MonashUniversity,November2012 DamienStehl´e ComputingwithEuclideanlattices

(1)

Euclidean lattices Applications of lattices The LLL algorithm A numeric-symbolic LLL Conclusion

Computing with Euclidean lattices

Damien Stehl´ e

ENS de Lyon´

Monash University, November 2012

Damien Stehl´e Computing with Euclidean lattices 01/11/2012 1/24

(2)

Goals and plan of the talk

Goals:

An introduction to the computational aspects of lattices An example of how floating-point arithmetic can be used to accelerate an algebraic computation

Plan of the talk:

1

Euclidean lattices

2

Applications of lattices

3

The LLL algorithm

4

Speeding up LLL

(3)

Goals and plan of the talk

Goals:

An introduction to the computational aspects of lattices An example of how floating-point arithmetic can be used to accelerate an algebraic computation

Plan of the talk:

1

Euclidean lattices

2

Applications of lattices

3

The LLL algorithm

4

Speeding up LLL

(4)

Euclidean lattices

Lattice ≡ discrete subgroup of R

ⁿ

≡ { P

i ≤n

x

_i

b

_i

: x

_i

∈ Z}

If the b

_i

’s are linearly independent, they are called a basis.

Bases are not unique, but they can be obtained from each other by integer transforms of determinant ±1:

−2 1 10 6

=

4 −3

2 4

· 1 1 2 1

.

(5)

Euclidean lattices

Lattice ≡ discrete subgroup of R

ⁿ

≡ { P

i ≤n

x

_i

b

_i

: x

_i

∈ Z}

If the b

_i

’s are linearly independent, they are called a basis.

Bases are not unique, but they can be obtained from each other by integer transforms of determinant ±1:

−2 1 10 6

=

4 −3

2 4

· 1 1 2 1

.

(6)

Euclidean lattices

Lattice ≡ discrete subgroup of R

ⁿ

≡ { P

i ≤n

x

_i

b

_i

: x

_i

∈ Z}

If the b

_i

’s are linearly independent, they are called a basis.

Bases are not unique, but they can be obtained from each other by integer transforms of determinant ±1:

−2 1 10 6

=

4 −3

2 4

· 1 1 2 1

.

(7)

Lattice invariants

Minimum:

λ(L) = min(kbk : b ∈ L \ 0) Determinant:

det L = | det(b

ⁱ

)

i

|, for any basis Minkowski theorem:

λ(L) ≤ √ n · (det L)

^1/n

Algorithmic approach: lattice reduction Start from a basis, and progressively improve its norm/orthogonality

(8)

Lattice invariants

Minimum:

λ(L) = min(kbk : b ∈ L \ 0) Determinant:

det L = | det(b

ⁱ

)

i

|, for any basis Minkowski theorem:

λ(L) ≤ √ n · (det L)

^1/n

Algorithmic approach: lattice reduction Start from a basis, and progressively improve its norm/orthogonality

(9)

Lattice invariants

Minimum:

λ(L) = min(kbk : b ∈ L \ 0) Determinant:

det L = | det(b

ⁱ

)

i

|, for any basis Minkowski theorem:

λ(L) ≤ √ n · (det L)

^1/n

Algorithmic approach: lattice reduction Start from a basis, and progressively improve its norm/orthogonality

(10)

Lattice invariants

Minimum:

λ(L) = min(kbk : b ∈ L \ 0) Determinant:

det L = | det(b

ⁱ

)

i

|, for any basis Minkowski theorem:

λ(L) ≤ √ n · (det L)

^1/n

Algorithmic approach: lattice reduction Start from a basis, and progressively improve its norm/orthogonality

(11)

Why do we care about lattices?

Computer algebra: factorisation of rational polynomials.

Cryptanalysis of variants of RSA.

Lattice-based cryptography.

Communications theory: MIMO, GPS.

Combinatorial optimisation, algorithmic group theory, algorithmic number theory, computer arithmetic, etc.

Lattices tend to pop out when one wants to use linear algebra but is restricted to discrete transformations.

(12)

Why do we care about lattices?

Computer algebra: factorisation of rational polynomials.

Cryptanalysis of variants of RSA.

Lattice-based cryptography.

Communications theory: MIMO, GPS.

Combinatorial optimisation, algorithmic group theory, algorithmic number theory, computer arithmetic, etc.

Lattices tend to pop out when one wants to use linear algebra but is restricted to discrete transformations.

(13)

Main computational problem: SVP

SVP

_γ

: Given a basis of L, find b ∈ L with 0 < kbk ≤ γ · λ(L).

Dec-SVP

γ

: Given a basis of L and t > 0, reply:

YES if λ(L) ≤ t and NO if λ(L) > γ · t.

Dec-SVP

_γ

on the hardness scale

NP-hard for any γ ≤ O(1), under randomized reductions In NP∩coNP for γ ≥ √ n

In P for γ ≥ 2

ⁿ^{log log n}^{log n}

(14)

Main computational problem: SVP

SVP

_γ

: Given a basis of L, find b ∈ L with 0 < kbk ≤ γ · λ(L).

Dec-SVP

γ

: Given a basis of L and t > 0, reply:

YES if λ(L) ≤ t and NO if λ(L) > γ · t.

Dec-SVP

_γ

on the hardness scale

NP-hard for any γ ≤ O(1), under randomized reductions In NP∩coNP for γ ≥ √ n

In P for γ ≥ 2

(15)

Main computational problem: SVP

SVP

_γ

: Given a basis of L, find b ∈ L with 0 < kbk ≤ γ · λ(L).

Dec-SVP

γ

: Given a basis of L and t > 0, reply:

YES if λ(L) ≤ t and NO if λ(L) > γ · t.

Dec-SVP

_γ

on the hardness scale

NP-hard for any γ ≤ O(1), under randomized reductions In NP∩coNP for γ ≥ √ n

In P for γ ≥ 2

(16)

SVP is easy in small dimensions!

b

⁽⁰⁾₁

b

⁽⁰⁾₂

0 That’s almost Euclid’s algorithm!

Returns a vector reaching λ(L) Runs in polynomial time

(17)

SVP is easy in small dimensions!

b

⁽⁰⁾₁

b

⁽⁰⁾₂

0 That’s almost Euclid’s algorithm!

Returns a vector reaching λ(L) Runs in polynomial time

(18)

SVP is easy in small dimensions!

(0)

b

⁽¹⁾₁

b

⁽¹⁾₂

0 That’s almost Euclid’s algorithm!

Returns a vector reaching λ(L) Runs in polynomial time

(19)

SVP is easy in small dimensions!

(0)

b

⁽¹⁾₁

b

⁽¹⁾₂

0 That’s almost Euclid’s algorithm!

Returns a vector reaching λ(L) Runs in polynomial time

(20)

SVP is easy in small dimensions!

(0)

b

⁽²⁾₁

b

⁽²⁾₂

0 That’s almost Euclid’s algorithm!

Returns a vector reaching λ(L) Runs in polynomial time

(21)

SVP is easy in small dimensions!

(0)

b

⁽²⁾₁

b

⁽²⁾₂

0 That’s almost Euclid’s algorithm!

Returns a vector reaching λ(L) Runs in polynomial time

(22)

SVP is easy in small dimensions!

(0)

b

⁽³⁾₁

b

⁽³⁾₂

0 That’s almost Euclid’s algorithm!

Returns a vector reaching λ(L) Runs in polynomial time

(23)

SVP is easy in small dimensions!

(0)

b

⁽³⁾₁

b

⁽³⁾₂

0 That’s almost Euclid’s algorithm!

Returns a vector reaching λ(L) Runs in polynomial time

(24)

Plan of the talk

Plan of the talk:

1

Euclidean lattices

2

Applications of euclidean lattices

3

The LLL algorithm

4

Speeding up LLL

Integer relation detection Polynomial factorisation Cryptanalysis

(25)

Plan of the talk

Plan of the talk:

1

Euclidean lattices

2

Applications of euclidean lattices

3

The LLL algorithm

4

Speeding up LLL

Integer relation detection Polynomial factorisation Cryptanalysis

(26)

Finding small integer relations between real numbers

BBP formula: π = X

i ≥0

1 16

ⁱ

4 8i + 1 − 2

8i + 4 − 1

8i + 5 − 1 8i + 6

To compute a base-16 digit of π at any given position.

Assume we search a small Z-relation between y

₁

, . . . , y

_d

∈ R

Take L := L[(b

_i

)

_i

], with B =



 

 

y

₁

y

₂

. . . y

_d

1 0 . . . 0 0 1 . . . 0 .. . . .. ...

0 0 . . . 1



 

 

A Z-relation P

x

_i

y

_i

= 0 leads to a small vector (0, x

1

, . . . , x

d

)

^T

Using a large C makes it a shortest vector of L \ 0

(27)

Finding small integer relations between real numbers

BBP formula: π = X

i ≥0

1 16

ⁱ

4 8i + 1 − 2

8i + 4 − 1

8i + 5 − 1 8i + 6

To compute a base-16 digit of π at any given position.

Assume we search a small Z-relation between y

₁

, . . . , y

_d

∈ R

Take L := L[(b

_i

)

_i

], with B =



 

 

y

₁

y

₂

. . . y

_d

1 0 . . . 0 0 1 . . . 0 .. . . .. ...

0 0 . . . 1



 

 

A Z-relation P

x

_i

y

_i

= 0 leads to a small vector (0, x

1

, . . . , x

d

)

^T

Using a large C makes it a shortest vector of L \ 0

(28)

Finding small integer relations between real numbers

BBP formula: π = X

i ≥0

1 16

ⁱ

4 8i + 1 − 2

8i + 4 − 1

8i + 5 − 1 8i + 6

To compute a base-16 digit of π at any given position.

Assume we search a small Z-relation between y

₁

, . . . , y

_d

∈ R

Take L := L[(b

_i

)

_i

], with B =



 

 

y

₁

y

₂

. . . y

_d

1 0 . . . 0 0 1 . . . 0 .. . . .. ...

0 0 . . . 1



 

 

A Z-relation P

x

_i

y

_i

= 0 leads to a small vector (0, x

1

, . . . , x

d

)

^T

Using a large C makes it a shortest vector of L \ 0

(29)

Finding small integer relations between real numbers

BBP formula: π = X

i ≥0

1 16

ⁱ

4 8i + 1 − 2

8i + 4 − 1

8i + 5 − 1 8i + 6

To compute a base-16 digit of π at any given position.

Assume we search a small Z-relation between y

₁

, . . . , y

_d

∈ R

Take L := L[(b

_i

)

_i

], with B =



 

 

y

₁

y

₂

. . . y

_d

1 0 . . . 0 0 1 . . . 0 .. . . .. ...

0 0 . . . 1



 

 

A Z-relation P

x

_i

y

_i

= 0 leads to a small vector (0, x

1

, . . . , x

d

)

^T

Using a large C makes it a shortest vector of L \ 0

(30)

Finding small integer relations between real numbers

BBP formula: π = X

i ≥0

1 16

ⁱ

4 8i + 1 − 2

8i + 4 − 1

8i + 5 − 1 8i + 6

To compute a base-16 digit of π at any given position.

Assume we search a small Z-relation between y

₁

, . . . , y

_d

∈ R

Take L := L[(b

_i

)

_i

], with B =



 

 

C y

₁

C y

₂

. . . C y

_d

1 0 . . . 0

0 1 . . . 0

.. . . .. .. .

0 0 . . . 1



 

 

A Z-relation P

x

_i

y

_i

= 0 leads to a small vector (0, x

1

, . . . , x

d

)

^T

Using a large C makes it a shortest vector of L \ 0

(31)

Factoring integer polynomials

The previous idea may be used to factor polynomials in Z[x]

Factoring polynomials with rational coefficients,

A. K. Lenstra, H. W. Lenstra Jr. and L. Lov´ asz. Math. Ann., 1982

⇒ Cited ≥ 2500 times!!!

Given P ∈ Z[x]:

0- If deg P ≤ 1, then stop 1- Compute a root α ∈ C of P

2- Find the minimal polynomial P

_α

(x) of α, by searching for Z-combinations between 1, α, . . . , α

ⁱ

for increasing i 3- Divide P by P

_α

and restart

(32)

Factoring integer polynomials

The previous idea may be used to factor polynomials in Z[x]

Factoring polynomials with rational coefficients,

A. K. Lenstra, H. W. Lenstra Jr. and L. Lov´ asz. Math. Ann., 1982

⇒ Cited ≥ 2500 times!!!

Given P ∈ Z[x]:

0- If deg P ≤ 1, then stop 1- Compute a root α ∈ C of P

2- Find the minimal polynomial P

_α

(x) of α, by searching for Z-combinations between 1, α, . . . , α

ⁱ

for increasing i 3- Divide P by P

_α

and restart

(33)

Cryptographic design and cryptanalysis

Lattice-based cryptography:

Secret key: very short basis of a lattice Public key: long basis of the same lattice Relies on the assumed hardness of SVP Very popular research topic:

More secure: post-quantum

More efficient: no modular exponentiation More versatile: fully homomorphic encryption

Lattice reduction algorithms are the best known attack.

(34)

Cryptographic design and cryptanalysis

Lattice-based cryptography:

Secret key: very short basis of a lattice Public key: long basis of the same lattice Relies on the assumed hardness of SVP Very popular research topic:

More secure: post-quantum

More efficient: no modular exponentiation More versatile: fully homomorphic encryption

Lattice reduction algorithms are the best known attack.

(35)

Cryptographic design and cryptanalysis

Lattice-based cryptography:

Secret key: very short basis of a lattice Public key: long basis of the same lattice Relies on the assumed hardness of SVP Very popular research topic:

More secure: post-quantum

More efficient: no modular exponentiation More versatile: fully homomorphic encryption

Lattice reduction algorithms are the best known attack.

(36)

Plan of the talk

Plan of the talk:

1

Euclidean lattices

2

Applications of euclidean lattices

3

The LLL algorithm

4

Speeding up LLL

(37)

Gram-Schmidt orthogonalization (GSO)

(b

i

)

i

linearly independent The GSO (b

^∗_i

)

_i

is defined by:

∀i : b

^∗i

= b

_i

− X

j<i

µ

_ij

b

^∗_j

∀i > j : µ

ij

= (b

_i

, b

^∗_j

) kb

^∗j

k

²

Triangularisation of B = (b

_i

)

_i

b₂ b₃

b₁

For any basis (b

i

)

i

of L, we have λ(L) ≥ min

ⁱ

kb

^∗i

k

(38)

Gram-Schmidt orthogonalization (GSO)

(b

i

)

i

linearly independent The GSO (b

^∗_i

)

_i

is defined by:

∀i : b

^∗i

= b

_i

− X

j<i

µ

_ij

b

^∗_j

∀i > j : µ

ij

= (b

_i

, b

^∗_j

) kb

^∗j

k

²

Triangularisation of B = (b

_i

)

_i

=

b^∗₂ b^∗₃

b₂ b₃

b₁ b^∗₁

For any basis (b

i

)

i

of L, we have λ(L) ≥ min

ⁱ

kb

^∗i

k

(39)

Gram-Schmidt orthogonalization (GSO)

(b

i

)

i

linearly independent The GSO (b

^∗_i

)

_i

is defined by:

∀i : b

^∗i

= b

_i

− X

j<i

µ

_ij

b

^∗_j

∀i > j : µ

ij

= (b

_i

, b

^∗_j

) kb

^∗j

k

²

Triangularisation of B = (b

_i

)

_i

=

b^∗₂ b^∗₃

b₂ b₃

b₁ b^∗₁

For any basis (b

i

)

i

of L, we have λ(L) ≥ min

ⁱ

kb

^∗i

k

(40)

Gram-Schmidt orthogonalization (GSO)

(b

i

)

i

linearly independent The GSO (b

^∗_i

)

_i

is defined by:

∀i : b

^∗i

= b

_i

− X

j<i

µ

_ij

b

^∗_j

∀i > j : µ

ij

= (b

_i

, b

^∗_j

) kb

^∗j

k

²

Triangularisation of B = (b

_i

)

_i

=

b^∗₂ b^∗₃

b₂ b₃

b₁ b^∗₁

For any basis (b

i

)

i

of L, we have λ(L) ≥ min

ⁱ

kb

^∗i

k

(41)

The Lenstra-Lenstra-Lov´asz reduction

Let δ ∈ (1/4, 1). A basis B = (b

i

)

_{i ≤n}

∈ R

^n×n

is said LLL-reduced if

∀i, j : |µ

ij

| ≤ 1/2

[Size-reduction]

∀i : δ · kb

^∗i

k

²

≤ kb

^∗i+1

k

²

+ µ

²_i+1,i

kb

^∗i

k

² ^[Lov´asz’ condition]

(42)

The Lenstra-Lenstra-Lov´asz reduction

Let δ ∈ (1/4, 1). A basis B = (b

i

)

_{i ≤n}

∈ R

^n×n

is said LLL-reduced if

∀i, j : |µ

ij

| ≤ 1/2

[Size-reduction]

∀i : δ · kb

^∗i

k

²

≤ kb

^∗i+1

k

²

+ µ

²_i+1,i

kb

^∗i

k

The kb

^∗i

k’s can’t drop too fast:

∀i : kb

^∗i+1

k

²

≥ (δ −

¹₄

)kb

^∗i

k

²

⇒ λ(L) ≤ kb

1

k ≤ 2

^O⁽ⁿ⁾

· λ(L)

δ < 1 is important to get a polynomial complexity

00000 00000 00000 00000 00000 11111 11111 11111 11111 11111

00000 00000 00000 00000 11111 11111 11111 11111

0 b

₁

b

₂

(43)

The Lenstra-Lenstra-Lov´asz reduction

Let δ ∈ (1/4, 1). A basis B = (b

i

)

_{i ≤n}

∈ R

^n×n

is said LLL-reduced if

∀i, j : |µ

ij

| ≤ 1/2

[Size-reduction]

∀i : δ · kb

^∗i

k

²

≤ kb

^∗i+1

k

²

+ µ

²_i+1,i

kb

^∗i

k

The kb

^∗i

k’s can’t drop too fast:

∀i : kb

^∗i+1

k

²

≥ (δ −

¹₄

)kb

^∗i

k

²

⇒ λ(L) ≤ kb

1

k ≤ 2

^O⁽ⁿ⁾

· λ(L)

δ < 1 is important to get a polynomial complexity

00000 00000 00000 00000 00000 11111 11111 11111 11111 11111

00000 00000 00000 00000 11111 11111 11111 11111

0 b

₁

b

₂

(44)

The Lenstra-Lenstra-Lov´asz reduction

Let δ ∈ (1/4, 1). A basis B = (b

i

)

_{i ≤n}

∈ R

^n×n

is said LLL-reduced if

∀i, j : |µ

ij

| ≤ 1/2

[Size-reduction]

∀i : δ · kb

^∗i

k

²

≤ kb

^∗i+1

k

²

+ µ

²_i+1,i

kb

^∗i

k

The kb

^∗i

k’s can’t drop too fast:

∀i : kb

^∗i+1

k

²

≥ (δ −

¹₄

)kb

^∗i

k

²

⇒ λ(L) ≤ kb

1

k ≤ 2

^O⁽ⁿ⁾

· λ(L)

δ < 1 is important to get a polynomial complexity

00000 00000 00000 00000 00000 11111 11111 11111 11111 11111

00000 00000 00000 00000 11111 11111 11111 11111

0 b

₁

b

₂

(45)

The Lenstra-Lenstra-Lov´asz reduction

Let δ ∈ (1/4, 1). A basis B = (b

i

)

_{i ≤n}

∈ R

^n×n

is said LLL-reduced if

∀i, j : |µ

ij

| ≤ 1/2

[Size-reduction]

∀i : δ · kb

^∗i

k

²

≤ kb

^∗i+1

k

²

+ µ

²_i+1,i

kb

^∗i

k

The kb

^∗i

k’s can’t drop too fast:

∀i : kb

^∗i+1

k

²

≥ (δ −

¹₄

)kb

^∗i

k

²

⇒ λ(L) ≤ kb

1

k ≤ 2

^O⁽ⁿ⁾

· λ(L)

δ < 1 is important to get a polynomial complexity

00000 00000 00000 00000 00000 00000

11111 11111 11111 11111 11111 11111

00000 00000 00000 00000 11111 11111 11111 11111

0 b

₁

b

₂

(46)

The Lenstra-Lenstra-Lov´asz algorithm

Let δ ∈ (1/4, 1). A basis B = (b

i

)

_{i ≤n}

∈ R

^n×n

is said LLL-reduced if

∀i, j : |µ

ij

| ≤ 1/2

[Size-reduction]

∀i : δ · kb

^∗i

k

²

≤ kb

^∗i+1

k

²

+ µ

²_i+1,i

kb

^∗i

k

1

Enforce size-reduction, using a modified Gaussian elimination

2

If there is an i with δ · kb

^∗i

k

²

> kb

^∗i+1

k

²

+ µ

²_i+1,i

kb

^∗i

k

²

, then swap b

_i

and b

_i+1

, and go to Step 1

3

Return the current basis (b

₁

, . . . , b

n

)

⇒ Correctness is trivial

⇒ Termination is much less so:

O(n

²

β) loop iterations, with β = max

i

kb

^initi

k

(47)

The Lenstra-Lenstra-Lov´asz algorithm

Let δ ∈ (1/4, 1). A basis B = (b

i

)

_{i ≤n}

∈ R

^n×n

is said LLL-reduced if

∀i, j : |µ

ij

| ≤ 1/2

[Size-reduction]

∀i : δ · kb

^∗i

k

²

≤ kb

^∗i+1

k

²

+ µ

²_i+1,i

kb

^∗i

k

1

Enforce size-reduction, using a modified Gaussian elimination

2

If there is an i with δ · kb

^∗i

k

²

> kb

^∗i+1

k

²

+ µ

²_i+1,i

kb

^∗i

k

²

, then swap b

_i

and b

_i+1

, and go to Step 1

3

Return the current basis (b

₁

, . . . , b

n

)

⇒ Correctness is trivial

⇒ Termination is much less so:

O(n

²

β) loop iterations, with β = max

i

kb

^initi

k

(48)

The Lenstra-Lenstra-Lov´asz algorithm

Let δ ∈ (1/4, 1). A basis B = (b

i

)

_{i ≤n}

∈ R

^n×n

is said LLL-reduced if

∀i, j : |µ

ij

| ≤ 1/2

[Size-reduction]

∀i : δ · kb

^∗i

k

²

≤ kb

^∗i+1

k

²

+ µ

²_i+1,i

kb

^∗i

k

1

Enforce size-reduction, using a modified Gaussian elimination

2

If there is an i with δ · kb

^∗i

k

²

> kb

^∗i+1

k

²

+ µ

²_i+1,i

kb

^∗i

k

²

, then swap b

_i

and b

_i+1

, and go to Step 1

3

Return the current basis (b

₁

, . . . , b

n

)

⇒ Correctness is trivial

⇒ Termination is much less so:

O(n

²

β) loop iterations, with β = max

i

kb

^initi

k

(49)

Bit-complexity of LLL and practical run-time

[LLL82,Kaltofen83]

LLL terminates in O(n

⁴

β

²

(n + β)) operations, with β = log max

_i

kb

^initi

k With MAGMA V2.16:

> n := 25; B := RMatrixSpace(Integers(),n,n)!0;

> for i:=1 to 25 do

> B[i][i]:=1; B[i][1]:=RandomBits(2000);

> end for;

> time C := LLL(B:Method:=‘‘Integral’’);

Time: 11.700

> time C := LLL(B);

Time: 0.240

(50)

Plan of the talk

Plan of the talk:

1

Euclidean lattices

2

Applications of euclidean lattices

3

The LLL algorithm

4

Speeding up LLL

Section based on joint works with X.-W. Chang, I. Morel, P. Q. Nguyen, A. Novocin, X. Pujol and G. Villard

(51)

LLL in practice: the numeric-symbolic approach

The Gram-Schmidt computations dominate the cost Odlyzko’s hybrid approach

Replace the rational computations on the GSO by floating-point approximations, but keep the basis operations exact

Floating-point numbers: x

₁

.x

₂

x

₃

. . . x

_p

· B

^e

, where:

p is the precision

B is the base, and x

_i

∈ {0, . . . , B − 1}

e ∈ Z is the exponent Floating-point arithmetic:

fl (a op b) is a nearest fp number to a op b, for any op ∈ {+, −, /, ×}

(52)

LLL in practice: the numeric-symbolic approach

The Gram-Schmidt computations dominate the cost Odlyzko’s hybrid approach

Replace the rational computations on the GSO by floating-point approximations, but keep the basis operations exact

Floating-point numbers: x

₁

.x

₂

x

₃

. . . x

_p

· B

^e

, where:

p is the precision

B is the base, and x

_i

∈ {0, . . . , B − 1}

e ∈ Z is the exponent Floating-point arithmetic:

fl (a op b) is a nearest fp number to a op b, for any op ∈ {+, −, /, ×}

(53)

LLL in practice: the numeric-symbolic approach

The Gram-Schmidt computations dominate the cost Odlyzko’s hybrid approach

Replace the rational computations on the GSO by floating-point approximations, but keep the basis operations exact

Floating-point numbers: x

₁

.x

₂

x

₃

. . . x

_p

· B

^e

, where:

p is the precision

B is the base, and x

_i

∈ {0, . . . , B − 1}

e ∈ Z is the exponent Floating-point arithmetic:

fl (a op b) is a nearest fp number to a op b, for any op ∈ {+, −, /, ×}

(54)

Odlyzko’s hybrid approach is only heuristic

Odlyzko’s hybrid approach

Replace the rational computations on the GSO by floating-point approximations, but keep the basis operations exact

Principle: For p small, fp arith. may efficiently simulate rational arith.

⇒ In practice: we aim for 53-bit machine precision But Odlyzko’s approach is heuristic:

Fp arithmetic is inexact Small errors can be amplified

⇒ Infinite loops

⇒ Incorrect outputs

(55)

Odlyzko’s hybrid approach is only heuristic

Odlyzko’s hybrid approach

Replace the rational computations on the GSO by floating-point approximations, but keep the basis operations exact

Principle: For p small, fp arith. may efficiently simulate rational arith.

⇒ In practice: we aim for 53-bit machine precision But Odlyzko’s approach is heuristic:

Fp arithmetic is inexact Small errors can be amplified

⇒ Infinite loops

⇒ Incorrect outputs

(56)

Odlyzko’s hybrid approach is only heuristic

Odlyzko’s hybrid approach

Replace the rational computations on the GSO by floating-point approximations, but keep the basis operations exact

Principle: For p small, fp arith. may efficiently simulate rational arith.

⇒ In practice: we aim for 53-bit machine precision But Odlyzko’s approach is heuristic:

Fp arithmetic is inexact Small errors can be amplified

⇒ Infinite loops

⇒ Incorrect outputs

(57)

Making the numeric-symbolic approach rigorous

Underlying mathematical phenomenon

[CSV12]

Any LLL-reduced basis is well-conditioned with respect to GSO Well-conditioned? The GSO computed in small precision is close to the genuine GSO

⇒ We’d like to rely on LLL-reduced bases as much as we can Use a greedy LLL algorithm

[NS05,MSV09]

:

Consider the first i s.t. b

1

, . . . , b

i

is not LLL-reduced

⇒ b

₁

, . . . , b

_{i −1}

is well-conditioned

Iterate on b

_i

until nothing happens (iterative refinement)

(58)

Making the numeric-symbolic approach rigorous

Underlying mathematical phenomenon

[CSV12]

Any LLL-reduced basis is well-conditioned with respect to GSO Well-conditioned? The GSO computed in small precision is close to the genuine GSO

⇒ We’d like to rely on LLL-reduced bases as much as we can Use a greedy LLL algorithm

[NS05,MSV09]

:

Consider the first i s.t. b

1

, . . . , b

i

is not LLL-reduced

⇒ b

₁

, . . . , b

_{i −1}

is well-conditioned

Iterate on b

_i

until nothing happens (iterative refinement)

(59)

Bit complexity of floating-point LLL

Small precision? O(n) bits suffice for correctness.

Bit-complexity:

O(n

²

β)

| {z }

1

· O(n

²

)

| {z }

2

· O(nβ)

| {z }

3

+ O(n

²

)

| {z }

4

= O n

⁵

β(n + β) .

1

loop iterations

2

size-reduction arithmetic steps

3

integer arithmetic

4

floating-point arithmetic

Asymptotically not much better than LLL’s O(n

⁴

β

²

(n + β)), but much better in practice

(60)

Bit complexity of floating-point LLL

Small precision? O(n) bits suffice for correctness.

Bit-complexity:

O(n

²

β)

| {z }

1

· O(n

²

)

| {z }

2

· O(nβ)

| {z }

3

+ O(n

²

)

| {z }

4

= O n

⁵

β(n + β) .

1

loop iterations

2

size-reduction arithmetic steps

3

integer arithmetic

4

floating-point arithmetic

Asymptotically not much better than LLL’s O(n

⁴

β

²

(n + β)), but much better in practice

(61)

Can we do better?

[NSV10,PSV13?]

The totally numeric approach

LLL can be accelerated further by using approximations for the bases too!

⇒ e O(n

⁵

β

^1.5

) operations

The totally numeric approach, continued Do the same with several levels of recursion

⇒ e O(n

⁵

β) operations

The totally numeric approach with blocking Consider sub-matrices of the GSO

⇒ e O(n

⁴

β) operations

(62)

Can we do better?

[NSV10,PSV13?]

The totally numeric approach

LLL can be accelerated further by using approximations for the bases too!

⇒ e O(n

⁵

β

^1.5

) operations

The totally numeric approach, continued Do the same with several levels of recursion

⇒ e O(n

⁵

β) operations

The totally numeric approach with blocking Consider sub-matrices of the GSO

⇒ e O(n

⁴

β) operations

(63)

Can we do better?

[NSV10,PSV13?]

The totally numeric approach

LLL can be accelerated further by using approximations for the bases too!

⇒ e O(n

⁵

β

^1.5

) operations

The totally numeric approach, continued Do the same with several levels of recursion

⇒ e O(n

⁵

β) operations

The totally numeric approach with blocking Consider sub-matrices of the GSO

⇒ e O(n

⁴

β) operations

(64)

Plan of the talk

Plan of the talk:

1

Euclidean lattices

2

Applications of euclidean lattices

3

The LLL algorithm

4

Speeding up LLL

5

Conclusion

(65)

Open problems

On LLL:

Lower the cost further: as fast as matrix multiplication?

Improve current implementations In the general area of lattices

Faster algorithms computing shorter vectors than LLL Quantum algorithms

Hardness proofs for worst-case lattice problems Hardness proofs for average-case lattice problems (crucial for lattice-based cryptography)

(66)

Open problems

On LLL:

Lower the cost further: as fast as matrix multiplication?

Improve current implementations In the general area of lattices

Faster algorithms computing shorter vectors than LLL Quantum algorithms

Hardness proofs for worst-case lattice problems Hardness proofs for average-case lattice problems (crucial for lattice-based cryptography)

(67)

Open problems

On LLL:

Lower the cost further: as fast as matrix multiplication?

Improve current implementations In the general area of lattices

Faster algorithms computing shorter vectors than LLL Quantum algorithms

Hardness proofs for worst-case lattice problems Hardness proofs for average-case lattice problems (crucial for lattice-based cryptography)

(68)

Open problems

On LLL:

Lower the cost further: as fast as matrix multiplication?

Improve current implementations In the general area of lattices

Faster algorithms computing shorter vectors than LLL Quantum algorithms

Hardness proofs for worst-case lattice problems Hardness proofs for average-case lattice problems (crucial for lattice-based cryptography)

(69)

MonashUniversity,November2012 DamienStehl´e ComputingwithEuclideanlattices

Computing with Euclidean lattices

Damien Stehl´ e

Monash University, November 2012

Goals and plan of the talk

Goals:

An introduction to the computational aspects of lattices An example of how floating-point arithmetic can be used to accelerate an algebraic computation

Plan of the talk:

Euclidean lattices

Applications of lattices

The LLL algorithm

Speeding up LLL

Goals and plan of the talk

Goals:

An introduction to the computational aspects of lattices An example of how floating-point arithmetic can be used to accelerate an algebraic computation

Plan of the talk:

Euclidean lattices

Applications of lattices

The LLL algorithm

Speeding up LLL

Euclidean lattices

Lattice ≡ discrete subgroup of R

≡ { P

x

b

: x

∈ Z}

If the b

’s are linearly independent, they are called a basis.

Bases are not unique, but they can be obtained from each other by integer transforms of determinant ±1:

 −2 1 10 6



=

 4 −3

2 4



·

 1 1 2 1

 .

Euclidean lattices

Lattice ≡ discrete subgroup of R

≡ { P

x

b

: x

∈ Z}

If the b

’s are linearly independent, they are called a basis.

Bases are not unique, but they can be obtained from each other by integer transforms of determinant ±1:

 −2 1 10 6



=

 4 −3

2 4



·

 1 1 2 1

 .

Euclidean lattices

Lattice ≡ discrete subgroup of R

≡ { P

x

b

: x

∈ Z}

If the b

’s are linearly independent, they are called a basis.

Bases are not unique, but they can be obtained from each other by integer transforms of determinant ±1:

 −2 1 10 6



=

 4 −3

2 4



·

 1 1 2 1

 .

Lattice invariants

Minimum:

λ(L) = min(kbk : b ∈ L \ 0) Determinant:

−2 1 10 6

4 −3

1 1 2 1

.

−2 1 10 6

4 −3

1 1 2 1

.

−2 1 10 6

4 −3

1 1 2 1

.