BALANCED INTEGER SOLUTIONS OF LINEAR EQUATIONS

Transcription

1 BALANCED INTEGER SOLUTIONS OF LINEAR EQUATIONS KONSTANTINOS A. DRAZIOTIS Abstract. We use lattice based methods in order to get an integer solution of the linear equation a x + +a nx n = a 0, which satisfies the bound constraints x X. Further we study the corresponding homogeneous linear equation under constraints and finally we apply our method to Knapsack problem.. Introduction-Statement of results Let a Z {0}, (0 n). We consider the linear equation n (.) f(x,..., x n ) = a x = a 0. We are interested in the integer solutions of (.) under the constraints x X, for some X Z >0. This is an NP-complete problem, but without the bound constraints is solved in polynomial time. This problem has some important applications in discrete optimization, in designing integrated circuits [] and is also applied in Merkle-Hellman and the Chor-Rivest knapsack cryptography systems [, 3]. Further we shall apply our method to the knapsack problem of density and dimension 40. In [] the authors found a method for the solutions of equation (.) under the bound constraints 0 < x < X. Their method contain two parts, one deterministic (application of LLL) having polynomial time complexity and the other heuristic. Further, in [6] the method of Rosser, starts with the matrix M = (I n, a T ), a = (a,..., a n ) and a new matrix M is obtained (using linear integer transformations) with M = (U, d T ), d = (0, 0,..., gcd(a,..., a n )) and U SL n (Z). Then the general solution can be expressed in terms of the row vectors of M. Many recent methods are based on the original idea of Rosser. Also there is another approach to this problem which is based to the Closest Vector Problem (CVP). Let y = (y, y,..., y n ) (the target vector) be a solution of (.), not necessarily small (for instance one can use Euclidean algorithm). Let L be the lattice generated by the solutions of the homogeneous equation n = a x = 0. We solve the CVP instance CV P (L, y) and we get the solution, say t = (t, t,.., t n ) (cvp vector). Then x = {target vector} {cvp vector} = y t is an integer solution of (.) and has small absolute value x. For this approach for instance see [4]. Implementations of CVP can be found in fplll [5] and in Magma [3]. Here we use fplll. We shall provide some examples which compare the CVP approach with our algorithm and we shall conclude (based on experiments) that the better strategy is to combine the two methods (for n 60). For large values of n, say n 80, the 000 Mathematics Subect Classification. Primary D04; Secondary Y50. Key words and phrases. Linear Diophantine Equation, Lattice, LLL, CVP. =

2 KONSTANTINOS A. DRAZIOTIS CVP-solver of fplll (and Magma) is (relatively) slow. So in this case our strategy is to apply our algorithm which is fast for large values of n. For instance, we made some tests for n = 00 and our algorithm terminated (with a small solution) in less than 5 seconds in all the examples while fplll needed at least three hours of running time in a 3Ghz Dual Core Pc (without getting any solution). Further, the algorithm given in [] is also fast for large values of n (since it uses LLL) but in general it gives longest vectors than ours (see example (ii) in section 6). Before we state our basic result we must set up some notation. Let {e,..., e n+ } be the standard basis of R n+, that is e = (..., δ i,...), where δ i is the delta of Kronecker and is located in the th entry of the vector e. We define the vectors b = X e + a e n+ ( n). Let L be the lattice of R n+ spanned by the vectors {b,..., b n }. In matrix form L is spanned by the rows of the n (n + ) matrix B = [b,.., b n ] = X 0 a 0 X a Xn (For reasons that later will become clear, we added the column with zeros). Let {b,..., b n} be its LLL-reduced basis. We set b = (b,..., b,n+ ). We consider the Gram-Schmidt orthogonalization process (.) b = b, b i where i = b i = 0 an µ i b, µ i = b i b B, B = b. Also if is the floor function, we define x = x with x R. That is the closest integer to x. We shall prove the following Theorem. Theorem.. Let gcd(a,..., a n ) =. If the following two assumptions hold A. (a n X n ) + (a X ) < n+ (X nx ), =,,..., n, X Z >0, a0 A. = a 0, B n then there is an integer solution (x,..., x n ) of equation (.), such that (.3) x < c(n). n X i, =,,..., n, c(n) = 3(.5) (n )/. i= Further, we obtain this solution in polynomial time. Assumption A guarantees that LLL reduction will generate (some) solutions of the homogeneous linear equation (thus balanced multipliers for the gcd(a,..., a n )).

3 BALANCED INTEGER SOLUTIONS OF LINEAR EQUATIONS 3 Further, this assumption is crucial for the computation of integer solutions of equation (.). Assumption A can be rewritten thus, a 0 a 0 Bn + < a 0 +, (.4) Bn ( a0 ) a0 < B ( n a0 + ). This assumption guarantees that our procedure will end up with a solution to equation (.). The type of lattice we used here it looks like the one used by Coppersmith in [4], which are used in order to attack the RSA cryptosystem. Although the bound is seemingly theoretical, in practice we get the desire solution ( if there is any) x X, without the strong assumption A. As far as I know, the methods given in the bibliography for the solution of the problem (.) under x X provide us with a small solution but there is not any theoretical result that guarantees that the method will work. Our method provides a theoretical result, in the sense that if assumptions A, A are fulfilled, then the method shall work and also experiments show that the method will end up with solutions satisfying x < X, instead of inequality (.3). If x N and a 0 = 0 (i.e. the homogeneous version of our problem) then the problem of deciding if there is any integer solution is NP-complete []. We study a variant of this problem [see Lemma 4. and Proposition 4. ]. In fact we prove that if there is a Shortest Vector Problem (SVP) oracle then we can find an integer solution of n = a x = 0, with x < max i n { a i } ( n). Finally, If a > 0 and we restrict the solutions x {0, }, then we have the 0 Knapsack or subset sum problem. The decisional version is NP-complete [7]. This has many applications in public key cryptography. We shall apply our method in this problem We give a brief outline of the paper. In the next section we give some preliminaries propositions about LLL and in section 3 some basic auxiliary results which we shall use for the proof of our Theorem in section 5. In section 4 we study the homogeneous linear equation and in section 6 we provide some examples. In the last section we use our approach to knapsack problem and give some examples.. Preliminaries on LLL Our method uses LLL reduction algorithm, but with a different lattice than the one used in []. Lattices have many applications in cryptanalysis, for example [4, 0]. Here we shall not provide analytically the theory of lattices and LLL algorithm. For instance, the reader can study [8, 8]. Definition. A subset L R n is called a lattice if there exists linearly independent vectors b, b,..., b k of R n such that { k } L = α b : α Z, k := L(b, b,..., b k ). = The vectors b, b,..., b k are called a lattice basis of L. All the bases have the same number of elements, this common number is called dimension or rank of the lattice.

4 4 KONSTANTINOS A. DRAZIOTIS Lemma.. Let b, b,..., b k be an LLL reduced basis of the lattice L R n and x, x,..., x t linearly independent vectors in L. Then for all t we have Proof. [8, Theorem 7.0]. b n max{ x,..., x t }. 3. auxiliary results Let L be the lattice of R n+ spanned by the vectors {b,..., b n } and let {b,..., b n} be its LLL-reduced basis. We set b = (b,..., b n, b,n+, b,n+). Further, from Gramm-Schimdt orthogonalization process we get the vectors, where ˆb i = b i X Lemma 3.. b i = (ˆb i,..., ˆb in, ˆb i,n+, ˆb i,n+), ( i n), and  = [ˆb i ] i, n. We shall prove the following Lemma. n X = det Â. = Proof. Let B, B be the matrices [b,..., b n ] T, [b,..., b n] T, respectively (we work row-wise). Then there is a matrix U = [λ i ] i, n SL n (Z) such that B = UB. Indeed, we consider the n n matrix U = diag ( ) X,..., X n. We apply LLL to the rows of B, thus we get B. The linear changes and swaps of rows made by LLL in B also applied to U, since B = [U, a T ] where, a = (a,..., a n ). Then we get a new n n matrix U which is equals to [ λ i X ] i,, n. So det U = det U = n = X. Also, det U = n = X det U, thus det U =. Now we shall prove that (3.) det[b i] = det[λ i ] =. Indeed, from B = UB we get n b i = λ i b = ( b i,..., b in,, ), = where λ i, b i are related by λ i = X b i. From relations (.) we get thus, multiplying by X we get ˆb = b, ˆb = b µ b,...( n) b = λ, b = λ µ λ,...( n), so (3.) is proved. We conclude that det  = n = X det[b i] = n = X.

5 BALANCED INTEGER SOLUTIONS OF LINEAR EQUATIONS 5 Also we get the following Proposition. Proposition 3.. Assume that (3.) (a n X n ) + (a X ) < n+ (X nx ), for all such that n. Then Further, b,n+ = b,n+ = 0 for n. b n,n+ = 0, b n,n+ =. Proof. We set r = a n b a b n. These are independent in L, so from Lemma. we get { a b n+ max { r } n+ max n + a } n n Xn. Since we get (a n X n ) + (a X ) < n+ (X nx ) n+( a n X X + a ) Xn < ( n ). 0 for r {n+, n+} and n. Thus b <. Now we assume that b,r Since b,n, b,n+ Z we get b, contradicting to the previous inequality. The first part of the Proposition follows. Since LLL algorithm makes only linear transformation of the form b b i or b b rb i, r Z, > i and the (n + )th column consists only from zeros, we get b n,n+ = 0. Further, the gcd of the last column remain the same in every step of the LLL process. Since we assumed that gcd(a,..., a n ) = we get = gcd(a,..., a n ) = gcd(b,n+, b,n+,..., b n,n+) = gcd(0, 0,..., 0, b n,n+) = b n,n+. Remark 3.3. From assumption (3.) we get a n < X, ( n ) and a (n+)/ < X n. (n+)/ We shall show that, under the assumption (3.), we have ˆb i,n+ = ˆb i,n+ = 0 for i n and ˆb n,n+ = 0, ˆb n,n+ = ±. Indeed, it is easy for b since it is equal to b = (..., 0, 0). Also for b = b µ b = (,,..., 0, 0) µ (,,..., 0, 0) = (,,..., 0, 0). Inductively we can show that b i = (,,..., 0, 0), for i n. For b n = (,,..., 0, ±) µ n (,,..., 0, 0) µ n,n (,,..., 0, 0) = (,,..., 0, ±). So we proved the following.

6 6 KONSTANTINOS A. DRAZIOTIS Corollary 3.4. Under the assumption (3.) we get b i = (ˆb i,..., ˆb in, 0, 0) ( i n ) and ˆb n,n+ = 0, ˆb n,n+ =. 4. the homogeneous case We get the following Lemma concerning the integer solutions of the corresponding homogeneous linear equation. Lemma 4.. Under the assumption A, we can find an integer solution (x,..., x n ) of the homogeneous linear equation n = a x = 0, with x < X, in polynomial time. Proof. Every vector of the LLL reduced basis of the lattice L is of the form ( λ,..., λ n n, β, λ a βa 0 ), X X n = with λ, β Z (note also that the two last coordinates are integers). From the previous Proposition we get β = 0 and n = λ a = 0 for the first n vectors of the LLL reduced basis. Thus, the n tuples { λi : n } for i =,,..., n, are solutions of the equation a x + + a n x n = 0. Where λ i are as in Lemma 3.. Moreover, since b i < for each i =,,..., n, we conclude that λ i < X for each {,,..., n }. In the previous Lemma we used LLL reduction. It is known that LLL runs in polynomial time and it provides vectors that are exponentially longer than the shortest vectors. Assume now that we have a SVP oracle. That is a probabilistic algorithm which computes with high probability a shortest vector of a lattice in polynomial time. LLL algorithm behave as a SVP oracle for small dimensions ( 40) and further BKZ 0 reduction algorithm for dimensions 50 (see [6], Figure ) (remark that we do not have any proof that BKZ runs in polynomial time, but in practice for dimensions 50 is fast). Assuming the existence of a SVP oracle, let b, a shortest vector of our lattice, which has the form ( λ,..., λ n n, β, λ a βa 0 ), λ Z. X X n = Assume that there is some 0 with a 0 a n and set X = X = = X n = max n a. Since b r, ( n ) we get b r 0 = a n + a 0 X <. Thus necessarily, β = 0, since if not b. So β = 0 and λ n <, λ a = 0. X So we proved the following. =

7 BALANCED INTEGER SOLUTIONS OF LINEAR EQUATIONS 7 Proposition 4.. Assume that there is a SVP oracle and at least one a a n. Then we can compute in polynomial time an integer solution (x,..., x n ) of the homogeneous equation n = a x = 0, with x < max a i. i n 5. proof of the theorem We set b n+ = e n+ a 0 e n+. As usual L = L(b,..., b n ) and L = L (b,..., b n) be the LLL reduced basis of L. We consider the lattice ˆL generated by the set {b,..., b n, b n+ }. We apply size reduction to ˆL that is (5.) row(n + ) row(n + ) µ n+,n row(n). Note that at this stage µ n+, = 0, for n. Also, from Proposition 3. we get µ n+,n = Bn (b n+ b n) = ( (0, 0,...,, a0 Bn ) (,,..., 0, ±) ) = ±a 0 Bn. From assumption A, we get µ n+,n = a 0 if b n,n+ = and µ n+,n = a 0 if b n,n+ =. That is always We continue with b n+,n+ = a 0 µ n+,n b n,n+ = 0. row(n + ) row(n + ) µ n+, row() for =,,..., n. Let b n+ the size reduced (last) row. Then b n+ has the form (ˆx,..., ˆx n,, 0). The new basis {b,..., b n, b n+} has the property µ n+, < / for n. Since µ n+, = b n+ b B, B = b we get (using Corollary (3.4)) the system, (5.) ˆx ˆb + + ˆx nˆb n = ε, n where ˆb i = b i X Since B = b < b, we get and ε = µ n+, B < B. ε < b For the case = n we get < ( n ). (5.3) ε n = µ n+,n B n < B n < =. We used that B n <. Indeed, from the first part of inequality (.4) we get Since a 0 Z {0}, we get B n < a 0 a 0. 0 < a 0 a 0 <,

8 8 KONSTANTINOS A. DRAZIOTIS thus Bn <. Let  be the matrix of the system, that is  = [ˆb i ] i, n. If we substitute the th column of  with the column vector (ε,..., ε n ) T we get the matrix Â. Then det  ˆx = det Â. From Lemma (3.), the system (5.) has determinant det  = n i= X. Thus i (5.4) ˆx = det  n X i. i= We apply Hadamard inequality to det Â. We shall get n (5.5) det  < row[â] i. The ith row of the matrix  is ( b ) row[â] i = i,..., ε i,..., b in, X X n where ε i is in the entry. The square of its length for n is For the case = n we get i= row[â] i < B i + ε i < + ε i < + 4 = 5 4 =.5. row[â] n = Thus, from inequality (5.5) we get So from relation (5.4) we get ( b n X ) + + ( b n,n X n ) + ε n < B n + < 3. det  < 3(.5) (n )/ = c(n). ˆx < c(n) n X i, =,,..., n. i= Since all the previous computations can be done in polynomial time (LLL and size reduction), the Theorem follows. Remark 5.. In the case where a 0 < 0, instead of relation (5.3) we have the better inequality ε n < /, since B n <. Thus c(n) = (.5) n/. 6. examples The first example is given only to explicitly show how we apply our method. (i). Let x x x x 4 + 5x 5 = This is example of [] and they get the solution x = (36, 7, 39, 8, ), with x Assumption A is fulfilled if max 4 a < 8 X 5, a 5 < 8 max 5 X.

9 BALANCED INTEGER SOLUTIONS OF LINEAR EQUATIONS 9 So it is enough to choose X = X = = X 5 = We consider the matrix M = Applying LLL to the rows of M we get M LLL = ˆM LLL = Then applying size reduction to the lattice ˆL generated by the set {b,..., b 5, b 6 }, where b 6 = (0, 0, 0, 0, 0,, a 0 ), we get We take the 6th row and multiply each entry with X, then we shall get the vector x. If we want the coordinates of the solution vector to satisfy x < 30, x < 50 ( 5), then taking X = 30, X = X 3 = X 4 = X 5 = 50 we get the following solution x = (6, 38, 39, 8, ). This solution has absolute value Notice that is larger (with respect to euclidean length) than the previous solution, but it has the advantage that satisfies our constraints. (ii). We consider now n = 50. {a } = [ , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ] a 0 = Using our algorithm with X = 3 ( n) we get (using Sage [7]) x = [, 0,,, 0, 0,,, 0, 0,,,, 0, 0, 0, 0, 0,,,, 0, 0,,, 0, 0,,,,,, 0, 0,, 0,,,,,, 0,, 0,, 0, 0,,, 0]

10 0 KONSTANTINOS A. DRAZIOTIS with euclidean length It took less than 5 seconds in order to find it. This solution satisfies our bound x X = 3. Using the algorithm of [] we get x = [0, 0, 0,,,,, 3, 0,,,,,, 0, 0, 0, 0,,, 0,, 0,,, 0, 0,,, 0,, 0,, 0, 0, 0,, 0,,, 0, 0, 0, 0,, 0, 0,,, 0] which has euclidean length 7.4. Now using CVP method (as implemented in fplll) we manage to get the vector x 3 = [0, 0, 0,, 0,,, 0,, 0,, 0,, 0, 0, 0,,,, 0, 0, 0, 0,, 0, 0, 0,, 0, 0, 0, 0,,,, 0, 0,, 0, 0, 0,,, 0, 0, 0,, 0, 0, ] which has norm 5. It took almost 4 minutes in order to compute it. We worked as follows. Let L be the lattice generated by the homogeneous equation n = a x = 0. Then we choose as target vector, a vector t which is a solution of n = a x = a 0. If c is the output of the CVP instance CV P (L, t), then a small solution is given by x = t c. We noticed that, if the target vector has large length then fplll provide us with a large solution x (but smaller than the length of target vector). That is the CVP solvers are sensitive to the choice of the target vector. In order to get the previous solution x 3 we used as target vector, the vector x from the application of our method. So it seems that a nice strategy in order to get a small solution is to combine the CVP solvers and our algorithm (which shall give us the target vector). In case we have large n, say n 80 then the CVP solver of fplll(and Magma) is slow. Thus, we conclude (at least experimentally) that for large dimensions is better to use our algorithm and for smaller say n < 80 a combination of CVP and our method. 7. An application to Knapsack problem The subset sum or knapsack problem is the following. Given a list of n positive integers {a,..., a n } and an integer s such that max{a i } i s n i= a i find a binary vector x = (x i ) i such that n i= x ia i = s. The decisional version is known to be NP-complete [7]. The variant, multiple knapsack problem is used in many loading and scheduling problems in operational research. We use the following lattice B = [b,.., b n+ ] = N X 0 N a 0 N X N a N Xn 0 Nan 0 N N s for some positive integers N, N. When we apply LLL algorithm to the previous lattice we get vectors of the form ( λ N,..., λ nn ( n, βn, N λ a βs )). X X n =, This is because LLL algorithm uses transformations of the form b b i or b b rb i, r Z, > i. Since we expect small vectors from LLL, we probable get vectors of the form ( λ N,..., λ ) nn, N, 0 X X n For a detailed account how these solvers work see [9].

11 BALANCED INTEGER SOLUTIONS OF LINEAR EQUATIONS with λ {0, } (in fact for small dimensions n 40 is very probable, at least experimentally, to get vectors of the previous form). Then a solution of the knapsack is (λ,..., λ n ). We shall fix N, N and we randomly choose X,..., X n {,,..., k} with k say 0. After making many experiments with dimension n 40 we concluded that whenever the algorithm of Coster et al. [5] is working is faster than ours. But there are cases where the algorithm of [5] is not working as we will see below. For large values of n say n > 40 and density very close to our algorithm is slow. All the examples below have density very close to. Example (n = 0). Let a = [3578, 90066, 4678, 98954, 48396, 86588, 36646, 4304, 396, 99869, 79689, 884, 96676, 447, 04059, 74, 6575, 336, 54857, ] and s = Using the algorithm of Coster et al. with N = 5 we did not manage to get a solution. Our algorithm with N = 90, N = 80 and using random denominators from the set {,, 3, 4, 5}, in the 38th round we got the solution x = (0,,,,,,, 0, 0, 0, 0,,,,, 0,, 0, 0, 0). Example (n = 30). We set a = [ , , , , , , 79987, , , , , , , , , , , , , , , , , , , 59674, , , , ] and s = Again using Coster et al, with N = 0 we did not manage to get any solution. Using our algorithm with N = 50, N = 30 and using random denominators from the set {,, 3}, we got x = (, 0,,, 0,, 0,, 0, 0, 0, 0,,, 0, 0, 0,,,, 0,, 0,,, 0,, 0, 0, 0) in the 439th round. We got this results in some minutes. Example 3 (n = 35). We set [ , , , 48308, , , , , , , , , , , , , , , , , , , , , , , , 64645, , , , , , , ]. and s = Again using Coster et al, with various values of N {5, 0, 5} we did not get any solution. Using our algorithm with N = 5000, N = 0000 and using random denominators from the set {,, 3, 4}, we got x = (,, 0,, 0, 0, 0, 0,, 0,, 0,,,, 0, 0, 0, 0, 0, 0,, 0, 0,, 0, 0,,, 0, 0, 0,, 0, 0) after 63. min.

12 KONSTANTINOS A. DRAZIOTIS References [] Aardal, Karen; Hurkens, Cor.; Lenstra, Aren K.; Solving a linear Diophantine equation with lower and upper bounds on the variables. Integer programming and combinatorial optimization p.9-4, Lecture Notes in Comput. Sci., 4, Springer, Berlin, 998. [] Beihoffer, Dale; Hendry, Jemimah; Nienhuis, Albert; Wagon, Stan; Faster algorithms for Frobenius numbers. Electron. J. Combin. (005), Research Paper 7, 38 pp. [3] Bosma, Wieb, Cannon, John and Playoust, Catherine; The Magma algebra system. I. The user language, J. Symbolic Comput.Vol. 4 (997). [4] Coppersmith, D.: Finding small solutions to small degree polynomials. Lecture Notes in Computer Science 46 (00) p.0-3. [5] Coster J.M., Joux A., LaMacchia B.A., Odlyzko A.M., Schnorr C-P., and Stern J., Improved low-density subset sum algorithms. Computational Complexity, :-8, 99. [6] Gama N. and Nguyen P.Q., Predicting Lattice reduction, Eurocrypt 008, LNCS 4965, p.3-5 (008) [7] Garey, M.R.;Johnson, D.S.; Computers and intractability : A guide to the theory of NPcompleteness. W.H.Freeman and Company, NY (979). [8] Galbraith, S.; Mathematics of Public Key Cryptography, Version., December, 0, sgal08/crypto-book/crypto-book.html. [9] Hanrot G., Puol X. and D.Stehle. Algorithms for the Shortest and Closest Lattice Vector Problems. IWCC. [0] Lagarias, J.C., Odlyzko, A.M.: Solving low-density subset sum problems. J. Assoc.Comput. Mach. 3() (985) 946. [] Lenstra, H.W.; On the Chor-Rivest knapsack cryptosystem; Journal of Cryptology, Volume 3, Number 3 (99), p [] Lueker, G.S; Two NP-complete problems in nonnegative integer programming, report 78 CSL, Princeton University (975). [3] Merkle, R., Hellman, M.; Hiding information and Signatures in trapdoor cryptosystem, IEEE Trans.Inf.Theory IT-4(978), p [4] Nguyen, P.Q., Stern, J., The two faces of Lattices in Cryptography, Cryptography and lattices. st international conference, CaLC 00, Providence, RI, USA, March 9-30, 00. Revised papers. Berlin: Springer. Lect. Notes Comput. Sci. 46, (00). [5] Puol X., Stehle D., fplll mathematic software (version 4.0), [6] Rosser, J. B.; A note on the linear Diophantine Equation, American Maths. Monthly 48(94). [7] Stein, W.A. et al. Sage Mathematics Software (Version 4.5.), The Sage Development Team, 0, [8] Vasilenko, O.N.; Number-Theoretic Algorithms in Cryptography, Translations of Mathematical Monographs (AMS), Volume 3,Translated by Alex Martsinkovsky. address: drazioti@csd.auth.gr Aristotle University of Thessaloniki, Department of Informatics, 544 Thessaloniki, Greece