Average Time Fast SVP and CVP Algorithms for Low Density Lattices and the Factorization of Integers. Claus P. SCHNORR

Average Time Fast SVP and CVP Algorithms for Low Density Lattices and the Factorization of Integers Claus P. SCHNORR Fachbereich Informatik und Mathematik Goethe-Universität Frankfurt am Main Numbers, Sequences, Lattices: Dynamical Analysis of Algorithms. Birthday of Brigitte Vallée Caen, June 3-4, 2010

Road map 2 I Outline of the new SVP / CVP algorithm II III IV Time bound of SVP/CVP algorithm for low density lattices Factoring integers via "easy" CVP solutions Partial analysis of the new SVP / CVP algorithm References A technical report is available at http://www.mi.informatik.uni-frankfurt.de/research/papers.html We focus on novel proof elements that are not covered by published work and outline sensible heuristics towards polynomial time factoring of integers.

I: Lattices, QR-decomposition, LLL-bases 3 lattice basis B = [b 1,..., b n ] Z m n lattice L(B) = {Bx x Z n } norm x 2 = x, x = m i=1 x i 2 SV-length λ 1 (L) = min{ b b L\{0}} QR-decomposition B = QR R m n such that the GNF geom. normal form R = [r i,j ] R n n is uppertriangular, r i,j = 0 for j < i and r i,i > 0, ( r i,i = b i ) Q R m n isometric: Q t Q = I n. LLL-basis B = QR for δ ( 1 4, 1] (Lenstra, Lenstra, Lovasz 82): 1. r i,j 1 2 r i,i for all j > i (size-reduced) ( r i,j /r i,i = µ j,i ) 2. δ ri,i 2 ri,i+1 2 + r i+1,i+1 2 for i = 1,..., n 1 3. α i+1 b i 2 λ 2 i α n 1 for i = 1,..., n 4. b 1 2 α n 1 2 (det L) 2/n, where α = 1/(δ 1/4).

I: Recall ENUM 1994/95 4 Let L t = L(b 1,..., b t 1 ) and π t : span(l) span(l t ) for t = 1,..., n denote the orthogonal projection. Stage (u t,..., u n ) of ENUM. b := n i=t u ib i L and u t,..., u n Z are given. The stage searches exhaustively for all t 1 i=1 u ib i L such that n i=1 u ib i 2 A holds for some A λ 2 1. Obviously n i=1 u ib i 2 = ζ t + t 1 i=1 u ib i 2 + π t (b) 2, goal: A to be minimized spent where ζ t := b π t (b) span L t is the orthogonal projection of the given b = n i=t u ib i. Stage (u t,..., u n ) exhausts B t 1 (ζ t, ρ t ) L t where B t 1 (ζ t, ρ t ) span L t is the sphere of dimension t 1 with center ζ t and radius ρ t := (A π t (b) 2 ) 1/2.

I: The success rate β t of stages 5 The GAUSSIAN volume heuristics estimates B t 1 (ζ t, ρ t ) L t to β t = def vol B t 1 (ζ t, ρ t )/ det L t. Here vol B t 1 (ζ t, ρ t ) = ρ t 1 t 1 V t 1, V t = π t 2 /( t 2eπ 2 )! ( t ) t 2 / πt is the volume of the unit sphere of dimension t, det L t = t 1 i=1 r i,i, ρ 2 t := A π t ( n i=t u ib i ) 2. We call β t the success rate of stage (u t,..., u n ). If ζ t mod L t is uniformly distributed over the parallelepiped P t := { t 1 i=1 r ib i 0 r 1,..., r t 1 < 1} then E ζt [ B t 1 (ζ t, ρ t ) L t ] = β t for ζ t R P t, because 1/ det L t is the number of points per volume in L t. The center ζ t = b π t (b) span L t changes continuously. If ζ t mod L t P t distributes uniformly the estimate B t 1 (ζ t, ρ t ) L t vol B t 1 (ζ t, ρ t )/ det L t of the vol. heur. holds on the average.

I: Outline of New Enum for SVP 6 INPUT LLL-basis B = QR Z m n, R R n n, A := n 4 (det Bt B) 2/n, OUTPUT a sequence of b L(B) of decreasing length b 2 A terminating with b = λ 1. 1. s := 1, L :=, (we call s the level) 2. Perform algorithm ENUM [SE94] pruned to stages with β t n s : Upon entry of stage (u t,..., u n ) compute β t. If β t < n s delay this stage and store (β t, u t,..., u n ) in the list L of delayed stages. Otherwise perform stage (u t,..., u n ) on level s, and as soon as some b L of length 0 < b 2 A has been found give out b and set A := b 2 1. Recompute the stored β t 3. Perform the stages (u t,..., u n ) of L with β t n s 1 in increasing order of t and for fixed t in order of decreasing β t. Collect the appearing substages (u t,..., u t,..., u n ) with β t < n s 1 in L. IF L = THEN terminate by exhaustion. 4. s := s + 1, GO TO 3

II: Optimizing the implementation 7 We efficiently approximate β t using floating point arithmetic. The space reservations for the list L are quite expensive compared to the modest arithmetic costs per stage. The condition β t < n s has been tested in practice. It replaces the original condition β t < 2 s. This reduces list L and the number of the list operations. Saving space is a main problem. For the final exhaustive search that proves b = λ 1 the success rate and the list operations can be suppressed, they merely slow down the computation. The start of the final exhaustion can be guessed. If no shorter vector comes up for an extended period then most likely the last output b has length λ 1.

II: Time Bound for the SVP algorithm 8 Def. The relative density of L: rd(l) := λ 1 γ 1/2 n (det L) 1/n rd(l) = λ 1 (L)/ max λ 1 (L ) holds for the maximum of λ 1 (L ) over all lattices L of dim L = n and det L = det L. The HERMITE constant γ n = max{λ 2 1 / det(l)2/n dim L = n}. We always have λ 2 1 = rd(l)2 γ n (det L) 2/n. Theorem 1 Given a lattice basis satisfying GSA and b 1 eπ n b λ 1, b 0, NEW ENUM solves SVP in time 2 O(n) (n 1/2+b rd(l)) n/4, i.e. in time 2 O(n) ( n/rd(l)) n/4 for b = 0. The 2 O(n) factor disappears under the volume heuristics. GSA : Let B = QR = Q[r i,j ] satisfy: (for r i,i = b i ) ri,i 2 /r i 1,i 1 2 = q for i = 2,..., n and some q > 0. W.l.o.g. let q < 1, otherwise b 1 = λ 1. The condition b 1 eπ n b λ 1 can" easily" be met for CVP.

II: Polynomial Time bound under the vol. heuristics 9 Finding an unproved shortest vector b is easier than proving b = λ 1. We study the time to find an SVP-solution b without proving λ 1 = b under the assumption: SA π t (b ) 2 n t+1 n λ 2 1 holds for all t and NEW ENUM s SVP-solution b, where π t (b ) span(b 1,..., b t 1 ). Proposition 1. Let a lattice basis be given that satisfies GSA, b 1 eπ/2 n b λ 1 and rd(l) n 1+2b 4. If NEW ENUM finds a shortest lattice vector b satisfying SA it finds b, without proving b = λ 1, under the volume heur. in polynomial time. Polynomial time holds for b = 0, rd(l) n 1/4. But the time to prove b = λ 1 is under the volume heur. Θ(n 1/2 rd(l)) n/4.

II: Polynomial CVP time under the volume heur. 10 Corollary 1. Given t R n and B for L(B) satisfying GSA, b 1 = λ 1 and rd(l) n 1/2 then NEW ENUM solves the CVP t b = t L under the volume heuristics in poly-time. We adjust the assumption SA from SVP to CVP: CA Let π t (t b) 2 n t+1 n t L 2 hold for all t and NEW ENUM s CVP-solution b. Corollary 2. Let B = [b 1,..., b n ] in Z m n satisfy GSA, b 1 = O(λ 1 ) and let b satisfy CA for B, t. If rd(l) = o(n 1/4 ) and t L = O(λ 1 ) then NEW ENUM finds the CVP- solution b L under the volume heuristics in polynomial time, but without proving t b = t L. All requirements of Cor. 2 can easily be satisfied for the CVP s of the prime number lattice for factoring integers.

III: Factoring integers via CVP solutions 11 Let N be a positive integer that is not a prime power. Let p 1 < < p n enumerate all primes less than (ln N) α. Then n = (ln N) α /(α ln ln N + O(1)). Let the prime factors p of N satisfy p > p n. We show how to factor N by solving "easy" CVP s for the prime number lattice L(B), basis matrix B = [b 1,..., b n ] R (n+1) n : ln p1 0 0 0. B = 0.. 0 0 0 ln pn, N =. 0, N c ln p 1 N c ln p n N c ln N and the target vector N R n+1, where either N = N or N = Np n+j for one of the next n primes p n+j > p n, j n. Lemma 5.3 [MG02] λ 2 1 2c ln N. rd(l) = o(n 1/4 ) for c = (ln N) β, suitable α > 2β + 2 > 2.

III: Outline of the factoring method 12 We identify the vector b = n i=1 e ib i L(B) with the pair (u, v) of integers u = e j >0 pe j j, v = e j <0 p e j j N. Then u, v are free of primes larger than p n and gcd(u, v) = 1. We compute vectors b = n i=1 e ib i L(B) close to N such that u vn < p n. The prime factorizations u vn = n i=1 pe i i and u = e j >0 pe j j yield a non-trivial relation e i >0 pe i i = ± n i=1 pe i i mod N. (7.1) Given n + 1 independent relations (7.1) we write these relations n i=0 pe i,j e i,j with p 0 = 1 and e i,j, e i,j N as i = 1 mod N for j = 1,..., n + 1. Any non-trivial solution z 1,..., z n+1 Z of n+1 j=1 z j(e i,j e i,j ) = 0 mod 2, i = 0,..., n solves X 2 = 1 mod N by X = n 2 i mod N. Hence gcd(x ± 1, N) factors N if X ±1 mod N. i=0 p 1 P n+1 j=1 z j (e i,j e i,j )

III: Vectors b L closest to N yield relations (7.1) 13 An integer z is called y-smooth, if all prime factors p of z satisfy p y. Let N be either N or Np n+j for one of the next n primes p n+j > p n. We denote M α,c,n = {(u, v) N 2 u N c, u vn = 1, N c 1 /2 < v < N c 1 u, v are squarefree and (ln N) α smooth Theorem 4 [S93/91] If the equation u u/n N = 1 is for random u of order N c nearly statistically independent of the event that u, u/n are squarefree and (ln N) α -smooth then α M α,c,n holds if α 2β 2 < c (ln N)β and α > 2β + 2. Theorem 4 extends the result of [S93/91] from a constant c > 0 to c = (ln N) β, required for rd(l)) = o(n 1/4 ). Theorem 5 The vector b = n i=1 e ib i L(B) closest to N provides a non-trivial relation (7.1) provided that M α,c,n. }.

III: Vectors b L closest to N yield relations (7.1) 14 Theorem 6 If b 1 = O(λ 1 ) and M α,c,n for c = (ln N) β, α > 2β + 2 we can minimize L(B) N in polynomial time under GSA, CA and the volume heuristics. It follows from M α,c,n for N {N, Np n+j } that L N 2 (2c 1) ln N + 1 = (2c 1 + o(1)) ln N. Lemma 5.3 of [MG02] proves that λ 2 1 2c ln N Θ(1) [ λ 2 1 = 2c ln N + O(1) holds if 0 < α α 2β 2 < c (ln N)β. ] rd(l) = λ 1 /( γ n (det L) 1 n ) ( ) 1 2eπ 2c ln N (ln N) α 2 = O(c ln N) (1 α)/2 = O((ln N) 1 α ). We have for c = (ln N) β 2c ln N, α > 2β + 2 that (ln N) = o(n 1/2 ) α Hence rd(l) = o(n 1/4 ).

III: Providing a nearly shortest vector for L(B) 15 For solving t b = t L heuristically in polynomial time we need that b 1 = O(λ 1 ) holds for the prime number lattice. We extend the prime number basis B and L(B) by a nearly shortest lattice vector for the extended lattice, preserving rd(l), det(l) and the structure of the lattice. We extend the prime base by a prime p n+1 of order Θ(N c ) such that u p n+1 = O(1) holds for a squarefree (ln N) α -smooth u. Then i e ib i b n+1 2 = 2c ln N + O(1) holds for u = i pe i i and the additional basis vector b n+1 corresponding to p n+1. i e ib i b n+1 is a nearly shortest vector of L(b 1,..., b n+1 ). Efficient construction of p n+1. Generate random u = i p i and test the nearby p for primality. p n+1 and b n+1 can be found in probabilistic polynomial time if the density of primes near the u is not exceptionally small. A single p n+1 can be used to solve all CVP s for the factorization of all integers of order Θ(N).

IV: Proof of Theorem 1 16 Theorem 1 Given a lattice basis satisfying GSA and b 1 eπ n b λ 1, b 0, NEW ENUM solves SVP in time 2 O(n) (n 1/2+b rd(l)) n/4. NEW ENUM essentially performs stages in decreasing order of the success rate β t. Let b = n i=1 u i b i L denote the unique vector of length λ 1 that is found by NEW ENUM. Let β t be the success rate of stage (u t,..., u n). NEW ENUM performs stage (u t,..., u n) prior to all stages (u t,..., u n ) of success rate β t 1 4 β t Simplifying assumption. We assume that NEW ENUM performs stage (u t,..., u n) prior to all stages of success rate β t < β t, ( i.e., ρ t < ρ t ). By definition ρ 2 t = A π t (b) 2 and ρ t 2 = A π t (b ) 2. Without using the simplifying assumption, the proven time bound of Theorem 4.1 increases at most by the factor n.

IV: A proven version of the volume heuristics 17 Consider the number M t of stages (u t,..., u n ) with π t ( n i=t u ib i ) λ 1 : M t := # ( B n t+1 (0, λ 1 ) π t (L) ). Modulo the heuristic simplifications M t covers the stages that precede (u t,..., u n) and those that finally prove b = λ 1. Lemma 1 M t e n t+1 2 n i=t (1 + n t+1 8π λ1 ri,i ). The proof uses the method of Lemma 1 of MAZO, ODLYZKO [MO90] and follows the adjusted proof of inequality (2) in section 4.1 of HANROT, STEHLÉ [HS07]. For details see the TR http://www.mi.informatik.uni-frankfurt.de/research/papers.html Now ri,i 2 = b 1 2 q i 1, λ 2 1 /(γ n rd(l) 2 ) = (det L) 2 n = b 1 2 q n 1 2 hold by GSA and thus γ n n 2 eπ directly imply for i = t,..., n n t + 1 ri,i 2eπ rd(l) 1 λ 1 q (2i n 1)/4. By Lemma 1 M t n e π rd(l) 1 λ 1 q (2i n 1)/4 + 8eπ λ n t+1 1 i=t ri,i (4.0)

IV: Proof of Theorem 1 continued 18 For the remainder of the proof let t := n 2 + 1 c and m(q, c) := [if c > 0 then q 1 c2 4 else 1]. Then M t m(q, c) ( (2+ e) 2eπ λ 1 n t+1 rd(l) ) n t+1/ det πt (L), (4.1) where m(q, c) = q 1 c2 4 = q 1 4 P c i=0 (2i 1) covers in (4.0) the factors q 2i n 1 4 > 1 for t < i < n 2 + 1. We see from (4.1) and det π t (L) = b 1 n t+1 q P n i=t M t m(q, c) ( (2+ e) 2eπ n t+1 λ 1 b 1 rd(l) 1.744 (n+o(n)) 2eπ i 1 2 that ) n t+1/q P n 1 i=t 1 i/2 (4.2) The [KL78] bound γ n eπ for n n 0 and 1 n 1 n 1 i=t 1 i = n 2 (t 1)(t 2) 2(n 1) and q n 1 2 = λ 2 1 /( b 2 γ n rd(l) 2 ) show M t m(q, c) ( (2+ e) 2eπ λ n t+1 1 n t+1 ( rd(l) b1 ) n rd(l) b 1 ) (t 1)(t 2) n n 1. n eπ λ1

IV: End of Proof of Theorem 1 19 The difference of the exponents de(t) = n (t 1)(t 2) n 1 n + t 1 = (t 1)(1 t 2 n 1. Hence for for t n and de( n 2 + 1 c) = n2 /4 c 2 n 1 b 1 eπ n b λ 1 and all t n : ) is positive M t m(q, c) ( ( 8 + 2e) n n t+1 )n t+1 ( n 1 2 +b rd(l) ) n For c > 0, t n 2 we have m(q, c) = q 1 c2 4 = ( b 1 γ n rd(l) thus : λ 1 ) c 2 1 n 1 M t (4 + 2 e) n t+1 ( n 1 2 +b rd(l) ) n 2 O(n)( n 1 2 +b rd(l) ) n+1 4, where n2 /4 1 For c 0, t > n 2 we have M t ( ( 8 + 2e) n n t+1 n 1 n+1 4. 2 /4 c 2 n 1 (n 1 2 +b rd(l)) c2 1 n 1, and 2 /4 1 n 1 = ) n t+1 ( 1 n 2 +b rd(l) ) n 2 /4 n 1 = 2 O(n)( n 1 2 +b rd(l) ) n+2 4 where n2 /4 n 1 n+2 4.

V: Failings of the volume heuristics 20 MAZO, ODLYZKO [MO90] show for the lattice L = Z n : #{x Z n x 2 an} = 2 Θ(n) for a 0 a 1 2eπ and any a 0 > 0, whereas the volume heur. estimates this cardinality to O(1). The center ζ = 0 of the sphere is bad for the vol. heuristics. It can nearly maximize B n (ζ, ρ) L. NEW ENUM for SVP keeps the center ζ t = b π t (b) close to 0. The analysis of NEW ENUM for CVP uses for center the vector b t π t (b t). For random π t (t) this may better justify the volume heuristics in the analysis of NEW ENUM for CVP than for SVP.

V: Ajtai s worst case / average case equivalence 21 n c -unique-svp lattices: every lattice vector that is linearly independent of a shortest nonzero lattice vector has at least length λ 1 n c for some c > 1, i.e., λ 2 λ 1 n c. Proposition 1 shows that all n c -unique-svp s can be solved under GSA and the volume heuristics in polynomial time given a very short lattice vector. Ajtai s worst case / average case equivalence. AJTAI [Aj96, Thm 1] solves every n c -unique-svp using an oracle that solves SVP for a particular random lattice. However, all n c -unique-svp s are somewhat easy. This makes the worst case / average case equivalence suspicious. [MR07] reduces n c in Ajtai s reduction to n ln O(1) n.

Refences 22 Ad95 L.A. Adleman, Factoring and lattice reduction. Manuscript, 1995. AEVZ02 E. Agrell, T. Eriksson, A. Vardy and K. Zeger, Closest point search in lattices. IEEE Trans. on Inform. Theory, 48 (8), pp. 2201 2214, 2002. Aj96 M. Ajtai, Generating hard instances of lattice problems. In Proc. 28th Annual ACM Symposium on Theory of Computing, pp. 99 108, 1996. AD97 M. Ajtai and C. Dwork, A public-key cryptosystem with worst-case / average-case equivalence. In Proc 29-th STOC, ACM, pp. 284 293, 1997. AKS01 M. Ajtai, R. Kumar and D. Sivakumar, A sieve algorithm for the shortest lattice vector problem. In Proc. 33th STOC, ACM, pp. 601 610, 2001. Ba86 L. Babai, On Lovasz lattice reduction and the nearest lattice point problem. Combinatorica 6 (1), pp.1 13, 1986.

References 23 BL05 J. Buchmann and C. Ludwig, Practical lattice basis sampling reduction. eprint.iacr.org, TR 072, 2005. Ca98 Y.Cai, A new transference theorem and applications to Ajtai s connection factor. ECCC, Report No. 5, 1998. CEP83 E.R. Canfield, P. Erdös and C. Pomerance, On a problem of Oppenheim concerning "Factorisatio Numerorum". J. of Number Theory, 17, pp. 1 28, 1983. CS93 J.H. Conway and N.J.A. Sloane, Sphere Packings, Lattices and Groups. third edition, Springer-Verlag1998. FP85 U. Fincke and M. Pohst, Improved methods for calculating vectors of short length in a lattice, including a complexity analysis. Math. of Comput., 44, pp. 463 471, 1985.

Refences 24 GN08 N. Gama and P.Q. Nguyen, Predicting lattice reduction, in Proc. EUROCRYPT 2008, LNCS 4965, Springer-Verlag, pp. 31 51, 2008. HHHW09 P.Hirschhorn, J. Hoffstein, N. Howgrave-Graham, W. Whyte, Choosing NTRUEncrypt parameters in light of combined lattice reduction and MITM approaches. In Proc. ACNS 2009, LNCS 5536, Springer-Verlag,pp. 437 455, 2009. HPS98 J. Hoffstein, J. Pipher and J. Silverman, NTRU: A ring-based public key cryptosystem. In Proc. ANTS III, LNCS 1423, Springer-Verlag, pp. 267 288, 1998. H07 N. Howgrave-Graham, A hybrid lattice reduction and meet-in-the-middle attiack against NTRU. In Proc, CRYPTO 2007, LNCS 4622, Springer-Verlag, pp. 150 169, 2007.

Refences 25 HS07 G. Hanrot and D. Stehlé, Improved analysis of Kannan s shortest lattice vector algorithm. In Proc. CRYPTO 2007, LNCS 4622, Springer-Verlag,pp. 170 186, 2007. HS08 G. Hanrot and D. Stehlé, Worst-case Hermite-Korkine-Zolotarev reduced lattice bases. CoRR, abs/0801.3331, http://arxix.org/abs/0801.3331. Ka87 R. Kannan, Minkowski s convex body theorem and integer programming. Math. Oper. Res., 12, pp. 415 440, 1987. KL78 G.A.Kabatiansky and V.I. Levenshtein, Bounds for packing on a sphere and in space. Problems of Information Transmission, 14, pp. 1 17, 1978. LLL82 H. W. Lenstra Jr.,, A. K. Lenstra, and L. Lovász, Factoring polynomials with rational coefficients, Mathematische Annalen 261, pp. 515 534, 1982.

Refences 26 L86 L. Lovász, An Algorithmic Theory of Numbers, Graphs and Convexity, SIAM, 1986. LM09 V. Lubashevsky and D. Micciancio, On bounded distance decoding, unique shortest vectors and the minimum distance problem. In Proc. CRYPTO 2009, LNCS 5677, Springer-Verlag, pp. 577 594, 2009. MO90 J. Mazo and A. Odlydzko, Lattice points in high-dimensional spheres. Monatsh. Math. 110, pp. 47 61, 1990. MG02 D. Micciancio and S. Goldwasser, Complexity of Lattice Problems: A Cryptographic Perspective. Kluwer Academic Publishers, Boston, London, 2002. MR07 D. Micciancio and O. Regev, Worst-case to average-case reduction based on gaussian measures. SIAM J. on Computing, 37(1), 2007.

Refences 27 NS06 P.Q. Nguyen and D. Stehlé, LLL on the average. In Proc. of ANTS-VII, LNCS 4076, Springer-Verlag, 2006. N10 P.Q. Nguyen, Hermite s Constant and Lattice Algorithms. in The LLL Algorithm, Eds. P.Q. Nguyen, B. Vallée, Springer-Verlag, Jan. 2010. S87 C.P. Schnorr, A hierarchy of polynomial time lattice basis reduction algorithms. Theoret. Comput. Sci., 53, pp. 201 224, 1987. S93 C.P.Schnorr, Factoring integers and computing discrete logarithms via Diophantine approximation. In Advances in Computational Complexity, AMS, DIMACS Series in Discrete Mathematics and Theoretical Computer Science, 13, pp. 171 182, 1993. Preliminary version Proc. EUROCRYPT 91, LNCS 547, Springer-Verlag, pp. 281 293, 1991. //www.mi.informatik.uni-frankfurt.de

Refences 28 SE94 C.P. Schnorr and M. Euchner, Lattce basis reduction: Improved practical algorithms and solving subset sum problems. Mathematical Programming 66, pp. 181 199, 1994. S03 C.P. Schnorr, Lattice reduction by sampling and birthday methods. Proc. STACS 2003: 20th Annual Symposium on Theoretical Aspects of Computer Science, LNCS 2007, Springer-Verlag, pp. 146 156, 2003. S06 C.P. Schnorr, Fast LLL-type lattice reduction. Information and Computation, 204, pp. 1 25, 2006. S07 C.P. Schnorr, Progress on LLL and lattice reduction, Proc. LLL+25, Caen, France, 2007, Final version in: The LLL Algorithm, Survey and Applications, Eds. P.Q.Nguyen and B. Vallée, Springer 2010.