Worst-Case Hermite-Korkine-Zolotarev Reduced Lattice Bases

The Hermite-Korkine-Zolotarev reduction plays a central role in strong lattice reduction algorithms. By building upon a technique introduced by Ajtai, we show the existence of Hermite-Korkine-Zolotarev reduced bases that are arguably least reduced. W…

Authors: Guillaume Hanrot (INRIA Lorraine - LORIA), Damien Stehlé (INRIA Rhône-Alpes)

INRIA Research Report No. 6422, November 2007, 25 pages. Theme SYM (Symbolic Systems), Projects Cacao and Arénaire. ISSN 0249-6399, ISRN INRIA/RR--6422--FR+ENG. Unité de recherche INRIA Lorraine, LORIA.

Guillaume Hanrot, Damien Stehlé∗

∗ CNRS and Université de Lyon / ÉNS Lyon / LIP, 46 allée d'Italie, 69364 Lyon Cedex 07, France.

Abstract: The Hermite-Korkine-Zolotarev reduction plays a central role in strong lattice reduction algorithms. By building upon a technique introduced by Ajtai, we show the existence of Hermite-Korkine-Zolotarev reduced bases that are arguably least reduced. We prove that for such bases, Kannan's algorithm solving the shortest lattice vector problem requires $d^{\frac{d}{2e}(1+o(1))}$ bit operations in dimension $d$. This matches the best complexity upper bound known for this algorithm. These bases also provide lower bounds on Schnorr's constants $\alpha_d$ and $\beta_d$ that are essentially equal to the best upper bounds. Finally, we also show the existence of particularly bad bases for Schnorr's hierarchy of reductions.

Key-words: Lattice basis reduction, shortest vector problem, HKZ-reduction, BKZ-reduction

"Worst-case" Hermite-Korkine-Zolotarev reduced bases.

Résumé (translated from French): The Hermite-Korkine-Zolotarev reduction plays a central role in strong lattice reduction algorithms. Using a technique due to Ajtai, we prove the existence of Hermite-Korkine-Zolotarev reduced bases that are as badly reduced as possible.
For such bases, Kannan's algorithm for solving the shortest vector problem requires $d^{\frac{d}{2e}(1+o(1))}$ elementary operations in dimension $d$, which coincides with the best known upper bound on its complexity. These bases also provide lower bounds for Schnorr's constants $\alpha_d$ and $\beta_d$, which again coincide with the best known upper bounds. Finally, we show the existence of bad reduced bases for the algorithms of Schnorr's hierarchy.

Keywords: Lattice reduction, shortest vector problem, HKZ reduction, BKZ reduction

1 Introduction

A lattice $L$ is a discrete subgroup of a euclidean space $\mathbb{R}^n$. Such an object can always be written as the set of integer linear relations of some linearly independent vectors $b_1, \ldots, b_d \in \mathbb{R}^n$. The $b_i$'s form a basis of $L$. Such a representation is not unique, but all bases share the same cardinality $d$, called the lattice dimension. Another lattice invariant is the so-called lattice volume $\det(L)$, which is defined as the geometric $d$-dimensional volume of any parallelepiped $P(b_i) = \{\sum_i y_i b_i,\ y_i \in [0, 1]\}$ spanned by a lattice basis $(b_i)_i$.

When $d \ge 2$, a given lattice has an infinity of bases, related to one another by unimodular transformations. Some bases are better than others, in particular under the light of applications such as algorithmic number theory [5] and cryptography [15, 13]. In these applications, one is mostly interested in lattice bases made of rather short and rather orthogonal vectors. Such bases are called reduced. One often distinguishes between reductions that are rather weak but can be computed efficiently and reductions that are strong but that require a much larger amount of computational resources.
The main reduction of the first family is the celebrated LLL-reduction [12], whereas the most famous one in the second family is the Hermite-Korkine-Zolotarev reduction (HKZ for short). There exist compromises between LLL and HKZ reductions, such as Schnorr's Block-Korkine-Zolotarev (BKZ) reductions [19] depending on a parameter $k$: the 2-BKZ reduction is essentially the LLL reduction whereas the $d$-BKZ reduction is exactly the HKZ reduction. Other compromises have been considered in [19, 18, 7].

From the algorithmic point of view, LLL-reduction can be reached in time polynomial in the lattice dimension. The other parameters, such as the dimension of the embedding space and the bit-size of the initial vectors are of small interest here since all the described algorithms have polynomial complexities with respect to them. On the other extreme, there are two main algorithms to compute an HKZ-reduced basis. The first one is due to Kannan [11] and was improved by Helfrich and Schnorr [9, 19]. Its complexity has been revised downwards by Hanrot and Stehlé [8] who proved a $d^{\frac{d}{2e}(1+o(1))}$ upper bound. The other algorithm is due to Ajtai, Kumar and Sivakumar [2] and its complexity upper bound was re-assessed recently by Nguyen and Vidick [16]: its cost is provably bounded by $2^{5.9 \cdot d}$. The latter algorithm has a much better asymptotic complexity upper bound than Kannan's. However, it suffers from two drawbacks: firstly, it requires an exponential space whereas Kannan's space requirement is polynomial; secondly, it is probabilistic in the sense that there is a tiny probability that the computed basis is not HKZ-reduced, whereas Kannan's algorithm is deterministic. In practice, for manageable problem sizes, it seems that adaptations of Kannan's algorithm still outperform the algorithm of Ajtai, Kumar and Sivakumar.
One of the results of the present paper is to provide a worst-case complexity lower bound to Kannan's algorithm which is essentially the same as the $d^{\frac{d}{2e}(1+o(1))}$ complexity upper bound: it proves that from the worst-case point of view, Kannan's algorithm is asymptotically worse than the one of Ajtai, Kumar and Sivakumar. In the compromises between LLL and HKZ-reductions, an algorithm computing HKZ-reduced bases (either Kannan's or the one of Ajtai, Kumar and Sivakumar) is used on $k$-dimensional bases, where $k$ is the parameter of the compromise. When $k$ is greater than $c \log d$ for some constant $c$, the complexities of the compromise algorithms are $k^{O(k)}$ or $2^{O(k)}$ depending on the chosen HKZ-reduction algorithm.

The main result of the present paper is to prove the existence of HKZ-reduced bases which are arguably least reduced possible. These bases are good corner cases for strong lattice reductions. We prove that given them as input, Kannan's algorithm costs at least $d^{\frac{d}{2e}(1+o(1))}$ binary operations in dimension $d$, thus completing the worst-case analysis of Kannan's algorithm. This proves that the Ajtai-Kumar-Sivakumar algorithm is strictly better than Kannan's from the worst-case asymptotic time complexity perspective. These lattice bases also provide lower bounds on Schnorr's constants $\alpha_k$ and $\beta_k$ which play a central role to estimate the quality of Schnorr's hierarchies of reductions. As a by-product, we improve the best known upper bound for $\alpha_k$, and the lower and upper bounds essentially match. Our lower bound on $\beta_k$ matches its best known upper bound, provided by [7]. This gives weight to the fact that the primal-dual reduction therein may be better than Schnorr's classical hierarchy. Finally, we provide lattice bases that are particularly bad for Schnorr's hierarchy of reduction algorithms.
To achieve these results, we simplify and build upon a technique introduced by Ajtai in [1] to show lower bounds on Schnorr's constants $\alpha_k$ and $\beta_k$. These lower bounds were of the same orders of magnitude as the best upper bounds, but with undetermined constants in the exponents. It consists in building random lattice bases that are HKZ-reduced with non-zero probability and such that the quantities under investigation (e.g., Schnorr's constants) are close to the best known upper bounds. The random lattice bases are built from their Gram-Schmidt orthogonalisations.

ROAD-MAP. In Section 2 we provide the background that is necessary for understanding the rest of the article. In Section 3 we simplify Ajtai's method to generate lattice bases. We use it first in Section 4 to show the existence of worst-case HKZ-reduced bases with respect to the orthogonality of the basis vectors. Using these bases, we provide lower bounds to the worst-case cost of Kannan's algorithm and to Schnorr's constants $\alpha_k$ and $\beta_k$, in Section 5. We use Ajtai's technique a second time in Section 6 to build lattice bases that are particularly bad for Schnorr's hierarchy of reduction algorithms. Finally, in Section 7, we draw a list of possible natural extensions of our work.

NOTATION. If $y$ is a real number, we let $\lfloor y \rceil$ denote its closest integer (with any rule for the ambiguous cases), and we define $\{y\} = y - \lfloor y \rceil$. If $a \le b$, we let $\llbracket a, b \rrbracket$ denote the set of integers belonging to the interval $[a, b]$. All logarithms used are in basis $e$. Finally, for $x$ a real number, we define $(x)_+ := \max(x, 0)$.

2 Background on Lattices

We refer to [4] for a complete introduction to lattices.

Gram-Schmidt orthogonalisation. Let $b_1, \ldots, b_d$ be linearly independent vectors. We define b ∗ i = b i − P j k k b ∗ i k 2 ! 1 k . The best known upper bounds on $\alpha_k$ and $\beta_k$ are $k^{1+\log k}$ and $\frac{1}{10} k^{2 \log 2}$ (see [19, 7]).
We will improve the upper bound on $\alpha_k$ in Section 5. Any $k$-BKZ-reduced basis $(b_1, \ldots, b_d)$ of a lattice $L$ satisfies $\|b_1\| \le \min\left(k^{\frac{d-1}{k-1}}, \alpha_k^{\frac{d-1}{k-1}-1}\right) \lambda(L)$. Ajtai [1] showed that $\alpha_k \ge k^{c \log k}$ for some constant $c$, so that the first upper bound is stronger than the second one. Furthermore, every block-$2k$-reduced basis $(b_1, \ldots, b_{mk})$ of a lattice $L$ satisfies $\|b_1\| \le \sqrt{k}\,\sqrt{\beta_k}^{\,m-1} \lambda(L)$ (see [19, 20]).

3 Ajtai's Drawing of HKZ-Reduced Bases

Consider a dimension $d > 0$ and a function $f : \llbracket 1, d \rrbracket \to \mathbb{R}_+ \setminus \{0\}$. By generalising an argument due to Ajtai [1], we prove that one can build a $d$-dimensional lattice basis which is HKZ-reduced and such that $\|b_i^*\| = f(i)$, under a "Minkowski-type" condition for the values of $f$.

Theorem 1 Let $d > 0$ and $f : \llbracket 1, d \rrbracket \to \mathbb{R}_+ \setminus \{0\}$. Assume that for any $j \le d$, one has
\[ \sum_{i=1}^{j-1} \left(\frac{2\pi e}{j-i}\right)^{\frac{j-i}{2}} \left(1 - \left(\frac{f(j)}{f(i)}\right)^2\right)_+^{\frac{j-i}{2}} \left(\prod_{k=i}^{j} \frac{f(i)}{f(k)}\right) < 1. \]
Then there exists an HKZ-reduced basis $(b_1, \ldots, b_d)$ with $\|b_i^*\| = f(i)$.

The condition above might seem intricate at first glance, though it is in fact fairly natural. The term $(j-i)^{-\frac{j-i}{2}} \prod_{k=i}^{j} \frac{f(i)}{f(k)}$ resembles Minkowski's inequality. It is natural that it should occur for all $(i, j)$, since for an HKZ-reduced basis Minkowski's inequality is satisfied for all bases $(b_i(i), \ldots, b_j(i))$. Another way of stating this is that a necessary condition for a basis to be HKZ-reduced would be
\[ \forall j \le d, \quad \sum_{i=1}^{j-1} (4\gamma_{j-i+1})^{-\frac{j-i}{2}} \left(1 - \left(\frac{f(j)}{f(i)}\right)^2\right)^{\frac{j-i}{2}} \left(\prod_{k=i}^{j} \frac{f(i)}{f(k)}\right) < 1. \]
This is merely a restatement of the fact that, since Minkowski's inequality is verified for any pair $(i, j)$, the $i$-th term is at most $2^{-(j-i)}$, so that the sum is $< 1$. In view of the fact that asymptotically $\gamma_d \le \frac{1.744\, d}{2\pi e}(1 + o(1))$, we see that we are not far from an optimal condition.

Lemma 1 is the core of the proof of Theorem 1. It bounds the probability that when a random basis $(b_1, \ldots, b_d)$ is built appropriately, any lattice vector $\sum_i x_i b_i$ with $x_d \ne 0$ will be longer than $b_1$.

Lemma 1 Let $(b_1, \ldots, b_{d-1})$ be a lattice basis and let $b_d$ be a random vector. We suppose that:
1. For any $i \le d$, we have $\|b_i^*\| = f(i)$.
2. The $\mu_{d,i}$'s for $i < d$ are independent random variables uniformly distributed in $[-1/2, 1/2]$.
Let $p$ be the probability that there exists $(x_1, \ldots, x_d)$ with $x_d \ne 0$ such that $\|\sum_i x_i b_i\| \le \|b_1\|$. Then:
\[ p \le \left(\frac{2\pi e}{d-1}\right)^{\frac{d-1}{2}} \sum_{x>0} \left(1 - \left(\frac{x f(d)}{f(1)}\right)^2\right)_+^{\frac{d-1}{2}} \]
Y i 0 . We can write
\[ \sum_{i \le d} x_i b_i = \sum_{i \le d} \left(x_i + \sum_{j=i+1}^{d} \mu_{j,i} x_j\right) b_i^*. \]
For $i \le d$, we define $u_i = x_i + \left\lfloor \sum_{j=i+1}^{d} \mu_{j,i} x_j \right\rceil$ and $\delta_i = \left\{ \sum_{j=i+1}^{d} \mu_{j,i} x_j \right\}$. Notice that $\delta_i = \left\{ \mu_{d,i} x_d + \sum_{j=i+1}^{d-1} \mu_{j,i} x_j \right\}$ is made of a random term ($\mu_{d,i} x_d$) and a constant term ($\sum_{j=i+1}^{d-1} \mu_{j,i} x_j$). Since $x_d \ne 0$ and since the $\mu_{d,i}$'s are distributed independently and uniformly in $[-1/2, 1/2]$, the same holds for the $\delta_i$'s (for each fixed choice of $(x_1, \ldots, x_d)$). The event defining $p$ can thus be rewritten as $\exists u_d \in \mathbb{Z}_{>0}$, $\exists (u_1, \ldots, u_{d-1}) \in \mathbb{Z}^{d-1}$, X i 0 be an arbitrary constant. We can estimate the last upper bound by using the inequality Pr X i 0 yields the bound that we claimed. Recall that the terms corresponding to $u_d > f(1)/f(d)$ do not contribute. □

We now proceed to prove Theorem 1. We build the basis iteratively, starting with $b_1$, chosen arbitrarily with $\|b_1\| = f(1)$. Assume now that $b_1, \ldots, b_{j-1}$ have already been chosen with $\|b_i^*\| = f(i)$ for $i < j$ and that they are HKZ-reduced.
We choose $b_j$ as b ∗ j + P k 0
\[ \left(1 - \left(\frac{x f(j)}{f(i)}\right)^2\right)_+^{\frac{j-i}{2}} \left(\prod_{k=i}^{j-1} \frac{f(i)}{f(k)}\right) \le \left(\frac{2\pi e}{j-i}\right)^{\frac{j-i}{2}} \left(\frac{f(i)}{f(j)}\right) \left(1 - \left(\frac{f(j)}{f(i)}\right)^2\right)_+^{\frac{j-i}{2}} \left(\prod_{k=i}^{j-1} \frac{f(i)}{f(k)}\right) \le \left(\frac{2\pi e}{j-i}\right)^{\frac{j-i}{2}} \left(1 - \left(\frac{f(j)}{f(i)}\right)^2\right)_+^{\frac{j-i}{2}} \left(\prod_{k=i}^{j} \frac{f(i)}{f(k)}\right). \]
We conclude the proof by observing that the probability of non-HKZ-reducedness of $(b_1, \ldots, b_j)$ is at most P i 0 $\left(1 - \left(x \frac{f(j)}{f(i)}\right)^2\right)_+^{\frac{j-i}{2}}$ could be interpreted as a Riemann sum corresponding to the integral
\[ \frac{f(i)}{f(j)} \cdot \int_0^{\pi/2} \sin^{j-i+1} x \, dx \approx \frac{f(i)}{f(j)} \cdot \sqrt{\frac{\pi}{2(j-i+1)}}. \]
Notice however that if one uses the same technique to look for vectors of lengths smaller than √ c · d · Q ii µ j,i x j ·
\[ \|b_i^*\| \le \left(\|b_1\|^2 - \sum_{j>i} \left(x_j + \sum_{k>j} \mu_{k,j} x_k\right)^2 \|b_j^*\|^2\right)^{1/2}, \]
which gives a finite number of possibilities to be considered for the integer $x_i$. Overall, Equation (1) is solved by enumerating all the integer points within the hyper-ellipsoids $E_i = \left\{(y_i, \ldots, y_d) \in \mathbb{R}^{d-i+1},\ \left\|\sum_{j \ge i} y_j b_j(i)\right\| \le \|b_1\|\right\}$.

5.2 On the cost of Kannan's algorithm

In this subsection, we provide a worst-case complexity lower bound to Kannan's algorithm by considering the worst-case HKZ-reduced bases built in the previous section. For these, the first step of Kannan's algorithm has no effect, and we give a lower bound to the cost of the second one by providing a lower bound to the sum of the cardinalities of the sets $E_i \cap \mathbb{Z}^{d-i+1}$.

Lemma 2 Let $(b_1, \ldots, b_d)$ be a lattice basis. The number of points enumerated by Kannan's algorithm is at least the sum of the number of integer points in each of the hyper-ellipsoids
\[ E_i' = \left\{(y_i, \ldots, y_d) \in (\mathbb{R} \setminus \{0\})^{d-i+1},\ \sum_{j \ge i} y_j^2 \|b_j^*\|^2 \le \frac{4}{5} \|b_1\|^2\right\}. \]

Proof. Let $\phi : \mathbb{R}^{d-i+1} \to \mathbb{R}^{d-i+1}$ be defined by $\phi(y_i, \ldots, y_d) = (z_i, \ldots, z_d)$ such that $z_j = y_j - \left\lfloor \sum_{k>j} \mu_{k,j} z_k \right\rceil$. The function $\phi$ is injective. Indeed, $\phi(y_i, \ldots, y_d) = (z_i, \ldots, z_d)$ implies that $y_j = z_j + \left\lfloor \sum_{k>j} \mu_{k,j} z_k \right\rceil$, which means that $(z_i, \ldots, z_d)$ uniquely determines $(y_i, \ldots, y_d)$. Furthermore,
\[ \sum_{j \ge i} z_j b_j(i) = \sum_{j \ge i} \left(z_j + \sum_{k>j} \mu_{k,j} z_k\right) b_j^* = \sum_{j \ge i} (y_j + \delta_j) b_j^*, \]
for some $\delta_j \in [-1/2, 1/2]$. Hence, for $(y_i, \ldots, y_d) \in E_i' \cap \mathbb{Z}^{d-i+1}$, the $z_i$'s are integers and
\[ \left\|\sum_{j \ge i} z_j b_j(i)\right\|^2 = \sum_{j \ge i} (y_j + \delta_j)^2 \|b_j^*\|^2 \le \sum_{j \ge i} \frac{5}{4} y_j^2 \|b_j^*\|^2 \le \|b_1\|^2. \]
This implies that if $(y_i, \ldots, y_d) \in E_i' \cap \mathbb{Z}^{d-i+1}$ then $\phi(y_i, \ldots, y_d) \in E_i \cap \mathbb{Z}^{d-i+1}$ is indeed considered. □

We can now provide a lower bound to the cost of Kannan's algorithm. This lower bound is essentially the best possible, since it matches the upper bound of [8]. This also shows that the worst-case HKZ-reduced bases are worst-case inputs for Kannan's algorithm.

Theorem 3 Let $(b_1, \ldots, b_d)$ be a lattice basis. Let $i$ be such that $\|b_j^*\| \le \frac{\|b_1\|}{\sqrt{d}}$ for all $j \ge i$. Then, the number of points considered by Kannan's algorithm is at least
\[ 2^{-d+i-1} \prod_{j \ge i} \frac{\|b_1\|}{\sqrt{d}\, \|b_j^*\|}. \]
In particular, given as input the basis built in the previous section, Kannan's algorithm performs at least $d^{\frac{d}{2e}(1+o(1))}$ operations.

Proof. The set $E_i'$ contains the subset
\[ \prod_{j=i}^{d} \left(\left[-\frac{\|b_1\|}{\sqrt{d}\, \|b_j^*\|}, \frac{\|b_1\|}{\sqrt{d}\, \|b_j^*\|}\right] \setminus \{0\}\right). \]
This means that the cardinality of $E_i' \cap \mathbb{Z}^{d-i+1}$ is greater than
\[ \prod_{j \ge i} \left(2 \left\lfloor \frac{\|b_1\|}{\sqrt{d}\, \|b_j^*\|} \right\rfloor - 1\right) \ge \prod_{j \ge i} 2 \left(\frac{\|b_1\|}{\sqrt{d}\, \|b_j^*\|} - \frac{3}{2}\right) \ge \frac{1}{2^{d-i+1}} \prod_{j=i}^{d} \frac{\|b_1\|}{\sqrt{d}\, \|b_j^*\|}. \]
This proves the first part of the theorem. It remains to evaluate this quantity for the basis built in the previous section.
For this basis, we have, for any $i \le d$,
\[ \prod_{j \ge i} \frac{\|b_i^*\|}{\|b_j^*\|} = \left(\sqrt{C(d-i+1)}\right)^{d-i+1}. \]
As a consequence, the number of operations performed by Kannan's algorithm given this basis as input is greater than
\[ \left(\frac{C(d-i+1)}{4d}\right)^{\frac{d-i+1}{2}} \cdot \left(\frac{\|b_1\|}{\|b_i^*\|}\right)^{d-i+1}, \]
for any $i$ such that $\|b_j^*\| \le \frac{\|b_1\|}{\sqrt{d}}$ for $j \ge i$. We choose $i = \left\lfloor d\left(1 - \frac{1}{e}\right) + \alpha \frac{d}{\log d} \right\rceil$, for some $\alpha$ to be fixed later. Let $j \ge i$. According to Corollary 1, if $d - j \to +\infty$, we have
\begin{align*}
2 \log \frac{\|b_j^*\|}{\|b_1\|} &= \frac{\log^2(d-j+1) - \log^2 d}{2} + (1 + \log C)\left(\log(d-j+1) - \log d\right) + O(1) \\
&\le \log \frac{d-j+1}{d} \left(\log d + 1 + \log C\right) + O(1) \\
&\le \log \frac{d-i+1}{d} \left(\log d + 1 + \log C\right) + O(1) \\
&\le \log\left(\frac{1}{e} - \frac{\alpha}{\log d} + O\left(\frac{1}{d}\right)\right) \left(\log d + 1 + \log C\right) + O(1) \\
&\le -\log d - \alpha e + O(1).
\end{align*}
For $\alpha$ and $d$ large enough, we shall indeed have $\|b_j^*\| \le \frac{\|b_1\|}{\sqrt{d}}$ for any $j \ge i$. Hence, since for this value of $i$ we have $\left(\frac{\sqrt{d-i+1}}{\sqrt{d}}\right)^{d-i+1} = 2^{-O(d)}$ and $\left(\frac{\|b_1\|}{\|b_i^*\|}\right)^{d-i+1} = d^{\frac{d}{2e}} / 2^{O(d)}$, the lower bound becomes $d^{\frac{d}{2e}} / 2^{O(d)}$, which concludes the proof of the theorem. □

5.3 On Schnorr's Constants

First of all, we improve the best known upper bound for $\alpha_k$ from $k^{\log k + 1}$ to $k^{\frac{\log k}{2} + O(1)}$. We will see below that this improved upper bound is essentially the best possible.

Theorem 4 Let $k \ge 2$. Then $\alpha_k \le k^{\frac{\log k}{2} + O(1)}$.

Proof. Let $(b_1, \ldots, b_k)$ be an HKZ-reduced basis. For any $i$, we have
\[ \|b_i^*\|^{k-i} \le \sqrt{k-i+1}^{\,k-i+1} \prod_{j>i} \|b_j^*\|. \]
Let the sequence $u_i$ be defined by $u_k = \|b_k^*\|$ and $u_i^{k-i} = \sqrt{k-i+1}^{\,k-i+1} \prod_{j>i} u_j$. Then the sequence $u_i$ dominates the sequence $\|b_i^*\|$. Moreover,
\[ \frac{u_i}{u_{i+1}} = \frac{\sqrt{k-i+1}}{\sqrt{k-i}} \sqrt{k-i+1}^{\,\frac{1}{k-i}}, \]
which implies that $\frac{\|b_1\|}{\|b_k^*\|} \le \frac{u_1}{u_k} \le$ √ k Y ik k b ∗ i k = det( L ) Q i>k k b ∗ i k 2 = √ 2 k √ k k b 1 k k b ∗ k +1 k ! 2 k .
Furthermore,
\[ \left(\frac{\|b_1\|}{\|b_{k+1}^*\|}\right)^4 = \exp\left(\log^2(2k) - \log^2(k) + O(1)\right) = k^{2 \log 2} \exp(O(1)), \]
as claimed. □

6 Difficult Bases for the BKZ Reductions

In this section, we build lattice bases that are $k$-BKZ reduced, but far from being fully HKZ-reduced. In the previous section, we showed lower bounds to Schnorr's constants appearing in the quality analysis of the hierarchies of reductions. Here we prove lower bounds on the quality itself. Note that the lower bounds that we obtain are of the same order of magnitude as the corresponding upper bounds, but the involved constants are smaller. This suggests that it may not be possible to combine worst cases for Schnorr's constants in order to build bad bases for the BKZ hierarchy of reductions and that better upper bounds may be proved by using an amortised analysis.

In the following, we fix a block-size $k$. The strategy used to prove the existence of the basis is almost the same as in Section 3. The sole difference is that when we add a new basis vector $b_j$, we only require $(b_{j-k+1}(j-k+1), \ldots, b_j(j-k+1))$ to be HKZ-reduced instead of $(b_1, \ldots, b_j)$. This modification provides us the following result.

Theorem 6 Let $d > k$ and $f : \llbracket 1, d \rrbracket \to \mathbb{R}_+ \setminus \{0\}$. Assume that for any $j \le d$, one has
\[ \sum_{i=\max(j-k+1,\,1)}^{j-1} \left(\frac{2\pi e}{j-i}\right)^{\frac{j-i}{2}} \left(1 - \left(\frac{f(j)}{f(i)}\right)^2\right)_+^{\frac{j-i}{2}} \left(\prod_{l=i}^{j} \frac{f(i)}{f(l)}\right) < 1. \]
Then there exists a $k$-BKZ-reduced basis $(b_1, \ldots, b_d)$ with $\|b_i^*\| = f(i)$.

We now give a function $f$ that fulfils the requirements of Theorem 6.

Corollary 3 Let $k$ be an integer and $c < 1$ be a constant such that
\[ \sum_{l=1}^{k-1} \left(\frac{4\pi e}{l c} \sinh(-l \log c)\right)^{\frac{l}{2}} < 1. \]
Then, there exists a $k$-BKZ-reduced basis $(b_1, \ldots, b_d)$ with $\|b_i^*\| = c^i$.

Proof. Let $f(i) = c^i$ for any $i \le d$.
The condition of Theorem 6 becomes
\[ \forall j \le d, \quad \sum_{i=\max(j-k+1,\,1)}^{j-1} \left(\frac{2\pi e}{j-i} \left(1 - c^{2(j-i)}\right) c^{-(j-i+1)}\right)^{\frac{j-i}{2}} < 1, \]
or equivalently
\[ \forall j \le d, \quad \sum_{l=1}^{\min(k-1,\,j-1)} \left(\frac{2\pi e}{l} \left(1 - c^{2l}\right) c^{-(l+1)}\right)^{\frac{l}{2}} < 1. \]
Since $k < d$, this condition is equivalent to the one stated in the corollary. □

Using the corollary above, one can compute a suitable constant $c$ for any given block-size. For $k = 2$, one can take $c = 0.972$, for $k = 3$, one can take $c = 0.985$ and for $k \le 10$, one can take $c = 0.987$. The optimal value of $c$ seems to grow very slowly with $k$. However, it does grow since for any fixed $c$, the general term of the sum tends to $+\infty$ when $l$ grows to $+\infty$. We can also derive the following general result, as soon as the block-size is large enough:

Corollary 4 Let $d > k > 8\pi e$. There exists a $k$-BKZ-reduced basis $(b_1, \ldots, b_d)$ of a lattice $L$ with $\|b_i^*\| = \left(\frac{8\pi e}{k-1}\right)^{\frac{i}{k}}$. In particular, for any such basis, we have:
\[ \frac{\|b_1\|}{\lambda(L)} \ge \frac{1}{\sqrt{d}} \left(\frac{k-1}{8\pi e}\right)^{\frac{d-1}{2k}}. \]

Proof. Let $c = \left(\frac{8\pi e}{k-1}\right)^{\frac{1}{k}}$ and $\phi : x \mapsto \frac{1}{x} \sinh(x \log c)$. We have that
\[ \phi'(x) = -\frac{1}{x^2} \sinh(x \log c) + \frac{\log c}{x} \cosh(x \log c) = \frac{\cosh(x \log c)}{x^2} \left(-\tanh(x \log c) + x \log c\right). \]
Since $\tanh x \le x$ for any $x < 0$, we have that the function $\phi$ decreases when $x < 0$. As a consequence, we obtain that for any $l < k$,
\[ \frac{4\pi e}{l c} \sinh(-l \log c) \le \frac{2\pi e}{k-1} c^{-k} \le 1/4. \]
It follows that the condition of Theorem 6 is satisfied. It now remains to give a lower bound to $\|b_1\| / \lambda(L)$. We have $\|b_1\| = \left(\frac{8\pi e}{k-1}\right)^{\frac{1}{k}}$ and Minkowski's theorem gives us that
\[ \lambda(L) \le \sqrt{d} \left(\prod_i \|b_i^*\|\right)^{\frac{1}{d}} = \sqrt{d} \left(\frac{8\pi e}{k-1}\right)^{\frac{d+1}{2k}}. \]
This directly provides the second claim of the theorem. □

By comparing to 1 the last term of the sum in Corollary 3, one sees that the following must hold: $\left(c^{-k} - c^{k+2}\right) \le \frac{k-1}{2\pi e}$.
This means that, apart from replacing $8\pi e$ by $2\pi e$ in Corollary 4, one cannot hope for a much better constant by using our technique.

7 Concluding Remarks

We showed the existence of bases that are particularly bad from diverse perspectives related to strong lattice reductions and strong lattice reduction algorithms. A natural extension of our work would be to show how to generate such bases efficiently, for example by showing that the probabilities of obtaining bases of the desired properties can be made extremely close to 1. Another difficulty related to this goal will be to transfer the results from the continuous model, i.e., $\mathbb{R}^n$, to a discrete space, e.g., $\mathbb{Q}^n$ with a bound on denominators.

Our results allow us to claim that some algorithms/reductions are better than others from the worst-case asymptotic complexity point of view. This only gives a new insight on what should be done in practice. It is well-known (see [14] about the LLL algorithm) that low-dimensional lattices may behave quite differently from what is predicted by the worst-case high-dimensional results.

Acknowledgements

This work was initiated during the July 2007 seminar "Explicit methods in Number Theory" at Mathematisches Forschungsinstitut Oberwolfach. The authors are grateful to the MFO for the great working conditions provided on this occasion. The authors would also like to thank Jacques Martinet for the interest he showed for a preliminary version of those results and for pointing out [17]. The second author thanks John Cannon and the University of Sydney for having hosted him while some of the present work was completed.

References

[1] M. Ajtai. The worst-case behavior of Schnorr's algorithm approximating the shortest nonzero vector in a lattice. In Proceedings of the 35th Symposium on the Theory of Computing (STOC 2003), pages 396–406. ACM Press, 2003.
[2] M. Ajtai, R.
Kumar, and D. Sivakumar. A sieve algorithm for the shortest lattice vector problem. In Proceedings of the 33rd Symposium on the Theory of Computing (STOC 2001), pages 601–610. ACM Press, 2001.
[3] H. Brönnimann, G. Melquiond, and S. Pion. The design of the Boost interval arithmetic library. Theoretical Computer Science, 351:111–118, 2006.
[4] J. W. S. Cassels. An Introduction to the Geometry of Numbers, 2nd edition. Springer-Verlag, 1971.
[5] H. Cohen. A Course in Computational Algebraic Number Theory, 2nd edition. Springer-Verlag, 1995.
[6] CRLibm, a library of correctly rounded elementary functions in double-precision. http://lipforge.ens-lyon.fr/www/crlibm/.
[7] N. Gama, N. Howgrave-Graham, H. Koy, and P. Nguyen. Rankin's constant and blockwise lattice reduction. In Proceedings of Crypto 2006, number 4117 in Lecture Notes in Computer Science, pages 112–130. Springer-Verlag, 2006.
[8] G. Hanrot and D. Stehlé. Improved analysis of Kannan's shortest lattice vector algorithm (extended abstract). In Proceedings of Crypto 2007, volume 4622 of Lecture Notes in Computer Science, pages 170–186. Springer-Verlag, 2007.
[9] B. Helfrich. Algorithms to construct Minkowski reduced and Hermite reduced lattice bases. Theoretical Computer Science, 41:125–139, 1985.
[10] A. Kabatyanskii and V. I. Levenshtein. Bounds for packings on a sphere and in space. Problemy Peredachi Informatsii, 14:1–17, 1978.
[11] R. Kannan. Improved algorithms for integer programming and related lattice problems. In Proceedings of the 15th Symposium on the Theory of Computing (STOC 1983), pages 99–108. ACM Press, 1983.
[12] A. K. Lenstra, H. W. Lenstra, Jr., and L. Lovász. Factoring polynomials with rational coefficients. Mathematische Annalen, 261:513–534, 1982.
[13] D. Micciancio and S. Goldwasser. Complexity of lattice problems: a cryptographic perspective.
Kluwer Academic Press, 2002.
[14] P. Nguyen and D. Stehlé. LLL on the average. In Proceedings of the 7th Algorithmic Number Theory Symposium (ANTS VII), volume 4076 of Lecture Notes in Computer Science, pages 238–256. Springer-Verlag, 2006.
[15] P. Nguyen and J. Stern. The two faces of lattices in cryptology. In Proceedings of the 2001 Cryptography and Lattices Conference (CALC'01), volume 2146 of Lecture Notes in Computer Science, pages 146–180. Springer-Verlag, 2001.
[16] P. Nguyen and T. Vidick. Sieve algorithms for the shortest vector problem are practical. Submitted.
[17] R. A. Pendavingh and S. H. M. van Zwam. New Korkin-Zolotarev inequalities. SIAM Journal on Optimization, 18(1):364–378, 2007.
[18] C. P. Schnorr. Progress on LLL and lattice reduction. In Proceedings of the LLL+25 conference. To appear.
[19] C. P. Schnorr. A hierarchy of polynomial lattice basis reduction algorithms. Theoretical Computer Science, 53:201–224, 1987.
[20] C. P. Schnorr. Block reduced lattice bases and successive minima. Combinatorics, Probability and Computing, 3:507–533, 1994.

Proof of Theorem 2

This section is devoted to proving Theorem 2. Since $\exp(5) > 2\pi e (\sqrt{e} + 1)^2$, it suffices to prove the following result.

Theorem 7 Let $\psi(x) = C \cdot x$ with $C = \exp(-6)$. Then for all $1 \le i < j \le d$, we have
\[ (j-i+1)^{-\frac{j-i}{2}} \left(1 - \left(\frac{f_{\psi,d}(j)}{f_{\psi,d}(i)}\right)^2\right)_+^{\frac{j-i}{2}} \left(\prod_{k=i}^{j} \frac{f_{\psi,d}(i)}{f_{\psi,d}(k)}\right) \le \exp\left(-\frac{5}{2}(j-i)\right), \]
where $f_{\psi,d}(d) = 1$ and $f_{\psi,d}(i) = \sqrt{\psi(d-i+1)} \cdot \left(\prod_{k=i}^{d} f_{\psi,d}(k)\right)^{\frac{1}{d-i+1}}$.

We shall work separately with the following two terms of the theorem:
\[ \left(1 - \left(\frac{f_{\psi,d}(j)}{f_{\psi,d}(i)}\right)^2\right)_+^{\frac{j-i}{2}} \quad \text{and} \quad \left(\prod_{k=i}^{j} \frac{f_{\psi,d}(i)}{f_{\psi,d}(k)}\right). \]
We call these terms $T_1$ and $T_2$.
Another notation that we use is $a = d - i + 1$ and $b = d - j + 1$, which is natural since the function $x \mapsto f(d - x + 1)$ does not depend on $d$. The domain of valid pairs $(a, b)$ is $1 \le b < a \le d$. Notice that if $j = d$, then we can use the definition of $f_{\psi,d}$, and by bounding $T_1$ by 1, we obtain the sufficient condition:
\[ \sqrt{d-i+1}\, \exp(-3(d-i+1)) \le \exp\left(-\frac{5}{2}(d-i)\right), \]
which is valid. In the following, we will assume that $j < d$.

Our proof is made of four main steps. The first step consists in simplifying the expressions of the terms $T_1$ and $T_2$. In the second step, we try to obtain the result without the first term, i.e., while bounding $T_1$ by 1. We reach this goal for $a \ge 158000$ along with $b \le a - 1.65 \log^3 a$. In the third step, we use $T_2$ to obtain the result for $a \ge 158000$ along with $b \ge a - 1.65 \log^3 a$. Finally, we prove the result for $1 \le b < a \le 158000$ with an exhaustive check of the inequality to be satisfied.

7.1 Explicit Formulas

The results of this subsection remain correct for any function $\psi$.

Lemma 3 The following holds for any $k > i$:
\[ \frac{f_{\psi,d}(i)}{f_{\psi,d}(k)} = \sqrt{\frac{\psi(d-i+1)}{\psi(d-k+1)}} \cdot \prod_{\ell=i+1}^{k} \psi(d-\ell+2)^{\frac{1}{2(d-\ell+1)}}. \]

Proof. We have
\[ f_{\psi,d}(i)^{d-i} = \psi(d-i+1)^{\frac{d-i+1}{2}} \cdot \prod_{k=i+1}^{d} f_{\psi,d}(k) \quad \text{and} \quad f_{\psi,d}(i+1)^{d-i} = \psi(d-i)^{\frac{d-i}{2}} \cdot \prod_{k=i+1}^{d} f_{\psi,d}(k). \]
By taking the quotient, we obtain
\[ \frac{f_{\psi,d}(i)}{f_{\psi,d}(i+1)} = \sqrt{\frac{\psi(d-i+1)}{\psi(d-i)}} \cdot \psi(d-i+1)^{\frac{1}{2(d-i)}}. \]
The lemma follows by induction. □

The following lemma simplifies the expression of the term $T_2$.

Lemma 4 The following holds for any $j > i$:
\[ \prod_{k=i+1}^{j} \frac{f_{\psi,d}(i)}{f_{\psi,d}(k)} = \prod_{l=i+1}^{j} \left(\frac{\psi(d-i+1)\, \psi(d-l+2)}{\psi(d-l+1)\, \psi(d-l+2)^{\frac{d-j}{d-l+1}}}\right)^{\frac{1}{2}}. \]

Proof. We have
\[ \prod_{k=i+1}^{j} \frac{f_{\psi,d}(i)}{f_{\psi,d}(k)} = \left(\prod_{k=i+1}^{d} \frac{f_{\psi,d}(i)}{f_{\psi,d}(k)}\right) \cdot \left(\prod_{k=j+1}^{d} \frac{f_{\psi,d}(j)}{f_{\psi,d}(k)}\right)^{-1} \cdot \left(\frac{f_{\psi,d}(i)}{f_{\psi,d}(j)}\right)^{j-d}. \]
The first two terms can be made explicit by using the definition of $f_{\psi,d}$, and the last one has been studied in Lemma 3. We get:
\begin{align*}
\prod_{k=i+1}^{j} \frac{f_{\psi,d}(i)}{f_{\psi,d}(k)} &= \frac{\psi(d-i+1)^{\frac{d-i+1}{2}}}{\psi(d-j+1)^{\frac{d-j+1}{2}}} \cdot \left(\frac{\psi(d-i+1)}{\psi(d-j+1)}\right)^{\frac{j-d}{2}} \cdot \left(\prod_{l=i+1}^{j} \psi(d-l+2)^{\frac{j-d}{2(d-l+1)}}\right) \\
&= \frac{\psi(d-i+1)^{\frac{j-i+1}{2}}}{\psi(d-j+1)^{\frac{1}{2}}} \cdot \prod_{l=i+1}^{j} \psi(d-l+2)^{\frac{j-d}{2(d-l+1)}} \\
&= \prod_{l=i+1}^{j} \left(\frac{\psi(d-i+1)\, \psi(d-l+2)}{\psi(d-l+1)\, \psi(d-l+2)^{\frac{d-j}{d-l+1}}}\right)^{\frac{1}{2}},
\end{align*}
as claimed. □

Note that by writing $a = d - i + 1$ and $b = d - j + 1$, the two lemmas above give us:
\[ T_1 = \left(1 - \frac{\psi(b)}{\psi(a)} \prod_{l=b}^{a-1} \psi(l+1)^{-\frac{1}{l}}\right)_+^{\frac{a-b}{2}} \quad \text{and} \quad T_2 = \prod_{l=b}^{a-1} \left(\frac{\psi(a)\, \psi(l+1)}{\psi(l)\, \psi(l+1)^{\frac{b-1}{l}}}\right)^{\frac{1}{2}}. \]

7.2 Tentative Proof of Theorem 7 Without Using $T_1$

We consider the logarithm of $(j-i+1)^{-\frac{j-i}{2}} T_2$ and try to show that it is smaller than $-\frac{5}{2}(j-i)$. Thanks to Lemma 4, this is equivalent to showing that:
\[ -(a-b) \log(a-b+1) + \sum_{l=b}^{a-1} \left(\log \psi(a) - \log \psi(l) + \log \psi(l+1) \left(1 - \frac{b-1}{l}\right)\right) \le -5(a-b). \tag{2} \]
We first try to simplify the summand.

Lemma 5 Let $b \ge 2$ be an integer. The function $x \in [b, a-1] \mapsto -\log x + \log(x+1)\left(1 - \frac{b-1}{x}\right)$ is increasing for $x \ge b$ if $b \ge 3$ and for $x \ge 4$ if $b = 2$.

Proof. The derivative is $\frac{\log(x+1)(b-1)(x+1) - bx}{x^2(x+1)}$. It follows that the function under study is increasing as soon as $\left(1 + \frac{1}{x}\right) \log(x+1) \ge \frac{b}{b-1}$. The result follows from the facts that $\frac{b}{b-1} \le 2$, that $\frac{5}{4} \log 5 > 2$ and that $\frac{4}{3} \log 4 > \frac{3}{2}$. □

By using Lemma 5, we obtain an upper bound to $T_2$ if we had taken $\psi(x) = x$ instead of $\psi(x) = C \cdot x$.
Lemma 6 The following holds for $a \ge 8$:

$$\sum_{x=b}^{a-1} \left[ \log a - \log x + \log(x + 1)\left(1 - \frac{b-1}{x}\right) \right] \le (a - b)\log(a - b + 1) + (a - b)\left[ \log\frac{a^2}{(a-1)(a-b+1)} - \frac{b-1}{a-1}\log a \right].$$

Proof. When $b \ge 3$, the result follows directly from Lemma 5, by noticing that for all $x \in [b, a - 1]$ we have

$$-\log x + \log(x + 1)\left(1 - \frac{b-1}{x}\right) \le -\log(a - 1) + \log(a)\,\frac{a-b}{a-1}.$$

Suppose now that $b = 2$. It can be checked numerically that the inequality holds for $a = 8$. Suppose now that $a > 8$. We have:

$$\begin{aligned}
\sum_{x=b}^{a-1} \left[ \log a - \log x + \log(x + 1)\left(1 - \frac{1}{x}\right) \right]
&\le 6\log 7 + 6\left[ \log\frac{64}{49} - \frac{1}{7}\log 8 \right] + \sum_{x=8}^{a-1} \left[ \log a - \log(a - 1) + \log(a)\,\frac{a-b}{a-1} \right] \\
&= \sum_{x=2}^{a-1} \left[ \log a - \log(a - 1) + \log(a)\,\frac{a-b}{a-1} \right],
\end{aligned}$$

which gives the result. □

Notice that Lemma 6 implies that $T_2$ with $\psi(x) = x$ instead of $C \cdot x$ already compensates the term "$(a - b)\log(a - b + 1)$" of Equation (2). Indeed, the function $\theta : b \mapsto \log\frac{a^2}{(a-1)(a-b+1)} - \frac{b-1}{a-1}\log a$ is convex and $\theta(2) = 2\log\frac{a}{a-1} - \frac{\log a}{a-1}$ and $\theta(a - 1) = \log\frac{a}{2(a-1)} + \frac{\log a}{a-1}$. Both $\theta(2)$ and $\theta(a - 1)$, and thus all $\theta(x)$ for $x \in [2, a - 1]$, are $\le 0$ for $a \ge 8$.

We now consider the left hand-side of Equation (2) with $\psi(x) = C \cdot x$.

Lemma 7 Let $\alpha(a, b) = \log\frac{a}{a-b} - \frac{b-1}{a-1}\log a$ and $\beta(a, b) = 1 - \frac{b}{a-b}\log\frac{a}{b}$. For $a \ge 8$, we have:

$$-(a - b)\log(a - b + 1) + \sum_{l=b}^{a-1} \left[ \log\psi(a) - \log\psi(l) + \log\psi(l + 1)\left(1 - \frac{b-1}{l}\right) \right] \le (a - b)\left( \alpha(a, b) + \beta(a, b)\log C \right).$$

Proof. First of all, we have:

$$-(a - b)\log(a - b + 1) + \sum_{l=b}^{a-1} \left[ \log a - \log l + \log(l + 1)\left(1 - \frac{b-1}{l}\right) \right] \le \alpha(a, b).$$

This follows from Lemma 6 and the fact that $(a - 1)(a - b + 1) \ge a(a - b)$. We now consider the terms depending on $C$.
Since $\sum_{x=b+1}^{a} \frac{1}{x} \le \log\frac{a}{b}$ and $\log C < 0$, we have:

$$\sum_{l=b}^{a-1} \left[ \log(C)\left(1 - \frac{b-1}{l}\right) \right] \le \log(C)\left( a - b - (b - 1)\log\frac{a}{b} \right) \le \log(C)\,\beta(a, b),$$

which gives the result. □

In the following, we study the function $(a, b) \mapsto \alpha(a, b) + \beta(a, b)\log C$. We would like to bound it by $-5$, but we will be able to do this only for a subset of all possible values of the pair $(a, b)$.

Lemma 8 Let $0 < \kappa < 1$ be a real constant and suppose that $a \ge 8$. The function $a \mapsto \alpha(a, \kappa a) + \beta(a, \kappa a)\log C$ decreases with respect to $a$.

Proof. We have

$$\alpha(a, \kappa a) + \beta(a, \kappa a)\log C = -\log(1 - \kappa) + \log C\left(1 + \frac{\kappa\log\kappa}{1 - \kappa}\right) - \frac{(\kappa a - 1)\log a}{a - 1}.$$

Hence,

$$\frac{\partial}{\partial a}\left( \alpha(a, \kappa a) + \log C\,\beta(a, \kappa a) \right) = \frac{-\kappa a^2 + a\log a\,(\kappa - 1) + (\kappa + 1)a - 1}{a(a - 1)^2}.$$

For the numerator to be negative, it suffices that $a \ge 1 + \frac{1}{\kappa}$ (then the term in $a^2$ is larger than the term in $a$) or that $a \ge \exp\left(\frac{\kappa+1}{1-\kappa}\right)$ (then the term in $a\log a$ is larger than the term in $a$). Since

$$\max_{\kappa \in [0,1]} \min\left( 1 + \frac{1}{\kappa},\ \exp\left(\frac{\kappa + 1}{1 - \kappa}\right) \right) \le 6,$$

the result follows. □

In the results above, we did not need $C = \exp(-6)$. The only property we used about $C$ was $\log C < 0$. In the sequel, we define $\tau(a, \kappa) = \alpha(a, \kappa a) - 6\beta(a, \kappa a)$. We are to prove that $\tau(a, \kappa) \le -5$ as soon as $\kappa$ is not very close to $1$.

Lemma 9 For any $a \ge 755$, the function $\kappa \mapsto \tau(a, \kappa)$ increases to a local maximum in $\left(0, \frac{1}{2}\right)$, then decreases to a local minimum in $\left[\frac{1}{2}, 1 - \frac{1}{2\log a}\right]$ and then increases.

Proof. We first study

$$\frac{\partial^3}{\partial\kappa^3}\tau(a, \kappa) = \frac{20\kappa^2 + 10\kappa^3 + 6 - 36\kappa - 36\kappa^2\log\kappa}{(1 - \kappa)^4\kappa^2}.$$

Using the fact that $\log\kappa \le (\kappa - 1) - (\kappa - 1)^2/2 + (\kappa - 1)^3/3$ for $\kappa \in [0, 1]$, we find that the numerator can be lower bounded by a polynomial which is non-negative for $\kappa \in [0, 1]$.
As a consequence, $\tau'_\kappa(a, \kappa) = \frac{\partial}{\partial\kappa}\tau(a, \kappa)$ is a convex function with respect to $\kappa \in (0, 1)$. Notice now that $\tau'_\kappa(a, \kappa) = -6\log\kappa + o(\log\kappa) > 0$ for $\kappa$ close to $0$, that $\tau'_\kappa(a, 1/2) = -10 + 24\log 2 - \frac{a\log a}{a-1} \le 0$ for $a \ge 755$, and finally that

$$\tau'_\kappa\left(a, 1 - \frac{1}{2\log a}\right) = -10\log a - 24\log\left(1 - \frac{1}{2\log a}\right)\log^2 a - \frac{a}{a-1}\log a \ge 2\log a - \frac{a}{a-1}\log a,$$

which is clearly positive for $a \ge 3$. □

The following lemma provides the result claimed in Theorem 7 for $a \ge 158000$ and $b \le a - 1.65\,\frac{a}{\log^3 a}$.

Lemma 10 Suppose that $a \ge 158000$. Then, for all $\kappa \le 1 - 1.65\,\frac{1}{\log^3 a}$, we have $\alpha(a, \kappa a) - 6\beta(a, \kappa a) \le -5$.

Proof. Let $a_0 = 158000$. We have $\tau'_\kappa(a_0, 0.08962) > 0 > \tau'_\kappa(a_0, 0.08963)$. Furthermore, for $\kappa \in [0.0937, 0.0938]$, we have $|\tau'_\kappa(a_0, \kappa)| \le \max\left( |\tau'_\kappa(a_0, 0.08962)|, |\tau'_\kappa(a_0, 0.08963)| \right) \le 3 \cdot 10^{-4}$. Hence,

$$\max_{\kappa \in [0.08962,\, 0.08963]} \tau(a_0, \kappa) \le \tau(a_0, 0.08962) + 3 \cdot 10^{-9} < -5.$$

Thanks to Lemmas 8 and 9, we have, for $a \ge 158000$:

$$\max_{\kappa \in [0, 1/2]} \left( \alpha(a, \kappa a) - 6\beta(a, \kappa a) \right) \le -5.$$

Furthermore, since $\frac{1}{2\log a} \ge \frac{1.65}{\log(a)^3}$ and thanks to Lemma 9, we have, for any $a \ge 158000$:

$$\max_{\kappa \in \left[\frac{1}{2},\, 1 - \frac{1.65}{\log^3 a}\right]} \tau(a, \kappa) = \max\left( \tau\left(a, \frac{1}{2}\right),\ \tau\left(a, 1 - \frac{1.65}{\log^3 a}\right) \right).$$

Notice that

$$\tau\left(a, 1 - \frac{1.65}{\log^3 a}\right) \le \alpha\left(a, a - 1.65\,\frac{a}{\log^3 a}\right) = -\log 1.65 + 3\log\log a - \log a + \frac{a}{a-1}\cdot\frac{1.65}{(\log a)^2},$$

which is decreasing with respect to $a \ge 158000$. Moreover, for $a = 158000$, its value is below $-5$. As a consequence,

$$\max_{\kappa \in \left[\frac{1}{2},\, 1 - \frac{1.65}{\log^3 a}\right]} \tau(a, \kappa) \le \max\left( \tau\left(a, \frac{1}{2}\right),\ -5 \right) \le -5.$$

□

7.3 Using $T_1$ When $b > a - 1.65\,\frac{a}{(\log a)^3}$

This section ends the proof of Theorem 7 for $a \ge 158000$.

Lemma 11 Assume that $\psi(x) = e^{-6} \cdot x$. Then, for $a > b \ge a - 1.65\,\frac{a}{(\log a)^3}$ and $a \ge a_1 \ge 1782$, we have

$$1 - \left( \frac{f_{\psi,d}(d - b + 1)}{f_{\psi,d}(d - a + 1)} \right)^2 \le 1 - \exp\left( -1.65\,\frac{\log a_1 - 5}{\log^3 a_1 - 1.65} \right).$$

Proof. According to Lemma 3, we have

$$\begin{aligned}
-2\log\frac{f_{\psi,d}(d - b + 1)}{f_{\psi,d}(d - a + 1)} &= \log\left(\frac{a}{b}\right) + \sum_{l=b}^{a-1} \frac{-6 + \log(l + 1)}{l} \\
&\le \frac{1.65}{\log^3 a - 1.65} + (a - b)\,\frac{-6 + \log a}{b}, \\
&\le 1.65\,\frac{\log a - 5}{(\log a)^3 - 1.65}.
\end{aligned}$$

This upper bound decreases with respect to $a \ge 1782$. □

By using Lemma 10 and the fact that $\beta(a, b) \le 0$, we see that the left hand side of Equation (2) is upper bounded, for $b \ge a - 1.65\,\frac{a}{(\log a)^3}$ and $a \ge a_1 \ge 1782$, by:

$$(a - b)\log\left( 1 - \exp\left( -1.65\,\frac{\log a_1 - 5}{\log^3 a_1 - 1.65} \right) \right) \le (a - b)\log\left( 1.65\,\frac{\log a_1 - 5}{\log^3 a_1 - 1.65} \right),$$

and the constant in the right hand side is below $-5$ when $a_1 = 158000$.

7.4 Small Values of $a$

It only remains to prove Theorem 7 for small values of $a$. The following lemma was obtained numerically. In order to provide a reliable proof, we used the Boost interval arithmetic library [3] and CRlibm [6] as underlying floating-point libraries.

Lemma 12 Let $\psi(x) = e^{-6} \cdot x$. For any $2 \le b < a \le 158000$, we have

$$(j - i + 1)^{-\frac{j-i}{2}} \left( 1 - \left( \frac{f_{\psi,d}(j)}{f_{\psi,d}(i)} \right)^2 \right)_{+}^{\frac{j-i}{2}} \cdot \prod_{k=i+1}^{j} \frac{f_{\psi,d}(i)}{f_{\psi,d}(k)} \le \exp\left( -5\,\frac{j - i}{2} \right),$$

with $i = d - a + 1$ and $j = d - b + 1$.

7.5 Concluding Remarks

The value of $C = \exp(-6)$ is not optimal. Given the line of proof used above (obtaining a geometric decrease of the general term of the sum in Theorem 1), the best value of $C$ that one can expect is limited by the term corresponding to $j = d$, $i = d - 1$, for which we must have $(2\pi e) \cdot (2C) \le \frac{1}{(\sqrt{e} + 1)^2}$. Note however that the probability $p$ of Lemma 1 involved in our criterion can be computed more precisely for small dimensional lattices, thus improving the optimal value of $C$ that can be reached.
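The inequality of Lemma 12 (Section 7.4) can be spot-checked in ordinary floating point from the closed forms of Lemmas 3 and 4. The following Python sketch is an added example, not the authors' Boost/CRlibm interval-arithmetic program: it evaluates $\frac{2}{a-b}$ times the logarithm of the left-hand side for all $2 \le b < a \le a_{\max}$ with $\psi(x) = e^{-6} x$; the name `worst_case` and the prefix-sum layout are choices made here.

```python
import math

LOG_C = -6.0  # psi(x) = C * x with C = exp(-6), as in Lemma 12


def worst_case(a_max, use_t1=True):
    """Return (value, (a, b)) maximising, over 2 <= b < a <= a_max,
    (2 / (a - b)) * log(left-hand side of Lemma 12).
    The lemma holds on that range iff the value is <= -5."""
    # L[x] = log psi(x); index 0 is unused.
    L = [0.0] + [LOG_C + math.log(x) for x in range(1, a_max + 1)]
    # P[n] = sum_{l=1}^{n-1} log psi(l+1) / l, so sum_{l=b}^{a-1} is P[a] - P[b].
    P = [0.0, 0.0]
    for n in range(2, a_max + 1):
        P.append(P[-1] + L[n] / (n - 1))
    worst, where = -math.inf, None
    for a in range(3, a_max + 1):
        for b in range(2, a):
            m = a - b  # equals j - i
            D = P[a] - P[b]
            # 2 log T_2 from Lemma 4; log psi(l+1) - log psi(l) telescopes.
            two_log_t2 = m * L[a] + L[a] - L[b] - (b - 1) * D
            val = two_log_t2 / m - math.log(m + 1)
            if use_t1:
                # log r with r = (f(j)/f(i))^2, from Lemma 3.
                log_r = L[b] - L[a] - D
                if log_r >= 0.0:
                    continue  # (1 - r)_+ = 0, so the left-hand side is 0
                val += math.log(-math.expm1(log_r))  # log(1 - r)
            if val > worst:
                worst, where = val, (a, b)
    return worst, where


if __name__ == "__main__":
    print(worst_case(400))                # with T_1: must stay <= -5
    print(worst_case(400, use_t1=False))  # T_2 alone: exceeds -5
```

With `use_t1=False` the same loop shows that the $T_2$-only bound of Section 7.2 fails for small $a$, which is why the exhaustive check keeps $T_1$. Plain doubles give no rigorous enclosure, unlike the interval arithmetic used for the paper's proof.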