Computing an LLL-reduced basis of the orthogonal lattice

Jingwei Chen, Chongqing Key Lab of Automated Reasoning & Cognition, Chongqing Institute of Green and Intelligent Technology, Chinese Academy of Sciences, China
Damien Stehlé, ENS de Lyon, Laboratoire LIP (UMR CNRS - ENS Lyon - UCB Lyon - INRIA), France
Gilles Villard, CNRS, Laboratoire LIP (UMR CNRS - ENS Lyon - UCB Lyon - INRIA), France

May 2018

Abstract
As a typical application, the Lenstra-Lenstra-Lovász lattice basis reduction algorithm (LLL) is used to compute a reduced basis of the orthogonal lattice for a given integer matrix, via reducing a special kind of lattice bases. With such bases in input, we propose a new technique for bounding from above the number of iterations required by the LLL algorithm. The main technical ingredient is a variant of the classical LLL potential, which could prove useful to understand the behavior of LLL for other families of input bases.

arXiv preprint [cs.SC], May 2018

1 Introduction
Let $k < n$ be two positive integers. Given a full column rank $n \times k$ integer matrix $A = (a_{i,j})$, we study the behaviour of the Lenstra-Lenstra-Lovász algorithm (Lenstra et al., 1982) for computing a reduced basis for the orthogonal lattice of $A$,
$$L^{\perp}(A) = \{ m \in \mathbb{Z}^n : A^T m = 0 \} = \ker(A^T) \cap \mathbb{Z}^n. \qquad (1)$$
The algorithm proceeds by unimodular column transformations from the input matrix $\mathrm{Ext}_K(A) \in \mathbb{Z}^{(n+k) \times n}$:
$$\mathrm{Ext}_K(A) := \begin{pmatrix} K \cdot A^T \\ I_n \end{pmatrix} = \begin{pmatrix} K \cdot a_{1,1} & K \cdot a_{2,1} & \cdots & K \cdot a_{n,1} \\ \vdots & \vdots & \ddots & \vdots \\ K \cdot a_{1,k} & K \cdot a_{2,k} & \cdots & K \cdot a_{n,k} \\ 1 & 0 & \cdots & 0 \\ 0 & 1 & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & 1 \end{pmatrix}, \qquad (2)$$
where $K$ is a sufficiently large positive integer. The related definitions and the LLL algorithm are given in Section 2. The reader may refer to Nguyen and Vallée (2010) for a comprehensive review of LLL, and to Schmidt (1968) and Nguyen and Stern (1997) concerning the orthogonal lattice.

Usual techniques give that LLL reduction requires $O(n^2 \log(K \cdot \|A\|))$ swaps (see Step 7 of Algorithm 1) for a basis as in (2), where $\|A\|$ bounds from above the Euclidean norms of the rows and columns of $A$. We recall that most known LLL reduction algorithms iteratively perform two types of vector operations: translations and swaps. The motivation for studying bounds on the number of swaps comes from the fact that this number governs known cost analyses of the reduction.

Folklore applications of the reduction of bases as in (2) include, for example, the computation of integer relations between real numbers (Håstad et al., 1989; Chen et al., 2013) and the computation of minimal polynomials (Kannan et al., 1984) (see also Nguyen and Vallée (2010)). A main difficulty however, both theoretically and practically, remains to master the scaling parameter $K$, which can be very large. Heuristic and practical solutions may for instance rely on a doubling strategy (successive trials with $K = 2, 2^2, 2^3, \ldots$) for finding a suitable scaling. Or an appropriate value for $K$ may be derived from a priori bounds such as heights of algebraic numbers (Kannan et al., 1984), and may overestimate the smallest suitable value for actual inputs. Since the usual bound on the number of swaps is linear in $\log K$, the overestimation could be a serious drawback. We show that this may not always be the case.

We consider the reduction of a basis as in (2) for obtaining a basis of the orthogonal lattice (1). We establish a bound on the number of swaps that does not depend on $K$ as soon as $K$ is above a threshold value (as specified in (7)). This threshold depends only on the dimension and invariants of the orthogonal lattice.

Our contribution. The analyses of LLL and many LLL variants bound the number of iterations using the geometric decrease of a potential that is defined using the Gram-Schmidt norms of the basis vectors; see (6). We are going to see that this classical potential does not capture a typical unbalancedness of the Gram-Schmidt norms that characterizes bases in (2). Taking into account the latter structure will lead us to a better bound for the number of iterations (see Table 1). Intuitively, as the basis being manipulated becomes reduced, two groups of vectors are formed: some with small Gram-Schmidt norms, and some others with large Gram-Schmidt norms. As soon as they are formed, the two groups do not interfere much.

In Section 3 we introduce a new LLL potential function that generalizes the classical one for capturing the previously mentioned unbalancedness. Its geometric decrease during the execution also leads to a bound on the number of iterations (see Theorem 3.3). In Section 4, we specialize the potential to the case of bases as in (2) for computing the orthogonal lattice $L^{\perp}(A)$. As discussed above, we will see that at some point the number of iterations can be shown to be independent of the scaling parameter $K$, or, in other words, independent of a further increase of the input size.
We note that this new potential is defined for all lattice bases, but it may not always lead to better bounds on the number of LLL iterations.

Related work. The extended gcd algorithm in Havas et al. (1998) uses a basis as in (2) with $k = 1$. It is shown in Havas et al. (1998) that if $K$ is sufficiently large, then the sequence of operations performed by LLL is independent of $K$. A somewhat similar remark had been made in Pohst (1987). We also note that in the analysis of the gradual sub-lattice reduction algorithm of van Hoeij and Novocin (2012), a similar separation of large and small basis vectors was used, also for a better bound on the number of iterations. Our new potential function allows a better understanding of the phenomenon.

We see our potential function for LLL as a new complexity analysis tool that may help further theoretical and practical studies of LLL and its applications. Various approaches exist for computing the orthogonal lattice of $A$, or equivalently an integral kernel basis of $A^T$. A detailed comparison of the methods remains to be done and would however be outside the scope of this paper, which focuses on the properties of the potential. An integral kernel basis may be obtained from a unimodular multiplier for the Hermite normal form of $A$ (Storjohann and Labahn, 1996) (see also Storjohann (2005) for the related linear system solution problem), which may be combined as in Sims (1994) and Chen and Storjohann (2005) with LLL for minimizing the bit size of the output. A direct application of LLL to $\mathrm{Ext}_K(A)$ is an important alternative solution. We refer to Stehlé (2017) and references therein concerning existing LLL variants.

Future work. Future research directions are to apply this potential to bit complexity studies of the LLL basis reduction (Storjohann, 1996; Novocin et al., 2011; Neumaier and Stehlé, 2016), especially for specific input bases. Indeed, an interesting problem is to design an algorithm for computing a reduced basis for $L^{\perp}(A)$ that features a bit complexity bound independent of the scaling parameter, and to compare it to approaches based on the Hermite normal form.

Notations.
Throughout the paper, vectors are in column and denoted in bold. For $x \in \mathbb{R}^m$, $\|x\|$ is the Euclidean norm of $x$. Matrices are denoted by upper case letters in bold, such as $A$, $B$, etc. For a matrix $A$, $A^T$ is the transpose of $A$, and $\|A\|$ bounds the Euclidean norms of the columns and rows of $A$. The base of logarithm is 2.

2 Preliminaries
We give some basic definitions and results that are needed for the rest of the paper. A comprehensive presentation of the LLL algorithm and its applications may be found in Nguyen and Vallée (2010).

Gram-Schmidt orthogonalization. Let $b_1, \ldots, b_n \in \mathbb{R}^m$ be linearly independent vectors. Their Gram-Schmidt orthogonalization $b_1^*, \ldots, b_n^*$ is defined as follows: $b_1^* = b_1$ and, for all $i > 1$,
$$b_i^* = b_i - \sum_{j=1}^{i-1} \mu_{i,j}\, b_j^*, \qquad \text{where } \mu_{i,j} = \frac{\langle b_i, b_j^* \rangle}{\langle b_j^*, b_j^* \rangle} \text{ for all } i > j$$
are called the Gram-Schmidt coefficients. We call the $\|b_i^*\|$'s the Gram-Schmidt norms of the $b_i$'s.

Lattices. A lattice $\Lambda \subseteq \mathbb{R}^m$ is a discrete additive subgroup of $\mathbb{R}^m$. If $(b_i)_{i \le n}$ is a set of generators for $\Lambda$, then
$$\Lambda = L(b_1, \ldots, b_n) = \Big\{ \sum_{i=1}^{n} z_i b_i : z_i \in \mathbb{Z} \Big\}.$$
If the $b_i$'s are linearly independent, then they are said to form a basis of $\Lambda$. When $n \ge 2$, there exist infinitely many bases for a lattice. Every basis is related to any other by an integral unimodular transformation (a linear transformation with determinant $\pm 1$). Further, the number of vectors of different bases of a lattice $\Lambda$ is always the same, and we call this number the dimension of the lattice, denoted by $\dim(\Lambda)$. If $B = (b_1, \ldots, b_n) \in \mathbb{R}^{m \times n}$ is a basis for a lattice $\Lambda = L(B)$, the determinant of the lattice is defined as $\det(\Lambda) = \sqrt{\det(B^T B)}$. It is invariant across all bases of $\Lambda$.

Successive minima. For a given lattice $\Lambda$, we let $\lambda_1(\Lambda)$ denote the minimum Euclidean norm of vectors in $\Lambda \setminus \{0\}$. From Minkowski's first theorem, we have $\lambda_1(\Lambda) \le \sqrt{n} \cdot \det(\Lambda)^{1/n}$, where $n = \dim(\Lambda)$. More generally, for all $1 \le i \le n$, we define the $i$-th minimum as
$$\lambda_i(\Lambda) = \min_{\substack{v_1, \ldots, v_i \in \Lambda \\ \text{linearly independent}}} \ \max_{j \le i} \|v_j\|.$$
Minkowski's second theorem states that $\prod_{i \le n} \lambda_i(\Lambda) \le \sqrt{n}^{\,n} \cdot \det(\Lambda)$.

Sublattices. Let $\Lambda \subseteq \mathbb{R}^n$ be a lattice. We say that $\Lambda'$ is a sublattice of $\Lambda$ if $\Lambda' \subseteq \Lambda$ is a lattice as well. If $\Lambda'$ is a sublattice of $\Lambda$, then $\lambda_i(\Lambda) \le \lambda_i(\Lambda')$ for $i \le \dim(\Lambda')$. A sublattice $\Lambda'$ of $\Lambda \subset \mathbb{R}^n$ is said to be primitive if there exists a subspace $E$ of $\mathbb{R}^n$ such that $\Lambda' = \Lambda \cap E$.

Orthogonal lattices. Given a full column rank matrix $A \in \mathbb{Z}^{n \times k}$, the set $L^{\perp}(A)$ defined in (1) forms a lattice, called the orthogonal lattice of $A$. We have $\dim(L^{\perp}(A)) = n - k$. Using $\ker(A^T)^{\perp} = \mathrm{Im}(A)$ and a corollary of Schmidt (1968) for primitive lattices, we have
$$\det(L^{\perp}(A)) = \det(\mathbb{Z}^n \cap \ker(A^T)) = \det(\mathbb{Z}^n \cap \mathrm{Im}(A));$$
then $L(A) \subseteq \mathbb{Z}^n \cap \mathrm{Im}(A)$ and Hadamard's inequality lead to
$$\det(L^{\perp}(A)) \le \det(L(A)) \le \|A\|^k. \qquad (3)$$

LLL-reduced bases. The goal of lattice basis reduction is to find a basis with vectors as short and orthogonal to each other as possible. Among numerous lattice reduction notions, the LLL-reduction (Lenstra et al., 1982) is one of the most commonly used. Let $1/4 < \delta < 1$. Let $B = (b_1, \ldots, b_n) \in \mathbb{R}^{m \times n}$ be a basis of a lattice $\Lambda$. We say that $B$ is size-reduced if all Gram-Schmidt coefficients satisfy $|\mu_{i,j}| \le 1/2$. We say that $B$ satisfies the Lovász conditions if for all $i < n$ we have $\delta \|b_i^*\|^2 \le \|b_{i+1}^*\|^2 + \mu_{i+1,i}^2 \|b_i^*\|^2$. If a basis $B$ is size-reduced and satisfies the Lovász conditions, then we say that $B$ is LLL-reduced (with respect to the parameter $\delta$). If a basis $B = (b_1, \ldots, b_n)$ of $\Lambda$ is LLL-reduced, then we have:
$$\forall i < n,\ \|b_i^*\|^2 \le \alpha \|b_{i+1}^*\|^2, \qquad \forall i \le n,\ \|b_i\|^2 \le \alpha^{i-1} \|b_i^*\|^2, \qquad (4)$$
$$\forall i \le j \le n,\ \|b_i\|^2 \le \alpha^{n-1} \lambda_j(\Lambda)^2, \qquad (5)$$
where $\alpha = 1/(\delta - 1/4)$. In particular, we have $\|b_1\| \le \alpha^{(n-1)/2} \lambda_1(\Lambda)$. In this paper, we use the original LLL parameter $\delta = 3/4$ and hence $\alpha = 2$.

The LLL algorithm. We now sketch the LLL algorithm. Although there exist many LLL variants in the literature, most of them follow the following structure. Step 7 is called an LLL swap.

Algorithm 1 (LLL)
Input: A basis $(b_i)_{i \le n}$ of a lattice $\Lambda \subseteq \mathbb{Z}^n$.
Output: An LLL-reduced basis of $\Lambda$.
1: $i := 2$
2: while $i \le n$ do
3:   Size-reduce $b_i$ by $b_1, \ldots, b_{i-1}$;
4:   if the Lovász condition holds for $i$ then
5:     Set $i := i + 1$
6:   else
7:     (LLL swap) Swap $b_i$ and $b_{i-1}$; set $i := \max\{i - 1, 2\}$;
8:   end if
9: end while
10: Return $(b_i)_{i \le n}$.

To clarify the structure of the algorithm, we omit some details in the above description, e.g., the update of Gram-Schmidt coefficients. From the sketch, we see that we can bound the running time of LLL by the number of while loop iterations times the cost of each iteration. In fact, most cost bounds for LLL variants proceed via this simple argument. It was shown in Lenstra et al. (1982) that the number of LLL swaps is $O(n^2 \log \|B\|)$. The following lemma plays a very important role in the analysis of LLL; see Lenstra et al. (1982) for a proof.

Lemma 2.1. Let $B$ and $B'$ be the bases before and after an LLL swap between $b_i$ and $b_{i+1}$, respectively. Then
$$\max\{\|b_i'^*\|, \|b_{i+1}'^*\|\} \le \max\{\|b_i^*\|, \|b_{i+1}^*\|\}, \qquad \min\{\|b_i'^*\|, \|b_{i+1}'^*\|\} \ge \min\{\|b_i^*\|, \|b_{i+1}^*\|\},$$
$$\|b_i^*\| \cdot \|b_{i+1}^*\| = \|b_i'^*\| \cdot \|b_{i+1}'^*\|, \qquad \frac{\|b_{i+1}'^*\|}{\|b_{i+1}^*\|} = \frac{\|b_i^*\|}{\|b_i'^*\|} \ge \frac{2}{\sqrt{3}},$$
$$\forall j \notin \{i, i+1\} : \ b_j'^* = b_j^*.$$

3 A new potential
In this section, we introduce a variant of the classical LLL potential
$$\Pi(B) = \sum_{i=1}^{n-1} (n - i) \log \|b_i^*\| \qquad (6)$$
of a lattice basis $B$. The variant we introduce is well-suited for analyzing the number of LLL swaps for the case that both the input and output bases have $k$ large Gram-Schmidt norms and $n - k$ small Gram-Schmidt norms, for some $k < n$. This is for example the case for the input basis as in (2); see Section 4.2. The new potential is aimed at accurately measuring the progress made during the LLL execution, for such unbalanced bases.

Definition 3.1. Let $k \le n \le m$ be positive integers and $B \in \mathbb{R}^{m \times n}$ be full column rank. We let $s_1 < \ldots < s_{n-k}$ be the indices of the $n - k$ smallest Gram-Schmidt norms of $B$ (using the lexicographical order in case there are several $(n-k)$-th smallest Gram-Schmidt norms), and set $S = \{s_i\}_{i \le n-k}$. We let $\ell_1 < \ldots < \ell_k$ be the indices of the other $k$ Gram-Schmidt norms, and set $L = \{\ell_j\}_{j \le k}$. The $k$-th LLL potential of $B$ is defined as:
$$\Pi_k(B) = \sum_{j=1}^{k-1} (k - j) \log \|b_{\ell_j}^*\| - \sum_{i=1}^{n-k} i \log \|b_{s_i}^*\| + \sum_{i=1}^{n-k} s_i.$$
Note that for $k = n$, we recover the classical potential $\Pi$. The rationale behind $\Pi_k$ is that in some cases we know that the output basis is made of vectors of very unbalanced Gram-Schmidt norms. As this basis is reduced, this means the first vectors have a small Gram-Schmidt norm, while the last vectors have large Gram-Schmidt norms. During the execution of LLL, such short and large vectors do not interfere much. This is an unusual phenomenon: most often, long vectors are made shorter and short vectors are made longer, so that they are all balanced at the end. But this can happen if the long vectors are rather orthogonal to the short ones. When this is the case, LLL actually runs faster than usual, because it merely "sorts" the short vectors and the long vectors, without making them interact to create shorter vectors.
Of course, it can do more intense computations among the short vectors and among the long vectors. Unbalancedness of Gram-Schmidt norms is not captured by the classical potential, but it is with $\Pi_k$. In particular, the new potential $\Pi_k$ allows to not "pay" for the output unbalancedness in the analysis of the number of LLL swaps.

Similarly to the classical potential, the $k$-th LLL potential monotonically decreases with the number of LLL swaps. More precisely, we have the following.

Proposition 3.2. Let $B$ and $B'$ be the current $n$-dimensional lattice bases before and after an LLL swap. Then for any $k \le n$, we have
$$\Pi_k(B) - \Pi_k(B') \ge \log\Big(\frac{2}{\sqrt{3}}\Big).$$

Proof. Recall that $S$ and $L$ are the index sets for the $n - k$ smallest Gram-Schmidt norms and the other $k$ Gram-Schmidt norms of the lattice basis $B$. We define $S'$ and $L'$ for $B'$ similarly. In the sums below, the $j = k$ term of $\Pi_k$ is included; it vanishes.

Suppose that this LLL swap occurs between $b_\kappa$ and $b_{\kappa+1}$. Then we must be in one of the following four cases. (The case $\kappa \in S$, $\kappa + 1 \in L$ cannot occur: then $\|b_{\kappa+1}^*\| \ge \|b_\kappa^*\|$, so the Lovász condition holds at $\kappa$ and no swap takes place.)

Case 1: $\kappa \in S$ and $\kappa + 1 \in S$. Let $i \le n - k$ such that $\kappa = s_i$ and $\kappa + 1 = s_{i+1}$. From Lemma 2.1, we have $S' = S$ and $L' = L$, and hence $\kappa = s_i'$ and $\kappa + 1 = s_{i+1}'$. For the other indices, we have $s_{i'}' = s_{i'}$ (for $i' \le n - k$) and $\ell_j' = \ell_j$ (for $j \le k$). Then
$$\Pi_k(B) - \Pi_k(B') = \sum_{j=1}^{k} (k - j) \log \frac{\|b_{\ell_j}^*\|}{\|b_{\ell_j'}'^*\|} + \sum_{i'=1}^{n-k} i' \log \frac{\|b_{s_{i'}'}'^*\|}{\|b_{s_{i'}}^*\|} + \sum_{i'=1}^{n-k} \big( s_{i'} - s_{i'}' \big)$$
$$= i \log \frac{\|b_{s_i'}'^*\|}{\|b_{s_i}^*\|} + (i + 1) \log \frac{\|b_{s_{i+1}'}'^*\|}{\|b_{s_{i+1}}^*\|} = \log \frac{\|b_{\kappa+1}'^*\|}{\|b_{\kappa+1}^*\|} \ge \log\Big(\frac{2}{\sqrt{3}}\Big),$$
where the second equality uses $\|b_\kappa^*\| \cdot \|b_{\kappa+1}^*\| = \|b_\kappa'^*\| \cdot \|b_{\kappa+1}'^*\|$ and the last inequality follows from Lemma 2.1.

Case 2: $\kappa \in L$ and $\kappa + 1 \in L$. The treatment of Case 1 can be adapted readily.

Case 3: $\kappa \in L$, $\kappa + 1 \in S$, $S' = S$ and $L' = L$. Let $j \le k$ such that $\kappa = \ell_j$, and $i \le n - k$ such that $\kappa + 1 = s_i$. Then we have $\kappa = \ell_j'$ and $\kappa + 1 = s_i'$. For the other indices, we have $s_{i'}' = s_{i'}$ (for $i' \le n - k$) and $\ell_{j'}' = \ell_{j'}$ (for $j' \le k$). Thus
$$\Pi_k(B) - \Pi_k(B') = \sum_{j'=1}^{k} (k - j') \log \frac{\|b_{\ell_{j'}}^*\|}{\|b_{\ell_{j'}'}'^*\|} + \sum_{i'=1}^{n-k} i' \log \frac{\|b_{s_{i'}'}'^*\|}{\|b_{s_{i'}}^*\|} + \sum_{i'=1}^{n-k} \big( s_{i'} - s_{i'}' \big)$$
$$= (k - j) \log \frac{\|b_{\ell_j}^*\|}{\|b_{\ell_j'}'^*\|} + i \log \frac{\|b_{s_i'}'^*\|}{\|b_{s_i}^*\|} = (k - j + i) \log \frac{\|b_{\kappa+1}'^*\|}{\|b_{\kappa+1}^*\|} \ge \log\Big(\frac{2}{\sqrt{3}}\Big),$$
where the last inequality follows from Lemma 2.1 and the fact that $k - j + i \ge 1$.

Case 4: $\kappa \in L$, $\kappa + 1 \in S$, $S' = S \cup \{\kappa\} \setminus \{\kappa + 1\}$ and $L' = L \cup \{\kappa + 1\} \setminus \{\kappa\}$. Let $j \le k$ such that $\kappa = \ell_j$, and $i \le n - k$ such that $\kappa + 1 = s_i$. Then $\kappa = s_i'$ and $\kappa + 1 = \ell_j'$. For the other indices, we have $s_{i'}' = s_{i'}$ (for $i' \le n - k$) and $\ell_{j'}' = \ell_{j'}$ (for $j' \le k$). Then
$$\Pi_k(B) - \Pi_k(B') = \sum_{j'=1}^{k} (k - j') \log \frac{\|b_{\ell_{j'}}^*\|}{\|b_{\ell_{j'}'}'^*\|} + \sum_{i'=1}^{n-k} i' \log \frac{\|b_{s_{i'}'}'^*\|}{\|b_{s_{i'}}^*\|} + \sum_{i'=1}^{n-k} \big( s_{i'} - s_{i'}' \big)$$
$$= (k - j) \log \frac{\|b_{\ell_j}^*\|}{\|b_{\ell_j'}'^*\|} + i \log \frac{\|b_{s_i'}'^*\|}{\|b_{s_i}^*\|} + 1 = (k - j) \log \frac{\|b_\kappa^*\|}{\|b_{\kappa+1}'^*\|} + i \log \frac{\|b_\kappa'^*\|}{\|b_{\kappa+1}^*\|} + 1 \ge 1,$$
where both logarithms are nonnegative by Lemma 2.1 (the maximum of the two swapped Gram-Schmidt norms does not increase and their minimum does not decrease).

The observation that $1 \ge \log(2/\sqrt{3})$ allows to complete the proof. ∎

With the above property of the $k$-th LLL potential, we can bound the number of LLL swaps that LLL performs.

Theorem 3.3. Let $B \in \mathbb{R}^{m \times n}$ be a full column rank matrix. Let $B'$ be the basis returned by the LLL algorithm when given $B$ as input. Then the number of swaps that LLL performs is no greater than
$$\min_{1 \le k \le n} \frac{\Pi_k(B) - \Pi_k(B')}{\log\big(2/\sqrt{3}\big)}.$$

4 Orthogonal lattices
As an application of the $k$-th LLL potential $\Pi_k$, we consider the problem of computing an LLL-reduced basis of an orthogonal lattice. Let $A \in \mathbb{Z}^{n \times k}$ with $n \ge k$. We aim at computing an LLL-reduced basis of the orthogonal lattice $L^{\perp}(A)$, by LLL-reducing $\mathrm{Ext}_K(A)$ (as defined in (2)), for a sufficiently large integer $K$.

In Subsection 4.1, we provide a sufficient condition on the scaling parameter $K$ so that an LLL-reduced basis of $L^{\perp}(A)$ can be extracted from an LLL-reduced basis of $L(\mathrm{Ext}_K(A))$. For such a sufficiently large $K$, we study the Gram-Schmidt orthogonalizations of the input and output bases of the LLL call on $\mathrm{Ext}_K(A)$ in Subsection 4.2, and we provide a bound on the number of required LLL swaps which is independent of $K$ in Subsection 4.3.

4.1 Correctness
For $n \ge k$, we define $\sigma_{n,k}$ as the map that embeds $\mathbb{R}^n$ into $\mathbb{R}^{n+k}$ by adding $0$'s in the first $k$ coordinates:
$$\sigma_{n,k} : \mathbb{R}^n \to \mathbb{R}^{n+k}, \qquad (x_1, \ldots, x_n)^T \mapsto (\underbrace{0, \ldots, 0}_{k}, \underbrace{x_1, \ldots, x_n}_{n})^T.$$
We also define $\delta_{n,k}$ as the map that erases the first $k$ coordinates of a vector in $\mathbb{R}^{n+k}$:
$$\delta_{n,k} : \mathbb{R}^{n+k} \to \mathbb{R}^n, \qquad (x_1, \ldots, x_k, x_{k+1}, \ldots, x_{k+n})^T \mapsto (x_{k+1}, \ldots, x_{k+n})^T.$$
We extend these functions to matrices in the canonical way. The following proposition is adapted from Nguyen and Stern (1997) (see also Nguyen (1999)). It shows that if $K$ is sufficiently large, then calling the LLL algorithm on $\mathrm{Ext}_K(A)$ provides an LLL-reduced basis of $L^{\perp}(A)$.

Proposition 4.1. Let $A \in \mathbb{Z}^{n \times k}$ be full column rank and $B = \mathrm{Ext}_K(A)$. If $B'$ is an LLL-reduced basis of $L(B)$ and
$$K > 2^{(n-1)/2} \cdot \lambda_{n-k}(L^{\perp}(A)), \qquad (7)$$
then $\delta_{n,k}(b_1'), \ldots, \delta_{n,k}(b_{n-k}')$ is an LLL-reduced basis of $L^{\perp}(A)$.

Proof. As $A \in \mathbb{Z}^{n \times k}$ is full column rank, we have $\dim(L^{\perp}(A)) = n - k$. For any basis $C \in \mathbb{Z}^{n \times (n-k)}$ of $L^{\perp}(A)$, we have $\sigma_{n,k}(C) = B \cdot C$, and hence the lattice $\sigma_{n,k}(L^{\perp}(A))$ is a sublattice of $L(B)$. This implies that, for all $i \le n - k$,
$$\lambda_i(L(B)) \le \lambda_i(\sigma_{n,k}(L^{\perp}(A))) = \lambda_i(L^{\perp}(A)).$$
It follows from (5) that, for all $i \le n - k$,
$$\|b_i'\| \le 2^{(n-1)/2} \cdot \lambda_{n-k}(L(B)) \le 2^{(n-1)/2} \cdot \lambda_{n-k}(L^{\perp}(A)). \qquad (8)$$
We now assume (by contradiction) that $\delta_{n,k}(b_i') \notin L^{\perp}(A)$ for some $i \le n - k$. Note that, since the bottom block of $B$ is $I_n$,
$$b_i' = B \cdot \delta_{n,k}(b_i') = \big( K \cdot \delta_{n,k}(b_i')^T \cdot A \ \big|\ \delta_{n,k}(b_i')^T \big)^T.$$
As the subvector $K \cdot \delta_{n,k}(b_i')^T \cdot A$ is a non-zero integer vector times $K$, and using the assumption on $K$, we obtain that
$$\|b_i'\|^2 = \|K \cdot \delta_{n,k}(b_i')^T \cdot A\|^2 + \|\delta_{n,k}(b_i')\|^2 \ge K^2 > 2^{n-1} \cdot \lambda_{n-k}(L^{\perp}(A))^2,$$
which contradicts (8).

From the above, we obtain that $\delta_{n,k}(b_1'), \ldots, \delta_{n,k}(b_{n-k}')$ are linearly independent vectors in $L^{\perp}(A)$. They actually form a basis of $L^{\perp}(A)$. To see this, consider an arbitrary vector $c \in L^{\perp}(A)$. The vector $B \cdot c$ belongs to the real span of $b_1', \ldots, b_{n-k}'$ and to $L(B)$. As $B'$ is a basis of $L(B)$, the vector $B \cdot c$ is an integer combination of $b_1', \ldots, b_{n-k}'$, and the vector $c$ is an integer combination of $\delta_{n,k}(b_1'), \ldots, \delta_{n,k}(b_{n-k}')$.

Since $B'$ is LLL-reduced and the first $k$ coordinates of each $b_i'$ ($i \le n - k$) are $0$, we obtain that $\delta_{n,k}(b_1'), \ldots, \delta_{n,k}(b_{n-k}')$ form an LLL-reduced basis of $L^{\perp}(A)$. ∎

To make this condition on $K$ effective, we use some upper bounds on $\lambda_{n-k}(L^{\perp}(A))$. For instance, from Minkowski's second theorem and $\lambda_i(L^{\perp}(A)) \ge 1$ for all $i$ (as $L^{\perp}(A) \subseteq \mathbb{Z}^n$), we have
$$\lambda_{n-k}(L^{\perp}(A)) \le (n-k)^{(n-k)/2} \cdot \det(L^{\perp}(A)) \le (n-k)^{(n-k)/2} \cdot \|A\|^k.$$
Hence
$$K > 2^{(n-1)/2} \cdot (n-k)^{(n-k)/2} \cdot \|A\|^k \qquad (9)$$
suffices to guarantee that (7) holds.

The bound in (9) can be very loose. Indeed, in many cases, we expect the minima of $L^{\perp}(A)$ to be balanced, and if they are so, then the following bound would suffice:
$$K > 2^{\Omega(n)} \cdot \|A\|^{k/(n-k)}. \qquad (10)$$
For such a scaling parameter $K$, according to Proposition 4.1, after termination of the LLL call with $\mathrm{Ext}_K(A)$ as its input, the output matrix must be of the following form:
$$\begin{pmatrix} 0 & K \cdot M \\ C & \ast \end{pmatrix}, \qquad (11)$$
where the columns of $C \in \mathbb{Z}^{n \times (n-k)}$ form an LLL-reduced basis of the lattice $L^{\perp}(A)$, and the top-right block is an integer multiple $K \cdot M$ of $K$.

4.2 On the LLL input and output bases
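Before the analysis of the Gram-Schmidt norms, the construction of Section 4.1 carried out in code, as an added worked example that is not part of the paper: an exact-arithmetic implementation of Algorithm 1 that counts LLL swaps and records the decrease of the $k$-th potential $\Pi_k$ of Definition 3.1 at every swap, the scaled basis $\mathrm{Ext}_K(A)$ of (2), and the extraction $\delta_{n,k}(b_1'), \ldots, \delta_{n,k}(b_{n-k}')$ of Proposition 4.1, with a check that the top $k \times (n-k)$ block of the reduced basis is actually zero (the function raises when $K$ is too small for that block to vanish). The $4 \times 2$ matrix $A$ is a constructed sample input and all function and variable names are the example's own. Running it for two values of $K$ gives, for each run, the swap count that the paper's analysis bounds independently of $K$, together with the smallest observed drop of $\Pi_k$, which Proposition 3.2 says is at least $\log_2(2/\sqrt{3})$.

```python
"""Added worked example (not the paper's code): exact-arithmetic LLL with a swap
counter (Algorithm 1), the scaled basis Ext_K(A) of (2), extraction of a basis of
the orthogonal lattice as in Proposition 4.1, and the k-th potential of
Definition 3.1.  The 4 x 2 matrix A at the bottom is a constructed sample input."""
from fractions import Fraction
from math import log2, sqrt

SWAP_DROP = log2(2 / sqrt(3))   # minimum decrease of Pi_k per swap (Proposition 3.2)


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def gram_schmidt(B):
    """Return (B*, mu) for the column vectors B[0..n-1]; all entries are Fractions."""
    n, Bstar, mu = len(B), [], [[Fraction(0)] * len(B) for _ in B]
    for i in range(n):
        v = list(B[i])
        for j in range(i):
            mu[i][j] = dot(B[i], Bstar[j]) / dot(Bstar[j], Bstar[j])
            v = [a - mu[i][j] * b for a, b in zip(v, Bstar[j])]
        Bstar.append(v)
    return Bstar, mu


def potential_k(B, k):
    """Pi_k(B) of Definition 3.1 (base-2 logarithms, 1-based indices s_i)."""
    n = len(B)
    sq = [dot(v, v) for v in gram_schmidt(B)[0]]            # ||b_i^*||^2, exact
    order = sorted(range(n), key=lambda i: (sq[i], i))       # ties: lexicographic
    S, L = sorted(order[:n - k]), sorted(order[n - k:])      # 0-based index sets
    val = sum((k - j) * log2(float(sq[L[j - 1]])) / 2 for j in range(1, k + 1))
    val -= sum(i * log2(float(sq[S[i - 1]])) / 2 for i in range(1, n - k + 1))
    return val + sum(s + 1 for s in S)


def lll(B, delta=Fraction(3, 4), k=None):
    """Algorithm 1 with delta = 3/4.  Returns (reduced basis, #swaps, drops), where
    drops[t] = Pi_k before swap t minus Pi_k after it (recorded when k is given)."""
    B = [[Fraction(x) for x in v] for v in B]
    n, swaps, drops, i = len(B), 0, [], 1
    while i < n:
        Bstar, mu = gram_schmidt(B)
        for j in range(i - 1, -1, -1):                       # Step 3: size-reduce b_i
            q = round(mu[i][j])
            if q:
                B[i] = [a - q * b for a, b in zip(B[i], B[j])]
                for l in range(j):
                    mu[i][l] -= q * mu[j][l]
                mu[i][j] -= q
        prev = dot(Bstar[i - 1], Bstar[i - 1])
        if delta * prev <= dot(Bstar[i], Bstar[i]) + mu[i][i - 1] ** 2 * prev:
            i += 1                                           # Lovasz condition holds
        else:                                                # Step 7: LLL swap
            before = potential_k(B, k) if k else None
            B[i], B[i - 1] = B[i - 1], B[i]
            swaps += 1
            if k:
                drops.append(before - potential_k(B, k))
            i = max(i - 1, 1)
    return B, swaps, drops


def ext_k(A, K):
    """Columns of Ext_K(A) = (K * A^T ; I_n) for an n x k integer matrix A given by rows."""
    n, k = len(A), len(A[0])
    return [[K * A[c][t] for t in range(k)] + [int(r == c) for r in range(n)]
            for c in range(n)]


def orthogonal_lattice_basis(A, K):
    """LLL-reduce Ext_K(A) and return (C, swaps, drops) with C = delta_{n,k} of the
    first n-k output vectors, an LLL-reduced basis of L^perp(A) once K satisfies (7)."""
    n, k = len(A), len(A[0])
    Bred, swaps, drops = lll(ext_k(A, K), k=k)
    if any(x != 0 for v in Bred[:n - k] for x in v[:k]):
        raise ValueError("K too small: first n-k output vectors are not in sigma(L^perp(A))")
    return [[int(x) for x in v[k:]] for v in Bred[:n - k]], swaps, drops


def in_orthogonal_lattice(A, m):
    """Membership test for (1): A^T m = 0."""
    return all(sum(A[r][t] * m[r] for r in range(len(A))) == 0 for t in range(len(A[0])))


A = [[1, 2], [3, 1], [2, 5], [4, 3]]      # constructed sample: n = 4, k = 2, full column rank

if __name__ == "__main__":
    for K in (2 ** 20, 2 ** 40):
        C, swaps, drops = orthogonal_lattice_basis(A, K)
        print(f"K = 2^{K.bit_length() - 1}: {swaps} swaps, basis {C}, "
              f"min Pi_k drop {min(drops):.4f} (>= {SWAP_DROP:.4f})")
```

The Gram-Schmidt data is recomputed from scratch at every loop iteration, which keeps the code close to the sketch of Algorithm 1 at the price of efficiency; the whole computation is in exact rationals so that the Lovász test and the index sets $S$ and $L$ of Definition 3.1 are decided without rounding. For this $A$ the orthogonal lattice has determinant $21$ and is generated by $(-1,-1,0,1)$ and $(-9,5,5,-4)$, which are orthogonal, so the extracted basis consists of those two vectors up to sign.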
To bound the number of LLL swaps, we first investigate the matrix $B = \mathrm{Ext}_K(A)$ given as input to the LLL algorithm, and the output matrix $B'$.

Intuitively, from the shape of $B$ and the fact that $A$ is full rank, there must be $k$ Gram-Schmidt norms of $B$ that are "impacted" by the scaling parameter $K$, and hence have large magnitude, while the other $n - k$ Gram-Schmidt norms of $B$ should be of small magnitude.

On the other hand, recall that $B'$ is of the form (11). Since only the first $k$ coordinates are related to the scaling parameter $K$, the submatrix $C$ is "independent" of $K$. Thus, each of $\|b_1'^*\|, \ldots, \|b_{n-k}'^*\|$ should be relatively small (for a sufficiently large $K$), while each of $\|b_{n-k+1}'^*\|, \ldots, \|b_n'^*\|$ is "impacted" by $K$, and hence of large magnitude. The following result formalizes this discussion.

Proposition 4.2. Let $A \in \mathbb{Z}^{n \times k}$ be of full column rank and $B'$ the output basis of LLL with $B = \mathrm{Ext}_K(A)$ as input. If the scaling parameter $K \in \mathbb{Z}$ satisfies (7), then for the output matrix $B'$ we have
$$\forall i \le n - k,\ \forall j > n - k, \qquad \|b_i'^*\| < \|b_j'^*\|.$$

Proof. From Proposition 4.1, we know that $B'$ is of the form
$$\begin{pmatrix} 0 & \ast \\ C & \ast \end{pmatrix},$$
and that the columns of $C \in \mathbb{Z}^{n \times (n-k)}$ form an LLL-reduced basis of $L^{\perp}(A)$. (In fact, the resulting matrix gives more information than an LLL-reduced basis of $L^{\perp}(A)$: for instance, the columns of the top-right block $K \cdot M$ of (11) form a basis of the lattice generated by the rows of $A$.) We thus have, for $i \le n - k$, applying (5) to the $(n-k)$-dimensional lattice $L^{\perp}(A)$,
$$\|b_i'^*\| \le \|b_i'\| = \|c_i\| \le 2^{(n-k-1)/2} \lambda_{n-k}(L^{\perp}(A)).$$
Further, the first $k$ coordinates of $b_1'^*, \ldots, b_{n-k}'^*$ are $0$, so the first $k$ coordinates of $b_{n-k+1}'^*$ are those of $b_{n-k+1}'$, a non-zero integer vector times $K$ (it is non-zero because $b_{n-k+1}'$ is independent of $b_1', \ldots, b_{n-k}'$, whose span is $\sigma_{n,k}(\ker(A^T))$); hence $\|b_{n-k+1}'^*\| \ge K$, and by (4), for $n - k < j \le n$, we have
$$\|b_j'^*\| \ge 2^{-k/2} \|b_{n-k+1}'^*\| \ge 2^{-k/2} K.$$
The choice of $K$ in (7) allows to complete the proof. ∎

We observe again that combining the condition of Proposition 4.1 together with a general purpose bound on $\lambda_{n-k}(L^{\perp}(A))$ allows to obtain a sufficient bound on $K$ that can be efficiently derived from $A$.

Although $\|b_{s_i}^*\|$ is relatively small with respect to $K$, it can be bounded from below. In fact, we have a more general lower bound:
$$\forall i \le n, \qquad \|b_i^*\| \ge 1. \qquad (12)$$
This is because there is a coordinate of $b_i$ (the $(k+i)$-th one, see (2)) which is equal to $1$ and equal to $0$ in all other $b_j$'s; as $b_i^*$ differs from $b_i$ by a combination of $b_1, \ldots, b_{i-1}$, this coordinate of $b_i^*$ is also $1$. This lower bound will be helpful in the proof of Theorem 4.3.

4.3 Bounding the number of LLL swaps
Suppose that $K$ is a sufficiently large positive integer satisfying (7). Proposition 4.1 guarantees that we can use LLL with $B = \mathrm{Ext}_K(A)$ as input to compute an LLL-reduced basis for $L^{\perp}(A)$. We now study the number of LLL swaps performed in this call to the LLL algorithm.

Theorem 4.3. Let $A \in \mathbb{Z}^{n \times k}$ with a non-zero $k$-th principal minor, and $K$ an integer satisfying (7). Then, given $B = \mathrm{Ext}_K(A)$ as its input, LLL computes (as a submatrix of the returned basis) an LLL-reduced basis of $L^{\perp}(A)$ after at most
$$O\Big( k^3 + k\Big(n - \frac{k}{2}\Big)\big(1 + \log \|A\|\big) \Big)$$
LLL swaps, where $\|A\|$ is the maximum of the Euclidean norms of all rows and columns of the matrix $A$.

Proof. From Proposition 4.1, the LLL algorithm allows to obtain an LLL-reduced basis for $L^{\perp}(A)$. We know from Theorem 3.3 that in order to obtain an upper bound on the number of LLL swaps, it suffices to find an upper bound on $\Pi_k(B)$ and a lower bound on $\Pi_k(B')$, where $B'$ is the basis returned by LLL when given $B$ as input. From (12), and since $s_i \le k + i$ (the $n - k$ indices of $S$ are distinct integers in $[1, n]$) and every column of $B$ has norm at most $\sqrt{K^2 \|A\|^2 + 1} \le 2 K \|A\|$, we have
$$\Pi_k(B) = \sum_{j=1}^{k} (k - j) \log \|b_{\ell_j}^*\| - \sum_{i=1}^{n-k} i \log \|b_{s_i}^*\| + \sum_{i=1}^{n-k} s_i \le \sum_{j=1}^{k} (k - j) \log \|b_{\ell_j}^*\| + \sum_{i=1}^{n-k} s_i$$
$$\le \sum_{j=1}^{k} (k - j) \log \|b_{\ell_j}\| + \sum_{i=1}^{n-k} (k + i) \le \big( 1 + \log K + \log \|A\| \big) \frac{k(k-1)}{2} + \frac{(n-k)(n+k+1)}{2}.$$
Similarly, by Proposition 4.2 we have $s_i' = i$ for $i \le n - k$ and $\ell_j' = n - k + j$ for $j \le k$, so that
$$\Pi_k(B') = \sum_{j=1}^{k} (k - j) \log \|b_{\ell_j'}'^*\| - \sum_{i=1}^{n-k} i \log \|b_{s_i'}'^*\| + \sum_{i=1}^{n-k} s_i' = \sum_{j=1}^{k} (k - j) \log \|b_{n-k+j}'^*\| - \sum_{i=1}^{n-k} i \log \|b_i'^*\| + \sum_{i=1}^{n-k} i.$$
Since the first $k$ coefficients of $b_i'^*$ are $0$ (for $i \le n - k$) and $A$ is full rank, we must have $\|b_{n-k+1}'^*\| \ge K$. Further, since $B'$ is LLL-reduced, combining with (4) we have, for $j \le k$,
$$\|b_{n-k+j}'^*\| \ge 2^{-(j-1)/2} \|b_{n-k+1}'^*\| \ge 2^{-(j-1)/2} K \ge 2^{-k/2} K.$$
We hence obtain
$$\Pi_k(B') \ge \Big( \log K - \frac{k}{2} \Big) \sum_{j=1}^{k} (k - j) - \sum_{i=1}^{n-k} i \log \|b_i'^*\| + \frac{(n-k)(n-k+1)}{2}$$
$$\ge \frac{k(k-1)}{2} \Big( \log K - \frac{k}{2} \Big) - (n-k) \sum_{i=1}^{n-k} \log \|b_i'^*\| + \frac{(n-k)(n-k+1)}{2},$$
where the last inequality uses the fact that the $\|b_i'^*\|$'s are $\ge 1$. This is true for the $\|b_i^*\|$'s by (12), and LLL cannot make the minimum Gram-Schmidt norm decrease (Lemma 2.1). Using $\prod_{i \le n-k} \|b_i'^*\| = \det(L^{\perp}(A))$ and (3), we obtain:
$$\Pi_k(B') \ge \frac{k(k-1)}{2} \Big( \log K - \frac{k}{2} \Big) - (n-k)\, k \log \|A\| + \frac{(n-k)(n-k+1)}{2}.$$
Subtracting the two bounds (the terms in $\log K$ cancel) and using Theorem 3.3, we obtain that the number of LLL swaps is no greater than
$$\frac{\Pi_k(B) - \Pi_k(B')}{\log\big(2/\sqrt{3}\big)} \le \frac{k\big(n - \frac{k}{2}\big) \log \|A\| + k^3 + (n-k)\, k}{\log\big(2/\sqrt{3}\big)},$$
which is $O\big( k^3 + k(n - k/2)(1 + \log \|A\|) \big)$. ∎

In Table 1 we compare favorably ($k = n/2$) the result of Theorem 4.3 to the bounds on the number of swaps using the classical potential (6) and $K$ fixed from the general threshold (9) or the heuristic one (10). We also consider $k = n - 1$. However, in the latter case the problem reduces to linear system solving, and different techniques such as those in Storjohann (2005) should be considered.

Table 1: Upper bounds on the number of LLL swaps for different $k$ ($K$ sufficiently large), $\alpha = \log \|A\|$.

                Classical analysis (9)      Heuristic (10)          New analysis
$k = 1$         $O(n^2 \log n + n\alpha)$   $O(n^2 + n\alpha)$      $O(n\alpha)$
$k = n/2$       $O(n^3 \log n + n^3\alpha)$ $O(n^3 + n^2\alpha)$    $O(n^3 + n^2\alpha)$
$k = n - 1$     $O(n^3\alpha)$              $O(n^3\alpha)$          $O(n^3 + n^2\alpha)$

With the potential function $\Pi$ of (6), we have
$$\Pi(B) \le \log \prod_{i < n} \big( 2K\|A\| \big)^{\min(k,i)} \le k\Big(n - \frac{k+1}{2}\Big) \log\big( 2K\|A\| \big),$$
since the product of the first $i$ Gram-Schmidt norms of $B$ is the determinant of the lattice spanned by its first $i$ columns, which is at most $(2K\|A\|)^{\min(k,i)}$. The bound on the number of LLL swaps obtained using the classical potential is therefore $O\big( k(n - k/2)(1 + \log K + \log \|A\|) \big)$, while we see from Theorem 4.3 that the actual number of swaps for computing an LLL-reduced basis for $L^{\perp}(A)$ does not grow with $K$ when $K$ is sufficiently large.

Acknowledgments

Our thanks go to the anonymous referees for helpful comments, which improved the presentation of the paper. Jingwei Chen was partially supported by NNSFC and the Youth Innovation Promotion Association, CAS. Damien Stehlé was supported by ERC Starting Grant ERC-2013-StG-335086-LATTAC.

References
Chen, J., Stehlé, D., Villard, G., 2013. A new view on HJLS and PSLQ: Sums and projections of lattices. In: Kauers, M. (Ed.), Proceedings of ISSAC'13 (Boston, USA). ACM, New York.

Chen, Z., Storjohann, A., 2005. A BLAS based C library for exact linear algebra on integer matrices. In: Kauers, M. (Ed.), Proceedings of ISSAC'05 (Beijing, China). ACM, New York.

Håstad, J., Just, B., Lagarias, J. C., Schnorr, C.-P., 1989. Polynomial time algorithms for finding integer relations among real numbers. SIAM Journal on Computing 18(5), 859–881. (Preliminary version in STACS'86.)

Havas, G., Majewski, B. S., Matthews, K. R., 1998. Extended GCD and Hermite normal form algorithms via lattice basis reduction. Experimental Mathematics 7(2), 125–136.

van Hoeij, M., Novocin, A., 2012. Gradual sub-lattice reduction and a new complexity for factoring polynomials. Algorithmica 63(3), 616–633. (Preliminary version in LATIN'10.)

Kannan, R., Lenstra, A. K., Lovász, L., 1984. Polynomial factorization and nonrandomness of bits of algebraic and some transcendental numbers. In: DeMillo, R. A. (Ed.), Proceedings of the 16th Annual ACM Symposium on Theory of Computing (Washington, DC, USA). ACM, New York.

Lenstra, A. K., Lenstra, H. W., Lovász, L., 1982. Factoring polynomials with rational coefficients. Mathematische Annalen 261(4), 515–534.

Neumaier, A., Stehlé, D., 2016. Faster LLL-type reduction of lattice bases. In: Abramov, S. A., Zima, E. V., Gao, X.-S. (Eds.), Proceedings of ISSAC'16 (Waterloo, Ontario, Canada). ACM, New York.

Nguyen, P., Stern, J., 1997. Merkle-Hellman revisited: A cryptanalysis of the Qu-Vanstone cryptosystem based on group factorizations. In: Kaliski, B. S. (Ed.), Advances in Cryptology – CRYPTO'97 (Santa Barbara). Vol. 1294 of Lecture Notes in Computer Science. Springer, Heidelberg.

Nguyen, P. Q., 1999. La géométrie des nombres en cryptologie. Ph.D. thesis, Université Paris 7, Paris, available at ftp://ftp.di.ens.fr/pub/users/pnguyen/PhD.pdf.

Nguyen, P. Q., Vallée, B. (Eds.), 2010. The LLL Algorithm: Survey and Applications. Springer, Berlin.

Novocin, A., Stehlé, D., Villard, G., 2011. An LLL-reduction algorithm with quasi-linear time complexity: extended abstract. In: Fortnow, L., Vadhan, S. P. (Eds.), Proceedings of STOC'11 (San Jose, USA). ACM, New York.

Pohst, M. E., 1987. A modification of the LLL reduction algorithm. Journal of Symbolic Computation 4(1), 123–127.

Schmidt, W. M., 1968. Asymptotic formulae for point lattices of bounded determinant and subspaces of bounded height. Duke Mathematical Journal 35(2), 327–339.

Sims, C. C., 1994. Computation with Finitely Presented Groups. Vol. 48 of Encyclopedia of Mathematics and Its Applications. Cambridge University Press, Cambridge.

Stehlé, D., 2017. Lattice reduction algorithms. In: Burr, M. A., Yap, C. K., Safey El Din, M. (Eds.), Proceedings of ISSAC'17 (Kaiserslautern, Germany). ACM, New York.

Storjohann, A., 1996. Faster algorithms for integer lattice basis reduction. Tech. Rep. 249, ETH, Department of Computer Science, Zürich, Switzerland, available at ftp://ftp.inf.ethz.ch/pub/publications/tech-reports/2xx/249.ps.gz.

Storjohann, A., 2005. The shifted number system for fast linear algebra on integer matrices. Journal of Complexity 21(4), 609–650.

Storjohann, A., Labahn, G., 1996. Asymptotically fast computation of Hermite normal forms of integer matrices. In: Engeler, E., Caviness, B. F., Lakshman, Y. N. (Eds.), Proceedings of ISSAC'96 (Zurich, Switzerland). ACM, New York.