Short Vectors of Planar Lattices via Continued Fractions. Friedrich Eisenbrand Max-Planck-Institut für Informatik

Size: px

Start display at page:

Download "Short Vectors of Planar Lattices via Continued Fractions. Friedrich Eisenbrand Max-Planck-Institut für Informatik"

Chloe Rice
6 years ago
Views:

1 Short Vectors of Planar Lattices via Continued Fractions Friedrich Eisenbrand Max-Planck-Institut für Informatik

2 Outline Lattices Definition of planar integral lattices Shortest Vectors Applications The Gaussian algorithm

3 Lattices Outline Definition of planar integral lattices Shortest Vectors Applications The Gaussian algorithm Short vectors and best approximations Hermite normal form Shortest vectors and best approximations Best approximations and convergents A naive shortest vector algorithm based on euclid

4 Lattices Outline Definition of planar integral lattices Shortest Vectors Applications The Gaussian algorithm Short vectors and best approximations Hermite normal form Shortest vectors and best approximations Best approximations and convergents A naive shortest vector algorithm based on euclid Fast basis reduction Identifying the shortest convergent Computing shortest convergent w.r.t. l -norm with Schönages speedup Reduced bases Fast basis reduction via (Schönhage 1971) and (Gauß 1801)

5 Lattices Lattice generated by A: Λ(A)={Ax x Z 2 }, where A Z 2 2 nonsingular

6 Lattices Lattice generated by A: Λ(A)={Ax x Z 2 }, where A Z 2 2 nonsingular A basis of Λ

7 Lattices Lattice generated by A: Λ(A)={Ax x Z 2 }, where A Z 2 2 nonsingular A basis of Λ b 2 b 1

8 Lattices Lattice generated by A: Λ(A)={Ax x Z 2 }, where A Z 2 2 nonsingular A basis of Λ b 2 b 1

9 Shortest vectors Shortest vector of Λ: v Λ with v 0and v u for all u Λ u 0

10 Shortest vectors Shortest vector of Λ: v Λ with v 0and v u for all u Λ u 0 Applications Integer programming in fixed dimension Lenstra (1983) Factorization of rational polynomials Lenstra, Lenstra & Lovász (1982) Strongly polynomial time algorithms in combinatorial optimization Frank & Tardosz (1987)

11 Shortest vectors Shortest vector of Λ: v Λ with v 0and v u for all u Λ u 0 Applications Integer programming in fixed dimension Lenstra (1983) Factorization of rational polynomials Lenstra, Lenstra & Lovász (1982) Strongly polynomial time algorithms in combinatorial optimization Frank & Tardosz (1987)

12 Shortest vectors Shortest vector of Λ: v Λ with v 0and v u for all u Λ u 0 Applications Integer programming in fixed dimension Lenstra (1983) Factorization of rational polynomials Lenstra, Lenstra & Lovász (1982) Strongly polynomial time algorithms in combinatorial optimization Frank & Tardosz (1987)

13 Unimodular transformations Unimodular transformation of basis A: A U, where U Z 2 2 with det(u)=±1,.i.e., U unimodular

14 Unimodular transformations Unimodular transformation of basis A: A U, where U Z 2 2 with det(u)=±1,.i.e., U unimodular Matrix A basis of Λ if and only if A U basis of Λ, U unimodular

15 Unimodular transformations Unimodular transformation of basis A: A U, where U Z 2 2 with det(u)=±1,.i.e., U unimodular Matrix A basis of Λ if and only if A U basis of Λ, U unimodular Examples of unimodular transformations swapping of columns

16 Unimodular transformations Unimodular transformation of basis A: A U, where U Z 2 2 with det(u)=±1,.i.e., U unimodular Matrix A basis of Λ if and only if A U basis of Λ, U unimodular Examples of unimodular transformations swapping of columns adding integral multiples of one column to another

17 The Gaussian reduction algorithm GAUSS(b 1,b 2 ) repeat arrange that b 1 is the shorter vector of b 1 and b 2 find k Z such that b 2 kb 1 is of minimal euclidean length b 2 (b 2 kb 1 ) (normalization step) until k = 0 return (b 1,b 2 ) k in repeat-loop is nearest integer to (b T 1 b 2)/(b T 1 b 1)

18 A normalization step b 2 b 1

19 A normalization step b 2 kb 1 b 2 b 1

20 A normalization step b 2 kb 1 b 1

21 Complexity of GAUSS Lagarias (1980): Complexity of GAUSS O(n 3 )

22 Complexity of GAUSS Lagarias (1980): Complexity of GAUSS O(n 3 ) Schönhage (1991) and Yap (1992) new reduction algorithm: Complexity O(M(n)logn) where M(n): complexity of n-bit integer multiplication;

23 Complexity of GAUSS Lagarias (1980): Complexity of GAUSS O(n 3 ) Schönhage (1991) and Yap (1992) new reduction algorithm: Complexity O(M(n)logn) where M(n): complexity of n-bit integer multiplication; algorithms fairly involved

24 Complexity of GAUSS Lagarias (1980): Complexity of GAUSS O(n 3 ) Schönhage (1991) and Yap (1992) new reduction algorithm: Complexity O(M(n)logn) where M(n): complexity of n-bit integer multiplication; algorithms fairly involved This talk: Fast basis reduction via Schönhage s (1971) classical gcd-speedup and GAUSS

25 The Hermite Normal Form Given lattice basis A = ( a 1 a 2 a 3 a 4 ) Z 2 2, compute integers x, y with gcd(a 3,a 4 )=d = xa 3 + ya 4 ( a4 /d x a 3 /dy) unimodular

26 The Hermite Normal Form Given lattice basis A = ( a 1 a 2 a 3 a 4 ) Z 2 2, compute integers x, y with gcd(a 3,a 4 )=d = xa 3 + ya 4 ( a4 /d x a 3 /dy) unimodular Then a 1 a 2 4/d a 3 a 4 a 3 /d x = y a b Z c

27 The Hermite Normal Form Given lattice basis A = ( a 1 a 2 a 3 a 4 ) Z 2 2, compute integers x, y with gcd(a 3,a 4 )=d = xa 3 + ya 4 ( a4 /d x a 3 /dy) unimodular Then a 1 a 2 4/d a 3 a 4 a 3 /d x = y a b Z c We can assume that c > 0anda > b 0 Hermite normal form

28 Complexity of Hermite normal form Given integers a and b one can compute integers x and y with gcd(a,b)=xa + yb in time O(M(n)logn) (Schönhage 1971) Complexity of HNF: O(M(n)logn)

29 Complexity of Hermite normal form Given integers a and b one can compute integers x and y with gcd(a,b)=xa + yb in time O(M(n)logn) (Schönhage 1971) Complexity of HNF: O(M(n)logn) Assuming: Lattice is given by its Hermite normal form

30 Best approximations For α Q, fraction x/y is best approximation if all other fractions x /y with y y satisfy y α x > yα x

31 Shortest vectors and best approximations Λ = a b x x,y Z 0 c y Theorem. There exists a shortest vector ( ) xa+yb yc, x N0, y N + of Λ such that at least one of the following conditions is satisfied.

32 Shortest vectors and best approximations Λ = a b x x,y Z 0 c y Theorem. There exists a shortest vector ( ) xa+yb yc, x N0, y N + of Λ such that at least one of the following conditions is satisfied. The fraction x/y is a best approximation to the number b/a.

33 Shortest vectors and best approximations Λ = a b x x,y Z 0 c y Theorem. There exists a shortest vector ( ) xa+yb yc, x N0, y N + of Λ such that at least one of the following conditions is satisfied. The fraction x/y is a best approximation to the number b/a. If the fraction p/q is the reduced representation of b/a, then p is odd, q is even, x { p/2, p/2 } and y = q/2.

34 Best approximations via euclidean algorithm x/y best approximation of b/a, then x/y is a convergent of b/a

35 Best approximations via euclidean algorithm x/y best approximation of b/a, then x/y is a convergent of b/a Convergents of α Q inductively defined

36 Best approximations via euclidean algorithm x/y best approximation of b/a, then x/y is a convergent of b/a Convergents of α Q inductively defined α

37 Best approximations via euclidean algorithm x/y best approximation of b/a, then x/y is a convergent of b/a Convergents of α Q inductively defined α α + 1/c,wherec convergent of 1/(α α )

38 The Gregorian calendar The earth turns around the sun in / days. First convergent is 365

39 The Gregorian calendar The earth turns around the sun in / days. First convergent is 365 Second convergent: /4, since 4 is first convergent of / = /104629

40 The Gregorian calendar The earth turns around the sun in / days. First convergent is 365 Second convergent: /4, since 4 is first convergent of / = / Leap year all 4 years

41 The Gregorian calendar Pope Gregor XIII (1582) used fifth convergent = /

42 The Gregorian calendar Pope Gregor XIII (1582) used fifth convergent = / Every 800 years skip 6 leap years; every year divisible by 100 but not by 400

43 The Gregorian calendar Pope Gregor XIII (1582) used fifth convergent = / Every 800 years skip 6 leap years; every year divisible by 100 but not by 400 The first year the in which calendar is 1 day ahead is 4915

44 Computing convergents Euclidean algorithm EXGCD(a,b) M n 0 while (b 0) do q a/b M M q (a,b) (b,a qb) n n + 1 return (d = a, x =( 1) n M 2,2, y =( 1) n+1 M 1,2 )

45 Computing convergents Let M (k), k 0, denote M after k-th iteration of while-loop

46 Computing convergents Let M (k), k 0, denote M after k-th iteration of while-loop Well known fact: k-th convergent of a/b is M (k) 1,1 /M(k) 2,1

47 Naive shortest vector algorithm Compute Hermite normal form ( ab 0 c ) of A

48 Naive shortest vector algorithm Compute Hermite normal form ( ab 0 c ) of A Compute reduced fraction p/q of b/a and vectors ( p/2 a + q/2 b, q/2 c) T and (a,0) T store shortest one in MIN

49 Naive shortest vector algorithm Compute Hermite normal form ( ab 0 c ) of A Compute reduced fraction p/q of b/a and vectors ( p/2 a + q/2 b, q/2 c) T and (a,0) T store shortest one in MIN Compute convergents g k /h k of b/a with EXGCD(b,a) and compare the length of the induced vector ( g k a + h k b,h k c) T with MIN. If shorter, replace MIN

50 Naive shortest vector algorithm Compute Hermite normal form ( ab 0 c ) of A Compute reduced fraction p/q of b/a and vectors ( p/2 a + q/2 b, q/2 c) T and (a,0) T store shortest one in MIN Compute convergents g k /h k of b/a with EXGCD(b,a) and compare the length of the induced vector ( g k a + h k b,h k c) T with MIN. If shorter, replace MIN In the end MIN contains a shortest vector

51 Naive shortest vector algorithm Compute Hermite normal form ( ab 0 c ) of A Compute reduced fraction p/q of b/a and vectors ( p/2 a + q/2 b, q/2 c) T and (a,0) T store shortest one in MIN Compute convergents g k /h k of b/a with EXGCD(b,a) and compare the length of the induced vector ( g k a + h k b,h k c) T with MIN. If shorter, replace MIN In the end MIN contains a shortest vector Linear search through all convergents of b/a

52 Finding shortest vector w.r.t l -norm Consider set of vectors g k a + h k b k = 0,...,t h k c, (1) where β k = g k /h k, 0 k t are the convergents of b/a. Proposition. Shortest vector in (1) w.r.t. l is last convergent of b/a outside the interval [(b c)/a,(b + c)/a] or first convergent of b/a inside [(b c)/a,(b + c)/a].

53 Finding shortest vector w.r.t l -norm Common convergent of interval [α 1,α 2 ]: Convergent β k of α 1 and α 2 where k maximal

54 Finding shortest vector w.r.t l -norm Common convergent of interval [α 1,α 2 ]: Convergent β k of α 1 and α 2 where k maximal Schönhage (1971): One can compute common convergent β k and corresponding matrix M (k) of two rationals α 1,α 2 Q in time O(M(n) logn)

55 Finding shortest vector w.r.t l -norm Common convergent of interval [α 1,α 2 ]: Convergent β k of α 1 and α 2 where k maximal Schönhage (1971): One can compute common convergent β k and corresponding matrix M (k) of two rationals α 1,α 2 Q in time O(M(n) logn) Proposition. Let β k = g k /h k common convergent of [(b c)/a,(b + c)/a]. Then k-th, k + 1-st or k + 2-nd convergent of b/a is shortest vector in (1) w.r.t. the l -norm.

56 Compute HNF ( ab 0 c ) of A Fast shortest vector algorithm

57 Compute HNF ( ab 0 c ) of A Fast shortest vector algorithm Compute reduced representation p/q of b/a and vectors (a,0) T, ( p/2 a + q/2 b, q/2 c) T ; store shortest nonzero one in a container MIN

58 Compute HNF ( ab 0 c ) of A Fast shortest vector algorithm Compute reduced representation p/q of b/a and vectors (a,0) T, ( p/2 a + q/2 b, q/2 c) T ; store shortest nonzero one in a container MIN Compute common convergent β k of [(b c)/a,(b + c)/a] and corresponding matrix M (k). Compute next two convergents of b/a with EXGCD; Replace MIN if one of convergents yields shorter vector

59 Reduced bases Lattice basis (b 1,b 2 ) is reduced if enclosed angle in range 90 ± 30 b 2 b 1

60 Reduced bases Lattice basis (b 1,b 2 ) is reduced if enclosed angle in range 90 ± 30 b 2 kb 1 b 2 α b 1

61 Reduced bases Lattice basis (b 1,b 2 ) is reduced if enclosed angle in range 90 ± 30 d h b 2 kb 1 α b 2 b 1 d 1/2 b 1 and h = sinα b 2 suppose α < 60

62 Reduced bases Lattice basis (b 1,b 2 ) is reduced if enclosed angle in range 90 ± 30 d h b 2 kb 1 α b 2 b 1 d 1/2 b 1 and h = sinα b 2 suppose α < 60 b 2 kb 1 2 = h 2 + d 2 = 1/4 b 1 2 +(sinα) 2 b 2 2 (1/4 +(sinα) 2 ) b 2 2

63 Reduced bases Lattice basis (b 1,b 2 ) is reduced if enclosed angle in range 90 ± 30 d h b 2 kb 1 α b 2 b 1 d 1/2 b 1 and h = sinα b 2 suppose α < 60 b 2 kb 1 2 = h 2 + d 2 = 1/4 b 1 2 +(sinα) 2 b 2 2 (1/4 +(sinα) 2 ) b 2 2 < b 2 2

64 Almost reduced basis Proposition. There exists O(M(n)logn) time algorithm that computes basis B of Λ defined by A Z 2 2, with property that the first column of B is shortest vector w.r.t. l -norm.

65 Almost reduced basis Proposition. There exists O(M(n)logn) time algorithm that computes basis B of Λ defined by A Z 2 2, with property that the first column of B is shortest vector w.r.t. l -norm. Analysis of Gaussian algorithm (Lagarias 1980) reveals this basis almost reduced

66 Almost reduced basis Proposition. There exists O(M(n)logn) time algorithm that computes basis B of Λ defined by A Z 2 2, with property that the first column of B is shortest vector w.r.t. l -norm. Analysis of Gaussian algorithm (Lagarias 1980) reveals this basis almost reduced Corollary. There exists O(M(n)logn) time algorithm that computes reduced basis B of Λ defined by A Z 2 2

67 Summary of results Shortest vector corresponds to best approximation of a rational defined by the lattice Shortest vectors can be found with the euclidean algorithm Fast basis reduction can be solely based on Schönhage s (1971) result and reduction algorithm of Gauss (1801)

68 Summary of results Shortest vector corresponds to best approximation of a rational defined by the lattice Shortest vectors can be found with the euclidean algorithm Fast basis reduction can be solely based on Schönhage s (1971) result and reduction algorithm of Gauss (1801)

69 Summary of results Shortest vector corresponds to best approximation of a rational defined by the lattice Shortest vectors can be found with the euclidean algorithm Fast basis reduction can be solely based on Schönhage s (1971) result and reduction algorithm of Gauss (1801)

70 Open Problem What about shortest vector problem in arbitrary fixed dimension?

71 Open Problem What about shortest vector problem in arbitrary fixed dimension? Fastest known algorithm of Kannan (1987) runs in time O(M(n)n)

72 Open Problem What about shortest vector problem in arbitrary fixed dimension? Fastest known algorithm of Kannan (1987) runs in time O(M(n)n) Challenge: Prove that shortest vector problem in arbitrary fixed dimension can be solved in time O(M(n) logn)

Fast Reduction of Ternary Quadratic Forms

1:01 Fast Reduction of Ternary Quadratic Forms 1:02 1:0 1:04 1:05 1:06 Friedrich Eisenbrand 1 and Günter Rote 2 1 Max-Planck-Institut für Informatik, Stuhlsatzenhausweg 85, 6612 Saarbrücken, Germany, eisen@mpi-sb.mpg.de