Average Time Fast SVP and CVP Algorithmsfor Low Density Lattices andthe Factorization of Integers

Claus P. SCHNORR

Fachbereich Informatik und MathematikGoethe-UniversitätFrankfurt am Main

Numbers, Sequences, Lattices:Dynamical Analysis of Algorithms.

Birthday of Brigitte ValléeCaen, June 3-4, 2010

Road map 2

I Outline of the new SVP / CVP algorithm

II Time bound of SVP/CVP algorithm for low density lattices

III Factoring integers via "easy" CVP solutions

IV Partial analysis of the new SVP / CVP algorithm

References

A technical report is available at

http://www.mi.informatik.uni-frankfurt.de/research/papers.html

We focus on novel proof elements that are not covered bypublished work and outline sensible heuristics towardspolynomial time factoring of integers.

I: Lattices, QR-decomposition, LLL-bases 3

lattice basis B = [b1, . . . , bn] ∈ Zm×n

lattice L(B) = {Bx | x ∈ Zn}norm ‖x‖2 = 〈x, x〉 =

∑mi=1 x2

i

SV-length λ1(L) = min{‖b‖ | b ∈ L\{0}}

QR-decomposition B = QR ⊂ Rm×n such that• the GNF — geom. normal form — R = [ri,j ] ∈ Rn×n is

uppertriangular, ri,j = 0 for j < i and ri,i > 0, ( ri,i = ‖b∗i ‖ )• Q ∈ Rm×n isometric: QtQ = In.

LLL-basis B = QR for δ ∈ (14 , 1] (Lenstra, Lenstra, Lovasz 82):

1. |ri,j | ≤ 12 ri,i for all j > i (size-reduced) ( ri,j/ri,i = µj,i )

2. δ r2i,i ≤ r2

i,i+1 + r2i+1,i+1 for i = 1, . . . , n − 1

3. α−i+1 ≤ ‖bi‖2λ−2i ≤ αn−1 for i = 1, ..., n

4. ‖b1‖2 ≤ αn−1

2 (detL)2/n, where α = 1/(δ − 1/4).

I: Recall ENUM 1994/95 4

Let Lt = L(b1, ..., bt−1) and πt : span(L) → span(Lt)⊥ for

t = 1, ..., n denote the orthogonal projection.

Stage (ut, ..., un) of ENUM.

b :=∑n

i=t uibi ∈ L and ut , ..., un ∈ Z are given. The stagesearches exhaustively for all

∑t−1i=1 uibi ∈ L such that

‖∑n

i=1 uibi‖2 ≤ A holds for some A ≥ λ21. Obviously

‖∑n

i=1 uibi‖2 = ‖ζt +∑t−1

i=1 uibi‖2 + ‖πt(b)‖2,goal: ≤ A to be minimized spent

where ζt := b− πt(b) ∈ spanLt is the orthogonal projection ofthe given b =

∑ni=t uibi .

Stage (ut , ..., un) exhausts Bt−1(ζt , ρt) ∩ Lt whereBt−1(ζt , ρt) ⊂ spanLt is the sphere of dimension t − 1 withcenter ζt and radius ρt := (A− ‖πt(b)‖2)1/2.

I: The success rate βt of stages 5

The GAUSSIAN volume heuristics estimates |Bt−1(ζt , ρt) ∩ Lt | toβt =def volBt−1(ζt , ρt)/ detLt .

Here volBt−1(ζt , ρt) = ρt−1t−1 Vt−1, Vt = π

t2 /( t

2)! ≈ (2eπt )

t2 /√

πtis the volume of the unit sphere of dimension t ,

detLt =∏t−1

i=1 ri,i , ρ2t := A− ‖πt(

∑ni=t uibi)‖2.

We call βt the success rate of stage (ut , ..., un).

If ζt mod Lt is uniformly distributed over the parallelepipedPt := {

∑t−1i=1 ribi |0 ≤ r1, ..., rt−1 < 1}

then Eζt [ |Bt−1(ζt , ρt) ∩ Lt | ] = βt for ζt ∈R Pt ,because 1/ detLt is the number of points per volume in Lt .

The center ζt = b− πt(b) ∈ spanLt changes continuously.If ζt mod Lt ∈ Pt distributes uniformly the estimate

|Bt−1(ζt , ρt) ∩ Lt | ≈ volBt−1(ζt , ρt)/ detLt

of the vol. heur. holds on the average.

I: Outline of New Enum for SVP 6

INPUT LLL-basis B = QR ∈ Zm×n, R ∈ Rn×n, A := n4(det BtB)2/n,

OUTPUT a sequence of b ∈ L(B) of decreasing length ‖b‖2 ≤ Aterminating with ‖b‖ = λ1.

1. s := 1, L := ∅, (we call s the level)2. Perform algorithm ENUM [SE94] pruned to stages with βt ≥ n−s:

Upon entry of stage (ut , ..., un) compute βt . If βt < n−s delaythis stage and store (βt , ut , ..., un) in the list L of delayed stages.Otherwise perform stage (ut , ..., un) on level s, and as soon assome b ∈ L of length 0 < ‖b‖2 ≤ A has been foundgive out b and set A := ‖b‖2 − 1. Recompute the stored βt

3. Perform the stages (ut , ..., un) of L with βt ≥ n−s−1 in increasingorder of t and for fixed t in order of decreasing βt .Collect the appearing substages (ut ′ , ..., ut , ..., un) withβt ′ < n−s−1 in L. IF L = ∅ THEN terminate by exhaustion.

4. s := s + 1, GO TO 3

II: Optimizing the implementation 7

We efficiently approximate βt using floating point arithmetic.

The space reservations for the list L are quite expensivecompared to the modest arithmetic costs per stage.

The condition βt < n−s has been tested in practice. It replacesthe original condition βt < 2−s. This reduces list L and thenumber of the list operations. Saving space is a main problem.

For the final exhaustive search that proves ‖b‖ = λ1 thesuccess rate and the list operations can be suppressed, theymerely slow down the computation.

The start of the final exhaustion can be guessed. If no shortervector comes up for an extended period then most likely thelast output b has length λ1.

II: Time Bound for the SVP algorithm 8

Def. The relative density of L: rd(L) := λ1γ−1/2n (detL)−1/n

rd(L) = λ1(L)/ max λ1(L′) holds for the maximum of λ1(L′)over all lattices L′ of dimL′ = n and detL = detL′.

The HERMITE constant γn = max{λ21/ det(L)2/n | dim L = n}.

We always have λ21 = rd(L)2 γn (detL)2/n.

Theorem 1 Given a lattice basis satisfying GSA and‖b1‖ ≤

√eπ nb λ1, b ≥ 0, NEW ENUM solves SVP in time

2O(n)(n1/2+brd(L))n/4, i.e. in time 2O(n)(√

n/rd(L))n/4 for b = 0.

The 2O(n) factor disappears under the volume heuristics.

GSA : Let B = QR = Q[ri,j ] satisfy: (for ri,i = ‖b∗i ‖)r2i,i/r2

i−1,i−1 = q for i = 2, ..., n and some q > 0.

W.l.o.g. let q < 1, otherwise ‖b1‖ = λ1.The condition ‖b1‖ ≤

√eπ nb λ1 can" easily" be met for CVP.

II: Polynomial Time bound under the vol. heuristics 9

Finding an unproved shortest vector b′ is easier than proving‖b′‖ = λ1. We study the time to find an SVP-solution b′ withoutproving λ1 = ‖b′‖ under the assumption:

SA ‖πt(b′)‖2 ≈ n−t+1n λ2

1 holds for all t and NEW ENUM’sSVP-solution b′, where πt(b′) ∈ span(b1, ..., bt−1)

⊥.

Proposition 1. Let a lattice basis be given that satisfies GSA,‖b1‖ ≤

√eπ/2 nb λ1 and rd(L) ≤ n−

1+2b4 . If NEW ENUM finds a

shortest lattice vector b′ satisfying SA it finds b′, withoutproving ‖b′‖ = λ1, under the volume heur. in polynomial time.

Polynomial time holds for b = 0, rd(L) ≤ n−1/4. But the time toprove ‖b′‖ = λ1 is under the volume heur. Θ(n1/2rd(L))n/4.

II: Polynomial CVP time under the volume heur. 10

Corollary 1. Given t ∈ Rn and B for L(B) satisfying GSA,‖b1‖ = λ1 and rd(L) ≤ n−1/2 then NEW ENUM solves the CVP‖t− b‖ = ‖t− L‖ under the volume heuristics in poly-time.

We adjust the assumption SA from SVP to CVP:

CA Let ‖πt(t− b̈)‖2 ≈ n−t+1n ‖t− L‖2 hold for all t and

NEW ENUM’s CVP-solution b̈.

Corollary 2. Let B = [b1, ..., bn] in Zm×n satisfy GSA,‖b1‖ = O(λ1) and let b̈ satisfy CA for B, t. If rd(L) = o(n−1/4)and ‖t− L‖ = O(λ1) then NEW ENUM finds the CVP- solutionb̈ ∈ L under the volume heuristics in polynomial time, butwithout proving ‖t− b̈‖ = ‖t− L‖.

All requirements of Cor. 2 can easily be satisfied for the CVP’sof the prime number lattice for factoring integers.

III: Factoring integers via CVP solutions 11

Let N be a positive integer that is not a prime power. Letp1 < · · · < pn enumerate all primes less than (ln N)α. Then

n = (ln N)α/(α ln ln N + O(1)).Let the prime factors p of N satisfy p > pn.

We show how to factor N by solving "easy" CVP’s for the primenumber lattice L(B), basis matrix B = [b1, . . . , bn] ∈ R(n+1)×n :

B =

√

ln p1 0 0

0. . . 0

0 0√

ln pnNc ln p1 · · · Nc ln pn

, N =

0...0

Nc ln N ′

,

and the target vector N ∈ Rn+1, where either N ′ = N orN ′ = Npn+j for one of the next n primes pn+j > pn, j ≤ n.

Lemma 5.3 [MG02] λ21 ≥ 2c ln N.

rd(L) = o(n−1/4) for c = (ln N)β, suitable α > 2β + 2 > 2.

III: Outline of the factoring method 12

We identify the vector b =∑n

i=1 eibi ∈ L(B) with the pair (u, v)

of integers u =∏

ej>0 pejj , v =

∏ej<0 p−ej

j ∈ N.

Then u, v are free of primes larger than pn and gcd(u, v) = 1.

We compute vectors b =∑n

i=1 eibi ∈ L(B) close to N such that

|u − vN ′| < pn. The prime factorizations |u − vN ′| =∏n

i=1 pe′ii

and u =∏

ej>0 pejj yield a non-trivial relation∏

ei>0 peii = ±

∏ni=1 pe′i

i mod N. (7.1)Given n + 1 independent relations (7.1) we write these relations

with p0 = −1 and ei,j , e′i,j ∈ N as∏n

i=0 pei,j−e′i,ji = 1 mod N

for j = 1, ..., n + 1. Any non-trivial solution z1, ..., zn+1 ∈ Z of∑n+1j=1 zj(ei,j − e′i,j) = 0 mod 2, i = 0, ..., n

solves X 2 = 1 mod N by X =∏n

i=0 p12

Pn+1j=1 zj (ei,j−e′i,j )

i mod N.Hence gcd(X ± 1, N) factors N if X 6= ±1 mod N.

III: Vectors b ∈ L closest to N yield relations (7.1) 13

An integer z is called y -smooth, if all prime factors p of zsatisfy p ≤ y . Let N ′ be either N or Npn+j for one of the next nprimes pn+j > pn. We denote

Mα,c,N ={

(u, v) ∈ N2 u ≤ Nc , |u − vN ′| = 1, Nc−1/2 < v < Nc−1

u, v are squarefree and (ln N)α−smooth

}.

Theorem 4 [S93/91] If the equation |u − du/NcN| = 1 is forrandom u of order Nc nearly statistically independent of theevent that u, du/Nc are squarefree and (ln N)α-smooth thenMα,c,N 6= ∅ holds if α

α−2β−2 < c ≤ (ln N)β and α > 2β + 2.

Theorem 4 extends the result of [S93/91] from a constant c > 0to c = (ln N)β , required for rd(L)) = o(n−1/4).

Theorem 5 The vector b =∑n

i=1 eibi ∈ L(B) closest to Nprovides a non-trivial relation (7.1) provided that Mα,c,N 6= ∅.

III: Vectors b ∈ L closest to N yield relations (7.1) 14

Theorem 6 If ‖b1‖ = O(λ1) and Mα,c,N 6= ∅ for c = (ln N)β ,α > 2β + 2 we can minimize ‖L(B)− N‖ in polynomial timeunder GSA, CA and the volume heuristics.

It follows from Mα,c,N 6= ∅ for N ′ ∈ {N, Npn+j} that‖L − N‖2 ≤ (2c − 1) ln N ′ + 1 = (2c − 1 + o(1)) ln N.

Lemma 5.3 of [MG02] proves that λ21 ≥ 2c ln N −Θ(1)

[ λ21 = 2c ln N + O(1) holds if 0 < α

α−2β−2 < c ≤ (ln N)β . ]

rd(L) = λ1/(√

γn(detL)1n ) .

(2eπ 2c ln N(ln N)α

) 12

= O(c ln N)(1−α)/2 = O((ln N)1−α).We have for c = (ln N)β , α > 2β + 2 that 2c ln N

(ln N)α = o(n−1/2)

Hence rd(L) = o(n−1/4).

III: Providing a nearly shortest vector for L(B) 15

For solving ‖t− b̈‖ = ‖t−L‖ heuristically in polynomial time weneed that ‖b1‖ = O(λ1) holds for the prime number lattice.

We extend the prime number basis B and L(B) by a nearlyshortest lattice vector for the extended lattice, preserving rd(L),det(L) and the structure of the lattice.

We extend the prime base by a prime p̄n+1 of order Θ(Nc) suchthat |u − p̄n+1| = O(1) holds for a squarefree (ln N)α-smooth u.Then ‖

∑i eibi − bn+1‖2 = 2c ln N + O(1) holds for u =

∏i pei

iand the additional basis vector bn+1 corresponding to p̄n+1.∑

i eibi − bn+1 is a nearly shortest vector of L(b1, ..., bn+1).

Efficient construction of p̄n+1 . Generate random u =∏

i piand test the nearby p̄ for primality. p̄n+1 and bn+1 can be foundin probabilistic polynomial time if the density of primes near theu is not exceptionally small. A single p̄n+1 can be used to solveall CVP’s for the factorization of all integers of order Θ(N).

IV: Proof of Theorem 1 16

Theorem 1 Given a lattice basis satisfying GSA and‖b1‖ ≤

√eπ nb λ1, b ≥ 0, NEW ENUM solves SVP in time

2O(n)(n1/2+brd(L))n/4.

NEW ENUM essentially performs stages in decreasing order ofthe success rate βt . Let b′ =

∑ni=1 u′i bi ∈ L denote the unique

vector of length λ1 that is found by NEW ENUM.Let β′t be the success rate of stage (u′t , ..., u′n).

NEW ENUM performs stage (u′t , ..., u′n) prior to all stages(ut , ..., un) of success rate βt ≤ 1

4β′t

Simplifying assumption. We assume that NEW ENUMperforms stage (u′t , ..., u′n) prior to all stages of success rateβt < β′t , ( i.e., ρt < ρ′t ).By definition ρ2

t = A− ‖πt(b)‖2 and ρ′t2 = A− ‖πt(b′)‖2.

Without using the simplifying assumption, the proven timebound of Theorem 4.1 increases at most by the factor n.

IV: A proven version of the volume heuristics 17

Consider the number Mt of stages (ut , ..., un) with‖πt(

∑ni=t uibi)‖ ≤ λ1: Mt := #

(Bn−t+1(0, λ1) ∩ πt(L)

).

Modulo the heuristic simplifications Mt covers the stages thatprecede (u′t , ..., u′n) and those that finally prove ‖b′‖ = λ1.Lemma 1 Mt ≤ e

n−t+12

∏ni=t(1 +

√8π λ1√

n−t+1 ri,i).

The proof uses the method of Lemma 1 of MAZO, ODLYZKO

[MO90] and follows the adjusted proof of inequality (2) insection 4.1 of HANROT, STEHLÉ [HS07]. For details see the TRhttp://www.mi.informatik.uni-frankfurt.de/research/papers.html

Now r2i,i = ‖b1‖2qi−1, λ2

1/(γn rd(L)2) = (det L)2n = ‖b1‖2q

n−12

hold by GSA and thus γn ≥ n2 eπ directly imply for i = t , ..., n

√n − t + 1 ri,i ≤

√2eπ rd(L)−1λ1 q(2i−n−1)/4.

By Lemma 1 Mt ≤∏n

i=te√

π rd(L)−1 λ1 q(2i−n−1)/4+√

8eπ λ1√n−t+1 ri,i

(4.0)

IV: Proof of Theorem 1 continued 18

For the remainder of the proof let t := n2 + 1− c and

m(q, c) := [if c > 0 then q1−c2

4 else 1]. Then

Mt ≤ m(q, c)( (2+

√e)√

2eπ λ1√n−t+1 rd(L)

)n−t+1/ det πt(L), (4.1)

where m(q, c) = q1−c2

4 = q−14

Pci=0(2i−1) covers in (4.0) the

factors q2i−n−1

4 > 1 for t < i < n2 + 1.

We see from (4.1) and det πt(L) = ‖b1‖n−t+1qPn

i=ti−1

2 that

Mt ≤ m(q, c)( (2+

√e)√

2eπ√n−t+1

λ1b1‖rd(L)

)n−t+1/q

Pn−1i=t−1 i/2 (4.2)

The [KL78] bound γn ≤ 1.744 (n+o(n))2eπ ≤ n

eπ for n ≥ n0 and1

n−1∑n−1

i=t−1 i = n2 −

(t−1)(t−2)2(n−1) and q

n−12 = λ2

1/(‖b‖2γn rd(L)2)

showMt ≤ m(q, c)

( (2+√

e)√

2eπ λ1√n−t+1 rd(L) ‖b1‖

)n−t+1(√n rd(L) ‖b1‖√eπ λ1

)n− (t−1)(t−2)n−1 .

IV: End of Proof of Theorem 1 19

The difference of the exponentsde(t) = n − (t−1)(t−2)

n−1 − n + t − 1 = (t − 1)(1− t−2n−1) is positive

for t ≤ n and de(n2 + 1− c) = n2/4−c2

n−1 . Hence for‖b1‖ ≤

√eπ nb λ1 and all t ≤ n :

Mt ≤ m(q, c)((√

8 +√

2e)√

nn−t+1)n−t+1 (

n12 +brd(L)

) n2/4−c2

n−1

For c > 0, t ≤ n2 we have

m(q, c) = q1−c2

4 =(‖b1‖

√γn rd(L)λ1

) c2−1n−1 ≤ (n

12 +brd(L))

c2−1n−1 , and

thus : Mt ≤ (4 + 2√

e)n−t+1 (n

12 +brd(L)

) n2/4−1n−1 =

2O(n)(n

12 +brd(L)

) n+14 , where n2/4−1

n−1 ≤ n+14 .

For c ≤ 0, t > n2 we have

Mt ≤((√

8 +√

2e)√

nn−t+1

)n−t+1 (n

12 +brd(L)

) n2/4n−1

= 2O(n)(n

12 +brd(L)

) n+24 where n2/4

n−1 ≤ n+24 . �

V: Failings of the volume heuristics 20

MAZO, ODLYZKO [MO90] show for the lattice L = Zn:

#{x ∈ Zn | ||x‖2 ≤ an} = 2Θ(n)

for a0 ≤ a ≤ 12eπ and any a0 > 0,

whereas the volume heur. estimates this cardinality to O(1).

The center ζ = 0 of the sphere is bad for the vol. heuristics.It can nearly maximize |Bn(ζ, ρ) ∩ L|.

NEW ENUM for SVP keeps the center ζt = b− πt(b) close to 0.

The analysis of NEW ENUM for CVP uses for center the vectorb− t− πt(b− t). For random πt(t) this may better justify thevolume heuristics in the analysis of NEW ENUM for CVP thanfor SVP.

V: Ajtai’s worst case / average case equivalence 21

nc-unique-SVP lattices: every lattice vector that is linearlyindependent of a shortest nonzero lattice vector has at leastlength λ1nc for some c > 1, i.e., λ2 ≥ λ1nc .

Proposition 1 shows that all nc-unique-SVP’s can be solvedunder GSA and the volume heuristics in polynomial time givena very short lattice vector.

Ajtai’s worst case / average case equivalence. AJTAI [Aj96,Thm 1] solves every nc-unique-SVP using an oracle that solvesSVP for a particular random lattice. However, allnc-unique-SVP’s are somewhat easy. This makes the worstcase / average case equivalence suspicious.

[MR07] reduces nc in Ajtai’s reduction to n lnO(1) n.

Refences 22

Ad95 L.A. Adleman, Factoring and lattice reduction.Manuscript, 1995.

AEVZ02 E. Agrell, T. Eriksson, A. Vardy and K. Zeger,Closest point search in lattices. IEEE Trans. onInform. Theory, 48 (8), pp. 2201–2214, 2002.

Aj96 M. Ajtai, Generating hard instances of latticeproblems. In Proc. 28th Annual ACM Symposiumon Theory of Computing, pp. 99–108, 1996.

AD97 M. Ajtai and C. Dwork, A public-key cryptosystemwith worst-case / average-case equivalence. InProc 29-th STOC, ACM, pp. 284–293, 1997.

AKS01 M. Ajtai, R. Kumar and D. Sivakumar, A sievealgorithm for the shortest lattice vector problem. InProc. 33th STOC, ACM, pp. 601–610, 2001.

Ba86 L. Babai, On Lovasz’ lattice reduction and thenearest lattice point problem. Combinatorica 6 (1),pp.1–13, 1986.

References 23

BL05 J. Buchmann and C. Ludwig, Practical lattice basissampling reduction. eprint.iacr.org, TR 072, 2005.

Ca98 Y.Cai, A new transference theorem andapplications to Ajtai’s connection factor. ECCC,Report No. 5, 1998.

CEP83 E.R. Canfield, P. Erdös and C. Pomerance, On aproblem of Oppenheim concerning "FactorisatioNumerorum". J. of Number Theory, 17, pp. 1–28,1983.

CS93 J.H. Conway and N.J.A. Sloane, Sphere Packings,Lattices and Groups. third edition,Springer-Verlag1998.

FP85 U. Fincke and M. Pohst, Improved methods forcalculating vectors of short length in a lattice,including a complexity analysis. Math. of Comput.,44, pp. 463–471, 1985.

Refences 24

GN08 N. Gama and P.Q. Nguyen, Predicting latticereduction, in Proc. EUROCRYPT 2008, LNCS4965, Springer-Verlag, pp. 31–51, 2008.

HHHW09 P.Hirschhorn, J. Hoffstein, N. Howgrave-Graham,W. Whyte, Choosing NTRUEncrypt parameters inlight of combined lattice reduction and MITMapproaches. In Proc. ACNS 2009, LNCS 5536,Springer-Verlag,pp. 437–455, 2009.

HPS98 J. Hoffstein, J. Pipher and J. Silverman, NTRU: Aring-based public key cryptosystem. In Proc.ANTS III, LNCS 1423, Springer-Verlag, pp.267–288, 1998.

H07 N. Howgrave-Graham, A hybrid lattice–reductionand meet-in-the-middle attiack against NTRU. InProc, CRYPTO 2007, LNCS 4622,Springer-Verlag, pp. 150–169, 2007.

Refences 25

HS07 G. Hanrot and D. Stehlé, Improved analysis ofKannan’s shortest lattice vector algorithm. In Proc.CRYPTO 2007, LNCS 4622, Springer-Verlag,pp.170–186, 2007.

HS08 G. Hanrot and D. Stehlé, Worst-caseHermite-Korkine-Zolotarev reduced lattice bases.CoRR, abs/0801.3331,http://arxix.org/abs/0801.3331.

Ka87 R. Kannan, Minkowski’s convex body theorem andinteger programming. Math. Oper. Res., 12, pp.415–440, 1987.

KL78 G.A.Kabatiansky and V.I. Levenshtein, Bounds forpacking on a sphere and in space. Problems ofInformation Transmission, 14, pp. 1–17, 1978.

LLL82 H. W. Lenstra Jr., , A. K. Lenstra, and L. Lovász ,Factoring polynomials with rational coefficients,Mathematische Annalen 261, pp. 515–534, 1982.

Refences 26

L86 L. Lovász, An Algorithmic Theory of Numbers,Graphs and Convexity, SIAM, 1986.

LM09 V. Lubashevsky and D. Micciancio, On boundeddistance decoding, unique shortest vectors andthe minimum distance problem. In Proc. CRYPTO2009, LNCS 5677, Springer-Verlag, pp. 577–594,2009.

MO90 J. Mazo and A. Odlydzko, Lattice points inhigh-dimensional spheres. Monatsh. Math. 110,pp. 47–61, 1990.

MG02 D. Micciancio and S. Goldwasser, Complexity ofLattice Problems: A Cryptographic Perspective.Kluwer Academic Publishers, Boston, London,2002.

MR07 D. Micciancio and O. Regev, Worst-case toaverage-case reduction based on gaussianmeasures. SIAM J. on Computing, 37(1), 2007.

Refences 27

NS06 P.Q. Nguyen and D. Stehlé, LLL on the average. InProc. of ANTS-VII, LNCS 4076, Springer-Verlag,2006.

N10 P.Q. Nguyen, Hermite’s Constant and LatticeAlgorithms. in The LLL Algorithm, Eds. P.Q.Nguyen, B. Vallée, Springer-Verlag, Jan. 2010.

S87 C.P. Schnorr, A hierarchy of polynomial time latticebasis reduction algorithms. Theoret. Comput. Sci.,53, pp. 201–224, 1987.

S93 C.P.Schnorr, Factoring integers and computingdiscrete logarithms via Diophantine approximation.In Advances in Computational Complexity, AMS,DIMACS Series in Discrete Mathematics andTheoretical Computer Science, 13, pp. 171–182,1993. Preliminary version Proc. EUROCRYPT’91,LNCS 547, Springer-Verlag, pp. 281–293, 1991.//www.mi.informatik.uni-frankfurt.de

Refences 28

SE94 C.P. Schnorr and M. Euchner, Lattce basisreduction: Improved practical algorithms andsolving subset sum problems. MathematicalProgramming 66, pp. 181–199, 1994.

S03 C.P. Schnorr, Lattice reduction by sampling andbirthday methods. Proc. STACS 2003: 20thAnnual Symposium on Theoretical Aspects ofComputer Science, LNCS 2007, Springer-Verlag,pp. 146–156, 2003.

S06 C.P. Schnorr, Fast LLL-type lattice reduction.Information and Computation, 204, pp. 1–25,2006.

S07 C.P. Schnorr, Progress on LLL and latticereduction, Proc. LLL+25, Caen, France, 2007,Final version in: The LLL Algorithm, Survey andApplications, Eds. P.Q.Nguyen and B. Vallée,Springer 2010.