...,u_n)on level s, and as soon as someb ∈ L of length 0 < kbk²≤ A has been found

give outb and set A := kbk²− 1. Recompute the stored βt

3. Perform the stages (u_t, ...,u_n)of L with β_t ≥ n^−s−1in increasing order of t and for fixed t in order of decreasing βt.

Collect the appearing substages (u_t⁰, ...,u_t, ...,u_n)with βt⁰ <n^−s−1 in L.IF L = ∅ THEN terminate by exhaustion.

4. s := s + 1, GO TO 3

II: Optimizing the implementation 7

We efficiently approximate β_t using floating point arithmetic.

The space reservations for the list L are quite expensive compared to the modest arithmetic costs per stage.

The condition β_t <n^−shas been tested in practice. It replaces the original condition β_t <2^−s. This reduces list L and the number of the list operations. Saving space is a main problem.

For the final exhaustive search that proves kbk = λ₁the success rate and the list operations can be suppressed, they merely slow down the computation.

The start of the final exhaustion can be guessed. If no shorter vector comes up for an extended period then most likely the last outputb has length λ₁.

II: Time Bound for the SVP algorithm 8

Def. The relative density of L: rd (L) := λ₁γ_n^−1/2(det L)^−1/n rd (L) = λ₁(L)/max λ₁(L⁰) holds for the maximum of λ₁(L⁰) over all lattices L⁰ of dim L⁰ =n and det L = det L⁰.

The HERMITEconstant γ_n=max{λ²₁/det(L)^2/n| dim L = n}.

We always have λ²₁=rd (L)²γn(det L)^2/n. Theorem 1 Given a lattice basis satisfying GSA and kb1k ≤√

eπ n^bλ₁, b ≥ 0, NEWENUM solvesSVP in time 2^O(n)(n^1/2+brd (L))^n/4, i.e. in time 2^O(n)(√

n/rd (L))^n/4 for b = 0.

The 2^O(n)factor disappears under the volume heuristics.

GSA : Let B = QR = Q[r_i,j]satisfy: (for r_i,i = kb^∗_ik) r_i,i²/r_i−1,i−1² =q for i = 2, ..., n and some q > 0.

W.l.o.g. let q < 1, otherwise kb₁k = λ₁. The condition kb₁k ≤√

eπ n^bλ₁can" easily" be met forCVP.

II: Polynomial Time bound under the vol. heuristics 9

Finding an unproved shortest vectorb⁰is easier than proving kb⁰k = λ₁. We study the time to find anSVP-solution b⁰ without proving λ₁= kb⁰k under the assumption:

SA kπ_t(b⁰)k²≈ ^n−t+1_n λ²₁holds for all t and NEW ENUM’s SVP-solution b⁰, where πt(b⁰) ∈ span(b₁, ...,b_t−1)^⊥. Proposition 1. Let a lattice basis be given that satisfies GSA, kb1k ≤peπ/2 n^bλ1and rd (L) ≤ n^−1+2b4 . If NEWENUMfinds a shortest lattice vectorb⁰ satisfyingSA it finds b⁰, without proving kb⁰k = λ₁, under the volume heur. in polynomial time.

Polynomial time holds for b = 0, rd (L) ≤ n^−1/4. But the time to prove kb⁰k = λ₁is under the volume heur. Θ(n^1/2rd (L))^n/4.

II: Polynomial CVP time under the volume heur. 10

Corollary 1. Given t ∈ RⁿandB for L(B) satisfying GSA, kb1k = λ₁and rd (L) ≤ n^−1/2then NEWENUMsolves theCVP kt − bk = kt − Lk under the volume heuristics in poly-time.

We adjust the assumptionSA from SVP to CVP:

CA Let kπt(t − ¨b)k²≈ ^n−t+1_n kt − Lk²hold for all t and NEWENUM’sCVP-solution ¨b.

Corollary 2. Let B = [b₁, ...,b_n]in Z^m×nsatisfyGSA,

kb₁k = O(λ₁)and let ¨b satisfy CA for B, t. If rd (L) = o(n^−1/4) and kt − Lk = O(λ₁)then NEW ENUM finds theCVP- solution

¨b ∈ L under the volume heuristics in polynomial time, but without proving kt − ¨bk = kt − Lk.

All requirements of Cor. 2 can easily be satisfied for theCVP’s of the prime number lattice for factoring integers.

III: Factoring integers via CVP solutions 11

Let N be a positive integer that is not a prime power. Let p₁< · · · <p_nenumerate all primes less than (ln N)^α. Then

n = (ln N)^α/(αln ln N + O(1)).

Let the prime factors p of N satisfy p > pn.

We show how to factor N by solving "easy"CVP’s for the prime number lattice L(B), basis matrix B = [b₁, . . . ,bn] ∈ R^(n+1)×n :

B =













pln p₁ 0 0

0 . .. 0

0 0 pln p_n

N^cln p₁ · · · N^cln p_n













, N =











 0

... 0 N^cln N⁰











 ,

and the target vectorN ∈ Rⁿ⁺¹, where either N⁰ =N or N⁰=Np_n+j for one of the next n primes p_n+j >pn, j ≤ n.

Lemma 5.3 [MG02] λ²₁≥ 2c ln N.

rd (L) = o(n^−1/4) for c = (ln N)^β, suitable α > 2β + 2 > 2.

III: Outline of the factoring method 12

We identify the vectorb =Pn

i=1e_ib_i ∈ L(B) with the pair (u, v ) of integers u =Q

ej>0p_j^ej, v =Q

ej<0p^−e_j ^j ∈ N.

Then u, v are free of primes larger than pnand gcd(u, v ) = 1.

We compute vectorsb =Pn

i=1e_ib_i ∈ L(B) close to N such that

|u − vN⁰| < pn. The prime factorizations |u − vN⁰| =Qn i=1p^e

0 i

i

and u =Q

e_j>0p^e_j^j yield a non-trivial relation Q

ei>0p_i^ei = ±Qn i=1p^e

0 i

i mod N. (7.1)

Given n + 1 independent relations (7.1) we write these relations with p₀= −1 and e_i,j,e⁰_i,j ∈ N as Qn

i=0p^ei,j−e

0 i,j

i =1 mod N

for j = 1, ..., n + 1. Any non-trivial solution z₁, ...,z_n+1∈ Z of Pn+1

j=1 z_j(e_i,j− e_i,j⁰ ) =0 mod 2, i = 0, ..., n solves X²=1 mod N by X =Qn

i=0p

1 2

Pn+1

j=1zj(ei,j−e_i,j⁰ )

i mod N.

Hence gcd(X ± 1, N) factors N if X 6= ±1 mod N.

III: Vectors b ∈ L closest to N yield relations (7.1) 13

An integer z is called y-smooth, if all prime factors p of z satisfy p ≤ y . Let N⁰ be either N or Np_n+j for one of the next n primes p_n+j >pn. We denote

M_α,c,N =n

(u, v ) ∈ N² u ≤ N^c, |u − vN⁰| = 1, N^c−1/2 < v < N^c−1 u, v are squarefree and (ln N)^α−smooth

o . Theorem 4 [S93/91] If the equation |u − du/NcN| = 1 is for

random u of order N^c nearly statistically independent of the event that u, du/Nc are squarefree and (ln N)^α-smooth then M_α,c,N 6= ∅ holds if _α−2β−2^α <c ≤ (ln N)^β and α > 2β + 2.

Theorem 4 extends the result of [S93/91] from a constant c > 0 to c = (ln N)^β, required for rd (L)) = o(n^−1/4).

Theorem 5 The vector b =Pn

i=1e_ib_i ∈ L(B) closest to N provides a non-trivial relation (7.1) provided that M_α,c,N 6= ∅.

III: Vectors b ∈ L closest to N yield relations (7.1) 14

Theorem 6 If kb₁k = O(λ₁)and M_α,c,N 6= ∅ for c = (ln N)^β, α >2β + 2 we can minimize kL(B) − Nk in polynomial time underGSA, CA and the volume heuristics.

It follows from M_α,c,N 6= ∅ for N⁰ ∈ {N, Npn+j} that

kL − Nk²≤ (2c − 1) ln N⁰+1 = (2c − 1 + o(1)) ln N.

Lemma 5.3 of [MG02] proves that λ²₁≥ 2c ln N − Θ(1) [ λ²₁=2c ln N + O(1) holds if 0 < _α−2β−2^α <c ≤ (ln N)^β. ]

rd (L) = λ₁/(√

γ_n(det L)¹ⁿ) . 2eπ 2c ln N (ln N)^α

¹₂

=O(c ln N)^(1−α)/2=O((ln N)^1−α).

We have for c = (ln N)^β, α > 2β + 2 that _{(ln N)}^{2c ln N}α =o(n^−1/2) Hence rd (L) = o(n^−1/4).

III: Providing a nearly shortest vector for L(B) 15

For solving kt − ¨bk = kt − Lk heuristically in polynomial time we need that kb₁k = O(λ₁)holds for the prime number lattice.

We extend the prime number basisB and L(B) by a nearly shortest lattice vector for the extended lattice, preserving rd (L), det(L) and the structure of the lattice.

We extend the prime base by a prime ¯p_n+1 of order Θ(N^c)such that |u − ¯p_n+1| = O(1) holds for a squarefree (ln N)^α-smooth u.

Then kP

ie_ib_i− b_n+1k²=2c ln N + O(1) holds for u =Q

ip^e_iⁱ and the additional basis vectorb_n+1corresponding to ¯p_n+1. P

ie_ib_i − bn+1 is a nearly shortest vector of L(b₁, ...,b_n+1).

Efficient construction of ¯p_n+1 . Generate random u =Q

ip_i and test the nearby ¯p for primality. ¯p_n+1 andb_n+1 can be found in probabilistic polynomial time if the density of primes near the u is not exceptionally small. A single ¯p_n+1 can be used to solve allCVP’s for the factorization of all integers of order Θ(N).

IV: Proof of Theorem 1 16

Theorem 1 Given a lattice basis satisfying GSA and kb₁k ≤√

eπ n^bλ₁, b ≥ 0, NEW ENUM solvesSVP in time 2^O(n)(n^1/2+brd (L))^n/4.

NEWENUMessentially performs stages in decreasing order of the success rate β_t. Letb⁰ =Pn

i=1u_i⁰b_i ∈ L denote the unique vector of length λ₁that is found by NEWENUM.

Let β⁰_t be the success rate of stage (u_t⁰, ...,u_n⁰).

NEWENUMperforms stage (u_t⁰, ...,u_n⁰)prior to all stages (u_t, ...,u_n)of success rate β_t ≤ ¹₄β_t⁰

Simplifying assumption. We assume that NEW ENUM performs stage (u⁰_t, ...,u_n⁰)prior to all stages of success rate βt < β_t⁰, ( i.e., ρt < ρ⁰_t).

By definition ρ²_t =A − kπt(b)k²and ρ_t⁰²=A − kπt(b⁰)k². Without using the simplifying assumption, the proven time bound of Theorem 4.1 increases at most by the factor n.

IV: A proven version of the volume heuristics 17

Consider the number M_t of stages (u_t, ...,u_n)with kπ_t(Pn

i=tu_ib_i)k ≤ λ₁: M_t := # B_n−t+1(0, λ₁) ∩ πt(L)
.

Modulo the heuristic simplifications M_t covers the stages that precede (u⁰_t, ...,u_n⁰)and those that finally prove kb⁰k = λ₁. Lemma 1 M_t ≤ e^n−t+12 Qn

i=t(1 +

√8π λ₁

√n−t+1 r_i,i).

The proof uses the method of Lemma 1 of MAZO, ODLYZKO

[MO90] and follows the adjusted proof of inequality (2) in section 4.1 of HANROT, STEHLÉ [HS07]. For details see the TR http://www.mi.informatik.uni-frankfurt.de/research/papers.html Now r_i,i² = kb₁k²qⁱ⁻¹, λ²₁/(γnrd (L)²) = (det L)²ⁿ = kb₁k²qⁿ⁻¹² hold by GSA and thus γ_n ≥ _{2 eπ}ⁿ directly imply for i = t, ..., n

√n − t + 1 r_i,i ≤√

2eπ rd (L)⁻¹λ₁q^{(2i−n−1)/4}. By Lemma 1 M_t ≤Qn

i=t e√

πrd (L)⁻¹λ1q^{(2i−n−1)/4}+√ 8eπ λ1

√n−t+1 r_i,i (4.0)

IV: Proof of Theorem 1 continued 18

For the remainder of the proof let t := ⁿ₂+1 − c and m(q, c) := [if c > 0 then q^1−c24 else1]. Then

M_t ≤ m(q, c) ⁽²⁺

√e)√ 2eπ λ1

√n−t+1 rd (L)

n−t+1

/det π_t(L), (4.1) where m(q, c) = q^1−c24 =q^{−14Pci=0(2i−1)}covers in (4.0) the factors q^2i−n−14 >1 for t < i < ⁿ₂+1.

We see from (4.1) and det πt(L) = kb₁k^n−t+1q^Pni=ti−12 that M_t ≤ m(q, c) ⁽²⁺

√e)√

√ 2eπ n−t+1

λ1

b1krd (L)

n−t+1

/q

Pn−1 i=t−1i/2

(4.2) The [KL78] bound γn≤ 1.744 (n+o(n))

2eπ ≤ _eπⁿ for n ≥ n₀ and

1 n−1

Pn−1

i=t−1i = ⁿ₂− ^{(t−1)(t−2)}_2(n−1) and qⁿ⁻¹² = λ²₁/(kbk²γnrd (L)²) show

M_t ≤ m(q, c) ⁽²⁺

√e)√ 2eπ λ₁

√n−t+1 rd (L) kb₁k

n−t+1 √

n rd (L) kb√ ₁k eπ λ1

n−^{(t−1)(t−2)}_n−1

.

IV: End of Proof of Theorem 1 19

The difference of the exponents

de(t) = n −^{(t−1)(t−2)}_n−1 − n + t − 1 = (t − 1)(1 − _n−1^t−2)is positive for t ≤ n andde(ⁿ₂+1 − c) = ⁿ²_n−1^/4−c2. Hence for

kb₁k ≤√

eπ n^bλ₁and all t ≤ n : M_t ≤ m(q, c) (√

8 +√ 2e)q

n

n−t+1)^n−t+1 n^12+brd (L)
^n2/4−c2_n−1 For c > 0, t ≤ ⁿ₂ we have

m(q, c) = q^1−c24 = ^kb1k

√γnrd (L) λ1

^c2−1_n−1

≤ (n^12+brd (L))^c2−1n−1, and thus : M_t ≤ (4 + 2√

e)^n−t+1 n^12+brd (L)
^n2/4−1_n−1

= 2^O(n) n^12+brd (L)
ⁿ⁺¹₄

, where ⁿ²_n−1^/4−1 ≤ ⁿ⁺¹₄ . For c ≤ 0, t > ⁿ₂ we have

M_t ≤ (√ 8 +√

2e)q

n n−t+1

n−t+1

n^12+brd (L)
^n2/4_n−1

=2^O(n) n^12+brd (L)
ⁿ⁺²₄

where ⁿ_n−1^2/4 ≤ ⁿ⁺²₄ . 

V: Failings of the volume heuristics 20

MAZO, ODLYZKO[MO90] show for the lattice L = Zⁿ:

#{x ∈ Zⁿ| ||xk²≤ an} = 2^Θ(n) for a₀≤ a ≤ _2eπ¹ and any a₀>0,

whereas the volume heur. estimates this cardinality to O(1).

The center ζ =0 of the sphere is bad for the vol. heuristics.

It can nearly maximize |B_n(ζ, ρ) ∩ L|.

NEWENUMforSVP keeps the center ζ_t =b − π_t(b) close to 0.

The analysis of NEWENUM forCVP uses for center the vector b − t − π_t(b − t). For random π_t(t) this may better justify the volume heuristics in the analysis of NEWENUMforCVP than forSVP.

V: Ajtai’s worst case / average case equivalence 21

n^c-unique-SVP lattices: every lattice vector that is linearly independent of a shortest nonzero lattice vector has at least length λ₁n^c for some c > 1, i.e., λ₂≥ λ₁n^c.

Proposition 1 shows that all n^c-unique-SVP’s can be solved under GSA and the volume heuristics in polynomial time given a very short lattice vector.

Ajtai’s worst case / average case equivalence. AJTAI[Aj96, Thm 1] solves every n^c-unique-SVP using an oracle that solves SVP for a particular random lattice. However, all

n^c-unique-SVP’s are somewhat easy. This makes the worst case / average case equivalence suspicious.

[MR07] reduces n^c in Ajtai’s reduction to n ln^O(1)n.

Refences 22

Ad95 L.A. Adleman, Factoring and lattice reduction.

Manuscript, 1995.

AEVZ02 E. Agrell, T. Eriksson, A. Vardy and K. Zeger, Closest point search in lattices. IEEE Trans. on Inform. Theory,48 (8), pp. 2201–2214, 2002.

Aj96 M. Ajtai, Generating hard instances of lattice problems. In Proc. 28th Annual ACM Symposium on Theory of Computing, pp. 99–108, 1996.

AD97 M. Ajtai and C. Dwork, A public-key cryptosystem with worst-case / average-case equivalence. In Proc 29-th STOC, ACM, pp. 284–293, 1997.

AKS01 M. Ajtai, R. Kumar and D. Sivakumar, A sieve algorithm for the shortest lattice vector problem. In Proc. 33th STOC, ACM, pp. 601–610, 2001.

Ba86 L. Babai, On Lovasz’ lattice reduction and the nearest lattice point problem. Combinatorica6 (1), pp.1–13, 1986.

References 23

BL05 J. Buchmann and C. Ludwig, Practical lattice basis sampling reduction. eprint.iacr.org, TR 072, 2005.

Ca98 Y.Cai, A new transference theorem and

applications to Ajtai’s connection factor. ECCC, Report No. 5, 1998.

CEP83 E.R. Canfield, P. Erdös and C. Pomerance, On a problem of Oppenheim concerning "Factorisatio Numerorum". J. of Number Theory,17, pp. 1–28, 1983.

CS93 J.H. Conway and N.J.A. Sloane, Sphere Packings, Lattices and Groups. third edition,

Springer-Verlag1998.

FP85 U. Fincke and M. Pohst, Improved methods for calculating vectors of short length in a lattice, including a complexity analysis. Math. of Comput., 44, pp. 463–471, 1985.

Refences 24

GN08 N. Gama and P.Q. Nguyen, Predicting lattice reduction, in Proc. EUROCRYPT 2008, LNCS 4965, Springer-Verlag, pp. 31–51, 2008.

HHHW09 P.Hirschhorn, J. Hoffstein, N. Howgrave-Graham, W. Whyte, Choosing NTRUEncrypt parameters in light of combined lattice reduction and MITM approaches. In Proc. ACNS 2009, LNCS 5536, Springer-Verlag,pp. 437–455, 2009.

HPS98 J. Hoffstein, J. Pipher and J. Silverman, NTRU: A ring-based public key cryptosystem. In Proc.

ANTS III, LNCS 1423, Springer-Verlag, pp.

267–288, 1998.

H07 N. Howgrave-Graham, A hybrid lattice–reduction and meet-in-the-middle attiack against NTRU. In Proc, CRYPTO 2007, LNCS 4622,

Springer-Verlag, pp. 150–169, 2007.

Refences 25

HS07 G. Hanrot and D. Stehlé, Improved analysis of Kannan’s shortest lattice vector algorithm. In Proc.

CRYPTO 2007, LNCS 4622, Springer-Verlag,pp.

170–186, 2007.

HS08 G. Hanrot and D. Stehlé, Worst-case

Hermite-Korkine-Zolotarev reduced lattice bases.

CoRR, abs/0801.3331,

http://arxix.org/abs/0801.3331.

Ka87 R. Kannan, Minkowski’s convex body theorem and integer programming. Math. Oper. Res.,12, pp.

415–440, 1987.

KL78 G.A.Kabatiansky and V.I. Levenshtein, Bounds for packing on a sphere and in space. Problems of Information Transmission,14, pp. 1–17, 1978.

LLL82 H. W. Lenstra Jr., , A. K. Lenstra, and L. Lovász , Factoring polynomials with rational coefficients, Mathematische Annalen 261, pp. 515–534, 1982.

Refences 26

L86 L. Lovász, An Algorithmic Theory of Numbers, Graphs and Convexity, SIAM, 1986.

LM09 V. Lubashevsky and D. Micciancio, On bounded distance decoding, unique shortest vectors and the minimum distance problem. In Proc. CRYPTO 2009, LNCS 5677, Springer-Verlag, pp. 577–594, 2009.

MO90 J. Mazo and A. Odlydzko, Lattice points in high-dimensional spheres. Monatsh. Math. 110, pp. 47–61, 1990.

MG02 D. Micciancio and S. Goldwasser, Complexity of Lattice Problems: A Cryptographic Perspective.

Kluwer Academic Publishers, Boston, London, 2002.

MR07 D. Micciancio and O. Regev, Worst-case to average-case reduction based on gaussian measures. SIAM J. on Computing,37(1), 2007.

Refences 27

NS06 P.Q. Nguyen and D. Stehlé, LLL on the average. In Proc. of ANTS-VII, LNCS 4076, Springer-Verlag, 2006.

N10 P.Q. Nguyen, Hermite’s Constant and Lattice Algorithms. in The LLL Algorithm, Eds. P.Q.

Nguyen, B. Vallée, Springer-Verlag, Jan. 2010.

S87 C.P. Schnorr, A hierarchy of polynomial time lattice basis reduction algorithms. Theoret. Comput. Sci., 53, pp. 201–224, 1987.

S93 C.P.Schnorr, Factoring integers and computing discrete logarithms via Diophantine approximation.

In Advances in Computational Complexity, AMS, DIMACS Series in Discrete Mathematics and Theoretical Computer Science,13, pp. 171–182, 1993. Preliminary version Proc. EUROCRYPT’91, LNCS 547, Springer-Verlag, pp. 281–293, 1991.

//www.mi.informatik.uni-frankfurt.de

Refences 28

SE94 C.P. Schnorr and M. Euchner, Lattce basis reduction: Improved practical algorithms and solving subset sum problems. Mathematical Programming66, pp. 181–199, 1994.

S03 C.P. Schnorr, Lattice reduction by sampling and birthday methods. Proc. STACS 2003: 20th Annual Symposium on Theoretical Aspects of Computer Science, LNCS 2007, Springer-Verlag, pp. 146–156, 2003.

S06 C.P. Schnorr, Fast LLL-type lattice reduction.

Information and Computation,204, pp. 1–25, 2006.

S07 C.P. Schnorr, Progress on LLL and lattice reduction, Proc. LLL+25, Caen, France, 2007, Final version in: The LLL Algorithm, Survey and Applications, Eds. P.Q.Nguyen and B. Vallée, Springer 2010.