Results 1 
7 of
7
The Two Faces of Lattices in Cryptology
, 2001
"... Lattices are regular arrangements of points in ndimensional space, whose study appeared in the 19th century in both number theory and crystallography. Since the appearance of the celebrated LenstraLenstra Lov'asz lattice basis reduction algorithm twenty years ago, lattices have had surprising ..."
Abstract

Cited by 69 (16 self)
 Add to MetaCart
Lattices are regular arrangements of points in ndimensional space, whose study appeared in the 19th century in both number theory and crystallography. Since the appearance of the celebrated LenstraLenstra Lov'asz lattice basis reduction algorithm twenty years ago, lattices have had surprising applications in cryptology. Until recently, the applications of lattices to cryptology were only negative, as lattices were used to break various cryptographic schemes. Paradoxically, several positive cryptographic applications of lattices have emerged in the past five years: there now exist publickey cryptosystems based on the hardness of lattice problems, and lattices play a crucial role in a few security proofs.
Lattice Reduction in Cryptology: An Update
 Lect. Notes in Comp. Sci
, 2000
"... Lattices are regular arrangements of points in space, whose study appeared in the 19th century in both number theory and crystallography. ..."
Abstract

Cited by 36 (7 self)
 Add to MetaCart
Lattices are regular arrangements of points in space, whose study appeared in the 19th century in both number theory and crystallography.
Exposing an RSA Private Key Given a Small Fraction of its Bits
, 1998
"... We show that for low public exponent RSA, given a quarter of the bits of the private key an adversary can recover the entire private key. Similar results (though not as strong) are obtained for larger values of e. For instance, when e is a prime in the range [N^(1/4), N^(1/2)], half the bits of the ..."
Abstract

Cited by 22 (0 self)
 Add to MetaCart
We show that for low public exponent RSA, given a quarter of the bits of the private key an adversary can recover the entire private key. Similar results (though not as strong) are obtained for larger values of e. For instance, when e is a prime in the range [N^(1/4), N^(1/2)], half the bits of the private key suffice to reconstruct the entire private key. Our results point out the danger of partial key exposure in the rsa public key system.
Parallel Shortest Lattice Vector Enumeration on Graphics Cards
, 2010
"... In this paper we present an algorithm for parallel exhaustive search for short vectors in lattices. This algorithm can be applied to a wide range of parallel computing systems. To illustrate the algorithm, it was implemented on graphics cards using CUDA, a programming framework for NVIDIA graphics ..."
Abstract

Cited by 6 (2 self)
 Add to MetaCart
In this paper we present an algorithm for parallel exhaustive search for short vectors in lattices. This algorithm can be applied to a wide range of parallel computing systems. To illustrate the algorithm, it was implemented on graphics cards using CUDA, a programming framework for NVIDIA graphics cards. We gain large speedups compared to previous serial CPU implementations. Our implementation is almost 5 times faster in high lattice dimensions. Exhaustive search is one of the main building blocks for lattice basis reduction in cryptanalysis. Our work results in an advance in practical lattice reduction.
The Geometry of Numbers in Cryptology
, 1999
"... Introduction A lattice is a discrete subgroup of the ndimensional space R n . The history of finding short vectors in lattices goes back to the works of Gauss and Dirichlet. With the fundamental results of Minkowski about a hundred years ago, the theory of lattices became a separate branch of nu ..."
Abstract
 Add to MetaCart
Introduction A lattice is a discrete subgroup of the ndimensional space R n . The history of finding short vectors in lattices goes back to the works of Gauss and Dirichlet. With the fundamental results of Minkowski about a hundred years ago, the theory of lattices became a separate branch of number theory, under the name geometry of numbers. From an algorithmic point of view, the subject had a revival around 1980, when Lenstra, Lenstra and Lov'asz found a polynomialtime algorithm (LLL) that computes a socalled reduced basis of a lattice. Further refinements of the LLL algorithm were later proposed by Schnorr. Lattice reduction algorithms have found numerous applications, such as in number theory and cryptology. In particular, it has proved invaluable in publickey cryptanalysis, most notably against knapsackbased cryptosystems. After being confined to a cryptanalyst tool, geometry of numbers recently aroused the interest of cryptog
Shortest Lattice Vector Enumeration on Graphics Cards ⋆
"... Abstract. In this paper we make a first feasibility analysis for implementing lattice reduction algorithms on GPU using CUDA, a programming framework for NVIDIA graphics cards. The enumeration phase of the BKZ lattice reduction algorithm is chosen as a good candidate for massive parallelization on G ..."
Abstract
 Add to MetaCart
Abstract. In this paper we make a first feasibility analysis for implementing lattice reduction algorithms on GPU using CUDA, a programming framework for NVIDIA graphics cards. The enumeration phase of the BKZ lattice reduction algorithm is chosen as a good candidate for massive parallelization on GPU. Given the nature of the problem we gain large speedups compared to previous CPU implementations. Our implementation saves more than 50 % of the time in high lattice dimensions. Among other impacts, this result influences the security of lattice based cryptosystems.
Rounding LLL: Finding Faster Small Roots of Univariate Polynomial Congruences
, 2013
"... In a seminal work at EUROCRYPT ’96, Coppersmith showed how to find all small roots of a univariate polynomial congruence in polynomial time: this has found many applications in publickey cryptanalysis and in a few security proofs. However, the running time of the algorithm is a highdegree polynomi ..."
Abstract
 Add to MetaCart
In a seminal work at EUROCRYPT ’96, Coppersmith showed how to find all small roots of a univariate polynomial congruence in polynomial time: this has found many applications in publickey cryptanalysis and in a few security proofs. However, the running time of the algorithm is a highdegree polynomial, which limits experiments: the bottleneck is an LLL reduction of a highdimensional matrix with extralarge coefficients. We present in this paper a polynomial speedup over Coppersmith’s algorithm. Our improvement is based on a special property of the matrices used by Coppersmith’s algorithm, which allows us to speed up the LLL reduction by rounding. The exact speedup depends on the LLL algorithm used: for instance, the speedup is quadratic in the bitsize of the smallroot bound if one uses the NguyenStehlé L 2 algorithm.