Short multipliers for the extended gcd problem

Similar documents
Extended gcd and Hermite normal form algorithms via lattice basis reduction

Complexity of the Havas, Majewski, Matthews LLL. Mathematisch Instituut, Universiteit Utrecht. P.O. Box

Minimal multipliers for consecutive Fibonacci numbers

Reduction of Smith Normal Form Transformation Matrices

Homework #2 Solutions Due: September 5, for all n N n 3 = n2 (n + 1) 2 4

Lattice Basis Reduction and the LLL Algorithm

CSE 206A: Lattice Algorithms and Applications Spring Basis Reduction. Instructor: Daniele Micciancio

A New Algorithm and Refined Bounds for Extended Gcd Computation

Math 324 Summer 2012 Elementary Number Theory Notes on Mathematical Induction

Short solutions for a linear Diophantine equation

1 Shortest Vector Problem

CSE 206A: Lattice Algorithms and Applications Winter The dual lattice. Instructor: Daniele Micciancio

Neville s Method. MATH 375 Numerical Analysis. J. Robert Buchanan. Fall Department of Mathematics. J. Robert Buchanan Neville s Method

12x + 18y = 30? ax + by = m

Problem Set 5 Solutions

Irreducible Polynomials over Finite Fields

47-831: Advanced Integer Programming Lecturer: Amitabh Basu Lecture 2 Date: 03/18/2010

MATH 324 Summer 2011 Elementary Number Theory. Notes on Mathematical Induction. Recall the following axiom for the set of integers.

The Shortest Vector Problem (Lattice Reduction Algorithms)

Mathematical Optimisation, Chpt 2: Linear Equations and inequalities

DS-GA 1002 Lecture notes 0 Fall Linear Algebra. These notes provide a review of basic concepts in linear algebra.

CHAPTER 8: EXPLORING R

Thus f is continuous at x 0. Matthew Straughn Math 402 Homework 6

Extended GCD and Hermite Normal Form Algorithms via Lattice Basis Reduction

The Abundancy index of divisors of odd perfect numbers Part III

1: Introduction to Lattices

1 2 3 style total. Circle the correct answer; no explanation is required. Each problem in this section counts 5 points.

Mathematical Induction

CSC 2414 Lattices in Computer Science September 27, Lecture 4. An Efficient Algorithm for Integer Programming in constant dimensions

Note that r = 0 gives the simple principle of induction. Also it can be shown that the principle of strong induction follows from simple induction.

BALANCED INTEGER SOLUTIONS OF LINEAR EQUATIONS

A strongly polynomial algorithm for linear systems having a binary solution

Best approximation in the 2-norm

LECTURE NOTES ELEMENTARY NUMERICAL METHODS. Eusebius Doedel

Proof Terminology. Technique #1: Direct Proof. Learning objectives. Proof Techniques (Rosen, Sections ) Direct Proof:

RATIONAL REALIZATION OF MAXIMUM EIGENVALUE MULTIPLICITY OF SYMMETRIC TREE SIGN PATTERNS. February 6, 2006

Math Circle Beginners Group February 28, 2016 Euclid and Prime Numbers Solutions

12. Perturbed Matrices

a s 1.3 Matrix Multiplication. Know how to multiply two matrices and be able to write down the formula

How to Factor N 1 and N 2 When p 1 = p 2 mod 2 t

CSE 206A: Lattice Algorithms and Applications Spring Minkowski s theorem. Instructor: Daniele Micciancio

A Subrecursive Refinement of FTA. of the Fundamental Theorem of Algebra

Solutions to Second In-Class Exam: Math 401 Section 0201, Professor Levermore Friday, 16 April 2010

The Geometric Distribution

Topics in Basis Reduction and Integer Programming

Invertible Matrices over Idempotent Semirings

CHAPTER 10: POLYNOMIALS (DRAFT)

PYTHAGOREAN DESCENT KEITH CONRAD

LEGENDRE S THEOREM, LEGRANGE S DESCENT

Chapter 3 Transformations

Composition of Axial Functions of Product of Finite Sets

PYTHAGOREAN DESCENT KEITH CONRAD

Math 443 Differential Geometry Spring Handout 3: Bilinear and Quadratic Forms This handout should be read just before Chapter 4 of the textbook.

Definition 6.1 (p.277) A positive integer n is prime when n > 1 and the only positive divisors are 1 and n. Alternatively

Homework #2 solutions Due: June 15, 2012

Short Vectors of Planar Lattices via Continued Fractions. Friedrich Eisenbrand Max-Planck-Institut für Informatik

An LLL-Reduction Algorithm with Quasi-linear Time Complexity 1

Math 350 Fall 2011 Notes about inner product spaces. In this notes we state and prove some important properties of inner product spaces.

Bricklaying and the Hermite Normal Form

Notes on Systems of Linear Congruences

Linear Models Review

Primitive sets in a lattice

Journal of Integer Sequences, Vol. 5 (2002), Article

Short proofs of the universality of certain diagonal quadratic forms

Looking back at lattice-based cryptanalysis

Proof by Contradiction

MATRIX ALGEBRA. or x = (x 1,..., x n ) R n. y 1 y 2. x 2. x m. y m. y = cos θ 1 = x 1 L x. sin θ 1 = x 2. cos θ 2 = y 1 L y.

Plotkin s Bound in Codes Equipped with the Euclidean Weight Function

Topics in Graph Theory

j=1 u 1jv 1j. 1/ 2 Lemma 1. An orthogonal set of vectors must be linearly independent.

Note on shortest and nearest lattice vectors

Lattice Reductions over Euclidean Rings with Applications to Cryptanalysis

A Course in Computational Algebraic Number Theory

Math Circle Beginners Group February 28, 2016 Euclid and Prime Numbers

Section 19 Integral domains

Discrete Math, Second Problem Set (June 24)

Algorithms for Picture Analysis. Lecture 07: Metrics. Axioms of a Metric

12x + 18y = 50. 2x + v = 12. (x, v) = (6 + k, 2k), k Z.

Lattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.

10.1 Radical Expressions and Functions Math 51 Professor Busken

Homework 4, 5, 6 Solutions. > 0, and so a n 0 = n + 1 n = ( n+1 n)( n+1+ n) 1 if n is odd 1/n if n is even diverges.

Construction of latin squares of prime order

Math 109 HW 9 Solutions

Hard Instances of Lattice Problems

POSITIVE DEFINITE n-regular QUADRATIC FORMS

Definite Quadratic Forms over F q [x]

USING SHANKS BABY-STEP GIANT-STEP METHOD TO SOLVE THE GENERALIZED PELL EQUATION x 2 Dy 2 = N. Copyright 2009 by John P. Robertson. 1.

Mathematical Induction

Sydney University Mathematical Society Problems Competition Solutions.

6 Permutations Very little of this section comes from PJE.

198 VOLUME 46/47, NUMBER 3

Lecture 5. Symmetric Shearer s Lemma

When is n a member of a Pythagorean Triple?

MATH 51H Section 4. October 16, Recall what it means for a function between metric spaces to be continuous:

Number Theory Proof Portfolio

Dynamic Programming: Shortest Paths and DFA to Reg Exps

HOMEWORK 11 MATH 4753

Math 61CM - Solutions to homework 6

In N we can do addition, but in order to do subtraction we need to extend N to the integers

On the second smallest prime non-residue

Transcription:

Short multipliers for the extended gcd problem Keith Matthews Abstract For given non zero integers s 1,, s m, the problem of finding integers a 1,, a m satisfying s = gcd (s 1,, s m ) = a 1 s 1 + + a m s m, with a 1 + + a m minimal, is thought to be computationally hard In this paper, we present an algorithm which takes as its starting point the recent LLL based algorithm of Havas, Majewski and Matthews and which often finds a shorter vector (a 1,, a m ) 1 Introduction Let s 1,, s m be integers and s = gcd (s 1,, s m ) In a recent paper [Havas, Majewski, Matthews 1998], the author and his collaborators used variants of the LLL algorithm to find multiplier vectors (a 1,, a m ) of small Euclidean length X = (a 1 + + a m) 1/ such that s = a 1 s 1 + + a m s m In each case a unimodular m m matrix P is produced such that P [s 1,, s m ] t = [0,, 0, s] t Rows p 1,, p of P constitute a basis of short vectors for the (m 1) dimensional lattice Λ formed by the vectors X = (a 1,, a m ) with a 1,, a m Z, satisfying a 1 s 1 + + a m s m = 0 In particular, every such X can be expressed uniquely as an integer linear combination X = z 1 p 1 + + z p In addition, p m, the last row of P, is a short multiplier vector and the general multiplier vector p is given by p = p m + x 1 p 1 + + x p, where x 1,, x Z The matrix P has further properties: If the Gram Schmidt basis corresponding to rows p 1,, p m is denoted by p 1,, p m, where p 1 = p 1, k 1 p k = p k µ kj p j, µ kj = p k p j p j, (1) p j j=1 1

then (a) µ kj 1/ for 1 j < k m, (b) p k p k (α µ k k 1)p k 1 p k 1 for k m 1 () (Here 1/ < α 1) In what follows we assume α = 1, so that () becomes From the equations a multiplier vector p may be written as where p k p k (1 µ k k 1)p k 1 p k 1 () k 1 p 1 = p 1, p k = p k + µ kj p j, () p = p m + k=1 y k = x k + j=1 x k p k = p m + i=k+1 The orthogonality of p 1,, p m then implies where p = p m + k=1 k=1 y k p k, (5) µ ik x i + µ mk (6) x k p k = p m + Q(x 1,, x ) = B (x + µ m, ) and B k = p k for k = 1,, m k=1 y k p k = B m + Q(x 1,, x ), (7) + B m (x m + µ,m x + µ m,m ) + B 1 (x 1 + µ,1 x + + µ,1 x + µ m,1 ) (8)

The equation P [s 1,, s m ] t = [0,, 0, s] t and the fact that [s 1,, s m ] is orthogonal to each of p 1,, p together imply Hence p m = s (s s 1 + + s 1,, s m ) (9) m B m = p m = (10) s 1 + + s m From equations () and the fact that the determinant of the orthogonal matrix whose rows are p 1,, p m, is equal to det P = ±1, we also have Consequently B 1 B m = det(p i p j) = (det P ) = 1 s = (det Λ) = B 1 B = (s 1 + + s m)/s (11) Also () becomes for k m 1 B k (1 µ k k 1)B k 1, (1) The motivation for the algorithm Before we give our algorithm for generating possibly shorter multipliers than p m, we give some background The minimum value 0 of the quadratic expression in equation (8) occurs at the point (ρ 1,, ρ ) Q, where ρ = µ m, ρ k = ( i=k+1 µ ik ρ i + µ mk ), 1 k < m 1 (1) It is then an easy exercise in determinants to show that for 1 k m 1 ρ k = k /, (1) where k is the (m 1) (m 1) determinant formed from the Gram determinant = det(p i p j ), by replacing the k th column by (p m p 1 ),, (p m p )

Consequently k is an integer We remark that in practice all ρ k tend to be small We have also observed that each shortest multiplier is always associated via (5) with a point (x 1,, x ) Z in the vicinity of (ρ 1,, ρ ) Let D be the set of points (z 1,, z ) Q satisfying z k + i=k+1 µ ik z i + µ mk < 1, k = m 1,, 1 (15) Then (ρ 1,, ρ ) D Also (0,, 0) D Definition We say Property G holds if for each shortest multiplier p, the x 1,, x of equation (5) satisfy (x 1,, x ) D Remarks 1 In view of (15), if the integer vector (x 1,, x ) D, there are at most two possibilities for each x k So if property G holds for a given m tuple (s 1,, s m ), then the number N of shortest multipliers is at most Given that a shortest multiplier p satisfies p p m, (7) and (8) show that property G holds if B k > p m for 1 k m 1 This is the case in Example 1 below, but does not always hold, as Example shows The examples where s i = for 1 i m 1, s m = m if m is odd, but s m = m 1 if m is even, produce values ( ) ( and ) m, respectively for N We prove below that property G holds when m = The least value of m for which it fails to hold appears to be 11, as in Example 5 Failures occur extremely rarely 5 We remark that in contrast to our situation, [Rosser 19] gave an example of the quadratic expression ( 7x 1y) + ( 7x y), which assumes its minimum value for integers x and y at the point ( 11, 0), whereas the minimum value 0 for real numbers x, y occurs at ( /, 80/) The algorithm We construct a sequence of multiplier vectors X K, K = m 1,, 1, which correspond to points (x 1,, x ) in D, close to (ρ 1,, ρ ), as follows Define x = 0,, x K+1 = 0 Then define x K,, x 1 Z recursively by:

(i) 0 if µ mk = 0 x K = 1 if µ mk < 0 1 if µ mk > 0; (ii) for 1 k < K, x k = σ k, where σ k = i=k+1 µ ik x i + µ mk (16) and θ is the nearest integer symbol, with θ = θ 1, if θ is a non negative half integer, but θ + 1 if θ is a negative half integer We also let X 0 = p m Remark For m =, a perusal of the list of shortest multipliers in the Appendix reveals that our algorithm will produce all the shortest multipliers For m = the algorithm appears to deliver at least one shortest multiplier For 5 m 10, whenever the algorithm fails to deliver a shortest multiplier, the excess length squared is always observed to be 1, as in Example In example 5, the excess is The case m = Lemma Let (x 1,, x ) Z correspond to a shortest multiplier p via equation (7) Then x + µ m ( ( ) 1 m ) Proof The inequality p p m implies Q(x 1,, x ) Q(0,, 0) Then equation (8) gives (x + µ m ) B µ mb + + µ m1b 1 (x + µ m ) µ m + µ B m mm + + µ m1 B ( B1 B ) m 5

Now () gives B k (1 µ kk 1 )B k 1 B k 1 Hence (x + µ m ) µ m + µ mm ( + + µ m1 ) ) m 1 1 + ( + + = 1 ( ( ) ) 1 1 = ( ) m ( ) m Corollary Property G holds if m = Proof Assume m = and that (x 1, x ) Z defines a minimum point for Q(x 1, x ) = (x + µ ) B + (x 1 + µ 1 x + µ 1 ) B 1 Then from the Lemma, we have x + µ 7/1 (17) Also the inequalities x (x + µ ) 0 and Q(x 1, x ) Q(0, 0) give x 1 + σ 1 = x 1 + µ 1 x + µ 1 µ 1 (18) Remark From the Corollary, it follows that N if m = In fact N if m = For if N =, we see from (17) and (18) that µ = ɛ 1 = ±1, µ 1 = ɛ = ±1, µ 1 = 0 Then ɛ 1 p 1 1 = (det P ) = det (p i p j ) = p 1 0 0 p ɛ p ɛ 1 p 1 ɛ p p which gives = p 1 p ( p p 1 p p ) This leads to a contradiction, as the p i p j are integers The example (s 1, s, s ) = (1,, 9) shows that the bound N = is attained Here the quadratic expression in (8) is Q(x 1, x ) = 591(x 6 899 591 ) + 6(x 1 7 x 6 + 1 6 ) The unimodular matrix P = (ρ 1, ρ ) = ( 185, 899 591 Also X, X 1, X 0 are given by 591 ) 1 10 11 6 0 5 5, 6

K (x 1, x ) X K X K (0, 1) (,, 6) 61 1 ( 1, 0) (,, 6) 61 0 (0, 0) (6, 0, 5) 61 and are the shortest multiplier vectors 5 Numerical results Example 1 Take s 1, s, s to be, 6, 9 The unimodular matrix P = 0 0 0 1 The quadratic expression in (8) and the ρ k of (1) are given by ( ) Q(x 1, x ) = 1 x 6 (, 1 1 + 1 x1 6 x 1 1) 6 (ρ 1, ρ ) = ( 90, 6 1 1) Also X, X 1, X 0 are given by 5 K (x 1, x ) X K X K (1, 1) (1, 1, 1) 1 (1, 0) (1,, 1) 6 0 (0, 0) (, 0, 1) 5 The shortest multiplier is X = p + p 1 + p Example Take s 1,, s 5 to be 10, 51, 10, 177, 07 The unimodular matrix P = 6 The quadratic expression in (8) is Q(x 1,, x ) = 19095 770 (ρ 1, ρ, ρ, ρ ) = + 0 10 1 1 0 1 0 1 1 1 1 1 1 0 1 0 x 6885 «+ 770 x 10 19095 0 x + 96 0 x + 10 0 x + 9 0 858 19095, 5861 19095, 671 19095, 6885 19095 7 5 770 x + 1566 «770 10 x 1 10 x + 1 «10 ««+ 10 x 1 Also X,, X 0 are given by 7

K (x 1, x, x, x ) X K X K (0, 1, 0, 1) (1, 1,,, 0) 15 (0, 0, 1, 0) (0,, 1, 0, 1) 18 (0, 1, 0, 0) (, 0, 1,, ) 18 1 ( 1, 0, 0, 0) ( 1, 1,,, 0) 0 (0, 0, 0, 0) (, 0,, 1, 0) 1 The shortest multiplier is p = p 5 + p = [0, 1,,, ], with p = 1 Property G holds here Example (Example 7 of [Havas, Majewski, Matthews 1998]) Take s 1,, s 10 to be 7686, 1066557, 1119, 178510, 170060, 07775, 1179, 1675, 199717, 60018 The unimodular matrix P = Then X 9,, X 0 are given by 6 0 1 0 0 0 1 1 0 1 1 1 1 1 1 0 0 1 1 1 0 0 1 0 0 1 0 1 1 0 5 1 1 1 0 0 0 1 1 1 0 1 1 0 1 6 0 1 5 1 5 1 0 1 1 K (x 1,, x 9 ) X K X K 9 ( 1, 1, 1, 0, 1, 1, 0, 0, 1) (, 1, 1,, 1,,,,, ) 6 8 (0, 1, 0, 0, 1, 1, 0, 1, 0) (, 0,,,, 1, 1, 1, 1, 5) 6 7 (0, 0, 0, 0, 1, 1, 1, 0, 0) ( 1,, 1, 0, 0,,,,, ) 1 6 (0, 1, 0, 0, 1, 1, 0, 0, 0) ( 1,, 1, 0, 5, 0, 1, 0,, 1) 7 5 (0, 1, 1, 1, 1, 0, 0, 0, 0) (,, 1, 1,, 1, 5, 1,, 0) 55 (0, 1, 0, 1, 0, 0, 0, 0, 0) ( 1,, 1,,, 1, 1, 1,, 0) 50 (0, 0, 1, 0, 0, 0, 0, 0, 0) (, 0, 1,,, 0,, 0, 1, ) 51 (0, 1, 0, 0, 0, 0, 0, 0, 0) ( 1, 1, 1, 5,,, 0, 1,, 1) 59 1 ( 1, 0, 0, 0, 0, 0, 0, 0, 0) (1, 0,,, 1,,, 1, 1, 0) 5 0 (0, 0, 0, 0, 0, 0, 0, 0, 0) ( 1, 0, 1,, 1,,,,, ) Truncated to decimals, ρ = ( 01, 080, 0, 00, 076, 07, 05, 05, 00) X 9 is the shortest multiplier vector Property G holds here Example Take s 1,, s 0 to be 55, 7856756, 56, 567566857, 6565, 8957897589789789, 65656565, 67857965897897890, 656565, 6787867867, 65656, 67867867968, 565756, 555, 678678967967, 56668, 76867896796, 6576568678, 656758678768, 65675676, 567567568769898798, 56566656, 578578678679689689678, 6657567568578, 567567586798679689685, 5665656, 567567567567, 65656786, 8 7 5

87878678678, 66565758, 67867865786, 565656, 678657865857, 78989768978, 656565, 678678657879, 678, 678678678678, 6576756756867, 6575675678 Here LLL delivers a p 0 with p 0 = 0 and our algorithm gives a multiplier X 7 with X 7 = 18 There are shortest multipliers, lengthsquared 1: p 0 p p p 5 p 6 + p 8 p 1 + p 15 + p 16 p 17 + p 18 p 1 + p + p = ( 1, 1, 0, 1, 0, 0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 1, 1, 1, 1, 1, 0, 1), p 0 p 1 p + p + p 5 + p 6 + p 8 p 9 + p 11 + p 1 + p 1 + p 16 p 17 + p 18 p 0 + p 1 + p + p 7 p 8 = (0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 0, 1, 0, 1, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 1, 1, 1, 1, 0, 1, 0, 0, 1) Truncated to decimals, ρ = ( 01, 16, 007, 191, 07, 01, 06, 061, 09, 06, 0, 00, 185, 066, 009,\ 11, 167, 075, 06, 06, 019, 068, 019, 00, 015, 09, 0, 0, 000, 000, 000, 000,\ 000, 000, 000, 000, 000, 000, 000) Property G holds here Example 5 Take s 1,, s 11 to be 919655, 0586515, 595095, 07189, 570961, 10819565, 16769897, 816771, 909089, 6508191, 1819 The shortest X K is X[7] = p 11 + p p 7 = (,,,,, 0,, 0,, 1, 1) with X 7 = 81 The shortest multiplier is p = p 11 + p p p 5 p 10 = (, 1, 1,,, 0,, 6, 1,, 0), with p = 79 Property G does not hold, as x 10 = 1 and σ 10 = 6980708959190/16706610167 08 Example 6 The following random examples illustrate the improved multipliers X K that are produced by the algorithm in section The shortest multiplier vectors are unknown here 6 Appendix m p m X K 100 15 X 96 = 8 150 17 X 17 = 9 00 1 X 80 = 8 50 1 X 96 = 9 In this section we present a complete classification of the possible shortest multipliers when m =, based on inequalities (17) and (18): x + µ 7 1 and x 1 + µ 1 x + µ 1 µ 1 9

1 µ = 0, µ 1 < 1/: p µ = 0, µ 1 = 1/: p and p p 1 µ = 0, µ 1 = 1/: p and p + p 1 0 < µ 1/, 0 µ 1 < 1/: (i) µ 1 0: p or p p (ii) µ 1 < 0: p or p p 1 p 5 0 < µ 1/, µ 1 = 1/: (Here p = p p 1 ) (i) µ 1 > 0: p and p p 1, or p p (ii) µ 1 < 0: p and p p 1, or p p 1 p (iii) µ 1 = 0: p and p p 1 Note: µ < 1/ here For if µ = 1/, we have shortest multipliers: 6 0 < µ 1/, 1/ < µ 1 0: (i) µ 1 > 0: p or p + p 1 p (ii) µ 1 0: p or p p p, p p 1, p p, p p 1 p 7 0 < µ 1/, µ 1 = 1/: (Here p = p + p 1 ) (i) µ 1 > 0: p and p + p 1, or p + p 1 p (ii) µ 1 < 0: p and p + p 1, or p p (iii) µ 1 = 0: p and p + p 1 (µ < 1/) 8 1/ µ < 0, 1/ < µ 1 0: (i) µ 1 0: p or p + p (ii) µ 1 < 0: p or p + p 1 + p 9 1/ µ < 0, µ 1 = 1/: (Here p = p + p 1 ) (i) µ 1 > 0: p and p + p 1, or p + p 10

(ii) µ 1 < 0: p and p + p 1, or p + p 1 + p (iii) µ 1 = 0: p and p + p 1 ( 1/ < µ ) 10 1/ µ < 0, 0 µ 1 < 1/: (i) µ 1 0: p or p + p (ii) µ 1 > 0: p or p p 1 + p 11 1/ µ < 0, µ 1 = 1/: (Here p = p p 1 ) (i) µ 1 > 0: p and p p 1, or p p 1 + p (ii) µ 1 < 0: p and p p 1, or p + p (iii) µ 1 = 0: p and p p 1 ( 1/ < µ ) References [Havas, Majewski, Matthews 1998] G Havas, BS Majewski, KR Mat thews, Extended gcd and Hermite normal form algorithms via lattice reduction, Experimental Mathematics 7 No (1998) 15 16 [Rosser 19] JB Rosser, A generalization of the Euclidean algorithm to several dimensions, Duke Math 9 (19) 59 95 K R Matthews, http://wwwnumbertheoryorg/keithhtml 11

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback