Questions tagged [lenstra-lenstra-lovasz]

The Lenstra–Lenstra–Lovász (LLL) lattice basis reduction algorithm efficiently finds a short, nearly orthogonal lattice basis from an arbitrary one.

See related Wikipedia article.

21 questions
11 votes, 2 answers

Why is the Lovász condition used in the LLL algorithm?

The LLL algorithm is used to approximate the Shortest Vector Problem, i.e., it outputs a reduced basis. Such a basis will satisfy two conditions: $$ \forall i \gt j. \quad \lvert\mu_{ij}\rvert \le \frac{1}{2} \qquad\text{[size-reduced]} $$ $$…
preethi
10 votes, 1 answer

Problem with LLL reduction on truncated LCG schemes

I am struggling to apply the Frieze et al. paper to break a truncated LCG. A truncated LCG is a pseudorandom generator that outputs the $n$ leading bits $y_i$ of $x_i$, where $(x_i)$ is such that $x_{i+1} = \alpha \cdot x_i + \beta\mod M$, and…
Mariuslp
9 votes, 1 answer

Introduction to LLL algorithm applied to linear modular inequalities

What is the Lenstra–Lenstra–Lovász lattice basis reduction algorithm about? How is it applied to solve for $x\pmod m$ a system of modular inequalities $(u_i\,x+v_i\bmod m)
fgrieu
5 votes, 1 answer

Gram-Schmidt coefficients in LLL algorithm

To my understanding the LLL lattice reduction algorithm starts with a set of integer vectors $\{b_1, \dots, b_2\}$, which span a lattice, and tries to generate a new basis of shorter vectors of the same lattice. It first defines the Gram-Schmidt…
Severin
5 votes, 1 answer

$L^3$ Grover search of NTRU variants

I was reading a text on cryptology by Wayne Patterson and came across the $L^3$ algorithm which reduces integer lattices with respect to their base. I've also read on the NIST CFP A8 that attacks based on Grover's algorithm aren't really seen as…
5 votes, 1 answer

Significance of Gram-Schmidt coefficients in LLL algorithm

Let $\{ {\bf v}_1,{\bf v}_2 \}$ be two linearly independent vectors. An orthogonal base $\{{\bf u}_1,{\bf u}_2 \}$ of the vector space $\mathrm{span}\{ {\bf v}_1,{\bf v}_2 \}$ can be computed using Gram-Schmidt Orthogonalization process (GSO) which…
preethi
3 votes, 1 answer

Lattice reduction question regarding the capability of LLL and BKZ

I've been reading How to estimate the hardness of SIS instances? and following some of its sources, and I want to confirm a few things. The LLL algorithm runs in polynomial time, but isn't capable of producing an arbitrarily small basis, and is therefore…
DannyNiu
3 votes, 1 answer

LLL - Lattice Reduced Basis Algorithm question?

I have two related questions: Version 1: Let $B=\{b_1,b_2,\dots,b_n\}$ be an orthogonal basis for $R^n$. What is the associated reduced basis obtained by applying LLL algorithm to $B$? I know how to apply LLL algorithm and I can apply it for $R^3$…
esra
3 votes, 2 answers

When is this lattice skewed after LLL reduction

Let $n,m$ be positive integers and $0 < m < n$. Construct the following knapsack-style lattice $$L = \begin{bmatrix} n & 0 & m^2 & 2m^3 & \cdots & (d-1)m^d \\ 0 & n & -2m & -3m^2 & \cdots & -dm^{d-1} \\ 0 & 0 & 1 & 0 & \cdots & 0 \\ 0 & 0 & 0 & 1 &…
3 votes, 1 answer

Algorithm to solve SVP (shortest vector problem) using LLL reduction

I'm trying to write a C++ program to solve the shortest vector problem. The program is given a basis of a vector space $V$ and needs to find the shortest non-zero vector in the lattice generated by the given basis. Right now I'm using the…
3 votes, 1 answer

How do the lengths of the Gram-Schmidt orthogonal basis of a lattice basis change after LLL reduction?

Assuming there is a lattice basis $B=\{b_1,...,b_n\}$, we use $B^*=\{b_1^*,...,b_n^*\}$ to denote the Gram-Schmidt orthogonal basis, where $b_i^*=\pi_i(b_i)$ and $\pi_i(b_i)$ denotes the projection of $b_i$ on the orthogonal complement of the space…
kangli
2 votes, 0 answers

Howgrave-Graham lattice attack on NTRU

I am looking for a good example to illustrate this attack on NTRU using low parameters, but I failed to do that. The attack consists of using LLL reduction on a basis of the NTRU lattice. Let us use the column convention: how can I use the first vector to…
2 votes, 1 answer

LLL on Knapsack-esque problem

Given integers $s_1, \dots , s_n$ and target integer $t$, I'm trying to find small integer coefficients $x_1, \dots , x_n$ such that: $$ t \approx x_1 s_1 + \dots +x_ns_n $$ Taking inspiration from the Knapsack problem, I was trying to use LLL on…
user348382
2 votes, 2 answers

Example of bad basis for lattices (worst-case for LLL)

Summary. Given some dimension $n$ (say $n=50$), is it possible to describe explicitly a lattice $L$ and a basis $B$ of $L$ such that $$ \frac{ \| LLL(B)_1 \| }{ \lambda_1(L) } > 1.02^n $$ where $LLL(B)_1$ is the first vector of the LLL-reduced basis…
Watson
1 vote, 0 answers

What is the minimal angle between two LLL reduced vectors?

What is the minimal angle between two LLL reduced vectors? It seems it should be 60 degrees as $|\mu_{i,j}| \leq \frac{1}{2}$. If we set the upper bound of $\mu_{i,j}$ to 1/3, can we get a better reduction?
user15864