Mathlib-side correctness of the executable LLL reducers. The per-step
Valid/independence preservation, the potential strict-decrease and fuel
sufficiency, and the loop-invariant induction culminate in the reducedness,
lattice, and rational short-vector capstones for Hex.lllNative and
Hex.lll.
The identity matrix is independent: every executable leading Gram
determinant is positive. Used by Phase 4 benchmarks of
lll.firstShortVector, where the identity basis is the degenerate BZ-style
recombination input with all-zero lift coefficients.
Size reduction preserves the executable Gram-determinant independence predicate. This public theorem lives in the Mathlib-side library so the Mathlib-free LLL core does not expose determinant-bound preservation surfaces.
Adjacent swap preserves the executable Gram-determinant independence
predicate. Mirrors sizeReduce_independent for the swap step of the LLL
inner loop.
Prefix LLL invariants under swapStep #
For row indices strictly below k - 1, both the Gram-Schmidt basis row and
the rational coefficient entries are preserved by swapStep s k, because
the swap only touches rows k - 1 and k. These prefix lemmas package
that observation as the building blocks for the prefixLLLReduced
preservation corollary below.
For i + 1 < k, the squared norm of the i-th Gram-Schmidt basis row
is unchanged by swapStep s k.
The prefix δ-LLL-reduced predicate: the first k Gram-Schmidt rows
satisfy size reduction (for all i < k, j < i) and the adjacent Lovász
condition at (i, i + 1) (for all i + 1 < k). At k = n this coincides
with isLLLReduced; at k ≤ 1 it is vacuously true.
Equations
- One or more equations did not get rendered due to their size.
Instances For
Shrinking the row prefix weakens the predicate.
Extending the prefix by one row: given prefixLLLReduced b k δ, the new
size-reducedness data for row k and the new Lovász data at the pair
(k - 1, k) (vacuous when k = 0) jointly yield prefixLLLReduced b (k + 1) δ.
This is the "add one row to the certified prefix" lemma consumed by the
lllLoop advance branch.
At the empty prefix k = 1, prefixLLLReduced holds vacuously: the
i < 1 (so i = 0, then j < 0 impossible) and i + 1 < 1 quantifiers are
empty. This is the starting state for the lllLoop invariant induction.
At the full prefix k = n, prefixLLLReduced upgrades to
isLLLReduced b δ (1/2): prefixLLLReduced always carries the algorithm's
classical |μ| ≤ 1/2 size-reduction guarantee, which is the
η = 1/2 instance of the size-reduced condition μ² ≤ η².
swapStep s k preserves the prefix LLL-reduced predicate, with the
prefix shrunk by one (clamped below by 1 to stay in the trivially-true
regime when k ≤ 2). Mechanism: the swap only touches rows k - 1 and
k, so every Gram-Schmidt quantity at indices strictly below k - 1 is
preserved (swapStep_basisNormSq_below, swapStep_coeffs_below).
Size-reduce Valid preservation #
The single-column update sizeReduceColumn edits b, ν at row k,
and leaves d alone. Validity is preserved because the integer
(b, ν) update mirrors the Mathlib-side scaledCoeffs updates
(scaledCoeffs_sizeReduce_pivot/_lower/_above_pivot/_other_row)
and the Gram-determinants are unchanged (gramDet_sizeReduce).
The single-column size reduction preserves Valid.
The size-reduction outer foldl preserves Valid.
Size-reduce size-reducedness #
After LLLState.sizeReduce s k, the row k of the integer scaled coefficients
satisfies 2 * |ν[k][j]| ≤ d[j+1] for every j < k (the integer formulation
of the rational size-reducedness bound |μ[k][j]| ≤ 1/2). Pair with
scaledCoeffs_eq to get the rational bound 4 * μ[k][j]² ≤ 1 on the
post-reduction Gram-Schmidt coefficients. Closes the size-reduction half of
the LLL loop invariant.
Integer formulation: after s.sizeReduce k, every column j < k of
row k of the scaled coefficients satisfies 2 * |ν[k][j]| ≤ d[j+1].
The size-reduce size-reducedness theorem (Sub-issue A of #6576).
After LLLState.sizeReduce s k, the row k of the rational Gram-Schmidt
coefficients is size-reduced: 4 * μ[k][j]² ≤ 1 for every j < k.
Potential strict-decrease under failing Lovász #
These lemmas package the multiplicative termination potential
d_1 · … · d_{n-1} behaviour under the two inner-loop updates:
sizeReduce_potential: size reduction is potential-neutral (it only editsν, neverd).swapStep_d_pivot: the post-swap Gram-determinant slot readsInt.toNat ⌊(d_{k+1}·d_{k-1} + B²)/d_k⌋directly offswapStep's definition (pairs withswapStep_d_eqto identify this slot withgramDet (adjacentSwap b k) k).swapStep_potential_lt: when the integer Lovász test fails at rowk(the swap branch oflllLoop), the potential strictly decreases.
Size reduction leaves the multiplicative termination potential unchanged, since it does not modify the stored Gram determinants.
Value lemma for the post-swap Gram-determinant slot at the pivot
index. Reads swapStep directly: at index k, the updated d holds
Int.toNat ⌊(d_{k+1}·d_{k-1} + B²)/d_k⌋, where B = ν[k][k-1]. Pairs
with swapStep_d_eq to identify this slot with the post-swap basis'
Gram determinant via gramDet_adjacentSwap_pivot.
Strict decrease of the LLL termination potential across a swap that
fails the integer Lovász test at row k.
Hypotheses:
s.Valid,s.b.independent: the proof-facing interpretation of the state. Independence gives positivity of alld_jfactors.0 < k < n: the swap acts on adjacent rowsk - 1, k.0 < δnumandδnum ≤ δden: the Lovász parameterδ ∈ (0, 1]as an integer inequality on its numerator and denominator (in the formlllLoop's integer Lovász test consumes; follows from1/4 < δ ≤ 1).hfail: the failing integer Lovász condition atk, exactly the testlllLoopevaluates before dispatching the swap branch.
Conclusion: (s.swapStep k).potential < s.potential.
Fuel sufficiency for lllLoop #
The outer LLL loop lllLoop was made total in #6564 by structural
recursion on a fuel argument, with fuel = 0 returning the current
basis as a pipeline-unreachable fallback (per SPEC §8). This section
proves the fallback unreachable for valid input: the bound
lllFuel s = (s.potential + 1) * (n + 1) is sufficient for the loop
started at k = 1 on s = ofBasis b.
The argument tracks the lexicographic measure
s.potential * (n + 1) + (n - k):
- size reduction is potential-neutral (
sizeReduce_potential) and is immediately followed by either an advance (decreasesn - kby 1) or a swap; - swaps strictly decrease the potential (
swapStep_potential_lt), swallowing then - kreset.
So each loop iteration strictly decreases the measure by ≥ 1, and the
measure starts strictly below lllFuel s, so the loop hits the
k = n base case before fuel exhausts.
Fuel sufficiency for lllLoop. For a valid state s with an
independent basis, started at row k = 1, the bound
lllFuel s = (s.potential + 1) * (n + 1) is enough fuel to reach the
k = n base case. Equivalently, lllLoop is fuel-stable above this
threshold: running with any fuel' ≥ lllFuel s returns the same matrix.
This discharges the SPEC §8 "unreachable-by-pipeline-invariant"
classification for the fuel = 0 fallback in lllLoop (introduced by
the Route A totality refactor #6564).
Size-reduce coefficient-row preservation #
Size reduction at row k rewrites only that row's coefficients; rows at
indices i ≠ k are preserved by every iteration of the inner foldl. This
packages the preservation as a single statement so the loop-invariant proof
below can quote it without re-running the inductive coeffs_sizeReduce_other_row
chain.
Size reduction preserves prefixLLLReduced at the same prefix length: rows
strictly below k are unaffected by the row-k update, so the prefix invariant
on the input transfers to the output.
Loop invariant induction #
The prefixLLLReduced predicate is preserved by every iteration of lllLoop
under the standard validity / independence hypotheses, and at the k = n
base case it coincides with isLLLReduced. This packages those two facts
into a single fuel-bounded induction.
With enough fuel and a starting state carrying prefixLLLReduced s.b k δ,
lllLoop produces a δ-LLL-reduced basis. The fuel hypothesis
s.potential * (n + 1) + (n - k) < fuel matches the measure used by
lllLoop_eq_of_fuel_gt_measure.
lllLoop preserves the independence of the starting basis: every iteration
is either a sizeReduce (preserved by sizeReduce_independent) or an adjacent
swap (preserved by swapStep_independent).
Capstones #
The unconditional LLL guarantees split across two surfaces:
- Native (
Hex.lllNative, classical bound, precondition1/4 < δ). CarriesisLLLReduced … δ (1/2)because the integer size-reduction step inside the loop produces exact|μ| ≤ 1/2. The short-vector denominator isδ − 1/4. - Public (
Hex.lll, precondition121/400 < δ). WrapslllNativeand carriesisLLLReduced … δ (11/20)(the η = 1/2 native bound weakens to η = 11/20 byisLLLReduced.mono_η). The short-vector denominator isδ − 121/400. This is the uniform bound an external reducer can promise.
The native LLL body produces a (δ, 1/2)-LLL-reduced matrix. Combines the
fuel-sufficiency theorem (lllLoop_fuel_sufficient) with the loop invariant
induction (lllLoop_isLLLReduced_of_fuel_gt_measure).
Independence is preserved by Hex.lllNative.
Classical native LLL short-vector bound at η = 1/2. For any independent
integer basis b, the first row of Hex.lllNative b δ ... has squared norm
at most (1 / (δ − 1/4))^(n − 1) times the squared norm of any nonzero
lattice vector.
Property triple for an accepted dispatch result: a B' returned by
LLLProvider.dispatch b δ generates the same lattice as b, is independent,
and is (δ, 11/20)-LLL-reduced. Composes dispatch_some_certCheck with
HexLLLMathlib.certCheck_sound, the single trusted property-level bridge of
hex-lll §"Certified external dispatch".
The public LLL lll produces a (δ, 11/20)-LLL-reduced matrix. On the
native path this is lllNative_isLLLReduced (η = 1/2) lifted to η = 11/20
by isLLLReduced.mono_η. On the certified-dispatch path it follows from
certCheck_sound via dispatch_some_property.
Independence is preserved by Hex.lll.
Public LLL short-vector bound at η = 11/20. For any independent
integer basis b, the first row of Hex.lll b δ ... hind has squared norm at
most (1 / (δ − 121/400))^(n − 1) times the squared norm of any nonzero
lattice vector.