finding reduced basis for lattices
Finding Reduced Basis for Lattices
Ido Heskia
Math/Csc 870
Due to:
A.K. Lenstra
H.W. Lenstra
L. Lovasz
LLL Algorithm
Introduction
A Lattice
$L = \sum_{i=1}^{n} \mathbb{Z} b_i = \left\{ \sum_{i=1}^{n} r_i b_i \;\middle|\; r_i \in \mathbb{Z} \right\}$
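Let n be a positive integer. A subset L of the n-dimensional real vector space $\mathbb{R}^n$ is called a lattice if there exists a basis $b_1, b_2, \dots, b_n$ of $\mathbb{R}^n$ such that
$L = \sum_{i=1}^{n} \mathbb{Z} b_i = \left\{ \sum_{i=1}^{n} r_i b_i \;\middle|\; r_i \in \mathbb{Z} \right\}$
The $b_i$'s span L. n is the rank of L. We will consider only $b_i \in \mathbb{Z}^n$.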
Constructing lattices:
Determinant of L: $d(L) = |\det(b_1, \dots, b_n)|$
The $b_i$'s are written as column vectors. Apparently, this positive real number doesn't depend on the choice of the basis.
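Let $b_1, \dots, b_n \in \mathbb{R}^n$ be linearly independent. Suppose it is a basis for $L \subset \mathbb{R}^n$.
We perform the Gram-Schmidt process:
[Figure: Gram-Schmidt step for $b_1$, $b_2$, showing $b_1^* = b_1$, the projection $\mathrm{proj}_L b_2$, and $b_2^* = b_2 - \mathrm{proj}_L b_2$.]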
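Similarly, define:
$b_1^* = b_1$
$b_2^* = b_2 - \mu_{21} b_1^*$
$b_3^* = b_3 - \mu_{31} b_1^* - \mu_{32} b_2^*$
$\mu_{ij} = \dfrac{(b_i, b_j^*)}{(b_j^*, b_j^*)}$
$b_i^* = b_i - \sum_{j=1}^{i-1} \mu_{ij} b_j^*$
$b_1^*, \dots, b_n^*$ forms an orthogonal basis of L.
Dividing by $|b_j^*|^2$ shortens our vectors.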
A basis $b_1, \dots, b_n$ of a lattice is called reduced if:
1) $|\mu_{ij}| \le \frac{1}{2}$ for $1 \le j < i \le n$
2) $|b_i^* + \mu_{i,i-1} b_{i-1}^*|^2 \ge \frac{3}{4} |b_{i-1}^*|^2$, $1 < i \le n$
* ¾ can be replaced by any ¼<y<1
* | | is Euclidean length.
Applications
Factoring polynomials with rational coefficients
$\mathbb{Q}[x] = \left\{ \sum_{i=0}^{n} a_i x^i \;\middle|\; a_i \in \mathbb{Q},\ n \ge 0 \right\}$
For example:
Lives in
5 2
42 73 2
x xf x x x
x
An irreducible polynomial over a field is non-constant and cannot be represented as the product of at least 2 non-constant polynomials.
Reducible (over ): $x^2 - 1 = (x - 1)(x + 1)$
Irreducible: $x^2 + 1$
How to find, for a given non-zero polynomial in $\mathbb{Q}[x]$, its decomposition into irreducibles?
Factor primitive polynomials $f \in \mathbb{Z}[x]$ (gcd of all coefficients of f is 1) into irreducible factors in $\mathbb{Z}[x]$.
Use LLL
Simultaneous Diophantine approximations
Given , and
Find such that:
Or
n 1, n 0 1
1, , ,np p q
,1 ni ip q q
1
1ii n
p
q q
Cryptography
For given positive $m_1, \dots, m_n, s$:
Do there exist $z_1, \dots, z_n \in \{0, 1\}$ such that:
$s = z_1 m_1 + \dots + z_n m_n$
(is s a subset sum of the $m_i$'s)?
Sums of squares
Every prime that is 1 mod 4 can be written as a sum of two squares.
Those squares are found using LLL.
abc Conjecture
For $a, b, c$ define the radical
$\mathrm{rad}(a, b, c) = \prod_{p \text{ prime},\ p \mid abc} p$
(That's the product of distinct prime factors of a,b,c). Suppose gcd(a,b,c)=1.
$q(a, b, c) = \dfrac{\log c}{\log \mathrm{rad}(a, b, c)}$
abc conjecture: For every x>1 there exist only finitely many a,b,c with gcd(a,b,c) = 1 and a + b = c such that
$q(a, b, c) > x$
The search for examples uses LLL
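Reduced basis, what is it good for?
Proposition:
$b_1, \dots, b_n$ is a reduced basis for a lattice L in $\mathbb{R}^n$, with $b_1^*, \dots, b_n^*$ defined as before. Then:
1. $|b_j|^2 \le 2^{i-1} |b_i^*|^2$, $1 \le j \le i \le n$
2. $d(L) \le \prod_{i=1}^{n} |b_i| \le 2^{n(n-1)/4} d(L)$
3. $|b_1| \le 2^{(n-1)/4} d(L)^{1/n}$
4. $|b_1|^2 \le 2^{n-1} |x|^2$ for all $x \in L$, $x \ne 0$
(i.e. the 1st vector is “reasonably” short).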
Algorithm.doc
Example.doc
Algorithm terminates:
$d_i = \det\big((b_j, b_l)\big)_{1 \le j, l \le i}$
$d_i = \prod_{j=1}^{i} |b_j^*|^2$, $0 \le i \le n$,
so each $d_i$ is a positive real number.
$d_0 = 1$, $d_n = d(L)^2$
$D = \prod_{i=1}^{n-1} d_i$
D changes only if some $b_i^*$ is changed, which only occurs at case 1 of the algorithm. The number $d_{k-1}$ is reduced by a factor of ¾ since $|b_{k-1}^*|^2$ is, while the other $d_i$'s are unchanged. Hence D is reduced by a factor of ¾.
The $d_i$'s are bounded from below, which bounds D from below.
$m(L) = \min\{ |x|^2 : x \in L,\ x \ne 0 \}$
iid m L
So there’s an upper bound for # of times we pass through case 1.
At the end of case 1, k = k-1.
At the end of case 2, k = k+1.
Start with k = 2, and $k \le n + 1$.
So the # of times we pass through case 2 is at most n-1 more than the # of times we pass through case 1.
Hence the algorithm terminates.
Complexity:
Initialization step with rationals: $O(n^3)$
# of times pass through case 1: $O(n^2 \log B)$
# of times pass through case 2: $O(n^2 \log B)$
where $B \in \mathbb{R}$, $B \ge 2$, $|b_i|^2 \le B$
Case 1 requires $O(n)$ operations
Case 2: we have $O(n)$ values of p
Each requires $O(n)$ operations
Hence we get a total of $O(n^4 \log B)$ operations.
Polynomial time.
References:
Factoring Polynomials with Rational Coefficients -- A.K. Lenstra, H.W. Lenstra, Jr. and L. Lovasz
A Course in Convexity -- Alexander Barvinok
Lattice Basis Reduction Algorithms and Applications -- Matthew C. Cary
Some Applications of LLL -- http://www.math.ru.nl/~bosma/onderwijs/voorjaar07/compalg8.pdf
Linear Algebra with Applications -- Otto Bretscher
Lattices -- www.cs.tau.ac.il/~safra/ACT2/Lattices.ppt