Short multipliers for the extended gcd problem

Transcription

1 Short multipliers for the extended gcd problem Keith Matthews Abstract For given non zero integers s 1,, s m, the problem of finding integers a 1,, a m satisfying s = gcd (s 1,, s m ) = a 1 s a m s m, with a a m minimal, is thought to be computationally hard In this paper, we present an algorithm which takes as its starting point the recent LLL based algorithm of Havas, Majewski and Matthews and which often finds a shorter vector (a 1,, a m ) 1 Introduction Let s 1,, s m be integers and s = gcd (s 1,, s m ) In a recent paper [Havas, Majewski, Matthews 1998], the author and his collaborators used variants of the LLL algorithm to find multiplier vectors (a 1,, a m ) of small Euclidean length X = (a a m) 1/ such that s = a 1 s a m s m In each case a unimodular m m matrix P is produced such that P [s 1,, s m ] t = [0,, 0, s] t Rows p 1,, p of P constitute a basis of short vectors for the (m 1) dimensional lattice Λ formed by the vectors X = (a 1,, a m ) with a 1,, a m Z, satisfying a 1 s a m s m = 0 In particular, every such X can be expressed uniquely as an integer linear combination X = z 1 p z p In addition, p m, the last row of P, is a short multiplier vector and the general multiplier vector p is given by p = p m + x 1 p x p, where x 1,, x Z The matrix P has further properties: If the Gram Schmidt basis corresponding to rows p 1,, p m is denoted by p 1,, p m, where p 1 = p 1, k 1 p k = p k µ kj p j, µ kj = p k p j p j, (1) p j j=1 1

2 then (a) µ kj 1/ for 1 j < k m, (b) p k p k (α µ k k 1)p k 1 p k 1 for k m 1 () (Here 1/ < α 1) In what follows we assume α = 1, so that () becomes From the equations a multiplier vector p may be written as where p k p k (1 µ k k 1)p k 1 p k 1 () k 1 p 1 = p 1, p k = p k + µ kj p j, () p = p m + k=1 y k = x k + j=1 x k p k = p m + i=k+1 The orthogonality of p 1,, p m then implies where p = p m + k=1 k=1 y k p k, (5) µ ik x i + µ mk (6) x k p k = p m + Q(x 1,, x ) = B (x + µ m, ) and B k = p k for k = 1,, m k=1 y k p k = B m + Q(x 1,, x ), (7) + B m (x m + µ,m x + µ m,m ) + B 1 (x 1 + µ,1 x + + µ,1 x + µ m,1 ) (8)

3 The equation P [s 1,, s m ] t = [0,, 0, s] t and the fact that [s 1,, s m ] is orthogonal to each of p 1,, p together imply Hence p m = s (s s s 1,, s m ) (9) m B m = p m = (10) s s m From equations () and the fact that the determinant of the orthogonal matrix whose rows are p 1,, p m, is equal to det P = ±1, we also have Consequently B 1 B m = det(p i p j) = (det P ) = 1 s = (det Λ) = B 1 B = (s s m)/s (11) Also () becomes for k m 1 B k (1 µ k k 1)B k 1, (1) The motivation for the algorithm Before we give our algorithm for generating possibly shorter multipliers than p m, we give some background The minimum value 0 of the quadratic expression in equation (8) occurs at the point (ρ 1,, ρ ) Q, where ρ = µ m, ρ k = ( i=k+1 µ ik ρ i + µ mk ), 1 k < m 1 (1) It is then an easy exercise in determinants to show that for 1 k m 1 ρ k = k /, (1) where k is the (m 1) (m 1) determinant formed from the Gram determinant = det(p i p j ), by replacing the k th column by (p m p 1 ),, (p m p )

4 Consequently k is an integer We remark that in practice all ρ k tend to be small We have also observed that each shortest multiplier is always associated via (5) with a point (x 1,, x ) Z in the vicinity of (ρ 1,, ρ ) Let D be the set of points (z 1,, z ) Q satisfying z k + i=k+1 µ ik z i + µ mk < 1, k = m 1,, 1 (15) Then (ρ 1,, ρ ) D Also (0,, 0) D Definition We say Property G holds if for each shortest multiplier p, the x 1,, x of equation (5) satisfy (x 1,, x ) D Remarks 1 In view of (15), if the integer vector (x 1,, x ) D, there are at most two possibilities for each x k So if property G holds for a given m tuple (s 1,, s m ), then the number N of shortest multipliers is at most Given that a shortest multiplier p satisfies p p m, (7) and (8) show that property G holds if B k > p m for 1 k m 1 This is the case in Example 1 below, but does not always hold, as Example shows The examples where s i = for 1 i m 1, s m = m if m is odd, but s m = m 1 if m is even, produce values ( ) ( and ) m, respectively for N We prove below that property G holds when m = The least value of m for which it fails to hold appears to be 11, as in Example 5 Failures occur extremely rarely 5 We remark that in contrast to our situation, [Rosser 19] gave an example of the quadratic expression ( 7x 1y) + ( 7x y), which assumes its minimum value for integers x and y at the point ( 11, 0), whereas the minimum value 0 for real numbers x, y occurs at ( /, 80/) The algorithm We construct a sequence of multiplier vectors X K, K = m 1,, 1, which correspond to points (x 1,, x ) in D, close to (ρ 1,, ρ ), as follows Define x = 0,, x K+1 = 0 Then define x K,, x 1 Z recursively by:

5 (i) 0 if µ mk = 0 x K = 1 if µ mk < 0 1 if µ mk > 0; (ii) for 1 k < K, x k = σ k, where σ k = i=k+1 µ ik x i + µ mk (16) and θ is the nearest integer symbol, with θ = θ 1, if θ is a non negative half integer, but θ + 1 if θ is a negative half integer We also let X 0 = p m Remark For m =, a perusal of the list of shortest multipliers in the Appendix reveals that our algorithm will produce all the shortest multipliers For m = the algorithm appears to deliver at least one shortest multiplier For 5 m 10, whenever the algorithm fails to deliver a shortest multiplier, the excess length squared is always observed to be 1, as in Example In example 5, the excess is The case m = Lemma Let (x 1,, x ) Z correspond to a shortest multiplier p via equation (7) Then x + µ m ( ( ) 1 m ) Proof The inequality p p m implies Q(x 1,, x ) Q(0,, 0) Then equation (8) gives (x + µ m ) B µ mb + + µ m1b 1 (x + µ m ) µ m + µ B m mm + + µ m1 B ( B1 B ) m 5

6 Now () gives B k (1 µ kk 1 )B k 1 B k 1 Hence (x + µ m ) µ m + µ mm ( + + µ m1 ) ) m ( + + = 1 ( ( ) ) 1 1 = ( ) m ( ) m Corollary Property G holds if m = Proof Assume m = and that (x 1, x ) Z defines a minimum point for Q(x 1, x ) = (x + µ ) B + (x 1 + µ 1 x + µ 1 ) B 1 Then from the Lemma, we have x + µ 7/1 (17) Also the inequalities x (x + µ ) 0 and Q(x 1, x ) Q(0, 0) give x 1 + σ 1 = x 1 + µ 1 x + µ 1 µ 1 (18) Remark From the Corollary, it follows that N if m = In fact N if m = For if N =, we see from (17) and (18) that µ = ɛ 1 = ±1, µ 1 = ɛ = ±1, µ 1 = 0 Then ɛ 1 p 1 1 = (det P ) = det (p i p j ) = p p ɛ p ɛ 1 p 1 ɛ p p which gives = p 1 p ( p p 1 p p ) This leads to a contradiction, as the p i p j are integers The example (s 1, s, s ) = (1,, 9) shows that the bound N = is attained Here the quadratic expression in (8) is Q(x 1, x ) = 591(x ) + 6(x 1 7 x ) The unimodular matrix P = (ρ 1, ρ ) = ( 185, Also X, X 1, X 0 are given by 591 ) , 6

7 K (x 1, x ) X K X K (0, 1) (,, 6) 61 1 ( 1, 0) (,, 6) 61 0 (0, 0) (6, 0, 5) 61 and are the shortest multiplier vectors 5 Numerical results Example 1 Take s 1, s, s to be, 6, 9 The unimodular matrix P = The quadratic expression in (8) and the ρ k of (1) are given by ( ) Q(x 1, x ) = 1 x 6 (, x1 6 x 1 1) 6 (ρ 1, ρ ) = ( 90, 6 1 1) Also X, X 1, X 0 are given by 5 K (x 1, x ) X K X K (1, 1) (1, 1, 1) 1 (1, 0) (1,, 1) 6 0 (0, 0) (, 0, 1) 5 The shortest multiplier is X = p + p 1 + p Example Take s 1,, s 5 to be 10, 51, 10, 177, 07 The unimodular matrix P = 6 The quadratic expression in (8) is Q(x 1,, x ) = (ρ 1, ρ, ρ, ρ ) = x 6885 «+ 770 x x x x , , , x « x 1 10 x + 1 «10 ««+ 10 x 1 Also X,, X 0 are given by 7

8 K (x 1, x, x, x ) X K X K (0, 1, 0, 1) (1, 1,,, 0) 15 (0, 0, 1, 0) (0,, 1, 0, 1) 18 (0, 1, 0, 0) (, 0, 1,, ) 18 1 ( 1, 0, 0, 0) ( 1, 1,,, 0) 0 (0, 0, 0, 0) (, 0,, 1, 0) 1 The shortest multiplier is p = p 5 + p = [0, 1,,, ], with p = 1 Property G holds here Example (Example 7 of [Havas, Majewski, Matthews 1998]) Take s 1,, s 10 to be 7686, , 1119, , , 07775, 1179, 1675, , The unimodular matrix P = Then X 9,, X 0 are given by K (x 1,, x 9 ) X K X K 9 ( 1, 1, 1, 0, 1, 1, 0, 0, 1) (, 1, 1,, 1,,,,, ) 6 8 (0, 1, 0, 0, 1, 1, 0, 1, 0) (, 0,,,, 1, 1, 1, 1, 5) 6 7 (0, 0, 0, 0, 1, 1, 1, 0, 0) ( 1,, 1, 0, 0,,,,, ) 1 6 (0, 1, 0, 0, 1, 1, 0, 0, 0) ( 1,, 1, 0, 5, 0, 1, 0,, 1) 7 5 (0, 1, 1, 1, 1, 0, 0, 0, 0) (,, 1, 1,, 1, 5, 1,, 0) 55 (0, 1, 0, 1, 0, 0, 0, 0, 0) ( 1,, 1,,, 1, 1, 1,, 0) 50 (0, 0, 1, 0, 0, 0, 0, 0, 0) (, 0, 1,,, 0,, 0, 1, ) 51 (0, 1, 0, 0, 0, 0, 0, 0, 0) ( 1, 1, 1, 5,,, 0, 1,, 1) 59 1 ( 1, 0, 0, 0, 0, 0, 0, 0, 0) (1, 0,,, 1,,, 1, 1, 0) 5 0 (0, 0, 0, 0, 0, 0, 0, 0, 0) ( 1, 0, 1,, 1,,,,, ) Truncated to decimals, ρ = ( 01, 080, 0, 00, 076, 07, 05, 05, 00) X 9 is the shortest multiplier vector Property G holds here Example Take s 1,, s 0 to be 55, , 56, , 6565, , , , , , 65656, , , 555, , 56668, , , , , , , , , , , , , 8 7 5

9 , , , , , , , , 678, , , Here LLL delivers a p 0 with p 0 = 0 and our algorithm gives a multiplier X 7 with X 7 = 18 There are shortest multipliers, lengthsquared 1: p 0 p p p 5 p 6 + p 8 p 1 + p 15 + p 16 p 17 + p 18 p 1 + p + p = ( 1, 1, 0, 1, 0, 0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 1, 1, 1, 1, 1, 0, 1), p 0 p 1 p + p + p 5 + p 6 + p 8 p 9 + p 11 + p 1 + p 1 + p 16 p 17 + p 18 p 0 + p 1 + p + p 7 p 8 = (0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 0, 1, 0, 1, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 1, 1, 1, 1, 0, 1, 0, 0, 1) Truncated to decimals, ρ = ( 01, 16, 007, 191, 07, 01, 06, 061, 09, 06, 0, 00, 185, 066, 009,\ 11, 167, 075, 06, 06, 019, 068, 019, 00, 015, 09, 0, 0, 000, 000, 000, 000,\ 000, 000, 000, 000, 000, 000, 000) Property G holds here Example 5 Take s 1,, s 11 to be , , , 07189, , , , , , , 1819 The shortest X K is X[7] = p 11 + p p 7 = (,,,,, 0,, 0,, 1, 1) with X 7 = 81 The shortest multiplier is p = p 11 + p p p 5 p 10 = (, 1, 1,,, 0,, 6, 1,, 0), with p = 79 Property G does not hold, as x 10 = 1 and σ 10 = / Example 6 The following random examples illustrate the improved multipliers X K that are produced by the algorithm in section The shortest multiplier vectors are unknown here 6 Appendix m p m X K X 96 = X 17 = X 80 = X 96 = 9 In this section we present a complete classification of the possible shortest multipliers when m =, based on inequalities (17) and (18): x + µ 7 1 and x 1 + µ 1 x + µ 1 µ 1 9

10 1 µ = 0, µ 1 < 1/: p µ = 0, µ 1 = 1/: p and p p 1 µ = 0, µ 1 = 1/: p and p + p 1 0 < µ 1/, 0 µ 1 < 1/: (i) µ 1 0: p or p p (ii) µ 1 < 0: p or p p 1 p 5 0 < µ 1/, µ 1 = 1/: (Here p = p p 1 ) (i) µ 1 > 0: p and p p 1, or p p (ii) µ 1 < 0: p and p p 1, or p p 1 p (iii) µ 1 = 0: p and p p 1 Note: µ < 1/ here For if µ = 1/, we have shortest multipliers: 6 0 < µ 1/, 1/ < µ 1 0: (i) µ 1 > 0: p or p + p 1 p (ii) µ 1 0: p or p p p, p p 1, p p, p p 1 p 7 0 < µ 1/, µ 1 = 1/: (Here p = p + p 1 ) (i) µ 1 > 0: p and p + p 1, or p + p 1 p (ii) µ 1 < 0: p and p + p 1, or p p (iii) µ 1 = 0: p and p + p 1 (µ < 1/) 8 1/ µ < 0, 1/ < µ 1 0: (i) µ 1 0: p or p + p (ii) µ 1 < 0: p or p + p 1 + p 9 1/ µ < 0, µ 1 = 1/: (Here p = p + p 1 ) (i) µ 1 > 0: p and p + p 1, or p + p 10

11 (ii) µ 1 < 0: p and p + p 1, or p + p 1 + p (iii) µ 1 = 0: p and p + p 1 ( 1/ < µ ) 10 1/ µ < 0, 0 µ 1 < 1/: (i) µ 1 0: p or p + p (ii) µ 1 > 0: p or p p 1 + p 11 1/ µ < 0, µ 1 = 1/: (Here p = p p 1 ) (i) µ 1 > 0: p and p p 1, or p p 1 + p (ii) µ 1 < 0: p and p p 1, or p + p (iii) µ 1 = 0: p and p p 1 ( 1/ < µ ) References [Havas, Majewski, Matthews 1998] G Havas, BS Majewski, KR Mat thews, Extended gcd and Hermite normal form algorithms via lattice reduction, Experimental Mathematics 7 No (1998) [Rosser 19] JB Rosser, A generalization of the Euclidean algorithm to several dimensions, Duke Math 9 (19) K R Matthews, 11