Lattices in Cryptography Lecture 3 Instructor: Chris Peikert

University of Michigan, Fall 2015 LLL, Coppersmith Scribe: Yan Wang

1 The LLL Algorithm

Definition 1.1. A lattice basis B is LLL-reduced if the following two conditions are met:

1. For every i < j, we have |µi,j | ≤ 12 . (Such a basis is said to be “sized reduced.”)
e i k2 ≤ kµi,i+1 b
2. For every 1 ≤ i < n, we have 43 kb e i+1 k2 .
ei + b (This is the “Lovász condition.”)

The LLL algorithm works as follows: given an integral input basis B ∈ Zn×n (the integrality condition is
without loss of generality), do the following:

1. Compute B,
e the Gram-Schmidt orthogonalized vectors of B.
2. Let B ← SizeReduce(B).
(This algorithm, defined below, ensures that the basis is size reduced, and does not change L(B) or B.) e
e i k2 > kµi,i+1 b
3. If there exists 1 ≤ i < n for which the Lovász condition is violated, i.e., 34 kb e i+1 k2 ,
ei + b
then swap bi and bi+1 and go back to Step 1. Otherwise, output B.

The idea behind the SizeReduce(B) subroutine is, in the Gram-Schmidt decomposition B = B e · U, to
shift the entries in the upper triangle of U by integers (via unimodular transformations), so that they lie in
[− 12 , 21 ). Because changing an entry of U may affect the ones above it (but not below it) in the same column,
we must make the changes upward in each column. Formally, the algorithm works as follows:

• For each j = 2, . . . , n (in any order) and i = j − 1 down to 1, let bj ← bj − bµi,j e · bi , where
µi,j = hbj , b
e i i/hb e i i is the (i, j)th entry of the upper-unitriangular matrix in the Gram-Schmidt
ei, b
decomposition of the current basis B. (Note that previous iterations can change this matrix.)
In matrix form, in the (i, j)th iteration we are letting B ← B · W, where W is the upper unitriangular
matrix with just one potentially nonzero off-diagonal entry −bµi,j e, at position (i, j).

We make a few important observations about the SizeReduce algorithm. First, it clearly runs in time poly-
nomial in the bit length of the input basis B. Second, even though B may change, the Gram-Schmidt vectors
B
e are preserved throughout, because the only changes to B are via multiplication by upper-unitriangular
matrices, i.e., if B = B e · U is the Gram-Schmidt decomposition prior to some iteration, then B = B e · (UW)
is the decomposition afterward, since UW is upper unitriangular. Finally, the (i, j)th iteration ensures that
the value hbj , be i i/hb e i i ∈ [− 1 , 1 ) (by definition of µi,j ), and following the iteration, that value never
ei, b
2 2
changes, because bk is orthogonal to b e i for all k < i. (This is why it important that we loop from i = j − 1
down to 1; bk may not be orthogonal to b e i for k > i.) Putting these observation together, we have the
following lemma on the correctness of SizeReduce.

Lemma 1.2. Given an integral basis B ∈ Zn×n with Gram-Schmidt decomposition B = B e · U, the
SizeReduce algorithm outputs a basis B of L = L(B) having Gram-Schmidt decomposition B0 = B
0 e · U0 ,
0 1 1
where every entry ui,j for i < j is in [− 2 , 2 ).

We now state the main theorem about the LLL algorithm.

Theorem 1.3. Given an integral basis B ∈ Zn×n , the LLL algorithm outputs an LLL-reduced basis of
L = L(B) in time poly(n, |B|), where |B| denotes the bit length of the input basis.

1
 The remainder of this section is dedicated to an (almost complete) proof of this theorem. First, it is clear
that the LLL algorithm, if it ever terminates, is correct: all the operations on the input basis preserve the
lattice it generates, and the algorithms terminates only when the basis is LLL-reduced.
We next prove that the number of iterations is O(N ) for some N = poly(n, |B|). This uses a clever
“potential argument,” which assigns a value to all the intermediate bases produced by the algorithm. We show
three facts: that the potential starts out no larger than 2N , that itp
never drops below 1, and that each iteration
of the algorithm decreases the potential by a factor of at least 4/3 > 1. This implies that the number of
iterations is at most log√4/3 2N = O(N ).
The potential function is defined as follows: for a basis B = (b1 , . . . , bn ), let Li = L(b1 , . . . , bi ) for
each 1 ≤ i ≤ n. The potential is the product of these lattices’ determinants:
n
Y n 
Y  Yn
Φ(B) := det(Li ) = kb
e 1 k · · · kb
eik = e i kn−i+1 .
kb
i=1 i=1 i=1

Claim 1.4. The potential of the initial input basis B is at most 2N where N = poly(n, |B|), and every
intermediate basis the algorithm produces has potential at least 1.
2
Proof. The potential of the original basis B is clearly bounded by ni=1 kbi kn ≤ maxi kbi kn = 2poly(n,|B|) .
Q
Every intermediate basis is integral and has positive integer determinant, hence so do the lattices Li associated
with that basis. Therefore, the potential of that basis is at least 1.

We next analyze how the potential changes when we perform a swap in Step 3.

Claim 1.5. Suppose bi and bi+1 are swapped in Step 3, and let the resulting basis be denoted B0 . Then
e0 = b
b e 0 = µi,i+1 b
e j for all j 6∈ {i, i + 1}, and b ei + b
e i+1 .
j i

Proof. For j < i, the vector b e 0 is unaffected by the swap, because by definition it is the component of
j
bj = bj orthogonal to span(b1 , . . . , b0j−1 ) = span(b1 , . . . , bj−1 ). Similarly, for j > i + 1, the vector b
0 0 e0
j
0 0 0
is the component of bj = bj orthogonal to span(b1 , . . . , bj−1 ) = span(b1 , . . . , bj−1 ), where the equality
holds because both bi and bi+1 are in the span. Finally, b e 0 is the component of b0 = bi+1 orthogonal to
i i
span(b01 , . . . , b0i−1 ) = span(b1 , . . . , bi−1 ), which is µi,i+1 b
ei + b e i+1 by construction.

Lemma 1.6. Suppose bi and bi+1 are swapped in Step 3, and let the resulting basis be denoted B0 . Then
Φ(B0 )/Φ(B) < 3/4.
p

Proof. Let Li = L(b1 , . . . , bi−1 , bi ) and L0i = L(b1 , . . . , bi−1 , bi+1 ). By Claim 1.5, we have

Φ(B0 ) det(L0i ) kb
e 1 k · · · kbe i−1 kkµi,i+1 b e i+1 k
ei + b kµi,i+1 b e i+1 k p
ei + b
= = = < 3/4,
Φ(B) det(Li ) kb e 1 k · · · kb
e i−1 kkb
eik kbeik

where the last inequality follows from the Lovász condition.

This completes the proof that the number of iterations is O(N ) = poly(n, |B|). Moreover, each iteration
of the algorithm is polynomial time in the bit length of the current basis. However, this does not necessarily
guarantee that the LLL algorithm is polynomial time overall, since the bit length of the intermediate bases
could increase with each iteration. (For example, if the bit length doubled in each iteration, then by the end

2
the bit length would be exponential in n.) To it suffices to show that the sizes of all intermediate bases are
polynomial in the size of the original basis. This turns out to be the case, due to the size-reduction step. The
proof of this fact is somewhat grungy and uninteresting, though, so we won’t cover it.
We conclude with some final remarks about the LLL algorithm. The factor 3/4 in the Lovász condition
is just for convenience of analysis. We can use any constant between 1/4 and 1, which yields a tradeoff
between the final approximation factor and the number of iterations, but these will still remain exponential
(in n) and polynomial,
√ respectively. By choosing the factor very close to 1, we can obtain an approximation
factor of (2/ 3)n in polynomial time, but we cannot do any better using LLL. We can get slightly better
2
approximation factors of 2O(n(log log n) )/(log n ) (still in polynomial time) using Schnorr’s generalization of
LLL, where the analogue of the Lovász condition deals with blocks of k ≥ 2 consecutive vectors.

2 Coppersmith’s Method
One nice application of LLL is a technique of Coppersmith that finds all small roots of a polynomial modulo
a given number N (even when the factorization of N is unknown). This technique has been a very powerful
tool in cryptanalysis, as we will see next time.

Theorem 2.1. There is an efficient algorithm that, given any monic, degree-d integer polynomial f (x) ∈ Z[x]
and an integer N , outputs all integers x0 such that |x0 | ≤ B = N 1/d and f (x0 ) = 0 mod N .

We make a few important remarks about the various components of this theorem:

1. When N is prime, i.e., ZN is a finite field, there are efficient algorithms that output all roots of a
given degree-d polynomial f (x) modulo N , of which there are at most d. Similarly, there are efficient
algorithm that factor polynomials over the rationals (or integers). Therefore, the fact that the theorem
handles a composite modulus N is a distinguishing feature.
2. For composite N , the number of roots of f (x) modulo N can be nearly exponential in the bit length
of N , even for quadratic f (x). For example, if N is the product of k distinct primes, then any
square modulo N has exactly 2k distinct square roots. (This follows from the Chinese Remainder
Theorem, since there are two square roots modulo each prime divisor of N .) Since k can be as large as
≈ log N/ log log N , the number of roots can be nearly exponential in log N . Therefore, in general no
efficient algorithm can output all roots of f (x) modulo N ; the restriction to small roots in the theorem
statement circumvents this problem.1
3. The size restriction appears necessary for another reason: knowing two square roots r1 6= ±r2 of a
square modulo a composite N reveals a nontrivial factor of N , as gcd(r1 − r2 , N ). So even if the
number of roots is small, finding them all is still at least as hard as factoring. However, it is easy
to show that a square cannot have more than one “small” square root, of magnitude at most N 1/2 .
Therefore, the theorem does appear to yield an efficient factoring algorithm.2

To highlight the heart of the method, in the remainder of the section we prove the theorem for a weaker
bound of B ≈ N 2/(d(d+1)) . P (We prove the bound B ≈ N 1/d next time.) The strategy is to find another
nonzero polynomial h(x) = hi xi ∈ Z[x] such that:
1
Indeed, the theorem implies that the number of small roots is always polynomially bounded. Surprisingly, this fact did not
appear to be known before Coppersmith’s result!
2
However, it can be used to factor when some partial information about a factor is known.

3
 1. every root of f (x) modulo N is also a root of h(x), and
2. the polynomial h(Bx) is “short,” i.e., |hi B i | < N/(deg(h) + 1) for all i.

For any such h(x), and for any x0 such that |x0 | ≤ B, we have |hi xi0 | ≤ |hi B i | < N/(deg(h) + 1), which
implies that |h(x0 )| < N . Hence, for every small root x0 (such that |x0 | ≤ B) of f (x) modulo N , we have
that h(x0 ) = 0 over the integers (not modulo anything). To find the small roots of f (x) modulo N , we can
therefore factor h(x) over the integers, and test whether each of its (small) roots is a root of f (x) modulo N .
We now give an efficient algorithm to find such an h(x). The basic idea is that adding integer multiples of
the polynomials gi (x) = N xi ∈ Z[x] to f (x) certainly preserves the roots of f modulo N . So we construct
a lattice whose basis corresponds to the coefficient vectors of the polynomials gi (Bx) and f (Bx), find a
short nonzero vector in this lattice, and interpret it as the polynomial h(Bx). The lattice basis is
 
N a0
 BN a1 B 
B2N a2 B 2
 
 
B=

.

 
 B d−1 N d−1
ad−1 B 
Bd

Note that the lattice dimension is d + 1, and that det(B) = B d(d+1)/2 · N d . By running the LLL algorithm
on this basis, we obtain a 2d/2 -approximation v to a shortest vector in L(B). By Minkowski’s bound,
√
kvk ≤ 2d/2 d + 1 · B d/2 · N d/(d+1) = cd · B d/2 · N 1−1/(d+1) ,
√
where cd = 2d/2 d + 1 depends only on the degree d.
Define h(Bx) to be the polynomial whose coefficients are given by v, i.e., h(x) = v0 + (v1 /B)x + · · · +
(vd /B d )xd . Notice that h(x) ∈ Z[X], because B i divides vi for each i by construction of the lattice basis,
and that every root of f (x) modulo N is also a root of h(x) by construction. Finally, we see that

N
|hi B i | = |vi | ≤ kvk < ,
d+1

if we take B < N 2/d(d+1) /c0d where c0d = (cd (d + 1))2/d = O(1) is bounded by a small constant. This
concludes the proof.