\documentclass[11pt]{article}
\usepackage{latexsym}
\usepackage{amsmath}
\usepackage{amssymb}
\usepackage{amsthm}
\usepackage{hyperref}
\usepackage{algorithmic}
\usepackage{algorithm}
\usepackage{complexity}
\usepackage{graphicx}
\newcommand{\handout}[5]{
\noindent
\begin{center}
\framebox[\textwidth]{
\vbox{
\hbox to \textwidth { {\bf Algebra and Computation } \hfill Course Instructor: #2 }
\vspace{4mm}
\hbox to \textwidth { {\Large \hfill #5 \hfill} }
\vspace{2mm}
\hbox to \textwidth { {\em #3 \hfill #4} }
}
}
\end{center}
\vspace*{4mm}
}
\newcommand{\lecture}[4]{\handout{#1}{#2}{Lecturer: #3}{Scribe: #4}{Lecture #1}}
\newtheorem{theorem}{Theorem}
\newtheorem{theorem*}{Theorem}
\newtheorem{corollary}[theorem]{Corollary}
\newtheorem{lemma}[theorem]{Lemma}
\newtheorem{observation}[theorem]{Observation}
\newtheorem{proposition}[theorem]{Proposition}
\newtheorem{definition}[theorem]{Definition}
\newtheorem{claim}[theorem]{Claim}
\newtheorem{fact}[theorem]{Fact}
\newtheorem{subclaim}[theorem]{Subclaim}
% my custom commands
\newcommand{\inparen}[1]{\left(#1\right)} %\inparen{x+y} is (x+y)
\newcommand{\inbrace}[1]{\left\{#1\right\}} %\inbrace{x+y} is {x+y}
\newcommand{\insquar}[1]{\left[#1\right]} %\insquar{x+y} is [x+y]
\newcommand{\inangle}[1]{\left\langle#1\right\rangle} %\inangle{A} is
\newcommand{\abs}[1]{\left|#1\right|} %\abs{x} is |x|
\newcommand{\norm}[1]{\left\Vert#1\right\Vert} %\norm{x} is ||x||
\newcommand{\union}{\cup}
\newcommand{\Union}{\bigcup}
\newcommand{\intersection}{\cap}
\newcommand{\super}[2]{#1^{\inparen{#2}}} %\super{G}{i-1} is G^{(i-1)}
\newcommand{\setdef}[2]{\inbrace{{#1}\ : \ {#2}}}
\newcommand{\inv}[1]{#1^{-1}}
\newcommand{\inrpdt}[2]{\left\langle{#1},{#2}\right\rangle}%\inrpdt{x}{y} is .
\newcommand{\pderiv}[2]{\frac{\partial #1}{\partial #2}}
% Commands specific to this file
% TODO: Find the right way to typeset group index
\DeclareMathOperator{\Sym}{Sym}
\newcommand{\gpidx}[2]{\insquar{#1 : #2}} %\gpidx{H}{K} is [H : K]
\newcommand{\gpigs}[2]{\gpidx{\super{G}{#1}}{\super{G}{#2}}} %Group index of g super ...
\newcommand{\llhd}{\!\!\lhd\!\!\lhd}
\newcommand{\roundoff}[1]{\left\lfloor #1 \right\rceil}
% \newcommand{\ceil}[1]{\lceil #1 \rceil}
\newcommand{\floor}[1]{\lfloor #1 \rfloor}
\newcommand{\F}{\mathbb{F}}
\newcommand{\N}{\mathbb{N}}
\newcommand{\Q}{\mathbb{Q}}
\newcommand{\Z}{\mathbb{Z}}
%for algorithms
\renewcommand{\algorithmicrequire}{\textbf{Input:}}
% Problems we look at
\newcommand{\GIso}{\lang{Graph\text{-}Iso}} %Without \text, ugly minus instead of hyphen.
\newcommand{\GAut}{\lang{Graph\text{-}Aut}}
\newcommand{\SStab}{\lang{Set\text{-}Stab}}
\begin{document}
\lecture{18 and 19: LLL and Factorization over $\Q$}{V. Arvind}{V. Arvind}{Ramprasad Saptharishi}
\section{Overview}
Another problem that is essential for factoring univariate polynomials
over $\Q$ is the shortest vector problem. Finding the optimum solution
is $\NP$-hard, so we only ask for an approximation algorithm.
We shall discuss the LLL algorithm for the shortest vector problem and then
give the algorithm for factorizing univariate polynomials over $\Q.$
\section{The Shortest Vector Problem}
We are given a basis $\inbrace{b_i}_{1\leq i\leq n}$ of $\mathbb{R}^n$ and we
want to find a non-zero vector $v = \sum a_ib_i$, where $a_i\in \Z$, whose norm
(the usual Euclidean norm) is minimum.
Solving this problem in full generality is $\NP$-hard and we do not
expect to find the optimal solution. LLL, however, allows us to find an
approximate solution, with an approximation factor depending only on the
dimension.
The basic idea is in mimicking the Gram-Schmidt orthogonalization
method on a lattice.
\subsection{The Gram-Schmidt Orthogonalization}
We are given a basis $\inbrace{b_1, b_2, \cdots, b_n}$ and we want to
convert it into a new orthogonal basis $\inbrace{b_1^\star,
b_2^\star,\cdots, b_n^\star}$ spanning the same space over $\mathbb{R}$.
The GS algorithm is as follows:
\begin{eqnarray*}
b_1^\star & = & b_1\\
b_i^\star & = & b_i - \sum_{j<i}\mu_{ij}b_j^\star \qquad \forall\ 1 < i \leq n
\end{eqnarray*}
where $\mu_{ij} = \inrpdt{b_i}{b_j^\star}/\norm{b_j^\star}^2.$ The
vectors $b_i^\star$ are pairwise orthogonal, but in general they do not
lie on the lattice generated by $\inbrace{b_i}$, since the $\mu_{ij}$
need not be integers. The LLL algorithm mimics this process while
staying on the lattice: it rounds off the $\mu_{ij}$ in a reduction
step, and swaps adjacent basis vectors whenever a length test fails.
\begin{algorithmic}[1]
\STATE {\bf Reduction step:} for $i = 2, \cdots, n$ and, for each such
$i$, for $j = i-1$ down to $1$, set $b_i = b_i - \roundoff{\mu_{ij}}b_j$,
where $\roundoff{\cdot}$ denotes rounding to the nearest integer.
\STATE {\bf Swap step:} if for some $i$
$$
\frac{3}{4}\norm{b_i^\star}^2 > \norm{b_{i+1}^\star + \mu_{i+1,i}b_i^\star}^2
$$
then swap $b_i$ and $b_{i+1}$ and go to step $1$.
\STATE {\bf output} $b_1, b_2, \cdots, b_n.$
\end{algorithmic}
\subsection{The Reduction Step}
The reduction step is basically an approximation to the GS
orthogonalization, but staying on the lattice. We shall show that we
actually get pretty close to the orthogonal basis.

For the basis $\inbrace{b_i}$, let the GS basis be
$\inbrace{b_i^\star}.$ If we write each $b_i$ as a vector over the GS
basis (treating the GS basis as the standard basis) and take these as
the columns of a matrix $B$, then $B$ is upper triangular with $1$s on
the diagonal. The reduction step makes the off-diagonal entries small
(bounded by $1/2$ in absolute value). We shall see how this is achieved.

The two {\em for} loops are designed cleverly so that you never undo
something that you have already done. The key point to note is that the
reduction step does not change the GS basis: subtracting an integer
multiple of $b_j$ from $b_i$ (with $j < i$) leaves the span of the first
$i$ vectors unchanged. Look at an intermediate step, say at $i,j.$ By
induction, assume that all columns whose index is less than $i$ have
already been taken care of, and since we have gone up to $j$, the
$i$-th column is fixed from the bottom up to row $j+1$. Since the GS
basis is fixed, if we had not rounded off $\alpha_{ij}$ when we did
$b_i = b_i - \alpha_{ij}b_j$, we would have obtained a vector
orthogonal to $b_j^\star$, and hence the entry $b_{ij}$ would have
become $0$. Since we only round off, we at least reduce that entry to
at most $1/2$ in absolute value. Note that this works only because the
GS basis stays the same throughout; note also that the update does not
disturb the entries $b_{ij'}$ for $j' > j$, since $b_j$ has no
component along $b_{j'}^\star$.

Now we have fixed the entry $b_{ij}$ and we can go on to $b_{i,j-1}.$
Thus by induction, we have proved that at the end of the reduction
step, we have an upper triangular matrix with $1$s on the diagonal and
every off-diagonal entry bounded by $1/2$ in absolute value.
\subsection{The Swap Step}
The swap step is like a `check if the basis is reduced, else rectify'
step. The crucial point is that this step is executed at most
polynomially many times. To show this, we define a certain quantity
(of at most exponential size) and show that it decreases by a constant
factor ($3/4$) with every swap, and hence a swap can happen at most
polynomially many times.
For a basis $B$, define
\begin{eqnarray*}
D_{B,i} &= &\prod_{j=1}^i \norm{b_j^\star}^2\\
D_B &= &\prod_{i=1}^n D_{B,i}
\end{eqnarray*}
It is easy to see that $D_B$ is a value that is at most
exponential. We will show that it goes down by $3/4$ each time we
swap.
Recall that
$$
MB^\star = \insquar{\begin{array}{cccc}
1 & & & \\
\mu_{21} & 1 & &\\
\vdots & & \ddots& \\
\mu_{n1} & \mu_{n2} &\cdots & 1
\end{array}
}B^\star = B
$$
We could do the same by restricting the above equation to just the
first $i$ rows and columns. As a notation, we will write this as
$$
B_i = M_iB_i^\star
$$
Since $M_i$ is lower triangular with $1$s on the diagonal, $\det M_i = 1$,
and since the rows of $B_i^\star$ are pairwise orthogonal,
$$
\det(B_iB_i^T) = \det(B_i^\star (B_i^\star)^T) = \prod_{j=1}^i \norm{b_j^\star}^2 = D_{B,i}
$$
Consider the case when you are to do the swap operation between $i$
and $i+1.$ Then the basis $B = \inbrace{b_1,\cdots, b_{i-1}, b_i,
b_{i+1}, \cdots, b_n}$ will now change to $\hat{B} = \inbrace{b_1,
\cdots, b_{i-1},b_{i+1}, b_i, b_{i+2}, \cdots, b_n}.$ For $j \neq i$,
the set $\inbrace{b_1, \cdots, b_j}$ is the same in $B$ and $\hat{B}$,
so $D_{\hat{B},j} = D_{B,j}$; the only place where the two differ is
at the $i$-th index. In the original basis $B$, the $i$-th GS vector is
just $b_i^\star.$ In the other basis $\hat{B}$, it is easy to check that
$\hat{b}_i^\star = b_{i+1}^\star + \mu_{i+1,i}b_i^\star$, the component
of $b_{i+1}$ orthogonal to $b_1^\star, \cdots, b_{i-1}^\star.$
Thus, clearly,
$$
\frac{D_{\hat{B}}}{D_B} = \frac{D_{\hat{B},i}}{D_{B,i}} =
\frac{\norm{b_{i+1}^\star +
\mu_{i+1,i}b_i^\star}^2}{\norm{b_i^\star}^2} \leq \frac{3}{4}
$$
And hence the swap step is executed only polynomially many times.
\subsection{Correctness}
The next thing we need to show is that at the end of the algorithm, we
do have a reduced basis. This is an easy observation. The algorithm
stops only when the swap condition fails at every index $i$, that is,
\begin{eqnarray*}
\frac{3}{4}\norm{b_i^\star}^2 & \leq & \norm{b_{i+1}^\star +
\mu_{i+1,i}b_i^\star}^2\\
& = & \norm{b_{i+1}^\star}^2 + \mu_{i+1,i}^2\norm{b_i^\star}^2\\
& \leq & \norm{b_{i+1}^\star}^2 + \frac{1}{4}\norm{b_i^\star}^2
\end{eqnarray*}
where the equality uses that $b_i^\star$ and $b_{i+1}^\star$ are
orthogonal, and the last inequality uses $\abs{\mu_{i+1,i}} \leq 1/2$,
which the reduction step guarantees. Rearranging,
$$
\norm{b_i^\star}^2 \leq 2\norm{b_{i+1}^\star}^2 \qquad \text{and hence} \qquad
\norm{b_i^\star} \leq 2\norm{b_{i+1}^\star}.
$$
Therefore we indeed have a reduced basis, which solves the
approximate version of the shortest vector problem.
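As an added worked example (not part of the lecture notes), the following Python code carries out the reduction step and the swap step above in exact rational arithmetic, and also evaluates the potential $D_B$ so that the drop by a factor of $3/4$ per swap can be checked. The sample basis and the helper names \texttt{potential}, \texttt{swap\_needed} and \texttt{is\_reduced} are our own choices.

```python
import math
from fractions import Fraction
SAMPLE_BASIS = [[1, 1, 1], [-1, 0, 2], [3, 5, 6]]  # constructed sample input, not from the notes

def dot(u, v):
    return sum(Fraction(a) * Fraction(b) for a, b in zip(u, v))
def gram_schmidt(b):
    """GS vectors b_i* and coefficients mu[i][j] = <b_i, b_j*> / ||b_j*||^2, in exact arithmetic."""
    bstar, mu = [], [[Fraction(0)] * len(b) for _ in b]
    for i in range(len(b)):
        v = [Fraction(x) for x in b[i]]
        for j in range(i):
            mu[i][j] = dot(b[i], bstar[j]) / dot(bstar[j], bstar[j])
            v = [vi - mu[i][j] * sj for vi, sj in zip(v, bstar[j])]
        bstar.append(v)
    return bstar, mu
def potential(b):
    """The lecture's D_B = prod_i D_{B,i}, where D_{B,i} = prod_{j<=i} ||b_j*||^2."""
    d_i, d = Fraction(1), Fraction(1)
    for v in gram_schmidt(b)[0]:
        d_i *= dot(v, v)  # D_{B,i}
        d *= d_i          # D_B multiplies in every prefix product
    return d
def swap_needed(bstar, mu, i, delta):
    """The swap test of the notes: delta*||b_i*||^2 > ||b_{i+1}* + mu_{i+1,i} b_i*||^2."""
    w = [s1 + mu[i + 1][i] * s0 for s0, s1 in zip(bstar[i], bstar[i + 1])]
    return delta * dot(bstar[i], bstar[i]) > dot(w, w)
def is_reduced(b, delta=Fraction(3, 4)):  # size-reduced and no index triggers a swap
    bstar, mu = gram_schmidt(b)
    size_ok = all(abs(mu[i][j]) <= Fraction(1, 2) for i in range(len(b)) for j in range(i))
    return size_ok and not any(swap_needed(bstar, mu, i, delta) for i in range(len(b) - 1))
def lll(basis, delta=Fraction(3, 4)):
    """Return (reduced basis, number of swaps), following the two-step loop of the notes."""
    b = [[Fraction(x) for x in v] for v in basis]
    n, swaps = len(b), 0
    while True:
        for i in range(1, n):  # reduction step: i ascending, j descending, so nothing is undone
            for j in range(i - 1, -1, -1):
                r = math.floor(gram_schmidt(b)[1][i][j] + Fraction(1, 2))  # round off mu_ij
                if r:  # b* is unchanged by this update; only the mu's move
                    b[i] = [bi - r * bj for bi, bj in zip(b[i], b[j])]
        bstar, mu = gram_schmidt(b)  # swap step: swap at the first failing index, then restart
        for i in range(n - 1):
            if swap_needed(bstar, mu, i, delta):
                b[i], b[i + 1] = b[i + 1], b[i]
                swaps += 1
                break
        else:
            return b, swaps
```

On the sample basis, \texttt{lll} performs two swaps and returns $(0,1,0), (1,0,1), (-2,0,1)$, with $D_B$ falling from $378$ to $18$.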
\subsection{Sizes of Numbers}
Using the matrices that appeared in the reduction step section, one can
show using Cramer's rule that the numbers do not become very large.
We leave this as an exercise.
\section{Factoring over $\Q$}
We will see a sketch of the factoring algorithm, and the gaps are left as
an assignment. The working is very similar to bivariate Hensel
lifting.
The algorithm is as follows:
\begin{enumerate}
\item Assume $f(x) \in \Z[x]$ is square free.
\item Pick a small ($O(\log n)$ bits long) prime $p$ such that $f(x)$ is
square free modulo $p.$
\item Factor $f = gh\pmod{p}$, where $g$ is irreducible and monic.
\item Hensel lift the factorization $k$ times to obtain $f =
g_kh_k\pmod{p^k}$.
\item Solve the linear equations $\tilde{g} = g_kl_k \pmod{p^k}$ for
polynomials $\tilde{g}$ and $l_k$ whose degrees are less
than $\deg f.$
\item Output $\gcd(f,\tilde{g})$; if it is trivial, output ``irreducible''.
\end{enumerate}
The first catch is the following: does a polynomial necessarily have only
small factors? Can there be factors with huge numbers in them? The
following bound tells us that we are safe in this area.
\begin{lemma}[Mignotte's Bound]
If $f(x) = a_0 + a_1x + \cdots + a_nx^n$, then any root $\alpha$ of
$f$ is such that $|\alpha| < n \max|a_i|.$
\end{lemma}
Since the coefficients of any factor of $f$ are symmetric polynomials in
(a subset of) the roots of $f$, a bound on the roots gives a bound on the
coefficients of the factors, and we are in good shape.
For the proof of correctness, we need a suitable bound on $k$ to push
the proof of the bivariate case through in the same way. But the issue
is that we do not have any bounds on the coefficients of
$l_k,\tilde{g}$ to make it work. How do we make sure that the solution
to the system of equations is small? Enter LLL.
Look at $\tilde{g} = g_kl_k + p^kr_k$ for any polynomial $r_k.$ We can
easily induce a lattice structure on the set of such $\tilde{g}$ by
choosing a natural basis. Over this lattice, we can now ask for a short
vector. Note that LLL will not give us the shortest vector, but a
$2^{\frac{n-1}{2}}$-approximation is good enough!
Using that, a bound on $k$ can be fixed and the same proof as for
bivariate factorization will go through. The gaps are left to the
readers to fill in.
\end{document}