Lattices and the Shortest Vector Problem

Similar documents
The Euclidean Algorithm and Multiplicative Inverses

The Shortest Vector Problem (Lattice Reduction Algorithms)

2 Elementary number theory

CS250: Discrete Math for Computer Science

This is a recursive algorithm. The procedure is guaranteed to terminate, since the second argument decreases each time.

Econ Slides from Lecture 7

8 Primes and Modular Arithmetic

j=1 u 1jv 1j. 1/ 2 Lemma 1. An orthogonal set of vectors must be linearly independent.

Hermite normal form: Computation and applications

Lattices and Hermite normal form

CISC-102 Winter 2016 Lecture 11 Greatest Common Divisor

4 Powers of an Element; Cyclic Groups

Math Circle Beginners Group February 28, 2016 Euclid and Prime Numbers Solutions

COMP239: Mathematics for Computer Science II. Prof. Chadi Assi EV7.635

Intermediate Math Circles February 26, 2014 Diophantine Equations I

The following is an informal description of Euclid s algorithm for finding the greatest common divisor of a pair of numbers:

Elementary Properties of the Integers

ANALYTICAL MATHEMATICS FOR APPLICATIONS 2018 LECTURE NOTES 3

Notes for Lecture 15

Solutions Math 308 Homework 9 11/20/2018. Throughout, let a, b, and c be non-zero integers.

Homework 3, solutions

Primitive sets in a lattice

1 Shortest Vector Problem

2 Arithmetic. 2.1 Greatest common divisors. This chapter is about properties of the integers Z = {..., 2, 1, 0, 1, 2,...}.

16.1 Min-Cut as an LP

Chapter 2. Divisibility. 2.1 Common Divisors

CISC-102 Fall 2017 Week 6

cse 311: foundations of computing Fall 2015 Lecture 12: Primes, GCD, applications

MAT2342 : Introduction to Applied Linear Algebra Mike Newman, fall Projections. introduction

cse 311: foundations of computing Spring 2015 Lecture 12: Primes, GCD, applications

DS-GA 1002 Lecture notes 0 Fall Linear Algebra. These notes provide a review of basic concepts in linear algebra.

CSC 2414 Lattices in Computer Science September 27, Lecture 4. An Efficient Algorithm for Integer Programming in constant dimensions

Divisibility. Def: a divides b (denoted a b) if there exists an integer x such that b = ax. If a divides b we say that a is a divisor of b.

Intermediate Math Circles February 29, 2012 Linear Diophantine Equations I

1. multiplication is commutative and associative;

Lattice Basis Reduction and the LLL Algorithm

Math Circle Beginners Group February 28, 2016 Euclid and Prime Numbers

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

PUTNAM TRAINING NUMBER THEORY. Exercises 1. Show that the sum of two consecutive primes is never twice a prime.

ALGEBRA. 1. Some elementary number theory 1.1. Primes and divisibility. We denote the collection of integers

UNDERSTANDING THE DIAGONALIZATION PROBLEM. Roy Skjelnes. 1.- Linear Maps 1.1. Linear maps. A map T : R n R m is a linear map if

USA Mathematical Talent Search Round 1 Solutions Year 27 Academic Year

Greatest Common Divisor MATH Greatest Common Divisor. Benjamin V.C. Collins, James A. Swenson MATH 2730

Linear Algebra (part 1) : Vector Spaces (by Evan Dummit, 2017, v. 1.07) 1.1 The Formal Denition of a Vector Space

MATH10040 Chapter 1: Integers and divisibility

Proof 1: Using only ch. 6 results. Since gcd(a, b) = 1, we have

Solution Sheet (i) q = 5, r = 15 (ii) q = 58, r = 15 (iii) q = 3, r = 7 (iv) q = 6, r = (i) gcd (97, 157) = 1 = ,

Some Facts from Number Theory

Lecture 2: Lattices and Bases

Divisibility. Chapter Divisors and Residues

. The following is a 3 3 orthogonal matrix: 2/3 1/3 2/3 2/3 2/3 1/3 1/3 2/3 2/3

Mat Week 8. Week 8. gcd() Mat Bases. Integers & Computers. Linear Combos. Week 8. Induction Proofs. Fall 2013

Lecture #21. c T x Ax b. maximize subject to

Mathematical Foundations of Cryptography

6.S897 Algebra and Computation February 27, Lecture 6

Student Responsibilities Week 8. Mat Section 3.6 Integers and Algorithms. Algorithm to Find gcd()

NOTES ON SIMPLE NUMBER THEORY

Organization of a Modern Compiler. Middle1

19. Basis and Dimension

Linear Algebra. Preliminary Lecture Notes

Number Theory and Graph Theory. Prime numbers and congruences.

Elementary Algebra Chinese Remainder Theorem Euclidean Algorithm

47-831: Advanced Integer Programming Lecturer: Amitabh Basu Lecture 2 Date: 03/18/2010

Example: This theorem is the easiest way to test an ideal (or an element) is prime. Z[x] (x)

WORKSHEET ON NUMBERS, MATH 215 FALL. We start our study of numbers with the integers: N = {1, 2, 3,...}

Prof. Ila Varma HW 8 Solutions MATH 109. A B, h(i) := g(i n) if i > n. h : Z + f((i + 1)/2) if i is odd, g(i/2) if i is even.

Number Theory Math 420 Silverman Exam #1 February 27, 2018

Chapter 1 A Survey of Divisibility 14

Number Theory Proof Portfolio

4. Number Theory (Part 2)

Direct Proof MAT231. Fall Transition to Higher Mathematics. MAT231 (Transition to Higher Math) Direct Proof Fall / 24

Math (P)Review Part II:

Integers and Division

INVERSE OF A MATRIX [2.2]

All variables a, b, n, etc are integers unless otherwise stated. Each part of a problem is worth 5 points.

Linear Algebra. Preliminary Lecture Notes

The Fundamental Theorem of Arithmetic

Ma/CS 6a Class 2: Congruences

Lecture 7 Number Theory Euiseong Seo

Z Algorithmic Superpower Randomization October 15th, Lecture 12

Constructions with ruler and compass.

Introduction to Abstract Mathematics

PROBLEM SET 1 SOLUTIONS 1287 = , 403 = , 78 = 13 6.

With Question/Answer Animations. Chapter 4

Mathematical Optimisation, Chpt 2: Linear Equations and inequalities

Polynomials. In many problems, it is useful to write polynomials as products. For example, when solving equations: Example:

Looking back at lattice-based cryptanalysis

#26: Number Theory, Part I: Divisibility

1 Overview and revision

Lecture 19: The Determinant

Contents. 2.1 Vectors in R n. Linear Algebra (part 2) : Vector Spaces (by Evan Dummit, 2017, v. 2.50) 2 Vector Spaces

g(x) = 1 1 x = 1 + x + x2 + x 3 + is not a polynomial, since it doesn t have finite degree. g(x) is an example of a power series.

Number Theory Solutions Packet

SUBGROUPS OF CYCLIC GROUPS. 1. Introduction In a group G, we denote the (cyclic) group of powers of some g G by

LECTURE NOTES IN CRYPTOGRAPHY

MATH 145 Algebra, Solutions to Assignment 4

Well-Ordering Principle The set N of natural numbers is well-ordered, i.e.: every non-empty set of natural numbers has a least element.

Practice Number Theory Problems

Ph 219b/CS 219b. Exercises Due: Wednesday 21 November 2018 H = 1 ( ) 1 1. in quantum circuit notation, we denote the Hadamard gate as

October 25, 2013 INNER PRODUCT SPACES

Transcription:

Lecture 18 Lattices and the Shortest Vector Problem December, 004 Lecturer: Kamal Jain Notes: Chris Ré 18.1 Overview In this lecture, we will show first that every lattice has a basis that can be found in a polynomially amount of time from the original vector description. This allows us to assume that we are given a basis of a lattice as input. Then we will tackle a problem in lattices, the shortest vector problem. 18. Finding A Basis 18..1 Prelimiaries First we state some easy lemmas and give some intuition for the theoreom. A lattice of vectors v 1 v m will be denoted {v i } m for convenience. Lemma 18.1. Two lattices {v i } n and {u j } m are the same each v i can be written as an integer combination of the {u j } m and similarily each u j can be written as a combination of the {v i } n. Lemma 18.. Greatest common divisor of a and b (gcd(a,b)) (w.log) a < b, is the same as gcd(a,b-a). Proof. Let d = gcd(a, b), notice d a and d b a so it is a divisor. If there were a divisor greater of a, b a then it would be a divisor of b a + a = b, a contradiction. This lemma immediately gives euclid s algorithm for computing the gcd. This algorithm will be the intuition for much of this lecture. Lemma 18.. gcd(a 1,, a i,, a j, a m ) = gcd(a 1,, a i,, a j a i,, a m ) Proof. same argument Lemma 18.4. if gcd({a i }) = d x i xi a i = d. sketch. Just think of euclid s algorithm, when it terminates you get d = ax + y. Walk backward through the execution of the algorithm, you will be able to write the coefficients of the original terms by subsitution. 1

18.. Lattice Basis Theorem Theorem 18.5. Let L be a lattice {u i } m. In polynomial time L can be written as {v j } n where the v j are linearly independent. Remark. Notice this is a generalization of finding gcds of lists of numbers. Proof. We may assume {u i } m are linearly dependent, because otherwise we are done. By definition this means c i ci v i = 0 such that not all c i = 0. Notice these c i are in Q because all numbers involved are rational. The c i s are also of small (polynomial) size by a cramer s rule argument. We can set them up to form a matrix equation V c = 0 and solve for c. We now note some simplifying conditions. We can take gcd({c i }) = 1 because we can divide out any gcd from all the terms. Each c i can be taken 0. This is because we are dealing with an integer span and can swap the sign of vectors. This changes any negative c i to positive. Notice that if any c i = 1, we are done. This because j i c j( v j ) = v i. We can just drop v i from the list, since it is redundant. However there may be no such vector so that there is some c i = 1. Consider for example (, 5). We use our fact about gcds and try to reduce some c i to 1. Let 0 < c i c j. c i, c j exist because there is a non-trivial combination, this gives us that one such number exists. Also it is the case that their sum is equal to 0, which means there must be at least one other non-zero coefficent. We now perform the following substitution. c i v i + + c j v j c i (v i + v j ) + + (c j c i )v j Notice that we are decreasing the sum of the coefficient sizes and since they are integers we will terminate by well ordering. Like euclid we need to be careful to terminate in polynomial time. Notice, in an analgous way to euclid s algorithm we can take modulus of the smallest vector. This is sufficient but the proof is omitted. Also notice that we have not changed the lattice by this substitution. Only one vector changed: v i = (v i + v j ) + ( 1)v j. This means that the span is still as large because we can recover v i and we have not enlarged it because (v i + v j ) was in the span of the original. Remark. It is crucial that we take the basis vectors to be rational. For example {1, } is dense. We will know assume that all lattices are described by their basis. 18. Shortest Vector Problem Given a lattice with basis {v i } n, find the shortest non-zero vector with respect to the l norm. Figure 18.1(a) shows why this is non-trivial, we could be given a very long bases. Lemma 18.6. Suppose L has two different bases {u i } n and {v j } n then det({u i } n ) = det({u i } n ) Remark. We can take L to be in R n without loss, since that is the dimension of the lattice. 1 u 1 Definition 18.1. det({u i } n ) = det u

(a) A Lattice with two different bases (b) Reduction of angles between lattice vectors Figure 18.1: Angles and Basis Proof. Written as row vectors, we know that by our earlier lemma that we can write each basis in terms of v 1 v 1 the other concretely. u = M v 1 and v = M u v n v n Substuiting we can write: u = M 1M u Therefore, det(m 1)det(M ) = 1 and these matricies are over the integers, so this means their determinant is as well and det(m 1 ) = det(m ) = ±1. This proves the claim. 18..1 The method of Gauss for dimension Now we are going to start with a method of Gauss to compute the shortest vector in R. This will give the intuition for the method which works in higher dimensions. The algorithm looks very similiar to euclid s algorithm but is not a generalization. Some of the intuition comes from the fact that det(v 1 v n ) is the volume of the parallelpiped you get when you draw them. Our goal is to shrink the angle between the two vectors θ in order to get them perpindicular. As we reduce we get v 1 v sinθ v = u sinθ u as shown in figure 18.1(b). In an orthogonal basis we can simply choose the smallest vector in the basis. Our transformation at each stage is analagous to euclid: we take two vectors u, v u, u v and repeat. In two dimensions our algorithm looks like following. while ( v > v v 1 ) or ( v > v + v 1 ) do v := min( v v 1, v + v 1 ) if v < v 1 then swap(v 1, v ) done The important thing to verify is that the lattice does not change with the new vector. This is because we can recover the old v by the inverse of the vector we chose in the min. Also we not that this is a vector in

the old lattice since we have chosen the weights. This section was just for intuition. We have not shown that this is poly-time or exact. These are proofs are done by case analaysis and are not provided. 18.. An approximation algorithm In higher dimensions, we will use an approximation algorithm so that we can prove a polynomial running time. We will begin in dimension to get most of the key ideas. Also we will be using the l norm which has the property that its distances are preserved under rotation of[ bases. ] v11 0 Given {v 1, v } we write them in the following normal form. For convenience of notation, v 1 v we will talk about the vector v = (0, v ) and the vector v 1 = (v 1, 0). Note the determinant of this matrix is v 11 v. This also proves our parallelpiped result. It only takes poly time to get this form because it requires multiplying by a rotation matrix. Both the derivation and the multiplication are polytime. [ Definition 18.. We say a basis is weakly reduced if we can write it as The conditions for the exact algorithm are 1. the basis is weakly reduced. v 11 v We will relax the latter condition for our approximation. 1. the basis is weakly reduced. v 11 v v 11 0 µ 1 v 11 v ] with µ 1 < 1. We must now show that the vector we find by this process is almost shortest and the resulting algorithm runs in poly time. Lemma 18.7. Algorithm produces a basis such that v 11 min{ v 11, v } Proof. v 11 4 v = 4 ( v 1 + v ) (perpendicular) = 4 ( µ 1 v 11 + v ) This shows it is a approximation. v 11 4 v v 11 v Lemma 18.8. The vector found by this procedure v 11 has v 11 shortest vector. Proof. The shortest vector must be representable in the basis. Let it equal m 1 v 1 + m v. 4

case 1: m = 0 This means it s only shortest when m 1 = ±1 i.e. is equal to v 1. case : m 0 This means m 1. Evaluating its length: shortest vector = m 1 v 1 1 + m ( v ) = m 1 v 11 + m µ 1 v 11 + m v Notice that the underlined portions are perpendicular. We can conlcude SV m v SV v SV v 11, by previous lemma. Remark. Can choose other factors (1, ). Now we must show it is polytime. To do so we are going to define a potential function, θ = v 11 at each step of the iteration. v 11 is a non-zero integer vector 1. At each swap, we get that v 11 > v so it is cutdown by at each interval therefore it executes in log (v 11 ) Now we have the basic tools to generalize this algorithm to higher dimensions. 5

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback