Analyzing Blockwise Lattice Algorithms using Dynamical Systems

Transcription

1 Analyzng Blockwse Lattce Algorthms usng Dynamcal Systems Gullaume Hanrot, Xaver Pujol, and Damen Stehlé Laboratore LIP (U Lyon, CNRS, ENS Lyon, INRIA, UCBL), 46 Allée d Itale, Lyon Cedex 07, France gullaumehanrot,xaverpujol,damenstehle@ens-lyonfr n Abstract Strong lattce reducton s the key element for most attacks aganst lattce-based cryptosystems Between the strongest but mpractcal HKZ reducton and the weak but fast LLL reducton, there have been several attempts to fnd effcent trade-offs Among them, the BKZ algorthm ntroduced by Schnorr and Euchner [FCT 9] seems to acheve the best tme/qualty compromse n practce However, no reasonable complexty upper bound s known for BKZ, and Gama and Nguyen [Eurocrypt 08] observed expermentally that ts practcal runtme seems to grow exponentally wth the lattce dmenson In ths work, we show that BKZ can be termnated long before ts completon, whle stll provdng bases of excellent qualty More precsely, we show that f gven as nputs a bass (b ) n Q n n of a lattce L and a block-sze, and f termnated after n Ω 3 (log n + log log max b ) calls to a -dmensonal HKZ-reducton (or SVP) subroutne, then BKZ re- ( ) turns a bass whose frst vector has norm ν + 3 (det L) n, where ν s the maxmum of Hermte s constants n dmensons To obtan ths result, we develop a completely new elementary technque based on dscrete-tme affne dynamcal systems, whch could lead to the desgn of mproved lattce reducton algorthms Keywords Eucldean lattces, BKZ, lattce-based cryptanalyss Introducton A (full-rank) n-dmensonal lattce L R n s the set of nteger lnear combnatons n x b of some lnearly ndependent vectors (b ) n Such vectors are called a bass and we wrte L L[(b ) ] Snce L s dscrete, t contans a shortest non-zero lattce vector, whose norm λ (L) s called the lattce mnmum Computng such a vector gven a bass s referred to as the (computatonal) Shortest Vector Problem (SVP), and s NP-hard under randomzed reductons [,] The complextes of the best known SVP solvers are no less than exponental [,3,,5] (the record s held by the algorthm from [], wth complexty n+o(n) Poly(log max b )) Fndng a vector reachng λ (L) s polynomal-tme equvalent to computng a bass of L that s reduced n the sense of Hermte-Korkne-Zolotarev (HKZ) The aforementoned SVP solvers can all be used to compute HKZ-reduced bases, n exponental tme On the other hand, bases reduced n the sense of Lenstra-Lenstra-Lovász (LLL) can be computed n polynomal tme [6], but the frst vector s only guaranteed to satsfy the weaker nequalty b (4/3 + ε) n λ (L) (for an arbtrary ε > 0) In 987, Schnorr ntroduced tme/qualty trade-offs between LLL and HKZ [33] In the present work, we propose the frst analyss of the BKZ algorthm [36,37], whch s currently the most practcal such trade-off [40,9] Lattce reducton s a popular tool n cryptanalyss [7] For many applcatons, such as Coppersmth s method for computng the small roots of polynomals [5], LLL-reducton suffces However, reductons of much hgher qualty seem requred to break lattce-based cryptosystems Lattce-based cryptography orgnated wth Ajta s semnal hash functon [], and the GGH and NTRU encrypton schemes [0,4] Thanks to ts excellent asymptotc performance, provable securty guarantees, and flexblty, t s currently attractng wde nterest and developng at a steady pace We refer to [,3] for recent surveys A major obstacle to the real-lfe deployment of lattce-based cryptography s the lack of a precse understandng of the lmts of the best practcal attacks, whose man component s the computaton of strongly reduced lattce bases Ths prevents from havng a precse correspondence between specfc securty levels and practcal parameters Our work s a step towards a clearer understandng of BKZ, and thus of the best known attacks Strong lattce reducton has been studed for about 5 years (see among others [33,37,34,7,3,9,8]) From a theoretcal perspectve, the best known tme/qualty trade-off s due to Gama and Nguyen [8] By buldng upon the proof of Mordell s nequalty on Hermte s constant, they devsed the noton of slde reducton, and

2 proposed an algorthm computng slde-reduced bases: Gven an arbtrary bass B (b ) n of a lattce L, the slde-reducton algorthm fnds a bass (c ) n of L such that c (( + ε)γ ) n λ (L), () ( ) wthn τ slde : O n 4 ε log max b calls to a -dmensonal HKZ-reducton algorthm and a - dmensonal (computatonal-)svp solver, where γ s the -dmensonal Hermte constant If L Q n, the overall cost of the slde-reducton algorthm s Poly(n, sze(b)) C HKZ (), where C HKZ () O() s the cost of HKZ-reducng n dmenson The hgher, the lower the acheved SVP approxmaton factor, but the hgher the runtme Slde reducton also provdes a constructve varant of Mnkowsk s nequalty, as (lettng det L denote vol(r n /L)): c (( + ε)γ ) n ( ) (det L) n, () From a practcal perspectve, however, slde reducton seems to be (sgnfcantly) outperformed by the BKZ algorthm [9] BKZ also reles on a -dmensonal HKZ-reducton algorthm (resp SVP-solver) The worst-case qualty of the bases t returns has been studed n [34] and s comparable to that of the slde reducton algorthm The frst vector of the output bass (c ) n satsfes c (( + ε)γ ) n λ (L) Note that ths bound essentally concdes wth (), except for large values of A bound smlar to that of () also holds In practce, the qualty of the computed bases seems much hgher wth BKZ than wth the slde-reducton algorthm [9] Wth respect to run-tme, no reasonable bound s known on the number of calls to the -dmensonal HKZ reducton algorthm t needs to make before termnaton 3 In practce, ths number of calls does not seem to be polynomally bounded [9] and actually becomes huge when 5 Because of ts large (and somewhat unpredctable) runtme, t s folklore practce to termnate BKZ before the end of ts executon, when the soluton of the problem for whch t s used for s already provded by the current bass [38,4] Our result We show that f termnated wthn polynomally many calls to HKZ/SVP, a slghtly modfed verson of BKZ (see Secton 3) returns bases whose frst vectors satsfy a slghtly weaker varant of () Theorem There exsts 4 C > 0 such that the followng holds for all n and Let B (b ) n be a bass of a lattce L, gven ( as nput to the modfed BKZ ) algorthm of Secton 3 wth block-sze If termnated after τ BKZ : C n3 b log n + log log max calls to an HKZ-reducton (or SVP solver) n dmenson, (det L) /n the output (c ) n s a bass of L that satsfes (wth ν defned as the maxmum of Hermte s constants n dmensons ): n ( ) c (ν ) + 3 (det L) n If L Q n, then the overall cost s Poly(n, sze(b)) C HKZ () By usng [8, p 5], ths provdes an algorthm wth runtme bounded by Poly(n, sze(b)) C HKZ () that returns a bass whose frst vector satsfes c 4(ν ) +3 λ (L), whch s only slghtly worse than () These results ndcate that BKZ can be used to acheve essentally the same qualty guarantees as slde reducton, wthn a number of calls to HKZ n dmenson that s no larger than that of slde reducton Actually, note that τ BKZ s sgnfcantly smaller than τ slde, n partcular wth a dependence wth The component n4 n of ths upper bound s derved by adaptng the results from [8] to our notatons A more thorough analyss leads to a smaller term In [9], the bound c (γ ) n ( ) + (det L) n s clamed to hold, but wthout proof nor reference We prove a (slghtly) weaker bound, but we are able to mprove t f γ n s replaced by any lnear functon See appendx 3 A bound (n) n s mentoned n [9] For completeness, we gve a proof of a smlar result n appendx 4 The constant C s used to absorb lower-order terms n n, and could be taken small

3 respect to max b that s exponentally smaller It may be possble to obtan a smlar bound for the slde-reducton algorthm by adaptng our analyss To acheve our result, we use a completely new approach for analyzng lattce reducton algorthms The classcal approach to bound ther runtmes was to ntroduce a quantty, sometmes called potental, nvolvng the current Gram-Schmdt norms b, whch always strctly decreases every tme some elementary step s performed Ths technque was ntroduced by Lenstra, Lenstra and Lovász [6] for analyzng ther LLL algorthm, and s stll used n all complexty analyzes of (varants of) LLL we are aware of It was later adapted to stronger lattce reducton algorthms [33,7,3,8] We stll measure progress wth the b s, but nstead of consderng a sngle scalar combnng them all, we look at the full vector ( b ) More specfcally, we observe that each call to HKZ wthn BKZ has the effect of applyng an affne transformaton to the vector (log b ) : nstead of provdng a lower bound to the progress made on a potental, we are then led to analyze a dscrete-tme dynamcal affne system Its fxed-ponts encode nformaton on the output qualty of BKZ, whereas ts speed of convergence provdes an upper bound on the number of tmes BKZ calls HKZ Intutvely, the effect of a call to HKZ on the vector (log b ) n s to essentally replace consecutve coeffcents by ther average We formalze ths ntuton by makng a specfc assumpton (see Secton 4) Under ths assumpton, the executon of BKZ exactly matches wth a dynamcal system that we explct and fully analyze However, we cannot prove that ths assumpton s always correct (counter-examples can actually be constructed) To crcumvent ths dffculty, we nstead consder the vector µ ( j log b j ) n Ths amortzaton (also used n [] for analyzng HKZ-reduced bases) allows us to rgorously bound the evoluton of µ by the orbt of a vector under another dynamcal system Snce ths new dynamcal system happens to be a modfcaton of the dynamcal system used n the dealzed model, the analyss performed for the dealzed model can be adapted to the rgorous set-up Ths approach s lkely to prove useful for analyzng other lattce reducton algorthms As an llustraton of ts power, we provde two new results on LLL Frst, we show that the SVP approxmaton factor 4/3 n can be reached n polynomal tme usng only Gauss reductons Ths s closely related to the queston whether the optmal LLL (e, usng LLL parameter δ ) termnates n polynomal tme [3,7] Second, we gve a LLL-reducton algorthm of bt-complexty Poly(n) Õ(sze(B)) Such a complexty bound was only very recently acheved, wth a completely dfferent approach [9] Note that close-by results on LLL have been concurrently and ndependently obtaned by Schnorr [35] Practcal aspects Our result s a (possbly pessmstc) worst-case qualty bound on BKZ wth early termnaton In tself, ths does not gve a precse explanaton of the practcal behavor of BKZ In partcular, t does not explan why t outperforms slde reducton, but only why t does not behave sgnfcantly worse However, ths study llustrates the usefulness of early termnaton n BKZ: Much progress s done at the begnnng of the executon, and quckly the bass qualty becomes excellent; the rest of the executon takes much longer, for a sgnfcantly less dramatc qualty mprovement Ths behavor s very clear n practce, as llustrated by Fgure of Secton Snce most of the work performed by BKZ s completed wthn the frst few calls to HKZ, t shows that the BKZ performance extrapolatons used to estmate the hardness of cryptographc nstances should focus only on the cost of a sngle call to HKZ and on the acheved bass qualty after a few such calls For nstance, t ndcates that the strategy (adopted, eg, n [4,3]) consstng n measurng the full run-tme of BKZ mght be reconsdered Addtonally, parts of the analyss mght prove useful to better understand BKZ and devse reducton algorthms wth mproved practcal tme/qualty trade-offs In partcular, the heurstc modelsaton of BKZ as a dscrete-tme affne dynamcal system suggests that the block of vectors on whch HKZ-reducton s to be appled could be chosen adaptvely, so that the system converges faster to ts lmt It would not mprove the output qualty for BKZ, but t s lkely to accelerate ts convergence Also, the second phase of BKZ, the one that takes longer but durng whch some lttle progress s stll made, could be understood by ntroducng some randomness n the model: most of the tme, the norm of the frst vector found by the HKZ-reducton sub-routne s around ts expected value (a constant factor smaller than ts worst-case 3

4 bound), but t s sgnfcantly smaller every now and then If such a model could predct the behavor of BKZ durng ts second phase, then maybe t would explan why t outperforms slde reducton It mght gve ndcatons on the optmal tme for stoppng BKZ wth block-sze before swtchng to a larger block-sze Notatons All vectors wll be denoted n bold, and matrces n captal letters If b R n, the notaton b wll refer to ts Eucldean norm If B R n n, we defne B max x B x and we denote the spectral radus of B by ρ(b) If B s a ratonal matrx, we defne sze(b) as the sum of the bt-szes of the numerators and denomnators of ts entres All complexty statements refer to elementary operatons on bts We wll use the Landau notatons o( ), O( ), Õ( ) and Ω( ) The notatons log( ) and ln( ) respectvely stand for the base and natural logarthms Remnders For an ntroducton to lattce reducton algorthms, we refer to [8] Successve Mnma Let L be an n-dmensonal lattce Its -th mnmum λ (L) s defned as the mnmal radus r such that B(0, r) contans lnearly ndependent vectors of L Hermte s constant The n-dmensonal Hermte constant γ n s defned as the maxmum taken over all λ lattces L of dmenson n of the quantty (L) Let ν (det L) / dm(l) n max k n γ k, an upper bound on γ n whch ncreases wth n Very few values of ν n are known, but we have ν n + n 4 for all n (see [0, Re 75]) Gram-Schmdt orthogonalsaton Let (b ) n be a lattce bass Its Gram-Schmdt orthogonalzaton (b ) n s defned recursvely by b b j< µ,jb j wth µ,j (b, b j )/ b j for > j The b s are mutually orthogonal For j, we defne b () j as the projecton of b j orthogonally to Span(b k ) k< Note that f L s an n-dmensonal lattce, then det L n b, for any bass (b ) n of L A few notons of reducton Gven a bass (b ) n, we say that t s sze-reduced f the Gram-Schmdt coeffcents µ,j satsfy µ,j / for all j < n We say that (b ) n s δ-lll-reduced for δ f t s sze-reduced and the Lovász condtons δ b b + + µ +, b are satsfed for all < n For any δ <, a δ-lll-reduced bass of a ratonal lattce L can be computed n polynomal tme, gven an arbtrary bass of L as nput [6] We say that (b ) n s HKZ-reduced f t s sze-reduced and for all < n, we have b λ (L[(b () j ) j n]) An HKZ-reduced bass of a lattce L Q n can be computed n tme n+o(n) Poly(sze(B)), gven an arbtrary bass B of L as nput [] The followng s a drect consequence of the defntons of the HKZ-reducton and Hermte constant Lemma For any HKZ-reduced bass (b ) n, we have: < n, b ν n + ( n j b j ) n + The BKZ algorthm We recall the orgnal BKZ algorthm from [37] n Algorthm BKZ was orgnally proposed as a mean of computng bases that are almost -reduced -Reducton was proposed by Schnorr n [33], but wthout an algorthm for achevng t The BKZ algorthm proceeds by teratng tours consstng of n calls to a -dmensonal SVP solver called on the lattces L[(b (k) ) k k+ ] Its executon stops when no change occurs durng a tour Input : A (LLL-reduced) bass (b ) n, a blocksze and a constant δ < Output : A bass of L[(b ) n ] repeat for k to n do Fnd b such that b (k) λ (L[(b (k) ) k mn(k+,n) ]); f δ b k > b then LLL-reduce(b,, b k, b, b k,, b mn(k+,n) ) else LLL-reduce(b,, b mn(k+,n) ) untl no change occurs Algorthm : The Schnorr and Euchner BKZ algorthm 4

5 3 Termnatng BKZ In ths artcle, we wll not analyze the orgnal BKZ algorthm, but we wll focus on a slghtly modfed varant nstead, whch s gven n Algorthm It also performs BKZ tours, and durng a tour t makes n + calls to a -dmensonal HKZ-reducton algorthm It fts more closely to what would be the smplest BKZ-style algorthm, amng at producng a bass (b ) n such that the projected bass (b (k) ) k k+ s HKZ-reduced for all k n + Dfferences between the two varants of BKZ The dfferences between the two algorthms are the followng: In Algorthm, the executon can be termnated at the end of any BKZ tour In the classcal BKZ algorthm, the vector b found by the SVP solver s kept only f b (k) s smaller than δ b k Such a factor δ < does not appear n Algorthm It s unnecessary for our analyss to hold, complcates the algorthm, and leads to output bases of lesser qualty For each k wthn a tour, Algorthm only requres an SVP solver whle Algorthm calls an HKZreducton algorthm, whch s more complex We use HKZ-reductons for the ease of the analyss Our analyss would stll hold f the loop was done for k from to n and f the HKZ-reductons were replaced by calls to any algorthm that returns bases whose frst vector reaches the mnmum (whch can be obtaned by callng any SVP solver, puttng the output vector n front of the nput bass and callng LLL to remove the lnear dependency) Fnally, to nsert b n the current bass, Algorthm performs an LLL-reducton Indeed, applyng LLL nsde the projected block (e, to b (k), b (k) k,, b(k) k+ ) would be suffcent to remove the lnear dependency whle keepng b (k) n frst poston, but nstead t runs LLL from the begnnng of the bass untl the end of the next block to be consdered (e, up to ndex mn(k +, n) Ths reducton s performed even f the block s already reduced and no vector s nserted Expermentally, ths seems to mprove the speed of convergence of the algorthm by a small factor, but t does not seem easy to use our technques to analyze ths effect Input : A bass (b ) n and a blocksze Output : A bass of L[(b ) n ] repeat for k to n + do Modfy (b ) k k+ so that (b (k) ) k k+ s HKZ-reduced; Sze-reduce(b,, b n) untl no change occurs or termnaton s requested Algorthm : BKZ, the modfed BKZ algorthm On the practcal behavor of BKZ In order to gve an nsght on the practcal behavor of BKZ and BKZ, we gve expermental results on the evoluton of the quantty (the so-called Hermte b (det L) /n factor) durng ther executons The experment correspondng to Fgure s as follows: We generated 64 knapsack-lke bases [5] of dmenson n 08, wth non-trval entres of bt-length 00n; Each was LLLreduced usng fplll [4] (wth parameters δ 099 and η 05); Then for each we ran NTL s BKZ [40] and an mplementaton of BKZ n NTL, wth blocksze 4 Fgure only shows the begnnng of the executons For both algorthms, the executons of about half the samples conssted n 600 tours, whereas the longest executon stopped after 00 tours The average value of was 0 b (det L) /n at the end of the executons Cost of BKZ In order to bound the bt-complextes of BKZ and BKZ, t s classcal to consder several cost components separately In ths artcle, we wll focus on the number of tours The number of calls to an SVP solver (for BKZ) or an HKZ-reducton algorthm (n the case of BKZ ) s n tmes larger A tour conssts of effcent operatons (LLL, sze-reductons, etc) and of the more costly calls to SVP/BKZ The cost of the SVP solver or the HKZ-reducton algorthm s often bounded n terms of the number of 5

6 0 0 Qualty of BKZ output BKZ BKZ Hermte factor Number of tours Fg Evoluton of the Hermte factor b (det L) /n durng the executon of BKZ and BKZ arthmetc operatons t performs: For all known algorthms, ths quantty s (at least) exponental n the block-sze Fnally, one should also take nto account the bt-costs of the arthmetc operatons performed to prepare the calls to SVP/HKZ, durng these calls, and after these calls (when applyng the computed transforms to the bass, and callng LLL or a sze-reducton) These arthmetc costs are classcally bounded by consderng the bt-szes of the quanttes nvolved They can easly be shown to be polynomal n the nput bt-sze, by relyng on ratonal arthmetc and usng standard tools from the analyses of LLL and HKZ [6,5] It s lkely that these costs can be lowered further by relyng on floatng-pont approxmatons to these ratonal numbers, usng the technques from [6,30] To conclude, the overall cost s upper bounded by Poly(n, log B ) O() τ, where τ s the number of tours 4 Analyss of BKZ n the Sandple Model In ths secton, we (rgorously) analyze a heurstc model of BKZ In the followng secton, we wll show how ths analyss can be adapted to allow for a (rgorous) study of the genune BKZ algorthm We frst note that BKZ can be studed by lookng at the way the vector x : (log b ) changes durng the executon, rather than consderng the whole bass (b ) Ths smplfcaton s folklore n the analyzes of lattce reducton algorthms, and allows for an nterpretaton n terms of sandples [9] The study n the present secton s heurstc n the sense that we assume the effect of a call to HKZ on x s determned by x only, n a determnstc fashon 4 The model and ts dynamcal system nterpretaton Before descrbng the model, let us consder the shape of a -dmensonal HKZ-reduced bass Let (b ) be an HKZ-reduced bass, and defne x log b Then, by Lemma, we have:, x log ν Our heurstc assumpton conssts n replacng these nequaltes by equaltes x j (3) Heurstc Sandple Model Assumpton (SMA) We assume for any HKZ-reduced bass (b ), we have x log ν j x j for all, wth x (log b ) Under SMA, once x (e, det(b ) ) s fxed, an x of an HKZ-reduced bass s unquely determned Lemma Let (b ) be HKZ-reduced, x (log b ) and E[x] x Then, under SMA, x E[x] Γ ( ) and: j 6

7 wth Γ n (k) n log ν + n k for all 0 k < n <, x E[x] ( + )Γ ( ) + ( )Γ (), Proof SMA s equvalent to the followng trangular system of lnear equatons:, x + ( ) log ν + + Let y j x j, for Then y x and y + ( y+ + log ν ) + for all < By nducton: (, y ( + ) y + j j+ ) log ν j+ j Takng and notng that y E[x] gves y x E[x] Γ ( ) Now: ( <, y ( + ) E[x] Γ ( ) + j x j ) log ν j+ ( + ) (E[x] Γ ( )) j The result derves from the equalty x y y + We now explot SMA to nterpret BKZ as a dscrete-tme lnear dynamcal system Let (b ) n be a lattce bass and x (log b ) Let n be a block-sze and α n + When we apply an HKZ reducton algorthm to the projected sublattce (b (α) ) α <α+, we obtan a new bass (b ) n such that (wth x (log b ) ): Under SMA, we also have: α+ α x α+ α x and [α, α + ], x x [α, α + ], x log ν α+ + By applyng Lemma, we obtan x A (α) x + g (α), wth: A (α) (α) (α+ ) and g (α) 0 f < α α+ x α + j j ( + α )Γ ( α + ) ( + α )Γ ( α) f [α, α + ] Γ ( ) f α + 0 f α + We recall that a BKZ tour s the successve (n +) applcatons of an HKZ-reducton algorthm wth α,, n + (n ths order) Under SMA, the effect of a BKZ tour on x s to replace t by Ax + g 7

8 wth g g (n +) + A (n +) (g (n ) + A (n ) ( )) and: A A (n +) A () () () ( ) n n + ( ) n n + ( )n n + ( )n n + (n +) (n) We sum up the study of the dscrete-tme dynamcal system x A x + g n the followng Theorem The solutons and speed of convergence respectvely provde nformaton on the output qualty and runtme of BKZ (under SMA) Overall, we have: Theorem Under SMA, there exsts C > 0 such that the followng holds for all n and Let (b ) n be gven as nput to BKZ and L the lattce spanned by the b s If termnated after C n (log n+log log max tours, then the output (c ) n s a bass of L that satsfes x x, where x log c (det L) /n and x s the unque soluton of the equaton x A x + g wth E[x ] 0 Ths mples that: 5 n ( ) c (ν ) + 3 (det L) n b (det L) /n ) for all 4 Solutons of the dynamcal system Before studyng the solutons of x A x + g, we consder the assocated homogeneous system Lemma 3 If A x x, then x span(,, ) T Proof Let x R n such that A x x Let the largest ndex such that x max j x j We prove by contradcton that n Assume that < n We consder two cases, dependng on whether < or Recall that applyng A (α) to a vector y conssts n replacng y α,, y α+ by ther mean, and n leavng the others constant As a result, the maxmum of the y s cannot ncrease Assume frst that < Let x A () x By defnton of, we must have x + < x, and therefore max j x j < max j x j By choce of, we also have max j n x j < max j n x j But x A (n +) A () x, whch leads to the nequalty max j n x j max j n x j We obtaned a contradcton Now, assume that Let x A ( +) A () x and x A ( +) x We have max j n x j max j n x j x Moreover, we have x + x x and for all j >, x j x j < x Ths mples that max + j n x j < x Snce x A(n +) A ( +3) x, we obtan that max + j n x j < x In partcular, we obtan the contradcton x < x So far, we have proven that x n max j n x j Symmetrcally, we could prove that x n mn j n x j, whch provdes the result It thus suffces to fnd one soluton to x A x + g to obtan all the solutons We defne x as follows: { ( ) x log ν + + j+ x j f n g (n +) f > n 5 If we replace ν by a lnear functon that bounds t (eg, ν ), then the constant 3 (wth ε > 0 arbtrarly close to 0 and suffcently large) may be replaced by ln + ε 8

9 Lemma 4 We have x A x + g Proof Note frst that for any α and any x, we have n (A(α) x) n x and n g(α) 0 Ths mples that: n n (A (α) x + g (α) ) x (4) Let x (0) x and x (α) A (α) x (α ) + g (α), for α [, n + ] We prove by nducton that: α+ α+ α+ x (α) α+ x and x (α) x f [α +, α + ] ( ) Ths holds for α 0 snce x (0) x Let α By the nducton hypothess and equalty of the columns α,, α + of A (α), we have A (α) x (α ) A (α) x and hence x (α) A (α) x + g (α) Ths drectly mples that x (α) x when [α, α + ] Combnng ths wth (4) gves: Snce x (α) α log ν + α+ jα α+ α α+ x (α) α x (5) x (α) j, we obtan (usng (5) and the defnton of x): x (α) α log ν + α+ jα x j x α Combnng ths equalty and (5) allows to complete the proof of ( ) It remans to prove that x (n +) x for n + For n +, we have: x (n +) log ν n + + n + By Lemma and the defnton of g (n +), ths mples that x (n +) As a consequence (usng (5) and the defnton of x): x (n +) n jn + x j + g (n +) n jn + n j g (n +) j x (n +) j + g (n +) n jn + x(n +) j + g (n +) g (n +) x Overall, we have proven that A x + g x (n +) x Fact Gven M k R k k, a, b R k and c R, we defne M n R n n for n k, as follows: c c a T c c a T M n b b M k Then, for any n k, we have χ(m n )(t) (n k)t n k χ(m k+ ) (n k )t n k χ(m k ) 9

10 Proof of the fact We prove the result by nducton It clearly holds for n k and n k + Assume now that n > k + We have: (t c) c c a T t t 0 c (t c) c a T t (t c) c a T χ(m n )(t) c c c ti n M n 0 ti n M n b b b t χ(m n ) t χ(m n ) The result follows by elementary calculatons We now provde explct lower and upper bounds for the coordnates of the soluton x ( ) Lemma 5 For all n +, we have n 3 log ν x x n + n log ν Proof We prove these bounds by nducton on for n,, Recall that n, x ( ) log ν + + x j We frst consder the upper bound on x x n + Snce we defned Hermte s constant so that (ν ) s ncreasng, we have x n + x n Therefore: Usng the nducton hypothess, we obtan: x ( ) log ν + j+ > n, x x n + 0 n log ν + j+ ( ) n j log ν + x n + n log ν + x n + We now consder the lower bound on x x n + It clearly holds for n + We now prove t for [n ( ), n ] For that specfc stuaton, we use the dentty: [n ( ), n ], x ( ) log ν + ( n x j + j+ + jn + x j ) (6) As (x j ) j decreases, we have + + n jn + x j n jn + x j x n + log ν Ths mples: + n + jn + Usng the nducton hypothess, we also have: n n j+ Now, pluggng (7) and (8) nto (6) gves: x j x n + + log ν + n x j x n + + log ν n n j+ + jn + ( n j 3 ) (7) ( n j 3 ) (8) 0

11 x ( ) log ν + x n + + log ν + j+ ( n j 3 ) ( n 3 ) log ν + x n + When < n ( ), the proof for the lower bound s smlar to that of the upper bound As the set of solutons to x A x + g s x + Span(,, ) T, the value of x s only nterestng up to a constant vector, whch s why we bound x x n + rather than x In other words, snce x of Theorem s x (E[x]), the Lemma also apples to x It s also worth notng that the dfference between the upper and lower bounds 3 log ν s much smaller than the upper bound n log ν (for most values of ) If we replace ν by, then, va a tedous functon analyss, we can mprove both bounds so that ther dfference s lowered to log In the specal case, the expresson of x s x x n + (n ) log ν 43 Speed of convergence of the dynamcal system The classcal approach to study the speed of convergence (wth respect to k) of a dscrete-tme dynamcal system x k+ : A n x k + g n (where A n and g n are the n-dmensonal values of A and g respectvely) conssts n provdng an upper bound to the largest egenvalue of A T n A n It s relatvely easy to prove that t s (note that A n s doubly stochastc) We are to show that the second largest sngular value s <, n and that ths bound s sharp, up to changng the constant / and as long as n Ω(n) The asymptotc speed of convergence of the sequence (A k n x) k s n fact determned by the egenvalue(s) of A n of largest module 6 (ths s the prncple of the power teraton algorthm) However, ths classcal fact provdes no ndcaton on the dependency wth respect to x, whch s crucal n the present stuaton As we use the bound A k n x A n k x, we are led to studyng the largest sngular values of AT n A n We frst explct the characterstc polynomal χ n of A T n A n The followng lemma shows that t satsfes a second order recurrence formula Lemma 6 We have χ (t) t (t ), χ + (t) t (t )(t ) and, for any n : ( ) (( ) + )t χ n+ (t) χ n+ (t) t χ n (t) Proof We have A T A A and dm ker(a ), thus t χ (t) Snce Tr(A ) we have χ (t) t (t ) The computaton of A T + A + gves: +( ) A T + A + 3 If y + +y 0 and y + 0, then A T + A+ y 0, hence dm ker(at + A + ) and t χ + (t) It can be checked that A T + A + (,, )T (,, ) T Fnally, snce Tr(A T + A + ) + we have χ + (t) t (t )(t ) For n, let C n be the n n bottom-rght corner of A T n+ A n+ Note that for n,, j >, we have c nj c n,,j, whch means that we can wrte C n as: c n c n c nn c n C n C n c nn 6 whch can also be proved to be c /n for some constant c

12 ( ) Moreover, we have c n cn +, c n c n and c n c n for all > Subtractng tmes the second column of ti n C n from the frst column and subtractng tmes the second row from the frst row gves: χ(c n )(t) t ti n C n 0 + t t By expanson on the frst column and then on the frst row we obtan: ( ) χ(c n )(t) ( + )t χ(c n )(t) t χ(c n )(t) Snce the frst columns (resp rows) of A T n+ A n+ are dentcal, we obtan, by the prevous Fact, that χ n+ (t) t χ(c n )(t) ( )t χ(c n )(t) Ths mples that the χ n s satsfy the same second order relaton as the χ(c n ) s We fnally study the roots of χ n (t) The proof of the followng result reles on several changes of varables to lnk the polynomals χ n (t) to the Chebyshev polynomals of the second knd [ Lemma 7 For any n, the largest root of the polynomal χn(t) t belongs to π, ] (n ) n Proof Let χ n (t) be the polynomal t n χ n (/t) Then, by Lemma 6, we have χ (t) t, χ + (t) ( ( t) ), t and, for n : χ n+ (t) t n+ (( ) + ) t ( ) ( χ n+ t n+ t ( ) (( ) + ) t χ n+ (t) χ n (t) Let τ(t ) ( )(t ) and ψ n (t ) and, for n : ( ( ) n+ ψ n+ (t ) t χn+ ( τ(t )) τ(t ) t ψ n+ (t ) ψ n (t ) ) t χ n ( ) t ) n χ n ( τ(t )) τ(t ) We have ψ (t ), ψ + (t ) t ( ) n χn ( τ(t )) τ(t ) As a consequence, the ψ n s are polynomals (n t ) Now, let (U n ) n 0 be the sequence of Chebyshev polynomals of the second knd, e, U 0 0, U and U n+ (t ) t U n+ (t ) U n (t ) for n 0 These polynomals satsfy the followng property: n 0, x R \ {kπ; k Z}, U n (cos x) sn(nx) sn x It can be proven by nducton that ψ n U n + U n for all n By the Fact gven below, ths ] mples that there exsts t 0 [cos π n, cos π (n +) such that ψ n (t 0 ) 0 and ψ n(t ) > 0 for all t (t 0 ( ), ) n We have χ n ( τ(t 0 )) τ(t 0 )ψ n (t 0 ) 0, hence t 0 ( τ(t 0 )) s a root of χ n (t) Snce

13 the mage of (t 0, ) by t ( τ(t )) s (t 0, ), we obtan that t 0 s the largest root of χ n (t) smaller π than We now compute bounds for t 0 We have (n + ) n so cos n t 0 cos π n It can be checked that for u π 8 4, we have cos u 7 u, so π t (n ) 0 π Ths leads to 7n + π τ(t π (n ) 0 ) + ( ) + π, and thus π t 7n 7n (n ) 0 n To conclude, let φ n (t) be the polynomal χn(t) t By usng Lemma 6, t can be checked that φ n() ( ) n n, whch mples that φ n() 0 Ths proves that s never a multple root of χ n, whch completes the proof [ ] Fact Let n and f(x) sn((n+)x) sn x sn(nx) sn x The smallest postve root of f belongs to π (n+), π n Proof of the fact Snce sn s an ncreasng functon on [ 0, π ], we have sn(nx) < sn ((n + )x) for all 0 < x π (n+) Ths mples that f(x) > 0 on ths nterval We also have f ( π n) < 0 The result follows from the ntermedate value theorem Proof of Theorem The uncty and exstence of x come from Lemmata 3 and 4 Let (b (k) ) n be the bass after k tours of the algorthm BKZ and x (k) log b(k) The defnton (det L) /n of x and a smple nducton mply that x (k) x A k (x (0) x ) Both x (0) and x lve n the subspace E : Span(,, ), whch s stablzed by A Let us denote by ( A E the restrcton of A to ths subspace Then the largest egenvalue of A T E A E s bounded n Lemma 7 by ) Takng the norm n n the prevous equaton gves: The term x (0) x s bounded by x (k) x A E k x (0) x ρ(a T E A E ) k/ x (0) x ) k/ ( n x (0) x ( ) log max b (det L) /n b ) (det L) /n n+n O() Thus, there exsts C such that x (k) x when k C n (log n + log log max We now prove the last nequalty of the theorem By Lemma 5 and the fact that n x n + + n n + ( log ν (n ) 3 log ν x (n ) log ν n ( n ( ) + 3 ), we have: n ) log ν ( log ν (n ) 3 ) log ν n + x Usng the nequalty x (k) x + and takng the exponental (n base ) leads to the result 5 Analyss of BKZ We now show how the heurstc analyss of the prevous secton can be made rgorous The man dffculty stems from the lack of control on the b s of an HKZ-reduced bass (b ) More precsely, once the determnant and b are fxed, the b s are all below a specfc curve (explctly gven n Lemma ) However, f only the determnant s fxed, the pattern of the b s can vary sgnfcantly: as an example, takng orthogonal vectors of ncreasng norms shows that b (resp b ) can be arbtrarly small (resp large) Unfortunately, when applyng HKZ wthn BKZ, t seems we only control the determnant of the HKZ-reduced bass of the consdered block, although we would prefer to have an upper bound for each 3

14 Gram-Schmdt norm ndvdually We crcumvent ths dffculty by amortzng the analyss over the b s: as observed n [], we have a sharp control on each average of the frst b s For an arbtrary bass B : (b ) n, we defne µ (B) k k log b, for k n k Lemma 8 ([, Le 3]) If B (b ) s HKZ-reduced, then µ (B) k 5 A dynamcal system for (genune) BKZ tours k k log Γ (k) + µ (B) for all k We now reformulate the results of the prevous secton wth the µ (B) s nstead of the log b s Ths amounts to a base change n the dscrete-tme dynamcal system of Subsecton 4 We defne: P ( j),j n, à P AP and g P g Note that µ (B) P x (B), where x (B) (log b ) and µ (B) (µ (B) ) Lemma 9 Let B be the bass obtaned after a BKZ tour gven an n-dmensonal bass B as nput Then µ (B ) à µ(b) + g, where the nequalty holds componentwse Proof Let α n + We defne Ã(α) P A (α) P and g (α) P g (α) Let B (α) be the bass after the frst α calls to -HKZ (startng wth ndces,, α) We frst prove that we have: µ (B(α)) Ã(α) µ (B(α )) + g (α) (9) Ths vectoral nequalty can be checked by makng Ã(α) and g (α) explct: ( ) f j wth < α or α + à (α) α α+ f [α, α + ] and j α j (α+ )( α+) f [α, α + ] and j α + g (α) 0 otherwse, { +α log Γ ( α + ) f [α, α + ] 0 otherwse We provde more detals on the proof of (9) n appendx Now, let ν (0) µ (B(0)) µ and ν (α) Ã(α) ν (α ) + g (α) We prove by nducton that µ (B(α)) ν (α) For α, we have (successvely usng (9), the nducton hypothess and the fact that Ã(α) 0): µ (B(α)) Ã(α) µ (B(α )) + g (α) Ã(α) ν (α ) + g (α) ν (α) The result follows, by takng α d + 5 Analyss of the updated dynamcal system Smlarly to the analyss of the prevous secton, t may be possble to obtan nformaton on the speed of convergence of BKZ by estmatng the egenvalues of à T à However, the latter egenvalues seem sgnfcantly less amenable to study than those of A T A The followng lemma shows that we can shortcrcut the study of the modfed dynamcal system For a bass B R n n gven as nput to BKZ, we defne B [0] B and B [] as the current bass after the -th BKZ tour We also defne µ P x Lemma 0 Let B R n n a bass gven as nput to BKZ Wlog we assume that µ n (B) µ n (snce µ (B) n n log det B, ths can be acheved by multplyng B by a scalar) We have: ( ) k 0, n, µ (B[k] ) k/ µ + ( + log n) / n x (B [0]) x 4

15 Proof Frst, by usng Lemma 9 and notng that à µ µ + g, t can be shown by nducton that µ (B[k]) µ Ãk (µ (B[0]) µ ) (0) Now, we have Ãk (µ (B[0]) µ ) P A k P (µ (B[0]) µ ) P A k (x (B[0]) x ) Thanks to the assumpton on µ (B) n, we know that x (B[0]) x Span(,, ), whch s stable under A As n theorem, we ntroduce the restrcton A E of A to ths subspace By the results of Subsecton 43, we know that the largest egenvalue of A T E A E s ( ) Therefore: n Ãk (µ (B[0]) µ ) P A k E (x (B[0]) x ) P A E k x (B[0]) x ) k/ ρ(p T P ) / ( n x (B[0]) x, where ρ denotes the spectral radus Now, the sum of the coordnates of any row of P T P s n + ln n + log n Ths gves ρ(p T P ) + log n The result follows Lemma There exsts C > 0 such that the followng holds for all ntegers n, and ε (0, ] Let (b ) n be a bass of a lattce L, gven as nput to the modfed BKZ algorthm of Secton wth blocksze If termnated after C n3 (log n ε + log log max b ) calls to an HKZ-reducton (resp SVP solver) (det L) /n n dmenson, the output (c ) n s a bass of L that satsfes: n ( ) c ( + ε)ν + 3 (det L) n Proof Wlog we assume that µ n (B [0] ) µ n The proof s smlar to that of theorem We know that: µ µ n x ( n n (x + + x n ) ( ) + 3 ) log ν () We have log ( (+log n) x(b [0] ) x ) log(+ε) O(log n ε + log log max b ) so there exsts C 0 (ndependent of ) such that for any k C n (log n ε + log log max b ), we have: ( + log n) ( ) k n x(b [0] ) x log( + ε) Ths gves µ (B [k] ) µ (µ + log( + ε) n (B [0] ) + n ( ) + 3 base ) leads to the result ) log ν + Takng the exponental (n Theorem corresponds to takng ε n Lemma Also, when, usng the explct expresson of x leads to the mproved bound c ( + ε) (ν ) n (det L) n 6 Applcatons to LLL-Reducton In ths secton, we nvestgate the relatonshp between BKZ reducton and the noton of LLL-reducton [6] Note that analogues of some of the results of ths secton have been concurrently and ndependently obtaned by Schnorr [35] Remnders on the LLL algorthm The LLL algorthm wth parameter δ proceeds by successve loop teratons Each teraton has a correspondng ndex k, defned as the smallest such that (b ) k s not δ-lllreduced The teraton conssts n sze-reducng (b ) k and then checkng Lovász s condton δ b k b k + µ k,k b k If t s satsfed, then we proceed to the next loop teraton, and otherwse, we swap the vectors b k and b k Any such swap decreases the quantty Π((b ) ) n b (n +) by 5

16 a factor /δ whereas t remans unchanged durng sze-reductons Snce Π((b ) ) O(n sze(b)) ) and snce for any nteger bass Π((b ) ) s an nteger, ths allows to prove termnaton wthn O(n sze(b)) loop teratons when δ < When δ, we obtan the so-called optmal LLL algorthm Termnaton can stll be proven by usng dfferent arguments, but wth a much larger bound Poly(n) Poly(sze(B)) (see [3,7]) An terated verson of BKZ We consder the algorthm Iterated-BKZ (descrbed n Algorthm 3) whch gven as nput a bass (b ) n successvely apples BKZ to the projected bases (b ) n, (b () ) n,, (b (n ) ) n n By usng a quas-lnear tme Gauss reducton algorthm (see [39,4]) as the HKZ algorthm wthn BKZ, Algorthm Iterated-BKZ can be shown to run n quas-lnear tme Input : A bass (b ) n of a lattce L Output : A bass of L for k : to n do Apply BKZ to the bass (b (k) ) k n ; Let T be the correspondng transformaton matrx; Update (b ) n by applyng T to (b ) k n Return (b ) n Algorthm 3: Iterated-BKZ Algorthm Lemma Let B be a bass of an n-dmensonal lattce, and ε > 0 be arbtrary Then, usng Algorthm Iterated-BKZ, one can compute, n tme Poly(n) Õ(sze(B)), a bass (b ) n such that ( n, b 4 ( + ε) 3 ) n ( n ) b n + () j Proof We frst prove that () holds for the output of Iterated-BKZ The remark at the end of Secton 5 shows that () holds for after the frst step of the algorthm The followng steps do not modfy the frst vector of the bass, nor do they modfy the rght hand sde of (), hence the nequalty holds Now, Iterated-BKZ startng from Step s equvalent to applyng Iterated-BKZ to the bass (b () ) n It follows from the case and a drect nducton that () holds for all We turn to analyzng the complexty Frst, note that HKZ n dmenson, e, Gauss reducton, can be performed n tme Õ(sze(C)) gven bass C Q as nput (see [39,4]) Standard technques allow one to bound the bt-szes of all the vectors occurrng durng an executon of BKZ (and hence Iterated-BKZ ), by a lnear functon of the bt-sze of the nput Ths completes the proof A close analogue of the optmal LLL Let B (b ) n an ntegral bass output by Iterated-BKZ For n, we let p, q be coprme ratonal ntegers such that p q ( ) 3 (n +)(n ) 4 b Q (n +) n j b j By (), we know that p /q (+ε) n + Note that p /q s a ratonal number wth denomnator O(n +sze (B)) We can thus fnd a constant c such that, for all, the quantty p /q s ether 0 or c(n +sze (B)) Hence, f we choose ε < n c(n +sze(b )), all the nequaltes from () must hold wth ε 0 Overall, we obtan, n polynomal tme and usng only swaps and sze-reductons, a bass for whch () holds wth ε 0 A quas-lnear tme LLL-reducton algorthm BKZ can be used to obtan a varant of LLL whch gven as nput an nteger bass (b ) n and δ < returns a δ-lll-reduced bass of L[(b ) n ] n tme Poly(n) Õ(sze(B)) Frst, we apply the modfcaton from [8, p 5] to a termnated BKZ so that the modfed algorthm, when gven as nput an nteger bass (b ) n and ε > 0, returns n tme Poly(n) Õ(sze(B)) a bass (b ) n of L[(b ) n ] such that b ( + ε) (4/3) n λ (L) The complexty bound holds because the transformaton from [8, p 5] apples BKZ n tmes on bases whose bt-szes are Poly(n) Õ(sze(B)) We terate ths algorthm n tmes on the projected lattces (b (k) ) k n so that the output bass (c ) n of L[(b ) n ] satsfes: n, c ( + ε) (4/3) n λ (L[(b () j ) j n]) (3) 6

17 It follows from nequaltes and the sze-reducedness of (c ) n that sze(c) Poly(n) sze(b) We call δ-lll the successve applcaton of the above algorthm based on BKZ and LLL wth parameter δ We are to prove that the number of loop teratons performed by δ-lll s Poly(n) Theorem 3 Gven as nputs a bass B Z n n of a lattce L and δ <, algorthm δ-lll algorthm outputs a δ-lll-reduced bass of L wthn Poly(n) Õ(sze(B)) bt operatons Proof Wth the same notatons as above, t suffces to prove that gven as nput (c ) n, algorthm δ-lll termnates wthn Poly(n) Õ(sze(C)) bt operatons Let (c ) n be the output bass As sze-reductons can be performed n tme Poly(n) Õ(sze(C))), t suffces to show that the number of loop teratons of δ-lll gven (c ) n as nput s Poly(n) To do ths, t suffces to bound Π((c ) n ) Π((c ) n) by Poly(n) Frst of all, we have λ (L[(c () j ) j n]) λ (L), for all n Indeed, let v,, v L be lnearly ndependent such that max j v j λ (L); at least one of them, say v, remans non-zero when projected orthogonally to Span(c j ) j< We thus have λ (L[(c () j ) j n]) v λ (L) Now, usng (3), we obtan: n n Π((c ) n ) c (n +) O(n3 ) λ (L) (n +) On the other hand, we have (see [6, (7)]) λ (L) max j c j ( ) c δ /4, for all n As a consequence, we have Π((c ) n) O(n3) n λ (L) (n +) Ths completes the proof Acknowledgments We thank N Gama and P Q Nguyen for explanng to us ther bound on the number of tours of the orgnal BKZ algorthm We also thank C-P Schnorr for helpful dscussons The authors were partly supported by the LaRedA ANR grant and an ARC Dscovery Grant DP00068 References M Ajta Generatng hard nstances of lattce problems (extended abstract) In Proc of STOC, pages ACM, 996 M Ajta, R Kumar, and D Svakumar A seve algorthm for the shortest lattce vector problem In Proc of STOC, pages ACM, 00 3 A Akhav Worst-case complexty of the optmal LLL algorthm In Proceedngs of the 000 Latn Amercan Theoretcal Informatcs conference (LATIN 000), volume 776 of LNCS, pages Sprnger, D Cadé, X Pujol, and D Stehlé fplll-3, a floatng-pont LLL mplementaton stehle 5 D Coppersmth Small solutons to polynomal equatons, and low exponent RSA vulnerabltes Journal of Cryptology, 0(4):33 60, S Galbrath Mathematcs of Publc Key Cryptography, Verson 09 0 Avalable at nz/~sgal08/crypto-book/crypto-bookhtml 7 N Gama, N Howgrave-Graham, H Koy, and P Q Nguyen Rankn s constant and blockwse lattce reducton In Proc of CRYPTO, number 47 n LNCS, pages 30 Sprnger, N Gama and P Q Nguyen Fndng short lattce vectors wthn Mordell s nequalty In Proc of STOC, pages 07 6 ACM, N Gama and P Q Nguyen Predctng lattce reducton In Proceedngs of Eurocrypt 008, volume 4965 of LNCS, pages 3 5 Sprnger, O Goldrech, S Goldwasser, and S Halev Collson-free hashng from lattce problems Avalable at un-trerde/, TR96-056, 996 G Hanrot and D Stehlé Improved analyss of Kannan s shortest lattce vector algorthm (extended abstract) In Proc of CRYPTO, volume 46 of LNCS, pages Sprnger, 007 I Havv and O Regev Tensor-based hardness of the shortest vector problem to wthn almost polynomal factors In Proc of STOC, pages ACM, P S Hrschhorn, J Hoffsten, N Howgrave-Graham, and W Whyte Choosng NTRUEncrypt parameters n lght of combned lattce reducton and MITM approaches In Proc of ACNS, volume 5536 of LNCS, pages Sprnger, 009 7

18 4 J Hoffsten, J Ppher, and J H Slverman NTRU: a rng based publc key cryptosystem In Proc of ANTS, volume 43 of LNCS, pages Sprnger, R Kannan Improved algorthms for nteger programmng and related lattce problems In Proc of STOC, pages ACM, A K Lenstra, H W Lenstra, Jr, and L Lovász Factorng polynomals wth ratonal coeffcents Math Ann, 6:55 534, 98 7 H W Lenstra, Jr Flags and lattce bass reducton In Proceedngs of the thrd European congress of mathematcs, volume Brkhäuser, 00 8 L Lovász An Algorthmc Theory of Numbers, Graphs and Convexty SIAM, 986 CBMS-NSF Regonal Conference Seres n Appled Mathematcs 9 MG Madrtsch and B Vallée Modellng the LLL algorthm by sandples In Proc of LATIN, volume 6034 of LNCS, pages 67 8 Sprnger, 00 0 J Martnet Perfect Lattces n Eucldean Spaces Sprnger, 00 D Mccanco and O Regev Lattce-based cryptography In Post-Quantum Cryptography, D J Bernsten, J Buchmann, E Dahmen (Eds), pages 47 9 Sprnger, 009 D Mccanco and P Voulgars A determnstc sngle exponental tme algorthm for most lattce problems based on Vorono cell computatons In Proc of STOC, pages ACM, 00 3 D Mccanco and P Voulgars Faster exponental tme algorthms for the shortest vector problem In Proc of SODA ACM, 00 4 P Q Nguyen Cryptanalyss of the Goldrech-Goldwasser-Halev cryptosystem from Crypto 97 In Proc of CRYPTO, volume 666 of LNCS, pages Sprnger, P Q Nguyen and D Stehlé LLL on the average In Proc of ANTS, LNCS, pages Sprnger, P Q Nguyen and D Stehlé An LLL algorthm wth quadratc complexty SIAM J Comput, 39(3): , P Q Nguyen and J Stern The two faces of lattces n cryptology In Proceedngs of the 00 Cryptography and Lattces Conference (CALC 0), volume 46 of LNCS, pages Sprnger, 00 8 P Q Nguyen and B Vallée (edtors) The LLL Algorthm: Survey and Applcatons Informaton Securty and Cryptography Sprnger, A Novocn, D Stehlé, and G Vllard An LLL-reducton algorthm wth quas-lnear tme complexty, 0 To appear n the proceedngs of STOC Avalable at 30 X Pujol and D Stehlé Rgorous and effcent short lattce vectors enumeraton In Proc of ASIACRYPT, volume 5350 of LNCS, pages Sprnger, O Regev The learnng wth errors problem, 00 Invted survey n CCC 00, avalable at ~odedr/ 3 C P Schnorr Progress on LLL and lattce reducton Chapter of [8] 33 C P Schnorr A herarchy of polynomal lattce bass reducton algorthms Theor Comput Scence, 53:0 4, C P Schnorr Block reduced lattce bases and successve mnma Combnatorcs, Probablty and Computng, 3: , C P Schnorr Accelerated slde- and LLL-reducton Electronc Colloquum on Computatonal Complexty (ECCC), (50), 0 36 C P Schnorr and M Euchner Lattce bass reducton: Improved practcal algorthms and solvng subset sum problems In Proceedngs of the 99 Symposum on the Fundamentals of Computaton Theory (FCT 9), volume 59 of LNCS, pages Sprnger, C P Schnorr and M Euchner Lattce bass reducton: mproved practcal algorthms and solvng subset sum problems Mathematcs of Programmng, 66:8 99, C P Schnorr and H H Hörner Attackng the Chor-Rvest cryptosystem by mproved lattce reducton In Proc of Eurocrypt, volume 9 of LNCS, pages Sprnger, A Schönhage Fast reducton and composton of bnary quadratc forms In Proceedngs of the 99 Internatonal Symposum on Symbolc and Algebrac Computaton (ISSAC 9), pages 8 33 ACM, V Shoup NTL, Number Theory C++ Lbrary 4 S Wu and L Debnath Inequaltes for convex sequences and ther applcatons Computers & Mathematcs wth Applcatons, 54(4):55 534, C K Yap Fast unmodular reducton: planar nteger lattces In Proceedngs of the 99 Symposum on the Foundatons of Computer Scence (FOCS 99), pages IEEE Computer Socety Press, 99 A Boundng the number of tours n the orgnal BKZ algorthm A bound (n) n s clamed n [9] The authors kndly explaned to us how to prove a smlar upper bound We gve the proof, for the sake of completeness Frst, note that durng the executon of BKZ (Algorthm ), the bass (b (k) ) k mn(k+,n) gven as nput to the SVP solver s always LLL-reduced Now, we modfy the call to LLL followng the call to the 8

19 SVP, as follows If the SVP solver dd not fnd a suffcently short vector (e, δ b k b n Algorthm ), then we proceed as n Algorthm Otherwse, we frst call LLL on b, b (k), b (k) k,, b(k) mn(k+,n) to remove the lnear dependency, we apply the approprate transformaton matrx to b,, b n, and then we call LLL agan on the vectors b,, b mn(k+,n) Suppose the call to the SVP solver s successful The modfcaton above ensures that the projected bass b (k) k,, b(k) mn(k+,n) s reduced both before the call to the SVP solver and before the second call to LLL Furthermore, by a standard property of LLL, the vector found by the SVP solver s the frst vector of the bass before the second call to LLL Overall, the effect on the b s of a call to the SVP solver and the frst call to LLL s as follows: b k decreases by a factor δ, b j remans constant f j [k, mn(k +, n)], b j does not ncrease by a factor f j [k+, mn(k+, n)] (because the former and new b j s approxmate the successve mnma of L[(b (k) ) k mn(k+,n) ] (see, eg, [6, Th 8]) 3 To conclude, consder the quantty n b [ log(/δ) ]n + From the above, t always decreases by a factor durng a successful call to the SVP solver followed by the frst call to LLL It also always decreases durng a LLL swap (see [6]) Fnally, t never ncreases durng the executon of BKZ As the nput and output bases of BKZ are LLL-reduced, t always belongs to the nterval (λ n ) [ 3 log(/δ) ]n +, (λ n ) [ 3 log(/δ) ]n +, n n where the λ s are the successve mnma of the lattce under scope Ths mples that the number of calls to the SVP oracle s O() n B Improvng the constant 3 n Theorems and Theorem asserts the followng bound on the output of the modfed BKZ algorthm: n ( ) c (ν ) + 3 (det L) n We show that that there exsts a unversal (and effcently computable) constant K such that for suffcently large and n, we have: c K n ( ) + ln (det L) n The base of the power could be replaced by α (α < ) provded that ν < α holds for suffcently large Proof In the present work, we only used the facts that ν n s an upper bound on the Hermte constant and that ν n ν n+ Snce ν n n, the proofs also hold wth ν n replaced by n Let y 0 and y + j y j + + log( + ) for We have: y + y y j + + j j + y j + + log( + ) log log( + ) y log( + ) (log( + ) log ) + log( + ) y j + ( ) log j 9