Average Time Fast SVP and CVP Algorithms:
Factoring Integers in Polynomial Time
Claus P. SCHNORR
Fachbereich Informatik und Mathematik
Goethe-Universität
Frankfurt am Main
Workshop Factoring 2009, Sept. 11,12
RUHR-UNIVERSITÄT BOCHUM
http://www.mi.informatik.uni-frankfurt.de/research/papers.html
Road map
I Lattice notation, Time bound of new SVP/CVP algorithm
II Factoring integers via easy CVP solutions
III Outline and partial analysis of the new SVP algorithm
We survey how to use known proof elements and we focus on
novel proof elements that are not covered by published work.
2
I: Lattices, QR-decomposition, LLL-bases
lattice basis
lattice
norm
SV-length
Successive minima
B = [b1 , . . . , bn ] ∈ Zm×n
L(B) = {Bx | x ∈ Zn }
P
1 1/2
kxk = hx, xi = ( m
i=1 x1 )
λ1 (L) = min{kbk | b ∈ L\{0}}
λ1 , ..., λn
QR-decomposition B = QR ⊂ Rm×n such that
• the GNF — geom. normal form — R = [ri,j ] ∈ Rn×n is
uppertriangular, ri,j = 0 for j < i and ri,i > 0,
• Q ∈ Rm×n isometric: hQx, Qy i = hx, y i.
LLL-basis B = QR for δ ∈ ( 14 , 1](Lenstra, Lenstra, Lovasz 82):
1. |ri,j | ≤ 21 ri,i for all j > i (size-reduced)
2
2
2. δri,i2 ≤ ri,i+1
+ ri+1,i+1
for i = 1, . . . , n − 1.
3
Average time fast SVP algorithm
Def. The relative density of L:
4
−1/2
rd(L) := λ1 γn
(det L)−1/n
rd(L) = λ1 (L)/ max λ1 (L0 ) holds for the maximum of λ1 (L0 )
over all lattices L0 such that dim L = dim L0 and det L = det L0 .
The H ERMITE constant γn = max{λ21 / det(L)2/n | dim L = n}.
We always have kb1 k2 = rd(L)2 γn (det L)2/n .
Theorem
Given a lattice basis such that
√ 4.1 (GSA).
b
kb1 k ≤ 2eπ n λ1 , b ≥ 0, N EW E NUM solves SVP in time
n+1
1
nO(1) + (O(n2b−ε )) 4 if rd(L) = n− 2 −ε , ε > 0.
This time bound is polynomial if 2b < ε.
GSA : Let B = QR = Q[ri,j ] satisfy (for ri,i = kb∗i k):
2
ri,i2 /ri−1,i−1
= q for i = 2, ..., n and some q > 0.
W.l.o.g. let q < 1, otherwise kb1 k = λ1 .
We outline the proof of Thm 4.1 in part III.
Average time fast CVP algorithm
Corollary 6.1 (GSA). Given b1 ∈ L, 0 6= kb1 k = O(λ1 ),
N EW E NUM finds b ∈ L such that kb − tk = kL − tk in time
√
n+1
4 .
nO(1) + O( n rd(L) kL − tk2 λ−2
1 )
This time bound is polynomial if
1
kL − tk = O(λ1 ) and rd(L) ≤ n− 2 −ε for ε > 0.
The required short vector b1 can in practice be added to the
basis, extending the lattice by a short vector preserving rd(L).
An example will be given in part II for factoring integers using
the prime number lattice.
5
II: Factoring integers via easy CVP solutions
Let N be a positive integer that is not a prime power. Let
p1 < · · · < pn enumerate all primes less than (ln N)α . Then
n = (ln N)α /(α ln ln N)(1 + O(1)/α ln ln N).
Let the prime factors p of N satisfy p > pn .
We show how to factor N by solving easy CVP’s for the prime
number lattice L(B), basis matrix B = [b1 , . . . , bn ] ∈ R(n+1)×n :

 p


ln p1
0
0
0




..
..




.
0
0
.


,

B=
N=
p
,




0
0
0
ln pn 
c
0
c
c
N ln N
N ln p1 · · · N ln pn
and the target vector N ∈ Rn+1 , where either N 0 = N or
N 0 = Npn+j for one of the next n primes pn+j > pn , j ≤ n.
W.l.o.g. let N 0 = N for the analysis.
6
Outline of the factoring method
P
We identify the vector b = ni=1 ei bi ∈ L(B) with the pair (u, v )
Q
Q
e
−e
of integers
u = ej >0 pj j , v = ej <0 pj j ∈ N.
Then u, v are free of primes larger than pn and gcd(u, v ) = 1.
P
We compute vectors b = ni=1 ei bi ∈ L(B) close to N such that
Q
e0
|u − vN 0 | < u. The prime factorizations |u − vN 0 | = ni=1 pi i
and of u yield a non-trivial relation
Q
Qn
ei0
ei
p
=
±
p
mod N.
(7.1)
ei >0 i
i=1 i
Given n + 1 independent relations (7.1) we write these relations
0
Qn
ei,j −ei,j
0 ∈ N as
with p0 = −1 and ei,j , ei,j
= 1 mod N
i=0 pi
for j = 1, ..., n + 1. P
Any non trivial solution z1 , ..., zn+1 ∈ Z of the
n+1
0
equations
j=1 zj (ei,j − ei,j ) = 0 mod 2 for i = 0, ..., n
Qn+1 Pni=0 zi ei,j
2
2
solves X = Y mod N with X = j=1 pj
mod N,
Pn
0
Qn+1
i=0 zi ei,j
Y = j=1 pj
mod N.
7
Computing relations (7.1) from smooth (u,v)
8
Lemma If |u − vN 0 | = o(N c ), v = Θ(N c−1 ), e1 , ..., en ∈ {0 ± 1}
then kb − Nk2 = (2c − 1) ln N + ln(pn+j ) + Θ(|u − vN 0 |2 (N/N 0 )2 ).
Proof. We see from e1 , ..., en ∈ {0 ± 1} that
u 2
kb − Nk2 = ln u + ln v + N 2c | ln vN
0| .
Clearly, v = Θ(N c−1 ), |u − vN 0 | = o(N c ) implies
ln u + ln v = (2c − 1) ln N + ln(N 0 /N) + Θ(1).
Moreover
u
u−vN 0
| ln vN
|=
0 | = | ln 1+ vN 0
|u−vN 0 |
vN 0 (1+o(1))
Combining these equations proves the claim.
Theorem 7.2 kb − Nk2 ≤ (2c − 1) ln N + 2δ ln pn implies
1
|u − vN 0 | ≤ pnα
+δ+o(1)
.
0
|
= Θ( |u−vN
).
N c−1 N 0
The existence of b ∈ L(B) such that |u − vN| = 1
9
An integer z is called y -smooth, if all prime factors p of z satisfy
p ≤ y . Let N 0 be either N or Npn+j for one of the next n primes
pn+j > pn . We denote
n
u ≤ N c , |u − vN 0 | = 1, N c−1 /2 < v < N c−1 o
Mα,c,N = (u, v ) ∈ N2
.
u, v are squarefree and (ln N)α −smooth
Theorem 7.4 [S93] If the equation |u − du/NcN| = 1 is for
random u of order N c nearly statistically independent from the
event that u, du/Nc are squarefree and (ln N)α -smooth then
#Mα,c,N = N ε+o(1) holds if α > 2c−1
c−1 , c > 1.
We will use this theorem for c = ln N and α > 4.
Vectors b ∈ L closest to N yield relations (7.1)
P
Theorem 7.5 The vector b = ni=1 ei bi ∈ L(B) closest to N
provides a non-trivial relation (7.1) provided that Mα,c,N 6= ∅.
Theorem 7.6 If Mα,c,N 6= ∅ for c = ln N and α > 4 then we can
minimize kL(B) − Nk in polynomial time under GSA given
b ∈ L(B) such that 0 6= kbk = O(λ1 ).
It follows from Mα,c,N 6= ∅ for N 0 ∈ {N, Npn+j } that
kL − Nk2 ≤ (2c − 1) ln N 0 + 1 = (2c − 1 + o(1)) ln N.
Lemma 5.3 of [MG02] proves that λ21 ≥ 2c ln N − Θ(1)
Claim λ21 = 2c ln N + O(1).
1
√
rd(L) = λ1 /( γn (det L) n ) .
= O(c ln N)(1−α)/2 =
2eπ 2c ln N
(ln N)α
1−α
O((ln N)
).
1
2
1
2 − 1/α > 0 that
(α ln ln N)1−1/α (ln N)1−α > rd(L).
Moreover, we have for c = ln N, α > 4 and ε =
n− 2 −ε = n−1+1/α ≈
1
10
Providing a nearly shortest vector of L(B)
We extend the prime number basis B and L(B) by a nearly
shortest lattice vector of the extended lattice, preserving rd(L),
det(L) and the structure of the lattice.
We extend the prime base by a prime p̄n+1 of order Θ(N c ) such
that |u −
for a squarefree (ln N)α -smooth
Pp̄n+1 | = O(1) holds
Q eu.
2
Then k i ei bi − bn+1 k = 2c ln N + O(1) holds for u = i pi i
the
P additional basis vector bn+1 corresponding to p̄n+1 .
i ei bi − bn+1 is a nearly shortest vector of L(b1 , ..., bn+1 ).
Efficient construction of p̄n+1 . Generate u at random and
test the nearby p̄ for primality. If the density of primes near the
u is not exceptionally small p̄n+1 and bn+1 can be found in
probabilistic polynomial time. A single p̄n+1 can be used to
solve all CVP’s for the factorization of all integers of order Θ(N).
11
III: A novel enumeration of short lattice vectors
Let πt : span(b1 , ..., bn ) → span(b1 , ..., bt−1 )⊥ for t = 1, ..., n
denote the orthogonal projections and let Lt = L(b1 , ..., bt−1 ).
P
Stage (ut , ..., un ) of ENUM. b := ni=t ui bi ∈ L and
ut , ..., un ∈ Z are given. The
searches exhaustively for all
Pstage
P
n
t−1
2
u
b
u
b
∈
L
such
that
k
i=1 i i k ≤ A holds for a given
i=1 i i
upper bound A ≥ λ21 . We have
P
Pt−1
k ni=1 ui bi k2 = kζt + i=1
ui bi k2 + kπt (b)k2 .
where ζt := b − πt (b) = Qvt ∈ span LP
t is the orthogonal
projection in span Lt of the given bP
= ni=t ui bi and
vt = (v1 , ..., vt−1 , 0n−t+1 )t for vi = ni=t ri,j uj . Stage (ut , ..., un )
exhaustively enumerates Bt−1 (ζt , ρt ) ∩ Lt , the intersection of
the lattice Lt and the sphere Bt−1 (ζt , ρt ) ⊂ span Lt of dimension
t − 1 with radius ρt := (A − kπt (b)k2 )1/2 and center ζt .
12
The success rate βt of stages
13
The G AUSSIAN volume heuristics estimates |Bt−1 (ζt , ρt ) ∩ Lt |
for t > 1 to
βt =def vol Bt−1 (ζt , ρt )/ det Lt .
t−1
Here vol Bt−1 (ζt , ρt ) = Vt−1 ρt−1
, Vt−1 = π 2 /( t−1
t
2 )!
is the volume ofQthe unit sphere of dimension
t
−
1,
P
t−1
det Lt = i=1
ri,i , ρ2t := A − kπt ( ni=t ui bi )k2 .
We call βt the success rate of stage (ut , ..., un ).
If ζt mod Lt is uniformly distributed over
P
{ t−1
i=1 ri bi | 0 ≤ r1 , ..., rt−1 < 1}
then Eζt [ |Bt−1 (ζt , ρt ) ∩ Lt | ] = βt , where Eζt refers to a random
ζt mod Lt . This holds because 1/ det Lt is the number of
lattice points of Lt per volume in span Lt . The formal analysis of
N EW E NUM by Theorem 4.1 uses a proven version of the
volume heuristics without assuming that ζt mod Lt is random.
Outline of New Enum for SVP
14
INPUT LLL-basis B = QR ∈ Zm×n , R ∈ Rn×n , A := n4 (det B t B)2/n ,
OUTPUT a sequence of b ∈ L(B) of decreasing length
kbk2 ≤ A terminating with kbk = λ1 .
1. s := 1, Ls := ∅,
(we call s the level)
2. Perform algorithm E NUM [SE94] pruned to stages with βt ≥ 2−s :
Upon entry of stage (ut , ..., un ) compute βt . If βt < 2−s delay
this stage and store (βt , ut , ..., un ) in the list Ls of delayed stages
If βt ≥ 2−s perform stage (ut , ..., un ) on level s, and as soon
as some non-zero b ∈ L of length kbk2 ≤ A has been found
give out b and set A := kbk2 − 1.
3. Ls+1 := ∅, perform the stages (ut , ..., un ) of Ls with βt ≥ 2−s−1
in increasing order of t and for fixed t in order of decreasing βt .
Collect the appearing substages (ut 0 , ..., ut , ..., un )
with βt 0 < 2−s−1 in Ls+1 .
4. IF Ls+1 6= ∅ THEN [ s := s + 1, GO TO 3 ]
ELSE terminate by exhaustion.
Proof of Theorem 4.1
Thm 4.1 N EW E NUM solves SVP in time nO(1) + (O(n2b−ε ))
√
1
if rd(L) = n− 2 −ε , ε > 0 and if b1 k ≤ 2eπ nb .
15
n+1
4
N EW E NUM essentially performs
P stages in decreasing order of
the success rate βt . Let b0 = ni=1 ui0 bi ∈ L denote the unique
vector of length λ1 that is found by N EW E NUM.
Let βt0 be the success rate of stage (ut0 , ..., un0 ).
N EW E NUM performs stage (ut0 , ..., un0 ) prior to all stages
(ut , ..., un ) of success rate βt ≤ 21 βt0
Simplifying assumption. We assume that NEW ENUM
performs stage (ut0 , ..., un0 ) prior to all stages of success rate
βt < βt0 , ( i.e., ρt < ρ0t ).
By definition ρ2t = A − kπt (b)k2 and ρ0t 2 = A − kπt (b0 )k2 .
Without using the simplifying assumption, the proven time
bound of Theorem 4.1 increases at most by the factor 2.
A proven version of the volume heuristics
Consider
P the number Mt of stages (ut , ..., un ) with
kπt ( ni=t ui bi )k ≤ λ1 :
Mt := # Bn−t+1 (0, λ1 ) ∩ πt (L) .
Modulo the heuristic simplifications Mt covers the stages that
precede (ut0 , ..., un0 ) and those that finally prove kb0 k = λ1 .
√
n−t+1 Qn
√ 8π λ1
Lemma 4.2 Mt ≤ e 2
i=t (1 + n−t+1 r ).
i,i
Proof. We use the method of Lemma 1 of [MO90] and follow
the adjusted proof of (2) in section 4.1 of [HS07]. We
abbreviate nt = n − t + 1. Consider the ellipsoid
P
Et = {(xt , ..., xn )t ∈ Rnt | kπt ( ni=t xi bi )k2 ≤ λ21 }, where
P
P P
P P
kπt ( ni=t xi bi )k2 = ni=t nj=i (ri,j xj )2 = ni=t nj=i (µj,i xj )2 kb∗i k2 .
By definition Mt ≤ #(Et ∩ Znt ). We set
P
P ri,j
P
0
i x :=
j>i ri,i xj and xi := xi + d i xc,
P
P
P
{ i x} := i x − d i xc,
P
P
Ft := {(xt0 , ..., xn0 )t ∈ Rnt | ni=t (xi0 + { i x} )2 ri,i2 ≤ λ21 }.
16
Claim #(Et ∩ Znt ) ≤ #(Ft ∩ Znt )
17
Proof. The transformation (xt , ..., xn ) 7→ (xt0 , ..., xn0 ) is injective.
[ If i ≥ t is the least index such that (y
Pi , ..., yn ) and
Pn(zi , ..., zn )
0
0
0
differ then yi 6= zi . Moreover (xi + { i x})ri,i = j=i ri,j xj .]
P
We simplify Et to
Et0 = {x0 ∈ Rnt | ni=t xi0 2 ri,i2 ≤ 4λ21 }.
P
Since | { i x} | ≤ 21 , xi ∈ Z and |xi + ε|2 ≥ xi2 /4 for |ε| ≤ 12 we
see that Ft ∩ Znt ⊂ Et0 ∩ Znt . Hence Mt ≤ #(Et0 ∩ Znt ).
We bound #(Et0 ∩ Znt ) using the method
Lemma 1].
Pn of2[MO90,
t
n
2
t
Denoting Nr := #{(kt , ..., kn ) ∈ Z | i=t ri,i ki = r } we have
P
P
2
2
Nr e−srnt
Nr es(4λ1 −r )nt ≤ es4λ1 nt
#(Et0 ∩ Znt ) =
≤e
0≤r ≤4λ21
n
Q P −sr 2 k 2 nt
s4λ21 nt
i,i i
e
i=t ki ∈Z
2
−Tk
e
=1
2
≤ es4λ1 nt
n
Q
i=t
(1
r ≥0
√
+ √snπt r )
i,i
R
P
P
−Tk 2 ≤ 1 + 2 ∞ e−Tx 2 dx =
since
+2 ∞
k =1 e
0
p k ∈Z
1 + π/T . We get for s := 1/(8λ21 ) :
√
Q
λ1
#(Et0 ∩ Znt ) ≤ ent /2 ni=t (1 + √8π
).
nt r
i,i
Proof of Theorem 4.1 continued
18
2
n−1
Now ri,i2 = kb1 k2 q i−1 , λ21 /(γn rd(L)2 ) = (det L) n = kb1 k2 q 2
hold by GSA and thus γn ≥ 2 neπ directly imply for i = t, ..., n
√
√
n − t + 1 ri,i ≤ 2eπ rd(L)−1 λ1 q (2i−n−1)/4 .
√
√
−1 λ q (2i−n−1)/4 + 8eπ λ
Q
1
1
By Lemma 4.2
Mt ≤ ni=t e π rd(L) √
.
n−t+1 ri,i
√
For η̄ := 2 + e, t := n2 + 1 − c,
m(q, c) := [if c > 0 then q
1−c 2
4
else 1] we get
η̄ 2eπ λ1 n−t+1
Mt ≤ m(q, c) √n−t+1
/ det πt (L),
rd(L)
√
(4.1)
Pc
Qn/2+1 √n−t+1 ri,i
1−c 2
√
because m(q, c) = q 4 = q − i=0 (2i−1)/4) ≥ i=t
η̄ 2eπ λ1
for c > 0. We see from P
(4.1) and
n−1
n−t+1
det πt (L) = kb1 k
q i=t−1 i/2 that
√
n−t+1 Pn−1 i/2
η̄ 2eπ λ1
Mt ≤ m(q, c) √n−t+1
/q i=t−1
(4.2)
rd(L) kb k
1
19
Now γn ≤
1.744 (n+o(n))
[KL78] implies via GSA
2eπ
n−1
eπ λ21
≤ q 2 for n ≥ n0 .
n rd(L)2 kb1 k2
(4.2), (4.3),
(t−1)(t−2)
2(n−1) yield
√
n−t+1 √n rd(L) kb1 k n− (t−1)(t−2)
n−1
√ η̄ 2eπ λ1
√
.
eπ λ1
n−t+1 rd(L) kb1 k
1
n−1
Mt ≤ m(q, c)
(4.3)
Pn−1
i=t−1 i
=
n
2
−
The difference of the exponents
de(t) = n −
(t−1)(t−2)
n−1
− n + t − 1 = (t − 1)(1 −
is positive for t ≤ n and maximal for tmax =
n
2
+ 1,
√
We get for kb1 k ≤ 2eπ nb λ1 ,
n+1 + 1/4−c2
1
n−1
+ 1 − c : Mt ≤ m(q, c) O(n 2 +b rd(L)) 4
.
de( n2 + 1 − c) =
t=
n
2
t−2
n−1 )
Hence
n+1
4
+
1/4−c 2
n−1 .
1
Mt = (O(n 2 +2b rd(L) )
n+1
4
.
Open problems
Main open problem
Can the factoring algorithm be improved by the method of the
number field sieve ?
We factor N via easy CVP-solutions that correspond to
multiplicative relations mod N, related to the quadratic sieve.
The last coordinate of an CVP-solution yields a multiplicative
relation of the factor base, under the natural logarithm ln.
How to incorporate mod N reductions under the ln transform ?
20
Refences
Ad95 L.A. Adleman, Factoring and lattice reduction.
Manuscript, 1995.
AEVZ02 E. Agrell, T. Eriksson, A. Vardy and K. Zeger,
Closest point search in lattices. IEEE Trans. on
Inform. Theory, 48 (8), pp. 2201–2214, 2002.
Aj96 M. Ajtai, Generating hard instances of lattice
problems. In Proc. 28th Annual ACM Symposium
on Theory of Computing, pp. 99–108, 1996.
AD97 M. Ajtai and C. Dwork, A public-key cryptosystem
with worst-case / average-case equivalence. In
Proc 29-th STOC, ACM, pp. 284–293, 1997.
Ba86 L. Babai, On Lovasz’ lattice reduction and the
nearest lattice point problem. Combinatorica 6 (1),
pp.1–13, 1986.
BL05 J. Buchmann and C. Ludwig, Practical lattice basis
sampling reduction. eprint.iacr.org, TR 072, 2005.
21
References
Ca98 Y.Cai, A new transference theorem and
applications to Ajtai’s connection factor. ECCC,
Report No. 5, 1998.
CEP83 E.R. Canfield, P. Erdös and C. Pomerance, On a
problem of Oppenheim concerning "Factorisatio
Numerorum". J. of Number Theory, 17, pp. 1–28,
1983.
CS93 J.H. Conway and N.J.A. Sloane, Sphere Packings,
Lattices and Groups. third edition,
Springer-Verlag1998.
FP85 U. Fincke and M. Pohst, Improved methods for
calculating vectors of short length in a lattice,
including a complexity analysis. Math. of Comput.,
44, pp. 463–471, 1985.
22
Refences
HHHW09 P.Hirschhorn, J. Hoffstein, N. Howgrave-Graham,
W. Whyte, Choosing NTRUEncrypt parameters in
light of combined lattice reduction and MITM
approaches. In Proc. ACNS 2009, LNCS 5536,
Springer-Verlag,pp. 437–455, 2009.
HPS98 J. Hoffstein, J. Pipher and J. Silverman, NTRU: A
ring-based public key cryptosystem. In Proc.
ANTS III, LNCS 1423, Springer-Verlag, pp.
267–288, 1998.
H07 N. Howgrave-Graham, A hybrid lattice–reduction
and meet-in-the-middle attiack against NTRU. In
Proc, CRYPTO 2007, LNCS 4622,
Springer-Verlag, pp. 150–169, 2007.
HS07 G. Hanrot and D. Stehlé, Improved analysis of
Kannan’s shortest lattice vector algorithm. In Proc.
CRYPTO 2007, LNCS 4622, Springer-Verlag,pp.
170–186, 2007.
23
Refences
HS08 G. Hanrot and D. Stehlé, Worst-case
Hermite-Korkine-Zolotarev reduced lattice bases.
CoRR, abs/0801.3331,
http://arxix.org/abs/0801.3331.
Ka87 R. Kannan, Minkowski’s convex body theorem and
integer programming. Math. Oper. Res., 12, pp.
415–440, 1987.
KL78 G.A.Kabatiansky and V.I. Levenshtein, Bounds for
packing on a sphere and in space. Problems of
Information Transmission, 14, pp. 1–17, 1978.
LLL82 H. W. Lenstra Jr., , A. K. Lenstra, and L. Lovász ,
Factoring polynomials with rational coefficients,
Mathematische Annalen 261, pp. 515–534, 1982.
MO90 J. Mazo and A. Odlydzko, Lattice points in
high-dimensional spheres. Monatsh. Math. 110,
pp. 47–61, 1990.
24
Refences
MG02 D. Micciancio and S. Goldwasser, Complexity of
Lattice Problems: A Cryptographic Perspective.
Kluwer Academic Publishers, Boston, London,
2002.
S87 C.P. Schnorr, A Hierarchy of Polynomial Time
Lattice Basis Reduction Algorithms. Theoret.
Comput. Sci., 53, pp. 201–224, 1987.
S93 C.P.Schnorr, Factoring integers and computing
discrete logarithms via Diophantine approximation.
In Advances in Computational Complexity, AMS,
DIMACS Series in Discrete Mathematics and
Theoretical Computer Science, 13, pp. 171–182,
1993. Preliminary version in Proc.
EUROCRYPT’91, LNCS 547, Springer-Verlag,pp.
281–293, 1991.
//www.mi.informatik.uni-frankfurt.de.
25
Refences
SE94 C.P. Schnorr and M. Euchner, Lattce basis
reduction: Improved practical algorithms and
solving subset sum problems. Mathematical
Programming 66, pp. 181–199, 1994.
SH95 C.P. Schnorr and H.H. Hörner, Attacking the
Chor–Rivest cryptosystem by improved lattice
reduction. In Proc. EUROCRYPT’95, LNCS 921,
Springer-Verlag, pp. 1–12, 1995.
S03 C.P. Schnorr, Lattice reduction by sampling and
birthday methods. Proc. STACS 2003: 20th
Annual Symposium on Theoretical Aspects of
Computer Science, LNCS 2007, Springer-Verlag,
pp. 146–156, 2003.
S06 C.P. Schnorr, Fast LLL-type lattice reduction.
Information and Computation, 204, pp. 1–25,
2006.
26
References
S07 C.P. Schnorr, Progress on LLL and lattice
reduction, Proceedings LLL+25, Caen, France,
June 29–July 1, 2007, Final version to appear;
27