Why 1.02? The root Hermite factor of LLL and stochastic sandpile models
share
In lattice-based cryptography, a disturbing and puzzling fact is that there exists such a conspicuous gap between the actual performance of LLL and what could be said of it theoretically. By now, no plausible mathematical explanation is yet proposed. In this paper, we provide compelling evidence that LLL behaves essentially identically to a certain stochastic variant of the sandpile model that we introduce. This allows us to explain many observations on the LLL algorithm that have so far been considered mysterious. For example, we can now present a mathematically well- substantiated explanation as to why LLL has the root Hermite factor (RHF) ≈ 1.02 and why the LLL algorithm can not hit the basis with the root Hermite factor (RHF) ≈ 1.074, the theoretical upper bound. Our approach also shows strongly that minor modifications of LLL without incurring a significant increase in computational cost to boost its RHF is very unlikely to occur. This should boost very much our confidence on how we can use LLL to help us to select practical parameters for lattice-based cryptosystems, a critical and practical problem we must resolve in order to select the best post-quantum cryptographic standards in the near future.
READ FULL TEXT