Transcript continued fraction method

Diophantine Approximation
and Basis Reduction
By Shu Wang
CAS 746 Presentation
6th, Feb, 2006
Overview


Problem: Approximating real numbers by
rational numbers of low denominator and
finding a so-called reduced basis in a lattice
Content




The continued fraction method for approximating
one real number
Lovász’s basis reduction method for lattices
Applications
Notations
  ,   , g.c.d,
W.O.L.G
Dirichlet’s Theorem

Let  be a real number and let 0    1
Then there exist two integers p and q such
that


p


and 1  q   1
q
q
Example.
     0.2
p, q  ?
Answer: p  3 q  1
Proof of Dirichlet’s Theorem
0

1
M 1
…
M
M 1
1
1
Let M :   we find two different integers i and j where
0  i, j  M and {(i  j ) } 

2
M 1
1
M 1
Consider the following series {0 },{1 },{2 },{3 },...,{M  }
1

If (k | 0  k  M :{k } 
) then i : k , j : 0
M 1

Otherwise, according to pigeon-hole principle,
m
m 1
(k , l , m | (0  k , l  M )  (1  m  M ) :
 {k },{l } 
)
M 1
M 1
i : max(k , l ), j : min(k , l ) W.O.L.G Let i : l , j : k
{(i  j ) }  {l  j }  {l   {l }   k   {k }}  {l }  {k } 
1
M 1
Proof of Dirichlet’s Theorem continued
 Let q : i  j, p :  q  . Then
qa   q  {qa} {(i  j )a}
p
qa  p
 




q
q
q
q
1
Since M   
 
M 1   
So  

1
1

 

M 1
( M  1)q q
p 

q q
Exercises
q
1
( M  1)q
The Continued Fraction Method


Given a real number  , we compute its rational approximation by following a
series of steps as follows:
First we define
 1 : 
 2 : ( 1   1  )
1
 3 : ( 2   2  )
    1   1  
1
1
2
  1  
1
1
 2  


3
 4 : ( 3   3  ) 1


This sequence stops if  i becomes an integer
We define an sequences called convergents that approximate to the above
 1  ,  1  

1
 2 
,  1  
1
1
 2  
 3 
,
If  i becomes an integer then the last term of convergents equals to  . We
use ck ( ) to denote the k -th term of the convergents of 
The Continued Fraction Method (2)


We can determine a sequence
where i, g.c.d( pi , qi )  1 so that it corresponds
to the convergent series
Suppose the first two terms are as follows:
p3
p1
p2
,
,
,
q1
q2
q3
p1
p2
1
   ,
   +
q1
q2
(    ) 1 
What can we deduce from it?
p1
p2
q1 =1, p1    ,
 
, p2 q1  p1q2  1
q1
q2

If q1  1 then
g.c.d( pi , qi )  1 .
Contradiction exist.
Proof

p2
1
1
1
   +


+


+




 
 
q2
{a}1  {{ }1}
(    ) 1 
{ }1 
   +

1
   +{a}  
{a}1
p2 p1
1
1
    
   

1
q2 q1
(    ) 
(    ) 1 
q1q2
q2
p2 q1  p1q2 


1
(    )  (    ) 1 


1
  k 1
1
1




p2  q2 (   
)

k

(



)

k

k
(

(



)

1)





















(    ) 1 

p2 q1  p1q2  1
q2  k (    ) 1 
The Continued Fraction Method (3)

Suppose we have found nonnegative integers pk 1 , qk 1 , pk , qk
such that
pk 1
p
   k , pk qk 1  pk 1qk  1. Where k is even.
qk 1
qk

This implies g.c.d( pk 1 , qk 1 )  g.c.d( pk , qk )  1 why?
Suppose g.c.d.( pk , qk )  1
Let g.c.d.( pk , qk )  k  1, pk  ak , qk  bk , g.c.d.(a, b)  1
pk qk 1  pk 1qk  1 
akqk 1  pk 1bk  1 
k (aqk 1  bpk 1 )  1 
(k  1)  (aqk 1  bpk 1  1)
Contradiction exist
Similarly, we can prove g.c.d.( pk 1 , qk 1 )  1
The Continued Fraction Method (4)
pk 1  tpk

qk 1  tqk

We find the largest integer t such that

We define pk 1 : pk 1  tpk ; qk 1 : qk 1  tqk
pk qk 1  pk 1qk  pk (qk 1  tqk )  ( pk 1  tpk )qk  pk qk 1  pk 1qk  1
Which implies g.c.d(pk , qk )=1 !

If pk 1 / qk 1   then the sequence stop, otherwise we find the
largest t such that



pk  upk 1
qk  uqk 1
We define pk 2 : pk  upk 1; qk 2 : qk  uqk 1 and so on……
We can repeat the iteration and find the sequence
p3
p1
p2
,
,
,
q1
q2
q3
It turns out that this sequence is the same as the sequence of
convergents of real number  !
Proof



We use
pi
( )
qi
to denote the i-th term with respect to 
First we prove when 0    1
 Prove by induction
Then we prove
ck ( ) 

pk
( )
qk
i  1
pi 1
q
( )  i 1 ( )
qi 
pi 1
Prove by induction
Some Properties of pi / qi Sequence




pk 1 pk
p q  pk qk 1
1
1

 k 1 k


qk 1 qk
qk qk 1
qk qk 1 qk qk 1
Denominators

monotonically increasing
pk
p
p
1
1
 k 1  k 
 2
qk
qk 1 qk
qk qk 1 qk
For any real numbers  and  with   0, 0    1 , one of the
convergents pi / qi satisfy the Dirichlet’s theorem


p


and 1  q   1
q
q
Proof: Let pk / qk be the last convergent for which qk   1holds. Then


q1 , q2 , q3 ,... are
pk
1



qk
qk qk 1 qk
The sequence pi / qi converge to 

Proof by induction
Algorithm of Continued Fraction
Method

Initially

A0 :  1
 0
1
0 
1 
. Suppose
 k
Ak :   k
  k
k 
 k 
 k 
then we compute Ak 1
by using the following rule:

If k is even and  k  0, subtract k / k  times the second column of
Ak 1 from the first column;


If k is odd and  k  0, subtract  k / k  times the first column of
Ak 1 from the second column;
The matrices A0 , A1 , A2 ,... is in the following form:

1

 0


0  ,
1 
 1
 q
 1
  p1
1
0  ,
1 
 1
 q
 1
  p1
2 
q2  ,
p2 
 3
 q
 3
  p3
2 
q2  ,
p2 
 3
 q
 3
  p3
4 
q4 
p4 
The pk , qk found in this way are the same as pk , qk in the convergents

Proved by induction
Time complexity of Continued
Fraction Method

Corollary. Given rational number  , the continued fraction
method finds integers p and q as described in Dirichelet’s
theorem in time polynomially bounded by the size of 



Proved similar to Euclidean algorithm
Theorem. Let   0 be a real number, and let p and q be
natural numbers with   p / q  1/ 2q2. Then p / q occurs as
convergent for 
Corollary. There exist a polynomial algorithm which, for given
rational number  and natural number M, tests if there exists a
2
rational number p / q with   p / q  1/ 2M . If so, finds this
rational number.
Summary



Given a real number  , there exist a
rational number p / q with small q that
is close enough to 
Continued fraction method compute a
rational number p / q that equals to  if
 is a rational number. Otherwise p / q
converge to 
The algorithm for continued fraction
method is a polynomial Euclidean-like
algorithm
Basis Reduction in Lattices Overview


Problem: Given a lattice (represented by its
basis), finds a reduced “short” (nearly
orthogonal) basis.
Applications:




Finding a short nonzero vector in a lattice
Simultaneous Diophantine approximation
Finding the Hermite normal form
Basis reduction has numerous applications in
cryptanalysis of public-key encryption schemes:
knapsack cryptosystems, RSA with particular
settings, and so forth
Basic Concepts Review


Lattice. Given a sequence of vectors
a1 , a2 ,..., am
, and a group
we
a1 ,say
a2 ,..., am

generate  if   1a1  2 a2 ...  mam | 1 ,..., m  .
We call  a lattice and a1 , a2 ,..., am the basis
of  . In other words, a lattice can be seen as an
integer linear combinations of its basis. It is a
subset of the subspace generated by its basis.
A matrix can be seen as a sequence of column
(row) vectors, therefore a lattice can be
generated by columns (rows) of a matrix
Basic Concepts Review - 2



Let A and B both be a nonsingular matrix of order n, and whose column
both generate the same lattice  , then det A  det B and this is called the
det of lattice  . In other words, det  is independent to chose of basis
Proof:
Lemma 1: If B is obtained by interchanging two columns (rows) of A,
then det B = -det A.



Lemma 2: If A has two identical columns (rows), then det A = 0.

Proof: Let A be a matrix with two identical rows, let B be a matrix constructed
from A by interchanging these two column (rows). Then det B = det A because
these two matrices are equal. However, from Lemma 1 we know that det B = det A. So det B = det A = 0
Lemma 3: The determinant of an nxn matrix can be computed by
expansion of any row or column.


Proof: Complicated (component-wise) proof by induction
Also called Laplace Expansion Theorem, component-wisely proved by Laplace.
Lemma 4: If B is obtained by multiplying a column (row) of A by k, then
det B = k det A.

Proof. We can calculate det B by expanding the same column (row) of B as
that of A, which yields det B = k det A.
Basic Concepts Review - 3

Lemma 5: If A, B and C are identical except that the i-th
column (row) of C is the sum of the i-th columns (rows) of A
and B, then det C = det A + det B.
Proof. We can calculate det B by expanding the i-th column of C,
then we can prove det C = det A + det B by using the distributivity
of multiplication of matrices
Lemma 6: If B is obtained by adding a multiple of one column
(row) i of A to another column (row) j, then det B = det A.

Proof. Let A’ be the matrix that constructed by replacing column
(row) i of A to j, then det A’ = 0 because A’ has two identical
columns. Matrix A, A’ and B satisfy Lemma 5 so that det B = det A
+ det A’ = det A
Lemma 7: If If B is obtained by elementary column operations
from A, then |det B| = |det A|.

Proof. Directly from Lemma 1, 4 and 6.




From chapter 4, we know that if matrix A and B generate the
same lattice then they have the same Hermite Normal Form by
elementary column operations, therefore from Lemma 7 we
have |det B| = |det A|.
Geometric Meaning of Determinant


The determinant of  corresponds to the volume of the parallelepiped
1b1  2b2 ...  nbn | 0  i  1 for i  1,..., n
Where b1 ,...,bn is any basis for 
Hadamard Inequality theorem:
det   b1 b2
bn , where  denotes the Euclidean norm x 
When b1 ,...,bn are orthogonal to each other, the equality holds.

We now have the lower bound of b1 b2
bound?
Hermite showed that b1 b2
xT x
bn , what about the upper
bn  (4 / 3)n ( n1) / 4 det 
Minkowski showed that
b1 b2
bn  (2n / Vn ) det   (2n /  e)n / 2 det 
Schnorr proved that for each fixed   0 then there exist a polynomial
algorithm finding a basis satisfying
b1 b2
bn  (1   )n ( n1) det 
Basis Reduction Theorem

A matrix is called positive definite if
for all x  0, xT Ax  0


There exist a polynomial algorithm which, for given
positive definite rational matrix D, finds a basis
b1 , b2 ,..., bn for the lattice n satisfying
2n ( n 1) / 4 det D
‖b1‖ ‖b2‖…‖bn‖≤
T
where ‖x‖ : x Dx
We prove this theorem by showing the LLL algorithm
The Lenstra, Lenstra and Lovász
Algorithm



We construct a series of basis for n as follows:
The first basis is the unit basis.
We construct the next basis inductively using the following steps:

1. Denote Bi as the matrix with columns b1 , b2 ,..., bn , we calculate
bi*  bi  Bi 1 ( BiT1 DBi 1 ) 1 BiT1 Dbi

2. for i  2,..., n
for j  i  1, i  2,...,1
bi  1 b1* 
 i 1bi*1  bi*
bi  bi   j  1/ 2  b j

3. Choose, if possible, an index i such that ‖b2*‖2>2‖b*i+1‖2.
Exchange bi and bi+1, and start with step 1 again. If no such i
exists, the algorithm stops.
The Lenstra, Lenstra and Lovász
Algorithm - Continued


The LLL algorithm is an approximation of the GramSchmidt orthogonalization process which finds a
orthogonal basis in a subspace of n
The LLL algorithm terminates in polynomial time,
with intermediate numbers polynomially bounded by
the size of D

Complicated proof see p.68 – p.71
Finding a Short Nonzero Vector in
a Lattice

In 1891, Minkowski proved a classical result: any n-dimensional lattice 
contains a nonzero vector b with
b  2(

det  1/ n
)
Vn
where Vn denotes the volume of the n-dimensional unit ball. However,
no polynomial algorithm finding such a vector b is known.
With the basis reduction method, by taking the shortest vector one can
find a “longer short vector” in a lattice, which satisfy
b  2n( n1) / 4 (det D)1/ n
However, this vector is generally not the shortest one in the lattice


The CVP (Closest Vector Problem): “Given a lattice  and vector a, find
b with (any kind of) norm of b-a as small as possible” is proven to be
NP-complete
The SVP (Shortest Nonzero Vector Problem): “Given a lattice, finding a
vector in the lattice as small as possible” is even proven to be NP-hard
to approximate within some constant [Dan 2001]
Simultaneous Diophantine
Approximation

Dirichlet showed that Let 1 ,  2 ,...,  n ,  be real numbers with 0    1
Then there exist two integers p1 , p2 ,..., pn and q such that
i 
pi


for i  1,..., n and 1  q    n
q
q
No polynomial method is known for this problem, unless when n=1,
where we can use the continued fraction method

However, we can use basis reduction method to find a weaker
approximation of the problem in polynomial time
Finding the Hermite Normal Form


Given a matrix A, we can use basis reduction method to calculate
vector b1 , b2 ,..., bn and record it in such a way that it can be transform
to Hermite Normal Form by elementary column operations
Some of the other applications





Lenstra’s Integer Linear Programming algorithm
Factoring polynomials (over rationals) in polynomial time
Breaking cryptographic codes
Disproving Mertens’ conjecture
Solving low density subset sum problems
Summary



The continued fraction method for
approximating one real number by
rational numbers
Lovász’s basis reduction method for
finding a short basis in a lattice
Applications
Thank you 