1 Introduction

Lattice block reduction is a key tool in cryptanalysis, so understanding its potential and its limitations is essential for the security of many cryptosystems. The basic idea of lattice block reduction is to use an oracle that solves the shortest vector problem (SVP) on lattices with low dimension to find short vectors in lattices with larger dimension. Most work in lattice block reduction has focused on BKZ [Sch87, SE94] – the first generalization of the celebrated LLL [LLL82] algorithm, see e.g. [GN08b, HPS11, CN11, Wal15, ADH+19, AWHT16, ABF+20, LN20] to list just a few. Other reduction algorithms are known, like slide reduction [GN08a, ALNS20] and SDBKZ [MW16], which allow proving better bounds on the output quality, but in practice BKZ is still the go-to choice for finding short vectors. Block reduction algorithms are usually judged by the shortness of the vectors they are able to find within a given amount of time. The length of the vector found can be quantified in two different ways: by its ratio with either 1) the shortest non-zero vector of the lattice (the approximation factor) or 2) the (n-th root of the) volume/determinant of the lattice (the Hermite factor).

Slide Reduction. The focus of this work is slide reduction and, to some degree, its generalization to block-Rankin reduction [LN14]. When it was introduced, slide reduction provided the best-known bounds on the approximation and Hermite factor and was easily proved to terminate in a polynomial number of calls to the SVP oracle. Other algorithms achieving the same Hermite factor and terminating in a (smaller) polynomial number of SVP calls are known at this point [MW16, Neu17], but to date, slide reduction still achieves the best bound on the approximation factor. The basic idea of slide reduction is simple: given a basis \(\mathbf {B}\) for an n-dimensional lattice, a block size d that dividesFootnote 1 n and an oracle that solves SVP in dimension d, apply the SVP oracle to the n/d disjoint (projected) blocks \(\left( \mathbf {B}_{[id+1, (i+1)d]}\right) _i\) of the basis. Then apply the oracle to the dual of the blocks shifted by 1, i.e. to \(\left( \widehat{\mathbf {B}}_{[id+2, (i+1)d + 1]}\right) _i\). This results in “primal” and “dual” blocks that overlap by one index (and \(d-1\) indices). This process is repeated until no more progress is made. The generalization to block-Rankin reduction works similarly, but it solves a more general problem and uses a more general tool. It approximates the densest sublattice problem (DSP) [DM13], which is itself a generalization of SVP, by relying on an oracle that solves the k-DSP in dimension d. (SVP corresponds to 1-DSP.) In this variant, the dual blocks are shifted by k resulting in overlaps of size k. The analysis of this algorithm is a straightforward adaptation of the one for slide reduction. Unfortunately, initial experimental evaluations of slide reduction [GN08a, GN08b] found it to be not competitive in practice with BKZ and so far there has been no research into practical variants of slide reduction and block-Rankin reduction to the best of our knowledge. This is despite the fact that it offers some trivial parallelization, since the disjoint blocks can be processed independently. This is not true for other reduction algorithms and could give slide reduction a considerable advantage in practice, especially because modern SVP solvers are hard to distribute.

Dynamical Systems Analyses. Inspired by the analysis of LLL, [GN08a, LN14] used an analysis based on a potential function to bound the number of oracle calls in slide reduction and block-Rankin reduction. Such an analysis does not work well for BKZ and for a long time it was open if the number of oracle calls in BKZ may be polynomially bounded. This changed when [HPS11] proposed an analysis based on dynamical systems to study BKZ and showed that one can put a polynomial bound on the number of oracle calls while preserving its output quality. Interestingly, this bound was much stronger than the one proven for slide reduction (and block-Rankin reduction) using the potential function. It was conjectured in [HPS11] that applying their approach to slide reduction may give much better bounds than the ones proven in [GN08a, LN14].

A similar analysis was later used to study another reduction algorithm, SDBKZ [MW16], where the analysis was simpler and cleaner. Unfortunately, [MW16] left a gap, where for certain parameterizations of the algorithm the bound on the number of oracle calls was not polynomial. The gap was closed later by [Neu17], using a seemingly different analysis: “simple (and sharper) induction arguments on a bound on the bit sizes”. On closer inspection, it turns out that the analysis of [Neu17] can also be seen as an instance of the typical dynamical systems analysis, but with a small tweak. We make this tweak explicit in Sect. 5, which allows us to apply a similar tweak in our analysis of Slide-type reductions (see below).

1.1 Results

In this work, we consider a class of reduction algorithms that capture natural variants of slide reduction and block-Rankin reduction. We apply the dynamical systems analysis to the algorithms in this class and show that they converge quickly. This implies sharper polynomial-time running time bounds in the query model for slide reduction (when used to find short vectors in terms of the Hermite factor) and block-Rankin reduction.

Theorem 1 (Informal)

Let be an LLL-reduced lattice basis with \(\det (\mathcal {L}(\mathbf {B})) = 1\) and \(\epsilon > 0\) an arbitrary constant. After \(O\left( \frac{n^3}{d k(d-k)} \ln \left( \frac{n}{\epsilon }\right) \right) \) calls to the (kd)-DSP oracle, the output basis of block-Rankin reduction satisfies

$$ \det \left( \mathcal {L}\left( \mathbf {B}_{[1,k]}\right) \right) ^{1/k} \lesssim (1+\epsilon ) \gamma _{k,d}^{\frac{n-k}{2k(d-k)}}. $$

The best previous bound on the number of oracle queries proven in [LN14] is \(O\left( \frac{n^3 \log \max _i \Vert \mathbf {b}_i \Vert }{\epsilon d^2}\right) \). For degenerate cases, \(\max _i \Vert \mathbf {b}_i \Vert \) can be arbitrarily large (within the restriction that its logarithm is polynomial in the input size) even for LLL-reduced bases of lattices with determinant 1. (We focus on lattices with determinant 1 in this work for convenience. This is w.l.o.g. since one can always scale the lattice accordingly.) Theorem 1 confirms the conjecture of [HPS11]. Not only does it give a much stronger bound for slide reduction in case \(k=1\), it also gives a bound for block-Rankin reduction that depends on the overlap k and improves for increasing k. This can be viewed as formalizing the intuition that a larger overlap leads to faster propagation of information within the basis. Of course, solving the DSP for larger k is also harder and thus the complexity of the oracle itself will be larger and so will the overall running time.

In light of this it is natural to replace the DSP oracle by an oracle that approximates the DSP instead of solving it exactly. This suggests a variant, where the DSP problem is approximated using an HKZ oracle. We call this variant HKZ-slide reduction. It is inspired by recent observations in [ADH+19] that modern SVP solvers do not only find the shortest vector but approximately HKZ reduce the head of the basis essentially for free. Compared with slide reduction, increasing the overlap in HKZ-slide reduction decreases the running time at the cost of slightly increasing the length of the shortest vector found. We give heuristic arguments (Sect. 4.1) and experimental evidence (Sect. 4.2) that demonstrate that this trade-off can be very favorable in practice. A well chosen overlap yields a variant of slide reduction that we consider competitive with the state-of-the-art in lattice block reduction [ADH+19]. When interpreting this result, it should be kept in mind that we did not explore all options to fine-tune the oracle to our algorithm and that BKZ has received considerable research effort to arrive at the performance level it is at now. This is not the case for slide reduction. To the best of our knowledge, this work is the first attempt of improving the practical performance of slide reduction beyond speeding up the SVP oracle.

1.2 Techniques

We define a class of algorithms, which we call Slide-type reductions, and use the dynamical systems analysis introduced in [HPS11] to analyze their behavior by studying the properties of a system \(\mathbf {x} \mapsto \mathbf {A} \mathbf {x} + \mathbf {b}\). Here, the variable \(\mathbf {x}\) is a function of the current basis during the execution and \(\mathbf {A}\) and \(\mathbf {b}\) depend on the reduction algorithm (see Sect. 2.2 for details). The fixed point of the system determines the result of the reduction and the norm of \(\mathbf {A}\) its running time. After modeling Slide-type reductions in this way, we confirm that the fixed point yields the expected output quality as was proven in previous work for algorithms that fall into the class of Slide-type reductions, but we are actually more interested in the convergence of the system. Accordingly, we wish to study the norm of \(\mathbf {A}\), which in our case has the following form:

$$\begin{aligned} \mathbf {A} = \begin{pmatrix} 1- 2\beta &{} \beta &{} &{} &{} \\ \beta &{} 1-2\beta &{} \beta &{} &{} \\ &{} &{} \dots &{} \\ &{} &{} \beta &{} 1- 2\beta \end{pmatrix} \end{aligned}$$

for some \(0 < \beta \le 1/4\) that depends on the parameters of the algorithm. Our goal is to bound some norm (induced by some vector p-norm) of \(\mathbf {A}\) away from 1, i.e. show that \(\Vert \mathbf {A} \Vert _p \le 1-\epsilon \) for some large enough \(\epsilon > 0\). Clearly, this does not work for the row or column sum norm (\(p=\infty \) and \(p=1\), respectively), since they are 1. We conjecture that the spectral norm (\(p=2\)) is in fact smaller than 1, but this seems hard to prove directly. Instead, we apply a trick implicitly used by Neumaier [Neu17] to analyze SDBKZ: we apply a change of variable. We make Neumaier’s trick explicit in Sect. 5 and then apply a similar change to our system. This results in a new matrix, for which we can easily bound the row sum norm (\(p=\infty \)), which implies our results.

1.3 Open Problems

Our results show that slide reduction finds short vectors in terms of the Hermite factor much faster than was previously proven. By using a well-known reduction due to Lovász [Lov86], one can also find short vectors in terms of the approximation factor at the cost of calling slide reduction O(n) times, increasing the running time by this factor. However, the resulting approximation factor is somewhat worse than what is proved in [GN08a]. An interesting open problem is whether one can prove that the approximation factor of [GN08a] can also be achieved with a number of oracle calls similar to our bound. Conversely, it might be that achieving this approximation factor does indeed require many more oracle calls.

We show in Sect. 4.2 that our variant of slide reduction is competitive with state-of-the-art reduction algorithms, but does not outperform them. However, given the lack of research into practical variants of slide reduction, we believe this might well be possible. We outline some avenues in Sect. 4.2 to improve our variant.

2 Preliminaries

Notation. Numbers and reals are denoted by lower case letters. For we denote the set \(\{n_1, \dots , n_2\}\) by \([n_1,n_2]\). For vectors we use bold lower case letters and the i-th entry of a vector \(\mathbf {v}\) is denoted by \(v_i\). Let \(\langle \mathbf {v},\mathbf {w}\rangle = \sum _i v_i \cdot w_i\) be the scalar product of two vectors. If \(p \ge 1\) the p norm of a vector \(\mathbf {v}\) is \(\Vert \mathbf {v} \Vert _p = \left( \sum |v_i |^p \right) ^{1/p}\). We will only be concerned with the norms given by \(p = 1\), 2, and \(\infty \). Whenever we omit the subscript p, we mean the standard Euclidean norm, i.e. \(p=2\). Matrices are denoted by bold upper case letters. The i-th column of a matrix \(\mathbf {B}\) is denoted by \(\mathbf {b}_i\) and the entry in row i and column j by \(\mathbf {B}_{i,j}\). For any matrix \(\mathbf {B}\) and \(p \ge 1\) we define the induced norm to be \(\Vert \mathbf {B} \Vert _p = \max _{\Vert \mathbf {x}\Vert _p = 1}\left( \Vert \mathbf {B} \mathbf {x} \Vert _p\right) \). For \(p = 1\) (resp. \(\infty \)) this is often denoted by the column (row) sum norm, since \(\Vert \mathbf {B} \Vert _{1} = \max _{j} \sum _{i} |\mathbf {B}_{i,j}|\) and \(\Vert \mathbf {B} \Vert _{\infty } = \max _{i} \sum _{j} |\mathbf {B}_{i,j}|\); for \(p=2\) this is also known as the spectral norm, i.e. the largest singular value of \(\mathbf {B}\).

2.1 Lattices

A lattice \(\varLambda \) is a discrete subgroup of and is generated by a matrix , i.e. . If \(\mathbf {B}\) has full column rank, it is called a basis of \(\varLambda \) and \(\dim (\varLambda ) = n\) is the dimension (or rank) of \(\varLambda \). Any lattice of dimension larger than 1 has infinitely many bases, which are related to each other by right-multiplication with unimodular matrices. We use the notion of projected subblocks \(\mathbf {B}_{[i,j]}\) for \(i<j< n\), i.e. \(\mathbf {B}_{[i,j]}\) is the matrix consisting of the columns \(\mathbf {b}_i, \mathbf {b}_{i+1}, \dots , \mathbf {b}_j\) projected onto the space orthogonal to . We define the Gram-Schmidt-Orthogonalization (GSO) \(\mathbf {B}^*\) of \(\mathbf {B}\), where the i-th column \(\mathbf {b}^*_i\) of \(\mathbf {B}^*\) is defined as \(\mathbf {b}^*_i = \mathbf {b}_i - \sum _{j < i} \mu _{i,j} \mathbf {b}^*_j\) and \(\mu _{i,j} = \langle \mathbf {b}_i, \mathbf {b}^*_j \rangle / \Vert \mathbf {b}^*_j \Vert ^2 \) (and \(\mathbf {b}^*_1 = \mathbf {b}_1\)). In other words, \(\mathbf {b}_i^* = \mathbf {B}_{[i,i]}\). For every basis of a lattice with dimension larger than 1 there are infinitely many bases that have the same GSO vectors \(\mathbf {b}^*_i\), among which there is a (not necessarily unique) basis that minimizes \(\Vert \mathbf {b}_i \Vert \) for all i. Transforming a basis into this form is commonly known as size-reduction and is easily and efficiently done using a slight modification of the Gram-Schmidt process. In this work, we will implicitly assume all bases to be size-reduced. The reader can simply assume that any basis operation is followed by a size-reduction.

Every lattice \(\varLambda \) has invariants associated to it. One of them is its determinant \(\det \left( \mathcal {L}\left( \mathbf {B}\right) \right) = \prod _i \Vert \mathbf {b}^*_i\Vert \) for any basis \(\mathbf {B}\). Note that this implies that for any two bases \(\mathbf {B}\) and \(\mathbf {B}'\) of the same lattice we have \(\prod _i \Vert \mathbf {b}^*_i\Vert = \prod _i \Vert (\mathbf {b}'_i)^*\Vert \) and the determinant is efficiently computable given any basis. Furthermore, for every lattice \(\varLambda \) we denote the length of its shortest non-zero vector (also known as its first minimum) by \(\lambda _1\left( \varLambda \right) \), which is always well defined. We use the short-hand notations \(\det \left( \mathbf {B}\right) = \det \left( \mathcal {L}\left( \mathbf {B}\right) \right) \) and \(\lambda _1\left( \mathbf {B} \right) = \lambda _1\left( \mathcal {L}\left( \mathbf {B}\right) \right) \) if no confusion may arise.

Hermite’s constant is defined as \(\gamma _n = \sup _{\varLambda :\dim (\varLambda )=n}\left( \lambda _1\left( \varLambda \right) /\det \left( \varLambda \right) \right) ^2\). Minkowski’s theorem is a classic result that shows that \(\gamma _n \le n\). Viewing a shortest vector as the basis of a 1-dimensional sublattice of \(\varLambda \) leads to a straightforward generalization of the first minimum to the densest k-dimensional sublattice \(\mu _k\left( \varLambda \right) = \min _{\varLambda ' \subset \varLambda :\dim \left( \varLambda '\right) = k} \det \left( \varLambda '\right) \). The corresponding generalization of Hermite’s constant is known as Rankin’s constant \(\gamma _{k,n} = \sup _{\varLambda :\dim \left( \varLambda =n\right) }\left( \mu _k\left( \varLambda \right) /\det \left( \varLambda \right) ^{k/n}\right) ^2\).

There is a heuristic version of Minkowski’s bound based on the Gaussian heuristic which states that most lattices that arise in practice satisfy \(\lambda _1\left( \varLambda \right) \approx \sqrt{d/2\pi e} \det \left( \varLambda \right) ^{1/n}\), unless there is an explicit reason to believe otherwise (e.g. an unusually short vector is planted in the lattice). We note that there is a theory of random lattices, which allows to turn this bound into a rigorous average-case version of Minkowski’s bound, see e.g. [ALNS20] and references therein. For this work it is sufficient to know that the Gaussian heuristic is precise enough for lattices with dimension larger than 45 arising in lattice block reduction to predict its behavior in practice [CN11, GN08b, MW16].

Heuristic 1

[Gaussian Heuristic]. For any lattice \(\varLambda \) with \(\dim (\varLambda ) \ge 45\) arising in lattice reduction we assume that \(\lambda _1(\varLambda ) \approx \sqrt{d/2\pi e} \det \left( \varLambda \right) ^{1/n}\).

For every lattice \(\varLambda \), its dual is defined as . It is a classical fact that \(\det (\hat{\varLambda }) = \det \left( \varLambda \right) ^{-1}\). For a lattice basis \(\mathbf {B}\), let \(\widehat{\mathbf {B}}\) be the unique matrix that satisfies and \(\mathbf {B}^T \widehat{\mathbf {B}} = \widehat{\mathbf {B}}^T \mathbf {B} = \mathbf {R} \), where \(\mathbf {R}\) is the identity matrix with reversed columns (see Sect. 5). Then \(\widehat{ \mathcal {L}\left( \mathbf {B}\right) } = \mathcal {L}(\widehat{\mathbf {B}}) \) and we denote \(\widehat{\mathbf {B}}\) as the reversed dual basis of \(\mathbf {B}\). Note that \(\widehat{\mathbf {B}_{[i,j]}} = \widehat{\mathbf {B}}_{[n+1-j, n+1-i]}\).

Definition 1

Let be a lattice basis. We call \(\mathbf {B}\) k-partial HKZ reduced if \(\Vert \mathbf {b}_i^* \Vert = \lambda _1\left( \mathbf {B}_{[i,n]}\right) \) for all \(i \in [1,k]\).

An n-dimensional basis \(\mathbf {B}\) is SVP reduced (HKZ reduced), if it is 1-partial (n-partial, resp.) HKZ reduced. The root Hermite factor achieved by \(\mathbf {B}\) is defined as \((\Vert \mathbf {b}_1 \Vert /\det (\mathbf {B})^{1/n})^{1/n} \).

We use some notation from [HS07]:

Definition 2

For a lattice basis \(\mathbf {B}\) we define \(\pi _{[j,k]}\left( \mathbf {B}\right) = \left( \prod _{i = j}^k \Vert \mathbf {b}_i^* \Vert \right) ^{1/\left( k-j+1\right) }\) and \(\varGamma _{n}\left( k\right) = \prod _{i=d-k}^{d-1} \gamma _{i+1}^{\frac{1}{2i}}\). We sometimes omit \(\mathbf {B}\) and simply write \(\pi _{[j,k]}\) if \(\mathbf {B}\) is clear from context.

Using these definitions, [HS07] proves useful inequalities regarding the geometry of (k-partial) HKZ reduced bases. We will use the following:

Lemma 1

([HS07]). If \(\mathbf {B}\) is k-partial HKZ reduced, then

$$\pi _{[1,k]} \le \varGamma _d\left( k\right) ^{d/k} \pi _{k+1,d}.$$

The proof is pretty straightforward using Minkowski’s bound and induction.

Definition 3

A basis is called LLL-reducedFootnote 2 if \(\Vert \mathbf {b}_i^* \Vert = \lambda _1\left( \mathbf {B}_{[i,i+1]}\right) \), which implies \(\Vert \mathbf {b}_i^* \Vert \le \gamma _2 \Vert \mathbf {b}^*_{i+1} \Vert \), for all \(i \in [1,n-1]\).

We will need the following two facts about LLL.

Fact 1

If is LLL-reduced, then we have

$$ \pi _{[1,i]} \le \gamma _2^{\frac{n-i}{2}} \pi _{[1,n]} $$

for all \(i \in [1,n]\).

See e.g. [PT09] for a proof.

Fact 2

Let be a lattice basis and \(\mathbf {B}'\) be the result of applying LLL to \(\mathbf {B}\). Then we have

$$ \pi _{[1,i]}\left( \mathbf {B}'\right) \le \pi _{[1,i]}\left( \mathbf {B}\right) $$

for all \(i \in [1,n]\).

Fact 2 can be seen to be true from a similar argument to the one showing that the potential function used to analyze LLL may only decrease under the swaps that LLL performs. More specifically, LLL reduction only applies two types of operations: size-reduction, which does not change the value \(\pi _{[1,i]}\left( \mathbf {B}\right) \) for any i, and swapping consecutive vectors. Swapping vectors only affects the value \(\pi _{[1,i]}\left( \mathbf {B}\right) \) for exactly one i and the condition, under which such swaps are performed, ensures that this value can only decrease.

Finally, BKZ is a block-wise generalization of LLL.

Definition 4

A basis is called d-BKZ reduced if \(\Vert \mathbf {b}_i^* \Vert = \lambda _1\left( \mathbf {B}_{[i,\ell ]}\right) \), where \(\ell = \min \left( i+d, n\right) \), for all \(i \in [1,n]\).

2.2 Discrete-Time Affine Dynamical Systems

Consider some dynamical system

$$\begin{aligned} \mathbf {x} \mapsto \mathbf {A} \mathbf {x} + \mathbf {b} \end{aligned}$$
(1)

and assume that \(\Vert \mathbf {A}\Vert _p < 1\) for some p. This implies two facts:

  1. 1.

    Equation (1) has at most one fixed point \(\mathbf {x}^* = \mathbf {A} \mathbf {x}^* + \mathbf {b}\), and

  2. 2.

    if Eq. (1) has a fixed point \(\mathbf {x}^*\) it converges to \(\mathbf {x}^*\) exponentially fast in the number of iterations (with base \(e^{-\left( 1-\Vert \mathbf {A}\Vert _p\right) }\)).

To see , note that two distinct fixed points \(\mathbf {x}^*_1 \ne \mathbf {x}^*_2\) would imply

$$ 0 \ne \Vert \mathbf {x}^*_1 - \mathbf {x}_2^*\Vert _p = \Vert \mathbf {A} \left( \mathbf {x}^*_1 - \mathbf {x}_2^*\right) \Vert _p \le \Vert \mathbf {A}\Vert _p \Vert \mathbf {x}^*_1 - \mathbf {x}_2^* \Vert _p < \Vert \mathbf {x}^*_1 - \mathbf {x}_2^* \Vert _p $$

which is a contradiction. For , let \(\mathbf {x}^*\) be the unique fixed point of Eq. (1). We can write any input \(\mathbf {x}'\) as \(\mathbf {x}' = \mathbf {x}^* + \mathbf {e}\) for some “error vector” \(\mathbf {e}\). When applying the system to it, we get \(\mathbf {x}' \mapsto \mathbf {A} \mathbf {x}' + \mathbf {b} = \mathbf {x}^* + \mathbf {A} \mathbf {e}\). So the error vector \(\mathbf {e}\) is mapped to \(\mathbf {A} \mathbf {e}\). Applying this \(\ell \) times maps \(\mathbf {e}\) to \(\mathbf {A}^\ell \mathbf {e}\), which means after \(\ell \) iterations the error vector has norm \(\Vert \mathbf {A}^\ell \mathbf {e} \Vert _{p} \le \Vert \mathbf {A}^\ell \Vert _{p} \Vert \mathbf {e} \Vert _{p} \). Let \(\Vert \mathbf {A} \Vert _p \le 1 - \epsilon \) for some \(\epsilon >0\), then \(\Vert \mathbf {A}^\ell \Vert _p \le \Vert \mathbf {A} \Vert _p^\ell \le \left( 1-\epsilon \right) ^\ell \le e^{-\epsilon \ell }\), so the error vector will decay exponentially in \(\ell \) with base \(e^{-\epsilon }\) and the system converges to the fixed point \(\mathbf {x}^*\).

Let \(\mathbf {D}\) be an invertible matrix. We can use \(\mathbf {D}\) for a change of variable to \(\mathbf {y} = \mathbf {D} \mathbf {x}\), which allows to rewrite Eq. (1) to

$$\begin{aligned} \mathbf {y} = \mathbf {D} \mathbf {x} \mapsto \mathbf {D} \mathbf {A} \mathbf {D}^{-1} \mathbf {y} + \mathbf {D} \mathbf {b} \end{aligned}$$
(2)

It is easy to see that for any fixed point \(\mathbf {x}^*\) of Eq. (1), \(\mathbf {y}^* = \mathbf {D} \mathbf {x}^*\) is a fixed point of Eq.  (2). This can be useful as it is often more convenient to bound \(\Vert \mathbf {D} \mathbf {A} \mathbf {D}^{-1}\Vert _p\) for some \(\mathbf {D}\) and p than \(\Vert \mathbf {A} \Vert _p\) (as we will see). If additionally the condition number \(\kappa _p\left( \mathbf {D}\right) = \Vert \mathbf {D} \Vert _p \Vert \mathbf {D}^{-1} \Vert _p\) is small, then system (1) converges almost as quickly as system (2):

Fact 3

Let \(\mathbf {x}^\ell \) be a vector resulting from applying system (1) \(\ell \) times to the input \(\mathbf {x}^0\) and denote \(\mathbf {e}^\ell = \mathbf {x}^\ell - \mathbf {x}^*\). Let \(\mathbf {D}\) be an invertible matrix such that \(\Vert \mathbf {D} \mathbf {A} \mathbf {D}^{-1}\Vert _p = 1 - \epsilon \) for some \(\epsilon > 0\). Then \(\Vert \mathbf {e}^\ell \Vert _p \le \exp \left( -\ell \epsilon \right) \kappa _p\left( \mathbf {D}\right) \Vert \mathbf {e}^0\Vert _p\).

Proof

Let \(\mathbf {y}^0 = \mathbf {D} \mathbf {x}^0\) and \(\mathbf {y}^{\ell +1} = \mathbf {D} \mathbf {A} \mathbf {D}^{-1} \mathbf {y}^\ell + \mathbf {D} \mathbf {b}\) for all \(\ell > 0\). Induction shows that \(\mathbf {y}^\ell = \mathbf {D} \mathbf {x}^\ell \). By above argument, we have \(\Vert \mathbf {y}^\ell - \mathbf {y}^*\Vert _p \le \exp \left( -\ell \epsilon \right) \Vert \mathbf {y}^0 - \mathbf {y}^* \Vert _p \). Now the result follows from

$$\begin{aligned} \Vert \mathbf {e}^\ell \Vert _{p}&= \Vert \mathbf {x}^\ell - \mathbf {x}^* \Vert _{p} \\&= \Vert \mathbf {D}^{-1} \mathbf {y}^\ell - \mathbf {D}^{-1} \mathbf {y}^* \Vert _{p}\\&\le \Vert \mathbf {D}^{-1} \Vert _{p}\Vert \mathbf {y}^\ell - \mathbf {y}^* \Vert _{p}\\&\le \exp \left( -\ell \epsilon \right) \Vert \mathbf {D}^{-1} \Vert _{p} \Vert \mathbf {y}^0 - \mathbf {y}^* \Vert _{p}\\&\le \exp \left( -\ell \epsilon \right) \Vert \mathbf {D}^{-1} \Vert _{p} \Vert \mathbf {D} \Vert _{p} \Vert \mathbf {e}^0 \Vert _{p}. \end{aligned}$$

   \(\square \)

Application to Lattice Reduction. Dynamical systems are a useful tool to study lattice reduction algorithms. As was first observed in [HPS11], for an iteration of some lattice reduction algorithm we can often show that \(\mathbf {y} \le \mathbf {A} \mathbf {x} + \mathbf {b}\), where \(\mathbf {x}\) (\(\mathbf {y}\)) is some characterization of the input (output, resp.) basis for this iteration. If all entries in \(\mathbf {A}\) are non-negative, we can iterate this inequality to derive inequalities for consecutive iterations. So the system \(\mathbf {x} \mapsto \mathbf {A} \mathbf {x} + \mathbf {b}\) describes valid upper bounds for the vector \(\mathbf {x}\) characterizing the current basis during the execution of the algorithm.

3 Slide-Type Reductions

Let \(\mathsf {O}_{k,d}\) be an oracle that takes as input an n-dimensional basis \(\mathbf {B}\) and an index \(i < n-d\) and modifies \(\mathbf {B}\) such that \(\pi _{[i, i+k-1]} \le \alpha \cdot \pi _{[i,i+d-1]}\) (and leaves the rest unchanged). In Algorithm 1, we present a class of algorithms which resemble slide reduction and are parameterized by such an oracle \(\mathsf {O}_{k,d}\). The algorithm runs in primal and dual tours. During a primal tour, the n/d disjoint blocks of the basis are reduced using \(\mathsf {O}_{k,d}\). Then the reversed dual basis is computed and \(n/d - 1\) disjoint blocks are passed to the oracle. The blocks in the dual tour are chosen such that the corresponding primal blocks are shifted by k with respect to the blocks in the primal tour. Slide reduction itself (or rather a natural variant) can be recovered by instantiating \(\mathsf {O}_{k,d}\) with an SVP oracle in dimension d, hence \(k= 1\) and \(\alpha = \sqrt{\gamma _d} \). Block-Rankin reduction corresponds to using a (kd)-DSP oracle, in which case \(\alpha = \gamma _{k,d}^{1/2k}\). Finally, we can also define a new algorithm by letting \(\mathsf {O}_{k,d}\) be an algorithm that k-partial HKZ reduces a d-dimensional basis. In that case, Lemma 1 implies \(\alpha = \varGamma _d\left( k\right) ^{\left( d-k\right) /k}\).

Definition 5

Let \(\mathsf {O}_{k,d}\) be an algorithm that k-partial HKZ reduces a d-dimensional basis. We call Algorithm 1 instantiated with \(\mathsf {O}_{k,d}\) (k, d)-HKZ-slide reduction.

figure a

We remark that it is customary in lattice reduction theory to apply LLL reduction in between the calls to the oracle. This is important to control the size of the numbers, which in turn allows to bound the complexity of the oracle itself. Since we focus on the number of calls to the oracle, we chose to present Algorithm 1 without any calls to LLL. Note that none of such calls will have any effect on our bounds due to Fact 2, since we will work with upper bounds on the subdeterminants \(\pi _{[1,i]}\). These can only decrease during the application of LLL, so any upper bound that held before applying LLL also holds afterwards.

3.1 Convergence

The following theorem contains the main technical contribution of this work and the remainder of this subsection is devoted to proving it.

Theorem 2

Let be a lattice basis with \(\det \left( \mathcal {L}\left( \mathbf {B}\right) \right) = 1\). Let such that \(n = pd\) for some , \(p \ge 2\) and \(\mathsf {O}_{k,d}\) be an oracle that on input a basis \(\mathbf {B}'\) and index \(i < n-d\) produces a basis \(\mathbf {C}\) such that

  • \(\pi _{[i, i+k-1]}\left( \mathbf {C}\right) \le \alpha \cdot \pi _{[i,i+d-1]}\left( \mathbf {B}'\right) \) and

  • \(\mathbf {c}_j = \mathbf {b}'_j\) for all \(j \notin [i, i+d-1]\).

Let \(\mu _i = i \left( p-i\right) \frac{d}{d-k} \ln \alpha \), \(\mathbf {B}_\ell \) the basis after the \(\ell \)-th iteration and \(\epsilon _\ell = \max _{i \in [1,p]} |\ln \left( \pi _{[1,id]}\left( \mathbf {B}_\ell \right) \right) - \mu _i|\). Then we have

$$ \epsilon _\ell \le \exp \left( \frac{-4k\left( d-k\right) }{n^2}\ell \right) \frac{p^2}{4\left( p-1\right) } \epsilon _0 $$

after \(\ell \) iterations of Slide-type reduction with oracle \(\mathsf {O}_{k,d}\).

Proof

During a primal tour, Slide-type reduction turns a basis \(\mathbf {B}\) into a basis \(\mathbf {B}'\) such that

$$\begin{aligned} \ln \pi _{[id+1,id+k]}\left( \mathbf {B}'\right) \le \ln \pi _{[id+1,id+d]}\left( \mathbf {B}\right) + \ln \alpha \end{aligned}$$
(3)

for \(i \in [0,p-1]\). Similarly, a dual tour yields

$$\begin{aligned} \ln \pi _{[id+1,id+k]}\left( \mathbf {B}'\right) \ge \ln \pi _{[\left( i-1\right) d+2,id+1]}\left( \mathbf {B}\right) - \ln \alpha \end{aligned}$$
(4)

We consider the leading subdeterminants corresponding to the blocks considered by Algorithm 1. Let \(y_i = id \ln \pi _{[1,id]}\left( \mathbf {B}\right) \) for \(i \in [1, p-1]\). (Note that \(y_{p} = 0 \), since we assume that the lattice has unit determinant, so we may ignore this variable.) Now we apply a primal tour and denote \(x_i = \left( \left( i-1\right) d + k\right) \ln \pi _{[1,\left( i-1\right) d+k]}\left( \mathbf {B}'\right) \) for \(i \in [1, p] \) after that tour. Then we have by Eq. (3)

$$ x_i \le \frac{d-k}{d} y_{i-1} + \frac{k}{d} y_i + k \ln \alpha $$

for \(i \in [1, p]\), where we define \(y_{0} = y_{p} = 0\). In matrix form we have \(\mathbf {x} \le \mathbf {A}_p \mathbf {y} + \mathbf {b}_p\) with

figure b

where \(\omega = \frac{d-k}{d}\) and .

Now let \(y'_i\) as \(y_i\) above but after the next dual tour. From Eq. (4) we get

$$ x_i - y'_{i-1} \ge \frac{k}{d} \left( x_i - x_{i-1}\right) - k \ln \alpha $$

or equivalently

$$ y_i \le \omega x_{i+1} + \frac{k}{d} x_i + k \ln \alpha $$

for \(i \in [1,p-1]\). Again, in matrix form \(\mathbf {y} \le \mathbf {A}_d \mathbf {x} + \mathbf {b}_d\), where and

$$ \mathbf {A}_d = \begin{pmatrix} \frac{k}{d} &{} \omega &{} &{} &{} \\ &{} \frac{k}{d} &{} \omega &{} &{} \\ &{} &{} \dots &{} &{} \\ &{} &{} &{} \frac{k}{d}&{} \omega \end{pmatrix} = \mathbf {A}_p^T $$

By combining the two set of inequalities, we obtain:

$$ \mathbf {y}' \le \mathbf {A}_d \mathbf {x} + \mathbf {b}_d \le \mathbf {A}_d \left( \mathbf {A}_p \mathbf {y} + \mathbf {b}_p\right) + \mathbf {b}_d = \mathbf {A}_p^T \mathbf {A}_p \mathbf {y} + \left( \mathbf {A}_p^T \mathbf {b}_p + \mathbf {b}_d\right) $$

Thus, the general matrix that characterizes a primal and dual tour is

(5)

where \(\tilde{\omega }= \omega ^2 + \left( k/d\right) ^2\) and \(\beta = \frac{k\left( d-k\right) }{d^2}\). And with \(\mathbf {b} = \mathbf {A}_p^T \mathbf {b}_p + \mathbf {b}_d = 2 \cdot \mathbf {b}_d\) the dynamical system we are interested in is

$$\begin{aligned} \mathbf {y} \mapsto \mathbf {A} \mathbf {y} + \mathbf {b}. \end{aligned}$$
(6)

The theorem now follows from Lemma 2 and 3 below, in which we analyze the fixed point and the convergence of system (6), resp.    \(\square \)

Lemma 2

For the system in Eq. (6) and the vector with

$$ y_i^* = i\left( p-i\right) \frac{d^2}{d-k} \ln \alpha $$

we have \(\mathbf {A} \mathbf {y}^* + \mathbf {b} = \mathbf {y}^*\).

Proof

Note that we can extend the definition of \(y_i^*\) to \(i = 0\) and \(i=p\), in which case we have \(y_0^* = y_p^* = 0\). So the lemma follows if we can show that

$$ \beta y^*_{i-1} + \left( 1-2\beta \right) y^*_i + \beta y^*_{i+1} + 2k\ln \alpha = y^*_i $$

for all \(i \in [1,p-1]\). This is equivalent to

$$ \beta \left( y^*_{i-1} + y^*_{i+1} - 2 y^*_i\right) + 2k \ln \alpha = 0 $$

which is easily seen to be true by straightforward calculation.    \(\square \)

Lemma 3

Let \(\mathbf {A}\) as in Eq. (5). Then there exists an invertible matrix \(\mathbf {D}\) with \(\kappa _{\infty }\left( \mathbf {D}\right) = \frac{p^2}{4\left( p-1\right) }\) such that

$$ \Vert \mathbf {D} \mathbf {A} \mathbf {D}^{-1} \Vert _{\infty } \le 1 - \frac{4k\left( d-k\right) }{n^2} $$

for any \(p \ge 2\).

Proof

Let \(\mathbf {D}\) be the diagonal matrix such that

$$ \mathbf {D}^{-1} = \begin{pmatrix} p-1 &{} &{} &{} \\ &{} 2\left( p-2\right) &{} &{} \\ &{} &{} \dots &{} \\ &{} &{} &{} p-1 \end{pmatrix} $$

We now analyze the matrix

$$ \mathbf {D} \mathbf {A} \mathbf {D}^{-1} = \begin{pmatrix} 1-2\beta &{} \frac{2\left( p-2\right) }{p-1} \beta &{} &{} &{} \\ \frac{p-1}{2\left( p-2\right) }\beta &{} 1-2\beta &{} \frac{3\left( p-3\right) }{2\left( p-2\right) } \beta &{} &{} \\ &{} \frac{2\left( p-2\right) }{3\left( p-3\right) }\beta &{} 1-2\beta &{} \frac{4\left( p-4\right) }{3\left( p-3\right) } \beta &{} \\ &{} &{} &{} \dots &{} \\ &{} &{} &{} \frac{\left( p-2\right) 2}{p-1}\beta &{} 1-2\beta \end{pmatrix} $$

The sum of the i-th row is

$$\begin{aligned} S_i&= 1 - 2\beta + \beta \frac{\left( i-1\right) \left( p-i+1\right) + \left( i+1\right) \left( p-i-1\right) }{i\left( p-i\right) } \\&= 1 - 2\beta \left( 1 - \frac{ip - i^2 - 1}{ip - i^2}\right) \\&= 1 - \frac{2\beta }{ip-i^2} \\&\le 1 - \frac{8\beta }{p^2} \\&= 1 - \frac{8k\left( d-k\right) }{n^2} \end{aligned}$$

for \(i \in [2,\dots , p-2]\). Finally, we have

$$ S_1 = S_{p-1} \le 1 - \frac{2pk\left( d-k\right) }{n^2} $$

from which the lemma follows.    \(\square \)

3.2 Implications

We now show how Theorem 2 implies bounds for the running time of Slide-type reduction algorithms.

Corollary 1

Let be an LLL-reduced lattice basis with \(\det \left( \mathcal {L}\left( \mathbf {B}\right) \right) = 1\) and \(\epsilon > 0\) an arbitrary constant. After \(\ell \ge \frac{n^2}{4k\left( d-k\right) } \ln \left( \frac{\frac{n^2}{2d} + \frac{n^3}{4d^3} \ln \alpha }{\epsilon }\right) \) tours of Slide-type reduction with oracle \(\mathsf {O}_{k,d}\) such that \(\alpha \ge \gamma _2\), the output basis satisfies

$$ \pi _{[1,d]} = \prod _{i=1}^d \Vert \mathbf {b}^*_i \Vert ^{\frac{1}{d}} \le \exp \left( \epsilon + \mu _1\right) \approx \left( 1+\epsilon \right) \alpha ^{\frac{n-d}{d-k}}. $$

Accordingly, the number of oracle queries is bounded by \(\frac{n^3}{2 d k\left( d-k\right) } \ln \left( \frac{\frac{n^2}{2d} + \frac{n^3}{4d^3} \ln \alpha }{\epsilon }\right) \).

Proof

Theorem 2 shows that in order to obtain \(\epsilon _\ell \le \epsilon \) for arbitrary \(\epsilon > 0\), it is sufficient to set

$$ \ell \ge \frac{n^2}{4k\left( d-k\right) } \ln \left( \frac{p^2\epsilon _0}{4\left( p-1\right) \epsilon }\right) . $$

By Fact 1 we have

$$ \epsilon _0 = \max _{i \in [1,p]} |\ln \pi _{[1,id]}\left( \mathbf {B}\right) - \mu _i| \le \frac{n-1}{2} \ln \gamma _2 + \frac{n^2}{4d\left( d-k\right) } \ln \alpha \le n + \frac{n^2}{2d^2} \ln \alpha $$

where we assume that \(k \le d/2\). Finally, notice that \(p^2/\left( 4\left( p-1\right) \right) \le p/2 = n/2d\) for all \(p \ge 2\).    \(\square \)

Corollary 1 implies the following corollaries.

Corollary 2

Let be an LLL-reduced lattice basis with \(\det \left( \mathcal {L}\left( \mathbf {B}\right) \right) = 1\) and \(\epsilon > 0\) an arbitrary constant. After \(O\left( \frac{n^3}{d k\left( d-k\right) } \ln \left( \frac{n}{\epsilon }\right) \right) \) calls to the (kd)-DSP oracle, the output basis of block-Rankin reduction satisfies

$$ \pi _{[1,d]} = \prod _{i=1}^d \Vert \mathbf {b}^*_i \Vert ^{\frac{1}{d}} \le \exp \left( \epsilon + \mu _1\right) = \exp \left( \epsilon \right) \gamma _{k,d}^{\frac{n-d}{2k\left( d-k\right) }} \approx \left( 1+\epsilon \right) \gamma _{k,d}^{\frac{n-d}{2k\left( d-k\right) }}. $$

One more call to the oracle yields

$$ \pi _{[1,k]} \le \exp \left( \epsilon \right) \gamma _{k,d}^{\frac{n-k}{2k\left( d-k\right) }} \approx \left( 1+\epsilon \right) \gamma _{k,d}^{\frac{n-k}{2k\left( d-k\right) }}. $$

The case of slide reduction follows as a special case (\(k=1\)) and we note that the number of SVP calls matches the one proven for other lattice reduction algorithms using this technique [HPS11, LN20, MW16]. Recall that the bound on the number of oracle queries proven in [LN14] is \(O\left( \frac{n^3 \log \max _i \Vert \mathbf {b}_i \Vert }{\epsilon d^2}\right) \). For degenerate cases \(\max _i \Vert \mathbf {b}_i \Vert \) can be arbitrarily large (within the restriction that its logarithm is polynomial in the input size) even for LLL-reduced bases of lattices with determinant 1. Similar to the recent work of [LN20], we are able to achieve a bound that is independent of \(\max _i \Vert \mathbf {b}_i \Vert \) using the dynamical systems approach. The length of the vectors just contributes to the \(\log n\) factor in our bound. ([HPS11] does not claim to achieve this but obtains a bound with a doubly logarithmic dependence on \(\max _i \Vert \mathbf {b}_i \Vert \).) Furthermore, the dependence on \(\epsilon \) is much tighter in two ways: 1) in [LN14] the slack factor in the output quality is \(\left( 1+\epsilon \right) ^{\left( n-k\right) /\left( 4\left( d-k\right) \right) }\), while in Corollary 2 it is just \(\exp \left( \epsilon \right) \approx \left( 1+\epsilon \right) \). 2) The dependence of the bound on the number of oracle queries is linear in \(1/\epsilon \), while in our bound it is only logarithmic. Finally, the remaining polynomial factor matches in the two bounds for small values of k, but our bound depends on k and actually decreases with growing k up to an improvement of 1/d for \(k = d/2\). This seems to be a feature of the dynamical systems analysis as it is unclear if the LLL-style potential function analysis of [LN14] can be used to study the dependence of the number of calls on k.

Corollary 3

Let be an LLL-reduced lattice basis with \(\det \left( \mathcal {L}\left( \mathbf {B}\right) \right) = 1\) and \(\epsilon > 0\) an arbitrary constant. After \(O\left( \frac{n^3}{d k\left( d-k\right) } \ln \left( \frac{n}{\epsilon }\right) \right) \) calls to the k-partial HKZ oracle, the output basis of \(\left( k,d\right) \)-HKZ-slide reduction satisfies

$$ \pi _{[1,d]} = \prod _{i=1}^d \Vert \mathbf {b}^*_i \Vert ^{\frac{1}{d}} \le \exp \left( \epsilon + \mu _1\right) = \exp \left( \epsilon \right) \varGamma _d\left( k\right) ^{\frac{n-d}{k}} \approx \left( 1+\epsilon \right) \varGamma _d\left( k\right) ^{\frac{n-d}{k}}. $$

One more call to the oracle yields

$$ \Vert \mathbf {b}_1 \Vert \le \exp \left( \epsilon \right) \sqrt{\gamma _d} \varGamma _d\left( k\right) ^{\frac{n-d}{k}} \approx \left( 1+\epsilon \right) \sqrt{\gamma _d} \varGamma _d\left( k\right) ^{\frac{n-d}{k}}. $$

We can try to get bounds on the Hermite factor of (kd)-HKZ-slide reduction in terms of \(\gamma _d\) by using some straightforward bounds on \(\varGamma _d(k)\).

Lemma 4

For a (kd)-HKZ-slide reduced basis we have

$$\begin{aligned} \Vert \mathbf {b}_1 \Vert&\le \sqrt{d}^{1 + \frac{n-d}{k}\log \frac{d}{d-k}} \det \left( \mathbf {B}\right) ^{\frac{1}{n}} \le \sqrt{d}^{\frac{n-k}{d-k}} \det \left( \mathbf {B}\right) ^{\frac{1}{n}} \end{aligned}$$
(7)
$$\begin{aligned} \Vert \mathbf {b}_1 \Vert&\le \sqrt{\gamma _{d-k+1}}^{\frac{n-1}{d-k}} \det \left( \mathbf {B}\right) ^{\frac{1}{n}} \end{aligned}$$
(8)

Proof

Both follow from Corollary 3. For Eq. (7) use the bound \(\varGamma _d\left( k\right) \le \sqrt{d}^{\log \frac{d}{d-k}}\) proven in [HS07] and \(\log 1 + x \le x\).

For Eq. (8), recall Mordell’s inequality \(\gamma _n^{\frac{1}{n-1}} \le \gamma _k^{\frac{1}{k-1}}\), which shows that \(\varGamma _d\left( k\right) \le \sqrt{\gamma _{d-k+1}}^{\frac{k}{d-k}}\). So we have

$$ \Vert \mathbf {b}_1 \Vert \le \sqrt{\gamma _d} \sqrt{\gamma _{d-k+1}}^{\frac{n-d}{d-k}} \det \left( \mathbf {B}\right) ^{\frac{1}{n}}. $$

Finally, use Mordell’s inequality again to see that \(\sqrt{\gamma _d} \le \sqrt{\gamma _{d-k+1}}^{\frac{d-1}{d-k}}\) to conclude.    \(\square \)

The bound on the Hermite factor achieved by HKZ-slide reduction suggests that running (kd)-HKZ-slide reduction is no better than running \((1,d-k+1)\)-HKZ-slide reduction, i.e. vanilla slide reduction with block size \(d-k+1\). Since solving SVP in dimension \(d-k+1\) is easier by a factor \(2^{\Omega \left( k\right) }\) than k-partial HKZ reduction in dimension d, it stands to reason that using \(k=1\) is optimal. However, in the next sections we will make heuristic arguments and show experimental evidence that using larger k can be worthwhile in practice.

4 HKZ-Slide Reduction in Practice

In this section we give heuristic arguments (Sect. 4.1) and experimental evidence showing that HKZ-slide reduction can outperform slide reduction and yield a faster algorithm in practice.

4.1 Heuristic Analysis

Note that the convergence analysis in Sect. 3.1 is agnostic to the value \(\alpha \). So we can use the same analysis for a heuristic evaluation, but instead of using Minkowski’s inequality, we use the Gaussian heuristic. So by defining \(g_d = \sqrt{d/2 \pi e} \) and \(\alpha = G_d\left( k\right) = \prod _{i=d-k}^{d-1} g_{i+1}^{\frac{1}{i}}\) we can get a bound on the density of the first block of a \(\left( k,d\right) \)-HKZ-slide reduced basis based on Heuristic 1, which is

$$ \pi _{[1,d]} \approx G_d\left( k\right) ^{\frac{n-d}{k}} \det \left( \mathbf {B}\right) ^{\frac{1}{n}} $$

which implies

$$ \Vert \mathbf {b}_1 \Vert \approx g_d G_d\left( k\right) ^{\frac{n-d}{k}} \det \left( \mathbf {B}\right) ^{\frac{1}{n}}. $$

Now we can compare the quality that we achieve by using different overlaps and block sizes. See Fig. 1 for an example. Running (kd)-HKZ-slide reduction yields a better basis than running slide reduction with block size \(k-d+1\) (but also needs a partial HKZ oracle in larger dimension).

To estimate the practical behavior of HKZ-slide reduction and slide reduction, we make the following assumptions: 1) we assume that the dependence of the running time of (kd)-HKZ-slide reduction on the overlap k is \(1/k(d-k)\), and 2) that the complexity of the k-partial HKZ oracle is \(2^{d/3 + O\left( 1\right) }\) and independent of k. The first assumption is supported by our analysis in Sect. 3.1. The second assumption is supported by the observation in [ADH+19] that SVP oracles in practice tend to not only find the shortest vector in a lattice, but additionally HKZ reduce the head of the basis “for free”. The complexity of the oracle is a crude estimate of heuristic bounds on the complexity of sieving. More accurate estimates are a little smaller than what we assumed above. Adapting the following argument would thus provide slightly better results.

As a baseline for our comparison we select 90-slide reduction on a 270 dimensional lattice and analyze how reducing the block size to \(90-k'\) and increasing the overlap to k compare in terms of speed-up while ensuring that both yield similar output quality. Specifically, for every k we numerically compute \(k' < k\) such that \((90-k')\)-slide reduction achieves similar root Hermite factor as (k, 90)-HKZ-slide reduction. The speed-up of (k, 90)-HKZ-slide reduction over 90-slide reduction is \(k(d-k)/\left( d-1\right) \) given our assumptions. The speed-up achieved by \((90-k')\)-slide reduction is \(2^{k'/3}\left( d-k'+1\right) /d\). (We ignore the issue of divisibility of block size and lattice dimension here for simplicity.) The ratio of the two quantities is given in Fig. 2. The figure suggests that (k, 90)-HKZ-slide reduction with a well-chosen overlap k can be up to 4 times faster than slide reduction with similar output quality.

Fig. 1.
figure 1

Comparison of root Hermite factor for running (k, 90)-HKZ-slide reduction on a basis with dimension 270 vs \((90-k)\)-slide reduction

Full size image
Fig. 2.
figure 2

Speed-up factor of running (k, 90)-HKZ-slide reduction on a basis with dimension 270 vs \((90-k')\)-slide reduction with comparable Hermite factor.

Full size image

4.2 Experiments

We provide an implementation of HKZ-slide reductionFootnote 3 in the G6K framework of [ADH+19], which (among a lot of other things) provides an interface to an SVP algorithm based on sieving. The authors observe that, in fact, the output of this algorithm seems to approximate partial-HKZ reduction. Their work also shows that basic (called naive in [ADH+19]) BKZ based on sieving starts outperforming state-of-the-art enumeration based methods for block sizes below 80, and more carefully tuned variants well below 65.

For our implementation we treat the SVP algorithm of G6K as a k-partial-HKZ oracle for arbitrary \(k \le 15\), which seems justified by the observations made in [ADH+19]. To test the hypothesis of the previous section, we run (kd)-HKZ-slide reduction for \(k \in \{1,5,10,15\}\) and \(d \in \{60,85\}\) on lattices from the lattice challenge [BLR08]. To avoid issues with block sizes not dividing the dimension we select the dimension as the largest integer multiple of d such that the algorithm does not run into numerical issues. For \(d = 60\) and \(d=85\), this is \(n=180\) (i.e. \(p=3\) blocks) and \(n=170\) (i.e. \(p=2\) blocks), respectively. The results are shown in Figs. 3a and 3c. All data points are averaged (in both axes) over the same 10 lattices (challenge seeds 0 to 9), which are preprocessed using fplll [dt16] with block size 45 (for \(d=60\)) and 60 (for \(d=85\)).

Figure 3a demonstrates that for relatively small block sizes, the behavior of k-HKZ-slide reduction is actually better than expected: not only does a larger k lead to a faster convergence (which is expected), all of the tested k also lead to better output quality. This can at least in part be explained by the relatively small block size and the corresponding approximation error of the Gaussian heuristic. This is supported by Fig. 3c, where at least the overlaps \(k=5\) and \(k=15\) behave as expected: faster convergence but poorer output quality. (Note though that the difference in output quality between overlaps 1 and 5 is minor.) However, the case of \(k=10\) seems to be a special case that behaves exceptionally well even for large block size. We cannot explain this phenomenon beyond baseless speculation at this point and leave an in-depth investigation to future work. In summary, we believe that the results give sufficient evidence that the trade-off achieved by HKZ-slide reduction can indeed be very favorable when considering overlaps larger than 1 (i.e. beyond slide reduction).

To put the results into context, we also compare HKZ-slide reduction with the BKZ variants implemented in G6K on the same lattices. For HKZ-slide reduction we chose \(k=10\). We compared to three “standard” variants of BKZ: 1) naive BKZ, which treats the SVP algorithm as a black box; 2) the “Pump and Jump” (PnJ) variant, which recycles computation done during previous calls to the SVP algorithm to save cost in later calls; 3) a progressive variant of the PnJ strategy, which starts with smaller block sizes and successively runs BKZ tours with increasing block size. We leave all parameters for the PnJ versions at their default. [ADH+19] reported that some fine-tuning can improve the PnJ variant further, but since our goal is only to demonstrate the competitiveness of HKZ-slide reduction rather than a fine-grained comparison, we do not believe such fine-tuning is necessary here. Naive BKZ and the PnJ variant is called with the same block size (on the same bases as HKZ-slide reduction) and the number of tours is chosen such that the running time is roughly in the ballpark of the HKZ-slide reduction experiments. For progressive PnJ, we run 1 tour of each block size starting from \(d-10\) up to \(d+5\), where d is the block size chosen for the other algorithms. The results are shown in Fig. 3b and 3d respectively. They show that HKZ-slide reduction can outperform the naive version of BKZ significantly, but it also seems to be better than PnJ. However, progressive PnJ seems to have the edge over HKZ-slide reduction, but we consider the latter at least competitive.

Fig. 3.
figure 3

Comparison of HKZ-slide-reduction with different overlaps and with various BKZ variants

Full size image

Caveats. We focus our attention in these experiments on the root Hermite factor that the different algorithms achieve in a given amount of time. This has been established as the main measure of output quality for lattice reduction, since they are usually used to find short vectors. When targeting a short vector, (HKZ-) slide reduction has the advantage that it focuses on improving a set of pivot points distributed across the basis, while BKZ attempts to improve the entire basis. This seems to result in a lower cost for slide reduction. But finding short vectors is not the only use case: often one is interested in a basis that is reduced according to a more global measure, e.g. one wants all basis vectors to be short or the GSO vectors should not drop off too quickly. In this case, BKZ seems to be the more natural choice.

Potential Improvements. We do not make any attempts to fine-tune the SVP oracle to HKZ-slide reduction and its parameters. The SVP-oracle itself has several parameters which potentially influence how well it performs as a k-partial-HKZ oracle. We leave such a fine-tuning as interesting future work.

Furthermore, we note that applying BKZ/PnJ with increasing block sizes results in significant improvements. It stands to reason that including an element of “progressiveness” could significantly improve HKZ-slide reduction. However, the strength of HKZ-slide reduction of focusing its attention on pivot points instead of the entire basis could be a disadvantage here: it may not be as suitable as a preprocessing for other algorithms, possibly including itself. Still, finding an effective way of naturally progressing slide reduction might lead to improvements, but we believe simply increasing the block size is unlikely to be sufficient here. Finally, given the above observations, a natural approach seems to be to use progressive BKZ/PnJ as a preprocessing and only apply HKZ-slide reduction in the final step to find a short vector.

5 SDBKZ: Revisiting Neumaier’s Analysis

We conclude this work by revisiting Neumaier’s analysis [Neu17] of SDBKZ [MW16]. Using a change of variable allows us to recast it as a variant of the conventional dynamic analysis. The matrix used in Sect. 3 for the change of variable was inspired by this reformulation.

5.1 Reminders

We first give a brief description of the SDBKZ algorithm and the analysis from [MW16]. The algorithm can be viewed as iterating the following 2 steps:

  1. 1.

    perform a forward tour by applying the SVP oracle successively to the projected blocks of the basis (i.e. a truncated BKZ tour)

  2. 2.

    compute the reversed dual of the basis.

For convenience, the SDBKZ lattice reduction algorithm is provided as Algorithm 2.

figure c

Let \(\mathbf {B}\) be a lattice basis. In [MW16], the following variables were considered

$$ \mathbf {x} = (\log \det (\mathbf {b}_1, \dots , \mathbf {b}_{d+i-1}))_{1 \le i \le n-d}. $$

When applying the two steps of SDBKZ to a lattice basis, [MW16] showed that for the output basis \(\mathbf {B}'\) we have \(\mathbf {x}' \le \mathbf {R} \mathbf {A} \mathbf {x} + \mathbf {R} \mathbf {b}\), where

\(\alpha = \frac{1}{2} \log \gamma _d\) and \(\omega = (1-\frac{1}{d})\). This lead to the analysis of the dynamical system

$$\begin{aligned} \mathbf {x} \mapsto \mathbf {R} \mathbf {A} \mathbf {x} + \mathbf {R} \mathbf {b}. \end{aligned}$$
(9)

[MW16] showed that this system has exactly one fixed point \(\mathbf {x}^*\) with

$$ x^*_i = \frac{(d+i-1)(n-d-i+1)}{d-1} \alpha $$

which can be used to obtain bounds on the output quality of the algorithm. Here we are more interested in the convergence analysis. For this, note that

$$ \Vert \mathbf {R} \mathbf {A} \Vert _{\infty } = \Vert \mathbf {A} \Vert _{\infty } = 1-\omega ^{n-d} $$

which means that the number of tours required to achieve \(\Vert \mathbf {e} \Vert _{\infty } \le c\) for some constant c is proportional to \(\exp ((n-d)/d)\). This is polynomial as long as \(d = \Omega (n)\), but for \(d = o(n)\) this results in a superpolynomial bound.

5.2 Neumaier’s Analysis

As stated above, Neumaier’s analysis of SDBKZ [Neu17] can be viewed as a change of variable for \(\mathbf {x}\). Neumaier implicitly chose the diagonal matrix

$$ \mathbf {D^{-1}} = \left[ \begin{array}{cccc} d(n-d) &{} &{} &{} \\ &{} (d+1)(n-d-1) &{} &{} \\ &{} &{} \ddots &{} \\ &{} &{} &{} n-1 \end{array} \right] $$

which yields the new fixed point \(\mathbf {y}^* = \frac{\alpha }{d-1} \mathbf {1}\) (cf. \(\mu _s\) from [Neu17]). We now analyze the matrix \(\mathbf {A}' = \mathbf {D} \mathbf {R} \mathbf {A} \mathbf {D}^{-1}\): First, we observe that

$$ \mathbf {A}_{ij} = {\left\{ \begin{array}{ll} \frac{1}{d}\omega ^{i-j} &{} i \ge j \\ 0&{} i < j \end{array}\right. } $$

and so

$$ (\mathbf {R} \mathbf {A})_{ij} = {\left\{ \begin{array}{ll} \frac{1}{d} \omega ^{(n-d+1-i)-j} &{} i + j \le n-d+1 \\ 0&{} i + j > n-d+1 \end{array}\right. } $$

and finally

$$\begin{aligned} \mathbf {A}'_{ij} = (\mathbf {D} \mathbf {R} \mathbf {A} \mathbf {D}^{-1})_{ij}= {\left\{ \begin{array}{ll} \frac{(d+j-1)(n-d-j+1)}{d (d+i-1)(n-d-i+1)}\omega ^{(n-d+1-i)-j} &{} i + j \le n-d+1 \\ 0&{} i + j > n-d+1 \end{array}\right. } \end{aligned}$$
(10)

Lemma 5

Let \(\mathbf {A}'\) as defined in Eq. (10). Then, \(\Vert \mathbf {A}' \Vert _{\infty } \le 1-\epsilon \), where \(\epsilon = \left( 1+\frac{n^2}{4d(d-1)} \right) ^{-1}\).

Proof

Let \(S_i = \sum _{j} \mathbf {A}'_{ij}\) be the sum of every row in \(\mathbf {A}'\). We have

$$\begin{aligned} S_i&=\frac{1}{d(d+i-1)(n-d-i+1)} \sum _{j=1}^{n-d-i+1} (d+j-1)(n-d-j+1) \omega ^{n-d+1-i-j}\\&= \frac{(d+i)(n-d-i)}{(d+i-1)(n-d-i+1)} \omega S_{i+1} + \frac{i(n-i)}{d (d+i-1)(n-d-i+1)} \end{aligned}$$

(where we set \(S_{n-d+1} = 0\).) We now show by induction on i that \(S_i \le 1-\epsilon \). Clearly, the bound holds for \(S_{n-d+1}\) since \(\epsilon \le 1\). So now we have

$$\begin{aligned} S_i&= \frac{(d+i)(n-d-i)}{(d+i-1)(n-d-i+1)} \omega S_{i+1} + \frac{i(n-i)}{d (d+i-1)(n-d-i+1)} \\&\le \frac{(d+i)(n-d-i)}{(d+i-1)(n-d-i+1)} \omega (1-\epsilon ) + \frac{i(n-i)}{d (d+i-1)(n-d-i+1)} \\&= \frac{(d-1)(d+i)(n-d-i)}{d (d+i-1)(n-d-i+1)} (1-\epsilon ) + \frac{i(n-i)}{d (d+i-1)(n-d-i+1)} \end{aligned}$$

by assumption. Showing that the RHS is less than \(1-\epsilon \) is equivalent to showing that

$$ (d-1)(d+i)(n-d-i)(1-\epsilon ) + i(n-i) \le d (d+i-1)(n-d-i+1) (1-\epsilon ) $$

which is equivalent to

$$ i(n-i) \le \left[ d (d+i-1)(n-d-i+1) - (d-1)(d+i)(n-d-i) \right] (1-\epsilon ). $$

It is straightforward (though a little tedious) to verify that

$$ d (d+i-1)(n-d-i+1) - (d-1)(d+i)(n-d-i) = i(n-i) + d(d-1). $$

which yields the condition

$$ i(n-i) \le \left[ i(n-i) + d(d-1)\right] (1-\epsilon ) $$

which again is equivalent to

$$ \epsilon \left[ i(n-i) + d(d-1)\right] \le d(d-1) $$

and thus \(\epsilon \le \left( 1+\frac{i(n-i)}{d(d-1)}\right) ^{-1}\). We note this quantity is minimized for \(i=n/2\) and thus by definition of \(\epsilon \), this condition holds. Since all our transformations were equivalences, this proves the bound on \(S_i\).    \(\square \)

Readers familiar with Neumaier’s work will recognize the calculations. It is easy to see that \(\kappa (\mathbf {D}) = \frac{n^2}{4(n-1)}\), which is small enough so that the number of tours required for the algorithm is proportional to \(1+\frac{n^2}{4d(d-1)}\). This matches the bound obtained in [Neu17].