Solving the Shortest Lattice Vector Problem in Time n
|
|
- Emily Eaton
- 5 years ago
- Views:
Transcription
1 Solving the Shortest Lattice Vector Problem in Time.465n Xavier Pujol 1 and Damien Stehlé 1 Université de Lyon, Laboratoire LIP, CNRS-ENSL-INRIA-UCBL, 46 Allée d Italie, Lyon Cedex 07, France CNRS, Macquarie University and University of Sydney, Department of Mathematics and Statistics F07, University of Sydney NSW 006, Australia {xavier.pujol,damien.stehle}@ens-lyon.fr Abstract. The Shortest lattice Vector Problem is central in lattice-based cryptography, as well as in many areas of computational mathematics and computer science, such as computational number theory and combinatorial optimisation. We present an algorithm for solving it in time.465n+on) and space 1.33n+on), where n is the lattice dimension. This improves the best previously known algorithm, by Micciancio and Voulgaris [SODA 010], which runs in time 3.199n+on) and space 1.35n+on). Keywords. Lattices, Shortest Vector Problem, sieve algorithms. 1 Introduction A lattice L is a discrete subgroup of R n. The dimension of L is d = dimspanl). Any lattice can be represented as the set of integer linear combinations of d linearly independent vectors b 1,...,b d. These vectors form a basis of L and we write L = Lb 1,...,b d ). Since a lattice is discrete, it has shortest non-zero vectors. Their norm λl) is called the minimum of L. The Shortest Vector Problem SVP) consists in finding such a vector. For the sake of simplicity, we consider only full rank integer lattices in this article, i.e., d = n and L Z n. SVP is known to be NP-hard under randomized reductions [1], and to remain so even if relaxed by arbitrary constant factors [13, 10]. SVP is of prime interest in cryptography for two reasons: first, the security of several lattice-based cryptosystems see, e.g., [, 19, 8] and the survey [15]) relies on the hardness of polynomially relaxed versions of the decisional variant of SVP for [], it is proved to be so in [14]); second, the main cryptanalytic tool against lattice-based cryptosystems, namely hierarchical reduction algorithms [0, 1, 7], relies on an algorithm that solves SVP in moderate dimensions. Note that SVP also occurs naturally in algorithmic number theory [4] and in combinatorial optimization [5]. The currently known algorithms for SVP can be separated in two categories. On one side, deterministic algorithms enumerate all lattice vectors shorter than a fixed bound A λl), by working on the Gram- Schmidt orthogonalization of the given lattice basis. They were introduced by Kannan [1] and Fincke and Pohst [6]. If given as input an LLL-reduced basis, the algorithm of Fincke and Pohst runs in time On), while the worst-case complexity of Kannan s algorithm is n n e +on) this complexity upper bound is proved in [9]). Note that for all complexity statements, we omit a multiplicative factor that is polynomial in the bitsize of the lattice basis. Enumeration algorithms require a polynomially bounded amount of space. On the other side, the algorithms with the best theorical complexity are probabilistic Monte Carlo) sieve algorithms, the first of which was introduced by Ajtai et al. in [3]. The initial time and space complexity bounds of On) were later improved by Regev [18], then decreased to 5.90n+on) and.95n respectively by Nguyen and Vidick [17] and recently decreased further to 3.40n+on) and 1.97n+on) by Micciancio and Voulgaris [16]. The authors of [16] also introducedlistsieve, another sieve algorithm which solves SVP in time 3.199n+on) and space 1.35n+on). Contrary to enumeration algorithms, sieve algorithms require an exponential amount of space. Our result. We present an improved version of ListSieve which solves SVP in time.465n+on) and space 1.33n+on) the constants are chosen to minimize the time complexity: a better space complexity can
2 be achieved at the expense of increasing the time complexity). The main new ingredient is the use of the birthday paradox to decrease the number of vectors that must be generated to ensure that the sieve succeeds. The improvement is most easily described with the Ajtai et al. algorithm see the simplified description of [17]). The latter samples iid vectors in L B n 0,cλ 1 L)) for a small constant c, which contains only a finite number N of lattice points. The proof of correctness requires that the same vector is sampled twice with high probability, and another technical constraint implies that only a small fraction 1/x of all the vectors is taken into account. In the previous analyses, the number of required vectors was N x. However, the birthday paradox ensures that O Nx) vectors suffice. In the case of the Ajtai et al. algorithm, this leads to a time complexity bound of.648n+on). We omit the proof, as the improved variant of ListSieve provides a better complexity bound, although it requires more care to ensure that the sampled vectors are iid. Notations. We write for the euclidean norm and, for the dot product. If u and v are non-zero vectors, we define φ u,v as the angle between u and v. We use the notation log for the natural logarithm. All balls B n x,r) are closed, and if x is omitted, it means that the ball is centred on 0. The bitsize B of a basis B is sum of the bitsizes of its vectors. We let PB) denote the fundamental parallelepiped spanned by the basis B. Finally, for any u = i u ib i, we write u mod PB) for i u i u i )b i. The SVP algorithm We first recall the ListSieve algorithm from [16], in Figure 1. It builds a list T of lattice vectors, reducing each randomly generated vector with vectors previously added to the list. ListSieve keeps adding vectors to T until it finds a lattice vector whose norm corresponds the guessed value µ for the lattice minimum λ. It makes use of sampling and reduction functions, described in Figures 3 and 4. The reduction is done on perturbed vectors u = u+x instead of lattice vectors u L, with randomly chosen x s. If the perturbations are large enough, a given perturbed vector can sometimes be obtained from several lattice vectors. The fact that the reduction function is oblivious to the lattice vector is crucial for the proof of correctness. Input: A basis B, µ λlb)), ξ > 1, N1. Output: A shortest non-zero vector of LB). Choose x 1,...,x N1 ) randomly in B n0, ξµ). T {0}. For i = 1 to N 1, do t i,t i) ReductionNewPairB,x i ), T), If t j T, 0 < t i t j µ, then return t i t j; ElseIf t i / T, then T T {t i }. Fig. 1. The ListSieve algorithm The new algorithm ListSieve-Birthday is described in Figure. It runs ListSieve for a while, and then adds to a second list U the vectors reduced with respect to the ListSieve list T. Hence the vectors of the second list U are both short with high probability) and iid. In Section 3, we will prove the following result. Theorem 1 Let L Z n be an n-dimensional lattice and B = b 1,...,b n ) be a basis of L. With suitable choices for the parameters µ, ξ, r 0, N 1 and N, the algorithm ListSieve-Birthday can be used to solve SVP on B with probability 1 Ωn) in time.465n+on) Poly B ) and space 1.33n+on) Poly B ). 3 Analysis of ListSieve-Birthday In this section we set λ = λl) and fix the parameters ξ > 1/ and r 0 > ξ. Wlog, we assume that:
3 Input: A basis B, µ λlb)), ξ > 1, r 0 > ξ, N 1, N. Output: A shortest non-zero vector of LB). Choose x 1,...,x N1,y 1,...,y N ) randomly in B n0, ξµ). T, U. For i = 1 to N 1, do t i,t i) ReductionNewPairB,x i ), T), If t i r 0 µ then T T {t i }. For i = 1 to N, do u i,u i) ReductionNewPairB,y i ), T), U U {u i }. Find closest distinct points s 1,s ) in U fail if they do not exist). Return s 1 s. Fig.. The SVP algorithm: ListSieve-Birthday Input: A basis B and a perturbation x. Output: A lattice vector u and a perturbed vector u. u x) mod PB). u u + x. Return u,u ). Fig. 3. The NewPair algorithm Input: A pair u,u ) generated by NewPair and a list T L. Output: A reduced pair u,u ). While w T : u w < `1 1 n u, u,u ) u w,u w). Return u,u ). Fig. 4. The Reduction algorithm The integer basis B is LLL-reduced. This can be done in time Poly B ). We have max i b i = On) λ if the basis is LLL-reduced then the basis vectors that are too long cannot come into play, see [17, Lemma 3.3]). We know µ such that λ µ < n) λ. This can be ensured by trying a polynomial number of values for µ. 3.1 Known results The following lemmas are variants of those given in [16]. Theorem, which is the main tool for Lemmas 3 and 4, is proven in [11]. For the sake of completeness, we give proofs of Lemmas 3, 4 and 5 in the appendix. Theorem Kabatiansky and Levenshtein) Let E R n \{0}. If there exists φ 0 > 0 such that for any u,v E, we have φ u,v φ 0, then E cn+on) with c = 1 log [1 cosminφ 0,6.99 ))] Lemma 3 Let c b = log r For any lattice L, we have B n 0,r 0 µ) L N B n) = cbn+on). Lemma 4 Let c t = 1 log 1 ξ r ) At any moment during the execution of ListSieve-Birthday, 0 the list T contains at most N T n) = ctn+on) vectors. ) Lemma 5 Let c g = 1 log 1 1 4ξ and s be a shortest non-zero vector of L. Let I s = B n 0,ξµ) B n s,ξµ). If x is chosen uniformly in B n 0,ξµ), then Pr x I s ) 1 N with N Gn) Gn) = cgn+on). 3
4 3. Proof of Theorem 1 Let N max 1 = 4N G N T and N = 8N G N B. We sample N1 uniformly in the interval [0,N max 1 1]. The purpose of Lemmas 6 and 7 is to prove that with high probability, there are sufficiently many vectors u i in U such that u i is short i.e., u i < r 0 µ) and y i I s in that case, the perturbed vector u i could be associated to another lattice vector, namely u i + s with the perturbation y i + s). Lemma 6 Consider ListSieve-Birthday with N 1 = N1 max. For i N1 max, we define the event E i : t i < r 0 µ. We let p i = Pr E i x i I s ), where the probability is taken over the randomness of x 1,...,x i, and J = {i N1 max : p i 1 }. Then J Nmax 1 /. Proof. Assume for contradiction) that J > N max 1 /. Then by Lemma 5 we have i J 1 p i )Pr x i I s ) J N G > N T. This contradicts the following inequalities. The last one derives from Lemma 4. p i )Pr x i I s ) = i J1 Pr E i ) x i I s )) Pr E i ) N T. i J i 1 In the second loop of ListSieve-Birthday, we do not add any point to T. Therefore, the points that are added to U are iid. The procedure to reduce points being the same in both loops, we have that for any i N such that y i I s, the probability that u i < r 0 µ is p. Since N N1+1 1 is sampled uniformly in [0,N1 max 1], we have p 1 N1+1 with probability 1, by Lemma 6. Lemma 7 If n is sufficiently large, then with probability 1/4 taken over the randomness of N 1, the x k s and the y k s), there exist two distinct indices i,j N such that u i = u j and y i,y j I s. Proof. Let N = N B. Until the end of the current proof, we assume that p 1 N1+1, which occurs with probability 1 and implies that Pr u i r 0µ y i I s ) 1 for all i N. Let X = {i N : u i r 0 µ) y i I s )}. Lemma 5 gives Pr u i r 0 µ) y i I s )) = Pr u i r 0 µ y i I s ) Pr y i I s ) 1 N G. The variable X has a binomial distribution of parameter p 1 N G. We have EX) = pn N and VarX) = p1 p)n EX). Therefore, by using Chebyshev s inequality, we have since N B 5 holds for n large enough, we have N 10): VarX) Pr X N) Pr X EX) EX) N) EX) N) EX) EX) N) N 1 5. So with high probability ListSieve-Birthday samples at least N iid points in S 0 = B n r 0 µ) L. The probability that a collision occurs is minimized when the distribution is uniform, i.e., the probability of each point is 1/ S 0. Since we have chosen N S 0 by Lemma 3), the birthday paradox implies that the probability will be large. More precisely it is greater than i<n where we used the fact that S 0 N B by Lemma 3). 1 i ) ) 4 )) NN 1) 1 exp ), S 0 5 N B 5 e 4
5 In order to prove that ListSieve-Birthday returns a shortest non-zero vector with high probability, we introduce a modified version ListSieve-Birthday. Recall that in Lemma 5, we have fixed a shortest vector s and defined I s = B n 0,ξµ) B n s,ξµ). For x in B n 0,ξµ), let τx) = x + s if x I s and τx) = x if x / I s. The difference between ListSieve-Birthday and ListSieve-Birthday is that in the latter the function τ is applied to each y i with probability 1 immediately after it is chosen. If x is sampled uniformly in B n 0,ξµ), then so is τx). As a consequence, the outputs of ListSieve-Birthday and ListSieve-Birthday follow the same distribution. For x I s, let u,u ) = ReductionNewPairx),T) and v,v ) = ReductionNewPairτx)),T). The fact that x I s implies that x = τx) mod PB). The actions of Reduction depend only on the perturbed vector, so we have v = u and v = u + s. Lemma 8 Let c time = maxc g + c t,c g + c b ) and c space = maxc t,c g + c b /). Then with probability 1 16 and for sufficiently large n, ListSieve-Birthday returns a shortest non-zero vector of L in time ctimen+on) and space cspacen+on). Proof. We start with the correctness property. Assume that we run the algorithms ListSieve-Birthday and ListSieve-Birthday on the same input and that they make the same random choices for N 1 and the perturbations. By Lemma 7, with probability 1 4, there exist two distinct indices i and j such that u i = u j and y i,y j I s in ListSieve-Birthday. With probability 1 4, ListSieve-Birthday applies τ to y i but not to y j. Therefore it outputs u i + s and u j = u i, because it chooses the same perturbations as ListSieve-Birthday. Thus, with probability 1 16, there exist two vectors s 1 and s in the second list of ListSieve-Birthday such that s 1 s = λl). This also holds for ListSieve-Birthday, since it has the same output distribution. The space complexity is T + U. By Lemma 4, we have T ctn+on), and, by definition of N, we have U cg+cb/)n+on). Since b i = On) µ for all i, the complexity of Reduction is T Polyn, B ). Omitting the polynomial factor, the time complexity of the first loop is T N 1 T N1 max cg+ct)n+on). The time required to find a closest pair of points in U with the naive algorithm is U. Finally, the time complexity of the second loop is T U ct+cg+cb/)n+on), which is negligibly smaller than the cost of one of the other components. Proof of Theorem 1. The time complexity is minimized when c t = c g + c b. By Lemmas 3, 4 and 5, this is equivalent to r 0 = ξ ξ. Optimizing with respect to ξ leads to ξ , r , c time.465 and c space Calling the algorithm n times ensures that it succeeds with probability exponentially close to 1. 4 Open Problems In [16] the authors drew a list of important open problems about ListSieve, in particular on the necessity of perturbing the initial lattice vectors. These carry over to ListSieve-Birthday. Another question that is specific to the latter is whether it is necessary to divide it into two steps to ensure that the vectors of the second list are iid. At first sight, it seems to be an artefact of the proof, but we did not manage to avoid it. Acknowledgments This work is part of the Australian Research Council Discovery Project DP Integral lattices and their theta series. We thank D. Micciancio and P. Voulgaris for helpful discussions. References 1. M. Ajtai. The shortest vector problem in l is NP-hard for randomized reductions extended abstract). In Proceedings of the 30th Symposium on the Theory of Computing STOC 1998), pages ACM Press, M. Ajtai and C. Dwork. A public-key cryptosystem with worst-case/average-case equivalence. In Proceedings of the 9th Symposium on the Theory of Computing STOC 1997), pages ACM Press,
6 3. M. Ajtai, R. Kumar, and D. Sivakumar. A sieve algorithm for the shortest lattice vector problem. In Proceedings of the 33rd Symposium on the Theory of Computing STOC 001), pages ACM Press, H. Cohen. A Course in Computational Algebraic Number Theory, nd edition. Springer-Verlag, F. Eisenbrand. 50 Years of Integer Programming , From the Early Years to the State-of-the-Art, chapter Integer Programming and Algorithmic Geometry of Numbers. Springer-Verlag, U. Fincke and M. Pohst. A procedure for determining algebraic integers of given norm. In Proceedings of EUROCAL, volume 16 of Lecture Notes in Computer Science, pages Springer-Verlag, N. Gama and P. Q. Nguyen. Finding short lattice vectors within Mordell s inequality. In Proceedings of the 40th Symposium on the Theory of Computing STOC 008). ACM, C. Gentry, C. Peikert, and V. Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. In Proceedings of the 40th Symposium on the Theory of Computing STOC 008), pages ACM Press, G. Hanrot and D. Stehlé. Improved analysis of Kannan s shortest lattice vector algorithm. In Proceedings of Crypto 007, volume 46 of Lecture Notes in Computer Science, pages Springer-Verlag, I. Haviv and O. Regev. Tensor-based hardness of the shortest vector problem to within almost polynomial factors. In Proceedings of the 39th Symposium on the Theory of Computing STOC 007, pages ACM, G. A. Kabatiansky and V. I. Levenshtein. Bounds for packings on a sphere and in space. Problemy Peredachi Informatsii, 141):3 5, Available in English in Problems of Information Transmission 141): R. Kannan. Improved algorithms for integer programming and related lattice problems. In Proceedings of the 15th Symposium on the Theory of Computing STOC 1983), pages ACM Press, S. Khot. Hardness of approximating the shortest vector problem in lattices. Journal of the ACM, 55): , V. Lyubashevsky and D. Micciancio. On bounded distance decoding, unique shortest vectors, and the minimum distance problem. In Proceedings of Crypto 009, pages , D. Micciancio and O. Regev. Post-Quantum Cryptography, chapter Lattice-based Cryptography. Springer-Verlag, D. Micciancio and P. Voulgaris. Faster exponential time algorithms for the shortest vector problem, 010. To appear in the proceedings of SODA 10, preliminary versions available at the URLs report/009/065 and P. Nguyen and T. Vidick. Sieve algorithms for the shortest vector problem are practical. Journal of Mathematical Cryptology, ), O. Regev. Lattices in computer science, 004. Lecture notes of a course given at the Tel Aviv University. Available at the URL O. Regev. On lattices, learning with errors, random linear codes, and cryptography. In Proceedings of the 37th Symposium on the Theory of Computing STOC 005), pages ACM Press, C. P. Schnorr. A hierarchy of polynomial lattice basis reduction algorithms. Theor. Comput. Sci, 53:01 4, C. P. Schnorr and M. Euchner. Lattice basis reduction: improved practical algorithms and solving subset sum problems. Mathematics of Programming, 66: , Known proofs Proof of Lemma 3. Let α = 1+ 1 n. The ball B λ n ) contains exactly one lattice point. We cover Bn r 0 µ) \B λ n with coronas T r = B n αr) \B n r) for r = λ, λ α,..., λ αk, with k = nlog r 0 ) = On). It suffices to prove that any corona T r contains at most cbn+on) lattice points. Let u and v be two distinct lattice vectors in T r B n r 0 µ). We have u v,u v λ, so u,v u + v λ ). This implies that: 1 cos φ u,v = u,v u v 1 u v + v u λ ) u v n λ r µ n n ) r0 1 1 n r0. 1 For any ε 0, ) and sufficiently large n we can apply Theorem with φ r0 0 = cos ε r0 ) ) 60. 6
7 Proof of Lemma 4. First, we bound the norm of any vector of T. NewPair returns t,t ) such that t PB) and t t ξµ. We have assumed that max i b i = On) λ. Hence t nmax i b i On) µ. After applying Reduction, the norm of t does not increase and t t is unchanged, so, for any t i T, we have r 0 µ t i On) + ξ)µ. It now suffices to prove that any T r = {t i T rµ t i 1 + n) 1 rµ} for r r 0 contains at most ctn+on) points. Indeed, the list T is contained in a union of On ) sets T r. Let i < j such that t i,t j T r. The idea of the proof is that for large n, the angle between t j and t i is not far from being above π 3 because t i was already in T when t j was reduced. We use the inequality t j t j ξµ to obtain a lower bound for φ t i,t j and then apply Theorem. Note that t j t j + ξµ 3rµ. Since t j was added after t i, we have: t j t i > t j t i,t j t i > t j,t i < ) t n j 1 1 ) t n j,t j [ t i + n ] t j 1 ) t n j,t j Moreover, we have t j t j,t i ξµ t i. We can now bound cosφ t i,t j ). 1 t i + 1 n 3rµ). t j,t i = t j,t i + t j t j,t i 1 t i + 1 n 3rµ) + ξµ t i The bound on T r follows directly from Theorem. cosφ ti,t j ) = t j,t i t i t j 1 t i t j + 1 n 3rµ) t i t j + ξµ t j ) + 9 n n + ξ r 1 + ξ ) 1 + O. r 0 n Proof of Lemma 5. The set B n 0,µξ) B n s,µξ) is the union of two identical n-sphere caps of height µξ λ µ ξ ) 1. Let C be one of these. It contains a cone of height h = µ ξ 1 ) whose basis is an n 1)-sphere of radius r = µ ξ 1 4. Moreover B nr) is included in a cylinder of basis B n 1 r) and height r so we have Vol B n r) r Vol B n 1 r). Then VolC Vol B n ξµ) h n Vol B n 1r) Vol B n ξµ) h rn Vol B n r) Vol B n ξµ) ξ 1 n ξ ) n/ 4ξ. 7
A Fast Phase-Based Enumeration Algorithm for SVP Challenge through y-sparse Representations of Short Lattice Vectors
A Fast Phase-Based Enumeration Algorithm for SVP Challenge through y-sparse Representations of Short Lattice Vectors Dan Ding 1, Guizhen Zhu 2, Yang Yu 1, Zhongxiang Zheng 1 1 Department of Computer Science
More informationImproved Nguyen-Vidick Heuristic Sieve Algorithm for Shortest Vector Problem
Improved Nguyen-Vidick Heuristic Sieve Algorithm for Shortest Vector Problem Xiaoyun Wang,, Mingjie Liu, Chengliang Tian and Jingguo Bi Institute for Advanced Study, Tsinghua University, Beijing 84, China
More informationShortest Vector Problem (1982; Lenstra, Lenstra, Lovasz)
Shortest Vector Problem (1982; Lenstra, Lenstra, Lovasz) Daniele Micciancio, University of California at San Diego, www.cs.ucsd.edu/ daniele entry editor: Sanjeev Khanna INDEX TERMS: Point lattices. Algorithmic
More informationLattice Reduction Algorithms: Theory and Practice
Lattice Reduction Algorithms: Theory and Practice Phong Q. Nguyen INRIA and ENS, Département d informatique, 45 rue d Ulm, 75005 Paris, France http://www.di.ens.fr/~pnguyen/ Abstract. Lattice reduction
More informationAnalyzing Blockwise Lattice Algorithms using Dynamical Systems
Analyzing Blockwise Lattice Algorithms using Dynamical Systems Guillaume Hanrot, Xavier Pujol, Damien Stehlé ENS Lyon, LIP (CNRS ENSL INRIA UCBL - ULyon) Analyzing Blockwise Lattice Algorithms using Dynamical
More informationPractical Analysis of Key Recovery Attack against Search-LWE Problem
Practical Analysis of Key Recovery Attack against Search-LWE Problem The 11 th International Workshop on Security, Sep. 13 th 2016 Momonari Kudo, Junpei Yamaguchi, Yang Guo and Masaya Yasuda 1 Graduate
More informationDimension-Preserving Reductions Between Lattice Problems
Dimension-Preserving Reductions Between Lattice Problems Noah Stephens-Davidowitz Courant Institute of Mathematical Sciences, New York University. noahsd@cs.nyu.edu Last updated September 6, 2016. Abstract
More informationCS Topics in Cryptography January 28, Lecture 5
CS 4501-6501 Topics in Cryptography January 28, 2015 Lecture 5 Lecturer: Mohammad Mahmoody Scribe: Ameer Mohammed 1 Learning with Errors: Motivation An important goal in cryptography is to find problems
More informationFinding shortest lattice vectors faster using quantum search
Des. Codes Cryptogr. (2015) 77:375 400 DOI 10.1007/s10623-015-0067-5 Finding shortest lattice vectors faster using quantum search Thijs Laarhoven 1 Michele Mosca 2,3,4 Joop van de Pol 5 Received: 15 October
More informationFinding shortest lattice vectors faster using quantum search
Finding shortest lattice vectors faster using quantum search Thijs Laarhoven Michele Mosca Joop van de Pol Abstract By applying a quantum search algorithm to various heuristic and provable sieve algorithms
More informationarxiv: v1 [cs.cr] 25 Jan 2013
Solving the Shortest Vector Problem in Lattices Faster Using Quantum Search Thijs Laarhoven 1, Michele Mosca 2, and Joop van de Pol 3 arxiv:1301.6176v1 [cs.cr] 25 Jan 2013 1 Dept. of Mathematics and Computer
More informationTuple Lattice Sieving
Tuple Lattice Sieving Shi Bai, Thijs Laarhoven and Damien Stehlé IBM Research Zurich and ENS de Lyon August 29th 2016 S. Bai, T. Laarhoven & D. Stehlé Tuple Lattice Sieving 29/08/2016 1/25 Main result
More informationSome Sieving Algorithms for Lattice Problems
Foundations of Software Technology and Theoretical Computer Science (Bangalore) 2008. Editors: R. Hariharan, M. Mukund, V. Vinay; pp - Some Sieving Algorithms for Lattice Problems V. Arvind and Pushkar
More informationFaster Fully Homomorphic Encryption
Faster Fully Homomorphic Encryption Damien Stehlé Joint work with Ron Steinfeld CNRS ENS de Lyon / Macquarie University Singapore, December 2010 Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010
More informationLattice-Based Cryptography: Mathematical and Computational Background. Chris Peikert Georgia Institute of Technology.
Lattice-Based Cryptography: Mathematical and Computational Background Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 18 Lattice-Based Cryptography y = g x mod p m e mod N e(g a, g b
More informationOn Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem
On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem Vadim Lyubashevsky 1 and Daniele Micciancio 2 1 School of Computer Science, Tel Aviv University Tel Aviv 69978, Israel.
More informationUpper Bound on λ 1. Science, Guangzhou University, Guangzhou, China 2 Zhengzhou University of Light Industry, Zhengzhou, China
Λ A Huiwen Jia 1, Chunming Tang 1, Yanhua Zhang 2 hwjia@gzhu.edu.cn, ctang@gzhu.edu.cn, and yhzhang@zzuli.edu.cn 1 Key Laboratory of Information Security, School of Mathematics and Information Science,
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé Adeline Langlois Classical Hardness of LWE 1/ 13 Our
More informationCOS 598D - Lattices. scribe: Srdjan Krstic
COS 598D - Lattices scribe: Srdjan Krstic Introduction In the first part we will give a brief introduction to lattices and their relevance in some topics in computer science. Then we show some specific
More informationImproved Analysis of Kannan s Shortest Lattice Vector Algorithm
mproved Analysis of Kannan s Shortest Lattice Vector Algorithm Abstract The security of lattice-based cryptosystems such as NTRU GGH and Ajtai-Dwork essentially relies upon the intractability of computing
More informationImproved Analysis of Kannan s Shortest Lattice Vector Algorithm (Extended Abstract)
Improved Analysis of Kannan s Shortest Lattice Vector Algorithm (Extended Abstract) Guillaume Hanrot 1 and Damien Stehlé 2 1 LORIA/INRIA Lorraine, Technopôle de Nancy-Brabois, 615 rue du jardin botanique,
More informationCSE 206A: Lattice Algorithms and Applications Spring Basis Reduction. Instructor: Daniele Micciancio
CSE 206A: Lattice Algorithms and Applications Spring 2014 Basis Reduction Instructor: Daniele Micciancio UCSD CSE No efficient algorithm is known to find the shortest vector in a lattice (in arbitrary
More informationDwork 97/07, Regev Lyubashvsky-Micciancio. Micciancio 09. PKE from worst-case. usvp. Relations between worst-case usvp,, BDD, GapSVP
The unique-svp World 1. Ajtai-Dwork Dwork 97/07, Regev 03 PKE from worst-case usvp 2. Lyubashvsky-Micciancio Micciancio 09 Shai Halevi, IBM, July 2009 Relations between worst-case usvp,, BDD, GapSVP Many
More informationHardness of the Covering Radius Problem on Lattices
Hardness of the Covering Radius Problem on Lattices Ishay Haviv Oded Regev June 6, 2006 Abstract We provide the first hardness result for the Covering Radius Problem on lattices (CRP). Namely, we show
More informationNotes for Lecture 16
COS 533: Advanced Cryptography Lecture 16 (11/13/2017) Lecturer: Mark Zhandry Princeton University Scribe: Boriana Gjura Notes for Lecture 16 1 Lattices (continued) 1.1 Last time. We defined lattices as
More informationSolving Closest Vector Instances Using an Approximate Shortest Independent Vectors Oracle
Tian CL, Wei W, Lin DD. Solving closest vector instances using an approximate shortest independent vectors oracle. JOURNAL OF COMPUTER SCIENCE AND TECHNOLOGY 306): 1370 1377 Nov. 015. DOI 10.1007/s11390-015-
More informationFrom the Shortest Vector Problem to the Dihedral Hidden Subgroup Problem
From the Shortest Vector Problem to the Dihedral Hidden Subgroup Problem Curtis Bright December 9, 011 Abstract In Quantum Computation and Lattice Problems [11] Oded Regev presented the first known connection
More information1: Introduction to Lattices
CSE 206A: Lattice Algorithms and Applications Winter 2012 Instructor: Daniele Micciancio 1: Introduction to Lattices UCSD CSE Lattices are regular arrangements of points in Euclidean space. The simplest
More informationBackground: Lattices and the Learning-with-Errors problem
Background: Lattices and the Learning-with-Errors problem China Summer School on Lattices and Cryptography, June 2014 Starting Point: Linear Equations Easy to solve a linear system of equations A s = b
More informationLattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors
1 / 15 Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors Chris Peikert 1 Alon Rosen 2 1 SRI International 2 Harvard SEAS IDC Herzliya STOC 2007 2 / 15 Worst-case versus average-case
More informationLower bounds of shortest vector lengths in random knapsack lattices and random NTRU lattices
Lower bounds of shortest vector lengths in random knapsack lattices and random NTRU lattices Jingguo Bi 1 and Qi Cheng 2 1 Lab of Cryptographic Technology and Information Security School of Mathematics
More informationLattice Reduction for Modular Knapsack
Lattice Reduction for Modular Knapsack Thomas Plantard, Willy Susilo, and Zhenfei Zhang Centre for Computer and Information Security Research School of Computer Science & Software Engineering (SCSSE) University
More informationOn Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem
On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem Vadim Lyubashevsky and Daniele Micciancio May 9, 009 Abstract We prove the equivalence, up to a small polynomial
More informationEnumeration. Phong Nguyễn
Enumeration Phong Nguyễn http://www.di.ens.fr/~pnguyen March 2017 References Joint work with: Yoshinori Aono, published at EUROCRYPT 2017: «Random Sampling Revisited: Lattice Enumeration with Discrete
More informationTuple Lattice Sieving
Tuple Lattice Sieving Shi Bai 1, Thijs Laarhoven 2, and Damien Stehlé 1 1 ENS de Lyon, Laboratoire LIP, U. Lyon, CNRS, ENSL, INRIA, UCBL, Lyon, France shi.bai@ens-lyon.fr, damien.stehle@ens-lyon.fr 2 IBM
More informationOn Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem
On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem Vadim Lyubashevsky Daniele Micciancio To appear at Crypto 2009 Lattices Lattice: A discrete subgroup of R n Group
More informationNew Lattice Based Cryptographic Constructions
New Lattice Based Cryptographic Constructions Oded Regev August 7, 2004 Abstract We introduce the use of Fourier analysis on lattices as an integral part of a lattice based construction. The tools we develop
More informationA Digital Signature Scheme based on CVP
A Digital Signature Scheme based on CVP Thomas Plantard Willy Susilo Khin Than Win Centre for Computer and Information Security Research Universiy Of Wollongong http://www.uow.edu.au/ thomaspl thomaspl@uow.edu.au
More informationSolving All Lattice Problems in Deterministic Single Exponential Time
Solving All Lattice Problems in Deterministic Single Exponential Time (Joint work with P. Voulgaris, STOC 2010) UCSD March 22, 2011 Lattices Traditional area of mathematics Bridge between number theory
More informationCSC 2414 Lattices in Computer Science October 11, Lecture 5
CSC 244 Lattices in Computer Science October, 2 Lecture 5 Lecturer: Vinod Vaikuntanathan Scribe: Joel Oren In the last class, we studied methods for (approximately) solving the following two problems:
More informationSolving shortest and closest vector problems: The decomposition approach
Solving shortest and closest vector problems: The decomposition approach Anja Becker 1, Nicolas Gama 2, and Antoine Joux 3 1 EPFL, École Polytechnique Fédérale de Lausanne, Switzerland 2 UVSQ, Université
More informationCSE 206A: Lattice Algorithms and Applications Spring Minkowski s theorem. Instructor: Daniele Micciancio
CSE 206A: Lattice Algorithms and Applications Spring 2014 Minkowski s theorem Instructor: Daniele Micciancio UCSD CSE There are many important quantities associated to a lattice. Some of them, like the
More informationLattice reduction for modular knapsack
University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2013 Lattice reduction for modular knapsack Thomas
More informationDensity of Ideal Lattices
Density of Ideal Lattices - Preliminary Draft - Johannes Buchmann and Richard Lindner Technische Universität Darmstadt, Department of Computer Science Hochschulstraße 10, 64289 Darmstadt, Germany buchmann,rlindner@cdc.informatik.tu-darmstadt.de
More informationBKZ 2.0: Better Lattice Security Estimates
BKZ 2.0: Better Lattice Security Estimates Yuanmi Chen and Phong Q. Nguyen 1 ENS, Dept. Informatique, 45 rue d Ulm, 75005 Paris, France. http://www.eleves.ens.fr/home/ychen/ 2 INRIA and ENS, Dept. Informatique,
More informationSieving for Shortest Vectors in Ideal Lattices
Sieving for Shortest Vectors in Ideal Lattices Michael Schneider Technische Universität Darmstadt, Germany mischnei@cdc.informatik.tu-darmstadt.de Abstract. Lattice based cryptography is gaining more and
More informationDeterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring
Deterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring Jean-Sébastien Coron and Alexander May Gemplus Card International 34 rue Guynemer, 92447 Issy-les-Moulineaux, France
More informationSolving LWE with BKW
Martin R. Albrecht 1 Jean-Charles Faugére 2,3 1,4 Ludovic Perret 2,3 ISG, Royal Holloway, University of London INRIA CNRS IIS, Academia Sinica, Taipei, Taiwan PKC 2014, Buenos Aires, Argentina, 28th March
More informationOn Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem. Vadim Lyubashevsky Daniele Micciancio
On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem Vadim Lyubashevsky Daniele Micciancio Lattices Lattice: A discrete additive subgroup of R n Lattices Basis: A set
More informationLattice-based Cryptography
Lattice-based Cryptography Oded Regev Tel Aviv University, Israel Abstract. We describe some of the recent progress on lattice-based cryptography, starting from the seminal work of Ajtai, and ending with
More informationA Linearithmic Time Algorithm for a Shortest Vector Problem in Compute-and-Forward Design
A Linearithmic Time Algorithm for a Shortest Vector Problem in Compute-and-Forward Design Jing Wen and Xiao-Wen Chang ENS de Lyon, LIP, CNRS, ENS de Lyon, Inria, UCBL), Lyon 69007, France, Email: jwen@math.mcll.ca
More informationSolving BDD by Enumeration: An Update
Solving BDD by Enumeration: An Update Mingjie Liu, Phong Q. Nguyen To cite this version: Mingjie Liu, Phong Q. Nguyen. Solving BDD by Enumeration: An Update. Ed Dawson. CT-RSA 2013 - The Cryptographers
More informationCreating a Challenge for Ideal Lattices
Creating a Challenge for Ideal Lattices Thomas Plantard 1 and Michael Schneider 2 1 University of Wollongong, Australia thomaspl@uow.edu.au 2 Technische Universität Darmstadt, Germany mischnei@cdc.informatik.tu-darmstadt.de
More informationPredicting Lattice Reduction
Predicting Lattice Reduction Nicolas Gama and Phong Q. Nguyen École normale supérieure/cnrs/inria, 45 rue d Ulm, 75005 Paris, France nicolas.gama@ens.fr http://www.di.ens.fr/~pnguyen Abstract. Despite
More informationAn Efficient Lattice-based Secret Sharing Construction
An Efficient Lattice-based Secret Sharing Construction Rachid El Bansarkhani 1 and Mohammed Meziani 2 1 Technische Universität Darmstadt Fachbereich Informatik Kryptographie und Computeralgebra, Hochschulstraße
More informationClassical hardness of the Learning with Errors problem
Classical hardness of the Learning with Errors problem Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé August 12, 2013 Adeline Langlois Hardness
More informationHard Instances of Lattice Problems
Hard Instances of Lattice Problems Average Case - Worst Case Connections Christos Litsas 28 June 2012 Outline Abstract Lattices The Random Class Worst-Case - Average-Case Connection Abstract Christos Litsas
More informationand the polynomial-time Turing p reduction from approximate CVP to SVP given in [10], the present authors obtained a n=2-approximation algorithm that
Sampling short lattice vectors and the closest lattice vector problem Miklos Ajtai Ravi Kumar D. Sivakumar IBM Almaden Research Center 650 Harry Road, San Jose, CA 95120. fajtai, ravi, sivag@almaden.ibm.com
More informationIdeal Lattices and NTRU
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin April 23-30, 2013 Ideal Lattices and NTRU Scribe: Kina Winoto 1 Algebraic Background (Reminders) Definition 1. A commutative
More informationPredicting Lattice Reduction
Predicting Lattice Reduction Nicolas Gama and Phong Q. Nguyen École normale supérieure/cnrs/inria, 45 rue d Ulm, 75005 Paris, France nicolas.gama@ens.fr http://www.di.ens.fr/~pnguyen Abstract. Despite
More informationOrthogonalized Lattice Enumeration for Solving SVP
Orthogonalized Lattice Enumeration for Solving SVP Zhongxiang Zheng 1, Xiaoyun Wang 2, Guangwu Xu 3, Yang Yu 1 1 Department of Computer Science and Technology,Tsinghua University, Beijing 100084, China,
More informationLattice Reduction of Modular, Convolution, and NTRU Lattices
Summer School on Computational Number Theory and Applications to Cryptography Laramie, Wyoming, June 19 July 7, 2006 Lattice Reduction of Modular, Convolution, and NTRU Lattices Project suggested by Joe
More information1 Shortest Vector Problem
Lattices in Cryptography University of Michigan, Fall 25 Lecture 2 SVP, Gram-Schmidt, LLL Instructor: Chris Peikert Scribe: Hank Carter Shortest Vector Problem Last time we defined the minimum distance
More informationSpeeding-up lattice sieving without increasing the memory, using sub-quadratic nearest neighbor search
Speeding-up lattice sieving without increasing the memory, using sub-quadratic nearest neighbor search Anja Becker 1, Nicolas Gama, and Antoine Joux 3,4 1 EPFL, Lausanne, Switzerland UVSQ, Versailles,
More informationThe Shortest Vector Problem (Lattice Reduction Algorithms)
The Shortest Vector Problem (Lattice Reduction Algorithms) Approximation Algorithms by V. Vazirani, Chapter 27 - Problem statement, general discussion - Lattices: brief introduction - The Gauss algorithm
More informationLattice-Based Cryptography
Liljana Babinkostova Department of Mathematics Computing Colloquium Series Detecting Sensor-hijack Attacks in Wearable Medical Systems Krishna Venkatasubramanian Worcester Polytechnic Institute Quantum
More informationWeaknesses in Ring-LWE
Weaknesses in Ring-LWE joint with (Yara Elias, Kristin E. Lauter, and Ekin Ozman) and (Hao Chen and Kristin E. Lauter) ECC, September 29th, 2015 Lattice-Based Cryptography Post-quantum cryptography Ajtai-Dwork:
More informationProving Hardness of LWE
Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 22/2/2012 Proving Hardness of LWE Bar-Ilan University Dept. of Computer Science (based on [R05, J. of the ACM])
More informationA Note on the Density of the Multiple Subset Sum Problems
A Note on the Density of the Multiple Subset Sum Problems Yanbin Pan and Feng Zhang Key Laboratory of Mathematics Mechanization, Academy of Mathematics and Systems Science, Chinese Academy of Sciences,
More informationShort Stickelberger Class Relations and application to Ideal-SVP
Short Stickelberger Class Relations and application to Ideal-SVP Ronald Cramer Léo Ducas Benjamin Wesolowski Leiden University, The Netherlands CWI, Amsterdam, The Netherlands EPFL, Lausanne, Switzerland
More informationTensor-based Hardness of the Shortest Vector Problem to within Almost Polynomial Factors
Tensor-based Hardness of the Shortest Vector Problem to within Almost Polynomial Factors Ishay Haviv Oded Regev March 2, 2007 Abstract We show that unless NP RTIME(2 poly(log n) ), for any ε > 0 there
More informationLattices Part II Dual Lattices, Fourier Transform, Smoothing Parameter, Public Key Encryption
Lattices Part II Dual Lattices, Fourier Transform, Smoothing Parameter, Public Key Encryption Boaz Barak May 12, 2008 The first two sections are based on Oded Regev s lecture notes, and the third one on
More informationNew Cryptosystem Using The CRT And The Jordan Normal Form
New Cryptosystem Using The CRT And The Jordan Normal Form Hemlata Nagesh 1 and Birendra Kumar Sharma 2 School of Studies in Mathematics,Pt.Ravishankar Shukla University Raipur(C.G.). E-mail:5Hemlata5@gmail.com
More informationNotes for Lecture 15
COS 533: Advanced Cryptography Lecture 15 (November 8, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Kevin Liu Notes for Lecture 15 1 Lattices A lattice looks something like the following.
More informationCOMPLEXITY OF LATTICE PROBLEMS A Cryptographic Perspective
COMPLEXITY OF LATTICE PROBLEMS A Cryptographic Perspective THE KLUWER INTERNATIONAL SERIES IN ENGINEERING AND COMPUTER SCIENCE COMPLEXITY OF LATTICE PROBLEMS A Cryptographic Perspective Daniele Micciancio
More informationInteger Factorization using lattices
Integer Factorization using lattices Antonio Vera INRIA Nancy/CARAMEL team/anr CADO/ANR LAREDA Workshop Lattice Algorithmics - CIRM - February 2010 Plan Introduction Plan Introduction Outline of the algorithm
More informationOn the smallest ratio problem of lattice bases
On the smallest ratio problem of lattice bases Jianwei Li KLMM, Academy of Mathematics and Systems Science, The Chinese Academy of Sciences, Beijing 0090, China lijianwei05@amss.ac.cn Abstract Let (b,...,
More informationA Deterministic Single Exponential Time Algorithm for Most Lattice Problems based on Voronoi Cell Computations
Electronic Colloquium on Computational Complexity, Revision 1 of Report No. 14 (2010) A Deterministic Single Exponential Time Algorithm for Most Lattice Problems based on Voronoi Cell Computations Daniele
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Zvika Brakerski 1 Adeline Langlois 2 Chris Peikert 3 Oded Regev 4 Damien Stehlé 2 1 Stanford University 2 ENS de Lyon 3 Georgia Tech 4 New York University Our
More informationAnalyzing Blockwise Lattice Algorithms Using Dynamical Systems
Analyzing Blockwise Lattice Algorithms Using Dynamical Systems Guillaume Hanrot 1,XavierPujol 1, and Damien Stehlé 2 1 ÉNSLyon,LaboratoireLIP(ULyon,CNRS,ENSLyon,INRIA,UCBL), 46 Allée d Italie, 69364 Lyon
More informationCentrum Wiskunde & Informatica, Amsterdam, The Netherlands
Logarithmic Lattices Léo Ducas Centrum Wiskunde & Informatica, Amsterdam, The Netherlands Workshop: Computational Challenges in the Theory of Lattices ICERM, Brown University, Providence, RI, USA, April
More informationCryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000
Cryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000 Amr Youssef 1 and Guang Gong 2 1 Center for Applied Cryptographic Research Department of Combinatorics & Optimization 2 Department of Electrical
More informationA Note on Discrete Gaussian Combinations of Lattice Vectors
CHICAGO JOURNAL OF THEORETICAL COMPUTER SCIENCE 2016, Article 07, pages 1 11 http://cjtcs.cs.uchicago.edu/ A Note on Discrete Gaussian Combinations of Lattice Vectors Divesh Aggarwal Oded Regev * Received
More informationLattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors
Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors Chris Peikert Alon Rosen November 26, 2006 Abstract We demonstrate an average-case problem which is as hard as finding γ(n)-approximate
More informationTime-Memory Trade-Off for Lattice Enumeration in a Ball
Time-Memory Trade-Off for Lattice Enumeration in a Ball Paul Kirchner 1 and Pierre-Alain Fouque 2 1 École normale superieure, France, Paul.Kirchner@ens.fr 2 Universite Rennes 1 and Institut Universitaire
More informationLattice Cryptography
CSE 206A: Lattice Algorithms and Applications Winter 2016 Lattice Cryptography Instructor: Daniele Micciancio UCSD CSE Lattice cryptography studies the construction of cryptographic functions whose security
More informationShort generators without quantum computers: the case of multiquadratics
Short generators without quantum computers: the case of multiquadratics Daniel J. Bernstein & Christine van Vredendaal University of Illinois at Chicago Technische Universiteit Eindhoven 19 January 2017
More informationShort generators without quantum computers: the case of multiquadratics
Short generators without quantum computers: the case of multiquadratics Daniel J. Bernstein University of Illinois at Chicago 31 July 2017 https://multiquad.cr.yp.to Joint work with: Jens Bauch & Henry
More informationarxiv: v1 [cs.ds] 2 Nov 2013
On the Lattice Isomorphism Problem Ishay Haviv Oded Regev arxiv:1311.0366v1 [cs.ds] 2 Nov 2013 Abstract We study the Lattice Isomorphism Problem (LIP), in which given two lattices L 1 and L 2 the goal
More informationLimits on the Hardness of Lattice Problems in l p Norms
Electronic Colloquium on Computational Complexity, Report No. 148 (2006) Limits on the Hardness of Lattice Problems in l p Norms Chris Peikert December 3, 2006 Abstract We show that for any p 2, lattice
More informationHOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51
HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY Abderrahmane Nitaj Laboratoire de Mathe matiques Nicolas Oresme Universite de Caen Normandie, France Nouakchott, February 15-26, 2016 Abderrahmane
More informationBALANCED INTEGER SOLUTIONS OF LINEAR EQUATIONS
BALANCED INTEGER SOLUTIONS OF LINEAR EQUATIONS KONSTANTINOS A. DRAZIOTIS Abstract. We use lattice based methods in order to get an integer solution of the linear equation a x + +a nx n = a 0, which satisfies
More informationLocally Dense Codes. Daniele Micciancio. August 26, 2013
Electronic Colloquium on Computational Complexity, Report No. 115 (2013) Locally Dense Codes Daniele Micciancio August 26, 2013 Abstract The Minimum Distance Problem (MDP), i.e., the computational task
More informationOpen problems in lattice-based cryptography
University of Auckland, New Zealand Plan Goal: Highlight some hot topics in cryptography, and good targets for mathematical cryptanalysis. Approximate GCD Homomorphic encryption NTRU and Ring-LWE Multi-linear
More informationLecture 6: Lattice Trapdoor Constructions
Homomorphic Encryption and Lattices, Spring 0 Instructor: Shai Halevi Lecture 6: Lattice Trapdoor Constructions April 7, 0 Scribe: Nir Bitansky This lecture is based on the trapdoor constructions due to
More informationSolving the Closest Vector Problem in 2 n Time The Discrete Gaussian Strikes Again!
Solving the Closest Vector Problem in n Time The Discrete Gaussian Strikes Again! Divesh Aggarwal Divesh.Aggarwal@epfl.ch Daniel Dadush dadush@cwi.nl Noah Stephens-Davidowitz noahsd@cs.nyu.edu Abstract
More informationQUANTUM COMPUTATION AND LATTICE PROBLEMS
QUATUM COMPUTATIO AD LATTICE PROBLEMS ODED REGEV Abstract. We present the first explicit connection between quantum computation and lattice problems. amely, our main result is a solution to the Unique
More informationNew Practical Algorithms for the Approximate Shortest Lattice Vector
New Practical Algorithms for the Approximate Shortest Lattice Vector Claus Peter Schnorr Fachbereiche Mathemati/Informati, Universität Franfurt, PSF 493, D-60054 Franfurt am Main, Germany. schnorr@cs.uni-franfurt.de
More informationCSE 206A: Lattice Algorithms and Applications Spring Basic Algorithms. Instructor: Daniele Micciancio
CSE 206A: Lattice Algorithms and Applications Spring 2014 Basic Algorithms Instructor: Daniele Micciancio UCSD CSE We have already seen an algorithm to compute the Gram-Schmidt orthogonalization of a lattice
More informationLooking back at lattice-based cryptanalysis
September 2009 Lattices A lattice is a discrete subgroup of R n Equivalently, set of integral linear combinations: α 1 b1 + + α n bm with m n Lattice reduction Lattice reduction looks for a good basis
More information