A Fast Jacobi-Type Method for Lattice Basis Reduction Zhaofei Tian - - PowerPoint PPT Presentation

a fast jacobi type method for lattice basis reduction
SMART_READER_LITE
LIVE PREVIEW

A Fast Jacobi-Type Method for Lattice Basis Reduction Zhaofei Tian - - PowerPoint PPT Presentation

Feb 04, 2024 38 likes •309 views

Concepts Algorithms Experimental Results References A Fast Jacobi-Type Method for Lattice Basis Reduction Zhaofei Tian Department of Computing and Software McMaster University Hamilton, Ontario, Canada Concepts Algorithms Experimental

slide-1
SLIDE 1

Concepts Algorithms Experimental Results References

A Fast Jacobi-Type Method for Lattice Basis Reduction

Zhaofei Tian

Department of Computing and Software McMaster University Hamilton, Ontario, Canada

slide-2
SLIDE 2

Concepts Algorithms Experimental Results References

Lattice

A lattice is an infinite set of discrete points in Euclidean space. p = a1z1 +a2z2 +···+anzn

slide-3
SLIDE 3

Concepts Algorithms Experimental Results References

Lattice and Basis

Matrix Representation Given an m×n (m ≥ n) real matrix A of full column rank, a lattice generated by A is defined by the set: L(A) = {Az | z ∈ Zn}, where Zn is the set of integer n-vectors. The columns of A form a basis for the lattice L, and n is called the dimension of the lattice L. A is called a basis matrix, or a generator matrix.

slide-4
SLIDE 4

Concepts Algorithms Experimental Results References

A lattice of dimension at least 2 has infinite many bases. Basis matrices [a1,a2] and [b1,b2] generate the same lattice.

slide-5
SLIDE 5

Concepts Algorithms Experimental Results References

Why lattice?

Determining the shortest basis is NP-complete. Polytime algorithms to find sub-optimal solutions are widely used:

  • Public-key cryptography
  • Wireless communications
  • Integer linear programming
  • Shortest vector problem
slide-6
SLIDE 6

Concepts Algorithms Experimental Results References

Basis matrices [a1,a2] and [b1,b2] generate the same lattice. [b1,b2] is “better”: shorter, more orthogonal.

slide-7
SLIDE 7

Concepts Algorithms Experimental Results References

Lagrange/Gaussian Reduced Basis

  • Defined in two-dimensional lattices

We say A = [a1, a2] is Lagrange/Gaussian Reduced, if:

1

||a1||2 ≤ ||a2||2 ,

2

|aT

1 a2| ≤

||a1||2

2

2

. The angle between a1 and a2 is in [ π

3, 2π 3 ]

  • Can be found in polynomial time
slide-8
SLIDE 8

Concepts Algorithms Experimental Results References

Lagrange Iteration

A = [a1,a2] (assume ||a1||2 ≥ ||a2||2), one Lagrange iteration will:

  • Compute a scalar and round to integer q = ⌊aT

1 a2/||a2||2 2⌉;

  • Reduce a1 and swap two vectors;

t1 :

a1

a2

t2 :

a′

1 = a2

a′

2 = a1 −qa2

slide-9
SLIDE 9

Concepts Algorithms Experimental Results References

Lagrange Reduction Algorithm

Algorithm 1: Lagrange Reduction Algorithm Input : A basis {a1,a2} Output: Lagrange reduced basis {a1,a2}

1 if ||a1||2 < ||a2||2 then 2

SWAP(a1, a2) ;

3 repeat 4

Set q = ⌊aT

1 a2/||a2||2 2⌉ ; 5

Z12 = 1 1

−q

  • ;

6

[a1,a2] ← [a1,a2]Z12 ;

7 until ||a1||2 ≤ ||a2||2;

slide-10
SLIDE 10

Concepts Algorithms Experimental Results References

Generalize to n Dimention

Reduced Basis A basis matrix A = [a1,a2,..., an] is reduced, if :

||ai||2 ≤ ||aj||2

(for all 1 ≤ i < j ≤ n), (2.1a)

|aT

i aj| ≤ 1

2||aj||2

2

(for all 1 ≤ i < j ≤ n), (2.1b) Each pair of vectors in a reduced basis is Lagrange reduced.

slide-11
SLIDE 11

Concepts Algorithms Experimental Results References

Jacobi/Gaussian Method for n-dimensional Lattice

Given a basis A of dimension n (n ≥ 2), the Jacobi/Gaussian method:

  • Run Lagrange algorithm on each pair (ai,aj)
  • Terminate when all pairs (ai,aj) are Lagrange reduced
  • Use Gram matrix G = AT A to increase efficiency
slide-12
SLIDE 12

Concepts Algorithms Experimental Results References

Jacobi Method

  • Compute G = AT A

gii = ||ai||2

2,

gij = aT

i aj.

  • Check conditions

gjj ≥ gii , gii ≥ 2×|gij|. (2.2)

  • Run Lagrange algorithm
slide-13
SLIDE 13

Concepts Algorithms Experimental Results References

Algorithm 2: Jacobi Method Input : A basis A = {a1,a2,...,an} Output: Jacobi reduced basis

1 G = AT A ; 2 while not all off-diagonal elements gij satisfy condition (2.2) do 3

for i ← 1 to n −1 do

4

for j ← i +1 to n do

5

Run Lagrange algorithm to reduce (ai,aj) ;

6

Update G ;

slide-14
SLIDE 14

Concepts Algorithms Experimental Results References

Increase Efficiency

Increase the efficiency of the Jacobi method :

  • Unknown complexity

Introduce a reduction factor ω.

  • Includes unnecessary Lagrange calls

Reduce by Lagrange iteration directly.

slide-15
SLIDE 15

Concepts Algorithms Experimental Results References

Reduction Factor ω

A basis matrix A = [a1,a2] is ω-L-reduced, if:

|⌊aT

1 a2/as2 2⌉| ≤ 1,

(2.3a)

ωal2 ≤ al −ζ·as2,

(2.3b) where 1/

  • 3 ≤ ω < 1;

ζ = ±1 : the sign of aT

1 a2;

as, al : the shorter vector and the longer vector. Condition (2.3b) ensures a Lagrange iteration reduces al with a factor of at least ω.

slide-16
SLIDE 16

Concepts Algorithms Experimental Results References

An ω-Reduced Basis

An n-dimensional basis matrix A = [a1,a2,...,an] is ω-reduced, if :

|⌊aT

i aj/as2 2⌉| ≤ 1,

(2.4a)

ωal2 ≤ al −ζ·as2,

(2.4b) for all 1 ≤ i < j ≤ n, where

ζ = ±1 : the sign of aT

i aj,

as, al : the shorter and the longer of ai and aj.

slide-17
SLIDE 17

Concepts Algorithms Experimental Results References

An ω-Reduced Basis

Correspondingly,

|⌊gij/gss⌉| ≤ 1,

(2.5a)

ω2gll ≤ gii +gjj −2|gij|.

(2.5b) Since gij = aT

i aj and gjj = aj2 2.

slide-18
SLIDE 18

Concepts Algorithms Experimental Results References

Algorithm 3: Fast Jacobi Method Input : A basis A = {a1,a2,...,an}, and 1/

  • 3 ≤ ω < 1

Output: An ω-reduced basis

1 G = AT A ; 2 while not all off-diagonal elements gij satisfy condition (2.4a)

and (2.4b) do

3

for i ← 1 to n −1 do

4

for j ← i +1 to n do

5

Run Lagrange iteration to reduce (ai,aj) ;

6

Update G ; Complexity O(n4).

slide-19
SLIDE 19

Concepts Algorithms Experimental Results References

Experimental Results

Compared with the widely used LLL algorithm (O(n4)) on:

  • Hermite Factor

Defined by HF =

a12

Vol(L)1/n .

  • Orthogonality Defect

Defined by

δn(A) =

  • i ai2
  • det(AT A)

.

  • Efficiency
slide-20
SLIDE 20

Concepts Algorithms Experimental Results References

Hermite Factors

50 100 150 200 250 300 1.4 1.6 1.8 2 2.2 2.4 2.6 LLL FastJacobi

slide-21
SLIDE 21

Concepts Algorithms Experimental Results References

Orthogonality Defects

50 100 150 200 250 300 1.6 1.7 1.8 1.9 2 2.1 2.2 2.3 2.4 2.5 LLL FastJacobi

slide-22
SLIDE 22

Concepts Algorithms Experimental Results References

CPU Times

50 100 150 200 250 300 1 2 3 4 5 6 7 LLL FastJacobi

Implemented by MATLAB 2013a on a Dell desktop (i5 processor, 8G memories).

slide-23
SLIDE 23

Concepts Algorithms Experimental Results References

Logarithm of CPU Times

50 100 150 200 250 300 −7 −6 −5 −4 −3 −2 −1 1 2 LLL FastJacobi

slide-24
SLIDE 24

Concepts Algorithms Experimental Results References

Shortcomings

Compare with the LLL algorithm, the fast Jacobi-type method:

  • Cannot prove the good quality

vLLL ≤ 2nλ1.

  • Larger condition number
slide-25
SLIDE 25

Concepts Algorithms Experimental Results References

Conclusion

The fast Jacobi-type method for lattice basis reduction:

  • High efficiency
  • Inherently parallel
  • As a preprocessing method for other algorithms
slide-26
SLIDE 26

Concepts Algorithms Experimental Results References

Thanks !

slide-27
SLIDE 27

Concepts Algorithms Experimental Results References

[Qiao, 2012] S. Qiao A Jacobi Method for Lattice Basis Reduction An unpublished edited version, Apr. 2012. [Nguyen, 2009] P . Q. Nguyen and D. Stehle Low-dimensional lattice basis reduction revisited ACM Transactions on Algorithms, 2009. [Hoffstein, 2008] J. Hoffstein An introduction to mathematical cryptopgraphy Springer Science, 2008. [LLL, 1982] Lenstra, A. K.; Lenstra, H. W.; and Lovasz, L. Factoring Polynomials with Rational Coefficients

  • Math. Ann. 261, 515-534, 1982.