lattice basis reduction part 1 concepts
play

Lattice Basis Reduction Part 1: Concepts Sanzheng Qiao Department - PowerPoint PPT Presentation

Mar 29, 2024 •238 likes •757 views

Introduction Applications Notions of Reduced Bases Examples Lattice Basis Reduction Part 1: Concepts Sanzheng Qiao Department of Computing and Software McMaster University, Canada qiao@mcmaster.ca www.cas.mcmaster.ca/ qiao October 25,

  1. Introduction Applications Notions of Reduced Bases Examples Lattice Basis Reduction Part 1: Concepts Sanzheng Qiao Department of Computing and Software McMaster University, Canada qiao@mcmaster.ca www.cas.mcmaster.ca/ ˜ qiao October 25, 2011, revised February 2012 Joint work with W. Zhang and Y. Wei, Fudan University

  2. Introduction Applications Notions of Reduced Bases Examples Outline 1 Introduction 2 Applications 3 Notions of Reduced Bases 4 Examples

  3. Introduction Applications Notions of Reduced Bases Examples Outline 1 Introduction 2 Applications 3 Notions of Reduced Bases 4 Examples

  4. Introduction Applications Notions of Reduced Bases Examples An optimization problem Integer least squares (ILS) problem x ∈ Z n � Ax − b � 2 min 2 A : real, full column rank b : real

  5. Introduction Applications Notions of Reduced Bases Examples Example � − 1 � − 0 . 4 � � 4 A = b = , − 2 3 4

  6. Introduction Applications Notions of Reduced Bases Examples Example � − 1 � − 0 . 4 � � 4 A = b = , − 2 3 4

  7. Introduction Applications Notions of Reduced Bases Examples A naive approach Solve for the real solution, then round it to its nearest integer. � − 3 . 44 � − 3 � � A − 1 b = → − 0 . 96 − 1

  8. Introduction Applications Notions of Reduced Bases Examples A naive approach Solve for the real solution, then round it to its nearest integer. � − 3 . 44 � − 3 � � A − 1 b = → − 0 . 96 − 1

  9. Introduction Applications Notions of Reduced Bases Examples A naive approach Solve for the real solution, then round it to its nearest integer. � − 3 . 44 � − 3 � � A − 1 b = → − 0 . 96 − 1 Is this the ILS solution?

  10. Introduction Applications Notions of Reduced Bases Examples Lattices and Bases A brute force approach:

  11. Introduction Applications Notions of Reduced Bases Examples Lattices and Bases A brute force approach: The set L = { Az | z ∈ Z n } is call the lattice generated by A . Basis: Formed by the columns of A (generator matrix).

  12. Introduction Applications Notions of Reduced Bases Examples Lattices and bases For a given lattice, its basis is not unique. � − 1 � 2 B = − 2 − 1

  13. Introduction Applications Notions of Reduced Bases Examples Lattices and bases Two bases are related by AZ = B : � − 1 � � 1 � − 1 � � 4 2 2 = − 2 − 2 − 1 3 0 1 Z : Unimodular matrix, a nonsingular integer matrix whose inverse is also integer. (An integer matrix whose determinant is ± 1.)

  14. Introduction Applications Notions of Reduced Bases Examples Lattices and bases Two bases are related by AZ = B : � − 1 � � 1 � − 1 � � 4 2 2 = − 2 − 2 − 1 3 0 1 Z : Unimodular matrix, a nonsingular integer matrix whose inverse is also integer. (An integer matrix whose determinant is ± 1.) For any two generator matrices A and B of the same lattice, | det ( A ) | = | det ( B ) | , called the determinant (volume) of the lattice.

  15. Introduction Applications Notions of Reduced Bases Examples Naive approach revisited � − 1 . 52 � − 2 � � B − 1 b = → − 0 . 96 − 1

  16. Introduction Applications Notions of Reduced Bases Examples Naive approach revisited � − 1 . 52 � − 2 � � B − 1 b = → − 0 . 96 − 1 A closer (closest) lattice point (1.077 vs 1.166).

  17. Introduction Applications Notions of Reduced Bases Examples Naive approach revisited � − 1 . 52 � − 2 � � B − 1 b = → − 0 . 96 − 1 A closer (closest) lattice point (1.077 vs 1.166). Finding a closest vector (CVP) is an NP problem.

  18. Introduction Applications Notions of Reduced Bases Examples Lattice basis reduction Lattice basis reduction problem: Given a basis for a lattice, find a basis consisting of short vectors. Lattice basis reduction algorithm: Given a basis matrix A , compute a unimodular matrix Z that transforms the basis into a new basis matrix B = AZ whose column vectors (basis vectors) are short.

  19. Introduction Applications Notions of Reduced Bases Examples Outline 1 Introduction 2 Applications 3 Notions of Reduced Bases 4 Examples

  20. Introduction Applications Notions of Reduced Bases Examples Wireless communication Source signal (code) s , integer vector. Communication channel is represented by H , real/complex matrix. Noise is represented by v , real vector. The received signal y = Hs + v Given H and y , find s (decoding) using the naive approach called zero forcing (fast).

  21. Introduction Applications Notions of Reduced Bases Examples Wireless communication Source signal (code) s , integer vector. Communication channel is represented by H , real/complex matrix. Noise is represented by v , real vector. The received signal y = Hs + v Given H and y , find s (decoding) using the naive approach called zero forcing (fast). When H is reduced, we have better chance of recovering s (lattice aided decoding).

  22. Introduction Applications Notions of Reduced Bases Examples Cryptography Lattice based cryptosystems: GGH (Goldreich, Goldwasser, Halevi) public-key cryptosystem. Private key: A reduced basis matrix, e.g., diagonal, A . Public key: An ill-conditioned basis matrix B = AZ .

  23. Introduction Applications Notions of Reduced Bases Examples Cryptography Lattice based cryptosystems: GGH (Goldreich, Goldwasser, Halevi) public-key cryptosystem. Private key: A reduced basis matrix, e.g., diagonal, A . Public key: An ill-conditioned basis matrix B = AZ . Encrypt: e = Bc + v , c clear text, v noise. Decrypt: A − 1 e → Zc . ( B − 1 e gives wrong result.)

  24. Introduction Applications Notions of Reduced Bases Examples Cryptography Lattice based cryptosystems: GGH (Goldreich, Goldwasser, Halevi) public-key cryptosystem. Private key: A reduced basis matrix, e.g., diagonal, A . Public key: An ill-conditioned basis matrix B = AZ . Encrypt: e = Bc + v , c clear text, v noise. Decrypt: A − 1 e → Zc . ( B − 1 e gives wrong result.) Lattice basis reduction is an NP problem.

  25. Introduction Applications Notions of Reduced Bases Examples Outline 1 Introduction 2 Applications 3 Notions of Reduced Bases 4 Examples

  26. Introduction Applications Notions of Reduced Bases Examples Matrix representation Given a generator matrix A , compute the QRZ decomposition A = QRZ − 1 Q : orthonormal columns, preserving vector length R : upper triangular Z : unimodular

  27. Introduction Applications Notions of Reduced Bases Examples Matrix representation Given a generator matrix A , compute the QRZ decomposition A = QRZ − 1 Q : orthonormal columns, preserving vector length R : upper triangular Z : unimodular Thus QR is the QR decomposition of AZ , reduced (the columns of R or AZ are short).

  28. Introduction Applications Notions of Reduced Bases Examples Hermite reduction Hermite-reduced, also called size-reduced. Hermite, 1850. Hermite-reduced A lattice basis { b 1 , b 2 , . . . , b n } is called size-reduced if its QR decomposition satisfies | r i , i | ≥ 2 | r i , j | , 1 ≤ i < j ≤ n , for all

  29. Introduction Applications Notions of Reduced Bases Examples Hermite reduction Hermite-reduced, also called size-reduced. Hermite, 1850. Hermite-reduced A lattice basis { b 1 , b 2 , . . . , b n } is called size-reduced if its QR decomposition satisfies | r i , i | ≥ 2 | r i , j | , 1 ≤ i < j ≤ n , for all The off-diagonal of R is small.

  30. Introduction Applications Notions of Reduced Bases Examples HKZ reduction HKZ-reduced, strengthened Hermite-reduced. Korkine and Zolotarev, 1873. HKZ-reduced A lattice basis { b 1 , b 2 , . . . , b n } is called HKZ-reduced if it is size-reduced and for each trailing ( n − i + 1 ) × ( n − i + 1 ) , 1 ≤ i < n , submatrix of R in the QR decomposition, its first column is a shortest nonzero vector in the lattice generated by the submatrix.

  31. Introduction Applications Notions of Reduced Bases Examples HKZ reduction HKZ-reduced r i , i r i , i + 1 r i , n · · · r i + 1 , i + 1 r i + 1 , n · · · . ... . . r n , n

  32. Introduction Applications Notions of Reduced Bases Examples LLL reduction LLL-reduced Lenstra, Lenstra, and Lov´ asz, 1982 LLL-reduced A lattice basis { b 1 , b 2 , . . . , b n } is called LLL-reduced if it is size-reduced and R in the QR decomposition satisfies r 2 i + 1 , i + 1 + r 2 i , i + 1 ≥ ω r 2 i , i

  33. Introduction Applications Notions of Reduced Bases Examples HKZ and LLL HKZ-reduced and LLL-reduced r i , i r i , i + 1 r i , n · · · r i + 1 , i + 1 r i + 1 , n · · · . ... . . r n , n

  34. Introduction Applications Notions of Reduced Bases Examples HKZ and LLL HKZ-reduced and LLL-reduced r i , i r i , i + 1 r i , n · · · r i + 1 , i + 1 r i + 1 , n · · · . ... . . r n , n LLL-reduced is weaker than HKZ-reduced, HKZ-reduced implies LLL-reduced for any ω : 0 ; . 25 < ω < 1 . 0 Easier to compute (fast). Practically, it produces reasonably short bases.

  35. Introduction Applications Notions of Reduced Bases Examples Minkowski minima Minkowski, 1891 Short vectors Minkowski minima We say that λ k , 1 ≤ k ≤ n , is the k -th successive minimum wrt a lattice if λ k is the lower bound of the radius λ of the sphere || B z || 2 ≤ λ that contains k linearly independent lattice points.

Recommend

Lattice Basis Reduction Part II: Algorithms Sanzheng Qiao Department of Computing and Software

Lattice Basis Reduction Part II: Algorithms Sanzheng Qiao Department of Computing and Software

Hermite Reduction LLL Reduction HKZ Reduction Minkowski Reduction A Measurement Lattice Basis Reduction Part II: Algorithms Sanzheng Qiao Department of Computing and Software McMaster University, Canada qiao@mcmaster.ca

758 views • 63 slides
A Fast Jacobi-Type Method for Lattice Basis Reduction Zhaofei Tian Department of Computing and

A Fast Jacobi-Type Method for Lattice Basis Reduction Zhaofei Tian Department of Computing and

Concepts Algorithms Experimental Results References A Fast Jacobi-Type Method for Lattice Basis Reduction Zhaofei Tian Department of Computing and Software McMaster University Hamilton, Ontario, Canada Concepts Algorithms Experimental

308 views • 27 slides
The (gimmicky) Road Map Gradual Sub-Lattice Reduction The Old Stuff Lattice Reduction

The (gimmicky) Road Map Gradual Sub-Lattice Reduction The Old Stuff Lattice Reduction

The Old Stuff The New Concepts The Bottom Line Gradual Sub-Lattice Reduction (now with more applications!) Andy Novocin andy@novocin.com LIRMM, Montpellier June 22nd The Old Stuff The New Concepts The Bottom Line The (gimmicky) Road

1.46k views • 99 slides
a ; 90 o c -face centered lattice, having the

a ; 90 o c -face centered lattice, having the

PH-409 (2015) Tutorial Sheet No. 2 * Problems shall be discussed in tutorial class 20*. A two dimensional lattice has basis vectors 2 ; 2 . Find the a i b i j basis vectors of the reciprocal lattice. 21. (a) Show

214 views • 5 slides
Slide Reduction, RevisitedFilling the Gaps in Lattice SVP Approximation Jianwei Li ISG, RHUL,

Slide Reduction, RevisitedFilling the Gaps in Lattice SVP Approximation Jianwei Li ISG, RHUL,

Background on lattice reduction Our results Our technical ideas and argument Conclusion and open problems Slide Reduction, RevisitedFilling the Gaps in Lattice SVP Approximation Jianwei Li ISG, RHUL, UK London-ish Lattice Coding &amp;

1.91k views • 167 slides
Seminar of Lattice Analysis 01 Slide Reduction Revisited Wenling Liu, Shanghai Jiao Tong

Seminar of Lattice Analysis 01 Slide Reduction Revisited Wenling Liu, Shanghai Jiao Tong

Seminar of Lattice Analysis 01 Slide Reduction Revisited Wenling Liu, Shanghai Jiao Tong University. Wenling Liu @ SJTU Table of Contents Lattice Backgrounds LenstraLenstraLov asz Reduction Hemite SVP reduction and DBKZ Algorithm

930 views • 49 slides
What You Need to Know Definitions e.g., linear independence, basis, null space Concepts

What You Need to Know Definitions e.g., linear independence, basis, null space Concepts

What You Need to Know Definitions e.g., linear independence, basis, null space Concepts (including Theorems) e.g., A basis is (by definition) a linearly independent spanning set. Related concepts: Spanning Set Theorem Basis

591 views • 3 slides
Lattice-based cryptography (I) Thijs Laarhoven ts

Lattice-based cryptography (I) Thijs Laarhoven ts

Lattice-based cryptography (I) Thijs Laarhoven ts ttts PQCrypto Summer School 2017 (June 20, 2017) Part 1: Lattices, cryptography, and lattice basis

872 views • 53 slides
Accelerating lattice reduction algorithms with floating-point arithmetic Damien Stehl e

Accelerating lattice reduction algorithms with floating-point arithmetic Damien Stehl e

Background on Euclidean lattices Hybrid algorithms for LLL-reduction The fplll library Conclusion Accelerating lattice reduction algorithms with floating-point arithmetic Damien Stehl e http://perso.ens-lyon.fr/damien.stehle/ LIP

766 views • 74 slides
Part I - Basic concepts of thermochronology Basic concepts of thermochronology

Part I - Basic concepts of thermochronology Basic concepts of thermochronology

Class overview today - December 2, 2019 Part I - Basic concepts of thermochronology Basic concepts of thermochronology Estimating closure temperatures Part II - Low-temperature thermochronology (online only) Definition

815 views • 35 slides
Part I - Basic concepts of thermochronology Basic concepts of thermochronology

Part I - Basic concepts of thermochronology Basic concepts of thermochronology

Class overview today - December 2, 2019 Part I - Basic concepts of thermochronology Basic concepts of thermochronology Estimating closure temperatures Part II - Low-temperature thermochronology (online only) Definition of

951 views • 51 slides
Part I - Basic concepts of thermochronology Basic concepts of thermochronology

Part I - Basic concepts of thermochronology Basic concepts of thermochronology

Class overview today - December 2, 2019 Part I - Basic concepts of thermochronology Basic concepts of thermochronology Estimating closure temperatures Part II - Low-temperature thermochronology (online only) Definition of

695 views • 31 slides
Lattice Reduction and Preconditioning Xiao-Wen Chang Joint work with M. Al Borne, W.-Y. Ku, Y.

Lattice Reduction and Preconditioning Xiao-Wen Chang Joint work with M. Al Borne, W.-Y. Ku, Y.

Lattice Reduction and Preconditioning Xiao-Wen Chang Joint work with M. Al Borne, W.-Y. Ku, Y. Xiao and X. Xie Computer Science, McGill University, Montreal, Canada Fields Institute Workshop on Hybrid Methodologies for Symbolic-Numeric

1.3k views • 76 slides
The Shortest Vector Problem (Lattice Reduction Algorithms) Approximation Algorithms by V.

The Shortest Vector Problem (Lattice Reduction Algorithms) Approximation Algorithms by V.

The Shortest Vector Problem (Lattice Reduction Algorithms) Approximation Algorithms by V. Vazirani, Chapter 27 - Problem statement, general discussion - Lattices: brief introduction - The Gauss algorithm in R 2 - Lower bound via

295 views • 13 slides
Faster Enumeration-based Lattice Reduction: Root Hermite Factor k 1 / ( 2 k ) in Time k k / 8 + o (

Faster Enumeration-based Lattice Reduction: Root Hermite Factor k 1 / ( 2 k ) in Time k k / 8 + o (

Faster Enumeration-based Lattice Reduction: Root Hermite Factor k 1 / ( 2 k ) in Time k k / 8 + o ( k ) Martin R. Albrecht 1 , Shi Bai 2 , Pierre-Alain Fouque 3 , Paul Kirchner 3 , Damien Stehl 4 and Weiqiang Wen 3 1 Royal Holloway, University of

985 views • 50 slides
Computing an LLL-reduced Basis of the Orthogonal Lattice Jingwei Chen Damien Stehl e Gilles

Computing an LLL-reduced Basis of the Orthogonal Lattice Jingwei Chen Damien Stehl e Gilles

Computing an LLL-reduced Basis of the Orthogonal Lattice Jingwei Chen Damien Stehl e Gilles Villard Chongqing Institute of Green and Intelligent Technology, Chinese Academy of Sciences Laboratoire LIP (UMR CNRS - ENS Lyon - UCB Lyon 1 -

1.33k views • 93 slides
A Reduced-Basis Approach to the Reduction of Computations in Multiscale Models &amp; Uncertainty

A Reduced-Basis Approach to the Reduction of Computations in Multiscale Models &amp; Uncertainty

A Reduced-Basis Approach to the Reduction of Computations in Multiscale Models &amp; Uncertainty Quantification Sbastien Boyaval 1 , 2 , 3 1 Univ. Paris Est , Laboratoire dhydraulique Saint-Venant (EDF R&amp;D Ecole des Ponts Paristech

597 views • 46 slides
Lattice Reduction, Integer Programming, and Knapsacks Daniel Lichtblau danl@wolfram.com Wolfram

Lattice Reduction, Integer Programming, and Knapsacks Daniel Lichtblau danl@wolfram.com Wolfram

Lattice Reduction, Integer Programming, and Knapsacks Daniel Lichtblau danl@wolfram.com Wolfram Research, Inc. 100 Trade Centre Dr. Champaign IL USA, 61820 ICMS, Castro Urdiales, Spain September 13, 2006 Abstract We will discuss

755 views • 31 slides
DRS Diagonal dominant Reduction for lattice-based Signature Thomas PLANTARD, Arnaud SIPASSEUTH,

DRS Diagonal dominant Reduction for lattice-based Signature Thomas PLANTARD, Arnaud SIPASSEUTH,

DRS Diagonal dominant Reduction for lattice-based Signature Thomas PLANTARD, Arnaud SIPASSEUTH, Cedric DUMONDELLE, Willy SUSILO Institute of Cybersecurity and Cryptology University of Wollongong http://www.uow.edu.au/ thomaspl

458 views • 22 slides
Algebraic reduction for low-complexity lattice decoding L AURA L UZZI Laboratoire ETIS (ENSEA -

Algebraic reduction for low-complexity lattice decoding L AURA L UZZI Laboratoire ETIS (ENSEA -

Algebraic reduction for low-complexity lattice decoding L AURA L UZZI Laboratoire ETIS (ENSEA - Universit Cergy-Pontoise - CNRS) L ATTICE C ODING AND C RYPTO M EETING I MPERIAL C OLLEGE L ONDON - S EPTEMBER 24, 2018 Laura Luzzi Algebraic

1.34k views • 116 slides
219451: Web Services: Concepts, Design and Implementation Lecture 2 XML Basis XML, HTML and

219451: Web Services: Concepts, Design and Implementation Lecture 2 XML Basis XML, HTML and

219451: Web Services: Concepts, Design and Implementation Lecture 2 XML Basis XML, HTML and SGML : A big picture XML Overview DTD Parser DOM Original slides by Dr.Benchaporn Limthammaporn (blt@cs.kmitnb.ac.th) 1 Edited by Dr.Monchai

476 views • 28 slides
A Hybrid Lattice Reduction and Quantum Search Attack on LWE F. Gpfert, C. van Vredendaal,

A Hybrid Lattice Reduction and Quantum Search Attack on LWE F. Gpfert, C. van Vredendaal,

A Hybrid Lattice Reduction and Quantum Search Attack on LWE F. Gpfert, C. van Vredendaal, Thomas Wunderer 29.06.2017 | 1 Motivation Primal BKW Embedding LWE Hybrid Dual Embedding Make it quantum! Faster More versatile

553 views • 28 slides
Reduced basis method for the reliable model reduction of Navier-Stokes equations in cardiovascular

Reduced basis method for the reliable model reduction of Navier-Stokes equations in cardiovascular

Introduction Navier-Stokes equations Reduced basis approximation Application in cardiovascular modelling Reduced basis method for the reliable model reduction of Navier-Stokes equations in cardiovascular modelling Toni Lassila, Andrea Manzoni,

488 views • 22 slides
Solid State Physics 460- Lecture 5 Diffraction and the Reciprocal Lattice Continued (Kittel Ch.

Solid State Physics 460- Lecture 5 Diffraction and the Reciprocal Lattice Continued (Kittel Ch.

Solid State Physics 460- Lecture 5 Diffraction and the Reciprocal Lattice Continued (Kittel Ch. 2) Ewald Construction k out G k in 2 Physics 460 F 2006 Lect 5 1 Recall from previous lectures Definition of a crystal Lattice + Basis

300 views • 28 slides

More recommend