Lenstra–Lenstra–Lovász lattice basis reduction algorithm

  (Redirected from LLL algorithm)

The Lenstra–Lenstra–Lovász (LLL) lattice basis reduction algorithm is a polynomial time lattice reduction algorithm invented by Arjen Lenstra, Hendrik Lenstra and László Lovász in 1982.[1] Given a basis with n-dimensional integer coordinates, for a lattice L (a discrete subgroup of Rn) with , the LLL algorithm calculates an LLL-reduced (short, nearly orthogonal) lattice basis in time

where is the largest length of under the Euclidean norm, that is, .[2][3]

The original applications were to give polynomial-time algorithms for factorizing polynomials with rational coefficients, for finding simultaneous rational approximations to real numbers, and for solving the integer linear programming problem in fixed dimensions.

LLL reductionEdit

The precise definition of LLL-reduced is as follows: Given a basis


define its Gram–Schmidt process orthogonal basis


and the Gram-Schmidt coefficients

 , for any  .

Then the basis   is LLL-reduced if there exists a parameter   in (0.25,1] such that the following holds:

  1. (size-reduced) For  . By definition, this property guarantees the length reduction of the ordered basis.
  2. (Lovász condition) For k = 2,3,..,n  .

Here, estimating the value of the   parameter, we can conclude how well the basis is reduced. Greater values of   lead to stronger reductions of the basis. Initially, A. Lenstra, H. Lenstra and L. Lovász demonstrated the LLL-reduction algorithm for  . Note that although LLL-reduction is well-defined for  , the polynomial-time complexity is guaranteed only for   in  .

The LLL algorithm computes LLL-reduced bases. There is no known efficient algorithm to compute a basis in which the basis vectors are as short as possible for lattices of dimensions greater than 4.[4] However, an LLL-reduced basis is nearly as short as possible, in the sense that there are absolute bounds   such that the first basis vector is no more than   times as long as a shortest vector in the lattice, the second basis vector is likewise within   of the second successive minimum, and so on.


An early successful application of the LLL algorithm was its use by Andrew Odlyzko and Herman te Riele in disproving Mertens conjecture.[5]

The LLL algorithm has found numerous other applications in MIMO detection algorithms[6] and cryptanalysis of public-key encryption schemes: knapsack cryptosystems, RSA with particular settings, NTRUEncrypt, and so forth. The algorithm can be used to find integer solutions to many problems.[7]

In particular, the LLL algorithm forms a core of one of the integer relation algorithms. For example, if it is believed that r=1.618034 is a (slightly rounded) root to an unknown quadratic equation with integer coefficients, one may apply LLL reduction to the lattice in   spanned by   and  . The first vector in the reduced basis will be an integer linear combination of these three, thus necessarily of the form  ; but such a vector is "short" only if a, b, c are small and   is even smaller. Thus the first three entries of this short vector are likely to be the coefficients of the integral quadratic polynomial which has r as a root. In this example the LLL algorithm finds the shortest vector to be [1, -1, -1, 0.00025] and indeed   has a root equal to the golden ratio, 1.6180339887....

Properties of LLL-reduced basisEdit

Let   be a  -LLL-reduced basis of a lattice  . From the definition of LLL-reduced basis, we can derive several other useful properties about  .

  1. The first vector in the basis cannot be much larger than the shortest non-zero vector:  . In particular, for  , this gives  .[8]
  2. The first vector in the basis is also bounded by the determinant of the lattice:  . In particular, for  , this gives  .
  3. The product of the norms of the vectors in the basis cannot be much larger than the determinant of the lattice: let  , then  .

LLL algorithm pseudocodeEdit

The following description is based on (Hoffstein, Pipher & Silverman 2008, Theorem 6.68), with the corrections from the errata.[9]

    a lattice basis  
    a parameter   with  , most commonly  
       and do not normalize
        using the most current values of   and  
    while   do
        for   from   to   do
            if   then
               Update   and the related  's as needed.
               (The naive method is to recompute   whenever   changes:
            end if
        end for
        if   then
            Swap   and   
            Update   and the related  's as needed.
        end if
    end while
    return   the LLL reduced basis of  
    the reduced basis  


Example from  Edit

Let a lattice basis  , be given by the columns of


then the reduced basis is


which is size-reduced, satisfies the Lovász condition, and is hence LLL-reduced, as described above. See W. Bosma.[10] for details of the reduction process.

Example from  Edit

Likewise, for the basis over the complex integers given by the columns of the matrix below,


then the columns of the matrix below give an LLL-reduced basis.



LLL is implemented in

  • Arageli as the function lll_reduction_int
  • fpLLL as a stand-alone implementation
  • GAP as the function LLLReducedBasis
  • Macaulay2 as the function LLL in the package LLLBases
  • Magma as the functions LLL and LLLGram (taking a gram matrix)
  • Maple as the function IntegerRelations[LLL]
  • Mathematica as the function LatticeReduce
  • Number Theory Library (NTL) as the function LLL
  • PARI/GP as the function qflll
  • Pymatgen as the function analysis.get_lll_reduced_lattice
  • SageMath as the method LLL driven by fpLLL and NTL
  • Isabelle/HOL in the 'archive of formal proofs' entry LLL_Basis_Reduction. This code exports to efficiently executable Haskell.[11]

See alsoEdit


  1. ^ Lenstra, A. K.; Lenstra, H. W., Jr.; Lovász, L. (1982). "Factoring polynomials with rational coefficients". Mathematische Annalen. 261 (4): 515–534. CiteSeerX doi:10.1007/BF01457454. hdl:1887/3810. MR 0682664. S2CID 5701340.
  2. ^ Galbraith, Steven (2012). "chapter 17". Mathematics of Public Key Cryptography.
  3. ^ Nguyen, Phong Q.; Stehlè, Damien (September 2009). "An LLL Algorithm with Quadratic Complexity". SIAM J. Comput. 39 (3): 874–903. doi:10.1137/070705702. Retrieved 3 June 2019.
  4. ^ Nguyen, Phong Q.; Stehlé, Damien (1 October 2009). "Low-dimensional lattice basis reduction revisited". ACM Transactions on Algorithms. 5 (4): 1–48. doi:10.1145/1597036.1597050. S2CID 10583820.
  5. ^ Odlyzko, Andrew; te Reile, Herman J. J. "Disproving Mertens Conjecture" (PDF). Journal für die reine und angewandte Mathematik. 357: 138–160. doi:10.1515/crll.1985.357.138. S2CID 13016831. Retrieved 27 January 2020.
  6. ^ Shahabuddin, Shahriar et al., "A Customized Lattice Reduction Multiprocessor for MIMO Detection", in Arxiv preprint, January 2015.
  7. ^ D. Simon (2007). "Selected applications of LLL in number theory" (PDF). LLL+25 Conference. Caen, France.
  8. ^ Regev, Oded. "Lattices in Computer Science: LLL Algorithm" (PDF). New York University. Retrieved 1 February 2019.
  9. ^ Silverman, Joseph. "Introduction to Mathematical Cryptography Errata" (PDF). Brown University Mathematics Dept. Retrieved 5 May 2015.
  10. ^ Bosma, Wieb. "4. LLL" (PDF). Lecture notes. Retrieved 28 February 2010.
  11. ^ Divasón, Jose (2018). "A Formalization of the LLL Basis Reduction Algorithm". Conference Paper. Lecture Notes in Computer Science. 10895: 160–177. doi:10.1007/978-3-319-94821-8_10. ISBN 978-3-319-94820-1. Retrieved 3 May 2020.