Analysis of DeepBKZ reduction for finding short lattice vectors

Abstract

Lattice basis reduction is a mandatory tool for solving lattice problems such as the shortest vector problem. The Lenstra–Lenstra–Lovász reduction algorithm (LLL) is the most famous, and its typical improvements are the block Korkine–Zolotarev algorithm and LLL with deep insertions (DeepLLL), both proposed by Schnorr and Euchner. In BKZ with blocksize \(\beta \), LLL is called many times to reduce a lattice basis before enumeration to find a shortest non-zero vector in every block lattice of dimension \(\beta \). Recently, “DeepBKZ” was proposed as a mathematical improvement of BKZ, in which DeepLLL is called as a subroutine alternative to LLL. In this paper, we analyze the output quality of DeepBKZ in both theory and practice. Specifically, we give provable upper bounds specific to DeepBKZ. We also develop “DeepBKZ 2.0”, an improvement of DeepBKZ like BKZ 2.0, and show experimental results that it finds shorter lattice vectors than BKZ 2.0 in practice.

Appendices

Efficient update algorithm of Gram–Schmidt information

Let \(\mathbf {B} = [\mathbf {b}_1, \dots , \mathbf {b}_n]\) be a basis of a lattice L, and let \(\mathbf {w} = \sum _{i=1}^r v_i \mathbf {b}_i \in L\) be a lattice vector with \(v_i \in \mathbb {Z}\) for \(1 \le i \le r-1\) and \(v_r = \pm 1\). For an insertion index k with \(1 \le k \le r \le n\), the n linearly independent vectors

$$\begin{aligned} {[}\mathbf {b}_1, \dots , \mathbf {b}_{k-1}, \mathbf {w}, \mathbf {b}_k, \dots , \mathbf {b}_{r-1}, \mathbf {b}_{r+1}, \dots , \mathbf {b}_n] \end{aligned}$$

(12)

give a new basis of L. In Algorithm 2, we show an efficient algorithm to update Gram-Schmidt information of the new basis (12). This is available after every insertion of a new lattice vector in DeepBKZ (or BKZ). The algorithm is based on the formula of [34, Proposition 4.2] on Gram-Schmidt information, and it is a generalization of the update algorithm in DeepLLL [30, Algorithm 4]. (When \(\mathbf {w} = \mathbf {b}_r\), the basis (12) coincides with the ordered basis \(\sigma _{k, r}(\mathbf {B})\) by a deep insertion.)

Short lattice vectors in the SVP challenge

In this appendix, we list short lattice vectors in the SVP challenge [29] for dimensions 100, 105, 110 and 115 with seeds 0–9. These lattice vectors were found mainly by DeepBKZ with blocksizes up to 45 (and pruned enumeration [13]). For every vector \(\mathbf {v}\) in an n-dimensional lattice L, we show its Euclidean norm \(\Vert \mathbf {v} \Vert \) and its approximation factor defined by

$$\begin{aligned} \dfrac{ \Vert \mathbf {v} \Vert \sqrt{\pi }}{\left( \varGamma (n/2 + 1) \cdot \mathrm {vol}(L) \right) ^{1/n}} \end{aligned}$$

where \(\varGamma \) is the Gamma function. If the factor is less than 1.05, the lattice vector can be submitted to the hall of fame in the SVP challenge. Furthermore, to enter the hall of fame, the vector is required to be shorter than a previous one in the same dimension with possibly different seed. We hope that these data would be a target to find a shorter lattice vector in every dimension and seed. (The below vectors are not necessarily the shortest.)

1.1 Dimension 100

• Seed 0: Norm 2571 (Approximation Factor 1.01252)

  

• Seed 1: Norm 2526 (Approximation Factor 0.99609)

  

• Seed 2: Norm 2590 (Approximation Factor 1.02146)

  

• Seed 3: Norm 2532 (Approximation Factor 0.99715)

  

• Seed 4: Norm 2481 (Approximation Factor 0.97400)

  

• Seed 5: Norm 2554 (Approximation Factor 1.00344)

  

• Seed 6: Norm 2555 (Approximation Factor 1.00179)

  

• Seed 7: Norm 2555 (Approximation Factor 1.00391)

  

• Seed 8: Norm 2509 (Approximation Factor 0.98725)

  

• Seed 9: Norm 2598 (Approximation Factor 1.02173)

  

1.2 Dimension 105

• Seed 0: Norm 2648 (Approximation Factor 1.01586)

  

• Seed 1: Norm 2604 (Approximation Factor 1.00237)

  

• Seed 2: Norm 2644 (Approximation Factor 1.01482)

  

• Seed 3: Norm 2617 (Approximation Factor 1.00450)

  

• Seed 4: Norm 2652 (Approximation Factor 1.01729)

  

• Seed 5: Norm 2622 (Approximation Factor 1.00824)

  

• Seed 6: Norm 2544 (Approximation Factor 0.97655)

  

• Seed 7: Norm 2621 (Approximation Factor 1.00747)

  

• Seed 8: Norm 2656 (Approximation Factor 1.02005)

  

• Seed 9: Norm 2641 (Approximation Factor 1.01238)

  

1.3 Dimension 110

• Seed 0: Norm 2647 (Approximation Factor 0.99636)

  

• Seed 1: Norm 2716 (Approximation Factor 1.01894)

  

• Seed 2: Norm 2636 (Approximation Factor 0.99285)

  

• Seed 3: Norm 2630 (Approximation Factor 0.99003)

  

• Seed 4: Norm 2621 (Approximation Factor 0.98360)

  

• Seed 5: Norm 2710 (Approximation Factor 1.01887)

  

• Seed 6: Norm 2685 (Approximation Factor 1.01055)

  

• Seed 7: Norm 2682 (Approximation Factor 1.00640)

  

• Seed 8: Norm 2690 (Approximation Factor 1.00976)

  

• Seed 9: Norm 2659 (Approximation Factor 0.99626)

  

1.4 Dimension 115

• Seed 0: Norm 2727 (Approximation Factor 1.00244)

  

• Seed 1: Norm 2742 (Approximation Factor 1.00949)

  

• Seed 2: Norm 2729 (Approximation Factor 1.00407)

  

• Seed 3: Norm 2699 (Approximation Factor 0.99339)

  

• Seed 4: Norm 2704 (Approximation Factor 0.99570)

  

• Seed 5: Norm 2788 (Approximation Factor 1.02803)

  

• Seed 6: Norm 2769 (Approximation Factor 1.02161)

  

• Seed 7: Norm 2775 (Approximation Factor 1.02310)

  

• Seed 8: Norm 2720 (Approximation Factor 1.00291)

  

• Seed 9: Norm 2752 (Approximation Factor 1.01189)