Information Security and Cryptography Texts and Monographs Series Editors David Basin Ue li Maurer Advisory Board Martín Abadi Ross Anderson Michael Backes Ronald Cramer Virgil D. Gligor Oded Goldreich Joshua D. Guttman Arjen K. Lenstra John C. Mitchell Tatsuaki Okamoto Kenny Paterson Bart Preneel Phong Q. Nguyen • Brigitte Vallée Editors The LLL Algorithm Survey and Applications 123 Editors Dr. Phong Q. Nguyen Dr. Brigitte Vallée INRIA Research Director CNRS Research Director École Normale Supérieure anØ d Research Director (cid:23)Département d'Informatique Département d'Informatique Paris, France Université de Caen, France [email protected] [email protected] ISSN1619-7100 ISBN978-3-642-02294-4 e-ISBN978-3-642-02295-1 DOI10.1007/978-3-642-02295-1 SpringerHeidelbergDordrechtLondonNewYork LibraryofCongressControlNumber: 2009934498 ACM Computing Classification (1998): F.2, F.1, E.3, G.1 ©Springer-VerlagBerlinHeidelberg2010 This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned,specificallytherightsoftranslation,reprinting,reuseofillustrations,recitation,broadcasting, reproductiononmicrofilmorinanyotherway,andstorageindatabanks.Duplicationofthispublicationor partsthereofispermittedonlyundertheprovisionsoftheGermanCopyrightLawofSeptember9,1965,in itscurrentversion,andpermissionforusemustalwaysbeobtainedfromSpringer.Violationsareliableto prosecutionundertheGermanCopyrightLaw. Theuseofgeneraldescriptivenames,registerednames,trademarks,etc.inthispublicationdoesnotimply, evenintheabsenceofaspecificstatement,thatsuchnamesareexemptfromtherelevantprotectivelawsand regulationsandthereforefreeforgeneraluse. Cover design: KuenkelLopka GmbH Printedonacid-freepaper SpringerisapartofSpringerScience+BusinessMedia(www.springer.com) Preface Computational aspects of geometry of numbers have been revolutionized by the Lenstra–Lenstra–Lova´szlatticereductionalgorithm(LLL),whichhasledtobreak- throughs in fields as diverse as computer algebra, cryptology, and algorithmic number theory. After its publication in 1982, LLL was immediately recognized as one of the most important algorithmic achievements of the twentieth century, because of its broad applicability and apparent simplicity. Its popularity has kept growing since, as testified by the hundredsof citations of the originalarticle, and theevermorefrequentuseofLLLasasynonymtolatticereduction. As an unfortunate consequence of the pervasiveness of the LLL algorithm, researchersstudyingandapplyingit belongto diversescientific communities,and seldommeet.While discussingthatparticularissue withDamienStehle´ atthe 7th AlgorithmicNumberTheorySymposium(ANTSVII)heldinBerlininJuly2006, JohnCremonaaccuratelyremarkedthat2007wouldbethe25thanniversaryofLLL andthisdeservedameetingtocelebratethatevent.Theyear2007wasalsoinvolved inanotherarithmeticalstory.In2003and2005,AliAkhavi,FabienLaguillaumie, and Brigitte Valle´e with other colleaguesorganizedtwo workshopson cryptology andalgorithmswithastrongemphasisonlatticereduction:CAEN’03andCAEN ’05, CAEN denoting both the location and the content (Cryptologie et Algorith- miqueEnNormandie).VeryquicklyaftertheANTSconference,AliAkhavi,Fabien Laguillaumie, and Brigitte Valle´e were thus readily contacted and reacted very enthusiastically about organizing the LLL birthday conference. The organization committeewasformed. Withinacoupleofmonths,thethreeL’s,ArjenandHendrikLenstra,andLa´szlo´ Lova´sz,kindlyacceptedtoparticipate,whichprovidedconfidencetotheorganizing team. At the same time, a program committee was created. Its members – Karen Aardal,ShafiGoldwasser,PhongNguyen,ClausSchnorr,DenisSimon,andBrigitte Valle´e–comefromdiversefields,soastorepresentasmanyLLL-practitionersas possible.Theyinvitedspeakerstogiveoverviewtalksattheconference. The anniversary conference eventually took place between 29th June and 1st July2007,attheUniversityofCaen.Duringthesethreedays,14invitedtalkswere givenontopicscloselyrelatedtotheLLLalgorithm.Apostersessiongathered12 presentationsonongoingresearchprojects.Overall,120researchersfrom16coun- tries and very diverse scientific backgrounds attended the event. And naturally, v vi Preface abirthdaypartywassetandthethreeL’sblewoutthecandlesoftheiralgorithm’s birthdaycake! Unlikemanyotherdomains,thecommunitymissesareferencebookdealingwith almostallaspectsoflatticereduction.Oneimportantgoaloftheconferencewasto providesuchmaterial,whichmaybeusedbybothjuniorandseniorresearchers,and hopefullyevenusefulforundergraduatestudents.Thecontributorswereselectedto make such a collective bookpossible. This book is a brief (and inevitably incom- plete) snapshotof the research, which was sparked by the publication of the LLL algorithmin1982.Thesurveyarticleswerewrittentobeaccessiblebyalargeaudi- ence,withdetailedmotivations,explanations,andexamples.Wehopetheywillhelp pursuingfurtherresearchonthisveryrichtopic.Eacharticleofthepresentbookcan bereadindependentlyandprovidesanintroductoryoverviewoftheresultsobtained ineachparticularareainthepast25years. The first contributionof this book, by Ionica Smeets and in collaborationwith ArjenLenstra,HendrikLenstra,La´szlo´Lova´sz,andPetervanEmdeBoas,describes thegenesisofthe LLLalgorithm.Therestofthebookmaybe informallydivided into five chapters, each one essentially matching a session of the anniversary conference. The first chapter deals with algorithmic aspects of lattice reduction, indepen- dentlyofapplications.Thefirstarticleofthatchapter,byPhongNguyen,introduces lattices, and surveys the main provable algorithms for finding the shortest vector ina lattice,eitherexactlyorapproximately.Itemphasizesasomewhatoverlooked connectionbetweenlatticealgorithmsandHermite’sconstant,thatis,betweencom- putational and mathematical aspects of the geometry of numbers. For instance, LLL is presented as an (efficient) algorithmic version of Hermite’s inequality on Hermite’sconstant.Thesecondarticle,byBrigitteValle´eandAntonioVera,surveys the probabilisticanalysisofseverallattice reductionalgorithms,inparticularLLL andGauss’algorithm.Differentrandommodelsfortheinputbasesareconsidered andtheresultintroducessophisticatedanalytictoolsascomplexandfunctionalanal- ysis.Thethirdarticle,byClausSchnorr,surveysprovableandheuristicalgorithmic variationsaroundLLL,tomakethealgorithmmoreefficientorwithbetteroutputs. For example,the fruitfulnotionof blockwise reductionis a naturalgeneralization ofLLL.Thefourtharticle,byDamienStehle´,surveysallaspectsoffloating-point latticereduction.Thedifferentanalysesexhibittheparametersthatplayanimpor- tantrolewhenrelatingtheexecutiontime ofthefloating-pointversionsofLLLto thequalityoftheoutput.Bothprovableandheuristicversionsofthealgorithmare considered. The second chapter is concerned with the applications of lattice reduction in the vast field of algorithmic number theory. Guillaume Hanrot’s article describes severalefficientalgorithmsto solve diverse Diophantineapproximationproblems. For example, these algorithms relying on lattice reduction tackle the problems of approximating real numbers by rational and algebraic numbers, of disclosing linearrelationsandofsolvingseveralDiophantineequations.DenisSimon’spaper contains a collection of examples of problems in number theory that are solved efficientlyvialatticereduction.Amongothers,itintroducesageneralizationofthe Preface vii LLL algorithm to reduce indefinite quadratic forms. Finally, the article by Ju¨rgen Klu¨nerssurveystheoriginalapplicationoftheLLL,namelyfactoringpolynomials with rational coefficients. It compares the original LLL factoring method and the recentonedevelopedbyMarkvonHoeij,whichreliesontheknapsackproblem. The third chapter contains a single article, by Karen Aardal and Friedrich Eisenbrand. It surveys the application of the LLL algorithm to integer program- ming,recallingHendrikLenstra’smethod–anancestoroftheLLLalgorithm,and describingrecentadvances. The fourth chapter is devoted to an important area where lattices have been applied with much success, both in theory and practice: cryptology. Historically, LLL and lattices were first used in cryptology for “destructive” purposes: one of the very first applications of LLL was a practical attack on the Merkle–Hellman knapsack public-key cryptosystem. The success of reduction algorithms at break- ing various cryptographic schemes since the discovery of LLL have arguably establishedlatticereductiontechniquesasthemostpopulartoolinpublic-keycrypt- analysis.AlexanderMay’sarticle surveysoneofthe majorapplicationsof lattices to cryptanalysis: lattice attacks on the RSA cryptosystem, which started in the late eighties with Ha˚stad’s work, and has attracted much interest since the mid- ninetieswith Coppersmith’smethodto find small rootsof polynomials.The other two articles of the chapter deal instead with “positive” applications of lattices to cryptography. The NTRU paper by Jeff Hoffstein, Nick Howgrave-Graham, Jill Pipher, and William Whyte gives an excellent example of an efficient cryptosys- tem whose security relies on the concrete hardnessof lattice problems.The paper by Craig Gentry surveys security proofs of non-lattice cryptographic schemes in whichlatticesmakeasurprisingappearance.Itisperhapsworthnotingthatlattices areusedbothtoattackRSAincertainsettings,andtoprovethesecurityofindustrial usesofRSA. Thefinalchapterofthebookfocusesonthecomplexityoflatticeproblems.This areahasattractedmuchinterestsince1996,whenMiklo´sAjtaidiscoveredafasci- nating connection between the worst-case and average-case complexityof certain latticeproblems.ThecontributionofDanieleMiccianciodealswith(lattice-based) cryptography from worst-case complexity assumptions. It presents recent crypto- graphicprimitiveswhosesecuritycanbeprovenunderworst-caseassumptions:any instance of some well-known hard problem can be solved efficiently with access toan oraclebreakingrandominstancesofthe cryptosystem.DanieleMicciancio’s article contains an insightful discussion on the concrete security of lattice-based cryptography.Thelasttwoarticlesofthebook,byrespectivelySubhashKhotand Oded Regev, are complementary.The article by Subhash Khot surveys inapprox- imability results for lattice problems. And the article by Oded Regev surveys the so-calledlimitstoinapproximabilityresultsforlatticeproblems,suchastheproofs that some approximation lattice problems belong to the complexity class coNP. Italsoshowshowonecandeducezero-knowledgeproofsystemsfromtheprevious proofs. viii Preface Acknowledgements We, the editors, express our deep gratitude to the organizing committee comprised ofAliAkhavi,FabienLaguillaumie,andDamienStehle´.Wealsoacknowledge with gratitudethevariousformsofsupportreceivedfromoursponsors;namely,CNRS,INRIA,Univer- site´deCaen,MairiedeCaen,PoˆleTES,aswellasseverallaboratoriesandresearchgroups(LIP, GREYC,LIAFA,Laboratoire ElieCartan,LIENS,GDRIM,ECRYPT,OrangeLabs). Together withallparticipants,wewerenaturallyextremelyhappytobenefitfromthepresenceofthethree L’sandourthanksareextendedtoPetervanEmdeBoasforprovidinginvaluablehistoricalmate- rial.WealsowishtothankallthespeakersandparticipantsoftheconferenceLLLC25.Finally, weareindebtedtoLoickLhoteforhisextensivehelpinthematerialpreparationofthisbook. Paris, PhongNguyenandBrigitteValle´e August2009 Caen Foreword I havebeen askedby mytwo co-L’sto write a few wordsby way ofintroduction, andconsentedontheconditionofbeingallowedtoofferapersonalperspective. On 1 September 2006, the three of us received an e-mail from Brigitte Valle´e. John Cremona, she wrote, had suggested the idea of celebrating the 25th anniver- sary of the publication of “the LLL paper,” and together with Ali Akhavi, Fabien Laguillaumie,andDamienStehle´,shehaddecidedtofollowuponhissuggestion. As it was “notpossible to celebrate this anniversarywithout(...) the three L’s of LLL,”shewasconsultingusaboutsuitabledates.IwasoneofthetwoL’swhowere sufficientlyflatteredtorespondimmediately,andthedateschosenturnedouttobe convenientfornumberthreeaswell. Inherveryfirste-mail,Brigittehadannouncedtheintentionofincludingahistor- icalsessioninthemeeting,sothatwewouldhavesomethingtodootherthancutting cakesandposingforphotographers.Hintsthatsomeofmyowncurrentworkrelates tolatticeswerefirstpolitelydisregarded,andnext,whenIshowedsomeinsistence, IwasreferredtotheProgramCommittee,consistingofKarenAardal,ShafiGold- wasser,PhongNguyen,ClausSchnorr,DenisSimon,andBrigitteherself.Thismade merealizewhichroleIwasexpectedtoplay,andIresolvedtowaitanother25years withthenewmaterial. Asthemeetingcamenearer,ittranspiredthathistoricalexpertisewasnotrepre- sentedontheProgramCommittee,andwithaquickmaneuverIseizedunrestricted responsibility for organizingthe historical session. I did have the wisdom of first securing the full cooperationof LLL’s court archivistPeter van Emde Boas. How successful the historical session was, reported on by Ionica Smeets in the present volume,isnotformetosay.IdidmyselflearnafewthingsIwasnotawareof,and donotfeelashamedofthewayIplayedmyrole. All three L’s extended their stay beyond the historical session. Because of the exemplaryway in whichthe ProgramCommitteehadacquittedthemselvesin this job,wecannowcontinuetoregardourselvesasuniversalexpertsonallaspectsof latticebasisreductionanditsapplications. ix x Foreword JohnCremona,apparentlymortifiedatthewayhispracticaljokehadrunoutof hand,didnotshowup,andhewaswrong.John,itismypleasuretothankyoumost cordially on behalf of all three L’s. Likewise, our thanksare extendednot only to everybodymentionedabove,butalsotoallotherswhocontributedtothesuccessof themeeting,asspeakers,asparticipants,assponsors,orinvisiblybehindthescenes. Leiden, August2008 HendrikLenstra