Algebraic number fields and the LLL algorithm
M. J. Uray (Uray M. János)
[email protected]
Eötvös Loránd University, Budapest
Faculty of Informatics, Department of Computer Algebra
Abstract
In this paper we analyze the computational cost of various operations performed symbolically in real algebraic number fields, where the elements are represented as polynomials of a primitive element of the field. We give bounds on the costs in terms of several parameters, including the degree of the field and the representation size of the input. Beyond the basic field operations we also analyze the cost of the less-than comparison and the integer rounding functions. As an important application we give a polynomial bound on the running time of the LLL lattice reduction algorithm when the vector coordinates are from an algebraic number field and the computations are performed exactly.
1 Introduction

Exact symbolic computation with algebraic expressions, or specifically with algebraic numbers, is an important feature that most computer algebra systems provide. They use efficient algorithms for the calculations, described in several papers and books, for example [1], [2], [3] or [4]. However, to our knowledge, no complete account of the computational costs is given in these works. The present paper provides explicit bounds on the costs of many operations in algebraic number fields in terms of several parameters, including the size of the input and the parameters of the number field. The costs are computed in terms of word operations, taking into account the increased cost when multi-precision representation is needed for large integers.

The obtained explicit formulas enable us to calculate the running time of several well-known algorithms if they use exact arithmetic with algebraic numbers. For example, consider Gaussian elimination, where the number of operations on the entries is easily shown to be polynomial, but if we use exact arithmetic on rational or algebraic numbers, then the growing size of the entries can cause concerns. The Bareiss algorithm [7] is a modification for rational numbers which deals with this problem by certain simplifications, ensuring polynomial running time (although with a larger exponent). The idea has a straightforward generalization to algebraic number fields, which this paper presents briefly.

As a more important application of our algebraic number field results, we prove the polynomiality of the LLL lattice reduction algorithm when it is performed symbolically with algebraic numbers. The analysis of the running time of the LLL algorithm requires much more care than that of the Bareiss algorithm, and relies on several subproblems, which include finding a bound on the number of main steps, and examining how the sizes of the entries grow during these iterations. The original paper describing this algorithm [5] solves these problems for integer-valued vectors, but those calculations fail when algebraic numbers are considered. The present paper solves this by giving more general answers to these questions.

For several practical purposes, executing the LLL algorithm with the usual (e.g. 64-bit) floating-point numbers seems sufficient, since the goal is finding a well-reduced basis or a short vector. Still, we think that the analysis of the LLL algorithm using symbolic algebraic numbers deserves interest. First, it is interesting from a theoretical point of view. Second, there are applications where the exact values in the reduction are needed. For example, in [6] algebraic integers are represented by ultimately periodic series of integer vectors, obtained by repeated application of the LLL algorithm. This representation is a generalization of continued fractions, and as with continued fractions, the exact representation is only guaranteed to be obtained if we use symbolic calculation.

The paper is built up as follows: Section 2 analyzes the computational costs of several operations in algebraic number fields; Section 3 gives a brief calculation about the Bareiss algorithm with algebraic numbers; Section 4 covers the running time of the LLL algorithm; and in Section 5 we summarize the results.
2 Operations in algebraic number fields

In this section we discuss the complexity of various operations in algebraic number fields. Let F be a real algebraic number field of degree m, and let α ∈ F be a primitive element, i.e. F = Q(α). Without loss of generality we can assume that α is an algebraic integer. Denote its minimal polynomial by

    f(x) = x^m + f_{m−1} x^{m−1} + ... + f_1 x + f_0    (f_i ∈ Z).

We will consider f, α and m as fixed throughout this article.

Elements of this field can be represented as rational linear combinations of 1, α, α², ..., α^{m−1}. However, in order to minimize the problems with rational numbers, such as the need for simplification, we use an integer linear combination together with a common denominator. Furthermore, we consider only the numerator, i.e. the ring Z[α], because dealing with the single denominator is trivial, and in many algorithms using algebraic numbers the denominators can be cleared at the beginning.

For most operations, representing α by its minimal polynomial suffices, because the algebraic properties do not change when different conjugates of α are used. However, for some operations, like the less-than comparison, additional information is needed to distinguish the conjugates. For this, we use an isolating interval, i.e. an interval with rational endpoints that contains exactly one root of f(x), namely α.

In Subsection 2.1 we give bounds on the growth of the representation size of the numbers in Z[α] during the operations, and in Subsection 2.2 we give bounds on the running time of these operations.

2.1 Growth of the representation size

For an algebraic integer

    a = a_0 + a_1 α + a_2 α² + ... + a_{m−1} α^{m−1} ∈ Z[α]    (a_i ∈ Z),

we will use the following norm-like function to measure its coefficient size:

(2.1)    c(a) := max_{i=0..m−1} |a_i|.

This quantity (or rather its logarithm), together with the field degree m (which is constant for a fixed field), indicates the storage size needed by the algebraic integer a. The following result shows how this size can grow during several operations.
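For illustration, here is a minimal Python sketch of this representation (the class and function names are ours, not from the paper): an element of Z[α] is stored as its integer coefficient vector, and c(a) is read off directly from it.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class AlgebraicInt:
    """Element a_0 + a_1*alpha + ... + a_{m-1}*alpha^{m-1} of Z[alpha],
    stored as the integer coefficient list [a_0, ..., a_{m-1}]."""
    coeffs: List[int]   # length m

def coeff_size(a: AlgebraicInt) -> int:
    """c(a) = max_i |a_i| from (2.1); c(0) is taken to be 0."""
    return max((abs(c) for c in a.coeffs), default=0)

def add(a: AlgebraicInt, b: AlgebraicInt) -> AlgebraicInt:
    """Addition is coordinate-wise, so c(a + b) <= c(a) + c(b), as in (2.4)."""
    return AlgebraicInt([x + y for x, y in zip(a.coeffs, b.coeffs)])
```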
Lemma 2.1.

Let a, b ∈ Z[α] and s ∈ Z. Write 1/b ∈ Q(α) in the following form (if b ≠ 0):

    1/b = b̃ / N(b),    b̃ ∈ Z[α],  N(b) ∈ Z,

where N(b) is the norm of b. Let A := log c(a), B := log c(b), S := log|s| and F := log ‖f‖_∞ := log max_{i=0..m−1} |f_i|. Then there exist positive constants M_α, P_α, Q_α, S_α such that:

(2.2)    c(0) = 0;
(2.3)    c(s) = |s|;
(2.4)    c(a ± b) ≤ c(a) + c(b),    log c(a ± b) = O(max(A, B));
(2.5)    c(sa) = |s| c(a),    log c(sa) = O(S + A);
(2.6)    c(ab) ≤ M_α c(a) c(b),    log c(ab) = O(A + B + mF);
(2.7)    c(b̃) ≤ P_α c(b)^{m−1},    log c(b̃) = O(mB + m²F);
(2.8)    |N(b)| ≤ Q_α c(b)^m,    log |N(b)| = O(mB + mF + m log m);
(2.9)    |a| ≤ S_α c(a);
(2.10)   |a| ≥ 1 / ( P_α S_α c(a)^{m−1} ),    where S_α := 1 + |α| + |α|² + ... + |α|^{m−1};

and we have:

(2.11)   M_α ≤ m (1 + ‖f‖_∞)^{m−1},    log M_α = O(mF);
(2.12)   P_α ≤ m ‖f‖_2^{m−1} (M_α + √m)^{m−1},    log P_α = O(m²F);
(2.13)   Q_α ≤ m^{m/2} ‖f‖_2^{m−1},    log Q_α = O(mF + m log m);
(2.14)   S_α ≤ m · max(1, |α|)^{m−1},    log S_α = O(mF).

(Here ‖f‖_2 denotes the Euclidean norm of the coefficient vector of f, and ‖f‖_∞ its maximum norm.)

(2.2), (2.3), (2.4) and (2.5) are trivial, the others are proved below.
Proof of (2.6) and (2.11)

Let c := ab, and write c = c_0 + c_1 α + c_2 α² + ... + c_{m−1} α^{m−1}. Then:

    c = Σ_{i=0}^{m−1} Σ_{j=0}^{m−1} a_i b_j α^{i+j}
      = Σ_{k=0}^{m−1} ( Σ_{j=0}^{k} a_j b_{k−j} ) α^k + Σ_{k=0}^{m−2} ( Σ_{j=k+1}^{m−1} a_j b_{k+m−j} ) α^{m+k}.

In order to get the c_i's, we need to write the α^{m+k}'s in terms of lower powers of α:

    α^{m+k} = r_{k,0} + r_{k,1} α + r_{k,2} α² + ... + r_{k,m−1} α^{m−1}.

Substituting this into c above, we get:

    c_l = Σ_{j=0}^{l} a_j b_{l−j} + Σ_{k=0}^{m−2} ( Σ_{j=k+1}^{m−1} a_j b_{k+m−j} ) r_{k,l}.

For calculating c(c), we need upper bounds for the c_l's, and first for the r_{k,l}'s. Using that f is the minimal polynomial of α, one can get a recursive formula for the r_{k,l} coefficients [1, p. 159]:

(2.15)    r_{0,l} = −f_l,    r_{k+1,l} = r_{k,l−1} − f_l r_{k,m−1},

by defining the coefficients with negative indices to be zero. Then one can easily show by induction that:

(2.16)    |r_{k,l}| ≤ ‖f‖_∞ (1 + ‖f‖_∞)^k.

We can then get a bound for the c_l's:

    |c_l| ≤ Σ_{j=0}^{l} |a_j||b_{l−j}| + Σ_{k=0}^{m−2} ( Σ_{j=k+1}^{m−1} |a_j||b_{k+m−j}| ) |r_{k,l}|
          ≤ m c(a) c(b) + Σ_{k=0}^{m−2} m c(a) c(b) ‖f‖_∞ (1 + ‖f‖_∞)^k
          = m c(a) c(b) + m c(a) c(b) ‖f‖_∞ · ( (1 + ‖f‖_∞)^{m−1} − 1 ) / ( (1 + ‖f‖_∞) − 1 )
          = m (1 + ‖f‖_∞)^{m−1} c(a) c(b),

and this is (2.6) with (2.11).
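The following Python sketch (our own illustration, not the paper's code) implements exactly this computation: it precomputes the r_{k,l} coefficients by the recursion (2.15) and then multiplies two elements of Z[α] by convolution followed by reduction of the high powers of α.

```python
def reduction_table(f_coeffs):
    """r[k][l] such that alpha^(m+k) = sum_l r[k][l] * alpha^l, computed by (2.15).
    f_coeffs = [f_0, ..., f_{m-1}] of the monic minimal polynomial
    f(x) = x^m + f_{m-1} x^{m-1} + ... + f_0."""
    m = len(f_coeffs)
    r = [[-f_coeffs[l] for l in range(m)]]          # r_{0,l} = -f_l
    for k in range(m - 2):                          # build rows 1 .. m-2
        prev = r[-1]
        row = [(prev[l - 1] if l > 0 else 0) - f_coeffs[l] * prev[m - 1]
               for l in range(m)]                   # r_{k+1,l} = r_{k,l-1} - f_l * r_{k,m-1}
        r.append(row)
    return r

def multiply(a, b, r):
    """Product of a, b in Z[alpha], given as coefficient lists of length m."""
    m = len(a)
    d = [0] * (2 * m - 1)                           # step 1: plain convolution
    for i in range(m):
        for j in range(m):
            d[i + j] += a[i] * b[j]
    c = d[:m]                                       # step 2: fold alpha^(m+k) back
    for k in range(m - 1):
        for l in range(m):
            c[l] += d[m + k] * r[k][l]
    return c

# Example: f(x) = x^2 - 2 (alpha = sqrt(2)); (1 + alpha)^2 = 3 + 2*alpha.
r = reduction_table([-2, 0])
print(multiply([1, 1], [1, 1], r))                  # [3, 2]
```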
Proof of (2.7), (2.8), (2.12) and (2.13)

Let g(x) be the polynomial for which b = g(α), and consider the following polynomial:

    h(x) := res_y( f(y), x − g(y) ) = x^m + h_{m−1} x^{m−1} + ... + h_2 x² + h_1 x + h_0,

which is called the characteristic polynomial of b in Q(α); it is either the minimal polynomial of b or a positive integer power of it [1, p. 162–164]. Therefore h(b) = 0, i.e.:

    b^m + h_{m−1} b^{m−1} + ... + h_2 b² + h_1 b + h_0 = 0,

which can be rearranged as:

(2.17)    1/b = −( b^{m−1} + h_{m−1} b^{m−2} + ... + h_2 b + h_1 ) / h_0.

We know that the constant term of the characteristic polynomial is the norm, i.e. h_0 = N(b), therefore the numerator on the right-hand side is b̃.

First we give bounds on the coefficients of h. Using the Sylvester matrix representation of resultants, h(x) = res_y(f(y), x − g(y)) can be written as a determinant in which m−1 rows contain the coefficients 1, f_{m−1}, ..., f_1, f_0 of f (shifted), and m rows contain the coefficients −g_{m−1}, ..., −g_1, x − g_0 of x − g(y) (shifted). Split this determinant into the sum of two along a g-row, where the first contains only the x and the second contains the −g_k's. Doing this on each g-row gives a sum of 2^m determinants. Then, for a specific k, the term h_k x^k is the sum of those determinants that contain x exactly k times. There are (m choose k) such determinants, and each can be bounded by Hadamard's inequality [1, p. 51] for rows after removing the rows and columns of the x's. This gives the following bound for the h_k's:

    |h_k| ≤ (m choose k) ‖f‖_2^{m−1} ‖g‖_2^{m−k} ≤ (m choose k) m^{(m−k)/2} ‖f‖_2^{m−1} c(b)^{m−k},

using that ‖g‖_2 ≤ √m ‖g‖_∞ = √m c(b).

For k = 0, since h_0 = N(b), this is exactly (2.8) with (2.13).

To bound b̃, we use the formula in the numerator of (2.17), and write it in a recursive (Horner-like) way:

    d_0 := 1,    d_{k+1} := d_k b + h_{m−k−1},    b̃ = −d_{m−1}.

Then we prove the following bound by induction:

    c(d_k) ≤ ‖f‖_2^{m−1} c(b)^k Σ_{j=0}^{k} (m choose j) M_α^{k−j} m^{j/2}.

We use the coefficient bounds (2.4)–(2.6) for addition and multiplication:

    c(d_0) = c(1) = 1 ≤ ‖f‖_2^{m−1},
    c(d_{k+1}) = c( d_k b + h_{m−k−1} ) ≤ M_α c(d_k) c(b) + |h_{m−k−1}|
              ≤ ‖f‖_2^{m−1} c(b)^{k+1} ( M_α Σ_{j=0}^{k} (m choose j) M_α^{k−j} m^{j/2} + (m choose k+1) m^{(k+1)/2} )
              = ‖f‖_2^{m−1} c(b)^{k+1} Σ_{j=0}^{k+1} (m choose j) M_α^{k+1−j} m^{j/2}.

Then we can get the bound for c(b̃):

    c(b̃) = c(d_{m−1}) ≤ ‖f‖_2^{m−1} c(b)^{m−1} Σ_{j=0}^{m−1} (m choose j) M_α^{m−1−j} m^{j/2}
         ≤ m ‖f‖_2^{m−1} c(b)^{m−1} Σ_{j=0}^{m−1} (m−1 choose j) M_α^{m−1−j} m^{j/2}
         = m ‖f‖_2^{m−1} c(b)^{m−1} ( M_α + √m )^{m−1},

which is (2.7) with (2.12).
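As a small cross-check of the characteristic polynomial and the norm (our own illustration; the use of sympy and the symbol names are assumptions, not part of the paper's algorithms):

```python
from sympy import symbols, resultant, Poly, expand

x, y = symbols('x y')

# Example field Q(alpha) with alpha = sqrt(2): f(y) = y^2 - 2, and b = g(alpha) = 1 + alpha.
f = y**2 - 2
g = 1 + y

# Characteristic polynomial of b: h(x) = res_y(f(y), x - g(y)).
h = expand(resultant(f, x - g, y))
print(Poly(h, x).all_coeffs())        # [1, -2, -1]  ->  h(x) = x^2 - 2x - 1

# Its constant term is the norm N(b); for b = 1 + sqrt(2): N(b) = (1+sqrt(2))(1-sqrt(2)) = -1.
print(Poly(h, x).all_coeffs()[-1])    # -1
```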
Proof of (2.9), (2.10) and (2.14)

Upper bound (2.9):

    |a| = | Σ_{k=0}^{m−1} a_k α^k | ≤ Σ_{k=0}^{m−1} |a_k| |α|^k ≤ c(a) Σ_{k=0}^{m−1} |α|^k = c(a) S_α.

Lower bound (2.10) comes from the upper bound on the inverse:

    |1/a| = |ã| / |N(a)| ≤ S_α c(ã) / 1 ≤ P_α S_α c(a)^{m−1}.

A simple upper bound for S_α:

    S_α = Σ_{k=0}^{m−1} |α|^k ≤ Σ_{k=0}^{m−1} max(1, |α|)^{m−1} = m · max(1, |α|)^{m−1}.

It is well known that for any complex root α of the polynomial f(x) = x^m + f_{m−1}x^{m−1} + ... + f_1 x + f_0:

    |α| ≤ 1 + max{ |f_0|, |f_1|, ..., |f_{m−1}| },

therefore log|α| = O(F), and substituting this into the bound for S_α, we get (2.14).

2.2 Running time of field operations

In this section we give bounds on the running time of several operations in algebraic number fields. As the field elements are represented by integers, these calculations rely on the running time of integer operations, especially multiplication and division, for which different algorithms exist with different time complexities. For the sake of generality, we give our results in terms of the complexity of integer multiplication, using the following notation.

Let Mul(A, B) be the running time of the multiplication of two integers a, b ∈ Z whose sizes are bounded by A and B (i.e. log|a| ≤ A and log|b| ≤ B), and let Mul(A) := Mul(A, A). The value depends on the actual integer multiplication algorithm used, for example:

    • basic multiplication: Mul(A, B) = O(AB),
    • Karatsuba multiplication: Mul(A) = O(A^{log₂ 3}),
    • Schönhage–Strassen algorithm: Mul(A) = O(A log A log log A).

In the running time calculations later in this paper we use only the following assumptions about the Mul function:

    Mul(A, B) = Mul(B, A),
    B ≤ C  ⇒  Mul(A, B) ≤ Mul(A, C),
    Mul(A, B + C) ≤ Mul(A, B) + Mul(A, C),
    Mul(A, nB) ≤ n Mul(A, B)    (n ∈ Z⁺),
    n Mul(A) ≤ Mul(nA),
    A ≤ Mul(A) ≤ A².

We assume furthermore that the exact division of two integers (i.e. division without remainder), where the divisor has size B and the quotient has size C, can be performed in Mul(B, C) time.

The following results use the Mul function to give running time bounds on the operations in Z[α].
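For quick back-of-envelope estimates, the three cost models above can be written as simple word-count formulas; this helper is illustrative only (the function and model names are ours, not part of the paper's analysis):

```python
import math

def mul_cost(A, B=None, model="basic"):
    """Rough word-operation count for multiplying integers of bit sizes A and B
    under the cost models listed above (constant factors ignored)."""
    B = A if B is None else B
    if model == "basic":           # schoolbook: O(A*B)
        return A * B
    n = max(A, B)
    if model == "karatsuba":       # O(n^{log2 3})
        return n ** math.log2(3)
    if model == "schoenhage":      # Schönhage-Strassen: O(n log n log log n)
        return n * math.log2(n) * math.log2(max(math.log2(n), 2))
    raise ValueError(model)
```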
Lemma 2.2.

Let again a, b ∈ Z[α] and s ∈ Z. Let A := log c(a), B := log c(b), S := log|s| and F := log ‖f‖_∞ := log max_{i=0..m−1} |f_i|. Then the operations in Z[α] can be calculated in the following time:

(2.18)    a ± b :    O( m max(A, B) );
(2.19)    sa :       O( m Mul(S, A) );
(2.20)    ab :       O( m² Mul(A, B) + m² Mul(mF, A + B + log m) );
(2.21)    1/b :      O( m³ Mul( m(B + F + log m) ) );
(2.22)    a < b :    O( m² Mul( mA + mB + m²F ) );
(2.23)    ⌊a/s⌋ :    O( m² Mul( m max(A, S) + m²F ) );
(2.24)    ⌊a/b⌋ :    O( m² Mul( mA + m²B + m³F ) ).

(2.18) and (2.19) are trivial, the others are proved below. Note that the same bounds hold for ⌈·⌉ and ⌊·⌉ (rounding to the nearest integer) as for ⌊·⌋.

Proof of (2.20)
The product of a, b ∈ Z[α] can be computed by the following steps:

1. Calculate the product of the polynomials of a and b, i.e. calculate:

    d_l := Σ_j a_j b_{l−j}    (0 ≤ l ≤ 2m−2).

2. Calculate its remainder modulo f by:

    c_l := d_l + Σ_{k=0}^{m−2} d_{m+k} r_{k,l}    (0 ≤ l ≤ m−1).

The r_{k,l} coefficients can be precalculated from f by (2.15).

When calculating the running time, we ignore the additions and count only the multiplications, which dominate. The first step involves m² multiplications between coefficients of a and b:

    T_1 = m² Mul(A, B).

For the second step, we need bounds on the lengths of d_l and r_{k,l} (for the latter, we use (2.16)):

    log|d_l| ≤ log( Σ_j |a_j||b_{l−j}| ) = O(A + B + log m),
    log|r_{k,l}| ≤ log‖f‖_∞ + k log(1 + ‖f‖_∞) = O(mF).

Therefore:

    T_2 = Σ_{l=0}^{m−1} Σ_{k=0}^{m−2} Mul( log|d_{m+k}|, log|r_{k,l}| ) = O( m² Mul(mF, A + B + log m) ).

Putting the two together, T_1 + T_2 is (2.20).

Proof of (2.21)

The multiplicative inverse of b ∈ Z[α] can be calculated by the extended Euclidean algorithm (EEA). Let g(x) be the polynomial for which b = g(α); then the EEA for f and g computes s and t such that s(x)f(x) + t(x)g(x) = 1, and thus t(α)g(α) = 1.

The problem is that the EEA can run in exponential time because of the growing coefficients, but we can use one of its variants, the subresultant algorithm, which runs in polynomial time. Brown calculated its running time in [8]; for univariate polynomials it is (using our notation) [8, p. 500]:

    T = O( m⁴ log² max(‖f‖_∞, ‖g‖_∞) ).

This form is however not suitable for our calculation, for several reasons detailed below, therefore we make some modifications after which a calculation similar to that in [8] gives a more appropriate result.

First, that calculation uses the same bound for the coefficients of f(x) and g(x). But in our application the two polynomials play different roles: f(x) is the minimal polynomial (which is fixed in a particular algebraic number field), and g(x) depends on the actual algebraic number. [8, (22)] bounds the coefficients of the intermediate polynomials by m(2L + log m), where L := log max(‖f‖_∞, ‖g‖_∞). We replace it by m(log‖f‖_∞ + log‖g‖_∞ + log m), which is a more specific bound; both come from Hadamard's lemma applied to the Sylvester-like determinant form of those coefficients. Also, the original calculation (in [8, (74)]) ignored the logarithmic term log m, but we preserve it to get the worst-case complexity. With these changes so far, the result is:

    T = O( m⁴ (log‖f‖_∞ + log‖g‖_∞ + log m)² ) = O( m⁴ (B + F + log m)² ).

Our next problem is that Brown used the standard integer multiplication algorithm, and not the more general Mul() function. Multiplication first arises in the running time of one pseudo-division, which is by [8, (68)]:

    T_pdiv = O( m d L L' ),

where L is the coefficient size bound of the inputs of the pseudo-division, L' is that of the pseudo-quotient, and d is the degree of the pseudo-quotient. It can easily be seen that L' = O(dL). Changing to the Mul() function, one pseudo-division therefore costs:

    T_pdiv = O( md Mul(L, L') ) = O( md Mul(L, dL) ) = O( md² Mul(L) ).

The next problem is that Brown assumed that the polynomial remainder sequence of the algorithm is always normal, i.e. that the degree of the polynomials decreases by exactly one in each step. Abnormal sequences are rare, but we cannot ignore them in a worst-case complexity calculation. Removing that assumption and combining the result with the improved bound on T_pdiv above, we get:

    T = O( m² ( max_j d_j ) Mul( m(B + F + log m) ) ),

where the d_j's are the degree differences in the polynomial sequence (i.e. the degrees of the quotients). In the worst case max_j d_j = O(m), so:

    T = O( m³ Mul( m(B + F + log m) ) ).

Our last problem is that Brown considers the basic subresultant algorithm, but we need the extended one. The latter maintains two auxiliary polynomial sequences. It follows from [3, p. 290–291] that the coefficients of these polynomials can be written as similar Sylvester-like determinants as those of the basic polynomials, so their size has the same asymptotic bound: m(B + F + log m). Since they repeat all operations performed on the basic sequence, they need asymptotically the same time, and thus do not change the asymptotic bound on the final running time.
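The subresultant machinery above is what yields the polynomial bit-complexity bound; purely as an illustration, here is a minimal exact inverse in Z[α] computed with the plain extended Euclidean algorithm over Q[x] using Fraction arithmetic (our own sketch, with illustrative names; this naive variant does not have the coefficient-growth guarantees discussed above).

```python
from fractions import Fraction

def trim(p):
    while len(p) > 1 and p[-1] == 0:
        p.pop()
    return p

def poly_mul(a, b):
    res = [Fraction(0)] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            res[i + j] += x * y
    return trim(res)

def poly_sub(a, b):
    n = max(len(a), len(b))
    return trim([(a[i] if i < len(a) else Fraction(0)) -
                 (b[i] if i < len(b) else Fraction(0)) for i in range(n)])

def poly_divmod(a, b):
    """Quotient and remainder over Q; polynomials are Fraction lists, index = degree."""
    r = trim([Fraction(c) for c in a])
    b = trim([Fraction(c) for c in b])
    q = [Fraction(0)] * max(len(r) - len(b) + 1, 1)
    while len(r) >= len(b) and any(r):
        shift = len(r) - len(b)
        coef = r[-1] / b[-1]
        q[shift] += coef
        for i, bc in enumerate(b):
            r[shift + i] -= coef * bc
        trim(r)
    return q, r

def inverse_mod(g, f):
    """1/g(alpha) in Q(alpha) = Q[x]/(f) via the extended Euclidean algorithm:
    returns t with t(x)*g(x) = 1 (mod f(x)); f is the monic irreducible minimal
    polynomial, coefficient lists are given lowest degree first."""
    r0, r1 = [Fraction(c) for c in f], [Fraction(c) for c in g]
    t0, t1 = [Fraction(0)], [Fraction(1)]
    while any(r1):
        q, r = poly_divmod(r0, r1)
        r0, r1 = r1, r
        t0, t1 = t1, poly_sub(t0, poly_mul(q, t1))
    return [c / r0[0] for c in t0]      # r0 is a nonzero constant since f is irreducible

# Example: alpha = 2**(1/3), f(x) = x^3 - 2; 1/(1 + alpha) = (1 - alpha + alpha^2)/3.
print(inverse_mod([1, 1], [-2, 0, 0, 1]))   # [Fraction(1, 3), Fraction(-1, 3), Fraction(1, 3)]
```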
Proof of (2.22)

Since a < b is equivalent to a − b < 0, we only need to consider the comparison a < 0, and we may assume a ≠ 0. Let g(x) be the polynomial for which a = g(α). We approximate α by a refined isolating interval u/d ≤ α ≤ v/d, where d ∈ Z⁺, u := ⌊αd⌋ and v := ⌈αd⌉. We need a sufficiently accurate approximation so that when we substitute the endpoints into g(x) instead of α, the sign remains the same. For this, it suffices that d is so large that for every positive ε ≤ 1/d:

(2.25)    |g(α ± ε) − g(α)| < |a|.

We prove that this holds if:

(2.26)    d ≥ 2^{m−1} ( 2 c(a)^m P_α S_α² + 1 ).

The proof proceeds by finding an upper bound for |g(α ± ε) − g(α)|:

    |g(α ± ε) − g(α)| = | Σ_{k=0}^{m−1} a_k ( (α ± ε)^k − α^k ) |
        = | Σ_{k=0}^{m−1} a_k Σ_{j=1}^{k} (k choose j) α^{k−j} (±ε)^j |
        ≤ c(a) Σ_{k=0}^{m−1} Σ_{j=1}^{k} (k choose j) |α|^{k−j} |ε|^j
        = c(a) Σ_{j=1}^{m−1} Σ_{l=0}^{m−1−j} (l+j choose j) |α|^l |ε|^j
        ≤ c(a) Σ_{j=1}^{m−1} 2^{(m−1)j} S_α |ε|^j
        < c(a) S_α · 2^{m−1}ε / ( 1 − 2^{m−1}ε ).

Continuing this by substituting any ε ≤ 1/d with d as in (2.26), and using (2.10), we get:

    |g(α ± ε) − g(α)| < c(a) S_α · 1 / ( 2 c(a)^m P_α S_α² ) = 1 / ( 2 c(a)^{m−1} P_α S_α ) < |a|,

which proves (2.25).

We calculate g(w/d), where w is the smaller of u and v in absolute value, therefore:

    |w| = min(|u|, |v|) = min( |⌊αd⌋|, |⌈αd⌉| ) ≤ |αd| = |α| d.

Then:

    g(w/d) = ( a_0 d^{m−1} + a_1 w d^{m−2} + ... + a_{m−1} w^{m−1} ) / d^{m−1}.

Because d^{m−1} > 0, we need only the numerator (call it r), which can be calculated by the following recursive formula:

    r_0 := 0,    r_{k+1} := r_k w + a_{m−k−1} d^k,    r := r_m.

One can easily bound the size of r_k by induction:

    |r_k| ≤ c(a) d^{k−1} ( 1 + |α| + ... + |α|^{k−1} ) ≤ c(a) d^{k−1} S_α,    log|r_k| = O(A + mD + mF),

where D := log d. The total cost of calculating r, counting again only the multiplications and including the iterative calculation of the powers d^k, is:

    T = Σ_{k=0}^{m−1} ( Mul(log|r_k|, log|w|) + Mul(log|a_{m−k−1}|, log d^k) + Mul(log d, log d^{k−1}) )
      ≤ Σ_{k=0}^{m−1} ( Mul(A + mD + mF, F + D) + Mul(A, kD) + Mul(D, (k−1)D) ).

Then, by using the smallest d for which (2.26) holds, one can get an upper bound for D:

    D = O( m + mA + log P_α + log S_α ) = O( mA + m²F ).

Then T can be simplified by noticing that D dominates over A and F:

    T = Σ_{k=0}^{m−1} O( Mul(D, mD) ) = O( m² Mul(D) ),

which gives the running time of the comparison a < 0; combining it with the subtraction a − b, we obtain (2.22).

Proof of (2.23)

Let s > 0 (if s < 0, we can replace a by −a and s by −s). If a/s ∈ Z, the operation is trivial, so let a/s ∉ Z.

Note that since ⌈a/s⌉ = ⌊a/s⌋ + 1 if a/s ∉ Z, and ⌊a/s⌉ = ⌊a/s + 1/2⌋, the other rounding functions have the same asymptotic bounds as ⌊·⌋.

The proof is similar to the previous one, with the following differences. We need d to be so large that for every positive ε ≤ 1/d, both of the following inequalities hold:

(2.27)    |g(α ± ε) − g(α)| < | a − s⌊a/s⌋ |,    |g(α ± ε) − g(α)| < | a − s⌈a/s⌉ |.

We prove that this can be achieved if:

(2.28)    d ≥ 2^{m−1} ( 2 c(a,s)^m P_α S_α^{m+1} + 1 ),

where c(a, s) := max(c(a), s).

Let b be either a − s⌊a/s⌋ or a − s⌈a/s⌉ as in (2.27), and let us determine c(b). Since b − a is an integer, i.e. the representations of a and b differ only in their constant terms, we only need to bound the constant coefficient of b. Since a/s ∉ Z, we have |b| < s, and therefore the constant coefficient of b is at most

    |b| + | Σ_{k=1}^{m−1} a_k α^k | ≤ s + c(a)(S_α − 1) ≤ c(a,s) S_α

in absolute value, therefore c(b) ≤ c(a,s) S_α.

In the same way as in the previous proof, but with (2.28), we get:

    |g(α ± ε) − g(α)| < c(a,s) S_α · 1 / ( 2 c(a,s)^m P_α S_α^{m+1} ) = 1 / ( 2 c(a,s)^{m−1} P_α S_α^m )
                     ≤ 1 / ( 2 c(b)^{m−1} P_α S_α ) < |b|,

using c(b) ≤ c(a,s) S_α in the middle step and (2.10) at the end; this proves (2.27).

Then again, by using the smallest d for which (2.28) holds, we get an asymptotic bound for D:

    D = O( m max(A, S) + m²F ),

and otherwise the calculation of (2.23) is the same as that of (2.22).
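Both the comparison and the rounding proofs above rest on refining the isolating interval of α until the sign of a polynomial value can be read off from rational endpoint evaluations. A small Python illustration of this idea (our own sketch, which uses bisection instead of the explicit denominator bound (2.26), and assumes g(α) ≠ 0 and that the interval endpoints are never roots of g):

```python
from fractions import Fraction

def eval_at(coeffs, x):
    """Evaluate a_0 + a_1*x + ... + a_{k}*x^{k} at a rational x (Horner's scheme)."""
    acc = Fraction(0)
    for c in reversed(coeffs):
        acc = acc * x + c
    return acc

def sign_of_element(a_coeffs, f_coeffs, lo, hi):
    """Sign of a = g(alpha), where alpha is the root of f isolated by [lo, hi].
    The interval is bisected (using the sign of f at the midpoint) until g has
    the same sign at both endpoints."""
    while True:
        s_lo, s_hi = eval_at(a_coeffs, lo), eval_at(a_coeffs, hi)
        if s_lo > 0 and s_hi > 0:
            return 1
        if s_lo < 0 and s_hi < 0:
            return -1
        mid = (lo + hi) / 2
        fm = eval_at(f_coeffs, mid)
        if fm == 0:                      # alpha is rational: evaluate g there directly
            v = eval_at(a_coeffs, mid)
            return (v > 0) - (v < 0)
        if fm * eval_at(f_coeffs, lo) < 0:
            hi = mid
        else:
            lo = mid

# Example: alpha = sqrt(2) isolated by [1, 2] for f(x) = x^2 - 2;
# a = 7 - 5*alpha is negative (7 - 5*sqrt(2) is about -0.07).
print(sign_of_element([7, -5], [-2, 0, 1], Fraction(1), Fraction(2)))   # -1
```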
Proof of (2.24)

We write a/b as a·b̃ / N(b), and since N(b) ∈ Z, we can use the previous result (2.23). By using the properties (2.6)–(2.8) of c(·):

    c(a b̃) ≤ M_α P_α c(a) c(b)^{m−1},
    |N(b)| ≤ Q_α c(b)^m,
    c(a b̃, N(b)) ≤ max(M_α P_α, Q_α) c(a) c(b)^m,
    log c(a b̃, |N(b)|) = O( max(mF + m²F, mF + m log m) + A + mB ) = O( A + mB + m²F ),

and substituting this into (2.23), we get (2.24).

3 The Bareiss algorithm

The Bareiss algorithm [7] is an integer-preserving modification of Gaussian elimination that keeps the intermediate integers as small as generally possible by using provably exact divisions to reduce their sizes. It can be used to perform Gaussian elimination symbolically on a matrix with rational coefficients (by first multiplying through with the common denominator) without exponential coefficient growth or extensive GCD calculations for simplification.

In this section we apply the algorithm to Z[α], calculate its running time using the results of the previous section, and compare it with the running time in Z. We consider the simplest case, when a square matrix is converted into upper triangular form (e.g. to calculate its determinant).

Theorem 3.1.
Let A ∈ R^{n×n} where R ∈ {Z, Z[α]}, and let L := max_{i,j=1..n} log c(a_{ij}) (in Z, c(·) is simply |·|). Then the Bareiss algorithm on A runs in the following time, depending on the ring R and the integer multiplication algorithm used (Mul):

    R = Z:      O( n³ Mul( n(log n + L) ) ),
    R = Z[α]:   O( n³ m³ Mul( nm(log n + L + mF) ) ).

Proof:
Only the case R = Z[α] is proved: for Z the result is well known (at least when Mul(X) = O(X²)), and it also follows from a similar but easier argument than the one below.

The Bareiss algorithm uses the following formula [7, p. 570]:

(3.1)    a^{(0)}_{00} = 1,    a^{(1)}_{ij} = a_{ij},
         a^{(k+1)}_{ij} = ( a^{(k)}_{kk} a^{(k)}_{ij} − a^{(k)}_{ik} a^{(k)}_{kj} ) / a^{(k−1)}_{k−1,k−1},

with 1 ≤ k ≤ n−1 and k+1 ≤ i, j ≤ n. It is known that the division is exact, i.e. the result remains in R. We calculate the running time of the recursive formula (3.1). Let D denote the maximum of log c(·) of the variables in the formula. The calculation consists of the following main operations:

1. two multiplications (see (2.20)): O( m² Mul(D) + m² Mul(mF, D + log m) );
2. exact division:
   (a) calculating the inverse of a^{(k−1)}_{k−1,k−1} (in the form ã^{(k−1)}_{k−1,k−1} / N(a^{(k−1)}_{k−1,k−1})) (see (2.21)): O( m³ Mul( m(D + F + log m) ) );
   (b) multiplying the numerator by ã^{(k−1)}_{k−1,k−1}, whose c(·) has logarithm O(mD + m²F) by (2.7) (see (2.20)): O( m² Mul(D, mD + m²F) + m² Mul(mF, mD + m²F) );
   (c) dividing the resulting algebraic number exactly by N(a^{(k−1)}_{k−1,k−1}), which is an integer whose size is O(mD + mF + m log m) by (2.8): O( m Mul(mD + m²F, mD + mF + m log m) ).

Now we give an asymptotic bound on D := max_{k=1..n−1} max_{i,j=k+1..n} log c(a^{(k)}_{ij}). The variables a^{(k)}_{ij} are determinants of order k (≤ n) formed from the elements of A. Such a determinant can be written as a sum of k! terms, each a product of k elements (and possibly a sign). Therefore, using (2.4) and (2.6):

(3.2)    c(a^{(k)}_{ij}) ≤ n! M_α^{n−1} ( max_{i,j} c(a_{ij}) )^n,    log c(a^{(k)}_{ij}) = O( n log n + nmF + nL ).

The latter is D, and it shows that D dominates over mF. This can be used to simplify the formulas above and to observe that step 2(a) dominates over the others, therefore the running time of one evaluation of formula (3.1) is:

(3.3)    T = O( m³ Mul(mD) ).

This formula needs to be evaluated O(n³) times, which, after substituting (3.2) into D, gives the result to be proved.
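For concreteness, the fraction-free recurrence (3.1) over Z can be implemented in a few lines (our own sketch; it omits pivoting, and the Z[α] version would replace the integer operations by the Z[α] operations of Section 2):

```python
def bareiss_upper_triangular(M):
    """Fraction-free (Bareiss) elimination over Z; returns an upper triangular
    matrix whose last pivot equals det(M).  All divisions are exact."""
    A = [row[:] for row in M]
    n = len(A)
    prev = 1                                   # a^{(k-1)}_{k-1,k-1}, with a^{(0)}_{00} = 1
    for k in range(n - 1):
        assert A[k][k] != 0, "pivoting is not handled in this sketch"
        for i in range(k + 1, n):
            for j in range(k + 1, n):
                A[i][j] = (A[k][k] * A[i][j] - A[i][k] * A[k][j]) // prev   # exact division
            A[i][k] = 0
        prev = A[k][k]
    return A

M = [[2, 3, 1], [4, 1, -2], [1, 5, 3]]
print(bareiss_upper_triangular(M)[-1][-1])     # 3, which is det(M)
```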
4 The LLL algorithm

The LLL algorithm is a lattice basis reduction algorithm invented by A. K. Lenstra, H. W. Lenstra and L. Lovász [5]. For a lattice Λ, it transforms any basis b_1, b_2, ..., b_n ∈ R^n of Λ into a reduced basis of Λ. It is known that it runs in polynomial time if the vectors are in Z^n. In this section we show that it is also polynomial for vectors in Z[α]^n.

4.1 The algorithm

The algorithm first performs the Gram–Schmidt orthogonalization on the input vectors:

(4.1)    b*_i := b_i − Σ_{j=1}^{i−1} µ_ij b*_j    (1 ≤ i ≤ n),
(4.2)    µ_ij := ⟨b_i, b*_j⟩ / ⟨b*_j, b*_j⟩    (1 ≤ j < i ≤ n).

When the algorithm terminates, the b_i vectors are LLL-reduced, which means the following two properties:

(4.3)    |µ_ij| ≤ 1/2    (1 ≤ j < i ≤ n),
(4.4)    ‖b*_i + µ_{i,i−1} b*_{i−1}‖² ≥ δ ‖b*_{i−1}‖²    (2 ≤ i ≤ n),

where δ is a parameter (1/4 < δ < 1, usually δ = 3/4).

The skeleton of the LLL algorithm is the following. It contains only the changes of the b_i's; the full algorithm updates the other variables after each change of a b_i to preserve (4.1) and (4.2) above.

    k := 2
    while k ≤ n do
        b_k := b_k − ⌊µ_{k,k−1}⌉ b_{k−1}
        if k ≥ 2 and ‖b*_k + µ_{k,k−1} b*_{k−1}‖² < δ ‖b*_{k−1}‖² then
            swap step:  b_k ↔ b_{k−1};  k := k − 1
        else
            reduction step:  for l := k−2 downto 1 do  b_k := b_k − ⌊µ_{kl}⌉ b_l
            k := k + 1
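As an executable counterpart of this skeleton, here is a compact exact-arithmetic LLL over Q in Python (our own sketch, not the paper's implementation: it follows the common textbook formulation that size-reduces b_k completely before the Lovász test, recomputes the Gram–Schmidt data in every iteration instead of updating it, and uses the guard k := max(k−1, 2) after a swap):

```python
from fractions import Fraction

def gram_schmidt(b):
    """Exact Gram-Schmidt orthogonalization: returns (b*, mu) as in (4.1)-(4.2)."""
    n = len(b)
    bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
    for i in range(n):
        v = [Fraction(x) for x in b[i]]
        for j in range(i):
            num = sum(Fraction(x) * y for x, y in zip(b[i], bstar[j]))
            den = sum(y * y for y in bstar[j])
            mu[i][j] = num / den
            v = [x - mu[i][j] * y for x, y in zip(v, bstar[j])]
        bstar.append(v)
    return bstar, mu

def lll(b, delta=Fraction(3, 4)):
    b = [[Fraction(x) for x in row] for row in b]
    n, k = len(b), 1                                   # 0-based; k = 1 is the paper's k = 2
    while k < n:
        bstar, mu = gram_schmidt(b)
        for l in range(k - 1, -1, -1):                 # size-reduce b_k against b_{k-1}, ..., b_1
            r = round(mu[k][l])
            if r:
                b[k] = [x - r * y for x, y in zip(b[k], b[l])]
                for j in range(l):
                    mu[k][j] -= r * mu[l][j]
                mu[k][l] -= r
        Bk = sum(x * x for x in bstar[k])              # ||b*_k||^2 (unchanged by size reduction)
        Bk1 = sum(x * x for x in bstar[k - 1])
        if Bk + mu[k][k - 1] ** 2 * Bk1 < delta * Bk1: # Lovász condition (4.4) fails -> swap
            b[k], b[k - 1] = b[k - 1], b[k]
            k = max(k - 1, 1)
        else:
            k += 1
    return b

print(lll([[1, 1, 1], [-1, 0, 2], [3, 5, 6]]))
```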
Theorem 4.1.

Starting with any b_1, b_2, ..., b_n ∈ R^n, the LLL algorithm performs

    O( n⁴ K_δ log(nB/L) )

arithmetic operations in R (the meanings of the variables are described below). If the implementation uses fixed-size numbers (e.g. floating-point numbers), then the bit complexity is the same. On the other hand, if it uses a variable-length type like integers or exact algebraic numbers, the bit complexity is higher. It depends on the exact type (Z or Z[α]) and the integer multiplication algorithm used (Mul(X)):

    R = Z:
        Mul(X):                    O( n⁴ log B · Mul(n log B) · K_δ ),
        Mul(X) = X²:               O( n⁶ log³ B · K_δ ),
        Mul(X) = X^{log₂3}:        ≈ O( n^{5.59} log^{2.59} B · K_δ ),
        Mul(X) = X log X log log X:  O( n⁵ log² B · log(n log B) log log(n log B) · K_δ );

    R = Z[α]:
        Mul(X):                    O( n⁴ m H K_δ ( m Mul(m² n⁶ H² K_δ) + n⁵ H K_δ Mul(n² H) ) ),
        Mul(X) = X²:               O( n¹⁶ m⁶ H⁵ K_δ³ ),
        Mul(X) = X^{log₂3}:        ≈ O( n^{13.6} m^{5.2} H^{4.2} K_δ^{2.6} ),
        Mul(X) = X log X log log X:  O( n¹⁰ (n + m³) m H³ K_δ² log(mnHK_δ) log log(mnHK_δ) ),

        where H := (1/n) log(nB/L) = O( log B + m log C + m log n + m²F ),

and where:

    n:  the number and the dimension of the vectors;
    B := max_{i=1..n} ‖b_i‖;
    C := max_{i=1..n} c(b_i), where c(x) := max_{j=1..n} c(x_j) for a vector x;
    L := min{ ‖x‖ : x ∈ Λ(b_1, ..., b_n) \ {0} },
         where Λ(b_1, ..., b_n) := { c_1 b_1 + c_2 b_2 + ... + c_n b_n : c_1, ..., c_n ∈ Z };
    δ:  the parameter of the LLL algorithm (1/4 < δ < 1);  K_δ := 1 / log(1/δ);
    m:  the degree of α;
    F := log ‖f‖_∞ := log max_{i=0..m} |f_i|, where f is the minimal polynomial of α.

Before the theorem is proved, some other lemmas follow.
4.2 Bounds over R^n

Lemma 4.2.

Consider the LLL algorithm over R^n. Then the variables in the algorithm after any number of iterations (at the beginning or at the end of the body of the main while-loop) can be bounded by expressions depending only on the initial values (using the notations above):

(4.5)    ‖b*_i‖ ≤ B;
(4.6)    ‖b_i‖ ≤ √n B    (i ≠ k);
(4.7)    |µ_ij| ≤ 1/2    (i < k);
(4.8)    |µ_ij| ≤ 2^{n−i} √n (nB/L)^{n−1}    (i = k);
(4.9)    |µ_ij| ≤ √n (jB/L)^j    (i > k);
(4.10)   d_j ≤ B^{2j};
(4.11)   d_j ≥ (L²/j)^j;

where

(4.12)   d_j := ‖b*_1‖² ‖b*_2‖² ··· ‖b*_j‖².

Proof:
Most of these inequalities are similar to those in [5], especially to [5, (1.30)–(1.34)], but those are stated for vectors in Z^n, and many of them use the fact that d_j ≥ 1, because there d_j is both an integer and positive. In our case d_j is not necessarily an integer, so the first task is to prove a different lower bound for d_j, namely (4.11).

It follows from Minkowski's theorem that if S is a j-dimensional convex body that is symmetric to the origin and has no common point with the lattice Λ_j := Λ(b_1, ..., b_j) other than the origin, then:

    Vol(S) ≤ 2^j d(Λ_j),

where Vol(S) is the j-dimensional hypervolume of S and d(Λ_j) is the determinant of Λ_j, i.e. d(Λ_j) = √(d_j) [9, III.5.3 (p. 81)]. Let S be a hypercube with side 2r/√j, where r < L and r → L. Then:

    d(Λ_j) ≥ ( r/√j )^j,    d_j ≥ ( L²/j )^j,

which is (4.11).

(4.5), (4.6), (4.7) and (4.10) are either trivial or are proved in [5] without the use of the integer property.

Using the Cauchy–Schwarz inequality and the other inequalities of this lemma, we can bound |µ_ij| in terms of ‖b_i‖:

    |µ_ij| = |⟨b_i, b*_j⟩| / ‖b*_j‖² ≤ ‖b_i‖ ‖b*_j‖ / ‖b*_j‖² = ‖b_i‖ / ‖b*_j‖
           = √( d_{j−1}/d_j ) ‖b_i‖ ≤ √( B^{2(j−1)} (j/L²)^j ) ‖b_i‖ ≤ ( √j B / L )^j ‖b_i‖ / B,

and (4.8) and (4.9) follow from this by substituting the corresponding bounds on ‖b_i‖. □
For any basis b_1, ..., b_n ∈ R^n, the Gram–Schmidt coefficients (µ_ij) can be expressed explicitly in terms of the b_i's, as the quotient of the following two j × j determinants:

    µ_ij = λ_ij / d_j,

with

    d_j  = | ⟨b_1, b_1⟩  ···  ⟨b_1, b_{j−1}⟩  ⟨b_1, b_j⟩ |
           |    ···       ···       ···          ···     |
           | ⟨b_j, b_1⟩  ···  ⟨b_j, b_{j−1}⟩  ⟨b_j, b_j⟩ |,

    λ_ij = | ⟨b_1, b_1⟩  ···  ⟨b_1, b_{j−1}⟩  ⟨b_1, b_i⟩ |
           |    ···       ···       ···          ···     |
           | ⟨b_j, b_1⟩  ···  ⟨b_j, b_{j−1}⟩  ⟨b_j, b_i⟩ |.

Note that the two determinants differ only in their last column.
Proof: [1, p. 93] shows that the linear system

    ( ⟨b_p, b_q⟩ )_{p,q=1,...,j} · ( ξ_1, ..., ξ_{j−1}, ξ_j )^T = ( ⟨b_1, b_i⟩, ..., ⟨b_j, b_i⟩ )^T

holds with ξ_j = µ_ij (although the other ξ_l's might differ from the µ_il's). Solving the system for ξ_j by Cramer's rule gives the statement of the lemma. □

Note: this means that if b_1, b_2, ..., b_n ∈ R^n, where R ⊆ ℝ is an integral domain (e.g. R = Z or R = Z[α]), then λ_ij, d_j ∈ R as well.
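A quick numerical check of this lemma with exact rational arithmetic (our own sketch; the helper names are illustrative and the small determinant routine does no pivoting):

```python
from fractions import Fraction

def dot(u, v):
    return sum(Fraction(x) * Fraction(y) for x, y in zip(u, v))

def gram_schmidt_mu(basis):
    """Exact Gram-Schmidt coefficients mu[i][j] (0-based, j < i) over Q."""
    n = len(basis)
    bstar = [list(map(Fraction, b)) for b in basis]
    mu = [[Fraction(0)] * n for _ in range(n)]
    for i in range(n):
        for j in range(i):
            mu[i][j] = dot(basis[i], bstar[j]) / dot(bstar[j], bstar[j])
            bstar[i] = [x - mu[i][j] * y for x, y in zip(bstar[i], bstar[j])]
    return mu

def det(M):
    """Fraction-exact determinant by Gaussian elimination (assumes nonzero pivots)."""
    M = [row[:] for row in M]
    n, d = len(M), Fraction(1)
    for c in range(n):
        d *= M[c][c]
        for r in range(c + 1, n):
            f = M[r][c] / M[c][c]
            M[r] = [a - f * b for a, b in zip(M[r], M[c])]
    return d

b = [[3, 1, 2], [1, 4, 1], [2, 0, 5]]
mu = gram_schmidt_mu(b)
i, j = 2, 1                                    # check mu_{i,j} = lambda_{ij} / d_j (0-based)
G = [[dot(b[p], b[q]) for q in range(j + 1)] for p in range(j + 1)]
Gl = [row[:-1] + [dot(b[p], b[i])] for p, row in enumerate(G)]
print(mu[i][j], det(Gl) / det(G))              # both print -46/171
```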
Lemma 4.4.

Consider the LLL algorithm on R^n, and let t be the number of main iterations (which are either reduction steps or swap steps). Then:

(4.13)    t = O( n² log(nB/L) · K_δ ).

Proof:
Let r be the number of reduction steps and s the number of swap steps. Since the former adds 1 to k and the latter subtracts 1 from it, and since the algorithm starts with k = 2 and finishes when k = n + 1, we have r − s = n − 1 and t = r + s = 2s + n − 1.

Let D := d_1 d_2 ··· d_n, and let D^{(s)} be the value of D after s swap steps. [5] proves that for integer vectors (i.e. for b_1, ..., b_n ∈ Z^n) there are at most O(n² log B) iterations, but that argument uses the fact that D is an integer, hence D ≥ 1. We need both a lower and an upper bound for D, and for these we use the bounds on the d_j's in (4.11) and (4.10):

    D = ∏_{j=1}^{n} d_j ≥ ∏_{j=1}^{n} (L²/j)^j ≥ ∏_{j=1}^{n} (L²/n)^j = (L²/n)^{n(n+1)/2},
    D = ∏_{j=1}^{n} d_j ≤ ∏_{j=1}^{n} B^{2j} = B^{n(n+1)}.

These bounds are true after any number of iterations, i.e. for any D^{(s)}. Further, we use the facts that a reduction step does not change D, and that a swap step reduces D by a factor of at least δ, i.e. D^{(s+1)} < δ D^{(s)} — both are proved in [5] without the use of the integer property. By induction, it follows that D^{(s)} < δ^s D^{(0)}. Putting these inequalities together:

    (L²/n)^{n(n+1)/2} ≤ D^{(s)} < δ^s D^{(0)} ≤ δ^s B^{n(n+1)}.

Taking logarithms of both ends and rearranging, we get:

    s < K_δ · ( n(n+1)/2 ) · ( ln n + 2 ln B − 2 ln L ),

and the statement follows, because t = 2s + n − 1. □
4.3 Bounds over Z[α]^n

Lemma 4.5.

Consider the LLL algorithm for b_1, b_2, ..., b_n ∈ Z[α]^n. The coefficient size of the variables after t iterations can be bounded as follows:

(4.14)    c(b_i^{(t)}) ≤ C^{(t)} ≤ ( 2^n √n (nB/L)^{n−1} )^t · C,
(4.15)    c(d_j^{(t)}) ≤ n^j j! M_α^{2j−1} ( C^{(t)} )^{2j},
(4.16)    c(λ_ij^{(t)}) ≤ n^j j! M_α^{2j−1} ( C^{(t)} )^{2j},

where C^{(t)} := max_{i=1..n} c(b_i^{(t)}) and C := C^{(0)}.

Proof:
Consider one reduction step of the algorithm. It performs the following operations, which modify b_k and the µ_kj's (in the full algorithm presented earlier, the updates of the µ_ij's are omitted, and the case l = k−1 is moved to the beginning of the loop body):

    for l := k−1 downto 1 do
        b_k := b_k − ⌊µ_kl⌉ b_l
        for j := 1 to l−1 do
            µ_kj := µ_kj − ⌊µ_kl⌉ µ_lj

Denote the values of b_k and µ_kj at the start of the iteration belonging to a given l by b_k^{[l]} and µ_kj^{[l]}. The values at the beginning and at the end of the reduction step then correspond to l = k−1 and l = 0, respectively. Then:

    c(b_k^{[l−1]}) = c( b_k^{[l]} − ⌊µ_kl^{[l]}⌉ b_l ) ≤ c(b_k^{[l]}) + |⌊µ_kl^{[l]}⌉| c(b_l),

    |µ_kj^{[l−1]}| = | µ_kj^{[l]} − ⌊µ_kl^{[l]}⌉ µ_lj | ≤ |µ_kj^{[l]}| + |⌊µ_kl^{[l]}⌉| |µ_lj|
                  ≤ |µ_kj^{[l]}| + (1/2)( |µ_kl^{[l]}| + 1/2 ) ≤ 2 max_{j'=1..k−1} |µ_kj'^{[l]}|

(the middle term is zero unless |µ_kl^{[l]}| ≥ 1/2, in which case it is at most |µ_kl^{[l]}|). By induction, and using (4.8) (which was proved only for the beginning of the reduction step, i.e. for l = k−1):

    |µ_kj^{[l]}| ≤ 2^{k−l−1} max_{j'=1..k−1} |µ_kj'^{[k−1]}| ≤ 2^{n−l−1} √n (nB/L)^{n−1}.

Also by induction:

    c(b_k^{[0]}) ≤ c(b_k^{[k−1]}) + Σ_{l=1}^{k−1} |⌊µ_kl^{[l]}⌉| c(b_l)
               ≤ c(b_k^{[k−1]}) + Σ_{l=1}^{k−1} 2 |µ_kl^{[l]}| c(b_l)
               ≤ c(b_k^{[k−1]}) + Σ_{l=1}^{k−1} 2^{n−l} √n (nB/L)^{n−1} c(b_l)
               ≤ ( 1 + (2^n − 2^{n−k+1}) √n (nB/L)^{n−1} ) max_{l=1..k} c(b_l^{[k−1]})
               ≤ 2^n √n (nB/L)^{n−1} max_{l=1..k} c(b_l^{[k−1]}).

In the last inequality we increased the 1 to 2^{n−k+1} √n (nB/L)^{n−1} to cancel out the negative part. This step would fail if √n · nB/L were too small, so we prove that B/L ≥
1. Indeed, from (4.11) we know that L² ≤ j · d_j^{1/j} for every 1 ≤ j ≤ n, and using this for j = 1: L² ≤ d_1 ≤ B², i.e. B/L ≥ 1.

The reduction step modified only b_k as above and left the other vectors unchanged, so the maximum of the c(b_i)'s is increased at most as much as c(b_k). A swap step, on the other hand, performs only the first of the k−1 reductions of b_k and then exchanges two b_i's; this single reduction does not increase the maximum by more than the k−1 reductions above. Therefore, in both cases:

    C^{(t)} ≤ 2^n √n (nB/L)^{n−1} C^{(t−1)},

which proves (4.14).

The variables λ_ij and d_j (omitting the (t) indices) are j × j determinants whose elements are of the form ⟨b_i', b_j'⟩. The coefficient size of each element is, using the properties of the c(·) operator:

    c( ⟨b_i', b_j'⟩ ) ≤ n M_α c(b_i') c(b_j') ≤ n M_α ( C^{(t)} )².

A j × j determinant can be written as a sum of j! terms, each a product of j elements of the matrix (and a sign), therefore:

    c(d_j) ≤ j! M_α^{j−1} ( max_{i',j'} c(⟨b_i', b_j'⟩) )^j ≤ j! M_α^{j−1} ( n M_α (C^{(t)})² )^j,

which is equivalent to (4.15). We get (4.16) in the same way. □

Corollary 4.6.
The coefficients of these variables have the following asymptotic bounds after any number of iterations:

(4.17)    log c(b_i)  = O( n⁵ H² K_δ ),
(4.18)    log c(d_j)  = O( n⁶ H² K_δ ),
(4.19)    log c(λ_ij) = O( n⁶ H² K_δ ),

where:

    H := (1/n) log(nB/L) = O( log B + m log C + m log n + m²F ).

Proof: In Z[α] we can give a lower bound for L using the coefficient bound C of the initial b_i vectors. It can easily be proved that L ≥ min_{i=1..n} ‖b*_i‖, and we know from (4.12) that ‖b*_i‖² = d_i/d_{i−1}. Using the lower bound by coefficient size (2.10) and the upper bound (4.15) on c(d_i) at the beginning (t = 0):

    d_i ≥ 1 / ( P_α S_α c(d_i)^{m−1} ) ≥ 1 / ( P_α S_α ( n^n n! M_α^{2n−1} C^{2n} )^{m−1} ),

so by the upper bound (4.10) on d_{i−1}:

    L² ≥ min_{i=1..n} ‖b*_i‖² ≥ 1 / ( P_α S_α M_α^{(2n−1)(m−1)} (n^n n!)^{m−1} B^{2(n−1)} C^{2n(m−1)} ).

Taking the logarithm of this, and using the logarithmic bounds for the constants M_α, P_α and S_α (see (2.11), (2.12) and (2.14)), we can conclude that:

    log(nB/L) = O( n ( log B + m log C + m log n + m²F ) ).

By taking the logarithms of (4.14), (4.15) and (4.16), substituting the iteration bound (4.13), and substituting the expression above for log(nB/L), we get (4.17), (4.18) and (4.19). □

4.4 Running time of the LLL algorithm

Now we have enough information to calculate the running time of the LLL algorithm with algebraic numbers.

The original version of the algorithm uses floating-point numbers, but there is a modification for integer (or rational) input which uses only exact integer arithmetic [1, p. 94]. Instead of maintaining the µ_ij and the B_i := ‖b*_i‖² variables, which can be rational fractions, this modification maintains the λ_ij's and the d_j's, which are always integers, and whose quotients give the original variables. We use the same formulas, but with algebraic integers in Z[α].

First consider one swap step of the algorithm. It first swaps b_k and b_{k−1}, and then swaps λ_{k,j} and λ_{k−1,j} for each j ∈ {1, 2, ..., k−2}. These are O(nD) operations, where D denotes the bound on log c(d_j) after any number of iterations, i.e. D = O(n⁶H²K_δ) as in (4.18) (which is greater than the bound on log c(b_k)).

Then we calculate the following expressions (here d'_j etc. denote the new values of the d_j etc. variables):

    λ'_{i,k−1} := ( d_{k−2} λ_{i,k} + λ_{k,k−1} λ_{i,k−1} ) / d_{k−1}    (i ∈ {k+1, k+2, ..., n});
    λ'_{i,k}   := ( d_k λ_{i,k−1} − λ_{k,k−1} λ_{i,k} ) / d_{k−1}        (i ∈ {k+1, k+2, ..., n});
    d'_{k−1}   := ( d_k d_{k−2} + λ_{k,k−1}² ) / d_{k−1}.

Note that these formulas are very similar to the recursive formula (3.1) of the Bareiss algorithm, so a similar calculation can be used to show that they require O(m³ Mul(mD)) time, but now D is different (it still dominates over mF). The total time of one swap step is therefore:

(4.20)    T_swap = O( n m³ Mul(mD) ).

Now consider one reduction step of the algorithm. Its main step is to calculate ⌊µ_kl⌉, i.e. ⌊λ_kl/d_l⌉. After rounding, no matter how big c(λ_kl) and c(d_l) were, ⌊λ_kl/d_l⌉ is an integer, and by (4.8) its size is much smaller:

    log |⌊λ_kl/d_l⌉| = O( n log(nB/L) ) = O( n² H ).

The reduction step performs the following operations for each l from k−2 downto 1:

1. computing ⌊µ_kl⌉ (see (2.24)): O( m² Mul(m²D + m³F) );
2. multiplying ⌊µ_kl⌉ by λ_kj for each j ∈ {1, 2, ..., l−1} (see (2.19)): O( nm Mul(n²H, D) );
3. multiplying ⌊µ_kl⌉ by b_l: O( nm Mul(n²H, D) ).

So the total cost of a reduction step is:

(4.21)    T_red = O( n m² Mul(m²D) + n² m Mul(n²H, D) ).

Since the number of iterations is t = O(n³HK_δ) by (4.13), the total running time of the LLL algorithm is:

    T^{Z[α]}_LLL = O( t (T_swap + T_red) )
                = O( n⁴ m H K_δ ( m Mul(m²D) + n Mul(n²H, D) ) )
                = O( n⁴ m H K_δ ( m Mul(m² n⁶ H² K_δ) + n⁵ H K_δ Mul(n² H) ) ),
    H = O( log B + m log C + m log n + m²F ).

For comparison, we can also calculate the running time for integers using Mul(X). We know from [5, (1.26)] that all integer variables are of size O(n log B), from which we can easily calculate that:

    t = O( n² log B · K_δ ),
    T_swap = O( n Mul(n log B) ),
    T_red = O( n² Mul(n log B) ),

and we can conclude that:

    T^Z_LLL = O( n⁴ log B · Mul(n log B) · K_δ ).

Substituting the different possibilities for Mul(X) into T^Z_LLL and T^{Z[α]}_LLL completes the proof of Theorem 4.1 about the running time of the LLL algorithm.
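The swap-step updates of the λ_ij and d_j variables listed above can be sketched in a few lines (our own illustration, with 1-based indices as in the text; it shows only the updates given above, assumes d[0] = 1 by convention, and for Z[α] the integer operations would be replaced by the exact operations of Section 2):

```python
def swap_update(lam, d, k, n):
    """Update lambda and d after swapping b_k and b_{k-1} (1-based, k >= 2).
    lam[i][j] and d[j] are exact values (integers, or Z[alpha] elements with
    exact division); the three divisions below are exact, as in (3.1)."""
    for j in range(1, k - 1):                     # swap the two rows' lambda values
        lam[k][j], lam[k - 1][j] = lam[k - 1][j], lam[k][j]
    for i in range(k + 1, n + 1):
        new_ik1 = (d[k - 2] * lam[i][k] + lam[k][k - 1] * lam[i][k - 1]) // d[k - 1]
        new_ik  = (d[k] * lam[i][k - 1] - lam[k][k - 1] * lam[i][k]) // d[k - 1]
        lam[i][k - 1], lam[i][k] = new_ik1, new_ik
    d[k - 1] = (d[k] * d[k - 2] + lam[k][k - 1] ** 2) // d[k - 1]
```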
4.5 Practical considerations

In this section we proved that the LLL algorithm is polynomial also for algebraic numbers, but the result for T^{Z[α]}_LLL is a very pessimistic upper bound on the worst-case complexity. In practice the algorithm can be much faster. We describe some reasons for this difference.

First, we calculated the maximum number of iterations of the algorithm (4.13), but this is only a theoretical limit, and in practice the number of iterations can often be just a few (i.e. O(n)) steps.

Second, the calculation used L, the length of the shortest vector in the lattice. We used a worst-case theoretical bound on log(nB/L) in terms of the coefficient size of the input, and it was greater than O(n) (see Corollary 4.6); in practice L is usually not that small, and if we assume that this quantity is constant (i.e. O(1)), then the running time is reduced by several powers.

For rounding an algebraic number to an integer, which is calculated by first approximating it with a rational number, we computed how large coefficients are needed for this approximation to provably give the correct result (in the proof of (2.23)). But that accuracy matters only when the number is very close to an integer, which is rare in practice, and usually much smaller coefficients suffice.

When we calculated the running time of the extended Euclidean algorithm (in the proof of (2.21)), we did not exclude the rare case of abnormal polynomial sequences, i.e. when the degree differences are not always one, but this possibility increased the power of m by one. In most cases, however, the polynomial sequences are normal, i.e. the degree decreases by one in each step.

If we assume these simplifications, the power of n in the running time for basic multiplication (Mul(X) = X²) can be reduced by several.

5 Summary

In this paper we discussed symbolic computation in algebraic number fields. We represented field elements as polynomials of a primitive element, and calculated the computational costs of operations and algorithms using this representation. We presented our results in terms of several parameters, including the size of the inputs, some constants depending on the field such as its degree, and the integer multiplication algorithm used. We used the bit length of the coefficients of the representing polynomial to measure the size of the numbers.

First, we examined the field operations – addition, subtraction, multiplication and division – and some other functions like the less-than comparison and the integer rounding functions. We gave bounds on the size of the outputs as well as on the running time of these operations.

Next, we used the Bareiss algorithm as a simple example to demonstrate an application of these results. We calculated the running time of the algorithm when it is extended to algebraic integers, and compared the result to the original one for integers. We found the expected result that it has a similar asymptotic bound, but with additional factors depending on the algebraic number field.

The next main part of this paper was the proof of the polynomiality of the LLL algorithm when it is likewise extended to algebraic numbers and the calculations are exact. This generalization was, unlike that of the Bareiss algorithm, rather nontrivial and required new ideas. We generalized several known properties of the algorithm to not necessarily integer inputs. A crucial part of this was finding substitutes for inequalities like d_j ≥ 1.
References

[1] H. Cohen: A Course in Computational Algebraic Number Theory. Springer-Verlag, Berlin–Heidelberg, 1996.
[2] M. Pohst, H. Zassenhaus: Algorithmic Algebraic Number Theory. Cambridge University Press, 1997.
[3] K. O. Geddes, S. R. Czapor, G. Labahn: Algorithms for Computer Algebra. Kluwer Academic Publishers, 1992.
[4] N. P. Smart: The Algorithmic Resolution of Diophantine Equations. Cambridge University Press, 1998.
[5] A. K. Lenstra, H. W. Lenstra, Jr., L. Lovász: Factoring Polynomials with Rational Coefficients. Mathematische Annalen 261 (1982), p. 515–534.
[6] Journal of Number Theory.
[7] E. H. Bareiss: Sylvester's Identity and Multistep Integer-Preserving Gaussian Elimination. Mathematics of Computation 22 (1968), p. 565–578.
[8] W. S. Brown: On Euclid's Algorithm and the Computation of Polynomial Greatest Common Divisors. Journal of the Association for Computing Machinery 18 (1971), p. 478–504.
[9] J. W. S. Cassels: An Introduction to the Geometry of Numbers.