Sorry if my question is trivial. My question is related to a post "Paillier Homomorphic encryption to calculate the means" where a member suggests Lagrange Gauss Reduction Algorithm for reducing a decrypted value to a rational number. How to use Lagrange Gauss Reduction Algorithm for reducing numbers? Here is the link to the original post: Paillier Homomorphic encryption to calculate the means.
Asked
Active
Viewed 720 times
1 Answers
1
Lagrange-Gauss algorithm can also be seen as LLL in dimension 2. Here is an implementation using GP/Pari:
\\ Given A modulo N, it returns a fraction u/v s.t. A = u/v (mod N)
Gauss(A,N) = {
local(L,L3);
L = [1,0;lift(A),N];
L3 = L*qflll(L);
return(L3[2,1]/L3[1,1]);
}
EDIT: Consider the lattice defined by the two column vectors $\begin{pmatrix}1\\A\end{pmatrix}$ and $\begin{pmatrix}0\\N\end{pmatrix}$. The vectors in the lattice are: $$\alpha \begin{pmatrix}1\\A\end{pmatrix} + \beta \begin{pmatrix}0\\N\end{pmatrix} = \begin{pmatrix}\alpha\\ \alpha A + \beta N\end{pmatrix}$$ As we are in dimension 2, LLL will return the shortest (non-zero) vector in the lattice.
Let's call $$\vec{v} := \begin{pmatrix}v_1\\v_2\end{pmatrix} = \begin{pmatrix}\alpha^*\\ \alpha^* A + \beta^* N\end{pmatrix} \in \mathbb{Z}^2$$ the vector returned by LLL: $v_1$ and $v_2$ are small. Clearly, we have $$v_2 = \alpha^* A + \beta^* N \equiv \alpha^* A \equiv v_1 A \pmod N$$ and thus $$A \equiv \frac{v_2}{v_1} \pmod N$$ with $v_1$ and $v_2$ small.
user94293
- 1,779
- 11
- 13
-
Can you elaborate this implementation a bit more as I am not used to GP/Pari or can you suggest some material about this algorithm? – Mosen Feb 02 '18 at 13:04
-
@Mosen: See the EDIT. Does it answer your question? – user94293 Feb 02 '18 at 17:38
-
Now I understand the algorithm. My question is about the implementation code you have given above in which some terms (lift(A), qflll) are not clear to me as it is written in GP/Pari. I am more familiar with MATLAB. Anyhow nice explanation. – Mosen Feb 03 '18 at 02:59
-
can you please explain the programming terms lift(A), qflll(L), and L3 in the above implementation? – Mosen Feb 05 '18 at 04:19
-
See http://pari.math.u-bordeaux.fr/ – user94293 Feb 05 '18 at 05:22
-
It worked. I did it by using the Extended Euclidean Algorithm. – Mosen Feb 23 '18 at 03:17
-
@ user94293 the computational complexity of Lagrange Gauss reduction algorithm is O(log(v)^) where v is the second vector and the computational complexity of the extended Euclidean algorithm is O(log(b)^2) (b being the second integer) as referenced by Wikipedia. How to compute the complexity of the modified extended Euclidean algorithm for basis reduction? I know that the complexity of equal to the number of iterations multiplied by the cost of all iterations. I can compute the cost of iteration but I am not sure how to deal with the number of iterations. Can you please explain this to me? – Mosen Sep 10 '18 at 10:52