Extended GCD and Hermite Normal Form Algorithms via Lattice Basis Reduction

Size: px

Start display at page:

Download "Extended GCD and Hermite Normal Form Algorithms via Lattice Basis Reduction"

Sydney Hunt
6 years ago
Views:

1 Extended GCD and Hermite Normal Form Algorithms via Lattice Basis Reduction George Havas, Bohdan S. Majewski, and Keith R. Matthews CONTENTS 1. Introduction. The LLL Algorithm. Analysis of Algorithm. Algorithm 5. Multiplier Estimates 6. A LLL-Based Hermite Normal Form Algorithm 7. Examples Acknowledgments Electronic Availability References Extended gcd calculation has a long history and plays an important role in computational number theory and linear algebra. Recent results have shown that finding optimal multipliers in extended gcd calculations is difficult. We present an algorithm which uses lattice basis reduction to produce small integer multipliers x 1,..., x m for the equation s = gcd (s 1,..., s m ) = x 1 s x m s m, where s 1,..., s m are given integers. The method generalises to produce small unimodular transformation matrices for computing the Hermite normal form of an integer matrix. 1. INTRODUCTION Let s 1 ; : : : ; s m be integers and s = gcd (s 1 ; : : : ; s m ). It is easy to nd integer multipliers x 1 ; : : : ; x m such that s = x 1 s x m s m, but not so easy to nd multiplier vectors X of small Euclidean length kxk = (x x m) 1= [Majewski and Havas 199; Rossner and Seifert 1996]. Such multipliers may be found by performing, for example, Euclid's algorithm on s 1 ; s, to get gcd (s 1 ; s ) = g, then on g ; s and so on. If the corresponding sequence of integer row operations is performed on the identity matrix I m, the result will be an m m unimodular matrix P such that P S = [0; : : : ; 0; s] T, where S = [s 1 ; : : : ; s m ] T. Such a P is implicit in [Jacobi 1868, pages 6{8]. For some variations on this theme see [Kertzner 1981], as well as [Ford and Havas 1996] (where it is shown that one can ensure jx i j 1 max(s 1; : : : ; s m )) and [Majewski and Havas 1995] (the sorting gcd algorithm). Also see [Brentjes 1981, pages {] for references to older work. c A K Peters, Ltd /1998 $0.50 per page Experimental Mathematics 7:, page 15

2 16 Experimental Mathematics, Vol. 7 (1998), No. With a little matrix algebra, the equation P S = [0; : : : ; 0; s] T tells us that rows p 1 ; : : : ; p m 1 of P form a lattice basis for the (m 1)-dimensional lattice formed by the vectors X = (x 1 ; : : : ; x m ) with x 1 ; : : : ; x m Z, satisfying x 1 s 1 + +x m s m = 0. In other words, every such X can be expressed as an integer linear combination X = z 1 p z m 1 p m 1. The general multiplier vector is p m + z 1 p z m 1 p m 1 ; with z 1 ; : : : ; z m 1 Z. Lattice basis reduction can be used to nd good multipliers. Such an approach dates back at least to [Rosser 191] and [Ficken 19], where it was used for some small examples. A particularly eective algorithm for lattice basis reduction is due to Lenstra, Lenstra and Lovasz [Lenstra et al. 198]. For a brief description of the LLL algorithm, see Section. Of importance in the LLL algorithm is a parameter, which is in the range ( 1 ; 1]. The complexity of the algorithm increases with, as does the quality guarantee on the basis vectors. Earlier Approaches: Algorithm 1 One approach to the extended gcd problem, proposed by Babai [Grotschel et al. 1988, page 1] and Sims [199, page 81], is to perform the LLL algorithm on p 1 ; : : : ; p m 1 to produce a lattice basis of short vectors. Then size-reduce p m, by adding suitable multiples of these short vectors to p m ; this reduces its entries in practice to small size. We call this Algorithm 1. It has the drawback that an initial unimodular transforming matrix P has to be calculated. Preview of Algorithms and Another approach to the problem is to apply the LLL algorithm to the lattice L spanned by the rows of the matrix C = [I m js], where is a positive integer. It is not dicult to show that if > y (m )= ksk, with y = =( 1) for 1 < 1, the reduced basis for C must satisfy c 1 m+1 = 0,..., c m 1 m+1 = 0 and c m m+1 = s. Then c m1 ; : : : ; c mm will in practice be a small multiplier vector of similar size to that produced by Algorithm 1. We call this Algorithm. It has the drawback that multiplying the entries in the last column of the matrix by leads to an increase in the theoretical complexity and practical running time of the algorithm. Experimentally one nds that if is large, Algorithm seems to settle down to the same sequence of row operations. It is not dicult to identify these operations and perform them instead on the matrix [I m js]. This is justied in Section. Our limiting algorithm is called Algorithm and is described explicitly in Section. In Section 5, we show that with 1 the 8 smallest multiplier for numbers is one of the 7 values b +" 1 b 1 +" b, with j" i j 1, (" 1 ; " ) 6= (1; 0), where multiplier b and lattice basis b 1 ; b for are produced by Algorithm. We also derive an upper estimate in the general case of m numbers for the length of the multiplier produced by Algorithm with 1 < 1. Section 6 describes a LLL-based Hermite normal form algorithm, which we also arrive at by limiting considerations. In practice the method yields transformation matrices with very small entries. Such algorithms have applications in class group calculations; see [Cohen 199, pages 5, 88]. The paper nishes with some examples which show how well the algorithms perform.. THE LLL ALGORITHM In order to analyse Algorithms and we need to briey outline the LLL algorithm. More complete descriptions are given in [Grotschel et al. 1988, pages 19{150; Sims 199, pages 60{8; Cohen 199, pages 8{10; Pohst and Zassenhaus 1989, pages 00{0]. Let C be an m n matrix of integers, with linearly independent rows c 1 ; : : : ; c m. The Gram{ Schmidt basis is denoted by c 1; : : : ; c m, where c 1 = c 1 ; c k = c k k 1 X j=1 kj c j; kj = c k c j : c j c j

3 Havas, Majewski, and Matthews: Extended GCD and Hermite Normal Form Algorithms via Lattice Basis Reduction 17 We say c 1 ; : : : ; c m is reduced if j kj j 1 j < k m and for 1 are linearly independent in L and satisfy kx i k ksk, so c k c k ( k k 1)c k 1 c k 1 ( 1) for 1 < k m. (Here 1 < 1.) We say c k is size-reduced if j kj j 1 for 1 j < k. Assume that rows 1 to k 1 have been processed. The inductive step is as follows: Do a partial size-reduction by c k c k d k k 1 cc k 1 ; where dc is the nearest integer symbol, with dc = 1, if is a half-integer. If inequality ({1) holds, size-reduce c k completely by performing c k c k d kj cc j for j = k ; : : : ; 1 and increment k. Otherwise swap c k and c k 1 and decrement k.. ANALYSIS OF ALGORITHM Algorithm works for the following reasons. consists of the vectors (X; a) = (x 1 ; : : : ; x m ; (x 1 s x m s m )); where x 1 ; : : : ; x m Z. Hence X, (X; 0) L. Also, if (X; a) L and X does not belong to, then a 6= 0 and k(x; a)k : ( 1) Further, the lemma of [Pohst and Zassenhaus 1989, page 00] implies that if b 1 ; : : : ; b m 1 form a reduced basis for L, then kb j k y (m )= max kx 1 k; : : : ; kx m 1 k ; ( ) if X 1 ; : : : ; X m 1 are linearly independent vectors in L. But the m 1 vectors X 1 = ( s ; s 1 ; 0; : : : ; 0; 0) X = ( s ; 0; s 1 ; 0; : : : ; 0; 0) : : : : : : : : : : : : : : : : : : : : : : : : : : : : : X m 1 = ( s m ; 0; 0; : : : ; s 1 ; 0) L max kx 1 k; : : : ; kx m 1 k ksk: ( ) Hence if > y (m )= ksk, it follows from inequalities ({1){({) that the rst m 1 rows of a reduced basis for L have the form (b j1 ; : : : ; b jm ; 0). The last vector of the reduced basis then has the form (b m1 ; : : : ; b mm ; g) for some g, and the equations P S = 0 g ; S = P 1 0 g (where P is a unimodular matrix) imply sjg and gjs, respectively, and hence g = s. Now we justify our earlier assertion that if is suciently large and the LLL algorithm is performed on [I m js], then the sequence of operations is independent of. Let c i m+1 = a i and let C = [BjA], where initially B = I m and A = S. Let us assume that the rst k 1 rows of C are LLL-reduced (which implies a 1 = 0; : : : ; a k = 0 by the above argument) and examine the inductive step of LLL. First, from the equation c r = c r r 1 X j=1 rj c j ; ( ) we have c 1 m+1 = 0; : : : ; c k m+1 = 0. Also from equation ({), with r = k 1, we have c k 1 m+1 = a k 1. Further, kj = c k c j c j c j P m q=1 = c kqc jq + a k c j m+1 P m q=1 (c jq) + (c j m+1) : ( 5) So, c 1 m+1 = 0; : : : ; c k m+1 = 0 and equation ({5) give P m q=1 kj = c kqc jq P m for j = 1; : : : ; k ; q=1 (c jq) the Gram{Schmidt coecient for C with the last column ignored.

4 18 Experimental Mathematics, Vol. 7 (1998), No. Next k k 1 = P m q=1 c kqc k 1 q + a k a k 1 P m q=1 (c k 1 q ) + a k 1 a k a k 1 as! 1 if a k 1 6= 0: (If a k 1 = 0, k;k 1 reduces to the Gram{Schmidt coecient for C with the last column ignored.) Then (for a k 1 6= 0) if t = da k =a k 1 c, d k k 1 c = t if a k =a k 1 is not an odd multiple of 1, or t or t + 1 otherwise, as! 1. Thus in the partial sizereduction, t or t + 1 times row k 1 is subtracted from row k. We now discuss the possible interchange of rows k 1 and k. This takes place if the inequality ({1) fails to hold. If a k 1 = 0 = a k, then condition ({1) becomes the standard LLL condition involving k k 1. If a k 1 = 0 but a k 6= 0, then c k m+1 = a k and condition ({1) will be satised for large and no interchange of rows takes place. If a k 1 6= 0, then since the c j did not change under partial size-reduction, we see from c k = c k k X j=1 kj c j k k 1 c k 1; that with c j m+1 = 0; j = 1; : : : ; k and the limiting form of the old k;k 1, we have c k 0. m+1 Consequently, as k k 1 > 0 if > 1, ({1) will not be satised for large, if > 1, thereby resulting in an interchange of rows. The kj are rational functions of and, if not constant, will tend to a limit strictly monotonically, thereby resulting in a limiting sequence of row operations for large. Thus, for large, the LLL algorithm will perform a version of the leastremainder gcd algorithm (LRA) on a 1 = s 1 ; a = s, until it arrives at a 1 = 0; a = g = gcd (s 1 ; s ), with (b 1 ; b ) being the shortest multiplier vector for gcd (s 1 ; s ). It then eventually performs a version of the LRA on a = g ; a = s, punctuated by updating of the rst three rows of B, till it arrives at a 1 = 0; a = 0; a = g = gcd (g ; s ), with (b 1 ; b ; b ) being a short multiplier vector for gcd (s 1 ; s ; s ); and so on.. ALGORITHM The analysis of Section leads to Algorithm below, the nal LLL-based extended gcd algorithm. Our implementation is a modication of de Weger's LLL algorithm [1987, pages 9{], simplied in that initial construction of the Gram{Schmidt basis is not needed, as we start with the identity matrix I m. De Weger works in terms of integers and writes kb i k = D i =D i 1, D 0 = 1 and ij = D j ij. This allows algorithms to be implemented using only integers, avoiding explicit calculation with rationals. The algorithm works by successively producing for k = ; : : : ; m, a multiplier vector (b k1 ; : : : ; b kk ) for s 1 ; : : : ; s k which is size-reduced with respect to a LLL-reduced lattice basis (b 11 ; : : : ; b 1k ),..., (b k 11 ; : : : ; b k 1k ) for the lattice dened by x 1 s x k s k = 0. Algorithm. (We denote by bi the i-th row of B.) Input: Positive integers s 1 ; : : : ; s m Output: a m = gcd(s 1 ; : : : ; s m ); small multipliers b m1 ; : : : ; b mm ; small null space basis B I m ; for r = ; : : : ; m do for s = 1; : : : ; r 1 do rs 0; for i = 0; : : : ; m do D i 1; for i = 1; : : : ; m do a i s i ; m 1 ; n 1 ; = = m 1 =n 1 = k ; while k m do Reduce1(k; k 1); if a k 1 6= 0 or a k 1 = 0 and a k = 0 and n 1 (D k D k + k k 1) < m 1 Dk 1 then Swap(k); if k > then k k 1; else for i = k ; : : : ; 1 do Reduce(k; i); k k + 1; if a m < 0 then a m a m ; bm bm;

5 Havas, Majewski, and Matthews: Extended GCD and Hermite Normal Form Algorithms via Lattice Basis Reduction 19 Reduce1(k; i) if a i 6= 0 then q da k =a i c; else if j ki j > D i then q d ki =D i c; else q 0; if q 6= 0 then a k a k qa i ; bk bk qbi; ki ki qd i ; for j = 1; : : : ; i 1 do kj kj q ij ; Swap(k) a k $ a k 1 ; bk $ bk 1; for j = 1; : : : ; k do kj $ k 1 j ; for i = k + 1; : : : ; m do t i k 1 D k ik k k 1 ; i k 1 ( i k 1 k k 1 + ik D k )=D k 1 ; ik t=d k 1 ; D k 1 (D k D k + k k 1)=D k 1 ; 5. MULTIPLIER ESTIMATES Even when m =, our LLL-based gcd algorithm does not always produce the shortest multiplier: 1 in the example ; 6; 9, LLL (for all < 1) produces the multiplier b = ( ; 0; 1), whereas the shortest is b + b + b 1 = (1; 1; 1). After much numerical experiment we were led to the following result: Theorem 5.1. If B is a unimodular integer matrix such that the rst rows b 1 ; b form a LLLreduced basis for the lattice with 8 1, while b is size-reduced and is a multiplier vector for s 1 ; s ; s, then the smallest multiplier is one of seven vectors b + " 1 b 1 + " b, where " i = 1; 0; 1 for i = 1; and (" 1 ; " ) 6= (1; 0). Proof. We have and b = b + b + 1 b 1 b = b + 1 b 1 ; where j ij j 1. Then, if u; v Z, recalling that b + ub 1 + vb is the general multiplier, we have the following expression for the square of its length: f(u; v) = kb +ub 1 +vb k = kb +(u+ 1 +v 1 )b 1+(v+ )b k = kb k +(u+ 1 +v 1 ) kb 1k +(v+ ) kb k : Suppose f(x; y) < f(0; 0). Then or, equivalently, kb + xb 1 + yb k < kb k ; kb k +(x+ 1 y+ 1 ) kb 1 k +(y+ ) kb k < kb k + 1 kb 1 k + kb k : Hence, noting that kb k kb 1 k ( 1), we have kb (y + ) < 1k 1 kb k + ; (y + ) < = 9 ; if 8 ; jy + j < ) jyj < ) jyj 1: Then, since y(y + ) 0 if y Z, (x + 1 y + 1 ) kb 1 k hence < (x + 1 y + 1 ) kb 1 k + y(y + )kb k < 1kb 1k ; jx + 1 y + 1 j < j 1 j; jxj < j 1 y + 1 j + j 1 j; (5 1) jxj < j 1 j + j 1 j 1 + 1; jxj 1: Also from inequality (5{1), y = 0 implies x = 0.

6 10 Experimental Mathematics, Vol. 7 (1998), No. Remarks. 1. We can be more specic about the optimum multipliers, in terms of the signs of 1, 1, and : 1 1 Optimum multiplier b or b b + b or b + b + b or b + b + b or b b b or b b or b + b 1 + b + + b or b b or b b 1 + b + + b or b + b or b b 1 b + + b or b + b or b + b 1 b All cases occur for suitable choices of (s 1 ; s ; s ).. The theorem is not true for all > 1. For with (s 1 ; s ; s ) = (100000; ; ) and = , the optimum multiplier is b b 1 1b = (11088; 06; 159); where b 1 = ( ; 19; 1), b = ( ; 11109; 5), and b = ( 55551; 5558; ). Corollary 5.. Our LLL extended gcd algorithm is the basis of a practical polynomial-time algorithm for nding an optimal solution to the extended gcd problem for numbers. Proof. Apply Algorithm (with =, say) and 8 then check which of the possibilities is optimal. Theorem 5.. Let B be a unimodular m m integer matrix such that the rst m 1 rows form a LLLreduced basis for the lattice with 1 < 1, while b m is size-reduced and is a multiplier vector for s 1 ; : : : ; s m. Then with y = =( 1), we have kb m k (m 1)ym ksk : P Proof. We have b m = b m 1 m + j=1 mjb j. The vector S T is orthogonal to b 1 ; : : : ; b m 1 and we see from BS = [0; : : : ; 0; s] T that b m = ss T =ksk. Then X b m = sst m 1 ksk + mj b j j=1 with j mj j 1 for j = 1; : : : ; m 1. But kb i k kb ik. Hence kb m k m 1 X j=1 kb j k m 1 X j=1 kb j k : (5 ) Repeating the argument for inequalities ({) and ({) we deduce that kb j k y (m )= ksk; for j = 1; : : : ; m 1; and inequality (5{) gives as required. kb m k (m 1)ym ksk ; Remark. Knuth [1969, Section.5., Problem ; 1981, Section.5., Problem 5] posed researchlevel problems on the analysis of algorithms for computing the greatest common divisor of three or more integers. The theorems and corollary of this section resolve aspects of these problems. Algorithm and its analysis provide much further information. 6. A LLL-BASED HERMITE NORMAL-FORM ALGORITHM An m n integer matrix H is said to be in row Hermite normal form if (i) the rst r rows of H are nonzero; (ii) for 1 i r, if h iji is the rst nonzero entry in row i of H, then j 1 < j < < j r ; (iii) h iji > 0 for 1 i r; (iv) if 1 k < i r, then 0 h kji < h iji. Let G be an m n integer matrix. Then there are various algorithms for nding a unimodular matrix P such that P G = H is in row Hermite normal form. These include those of Kannan{Bachem [199, pages 9{57] and Havas{Majewski [199], which attempt to reduce coecient explosion during their execution.

7 Havas, Majewski, and Matthews: Extended GCD and Hermite Normal Form Algorithms via Lattice Basis Reduction 11 By considering the limiting behaviour of the LLL algorithm on the matrix G() = [I m j n G 1 j n 1 G j j G n ] (where G i is the i-th column of G) as! 1, we are led to the following LLL-based Hermite normal form algorithm, generalising the earlier gcd case where n = 1. (We have omitted Swap(k) because it is the same as in Algorithm, with ai replacing a i.) It is an easy extension of the argument in Section 1 to show that for large, on LLL reducing G(), the last n columns form a matrix whose rows, starting from the bottom, are in row echelon form, corresponding to the indices j 1 ; : : : ; j r. This algorithm gives as output A, which is the Hermite normal form of G, but in reverse order. It is trivial to turn A and the transforming matrix B into the standard H and P. Algorithm (LLL-based Hermite normal form). Input: An m n integer matrix G Output: A, the Hermite normal form of G (upside down), and B, the corresponding transformation matrix B I m ; for r = ; : : : ; m do for s = 1; : : : ; r 1 do rs 0; A G; for i = 0; : : : ; m do D i 1; m 1 ; n 1 ; = = m 1 =n 1 = if there is exactly one nonzero element a ij in the rst nonzero column of A and i = m and a mj < 0 then am am; b m;m = 1; k ; while k m do Reduce(k; k 1); if col1 min(col; n) or col1 = col = n+1 and n 1 (D k D k + k k 1) < m 1 D k 1 then Swap(k); if k > then k k 1; else for i = k ; : : : ; 1 do Reduce(k; i); k k + 1; Reduce(k; i) if there is j such that a i;j 6= 0 then col1 least j such that a i;j 6= 0; if a i;col1 < 0 then Minus(i); ai ai; bi bi; else col1 n + 1; if there is j such that a k;j 6= 0 then col least j such that a k;j 6= 0; else col n + 1; if col1 n then q ba k;col1 =a i;col1 c; else if j ki j > D i then q d ki =D i c; else q 0; if q 6= 0 then ak ak qai; bk bk qbi; ki ki qd i ; for j = 1; : : : ; i 1 do kj kj q ij ; Minus(j) for r = ; : : : ; m do for s = 1; : : : ; r 1 do if r = j or s = j then rs rs ; We remark that if a row of G has to be multiplied by 1, there is a necessary adjustment for the ij. Hence the function Minus(i). Let C denote the submatrix of H formed by the Q r nonzero rows and write P = R, where Q and R have r and m r rows, respectively. (Q corresponds to the bottom r rows of A in reverse order. comprises the top m r rows of A.) Then QG = C and RG = 0 and the rows of R will form a Z basis of short vectors for the sublattice N(G) of Z m formed by the vectors X satisfying XG = 0. The rows of Q are size-reduced with respect to the short lattice basis vectors for N(G). 7. EXAMPLES We have applied the methods described here to numerous examples, all with excellent performance. Note that there are many papers which study explicit input sets for the extended gcd problem and a number of these are listed in the references of R

8 1 Experimental Mathematics, Vol. 7 (1998), No. [Brentjes 1981] and [Majewski and Havas 199]. We illustrate algorithm performance with a small selection of interesting examples and make some performance comparisons. Many parameters can aect the performance of LLL lattice basis reduction algorithms (this has been observed by many others; see [Schnorr and Euchner 1991], for example). Foremost is the value of. Smaller values of tend to give faster execution times but worse multipliers; however this is by no means uniform. Also, the order of input may have an eect. Example 7.1. As input to an extended gcd algorithm, take s 1 = , s = , s = 1591, s = Algorithm produces a nal matrix B = : The multiplier vector ( 88; 5; 167; 101) is the unique multiplier vector of least length. In fact, LLL-based methods give this optimal multiplier vector for all 1 ; 1. Earlier algorithms which aim to improve on the multipliers do not fare particularly well. Blankinship's algorithm [196] gives the multiplier vector (0; ; 1; ): The algorithm of [Bradley 1970] gives (7759, 17609, 1, 0). (This shows that Bradley's definition of minimal is not useful.) Example 7.. Take s 1 = 7686; s = ; s = 1119; s = ; s 5 = ; s 6 = 07775; s 7 = 1179; s 8 = 1675; s 9 = ; s 10 = 60018: Algorithm gives, for various values of, the multiplier vectors shown at the top of the next column. Also shown are the lengths-squared. multiplier vector x kxk The unique shortest multiplier vector is (; 1; 1; ; 1; ; ; ; ; ); with length-squared 6. Other methods give the following results: Jacobi: ( 1; 5; ; ; 1; ; ; 0; ; 0); kxk = 59 recursive gcd: (19670; ; 1; 0; 0; 0; 0; 0; 0; 0; 0) Kannan{Bachem: ( ; ; 0; 0; 0; 0; 0; 0; 0; 1) Blankinship: (85869; 1; ; 0; 0; 0; 0; 0; 0; 0) Bradley: ( 158; 96885; 1; 0; 0; 0; 0; 0; 0; 0) Example 7.. The following example involving the Fibonacci number F i and the Lucas numbers L i = F i 1 + F i+1 [Hoggatt 1969] has theoretical signicance. Take s 1 ; : : : ; s m to be the Fibonacci numbers F n ; F n+1 ; : : : ; F n F n ; F n+1 ; : : : ; F n 1 for n 5 odd, for n even. Using the identity F i L j = F i+j + ( 1) j F i j, it can be shown that the vectors and ( L n ; L n ; : : : ; L ; L 1 ; 1; 1; 0; 0) (L n ; L n ; : : : ; L ; L 1 +1; 1; 0; 0)

9 Havas, Majewski, and Matthews: Extended GCD and Hermite Normal Form Algorithms via Lattice Basis Reduction Input matrix G of Example 7.. are multipliers in the case of n odd or even, respectively. These multipliers are the unique vectors of least length. (This is a special case of a more general result from [Matthews 1996], where F n ; : : : ; F n+m is treated.) The length-squared of the multipliers is L n 5 +1 in both cases. (In practice, the LLL-based algorithms compute these minimal multipliers.) These results give bounds for extended gcd multipliers in terms of Euclidean norms. Since L n ' n 5 ' 5p 5 F n ; where ' = p 5, a general upper bound for the Euclidean norm of the multiplier vector in terms of the initial numbers s i must be at least O p maxfsi g : Also, the length of the vector (F n ; F n+1 ; : : : ; F n ) is of the same order of magnitude as F n, so a general upper bound for the length of the multipliers in terms of the Euclidean length of the input, ksk, is at least O p ksk. A range of random type extended gcd examples is presented in [Havas and Majewski 1995], showing excellent performance. Example 7.. For a Hermite normal form example, take G = [g ij ] to be the matrix dened by g ij = i j + i + j, and spelled out at the top of the page. The Hermite normal form H of G has three nonzero rows: : The unimodular matrix provided by the Kannan{ Bachem algorithm is whereas that supplied by our algorithm is ; :

10 1 Experimental Mathematics, Vol. 7 (1998), No. Kannan{Bachem LLL HNF M M M M M M Entry of maximal magnitude for the transforming matrices obtained by applying the Kannan{Bachem algorithm and ours to the matrices of Example 7.5. Example 7.5. An interesting family of matrices arises in the work of Daberkow [1995]. In some situations involving ideal class groups, matrices arise with k rows and 10 columns for k ranging from 100 to 150 in steps of 10. We designate the matrix with k rows by M k. The maximal magnitude entry in M k is of the order 11 (k 90)=10. Daberkow needs to compute both the Hermite normal form and a transforming matrix. We tabulate above the maximal magnitude entry in the transforming matrix (which includes many entries of this size) for our algorithm using = 1 in comparison with that of Kannan{Bachem. It can be seen from these examples that the algorithm we propose here often dramatically outperforms earlier methods in the search for good multipliers and transforming matrices. ACKNOWLEDGMENTS Havas and Majewski were supported by the Australian Research Council. We are grateful to Jean- Pierre Seifert and Clemens Wagner for helpful discussions and to a referee for improvements to the manuscript. ELECTRONIC AVAILABILITY Implementations of these algorithms are available in Matthews' number theory calculator program CALC at ~ krm/. Variants of the algorithms are available in GAP [Schonert et al. 1996] and Magma [Bosma et al. 1997]. REFERENCES [Blankinship 196] W. A. Blankinship, \A new version of the Euclidean algorithm", Amer. Math. Monthly 70 (196), 7{75. [Bosma et al. 1997] W. Bosma, J. Cannon, and C. Playoust, \The Magma algebra system, I: The user language", J. Symbolic Comput. :- (1997), 5{65. See comp/magma/overview.html. [Bradley 1970] G. H. Bradley, \Algorithm and bound for the greatest common divisor of n integers", Comm. ACM 1 (1970), {6. [Brentjes 1981] A. J. Brentjes, Multidimensional continued fraction algorithms, Mathematical Centre Tracts 15, Mathematisch Centrum, Amsterdam, [Cohen 199] H. Cohen, A course in computational algebraic number theory, Graduate Texts in Mathematics 18, Springer, Berlin, 199. [Daberkow 1995] M. Daberkow, Uber die Bestimmung der ganzen Elemente in Radikalerweiterungen algebraischer Zahlkorper, Dissertation, Tech. Univ. Berlin, Berlin, [de Weger 1987] B. M. M. de Weger, \Solving exponential Diophantine equations using lattice basis reduction algorithms", J. Number Theory 6: (1987), 5{67. Erratum in 1:1 (1989), 88{89. [Ficken 19] F. A. Ficken, \Rosser's generalization of the Euclid algorithm", Duke Math. J. 10 (19), 55{79. [Ford and Havas 1996] D. Ford and G. Havas, \A new algorithm and rened bounds for extended GCD computation", pp. 15{150 in Algorithmic number

11 Havas, Majewski, and Matthews: Extended GCD and Hermite Normal Form Algorithms via Lattice Basis Reduction 15 theory (Talence, 1996), edited by H. Cohen, Lecture Notes in Comput. Sci. 11, Springer, Berlin, [Grotschel et al. 1988] M. Grotschel, L. Lovasz, and A. Schrijver, Geometric algorithms and combinatorial optimization, Algorithms and Combinatorics, Springer, Berlin, [Havas and Majewski 199] G. Havas and B. S. Majewski, \Hermite normal form computation for integer matrices", Congr. Numer. 105 (199), 87{ 96. [Havas and Majewski 1995] G. Havas and B. S. Majewski, \Extended gcd calculation", Congr. Numer. 111 (1995), 10{11. [Hoggatt 1969] V. E. Hoggatt, Jr., Fibonacci and Lucas Numbers, Houghton Miin Co., Boston, [Jacobi 1868] C. G. J. Jacobi, \ Uber die Auosung der Gleichung 1 x 1 + x + + n x n = f u", J. Reine Angew. Math. 69 (1868), 1{8. [Kertzner 1981] S. Kertzner, \The linear Diophantine equation", Amer. Math. Monthly 88: (1981), 00{ 0. [Knuth 1969] D. E. Knuth, The art of computer programming, Vol. : Seminumerical algorithms, 1st ed., Addison-Wesley, Reading, MA, [Knuth 1981] D. E. Knuth, The art of computer programming, Vol. : Seminumerical algorithms, nd ed., Addison-Wesley, Reading, MA, [Lenstra et al. 198] A. K. Lenstra, H. W. Lenstra Jr., and L. Lovasz, \Factoring polynomials with rational coecients", Math. Ann. 61: (198), 515{5. [Majewski and Havas 199] B. S. Majewski and G. Havas, \The complexity of greatest common divisor computations", pp. 18{19 in Algorithmic number theory (Ithaca, NY, 199), edited by L. M. Adleman and M.-D. Huang, Lecture Notes in Comput. Sci. 877, Springer, Berlin, 199. [Majewski and Havas 1995] B. S. Majewski and G. Havas, \A solution to the extended gcd problem", pp. 8{5 in ISSAC'95: Proceedings of the 1995 International Symposium on Symbolic and Algebraic Computation (Montreal, 1995), edited by A. H. M. Levelt, ACM Press, New York, [Matthews 1996] K. R. Matthews, \Minimal multipliers for consecutive Fibonacci numbers", Acta Arith. 75: (1996), 05{18. [Pohst and Zassenhaus 1989] M. Pohst and H. Zassenhaus, Algorithmic algebraic number theory, Encyclopedia of Mathematics and its Applications 0, Cambridge University Press, Cambridge, [Rosser 191] B. Rosser, \A note on the linear Diophantine equation", Amer. Math. Monthly 8 (191), 66{666. [Rossner and Seifert 1996] C. Rossner and J.-P. Seifert, \The complexity of approximate optima for greatest common divisor computations", pp. 07{ in Algorithmic number theory (Talence, 1996), edited by H. Cohen, Lecture Notes in Comput. Sci. 11, Springer, Berlin, [Schnorr and Euchner 1991] C.-P. Schnorr and M. Euchner, \Lattice basis reduction: improved practical algorithms and solving subset sum problems", pp. 68{85 in Fundamentals of computation theory (Gosen, 1991), edited by L. Budach, Lecture Notes in Comput. Sci. 59, Springer, Berlin, [Schonert et al. 1996] M. Schonert et al., GAP: Groups, algorithms, and programming, Lehrstuhl D fur Mathematik, RWTH Aachen, See ftp:// dimacs.rutgers.edu/pub/ or st-and.ac.uk/ ~ gap. [Sims 199] C. C. Sims, Computation with nitely presented groups, Encyclopedia of Mathematics and its Applications 8, Cambridge University Press, Cambridge, 199. (addresses overleaf)

12 16 Experimental Mathematics, Vol. 7 (1998), No. George Havas, George Havas, Centre for Discrete Mathematics and Computing, Department of Computer Science and Electrical Engineering, The University of Queensland, Queensland 07, Australia (havas@csee.uq.edu.au, ~ havas/) Bohdan S. Majewski, Department of Computer Science and Software Engineering, University of Newcastle, Callaghan, NSW 08, Australia (bohdan@cs.newcastle.edu.au, Keith R. Matthews, Centre for Discrete Mathematics and Computing, Department of Mathematics, The University of Queensland, Queensland 07, Australia (krm@maths.uq.edu.au, ~ krm/) Received May 1, 1997; accepted in revised form July 18, 1997

Extended gcd and Hermite normal form algorithms via lattice basis reduction

Extended gcd and Hermite normal form algorithms via lattice basis reduction George Havas School of Information Technology The University of Queensland Queensland 4072, Australia URL: http://www.it.uq.edu.au/personal/havas/