New Practical Algorithms for the Approximate Shortest Lattice Vector

Transcription

1 New Practical Algorithms for the Approximate Shortest Lattice Vector Claus Peter Schnorr Fachbereiche Mathemati/Informati, Universität Franfurt, PSF 493, D Franfurt am Main, Germany. Preliminary Report Abstract. We present a practical algorithm that given an LLL-reduced lattice basis of dimension n, runs in time O(n 3 (/6) /4 +n 4 ) and approximates the length of the shortest, non-zero lattice vector to within a factor (/6) n/(). This result is based on reasonable heuristics. Compared to previous practical algorithms the new method reduces the proven approximation factor achievable in a given time to less than its fourthth root. We also present a sieve algorithm inspired by Ajtai, Kumar, Sivaumar [AKS0]. Introduction and Summary History. The problem of finding a shortest, non-zero lattice vector in a lattice of dimension n is a landmar problem in complexity theory. This problem is polynomial time for fixed dimension n, it is NP-complete for varying n. For simplicity, we consider integer lattices of dimension n in Z n, given by a lattice basis consisting of vectors of Euclidean length O(n). Using the famous LLL-algorithm of Lenstra, Lenstra, Lovász (98), Kannan (983) proposed an algorithm that finds the shortest lattice vector in time n O(n), Helfrich (985) improved the time bound to n n/+o(n). Recently [AKS0] present a probabilistic algorithm with time and space bound O(n), at present that method is still impractical. We present a novel algorithm that produces an approximate shortest lattice vector by iterating random sampling of short lattice vectors. It finds a shortest lattice vector to within the factor (/6) n/() and runs in time O(n 3 (/6) /4 + n 4 ). This algorithm is practical and space efficient, theoretically it outperforms all other nown algorithms. We show how to speed up random sampling via the birthday paradox. This reduces the time to O(n 3 (/3) /8 + n 4 ) at the expense of storing n(/3) /8 lattice vectors. We also present, a nearly practical sieve algorithm, inspired by [AKS0] and adapted to the problem of approximating the shortest lattice vector. Our analysis uses reasonable heuristic assumptions.

2 Summary and Comparison of the New Algorithms. The next table shows and compares the performance of the new algorithms for approximating the shortest lattice vector. Approximating the shortest lattice vector to within an approximation factor c means to find a non-zero lattice vector with at most c-times the minimal possible length. time space/n approx. factor. random sampling n 3 (/6) /4 (/6) n/ for n 60 n n. birthday sampl. n 3 (/3) /8 (/3) /8 (/3) n/ 3. our sieve n n/4 for = 60 n n 4. primal/dual (Koy) n /+o() n (/6) n/ for = n n 5. Schnorr 987 n +o() (/3) n/ for = 4 n 53. n 6. AKS 00 n O() O() (/6) n/ The time bounds count arithmetic steps using integers of bit length O(n), assuming a given basis consisting of integer vectors of length O(n). More precisely, all time bounds are of the form O( + n 4 ) with a constant factor and an additive term n 4 related to LLL-type reduction. The constants 3, 50, 49, 53 are method specific. The parameter, < n can be freely chosen. The entry c under space/n means that c + O(n) lattice vectors, consisting of c n + O(n ) integers, need to be stored. This requires to store O(c n + n 3 ) bits. The proven approximation factor (/6) n/ of random sampling is about the fourth-th root of the proven factor achievable in the same time by Koy s primal-dual method, the best practical, previous algorithm. Algorithms 4. and 5. yield in practice smaller approximation factors than the proven ones. The approximation factors of methods 4, assume the unproven bound γ /6 for 4 for the Hermite constant γ of dimension. Random sampling is still to be implemented. Its theoretical performance beats by far all other nown practical methods. Surprisingly, the proven approximation factor.06 n of n 3 3 -time random sampling is pretty near to the ones observed in practice by the algorithms 4. and 5. Possibly, this explains why methods 4. and 5. perform better in practice than expected from the theoretic analysis. Our sieve yields for = n the approximation factor n within average time n+o(n) under the assumption that there are many short The Hermite constant γ is the maximum value λ (L) (det(l) /, where L ranges over all lattices of dimension and λ (L) denotes the length of the shortest, non-zero vector in L.

3 lattice vectors. A drawbac is the space requirement, n+o(n) lattice vectors must be stored. Asymptotically the new sieve performs for = n 3 on average O(n n+o(n) ) steps and approximates the shortest lattice vector to within a factor n 9/4. This indicates that approximating the shortest lattice vector to within a factor n 9/4 is easier than computing the shortest lattice vector exactly. Our sieve finds a basis with the remarable property that b / b n n. That property seems not even to hold for lattice bases that are reduced in the very strong sense of Hermite and Korin-Zolotarev. The latter bases merely satisfy that b / b n n (+ln )/, see [S87],[LLS 90]. The [AKS0] algorithm has the best assymptotic time bound O(n) for a probabilistic algorithm that finds the shortest lattice vector. At present this method is impractical as the exponent O(n) is about 30 n. Method 4. is impractical for 3 as it requires to find shortest lattice vectors for lattices of dimension while Koy s primal/dual method (unpublished) uses shortest lattice vectors in dimension. The approximation factor (/6) n/ of 6. comes from combining the AKS-sieve with 4. The following cryptosystems may be affected by current and further progress in lattice basis reduction: NTRU, RSA, Factoring based cryptosystems, DL-cryptosystems with groups of unity. These cryptosystems can be broen by very short lattice vectors in high dimensional lattices, see [HPS98] for NTRU and [S9] for factoring and the DL. LLL-type reduction is now feasible in these dimensions due to Koy, Schnorr [KS0a,KS0b]. The random sampling method mars an important progress towards our goal of finding very short lattice vectors efficiently. Notation. An ordered set of linearly independent vectors b,..., b n Z m is a basis of the lattice n i= biz Zm, consisting of all linear integer combinations of b,..., b n. For simplicity we will focus on the case n = m. The orthogonalization vectors b,..., b n and the Gram-Schmidt coefficients µ i,j, i, j n, associated with the basis b,..., b n satisfy for i =,..., n: b i = i j= µi,j b j, µ i,i =, µ i,j = 0 for j > i. For the Euclidean inner product, we have that µ i,j = b i, b j / b j, b j, b i, b j = 0 for i j. Let b = b, b denote the Euclidean length of a vector b R n. A vector b = n i= µi b i satifies b = n i= µi b i. Let λ denote the length of the shortest non-zero lattice vector of a given lattice. For simplicity, let the given lattice basis be nicely bounded so that max i b i = O(n). It is nown from [LLL8] that a given lattice basis can be transformed into an LLL-reduced lattice basis b,..., b n satisfying b n λ in 3

4 polynomial time n O(). Actually, an approximation factor ( 4 +ε) n 3 can be achieved in polynomial time for arbitrary small ε > 0. Recently [KS0a] proposes an LLL-type reduction in time O(n 3 log n) realizing the approximation factor ( 4 + ε) n 3. Random Sampling of Short Vectors Previous algorithms for the approximate shortest lattice vector generate lattice vectors b = j i= µi b i for some < j < n such that µ j,..., µ j are particularly small, and µ j 0. The goal is to find some b L so that j i=j µi b i < b j. In that case replacing b j by b yields a shorter vector b j. The new method generates lattice vectors b = n i= µi b i such that µ, µ,..., µ are particularly small. The goal is to find some b L so that b = n i= µi b i < b. In that case the basis vector b is replaced by the shorter vector b. Importantly, the initial vectors b,..., b are longer than vectors b i for large i, so small coefficients µ i for small i have a bigger impact than those for large i. The Sampling Method. Let < n be constant. Suppose we are given an LLL reduced lattice basis of dimension n. We sample lattice vectors b = n i= tibi = n i= µi b i satisfying µ i { for i n for n, µn {, }. () < i < n There are at least distinct lattice vectors b of this form. The sampling algorithm (SAL) below generates a vector b in time O(n ). If the sampled vector satisfies b δ b for some constant δ < we extend b to an LLL-reduced basis with b = b and we iterate the sampling. As an LLLreduced basis satisfies b n λ there are at most n log (/δ) () iterations. Sampling Algorithm (SAL). Given a lattice basis b,..., b n with coefficients µ i,j the algorithm generates a lattice vector b = n i= µi b i satisfying ().. Select µ n {, }, b := µ n b n µ j := µ n µ n,j for j =,..., n.. FOR i = n,..., DO Select µ Z such that { µ i µ for i n, () for i > n b := b µ b i, µ j := µ j µ µ i,j for j =,..., i. OUTPUT b, µ,..., µ n satisfying b = n i= µi b i. 4

5 The coefficient µ i is updated n i times. We assume that this leads to a nearly uniform distribution of the µ i, at least for small i. That near uniformity is crucial for our method. The random behaviour for large i is less important as the contribution µ i b i to the length square of b is minor. We mae the heuristic Randomness Assumption (RA). Let the µ i of the sampled vectors b = n i= µi b i be uniformly distributed over the interval [, ] for i n resp. the interval [, ] for i > n, and let the µ i be mutually statistically independent for distinct i. Lemma. For uniformly distributed µ i, µ i R [, ] we have the following mean values :. E[ µ i ] =,. E[ µi ] =. 4 Proof.. E[ µ i ] = 0 x dx =,. E[ µi ] = 0 x dx = 4. The Geometric Series Asumption (GSA). We assume that the b i form a geometric series, b i = b q i for i =,..., n with some quotient q <. Justification of the GSA. We merely use the GSA to simplify the analysis. Typically, the GSA holds in an approximate way b i b q i if the basis has been reduced in a primal/dual way. Moreover, the GS property means that the lattice basis has the following worst case property b / b n = max ( b i / b j ) (n )/(j i) = q (n )/. i<j n If GSA does not hold there exists i < j n such that b i / b j > ( b / b n ) (j i)/(n ) and j i < n. Then it suffices to reduce the subbasis π i(b i),..., π i(b j), where π i is the orthogonal projection into span(b,..., b i ). Reducing that subbasis of dimension j i + is an easier problem as its dimension j i + is smaller than n. Such a low dimensional approach is excluded under the GSA. Sampling Short Vectors. Let, be constants, + < n. Consider the event that a sampled vector b = n i= µi b i satisfies µ i q( i)/ for i =,...,. (3) Under RA that event has probability q ( i)/ = q ()/ = q ( )/4. i= We study the probability that b < b holds under RA and the conditions (), (3). 5

6 Lemma. SAL samples vectors b that satisfy under GSA and RA that Pr[ b b [ q +(q +3 q n 4q n )/( q)] q ( )/4. Proof. By Lemma we have under (), (3) the mean value E[ µ i q i for i =,..., (3) ] = / for i = +,..., n. /3 for i = n +,..., n Under GSA this yields E[ b b (3) ] [ i= q i b i + n i=+ b i + 4 n i=n + b i ] [ = i= q i+i + q n i= q i + 4 q n [ ] q + q ( q n ) + 4q n ( q ))/( q) = i= qi ] = [ q + (q + 3 q n 4 q n )/( q)]. Now the claim follows as (3) holds with probability q ( )/4. Theorem. Let 3 and n + ln(/6). There is an algorithm which runs under GSA and RA in average time O(n 3 (/6) /4 +n 4 ) 4 ln and which transforms a given LLL-reduced basis into a basis with an approximation factor less than (/6) n/. Proof. The algorithm performs the following steps.. Sample distinct lattice vectors b via SAL until b < b, where = ln(/6) in SAL. 4 ln. Extend the short vector b to an LLL-reduced basis with b = b. This is done by one LLL-type reduction. This LLL-type reduction requires not more than O(n 3 ) steps because it remodels a given LLL-reduced lattice basis. 3. If b / b n (/4) (n )/() then terminate and output the basis. Otherwise go to and iterate the algorithm. Analysis. We apply Lemma to the geometric series b i = b q i of the lattice basis given in Step. We show that [ q + (q + 3 q n 4 q n )/( q)] < holds for q = ln(/6). If q is smaller then SAL succeeds even better. We have that q ln(/6) ( ) < e ln(/6) = We get from q < and n that 6 =. (q + 3q n 4q n )/( q) q ( + 3/) < ln(/6) +3/. ln(/6) Hence [ q +(q +3 q n 4 q n )/( q)] ( +3/ +/q) < 0.94, ln(/6) as +3/ ln(/6) + /q < 0.94 holds for 3 and q =. ln(/6) We let ln denote the natural logarithm with base e.78. 6

7 Lemma shows that b b < 0.94 holds at least with probability q( )/4, where q ( )/4 = ( ln(/6) ) ( )/4 > e ( ) ln(/6)/4 = (/6) ( +)/4. Hence Pr[ b < 0.94 b ] > (/6)( +)/4. Therefore SAL suceeds with a short b in average time O(n (/6) ( )/4 ). The algorithm performs at most O(n) iterations, an iteration requires O(n (/6) /4 ) steps for SAL and O(n 3 ) steps for the LLL-reduction. Therefore the entire algorithm runs in average time O(n 3 (/6) /4 + n 4 ). Upon termination we have that q > ln(/6). The resulting approximation factor is bounded by q n/ < ( ln(/6) ) ln(/6) n ln(/6) < e n ln(/6) = (/6) n. We need that q ( )/4 so that enough vectors can be sampled. It is sufficient that log 4 (/q) ln(/6). 4 ln Remar. We can replace in Theorem the fraction (/6) by /( ε) for an arbitrary ε > 0, provided that is sufficiently large, i.e., 0(ε). This follows from ε = o() for sufficiently large. ln(/) Refined Analysis. While the inequalities (3) are sufficient to mae b b small they are not necessary. We show that Pr[ b b < ] e/8 q ( )/4 for q = ln(/6), thus increasing the probability that SAL generates a short vector by the factor e /8. We liberalize the Inequalities (3) by allowing a few larger coefficiens µ i. We balance the larger values µ i by requiring that the remaining µ i are even smaller than q( i)/ so that i= µi b i q as before. We allow /4 larger coefficients µ ji satisfying q( j i)/ < µ ji q ( j i)/ for j i /, i =,..., /4. ( we require that j i / so that q ( j i)/.) These larger µj i can be balanced by requiring that µ i q( i)/ ( )/4 for i {j,..., j /4 }, i. For a constant selection of j,..., j /4 the modified inequalities (3) imply under RA that E[ i= µi b i ] = q [ + O( )]. Moreover, these inequalities hold with probability q ( )/4 ( )/4( /4) q ( )/4 e 3/4. The number of choices for the /4 values j,..., j /4 is ) e /8. Different choices correspond to disjoint events so that ( /4 7

8 the probabilities add up. This yields Pr[ i= µi b i q ] e/8 q ( )/4. For = 3, n 60 we get the following performance values: proven q time approx. factor n n n n n n n n n n 0.93 n n For example, we have for = 54, = 3, n 60, q = that E[ b b (3) ] = [ q + q +3 q n 4q n q ] < As (3) holds with probability q ( )/ this yields Pr[ b 0.94 b ] e54/8 q ( )/ Therefore, the algorithm of Theorem yields the quotient q > Such q corresponds to an approximation factor q (n )/ <.09 n. In the cases of = 40, 30, 5, 0, we proceed accordingly. Birthday Sampling. The birthday paradox is a well nown heuristic that reduces the number of vectors to be sampled to its square root. Instead of searching for a lattice vector b with b < b we sample distinct vectors until two vectors b, b arise with b b < b. We study the probability that b b b < for distinct vectors b, b generated by SAL. We assume in addition to RA that the coefficients µ i of b and µ i of b are statistically independent. Lemma 3. Let µ i, µ i R [, ] be uniformly distributed and statistically independent. Then we have the following mean values :. E[ µ i ± µ i ] = 6 for either sign ±,. E[ µ i µ i ] = 3 8. Proof.. E[ µ i ± µ i ] = [x 3 /3 + x y ± x y] dy = + x + y ± xy dx dy =. We have that E[µ i µ i µ i 0 µ i] = y dy = + = 6. 0 ( 4 + x)dx =. With probability we either have µi 0 µ i or µ i 0 µ i. Also with probability we either have µi, µ i 0 or µ i, µ i 0. We infer that E[ µ i µ i ] = + E[ µi µ i ] = =

9 Lemma [ 4. Distinct vectors b, b sampled via SAL satisfy under ] RA that Pr b b b 6 [q +(q +3q n 4q n )/( q)] q()/. Proof. We proceed as in the proof of Lemma. However, we use that E[ µ i ± µ i ] = 6 = E[ µi ] due to Lemma and 4. Consider the event that two vectors b = n i= µi b i, b = n i= µ i b i sampled by SAL satisfy i= µi µ i q i 6 q. (3 ) By Lemma 3, the probability of the event (3 ) is at least q ()/ under RA. [ Moreover, ] Pr b b b 6 [q + (q + 3q n 4q n )/( q)] (3 ). Hence the claim. Theorem. Let 3 and n + ln(/3). There is an algorithm which runs under GSA and RA in average time O(n 3 (/3) /8 +n 4 ) ln and which transforms a given LLL-reduced basis into a basis with an approximation factor less than (/3) n/. Setch of Proof. Proceed as in the proof of Theorem. However, set q := ln(/3) to offset the additional factor from E[ µ i ± µ i ] = E[ µ i ]. Generate O(n(/3) /8 ) lattice vectors b via SAL and search for short vectors b b so that (3 ) holds. Such vectors b b can be found efficiently. This algorithm needs to store O(n(/3) /8 ) lattice vectors. Theorem shows that birthday sampling is for large values superior to random sampling. The crossover point, where birthday sampling gets more efficient, is for a large. Birthday sampling is more efficient for q = 0.98, = 75 with an n time algorithm. 3 Towards a Practical Sieve Algorithm The Goal of the Sieve. Our method is inspired by Aijtai, Kumar, Sivaumar [AKS0]. Consider a lattice basis b,..., b n Z n of dimension n with orthogonalization vectors b,..., b n. Let be some integer < < n, = 4 t, throughout the following will be a power of 4. We present a novel, efficient deterministic algorithm that transforms an LLL-reduced basis into a basis satisfying n i=+ b i > 4 b. (4) We bound in Lemma 5 the approximation factor b /λ for lattice bases having property (4). Our time bounds count arithmetic steps using integers bounded by max i b i. 9

10 The Basic Sieve. Suppose we are given an LLL reduced lattice basis satisfying n i=+ b i 4 b for some such that 3 + n. We proceed in t stages, s = 0,..., t. Initially, at stage 0 we generate + lattice vectors b = n i= tibi = n i= µi b i satisfying { µ i for i, µn {, }. (5) for < i < n There are at least n distinct lattice vectors b of this form. We let n 3 + so that there are + vectors for stage 0. The vectors of stage 0 are positive, i.e., µ i > 0 for the largest i with µ i 0 and b 0. A vector b of stage 0 can easily be generated in time O(n ), which yields the time bound O(n + ) for stage s = 0. Stage s requires only O(n + ) steps. As the number of stages t is small compared to n the total time for the sieve is essentially the time for stage 0. Stage s. By induction on s we generate + positive vectors b = n i= µi b i of stage s satisfying µ i s for i, (6) µ i s for < i < n, 0 µ n s. (7) We partition the vectors b of stage s into classes. We divide the range ], ] s of the µ i for i into 4 intervals ]j, j + ] s of equal size for j =,, 0,. A class is given by j i {,, 0, } for i =,..., and consists of the vectors b = n i= µi b i satisfying µ i ]j i, j i + ] s for i =,...,. The vectors of stage s+ are positive vectors b b, where b, b are vectors of stage s, b ±b such that b, ±b are in the same class. As there are classes, the + vectors ±b of stage sgenerate at least + collision pairs (b, ±b ), where b, ±b fall into the same class and b b is positive. These collisions provide at least (4 ) vectors b b for stage s + counted with multiplicities, and satisfying b b = n i= (µi µ i) b i such that µ i µ i s for i =,...,. This shows the induction claim for (3) while the induction for (4) is trivial. In particular, we have that 0 µ n s as µ n {, } for stage 0. We eep from all possible vectors b b of stage s + at most + distinct, positive vectors, we discard repetitions of the same vector. The number of distinct vectors of stage s + is at least (4 ) minus the number of repetitions, where b b = b b holds for two collision pairs (b, b ), (b, b ). We mae the heuristic Few Repetitions Assumption (FRA). We assume that the number of repetitions at stage s is not greater than the number of classes. Under the FRA there are for each stage s at least (4 ) = + distinct, non-zero vectors. We will see that all vectors b of stage t satisfy 0

11 b b. Therefore, the FRA requires that there are plenty of lattice vectors b satisfying b b. Conversely, we justify below the FRA for the case that b n b n. At the final stage t := log we have that µ i { t = for i 4 t = for i >. Using that (4) is violated and b = max i b i we have that n i= µi b i b i= µi + n i=+ b i b This shows that the vectors b of stage t satisfy b b, hence: Theorem 3. Given a lattice basis satisfying n i=+ b i 4 b for n 3 + the basic sieve finds in deterministic time O(n + ) under FRA + distinct lattice vectors b, all satisfying b b. Suppose we are given an LLL-reduced basis satisfying b n λ. Then we can halve b at most n times. Iterating the basic sieve at most n times we get a basis satisfying (4). The time bound for this procedure is O(n 3 + ). Assuming the GSA. In order to interpret property (4) in terms of the approximation factor b /λ we assume that the b i form a geometric series, b i = b q i for i =,..., n with some quotient q <. Lemma 5. For α < / ln, < < n, a geometric series b i with quotient q = α ln satisfies n i=+ b i b /(α α ln ). Proof. We have that n i=+ b i b = q q n q < q /( q) = ( α ln ) α ln α ln < e = α ln /(αα ln ), where we use that ( ) < e. Corollary. A lattice basis satisfying (4) has under the GSA an approximation less than factor ( + ε) n/, ε = O( ln ). Proof. A geometric series b i satisfying (4) has by Lemma 5 a quotient q ln provided that ln. Hence b /λ b / b n = q n/ ( ln ) n/ = (e + O( )) (n/) ln = ( + O( ln )) n/.

12 The Tailored Sieve. Instead of distributing the µ i to 4 subintervals for every i we adjust the number of subintervals to the length of b i. We need more subintervals for µ i over all stages the longer b i, so that upon termination we have that µ i b i. As we need no subintervals for i > and only a few intervals for the i near to we can save 4 about half of the intervals for the average i, and thus reduce the number of classes per stage from to. We outline the construction, we tailor the sieve assuming for simplicity the GSA. Let a given lattice basis satisfy n i=+ b i 4 b. Lemma 3 with α =, > e shows that q < α ln and thus b i / b = q i i α <. We let n + so that there are + vectors b = n i= µi b i with µ i for i = +,..., n, µ n {, }. We tailor the sieve so that the µ i of stage s range over an interval ], ] η i,s where the integers η i,s are recursively defined so that η i,0 = 0 and η i,s+ η i,s {, 0, } for i =,..., η i,s = s + for i = +,..., n. Upon termination at stage t = log, we want to have that η i i,t +α for i which implies that i= µi b i b 4 = 4. At stage s we partition the range ], ] η i,s of the µ i into ν i,s intervals of equal length where ν i,s is either 0,,. Then the vectors b b of stage s + with b, ±b in the same class satisfy µ i µ i ], ] η i,s ν i,s +. We see that η i,s+ = η i,s ν i,s +, and thus η i,t = t t s=0 νi,s. We select the ν i,s as to minimize the number i ν i,s of equivalence classes of stage s. The ν i,s must satisfy for i =,..., t i s=0 νi,s t α t (8) so that η i i i,t t+α t +α holds upon termination for t = log. To meet Inequality (8) for the average i we select the νi,j such that t i s=0 νi,s = t αt, where r denotes the nearest integer to r. Moreover, we balance the sums i νi,s so that two sums for different stages differ at most by. We see from i i= t αt t t for α = that i= νi,s +. Then there are i ν i,s + classes per stage. Therefore it suffices to generate + vectors per stage which yields a time bound O(n + ) for the sieve. This proves the following Theorem 4. Given a lattice basis satisfying n i=+ b i 4 b, for n + o(), the tailored sieve finds in average time O(n + ) under FRA and GSA lattice vectors b all satisfying b b. Iteration of the taylored sieve yields for n by Theorem 4 and Corollary the approximation factor n = ( n ) in time O( n +o(n) ).

13 How to Justify FRA under GSA for the Taylored Sieve. The Gaussian volume heuristics tells us that the number of lattice points b such that b b is on average V n( b / ) b... b = n/ b n ( eπ ) n n Γ ( n + ) b... b b n n n b... b, n where V n(r) is the volume of the n-dimensional sphere with radius r. Under the GSA we have that n n ( ) i ( n n b / b i = b / b n = b / b n ). i= i= Thus the number of lattice points b such that b b is on average ( ) n eπ b (eπ) n n b.9 n, n provided that b n b n. Thus the number of lattice points b such that b b is much larger than the number +, required for the taylored sieve. This justifies the FRA for the taylored sieve in the case that b n b n. The Approximation Factor n. Theorem 4 requires that < n. Now we remove this conditions that is used to provide enough vectors for stage 0 of the taylored sieve. This yields under FRA and GSA the approximation factor n within average time O( n+o(n) ). Theorem 5. There is an algorithm that transforms under FRA and GSA an LLL-reduced lattice basis of dimension n = 4 t + in determinisitic time n+o(n) into a basis satisfying b n b n. Proof. We proceed as in the taylored sieve for = n, α =, t = log. However, we allow for the vectors of stage 0 that µ i +δ i for i =,..., n, µ n {, }. We let the integers δ i satisfy n/t + i δi < n so that we get at least n+n/t+ vectors for stage 0. We compensate for the larger µ i, µ i >, by additionally halving these µ i via the sieve + δ i-times over the t stages. This increases the number of classes per stage by the factor (n+ i δi)/t < n/t from n to at most n+n/t. Thus, the number of classes per stage, the number of vectors per stage and the time are all boundedby n+o(n). The final vectors vectors b = n i= µi b i at stage t = log satisfy for i =,..., n that Hence µ i +δ i δ i log = /, µ n log =. b = n i= µi b i n 4 n b + n b 4 n < b, where we use that b n b n and that b = max i b i. 3

14 Applying the sieve iteratively n-times to an LLL-reduced basis results in a basis satisfying b n b n. The property max i=,...,n b i / b i n implies that b approximates λ to within a factor n. Thus, the taylored sieve realizes by Theorem 5 and Corollary the approximation factor n. The Randomized Sieve. So far our worst case analysis uses that µ i µ i holds for µi, 4 µ i [, ]. Now we give an average case analysis for random µ i, µ i R [, ]. Randomnesss Assumption * (RA*). Let the µ i of the vectors of stage 0 be uniformly distributed over the invervals [, ] for i resp., [, ] for i >, and statistically independent for distinct vectors and distinct i. We get from Lemma and Lemma 4 the following Corollary. For random µ i, µ i R [, ] we have that. E[ µ i ± µ i ] = E[ µ i ],. E[ µ i µ i ] = 3 E[ µi ]. As E[ µ i ± µ i ] = E[ µ i ] it follows that E[ n i=+ µi ± µ i b i ] E[ n i=+ µi b i ], which is half the bound required for the proofs of Theorems 3 and 4. We show that Inequality (4) can be replaced by the stronger inequality n b i > 4 b. (4 ) i=+ If Inequality (4 ) is violated then we have by Corollary at the final stage t = log that E[ n i=+ µ i b i b ] t E[ n i=+ b i b ] 4 = 4. Therefore, Inequality (4) can be replaced on the average by (4 ), hence Theorem 6. Given a lattice basis satisfying n i=+ b i 4 b and < n the tailored, randomized sieve finds under FRA, GSA and RA +o() lattice vectors b all satisfying b b. Corollary 3. A lattice basis satisfying (4 ) approximates under GSA the shortest lattice vector to within a factor 3 4 n. Proof. Replacing in (4) by 4 4 amounts by Lemma 5 under GSA.5 ln to replace the quotient q = ln by q = α = by α =.5. By Corollary a quotient q approximation factor ( b /λ b / b n = q n/.5 ln ) n/ e 3 4 n ln = 3 4 n., i.e., replacing yields an.5 ln 4

15 The Time Bound Under RA*. Under RA* we can tailor the sieve using smaller intervals and fewer vectors per stage. We setch how to speed up the sieve so that there are on average vectors per stage requiring a total of O(n o() ) arithmetic steps. Suppose that the µ i for i of stage s range over the interval ], ] η i,s. We partition that interval into ν i,s subintervals of equal length. Two random µ i, µ i in the same subinterval satisfy Corollary 3 on the average that µ i µ i [, ] η i,s ν i,s 3. 3 Hence η i,s+ = η i,s ν i,s + log where ηi,s+ is non-integer and 3 log and thus ηi,t t s νi,s for t = log. Using α =.5 the worst case inequality (8) translates into an averaged inequality i s νi,s.585 t αt. (9) To meet Inequality (9) for the average i we select the ν i,s such that i s νi,s =.585 t αt. Moreover we balance the sums i= νi,s so that two sums for two stages s differ at most by. We see from α =.5, i i=.585 t αt.585 t α t t that there are on average classes per stage which yields an average time bound O(n ) for the randomized sieve. References [AKS0] M. Aijtai, R. Kumar, and D. Sivaumar, A Sieve Algorithm for the Shortest Lattice Vector Problem, Proceedings of the Thirty- Third ACM Symposium on Theory of Computing, 00. [H85] B. Helfrich, Algorithms to construct Minowsi reduced and Hermite reduced bases. Theoretical Computer Science 4, pp. 5 39, 985. [HPS98] J. Hoffstein, J. Pipher, and J. Silvermann, NTRU: A new high speed public ey cryptosystem, Proceedings of Algorithmic Number Theory (ANTS III), LNCS 43, Springer-Verlag, pp , 999. [K83] R. Kannan, Minowsi s convex body theorem and integer programming. Mathematics of Operations Research pp , 983. [KS0a] H. Koy and C.P. Schnorr, Segment LLL-Reduction of Lattice Bases. Proceedings CaLC 00, LNCS 46, Springer-Verlag, pp , 00. [KS0b] H. Koy and C.P. Schnorr, Segment LLL-Reduction of Lattice Bases with Floating Point Orthogonalization. Proceedings CaLC 00, LNCS 46, Springer-Verlag,pp. 8 96, 00. [KuSi] R. Kumar and D. Sivaumar, On polynomial approximations to the shortest lattice vector length. Proc. th Symposium on Discrete Algorithms, 00, [LLL8] A. K. Lenstra, H. W. Lenstra, and L. Lovász, Factoring polynomials with rational coefficients, Math. Ann. 6, pp , 98. 5

16 [LLS90] J.C. Lagarias, H.W. Lenstra Jr, and C.P. Schnorr, Korin- Zolotarev bases and successive minima of a lattice and its reciprocal lattice. Combinatoria 0 4, pp , 990. [S87] C.P. Schnorr, A hierarchy of polynomial time lattice basis reduction algorithms, Theoretical Computer Science 53, pp. 0 4, 987. [S9] C.P. Schnorr, Factoring Integers and computing discrete logarithms via diophantine approximation, Proceedings os Eurocrypt 9, LNCS 547, Springer-Verlag, pp. 8-93, 99. Final paper in AMS DIMACS Series in Discr. Math. and Theor. Comp. Sc., 3, 7 8,