Download Shortest and Closest Vectors

Lattices
Aug-Dec 2014
Notes 1
Guide: Partha Mukhopadhyay
1
Scribe: Aditya Potukuchi
Basics
A brilliant introduction to lattices can be found in Oded Regev’s notes (lecture 1). We define two
problems as follows:
Definition 1 (Shortest Vector Problem). Given a lattice Λ by its basis B = {b1 , b2 , . . . bn }, and a
number d, does there exist a vector v ∈ Λ such that kv − Λk ≤ d?.
Definition 2 (Closest Vector Problem). Given a lattice Λ by its basis B = {b1 , b2 , . . . bn }, a vector
s, and a number d, does there exist a vector v ∈ Λ such that kv − sk ≤ d?.
We give approximation algorithms for both these problems.
2
Shortest Vector Problem
Problem definition:
Definition 3 (SV Pγ ). Given a lattice Λ by its basis B = {b1 , b2 , . . . bn }, find a vector v ∈ Λ such
that kvk ≤ γλ1 (Λ)
The approach to the Shortest Vector Problem is through constructing a basis that is, in some sense,
’close’ to orthogonal. Recall that for a lattice Λ spanned by a basis B = {b1 , b2 , . . . bn },
λ1 (Λ) ≥ min (kb̃i k)
1≤i≤n
The problem is that Λ need not even have a set of orthogonal bases. For this reason, we shall define
a notion that basically means that a basis is ’nearly’ orthogonal.
Definition 4 (δ−reduced LLL basis). A basis B is said to be a δ−reduced LLL basis if there exist
µi,j 1 ≤ i, j ≤ n
1. ∀1 ≤ i < j ≤ n, |µi,j | ≤
1
2
2. δkb̃i k2 ≤ kµi+1,i b̃i + b̃i+1 k2
δ is normally some number between 1/4 and 1. The first condition is easier to understand as we
want the basis to be clse to orthogonal. The second condition, however, is more interesting. Since
the Gram-Schmidt basis are orthogonal, we may rewrite the rule as follows:
1
kb̃i+1 k2 ≥ (δ − µ2i+1,i )kb̃i k2
or, since µi+1,i ≤ 12 ,
2
p
kb̃i+1 k ≥ kb̃i k
(4δ − 1)
(1)
Claim 5. Let B = {b1 , b2 , . . . bn } be a δ−reduced basis. Then, kb1 k ≤ ( √
2
)n λ1 (L(B)).
(4δ−1)
Proof. Using (1), for any i ≥ 1,
2
2
kb̃1 k = kb1 k ≤ ( p
)i kb̃i k ≤ ( p
)n kb̃i k
(4δ − 1)
(4δ − 1)
The second inequality holds because √
2
(4δ−1)
≥ 1. Therefore,
2
2
kb1 k ≤ min ( p
)n kb̃i k = ( p
)n λ1 (L(B))
1≤i≤n
(4δ − 1)
(4δ − 1)
Note that the above inequality immediately gives us a ( √
2
)n
(4δ−1)
factor approximation algorithm
if we are given a δ−reduced LLL basis. So that is what our problem reduces to.
2.1
The Algorithm
Algorithm 1: LLL finds the (approximately) shortest vector
Input: (L(b1 , b2 , . . . , bn ))
Output: vector v such that v ≤ ( √ 2
)n λ1 (L(B))
(4δ−1)
1
2
3
for i ← 2 to n do
for j ← i − 1 to 1 do
hb̃ ,b̃ i
bi ← bi − ci,j bj where c = d hb̃ i ,b̃j i c
j
j
6
if ∃i such that δkb̃i k2 > kµi+1,i b̃i + b̃i+1 k2 then
bi ↔ bi+1
Goto Start
7
return {b1 , b2 , . . . , bn }
4
5
2
2.2
Correctness
Claim 6. At the end of the reduction for bi , for every j < i, µj,i ≤ 1/2.
Proof. First, note that th Gram-Schmidt basis doesn’t change during this process becuse we are
doing operations of the form bi → bi − tbj .So, consider bi in the Gram-Schmidt basis.
bi = b̃i +
i−1
X
µi,k b̃k
k=1
After the tth step,
bi = b̃i +
i−1
X
ci,k b̃k +
k=i−t
Where wi,k = µi,k −
Pi−1
x=i−t−1 bµi,k eµx,k
i−t−1
X
wi,k b̃k
k=1
(this term is not really important).
It is easy to check that for all i − t ≤ k ≤ i − 1, µi,k = ci,k ≤ 21 . Since this is true for any t ≤ i − 1,
and in particular t = i − 1, we have the proof of the claim.
Another way of looking at it is through the Gram-Schmidt matrix after t steps for bi shown(hopefully)
below:












kb̃1 k ≤ 12 kb̃1 k . . .
∗
...
0
kb̃2 k
...
∗
... 


..
..
..
1

. ≤ 2 kb̃i−t k
.
.


..

.


kb̃i k

..
.
Once the reduction step is proved, it is clear that once the algorithm terminates, it must be a
δ−reduced LLL basis. But it is not clear at this point if the algorithm even terminates.
2.3
Running Time is Polynomial in n
Gram-Schmidt Orthogonalization and the reduction step can both, be done in polynomial (in n)
number of operations. We shall prove that the swap step will not occor too many times. To do
this, we define a measure as follows:
DB =
n
Y
kb̃i kn−i+1 =
i=1
n
Y
i=1
3
Di
where Di = L(b1 , b2 , . . . bi ). First, we shall bound this value.
D ≤ max kb̃i kn(n+1)/2
1≤i≤n
Which takes space polynomial in n to represent.
Then, we shall prove this measure drops by a constant factor after every swap. During the reduction
step, the Gram-Schmidt basis doesn’t change, so D doesn’t change. When bi and bi+1 are swapped,
notice that only Di changes (say, to Di0 ). So, we shall look only at this change.
Di0
=
Di
Qi−1 ˜
kb̃i+1 k + µi+1,i kb̃i k √
j=1 kbj k.(kb̃i+1 k + µi+1,i kb̃i k)
< δ
=
Qi−1
kb̃i k
j=1 kb̃j k.kb̃i k
Therefore, Di , and hence DB drops by a factor of at least
the reduction step is executed, i.e. log √1 DB ≤ max1≤i≤n
δ
n.
p
(δ). This bounds the number of times
n(n+1)
log √1 kb̃i k which is polynomial in
2
δ
Tough it looks like we have bound the running time as a polynomial in n at this point, we are not
quite done yet. We have only proved that the algorithm executes a polynomial number of steps.
We also need to show that the numbers involved in the algorithm do not get too big. We shall do
this in two steps, i.e. bounding the numbers in b̃i and bi .
The numbers in b̃i are rational numbers that need not be integers. We need to bound both the
numerators and denominators of these entries. First demoninator:
Claim 7. ∀ 1 ≤ i ≤ n,DB2 .kbi k ∈ Zn
Proof. Since b̃i ∈ span(b1 , b2 , . . . bi ), we may write
b̃i = bi −
i−1
X
ai,j bj
j=1
where each ai,j ∈ R. Since bi is also orthogonal to all vectors bk such that 1 ≤ k ≤ i − 1, we write:
hb̃i , bk i = bi −
i−1
X
ai,j bj , bk = hbi , bk i +
j=1
i
X
j=1
or
i
X
ai,j hbj , bk i = −hbi , bk i
j=1
4
ai,j hbj , bk i = 0
Let is turn this into a system of linear equations using k from 1 to i in order to computer ai,j ’s for
all j < i.
i
X
ai,j hbj , b1 i = −hbi , b1 i
j=1
i
X
ai,j hbj , b2 i = −hbi , b2 i
j=1
..
.
i
X
ai,j hbj , bi−1 i = −hbi , bi−1 i
j=1
Each ai,j is given by Cramer’s rule
det(some
ai,j = hb1 , b1 i
..
.
hb1 , bi−1 i
integer
integer
=
=
2
T
Di−1
det(Bi−1 Bi−1 )
. . . hbi−1 , bi−1 i integer matrix)
. . . hbi−1 , b1 i
..
..
.
.
2 b̃ is an integer and therefore D 2 b̃ is an
Since b̃i is an integer linear combination of ai,j ’s, Di−1
i
B i
integer.
This shows us that after each step, the denominator of every number in b̃i can be represented in
polynomial number of bits. Now we bound the value of kb̃i k, thus bounding the numerators too.
Claim 8. kb̃i k ≤ DB2
Proof. Di = kb̃i k.
Qi−1
j=1 kb̃j k.
So, kb̃i k =
D
Qi−1 i
j=1 kb̃j k
≤ Di .
Qi−1
2
j=1 Di
≤ DB2 where the first inequality is
due to the previous claim.
To bound the entries of bi , it is sufficient to bound the value of kbi k since all the
are integers.
Pvalues
i−1
It is not difficult to see that when we use Gram-Schmidt formula bi = b̃i + j=1 µi, j b̃j and the
previous two claims, we can bound it by max1≤i≤n 4nDB4 kbi k which is still polynomial number of
bits in n. This finally proves that the LLL algorithm runs in polynomial time.
3
Closest Vector Problem
Search variant of the Cloeset Vector Problem
Definition 9 (CV Pγ ). Given a lattice Λ by its basis B = {b1 , b2 , . . . bn }, and a vector s, find a
vector v ∈ Λ such that ∀y ∈ Λ, kv − sk ≤ γkv − yk.
This is a generalization of the Shortest Vector Problem, as the shortest vector in a lattice is nothing
but the vector closest to 0 (or is it? think about it). We shall use the LLL algorithm as a subroutine
in what is known as the Nearest Plane Algorithm to solve CV Pγ .
5
3.1
The Algorithm
Algorithm 2: CVP finds the (approximately) closest vector to t
Input: (L(b1 , b2 , . . . , bn ), t)
n
Output: vector x such that ∀y ∈ L, kx − tk ≤ 2 2 ky − tk
1 if basis is empty then
2
return t
3
4
Run LLL((L(b1 , b2 , . . . , bn ))
let the projection of t on span(b1 , b2 , . . . bn ) be s
5
b̃n i
s0 ← s − cbn where c = d hhs,
c
b̃ ,b̃ i
6
return CV P ((L)(b1 , b2 , . . . , bn−1 ), s0 )
n
3.2
n
Correctness and Running Time
We shall build up to it by a series of steps (and hopefully give a slightly intuitive picture in the
process). Let the algorithm, on input of a vector t, and a lattice Λ = L(b1 , b2 , . . . bn ) output a
vector x, and let the closest vector to t be y.
P
Claim 10. kx − sk2 ≤ 21 ni=1 kb̃2i k.
n
Claim 11. kx − sk ≤ 12 2 2 kb̃n k.
n
Lemma 12. kx − sk ≤ 2 2 ky − sk.
Proof. Proof is by induction on n. For the base case, CV P computes x exactly. Let the rank be
n, we look at two cases.
kb̃n k
2 , then y ∈ cb̃n + span(b1 , b2 , . . . bn−1 ), and in particular, y ∈ cbn + L(b1 , b2 , . . . bn−1 )
hx,b̃n i
where c = d hb̃ ,b̃ i c, since other planes parallel to this are at a distance of at least kb̃2n k . Therefore,
n n
y = y 0 + cbn , where y 0 is the closest vector to s0 = s − cbn , therefore, y − s is the same as y 0 − s0 . Let
and x0 = x − cbn and s00 be the projection of s0 on L(b1 , b2 , . . . bn−1 ) (note that induction hyothesis
holds for s00 on L(b1 , b2 , . . . bn−1 )). So, we write:
If ks − yk <
ks − xk = ks0 − x0 k
= ks0 − s00 k2 + ks00 − x0 k2
≤ ks − s0 k2 + 2n−1 ks00 − y 0 k2
≤ 2n−1 ks0 − s00 k2 + 2n−1 ks00 − y 0 k2
≤ 2n−1 ks0 − y 0 k2 ≤ 2n ks0 − y 0 k2
= ks − yk2
Where the first inequality is due to induction hypothesis.
6
In the first case, the intuition is that the algorithm picked the right plane for y. On the other hand,
if ks − yk > kb̃2n k , using Claim 9,
1 n
kx − tk ≤ 2 2 kb̃n k2
2
n
≤ 2 2 ky − sk
.
And finally,
n
Claim 13. kx − tk ≤ 2 2 ky − tk.
Proof.
kx − tk2 = ks − tk2 + kx − sk2
By using Lemma 10 ,
kx − tk2 ≤ kt − sk2 + 2n ky − sk2
≤ 2n (kt − sk2 + ky − sk2 )
= 2n ky − tk2
.
This completes the proof of correctness of the CVP algorithm. For running time, it is easy to
see that the algorithm calls itself n times and each time the computation takes time O(n2 ) (O(n)
computations, each taking O(n) time). Therefore, this algorithm terminates in O(n3 ) time.
7