Some applications of LLL



Similar documents
The van Hoeij Algorithm for Factoring Polynomials

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, Notes on Algebra

How To Prove The Dirichlet Unit Theorem

MOP 2007 Black Group Integer Polynomials Yufei Zhao. Integer Polynomials. June 29, 2007 Yufei Zhao

7. Some irreducible polynomials

A number field is a field of finite degree over Q. By the Primitive Element Theorem, any number

CHAPTER SIX IRREDUCIBILITY AND FACTORIZATION 1. BASIC DIVISIBILITY THEORY

FACTORING POLYNOMIALS IN THE RING OF FORMAL POWER SERIES OVER Z

Lecture 13: Factoring Integers

Homework until Test #2

Notes on Factoring. MA 206 Kurt Bryan

k, then n = p2α 1 1 pα k

Alex, I will take congruent numbers for one million dollars please

a 11 x 1 + a 12 x a 1n x n = b 1 a 21 x 1 + a 22 x a 2n x n = b 2.

Copy in your notebook: Add an example of each term with the symbols used in algebra 2 if there are any.

Primality - Factorization

March 29, S4.4 Theorems about Zeros of Polynomial Functions

Winter Camp 2011 Polynomials Alexander Remorov. Polynomials. Alexander Remorov

Polynomial Factoring. Ramesh Hariharan

Integer Factorization using the Quadratic Sieve

THE NUMBER OF REPRESENTATIONS OF n OF THE FORM n = x 2 2 y, x > 0, y 0

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Lecture 10: Distinct Degree Factoring

Polynomial Factorization Algorithms over Number Fields

Cubic Polynomials in the Number Field Sieve. Ronnie Scott Williams, Jr., B.S. A Thesis. Mathematics and Statistics

3. INNER PRODUCT SPACES

Prime Numbers and Irreducible Polynomials

minimal polyonomial Example

ON GALOIS REALIZATIONS OF THE 2-COVERABLE SYMMETRIC AND ALTERNATING GROUPS

Die ganzen zahlen hat Gott gemacht

Zeros of Polynomial Functions

Introduction to Finite Fields (cont.)

3 1. Note that all cubes solve it; therefore, there are no more

FACTORING SPARSE POLYNOMIALS

Chapter 4, Arithmetic in F [x] Polynomial arithmetic and the division algorithm.

Modern Algebra Lecture Notes: Rings and fields set 4 (Revision 2)

PYTHAGOREAN TRIPLES KEITH CONRAD

Lecture 3: Finding integer solutions to systems of linear equations

Optimal Algorithm for Algebraic Factoring

Collinear Points in Permutations

Breaking The Code. Ryan Lowe. Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and

The degree of a polynomial function is equal to the highest exponent found on the independent variables.

Algebra 1 Course Title

it is easy to see that α = a

by the matrix A results in a vector which is a reflection of the given

ALGEBRAIC APPROACH TO COMPOSITE INTEGER FACTORIZATION

Applied Cryptography Public Key Algorithms

Module MA3411: Abstract Algebra Galois Theory Appendix Michaelmas Term 2013

PROBLEM SET 6: POLYNOMIALS

The Mathematical Cryptography of the RSA Cryptosystem

Factorization Algorithms for Polynomials over Finite Fields

An Overview of Integer Factoring Algorithms. The Problem

CHAPTER 5. Number Theory. 1. Integers and Division. Discussion

Monogenic Fields and Power Bases Michael Decker 12/07/07

On the generation of elliptic curves with 16 rational torsion points by Pythagorean triples

HOMEWORK 5 SOLUTIONS. n!f n (1) lim. ln x n! + xn x. 1 = G n 1 (x). (2) k + 1 n. (n 1)!

Unique Factorization

Factoring pq 2 with Quadratic Forms: Nice Cryptanalyses

0.4 FACTORING POLYNOMIALS

Study of algorithms for factoring integers and computing discrete logarithms

A Course on Number Theory. Peter J. Cameron

= = 3 4, Now assume that P (k) is true for some fixed k 2. This means that

Some facts about polynomials modulo m (Full proof of the Fingerprinting Theorem)

a 1 x + a 0 =0. (3) ax 2 + bx + c =0. (4)

RSA Attacks. By Abdulaziz Alrasheed and Fatima

On the largest prime factor of x 2 1

Lecture 13 - Basic Number Theory.

FACTORING AFTER DEDEKIND

Congruent Number Problem

POLYNOMIAL RINGS AND UNIQUE FACTORIZATION DOMAINS

Factoring. Factoring 1

Lecture Note 5 PUBLIC-KEY CRYPTOGRAPHY. Sourav Mukhopadhyay

The Chinese Remainder Theorem

Finding Small Roots of Bivariate Integer Polynomial Equations Revisited

Recall that two vectors in are perpendicular or orthogonal provided that their dot

On prime-order elliptic curves with embedding degrees k = 3, 4 and 6

Integer roots of quadratic and cubic polynomials with integer coefficients

Practical polynomial factoring in polynomial time

A Tool Kit for Finding Small Roots of Bivariate Polynomials over the Integers

Settling a Question about Pythagorean Triples

On the representability of the bi-uniform matroid

CONTINUED FRACTIONS AND PELL S EQUATION. Contents 1. Continued Fractions 1 2. Solution to Pell s Equation 9 References 12

Prime numbers and prime polynomials. Paul Pollack Dartmouth College

Factoring N = p r q for Large r

Factoring Polynomials

SUBGROUPS OF CYCLIC GROUPS. 1. Introduction In a group G, we denote the (cyclic) group of powers of some g G by

Groups in Cryptography

9. POLYNOMIALS. Example 1: The expression a(x) = x 3 4x 2 + 7x 11 is a polynomial in x. The coefficients of a(x) are the numbers 1, 4, 7, 11.

Number Theory. Proof. Suppose otherwise. Then there would be a finite number n of primes, which we may

CS 103X: Discrete Structures Homework Assignment 3 Solutions

FACTORING IN QUADRATIC FIELDS. 1. Introduction. This is called a quadratic field and it has degree 2 over Q. Similarly, set

Factoring Polynomials

Zero: If P is a polynomial and if c is a number such that P (c) = 0 then c is a zero of P.

JUST THE MATHS UNIT NUMBER 1.8. ALGEBRA 8 (Polynomials) A.J.Hobson

Partial Fractions. Combining fractions over a common denominator is a familiar operation from algebra:

1.3 Algebraic Expressions

z 0 and y even had the form

Ideal Class Group and Units

The Prime Numbers. Definition. A prime number is a positive integer with exactly two positive divisors.

Notes 11: List Decoding Folded Reed-Solomon Codes

Transcription:

Some applications of LLL a. Factorization of polynomials As the title Factoring polynomials with rational coefficients of the original paper in which the LLL algorithm was first published (Mathematische Annalen 261 (1982), 515 534) suggests, the initial motivation was the proof of the following result. Theorem There exists an algorithm that factors any primitive polynomial f Z[x] in polynomial time (O(n 12 + n 9 (log f ) 3 bit operations). 110

The main steps of the algorithm are 1. Use the subresultant algorithm to compute common factors of f and f, and replace f by its squarefree part. 2. Find a suitable prime p and factor f mod p in F p [x] into irreducibles using Berlekamp s algorithm. 3. For an irreducible factor h F p [x] and a suitable k use Hensel lifting modulo p k to find a factor of f mod p k ; now use LLL to find the unique factor h 0 Z[x] of f such that h 0 h mod p. Repeat this for remaining factors. An algorithm for the factorization of polynomials with coefficients in a number field uses two rounds of applications of LLL. 111

b. Diophantine approximation Another application that is found in the original LLL-paper is to the problem of (simultaneous) Diophantine approximation: given n N, real numbers α 1, α 2,..., α n and 0 < ǫ < 1, there exist integers p 1, p 2,..., p n and q such that p i qα i ǫ, 1 q ǫ n, or p i q α i 1 q n+1. 112

Applying LLL to the columns of 1 0 0 α 1 0 1 0...... α 2 0 0 1 α n 0 0 0 2 n(n+1)/4 ǫ n+1 we obtain a polynomial-time algorithm that produces an LLL-reduced basis b 1, b 2,..., b n+1. Then b 1 2 n/4 d 1/(n+1) = ǫ, and by construction b 1 = (p 1 qα 1, p 2 qα 2,..., p n qα n, q 2 n(n+1)/4 ǫ n+1 ) T, for certain integers p i, q. Then certainly all components are less than ǫ and q 2 n(n+1)/4 ǫ n. With n = 1 we find the (nearest integer) continued fraction convergents. 113

c. Sums of squares Every prime that is 1 mod 4 can be written as sum of two squares. Let h F p satisfy h 2 1 mod p; for example h = g p 1 4 F p if g is a primitive root modulo p. Consider the lattice L in R 2 spanned by the ( p ) ( h vectors v 1 =, and v 0 2 =. The determinant of this lattice is d(l) = p. 1 With ( u ) b 1 =, b v 2 an LLL-reduced basis for the lattice we get b 1 2 (2 1 4 p) 2 < 2p, so: u 2 + v 2 < 2p. On the other hand, for vectors w 1, w 2 in the lattice it holds that the inner product < w 1, w 2 > is divisible by p (as it holds for both basis vectors). Hence u 2 + v 2 0 mod p. Together these imply u 2 + v 2 = p. ) 114

d. Algebraic dependencies Suppose that real numbers approximated by α 1, α 2,..., α n are given. Choose a suitably big integer N and apply LLL-reduction to the lattice spanned by the columns of 1 0 0 0 1 0..... 0 0 1 Nα 1 Nα 2 Nα n in R n+1. Then the first vector in a reduced basis of this lattice will be the column (m 1, m 2,..., m n, N (m 1 α 1 +m 2 α 2 + +m n α n )) T of small length, which implies that the m i are not too large while the last component much be close to zero: the corresponding expression mi β i for the true real numbers β i will have to be zero. 115

Special case: minimal polynomials In the special case that α i = α i 1 for i = 1,2,..., n and n is the degree of the minimal irreducible polynomial f α, we will (most likely) recover this! If the degree of α is not known, we may start with a small choice and increment until we find a solution. There are slightly different algorithms, devised especially to solve this type of problem: PSLQ, and HJLS. Using this, identities like π = i=0 1 16 i were discovered. ( 4 8i + 1 2 8i 4 1 8i + 5 1 ), 8i + 6 116

e. Knapsack For a while, cryptographic systems based on a version of the knapsack problem have been popular. This particular version (called the subset sum problem) asks, for given positive integers m 1, m 2,..., m n and s for an answer to the decision problem: do there exist z 1, z 2,..., z n in {0,1} such that s = z 1 m 1 + + z n m n (is s a subset sum of the m i? In crypto applications the moduli were first chosen superincreasing, that is, for all i it holds that m i > j<i m j. Next this additional structure is hidden from the user by multiplication and modular reduction. 117

Now apply lattice basis reduction to the columns 1 0 0 0 0 1 0 0...... 0 0 1 0 N m 1 N m 2 N m n Ns for suitable N, will produce a linear combination z 1 N m 1 + z 2 N m 2 + + z n N m n = Ns as desired. 118

f. abc The abc-conjecture is a deep, yet easily formulated, problem in number theory. For positive integers a, b, c we define the radical rad(a, b, c) as the product of the distinct prime factors of a, b, c: rad(a, b, c) = p. The quality q of a, b, c is q(a, b, c) = p prime p abc log c lograd(a, b, c). We will assume that gcd(a, b, c) = 1. abc-conjecture For every η > 1 there exist only finitely many a, b, c with gcd(a, b, c) = 1 and a + b = c such that q(a, b, c) > η. 119

There exist infinitely many abc-triples of quality exceeding 1; for example 1+(9 n 1) = 9 n, then rad(abc) = 3 rad(b) < c. The best known example is 2+3 10 109 = 23 5 (Reyssat) with q = 1.629.... Triples with q(a, b, c) > 1.4 are commonly called good abc-triples. Similarly, one can define Szpiro triples as coprime a, b, c with a + b = c for which ρ(a, b, c) = log abc lograd(a, b, c) is large. Such triples are good when ρ > 4.4. The best known example was found by Nitaj and has ρ = 4.419...: 13 19 6 + 2 30 5 = 3 13 11 2 31. 120

One way to search for examples systematically uses LLL. First generate (many) numbers A, B, C built up from large powers of relatively small primes (to produce small radical) and of comparable size, Then use LLL to find small x, y, z (in absolute value) such that xa + yb + zc = 0. Dokchitser observes that the smallest x, y, z not necessarily produce the best abc triples; it may be necessary to look at small linear combinations in the lattice of solutions. 121

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information