A Novel Lattice Reduction Algorithm
Dipayan Das
1
and Vishal Saraswat
2
1
Department of Mathematics, National Institute of Technology (NIT), Durgapur, India
2
Department of Computer Science and Engineering, Indian Institute of Technology (IIT), Jammu, India
Keywords:
Lattice Based Crypto, CVP, SVP, Lattice Reduction.
Abstract:
The quantum threats have made the traditional number theoretic cryptography weak. Lattice based crypto-
graphic constructions are now considered as an alternative of the number theoretic cryptography which resists
the quantum threats. The cryptographic hardness of the lattice based constructions mainly lies on the difficulty
of solving two problems, namely, shortest vector problem (SVP) and closest vector problem (CVP). Solving
these problems become “somewhat” easier if the lattice basis is almost orthogonal. Given any basis, finding
an almost orthogonal basis is termed as lattice basis reduction (or simply lattice reduction). The SVP has been
shown to be reducible to the CVP but the other way is still an open problem. In this paper, we work towards
proving the equivalence of the CVP and SVP and provide a history of the progress made in this direction. We
do a brief review of the existing lattice reduction algorithms and present a new lattice basis reduction algorithm
similar to the well-studied Korkine-Zolotareff (KZ) reduction which is used frequently for decoding lattices.
The proposed algorithm is very simple it calls the shortest vector oracle for n 1 times and outputs an
almost orthogonal lattice basis with running time O(n
3
), n being the rank of the lattice.
1 INTRODUCTION
The two main hard problems of interest in the
lattices are SVP and CVP. Many cryptographic
schemes (Goldreich et al., 1997; Ajtai and Dwork,
1997; Hoffstein et al., 1998) have been developed
based on the hardness of either of the two problems
or some variants of it.
Both CVP and SVP were shown to be NP
hard (van Emde Boas, 1981; Khot, 2005). But, CVP
is considered to be the hardest of all the lattice prob-
lems. Let us discuss it briefly. In (Goldreich et al.,
1999a; Micciancio, 2008), it is shown that an oracle
solving CVP can be used to solve SVP and SIVP re-
spectively. In the other direction, solving CVP with
an oracle that solves the other hard lattice problem
is not known properly. For example, it is still un-
known whether SVP oracle can be used to solve CVP.
Though in (Kannan, 1987a), it has been shown that if
we have an oracle that solves SVP exactly, it can be
used to solve CVP with an approximation factor of
O(
n) using homogenization technique in a higher
dimension. Though in (Micciancio and Goldwasser,
2012), it is suggested that approximating CVP within
the same factor as of (Kannan, 1987a) can be achieved
making O(n logn) calls to an oracle which solves an
approximate solution of SVP, approximation factor
less than
2.
The best known deterministic algorithm to solve
CVP in a general lattice is given in (Micciancio and
Voulgaris, 2013) which takes
˜
O(2
2n
) operations and
˜
O(2
n
) space. The algorithm uses a description of
the Voronoi cell of the lattice as a pre-processing
function before the target vector is revealed. Prior
to (Micciancio, 2001), the best deterministic algo-
rithm to solve CVP was due to Kannan (Kannan,
1987b) which takes n
O(n)
running time. In (Hanrot
and Stehl
´
e, 2007), the Kannan method was improved,
which solves CVP in running time n
0.5n
.
There are randomized algorithms which perform
better than the deterministic ones. For example in (Aj-
tai et al., 2001), a sieve algorithm was introduced
known as AKS Sieve”, which solves SVP in run-
ning time 2
O(n)
. The AKS method is based on an im-
proved sampling method that generates short vectors
from the given lattice. In (Ajtai et al., 2002), the AKS
Sieve was reformulated to solve CVP with an approx-
imation factor 1 + ε in running time 2
O(1+ε
1)
. The
running time was improved using a variant of AKS
method in (Bl
¨
omer and Naewe, 2007) and (Arvind
and Joglekar, 2008) keeping the approximation fac-
tor same. Another randomized technique used to
solve the hard problems of the lattice is Sampling
496
Das, D. and Saraswat, V.
A Novel Lattice Reduction Algorithm.
DOI: 10.5220/0006862104960501
In Proceedings of the 15th International Joint Conference on e-Business and Telecommunications (ICETE 2018) - Volume 2: SECRYPT, pages 496-501
ISBN: 978-989-758-319-3
Copyright © 2018 by SCITEPRESS Science and Technology Publications, Lda. All rights reserved
Gaussian distribution with proper parameter. Agar-
wal et al. have given a randomized algorithm that
solves an exact version of SVP using discrete Gaus-
sian sampling in 2
n+O(n)
time and space (Aggarwal
et al., 2015a). In (Aggarwal et al., 2015b), the simi-
lar type of sampling technique is used to solve exact
CVP. Though the work is a bit complicated and uses
almost all previously known methods like basis re-
duction, Voronoi description, and sieving along with
the sampling of shifted discrete Gaussian distribution
with the proper parameter to solve CVP exactly. A
nice survey of solving CVP of the known methods
are given in (Agrell et al., 2002).
1.1 Basis Reduction and Related Work
A lattice has an infinite number of basis of rank
greater than 1. If B,
˜
B are the two basis that generates
the same lattice L, then it can be shown that
˜
B = U B
for some uni-modular matrix U, that is integer matrix
with absolute determinant value 1.
Given any lattice, finding an orthogonal basis (if
exists) is hard. Even, deciding whether there exist an
orthogonal basis is not known for general lattices. But
in “lattices with symmetry”, which is a special type of
lattice, Gentry-Szydlo algorithm given in (Gentry and
Szydlo, 2002) can determine this problem with high
probability. It gives an efficient method to achieve an
orthogonal basis (if there is) for an ideal lattice.
Basis reduction algorithms have many applica-
tions. It is important in areas like communica-
tions (Agrell et al., 2002; Wubben et al., 2011), com-
binatorial optimization (Eisenbrand, 2010), cryptog-
raphy (Hanrot et al., 2011a), number theory (Goldre-
ich et al., 1999b), etc. A nice survey in this regard is
given in (Wubben et al., 2011).
Hermite (1850) has given the idea of basis reduc-
tion but unfortunately, he doesn’t provide any such
algorithm for basis reduction. According to Hermite
a basis B = {b
1
,b
2
,..., b
n
} is reduced if kb
i
k kb
0
i
k
for all basis B
0
of the same lattice and kb
j
k = kb
0
j
k,
j = 1, 2,.. .,i 1 (Hermite, 1850). Later in 1905,
Minkowski (Minkowski, 1905) has defined criteria of
basis reduction known as Minkowski reduction which
is very similar to that of Hermite. He made a slight
change of the second criteria of Hermite. Instead of
kb
j
k= kb
0
j
k, he has directly taken b
j
= b
0
j
. Two types
of basis reduction that have gained fame and popular-
ity is LLL reduction and KZ reduction. Let us define
these reduced basis. Before that, some special basis
is considered in which the KZ reduction and LLL re-
duction is well understood.
It can be shown that every lattice has a basis
which can be represented as an upper triangular ma-
trix (Agrell et al., 2002). We consider such a basis.
The basis B is called KZ reduced if b
1
is a short-
est vector of the lattice and the modulus of non-zero
non-diagonal elements of each column is less than or
equal to the modulus of half of diagonal elements of
the corresponding column. That is |b
ki
|
1
2
|b
ii
| for
each i = 1, 2,.. .,n and k = 1,2,. .., n. Geometrically
the last criteria says that the angle made by any two
basis vectors is at least 60 degree. That is any two
basis vectors are highly orthogonal. Let us illustrate
this in dimension 2. Let B be the KZ reduced basis in
dimension and rank 2. Let
B =
b
1
b
2
=
b
11
0
b
21
b
22
and | b
21
|≤
1
2
| b
11
|. This implies that kb
2
kcos θ
1
2
kb
1
k, where θ is the angle between b
1
and b
2
, that
is,
cosθ
1
2
kb
1
k/kb
2
k
1
2
The last inequality is due to the fact that B is KZ re-
duced and so b
1
is the shortest vector in the lattice.
Similarly, for any dimension and rank, we can rede-
fine the second criteria of KZ reduced basis as the cri-
teria that any two bases element is highly orthogonal.
Like KZ reduced basis, there exist another famous
basis reduction criteria known as LLL reduction. The
only difference LLL reduction criteria have that in-
stead of b
1
to be the shortest lattice vector, it has the
criteria that kb
1
k
2
3
kb
2
k. The second condition of
LLL reduction criteria is same as that of KZ.
It is easy to see that any basis which is KZ reduced
is also LLL reduced. The reason for the superiority
of the LLL reduction criteria is that there exists an
efficient tool to achieve a LLL reduced basis (Lenstra
et al., 1982). Later, there have been algorithms for
reduction based on both KZ and LLL (Schnorr, 1987).
It is known as the BKZ reduction algorithm.
The current best lattice basis reductions (theoreti-
cally and practically) can be classified by a pair algo-
rithms. Firstly, the rational BKZ algorithm (Schnorr
and Euchner, 1994; Schnorr, 1987), in its updated
BKZ 2.0 form (Chen and Nguyen, 2011) doing some
modifications like repetitive preprocessing and rapid
aborting strategies (Gama et al., 2010; Hanrot et al.,
2011b). Secondly, the Slide reduction algorithm pro-
posed (Gama and Nguyen, 2008b), a novel general-
ization of LLL (Lenstra et al., 1982; Nguyen, 2009)
which almost approximates SVP within small factors.
The two algorithms call the SVP oracle for di-
mension of lower order sublattices which are char-
acterized by a bound k (termed as the “block size”)
on the lattice dimensions. The algorithm of Slide
reduction has qualities like it makes only a polyno-
mial number of calls to the shortest vector oracle, all
A Novel Lattice Reduction Algorithm
497
the shortest vector calls are applied on the sublattices
projected in the dimension k, and it obtains the cur-
rent best worst-case upper bound on the length of
the outputted shortest vector: γ
(n1)/2(k1)
k
det(L)
1/n
,
the constant γ
k
= Θ(k) is known as the Hermite con-
stant. Lamentably, it has been stated in (Gama and
Nguyen, 2008b; Gama and Nguyen, 2008a) that the
experimental results of the algorithm which follows
Slide reduction perform better than BKZ, which out-
puts shorter vectors for some standard block size.
On the other hand, the BKZ algorithm has its own
flaws too. There is no guarantee for the termina-
tion of the algorithm even after a polynomial num-
ber of shortest vector oracle call, and its experimental
time complexity has appeared in (Gama and Nguyen,
2008a) and is reported to increase super-polynomially
in the dimension of the lattice with fixed small block
size.
Micciancio et al. have given new methods that
can be changed to define better reduction methods
in (Micciancio and Walter, 2016). They have ana-
lyzed their theoretical performance with block size
comparatively high.
The LLL algorithm can be processed very quickly
under a few conditions and has some characteristics
which are studied recently in (Chang et al., 2013; Wen
et al., 2016; Wen and Chang, 2017b). In some appli-
cations of communication theory, one needs to get so-
lutions of a sequence of CVP’s, where the target vec-
tors are different on the same lattice. Here, instead of
adapting the LLL algorithm, one usually adapts the
KZ reduction to do the pre-processing step, as it be-
comes more efficient in practice.
There are many variations of KZ basis reduction
available today. They are given in (Agrell et al., 2002;
Schnorr, 1987; Wen and Chang, 2017a).
1.2 Our Contribution
We have proposed an algorithm for generating a new
basis for a given lattice, which is very orthogonal. It is
kind of similar to KZ reduction (Korkine and Zolotar-
eff, 1873), but not exactly the same. One holding the
SVP oracle first finds out the shortest vector (up to
sign) of the lattice corresponding to the given basis
and then transforms the original basis into a new ba-
sis where the first row is the shortest vector. In prac-
tice, this can be implemented by calling the LLL al-
gorithm. But, while the LLL reduction algorithm exe-
cutes each iteration in such a way that the final output
is a basis in which the basis vectors are at most 30
degrees from being orthogonal, our proposed reduc-
tion algorithm tries to maximize the orthogonality be-
tween the resulting basis vectors and simultaneously
ensuring that the basis vectors are shortest possible by
calling the SVP oracle iteratively.
We call the SVP oracle and size reduce the basis
formed by the remaining basis vectors (other than the
shortest one) and continue iteratively as follows. We
first reduce the n 1 basis vectors by a suitable in-
teger combination of the shortest vector (size reduce
the n 1 basis vectors similar to what is done in LLL
or KZ), such that the resulting n 1 basis vectors are
short with respect to the shortest vector. Details of the
size reduction algorithms can be found in (Laarhoven
et al., 2012). Then the SVP oracle is called on the “re-
duced” n 1 basis vectors. We iterate the reduction in
this fashion until we obtain last shortest vector in one
dimensional sublattice.
Let us describe briefly about the difference be-
tween the KZ reduction and the algorithm proposed
by us. For KZ reduction, in the second step right after
we use the SVP oracle to find out the shortest vector,
we need to project the remaining n1 basis vectors to
the subspace that is orthogonal to the shortest vector,
and then call the SVP oracle on the projected n 1
vectors. The output of the SVP oracle will help to de-
cide the second KZ reduced basis vector, and the KZ
reduction moves on in this style.
2 PRELIMINARIES
We use R, Z to define the sets of Reals and Integers
respectively. Let R
m
be the Euclidean vector space
of dimension m, and k·k is the Euclidean norm `
2
.
Let B = {b
1
,b
2
,. .., b
k
}, 1 k < m, be vectors of R
m
which are linearly independent. We define a lattice
L R
m
generated by an arbitrary basis B as
L(B) or L{B} =
n
k
i=1
c
i
b
i
c
i
Z
o
.
We define the dimension of the lattice to be m and
the rank to be k. For the sake of simplicity, we are
considering the integral lattice that is lattice which is
generated by integer basis. A lattice L is a discrete
additive subgroup of R
m
. We can represent a basis of
a lattice of rank k and dimension m as a k ×m matrix
B where every row b
i
is the basis vector of the lattice.
If m = k we call it full rank lattice.
Definition 1 (Shortest vector problem (SVP)). Given
a lattice L = L(B), SVP is to find a non-zero vector
x L such that kxk kvk for all v L \{0}.
Definition 2 (Closest vector problem (CVP)). Given
a lattice L = L(B) and a target vector t R
m
(not nec-
essarily in the lattice L), CVP is to find a vector x L
such that kx tk kv tk for all v L.
SECRYPT 2018 - International Conference on Security and Cryptography
498
3 SOME IMPORTANT RESULTS
Here we provide some important results that are re-
lated to our basis reduction algorithm.
Proposition 1. Any pair of bases of a lattice L are
connected by a uni-modular matrix.
Proposition 2. Let B = {b
1
,b
2
,. .., b
n
} be a basis
of the lattice L and let v be a shortest vector in L.
Then v can be written uniquely as v =
n
i=1
α
i
b
i
where
gcd(α
1
,α
2
,. .., α
n
) = 1.
Proof. Let d = gcd(α
1
,α
2
,. .., α
n
). Then, for i =
1,. .., n, α
i
/d is an integer so that v
0
=
n
i=1
(α
i
/d)b
i
is another vector in the lattice L and kv
0
k = kvk/d.
Since v is a shortest vector in L, d = 1.
Proposition 3 ((Newman, 1972; Magliveras
et al., 2008)). Let α
1
,α
2
,. .., α
n
Z be such that
gcd(α
1
,α
2
,. .., α
n
) = d
n
. Then there exists an integer
matrix U having the initial row as (α
1
,α
2
,. .., α
n
)
and determinant value d
n
.
Proof. Let α
1
,α
2
,. .., α
n
Z be such that all α
i
s
are not zero. By doing permutation (if required),
we can have α
1
6= 0. Let us define d
1
= α
1
,d
i
=
gcd(α
1
,α
2
,. .., α
i
)(2 i n), d = d
n
. All d
i
s are
well defined (because we have considered α
1
6= 0)
and d
i
= gcd(d
i1
,α
i
) (2 i n). By Euclidean
algorithm, we can find t
i
, s
i
efficiently such that d
i
=
t
i1
d
i1
+ s
i1
α
i
where |s
i1
| d
i1
.
We can construct a matrix U such that
U :=(U
i, j
):=
α
1
α
2
α
3
.. . α
n
s
1
t
1
0 .. . 0
α
1
s
2
d
2
α
2
s
2
d
2
t
2
.. . 0
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
α
1
s
n1
d
n1
α
2
s
n1
d
n1
α
3
s
n1
d
n1
.. . t
n1
Thus, U is an integral matrix and using simple induc-
tion it can be shown that det(U) = d
n
= d.
Proposition 4. Let L = L(B) where B =
{b
1
,b
2
,. .., b
n
} is a basis of L. Let v =
n
i=1
α
i
b
i
be a shortest vector in L(B). Then v and n 1 vectors
in L can be extended to form a basis of L.
Proof. We can create n 1 vectors as
n
j=1
U
i, j
b
j
, 2
i n, where
U
i, j
=
α
j
s
i1
d
i1
1 j i 1,2 i n,
U
i,i
= t
i1
2 i n,
U
i, j
= 0 i + 1 j n,2 i n
The result now follows from the Propositions 2 and 3.
4 BASIS REDUCTION
ALGORITHM
Here we propose the basis reduction algorithm (Fig-
ure 1) and provide the main result of this paper in the
Section 4.1. We discuss the time complexity of the
algorithm in Subsection 4.2.
Algorithm for basis reduction
Input L(B)
for(i = 1;i < n; i + +)
Run the SVP oracle O on L(B)
to get the shortest lattice vector σ
i1
in rank n i + 1
L(B) L(B/σ
i1
)
L(B) size reduce L(B)
Output
˜
B = {σ
0
,σ
1
,. .., σ
n1
}
Figure 1: Our Proposed lattice basis reduction.
4.1 Analysis of the Proposed Algorithm
Theorem 3. Let L = L{B}be a given lattice. Suppose
we have an oracle O that solves SVP in any rank of a
lattice, then we have an efficient algorithm to reduce
it to a basis
˜
B that is the highly orthogonal one using
n 1 oracle calls such that L = L{B} = L{
˜
B}.
Proof. Let B
0
be a given lattice basis which generates
L = L{B
0
}. We run the oracle O on L{B
0
} and get
the shortest vector as σ
0
. By Proposition 4, we can
generate a new basis B
0
0
= {σ
0
,b
1
,b
2
,. .., b
n1
} such
that L = L{B} = L{B
0
0
}.
Let L{B
1
} = L{B
0
0
\{σ
0
}} be a new lattice gen-
erated by eliminating all the integer linear combina-
tions of σ
0
. The rank of the lattice L{B
1
} is n 1
with basis B
1
= {b
1
,b
2
,. .., b
n1
}. We size-reduce
the elements of B
1
which can be done efficiently such
that B
1
has short vectors with respect to σ
0
. We
now run the oracle O on L{B
1
} to get the shortest
vector σ
1
in rank n 1. By Proposition 4, we can
create a new basis B
0
1
= {σ
1
,b
0
2
,. .., b
0
n1
} such that
L = L{B
1
} = L{B
0
1
}.
Let L{B
2
}= L{B
0
1
\{σ
1
}} be a new lattice gener-
ated by eliminating all the integer linear combinations
of σ
1
. The rank of the lattice L{B
2
}is n2 with basis
B
2
= {b
0
2
,b
0
3
,. .., b
0
n1
}. We size-reduce the elements
of B
2
such that B
2
has short vectors with respect to σ
1
.
We now run the oracle O on L{B
2
} to get the shortest
vector σ
2
in rank n 2.
Doing accordingly, let L{B
n1
} = L{B
0
n2
\
{σ
n2
}}, where σ
n2
is the oracle output of shortest
vector in rank 2, B
0
n2
is the basis of rank 2 including
the shortest vector.
A Novel Lattice Reduction Algorithm
499
After reduction, we now run the oracle O on
L{B
n1
} to get σ
n1
, the shortest vector in rank 1.
Let
˜
B = {σ
0
,σ
1
,. .., σ
n1
}. We can see that
˜
B
and B generate the same lattice that is L{B} = L{
˜
B}.
Since σ
i
s are the shortest vector of rank n i, so we
can conclude that
˜
B is the “good” basis, that is vectors
are sufficiently orthogonal to one another.
4.2 Running Time Analysis
Let B = {b
1
,b
2
,. .., b
n
} is a basis of the lattice L and
let v =
n
i=1
α
i
b
i
be a shortest vector in L. Let α
0
and
α
1
be the two maximum absolute values of all |α
i
|.
Then, the worst-case time complexity of computing
basis with the shortest vector is O(n
2
logα
0
logα
1
).
For one oracle call, constructing the new
basis, the number of bit operations needed is
O(n
2
logα
0
logα
1
). So, for n 1 oracle calls, worst-
case running time is O(n
3
logα
0
logα
1
) bit operations
which is the required worst-case time complexity for
our new basis construction as in Theorem 3.
5 DISCUSSIONS AND OPEN
PROBLEMS
We have described a polynomial time algorithm for
lattice basis reduction by calling the shortest vector
oracle using simple geometry and linear algebra. In
general, the best known algorithms take an exponen-
tial time to find the shortest vector but in some re-
stricted lattices like root lattices, SVP can be found
in polynomial time. So in lattices with special struc-
tures, our algorithm can be a practical use which is
yet to be analyzed.
In Section 1.1, we have stated that in general lat-
tices deciding whether a lattice has an orthogonal ba-
sis is hard. Nothing much is known in this regard. Can
we construct some algorithm that will decide whether
the lattice has an orthogonal basis using an SVP or-
acle? This question is yet to be answered. Can we
make some tweak in our algorithm so that it can an-
swer the above question? Then it will imply that solv-
ing the shortest vector problem is as hard as deciding
whether a lattice has an orthogonal basis.
ACKNOWLEDGEMENTS
We thank the anonymous reviewers for the construc-
tive and helpful comments. Part of the work was
carried out while visiting the R.C.Bose Centre for
Cryptology and Security, Indian Statistical Institute,
Kolkata. We are thankful to Kajla Basu for her sup-
port.
REFERENCES
Aggarwal, D., Dadush, D., Regev, O., and Stephens-
Davidowitz, N. (2015a). Solving the shortest vec-
tor problem in 2 n time using discrete gaussian sam-
pling. In Proceedings of the forty-seventh annual
ACM symposium on Theory of computing, pages 733–
742. ACM.
Aggarwal, D., Dadush, D., and Stephens-Davidowitz, N.
(2015b). Solving the closest vector problem in n
time–the discrete gaussian strikes again! In Founda-
tions of Computer Science (FOCS), 2015 IEEE 56th
Annual Symposium on, pages 563–582. IEEE.
Agrell, E., Eriksson, T., Vardy, A., and Zeger, K. (2002).
Closest point search in lattices. IEEE transactions on
information theory, 48(8):2201–2214.
Ajtai, M. and Dwork, C. (1997). A public-key cryptosystem
with worst-case/average-case equivalence. In Pro-
ceedings of the twenty-ninth annual ACM symposium
on Theory of computing, pages 284–293. ACM.
Ajtai, M., Kumar, R., and Sivakumar, D. (2001). A sieve
algorithm for the shortest lattice vector problem. In
Proceedings of the thirty-third annual ACM sympo-
sium on Theory of computing, pages 601–610. ACM.
Ajtai, M., Kumar, R., and Sivakumar, D. (2002). Sampling
short lattice vectors and the closest lattice vector prob-
lem. In Computational Complexity, 2002. Proceed-
ings. 17th IEEE Annual Conference on, pages 53–57.
IEEE.
Arvind, V. and Joglekar, P. S. (2008). Some sieving algo-
rithms for lattice problems. In LIPIcs-Leibniz Interna-
tional Proceedings in Informatics, volume 2. Schloss
Dagstuhl-Leibniz-Zentrum f
¨
ur Informatik.
Bl
¨
omer, J. and Naewe, S. (2007). Sampling methods for
shortest vectors, closest vectors and successive min-
ima. In International Colloquium on Automata, Lan-
guages, and Programming, pages 65–77. Springer.
Chang, X., Wen, J., and Xie, X. (2013). Effects of
the LLL reduction on the success probability of the
Babai point and on the complexity of sphere de-
coding. IEEE Transactions on Information Theory,
59(8):4915–4926.
Chen, Y. and Nguyen, P. Q. (2011). BKZ 2.0: Better lattice
security estimates. In International Conference on the
Theory and Application of Cryptology and Informa-
tion Security, pages 1–20. Springer.
Conway, J. and Sloane, N. (1982). Fast quantizing and
decoding and algorithms for lattice quantizers and
codes. IEEE Transactions on Information Theory,
28(2):227–232.
Eisenbrand, F. (2010). Integer programming and algorith-
mic geometry of numbers. 50 Years of Integer Pro-
gramming 1958-2008, pages 505–559.
Gama, N. and Nguyen, P. (2008a). Predicting lattice reduc-
tion. Advances in Cryptology–EUROCRYPT 2008,
pages 31–51.
SECRYPT 2018 - International Conference on Security and Cryptography
500
Gama, N. and Nguyen, P. Q. (2008b). Finding short lattice
vectors within Mordell’s inequality. In Proceedings
of the fortieth annual ACM symposium on Theory of
computing, pages 207–216. ACM.
Gama, N., Nguyen, P. Q., and Regev, O. (2010). Lattice
enumeration using extreme pruning. In Annual In-
ternational Conference on the Theory and Applica-
tions of Cryptographic Techniques, pages 257–278.
Springer.
Gentry, C. and Szydlo, M. (2002). Cryptanalysis of the re-
vised NTRU signature scheme. In International Con-
ference on the Theory and Applications of Crypto-
graphic Techniques, pages 299–320. Springer.
Goldreich, O., Goldwasser, S., and Halevi, S. (1997).
Public-key cryptosystems from lattice reduction prob-
lems. In Advances in Cryptology-CRYPTO’97: 17th
Annual International Cryptology Conference, Santa
Barbara, California, USA, August 1997. Proceedings,
page 112. Springer.
Goldreich, O., Micciancio, D., Safra, S., and Seifert, J.-P.
(1999a). Approximating shortest lattice vectors is not
harder than approximating closest lattice vectors. In-
formation Processing Letters, 71(2):55–61.
Goldreich, O., Ron, D., and Sudan, M. (1999b). Chinese
remaindering with errors. In Proceedings of the thirty-
first annual ACM symposium on Theory of computing,
pages 225–234. ACM.
Hanrot, G., Pujol, X., and Stehl
´
e, D. (2011a). Algorithms
for the shortest and closest lattice vector problems. In
International Conference on Coding and Cryptology,
pages 159–190. Springer.
Hanrot, G., Pujol, X., and Stehl
´
e, D. (2011b). Analyzing
blockwise lattice algorithms using dynamical systems.
In CRYPTO, volume 6841, pages 447–464. Springer.
Hanrot, G. and Stehl
´
e, D. (2007). Improved analysis of
kannans shortest lattice vector algorithm. In Annual
International Cryptology Conference, pages 170–186.
Springer.
Hermite, C. (1850). Extraits de lettres de M. Ch. Hermite
`
a
M. Jacobi sur diff
´
erents objects de la th
´
eorie des nom-
bres. Journal f
¨
ur die reine und angewandte Mathe-
matik, 40:261–277.
Hoffstein, J., Pipher, J., and Silverman, J. H. (1998). NTRU:
A ring-based public key cryptosystem. In Interna-
tional Algorithmic Number Theory Symposium, pages
267–288. Springer.
Kannan, R. (1987a). Algorithmic geometry of numbers. An-
nual review of computer science, 2(1):231–267.
Kannan, R. (1987b). Minkowski’s convex body theorem
and integer programming. Mathematics of operations
research, 12(3):415–440.
Khot, S. (2005). Hardness of approximating the short-
est vector problem in lattices. Journal of the ACM
(JACM), 52(5):789–808.
Korkine, A. and Zolotareff, G. (1873). Sur les formes
quadratiques. Mathematische Annalen, 6(3):366–389.
Laarhoven, T., van de Pol, J., and de Weger, B. (2012).
Solving hard lattice problems and the security of
lattice-based cryptosystems. IACR Cryptology EPrint
Archive, 2012:533.
Lenstra, A. K., Lenstra, H. W., and Lov
´
asz, L. (1982). Fac-
toring polynomials with rational coefficients. Mathe-
matische Annalen, 261(4):515–534.
Magliveras, S. S., van Trung, T., and Wei, W. (2008). Prim-
itive sets in a lattice. Australasian Journal of Combi-
natorics, 40:173.
Merkle, R. and Hellman, M. (1978). Hiding information
and signatures in trapdoor knapsacks. IEEE transac-
tions on Information Theory, 24(5):525–530.
Micciancio, D. (2001). The hardness of the closest vector
problem with preprocessing. IEEE Transactions on
Information Theory, 47(3):1212–1215.
Micciancio, D. (2008). Efficient reductions among lattice
problems. In Proceedings of the nineteenth annual
ACM-SIAM symposium on Discrete algorithms, pages
84–93. Society for Industrial and Applied Mathemat-
ics.
Micciancio, D. and Goldwasser, S. (2012). Complexity of
lattice problems: a cryptographic perspective, volume
671. Springer Science & Business Media.
Micciancio, D. and Voulgaris, P. (2013). A determinis-
tic single exponential time algorithm for most lattice
problems based on voronoi cell computations. SIAM
Journal on Computing, 42(3):1364–1391.
Micciancio, D. and Walter, M. (2016). Practical, predictable
lattice basis reduction. In Annual International Con-
ference on the Theory and Applications of Crypto-
graphic Techniques, pages 820–849. Springer.
Minkowski, H. (1905). Diskontinuit
¨
atsbereich f
¨
ur arith-
metische
¨
aquivalenz. Journal f
¨
ur die reine und ange-
wandte Mathematik, 129:220–274.
Newman, M. (1972). Integral matrices, volume 45. Aca-
demic Press.
Nguyen, P. Q. (2009). Hermite’s constant and lattice algo-
rithms. In The LLL Algorithm, pages 19–69. Springer.
Schnorr, C.-P. (1987). A hierarchy of polynomial time lat-
tice basis reduction algorithms. Theoretical computer
science, 53(2):201–224.
Schnorr, C.-P. and Euchner, M. (1994). Lattice basis reduc-
tion: Improved practical algorithms and solving sub-
set sum problems. Mathematical programming, 66(1-
3):181–199.
van Emde Boas, P. (1981). Another NP-complete partition
problem and the complexity of computing short vec-
tors in a lattice. Universiteit van Amsterdam. Mathe-
matisch Instituut.
Wen, J. and Chang, X. (2017a). A KZ reduction algorithm.
arXiv preprint arXiv:1702.08152.
Wen, J. and Chang, X. (2017b). Success probability of
the Babai estimators for box-constrained integer lin-
ear models. IEEE Transactions on Information The-
ory, 63(1):631–648.
Wen, J., Tong, C., and Bai, S. (2016). Effects of some
lattice reductions on the success probability of the
zero-forcing decoder. IEEE Communications Letters,
20(10):2031–2034.
Wubben, D., Seethaler, D., Jald
´
en, J., and Matz, G. (2011).
Lattice reduction. IEEE Signal Processing Magazine,
28(3):70–91.
A Novel Lattice Reduction Algorithm
501