Lecture 2: Gram-Schmidt Vectors and the LLL Algorithm

Similar documents
U.C. Berkeley CS294: Spectral Methods and Expanders Handout 8 Luca Trevisan February 17, 2016

Lectures - Week 4 Matrix norms, Conditioning, Vector Spaces, Linear Independence, Spanning sets and Basis, Null space and Range of a Matrix

Problem Set 9 Solutions

n α j x j = 0 j=1 has a nontrivial solution. Here A is the n k matrix whose jth column is the vector for all t j=0

APPENDIX A Some Linear Algebra

8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS

Errors for Linear Systems

Notes on Frequency Estimation in Data Streams

Chapter 5. Solution of System of Linear Equations. Module No. 6. Solution of Inconsistent and Ill Conditioned Systems

College of Computer & Information Science Fall 2009 Northeastern University 20 October 2009

Difference Equations

Example: (13320, 22140) =? Solution #1: The divisors of are 1, 2, 3, 4, 5, 6, 9, 10, 12, 15, 18, 20, 27, 30, 36, 41,

Lecture 4: Constant Time SVD Approximation

THE CHINESE REMAINDER THEOREM. We should thank the Chinese for their wonderful remainder theorem. Glenn Stevens

2.3 Nilpotent endomorphisms

Inner Product. Euclidean Space. Orthonormal Basis. Orthogonal

For now, let us focus on a specific model of neurons. These are simplified from reality but can achieve remarkable results.

Lecture 5 Decoding Binary BCH Codes

Grover s Algorithm + Quantum Zeno Effect + Vaidman

More metrics on cartesian products

Finding Primitive Roots Pseudo-Deterministically

Cryptanalysis of a Public-key Cryptosystem Using Lattice Basis Reduction Algorithm

Lecture 20: Lift and Project, SDP Duality. Today we will study the Lift and Project method. Then we will prove the SDP duality theorem.

Some basic inequalities. Definition. Let V be a vector space over the complex numbers. An inner product is given by a function, V V C

Stanford University CS359G: Graph Partitioning and Expanders Handout 4 Luca Trevisan January 13, 2011

a b a In case b 0, a being divisible by b is the same as to say that

Section 8.3 Polar Form of Complex Numbers

Linear Feature Engineering 11

Communication Complexity 16:198: February Lecture 4. x ij y ij

Lecture 17: Lee-Sidford Barrier

Foundations of Arithmetic

Poisson brackets and canonical transformations

Lecture Space-Bounded Derandomization

Lecture 3. Ax x i a i. i i

Feature Selection: Part 1

Approximate Smallest Enclosing Balls

NOTES ON SIMPLIFICATION OF MATRICES

1 Matrix representations of canonical matrices

Calculation of time complexity (3%)

DIFFERENTIAL FORMS BRIAN OSSERMAN

First day August 1, Problems and Solutions

U.C. Berkeley CS278: Computational Complexity Professor Luca Trevisan 2/21/2008. Notes for Lecture 8

Finding Dense Subgraphs in G(n, 1/2)

Affine transformations and convexity

FINITELY-GENERATED MODULES OVER A PRINCIPAL IDEAL DOMAIN

MA 323 Geometric Modelling Course Notes: Day 13 Bezier Curves & Bernstein Polynomials

Lecture 12: Discrete Laplacian

3.1 Expectation of Functions of Several Random Variables. )' be a k-dimensional discrete or continuous random vector, with joint PMF p (, E X E X1 E X

The Order Relation and Trace Inequalities for. Hermitian Operators

BOUNDEDNESS OF THE RIESZ TRANSFORM WITH MATRIX A 2 WEIGHTS

Lecture 4. Instructor: Haipeng Luo

5 The Rational Canonical Form

THE WEIGHTED WEAK TYPE INEQUALITY FOR THE STRONG MAXIMAL FUNCTION

Stanford University Graph Partitioning and Expanders Handout 3 Luca Trevisan May 8, 2013

Lecture 10: May 6, 2013

A combinatorial problem associated with nonograms

Eigenvalues of Random Graphs

p 1 c 2 + p 2 c 2 + p 3 c p m c 2

Workshop: Approximating energies and wave functions Quantum aspects of physical chemistry

CSCE 790S Background Results

Quantum Mechanics for Scientists and Engineers. David Miller

A New Refinement of Jacobi Method for Solution of Linear System Equations AX=b

Supplement: Proofs and Technical Details for The Solution Path of the Generalized Lasso

Stanford University CS254: Computational Complexity Notes 7 Luca Trevisan January 29, Notes for Lecture 7

Bezier curves. Michael S. Floater. August 25, These notes provide an introduction to Bezier curves. i=0

Dynamic Programming. Preview. Dynamic Programming. Dynamic Programming. Dynamic Programming (Example: Fibonacci Sequence)

Edge Isoperimetric Inequalities

Exercises. 18 Algorithms

LECTURE 9 CANONICAL CORRELATION ANALYSIS

Bernoulli Numbers and Polynomials

THE SUMMATION NOTATION Ʃ

Norms, Condition Numbers, Eigenvalues and Eigenvectors

Structure and Drive Paul A. Jensen Copyright July 20, 2003

Remarks on the Properties of a Quasi-Fibonacci-like Polynomial Sequence

Complete subgraphs in multipartite graphs

Lecture 21: Numerical methods for pricing American type derivatives

Bézier curves. Michael S. Floater. September 10, These notes provide an introduction to Bézier curves. i=0

CSci 6974 and ECSE 6966 Math. Tech. for Vision, Graphics and Robotics Lecture 21, April 17, 2006 Estimating A Plane Homography

Affine and Riemannian Connections

Maximizing the number of nonnegative subsets

C/CS/Phy191 Problem Set 3 Solutions Out: Oct 1, 2008., where ( 00. ), so the overall state of the system is ) ( ( ( ( 00 ± 11 ), Φ ± = 1

Homework Notes Week 7

COS 521: Advanced Algorithms Game Theory and Linear Programming

The Geometry of Logit and Probit

U.C. Berkeley CS294: Beyond Worst-Case Analysis Handout 6 Luca Trevisan September 12, 2017

Time-Varying Systems and Computations Lecture 6

Computing Correlated Equilibria in Multi-Player Games

GELFAND-TSETLIN BASIS FOR THE REPRESENTATIONS OF gl n

1 Generating functions, continued

THEOREMS OF QUANTUM MECHANICS

The Feynman path integral

763622S ADVANCED QUANTUM MECHANICS Solution Set 1 Spring c n a n. c n 2 = 1.

Lecture 5 September 17, 2015

LINEAR REGRESSION ANALYSIS. MODULE IX Lecture Multicollinearity

Density matrix. c α (t)φ α (q)

CS : Algorithms and Uncertainty Lecture 17 Date: October 26, 2016

Analyzing Blockwise Lattice Algorithms using Dynamical Systems

arxiv: v1 [quant-ph] 6 Sep 2007

Numerical Properties of the LLL Algorithm

9 Characteristic classes

Transcription:

NYU, Fall 2016 Lattces Mn Course Lecture 2: Gram-Schmdt Vectors and the LLL Algorthm Lecturer: Noah Stephens-Davdowtz 2.1 The Shortest Vector Problem In our last lecture, we consdered short solutons to modular equatons. We showed how to fnd such solutons n two dmensons, and we proved that relatvely short solutons always exst. We then generalzed to arbtrary lattces, L := {a 1 b 1 + + a n b n : a Z} for arbtrary lnearly ndependent bass vectors b 1,..., b n. We defned λ 1 (L) to be the length of the shortest non-zero vector (n the Eucldean norm) and showed Mnkowsk s bound, λ 1 (L) n det(l) 1/n. But, we are computer scentsts. So, we re not only nterested n the exstence of short lattce vectors; we want algorthms that fnd them. We therefore defne the followng computatonal problem, whch s the central computatonal problem on lattces. Defnton 2.1. For any approxmaton factor γ = γ(n) 1, the γ-shortest Vector Problem (γ-svp) s defned as follows. The nput s a bass for a lattce L R n. The goal s to output a non-zero lattce vector x L \ {0} wth x γ λ 1 (L). SVP s extremely well-studed for many dfferent approxmaton factors. It turns out to be NP-hard (under randomzed reductons) for any constant approxmaton factor, and t s hard for approxmaton factors up to n c/ log log n for some constant c > 0 under reasonable complexty-theoretc assumptons [Mc01, Kho05, HR12]. Even for polynomal approxmaton factors γ = n C for any constant C, the fastest known algorthm for γ-svp has runnng tme that s exponental n the dmenson! In ths lecture, we wll show the celebrated LLL algorthm, whch effcently solves γ-svp for γ = 2 O(n). Ths mght not sound very mpressve, but t s undoubtedly the most mportant result n the study of computatonal lattce problems. 2.2 The Gram-Schmdt Orthogonalzaton In order to present the LLL algorthm, we need to ntroduce the Gram-Schmdt orthogonalzaton (whch wll turn out to be useful throughout ths course). We start wth two natural defntons. Gven any set S R n, we wrte S for the subspace of vectors perpendcular to all vectors n S. For any subspace W R n and x R n, we wrte π W (x) to be the orthogonal projecton of x onto W. In other words, π W (x) s the unque vector n W such that x π W (x) s n W. Formally, π W (x) := x v, x v / v 2, where the v are any orthogonal bass of W, but the pcture should be clearer than the formal defnton: 2-1

W x π W (x) x π W (x) Gven a bass (b 1,..., b n ), we defne ts Gram-Schmdt orthogonalzaton (or just the Gram-Schmdt vectors) ( b 1,..., b n ) such that b := π {b1,...,b 1 } (b ).. In other words, b s the component of b that s orthogonal to the precedng vectors n the bass. Note that the Gram-Schmdt vectors are mutually orthogonal wth b 1 = b 1. 1 And, notce that the Gram-Schmdt vectors depend crucally on the order of the bass vectors. Clam 2.2. For any lattce L R n wth bass (b 1,..., b n ), λ 1 (L) mn b. Proof. Let x = a b L be a shortest non-zero vector. Snce x s non-zero, t has a non-zero coordnate. Let j be maxmal such that a j 0. Then, snce a = 0 for all > j, x π {b1,...,b j 1 } (x) = a j b j b j mn b, where we have used the fact that a j s a non-zero nteger. It s often convenent to rotate our coordnates so that the Gram-Schmdt vectors are algned wth the standard bass. In these coordnates, our bass (b 1,..., b n ) becomes upper trangular, b 1 µ 1,2 b 1 µ 1,3 b 1 µ 1,n b 1 0 b 2 µ 2,3 b 2 µ 2,n b 2 0 0 b 3 µ 3,n b 3. (2.1)....... 0 0 0 b n 1 Some authors choose to work wth the Gram-Schmdt orthonormalzaton, whch n our notaton s ( b 1/ b 1,..., b n/ b n ). I.e., they normalze so that the Gram-Schmdt vectors have unt length. We ntentonally do not do ths, as the lengths of the Gram-Schmdt vectors wll play a key role n our study of bases. 2-2

By conventon, we wrte the off-dagonal entres as µ,j b. I.e., for < j, we defne µ,j := b, b j b 2. (2.2) In partcular, note that we can trvally modfy the bass to make µ,j 1/2 by smply subtractng an nteger multple of b from b j. We say that a bass s sze-reduced f µ,j 1/2 for all < j. The above representaton mmedately shows that det(l) = b. Combnng ths wth Mnkowsk s theorem from the prevous lecture and Clam 2.2, we have mn b λ 1 (L) n ( 1/n b ). (2.3) One farly natural noton of a good bass for a lattce s one that yelds relatvely tght bounds n Eq. (2.3). In partcular, such a bass mmedately mples a good estmate for λ 1 (L). (And, wth a bt more work, one can show that t yelds a short vector.) Clearly, Eq. (2.3) becomes tghter f the Gram-Schmdt vectors have relatvely smlar lengths. So, ths suggests that we mght prefer bases whose Gram-Schmdt vectors all have roughly the same length. We also have the bound mn b λ 1 (L) b 1, (2.4) snce b 1 = b 1 s a non-zero lattce vector. In other words, the frst vector n our bass wll be a good soluton to SVP f the lengths of the Gram-Schmdt vectors decay slowly. I.e., max b 1 / b bounds the rato of b 1 to λ 1 (L). Ths decay rate of the Gram-Schmdt vectors, max b 1 / b (and the smlar expresson max j b j / b ) turns out to be a very good way to judge a bass, and t leads naturally to the LLL algorthm. (We wll later see that the performance of Baba s nearestplane algorthm also depends on ths rate.) In partcular, as we wll see, the LLL algorthm works by attemptng to control ths decay. 2.3 The LLL Algorthm 2.3.1 LLL-reduced bases The dea behnd the LLL algorthm, due to Lenstra, Lenstra, and Lovász [LLL82], s qute smple and elegant. Instead of lookng at the global decay of the Gram-Schmdt vectors b 1 / b, we consder the local decay b / b +1. We try to mprove ths local decay by swappng adjacent vectors n the bass. I.e., we swtch the places of the vectors b and b +1 f b / b +1 would become sgnfcantly lower as a result. By only consderng adjacent pars of vectors, the LLL algorthm effectvely reduces the problem of fndng a good lattce bass to a smple two-dmensonal lattce problem. So, let s look at the two-dmensonal case, wth a bass (b 1, b 2 ) and correspondng Gram- Schmdt vectors ( b 1, b 2 ). Let b 1 and b 2 be the Gram-Schmdt vectors of the swapped 2-3

bass (b 2, b 1 ). (I.e., b 1 = b 2 and b 2 = π b 2 (b 1 ).) We would lke to know when the decay of the frst bass s no worse than the decay of the second bass. I.e., when do we have b 1 / b 2 b 1 / b 2? Note that det(l) = b 1 b 2 = b 1 b 2. After rearrangng a bt, we see that b 1 / b 2 b 1 / b 2 f and only f b 1 b 1. Recallng that b 1 = b 1 and b 1 = b 2, we see that swappng wll fal to mprove the decay f and only f b 1 b 2. That s a very smple condton! To extend ths to hgher dmensons, t s convenent to wrte ths smple condton usng the µ,j notaton from Eq. (2.2). In ths notaton, b 2 2 = b 2 2 + µ 2 1,2 b 1 2. So, we see that a swap wll fal to mprove the decay of the Gram-Schmdt vectors f and only f b 1 2 b 2 2 + µ 2 1,2 b 1 2. Lenstra, Lenstra, and Lovász extended ths condton to an n-dmensonal bass (b 1,..., b n ) and added a relaxaton parameter δ (1/4, 1] to obtan the Lovász condton: (It s common to take δ = 3/4.) δ b 2 b +1 2 + µ 2,+1 b 2. (2.5) Defnton 2.3. For δ (1/4, 1], we say that a bass (b 1,..., b n ) s δ-lll reduced (or just δ-lll) f (1) t s sze-reduced (.e., µ,j 1/2 for all < j); and (2) t satsfes the Lovász condton n Eq. (2.5). The next theorem shows that a δ-lll bass yelds a relatvely short vector. (It also shows why we take δ > 1/4.) Theorem 2.4. If a bass (b 1,..., b n ) s δ-lll reduced for some δ (1/4, 1], then b 1 (δ 1/4) n/2 λ 1 (L). Proof. By Eq. (2.5), we have δ b 2 b +1 2 + µ 2,+1 b 2 b +1 2 + 1 4 b 2, where we have used the fact that the bass s sze-reduced. After rearrangng, we have b 2 (δ 1/4) 1 b +1 2, and applyng ths repeatedly, we see that b 1 2 (δ 1/4) n b 2 for all. The result then follows from Clam 2.2. 2.3.2 The actual algorthm Of course, Theorem 2.4 s only nterestng f we can fnd LLL-reduced bases. A very smple algorthm actually suffces! Here s the full LLL algorthm, whch takes as nput a bass (b 1,..., b n ): 2-4

1. Sze-reduce the bass. 2. If the bass s δ-lll-reduced, halt and output the bass. 3. Otherwse, pck any ndex such that the Lovasz condton n Eq. (2.5) s not satsfed, and swtch the postons of b and b +1. 4. Repeat. Theorem 2.5. The LLL algorthm termnates n tme poly(s)/ log(1/δ), where S s the bt length of the nput bass. Proof. We assume for smplcty that the nput bass s ntegral. (If the nput s ratonal, then ths s wthout loss of generalty, as we can smply scale the bass by the least common multple of the denomnators n the nput. If there are rratonal entres n the nput bass, then one needs to frst choose a representaton of rratonal numbers.) We wll not bother to prove that the numbers encountered by the algorthm reman bounded by 2 poly(s). (I.e., we wll only bound the arthmetc complexty of the algorthm.) Consder the rather strange potental functon Notce that Φ(b 1,..., b n ) := Φ(b 1,..., b n ) = n b 1 b 2 b. (2.6) =1 n b j n j+1 = det(l) n j=1 n b j 1 j gets larger as the later Gram-Schmdt vectors get shorter. So, we can thnk of Φ as some sort of measure of the decay of the Gram-Schmdt vectors. We observe some basc propertes about Φ. If the b are ntegral, then Φ(b 1,..., b n ) s a product of determnants of ntegral lattces, so that Φ(b 1,..., b n ) 1. 2 Furthermore, Φ(b 1,..., b n ) 2 poly(s) for the nput bass. Fnally, note that Φ only depends on the Gram-Schmdt vectors, so that sze-reducton does not affect Φ. It therefore suffces to show that Φ(B )/Φ(B) poly(δ), where B := (b 1,..., b +1, b,..., b n ) s the bass that results from applyng a sngle swappng step of the LLL algorthm to B := (b 1,..., b n ). Let the Gram-Schmdt vectors of B be ( b 1,..., b n). Notce that for j, the lattce generated by the frst j vectors of B s the same as the lattce generated by the frst j vectors of B. So, the determnants of these prefxes must be the same. I.e., b 1 b j = b 1 b j. It follows from Eq. (2.6) that Φ(B ) Φ(B) = b 1 b b 1 b = b b. 2 Here, we are glossng over the subtlety of what we mean by the determnant of a lattce spanned by a bass B = (b 1,..., b d ) for d < n. Formally, we can take the square root of the determnant of the Gram matrx B T B. Snce the Gram matrx s ntegral, the determnant must be the square root of an nteger. j=1 2-5

Fnally, we note that b = b + µ,+1 b+1. Therefore, b 2 = b 2 + µ 2,+1 b +1 2. Snce the algorthm swapped b and b +1, we must have Therefore, Φ(B )/Φ(B) < δ, as needed. b 2 = b 2 + µ 2,+1 b +1 2 < δ b 2. The followng corollary s an mmedate consequence of Theorems 2.4 and 2.5. Corollary 2.6. For any constant δ (1/4, 1), there s an effcent algorthm that solves γ-svp wth γ := (δ 1/4) n/2. For completeness, we note that a slghtly better algorthm s known the so-called Block Korkne-Zolotarev algorthm, or BKZ. The BKZ algorthm generalzes the LLL algorthm by consderng k-tuples of adjacent vectors n the bass, as opposed to just pars. Theorem 2.7 ([Sch87, AKS01]). For any constant C > 0, there s an effcent algorthm that solves γ-svp wth γ := 2 Cn log log n/ log n. More generally, for any 2 k n, there s an algorthm that solves γ k -SVP n tme 2 O(k) tmes a polynomal n the nput length wth γ k := k n/k 1. 2.3.3 A note on the mportance of ths algorthm An approxmaton factor that s exponental n the dmenson mght not seem very mpressve. But, the LLL algorthm has found nnumerable applcatons. Lenstra, Lenstra, and Lovász orgnally used t to gve an effcent algorthm for factorng ratonal polynomals an applcaton wth obvous mportance. The LLL algorthm s also used to solve computatonal lattce problems and nteger programmng exactly n low dmensons; to fnd nteger relatons and near-nteger relatons of rratonal numbers; to dentfy unknown constants from ther decmal approxmatons; etc. And, t s used as a subroutne n a huge number of lattce algorthms. In the next lecture, we wll see how to use the LLL algorthm to break a large class of knapsack-based encrypton schemes. References [AKS01] Mklós Ajta, Rav Kumar, and D. Svakumar. A seve algorthm for the shortest lattce vector problem. In STOC, pages 601 610, 2001. [HR12] Ishay Havv and Oded Regev. Tensor-based hardness of the shortest vector problem to wthn almost polynomal factors. Theory of Computng, 8(23):513 531, 2012. Prelmnary verson n STOC 07. [Kho05] Subhash Khot. Hardness of approxmatng the shortest vector problem n lattces. Journal of the ACM, 52(5):789 808, September 2005. Prelmnary verson n FOCS 04. [LLL82] A. K. Lenstra, H. W. Lenstra, Jr., and L. Lovász. Factorng polynomals wth ratonal coeffcents. Math. Ann., 261(4):515 534, 1982. 2-6

[Mc01] Danele Mccanco. The shortest vector problem s NP-hard to approxmate to wthn some constant. SIAM Journal on Computng, 30(6):2008 2035, March 2001. Prelmnary verson n FOCS 1998. [Sch87] C.P. Schnorr. A herarchy of polynomal tme lattce bass reducton algorthms. Theoretcal Computer Scence, 53(23):201 224, 1987. 2-7

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback