INSTITUT NATIONAL DE RECHERCHE EN INFORMATIQUE ET EN AUTOMATIQUE

Worst-Case Hermite-Korkine-Zolotarev Reduced Lattice Bases

Guillaume Hanrot, Damien Stehlé ∗

Theme SYM (Symbolic systems), Projects Cacao and Arénaire
Research report no. 6422, November 2007, 25 pages
arXiv:0801.3331v2 [math.NT] 24 Jan 2008
ISSN 0249-6399, ISRN INRIA/RR--6422--FR+ENG

Abstract: The Hermite-Korkine-Zolotarev reduction plays a central role in strong lattice reduction algorithms. By building upon a technique introduced by Ajtai, we show the existence of Hermite-Korkine-Zolotarev reduced bases that are arguably least reduced. We prove that for such bases, Kannan's algorithm solving the shortest lattice vector problem requires $d^{\frac{d}{2e}(1+o(1))}$ bit operations in dimension $d$. This matches the best complexity upper bound known for this algorithm. These bases also provide lower bounds on Schnorr's constants $\alpha_d$ and $\beta_d$ that are essentially equal to the best upper bounds. Finally, we also show the existence of particularly bad bases for Schnorr's hierarchy of reductions.

Key-words: Lattice basis reduction, shortest vector problem, HKZ-reduction, BKZ-reduction

∗ CNRS and Université de Lyon / ÉNS Lyon / LIP, 46 allée d'Italie, 69364 Lyon Cedex 07, France.

INRIA Lorraine research unit, LORIA, Technopôle de Nancy-Brabois, Campus scientifique, 615, rue du Jardin Botanique, BP 101, 54602 Villers-Lès-Nancy (France). Telephone: +33 3 83 59 30 00, Fax: +33 3 83 27 83 19

"Worst-case" Hermite-Korkine-Zolotarev reduced bases.

Summary: The Hermite-Korkine-Zolotarev reduction plays a central role in strong lattice reduction algorithms. Using a technique due to Ajtai, we prove the existence of Hermite-Korkine-Zolotarev reduced bases that are as badly reduced as possible. For such bases, Kannan's algorithm for solving the shortest vector problem requires $d^{\frac{d}{2e}(1+o(1))}$ elementary operations in dimension $d$, which coincides with the best known upper bound on its complexity. These bases also provide lower bounds for Schnorr's constants $\alpha_d$ and $\beta_d$, which again coincide with the best known upper bounds. Finally, we show the existence of bad reduced bases for the algorithms of Schnorr's hierarchy.

Keywords: Lattice reduction, shortest vector problem, HKZ reduction, BKZ reduction

1 Introduction

A lattice $L$ is a discrete subgroup of a euclidean space $\mathbb{R}^n$. Such an object can always be written as the set of integer linear combinations of some linearly independent vectors $b_1, \ldots, b_d \in \mathbb{R}^n$. The $b_i$'s form a basis of $L$. Such a representation is not unique, but all bases share the same cardinality $d$, called the lattice dimension. Another lattice invariant is the so-called lattice volume $\det(L)$, which is defined as the geometric $d$-dimensional volume of any parallelepiped $\mathcal{P}(b_i) = \{\sum_i y_i b_i,\ y_i \in [0,1]\}$ spanned by a lattice basis $(b_i)_i$. When $d \geq 2$, a given lattice has an infinity of bases, related to one another by unimodular transformations. Some bases are better than others, in particular under the light of applications such as algorithmic number theory [5] and cryptography [15, 13]. In these applications, one is mostly interested in lattice bases made of rather short and rather orthogonal vectors. Such bases are called reduced. One often distinguishes between reductions that are rather weak but can be computed efficiently and reductions that are strong but that require a much larger amount of computational resources. The main reduction of the first family is the celebrated LLL-reduction [12], whereas the most famous one in the second family is the Hermite-Korkine-Zolotarev reduction (HKZ for short).
There exist compromises between LLL and HKZ reductions, such as Schnorr's Block-Korkine-Zolotarev (BKZ) reductions [19] depending on a parameter $k$: the 2-BKZ reduction is essentially the LLL reduction whereas the $d$-BKZ reduction is exactly the HKZ reduction. Other compromises have been considered in [19, 18, 7].

From the algorithmic point of view, LLL-reduction can be reached in time polynomial in the lattice dimension. The other parameters, such as the dimension of the embedding space and the bit-size of the initial vectors, are of small interest here since all the described algorithms have polynomial complexities with respect to them. On the other extreme, there are two main algorithms to compute an HKZ-reduced basis. The first one is due to Kannan [11] and was improved by Helfrich and Schnorr [9, 19]. Its complexity has been revised downwards by Hanrot and Stehlé [8] who proved a $d^{\frac{d}{2e}(1+o(1))}$ upper bound. The other algorithm is due to Ajtai, Kumar and Sivakumar [2] and its complexity upper bound was re-assessed recently by Nguyen and Vidick [16]: its cost is provably bounded by $2^{5.9 \cdot d}$. The latter algorithm has a much better asymptotic complexity upper bound than Kannan's. However, it suffers from two drawbacks: firstly, it requires exponential space whereas Kannan's space requirement is polynomial; secondly, it is probabilistic in the sense that there is a tiny probability that the computed basis is not HKZ-reduced, whereas Kannan's algorithm is deterministic. In practice, for manageable problem sizes, it seems that adaptations of Kannan's algorithm still outperform the algorithm of Ajtai, Kumar and Sivakumar. One of the results of the present paper is to provide a worst-case complexity lower bound to Kannan's algorithm which is essentially the same as the $d^{\frac{d}{2e}(1+o(1))}$ complexity upper bound: it proves that from the worst-case point of view, Kannan's algorithm is asymptotically worse than the one of Ajtai, Kumar and Sivakumar.
In the compromises between LLL and HKZ-reductions, an algorithm computing HKZ-reduced bases (either Kannan's or the one of Ajtai, Kumar and Sivakumar) is used on $k$-dimensional bases, where $k$ is the parameter of the compromise. When $k$ is greater than $c \log d$ for some constant $c$, the complexities of the compromise algorithms are $k^{O(k)}$ or $2^{O(k)}$ depending on the chosen HKZ-reduction algorithm.

The main result of the present paper is to prove the existence of HKZ-reduced bases which are arguably least reduced possible. These bases are good corner cases for strong lattice reductions. We prove that given them as input, Kannan's algorithm costs at least $d^{\frac{d}{2e}(1+o(1))}$ binary operations in dimension $d$, thus completing the worst-case analysis of Kannan's algorithm. This proves that the Ajtai-Kumar-Sivakumar algorithm is strictly better than Kannan's from the worst-case asymptotic time complexity perspective. These lattice bases also provide lower bounds on Schnorr's constants $\alpha_k$ and $\beta_k$ which play a central role in estimating the quality of Schnorr's hierarchies of reductions. As a by-product, we improve the best known upper bound for $\alpha_k$, and the lower and upper bounds essentially match. Our lower bound on $\beta_k$ matches its best known upper bound, provided by [7]. This gives weight to the fact that the primal-dual reduction therein may be better than Schnorr's classical hierarchy. Finally, we provide lattice bases that are particularly bad for Schnorr's hierarchy of reduction algorithms.

To achieve these results, we simplify and build upon a technique introduced by Ajtai in [1] to show lower bounds on Schnorr's constants $\alpha_k$ and $\beta_k$. These lower bounds were of the same orders of magnitude as the best upper bounds, but with undetermined constants in the exponents. It consists in building random lattice bases that are HKZ-reduced with non-zero probability and such that the quantities under investigation (e.g., Schnorr's constants) are close to the best known upper bounds.
The random lattice bases are built from their Gram-Schmidt orthogonalisations.

ROAD-MAP. In Section 2 we provide the background that is necessary for understanding the rest of the article. In Section 3 we simplify Ajtai's method to generate lattice bases. We use it first in Section 4 to show the existence of worst-case HKZ-reduced bases with respect to the orthogonality of the basis vectors. Using these bases, we provide lower bounds to the worst-case cost of Kannan's algorithm and to Schnorr's constants $\alpha_k$ and $\beta_k$, in Section 5. We use Ajtai's technique a second time in Section 6 to build lattice bases that are particularly bad for Schnorr's hierarchy of reduction algorithms. Finally, in Section 7, we draw a list of possible natural extensions of our work.

NOTATION. If $y$ is a real number, we let $\lfloor y \rceil$ denote its closest integer (with any rule for the ambiguous cases), and we define $\{y\} = y - \lfloor y \rceil$. If $a \leq b$, we let $\llbracket a, b \rrbracket$ denote the set of integers belonging to the interval $[a, b]$. All logarithms used are in basis $e$. Finally, for $x$ a real number, we define $(x)_+ := \max(x, 0)$.

2 Background on Lattices

We refer to [4] for a complete introduction to lattices.

Gram-Schmidt orthogonalisation. Let $b_1, \ldots, b_d$ be linearly independent vectors. We define $b_i^* = b_i - \sum_{j<i} \mu_{i,j} b_j^*$ with $\mu_{i,j} = \frac{\langle b_i, b_j^* \rangle}{\|b_j^*\|^2}$. The $b_i^*$'s are orthogonal and, for any $i$, we have that the linear span of the $b_j^*$'s for $j \leq i$ is exactly the span of the $b_j$'s for $j \leq i$. If $j \leq i$, we denote by $b_i(j)$ the projection of $b_i$ orthogonally to the vectors $b_1, \ldots, b_{j-1}$. We have $b_i(j) = b_i^* + \sum_{k=j}^{i-1} \mu_{i,k} b_k^*$.

Minkowski's inequality. For every integer $d \geq 1$, there exists a constant $\gamma_d$, called Hermite's constant, such that for any $d$-dimensional lattice $L$ there exists a non-zero vector $b \in L$ with $\|b\| \leq \gamma_d^{1/2} \cdot (\det L)^{\frac{1}{d}}$. The latter relation is known as Minkowski's inequality. Hermite's constant satisfies $\gamma_d \leq d$. Asymptotically, one has $\frac{1.744\,d}{2\pi e}(1+o(1)) \geq \gamma_d \geq \frac{d}{2\pi e}(1+o(1))$ (see [10] for the upper bound). We define the minimum of a lattice $L$ as the length of a shortest non-zero vector, and we let it be denoted by $\lambda(L)$. Minkowski's inequality can be easily restated in terms of the Gram-Schmidt orthogonalisation of any basis $(b_i)_i$ of $L$ since $\det(L) = \prod_i \|b_i^*\|$:

$$\lambda(L) \leq \sqrt{d} \cdot \left( \prod_{i=1}^{d} \|b_i^*\| \right)^{\frac{1}{d}}.$$

Hermite-Korkine-Zolotarev reduction. A basis $(b_i)_i$ of a lattice $L$ is said to be HKZ-reduced if its first vector reaches the minimum of $L$ and if orthogonally to $b_1$ the other $b_i$'s are themselves HKZ-reduced. This implies that for any $i$ we have $\|b_i^*\| \leq \sqrt{d-i+1} \cdot \left( \prod_{j=i}^{d} \|b_j^*\| \right)^{\frac{1}{d-i+1}}$. We call these $d-1$ inequalities the primary Minkowski inequalities. Many other Minkowski-type inequalities are satisfied by an HKZ-reduced basis since the HKZ-reducedness of $(b_1, \ldots, b_d)$ implies the HKZ-reducedness of any basis $(b_i(i), \ldots, b_j(i))$ for any $i \leq j$.

Schnorr's hierarchies of reductions. A basis $(b_1, \ldots, b_d)$ is called Block-Korkine-Zolotarev reduced with block-size $k$ ($k$-BKZ for short) if for any $i \leq d-k+1$ the $k$-dimensional basis $(b_i(i), \ldots, b_{i+k-1}(i))$ is HKZ-reduced. This reduction was initially called $k$-reduction in [19]. Schnorr also introduced the block-$2k$-reduction: a basis $(b_1, \ldots, b_d)$ is block-$2k$-reduced if for any $i \leq \lceil d/k \rceil - 2$, the basis $(b_{ik+1}(ik+1), \ldots, b_j(ik+1))$ with $j = \min(d, (i+2)k)$ is HKZ-reduced. Any $2k$-BKZ-reduced basis is block-$2k$-reduced and any block-$2k$-reduced basis is $k$-BKZ-reduced. In the following, we will concentrate on the BKZ hierarchy of reductions.

Schnorr's constants. In order to analyze the quality of the $k$-BKZ and block-$2k$ reductions, Schnorr introduced the constants

$$\alpha_k = \max_{(b_i)_{i \leq k}\ \text{HKZ-reduced}} \frac{\|b_1\|^2}{\|b_k^*\|^2} \quad \text{and} \quad \beta_k = \max_{(b_i)_{i \leq 2k}\ \text{HKZ-reduced}} \left( \frac{\prod_{i \leq k} \|b_i^*\|^2}{\prod_{i > k} \|b_i^*\|^2} \right)^{\frac{1}{k}}.$$

The best known upper bounds on $\alpha_k$ and $\beta_k$ are $k^{1+\log k}$ and $\frac{1}{10} k^{2 \log 2}$ (see [19, 7]). We will improve the upper bound on $\alpha_k$ in Section 5.
Any $k$-BKZ-reduced basis $(b_1, \ldots, b_d)$ of a lattice $L$ satisfies $\|b_1\| \leq \min\left( k^{\frac{d-1}{k-1}}, \alpha_k^{\frac{d-1}{k-1}-1} \right) \lambda(L)$. Ajtai [1] showed that $\alpha_k \geq k^{c \log k}$ for some constant $c$, so that the first upper bound is stronger than the second one. Furthermore, every block-$2k$-reduced basis $(b_1, \ldots, b_{mk})$ of a lattice $L$ satisfies $\|b_1\| \leq \sqrt{k} \sqrt{\beta_k}^{\,m-1} \lambda(L)$ (see [19, 20]).

3 Ajtai's Drawing of HKZ-Reduced Bases

Consider a dimension $d > 0$ and a function $f : \llbracket 1, d \rrbracket \to \mathbb{R}^+ \setminus \{0\}$. By generalising an argument due to Ajtai [1], we prove that one can build a $d$-dimensional lattice basis which is HKZ-reduced and such that $\|b_i^*\| = f(i)$, under a "Minkowski-type" condition for the values of $f$.

Theorem 1 Let $d > 0$ and $f : \llbracket 1, d \rrbracket \to \mathbb{R}^+ \setminus \{0\}$. Assume that for any $j \leq d$, one has

$$\sum_{i=1}^{j-1} \left( \frac{2\pi e}{j-i} \right)^{\frac{j-i}{2}} \left( 1 - \left( \frac{f(j)}{f(i)} \right)^2 \right)_+^{\frac{j-i}{2}} \left( \prod_{k=i}^{j} \frac{f(i)}{f(k)} \right) < 1.$$

Then there exists an HKZ-reduced basis $(b_1, \ldots, b_d)$ with $\|b_i^*\| = f(i)$.

The condition above might seem intricate at first glance, though it is in fact fairly natural. The term $(j-i)^{-\frac{j-i}{2}} \prod_{k=i}^{j} \frac{f(i)}{f(k)}$ resembles Minkowski's inequality. It is natural that it should occur for all $(i, j)$, since for an HKZ-reduced basis Minkowski's inequality is satisfied for all bases $(b_i(i), \ldots, b_j(i))$. Another way of stating this is that a necessary condition for a basis to be HKZ-reduced would be

$$\forall j \leq d, \quad \sum_{i=1}^{j-1} \left( 4\gamma_{j-i+1} \right)^{-\frac{j-i}{2}} \left( 1 - \left( \frac{f(j)}{f(i)} \right)^2 \right)^{\frac{j-i}{2}} \left( \prod_{k=i}^{j} \frac{f(i)}{f(k)} \right) < 1.$$

This is merely a restatement of the fact that, since Minkowski's inequality is verified for any pair $(i, j)$, the $i$-th term is at most $2^{-(j-i)}$, so that the sum is $< 1$. In view of the fact that asymptotically $\gamma_d \leq \frac{1.744\,d}{2\pi e}(1+o(1))$, we see that we are not far from an optimal condition.

Lemma 1 is the core of the proof of Theorem 1. It bounds the probability that when a random basis $(b_1, \ldots, b_d)$ is built appropriately, any lattice vector $\sum_i x_i b_i$ with $x_d \neq 0$ will be longer than $b_1$.
Lemma 1 Let $(b_1, \ldots, b_{d-1})$ be a lattice basis and let $b_d$ be a random vector. We suppose that:

1. For any $i \leq d$, we have $\|b_i^*\| = f(i)$.
2. The $\mu_{d,i}$'s for $i < d$ are independent random variables uniformly distributed in $[-1/2, 1/2]$.

Let $p$ be the probability that there exists $(x_1, \ldots, x_d)$ with $x_d \neq 0$ such that $\|\sum_i x_i b_i\| \leq \|b_1\|$. Then:

$$p \leq \left( \frac{2\pi e}{d-1} \right)^{\frac{d-1}{2}} \sum_{x > 0} \left( 1 - \left( \frac{x f(d)}{f(1)} \right)^2 \right)_+^{\frac{d-1}{2}} \left( \prod_{i<d} \frac{f(1)}{f(i)} \right).$$

Proof. Wlog we can assume $x_d > 0$. We can write

$$\sum_{i \leq d} x_i b_i = \sum_{i \leq d} \left( x_i + \sum_{j=i+1}^{d} \mu_{j,i} x_j \right) b_i^*.$$

For $i \leq d$, we define $u_i = \left\lfloor x_i + \sum_{j=i+1}^{d} \mu_{j,i} x_j \right\rceil$ and $\delta_i = \left\{ \sum_{j=i+1}^{d} \mu_{j,i} x_j \right\}$. Notice that $\delta_i = \left\{ \mu_{d,i} x_d + \sum_{j=i+1}^{d-1} \mu_{j,i} x_j \right\}$ is made of a random term ($\mu_{d,i} x_d$) and a constant term ($\sum_{j=i+1}^{d-1} \mu_{j,i} x_j$). Since $x_d \neq 0$ and since the $\mu_{d,i}$'s are distributed independently and uniformly in $[-1/2, 1/2]$, the same holds for the $\delta_i$'s (for each fixed choice of $(x_1, \ldots, x_d)$). The event defining $p$ can thus be rewritten as

$$\exists u_d \in \mathbb{Z}_{>0},\ \exists (u_1, \ldots, u_{d-1}) \in \mathbb{Z}^{d-1},\quad \sum_{i<d} (u_i + \delta_i)^2 f(i)^2 \leq f(1)^2 - u_d^2 f(d)^2.$$

The probability of this event is 0 if $f(1)^2 - u_d^2 f(d)^2 < 0$. We shall thus assume in the sequel that $0 < u_d \leq f(1)/f(d)$. The probability $p$ is then bounded by

$$\sum_{u_d \in \mathbb{Z} \setminus \{0\}}\ \sum_{(u_1, \ldots, u_{d-1}) \in \mathbb{Z}^{d-1}} \Pr\left( \sum_{i<d} (u_i + \delta_i)^2 f(i)^2 \leq f(1)^2 - u_d^2 f(d)^2 \right).$$

Let $c > 0$ be an arbitrary constant. We can estimate the last upper bound by using the inequality

$$\Pr\left( \sum_{i<d} (u_i + \delta_i)^2 f(i)^2 \leq f(1)^2 - u_d^2 f(d)^2 \right) \leq \int_{\delta \in [-\frac{1}{2}, \frac{1}{2}]^{d-1}} \exp\left( c - c\, \frac{\sum_{i<d} (u_i + \delta_i)^2 f(i)^2}{f(1)^2 - u_d^2 f(d)^2} \right) d\delta.$$

Summing over the $u_i$'s, we obtain the estimate

$$\begin{aligned}
\sum_{u \in \mathbb{Z}^{d-1}} \int_{\delta \in [-\frac{1}{2}, \frac{1}{2}]^{d-1}} \exp\left( c - c\, \frac{\sum_{i<d} (u_i + \delta_i)^2 f(i)^2}{f(1)^2 - u_d^2 f(d)^2} \right) d\delta
&= \int_{\mathbb{R}^{d-1}} \exp\left( c - c\, \frac{\sum_{i<d} \delta_i^2 f(i)^2}{f(1)^2 - u_d^2 f(d)^2} \right) d\delta \\
&= e^c \prod_{i<d} \int_{\mathbb{R}} \exp\left( -c\, \frac{\delta_i^2 f(i)^2}{f(1)^2 - u_d^2 f(d)^2} \right) d\delta_i \\
&= e^c \left( \frac{\pi}{c} \right)^{\frac{d-1}{2}} \left( 1 - \left( \frac{u_d f(d)}{f(1)} \right)^2 \right)^{\frac{d-1}{2}} \left( \prod_{i<d} \frac{f(1)}{f(i)} \right).
\end{aligned}$$

Taking $c = (d-1)/2$ and summing over $x_d = u_d > 0$ yields the bound that we claimed. Recall that the terms corresponding to $u_d > f(1)/f(d)$ do not contribute. $\Box$

We now proceed to prove Theorem 1. We build the basis iteratively, starting with $b_1$, chosen arbitrarily with $\|b_1\| = f(1)$. Assume now that $b_1, \ldots, b_{j-1}$ have already been chosen with $\|b_i^*\| = f(i)$ for $i < j$ and that they are HKZ-reduced. We choose $b_j$ as $b_j^* + \sum_{k<j} \mu_{j,k} b_k^*$ such that $\|b_j^*\| = f(j)$ and the random variables $(\mu_{j,k})_{k<j}$ are chosen uniformly and independently in $[-1/2, 1/2]$. Let $p_{i,j}$ be the probability that the vector $b_i^*$ is not a shortest non-zero vector of $L(b_i(i), \ldots, b_j(i))$. This means that there exist integers $(x_i, \ldots, x_j)$ such that

$$\left\| \sum_{k=i}^{j} x_k b_k(i) \right\| < \|b_i^*\|.$$

Since $(b_1, \ldots, b_{j-1})$ is HKZ-reduced, so is $(b_i(i), \ldots, b_{j-1}(i))$ and thus we must have $x_j \neq 0$. Lemma 1 gives us

$$\begin{aligned}
p_{i,j} &\leq \left( \frac{2\pi e}{j-i} \right)^{\frac{j-i}{2}} \sum_{x > 0} \left( 1 - \left( \frac{x f(j)}{f(i)} \right)^2 \right)_+^{\frac{j-i}{2}} \left( \prod_{k=i}^{j-1} \frac{f(i)}{f(k)} \right) \\
&\leq \left( \frac{2\pi e}{j-i} \right)^{\frac{j-i}{2}} \left( \frac{f(i)}{f(j)} \right) \left( 1 - \left( \frac{f(j)}{f(i)} \right)^2 \right)_+^{\frac{j-i}{2}} \left( \prod_{k=i}^{j-1} \frac{f(i)}{f(k)} \right) \\
&\leq \left( \frac{2\pi e}{j-i} \right)^{\frac{j-i}{2}} \left( 1 - \left( \frac{f(j)}{f(i)} \right)^2 \right)_+^{\frac{j-i}{2}} \left( \prod_{k=i}^{j} \frac{f(i)}{f(k)} \right).
\end{aligned}$$

We conclude the proof by observing that the probability of non-HKZ-reducedness of $(b_1, \ldots, b_j)$ is at most $\sum_{i<j} p_{i,j}$. By hypothesis, this quantity is $< 1$. Overall, this means that there exist $\mu_{i,j}$'s such that $(b_1, \ldots, b_j)$ is HKZ-reduced. $\Box$

The proof of the lemma and the derivation of the theorem may not seem tight. For instance, summing over all possible $(u_1, \ldots, u_d)$ might seem pessimistic in the proof of the lemma. We do not know how to improve the argument apart from the $x_d$ part, for which, when $j-i$ is large, the term

$$\sum_{x > 0} \left( 1 - \left( \frac{x f(j)}{f(i)} \right)^2 \right)_+^{\frac{j-i}{2}}$$

could be interpreted as a Riemann sum corresponding to the integral

$$\frac{f(i)}{f(j)} \cdot \int_0^{\pi/2} \sin^{j-i+1} x \, dx \approx \frac{f(i)}{f(j)} \cdot \sqrt{\frac{\pi}{2(j-i+1)}}.$$

Notice however that if one uses the same technique to look for vectors of lengths smaller than $\sqrt{c \cdot d} \cdot \left( \prod_{i<d} f(i) \right)^{\frac{1}{d}}$ instead of $f(1)$, one finds that there exists a lattice where there is no vector shorter than this length (with $x_d \neq 0$) as soon as $c < \frac{1}{2\pi e}$. We thus recover, up to the restriction $x_d \neq 0$, the asymptotic lower bound on Hermite's constant. As a consequence, it seems that the main hope of improvement would be to replace the sum (in the proof of the theorem) by a maximum, or something intermediate. Replacing by a maximum seems quite difficult. It would require proving that, if vectors of lengths $\leq \|b_1\|$ exist, then one of them has $x_d \neq 0$, at least almost surely. A deeper understanding of that kind of phenomenon would allow one to obtain refined versions of Theorem 1.

4 Worst-Case HKZ-reduced Bases

This section is devoted to the construction of an explicit function $f$ satisfying the conditions of Theorem 1 as tightly as possible. In order to make explicit the fact that $f$ depends on the underlying dimension $d$, we shall write $f_d$ instead of $f$. Note that though $f_d(i)$ will depend on $d$,
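
The condition of Theorem 1 (Section 3) can be evaluated numerically for a candidate profile $f$ of Gram-Schmidt norms. The Python sketch below is an added example, not code from the report; the names `theorem1_sums` and `first_violation` and the two sample profiles (constant, and geometric decay $f(i) = q^i$) are assumptions chosen for illustration.

```python
import math

def theorem1_sums(f, d):
    """Left-hand side of the Theorem 1 condition, for every j in 1..d.

    f maps an index i in 1..d to the prescribed norm ||b_i^*|| = f(i) > 0.
    Returns a dict {j: sum over i < j of the three-factor term}.
    """
    sums = {}
    for j in range(1, d + 1):
        total = 0.0
        for i in range(1, j):
            n = j - i
            # (1 - (f(j)/f(i))^2)_+ : the positive part removes the term
            # whenever f(j) >= f(i).
            gap = max(1.0 - (f(j) / f(i)) ** 2, 0.0)
            if gap == 0.0:
                continue
            # Log-space: (2*pi*e/n)^(n/2) and the product of ratios
            # f(i)/f(k), k = i..j, overflow quickly for decaying f.
            log_term = 0.5 * n * (math.log(2 * math.pi * math.e / n)
                                  + math.log(gap))
            log_term += sum(math.log(f(i) / f(k)) for k in range(i, j + 1))
            total += math.exp(log_term) if log_term < 700 else math.inf
        sums[j] = total
    return sums

def first_violation(f, d):
    """Smallest j <= d whose sum is not < 1, or None if the condition holds."""
    for j, s in theorem1_sums(f, d).items():
        if not s < 1.0:
            return j
    return None

def constant_profile(i):
    # Constructed sample: all Gram-Schmidt norms equal to 1.
    return 1.0

def geometric_profile(q):
    # Constructed sample: f(i) = q^i, a geometrically decaying profile.
    return lambda i: q ** i

if __name__ == "__main__":
    print("constant, d=50:", first_violation(constant_profile, 50))
    for q in (0.99, 0.5):
        sums = theorem1_sums(geometric_profile(q), 6)
        print(f"q={q}:", {j: round(s, 4) for j, s in sums.items()},
              "first violation at j =", first_violation(geometric_profile(q), 6))
```

The condition is sufficient only: a reported violation means Theorem 1 does not apply to that profile, not that no HKZ-reduced basis with those norms exists.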
