Scribd
Upload
51 views15 pages

The LLL Algorithm For Lattices: Gebraic Number Theory, Springer, 1993

This document provides an overview of the LLL Algorithm and related algorithms for working with lattices. It defines key terms like lattices, bases, and reduced bases. It then summarizes the LLL Algorithm and how it uses Gram-Schmidt orthogonalization to find a reduced basis for a lattice in polynomial time. It also briefly mentions related algorithms like the MLLL Algorithm and Fincke-Pohst Algorithm.

Uploaded by

omertopuz
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
51 views15 pages

The LLL Algorithm For Lattices: Gebraic Number Theory, Springer, 1993

This document provides an overview of the LLL Algorithm and related algorithms for working with lattices. It defines key terms like lattices, bases, and reduced bases. It then summarizes the LLL Algorithm and how it uses Gram-Schmidt orthogonalization to find a reduced basis for a lattice in polynomial time. It also briefly mentions related algorithms like the MLLL Algorithm and Fincke-Pohst Algorithm.

Uploaded by

omertopuz
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 15

The LLL Algorithm for Lattices

G. Eric Moorhouse, UW Math

References

Henri Cohen, A Course in Computational Al-


gebraic Number Theory, Springer, 1993.

A.J. Menezes et al., Handbook of Applied Cryp-


tography, CRC Press, 1997.

A.K. Lenstra, H.W. Lenstra and L. Lovász,


‘Factoring polynomials with rational coeffi-
cients’, Math. Ann. 261 (1982), 515–534.

M. Pohst, ‘A modification of the LLL-algorithm’,


J. Symb. Comp. 4 (1987), 123–128.
Definitions

A lattice L is a pair (Zn, Q) where

Q : Zn → R
is a positive definite quadratic form, i.e. Q(x) =
x>Ax where the real n × n matrix A is sym-
metric positive definite. We call A a Gram
matrix of L.

Two lattices (Zn, Q), (Zn, Q0) are isometric if


there exists a unimodular integer transfor-
mation M ∈ GL(n, Z) (i.e. M and M −1 have
integer entries) such that

Q0(x) = Q(M x) for all x ∈ Zn;


equivalently, A0 = M>AM .
Every lattice L = (Zn, Q) is isometric to a
subset of Rm (for each m ≥ n) using the stan-
dard real inner product h , i. This gives an
alternative definition of a lattice:

A lattice L is a discrete additive subgroup


of Rm; that is, L is the Z-span of a linearly
independent subset of Rm:

L = Z b1 + Z b2 + · · · + Z bn
with the quadratic form Q(x) = hx, xi for x ∈
L. (Note: n ≤ m.) The vectors b1, b2, . . . , bn
are a basis for L, and A = [hbi, bj i]1≤i,j≤n is
the corresponding Gram matrix.

Two linearly independent sets of vectors gen-


erate the same lattice iff they are related by
a unimodular integer transformation on Rm.
Two Gram matrices represent isometric lat-
tices iff they are integrally congruent: A0 =
M>AM for some M ∈ GL(n, Z).
Reduced Bases

The lattice L ⊂ R2 with basis


 10   24 
b1 = , b2 =
14 33
and Gram matrix
" #
296 702
A=
702 1665

has reduced basis


2
0
b1 = −7b1+3b2 = ,
1
 −2 
0
b2 = 19b1−8b2 =
2
and Gram matrix
" #
5 −2
A0 = M>AM =
−2 8
h i
−7 19
where M = 3 −8 .

The technical definition of “reduced” later. . .


Important Algorithms

LLL Algorithm—Given a lattice L by way of


a basis b1, b2, . . . , bn for L ⊂ Rm, we find (in
polynomial time) a “reduced” basis b01, b02, . . . , b0n
for L in Rm.

Or given a Gram matrix A for L, we find (in


polynomial time) the Gram matrix A0 for L
with respect to a reduced basis.

In both cases, the unimodular integer matrix


M is also determined.

Often the shortest lattice vectors in L are


among the basis vectors found by LLL.

If A has integer entries, all computations can


be done exactly in Z using arbitrary precision
integer arithmetic.
MLLL Algorithm—Modified LLL algorithm
due to M. Pohst (1987). We are given an
m × n real matrix W whose columns generate
a lattice L ⊂ Rm. (The columns need not be
linearly independent.) We find (in polynomial
time) a reduced basis for L, and a (reduced)
basis for the kernel of the map W : Zn → Zm.

Or given the positive semidefinite Gram ma-


trix of a set of vectors b1, b2, . . . , bn ∈ Rm gen-
erating a lattice L, we find a reduced basis
for L (expressed as linear combinations of the
bi’s), and a reduced basis for the lattice of
relations
n
X
n
{(r1 , r2 , . . . , rn) ∈ Z : ribi = 0}.
i=1

A pure integer version exists.


Fincke-Pohst Algorithm—Given a lattice L =
(Zn, Q) and a constant C > 0, find all x ∈ Zn
such that Q(x) < C. The algorithm runs in
exponential time but works in many practical
situations. It makes use of LLL as a subalgo-
rithm.

The best way to determine with certainty the


shortest nonzero vectors in L is to let C be the
norm of the shortest basis vector in a reduced
basis (found using LLL); then to use Fincke-
Pohst to search for smaller vectors in L, if
any.
Determinants of Lattices

The determinant of L is
q
d(L) = det(A)
where A is a Gram matrix for L. Or equiva-
lently (if L ⊂ Rn has rank n), d(L) = |det(B)|
where B is an n × n matrix whose columns
form a basis b1, b2, . . . , bn for L.

Hadamard’s Inequality

Qn
d(L) ≤ j=1 ||bj ||, and equality holds iff the
bj ’s are orthogonal.

Q
A “reduced” basis should have n j=1 ||bj || rather
small; equivalently, the bj ’s should be close to
orthogonal.
Gram-Schmidt Process

We have

0 ⊂ L1 ⊂ L2 ⊂ · · · ⊂ L n = L
where

Lj = Z b 1 + Z b 2 + · · · + Z b j .
The orthogonal projection of bj onto L⊥
j−1 is
found recursively to be
X
b∗j = bj − µj,k b∗k
1≤k<j
where
bj · b∗k
µj,k = ∗ ∗.
bk · bk

Then {b∗1, b∗2, . . . , b∗n} is an orthogonal (not


necessarily orthonormal) basis of RL = R ⊗Z L.

Qn ∗
Note that d(L) = j=1 ||bj ||.
Definition of Reduced Basis

A basis {b1, b2, . . . , bn} for L is reduced if

(i) |µj,k | ≤ 1
2 for 1 ≤ j < k ≤ n, and

(ii) ||b∗j ||2 ≥ ( 3


4 − µ 2
j,j−1 ) || b ∗ ||2 for 1 < j ≤ n.
j−1

The latter inequality is equivalent to

(ii)’ ||b∗j + µj,j−1b∗j−1||2 ≥ 3 ||


4 j−1b ∗ ||2
| {z } | {z }
projL⊥ (bj ) projL⊥ (bj−1 )
j−2 j−2

Theorem. A reduced basis satisfies


n
Y
d(L) ≤ ||bj || ≤ 2n(n−1)/4d(L);
j=1

||b1|| ≤ 2(n−1)/2||x|| for all nonzero x ∈ L;

||b1|| ≤ 2(n−1)/4d(L).
LLL Algorithm

Input a basis b1, b2, . . . , bn for L. The fol-


lowing procedure replaces these vectors by a
reduced basis.

1. Set j = 1.

2. For each k = 1, 2, 3, . . . , j−1, if |µj,k | > 1


2,
replace bj by bj − r bk where r ∈ Z is chosen
so that
0 (bj − r bk ) · b∗k
µj,k = ∗ ∗ = µj,k − r ∈ [−0.5, 0.5].
bk · bk

3. If the Lovász condition (ii) is satisfied,


increment k by one and go to Step 2 (unless
k = n, in which case we are done).

Otherwise interchange bk−1 with bk , decrease


k by 1 and go to Step 2.
Why the Algorithm Terminates

Qn Qj
Let D = j=1 d(Lj ) where d(Lj ) = k=1 ||b∗k ||2.

The value of D changes only in Step 3, where

Lj changes only for j = k−1;

d(Lk−1 ) is replaced by
d(L0k−1 ) ≤ ( 3
4 ) 1/2d(L
k−1 ); and

D is replaced by D 0 ≤ ( 3
4 ) 1/2D.

1/2
Since d(Lk−1 ) ≥ (||x||/γk−1)k−1 where γk−1 is
Hermite’s constant (the maximum of min{||v|| :
0 6= v ∈ Λ} for all lattices Λ of rank k−1 and
determinant 1) and x is a shortest nonzero
vector in L, step 3 can be executed only a
finite number of times.

More careful analysis shows that the running


time is O(n6(log M )3) where M = max ||bi||2.
Implementations of LLL

1. MAPLE V Release 5. LLL only (no


MLLL or Fincke-Pohst). Very accessible. But
doesn’t use Gram matrices; requires an ex-
plicit list of generators.

2. Keith Matthews’ CALC. LLL, MLLL,


Fincke-Pohst and lots more number-theoretical
algorithms. Unsophisticated, quite accessible
and easily installed. Freely available at
http://www.maths.uq.edu.au/~krm/

3. LiDIA. The most comprehensive, but tricky


to install. LLL, MLLL, Fincke-Pohst but doesn’t
work with Gram matrices; needs an explicit
list of vectors. Freely available from Darm-
stadt at
http://www.informatik.tu-darmstadt.de
/TI/LiDIA/
4. Pate Williams has programmed many
of the algorithms in Cohen’s book, including
LLL (no MLLL or Fincke-Pohst).
http://www.mindspring.com/~pate/

He uses Arjen Lenstra’s LIP code for large


integer arithmetic in C, which is hard to read;
e.g. c=a+b; is written as
zmul(a,b,&c);

5. I have written my own code for LLL and


Fincke-Pohst in C++ using Owen Astrachan’s
code (1996) for arbitrary precision integer arith-
metic. This came out a little before LIP.
His bigint.h and bigint.cc are widely avail-
able over the WWW. This allows us to use +,
*, /, % etc. in class BigInt.
Kreher’s Komputations

Let G be a permutation group of degree v,


and let Atk be the ‘incidence matrix’ of G-
orbits on t-subsets of points, versus G-orbits
on k-subsets of points.

(The (O, O 0)-entry of Atk equals the number


of B ∈ O 0 containing a fixed A ∈ O.)

G-invariant t-(v, k, λ) designs are equivalent to


(0, 1)-solutions of

At,k x = λ1
which can be solved using LLL or MLLL.

This led Kreher et al. to discover many new


designs.

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy