Phong Q. Nguyen Brigitte Vallée (Eds.)
||||| | |||||| | || ||| || ||| ||||||||||| || ||||||
| || ||| || ||| ||||||||||||| |||||| | ||| ||||||||||| |
|||||| | |||||| ||| ||| || ||| ||||||||||| || |||||| |||
||| || ||| ||||||||||| || |||||| | ||| ||||||| ||||||||||| |
|||||| |||| ||| || ||| ||||||||||| || ||||||| ||| |||||||||| The LLL Algorithm
Survey and Applications
123 Information Security and Cryptography Texts and Monographs
Series Editors David Basin Ue li Maurer
Advisory Board Martín Abadi Ross Anderson Michael Backes Ronald Cramer Virgil D. Gligor Oded Goldreich Joshua D. Guttman Arjen K. Lenstra John C. Mitchell Tatsuaki Okamoto Kenny Paterson Bart Preneel Phong Q. Nguyen • Brigitte Vallée Editors
The LLL Algorithm Survey and Applications
123 Editors Dr. Phong Q. Nguyen Dr. Brigitte Vallée INRIAResearch Director CNRS Research Director École Normale Supérieure and Research Director Département d'Informatique Département d'Informatique Paris, France Université de Caen, France [email protected] [email protected]
ISSN 1619-7100 ISBN 978-3-642-02294-4 e-ISBN 978-3-642-02295-1 DOI 10.1007/978-3-642-02295-1 Springer Heidelberg Dordrecht London New York
Library of Congress Control Number: 2009934498
ACM Computing Classification (1998): F.2, F.1, E.3, G.1
© Springer-Verlag Berlin Heidelberg 2010 This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproductiononmicrofilmorinanyotherway,andstorageindatabanks.Duplicationofthispublicationor parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law. The use of general descriptive names, registered names, trademarks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.
Cover design: KuenkelLopka GmbH
Printed on acid-free paper
Springer is a part of Springer Science+Business Media (www.springer.com) Preface
Computational aspects of geometry of numbers have been revolutionized by the Lenstra–Lenstra–Lov´asz lattice reduction algorithm (LLL), which has led to break- throughs in fields as diverse as computer algebra, cryptology, and algorithmic number theory. After its publication in 1982, LLL was immediately recognized as one of the most important algorithmic achievements of the twentieth century, because of its broad applicability and apparent simplicity. Its popularity has kept growing since, as testified by the hundreds of citations of the original article, and the ever more frequent use of LLL as a synonym to lattice reduction. As an unfortunate consequence of the pervasiveness of the LLL algorithm, researchers studying and applying it belong to diverse scientific communities, and seldom meet. While discussing that particular issue with Damien Stehl´e at the 7th Algorithmic Number Theory Symposium (ANTS VII) held in Berlin in July 2006, John Cremona accurately remarked that 2007 would be the 25th anniversary of LLL and this deserved a meeting to celebrate that event. The year 2007 was also involved in another arithmetical story. In 2003 and 2005, Ali Akhavi, Fabien Laguillaumie, and Brigitte Vall´ee with other colleagues organized two workshops on cryptology and algorithms with a strong emphasis on lattice reduction: CAEN ’03 and CAEN ’05, CAEN denoting both the location and the content (Cryptologie et Algorith- mique En Normandie). Very quickly after the ANTS conference, Ali Akhavi, Fabien Laguillaumie, and Brigitte Vall´ee were thus readily contacted and reacted very enthusiastically about organizing the LLL birthday conference. The organization committee was formed. Within a couple of months, the three L’s, Arjen and Hendrik Lenstra, and L´aszl´o Lov´asz, kindly accepted to participate, which provided confidence to the organizing team. At the same time, a program committee was created. Its members – Karen Aardal, Shafi Goldwasser, Phong Nguyen, Claus Schnorr, Denis Simon, and Brigitte Vallee ´ – come from diverse fields, so as to represent as many LLL-practitioners as possible. They invited speakers to give overview talks at the conference. The anniversary conference eventually took place between 29th June and 1st July 2007, at the University of Caen. During these three days, 14 invited talks were given on topics closely related to the LLL algorithm. A poster session gathered 12 presentations on ongoing research projects. Overall, 120 researchers from 16 coun- tries and very diverse scientific backgrounds attended the event. And naturally,
v vi Preface a birthday party was set and the three L’s blew out the candles of their algorithm’s birthday cake! Unlike many other domains, the community misses a reference book dealing with almost all aspects of lattice reduction. One important goal of the conference was to provide such material, which may be used by both junior and senior researchers, and hopefully even useful for undergraduate students. The contributors were selected to make such a collective book possible. This book is a brief (and inevitably incom- plete) snapshot of the research, which was sparked by the publication of the LLL algorithm in 1982. The survey articles were written to be accessible by a large audi- ence, with detailed motivations, explanations, and examples. We hope they will help pursuing further research on this very rich topic. Each article of the present book can be read independently and provides an introductory overview of the results obtained in each particular area in the past 25 years. The first contribution of this book, by Ionica Smeets and in collaboration with Arjen Lenstra, Hendrik Lenstra, L´aszl´oLov´asz, and Peter van Emde Boas, describes the genesis of the LLL algorithm. The rest of the book may be informally divided into five chapters, each one essentially matching a session of the anniversary conference. The first chapter deals with algorithmic aspects of lattice reduction, indepen- dently of applications. The first article of that chapter, by Phong Nguyen, introduces lattices, and surveys the main provable algorithms for finding the shortest vector in a lattice, either exactly or approximately. It emphasizes a somewhat overlooked connection between lattice algorithms and Hermite’s constant, that is, between com- putational and mathematical aspects of the geometry of numbers. For instance, LLL is presented as an (efficient) algorithmic version of Hermite’s inequality on Hermite’s constant. The second article, by Brigitte Vall´ee and Antonio Vera, surveys the probabilistic analysis of several lattice reduction algorithms, in particular LLL and Gauss’ algorithm. Different random models for the input bases are considered and the result introduces sophisticated analytic tools as complex and functional anal- ysis. The third article, by Claus Schnorr, surveys provable and heuristic algorithmic variations around LLL, to make the algorithm more efficient or with better outputs. For example, the fruitful notion of blockwise reduction is a natural generalization of LLL. The fourth article, by Damien Stehl´e, surveys all aspects of floating-point lattice reduction. The different analyses exhibit the parameters that play an impor- tant role when relating the execution time of the floating-point versions of LLL to the quality of the output. Both provable and heuristic versions of the algorithm are considered. The second chapter is concerned with the applications of lattice reduction in the vast field of algorithmic number theory. Guillaume Hanrot’s article describes several efficient algorithms to solve diverse Diophantine approximation problems. For example, these algorithms relying on lattice reduction tackle the problems of approximating real numbers by rational and algebraic numbers, of disclosing linear relations and of solving several Diophantine equations. Denis Simon’s paper contains a collection of examples of problems in number theory that are solved efficiently via lattice reduction. Among others, it introduces a generalization of the Preface vii
LLL algorithm to reduce indefinite quadratic forms. Finally, the article by J¨urgen Kl¨uners surveys the original application of the LLL, namely factoring polynomials with rational coefficients. It compares the original LLL factoring method and the recent one developed by Mark von Hoeij, which relies on the knapsack problem. The third chapter contains a single article, by Karen Aardal and Friedrich Eisenbrand. It surveys the application of the LLL algorithm to integer program- ming, recalling Hendrik Lenstra’s method – an ancestor of the LLL algorithm, and describing recent advances. The fourth chapter is devoted to an important area where lattices have been applied with much success, both in theory and practice: cryptology. Historically, LLL and lattices were first used in cryptology for “destructive” purposes: one of the very first applications of LLL was a practical attack on the Merkle–Hellman knapsack public-key cryptosystem. The success of reduction algorithms at break- ing various cryptographic schemes since the discovery of LLL have arguably established lattice reduction techniques as the most popular tool in public-key crypt- analysis. Alexander May’s article surveys one of the major applications of lattices to cryptanalysis: lattice attacks on the RSA cryptosystem, which started in the late eighties with H˚astad’s work, and has attracted much interest since the mid- nineties with Coppersmith’s method to find small roots of polynomials. The other two articles of the chapter deal instead with “positive” applications of lattices to cryptography. The NTRU paper by Jeff Hoffstein, Nick Howgrave-Graham, Jill Pipher, and William Whyte gives an excellent example of an efficient cryptosys- tem whose security relies on the concrete hardness of lattice problems. The paper by Craig Gentry surveys security proofs of non-lattice cryptographic schemes in which lattices make a surprising appearance. It is perhaps worth noting that lattices are used both to attack RSA in certain settings, and to prove the security of industrial uses of RSA. The final chapter of the book focuses on the complexity of lattice problems. This area has attracted much interest since 1996, when Mikl´os Ajtai discovered a fasci- nating connection between the worst-case and average-case complexity of certain lattice problems. The contribution of Daniele Micciancio deals with (lattice-based) cryptography from worst-case complexity assumptions. It presents recent crypto- graphic primitives whose security can be proven under worst-case assumptions: any instance of some well-known hard problem can be solved efficiently with access to an oracle breaking random instances of the cryptosystem. Daniele Micciancio’s article contains an insightful discussion on the concrete security of lattice-based cryptography. The last two articles of the book, by respectively Subhash Khot and Oded Regev, are complementary. The article by Subhash Khot surveys inapprox- imability results for lattice problems. And the article by Oded Regev surveys the so-called limits to inapproximability results for lattice problems, such as the proofs that some approximation lattice problems belong to the complexity class coNP. It also shows how one can deduce zero-knowledge proof systems from the previous proofs. viii Preface
Acknowledgements We, the editors, express our deep gratitude to the organizing committee comprised of Ali Akhavi, Fabien Laguillaumie, and Damien Stehl´e. We also acknowledge with gratitude the various forms of support received from our sponsors; namely, CNRS, INRIA, Univer- sit´e de Caen, Mairie de Caen, Pˆole TES, as well as several laboratories and research groups (LIP, GREYC, LIAFA, Laboratoire Elie Cartan, LIENS, GDR IM, ECRYPT, Orange Labs). Together with all participants, we were naturally extremely happy to benefit from the presence of the three L’s and our thanks are extended to Peter van Emde Boas for providing invaluable historical mate- rial. We also wish to thank all the speakers and participants of the conference LLLC25. Finally, we are indebted to Loick Lhote for his extensive help in the material preparation of this book.
Paris, Phong Nguyen and Brigitte Vallee´ August 2009 Caen Foreword
I have been asked by my two co-L’s to write a few words by way of introduction, and consented on the condition of being allowed to offer a personal perspective. On 1 September 2006, the three of us received an e-mail from Brigitte Vall´ee. John Cremona, she wrote, had suggested the idea of celebrating the 25th anniver- sary of the publication of “the LLL paper,” and together with Ali Akhavi, Fabien Laguillaumie, and Damien Stehl´e, she had decided to follow up on his suggestion. As it was “not possible to celebrate this anniversary without (...) thethreeL’sof LLL,” she was consulting us about suitable dates. I was one of the two L’s who were sufficiently flattered to respond immediately, and the dates chosen turned out to be convenient for number three as well. In her very first e-mail, Brigitte had announced the intention of including a histor- ical session in the meeting, so that we would have something to do other than cutting cakes and posing for photographers. Hints that some of my own current work relates to lattices were first politely disregarded, and next, when I showed some insistence, I was referred to the Program Committee, consisting of Karen Aardal, Shafi Gold- wasser, Phong Nguyen, Claus Schnorr, Denis Simon, and Brigitte herself. This made me realize which role I was expected to play, and I resolved to wait another 25 years with the new material. As the meeting came nearer, it transpired that historical expertise was not repre- sented on the Program Committee, and with a quick maneuver I seized unrestricted responsibility for organizing the historical session. I did have the wisdom of first securing the full cooperation of LLL’s court archivist Peter van Emde Boas. How successful the historical session was, reported on by Ionica Smeets in the present volume, is not for me to say. I did myself learn a few things I was not aware of, and do not feel ashamed of the way I played my role. All three L’s extended their stay beyond the historical session. Because of the exemplary way in which the Program Committee had acquitted themselves in this job, we can now continue to regard ourselves as universal experts on all aspects of lattice basis reduction and its applications.
ix x Foreword
John Cremona, apparently mortified at the way his practical joke had run out of hand, did not show up, and he was wrong. John, it is my pleasure to thank you most cordially on behalf of all three L’s. Likewise, our thanks are extended not only to everybody mentioned above, but also to all others who contributed to the success of the meeting, as speakers, as participants, as sponsors, or invisibly behind the scenes.
Leiden, August 2008 Hendrik Lenstra Contents
1 The History of the LLL-Algorithm ...... 1 Ionica Smeets
2 Hermite’s Constant and Lattice Algorithms...... 19 Phong Q. Nguyen
3 Probabilistic Analyses of Lattice Reduction Algorithms ...... 71 Brigitte Vall´ee and Antonio Vera
4 Progress on LLL and Lattice Reduction ...... 145 Claus Peter Schnorr
5 Floating-Point LLL: Theoretical and Practical Aspects ...... 179 Damien Stehl´e
6 LLL: A Tool for Effective Diophantine Approximation ...... 215 Guillaume Hanrot
7 Selected Applications of LLL in Number Theory...... 265 Denis Simon
8 The van Hoeij Algorithm for Factoring Polynomials ...... 283 J¨urgen Kl¨uners
9 The LLL Algorithm and Integer Programming ...... 293 Karen Aardal and Friedrich Eisenbrand
10 Using LLL-Reduction for Solving RSA and Factorization Problems ...... 315 Alexander May
xi xii Contents
11 Practical Lattice-Based Cryptography: NTRUEncrypt and NTRUSign...... 349 Jeff Hoffstein, Nick Howgrave-Graham, Jill Pipher, and William Whyte
12 The Geometry of Provable Security: Some Proofs of Security in Which Lattices Make a Surprise Appearance ...... 391 Craig Gentry
13 Cryptographic Functions from Worst-Case Complexity Assumptions ...... 427 Daniele Micciancio
14 Inapproximability Results for Computational Problems on Lattices ...... 453 Subhash Khot
15 On the Complexity of Lattice Problems with Polynomial Approximation Factors ...... 475 Oded Regev List of Contributors
Karen Aardal Delft Institute of Applied Mathematics, TU Delft, Mekelweg 4, 2628 CD Delft, The Netherlands and CWI, Science Park 123, 1098 XG Amsterdam, The Netherlands, [email protected] Friedrich Eisenbrand EPFL, MA C1 573 (Bˆatiment MA), Station 8, CH-1015 Lausanne, Switzerland, friedrich.eisenbrand@epfl.ch Peter van Emde Boas ILLC, Depts. of Mathematics and Computer Science, Fac- ulty of Sciences, University of Amsterdam, The Netherlands, [email protected] Craig Gentry Stanford University, USA, [email protected] Guillaume Hanrot INRIA/LORIA, Projet CACAO - Bˆatiment A, 615 rue du jardin botanique, F-54602 Villers-l`es-Nancy Cedex, France, [email protected] Jeff Hoffstein NTRU Cryptosystems, 35 Nagog Park, Acton, MA 01720, USA, [email protected] Nick Howgrave-Graham NTRU Cryptosystems, 35 Nagog Park, Acton, MA 01720, USA, [email protected] Subhash Khot New York University, New York, NY-10012, USA, [email protected] J¨urgen Kl¨uners Mathematisches Institut, Universit¨at Paderborn, Warburger Str. 100, 30098 Paderborn, Germany. [email protected] Arjen K. Lenstra EPFL IC LACAL, Station 14, Lausanne, Switzerland, arjen.lenstra@epfl.ch Hendrik W. Lenstra Mathematisch Instituut, Universiteit Leiden, Postbus 9512, 2300 RA Leiden, The Netherlands, [email protected] Laszl´ oLov´ asz´ E¨otv¨os Lor´and Tudom´anyegyetem, Sz´amit´og´eptudom´anyi Tanszek, ´ P´azm´any P´eter s´et´any 1/C, H-1117 Budapest, Hungary, [email protected] Alexander May Horst G¨ortz Institute for IT-Security, Faculty of Mathematics, Ruhr-University Bochum, Germany, [email protected]
xiii xiv List of Contributors
Daniele Micciancio Department of Computer Science and Engineering, Univer- sity of California at San Diego, La Jolla CA 92093, USA, [email protected] Phong Nguyen Department of Computer Science, Ecole Normale Sup´erieure de Paris, 45 rue d’Ulm, 75230 Paris Cedex 05, France, [email protected] Jill Pipher NTRU Cryptosystems, 35 Nagog Park, Acton, MA 01720, USA, [email protected] Oded Regev School of Computer Science, Tel-Aviv University, Tel-Aviv 69978, Israel, [email protected] Claus Peter Schnorr Fachbereich Informatik und Mathematik, Uni- versit¨at Frankfurt, PSF 111932, D-60054 Frankfurt am Main, Germany, [email protected] Ionica Smeets Mathematisch Institut, Universiteit Leiden, Niels Bohrweg 1, 2333 CA Leiden, Netherlands, [email protected] Denis Simon Universit´e de Caen, LMNO, Bd Mar´echal Juin BP 5186 – 14032 Caen Cedex, France, [email protected] Damien Stehle´ CNRS/Universities of Macquarie, Sydney and Lyon/INRIA/ENS´ Lyon, Dept of Mathematics and Statistics, University of Sydney, NSW 2008, Australia, [email protected] Brigitte Vallee´ Laboratoire GREYC, CNRS UMR 6072, Universit´e de Caen and ENSICAEN, F-14032 Caen, France, [email protected] Antonio Vera Laboratoire GREYC, CNRS UMR 6072, Universit´e de Caen and ENSICAEN, F-14032 Caen, France, [email protected] William Whyte NTRU Cryptosystems, 35 Nagog Park, Acton, MA 01720, USA, [email protected] Chapter 1 The History of the LLL-Algorithm
Ionica Smeets In collaboration with Arjen Lenstra, Hendrik Lenstra, Laszl´ oLov´ asz,´ and Peter van Emde Boas
Abstract The 25th birthday of the LLL-algorithm was celebrated in Caen from 29th June to 1st July 2007. The three day conference kicked off with a historical session of four talks about the origins of the algorithm. The speakers were the three L’s and close bystander Peter van Emde Boas. These were the titles of their talks. A tale of two papers – Peter van Emde Boas. The early history of LLL – Hendrik Lenstra. The ellipsoid method and basis reduction –L´aszl´oLov´asz. Polynomial factorization and lattices in the very early 1980s – Arjen Lenstra. This chapter is based on those talks, conversations with these four historic charac- ters, the notes that Peter van Emde Boas and Arjen Lenstra wrote for the prepro- ceedings, and many artifacts from the phenomenal archive of Van Emde Boas.
Fig. 1.1 On both pictures you see from left to right Peter van Emde Boas, L´aszl´oLov´asz, Hendrik Lenstra, and Arjen Lenstra. Alexander Schrijver took the first picture in Bonn on 27th February 1982. For the poster of the conference, Van Emde Boas was digitally removed from this picture. The second picture was taken by Ghica van Emde Boas at Le moulin de Bully on 29th June 2007
I. Smeets (B) Mathematisch Instituut, Universiteit Leiden, Niels Bohrweg 1, 2333 CA Leiden, the Netherlands, e-mail: [email protected]
P.Q. Nguyen and B. Vall´ee (eds.), The LLL Algorithm, Information Security 1 and Cryptography, DOI 10.1007/978-3-642-02295-1 1, c Springer-Verlag Berlin Heidelberg 2010 2 I. Smeets Skinny Triangles and Lattice Reduction
One possible starting point for the LLL-algorithm is May 1980. At that time, Peter van Emde Boas was visiting Rome. While he was there he discussed the following problem with Alberto Marchetti-Spaccamela. Question 1 Given three points with rational coordinates in the plane, is it possible to decide in polynomial time whether there exists a point with integral coefficients lying within the triangle defined by these points? This question seemed easy to answer: for big triangles the answer will be “yes” and for small triangles there should be only a small number of integer points close to it that need checking. But for extremely long and incredibly thin triangles this does not work; see Fig. 1.2. It is easy to transform such a skinny triangle into a “rounder” one, but this transformation changes the lattice too; see Fig. 1.3. Van Emde Boas and Marchetti- Spaccamela did not know how to handle these skewed lattices. Back in Amsterdam, Van Emde Boas went to Hendrik Lenstra with their question. Lenstra immediately replied that this problem could be solved with lattice reduction as developed by Gauss almost two hundred years ago. The method is briefly explained below.
Fig. 1.2 The problematic triangles almost look like a line: they are incredibly thin and very, very long. This picture should give you an idea; in truly interesting cases the triangle is much thinner and longer. In the lower left corner you see the standard basis for the integer lattice 1 The History of the LLL-Algorithm 3
A
B C
Fig. 1.3 The triangle from Fig. 1.2 transformed into a right-angled isosceles triangle, the skewed lattice and the transformed standard basis. Now the transformed basis looks thin and long
Method for Answering Question 1. First apply a linear transformation that changes the triangle into a right-angled isosceles triangle. This transforms the integer lattice into a lattice with some given basis of two rational vectors. Find a reduced basis .b1;b2/ for this new lattice: b1 is a shortest nonzero vector in the lattice and b2 is a shortest vector in the lattice that is linearly independent hb1;b2i of b1. Compute b D b2 b1. 2 hb1;b1i If the triangle is sufficiently large compared to jjb2 jj, then there is a lattice point in the triangle. Otherwise, check if lines parallel to b1 (with successive distances jjb2 jj) con- tain points in the triangle. Remember that in this case the size of the triangle is small compared to jjb2 jj, so the number of lines to be checked is small.
Van Emde Boas wrote to Marchetti in the summer of 1980: “Solution: the answer is yes.” In his letter he explained how the method worked. When Marchetti- Spaccamela was visiting Amsterdam in October of the same year, he paid Hendrik Lenstra a visit to talk about the solution. Together with Van Emde Boas, he went to Lenstra’s office. Hendrik Lenstra vividly remembers his initial feelings about this visit: “I felt a bit like a dentist. I had dealt with this problem before, so why were they asking the same question again? I told them the solution and they apparently understood it, but then they refused to walk out of my office. I had work to do and I felt that they were imposing upon my time. I was too naive to realize that this was my real work.” 4 I. Smeets
A
b 2 b∗ 2
b 1
B C