A Sieve Algorithm for the Shortest Lattice Vector Problem
2001
Cited by 150 (3 self)
We present a randomized 2^{O(n)} time algorithm to compute a shortest nonzero vector in an n-dimensional rational lattice. The best known time upper bound for this problem was 2^{O(n log n)}.
On the sphere-decoding algorithm I. Expected complexity
IEEE Trans. Sig. Proc., 2005
Cited by 76 (5 self)
The problem of finding the least-squares solution to a system of linear equations where the unknown vector is comprised of integers, but the matrix coefficient and given vector are comprised of real numbers, arises in many applications: communications, cryptography, GPS, to name a few. The problem is equivalent to finding the closest lattice point to a given point and is known to be NP-hard. In communications applications, however, the given vector is not arbitrary but rather is an unknown lattice point that has been perturbed by an additive noise vector whose statistical properties are known. Therefore, in this paper, rather than dwell on the worst-case complexity of the integer least-squares problem, we study its expected complexity, averaged over the noise and over the lattice. For the "sphere decoding" algorithm of Fincke and Pohst, we find a closed-form expression for the expected complexity, both for the infinite and finite lattice.
The Two Faces of Lattices in Cryptology
2001
Cited by 69 (16 self)
Lattices are regular arrangements of points in n-dimensional space, whose study appeared in the 19th century in both number theory and crystallography. Since the appearance of the celebrated Lenstra-Lenstra-Lovász lattice basis reduction algorithm twenty years ago, lattices have had surprising applications in cryptology. Until recently, the applications of lattices to cryptology were only negative, as lattices were used to break various cryptographic schemes. Paradoxically, several positive cryptographic applications of lattices have emerged in the past five years: there now exist public-key cryptosystems based on the hardness of lattice problems, and lattices play a crucial role in a few security proofs.
Hardness of approximating the shortest vector problem in high Lp norms
 In Proceedings of the 44th IEEE Symposium on Foundations of Computer Science. IEEE Computer
Cited by 62 (2 self)
Let p > 1 be any fixed real. We show that assuming NP ⊄ RP, there is no polynomial time algorithm that approximates the Shortest Vector Problem (SVP) in ℓ_p norm within a constant factor. Under the stronger assumption NP ⊄ RTIME(2^{poly(log n)}), we show that there is no polynomial-time algorithm with approximation ratio 2^{(log n)^{1/2−ε}}, where n is the dimension of the lattice and ε > 0 is an arbitrarily small constant. We first give a new (randomized) reduction from Closest Vector Problem (CVP) to SVP that achieves some constant factor hardness. The reduction is based on BCH Codes. Its advantage is that the SVP instances produced by the reduction behave well under the augmented tensor product, a new variant of tensor product that we introduce. This enables us to boost the hardness factor to 2^{(log n)^{1/2−ε}}.
Generalized compact knapsacks, cyclic lattices, and efficient one-way functions
In STOC, 2007
Cited by 47 (8 self)
We investigate the average-case complexity of a generalization of the compact knapsack problem to arbitrary rings: given m (random) ring elements a_1, ..., a_m ∈ R and a (random) target value b ∈ R, find coefficients x_1, ..., x_m ∈ S (where S is an appropriately chosen subset of R) such that Σ a_i · x_i = b. We consider compact versions of the generalized knapsack where the set S is large and the number of weights m is small. Most variants of this problem considered in the past (e.g., when R = Z is the ring of the integers) can be easily solved in polynomial time even in the worst case. We propose a new choice of the ring R and subset S that yields generalized compact knapsacks that are seemingly very hard to solve on the average, even for very small values of m. Namely, we prove that for any unbounded function m = ω(1) with arbitrarily slow growth rate, solving our generalized compact knapsack problems on the average is at least as hard as the worst-case instance of various approximation problems over cyclic lattices. Specific worst-case lattice problems considered in this paper are the shortest independent vector problem SIVP and the guaranteed distance decoding problem GDD (a variant of the closest vector problem, CVP) for approximation factors n^{1+ε}, almost linear in the dimension of the lattice. Our results yield very efficient and provably secure one-way functions (based on worst-case complexity assumptions) with key size and time complexity almost linear in the security parameter n. Previous constructions with similar security guarantees required quadratic key size and computation time. Our results can also be formulated as a connection between the worst-case and average-case complexity of various lattice problems over cyclic and quasi-cyclic lattices.
Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices
In TCC, 2006
Cited by 43 (12 self)
The generalized knapsack function is defined as f_a(x) = Σ_i a_i · x_i, where a = (a_1, ..., a_m) consists of m elements from some ring R, and x = (x_1, ..., x_m) consists of m coefficients from a specified subset S ⊆ R. Micciancio (FOCS 2002) proposed a specific choice of the ring R and subset S for which inverting this function (for random a, x) is at least as hard as solving certain worst-case problems on cyclic lattices. We show that for a different choice of S ⊆ R, the generalized knapsack function is in fact collision-resistant, assuming it is infeasible to approximate the shortest vector in n-dimensional cyclic lattices up to factors Õ(n). For slightly larger factors, we even get collision-resistance for any m ≥ 2. This yields very efficient collision-resistant hash functions having key size and time complexity almost linear in the security parameter n. We also show that altering S is necessary, in the sense that Micciancio's original function is not collision-resistant (nor even universal one-way). Our results exploit an intimate connection between the linear algebra of n-dimensional cyclic lattices and the ring Z[α]/(α^n − 1), and crucially depend on the factorization of α^n − 1 into irreducible cyclotomic polynomials. We also establish a new bound on the discrete Gaussian distribution over general lattices, employing techniques introduced by Micciancio and Regev (FOCS 2004) and also used by Micciancio in his study of compact knapsacks.

1 Introduction

A function family {f_a}_{a ∈ A} is said to be collision-resistant if, given a uniformly chosen a ∈ A, it is infeasible to find elements x_1 ≠ x_2 so that f_a(x_1) = f_a(x_2). Collision-resistant hash functions are one of the most widely employed cryptographic primitives. Their applications include integrity checking, user and message authentication, commitment protocols, and more. Many of the applications of collision-resistant hashing tend to invoke the hash function only a small number of times. Thus, the efficiency of the function has a direct effect on the efficiency of the application that uses it. This is in contrast to primitives such as one-way functions, which typically must be invoked many times in their applications (at least when used in a black-box way) [9].
Noisy Polynomial Interpolation and Noisy Chinese Remaindering
2000
Cited by 41 (2 self)
The noisy polynomial interpolation problem is a new intractability assumption introduced last year in oblivious polynomial evaluation. It also appeared independently in password identification schemes, due to its connection with secret sharing schemes based on Lagrange's polynomial interpolation. This paper presents new algorithms to solve the noisy polynomial interpolation problem. In particular, we prove a reduction from noisy polynomial interpolation to the lattice shortest vector problem, when the parameters satisfy a certain condition that we make explicit. Standard lattice reduction techniques appear to solve many instances of the problem. It follows that noisy polynomial interpolation is much easier than expected. We therefore suggest simple modifications to several cryptographic schemes recently proposed, in order to change the intractability assumption. We also discuss analogous methods for the related noisy Chinese remaindering problem arising from the well-known analogy between polynomials and integers.
On the Hardness of Being Truthful
In 49th Annual IEEE Symposium on Foundations of Computer Science (FOCS), 2008
Cited by 40 (5 self)
The central problem in computational mechanism design is the tension between incentive compatibility and computational efficiency. We establish the first significant approximability gap between algorithms that are both truthful and computationally efficient, and algorithms that only achieve one of these two desiderata. This is shown in the context of a novel mechanism design problem which we call the COMBINATORIAL PUBLIC PROJECT PROBLEM (CPPP). CPPP is an abstraction of many common mechanism design situations, ranging from elections of kibbutz committees to network design. Our result is actually made up of two complementary results, one in the communication-complexity model and one in the computational-complexity model. Both these hardness results heavily rely on a combinatorial characterization of truthful algorithms for our problem. Our computational-complexity result is one of the first impossibility results connecting mechanism design to complexity theory; its novel proof technique involves an application of the Sauer-Shelah Lemma and may be of wider applicability, both within and without mechanism design.
Lattice Reduction in Cryptology: An Update
Lect. Notes in Comp. Sci., 2000
Cited by 36 (7 self)
Lattices are regular arrangements of points in space, whose study appeared in the 19th century in both number theory and crystallography.