New Practical Algorithms for the Approximate Shortest Lattice Vector
|
|
- Augustus Stevens
- 6 years ago
- Views:
Transcription
1 New Practical Algorithms for the Approximate Shortest Lattice Vector Claus Peter Schnorr Fachbereiche Mathemati/Informati, Universität Franfurt, PSF 493, D Franfurt am Main, Germany. Preliminary Report Abstract. We present a practical algorithm that given an LLL-reduced lattice basis of dimension n, runs in time O(n 3 (/6) /4 +n 4 ) and approximates the length of the shortest, non-zero lattice vector to within a factor (/6) n/(). This result is based on reasonable heuristics. Compared to previous practical algorithms the new method reduces the proven approximation factor achievable in a given time to less than its fourthth root. We also present a sieve algorithm inspired by Ajtai, Kumar, Sivaumar [AKS0]. Introduction and Summary History. The problem of finding a shortest, non-zero lattice vector in a lattice of dimension n is a landmar problem in complexity theory. This problem is polynomial time for fixed dimension n, it is NP-complete for varying n. For simplicity, we consider integer lattices of dimension n in Z n, given by a lattice basis consisting of vectors of Euclidean length O(n). Using the famous LLL-algorithm of Lenstra, Lenstra, Lovász (98), Kannan (983) proposed an algorithm that finds the shortest lattice vector in time n O(n), Helfrich (985) improved the time bound to n n/+o(n). Recently [AKS0] present a probabilistic algorithm with time and space bound O(n), at present that method is still impractical. We present a novel algorithm that produces an approximate shortest lattice vector by iterating random sampling of short lattice vectors. It finds a shortest lattice vector to within the factor (/6) n/() and runs in time O(n 3 (/6) /4 + n 4 ). This algorithm is practical and space efficient, theoretically it outperforms all other nown algorithms. We show how to speed up random sampling via the birthday paradox. This reduces the time to O(n 3 (/3) /8 + n 4 ) at the expense of storing n(/3) /8 lattice vectors. We also present, a nearly practical sieve algorithm, inspired by [AKS0] and adapted to the problem of approximating the shortest lattice vector. Our analysis uses reasonable heuristic assumptions.
2 Summary and Comparison of the New Algorithms. The next table shows and compares the performance of the new algorithms for approximating the shortest lattice vector. Approximating the shortest lattice vector to within an approximation factor c means to find a non-zero lattice vector with at most c-times the minimal possible length. time space/n approx. factor. random sampling n 3 (/6) /4 (/6) n/ for n 60 n n. birthday sampl. n 3 (/3) /8 (/3) /8 (/3) n/ 3. our sieve n n/4 for = 60 n n 4. primal/dual (Koy) n /+o() n (/6) n/ for = n n 5. Schnorr 987 n +o() (/3) n/ for = 4 n 53. n 6. AKS 00 n O() O() (/6) n/ The time bounds count arithmetic steps using integers of bit length O(n), assuming a given basis consisting of integer vectors of length O(n). More precisely, all time bounds are of the form O( + n 4 ) with a constant factor and an additive term n 4 related to LLL-type reduction. The constants 3, 50, 49, 53 are method specific. The parameter, < n can be freely chosen. The entry c under space/n means that c + O(n) lattice vectors, consisting of c n + O(n ) integers, need to be stored. This requires to store O(c n + n 3 ) bits. The proven approximation factor (/6) n/ of random sampling is about the fourth-th root of the proven factor achievable in the same time by Koy s primal-dual method, the best practical, previous algorithm. Algorithms 4. and 5. yield in practice smaller approximation factors than the proven ones. The approximation factors of methods 4, assume the unproven bound γ /6 for 4 for the Hermite constant γ of dimension. Random sampling is still to be implemented. Its theoretical performance beats by far all other nown practical methods. Surprisingly, the proven approximation factor.06 n of n 3 3 -time random sampling is pretty near to the ones observed in practice by the algorithms 4. and 5. Possibly, this explains why methods 4. and 5. perform better in practice than expected from the theoretic analysis. Our sieve yields for = n the approximation factor n within average time n+o(n) under the assumption that there are many short The Hermite constant γ is the maximum value λ (L) (det(l) /, where L ranges over all lattices of dimension and λ (L) denotes the length of the shortest, non-zero vector in L.
3 lattice vectors. A drawbac is the space requirement, n+o(n) lattice vectors must be stored. Asymptotically the new sieve performs for = n 3 on average O(n n+o(n) ) steps and approximates the shortest lattice vector to within a factor n 9/4. This indicates that approximating the shortest lattice vector to within a factor n 9/4 is easier than computing the shortest lattice vector exactly. Our sieve finds a basis with the remarable property that b / b n n. That property seems not even to hold for lattice bases that are reduced in the very strong sense of Hermite and Korin-Zolotarev. The latter bases merely satisfy that b / b n n (+ln )/, see [S87],[LLS 90]. The [AKS0] algorithm has the best assymptotic time bound O(n) for a probabilistic algorithm that finds the shortest lattice vector. At present this method is impractical as the exponent O(n) is about 30 n. Method 4. is impractical for 3 as it requires to find shortest lattice vectors for lattices of dimension while Koy s primal/dual method (unpublished) uses shortest lattice vectors in dimension. The approximation factor (/6) n/ of 6. comes from combining the AKS-sieve with 4. The following cryptosystems may be affected by current and further progress in lattice basis reduction: NTRU, RSA, Factoring based cryptosystems, DL-cryptosystems with groups of unity. These cryptosystems can be broen by very short lattice vectors in high dimensional lattices, see [HPS98] for NTRU and [S9] for factoring and the DL. LLL-type reduction is now feasible in these dimensions due to Koy, Schnorr [KS0a,KS0b]. The random sampling method mars an important progress towards our goal of finding very short lattice vectors efficiently. Notation. An ordered set of linearly independent vectors b,..., b n Z m is a basis of the lattice n i= biz Zm, consisting of all linear integer combinations of b,..., b n. For simplicity we will focus on the case n = m. The orthogonalization vectors b,..., b n and the Gram-Schmidt coefficients µ i,j, i, j n, associated with the basis b,..., b n satisfy for i =,..., n: b i = i j= µi,j b j, µ i,i =, µ i,j = 0 for j > i. For the Euclidean inner product, we have that µ i,j = b i, b j / b j, b j, b i, b j = 0 for i j. Let b = b, b denote the Euclidean length of a vector b R n. A vector b = n i= µi b i satifies b = n i= µi b i. Let λ denote the length of the shortest non-zero lattice vector of a given lattice. For simplicity, let the given lattice basis be nicely bounded so that max i b i = O(n). It is nown from [LLL8] that a given lattice basis can be transformed into an LLL-reduced lattice basis b,..., b n satisfying b n λ in 3
4 polynomial time n O(). Actually, an approximation factor ( 4 +ε) n 3 can be achieved in polynomial time for arbitrary small ε > 0. Recently [KS0a] proposes an LLL-type reduction in time O(n 3 log n) realizing the approximation factor ( 4 + ε) n 3. Random Sampling of Short Vectors Previous algorithms for the approximate shortest lattice vector generate lattice vectors b = j i= µi b i for some < j < n such that µ j,..., µ j are particularly small, and µ j 0. The goal is to find some b L so that j i=j µi b i < b j. In that case replacing b j by b yields a shorter vector b j. The new method generates lattice vectors b = n i= µi b i such that µ, µ,..., µ are particularly small. The goal is to find some b L so that b = n i= µi b i < b. In that case the basis vector b is replaced by the shorter vector b. Importantly, the initial vectors b,..., b are longer than vectors b i for large i, so small coefficients µ i for small i have a bigger impact than those for large i. The Sampling Method. Let < n be constant. Suppose we are given an LLL reduced lattice basis of dimension n. We sample lattice vectors b = n i= tibi = n i= µi b i satisfying µ i { for i n for n, µn {, }. () < i < n There are at least distinct lattice vectors b of this form. The sampling algorithm (SAL) below generates a vector b in time O(n ). If the sampled vector satisfies b δ b for some constant δ < we extend b to an LLL-reduced basis with b = b and we iterate the sampling. As an LLLreduced basis satisfies b n λ there are at most n log (/δ) () iterations. Sampling Algorithm (SAL). Given a lattice basis b,..., b n with coefficients µ i,j the algorithm generates a lattice vector b = n i= µi b i satisfying ().. Select µ n {, }, b := µ n b n µ j := µ n µ n,j for j =,..., n.. FOR i = n,..., DO Select µ Z such that { µ i µ for i n, () for i > n b := b µ b i, µ j := µ j µ µ i,j for j =,..., i. OUTPUT b, µ,..., µ n satisfying b = n i= µi b i. 4
5 The coefficient µ i is updated n i times. We assume that this leads to a nearly uniform distribution of the µ i, at least for small i. That near uniformity is crucial for our method. The random behaviour for large i is less important as the contribution µ i b i to the length square of b is minor. We mae the heuristic Randomness Assumption (RA). Let the µ i of the sampled vectors b = n i= µi b i be uniformly distributed over the interval [, ] for i n resp. the interval [, ] for i > n, and let the µ i be mutually statistically independent for distinct i. Lemma. For uniformly distributed µ i, µ i R [, ] we have the following mean values :. E[ µ i ] =,. E[ µi ] =. 4 Proof.. E[ µ i ] = 0 x dx =,. E[ µi ] = 0 x dx = 4. The Geometric Series Asumption (GSA). We assume that the b i form a geometric series, b i = b q i for i =,..., n with some quotient q <. Justification of the GSA. We merely use the GSA to simplify the analysis. Typically, the GSA holds in an approximate way b i b q i if the basis has been reduced in a primal/dual way. Moreover, the GS property means that the lattice basis has the following worst case property b / b n = max ( b i / b j ) (n )/(j i) = q (n )/. i<j n If GSA does not hold there exists i < j n such that b i / b j > ( b / b n ) (j i)/(n ) and j i < n. Then it suffices to reduce the subbasis π i(b i),..., π i(b j), where π i is the orthogonal projection into span(b,..., b i ). Reducing that subbasis of dimension j i + is an easier problem as its dimension j i + is smaller than n. Such a low dimensional approach is excluded under the GSA. Sampling Short Vectors. Let, be constants, + < n. Consider the event that a sampled vector b = n i= µi b i satisfies µ i q( i)/ for i =,...,. (3) Under RA that event has probability q ( i)/ = q ()/ = q ( )/4. i= We study the probability that b < b holds under RA and the conditions (), (3). 5
6 Lemma. SAL samples vectors b that satisfy under GSA and RA that Pr[ b b [ q +(q +3 q n 4q n )/( q)] q ( )/4. Proof. By Lemma we have under (), (3) the mean value E[ µ i q i for i =,..., (3) ] = / for i = +,..., n. /3 for i = n +,..., n Under GSA this yields E[ b b (3) ] [ i= q i b i + n i=+ b i + 4 n i=n + b i ] [ = i= q i+i + q n i= q i + 4 q n [ ] q + q ( q n ) + 4q n ( q ))/( q) = i= qi ] = [ q + (q + 3 q n 4 q n )/( q)]. Now the claim follows as (3) holds with probability q ( )/4. Theorem. Let 3 and n + ln(/6). There is an algorithm which runs under GSA and RA in average time O(n 3 (/6) /4 +n 4 ) 4 ln and which transforms a given LLL-reduced basis into a basis with an approximation factor less than (/6) n/. Proof. The algorithm performs the following steps.. Sample distinct lattice vectors b via SAL until b < b, where = ln(/6) in SAL. 4 ln. Extend the short vector b to an LLL-reduced basis with b = b. This is done by one LLL-type reduction. This LLL-type reduction requires not more than O(n 3 ) steps because it remodels a given LLL-reduced lattice basis. 3. If b / b n (/4) (n )/() then terminate and output the basis. Otherwise go to and iterate the algorithm. Analysis. We apply Lemma to the geometric series b i = b q i of the lattice basis given in Step. We show that [ q + (q + 3 q n 4 q n )/( q)] < holds for q = ln(/6). If q is smaller then SAL succeeds even better. We have that q ln(/6) ( ) < e ln(/6) = We get from q < and n that 6 =. (q + 3q n 4q n )/( q) q ( + 3/) < ln(/6) +3/. ln(/6) Hence [ q +(q +3 q n 4 q n )/( q)] ( +3/ +/q) < 0.94, ln(/6) as +3/ ln(/6) + /q < 0.94 holds for 3 and q =. ln(/6) We let ln denote the natural logarithm with base e.78. 6
7 Lemma shows that b b < 0.94 holds at least with probability q( )/4, where q ( )/4 = ( ln(/6) ) ( )/4 > e ( ) ln(/6)/4 = (/6) ( +)/4. Hence Pr[ b < 0.94 b ] > (/6)( +)/4. Therefore SAL suceeds with a short b in average time O(n (/6) ( )/4 ). The algorithm performs at most O(n) iterations, an iteration requires O(n (/6) /4 ) steps for SAL and O(n 3 ) steps for the LLL-reduction. Therefore the entire algorithm runs in average time O(n 3 (/6) /4 + n 4 ). Upon termination we have that q > ln(/6). The resulting approximation factor is bounded by q n/ < ( ln(/6) ) ln(/6) n ln(/6) < e n ln(/6) = (/6) n. We need that q ( )/4 so that enough vectors can be sampled. It is sufficient that log 4 (/q) ln(/6). 4 ln Remar. We can replace in Theorem the fraction (/6) by /( ε) for an arbitrary ε > 0, provided that is sufficiently large, i.e., 0(ε). This follows from ε = o() for sufficiently large. ln(/) Refined Analysis. While the inequalities (3) are sufficient to mae b b small they are not necessary. We show that Pr[ b b < ] e/8 q ( )/4 for q = ln(/6), thus increasing the probability that SAL generates a short vector by the factor e /8. We liberalize the Inequalities (3) by allowing a few larger coefficiens µ i. We balance the larger values µ i by requiring that the remaining µ i are even smaller than q( i)/ so that i= µi b i q as before. We allow /4 larger coefficients µ ji satisfying q( j i)/ < µ ji q ( j i)/ for j i /, i =,..., /4. ( we require that j i / so that q ( j i)/.) These larger µj i can be balanced by requiring that µ i q( i)/ ( )/4 for i {j,..., j /4 }, i. For a constant selection of j,..., j /4 the modified inequalities (3) imply under RA that E[ i= µi b i ] = q [ + O( )]. Moreover, these inequalities hold with probability q ( )/4 ( )/4( /4) q ( )/4 e 3/4. The number of choices for the /4 values j,..., j /4 is ) e /8. Different choices correspond to disjoint events so that ( /4 7
8 the probabilities add up. This yields Pr[ i= µi b i q ] e/8 q ( )/4. For = 3, n 60 we get the following performance values: proven q time approx. factor n n n n n n n n n n 0.93 n n For example, we have for = 54, = 3, n 60, q = that E[ b b (3) ] = [ q + q +3 q n 4q n q ] < As (3) holds with probability q ( )/ this yields Pr[ b 0.94 b ] e54/8 q ( )/ Therefore, the algorithm of Theorem yields the quotient q > Such q corresponds to an approximation factor q (n )/ <.09 n. In the cases of = 40, 30, 5, 0, we proceed accordingly. Birthday Sampling. The birthday paradox is a well nown heuristic that reduces the number of vectors to be sampled to its square root. Instead of searching for a lattice vector b with b < b we sample distinct vectors until two vectors b, b arise with b b < b. We study the probability that b b b < for distinct vectors b, b generated by SAL. We assume in addition to RA that the coefficients µ i of b and µ i of b are statistically independent. Lemma 3. Let µ i, µ i R [, ] be uniformly distributed and statistically independent. Then we have the following mean values :. E[ µ i ± µ i ] = 6 for either sign ±,. E[ µ i µ i ] = 3 8. Proof.. E[ µ i ± µ i ] = [x 3 /3 + x y ± x y] dy = + x + y ± xy dx dy =. We have that E[µ i µ i µ i 0 µ i] = y dy = + = 6. 0 ( 4 + x)dx =. With probability we either have µi 0 µ i or µ i 0 µ i. Also with probability we either have µi, µ i 0 or µ i, µ i 0. We infer that E[ µ i µ i ] = + E[ µi µ i ] = =
9 Lemma [ 4. Distinct vectors b, b sampled via SAL satisfy under ] RA that Pr b b b 6 [q +(q +3q n 4q n )/( q)] q()/. Proof. We proceed as in the proof of Lemma. However, we use that E[ µ i ± µ i ] = 6 = E[ µi ] due to Lemma and 4. Consider the event that two vectors b = n i= µi b i, b = n i= µ i b i sampled by SAL satisfy i= µi µ i q i 6 q. (3 ) By Lemma 3, the probability of the event (3 ) is at least q ()/ under RA. [ Moreover, ] Pr b b b 6 [q + (q + 3q n 4q n )/( q)] (3 ). Hence the claim. Theorem. Let 3 and n + ln(/3). There is an algorithm which runs under GSA and RA in average time O(n 3 (/3) /8 +n 4 ) ln and which transforms a given LLL-reduced basis into a basis with an approximation factor less than (/3) n/. Setch of Proof. Proceed as in the proof of Theorem. However, set q := ln(/3) to offset the additional factor from E[ µ i ± µ i ] = E[ µ i ]. Generate O(n(/3) /8 ) lattice vectors b via SAL and search for short vectors b b so that (3 ) holds. Such vectors b b can be found efficiently. This algorithm needs to store O(n(/3) /8 ) lattice vectors. Theorem shows that birthday sampling is for large values superior to random sampling. The crossover point, where birthday sampling gets more efficient, is for a large. Birthday sampling is more efficient for q = 0.98, = 75 with an n time algorithm. 3 Towards a Practical Sieve Algorithm The Goal of the Sieve. Our method is inspired by Aijtai, Kumar, Sivaumar [AKS0]. Consider a lattice basis b,..., b n Z n of dimension n with orthogonalization vectors b,..., b n. Let be some integer < < n, = 4 t, throughout the following will be a power of 4. We present a novel, efficient deterministic algorithm that transforms an LLL-reduced basis into a basis satisfying n i=+ b i > 4 b. (4) We bound in Lemma 5 the approximation factor b /λ for lattice bases having property (4). Our time bounds count arithmetic steps using integers bounded by max i b i. 9
10 The Basic Sieve. Suppose we are given an LLL reduced lattice basis satisfying n i=+ b i 4 b for some such that 3 + n. We proceed in t stages, s = 0,..., t. Initially, at stage 0 we generate + lattice vectors b = n i= tibi = n i= µi b i satisfying { µ i for i, µn {, }. (5) for < i < n There are at least n distinct lattice vectors b of this form. We let n 3 + so that there are + vectors for stage 0. The vectors of stage 0 are positive, i.e., µ i > 0 for the largest i with µ i 0 and b 0. A vector b of stage 0 can easily be generated in time O(n ), which yields the time bound O(n + ) for stage s = 0. Stage s requires only O(n + ) steps. As the number of stages t is small compared to n the total time for the sieve is essentially the time for stage 0. Stage s. By induction on s we generate + positive vectors b = n i= µi b i of stage s satisfying µ i s for i, (6) µ i s for < i < n, 0 µ n s. (7) We partition the vectors b of stage s into classes. We divide the range ], ] s of the µ i for i into 4 intervals ]j, j + ] s of equal size for j =,, 0,. A class is given by j i {,, 0, } for i =,..., and consists of the vectors b = n i= µi b i satisfying µ i ]j i, j i + ] s for i =,...,. The vectors of stage s+ are positive vectors b b, where b, b are vectors of stage s, b ±b such that b, ±b are in the same class. As there are classes, the + vectors ±b of stage sgenerate at least + collision pairs (b, ±b ), where b, ±b fall into the same class and b b is positive. These collisions provide at least (4 ) vectors b b for stage s + counted with multiplicities, and satisfying b b = n i= (µi µ i) b i such that µ i µ i s for i =,...,. This shows the induction claim for (3) while the induction for (4) is trivial. In particular, we have that 0 µ n s as µ n {, } for stage 0. We eep from all possible vectors b b of stage s + at most + distinct, positive vectors, we discard repetitions of the same vector. The number of distinct vectors of stage s + is at least (4 ) minus the number of repetitions, where b b = b b holds for two collision pairs (b, b ), (b, b ). We mae the heuristic Few Repetitions Assumption (FRA). We assume that the number of repetitions at stage s is not greater than the number of classes. Under the FRA there are for each stage s at least (4 ) = + distinct, non-zero vectors. We will see that all vectors b of stage t satisfy 0
11 b b. Therefore, the FRA requires that there are plenty of lattice vectors b satisfying b b. Conversely, we justify below the FRA for the case that b n b n. At the final stage t := log we have that µ i { t = for i 4 t = for i >. Using that (4) is violated and b = max i b i we have that n i= µi b i b i= µi + n i=+ b i b This shows that the vectors b of stage t satisfy b b, hence: Theorem 3. Given a lattice basis satisfying n i=+ b i 4 b for n 3 + the basic sieve finds in deterministic time O(n + ) under FRA + distinct lattice vectors b, all satisfying b b. Suppose we are given an LLL-reduced basis satisfying b n λ. Then we can halve b at most n times. Iterating the basic sieve at most n times we get a basis satisfying (4). The time bound for this procedure is O(n 3 + ). Assuming the GSA. In order to interpret property (4) in terms of the approximation factor b /λ we assume that the b i form a geometric series, b i = b q i for i =,..., n with some quotient q <. Lemma 5. For α < / ln, < < n, a geometric series b i with quotient q = α ln satisfies n i=+ b i b /(α α ln ). Proof. We have that n i=+ b i b = q q n q < q /( q) = ( α ln ) α ln α ln < e = α ln /(αα ln ), where we use that ( ) < e. Corollary. A lattice basis satisfying (4) has under the GSA an approximation less than factor ( + ε) n/, ε = O( ln ). Proof. A geometric series b i satisfying (4) has by Lemma 5 a quotient q ln provided that ln. Hence b /λ b / b n = q n/ ( ln ) n/ = (e + O( )) (n/) ln = ( + O( ln )) n/.
12 The Tailored Sieve. Instead of distributing the µ i to 4 subintervals for every i we adjust the number of subintervals to the length of b i. We need more subintervals for µ i over all stages the longer b i, so that upon termination we have that µ i b i. As we need no subintervals for i > and only a few intervals for the i near to we can save 4 about half of the intervals for the average i, and thus reduce the number of classes per stage from to. We outline the construction, we tailor the sieve assuming for simplicity the GSA. Let a given lattice basis satisfy n i=+ b i 4 b. Lemma 3 with α =, > e shows that q < α ln and thus b i / b = q i i α <. We let n + so that there are + vectors b = n i= µi b i with µ i for i = +,..., n, µ n {, }. We tailor the sieve so that the µ i of stage s range over an interval ], ] η i,s where the integers η i,s are recursively defined so that η i,0 = 0 and η i,s+ η i,s {, 0, } for i =,..., η i,s = s + for i = +,..., n. Upon termination at stage t = log, we want to have that η i i,t +α for i which implies that i= µi b i b 4 = 4. At stage s we partition the range ], ] η i,s of the µ i into ν i,s intervals of equal length where ν i,s is either 0,,. Then the vectors b b of stage s + with b, ±b in the same class satisfy µ i µ i ], ] η i,s ν i,s +. We see that η i,s+ = η i,s ν i,s +, and thus η i,t = t t s=0 νi,s. We select the ν i,s as to minimize the number i ν i,s of equivalence classes of stage s. The ν i,s must satisfy for i =,..., t i s=0 νi,s t α t (8) so that η i i i,t t+α t +α holds upon termination for t = log. To meet Inequality (8) for the average i we select the νi,j such that t i s=0 νi,s = t αt, where r denotes the nearest integer to r. Moreover, we balance the sums i νi,s so that two sums for different stages differ at most by. We see from i i= t αt t t for α = that i= νi,s +. Then there are i ν i,s + classes per stage. Therefore it suffices to generate + vectors per stage which yields a time bound O(n + ) for the sieve. This proves the following Theorem 4. Given a lattice basis satisfying n i=+ b i 4 b, for n + o(), the tailored sieve finds in average time O(n + ) under FRA and GSA lattice vectors b all satisfying b b. Iteration of the taylored sieve yields for n by Theorem 4 and Corollary the approximation factor n = ( n ) in time O( n +o(n) ).
13 How to Justify FRA under GSA for the Taylored Sieve. The Gaussian volume heuristics tells us that the number of lattice points b such that b b is on average V n( b / ) b... b = n/ b n ( eπ ) n n Γ ( n + ) b... b b n n n b... b, n where V n(r) is the volume of the n-dimensional sphere with radius r. Under the GSA we have that n n ( ) i ( n n b / b i = b / b n = b / b n ). i= i= Thus the number of lattice points b such that b b is on average ( ) n eπ b (eπ) n n b.9 n, n provided that b n b n. Thus the number of lattice points b such that b b is much larger than the number +, required for the taylored sieve. This justifies the FRA for the taylored sieve in the case that b n b n. The Approximation Factor n. Theorem 4 requires that < n. Now we remove this conditions that is used to provide enough vectors for stage 0 of the taylored sieve. This yields under FRA and GSA the approximation factor n within average time O( n+o(n) ). Theorem 5. There is an algorithm that transforms under FRA and GSA an LLL-reduced lattice basis of dimension n = 4 t + in determinisitic time n+o(n) into a basis satisfying b n b n. Proof. We proceed as in the taylored sieve for = n, α =, t = log. However, we allow for the vectors of stage 0 that µ i +δ i for i =,..., n, µ n {, }. We let the integers δ i satisfy n/t + i δi < n so that we get at least n+n/t+ vectors for stage 0. We compensate for the larger µ i, µ i >, by additionally halving these µ i via the sieve + δ i-times over the t stages. This increases the number of classes per stage by the factor (n+ i δi)/t < n/t from n to at most n+n/t. Thus, the number of classes per stage, the number of vectors per stage and the time are all boundedby n+o(n). The final vectors vectors b = n i= µi b i at stage t = log satisfy for i =,..., n that Hence µ i +δ i δ i log = /, µ n log =. b = n i= µi b i n 4 n b + n b 4 n < b, where we use that b n b n and that b = max i b i. 3
14 Applying the sieve iteratively n-times to an LLL-reduced basis results in a basis satisfying b n b n. The property max i=,...,n b i / b i n implies that b approximates λ to within a factor n. Thus, the taylored sieve realizes by Theorem 5 and Corollary the approximation factor n. The Randomized Sieve. So far our worst case analysis uses that µ i µ i holds for µi, 4 µ i [, ]. Now we give an average case analysis for random µ i, µ i R [, ]. Randomnesss Assumption * (RA*). Let the µ i of the vectors of stage 0 be uniformly distributed over the invervals [, ] for i resp., [, ] for i >, and statistically independent for distinct vectors and distinct i. We get from Lemma and Lemma 4 the following Corollary. For random µ i, µ i R [, ] we have that. E[ µ i ± µ i ] = E[ µ i ],. E[ µ i µ i ] = 3 E[ µi ]. As E[ µ i ± µ i ] = E[ µ i ] it follows that E[ n i=+ µi ± µ i b i ] E[ n i=+ µi b i ], which is half the bound required for the proofs of Theorems 3 and 4. We show that Inequality (4) can be replaced by the stronger inequality n b i > 4 b. (4 ) i=+ If Inequality (4 ) is violated then we have by Corollary at the final stage t = log that E[ n i=+ µ i b i b ] t E[ n i=+ b i b ] 4 = 4. Therefore, Inequality (4) can be replaced on the average by (4 ), hence Theorem 6. Given a lattice basis satisfying n i=+ b i 4 b and < n the tailored, randomized sieve finds under FRA, GSA and RA +o() lattice vectors b all satisfying b b. Corollary 3. A lattice basis satisfying (4 ) approximates under GSA the shortest lattice vector to within a factor 3 4 n. Proof. Replacing in (4) by 4 4 amounts by Lemma 5 under GSA.5 ln to replace the quotient q = ln by q = α = by α =.5. By Corollary a quotient q approximation factor ( b /λ b / b n = q n/.5 ln ) n/ e 3 4 n ln = 3 4 n., i.e., replacing yields an.5 ln 4
15 The Time Bound Under RA*. Under RA* we can tailor the sieve using smaller intervals and fewer vectors per stage. We setch how to speed up the sieve so that there are on average vectors per stage requiring a total of O(n o() ) arithmetic steps. Suppose that the µ i for i of stage s range over the interval ], ] η i,s. We partition that interval into ν i,s subintervals of equal length. Two random µ i, µ i in the same subinterval satisfy Corollary 3 on the average that µ i µ i [, ] η i,s ν i,s 3. 3 Hence η i,s+ = η i,s ν i,s + log where ηi,s+ is non-integer and 3 log and thus ηi,t t s νi,s for t = log. Using α =.5 the worst case inequality (8) translates into an averaged inequality i s νi,s.585 t αt. (9) To meet Inequality (9) for the average i we select the ν i,s such that i s νi,s =.585 t αt. Moreover we balance the sums i= νi,s so that two sums for two stages s differ at most by. We see from α =.5, i i=.585 t αt.585 t α t t that there are on average classes per stage which yields an average time bound O(n ) for the randomized sieve. References [AKS0] M. Aijtai, R. Kumar, and D. Sivaumar, A Sieve Algorithm for the Shortest Lattice Vector Problem, Proceedings of the Thirty- Third ACM Symposium on Theory of Computing, 00. [H85] B. Helfrich, Algorithms to construct Minowsi reduced and Hermite reduced bases. Theoretical Computer Science 4, pp. 5 39, 985. [HPS98] J. Hoffstein, J. Pipher, and J. Silvermann, NTRU: A new high speed public ey cryptosystem, Proceedings of Algorithmic Number Theory (ANTS III), LNCS 43, Springer-Verlag, pp , 999. [K83] R. Kannan, Minowsi s convex body theorem and integer programming. Mathematics of Operations Research pp , 983. [KS0a] H. Koy and C.P. Schnorr, Segment LLL-Reduction of Lattice Bases. Proceedings CaLC 00, LNCS 46, Springer-Verlag, pp , 00. [KS0b] H. Koy and C.P. Schnorr, Segment LLL-Reduction of Lattice Bases with Floating Point Orthogonalization. Proceedings CaLC 00, LNCS 46, Springer-Verlag,pp. 8 96, 00. [KuSi] R. Kumar and D. Sivaumar, On polynomial approximations to the shortest lattice vector length. Proc. th Symposium on Discrete Algorithms, 00, [LLL8] A. K. Lenstra, H. W. Lenstra, and L. Lovász, Factoring polynomials with rational coefficients, Math. Ann. 6, pp , 98. 5
16 [LLS90] J.C. Lagarias, H.W. Lenstra Jr, and C.P. Schnorr, Korin- Zolotarev bases and successive minima of a lattice and its reciprocal lattice. Combinatoria 0 4, pp , 990. [S87] C.P. Schnorr, A hierarchy of polynomial time lattice basis reduction algorithms, Theoretical Computer Science 53, pp. 0 4, 987. [S9] C.P. Schnorr, Factoring Integers and computing discrete logarithms via diophantine approximation, Proceedings os Eurocrypt 9, LNCS 547, Springer-Verlag, pp. 8-93, 99. Final paper in AMS DIMACS Series in Discr. Math. and Theor. Comp. Sc., 3, 7 8,
satisfying ( i ; j ) = ij Here ij = if i = j and 0 otherwise The idea to use lattices is the following Suppose we are given a lattice L and a point ~x
Dual Vectors and Lower Bounds for the Nearest Lattice Point Problem Johan Hastad* MIT Abstract: We prove that given a point ~z outside a given lattice L then there is a dual vector which gives a fairly
More informationThe Shortest Vector Problem (Lattice Reduction Algorithms)
The Shortest Vector Problem (Lattice Reduction Algorithms) Approximation Algorithms by V. Vazirani, Chapter 27 - Problem statement, general discussion - Lattices: brief introduction - The Gauss algorithm
More informationOn estimating the lattice security of NTRU
On estimating the lattice security of NTRU Nick Howgrave-Graham, Jeff Hoffstein, Jill Pipher, William Whyte NTRU Cryptosystems Abstract. This report explicitly refutes the analysis behind a recent claim
More informationCSE 206A: Lattice Algorithms and Applications Spring Basis Reduction. Instructor: Daniele Micciancio
CSE 206A: Lattice Algorithms and Applications Spring 2014 Basis Reduction Instructor: Daniele Micciancio UCSD CSE No efficient algorithm is known to find the shortest vector in a lattice (in arbitrary
More information1 Shortest Vector Problem
Lattices in Cryptography University of Michigan, Fall 25 Lecture 2 SVP, Gram-Schmidt, LLL Instructor: Chris Peikert Scribe: Hank Carter Shortest Vector Problem Last time we defined the minimum distance
More informationSome Sieving Algorithms for Lattice Problems
Foundations of Software Technology and Theoretical Computer Science (Bangalore) 2008. Editors: R. Hariharan, M. Mukund, V. Vinay; pp - Some Sieving Algorithms for Lattice Problems V. Arvind and Pushkar
More informationShortest Vector Problem (1982; Lenstra, Lenstra, Lovasz)
Shortest Vector Problem (1982; Lenstra, Lenstra, Lovasz) Daniele Micciancio, University of California at San Diego, www.cs.ucsd.edu/ daniele entry editor: Sanjeev Khanna INDEX TERMS: Point lattices. Algorithmic
More informationHard Instances of Lattice Problems
Hard Instances of Lattice Problems Average Case - Worst Case Connections Christos Litsas 28 June 2012 Outline Abstract Lattices The Random Class Worst-Case - Average-Case Connection Abstract Christos Litsas
More informationand the polynomial-time Turing p reduction from approximate CVP to SVP given in [10], the present authors obtained a n=2-approximation algorithm that
Sampling short lattice vectors and the closest lattice vector problem Miklos Ajtai Ravi Kumar D. Sivakumar IBM Almaden Research Center 650 Harry Road, San Jose, CA 95120. fajtai, ravi, sivag@almaden.ibm.com
More informationHow to Factor N 1 and N 2 When p 1 = p 2 mod 2 t
How to Factor N 1 and N 2 When p 1 = p 2 mod 2 t Kaoru Kurosawa and Takuma Ueda Ibaraki University, Japan Abstract. Let N 1 = p 1q 1 and N 2 = p 2q 2 be two different RSA moduli. Suppose that p 1 = p 2
More information47-831: Advanced Integer Programming Lecturer: Amitabh Basu Lecture 2 Date: 03/18/2010
47-831: Advanced Integer Programming Lecturer: Amitabh Basu Lecture Date: 03/18/010 We saw in the previous lecture that a lattice Λ can have many bases. In fact, if Λ is a lattice of a subspace L with
More informationImproved Analysis of Kannan s Shortest Lattice Vector Algorithm
mproved Analysis of Kannan s Shortest Lattice Vector Algorithm Abstract The security of lattice-based cryptosystems such as NTRU GGH and Ajtai-Dwork essentially relies upon the intractability of computing
More informationA Fast Phase-Based Enumeration Algorithm for SVP Challenge through y-sparse Representations of Short Lattice Vectors
A Fast Phase-Based Enumeration Algorithm for SVP Challenge through y-sparse Representations of Short Lattice Vectors Dan Ding 1, Guizhen Zhu 2, Yang Yu 1, Zhongxiang Zheng 1 1 Department of Computer Science
More informationDIMACS Workshop on Parallelism: A 2020 Vision Lattice Basis Reduction and Multi-Core
DIMACS Workshop on Parallelism: A 2020 Vision Lattice Basis Reduction and Multi-Core Werner Backes and Susanne Wetzel Stevens Institute of Technology 29th March 2011 Work supported through NSF Grant DUE
More informationInteger Factorization using lattices
Integer Factorization using lattices Antonio Vera INRIA Nancy/CARAMEL team/anr CADO/ANR LAREDA Workshop Lattice Algorithmics - CIRM - February 2010 Plan Introduction Plan Introduction Outline of the algorithm
More informationReduction of Smith Normal Form Transformation Matrices
Reduction of Smith Normal Form Transformation Matrices G. Jäger, Kiel Abstract Smith normal form computations are important in group theory, module theory and number theory. We consider the transformation
More informationWorst case complexity of the optimal LLL algorithm
Worst case complexity of the optimal LLL algorithm ALI AKHAVI GREYC - Université de Caen, F-14032 Caen Cedex, France aliakhavi@infounicaenfr Abstract In this paper, we consider the open problem of the
More informationThe Generalized Gauss Reduction Algorithm
Ž. JOURNAL OF ALGORITHMS 21, 565578 1996 ARTICLE NO. 0059 The Generalized Gauss Reduction Algorithm Michael Kaib and Claus P. Schnorr Fachbereich Mathemati Informati, Uniersitat Franfurt, PSF 11 19 32,
More informationIsodual Reduction of Lattices
Isodual Reduction of Lattices Nicholas A. Howgrave-Graham nhowgravegraham@ntru.com NTRU Cryptosystems Inc., USA Abstract We define a new notion of a reduced lattice, based on a quantity introduced in the
More informationLattice Reduction for Modular Knapsack
Lattice Reduction for Modular Knapsack Thomas Plantard, Willy Susilo, and Zhenfei Zhang Centre for Computer and Information Security Research School of Computer Science & Software Engineering (SCSSE) University
More informationCryptanalysis of the Quadratic Generator
Cryptanalysis of the Quadratic Generator Domingo Gomez, Jaime Gutierrez, Alvar Ibeas Faculty of Sciences, University of Cantabria, Santander E 39071, Spain jaime.gutierrez@unican.es Abstract. Let p be
More informationCOS 598D - Lattices. scribe: Srdjan Krstic
COS 598D - Lattices scribe: Srdjan Krstic Introduction In the first part we will give a brief introduction to lattices and their relevance in some topics in computer science. Then we show some specific
More informationLower bounds of shortest vector lengths in random knapsack lattices and random NTRU lattices
Lower bounds of shortest vector lengths in random knapsack lattices and random NTRU lattices Jingguo Bi 1 and Qi Cheng 2 1 Lab of Cryptographic Technology and Information Security School of Mathematics
More informationLower Bounds of Shortest Vector Lengths in Random NTRU Lattices
Lower Bounds of Shortest Vector Lengths in Random NTRU Lattices Jingguo Bi 1,2 and Qi Cheng 2 1 School of Mathematics Shandong University Jinan, 250100, P.R. China. Email: jguobi@mail.sdu.edu.cn 2 School
More informationON FREE PLANES IN LATTICE BALL PACKINGS ABSTRACT. 1. Introduction
ON FREE PLANES IN LATTICE BALL PACKINGS MARTIN HENK, GÜNTER M ZIEGLER, AND CHUANMING ZONG ABSTRACT This note, by studying relations between the length of the shortest lattice vectors and the covering minima
More informationCSE 206A: Lattice Algorithms and Applications Spring Basic Algorithms. Instructor: Daniele Micciancio
CSE 206A: Lattice Algorithms and Applications Spring 2014 Basic Algorithms Instructor: Daniele Micciancio UCSD CSE We have already seen an algorithm to compute the Gram-Schmidt orthogonalization of a lattice
More informationDimension-Preserving Reductions Between Lattice Problems
Dimension-Preserving Reductions Between Lattice Problems Noah Stephens-Davidowitz Courant Institute of Mathematical Sciences, New York University. noahsd@cs.nyu.edu Last updated September 6, 2016. Abstract
More informationLecture 7 Limits on inapproximability
Tel Aviv University, Fall 004 Lattices in Computer Science Lecture 7 Limits on inapproximability Lecturer: Oded Regev Scribe: Michael Khanevsky Let us recall the promise problem GapCVP γ. DEFINITION 1
More informationLattice Reduction of Modular, Convolution, and NTRU Lattices
Summer School on Computational Number Theory and Applications to Cryptography Laramie, Wyoming, June 19 July 7, 2006 Lattice Reduction of Modular, Convolution, and NTRU Lattices Project suggested by Joe
More informationAnother View of the Gaussian Algorithm
Another View of the Gaussian Algorithm Ali Akhavi and Céline Moreira Dos Santos GREYC Université de Caen, F-14032 Caen Cedex, France {ali.akhavi,moreira}@info.unicaen.fr Abstract. We introduce here a rewrite
More informationLattice Reduction Algorithms: Theory and Practice
Lattice Reduction Algorithms: Theory and Practice Phong Q. Nguyen INRIA and ENS, Département d informatique, 45 rue d Ulm, 75005 Paris, France http://www.di.ens.fr/~pnguyen/ Abstract. Lattice reduction
More informationPractical Analysis of Key Recovery Attack against Search-LWE Problem
Practical Analysis of Key Recovery Attack against Search-LWE Problem The 11 th International Workshop on Security, Sep. 13 th 2016 Momonari Kudo, Junpei Yamaguchi, Yang Guo and Masaya Yasuda 1 Graduate
More informationRankin s Constant and Blockwise Lattice Reduction
Ranin s Constant and Blocwise Lattice Reduction Nicolas Gama 1, Nic Howgrave-Graham, Henri Koy 3, and Phong Q. Nguyen 4 1 École normale supérieure, DI, 45 rue d Ulm, 75005 Paris, France nicolas.gama@ens.fr
More informationLattice-based Cryptography
Lattice-based Cryptography Oded Regev Tel Aviv University, Israel Abstract. We describe some of the recent progress on lattice-based cryptography, starting from the seminal work of Ajtai, and ending with
More informationLattice Basis Reduction and the LLL Algorithm
Lattice Basis Reduction and the LLL Algorithm Curtis Bright May 21, 2009 1 2 Point Lattices A point lattice is a discrete additive subgroup of R n. A basis for a lattice L R n is a set of linearly independent
More information1: Introduction to Lattices
CSE 206A: Lattice Algorithms and Applications Winter 2012 Instructor: Daniele Micciancio 1: Introduction to Lattices UCSD CSE Lattices are regular arrangements of points in Euclidean space. The simplest
More informationLattice reduction for modular knapsack
University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2013 Lattice reduction for modular knapsack Thomas
More informationEstimation of the Success Probability of Random Sampling by the Gram-Charlier Approximation
Estimation of the Success Probability of Random Sampling by the Gram-Charlier Approximation Yoshitatsu Matsuda 1, Tadanori Teruya, and Kenji Kashiwabara 1 1 Department of General Systems Studies, Graduate
More informationFrom the Shortest Vector Problem to the Dihedral Hidden Subgroup Problem
From the Shortest Vector Problem to the Dihedral Hidden Subgroup Problem Curtis Bright December 9, 011 Abstract In Quantum Computation and Lattice Problems [11] Oded Regev presented the first known connection
More informationApplication of the LLL Algorithm in Sphere Decoding
Application of the LLL Algorithm in Sphere Decoding Sanzheng Qiao Department of Computing and Software McMaster University August 20, 2008 Outline 1 Introduction Application Integer Least Squares 2 Sphere
More informationLattice-Based Cryptography: Mathematical and Computational Background. Chris Peikert Georgia Institute of Technology.
Lattice-Based Cryptography: Mathematical and Computational Background Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 18 Lattice-Based Cryptography y = g x mod p m e mod N e(g a, g b
More informationThe Simple 7-(33,8,10)-Designs with Automorphism Group PΓL(2,32)
The Simple 7-(33,8,10)-Designs with Automorphism Group PΓL(2,32) Alfred Wassermann Abstract Lattice basis reduction in combination with an efficient backtracking algorithm is used to find all (4 996 426)
More informationNote on shortest and nearest lattice vectors
Note on shortest and nearest lattice vectors Martin Henk Fachbereich Mathematik, Sekr. 6-1 Technische Universität Berlin Straße des 17. Juni 136 D-10623 Berlin Germany henk@math.tu-berlin.de We show that
More informationCSE 206A: Lattice Algorithms and Applications Winter The dual lattice. Instructor: Daniele Micciancio
CSE 206A: Lattice Algorithms and Applications Winter 2016 The dual lattice Instructor: Daniele Micciancio UCSD CSE 1 Dual Lattice and Dual Basis Definition 1 The dual of a lattice Λ is the set ˆΛ of all
More informationarxiv: v1 [cs.ds] 2 Nov 2013
On the Lattice Isomorphism Problem Ishay Haviv Oded Regev arxiv:1311.0366v1 [cs.ds] 2 Nov 2013 Abstract We study the Lattice Isomorphism Problem (LIP), in which given two lattices L 1 and L 2 the goal
More informationDeterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring
Deterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring Jean-Sébastien Coron and Alexander May Gemplus Card International 34 rue Guynemer, 92447 Issy-les-Moulineaux, France
More informationCSC 2414 Lattices in Computer Science September 27, Lecture 4. An Efficient Algorithm for Integer Programming in constant dimensions
CSC 2414 Lattices in Computer Science September 27, 2011 Lecture 4 Lecturer: Vinod Vaikuntanathan Scribe: Wesley George Topics covered this lecture: SV P CV P Approximating CVP: Babai s Nearest Plane Algorithm
More informationEnumeration. Phong Nguyễn
Enumeration Phong Nguyễn http://www.di.ens.fr/~pnguyen March 2017 References Joint work with: Yoshinori Aono, published at EUROCRYPT 2017: «Random Sampling Revisited: Lattice Enumeration with Discrete
More informationCOMPLEXITY OF LATTICE PROBLEMS A Cryptographic Perspective
COMPLEXITY OF LATTICE PROBLEMS A Cryptographic Perspective THE KLUWER INTERNATIONAL SERIES IN ENGINEERING AND COMPUTER SCIENCE COMPLEXITY OF LATTICE PROBLEMS A Cryptographic Perspective Daniele Micciancio
More informationCHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S. Ant nine J aux
CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S Ant nine J aux (g) CRC Press Taylor 8* Francis Croup Boca Raton London New York CRC Press is an imprint of the Taylor &
More informationComputing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring
Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring Alexander May Faculty of Computer Science, Electrical Engineering and Mathematics University of Paderborn 33102 Paderborn,
More informationOn the Complexity of Computing Units in a Number Field
On the Complexity of Computing Units in a Number Field V. Arvind and Piyush P Kurur Institute of Mathematical Sciences C.I.T Campus,Chennai, India 600 113 {arvind,ppk}@imsc.res.in August 2, 2008 Abstract
More informationPredicting Lattice Reduction
Predicting Lattice Reduction Nicolas Gama and Phong Q. Nguyen École normale supérieure/cnrs/inria, 45 rue d Ulm, 75005 Paris, France nicolas.gama@ens.fr http://www.di.ens.fr/~pnguyen Abstract. Despite
More informationSolving the Shortest Lattice Vector Problem in Time n
Solving the Shortest Lattice Vector Problem in Time.465n Xavier Pujol 1 and Damien Stehlé 1 Université de Lyon, Laboratoire LIP, CNRS-ENSL-INRIA-UCBL, 46 Allée d Italie, 69364 Lyon Cedex 07, France CNRS,
More informationCS261: A Second Course in Algorithms Lecture #12: Applications of Multiplicative Weights to Games and Linear Programs
CS26: A Second Course in Algorithms Lecture #2: Applications of Multiplicative Weights to Games and Linear Programs Tim Roughgarden February, 206 Extensions of the Multiplicative Weights Guarantee Last
More informationComputers and Mathematics with Applications
Computers and Mathematics with Applications 61 (2011) 1261 1265 Contents lists available at ScienceDirect Computers and Mathematics with Applications journal homepage: wwwelseviercom/locate/camwa Cryptanalysis
More informationLooking back at lattice-based cryptanalysis
September 2009 Lattices A lattice is a discrete subgroup of R n Equivalently, set of integral linear combinations: α 1 b1 + + α n bm with m n Lattice reduction Lattice reduction looks for a good basis
More informationProgress on LLL and Lattice Reduction
Progress on LLL and Lattice Reduction Claus Peter Schnorr Abstract We surview variants and extensions of the LLL-algorithm of Lenstra, Lenstra Lovász, extensions to quadratic indefinite forms and to faster
More informationBKZ 2.0: Better Lattice Security Estimates
BKZ 2.0: Better Lattice Security Estimates Yuanmi Chen and Phong Q. Nguyen 1 ENS, Dept. Informatique, 45 rue d Ulm, 75005 Paris, France. http://www.eleves.ens.fr/home/ychen/ 2 INRIA and ENS, Dept. Informatique,
More informationCryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97
Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97 Phong Nguyen and Jacques Stern École Normale Supérieure, Laboratoire d Informatique 45, rue d Ulm, F 75230 Paris Cedex 05 {Phong.Nguyen,Jacques.Stern}@ens.fr
More informationLattices Part II Dual Lattices, Fourier Transform, Smoothing Parameter, Public Key Encryption
Lattices Part II Dual Lattices, Fourier Transform, Smoothing Parameter, Public Key Encryption Boaz Barak May 12, 2008 The first two sections are based on Oded Regev s lecture notes, and the third one on
More informationBlock Korkin{Zolotarev Bases. and Successive Minima. C.P. Schnorr TR September Abstract
Block Korkin{Zolotarev Bases and Successive Minima P Schnorr TR-9-0 September 99 Abstract A lattice basis b ; : : : ; b m is called block Korkin{Zolotarev with block size if for every consecutive vectors
More informationA Note on the Density of the Multiple Subset Sum Problems
A Note on the Density of the Multiple Subset Sum Problems Yanbin Pan and Feng Zhang Key Laboratory of Mathematics Mechanization, Academy of Mathematics and Systems Science, Chinese Academy of Sciences,
More informationLecture 5: CVP and Babai s Algorithm
NYU, Fall 2016 Lattices Mini Course Lecture 5: CVP and Babai s Algorithm Lecturer: Noah Stephens-Davidowitz 51 The Closest Vector Problem 511 Inhomogeneous linear equations Recall that, in our first lecture,
More informationA Disaggregation Approach for Solving Linear Diophantine Equations 1
Applied Mathematical Sciences, Vol. 12, 2018, no. 18, 871-878 HIKARI Ltd, www.m-hikari.com https://doi.org/10.12988/ams.2018.8687 A Disaggregation Approach for Solving Linear Diophantine Equations 1 Baiyi
More information9 Knapsack Cryptography
9 Knapsack Cryptography In the past four weeks, we ve discussed public-key encryption systems that depend on various problems that we believe to be hard: prime factorization, the discrete logarithm, and
More informationLecture 2: Lattices and Bases
CSE 206A: Lattice Algorithms and Applications Spring 2007 Lecture 2: Lattices and Bases Lecturer: Daniele Micciancio Scribe: Daniele Micciancio Motivated by the many applications described in the first
More informationPredicting Lattice Reduction
Predicting Lattice Reduction Nicolas Gama and Phong Q. Nguyen École normale supérieure/cnrs/inria, 45 rue d Ulm, 75005 Paris, France nicolas.gama@ens.fr http://www.di.ens.fr/~pnguyen Abstract. Despite
More informationThe Euclidean Distortion of Flat Tori
The Euclidean Distortion of Flat Tori Ishay Haviv Oded Regev June 0, 010 Abstract We show that for every n-dimensional lattice L the torus R n /L can be embedded with distortion O(n log n) into a Hilbert
More informationBALANCED INTEGER SOLUTIONS OF LINEAR EQUATIONS
BALANCED INTEGER SOLUTIONS OF LINEAR EQUATIONS KONSTANTINOS A. DRAZIOTIS Abstract. We use lattice based methods in order to get an integer solution of the linear equation a x + +a nx n = a 0, which satisfies
More informationSolving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?
Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know? Alexander May, Maike Ritzenhofen Faculty of Mathematics Ruhr-Universität Bochum, 44780 Bochum,
More informationOn Deterministic Polynomial-Time Equivalence of Computing the CRT-RSA Secret Keys and Factoring
On Deterministic Polynomial-Time Equivalence of Computing the CRT-RSA Secret Keys and Factoring Subhamoy Maitra and Santanu Sarkar Applied Statistics Unit, Indian Statistical Institute, 203 B T Road, Kolkata
More informationare the q-versions of n, n! and . The falling factorial is (x) k = x(x 1)(x 2)... (x k + 1).
Lecture A jacques@ucsd.edu Notation: N, R, Z, F, C naturals, reals, integers, a field, complex numbers. p(n), S n,, b(n), s n, partition numbers, Stirling of the second ind, Bell numbers, Stirling of the
More informationA new attack on RSA with a composed decryption exponent
A new attack on RSA with a composed decryption exponent Abderrahmane Nitaj and Mohamed Ould Douh,2 Laboratoire de Mathématiques Nicolas Oresme Université de Caen, Basse Normandie, France abderrahmane.nitaj@unicaen.fr
More informationImplicit factorization of unbalanced RSA moduli
Implicit factorization of unbalanced RSA moduli Abderrahmane Nitaj 1 and Muhammad Rezal Kamel Ariffin 2 1 Laboratoire de Mathématiques Nicolas Oresme Université de Caen Basse Normandie, France abderrahmane.nitaj@unicaen.fr
More informationShort Vectors of Planar Lattices via Continued Fractions. Friedrich Eisenbrand Max-Planck-Institut für Informatik
Short Vectors of Planar Lattices via Continued Fractions Friedrich Eisenbrand Max-Planck-Institut für Informatik Outline Lattices Definition of planar integral lattices Shortest Vectors Applications The
More informationJoshua N. Cooper Department of Mathematics, Courant Institute of Mathematics, New York University, New York, NY 10012, USA.
CONTINUED FRACTIONS WITH PARTIAL QUOTIENTS BOUNDED IN AVERAGE Joshua N. Cooper Department of Mathematics, Courant Institute of Mathematics, New York University, New York, NY 10012, USA cooper@cims.nyu.edu
More informationAnalyzing Blockwise Lattice Algorithms using Dynamical Systems
Analyzing Blockwise Lattice Algorithms using Dynamical Systems Guillaume Hanrot, Xavier Pujol, Damien Stehlé ENS Lyon, LIP (CNRS ENSL INRIA UCBL - ULyon) Analyzing Blockwise Lattice Algorithms using Dynamical
More informationSafe and Effective Determinant Evaluation
Safe and Effective Determinant Evaluation Kenneth L. Clarson AT&T Bell Laboratories Murray Hill, New Jersey 07974 e-mail: clarson@research.att.com February 25, 1994 Abstract The problem of evaluating the
More informationInteger Least Squares: Sphere Decoding and the LLL Algorithm
Integer Least Squares: Sphere Decoding and the LLL Algorithm Sanzheng Qiao Department of Computing and Software McMaster University 28 Main St. West Hamilton Ontario L8S 4L7 Canada. ABSTRACT This paper
More informationBasis Reduction, and the Complexity of Branch-and-Bound
Basis Reduction, and the Complexity of Branch-and-Bound Gábor Pataki and Mustafa Tural Department of Statistics and Operations Research, UNC Chapel Hill Abstract The classical branch-and-bound algorithm
More informationOn Approximating the Covering Radius and Finding Dense Lattice Subspaces
On Approximating the Covering Radius and Finding Dense Lattice Subspaces Daniel Dadush Centrum Wiskunde & Informatica (CWI) ICERM April 2018 Outline 1. Integer Programming and the Kannan-Lovász (KL) Conjecture.
More informationComputing Machine-Efficient Polynomial Approximations
Computing Machine-Efficient Polynomial Approximations N. Brisebarre, S. Chevillard, G. Hanrot, J.-M. Muller, D. Stehlé, A. Tisserand and S. Torres Arénaire, LIP, É.N.S. Lyon Journées du GDR et du réseau
More informationHidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV *
2017 2nd International Conference on Artificial Intelligence: Techniques and Applications (AITA 2017) ISBN: 978-1-60595-491-2 Hidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV * DCS
More informationThe 123 Theorem and its extensions
The 123 Theorem and its extensions Noga Alon and Raphael Yuster Department of Mathematics Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University, Tel Aviv, Israel Abstract It is shown
More informationImproved Analysis of Kannan s Shortest Lattice Vector Algorithm (Extended Abstract)
Improved Analysis of Kannan s Shortest Lattice Vector Algorithm (Extended Abstract) Guillaume Hanrot 1 and Damien Stehlé 2 1 LORIA/INRIA Lorraine, Technopôle de Nancy-Brabois, 615 rue du jardin botanique,
More information1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation
1 The Fundamental Theorem of Arithmetic A positive integer N has a unique prime power decomposition 2 Primality Testing Integer Factorisation (Gauss 1801, but probably known to Euclid) The Computational
More informationDeterministic Polynomial Time Equivalence between Factoring and Key-Recovery Attack on Takagi s RSA
Deterministic Polynomial Time Equivalence between Factoring and Key-Recovery Attack on Takagi s RSA Noboru Kunihiro 1 and Kaoru Kurosawa 2 1 The University of Electro-Communications, Japan kunihiro@iceuecacjp
More informationCryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000
Cryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000 Amr Youssef 1 and Guang Gong 2 1 Center for Applied Cryptographic Research Department of Combinatorics & Optimization 2 Department of Electrical
More informationDiophantine equations via weighted LLL algorithm
Cryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL algorithm Momonari Kudo Graduate School of Mathematics, Kyushu University, JAPAN Kyushu University Number Theory
More informationAn algorithm for the satisfiability problem of formulas in conjunctive normal form
Journal of Algorithms 54 (2005) 40 44 www.elsevier.com/locate/jalgor An algorithm for the satisfiability problem of formulas in conjunctive normal form Rainer Schuler Abt. Theoretische Informatik, Universität
More informationREMARKS ON THE NFS COMPLEXITY
REMARKS ON THE NFS COMPLEXITY PAVOL ZAJAC Abstract. In this contribution we investigate practical issues with implementing the NFS algorithm to solve the DLP arising in XTR-based cryptosystems. We can
More informationFast Reduction of Ternary Quadratic Forms
1:01 Fast Reduction of Ternary Quadratic Forms 1:02 1:0 1:04 1:05 1:06 Friedrich Eisenbrand 1 and Günter Rote 2 1 Max-Planck-Institut für Informatik, Stuhlsatzenhausweg 85, 6612 Saarbrücken, Germany, eisen@mpi-sb.mpg.de
More informationLattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.
Lattices A Lattice is a discrete subgroup of the additive group of n-dimensional space R n. Lattices have many uses in cryptography. They may be used to define cryptosystems and to break other ciphers.
More informationIdentifying Ideal Lattices
Identifying Ideal Lattices Jintai Ding 1 and Richard Lindner 2 1 University of Cincinnati, Department of Mathematical Sciences PO Box 2125, Cincinnati, OH 45221-25, USA jintaiding@ucedu 2 Technische Universität
More informationThe Dual Lattice, Integer Linear Systems and Hermite Normal Form
New York University, Fall 2013 Lattices, Convexity & Algorithms Lecture 2 The Dual Lattice, Integer Linear Systems and Hermite Normal Form Lecturers: D. Dadush, O. Regev Scribe: D. Dadush 1 Dual Lattice
More informationLinear Independence. Stephen Boyd. EE103 Stanford University. October 9, 2017
Linear Independence Stephen Boyd EE103 Stanford University October 9, 2017 Outline Linear independence Basis Orthonormal vectors Gram-Schmidt algorithm Linear independence 2 Linear dependence set of n-vectors
More informationTesting Problems with Sub-Learning Sample Complexity
Testing Problems with Sub-Learning Sample Complexity Michael Kearns AT&T Labs Research 180 Park Avenue Florham Park, NJ, 07932 mkearns@researchattcom Dana Ron Laboratory for Computer Science, MIT 545 Technology
More informationPAPER On the Hardness of Subset Sum Problem from Different Intervals
IEICE TRANS FUNDAMENTALS, VOLE95 A, NO5 MAY 202 903 PAPER On the Hardness of Subset Sum Problem from Different Intervals Jun KOGURE a), Noboru KUNIHIRO, Members, and Hirosuke YAMAMOTO, Fellow SUMMARY The
More informationBackground: Lattices and the Learning-with-Errors problem
Background: Lattices and the Learning-with-Errors problem China Summer School on Lattices and Cryptography, June 2014 Starting Point: Linear Equations Easy to solve a linear system of equations A s = b
More information