THE PENNSYLVANIA STATE UNIVERSITY
SCHREYER HONORS COLLEGE

DEPARTMENT OF MATHEMATICS

THE SHORTEST VECTOR PROBLEM IN IDEAL LATTICES

KHANH (SIMON) T. HUYNH
SPRING 2019

A thesis submitted in partial fulfillment of the requirements for a baccalaureate degree in Mathematics with honors in Mathematics

Reviewed and approved* by the following:

A. Kirsten Eisentrager, Professor of Mathematics, Associate Head for Administration, Thesis Supervisor

Mark Levi, Professor of Mathematics, Department Head, Honors Adviser

*Signatures are on file in the Schreyer Honors College.
ABSTRACT
In this thesis, we present a study of ideal lattices, their related cryptosystems, and the Shortest Vector Problem. Our main goal is to study whether ideal lattices with added properties weaken the security of the corresponding cryptographic schemes. In our study, we found some examples of cyclic sublattices of $\mathbb{Z}^n$ in which a shortest vector can be easily computed.

The Shortest Vector Problem in lattices plays an important role in Post-Quantum Cryptography. Due to the current rapid advances in the field of quantum computing, some of the currently used cryptosystems can be broken. Therefore, it is an urgent task to develop practical quantum-resistant cryptographic algorithms as replacements for some of the currently used ones like RSA. Among many potential candidates, lattice-based cryptographic schemes are attractive for their strong provable security and resistance to quantum attacks. To improve the practicality of these systems, lattices with additional structure, such as cyclic sublattices of $\mathbb{Z}^n$ (a special case of general lattices), are employed. The extra properties allow faster computations and lower space complexity. However, we have little knowledge about how hard lattice problems like the Shortest Vector and Closest Vector Problems are for them. In fact, there is concern that the added structure will reduce the level of security in these special cases.
TABLE OF CONTENTS

LIST OF FIGURES
LIST OF TABLES
ACKNOWLEDGEMENTS

1 Introduction
  1.1 Quantum Attacks on Public-key Cryptosystems
  1.2 An Alternative: Lattice-based Cryptography
  1.3 Results
  1.4 Organization

2 Mathematical Background
  2.1 Number Fields
    2.1.1 Field Extensions
    2.1.2 Splitting Fields
    2.1.3 Galois Extensions and Galois Groups
  2.2 Rings of Integers and Ideals
    2.2.1 Rings and Ideals
    2.2.2 Rings of Integers
  2.3 Field Embeddings and The Minkowski Embedding
    2.3.1 Field Embeddings
    2.3.2 Minkowski Embeddings
  2.4 Lattices
    2.4.1 Lattice Bases
    2.4.2 Gram-Schmidt Orthogonalization
    2.4.3 Determinant
    2.4.4 The Shortest Vector Problem
    2.4.5 LLL Basis Reduction
    2.4.6 The LLL Algorithm

3 Ideal Lattices
  3.1 Lattices from the Minkowski embeddings
  3.2 Cyclic Lattices
  3.3 Shortest Vectors in Cyclic Lattices
Bibliography
LIST OF FIGURES

1.1 $\Delta = x + y - z$ denotes the period of time when information protected by public-key cryptosystems becomes vulnerable under the attacks of quantum algorithms [Mos15].
2.1 The $n$ $n$-th roots of unity on the unit circle in the complex plane.
2.2 The 2-dimensional integer lattice $\mathbb{Z}^2$ with basis $\{(1, 0), (0, 1)\}$.
2.3 A sublattice $L(B)$ of $\mathbb{Z}^2$ with basis $B = \{(2, 0), (0, 1)\}$.
2.4 A full rank lattice $L(B)$ in $\mathbb{R}^2$ with basis $B = \{(1, \pi), (\pi, 1)\}$.
2.5 Two bases for the same lattice.
2.6 The orthogonalization of a lattice basis may not generate the same lattice.
2.7 The area of the parallelepiped is the same as the area of the rectangle whose edges are the vectors of the Gram-Schmidt orthogonalization $B^*$.
2.8 The minimum distance of $L$ is the length of the shortest nonzero vector in $L$. Note that the shortest vector is not unique.
3.1 The lattice $L(\mathbb{Z}[\sqrt{2}])$ with basis $\{(1, 1), (\sqrt{2}, -\sqrt{2})\}$.
3.2 The lattice $L(I)$, where $I = (\sqrt{2})$, with basis $\{(2, 2), (\sqrt{2}, -\sqrt{2})\}$.
3.3 The lattice $L(I_2)$, where $I_2 = (2 + 3\sqrt{2})$.
3.4 The lattice $L(\mathbb{Z}[\zeta_3])$.
3.5 The sublattice $L(I)$ of $L(\mathbb{Z}[\zeta_3])$ where $I = (2 + 3\zeta_3)$.
3.6 The 3-dimensional lattice $L(\mathbb{Z}[\sqrt[3]{2}])$.
3.7 A cyclic lattice $L(B)$ in $\mathbb{R}^2$ with basis $B = \{(1, \pi), (\pi, 1)\}$.
3.8 A full-rank sublattice of $\mathbb{Z}^2$ with basis $\{(2, -3), (-3, 2)\}$.
LIST OF TABLES

1.1 Quantum-resistant cryptosystems in the second round of Post-Quantum Cryptography Standardization [NIS17]
2.1 The cyclotomic polynomials for $n = 1, \dots, 12$, and any prime $p$
3.1 Comparing the three groups of SVP solvers [HPS11].
ACKNOWLEDGEMENTS
First and foremost, I wish to express my deepest gratitude and appreciation to my thesis advisor Dr. A. Kirsten Eisentrager. Her encouragement and strong support have helped me to push past my limitations and to realize my potential. Thank you for believing in me and looking after me for the last two years. This project is the proudest achievement I have ever had during my years as an undergraduate student. Thank you for giving me the opportunity to challenge myself.

Secondly, I want to thank my parents for their selfless love and support. Thank you for always staying by my side to share not only my joyousness but also my hardship.

I also want to acknowledge the financial support from the Jack Kent Cooke Foundation for funding my education at Penn State.

Lastly, I am thankful for the care I have received from professors at Hagerstown Community College. Many thanks are due to Mr. Jozik, Mr. Lewis, Mrs. Szczesniak, and Mr. Wadel for kindling my passion for learning and teaching mathematics.
Chapter 1
Introduction
Lattice-based cryptography is recognized for attractive properties such as strong provable security based on the hardness of the Shortest Vector Problem [Pei14]. It is therefore presented as an alternative to RSA for an era with quantum computers. However, "how secure are these systems?" and "is the Shortest Vector Problem NP-hard in ideal lattices?" are still open questions. There is concern that the Shortest Vector Problem is not hard in ideal lattices, which would undermine the credibility of ideal lattice-based cryptosystems. In this thesis, we study the Shortest Vector Problem in ideal lattices and try to determine how hard it really is in this special setting. Since this is an undergraduate thesis, which emphasizes the writer's learning process on this topic of interest, the majority of results such as theorems, propositions, and lemmas are proven in detail. Some proofs are omitted, however, because the required techniques are beyond the scope of this thesis. Our goal is to provide a well-rounded discussion of the topic.
1.1 Quantum Attacks on Public-key Cryptosystems
Internet security plays an important role in protecting individual network users and providing a safe environment for e-commerce. Without effective protection, sensitive data can easily be intercepted or tampered with, which results in online fraud and theft. As a result, a large amount of money and effort has been invested in improving internet security.
Cryptosystems are developed for this very purpose. The first successful public-key algorithm was RSA, presented by Ron Rivest, Adi Shamir, and Leonard Adleman in 1978 [RSA78]. Before RSA, cryptographic algorithms were symmetric [Kal09]: the secret key used to encrypt a message was also the key used to decrypt it. Thus the communicating parties needed a private channel, typically a meeting in person, to exchange the secret key in advance. This was cumbersome and did not guarantee that the key would not be leaked. Hence, the applications of symmetric cryptosystems were very limited.
With RSA, however, the two sides of the communication need not interact in private. One side creates the encryption and decryption keys, which are distinct. The encryption key is then made public, so that anyone who has access to it can encrypt messages. An encrypted message can only be decoded using the private key. This means that a third party cannot retrieve the original message from the encrypted data and the encryption key alone. With this property, RSA allows a wide range of applications such as e-banking, online shopping, and exchanging sensitive information.
The security of RSA relies upon the hardness of factoring integers into primes. Loosely speaking, it is easy to multiply two prime numbers; however, given only the product, it is very hard to find its prime factors when they are very large [dS03]. To see where this comes in, we must first understand how RSA works. We need the following theorem:
Theorem 1.1.1 (Generalized Fermat's Little Theorem¹). For any integer $n > 1$ and any integer $a$ relatively prime to $n$,
$$a^{\varphi(n)} \equiv 1 \pmod n,$$
where $\varphi$ is Euler's function, which gives the number of positive integers less than $n$ that are relatively prime to $n$.

When $n$ is a prime number, this theorem reduces to Fermat's Little Theorem: for any $a$ coprime to $n$,
$$a^{n-1} \equiv 1 \pmod n,$$
since $\varphi(n) = n - 1$ when $n$ is prime.

Proof. Refer to the proof of Theorem 1.6.7 in [HP04, p. 68-69]. Q.E.D

¹ The Generalized Fermat's Little Theorem is also known as Euler's Theorem.
The following construction is taken from [HP04, p. 71-72]. We begin by picking two distinct prime numbers $p$ and $q$ in $\mathbb{Z}$. In practice, these primes must be very large; each has more than 100 digits. Let $n$ denote the product $pq$. It is well known that $\varphi(n) = \varphi(p)\varphi(q) = (p-1)(q-1)$ [HP04, Theorem 1.6.6, p. 67].

We now pick an integer $a$ relatively prime to $\varphi(n)$. Since $\gcd(a, \varphi(n)) = 1$, there exist $x, y \in \mathbb{Z}$ such that
$$ax + \varphi(n)y = 1. \qquad (*)$$
(By adjusting $y$ we may take $0 < x < \varphi(n)$, so that $x$ is a positive exponent.) The encryption key is the pair $(n, a)$, which is made public. The private key is $(x, n)$, which is kept secret.
Given a message, it can be digitized into a finite list of positive integers according to some fixed convention. Suppose $M$ is a message block represented as an integer with $0 \le M < n$. We encrypt $M$ by computing $m$ such that
$$m \equiv M^a \pmod n.$$
Given the list of encrypted blocks, we decode each encrypted term $m$ by computing $m^x \bmod n$, where $x$ is as in $(*)$. Since
$$m^x \equiv (M^a)^x = M^{ax} = M^{1 - \varphi(n)y} = M\,(M^{\varphi(n)})^{-y} \equiv M \cdot 1^{-y} = M \pmod n, \qquad (**)$$
where the second congruence is Theorem 1.1.1, the result of $m^x \bmod n$ is the original value $M$. Note that the step $(**)$ is justified only when $M$ is relatively prime to $n$, i.e., when $M$ is divisible by neither $p$ nor $q$. Since $p$ and $q$ are huge primes, a block $0 < M < n$ fails this condition only with negligible probability. In fact the identity $M^{ax} \equiv M \pmod n$ holds for every integer $M$, by applying the same argument modulo $p$ and modulo $q$ separately and combining with the Chinese Remainder Theorem, but the argument above suffices for our purposes.
Example 1.1.1. Let $p = 5$, $q = 7$, and $M = 4$. So $n = 35$ and $\varphi(n) = 24$. Take $a = 11$, which is relatively prime to $\varphi(n)$. Then the encrypted message is
$$m \equiv M^a = 4^{11} \equiv 9 \pmod{35}.$$
Note that for $x = 11$ and $y = -5$, $ax + \varphi(n)y = 121 - 120 = 1$. Thus one can check that
$$m^x = 9^{11} \equiv 4 = M \pmod{35}.$$
To recover the private key, an attacker must compute the inverse $x$ of $a$ modulo $\varphi(n)$, given only $n$ and $a$. On the surface this may seem an easy task: how hard could it be to write 1 as an integer linear combination of $a$ and $\varphi(n)$? Indeed, it is not hard; the extended Euclidean algorithm does it quickly. The real issue is that the key holder does not make $\varphi(n)$ public. So the question to ask is how hard it is to compute $\varphi(n)$ without knowing $p$ and $q$. It is believed that this is very difficult when the prime factors $p$ and $q$ are very large.

For the person who holds the secret primes $p$ and $q$, this task is trivial. Conversely, knowing $\varphi(n)$ is as good as knowing the factors: $\varphi(n) = n - (p + q) + 1$ gives $p + q$, and then $p$ and $q$ are the roots of $t^2 - (p+q)t + n$. Finding the factors $p$ and $q$ of $n$ is difficult when they are very large. According to [HP04, p. 72], computing $\varphi(n)$ for an $n$ of more than 200 digits appears to be beyond the reach of existing computers.
Historically, the problem of factoring was already considered by ancient Greek mathematicians. The Sieve of Eratosthenes, which enumerates the primes up to a given bound, underlies the trial-division method of factoring. Faster algorithms have been developed, such as the number field sieve. However, no currently known classical algorithm runs in polynomial time. The general number field sieve is the fastest one and its running time is sub-exponential in the bit-size² of the input [BL93]. These facts seem to be in favor of RSA's security. The main concern arises as we consider the plausibility of quantum computers in the near future. Shor's algorithm is a quantum algorithm which factors integers in quantum polynomial time [Sho95]. So a sufficiently large quantum computer could break RSA. Other widely used schemes such as elliptic-curve cryptosystems, which rely on the hardness of the discrete logarithm problem in elliptic-curve groups, are also broken by Shor's algorithm.
To address this, in 2015 the U.S. National Security Agency (NSA) announced its preparation for a transition to quantum-resistant algorithms [NSA15]. In 2017, the National Institute of Standards and Technology (NIST) initiated a process of reviewing and standardizing post-quantum cryptosystems [NIS17]. This movement is known as Post-Quantum Cryptography.

In [Mos15], Mosca provided a simple inequality demonstrating the seriousness of this situation. Suppose that it will take $z$ years until quantum computers can break the public-key cryptosystems in use; this is the collapse time. Let $x$ be the migration time, the number of years needed to deploy new quantum-resistant cryptosystems. If we are fortunate enough to have a well-developed replacement, $x$ could be close to 0; otherwise, it has been suggested that the migration might take at least 15 years. Lastly, we must consider the security shelf-time, denoted by $y$, the number of years for which our current data needs to stay secure. This number varies depending on individual needs.
² The number of bits in the binary representation of the input.
Mosca stated that $y$ might be between 10 and 100 years for significant data such as national security information. If one is concerned only with real-time security, i.e., information that matters only for a very short period around the present, then $y$ can be as small as 0. If
$$x + y > z,$$
then data encrypted with the current systems during the migration period will still need to be kept secret for $x + y - z$ years after quantum computers are able to break those systems, so for that period our sensitive information is protected only by outdated public-key cryptosystems [Mos15].
Figure 1.1: Timeline from today with the migration time $x$, the security shelf-time $y$ and the collapse time $z$ (in years); $\Delta = x + y - z$ denotes the period of time when information protected by public-key cryptosystems becomes vulnerable under the attacks of quantum algorithms [Mos15].
1.2 An Alternative: Lattice-based Cryptography
Since we need alternatives to RSA and to elliptic-curve discrete-log based systems, a variety of quantum-resistant constructions have been proposed based on several mathematical objects, such as error-correcting codes, hash functions, multivariate polynomials over a finite field, supersingular isogeny graphs, and lattices. Table 1.1 lists the candidates that successfully moved into the second round of Post-Quantum Cryptography Standardization [NIS17], grouped by the families they belong to.

Among these, lattice-based cryptosystems are very popular and attractive. Appearing frequently in number theory, a lattice³ is a discrete additive subgroup of the $n$-dimensional Euclidean space $\mathbb{R}^n$. The security of these cryptosystems relies upon the hardness of problems in lattices; examples are the Shortest and Closest Vector Problems as well as Learning With Errors (LWE) and its variants. Moreover, it is common to use lattices constructed from ideals of number rings instead of general lattices [Sch11]. These are called ideal lattices. The algebraic structure of ideal lattices allows fast arithmetic and hence reduces time and space complexity [LS19]. For example, a cyclic lattice generated by the rotations of a single vector in $\mathbb{Z}^n$ is determined by that one vector, whereas a general $n$-dimensional lattice needs $n$ basis vectors. However, there is concern that in these special lattices, problems like the Shortest Vector Problem might not be as hard, which would make them insecure to implement.

³ We will study lattices in Section 2.4 of Chapter 2.

Table 1.1: Quantum-resistant cryptosystems in the second round of Post-Quantum Cryptography Standardization [NIS17]

Family                               Cryptosystems
Lattice                              NTRU, NTRU Prime, NewHope, CRYSTALS-KYBER, FrodoKEM, LAC, SABER, Three Bears, CRYSTALS-DILITHIUM, FALCON, qTESLA
Code-based                           BIKE, Classic McEliece, HQC, LEDAcrypt and LEDApkc, NTS-KEM, ROLLO, RQC
Hash-based                           SPHINCS+
Multivariate                         GeMSS, LUOV, MQDSS, Rainbow
Supersingular Elliptic Curve Isogeny SIKE
Zero-knowledge proofs                Picnic
A special class of ideal lattices are cyclic lattices, introduced by Micciancio in [Mic07]. Given any vector $(a_1, \dots, a_n)$ in a cyclic lattice, its rotation, defined as $(a_n, a_1, \dots, a_{n-1})$, is also required to be a member of the same lattice. This type of lattice is used in the NTRU⁴ cryptosystem. Even though NTRU is considered a good practical alternative to RSA, its security is not well understood.
The Shortest Vector Problem (SVP), the $\gamma$-approximate Shortest Vector Problem ($\gamma$-approx SVP), the Short Integer Solution Problem (SIS), the Closest Vector Problem (CVP) in (ideal) lattices, Learning With Errors (LWE), and Ring Learning With Errors (RLWE) are used to construct quantum-resilient cryptosystems [LPR13]. In [Ajt98], Ajtai provided the fascinating result that SVP in the usual Euclidean norm $\ell_2$ is NP-hard under randomized reductions. Moreover, $\sqrt{2}$-approx SVP and $c$-approx SVP⁵, for any constant $c > 1$, were proven NP-hard (again under randomized reductions) in $\ell_2$ by Micciancio [Mic98] and Khot [Kho04] respectively. Ajtai had also shown in [Ajt96] that SIS is at least as hard as worst-case $\gamma$-approx SVP for some polynomial $\gamma = \mathrm{Poly}(n)$ in the dimension $n$ of the lattice. Regev then introduced LWE and showed in [Reg09] that any efficient algorithm for solving LWE yields an efficient quantum algorithm for $\mathrm{Poly}(n)$-SVP. In short, LWE is at least as hard as $\mathrm{Poly}(n)$-SVP [LPR13]. Despite these security guarantees, cryptographic schemes based on SVP and LWE are not efficient enough to be deployed in practice [LPR13]. As an attempt to create LWE-related problems that can serve as foundations for new efficient cryptosystems, Lyubashevsky, Peikert, and Regev defined a variant of LWE over rings, namely Ring-LWE [LPR13]. They also proved in the same paper that solving Ring-LWE is at least as hard as $\gamma$-SVP in ideal lattices of the underlying ring, for some $\gamma = \mathrm{Poly}(n)$, via a quantum reduction. This result allowed impractical LWE-based constructions to become efficient when adapted to Ring-LWE [LPR13].

⁴ NTRU stands for $N$-th Degree Truncated Polynomial Ring Units.

⁵ In [Kho04], Khot actually proved that $c$-approx SVP is NP-hard in $\ell_p$ for $p > 1$. However, we are only interested in the case $p = 2$.
1.3 Results
As the security of RSA relies on the hardness of factoring, ideal lattice-based cryptosystems depend on the hardness of problems in ideal lattices. Even though SVP in general lattices is NP-hard (under randomized reductions), we do not know how hard SVP and $\mathrm{Poly}(n)$-SVP are in cyclic lattices. Based on the results from our computations, we conjecture that SVP is not hard in a cyclic lattice when the generating ideal is principal (see Conjecture 3.3.3). Another result we discovered is that the dimension of a cyclic lattice constructed from a principal ideal $I = (p(x))$ is equal to the degree of
$$f(x) = \frac{x^n - 1}{\gcd(p(x),\, x^n - 1)}.$$
We present this finding as Theorem 3.3.1 and follow with an original proof in Section 3.3.
1.4 Organization
In Chapter 2, we study the background in algebraic number theory and lattices needed for our main topic: the Shortest Vector Problem in ideal lattices. In particular, Section 2.1 provides results about algebraic number fields and Gal9ois theory. Information about number rings and their ideals can be found in Section 2.2. After that, we introduce the constructions of field embeddings and the Minkowski embedding in Section 2.3. Lastly, we define the notion of lattices and provide rudimentary properties of lattice bases and determinants in Section 2.4. The Shortest Vector Problem and the LLL algorithm are also discussed at the end of that section.
The main content of this thesis is presented in Chapter 3, where we give examples of lattices constructed from the Minkowski embedding (Section 3.1). We then define and construct cyclic lattices in Section 3.2. Examples of cyclic lattices are given in Section 3.3, where we use the computer algebra system MAGMA to study SVP in cyclic lattices. Finally, two original results are provided: Theorem 3.3.1 and Conjecture 3.3.3.
Chapter 2
Mathematical Background
2.1 Number Fields
2.1.1 Field Extensions
Before studying ideal lattices, we must familiarize ourselves with number fields. They are finite extensions of the field of rational numbers, $\mathbb{Q}$, and play an important role in solving algebraic problems in number theory [Mar77]. In this section, we learn about their construction and look at two significant examples of number fields: quadratic fields and cyclotomic fields.

For the convenience of the reader, we recall some of the main definitions together with their properties. Let us begin with the definitions of a ring and a field.
Definition 2.1.1. A ring $R$ is a set together with two binary operations $+$ and $\times$ (called addition and multiplication, respectively) such that the following axioms are satisfied:

(1) $+$ is associative in $R$: $(a + b) + c = a + (b + c)$ for all $a, b, c$ in $R$.

(2) $+$ is commutative in $R$: $a + b = b + a$ for all $a, b$ in $R$.

(3) There is an additive identity in $R$, denoted $0$, such that $0 + a = a + 0 = a$ for all $a$ in $R$.

(4) For each $a$ in $R$, there is a unique element of $R$, denoted by $-a$ and called the additive inverse of $a$, such that $a + (-a) = (-a) + a = 0$.

(5) $\times$ is associative in $R$: $(a \times b) \times c = a \times (b \times c)$ for all $a, b, c$ in $R$.

(6) The distributive laws hold in $R$: $(a + b) \times c = (a \times c) + (b \times c)$ and $a \times (b + c) = (a \times b) + (a \times c)$ for all $a, b, c$ in $R$.
It is a well-known fact that the additive identity, and the multiplicative identity when it exists, are unique in a ring. Similarly, each element of the ring $R$ has a unique additive inverse, and each element that has a multiplicative inverse (a unit, defined below) has a unique one. This explains the choice of articles used in our definitions: we say "the" identity rather than "an" identity, and the same holds for inverses.
Definition 2.1.2. The ring $R$ is commutative if the operation $\times$ is commutative; that is, $a \times b = b \times a$ for all $a, b \in R$.

Definition 2.1.3. If there exists an element $1$ in the ring $R$ such that $1 \times a = a \times 1 = a$ for all $a \in R$, then $R$ is said to have a (multiplicative) identity. Such an identity $1$ is unique in $R$.

Example 2.1.1. The set of integers, $\mathbb{Z}$, is a commutative ring with identity $1$ under the usual operations of addition and multiplication.

Example 2.1.2. The set of integers modulo $n$, $\mathbb{Z}/n\mathbb{Z}$, is also a commutative ring with identity under addition and multiplication of residue classes. The multiplicative identity is the class of $1$.
Definition 2.1.4. Let $R$ be a ring.

(i) A nonzero element $a$ in $R$ is called a zero divisor if there is a nonzero element $b$ in $R$ such that $a \times b = 0$ or $b \times a = 0$.

(ii) Suppose that $R$ contains the identity $1 \neq 0$. A nonzero element $a$ is called a unit in $R$ if there is $b$ in $R$ such that $ab = ba = 1$.

Example 2.1.3. In the commutative ring $\mathbb{Z}/4\mathbb{Z}$, the class $2$ is a zero divisor since $2 \times 2 = 0$ but $2 \neq 0$. In addition, the classes $1$ and $3$ are the units of $\mathbb{Z}/4\mathbb{Z}$ since $1 \times 1 = 1$ and $3 \times 3 = 1$, respectively.

Generally, in the ring $\mathbb{Z}/n\mathbb{Z}$, where $n \geq 2$, a class $a$ is a unit if and only if $a$ and $n$ are relatively prime. On the other hand, if a nonzero class $a$ and $n$ are not relatively prime, then $a$ is a zero divisor. Therefore, if $n$ is prime, every nonzero element of $\mathbb{Z}/n\mathbb{Z}$ is a unit.

Note that in the ring $\mathbb{Z}/n\mathbb{Z}$, for $n \geq 2$, every nonzero element is either a unit or a zero divisor. However, this is not true for rings in general.

Example 2.1.4. The ring of integers, $\mathbb{Z}$, has no zero divisors. In addition, its only units are $1$ and $-1$.
Definition 2.1.5. A field $F$ is a commutative ring with identity $1$, where $1 \neq 0$, in which every nonzero element $a$ in $F$ has a multiplicative inverse, that is, there exists $a^{-1}$ in $F$ such that $a \times a^{-1} = 1$.

By definition, every nonzero element in the field $F$ is a unit. In other words, $F$ does not contain any zero divisors, since a zero divisor can never be a unit [DF04, p. 224-226]. To see this, let $a$ be a unit in $F$ and suppose that there is a nonzero element $b$ in $F$ such that $a \times b = 0$, that is, $a$ is a zero divisor. Since $a$ is a unit, there exists $c$ in $F$ such that $a \times c = c \times a = 1$. Hence, $b = 1 \times b = (c \times a) \times b = c \times (a \times b) = c \times 0 = 0$, which is a contradiction.

From now on, we usually denote the product of two elements $a$ and $b$ in a field $F$ by $ab$ instead of $a \times b$ for simplicity. Through the following example, we see that the choice of notation in our definitions is motivated by one of the most commonly known fields, namely the field of rational numbers.
Example 2.1.5. Let us recall that the set of rational numbers, denoted by $\mathbb{Q}$, is the set whose members are of the form $\frac{m}{n}$ where $m, n$ are integers and $n$ is not zero. The numbers zero, $0$, and one, $1$, are respectively the additive and multiplicative identities of $\mathbb{Q}$. For each $\frac{a}{b}$ in $\mathbb{Q}$, where $a, b$ are integers and $b$ is not $0$, the additive inverse of $\frac{a}{b}$ is $-\frac{a}{b}$; in addition, $\frac{b}{a}$ is the multiplicative inverse of $\frac{a}{b}$, given that $a$ is not $0$ as well. One can check that $\mathbb{Q}$ satisfies all six axioms described above, is commutative, and has identity $1 \neq 0$. Thus, it is a field.
Example 2.1.6. Other examples of fields are the set of real numbers, $\mathbb{R}$, and the set of complex numbers, $\mathbb{C}$. In both fields, $0$ and $1$ are the additive and multiplicative identities, respectively. Also, for each element $a$ of either field $\mathbb{R}$ or $\mathbb{C}$, $-a$ and $\frac{1}{a} = a^{-1}$ (given that $a \neq 0$) are respectively the additive and multiplicative inverses of $a$.

Note that $\mathbb{Q}$, $\mathbb{R}$, and $\mathbb{C}$ are examples of infinite fields. The following is an example of a finite field.

Example 2.1.7. The set of integers modulo $p$, denoted $\mathbb{Z}/p\mathbb{Z}$ for prime $p$, is a finite field.
Definition 2.1.6. Let $F$ be a field with $0$ and $1$. The characteristic of $F$, denoted $\mathrm{Char}(F)$, is defined to be the smallest positive integer $p$ such that
$$p \cdot 1 = \underbrace{1 + \cdots + 1}_{p \text{ terms}} = 0,$$
if such a $p$ exists. Otherwise, $\mathrm{Char}(F) = 0$.

Proposition 2.1.1. The characteristic of a field $F$ is either $0$ or a prime $p$. If $\mathrm{Char}(F) = p$, then $p \cdot a = 0$ for any $a \in F$.

Example 2.1.8. The characteristic of both fields $\mathbb{Q}$ and $\mathbb{R}$ is $0$.

Example 2.1.9. For the finite field $\mathbb{Z}/p\mathbb{Z}$ where $p$ is any prime, the characteristic is $p$.
Definition 2.1.7. A subfield of the field $F$ is a subset of $F$ which is a field under the same operations as $F$.

We can now define an extension of a given field.

Definition 2.1.8. Let $F$ be a field. If $K$ is a field containing $F$ as a subfield, then $K$ is said to be an extension field of $F$, denoted by $K/F$ (shorthand for "$K$ over $F$") or by a diagram with $K$ drawn above $F$.

Definition 2.1.9. The degree of a field extension $K/F$, denoted by $[K : F]$, is the dimension of $K$ as a vector space over the field $F$. Moreover, if $[K : F]$ is finite then $K/F$ is said to be a finite extension; otherwise, it is said to be an infinite extension.
It is also a well-known fact that extension degrees are multiplicative.

Theorem 2.1.1. Let $F/K$ and $K/L$ be field extensions. Then $F/L$ is a field extension and
$$[F : L] = [F : K][K : L],$$
that is, extension degrees are multiplicative. Pictorially, this is the tower $F$ over $K$ over $L$, with $[F : K]$ and $[K : L]$ labelling the two steps and $[F : L]$ the whole tower.

Proof. Refer to [DF04, Section 13.2, p. 523]. Q.E.D
We mainly consider field extensions of $\mathbb{Q}$ that are subfields of $\mathbb{C}$ of finite degree over $\mathbb{Q}$. We call these extensions number fields. By the Primitive Element Theorem [DF04, p. 595], every such field can be written in the form $\mathbb{Q}(\alpha)$, the smallest field containing $\mathbb{Q}$ and $\alpha$, where $\alpha$ is a root of some irreducible polynomial with coefficients in $\mathbb{Q}$.
Definition 2.1.10. Let $K$ be an extension of a field $F$. The element $\alpha \in K$ is said to be algebraic over $F$ if $\alpha$ is a root of some nonzero polynomial with coefficients in $F$. Otherwise, $\alpha$ is said to be transcendental over $F$. If every element of $K$ is algebraic over $F$, then the extension $K/F$ is said to be algebraic.

Theorem 2.1.2 (The Primitive Element Theorem [DF04]). If $K/F$ is finite and separable, then $K/F$ is simple. In particular, any finite extension of fields of characteristic $0$ is simple.

Proof. See [DF04, Section 14.4, p. 595]. Q.E.D
From this result and the fact that $\mathrm{Char}(\mathbb{Q}) = 0$, every number field is simple, that is, it can be generated by a single element $\alpha$ over $\mathbb{Q}$, where $\alpha$ is as described. Moreover, if the minimal polynomial of $\alpha$ over $\mathbb{Q}$ (defined below) has degree $n$, each element of $\mathbb{Q}(\alpha)$ can be uniquely written as $a_0 + a_1\alpha + \cdots + a_{n-1}\alpha^{n-1}$ for some $a_0, a_1, \dots, a_{n-1}$ in $\mathbb{Q}$. That is, the list $\{1, \alpha, \dots, \alpha^{n-1}\}$ is a basis of $\mathbb{Q}(\alpha)$ as a vector space over $\mathbb{Q}$ and
$$\mathbb{Q}(\alpha) = \{a_0 + a_1\alpha + \cdots + a_{n-1}\alpha^{n-1} : a_i \in \mathbb{Q}\}.$$
Since $\alpha$ is a root of some polynomial over $\mathbb{Q}$, $\alpha$ is said to be algebraic over $\mathbb{Q}$. Furthermore, the succeeding theorem guarantees that if $\alpha$ is algebraic over $\mathbb{Q}$, then there is a unique monic¹ irreducible polynomial with coefficients in $\mathbb{Q}$ which has $\alpha$ as a root.
Theorem 2.1.3. Let F be a field and α be algebraic over F . There exists a unique monic poly-
nomial with coefficients in F , called the minimal polynomial of α over F , which has α as a root.
Moreover, any polynomial with coefficients in F has α as a root if and only if it is divisible by the
minimal polynomial of α [DF04, Section 13.2, p. 520].
Proof. Let g(x) be a nonzero polynomial of smallest degree with coefficients in F such that g(α) = 0.
We may assume that g(x) is monic, since the leading coefficient can be scaled by a constant in
F. Suppose that g(x) factors as h(x)k(x) where h(x) and k(x) are polynomials with coefficients
in F of degree smaller than the degree of g(x). Then g(α) = h(α)k(α) = 0 in K. Since K is
a field, either h(α) = 0 or k(α) = 0, which contradicts the assumption that g(x) is the smallest
degree nonzero polynomial that has α as a root. Therefore, g(x) is irreducible.
¹A monic polynomial has 1 as its leading coefficient.
Suppose that f(x) is any polynomial with coefficients in F that has α as a root. By the Euclidean
Algorithm, there are polynomials q(x) and r(x) with coefficients in F such that
f(x) = q(x)g(x) + r(x),
with degree of r(x) is strictly less than the degree of g(x). Then f(α) = q(α)g(α) + r(α) in K.
Since f(α) = 0 and g(α) = 0, we have r(α) = 0. Because of the minimality of g(x), r(x) must
be the zero polynomial. Therefore, g(x) divides any polynomial having α as a root. Hence, g(x)
is the unique monic polynomial having α as a root [DF04, p. 520]. Q.E.D
In fact, the degree of the number field Q(α) over Q is the degree of the minimal polynomial of
α over Q [DF04, Proposition 11, Section 13.2, p. 521].
Let α be an algebraic element in C with minimal polynomial $f(x) = x^n + d_{n-1}x^{n-1} + \cdots + d_1 x + d_0$
of degree n, where $d_i \in \mathbb{Q}$ for all i. We define Q[α] to be the smallest ring containing Q
and α; its elements are of the form $a_0 + a_1\alpha + a_2\alpha^2 + \cdots + a_{n-1}\alpha^{n-1}$ where $a_i \in \mathbb{Q}$ for all i.
We have $f(\alpha) = \alpha^n + d_{n-1}\alpha^{n-1} + \cdots + d_1\alpha + d_0 = 0$, which means that $\alpha^n$ can always be replaced
by the Q-linear combination of $1, \alpha, \alpha^2, \ldots, \alpha^{n-1}$ given by $\alpha^n = -(d_{n-1}\alpha^{n-1} + \cdots + d_1\alpha + d_0)$,
and the same holds for every higher power $\alpha^m$ by repeated substitution. This
explains why any element of Q[α] can be written as a Q-linear combination of $1, \alpha, \alpha^2, \ldots, \alpha^{n-1}$.
In addition, let’s recall that Q(α) is the smallest field containing Q and α.
Theorem 2.1.4. Let α be algebraic over Q. Then the smallest ring containing Q and α is exactly
the smallest field containing Q and α, i.e.
Q[α] = Q(α).
[DF04, p. 521]
Proof. Let f be the minimal polynomial of α over Q. We want to show that the ring Q[α] is a
field, in which every nonzero element has an inverse. Let g(α) be a nonzero element of Q[α]. We
will consider the polynomial g(x) with coefficients in Q. By the Euclidean algorithm, there exist
polynomials q(x) and r(x) such that g(x) = q(x)f(x) + r(x) with the degree of r(x) less than the
degree of f(x). We have f(α) = 0. Thus, g(α) = q(α)·0 + r(α) = r(α). So, g(α) = r(α), and in
particular r(x) is not the zero polynomial because g(α) ≠ 0.
Consider the polynomial r(x). Since f(x) is irreducible and deg(r(x)) < deg(f(x)),
the greatest common divisor of r(x) and f(x) must be 1. Hence, there exist polynomials a(x) and
b(x) with coefficients in Q such that a(x)f(x) + b(x)r(x) = 1. Substituting α gives a(α)f(α) + b(α)r(α) = 1. Since
f(α) = 0, b(α)r(α) = 1, which means that b(α) ∈ Q[α] is the inverse of r(α) = g(α). Hence, g(α) has
an inverse; thus, Q[α] is a field. Q.E.D
We are now ready for the constructions of some interesting classes of number fields: quadratic
fields and cyclotomic fields.
Example 2.1.10 (Quadratic Fields Q(√d)). Let d ≠ 1 be a square-free integer, that is, an integer that no perfect
square other than 1 divides. It is clear that $\sqrt{d}$ is a root of the polynomial $x^2 - d$ where x is the
variable. Thus, $\sqrt{d}$ is algebraic over Q and
$$\mathbb{Q}(\sqrt{d}) = \{a + b\sqrt{d} : a, b \in \mathbb{Q}\}$$
is a field.
Definition 2.1.11. For a square-free integer d ≠ 1, Q(√d) is called a quadratic field.
Moreover, the degree of Q(√d) over Q is 2 since a basis of $\mathbb{Q}(\sqrt{d})$ as a vector space over Q
is the list $\{1, \sqrt{d}\}$. The monic polynomial $x^2 - d$ of degree 2, which has $\sqrt{d}$ as a root, is irreducible:
for $|d| \ge 2$ this follows from Eisenstein's Criterion [DF04] applied to a prime dividing d (d is square-free, so that
prime divides d only once), and for d = −1 the polynomial $x^2 + 1$ has no rational root. So $x^2 - d$ is the minimal
polynomial of $\sqrt{d}$. Pictorially, Q(√d) sits above Q as an extension of degree 2:
$$[\mathbb{Q}(\sqrt{d}) : \mathbb{Q}] = 2.$$
Another interesting class of examples are the cyclotomic fields, constructed by adjoining a
primitive nth-root of unity to Q.
Example 2.1.11 (The Cyclotomic Fields Q(ζn)).
Definition 2.1.12. Let n be a positive integer. An nth-root of unity is a complex number z ∈ C
such that zn = 1. In other words, the nth-roots of unity are the roots of the polynomial xn − 1.
Over C, the number of distinct nth-roots of unity is exactly n. They are
$$e^{2\pi i k/n} = \cos\left(\frac{2\pi k}{n}\right) + i\sin\left(\frac{2\pi k}{n}\right)$$
for k = 0, 1, 2, ..., n − 1. The equality above holds because of Euler's formula, $e^{i\theta} = \cos(\theta) + i\sin(\theta)$.
On the unit circle centered at the origin in the complex plane, these points are equally
spaced, starting with the point 1 = 1 + 0i, which corresponds to k = 0. Each point is $2\pi/n$ radians
apart from its adjacent points.
Figure 2.1: The n nth-roots of unity on the unit circle in the complex plane (the points 1 and $e^{2\pi i/n}$ are marked, an angle of $2\pi/n$ apart).
Definition 2.1.13. A primitive nth-root of unity, denoted $\zeta_n$, is an nth-root of unity for which n is
the smallest positive integer with $(\zeta_n)^n = 1$; that is, for all positive
integers k < n, $(\zeta_n)^k \neq 1$.
Given a primitive nth-root of unity $\zeta_n$, the other primitive roots are the elements $\zeta_n^m$
for integers m relatively prime to n with 1 ≤ m < n. It is also well known that there
are φ(n) positive integers which are relatively prime to n and at most n, where φ(n) is
the Euler φ-function. Thus, there are exactly φ(n) primitive nth-roots of unity. Without loss of
generality, we let $\zeta_n$ be the root $e^{2\pi i/n}$ and denote all other primitive roots by powers of $\zeta_n$.
By construction, ζn is a root of xn − 1; thus, it is algebraic over Q. By Theorem 2.1.4, Q(ζn)
is a field. In particular, it is a field extension of Q.
Definition 2.1.14. For a primitive nth−root of unity ζn, the field Q(ζn) is called the cyclotomic
field of nth−roots of unity.
Theorem 2.1.5. Let p be a prime number. The degree of the cyclotomic field $\mathbb{Q}(\zeta_p)$ over $\mathbb{Q}$ is p − 1.
That is
$$[\mathbb{Q}(\zeta_p) : \mathbb{Q}] = p - 1.$$
Proof. Recall that the degree of $\mathbb{Q}(\zeta_p)$ is the degree of the minimal polynomial of $\zeta_p$ over Q.
The polynomial $x^p - 1$ factors as $(x - 1)(x^{p-1} + x^{p-2} + \cdots + x + 1)$ since 1 is clearly a root of
$x^p - 1$. Since $\zeta_p \neq 1$, $\zeta_p$ must be a root of the polynomial
$$f(x) := x^{p-1} + x^{p-2} + \cdots + x + 1 = \frac{x^p - 1}{x - 1}.$$
Replacing the variable x by x + 1 in f, we get
$$f(x+1) = \frac{(x+1)^p - 1}{(x+1) - 1} = \frac{\left(x^p + \binom{p}{1}x^{p-1} + \cdots + \binom{p}{2}x^2 + \binom{p}{1}x + 1\right) - 1}{x} = x^{p-1} + p\,x^{p-2} + \cdots + \frac{p(p-1)}{2}\,x + p, \qquad (*)$$
which is a polynomial with coefficients in Z ⊂ Q. By the Binomial Theorem, every coefficient of (∗) except the
leading one is a binomial coefficient $\binom{p}{k}$ with 0 < k < p, so p divides all of them; and $p^2$ does not divide
the constant term p. Hence, by Eisenstein's
Criterion, f(x + 1) is irreducible, which also implies that f(x) is irreducible. Thus, f(x) is the
minimal polynomial of $\zeta_p$, and it has degree p − 1. So, $[\mathbb{Q}(\zeta_p) : \mathbb{Q}] = p - 1$. Q.E.D
It is not a coincidence that the degree of $\mathbb{Q}(\zeta_p)$ over Q is the same as φ(p) = p − 1 where p is
prime. In general, $[\mathbb{Q}(\zeta_n) : \mathbb{Q}] = \varphi(n)$ [DF04, Corollary 42, Section 13.6, p.555]. Moreover, a
basis of $\mathbb{Q}(\zeta_n)$ over Q is $\{1, \zeta_n, \zeta_n^2, \ldots, \zeta_n^{\varphi(n)-1}\}$. (The φ(n) primitive nth-roots of unity
themselves form a basis only when n is square-free; for n = 4, for instance, the primitive roots i and −i are
linearly dependent over Q.)
2.1.2 Splitting Fields
Definition 2.1.15. Let f be a polynomial in the ring F[x] where F is a field.
An extension K of F is said to split f if f splits into linear factors in K[x], i.e.
$$f(x) = c\prod_{i=1}^{n}(x - \alpha_i)$$
where c ∈ F is the leading coefficient of f and $\alpha_i \in K$.
In addition, if K is the smallest field containing F and $\alpha_1, \ldots, \alpha_n$, i.e.
$$K = F(\alpha_1, \ldots, \alpha_n),$$
then K is said to be a splitting field for f.
In other words, an extension K of a field F is the² splitting field for f(x) ∈ F[x] if f(x) factors
completely into linear factors in K[x] and does not factor completely into linear factors over any
proper subfield of K containing F . Given any f ∈ F [x], it is well known that there exists a field
extension K over F such that K is a splitting field of f [DF04, Theorem 25, Section 13.4, p. 536];
furthermore, this splitting field of f is unique up to isomorphism [DF04, Corollary 28, Section
13.4, p. 542].
Definition 2.1.16. Let K be an algebraic extension over a field F .
The field K is said to be a normal extension over F if the minimal polynomial of every elements
of K splits in K[x].
Example 2.1.12. Consider the polynomial $f(x) = x^2 - 2 \in \mathbb{Q}[x]$. Since the roots of f are $\pm\sqrt{2}$
and $\pm\sqrt{2}$ are both in $\mathbb{Q}(\sqrt{2})$, $\mathbb{Q}(\sqrt{2})$ is the splitting field for f over Q.
Example 2.1.13. Let h be the polynomial $x^3 - 2$ in Q[x]. Since the roots of h are $\sqrt[3]{2}$ and
$\sqrt[3]{2}\cdot\dfrac{-1 \pm i\sqrt{3}}{2}$, and the latter two are not real, $\mathbb{Q}(\sqrt[3]{2}) \subset \mathbb{R}$ is clearly not the splitting field of h.
Now, suppose that K is the splitting field of h over Q. Then K contains all the roots of h; hence, K must also contain
$$\frac{-1 + i\sqrt{3}}{2} = \left(\sqrt[3]{2}\right)^{-1}\left(\sqrt[3]{2}\cdot\frac{-1 + i\sqrt{3}}{2}\right).$$
Thus, $i\sqrt{3} \in K$. This means that $\mathbb{Q}(\sqrt[3]{2}, i\sqrt{3}) \subseteq K$.
Therefore, by definition of the splitting field, $K = \mathbb{Q}(\sqrt[3]{2}, i\sqrt{3})$, since $\mathbb{Q}(\sqrt[3]{2}, i\sqrt{3})$ is a field that
contains all the roots of h.
²[DF04, Corollary 28, Section 13.4, p. 542] "Any two splitting fields for a polynomial f(x) ∈ F[x] over a field F are isomorphic."
Example 2.1.14. The splitting field of the polynomial xn−1 overQ isQ(ζn), the cyclotomic field
of nth-roots of unity (Example 2.1.11). To determine the degree of this extension, we will analyze
the minimal polynomial of ζn over Q and apply results from Galois Theory.
2.1.3 Galois Extensions and Galois Groups
Let F be a field and f be a polynomial in F[x]. By definition, f splits completely into linear
factors over its splitting field, i.e.,
$$f(x) = a\prod_{i=1}^{k}(x - \alpha_i)^{n_i}$$
where a is the leading coefficient of f, $\alpha_1, \ldots, \alpha_k$ are distinct elements in the splitting field for
f, and each $n_i$ is a positive integer. For each i, we say that the root $\alpha_i$ of f is a
multiple root if $n_i > 1$; otherwise, the root is said to be a simple root if $n_i = 1$.
Definition 2.1.17. Let F be a field. If all the roots of a polynomial f in F [x] are distinct, i.e. none
of its irreducible factors has a multiple root, we say that f is separable over F .
Definition 2.1.18. Let K be an algebraic extension over a field F.
The field K is said to be separable over F if the minimal polynomial of every element of K is
separable over F.
Recall from Definition 2.1.16 that an algebraic field extension K is normal over a field F if the
minimal polynomial of every element of K splits in K[x]. In other words, every polynomial that
is irreducible over F either splits completely into linear factors in K or has no roots in K.
Definition 2.1.19. An extension K over a field F is said to be a Galois extension if K is both
separable and normal over F .
Let K be a Galois extension over a field F . By definition, it is not hard to see that, for each α
in K, the minimal polynomial of α has exactly [F [α] : F ] = deg(mα,F ) distinct roots in K.
Let F be a field and E be an extension field of F. An F-automorphism of E is defined to be any isomorphism
φ from E to E itself such that for all x ∈ F, φ(x) = x. The group of all F-automorphisms
of E is denoted Aut(E/F).
Proposition 2.1.2. Let F be a field. If E is the splitting field of a monic separable polynomial
f ∈ F [x], then the order of Aut(E/F ) is equal to the degree of E over F , i.e.
|Aut(E/F )| = [E : F ].
[DF04, Proposition 5, Section 14.1, p. 562]
Proof. See [DF04, Section 14.1, p. 561-562]. Q.E.D
Definition 2.1.20. Let E be a Galois extension of a field F . The group Aut(E/F ) is called the
Galois group of E over F , denoted Gal(E/F ).
Theorem 2.1.6. If E/F is a finite Galois extension, then |Gal(E/F)| = [E : F].
Proof. By definition, E is Galois over F implies that E is separable and normal over F. Since E/F is
finite and separable, the Primitive Element Theorem (Theorem 2.1.2) gives an α ∈ E with E = F(α).
Since E is separable, the minimal polynomial $m_{\alpha,F}$ of α over F is separable
over F. In addition, $m_{\alpha,F}$ splits in E[x] because E is normal over F; as E = F(α) is generated by one
root of $m_{\alpha,F}$, E is the splitting field of $m_{\alpha,F}$ over F. Therefore, |Gal(E/F)| =
|Aut(E/F)| = [E : F] by Proposition 2.1.2. Q.E.D
With these pieces of information, we will now return to Example 2.1.11 and show that the
degree of the cyclotomic field Q(ζn) over Q is ϕ(n) where ϕ is the Euler’s phi-function.
Example 2.1.15 ($[\mathbb{Q}(\zeta_n) : \mathbb{Q}] = \varphi(n)$). [DF04, p. 552-555] Recall from Example 2.1.11 that a
primitive nth-root of unity $\zeta_n$ is a root of the polynomial $x^n - 1$ such that for all positive integers
k < n, $(\zeta_n)^k \neq 1$. Also, given a primitive nth-root of unity ζ, we can find the other primitive roots by
raising ζ to the power m, where m is any positive integer which is relatively prime to n and less
than n.
Let us consider the cyclotomic field extension $\mathbb{Q}(\zeta_n)$ for some n ≥ 1. (The argument in [DF04] works over
any field F of characteristic 0 or of prime characteristic p not dividing n; here we only need F = Q.)
We have already examined the case when n is prime.
Definition 2.1.21. We define the cyclotomic polynomial $\Phi_n(x)$ as
$$\Phi_n(x) = \prod_{\substack{1 \le i \le n \\ \gcd(i,n) = 1}} \left(x - \zeta_n^i\right),$$
i.e. the polynomial whose roots are the primitive nth-roots of unity (for n = 1 the single factor is $x - \zeta_1 = x - 1$).
Since there are exactly φ(n) primitive nth-roots of unity, the degree of $\Phi_n(x)$ is φ(n). The reader might have
made the connection between the cyclotomic polynomial and the corresponding cyclotomic extension.
Indeed, we will later show that $\Phi_n(x)$ is actually the minimal polynomial of $\zeta_n$ over Q [DF04, p.
554-555].
Proposition 2.1.3. Let n be any positive integer. We have that
$$x^n - 1 = \prod_{d \mid n} \Phi_d(x).$$
[DF04, p. 553]
Proof. Let $Z_n$ be the set of all nth-roots of unity, i.e. $Z_n = \{\zeta \in \mathbb{C} : \zeta^n = 1\}$. Note that $Z_n$
consists exactly of the n distinct roots of the polynomial $x^n - 1$. Thus, we have the factorization
$$x^n - 1 = \prod_{\zeta \in Z_n}(x - \zeta). \qquad (1)$$
Now, let $D_n$ be the set of all positive divisors of n, i.e. $D_n = \{d \in \mathbb{Z}^+ : d \mid n\}$. Every $\zeta \in Z_n$ is a
primitive dth-root of unity for exactly one $d \in D_n$, namely its multiplicative order. For each d in $D_n$, we
collect all the factors $(x - \zeta)$ in expression (1) where ζ is a primitive dth-root of unity; this process
yields the fact that
$$x^n - 1 = \prod_{d \in D_n}\ \prod_{\substack{\zeta \in Z_d \\ \zeta \text{ primitive}}} (x - \zeta). \qquad (2)$$
In expression (2), it is not hard to see that $\prod_{\zeta \in Z_d,\ \zeta \text{ primitive}}(x - \zeta)$ is precisely $\Phi_d(x)$ by definition. Hence,
$$x^n - 1 = \prod_{d \in D_n}\Phi_d(x). \qquad (3)$$
[DF04, p. 553] Q.E.D

Table 2.1: The cyclotomic polynomials for n = 1, ..., 12 (n = 11 falls under the prime case) and any prime p

n     Φ_n(x)
1     x − 1
2     x + 1
3     x² + x + 1
4     x² + 1
5     x⁴ + x³ + x² + x + 1
6     x² − x + 1
7     x⁶ + x⁵ + x⁴ + x³ + x² + x + 1
8     x⁴ + 1
9     x⁶ + x³ + 1
10    x⁴ − x³ + x² − x + 1
12    x⁴ − x² + 1
p     x^{p−1} + x^{p−2} + ··· + x² + x + 1
Expression (3) in the proof of Proposition 2.1.3 provides us a method of recursively computing
Φn(x) for any n.
For example, it is not hard to see that Φ1(x) = x − 1. Using Proposition 2.1.3, we have that
x2 − 1 = Φ1(x)Φ2(x) = (x − 1)Φ2(x). Solving for Φ2(x) gives Φ2(x) = x + 1. Similarly,
x3− 1 = Φ1(x)Φ3(x) = (x− 1)Φ3(x), which implies that Φ3(x) = x2 +x+ 1. Table 2.1 provides
cyclotomic polynomials for some values of n as well as the case n = p, a prime.
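Both computations above can be carried out mechanically: inverting an element of Q[α] = Q[x]/(f) with the extended Euclidean algorithm, as in the proof of Theorem 2.1.4, and recovering Φ_n(x) by the exact division x^n − 1 = (∏_{d|n, d<n} Φ_d(x))·Φ_n(x) of Proposition 2.1.3. The following Python script is an added illustration written for this edit, not part of the thesis; it represents polynomials as coefficient lists over Fraction (lowest degree first), checks the computed Φ_n against Table 2.1, and inverts 1 + ζ_5 in Q(ζ_5). The polynomial helpers and all function names are this example's own.

```python
from fractions import Fraction
from math import gcd

# Polynomials are lists of coefficients, lowest degree first: [c0, c1, ..., ck] is
# c0 + c1 x + ... + ck x^k. The zero polynomial is the empty list [].

def strip(p):
    """Drop leading zero coefficients so that len(p) - 1 is the degree."""
    p = list(p)
    while p and p[-1] == 0:
        p.pop()
    return p

def add(a, b):
    n = max(len(a), len(b))
    a = list(a) + [0] * (n - len(a))
    b = list(b) + [0] * (n - len(b))
    return strip([x + y for x, y in zip(a, b)])

def mul(a, b):
    if not a or not b:
        return []
    out = [Fraction(0)] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return strip(out)

def divmod_poly(num, den):
    """Long division in Q[x]: returns (q, r) with num = q*den + r and deg r < deg den."""
    num, den = strip(num), strip(den)
    if not den:
        raise ZeroDivisionError("division by the zero polynomial")
    rem = [Fraction(c) for c in num]
    quot = [Fraction(0)] * max(len(num) - len(den) + 1, 0)
    for i in range(len(num) - len(den), -1, -1):
        c = rem[i + len(den) - 1] / den[-1]   # clears the current leading term of rem
        quot[i] = c
        for j, d in enumerate(den):
            rem[i + j] -= c * d
    return strip(quot), strip(rem)

def inverse_mod(g, f):
    """Inverse of g(alpha) in Q[alpha] = Q[x]/(f), f the minimal polynomial of alpha
    (Theorem 2.1.4): extended Euclid finds b with b*g = 1 (mod f)."""
    r0, r1 = strip([Fraction(c) for c in f]), divmod_poly(g, f)[1]
    s0, s1 = [], [Fraction(1)]          # invariant: r_i = s_i * g (mod f)
    while r1:
        q, r = divmod_poly(r0, r1)
        r0, r1 = r1, r
        s0, s1 = s1, add(s0, [-c for c in mul(q, s1)])
    if len(r0) != 1:
        raise ValueError("not invertible: gcd(g, f) has positive degree")
    return divmod_poly([c / r0[0] for c in s0], f)[1]

def euler_phi(n):
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)

def cyclotomic(n, _cache={}):
    """Phi_n(x) with integer coefficients, computed recursively from
    x^n - 1 = prod_{d | n} Phi_d(x) (Proposition 2.1.3); _cache memoises across calls."""
    if n not in _cache:
        x_n_minus_1 = [Fraction(-1)] + [Fraction(0)] * (n - 1) + [Fraction(1)]
        proper = [Fraction(1)]
        for d in range(1, n):
            if n % d == 0:
                proper = mul(proper, cyclotomic(d))
        quot, rem = divmod_poly(x_n_minus_1, proper)
        assert rem == [], "Proposition 2.1.3: the division must be exact"
        assert all(c.denominator == 1 for c in quot), "Theorem 2.1.7: Phi_n is in Z[x]"
        _cache[n] = [int(c) for c in quot]
    return _cache[n]

def factorization_holds(n):
    """Check x^n - 1 == prod_{d | n} Phi_d(x) with the computed polynomials."""
    prod = [1]
    for d in range(1, n + 1):
        if n % d == 0:
            prod = mul(prod, cyclotomic(d))
    return prod == [-1] + [0] * (n - 1) + [1]

if __name__ == "__main__":
    for n in (1, 2, 3, 4, 5, 6, 8, 9, 10, 12):
        print(n, cyclotomic(n), "degree", len(cyclotomic(n)) - 1, "phi(n) =", euler_phi(n))
    # Invert 1 + zeta_5 in Q(zeta_5) = Q[x]/(Phi_5): the answer is -zeta_5 - zeta_5^3.
    print(inverse_mod([1, 1], cyclotomic(5)))
```

The inverse of 1 + ζ_5 comes out as −ζ_5 − ζ_5³, which one can confirm by hand: (1 + ζ_5)(−ζ_5 − ζ_5³) = −(ζ_5 + ζ_5² + ζ_5³ + ζ_5⁴) = 1 because Φ_5(ζ_5) = 0. The same routine is the arithmetic a lattice-based scheme performs in Z[ζ_n], except that in practice coefficients are reduced modulo a prime q rather than kept as exact rationals.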
Theorem 2.1.7. The cyclotomic polynomial Φn(x) is an irreducible monic polynomial in Z[x] of
degree φ(n) [DF04, Theorem 41, Section 13.6, p. 554]
Proof. [DF04, p. 554 - 555] First, $\Phi_n(x)$ is monic, since by Definition 2.1.21 it is a product of the monic
linear factors $(x - \zeta)$. (Equivalently, in the factorization
$$x^n - 1 = \prod_{d \mid n}\Phi_d = \Big(\prod_{\substack{d \mid n \\ d \neq n}}\Phi_d\Big)\,\Phi_n$$
from Proposition 2.1.3 every factor is such a product, so the leading coefficient of the right-hand side is the
product of the leading coefficients of the $\Phi_d$, and it must equal 1 because $x^n - 1$ is monic.)
By definition of the cyclotomic polynomial (Definition 2.1.21), it is clear that the degree of
Φn(x) is φ(n). This is true since there are exactly φ(n) primitive nth-roots of unity.
We will now show that Φn(x) has integer coefficients by providing a proof using induction on
n. For the base case of n = 1, the result is true since Φ1(x) = x − 1 ∈ Z[x]. Suppose that Φk(x)
is in Z[x] for all 1 ≤ k < n. By Proposition 2.1.3,
$$x^n - 1 = \Big(\prod_{\substack{d \mid n \\ d < n}}\Phi_d(x)\Big)\,\Phi_n(x).$$
For simplicity, let $f(x) := \prod_{d \mid n,\ d < n}\Phi_d(x)$. By the induction hypothesis, f(x) must be a monic polynomial
in Z[x]. Note that f(x) divides $x^n - 1$ in the polynomial ring $\mathbb{Q}(\zeta_n)[x]$. In addition, f(x) and
$x^n - 1$ both have coefficients in Q. By the Division Algorithm (the quotient and remainder of $x^n - 1$ by f(x)
computed in Q[x] are also the quotient and remainder in $\mathbb{Q}(\zeta_n)[x]$, by uniqueness), f(x) divides $x^n - 1$ in Q[x]. By
Gauss's Lemma (2.2.3), f(x) divides $x^n - 1$ in Z[x]. Thus, $\Phi_n(x) = (x^n - 1)/f(x)$ has coefficients in Z.
Lastly, we want to show that $\Phi_n(x)$ is irreducible. Suppose to the contrary that it is reducible, i.e.,
there are monic polynomials h(x) and g(x) of positive degree with coefficients in Z such that
$$\Phi_n(x) = h(x)g(x). \qquad (*)$$
(By Gauss's Lemma 2.2.3 a factorization over Q can be taken to have monic factors in Z[x].)
Without loss of generality, suppose that h(x) is irreducible. Furthermore, let ζ be a primitive nth-root of
unity which is a root of h(x), and let p be any prime in Z that does not divide n. Then
h(x) is the minimal polynomial for ζ over the field Q; also, $\zeta^p$ is again a primitive nth-root of unity since
gcd(p, n) = 1. Hence, $\zeta^p$ must be a root of either h(x) or g(x).
If $\zeta^p$ is a root of g(x), then ζ is a root of the polynomial $g(x^p)$. Since h(x) is the minimal
polynomial for ζ, h(x) divides $g(x^p)$ in Q[x], and hence in Z[x] by Gauss's Lemma. That is, there exists a
polynomial t(x) ∈ Z[x] such that
$$g(x^p) = h(x)\,t(x).$$
Reducing this equation modulo p yields
$$[g(x^p)] = [h(x)]\,[t(x)] \quad \text{in } \mathbb{Z}_p[x],$$
where the notation [f(x)] denotes the class of f(x) with coefficients reduced modulo p. It is also well known that
in $\mathbb{Z}_p[x]$, $[g(x^p)] = [g(x)]^p$ [DF04, Section 13.5, p.545-551] (the map $a \mapsto a^p$ fixes every element of
$\mathbb{Z}_p$, and $(u + v)^p = u^p + v^p$ in characteristic p). So, we have that
$$[g(x)]^p = [h(x)]\,[t(x)].$$
Since $\mathbb{Z}_p[x]$ is a Unique Factorization Domain, any irreducible factor of [h(x)] divides $[g(x)]^p$ and therefore
divides [g(x)]; so [h(x)] and [g(x)] have a common factor of positive degree in $\mathbb{Z}_p[x]$ (note that [h(x)] is
monic of positive degree because h(x) is).
Reducing the equation (∗) modulo p yields $[\Phi_n(x)] = [h(x)]\,[g(x)]$. Thus, the polynomial
$[\Phi_n(x)]$ in $\mathbb{Z}_p[x]$ has an irreducible factor of multiplicity greater than 1, i.e., it has a repeated (or
multiple) root in an algebraic closure of $\mathbb{Z}_p$. As a result, $x^n - 1$ must also have a multiple root over $\mathbb{Z}_p$,
since $[\Phi_n(x)]$ is a factor of $x^n - 1$ by Proposition 2.1.3. This contradicts the fact that $x^n - 1$ has n distinct
roots over $\mathbb{Z}_p$: its derivative $n x^{n-1}$ is nonzero because p does not divide n, and its only root, 0, is not a
root of $x^n - 1$. So, $\zeta^p$ cannot be a root of g(x).
Hence $\zeta^p$ is a root of h(x). The same argument applies to every root ζ of h(x) and every prime p not
dividing n. Now let m be any positive integer coprime to n and write m as a product of primes, none of which divides n,
$$m = p_1 p_2 \cdots p_k.$$
Applying the conclusion repeatedly, $\zeta^{p_1}$, $\zeta^{p_1 p_2}$, ..., $\zeta^{m}$ are all roots of h(x). Since every primitive
nth-root of unity is of the form $\zeta^m$ with gcd(m, n) = 1, every primitive nth-root of unity
is a root of h(x). And so, it must be the case that $h(x) = \Phi_n(x)$ and g(x) = 1, contradicting that g(x) has
positive degree.
Therefore, $\Phi_n(x)$ is irreducible. Q.E.D
By the result of the preceding theorem, the cyclotomic polynomial $\Phi_n(x)$ is the minimal polynomial
of any primitive nth-root of unity $\zeta_n$, and hence of the generator $\zeta_n$ of the cyclotomic field $\mathbb{Q}(\zeta_n)$; so the
degree of this field is $\deg \Phi_n(x)$. Thus, we have the following corollary.
Corollary 2.1.7.1. [DF04, Corollary 42, Section 13.6, p. 555] The degree of the cyclotomic field
of Q(ζn) over Q is ϕ(n).
2.2 Rings of Integers and Ideals
With the number fields constructed in the previous section, mathematicians are interested in
constructing an integral ring extension contained within a number field, analogous
to Z as a subset of Q. Thus, given a field extension F of Q, we want to define its "integers" and
the ring of integers of F. Before doing so, it is worth reviewing properties of rings and ideals.
2.2.1 Rings and Ideals
A ring R is a set with two operations: addition + and multiplication × such that addition
is associative and commutative, there exists the additive identity in R, each elements of R has
an additive inverse (these preceding axioms is equivalent to saying that (R,+) is an Abelian
group [DF04]), multiplication is associative, and the distributive laws hold in R.
Note that it is not necessary for a ring to have the multiplicative identity. Besides, for each
nonzero element in R, its multiplicative inverse may not exist. We say that R has 1 if its mul-
tiplicative identity exists (Definition 2.1.3). Also recall that a nonzero element a of R is a zero
divisor if there exists a nonzero element b in R such that ab = 0.
Definition 2.2.1. An integral domain R is a commutative ring with 1 6= 0 such that no element
of R is a zero divisor.
Given a ring R, if a subset S of R is also a ring under the same operations of R, we say that
S is a subring of R. Equivalently, S ⊆ R is a subring of R if S is closed under subtraction and
multiplication [Gal06, Subring Test, p. 239].
Definition 2.2.2. Let R be a ring. A subring I of R is called an ideal if I is closed under both left
and right multiplication by elements of R, i.e., for all r ∈ R,
$$rI \subseteq I \quad \text{and} \quad Ir \subseteq I,$$
where rI denotes the set {ra : a ∈ I} and Ir = {ar : a ∈ I}.
In this thesis, we will mainly study commutative rings whose ideals are subrings that are closed
under multiplication by elements of the bigger rings. There is no need for the distinction between
left and right multiplication in this specific case.
Example 2.2.1. Given any ring R, R and {0} are always ideals of R. This is trivially true since
R is closed under multiplication by its own elements and the product of anything with 0 is 0.
Example 2.2.2. Let R = Z. Ideals of Z are precisely the subrings nZ for any n ∈ Z [DF04, p.
243].
Let R be a ring and I be an ideal of R. For a, b ∈ R, we define an equivalence relation on
the set of elements of R by saying that a ∼ b if and only if a − b ∈ I. This relation partitions R
into equivalence classes, which are called cosets and are of the form a + I = {a + x : x ∈ I} where
a ∈ R. Let us denote the set of all cosets by R/I and define the two binary operations addition and
multiplication as
$$(a + I) + (b + I) = (a + b) + I \quad \text{and} \quad (a + I) \times (b + I) = (ab) + I$$
for all a, b ∈ R. These operations are well defined because I is an ideal (the result does not depend on the
chosen representatives a and b). Under these operations, R/I is a ring, called the quotient ring of R by I.
Definition 2.2.3. Let R be a commutative ring.
(a) A proper ideal M of R is a maximal ideal if, whenever I is an ideal of R such that M ⊆
I ⊆ R, then either I = M or I = R. In other words, M and R are the only ideals containing
M .
(b) A proper ideal P of R is a prime ideal if, for any a, b ∈ R, ab ∈ P implies that a ∈ P or
b ∈ P .
Theorem 2.2.1. Let R be a commutative ring.
(a) A proper ideal M of R is maximal if and only if the quotient ring R/M is a field [DF04,
Proposition 12, Section 7.4, p. 254].
(b) A proper ideal P of R is a prime ideal if and only if R/P is an integral domain [DF04,
Proposition 13, Section 7.4, p. 255].
The preceding theorem provides us useful methods for identifying maximal and prime ideals.
The proof can be found in [DF04, p. 254-255].
Definition 2.2.4. An ideal I of R is principal if there exists a ∈ R such that I = aR =
{ar : r ∈ R}. That is I is generated by a single element of R.
2.2.2 Rings of Integers
Given an extension field K of Q, we want to define the algebraic integers of K and study the
set of all such algebraic integers because it has “many properties analogous to those of the subring
of the integers Z in the field of rational numbers Q” [DF04, p. 695-696].
We say that an element α of a field extension K of Q is an algebraic integer if there
exists a monic polynomial with coefficients in Z of which α is a root. The set of all algebraic
integers of K is called the ring of integers of K, denoted by $\mathcal{O}_K$.
Example 2.2.3 (The Ring of Integers in a Quadratic Extension of Q). Let d ≠ 1 be a square-free
integer. Consider the quadratic field K := Q(√d) of degree 2 over Q. It is clear that $\sqrt{d}$ and
$-\sqrt{d}$ are algebraic integers in K since they are roots of the monic polynomial $x^2 - d$ which has
coefficients in Z. We shall see later that the ring of integers of K, $\mathcal{O}_K = \mathcal{O}_{\mathbb{Q}(\sqrt{d})}$, is the integral ring
$\mathbb{Z}[\omega] = \{a + b\,\omega : a, b \in \mathbb{Z}\}$, i.e., the smallest ring containing Z and ω, with basis {1, ω}, where
$$\omega = \begin{cases} \sqrt{d}, & \text{if } d \equiv 2 \text{ or } 3 \pmod 4, \\[4pt] \dfrac{1 + \sqrt{d}}{2}, & \text{if } d \equiv 1 \pmod 4. \end{cases}$$
[DF04, p. 229]
Before proving the result for the ring of integers $\mathcal{O}_{\mathbb{Q}(\sqrt{d})}$ stated above, we establish
an equivalent definition for an element α of K, a field extension of Q, to be an algebraic
integer.
Theorem 2.2.2. Let K be a field extension of Q. An element α of K is an algebraic integer if and
only if α is algebraic over Q and its minimal polynomial has coefficients in Z [DF04, Proposition
28, Section 15.3, p. 696].
Recall that α is algebraic over Q means that there exists some nonzero polynomial with coef-
ficients in Q which has α as a root (Definition 2.1.10).
Lemma 2.2.3 (Gauss’s Lemma). Let f be a monic polynomial with coefficients in Z. Suppose that
f = gh where g and h are monic polynomials with coefficients in Q. Then the coefficients of g and
h are actually in Z. That is, if f is reducible in the polynomial ring Q[x], then it is also reducible
in the polynomial ring Z[x] [DF04, Proposition 5, Section 9.3, p. 303-304].
Proof of Lemma 2.2.3. Suppose f, g, and h are as in the lemma's statement. Let m and n be the
smallest positive integers such that mg and nh respectively have coefficients in Z. Then the
coefficients of mg have no common prime factor: if a prime q divided all of them (the leading coefficient m
included, since g is monic), m could be replaced by the positive integer m′ = m/q < m, and m′g would still
have coefficients in Z, contradicting the minimality of m. Similarly, the coefficients of nh have no common
prime factor.
We want to show that both m and n are 1. Suppose that mn > 1. Let p be any prime number dividing mn. Consider
the equation mnf = mn(gh) = (mg)(nh). We reduce the coefficients on both sides of the equation modulo p, using
the bar notation to indicate that coefficients have been reduced. Since p divides mn, we obtain
$$0 = \overline{mg}\;\overline{nh} \quad \text{in } \mathbb{Z}_p[x],$$
the ring of polynomials with coefficients in $\mathbb{Z}_p$, the finite field of p elements. Since $\mathbb{Z}_p$ is an integral
domain, $\mathbb{Z}_p[x]$ is also an integral domain. Thus, $\overline{mg}\;\overline{nh} = 0$ implies that either $\overline{mg} = 0$ or
$\overline{nh} = 0$. Without loss of generality, suppose that $\overline{mg} = 0$, which means that p divides all coefficients of mg, i.e.,
the coefficients of mg have the common factor p, which is not possible as shown earlier. Hence,
mn must be 1, so m = n = 1. Therefore, the coefficients of the polynomials g and h are in
Z [DF04, p.303-305]. Q.E.D
Proof of Theorem 2.2.2. (⇒) Suppose α is an algebraic integer. By definition, there exists a monic
polynomial f(x) with coefficients in Z such that α is one of its roots.
Suppose that f(x) is such a polynomial of minimal degree, and suppose that it is reducible in the polynomial ring Q[x], that
is, f(x) = g(x)h(x) where g, h are monic polynomials with coefficients in Q of degree less
than the degree of f. By Gauss's Lemma, the coefficients of g and h are in Z, i.e., f(x) is reducible
in Z[x]. Then α must be a root of either g or h, each a monic polynomial in Z[x], which contradicts the
minimality of the degree of f. Therefore, f must be irreducible in Q[x].
Hence, f , a monic polynomial with coefficients in Z, is the minimal polynomial of α over Q.
(⇐) Conversely, suppose that α is algebraic over Q and its minimal polynomial has coefficients
in Z. Then α is clearly a root of a monic polynomial with coefficients in Z; by definition, α is an
algebraic integer [DF04, p. 696]. Q.E.D
Corollary 2.2.3.1. The algebraic integers in Q are the integers Z, that is, OQ = Z.
Corollary 2.2.3.2. The ring of algebraic integers of the quadratic field K = Q(√d), where d ≠ 1 is a
square-free integer, is $\mathbb{Z}[\omega] = \{a + b\,\omega : a, b \in \mathbb{Z}\}$ where
$$\omega = \begin{cases} \sqrt{d}, & \text{if } d \equiv 2 \text{ or } 3 \pmod 4, \\[4pt] \dfrac{1 + \sqrt{d}}{2}, & \text{if } d \equiv 1 \pmod 4. \end{cases}$$
Proof of Corollary 2.2.3.2. We want to show that $\mathcal{O}_K = \mathcal{O}_{\mathbb{Q}(\sqrt{d})} = \mathbb{Z}[\omega]$ where ω is as in the
statement of Corollary 2.2.3.2. Thus, we will show that $\mathbb{Z}[\omega] \subset \mathcal{O}_K$ and $\mathcal{O}_K \subset \mathbb{Z}[\omega]$.
For d ≡ 2, 3 mod 4, ω = √d is a root of $x^2 - d$. For the case d ≡ 1 mod 4, $\omega = \frac{1 + \sqrt{d}}{2}$ is
a root of $x^2 - x + \frac{1 - d}{4}$. In both cases, $x^2 - d$ and $x^2 - x + \frac{1 - d}{4}$ are monic polynomials with
coefficients in Z (note that 4 divides 1 − d when d ≡ 1 mod 4). Thus, ω is an algebraic integer in Q(√d). Since
$\mathcal{O}_K$ is a ring containing Z and ω, $\mathbb{Z}[\omega] \subset \mathcal{O}_K$.
Conversely, let α = a + b√d, a, b ∈ Q, be an element of Q(√d) and suppose that α is an algebraic
integer, i.e., $\alpha \in \mathcal{O}_K$. (We can write α this way since $\mathcal{O}_K$ is a subset of Q(√d).)
If b = 0, then α = a ∈ Q, which implies that α = a is in Z since the algebraic integers of Q are
all of Z. Thus, α ∈ Z[ω].
Now, suppose that b ≠ 0. Then α ∉ Q, and the minimal polynomial of α is
$$\big(x - (a + b\sqrt{d})\big)\big(x - (a - b\sqrt{d})\big) = x^2 - 2a\,x + (a^2 - b^2 d).$$
By Theorem 2.2.2, α being an algebraic integer implies that its minimal
polynomial has coefficients in Z, i.e., 2a ∈ Z and $a^2 - b^2 d \in \mathbb{Z}$.
Since $a^2 - b^2 d \in \mathbb{Z}$, $4(a^2 - b^2 d) = (2a)^2 - (2b)^2 d \in \mathbb{Z}$. Since 2a ∈ Z, $(2a)^2 \in \mathbb{Z}$.
Hence, $(2b)^2 d$ is in Z, which implies that 2b is also in Z since d is square-free.
Let a = x/2 and b = y/2 for some x, y ∈ Z. Since $a^2 - b^2 d \in \mathbb{Z}$, $\left(\frac{x}{2}\right)^2 - \left(\frac{y}{2}\right)^2 d \in \mathbb{Z}$. Hence,
$x^2 - y^2 d \in 4\mathbb{Z}$, i.e., $x^2 - y^2 d \equiv 0 \pmod 4$. Since the only squares modulo 4 are 0 and 1 and d is
not divisible by 4, the only possible cases are:
1) d ≡ 2, 3 mod 4 and x, y are both even, or
2) d ≡ 1 mod 4 and x, y have the same parity.
In the first case, a, b ∈ Z and α ∈ Z[ω]. In the latter case, a + b√d = r + s ω where $r = \frac{x - y}{2}$ and
s = y are both integers; so, α ∈ Z[ω]. Thus, in either case, α ∈ Z[ω]. Hence, $\mathcal{O}_K \subset \mathbb{Z}[\omega]$.
Therefore, $\mathcal{O}_K = \mathbb{Z}[\omega]$ [DF04, p. 698]. Q.E.D
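As an added check of Corollary 2.2.3.2 (written for this edit, not part of the thesis), the following Python script applies the criterion of Theorem 2.2.2 to α = a + b√d: it forms the minimal polynomial x² − 2ax + (a² − b²d) from the proof, tests whether its coefficients are integers, and compares the outcome with membership in Z[ω] over a box of rationals a, b. The function names and the search bounds are this example's own choices; the inputs a, b may be ints, Fractions, or strings such as "1/2".

```python
from fractions import Fraction
from itertools import product

def is_squarefree(d):
    """True if no perfect square other than 1 divides d (and d != 0)."""
    d = abs(d)
    if d == 0:
        return False
    k = 2
    while k * k <= d:
        if d % (k * k) == 0:
            return False
        k += 1
    return True

def minimal_polynomial(a, b, d):
    """Coefficients [c0, c1, c2] of (x - alpha)(x - alpha') = x^2 - 2a x + (a^2 - b^2 d)
    for alpha = a + b*sqrt(d) with b != 0; for b == 0 the minimal polynomial is x - a."""
    a, b = Fraction(a), Fraction(b)
    if b == 0:
        return [-a, Fraction(1)]
    return [a * a - b * b * d, -2 * a, Fraction(1)]

def is_algebraic_integer(a, b, d):
    """Theorem 2.2.2: alpha is an algebraic integer iff its minimal polynomial lies in Z[x]."""
    return all(c.denominator == 1 for c in minimal_polynomial(a, b, d))

def omega_coordinates(a, b, d):
    """Write alpha = a + b*sqrt(d) as r + s*omega with omega as in Corollary 2.2.3.2.
    Returns (r, s) as Fractions; alpha lies in Z[omega] iff both are integers."""
    a, b = Fraction(a), Fraction(b)
    if d % 4 == 1:                  # omega = (1 + sqrt d)/2, so s = 2b and r = a - b
        return a - b, 2 * b
    return a, b                     # omega = sqrt d (d = 2, 3 mod 4)

def in_Z_omega(a, b, d):
    return all(c.denominator == 1 for c in omega_coordinates(a, b, d))

def corollary_holds(d, max_denominator=6, bound=3):
    """Exhaustively compare the two characterisations over the box of rationals
    a, b = p/q with |p| <= bound*q and 1 <= q <= max_denominator (constructed test inputs)."""
    if d in (0, 1) or not is_squarefree(d):
        raise ValueError("d must be a square-free integer other than 0 and 1")
    rationals = {Fraction(p, q) for q in range(1, max_denominator + 1)
                 for p in range(-bound * q, bound * q + 1)}
    return all(is_algebraic_integer(a, b, d) == in_Z_omega(a, b, d)
               for a, b in product(rationals, repeat=2))

if __name__ == "__main__":
    # (1 + sqrt 5)/2 is an algebraic integer (d = 5 = 1 mod 4); (1 + sqrt 3)/2 is not.
    print(minimal_polynomial("1/2", "1/2", 5), is_algebraic_integer("1/2", "1/2", 5))
    print(minimal_polynomial("1/2", "1/2", 3), is_algebraic_integer("1/2", "1/2", 3))
    print([d for d in (-7, -5, -3, -2, -1, 2, 3, 5, 6, 7, 10, 13) if not corollary_holds(d)])
```

The last line prints an empty list: on the whole box the integrality of 2a and a² − b²d agrees with a − b, 2b ∈ Z (d ≡ 1 mod 4) or a, b ∈ Z (d ≡ 2, 3 mod 4), exactly the case split in the proof. Python's `%` returns a non-negative remainder for negative d, so d = −3 and d = −7 correctly fall in the d ≡ 1 mod 4 branch.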
Example 2.2.4 (The Ring of Integers of the Cyclotomic Fields). Consider the cyclotomic field
$K = \mathbb{Q}(\zeta_n)$ where $\zeta_n$ is a primitive nth-root of unity (Example 2.1.11). The ring of integers in K
is the integral ring $\mathbb{Z}[\zeta_n]$ with integral basis $\{1, \zeta_n, \zeta_n^2, \ldots, \zeta_n^{\varphi(n)-1}\}$. In particular, when n = p,
a prime, the ring of integers of $\mathbb{Q}(\zeta_p)$ is $\mathbb{Z}[\zeta_p]$ with basis $\{1, \zeta_p, \zeta_p^2, \ldots, \zeta_p^{p-2}\}$ (p − 1 elements,
since φ(p) = p − 1).
Since $\zeta_n$ is a root of $x^n - 1$, it is clearly an algebraic integer. Hence, the ring of integers $\mathcal{O}_{\mathbb{Q}(\zeta_n)}$
contains $\mathbb{Z}[\zeta_n]$ [DF04, p.698-699]. For the other inclusion, one must use techniques from algebraic
number theory. James Milne provides a proof for the case $n = p^r$ where p is a prime in Z and r is
any positive integer [Mil17, Proposition 6.2(b), p. 95-98]. A complete proof for the general case
can be found in [Ash10, Chapter 7, p. 1-7].
2.3 Field Embeddings and The Minkowski Embedding
2.3.1 Field Embeddings
Let F and K be fields. A map φ : F → K is a field homomorphism if φ satisfies
(i) φ(a+ b) = φ(a) + φ(b) for all a, b ∈ F ,
(ii) φ(ab) = φ(a)φ(b) for all a, b ∈ F ,
(iii) φ(1F ) = 1K and φ(0F ) = 0K .
Given a field F , the zero ideal is a trivial ideal of F . Let I be another ideal of F that is not
the zero ideal. Hence, I contains a nonzero element a of F . By definition of a field, there exists
a−1 ∈ F such that aa−1 = 1. This means that 1 is in I since ideal I is closed under multiplication of
elements of F . Thus, by the same reason, I must contain everything in F , i.e., I = F . We have just
established that the only ideals in a field are the zero ideal and the whole field itself. Now, denote
the set {x ∈ F : φ(x) = 0 ∈ K} by ker(φ), which is called the kernel of the homomorphism φ.
It is not hard to show that ker(φ) is an ideal of F [DF04, p. 243]. Thus, ker(φ) must be either
{0} or F . If ker(φ) = F , then φ maps everything in F onto 0 ∈ K, i.e., φ is a trivial zero
homomorphism. On the other hand, if ker(φ) = {0}, then φ is an injective map. Therefore,
Proposition 2.3.1. Any nonzero field homomorphism is injective.
Definition 2.3.1. LetK and L be fields. An embedding ofK into L is an injective homomorphism
σ : K → L.
Since any embedding σ of K into L is an injective homomorphism of fields, there exists an
isomorphic copy of K in L. Conversely, suppose that there exists a subfield H of L such that H is
isomorphic to K. Thus, there exist an isomorphism χ : K → H and an inclusion homomorphism
τ : H ↪→ L such that τ(x) = x for all x ∈ H . Hence, σ := τ ◦ χ : K → L is a field
homomorphism, and thus an embedding of K into L.
Note that any embedding maps 1 to 1 and 0 to 0.
Example 2.3.1. Let d be any square-free integer and consider the quadratic field Q(√d). A basis
of this field over Q as a vector space is the set $\{1, \sqrt{d}\}$. Any embedding of Q(√d) into C
maps 1 to 1 (and hence fixes Q), so we must only determine where the generator $\sqrt{d}$ is sent; its image
must again be a root of $x^2 - d$. In fact, the embeddings of Q(√d) into C are the homomorphisms
$$\sigma_1 : \sqrt{d} \mapsto \sqrt{d} \quad \text{and} \quad \sigma_2 : \sqrt{d} \mapsto -\sqrt{d}.$$
Example 2.3.2. Let n be a positive integer. Consider the cyclotomic field of nth-root of unity,
Q(ζn) where ζn = e2πi/n. The embeddings of Q(ζn) into C are homomorphisms that send the
primitive nth-root ζn to other primitive roots. That is, if σ is an embedding of Q(ζn) into C, then
σ(ζn) = (ζn)k,
where k is a positive integer at most n such that k is relatively prime to n. Thus, there are exactly
φ(n) embeddings from Q(ζn) into C.
In general, the number of embeddings from a number field K into C is the degree of K over
Q, that is, [K : Q] [DF04, Theorem 9, Section 14.2, p. 570-571].
2.3.2 Minkowski Embeddings
Given K, a number field of degree n over Q, there are exactly n embeddings from K into C.
Let σ1, . . . , σn denote these embeddings. It is convenient to separate them into real and complex
embeddings. Let r be the number of real embeddings and 2s be the number of complex embeddings
from K into C. Note that the complex embeddings always come in pairs and that n = r + 2s. So,
we will let the first r embeddings, σ1, . . . , σr, be the real embeddings and the remaining 2s ones
the complex embeddings.
We also define a norm on the number field K as
$$\|\cdot\| : K \to \mathbb{R}$$
such that
$$\|\alpha\| = |\sigma_1(\alpha)|^2 + \cdots + |\sigma_n(\alpha)|^2$$
for α ∈ K, i.e. the squared Euclidean length of the vector $(\sigma_1(\alpha), \ldots, \sigma_n(\alpha)) \in \mathbb{C}^n$. In this
definition, |z| denotes the modulus of a complex number z ∈ C.
Definition 2.3.2. We define the Minkowski embedding of the number field K of degree n over Q into $\mathbb{R}^n$ to be the map
$$\psi : K \to \mathbb{R}^n$$
such that
$$\psi(\alpha) = \big(\sigma_1(\alpha), \ldots, \sigma_r(\alpha), \operatorname{Re}(\sigma_{r+1}(\alpha)), \operatorname{Im}(\sigma_{r+1}(\alpha)), \ldots, \operatorname{Re}(\sigma_{r+s}(\alpha)), \operatorname{Im}(\sigma_{r+s}(\alpha))\big)$$
for α ∈ K, where $\sigma_{r+1}, \ldots, \sigma_{r+s}$ are one representative from each of the s conjugate pairs of complex embeddings [CBFS17].
Example 2.3.3. Let d be a square-free integer and consider the quadratic field $K = \mathbb{Q}(\sqrt{d})$. The embeddings of K into $\mathbb{C}$ are described in Example 2.3.1. Note that both embeddings are real in this case. Thus, the Minkowski embedding of K into $\mathbb{R}^2$ is $\psi : \mathbb{Q}(\sqrt{d}) \to \mathbb{R}^2$ such that
$$\psi(a + b\sqrt{d}) = \big(a + b\sqrt{d},\ a - b\sqrt{d}\big),$$
for a, b ∈ Q.
Example 2.3.4. Let n > 2 be a positive integer and consider the cyclotomic field of the primitive nth root of unity, $\mathbb{Q}(\zeta_n)$. There are exactly ϕ(n) embeddings from $\mathbb{Q}(\zeta_n)$ into $\mathbb{C}$, which are all complex embeddings. Denote them by $\sigma_1, \tau_1, \sigma_2, \tau_2, \ldots, \sigma_s, \tau_s$, in which for each i in {1, ..., s}, $\sigma_i(\alpha)$ and $\tau_i(\alpha)$ are complex conjugates of each other for all $\alpha \in \mathbb{Q}(\zeta_n)$. Note that 2s = ϕ(n). So, the Minkowski embedding of $\mathbb{Q}(\zeta_n)$ into $\mathbb{R}^{\phi(n)}$ is $\psi : \mathbb{Q}(\zeta_n) \to \mathbb{R}^{\phi(n)}$ such that
$$\psi(\alpha) = \big(\operatorname{Re}(\sigma_1(\alpha)), \operatorname{Im}(\sigma_1(\alpha)), \ldots, \operatorname{Re}(\sigma_s(\alpha)), \operatorname{Im}(\sigma_s(\alpha))\big),$$
where $\alpha \in \mathbb{Q}(\zeta_n)$.
In particular, let n = 3. Then $\zeta_3$ and $\zeta_3^2$ are the primitive 3rd roots of unity. Note that $\zeta_3$ and $\zeta_3^2$ are complex conjugates of each other. A basis of $\mathbb{Q}(\zeta_3)$ is $\{1, \zeta_3\}$. So, the embeddings of $\mathbb{Q}(\zeta_3)$ into $\mathbb{C}$ are
$$\sigma : a + b\zeta_3 \mapsto a + b\zeta_3 = \Big(a - \frac{1}{2}b\Big) + \frac{\sqrt{3}}{2}b\,i \quad\text{and}\quad \tau : a + b\zeta_3 \mapsto a + b\zeta_3^2 = \Big(a - \frac{1}{2}b\Big) - \frac{\sqrt{3}}{2}b\,i$$
for a, b ∈ Q.
Hence the Minkowski embedding of $\mathbb{Q}(\zeta_3)$ into $\mathbb{R}^2$ is $\psi : \mathbb{Q}(\zeta_3) \to \mathbb{R}^2$ such that
$$\psi(a + b\zeta_3) = \Big(a - \frac{1}{2}b,\ \frac{\sqrt{3}}{2}b\Big).$$
Specifically, $\psi(1) = (1, 0)$ and $\psi(1 + \zeta_3) = \Big(\frac{1}{2}, \frac{\sqrt{3}}{2}\Big)$.
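The embeddings of Examples 2.3.1 and 2.3.2 and the Minkowski embedding of Definition 2.3.2, computed numerically for the quadratic and cyclotomic families of Examples 2.3.3 and 2.3.4. This is an added example written for this page; it is not code from the thesis or from [CBFS17]. It assumes elements are given by their coordinates in the power basis $\{1, \sqrt{d}\}$ resp. $\{1, \zeta_n, \ldots, \zeta_n^{\phi(n)-1}\}$, and it goes slightly beyond the text by also handling d < 0, where the two embeddings of $\mathbb{Q}(\sqrt{d})$ form one complex-conjugate pair instead of being real:

```python
# Added example (not from the thesis): embeddings into C and the Minkowski
# embedding of Definition 2.3.2 for Q(sqrt d) (Example 2.3.3) and Q(zeta_n)
# (Example 2.3.4).  An element is given by its coordinates in the power basis
# {1, sqrt(d)} or {1, zeta_n, ..., zeta_n^(phi(n)-1)}.  Floating point throughout.
import cmath
import math


def all_embeddings_quadratic(d, a, b):
    """The two embeddings of a + b*sqrt(d) into C (Example 2.3.1): sqrt(d) -> +-sqrt(d).
    For d < 0 cmath.sqrt returns i*sqrt(|d|), so the two images are complex conjugates."""
    root = cmath.sqrt(d)
    return [a + b * root, a - b * root]


def all_embeddings_cyclotomic(n, coeffs):
    """The phi(n) embeddings of sum_j coeffs[j] zeta_n^j into C (Example 2.3.2):
    zeta_n -> zeta_n^k for every 1 <= k < n with gcd(k, n) = 1."""
    zeta = cmath.exp(2j * math.pi / n)
    return [sum(c * zeta ** (k * j) for j, c in enumerate(coeffs))
            for k in range(1, n) if math.gcd(k, n) == 1]


def thesis_norm(images):
    """||alpha|| = |sigma_1(alpha)|^2 + ... + |sigma_n(alpha)|^2 as defined in Section 2.3.2,
    evaluated on the list of all [K:Q] embedding values of one element."""
    return sum(abs(z) ** 2 for z in images)


def minkowski_quadratic(d, a, b):
    """psi on Q(sqrt d).  For d > 0 both embeddings are real (Example 2.3.3) and
    psi(a + b sqrt d) = (a + b sqrt d, a - b sqrt d).  For d < 0 (an assumption added
    here, not a case worked in the thesis) the two embeddings are one conjugate
    pair, so psi keeps (Re, Im) of one of them."""
    if d > 0:
        r = math.sqrt(d)
        return [a + b * r, a - b * r]
    z = complex(a, b * math.sqrt(-d))
    return [z.real, z.imag]


def minkowski_cyclotomic(n, coeffs):
    """psi on Q(zeta_n) for n > 2 (Example 2.3.4).  The embeddings zeta -> zeta^k and
    zeta -> zeta^(n-k) are conjugate, so we keep the representative with k < n/2 of
    each pair and emit (Re, Im) of its image: phi(n) real coordinates in total."""
    zeta = cmath.exp(2j * math.pi / n)
    coords = []
    for k in range(1, n):
        if 2 * k < n and math.gcd(k, n) == 1:
            z = sum(c * zeta ** (k * j) for j, c in enumerate(coeffs))
            coords += [z.real, z.imag]
    return coords


if __name__ == "__main__":
    print("psi(1 + zeta_3) =", minkowski_cyclotomic(3, [1, 1]))   # close to (1/2, sqrt(3)/2)
    print("psi(1 + sqrt 2) =", minkowski_quadratic(2, 1, 1))
```

Running it on $1 + \zeta_3$ reproduces the value $(\tfrac{1}{2}, \tfrac{\sqrt{3}}{2})$ from Example 2.3.4. It also makes visible a consequence of the definitions above: for a totally complex field each conjugate pair is counted twice in $\|\alpha\|$ but only once in $\psi(\alpha)$, so $\|\alpha\|$ is twice the squared Euclidean length of $\psi(\alpha)$, whereas for a totally real field the two agree.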
With the construction of the Minkowski embedding ψ from a number field K to the corre-
sponding multidimensional Euclidean space, we will then restrict this Minkowski map to the ring
of algebraic integers of K, that is, OK . In the next chapter, we will show that ψ(OK) is a lattice.
Furthermore, given an ideal I of OK , ψ(I) is a sublattice of ψ(OK). We will prove the previous
claim and show examples of ideal lattices in the next chapter.
2.4 Lattices
In this thesis³, lattices (or point lattices) are "regular arrangements of points in Euclidean space" [MR09]. In general, a lattice is abstractly defined as follows:
Definition 2.4.1. Let $\mathbf{B} \in \mathbb{R}^{m \times n}$ be a list $\{\vec{b}_1, \ldots, \vec{b}_n\}$ of n linearly independent vectors in $\mathbb{R}^m$. The lattice generated by B, denoted L(B), is the set of all the integer linear combinations⁴ of the vectors of B; that is,
$$\mathcal{L}(\mathbf{B}) = \{\mathbf{B}\vec{x} : \vec{x} \in \mathbb{Z}^n\} = \Big\{\sum_{i=1}^{n} x_i\vec{b}_i = x_1\vec{b}_1 + \cdots + x_n\vec{b}_n : x_i \in \mathbb{Z}\ \forall i\Big\}.$$
Equivalently, L(B) is a discrete additive subgroup of $\mathbb{R}^m$, that is, L(B) satisfies the following properties [Mic14c]:
• For any $\vec{x}, \vec{y} \in \mathcal{L}(\mathbf{B})$, $\vec{x} - \vec{y}$ is also in L(B) (One-step Subgroup Test).
• There exists ε > 0 such that for any distinct $\vec{x}, \vec{y} \in \mathcal{L}(\mathbf{B})$, $\|\vec{x} - \vec{y}\| \ge \varepsilon$. That is, L(B) is discrete.
The matrix B is called a basis for the lattice L(B). The rank or dimension of L(B) is the positive integer n, which is the number of linearly independent vectors (columns) of the matrix B. If n = m, then L(B) is a full rank or full dimensional lattice in $\mathbb{R}^m$.
Note that this definition of a lattice L(B) generated by a basis B is quite similar to the definition of a vector space V spanned by B, i.e., $V = \operatorname{span}(\mathbf{B}) = \{\mathbf{B}\vec{x} : \vec{x} \in \mathbb{R}^n\}$. The distinction between L(B) and V = span(B) is that span(B) consists of all R-linear combinations of vectors in B; however, in a lattice, the coefficients of the linear combinations can only be integers, "resulting in a discrete set of points" within the m-dimensional Euclidean space. In addition, it is not hard to see from the definitions that given a basis B, L(B) ⊂ span(B).
³ In abstract algebra, a lattice is generally referred to as an algebra with certain properties. This type of lattice is distinct from our (point) lattice's definition.
⁴ We also often write Z-linear combination to denote the same concept.
Definition 2.4.2. A subset L is a sublattice of a lattice L(B) if L is itself a lattice, i.e., L = L(B′)
for some basis B′.
If a sublattice L′ of L has the same dimension as L, then the sublattice is said to be a full rank
sublattice.
Example 2.4.1. The most basic example of a lattice in a 2-dimensional space is the set of all 2-
tuples with integer entries, i.e., {(a, b) : a, b ∈ Z} ⊂ R2, which has a basis {(1, 0), (0, 1)}. This
full rank lattice is called the integer lattice Z2.
In general, we can define an integral lattice Zn in an n-dimensional space in a similar fashion.
[Figure 2.2: The 2-dimensional integer lattice Z2 with basis {(1, 0), (0, 1)}.]
[Figure 2.3: A sublattice L(B) of Z2 with basis B = {(2, 0), (0, 1)}.]
Example 2.4.2. The entries of lattice bases do not need to be in Z. In fact, by our definition, we can construct lattices with real bases. For example, let B = {(1, π), (π, 1)}. We then get the following lattice in R2.
[Figure 2.4: A full rank lattice L(B) in R2 with basis B = {(1, π), (π, 1)}.]
This is an example of a cyclic lattice, which will be studied in Chapter 3.
Note that given a basis B of a lattice L(B), B is also a basis for the vector space span(B). However, the converse is not true in general; that is, given a set C of lattice vectors in L(B) such that it is a basis for the vector space span(B), it is not necessarily a basis of L(B). As a counterexample, consider $2\mathbf{B} = \{2\vec{b}_1, \ldots, 2\vec{b}_n\}$, a basis of span(B); however, L(2B) is only a proper sublattice of L(B) and is not all of L(B). Note that from the list $\{2\vec{b}_1, \ldots, 2\vec{b}_n\}$ we cannot recover the original $\vec{b}_i$, since the only permitted operation is linear combination with coefficients in Z.
2.4.1 Lattice Bases
Similar to vector spaces, a lattice basis need not be unique; that is, the same lattice can be
represented using different bases. We want to learn how distinct bases of a lattice relate; further-
more, given a basis, how can we get another basis for the same lattice? Hence, it is very useful
for us to be able to change a given basis to another one with desired special properties. We know
that any basis of a vector space can be reduced to an orthonormal one by using the Gram-Schmidt
process. Can we do something similar for lattice bases? Before answering this question, let’s first
develop an understanding for manipulating a lattice basis to get a new basis without changing the
original lattice.
The following proposition was given as an exercise in [Mic14c].
Proposition 2.4.1. [Mic14c, Exercise 1, p. 3] Let $\mathbf{B} \in \mathbb{R}^{d \times k}$ and $\mathbf{C} \in \mathbb{R}^{d \times n}$ be any two lattice bases. The first basis generates a sublattice of the second, i.e., L(B) ⊆ L(C), if and only if there is an integer matrix $\mathbf{U} \in \mathbb{Z}^{n \times k}$ such that B = CU.
Proof. For the reverse direction (⇐), suppose that there exists an integer matrix U with B = CU. Let $\mathbf{B}\vec{x}$ be an element of L(B) for some $\vec{x} \in \mathbb{Z}^k$. Then $\mathbf{B}\vec{x} = (\mathbf{C}\mathbf{U})\vec{x} = \mathbf{C}(\mathbf{U}\vec{x})$. Since U is in $\mathbb{Z}^{n \times k}$ and $\vec{x}$ is in $\mathbb{Z}^k$, $\mathbf{U}\vec{x}$ is a vector in $\mathbb{Z}^n$. Thus, $\mathbf{B}\vec{x} = \mathbf{C}(\mathbf{U}\vec{x})$ is in $\{\mathbf{C}\vec{y} : \vec{y} \in \mathbb{Z}^n\} = \mathcal{L}(\mathbf{C})$. Therefore, L(B) ⊆ L(C) as desired.
(⇒) Conversely, suppose that L(B) ⊆ L(C). Thus, given any lattice vector $\vec{x}$ in L(B), there exists $\vec{y} \in \mathbb{Z}^n$ such that $\vec{x} = \mathbf{C}\vec{y}$. In particular, for each $\vec{b}_i \in \mathbf{B} = \{\vec{b}_1, \ldots, \vec{b}_k\}$, $i \in \{1, \ldots, k\}$, there are $\vec{y}_1, \ldots, \vec{y}_k \in \mathbb{Z}^n$ such that
$$\vec{b}_i = \mathbf{C}\vec{y}_i \quad \forall i \in \{1, \ldots, k\}.$$
Let $\mathbf{U} = \{\vec{y}_1, \ldots, \vec{y}_k\} \in \mathbb{Z}^{n \times k}$. Note that
$$\mathbf{C}\mathbf{U} = \mathbf{C}\{\vec{y}_1, \ldots, \vec{y}_k\} = \{\mathbf{C}\vec{y}_1, \ldots, \mathbf{C}\vec{y}_k\} = \{\vec{b}_1, \ldots, \vec{b}_k\} = \mathbf{B}$$
as we wanted. Q.E.D
With this theorem, we can show that different bases of the same lattice are related by invertible integer transformations.
Definition 2.4.3. We define GL(n, Z) to be
$$\operatorname{GL}(n, \mathbb{Z}) := \{\mathbf{U} \in \mathbb{Z}^{n \times n} : \exists\, \mathbf{V} \in \mathbb{Z}^{n \times n},\ \mathbf{U}\mathbf{V} = \mathbf{V}\mathbf{U} = \mathbf{I}\},$$
where I is the identity matrix $(I_{jk})$ with $I_{jk}$ equal to 1 when j = k and 0 otherwise.
If such a matrix V exists, we say that V is an inverse of U and denote it by $\mathbf{U}^{-1}$. Furthermore, $\mathbf{U}^{-1}$ is necessarily unique.
Theorem 2.4.1. [Mic14c, Theorem 3, p. 4] Let $\mathbf{B} \in \mathbb{R}^{d \times n}$ and $\mathbf{C} \in \mathbb{R}^{d \times n}$ be two lattice bases. They generate the same lattice, i.e. L(B) = L(C), if and only if there is U ∈ GL(n, Z) such that B = CU.
Proof. [Mic14c, p. 4] (⇐) Suppose that there exists U ∈ GL(n, Z) such that B = CU. By Proposition 2.4.1, L(B) ⊆ L(C). By definition of GL(n, Z), there exists $\mathbf{U}^{-1} \in \operatorname{GL}(n, \mathbb{Z})$ such that $\mathbf{U}\mathbf{U}^{-1} = \mathbf{U}^{-1}\mathbf{U} = \mathbf{I}$. Hence, B = CU implies that $\mathbf{B}\mathbf{U}^{-1} = \mathbf{C}$ by multiplying both sides of the first equation by $\mathbf{U}^{-1}$. Again, by Proposition 2.4.1, L(C) ⊆ L(B).
(⇒) Conversely, suppose that L(B) = L(C). So, by Proposition 2.4.1, there exist integer matrices U, W such that B = CU and C = BW. Thus, B = CU = (BW)U = BWU. So, B − BWU = 0, which means that B(I − WU) = 0. Since B is a basis, it cannot be the zero matrix. Hence, it must be true that I − WU = 0; that is, I = WU. Similarly, we can also show that UW = I. Therefore, U is in GL(n, Z) and B = CU. Q.E.D
In other words, this theorem tells us that right-multiplying a lattice basis B by a matrix U ∈ GL(n, Z) transforms the original basis into another one which generates the same lattice. Note that multiplication by U is performed on the right side of B since the vectors of B are its columns; hence, left-multiplication will not provide us with a new basis. (Recall that matrix multiplication is not necessarily commutative.)
Although we now have a way of transforming lattice bases, it requires us to construct matrices in GL(n, Z); however, a given matrix with entries in Z may not have an integer inverse. Fortunately, there is a way for us to identify those that do. Suppose that U is in GL(n, Z). It is well-known that det(AB) = det(A) det(B) for any square matrices A, B. Hence
$$1 = \det(\mathbf{I}) = \det(\mathbf{U}\mathbf{U}^{-1}) = \det(\mathbf{U})\det(\mathbf{U}^{-1}).$$
Since $\mathbf{U}, \mathbf{U}^{-1}$ are integer matrices, their determinants must also be integers, i.e. $\det(\mathbf{U}), \det(\mathbf{U}^{-1}) \in \mathbb{Z}$. Thus, in order for $\det(\mathbf{U})\det(\mathbf{U}^{-1}) = 1$ with both determinants in Z, it must be that either $\det(\mathbf{U}) = \det(\mathbf{U}^{-1}) = 1$ or $\det(\mathbf{U}) = \det(\mathbf{U}^{-1}) = -1$. This proves one direction of the following proposition.
Proposition 2.4.2. [Mic14c, Corollary 10, p. 7] A square integer matrix U is in GL(n,Z) if and
only if det(U) = ±1.
Proof. We have already shown the forward direction. Refer to [Han82, p. 18-21] for the complete
proof. Q.E.D
This result is quite useful. Instead of looking for invertible integer matrices, we can simply
construct one such matrix with entries in Z of determinant ±1. Transforming lattice bases can also be done by applying elementary integer column operations on the bases. (In fact, the two methods are equivalent.)
Definition 2.4.4. The elementary integer column operations on a matrix $\mathbf{B} = \{\vec{b}_1, \ldots, \vec{b}_n\}$ are:
• SWAP(i, j) interchanges two basis vectors $\vec{b}_i$ and $\vec{b}_j$ for any i ≠ j,
• INVERT(i) replaces a basis vector $\vec{b}_i$ by the vector $-\vec{b}_i$, and
• Add[c](i, j) replaces a basis vector $\vec{b}_i$ with $\vec{b}_i + c\,\vec{b}_j$ for any i ≠ j and c in Z.
Just like the first method described in Theorem 2.4.1, these integer column operations act on the right of matrices such that for any integer column operator σ and for any matrices A, B, σ(AB) = Aσ(B). Hence, for any matrix A, σ(A) = σ(AI) = Aσ(I); that is, each of the elementary integer column operators σ corresponds to right-multiplication by a square matrix σ(I) with entries in Z. It is not hard to see that the inverse of SWAP(i, j) is SWAP(j, i) and that INVERT(i) is its own inverse, for any i, j with i ≠ j. In addition, one can check that the inverse of Add[c](i, j) is Add[−c](i, j) for i ≠ j and c ∈ Z. Therefore, each of the elementary integer column operations listed in Definition 2.4.4 is invertible; moreover, its inverse is also an elementary column operation. Hence the corresponding matrix σ(I) of an elementary column operation σ is invertible. Thus, it is not hard to see that these operations only scale the determinant of the input matrix by a factor of ±1.
As a result, any finite sequence of elementary integer column operations $\sigma = (\sigma_i)_{i=1}^{k}$ can be expressed as right-multiplication by an invertible integer matrix $\sigma(\mathbf{I}) = \sigma_1(\mathbf{I})\sigma_2(\mathbf{I}) \cdots \sigma_k(\mathbf{I})$. By Theorem 2.4.1, any such sequence σ turns a lattice basis B into another basis which generates the same lattice.
Conversely, it is true that any invertible square integer matrix can be expressed as a sequence
of elementary column operations [Mic14c, p. 5-6]. Therefore, any two bases of the same lattice
can be related by a sequence of elementary column operations.
Example 2.4.3. Consider the lattice L(B) given in Example 2.4.2 where B = {(1, π), (π, 1)}. It is not hard to check that the matrix
$$\mathbf{B}' = \{(2 + 3\pi,\ 3 + 2\pi),\ (1 + \pi,\ 1 + \pi)\} = \begin{pmatrix} 2 + 3\pi & 1 + \pi \\ 3 + 2\pi & 1 + \pi \end{pmatrix}$$
is another basis which generates L(B), i.e., L(B) = L(B′), since
$$\begin{pmatrix} 2 + 3\pi & 1 + \pi \\ 3 + 2\pi & 1 + \pi \end{pmatrix} = \begin{pmatrix} 1 & \pi \\ \pi & 1 \end{pmatrix} \begin{pmatrix} 2 & 1 \\ 3 & 1 \end{pmatrix},$$
where $\begin{pmatrix} 2 & 1 \\ 3 & 1 \end{pmatrix}$ is an integer matrix with determinant −1.
[Figure 2.5: Two bases for the same lattice: B = {(1, π), (π, 1)} and B′ = {(2 + 3π, 3 + 2π), (1 + π, 1 + π)}.]
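The criteria of Proposition 2.4.1 and Theorem 2.4.1, and the column operations of Definition 2.4.4, as an added example written for this page (not code from the thesis or from [Mic14c]). It works over the rationals with Python's Fraction so that "is $\mathbf{C}^{-1}\mathbf{B}$ an integer matrix?" is answered exactly; the 2-dimensional bases it is run on are constructed here, with 3 in place of π so that Example 2.4.3 can be checked without floating point. Bases are lists of column vectors, matching the convention that $\mathbf{B} = \{\vec{b}_1, \ldots, \vec{b}_n\}$ has the $\vec{b}_i$ as columns.

```python
# Added example (not from the thesis): exact checks of Proposition 2.4.1 and
# Theorem 2.4.1 over Q, plus the elementary integer column operations of
# Definition 2.4.4.  A basis is a list of its column vectors b_1, ..., b_n.
from fractions import Fraction


def solve_columns(C, B):
    """Solve C U = B for U by Gauss-Jordan elimination over Q, where C is a square
    nonsingular basis (n columns of length n) and B has any number of columns of
    length n.  Returns U as a list of columns, or None if C is singular."""
    n = len(C)
    # Row i of the augmented matrix [C | B]; both inputs are stored column-wise.
    rows = [[Fraction(C[j][i]) for j in range(n)] + [Fraction(col[i]) for col in B]
            for i in range(n)]
    for c in range(n):
        pivot = next((r for r in range(c, n) if rows[r][c] != 0), None)
        if pivot is None:
            return None
        rows[c], rows[pivot] = rows[pivot], rows[c]
        p = rows[c][c]
        rows[c] = [x / p for x in rows[c]]
        for r in range(n):
            if r != c and rows[r][c] != 0:
                f = rows[r][c]
                rows[r] = [x - f * y for x, y in zip(rows[r], rows[c])]
    # rows is now [I | U]; read U back column by column.
    return [[rows[i][n + k] for i in range(n)] for k in range(len(B))]


def is_integral(U):
    return U is not None and all(x.denominator == 1 for col in U for x in col)


def is_sublattice(B, C):
    """Proposition 2.4.1: L(B) is a sublattice of L(C) iff B = C U for an integer matrix U."""
    return is_integral(solve_columns(C, B))


def same_lattice(B, C):
    """Theorem 2.4.1: L(B) = L(C) iff B = C U and C = B W with U, W both integral
    (the proof shows W = U^{-1}, so U is in GL(n, Z))."""
    return is_sublattice(B, C) and is_sublattice(C, B)


# Definition 2.4.4; each operation returns a new basis and leaves the input untouched.
def swap(B, i, j):
    """SWAP(i, j): interchange b_i and b_j."""
    B = [list(v) for v in B]
    B[i], B[j] = B[j], B[i]
    return B


def invert(B, i):
    """INVERT(i): replace b_i with -b_i."""
    return [[-x for x in v] if k == i else list(v) for k, v in enumerate(B)]


def add(B, c, i, j):
    """Add[c](i, j): replace b_i with b_i + c * b_j, c an integer and i != j."""
    return [[x + c * y for x, y in zip(v, B[j])] if k == i else list(v) for k, v in enumerate(B)]


def det2(U):
    """Determinant of a 2x2 matrix given as two columns, for checking Proposition 2.4.2."""
    return U[0][0] * U[1][1] - U[1][0] * U[0][1]


# Constructed data (not from the thesis): the rational analogue of Example 2.4.2 with
# 3 in place of pi, and a second basis of the same lattice built from column operations.
B = [(1, 3), (3, 1)]
B_PRIME = swap(add(add(B, 1, 1, 0), 2, 0, 1), 0, 1)   # == [(4, 4), (9, 11)]

if __name__ == "__main__":
    U = solve_columns(B, B_PRIME)
    print("B' = B U with U =", U, "det(U) =", det2(U))
    print("same lattice:", same_lattice(B, B_PRIME))
    print("2B is a proper sublattice:", is_sublattice([[2 * x for x in v] for v in B], B),
          not same_lattice([[2 * x for x in v] for v in B], B))
```

Only the two one-directional checks are needed for Theorem 2.4.1; the determinant is printed to confirm Proposition 2.4.2 on the recovered U. The 2B case is the counterexample from the text: L(2B) ⊆ L(B) holds but the reverse inclusion fails because $\mathbf{C}^{-1}\mathbf{B} = \tfrac{1}{2}\mathbf{I}$ is not integral.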
2.4.2 Gram-Schmidt Orthogonalization
Recall from the study of vector spaces that any basis B of an inner product space (V, ⟨·,·⟩) can be transformed into an orthogonal basis B* for the same vector space through the Gram-Schmidt procedure. Here, two vectors $\vec{a}, \vec{b} \in \mathbb{R}^d$ are orthogonal if their inner product is 0, i.e.
$$\langle \vec{a}, \vec{b} \rangle := \sum_{i=1}^{d} a_i b_i = 0.$$
A basis is orthogonal if each of its vectors is orthogonal to all other vectors in the list. Furthermore, in the setting of a vector space, we can also rescale the norm of every vector in an orthogonal basis so that each vector has norm⁵ 1. Such a basis is called an orthonormal basis. They have many great advantages and are easy to work with; in other words, orthonormal bases are very nice bases.
Definition 2.4.5. Let $\vec{b}$ be a vector in $\mathbb{R}^n$ and S a subset of $\mathbb{R}^n$. We define the orthogonal component of $\vec{b}$ to S to be the vector, denoted $\vec{b} \perp S$, which satisfies the following conditions:
(i) $\vec{b} \perp S \in (\vec{b} + \operatorname{span}(S))$ and
(ii) $\vec{b} \perp S$ is orthogonal to every element of S.
Definition 2.4.6. Given a basis $\mathbf{B} = \{\vec{b}_1, \ldots, \vec{b}_n\}$ of a finite dimensional vector space V, let $\vec{x}$ be a vector in V. For i ∈ {1, ..., n}, we define the orthogonal projection of $\vec{x}$ modulo $\{\vec{b}_1, \ldots, \vec{b}_{i-1}\}$ as the map
$$\pi_i : \vec{x} \mapsto \vec{x} \perp \operatorname{span}(\vec{b}_1, \ldots, \vec{b}_{i-1}).$$
That is, $\pi_i$ maps $\vec{x}$ to its component which is orthogonal to the first i − 1 vectors in B.
Definition 2.4.7. Given a basis $\mathbf{B} = \{\vec{b}_1, \ldots, \vec{b}_n\}$ of a finite dimensional vector space V, the Gram-Schmidt orthogonalization of B is defined as $\mathbf{B}^* := \{\vec{b}_1^*, \ldots, \vec{b}_n^*\}$ where $\vec{b}_i^* = \pi_i(\vec{b}_i) = \vec{b}_i \perp \{\vec{b}_1, \ldots, \vec{b}_{i-1}\}$ for each i from 1 to n.
⁵ There are several ways to define the notion of norm (or length) in a Euclidean space. In this study, the norm of a vector will usually be understood as the square root of the sum of the squared components.
We shall make a remark that if $\mathbf{B}^* = \{\vec{b}_1^*, \ldots, \vec{b}_n^*\}$ is the orthogonalization of $\mathbf{B} = \{\vec{b}_1, \ldots, \vec{b}_n\}$, then $\operatorname{span}(\vec{b}_1^*, \ldots, \vec{b}_i^*) = \operatorname{span}(\vec{b}_1, \ldots, \vec{b}_i)$ for all i = 1, ..., n. Furthermore, the vectors in B* are linearly independent if and only if those in B are linearly independent.
Given a lattice basis B, B* is a basis for the vector space span(B). However, it is important to note that B* is not necessarily a lattice basis for L(B). In general, the vectors in B* may not even be in L(B).
Example 2.4.4. Let B = {(2, 0), (1, 2)} be a lattice basis for L(B). The Gram-Schmidt orthogonalization of B is B* = {(2, 0), (0, 2)}. Note that the vector (0, 2) is not in L(B).
[Figure 2.6: The orthogonalization of a lattice basis may not generate the same lattice: $\vec{b}_1^* = \vec{b}_1 = (2, 0)$, $\vec{b}_2 = (1, 2)$, $\vec{b}_2^* = (0, 2)$.]
It is useful for us to have a recursive formula for computing the Gram-Schmidt orthogonalization of any sequence of vectors.
Proposition 2.4.3 (Gram-Schmidt Procedure). Given any sequence of vectors $\mathbf{B} = \{\vec{b}_1, \ldots, \vec{b}_n\}$ in $\mathbb{R}^n$, the Gram-Schmidt orthogonalization of B is given by the following method:
$$\vec{b}_i^* = \vec{b}_i - \sum_{j < i} \mu_{i,j}\,\vec{b}_j^*, \qquad \text{where } \mu_{i,j} = \frac{\langle \vec{b}_i, \vec{b}_j^* \rangle}{\langle \vec{b}_j^*, \vec{b}_j^* \rangle}.$$
Proof. The verification of this procedure can be found in any Linear Algebra text. Please refer to [Axl97, p. 108-110] for the complete proof. Q.E.D
Even though this procedure will not give us a new lattice basis for any given lattice, it serves as a motivation and useful tool for developing similar techniques which may give us nice lattice bases⁶. One such popular method for reducing lattice bases is the LLL algorithm, which will be discussed in Section 2.4.5.
2.4.3 Determinant
For any lattice basis $\mathbf{B} = \{\vec{b}_1, \ldots, \vec{b}_n\}$, we define the fundamental parallelepiped of B, denoted P(B), as the set of points
$$\mathcal{P}(\mathbf{B}) = \Big\{\sum_{i=1}^{n} x_i\vec{b}_i : 0 \le x_i < 1\ \forall i\Big\}.$$
From the definition above, the fundamental parallelepiped of B is half-open. So, the collection of parallelepipeds
$$\{\mathcal{P}(\mathbf{B}) + \vec{v} : \vec{v} \in \mathcal{L}(\mathbf{B})\}$$
is a partition of the whole vector space span(B).
Definition 2.4.8. Given a lattice basis $\mathbf{B} = \{\vec{b}_1, \ldots, \vec{b}_n\}$ and its Gram-Schmidt orthogonalization B*, we define the determinant of the lattice L(B) generated by B, denoted det(L(B)), to be the n-dimensional volume of the fundamental parallelepiped⁷ of B. That is,
$$\det(\mathcal{L}(\mathbf{B})) = \operatorname{vol}(\mathcal{P}(\mathbf{B})) = \prod_{i=1}^{n} \|\vec{b}_i^*\|.$$
The volume of any fundamental parallelepiped can be computed by taking the product of the Euclidean norms of the vectors in the Gram-Schmidt orthogonalization B* of B. In a 2-dimensional setting, the area (or 2-dimensional volume) of a parallelepiped is the product of the base length and the height. Thus, we can change the parallelepiped into a rectangle and compute the area of the rectangle. It is not hard to see, in fact, that they have the same area. In higher dimensional spaces, the idea is the same: from the original basis that is associated with the fundamental parallelepiped, we construct an associated n-dimensional "rectangle" via computing B*. The n-dimensional volume of the original parallelepiped is not changed by the Gram-Schmidt procedure [LLM15, p. 182-184].
⁶ In the lattice setting, it does not make sense to find orthogonal lattice vectors; however, we would like to find a nice basis in which the angles between the vectors are as close to 90 degrees as possible.
⁷ The 1-dimensional volume is length, 2-dimensional volume is area, and 3-dimensional volume is just volume in the traditional sense.
[Figure 2.7: The area of the parallelepiped spanned by $\vec{b}_1 = (2, 1)$ and $\vec{b}_2 = (1, 2)$ is the same as the area of the rectangle whose edges are the Gram-Schmidt vectors $\vec{b}_1^* = (2, 1)$ and $\vec{b}_2^* = (-0.6, 1.2)$; both equal $\det(\mathcal{L}(\mathbf{B})) = \operatorname{vol}(\mathcal{P}(\mathbf{B})) = \prod_{i=1}^{n} \|\vec{b}_i^*\|$.]
The next theorem is well-known as the Hadamard Inequality, which gives us an upper bound for the determinant of any lattice with respect to its basis.
Theorem 2.4.2. Let B be a lattice basis. Then
$$\det(\mathcal{L}(\mathbf{B})) \le \prod_{i=1}^{n} \|\vec{b}_i\|.$$
Proof. Since $\|\vec{b}_i^*\| \le \|\vec{b}_i\|$ for all i, $\det(\mathcal{L}(\mathbf{B})) = \prod_{i=1}^{n} \|\vec{b}_i^*\| \le \prod_{i=1}^{n} \|\vec{b}_i\|$. Q.E.D
We will now show an important fact, namely that the lattice's determinant is independent of the lattice basis. That is,
Theorem 2.4.3. Let B and C be bases which generate the same lattice, i.e., L(B) = L(C). Then
$$\det(\mathcal{L}(\mathbf{B})) = \det(\mathcal{L}(\mathbf{C})) = \operatorname{vol}(\mathcal{P}(\mathbf{B})) = \operatorname{vol}(\mathcal{P}(\mathbf{C})).$$
Lemma 2.4.4. Given any lattice basis B, $\det(\mathcal{L}(\mathbf{B})) = \sqrt{\det(\mathbf{B}^\top\mathbf{B})}$. In particular, if B is a square matrix, then $\det(\mathcal{L}(\mathbf{B})) = |\det(\mathbf{B})|$.
Proof of Lemma 2.4.4. [Mic14c, p. 11-12] In matrix notation, we have that B = B*T, where T is an upper triangular matrix with ones on the diagonal. Thus,
$$\sqrt{\det(\mathbf{B}^\top\mathbf{B})} = \sqrt{\det((\mathbf{B}^*\mathbf{T})^\top(\mathbf{B}^*\mathbf{T}))} = \sqrt{\det(\mathbf{T}^\top\mathbf{B}^{*\top}\mathbf{B}^*\mathbf{T})} = \sqrt{\det(\mathbf{T}^\top)\det(\mathbf{B}^{*\top}\mathbf{B}^*)\det(\mathbf{T})}.$$
It is well-known that the determinant of any upper triangular matrix is the product of its diagonal entries. Hence, $\det(\mathbf{T}) = \det(\mathbf{T}^\top) = 1$. Since the columns (vectors) of B* are pairwise orthogonal, $\mathbf{B}^{*\top}\mathbf{B}^*$ is a diagonal matrix. So, its determinant is also the product of its diagonal entries. That is,
$$\det(\mathbf{B}^{*\top}\mathbf{B}^*) = \prod_{i=1}^{n} \langle \vec{b}_i^*, \vec{b}_i^* \rangle = \Big(\prod_{i=1}^{n} \|\vec{b}_i^*\|\Big)^2 = \det(\mathcal{L}(\mathbf{B}))^2.$$
Thus,
$$\det(\mathcal{L}(\mathbf{B})) = \sqrt{\det(\mathbf{B}^{*\top}\mathbf{B}^*)} = \sqrt{\det(\mathbf{B}^\top\mathbf{B})}$$
as desired. Q.E.D
Proof of Theorem 2.4.3. Since B and C are two bases of the same lattice, there exists an integer matrix U of determinant ±1 such that B = CU. Then
$$\det(\mathbf{B}^\top\mathbf{B}) = \det((\mathbf{C}\mathbf{U})^\top(\mathbf{C}\mathbf{U})) = \det(\mathbf{U}^\top)\det(\mathbf{C}^\top)\det(\mathbf{C})\det(\mathbf{U}) = \det(\mathbf{C}^\top\mathbf{C})$$
since $\det(\mathbf{U}) = \det(\mathbf{U}^\top) = \pm 1$. By Lemma 2.4.4,
$$\det(\mathcal{L}(\mathbf{B})) = \sqrt{\det(\mathbf{B}^\top\mathbf{B})} = \sqrt{\det(\mathbf{C}^\top\mathbf{C})} = \det(\mathcal{L}(\mathbf{C})).$$
Q.E.D
2.4.4 The Shortest Vector Problem
Given a lattice L, we are interested in finding a vector in L whose length is the shortest among all nonzero vectors in L. This is a significant quantity associated to L, just like the determinant of L. However, unlike the determinant, there is no known efficient algorithm for finding the shortest nonzero vectors in lattices in a general setting. For lattices with small dimensions, this is not a very hard task, as some current algorithms can do it in a matter of seconds or minutes. Nevertheless, the problem becomes hard as the dimension of the lattice gets large. In this section, we will formally discuss the Shortest Vector Problem and provide some bounds for this quantity [Mic14b].
Definition 2.4.9. Let L be a lattice. We define the minimum distance of L, denoted λ(L), to be the smallest distance between any two distinct points in L. That is,
$$\lambda(L) = \inf\{\|\vec{x} - \vec{y}\| : \vec{x} \ne \vec{y} \in L\}.$$
Since a lattice L is an additive subgroup of Rn, it is closed under addition and additive inverses. Thus, for any $\vec{x}, \vec{y} \in L$, $\vec{x} - \vec{y}$ is also a vector in L; that is, there is $\vec{v} \in L$ such that $\vec{v} = \vec{x} - \vec{y}$. Since we also suppose that $\vec{x} \ne \vec{y}$, $\vec{v}$ is a nonzero vector. Therefore, the minimum distance of L is the length of the shortest nonzero vector in L. That is,
$$\lambda(L) = \inf\{\|\vec{v}\| : \vec{v} \ne \vec{0},\ \vec{v} \in L\}.$$
[Figure 2.8: The minimum distance λ(L) of L is the length of the shortest nonzero vector in L. Note that the shortest vector is not unique.]
It is reasonable to question the existence of a vector $\vec{v} \in L$ with length λ(L).
Proposition 2.4.4. Given a lattice L, there exists a nonzero vector $\vec{v} \in L$ such that $\|\vec{v}\| = \lambda(L)$.
Proof. [Mic14b, p. 2-3] Let B be a lattice basis of L and consider the Gram-Schmidt orthogonalization B* of B. Let $\vec{v}$ be a nonzero vector in L(B). Thus, there exists a nonzero vector $\vec{x} \in \mathbb{Z}^n$ such that $\vec{v} = \mathbf{B}\vec{x}$. Suppose that k is the largest index such that the entry $x_k$ of $\vec{x}$ is nonzero. Consider the inner product $\langle \vec{v}, \vec{b}_k^* \rangle$. Then
$$\langle \vec{v}, \vec{b}_k^* \rangle = \langle \mathbf{B}\vec{x}, \vec{b}_k^* \rangle = \sum_{i=1}^{k} \langle \vec{b}_i x_i, \vec{b}_k^* \rangle = \langle \vec{b}_k x_k, \vec{b}_k^* \rangle = x_k \langle \vec{b}_k, \vec{b}_k^* \rangle \ge x_k \|\vec{b}_k^*\|^2.$$
Note that $\langle \vec{b}_i x_i, \vec{b}_k^* \rangle = 0$ for all i < k since $\vec{b}_i$ is orthogonal to $\vec{b}_k^*$ for i < k. Apply the Cauchy-Schwarz inequality to get that
$$\|\mathbf{B}\vec{x}\|\,\|\vec{b}_k^*\| \ge \big|\langle \mathbf{B}\vec{x}, \vec{b}_k^* \rangle\big| \ge |x_k|\,\|\vec{b}_k^*\|^2.$$
Since $x_k$ is nonzero and is in Z, $|x_k| \ge 1$. Thus,
$$\|\mathbf{B}\vec{x}\|\,\|\vec{b}_k^*\| \ge \|\vec{b}_k^*\|^2. \tag{1}$$
Dividing both sides of (1) by $\|\vec{b}_k^*\|$, we obtain
$$\|\mathbf{B}\vec{x}\| \ge \|\vec{b}_k^*\|.$$
Note that
$$\|\mathbf{B}\vec{x}\| \ge \|\vec{b}_k^*\| \ge \min_{i=1,\ldots,n} \|\vec{b}_i^*\|.$$
Therefore, for any nonzero $\vec{v} \in \mathcal{L}(\mathbf{B})$,
$$\|\vec{v}\| \ge \min_{i=1,\ldots,n} \|\vec{b}_i^*\|.$$
That is, $\min_{i=1,\ldots,n} \|\vec{b}_i^*\|$ is a lower bound on the length of any nonzero lattice point in L(B). Note that $\min_{i=1,\ldots,n} \|\vec{b}_i^*\|$ depends on the choice of basis B.
Let S be an n-dimensional sphere centered at the origin with radius 1.5λ(L(B)). Since $\lambda(\mathcal{L}(\mathbf{B})) = \inf\{\|\vec{v}\| : \vec{v} \ne \vec{0},\ \vec{v} \in \mathcal{L}(\mathbf{B})\}$ and 1.5λ(L(B)) > λ(L(B)), we can restrict the vectors of L(B) in the definition of λ(L(B)) to just the vectors within the sphere S.
It is not hard to see that S has finite n-dimensional volume. Now, let us consider smaller n-dimensional open spheres of radius λ(L(B))/2 centered at the lattice points within S. Since λ(L(B)) is the shortest distance between any two lattice points, these small open spheres are disjoint and have finite volume. The volume of S is bounded from below by the volume of the n-dimensional cube of side length 1.5λ(L(B)) contained in S, that is, (1.5λ(L(B)))ⁿ; it is also bounded from above by the volume of an n-dimensional cube of side 3λ(L(B)) containing S, i.e., (3λ(L(B)))ⁿ. Similarly, the volume of each of the small open spheres is at least (λ(L(B))/2)ⁿ and is at most (λ(L(B)))ⁿ. Thus, the number of lattice points contained in S must be between 1 and 3ⁿ. This means that S contains a finite number of lattice points. Hence, we can rewrite the definition of λ(L(B)) as follows:
$$\lambda(\mathcal{L}(\mathbf{B})) = \inf\{\|\vec{v}\| : \vec{v} \ne \vec{0},\ \vec{v} \in \mathcal{L}(\mathbf{B})\} = \min\{\|\vec{v}\| : \vec{v} \ne \vec{0},\ \vec{v} \in S \cap \mathcal{L}(\mathbf{B})\}.$$
Since there is at least one lattice point in S, a point in S with norm λ(L(B)) must always exist. This proves the existence of a shortest nonzero vector in the lattice L(B). Q.E.D
Given any lattice L, we have managed to show that there exists a nonzero vector with shortest norm in L. This raises an important question in the study of lattice-based cryptography: how hard is it to find such a vector in general lattices, especially when the lattice dimension gets very large?
Definition 2.4.10. Given a lattice L, the Shortest Vector Problem, or SVP, asks to find a nonzero vector $\vec{v}$ in L such that $\|\vec{v}\| = \lambda(L)$.
At the time this thesis is written, there is no known efficient algorithm for solving SVP in general lattices [Mic14b, p. 4]. A problem related to the exact SVP is the γ-approximate SVP, which is defined as follows.
Definition 2.4.11. Given a lattice L and γ ≥ 1, the γ-approximate Shortest Vector Problem, or γ-approx SVP, asks to find a nonzero vector $\vec{v}$ in L such that $\|\vec{v}\|$ is at most γ · λ(L).
For γ = 1, the γ-approximate SVP is the same as the exact SVP.
It has been shown that the γ-approx SVP is NP-hard for γ = O(1) [Kho05] and for $\gamma = n^{o(1)}$ [Din01], where n is the dimension of the lattice. The hardness of SVP in lattices with additional properties and structures such as ideal lattices and cyclic lattices is currently unknown. It is assumed that SVP on ideal lattices is as hard as the exact SVP for general lattices [MR09, p. 162], which makes ideal lattices an attractive source for constructing new cryptosystems.
2.4.5 LLL Basis Reduction
Given a lattice L(B) with basis B, the Shortest Vector Problem asks us to find a nonzero lattice vector $\vec{x} \in \mathcal{L}(\mathbf{B})$ of shortest length λ, i.e., for all nonzero $\vec{y} \in \mathcal{L}(\mathbf{B})$, $\|\vec{x}\| \le \|\vec{y}\|$. At the time of this study, "no effective algorithm is known to find the shortest vector in a lattice, or even just compute its length λ" [MR09]. We are also interested in the problem of finding an approximate solution of the shortest vector, i.e., a vector $\vec{x}$ in L(B) such that $\|\vec{x}\| \le \gamma\lambda$ for some approximation factor γ = Poly(n) ∈ R where n is the dimension of the given lattice. Note that when γ = 1, $\vec{x}$ is a shortest vector. An important tool for studying this problem is the LLL algorithm⁸, which runs in polynomial time and finds an approximate solution $\vec{x}$ of the shortest vector problem [MR09, p. 148]; the norm of the approximate solution $\vec{x}$ given by this algorithm is at most γλ for some approximation factor γ, which (as we will see) is exponential in terms of the dimension of the lattice [MR09, p. 148]. In fact, the LLL algorithm transforms an input lattice basis B into another basis of the same lattice in which the first vector of this new basis is our approximate solution $\vec{x}$. The output basis is said to be δ-LLL reduced for some parameter 1/4 < δ < 1.
Definition 2.4.12. Given a lattice basis $\mathbf{B} = \{\vec{b}_1, \ldots, \vec{b}_n\} \in \mathbb{R}^{m \times n}$, let $\mathbf{B}^* = \{\vec{b}_1^*, \ldots, \vec{b}_n^*\}$ be its Gram-Schmidt orthogonal basis and let
$$\mu_{i,j} = \frac{\langle \vec{b}_i, \vec{b}_j^* \rangle}{\langle \vec{b}_j^*, \vec{b}_j^* \rangle}, \quad \text{for all } 1 \le j < i \le n,$$
be the Gram-Schmidt coefficients. For each 1 ≤ i ≤ n, we define $\pi_i$ to be the projection map
$$\pi_i(\vec{x}) = \sum_{j=i}^{n} \frac{\langle \vec{x}, \vec{b}_j^* \rangle}{\langle \vec{b}_j^*, \vec{b}_j^* \rangle}\,\vec{b}_j^*$$
for all vectors $\vec{x} \in \mathbb{R}^m$. Then we say that B is δ-LLL reduced with 1/4 < δ < 1 if the two following conditions are both satisfied:
• ("Size Reduction") $|\mu_{i,j}| \le \frac{1}{2}$ for all i > j, and
• ("the Lovász Condition") $\delta\,\|\pi_i(\vec{b}_i)\|^2 \le \|\pi_i(\vec{b}_{i+1})\|^2$ for every pair $\vec{b}_i$ and $\vec{b}_{i+1}$, i.e., for all 1 ≤ i < n.
Note that in this definition, $\vec{b}_j^*$ is the j-th vector of the orthogonal basis B*, the output of the Gram-Schmidt procedure with basis B as input. In addition, the projection map $\pi_i(\vec{x})$ sums up the components of $\vec{x}$ that are parallel to each of the $\vec{b}_j^*$ for j from i to n. Thus, it is not hard to see that $\pi_i(\vec{b}_i) = \vec{b}_i^*$.
⁸ The LLL (short for Lenstra-Lenstra-Lovász) algorithm is named after its three inventors Arjen Lenstra, Hendrik Lenstra, and László Lovász [LLL82].
As mentioned, a δ-LLL reduced basis is interesting to study because the first vector of this basis has length at most the shortest length λ scaled by some approximation factor γ.
Theorem 2.4.5. For any 1/4 < δ ≤ 1, if B is a δ-LLL reduced basis then
$$\|\vec{b}_1\| \le \alpha^{(n-1)/2}\lambda, \qquad \text{where } \alpha = \frac{1}{\delta - \frac{1}{4}} \ge \frac{4}{3}.$$
Proof. [Mic14a, p. 2-3] Let $\mathbf{B} = \{\vec{b}_1, \ldots, \vec{b}_n\}$ be a δ-LLL reduced basis and denote by $\mathbf{B}^* = \{\vec{b}_1^*, \ldots, \vec{b}_n^*\}$ the Gram-Schmidt orthogonal basis of the vector space spanned by B.
By using certain properties of the inner product, one can show that
$$\|\pi_i(\vec{b}_{i+1})\|^2 = \|\vec{b}_{i+1}^*\|^2 + (\mu_{i+1,i})^2\,\|\vec{b}_i^*\|^2$$
as follows. Recall that given any vectors $\vec{u}, \vec{v}, \vec{w}$ and any constant a ∈ R,
$$\|\vec{u}\|^2 = \langle \vec{u}, \vec{u} \rangle, \tag{1}$$
$$\langle \vec{u} + \vec{v}, \vec{w} \rangle = \langle \vec{u}, \vec{w} \rangle + \langle \vec{v}, \vec{w} \rangle, \tag{2}$$
and
$$\|a\vec{u}\| = |a|\,\|\vec{u}\|. \tag{3}$$
By definition,
$$\pi_i(\vec{b}_{i+1}) = \sum_{j=i}^{n} \frac{\langle \vec{b}_{i+1}, \vec{b}_j^* \rangle}{\langle \vec{b}_j^*, \vec{b}_j^* \rangle}\,\vec{b}_j^* = \frac{\langle \vec{b}_{i+1}, \vec{b}_i^* \rangle}{\langle \vec{b}_i^*, \vec{b}_i^* \rangle}\,\vec{b}_i^* + \sum_{j=i+1}^{n} \frac{\langle \vec{b}_{i+1}, \vec{b}_j^* \rangle}{\langle \vec{b}_j^*, \vec{b}_j^* \rangle}\,\vec{b}_j^* = \mu_{i+1,i}\,\vec{b}_i^* + \pi_{i+1}(\vec{b}_{i+1}) = \mu_{i+1,i}\,\vec{b}_i^* + \vec{b}_{i+1}^*.$$
Hence, $\|\pi_i(\vec{b}_{i+1})\|^2 = \|\vec{b}_{i+1}^* + \mu_{i+1,i}\vec{b}_i^*\|^2$. The right-hand side of this equation can be unpacked with property (1) so that
$$\|\vec{b}_{i+1}^* + \mu_{i+1,i}\vec{b}_i^*\|^2 = \langle \vec{b}_{i+1}^* + \mu_{i+1,i}\vec{b}_i^*,\ \vec{b}_{i+1}^* + \mu_{i+1,i}\vec{b}_i^* \rangle. \tag{*}$$
After applying property (2) twice, we have
$$(*) = \langle \vec{b}_{i+1}^*, \vec{b}_{i+1}^* \rangle + \langle \vec{b}_{i+1}^*, \mu_{i+1,i}\vec{b}_i^* \rangle + \langle \mu_{i+1,i}\vec{b}_i^*, \vec{b}_{i+1}^* \rangle + \langle \mu_{i+1,i}\vec{b}_i^*, \mu_{i+1,i}\vec{b}_i^* \rangle. \tag{**}$$
On the right side of equation (**), since $\vec{b}_i^*$ and $\vec{b}_{i+1}^*$ are orthogonal, $\langle \vec{b}_{i+1}^*, \mu_{i+1,i}\vec{b}_i^* \rangle$ and $\langle \mu_{i+1,i}\vec{b}_i^*, \vec{b}_{i+1}^* \rangle$ are equal to 0. Therefore,
$$(**) = \langle \vec{b}_{i+1}^*, \vec{b}_{i+1}^* \rangle + \langle \mu_{i+1,i}\vec{b}_i^*, \mu_{i+1,i}\vec{b}_i^* \rangle = \|\vec{b}_{i+1}^*\|^2 + \|\mu_{i+1,i}\vec{b}_i^*\|^2 = \|\vec{b}_{i+1}^*\|^2 + (\mu_{i+1,i})^2\,\|\vec{b}_i^*\|^2$$
by properties (1) and (3). We have shown that
$$\|\pi_i(\vec{b}_{i+1})\|^2 = \|\vec{b}_{i+1}^*\|^2 + (\mu_{i+1,i})^2\,\|\vec{b}_i^*\|^2.$$
This is very useful since we now have a way to write the Lovász Condition in terms of $\vec{b}_i^*$ and $\vec{b}_{i+1}^*$. That is,
$$\delta\,\|\vec{b}_i^*\|^2 = \delta\,\|\pi_i(\vec{b}_i)\|^2 \le \|\pi_i(\vec{b}_{i+1})\|^2 = \|\vec{b}_{i+1}^*\|^2 + (\mu_{i+1,i})^2\,\|\vec{b}_i^*\|^2.$$
Thus,
$$\big(\delta - (\mu_{i+1,i})^2\big)\,\|\vec{b}_i^*\|^2 \le \|\vec{b}_{i+1}^*\|^2,$$
which is an equivalent version of the Lovász Condition. Note that $(\mu_{i+1,i})^2 \le \frac{1}{4}$ since size reduction enforces that $|\mu_{i+1,i}|$ must be at most $\frac{1}{2}$ for any i. Therefore, the Lovász Condition makes sure that the lengths of successive vectors in B* do not decrease too quickly, i.e., $\|\vec{b}_{i+1}^*\|^2$ must be at least $(\delta - (\mu_{i+1,i})^2)$ times $\|\vec{b}_i^*\|^2$, a factor bounded below by $\delta - \frac{1}{4} > 0$, for all i. Furthermore,
$$\|\vec{b}_i^*\|^2 \le \frac{1}{\delta - \mu_{i+1,i}^2}\,\|\vec{b}_{i+1}^*\|^2 \le \frac{1}{\delta - \frac{1}{4}}\,\|\vec{b}_{i+1}^*\|^2 = \alpha\,\|\vec{b}_{i+1}^*\|^2, \qquad \text{where } \alpha := \frac{1}{\delta - \frac{1}{4}} > \frac{4}{3} \text{ since } \frac{1}{4} < \delta < 1.$$
Recursively, we have that
$$\|\vec{b}_1^*\|^2 \le \alpha\,\|\vec{b}_2^*\|^2 \le \alpha^2\,\|\vec{b}_3^*\|^2 \le \cdots \le \alpha^{i-1}\,\|\vec{b}_i^*\|^2 \le \alpha^{n-1}\,\|\vec{b}_n^*\|^2.$$
In addition, remember that $\vec{b}_1^* = \vec{b}_1$ by definition. Therefore,
$$\|\vec{b}_1\|^2 \le \alpha^{i-1}\,\|\vec{b}_i^*\|^2 \le \alpha^{n-1}\,\|\vec{b}_n^*\|^2 \tag{4}$$
for all i ∈ {1, ..., n}.
Now, let $\vec{b}_i^*$ be a vector in B* such that
$$\|\vec{b}_i^*\| = \min_{j \in \{1,\ldots,n\}} \big\{\|\vec{b}_j^*\|\big\},$$
that is, $\vec{b}_i^*$ is the shortest vector in the orthogonal set B*. By (4),
$$\|\vec{b}_1\|^2 \le \alpha^{i-1}\,\|\vec{b}_i^*\|^2 \le \alpha^{n-1}\,\|\vec{b}_i^*\|^2$$
because $\alpha > \frac{4}{3} > 1$ and i ≤ n. Hence,
$$\|\vec{b}_1\| \le \alpha^{(n-1)/2}\,\|\vec{b}_i^*\|.$$
Recall from our prior study that the length of the shortest vector λ of a lattice is bounded from below by $\min_{j \in \{1,\ldots,n\}} \{\|\vec{b}_j^*\|\}$. Hence,
$$\|\vec{b}_1\| \le \alpha^{(n-1)/2}\lambda.$$
Q.E.D
Our journey has served us well as we have shown that the first vector of a δ-LLL reduced basis B has length at most $\alpha^{(n-1)/2}\lambda$, where n is the dimension of L(B), λ is the length of the shortest vector in L(B), and α is a constant depending on 1/4 < δ ≤ 1. That is, $\|\vec{b}_1\|$ is a solution of the γ-approx SVP for $\gamma = \alpha^{(n-1)/2}$.
2.4.6 The LLL Algorithm
In the previous section, we learned about δ-LLL reduced basis and why such basis is interesting
to study. In a sense, it provides us an approximate solution for the shortest vector problem. In this
section, we will explore the LLL algorithm named after A.K. Lenstra, H.W. Lenstra, and Lovasz.
This algorithmic program turns any lattice basis into a δ-LLL reduced one which generates the
same lattice. Briefly speaking, the algorithm performs two important tasks, namely size reducing
and maintaining the Lovasz Condition, so that the final output will satisfy both axioms in Definition
2.4.12 of an LLL reduced basis. The LLL algorithm was first presented in [LLL82] as a method
for factoring polynomials with rational coefficients. In this section, we will follow the exposition
provided by Micciancio in [Mic14a].
In order to achieve size reduction, we use a modified version of the Gram-Schmidt procedure
described as follows.
Size Reduction Procedure

Let $B = \{\vec b_1, \dots, \vec b_n\}$ be a lattice basis. First, we compute the Gram-Schmidt orthogonal basis $B^* = \{\vec b^*_1, \dots, \vec b^*_n\}$ without normalizing the vectors in $B^*$.⁹

For any vector $\vec b_i$ in $B$ with $2 \le i \le n$, we size reduce $\vec b_i$ with respect to each vector $\vec b_j$ with $1 \le j < i$, taking $j$ in decreasing order $j = i-1, i-2, \dots, 1$. The order matters: replacing $\vec b_i$ by $\vec b_i - c\,\vec b_j$ changes the coefficients $\mu_{i,k}$ only for $k \le j$ (because $\vec b_j$ lies in the span of $\vec b^*_1, \dots, \vec b^*_j$), so a coefficient $\mu_{i,j}$ that has already been reduced is never disturbed by the later steps with smaller $j$. To reduce $\vec b_i$ using $\vec b_j$, we compute the nearest integer to $\mu_{i,j} = \langle \vec b_i, \vec b^*_j\rangle / \langle \vec b^*_j, \vec b^*_j\rangle$ (taken from the current $\vec b_i$),
$$\lfloor \mu_{i,j}\rceil := \begin{cases} \lfloor \mu_{i,j}\rfloor & \text{if } \mu_{i,j} - \lfloor \mu_{i,j}\rfloor < \tfrac12, \\[2pt] \lceil \mu_{i,j}\rceil & \text{if } \mu_{i,j} - \lfloor \mu_{i,j}\rfloor \ge \tfrac12, \end{cases}$$
and then replace the original $\vec b_i$ with $\vec b_i - \lfloor \mu_{i,j}\rceil\,\vec b_j$, that is,
$$\vec b_i \leftarrow \vec b_i - \lfloor \mu_{i,j}\rceil\,\vec b_j.$$
This gives us a new vector $\vec b_i$, as well as a new basis $B$, such that $|\mu_{i,j}| \le \tfrac12$. Note that $\mu_{i,j}$, as well as each $\mu_{i,k}$ for $k < j$, changes whenever we modify $\vec b_i$, so these coefficients must be recomputed before the next step. On the other hand, if $|\mu_{i,j}|$ is already less than $\tfrac12$, then $\lfloor \mu_{i,j}\rceil = 0$ and the vector $\vec b_i$ does not change.

We start with $j = i-1$. If $i = 2$, we are done; otherwise, we reduce the new $\vec b_i$ using $\vec b_{i-2}$ by, similarly, replacing it with
$$\vec b_i \leftarrow \vec b_i - \lfloor \mu_{i,i-2}\rceil\,\vec b_{i-2},$$
which gives a $\vec b_i$ that satisfies the size reduction condition for both $\vec b_{i-1}$ and $\vec b_{i-2}$. We repeat this step for the remaining vectors $\vec b_j$, $j = i-3, \dots, 1$; that is, for each of them we replace the current $\vec b_i$ with
$$\vec b_i \leftarrow \vec b_i - \lfloor \mu_{i,j}\rceil\,\vec b_j.$$
After reducing $\vec b_i$ with respect to $\vec b_1$, we are done with size reducing the vector $\vec b_i$, in the sense that the final $\vec b_i$ has the property that
$$|\mu_{i,j}| \le \tfrac12 \quad\text{for all } 1 \le j < i.$$

Note that $B^*$ itself does not change under size reduction: $\vec b_i$ is altered only by vectors in the span of $\vec b_1, \dots, \vec b_{i-1}$, so $\vec b^*_i$, the component of $\vec b_i$ orthogonal to that span, is unaffected. Only the coefficients $\mu_{i,j}$ change, and these are recomputed from the current $B$ and the fixed $B^*$ before we continue with size reducing the next vector $\vec b_{i+1}$.

Note also that after size reducing every vector in $B$, the final basis $B$ generates the same lattice as the original basis does, because throughout the whole procedure we only replace a basis vector with itself minus an integer multiple of another basis vector.

⁹ In this study, we will not normalize the vectors in the Gram-Schmidt orthogonal basis $B^*$.
After taking care of size reduction, we now describe the procedure for making sure that our basis satisfies the Lovasz Condition.

The Lovasz Condition

Given a size reduced basis $B$, suppose that $i$, with $1 \le i \le n-1$, is the smallest index such that the Lovasz Condition does not hold, i.e.,
$$\delta\,\|\pi_i(\vec b_i)\|^2 > \|\pi_i(\vec b_{i+1})\|^2.$$
If there is no such $i$, we are done; otherwise, we swap $\vec b_i$ and $\vec b_{i+1}$, that is,
$$\mathrm{SWAP}(\vec b_i, \vec b_{i+1}),$$
which makes the Lovasz Condition hold at position $i$ (the projection $\pi_i$ is unchanged by the swap, and $\delta \le 1$). Unfortunately, the new basis $B$ may no longer be size reduced after the swap. Hence, we then reapply the size reduction procedure and repeat the Lovasz Condition check.

The LLL algorithm alternates these two tasks, size reducing and enforcing the Lovasz Condition, until no swap is needed. We will show below that the algorithm terminates. Given the input lattice basis $B$, we denote by $B_{\delta\text{-LLL}}$ the output of the LLL algorithm. Then $B_{\delta\text{-LLL}}$ is $\delta$-LLL reduced and $L(B_{\delta\text{-LLL}}) = L(B)$.
We summarize the procedure in the algorithm below.

Algorithm 1: LLL Algorithm
Input: A lattice basis B = {b_1, ..., b_n} and 1/4 < δ < 1.
Output: A δ-LLL reduced basis B with L(B) unchanged.
repeat
    Step 1 (size reduction):
        compute the Gram-Schmidt orthogonal basis B* (without normalizing);
        for i = 2, ..., n do
            for j = i − 1, i − 2, ..., 1 do
                compute µ_{i,j} = ⟨b_i, b*_j⟩ / ⟨b*_j, b*_j⟩ from the current b_i;
                ⌊µ_{i,j}⌉ ← nearest integer to µ_{i,j};
                b_i ← b_i − ⌊µ_{i,j}⌉ b_j;
            end
        end
    Step 2 (Lovasz Condition):
        if there is an i ∈ {1, ..., n − 1} with δ ‖π_i(b_i)‖² > ‖π_i(b_{i+1})‖² then
            take the smallest such i and SWAP(b_i, b_{i+1});   (then go back to Step 1)
        else
            return B and terminate;
        end
until terminated
The following discussion provides an argument for why the LLL algorithm always terminates.

Theorem 2.4.6. Given a lattice basis $B$, the running time of the LLL algorithm on $B$ is polynomial in the lattice dimension $n$ and $\log\big(\max\{\|\vec b_i\| : \vec b_i \in B\}\big)$ [LLL82, Mic14a, Reg04].

Lemma 2.4.7. The number of iterations of the LLL algorithm is polynomial in $\max\{n, \log(\max\{\|\vec b_i\| : \vec b_i \in B\})\}$ [Reg04, Section 3, p. 5].

Lemma 2.4.8. Each iteration of the LLL algorithm runs in time polynomial in $\max\{n, \log(\max\{\|\vec b_i\| : \vec b_i \in B\})\}$ [Reg04, Section 3, p. 6].

Proof of Theorem 2.4.6. [Reg04, Mic14a] Theorem 2.4.6 follows directly from Lemma 2.4.7 and Lemma 2.4.8. Q.E.D

For simplicity, we let $M := \max\{n, \log(\max\{\|\vec b_i\| : \vec b_i \in B\})\}$.
Proof of Lemma 2.4.7. [Reg04, Section 3, p. 5-6] Given a lattice basis $B$, we would like to associate a positive integer to $B$. Let
$$D(B) := \prod_{k=1}^{n} \det\big(L(\vec b_1, \dots, \vec b_k)\big)^2 = \det(L(\vec b_1))^2 \cdot \det(L(\vec b_1, \vec b_2))^2 \cdots \det(L(\vec b_1, \dots, \vec b_n))^2.$$
Note that if $B$ is an integer basis, then each $\det(L(\vec b_1, \dots, \vec b_k))^2$ is the determinant of an integer Gram matrix and hence lies in $\mathbb Z$. Thus, $D(B) \in \mathbb Z$, and $D(B) \ge 1$ since it is positive.

We will show that $D(B)$ is multiplied by a factor smaller than $\delta$ at each swap of the algorithm. Since $\det(L(\vec b_1, \dots, \vec b_i)) = \prod_{j=1}^{i} \|\vec b^*_j\|$ for all $i$, $D(B)$ can be expressed as a product of the lengths of the vectors $\vec b^*_1, \dots, \vec b^*_n$ of the Gram-Schmidt orthogonalization of $B$. At each size reduction step, the Gram-Schmidt basis does not change; thus, the value $D(B)$ is not affected by the reduction step. Thus, we must only consider the swap step due to the Lovasz Condition.

Let us consider a specific instance of swapping $\vec b_i$ and $\vec b_{i+1}$. For all $j \ne i$, the lattice $L(\vec b_1, \dots, \vec b_j)$ remains the same before and after the swap (for $j < i$ the vectors are untouched, and for $j > i$ only their order changes). Thus, $\det(L(\vec b_1, \dots, \vec b_j))$ does not change because of the swap. Only $\det(L(\vec b_1, \dots, \vec b_i))$ changes, as $\vec b_i$ is replaced by $\vec b_{i+1}$.

Let us denote the basis after the $k$-th iteration by $B^{(k)}$, with $B^{(0)} = B$. Without loss of generality, suppose that $B^{(k)} = \{\vec b_1, \dots, \vec b_i, \vec b_{i+1}, \dots, \vec b_n\}$ and $B^{(k+1)} = \{\vec b_1, \dots, \vec b_{i+1}, \vec b_i, \dots, \vec b_n\}$. Then, we have that
$$\frac{D(B^{(k)})}{D(B^{(k+1)})} = \frac{\det(L(\vec b_1, \dots, \vec b_i))^2}{\det(L(\vec b_1, \dots, \vec b_{i-1}, \vec b_{i+1}))^2}. \qquad (*)$$
By Definition 2.4.8, we have that
$$\det(L(\vec b_1, \dots, \vec b_i))^2 = \prod_{j=1}^{i} \|\vec b^*_j\|^2 \quad\text{and}\quad \det(L(\vec b_1, \dots, \vec b_{i-1}, \vec b_{i+1}))^2 = \Big(\prod_{j=1}^{i-1} \|\vec b^*_j\|^2\Big)\,\|\pi_i(\vec b_{i+1})\|^2.$$
Hence,
$$\frac{D(B^{(k)})}{D(B^{(k+1)})} = (*) = \frac{\prod_{j=1}^{i} \|\vec b^*_j\|^2}{\big(\prod_{j=1}^{i-1} \|\vec b^*_j\|^2\big)\,\|\pi_i(\vec b_{i+1})\|^2} = \frac{\big(\prod_{j=1}^{i-1} \|\vec b^*_j\|^2\big)\,\|\vec b^*_i\|^2}{\big(\prod_{j=1}^{i-1} \|\vec b^*_j\|^2\big)\,\|\pi_i(\vec b_{i+1})\|^2} = \frac{\|\pi_i(\vec b_i)\|^2}{\|\pi_i(\vec b_{i+1})\|^2}.$$
By the Lovasz Condition, swapping $\vec b_i$ and $\vec b_{i+1}$ indicates that
$$\delta\,\|\pi_i(\vec b_i)\|^2 > \|\pi_i(\vec b_{i+1})\|^2.$$
Therefore,
$$\frac{D(B^{(k)})}{D(B^{(k+1)})} > \frac{1}{\delta}.$$
That is, after the swap, $D(B^{(k+1)}) < \delta\,D(B^{(k)})$: the potential is reduced by a factor smaller than $\delta$. In particular,
$$\frac{D(B)}{D(B^{(1)})} > \frac{1}{\delta}.$$
Inductively, it is not hard to see that after $m$ iterations (each of which performs one swap),
$$\frac{D(B)}{D(B^{(m)})} > \frac{1}{\delta^m}.$$
For any $m$, $D(B^{(m)}) \ge 1$ because it is a positive integer; thus,
$$\delta^m D(B) > D(B^{(m)}) \ge 1.$$
Therefore,
$$D(B) > \frac{1}{\delta^m} = \Big(\frac{1}{\delta}\Big)^m.$$
It follows that
$$\log_{1/\delta}(D(B)) > m,$$
which holds for every number $m$ of iterations performed. Thus, the number of iterations is bounded from above by
$$\log_{1/\delta}(D(B)) = \frac{\log(D(B))}{\log(1/\delta)} \le \frac{1}{\log(1/\delta)}\,\log\Big(\big(\max_i\{\|\vec b_i\|\}\big)^{n(n+1)}\Big) = \frac{1}{\log(1/\delta)}\,n(n+1)\,\log\big(\max_i\{\|\vec b_i\|\}\big),$$
since $D(B) \le \big(\max_i\{\|\vec b_i\|\}\big)^{n(n+1)}$: by the definition of $D$ and the fact that $\det(L(\vec b_1, \dots, \vec b_k)) = \prod_{j=1}^{k} \|\vec b^*_j\| \le \prod_{j=1}^{k} \|\vec b_j\|$ for all $k$, each factor $\det(L(\vec b_1, \dots, \vec b_k))^2$ is at most $(\max_i\{\|\vec b_i\|\})^{2k}$, and $\sum_{k=1}^{n} 2k = n(n+1)$.

Since $\frac14 < \delta < 1$, $\log(1/\delta)$ is a positive constant, so
$$\frac{1}{\log(1/\delta)}\,n(n+1)\,\log\big(\max_i\{\|\vec b_i\|\}\big)$$
is a polynomial in $M$. Q.E.D

Proof of Lemma 2.4.8. In the algorithm, the binary operations such as addition or multiplication clearly take polynomial time in the size of their inputs, and it is not hard to see that the number of these operations in each iteration is also polynomial. Thus, it is enough to show that the numbers that arise in each iteration can be represented using a polynomial number of bits [Reg04, p. 6]. We refer the reader to [Mic14a, Section 3.2, p. 8] and [Reg04, p. 6-8] for the complete argument. Q.E.D
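The following Python implementation of Algorithm 1, added here as an illustration (it is not the thesis's own code and it does not use MAGMA), runs the size reduction and swap steps with exact rational arithmetic and also records the potential $D(B)$ of Lemma 2.4.7 after every swap, so that the decrease by a factor smaller than $\delta$ can be observed directly. The function names (`lll`, `gram_schmidt`, `potential`, `is_lll_reduced`, `det_squared`) are this example's own; the sample basis in the `__main__` block is the basis of the cyclic lattice $\gamma((3x^2 - 2))$ from Example 3.3.3, chosen so that the output can be compared with the MAGMA result quoted there.

```python
from fractions import Fraction
from math import floor, prod


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def gram_schmidt(B):
    """Exact Gram-Schmidt orthogonalisation of the rows of B without normalising.

    Returns (Bstar, mu) with Bstar[i] = b*_i and mu[i][j] = <b_i, b*_j> / <b*_j, b*_j>.
    """
    n = len(B)
    Bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
    for i in range(n):
        v = [Fraction(x) for x in B[i]]
        for j in range(i):
            mu[i][j] = Fraction(dot(B[i], Bstar[j])) / dot(Bstar[j], Bstar[j])
            v = [a - mu[i][j] * b for a, b in zip(v, Bstar[j])]
        Bstar.append(v)
    return Bstar, mu


def nearest_int(q):
    """Nearest integer floor(q + 1/2); a tie q = m + 1/2 rounds up to m + 1."""
    return floor(q + Fraction(1, 2))


def det_squared(B):
    """det(L(B))^2 = prod_j ||b*_j||^2 (Definition 2.4.8); an integer for an integer basis."""
    Bstar, _ = gram_schmidt(B)
    return prod(dot(v, v) for v in Bstar)


def potential(B):
    """D(B) = prod_{k=1}^{n} det(L(b_1, ..., b_k))^2, the integer potential of Lemma 2.4.7."""
    Bstar, _ = gram_schmidt(B)
    return prod(prod(dot(v, v) for v in Bstar[:k]) for k in range(1, len(B) + 1))


def is_lll_reduced(B, delta=Fraction(3, 4)):
    """Definition 2.4.12: |mu_{i,j}| <= 1/2 for all j < i, and the Lovasz condition for all i."""
    Bstar, mu = gram_schmidt(B)
    n = len(B)
    size_reduced = all(abs(mu[i][j]) <= Fraction(1, 2) for i in range(n) for j in range(i))
    lovasz = all(
        delta * dot(Bstar[i], Bstar[i])
        <= dot(Bstar[i + 1], Bstar[i + 1]) + mu[i + 1][i] ** 2 * dot(Bstar[i], Bstar[i])
        for i in range(n - 1)
    )
    return size_reduced and lovasz


def lll(basis, delta=Fraction(3, 4), trace=None):
    """Algorithm 1: return a delta-LLL reduced basis of L(basis) (rows are integer vectors).

    If `trace` is a list, D(B) is appended to it after every swap, so the decrease by a
    factor smaller than delta per swap (Lemma 2.4.7) can be observed directly.
    """
    B = [[Fraction(x) for x in v] for v in basis]
    n = len(B)
    while True:
        # Step 1: size reduction.  B* is unchanged by this step, so it is computed once.
        # For each i the index j runs downwards (i-1, ..., 1): subtracting c*b_j only alters
        # mu_{i,k} for k <= j, so coefficients already brought below 1/2 stay there.
        Bstar, _ = gram_schmidt(B)
        for i in range(1, n):
            for j in range(i - 1, -1, -1):
                mu_ij = dot(B[i], Bstar[j]) / dot(Bstar[j], Bstar[j])   # from the current b_i
                c = nearest_int(mu_ij)
                if c:
                    B[i] = [a - c * b for a, b in zip(B[i], B[j])]
        # Step 2: Lovasz condition  delta*||pi_i(b_i)||^2 <= ||pi_i(b_{i+1})||^2, where
        # pi_i(b_i) = b*_i  and  ||pi_i(b_{i+1})||^2 = ||b*_{i+1}||^2 + mu_{i+1,i}^2 ||b*_i||^2.
        _, mu = gram_schmidt(B)                     # only the mu's changed in Step 1
        for i in range(n - 1):
            lhs = delta * dot(Bstar[i], Bstar[i])
            rhs = dot(Bstar[i + 1], Bstar[i + 1]) + mu[i + 1][i] ** 2 * dot(Bstar[i], Bstar[i])
            if lhs > rhs:
                B[i], B[i + 1] = B[i + 1], B[i]     # SWAP(b_i, b_{i+1}), then back to Step 1
                if trace is not None:
                    trace.append(potential(B))
                break
        else:                                       # no violation: B is delta-LLL reduced
            return [[int(x) for x in v] for v in B]


if __name__ == "__main__":
    # Constructed input: the basis of the cyclic lattice gamma((3x^2 - 2)) of Example 3.3.3.
    B0 = [(-2, 0, 3), (3, -2, 0), (0, 3, -2)]
    swaps = []
    B1 = lll(B0, delta=1, trace=swaps)
    print("1-LLL reduced basis:", B1, "reduced:", is_lll_reduced(B1, 1))
    print("D(B) before and after each swap:", [potential(B0)] + swaps)
```

With $\delta = 1$ the program returns $\{(1,1,1), (-2,0,3), (3,-2,0)\}$ for the sample basis, the same 1-LLL reduced basis that MAGMA reports in Example 3.3.3, and the recorded potentials decrease strictly; with the default $\delta = 3/4$ each recorded value is smaller than $3/4$ of the previous one, as the proof of Lemma 2.4.7 requires. Termination for $\delta = 1$ is guaranteed here because the arithmetic is exact and $D(B)$ is a positive integer that strictly decreases at every swap.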
Chapter 3
Ideal Lattices
3.1 Lattices from the Minkowski embeddings
Let K be a number field of degree n and OK be the corresponding ring of integers of K. In
addition, let σ1, . . . , σn be the embeddings of K into C and ψ be the Minkowski embedding of K
into Rn as constructed in Definition 2.3.2.
Theorem 3.1.1. The image of OK by the Minkowski Embedding ψ is an n-dimensional lattice in
Rn.
Proof. [Mar77, p. 133-135] Let $\{\alpha_1, \dots, \alpha_n\}$ be an integral basis of $O_K$. By definition, the set $\{\alpha_1, \dots, \alpha_n\}$ generates $O_K$ over $\mathbb Z$. Therefore, the image $\psi(O_K) \subset \mathbb R^n$ of $O_K$ is generated over $\mathbb Z$ by the set $\{\psi(\alpha_1), \dots, \psi(\alpha_n)\}$. To show that this set is a basis of $\psi(O_K)$, we must prove that the set is $\mathbb R$-linearly independent.

Consider the equation
$$0 = a_1\psi(\alpha_1) + \cdots + a_n\psi(\alpha_n) \in \mathbb R^n,$$
for $a_i \in \mathbb R$. By the construction of $\psi$ in terms of the field embeddings of $K$ (each coordinate of $\psi$ is either a real embedding or the real or imaginary part of a complex embedding, and the $a_i$ are real), this gives
$$0 = a_1\sigma_j(\alpha_1) + \cdots + a_n\sigma_j(\alpha_n) \in \mathbb C \quad\text{for every embedding } \sigma_j,\ j = 1, \dots, n.$$
This is a homogeneous linear system in the unknowns $a_1, \dots, a_n$ whose coefficient matrix is $(\sigma_j(\alpha_i))_{i,j}$. The square of the determinant of this matrix is the discriminant of the integral basis $\{\alpha_1, \dots, \alpha_n\}$, which is a nonzero integer [Mar77]. Hence the matrix is invertible and $a_i = 0$ for all $i$. Therefore, the set $\{\psi(\alpha_1), \dots, \psi(\alpha_n)\}$ is linearly independent over $\mathbb R$.

Since $B := \{\psi(\alpha_1), \dots, \psi(\alpha_n)\}$ generates $\psi(O_K)$ over $\mathbb Z$ and $B$ is linearly independent, $\psi(O_K) = L(B)$ is an $n$-dimensional lattice with basis $B$. Q.E.D
Corollary 3.1.1.1. Let L(B) be the n-dimensional lattice constructed via the Minkowski embed-
ding ψ of the ring of integers OK into Rn. For any nonzero ideal I of OK , ψ maps I onto a full
rank sublattice of L(B).
Proof. Let I be a nonzero ideal of OK . By [AW04, Theorem 6.5.2, Section 6.5, p. 129] and
[Sam08, p. 21], there exists a basis {α1, . . . , αn} of OK and a1, . . . , an ∈ Z such that
{a1α1, . . . , anαn} is a basis of I . Let βi := aiαi. Similar to the proof of Theorem 3.1.1, we have
that ψ(I) is generated by {β1, . . . , βn}, which is linearly independent. As a set, ψ(I) is a subset of
ψ(OK). Thus, ψ(I) is an n-dimensional, thus full-rank, sublattice of L(B) in Rn. Q.E.D
Example 3.1.1. Let $K$ be the quadratic field $\mathbb Q(\sqrt2)$ of degree 2 over $\mathbb Q$. Consider its ring of integers $O_K$. We have $O_K = \mathbb Z[\sqrt2]$ since $2 \equiv 2 \pmod 4$ (Corollary 2.2.3.2).

The embeddings of $K$ into $\mathbb C$ are
$$\sigma_1 : a + b\sqrt2 \mapsto a + b\sqrt2 \quad\text{and}\quad \sigma_2 : a + b\sqrt2 \mapsto a - b\sqrt2,$$
which are both real embeddings. Thus, the Minkowski embedding of $K$ into $\mathbb R^2$ is
$$\psi : a + b\sqrt2 \mapsto (a + b\sqrt2,\ a - b\sqrt2), \quad a, b \in \mathbb Q.$$

(1) ($I = \mathbb Z[\sqrt2]$) Let us consider the lattice generated by applying the Minkowski embedding $\psi$ to the whole ring $\mathbb Z[\sqrt2]$.

The set $\{1, \sqrt2\}$ is a basis for $\mathbb Z[\sqrt2]$. As mentioned in the proof of Theorem 3.1.1, the set
$$\{\psi(1), \psi(\sqrt2)\} = \{(\sigma_1(1), \sigma_2(1)),\ (\sigma_1(\sqrt2), \sigma_2(\sqrt2))\} = \{(1, 1),\ (\sqrt2, -\sqrt2)\}$$
is a basis for the lattice in $\mathbb R^2$ corresponding to $\mathbb Z[\sqrt2]$ via $\psi$. That is,
$$L(\mathbb Z[\sqrt2]) = L(B), \quad\text{where } B = \{(1, 1),\ (\sqrt2, -\sqrt2)\}.$$
Moreover, $B$ is already LLL reduced. It is not hard to construct other bases for this lattice. For example, $\{(1 + \sqrt2,\ 1 - \sqrt2),\ (2 + \sqrt2,\ 2 - \sqrt2)\}$ generates the same lattice. However, the angle between $(1 + \sqrt2,\ 1 - \sqrt2)$ and $(2 + \sqrt2,\ 2 - \sqrt2)$ is very small in comparison to the angle between $(1, 1)$ and $(\sqrt2, -\sqrt2)$. In fact, the LLL reduced basis of $\{(1 + \sqrt2,\ 1 - \sqrt2),\ (2 + \sqrt2,\ 2 - \sqrt2)\}$ is $B$.
Figure 3.1: The lattice $L(\mathbb Z[\sqrt2])$ with basis $\{(1, 1), (\sqrt2, -\sqrt2)\}$. (Plotted points: $(0,0)$, $(1,1)$, $(\sqrt2, -\sqrt2)$, $(1 + \sqrt2, 1 - \sqrt2)$, $(2 + \sqrt2, 2 - \sqrt2)$.)
(2) ($I = (\sqrt2)$) Now, consider the principal ideal $I$ generated by $\sqrt2$. A basis of $I = (\sqrt2)$ is $\{2, \sqrt2\}$. Thus, a basis of $L(I)$ is
$$\{(2, 2),\ (\sqrt2, -\sqrt2)\}.$$
It is not hard to see, as we expected, that $L(I)$ is a full-rank sublattice of $L(\mathbb Z[\sqrt2])$.
Figure 3.2: The lattice $L(I)$, where $I = (\sqrt2)$, with basis $\{(2, 2), (\sqrt2, -\sqrt2)\}$. (Plotted points: $(0,0)$, $(2,2)$, $(\sqrt2, -\sqrt2)$, $(2 + 2\sqrt2, 2 - 2\sqrt2)$, $(2 + \sqrt2, 2 - \sqrt2)$.)
(3) ($I_2 = (2 + 3\sqrt2)$) Let $I_2$ be the principal ideal generated by $2 + 3\sqrt2$. A basis of $I_2 = (2 + 3\sqrt2)$ is $\{2 + 3\sqrt2,\ 6 + 2\sqrt2\}$ (the second element is $\sqrt2\,(2 + 3\sqrt2)$). Thus, a basis of $L(I_2)$ is
$$\{(2 + 3\sqrt2,\ 2 - 3\sqrt2),\ (6 + 2\sqrt2,\ 6 - 2\sqrt2)\}.$$
The LLL reduced basis of this lattice is
$$\{(2 + 3\sqrt2,\ 2 - 3\sqrt2),\ (4 - \sqrt2,\ 4 + \sqrt2)\},$$
and one of the shortest vectors is $(4 - \sqrt2,\ 4 + \sqrt2)$, whose length is $\sqrt{(4 - \sqrt2)^2 + (4 + \sqrt2)^2} = \sqrt{36} = 6$.
Figure 3.3: The lattice $L(I_2)$, where $I_2 = (2 + 3\sqrt2)$. (Plotted points: $(0,0)$, $(6 + 2\sqrt2, 6 - 2\sqrt2)$, $(2 + 3\sqrt2, 2 - 3\sqrt2)$, $(4 - \sqrt2, 4 + \sqrt2)$.)
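As an added illustration (not part of the thesis, which used MAGMA for these computations), the following Python program carries out the computations of Example 3.1.1 exactly: it represents elements $a + b\sqrt d$ of $\mathbb Z[\sqrt d]$ as integer pairs, computes the Minkowski embedding, tests membership in a principal ideal $(\beta)$ through $\alpha\bar\beta \equiv 0 \pmod{N(\beta)}$, and finds a shortest vector of $L((\beta))$ by exhaustive search inside the disc of radius $\|\psi(\beta)\|$, which is sound because $\psi(\beta)$ itself lies in the lattice. It is written for a general real quadratic field $\mathbb Q(\sqrt d)$ with $d > 0$ squarefree and $d \equiv 2, 3 \pmod 4$, so that $O_K = \mathbb Z[\sqrt d]$ (Corollary 2.2.3.2); the default $d = 2$ reproduces the example. All function names are this example's own.

```python
from itertools import product
from math import isqrt, sqrt

# Elements of Z[sqrt(d)] are pairs (a, b) meaning a + b*sqrt(d).  Assumed throughout:
# d > 0 squarefree with d = 2 or 3 (mod 4), so that Z[sqrt(d)] is the full ring of integers.


def minkowski(alpha, d=2):
    """psi(a + b sqrt d) = (sigma_1(alpha), sigma_2(alpha)) = (a + b sqrt d, a - b sqrt d) in R^2."""
    a, b = alpha
    return (a + b * sqrt(d), a - b * sqrt(d))


def norm_sq(alpha, d=2):
    """||psi(alpha)||^2 = (a + b sqrt d)^2 + (a - b sqrt d)^2 = 2a^2 + 2d b^2, computed exactly."""
    a, b = alpha
    return 2 * a * a + 2 * d * b * b


def field_norm(beta, d=2):
    """N(beta) = beta * conj(beta) = a^2 - d b^2; |N(beta)| is the index [O_K : (beta)]."""
    a, b = beta
    return a * a - d * b * b


def in_principal_ideal(alpha, beta, d=2):
    """alpha in (beta)  <=>  alpha/beta in Z[sqrt d]  <=>  N(beta) divides both coordinates
    of alpha * conj(beta) = (ac - d b e) + (bc - ae) sqrt d, with alpha = a + b r, beta = c + e r."""
    a, b = alpha
    c, e = beta
    N = field_norm(beta, d)
    return (a * c - d * b * e) % N == 0 and (b * c - a * e) % N == 0


def ideal_basis(beta, d=2):
    """Z-basis {beta, beta * sqrt d} of the ideal (beta), as used in Example 3.1.1 (2) and (3)."""
    c, e = beta
    return [(c, e), (d * e, c)]


def shortest_in_ideal(beta, d=2):
    """Exact SVP for L((beta)): scan every a + b sqrt d with ||psi||^2 <= ||psi(beta)||^2
    (psi(beta) is in the lattice, so lambda^2 is at most that), keep the shortest ideal element.
    Returns (lambda^2, element)."""
    R = norm_sq(beta, d)
    best = (R, tuple(beta))
    amax, bmax = isqrt(R // 2), isqrt(R // (2 * d))       # 2a^2 <= R and 2d b^2 <= R
    for a, b in product(range(-amax, amax + 1), range(-bmax, bmax + 1)):
        if (a, b) == (0, 0):
            continue
        s = norm_sq((a, b), d)
        if s < best[0] and in_principal_ideal((a, b), beta, d):
            best = (s, (a, b))
    return best


if __name__ == "__main__":
    # Constructed inputs: the three ideals of Example 3.1.1, beta = 1, sqrt 2 and 2 + 3 sqrt 2.
    for beta in [(1, 0), (0, 1), (2, 3)]:
        s, v = shortest_in_ideal(beta)
        print(f"beta={beta}: index {abs(field_norm(beta))}, basis {ideal_basis(beta)},",
              f"shortest {v} -> psi={minkowski(v)}, length^2={s}")
```

For $\beta = 2 + 3\sqrt2$ the search returns $\lambda^2 = 36$ and the element $\pm(4 - \sqrt2)$, which is the length-6 vector $(4 - \sqrt2, 4 + \sqrt2)$ of part (3); for $\beta = \sqrt2$ it returns $\lambda^2 = 4$ (the vector $(\sqrt2, -\sqrt2)$ of part (2)). The exhaustive scan has cost linear in $\|\psi(\beta)\|^2$, so it is only a check for small examples, not a replacement for the enumeration and sieving methods discussed in Section 3.3.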
Example 3.1.2. Consider the number field $K = \mathbb Q(\zeta_n)$, where $\zeta_n$ is a primitive $n$-th root of unity. There are exactly $\varphi(n)$ embeddings of $K$ into $\mathbb C$.

For simplicity, let $n = 3$ and $K = \mathbb Q(\zeta_3)$. Its ring of integers is $\mathbb Z[\zeta_3]$ (Example 2.2.4). The $2 = \varphi(3)$ embeddings of $K$ into $\mathbb C$ are
$$\sigma_1 : a + b\zeta_3 \mapsto a + b\zeta_3 \quad\text{and}\quad \sigma_2 : a + b\zeta_3 \mapsto a + b\zeta_3^2,$$
where $a, b \in \mathbb Q$. Note that $\zeta_3$ and $\zeta_3^2$ are complex conjugates of each other. So, the Minkowski embedding $\psi : K \to \mathbb R^2$ is
$$\psi : a + b\zeta_3 \mapsto \big(\mathrm{Re}(\sigma_1(a + b\zeta_3)),\ \mathrm{Im}(\sigma_1(a + b\zeta_3))\big).$$
A basis of $O_K = \mathbb Z[\zeta_3]$ is $\{1, \zeta_3\}$. Thus, a basis for the corresponding lattice is
$$\Big\{(1, 0),\ \Big(-\frac12,\ \frac{\sqrt3}{2}\Big)\Big\}.$$
This basis is already LLL reduced.
Figure 3.4: The lattice $L(\mathbb Z[\zeta_3])$ with basis $\{(1, 0), (-\tfrac12, \tfrac{\sqrt3}{2})\}$.
Let $I$ be the ideal of $\mathbb Z[\zeta_3]$ generated by $2 + 3\zeta_3$. A basis of $I$ is $\{2 + 3\zeta_3,\ -3 - \zeta_3\}$ (the second element is $\zeta_3(2 + 3\zeta_3)$, using $\zeta_3^2 = -1 - \zeta_3$). Thus, a basis for the corresponding lattice is
$$\Big\{\Big(\frac12,\ \frac{3\sqrt3}{2}\Big),\ \Big(-\frac52,\ -\frac{\sqrt3}{2}\Big)\Big\}.$$
Figure 3.5: The sublattice $L(I)$ of $L(\mathbb Z[\zeta_3])$, where $I = (2 + 3\zeta_3)$. (Plotted points: $(0,0)$, $(1/2, 3\sqrt3/2)$, $(-5/2, -\sqrt3/2)$.)
Example 3.1.3. Let $K = \mathbb Q(\sqrt[3]{2}) \cong \mathbb Q[x]/(f)$, where $f = x^3 - 2$. The degree of $K$ over $\mathbb Q$ is 3. There are 1 real embedding and 2 complex embeddings of $K$ into $\mathbb C$. They are
$$\begin{aligned}
\sigma_1 : a + b\sqrt[3]{2} + c\sqrt[3]{2}^2 &\mapsto a + b\sqrt[3]{2} + c\sqrt[3]{2}^2, \\
\sigma_2 : a + b\sqrt[3]{2} + c\sqrt[3]{2}^2 &\mapsto a + b\,\zeta_3\sqrt[3]{2} + c\,(\zeta_3\sqrt[3]{2})^2, \text{ and} \\
\sigma_3 : a + b\sqrt[3]{2} + c\sqrt[3]{2}^2 &\mapsto a + b\,\zeta_3^2\sqrt[3]{2} + c\,\zeta_3\sqrt[3]{2}^2,
\end{aligned}$$
where $\zeta_3 = e^{2\pi i/3}$ is a primitive cube root of unity.

The Minkowski embedding of $K$ into $\mathbb R^3$ is
$$\psi : \alpha = a + b\sqrt[3]{2} + c\sqrt[3]{2}^2 \mapsto \big(\sigma_1(\alpha),\ \mathrm{Re}(\sigma_2(\alpha)),\ \mathrm{Im}(\sigma_2(\alpha))\big),$$
for $\alpha \in K$.

A basis of the ring of integers $O_K = \mathbb Z[\sqrt[3]{2}]$ is $\{1, \sqrt[3]{2}, (\sqrt[3]{2})^2\}$. Thus, the corresponding lattice basis is
$$\Big\{(1, 1, 0),\ \Big(\sqrt[3]{2},\ -\frac{1}{(\sqrt[3]{2})^2},\ \frac{\sqrt3}{(\sqrt[3]{2})^2}\Big),\ \Big((\sqrt[3]{2})^2,\ -\frac{1}{\sqrt[3]{2}},\ -\frac{\sqrt3}{\sqrt[3]{2}}\Big)\Big\}.$$

Figure 3.6: The 3-dimensional lattice $L(\mathbb Z[\sqrt[3]{2}])$.
3.2 Cyclic Lattices

Cyclic lattices were introduced by Micciancio in [Mic07] as an interesting special case of lattices. Even with the additional structure of cyclic lattices, the hardness of lattice problems on them is unknown. We first fix notation. Let $R$ be any ring and $\vec x = (x_1, x_2, \dots, x_n)$ be an element of $R^n$, where $n$ is a positive integer. We define the rotational shift operator acting on $\vec x$, denoted $\mathrm{rot}(\vec x)$, by
$$\mathrm{rot}(\vec x) := (x_n, x_1, x_2, \dots, x_{n-1}) \in R^n.$$
In other words, this operator moves the last entry of the input vector to the front and shifts everything else back by one entry. For any positive integer $k$, $\mathrm{rot}^k(\vec x) = \mathrm{rot}(\mathrm{rot}(\cdots \mathrm{rot}(\vec x) \cdots))$ ($k$ applications of $\mathrm{rot}$). Note that $\mathrm{rot}^{kn}$ is the identity map for every positive integer $k$.

In addition, we define the rotational matrix of $\vec x$, denoted $\mathrm{ROT}(\vec x)$, to be
$$\mathrm{ROT}(\vec x) := \big[\,\vec x \ \ \mathrm{rot}(\vec x) \ \ \cdots \ \ \mathrm{rot}^{n-2}(\vec x) \ \ \mathrm{rot}^{n-1}(\vec x)\,\big],$$
i.e., the $n \times n$ matrix whose columns are the rotations of $\vec x$.

Definition 3.2.1. We say that a lattice $L$ is cyclic if and only if for all $\vec x \in L$, $\mathrm{rot}(\vec x) \in L$. Equivalently, a lattice $L$ is cyclic if and only if $\mathrm{rot}(L) = L$, where $\mathrm{rot}(L) = \{\mathrm{rot}(\vec x) : \vec x \in L\}$.
Example 3.2.1. Let $\vec x = (1, \pi) \in \mathbb R^2$. Since $\vec x$ and $\mathrm{rot}(\vec x) = (\pi, 1)$ are linearly independent, we can construct a lattice $L(B)$ with basis
$$B = \{\vec x, \mathrm{rot}(\vec x)\} = \begin{pmatrix} 1 & \pi \\ \pi & 1 \end{pmatrix}.$$
For any $\vec y \in L(B)$, $\vec y = a\vec x + b\,\mathrm{rot}(\vec x) = (a + b\pi,\ a\pi + b)$ for some $a, b \in \mathbb Z$; so $\mathrm{rot}(\vec y) = (a\pi + b,\ a + b\pi) = b\,\vec x + a\,\mathrm{rot}(\vec x)$, which is in $L(B)$. Hence $L(B)$ is cyclic.
Figure 3.7: A cyclic lattice $L(B)$ in $\mathbb R^2$ with basis $B = \{(1, \pi), (\pi, 1)\}$. (Plotted points: $(0,0)$, $(\pi, 1)$, $(1, \pi)$.)
Definition 3.2.2. Let $R$ be any commutative ring with 1 and $\vec x, \vec y \in R^n$. We define the cyclic convolution product, or the convolution of $\vec x$ by $\vec y$, denoted $\vec x \otimes \vec y$, to be the result of the matrix-vector multiplication
$$\vec x \otimes \vec y := \mathrm{ROT}(\vec x) \cdot \vec y,$$
which is a vector in $R^n$ with entries
$$(\vec x \otimes \vec y)_k = \sum_{i + j \,\equiv\, k + 1 \pmod n} x_i\,y_j, \qquad k = 1, \dots, n,$$
where the indices $i, j$ range over $\{1, \dots, n\}$.
Here, we want to point out that it is meaningful to define the convolution product of a vector in a cyclic lattice $L \subseteq \mathbb R^n$ by a vector in $\mathbb Z^n$. In this case, $L$ is closed under convolution by vectors in $\mathbb Z^n$ [PR05, p. 3]. Since $L$ is cyclic, for all $\vec x \in L$ the columns of $\mathrm{ROT}(\vec x)$ are also in $L$; thus, it is not hard to see that, for any $\vec y \in \mathbb Z^n$,
$$\vec x \otimes \vec y = \mathrm{ROT}(\vec x)\,\vec y = \vec x\,y_1 + \mathrm{rot}(\vec x)\,y_2 + \cdots + \mathrm{rot}^{n-1}(\vec x)\,y_n$$
is also in $L$, since a lattice is closed under $\mathbb Z$-linear combinations.
The reason why we are interested in the convolution product is that it allows us to classify
a family of cyclic lattices with integer entries, i.e., sublattices of Zn. First, we will show that
the convolution product in Rn for any commutative ring R with 1 is commutative, associative,
and is distributive over vector addition in Rn. Note that vector addition in Rn is just the usual
component-wise addition.
To check commutativity, consider the convolution product of $\vec y$ by $\vec x$ for $\vec x, \vec y \in R^n$. We have
$$\vec x \otimes \vec y = \mathrm{ROT}(\vec x)\,\vec y = \Big(\sum_{i + j \equiv k + 1 \pmod n} x_i\,y_j\Big)_k = \Big(\sum_{j + i \equiv k + 1 \pmod n} y_j\,x_i\Big)_k = \mathrm{ROT}(\vec y)\,\vec x = \vec y \otimes \vec x.$$
This is true since $R$ is a commutative ring.

Now, let $\vec z$ be another vector in $R^n$. We have that
$$\big((\vec x \otimes \vec y) \otimes \vec z\big)_m = \sum_{k + l \equiv m + 1 \pmod n}\Big(\sum_{i + j \equiv k + 1 \pmod n} x_i\,y_j\Big)z_l = \sum_{i + j + l \equiv m + 2 \pmod n} x_i\,y_j\,z_l = \sum_{i + k \equiv m + 1 \pmod n} x_i\Big(\sum_{j + l \equiv k + 1 \pmod n} y_j\,z_l\Big) = \big(\vec x \otimes (\vec y \otimes \vec z)\big)_m.$$
Thus, $\otimes$ is associative. One can also check that the element $(1, 0, \dots, 0)$ is the multiplicative identity for $\otimes$ in $R^n$.

Finally, it is not hard to see that $\otimes$ is distributive over vector addition. Note that
$$\vec x \otimes (\vec y + \vec z) = \Big(\sum_{i + j \equiv k + 1 \pmod n} x_i\,(y + z)_j\Big)_k = \Big(\sum_{i + j \equiv k + 1 \pmod n} x_i\,(y_j + z_j)\Big)_k = \Big(\sum_{i + j \equiv k + 1 \pmod n} x_i\,y_j\Big)_k + \Big(\sum_{i + j \equiv k + 1 \pmod n} x_i\,z_j\Big)_k = \vec x \otimes \vec y + \vec x \otimes \vec z.$$
Therefore, for any commutative ring $R$ with identity, $(R^n, +, \otimes)$ is also a commutative ring with identity $\vec 1 := (1, 0, \dots, 0)$.
Now, we will show that the convolution product $\otimes$ in $R^n$ and polynomial multiplication in $R[x]/(x^n - 1)$, the quotient ring of polynomials in $R[x]$ modulo the ideal $(x^n - 1)$, are related, by constructing a homomorphism from $R[x]/(x^n - 1)$ to $R^n$. Furthermore, this map is actually an isomorphism of rings.

Definition 3.2.3. Let $R$ be a commutative ring with identity 1. Let $\sum_{i=0}^{n-1} a_i x^i$ be in $R[x]$, with $a_i \in R$, and consider its image in $R[x]/(x^n - 1)$. We define a map $\gamma$ from the quotient ring $R[x]/(x^n - 1)$ to $R^n$ by
$$\gamma\Big(\sum_{i=0}^{n-1} a_i x^i\Big) = (a_0, a_1, \dots, a_{n-1}) \in R^n.$$
In the quotient ring $R[x]/(x^n - 1)$, $x^n - 1 \equiv 0$; thus, $x^n \equiv 1$. This is why every element of our quotient ring can be uniquely represented by a polynomial of degree at most $n - 1$ with coefficients in $R$ (uniqueness holds because $x^n - 1$ is monic, so division with remainder by it is well defined over any $R$), and therefore $\gamma$ is well defined.

Recall that a map $f$ from a ring $(R, +, \cdot)$ to another ring $(S, +, \times)$ is said to be a homomorphism if for all $a, b \in R$, we have that
(i) $f(a + b) = f(a) + f(b)$ and
(ii) $f(a \cdot b) = f(a) \times f(b)$.
Furthermore, if a homomorphism $f$ is a bijection between $R$ and $S$, then $f$ is said to be an isomorphism. If such an isomorphism exists between $R$ and $S$, $R$ is said to be isomorphic to $S$, denoted $R \cong S$.

Proposition 3.2.1. The map $\gamma$ from $R[x]/(x^n - 1)$ to $R^n$ is an isomorphism of rings, i.e., $R[x]/(x^n - 1) \cong R^n$.
Proof. [PR05, p. 6] It is not hard to see that $\gamma$ satisfies the first condition for being a homomorphism, since addition in both rings is defined coefficient-wise (respectively component-wise). Thus, we shall only prove the second condition.

Let $a(x) := \sum_{i=0}^{n-1} a_i x^i$ and $b(x) := \sum_{i=0}^{n-1} b_i x^i$, where $a_i, b_i \in R$ for all $i \in \{0, 1, \dots, n-1\}$, be two arbitrary elements of the quotient ring $R[x]/(x^n - 1)$. We want to show that $\gamma(a(x)b(x)) = \gamma(a(x)) \otimes \gamma(b(x))$. Note that $\gamma(a(x))$ and $\gamma(b(x))$ are $n$-dimensional vectors in $R^n$; thus, the multiplication in $R^n$ is the convolution product of Definition 3.2.2.

So, we have that $a(x)b(x) = (a_0 + a_1x + \cdots + a_{n-1}x^{n-1})(b_0 + b_1x + \cdots + b_{n-1}x^{n-1})$. Expanding this product gives
$$\begin{aligned}
a(x)b(x) &= a_0b_0 + a_0b_1x + \cdots + a_0b_{n-1}x^{n-1} \\
&\quad + a_1b_0x + \cdots + a_1b_{n-2}x^{n-1} + a_1b_{n-1}x^n \\
&\quad + a_2b_0x^2 + \cdots + a_2b_{n-2}x^n + a_2b_{n-1}x^{n+1} \\
&\quad + \cdots \\
&\quad + a_{n-1}b_0x^{n-1} + \cdots + a_{n-1}b_{n-1}x^{2n-2}.
\end{aligned}$$
In the above expansion, $x^n \equiv 1$ since we are working in $R[x]/(x^n - 1)$. Hence, upon reducing the terms of degree at least $n$ and collecting terms, the result is
$$\begin{aligned}
a(x)b(x) &= (a_0b_0 + a_1b_{n-1} + a_2b_{n-2} + \cdots + a_{n-1}b_1) \\
&\quad + (a_0b_1 + a_1b_0 + a_2b_{n-1} + \cdots + a_{n-1}b_2)\,x \\
&\quad + \cdots \\
&\quad + (a_0b_{n-1} + a_1b_{n-2} + \cdots + a_{n-1}b_0)\,x^{n-1} \\
&= \sum_{i + j \equiv 0 \pmod n} a_ib_j + \sum_{i + j \equiv 1 \pmod n} a_ib_j\,x + \sum_{i + j \equiv 2 \pmod n} a_ib_j\,x^2 + \cdots + \sum_{i + j \equiv n-1 \pmod n} a_ib_j\,x^{n-1} \\
&= \sum_{k=0}^{n-1}\Big(\sum_{i + j \equiv k \pmod n} a_ib_j\Big)x^k.
\end{aligned}$$
Thus, $\gamma(a(x)b(x))$ is the $n$-dimensional vector
$$\gamma(a(x)b(x)) = \Big(\sum_{i + j \equiv 0 \pmod n} a_ib_j,\ \sum_{i + j \equiv 1 \pmod n} a_ib_j,\ \dots,\ \sum_{i + j \equiv n-1 \pmod n} a_ib_j\Big) \in R^n.$$
Note that this vector is the result of the matrix-vector multiplication
$$\begin{pmatrix} a_0 & a_{n-1} & a_{n-2} & \cdots & a_1 \\ a_1 & a_0 & a_{n-1} & \cdots & a_2 \\ a_2 & a_1 & a_0 & \cdots & a_3 \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ a_{n-1} & a_{n-2} & a_{n-3} & \cdots & a_0 \end{pmatrix}\begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ \vdots \\ b_{n-1} \end{pmatrix} = \mathrm{ROT}\big((a_0, a_1, \dots, a_{n-1})\big)\,(b_0, b_1, \dots, b_{n-1}),$$
which by definition is equal to the convolution product
$$\mathrm{ROT}(\gamma(a(x)))\,\gamma(b(x)) = \gamma(a(x)) \otimes \gamma(b(x)).$$
Hence, $\gamma(a(x)b(x)) = \gamma(a(x)) \otimes \gamma(b(x))$. Therefore, $\gamma$ is a homomorphism from $R[x]/(x^n - 1)$ to $R^n$.

Now, it remains to show that $\gamma$ is a bijection. The fact that $\gamma$ is onto, i.e. surjective, is immediate: for any vector in $R^n$, its preimage is simply the polynomial of degree at most $n - 1$ whose coefficients are the entries of that vector. For injectivity, suppose that we have two elements $a(x) := \sum_{i=0}^{n-1} a_ix^i$ and $b(x) := \sum_{i=0}^{n-1} b_ix^i$ in $R[x]/(x^n - 1)$ such that $\gamma(a(x)) = \gamma(b(x))$. By definition of $\gamma$, $a_i = b_i$ for all $i$. Thus, $a(x)$ must be equal to $b(x)$.

Hence, $\gamma$ is a bijective homomorphism, that is, an isomorphism. I.e., $R[x]/(x^n - 1)$ is isomorphic to $R^n$. Q.E.D
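The following Python program, added here as an illustration and not taken from the thesis or from [PR05], implements $\mathrm{rot}$, $\mathrm{ROT}$, the convolution product $\otimes$ and multiplication in $\mathbb Z[x]/(x^n - 1)$, and checks Proposition 3.2.1 together with the ring axioms verified above on random integer vectors (the random inputs are constructed for the check). The identity $\mathrm{rot}(\vec a) = \gamma(x) \otimes \vec a = \gamma(x \cdot a(x))$, which the proof of Theorem 3.2.1 below relies on, is checked as well. Function names are this example's own.

```python
import random


def rot(x):
    """rot(x_1, ..., x_n) = (x_n, x_1, ..., x_{n-1})."""
    return (x[-1],) + tuple(x[:-1])


def ROT(x):
    """The n x n matrix with columns x, rot(x), ..., rot^{n-1}(x), returned as a list of rows."""
    n = len(x)
    cols = [tuple(x)]
    for _ in range(n - 1):
        cols.append(rot(cols[-1]))
    return [tuple(cols[j][i] for j in range(n)) for i in range(n)]


def conv(x, y):
    """Cyclic convolution x (x) y := ROT(x) . y (Definition 3.2.2)."""
    return tuple(sum(r[j] * y[j] for j in range(len(y))) for r in ROT(x))


def poly_mul_mod(a, b):
    """Product of a(x) = sum a[i] x^i and b(x) in Z[x]/(x^n - 1), with n = len(a) = len(b)."""
    n = len(a)
    c = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % n] += ai * bj      # x^n = 1, so x^{i+j} = x^{(i+j) mod n}
    return c


def gamma(poly):
    """gamma(a_0 + a_1 x + ... + a_{n-1} x^{n-1}) = (a_0, ..., a_{n-1}) (Definition 3.2.3)."""
    return tuple(poly)


def vec_add(u, v):
    return tuple(a + b for a, b in zip(u, v))


def check_ring_isomorphism(n, trials=200, seed=1):
    """Check Proposition 3.2.1 and the ring axioms of (Z^n, +, (x)) on random vectors; n >= 2.

    Returns True when every identity holds for every trial, False at the first failure.
    """
    rng = random.Random(seed)                      # constructed random test inputs
    rand = lambda: tuple(rng.randint(-9, 9) for _ in range(n))
    one = gamma([1] + [0] * (n - 1))               # gamma(1) = (1, 0, ..., 0)
    x_poly = gamma([0, 1] + [0] * (n - 2))         # gamma(x) = (0, 1, 0, ..., 0)
    for _ in range(trials):
        x, y, z = rand(), rand(), rand()
        if conv(x, y) != gamma(poly_mul_mod(list(x), list(y))):   # gamma(ab) = gamma(a) (x) gamma(b)
            return False
        if conv(x, y) != conv(y, x):                                # commutativity
            return False
        if conv(conv(x, y), z) != conv(x, conv(y, z)):              # associativity
            return False
        if conv(x, vec_add(y, z)) != vec_add(conv(x, y), conv(x, z)):  # distributivity
            return False
        if conv(x, one) != x:                                       # identity element
            return False
        if conv(x_poly, x) != rot(x):                               # rot(a) = gamma(x * a(x))
            return False
    return True


if __name__ == "__main__":
    a = (1, 2, 3)
    print("ROT(a) rows:", ROT(a))
    print("a (x) (1,0,0) =", conv(a, (1, 0, 0)), " rot(a) =", rot(a), "=", conv((0, 1, 0), a))
    print("ring isomorphism checks for n = 2..8:", all(check_ring_isomorphism(n) for n in range(2, 9)))
```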
By letting $R$ be the ring of integers, i.e., $R = \mathbb Z$, we are able to construct a family of cyclic lattices as sublattices of $\mathbb Z^n$.

Theorem 3.2.1. Let $I$ be a subring of $\mathbb Z[x]/(x^n - 1)$. Then $\gamma(I)$ is a cyclic sublattice of $\mathbb Z^n$ if and only if $I$ is an ideal of $\mathbb Z[x]/(x^n - 1)$, where $\gamma : \mathbb Z[x]/(x^n - 1) \to \mathbb Z^n$ is the isomorphism given by Definition 3.2.3.

Proof. ($\Leftarrow$) Suppose that $I$ is an ideal of $\mathbb Z[x]/(x^n - 1)$. We want to show that $\gamma(I)$ is a cyclic lattice.

Let $\vec\alpha, \vec\beta \in \gamma(I)$. Then there exist $\alpha, \beta \in I$ such that $\gamma(\alpha) = \vec\alpha$ and $\gamma(\beta) = \vec\beta$. Since $I$ is a ring, $\alpha + \beta \in I$. Thus, $\gamma(\alpha + \beta) \in \gamma(I)$. Since $\gamma$ is a homomorphism, $\gamma(\alpha) + \gamma(\beta) = \vec\alpha + \vec\beta \in \gamma(I)$. Similarly, it is not hard to show that $-\vec\alpha$ is in $\gamma(I)$ for all $\vec\alpha \in \gamma(I)$, and $\gamma(0) = \vec 0 \in \gamma(I)$. Hence, $\gamma(I)$ is a subgroup of $\mathbb Z^n$; being a subgroup of $\mathbb Z^n$, it is discrete, so $\gamma(I)$ is a lattice.

Now, consider $\vec a = (a_0, \dots, a_{n-1}) \in \gamma(I)$. So, $a(x) = a_0 + a_1x + \cdots + a_{n-1}x^{n-1} \in I$. Note that $\mathrm{rot}(\vec a) = \gamma(x \cdot a(x))$, since $x \cdot a(x) = a_{n-1} + a_0x + \cdots + a_{n-2}x^{n-1}$ in $\mathbb Z[x]/(x^n - 1)$. Since $I$ is an ideal, $x \cdot a(x)$ is in $I$; hence, $\gamma(x \cdot a(x)) = \mathrm{rot}(\vec a) \in \gamma(I)$. Therefore, $\gamma(I)$ is a cyclic lattice.

($\Rightarrow$) For the remaining direction, suppose that $\gamma(I)$ is a cyclic lattice, where $I$ is a subring of $\mathbb Z[x]/(x^n - 1)$. Let $a(x)$ be a polynomial in $I$. For any polynomial $p(x) \in \mathbb Z[x]/(x^n - 1)$,
$$\gamma(p(x) \cdot a(x)) = \gamma(p(x)) \otimes \gamma(a(x)) \qquad (*)$$
by Proposition 3.2.1. Let $\vec a = \gamma(a(x)) \in \gamma(I)$. So, by commutativity of $\otimes$,
$$(*) = \vec a \otimes \gamma(p(x)) = \mathrm{ROT}(\vec a) \cdot \gamma(p(x)) = \big[\,\vec a \ \ \mathrm{rot}(\vec a) \ \ \cdots \ \ \mathrm{rot}^{n-1}(\vec a)\,\big]\,\gamma(p(x)). \qquad (**)$$
Since $\gamma(I)$ is a cyclic lattice, the rotations of $\vec a$ are also in $\gamma(I)$. In addition, $\gamma(p(x))$ is in $\mathbb Z^n$, say $\gamma(p(x)) = (b_1, \dots, b_n) \in \mathbb Z^n$. So,
$$(**) = b_1\,\vec a + b_2\,\mathrm{rot}(\vec a) + \cdots + b_n\,\mathrm{rot}^{n-1}(\vec a),$$
which is in $\gamma(I)$ since $\gamma(I)$, being a lattice, is closed under $\mathbb Z$-linear combinations. Since $\gamma(p(x) \cdot a(x))$ is in $\gamma(I)$ and $\gamma$ is injective, $p(x) \cdot a(x) \in I$. Since $p(x) \in \mathbb Z[x]/(x^n - 1)$ and $a(x) \in I$ are arbitrary, $p(x)\,I \subseteq I$ for all $p(x) \in \mathbb Z[x]/(x^n - 1)$. Therefore, the subring $I$ of $\mathbb Z[x]/(x^n - 1)$ is an ideal.
Q.E.D
3.3 Shortest Vectors in Cyclic Lattices

Using the MAGMA Computational Algebra System [BCP97] and the result of Theorem 3.2.1, we will construct examples of cyclic sublattices of $\mathbb Z^n$. In addition, MAGMA also allows us to compute the $\delta$-LLL reduced basis for $\frac14 < \delta \le 1$. The default value of $\delta$ in MAGMA is $\frac34$; however, it is desirable to use $\delta = 1$, since this gives the strongest reduction. On the other hand, using $\delta = 1$ may dramatically increase the running time of the LLL algorithm in MAGMA [CBFS17, p. 686, 689]. Recall from Theorem 2.4.5 that if $B$ is a $\delta$-LLL reduced basis then
$$\|\vec b_1\| \le \alpha^{(n-1)/2}\,\lambda,$$
where $\alpha = \frac{1}{\delta - \frac14} \ge \frac43$, $\lambda$ is the length of a shortest nonzero vector in the lattice generated by $B$, and $n$ is the dimension of this lattice. Thus, picking $\delta = 1$ gives $\alpha = \frac43 \approx 1.33$. That is, the Euclidean length of the vector $\vec b_1$ of a 1-LLL reduced basis is at most $\big(\frac43\big)^{(n-1)/2} \approx (1.155)^{n-1}$ times $\lambda$.
With regard to finding a shortest vector in a given lattice, i.e., solving the SVP, there are three main approaches: probabilistic sieving algorithms, Voronoi-cell based algorithms, and enumeration algorithms [Sch11]. The first sieving algorithm is the AKS algorithm, which was presented in 2001 by Ajtai, Kumar, and Sivakumar in [AKS01]. According to [HPS11], the AKS algorithm runs in time exponential in the lattice dimension. Other versions of this method were presented by Regev [Reg04], by Nguyen and Vidick [NV08], by Micciancio and Voulgaris [MV10b], and by Pujol and Stehle [PS09], with time complexities of $2^{16n + o(n)}$, $2^{5.9n + o(n)}$, $2^{3.4n + o(n)}$, and $2^{2.7n + o(n)}$ respectively. The original sieving algorithm in [AKS01] is considered impractical since it requires space exponential in the lattice dimension [Sch11]. The Voronoi-cell based algorithms, presented by Micciancio and Voulgaris in [MV10a], are able to solve the hard lattice problems in general lattices, including SVP, which is NP-hard (under randomized reductions). The running time and space complexity of these algorithms is exponential in $n$, the lattice dimension. Despite an improvement in running time compared to the sieving methods, algorithms based on Voronoi cells still require space exponential in $n$, which makes them more theoretical than practical.

Given a lattice $L$, MAGMA can find a shortest vector in $L$ using enumeration-based algorithms developed by Damien Stehle [CBFS17, p. 704]. This approach for solving SVP is the oldest among the three. Moreover, the upper bound for the space complexity of these algorithms is polynomial in the lattice dimension $n$. This makes enumeration-based solvers the most practical in comparison to the other two approaches. However, the running time of enumeration-based algorithms is bounded by $n^{n/(2e) + o(n)}$, where $e$ is Euler's number [HPS11]. Hence, when the lattice dimension gets very large, the running time also increases dramatically.
The following table is given in [HPS11] for comparing the three groups of SVP solvers with regard to their running times and space complexities.

Table 3.1: Comparing the three groups of SVP solvers [HPS11].

    Method         Time complexity     Space complexity   Other
    Voronoi-cell   2^{2n + o(n)}       2^{n + o(n)}       Deterministic
    Sieving        2^{2.465n + o(n)}   2^{1.325n + o(n)}  Probabilistic
    Enumeration    n^{n/(2e) + o(n)}   poly(n)            Deterministic

In this thesis, we will find a shortest vector in any given lattice using the function provided by the MAGMA Algebra System on a PC with 8 GB of RAM and an Intel Core i5-7200U CPU at 2.50 GHz (reported as 2.71 GHz).
Example 3.3.1. Consider $\mathbb Z^2 \cong R = \mathbb Z[x]/(x^2 - 1)$. Let $I$ be the principal ideal of $R$ generated by $x - 1$. Then the sublattice of $\mathbb Z^2$ corresponding to $I = (x - 1)$ is a 1-dimensional lattice generated by $\{(1, -1)\}$. Clearly, a shortest vector in this lattice is $(1, -1)$, with length $\sqrt2$.

Example 3.3.2. Using the same ring $\mathbb Z^2 \cong R = \mathbb Z[x]/(x^2 - 1)$, we now consider the ideal $I$ of $R$ generated by $2x - 3$. The sublattice corresponding to this ideal has a basis $\{(2, -3), (-3, 2)\}$. Its 1-LLL reduced basis is $\{(-1, -1), (2, -3)\}$. According to MAGMA, the vector $(-1, -1)$ is a shortest vector in this lattice. It is not hard to see that this is true from the graph of the lattice shown below.

Figure 3.8: A full-rank sublattice of $\mathbb Z^2$ with basis $\{(2, -3), (-3, 2)\}$. (Plotted points: $(0,0)$, $(2,-3)$, $(-3,2)$, $(-1,-1)$.)
We will now consider cyclic sublattices of $\mathbb Z^3$.

Example 3.3.3. Let $I$ be the principal ideal of $R = \mathbb Z[x]/(x^3 - 1)$ generated by $x + 1$. The lattice corresponding to $I$ is a full-rank proper sublattice of $\mathbb Z^3$ with basis $B = \{(1, 1, 0), (0, 1, 1), (1, 0, 1)\}$. In fact, this basis is already 1-LLL reduced. An example of a shortest vector in this lattice is $(1, 1, 0)$.

For the ideal $I_2 := (x - 1)$ of $R$, its corresponding lattice is not full-rank as a sublattice of $\mathbb Z^3$. A basis for this lattice is $\{(-1, 1, 0), (0, -1, 1)\}$, which is also 1-LLL reduced. A shortest vector in this lattice is $(-1, 1, 0)$.

Another example of a cyclic sublattice of $\mathbb Z^3$ is the one corresponding to $I_3 = (x^2 + x + 1)$. This lattice is only 1-dimensional, with basis $\{(1, 1, 1)\}$.

Lastly, consider the ideal $I_4$ of $R$ generated by $3x^2 - 2$. The corresponding lattice has a basis $\{(-2, 0, 3), (3, -2, 0), (0, 3, -2)\}$, which is not 1-LLL reduced. This lattice is full-rank in $\mathbb Z^3$. Its 1-LLL reduced basis is $\{(1, 1, 1), (-2, 0, 3), (3, -2, 0)\}$. According to MAGMA, a shortest vector in this lattice is $(1, 1, 1)$.
Let $L = \gamma(I)$ be a cyclic lattice, a sublattice of $\mathbb Z^n$, where $I = (p(x))$ is the principal ideal of $\mathbb Z[x]/(x^n - 1)$ generated by $p(x)$, with $p(x) \in \mathbb Z[x]$, and $\gamma$ is the isomorphism from $\mathbb Z[x]/(x^n - 1)$ to $\mathbb Z^n$. Observing the previous examples, we notice that the dimension of our cyclic lattice depends on the choice of the generating polynomial of the ideal $I$. For instance, consider the case $n = 3$ in Example 3.3.3: the lattices corresponding to the ideals $(x + 1)$ and $(3x^2 - 2)$ are full-rank in $\mathbb Z^3$, whereas the lattices generated from the ideals $(x - 1)$ and $(x^2 + x + 1)$ are 2-dimensional and 1-dimensional sublattices of $\mathbb Z^3$, respectively. This differs from the case of lattices coming from Minkowski embeddings, whose ideal sublattices are all full-rank, as shown in Corollary 3.1.1.1. Using the result of Lemma 2.2 presented in [PR05, p. 6], we were able to establish the following theorem, which allows us to determine the dimension of cyclic sublattices of $\mathbb Z^n$.

Theorem 3.3.1. Let $I$ be the principal ideal of $\mathbb Z[x]/(x^n - 1)$ generated by $p(x)$, for $p(x) \in \mathbb Z[x]$, and let
$$f(x) := \frac{x^n - 1}{\gcd(p(x), x^n - 1)}.$$
Then the set $\{\vec p, \mathrm{rot}(\vec p), \dots, \mathrm{rot}^{\deg(f) - 1}(\vec p)\}$, where $\vec p = \gamma(p(x))$, is a basis of the cyclic sublattice $\gamma(I)$ of $\mathbb Z^n$. It follows that the dimension of $\gamma(I)$ is $\deg(f)$. In particular, if $p(x)$ is relatively prime to $x^n - 1$ then $\gamma(I)$ is a full-rank sublattice of $\mathbb Z^n$.

Note that the representative polynomial $p(x) \in \mathbb Z[x]$ of the residue class of $p(x)$ in $\mathbb Z[x]/(x^n - 1)$ is not unique. However, for any $q(x) \in \mathbb Z[x]$ such that $q(x) \equiv p(x) \pmod{x^n - 1}$, we claim that
$$\frac{x^n - 1}{\gcd(q(x), x^n - 1)} = \frac{x^n - 1}{\gcd(p(x), x^n - 1)} = f(x).$$
That is, $f(x)$ in Theorem 3.3.1 is unique and independent of the choice of the representative of $p(x)$.
Proof of Claim. Since $q(x) \equiv p(x) \pmod{x^n - 1}$, we have that
$$q(x) = p(x) + a(x) \cdot (x^n - 1)$$
where $a(x)$ is in $\mathbb Z[x]$. Suppose that $d(x)$ is a divisor of $x^n - 1$. Then
$$d(x) \mid \big(p(x) + a(x)(x^n - 1)\big) \iff d(x) \mid p(x).$$
Thus, the pairs $(p(x), x^n - 1)$ and $(q(x), x^n - 1)$ share the same collection of common divisors. Therefore,
$$\gcd(p(x), x^n - 1) = \gcd(q(x), x^n - 1).$$
It follows that
$$\frac{x^n - 1}{\gcd(q(x), x^n - 1)} = \frac{x^n - 1}{\gcd(p(x), x^n - 1)} = f(x).$$
Q.E.D

Lemma 3.3.2. [PR05, Lemma 2.2, p. 6] Let $p(x) = a_0 + a_1x + \cdots + a_{n-1}x^{n-1}$ be in $\mathbb Z[x]/(x^n - 1)$ and $\vec p = \gamma(p(x)) = (a_0, a_1, \dots, a_{n-1}) \in \mathbb Z^n$. If a polynomial $f(x) \in \mathbb Z[x]$ divides $x^n - 1$ and is relatively prime to $p(x)$, then the set $\{\vec p, \mathrm{rot}(\vec p), \dots, \mathrm{rot}^{\deg(f(x)) - 1}(\vec p)\}$ is linearly independent.

Proof. We refer the reader to the proof of Lemma 2.2 in [PR05, p. 7]. Q.E.D
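To make Theorem 3.3.1 concrete, the following Python program (an added illustration, not the thesis's MAGMA code) computes $g = \gcd(p, x^n - 1)$ in $\mathbb Q[x]$ by the Euclidean algorithm, forms $f = (x^n - 1)/g$, returns the basis $\{\vec p, \mathrm{rot}(\vec p), \dots, \mathrm{rot}^{\deg f - 1}(\vec p)\}$, and confirms the linear independence asserted by Lemma 3.3.2 with an exact rank computation. The sample ideals in `__main__` are those of Examples 3.3.1 to 3.3.3. Function names are this example's own.

```python
from fractions import Fraction


def poly_trim(p):
    """Drop leading zero coefficients; p[i] is the coefficient of x^i."""
    p = list(p)
    while p and p[-1] == 0:
        p.pop()
    return p


def poly_divmod(a, b):
    """Division with remainder in Q[x]; b must be nonzero.  Returns (quotient, remainder)."""
    a = [Fraction(c) for c in poly_trim(a)]
    b = [Fraction(c) for c in poly_trim(b)]
    q = [Fraction(0)] * max(len(a) - len(b) + 1, 1)
    while len(a) >= len(b):
        k, coef = len(a) - len(b), a[-1] / b[-1]      # leading term of the quotient
        q[k] = coef
        a = poly_trim([a[i] - coef * b[i - k] if i >= k else a[i] for i in range(len(a))])
    return poly_trim(q), a


def poly_gcd(a, b):
    """Monic greatest common divisor in Q[x] (Euclidean algorithm)."""
    a, b = poly_trim(a), poly_trim(b)
    while b:
        _, r = poly_divmod(a, b)
        a, b = b, r
    lead = Fraction(a[-1])
    return [Fraction(c) / lead for c in a]


def cyclic_lattice_basis(p, n):
    """Theorem 3.3.1: the basis {p, rot(p), ..., rot^{deg f - 1}(p)} of gamma((p(x))) in Z^n.

    p is a list of integer coefficients of p(x); f = (x^n - 1)/gcd(p, x^n - 1).
    Returns (f, basis) with f as an integer coefficient list (monic, as it divides x^n - 1).
    """
    pvec = [0] * n
    for i, c in enumerate(p):            # reduce p modulo x^n - 1 (x^n = 1), giving gamma(p)
        pvec[i % n] += c
    xn1 = [-1] + [0] * (n - 1) + [1]     # x^n - 1
    f, rem = poly_divmod(xn1, poly_gcd(pvec, xn1))
    assert not rem and all(c.denominator == 1 for c in f)
    f = [int(c) for c in f]
    basis, v = [], tuple(pvec)
    for _ in range(len(f) - 1):          # deg f vectors
        basis.append(v)
        v = v[-1:] + v[:-1]              # rot(v)
    return f, basis


def rank(vectors):
    """Rank over Q by exact Gaussian elimination (the Lemma 3.3.2 independence check)."""
    M = [[Fraction(x) for x in v] for v in vectors]
    r = 0
    for col in range(len(M[0]) if M else 0):
        piv = next((i for i in range(r, len(M)) if M[i][col] != 0), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        for i in range(len(M)):
            if i != r and M[i][col] != 0:
                t = M[i][col] / M[r][col]
                M[i] = [u - t * w for u, w in zip(M[i], M[r])]
        r += 1
    return r


if __name__ == "__main__":
    # Ideals of Z[x]/(x^3 - 1) from Example 3.3.3 and of Z[x]/(x^2 - 1) from Examples 3.3.1-3.3.2.
    for n, p, name in [(3, [1, 1], "x+1"), (3, [-1, 1], "x-1"), (3, [1, 1, 1], "x^2+x+1"),
                       (3, [-2, 0, 3], "3x^2-2"), (2, [-1, 1], "x-1"), (2, [-3, 2], "2x-3")]:
        f, basis = cyclic_lattice_basis(p, n)
        print(f"n={n}, p={name}: f={f}, dim={len(basis)}, rank={rank(basis)}, basis={basis}")
```

For $n = 3$ the program reports dimension 3 for $(x + 1)$ and $(3x^2 - 2)$ (here $g = 1$ and $f = x^3 - 1$), dimension 2 for $(x - 1)$ (where $f = x^2 + x + 1$) and dimension 1 for $(x^2 + x + 1)$ (where $f = x - 1$), with the bases listed in Example 3.3.3, and the rank of each returned basis equals its size.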
Proof of Theorem 3.3.1. We showed in Proposition 2.1.3 that
$$x^n - 1 = \prod_{d \mid n} \Phi_d(x),$$
where $\Phi_d(x)$ is the cyclotomic polynomial of the primitive $d$th root of unity. Thus, any polynomial $f \in \mathbb{Z}[x]$ dividing $x^n - 1$ must be a product of some cyclotomic polynomials $\Phi_d(x)$ where $d \mid n$.

Let $I$ be a principal ideal of $\mathbb{Z}[x]/(x^n - 1)$ generated by a nonzero element $p(x) \in \mathbb{Z}[x]/(x^n - 1)$ where $p(x) \in \mathbb{Z}[x]$. Let $g(x)$ be the greatest common divisor of $p(x)$ and $x^n - 1$, i.e.,
$$g(x) = \gcd(p(x), x^n - 1).$$
By construction, it is not hard to see that $g(x)$ is a product of some cyclotomic polynomials $\Phi_d(x)$ with $d \mid n$. However, note that $g(x)$ will never be equal to $x^n - 1$ since $p(x)$ was a nonzero element in $\mathbb{Z}[x]/(x^n - 1)$. So, $g(x)$ divides $x^n - 1$ and $\frac{x^n - 1}{g(x)} \neq 1$ is a polynomial in $\mathbb{Z}[x]$. Moreover, $\frac{x^n - 1}{g(x)}$ is the product of the remaining cyclotomic polynomials $\Phi_{d'}(x)$ with $d' \mid n$. Let $f(x)$ in Lemma 3.3.2 be the polynomial $\frac{x^n - 1}{g(x)}$. Since $0 \le \deg(g) < n$, we have $1 \le \deg(f) = n - \deg(g) \le n$. Furthermore, $f(x)$ is relatively prime to $p(x)$ by construction. Therefore, by Lemma 3.3.2, the set $\{\vec p, \mathrm{rot}(\vec p), \ldots, \mathrm{rot}^{\deg(f)-1}(\vec p)\}$ is linearly independent, where $\vec p = \gamma(p(x)) \in \mathbb{Z}^n$.

It remains to show that $\{\vec p, \mathrm{rot}(\vec p), \ldots, \mathrm{rot}^{\deg(f)-1}(\vec p)\}$ is actually a lattice basis of $\gamma(I)$. Since we have shown that this set is linearly independent, it is enough to show that it spans the lattice. Suppose that
$$f(x) = \frac{x^n - 1}{g(x)} = a_0 + a_1 x + \cdots + a_{\deg(f)-1}x^{\deg(f)-1} + x^{\deg(f)}$$
for some $a_i$ in $\mathbb{Z}$, not all $0$. It is important to note that $f(x)$ is monic since it is a product of monic cyclotomic polynomials.

Now, consider the list $\{\vec p, \mathrm{rot}(\vec p), \ldots, \mathrm{rot}^{\deg(f)-1}(\vec p)\} \cup \{\mathrm{rot}^{\deg(f)}(\vec p)\}$. We have
$$\begin{aligned}
& a_0\vec p + a_1\mathrm{rot}(\vec p) + \cdots + a_{\deg(f)-1}\mathrm{rot}^{\deg(f)-1}(\vec p) + 1\cdot\mathrm{rot}^{\deg(f)}(\vec p) \\
&= \gamma\big(a_0 p(x) + a_1 x p(x) + \cdots + a_{\deg(f)-1}x^{\deg(f)-1}p(x) + 1\cdot x^{\deg(f)}p(x)\big) \\
&= \gamma\big((a_0 + a_1 x + \cdots + a_{\deg(f)-1}x^{\deg(f)-1} + x^{\deg(f)})\,p(x)\big) \\
&= \gamma\big(f(x)p(x)\big) \\
&= \gamma\big(f(x)g(x)q(x)\big) \quad\text{where } q(x) \in \mathbb{Z}[x]/(x^n - 1) \text{ is such that } g(x)q(x) = p(x) \\
&= \gamma\big((x^n - 1)q(x)\big) \quad\text{by definition of } f(x) \\
&= \gamma(0) \quad\text{since } x^n - 1 = 0 \text{ in } \mathbb{Z}[x]/(x^n - 1) \\
&= 0.
\end{aligned}$$
Therefore,
$$\mathrm{rot}^{\deg(f)}(\vec p) = -a_0\vec p - a_1\mathrm{rot}(\vec p) - \cdots - a_{\deg(f)-1}\mathrm{rot}^{\deg(f)-1}(\vec p).$$
That is, $\mathrm{rot}^{\deg(f)}(\vec p)$ can be written as a $\mathbb{Z}$-linear combination of $\{\vec p, \mathrm{rot}(\vec p), \ldots, \mathrm{rot}^{\deg(f)-1}(\vec p)\}$.

By definition, the set $\{\vec p, \mathrm{rot}(\vec p), \ldots, \mathrm{rot}^{\deg(f)-1}(\vec p), \mathrm{rot}^{\deg(f)}(\vec p), \ldots, \mathrm{rot}^{n-1}(\vec p)\}$ spans the lattice $\gamma(I)$. Thus for any $\vec v \in \gamma(I)$, $\vec v$ is a $\mathbb{Z}$-linear combination of $\{\vec p, \mathrm{rot}(\vec p), \ldots, \mathrm{rot}^{n-1}(\vec p)\}$. We will show that each vector in $\{\mathrm{rot}^{\deg(f)}(\vec p), \mathrm{rot}^{\deg(f)+1}(\vec p), \ldots, \mathrm{rot}^{n-2}(\vec p), \mathrm{rot}^{n-1}(\vec p)\}$ can be written as a $\mathbb{Z}$-linear combination of $\{\vec p, \mathrm{rot}(\vec p), \ldots, \mathrm{rot}^{\deg(f)-1}(\vec p)\}$. It will follow that $\{\vec p, \mathrm{rot}(\vec p), \ldots, \mathrm{rot}^{\deg(f)-1}(\vec p)\}$ spans $\gamma(I)$.

Consider the vector $\mathrm{rot}^{(\deg(f)-1)+k}(\vec p)$ in the spanning list, where $1 \le k \le n - \deg(f)$. The following is a proof by induction on $k$. For the base case $k = 1$, we have seen that $\mathrm{rot}^{\deg(f)}(\vec p)$ is a $\mathbb{Z}$-linear combination of $\{\vec p, \mathrm{rot}(\vec p), \ldots, \mathrm{rot}^{\deg(f)-1}(\vec p)\}$. As the induction hypothesis, suppose that $\mathrm{rot}^{(\deg(f)-1)+k}(\vec p)$ is a $\mathbb{Z}$-linear combination of $\{\vec p, \mathrm{rot}(\vec p), \ldots, \mathrm{rot}^{\deg(f)-1}(\vec p)\}$ where $1 < k \le n - \deg(f)$. For the case $k + 1$, we have
$$\begin{aligned}
\mathrm{rot}^{(\deg(f)-1)+(k+1)}(\vec p) &= \mathrm{rot}^{\deg(f)+k}(\vec p) \\
&= \gamma\big(x^{\deg(f)+k}p(x)\big) \\
&= \gamma\big(x \cdot x^{\deg(f)+k-1}p(x)\big) \\
&= \gamma(x) \otimes \gamma\big(x^{(\deg(f)-1)+k}p(x)\big) \\
&= \gamma(x) \otimes \mathrm{rot}^{(\deg(f)-1)+k}(\vec p). \qquad (*)
\end{aligned}$$
By the induction hypothesis, there exist $c_0, \ldots, c_{\deg(f)-1} \in \mathbb{Z}$ such that
$$\mathrm{rot}^{(\deg(f)-1)+k}(\vec p) = c_0\vec p + c_1\mathrm{rot}(\vec p) + \cdots + c_{\deg(f)-1}\mathrm{rot}^{\deg(f)-1}(\vec p).$$
Hence
$$\begin{aligned}
(*) &= \gamma(x) \otimes \big(c_0\vec p + c_1\mathrm{rot}(\vec p) + \cdots + c_{\deg(f)-1}\mathrm{rot}^{\deg(f)-1}(\vec p)\big) \\
&= \gamma(x) \otimes \big(c_0\gamma(p(x)) + c_1\gamma(xp(x)) + \cdots + c_{\deg(f)-1}\gamma(x^{\deg(f)-1}p(x))\big) \\
&= \gamma(x) \otimes \gamma\big(c_0 p(x) + c_1 x p(x) + \cdots + c_{\deg(f)-1}x^{\deg(f)-1}p(x)\big) \\
&= \gamma\big(x\,(c_0 p(x) + c_1 x p(x) + \cdots + c_{\deg(f)-1}x^{\deg(f)-1}p(x))\big) \\
&= \gamma\big(c_0 x p(x) + c_1 x^2 p(x) + \cdots + c_{\deg(f)-1}x^{\deg(f)}p(x)\big) \\
&= c_0\mathrm{rot}(\vec p) + c_1\mathrm{rot}^2(\vec p) + \cdots + c_{\deg(f)-1}\mathrm{rot}^{\deg(f)}(\vec p). \qquad (**)
\end{aligned}$$
Recall that $\mathrm{rot}^{\deg(f)}(\vec p)$ is a $\mathbb{Z}$-linear combination of $\{\vec p, \mathrm{rot}(\vec p), \ldots, \mathrm{rot}^{\deg(f)-1}(\vec p)\}$ (base case). Thus, there exist $b_0, \ldots, b_{\deg(f)-1}$ such that
$$\mathrm{rot}^{\deg(f)}(\vec p) = b_0\vec p + b_1\mathrm{rot}(\vec p) + \cdots + b_{\deg(f)-1}\mathrm{rot}^{\deg(f)-1}(\vec p).$$
Therefore,
$$\begin{aligned}
(**) &= c_0\mathrm{rot}(\vec p) + c_1\mathrm{rot}^2(\vec p) + \cdots + c_{\deg(f)-2}\mathrm{rot}^{\deg(f)-1}(\vec p) \\
&\quad + c_{\deg(f)-1}\big(b_0\vec p + b_1\mathrm{rot}(\vec p) + \cdots + b_{\deg(f)-1}\mathrm{rot}^{\deg(f)-1}(\vec p)\big) \\
&= (c_{\deg(f)-1}b_0)\vec p + (c_0 + c_{\deg(f)-1}b_1)\mathrm{rot}(\vec p) + \cdots \\
&\quad + (c_{\deg(f)-2} + c_{\deg(f)-1}b_{\deg(f)-1})\mathrm{rot}^{\deg(f)-1}(\vec p).
\end{aligned}$$
We showed that
$$\mathrm{rot}^{(\deg(f)-1)+(k+1)}(\vec p) = d_0\vec p + d_1\mathrm{rot}(\vec p) + \cdots + d_{\deg(f)-1}\mathrm{rot}^{\deg(f)-1}(\vec p)$$
for some $d_0, \ldots, d_{\deg(f)-1} \in \mathbb{Z}$. That is, $\mathrm{rot}^{(\deg(f)-1)+(k+1)}(\vec p)$ can be written as a $\mathbb{Z}$-linear combination of the set $\{\vec p, \mathrm{rot}(\vec p), \ldots, \mathrm{rot}^{\deg(f)-1}(\vec p)\}$. By the principle of mathematical induction, $\mathrm{rot}^{(\deg(f)-1)+k}(\vec p)$ is a $\mathbb{Z}$-linear combination of $\{\vec p, \mathrm{rot}(\vec p), \ldots, \mathrm{rot}^{\deg(f)-1}(\vec p)\}$ for all $1 \le k \le n - \deg(f)$.

Since $\{\vec p, \mathrm{rot}(\vec p), \ldots, \mathrm{rot}^{n-1}(\vec p)\}$ spans $\gamma(I)$, the above result shows that $\{\vec p, \mathrm{rot}(\vec p), \ldots, \mathrm{rot}^{\deg(f)-1}(\vec p)\}$ spans $\gamma(I)$. Since $\{\vec p, \mathrm{rot}(\vec p), \ldots, \mathrm{rot}^{\deg(f)-1}(\vec p)\}$ is linearly independent and spans $\gamma(I)$, it is a lattice basis of $\gamma(I)$.

Consequently, the dimension of $\gamma(I)$ is $\deg(f)$.

In particular, if $p(x)$ is relatively prime to $x^n - 1$, then $f(x) = x^n - 1$. Thus, by Lemma 3.3.2, $\{\vec p, \mathrm{rot}(\vec p), \ldots, \mathrm{rot}^{n-1}(\vec p)\}$ is a linearly independent set of length $n$ in the lattice $\gamma(I)$. Since $\gamma(I)$ is a sublattice of $\mathbb{Z}^n$, its dimension cannot exceed $n$. Thus, the dimension of $\gamma(I)$ must be $n$, i.e., $\gamma(I)$ is a full-rank sublattice of $\mathbb{Z}^n$. Q.E.D
Even though it is interesting to be able to determine the dimensions of cyclic sublattices of $\mathbb{Z}^n$ where the ideal is principal, the more important question is how we can find a shortest vector in these lattices. Based on the previous discussion on the dimension of $\gamma(I)$, given the generator $p(x)$ of an ideal $I$ of $\mathbb{Z}[x]/(x^n - 1)$ and the polynomial $f(x)$ which we constructed for Lemma 3.3.2, the set $\{\vec p, \mathrm{rot}(\vec p), \ldots, \mathrm{rot}^{\deg(f)-1}(\vec p)\}$ is a basis of $\gamma(I)$. Since $p(x)$ plays the main role in constructing the corresponding lattice, it is reasonable to theorize that $\vec p$ is a shortest vector, or that the set $\{\vec p, \mathrm{rot}(\vec p), \ldots, \mathrm{rot}^{\deg(f)-1}(\vec p)\}$ will contain a shortest vector. However, this is not true in general based on our results. Consider the following counterexample.

Example 3.3.4. Let $I$ be the principal ideal of $\mathbb{Z}[x]/(x^4 - 1)$ generated by $3x^3 + 2x^2$. One can check that $3x^3 + 2x^2$ is relatively prime to $x^4 - 1$. Thus, $\gamma(I)$ is a lattice of full rank and $\{(0, 0, 2, 3), (3, 0, 0, 2), (2, 3, 0, 0), (0, 2, 3, 0)\}$ is a basis for $\gamma(I)$. However, none of the vectors in this basis is a shortest vector of $\gamma(I)$. Instead, the vector $(1, -1, 1, -1)$ is a shortest vector.

A 1-LLL reduced basis of the lattice in Example 3.3.4 is the set $\{(1, -1, 1, -1), (0, 0, 2, 3), (3, 0, 0, 2), (0, 2, 3, 0)\}$, which contains the same shortest vector $(1, -1, 1, -1)$ of this lattice. Thanks to this realization, we observe that in our examples of cyclic sublattices $\gamma(I)$ of $\mathbb{Z}^n$ where $I$ is a principal ideal of $\mathbb{Z}[x]/(x^n - 1)$, the 1-LLL reduced basis of $\gamma(I)$ contains a shortest vector. Thus, we propose the following conjecture, which has not been seen in papers on related topics (as far as the author of this thesis knows).

Conjecture 3.3.3. Let $I$ be a principal ideal of $\mathbb{Z}[x]/(x^n - 1)$ and consider the cyclic sublattice $\gamma(I)$ of $\mathbb{Z}^n$ constructed via the isomorphism $\gamma : \mathbb{Z}[x]/(x^n - 1) \to \mathbb{Z}^n$. Let $B_{1\text{-LLL}}$ be a 1-LLL reduced basis for $\gamma(I)$. Then the vector $\vec v \in B_{1\text{-LLL}}$, where
$$\|\vec v\| = \min\{\|\vec b\| : \vec b \in B_{1\text{-LLL}}\},$$
is a shortest vector in the lattice $\gamma(I)$.

In other words, this conjecture states that a shortest vector in the 1-LLL reduced basis of $\gamma(I)$, where $I$ is principal, is actually a shortest vector in the lattice. Under the assumption that this conjecture is true, SVP becomes easy in this specific family of cyclic lattices. That is, we can use the well-known LLL algorithm to solve SVP for the cyclic lattice $\gamma(I)$ where $I$ is a principal ideal of $\mathbb{Z}[x]/(x^n - 1)$.
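As an added illustration of the basis construction in the proof of Theorem 3.3.1 and of Example 3.3.4 (this code is not part of the thesis; the function names are my own), the following Python builds the rotation set of $\gamma(I)$ from $p(x)$, computes the lattice dimension by exact row reduction, and certifies a shortest vector by exhaustive search over a box of small integer vectors, which is only feasible for tiny $n$ such as the $n = 4$ of the example.

```python
# Added example, not from the thesis: the cyclic sublattice gamma(I) of Z^n for a
# principal ideal I = (p(x)) of Z[x]/(x^n - 1), checked with exact arithmetic.
from fractions import Fraction
from itertools import product

def gamma(p, n):
    """Coefficient vector in Z^n of p(x) mod x^n - 1 (p[i] = coefficient of x^i)."""
    v = [0] * n
    for i, a in enumerate(p):
        v[i % n] += a  # x^n = 1 folds higher powers down
    return v

def rotations(v, k):
    """[v, rot(v), ..., rot^{k-1}(v)], where rot is the cyclic right shift, i.e.
    multiplication by x in Z[x]/(x^n - 1); the candidate basis of Theorem 3.3.1."""
    out = [v]
    for _ in range(k - 1):
        out.append([out[-1][-1]] + out[-1][:-1])
    return out

def eliminate(rows):
    """Reduced row echelon form over Q; returns (rows, rank). The rank of the
    rotation set is the lattice dimension, deg f in Theorem 3.3.1."""
    rows = [[Fraction(x) for x in r] for r in rows]
    r = 0
    for col in range(len(rows[0])):
        piv = next((i for i in range(r, len(rows)) if rows[i][col] != 0), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        rows[r] = [a / rows[r][col] for a in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][col] != 0:
                f = rows[i][col]
                rows[i] = [a - f * b for a, b in zip(rows[i], rows[r])]
        r += 1
    return rows, r

def coordinates(basis, v):
    """c with sum c_i*basis[i] = v (basis full rank); v is a lattice point iff all c_i are integers."""
    n = len(basis)
    rows, _ = eliminate([[basis[j][i] for j in range(n)] + [v[i]] for i in range(n)])
    return [rows[i][n] for i in range(n)]

def shortest_vector_by_box(basis, bound):
    """Exhaustive search over nonzero v in Z^n with |v_i| <= bound. Every lattice vector of
    squared norm <= (bound+1)^2 - 1 lies in that box, so the result is certified shortest
    iff its squared norm is within that limit (third return value)."""
    best = None
    for v in product(range(-bound, bound + 1), repeat=len(basis[0])):
        if any(v) and all(c.denominator == 1 for c in coordinates(basis, v)):
            norm2 = sum(x * x for x in v)
            if best is None or norm2 < best[0]:
                best = (norm2, list(v))
    return best[0], best[1], best[0] <= (bound + 1) ** 2 - 1
```

For $p(x) = 3x^3 + 2x^2$ and $n = 4$ the search returns squared norm 4 with the certificate flag set, confirming that $\pm(1, -1, 1, -1)$ is shortest while no rotation of $\vec p$ is; for $p(x) = x^2 - 1$ the rank of the four rotations is 2, matching $\deg f = \deg(x^2 + 1)$.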
Bibliography

[Ajt96] M. Ajtai. Generating hard instances of lattice problems. Quaderni di Matematica, 1996.
[Ajt98] M. Ajtai. The shortest vector problem in $L_2$ is NP-hard for randomized reductions (extended abstract). Proceedings of the Thirtieth Annual ACM Symposium on the Theory of Computing, pages 10–19, 1998.
[AKS01] M. Ajtai, R. Kumar, and D. Sivakumar. A sieve algorithm for the shortest lattice vector problem. STOC '01: Proceedings of the Thirty-Third Annual ACM Symposium on Theory of Computing, pages 601–610, 2001.
[Ash10] R. B. Ash. A Course in Algebraic Number Theory. Dover Publications, 2010. Available at https://faculty.math.illinois.edu/~r-ash/ANT.html.
[AW04] S. Alaca and K. S. Williams. Introductory Algebraic Number Theory. Cambridge University Press, first edition, 2004.
[Axl97] S. Axler. Linear Algebra Done Right. Springer-Verlag New York, Inc., second edition, 1997.
[BCP97] W. Bosma, J. Cannon, and C. Playoust. The Magma algebra system. I. The user language. J. Symbolic Comput., 24(3-4):235–265, 1997. Computational algebra and number theory (London, 1993).
[BL93] D. J. Bernstein and A. K. Lenstra. A general number field sieve implementation. Lecture Notes in Mathematics, 1554, 1993. Springer, Berlin, Heidelberg.
[CBFS17] J. Cannon, W. Bosma, C. Fieker, and A. Steel. Handbook of Magma Functions. School of Mathematics and Statistics, University of Sydney, July 2017.
[DF04] D. S. Dummit and R. M. Foote. Abstract Algebra. John Wiley & Sons, Inc., third edition, 2004.
[Din01] I. Dinur. Approximating SVP to within almost-polynomial factors is NP-hard. Theoretical Computer Science, 285(1):55–71, May 2001.
[dS03] M. du Sautoy. The Music of the Primes: Searching to Solve the Greatest Mystery in Mathematics. HarperCollins, 2003.
[Gal06] J. A. Gallian. Contemporary Abstract Algebra. Houghton Mifflin Company, sixth edition, 2006.
[Han82] R. Hanson. Integer matrices whose inverses contain only integers. The Two-Year College Mathematics Journal, 13(1):18–21, January 1982.
[HP04] J. F. Humphreys and M. Y. Prest. Numbers, Groups and Codes. Cambridge University Press, 2004.
[HPS11] G. Hanrot, X. Pujol, and D. Stehlé. Algorithms for the shortest and closest lattice vector problems. 2011. Available at http://perso.ens-lyon.fr/guillaume.hanrot/Papers/iwcc.pdf.
[Kal09] B. Kaliski. The mathematics of the RSA public-key cryptosystem. 2009.
[Kho04] S. Khot. Hardness of approximating the shortest vector problem in lattices. 45th Symposium on Foundations of Computer Science (FOCS 2004), 17(19):126–135, 2004.
[Kho05] S. Khot. Hardness of approximating the shortest vector problem in lattices. Journal of the ACM, 52(5):789–808, September 2005.
[LLL82] A. K. Lenstra, H. W. Lenstra, and L. Lovász. Factoring polynomials with rational coefficients. Mathematische Annalen, 261:515–534, 1982. Available at https://www.math.leidenuniv.nl/~hwl/PUBLICATIONS/1982f/art.pdf.
[LLM15] D. C. Lay, S. R. Lay, and J. J. McDonald. Linear Algebra and Its Applications. Pearson, fifth edition, 2015.
[LPR13] V. Lyubashevsky, C. Peikert, and O. Regev. On ideal lattices and learning with errors over rings. Eurocrypt, 2013. Available at https://eprint.iacr.org/2012/230.pdf.
[LS19] V. Lyubashevsky and G. Seiler. NTTRU: Truly fast NTRU using NTT. Cryptology ePrint Archive, Report 2019/040, 2019. https://eprint.iacr.org/2019/040.
[Mar77] D. A. Marcus. Number Fields. Springer, New York, 1977.
[Mic98] D. Micciancio. The shortest vector in a lattice is hard to approximate to within some constant. 39th Annual Symposium on Foundations of Computer Science (FOCS 1998), 8(11):92–98, 1998.
[Mic07] D. Micciancio. Generalized compact knapsacks, cyclic lattices, and efficient one-way functions. Computational Complexity, 16(4):365–411, 2007.
[Mic14a] D. Micciancio. Basis reduction, 2014. Available at http://cseweb.ucsd.edu/classes/sp14/cse206A-a/lec5.pdf.
[Mic14b] D. Micciancio. Minkowski's theorem, 2014. Available at http://cseweb.ucsd.edu/classes/sp14/cse206A-a/lec2.pdf.
[Mic14c] D. Micciancio. Point lattices, 2014. Available at http://cseweb.ucsd.edu/classes/sp14/cse206A-a/lec1.pdf.
[Mil17] J. S. Milne. Algebraic number theory (v3.07), 2017. Available at www.jmilne.org/math/.
[Mos15] M. Mosca. Cybersecurity in an era with quantum computers: will we be ready? Cryptology ePrint Archive, Report 2015/1075, 2015. Available at https://eprint.iacr.org/2015/1075.
[MR09] D. Micciancio and O. Regev. Lattice-based cryptography. In Daniel J. Bernstein, Johannes A. Buchmann, and Erik Dahmen, editors, Post-Quantum Cryptography, pages 147–187. Springer, Berlin Heidelberg, 2009.
[MV10a] D. Micciancio and P. Voulgaris. A deterministic single exponential time algorithm for most lattice problems based on Voronoi cell computations. Proc. of SODA, pages 351–358, 2010.
[MV10b] D. Micciancio and P. Voulgaris. Faster exponential time algorithms for the shortest vector problem. Proc. of SODA, 2010.
[NIS17] Post-quantum cryptography standardization. National Institute of Standards and Technology, 2017.
[NSA15] Commercial national security algorithm suite. U.S. National Security Agency, 2015.
[NV08] P. Q. Nguyen and T. Vidick. Sieve algorithms for the shortest vector problem are practical. Journal of Mathematical Cryptography, 2(2), 2008.
[Pei14] C. Peikert. Lattice cryptography for the internet, 2014.
[PR05] C. Peikert and A. Rosen. Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. 2005.
[PS09] X. Pujol and D. Stehlé. Solving the shortest lattice vector problem in time $2^{2.465n}$. Cryptology ePrint Archive, 2009. Available at https://eprint.iacr.org/2009/605.pdf.
[Reg04] O. Regev. Lattices in Computer Science. Lecture notes, Computer Science, Tel Aviv University, 2004. Available at https://cims.nyu.edu/~regev/.
[Reg09] O. Regev. On lattices, learning with errors, random linear codes, and cryptography. J. ACM, 56(6):1–40, 2009.
[RSA78] R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. 1978.
[Sam08] P. Samuel. Algebraic Theory of Numbers. Dover Publications, 2008.
[Sch11] M. Schneider. Sieving for shortest vectors in ideal lattices. 2011. Available at https://eprint.iacr.org/2011/458.pdf.
[Sho95] P. W. Shor. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. 1995.
Academic Vita – Simon (Khanh) T. Huynh

Personal Profile
I am a student in mathematics at the Pennsylvania State University, University Park, expecting to graduate in May 2019. My honors thesis advisor is Dr. Kirsten Eisenträger. I am interested in algebraic number theory, commutative algebra, algebraic geometry, and problems motivated by cryptography.

Education
2017 – 2019 B.S. in Mathematics, The Pennsylvania State University – University Park, PA. Schreyer Honors College. Honors thesis: The Shortest Vector Problem in Ideal Lattices.
2014 – 2017 A.S. in Mathematics, Computer Science, Physics, and Engineering, Hagerstown Community College – Hagerstown, MD. Graduated with High Honors.

Grants, Scholarships, and Awards
2019 – 2023 Jack Kent Cooke Foundation Graduate Scholarship.
2017 – 2019 Jack Kent Cooke Foundation Undergraduate Transfer Scholarship.
Spring 2018 The President's Freshman Award, The Pennsylvania State University.
Spring 2017 John M. Waltersdorf Family Scholarship, Hagerstown Community College.
Fall 2017 All-Maryland Community College Academic Team, First Team.
Spring 2016 Electromet Technical Excellence Scholarship, Hagerstown Community College.
Fall 2016 Commendation for Academic Excellence in Mathematics and Science.

Employment History
Jan 2018 – Aug 2018 Math Grader, Eberly College of Science, The Pennsylvania State University, University Park, PA
• Grade students' homework assignments and provide constructive feedback.

Jan 2015 – May 2017 Peer Math Tutor, Learning Support Center, Hagerstown Community College, Hagerstown, MD
• Support students with their academic coursework in mathematics and sciences.
• Assist students to develop effective learning habits.
• Empower students to become independent, resourceful learners.
• Maintain, clean, and organize the computer lab's facilities in addition to refilling supplies.
• Enforce rules and regulations within the computer lab.

Jan 2015 – Aug 2015 Teaching Assistant, Hagerstown Community College, Hagerstown, MD
• Assist instructors during the lab portions of math courses.
• Emphasize and explain important concepts.
• Encourage and guide students to develop their own strategies for solving problems.

Technical and Personal Skills
Programming Languages: Magma – Computational Algebra System; MATLAB; Python; C++; LaTeX – Typesetting System.
Industrial Software Skills: Adobe Creative Cloud – Photoshop, Illustrator, and Dreamweaver; Microsoft Office – Word, Excel, and PowerPoint.
Personal Skills: Tutoring and Teaching; Problem Solving; Communication; Public Speaking; CPR and First Aid.

Professional Membership
• Schreyer Honors College, The Pennsylvania State University, University Park, PA.
• Blue & White Society, Penn State Alumni Association, University Park, PA.
• Phi Theta Kappa Honor Society, Pi Theta Chapter, Hagerstown Community College, Hagerstown, MD.
• MAA, Mathematical Association of America.

Interests
• Computer Programming
• Volunteering
• Traveling
• Snowboarding
• Swimming and Scuba-diving