lattice basis reduction part ii algorithms
play

Lattice Basis Reduction Part II: Algorithms Sanzheng Qiao - PowerPoint PPT Presentation

Oct 28, 2023 •127 likes •758 views

Hermite Reduction LLL Reduction HKZ Reduction Minkowski Reduction A Measurement Lattice Basis Reduction Part II: Algorithms Sanzheng Qiao Department of Computing and Software McMaster University, Canada qiao@mcmaster.ca

  1. Hermite Reduction LLL Reduction HKZ Reduction Minkowski Reduction A Measurement Lattice Basis Reduction Part II: Algorithms Sanzheng Qiao Department of Computing and Software McMaster University, Canada qiao@mcmaster.ca www.cas.mcmaster.ca/ ˜ qiao November 8, 2011, revised February 2012 Joint work with W. Zhang and Y. Wei, Fudan University

  2. Hermite Reduction LLL Reduction HKZ Reduction Minkowski Reduction A Measurement Outline 1 Hermite Reduction 2 LLL Reduction 3 HKZ Reduction 4 Minkowski Reduction 5 A Measurement

  3. Hermite Reduction LLL Reduction HKZ Reduction Minkowski Reduction A Measurement Outline 1 Hermite Reduction 2 LLL Reduction 3 HKZ Reduction 4 Minkowski Reduction 5 A Measurement

  4. Hermite Reduction LLL Reduction HKZ Reduction Minkowski Reduction A Measurement Hermite reduction (size reduction) Hermite-reduced A lattice basis { b 1 , b 2 , . . . , b n } is called size-reduced if its QR decomposition satisfies | r i , i | ≥ 2 | r i , j | , 1 ≤ i < j ≤ n , for all

  5. Hermite Reduction LLL Reduction HKZ Reduction Minkowski Reduction A Measurement Hermite reduction (size reduction) Hermite-reduced A lattice basis { b 1 , b 2 , . . . , b n } is called size-reduced if its QR decomposition satisfies | r i , i | ≥ 2 | r i , j | , 1 ≤ i < j ≤ n , for all Procedure Reduce ( i , j ) � r i , j � r i , j � r i , i � � r i , j � � � � r i , i r i , j − r i , i � 1 − r i , i r i , i = r j , j r j , j 0 1 � r i , j � �� | r i , i | ≥ 2 � r i , j − r i , i � � r i , i �

  6. Hermite Reduction LLL Reduction HKZ Reduction Minkowski Reduction A Measurement Gauss reduction A unimodular transformation � 1 � � � − µ 1 0 or 0 1 − µ 1 Also called Integer Gauss transformation Integer elementary matrix

  7. Hermite Reduction LLL Reduction HKZ Reduction Minkowski Reduction A Measurement Outline 1 Hermite Reduction 2 LLL Reduction 3 HKZ Reduction 4 Minkowski Reduction 5 A Measurement

  8. Hermite Reduction LLL Reduction HKZ Reduction Minkowski Reduction A Measurement LLL reduction LLL-reduced A lattice basis { b 1 , b 2 , . . . , b n } is called LLL-reduced if it is size-reduced and R in the QR decomposition satisfies r 2 i + 1 , i + 1 + r 2 i , i + 1 ≥ ω r 2 i , i

  9. Hermite Reduction LLL Reduction HKZ Reduction Minkowski Reduction A Measurement LLL reduction LLL-reduced A lattice basis { b 1 , b 2 , . . . , b n } is called LLL-reduced if it is size-reduced and R in the QR decomposition satisfies r 2 i + 1 , i + 1 + r 2 i , i + 1 ≥ ω r 2 i , i Procedure SwapRestore ( i ) Find a Givens plane rotation G : � r i − 1 , i − 1 � � 0 � ˆ r i − 1 , i r i − 1 , i − 1 r i − 1 , i � ˆ � 1 G = . r i , i r i , i ˆ 0 1 0 0 Unimodular transformation: Permutation

  10. Hermite Reduction LLL Reduction HKZ Reduction Minkowski Reduction A Measurement LLL algorithm k = 2; while k <= n { if |r(k-1,k) / r(k-1,k-1)| > 1/2 if r(k,k)ˆ2 + r(k-1,k)ˆ2 < w*r(k-1,k-1)ˆ2 { } else { } }

  11. Hermite Reduction LLL Reduction HKZ Reduction Minkowski Reduction A Measurement LLL algorithm k = 2; while k <= n { if |r(k-1,k) / r(k-1,k-1)| > 1/2 Reduce(k-1,k); if r(k,k)ˆ2 + r(k-1,k)ˆ2 < w*r(k-1,k-1)ˆ2 { } else { } }

  12. Hermite Reduction LLL Reduction HKZ Reduction Minkowski Reduction A Measurement LLL algorithm k = 2; while k <= n { if |r(k-1,k) / r(k-1,k-1)| > 1/2 Reduce(k-1,k); if r(k,k)ˆ2 + r(k-1,k)ˆ2 < w*r(k-1,k-1)ˆ2 { SwapRestore(k); k = max(k-1, 2); } else { } }

  13. Hermite Reduction LLL Reduction HKZ Reduction Minkowski Reduction A Measurement LLL algorithm k = 2; while k <= n { if |r(k-1,k) / r(k-1,k-1)| > 1/2 Reduce(k-1,k); if r(k,k)ˆ2 + r(k-1,k)ˆ2 < w*r(k-1,k-1)ˆ2 { SwapRestore(k); k = max(k-1, 2); } else { for i = k-2 downto 1 if |r(i,k) / r(i,i)| > 1/2 Reduce(i,k); k = k+1; } }

  14. Hermite Reduction LLL Reduction HKZ Reduction Minkowski Reduction A Measurement LLL algorithm k = 2; while k <= n { if |r(k-1,k) / r(k-1,k-1)| > 1/2 Reduce(k-1,k); if r(k,k)ˆ2 + r(k-1,k)ˆ2 < w*r(k-1,k-1)ˆ2 { SwapRestore(k); k = max(k-1, 2); } else { for i = k-2 downto 1 if |r(i,k) / r(i,i)| > 1/2 Reduce(i,k); k = k+1; } } Redundant size reductions.

  15. Hermite Reduction LLL Reduction HKZ Reduction Minkowski Reduction A Measurement An improvement: Delayed size reduction k = 2; while k <= n g = round(r(k-1,k) / r(k-1,k-1)); if r(k,k)ˆ2 + (r(k-1,k) - g*r(k-1,k-1))ˆ2 < w*r(k-1,k-1)ˆ2 ReduceSwapRestore(k); k = max(k-1, 2); else k = k + 1; for k = 2 to n for i = k-1 downto 1 if |r(i,k) / r(i,i)| > 1/2 Reduce(i,k);

  16. Hermite Reduction LLL Reduction HKZ Reduction Minkowski Reduction A Measurement An improvement: Delayed size reduction k = 2; while k <= n g = round(r(k-1,k) / r(k-1,k-1)); if r(k,k)ˆ2 + (r(k-1,k) - g*r(k-1,k-1))ˆ2 < w*r(k-1,k-1)ˆ2 ReduceSwapRestore(k); k = max(k-1, 2); else k = k + 1; for k = 2 to n for i = k-1 downto 1 if |r(i,k) / r(i,i)| > 1/2 Reduce(i,k); Produces identical results at 50% cost.

  17. Hermite Reduction LLL Reduction HKZ Reduction Minkowski Reduction A Measurement Outline 1 Hermite Reduction 2 LLL Reduction 3 HKZ Reduction 4 Minkowski Reduction 5 A Measurement

  18. Hermite Reduction LLL Reduction HKZ Reduction Minkowski Reduction A Measurement HKZ reduction HKZ-reduced A lattice basis { b 1 , b 2 , . . . , b n } is called HKZ-reduced if it is size-reduced and for each trailing ( n − i + 1 ) × ( n − i + 1 ) , 1 ≤ i < n , submatrix of R in the QR decomposition, its first column is a shortest nonzero vector in the lattice generated by the submatrix.

  19. Hermite Reduction LLL Reduction HKZ Reduction Minkowski Reduction A Measurement HKZ reduction HKZ-reduced A lattice basis { b 1 , b 2 , . . . , b n } is called HKZ-reduced if it is size-reduced and for each trailing ( n − i + 1 ) × ( n − i + 1 ) , 1 ≤ i < n , submatrix of R in the QR decomposition, its first column is a shortest nonzero vector in the lattice generated by the submatrix. Two problems Shortest vector problem (SVP) Expansion to a basis

  20. Hermite Reduction LLL Reduction HKZ Reduction Minkowski Reduction A Measurement SVP � Bz � 2 min 2 z

  21. Hermite Reduction LLL Reduction HKZ Reduction Minkowski Reduction A Measurement SVP � Bz � 2 min 2 z Sphere decoding Determine a search sphere � Bz � 2 2 ≤ ρ 2

  22. Hermite Reduction LLL Reduction HKZ Reduction Minkowski Reduction A Measurement SVP � Bz � 2 min 2 z Sphere decoding Determine a search sphere � Bz � 2 2 ≤ ρ 2 A simple choice of ρ : the length of the first (or shortest) column of B .

  23. Hermite Reduction LLL Reduction HKZ Reduction Minkowski Reduction A Measurement Example z 1  4 1 5    Rz = z 2 0 4 4     z 3 0 0 3 ρ = 4

  24. Hermite Reduction LLL Reduction HKZ Reduction Minkowski Reduction A Measurement Example z 1  4 1 5    Rz = z 2 0 4 4     z 3 0 0 3 ρ = 4 A necessary condition for z 3 : | 3 z 3 | ≤ 4. Possible values of z 3 : 0, − 1, 1

  25. Hermite Reduction LLL Reduction HKZ Reduction Minkowski Reduction A Measurement Example For each possible values of z 3 , say z 3 = 0, � z 1 z 1         4 1 5 4 1 5 � Rz = z 2  = 0 4 4 0 4 + 0 4 z 2        z 3 0 0 3 0 0 3 The problem size is reduced.

  26. Hermite Reduction LLL Reduction HKZ Reduction Minkowski Reduction A Measurement Example For each possible values of z 3 , say z 3 = 0, � z 1 z 1         4 1 5 4 1 5 � Rz = z 2  = 0 4 4 0 4 + 0 4 z 2        z 3 0 0 3 0 0 3 The problem size is reduced. The necessary condition for z 2 : | 4 z 2 | ≤ 4 Possible values of z 2 : 0, − 1, 1

  27. Hermite Reduction LLL Reduction HKZ Reduction Minkowski Reduction A Measurement Example The search tree 0 −1 1 z 3 0 −1 1 0 −1 1 z 2 −1 1 1 z 1 The solution       4 1 5 1 0 Rz =  = 0 4 4 1 0      0 0 3 − 1 − 3

  28. Hermite Reduction LLL Reduction HKZ Reduction Minkowski Reduction A Measurement Expanding to a basis Problem: Transform the basis matrix   4 1 5 A = 0 4 4   0 0 3 into a new basis matrix whose first column is the shortest vector  0  A z = 0   − 3

  29. Hermite Reduction LLL Reduction HKZ Reduction Minkowski Reduction A Measurement Expanding to a basis Problem: Transform the basis matrix   4 1 5 A = 0 4 4   0 0 3 into a new basis matrix whose first column is the shortest vector  0  A z = 0   − 3 That is, find a unimodular matrix Z : A z = AZ e 1 or z = Z e 1 , Z − 1 z = e 1 Unimodular transformation that introduces zeros into an integer vector.

  30. Hermite Reduction LLL Reduction HKZ Reduction Minkowski Reduction A Measurement A plane unimodular transformation A unimodular transformation (Luk, Zhang, and Q, 2010). gcd ( p , q ) = ± d , ap + bq = ± d . Form the unimodular matrix � � p � d a b � � � = − q / d p / d q 0

Recommend

A Fast Jacobi-Type Method for Lattice Basis Reduction Zhaofei Tian Department of Computing and

A Fast Jacobi-Type Method for Lattice Basis Reduction Zhaofei Tian Department of Computing and

Concepts Algorithms Experimental Results References A Fast Jacobi-Type Method for Lattice Basis Reduction Zhaofei Tian Department of Computing and Software McMaster University Hamilton, Ontario, Canada Concepts Algorithms Experimental

308 views • 27 slides
Lattice Basis Reduction Part 1: Concepts Sanzheng Qiao Department of Computing and Software

Lattice Basis Reduction Part 1: Concepts Sanzheng Qiao Department of Computing and Software

Introduction Applications Notions of Reduced Bases Examples Lattice Basis Reduction Part 1: Concepts Sanzheng Qiao Department of Computing and Software McMaster University, Canada qiao@mcmaster.ca www.cas.mcmaster.ca/ qiao October 25,

757 views • 50 slides
The Shortest Vector Problem (Lattice Reduction Algorithms) Approximation Algorithms by V.

The Shortest Vector Problem (Lattice Reduction Algorithms) Approximation Algorithms by V.

The Shortest Vector Problem (Lattice Reduction Algorithms) Approximation Algorithms by V. Vazirani, Chapter 27 - Problem statement, general discussion - Lattices: brief introduction - The Gauss algorithm in R 2 - Lower bound via

295 views • 13 slides
Accelerating lattice reduction algorithms with floating-point arithmetic Damien Stehl e

Accelerating lattice reduction algorithms with floating-point arithmetic Damien Stehl e

Background on Euclidean lattices Hybrid algorithms for LLL-reduction The fplll library Conclusion Accelerating lattice reduction algorithms with floating-point arithmetic Damien Stehl e http://perso.ens-lyon.fr/damien.stehle/ LIP

766 views • 74 slides
a ; 90 o c -face centered lattice, having the

a ; 90 o c -face centered lattice, having the

PH-409 (2015) Tutorial Sheet No. 2 * Problems shall be discussed in tutorial class 20*. A two dimensional lattice has basis vectors 2 ; 2 . Find the a i b i j basis vectors of the reciprocal lattice. 21. (a) Show

214 views • 5 slides
Slide Reduction, RevisitedFilling the Gaps in Lattice SVP Approximation Jianwei Li ISG, RHUL,

Slide Reduction, RevisitedFilling the Gaps in Lattice SVP Approximation Jianwei Li ISG, RHUL,

Background on lattice reduction Our results Our technical ideas and argument Conclusion and open problems Slide Reduction, RevisitedFilling the Gaps in Lattice SVP Approximation Jianwei Li ISG, RHUL, UK London-ish Lattice Coding &amp;

1.91k views • 167 slides
Seminar of Lattice Analysis 01 Slide Reduction Revisited Wenling Liu, Shanghai Jiao Tong

Seminar of Lattice Analysis 01 Slide Reduction Revisited Wenling Liu, Shanghai Jiao Tong

Seminar of Lattice Analysis 01 Slide Reduction Revisited Wenling Liu, Shanghai Jiao Tong University. Wenling Liu @ SJTU Table of Contents Lattice Backgrounds LenstraLenstraLov asz Reduction Hemite SVP reduction and DBKZ Algorithm

930 views • 49 slides
Algorithms for Lattice Transforms and 2348 2349 Lattice Transforms for 234 248 239

Algorithms for Lattice Transforms and 2348 2349 Lattice Transforms for 234 248 239

Algorithms for Lattice Transforms and 2348 2349 Lattice Transforms for 234 248 239 Algorithms 23 39 24 Thore Husfeldt 2 Lund University and IT University of Copenhagen 3 This Talk in 60 Seconds In Prefix sum Out y i = x

1.39k views • 111 slides
Lattice-based cryptography (I) Thijs Laarhoven ts

Lattice-based cryptography (I) Thijs Laarhoven ts

Lattice-based cryptography (I) Thijs Laarhoven ts ttts PQCrypto Summer School 2017 (June 20, 2017) Part 1: Lattices, cryptography, and lattice basis

872 views • 53 slides
The (gimmicky) Road Map Gradual Sub-Lattice Reduction The Old Stuff Lattice Reduction

The (gimmicky) Road Map Gradual Sub-Lattice Reduction The Old Stuff Lattice Reduction

The Old Stuff The New Concepts The Bottom Line Gradual Sub-Lattice Reduction (now with more applications!) Andy Novocin andy@novocin.com LIRMM, Montpellier June 22nd The Old Stuff The New Concepts The Bottom Line The (gimmicky) Road

1.46k views • 99 slides
Algorithms for hard lattice problems Thijs Laarhoven ts

Algorithms for hard lattice problems Thijs Laarhoven ts

Algorithms for hard lattice problems Thijs Laarhoven ts ttts Tenerife PQCrypto Conference (January 31, 2018) Lattices What is a lattice? O Lattices What

1.59k views • 136 slides
Applications of Lattices in Telecommunications Amin Sakzad Dept of Electrical and Computer

Applications of Lattices in Telecommunications Amin Sakzad Dept of Electrical and Computer

Sphere Decoder Algorithm Lattice Reduction Algorithms Integer-Forcing Linear Receiver Lattice-based Cryptography Applications of Lattices in Telecommunications Amin Sakzad Dept of Electrical and Computer Systems Engineering Monash University

772 views • 76 slides
Sampling Algorithms for Lattice Gaussian Codes based on joint work with J.-C. Belfiore

Sampling Algorithms for Lattice Gaussian Codes based on joint work with J.-C. Belfiore

Lattice Coding &amp; Crypto Meeting Antonio Campello Sampling Algorithms for Lattice Gaussian Codes based on joint work with J.-C. Belfiore (Huawei Technologies France) Discrete Gaussian Measures f : R n R + D : [0 , 1] is a

917 views • 33 slides
Lattice Reduction and Preconditioning Xiao-Wen Chang Joint work with M. Al Borne, W.-Y. Ku, Y.

Lattice Reduction and Preconditioning Xiao-Wen Chang Joint work with M. Al Borne, W.-Y. Ku, Y.

Lattice Reduction and Preconditioning Xiao-Wen Chang Joint work with M. Al Borne, W.-Y. Ku, Y. Xiao and X. Xie Computer Science, McGill University, Montreal, Canada Fields Institute Workshop on Hybrid Methodologies for Symbolic-Numeric

1.3k views • 76 slides
Analyzing Blockwise Lattice Algorithms using Dynamical Systems Guillaume Hanrot, Xavier Pujol,

Analyzing Blockwise Lattice Algorithms using Dynamical Systems Guillaume Hanrot, Xavier Pujol,

Analyzing Blockwise Lattice Algorithms using Dynamical Systems Guillaume Hanrot, Xavier Pujol, Damien Stehl e ENS Lyon, LIP (CNRS ENSL INRIA UCBL - ULyon) Analyzing Blockwise Lattice Algorithms using Dynamical Systems 1/16

939 views • 61 slides
6.1 Dimensionality reduction Previously in the course, we have discussed algorithms suited for a

6.1 Dimensionality reduction Previously in the course, we have discussed algorithms suited for a

CS/CNS/EE 253: Advanced Topics in Machine Learning Topic: Dimensionality Reduction Lecturer: Andreas Krause Scribe: Matt Faulkner Date: 25 January 2010 6.1 Dimensionality reduction Previously in the course, we have discussed algorithms suited for

442 views • 6 slides
Faster Enumeration-based Lattice Reduction: Root Hermite Factor k 1 / ( 2 k ) in Time k k / 8 + o (

Faster Enumeration-based Lattice Reduction: Root Hermite Factor k 1 / ( 2 k ) in Time k k / 8 + o (

Faster Enumeration-based Lattice Reduction: Root Hermite Factor k 1 / ( 2 k ) in Time k k / 8 + o ( k ) Martin R. Albrecht 1 , Shi Bai 2 , Pierre-Alain Fouque 3 , Paul Kirchner 3 , Damien Stehl 4 and Weiqiang Wen 3 1 Royal Holloway, University of

985 views • 50 slides
Computing an LLL-reduced Basis of the Orthogonal Lattice Jingwei Chen Damien Stehl e Gilles

Computing an LLL-reduced Basis of the Orthogonal Lattice Jingwei Chen Damien Stehl e Gilles

Computing an LLL-reduced Basis of the Orthogonal Lattice Jingwei Chen Damien Stehl e Gilles Villard Chongqing Institute of Green and Intelligent Technology, Chinese Academy of Sciences Laboratoire LIP (UMR CNRS - ENS Lyon - UCB Lyon 1 -

1.33k views • 93 slides
A Reduced-Basis Approach to the Reduction of Computations in Multiscale Models &amp; Uncertainty

A Reduced-Basis Approach to the Reduction of Computations in Multiscale Models &amp; Uncertainty

A Reduced-Basis Approach to the Reduction of Computations in Multiscale Models &amp; Uncertainty Quantification Sbastien Boyaval 1 , 2 , 3 1 Univ. Paris Est , Laboratoire dhydraulique Saint-Venant (EDF R&amp;D Ecole des Ponts Paristech

597 views • 46 slides
Dimensionality Reduction Algorithms (and how to interpret their output) Dalya Baron (Tel Aviv

Dimensionality Reduction Algorithms (and how to interpret their output) Dalya Baron (Tel Aviv

Dimensionality Reduction Algorithms (and how to interpret their output) Dalya Baron (Tel Aviv University) XXX Winter School, November 2018 What is Dimensionality Reduction? Dimensionality Reduction algorithm 28 x 28 features per object 2

437 views • 33 slides
Lattice Reduction, Integer Programming, and Knapsacks Daniel Lichtblau danl@wolfram.com Wolfram

Lattice Reduction, Integer Programming, and Knapsacks Daniel Lichtblau danl@wolfram.com Wolfram

Lattice Reduction, Integer Programming, and Knapsacks Daniel Lichtblau danl@wolfram.com Wolfram Research, Inc. 100 Trade Centre Dr. Champaign IL USA, 61820 ICMS, Castro Urdiales, Spain September 13, 2006 Abstract We will discuss

755 views • 31 slides
DRS Diagonal dominant Reduction for lattice-based Signature Thomas PLANTARD, Arnaud SIPASSEUTH,

DRS Diagonal dominant Reduction for lattice-based Signature Thomas PLANTARD, Arnaud SIPASSEUTH,

DRS Diagonal dominant Reduction for lattice-based Signature Thomas PLANTARD, Arnaud SIPASSEUTH, Cedric DUMONDELLE, Willy SUSILO Institute of Cybersecurity and Cryptology University of Wollongong http://www.uow.edu.au/ thomaspl

458 views • 22 slides
Algebraic reduction for low-complexity lattice decoding L AURA L UZZI Laboratoire ETIS (ENSEA -

Algebraic reduction for low-complexity lattice decoding L AURA L UZZI Laboratoire ETIS (ENSEA -

Algebraic reduction for low-complexity lattice decoding L AURA L UZZI Laboratoire ETIS (ENSEA - Universit Cergy-Pontoise - CNRS) L ATTICE C ODING AND C RYPTO M EETING I MPERIAL C OLLEGE L ONDON - S EPTEMBER 24, 2018 Laura Luzzi Algebraic

1.34k views • 116 slides
A Hybrid Lattice Reduction and Quantum Search Attack on LWE F. Gpfert, C. van Vredendaal,

A Hybrid Lattice Reduction and Quantum Search Attack on LWE F. Gpfert, C. van Vredendaal,

A Hybrid Lattice Reduction and Quantum Search Attack on LWE F. Gpfert, C. van Vredendaal, Thomas Wunderer 29.06.2017 | 1 Motivation Primal BKW Embedding LWE Hybrid Dual Embedding Make it quantum! Faster More versatile

553 views • 28 slides

More recommend