Results 1 - 10 of 46
Lattice Basis Reduction: Improved Practical Algorithms and Solving Subset Sum Problems.
Math. Programming, 1993
Cited by 228 (6 self)
We report on improved practical algorithms for lattice basis reduction. We propose a practical floating point version of the L3-algorithm of Lenstra, Lenstra, Lovász (1982). We present a variant of the L3 algorithm with "deep insertions" and a practical algorithm for block Korkin-Zolotarev reduction, a concept introduced by Schnorr (1987). Empirical tests show that the strongest of these algorithms solves almost all subset sum problems with up to 66 random weights of arbitrary bit length within at most a few hours on a UNISYS 6000/70 or within a couple of minutes on a SPARC 1+ computer.
An improved low-density subset sum algorithm
in Advances in Cryptology: Proceedings of Eurocrypt '91
Cited by 86 (14 self)
Abstract. The general subset sum problem is NP-complete. However, there are two algorithms, one due to Brickell and the other to Lagarias and Odlyzko, which in polynomial time solve almost all subset sum problems of sufficiently low density. Both methods rely on basis reduction algorithms to find short nonzero vectors in special lattices. The Lagarias-Odlyzko algorithm would solve almost all subset sum problems of density < 0.6463... in polynomial time if it could invoke a polynomial-time algorithm for finding the shortest nonzero vector in a lattice. This paper presents two modifications of that algorithm, either one of which would solve almost all problems of density < 0.9408... if it could find shortest nonzero vectors in lattices. These modifications also yield dramatic improvements in practice when they are combined with known lattice basis reduction algorithms. Key words. subset sum problems; knapsack cryptosystems; lattices; lattice basis reduction. Subject classifications. 11Y16.
Straight-line programs in geometric elimination theory
J. Pure Appl. Algebra, 1998
Cited by 59 (14 self)
Dedicated to Volker Strassen for his work on complexity. We present a new method for solving symbolically zero–dimensional polynomial equation systems in the affine and toric case. The main feature of our method is the use of problem adapted data structures: arithmetic networks and straight–line programs. For sequential time complexity measured by network size we obtain the following result: it is possible to solve any affine or toric zero–dimensional equation system in non–uniform sequential time which is polynomial in the length of the input description and the “geometric degree” of the equation system. Here, the input is thought to be given by a straight–line program (or alternatively in sparse representation), and the length of the input is measured by number of variables, degree of equations and size of the program (or sparsity of the equations). The geometric degree of the input system has to be adequately defined. It is always bounded by the algebraic–combinatoric “Bézout number” of the system which is given by the Hilbert function of a suitable homogeneous ideal. However, in many important cases, the value of the geometric
Solving elliptic diophantine equations by estimating linear forms in elliptic logarithms
ACTA ARITHMETICA, 1994
The hardness of the closest vector problem with preprocessing
IEEE Transactions on Information Theory, 2001
Cited by 33 (6 self)
Abstract. We give a new simple proof of the NP-hardness of the closest vector problem. In addition to being much simpler than all previously known proofs, the new proof yields new interesting results about the complexity of the closest vector problem with preprocessing. This is a variant of the closest vector problem in which the lattice is specified in advance, and can be preprocessed for an arbitrarily long amount of time before the target vector is revealed. We show that there are lattices for which the closest vector problem remains hard, regardless of the amount of preprocessing.
Polar varieties and efficient real elimination
MATH. Z, 2001
Cited by 30 (13 self)
Let S0 be a smooth and compact real variety given by a reduced regular sequence of polynomials f1,..., fp. This paper is devoted to the algorithmic problem of finding efficiently a representative point for each connected component of S0. For this purpose we exhibit explicit polynomial equations that describe the generic polar varieties of S0. This leads to a procedure which solves our algorithmic problem in time that is polynomial in the (extrinsic) description length of the input equations f1,..., fp and in a suitably introduced, intrinsic geometric parameter, called the degree of the real interpretation of the given equation system f1,..., fp.
Gröbner Bases of Lattices, Corner Polyhedra, and Integer Programming
1995
Cited by 30 (6 self)
There are very close connections between the arithmetic of integer lattices, algebraic properties of the associated ideals, and the geometry and the combinatorics of corresponding polyhedra. In this paper we investigate the generating sets ("Gröbner bases") of integer lattices that correspond to the Gröbner bases of the associated binomial ideals. Extending results by Sturmfels & Thomas, we obtain a geometric characterization of the universal Gröbner basis in terms of the vertices and edges of the associated corner polyhedra. In the special case where the lattice has finite index, the corner polyhedra were studied by Gomory, and there is a close connection to the "group problem in integer programming." We present exponential lower and upper bounds for the maximal size of a reduced Gröbner basis. The initial complex of (the ideal of) a lattice is shown to be dual to the boundary of a certain simple polyhedron.
Polar varieties, real equation solving and data structures: The hypersurface case
J. COMPLEXITY, 1997
Cited by 24 (12 self)
In this paper we apply for the first time a new method for multivariate equation solving which was developed in [18], [19], [20] for complex root determination to the real case. Our main result concerns the problem of finding at least one representative point for each connected component of a real compact and smooth hypersurface. The basic algorithm of [18], [19], [20] yields a new method for symbolically solving zero-dimensional polynomial equation systems over the complex numbers. A feature of central importance of this algorithm is the use of a problem-adapted data type represented by the data structures arithmetic network and straight-line program (arithmetic circuit). The algorithm finds the complex solutions of any affine zero-dimensional equation system in non-uniform sequential time that is polynomial in the length of the input (given in straight-line program representation) and an adequately defined geometric degree of the equation system. Replacing the notion of geometric degree of the given polynomial equation system by a suitably defined real (or complex) degree of certain polar varieties associated to
Limits on the hardness of lattice problems in ℓp norms
In IEEE Conference on Computational Complexity, 2007
Cited by 20 (13 self)
In recent years, several papers have established limits on the computational difficulty of lattice problems, focusing primarily on the ℓ2 (Euclidean) norm. We demonstrate close analogues of these results in ℓp norms, for every 2 < p ≤ ∞. In particular, for lattices of dimension n:
• Approximating the closest vector problem, the shortest vector problem, and other related problems to within O(√n) factors (or O(√(n log n)) factors, for p = ∞) is in coNP.
• Approximating the closest vector and bounded distance decoding problems with preprocessing to within O(√n) factors can be accomplished in deterministic polynomial time.
• Approximating several problems (such as the shortest independent vectors problem) to within Õ(n) factors in the worst case reduces to solving the average-case problems defined in prior works (Ajtai, STOC 1996; Micciancio and Regev, SIAM J. on Computing 2007; Regev, STOC 2005).
Our results improve prior approximation factors for ℓp norms by up to √n factors. Taken all together, they complement recent reductions from the ℓ2 norm to ℓp norms (Regev and Rosen, STOC 2006), and provide some evidence that lattice problems in ℓp norms (for p > 2) may not be substantially harder than they are in the ℓ2 norm. One of our main technical contributions is a very general analysis of Gaussian distributions over lattices, which may be of independent interest. Our proofs employ analytical techniques of Banaszczyk that, to our knowledge, have yet to be exploited in computer science.
Partial key exposure attacks on RSA up to full size exponents
Advances in Cryptology - Proceedings of Eurocrypt 2005, Lecture Notes in Computer Science 3494, 2005
"... 1?, and Benne de Weger2? ..."