LLL for ideal lattices: re-evaluation of the security of Gentry–Halevi’s FHE scheme

Abstract

The LLL algorithm, named after its inventors, Lenstra, Lenstra and Lovasz, is one of the most popular lattice reduction algorithms in the literature. In this paper, we propose the first variant of LLL algorithm that is dedicated for ideal lattices, namely, the iLLL algorithm. Our iLLL algorithm takes advantage of the fact that within LLL procedures, previously reduced vectors can be re-used for further reductions. Using this method, we prove that the iLLL is at least as fast as the LLL algorithm, and it outputs a basis with the same quality. We also provide a heuristic approach that accelerates the re-use method. As a result, in practice, our algorithm can be approximately eight times faster than LLL algorithm for typical scenarios where lattice dimension is between 100 and 150. When applying our algorithm to the Gentry---Halevi's fully homomorphic challenges, we are able to solve the toy challenge within 24 days using a 2.66 GHz CPU, while with the classical LLL algorithm, it takes 32 days. Further, assuming a 4.0 GHz CPU, we predict to reduce the basis in 15.7 years for the small challenges, while previous best prediction was 45 years.