On the reduction of a random basis

On the reduction of a random basis Ali Akhavi



Jean-François Marckert



Alain Rouault



Abstract

For $g < n$, let $b_1, \ldots, b_{n-g}$ be $n-g$ independent vectors in $\mathbb{R}^n$ with the same distribution, invariant by rotation and without mass at $0$. These vectors form a.s. a basis of the Euclidean lattice they generate. The aim of this paper is to provide asymptotic results, as $n \to +\infty$, concerning the property that such a random basis is reduced in the sense of Lenstra, Lenstra and Lovász (LLL). If $\hat b_1, \ldots, \hat b_p$ is the new basis obtained by Gram–Schmidt orthogonalization, the quality of the reduction depends on the ratios of squared lengths of consecutive vectors $r_j^{(n)} = \|\hat b_{n-j+1}\|^2 / \|\hat b_{n-j}\|^2$, $1 \le n-j \le p-1$. We show that, as $n \to +\infty$, the process $(r_j^{(n)} - 1)_j$ converges in distribution, in a sense made precise below, to an explicit process $(R_j - 1)_j$; some properties of the latter are given.

1 LLL reduction of a random lattice basis: The reduction level and the index of worst local reduction

The space $\mathbb{R}^n$ with its classical Euclidean structure is called the ambient space. The Euclidean norm is denoted by $\|\cdot\|$ and the scalar product by $\langle \cdot, \cdot \rangle$. Let $b_1^{(n)}, b_2^{(n)}, \ldots, b_p^{(n)}$ (for $p \le n$) be a linearly independent system of $p$ vectors of $\mathbb{R}^n$. The set of all their integer linear combinations is an additive discrete subgroup of $\mathbb{R}^n$ called a lattice. The system $b_1^{(n)}, b_2^{(n)}, \ldots, b_p^{(n)}$ is then a basis of the lattice. The superscript $(n)$ is used when needed to stress the dimension of the ambient space. The integer $p$ is the dimension of the lattice or the dimension of the basis. The quantity
$$g = n - p$$
is often used in this paper and referred to as the codimension of the independent system.

The lattice basis reduction problem deals with finding a basis of a given lattice whose vectors are "short" and "almost orthogonal". The problem is old and there are numerous notions of reduction. For a general survey, see for example [6, 14, 5]. Solving even approximately the lattice basis reduction problem has numerous theoretical and practical applications in integer optimization [9], computational number theory [8] and cryptography [12]. In 1982, Lenstra, Lenstra and Lovász [8] introduced for the first time an efficient (polynomial with respect to the length of the input) approximation reduction algorithm. It depends on a real approximation parameter $s \in \,]0, \sqrt{3}/2[$ and is called LLL($s$). The output basis of the LLL algorithm is called an LLL($s$) reduced or $s$-reduced basis. In this paper we are concerned with the probability that a random basis under a spherical model is LLL($s$) reduced (i.e. is already an output basis of the LLL($s$) algorithm).

Roughly speaking, the LLL reduction procedure follows a divide and conquer paradigm: for $i \in \{1, \ldots, p-1\}$, condition (1.1) below ensures that some "local two-dimensional basis" is $s$-reduced. This two-dimensional basis consists of the projections of $b_i^{(n)}$ and $b_{i+1}^{(n)}$ onto the orthogonal complement $H_i^\perp$ of the vector space $H_i$ spanned by $b_1^{(n)}, b_2^{(n)}, \ldots, b_{i-1}^{(n)}$. [8] showed that when all these two-dimensional bases are $s$-reduced, the whole basis has nice enough Euclidean properties. For instance, the length of the first vector of an LLL-reduced basis is not longer than $(1/s)^{p-1}$ times the length of a shortest vector in the lattice generated by $b_1^{(n)}, b_2^{(n)}, \ldots, b_p^{(n)}$.

To characterize an LLL($s$) reduced basis, let us recall the Gram–Schmidt orthogonalization procedure. It computes from the independent system $b_1^{(n)}, b_2^{(n)}, \ldots, b_p^{(n)}$ the orthogonal system $\hat b_1^{(n)}, \cdots, \hat b_p^{(n)}$ defined by the recursion
$$\hat b_1^{(n)} = b_1^{(n)}, \qquad \hat b_j^{(n)} = b_j^{(n)} - \sum_{i=1}^{j-1} \frac{\langle b_j^{(n)}, \hat b_i^{(n)} \rangle}{\|\hat b_i^{(n)}\|^2}\, \hat b_i^{(n)} \quad \text{for } j \ge 2.$$
If $B = [b_1^{(n)}, \cdots, b_p^{(n)}]$ is the $n \times p$ matrix with column vectors $b_1^{(n)}, \cdots, b_p^{(n)}$ in the canonical basis, this orthogonalization corresponds to the QR decomposition $B = QR$, where $Q = [\hat b_1^{(n)}, \cdots, \hat b_p^{(n)}]$ is an orthogonal $n \times p$ matrix and $R$ is an upper triangular $p \times p$ matrix ($R_{k,j} = 0$, $1 \le j < k \le n$) with
$$R_{jj} = 1, \qquad R_{k,j} = \frac{\langle \hat b_k^{(n)}, b_j^{(n)} \rangle}{\|\hat b_k^{(n)}\|^2}, \quad 1 \le k < j \le n.$$
Now the next definition characterizes an LLL($s$) reduced basis.

Definition 1.1. Let $b_1^{(n)}, b_2^{(n)}, \ldots, b_p^{(n)}$ (for $p \le n$) be a linearly independent system of $p$ vectors of $\mathbb{R}^n$. It is an LLL($s$)-reduced¹ basis of the lattice that it generates if and only if for all $1 \le i \le p-1$,
$$\frac{\|\hat b_{i+1}^{(n)}\|^2}{\|\hat b_i^{(n)}\|^2} > s^2. \tag{1.1}$$

Definition 1.2. Let $b_1^{(n)}, b_2^{(n)}, \ldots, b_p^{(n)}$ be a linearly independent system of vectors of $\mathbb{R}^n$ whose codimension is $g = n - p$. Let $\hat b_1^{(n)}, \cdots, \hat b_p^{(n)}$ be the associated Gram–Schmidt orthogonalized system. We call reduction level of $b_1^{(n)}, b_2^{(n)}, \ldots, b_p^{(n)}$ the quantity
$$M_n^g := \min_{i \in \{1, \ldots, n-(g+1)\}} \frac{\|\hat b_{i+1}^{(n)}\|^2}{\|\hat b_i^{(n)}\|^2}.$$
We call index of worst local reduction of $b_1^{(n)}, b_2^{(n)}, \ldots, b_p^{(n)}$ the quantity
$$I_n^g := \min\Big\{ i : \frac{\|\hat b_{n-i}^{(n)}\|^2}{\|\hat b_{n-i-1}^{(n)}\|^2} = M_n^g \Big\}.$$

When the vectors $b_1^{(n)}, b_2^{(n)}, \ldots, b_p^{(n)}$ are chosen at random, the reduction level and the index of worst local reduction are two random variables, well defined whenever $b_1^{(n)}, b_2^{(n)}, \ldots, b_p^{(n)}$ is a linearly independent system. This paper is essentially devoted to the study of the asymptotics (with respect to the dimension $n$ of the ambient space) of the random variables $M_n^g$ and $I_n^g$ under spherical models and for general codimensions of the random basis. The spherical models for the vectors $b_1^{(n)}, b_2^{(n)}, \ldots, b_p^{(n)}$ are precisely defined in the next section. Observe that these models include the "uniform model" where the $p$ vectors are chosen independently and uniformly inside the $n$-dimensional unit ball. The uniform model for lattice bases was first considered in [3].

The variable $M_n^g$ is the supremum of the set of those $s$ for which the basis is $s^2$-reduced. As mentioned earlier, an LLL($s$) reduced basis satisfies a set of local conditions. The second variable $I_n^g$ is the place where the satisfied local condition is the weakest. This indicates where the limitation of the reduction comes from locally.

Theorem 1.1. Let $b_1^{(n)}, b_2^{(n)}, \ldots, b_{n-g}^{(n)}$ be a random basis with codimension $g$ under a spherical model $(\nu_n)$ satisfying Assumption 1. Let $s \in (0,1)$ be a real parameter.
(i) If $g = g(n)$ tends to infinity, then the probability that a random basis is $s$-reduced tends to 1.
(ii) If $g$ is constant, then the probability that a random basis is $s$-reduced converges to a constant in $(0,1)$ (depending on $s$ and $g$).
(iii) If $g$ is constant, the index of worst local reduction $I_n^g$ converges in distribution.

Theorem 1.1 answers positively a conjecture of Akhavi [1] (which says that for $c \in [0,1)$, $M_n^{cn-1} \xrightarrow[n]{\text{proba.}} 1$). In his Lemma 3 p. 376, he proved that $\mathbb{P}(M_n^{cn-1} \le s) \to 0$ as soon as $s < \frac{1}{2}\,(1-c)^{\frac{1-c}{c}}\,(1+c)^{\frac{1}{c}}$, and that this convergence is exponentially fast. The proof of Theorem 1.1 relies on some properties of random bases under the spherical model which are of interest on their own; these results are overviewed in the next section.

¹ There are two minor differences between the definition of LLL reduction we consider here and the original definition introduced in [8]. Our main Theorem 1.1 is still true with the original definition of an LLL reduced basis, as detailed in the appendix of [2].

Notice that in [4], Donaldson proved a phenomenon similar to assertion (i) of Theorem 1.1. He considered a different random model: the basis $b_1^{(n)}, \cdots, b_{n-g}^{(n)}$ is picked uniformly in the set $\{\|b_1^{(n)}\|^2 + \cdots + \|b_{n-g}^{(n)}\|^2 = 1\}$ (the Euclidean sphere in $\mathbb{R}^{n \times (n-g)}$). He proved that as $n \to \infty$ with $n - g(n)$ a fixed constant, the basis is asymptotically reduced in the sense of Minkowski, i.e. each $b_i^{(n)}$ is a shortest vector among all vectors of the lattice that complete $b_1^{(n)}, \cdots, b_{i-1}^{(n)}$ to form a bigger subset of a lattice basis. So his result is about a stronger notion of reduction, but he considered a much more restricted class of bases.

To end this section about lattice basis reduction, observe that our Theorem 1.1 about LLL reduction can be generalized to other reductions. In [13] Schnorr introduces a new type of reduction by segments. He fixes an integer $k$ and partitions a basis whose vectors are in $\mathbb{R}^n$ and whose codimension is $g$ into $m$ segments of $k$ consecutive basis vectors such that $n - g = km$. A basis $b_1^{(n)}, b_2^{(n)}, \ldots, b_{n-g}^{(n)}$ with codimension $g$ is called $(s,k)$-reduced if the quantity
$$M_{k,n}^g = \inf_{r : (k+1)r \le n-g} \frac{\|\hat b_{kr+1}^{(n)}\|^2 \cdots \|\hat b_{(k+1)r}^{(n)}\|^2}{\|\hat b_{k(r-1)+1}^{(n)}\|^2 \cdots \|\hat b_{kr}^{(n)}\|^2}$$
is bigger than $s$.² As in Theorem 1.1, if $g = g(n)$ tends to infinity and the block size $k$ is fixed, then for any $s \in [0,1]$ the probability that a random basis is $(s,k)$-reduced in the sense introduced by Schnorr tends to 1 with $n$. If $g$ is constant, then this probability tends to a constant in $[0,1]$ (depending on $s$, $g$ and $k$).

² Of course there is a choice of approximation parameters such that when a basis is LLL($s$) reduced then, for any fixed $k$, it is also $(s,k)$-reduced in the sense introduced by Schnorr. But our approach here shows the existence of limit probabilities (with $n$) for the reducedness of a random basis in the sense introduced by Schnorr.

2 Models of random bases

Let $\nu_n$ be a distribution on $\mathbb{R}^n$ invariant by rotation and satisfying $\nu_n(\{0\}) = 0$. Let $b_1^{(n)}, b_2^{(n)}, \ldots, b_n^{(n)}$ be picked at random from $\mathbb{R}^n$, independently, and with the same distribution $\nu_n$. We call such a model a "simple spherical model". It is well known that under this model $b_1^{(n)}, b_2^{(n)}, \ldots, b_p^{(n)}$ (for $p \le n$) are almost surely linearly independent. We call it a ($p$-dimensional) random basis. It is then also well known (see [11] Th. 1.5.6 p. 38 and Letac [10]) that the radial part $\|b_i^{(n)}\|$ and the angular part $\theta_i^{(n)} := b_i^{(n)}/\|b_i^{(n)}\|$ are independent, and that the angular parts are uniformly distributed on $S^{n-1} := \{x \in \mathbb{R}^n : \|x\| = 1\}$. Since we are interested in the asymptotic behavior of a random basis in $\mathbb{R}^n$ when $n$ goes to $+\infty$, a "spherical model" will be a sequence of distributions $(\nu_n)$, each $\nu_n$ being a simple spherical model in $\mathbb{R}^n$.

Now let us give some properties and examples of spherical models. The uniform distribution $U_n$ in the ball $B_n := \{x \in \mathbb{R}^n : \|x\| \le 1\}$ – called the "random ball model" – is a particular case of spherical model. Under $U_n$, the distribution of the radial part is
$$U_n(\{x : \|x\| \le r\}) = U_n(\|b_1^{(n)}\| \le r) = r^n, \quad \text{for all } r \in [0,1]. \tag{2.2}$$
Our main results hold under Assumption 1. This is a technical condition (Chernoff bound) on the distribution $(\nu_n)$ which allows to transfer results concerning the uniform distribution on $S^{n-1}$ to more general spherical distributions.

Assumption 1. There exist a deterministic sequence $(a_n)_n$ and constants $d_1, d_2, \alpha > 0$, $\rho_0 \in (0,1)$ such that, for every $n$ and $\rho \in (0, \rho_0)$,
$$\nu_n\Big( \Big| \frac{\|b_1^{(n)}\|^2}{a_n} - 1 \Big| \ge \rho \Big) \le d_1 e^{-n d_2 \rho^\alpha}. \tag{2.3}$$

This implies in particular
$$\sup\Big\{ \Big| \frac{\|b_i^{(n)}\|^2}{a_n} - 1 \Big| ,\ i \in \{1, \ldots, n\} \Big\} \xrightarrow[n]{\text{proba}} 0.$$
Here are three natural examples of models $\nu_n$ where such a sequence $(a_n)$ exists:
• $\nu_n$ is the uniform distribution on $S^{n-1}$. In this case $\|b_1^{(n)}\|^2 = 1$, and $a_n = 1$.
• $\nu_n = U_n$. In this case, $a_n = 1$ and by (2.2), $U_n(|\,\|b_1^{(n)}\|^2/a_n - 1| \ge \rho) = (1-\rho)^{n/2} \le e^{-n\rho/2}$.
• $\nu_n$ is the $n$-variate standard normal (the coordinates are i.i.d. $N(0,1)$). Then $\|b_1^{(n)}\|^2/2$ is $\gamma_{n/2}$-distributed. It can be shown that for $a_n = n$, Assumption 1 holds in this case with $\alpha = 2$.
Notice that these three models are cited in the book of Knuth ([7, Section 3.4.1]).

3 Random bases issued from spherical models

For any $j = 1, \ldots, n$, let
$$Y_j^{(n)} := \|\hat b_j^{(n)}\|^2 / \|b_j^{(n)}\|^2.$$
We denote by $\gamma_a$ and $\beta_{a,b}$ respectively the gamma distribution with parameter $a$, and the beta distribution with parameters $a$ and $b$. In the sequel $\gamma(a)$ and $\beta(a,b)$ stand for generic random variables with respective distributions $\gamma_a$ and $\beta_{a,b}$. We first recall some facts concerning the spherical models, facts that are more or less part of the folklore, and which have been proved several times (e.g. [11], [1]).

Theorem 3.1. For each $n$, under the simple spherical model, the variables $\|b_j^{(n)}\|^2$, $j = 1, \cdots, n$ are independent. For every $j = 2, \ldots, n$,
$$Y_j^{(n)} \overset{(d)}{=} \beta\Big(\frac{n-j+1}{2}, \frac{j-1}{2}\Big),$$
and the random variables $Y_j^{(n)}$, $j \ge 1$, $\|b_j^{(n)}\|^2$, $j \ge 1$ are independent.

Corollary 3.1. Under the random ball model $U_n$, the variables $\|\hat b_j^{(n)}\|^2$, $j = 1, \cdots, n$ are independent and for $1 \le j \le n$
$$\|\hat b_j^{(n)}\|^2 \overset{(d)}{=} \beta\Big(\frac{n-j+1}{2}, \frac{j+1}{2}\Big). \tag{3.4}$$

Let us recall that for $(a,b) \in \mathbb{R}_+^2$, the beta distribution of parameters $(a,b)$, denoted by $\beta_{a,b}$, is
$$\beta_{a,b}(dx) = \frac{\Gamma(a+b)}{\Gamma(a)\Gamma(b)}\, x^{a-1}(1-x)^{b-1}\, \mathbb{1}_{(0,1)}(x)\, dx.$$

As an easy consequence of the properties of the beta distribution, under $U_n$,
$$\|\hat b_{n-j}^{(n)}\|^2 \overset{(d)}{=} 1 - \|\hat b_j^{(n)}\|^2.$$

The statement of Corollary 3.1 in this formulation is due to Daudé and Vallée ([3]). Actually, (3.4) is a consequence of Theorem 3.1 and the identity $\beta(a,b)\,\beta(c, a-c) \overset{(d)}{=} \beta(c, a+b-c)$ (for independent factors), since (2.2) means that $\|b_i^{(n)}\|^2 \overset{(d)}{=} \beta(n/2, 1)$.

4 Convergence of the reduction level and related quantities

As described in the introduction, we are interested in the random variable $M_n^g$, which has the representation
$$M_n^g = \min_{g+1 \le j \le n-1} r_j^{(n)}, \quad \text{with} \quad r_j^{(n)} := \frac{\|\hat b_{n-j+1}^{(n)}\|^2}{\|\hat b_{n-j}^{(n)}\|^2}. \tag{4.5}$$

Let us recall that for $a > 0$, the gamma distribution of parameter $a$ is
$$\gamma_a(dx) = \frac{e^{-x} x^{a-1}}{\Gamma(a)}\, \mathbb{1}_{[0,\infty)}(x)\, dx,$$
and its mean is $a$. As a direct consequence of Theorem 3.1 together with classical results about gamma distributed random variables and the weak law of large numbers, under $\nu_n$, for each $j$, $r_j^{(n)}$ converges in distribution to $\gamma(j/2)/\gamma((j+1)/2)$, where $\gamma(j/2)$ and $\gamma((j+1)/2)$ are independent. By the strong law of large numbers, $\gamma(j/2)/\gamma((j+1)/2) \xrightarrow[j]{\text{a.s.}} 1$; this suggests that the minimum $M_n^g$ is reached by the first $r_j^{(n)}$ and motivated the "time inversion" done in (4.5).

But the variable $M_n^g$ is a function of the $(n-g)$-tuple $(r_{g+1}^{(n)}, \cdots, r_{n-1}^{(n)})$, and the convergence of each coordinate separately does not yield that of $M_n^g$. The variables $(r_j^{(n)})_{j \le n-1}$ are not only dependent, but even their number is growing. It is not hard to see that for the "last" indices ($n-i$ with $i$ fixed), $r_{n-i}^{(n)} \xrightarrow[n]{(d)} 1$. Hence, it is convenient to embed the $(n-1)$-tuple $(r_1^{(n)}, \cdots, r_{n-1}^{(n)})$ into $\mathbb{R}_+^{\mathbb{N}}$ (the set of infinite sequences of positive real numbers). This is done by setting
$$r_k^{(n)} := 1, \quad k \ge n.$$
Let $(\eta_i)_{i \ge 1}$ be a sequence of independent random variables such that $\eta_i \overset{(d)}{=} \gamma_{i/2}$ and set
$$R_k = \eta_k/\eta_{k+1},\ k \ge 1, \qquad M^k = \min\{R_j,\ j > k\}, \qquad I^k = \min\{\operatorname{argmin}\{R_j,\ j > k\}\},$$
where for $a \in \mathbb{R}^{\mathbb{N}}$, $\operatorname{argmin} a = \{ i : \inf_{j \ge 1} a_j = a_i \}$. We denote by $\|\cdot\|_q$ the classical norm on the set $\ell^q$ of sequences of real numbers with finite $q$th moment: for any sequence of real numbers $x = (x_i)_{i \ge 1}$, $\|x\|_q$ is $\big(\sum_{i \ge 1} |x_i|^q\big)^{1/q}$ and $\ell^q$ is $\{x : \|x\|_q < +\infty\}$. The following proposition gives the limit behavior of the process $(r_k^{(n)})_{k \ge 1}$ when $n$ goes to $+\infty$. Notice that the proposition deals with the processes $(r_k^{(n)} - 1)_{k \ge 1}$ and $(R_k - 1)_{k \ge 1}$, since the processes $(r_k^{(n)})_{k \ge 1}$ and $(R_k)_{k \ge 1}$ are not in $\ell^q$.

Proposition 4.1. For any $q > 2$, the following convergence in distribution holds in the metric space $\ell^q$:
$$(r_k^{(n)} - 1)_{k \ge 1} \xrightarrow[n]{(d)} (R_k - 1)_{k \ge 1}.$$

Idea of the proof. For any $q > 2$, the process $(R_k - 1)_k$ is a.s. in $\ell^q$, i.e. almost surely $\sum_k |R_k - 1|^q < \infty$. We define an intermediate process $(R_k^{(n)})_{k \ge 1}$ with the following property: $(R_k^{(n)})_{k \ge 1}$ has the same distribution as $(r_k^{(n)})_{k \ge 1}$, but unlike $(r_k^{(n)})_{k \ge 1}$ it is defined on a unique probability space, i.e. $r^{(n)} \overset{(d)}{=} R^{(n)}$. This unique probability space is not related to some embedding of $\mathbb{R}^n$ in some larger space: the proof is not geometrical. Thanks to that framework, the strong law of large numbers can be used to show the almost sure convergence to 0 of the process $(R_k^{(n)} - R_k)_{k \ge 1}$ in $\ell^q$.

The previous proposition is the key result here and it entails all the convergence results given in the next theorem. The application $x \mapsto 1 + \min_{i \ge k} x_i$ is continuous from $\ell^q$ onto $\mathbb{R}$. It follows that $M_n^g \wedge 1$ converges in distribution to $M^g$. More precisely,

Theorem 4.1. If $\nu_n$ is spherical and satisfies Assumption 1, then
(i) For each $K$, $M_n^K \xrightarrow[n]{(d)} M^K$.
(ii) Let $g : \mathbb{N} \to \mathbb{N}$ be such that $g(n) \le n$ and $g(n) \to \infty$. We have $M_n^{g(n)} \xrightarrow[n]{\text{proba.}} 1$.
(iii) For any $k \ge 1$, $I_n^k \xrightarrow[n]{(d)} I^k$.

Notice that Proposition 4.1 and Theorem 4.1 have their analogues for the reduction introduced by Schnorr in [13]. Let us fix $k \ge 1$, $n \ge 2$, $g \le n$ and define $r_{k,j}^{(n)}$ by
$$r_{k,j}^{(n)} := \frac{\|\hat b_{n-(j+1)k+1}^{(n)}\|^2 \cdots \|\hat b_{n-jk}^{(n)}\|^2}{\|\hat b_{n-(j+2)k+1}^{(n)}\|^2 \cdots \|\hat b_{n-(j+1)k}^{(n)}\|^2}$$
for $j$ such that $g+1 \le kj \le n-1$, and $r_{k,j}^{(n)} := 1$ for $j$ such that $kj \ge n$. Then when $n \to \infty$, we have convergence of $(r_{k,j}^{(n)})_j$ to a process $(R_{k,j})_j$ with
$$R_{k,j} = \frac{\eta_{k,j}}{\eta_{k,j+1}}, \qquad \eta_{k,j} \overset{(d)}{=} \gamma(j/2)\,\gamma((j+1)/2) \cdots \gamma((j+k-1)/2),$$
where the $\eta_{k,j}$, $j \ge 1$ are independent, and the gamma variables too. Then by setting
$$M_{k,n}^g = \min_{j : g+1 \le kj \le n-1} r_{k,j}^{(n)}, \qquad M_k^g := \inf\{ R_{k,j},\ kj \ge g+1 \},$$
one obtains also an analogue of Theorem 4.1 ($M_{k,n}^g \xrightarrow[n]{(d)} M_k^g$).
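As an added example (not code from the paper), the following Python script implements Definitions 1.1 and 1.2 and the random ball model $U_n$ of (2.2), estimates by Monte Carlo the probability that a ball-model basis of codimension $g$ is $s$-reduced, and compares it with the same probability computed from the limit process $R_k = \eta_k/\eta_{k+1}$ of Section 4. The toy basis, the dimensions, the seed and the truncation level `kmax` are constructed choices.

```python
import math
import random


def sample_ball(n, rng):
    """One vector of the random ball model U_n: uniform direction on S^{n-1}
    (normalised Gaussian) times a radius r with P(r <= t) = t^n, i.e. (2.2)."""
    direction = [rng.gauss(0.0, 1.0) for _ in range(n)]
    norm = math.sqrt(sum(x * x for x in direction))
    radius = rng.random() ** (1.0 / n)
    return [radius * x / norm for x in direction]


def gram_schmidt(basis):
    """Orthogonal system b^_1..b^_p given by the paper's recursion (no normalisation)."""
    ortho = []
    for b in basis:
        bh = list(b)
        for bi in ortho:
            coef = sum(x * y for x, y in zip(b, bi)) / sum(x * x for x in bi)  # <b_j,b^_i>/||b^_i||^2
            bh = [x - coef * y for x, y in zip(bh, bi)]
        ortho.append(bh)
    return ortho


def reduction_level(basis, n):
    """(M_n^g, I_n^g) of Definition 1.2 for p = len(basis) vectors in R^n, g = n - p."""
    sq = [sum(x * x for x in v) for v in gram_schmidt(basis)]
    p, g = len(sq), n - len(basis)
    ratios = {i: sq[i] / sq[i - 1] for i in range(1, p)}  # ratios[i] = ||b^_{i+1}||^2/||b^_i||^2, 1-based i
    m = min(ratios.values())
    # I_n^g: smallest i with ||b^_{n-i}||^2/||b^_{n-i-1}||^2 = M_n^g, so i runs over g..n-2
    index = min(i for i in range(g, n - 1) if ratios[n - i - 1] == m)
    return m, index


def is_lll_reduced(basis, n, s):
    """Condition (1.1) for every i, i.e. M_n^g > s^2."""
    return reduction_level(basis, n)[0] > s * s


def prob_reduced_ball_model(n, g, s, trials, seed=0):
    """Monte Carlo estimate of P(ball-model basis of codimension g in R^n is s-reduced)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        basis = [sample_ball(n, rng) for _ in range(n - g)]
        hits += is_lll_reduced(basis, n, s)
    return hits / trials


def limit_process(kmax, rng):
    """R_k = eta_k / eta_{k+1} for k = 1..kmax, with eta_i ~ gamma(i/2) independent."""
    eta = [rng.gammavariate(i / 2.0, 1.0) for i in range(1, kmax + 2)]
    return [eta[k - 1] / eta[k] for k in range(1, kmax + 1)]


def prob_limit_reduced(g, s, trials, kmax=200, seed=0):
    """Estimate of P(M^g > s^2) with M^g = min{R_j : j > g}, truncated at j <= kmax
    (R_j -> 1 a.s., so the discarded tail almost never carries the minimum)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        r = limit_process(kmax, rng)
        hits += min(r[g:]) > s * s  # r[g:] holds R_{g+1}, ..., R_{kmax}
    return hits / trials


if __name__ == "__main__":
    toy = [[1.0, 0.0, 0.0], [1.0, 1.0, 0.0], [0.0, 0.0, 2.0]]  # constructed basis, n = 3, g = 0
    print("toy basis (M, I):", reduction_level(toy, 3))
    print("ball model, n=40, g=30, s=0.5:", prob_reduced_ball_model(40, 30, 0.5, 200))
    print("limit process, g=30, s=0.5:", prob_limit_reduced(30, 0.5, 200))
```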

5 Some precisions on the limit process

We end this paper by stating some properties of the limiting process $(R_k)_{k \ge 1}$. First of all, in statistics the distribution of $\frac{j+1}{j} R_j$ is known as the Fisher $F_{j,j+1}$ distribution, with
$$\mathbb{P}\big(\gamma(a)/\gamma(b) \in dx\big) = \frac{\Gamma(a+b)}{\Gamma(a)\Gamma(b)}\, \frac{x^{a-1}}{(1+x)^{a+b}}\, \mathbb{1}_{[0,\infty[}(x)\, dx.$$

[Figure 1: Simulation of the density of $M^0_\infty$ with $10^8$ data.]

The mean of $R_j$ is $j/(j-1)$ and, as said above, $R_k \xrightarrow[k]{\text{a.s.}} 1$. Here are some sharper results (see also the simulations in Figures 1 and 2).

Proposition 5.1. (i) For each $k$, the distribution of $M^k$ has a density, which is positive on $(0,1)$ and zero outside.
(ii) For each $k$,
$$\lim_{x \downarrow 0} x^{-(k+1)/2}\, \mathbb{P}(M^k \le x) = 1/\Gamma\Big(\frac{k+2}{2}\Big).$$
(iii) There exists $\tau > 0$ such that for each $k \ge 0$,
$$\limsup_{y \uparrow 1} e^{\frac{\tau}{(1-y)^2}}\, \mathbb{P}(M^k \ge y) < \infty.$$
(iv) For each $k$, a.s. $\#\{j : j > k,\ R_j = M^k\} = 1$.

[Figure 2: The histogram provided by 10000 simulations of $I_\infty$. The sequence $k \mapsto \mathbb{P}(I^g = k)$ seems to be decreasing.]

6 Conclusion

This paper provides asymptotic results about the probability that a random basis under a simple spherical model (including the random ball model) is LLL reduced. All detailed proofs are available in [2].

References

[1] A. Akhavi. Random lattices, threshold phenomena and efficient reduction algorithms. Theoretical Computer Science, 287:359–385, 2002.

[2] A. Akhavi, J.-F. Marckert, and A. Rouault. On the reduction of a random basis. arXiv:math.PR/0604331, available at http://arxiv.org/abs/math.PR/0604331, April 2006.

[3] H. Daudé and B. Vallée. An upper bound on the average number of iterations of the LLL algorithm. Theor. Comput. Sci., 123(1):95–115, 1994.

[4] J. L. Donaldson. Minkowski reduction of integral matrices. Mathematics of Computation, 33(145):201–216, 1979.

[5] H. W. Lenstra, Jr. Flags and lattice basis reduction. In European Congress of Mathematics, Vol. I (Barcelona, 2000), volume 201 of Progr. Math., pages 37–51. Birkhäuser, Basel, 2001.

[6] R. Kannan. Algorithmic geometry of numbers. In Annual review of computer science, Vol. 2, pages 231–267. Annual Reviews, Palo Alto, CA, 1987.

[7] D. E. Knuth. The art of computer programming. Vol. 2: Seminumerical algorithms. Addison-Wesley Series in Computer Science and Information Processing. Addison-Wesley Publishing Co., Reading, Mass., second edition, 1981.

[8] A. K. Lenstra, H. W. Lenstra, Jr., and L. Lovász. Factoring polynomials with rational coefficients. Math. Ann., 261(4):515–534, 1982.

[9] H. W. Lenstra, Jr. Integer programming and cryptography. Math. Intelligencer, 6(3):14–19, 1984.

[10] G. Letac. Isotropy and sphericity: some characterisations of the normal distribution. Ann. Statist., 9(2):408–417, 1981.

[11] R. J. Muirhead. Aspects of multivariate statistical theory. John Wiley, 1982.

[12] P. Q. Nguyen and J. Stern. The two faces of lattices in cryptology. In Cryptography and lattices (Providence, RI, 2001), volume 2146 of Lecture Notes in Comput. Sci., pages 146–180. Springer, 2001.

[13] C. P. Schnorr. Fast LLL-type lattice reduction. Information and Computation, 204:1–25, 2006.

[14] B. Vallée. Un problème central en géométrie algorithmique des nombres: la réduction des réseaux. Autour de l'algorithme de Lenstra Lenstra Lovász. In Informatique Théorique et Applications, volume 3, pages 345–376. 1989. English translation by E. Kranakis, CWI Quarterly, 1990, 3.
