Results 1 - 8 of 8
The Two Faces of Lattices in Cryptology
2001
Cited by 69 (16 self)
Abstract
Lattices are regular arrangements of points in n-dimensional space, whose study appeared in the 19th century in both number theory and crystallography. Since the appearance of the celebrated Lenstra-Lenstra-Lovász lattice basis reduction algorithm twenty years ago, lattices have had surprising applications in cryptology. Until recently, the applications of lattices to cryptology were only negative, as lattices were used to break various cryptographic schemes. Paradoxically, several positive cryptographic applications of lattices have emerged in the past five years: there now exist public-key cryptosystems based on the hardness of lattice problems, and lattices play a crucial role in a few security proofs.
The shortest vector in a lattice is hard to approximate to within some constant
in Proc. 39th Symposium on Foundations of Computer Science
1998
Cited by 51 (4 self)
Abstract
We show that approximating the shortest vector problem (in any ℓ_p norm) to within any constant factor less than 2^{1/p} (the p-th root of 2) is hard for NP under reverse unfaithful random reductions with inverse polynomial error probability. In particular, approximating the shortest vector problem is not in RP (random polynomial time), unless NP equals RP. We also prove a proper NP-hardness result (i.e., hardness under deterministic many-one reductions) under a reasonable number theoretic conjecture on the distribution of square-free smooth numbers. As part of our proof, we give an alternative construction of Ajtai's constructive variant of Sauer's lemma that greatly simplifies Ajtai's original proof.
Key words: NP-hardness, shortest vector problem, point lattices, geometry of numbers, sphere packing
Lattice Reduction in Cryptology: An Update
Lect. Notes in Comp. Sci.
2000
Cited by 36 (7 self)
Abstract
Lattices are regular arrangements of points in space, whose study appeared in the 19th century in both number theory and crystallography.
Security of the most significant bits of the Shamir message passing scheme
Math. Comp.
2000
Cited by 19 (13 self)
Abstract
Boneh and Venkatesan have recently proposed a polynomial time algorithm for recovering a "hidden" element α of a finite field F_p of p elements from rather short strings of the most significant bits of the remainder modulo p of αt for several values of t selected uniformly at random from F_p^*. Unfortunately the applications to the computational security of most significant bits of private keys of some finite field exponentiation based cryptosystems given by Boneh and Venkatesan are not quite correct. For the Diffie-Hellman cryptosystem the result of Boneh and Venkatesan has been corrected and generalized in our recent paper. Here a similar analysis is given for the Shamir message passing scheme. The results depend on some bounds of exponential sums.
Sparse Polynomial Approximation in Finite Fields
Proc. 33rd ACM Symp. on Theory of Comput.
2000
Cited by 11 (3 self)
Abstract
We consider a polynomial analogue of the hidden number problem which has recently been introduced by Boneh and Venkatesan. Namely we consider the sparse polynomial approximation problem of recovering an unknown polynomial f(X) ∈ F_p[X] with at most m nonzero terms from approximate values of f(t) at polynomially many points t ∈ F_p selected uniformly at random. The case of a polynomial f(X) = αX corresponds to the hidden number problem. The above problem is related to the noisy polynomial interpolation problem and to the sparse polynomial interpolation problem which have recently been considered in the literature. Our results are based on a combination of some number theory tools such as bounds of exponential sums and the number of solutions of congruences with the lattice reduction technique.
1 Introduction
As usual, for a prime p we denote by F_p the field of p elements which we assume to be represented by the elements {0, ..., p − 1}. For integers s and m ≥ 1 we d...
Hidden number problem with hidden multipliers, timed-release crypto and noisy exponentiation
Math. Comp.
Cited by 10 (4 self)
Abstract
We consider a generalisation of the hidden number problem recently introduced by Boneh and Venkatesan. The initial problem can be stated as follows: recover a number a ∈ F_p such that for many known random t ∈ F_p approximations to the values of ⌊at⌋_p are known. Here we study a version of the problem where the "multipliers" t are not known but rather certain approximations to them are given. We present a probabilistic polynomial time solution when the error is small enough, and we show that the problem cannot be solved if the error is sufficiently large. We apply the result to the bit security of "timed-release crypto" introduced by Rivest, Shamir and Wagner, to noisy exponentiation black boxes and to the bit security of the "inverse" exponentiation. We also show that it implies a certain bit security result for Weil pairing on elliptic curves.
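Worked example, added here and not taken from any of the listed papers: the basic hidden number problem as stated in this abstract (and in the Boneh-Venkatesan setting that the Shamir and sparse-polynomial abstracts above build on), solved by lattice reduction on a toy instance. The parameters (p = 2^31 − 1, 10 samples, 14 leaked most significant bits each), the oracle model (MSB_k returns the top k bits of αt mod p with the low bits zeroed) and the secret are all constructed for this example. Two choices are mine rather than the papers': the closest-vector instance is turned into a shortest-vector instance by Kannan embedding (the original Boneh-Venkatesan algorithm works on the closest vector problem directly), and the reduction is a textbook LLL written out in exact rational arithmetic so the block runs without Sage or fpylll; on a real instance you would use those tools instead.

```python
from fractions import Fraction
import random

# Toy parameters, constructed for this example (not from the papers listed above).
P = 2**31 - 1            # prime p, the field F_p
BITS = 31                # bit length of p
K = 14                   # most significant bits of (alpha * t mod p) revealed per sample
N = 10                   # number of samples (t_i, MSB_K(alpha * t_i mod p))
E = 2 ** (BITS - K - 1)  # half-width of the interval the unknown low bits lie in


def lll(basis, delta=Fraction(99, 100)):
    """Textbook LLL reduction over the rationals (exact arithmetic; fine for small dimensions)."""
    b = [[Fraction(x) for x in row] for row in basis]
    n = len(b)

    def dot(u, v):
        return sum(x * y for x, y in zip(u, v))

    def gram_schmidt():
        bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = b[i][:]
            for j in range(i):
                mu[i][j] = dot(b[i], bstar[j]) / dot(bstar[j], bstar[j])
                v = [x - mu[i][j] * y for x, y in zip(v, bstar[j])]
            mu[i][i] = Fraction(1)
            bstar.append(v)
        return bstar, mu

    bstar, mu = gram_schmidt()
    k = 1
    while k < n:
        # size reduction: b_k -= round(mu_kj) * b_j leaves b*_k unchanged, so only row k of mu moves
        for j in range(k - 1, -1, -1):
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                for i in range(j + 1):
                    mu[k][i] -= q * mu[j][i]
        # Lovasz condition on consecutive Gram-Schmidt vectors
        if dot(bstar[k], bstar[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1]):
            k += 1
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            bstar, mu = gram_schmidt()
            k = max(k - 1, 1)
    return b


def msb_oracle(alpha, t, p=P, k=K, bits=BITS):
    """HNP oracle (modelling assumption): the top k bits of alpha*t mod p, low bits zeroed."""
    x = alpha * t % p
    return (x >> (bits - k)) << (bits - k)


def make_instance(alpha, n=N, seed=1):
    """Constructed instance: random multipliers t_i and the oracle's answers for a secret alpha."""
    rng = random.Random(seed)
    ts = [rng.randrange(1, P) for _ in range(n)]
    return ts, [msb_oracle(alpha, t) for t in ts]


def solve_hnp(ts, leaks, p=P, e=E):
    """Recover alpha from (t_i, MSB_k(alpha*t_i mod p)) with LLL on a Kannan-embedded lattice."""
    n = len(ts)
    # x_i = alpha*t_i mod p lies in [u_i, u_i + 2e), so |x_i - c_i| <= e with c_i = u_i + e
    centres = [u + e for u in leaks]
    dim = n + 2
    rows = []
    for i in range(n):
        r = [0] * dim
        r[i] = p
        rows.append(r)                       # p * e_i: reduces coordinate i modulo p
    rows.append(ts + [Fraction(e, p), 0])   # alpha times this row is (alpha*t_i, alpha*e/p, 0)
    rows.append(centres + [0, e])           # embedded target; (x_i - c_i, alpha*e/p, -e) is short
    for v in lll(rows):
        if v[-1] == -e:
            v = [-x for x in v]
        if v[-1] != e:
            continue
        cand = -v[n] * p / e                 # after normalising, coordinate n equals -alpha*e/p
        if cand.denominator != 1:
            continue
        alpha = int(cand) % p
        if all(msb_oracle(alpha, t) == u for t, u in zip(ts, leaks)):
            return alpha
    return None


if __name__ == "__main__":
    secret = 123456789
    ts, leaks = make_instance(secret)
    print("recovered:", solve_hnp(ts, leaks), "expected:", secret)
```

The candidate recovered from the short vector is only accepted after re-running the oracle on every sample, so a reduction that returns some other short vector yields `None` rather than a wrong key. With 10 samples of 14 bits the lattice gap between the target and the next shortest vector is large, which is why LLL alone suffices; the papers' interest is in how few bits per sample (roughly √log p) still leave such a gap.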
Guest Column: Complexity of SVP - A reader's digest
2001
Abstract
We present high-level technical summaries of five recent results on the computational complexity of the shortest lattice vector problem.
Exponential Sums and Lattice Reduction:
Abstract
We describe how a rather surprising, yet powerful combination of two famous number theoretic techniques: bounds of exponential sums and lattice reduction algorithms. This combination...