M4. Lecture 3. THE LLL ALGORITHM AND COPPERSMITH S METHOD

Transcription

1 M4. Lecture 3. THE LLL ALGORITHM AND COPPERSMITH S METHOD Ha Tran, Dung H. Duong, Khuong A. Nguyen. SEAMS summer school 2015 HCM University of Science 1 / 31

2 1 The LLL algorithm History Applications of LLL Euclid s Algorithm The LLL algorithm: rank 2 lattices The LLL basis The LLL Algorithm 2 Analyzing the Running Time Why LLL is polynomial? 3 Coppersmith s Method Content 2 / 31

3 Review We have studied: Lattices and basic definitions: basis, determinant,... Problems on lattices: SVP, CVP,... Existence of a shortest vector. An upper bound for the shortest vector (Minkowski s theorem). 3 / 31

4 We have studied: Review Lattices and basic definitions: basis, determinant,... Problems on lattices: SVP, CVP,... Existence of a shortest vector. An upper bound for the shortest vector (Minkowski s theorem). Today: How to find the shortest vector of a given lattice? 3 / 31

5 We have studied: Review Lattices and basic definitions: basis, determinant,... Problems on lattices: SVP, CVP,... Existence of a shortest vector. An upper bound for the shortest vector (Minkowski s theorem). Today: How to find the shortest vector of a given lattice? LLL algorithm. 3 / 31

6 László Lovász What is LLL? Arjen Lenstra Hendrik Lenstra 4 / 31

7 The LLL algorithm A popular algorithm presented in a legendary article published in / 31

8 How popular LLL? A popular algorithm presented in a legendary article published in 1982 The LLL article has been cited x1000 times. The LLL algorithm and/or variants are implemented in: Maple, Mathematica, GP/Pari, Magma, Number Theory Library (NTL), SAGE, etc. A conference was organized in 2007 to celebrate the 25th anniversary of the LLL article. 6 / 31

9 What is LLL about? A popular algorithm presented in a legendary article published in 1982 It is an efficient algorithm. It s about finding short lattice vectors. It s about finding a short basis of a lattice. 7 / 31

10 Applications of LLL: Examples The two-square theorem: If p is a prime 1 mod 4, then p is a sum of two squares p = x 2 + y 2. This formula for π was found in 1995 using a variant of LLL: π = k=0 ( k 8k k k ). 8k + 6 Elkies used LLL in the 2000s to find: / 31

11 Applications of LLL: Examples Factoring polynomials over the integers or the rational number. Solve approximation to the SVP, as well as other lattice problems. Coppersmith s Method. Odlyzko and te Riele used LLL in 1985 to disprove the Mertens conjecture. Breaking the Merkle-Hellman cryptosystem. Since 1982, dozens of public-key cryptosystems have been broken using LLL / 31

12 Vectorial analogue of Euclid s algorithm LLL is a vectorial analogue of Euclid s algorithm to compute gcds. Instead of dealing with integers, it deals with vectors of integer coordinates. It performs similar operations, and is essentially as efficient. 10 / 31

13 Euclid s Algorithm Input: two integers a b 0. Output: gcd(a, b). While (b 0) a := a mod b Swap(a,b) Output(a) 11 / 31

14 A Vectorial Euclid s Algorithm? Since az + bz = gcd(a, b)z, Euclid computes the shortest non-zero linear combination of a and b. Given a finite set B of vectors in Z n, can one compute the shortest non-zero vector in the set L(B) of all linear combinations? 12 / 31

15 Reduction operations To improve a basis, we may: Swap two vectors. Slide: subtract to a vector a linear combination of the others. That s exactly what Euclid s algorithm does. 13 / 31

16 Lagrange s reduction: rank 2 lattices Let L be a lattice with a basis B = {b 1, b 2 }. Assume that b 1 b 2. Repeat b 2 := b 2 round(µ 2,1 )b 1 where µ 2,1 = b 1, b 2 b 1 2 and round(µ 2,1 ) is the is the closest integer to µ 2,1. Swap(b 1, b 2 ). Until b 1 b 2. Output b 1, b / 31

17 Lagrange s reduction: rank 2 lattices Let L be a lattice with a basis B = {b 1, b 2 }. Assume that b 1 b / 31

18 Lagrange s reduction: rank 2 lattices Exercise: Show that if a basis b 1, b 2 of L is Lagrange-reduced then: b 1 = λ 1 (L)-length of the shortest vector of L. 16 / 31

19 Lattices of rank 2: Lagrange-reduced A basis B = {b 1, b 2 } is called Lagrange-reduced if b 1 b 2. b 2,b 1 b Such bases exist since Lagrange s algorithm clearly outputs reduced bases. 17 / 31

20 LLL basis: general Let 1/4 < δ < 1. A basis b 1,..., b n is δ-lll reduced if and only if (Size-reduced) for j < i, µ i,j 1 2. (Lovász s conditions) δ b i 1 2 b i + µ i,i 1 b i 1 2. where µ i,j = b i,b j b j 2, i = 2,..., n and j < i. 18 / 31

21 LLL basis: general Let 1/4 < δ < 1. A basis b 1,..., b n is δ-lll reduced if and only if (Size-reduced) for j < i, µ i,j 1 2. (Lovász s conditions) δ b i 1 2 b i + µ i,i 1 b i 1 2. where µ i,j = b i,b j b j 2, i = 2,..., n and j < i. Note: b i δ µ 2 bi 2. i,i 1 Usually in practice, we take δ = 3/4. 18 / 31

22 LLL basis: general Exercise: Show that if a basis b 1, b 2 of L is Lagrange-reduced then it is LLL reduced for all 1 4 < δ < 1. Let δ = 3 4 and let L be a lattice with an LLL reduced basis B = {b 1,..., b n } Z n. Then: b 1 2 (n 1)/4 vol(l) 1/n and b 1 2 (n 1)/2 λ 1 (L). 19 / 31

23 Description of the LLL Algorithm While the basis is not LLL-reduced 1 Size-reduce the basis. 2 If Lovász s condition does not hold for some pair (i, i + 1): just swap b i and b i / 31

24 Size-reduction For i = 2 to d, For j = i 1 down to 1 Size-reduce b i with respect to b j : make µ i,j 1 2 by bi := b i round(µ i,j )b j. Update all µ i,j for j j. The translation does not affect the previous µ i,j where i < i or i = i and j > j. 21 / 31

25 LLL algorithm: general Exercise: Let L = L(B) with B = {b 1 = (10, 2, 3), b 2 = ( 3, 2, 9), b 3 = (0, 2, 7)}. Find an LLL-reduced basis of L. Find a shortest vector of L. (Hint: Use the last Corollary.) 22 / 31

26 Why LLL is polynomial? Our analysis consists of two steps. Bound the number of iterations. Bound the running time of a single iteration. 23 / 31

27 Why LLL is polynomial? Our analysis consists of two steps. Bound the number of iterations. Bound the running time of a single iteration. Let M := max{n, log(max i bi )}. Then the overall running time of the algorithm is polynomial in M. Lemma 1 The number of iterations is polynomial in M. Lemma 2 The running time of each iteration is polynomial in M. 23 / 31

28 Why LLL is polynomial? Lemma 1 The number of iterations is polynomial in M. 24 / 31

29 Why LLL is polynomial? Lemma 1 The number of iterations is polynomial in M. proof: Consider the quantity P = n i=1 b 1 b i = n i=1 D i = n i=1 b i n i+1 where D i is the volume of the lattice L(b 1,, b i ). If the b i s have integral coordinates, then P is a positive integer. Size-reduction does not modify P. But each swap of LLL makes P decrease by a factor δ. This implies that the number of swaps is polynomially bounded. 24 / 31

30 Why LLL is polynomial? Lemma 2 The running time of each iteration is polynomial in M. 25 / 31

31 Why LLL is polynomial? Lemma 2 The running time of each iteration is polynomial in M. proof: Each iteration we perform only a polynomial number of arithmetic operations. The numbers that arise in each iteration can be represented using a polynomial number of bits. (Exercise :)) 25 / 31

32 Enumerating short vectors Proposition Let L be a lattice with an LLL reduced basis b 1,..., b n. Let m 1,..., m n R, and put x = n i=1 m ib i. Then one has m i 2 (n 1)/2 ( 3 2 ) n i x b 1 for all i. 26 / 31

33 Enumerating short vectors Corollary Let L be a lattice with an LLL reduced basis b 1,..., b n. If x = n i=1 m ib i is a shortest vector of L then m i 2 (n 1)/2 ( 3 2) n i for all i. 27 / 31

34 Coppersmith s Method Proposed by Don Coppersmith. 28 / 31

35 Coppersmith s Method Proposed by Don Coppersmith. One nice application of LLL. Is a method to find small integer roots of polynomial equations. This technique has been a very powerful tool in cryptanalysis. 28 / 31

36 Coppersmith s Method Theorem 2.1 There is an efficient algorithm that, given any monic, degree d polynomial f (x) Z[x] and an integer N, outputs all integers x 0 such that x 0 B = N 1/d and f (x 0 ) = 0 mod N. 29 / 31

37 Recap: LLL algorithm Let L be a lattice with a basis B. Then LLL finds in polynomial time a basis whose first vector satisfies: b 1 2 (n 1)/4 vol(l) (1/n) and b 1 2 (n 1)/2 λ 1 (L). 30 / 31

38 Recap: LLL algorithm Let L be a lattice with a basis B. Then LLL finds in polynomial time a basis whose first vector satisfies: b 1 2 (n 1)/4 vol(l) (1/n) and b 1 2 (n 1)/2 λ 1 (L). Remark The constant 2 can be replaced by 4/3 + ε and the running time becomes polynomial in 1/ε. It performs much better than what the worst-case bounds suggest, especially in low dimension. LLL performs better in practice than predicted by theory, but the approximation factors remain exponential on the average and in the 30 / 31

39 References Eva Bayer-Fluckiger. Lattices and number fields. In Algebraic geometry: Hirzebruch 70 (Warsaw, 1998), volume 241 of Contemp. Math., pages Amer. Math. Soc., Providence, RI, Hendrik W. Lenstra, Jr. Lattices. In Algorithmic number theory: lattices, number fields, curves and cryptography, volume 44 of Math. Sci. Res. Inst. Publ., pages Cambridge Univ. Press, Cambridge, Chris Peikert. LLL, Coppersmith. Lecture note of the course CS 8803 LIC: Lattices in Cryptography (2013). Daniele Micciancio. Basis reduction. Lecture note of the course CSE206A: Lattices Algorithms and Applications (Spring 2014). Oded Regev. The LLL algorithm. Lecture note of the course Lattices in Computer Science (Fall 2009). Phong Nguyen. The LLL algorithm. 31 / 31