\documentclass[11pt]{article}
\usepackage{amsmath}
%\usepackage{fullpage}
%\usepackage{epic}
%\usepackage{eepic}
%\usepackage{psfig}

%\newcommand{\proof}[1]{
%{\noindent {\it Proof.} {#1} \rule{2mm}{2mm} \vskip \belowdisplayskip}
%}


%\newtheorem{lemma}{Lemma}[section]
%\newtheorem{theorem}[lemma]{Theorem}
%\newtheorem{claim}[lemma]{Claim}
%\newtheorem{definition}[lemma]{Definition}
%\newtheorem{corollary}[lemma]{Corollary}

%Theorems and likes
\newtheorem{assumption}{Assumption}[section]
\newtheorem{theorem}{Theorem}[section]
\newtheorem{fact}{Fact}[section]
\newtheorem{claim}{Claim}[section]
\newtheorem{lemma}{Lemma}[section]
\newtheorem{example}{Example}[section]
\newtheorem{definition}{Definition}[section]
\newtheorem{corollary}{Corollary}[section]
\newtheorem{exercise}{Exercise}[section]
\newtheorem{observation}{Observation}[section]


\newcommand{\bproof}{\noindent\textit{Proof}}
%\newcommand{\eproof}{\hspace*{\fill}$\Box$~~~~~\bigskip}
\newcommand{\eproof}{\hspace*{\fill}\rule{2mm}{2mm}~~~~~\bigskip}
\newenvironment{proof}{\bproof: }{\eproof}

% symbols and notation
\newcommand{\defeq}{\stackrel{\mathrm{def}}{=}}


\setlength{\oddsidemargin}{0in} \setlength{\topmargin}{0in}
\setlength{\textwidth}{6in} \setlength{\textheight}{8in}

\begin{document}

\setlength{\fboxrule}{.5mm}\setlength{\fboxsep}{1.2mm}
\newlength{\boxlength}\setlength{\boxlength}{\textwidth}
\addtolength{\boxlength}{-4mm}
\begin{center}\framebox{\parbox{\boxlength}{\bfseries
CS 681: Computational Number Theory and Algebra \hfill Lecture 27
\\\\
Short Vectors in Lattices
\\\\
Lecturer: Manindra Agrawal \hfill Scribe: Chandan Saha
%\\
\begin{flushright}
%date
November 25, 2005
\end{flushright}
}}\end{center} \vspace{5mm}

\section{Introduction}
\begin{definition}
A lattice $\mathbf{L} \subseteq \mathbf{R}^n$ is a set of points
defined as
\begin{equation*}
\mathbf{L} = \Bigl\{ \sum_{i=1}^{m} \alpha_i u_i \;\Big|\; \alpha_i \in
\mathbf{Z} \text{ and } u_i \in \mathbf{R}^n \Bigr\}.
\end{equation*}
\end{definition}
We will assume that $m=n$ and that the $u_i$'s are linearly independent.
The problem of computing a shortest vector in a given lattice is
$\mathbf{NP}$-hard. We define the volume of a lattice $\mathbf{L}$
as
\begin{equation*}
\operatorname{Vol}(\mathbf{L}) = \lvert \det [ u_1 \; u_2 \; \ldots \; u_n] \rvert .
\end{equation*}
If the $u_i$'s are linearly dependent then $\operatorname{Vol}(\mathbf{L}) = 0$.
The vectors $u_1,u_2, \ldots, u_n$ are called a \emph{basis} for
$\mathbf{L}$.
\begin{lemma}
$\operatorname{Vol}(\mathbf{L})$ is independent of the choice of basis.
\end{lemma}
\begin{proof}
Let $v_1,v_2, \ldots, v_n$ be another basis for $\mathbf{L}$. We
have $v_j = \sum_{i=1}^n \beta_{ij} u_i$, where $\beta_{ij} \in
\mathbf{Z}$. Hence
\begin{align*}
& \hspace{0.54 in}[v_1 \; v_2 \; \ldots \; v_n] = [u_1 \; u_2 \; \ldots \; u_n] \cdot [\beta_{ij}]\\
& \Rightarrow \lvert \det[v_1 \; v_2 \; \ldots \; v_n] \rvert
  = \lvert \det[u_1 \; u_2 \; \ldots \; u_n] \rvert \cdot \lvert \det[\beta_{ij}] \rvert\\
& \Rightarrow \lvert \det[u_1 \; u_2 \; \ldots \; u_n] \rvert
  \text{ divides } \lvert \det[v_1 \; v_2 \; \ldots \; v_n] \rvert,
\end{align*}
since $\det[\beta_{ij}]$ is an integer.
Similarly, $\lvert \det[v_1 \; v_2 \; \ldots \; v_n] \rvert$ divides
$\lvert \det[u_1 \; u_2 \; \ldots \; u_n] \rvert$, because the $u_i$
are likewise integer combinations of the $v_j$.
Therefore, $\lvert \det[v_1 \; v_2 \; \ldots \; v_n] \rvert
= \lvert \det[u_1 \; u_2 \; \ldots \; u_n] \rvert$.
\end{proof}
\section{Application of finding Short Vector in a Lattice}
Consider the scenario where the RSA cryptosystem is used. Let $p$
and $q$ be two large primes and $n=pq$. Let $(n,3)$ be the public
key. Suppose we encrypt a message $m$ whose initial part is a fixed,
known header $h$, and whose unknown content $x$ is $l$ bits long.
Without loss of generality assume that $0 \leq m < n$.

Let $m = h \cdot 2^l + x$ and $c = m^3 \pmod{n}$.
Assume that the adversary knows $c$, $h$, $l$ and $(n,3)$. Since
\begin{align*}
c &= (h \cdot 2^l + x)^3 \pmod{n} \\
\Rightarrow p(x) &= x^3 + a_2x^2 + a_1x + (a_0 - c) = 0
\pmod{n},
\end{align*}
where the coefficients $a_0, a_1, a_2$ come from expanding
$(h \cdot 2^l + x)^3$ and are therefore known to the adversary.
The adversary computes $p(x)$ and tries to solve for $x$. Let a
lattice $\mathbf{L} \subseteq \mathbf{R}^6$ be defined by the following
basis vectors:
\[ \left( \begin{array}{c}
a_0 - c \\
a_1 \\
a_2 \\
1 \\
0 \\
0 \end{array} \right ) , \left( \begin{array}{c}
0 \\
a_0 - c \\
a_1 \\
a_2 \\
1 \\
0 \end{array} \right ) , \left( \begin{array}{c}
0 \\
0 \\
a_0 - c \\
a_1 \\
a_2 \\
1 \end{array} \right ) , \left( \begin{array}{c}
n \\
0 \\
0 \\
0 \\
0 \\
0 \end{array} \right ) , \left( \begin{array}{c}
0 \\
n \\
0 \\
0 \\
0 \\
0 \end{array} \right ) , \left( \begin{array}{c}
0 \\
0 \\
n \\
0 \\
0 \\
0 \end{array} \right )\] Therefore, $\operatorname{Vol}(\mathbf{L}) = n^3$.

\begin{theorem}[Minkowski]
Let $\mathbf{L} \subseteq \mathbf{R}^d$ be a lattice. Then the
length of the shortest nonzero vector in $\mathbf{L}$ is at most
$d^{\frac{1}{2}} \cdot \operatorname{Vol}(\mathbf{L})^{\frac{1}{d}}$.
\end{theorem}

From the above theorem (with $d=6$ and $\operatorname{Vol}(\mathbf{L}) = n^3$)
we conclude that the shortest vector in our lattice $\mathbf{L}$ has
length $\leq \sqrt{6} \cdot \sqrt{n}$.

Let $v = (v_0, v_1, \ldots ,v_5)$ be the shortest vector in
$\mathbf{L}$. Since $v$ is an integer combination of the six basis
vectors, the polynomial
\begin{align*}
v(x) &= \sum_{i=0}^5 v_i x^i \\
&= \gamma_1 p(x) + \gamma_2 x p(x) + \gamma_3 x^2 p(x) + \gamma_4
n + \gamma_5 n x + \gamma_6 n x^2 \\
&= (\gamma_1 + \gamma_2x + \gamma_3x^2)p(x) \pmod{n}
\end{align*}
for some integers $\gamma_1, \ldots, \gamma_6$.
Suppose $x=m_0$ is the unknown message. Then
\begin{align*}
& p(m_0) = 0 \pmod{n} \\
& \Rightarrow v(m_0) = 0 \pmod{n} \\
& \Rightarrow \text{$m_0$ is a root of $v(x)$ modulo $n$}.
\end{align*}
\begin{align*}
\lvert v(m_0) \rvert &= \Bigl\lvert \sum_{i=0}^5 v_i m_0^i \Bigr\rvert \\
&\leq 6 \cdot \max \{\lvert v_i \rvert \} \cdot m_0^5 \\
&\leq 6 \cdot \max \{\lvert v_i \rvert \} \cdot 2^{5l} \\
&\leq 6 \sqrt{6} \cdot \sqrt{n} \cdot 2^{5l} \\
& < n \quad \text{if } l < \frac{1}{10} \log_2 \frac{n}{216}.
\end{align*}
Therefore, $v(m_0) = 0$ over $\mathbf{Z}$. Thus, if the unknown part
$x$ of the message is only about $\frac{1}{10}$-th of the total
message length, then the adversary can recover $x$ by computing a
shortest vector $v$ in $\mathbf{L}$ and then solving $v(x)=0$ over
$\mathbf{Z}$. Note that the argument relies on the small public
exponent $3$ and on the header $h$ being fixed and known to the
adversary.

\end{document}

