Average Time Fast SVP and CVP Algorithmsfor Low Density Lattices andthe Factorization of Integers

Claus P. SCHNORR

Fachbereich Informatik und MathematikGoethe-UniversitätFrankfurt am Main

B-IT Bonn, 27-29.5. 201060 Birthday of Joachim von zur Gathen

Road map 2

I Outline of the new SVP / CVP algorithm

II Time bound of SVP/CVP algorithm for low density lattices

III Factoring integers via "easy" CVP solutions

IV Partial analysis of the new SVP / CVP algorithm

References

There is a TR available athttp://www.mi.informatik.uni-frankfurt.de/research/papers.html

We focus on novel proof elements that are not covered bypublished work and outline sensible heuristics towardspolynomial time factoring of integers.

I: Lattices, QR-decomposition, LLL-bases 3

lattice basis B = [b1, . . . , bn] ∈ Zm×n

lattice L(B) = {Bx | x ∈ Zn}norm ‖x‖2 = 〈x, x〉 =

∑mi=1 x2

i

SV-length λ1(L) = min{‖b‖ | b ∈ L\{0}}

QR-decomposition B = QR ⊂ Rm×n such that• the GNF — geom. normal form — R = [ri,j ] ∈ Rn×n is

uppertriangular, ri,j = 0 for j < i and ri,i > 0, ( ri,i = ‖b∗i ‖ )• Q ∈ Rm×n isometric: QtQ = In.

LLL-basis B = QR for δ ∈ (14 , 1] (Lenstra, Lenstra, Lovasz 82):

1. |ri,j | ≤ 12 ri,i for all j > i (size-reduced) ( ri,j/ri,i = µj,i )

2. δ r2i,i ≤ r2

i,i+1 + r2i+1,i+1 for i = 1, . . . , n − 1.

3. α−i+1 ≤ ‖bi‖2λ−2i ≤ αn−1 for i = 1, ..., n,

4. ‖b1‖2 ≤ αn−1

2 (detL)2/n, where α = 1/(δ − 14).

I: Recall ENUM 1994/95 4

Let Lt = L(b1, ..., bt−1) and πt : span(L) → span(Lt)⊥ for

t = 1, ..., n denote the orthogonal projection.

Stage (ut, ..., un) of ENUM.

b :=∑n

i=t uibi ∈ L and ut , ..., un ∈ Z are given. The stagesearches exhaustively for all

∑t−1i=1 uibi ∈ L such that

‖∑n

i=1 uibi‖2 ≤ A holds for some A ≥ λ21. Obviously

‖∑n

i=1 uibi‖2 = ‖ζt +∑t−1

i=1 uibi‖2 + ‖πt(b)‖2,goal: ≤ A to be minimized spent

where ζt := b− πt(b) ∈ spanLt is the orthogonal projection ofthe given b =

∑ni=t uibi .

Stage (ut , ..., un) exhausts Bt−1(ζt , ρt) ∩ Lt whereBt−1(ζt , ρt) ⊂ spanLt is the sphere of dimension t − 1 withcenter ζt and radius ρt := (A− ‖πt(b)‖2)1/2.

I: The success rate βt of stages 5

The GAUSSIAN volume heuristics estimates |Bt−1(ζt , ρt) ∩ Lt | toβt =def volBt−1(ζt , ρt)/ detLt .

Here volBt−1(ζt , ρt) = ρt−1t−1 Vt−1, Vt = π

t2 /( t

2)! ≈ (2eπt )

t2 /√

πtis the volume of the unit sphere of dimension t ,

detLt =∏t−1

i=1 ri,i , ρ2t := A− ‖πt(

∑ni=t uibi)‖2.

We call βt the success rate of stage (ut , ..., un).

If ζt mod Lt is uniformly distributed over the parallelepipedPt := {

∑t−1i=1 ribi |0 ≤ r1, ..., rt−1 < 1}

then Eζt [ |Bt−1(ζt , ρt) ∩ Lt | ] = βt for ζt ∈R Pt ,because 1/ detLt is the number of points of Lt per volume.

The center ζt = b− πt(b) ∈ spanLt changes rapidly within NEW

ENUM. It is natural to assume that ζt ∈ span(Lt) distributesnearly randomly, and thus the estimate |Bt−1(ζt , ρt) ∩ Lt | ≈volBt−1(ζt , ρt)/ detLt of the vol. heur. holds on the average.

I: Outline of New Enum for SVP 6

INPUT LLL-basis B = QR ∈ Zm×n, R ∈ Rn×n, A := n4(det BtB)2/n,

OUTPUT a sequence of b ∈ L(B) of decreasing length‖b‖2 ≤ A terminating with ‖b‖ = λ1.

1. s := 1, L := ∅, (we call s the level)2. Perform algorithm ENUM [SE94] pruned to stages with βt ≥ n−s:

Upon entry of stage (ut , ..., un) compute βt . If βt < n−s delaythis stage and store (βt , ut , ..., un) in the list L of delayed stages.Otherwise perform stage (ut , ..., un) on level s, and as soon assome non-zero b ∈ L of length ‖b‖2 ≤ A has been foundgive out b and set A := ‖b‖2 − 1. Recompute the stored βt .

3. Perform and delete the stages (ut , ..., un) of L with βt ≥ n−s−1

in increasing order of t and for fixed t in order of decreasing βt .Collect the called substages (ut ′ , ..., ut , ..., un) with βt ′ < n−s−1

in L. IF L = ∅ THEN terminate by exhaustion.4. s := s + 1, GO TO 3

II: Optimizing the implementation 7

We efficiently approximate βt using floating point arithmetic.

The space reservations for the list L are quite expensivecompared to the modest arithmetic costs per stage.

The condition βt < n−s has been tested in practice. It replacesour original condition βt < 2−s. This reduces the list L and thenumber of list operations.

For the final exhaustive search that proves ‖b‖ = λ1 thesuccess rate and the list operations can be suppressed, theymerely slows down the computation.

The start of the final exhaustion can be guessed: if no shortervector comes up for an extended period then most likely thelast output b has length λ1.

II: Time Bound for the SVP algorithm 8

Def. The relative density of L: rd(L) := λ1γ−1/2n (detL)−1/n

rd(L) = λ1(L)/ max λ1(L′) holds for the maximum of λ1(L′)over all lattices L′ of dimL′ = n and detL = detL′.

The HERMITE constant γn = max{λ21/ det(L)2/n | dim L = n}.

We always have λ21 = rd(L)2 γn (detL)2/n.

Theorem 1 Given a lattice basis satisfying GSA and‖b1‖ ≤

√eπ nb λ1, b ≥ 0, NEW ENUM solves SVP in time

2O(n)(n1/2+brd(L))n/4. In particular in time 2O(n)nn/8 for b = 0.

The 2O(n) factor disappears under the volume heuristics.

GSA : Let B = QR = Q[ri,j ] satisfy (for ri,i = ‖b∗i ‖):r2i,i/r2

i−1,i−1 = q for i = 2, ..., n and some q > 0.

W.l.o.g. let q < 1, otherwise ‖b1‖ = λ1.The condition ‖b1‖ ≤

√eπ nb λ1 can "easily" be met for CVP.

II: Polynomial SVP time under the vol. heuristics 9

Finding an unproved shortest vector b′ is easier than proving‖b′‖ = λ1. We study the time to find an SVP-solution b′ withoutproving λ1 = ‖b′‖ under the assumption:

SA ‖πt(b′)‖2 ≈ n−t+1n λ2

1 holds for all t and NEW ENUM’sSVP-solution b′, where πt(b′) ∈ span(b1, ..., bt−1)

⊥.

Proposition 1. Let a lattice basis be given that satisfies GSA,‖b1‖ ≤

√eπ/2 nbλ1 and rd(L) ≤ n−

1+2b4 . If NEW ENUM finds a

shortest lattice vector b′ satisfying SA it finds b′, withoutproving ‖b′‖ = λ1, under the vol. heuristics in polynomial time.

Polynomial time holds for b = 0, rd(L) ≤ n−1/4. But the time toprove ‖b′‖ = λ1 is under the vol. heuristics Θ(n

12 rd(L))n/4.

II: Polynomial CVP time under the vol. heuristics 10

Corollary 1. Given t ∈ Rn and B of L(B) satisfying GSA, if‖b1‖ = λ1 and rd(L) ≤ n−1/2 then NEW ENUM solves the CVP‖t− b‖ = ‖t− L‖ under the volume heuristics in poly-time.

A random center ζ = πt(t) of Bn(ζ, ρ) provides a good basis forthe volume heuristics, much better than for solving SVP wherethe center ζ = 0 nearly maximizes |Bn(ζ, ρ) ∩ L|.

We adjust the assumption SA from SVP to CVP:

CA Let ‖πt(t− b̈)‖2 ≈ n−t+1n ‖t− L‖2 hold for all t and

NEW ENUM’s CVP-solution b̈.

Corollary 2. Let B = [b1, ..., bn] in Zm×n satisfy GSA,‖b1‖ = O(λ1) and let b̈ satisfy CA for B, t. If rd(L) = o(n−1/4)and ‖t− L‖ = O(λ1) then NEW ENUM finds the CVP-solutionb̈ ∈ L under the volume heuristics in polynomial time, butwithout proving ‖t− b̈‖ = ‖t− L‖.

III: Factoring integers via CVP solutions 11

Let N be a positive integer that is not a prime power. Letp1 < · · · < pn enumerate all primes less than (ln N)α. Then

n = (ln N)α/(α ln ln N + O(1)).Let the prime factors p of N satisfy p > pn.

We show how to factor N by solving "easy" CVP’s for the primenumber lattice L(B), basis matrix B = [b1, . . . , bn] ∈ R(n+1)×n :

B =

√

ln p1 0 0

0. . . 0

0 0√

ln pnNc ln p1 · · · Nc ln pn

, N =

0...0

Nc ln N ′

,

and the target vector N ∈ Rn+1, where either N ′ = N orN ′ = N pn+j for one of the next n primes pn+j > pn, j ≤ n.

Lemma 5.3 [ MG02] λ21 ≥ 2c ln N.

rd(L) = o(n−1/4) for c = (ln N)β , some α > 2β + 2, β > 0.

III: Outline of the factoring method from [S93/91] 12

We identify the vector b =∑n

i=1 eibi ∈ L(B) with the pair (u, v)

of integers u =∏

ej>0 pejj , v =

∏ej<0 p−ej

j ∈ N.

Then u, v are free of primes larger than pn and gcd(u, v) = 1.

We compute vectors b =∑n

i=1 eibi ∈ L(B) close to N such that

|u − vN ′| < pn. The prime factorizations |u − vN ′| =∏n

i=1 pe′ii

and u =∏

ej>0 pejj yield for "suitable" α, c a non-trivial relation∏

ei>0 peii = ±

∏ni=1 pe′i

i mod N. (7.1)Given n + 1 independent relations (7.1) we write these relations

with p0 = −1 and ei,j , e′i,j ∈ N as∏n

i=0 pei,j−e′i,ji = 1 mod N

for j = 1, ..., n + 1. Any non-trivial solution z1, ..., zn+1 ∈ Z of∑n+1j=1 zj(ei,j − e′i,j) = 0 mod 2, i = 0, ..., n

solves X 2 = 1 mod N by X =∏n

i=0 p12

Pn+1j=1 zj (ei,j−e′i,j )

i mod N.Hence gcd(X ± 1, N) factors N if X 6= ±1 mod N.

V: Vectors b ∈ L closest to N yield relations (7.1) 13

An integer z is called y -smooth, if all prime factors p of zsatisfy p ≤ y . Let N ′ be either N or Npn+j for one of the next nprimes pn+j > pn. We denote

Mα,c,N ={

(u, v) ∈ N2 u ≤ Nc , |u − vN ′| = 1, Nc−1/2 < v < Nc−1

u, v are squarefree and (ln N)α−smooth

}.

Theorem 4 [S93/91] If the equation |u − du/NcN| = 1 is forrandom u of order Nc nearly statistically independent from theevent that u, du/Nc are squarefree and (ln N)α-smooth thenMα,c,N 6= ∅ holds if α

α−2β−2 < c ≤ (ln N)β and α > 2β + 2.

Theorem 4 extends the result of [S93/91] from a constant c > 0to c = (ln N)β , required for rd(L) = o(n1/4).

Theorem 5 The vector b =∑n

i=1 eibi ∈ L(B) closest to Nprovides a non-trivial relation (7.1) provided that Mα,c,N 6= ∅.

V: Solving the CVP’s for factoring N in poly-time 14

Theorem 6 If ‖b1‖ = O(λ1) and Mα,c,N 6= ∅ for c = (ln N)β ,α > 2β + 2 we can minimize ‖L(B)− N‖ under GSA, CA andthe volume heuristics in polynomial time.

Proof. It follows from Mα,c,N 6= ∅ for N ′ ∈ {N, Npn+j} that‖L − N‖2 ≤ (2c − 1) ln N ′ + 1 = (2c − 1 + o(1)) ln N.

Lemma 5.3 of [MG02] proves that λ21 ≥ 2c ln N −Θ(1)

[ λ21 = 2c ln N + O(1) holds if 0 < α

α−2β−2 < c ≤ (ln N)β . ]

rd(L) = λ1/(√

γn(detL)1n ) .

(2eπ 2c ln N(ln N)α

) 12

= O(c ln N)(1−α)/2 = O((ln N)1−α).We have for c = (ln N)β , α > 2β + 2 that 2c ln N

(ln n)α = o(n−1/2)

Hence rd(L) = o(n−1/4). �

III: Providing a nearly shortest vector for L(B) 15

For solving ‖t− b̈‖ = ‖t− L‖ heur. in poly-time Theorem 6requires some ‖b1‖ = O(λ1).

We extend the prime number basis B and L(B) by a nearlyshortest lattice vector for the extended lattice, preserving rd(L),det(L) and the structure of the lattice.

We extend the prime base by a prime p̄n+1 of order Θ(Nc) suchthat |u − p̄n+1| = O(1) holds for a squarefree (ln N)α-smooth u.Then ‖

∑i eibi − bn+1‖2 = 2c ln N + O(1) holds for u =

∏i pei

iand the additional basis vector bn+1 corresponding to p̄n+1.∑

i eibi − bn+1 is a nearly shortest vector of L(b1, ..., bn+1).

Efficient construction of p̄n+1 . Generate random u =∏

i piand test the nearby p̄ for primality. p̄n+1 and bn+1 can be foundin probabilistic polynomial time if the density of primes near theu is not exceptionally small. A single p̄n+1 can be used to solveall CVP’s for the factorization of all integers of order Θ(N).

IV: Proof of Theorem 1 16

Theorem 1 Given a lattice basis satisfying GSA and‖b1‖ ≤

√eπ nb λ1, b ≥ 0, NEW ENUM solves SVP in time

2O(n)(n1/2+brd(L))n/4.

NEW ENUM essentially performs stages in decreasing order ofthe success rate βt . Let b′ =

∑ni=1 u′i bi ∈ L denote the unique

vector of length λ1 that is found by NEW ENUM.Let β′t be the success rate of stage (u′t , ..., u′n).

NEW ENUM performs stage (u′t , ..., u′n) prior to all stages(ut , ..., un) of success rate βt ≤ 1

nβ′t

Simplifying assumption. We assume that NEW ENUMperforms stage (u′t , ..., u′n) prior to all stages of success rateβt < β′t , ( i.e., ρt < ρ′t ).By definition ρ2

t = A− ‖πt(b)‖2 and ρ′t2 = A− ‖πt(b′)‖2.

Without using the simplifying assumption, the proven timebound of Theorem 4.1 increases at most by the factor n.

IV: A proven version of the volume heuristics 17

Consider the number Mt of stages (ut , ..., un) with‖πt(

∑ni=t uibi)‖ ≤ λ1: Mt := #

(Bn−t+1(0, λ1) ∩ πt(L)

).

Modulo the heuristic simplifications Mt covers the stages thatprecede (u′t , ..., u′n) and those that finally prove ‖b′‖ = λ1.

Lemma 1 Mt ≤ en−t+1

2∏n

i=t(1 +√

8π λ1√n−t+1 ri,i

).

The proof uses the method of Lemma 1 of MAZO, ODLYZKO

[MO90] and follows the adjusted proof of inequality (2) insection 4.1 of HANROT, STEHLÉ [HS07].

Now r2i,i = ‖b1‖2qi−1, λ2

1/(γn rd(L)2) = (det L)2n = ‖b1‖2q

n−12

hold by GSA and thus γn ≥ n2 eπ directly imply for i = t , ..., n

√n − t + 1 ri,i ≤

√2eπ rd(L)−1λ1 q(2i−n−1)/4.

By Lemma 1 Mt ≤∏n

i=te√

π rd(L)−1 λ1 q(2i−n−1)/4+√

8eπ λ1√n−t+1 ri,i

(4.0)

IV: Proof of Theorem 1 continued 18

For the remainder of the proof let t := n2 + 1− c and

m(q, c) := [if c > 0 then q1−c2

4 else 1]. Then

Mt ≤ m(q, c)( (2+

√e)√

2eπ λ1√n−t+1 rd(L)

)n−t+1/ det πt(L), (4.1)

where m(q, c) = q1−c2

4 = q−14

Pci=0(2i−1) covers in (4.0) the

factors q2i−n−1

4 > 1 for t < i < n2 + 1.

We see from (4.1) and det πt(L) = ‖b1‖n−t+1qPn

i=ti−1

2 that

Mt ≤ m(q, c)( (2+

√e)√

2eπ√n−t+1

λ1b1‖rd(L)

)n−t+1/q

Pn−1i=t−1 i/2 (4.2)

The [KL78] bound γn ≤ 1.744 (n+o(n))2eπ ≤ n

eπ for n ≥ n0 and1

n−1∑n−1

i=t−1 i = n2 −

(t−1)(t−2)2(n−1) and q

n−12 = λ2

1/(‖b‖2γn rd(L)2)

showMt ≤ m(q, c)

( (2+√

e)√

2eπ λ1√n−t+1 rd(L) ‖b1‖

)n−t+1(√n rd(L) ‖b1‖√eπ λ1

)n− (t−1)(t−2)n−1 .

IV: End of Proof of Theorem 1 19

The difference of the exponentsde(t) = n − (t−1)(t−2)

n−1 − n + t − 1 = (t − 1)(1− t−2n−1) is positive

for t ≤ n and de(n2 + 1− c) = n2/4−c2

n−1 . Hence for‖b1‖ ≤

√eπ nb λ1 and all t ≤ n :

Mt ≤ m(q, c)((√

8 +√

2e)√

nn−t+1)n−t+1 (

n12 +brd(L)

) n2/4−c2

n−1

For c > 0, t ≤ n2 we have

m(q, c) = q1−c2

4 =(‖b1‖

√γn rd(L)λ1

) c2−1n−1 ≤ (n

12 +brd(L))

c2−1n−1 , and

thus : Mt ≤ (4 + 2√

e)n−t+1 (n

12 +brd(L)

) n2/4−1n−1 =

2O(n)(n

12 +brd(L)

) n+14 , where n2/4−1

n−1 ≤ n+14 .

For c ≤ 0, t > n2 we have

Mt ≤((√

8 +√

2e)√

nn−t+1

)n−t+1 (n

12 +brd(L)

) n2/4n−1

= 2O(n)(n

12 +brd(L)

) n+24 where n2/4

n−1 ≤ n+24 . �

II: Failings of the volume heuristics 20

MAZO, ODLYZKO [MO90] show for the lattice L = Zn :#{x ∈ Zn | ||x‖2 ≤ an} = 2Θ(n)

for a0 ≤ a ≤ 12eπ and any a0 > 0,

whereas the vol. heuristics estimates this cardinality to O(1).

The center ζ = 0 of the sphere is bad for the vol. heur.:It can nearly maximize |Bn(ζ, ρ) ∩ L|.

NEW ENUM for SVP tries to keep the center ζt = b− πt(b)∈span Lt close to 0 ∈ Rt−1. Can this in practice generatesubstantial errors of the volume heuristics?.NEW ENUM for CVP keeps for center ζt = b− t− πt(b− t)close to πt(t). For random t this better justifies the volumeheuristics in the analysis of NEW ENUM for CVP.

II: Ajtai’s worst case / average case equivalence 21

5.2 nc-unique-SVP lattices: every lattice vector that is linearlyindependent of a shortest nonzero lattice vector has at leastlength λ1nc for some c > 1, i.e., λ2 ≥ λ1nc .

Proposition 1 shows that all nc-unique-SVP’s can be solvedunder GSA and the volume heuristics in polynomial time givena very short lattice vector.

5.3 Ajtai’s worst case / average case equivalence. AJTAI

[Aj96, Thm 1] solves every nc-unique-SVP using an oracle thatsolves SVP for a particular random lattice. However, allnc-unique-SVP’s are somewhat easy. This makes the worstcase / average case equivalence suspicious.

[MR07] reduces nc in Ajtai’s reduction to n lnO(1) n.

Refences 22

Ad95 L.A. Adleman, Factoring and lattice reduction.Manuscript, 1995.

AEVZ02 E. Agrell, T. Eriksson, A. Vardy and K. Zeger,Closest point search in lattices. IEEE Trans. onInform. Theory, 48 (8), pp. 2201–2214, 2002.

Aj96 M. Ajtai, Generating hard instances of latticeproblems. In Proc. 28th Annual ACM Symposiumon Theory of Computing, pp. 99–108, 1996.

AD97 M. Ajtai and C. Dwork, A public-key cryptosystemwith worst-case / average-case equivalence. InProc 29-th STOC, ACM, pp. 284–293, 1997.

AKS01 AKS01M. Ajtai, R. Kumar and D. Sivakumar, Asieve algorithm for the shortest lattice vectorproblem. In Proc. 33th STOC, ACM, pp. 601–610,2001.

Ba86 L. Babai, On Lovasz’ lattice reduction and thenearest lattice point problem. Combinatorica 6 (1),pp.1–13, 1986.

References 23

BL05 J. Buchmann and C. Ludwig, Practical lattice basissampling reduction. eprint.iacr.org, TR 072, 2005.

Ca98 Y.Cai, A new transference theorem andapplications to Ajtai’s connection factor. ECCC,Report No. 5, 1998.

CEP83 E.R. Canfield, P. Erdös and C. Pomerance, On aproblem of Oppenheim concerning "FactorisatioNumerorum". J. of Number Theory, 17, pp. 1–28,1983.

CS93 J.H. Conway and N.J.A. Sloane, Sphere Packings,Lattices and Groups. third edition,Springer-Verlag1998.

FP85 U. Fincke and M. Pohst, Improved methods forcalculating vectors of short length in a lattice,including a complexity analysis. Math. of Comput.,44, pp. 463–471, 1985.

Refences 24

GN08 N. Gama and P.Q. Nguyen, Predicting latticereduction, in Proc. EUROCRYPT 2008, LNCS4965, Springer-Verlag, pp. 31–51, 2008.

HHHW09 P.Hirschhorn, J. Hoffstein, N. Howgrave-Graham,W. Whyte, Choosing NTRUEncrypt parameters inlight of combined lattice reduction and MITMapproaches. In Proc. ACNS 2009, LNCS 5536,Springer-Verlag,pp. 437–455, 2009.

HPS98 J. Hoffstein, J. Pipher and J. Silverman, NTRU: Aring-based public key cryptosystem. In Proc.ANTS III, LNCS 1423, Springer-Verlag, pp.267–288, 1998.

H07 N. Howgrave-Graham, A hybrid lattice–reductionand meet-in-the-middle attiack against NTRU. InProc, CRYPTO 2007, LNCS 4622,Springer-Verlag, pp. 150–169, 2007.

Refences 25

HS07 G. Hanrot and D. Stehlé, Improved analysis ofKannan’s shortest lattice vector algorithm. In Proc.CRYPTO 2007, LNCS 4622, Springer-Verlag,pp.170–186, 2007.

HS08 G. Hanrot and D. Stehlé, Worst-caseHermite-Korkine-Zolotarev reduced lattice bases.CoRR, abs/0801.3331,http://arxix.org/abs/0801.3331.

Ka87 R. Kannan, Minkowski’s convex body theorem andinteger programming. Math. Oper. Res., 12, pp.415–440, 1987.

KL78 G.A.Kabatiansky and V.I. Levenshtein, Bounds forpacking on a sphere and in space. Problems ofInformation Transmission, 14, pp. 1–17, 1978.

LLL82 H. W. Lenstra Jr., , A. K. Lenstra, and L. Lovász ,Factoring polynomials with rational coefficients,Mathematische Annalen 261, pp. 515–534, 1982.

Refences 26

L86 L. Lovász, An Algorithmic Theory of Numbers,Graphs and Convexity, SIAM, 1986.

LM09 V. Lubashevsky and D. Micciancio, On boundeddistance decoding, unique shortest vectors andthe minimum distance problem. In Proc. CRYPTO2009, LNCS 5677, Springer-Verlag, pp. 577–594,2009.

MO90 J. Mazo and A. Odlydzko, Lattice points inhigh-dimensional spheres. Monatsh. Math. 110,pp. 47–61, 1990.

M04 D. Micciancio, Almost perfect lattices, the coveringradius problem, and applications to Ajtai’sconnection factor. SIAM J. on Computing, 37(1),pp. 118–169, 2004.

Refences 27

MR07 D. Micciancio and O. Regev, Worst-case toaverage-case reduction based on gaussianmeasures. SIAM J. on Computing, 37(1), pp.267–302, 2007.

MG02 D. Micciancio and S. Goldwasser, Complexity ofLattice Problems: A Cryptographic Perspective.Kluwer Academic Publishers, Boston, London,2002.

NS06 P.Q. Nguyen and D. Stehlé, LLL on the average. InProc. of ANTS-VII, LNCS 4076, Springer-Verlag,2006.

N10 P.Q. Nguyen, Hermite’s Constant and LatticeAlgorithms. in The LLL Algorithm, Eds. P.Q.Nguyen, B. Vallée, Springer-Verlag, Jan. 2010.

S87 C.P. Schnorr, A Hierarchy of Polynomial TimeLattice Basis Reduction Algorithms. Theoret.Comput. Sci., 53, pp. 201–224, 1987.

References 28

S93 C.P.Schnorr, Factoring integers and computingdiscrete logarithms via Diophantine approximation.In Advances in Computational Complexity, AMS,DIMACS Series in Discrete Mathematics andTheoretical Computer Science, 13, pp. 171–182,1993. Preliminary version in Proc.EUROCRYPT’91, LNCS 547, Springer-Verlag,pp.281–293, 1991.//www.mi.informatik.uni-frankfurt.de.

SE94 C.P. Schnorr and M. Euchner, Lattce basisreduction: Improved practical algorithms andsolving subset sum problems. MathematicalProgramming 66, pp. 181–199, 1994.

SH95 C.P. Schnorr and H.H. Hörner, Attacking theChor–Rivest cryptosystem by improved latticereduction. In Proc. EUROCRYPT’95, LNCS 921,Springer-Verlag, pp. 1–12, 1995.

References 29

S03 C.P. Schnorr, Lattice reduction by sampling andbirthday methods. Proc. STACS 2003: 20thAnnual Symposium on Theoretical Aspects ofComputer Science, LNCS 2007, Springer-Verlag,pp. 146–156, 2003.

S06 C.P. Schnorr, Fast LLL-type lattice reduction.Information and Computation, 204, pp. 1–25,2006.

S07 C.P. Schnorr, Progress on LLL and latticereduction, Proceedings LLL+25, Caen, June29–July 1, 2007, Final version in: The LLLAlgorithm Survey and Applications. Eds. P.Q.Phong and B. Vallée, Springer Verlag, pp.145–178, 2010.