A Linear Space Algorithm for Computing the Hermite Normal Form

A Linear Space Algorithm for Computing the Hermite Normal Form Daniele Micciancio

Bogdan Warinschi

Department of Computer Science and Engineering University of California, San Diego fdaniele,[email protected] January 20, 2001

Abstract

Computing the Hermite Normal Form of an matrix using the best current algorithms typically requires ( 3 log ) space, where is a bound on the length of the columns of the input matrix. Although polynomial in the input size (which is ( 2 log )), this space blow-up can easily become a serious issue in practice when working on big integer matrices. In this paper we present a new algorithm for computing the Hermite Normal Form which uses only ( 2 log ) space (i.e., essentially the same as the input size). When implemented using standard integer arithmetic, our algorithm has the same time complexity of the asymptotically fastest (but space inecient) algorithms. We also suggest simple heuristics that when incorporated in our algorithm result in essentially the same asymptotic running time of the theoretically fastest solutions, still maintaining our algorithm extremely practical. n

O n

M

n

M

O n

O n

M

M

1 Introduction The Hermite Normal Form (HNF) is a standard form for integer matrices that is useful in many applications. For example, the HNF is used in the solution of systems of linear Diophantine equations [8], algorithmic problems in lattices [10], integer programming [13] and loop optimization techniques [17]. Recently, one more application of the HNF has been suggested [16]: the use of HNF to improve the security and eciency of lattice based cryptosystems. Lattice problems have attracted considerable interest in the design of public key cryptosystems because of the surprising average-case/worst-case connection discovered by Ajtai in 1996 [1]. Despite their theoretical appeal, the applicability of lattice based cryptosystems has been greatly reduced by the large size of their public keys. For example, the cryptosystems proposed in [9, 6] require public keys of several megabytes in size in order to be practically secure. In [16] it is demonstrated that the HNF can be used to substantially reduce the public key size of lattice based cryptosystems while preserving the security level. For example the public keys suggested in [9] can be reduced from several megabytes to few hundred kilobytes. Unfortunately, the best current HNF algorithms have superlinear space complexity, so although the HNF can be used to easily reduce the size of the public keys, the key generation process (and the HNF computation in particular) can be extremely space consuming, requiring hundreds of megabytes for typical values of the security parameter. In order to make key generation feasible on typical personal computers, a better, space ecient algorithm to compute HNF is required. A standard approach to save space in number theoretic 1

computations, is to compute the result modulo many small prime numbers, and combining the results using the Chinese Reminder Theorem. Unfortunately, this trick does not work for HNF computations: if p is a prime that does not divide the determinant of the matrix A, then one can always transform A into a diagonal matrix performing elementary column operations modulo p, so trying to compute the HNF of A modulo p does not give any useful information. The main contribution of this paper is a new practical algorithm to compute the HNF of integer matrices. The main advantage of the new algorithm is space eciency: when applied to an n n matrix with entries bounded by M , our algorithm provably uses only O(n2 log M ) space (i.e., essentially the same as the input size). When used on matrices that arise from cryptographic problems, this results in a saving factor of n = 400 or more for typical values of the security parameter, reducing the memory requirements from several hundreds of megabytes, to just a megabyte, or little more. Our algorithm is also ecient from the running time point of view. When implemented with standard matrix and integer multiplication, the running time is O(n5 polylog(n; M )), i.e. essentially the same as the fastest previously known algorithms. Fast matrix multiplication techniques apply to our algorithm (as well as to previous ones), asymptotically reducing the running time to O(n4:37 polylog(n; M )) in both cases without aecting the space complexity. Only when implemented using asymptotically fast integer multiplication, previous algorithms [11, 19] are asymptotically faster than ours (achieving O(n3:37 polylog(n; M )) running time), but at the price of a substantially larger space complexity. In practice, our algorithm can be easily augmented with several heuristics that reduce the running time to O(n4 polylog(n; M )) (or even O(n3:37 polylog(n; M )) using fast matrix multiplication), essentially matching the running time of the asymptotically fastest algorithms [11, 19], but achieving linear space complexity and avoiding the complications of fast integer multiplication. (See section 5 for details.) The structure of the paper is as follows. In Section 2 we give a synopsis of the previous algorithms and techniques used for computing HNF. Section 3 lists a series of facts used in the analysis of our algorithm. The algorithm itself is presented in Section 4 for the case of square matrices. In Section 5 we show how to extend the algorithm to cope with non square matrices, and how to improve the running time of our algorithms using fast matrix multiplication and/or some simple heuristics.

2 Previous algorithms The simplest way to compute HNF is a variant of the well known Gaussian elimination algorithm (aka. integer column reduction), where divisions are replaced by greatest common divisor computation. Unfortunately, it has been observed (and recently proved for a particular elimination strategy [5]) that although this algorithm performs a polynomial number of arithmetic operations, its complexity is exponential, since the size of numbers involved in the intermediate computations can grow exponentially during the execution of the algorithm. Numerous researchers have previously given algorithms for computing the Hermite normal form of integer matrixes by using dierent techniques to cope with the coecient explosion. The rst polynomial time algorithm, due to Frumkin [7], uses an algorithm for solving linear Diophantine equations combined with modular reduction. In [15], Kannan and Bachem prove a polynomial bound on the size of the entries that arise during the execution of an algorithm that performs only basic column operations over the integers. Their procedure is successively improved by Chou and Collins [2], who prove better bounds for both the time and space used, and Iliopoulos [14] who extends this procedure with modular 2

techniques. For the case of square matrices, Domich, Kannan and Trotter [4], limit the size of the entries by using computation modulo suitably chosen numbers. Essentially, they describe an algorithm which in a rst stage performs Gaussian elimination modulo the determinant, and later from the result that is obtained it recovers the Hermite normal form of the original matrix. A technique useful to improve the space eciency of all these algorithms is introduced [3] for the case when a factorization of the determinant of the input matrix is known. Hafner and McCurley [11] extend the results of [4] to nonsquare matrix, but the main result of their paper is an algorithm for matrix triangularization based on fast matrix multiplication. It is not shown how to eciently compute the Hermite normal form of such a matrix. Storjohann [19] gives a fast procedure which does this, and obtains the fastest running algorithm for HNF. The running time of this algorithm is O(n(2+) log2 M ), if a matrix multiplication algorithm that runs in O(n ) is used. Although the space eciency is not explicitly analyzed, it follows from the triangularization procedure that is used that the space is of order O(n3 log M ). The same space requirement seems to hold for all previous algorithms and this can be a serious bottleneck for practical applications. Our algorithm improves on this limitation still maintaining a good running time.

3 Preliminaries In this section we give a few de nitions and facts that are needed to present our algorithm. The Hermite Normal Form(HNF) is a standard form for matrices. For the special case of square matrixes a matrix A is in Hermite Normal Form if it is lower triangular, all of its nonzero entries are positive, and each o diagonal entry is reduced modulo the corresponding diagonal entry on the same row. The formal de nitions for the general case is the following:

De nition (Hermite Normal Form) A matrix H 2 Zmn is said to be in Hermite Normal Form if the following conditions hold:

There exists 1 i < : : : < in such that hi;j 6= 0 ) i > ij (strictly decreasing column height). For all k < j; 0 hi ;k < hi ;j (the top non-zero element of each column is the greatest 1

element in the row).

j

j

A classical result of Hermite [12], states that for every integer matrix A, there exists a unique matrix H that is in Hermite Normal Form and is column equivalent to A. Column equivalence is de ned as follows:

De nition (Generated lattice, Column equivalence) Given a matrix A 2 Znm, with integer entries, the lattice generated by A is the set of all vectors obtained as integer linear combinations of the columns of A. We denote the lattice generated by A with L(A). Two matrices A; B 2 Znm are said to be column equivalent i L(A) = L(B). The following number theoretic results are used in developing and analyzing the algorithm.

Proposition 1 (Hadamard bound) Let A be a matrix of size n and M an upper bound on the length of its columns. Then det(A) M n . 3

Proposition 2 (Chinese Reminder Theorem) Let m ; :::; mk be pairwise coprime integers, i.e. such thatQgcd(mi ; mj ) = 1 when i = 6 j . Then, for any integers xi there exists an integer x unique modulo mi , such that x xi (mod mi ) for 1 i k. 1

A procedure to compute the determinant of a matrix using modular computations is obtained from the Chinese Reminder Theorem combined with the following proposition:

Proposition 3 Let A be a square matrix and let p ; :::; ps be a sequence of distinct primes such that their product exceeds twice the Hadamard bound for det(A). Suppose that det(A) ai (mod pi ); 1 i s. Then, det(A) is the integer d with smallest absolute value satisfying d ai 1

(mod pi ) for all i.

Proof: Let b be the Hadamard bound for E . The numbers ei ; 1 i s determine the determinant of E modulo p ; p ; :::; ps . Since 2b < p p :::ps , no two integers between ?b and b are congruent 1

2

1 2

modulo p1 ; p2 ; :::; ps .

Proposition 4 Let A be a nonsingular matrix. Then there exists a permutation of the columns such det(A(i)) 6= 0 for all 1 i n. Proof: A constructive proof that gives an ecient algorithm to nd such a permutation is given

in [15].

Proposition 5 Let A 2 Znn be a nonsingular, lower triangular matrix with integer entries, and let d = det(A). Then there exists a matrix B with integer entries such that AB = dIn . Proposition 6 (Prime Number Theorem) pn = O(n log n), where pn represents the nth prime number.

4 Our Algorithm In this section we present our algorithm for the particular case when the input matrix is a square nonsingular matrix. In a later section we show how to extend the algorithm to the general case. We start with an informal description: Let A 2 Znn be the input of the algorithm. Without loss of generality, we may assume that all principal minors of A are nonsingular (see Proposition 4). Let B be the principal minor of rank n ? 1, aT the row vector given by the rst (n ? 1) elements of the last row of A, and b the nth column of A, i.e., we decompose the input matrix as follows:

A=

B b : aT

Our algorithm works in three major steps: 1. Compute (inductively) the Hermite normal form HB of B. (Notice that by assumption matrix B and all of it principal minors are non-singular.) 2. Extend HB to the Hermite normal form of B0 = H0 = HxTB for some vector xT .

4

B , which is necessarily of the form aT

3. Compute and return the HNF of [H0 jb]. Proving the correctness of the algorithm can be done along the following lines: if H0 is the HNF of B0 , then L(H0 ) = L(B0 ), i.e H0 and B0 generate the same lattice. It follows that L([H0 jb]) = L([A0 jb]) = L(A) Therefore the HNF of [H0jb] (returned by the algorithm) is also the HNF of A. To implement steps (2) and (3) of the algorithm we use two procedures, AddRow and AddColumn (respectively), that work as follows: AddRow (B; HB ; aT ) on input a nonsingular square matrix T T 0 B, its Hermite normal form HB , and a row vector a , computes the row vector x such that H is the Hermite normal form of B0 = aBT . The procedure AddColumn (H0 ; b) has as input H0 a matrix in HNF, and a column vector b, and returns the HNF of the matrix [H0 jb]. We now give a more precise description of the algorithm and prove its correctness. We use the following notation: for A 2 Znn we denote by A(i) the ith principal minor of A, i.e. the matrix formed by the rst i rows and columns of A. We also denote by aT (i) the i + 1 row of A truncated to the rst i elements, i.e., aT (i) = (ai+1;1 ; ai+1;2 ; :::; ai+1;i ).

Algorithm: (Hermite Normal Form) Input: A nonsingular matrix A 2 Znn such that di = det(A(i)) 6= 0 for all 1 i n. Output: H, The Hermite Normal Form of A (1) H(1) A(1); (2) for i 2 to n (3) xT (i ? 1) AddRow0(A2(i ? 1); H(i3?01); aT (1 i ?11)); H( ? 1) 1 5 @ A A; (4) H(i) AddColumn @ 4 x ( ? 1) (5) return H(n) i

a ;i

;

T

i

:::

ai;i

Correctness of the algorithm We prove by induction that H(i) is the Hermite normal form of A(i). This obviously holds for i = 1. For the inductive step assume that H(i ? 1) is the Hermite normal form of A(i ? 1), and let b be the vector (a ;i ; :::; ai;i )T at iteration i. Then, after step b . Since H(i) generates the (4) is executed, H(i) is the Hermite normal form of xHT((ii ?? 1) 1) b , from the uniqueness of the HNF, H(i) is the Hermite same lattice as A(i) = aAT((ii ?? 1) 1) Normal Form of A(i). 1

We can now state the main result of the paper:

Theorem 7 There exists a linear space algorithm that on input A, returns the Hermite Normal Form of A. Proof: It should be clear from the description of the algorithm that the space used is the maximum

between the space used in the AddColumn and AddRow . The running time is n times the running time of these procedures. To complete the proof, we further analyze the complexity of the two procedures. 5

4.1

The

AddRow procedure

The AddRow procedure takes as input a non-singular square matrix A, its Hermite normal form H and a row vector aT . The output is a vector xT such that the H0 = xHT is the Hermite Normal Form of A0 =

A . aT

To compute xT , observe that xT = aT U, where U is a unimodular transformation such that AU = B. Since A is invertible, we could simply compute U as BA?1. We avoid doing so, because the entries of U can be as big as the determinant of A which would lead to undesirable space usage. Instead, we proceed as follows. Express the vector xT directly in terms of A; H and aT as xT = aT A?1 H. Although aT A?1 is not generally an integer vector, xT is always integral and we can compute it by calculating xT (mod pi) for suciently many small primes pi that do not divide det(A), and then combine the results using the Chinese Reminder Theorem. For each prime pi this can be done as follows: First compute a solution yi to the system of equations AT yi = a (mod pi) Then compute xi = HTyi (mod pi). The number of primes for which we have to do so is upper bounded by 2 log V , where V is an upper bound on the entries of xT . If A 2 Znn and M is an upper bound on the length of its columns, then V = n2 M 2n+1 . Since storing one entry of xT requires log V space, we obtain an upper bound on the space required to stored xT of n log V = O(n2 log M ). For each prime pi , solving the corresponding system over GF (pi ) can be done in O(n3 log2 pi ) using the standard Gaussian elimination procedure. Using the Prime Number Theorem, we obtain that the time complexity of the AddRow procedure is O(n3 log V log log V ) = O(n4 polylog(n; M )). 4.2

The

AddColumn

Procedure

The AddColumn procedure takes as inputs a matrix A 2 Zn(n?1) in Hermite normal form and a vector b 2 Zn. The output is the Hermite normal form H 2 Znn of [Ajb]. The procedure works as follows. First we extend A to a square matrix H0 = [Ajc] in Hermite normal form such that [H0 jb] generates the same lattice as [Ajb]. This is simply done setting c = (0; : : : ; d)T where d is the determinant of matrix [Ajb]. We then compute a sequence of matrix-vector pairs Hj ; bj (for j = 0; : : : ; n), such that b0 = b Hj is in Hermite normal form L([Hj jbj ]) = L([Hj+1jbj+1]) the rst j elements of vector b are 0 It immediately follows by induction that H = Hn is the Hermite normal form of [Ajb]. Each pair Hj +1; bj +1 is obtained from the previous one Hj ; bj as follows. If the (j +1)th element of bj is zero, then we simply set Hj +1 = Hj and bj +1 = bj . Otherwise, we replace the (j + 1)th column of Hj and bj with two other columns obtained applying a unimodular transformation that clears the (j + 1)th element of bj . This is done executing the extended Euclidean algorithm to the top two elements of the two columns. Once this is done, the remaining elements of the two columns might 6

be bigger than the diagonal elements of Hj . So, we reduce the two columns modulo the diagonal elements of Hj using the last n ? j columns of Hj . During this modular reduction stage, entries are kept bounded performing the arithmetic modulo the determinants mk of the trailing minors of Hj . Matrix Hj and vector bj correspond to the values of H and b at the j th iteration of the following algorithm. Procedure (AddColumn ) Input: A matrix A 2 Zn(n?1) in Hermite normal form and a vector b. Output: The Hermite Normal Form H of the matrix [Ajb]. (0) Set H to the matrix [Ajc] where c = [0; : : : ; det([Ajb])]T (1) mn hn;n ; (2) for i n ? 1 downto 1 do mi mi+1 hi;i ; (3) for j 1 to n do (4) nd k; l; g such that khj;j + lbj = g = gcd(hj;j ; bj ); (5) for i j to n do (6) hi;j khi;j + lbj (mod mi); (7) bi bihj;j =g ? hi;j bj =g (mod mi) (8) for k j + 1 to n do (9) q hk;j div hk;k ; (10) for l k to n do (11) hl;j hl;j ? qhl;k (mod ml ); Given the matrix A and the column vector b the procedure eliminates the entries of b by performing column operations and reducing elements at row k modulo mk . In order to prove that these operations do not change the lattice we have to show that they correspond to sequences of elementary column operations. Regarding the modular reduction operations, notice that mk is the determinant of the submatrix corresponding to the non-zero rows of the last n ? k + 1 columns of Hj (for all k > j ). So, the vector (0; : : : ; 0; mk ; 0; : : : ; 0)T belongs to the lattice generated by the last n ? k + 1 columns of Hj . So reducing the kth entry of a vector modulo mk correspond to subtracting appropriate multiples of the last n ? k + 1 columns of Hj . Finally, notice that the column operations in step (4; 5; 6; 7) correspond to the linear transformation

k ?bj =g l hj;j =g which has determinant equal to 1 by de nition of k; l; g. So, this transformation is unimodular and

corresponds to a sequence of elementary column operations. This proves that the lattice generated by [Hn jbn ] at the end of the algorithm is the same as the original lattice [Ajb]. Moreover, Hn is in Hermite normal form and bn = 0, therefore H = Hn is the Hermite normal form of [Ajb]. To analyze the space complexity of AddColumn , assume that the size of the input matrix A, and consequently the size of H, is of order O(n2 log M ). It is easy to see that this assumption holds during the execution of our algorithm. During one iteration of the for in line (3) we only modify Hj , the j th column of H and the vector b. All computations on the elements of these vectors are Q done modulo mi , so, the total space needed to store b and Hj is of order log m1 +:::+log mn = log mi = log(det(Hn )) = n2 log M . Because of the triangular reduction of lines (8)-(11), the matrix [Hjb] needs O(n2 log M ) storage space at the beginning of the next iteration. All computations are done inplace, so the total space needed by AddColumn is of order O(n2 log M ). 7

The main computational part of the the procedure consists of lines (8)-(11). This is essentially the \Triangular Reduction" procedure of [18], where the running time is proved to be O(n3 log2 M ). Since the execution of the for loop in line (6) takes O(n2 log2 M ), the total execution time of AddColumn is O(n4 log2 M ).

5 Discussion We presented an algorithm to compute the Hermite Normal Form of a square non-integer matrix with O(n2 log M ) space complexity and O(n5 log2 M ) running time, where n is the dimension of the matrix and M is a bound on the length of the column vectors. Notice that the bit-size of the input is O(n2 log M ), so our algorithm has linear space complexity. In this section we rst show how our algorithm can be easily adapted to work on any (possibly non-square) matrix. Then we also describe various ways to speed up our algorithm. In particular we describe both a theoretical improvement that can lower the running time to O(n4:376 log2 M ), and a simple heuristics that results in a running time approximately of the order of O(n4 log2 M ), when input is chosen uniformly at random. . We remark that while the rst improvement gives a provably better worst case asymptotic upper bound on the running time, it is only of theoretical interest because of the big hidden constants. On the other hand, the second improvement, although only heuristics, can be quite eective in practice. Our algorithm can be easily extended to non-square matrices using the AddRow and AddColumn procedures described in section 4. In particular, if A 2 Znm is a non-square full rank matrix, one can rst run the algorithm on the square matrix consisting of the rst n linearly independent columns of A. (These columns can be easily found using a straightforward generalization of Proposition 3.) The matrix that is obtained is of the form [HjA0 ] where H is in Hermite normal form, and it is column equivalent to A. Next, run the AddColumn procedure to add the columns of A0 to H. It is easy to see that the space complexity of the algorithm does not change, while the running time becomes O(mn4 log2 M ). For the general case of not necessarily full rank matrices, one can rst nd a maximal set of linearly independent rows, then nd the Hermite normal form of the corresponding full rank matrix, and nally extend it to the Hermite normal form of the input matrix using the AddColumn procedure. Notice that the entries of these last rows of the Hermite normal form can be quite big, and in order to keep the space complexity of the algorithm low, these rows should be computed one at a time and immediately output. A better running time can be obtained by incorporating fast matrix multiplication algorithm in the AddRow procedure. Since matrix multiplication and matrix inversion are problems of the same complexity, solving the linear system in the procedure can be done in O(n log2 M ), where O(n ) is the running time of a matrix multiplication algorithm. Thus, we obtain an algorithm with complexity O(n2+ log2 M ). In practice one can obtain even better running time by using the following heuristic algorithm: c d B , with B 2 Z n? n? ; c; d 2 Zn? ; bT 2 Zn? ; 1. decompose A as bT a n;n? an;n 2. compute d = det([Bjc]) and d = det([Bjd]) and nd k; l such that kd + ld = gcd(d ; d ); B k c + l d 3. compute the Hermite normal form of bT ka ; n;n? + lan;n c d 4. run AddColumn twice to add the columns and .

(

2)

(

1)

1

2

1

1

2

1

1

an;n?1

8

an;n

2

1

2

This heuristic algorithm, with high probability runs faster by a factor n than the algorithm described in Section 4, while preserving optimality as far as space is concerned. This can be seen as follows: if the quantity d computed in step (2) of the algorithm is small, then one can use a modular reduction algorithm (for example the one of [4]) to execute step (3). Since this would take time of order O(n3 log2 d), with d small, the dominant part of the algorithm will be a single execution of the AddRow procedure, which is O(n4 log M ). Of course, there are cases when the heuristics fails. One such example is when in the original matrix, elements of one row have big gcd. Although the heuristic could be xed to take into account this case (factor out the common factor, execute the algorithm, reconsitute the result) there exist other cases for which this simple x does not work. However, for randomly chosen matrices, as it is most often the case in practice, (and for the cryptographic application in particular), one can easily prove that the probability that d = 1 is bounded away from zero and practical tests show that that d is a very small with very high probability (details will be given in the full version of the paper.)

References [1] M. Ajtai. Generating hard instances of lattice problems (extended abstract). In Proceedings of the Twenty-Eighth Annual ACM Symposium on the Theory of Computing, pages 99{108, Philadelphia, Pennsylvania, 22{24 May 1996. [2] T. W. J. Chou and G. E. Collins. Algorithms for the solution of systems of linear Diophantine equations. SIAM Journal on Computing, 11(4):687{708, 1982. [3] P. D. Domich. Residual Hermite normal form computations. ACM Trans. Math. Software, 15(3):275{286, 1989. [4] P. D. Domick, R. Kannan, and L. T. Jr. Hermite normal form computation using modulo determinant arithmetic. Mathematics of Operations Research, 12(1):50{59, Feb. 1987. [5] X. G. Fang and G. Havas. On the worst-case complexity of integer gaussian elimination. In Proceedings of the 1997 22nd International Symposium on Symbolic and Algebraic Computation, ISSAC, pages 28{31, Maui, HI, USA, 1997. ACM. [6] R. Fischlin and J.-P. Seifert. Tensor-based trapdoors for CVP and their application to public key cryptography. In 7th IMA International Conference "Cryptography and Coding", volume 1746 of Lecture Notes in Computer Science, pages 244{257. Springer-Verlag, 1999. [7] M. A. Frumkin. Polynominal time algorithms in the theory of linear diophantine equations. In M. Karpinski, editor, Proceedings of the 1977 International Conference on Fundamentals of Computation Theory, volume 56 of LNCS, pages 386{392, Poznan-Kornik, Poland, Sept. 1977. Springer. [8] M. A. Frumkin. Complexity question in number theory. J. Soviet Math., 29, 29:1502{1517, 1985. [9] O. Goldreich, S. Goldwasser, and S. Halevi. Public-key cryptosystems from lattice reduction problems. In B. S. Kaliski Jr., editor, Advances in Cryptology|CRYPTO '97, volume 1294 of Lecture Notes in Computer Science, pages 112{131. Springer-Verlag, 17{21 Aug. 1997. 9

[10] J. L. Hafner and K. S. McCurley. A rigurous subexponential algorithm for computation of class groups. J. Amer. Math. Soc., 2:837{850, 1989. [11] J. L. Hafner and K. S. McCurley. Asymptotically fast triangularization of matrices over rings. SIAM Journal on Computing, 20(6):1068{1083, 1991. [12] C. Hermite. Sur l'introduction des variables continues dans la theorie des nombres. J. Reine Angew. Math., 41:191{216, 1851. [13] M. S. Hung and W. O. Rom. An application of the Hermite normal form in integer programming. Linear Algebra and its Applications, 140:163{179, 1990. [14] C. S. Iliopoulos. Worst-case complexity bounds on algorithms for computing the canonical structure of nite abelian groups and the Hermite and Smith normal forms of an integer matrix. SIAM Journal on Computing, 18(4):658{669, 1989. [15] R. Kannan and A. Bachem. Polynomial algorithms for computing the Smith and Hermite normal forms of an integer matrix. SIAM Journal on Computing, 8(4):499{507, Nov. 1979. [16] D. Micciancio. Lattice based cryptography: A global improvement. (Theory of Cryuptography Library Report 99-05). Available at http://philby.ucsd.edu/cryptolib. [17] J. Ramanujam. Beyond unimodular transformation. The Journal of Supercomputing, 9(4):365{ 389, 1995. [18] A. Storjohann. Computing Hermite and Smith normal forms of triangular integer matrices. Linear Algebra and its Applications, 282(1-3):25{45, 1998. [19] A. Storjohann and G. Labahn. Asymptotically fast computation of Hermite normal forms of integer matrices. In ISSAC'96, pages 259{266, Zurich, Switzerland, 1996. ACM.

10