Lattices Aug-Dec 2014 — Notes 1
Guide: Partha Mukhopadhyay
Scribe: Aditya Potukuchi

1 Basics

A brilliant introduction to lattices can be found in Oded Regev's notes (lecture 1). We define two problems as follows:

Definition 1 (Shortest Vector Problem). Given a lattice $\Lambda$ by its basis $B = \{b_1, b_2, \ldots, b_n\}$ and a number $d$, does there exist a nonzero vector $v \in \Lambda$ such that $\|v\| \le d$?

Definition 2 (Closest Vector Problem). Given a lattice $\Lambda$ by its basis $B = \{b_1, b_2, \ldots, b_n\}$, a vector $s$, and a number $d$, does there exist a vector $v \in \Lambda$ such that $\|v - s\| \le d$?

We give approximation algorithms for both these problems.

2 Shortest Vector Problem

Problem definition:

Definition 3 ($SVP_\gamma$). Given a lattice $\Lambda$ by its basis $B = \{b_1, b_2, \ldots, b_n\}$, find a nonzero vector $v \in \Lambda$ such that $\|v\| \le \gamma \lambda_1(\Lambda)$.

The approach to the Shortest Vector Problem is through constructing a basis that is, in some sense, 'close' to orthogonal. Recall that for a lattice $\Lambda$ spanned by a basis $B = \{b_1, b_2, \ldots, b_n\}$ with Gram-Schmidt orthogonalization $\tilde{b}_1, \ldots, \tilde{b}_n$,
$$\lambda_1(\Lambda) \ge \min_{1 \le i \le n} \|\tilde{b}_i\|.$$
The problem is that $\Lambda$ need not even have an orthogonal basis. For this reason, we define a notion that captures what it means for a basis to be 'nearly' orthogonal.

Definition 4 ($\delta$-reduced LLL basis). A basis $B$ is said to be a $\delta$-reduced LLL basis if, with $\mu_{i,j} = \langle b_i, \tilde{b}_j \rangle / \langle \tilde{b}_j, \tilde{b}_j \rangle$:

1. $|\mu_{i,j}| \le \frac{1}{2}$ for all $1 \le j < i \le n$;
2. $\delta \|\tilde{b}_i\|^2 \le \|\mu_{i+1,i} \tilde{b}_i + \tilde{b}_{i+1}\|^2$ for all $1 \le i < n$.

Here $\delta$ is normally some number between $1/4$ and $1$. The first condition is easier to understand, as we want the basis to be close to orthogonal. The second condition, however, is more interesting. Since the Gram-Schmidt vectors are orthogonal, we may rewrite it as
$$\|\tilde{b}_{i+1}\|^2 \ge (\delta - \mu_{i+1,i}^2) \|\tilde{b}_i\|^2,$$
or, since $|\mu_{i+1,i}| \le \frac{1}{2}$,
$$\|\tilde{b}_{i+1}\| \ge \frac{\sqrt{4\delta - 1}}{2} \|\tilde{b}_i\|. \qquad (1)$$

Claim 5. Let $B = \{b_1, b_2, \ldots, b_n\}$ be a $\delta$-reduced basis. Then $\|b_1\| \le \left(\frac{2}{\sqrt{4\delta - 1}}\right)^n \lambda_1(L(B))$.

Proof. Using (1), for any $i \ge 1$,
$$\|b_1\| = \|\tilde{b}_1\| \le \left(\frac{2}{\sqrt{4\delta - 1}}\right)^{i-1} \|\tilde{b}_i\| \le \left(\frac{2}{\sqrt{4\delta - 1}}\right)^{n} \|\tilde{b}_i\|.$$
The second inequality holds because $\frac{2}{\sqrt{4\delta - 1}} \ge 1$.
Therefore,
$$\|b_1\| \le \min_{1 \le i \le n} \left(\frac{2}{\sqrt{4\delta - 1}}\right)^{n} \|\tilde{b}_i\| \le \left(\frac{2}{\sqrt{4\delta - 1}}\right)^{n} \lambda_1(L(B)).$$

Note that the above inequality immediately gives us a $\left(\frac{2}{\sqrt{4\delta - 1}}\right)^n$-factor approximation algorithm if we are given a $\delta$-reduced LLL basis. So that is what our problem reduces to.

2.1 The Algorithm

Algorithm 1: LLL finds the (approximately) shortest vector
Input: $L(b_1, b_2, \ldots, b_n)$
Output: a $\delta$-reduced basis; by Claim 5, its first vector $v = b_1$ satisfies $\|v\| \le \left(\frac{2}{\sqrt{4\delta - 1}}\right)^n \lambda_1(L(B))$

1  for $i \leftarrow 2$ to $n$ do
2      for $j \leftarrow i - 1$ down to $1$ do
3          $b_i \leftarrow b_i - c_{i,j} b_j$, where $c_{i,j} = \left\lceil \langle b_i, \tilde{b}_j \rangle / \langle \tilde{b}_j, \tilde{b}_j \rangle \right\rfloor$
4  if $\exists i$ such that $\delta \|\tilde{b}_i\|^2 > \|\mu_{i+1,i} \tilde{b}_i + \tilde{b}_{i+1}\|^2$ then
5      $b_i \leftrightarrow b_{i+1}$
6      goto Start
7  return $\{b_1, b_2, \ldots, b_n\}$

2.2 Correctness

Claim 6. At the end of the reduction for $b_i$, for every $j < i$, $|\mu_{i,j}| \le 1/2$.

Proof. First, note that the Gram-Schmidt basis does not change during this process, because we only perform operations of the form $b_i \to b_i - t b_j$ with $j < i$. So, consider $b_i$ in the Gram-Schmidt basis:
$$b_i = \tilde{b}_i + \sum_{k=1}^{i-1} \mu_{i,k} \tilde{b}_k.$$
After the $t$-th step,
$$b_i = \tilde{b}_i + \sum_{k=i-t}^{i-1} \mu'_{i,k} \tilde{b}_k + \sum_{k=1}^{i-t-1} w_{i,k} \tilde{b}_k,$$
where the $w_{i,k}$ are the coefficients accumulated on the not-yet-reduced positions (these are not really important). It is easy to check that $|\mu'_{i,k}| \le \frac{1}{2}$ for all $i - t \le k \le i - 1$: the step for position $k$ changes $\mu_{i,k}$ to $\mu_{i,k} - c_{i,k}$, which has absolute value at most $\frac{1}{2}$ by the choice of $c_{i,k}$, and later steps (for smaller $k$) do not touch positions $\ge k$. Since this is true for any $t \le i - 1$, and in particular for $t = i - 1$, the claim follows.

Another way of looking at it is through the matrix of Gram-Schmidt coefficients after $t$ steps for $b_i$: it is upper triangular with diagonal entries $\|\tilde{b}_1\|, \ldots, \|\tilde{b}_n\|$; in row $i$, the entries in columns $i - t, \ldots, i - 1$ are at most $\frac{1}{2}$ times the corresponding diagonal entry, while the entries in columns $1, \ldots, i - t - 1$ are still arbitrary.

Once the reduction step is proved, it is clear that if the algorithm terminates, its output is a $\delta$-reduced LLL basis. But it is not clear at this point whether the algorithm even terminates.

2.3 Running Time is Polynomial in n

Gram-Schmidt orthogonalization and the reduction step can both be done in a polynomial (in $n$) number of operations. We shall prove that the swap step does not occur too many times. To do this, we define a measure as follows:
$$D_B = \prod_{i=1}^{n} \|\tilde{b}_i\|^{n-i+1} = \prod_{i=1}^{n} D_i, \quad \text{where } D_i = \det(L(b_1, b_2, \ldots, b_i)) = \prod_{j=1}^{i} \|\tilde{b}_j\|.$$
First, we shall bound this value:
$$D_B \le \max_{1 \le i \le n} \|\tilde{b}_i\|^{n(n+1)/2},$$
which takes space polynomial in $n$ to represent. Then, we shall prove that this measure drops by a constant factor after every swap. During the reduction step, the Gram-Schmidt basis does not change, so $D_B$ does not change. When $b_i$ and $b_{i+1}$ are swapped, notice that only $D_i$ changes (say, to $D_i'$). So, we shall look only at this change:
$$\frac{D_i'}{D_i} = \frac{\prod_{j=1}^{i-1} \|\tilde{b}_j\| \cdot \|\tilde{b}_{i+1} + \mu_{i+1,i} \tilde{b}_i\|}{\prod_{j=1}^{i-1} \|\tilde{b}_j\| \cdot \|\tilde{b}_i\|} = \frac{\|\tilde{b}_{i+1} + \mu_{i+1,i} \tilde{b}_i\|}{\|\tilde{b}_i\|} < \sqrt{\delta},$$
where the last inequality holds because a swap is performed only when $\delta \|\tilde{b}_i\|^2 > \|\mu_{i+1,i} \tilde{b}_i + \tilde{b}_{i+1}\|^2$. Therefore $D_i$, and hence $D_B$, drops by a factor of at least $\sqrt{\delta}$ each time the swap step is executed. This bounds the number of swaps by
$$\log_{1/\sqrt{\delta}} D_B \le \frac{n(n+1)}{2} \log_{1/\sqrt{\delta}} \max_{1 \le i \le n} \|\tilde{b}_i\|,$$
which is polynomial in $n$.

Though it looks like we have bounded the running time by a polynomial in $n$ at this point, we are not quite done yet. We have only proved that the algorithm executes a polynomial number of steps. We also need to show that the numbers involved in the algorithm do not get too big. We shall do this in two steps, bounding the numbers in $\tilde{b}_i$ and then in $b_i$. The numbers in $\tilde{b}_i$ are rational numbers that need not be integers; we need to bound both the numerators and the denominators of these entries. First, the denominators:

Claim 7. $\forall\, 1 \le i \le n$, $D_B^2 \cdot \tilde{b}_i \in \mathbb{Z}^n$.

Proof. Since $\tilde{b}_i \in \operatorname{span}(b_1, b_2, \ldots, b_i)$, we may write
$$\tilde{b}_i = b_i - \sum_{j=1}^{i-1} a_{i,j} b_j,$$
where each $a_{i,j} \in \mathbb{R}$. Since $\tilde{b}_i$ is orthogonal to every $b_k$ with $1 \le k \le i - 1$, we get
$$\langle \tilde{b}_i, b_k \rangle = \langle b_i, b_k \rangle - \sum_{j=1}^{i-1} a_{i,j} \langle b_j, b_k \rangle = 0,$$
or
$$\sum_{j=1}^{i-1} a_{i,j} \langle b_j, b_k \rangle = \langle b_i, b_k \rangle.$$
Let us turn this into a system of linear equations, using $k$ from $1$ to $i - 1$, in order to compute the $a_{i,j}$'s for all $j < i$:
$$\sum_{j=1}^{i-1} a_{i,j} \langle b_j, b_1 \rangle = \langle b_i, b_1 \rangle$$
$$\sum_{j=1}^{i-1} a_{i,j} \langle b_j, b_2 \rangle = \langle b_i, b_2 \rangle$$
$$\vdots$$
$$\sum_{j=1}^{i-1} a_{i,j} \langle b_j, b_{i-1} \rangle = \langle b_i, b_{i-1} \rangle$$
Each $a_{i,j}$ is given by Cramer's rule:
$$a_{i,j} = \frac{\det(\text{some integer matrix})}{\det \begin{pmatrix} \langle b_1, b_1 \rangle & \cdots & \langle b_1, b_{i-1} \rangle \\ \vdots & \ddots & \vdots \\ \langle b_{i-1}, b_1 \rangle & \cdots & \langle b_{i-1}, b_{i-1} \rangle \end{pmatrix}} = \frac{\text{integer}}{\det(B_{i-1}^T B_{i-1})} = \frac{\text{integer}}{D_{i-1}^2}.$$
Since $\tilde{b}_i$ is a linear combination of the integer vectors $b_j$ with coefficients whose denominators divide $D_{i-1}^2$, $D_{i-1}^2 \tilde{b}_i$ is an integer vector, and therefore $D_B^2 \tilde{b}_i$ is an integer vector (each $D_j^2$ is an integer, so $D_{i-1}^2$ divides $D_B^2$).

This shows that, after each step, the denominator of every entry of $\tilde{b}_i$ can be represented in a polynomial number of bits. Now we bound the value of $\|\tilde{b}_i\|$, thus bounding the numerators too.

Claim 8. $\|\tilde{b}_i\| \le D_B^2$.

Proof. $D_i = \|\tilde{b}_i\| \cdot \prod_{j=1}^{i-1} \|\tilde{b}_j\|$. So,
$$\|\tilde{b}_i\| = \frac{D_i}{\prod_{j=1}^{i-1} \|\tilde{b}_j\|} \le D_i \cdot \prod_{j=1}^{i-1} D_{j-1}^2 \le D_B^2,$$
where the first inequality holds because $\|\tilde{b}_j\| \ge 1/D_{j-1}^2$ (by the proof of the previous claim, $D_{j-1}^2 \tilde{b}_j$ is a nonzero integer vector, taking $D_0 = 1$).

To bound the entries of $b_i$, it is sufficient to bound the value of $\|b_i\|$, since all the entries are integers. It is not difficult to see that, using the Gram-Schmidt formula $b_i = \tilde{b}_i + \sum_{j=1}^{i-1} \mu_{i,j} \tilde{b}_j$ and the previous two claims, we can bound it by $4n D_B^4$, which is still a polynomial number of bits in $n$. This finally proves that the LLL algorithm runs in polynomial time.

3 Closest Vector Problem

We use the search variant of the Closest Vector Problem:

Definition 9 ($CVP_\gamma$). Given a lattice $\Lambda$ by its basis $B = \{b_1, b_2, \ldots, b_n\}$ and a vector $s$, find a vector $v \in \Lambda$ such that $\forall y \in \Lambda$, $\|v - s\| \le \gamma \|y - s\|$.

This is a generalization of the Shortest Vector Problem, as the shortest vector in a lattice is nothing but the vector closest to $0$ (or is it? think about it). We shall use the LLL algorithm as a subroutine in what is known as the Nearest Plane Algorithm to solve $CVP_\gamma$.

3.1 The Algorithm

Algorithm 2: CVP finds the (approximately) closest vector to t
Input: $(L(b_1, b_2, \ldots, b_n), t)$
Output: vector $x$ such that $\forall y \in L$, $\|x - t\| \le 2^{n/2} \|y - t\|$

1  if the basis is empty then
2      return $0$
3  run LLL on $L(b_1, b_2, \ldots, b_n)$
4  let $s$ be the projection of $t$ on $\operatorname{span}(b_1, b_2, \ldots, b_n)$
5  $s' \leftarrow s - c\, b_n$, where $c = \left\lceil \langle s, \tilde{b}_n \rangle / \langle \tilde{b}_n, \tilde{b}_n \rangle \right\rfloor$
6  return $c\, b_n + CVP(L(b_1, b_2, \ldots, b_{n-1}), s')$

3.2 Correctness and Running Time

We shall build up to it by a series of steps (and hopefully give a slightly intuitive picture in the process).
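Before the analysis, here is how Algorithm 2 looks in code. The recursion on a rank-$(n-1)$ lattice unrolls into a loop that peels off a coefficient for $b_n, b_{n-1}, \ldots, b_1$. This is a minimal Python sketch under my own conventions (function names, basis given as rows, full-rank integer basis so the projection step is trivial); it assumes the basis has already been LLL-reduced, so the call to LLL is omitted.

```python
from fractions import Fraction

def gram_schmidt(B):
    """Gram-Schmidt orthogonalization of the rows of B (no normalization)."""
    Bt = []
    for b in B:
        v = [Fraction(x) for x in b]
        for u in Bt:
            # mu = <b, u> / <u, u>, the Gram-Schmidt coefficient
            mu = sum(Fraction(bi) * ui for bi, ui in zip(b, u)) / sum(ui * ui for ui in u)
            v = [vi - mu * ui for vi, ui in zip(v, u)]
        Bt.append(v)
    return Bt

def nearest_plane(B, t):
    """Babai's nearest plane: a lattice vector close to t.

    B: full-rank, already LLL-reduced basis (rows, integer entries).
    t: target vector (rationals)."""
    Bt = gram_schmidt(B)
    x = [Fraction(0)] * len(t)
    s = [Fraction(v) for v in t]   # residual target
    # peel off the nearest hyperplane along b_n, then b_{n-1}, ..., b_1
    for b, bt in zip(reversed(B), reversed(Bt)):
        c = round(sum(si * bi for si, bi in zip(s, bt)) / sum(bi * bi for bi in bt))
        x = [xi + c * bi for xi, bi in zip(x, b)]
        s = [si - c * bi for si, bi in zip(s, b)]
    return x
```

For instance, on the basis $\{(1,0), (0,1)\}$ and target $(0.6, 2.3)$ this returns the lattice point $(1, 2)$, the choice made by rounding each coordinate.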
Let the algorithm, on input a vector $t$ and a lattice $\Lambda = L(b_1, b_2, \ldots, b_n)$, output a vector $x$, and let the closest lattice vector to $t$ be $y$.

Claim 10. $\|x - s\|^2 \le \frac{1}{4} \sum_{i=1}^{n} \|\tilde{b}_i\|^2$.

Claim 11. $\|x - s\| \le \frac{1}{2}\, 2^{n/2} \|\tilde{b}_n\|$.

Lemma 12. $\|x - s\| \le 2^{n/2} \|y - s\|$.

Proof. The proof is by induction on $n$. For the base case, $CVP$ computes $x$ exactly. Let the rank be $n$; we look at two cases.

If $\|s - y\| < \frac{\|\tilde{b}_n\|}{2}$, then $y \in c\,\tilde{b}_n + \operatorname{span}(b_1, b_2, \ldots, b_{n-1})$, and in particular $y \in c\,b_n + L(b_1, b_2, \ldots, b_{n-1})$, where $c = \left\lceil \langle s, \tilde{b}_n \rangle / \langle \tilde{b}_n, \tilde{b}_n \rangle \right\rfloor$, since the other hyperplanes parallel to this one are at distance at least $\frac{\|\tilde{b}_n\|}{2}$ from $s$. Therefore $y = y' + c\,b_n$, where $y'$ is the closest vector to $s' = s - c\,b_n$ in $L(b_1, \ldots, b_{n-1})$; in particular, $y - s$ is the same as $y' - s'$. Let $x' = x - c\,b_n$, and let $s''$ be the projection of $s'$ on $\operatorname{span}(b_1, \ldots, b_{n-1})$ (note that the induction hypothesis holds for $s''$ on $L(b_1, \ldots, b_{n-1})$). So, we write:
$$\|s - x\|^2 = \|s' - x'\|^2 = \|s' - s''\|^2 + \|s'' - x'\|^2 \le \|s' - s''\|^2 + 2^{n-1} \|s'' - y'\|^2$$
$$\le 2^{n-1} \|s' - s''\|^2 + 2^{n-1} \|s'' - y'\|^2 = 2^{n-1} \|s' - y'\|^2 \le 2^{n} \|s' - y'\|^2 = 2^{n} \|s - y\|^2,$$
where the first inequality is due to the induction hypothesis, and the Pythagorean splits hold because $s' - s''$ is orthogonal to $\operatorname{span}(b_1, \ldots, b_{n-1})$, which contains both $x'$ and $y'$. In this first case, the intuition is that the algorithm picked the right hyperplane for $y$.

On the other hand, if $\|s - y\| \ge \frac{\|\tilde{b}_n\|}{2}$, then using Claim 11,
$$\|x - s\| \le \frac{1}{2}\, 2^{n/2} \|\tilde{b}_n\| \le 2^{n/2} \|y - s\|.$$

And finally,

Claim 13. $\|x - t\| \le 2^{n/2} \|y - t\|$.

Proof. Since $t - s$ is orthogonal to $\operatorname{span}(b_1, \ldots, b_n)$, which contains $x - s$ and $y - s$,
$$\|x - t\|^2 = \|s - t\|^2 + \|x - s\|^2.$$
By using Lemma 12,
$$\|x - t\|^2 \le \|t - s\|^2 + 2^{n} \|y - s\|^2 \le 2^{n} (\|t - s\|^2 + \|y - s\|^2) = 2^{n} \|y - t\|^2.$$

This completes the proof of correctness of the CVP algorithm. For the running time, it is easy to see that the algorithm calls itself $n$ times, and each call performs $O(n^2)$ arithmetic operations ($O(n)$ inner products, each taking $O(n)$ time), apart from the calls to LLL, which also take polynomial time. Therefore this algorithm terminates after $O(n^3)$ arithmetic operations plus the cost of the LLL calls.
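For completeness, the LLL reduction of Algorithm 1 can also be sketched in code. This is a minimal Python sketch over exact rationals with $\delta = 3/4$, under my own conventions (function names, basis as rows): the "if $\exists i$ ... goto Start" loop of Algorithm 1 is written in the standard index-walking form, and the full Gram-Schmidt recomputation after every change is wasteful but keeps the sketch short.

```python
from fractions import Fraction

def gram_schmidt(B):
    """Return (Bt, mu): orthogonalized rows and coefficients
    mu[i][j] = <b_i, bt_j> / <bt_j, bt_j>."""
    n = len(B)
    Bt, mu = [], [[Fraction(0)] * n for _ in range(n)]
    for i, b in enumerate(B):
        v = [Fraction(x) for x in b]
        for j in range(i):
            mu[i][j] = (sum(Fraction(bi) * uj for bi, uj in zip(b, Bt[j]))
                        / sum(uj * uj for uj in Bt[j]))
            v = [vi - mu[i][j] * uj for vi, uj in zip(v, Bt[j])]
        Bt.append(v)
    return Bt, mu

def norm2(v):
    return sum(x * x for x in v)

def lll(B, delta=Fraction(3, 4)):
    """Compute a delta-reduced LLL basis of the integer row basis B."""
    B = [list(b) for b in B]
    n = len(B)
    Bt, mu = gram_schmidt(B)
    i = 1
    while i < n:
        # size reduction: force |mu[i][j]| <= 1/2 for all j < i
        for j in range(i - 1, -1, -1):
            c = round(mu[i][j])
            if c:
                B[i] = [x - c * y for x, y in zip(B[i], B[j])]
                Bt, mu = gram_schmidt(B)
        # Lovasz condition: ||bt_i||^2 >= (delta - mu^2) ||bt_{i-1}||^2
        if norm2(Bt[i]) >= (delta - mu[i][i - 1] ** 2) * norm2(Bt[i - 1]):
            i += 1
        else:
            B[i - 1], B[i] = B[i], B[i - 1]   # the swap step
            Bt, mu = gram_schmidt(B)
            i = max(i - 1, 1)
    return B
```

On termination both conditions of Definition 4 hold by construction, which is easy to verify directly on the output; the potential argument of Section 2.3 is what guarantees the loop terminates.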