Worst-Case Complexity of the Optimal LLL Algorithm

@inproceedings{Akhavi2000WorstCaseCO,
  title={Worst-Case Complexity of the Optimal LLL Algorithm},
  author={Ali Akhavi},
  booktitle={LATIN},
  year={2000}
}
  • A. Akhavi
  • Published in LATIN 10 April 2000
  • Mathematics, Computer Science
In this paper, we consider the open problem of the complexity of the LLL algorithm in the case when the approximation parameter of the algorithm has its extreme value 1. This case is of interest because the output is then the strongest Lovasz-reduced basis. Experiments reported by Lagarias and Odlyzko [13] seem to show that the algorithm remain polynomial in average. However no bound better than a naive exponential order one is established for the worst-case complexity of the optimal LLL… 

The optimal LLL algorithm is still polynomial in fixed dimension

  • A. Akhavi
  • Mathematics, Computer Science
    Theor. Comput. Sci.
  • 2003

Another View of the Gaussian Algorithm

TLDR
This work introduces here a rewrite system in the group of unimodular matrices, i.e., matrices with integer entries and with determinant equal to ± 1, to precisely characterize the mechanism of the Gaussian algorithm, that finds shortest vectors in a two–dimensional lattice given by any basis.

The Beauty and the Beasts - The Hard Cases in LLL Reduction

TLDR
Experimental results show the Beasts bases derived from Beauty can withstand LLL reduction by a stable probability even for high dimensions, and the theoretical proof gives a direct explanation of this phenomenon.

Analyzing Blockwise Lattice Algorithms Using Dynamical Systems

TLDR
This work shows that BKZ can be terminated long before its completion, while still providing bases of excellent quality and develops a completely new elementary technique based on discrete-time affine dynamical systems, which could lead to the design of improved lattice reduction algorithms.

Analyzing Blockwise Lattice Algorithms Using

TLDR
It is shown that BKZ can be terminated long before its completion, while still providing bases of excellent quality, if given as inputs Q n×n of a lattice L and a block-size β.

Low-dimensional lattice basis reduction revisited

TLDR
This article studies a greedy lattice basis reduction algorithm for the Euclidean norm, and shows that up to dimension four, the bit-complexity of the greedy algorithm is quadratic without fast integer arithmetic, just like Euclid's gcd algorithm.

Chapter 1 Floating-Point LLL : Theoretical and Practical Aspects

TLDR
The text-book LLL algorithm can be sped up considerably by replacing the underlying rational arithmetic used for the Gram-Schmidt orthogonalisation by floating-point approximations, so the implementer may weaken the provable variants in order to further improve their efficiency.

Floating-Point LLL: Theoretical and Practical Aspects

TLDR
The text-book LLL algorithm can be sped up considerably by replacing the underlying rational arithmetic used for the Gram–Schmidt orthogonalisation by floating-point approximations, which seems to be natural for LLL even from the theoretical point of view.

Why 1.02? The root Hermite factor of LLL and stochastic sandpile models

In lattice-based cryptography, a disturbing and puzzling fact is that there exists such a conspicuous gap between the actual performance of LLL and what could be said of it theoretically. By now, no

Terminating BKZ

TLDR
This work shows that BKZ can be terminated long before its completion, while still providing bases of excellent quality and develops a completely new elementary technique based on discrete-time affine dynamical systems, which could lead to the design of improved lattice reduction algorithms.

References

SHOWING 1-10 OF 28 REFERENCES

The shortest vector problem in L2 is NP-hard for randomized reductions (extended abstract)

  • M. Ajtai
  • Mathematics, Computer Science
    STOC '98
  • 1998
TLDR
There is a prob-abilistic Turing-machine which in polynomial time reduces any problem in NP to instances of the shortest vector problem, provided that it can use an oracle which returns the solution of the longest vector problem if an instance of it is presented (by giving a basis of the corresponding lattice).

Improved algorithms for integer programming and related lattice problems

  • R. Kannan
  • Computer Science, Mathematics
    STOC
  • 1983
TLDR
The proposed algorithm first finds a “more orthogonal” basis for a lattice than those of Lenstra (1981) and Lenstra, Lenstra and Lovasz (1982), but in time 0(ndn poly (length of input)).

Solving low density subset sum problems

  • J. LagariasA. Odlyzko
  • Computer Science, Mathematics
    24th Annual Symposium on Foundations of Computer Science (sfcs 1983)
  • 1983
TLDR
This method gives a polynomial time attack on knapsack public key cryptosystems that can be expected to break them if they transmit information at rates below dc (n), as n → ∞.

On Lovász’ lattice reduction and the nearest lattice point problem

  • L. Babai
  • Mathematics, Computer Science
    Comb.
  • 1986
Answering a question of Vera Sós, we show how Lovász’ lattice reduction can be used to find a point of a given lattice, nearest within a factor ofcd (c = const.) to a given point in Rd. We prove that

The shortest vector in a lattice is hard to approximate to within some constant

  • Daniele Micciancio
  • Computer Science
    Proceedings 39th Annual Symposium on Foundations of Computer Science (Cat. No.98CB36280)
  • 1998
TLDR
It is shown the shortest vector problem in the l/sub 2/ norm is NP-hard (for randomized reductions) to approximate within any constant factor less than /spl radic/2 and an alternative construction satisfying Ajtai's probabilistic variant of Sauer's lemma is given.

How to Break Okamoto's Cryptosystem by Reducing Lattice Bases

TLDR
It is shown here that it can, for any odd n, solve, in polynomial probabilistic time, quadratic equations modulo n, even if the factorisation of n is hidden, provided the authors are given a sufficiently good approximation of the solutions.

ALGORITHMIC GEOMETRY OF NUMBERS

TLDR
The development of algorithms like the Edmonds (1965) matching algorithm and the study of the underlying polyhedral structure have gone hand in hand, each benefiting the other.

Attacking the Chor-Rivest Cryptosystem by Improved Lattice Reduction

TLDR
Algorithms for lattice basis reduction that are improvements of the famous L3-algorithm are introduced that solve random subset sum problems of arbitrary density with 74 and 82 many weights and by breaking Damgard's hash function.