See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/226499611

Lattice Basis Reduction: Improved Practical Algorithms and Solving Subset Sum
Problems

Article  in  Mathematical Programming · August 1994

DOI: 10.1007/BF01581144 · Source: DBLP

CITATIONS READS
933 825

2 authors, including:

Claus Peter Schnorr

Goethe-Universität Frankfurt am Main
149 PUBLICATIONS   9,621 CITATIONS   

SEE PROFILE

All content following this page was uploaded by Claus Peter Schnorr on 24 September 2014.

The user has requested enhancement of the downloaded file.

 Lattice Basis Reduction: Improved Practical
Algorithms and Solving Subset Sum Problems.
C. P. Schnorr
M. Euchner
Universitat Frankfurt
Fachbereich Mathematik/Informatik
Postfach 111932
6000 Frankfurt am Main
Germany
July 1993

Abstract
We report on improved practical algorithms for lattice basis reduc-
tion. We propose a practical oating point version of the L3 {algorithm
of Lenstra, Lenstra, Lovasz (1982). We present a variant of the L3 {
algorithm with \deep insertions" and a practical algorithm for block
Korkin{Zolotarev reduction, a concept introduced by Schnorr (1987).
Empirical tests show that the strongest of these algorithms solves al-
most all subset sum problems with up to 66 random weights of arbi-
trary bit length within at most a few hours on a UNISYS 6000/70 or
within a couple of minutes on a SPARC 1+ computer.

1 Introduction and Survey

It is a major open problem to determine the exact complexity of nding
short vectors in a lattice. On the one hand the problem of nding a non{zero
lattice vector that is shortest in the sup{norm is known to be NP{complete
[4] (in its feasibility recognition form). On the other hand the L3 {lattice
basis reduction algorithm of Lenstra, Lenstra, Lovasz [17] is a polynomial
time algorithm that nds a non{zero vector in an m{dimensional lattice
that is guaranteed to be at most 2m=2{times the length of the shortest non{
zero vector in that lattice. The L3 {algorithm nds in practice much shorter
vectors than is guaranteed by the worst case 2m=2{bound. The performance
1
of the L3 has been further improved by suitable modications [5,15,22], and
new algorithms are being invented [19,23,24,27]. Possibly nding reasonably
short vectors in a random lattice is not so dicult on the average. This
would have important consequences for solving linear and non{linear integer
programming problems.
Several attempts have been made to improve on the performance of the
L3{algorithm for lattice reduction. Recently Seysen [27] and Schnorr [23,24]
have invented new algorithms for basis reduction in the square norm. Sey-
sen's method performs extremely well for lattices of dimension up to 30. It
operates on small integers, the intermediate integers for Seysen's algorithm
are not larger than the input integers. Schnorr [23] has extended the L3{
reduction to a hierarchy of polynomial time reduction algorithms that nd
a non{zero vector in an m{dimensional lattice that is guaranteed to be at
most (1 + ")m {times the length of the shortest non{zero vector in that lat-
tice. The degree of the polynomial that bounds the running time increases
as " converges to zero. A dierent approach to improve on lattice reduction
has been made by Lovasz and Scarf (1992). They propose a generalised
lattice reduction algorithm that works for an arbitrary norm. This general
approach is tailor{made for certain integer programming problems.
A bottleneck for the speed of the L3 {algorithm is the required exact arith-
metic on large integers. Most of these arithmetic steps occur in the process
of Gram{Schmidt orthogonalizing the basis vectors. It has been proposed
to perform this orthogonalization in oating point arithmetic while keeping
the basis vectors in exact integer representation. This however makes the
L3{algorithm unstable.
In this paper we present a practical oating point L3{algorithm, L3FP ,
having good stability according to empirical tests up to dimension 125 with
integer entries of bit length up to 300. We also propose a practical algo-
rithm for block Korkin{Zolotarev reduction and we introduce the variant
of the L3{algorithm that uses \deep insertions". These algorithms produce
considerably shorter lattice vectors than the original L3 {algorithm. They
perform well in practice but may be inecient in worst case. We report
on the performance of all these algorithms in solving subset sum problems.
These algorithms have also been applied to solve the diophantine approxi-
mation problem that yields the factorization of a given integer [25]. However

2
to make this approach work for large integers further progress in basis re-
duction is needed.
The knapsack or subset sum problem is to solve, given positive integers
a1; : : :; an and s, the equation
n
X
ai xi = s with x1 ; : : :; xn 2 f0; 1g:
i=1
The Brickell [1] and the Lagarias{Odlyzko [14] algorithms solve almost all
subset sum problems for which the density d = n = log2 max ai is suciently
small. Radziszowski and Kreher [17] evaluate the performance of an im-
proved variant of the Lagarias{Odlyzko algorithm. In this paper we replace
in the Lagarias{Odlyzko method the L3{algorithm, by more powerful reduc-
tion algorithms, namely by the L3{algorithm with \deep insertions" and by
block Korkin{Zolotarev reduction. We also replace the Lagarias{Odlyzko
lattice by a lattice (1) { see section 7 { that is better suited to produce
0; 1{solutions for the knapsack equation. Empirical tests show that these al-
gorithms solve almost all subset sum problems that have either suciently
low or suciently high density. The hardest subset sum problems turn out
to be those that have a density that is slightly larger than 1, i.e. a density
about 1 + (log2 (n=2))=n. The new lattice basis (1) and the stronger reduc-
tion algorithms lead to a substantially improved success rate of subset sum
algorithms. Using block Korkin{Zolotarev reduction with block size 20 we
can solve almost all subset sum problems of dimension up to 58 even if their
density is close to 1. It has been proved rigorously that for almost all subset
sum problems with density less that 0:9408 the shortest non{zero vector in
the associated lattice basis (1) yields a solution of the subset sum problem [3].
In section 6 we describe a particular practical algorithm for block Korkin{
Zolotarev reduction. Using the improved reduction algorithms we can solve
a much larger class of subset sum problems than was previously possible.
Some empirical data are given in section 7. Several alternative algorithms
for block Korkin{Zolotarev reduction and more empirical data are given in
the master thesis of M. Euchner [5]. Another empirical comparison of the
success rates for the new lattice basis (1) versus the Lagarias{Odlyzko lattice
has been done by LaMacchia [15]. His success rates roughly correspond to
our success rates using the weakest of our reduction methods, L3{reduction
in oating point arithmetic (algorithm L3 FP ), see the comments in section
7.

3
 Early versions of the new practical algorithms and the improved lattice
(1) have been developed during the courses on lattice basis reduction which
the rst author gave at Frankfurt University in summer 1990. This work
has been mentioned in the talk of the rst author at the workshop on cryp-
tography at Princeton University in September 1990 and has in uenced the
subsequent work in [3,10,15].

2 Basic concepts, L3{reduction

Let IRn be the n{dimensional real vector space with the ordinary inner
product < ; > and Euclidean length ky k = hy; y i1=2. A discrete, additive
subgroup L  IRn is called a lattice. Every lattice L is generated by some
set of linearly independent vectors b1 ; : : :; bm 2 L, called a basis of L,

L = ft1 b1 +


+ tn bm  t1; : : :; tm 2 ZZg:
Let L(b1; : : :; bm) denote the lattice with basis b1; : : :; bm. Its rank or dimen-
sion is m and the determinant is dened as d(L) = det[hbi; bj i1i;j m ]1=2.
The rank and the determinant of the lattice do not depend on the choice
of the basis. Let b1; : : :; bm 2 IRn be a basis of lattice L then b1 ; : : :; bm is
another basis of L if and only if there exists a matrix T 2 GLm (ZZ) such
that
[b1; : : :; bm] = [b1; : : :; bm] T:
Here [b1; : : :; bm] denotes the n  m matrix in Mn;m (IR) with column vectors
b1; : : :; bm. The goal of lattice basis reduction is to transform a given lattice
basis into a basis that consists of short vectors or, equivalently, into a basis
consisting of vectors that are pairwise nearly orthogonal.
With an ordered lattice basis b1; : : :; bm 2 IRn we associate the
Gram{Schmidt orthogonalization ^b1; : : :; ^bm 2 IRn which can be com-
puted from b1; : : :; bm together with the Gram{Schmidt coecients i;j =
hbi; ^bj i = h^bj; ^bj i by the recursion
i?1
X
^b1 = b1; ^bi = bi ? i;j^bj for i = 2; : : :; m:
j =1
We have i;i = 1 and i;j = 0 for i < j . The vectors ^b1; : : :; ^bm are linearly
independent, they are not necessarily in the lattice. If the basis b1 ; : : :; bm is
4
integral, i.e. b1; : : :; bm 2 ZZn , then the vectors ^b1 ; : : :; ^bm and the coecients
i;j are rational. We can write the above equations in matrix notation as
[b1; : : :; bm] = [^b1; : : :; ^bm] [i;j ]>1i;j m :
An ordered basis b1; : : :; bm 2 IRn is called size{reduced if
ji;j j  1=2 for 1  j < i  m:
An individual basis vector bi is size{reduced if ji;j j  1=2 for 1  j < i.
Let  be a constant, 1=4 <   1. Following [17] we call a basis
b1; : : :; bm 2 IRn L3{reduced with  if it is size{reduced and if
 k^bk?1 k2  k^bk + k;k?1 ^bk?1 k2 for k = 2; : : :; m:
For practical purposes we are interested in a constant  that is close to 1,
e.g.  = 0:99.
Let 1; : : :; m denote the successive minima of lattice L, i = i (L) is
dened as the smallest radius r of a ball that is centered at the origin and
which contains r linearly independent lattice vectors. Any L3 {reduced basis
consists of relatively short lattice vectors.
Theorem 1 [17] Every basis b1; : : :; bm that is L3{reduced with  satises
1?i  kbi k2 ?i 2  m?1 for i = 1; : : :; m with  = ( ? 1=4)?1:
The case  = 3=4 of Theorem 1 has been settled in [17]. This proof can
easily be extended to all  , 1=4 <   1.
We next describe some basic reduction algorithms. We restrict ourselves
to integer input bases. For a real number r let drc 2 ZZ denote the nearest
integer, drc = dr ? 1=2e, with drc = r ? 1=2 for half integers r 2 (2ZZ+1)=2.
Algorithm for size{reduction of the basis vector bk .
INPUT b1; : : :; bm 2 ZZn (a lattice basis)
i;j for 1  j < i  m (its Gram{Schmidt coecients)
FOR j = k ? 1; : : :; 1 DO
IF jk;j j > 1=2 THEN [ bk := bk ? dk;j c bj ,
FOR i = 1; : : :; m DO k;i := k;i ? dk;j c j;i ]
OUTPUT b1 ; : : :; bm (basis where bk is size{reduced)
i;j for 1  j < i  m (its Gram{Schmidt coecients)
5
 We obtain a size{reduced basis b1; : : :; bm by size{reducing each vector
individually. Size{reducing the vector bk does not aect the size{reduction
of the other vectors.
Algorithm for L3 {reduction (according to [17])
INPUT b1; : : :; bm 2 ZZn (a lattice basis),  with 1=4 <  < 1.
(initiation) k := 2 (k is the stage)
compute the Gram{Schmidt coecients i;j for
1  j < i  m and k^bik2 for i = 1; : : :; m.
WHILE k  m DO
size{reduce the vector bk and update k;j for j = 1; : : :; k ? 1.
IF  k^bk?1k2 > k^bk k2 + 2k;k?1 k^bk?1 k2
THEN [swap bk and bk?1 , k := max(k ? 1; 2)]
ELSE k := k + 1
OUTPUT b1; : : :; bm (a basis that is L3 {reduced with  ).
REMARKS 1. Upon entry of stage k the basis b1; : : :; bk?1 is L3{reduced
with  .
2. For every swap of bk?1 ; bk we must update k^bk k2; k^bk?1 k2 and i; ; ;i
for  = k; k ? 1 and i = 1; : : :; m, see [17].
3. In the original L3{algorithm only the rst step bk := bk ? dk;k?1 cbk?1
of size{reducing bk is done before the IF step and the size{reduction of bk is
completed before incrementing k to k + 1.
4. Let B denote max(kb1k2 ; : : :; kbmk2 ) for the input basis. Throughout the
algorithm the bit length of the numerators and denominators of the ratio-
nal numbers k^bik2 ; i;j is bounded as O(m log B ). The bit length of the
coecients of the bi 2 ZZn is also bounded as O(m log B ) throughout the
algorithm [17].
5. The algorithm terminates after at most ( m2 ) log1= B iterations. It per-
forms at most O(m3 n log B ) arithmetic operations on integers that are
O(m log B) bits long, see [17].
In practical applications the above L3 {algorithm is suering from the
slowness of the subroutines for long integer arithmetic. To speed up the
algorithm it has been proposed to operate the numbers i;j and k^bik2 in
oating point arithmetic. Then however the above algorithm becomes un-
stable and it has to be rewritten to minimize oating point errors. This will
be done in section 3.

6
3 L3{reduction using oating point arithmetic
In the following algorithm for L3 {reduction we keep the basis vectors
b1; : : :; bm 2 ZZn in exact representation and the numbers i;j ; k^bik2 in
oating point. The basis must be exact since errors in the basis change the
lattice and cannot be corrected. All other errors can be corrected using a
correct basis. The following provisions are taken to minimize the oating
point errors. We let v 0 denote the oating point value corresponding to an
exact value  . Let the integer  denote the number of precision bits in the
oating point arithmetic.
1. Whenever we enter stage k we compute from the actual basis vectors
b1 ; : : :; bk the numbers k;j for j = 1; : : :; k ? 1 and also ck = k^bk k2.
This will correct these values since the vectors b1; : : :; bk are exact.
2. If a large reduction coecient, jdk;j cj > 2=2, occurs during the size{
reduction of bk then we subsequently decrease the stage k to k ? 1.
This will correct the coecients k?1;j and k;j for j = 1; : : :; k ? 1 as
well as ck?1 ; ck ; b0k?1; b0k .
3. If jhb0k ; b0j ij < 2?=2 kb0k k kb0j k then we compute hbk ; bj i0 instead of
hb0k ; b0j i. Since the leading bits in the computation of hb0k ; b0j i cancel out
the value hb0k ; b0j i is too inexact.
Algorithm L3 FP, L3{reduction in oating point arithmetic
INPUT b1; : : :; bm 2 ZZn (a lattice basis),  with 1=2 <  < 1.
1. (initiation) k := 2, Fc := false
(k is the stage. The following values are available upon entry of stage
k: i;j for 1  j < i < k and ci = k^bik2 for i = 1; : : :; k ? 1)
FOR i = 1; : : :; m DO b0i := (bi )0
2. WHILE k  m DO
(computation of k;1 ; : : :; k;k?1 ; ck = k^bk k2)
ck := kb0kk2 , IF k = 2 THEN c1 := kb01k2
FOR j = 1; : : :; k ? 1 DO
IF jhb0k ; b0j ij < 2?=2 kb0k k kb0j k
THEN s := hbk ; bj i0
ELSE s := hb0k ; b0j i

7
 ?1
jP
k;j := (s ? j;i k;i ci)=cj
i=1
ck := ck ? 2k;j cj
3. (size{reduction of bk )
FOR j = k ? 1; : : :; 1 DO
IF jk;j j > 1=2 THEN
 := dk;j c
IF jj > 2=2 THEN Fc := true
FOR i = 1; : : :; j ? 1 DO k;i := k;i ? j;i
k;j := k;j ? ; bk := bk ?  bj ; b0k := (bk )0
END if jk;j j
IF Fc THEN [ Fc := false; k := max(k ? 1; 2), GOTO 2 ]
4. (swap bk?1 ; bk or increment k)
IF  ck?1 > ck + 2k;k?1 ck?1
THEN [ swap bk ; bk?1 swap b0k ; b0k?1
k := max(k ? 1; 2) ]
ELSE k := k + 1
OUTPUT b1; : : :; bm (a basis that is L3 {reduced with  ).
COMMENTS. 1. According to our experience the algorithm L3FP has
good stability even for single precision oating point arithmetic and for very
large input vectors. Double precision arithmetic results in a considerable de-
crease of the number of swaps and in a faster algorithm. The point is that
L3FP performs reduction with respect to the leading bits of the basis vec-
tors handling about  of these bits at the same time, where  is the number
of precision bits of the oating point arithmetic. Thus the number of swaps
in L3 FP is proportional to log2 B= times the number of swaps in the L3{
algorithm.
2. We cannot prove that L3 FP always terminates. If the oating point
precision is too small compared to the length of the input vectors L3 FP
might run into cycles that are caused by oating point errors. However the
algorithm was successful in several thousand applications with lattices of
rank up to 125 and where the bit length of the input integers was up to 300.
3. Schnorr [24] has given an algorithm for L3 {reduction with provably neg-
ligible oating point errors. Practical versions of this algorithm are about
10% slower than the above algorithm L3 FP . The reduction algorithm in
[24] uses the coecients i;j of the inverse matrix [i;j ] = [i;j ]?11i;j m . It

8
corrects oating point errors via the scalar products hbi; bj i.
4. The ag Fc is set true if a correction step has to be performed. In this
case k will be decreased to k ? 1 and the i;j ; kbik2 will be corrected for
i = k ? 1 and i = k.
5. To oset small oating point errors one has to use  {values that are larger
than 1=4, e.g.   1=2.
The following \deep insertion" step extends the swap bk $ bk?1 of the L3{
algorithm. By replacing Step 4 of algorithm L3FP by the \deep insertion"
step we obtain a variant of L3 FP that nds shorter lattice vectors.
New Step 4 (deep insertion of bk )
c := kb0kk2 ; i := 1
WHILE i < k DO
IF  ci  c
THEN [ c := c ? 2k;i ci ; i := i + 1 ]
ELSE [ (b1; : : :; bk ) := (b1; : : :; bi?1; bk ; bi; : : :; bk?1)
rearrange the b0j accordingly
k := max(i ? 1; 2), GOTO 2 ]
k := k + 1
COMMENTS. 1. A deep insertion possibly inserts bk at some position
i < k and increments the indices of the old vectors bi; : : :; bk?1 by 1. The
position i is chosen as the minimal i which results in decreasing ci = kbbi k2
by at least a factor  . Throughout Step 4 c is the length square of the
vector ^bnew
i in case that a deep insertion step of bk at position i is performed.
2. Algorithm L3 FP with deep insertions may be super{polynomial time in
worst case. If the deep insertions are only performed in case that either
i  co or k ? i  co for a xed constant co then the deep insertion variant
of L3 FP remains polynomial time.

4 L3{reduction of a linearly dependent generator

system
We can extend algorithm L3FP so that it transforms every generator sys-
tem b1; : : :; bm 2 ZZn of a lattice into an L3{reduced basis. If the vectors
b1; : : :; bm are linearly dependent then the associated Gram{Schmidt orthog-

9
onalization ^b1; : : :; ^bm contains at least one zero{vector, which leaves us with
another problem.
We must avoid increasing the stage to k +1 in case that ck = kbbk k2 is zero
because then a division with ck is done on the next stage k +1. Fortunately,
if ck is zero the condition ck?1 > ck + 2k;k?1 ck?1 for swapping bk?1 ; bk
is satised since we have 2k;k?1 < 1=4 and   1=2. If k > 2 this swap
of bk?1 ; bk and the decrease of k will avoid a subsequent division by zero.
However if k = 2 and c2 = 0 swapping b2; b1 may result in a zero{vector b1.
We can simply eliminate this zero{vector b1 from the basis. Going one step
further we check after each size{reduction of bk in Step 3 of L3 FP whether
the reduced vector bk is zero and in this case we eliminate bk from the basis.
This will correctly deal with all cases provided that initially b1 is not the
zero{vector.
Thus we insert into Step 3 of L3FP after the reduction of bk and before
changing k the following assignment:
Additional assignment for Step 3 of L3 FP
IF bk = 0 THEN [ eliminate bk ; m := m ? 1; k := 2, GOTO 2 ]
We suppose that this assignment is always included in L3 FP if the input
vectors b1 ; : : :; bm are linearly dependent. We call the algorithm L3FP with
the additional assignment the extended L3FP .
Remarks. 1. The initial comments and the termination of the extended
L3FP (which is proved in Theorem 2 below) show that the extended L3 FP
is correct up to oating point errors. It is sucient to note that the vectors
b1; : : :; bk?1 of Stage k are always L3 {reduced with  and that the algorithm
terminates on Stage m +1. Thus the output vectors b1; : : :; bm form a basis
that is L3 {reduced with  .
2. Since the vectors b1; : : :; bk?1 of Stage k are L3 {reduced with  we see
from Theorem 1 that cj  1?j kb1k2 holds for j = 1; : : :; k ? 1 where
 = 1=( ? 1=4)  4. Therefore the divisors cj of Step 2 are suciently
apart from 0. This helps to minimize oating point errors.
3. Resetting the stage k to 2, in the additional assignment for step 3, is a
precaution against oating point errors. The generation of a zero{vector bk

10
produces some oating point errors that are due to the fairly small vectors
bi
b occuring within this process.
We present an upper bound on the number of swaps bk?1 $ bk in the
extended L3 FP relying on the following integer quantity D:
Y
D= Di with Di = det L(b1; : : :; bi)2 ;
^bi 6=0

where i ranges over all indices 1  i  m ? 1 with bbi 6= 0. The quantity D

extends the corresponding D in [17] to the case of linearly dependent input
vectors b1 ; : : :; bm.
Theorem 2 If the extended L3FP is performed in exact arithmetic we have
that
1. every swap bk?1 $ bk achieves Dnew   Dold,
?

2. the total number of swaps bk?1 $ bk is at most m2 log1= B where
B is the maximum length square kbi k2 of the input vectors bi 2 ZZn
for i = 1; : : :; m.
Proof. 1. A swap of the vectors bk?1; bk leaves Di for i 6= k ? 1
unchanged. If bbnew 6 0 then bbnew
k?1 =
old
i ; bbi are zero for the same i. We have
Dnew = Dold kbbnew 2 old ?2
k?1 k kbbk?1k   D
old

since the swap reduces kbbk?1 k2 at least by a factor  . This proves the claim
for the case that bbnew 6 0.
k?1 =
In the case bbnew bold
k?1 = 0 we have bk = 0 and thus
Y Y
Dold = Diold; Dnew = Dinew
i6=k i6=k?1

Dnew = Dold = Dknew = Dkold?1:

Now the lattice L(b1; : : :; bold k?1) has the same rank as the lattice
L(b1; : : :; bk?1; bk ) = L(b1; : : :; bnew
old old new
k?1; bk ) and it is properly contained in
the latter lattice. This is because bold k 62 L(b1; : : :; bk?1), which holds since
old
bk is size{reduced and bk 6= 0. The proper inclusion of the above lattice
old old

11
and the integrality of Dk ; Dk?1 implies that Dknew  Dkold?1 = 2 and thus
Dnew  Dold=2.
2. This is an immediate consequence of (1) and the fact that the entity D
remains a positive integer throughout the computation. 2
Remarks. ? 1.
Due to oating point errors the extended L3FP performs
more than m2 log1= B many swaps bk?1 $ bk . The number of swaps is
about  ?1 log2 B times this bound.
2. A somewhat
Q
dierent entity D has been used in [23]. There we dened
D0 = mi=1?1 Di0 with
i
Y
Di0 = kbbj k2:
j =1
^bj =0
6

A detailed analysis shows that every exchange bk?1 $ bk achieves

D0new   D0old if bbnew k?1 6= 0
D0new  D0old if bbnew
k = 0:

5 Block Korkin Zolotarev reduction

Let L = L(b1; : : :; bm)  IRn be a lattice with ordered basis b1; : : :; bm. Let
i : IRn ! span(b1; : : :; bi?1)? denote the orthogonal projection so that
b ? i (b) 2 span(b1; : : :; bi?1). We let Li denote the lattice i (L), which is a
lattice of rank m ? i + 1.
An ordered basis b1; : : :; bm of lattice L is a Korkin{Zolotarev basis if it is
size{reduced and if
k^bik = 1(Li) for i = 1; : : :; m:
This denition is equivalent to the one given, in the language of quadratic
forms, by Hermite in his second letter to Jacobi (1845) and by Korkin and
Zolotarev (1873).

12
 Theorem 3 shows the strength of Korkin{Zolotarev reduction compared
to L3 {reduction, see Theorem 1.
Theorem 3 [13] Every Korkin{Zolotarev basis b1; : : :; bm satises
4  kb k2 = 2  i + 3 for i = 1; : : :; m:
(i + 3) i i 4
The fastest known algorithm for Korkin{Zolotarev reduction of a basis
b1; : : :; bm 2 ZZnpwith B = max(kb1k2; : : :; kbmk2) has a theoretic worst case
time bound of nn+o(n) + O(n4 log B ) arithmetic steps on O(n log B ){bit
integers [23]. This algorithm is an improved version of Kannan's shortest
lattice vector algorithm [11].
Schnorr [23] introduced the following notion of a block Korkin{Zolotarev
reduced basis. Let  be an integer, 2   < m.
A lattice basis b1; : : :; bm is  {reduced if it is size{reduced and if
k^bik  1(Li(b1; : : :; bmin(i+?1;m))) for i = 1; : : :; m ? 1:
Let  denote the maximum of kb1k = k^bk taken over all Korkin{Zolotarev
reduced basis b1; : : :; b . We have 2 = 34 ; 3 = 23 and    1+ln  ,
where ln  is the natural logarithm of  [23]. The constant 1=( ?1) slowly
converges to 1 as  increases. The corresponding constant  in Theorem 1
is at least 4=3. The strength of  {reduced bases compared to L3{reduced
bases can be seen from the following
Theorem 4 [23] Every {reduced basis b1; : : :; bm of lattice L satises
kb1k2  (m?1)=(?1)1(L)2 provided that  ? 1 divides m ? 1.
We call the basis b1; : : :; bm  {reduced with  , 1=4 <   1, if it is size{
reduced and if
 kbbi k2  1(Li (b1; : : :; bmin(i+?1;m) ))2 for i = 1; : : :; m ? 1:
Theorem 5 A basis b1; : : :; bm 2 IRn is 2{reduced with , 1=3    1,
if and only if it is L3 {reduced with  .

13
Proof. \ ) " If b1; : : :; bm is 2{reduced with  then we have
 kbbk k2  kk (vk bk + vk+1 bk+1 )k2
for all (vk ; vk+1 ) 2 ZZ2 ? 0 and for k = 1; : : :; m ? 1. With vk = 0; vk+1 = 1
this yields  kbbk k2  kk (bk+1 )k2.
\ ( " We show that the inequality
kk (vk bk + vk+1bk+1)k2 = (vk + k+1;k vk+1 )2 kbbk k2 + jvk+1j2kbbk+1k2
  kbbkk2
holds for all (vk ; vk+1) 2 ZZ2 ? (0; 0).
If vk+1 = 0 this inequality clearly holds.
If vk+1 = 1 the minimal value for jvk + k+1;k vk+1 j occurs at vk = 0.
This is because jk+1;k j  1=2. From this and since the basis is L3{reduced
with  we see that the desired lower bound kk (bk+1 )k2   kbbk k2 holds.
If jvk+1 j  2 the desired lower bound follows from
4 kbbk+1 k2  4( ? 1=4) kbbk k2   kbbk k2 :
Here we use that   1=3 and that the basis is L3{reduced with  . 2
The rst part of the above proof does not require that   1=3, thus any
basis that is 2{reduced with  is also L3{reduced with  .

6 A practical algorithm for block Korkin

Zolotarev reduction
The following algorithm BKZ performs a  {reduction with  . It uses L3 FP
and a subroutine ENUM (j; k) dened below which minimizes the expression
k X
X k
cj (uj ; : : :; uk ) := ( ui i;s )2cs
s=j i=s
for (uj ; : : :; uk ) 2 ZZk?j +1 ? 0k?j +1 .

14
Algorithm BKZ for block Korkin{Zolotarev reduction
INPUT b1; : : :; bm 2 ZZn ;  with 1=2 <  < 1;  with 2 <  < m.
1. L3 FP (b1 ; : : :; bm;  ); z := 0; j := 0
WHILE z < m ? 1 DO
j := j + 1; k := min(j +  ? 1; m)
IF j = m THEN [ j := 1; k :=  ]
2. ENUM (j; k)
(this nds the minimal place (uj ; : : :; uk ) 2 ZZk?j +1 ? 0k?j +1
and the P minimal value cj for cj (uj ; : : :; uk ) and also
bj := ks=j usbs).
new

3. h := min(k + 1; m)
IF cj > cj
THEN [ Fc := true, call L3 FP (b1 ; : : :; bj ?1; bnew j ; bj ; : : :; bh;  )
at stage j , z := 0 ]
ELSE [ z := z + 1, call L3 FP (b1 ; : : :; bh ; 0:99) at stage h ? 1 ]
OUTPUT b1; : : :; bm (a basis that is  {reduced with  ).
COMMENTS. 1. Throughout the algorithm the integer j is cyclically
shifted through the integers 1; 2; : : :; m ? 1. The variable z counts the num-
ber of positions j that satisfy the inequality  k^bj k2  1(j (L(bj ; : : :; bk )))2.
If this inequality does not hold for j then we insert bnew j into the basis, we
call L3 FP and we reset z to 0. The integer j = m is skipped since the in-
equality always holds for j = m. Obviously a basis b1; : : :; bm is  {reduced
with  if it is size{reduced and z = m ? 1. On termination the basis is size{
reduced by the calls of L3 FP in Step 3 and we have z = m ? 1. Therefore
the algorithm produces, up to oating point errors, a basis that is  {reduced
with  .
2. The rst call of L3 FP in Step 3 transforms the generator sys-
tem b1 ; : : :; bj ?1; bnew
j ; bj ; : : :; bh of lattice L(b1; : : :; bh) into a basis for
L(b1; : : :; bh) that is L3{reduced with . Alternatively we can ex-
tend b1 ; : : :; bj ?1 ; bnew new new
j to a basis b1; : : :; bj ?1; bj ; : : :; bh of the lattice
new Ph
L(b1; : : :; bh) using the coecients ui in the representation bj = i=j uibi.
For this we compute T 2 GLh?j +1 (ZZ) with [uj ; : : :; uh ]T = [1; 0; : : :; 0] and
we set [bnew new ?1
j ; : : :; bh ] := [bj ; : : :; bh]T .
3. Setting Fc to true in Step 3 before inserting the new vector bnew j into
the basis means that the j;i that are generated next on stage j will be
15
corrected. This correction is necessary since some precision bits will be lost
during the reduction in size of bnew
j .
4. The second call of L3FP in Step 3 makes sure that the vectors bj ; : : :; bk
are always L3 {reduced with  when calling ENUM (j; k).
5. We cannot prove that algorithm BKZ runs in polynomial time. However
the algorithm behaves well in practice, see section 7.

Algorithm ENUM
INPUT j; k with 1  j < k  m
(the following parameters of BKZ are used: bj ; : : :; bk ; ci = kbb0ik2 for i =
j; : : :; k and i;t for j  t < i  k)
1. cj := cj ; uej := uj := 1; yj := 4j := 0; s := t := j; j := 1
FOR i = j +1; : : :; k +1 DO [eci := ui := uei := yi := 4i := 0; i := 1]
2. WHILE t  k DO
ct := ect+1 + (yt + uet)2ct
e
IF ect < cj
THEN IF t > j
Ps
THEN [ t := t ? 1; yt := uei i;t,
i=t+1
uet := vt := d?yt c; 4t := 0
IF uet > ?yt THEN t := ?1
ELSE t := 1 ]
ELSE [cj := ecj ; ui := uei for i = j; : : :; k]
ELSE [ t := t + 1; s := max(s; t)
IF t < s THEN 4t := ?4t
IF 4tt  0 THEN 4t := 4t + t
uet := vt + 4t ]
Pk
bnew
j := ui bi
i=j
OUTPUT the minimal place (uj ; : : :; uk ) 2 ZZk?j +1 ? 0k?j +1
and the minimum cj of cj (uj ; : : :; uk ) and bnew
j .

COMMENTS. 1. The algorithm ENUM enumerates in depth rst search

all integer vectors (uet ; : : :; uek ) for t = k; : : :; j that satisfy ct(uet ; : : :; uek ) < cj

16
where cj is the current minimum for the function cj . The current minimal
place is (uj ; : : :; uk ). We always have that ect = ct (uet; : : :; uek ) for the current
vector (uet ; : : :; uek ). Redundancies have been eliminated so that the following
holds throughout the enumeration. The largest i with uei 6= 0 satises uei > 0.
This is because arriving at level t for the rst time from level t ? 1 we set
4t = 1 and uet = 1.
2. Throughout the enumeration s is the maximal previous value for t.
3. When initially we arrive at level t from level t ? 1 we have yt = 4t = 0 and
s = t. Then we set 4t to 1 and uet to 1. When subsequently level t is reached
from level t ? 1 we take for 4t the next value in order 1; ?1; 2; ?2; 3; ?3; : : :
as long as ect  cj . At this latter point we increment t to t +1 and s to s +1.
When level t is reached from level t + 1 we set 4t to 0 and we assign to t
the sign of ?yt + d?yt e. When subsequently level t is reached from level t ? 1
we take for 4t the next value in either the order 1; ?1; 2; ?2; 3; ?3


, or in
the order ?1; 1; ?2; 2; ?3; 3


, as long as ect  cj . (The choice of the order
depends on t and it is made so that the values (yt + d?yt c + 4t )2ct do not
decrease for the chosen sequence 4t .) At this latter point t is incremented
to t + 1.
4. Our original ENUM{algorithm, see [26], did not enumerate the values
(yt + d?yt c + 4t)ct in increasing order. The new ENUM{algorithm is slightly
better for block Korkin{Zolotarev reduction with pruning, see the end of
section 7.

7 Solving subset sum problems

Given
Pn
positive integers a1; : : :; an ; s we wish to solve the equation
i=1 i xi = s with x1 ; : : :; xn 2 fn+2
a 0; 1g. We associate to these integers
the following basis b1; : : :; bn+1 2 ZZ .
b1 = (2; 0; : : :; 0; na1; 0)
b2 = (0; 2; : : :; 0; na2; 0)
..
. (1)
bn = (0; 0; : : :; 2; nan; 0)
bn+1 = (1; 1; : : :; 1; ns ; 1):
Every lattice vector z = (z1; : : :; zn+2 ) 2 L(b1; : : :; bn+1) that satises
jzn+2 j = 1; zn+1 = 0; z1; : : :; zn 2 f1g (2)

17
yields the following solution for the subset sum problem
xi = jzi ? zn+2 j = 2 for i = 1; : : :; n: (3)
The following algorithm SUBSETSUM improves the Lagarias{Odlyzko
algorithm [14] for solving low density subset sum problems in various ways.
It uses the lattice basis (1) that is better suited than the Lagarias{Odlyzko
basis. It has been proved rigorously that for almost all subset sum problems
of density less than 0.9408 the shortest lattice vector yields a solution of
the subset sum problem [3]. SUBSETSUM also uses superior algorithms for
lattice basis reduction. Step 5 of the algorithm has already been used in
[22].
Algorithm SUBSETSUM
INPUT a1; : : :; an ; s 2 IN
1. Compute the basis (1), let bi = (bi;1; : : :; bi;n+2 ) for i = 1; : : :; n + 1.
2. Randomly permute b1; : : :; bn+1 so that the permuted basis starts with
the vectors bi satisfying bi;n+2 6= 0.
3. Reduce the basis b1; : : :; bn+1, using modications of
L3 FP (b1 ; : : :; bn+1; 0:99) or BKZ (b1 ; : : :; bn+1 ; 0:99; )
4. IF some vector (z1; : : :; zn+2 ) in the reduced basis satises (2) THEN
[OUTPUT xi = jzi ? zn+2 j = 2 for i = 1; : : :; n and stop ]
5. (reduce pairs of basis vectors)
Sort b1; : : :; bn+1 so that kb1k  kb2k 


 kbn+1 k
FOR j = 1; : : :; n FOR k = 1; : : :; j ? 1 DO
IF kbj  bk k < kbj k THEN [ bj := bj  bk ; F := true ]
IF F THEN [F := false, GOTO 5].
REPEAT steps 2 { 5 15{times.
M. Euchner has evaluated this algorithm as part of his master thesis. He
used the following reduction subroutines in Step 3:
1) L3 FP (b1 ; : : :; bn+1; 0:99),
2) L3 FP (b1 ; : : :; bn+1; 0:99) with deep insertions,
3) BKZ (b1 ; : : :; bn+1; 0:99; 10),
4) BKZ (b1 ; : : :; bn+1; 0:99; 20).
18
In order to optimize the program M. Euchner has added the following fea-
tures. He checks after each size{reduction whether the reduced vector bk
satises (2) and yields a solution. He incorporates the deep insertion rule
(b1; : : :; bk ) := (b1; : : :; bi?1; bk ; bi; : : :; bk?1)
P
for indices i  5 and arbitrary k. He assumes that ni=1 xi = n=2 holds
for the solution (x1 ; : : :; xn) and therefore extends the vectors bi in (1) by
adding the component bi;n+3 = n for i = 1; : : :; n and bn+1;n+3 = n2 =2.
Statistical evaluation of the algorithm Every row with rst entries
n; b in the following statistic corresponds to 20 random inputs for SUB-
SETSUM that are generated as follows. Pick random numbers a1 ; : : :; an
in thePinterval [1; 2b], pick a random subset I  f1; : : :; ng of size n=2, put
s = i2I ai . The numbers in columns suc1 ; #suc are the number of suc-
cesses in round 0 of steps 2 { 5 and the total number of successes in all
rounds for these 20 inputs. The number in column # rou gives the total
number of rounds of steps 2 { 5 for the 20 inputs. There is a minimum of
20 and a maximum of 16
20 = 320 rounds. The column hh : mm : ss
gives the average CPU{time per problem on a UNISYS 6000=70. The
times marked with * are on a SPARC 1+. On a SPARC 1+ computer our
programs are about 6 times faster.

19
 L3 F P ,  = 0:99 L3 F P ,  = 0:99, with deep insertions
n b suc1 #suc #rou hh:mm:ss suc1 #suc #rou hh:mm:ss
42 24 20 20 20 0:39 20 20 20 0:51
42 28 13 20 33 1:22 17 20 25 1:59
42 32 2 19 65 3:05 14 20 51 4:00
42 36 2 20 98 4:49 13 19 52 4:42
42 40 4 17 124 6:11 17 19 47 4:18
42 44 7 20 65 3:50 17 20 27 3:23
42 48 10 20 42 2:51 19 20 21 2:50
42 52 17 20 23 1:56 20 20 20 2:34
42 56 19 20 22 1:59 20 20 20 2:31
42 60 19 20 21 1:56 20 20 20 2:39
50 26 16 20 25 1:23 20 20 20 1:42
50 30 7 20 45 3:10 17 20 24 4:07
50 34 4 20 79 6:11 10 20 39 7:25
50 38 1 17 126 10:17 8 19 68 14:43
50 42 0 10 258 22:16 11 19 68 14:50
50 46 0 6 265 23:37 8 17 91 20:53
50 50 0 12 212 19:32 5 19 72 20:11
50 54 1 15 172 16:26 13 20 34 12:17
50 58 4 17 139 14:17 18 20 22 8:57
50 62 5 20 72 8:20 19 20 21 7:13
50 66 12 20 33 5:07 20 20 20 7:00
50 70 15 20 31 4:58 20 20 20 6:09
58 29 11 20 35 3:39 18 20 22 4:03
58 35 3 20 103 13:05 13 20 48 16:37
58 41 1 15 218 30:00 4 16 120 42:34
58 47 0 3 296 42:02 1 17 117 58:15
58 53 0 1 315 46:37 3 10 218 1:47:04
58 58 0 2 309 48:38 1 12 198 1:55:35
58 63 1 6 275 44:26 7 20 83 1:04:08
58 69 2 12 204 34:18 15 20 34 32:25
58 75 1 16 122 23:13 15 20 28 27:08
58 81 3 20 79 17:09 19 20 21 16:52
58 87 11 20 42 11:40 20 20 20 12:36
58 93 13 20 30 10:22 20 20 20 15:16

20
 L3FP;  = 0:99 L3FP;  = 0:99 with deep insertions
n b suc1 # suc # rou hh:mm:ss suc1 # suc # rou hh:mm:ss
66 18 20 20 20 1:11 20 20 20 1:34
66 26 19 20 21 2:03 20 20 20 2:58
66 34 5 20 50 9:05 12 20 33 15:53
66 42 1 16 210 44:01 3 19 124 1:10:43
66 50 0 0 320 10:14* 0 8 250 2:43:16
66 58 0 1 319 14:05* 0 4 291 4:55:39
66 66 0 0 320 11:03* 0 9 237 5:16:29
66 72 0 0 320 11:36* 1 19 125 3:45:28
66 80 0 2 315 1:23:50 9 20 69 2:35:15
66 88 1 13 203 58:18 10 20 46 2:15:07
66 96 0 16 173 51:44 17 20 23 57:32
66 104 3 17 144 46:17 20 20 20 25:51
66 112 11 20 39 20:29 20 20 20 33:36

21
 BKZ,  = 0:99;  = 10 BKZ,  = 0:99;  = 20
n b suc1 #suc #rou hh:mm:ss suc1 #suc #rou hh:mm:ss
42 24 20 20 20 0:40 20 20 20 0:40
42 28 20 20 20 1:49 18 20 22 2:28
42 32 17 20 39 4:52 20 20 20 2:58
42 36 11 18 59 8:53 15 19 45 7:27
42 40 15 20 31 5:50 18 20 30 7:05
42 44 14 20 41 8:02 19 20 25 4:46
42 48 19 20 21 2:38 20 20 20 2:40
42 52 20 20 20 2:07 20 20 20 2:19
42 56 20 20 20 2:02 20 20 20 2:05
42 60 20 20 20 2:03 20 20 20 2:07
50 26 19 20 21 2:30 20 20 20 2:11
50 30 19 20 22 3:32 20 20 20 4:25
50 34 15 20 26 7:55 18 20 22 7:54
50 38 4 19 73 19:20 17 20 25 15:24
50 42 8 19 74 25:22 14 19 53 30:51
50 46 4 11 200 58:33 10 20 77 48:15
50 50 8 20 48 25:09 16 19 41 26:28
50 54 14 20 46 18:04 19 20 22 16:57
50 58 17 20 26 10:48 20 20 20 12:28
50 62 19 20 23 9:10 20 20 20 8:45
50 66 20 20 20 7:12 20 20 20 7:11
50 70 20 20 20 6:19 20 20 20 5:53
58 29 19 20 21 4:23 20 20 20 5:45
58 35 16 20 25 9:35 17 20 26 18:38
58 41 3 18 111 50:58 10 20 34 48:20
58 47 0 14 213 1:38:43 10 17 89 16:31
58 53 0 8 242 2:06:24 6 15 130 31:49
58 58 9 16 105 2:10:52 2 16 155 3:45:43
58 63 11 19 68 1:44:42 15 20 35 1:14:38
58 69 16 20 27 49:25 19 20 21 42:52
58 75 20 20 20 19:57 20 20 20 28:39
58 81 19 20 21 23:02 20 20 20 16:55
58 87 20 20 20 12:52 20 20 20 12:05
58 93 20 20 20 15:40 20 20 20 11:30

22
 BKZ;  = 0:99;  = 10 BKZ;  = 0:99;  = 20
n b suc1 # suc # rou hh:mm:ss suc1 # suc # rou hh:mm:ss
66 18 20 20 20 0:12* 20 20 20 0:12*
66 26 20 20 20 0:31* 20 20 20 0:33*
66 34 16 20 25 1:55* 20 20 20 1:59*
66 42 2 17 92 8:32* 9 20 49 12:43*
66 50 1 6 269 24:07* 2 13 215 56:50*
66 58 0 1 310 30:05* 2 10 203 1:25:14*
66 66 0 0 320 35:43* 2 8 236 1:45:11*
66 72 3 10 209 27:40* 3 16 155 1:34:07*
66 80 10 20 69 4:55:40 17 20 39 5:37:05
66 88 13 20 42 3:13:48 18 20 22 1:13:37
66 96 19 20 21 1:39:04 20 20 20 54:01
66 104 20 20 20 26:30 20 20 20 31:54
66 112 20 20 20 34:26 20 20 20 26:45
The above statistic shows that L3 FP {reduction with deep insertions is
much stronger than straight L3FP {reduction. It is even stronger than
BKZ {reduction with block size 10 and nearly matches the performance
of BKZ {reduction with block size 20. The success rates of BKZ {reduction
improves greatly with increasing block size but the running time increases
as well.
Comparison with La Macchia's results. La Macchia [15] also used
the lattice basis (1) to solve subset sum problems. La Macchia minimizes
oating point errors in the L3 {reduction by using initially Seysen's reduction
algorithm. A comparison of La Macchia's and our success rates has to take
into account that La Macchia applies 5 independent randomizations to the
initial basis which increases the success rates by a factor between 1 and 5.
La Macchia's success rates for a single randomization of the initial basis are
consistently lower than ours for L3 FP . Our improved success rates are due
to the deep insertion rule that is used for indices i  5.
Block Korkin Zolotarev reduction with pruning. We can speed
up BKZ{reduction with large block size by pruning the enumeration tree
thatnis produced oby the procedure ENUM. For example we set t :=
min 1:05 k?k?t+1
j ; 1 and we replace in Step 2 of ENUM the predicate \IF

23
ct
e < cj " by \IF ect < tcj ". Note that t is rather small if t is close to k and
which is near 1 if t is close to j . Here are some performance data for solving
subset sum problems using this pruned variant of block Korkine Zolotarev
reduction. This algorithm improves the success rates of BKZ{reduction with
block size 20 as is shown by the rst block of the table. For dimension 106
we have reduced the number of problems per row. This number is given in
the last column.
 
BKZ;  = 0:99,  = 50, t = min 1:05 k?k?t+1
j ;1
n b suc1 # suc # rou hh : mm : ss # problems
per row
66 26 20 20 20 0:36* 20
66 34 20 20 20 3:54* 20
66 42 20 20 20 15:55* 20
66 50 10 19 78 1:30:19* 20
66 58 9 14 119 3:40:26* 20
66 66 10 19 70 3:05:43* 20
66 72 18 20 26 1:18:22* 20
66 80 20 20 20 38:10* 20
66 88 20 20 20 36:09* 20
66 96 20 20 20 28:40* 20
72 106 20 20 20 1:11:34* 20
72 118 20 20 20 1:19:14* 20
72 130 20 20 20 1:02:20* 20
82 134 20 20 20 1:25:20* 20
82 146 20 20 20 1:34:46* 20
82 158 20 20 20 1:23:02* 20
106 180 5 5 5 19:15:55* 5
106 210 10 10 10 7:30:27* 10
106 240 10 10 10 3:14:50* 10
106 270 10 10 10 2:49:52* 10
106 300 10 10 10 3:53:18* 10

Acknowledgement The rst author likes to thank the students of his

class in summer 1990 for evaluating early versions of the present algorithms
for lattice basis reduction and for evaluating early versions of the lattice
basis (1). He also wishes to thank SIEMENS/NIXDORF and the Frankfurt
24
department of Computer Science for their support.

References
[1] E.F. Brickell: Solving low density knapsacks. Advances in Cryp-
tology, Proceedings of CRYPTO'83, Plenum Press, New York (1984),
25{37.
[2] B. Chor and R. Rivest: A knapsack{type public key cryptosystem
based on arithmetic in nite elds. IEEE Trans. Information Theory
IT{34 (1988), 901{909.
[3] M.J. Coster, A. Joux, B.A. LaMacchia, A.M. Odlyzko, C.P.
Schnorr and J. Stern: An improved low{density subset sum algo-
rithm. computational complexity 2, (1992), 97{186.
[4] P. van Emde Boas: Another NP{complete partition problem and the
complexity of computing short vectors in a lattice. Rept. 81{04, Dept.
of Mathematics, Univ. of Amsterdam, 1981.
[5] M. Euchner: Praktische Algorithmen zur Gitterreduktion und Fak-
torisierung. Diplomarbeit Uni. Frankfurt (1991).
[6] A. M. Frieze: On the Lagarias{Odlyzko algorithm for the subset sum
problem. SIAM J. Comput. 15 (2) (1986), 536{539.
[7] M. R. Garey and D. S. Johnson: Computers and Intractability: A
Guide to the Theory of NP{Completeness. W. H. Freeman and Com-
pany (1979).
[8] J. Hastad, B. Just, J. C. Lagarias and C. P. Schnorr: Polyno-
mial time algorithms for nding integer relations among real numbers.
SIAM J. Comput. 18 (5) (October 1989), 859{881.
[9] C. Hermite: Extraits de lettres de M. Ch. Hermite a M. Jacobi sur
dierents objects de la theorie des nombres. Deuxieme lettre du 6 ao^ut
1845. J. Reine Angew. Math. 40 (1850), 279{290.
[10] A. Joux and J. Stern: Improving the critical density of the Lagarias{
Odlyzko attack against subset sum problems. Proceedings of Funda-
mentals of Computation Theory, FCT'91, Ed. L. Budach, Springer
LNCS 529 (1991), pp. 258{264.
25
[11] R. Kannan: Minkowski's Convex Body Theory and Integer Program-
ming. Math. Oper. Res. 12 (1987), 415{440.
[12] A. Korkine and G. Zolotareff: Sur les formes quadratiques. Math.
Ann. 6 (1873), 366{389.
[13] J.C. Lagarias, H.W. Lenstra, Jr. and C.P. Schnorr: Korkin{
Zolotarev Bases and Successive Minima of a Lattice and its Reciprocal
Lattice. Combinatorica 10 (1990), pp. 333{348.
[14] J. C. Lagarias and A. M. Odlyzko: Solving low{density subset sum
problems. J. Assoc. Comp. Mach. 32(1) (1985), 229{246.
[15] B. A. LaMacchia: Basis Reduction Algorithms and Subset Sum
Problems. SM Thesis, Dept. of Elect. Eng. and Comp. Sci., Mas-
sachusetts Institute of Technology, Cambridge, MA (1991). In prepara-
tion.
[16] H. W. Lenstra, Jr.: Integer programming with a xed number of
variables. Math. Oper. Res. 8 (1983), pp. 538{548.
[17] A.K. Lenstra, H.W. Lenstra, and L. Lova sz: Factoring polyno-
mials with rational coecients. Math. Ann. 261 (1982), 515{534.
[18] L. Lova sz: An algorithmic theory of numbers, graphs and convexity.
SIAM Publications, Philadelphia (1986).
[19] L. Lova sz and H. Scarf: The generalized basis reduction algorithm.
Math. Oper. Res. (1992).
[20] A. M. Odlyzko: The rise and fall of knapsack cryptosystems. Cryp-
tology and Computational Number Theory, C. Pomerance, ed., Am.
Math. Soc., Proc. Symp. Appl. Math. 42 (1990), 75{88.
[21] A. Paz and C. P. Schnorr: Approximating integer lattices by lattices
with cyclic factor groups. Automata, Languages, and Programming:
14th ICALP, Lecture Notes in Computer Science 267, Springer{Verlag,
NY (1987), 386{393.
[22] S. Radziszowski and D. Kreher: Solving subset sum problems with
the L3 algorithm. J. Combin. Math. Combin. Comput. 3 (1988), 49{63.
[23] C. P. Schnorr: A hierarchy of polynomial time lattice basis reduction
algorithms. Theoretical Computer Science 53 (1987), 201{224.
26
 [24] C. P. Schnorr: A more ecient algorithm for lattice basis reduction.
J. Algorithms 9 (1988), 47{62.
[25] C. P. Schnorr: Factoring integers and computing discrete loga-
rithms via diophantine approximation. Proceedings EUROCRYPT'91,
Brighton, May 1991, Springer LNCS 547 (1991), pp. 281{293.
[26] C. P. Schnorr and M. Euchner: Lattice basis reduction: improved
algorithms and solving subset sum problems. Proceedings of Fundamen-
tals of Computation Theory, FCT'91, Ed. L. Budach, Springer LNCS
529, (1991), pp. 68{85.
[27] M. Seysen: Simultaneous reduction of a lattice basis and its reciprocal
basis. To appear in Combinatorica.

27

View publication stats