A Novel Reduction Algorithm

Dipayan Das1 and Vishal Saraswat2 1Department of Mathematics, National Institute of Technology (NIT), Durgapur, India 2Department of Computer Science and Engineering, Indian Institute of Technology (IIT), Jammu, India

Keywords: Lattice Based Crypto, CVP, SVP, .

Abstract: The quantum threats have made the traditional number theoretic cryptography weak. Lattice based crypto- graphic constructions are now considered as an alternative of the number theoretic cryptography which resists the quantum threats. The cryptographic hardness of the lattice based constructions mainly lies on the difficulty of solving two problems, namely, shortest vector problem (SVP) and closest vector problem (CVP). Solving these problems become “somewhat” easier if the lattice is almost orthogonal. Given any basis, finding an almost orthogonal basis is termed as lattice basis reduction (or simply lattice reduction). The SVP has been shown to be reducible to the CVP but the other way is still an open problem. In this paper, we work towards proving the equivalence of the CVP and SVP and provide a history of the progress made in this direction. We do a brief review of the existing lattice reduction algorithms and present a new lattice basis reduction algorithm similar to the well-studied Korkine-Zolotareff (KZ) reduction which is used frequently for decoding lattices. The proposed algorithm is very simple — it calls the shortest vector oracle for n 1 times and outputs an − almost orthogonal lattice basis with running time O(n3), n being the rank of the lattice.

1 INTRODUCTION less than √2. The best known deterministic algorithm to solve The two main hard problems of interest in the CVP in a general lattice is given in (Micciancio and lattices are SVP and CVP. Many cryptographic Voulgaris, 2013) which takes O˜(22n) operations and schemes (Goldreich et al., 1997; Ajtai and Dwork, O˜(2n) space. The algorithm uses a description of 1997; Hoffstein et al., 1998) have been developed the Voronoi cell of the lattice as a pre-processing based on the hardness of either of the two problems function before the target vector is revealed. Prior or some variants of it. to (Micciancio, 2001), the best deterministic algo- Both CVP and SVP were shown to be NP rithm to solve CVP was due to Kannan (Kannan, hard (van Emde Boas, 1981; Khot, 2005). But, CVP 1987b) which takes nO(n) running time. In (Hanrot is considered to be the hardest of all the lattice prob- and Stehle,´ 2007), the Kannan method was improved, lems. Let us discuss it briefly. In (Goldreich et al., which solves CVP in running time n0.5n. 1999a; Micciancio, 2008), it is shown that an oracle solving CVP can be used to solve SVP and SIVP re- There are randomized algorithms which perform spectively. In the other direction, solving CVP with better than the deterministic ones. For example in (Aj- an oracle that solves the other hard tai et al., 2001), a sieve algorithm was introduced is not known properly. For example, it is still un- known as “AKS Sieve”, which solves SVP in run- O(n) known whether SVP oracle can be used to solve CVP. ning time 2 . The AKS method is based on an im- Though in (Kannan, 1987a), it has been shown that if proved sampling method that generates short vectors we have an oracle that solves SVP exactly, it can be from the given lattice. In (Ajtai et al., 2002), the AKS used to solve CVP with an approximation factor of Sieve was reformulated to solve CVP with an approx- 1) O(√n) using homogenization technique in a higher imation factor 1 + ε in running time 2O(1+ε− . The dimension. Though in (Micciancio and Goldwasser, running time was improved using a variant of AKS 2012), it is suggested that approximating CVP within method in (Blomer¨ and Naewe, 2007) and (Arvind the same factor as of (Kannan, 1987a) can be achieved and Joglekar, 2008) keeping the approximation fac- making O(nlogn) calls to an oracle which solves an tor same. Another randomized technique used to approximate solution of SVP, approximation factor solve the hard problems of the lattice is Sampling

496

Das, D. and Saraswat, V. A Novel Lattice Reduction Algorithm. DOI: 10.5220/0006862104960501 In Proceedings of the 15th International Joint Conference on e-Business and Telecommunications (ICETE 2018) - Volume 2: SECRYPT, pages 496-501 ISBN: 978-989-758-319-3 Copyright © 2018 by SCITEPRESS – Science and Technology Publications, Lda. All rights reserved A Novel Lattice Reduction Algorithm

Gaussian distribution with proper parameter. Agar- trix (Agrell et al., 2002). We consider such a basis. wal et al. have given a randomized algorithm that The basis B is called KZ reduced if b1 is a short- solves an exact version of SVP using discrete Gaus- est vector of the lattice and the modulus of non-zero sian sampling in 2n+O(n) time and space (Aggarwal non-diagonal elements of each column is less than or et al., 2015a). In (Aggarwal et al., 2015b), the simi- equal to the modulus of half of diagonal elements of 1 lar type of sampling technique is used to solve exact the corresponding column. That is bki 2 bii for CVP. Though the work is a bit complicated and uses each i = 1,2,...,n and k = 1,2,...,n|. Geometrically| ≤ | | almost all previously known methods like basis re- the last criteria says that the angle made by any two duction, Voronoi description, and sieving along with basis vectors is at least 60 degree. That is any two the sampling of shifted discrete Gaussian distribution basis vectors are highly orthogonal. Let us illustrate with the proper parameter to solve CVP exactly. A this in dimension 2. Let B be the KZ reduced basis in nice survey of solving CVP of the known methods dimension and rank 2. Let are given in (Agrell et al., 2002). b b 0 B = 1 = 11 b2 b21 b22     1.1 Basis Reduction and Related Work 1 and b21 2 b11 . This implies that b2 cosθ 1 | |≤ | | k k ≤ 2 b1 , where θ is the angle between b1 and b2, that A lattice has an infinite number of basis of rank is,k k greater than 1. If B,B˜ are the two basis that generates 1 1 cosθ b / b the same lattice L, then it can be shown that B˜ = UB ≤ 2k 1k k 2k ≤ 2 for some uni-modular matrix U, that is integer matrix The last inequality is due to the fact that B is KZ re- with absolute value 1. duced and so b1 is the shortest vector in the lattice. Given any lattice, finding an orthogonal basis (if Similarly, for any dimension and rank, we can rede- exists) is hard. Even, deciding whether there exist an fine the second criteria of KZ reduced basis as the cri- orthogonal basis is not known for general lattices. But teria that any two bases element is highly orthogonal. in “lattices with symmetry”, which is a special type of Like KZ reduced basis, there exist another famous lattice, Gentry-Szydlo algorithm given in (Gentry and basis reduction criteria known as LLL reduction. The Szydlo, 2002) can determine this problem with high only difference LLL reduction criteria have that in- probability. It gives an efficient method to achieve an stead of b1 to be the shortest lattice vector, it has the orthogonal basis (if there is) for an . criteria that b 2 b . The second condition of k 1k ≤ √3 k 2k Basis reduction algorithms have many applica- LLL reduction criteria is same as that of KZ. tions. It is important in areas like communica- It is easy to see that any basis which is KZ reduced tions (Agrell et al., 2002; Wubben et al., 2011), com- is also LLL reduced. The reason for the superiority binatorial optimization (Eisenbrand, 2010), cryptog- of the LLL reduction criteria is that there exists an raphy (Hanrot et al., 2011a), number theory (Goldre- efficient tool to achieve a LLL reduced basis (Lenstra ich et al., 1999b), etc. A nice survey in this regard is et al., 1982). Later, there have been algorithms for given in (Wubben et al., 2011). reduction based on both KZ and LLL (Schnorr, 1987). Hermite (1850) has given the idea of basis reduc- It is known as the BKZ reduction algorithm. tion but unfortunately, he doesn’t provide any such The current best lattice basis reductions (theoreti- algorithm for basis reduction. According to Hermite cally and practically) can be classified by a pair algo- a basis B = b ,b ,...,bn is reduced if bi b0 rithms. Firstly, the rational BKZ algorithm (Schnorr { 1 2 } k k ≤ k ik for all basis B0 of the same lattice and b j = b0 , and Euchner, 1994; Schnorr, 1987), in its updated k k k jk j = 1,2,...,i 1 (Hermite, 1850). Later in 1905, BKZ 2.0 form (Chen and Nguyen, 2011) doing some − Minkowski (Minkowski, 1905) has defined criteria of modifications like repetitive preprocessing and rapid basis reduction known as Minkowski reduction which aborting strategies (Gama et al., 2010; Hanrot et al., is very similar to that of Hermite. He made a slight 2011b). Secondly, the Slide reduction algorithm pro- change of the second criteria of Hermite. Instead of posed (Gama and Nguyen, 2008b), a novel general- b j = b0 , he has directly taken b j = b0 . Two types ization of LLL (Lenstra et al., 1982; Nguyen, 2009) k k k jk j of basis reduction that have gained fame and popular- which almost approximates SVP within small factors. ity is LLL reduction and KZ reduction. Let us define The two algorithms call the SVP oracle for di- these reduced basis. Before that, some special basis mension of lower order sublattices which are char- is considered in which the KZ reduction and LLL re- acterized by a bound k (termed as the “block size”) duction is well understood. on the lattice dimensions. The algorithm of Slide It can be shown that every lattice has a basis reduction has qualities like it makes only a polyno- which can be represented as an upper triangular ma- mial number of calls to the shortest vector oracle, all

497 SECRYPT 2018 - International Conference on Security and Cryptography

the shortest vector calls are applied on the sublattices ensuring that the basis vectors are shortest possible by projected in the dimension k, and it obtains the cur- calling the SVP oracle iteratively. rent best worst-case upper bound on the length of We call the SVP oracle and size reduce the basis (n 1)/2(k 1) 1/n formed by the remaining basis vectors (other than the the outputted shortest vector: γk − − det(L) , the constant γk = Θ(k) is known as the Hermite con- shortest one) and continue iteratively as follows. We first reduce the n 1 basis vectors by a suitable in- stant. Lamentably, it has been stated in (Gama and − Nguyen, 2008b; Gama and Nguyen, 2008a) that the teger combination of the shortest vector (size reduce experimental results of the algorithm which follows the n 1 basis vectors similar to what is done in LLL or KZ−), such that the resulting n 1 basis vectors are Slide reduction perform better than BKZ, which out- − puts shorter vectors for some standard block size. short with respect to the shortest vector. Details of the On the other hand, the BKZ algorithm has its own size reduction algorithms can be found in (Laarhoven flaws too. There is no guarantee for the termina- et al., 2012). Then the SVP oracle is called on the “re- duced” n 1 basis vectors. We iterate the reduction in tion of the algorithm even after a polynomial num- − ber of shortest vector oracle call, and its experimental this fashion until we obtain last shortest vector in one has appeared in (Gama and Nguyen, dimensional sublattice. 2008a) and is reported to increase super-polynomially Let us describe briefly about the difference be- in the dimension of the lattice with fixed small block tween the KZ reduction and the algorithm proposed size. by us. For KZ reduction, in the second step right after Micciancio et al. have given new methods that we use the SVP oracle to find out the shortest vector, we need to project the remaining n 1 basis vectors to can be changed to define better reduction methods − in (Micciancio and Walter, 2016). They have ana- the subspace that is orthogonal to the shortest vector, and then call the SVP oracle on the projected n 1 lyzed their theoretical performance with block size − comparatively high. vectors. The output of the SVP oracle will help to de- The LLL algorithm can be processed very quickly cide the second KZ reduced basis vector, and the KZ under a few conditions and has some characteristics reduction moves on in this style. which are studied recently in (Chang et al., 2013; Wen et al., 2016; Wen and Chang, 2017b). In some appli- cations of communication theory, one needs to get so- 2 PRELIMINARIES lutions of a sequence of CVP’s, where the target vec- tors are different on the same lattice. Here, instead of We use , to define the sets of Reals and Integers adapting the LLL algorithm, one usually adapts the R Z respectively. Let m be the Euclidean KZ reduction to do the pre-processing step, as it be- R of dimension m, and is the Euclidean norm ` . comes more efficient in practice. 2 Let B = b ,b ,...,b k, · 1k k < m, be vectors of m There are many variations of KZ basis reduction 1 2 k R which are{ linearly independent.} ≤ We define a lattice available today. They are given in (Agrell et al., 2002; L Rm generated by an arbitrary basis B as Schnorr, 1987; Wen and Chang, 2017a). ⊂ k ( ) = . L B or L B ∑i=1 cibi ci Z 1.2 Our Contribution { } ∈ n o

We define the dimension of the lattice to be m and We have proposed an algorithm for generating a new the rank to be k. For the sake of simplicity, we are basis for a given lattice, which is very orthogonal. It is considering the integral lattice that is lattice which is kind of similar to KZ reduction (Korkine and Zolotar- generated by integer basis. A lattice L is a discrete eff, 1873), but not exactly the same. One holding the additive subgroup of Rm. We can represent a basis of SVP oracle first finds out the shortest vector (up to a lattice of rank k and dimension m as a k m matrix × sign) of the lattice corresponding to the given basis B where every row bi is the basis vector of the lattice. and then transforms the original basis into a new ba- If m = k we call it full rank lattice. sis where the first row is the shortest vector. In prac- (Shortest vector problem (SVP)) Given tice, this can be implemented by calling the LLL al- Definition 1 . a lattice L = L(B), SVP is to find a non-zero vector gorithm. But, while the LLL reduction algorithm exe- x L such that x v for all v L 0 . cutes each iteration in such a way that the final output ∈ k k ≤ k k ∈ \{ } is a basis in which the basis vectors are at most 30 Definition 2 (Closest vector problem (CVP)). Given degrees from being orthogonal, our proposed reduc- a lattice L = L(B) and a target vector t Rm (not nec- tion algorithm tries to maximize the orthogonality be- essarily in the lattice L), CVP is to find∈ a vector x L tween the resulting basis vectors and simultaneously such that x t v t for all v L. ∈ k − k ≤ k − k ∈

498 A Novel Lattice Reduction Algorithm

3 SOME IMPORTANT RESULTS 4 BASIS REDUCTION ALGORITHM Here we provide some important results that are re- lated to our basis reduction algorithm. Here we propose the basis reduction algorithm (Fig- Proposition 1. Any pair of bases of a lattice L are ure 1) and provide the main result of this paper in the connected by a uni-modular matrix. Section 4.1. We discuss the time complexity of the Proposition 2. Let B = b1,b2,...,bn be a basis algorithm in Subsection 4.2. of the lattice L and let v{ be a shortest} vector in L. n Algorithm for basis reduction Then v can be written uniquely as v = ∑i=1 αibi where gcd(α ,α ,...,α ) = 1. Input L(B) 1 2 n ← for(i = 1;i < n;i + +) Proof. Let d = gcd(α1,α2,...,αn). Then, for i = n 1,...,n, αi/d is an integer so that v0 = ∑i=1(αi/d)bi Run the SVP oracle O on L(B) is another vector in the lattice L and v0 = v /d. to get the shortest lattice vector σi 1 Since v is a shortest vector in L, d = 1.k k k k in rank n i + 1 − − L(B) L(B/σi 1) Proposition 3 ((Newman, 1972; Magliveras ← − L(B) L(B) et al., 2008)). Let α1,α2,...,αn Z be such that size reduce ∈ ← gcd(α1,α2,...,αn) = dn . Then there exists an integer Output B˜ = σ0,σ1,...,σn 1 ← { − } matrix U having the initial row as (α1,α2,...,αn) Figure 1: Our Proposed lattice basis reduction. and determinant value dn.

Proof. Let α1,α2,...,αn Z be such that all αi’s 4.1 Analysis of the Proposed Algorithm are not zero. By doing∈ permutation (if required), we can have α1 = 0. Let us define d1 = α1,di = Theorem 3. Let L = L B be a given lattice. Suppose 6 { } gcd(α1,α2,...,αi)(2 i n),d = dn. All di’s are we have an oracle O that solves SVP in any rank of a well defined (because≤ we≤ have considered α = 0) lattice, then we have an efficient algorithm to reduce 1 6 and di = gcd(di 1,αi)(2 i n). By Euclidean it to a basis B˜ that is the highly orthogonal one using − ≤ ≤ algorithm, we can find ti, si efficiently such that di = n 1 oracle calls such that L = L B = L B˜ . − { } { } ti 1di 1 + si 1αi where si 1 di 1. − We− can construct− a matrix| − | ≤U such− that Proof. Let B0 be a given lattice basis which generates L = L B0 . We run the oracle O on L B0 and get α1 α2 α3 ... αn { } { } the shortest vector as σ0. By Proposition 4, we can s1 t1 0 ... 0 −α1s2 α2s2 generate a new basis B0 = σ0,b1,b2,...,bn 1 such  t2 ... 0  { − } U :=(Ui, j):= − d2 − d2 that L = L B = L B0 . . . . . 0  ......  Let L {B } = L{B } σ be a new lattice gen-  . . . . .  { 1} { 0 \{ 0}}  α1sn 1 α2sn 1 α3sn 1  erated by eliminating all the integer linear combina- − − − ... tn  dn 1 dn 1 dn 1 1 − − − − − − −  tions of σ . The rank of the lattice L B is n 1   0 { 1} − Thus, U is an integral matrix and using simple induc- with basis B1 = b1,b2,...,bn 1 . We size-reduce { − } tion it can be shown that det(U) = dn = d. the elements of B1 which can be done efficiently such that B has short vectors with respect to . We Proposition 4. Let L = L(B) where B = 1 σ0 n now run the oracle O on L B to get the shortest { 1} b1,b2,...,bn is a basis of L. Let v = ∑ αibi vector σ1 in rank n 1. By Proposition 4, we can { } i=1 − be a shortest vector in L(B). Then v and n 1 vectors create a new basis B10 = σ1,b20 ,...,bn0 1 such that − L = L B = L B . { − } in L can be extended to form a basis of L. { 1} { 10 } Let L B2 = L B10 σ1 be a new lattice gener- n ated by eliminating{ } { all\{ the integer}} linear combinations Proof. We can create n 1 vectors as ∑ Ui, jb j, 2 − j=1 ≤ of σ . The rank of the lattice L B is n 2 with basis 1 { 2} − i n, where B2 = b20 ,b30 ,...,bn0 1 . We size-reduce the elements ≤ { − } α jsi 1 of B2 such that B2 has short vectors with respect to σ1. Ui, j = − 1 j i 1,2 i n, − di 1 ≤ ≤ − ≤ ≤ We now run the oracle O on L B2 to get the shortest − { } vector σ2 in rank n 2. Ui,i = ti 1 2 i n, − − ≤ ≤ Doing accordingly, let L Bn 1 = L Bn0 2 Ui, j = 0 i + 1 j n,2 i n { − } { − \ σn 2 , where σn 2 is the oracle output of shortest ≤ ≤ ≤ ≤ { − }} − The result now follows from the Propositions 2 and 3. vector in rank 2, Bn0 2 is the basis of rank 2 including the shortest vector. −

499 SECRYPT 2018 - International Conference on Security and Cryptography

After reduction, we now run the oracle O on Kolkata. We are thankful to Kajla Basu for her sup- L Bn 1 to get σn 1, the shortest vector in rank 1. port. { − } − Let B˜ = σ0,σ1,...,σn 1 . We can see that B˜ and B generate{ the same lattice− } that is L B = L B˜ . { } { } Since σi’s are the shortest vector of rank n i, so we REFERENCES can conclude that B˜ is the “good” basis, that− is vectors are sufficiently orthogonal to one another. Aggarwal, D., Dadush, D., Regev, O., and Stephens- Davidowitz, N. (2015a). Solving the shortest vec- 4.2 Running Time Analysis tor problem in 2 n time using discrete gaussian sam- pling. In Proceedings of the forty-seventh annual ACM symposium on Theory of computing, pages 733– Let B = b1,b2,...,bn is a basis of the lattice L and 742. ACM. {n } let v = ∑i=1 αibi be a shortest vector in L. Let α0 and Aggarwal, D., Dadush, D., and Stephens-Davidowitz, N. α1 be the two maximum absolute values of all αi . (2015b). Solving the closest vector problem in 2ˆ n Then, the worst-case time complexity of computing| | time–the discrete gaussian strikes again! In Founda- 2 basis with the shortest vector is O(n logα0 logα1). tions of Computer Science (FOCS), 2015 IEEE 56th For one oracle call, constructing the new Annual Symposium on, pages 563–582. IEEE. basis, the number of bit operations needed is Agrell, E., Eriksson, T., Vardy, A., and Zeger, K. (2002). 2 Closest point search in lattices. IEEE transactions on O(n logα0 logα1). So, for n 1 oracle calls, worst- 3 − information theory, 48(8):2201–2214. case running time is O(n logα0 logα1) bit operations Ajtai, M. and Dwork, C. (1997). A public-key cryptosystem which is the required worst-case time complexity for with worst-case/average-case equivalence. In Pro- our new basis construction as in Theorem 3. ceedings of the twenty-ninth annual ACM symposium on Theory of computing, pages 284–293. ACM. Ajtai, M., Kumar, R., and Sivakumar, D. (2001). A sieve algorithm for the shortest lattice vector problem. In 5 DISCUSSIONS AND OPEN Proceedings of the thirty-third annual ACM sympo- PROBLEMS sium on Theory of computing, pages 601–610. ACM. Ajtai, M., Kumar, R., and Sivakumar, D. (2002). Sampling We have described a polynomial time algorithm for short lattice vectors and the closest lattice vector prob- lem. In Computational Complexity, 2002. Proceed- lattice basis reduction by calling the shortest vector ings. 17th IEEE Annual Conference on, pages 53–57. oracle using simple geometry and linear algebra. In IEEE. general, the best known algorithms take an exponen- Arvind, V. and Joglekar, P. S. (2008). Some sieving algo- tial time to find the shortest vector but in some re- rithms for lattice problems. In LIPIcs-Leibniz Interna- stricted lattices like root lattices, SVP can be found tional Proceedings in Informatics, volume 2. Schloss in polynomial time. So in lattices with special struc- Dagstuhl-Leibniz-Zentrum fur¨ Informatik. tures, our algorithm can be a practical use which is Blomer,¨ J. and Naewe, S. (2007). Sampling methods for yet to be analyzed. shortest vectors, closest vectors and successive min- ima. In International Colloquium on Automata, Lan- In Section 1.1, we have stated that in general lat- guages, and Programming, pages 65–77. Springer. tices deciding whether a lattice has an orthogonal ba- Chang, X., Wen, J., and Xie, X. (2013). Effects of sis is hard. Nothing much is known in this regard. Can the LLL reduction on the success probability of the we construct some algorithm that will decide whether Babai point and on the complexity of sphere de- the lattice has an orthogonal basis using an SVP or- coding. IEEE Transactions on Information Theory, acle? This question is yet to be answered. Can we 59(8):4915–4926. make some tweak in our algorithm so that it can an- Chen, Y. and Nguyen, P. Q. (2011). BKZ 2.0: Better lattice swer the above question? Then it will imply that solv- security estimates. In International Conference on the ing the shortest vector problem is as hard as deciding Theory and Application of Cryptology and Informa- tion Security, pages 1–20. Springer. whether a lattice has an orthogonal basis. Conway, J. and Sloane, N. (1982). Fast quantizing and decoding and algorithms for lattice quantizers and codes. IEEE Transactions on Information Theory, ACKNOWLEDGEMENTS 28(2):227–232. Eisenbrand, F. (2010). and algorith- mic geometry of numbers. 50 Years of Integer Pro- We thank the anonymous reviewers for the construc- gramming 1958-2008, pages 505–559. tive and helpful comments. Part of the work was Gama, N. and Nguyen, P. (2008a). Predicting lattice reduc- carried out while visiting the R.C.Bose Centre for tion. Advances in Cryptology–EUROCRYPT 2008, Cryptology and Security, Indian Statistical Institute, pages 31–51.

500 A Novel Lattice Reduction Algorithm

Gama, N. and Nguyen, P. Q. (2008b). Finding short lattice Lenstra, A. K., Lenstra, H. W., and Lovasz,´ L. (1982). Fac- vectors within Mordell’s inequality. In Proceedings toring polynomials with rational coefficients. Mathe- of the fortieth annual ACM symposium on Theory of matische Annalen, 261(4):515–534. computing, pages 207–216. ACM. Magliveras, S. S., van Trung, T., and Wei, W. (2008). Prim- Gama, N., Nguyen, P. Q., and Regev, O. (2010). Lattice itive sets in a lattice. Australasian Journal of Combi- enumeration using extreme pruning. In Annual In- natorics, 40:173. ternational Conference on the Theory and Applica- Merkle, R. and Hellman, M. (1978). Hiding information tions of Cryptographic Techniques, pages 257–278. and signatures in trapdoor knapsacks. IEEE transac- Springer. tions on Information Theory, 24(5):525–530. Gentry, C. and Szydlo, M. (2002). Cryptanalysis of the re- Micciancio, D. (2001). The hardness of the closest vector vised NTRU signature scheme. In International Con- problem with preprocessing. IEEE Transactions on ference on the Theory and Applications of Crypto- Information Theory, 47(3):1212–1215. graphic Techniques, pages 299–320. Springer. Micciancio, D. (2008). Efficient reductions among lattice Goldreich, O., Goldwasser, S., and Halevi, S. (1997). problems. In Proceedings of the nineteenth annual Public-key cryptosystems from lattice reduction prob- ACM-SIAM symposium on Discrete algorithms, pages lems. In Advances in Cryptology-CRYPTO’97: 17th 84–93. Society for Industrial and Applied Mathemat- Annual International Cryptology Conference, Santa ics. Barbara, California, USA, August 1997. Proceedings, Micciancio, D. and Goldwasser, S. (2012). Complexity of page 112. Springer. lattice problems: a cryptographic perspective, volume Goldreich, O., Micciancio, D., Safra, S., and Seifert, J.-P. 671. Springer Science & Business Media. (1999a). Approximating shortest lattice vectors is not Micciancio, D. and Voulgaris, P. (2013). A determinis- harder than approximating closest lattice vectors. In- tic single exponential time algorithm for most lattice formation Processing Letters, 71(2):55–61. problems based on voronoi cell computations. SIAM Goldreich, O., Ron, D., and Sudan, M. (1999b). Chinese Journal on Computing, 42(3):1364–1391. remaindering with errors. In Proceedings of the thirty- Micciancio, D. and Walter, M. (2016). Practical, predictable first annual ACM symposium on Theory of computing, lattice basis reduction. In Annual International Con- pages 225–234. ACM. ference on the Theory and Applications of Crypto- Hanrot, G., Pujol, X., and Stehle,´ D. (2011a). Algorithms graphic Techniques, pages 820–849. Springer. for the shortest and closest lattice vector problems. In Minkowski, H. (1905). Diskontinuitatsbereich¨ fur¨ arith- International Conference on Coding and Cryptology , metische aquivalenz.¨ Journal fur¨ die reine und ange- pages 159–190. Springer. wandte Mathematik, 129:220–274. ´ Hanrot, G., Pujol, X., and Stehle, D. (2011b). Analyzing Newman, M. (1972). Integral matrices, volume 45. Aca- blockwise lattice algorithms using dynamical systems. demic Press. In CRYPTO, volume 6841, pages 447–464. Springer. Nguyen, P. Q. (2009). Hermite’s constant and lattice algo- Hanrot, G. and Stehle,´ D. (2007). Improved analysis of rithms. In The LLL Algorithm, pages 19–69. Springer. kannans shortest lattice vector algorithm. In Annual International Cryptology Conference, pages 170–186. Schnorr, C.-P. (1987). A hierarchy of polynomial time lat- Springer. tice basis reduction algorithms. Theoretical computer science, 53(2):201–224. Hermite, C. (1850). Extraits de lettres de M. Ch. Hermite a` M. Jacobi sur differents´ objects de la theorie´ des nom- Schnorr, C.-P. and Euchner, M. (1994). Lattice basis reduc- bres. Journal fur¨ die reine und angewandte Mathe- tion: Improved practical algorithms and solving sub- matik, 40:261–277. set sum problems. Mathematical programming, 66(1- 3):181–199. Hoffstein, J., Pipher, J., and Silverman, J. H. (1998). NTRU: A ring-based public key cryptosystem. In Interna- van Emde Boas, P. (1981). Another NP-complete partition tional Algorithmic Number Theory Symposium, pages problem and the complexity of computing short vec- 267–288. Springer. tors in a lattice. Universiteit van Amsterdam. Mathe- matisch Instituut. Kannan, R. (1987a). Algorithmic geometry of numbers. An- nual review of computer science, 2(1):231–267. Wen, J. and Chang, X. (2017a). A KZ reduction algorithm. arXiv preprint arXiv:1702.08152. Kannan, R. (1987b). Minkowski’s convex body theorem and integer programming. Mathematics of operations Wen, J. and Chang, X. (2017b). Success probability of research, 12(3):415–440. the Babai estimators for box-constrained integer lin- ear models. IEEE Transactions on Information The- Khot, S. (2005). Hardness of approximating the short- ory, 63(1):631–648. est vector problem in lattices. Journal of the ACM (JACM), 52(5):789–808. Wen, J., Tong, C., and Bai, S. (2016). Effects of some lattice reductions on the success probability of the Korkine, A. and Zolotareff, G. (1873). Sur les formes zero-forcing decoder. IEEE Communications Letters, quadratiques. Mathematische Annalen, 6(3):366–389. 20(10):2031–2034. Laarhoven, T., van de Pol, J., and de Weger, B. (2012). Wubben, D., Seethaler, D., Jalden,´ J., and Matz, G. (2011). Solving hard lattice problems and the security of Lattice reduction. IEEE Signal Processing Magazine, lattice-based cryptosystems. IACR Cryptology EPrint 28(3):70–91. Archive, 2012:533.

501