EECS 598: Lattices in Cryptography (2015)

Meeting: Mondays and Wednesdays, 10:30a-12p, G. G. Brown Lab 1363

First meeting: Wednesday, Sep 9
Instructor: Chris Peikert (cpeikert ATHERE umich DOTHERE edu)
Office Hours: Beyster 3601, by appointment

Resources

Syllabus
Course Canvas site
A Decade of Lattice Cryptography (Survey)

Homeworks

Homework 1, due Wed 23 Sep. [PDF, LaTeX template, macros]

Homework 2, due Wed 7 Oct. [PDF, LaTeX template, macros]
Homework 3, due Web 4 Nov. [PDF, LaTeX template, macros]
Homework 4, due Web 23 Nov. [PDF, LaTeX template, macros]

Lecture notes

Lecture 1: Mathematical Background

Lecture 2: SVP, Gram-Schmidt, LLL
Lecture 3: LLL, Coppersmith
Lecture 4: Coppersmith, Cryptanalysis
Lecture 5: Cryptanalysis of Knapsack Cryptography
Lecture 6: Algorithms for SVP, CVP

Course description
Point lattices are remarkably useful in cryptography, both for cryptanalysis (breaking codes) and, more recently, for
constructing cryptosystems with unique security and functionality properties. This seminar will cover classical results,
exciting recent developments, and several important open problems. Specific topics, depending on time and level of interest,
include:

Mathematical background and basic results

The LLL algorithm, Coppersmith's method, and applications to cryptanalysis
Complexity of lattice problems: NP-hardness, algorithms and other upper bounds
Gaussians, harmonic analysis, and the smoothing parameter
Worst-case/average-case reductions, and the SIS/LWE problems
Basic cryptographic constructions: one-way functions, encryption schemes, digital signatures
``Exotic'' cryptographic constructions: identity-based encryption, fully homomorphic encryption and more
Ring-based cryptographic reductions and primitives

Prerequisites
There are no formal prerequisite classes. However, this course is mathematically rigorous, hence the main requirement
ismathematical maturity. Students should be comfortable with devising and writing correct and clear formal proofs (and
finding the flaws in incorrect ones!), devising and analyzing algorithms, and working with probability. A previous course in
cryptography (e.g., Applied/Theoretical Cryptography) is helpful but is not required. No previous familiarity with lattices
will be assumed. Highly recommended courses (the more the better) include: EECS 477 or 586 (Algorithms), EECS 574
(Computational Complexity Theory), EECS 575 (Advanced Cryptography). The instructor reserves the right to limit
enrollment to students who have the necessary background.
Lattices in Cryptography Lecture 1 Instructor: Chris Peikert
Georgia Tech, Fall 2013 Mathematical Background Scribe: Sara Krehbiel

1 A Brief History of Lattices in Cryptography

Lattices have been used in mathematics going back at least to the 18th century. However, computational
aspects of lattices were not investigated much until the early 1980s, when they were successfully employed
for breaking several proposed cryptosystems (among many other applications). It was not until the late 1990s
that lattices were first used in the design of cryptographic schemes, and the last eight or so years have seen an
explosion of new systems and applications. Here is a timeline of some of the more significant developments
in the use of lattices in cryptography.

• 18th century through early 20th century: mathematicians such as Gauss and Lagrange use lattices in
number theory (e.g., to give proofs of the quadratic reciprocity and four-square theorems); Minkowski
greatly advances the study of lattices in his “geometry of numbers.”
• Early 1980s: Lenstra, Lenstra and Lovász discover their famous “LLL” basis-reduction algorithm,
whose applications include factoring integer polynomials and breaking several cryptosystems.
• Mid 1990s: Ajtai shows a remarkable “worst-case to average-case reduction” for lattice problems,
yielding a cryptographic one-way function based on worst-case hardness conjectures; his follow-up
work with Dwork gives a public-key encryption scheme with similar security guarantees. However,
due to their inefficiency and complexity, at the time these schemes are mainly of theoretical interest.
Concurrently, Hoffstein, Pipher and Silverman introduce the NTRU public-key encryption scheme (and
related digital signature scheme), which is practically quite efficient, but lacks any theoretical evidence
of security. After extensive cryptanalysis, some of the most efficient parameter sets are broken (and
various iterations of the signature schemes are completely broken), though NTRU encryption appears
to remain secure in an asymptotic sense.
• Early 2000s: researchers such as Regev and Micciancio dramatically simplify and improve the early
theoretical works, obtaining much stronger security guarantees and greatly improved efficiency.
• 2007-present: several researchers (e.g., Gentry, Brakerski, Vaikuntanathan, Lyubashevsky, and your
instructor) build a surprisingly rich toolbox of lattice-based cryptographic constructions, including
powerful objects like trapdoor functions, signature schemes, identity- and attribute-based encryption,
fully homomorphic encryption, and much more.

2 Mathematical Background
We start with the definition of a lattice.

Definition 2.1. An n-dimensional lattice L is a discrete additive subgroup of Rn .

Let’s unpack this definition. First, a lattice L is a subgroup of Rn , under standard component-wise
addition. Recall that L is a subgroup if it contains the identity element 0 ∈ Rn (the all-zeros vector), and if
for any x, y ∈ L, we have −x ∈ L and x + y ∈ L.
Second, a lattice is discrete: this means that every x ∈ L has some “neighborhood” in which x is the
only lattice point. Formally, for every x ∈ L there exists some ε > 0 such that (x + εB) ∩ L = {x}, where
(x + εB) denotes the (open) ball of radius ε centered at x. Note that when L is a group, this condition is
equivalent to one in which the quantifiers are reversed, i.e., there exists a single ε > 0 that works for all
x ∈ L. Moreover, this is equivalent to the existence of some ε > 0 that works for the origin 0 ∈ L.

1
Example 2.2. Let us consider several examples of lattices and non-lattices.

1. The singleton set {0} ⊂ Rn is a lattice (for any positive integer n).
2. The integers Z ⊂ R form a 1-dimensional lattice, and the integer grid Zn ⊂ Rn is an n-dimensional
lattice. The set Z × {0} = {(z, 0) : z ∈ Z} ⊆ R2 is a two-dimensional lattice, though its rank is only
one (see Definition 2.3 below).
3. For any lattice L, its scaling cL = {cx : x ∈ L} by any real c is also a lattice, e.g., the even integers 2Z.
More generally, any linear transformation applied to a lattice is also a lattice.
4. The set {x ∈ Zn : ni=1 xi ∈ 2Z} is a lattice; it is often called the “checkerboard” or “chessboard”
P
lattice, especially in two dimensions. (See Figure 1.)
5. The rationals Q ⊂ R do not form a lattice, because although they form a subgroup, it is not discrete:
there exist rational numbers that are arbitrarily close to zero.
6. The odd integers 2Z + 1 do not form a lattice, because although they are discrete, they do not form a
subgroup of R. (However, they do comprise a coset of the lattice 2Z; more on this point later.)
√ √
7. The group G = Z + 2Z is not a lattice, because it√is not discrete: since 2 admits arbitrarily good
rational approximations a/b, there are values a − b 2 ∈ G that are arbitrarily close to zero.

O
−3 −2 −1 0 1 2 3

Figure 1: The integer and checkerboard lattices.

Definition 2.3. The rank k of a lattice L ⊂ Rn is the dimension of its linear span, i.e., k = dim(span(L)).
When k = n, the lattice is said to be full rank.

In this course, all lattices are implicitly full rank unless stated otherwise. This assumption is usually
without loss of generality, since we can restrict our attention to the subspace span(L), which can be mapped
bijectively to Rk under a linear transformation that preserves inner products (and thus Euclidean norms,
volumes, etc.).
Of particular interest are rational and√integer lattices, which are subsets of Qn and Zn , respectively.
(Note that not all lattices are rational, e.g., 2Z.) Up to scale, rational and integer lattices are equivalent: the
discreteness of a rational lattice L guarantees a finite “common denominator” d such that the scaled lattice dL
is integral. Rationality is important for computational purposes, because we need to be able to represent
the lattice in an algorithm. However, most of the mathematical results in this course will apply to arbitrary
(potentially non-rational) lattices, so we will explicitly identify when we are restricting to integral lattices.

2.1 Lattice Bases

Except for the degenerate case {0}, a lattice is always an infinite set. However, a basic fact (which we will
not prove) is that a lattice can always be finitely represented by a basis.

2
Definition 2.4. A basis B = {b1 , . . . , bn } ⊂ Rn of a lattice L is a set of linearly independent vectors whose
integer linear combinations generate the lattice:
X n 
L = L(B) := z i bi : z i ∈ Z .
i=1
Equivalently, if we interpret B ∈ Rn×n as a nonsingular matrix whose (ordered) columns are b1 , . . . , bn ,
then L = B · Zn = {Bz : z ∈ Zn }.
Another way of reading the above definition is that any lattice can be obtained by applying some
nonsingular linear transformation to the integer lattice Zn .
While a lattice always has a basis, such a basis is not unique. Essentially, the existence of multiple lattice
bases is what makes lattice-based cryptography possible! (More on this later.) Recall that an integer matrix is
said to be unimodular if it determinant is ±1, i.e., if U−1 exists and is also an integer matrix.
Lemma 2.5. Bases B1 , B2 generate the same lattice L if and only if there exists a unimodular U ∈ Zn×n
such that B1 = B2 U.
Proof. Suppose L(B1 ) = L(B2 ), or equivalently, B1 · Zn = B2 · Zn . Then each column of B1 is an integer
combination of the columns of B2 , and vice-versa. That is, there exist U, V ∈ Zn×n such that B1 = B2 U
and B2 = B1 V = B2 UV. Because B2 is invertible, we have UV = I and therefore det(U) det(V) = 1,
so det(U), det(V) = ±1 because both matrices are integral.
For the other direction, suppose B1 = B2 U for some unimodular U. Then we have
L(B1 ) = B1 · Zn = B2 · (U · Zn ) = B2 · Zn = L(B2 ),
where the equality U · Zn = Zn follows from the fact that Ux = y ⇐⇒ x = U−1 y, and that U, U−1 are
both integral.
Corollary 2.6. The bases of Zn are exactly the unimodular matrices U ∈ Zn×n .
Corollary 2.7. We can efficiently test whether two given matrices B1 , B2 generate the same lattice, by
checking whether B−1
1 · B2 is unimodular.

2.2 Fundamental Regions

Since lattice is an infinite periodic “grid” in Rn , it is often useful to consider a corresponding periodic “tiling”
of Rn by copies of some body. For example, consider the typical tiling of bricks in a wall (which corresponds
to the checkerboard lattice), or a tiling of the plane by regular hexagons (with lattice points at their centers).
The notion of a fundamental region formalizes this concept.
Definition 2.8. A set F ⊆ Rn is a fundamental region of a lattice L if its translates x+F = {x+y : y ∈ F},
taken over all x ∈ L, form a partition of Rn .
For example, the half-open unit intervals [0, 1) and [− 21 , 12 ) are fundamental regions of the integer lattice Z:
any x ∈ R is in the unique translate bxc + [0, 1) or bxe + [− 12 , 12 ), respectively (where bxe := bx + 12 c
denotes rounding to the nearest integer, with ties broken upward). Similarly, the half-open cubes [0, 1)n and
[− 12 , 21 )n are fundamental regions of Zn . Note that in general, a fundamental region need not be convex or
even consist of a single connected component (though all the fundamental regions we consider in this course
will satisfy both of those properties).
A lattice basis naturally yields a fundamental region:

3
Definition 2.9. The fundamental parallelepiped of a lattice basis B is defined as
X n 
1 1 n 1 1
P(B) := B · [− 2 , 2 ) = ci bi : ci ∈ [− 2 , 2 ) . (2.1)
i=1

Alternatively, the fundamental parallelepiped is sometimes defined as P(B) = B · [0, 1)n . However, in
this course we will typically use the formulation from Equation (2.1), since it has the convenient property of
being essentially symmetric about the origin (ignoring its boundary).
Lemma 2.10. Let F be a fundamental region of Zn and B be a lattice basis. Then B · F = {Bx : x ∈ F }
is a fundamental region of L = L(B). In particular, P(B) is a fundamental region of L.
Proof. We need to show that each x ∈ Rn is in exactly one translate v + B · F where v = Bz ∈ L for
some z ∈ Zn . Because B is nonsingular, we have x ∈ Bz + B · F if and only if B−1 x ∈ z + F. Since
B−1 x ∈ Rn and F is a fundamental region of Zn , there is exactly one z ∈ Zn for which the latter inclusion
holds, which proves the claim.

b2
b1

Figure 2: A lattice basis with a (partial) tiling by its fundamental parallelepiped.

Another useful fundamental region is given by the Voronoi cell of a lattice, which is the set of all points
in Rn that are closer to the origin than to any other lattice point:
V(L) := {x ∈ Rn : kxk < kx − vk ∀ v ∈ L \ {0}}.

Actually, the open set V(L) itself is not quite a fundamental region: its translates by lattice points are pairwise
disjoint and cover all of Rn , except for those points on the boundaries of the translates (which form a set of
measure zero). The Voronoi cell can be made into a true fundamental region by making it “half-open” in
some appropriate sense, but this involves some technical subtleties.
A basic fact is that all fundamental regions of a lattice have the same volume; this volume is an essential
lattice invariant.
Definition 2.11. The volume (or determinant) of a lattice L, denoted det(L), is defined as vol(F) where F
is any fundamental region of L.
Claim 2.12. The volume of a lattice L is det(L) = |det(B)|, where B is any basis of L.
Proof. By Lemma 2.10, P(B) is a fundamental region of L, and by basic linear algebra, vol(P(B)) =
|det(B)|.
Note that |det(B)| is invariant under choice of lattice basis B, because by Lemma 2.5, any other basis is
of the form B0 = BU for some unimodular U, and |det(B0 )| = |det(B)| · |det(U)| = |det(B)|.

4
2.3 Minimum Distance
Because a lattice L is discrete, it has a nonzero element v ∈ L of minimum length under, say, the Euclidean
norm. (This element is not unique, because also −v ∈ L.)

Definition 2.13. The minimum distance of a lattice L is defined as

λ1 (L) := min kvk = min kx − yk.

v∈L\{0} distinct x,y∈L

(The second equality follows from the fact that x − y is itself a nonzero lattice vector.)

A central result of Minkowski relates the minimum distance of a lattice to its determinant. Recall that a
centrally symmetric body S is one for which x ∈ S ⇐⇒ −x ∈ S, and a convex body S is one for which
x, y ∈ S ⇒ αx + (1 − α)y ∈ S for any α ∈ [0, 1], i.e., the line segment connecting x and y is entirely
contained in S.

Theorem 2.14 (Minkowski). Any convex, centrally symmetric body S of volume vol(S) > 2n · det(L)
contains a nonzero lattice point.

Proof. Let S 0 = S/2, so vol(S 0 ) > det(L). By a “volumetric pigeonhole argument,” we claim that there
exist distinct x, y ∈ S 0 such that x − y ∈ L. To see this, consider any fundamental region F of L, and
partition S 0 into sets Sv0 = S 0 ∩ (v + F) for each v ∈ L. Then the translates Sv0 − v ⊆ F have total volume
vol(S 0 ) > vol(F), so they must overlap somewhere, i.e., there exists some z ∈ (Su0 − u) ∩ (Sv0 − v) for
distinct lattice points u, v ∈ L. It follows that x = z + u, y = z + v ∈ S 0 are two distinct points in S 0
whose difference x − y = u − v ∈ L is a lattice point.
Finally, we have 2x, −2y ∈ S by definition of S 0 and central symmetry of S, and their midpoint
(2x − 2y)/2 = x − y ∈ S by convexity.
√
Corollary 2.15 (Minkowski’s First Theorem). For any lattice L, we have λ1 (L) ≤ n · det(L)1/n .

Notice that this bound “scales properly:” if we scale the lattice (and hence its minimum distance) by a c
factor, the determinant scales by a cn factor, hence the bound also scales by a c factor.

Proof. Without loss of generality, assume that det(L) = 1 by scaling the lattice by a det(L)−1/n factor,
√ √
which scales λ1 by the same factor. Now take S = n · B̄, the (closed) Euclidean ball of radius n. The cube
[−1, 1]n , which has side length 2 and therefore volume 2n , is strictly contained in S, and so vol(S) > 2n .
Therefore, S contains a nonzero lattice point by Theorem 2.14, and the bound on λ1 follows.

Note that the bound we used on the volume of a ball was somewhat loose. Using pthe exact formula for
the volume of an n-dimensional ball, we can obtain a slightly tighter bound λ1 (L) ≤ n/(2πe) · det(L)1/n ,
which is better by only a constant factor.
Also notice that Minkowski’s bound can be arbitrarily loose: for example, consider the lattice L ⊂√ R2
100
of unit determinant generated by the basis vectors (2 , 0), (0, 2 −100 ). Then λ1 (L) = 2 −100  2.
However, it is known that in general, Minkowski’s bound cannot be improved beyond small constant factors:
√
exist infinite families of n-dimensional, unit-determinant lattices L for which λ1 (L) ≥ C n, where
there p
C ≈ 1/(πe) is some universal positive constant.

5
Lattices in Cryptography Lecture 2 Instructor: Chris Peikert
University of Michigan, Fall 2015 SVP, Gram-Schmidt, LLL Scribe: Hank Carter

1 Shortest Vector Problem

Last time we defined the minimum distance λ1 (L) of a lattice L, and showed that it is upper bounded by
√
n · det(L)1/n (Minkowski’s theorem), but this bound is often very loose. Some natural computational
questions are: given a lattice (specified by some arbitrary basis), can we compute its minimum distance?
Can we find a vector that achieves this distance? Can we find good approximations to these? These are all
versions of the Shortest Vector Problem, which we now define formally.

Definition 1.1 (Shortest Vector Problem, exact form). The exact form of SVP has three common variants,
which we restrict to integer lattices (and so integral bases) without loss of generality:

1. Decision: given a lattice basis B and a real d > 0, distinguish between the cases λ1 (L(B)) ≤ d and
λ1 (L(B)) > d.1
2. Calculation: given a lattice basis B, find λ1 (L(B)).
3. Search: given a lattice basis B, find a (nonzero) v ∈ L(B) such that kvk = λ1 (L(B)).

It is obvious that the ability to solve the Calculation version immediately implies the ability to solve
the Decision version. More formally, we say that “Decision reduces to Calculation” and write Decision ≤
Calculation (note the directionality of the statements). The converse (Calculation ≤ Decision) also holds,
since using an oracle for Decision we can solve Calculation via binary search by varying the choice of d.
The only subtlety is that the number of possible values for λ1 must be bounded by 2poly(|B|) , where B is
the bit length of the given basis, in order for the search to succeed in polynomial time. This is indeed the
√
case, because the minimum distance is the square root of an integer, and is between 1 and n det(B)1/n
by Minkowski’s theorem. The latter is bounded by 2poly(|B|) because the determinant can be computed in
polynomial time. It also turns out that the Search version of the problem is also equivalent to the other two
versions; we will see the proof of this later.
Also of great interest and wide applicability are approximate versions of SVP.

Definition 1.2 (Approximate SVP). The γ-approximate Shortest Vector Problem, where γ = γ(n) ≥ 1 is
a function of the dimension n, has the following variants (again restricted to integer lattices):

1. Decision (GapSVPγ ): given a lattice basis B and a positive integer d, distinguish between the cases
λ1 (L(B)) ≤ d and λ1 (L(B)) > γ · d.2
2. Estimation (EstSVPγ ): given a lattice basis B, compute λ1 (L(B)) up to a γ factor, i.e., output some
d ∈ [λ1 (L(B)), γ · λ1 (L(B))].
3. Search (SVPγ ): given a lattice basis B, find a (nonzero) v ∈ L(B) such that 0 < kvk ≤ γ · λ1 (L(B)).

Observe that taking γ = 1 corresponds to the exact versions of the problems, and also that the problems
can only become easier as γ increases. Formally, GapSVPγ 0 ≤ GapSVPγ for any γ 0 ≥ γ (note the
directionality of the reduction), and similarly for SVP.
It is easy to check that
GapSVPγ ≤ EstSVPγ ≤ SVPγ ,
1
Notice that because the lattice is integral, we can restrict to d which are square roots of positive integers, and represent them
by d2 .
2
If λ1 (L(B)) falls between d and γ · d, either answer is acceptable. Alternatively, this version can be considered as a “promise
problem,” where the input B is guaranteed to satisfy one of the two cases.

1
i.e., being able to solve Search implies being able to solve Estimation, which implies being able to solve
Decision. It can also be seen that EstSVPγ ≤ GapSVPγ , again using a binary search technique. So these
two variants are equivalent, and we usually deal with just GapSVPγ . However, and perhaps surprisingly, for
“interesting” γ > 1 it is currently unknown if solving decision is equivalent to solving search! The “interesting”
qualifier is needed to rule out very large γ ≈ 2n , for which both versions are solvable in polynomial time (as
we will see shortly), and hence trivially equivalent.

Open Problem 1.3. Prove or disprove that SVPγ ≤ GapSVPγ for some (or all) nontrivial γ > 1.

In the remainder of the lecture we will develop tools that allow us to efficiently compute bounds on the
minimum distance, and even find relatively short nonzero lattice vectors.

2 Gram-Schmidt Orthogonalization
For linearly independent vectors b1 , . . . , bn ∈ Rn , we define the Gram-Schmidt orthogonalized vectors
b
e1, . . . , b e 1 = b1 , and then for j = 2, . . . , n, we define b
e n via an iterative process. First we define b e j to
be the component of bj orthogonal to span(b1 , . . . , bj−1 ) = span(b1 , . . . , bj−1 ), the linear span of the
e e
previous vectors. Symbolically, we define

b
e 1 := b1 ,
e 2 := b2 − µ1,2 · b
b e1 where µ1,2 = hb2 , b
e 1 i/hb e 1 i,
e1, b
..
.
X
e j := bj −
b µi,j · b
ej where µi,j = hbj , b
e i i/hb e j i.
ej , b
i<j

We can verify that the vectors b

e j are mutually orthogonal. For example,

hb e 1 i = hb2 , b
e2, b e 1 i − µ1,2 · hb e 1 i = 0.
e1, b

The general case can then be proved by induction.

b2
b
e 1 = b1
b
e2

Figure 1: An example of Gram-Schmidt orthogonalization and a (partial) tiling by the fundamental paral-
lelepiped of the resulting vectors.

2
 It is often very convenient to view the orthogonalization process as corresponding to the following
(unique) matrix factorization:
   
1 µ1,2 · · · µ1,n
   1 · · · µ2,n 
B = b 1 b2 · · · bn  ·  .. ,
e e e   
. .
   . . 
1
| {z } | {z }
B
e U

where the matrix U ∈ Rn×n is upper unitriangular (i.e., upper triangular with 1s on the diagonal) and hence
has determinant one.3
We can further factor out the lengths of the columns b
e i of B,e obtaining
 e 
kb1 k
 kb
e2k 
e =Q·
B

 . .

 . 
kbn k
e
| {z }
D
where Q is an orthogonal matrix, i.e., Qt Q
= I. This is because its columns are the mutually orthogonal
unit vectors b e i k. Altogether, we have the (unique) factorization
e i /kb

B = QDU (2.1)

for orthogonal Q, diagonal D with positive diagonal entries, and upper-unitriangular U. This also corresponds
to the so-called “QR” factorization B = QR, where R = DU is an upper-triangular real matrix having
diagonal entries kb
e i k.
In the context of lattices, we can usually ignore the orthogonal matrix Q, taking it to be the identity
matrix without loss of generality. This is because Q simply acts as a rigid rotation of Rn , and therefore
preserves all the main geometrical properties of the space (Euclidean norms, volumes, etc.). Therefore, we
can usually focus on just D and U.4
The Gram-Schmidt vectors have many important connections with the geometry of the lattice.

Lemma 2.1. For any lattice L = L(B), we have det(L) = ni=1 kb

Q e i k.
Qn
Proof. We have det(L) = det(B) = det(Q) det(D) det(U) = det(D) = i=1 kbi k.
e

Lemma 2.2. For any lattice L = L(B), the body P(B) e · [− 1 , 1 )n is a fundamental region of L.
e =B
2 2

e is Q kb
Proof. You will prove this in the homework. (Notice that the volume of P(B) e i k, as expected.)
i

A very useful fact is that the Gram-Schmidt vectors gives a lower bound on the lattice minimum distance.
3
However, U is not necessarily unimodular because the µi,j are not necessarily integers. Therefore, Be is not necessarily a basis
of the lattice generated by B.
4
This all can be made formal by working with the so-called Gram matrix Bt B = Ut D(Qt Q)DU = Ut D2 U of the basis B,
which characterizes B up to rigid rotations. Essentially all lattice algorithms and mathematical analyses can be made to work with a
Gram matrix instead of a basis.

3
Lemma 2.3. For any lattice L = L(B), we have λ1 (L) ≥ mini kb
e i k.

Proof. Let’s first develop some intuition in the two-dimensional case. We can partition the lattice points
v = Bz into “slices” according to the integer coefficient z2 of b2 . If this coefficient is zero, then v is in
the sublattice L(b1 ), which obviously has minimum distance kb1 k = kb e 1 k. Otherwise, v lies in the affine
subspace z2 b2 + span(b1 ), which is at distance |z2 | · kb2 k ≥ kb2 k from the origin, and hence kvk ≥ kb
e e e 2 k.
So altogether, kvk ≥ min{kb e 1 k, kb
e 2 k}.

b2
b
e2

b1

Figure 2: A two-dimensional lattice partitioned into “slices” according to the integer coefficient of b2 .

To prove the claim formally (in n dimensions), let B = DU be the unique factorization from Equa-
tion (2.1), where as noted above we can assume Q = I without loss of generality. Let v = Bz for nonzero
z ∈ Zn be an arbitrary nonzero lattice point, and let zi be the last nonzero entry of z. Then, letting ?s denote
arbitrary real numbers, we have
     
  ? ? ?
1 ? ? ··· ?   ?  ? 
 1 ? · · · ?  ?     
  zi  zi  kb e i kzi 
v = Bz = D 
 1 · · · ? 0 = D0 =  0 ,
     
 ..       
. ?  . .  . 
 ..   ..   .. 

1
0 0 0

which, because |zi | ≥ 1, implies that kvk ≥ kb

e i k.

Combining Minkowski’s inequality with Lemmas 2.1 and 2.3, we have now have the following bounds
on the minimum distance:
n 1/n
√ √
Y
minkb e i k ≤ λ1 (L(B)) ≤ n · kbeik = n · GM(kbk e ),
i (2.2)
i
i=1

where GM denotes the geometric mean. While this allows us to bound λ1 from above and below in terms of
the Gram-Schmidt vectors, in the homework you will show that in general, these bounds can be arbitrarily
loose (simultaneously), even in small dimensions.

3 Lenstra-Lenstra-Lovász (LLL) Algorithm

The LLL algorithm yields a polynomial-time solution to search-SVPγ with an approximation factor γ =
2(n−1)/2 , which is exponential in the dimension.5 While such a large factor may seem unimpressive at
√
5
Actually, the algorithm can be tuned to yield an approximation factor as small as γ = (2/ 3)n , but this is still exponential in n.

4
first, it is nontrivial because it depends only on the dimension n of the lattice; by contrast, the bounds from
Equation (2.2) depend on the lengths of the given basis vectors, which can be arbitrarily large. Also, an
exponential approximation factor can be very useful when the dimension n is small, or when a shortest
nonzero lattice vector is much shorter than all other non-parallel lattice vectors, which are the case in many
applications of LLL.
The LLL algorithm converts an arbitrary lattice basis into one that generates the same lattice, and which
is “reduced” in the following sense (the notations µi,j and b
e i refer to the Gram-Schmidt orthogonalization as
in the previous section):

Definition 3.1. A lattice basis B is LLL-reduced if the following two conditions are met:

1. For every i < j, we have |µi,j | ≤ 12 . (Such a basis is said to be “size reduced.”)
e i k2 ≤ kµi,i+1 b
2. For every 1 ≤ i < n, we have 43 kb e i+1 k2 .
ei + b (This is the “Lovász condition.”)

The LLL conditions ensure that the lengths of the Gram-Schmidt vectors do not “decrease too quickly:”
e i+1 k2 ≥ 1 kb
Lemma 3.2. In an LLL-reduced basis B, we have kb e i k2 for all 1 ≤ i < n.
2

Proof. Since the Gram-Schmidt vectors are mutually orthogonal, by the Pythagorean theorem we have
3 e 2 e i+1 k2
kbi k ≤ kµi,i+1 bei + b
4
e i k2 + kb
= µ2i,i+1 · kb e i+1 k2
1 e 2 2
≤ kb i k + kbi+1 k .
e
4
The claim follows by collecting like terms.

Because the Gram-Schmidt vectors give a lower bound on the lattice minimum distance, it follows that
the first vector in an LLL-reduced basis approximates a shortest lattice vector:

Corollary 3.3. In an LLL-reduced basis B, we have kb1 k ≤ 2(n−1)/2 · λ1 (L(B)).

e 1 , so kb1 k = kb
Proof. Recall that b1 = b e 1 k. By Lemma 3.2, we also have kb
e i+1 k ≥ √1 kb
eik for every
2
1 ≤ i < n. Therefore,
kb1 k ≤ 2(i−1)/2 · kb
e i k ≤ 2(n−1)/2 · kb
eik

for all i. From this and Lemma 2.3 we conclude that kb1 k ≤ 2(n−1)/2 · mini kb
e i k ≤ 2(n−1)/2 · λ1 (L(B)).

We will describe the LLL algorithm itself (and its analysis) in the next lecture.

5
Lattices in Cryptography Lecture 3 Instructor: Chris Peikert
University of Michigan, Fall 2015 LLL, Coppersmith Scribe: Yan Wang

1 The LLL Algorithm

Recall the definition of an LLL-reduced lattice basis.

Definition 1.1. A lattice basis B is LLL-reduced if the following two conditions are met:

1. For every i < j, we have |µi,j | ≤ 12 . (Such a basis is said to be “sized reduced.”)
e i k2 ≤ kµi,i+1 b
2. For every 1 ≤ i < n, we have 43 kb e i+1 k2 .
ei + b (This is the “Lovász condition.”)

The LLL algorithm works as follows: given an integral input basis B ∈ Zn×n (the integrality condition is
without loss of generality), do the following:

1. Compute B,
e the Gram-Schmidt orthogonalized vectors of B.
2. Let B ← SizeReduce(B).
(This algorithm, defined below, ensures that the basis is size reduced, and does not change L(B) or B.) e
e i k2 > kµi,i+1 b
3. If there exists 1 ≤ i < n for which the Lovász condition is violated, i.e., 34 kb e i+1 k2 ,
ei + b
then swap bi and bi+1 and go back to Step 1. Otherwise, output B.

The idea behind the SizeReduce(B) subroutine is, in the Gram-Schmidt decomposition B = B e · U, to
shift the entries in the upper triangle of U by integers (via unimodular transformations), so that they lie in
[− 12 , 21 ). Because changing an entry of U may affect the ones above it (but not below it) in the same column,
we must make the changes upward in each column. Formally, the algorithm works as follows:

• For each j = 2, . . . , n (in any order) and i = j − 1 down to 1, let bj ← bj − bµi,j e · bi , where
µi,j = hbj , b
e i i/hb e i i is the (i, j)th entry of the upper-unitriangular matrix in the Gram-Schmidt
ei, b
decomposition of the current basis B. (Note that previous iterations can change this matrix.)
In matrix form, in the (i, j)th iteration we are letting B ← B · W, where W is the upper unitriangular
matrix with just one potentially nonzero off-diagonal entry −bµi,j e, at position (i, j).

We make a few important observations about the SizeReduce algorithm. First, it clearly runs in time poly-
nomial in the bit length of the input basis B. Second, even though B may change, the Gram-Schmidt vectors
B
e are preserved throughout, because the only changes to B are via multiplication by upper-unitriangular
matrices, i.e., if B = B e · U is the Gram-Schmidt decomposition prior to some iteration, then B = B e · (UW)
is the decomposition afterward, since UW is upper unitriangular. Finally, the (i, j)th iteration ensures that
the value hbj , be i i/hb e i i ∈ [− 1 , 1 ) (by definition of µi,j ), and following the iteration, that value never
ei, b
2 2
changes, because bk is orthogonal to b e i for all k < i. (This is why it important that we loop from i = j − 1
down to 1; bk may not be orthogonal to b e i for k > i.) Putting these observation together, we have the
following lemma on the correctness of SizeReduce.

Lemma 1.2. Given an integral basis B ∈ Zn×n with Gram-Schmidt decomposition B = B e · U, the
SizeReduce algorithm outputs a basis B of L = L(B) having Gram-Schmidt decomposition B0 = B
0 e · U0 ,
0 1 1
where every entry ui,j for i < j is in [− 2 , 2 ).

We now state the main theorem about the LLL algorithm.

Theorem 1.3. Given an integral basis B ∈ Zn×n , the LLL algorithm outputs an LLL-reduced basis of
L = L(B) in time poly(n, |B|), where |B| denotes the bit length of the input basis.

1
 The remainder of this section is dedicated to an (almost complete) proof of this theorem. First, it is clear
that the LLL algorithm, if it ever terminates, is correct: all the operations on the input basis preserve the
lattice it generates, and the algorithms terminates only when the basis is LLL-reduced.
We next prove that the number of iterations is O(N ) for some N = poly(n, |B|). This uses a clever
“potential argument,” which assigns a value to all the intermediate bases produced by the algorithm. We show
three facts: that the potential starts out no larger than 2N , that itp
never drops below 1, and that each iteration
of the algorithm decreases the potential by a factor of at least 4/3 > 1. This implies that the number of
iterations is at most log√4/3 2N = O(N ).
The potential function is defined as follows: for a basis B = (b1 , . . . , bn ), let Li = L(b1 , . . . , bi ) for
each 1 ≤ i ≤ n. The potential is the product of these lattices’ determinants:
n
Y n 
Y  Yn
Φ(B) := det(Li ) = kb
e 1 k · · · kb
eik = e i kn−i+1 .
kb
i=1 i=1 i=1

Claim 1.4. The potential of the initial input basis B is at most 2N where N = poly(n, |B|), and every
intermediate basis the algorithm produces has potential at least 1.
2
Proof. The potential of the original basis B is clearly bounded by ni=1 kbi kn ≤ maxi kbi kn = 2poly(n,|B|) .
Q
Every intermediate basis is integral and has positive integer determinant, hence so do the lattices Li associated
with that basis. Therefore, the potential of that basis is at least 1.

We next analyze how the potential changes when we perform a swap in Step 3.

Claim 1.5. Suppose bi and bi+1 are swapped in Step 3, and let the resulting basis be denoted B0 . Then
e0 = b
b e 0 = µi,i+1 b
e j for all j 6∈ {i, i + 1}, and b ei + b
e i+1 .
j i

Proof. For j < i, the vector b e 0 is unaffected by the swap, because by definition it is the component of
j
bj = bj orthogonal to span(b1 , . . . , b0j−1 ) = span(b1 , . . . , bj−1 ). Similarly, for j > i + 1, the vector b
0 0 e0
j
0 0 0
is the component of bj = bj orthogonal to span(b1 , . . . , bj−1 ) = span(b1 , . . . , bj−1 ), where the equality
holds because both bi and bi+1 are in the span. Finally, b e 0 is the component of b0 = bi+1 orthogonal to
i i
span(b01 , . . . , b0i−1 ) = span(b1 , . . . , bi−1 ), which is µi,i+1 b
ei + b e i+1 by construction.

Lemma 1.6. Suppose bi and bi+1 are swapped in Step 3, and let the resulting basis be denoted B0 . Then
Φ(B0 )/Φ(B) < 3/4.
p

Proof. Let Li = L(b1 , . . . , bi−1 , bi ) and L0i = L(b1 , . . . , bi−1 , bi+1 ). By Claim 1.5, we have

Φ(B0 ) det(L0i ) kb
e 1 k · · · kbe i−1 kkµi,i+1 b e i+1 k
ei + b kµi,i+1 b e i+1 k p
ei + b
= = = < 3/4,
Φ(B) det(Li ) kb e 1 k · · · kb
e i−1 kkb
eik kbeik

where the last inequality follows from the Lovász condition.

This completes the proof that the number of iterations is O(N ) = poly(n, |B|). Moreover, each iteration
of the algorithm is polynomial time in the bit length of the current basis. However, this does not necessarily
guarantee that the LLL algorithm is polynomial time overall, since the bit length of the intermediate bases
could increase with each iteration. (For example, if the bit length doubled in each iteration, then by the end

2
the bit length would be exponential in n.) To it suffices to show that the sizes of all intermediate bases are
polynomial in the size of the original basis. This turns out to be the case, due to the size-reduction step. The
proof of this fact is somewhat grungy and uninteresting, though, so we won’t cover it.
We conclude with some final remarks about the LLL algorithm. The factor 3/4 in the Lovász condition
is just for convenience of analysis. We can use any constant between 1/4 and 1, which yields a tradeoff
between the final approximation factor and the number of iterations, but these will still remain exponential
(in n) and polynomial,
√ respectively. By choosing the factor very close to 1, we can obtain an approximation
factor of (2/ 3)n in polynomial time, but we cannot do any better using LLL. We can get slightly better
2
approximation factors of 2O(n(log log n) )/(log n ) (still in polynomial time) using Schnorr’s generalization of
LLL, where the analogue of the Lovász condition deals with blocks of k ≥ 2 consecutive vectors.

2 Coppersmith’s Method
One nice application of LLL is a technique of Coppersmith that finds all small roots of a polynomial modulo
a given number N (even when the factorization of N is unknown). This technique has been a very powerful
tool in cryptanalysis, as we will see next time.

Theorem 2.1. There is an efficient algorithm that, given any monic, degree-d integer polynomial f (x) ∈ Z[x]
and an integer N , outputs all integers x0 such that |x0 | ≤ B = N 1/d and f (x0 ) = 0 mod N .

We make a few important remarks about the various components of this theorem:

1. When N is prime, i.e., ZN is a finite field, there are efficient algorithms that output all roots of a
given degree-d polynomial f (x) modulo N , of which there are at most d. Similarly, there are efficient
algorithm that factor polynomials over the rationals (or integers). Therefore, the fact that the theorem
handles a composite modulus N is a distinguishing feature.
2. For composite N , the number of roots of f (x) modulo N can be nearly exponential in the bit length
of N , even for quadratic f (x). For example, if N is the product of k distinct primes, then any
square modulo N has exactly 2k distinct square roots. (This follows from the Chinese Remainder
Theorem, since there are two square roots modulo each prime divisor of N .) Since k can be as large as
≈ log N/ log log N , the number of roots can be nearly exponential in log N . Therefore, in general no
efficient algorithm can output all roots of f (x) modulo N ; the restriction to small roots in the theorem
statement circumvents this problem.1
3. The size restriction appears necessary for another reason: knowing two square roots r1 6= ±r2 of a
square modulo a composite N reveals a nontrivial factor of N , as gcd(r1 − r2 , N ). So even if the
number of roots is small, finding them all is still at least as hard as factoring. However, it is easy
to show that a square cannot have more than one “small” square root, of magnitude at most N 1/2 .
Therefore, the theorem does appear to yield an efficient factoring algorithm.2

To highlight the heart of the method, in the remainder of the section we prove the theorem for a weaker
bound of B ≈ N 2/(d(d+1)) . P (We prove the bound B ≈ N 1/d next time.) The strategy is to find another
nonzero polynomial h(x) = hi xi ∈ Z[x] such that:
1
Indeed, the theorem implies that the number of small roots is always polynomially bounded. Surprisingly, this fact did not
appear to be known before Coppersmith’s result!
2
However, it can be used to factor when some partial information about a factor is known.

3
 1. every root of f (x) modulo N is also a root of h(x), and
2. the polynomial h(Bx) is “short,” i.e., |hi B i | < N/(deg(h) + 1) for all i.

For any such h(x), and for any x0 such that |x0 | ≤ B, we have |hi xi0 | ≤ |hi B i | < N/(deg(h) + 1), which
implies that |h(x0 )| < N . Hence, for every small root x0 (such that |x0 | ≤ B) of f (x) modulo N , we have
that h(x0 ) = 0 over the integers (not modulo anything). To find the small roots of f (x) modulo N , we can
therefore factor h(x) over the integers, and test whether each of its (small) roots is a root of f (x) modulo N .
We now give an efficient algorithm to find such an h(x). The basic idea is that adding integer multiples of
the polynomials gi (x) = N xi ∈ Z[x] to f (x) certainly preserves the roots of f modulo N . So we construct
a lattice whose basis corresponds to the coefficient vectors of the polynomials gi (Bx) and f (Bx), find a
short nonzero vector in this lattice, and interpret it as the polynomial h(Bx). The lattice basis is
 
N a0
 BN a1 B 
B2N a2 B 2
 
 
B=

.

 
 B d−1 N d−1
ad−1 B 
Bd

Note that the lattice dimension is d + 1, and that det(B) = B d(d+1)/2 · N d . By running the LLL algorithm
on this basis, we obtain a 2d/2 -approximation v to a shortest vector in L(B). By Minkowski’s bound,
√
kvk ≤ 2d/2 d + 1 · B d/2 · N d/(d+1) = cd · B d/2 · N 1−1/(d+1) ,
√
where cd = 2d/2 d + 1 depends only on the degree d.
Define h(Bx) to be the polynomial whose coefficients are given by v, i.e., h(x) = v0 + (v1 /B)x + · · · +
(vd /B d )xd . Notice that h(x) ∈ Z[X], because B i divides vi for each i by construction of the lattice basis,
and that every root of f (x) modulo N is also a root of h(x) by construction. Finally, we see that

N
|hi B i | = |vi | ≤ kvk < ,
d+1

if we take B < N 2/d(d+1) /c0d where c0d = (cd (d + 1))2/d = O(1) is bounded by a small constant. This
concludes the proof.

4
Lattices in Cryptography Lecture 4 Instructor: Chris Peikert
University of Michigan, Fall 2015 Coppersmith, Cryptanalysis Scribe: Jacob Alperin-Sheriff

1 Coppersmith’s Theorem
Today we prove the “full version” of Coppersmith’s Theorem, stated here.
Theorem 1.1. Let N be a positive integer and f (x) ∈ Z[x] be a monic, degree-d polynomial. There is an
algorithm that, given N and f , efficiently (i.e., in time polynomial in the bit length of the inputs) finds all
integers x0 such that f (x0 ) = 0 mod N and |x0 | ≤ B ≈ N 1/d .

In the theorem statement and what follows, for simplicity of analysis we use ≈ to hide factors which are
polynomial in d and N ε for some arbitrarily small constant ε > 0.1 The remainder of this section is dedicated
to the proof of the theorem.
Last time we considered adding multiples of N · xi to f (x), which preserves the roots of f (x) modulo N .
2
But this only let us obtain a bound of B ≈ N 2/d . To do better, we consider higher powers P of f (x) and N .
That is, our strategy will be to use LLL to efficiently find a nonzero polynomial h(x) = i hi xi ∈ Z[x] of
degree at most n = d(m + 1), for some positive integer m to be determined, such that:
1. Any mod-N root of f is a mod-N m root of h, i.e., if f (x0 ) = 0 mod N then h(x0 ) = 0 mod N m .
2. The polynomial h(Bx) is “short,” i.e., its coefficients hi B i are all less than N m /(n + 1) in magnitude.
From the second property it follows that if |x0 | ≤ B, then
X
|h(x0 )| ≤ |hi B i | < N m .
i

Therefore, by the first property, any small mod-N root of f is a root of h(x) over the integers (not modulo
anything). So, having found h(x), we can efficiently factor it over the integers and check whether each of its
small roots is indeed a root of f (x) modulo N .
To construct a lattice basis that lets us find such an h(x), the first helpful insight is that f (x0 ) = 0 mod N
implies f (x0 )k = 0 mod N k for any positive integer k. To create our lattice basis, we define n = d(m + 1)
polynomials gu,v (x) whose mod-N m roots will include all of the mod-N roots of f (x). Concretely,
gu,v (x) = N m−v f (x)v xu for u ∈ {0, . . . , d − 1}, v ∈ {0, . . . , m}.
We use two important facts about these polynomials. First, f (x) is monic and of degree d, so gu,v (x) has
leading coefficient N m−v and is of degree exactly u + vd. Second, if x0 is a mod-N root of f (x), then x0 is
a mod-N m root of gu,v (x) for all u, v, because N m divides N m−v f (x0 )v .
The basis vectors for our lattice are defined by the coefficients of gu,v (Bx) where, as above, B corresponds
to the bound on the absolute value of the roots. Specifically, the basis is B = [b0 , . . . , bn−1 ], where bu+vd
is the coefficient vector of gu,v (Bx) represented as a polynomial in x. Since gu,v (x) is of degree u + vd with
leading coefficient N m−v , and u + vd runs over {0, . . . , n − 1} as u, v run over their respective ranges, the
basis is triangular, with diagonal entries N m−v B u+vd . A simple calculation then reveals that
det(B) = B n(n−1)/2 · N dm(m+1)/2 .

Running the LLL algorithm on B yields a nonzero vector v ∈ L(B) of length

 1/n
kvk ≤ 2(n−1)/2 det(B)1/n = 2(n−1)/2 B n(n−1)/2 · N dm(m+1)/2
≤ (2B)n/2 · N m/2 .
1
This yields a true bound of B = N 1/d−ε , though with more work the theorem can be proved for B = N 1/d .

1
Setting B ≈ (N 1/d )m/(m+1) , which is N 1/d−ε for large enough (but still polynomially bounded) m, we can
ensure that (2B)n/2 < N m/2 /(n + 1) and therefore that kvk < N m /(n + 1), as required. Reading off the
entries of v as the coefficients of h(Bx) yields a satisfactory polynomial h(x).

2 Cryptanalysis of RSA Variants

One of the most interesting applications of Coppersmith’s algorithm is to attack variants of RSA.

2.1 RSA Recap

The RSA function and cryptosystem (named after its inventors Rivest, Shamir and Adleman) is one of the
most widely used public-key encryption and digital signature schemes in practice.
It is important to differentiate between the RSA function and an RSA-based cryptosystem. The RSA
function is defined as follows. Let N = pq, where p and q are distinct very large primes (according to
current security recommendations, they should be at least 1,000 bits each). Let e be a public “encryption
exponent” such that gcd(e, ϕ(N )) = 1, where ϕ(N ) = |Z∗N | = (p − 1)(q − 1) is the totient function. The
RSA function fe,N : Z∗N → Z∗N is defined by the public values (N, e) as follows:

fe,N (x) := xe mod N.

It is conjectured that, given just N, e, and y = fe,N (x) for a uniformly random x ∈ Z∗N , it is computationally
infeasible to find x. However, one can efficiently invert the RSA function using some extra “trapdoor”
information. Let d be the “decryption exponent” defined by e · d = 1 mod ϕ(N ), which is efficiently
computable given the factorization of N . Then the inverse RSA function is defined as
−1
fe,N (y) := y d mod N.

This indeed inverts the function because, for y = fe,N (x) = xe mod N , we have

y d = (xe )d = (xe·d mod ϕ(N ) ) = x mod N,

where the first inequality holds because the order of the group Z∗N is ϕ(N ). It follows that fe,N is a bijection
(also called a permutation) on Z∗N .

2.2 Low-Exponent Attacks

Because exponentiation modulo huge integers is somewhat computationally expensive, many early proposals
advocated using encryption exponents as small as e = 3 with RSA, due to some significant efficiency
benefits.2 For example, using an encryption exponent of the form e = 2k + 1, one can compute xe using
only k + 1 modular multiplications via the standard “repeated squaring” method. Moreover, the basic RSA
function still appears to be hard to invert (on uniformly random y ∈ Z∗N ) for small e.
Like any other deterministic public-key encryption scheme, the RSA function itself is not a secure
cryptosystem. This is because if an attacker had a guess about the message in a ciphertext c (say, because the
number of possible messages was small), it could easily test whether its guess was correct by encrypting the
message and checking whether the resulting ciphertext matched c. Therefore, one needs to use a randomized
2
Note that one cannot use e = 2 (or any other even e) because it is never coprime with ϕ(N ), which is also even.

2
encryption algorithm. The most obvious way to randomize the RSA function is to append some “padding”
of random bits to the end of the message before encrypting. However, devising a secure padding scheme is
quite difficult and subtle, due to the existence of clever attacks using tools like LLL. Here we describe one
such attack: when e is small and the padding is not long enough, the attack efficiently recovers an encrypted
message M given just two encryptions of M with different paddings.3
We start with a simple “related-message attack,” which is interesting in its own right and will also be a key
component of the padding attack. Note that this attack is on the deterministic version of the RSA function.
Lemma 2.1. Let e = 3 and M1 , M2 ∈ Z∗N satisfy M1 = `(M2 ) mod N , where `(x) = ax + b for some
a, b 6= 0 is a known linear function. Then one can efficiently recover M1 , M2 from C1 = M1e mod N and
C2 = M2e mod N (and the other public information N, e, f ).4

Proof. Define polynomials g1 (x) = `(x)e − C1 , g2 (x) = xe − C2 ∈ ZN [x]. Notice that M2 is a root of
both g1 and g2 , and thus (x − M2 ) is a common divisor of g1 and g2 (here is where we need a 6= 0). If it is
in fact the greatest common divisor (i.e., the common divisor of largest degree), then we can find it using
Euclid’s algorithm.5 We show next that (x − M2 ) is indeed the greatest common divisor.
First observe that for any C ∈ Z∗N , the polynomial x3 − C has only one root modulo N , because the
RSA function is a bijection. As a result, we have g2 (x) = x3 − C2 = (x − M2 )(x2 + β1 x + β0 ), where the
quadratic term is irreducible, so gcd(g1 , g2 ) is either (x − M2 ) or g2 . Since b 6= 0, we have that g2 (x) - g1 (x),
and therefore the greatest common divisor is indeed x − M2 .

We now consider a potential padding method: to encrypt a message M , one appends m uniformly random
bits r ∈ {0, 1}m (for some publicly known value of m), and applies the RSA function:

C = fN,e (M kr).

(Upon decryption, the pad bits are ignored.) Mathematically, this corresponds with transforming M to
2m · M + r for uniformly random r ∈ {0, . . . , 2m − 1}. Note that M must be short enough, and m small
enough, so that the result can be interpreted as an element of Z∗N and unambiguously represents M .
The following theorem shows that if the pad length is too short (as determined by the size of e), then it is
possible to efficiently recover the message M from two distinct encryptions of it. Notice that for e = 3, a
pad length of n/9 ≈ 2,000/9 ≈ 222 is large enough to prevent any repeated pad values with overwhelming
probability, yet it stil provides essentially no security.
Theorem 2.2. Let N have bit length n, and let m ≤ bn/e2 c for e = 3 be the bit length of the pad. Given
two encryptions C1 , C2 of the same message M with arbitrary distinct pads r1 , r2 ∈ {0, . . . , 2m − 1}, one
can efficiently recover M .

Proof. We have M1 = 2m · M + r1 and M2 = 2m · M + r2 for some distinct r1 , r2 ∈ {0, . . . , 2m − 1}. We

define two bivariate polynomials g1 (x, y), g2 (x, y) ∈ ZN [x] as

g1 (x, y) = xe − C1 = xe − M1e
g2 (x, y) = (x + y)e − C2 = (x + y)e − M2e
3
In real-life applications it is quite common to encrypt the same message more than once, e.g., via common protocol headers or
retransmission.
4
It turns out that theorem is “usually” true even for e > 3, but there are rare exceptions.
5
Strictly speaking, Euclid’s algorithm would normally require ZN to be a field, which it is not. However, if Euclid’s algorithm
fails in this setting then it reveals the factorization of N as a side effect, which lets us compute the decryption exponent and the
messages.

3
Essentially, x represents the unknown message, and y represents the unknown pads. Since g1 is independent
of y, we have that (x = M1 , y = ?) is a root of g1 for any value of y. Similarly, (x = M1 , y = r2 − r1 ) is a
root of g2 .
To take the next step, we need a concept called the resultant of two polynomials in a variable x, which is
defined as the product of all the differences between their respective roots:
Y
resx (p(x), q(x)) = (x0 − x1 ).
p(x0 )=q(x1 )=0

In our setting, we treat the bivariate polynomials gi (x, y) as polynomials in x whose coefficients are
polynomials in y (i.e., elements of ZN [y]), which is why resx (g1 , g2 ) is a polynomial in y.
We use a few important facts about the resultant. First, it is clear that resx (p(x), q(x)) = 0 when p, q
have a common root. Second, resx (p, q) = det(Sp,q ), where Sp,q is a square (deg p + deg q)-dimensional
matrix called the Sylvester matrix, whose entries are made up of various shifts of the coefficient vectors of p
and q. Therefore, the resultant can be computed efficiently. Finally, in our setting the x-coefficients of g1
are degree-0 polynomials in y, while the x-coefficients of g2 are polynomials of degree at most e in y. By
definition of the Sylvester matrix, the resultant h(y) = resx (g1 , g2 ) has degree at most e2 in y.
2
We claim that ∆ = r2 − r1 6= 0, which has absolute value |∆| ≤ 2m < N 1/e , is a root of the resultant
h(y) = resx (g1 , g2 ). This is because the univariate polynomials g1 (x, ∆) and g2 (x, ∆) have a common root
x = M1 .
Armed with this information, our attack proceeds as follows. We construct the polynomials g1 , g2 , and
compute the resultant h(y) = resx (g1 , g2 ). Then deg(h(y)) ≤ e2 , and we know that h(y) has ∆ = r2 − r1 6=
2
0 as a root modulo N . We run Coppersmith’s algorithm on h(y), and since |∆| ≤ 2m < N 1/e , we get a
polynomial-length list containing ∆. Trying each element of the list as a candidate ∆, we have a known
(candidate) linear function `(x) = x − ∆ such that M1 = `(M2 ), and we can run the related message attack
from Lemma 2.1.6 One of these runs involves the correct value of ∆ and thus reveals M1 , M2 , and we can
confirm which run does so by re-encrypting and checking against C1 , C2 .

The above is just one of countless Coppersmith-style attacks against variants of RSA and problems
related to factoring, such as:

• Small decryption exponent d: so far the best known attack recovers d if it is less than N 0.292 . This
uses a bivariate version of Coppersmith that lacks a rigorous proof of correctness, but seems to work
well in practice. Important open questions are whether d < N 1/2−ε is attackable (the conjecture is
that it should be), and whether there are rigorously provable variants of Coppersmith for bivariate or
multivariate polynomials.
• Partial secret key exposure: when certain bits of d or the factors p, q of N are exposed, it is often
possible to recover them completely.

6
Note that we have rigorously proved Lemma 2.1 only for the case e = 3, but the attack will work as long as the algorithm from
the lemma actually succeeds.

4
Lattices in Cryptography Lecture 5 Instructor: Chris Peikert
University of Michigan, Fall 2015 Cryptanalysis of Knapsack Crypto Scribe: Eric Crockett

1 The Subset-Sum Problem

We begin by recalling the definition of the subset-sum problem, also called the “knapsack” problem, in its
search form.
Pn
Definition 1.1 (Subset-Sum). Given positive integer weights a = (a1 , . . . , an ) and s = i=1 ai xi =
ha, xi ∈ Z for some bits xi ∈ {0, 1}, find x = (x1 , . . . , xn ).

The subset-sum problem (in its natural decision variant) is NP-complete. However, recall that NP-
completeness is a worst-case notion, i.e., there does not appear to be an efficient algorithm that solves every
instance of subset-sum. Whether or not “most instances” can be solved efficiently, and what “most instances”
even means, is a separate question. As we will see below, certain “structured” instances of subset-sum are
easily solved. Moreover, we will see that if the bit length of the ai is large enough relative to n, subset-sum is
easy to solve for almost every choice of a, using LLL.

2 Knapsack Cryptography
Motivated by the simplicity and NP-completeness of subset-sum, in the late 1970’s there were proposals to
use it as the basis of public-key encryption schemes. In these systems, the public key consists of weights
a = (a1 , . . . an ) chosen from some specified distribution, and to encrypt a message x ∈ {0, 1}n one computes
the ciphertext
s = Enca (x) = ha, xi.
A major advantage of this kind of encryption algorithm is its efficiency: encrypting involves just summing up n
integers, which is much faster than operations like modular exponentiation, as used in other cryptosystems.
As for security, recovering the message x from the ciphertext is equivalent to solving the subset-sum instance
(a, s), which we would like to be hard.1 Of course, the receiver who generated the public key needs to have a
way of decrypting the message. This is achieved by embedding a secret “trapdoor” into the weights, which
allows the receiver to convert the subset-sum instance into an easily solvable one.
One class of easily solved subset-sum instances involves weights of the following type.
Pi−1
Definition 2.1. A superincreasing sequence a = (a1 , . . . , an ) is one where ai > j=1 aj for all i.

Given any
Pn−1 superincreasing sequence a and s = ha, xi, it is easy to find x: observe that xn = 1 if and only
if s > j=1 ai . Having found xn , we can then recursively solve the instance (a0 = (a1 , . . . , an−1 ), s0 =
s − an xn ), which still involves superincreasing weights.
Of course, we cannot use a superincreasing sequence as the public key, or it would be trivial for an
eavesdropper to decrypt. The final idea is to embed a superincreasing sequence into a “random-looking”
public key, along with a trapdoor that lets us convert the latter back to the former. The original method of
doing so, proposed by Merkle and Hellman, works as follows:

1. Start with some superincreasing sequence b = (b1 , . . . , bn ).

2. Choose some modulus m > ni=1 bi , uniformly random w ← Z∗m , and uniformly random permuta-
P
tion π on {1, . . . , n}.
1
We ignore the fact that accepted notions of security for encryption require much more than hardness of recovering the entire
message. However, if the message is easy to recover by an eavesdropper, then the scheme is clearly insecure.

1
 3. Let ai = w · bπ(i) mod m. The public key is a = (a1 , . . . , an ), and the trapdoor is (m, w, π).
The encryption of a message x ∈ {0, 1}n is then
n
X
s = Enca (x) = hveca, xi = w · bπ(i) xi .
i=1

Given the trapdoor (m, w, π), we can decrypt s as follows: simply compute
n
X
0 −1
s =w s= bπ(i) xi mod m,
i=1

and then solve the subset-sum problem for the (permuted) superincreasing b and 0 0
Pns , where we identify0 s
with its canonical integer representative in {0, . . . , m − 1}. This works because i=1 bπ(i) xi < m, so s is
the true subset-sum (not modulo anything).
It turns out that some care is needed in choosing the superincreasing sequence b1 , . . . , bn . For example,
the natural choice of bi = 2i−1 ends up admitting some simple attacks. We won’t discuss this issue in any
detail, because it turns out that the Merkle-Hellman scheme (and almost all of its subsequent variants) can be
broken using tools like LLL, regardless of what superincreasing sequence is used.

3 Lattice Attacks on Knapsack Cryptography

In 1982, Shamir showed how to break the basic Merkle-Hellman class of schemes. His attack used Lenstra’s
polynomial-time algorithm for fixed-dimension integer programming, which uses LLL as a subroutine.
(Shamir’s attack has been extended to break many subsequent versions of the Merkle-Hellman system.)
Shortly thereafter, Lagarias and Odlyzko gave an incomparable attack, later simplified by Frieze, that solves
almost all instances of “low-density” subset-sum problems.
Definition 3.1. The density of a subset-sum instance is n/ maxi log ai .
Theorem 3.2 (Lagarias-Odlyzko, Frieze). There is an efficient algorithm that, given uniformly random and
2
independent weights a1 , . . . , an ∈ {1, . . . , X}, where X ≥ 2n (1/2+ε) for some arbitrary constant ε > 0,
2
and s = ha, xi for some arbitrary x ∈ {0, 1}n , outputs x with probability 1 − 2−n (ε−o(1)) over the choice
of the ai .
Notice that the density of the above subset-sum instances is roughly 2/n.
Proof. We are given a subset-sum instance (a =P(a1 , . . . , an ), s = ha, xi) for some Px ∈ {0, 1}n . Without
loss of generality, we may assume that s ≥ ( i ai )/2: if not, we replace s by ( ni=1 ai ) − s, which
corresponds to flipping all the bits of x. Note that this assumption implies that x 6= 0.
The main idea is to define a lattice where not only is x a shortest nonzero lattice vector, but all lattice
vectors not parallel to x are vastly longer, by a factor of 2n/2 or more. Then because LLL gives a 2n/2 -factor
approximation√to the shortest lattice vector, it must yield x.
Let B = d n · 2n e, and define the lattice L = L(B) using the basis
 
1

 1 

B=
 . ..  ∈ Z(n+1)×(n+1) .

 
 1 
−Ba1 −Ba2 . . . −Ban Bs

2
Clearly, ( x0 ) ∈ L. As we will see in a moment, the B factor in the last row serves to amplify the norms of
lattice vectors that do not correspond to exact equalities s = ha, zi for z ∈ Zn .
The algorithm simply runs LLL on the above basis B to obtain a nonzero lattice vector whose length is
within a 2n/2 factor of λ1 (L). The following analysis shows that with high probability, the obtained vector is
of the form k( x0 ) for some nonzero integer k, which reveals the solution x ∈ {0, 1}n .
√
Notice that Bz = ( x0 ) ∈ L is a nonzero lattice vector, and has norm at most n. Also, any lattice vector
has a final coordinate divisible by B, and if this coordinate is nonzero, then the vector has length at least
B > 2n/2 · kxk ≥ 2n/2 · λ1 (L). Therefore, LLL always yields some nonzero lattice vector whose final
√
coordinate is zero, and whose norm is at most 2n/2 n. We next show that with high probability, nonzero
integer multiples of ( x0 ) are the only such lattice vectors; therefore, LLL must return one of these.
√
Consider an arbitrary nonzero vector ( z0 ) ∈ Zn+1 , where kzk ≤ 2n/2 n and z is not an integer multiple
z
of x. We want to bound the probability that this vector is in L, i.e., the probability that ( z0 ) = B( zn+1 ) for
some zn+1 ∈ Z. In such an event, we have
n
X
s · |zn+1 | = |s · zn+1 | = |ha, zi| ≤ kzk ai ≤ 2kzks,
i=1

so |zn+1 | ≤ 2kzk. Fix any such zn+1 . In order for ( z0 ) to be in L, it must be the case that

ha, zi = zn+1 · s = zn+1 ha, xi,

which implies that ha, yi = 0 where y = z−zn+1 x. Since z is not an integer multiple of x, some
P yi 6= 0, and
we can assume that without loss of generality that i = 1. Therefore, we must have a1 = −( ni=2 ai yi )/y1 .
With these observations, for any fixed z, zn+1 satisfying the above constraints, the probability that
( z0 ) ∈ L is bounded by
n
" #
X
Pr[ha, yi = 0] = Pr a1 = −( ai yi )/y1 ≤ 1/X,
ai a1
i=2

because the ai are chosen uniformly from {1, . . . , X}. Finally, we apply the union bound over all legal
√
choices of z, zn+1 . Because kzk ≤ 2n/2 n ≤ B, each coordinate of z has magnitude at most B, and
similarly, |zn+1 | ≤ 2kzk ≤ 2B. Therefore, the number of choices for z, zn+1 is at most
2 (1/2+o(1))
(2B + 1)n · (4B + 1) ≤ (5B)n+1 ≤ 2n .
2
Because X = 2n (1/2+ε) for some constant ε > 0, the probability that there exists any ( z0 ) ∈ L satisfying
2
the above constraints is at most 2−n (ε−o(1)) , as claimed.
√
Variants. We showed that, except for integer multiples of ( x0 ), no lattice vector has length less than 2n/2 n.
So, LLL’s approximation factor of 2n/2 guarantees that it returns k( x0 ) for some nonzero integer k. Inspecting
the analysis, the 2n/2 factor accounts for the density bound of 2/n.
What if we had an algorithm that achieves a better approximation factor, e.g., one that solves SVP exactly,
or to within a poly(n) factor? For a density of about 1/1.6, following the same kind of argument, but with
tighter bounds on the number of allowed z, one can show that ±( x0 ) are the only shortest vectors in the lattice
(with high probability). Similarly, for density 1/Θ(log n), one can show that all lattice vectors not parallel to
( x0 ) are some poly(n) factor longer than it. However, at densities above 2/3 or so, ( x0 ) may no longer be a
shortest nonzero vector in the lattice, so even an exact-SVP oracle might not reveal a subset-sum solution.

3
Lattices in Cryptography Lecture 6 Instructor: Chris Peikert
University of Michigan, Fall 2015 Algorithms for SVP, CVP Scribe: Sam Kim

1 The Shortest and Closest Vector Problems

Recall the definition of the approximate Shortest Vector Problem. (The exact version is obtained by taking
γ = 1, which is implicit when γ is omitted.)

Definition 1.1. For γ = γ(n) ≥ 1, the γ-approximate Shortest Vector Problem SVPγ is: given a basis B of
a lattice L = L(B) ⊂ Rn , find some nonzero v ∈ L such that kvk ≤ γ(n) · λ1 (L).

A closely related inhomogeneous variant is the approximate Closest Vector Problem.

Definition 1.2. For γ = γ(n) ≥ 1, the γ-approximate Closest Vector Problem CVPγ is: given a basis B
of a lattice L = L(B) ⊂ Rn and a point t ∈ Rn , find some v ∈ L such that kt − vk ≤ γ(n) · dist(t, L).
Equivalently, find an element of the lattice coset t + L having norm at most γ(n) · λ(t + L), where
λ(t + L) := minx∈t+L kxk = dist(t, L).

Above we have used the fact that dist(t, L) = minv∈L kt − vk = minx∈t+L kxk, because L = −L.
The two versions of CVP are equivalent by associating each v ∈ L with t − v ∈ t + L, and vice versa.
Although the former version of the problem is the more “obvious” formulation, the latter version is often
more convenient in algorithmic settings, so we will use it throughout these notes.
We first show that SVPγ is no harder than CVPγ ; more specifically, given an oracle for CVPγ we can
solve SVPγ efficiently.

Theorem 1.3. For any γ ≥ 1, we have SVPγ ≤ CVPγ via a Cook reduction.

Proof. Consider the following algorithm that, given a lattice basis B = (b1 , . . . , bn ), and CVP oracle O,
outputs some v ∈ L = L(B):

• For each i = 1, . . . , n, compute basis Bi = (b1 , . . . , bi−1 , 2bi , bi+1 , . . . , bn ) and let vi = O(Bi , bi ).
• Output one of the vi that has minimal length kvi k.

We claim that this algorithm solves SVPγ , i.e., it returns some nonzero lattice vector of length at most
γ · λ1 (L).
First observe that for each i, the lattice Li = L(Bi ) ⊂ L consists of all those vectors in L whose
bi -coordinate is even, whereas the coset bi + Li ⊂ L consists of all those whose bi -coordinate is odd.
Therefore, 0 6∈ bi + Li for all i, so λ(bi + Li ) ≥ λ1 (L). Moreover, if v ∈ L is any shortest nonzero lattice
vector, then at least one of its coefficients with respect to B must be odd, otherwise v/2 ∈ L would be a
shorter nonzero lattice vector. Therefore, v ∈ bi + Li for at least one i, and so λ(bi + Li ) = λ1 (L) for all
such i.
Now by hypothesis on O, for every i we have vi ∈ bi + Li ⊂ L \ {0} and kvi k ≤ γ · λ(bi + Li ). Since
λ(bi + Li ) = λ1 (L) for at least one i, some kvi k ≤ γ · λ1 (L), and correctness follows.

We note that essentially the same reduction works for the decisional variants GapSVPγ and GapCVPγ of
the problems, where instead of returning vectors vi , the oracle O returns yes/no answers, and the reduction
outputs the logical OR of all the answers.

1
1.1 Algorithms for SVP and CVP
The following are some historical milestones in algorithms for SVP and CVP (for simplicity, we ignore
polynomial factors in the dimension n and bit length of the input basis):
• Using the LLL algorithm and brute-force search over coefficient vectors, one can get an algorithm that
2
solves SVP and CVP in 2O(n ) time and poly(n) space.
• In 1983, Kannan gave deterministic algorithms that solve SVP and CVP in nO(n) = 2O(n log n) time
and poly(n) space.
• In 2001, Ajtai, Kumar, and Sivakumar (AKS) gave randomized “sieve” algorithms that solve SVP
and CVP1+ε (for any constant ε > 0) in singly exponential 2O(n) time and space. (For CVP1+ε , the
exponent in the running time depends inversely on ε.)
• In 2010, Micciancio and Voulgaris (MV) gave a deterministic algorithm that solves CVP (and hence
SVP and other problems) in 22n time and 2n space.
• In 2015, Aggarwal, Dadush, Regev, and Stephens-Davidowitz gave a randomized algorithm that solves
SVP in 2n time and space (note that the exponent here is exactly one). A follow-up work by Aggarwal,
Dadush, and Stephens-Davidowitz obtained a similar result for CVP.
It is an important open question whether there exists a singly exponential-time (or better) algorithm that uses
only polynomial space, or even subexponential space.

2 The Micciancio-Voulgaris Algorithm for CVP

The MV algorithm solves CVP on any n-dimensional lattice in 2O(n) time (for simplicity, we ignore
polynomial factors in the input length). It is based around the (closed) Voronoi cell of the lattice, which, to
recall, is the set of all points in Rn that are as close or closer to the origin than to any other lattice point:

V̄(L) = {x ∈ Rn : kxk ≤ kx − vk ∀ v ∈ L \ {0}}.

We often omit the argument L when it is clear from context. From the definition it can be seen that for any
coset t + L, the set (t + L) ∩ V̄ consists of all the shortest elements of t + L. For any lattice point v, define
the halfspace

Hv = {x : kxk ≤ kx − vk}
= {x : 2hx, vi ≤ hv, vi}.

It is easy to seeTthat V̄ is the intersection of Hv over all v ∈ L \ {0}. The minimal set V of lattice vectors
such that V̄ = v∈V Hv is called the set of Voronoi-relevant vectors; we often call them relevant vectors for
short. The following characterizes the relevant vectors of a lattice:
Fact 2.1 (Voronoi). A nonzero lattice vector v ∈ L \ {0} is relevant if and only if ±v are the only shortest
vectors in the coset v + 2L.

Corollary 2.2. An n-dimensional lattice has at most 2(2n − 1) ≤ 2n+1 relevant vectors.

Proof. Every relevant vector belongs to some nonzero coset of L/2L, of which there exactly 2n − 1. By the
above, there are at most two relevant vectors in each such coset.

2
 The MV algorithm has the following high-level structure. Given a basis B of a lattice L = L(B) and a
target point t defining a coset t + L, the algorithm works as follows:

1. Compute a description of the Voronoi cell V̄(L), as a list containing all the relevant vectors v ∈ L, of
which there are at most 2n+1 = 2O(n) . (The possibly exponential number of relevant vectors is the
sole reason for the algorithm’s exponential space complexity.)
Note that this “preprocessing” phase depends only on the lattice L, not the target t, so it can be
performed before the target is known, and the result can be reused for additional targets.

2. Use the relevant vectors to “walk,” starting from t, through a sequence of vectors in the coset t + L
by adding appropriately chosen lattice vectors to the target. The walk finally terminates at a point in
(t + L) ∩ V̄, which is a solution to the CVP instance.
The walk proceeds in phases, where each phase starts with some tk ∈ (t + L) ∩ 2k · V̄, and outputs
some tk−1 ∈ (t + L) ∩ 2k−1 · V̄. We show below that each phase takes 2O(n) time, and by using LLL
we can ensure that the initial target point t is in 2O(n) · V̄, so the total number of phases is only O(n).
Therefore, the overall runtime of this step is 2O(n) .

2.1 The Walk

We first describe how Step 2, the “walk,” is performed. The first observation is that by a scaling argument, it
suffices to show how to perform the final phase of the walk, which takes some t2 ∈ (t + L) ∩ 2V̄ and outputs
some t1 ∈ (t + L) ∩ V̄. Then all prior phases can be performed using this procedure with a suitable scaling
of the lattice: since 2k · V̄(L) = 2 · V̄(2k−1 L), we can use the procedure on the lattice 2k−1 L (whose relevant
vectors are just 2k−1 -factor scalings of L’s relevant vectors) to go from some tk ∈ (t + L) ∩ 2k · V̄(L) to
some tk−1 ∈ (t + L) ∩ 2k−1 · V̄(L).
The walk from 2V̄ to V̄ works as follows: first, check if our current target t ∈ V̄, by testing if t ∈ Hv for
all v ∈ V ; if so, then simply output t. Otherwise, subtract an appropriately chosen relevant vector v ∈ V
from t and loop. The main question is, which relevant vector should we subtract to ensure that we make
progress, and terminate within 2O(n) iterations?
Recall that if t 6∈ V̄(L), then it lies outside the halfspace Hv , i.e., it violates the inequality 2ht, vi ≤
hv, vi, for some relevant vector v. The MV algorithm greedily chooses a relevant vector v whose inequality
is “most violated,” i.e., it maximizes the ratio 2ht, vi/hv, vi, and subtracts v from t. Observe that for
such v, if we define α = 2ht, vi/hv, vi, then α is the smallest positive real number such that t ∈ αV̄(L); by
assumption, we have 1 < α ≤ 2.

Lemma 2.3. The walk from t2 ∈ (t + L) ∩ 2V̄ to t1 ∈ (t + L) ∩ V̄ terminates within at most 2n iterations.

The above lemma follows by combining two lemmas that we state and prove next. The first shows that
subtracting the chosen v brings the target closer to the origin, while staying within the same multiple of the
Voronoi cell.

Lemma 2.4. For any t ∈

/ V̄, if v ∈ L is a relevant vector maximizing α = 2ht, vi/hv, vi, then t − v ∈ αV̄
and kt − vk < ktk.

Proof. Below we show that t and t − αv have equal norms, and hence that both lie in αV̄. Then because
α > 1, it follows that t − v is on the interior of the line segment between t and t − αv, so kt − vk < ktk
and t − v ∈ αV̄ by convexity of V̄, as claimed.

3
 Because α = 2ht, vi/hv, vi, we have

ktk2 = ht, ti = ht, ti − 2αht, vi + α2 hv, vi = kt − αvk2 .

Now because t ∈ αV̄(L) = V̄(αL), it must be that t is a shortest element of t + αL. Since αv ∈ αL, we
also have t − αv ∈ t + αL. Then because ktk = kt − αvk, we conclude that t − αv is also a shortest
element in t + αL, and so t − αv ∈ αV̄(L).
Finally, because α > 1 and v 6= 0 we have

kt − vk = ktk2 + kvk2 − 2ht, vi = ktk2 − (α − 1)kvk2 < ktk2 .

The second lemma bounds the number of distinct lengths our intermediate target vectors can have.

Lemma 2.5. For any t, let U = (t + L) ∩ 2V̄(L). Then |{kuk : u ∈ U }| ≤ 2n .

Proof. For any t0 ∈ Rn , the points in (t0 + 2L) ∩ 2V̄(L) are the shortest vectors in the coset t0 + 2L, and
therefore all have the same length. Because L is the union of 2n distinct cosets t0 + 2L, we see that t + L is
also the union of 2n cosets of 2L. By partitioning the vectors in U according to these cosets, we conclude
that these vectors have at most 2n distinct lengths overall.

We can now prove Lemma 2.3: since each step strictly decreases the length of the target while keeping it
in 2V̄, and the intermediate targets can take on at most 2n distinct lengths overall, the walk must terminate
within 2n steps. This completes the analysis of the “walk” step.

2.2 Computing the Voronoi Cell

We only summarize the main ideas behind the computation of the Voronoi-relevant vectors of the lattice
L = L(B). The basic idea is the compute them in a “bottom-up” fashion, by iteratively computing the
relevant vectors of the lower-rank lattices L1 = L(b1 ), L2 = L(b1 , b2 ), L3 = L(b1 , b2 , b3 ), etc. Clearly,
the relevant vectors of L1 = L(b1 ) are just {±b1 }.
To iteratively compute the relevant vectors of Li , we use a CVP oracle for Li−1 , which we can implement
using the “walk” step with the already-computed relevant vectors of Li−1 . Here we use Fact 2.1, which says
that every relevant vector v ∈ Li is the (unique, up to sign) shortest vector of some coset t + 2Li for t ∈ Li .
So if we find a shortest vector of each of the 2n such cosets t + 2Li , we will find every relevant vector. (We
might find other non-relevant vectors as well, but these do not interfere with the “walk” step, so they can
safely be retained. In fact, there is a way to check for relevance if desired.)
For each coset t + 2Li , we find a shortest element using our CVP oracle for Li−1 . This is done by
partitioning the coset t+2Li according to the bi coefficient, which yields several “slices” that each correspond
to some coset of 2Li−1 . By using an LLL-reduced basis B we can ensure that the number of slices we need
to inspect is only 2O(n) . For each of the slices we find a shortest element in the corresponding coset, and then
take a shortest one overall to get a shortest element of t + 2Li .
Overall, to find the relevant vectors of Li given those of Li−1 , we need to solve CVP on 2n cosets of
2Li , each of which reduces to solving CVP on 2O(n) cosets of 2Li−1 , each of which takes 2O(n) time using
the “walk” step. So the relevant vectors of Li can be computed in 2O(n) time overall, and hence so can the
relevant vectors of L = L(B).