Diophantine Approximation and Basis Reduction

1
Diophantine Approximation and Basis Reduction

• By Shu Wang
• CAS 746 Presentation
• 6th, Feb, 2006

2
Overview

• Problem Approximating real numbers by rational
  numbers of low denominator and finding a
  so-called reduced basis in a lattice
• Content
• The continued fraction method for approximating
  one real number
• Lovászs basis reduction method for lattices
• Applications
• Notations

3
Dirichlets Theorem

• Let be a real number and let Then
  there exist two integers p and q such that
• Example.

4
Proof of Dirichlets Theorem

0
1

• Let we find two different
  integers i and j where
• Consider the following series
• Otherwise, according to pigeon-hole principle,
  

5
Proof of Dirichlets Theorem - continued

• Exercises

6
The Continued Fraction Method

• Given a real number , we compute its rational
  approximation by following a series of steps as
  follows
• First we define
• This sequence stops if becomes an integer
• We define an sequences called convergents that
  approximate to the above
• If becomes an integer then the last term of
  convergents equals to . We use to denote
  the term of the convergents of

7
The Continued Fraction Method (2)

• We can determine a sequence where
  so that it corresponds to the
  convergent series
• Suppose the first two terms are as follows
• What can we deduce from it?
• If then . Contradiction exist.

8
Proof

9
The Continued Fraction Method (3)

• Suppose we have found nonnegative integers
  such that
• This implies why?

10
The Continued Fraction Method (4)

• We find the largest integer such that
• We define
• If then the sequence stop,
  otherwise we find the largest such that
• We define and so on
• We can repeat the iteration and find the sequence
• It turns out that this sequence is the same
  as the sequence of convergents of real number
  !

11
Proof

• We use to denote the term with respect to
• First we prove when
• Prove by induction
• Then we prove
• Prove by induction

12
Some Properties of Sequence

• Denominators are monotonically increasing
• For any real numbers and with
  , one of the convergents satisfy the
  Dirichlets theorem
• Proof Let be the last convergent for
  which holds. Then
• The sequence converge to
• Proof by induction

13
Algorithm of Continued Fraction Method

• Initially . Suppose then we
  compute by
  using the following rule
• If k is even and , subtract
  times the second column of from the
  first column
• If k is odd and , subtract
  times the first column of from
  the second column
• The matrices is in the following form
• The found in this way are the same as
  in the convergents
• Proved by induction

14
Time complexity of Continued Fraction Method

• Corollary. Given rational number , the
  continued fraction method finds integers and
  as described in Dirichelets theorem in time
  polynomially bounded by the size of
• Proved similar to Euclidean algorithm
• Theorem. Let be a real number, and let
  and be natural numbers with . Then
  occurs as convergent for
• Corollary. There exist a polynomial algorithm
  which, for given rational number and natural
  number M, tests if there exists a rational
  number with . If so, finds this rational
  number.

15
Summary

• Given a real number , there exist a rational
  number with small that is close enough to
• Continued fraction method compute a rational
  number that equals to if is a
  rational number. Otherwise converge to
• The algorithm for continued fraction method is a
  polynomial Euclidean-like algorithm

16
Basis Reduction in Lattices - Overview

• Problem Given a lattice (represented by its
  basis), finds a reduced short (nearly
  orthogonal) basis.
• Applications
• Finding a short nonzero vector in a lattice
• Simultaneous Diophantine approximation
• Finding the Hermite normal form
• Basis reduction has numerous applications in
  cryptanalysis of public-key encryption schemes
  knapsack cryptosystems, RSA with particular
  settings, and so forth

17
Basic Concepts Review

• Lattice. Given a sequence of vectors
  , and a group we say
  generate if . We call a
  lattice and the basis of . In other
  words, a lattice can be seen as an integer linear
  combinations of its basis. It is a subset of the
  subspace generated by its basis.
• A matrix can be seen as a sequence of column
  (row) vectors, therefore a lattice can be
  generated by columns (rows) of a matrix

18
Basic Concepts Review - 2

• Let A and B both be a nonsingular matrix of order
  n, and whose column both generate the same
  lattice , then and this is
  called the det of lattice . In other words,
  det is independent to chose of basis
• Proof
• Lemma 1 If B is obtained by interchanging two
  columns (rows) of A, then det B -det A.
• Proof Complicated (component-wise) proof by
  induction
• Lemma 2 If A has two identical columns (rows),
  then det A 0.
• Proof Let A be a matrix with two identical rows,
  let B be a matrix constructed from A by
  interchanging these two column (rows). Then det B
  det A because these two matrices are equal.
  However, from Lemma 1 we know that det B -det
  A. So det B det A 0
• Lemma 3 The determinant of an nxn matrix can be
  computed by expansion of any row or column.
• Also called Laplace Expansion Theorem,
  component-wisely proved by Laplace.
• Lemma 4 If B is obtained by multiplying a column
  (row) of A by k, then det B k det A.
• Proof. We can calculate det B by expanding the
  same column (row) of B as that of A, which yields
  det B k det A.

19
Basic Concepts Review - 3

• Lemma 5 If A, B and C are identical except that
  the i-th column (row) of C is the sum of the i-th
  columns (rows) of A and B, then det C det A
  det B.
• Proof. We can calculate det B by expanding the
  i-th column of C, then we can prove det C det A
  det B by using the distributivity of
  multiplication of matrices
• Lemma 6 If B is obtained by adding a multiple of
  one column (row) i of A to another column (row)
  j, then det B det A.
• Proof. Let A be the matrix that constructed by
  replacing column (row) i of A to j, then det A
  0 because A has two identical columns. Matrix A,
  A and B satisfy Lemma 5 so that det B det A
  det A det A
• Lemma 7 If If B is obtained by elementary column
  operations from A, then det B det A.
• Proof. Directly from Lemma 1, 4 and 6.
• From chapter 4, we know that if matrix A and B
  generate the same lattice then they have the same
  Hermite Normal Form by elementary column
  operations, therefore from Lemma 7 we have det
  B det A.

20
Geometric Meaning of Determinant

• The determinant of corresponds to the volume
  of the parallelepiped
• Where is any basis for
• Hadamard Inequality theorem
• When are orthogonal to each other, the
  equality holds.
• We now have the lower bound of
  , what about the upper bound?
• Hermite showed that
• Minkowski showed that
• Schnorr proved that for each fixed then there
  exist a polynomial algorithm finding a basis
  satisfying

21
Basis Reduction Theorem

• A matrix is called positive definite if
• There exist a polynomial algorithm which, for
  given positive definite rational matrix D, finds
  a basis
• for the lattice
  satisfying
• ?b1? ?b2??bn?
• where ?x?
• We prove this theorem by showing the LLL algorithm

22
The Lenstra, Lenstra and Lovász Algorithm

• We construct a series of basis for as
  follows
• The first basis is the unit basis.
• We construct the next basis inductively using the
  following steps
• 1. Denote as the matrix with columns
  , we calculate
• 2.
• 3. Choose, if possible, an index i such that
  ?b2?2gt2?bi1?2. Exchange bi and bi1, and start
  with step 1 again. If no such i exists, the
  algorithm stops.

23
The Lenstra, Lenstra and Lovász Algorithm -
Continued

• The LLL algorithm is an approximation of the
  Gram-Schmidt orthogonalization process which
  finds a orthogonal basis in a subspace of
• The LLL algorithm terminates in polynomial time,
  with intermediate numbers polynomially bounded by
  the size of D
• Complicated proof see p.68 p.71

24
Finding a Short Nonzero Vector in a Lattice

• In 1891, Minkowski proved a classical result any
  n-dimensional lattice contains a nonzero vector b
  with
  
  
  where denotes the volume
  of the n-dimensional unit ball. However, no
  polynomial algorithm finding such a vector b is
  known.
• With the basis reduction method, by taking the
  shortest vector one can find a longer short
  vector in a lattice, which satisfy
• However, this vector is generally not the
  shortest one in the lattice
• The CVP (Closest Vector Problem) Given a
  lattice and vector a, find b with (any kind
  of) norm of b-a as small as possible is proven
  to be NP-complete
• The SVP (Shortest Nonzero Vector Problem) Given
  a lattice, finding a vector in the lattice as
  small as possible is even proven to be NP-hard
  to approximate within some constant Dan 2001

25
Simultaneous Diophantine Approximation

• Dirichlet showed that Let
  be real numbers with Then there exist two
  integers and q such that
• No polynomial method is known for this
  problem, unless when n1, where we can use the
  continued fraction method
• However, we can use basis reduction method to
  find a weaker approximation of the problem in
  polynomial time

26
Finding the Hermite Normal Form

• Given a matrix A, we can use basis reduction
  method to calculate vector and
  record it in such a way that it can be transform
  to Hermite Normal Form by elementary column
  operations
• Some of the other applications
• Lenstras Integer Linear Programming algorithm
• Factoring polynomials (over rationals) in
  polynomial time
• Breaking cryptographic codes
• Disproving Mertens conjecture
• Solving low density subset sum problems

27
Summary

• The continued fraction method for approximating
  one real number by rational numbers
• Lovászs basis reduction method for finding a
  short basis in a lattice
• Applications

28

• Thank you ?