Self-dual DeepBKZ for finding short lattice vectors

(Primal) lattices and bases

Let b₁, …, b_n be linearly independent vectors in ℝⁿ. The set of all integral linear combinations of the b_i’s is a (full-rank) lattice

of dimension n with basis B = [b₁, …, b_n] ∈ ℝ^n×n. Every lattice has infinitely many bases if n ≥ 2; If two bases B₁ and B₂ span the same lattice, there exists a unimodular matrix V ∈ GL_n(ℤ) with B₁ = B₂V. The volume of L is defined as vol(L) = ∣det(B)∣ > 0, which is independent of the choice of bases. The Gram-Schmidt orthogonalization (GSO) for an ordered basis B is the orthogonal family B∗=[b1∗,…,bn∗], recursively defined by b1∗ := b₁ and

for 2 ≤ i ≤ n. Then vol(L)=∏i=1n∥bi∗∥. For 2 ≤ ℓ ≤ n, let π_ℓ denote the orthogonal projection over the orthogonal supplement of the ℝ-vector space 〈b₁, …, b_ℓ−1〉_ℝ (note that π_ℓ depends on a basis, and set π₁ = id). For 1 ≤ i ≤ j ≤ n, we denote by B_[i,j] the local projected block [π_i(b_i), π_i(b_i+1), …, π_i(b_j)], and by L_[i,j] the lattice spanned by B_[i,j]. The first successive minimum is the length of a shortest non-zero vector in a lattice L, denoted by λ₁(L).

Dual lattices and dual bases

The dual of a lattice L is defined as

where span_ℝ(L) denotes the ℝ-vector space spanned by the vectors in L. The dual of a full-rank lattice with basis B has a basis D = (B⁻¹)^⊤. In other words, the relation D^⊤B = I is always maintained, where I is the identity matrix. This tells how the dual basis D changes with respect to changes of the primal basis B.

LLL

For a parameter 14 < δ < 1, a basis B = [b₁, …, b_n] is called δ-LLL-reduced if it satisfies the two conditions; (i) It is size-reduced, namely, the GSO coefficients satisfy ∣μ_i,j∣ ≤ 12 for all j < i. (ii) It satisfies Lovász’ condition, namely, δ∥bk−1∗∥2≤∥πk−1(bk)∥2 for all k. An LLL-reduced basis can be found by the LLL algorithm [10], in which adjacent basis vectors b_k−1 and b_k are swapped if Lovász’ condition does not hold.

DeepLLL

It is a straightforward generalization of LLL, in which non-adjacent vectors can be changed; If the deep exchange condition ∥ π_i(b_k) ∥² < δ∥bi∗∥2 is satisfied for some i < k, the vector b_k is inserted between b_i−1 and b_i as

This is called a deep insertion. Every output basis of DeepLLL satisfies the following condition; For 14 < δ < 1, a basis B = [b₁, …, b_n] is called δ-DeepLLL-reduced if it is size-reduced and it also satisfies δ∥bi∗∥2 ≤ ∥ π_i(b_k) ∥² for all i < k.

BKZ

A basis B = [b₁, …, b_n] of a lattice L is called HKZ-reduced if it is size-reduced and it satisfies ∥bi∗∥ = λ₁(π_i(L)) for every 1 ≤ i ≤ n. The notion of BKZ-reduction is a local block version of HKZ-reduction, defined as follows [14, 15, 16]; For β ≥ 2, a basis B = [b₁, …, b_n] of a lattice L is called β-BKZ-reduced (simply called β-reduced in [14, 16]) if it is size-reduced and every local block B_[j,j+β−1] is HKZ-reduced for 1 ≤ j ≤ n−β+1. The second condition means ∥bj∗∥ = λ₁ (L_[j,k]) for every 1 ≤ j ≤ n-1 with k = min(j + β − 1, n). The original BKZ algorithm [16] finds an almost β-BKZ-reduced basis, and it calls LLL to reduce every local block before enumeration of a shortest vector over the block lattice. Efficient variants of BKZ have been proposed such as BKZ 2.0 [3], and some of them have been implemented in software (e.g., [5]).

Self-dual BKZ

Motivated from the slide reduction algorithm [6], an elegant generalization of LLL (see also Section 3.3 below), the self-dual BKZ algorithm was proposed by Micciancio and Walter [11]. Their algorithm is based on a new notion [11, Definition 1] of block reduction using lattice duality (cf., the slide reduction algorithm is based on classical proofs of Mordell’s inequality, see also [12] for details). The output quality of self-dual BKZ in the worst case is proven to be at least as the worst case behavior of BKZ [11, Theorem 1]. The self-dual BKZ algorithm calls primal SVP and dual SVP oracles over local blocks in forward and backward tours, respectively, and it calls forward and backward tours alternately. Like BKZ, self-dual BKZ is a proper block generalization of the LLL algorithm.

DeepBKZ

It was proposed in [18], which calls DeepLLL as a subroutine alternative to LLL in BKZ. Every output basis of DeepBKZ satisfies the following condition of reduction; For 14 < δ < 1 and β ≥ 2, a basis is called (δ, β)-DeepBKZ-reduced if it is both δ-DeepLLL-reduced and β-BKZ-reduced. In Algorithm 1, we give a detailed algorithm of DeepBKZ with early-abort strategy, adopted in BKZ 2.0; For an input basis B = [b₁, …, b_n] of a lattice L, we terminate DeepBKZ with blocksize β after

tours, where C is a small constant. Since it is proven in [9] that the output basis of BKZ after N tours has an enough quality, we expect that a similar result would hold for DeepBKZ (we took different values for C in our experiments).

Dual DeepBKZ

It is a dual version of DeepBKZ proposed in [19]. It consists of the dual enumeration in self-dual BKZ [11] and a dual version of DeepLLL to reduce the dual basis of an input basis. In particular, in dual DeepLLL [19, Algorithm 1], a basis transformation is performed as

called a dual deep insertion (this is opposite to the primal deep insertion (1)).

Forward tour

As in the original self-dual BKZ [11], we call SVP oracles in dimension β to reduce every local block B_[j,j+β−1] from j = 1 to n−β. In our self-dual DeepBKZ, we additionally call DeepLLL for the sub-basis [b₁, …, b_n−1] before enumeration to find a shortest vector over every block lattice L_[j,j+β−1]. Note that this part does not change the last basis vector b_n.

Backward tour

As in [11], we call dual SVP oracles in dimension β to reduce the dual basis of every local block B_[j−β+1,j] from j = n down to β + 1. Similarly to the above part, we call dual DeepLLL [19, Algorithm 1], a dual variant of DeepLLL, before the dual enumeration [11, Algorithm 2] (see also Appendix A for the dual enumeration). As in the above part, we restrict the index i in every dual deep insertion (3) from i = n − 1 to 2 in order not to change the first basis vector b₁ by dual DeepLLL. This means that it reduces the local block B_[2,n] by dual DeepLLL, equivalently, it reduces its dual basis by (primal) DeepLLL.

Output quality

The Hermite factor is a good index to measure the (practical) output quality of a reduction algorithm [7]. The factor of an algorithm for a basis of an n-dimensional lattice L is defined as

where b is a shortest non-zero basis vector output by the algorithm. Smaller γ means that the algorithm can find a shorter lattice vector. For practical algorithms such as LLL and BKZ, Gama and Nguyen [7] experimentally showed that the root Hermite factor γ1n converges a constant for high dimensions. In Table 1 (resp., Table 2), we show the average of the root Hermite factor of DeepBKZ (resp., self-dual DeepBKZ), for random bases on the SVP challenge [4] in dimensions from n = 100 to 115 with seeds 0–9. We took C = 1.0 and 4.0 for two different early-abort constants in (2) and (4) (cf., C = 0.25, 2.0 and 8.0 were taken in [20]). As in [18, 19], we set δ = 0.99 as reduction parameters of both DeepLLL and its dual variant. We took as input bases reduced by BKZ with blocksize 20, implemented in the fplll library [5]. We increased blocksizes β by every 5 from 20 up to 45 for both DeepBKZ and its self-dual variant (it becomes very slow for β ≥ 50 since we did not use any pruning in [8]). We see from Tables 1 and 2 that the root Hermite factor (i.e., the output quality) of DeepBKZ is slightly better than that of self-dual DeepBKZ for β ≥ 30. In Table 1, we also show the average of the root Hermite factor of DeepBKZ without early-abort, which data are from [18, Table 2]. As seen from Table 1, the root Hermite factor of DeepBKZ with early-abort is pretty worse than without early-abort for β ≥ 30.

Performance

In Tables 3 (resp., Table 4), we show the average of the running time of DeepBKZ (resp., self-dual DeepBKZ) for the SVP challenge in dimensions from n = 100 to 115 with seeds 0–9. From Tables 3 and 4, our self-dual DeepBKZ is at least 3 times slower than DeepBKZ for β ≥ 30. In particular, DeepBKZ is much faster for 20 ≤ β ≤ 30 due to that a DeepBKZ-reduced basis can be found by tours less than the terminating condition (2). Moreover, DeepBKZ with early-abort is much faster than without early-abort; For example, it took 5242 seconds ≈ about 1.5 hours to run DeepBKZ with early-abort constant C = 4.0 in n = 115 for blocksizes up to β = 45, while a few days are required to run DeepBKZ without early-abort.

Output quality

A prediction of limiting value of the root Hermite factor γ1n achieved by BKZ is given in Chen’s thesis [2] (it is based on Gaussian Heuristic, and it seems to hold for β ≥ 40 in practice);

Actually, as seen from [11, Figure 2], the output quality of both BKZ and self-dual BKZ approximately follows the prediction (5) for β ≥ 40. As discussed in Subsection 3.5, the output quality of our self-dual DeepBKZ is slightly worse than that of DeepBKZ for every β ≥ 30. This is the same as the relation between BKZ and self-dual BKZ, shown in [11]. While the prediction (5) implies that β ≥ 85 is required for BKZ to achieve γ1n = 1.01, it requires only β ≥ 40 for both DeepBKZ and our self-dual DeepBKZ with early-abort from Tables 1 and 2 (cf., only β ≥ 30 is required for DeepBKZ without early-abort).

Performance

Since DeepLLL and dual DeepLLL are somewhat costly, DeepBKZ and our self-dual DeepBKZ are more costly than BKZ and self-dual BKZ. However, for blocksizes β ≥ 30, SVP and dual SVP oracles (i.e., enumerations) are dominant in DeepBKZ and our self-dual DeepBKZ. Hence DeepBKZ and its variants have comparable running time to BKZ and its variants for high blocksizes.