# Lenstra–Lenstra–Lovász lattice basis reduction algorithm (LLL)

<b>Input:</b> Let $B\in\mathbb{Q}^{n\times n}$  be an invertible matrix representing the basis of a lattice $L$, i.e., $L = B\cdot\mathbb{Z}^n$.

<b>Output:</b> A vector $b = Bx\in L-\{0\}$ such that $||b||$ is small.

Minkowski's theorem tells that the length of the shortest vector $\lambda_1(L)$ in the lattice $L$ is bounded by $\lambda_1(L)\leq \sqrt{n}\cdot det(L)^{\frac{1}{n}}$.

LLL tries to find a vector in $L$ such that $||b||\leq 2^{\frac{n-1}{2}}\cdot det(L)^{\frac{1}{n}}$.

There are geometrical explanations to LLL. But we will use the matrices to demonstrate the functioning of LLL as it is easy to understand.

LLL uses two tools **QR-Factorization** and **Size-reduction**.

## QR-Factorization

Let $B\in \mathbb{R}^{n\times n}$ be nonsingular. Then there exist
1. an orthogonal matrix $Q\in \mathbb{R}^{n\times n}$ and
2. an upper triangular matrix $R\in \mathbb{R}^{n\times n}$ with positive diagonal entries.

such that the $B = QR$. 

<b>Proof: </b>Let $B = (b_1, b_2, \ldots, b_n)$ and we perform the Gram-Schmidt orthogonalization on $B$ to obtain $B^* = (b_1^*, b_2^*,\ldots, b_n^*)$, where

1. $b_1^* = b_1$.
2. $b_2^* = b_2 - \frac{<b_2, b_1^*>}{||b_1^*||^2}b_1^*$.
3. $b_j^* = b_j - \sum_{i=1}^{j-1}\frac{<b_j, b_i^*>}{||b_i^*||^2}b_i^*$ for $j=3,4,\ldots,n$.

Let $\mu_{ij} = \frac{<b_j, b_i^*>}{||b_i^*||^2}$ for $i<j$ and $\mu_{ii} = 1$ for $i=1,2,\ldots,n$.

Let $Q = \left(\frac{b_1^*}{||b_1^*||},\frac{b_2^*}{||b_2^*||},\ldots,\frac{b_n^*}{||b_n^*||}\right)$ and $R =\begin{pmatrix} 
||b_1^*|| & \mu_{12}||b_1^*|| & \mu_{13}||b_1^*|| & \mu_{14}||b_1^*|| & \ldots & \mu_{1n}||b_1^*||\\
0 & ||b_2^*|| & \mu_{23}||b_2^*|| & \mu_{24}||b_2^*|| &\ldots & \mu_{2n}||b_2^*||\\
0 & 0 & ||b_3^*|| & \mu_{34}||b_3^*|| & \ldots & \mu_{3n}||b_3^*||\\
\vdots & \vdots & \vdots & \vdots & \ddots & \vdots \\
0 & 0 & 0 & 0 & \ldots & ||b_n^*||\\
\end{pmatrix}.$


Then one can clearly see that $Q$ is an orthogonal matrix and $R$ is an upper triangular matrix with positive diagonal elements such that $B = QR$. Further, it is not difficult to prove that the QR-Factorization is unique. The matrix $R$ is called the R-factor of $B$. 

It should also be noted that GSO and QR-Factorization can be performed in polynomial time.

Since, $Q$ is orthogonal so its inverse $Q^{-1} = Q^{T}$ where $Q^{T}$ is the transpose of $Q$. Therefore, $Q^T$ corresponds to either a reflection or a rotation of $\mathbb{R}^n$, thus for every $x\in \mathbb{R}^n$, we have $||x|| = ||Q^{T}x||$.

**Goal:** To find a nonzero $x\in \mathbb{R}^n$ such that $Bx$ is small. Since $||Bx|| = ||Q^{T}Bx|| = ||Rx||$. It is equivalent to finding a nonzero $x$ such that $||Rx||$ is small. It is comparatively easier to do since $R$ is an upper triangular matrix.

**Remark:** 
\begin{align}det(L) &= det(B)\\ 
                                &= det(QR)\\
                                &= det(R)\\
                                &= \prod_{i=1}^{n}R_{ii}\\
                                &= \prod_{i=1}^{n}||b_i^*||\\
                                    \end{align}
                                    

We know that, given a basis matrix $B$ of a lattice $L$, the matrix $B' = BU$ where $U$ is a unimodular transformation, i.e., $|det(U)| = 1$, with integer entries generates the same lattice. Therefore, we rephrase our goal. Now, given $B$ we want to find a unimodular matrix $U$ such that $BU$ has columns of small norms. Or, we say that $BU$ is small. But since norm of columns of $BU = QRU$ is equal to the norm of columns of $RU$. 

**New Goal:** To find integral unimodular matrix $U$ such that $RU$ has columns of small norms.

Given $B$ we first compute $R$ in polynomial time and then keep on updating $R$ by multiplying it with integral unimodular matrices $U$ such that norm of columns of $RU$ is small.

# Size reduction

A nonsingular matrix $B = QR$ is called size-reduced if $|R_{ij}|<\frac{R_{ii}}{2}$ for all $i<j$. 

Remember our goal is to find a unimodular matrix $U$ such that columns of $RU$ are small. In other words, we wish to make the nonzero entries of $R$ to be smallest possible with help of integral unimodular transformations.

Suppose we wish to make $(i,j)$-th entry, for $i<j$, of $R$ to be effectively 0.


Let $U_{ij} = \begin{pmatrix}
1 & 0 &\ldots & 0 & \ldots & 0 & \ldots & 0\\
0 & 1 &\ldots & 0 & \ldots & 0 & \ldots & 0\\
\vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \ddots & \vdots \\
0 & 0 & 0 & 1 & \ldots & -\frac{R_{ij}}{R_{ii}} & \ldots & 0\\
\vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots \\
0 & 0 & 0 & 0 & 0 & 1 & 0 & 0\\
\vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \ddots & \vdots \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 1\\
\end{pmatrix}.$

$U_{ij}$ is a unimodular matrix that when multiplied with $R$ makes $R_{ij}$ to be 0. But the problem is that $U_{ij}\notin \mathbb{Z}^{n\times n}.$ So we try to do the best possible. Take

$U_{ij} = \begin{pmatrix}
1 & 0 &\ldots & 0 & \ldots & 0 & \ldots & 0\\
0 & 1 &\ldots & 0 & \ldots & 0 & \ldots & 0\\
\vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \ddots & \vdots \\
0 & 0 & 0 & 1 & \ldots & -\big\lfloor\frac{R_{ij}}{R_{ii}}\big\rceil & \ldots & 0\\
\vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots \\
0 & 0 & 0 & 0 & 0 & 1 & 0 & 0\\
\vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \ddots & \vdots \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 1\\
\end{pmatrix}.$

Now we try to observe what changes occur to entries of $R$ in $RU_{ij}$.


$RU_{ij} = \begin{pmatrix}
R_{11} & R_{12} &\ldots & R_{1i} & \dots & R_{1j-1} & R_{1j}^{new} & \ldots & R_{1n}\\
0 & R_{22} &\ldots & R_{2i} & \ldots & R_{2j-1} & R_{2j}^{new} & \ldots & R_{2n}\\
\vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \vdots &  \vdots \\
0 & 0 & 0 & R_{ii}  & \ldots & R_{ij-1} & R_{ij}^{new} & \ldots & R_{in}\\
0 & 0 & 0 & 0  & \ddots & R_{i+1j-1} & R_{i+1j} & \ldots & R_{i+1n}\\
\vdots & \vdots & \vdots & \vdots & \vdots & \ddots & \vdots & \vdots & \vdots \\
0 & 0 & 0 & 0 & 0 & 0 & R_{jj} & 0 & 0\\
\vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \ddots & \vdots \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & R_{nn}\\
\end{pmatrix}.$

It is same as performing 

$R_j \rightarrow R_j - \big\lfloor\frac{R_{ij}}{R_{ii}}\big\rceil R_i$. 

Further $|R_{ij}^{new}| = \big|R_{ij} - \big\lfloor\frac{R_{ij}}{R_{ii}}\big\rceil R_{ii}\big| < \frac{R_{ii}}{2}.$

Therefore, we apply this step/transformation for $i = 2,3\ldots,n$ and $j = i-1,i-2,\ldots,1.$

This size reduces $R$ in polynomial time $O(n^3).$

Let $U' = U_{21}U_{32}U_{31}\cdots U_{nn-1}\cdots U_{n1}$, then $U'$ is a integral unimodular matrix such that $RU'$ is size reduced. Since $RU' = I(RU')$ where I is orthogonal and $RU'$ is upper triangular with positive diagonal entries. Therefore, by uniqueness of the QR-factorization, the R-factor of $RU'$ is $RU'$ itself. So for fixed diagonal element, size reduction allows us to make the off diagonal elements small.

Therefore, now our goal is to make the diagonal elements smaller.

We have an upper triangular matrix $R$ with positive diagonal elements. We need to find some integral unimodular matrix $U$ such that the diagonal elements of $RU$ are small.

But we face one problem. That is, given any integral unimodular matrix $U$ 

\begin{align}det(L)             &= det(RU)\\
                                &= det(R)\\
                                &= \prod_{i=1}^{n}R_{ii}\\
                                &= \prod_{i=1}^{n}||b_i^*||\\
                                &= Constant.
                                    \end{align}
                                    
This means that we cannot make the diagonal elements.

The best we can do is to make them somewhat balanced.

In general what happens is that given arbitrary basis $(b_1, b_2, \ldots, b_n)$, the norms of the Gram-Schmidt basis $(b_1^*, b_2^*,\ldots, b_n^*)$ decrease too fast. So we try to prevent them decreasing rapidly.




### Consider the $2\times 2$ case.

Let $R = \begin{pmatrix} R_{11} & R_{12} \\ 
                         0 & R_{22} \end{pmatrix}$ where $R_{ii}>0.$
                         
                         
Assume that $R$ is size reduced, i.e., $|R_{12}| \leq \frac{R_{11}}{2}$ and $R_{ii}$ decreases very fast. Let $R_{22}<<< R_{11}$, in particular $R_{22} < \frac{R_{11}}{2}.$

So to prevent fast decrement we swap them using unimodular transformation 

$\begin{pmatrix} R_{11} & R_{12} \\ 
                         0 & R_{22} \end{pmatrix}\begin{pmatrix} 0 & 1 \\ 
                         1 & 0 \end{pmatrix} = \begin{pmatrix} R_{12} & R_{11} \\ 
                         R_{22} & 0 \end{pmatrix}.$
                         
But doing this we end up in non-upper traingular matrix. So we do the QR-Factorization to get the R-factor

$\begin{pmatrix} \sqrt{R_{12}^2+R_{22}^2} & * \\ 
                         0 & \frac{R_{11}R_{22}}{\sqrt{R_{12}^2+R_{22}^2}} \end{pmatrix}.$
                         
Since $R$ is size reduced This gives $R_{11}^{new} = \sqrt{R_{12}^2+R_{22}^2} \leq \sqrt{\frac{R_{11}^2}{4}+\frac{R_{11}^2}{4}} = \frac{R_{11}}{\sqrt{2}}.$         

So we managed to decrease $R_{11}$ by some factor and increase $R_{22}$ by the same factor.

Repeat untill $R_{22} \geq \frac{R_{11}}{2}$.
                         
This can be generalized to $n\times n$ matrix R that is size reduced and $R_{ii} > 2R_{i+1i+1}$.

$R = \begin{pmatrix}
R_{11} & R_{12} &\ldots & R_{1i} & R_{1i+1} &  \ldots & R_{1n}\\
0 & R_{22} &\ldots & R_{2i} & R_{2i+1} & \ldots & R_{2n} \\
\vdots & \vdots & \ddots & \vdots & \vdots & \ddots & \vdots\\
0 & 0 & \ldots & R_{ii}  & R_{ii+1} & \ldots & R_{in}\\
0 & 0 & \ldots & 0 & R_{i+1i+1} & \ldots & R_{i+1n}\\
\vdots & \vdots & \vdots & \vdots & \vdots & \ddots & \vdots \\
0 & 0 & 0 & 0 & 0 & 0 &  R_{nn}\\
\end{pmatrix}.$

$U = \begin{pmatrix}
1 & 0 &\ldots & 0 & 0&  \ldots & 0\\
0 & 1 &\ldots & 0 & 0 & \ldots & 0 \\
\vdots & \vdots & \ddots & \vdots & \vdots & \ddots & \vdots\\
0 & 0 & \ldots & 0 & 1 & \ldots & 0\\
0 & 0 & \ldots & 1 & 0 & \ldots & 0\\
\vdots & \vdots & \vdots & \vdots & \vdots & \ddots & \vdots \\
0 & 0 & 0 & 0 & 0 & 0 &  1\\
\end{pmatrix}.$ 

Then $RU = \begin{pmatrix}
R_{11} & R_{12} &\ldots  & R_{1i+1}& R_{1i} &  \ldots & R_{1n}\\
0 & R_{22} &\ldots  & R_{2i+1}& R_{2i} & \ldots & R_{2n} \\
\vdots & \vdots & \ddots & \vdots & \vdots & \ddots & \vdots\\
0 & 0 & \ldots  & R_{ii+1}& R_{ii}  & \ldots & R_{in}\\
0 & 0 & \ldots  & R_{i+1i+1} & 0 & \ldots & R_{i+1n}\\
\vdots & \vdots & \vdots & \vdots & \vdots & \ddots & \vdots \\
0 & 0 & 0 & 0 & 0 & 0 &  R_{nn}\\
\end{pmatrix}.$
            

Then we find the R-factor
 
$\begin{pmatrix}
R_{11} &  &\ldots  & & &  \ldots & \\
0 & R_{22} &\ldots  & &  & \ldots &  \\
\vdots & \vdots & \ddots & \vdots & \vdots & \ddots & \vdots\\
0 & 0 & \ldots  & \sqrt{R_{ii+1}^2+R_{i+1i+1}^2} & *  & \ldots \\
0 & 0 & \ldots  & 0 & \frac{R_{ii}R_{i+1i+1}}{\sqrt{R_{ii+1}^2+R_{i+1i+1}}} & \ldots & \\
\vdots & \vdots & \vdots & \vdots & \vdots & \ddots & \vdots \\
0 & 0 & 0 & 0 & 0 & 0 &  R_{nn}\\
\end{pmatrix}$.


We get $R_{ii}^{new}\leq \frac{R_{ii}^{old}}{\sqrt{2}}$ and $R_{ij}^{new} = R_{ij}^{old}$ for all $j\in \{i,i+1\}$.


This step is polynomial time. 


Then we again size reduce the obtained R-factor.

If we can show that the number of swaps required to prevent all the diagonals from decreasing rapidly is polynomially bounded then the whole process is polynomially bounded.

For that we define a quantity. Let      

$\pi = \prod_{i=1}^n R_{ii}^{n-i+1} = \prod_{i=1}^n\prod_{j=1}^{i}R_{jj}$.

Observe that the size reduction does not change the value of $\pi$ but the swaps do.

Swaps between $i$ and $i+1$ leaves $\prod_{j<i'}R_{jj}$ for all $i'<i$ and $\prod_{j<i}R_{jj}$ for all $i'>i$ constant.

And $\left(\prod_{j<i}R_{jj}\right)^{new} \leq \frac{1}{\sqrt{2}}\left(\prod_{j<i}R_{jj}\right)^{old}$, i.e.m only $R_{ii}$ changes the product.

For one swap $\pi^{new}\leq \frac{\pi^{old}}{\sqrt{2}}$.


#### At start 

\begin{align} \pi &= \prod_{i=1}^n R_{ii}^{n-i+1}\\ 
&= \prod_{i=1}^n ||b_i^*||^{n-i+1}\\ 
&\leq \prod_{i=1}^n ||b_i||^{n-i+1}\\
&\leq \left(max||b_i||\right)^{O(n^2)},
\end{align} since norm projection is less than the norm of the vector.



Further, $ \prod_{j<i} R_{jj} = det(L(b_1,b_2,\ldots,b_i))$.
Therefore, $0\neq \left(\prod_{j<i}R_{jj}\right)^2\geq 1 \in \mathbb{Z}$ when $b_{ij}$ are integral. Therefore, $\pi = \prod_{i=1}^n\prod_{j=1}^{i}R_{jj}\geq 1.$


Therefore, the number of swaps is bounded by $O(n^2 log max||b_i||)$. Hence, the overall time complexity is polynomially bounded in $n$.


**Definition:** A basis $B = QR$ is said to be LLL reduced if
1. $R_{ij}\leq \frac{R_{ii}}{2}$ for all $i<j$.
2. $R_{i+1i+1}\geq \frac{R_{ii}}{2}$.

The output of the LLL algorithm gives a LLL reduced basis and if $B$ is LLL reduced then

\begin{align}
||b_1|| &= ||b_1^*|| \\
        &=  R_{11}\\
        &\leq 2^{i-1}R_{ii}       
\end{align}

This gives $R_{11}^n\leq \prod_{i\leq n}2^{i-1}\cdot \prod_{i\leq n}R_{ii}$.

Finally, $R_{11}\leq 2^{\frac{n-1}{2}}(det(L))^{\frac{1}{n}}.$