A Fast Jacobi-Type Method for Lattice Basis Reduction Zhaofei Tian - PowerPoint PPT Presentation

Concepts Algorithms Experimental Results References A Fast Jacobi-Type Method for Lattice Basis Reduction Zhaofei Tian Department of Computing and Software McMaster University Hamilton, Ontario, Canada

Concepts Algorithms Experimental Results References Lattice A lattice is an infinite set of discrete points in Euclidean space. p = a 1 z 1 + a 2 z 2 +···+ a n z n

Concepts Algorithms Experimental Results References Lattice and Basis Matrix Representation Given an m × n ( m ≥ n ) real matrix A of full column rank, a lattice generated by A is defined by the set: L ( A ) = { Az | z ∈ Z n } , where Z n is the set of integer n -vectors. The columns of A form a basis for the lattice L , and n is called the dimension of the lattice L . A is called a basis matrix, or a generator matrix.

Concepts Algorithms Experimental Results References A lattice of dimension at least 2 has infinite many bases. Basis matrices [ a 1 , a 2 ] and [ b 1 , b 2 ] generate the same lattice.

Concepts Algorithms Experimental Results References Why lattice? Determining the shortest basis is NP-complete. Polytime algorithms to find sub-optimal solutions are widely used: • Public-key cryptography • Wireless communications • Integer linear programming • Shortest vector problem

Concepts Algorithms Experimental Results References Basis matrices [ a 1 , a 2 ] and [ b 1 , b 2 ] generate the same lattice. [ b 1 , b 2 ] is “better”: shorter, more orthogonal.

Concepts Algorithms Experimental Results References Lagrange/Gaussian Reduced Basis • Defined in two-dimensional lattices We say A = [ a 1 , a 2 ] is Lagrange/Gaussian Reduced, if: || a 1 || 2 ≤ || a 2 || 2 , 1 || a 1 || 2 | a T 1 a 2 | ≤ 2 . 2 2 3 , 2 π The angle between a 1 and a 2 is in [ π 3 ] • Can be found in polynomial time

Concepts Algorithms Experimental Results References Lagrange Iteration A = [ a 1 , a 2 ] (assume || a 1 || 2 ≥ || a 2 || 2 ), one Lagrange iteration will: • Compute a scalar and round to integer q = ⌊ a T 1 a 2 / || a 2 || 2 2 ⌉ ; • Reduce a 1 and swap two vectors; � a 1 � a ′ 1 = a 2 t1 : t2 : ⇒ a ′ a 2 2 = a 1 − q a 2

Concepts Algorithms Experimental Results References Lagrange Reduction Algorithm Algorithm 1: Lagrange Reduction Algorithm Input : A basis { a 1 , a 2 } Output : Lagrange reduced basis { a 1 , a 2 } 1 if || a 1 || 2 < || a 2 || 2 then S WAP (a 1 , a 2 ) ; 2 3 repeat Set q = ⌊ a T 1 a 2 / || a 2 || 2 2 ⌉ ; 4 � 0 1 � Z 12 = ; 5 1 − q [ a 1 , a 2 ] ← [ a 1 , a 2 ] Z 12 ; 6 7 until || a 1 || 2 ≤ || a 2 || 2 ;

Concepts Algorithms Experimental Results References Generalize to n Dimention Reduced Basis A basis matrix A = [ a 1 , a 2 ,..., a n ] is reduced, if : (for all 1 ≤ i < j ≤ n ) , || a i || 2 ≤ || a j || 2 (2.1a) i a j | ≤ 1 | a T 2 || a j || 2 (for all 1 ≤ i < j ≤ n ) , (2.1b) 2 Each pair of vectors in a reduced basis is Lagrange reduced.

Concepts Algorithms Experimental Results References Jacobi/Gaussian Method for n-dimensional Lattice Given a basis A of dimension n ( n ≥ 2 ) , the Jacobi/Gaussian method: • Run Lagrange algorithm on each pair ( a i , a j ) • Terminate when all pairs ( a i , a j ) are Lagrange reduced • Use Gram matrix G = A T A to increase efficiency

Concepts Algorithms Experimental Results References Jacobi Method • Compute G = A T A g ii = || a i || 2 2 , g ij = a T i a j . • Check conditions g jj ≥ g ii , g ii ≥ 2 ×| g ij | . (2.2) • Run Lagrange algorithm

Concepts Algorithms Experimental Results References Algorithm 2: Jacobi Method Input : A basis A = { a 1 , a 2 ,..., a n } Output : Jacobi reduced basis 1 G = A T A ; 2 while not all off-diagonal elements g ij satisfy condition (2.2) do for i ← 1 to n − 1 do 3 for j ← i + 1 to n do 4 Run Lagrange algorithm to reduce ( a i , a j ) ; 5 Update G ; 6

Concepts Algorithms Experimental Results References Increase Efficiency Increase the efficiency of the Jacobi method : • Unknown complexity Introduce a reduction factor ω . • Includes unnecessary Lagrange calls Reduce by Lagrange iteration directly.

Concepts Algorithms Experimental Results References Reduction Factor ω A basis matrix A = [ a 1 , a 2 ] is ω -L-reduced , if: |⌊ a T 1 a 2 / � a s � 2 2 ⌉| ≤ 1 , (2.3a) ω � a l � 2 ≤ � a l − ζ · a s � 2 , (2.3b) where � 1 / 3 ≤ ω < 1; ζ = ± 1 : the sign of a T 1 a 2 ; a s , a l : the shorter vector and the longer vector. Condition (2.3b) ensures a Lagrange iteration reduces a l with a factor of at least ω .

Concepts Algorithms Experimental Results References An ω -Reduced Basis An n -dimensional basis matrix A = [ a 1 , a 2 ,..., a n ] is ω -reduced , if : |⌊ a T i a j / � a s � 2 2 ⌉| ≤ 1 , (2.4a) ω � a l � 2 ≤ � a l − ζ · a s � 2 , (2.4b) for all 1 ≤ i < j ≤ n , where ζ = ± 1 : the sign of a T i a j , a s , a l : the shorter and the longer of a i and a j .

Concepts Algorithms Experimental Results References An ω -Reduced Basis Correspondingly, |⌊ g ij / g ss ⌉| ≤ 1 , (2.5a) ω 2 g ll ≤ g ii + g jj − 2 | g ij | . (2.5b) Since g ij = a T i a j and g jj = � a j � 2 2 .

Concepts Algorithms Experimental Results References Algorithm 3: Fast Jacobi Method � Input : A basis A = { a 1 , a 2 ,..., a n } , and 1 / 3 ≤ ω < 1 Output : An ω -reduced basis 1 G = A T A ; 2 while not all off-diagonal elements g ij satisfy condition (2.4a) and (2.4b) do for i ← 1 to n − 1 do 3 for j ← i + 1 to n do 4 Run Lagrange iteration to reduce ( a i , a j ) ; 5 Update G ; 6 Complexity O ( n 4 ) .

Concepts Algorithms Experimental Results References Experimental Results Compared with the widely used LLL algorithm ( O ( n 4 ) ) on: • Hermite Factor Defined by � a 1 � 2 HF = Vol ( L ) 1 / n . • Orthogonality Defect Defined by � i � a i � 2 δ n ( A ) = . � det ( A T A ) • Efficiency

Concepts Algorithms Experimental Results References Hermite Factors 2.6 LLL 2.4 FastJacobi 2.2 2 1.8 1.6 1.4 0 50 100 150 200 250 300

Concepts Algorithms Experimental Results References Orthogonality Defects 2.5 2.4 2.3 2.2 2.1 2 1.9 1.8 LLL 1.7 FastJacobi 1.6 0 50 100 150 200 250 300

Concepts Algorithms Experimental Results References CPU Times 7 LLL 6 FastJacobi 5 4 3 2 1 0 0 50 100 150 200 250 300 Implemented by MATLAB 2013a on a Dell desktop (i5 processor, 8G memories).

Concepts Algorithms Experimental Results References Logarithm of CPU Times 2 1 0 −1 −2 −3 −4 −5 LLL −6 FastJacobi −7 0 50 100 150 200 250 300

Concepts Algorithms Experimental Results References Shortcomings Compare with the LLL algorithm, the fast Jacobi-type method: • Cannot prove the good quality � v LLL � ≤ 2 n λ 1 . • Larger condition number

Concepts Algorithms Experimental Results References Conclusion The fast Jacobi-type method for lattice basis reduction: • High efficiency • Inherently parallel • As a preprocessing method for other algorithms

Concepts Algorithms Experimental Results References Thanks !

Concepts Algorithms Experimental Results References [Qiao, 2012] S. Qiao A Jacobi Method for Lattice Basis Reduction An unpublished edited version , Apr. 2012. [Nguyen, 2009] P . Q. Nguyen and D. Stehle Low-dimensional lattice basis reduction revisited ACM Transactions on Algorithms , 2009. [Hoffstein, 2008] J. Hoffstein An introduction to mathematical cryptopgraphy Springer Science , 2008. [LLL, 1982] Lenstra, A. K.; Lenstra, H. W.; and Lovasz, L. Factoring Polynomials with Rational Coefficients Math. Ann. 261, 515-534 , 1982.