1. LLL reduction

2. LLL algorithm

3. Properties of LLL-reduced basis

4. Example

5. Applications

6. Implementations

7. See also

8. Notes

9. References

The Lenstra–Lenstra–Lovász (LLL) lattice basis reduction algorithm is a polynomial time lattice reduction algorithm invented by Arjen Lenstra, Hendrik Lenstra and László Lovász in 1982.^[1] Given a basis with n-dimensional integer coordinates, for a lattice L (a discrete subgroup of Rⁿ) with , the LLL algorithm calculates an LLL-reduced (short, nearly orthogonal) lattice basis in time

where B is the largest length of under the Euclidean norm.

The original applications were to give polynomial-time algorithms for factorizing polynomials with rational coefficients, for finding simultaneous rational approximations to real numbers, and for solving the integer linear programming problem in fixed dimensions.

LLL reduction

The precise definition of LLL-reduced is as follows: Given a basis

define its Gram–Schmidt process orthogonal basis

and the Gram-Schmidt coefficients

, for any .

Then the basis is LLL-reduced if there exists a parameter in (0.25,1] such that the following holds:

1. (size-reduced) For . By definition, this property guarantees the length reduction of the ordered basis.
2. (Lovász condition) For k = 1,2,..,n .

Here, estimating the value of the parameter, we can conclude how well the basis is reduced. Greater values of lead to stronger reductions of the basis.

Initially, A. Lenstra, H. Lenstra and L. Lovász demonstrated the LLL-reduction algorithm for .

Note that although LLL-reduction is well-defined for , the polynomial-time complexity is guaranteed only

for in .

The LLL algorithm computes LLL-reduced bases. There is no known efficient algorithm to compute a basis in which the basis vectors are as short as possible for lattices of dimensions greater than 4.{{citation needed|date=August 2016}} However, an LLL-reduced basis is nearly as short as possible, in the sense that there are absolute bounds such that the first basis vector is no more than times as long as a shortest vector in the lattice,

the second basis vector is likewise within of the second successive minimum, and so on.

LLL algorithm

The following description is based on {{harv|Hoffstein|Pipher|Silverman|2008|loc=Theorem 6.68}}, with the corrections from the errata.^[2]

INPUT:

a lattice basis ,

parameter with , most commonly

PROCEDURE:

    Perform Gram-Schmidt, but do not normalize:    {{nowrap|}}    {{nowrap|'''Define''' ,}} which must always use {{nowrap|the most current values of .}}    {{nowrap|'''Let''' }}    {{nowrap|'''while'''  '''do'''}}        '''for''' {{mvar|j}}  {{nowrap|'''from'''  '''to''' {{math|0}} '''do'''}}            {{nowrap|'''if'''  '''do'''}}                {{nowrap|}}                Update {{mvar|ortho}} entries {{nowrap|and related 's as needed.}}                 {{anchor|naivemethod}}(The naive method is {{nowrap|to recompute }} {{nowrap|whenever a  changes.}})            '''end if'''        '''end for'''        {{nowrap|'''if'''  '''then'''}}            {{nowrap|}}        '''else'''            {{nowrap|Swap  and .}}            Update {{mvar|ortho}} entries {{nowrap|and related 's as needed.}} (See above comment.)            {{nowrap|}}        '''end if'''    '''end while'''

OUTPUT: LLL reduced basis

Properties of LLL-reduced basis

Let be a -LLL-reduced basis of a lattice . From the definition of LLL-reduced basis, we can derive several other useful properties about .

1. The first vector in the basis cannot be much larger than the shortest non-zero vector: . In particular, for , this gives .^&91;3&93;
2. The first vector in the basis is also bounded by the determinant of the lattice: . In particular, for , this gives .
3. The product of the norms of the vectors in the basis cannot be much larger than the determinant of the lattice: let , then .

Example

The following presents an example due to W. Bosma.^[4]

INPUT:

Let a lattice basis , be given by the columns of

Then according to the LLL algorithm we obtain the following:

and

hence

and

hence and

according to reduction subroutine in step 4:

For EXECUTE reduction subroutine RED(3,1):

For EXECUTE reduction subroutine RED(3,2):

and

Apply a SWAP, continue algorithm with the lattice basis, which is given by columns

Implement the algorithm steps again.

and

then

OUTPUT: LLL reduced basis

Applications

The LLL algorithm has found numerous other applications in MIMO detection algorithms ^[5] and cryptanalysis of public-key encryption schemes: knapsack cryptosystems, RSA with particular settings, NTRUEncrypt, and so forth. The algorithm can be used to find integer solutions to many problems.^[6]

In particular, the LLL algorithm forms a core of one of the integer relation algorithms. For example, if it is believed that r=1.618034 is a (slightly rounded) root to an unknown quadratic equation with integer coefficients, one may apply LLL reduction to the lattice in spanned by and . The first vector in the reduced basis will be an integer linear combination of these three, thus necessarily of the form ; but such a vector is "short" only if a, b, c are small and is even smaller. Thus the first three entries of this short vector are likely to be the coefficients of the integral quadratic polynomial which has r as a root. In this example the LLL algorithm finds the shortest vector to be [1, -1, -1, 0.00025] and indeed has a root equal to the golden ratio, 1.6180339887….

Implementations

LLL is implemented in

• Arageli as the function lll_reduction_int
• [https://github.com/fplll/fplll fpLLL] as a stand-alone implementation
• GAP as the function LLLReducedBasis
• Macaulay2 as the function LLL in the package LLLBases
• Magma as the functions LLL and LLLGram (taking a gram matrix)
• Maple as the function IntegerRelations[LLL]
• Mathematica as the function LatticeReduce
• Number Theory Library (NTL) as the function LLL
• PARI/GP as the function qflll
• Pymatgen as the function analysis.get_lll_reduced_lattice
• SageMath as the method LLL driven by fpLLL and NTL

See also

• Coppersmith method

Notes

References

• {{cite journal|first1=Huguette |last1=Napias

• {{Cite book|last=Cohen|first=Henri|title=A course in computational algebraic number theory|publisher=Springer|year=2000|series=GTM|volume=138|ref=harv|isbn=3-540-55640-0}}
• {{Cite book| last=Borwein | first=Peter | author-link=Peter Borwein | title=Computational Excursions in Analysis and Number Theory | isbn=0-387-95444-9 | year=2002}}
• {{cite journal|first1=Franklin T. |last1=Luk| first2=Sanzheng |last2=Qiao|title=A pivoted LLL algorithm|journal=Lin. Alg. Appl. |year=2011

• {{cite book

• Brazil's Next Top Model, Cycle 1
• Brazil's Next Top Model, Cycle 2
• Brazil's Next Top Model, Cycle 3
• Brazil (song)
• Brazil South Africa relations
• Brazil space agency
• Brazil Spain relations
• Brazil - Spain relations
• Brazil-Spain relations
• Brazil Spring
• Brazil's reaction to the 2008 Kosovo declaration of independence
• Brazil Straker
• Brazil, Straker & Co
• Brazil (surname)
• Brazil-Taiwan relations
• Brazil, Tennessee
• Brazil (The Ritchie Family album)
• Brazil time
• Brazil Township, Indiana
• Brazil Turkey relations
• Brazil - Ukraine relations
• Brazil-Ukraine relations
• Brazil Ukraine relations
• Brazil-UK relations
• Brazil - UK relations