Content uploaded by Claus Peter Schnorr
All content in this area was uploaded by Claus Peter Schnorr on Sep 24, 2014
I: Lattices, QR-decomposition, LLL-bases

lattice basis $B = [b_1, \ldots, b_n] \in \mathbb{Z}^{m \times n}$
lattice $\mathcal{L}(B) = \{Bx \mid x \in \mathbb{Z}^n\}$
norm $\|x\| = \langle x, x\rangle^{1/2} = \left(\sum_{i=1}^m x_i^2\right)^{1/2}$
SV-length $\lambda_1(\mathcal{L}) = \min\{\|b\| \mid b \in \mathcal{L} \setminus \{0\}\}$
successive minima $\lambda_1, \ldots, \lambda_n$
QR-decomposition $B = QR \in \mathbb{R}^{m \times n}$ such that
• the GNF (geometric normal form) $R = [r_{i,j}] \in \mathbb{R}^{n \times n}$ is upper triangular, $r_{i,j} = 0$ for $j < i$ and $r_{i,i} > 0$,
• $Q \in \mathbb{R}^{m \times n}$ is isometric: $\langle Qx, Qy\rangle = \langle x, y\rangle$.
LLL-basis $B = QR$ for $\delta \in (\frac{1}{4}, 1]$ (Lenstra, Lenstra, Lovász 82):
1. $|r_{i,j}| \le \frac{1}{2} r_{i,i}$ for all $j > i$ (size-reduced),
2. $\delta\, r_{i,i}^2 \le r_{i,i+1}^2 + r_{i+1,i+1}^2$ for $i = 1, \ldots, n-1$.
Average time fast SVP algorithm

Def. The relative density of $\mathcal{L}$: $\mathrm{rd}(\mathcal{L}) := \lambda_1 \gamma_n^{-1/2} (\det \mathcal{L})^{-1/n}$.
$\mathrm{rd}(\mathcal{L}) = \lambda_1(\mathcal{L}) / \max \lambda_1(\mathcal{L}')$ holds for the maximum of $\lambda_1(\mathcal{L}')$ over all lattices $\mathcal{L}'$ such that $\dim \mathcal{L} = \dim \mathcal{L}'$ and $\det \mathcal{L} = \det \mathcal{L}'$.
The HERMITE constant $\gamma_n = \max\{\lambda_1^2 / \det(\mathcal{L})^{2/n} \mid \dim \mathcal{L} = n\}$.
We always have $\|b_1\|^2 \ge \lambda_1^2 = \mathrm{rd}(\mathcal{L})^2 \gamma_n (\det \mathcal{L})^{2/n}$.

Theorem 4.1 (GSA). Given a lattice basis such that $\|b_1\| \le \sqrt{2e\pi}\, n^b \lambda_1$, $b \ge 0$, NEW ENUM solves SVP in time
$$n^{O(1)} + \left(O(n^{2b-\varepsilon})\right)^{\frac{n+1}{4}} \quad \text{if } \mathrm{rd}(\mathcal{L}) = n^{-\frac{1}{2}-\varepsilon},\ \varepsilon > 0.$$
This time bound is polynomial if $2b < \varepsilon$.

GSA: Let $B = QR = Q[r_{i,j}]$ satisfy (for $r_{i,i} = \|b_i^*\|$):
$$r_{i,i}^2 / r_{i-1,i-1}^2 = q \quad \text{for } i = 2, \ldots, n \text{ and some } q > 0.$$
W.l.o.g. let $q < 1$, otherwise $\|b_1\| = \lambda_1$.
We outline the proof of Thm 4.1 in part III.
Average time fast CVP algorithm

Corollary 6.1 (GSA). Given $b_1 \in \mathcal{L}$, $0 \ne \|b_1\| = O(\lambda_1)$, NEW ENUM finds $b \in \mathcal{L}$ such that $\|b - t\| = \|\mathcal{L} - t\|$ in time
$$n^{O(1)} + O\!\left(\sqrt{n}\, \mathrm{rd}(\mathcal{L})\, \|\mathcal{L} - t\|^2 \lambda_1^{-2}\right)^{\frac{n+1}{4}}.$$
This time bound is polynomial if $\|\mathcal{L} - t\| = O(\lambda_1)$ and $\mathrm{rd}(\mathcal{L}) \le n^{-\frac{1}{2}-\varepsilon}$ for $\varepsilon > 0$.
The required short vector $b_1$ can in practice be added to the basis, extending the lattice by a short vector preserving $\mathrm{rd}(\mathcal{L})$. An example will be given in part II for factoring integers using the prime number lattice.
II: Factoring integers via easy CVP solutions

Let $N$ be a positive integer that is not a prime power. Let $p_1 < \cdots < p_n$ enumerate all primes less than $(\ln N)^\alpha$. Then
$$n = \frac{(\ln N)^\alpha}{\alpha \ln \ln N}\left(1 + \frac{O(1)}{\alpha \ln \ln N}\right).$$
Let the prime factors $p$ of $N$ satisfy $p > p_n$.
We show how to factor $N$ by solving easy CVP's for the prime number lattice $\mathcal{L}(B)$, basis matrix $B = [b_1, \ldots, b_n] \in \mathbb{R}^{(n+1) \times n}$:
$$B = \begin{pmatrix} \sqrt{\ln p_1} & 0 & \cdots & 0 \\ 0 & \ddots & & 0 \\ 0 & \cdots & 0 & \sqrt{\ln p_n} \\ N^c \ln p_1 & \cdots & \cdots & N^c \ln p_n \end{pmatrix}, \qquad \mathbf{N} = \begin{pmatrix} 0 \\ \vdots \\ 0 \\ N^c \ln N' \end{pmatrix},$$
and the target vector $\mathbf{N} \in \mathbb{R}^{n+1}$, where either $N' = N$ or $N' = N p_{n+j}$ for one of the next $n$ primes $p_{n+j} > p_n$, $j \le n$. W.l.o.g. let $N' = N$ for the analysis.
Outline of the factoring method

We identify the vector $b = \sum_{i=1}^n e_i b_i \in \mathcal{L}(B)$ with the pair $(u, v)$ of integers
$$u = \prod_{e_j > 0} p_j^{e_j}, \qquad v = \prod_{e_j < 0} p_j^{-e_j} \in \mathbb{N}.$$
Then $u, v$ are free of primes larger than $p_n$ and $\gcd(u, v) = 1$.
We compute vectors $b = \sum_{i=1}^n e_i b_i \in \mathcal{L}(B)$ close to $\mathbf{N}$ such that $|u - vN'| < u$. The prime factorizations $|u - vN'| = \prod_{i=1}^n p_i^{e'_i}$ and of $u$ yield a non-trivial relation
$$\prod_{e_i > 0} p_i^{e_i} = \pm \prod_{i=1}^n p_i^{e'_i} \bmod N. \tag{7.1}$$
Given $n+1$ independent relations (7.1) we write these relations with $p_0 = -1$ and $e_{i,j}, e'_{i,j} \in \mathbb{N}$ as
$$\prod_{i=0}^n p_i^{e_{i,j} - e'_{i,j}} = 1 \bmod N \quad \text{for } j = 1, \ldots, n+1.$$
Any non-trivial solution $z_1, \ldots, z_{n+1} \in \mathbb{Z}$ of the equations
$$\sum_{j=1}^{n+1} z_j (e_{i,j} - e'_{i,j}) = 0 \bmod 2 \quad \text{for } i = 0, \ldots, n$$
solves $X^2 = Y^2 \bmod N$ with
$$X = \prod_{i=0}^n p_i^{\frac{1}{2} \sum_{j=1}^{n+1} z_j (e_{i,j} + e'_{i,j})} \bmod N, \qquad Y = \prod_{i=0}^n p_i^{\sum_{j=1}^{n+1} z_j e'_{i,j}} \bmod N.$$
The exponents of $X$ are integers because $e_{i,j} + e'_{i,j} \equiv e_{i,j} - e'_{i,j} \bmod 2$, and $X^2 = \prod_i p_i^{\sum_j z_j e_{i,j}} \cdot \prod_i p_i^{\sum_j z_j e'_{i,j}} = Y^2 \bmod N$ by the relations.
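The combination step of this outline, carried through as an added worked example (my code, not the slides'): relations of the form (7.1) are collected, the parity system over GF(2) with $p_0 = -1$ is solved, and every non-trivial kernel combination is turned into $X^2 = Y^2 \bmod N$ and a gcd. The CVP step that the slides use to find close vectors is replaced by a constructed brute-force scan over smooth $u$ with $v$ the nearest integer to $u/N$, and $N = 323 = 17 \cdot 19$ with factor base $\{2, \ldots, 13\}$ is a constructed toy instance; neither comes from the page.

```python
import math

def factor_over_base(m, base):
    """Exponent vector of m > 0 over the factor base, or None if m is not base-smooth."""
    exps = []
    for p in base:
        e = 0
        while m % p == 0:
            m //= p
            e += 1
        exps.append(e)
    return exps if m == 1 else None

def find_relations(N, base, want, bound):
    """Brute-force stand-in for the CVP step (an assumption of this example): scan smooth u, take v =
    nearest integer to u/N and keep the pair when 0 < |u - vN| < u is smooth too.  A relation
    (u, v, eu, sign, ed) encodes u = (-1)^sign * prod p_i^ed_i (mod N), i.e. (7.1) with p_0 = -1."""
    rels = []
    for u in range(2, bound):
        eu = factor_over_base(u, base)
        if eu is None:
            continue
        v = round(u / N)
        d = u - v * N
        if d == 0 or abs(d) >= u:
            continue
        ed = factor_over_base(abs(d), base)
        if ed is None:
            continue
        rels.append((u, v, eu, 1 if d < 0 else 0, ed))
        if len(rels) == want:
            break
    return rels

def gf2_nullspace(rows, ncols):
    """Basis of {z in GF(2)^ncols : M z = 0} by Gauss-Jordan elimination over GF(2)."""
    M = [r[:] for r in rows]
    pivots, r = [], 0
    for c in range(ncols):
        piv = next((i for i in range(r, len(M)) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        for i in range(len(M)):
            if i != r and M[i][c]:
                M[i] = [a ^ b for a, b in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
    basis = []
    for f in (c for c in range(ncols) if c not in pivots):
        z = [0] * ncols
        z[f] = 1
        for i, pc in enumerate(pivots):
            z[pc] = M[i][f]
        basis.append(z)
    return basis

def combine(N, base, rels, z):
    """X, Y with X^2 = Y^2 (mod N) from a kernel vector z: X = prod p^((e+e')/2), Y = prod p^e'."""
    n = len(base)
    sum_e, sum_ed = [0] * n, [0] * n
    for zj, (_, _, eu, _, ed) in zip(z, rels):
        if zj:
            sum_e = [a + b for a, b in zip(sum_e, eu)]
            sum_ed = [a + b for a, b in zip(sum_ed, ed)]
    X = Y = 1
    for p, se, sd in zip(base, sum_e, sum_ed):
        X = X * pow(p, (se + sd) // 2, N) % N    # se + sd is even for every kernel vector
        Y = Y * pow(p, sd, N) % N
    return X, Y

def factor_via_relations(N, base, want=None, bound=None):
    """Combine relations (7.1) into X^2 = Y^2 (mod N) and return a proper factor of N, or None."""
    n = len(base)
    rels = find_relations(N, base, want or n + 5, bound or 200 * N)
    # parity system: row 0 is the sign (p_0 = -1), row i the exponent of p_i in u * |u - vN| mod 2
    rows = [[rel[3] for rel in rels]] + [[(rel[2][i] + rel[4][i]) % 2 for rel in rels] for i in range(n)]
    basis = gf2_nullspace(rows, len(rels))
    for mask in range(1, 1 << min(len(basis), 12)):      # try every non-trivial kernel combination
        z = [0] * len(rels)
        for b, vec in enumerate(basis[:12]):
            if mask >> b & 1:
                z = [a ^ c for a, c in zip(z, vec)]
        X, Y = combine(N, base, rels, z)
        if (X * X - Y * Y) % N != 0:
            raise ArithmeticError("relation bookkeeping is inconsistent")
        g = math.gcd(X - Y, N)
        if 1 < g < N:
            return g
    return None

if __name__ == "__main__":
    # constructed toy instance: N = 17 * 19, factor base = primes below 17 (all prime factors of N exceed p_n)
    print(factor_via_relations(323, [2, 3, 5, 7, 11, 13]))
```

With $n + 5$ relations the parity system has $n + 1$ rows, so the kernel has dimension at least 4 and the loop tries every combination until one yields a proper factor; `find_relations` is only a stand-in, the slides obtain the same pairs $(u, v)$ from CVP solutions.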
Computing relations (7.1) from smooth $(u, v)$

Lemma. If $|u - vN'| = o(N^c)$, $v = \Theta(N^{c-1})$, $e_1, \ldots, e_n \in \{0, \pm 1\}$ then
$$\|b - \mathbf{N}\|^2 = (2c - 1) \ln N + \ln(p_{n+j}) + \Theta\!\left(|u - vN'|^2 (N/N')^2\right).$$
Proof. We see from $e_1, \ldots, e_n \in \{0, \pm 1\}$ that
$$\|b - \mathbf{N}\|^2 = \ln u + \ln v + N^{2c} \left|\ln \frac{u}{vN'}\right|^2.$$
Clearly, $v = \Theta(N^{c-1})$, $|u - vN'| = o(N^c)$ implies
$$\ln u + \ln v = (2c - 1) \ln N + \ln(N'/N) + \Theta(1).$$
Moreover
$$\left|\ln \frac{u}{vN'}\right| = \left|\ln\left(1 + \frac{u - vN'}{vN'}\right)\right| = \frac{|u - vN'|}{vN'}(1 + o(1)) = \Theta\!\left(\frac{|u - vN'|}{N^{c-1} N'}\right).$$
Combining these equations proves the claim.

Theorem 7.2. $\|b - \mathbf{N}\|^2 \le (2c - 1) \ln N + 2\delta \ln p_n$ implies $|u - vN'| \le p_n^{\frac{1}{\alpha} + \delta + o(1)}$.
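The basis matrix of part II and the identity $\|b - \mathbf{N}\|^2 = \ln u + \ln v + N^{2c}|\ln(u/(vN'))|^2$ from the proof of the Lemma, carried through numerically as an added example (my code, not the slides'). The instance $N = 323$, primes $2, \ldots, 13$, $c = 1$, $N' = N$ and the pairs $(u, v) = (1001, 3)$ (with $u - vN = 32$, all $e_i \in \{0, \pm 1\}$) and $(324, 1)$ (with $u - vN = 1$) are constructed.

```python
import math

def prime_lattice_basis(primes, N, N_prime, c):
    """Columns b_1..b_n of the basis matrix B in R^{(n+1) x n} of the prime number lattice and the
    target vector: b_i = (0, .., sqrt(ln p_i), .., 0, N^c ln p_i), target = (0, ..., 0, N^c ln N')."""
    n, scale = len(primes), float(N) ** c
    basis = []
    for i, p in enumerate(primes):
        b = [0.0] * (n + 1)
        b[i] = math.sqrt(math.log(p))
        b[n] = scale * math.log(p)
        basis.append(b)
    target = [0.0] * n + [scale * math.log(N_prime)]
    return basis, target

def exponents_from_uv(u, v, primes):
    """Coefficients e_i of the lattice vector identified with (u, v): +exponent of p_i in u, -exponent in v."""
    e = []
    for p in primes:
        k = 0
        while u % p == 0:
            u //= p
            k += 1
        while v % p == 0:
            v //= p
            k -= 1
        e.append(k)
    if u != 1 or v != 1:
        raise ValueError("u or v is not smooth over the given primes")
    return e

def dist2_to_target(basis, target, e):
    """||sum_i e_i b_i - target||^2 for the lattice vector with coefficients e."""
    vec = [sum(e[i] * basis[i][k] for i in range(len(basis))) for k in range(len(target))]
    return sum((x - y) ** 2 for x, y in zip(vec, target))

def lemma_rhs(u, v, N, N_prime, c):
    """ln u + ln v + N^{2c} |ln(u / (v N'))|^2, the closed form of the Lemma (valid for e_i in {0, +-1})."""
    return math.log(u) + math.log(v) + float(N) ** (2 * c) * math.log(u / (v * N_prime)) ** 2

if __name__ == "__main__":
    # constructed toy instance: N = 323, factor base 2..13, c = 1, N' = N
    primes, N, c = [2, 3, 5, 7, 11, 13], 323, 1
    basis, target = prime_lattice_basis(primes, N, N, c)
    for u, v in [(1001, 3), (324, 1)]:          # 1001 - 3*323 = 32, 324 - 323 = 1
        e = exponents_from_uv(u, v, primes)
        print(u, v, e, dist2_to_target(basis, target, e))
```

The last coordinate of $\sum_i e_i b_i - \mathbf{N}$ is $N^c \ln(u/(vN'))$, so a smaller $|u - vN'|$ pulls the lattice vector closer to the target; for $(324, 1)$ the coefficients $e = (2, 4, 0, \ldots)$ lie outside $\{0, \pm 1\}$, so the Lemma's closed form does not apply to it, but its distance is still far below that of $(1001, 3)$.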
The existence of $b \in \mathcal{L}(B)$ such that $|u - vN| = 1$

An integer $z$ is called $y$-smooth if all prime factors $p$ of $z$ satisfy $p \le y$. Let $N'$ be either $N$ or $N p_{n+j}$ for one of the next $n$ primes $p_{n+j} > p_n$. We denote
$$M_{\alpha,c,N} = \left\{(u, v) \in \mathbb{N}^2 \;\middle|\; u \le N^c,\ |u - vN'| = 1,\ N^{c-1}/2 < v < N^{c-1},\ u, v \text{ are squarefree and } (\ln N)^\alpha\text{-smooth}\right\}.$$
Theorem 7.4 [S93]. If the equation $|u - \lceil u/N \rfloor N| = 1$ ($\lceil \cdot \rfloor$ denotes the nearest integer) is for random $u$ of order $N^c$ nearly statistically independent from the event that $u, \lceil u/N \rfloor$ are squarefree and $(\ln N)^\alpha$-smooth then $\# M_{\alpha,c,N} = N^{\varepsilon + o(1)}$ holds if $\alpha > \frac{2c-1}{c-1}$, $c > 1$.
We will use this theorem for $c = \ln N$ and $\alpha > 4$.
Vectors $b \in \mathcal{L}$ closest to $\mathbf{N}$ yield relations (7.1)

Theorem 7.5. The vector $b = \sum_{i=1}^n e_i b_i \in \mathcal{L}(B)$ closest to $\mathbf{N}$ provides a non-trivial relation (7.1) provided that $M_{\alpha,c,N} \ne \emptyset$.
Theorem 7.6. If $M_{\alpha,c,N} \ne \emptyset$ for $c = \ln N$ and $\alpha > 4$ then we can minimize $\|\mathcal{L}(B) - \mathbf{N}\|$ in polynomial time under GSA given $b \in \mathcal{L}(B)$ such that $0 \ne \|b\| = O(\lambda_1)$.
It follows from $M_{\alpha,c,N} \ne \emptyset$ for $N' \in \{N, N p_{n+j}\}$ that
$$\|\mathcal{L} - \mathbf{N}\|^2 \le (2c - 1) \ln N' + 1 = (2c - 1 + o(1)) \ln N.$$
Lemma 5.3 of [MG02] proves that $\lambda_1^2 \ge 2c \ln N - \Theta(1)$.
Claim: $\lambda_1^2 = 2c \ln N + O(1)$.
$$\mathrm{rd}(\mathcal{L}) = \frac{\lambda_1}{\sqrt{\gamma_n}\,(\det \mathcal{L})^{1/n}} \le \left(\frac{2e\pi \cdot 2c \ln N}{(\ln N)^\alpha}\right)^{1/2} = O(c \ln N)^{(1-\alpha)/2} = O\!\left((\ln N)^{1-\alpha}\right).$$
Moreover, we have for $c = \ln N$, $\alpha > 4$ and $\varepsilon = \frac{1}{2} - 1/\alpha > 0$ that
$$n^{-\frac{1}{2} - \varepsilon} = n^{-1 + 1/\alpha} \approx (\alpha \ln \ln N)^{1 - 1/\alpha} (\ln N)^{1-\alpha} > \mathrm{rd}(\mathcal{L}).$$
Providing a nearly shortest vector of $\mathcal{L}(B)$

We extend the prime number basis $B$ and $\mathcal{L}(B)$ by a nearly shortest lattice vector of the extended lattice, preserving $\mathrm{rd}(\mathcal{L})$, $\det(\mathcal{L})$ and the structure of the lattice.
We extend the prime base by a prime $\bar{p}_{n+1}$ of order $\Theta(N^c)$ such that $|u - \bar{p}_{n+1}| = O(1)$ holds for a squarefree $(\ln N)^\alpha$-smooth $u$. Then
$$\Big\|\sum_i e_i b_i - b_{n+1}\Big\|^2 = 2c \ln N + O(1)$$
holds for $u = \prod_i p_i^{e_i}$ and the additional basis vector $b_{n+1}$ corresponding to $\bar{p}_{n+1}$. $\sum_i e_i b_i - b_{n+1}$ is a nearly shortest vector of $\mathcal{L}(b_1, \ldots, b_{n+1})$.

Efficient construction of $\bar{p}_{n+1}$. Generate $u$ at random and test the nearby $\bar{p}$ for primality. If the density of primes near $u$ is not exceptionally small, $\bar{p}_{n+1}$ and $b_{n+1}$ can be found in probabilistic polynomial time. A single $\bar{p}_{n+1}$ can be used to solve all CVP's for the factorization of all integers of order $\Theta(N)$.
III: A novel enumeration of short lattice vectors

Let $\pi_t : \mathrm{span}(b_1, \ldots, b_n) \to \mathrm{span}(b_1, \ldots, b_{t-1})^\perp$ for $t = 1, \ldots, n$ denote the orthogonal projections and let $\mathcal{L}_t = \mathcal{L}(b_1, \ldots, b_{t-1})$.
Stage $(u_t, \ldots, u_n)$ of ENUM. $b := \sum_{i=t}^n u_i b_i \in \mathcal{L}$ and $u_t, \ldots, u_n \in \mathbb{Z}$ are given. The stage searches exhaustively for all $\sum_{i=1}^{t-1} u_i b_i \in \mathcal{L}$ such that $\|\sum_{i=1}^n u_i b_i\|^2 \le A$ holds for a given upper bound $A \ge \lambda_1^2$. We have
$$\Big\|\sum_{i=1}^n u_i b_i\Big\|^2 = \Big\|\zeta_t + \sum_{i=1}^{t-1} u_i b_i\Big\|^2 + \|\pi_t(b)\|^2,$$
where $\zeta_t := b - \pi_t(b) = Q v_t \in \mathrm{span}\, \mathcal{L}_t$ is the orthogonal projection in $\mathrm{span}\, \mathcal{L}_t$ of the given $b = \sum_{i=t}^n u_i b_i$ and $v_t = (v_1, \ldots, v_{t-1}, 0^{n-t+1})^t$ for $v_i = \sum_{j=t}^n r_{i,j} u_j$. Stage $(u_t, \ldots, u_n)$ exhaustively enumerates $B_{t-1}(\zeta_t, \rho_t) \cap \mathcal{L}_t$, the intersection of the lattice $\mathcal{L}_t$ and the sphere $B_{t-1}(\zeta_t, \rho_t) \subset \mathrm{span}\, \mathcal{L}_t$ of dimension $t-1$ with radius $\rho_t := (A - \|\pi_t(b)\|^2)^{1/2}$ and center $\zeta_t$.
The success rate $\beta_t$ of stages

The GAUSSIAN volume heuristics estimates $|B_{t-1}(\zeta_t, \rho_t) \cap \mathcal{L}_t|$ for $t > 1$ to
$$\beta_t =_{\mathrm{def}} \mathrm{vol}\, B_{t-1}(\zeta_t, \rho_t) / \det \mathcal{L}_t.$$
Here $\mathrm{vol}\, B_{t-1}(\zeta_t, \rho_t) = V_{t-1} \rho_t^{t-1}$, $V_{t-1} = \pi^{\frac{t-1}{2}} / (\frac{t-1}{2})!$ is the volume of the unit sphere of dimension $t-1$, $\det \mathcal{L}_t = \prod_{i=1}^{t-1} r_{i,i}$, $\rho_t^2 := A - \|\pi_t(\sum_{i=t}^n u_i b_i)\|^2$.
We call $\beta_t$ the success rate of stage $(u_t, \ldots, u_n)$.
If $\zeta_t \bmod \mathcal{L}_t$ is uniformly distributed over $\{\sum_{i=1}^{t-1} r_i b_i \mid 0 \le r_1, \ldots, r_{t-1} < 1\}$ then $E_{\zeta_t}[|B_{t-1}(\zeta_t, \rho_t) \cap \mathcal{L}_t|] = \beta_t$, where $E_{\zeta_t}$ refers to a random $\zeta_t \bmod \mathcal{L}_t$. This holds because $1/\det \mathcal{L}_t$ is the number of lattice points of $\mathcal{L}_t$ per volume in $\mathrm{span}\, \mathcal{L}_t$. The formal analysis of NEW ENUM by Theorem 4.1 uses a proven version of the volume heuristics without assuming that $\zeta_t \bmod \mathcal{L}_t$ is random.
Outline of New Enum for SVP

INPUT: LLL-basis $B = QR \in \mathbb{Z}^{m \times n}$, $R \in \mathbb{R}^{n \times n}$, $A := \frac{n}{4} (\det B^t B)^{1/n} = \frac{n}{4} (\det \mathcal{L})^{2/n}$.
OUTPUT: a sequence of $b \in \mathcal{L}(B)$ of decreasing length $\|b\|^2 \le A$ terminating with $\|b\| = \lambda_1$.
1. $s := 1$, $L_s := \emptyset$ (we call $s$ the level).
2. Perform algorithm ENUM [SE94] pruned to stages with $\beta_t \ge 2^{-s}$: Upon entry of stage $(u_t, \ldots, u_n)$ compute $\beta_t$. If $\beta_t < 2^{-s}$ delay this stage and store $(\beta_t, u_t, \ldots, u_n)$ in the list $L_s$ of delayed stages. If $\beta_t \ge 2^{-s}$ perform stage $(u_t, \ldots, u_n)$ on level $s$, and as soon as some non-zero $b \in \mathcal{L}$ of length $\|b\|^2 \le A$ has been found give out $b$ and set $A := \|b\|^2 - 1$.
3. $L_{s+1} := \emptyset$, perform the stages $(u_t, \ldots, u_n)$ of $L_s$ with $\beta_t \ge 2^{-s-1}$ in increasing order of $t$ and for fixed $t$ in order of decreasing $\beta_t$. Collect the appearing substages $(u_{t'}, \ldots, u_t, \ldots, u_n)$ with $\beta_{t'} < 2^{-s-1}$ in $L_{s+1}$.
4. IF $L_{s+1} \ne \emptyset$ THEN [$s := s+1$, GO TO 3] ELSE terminate by exhaustion.
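The outline above as runnable code, added here and not the authors' implementation: success rates $\beta_t$ from the Gaussian volume heuristics, delayed-stage lists per level, and $A := \|b\|^2 - 1$ after each output. Assumptions that are mine: the basis is integral (so $A$ can be decremented by 1), the initial bound is $\min_i \|b_i\|^2$ rather than the slide's $\frac{n}{4} (\det \mathcal{L})^{2/n}$ (which lies below $\lambda_1^2$ for small $n$), levels that no delayed stage can pass are skipped instead of stepping $s$ by one, and the example basis of $\mathbb{Z}^3$ is constructed.

```python
import math

def gram_schmidt_R(B):
    """Upper-triangular factor R of the QR-decomposition B = QR, for the basis vectors given as rows of B:
    R[i][i] = ||b_i^*||, R[i][j] = <b_j, b_i^*> / ||b_i^*|| for j > i (modified Gram-Schmidt, plain floats)."""
    n = len(B)
    R = [[0.0] * n for _ in range(n)]
    bstar = []
    for i in range(n):
        v = [float(x) for x in B[i]]
        for j in range(i):
            mu = sum(a * b for a, b in zip(v, bstar[j])) / R[j][j] ** 2
            R[j][i] = mu * R[j][j]
            v = [a - mu * b for a, b in zip(v, bstar[j])]
        R[i][i] = math.sqrt(sum(x * x for x in v))
        bstar.append(v)
    return R

def proj_norm2(R, tail):
    """||pi_t(sum_{i>=t} u_i b_i)||^2 for a stage whose fixed coefficients are tail = (u_t, ..., u_n)."""
    n = len(R)
    t = n - len(tail)
    return sum(sum(R[i][j] * tail[j - t] for j in range(i, n)) ** 2 for i in range(t, n))

def success_rate(R, t, rho2):
    """beta_t = vol(ball of radius rho in dimension t) / det L_t; here t counts the still free
    coefficients (0-indexed), so the ball has dimension t and L_t is spanned by the first t basis vectors."""
    if rho2 < 0:
        return 0.0
    if t == 0:
        return 1.0
    det_Lt = math.prod(R[i][i] for i in range(t))
    return math.pi ** (t / 2) / math.gamma(t / 2 + 1) * rho2 ** (t / 2) / det_Lt

def children(R, tail, A):
    """Substages (u_{t-1}, tail) whose projected length can still stay below sqrt(A)."""
    n = len(R)
    t = n - len(tail)
    i = t - 1
    rho2 = A - proj_norm2(R, tail)
    if rho2 < 0:
        return []
    centre = -sum(R[i][j] * tail[j - t] for j in range(t, n)) / R[i][i]
    radius = math.sqrt(rho2) / R[i][i] + 1e-9
    return [(u,) + tail for u in range(math.ceil(centre - radius), math.floor(centre + radius) + 1)]

def new_enum_svp(B, A=None):
    """NEW ENUM for an integer basis B (rows): returns the emitted vectors as (vector, ||vector||^2),
    of strictly decreasing length, the last one of length lambda_1."""
    n = len(B)
    R = gram_schmidt_R(B)
    if A is None:
        # min ||b_i||^2 is always >= lambda_1^2; the slide's n/4 (det L)^{2/n} is not for small n
        # (n = 3: gamma_3 = 2^{1/3} > 3/4), so this added example uses the safe bound (my choice).
        A = min(sum(x * x for x in b) for b in B)
    found, s, delayed = [], 1, [()]           # level 1; the root stage has no coefficient fixed
    while delayed:
        thr, nxt = 2.0 ** -s, []
        # increasing t, for fixed t decreasing success rate, as in step 3 of the outline
        delayed.sort(key=lambda tl: (n - len(tl), -success_rate(R, n - len(tl), A - proj_norm2(R, tl))))
        for start in delayed:
            stack = [start]
            while stack:
                tail = stack.pop()
                t = n - len(tail)
                rho2 = A - proj_norm2(R, tail)
                if rho2 < -1e-9:
                    continue                   # cut off by a shorter vector found meanwhile
                beta = success_rate(R, t, rho2)
                if 0 < beta < thr:
                    nxt.append(tail)           # delay to a later level
                    continue
                if t == 0:
                    if any(tail):
                        vec = [sum(tail[k] * B[k][j] for k in range(n)) for j in range(len(B[0]))]
                        norm2 = sum(x * x for x in vec)
                        found.append((vec, norm2))
                        A = norm2 - 1          # integer lattice: from now on only strictly shorter vectors
                    continue
                stack.extend(children(R, tail, A))
        live = [b for b in (success_rate(R, n - len(tl), A - proj_norm2(R, tl)) for tl in nxt) if b > 0]
        delayed = nxt if live else []
        if live:
            s = max(s + 1, math.ceil(-math.log2(max(live))))   # skip levels no delayed stage can pass
    return found

if __name__ == "__main__":
    # constructed example: a non-obvious basis of Z^3 (det = 1), so lambda_1 = 1
    for vec, norm2 in new_enum_svp([[2, 3, 1], [1, 2, 1], [1, 1, 1]]):
        print(vec, norm2)
```

Stages whose sphere has shrunk to a point ($\rho_t = 0$, hence $\beta_t = 0$) are performed at once rather than delayed, since they would otherwise never pass a threshold $2^{-s} > 0$; a delayed stage recomputes $\rho_t$ from the current $A$ when it is finally performed, so vectors output in the meantime prune it.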
Proof of Theorem 4.1

Thm 4.1. NEW ENUM solves SVP in time $n^{O(1)} + \left(O(n^{2b-\varepsilon})\right)^{\frac{n+1}{4}}$ if $\mathrm{rd}(\mathcal{L}) = n^{-\frac{1}{2}-\varepsilon}$, $\varepsilon > 0$ and if $\|b_1\| \le \sqrt{2e\pi}\, n^b \lambda_1$.
NEW ENUM essentially performs stages in decreasing order of the success rate $\beta_t$. Let $b' = \sum_{i=1}^n u'_i b_i \in \mathcal{L}$ denote the unique vector of length $\lambda_1$ that is found by NEW ENUM. Let $\beta'_t$ be the success rate of stage $(u'_t, \ldots, u'_n)$.
NEW ENUM performs stage $(u'_t, \ldots, u'_n)$ prior to all stages $(u_t, \ldots, u_n)$ of success rate $\beta_t \le \frac{1}{2} \beta'_t$.
Simplifying assumption. We assume that NEW ENUM performs stage $(u'_t, \ldots, u'_n)$ prior to all stages of success rate $\beta_t < \beta'_t$ (i.e., $\rho_t < \rho'_t$). By definition $\rho_t^2 = A - \|\pi_t(b)\|^2$ and $\rho'^2_t = A - \|\pi_t(b')\|^2$.
Without using the simplifying assumption, the proven time bound of Theorem 4.1 increases at most by the factor 2.
A proven version of the volume heuristics

Consider the number $M_t$ of stages $(u_t, \ldots, u_n)$ with $\|\pi_t(\sum_{i=t}^n u_i b_i)\| \le \lambda_1$:
$$M_t := \# B_{n-t+1}(0, \lambda_1) \cap \pi_t(\mathcal{L}).$$
Modulo the heuristic simplifications $M_t$ covers the stages that precede $(u'_t, \ldots, u'_n)$ and those that finally prove $\|b'\| = \lambda_1$.

Lemma 4.2. $M_t \le e^{\frac{n-t+1}{2}} \prod_{i=t}^n \left(1 + \frac{\sqrt{8\pi}\, \lambda_1}{\sqrt{n-t+1}\, r_{i,i}}\right)$.

Proof. We use the method of Lemma 1 of [MO90] and follow the adjusted proof of (2) in section 4.1 of [HS07]. We abbreviate $n_t = n - t + 1$. Consider the ellipsoid
$$E_t = \Big\{(x_t, \ldots, x_n)^t \in \mathbb{R}^{n_t} \;\Big|\; \Big\|\pi_t\Big(\sum_{i=t}^n x_i b_i\Big)\Big\|^2 \le \lambda_1^2\Big\}, \quad \text{where}$$
$$\Big\|\pi_t\Big(\sum_{i=t}^n x_i b_i\Big)\Big\|^2 = \sum_{i=t}^n \Big(\sum_{j=i}^n r_{i,j} x_j\Big)^2 = \sum_{i=t}^n \Big(\sum_{j=i}^n \mu_{j,i} x_j\Big)^2 \|b_i^*\|^2.$$
By definition $M_t \le \#(E_t \cap \mathbb{Z}^{n_t})$. We set
$$P_i x := \sum_{j > i} \frac{r_{i,j}}{r_{i,i}} x_j, \qquad x'_i := x_i + \lceil P_i x \rfloor, \qquad \{P_i x\} := P_i x - \lceil P_i x \rfloor,$$
$$F_t := \Big\{(x'_t, \ldots, x'_n)^t \in \mathbb{R}^{n_t} \;\Big|\; \sum_{i=t}^n (x'_i + \{P_i x\})^2 r_{i,i}^2 \le \lambda_1^2\Big\}.$$
Claim. $\#(E_t \cap \mathbb{Z}^{n_t}) \le \#(F_t \cap \mathbb{Z}^{n_t})$.
Proof. The transformation $(x_t, \ldots, x_n) \mapsto (x'_t, \ldots, x'_n)$ is injective. [If $i \ge t$ is the least index such that $(y_i, \ldots, y_n)$ and $(z_i, \ldots, z_n)$ differ then $y'_i \ne z'_i$. Moreover $(x'_i + \{P_i x\}) r_{i,i} = \sum_{j=i}^n r_{i,j} x_j$.]
We simplify $E_t$ to $E'_t = \{x' \in \mathbb{R}^{n_t} \mid \sum_{i=t}^n x'^2_i r_{i,i}^2 \le 4\lambda_1^2\}$. Since $|\{P_i x\}| \le \frac{1}{2}$, $x'_i \in \mathbb{Z}$ and $|x'_i + \epsilon|^2 \ge x'^2_i/4$ for $|\epsilon| \le \frac{1}{2}$ we see that $F_t \cap \mathbb{Z}^{n_t} \subset E'_t \cap \mathbb{Z}^{n_t}$. Hence $M_t \le \#(E'_t \cap \mathbb{Z}^{n_t})$.
We bound $\#(E'_t \cap \mathbb{Z}^{n_t})$ using the method of [MO90, Lemma 1]. Denoting $N_r := \#\{(k_t, \ldots, k_n)^t \in \mathbb{Z}^{n_t} \mid \sum_{i=t}^n r_{i,i}^2 k_i^2 = r\}$ we have for $s > 0$
$$\#(E'_t \cap \mathbb{Z}^{n_t}) = \sum_{0 \le r \le 4\lambda_1^2} N_r \le \sum_{0 \le r \le 4\lambda_1^2} N_r\, e^{s(4\lambda_1^2 - r) n_t} \le e^{s 4\lambda_1^2 n_t} \sum_{r \ge 0} N_r\, e^{-s r n_t}$$
$$\le e^{s 4\lambda_1^2 n_t} \prod_{i=t}^n \sum_{k_i \in \mathbb{Z}} e^{-s r_{i,i}^2 k_i^2 n_t} \le e^{s 4\lambda_1^2 n_t} \prod_{i=t}^n \left(1 + \frac{\sqrt{\pi}}{\sqrt{s n_t}\, r_{i,i}}\right)$$
since $\sum_{k \in \mathbb{Z}} e^{-Tk^2} = 1 + 2\sum_{k=1}^\infty e^{-Tk^2} \le 1 + 2\int_0^\infty e^{-Tx^2}\, dx = 1 + \sqrt{\pi/T}$. We get for $s := 1/(8\lambda_1^2)$:
$$\#(E'_t \cap \mathbb{Z}^{n_t}) \le e^{n_t/2} \prod_{i=t}^n \left(1 + \frac{\sqrt{8\pi}\, \lambda_1}{\sqrt{n_t}\, r_{i,i}}\right).$$
Proof of Theorem 4.1 continued

Now $r_{i,i}^2 = \|b_1\|^2 q^{i-1}$ and $\lambda_1^2 / (\gamma_n\, \mathrm{rd}(\mathcal{L})^2) = (\det \mathcal{L})^{\frac{2}{n}} = \|b_1\|^2 q^{\frac{n-1}{2}}$ hold by GSA and thus $\gamma_n \ge \frac{n}{2e\pi}$ directly implies for $i = t, \ldots, n$
$$\sqrt{n-t+1}\, r_{i,i} \le \sqrt{2e\pi}\, \mathrm{rd}(\mathcal{L})^{-1} \lambda_1 q^{(2i-n-1)/4}.$$
By Lemma 4.2
$$M_t \le \prod_{i=t}^n \frac{e\sqrt{2\pi}\, \mathrm{rd}(\mathcal{L})^{-1} \lambda_1 q^{(2i-n-1)/4} + \sqrt{8e\pi}\, \lambda_1}{\sqrt{n-t+1}\, r_{i,i}}.$$
For $\bar{\eta} := 2 + \sqrt{e}$, $t := \frac{n}{2} + 1 - c$, $m(q, c) := [\text{if } c > 0 \text{ then } q^{\frac{1-c^2}{4}} \text{ else } 1]$ we get
$$M_t \le m(q, c) \left(\frac{\bar{\eta} \sqrt{2e\pi}\, \lambda_1}{\sqrt{n-t+1}\, \mathrm{rd}(\mathcal{L})}\right)^{n-t+1} \Big/ \det \pi_t(\mathcal{L}), \tag{4.1}$$
because $m(q, c) = q^{\frac{1-c^2}{4}} = q^{-\sum_{i=0}^c (2i-1)/4} \ge \prod_{i=t}^{n/2+1} \frac{\sqrt{n-t+1}\, r_{i,i}}{\bar{\eta} \sqrt{2e\pi}\, \lambda_1}$ for $c > 0$. We see from (4.1) and $\det \pi_t(\mathcal{L}) = \|b_1\|^{n-t+1} q^{\sum_{i=t-1}^{n-1} i/2}$ that
$$M_t \le m(q, c) \left(\frac{\bar{\eta} \sqrt{2e\pi}\, \lambda_1}{\sqrt{n-t+1}\, \mathrm{rd}(\mathcal{L})\, \|b_1\|}\right)^{n-t+1} \Big/ q^{\sum_{i=t-1}^{n-1} i/2}. \tag{4.2}$$
Now $\gamma_n \le \frac{1.744\,(n + o(n))}{2e\pi}$ [KL78] implies via GSA
$$\frac{e\pi\, \lambda_1^2}{n\, \mathrm{rd}(\mathcal{L})^2 \|b_1\|^2} \le q^{\frac{n-1}{2}} \quad \text{for } n \ge n_0. \tag{4.3}$$
(4.2), (4.3) and $\frac{1}{n-1} \sum_{i=t-1}^{n-1} i = \frac{n}{2} - \frac{(t-1)(t-2)}{2(n-1)}$ yield
$$M_t \le m(q, c) \left(\frac{\bar{\eta} \sqrt{2e\pi}\, \lambda_1}{\sqrt{n-t+1}\, \mathrm{rd}(\mathcal{L})\, \|b_1\|}\right)^{n-t+1} \left(\frac{\sqrt{n}\, \mathrm{rd}(\mathcal{L})\, \|b_1\|}{\sqrt{e\pi}\, \lambda_1}\right)^{n - \frac{(t-1)(t-2)}{n-1}}.$$
The difference of the exponents
$$de(t) = n - \frac{(t-1)(t-2)}{n-1} - (n - t + 1) = (t-1)\left(1 - \frac{t-2}{n-1}\right)$$
is positive for $t \le n$ and maximal for $t_{\max} = \frac{n}{2} + 1$, $de(\frac{n}{2} + 1 - c) = \frac{n+1}{4} + \frac{1/4 - c^2}{n-1}$. We get for $\|b_1\| \le \sqrt{2e\pi}\, n^b \lambda_1$, $t = \frac{n}{2} + 1 - c$:
$$M_t \le m(q, c)\, O\!\left(n^{\frac{1}{2} + b}\, \mathrm{rd}(\mathcal{L})\right)^{\frac{n+1}{4} + \frac{1/4 - c^2}{n-1}}.$$
Hence $M_t = \left(O(n^{\frac{1}{2} + 2b}\, \mathrm{rd}(\mathcal{L}))\right)^{\frac{n+1}{4}}$.
Open problems

Main open problem: Can the factoring algorithm be improved by the method of the number field sieve?
We factor $N$ via easy CVP-solutions that correspond to multiplicative relations mod $N$, related to the quadratic sieve. The last coordinate of a CVP-solution yields a multiplicative relation of the factor base, under the natural logarithm $\ln$. How to incorporate mod $N$ reductions under the $\ln$ transform?
References

Ad95 L. A. Adleman, Factoring and lattice reduction. Manuscript, 1995.
AEVZ02 E. Agrell, T. Eriksson, A. Vardy and K. Zeger, Closest point search in lattices. IEEE Trans. on Inform. Theory, 48 (8), pp. 2201–2214, 2002.
Aj96 M. Ajtai, Generating hard instances of lattice problems. In Proc. 28th Annual ACM Symposium on Theory of Computing, pp. 99–108, 1996.
AD97 M. Ajtai and C. Dwork, A public-key cryptosystem with worst-case / average-case equivalence. In Proc. 29th STOC, ACM, pp. 284–293, 1997.
Ba86 L. Babai, On Lovász' lattice reduction and the nearest lattice point problem. Combinatorica 6 (1), pp. 1–13, 1986.
BL05 J. Buchmann and C. Ludwig, Practical lattice basis sampling reduction. eprint.iacr.org, TR 072, 2005.
Ca98 Y. Cai, A new transference theorem and applications to Ajtai's connection factor. ECCC, Report No. 5, 1998.
CEP83 E. R. Canfield, P. Erdős and C. Pomerance, On a problem of Oppenheim concerning "Factorisatio Numerorum". J. of Number Theory, 17, pp. 1–28, 1983.
CS93 J. H. Conway and N. J. A. Sloane, Sphere Packings, Lattices and Groups. Third edition, Springer-Verlag, 1998.
FP85 U. Fincke and M. Pohst, Improved methods for calculating vectors of short length in a lattice, including a complexity analysis. Math. of Comput., 44, pp. 463–471, 1985.
HHHW09 P. Hirschhorn, J. Hoffstein, N. Howgrave-Graham, W. Whyte, Choosing NTRUEncrypt parameters in light of combined lattice reduction and MITM approaches. In Proc. ACNS 2009, LNCS 5536, Springer-Verlag, pp. 437–455, 2009.
HPS98 J. Hoffstein, J. Pipher and J. Silverman, NTRU: A ring-based public key cryptosystem. In Proc. ANTS III, LNCS 1423, Springer-Verlag, pp. 267–288, 1998.
H07 N. Howgrave-Graham, A hybrid lattice-reduction and meet-in-the-middle attack against NTRU. In Proc. CRYPTO 2007, LNCS 4622, Springer-Verlag, pp. 150–169, 2007.
HS07 G. Hanrot and D. Stehlé, Improved analysis of Kannan's shortest lattice vector algorithm. In Proc. CRYPTO 2007, LNCS 4622, Springer-Verlag, pp. 170–186, 2007.
HS08 G. Hanrot and D. Stehlé, Worst-case Hermite-Korkine-Zolotarev reduced lattice bases. CoRR, abs/0801.3331, http://arxiv.org/abs/0801.3331.
Ka87 R. Kannan, Minkowski's convex body theorem and integer programming. Math. Oper. Res., 12, pp. 415–440, 1987.
KL78 G. A. Kabatiansky and V. I. Levenshtein, Bounds for packing on a sphere and in space. Problems of Information Transmission, 14, pp. 1–17, 1978.
LLL82 A. K. Lenstra, H. W. Lenstra Jr., and L. Lovász, Factoring polynomials with rational coefficients. Mathematische Annalen 261, pp. 515–534, 1982.
MO90 J. Mazo and A. Odlyzko, Lattice points in high-dimensional spheres. Monatsh. Math. 110, pp. 47–61, 1990.
MG02 D. Micciancio and S. Goldwasser, Complexity of Lattice Problems: A Cryptographic Perspective. Kluwer Academic Publishers, Boston, London, 2002.
S87 C. P. Schnorr, A hierarchy of polynomial time lattice basis reduction algorithms. Theoret. Comput. Sci., 53, pp. 201–224, 1987.
S93 C. P. Schnorr, Factoring integers and computing discrete logarithms via Diophantine approximation. In Advances in Computational Complexity, AMS, DIMACS Series in Discrete Mathematics and Theoretical Computer Science, 13, pp. 171–182, 1993. Preliminary version in Proc. EUROCRYPT'91, LNCS 547, Springer-Verlag, pp. 281–293, 1991. //www.mi.informatik.uni-frankfurt.de.
SE94 C. P. Schnorr and M. Euchner, Lattice basis reduction: Improved practical algorithms and solving subset sum problems. Mathematical Programming 66, pp. 181–199, 1994.
SH95 C. P. Schnorr and H. H. Hörner, Attacking the Chor–Rivest cryptosystem by improved lattice reduction. In Proc. EUROCRYPT'95, LNCS 921, Springer-Verlag, pp. 1–12, 1995.
S03 C. P. Schnorr, Lattice reduction by sampling and birthday methods. Proc. STACS 2003: 20th Annual Symposium on Theoretical Aspects of Computer Science, LNCS 2607, Springer-Verlag, pp. 146–156, 2003.
S06 C. P. Schnorr, Fast LLL-type lattice reduction. Information and Computation, 204, pp. 1–25, 2006.