Lattice reduction

In mathematics, the goal of lattice basis reduction is to find a basis with short, nearly orthogonal vectors when given an integer lattice basis as input. This is realized using different algorithms, whose running time is usually at least exponential in the dimension of the lattice.

Nearly orthogonal

One measure of ''nearly orthogonal'' is the orthogonality defect. This compares the product of the lengths of the basis vectors with the volume of the parallelepiped they define. For perfectly orthogonal basis vectors, these quantities would be the same.

Any particular basis of $n$ vectors may be represented by a matrix $B$, whose columns are the basis vectors $b_i, i = 1, \ldots, n$. In the fully dimensional case where the number of basis vectors is equal to the dimension of the space they occupy, this matrix is square, and the volume of the fundamental parallelepiped is simply the absolute value of the determinant of this matrix $\det(B)$. If the number of vectors is less than the dimension of the underlying space, then volume is $\sqrt$. For a given lattice $\Lambda$, this volume is the same (up to sign) for any basis, and hence is referred to as the determinant of the lattice $\det(\Lambda)$ or lattice constant $d(\Lambda)$.

The orthogonality defect is the product of the basis vector lengths divided by the parallelepiped volume;

:$\delta(B) = \frac = \frac$

From the geometric definition it may be appreciated that $\delta(B) \ge 1$ with equality if and only if the basis is orthogonal.

If the lattice reduction problem is defined as finding the basis with the smallest possible defect, then the problem is NP-hard . However, there exist polynomial time algorithms to find a basis with defect $\delta(B) \le c$
where ''c'' is some constant depending only on the number of basis vectors and the dimension of the underlying space (if different). This is a good enough solution in many practical applications.

In two dimensions

For a basis consisting of just two vectors, there is a simple and efficient method of reduction closely analogous to the Euclidean algorithm for the greatest common divisor of two integers. As with the Euclidean algorithm, the method is iterative; at each step the larger of the two vectors is reduced by adding or subtracting an integer multiple of the smaller vector.

The pseudocode of the algorithm, often known as Lagrange's algorithm or the Lagrange-Gauss algorithm, is as follows:

Input: $(u,v)$ a basis for the lattice $L$. Assume that $, , v, , \leq , , u, ,$, otherwise swap them.
Output: A basis $(u,v)$ with $, , u, , = \lambda_1(L), , , v, , = \lambda_2(L)$.

While $, , v, , < , , u, ,$:
$q := \lfloor \rceil$
$r := u - qv$
$u := v$
$v := r$

See the section on Lagrange's algorithm in for further details.

Applications

Lattice reduction algorithms are used in a number of modern number theoretical applications, including in the discovery of a spigot algorithm for $\pi$. Although determining the shortest basis is possibly an NP-complete problem, algorithms such as the LLL algorithm can find a short (not necessarily shortest) basis in polynomial time with guaranteed worst-case performance. LLL is widely used in the cryptanalysis of public key cryptosystems.

When used to find integer relations, a typical input to the algorithm consists of an augmented $n \times n$ identity matrix with the entries in the last column consisting of the $n$ elements (multiplied by a large positive constant $w$ to penalize vectors that do not sum to zero) between which the relation is sought.

The LLL algorithm for computing a nearly-orthogonal basis was used to show that integer programming in any fixed dimension can be done in polynomial time.

Algorithms

The following algorithms reduce lattice bases; several public implementations of these algorithms are also listed.

References

{{Reflist

Theory of cryptography
Computational number theory
Lattice points
Linear algebra
Cryptography
Lattice-based cryptography
Post-quantum cryptography