
Let $n,m$ be positive integers and $0 < m < n$. Construct the following knapsack-style lattice

$$L = \begin{bmatrix} n & 0 & m^2 & 2m^3 & \cdots & (d-1)m^d \\ 0 & n & -2m & -3m^2 & \cdots & -dm^{d-1} \\ 0 & 0 & 1 & 0 & \cdots & 0 \\ 0 & 0 & 0 & 1 & \cdots & 0 \\ \vdots & \vdots & \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & 0 & 0 & \cdots & 1 \end{bmatrix}.$$

Given $n$, for most random choices of $m$ we will get a 'balanced' basis after LLL reduction, meaning the $\ell_2$ norms of the vectors will be of comparable size. But for some choices of $m$ the lattice will be skewed.

Can we say in advance which $m \in \mathbb{Z}$ will give a skewed reduced basis, given only $n$?

For example, if $n = 2522074980498295369056421$, then choosing $m = 1518898506677454448608895$ gives this basis after LLL reduction, where the first (column) vector is much smaller:

$$\begin{bmatrix} -6391 & -200608887 & -256054283821 & 258574831920 & 843304484233 \\ -4825 & 321360148 & -78537369815 & -31687413331 & 826669466953 \\ -9273 & -72129022 & 316001720336 & -235205122060 & -16815912584 \\ 6091 & -69173660 & 95782359862 & -402041943588 & 1459051804163 \\ -1467 & -14291663 & -225963066098 & -1204799105656 & -228507560164 \end{bmatrix}.$$

What is so special about this $m$ here? There are others which give a skewed basis, they seem random but maybe there is some common trait.

Just to reference where this structure comes from, it's this https://math.stackexchange.com/questions/5024055/polynomials-with-a-given-discriminant. A solution to this problem in general would solve the polynomial selection problem of a tentative new factoring algorithm. I thought I would ask about a more specific/concrete aspect here, the skewness, in the hope that those more experienced with lattice-based cryptography might recognize some structure.
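As an added worked example (my code, not the question's or any project's), the following Python builds the lattice above for the question's own $n$, $m$ and $d$, runs a small textbook LLL over exact rationals, and checks the structural fact that makes the lattice useful: reading a lattice vector $(v_0, v_1, c_2, \dots, c_d)$ as the coefficient vector of $F(x) = v_0 + v_1 x + c_2 x^2 + \cdots + c_d x^d$, every lattice vector is a polynomial with $F(m) \equiv F'(m) \equiv 0 \pmod n$, so $n$ divides its discriminant. The LLL routine, the column-to-list bookkeeping and the reduction of the first two rows mod $n$ (which does not change the lattice) are my choices; the first column of the reduced basis printed above is checked for membership the same way.

```python
from fractions import Fraction
from math import isqrt

# Parameters from the question (n, m and d are the question's own values, not constructed).
N = 2522074980498295369056421
M = 1518898506677454448608895
D = 4
# First column of the reduced basis printed in the question, read as a coefficient vector.
REPORTED_SHORT_VECTOR = [-6391, -4825, -9273, 6091, -1467]


def discriminant_lattice(n, m, d):
    """Basis of the question's lattice L; each list entry is one column of L.

    Columns 0 and 1 are n*e_0 and n*e_1; column i (2 <= i <= d) is
    ((i-1) m^i, -i m^(i-1), e_i). The first two entries of each column are
    reduced mod n, which leaves the lattice unchanged (n*e_0, n*e_1 are in it)
    but keeps the integers LLL has to handle small.
    """
    basis = [[n] + [0] * d, [0, n] + [0] * (d - 1)]
    for i in range(2, d + 1):
        col = [0] * (d + 1)
        col[0] = ((i - 1) * pow(m, i, n)) % n
        col[1] = (-i * pow(m, i - 1, n)) % n
        col[i] = 1
        basis.append(col)
    return basis


def dot(u, v):
    return sum(x * y for x, y in zip(u, v))


def gram_schmidt(b):
    """Exact Gram-Schmidt over Q: returns the b*_i and the mu_ij (mu_ii = 1)."""
    k = len(b)
    bstar, mu = [], [[Fraction(0)] * k for _ in range(k)]
    for i in range(k):
        v = [Fraction(x) for x in b[i]]
        for j in range(i):
            mu[i][j] = Fraction(dot(b[i], bstar[j])) / dot(bstar[j], bstar[j])
            v = [a - mu[i][j] * c for a, c in zip(v, bstar[j])]
        mu[i][i] = Fraction(1)
        bstar.append(v)
    return bstar, mu


def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL with delta = 3/4: size reduction followed by Lovasz swaps."""
    b = [list(v) for v in basis]
    dim = len(b)
    bstar, mu = gram_schmidt(b)
    k = 1
    while k < dim:
        # Size-reduce b_k; this changes no b*_j, only row k of mu.
        for j in range(k - 1, -1, -1):
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                for l in range(j + 1):
                    mu[k][l] -= q * mu[j][l]
        lovasz_rhs = (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1])
        if dot(bstar[k], bstar[k]) >= lovasz_rhs:
            k += 1
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            bstar, mu = gram_schmidt(b)
            k = max(k - 1, 1)
    return b


def double_root_mod(coeffs, m, n):
    """True iff F(x) = sum coeffs[i] x^i satisfies F(m) = F'(m) = 0 mod n.

    For this lattice that is exactly membership: (v0, v1, c2..cd) lies in L
    iff v0 = sum (i-1) c_i m^i and v1 = -sum i c_i m^(i-1) (mod n), which is
    the same pair of congruences as F(m) = F'(m) = 0 for F = v0 + v1 x + sum c_i x^i.
    """
    value = sum(c * pow(m, i, n) for i, c in enumerate(coeffs)) % n
    deriv = sum(i * c * pow(m, i - 1, n) for i, c in enumerate(coeffs) if i) % n
    return value == 0 and deriv == 0


def sq_norm(v):
    return dot(v, v)


def reduce_and_report(n, m, d):
    """LLL-reduce L, sort by length, and return (basis, longest/shortest norm ratio)."""
    reduced = sorted(lll(discriminant_lattice(n, m, d)), key=sq_norm)
    skew = isqrt(sq_norm(reduced[-1])) // max(1, isqrt(sq_norm(reduced[0])))
    return reduced, skew


if __name__ == "__main__":
    reduced, skew = reduce_and_report(N, M, D)
    for v in reduced:
        print(v, "double root at m mod n:", double_root_mod(v, M, N))
    print("longest/shortest norm ratio:", skew)
    print("reported first column lies in L:", double_root_mod(REPORTED_SHORT_VECTOR, M, N))
```

Because the two congruences determine $v_0$ and $v_1$ uniquely mod $n$ once $c_2, \dots, c_d$ are fixed, the double-root test is a complete membership test, not just a necessary condition; a 'balanced' versus 'skewed' outcome for a given $m$ shows up directly in the norm ratio the script prints.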

2 Answers


I suspect a positive answer to this question would also significantly improve regular nonlinear polynomial selection for the number field sieve. Consider one of the first polynomial selection methods proposed by Buhler et al.: select small $t_1$ and $t_2$, set $m=t_1/t_2 \bmod n$, and find a short vector of the lattice $$ \begin{pmatrix} n & 0 & 0 & 0 & 0 \\ -m & 1 & 0 & 0 & 0 \\ -m^2 & 0 & 1 & 0 & 0 \\ \dots & 0 & 0 & \ddots & 0 \\ -m^d & 0 & 0 & 0 & 1 \\ \end{pmatrix}\,. $$ We expect a short vector corresponding to the polynomial $f$ to have norm $\approx n^\frac{1}{d+1}$, and if $t_1, t_2 \approx n^\frac{1}{d+1}$ both $f$ and $xt_2 - t_1$ have a common root $m$. A natural variant of this method produces pairs of degree $d$ polynomials: simply choose two short independent vectors from the reduced basis, each of which has expected length $\approx n^\frac{1}{d+1}$.

But we know that there must be roots $m$ for which there are significantly shorter polynomials. In particular, the lower bound is $\|f\|\cdot\|g\|\ge n^{1/d}$ instead of the $n^{\frac{2}{d+1}}$ we are easily able to get. If we were able to find, or produce, such roots, we might be able to improve the polynomial selection step of the NFS. Montgomery related the problem to finding short geometric progressions modulo $n$, and derived an optimal method for $d=2$. Williams, Prest-Zimmermann, Koo-Jo-Kwon, and Coxon generalized and extended the method for higher degrees, but they are still not optimal.

The present method here seems to be related to the above, but somewhat trickier because one has to control both polynomial and derivative simultaneously. In particular, with the geometric progression approach one can have small $(d-1)m^4 - n$ or small $dm^3 - n$, but not both.

Here's an attempt to adapt the Prest-Zimmermann approach to this setting. I'll start from a slightly worse lattice to make things easier to play with: $$ \begin{pmatrix} nK & 0 & 0 & 0 & 0 & 0 \\ 0 & n & 0 & 0 & 0 & 0 \\ -K & -r^1 & 1 & 0 & 0 & 0 \\ -2r^1K & -r^2 & 0 & 1 & 0 & 0 \\ -3r^2K & -r^3 & 0 & 0 & 1 & 0 \\ -4r^3K & -r^4 & 0 & 0 & 0 & 1 \\ \end{pmatrix} $$ $K$ is a constant to force the leftmost column—the evaluation at the derivative—to be $0$ on short vectors. Setting $K \approx n^{2/5}$ leads the expected shortest vector to be $\approx n^{2/5}$, same as the original lattice.

Now we select $r\approx n^{1/d}$ and tweak the lattice to have a small geometric progression on the main polynomial: $$ \begin{pmatrix} -K & -r^1 & S & 0 & 0 & 0 \\ -2r^1K & -r^2 & 0 & S^2 & 0 & 0 \\ -3r^2K & -r^3 & 0 & 0 & S^3 & 0 \\ -4r^3K & -r^4-n & 0 & 0 & 0 & S^4 \\ \end{pmatrix} $$ The parameter selection here is still undetermined; for the time being I selected $r\approx n^{1/4}$, $K=n^{2/5}$, and $S=1$. For $n=2522074980498295369056421$, $r=1260200$, $d=4$, one of the vectors in the resulting basis is $$ \begin{pmatrix} 97269663579 & 733265012800 &-3176210261232 & 1 & 1 \end{pmatrix}\,, $$ corresponding to the polynomial $$ x^4 + x^3 - 3176210261232x^2 + 733265012800x + 97269663579\,. $$ Looking at the reduced basis the shortest vectors correspond to polynomials of lower degree, so I think the parameterization here is suboptimal, but nevertheless we are able to control the higher degree coefficients to be small.

Samuel Neves
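To make the structure of the second matrix in this answer concrete, here is an added Python check (my code, not the answer's). It rebuilds the four row vectors for the stated $n$, $r = 1260200$, $d = 4$, $S = 1$ and $K = \mathrm{round}(n^{2/5})$ (the answer gives $K \approx n^{2/5}$ without saying how it was rounded, so that rounding is my assumption; it turns out not to matter for this check), forms the integer combination $c_1 \cdot \text{row}_1 + \cdots + c_4 \cdot \text{row}_4$ for the reported coefficients, and compares it with the reported vector, which I read as $(c_0, c_1, c_2, c_3, c_4)$ with the zero $K$-coordinate omitted. Evaluating $f$ and $f'$ at $r$ directly shows why the $K$ column forces $f'(r) = 0$ and why the second coordinate is exactly the constant term: $f(r) = -n$ for this vector.

```python
# Values from the answer above (not constructed): the modulus, the root r, the degree and S.
N = 2522074980498295369056421
R = 1260200
D = 4
S = 1
# K ~ n^(2/5); the answer does not say how it was rounded, so this rounding is my assumption.
K = round(N ** 0.4)
# The vector the answer reports, read as (c0, c1, c2, c3, c4) with the K-coordinate (0) omitted.
REPORTED = [97269663579, 733265012800, -3176210261232, 1, 1]


def geometric_progression_lattice(n, r, d, k_const, s):
    """The d row vectors of the second matrix in the answer, each of length d + 2."""
    rows = []
    for i in range(1, d + 1):
        row = [0] * (d + 2)
        row[0] = -i * r ** (i - 1) * k_const          # K times the coefficient of c_i in f'(r)
        row[1] = -(r ** i) - (n if i == d else 0)     # coefficient of c_i in f(r); n added on the last row
        row[1 + i] = s ** i                           # skew weight on c_i itself
        rows.append(row)
    return rows


def combine(rows, coeffs):
    """Integer combination sum coeffs[i] * rows[i] of the basis rows."""
    return [sum(c * row[j] for c, row in zip(coeffs, rows)) for j in range(len(rows[0]))]


def poly_eval(coeffs, x):
    """coeffs[i] is the coefficient of x^i."""
    return sum(c * x ** i for i, c in enumerate(coeffs))


def poly_deriv_eval(coeffs, x):
    return sum(i * c * x ** (i - 1) for i, c in enumerate(coeffs) if i)


def check_reported_vector(n, r, d, k_const, s, reported):
    """Rebuild the reported vector from the rows and evaluate f and f' at r."""
    c0, higher = reported[0], reported[1:]                 # c1 .. cd
    rows = geometric_progression_lattice(n, r, d, k_const, s)
    v = combine(rows, higher)
    expected = [0, c0] + [c * s ** i for i, c in enumerate(higher, 1)]
    f = [c0] + higher
    f_r = poly_eval(f, r)
    return {
        "lattice_vector": v,
        "matches_reported": v == expected,
        "f_prime_at_r": poly_deriv_eval(f, r),     # the K column makes any nonzero value cost ~K
        "f_at_r_div_n": f_r // n if f_r % n == 0 else None,
    }


if __name__ == "__main__":
    result = check_reported_vector(N, R, D, K, S, REPORTED)
    for key, val in result.items():
        print(key, "=", val)
```

The second coordinate of the combination is $-(f(r) - c_0) - c_4 n$, so it equals $c_0$ precisely when $f(r) = -c_4 n$; with $c_4 = 1$ that is the $f(r) = -n$ the check reports, and the first coordinate is $-K f'(r)$, which vanishes for this vector whatever $K$ is.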

Can I just post an 'extended comment' to mention one interesting detail, since @SamuelNeves mentioned Montgomery's method of geometric progressions.

I had actually seen Montgomery's method of producing two optimal quadratics for the classic NFS. It produces two quadratic polynomials with coefficients bounded by $O(n^{1/4})$, and also provides the common root $m$.

I was curious to see what would happen if I fed this $m$ (obtained by Montgomery's two quadratics method) into my 'discriminant lattice' shown above, and something very interesting happened.

Not always for the random parameter of the algorithm, but often enough that it can be reproduced in practice for any $n$, when we use the $m$ from Montgomery's method we get a polynomial with discriminant divisible by $n$, and a huge square cofactor.

Here is an illustration.

Let $n = 437256732647720373392867051041$, a random $30$ digit integer.

Montgomery's two quadratics method produces $m = 218628366323860517323388206971$ and the two polynomials

$$f=880619x^2 + 454524x - 19923672,\\ g=32898890x^2 + 16980482x + 6571759$$

which share the root $m$ mod $n$. Now using this $m$ for producing a cubic polynomial with discriminant divisible by $n$, we get the cubic

$$f_2 = 79590001839022x^3 + 61619552830239x^2 + 15902203808121x + 53091733105523$$

which has discriminant

$$\Delta = -3\cdot n\cdot 18676765968045^2$$

which seems like a very unusual thing to happen.
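As an added check of the numbers in this illustration (my code, not the answer's), the script below verifies that $f$ and $g$ share the root $m$ modulo $n$ and that their coefficients are within a small factor of $n^{1/4}$, tests whether $m$ is a double root of $f_2$ modulo $n$ (which is what the discriminant lattice enforces), and computes the discriminant of the cubic with the degree-3 closed form to confirm the factorisation $\Delta = -3 n s^2$ with $s = 18676765968045$. The only assumption is the coefficient ordering (constant term first).

```python
from math import isqrt

# Values from the answer above (not constructed); coefficient lists are constant term first.
N = 437256732647720373392867051041
M = 218628366323860517323388206971
F = [-19923672, 454524, 880619]                  # f  = 880619 x^2 + 454524 x - 19923672
G = [6571759, 16980482, 32898890]                # g  = 32898890 x^2 + 16980482 x + 6571759
F2 = [53091733105523, 15902203808121, 61619552830239, 79590001839022]   # the cubic f_2
S_CLAIMED = 18676765968045                       # cofactor claimed in Delta = -3 n S^2


def eval_mod(coeffs, x, n):
    return sum(c * pow(x, i, n) for i, c in enumerate(coeffs)) % n


def deriv_mod(coeffs, x, n):
    return sum(i * c * pow(x, i - 1, n) for i, c in enumerate(coeffs) if i) % n


def cubic_discriminant(coeffs):
    """Closed form for a x^3 + b x^2 + c x + d."""
    d, c, b, a = coeffs
    return 18 * a * b * c * d - 4 * b ** 3 * d + b * b * c * c - 4 * a * c ** 3 - 27 * a * a * d * d


def montgomery_pair_checks(f, g, m, n):
    """Common root mod n and the O(n^(1/4)) coefficient size of Montgomery's two quadratics."""
    fourth_root = isqrt(isqrt(n))
    return {
        "common_root": eval_mod(f, m, n) == 0 and eval_mod(g, m, n) == 0,
        "max_coeff": max(abs(c) for c in f + g),
        "n_fourth_root": fourth_root,
    }


def analyse_cubic(f2, m, n):
    """Discriminant of f_2, double-root test at m, and the square cofactor of Delta / (-3n)."""
    disc = cubic_discriminant(f2)
    cofactor = None
    if disc % (3 * n) == 0:
        q = -disc // (3 * n)          # equals S^2 if the answer's factorisation holds
        if q > 0 and isqrt(q) ** 2 == q:
            cofactor = isqrt(q)
    return {
        "discriminant": disc,
        "n_divides_discriminant": disc % n == 0,
        "double_root_at_m": eval_mod(f2, m, n) == 0 and deriv_mod(f2, m, n) == 0,
        "square_cofactor": cofactor,
    }


if __name__ == "__main__":
    print(montgomery_pair_checks(F, G, M, N))
    out = analyse_cubic(F2, M, N)
    for key, val in out.items():
        print(key, "=", val)
    print("matches claimed cofactor:", out["square_cofactor"] == S_CLAIMED)
```

The discriminant is computed over the integers and only then reduced, so the divisibility by $n$ and the size of the square cofactor are both read off exactly rather than inferred from a modular computation.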