Lattices. Mathematical background


Lattices: Mathematical background

Lattices in $\mathbb{R}^n$, the $n$-dimensional Euclidean space. That is, $\mathbb{R}^n = \{x = (x_1, \ldots, x_n)^T : x_i \in \mathbb{R}\}$. If $x = (x_1, \ldots, x_n)^T$ and $y = (y_1, \ldots, y_n)^T$, then $\langle x, y \rangle = \sum_i x_i y_i$ (inner product of $x$ and $y$), $\|x\| = \langle x, x \rangle^{1/2}$ (Euclidean length or norm of $x$), and $\|x - y\|$ is the Euclidean distance between $x$ and $y$.

Definition 1: A lattice $L$ is a discrete subgroup of $\mathbb{R}^n$. Subgroup: if $x, y \in L$, then $x - y \in L$. Discrete: there exists $\varepsilon > 0$ s.t. $\|x - y\| \ge \varepsilon$ for all $x \ne y \in L$.

Definition 2: An $n$-dimensional lattice of rank $m$ is a subset $L \subseteq \mathbb{R}^n$ of the form $L = \{x_1 b_1 + \cdots + x_m b_m : x_i \in \mathbb{Z}\}$ where $b_1, \ldots, b_m \in \mathbb{R}^n$ are linearly independent vectors. Every vector in $L$ is an integer linear combination of $b_1, \ldots, b_m$.

Basis: $B = (b_1, \ldots, b_m)$ is called a basis of $L$. $L$ has full rank if $m = n$. We will be mostly interested in full rank lattices, and call them $n$-dimensional lattices. We denote by $L(B)$ the lattice generated by $B$. Thus, if $B$ is a basis, then $L(B) = B\mathbb{Z}^m = \{Bx : x \in \mathbb{Z}^m\}$.

Let $b_1, \ldots, b_m \in \mathbb{R}^n$ (not necessarily linearly independent). Let $L(b_1, \ldots, b_m) = \{x_1 b_1 + \cdots + x_m b_m : x_i \in \mathbb{Z}\}$.

Theorem. $L(b_1, \ldots, b_m)$ is a lattice if $b_1, \ldots, b_m \in \mathbb{Q}^n$, or if $b_1, \ldots, b_m$ are linearly independent.

When $L(b_1, \ldots, b_m)$ is a lattice, $(b_1, \ldots, b_m)$ is said to be a generator. If the $b_i$'s are furthermore linearly independent, then $(b_1, \ldots, b_m)$ is a basis.

Example lattices. Zero lattice: $\{0\}$. Lattice of integers: $\mathbb{Z}^n$. Integral lattices: sublattices of $\mathbb{Z}^n$. $\Lambda_q(A) = \{x \in \mathbb{Z}^m : Ax = 0 \bmod q\}$, where $A$ is a matrix of dimensions $n \times m$, and $q$ an integer. $L(1, \sqrt{2}) = \{x + y\sqrt{2} : x, y \in \mathbb{Z}\}$ is not a lattice, for there exists a sequence of rationals $x_i / y_i$ s.t. $x_i / y_i \to \sqrt{2}$, so $x_i - y_i\sqrt{2} \to 0$ and the set is not discrete.

A lattice in 2 dimensions. Source: http://cseweb.ucsd.edu/~daniele/lattice/lattice.html

A different basis for the same lattice. Source: http://cseweb.ucsd.edu/~daniele/lattice/lattice.html

Lattice Bases. Unimodular matrix: square, having integer entries, and determinant $= \pm 1$.

If $A = (a_{ij})$ and $\det A \ne 0$, then $A^{-1} = (c_{ij})$, where $c_{ij} = (-1)^{i+j} \det A_{ji} / \det A$, and $A_{ji}$ is $A$ with row $j$ and column $i$ omitted. Furthermore, $\det A^{-1} = 1 / \det A$. If $A$ is unimodular, then $A^{-1}$ is unimodular.

Theorem: Two bases $B$ and $C$ generate the same lattice, i.e., $L(B) = L(C)$, iff $B = CU$ for some unimodular matrix $U$.

Proof: ($\Leftarrow$) Assume $B = CU$, $U$ unimodular. Then $C = BU^{-1}$, $U^{-1}$ unimodular. $B = CU \Rightarrow L(B) \subseteq L(C)$; $C = BU^{-1} \Rightarrow L(C) \subseteq L(B)$. Hence $L(B) = L(C)$.

($\Rightarrow$) Assume $L(B) = L(C)$. Each $b_i \in B$ is in the lattice, hence $b_i = C v_i$ for some $v_i \in \mathbb{Z}^m$, and $B = CV$, where $V = (v_i)$. Similarly, $C = BW$ for some square integer matrix $W$. Hence $B = BWV \Rightarrow B(I - WV) = 0 \Rightarrow I - WV = 0$ ($B$ linearly independent) $\Rightarrow \det W \det V = \det(WV) = \det I = 1 \Rightarrow \det W = \det V = \pm 1$.

For each $n > 1$, there is an infinite number of $n$-dimensional unimodular matrices. For example, $\begin{pmatrix} 1 & a \\ 0 & 1 \end{pmatrix}$ is unimodular for any $a \in \mathbb{Z}$. Each lattice of rank $> 1$ has an infinite number of bases.

Fundamental Parallelepiped. Let $B = (b_1, \ldots, b_n)$ be a full rank basis. Fundamental parallelepiped associated to $B$: $P(B) = \{Bx : x = (x_1, \ldots, x_n)^T,\ 0 \le x_i < 1\}$. Centered fundamental parallelepiped: $C(B) = \{Bx : x = (x_1, \ldots, x_n)^T,\ -\tfrac12 \le x_i < \tfrac12\}$. $P(B)$ and $C(B)$ are half open.

The translates $\{P(B) + v : v \in L(B)\}$ form a partition of the whole space $\mathbb{R}^n$: $\mathbb{R}^n = \bigcup_{v \in L(B)} (P(B) + v)$. For any $t \in \mathbb{R}^n$, there exists a unique point $r \in P(B)$ s.t. $t - r \in L(B)$. This unique $r$ is denoted by $t \bmod B$. $t \bmod B$ can be computed efficiently as $t \bmod B = t - B\lfloor B^{-1} t \rfloor$, where $\lfloor x \rfloor$ rounds each coordinate $x_i$ of $x$ down to $\lfloor x_i \rfloor$.

Similarly, the translates $\{C(B) + v : v \in L(B)\}$ form a partition of the whole space $\mathbb{R}^n$: $\mathbb{R}^n = \bigcup_{v \in L(B)} (C(B) + v)$. For any $t$, there exists a unique point $r \in C(B)$ s.t. $t - r \in L(B)$. Let's denote this unique $r$ also by $t \bmod B$. It can be computed efficiently as $t \bmod B = t - B\lceil B^{-1} t \rfloor$, where $\lceil x \rfloor$ rounds each coordinate of $x$ to the nearest integer.
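As an added illustration (this code is not part of the original slides), the following Python checks the unimodular change-of-basis criterion of the theorem above and computes $t \bmod B$ for both the fundamental parallelepiped $P(B)$ and its centered version $C(B)$, using exact rational arithmetic. Matrices follow the slides' convention (basis vectors are the columns of $B$); the sample bases, the target $t$ and the helper names are constructed for this example.

```python
from fractions import Fraction as F
import math

# Convention from the notes: a basis B is a square matrix whose COLUMNS are the
# basis vectors, so L(B) = {Bx : x integer}. Matrices are stored as lists of rows.

def mat(rows):
    """Wrap an integer/rational matrix given as rows into exact Fractions."""
    return [[F(x) for x in row] for row in rows]

def mat_vec(M, v):
    return [sum(a * b for a, b in zip(row, v)) for row in M]

def mat_mul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) for j in range(len(B[0]))]
            for i in range(len(A))]

def inverse_and_det(M):
    """Gauss-Jordan elimination over the rationals. Returns (M^-1, det M);
    raises ValueError if M is singular."""
    n = len(M)
    A = [list(M[i]) + [F(int(i == j)) for j in range(n)] for i in range(n)]
    det = F(1)
    for c in range(n):
        p = next((r for r in range(c, n) if A[r][c] != 0), None)
        if p is None:
            raise ValueError("singular matrix")
        if p != c:                       # row swap flips the sign of the determinant
            A[c], A[p] = A[p], A[c]
            det = -det
        pivot = A[c][c]
        det *= pivot
        A[c] = [x / pivot for x in A[c]]
        for r in range(n):
            if r != c and A[r][c] != 0:
                f = A[r][c]
                A[r] = [x - f * y for x, y in zip(A[r], A[c])]
    return [row[n:] for row in A], det

def is_unimodular(U):
    """Square, integer entries, determinant +-1 (the definition on the slide)."""
    if any(F(x).denominator != 1 for row in U for x in row):
        return False
    try:
        _, det = inverse_and_det(mat(U))
    except ValueError:                   # singular => det 0 => not unimodular
        return False
    return abs(det) == 1

def change_of_basis(B, C):
    """The matrix U with B = C U.  By the theorem, L(B) = L(C) iff U is unimodular."""
    Cinv, _ = inverse_and_det(mat(C))
    return mat_mul(Cinv, mat(B))

def same_lattice(B, C):
    return is_unimodular(change_of_basis(B, C))

def reduce_mod_basis(B, t, centered=False):
    """t mod B = t - B*rnd(B^-1 t).  With floor the result lies in P(B); with
    nearest-integer rounding (ties rounded up) it lies in the centered C(B)."""
    Binv, _ = inverse_and_det(mat(B))
    x = mat_vec(Binv, [F(c) for c in t])
    rnd = (lambda a: math.floor(a + F(1, 2))) if centered else math.floor
    k = [rnd(a) for a in x]
    Bk = mat_vec(mat(B), k)
    return [F(ti) - bi for ti, bi in zip(t, Bk)]

def coordinates(B, r):
    """B^-1 r: the coefficients of r in basis B, used to check which cell r lies in."""
    Binv, _ = inverse_and_det(mat(B))
    return mat_vec(Binv, [F(c) for c in r])

if __name__ == "__main__":
    # Constructed sample: b1 = (2,0)^T, b2 = (1,3)^T; C uses c2 = b1 + b2; D uses 2*b2.
    B = [[2, 1], [0, 3]]
    C = [[2, 3], [0, 3]]
    D = [[2, 2], [0, 6]]
    print("U for (C, B):", change_of_basis(C, B), "same lattice:", same_lattice(C, B))
    print("U for (D, B):", change_of_basis(D, B), "same lattice:", same_lattice(D, B))
    t = [5, 4]
    r = reduce_mod_basis(B, t)
    print("t mod B in P(B):", r, "coordinates:", coordinates(B, r))
    rc = reduce_mod_basis(B, t, centered=True)
    print("t mod B in C(B):", rc, "coordinates:", coordinates(B, rc))
```

Both reductions return a point that differs from $t$ by a lattice vector; the coordinate check confirms the first lands in $[0,1)^2$ and the second in $[-\tfrac12,\tfrac12)^2$, which is exactly the difference between $P(B)$ and $C(B)$.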

Gram-Schmidt orthogonalization. A basis $B = (b_1, \ldots, b_n)$ of a vector space is orthogonal if $\langle b_i, b_j \rangle = 0$ for $i \ne j$. $B$ is orthonormal if $\langle b_i, b_j \rangle = \delta_{ij}$, where $\delta_{ij}$ is Kronecker's delta. Any basis $B = (b_1, \ldots, b_n)$ can be transformed to an orthogonal basis $B^* = (b_1^*, \ldots, b_n^*)$ using the well-known Gram-Schmidt orthogonalization process:
$$b_1^* = b_1, \qquad b_i^* = b_i - \sum_{j < i} \mu_{i,j} b_j^*, \quad \text{where } \mu_{i,j} = \frac{\langle b_i, b_j^* \rangle}{\langle b_j^*, b_j^* \rangle} = \frac{\langle b_i, b_j^* \rangle}{\|b_j^*\|^2}.$$

Determinant. $B, C$: full rank bases. $B^*$: the Gram-Schmidt basis of $B$. Theorem: If $B, C$ are two bases of the same lattice, then $\det B = \pm \det C$. Also, $|\det B| = \prod_i \|b_i^*\|$.

Definition: The determinant of a lattice $\Lambda = L(B)$ is $\det \Lambda = \det L(B) = \mathrm{vol}(P(B)) = \prod_i \|b_i^*\| = |\det B|$. This quantity is an invariant of $\Lambda$, independent of the basis.

Hermite normal form. A square, non-singular, integer or rational matrix $B = (b_{ij})$ is in Hermite normal form (HNF) iff $B$ is lower triangular ($b_{ij} = 0$ for $i < j$) and, for all $j < i$, $0 \le b_{ij} < b_{ii}$. Some authors prefer using upper triangular matrices. Examples: [two $4 \times 4$ matrices, one lower triangular and one upper triangular; their entries are not recoverable from the transcription].

HNF for singular or non-square matrices. An integer or rational $n \times m$ matrix $B = (b_{ij})$ is in HNF if there exist indices $1 \le i_1 < i_2 < \cdots < i_h \le n$ s.t. $b_{ij} \ne 0 \Rightarrow j \le h$ and $i \ge i_j$, and, for all $k < j$, $0 \le b_{i_j k} < b_{i_j j}$. Example: [a matrix with 30 entries whose layout is not recoverable from the transcription].

The first $h$ columns are linearly independent.

Theorem: If two matrices $B, B'$ in HNF generate the same lattice, then $B = B'$ (except for the number of zero columns at the end).

Theorem: Any lattice $L(B)$ has a unique basis $H$ in HNF, which can be constructed from $B$ in polynomial time.

HNF is useful for solving many lattice problems. Basis Problem: Given a set of rational vectors $B$, find a basis for the lattice $L(B)$.

Good bases and bad bases. Let $B = (b_1, \ldots, b_n)$ be a basis of lattice $L$. Roughly speaking, $B$ is a good basis if the vectors $b_i$ are reasonably short and nearly orthogonal, i.e. the inequality $\det(L) \le \prod_i \|b_i\|$ comes close to equality. $\mathrm{HNF}(L)$ is a bad basis and is a good choice for the public lattice basis. It reveals no more information about $L$'s structure than any other basis, because $\mathrm{HNF}(L)$ can be computed from any basis in polynomial time.

Dual Lattice. The dual of a (full rank) lattice $\Lambda = L(B)$ is the set $\Lambda^* = \{x \in \mathbb{R}^n : \langle x, v \rangle \in \mathbb{Z} \text{ for all } v \in \Lambda\}$.

Theorem: The dual of a lattice $\Lambda = L(B)$ is a lattice with basis $D = (B^{-1})^T = (B^T)^{-1}$. That is, $L(D) = \Lambda^*$.

$L(D) \subseteq \Lambda^*$: $\langle d_i, b_j \rangle = (D^T B)_{i,j} = I_{i,j} \in \mathbb{Z}$.

$\Lambda^* \subseteq L(D)$: If $x \in \Lambda^*$, then $\langle x, b_j \rangle \in \mathbb{Z}$ for all $j$, which means $B^T x \in \mathbb{Z}^n$, so $x = (B^T)^{-1}(B^T x) = D(B^T x) \in L(D)$.

Minimum distance and shortest vector. Definition: The minimum distance of a lattice $\Lambda = L(B)$ is the smallest distance between any two lattice points: $\lambda(\Lambda) = \min\{\|x - y\| : x, y \in \Lambda,\ x \ne y\}$. Note that $\lambda(\Lambda)$ is equal to the length of a shortest nonzero lattice vector: $\lambda(\Lambda) = \lambda_1(\Lambda) = \min\{\|x\| : x \in \Lambda,\ x \ne 0\}$. We can use $\min$ because lattices are discrete.

Successive minima. Definition: For any lattice $\Lambda$ and integer $k \le \mathrm{rank}(\Lambda)$, let $\lambda_k(\Lambda)$ be the smallest $r$ s.t. the closed ball $B(r)$ contains at least $k$ linearly independent lattice vectors. That is, $\lambda_k(\Lambda) = \min\{\max(\|x_1\|, \ldots, \|x_k\|) : x_1, \ldots, x_k \in \Lambda \text{ linearly independent}\}$ // length of the $k$-th shortest linearly independent vector //. Obviously, $\lambda_1(\Lambda) \le \lambda_2(\Lambda) \le \cdots \le \lambda_k(\Lambda)$. $\lambda_1, \ldots, \lambda_k$ are called successive minima of $\Lambda$: first minimum, second minimum, and so on.

Easy Lattice Problems.

Equivalence problem: Given two bases $B$ and $B'$, determine if they generate the same lattice, $L(B) = L(B')$. Solution: Compute and check if $\mathrm{HNF}(B) = \mathrm{HNF}(B')$.

Sum of lattices: Given bases $B$ and $B'$, find a basis for the smallest lattice containing both $L(B)$ and $L(B')$, which is $L(B) + L(B') = \{x + y : x \in L(B),\ y \in L(B')\}$. Solution: Compute $\mathrm{HNF}(B, B')$.

Containment problem: Given two bases $B$ and $B'$, determine if $L(B) \subseteq L(B')$. Solution: Is $\mathrm{HNF}(B') = \mathrm{HNF}(B, B')$?

Membership problem: Is $v \in L(B)$? Solution: Check if $\mathrm{HNF}(B, v) = \mathrm{HNF}(B)$.

Dual lattice: Given a lattice basis $B$, compute its dual. Solution: $D := (B^{-1})^T$ or $(B^T)^{-1}$.

Intersection of lattices: Given two bases $B$ and $B'$, find a basis for the intersection $L(B) \cap L(B')$. Solution: If $D, D'$ are the duals of $B, B'$, then the dual lattice of $L(B) \cap L(B')$ is $L(D, D')$. So: compute the dual bases $D, D'$ of $B, B'$; compute a basis for $L(D, D')$: $H := \mathrm{HNF}(D, D')$; compute the dual of $H$.
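The HNF-based solutions on this slide and the previous one (equivalence, sum, containment, membership), implemented as an added example; this code is not from the slides. It assumes integer generators that span $\mathbb{R}^n$ (a full rank lattice), uses the column convention $L(B) = \{Bx\}$, and produces the lower-triangular form defined above by column operations only, so the lattice is never changed. The sample bases and vectors are constructed for the example.

```python
def hnf(cols):
    """Hermite normal form of the lattice generated by the integer column vectors
    `cols`, assumed to have full rank n (= length of each vector).  Only column
    operations are used (right-multiplication by unimodular matrices), so the
    lattice is unchanged.  Returns n columns forming a lower-triangular basis with
    h[i][i] > 0 and 0 <= h[j][i] < h[i][i] for every j < i (h[j][i] = row i of column j)."""
    n = len(cols[0])
    cols = [list(c) for c in cols]
    for i in range(n):
        # Euclid's algorithm on row i across columns i, i+1, ...: afterwards the
        # gcd of those entries sits at cols[i][i] and the entries to its right are 0.
        for j in range(i + 1, len(cols)):
            while cols[j][i] != 0:
                q = cols[i][i] // cols[j][i]
                cols[i] = [a - q * b for a, b in zip(cols[i], cols[j])]
                cols[i], cols[j] = cols[j], cols[i]
        if cols[i][i] == 0:
            raise ValueError("generators do not have full rank")
        if cols[i][i] < 0:
            cols[i] = [-a for a in cols[i]]
        # Reduce the entries of row i to the left of the diagonal into [0, h_ii).
        # Column i is zero in rows < i, so earlier rows are not disturbed.
        for j in range(i):
            q = cols[j][i] // cols[i][i]
            cols[j] = [a - q * b for a, b in zip(cols[j], cols[i])]
    return cols[:n]      # any remaining columns are now zero and are dropped

def same_lattice(B, Bp):
    """Equivalence problem: L(B) = L(B') iff HNF(B) = HNF(B')."""
    return hnf(B) == hnf(Bp)

def lattice_sum(B, Bp):
    """Sum of lattices: a basis for L(B) + L(B') is HNF(B, B')."""
    return hnf(B + Bp)

def is_sublattice(B, Bp):
    """Containment problem: L(B) is a subset of L(B') iff HNF(B') = HNF(B, B')."""
    return hnf(Bp) == hnf(B + Bp)

def is_member(B, v):
    """Membership problem: v in L(B) iff HNF(B, v) = HNF(B)."""
    return hnf(B + [v]) == hnf(B)

def lattice_det(B):
    """det L(B) is invariant, so it can be read off the HNF diagonal."""
    d = 1
    for i, c in enumerate(hnf(B)):
        d *= c[i]
    return d

if __name__ == "__main__":
    # Constructed sample: B has columns (2,1) and (0,3); C has columns (2,1) and (2,4)
    # (= b1 + b2, so the same lattice); B2 has columns (4,2) and (0,3) (a sublattice).
    B = [[2, 1], [0, 3]]
    C = [[2, 1], [2, 4]]
    B2 = [[4, 2], [0, 3]]
    print("HNF(B) =", hnf(B), " HNF(C) =", hnf(C), " same:", same_lattice(B, C))
    print("L(B2) in L(B):", is_sublattice(B2, B), " L(B) in L(B2):", is_sublattice(B, B2))
    print("(4,5) in L(B):", is_member(B, [4, 5]), " (1,0) in L(B):", is_member(B, [1, 0]))
    print("L(B) + L((1,0)) =", lattice_sum(B, [[1, 0]]), " det L(B) =", lattice_det(B))
```

Because the HNF of a full rank lattice is unique, every one of these questions reduces to computing an HNF and comparing it entry by entry, which is the point the slides make: the HNF is the canonical "bad" basis that any basis can be turned into in polynomial time.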

Cyclic lattice: Let $r(x)$ be the cyclic rotation of vector $x$, i.e., $r(x_1, \ldots, x_n) = (x_n, x_1, \ldots, x_{n-1})$. A lattice $\Lambda$ is cyclic iff $x \in \Lambda$ implies $r(x) \in \Lambda$.

Problem: Given $B = (b_1, \ldots, b_m)$, find the smallest cyclic lattice containing $L(B)$. Sol: The lattice generated by all the vector rotations $r^j(b_i)$, $0 \le j < n$, $1 \le i \le m$, where $r^0(x) = x$ and $r^j(x) = r(r^{j-1}(x))$.

Problem: Is a given lattice $L(B)$ cyclic? Sol: $L(B)$ cyclic $\Leftrightarrow r(L(B)) \subseteq L(B) \Leftrightarrow r(B) \subseteq L(B)$.

Some Important Hard Lattice Problems

Shortest Vector Problems. Exact Shortest Vector Problem (SVP): Given a basis for a lattice $L$ of rank $n$, find a nonzero vector $v \in L$ of length $\lambda_1(L)$. Approximate Shortest Vector Problem ($\mathrm{SVP}_\gamma$): Given a basis for a lattice $L$ of rank $n$, find a nonzero vector $v \in L$ of length at most $\gamma \cdot \lambda_1(L)$. (The approximation factor $\gamma$ may be a function of $n$.) SVP has been studied since the time of Gauss (1801).

Hardness of $\mathrm{SVP}_\gamma$. NP-hard for any constant $\gamma$: there is no polynomial algorithm unless P = NP. Hard for $\gamma(n) = n^{c / \log\log n}$ for some $c > 0$: there is no polynomial algorithm unless NP $\subseteq$ RSUBEXP. Cannot be NP-hard for $\gamma(n) = \sqrt{n / \log n}$ unless NP $\subseteq$ coAM. Cannot be NP-hard for $\gamma(n) = \sqrt{n}$ unless NP = coNP.

  $\gamma$:    constant    $n^{c/\log\log n}$    $\sqrt{n/\log n}$    $\sqrt{n}$
  status:      NP-hard     hard                  unlikely NP-hard     unlikely NP-hard

$\mathrm{SVP}_\gamma$ can be solved in polynomial time: LLL algorithm (1982), for $\gamma(n) = 2^{n/2}$; deterministic algorithm. Schnorr (1985): for $\gamma(n) = 2^{O(n (\log\log n)^2 / \log n)}$; deterministic algorithm. Ajtai, Kumar, and Sivakumar (2001): $\gamma(n) = 2^{O(n \log\log n / \log n)}$; randomized algorithm with bounded error.

  $\gamma$:    $\sqrt{n}$          $2^{O(n \log\log n / \log n)}$    $2^{O(n (\log\log n)^2 / \log n)}$    $2^{n/2}$
  status:      unlikely NP-hard    BPP                               P                                     P

$\mathrm{SVP}_\gamma$: open problems. It would be a breakthrough if one can: solve $\mathrm{SVP}_{n^c}$ in polynomial time for some $c > 0$; prove $\mathrm{SVP}_{n^\varepsilon}$ hard or NP-hard for some $\varepsilon > 0$.

Two other important problems: CVP and SIVP. Closest Vector Problem ($\mathrm{CVP}_\gamma$): Given a basis for a lattice $L$ (of rank $n$) and a vector $t$, find a nonzero vector $v \in L$ s.t. $\|t - v\| \le \gamma(n) \cdot \mathrm{dist}(t, L)$. Shortest Independent Vectors Problem ($\mathrm{SIVP}_\gamma$): Given a basis for a lattice $L$ of rank $n$, find $n$ linearly independent vectors $v_1, \ldots, v_n \in L$ of length at most $\gamma(n) \cdot \lambda_n(L)$.

$\mathrm{CVP}_\gamma$ is at least as hard as $\mathrm{SVP}_\gamma$. Theorem: $\mathrm{SVP}_\gamma$ can be reduced to $\mathrm{CVP}_\gamma$: $\mathrm{SVP}_\gamma \le \mathrm{CVP}_\gamma$.

Proof (for $\gamma = 1$): Let $B = (b_1, \ldots, b_n)$ be the input to SVP. We wish to find a shortest vector $s = \sum_i x_i b_i \in L(B)$ by calling CVP. The idea is to consider a sublattice $L' \subseteq L(B)$ and a point $c \in L \setminus L'$ s.t. $c + s \in L'$, in which case $\mathrm{dist}(c, L') = \|s\|$. Thus, if $y \leftarrow \mathrm{CVP}(L', c)$, then $y - c$ is a solution to $\mathrm{SVP}(L)$. Based on this idea, for each $i$, consider the point $b_i$ and the sublattice $L_i$ generated by $B_i = (b_1, \ldots, 2b_i, \ldots, b_n)$. We have $b_i \in L \setminus L_i$, and $b_i + s \in L_i$ if $x_i$ is odd. Let $y_i \leftarrow \mathrm{CVP}(B_i, b_i)$. The shortest vector among the $y_i - b_i$ is a shortest vector in $L(B)$.

Relationship among SVP, CVP, SIVP: $\mathrm{SVP}_\gamma \le \mathrm{CVP}_\gamma$. $\mathrm{SIVP}_\gamma \le \mathrm{CVP}_\gamma$. $\mathrm{SVP}_\gamma \le \mathrm{SIVP}_{\gamma'}$ (the factor $\gamma'$ is not recoverable from the transcription). Open problem: $\mathrm{SVP}_\gamma \le \mathrm{SIVP}_\gamma$?

Bounded Distance Decoding Problem ($\mathrm{BDDP}_\gamma$): Given a lattice $L$ and a vector $t$ satisfying $(1 + \gamma(n)) \cdot \mathrm{dist}(t, L) < \lambda_1(L)$, find a nonzero vector $v \in L$ s.t. $\|t - v\| \le \gamma(n) \cdot \mathrm{dist}(t, L)$. Same as $\mathrm{CVP}_\gamma$ except for the "bounded" condition on $t$, which implies a unique solution.

Uniqueness: The vector $v \in L$ with $\|t - v\| = \mathrm{dist}(t, L)$ is obviously a solution, and any other $w \in L$ is not a solution since $\|t - w\| \ge \|v - w\| - \|v - t\| \ge \lambda_1(L) - \mathrm{dist}(t, L) > (1 + \gamma(n)) \cdot \mathrm{dist}(t, L) - \mathrm{dist}(t, L) = \gamma(n) \cdot \mathrm{dist}(t, L)$.

Centered Orthogonalized Parallelepiped. Let $B = (b_1, \ldots, b_m)$ be a basis. Let $B^* = (b_1^*, \ldots, b_m^*)$ be the Gram-Schmidt matrix of $B$. Centered orthogonalized parallelepiped: $C(B^*) = \{B^* x : x = (x_1, \ldots, x_m)^T,\ -\tfrac12 \le x_i < \tfrac12\}$. $C(B^*)$ is a fundamental region: $\mathrm{Span}(B) = \bigcup_{v \in L(B)} (C(B^*) + v)$. Nearest plane algorithm: Given a target point $t \in \mathrm{Span}(B)$, find the unique cell $C(B^*) + v$ that contains $t$.

A lattice in 2 dimensions. Source: http://cseweb.ucsd.edu/~daniele/lattice/lattice.html

Nearest Plane Algorithm. Given $B$ and $t$, find a lattice point $v = c_1 b_1 + \cdots + c_n b_n \in L(B)$ s.t. $\langle t - v, b_i^* \rangle / \|b_i^*\|^2 \in [-\tfrac12, \tfrac12)$ for all $i$. In particular, if $t \in \mathrm{Span}(B)$, then $t \in C(B^*) + v$.

Let $L(B')$ be the sublattice generated by $B' = (b_1, \ldots, b_{n-1})$. $L(B)$ can be decomposed into "sublattices": $L(B) = \bigcup_{c \in \mathbb{Z}} (c\, b_n + L(B')) \subseteq \bigcup_{c \in \mathbb{Z}} (c\, b_n + \mathrm{span}(B'))$. The hyperplane $c\, b_n + \mathrm{span}(B')$ closest to $t$ is obtained for $c' = \langle t, b_n^* \rangle / \|b_n^*\|^2$. We choose $c = \lceil c' \rfloor$.

Algorithm NearestPlane($B = (b_1, \ldots, b_n)$, $t$):
    if $n = 0$ then return $0$
    else
        $B^* \leftarrow$ Gram-Schmidt($B$)
        $c \leftarrow \lceil \langle t, b_n^* \rangle / \|b_n^*\|^2 \rfloor$
        return $c\, b_n$ + NearestPlane($(b_1, \ldots, b_{n-1})$, $t - c\, b_n$)

Correctness Proof. By induction on $n$. For $n = 0$, the output meets the requirement. Assume the algorithm returns a correct answer for ranks $< n$. Let $C = (b_1, \ldots, b_{n-1})$ and $B = (C, b_n)$. Then $B^* = (C^*, b_n^*)$. By the IH, the recursive call returns a lattice point $v' \in L(C)$ s.t. $\langle (t - c\, b_n) - v', b_i^* \rangle / \|b_i^*\|^2 \in [-\tfrac12, \tfrac12)$ for all $i = 1, \ldots, n-1$. The output of the algorithm is $v = v' + c\, b_n$. We need to prove $\langle t - v, b_i^* \rangle / \|b_i^*\|^2 \in [-\tfrac12, \tfrac12)$ for all $i$.

For $i = 1, \ldots, n-1$: $\langle t - v, b_i^* \rangle = \langle t - (v' + c\, b_n), b_i^* \rangle = \langle (t - c\, b_n) - v', b_i^* \rangle$, so the claim follows from the IH. For $i = n$:
$$\frac{\langle t - (v' + c\, b_n), b_n^* \rangle}{\|b_n^*\|^2} = \frac{\langle t, b_n^* \rangle}{\|b_n^*\|^2} - \frac{\langle v', b_n^* \rangle}{\|b_n^*\|^2} - c\,\frac{\langle b_n, b_n^* \rangle}{\|b_n^*\|^2} = \frac{\langle t, b_n^* \rangle}{\|b_n^*\|^2} - c \in [-\tfrac12, \tfrac12),$$
where we have used $\langle v', b_n^* \rangle = 0$ and $\langle b_n, b_n^* \rangle = \|b_n^*\|^2$.

Nearest Plane Algorithm and Closest Vector Problem. Fact: $\lambda_1(L(B)) \ge \min_i \|b_i^*\|$. The fundamental region $C(B^*)$ contains a sphere centered at $0$ of radius $\rho = \min_i \|b_i^*\| / 2 \le \lambda_1(L(B)) / 2$. Thus, if a point $t$ is within distance $\rho$ of a lattice point $v \in L(B)$, then $v$ is the closest lattice point to $t$, and NearestPlane($B$, $t$) will solve the CVP.
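An added worked example (not code from the slides) that implements Gram-Schmidt orthogonalization, the determinant identity $\det L(B) = \prod_i \|b_i^*\|$ from the Determinant slide, the NearestPlane algorithm of the preceding slides, and the decoding radius $\rho$ from this slide, all in exact rational arithmetic so the $[-\tfrac12, \tfrac12)$ guarantee can be checked exactly. The basis vectors are given as a list of vectors, and the basis, the targets and all function names are constructed for this example.

```python
from fractions import Fraction as F
import math

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def gram_schmidt(B):
    """B: list of basis vectors b_1..b_n.  Returns (B*, mu) with
    b_i* = b_i - sum_{j<i} mu_ij b_j*  and  mu_ij = <b_i, b_j*> / <b_j*, b_j*>,
    exactly as on the Gram-Schmidt slide, using exact Fractions."""
    Bstar, mu = [], []
    for i, b in enumerate(B):
        b = [F(x) for x in b]
        row, bs = [], list(b)
        for j in range(i):
            m = dot(b, Bstar[j]) / dot(Bstar[j], Bstar[j])
            row.append(m)
            bs = [x - m * y for x, y in zip(bs, Bstar[j])]
        Bstar.append(bs)
        mu.append(row)
    return Bstar, mu

def lattice_det_squared(B):
    """det(L(B))^2 = prod ||b_i*||^2 (squared to stay in the rationals)."""
    Bstar, _ = gram_schmidt(B)
    out = F(1)
    for bs in Bstar:
        out *= dot(bs, bs)
    return out

def round_half_up(x):
    """Nearest integer with ties rounded up, so that x - round(x) lies in [-1/2, 1/2)."""
    return math.floor(x + F(1, 2))

def nearest_plane(B, t):
    """NearestPlane(B, t): returns v in L(B) with <t - v, b_i*>/||b_i*||^2 in [-1/2, 1/2)
    for every i.  This is the slides' recursion unrolled into a loop from b_n down to b_1;
    it is valid because the Gram-Schmidt vectors of (b_1..b_{i}) are the first i of B*."""
    Bstar, _ = gram_schmidt(B)
    r = [F(x) for x in t]            # what remains of the target after peeling off c*b_i
    v = [F(0)] * len(t)              # the lattice point being built up
    for i in range(len(B) - 1, -1, -1):
        c = round_half_up(dot(r, Bstar[i]) / dot(Bstar[i], Bstar[i]))
        r = [x - c * y for x, y in zip(r, B[i])]
        v = [x + c * y for x, y in zip(v, B[i])]
    return v

def gs_coefficients(B, t, v):
    """The numbers <t - v, b_i*>/||b_i*||^2 that the correctness proof bounds."""
    Bstar, _ = gram_schmidt(B)
    d = [F(a) - b for a, b in zip(t, v)]
    return [dot(d, bs) / dot(bs, bs) for bs in Bstar]

def cvp_radius_squared(B):
    """rho^2 with rho = min_i ||b_i*|| / 2: a target within rho of a lattice point
    is decoded to that point by nearest_plane."""
    Bstar, _ = gram_schmidt(B)
    return min(dot(bs, bs) for bs in Bstar) / 4

if __name__ == "__main__":
    # Constructed sample basis (rows are b_1, b_2, b_3); det = 4*3*4 = 48.
    B = [[4, 0, 0], [1, 3, 0], [0, 1, 4]]
    Bstar, mu = gram_schmidt(B)
    print("B* =", Bstar, " mu =", mu)
    print("det^2 =", lattice_det_squared(B), " rho^2 =", cvp_radius_squared(B))
    # Lattice point b1 + 2 b2 - b3 = (6,5,-4) perturbed by (1/2,-1/2,1/2): ||e||^2 = 3/4 < rho^2.
    t = [F(13, 2), F(9, 2), F(-7, 2)]
    v = nearest_plane(B, t)
    print("nearest_plane ->", v, " GS coefficients of t - v:", gs_coefficients(B, t, v))
```

The coefficients printed for $t - v$ all lie in $[-\tfrac12, \tfrac12)$, which is the property the correctness proof establishes; since $\|t - v\|^2 = 3/4 < \rho^2 = 9/4$, the returned point is also the exact closest vector, as the fact on this slide guarantees.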

Recall RSA Cryptosystem. Key generation: (a) Randomly generate $n := pq$ for large primes $p, q$. (b) Public key: $e$, coprime to $\varphi(n)$. (c) Secret key: $d := e^{-1} \bmod \varphi(n)$. The security of RSA requires that breaking RSA is hard for all (but a negligible portion of) instances. By breaking RSA we mean finding the secret key. It depends on the assumption that factoring a randomly generated semiprime $n = pq$ is hard.

Ajtai's worst-case to average-case reduction. Worst-case to worst-case reduction, say $P_1 \le P_2$: If there is an algorithm that solves $P_2$ in the worst case, then there is an algorithm that solves $P_1$ in the worst case. Worst-case to average-case reduction, say $P_1 \le P_2$: If there is an algorithm that solves a randomly generated instance of $P_2$ with non-negligible probability, then there is an algorithm that solves the worst case of $P_1$ with probability 1. In 1996, Ajtai established such a worst-case to average-case reduction for some lattice problems.

Let $A$ be a matrix of dimensions $n \times m$, and $q$ an integer, where $m = c_1 n \log n$ and $q = n^{c_2}$. Define $\Lambda_q(A) = \{x \in \mathbb{Z}^m : Ax = 0 \bmod q\}$. Ajtai showed: worst-case $n^c$-unique-SVP on an $n$-dimensional lattice $\le$ average-case SVP on $\Lambda_q(A)$, for some $c$, $c_1$ and $c_2$. Based on this reduction, Ajtai and Dwork in 1997 constructed a public-key cryptosystem whose security depends on the (conjectured) worst-case hardness of unique-SVP.

Later, when we study FHE schemes, it is important to note whether the security is based on worst-case or average-case hardness. Q: Is the security of RSA based on the worst-case hardness or the average-case hardness of semiprime factorization?