16. Lenstra-Lenstra-Lavász lattice reduction (LLL)

The (LLL) forms the basis of the Coppersmith attack (Section 15), and a brief explanation is given here with further reading and references for the reader. The Lenstra-Lenstra-Lavász (LLL) lattice basis reduction algorithm [13] calculates an LLL-reduced, short, nearly orthogonal lattice basis, in time O d<sup>5</sup> n log <sup>3</sup>B � �, where B is the largest length of bi under the Euclidean norm, given a basis B ¼ f g b1; b2; …; bd with n-dimensional integer coordinates, for a lattice L (a discrete subgroup of R<sup>n</sup> ) with d≤ n and giving polynomial-time factorization of polynomials with rational coefficients.

A thorough explanation is given by Bosma [14], and a summary of the example contained in the reference is given below.

INPUT: Let lattice basis b1, b2, b<sup>3</sup> ∈Z<sup>3</sup> be given by the columns of 1 �1 3 105 126 2 6 4 3 7 5 OUTPUT: LLL-reduced basis 0 1 �1 10 0 2 6 4 3 7 5

Using the Lenstra-Lenstra-Lavász lattice reduction (LLL), the short vectors in a lattice can be found. This is used by the Coppersmith attack. Coppersmith's algorithm uses the LLL to construct polynomials with small coefficients that all have the same root modulo. When a linear combination is found to meet inequality conditions, standard factorization methods can find the solutions over integers.

01 2
