Basic Segment LLL

Segment LLL uses an idea of Sch¨onhage [71] to do most of the LLL-reduction locally in segments of low dimensionkusingklocal coordinates. It guarantees that the determinants of the segments do not decrease too fast, see Definition 5. Here, we present the basic algorithm SLLL0. Theorem 12 bounds the number of local LLL-reductions within SLLL0. Lemma 4 and Corollary 5 bound the norm of and the fpa-errors induced by local LLL-transforms. The algorithm SLLL0is faster by a factorn in the number of arithmetic steps compared to LLLH, but uses longer integers and fpa numbers, a drawback that will be repaired by SLLL.

Segments and local coordinates. Let the basis B D Œb1; : : : ;bn 2 Z^{m n} have dimension n D k h and GNF R 2 R^{n n}. We partition B into m seg-mentsBl;k D ŒblkkC1; : : : ;blkforl D 1; : : : ; h. Local LLL-reduction of two consecutive segments Bl;k; BlC1;k is done in local coordinates of the principal submatrix

R_l;kWDŒr_{lkCi;lkCjk<i;jk} 2R^{2k 2k}

ofR. LetH D Œh1; : : : ;hn D Œhi;j 2 R^{m n}be the lower triangular matrix of Householder vectors andHl;k D ŒhlkCi;lkCjk<i;jk H, the submatrix for Rl;k. We control the calls, and minimize the number of local LLL-reductions of the Rl;kby means of the local squared determinant ofBl;k

Dl;kDdefkqlkkC1k² kqlkk²:

We havedlkD kq1k² kqlkk² DD1;k Dl;k. Moreover, we will use D^.k/ D_def

h1Y

lD1

dlkD

h1Y

lD1

D_l;k^hl; M_l;k D_def max

lkk<ijlkCkkqik=kqjk:

For the input basisBDQR, we denoteM1WDmax1ijnkqik=kqjk.Ml;kis theM1-value ofRl;k when callinglocLLL.Rl;k/; obviouslyMl;k M1. Recall thatM Dmax.d1; : : : ; dn; 2ⁿ/.

Definition 4. A basis b1; : : : ;bn 2 Z^m,n D kh, is an SLLL0-basis (or SLLL0 -reduced) for givenk,ı ²,˛D1=.ı³₄/if it is size-reduced and

1. ıkqik²²_iC1;ikqik²C kqiC1k²fori2Œ1; n1nkZ, 2.Dl;k .˛=ı/^k2DlC1;kforlD1; : : : ; h1.

Size-reducedness under fpa is defined by clause 1 of Theorem 5. Segment Bl;k of an SLLL0-basis is LLL-reduced in the sense that the k k-submatrix ŒrlkCi;lkCjk<i;j0 Ris LLL-reduced. Clause 1 does not bridge distinct seg-ments since the i 2 kZ are excepted. Clause 2 relaxes the inequality Dl;k

˛^k2DlC1;k of LLL-bases, and this makes it possible to bound the number of local LLL-reductions, see Theorem 12.

We could have used two independentı-values for the two clauses of Definition 4.

Theorem 9 shows that the first vector of an SLLL0-basis of latticeLis almost as short relative to.detL/¹⁼ⁿas for LLL-bases.

Theorem 9. Theorem 3 of [70].kb1k .˛=ı/ⁿ⁴¹.detL/¹ⁿ holds for all SLLL0 -bases b1; : : : ;bn.

The dual of Theorem 9. Clause 2 of Definition 4 is preserved under duality. If it holds for a basis b1; : : : ;bn, it also holds for the dual basis b₁; : : : ;b_nof the lattice L. We havekb₁k D kqnk¹and det.L/D.detL/¹. Hence, Theorem 9 implies that every SLLL0-basis satisfies kqnk .ı=˛/ⁿ⁴¹.detL/¹ⁿ.

Local LLL-reduction. The procedure locLLL.Rl;k/of [S06] locally LLL-reducesRl;k R givenHl;k H. Initially, it produces a copy Œb⁰₁; : : : ;b⁰_2k ofRl;k. It LLL-reduces the local basisŒb⁰₁; : : : ;b⁰_2kconsisting of fpa-vectors. It updates and stores the local transform Tl;k 2 Z^{2k 2k} so that Œb⁰₁; : : : ;b⁰_2k D Rl;kTl;k always holds for the current local basisŒb⁰₁; : : : ;b⁰_2kand the initialRl;k, e.g., it does col.l⁰; Tl;k/WDcol.l⁰; Tl;k/col.i; Tl;k/along with b⁰_l0WDb⁰_l0b⁰_i withinTriCol_l. It freshly computes b⁰_l0from the updatedTl;k. Using a correctTl;k

this correction of b⁰_l0limits fpa-errors of the local basis, see Corollary 5. Local LLL-reduction ofRl;k is done in local coordinates of dimension2k. A local LLL-swap merely requiresO.k²/arithmetic steps and update ofRl;k, local triangulation and size-reduction viaTriCol_l included, compared toO.nm/arithmetic steps for an LLL-swap in global coordinates.

SLLL0-algorithm. SLLL0transforms a given basis into an SLLL0-basis. It iter-ateslocLLL.R_l;k/for submatricesR_l;k R, followed by a global update that transports T_l;k to B and triangulates B_l;k; B_l;kC1 via TriSeg_l;k. Transporting T_l;k toB; R; T_1;n=2 and so on means multiplying the submatrix consisting of2k columns ofB; R; T1;n=2corresponding toRl;kfrom the right byTl;k.

SLLL0

INPUT b₁; : : : ;b_n2_Z^d(a basis withM0; M1; M), k; m; ı OUTPUT b1; : : : ;bn SLLL0-basis fork,ı

WHILE 9l; 1l < msuch that either Dl;k > .˛=ı/^k2DlC1;k

or TriSeg_l;khas not yet been executed

DO for the minimal suchl:TriSeg_l;k,locLLL.R_l;k/

# global update:ŒB_l;k; B_lC1;kWDŒB_l;k; B_lC1;k T_l;k,TriSeg_l;k. The procedureTriSeg_l;ktriangulates and size-reduces two adjacent segments Bl;k; BlC1;k. Given thatBl;k; BlC1;kand h1; : : : ;hlkk, it computesŒrlkkC1; : : : ; rlkCkRandŒhlkkC1; : : : ;hlkCkH.

TriSeg_l;k

1. FOR l⁰DlkkC1; : : : ; lkCk DO TriColl0 (including updates ofTl;k) 2. Dj;kWDQk1

iD0r_kj²_i;kji forj Dl; lC1.

Correctness in ideal arithmetic. All inequalitiesDl;k .˛=ı/^k2DlC1;k hold upon termination of SLLL0. All segmentsBl;kare locally LLL-reduced and glob-ally size-reduced, and thus, the terminal basis is SLLL0-reduced.

The number of rounds of SLLL0. Let #k denote the number ofloclll.R_l;k /-executions as a result of Dl;k > .˛=ı/^k2DlC1;k for alll. The firstloclll.Rl;k /-executions for eachlare possibly not counted in #k; this yields at mostn=k1 additional rounds.

#kcan be bounded by the Lov´asz volume argument.

Theorem 10. Theorem 4 of [70]. #k 2 n k³log_1=ıM.

All intermediateMl;k-values within SLLL0 are bounded by the M1-value of the input basis of SLLL0. Consider the local transform Tl;k 2 Z^{2k 2k} within locLLL.Rl;k/. LetkTl;kk1denote the maximalk k1-norm of the columns ofTl;k. Lemma 4. [70] WithinlocLLL.Rl;k/we havekTl;kk16k.³₂/^2kMl;k.

Next considerlocLLL.Rl;k/under fpa, based on the iterative fpa-version of TriCol_l. LetkŒri;jkF D.P

i;jr_i;j² /¹⁼²denote the Frobenius norm. [S06] shows Corollary 4. [fpa-Heur.]

1. WithinlocLLL.Rl;k/the currentR⁰_l;k WDRl;kTl;kand its approximationRN⁰_l;k satisfyk NR_l;k⁰ R_l;k⁰ kF k NRl;kRl;kkF2^2kMl;kC7nkRl;kkF2^t.

2. LetTriSegl;k andlocLLLuse fpa with precision2^t 2¹⁰d ⁿM₁². IfRNl;k

is computed byTriSegl;kthenlocLLL.RNl;k/computes a correctTl;k so that Rl;kTl;kis LLL-reduced withı.

Theorem 11. Theorem 5 of [70] using fpa-Heur. LetkD.p

n/. Given a basis withM0; M1; M, SLLL0 computes under fpa with precision2^t 2¹⁰m ⁿM₁² an SLLL0-basis forı. It runs in O.nmlog_1=ıM / arithmetic steps using 2nC log₂.M0M₁²/-bit integers.

SLLL0 saves a factornin the number of arithmetic steps compared to LLLH

but uses longer integers and fpa numbers. SLLL0runs forM0 D 2^O.n/, and thus forM D 2^O.n2/, inO.n³m/arithmetic steps usingO.n²/bit integers. Algorithm SLLL of Section “First steps in the Probabilistic Analysis of the LLL Algorithm”

reduces the bit lengthO.n²/toO.n/.