Low-dimensional lattice basis reduction revisited
Lattice reduction is a geometric generalization of the problem of computing greatest common divisors. Most of the interesting algorithmic problems related to lattice reduction are NP-hard as the lattice dimension increases. This article deals with the low-dimensional case. We study a greedy lattice basis reduction algorithm for the Euclidean norm, which is arguably the most natural lattice basis reduction algorithm, because it is a straightforward generalization of an old two-dimensional algorithm of Lagrange, usually known as Gauss' algorithm, and which is very similar to Euclid's gcd algorithm. Our results are two-fold. From a mathematical point of view, we show that up to dimension four, the output of the greedy algorithm is optimal: the output basis reaches all the successive minima of the lattice. However, as soon as the lattice dimension is strictly higher than four, the output basis may be arbitrarily bad, as it may not even reach the first minimum. More importantly, from a computational point of view, we show that up to dimension four, the bit-complexity of the greedy algorithm is quadratic without fast integer arithmetic, just like Euclid's gcd algorithm. This was already proved by Semaev up to dimension three using rather technical means, but it was previously unknown whether or not the algorithm was still polynomial in dimension four. We propose two different analyses: a global approach based on the geometry of the current basis when the length decrease stalls, and a local approach showing directly that a significant length decrease must occur every O(1) consecutive steps. Our analyses simplify Semaev's analysis in dimensions two and three, and unify the cases of dimensions two to four. Although the global approach is much simpler, we also present the local approach because it gives further information on the behavior of the algorithm.
Seiberg-Witten Curve for E-String Theory Revisited
We discuss various properties of the Seiberg-Witten curve for the E-string theory which we have obtained recently in hep-th/0203025. The Seiberg-Witten curve for the E-string describes the low-energy dynamics of a six-dimensional (1,0) SUSY theory when compactified on R^4 x T^2. It has a manifest affine E_8 global symmetry with modulus \tau and E_8 Wilson line parameters {m_i}, i=1,2,...,8, which are associated with the geometry of the rational elliptic surface. When the radii R_5, R_6 of the torus T^2 degenerate, R_5, R_6 --> 0, the E-string curve reduces to the known Seiberg-Witten curves of four- and five-dimensional gauge theories. In this paper we first study the geometry of the rational elliptic surface and identify the geometrical significance of the Wilson line parameters. By fine tuning these parameters we also study degenerations of our curve corresponding to various unbroken symmetry groups. We also find a new way of reduction to four-dimensional theories without taking a degenerate limit of T^2, so that the SL(2,Z) symmetry is left intact. By setting some of the Wilson line parameters to special values we obtain the four-dimensional SU(2) Seiberg-Witten theory with 4 flavors and also a curve by Donagi and Witten describing the dynamics of a perturbed N=4 theory.
Comment: 35 pages, 2 figures, LaTeX2
Generalised Mersenne Numbers Revisited
Generalised Mersenne Numbers (GMNs) were defined by Solinas in 1999 and feature in the NIST (FIPS 186-2) and SECG standards for use in elliptic curve cryptography. Their form is such that modular reduction is extremely efficient, thus making them an attractive choice for modular multiplication implementation. However, the issue of residue multiplication efficiency seems to have been overlooked. Asymptotically, using a cyclic rather than a linear convolution, residue multiplication modulo a Mersenne number is twice as fast as integer multiplication; this property does not hold for prime GMNs, unless they are of Mersenne's form. In this work we exploit an alternative generalisation of Mersenne numbers for which an analogue of the above property, and hence the same efficiency ratio, holds, even at bitlengths for which schoolbook multiplication is optimal, while also maintaining very efficient reduction. Moreover, our proposed primes are abundant at any bitlength, whereas GMNs are extremely rare. Our multiplication and reduction algorithms can also be easily parallelised, making our arithmetic particularly suitable for hardware implementation. Furthermore, the field representation we propose also naturally protects against side-channel attacks, including timing attacks, simple power analysis and differential power analysis, which is essential in many cryptographic scenarios, in contrast to GMNs.
Comment: 32 pages. Accepted to Mathematics of Computation
Supersymmetric lattices
Discretization of supersymmetric theories is an old problem in lattice field theory. It has resisted solution until quite recently, when new ideas drawn from orbifold constructions and topological field theory have been brought to bear on the question. The result has been the creation of a new class of lattice gauge theory in which the lattice action is invariant under one or more supersymmetries. The resultant theories are local and free of doublers and, in the case of Yang-Mills theories, also possess exact gauge invariance. In principle they form the basis for a truly non-perturbative definition of the continuum supersymmetric field theory. In this talk these ideas are reviewed, with particular emphasis being placed on super Yang-Mills theory.
Comment: Plenary talk at the symposium Quantum Theory and Symmetries, Lexington, Kentucky, July 2009. References added
Easy scalar decompositions for efficient scalar multiplication on elliptic curves and genus 2 Jacobians
The first step in elliptic curve scalar multiplication algorithms based on scalar decompositions using efficient endomorphisms (including Gallant-Lambert-Vanstone (GLV) and Galbraith-Lin-Scott (GLS) multiplication, as well as higher-dimensional and higher-genus constructions) is to produce a short basis of a certain integer lattice involving the eigenvalues of the endomorphisms. The shorter the basis vectors, the shorter the decomposed scalar coefficients, and the faster the resulting scalar multiplication. Typically, knowledge of the eigenvalues allows us to write down a long basis, which we then reduce using the Euclidean algorithm, Gauss reduction, LLL, or even a more specialized algorithm. In this work, we use elementary facts about quadratic rings to immediately write down a short basis of the lattice for the GLV, GLS, GLV+GLS, and Q-curve constructions on elliptic curves, and for genus 2 real multiplication constructions. We do not pretend that this represents a significant optimization in scalar multiplication, since the lattice reduction step is always an offline precomputation; but it does give a better insight into the structure of scalar decompositions. In any case, it is always more convenient to use a ready-made short basis than it is to compute a new one.
String Islands
We discuss string theories with small numbers of non-compact moduli and describe constructions of string theories whose low-energy limit is described by various pure supergravity theories. We also construct a D=4, N=4 compactification of type II string theory with 34 vector fields.
Comment: An erroneous example removed. We thank Massimo Bianchi and Cumrun Vafa for pointing out this error
On the Proximity Factors of Lattice Reduction-Aided Decoding
Lattice reduction-aided decoding features reduced decoding complexity and near-optimum performance in multi-input multi-output communications. In this paper, a quantitative analysis of lattice reduction-aided decoding is presented. To this aim, the proximity factors are defined to measure the worst-case losses in distances relative to closest point search (in an infinite lattice). Upper bounds on the proximity factors are derived, which are functions of the dimension of the lattice alone. The study is then extended to the dual-basis reduction. It is found that the bounds for dual basis reduction may be smaller. Reasonably good bounds are derived in many cases. The constant bounds on proximity factors not only imply the same diversity order in fading channels, but also relate the error probabilities of (infinite) lattice decoding and lattice reduction-aided decoding.
Comment: remove redundant figure