Uploaded by Claus Peter Schnorr on Sep 24, 2014.

I: Lattices, QR-decomposition, LLL-bases

lattice basis $B = [b_1, \ldots, b_n] \in \mathbb{Z}^{m \times n}$

lattice $L(B) = \{Bx \mid x \in \mathbb{Z}^n\}$

norm $\|x\| = \langle x, x\rangle^{1/2} = (\sum_{i=1}^m x_i^2)^{1/2}$

SV-length $\lambda_1(L) = \min\{\|b\| \mid b \in L \setminus \{0\}\}$

Successive minima $\lambda_1, \ldots, \lambda_n$

QR-decomposition $B = QR \in \mathbb{R}^{m \times n}$ such that

• the GNF (geometric normal form) $R = [r_{i,j}] \in \mathbb{R}^{n \times n}$ is upper triangular, $r_{i,j} = 0$ for $j < i$ and $r_{i,i} > 0$,

• $Q \in \mathbb{R}^{m \times n}$ is isometric: $\langle Qx, Qy\rangle = \langle x, y\rangle$.

LLL-basis $B = QR$ for $\delta \in (\frac14, 1]$ (Lenstra, Lenstra, Lovász 82):

1. $|r_{i,j}| \le \frac12 r_{i,i}$ for all $j > i$ (size-reduced)

2. $\delta\, r_{i,i}^2 \le r_{i,i+1}^2 + r_{i+1,i+1}^2$ for $i = 1, \ldots, n-1$.
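As an added illustration (not code from the slides or from any implementation of the author), the following Python computes the geometric normal form $R$ of a basis by Gram-Schmidt, so that $B = QR$ with $r_{i,i} = \|b_i^*\|$, and then checks the two LLL conditions for a given $\delta$. The basis vectors and $\delta = 3/4$ used in the demonstration are constructed values; the function names are the example's own.

```python
"""Geometric normal form R = [r_{i,j}] of a lattice basis and the two LLL conditions.

Added example, not from the slides: B is given as a list of column vectors b_1..b_n
(0-indexed in the code, 1-indexed on the slides), R is computed by Gram-Schmidt so that
B = QR with r_{i,i} = ||b_i^*|| > 0, and is_lll_reduced checks size-reduction and the
Lovasz condition for a given delta. The sample bases below are constructed."""
import math


def gram_schmidt_qr(basis):
    """Return (Q, R): Q is a list of orthonormal columns q_i = b_i^*/||b_i^*||, R the
    n x n upper-triangular list of lists with r_{i,j} = <q_i, b_j> for j > i.
    Linearly dependent input (some r_{i,i} = 0) raises ValueError."""
    n, m = len(basis), len(basis[0])
    Q, R = [], [[0.0] * n for _ in range(n)]
    for j, b in enumerate(basis):
        star = [float(x) for x in b]             # b_j^* = b_j - sum_{i<j} r_{i,j} q_i
        for i in range(j):
            R[i][j] = sum(Q[i][k] * b[k] for k in range(m))
            star = [star[k] - R[i][j] * Q[i][k] for k in range(m)]
        norm = math.sqrt(sum(x * x for x in star))
        if norm < 1e-12:
            raise ValueError("basis columns are linearly dependent")
        R[j][j] = norm
        Q.append([x / norm for x in star])
    return Q, R


def multiply_qr(Q, R):
    """Columns of Q R, to confirm that the decomposition reproduces B."""
    n, m = len(R), len(Q[0])
    return [[sum(Q[i][k] * R[i][j] for i in range(n)) for k in range(m)] for j in range(n)]


def is_size_reduced(R, tol=1e-9):
    """Condition 1: |r_{i,j}| <= r_{i,i}/2 for all j > i."""
    n = len(R)
    return all(abs(R[i][j]) <= 0.5 * R[i][i] + tol
               for i in range(n) for j in range(i + 1, n))


def satisfies_lovasz(R, delta=0.75, tol=1e-9):
    """Condition 2: delta r_{i,i}^2 <= r_{i,i+1}^2 + r_{i+1,i+1}^2 for i = 1..n-1."""
    n = len(R)
    return all(delta * R[i][i] ** 2 <= R[i][i + 1] ** 2 + R[i + 1][i + 1] ** 2 + tol
               for i in range(n - 1))


def is_lll_reduced(basis, delta=0.75):
    """True iff the basis is an LLL-basis for delta in (1/4, 1]."""
    if not 0.25 < delta <= 1:
        raise ValueError("delta must lie in (1/4, 1]")
    _, R = gram_schmidt_qr(basis)
    return is_size_reduced(R) and satisfies_lovasz(R, delta)


def lattice_determinant(R):
    """det L = prod_i r_{i,i}, the product of the R-diagonal."""
    return math.prod(R[i][i] for i in range(len(R)))


if __name__ == "__main__":
    samples = {                                   # constructed sample bases
        "orthonormal": [[1, 0], [0, 1]],
        "not size-reduced (r_12 = r_11)": [[1, 0], [1, 1]],
        "Lovasz fails (b_1 too long)": [[2, 0], [0, 1]],
        "m = 3, n = 2": [[1, 1, 0], [0, 1, 1]],
    }
    for name, basis in samples.items():
        _, R = gram_schmidt_qr(basis)
        print(f"{name}: LLL={is_lll_reduced(basis)}, det L={lattice_determinant(R):.4f}")
```

The second sample fails only size-reduction ($r_{1,2} = r_{1,1}$), the third only the Lovász condition ($\delta \cdot 4 \le 0 + 1$ is false), and the last one, a rank-2 lattice in $\mathbb{Z}^3$, satisfies both with $\det L = \sqrt 3$.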

Average time fast SVP algorithm

Def. The relative density of $L$: $\mathrm{rd}(L) := \lambda_1 \gamma_n^{-1/2} (\det L)^{-1/n}$.

$\mathrm{rd}(L) = \lambda_1(L)/\max \lambda_1(L')$ holds for the maximum of $\lambda_1(L')$ over all lattices $L'$ such that $\dim L = \dim L'$ and $\det L = \det L'$.

The HERMITE constant $\gamma_n = \max\{\lambda_1^2/\det(L)^{2/n} \mid \dim L = n\}$.

We always have $\|b_1\|^2 = \mathrm{rd}(L)^2 \gamma_n (\det L)^{2/n}$.

Theorem 4.1 (GSA). Given a lattice basis such that $\|b_1\| \le \sqrt{2e\pi}\, n^{b} \lambda_1$, $b \ge 0$, NEW ENUM solves SVP in time $n^{O(1)} + (O(n^{2b-\varepsilon}))^{\frac{n+1}{4}}$ if $\mathrm{rd}(L) = n^{-\frac12 - \varepsilon}$, $\varepsilon > 0$.

This time bound is polynomial if $2b < \varepsilon$.

GSA: Let $B = QR = Q[r_{i,j}]$ satisfy (for $r_{i,i} = \|b_i^*\|$): $r_{i,i}^2/r_{i-1,i-1}^2 = q$ for $i = 2, \ldots, n$ and some $q > 0$. W.l.o.g. let $q < 1$, otherwise $\|b_1\| = \lambda_1$.

We outline the proof of Thm 4.1 in part III.

Average time fast CVP algorithm

Corollary 6.1 (GSA). Given $b_1 \in L$, $0 \ne \|b_1\| = O(\lambda_1)$, NEW ENUM finds $b \in L$ such that $\|b - t\| = \|L - t\|$ in time $n^{O(1)} + O(\sqrt{n}\, \mathrm{rd}(L)\, \|L - t\|^2 \lambda_1^{-2})^{\frac{n+1}{4}}$.

This time bound is polynomial if $\|L - t\| = O(\lambda_1)$ and $\mathrm{rd}(L) \le n^{-\frac12 - \varepsilon}$ for $\varepsilon > 0$.

The required short vector $b_1$ can in practice be added to the basis, extending the lattice by a short vector preserving $\mathrm{rd}(L)$. An example will be given in part II for factoring integers using the prime number lattice.

II: Factoring integers via easy CVP solutions

Let $N$ be a positive integer that is not a prime power. Let $p_1 < \cdots < p_n$ enumerate all primes less than $(\ln N)^\alpha$. Then $n = \frac{(\ln N)^\alpha}{\alpha \ln\ln N}\,(1 + O(1)/\alpha\ln\ln N)$.

Let the prime factors $p$ of $N$ satisfy $p > p_n$.

We show how to factor $N$ by solving easy CVP's for the prime number lattice $L(B)$, basis matrix $B = [b_1, \ldots, b_n] \in \mathbb{R}^{(n+1)\times n}$:

$$B = \begin{pmatrix} \sqrt{\ln p_1} & 0 & 0 \\ 0 & \ddots & 0 \\ 0 & 0 & \sqrt{\ln p_n} \\ N^c \ln p_1 & \cdots & N^c \ln p_n \end{pmatrix}, \qquad \mathbf{N} = \begin{pmatrix} 0 \\ \vdots \\ 0 \\ N^c \ln N' \end{pmatrix},$$

and the target vector $\mathbf{N} \in \mathbb{R}^{n+1}$, where either $N' = N$ or $N' = N p_{n+j}$ for one of the next $n$ primes $p_{n+j} > p_n$, $j \le n$. W.l.o.g. let $N' = N$ for the analysis.

Outline of the factoring method

We identify the vector $b = \sum_{i=1}^n e_i b_i \in L(B)$ with the pair $(u, v)$ of integers $u = \prod_{e_j > 0} p_j^{e_j}$, $v = \prod_{e_j < 0} p_j^{-e_j} \in \mathbb{N}$. Then $u, v$ are free of primes larger than $p_n$ and $\gcd(u, v) = 1$.

We compute vectors $b = \sum_{i=1}^n e_i b_i \in L(B)$ close to $\mathbf{N}$ such that $|u - vN'| < u$. The prime factorizations $|u - vN'| = \prod_{i=1}^n p_i^{e'_i}$ and of $u$ yield a non-trivial relation

$$\prod_{e_i > 0} p_i^{e_i} = \pm \prod_{i=1}^n p_i^{e'_i} \bmod N. \qquad (7.1)$$

Given $n+1$ independent relations (7.1) we write these relations with $p_0 = -1$ and $e_{i,j}, e'_{i,j} \in \mathbb{N}$ as $\prod_{i=0}^n p_i^{e_{i,j} - e'_{i,j}} = 1 \bmod N$ for $j = 1, \ldots, n+1$. Any non-trivial solution $z_1, \ldots, z_{n+1} \in \mathbb{Z}$ of the equations $\sum_{j=1}^{n+1} z_j (e_{i,j} - e'_{i,j}) = 0 \bmod 2$ for $i = 0, \ldots, n$ solves $X^2 = Y^2 \bmod N$ with

$$X = \prod_{j=1}^{n+1} p_j^{\sum_{i=0}^n z_i e_{i,j}} \bmod N, \qquad Y = \prod_{j=1}^{n+1} p_j^{\sum_{i=0}^n z_i e'_{i,j}} \bmod N.$$
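The relation-collecting and combining step outlined above, as an added Python example that is not part of the slides. The CVP search is replaced by a brute-force scan over $u$ with $v = \lceil u/N \rfloor$ (a constructed stand-in for the lattice step; for $u \ge N/2$ it keeps $|u - vN| \le N/2 \le u$), and the combination is carried out in the exponent-halving form: a $0/1$ vector $z$ with $\sum_j z_j (e_{i,j} - e'_{i,j})$ even for every $i$ gives $X = \prod_{i=0}^n p_i^{\sum_j z_j (e_{i,j} - e'_{i,j})/2} \bmod N$ with $X^2 = 1 \bmod N$, and $\gcd(X - 1, N)$ is the candidate factor. The toy modulus $N = 143$ and the factor base $\{2, 3, 5, 7\}$ are constructed values; the function names are the example's own.

```python
"""Relations (7.1) from smooth pairs (u, v) and the X^2 = 1 mod N combination step.

Added example, not from the slides. relation(u, v, N, primes) returns the vector
e - e' over p_0 = -1, p_1, ..., p_n for u = +/-|u - vN| mod N; dependencies() finds
0/1 combinations of such vectors that vanish mod 2; square_root_of_one() turns one
combination into X with X^2 = 1 mod N. The scan over u with v = round(u/N) stands in
for the CVP step of the slides (a constructed simplification, not the lattice method)."""
from math import gcd


def smooth_exponents(x, primes):
    """Exponent vector of x over the factor base, or None if a larger prime divides x."""
    exps = []
    for p in primes:
        k = 0
        while x % p == 0:
            x //= p
            k += 1
        exps.append(k)
    return exps if x == 1 else None


def relation(u, v, N, primes):
    """e - e' for u = +/-|u - vN| mod N, index 0 being the exponent of p_0 = -1 (or None)."""
    w = u - v * N
    eu, ew = smooth_exponents(u, primes), smooth_exponents(abs(w), primes)
    if w == 0 or eu is None or ew is None:
        return None
    sign = -1 if w < 0 else 0          # u = -|w| mod N contributes (-1)^{-1}
    return [sign] + [a - b for a, b in zip(eu, ew)]


def dependencies(rows):
    """Non-trivial 0/1 combinations of rows that vanish mod 2 (the z of the slides),
    as bitmasks over row indices, found with an XOR basis that records its history."""
    basis, deps = {}, []                # pivot bit -> (reduced row as int, history mask)
    for k, row in enumerate(rows):
        vec = sum(1 << i for i, x in enumerate(row) if x % 2)
        hist = 1 << k
        for pivot in sorted(basis, reverse=True):
            if vec >> pivot & 1:
                bvec, bhist = basis[pivot]
                vec ^= bvec
                hist ^= bhist
        if vec == 0:
            deps.append(hist)
        else:
            basis[vec.bit_length() - 1] = (vec, hist)
    return deps


def square_root_of_one(rows, mask, N, primes):
    """X = prod_i p_i^{h_i} mod N with h = (sum of the selected rows)/2; negative h_i
    use modular inverses, so X^2 = prod_i p_i^{sum of rows} = 1 mod N."""
    total = [0] * (len(primes) + 1)
    for k, row in enumerate(rows):
        if mask >> k & 1:
            total = [a + b for a, b in zip(total, row)]
    assert all(t % 2 == 0 for t in total)
    X = 1
    for base, t in zip([N - 1] + list(primes), total):   # N - 1 represents p_0 = -1
        X = X * pow(base, t // 2, N) % N
    return X


def factor_via_relations(N, primes, max_u=None):
    """Scan u upward, collect relations, and return the first non-trivial factor found."""
    rows, seen = [], set()
    for u in range(2, max_u or 50 * N):
        v = round(u / N)
        if v < 1:
            continue
        row = relation(u, v, N, primes)
        if row is None or tuple(row) in seen:   # exact duplicates only ever give X = 1
            continue
        seen.add(tuple(row))
        rows.append(row)
        for mask in dependencies(rows):
            X = square_root_of_one(rows, mask, N, primes)
            assert X * X % N == 1
            d = gcd(X - 1, N)
            if 1 < d < N:
                return d
    return None


if __name__ == "__main__":
    N, PRIMES = 143, [2, 3, 5, 7]       # constructed: 143 = 11 * 13, both above p_n = 7
    print("relation for u = 98, v = 1:", relation(98, 1, N, PRIMES))
    print("factor of", N, "=", factor_via_relations(N, PRIMES))
```

For $N = 143$ the scan yields the relations $2^4 \cdot 5 = -3^2 \cdot 7$, $2 \cdot 7^2 = -3^2 \cdot 5$, $2^2 \cdot 3^3 = -5 \cdot 7$ and $5^3 = -2 \cdot 3^2 \pmod{143}$; the second and fourth agree mod 2, their halved sum gives $X = (-1)^{-1} 3^{-2} \cdot 5 \cdot 7 = 12 \bmod 143$, $X^2 = 144 = 1$, and $\gcd(11, 143) = 11$.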

Computing relations (7.1) from smooth $(u,v)$

Lemma. If $|u - vN'| = o(N^c)$, $v = \Theta(N^{c-1})$, $e_1, \ldots, e_n \in \{0, \pm 1\}$ then $\|b - \mathbf{N}\|^2 = (2c-1)\ln N + \ln(p_{n+j}) + \Theta(|u - vN'|^2 (N/N')^2)$.

Proof. We see from $e_1, \ldots, e_n \in \{0, \pm 1\}$ that

$$\|b - \mathbf{N}\|^2 = \ln u + \ln v + N^{2c} \left|\ln \frac{u}{vN'}\right|^2.$$

Clearly, $v = \Theta(N^{c-1})$, $|u - vN'| = o(N^c)$ implies $\ln u + \ln v = (2c-1)\ln N + \ln(N'/N) + \Theta(1)$. Moreover

$$\left|\ln \frac{u}{vN'}\right| = \left|\ln\left(1 + \frac{u - vN'}{vN'}\right)\right| = \frac{|u - vN'|}{vN'}(1 + o(1)) = \Theta\left(\frac{|u - vN'|}{N^{c-1}N'}\right).$$

Combining these equations proves the claim.

Theorem 7.2 $\|b - \mathbf{N}\|^2 \le (2c-1)\ln N + 2\delta \ln p_n$ implies $|u - vN'| \le p_n^{\frac1\alpha + \delta + o(1)}$.

The existence of $b \in L(B)$ such that $|u - vN| = 1$

An integer $z$ is called $y$-smooth if all prime factors $p$ of $z$ satisfy $p \le y$. Let $N'$ be either $N$ or $N p_{n+j}$ for one of the next $n$ primes $p_{n+j} > p_n$. We denote

$$M_{\alpha,c,N} = \{(u, v) \in \mathbb{N}^2 \mid u \le N^c,\ |u - vN'| = 1,\ N^{c-1}/2 < v < N^{c-1},\ u, v \text{ are squarefree and } (\ln N)^\alpha\text{-smooth}\}.$$

Theorem 7.4 [S93] If the equation $|u - \lceil u/N \rfloor N| = 1$ is for random $u$ of order $N^c$ nearly statistically independent from the event that $u, \lceil u/N \rfloor$ are squarefree and $(\ln N)^\alpha$-smooth then $\#M_{\alpha,c,N} = N^{\varepsilon + o(1)}$ holds if $\alpha > \frac{2c-1}{c-1}$, $c > 1$.

We will use this theorem for $c = \ln N$ and $\alpha > 4$.

Vectors $b \in L$ closest to $\mathbf{N}$ yield relations (7.1)

Theorem 7.5 The vector $b = \sum_{i=1}^n e_i b_i \in L(B)$ closest to $\mathbf{N}$ provides a non-trivial relation (7.1) provided that $M_{\alpha,c,N} \ne \emptyset$.

Theorem 7.6 If $M_{\alpha,c,N} \ne \emptyset$ for $c = \ln N$ and $\alpha > 4$ then we can minimize $\|L(B) - \mathbf{N}\|$ in polynomial time under GSA given $b \in L(B)$ such that $0 \ne \|b\| = O(\lambda_1)$.

It follows from $M_{\alpha,c,N} \ne \emptyset$ for $N' \in \{N, Np_{n+j}\}$ that $\|L - \mathbf{N}\|^2 \le (2c-1)\ln N' + 1 = (2c - 1 + o(1))\ln N$.

Lemma 5.3 of [MG02] proves that $\lambda_1^2 \ge 2c\ln N - \Theta(1)$.

Claim $\lambda_1^2 = 2c\ln N + O(1)$.

$$\mathrm{rd}(L) = \frac{\lambda_1}{\sqrt{\gamma_n}\,(\det L)^{\frac1n}} \le \left(\frac{2e\pi \cdot 2c\ln N}{(\ln N)^\alpha}\right)^{\frac12} = O(c\ln N)^{(1-\alpha)/2} = O((\ln N)^{1-\alpha}).$$

Moreover, we have for $c = \ln N$, $\alpha > 4$ and $\varepsilon = \frac12 - 1/\alpha > 0$ that

$$n^{-\frac12 - \varepsilon} = n^{-1 + 1/\alpha} \approx (\alpha\ln\ln N)^{1 - 1/\alpha}(\ln N)^{1-\alpha} > \mathrm{rd}(L).$$

Providing a nearly shortest vector of $L(B)$

We extend the prime number basis $B$ and $L(B)$ by a nearly shortest lattice vector of the extended lattice, preserving $\mathrm{rd}(L)$, $\det(L)$ and the structure of the lattice.

We extend the prime base by a prime $\bar p_{n+1}$ of order $\Theta(N^c)$ such that $|u - \bar p_{n+1}| = O(1)$ holds for a squarefree $(\ln N)^\alpha$-smooth $u$. Then $\|\sum_i e_i b_i - b_{n+1}\|^2 = 2c\ln N + O(1)$ holds for $u = \prod_i p_i^{e_i}$, the additional basis vector $b_{n+1}$ corresponding to $\bar p_{n+1}$. $\sum_i e_i b_i - b_{n+1}$ is a nearly shortest vector of $L(b_1, \ldots, b_{n+1})$.

Efficient construction of $\bar p_{n+1}$. Generate $u$ at random and test the nearby $\bar p$ for primality. If the density of primes near the $u$ is not exceptionally small, $\bar p_{n+1}$ and $b_{n+1}$ can be found in probabilistic polynomial time. A single $\bar p_{n+1}$ can be used to solve all CVP's for the factorization of all integers of order $\Theta(N)$.

III: A novel enumeration of short lattice vectors

Let $\pi_t : \mathrm{span}(b_1, \ldots, b_n) \to \mathrm{span}(b_1, \ldots, b_{t-1})^\perp$ for $t = 1, \ldots, n$ denote the orthogonal projections and let $L_t = L(b_1, \ldots, b_{t-1})$.

Stage $(u_t, \ldots, u_n)$ of ENUM. $b := \sum_{i=t}^n u_i b_i \in L$ and $u_t, \ldots, u_n \in \mathbb{Z}$ are given. The stage searches exhaustively for all $\sum_{i=1}^{t-1} u_i b_i \in L$ such that $\|\sum_{i=1}^n u_i b_i\|^2 \le A$ holds for a given upper bound $A \ge \lambda_1^2$. We have

$$\Big\|\sum_{i=1}^n u_i b_i\Big\|^2 = \Big\|\zeta_t + \sum_{i=1}^{t-1} u_i b_i\Big\|^2 + \|\pi_t(b)\|^2,$$

where $\zeta_t := b - \pi_t(b) = Q v_t \in \mathrm{span}\, L_t$ is the orthogonal projection in $\mathrm{span}\, L_t$ of the given $b = \sum_{i=t}^n u_i b_i$ and $v_t = (v_1, \ldots, v_{t-1}, 0^{n-t+1})^t$ for $v_i = \sum_{j=t}^n r_{i,j} u_j$. Stage $(u_t, \ldots, u_n)$ exhaustively enumerates $B_{t-1}(\zeta_t, \rho_t) \cap L_t$, the intersection of the lattice $L_t$ and the sphere $B_{t-1}(\zeta_t, \rho_t) \subset \mathrm{span}\, L_t$ of dimension $t-1$ with radius $\rho_t := (A - \|\pi_t(b)\|^2)^{1/2}$ and center $\zeta_t$.

The success rate $\beta_t$ of stages

The GAUSSIAN volume heuristics estimates $|B_{t-1}(\zeta_t, \rho_t) \cap L_t|$ for $t > 1$ to

$$\beta_t =_{\mathrm{def}} \mathrm{vol}\, B_{t-1}(\zeta_t, \rho_t)/\det L_t.$$

Here $\mathrm{vol}\, B_{t-1}(\zeta_t, \rho_t) = V_{t-1}\rho_t^{t-1}$, $V_{t-1} = \pi^{\frac{t-1}{2}}/(\frac{t-1}{2})!$ is the volume of the unit sphere of dimension $t-1$, $\det L_t = \prod_{i=1}^{t-1} r_{i,i}$, $\rho_t^2 := A - \|\pi_t(\sum_{i=t}^n u_i b_i)\|^2$.

We call $\beta_t$ the success rate of stage $(u_t, \ldots, u_n)$.

If $\zeta_t \bmod L_t$ is uniformly distributed over $\{\sum_{i=1}^{t-1} r_i b_i \mid 0 \le r_1, \ldots, r_{t-1} < 1\}$ then $E_{\zeta_t}[|B_{t-1}(\zeta_t, \rho_t) \cap L_t|] = \beta_t$, where $E_{\zeta_t}$ refers to a random $\zeta_t \bmod L_t$. This holds because $1/\det L_t$ is the number of lattice points of $L_t$ per volume in $\mathrm{span}\, L_t$. The formal analysis of NEW ENUM by Theorem 4.1 uses a proven version of the volume heuristics without assuming that $\zeta_t \bmod L_t$ is random.
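The success rate of a stage and the level-$s$ pruning test of NEW ENUM (step 2 of the outline on the next slide), as an added Python example that is not code from the slides. It takes the GNF $R$ directly as an upper-triangular array, computes $\|\pi_t(\sum_{i=t}^n u_i b_i)\|^2$ in QR coordinates, $\rho_t$, $\det L_t$ and $\beta_t$, and splits a set of candidate stages into those performed on level $s$ and the delayed list. The $3\times 3$ matrix $R$ and the bound $A$ in the demonstration are constructed values; $V_{t-1}$ is evaluated with the Gamma function, which equals $((t-1)/2)!$ for the half-integers that occur.

```python
"""Success rate beta_t of an ENUM stage (u_t, ..., u_n) and the level-s pruning test of NEW ENUM.

Added example, not from the slides: R is a constructed upper-triangular GNF given directly
(r_{i,i} > 0), stages are 1-indexed as on the slides, and the unit-ball volume uses
V_{t-1} = pi^{(t-1)/2} / Gamma((t-1)/2 + 1), i.e. ((t-1)/2)! written via the Gamma function."""
import math


def projected_norm_sq(R, t, u_tail):
    """||pi_t(sum_{i=t}^n u_i b_i)||^2 = sum_{i=t}^n (sum_{j=i}^n r_{i,j} u_j)^2 in QR coordinates."""
    n = len(R)
    assert len(u_tail) == n - t + 1, "u_tail must hold u_t, ..., u_n"
    total = 0.0
    for i in range(t - 1, n):                      # 0-indexed row i stands for r_{i+1,*}
        s = sum(R[i][j] * u_tail[j - (t - 1)] for j in range(i, n))
        total += s * s
    return total


def unit_ball_volume(d):
    """V_d = pi^{d/2} / (d/2)!, the volume of the d-dimensional unit ball."""
    return math.pi ** (d / 2) / math.gamma(d / 2 + 1)


def success_rate(R, t, u_tail, A):
    """beta_t = vol B_{t-1}(zeta_t, rho_t) / det L_t with rho_t^2 = A - ||pi_t(b)||^2 and
    det L_t = prod_{i<t} r_{i,i}. A stage whose projection already exceeds A has rate 0."""
    rho_sq = A - projected_norm_sq(R, t, u_tail)
    if rho_sq <= 0:
        return 0.0
    det_Lt = math.prod(R[i][i] for i in range(t - 1))
    return unit_ball_volume(t - 1) * rho_sq ** ((t - 1) / 2) / det_Lt


def keep_on_level(beta, s):
    """NEW ENUM step 2: perform the stage on level s iff beta_t >= 2^-s, otherwise delay it."""
    return beta >= 2.0 ** (-s)


def schedule(R, t, candidates, A, s):
    """Split candidate stages (u_t..u_n) into those performed on level s and the delayed
    list L_s, the latter in decreasing order of beta_t as step 3 processes them."""
    perform, delayed = [], []
    for u_tail in candidates:
        beta = success_rate(R, t, u_tail, A)
        (perform if keep_on_level(beta, s) else delayed).append((beta, tuple(u_tail)))
    delayed.sort(reverse=True)
    return perform, delayed


if __name__ == "__main__":
    # constructed GNF of a 3-dimensional lattice (values chosen for the demonstration only)
    R = [[2.0, 1.0, 0.5],
         [0.0, 1.5, 0.3],
         [0.0, 0.0, 1.0]]
    A = 4.0
    for t, cands in ((3, [[u3] for u3 in (-2, -1, 0, 1, 2)]),
                     (2, [[u2, 1] for u2 in (-2, -1, 0, 1)])):
        perform, delayed = schedule(R, t, cands, A, s=1)
        print(f"t={t}: perform {perform}")
        print(f"     delayed {delayed}")
```

For the constructed $R$ and $A = 4$ the stages $(\pm 1)$ at $t = 3$ have $\rho_3^2 = 3$ and $\beta_3 = \pi \cdot 3/(2 \cdot 1.5) = \pi$, while $(\pm 2)$ has $\|\pi_3(b)\|^2 = 4 = A$ and is dead; at $t = 2$ the stage $(1, 0)$ has $\beta_2 = 2\sqrt{1.75}/2 = \sqrt{1.75}$.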

Outline of New Enum for SVP

INPUT LLL-basis $B = QR \in \mathbb{Z}^{m\times n}$, $R \in \mathbb{R}^{n\times n}$, $A := \frac n4 (\det B^t B)^{2/n}$,

OUTPUT a sequence of $b \in L(B)$ of decreasing length $\|b\|^2 \le A$ terminating with $\|b\| = \lambda_1$.

1. $s := 1$, $L_s := \emptyset$ (we call $s$ the level)

2. Perform algorithm ENUM [SE94] pruned to stages with $\beta_t \ge 2^{-s}$: Upon entry of stage $(u_t, \ldots, u_n)$ compute $\beta_t$. If $\beta_t < 2^{-s}$ delay this stage and store $(\beta_t, u_t, \ldots, u_n)$ in the list $L_s$ of delayed stages. If $\beta_t \ge 2^{-s}$ perform stage $(u_t, \ldots, u_n)$ on level $s$, and as soon as some non-zero $b \in L$ of length $\|b\|^2 \le A$ has been found give out $b$ and set $A := \|b\|^2 - 1$.

3. $L_{s+1} := \emptyset$, perform the stages $(u_t, \ldots, u_n)$ of $L_s$ with $\beta_t \ge 2^{-s-1}$ in increasing order of $t$ and for fixed $t$ in order of decreasing $\beta_t$. Collect the appearing substages $(u_{t'}, \ldots, u_t, \ldots, u_n)$ with $\beta_{t'} < 2^{-s-1}$ in $L_{s+1}$.

4. IF $L_{s+1} \ne \emptyset$ THEN [$s := s+1$, GO TO 3] ELSE terminate by exhaustion.

Proof of Theorem 4.1

Thm 4.1 NEW ENUM solves SVP in time $n^{O(1)} + (O(n^{2b-\varepsilon}))^{\frac{n+1}{4}}$ if $\mathrm{rd}(L) = n^{-\frac12 - \varepsilon}$, $\varepsilon > 0$ and if $\|b_1\| \le \sqrt{2e\pi}\, n^b \lambda_1$.

NEW ENUM essentially performs stages in decreasing order of the success rate $\beta_t$. Let $b' = \sum_{i=1}^n u'_i b_i \in L$ denote the unique vector of length $\lambda_1$ that is found by NEW ENUM. Let $\beta'_t$ be the success rate of stage $(u'_t, \ldots, u'_n)$. NEW ENUM performs stage $(u'_t, \ldots, u'_n)$ prior to all stages $(u_t, \ldots, u_n)$ of success rate $\beta_t \le \frac12 \beta'_t$.

Simplifying assumption. We assume that NEW ENUM performs stage $(u'_t, \ldots, u'_n)$ prior to all stages of success rate $\beta_t < \beta'_t$ (i.e., $\rho_t < \rho'_t$). By definition $\rho_t^2 = A - \|\pi_t(b)\|^2$ and $(\rho'_t)^2 = A - \|\pi_t(b')\|^2$.

Without using the simplifying assumption, the proven time bound of Theorem 4.1 increases at most by the factor 2.

A proven version of the volume heuristics

Consider the number $M_t$ of stages $(u_t, \ldots, u_n)$ with $\|\pi_t(\sum_{i=t}^n u_i b_i)\| \le \lambda_1$: $M_t := \#B_{n-t+1}(0, \lambda_1) \cap \pi_t(L)$. Modulo the heuristic simplifications $M_t$ covers the stages that precede $(u'_t, \ldots, u'_n)$ and those that finally prove $\|b'\| = \lambda_1$.

Lemma 4.2 $M_t \le e^{\frac{n-t+1}{2}} \prod_{i=t}^n \left(1 + \frac{\sqrt{8\pi}\,\lambda_1}{\sqrt{n-t+1}\; r_{i,i}}\right)$.

Proof. We use the method of Lemma 1 of [MO90] and follow the adjusted proof of (2) in section 4.1 of [HS07]. We abbreviate $n_t = n - t + 1$. Consider the ellipsoid $E_t = \{(x_t, \ldots, x_n)^t \in \mathbb{R}^{n_t} \mid \|\pi_t(\sum_{i=t}^n x_i b_i)\|^2 \le \lambda_1^2\}$, where

$$\Big\|\pi_t\Big(\sum_{i=t}^n x_i b_i\Big)\Big\|^2 = \sum_{i=t}^n \Big(\sum_{j=i}^n r_{i,j} x_j\Big)^2 = \sum_{i=t}^n \Big(\sum_{j=i}^n \mu_{j,i} x_j\Big)^2 \|b_i^*\|^2.$$

By definition $M_t \le \#(E_t \cap \mathbb{Z}^{n_t})$. We set $P_i x := \sum_{j > i} \frac{r_{i,j}}{r_{i,i}} x_j$ and $x'_i := x_i + \lceil P_i x \rfloor$, $\{P_i x\} := P_i x - \lceil P_i x \rfloor$,

$$F_t := \Big\{(x'_t, \ldots, x'_n)^t \in \mathbb{R}^{n_t} \;\Big|\; \sum_{i=t}^n (x'_i + \{P_i x\})^2 r_{i,i}^2 \le \lambda_1^2\Big\}.$$

Claim $\#(E_t \cap \mathbb{Z}^{n_t}) \le \#(F_t \cap \mathbb{Z}^{n_t})$

Proof. The transformation $(x_t, \ldots, x_n) \mapsto (x'_t, \ldots, x'_n)$ is injective. [If $i \ge t$ is the least index such that $(y_i, \ldots, y_n)$ and $(z_i, \ldots, z_n)$ differ then $y'_i \ne z'_i$. Moreover $(x'_i + \{P_i x\})\, r_{i,i} = \sum_{j=i}^n r_{i,j} x_j$.]

We simplify $E_t$ to $E'_t = \{x' \in \mathbb{R}^{n_t} \mid \sum_{i=t}^n x'^2_i r_{i,i}^2 \le 4\lambda_1^2\}$. Since $|\{P_i x\}| \le \frac12$, $x_i \in \mathbb{Z}$ and $|x_i + \varepsilon|^2 \ge x_i^2/4$ for $|\varepsilon| \le \frac12$ we see that $F_t \cap \mathbb{Z}^{n_t} \subset E'_t \cap \mathbb{Z}^{n_t}$. Hence $M_t \le \#(E'_t \cap \mathbb{Z}^{n_t})$.

We bound $\#(E'_t \cap \mathbb{Z}^{n_t})$ using the method of [MO90, Lemma 1]. Denoting $N_r := \#\{(k_t, \ldots, k_n)^t \in \mathbb{Z}^{n_t} \mid \sum_{i=t}^n r_{i,i}^2 k_i^2 = r\}$ we have for every $s > 0$

$$\#(E'_t \cap \mathbb{Z}^{n_t}) = \sum_{0 \le r \le 4\lambda_1^2} N_r \le \sum_{0 \le r \le 4\lambda_1^2} N_r\, e^{s(4\lambda_1^2 - r)n_t} \le e^{s\,4\lambda_1^2 n_t} \sum_{r \ge 0} N_r\, e^{-s r n_t}$$

$$\le e^{s\,4\lambda_1^2 n_t} \prod_{i=t}^n \sum_{k_i \in \mathbb{Z}} e^{-s r_{i,i}^2 k_i^2 n_t} \le e^{s\,4\lambda_1^2 n_t} \prod_{i=t}^n \left(1 + \frac{\sqrt\pi}{\sqrt{s n_t}\; r_{i,i}}\right)$$

since $\sum_{k \in \mathbb{Z}} e^{-Tk^2} = 1 + 2\sum_{k=1}^\infty e^{-Tk^2} \le 1 + 2\int_0^\infty e^{-Tx^2}\,dx = 1 + \sqrt{\pi/T}$. We get for $s := 1/(8\lambda_1^2)$:

$$\#(E'_t \cap \mathbb{Z}^{n_t}) \le e^{n_t/2} \prod_{i=t}^n \left(1 + \frac{\sqrt{8\pi}\,\lambda_1}{\sqrt{n_t}\; r_{i,i}}\right).$$
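Lemma 4.2 checked numerically, as an added Python example that is not code from the slides: the integer points of the ellipsoid $E_t$ are counted by the same back-to-front recursion ENUM itself uses (once $x_{i+1}, \ldots, x_n$ are fixed, $x_i$ ranges over an interval), and the count is compared with $e^{n_t/2}\prod_{i=t}^n (1 + \sqrt{8\pi}\,\lambda/(\sqrt{n_t}\, r_{i,i}))$. The radius is a parameter $\lambda$ since the proof above uses nothing about $\lambda_1$ beyond its role as the radius. The $3\times 3$ matrix $R$ and the radii in the demonstration are constructed values; the function names are the example's own.

```python
"""Lemma 4.2 checked numerically: #(E_t ∩ Z^{n_t}) against e^{n_t/2} prod (1 + sqrt(8 pi) lambda / (sqrt(n_t) r_{i,i})).

Added example, not from the slides. R is a constructed upper-triangular GNF (r_{i,i} > 0), t is
1-indexed as on the slides, and count_ellipsoid_points enumerates (x_t, ..., x_n) in Z^{n_t}
with ||pi_t(sum_{i=t}^n x_i b_i)||^2 = sum_{i=t}^n (sum_{j=i}^n r_{i,j} x_j)^2 <= lambda^2."""
import math


def count_ellipsoid_points(R, t, lam_sq):
    """Number of integer vectors (x_t, ..., x_n) inside the ellipsoid E_t of squared radius lam_sq."""
    n = len(R)
    x = [0] * n                     # x[j] is fixed for j > i while coordinate i is chosen

    def rec(i, remaining):
        # remaining = lam_sq - sum_{k>i} (sum_{j>=k} r_{k,j} x_j)^2, the budget left for rows <= i
        if i < t - 1:
            return 1
        c = sum(R[i][j] * x[j] for j in range(i + 1, n))
        half = math.sqrt(remaining)
        lo = math.ceil((-half - c) / R[i][i])       # r_{i,i} x_i + c must lie in [-half, half]
        hi = math.floor((half - c) / R[i][i])
        total = 0
        for xi in range(lo, hi + 1):
            x[i] = xi
            s = R[i][i] * xi + c
            total += rec(i - 1, max(remaining - s * s, 0.0))
        x[i] = 0
        return total

    return rec(n - 1, float(lam_sq))


def lemma_4_2_bound(R, t, lam):
    """e^{n_t/2} prod_{i=t}^n (1 + sqrt(8 pi) lambda / (sqrt(n_t) r_{i,i})) with n_t = n - t + 1."""
    n = len(R)
    n_t = n - t + 1
    return math.exp(n_t / 2) * math.prod(
        1 + math.sqrt(8 * math.pi) * lam / (math.sqrt(n_t) * R[i][i]) for i in range(t - 1, n))


def check_lemma_4_2(R, t, lam):
    """(count, bound) for radius lam; the count is odd (the ellipsoid is symmetric and contains 0)
    and the lemma asserts count <= bound."""
    count = count_ellipsoid_points(R, t, lam * lam)
    return count, lemma_4_2_bound(R, t, lam)


if __name__ == "__main__":
    # constructed GNF of a 3-dimensional lattice (values chosen for the demonstration only)
    R = [[2.0, 1.0, 0.5],
         [0.0, 1.5, 0.3],
         [0.0, 0.0, 1.0]]
    for lam in (1.0, 2.0, 3.0):
        for t in (1, 2, 3):
            count, bound = check_lemma_4_2(R, t, lam)
            print(f"lambda={lam} t={t}: #(E_t ∩ Z^{3 - t + 1}) = {count:3d} <= {bound:9.2f}")
```

For $R = I_2$, $t = 1$ and $\lambda = 1$ the ellipsoid is the unit disc with its $5$ integer points, while the bound is $e\,(1 + \sqrt{4\pi})^2 \approx 56$; the slack is what the proof pays for replacing $E_t$ by $E'_t$ and for the Gaussian-sum estimate, and it grows quickly with $n_t$.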

Proof of Theorem 4.1 continued

Now $r_{i,i}^2 = \|b_1\|^2 q^{i-1}$ and $\lambda_1^2/(\gamma_n \mathrm{rd}(L)^2) = (\det L)^{\frac2n} = \|b_1\|^2 q^{\frac{n-1}{2}}$ hold by GSA, and thus $\gamma_n \ge \frac{n}{2e\pi}$ directly implies for $i = t, \ldots, n$

$$\sqrt{n-t+1}\; r_{i,i} \le \sqrt{2e\pi}\,\mathrm{rd}(L)^{-1}\lambda_1 q^{(2i-n-1)/4}.$$

By Lemma 4.2

$$M_t \le \prod_{i=t}^n \frac{e\sqrt\pi\,\mathrm{rd}(L)^{-1}\lambda_1 q^{(2i-n-1)/4} + \sqrt{8e\pi}\,\lambda_1}{\sqrt{n-t+1}\; r_{i,i}}.$$

For $\bar\eta := 2 + \sqrt e$, $t := \frac n2 + 1 - c$, $m(q,c) := [\text{if } c > 0 \text{ then } q^{\frac{1-c^2}{4}} \text{ else } 1]$ we get

$$M_t \le m(q,c)\left(\frac{\bar\eta\sqrt{2e\pi}\,\lambda_1}{\sqrt{n-t+1}\,\mathrm{rd}(L)}\right)^{n-t+1}\Big/ \det\pi_t(L), \qquad (4.1)$$

because $m(q,c) = q^{\frac{1-c^2}{4}} = q^{-\sum_{i=0}^{c}(2i-1)/4} \ge \prod_{i=t}^{n/2+1} \frac{\sqrt{n-t+1}\; r_{i,i}}{\bar\eta\sqrt{2e\pi}\,\lambda_1}$ for $c > 0$. We see from (4.1) and $\det\pi_t(L) = \|b_1\|^{n-t+1} q^{\sum_{i=t-1}^{n-1} i/2}$ that

$$M_t \le m(q,c)\left(\frac{\bar\eta\sqrt{2e\pi}\,\lambda_1}{\sqrt{n-t+1}\,\mathrm{rd}(L)\,\|b_1\|}\right)^{n-t+1}\Big/ q^{\sum_{i=t-1}^{n-1} i/2}. \qquad (4.2)$$

Now $\gamma_n \le \frac{1.744\,(n + o(n))}{2e\pi}$ [KL78] implies via GSA

$$\frac{e\pi\,\lambda_1^2}{n\,\mathrm{rd}(L)^2\|b_1\|^2} \le q^{\frac{n-1}{2}} \quad\text{for } n \ge n_0. \qquad (4.3)$$

(4.2), (4.3) and $\frac{1}{n-1}\sum_{i=t-1}^{n-1} i = \frac n2 - \frac{(t-1)(t-2)}{2(n-1)}$ yield

$$M_t \le m(q,c)\left(\frac{\bar\eta\sqrt{2e\pi}\,\lambda_1}{\sqrt{n-t+1}\,\mathrm{rd}(L)\,\|b_1\|}\right)^{n-t+1}\left(\frac{\sqrt n\,\mathrm{rd}(L)\,\|b_1\|}{\sqrt{e\pi}\,\lambda_1}\right)^{n - \frac{(t-1)(t-2)}{n-1}}.$$

The difference of the exponents

$$d_e(t) = n - \frac{(t-1)(t-2)}{n-1} - n + t - 1 = (t-1)\left(1 - \frac{t-2}{n-1}\right)$$

is positive for $t \le n$ and maximal for $t_{\max} = \frac n2 + 1$, $d_e(\frac n2 + 1 - c) = \frac{n+1}{4} + \frac{1/4 - c^2}{n-1}$. We get for $\|b_1\| \le \sqrt{2e\pi}\,n^b\lambda_1$, $t = \frac n2 + 1 - c$:

$$M_t \le m(q,c)\, O\!\left(n^{\frac12 + b}\,\mathrm{rd}(L)\right)^{\frac{n+1}{4} + \frac{1/4 - c^2}{n-1}}.$$

Hence $M_t = \left(O(n^{\frac12 + 2b}\,\mathrm{rd}(L))\right)^{\frac{n+1}{4}}$.

Open problems

Main open problem: Can the factoring algorithm be improved by the method of the number field sieve?

We factor $N$ via easy CVP-solutions that correspond to multiplicative relations mod $N$, related to the quadratic sieve. The last coordinate of a CVP-solution yields a multiplicative relation of the factor base, under the natural logarithm $\ln$. How to incorporate mod $N$ reductions under the $\ln$ transform?

References

[Ad95] L.A. Adleman, Factoring and lattice reduction. Manuscript, 1995.

[AEVZ02] E. Agrell, T. Eriksson, A. Vardy and K. Zeger, Closest point search in lattices. IEEE Trans. on Inform. Theory, 48 (8), pp. 2201–2214, 2002.

[Aj96] M. Ajtai, Generating hard instances of lattice problems. In Proc. 28th Annual ACM Symposium on Theory of Computing, pp. 99–108, 1996.

[AD97] M. Ajtai and C. Dwork, A public-key cryptosystem with worst-case / average-case equivalence. In Proc. 29th STOC, ACM, pp. 284–293, 1997.

[Ba86] L. Babai, On Lovász' lattice reduction and the nearest lattice point problem. Combinatorica 6 (1), pp. 1–13, 1986.

[BL05] J. Buchmann and C. Ludwig, Practical lattice basis sampling reduction. eprint.iacr.org, TR 072, 2005.

[Ca98] Y. Cai, A new transference theorem and applications to Ajtai's connection factor. ECCC, Report No. 5, 1998.

[CEP83] E.R. Canfield, P. Erdős and C. Pomerance, On a problem of Oppenheim concerning "Factorisatio Numerorum". J. of Number Theory, 17, pp. 1–28, 1983.

[CS93] J.H. Conway and N.J.A. Sloane, Sphere Packings, Lattices and Groups. Third edition, Springer-Verlag, 1998.

[FP85] U. Fincke and M. Pohst, Improved methods for calculating vectors of short length in a lattice, including a complexity analysis. Math. of Comput., 44, pp. 463–471, 1985.

[HHHW09] P. Hirschhorn, J. Hoffstein, N. Howgrave-Graham, W. Whyte, Choosing NTRUEncrypt parameters in light of combined lattice reduction and MITM approaches. In Proc. ACNS 2009, LNCS 5536, Springer-Verlag, pp. 437–455, 2009.

[HPS98] J. Hoffstein, J. Pipher and J. Silverman, NTRU: A ring-based public key cryptosystem. In Proc. ANTS III, LNCS 1423, Springer-Verlag, pp. 267–288, 1998.

[H07] N. Howgrave-Graham, A hybrid lattice-reduction and meet-in-the-middle attack against NTRU. In Proc. CRYPTO 2007, LNCS 4622, Springer-Verlag, pp. 150–169, 2007.

[HS07] G. Hanrot and D. Stehlé, Improved analysis of Kannan's shortest lattice vector algorithm. In Proc. CRYPTO 2007, LNCS 4622, Springer-Verlag, pp. 170–186, 2007.

[HS08] G. Hanrot and D. Stehlé, Worst-case Hermite-Korkine-Zolotarev reduced lattice bases. CoRR, abs/0801.3331, http://arxiv.org/abs/0801.3331.

[Ka87] R. Kannan, Minkowski's convex body theorem and integer programming. Math. Oper. Res., 12, pp. 415–440, 1987.

[KL78] G.A. Kabatiansky and V.I. Levenshtein, Bounds for packing on a sphere and in space. Problems of Information Transmission, 14, pp. 1–17, 1978.

[LLL82] H.W. Lenstra Jr., A.K. Lenstra, and L. Lovász, Factoring polynomials with rational coefficients. Mathematische Annalen 261, pp. 515–534, 1982.

[MO90] J. Mazo and A. Odlyzko, Lattice points in high-dimensional spheres. Monatsh. Math. 110, pp. 47–61, 1990.

[MG02] D. Micciancio and S. Goldwasser, Complexity of Lattice Problems: A Cryptographic Perspective. Kluwer Academic Publishers, Boston, London, 2002.

[S87] C.P. Schnorr, A Hierarchy of Polynomial Time Lattice Basis Reduction Algorithms. Theoret. Comput. Sci., 53, pp. 201–224, 1987.

[S93] C.P. Schnorr, Factoring integers and computing discrete logarithms via Diophantine approximation. In Advances in Computational Complexity, AMS, DIMACS Series in Discrete Mathematics and Theoretical Computer Science, 13, pp. 171–182, 1993. Preliminary version in Proc. EUROCRYPT'91, LNCS 547, Springer-Verlag, pp. 281–293, 1991. //www.mi.informatik.uni-frankfurt.de.

[SE94] C.P. Schnorr and M. Euchner, Lattice basis reduction: Improved practical algorithms and solving subset sum problems. Mathematical Programming 66, pp. 181–199, 1994.

[SH95] C.P. Schnorr and H.H. Hörner, Attacking the Chor–Rivest cryptosystem by improved lattice reduction. In Proc. EUROCRYPT'95, LNCS 921, Springer-Verlag, pp. 1–12, 1995.

[S03] C.P. Schnorr, Lattice reduction by sampling and birthday methods. Proc. STACS 2003: 20th Annual Symposium on Theoretical Aspects of Computer Science, LNCS 2007, Springer-Verlag, pp. 146–156, 2003.

[S06] C.P. Schnorr, Fast LLL-type lattice reduction. Information and Computation, 204, pp. 1–25, 2006.