Lenstra–Lenstra–Lovász lattice basis reduction algorithm

The Lenstra–Lenstra–Lovász lattice basis reduction (LLL) is a polynomial time lattice reduction algorithm invented by Arjen Lenstra, Hendrik Lenstra and László Lovász. Given as input "d" lattice basis vectors with "n"-dimensional integer coordinates and a norm lesser than "B", the LLL algorithm outputs an "LLL-reduced" (short, nearly orthogonal) lattice basis in time

:$O(d^5nlog^3\; B).,$

The original applications were to give polynomial time algorithms for factorizing polynomials with rational coefficients into irreducible polynomials, and for solving the integer linear programming problem in fixed dimensions.

LLL reduction

The precise definition of LLL-reduced is as follows: the basis

:$mathbf\{B\}=\{\; mathbf\{b\}\_1,mathbf\{b\}\_2,\; dots,\; mathbf\{b\}\_N\; \}$,

with its Gram–Schmidt process orthogonal basis,

:$mathbf\{B\}\text{'}=\{\; mathbf\{b\}\text{'}\_1,\; mathbf\{b\}\text{'}\_2,\; dots,\; mathbf\{b\}\text{'}\_N\; \}$

is LLL-reduced if there exists a parameter "p" in (0.25,1] such that

#
#

where

:$mu\_\{i,j\}=frac\{langlemathbf\{b\}\_i,mathbf\{b\}\text{'}\_j\; angle\}\{langlemathbf\{b\}\text{'}\_j,mathbf\{b\}\text{'}\_j\; angle\}$, for any i>j.

Note that although LLL-reduction is well-defined for "p=1", the polynomial-time complexity is guaranteed onlyfor "p" in (0.25,1).

The LLL algorithm computes LLL-reduced bases. A reduced basis is one in which the basis vectors are as short as possible. There is no known efficient algorithm to compute such a basis except for lattices of dimensions up to 3. A basis which is nearly reduced, in the sense that that there are absolute bounds $c\_i\; >\; 1$ such that the first basis vector is no more than $c\_1$ times as long as a shortest vector in the lattice,the second basis vector is likewise within $c\_2$ of the second successive minimum, and so on, is computed by the LLL algorithm.

Applications

The LLL algorithm has found numerous other applications in MIMO detection algorithms and cryptanalysis of public-key encryption schemes: knapsack cryptosystems, RSA with particular settings, NTRUEncrypt, and so forth. The algorithm can be used to find integer solutions to many problems. For example, if it is believed that r=1.618034 is a (slightly rounded) root to a quadratic equation with integer coefficients, one may apply the LLL reduction to the lattice in $R^4$ spanned by $[1,0,0,10000r^2]\; ,\; [0,1,0,10000r]\; ,$ and $[0,0,1,10000]$. The first vector in the reduced basis will be an integer linear combination of these three, thus necessarily of the form $[a,b,c,10000(ar^2+br+c)]$; but such a vector is "short" only if a,b,c are small and $ar^2+br+c$ is very small. Thus the first three entries of this short vector are likely to be the coefficients of the integral quadratic polynomial which has r as a root. (In this application the LLL algorithm finds the shortest vector to be [1, -1, -1, 0.00025] and indeed $x^2-x-1$ has a root equal to 1.6180339887...)

Implementations

LLL is implemented in
* [http://www.unn.ru/cs/arageli/ Arageli] as the function "lll_reduction_int"
* [http://perso.ens-lyon.fr/damien.stehle/english.html fpLLL] as a stand-alone implementation
*GAP as the function "LLLReducedBasis"
* [http://www.informatik.tu-darmstadt.de/TI/LiDIA/ LiDIA] LT package as the function/method "lll"
*Macaulay2 as the function "LLL". (One must load the package "LLLBases")
*Magma as the functions "LLL" and "LLLGram" (taking a gram matrix)
*Maple as the function "IntegerRelations [LLL] "
*Mathematica as the function "LatticeReduce"
*PARI/GP as the function "qflll"
*SAGE as the method "LLL" driven by fpLLL and NTL
* [http://shoup.net/ntl Number Theory Library (NTL)] as the function "LLL"

References

*cite journal
author = Lenstra, A. K.; Lenstra, H. W., Jr.; Lovász, L.
title = Factoring polynomials with rational coefficients
journal = Mathematische Annalen
volume = 261
year = 1982
issue = 4
pages = 515–534
url = http://hdl.handle.net/1887/3810
doi = 10.1007/BF01457454
id = MathSciNet | id = 0682664

*cite book
last = Yap
first = Chee-Keng
title = Fundamental Problems of Algorithmic Algebra
url = http://www.cs.nyu.edu/yap/book/berlin/
accessdate = 2008-08-25
year = 2000
publisher = Oxford University Press
location = Oxford, New York
isbn = 0-19-512516-9
pages = pp. 219-257
chapter = Chap. 8 Gaussian Lattice Reduction - Chap. 9 Lattice Reduction and Applications

*Borwein, Peter. Computational Excursions in Analysis and Number Theory (ISBN 0-387-95444-9).