Lattice Basis Reduction Part II: Algorithms

Size: px

Start display at page:

Download "Lattice Basis Reduction Part II: Algorithms"

Darleen Carter
5 years ago
Views:

1 Lattice Basis Reduction Part II: Algorithms Sanzheng Qiao Department of Computing and Software McMaster University, Canada qiao November 8, 2011, revised February 2012 Joint work with W. Zhang and Y. Wei, Fudan University

2 Outline 1 Hermite Reduction 2 LLL Reduction 3 HKZ Reduction 4 Minkowski Reduction 5 A Measurement

3 Outline 1 Hermite Reduction 2 LLL Reduction 3 HKZ Reduction 4 Minkowski Reduction 5 A Measurement

4 Hermite reduction (size reduction) Hermite-reduced A lattice basis {b 1, b 2,..., b n } is called size-reduced if its QR decomposition satisfies r i,i 2 r i,j, for all 1 i < j n,

5 Hermite reduction (size reduction) Hermite-reduced A lattice basis {b 1, b 2,..., b n } is called size-reduced if its QR decomposition satisfies r i,i 2 r i,j, for all 1 i < j n, Procedure Reduce(i, j) [ ri,i r i,j r j,j ri,j r i,i 2 r i,j r i,i r i,i ] [ 1 ri,j r i,i 0 1 ] = [ r i,i r i,j r i,i ri,j r i,i r j,j ]

6 Gauss reduction A unimodular transformation [ ] 1 µ 0 1 or [ 1 0 µ 1 ] Also called Integer Gauss transformation Integer elementary matrix

7 Outline 1 Hermite Reduction 2 LLL Reduction 3 HKZ Reduction 4 Minkowski Reduction 5 A Measurement

8 LLL reduction LLL-reduced A lattice basis {b 1, b 2,..., b n } is called LLL-reduced if it is size-reduced and R in the QR decomposition satisfies r 2 i+1,i+1 + r 2 i,i+1 ω r 2 i,i

9 LLL reduction LLL-reduced A lattice basis {b 1, b 2,..., b n } is called LLL-reduced if it is size-reduced and R in the QR decomposition satisfies r 2 i+1,i+1 + r 2 i,i+1 ω r 2 i,i Procedure SwapRestore(i) Find a Givens plane rotation G: [ ] [ ] [ ri 1,i 1 r G i 1,i 0 1 ˆr = i 1,i 1 ˆr i 1,i 0 r i,i ˆr i,i ]. Unimodular transformation: Permutation

10 LLL algorithm k = 2; while k <= n { if r(k-1,k) / r(k-1,k-1) > 1/2 if r(k,k)ˆ2 + r(k-1,k)ˆ2 < w*r(k-1,k-1)ˆ2 { } else { } }

11 LLL algorithm k = 2; while k <= n { if r(k-1,k) / r(k-1,k-1) > 1/2 Reduce(k-1,k); if r(k,k)ˆ2 + r(k-1,k)ˆ2 < w*r(k-1,k-1)ˆ2 { } else { } }

12 LLL algorithm k = 2; while k <= n { if r(k-1,k) / r(k-1,k-1) > 1/2 Reduce(k-1,k); if r(k,k)ˆ2 + r(k-1,k)ˆ2 < w*r(k-1,k-1)ˆ2 { SwapRestore(k); k = max(k-1, 2); } else { } }

13 LLL algorithm k = 2; while k <= n { if r(k-1,k) / r(k-1,k-1) > 1/2 Reduce(k-1,k); if r(k,k)ˆ2 + r(k-1,k)ˆ2 < w*r(k-1,k-1)ˆ2 { SwapRestore(k); k = max(k-1, 2); } else { for i = k-2 downto 1 if r(i,k) / r(i,i) > 1/2 Reduce(i,k); k = k+1; } }

14 LLL algorithm k = 2; while k <= n { if r(k-1,k) / r(k-1,k-1) > 1/2 Reduce(k-1,k); if r(k,k)ˆ2 + r(k-1,k)ˆ2 < w*r(k-1,k-1)ˆ2 { SwapRestore(k); k = max(k-1, 2); } else { for i = k-2 downto 1 if r(i,k) / r(i,i) > 1/2 Reduce(i,k); k = k+1; } } Redundant size reductions.

15 An improvement: Delayed size reduction k = 2; while k <= n g = round(r(k-1,k) / r(k-1,k-1)); if r(k,k)ˆ2 + (r(k-1,k) - g*r(k-1,k-1))ˆ2 < w*r(k-1,k-1)ˆ2 ReduceSwapRestore(k); k = max(k-1, 2); else k = k + 1; for k = 2 to n for i = k-1 downto 1 if r(i,k) / r(i,i) > 1/2 Reduce(i,k);

16 An improvement: Delayed size reduction k = 2; while k <= n g = round(r(k-1,k) / r(k-1,k-1)); if r(k,k)ˆ2 + (r(k-1,k) - g*r(k-1,k-1))ˆ2 < w*r(k-1,k-1)ˆ2 ReduceSwapRestore(k); k = max(k-1, 2); else k = k + 1; for k = 2 to n for i = k-1 downto 1 if r(i,k) / r(i,i) > 1/2 Reduce(i,k); Produces identical results at 50% cost.

17 Outline 1 Hermite Reduction 2 LLL Reduction 3 HKZ Reduction 4 Minkowski Reduction 5 A Measurement

18 HKZ reduction HKZ-reduced A lattice basis {b 1, b 2,..., b n } is called HKZ-reduced if it is size-reduced and for each trailing (n i + 1) (n i + 1), 1 i < n, submatrix of R in the QR decomposition, its first column is a shortest nonzero vector in the lattice generated by the submatrix.

19 HKZ reduction HKZ-reduced A lattice basis {b 1, b 2,..., b n } is called HKZ-reduced if it is size-reduced and for each trailing (n i + 1) (n i + 1), 1 i < n, submatrix of R in the QR decomposition, its first column is a shortest nonzero vector in the lattice generated by the submatrix. Two problems Shortest vector problem (SVP) Expansion to a basis

20 SVP min z Bz 2 2

21 SVP Sphere decoding Determine a search sphere min z Bz 2 2 Bz 2 2 ρ2

22 SVP Sphere decoding Determine a search sphere min z Bz 2 2 Bz 2 2 ρ2 A simple choice of ρ: the length of the first (or shortest) column of B.

23 Example ρ = 4 Rz = z 1 z 2 z 3

24 Example ρ = 4 Rz = A necessary condition for z 3 : 3z 3 4. Possible values of z 3 : 0, 1, 1 z 1 z 2 z 3

25 Example For each possible values of z 3, say z 3 = 0, Rz = z 1 z 2 z 3 = [ z1 z 2 ] The problem size is reduced.

26 Example For each possible values of z 3, say z 3 = 0, Rz = z 1 z 2 z 3 = [ z1 z 2 ] The problem size is reduced. The necessary condition for z 2 : 4z 2 4 Possible values of z 2 : 0, 1, 1

27 Example The search tree z z z 1 The solution Rz = = 0 0 3

28 Expanding to a basis Problem: Transform the basis matrix A = into a new basis matrix whose first column is the shortest vector Az = 0 0 3

29 Expanding to a basis Problem: Transform the basis matrix A = into a new basis matrix whose first column is the shortest vector Az = That is, find a unimodular matrix Z : Az = AZ e 1 or z = Z e 1, Z 1 z = e 1 Unimodular transformation that introduces zeros into an integer vector.

30 A plane unimodular transformation A unimodular transformation (Luk, Zhang, and Q, 2010). gcd(p, q) = ±d, ap + bq = ±d. Form the unimodular matrix [ a b q/d p/d ] [ p q ] = [ d 0 ]

31 A plane unimodular transformation A unimodular transformation (Luk, Zhang, and Q, 2010). gcd(p, q) = ±d, ap + bq = ±d. Form the unimodular matrix [ a b q/d p/d ] [ p q ] = [ d 0 ] Its inverse [ p/d b q/d a ]

32 Example = =

33 Example = =

34 Improving Kannan s algorithm Kannan, 1987 Expansion method In the kth, k = 1,..., n, recursion, solve a k-dim system (O(k 3 )). Total O(n 4 )

35 Improving Kannan s algorithm Kannan, 1987 Expansion method In the kth, k = 1,..., n, recursion, solve a k-dim system (O(k 3 )). Total O(n 4 ) Determine whether a set of vectors are linearly dependent.

36 Improving Kannan s algorithm Kannan, 1987 Expansion method In the kth, k = 1,..., n, recursion, solve a k-dim system (O(k 3 )). Total O(n 4 ) Determine whether a set of vectors are linearly dependent. Our method Efficient, O(n 2 ) Accurate, unimodular (integer) transformations.

37 Properties Efficient. Exact, integer arithmetic. Include permutation and identity as special cases. Can triangularize an integer matrix. Any unimodular can be decomposed into a product of this plan unimodular and integer Gauss transformations.

38 Application Cryptography Find a large vector v = , gcd(v i ) = 1

39 Application Cryptography Find a large vector v = , gcd(v i ) = 1 Determine a unimodular matrix Z 1 v = v = cond(z) =

40 Application Cryptography Find a large vector v = , gcd(v i ) = 1 Determine a unimodular matrix Z 1 v = v = cond(z) = Choose a diagonal A as a private key B = AZ (ill-conditioned) as public key

41 Outline 1 Hermite Reduction 2 LLL Reduction 3 HKZ Reduction 4 Minkowski Reduction 5 A Measurement

42 Minkowski reduction Minkowski-reduced A lattice basis {b 1, b 2,..., b n } is called Minkowski-reduced if for each b i, i = 1, 2,...,n, its length b i 2 = min( ˆb i 2, ˆb i+1 2,..., ˆb n 2 ) over all sets {ˆb i, ˆb i+1,..., ˆb n } of lattice points such that {b 1, b 2,..., b i 1, ˆb i, ˆb i+1,..., ˆb n } form a basis for the lattice.

43 Existing Minkowski reduction algorithms Lagrange, 1773, dimension two Semaev, 2001, dimension three Nguyen and Stehleé, 2009, dimension four Afflerbach and Grothe, 1985, up to dimension seven Helfrish, 1985, theoretical value, very expensive

44 Existing Minkowski reduction algorithms Lagrange, 1773, dimension two Semaev, 2001, dimension three Nguyen and Stehleé, 2009, dimension four Afflerbach and Grothe, 1985, up to dimension seven Helfrish, 1985, theoretical value, very expensive Zhang, Q, Wei, 2011

45 Problem For p = 1, 2,..., n, find b p : a shortest vector such that {b 1,..., b p } can be extended to a basis for the lattice.

46 Problem For p = 1, 2,..., n, find b p : a shortest vector such that {b 1,..., b p } can be extended to a basis for the lattice. Algorithm: for p = 1...n find a shortest v = Bz such that {b 1,..., b p 1, v} is expandable to a basis; set b p = v and expand {b 1,..., b p } to a basis; end

47 Minkowski reduction algorithm A proposition: Let B = [b 1,..., b n ] be a generator matrix for a lattice L and a lattice vector v = Bz, then {b 1,..., b p 1, v} is expandable to a basis for L if and only if gcd(z p,..., z n ) = ±1.

48 Minkowski reduction algorithm A proposition: Let B = [b 1,..., b n ] be a generator matrix for a lattice L and a lattice vector v = Bz, then {b 1,..., b p 1, v} is expandable to a basis for L if and only if gcd(z p,..., z n ) = ±1. Constrained minimization problem: min z Bz 2 subject to gcd(z p,..., z n ) = ±1

49 Minkowski reduction algorithm A proposition: Let B = [b 1,..., b n ] be a generator matrix for a lattice L and a lattice vector v = Bz, then {b 1,..., b p 1, v} is expandable to a basis for L if and only if gcd(z p,..., z n ) = ±1. Constrained minimization problem: min z Bz 2 subject to gcd(z p,..., z n ) = ±1 Modified sphere decoding: While searching for short lattice vectors, enforce the condition gcd(z p,..., z n ) = ±1.

50 Outline 1 Hermite Reduction 2 LLL Reduction 3 HKZ Reduction 4 Minkowski Reduction 5 A Measurement

51 Measuring orthogonality Lattice reduction is to transform a lattice basis into another that becomes more orthogonal.

52 Measuring orthogonality Lattice reduction is to transform a lattice basis into another that becomes more orthogonal. How do we measure the degree of orthogonality of a basis?

53 Measuring orthogonality Lattice reduction is to transform a lattice basis into another that becomes more orthogonal. How do we measure the degree of orthogonality of a basis? Usual choice: condition number of matrix.

54 Measuring orthogonality Lattice reduction is to transform a lattice basis into another that becomes more orthogonal. How do we measure the degree of orthogonality of a basis? Usual choice: condition number of matrix. [ ] 1 0 Consider the matrix 0 10 k.

55 Measuring orthogonality Lattice reduction is to transform a lattice basis into another that becomes more orthogonal. How do we measure the degree of orthogonality of a basis? Usual choice: condition number of matrix. [ ] 1 0 Consider the matrix 0 10 k. Its condition number is 10 k, but the columns are orthogonal.

56 Measuring orthogonality Lattice reduction is to transform a lattice basis into another that becomes more orthogonal. How do we measure the degree of orthogonality of a basis? Usual choice: condition number of matrix. [ ] 1 0 Consider the matrix 0 10 k. Its condition number is 10 k, but the columns are orthogonal. Condition # ignores intermediate singular values of n n matrix.

57 An interpretation r 1,1 r 1,2 r 1,3 r 1,4 0 r 2,2 r 2,3 r 2,4 0 0 r 3,3 r 3, r 4,4 sin θ i = r i,i r :,i 2

58 Measurement In particular, the geometric mean σ: σ n = n sin θ i = i=1 Hadamard s inequality n i=1 det(b) r i,i r :,i 2 = n b i 2 i=1 d(l) n i=1 b i 2 The equality holds if and only if b i are orthogonal. Also called Hadamard ratio or orthogonality defect.

59 Measurement Note that 0 σ 1, σ = 1 for any diagonal matrix, and σ = 0 for any singular matrix.

60 Measurement Note that 0 σ 1, σ = 1 for any diagonal matrix, and σ = 0 for any singular matrix. Since V n = n i=1 r i,i = d(l) is a constant for a given L, we can improve σ by reducing b i 2.

61 Measurement Note that 0 σ 1, σ = 1 for any diagonal matrix, and σ = 0 for any singular matrix. Since V n = n i=1 r i,i = d(l) is a constant for a given L, we can improve σ by reducing b i 2. Possible measurements other than the geometric mean?

62 Thank you!

63 Thank you! Questions?

Lattice Basis Reduction Part 1: Concepts

Lattice Basis Reduction Part 1: Concepts Sanzheng Qiao Department of Computing and Software McMaster University, Canada qiao@mcmaster.ca www.cas.mcmaster.ca/ qiao October 25, 2011, revised February 2012