Results 1-10 of 26
Lattice Basis Reduction: Improved Practical Algorithms and Solving Subset Sum Problems
Math. Programming, 1993
Cited by 212 (6 self)
We report on improved practical algorithms for lattice basis reduction. We propose a practical floating-point version of the L³ algorithm of Lenstra, Lenstra, Lovász (1982). We present a variant of the L³ algorithm with "deep insertions" and a practical algorithm for block Korkin-Zolotarev reduction, a concept introduced by Schnorr (1987). Empirical tests show that the strongest of these algorithms solves almost all subset sum problems with up to 66 random weights of arbitrary bit length within at most a few hours on a UNISYS 6000/70 or within a couple of minutes on a SPARC 1+ computer.
An improved low-density subset sum algorithm
Advances in Cryptology: Proceedings of Eurocrypt '91
Cited by 83 (14 self)
The general subset sum problem is NP-complete. However, there are two algorithms, one due to Brickell and the other to Lagarias and Odlyzko, which in polynomial time solve almost all subset sum problems of sufficiently low density. Both methods rely on basis reduction algorithms to find short nonzero vectors in special lattices. The Lagarias-Odlyzko algorithm would solve almost all subset sum problems of density < 0.6463... in polynomial time if it could invoke a polynomial-time algorithm for finding the shortest nonzero vector in a lattice. This paper presents two modifications of that algorithm, either one of which would solve almost all problems of density < 0.9408... if it could find shortest nonzero vectors in lattices. These modifications also yield dramatic improvements in practice when they are combined with known lattice basis reduction algorithms. Key words: subset sum problems; knapsack cryptosystems; lattices; lattice basis reduction. Subject classifications: 11Y16.
Efficient Cryptographic Schemes Provably as Secure as Subset Sum
Journal of Cryptology, 1993
Cited by 79 (8 self)
We show very efficient constructions for a pseudorandom generator and for a universal one-way hash function based on the intractability of the subset sum problem for certain dimensions. (Pseudorandom generators can be used for private key encryption and universal one-way hash functions for signature schemes.) The increase in efficiency in our construction is due to the fact that many bits can be generated/hashed with one application of the assumed one-way function. All our constructions can be implemented in NC using an optimal number of processors. Part of this work was done while both authors were at UC Berkeley and part when the second author was at the IBM Almaden Research Center. Research supported by NSF grant CCR 88-13632. A preliminary version of this paper appeared in Proc. of the 30th Symp. on Foundations of Computer Science, 1989. 1 Introduction. Many cryptosystems are based on the intractability of number-theoretic problems such as factoring and discrete logarit...
The Two Faces of Lattices in Cryptology
2001
Cited by 67 (16 self)
Lattices are regular arrangements of points in n-dimensional space, whose study appeared in the 19th century in both number theory and crystallography. Since the appearance of the celebrated Lenstra-Lenstra-Lovász lattice basis reduction algorithm twenty years ago, lattices have had surprising applications in cryptology. Until recently, the applications of lattices to cryptology were only negative, as lattices were used to break various cryptographic schemes. Paradoxically, several positive cryptographic applications of lattices have emerged in the past five years: there now exist public-key cryptosystems based on the hardness of lattice problems, and lattices play a crucial role in a few security proofs.
The rise and fall of knapsack cryptosystems
In Cryptology and Computational Number Theory, 1990
Lattice Reduction in Cryptology: An Update
Lect. Notes in Comp. Sci., 2000
Cited by 36 (7 self)
Lattices are regular arrangements of points in space, whose study appeared in the 19th century in both number theory and crystallography.
Optimal measurements for the dihedral hidden subgroup problem
Chicago Journal of Theoretical Computer Science, 2005
Cited by 29 (3 self)
We consider the dihedral hidden subgroup problem as the problem of distinguishing hidden subgroup states. We show that the optimal measurement for solving this problem is the so-called pretty good measurement. We then prove that the success probability of this measurement exhibits a sharp threshold as a function of the density ν = k / log₂ N, where k is the number of copies of the hidden subgroup state and 2N is the order of the dihedral group. In particular, for ν < 1 the optimal measurement (and hence any measurement) identifies the hidden subgroup with a probability that is exponentially small in log N, while for ν > 1 the optimal measurement identifies the hidden subgroup with a probability of order unity. Thus the dihedral group provides an example of a group G for which Ω(log |G|) hidden subgroup states are necessary to solve the hidden subgroup problem. We also consider the optimal measurement for determining a single bit of the answer, and show that it exhibits the same threshold. Finally, we consider implementing the optimal measurement by a quantum circuit, and thereby establish further connections between the dihedral hidden subgroup problem and average case subset sum problems. In particular, we show that an efficient quantum algorithm for a restricted version of the optimal measurement would imply an efficient quantum algorithm for the subset sum problem, and conversely, that the ability to quantum sample from subset sum solutions allows one to implement the optimal measurement.
Lecture Notes on Cryptography
2001
Cited by 17 (0 self)
This is a set of lecture notes on cryptography compiled for 6.87s, a one week long course on cryptography taught at MIT by Shafi Goldwasser and Mihir Bellare in the summers of 1996–2001. The notes were formed by merging notes written for Shafi Goldwasser’s Cryptography and Cryptanalysis course at MIT with notes written for Mihir Bellare’s Cryptography and network security course at UCSD. In addition, Rosario Gennaro (as Teaching Assistant for the course in 1996) contributed Section 9.6, Section 11.4, Section 11.5, and Appendix D to the notes, and also compiled, from various sources, some of the problems in Appendix E. Cryptography is of course a vast subject. The thread followed by these notes is to develop and explain the notion of provable security and its usage for the design of secure protocols. Much of the material in Chapters 2, 3 and 7 is a result of scribe notes, originally taken by MIT graduate students who attended Professor Goldwasser’s Cryptography and Cryptanalysis course over the years, and later edited by Frank D’Ippolito who was a teaching assistant for the course in 1991. Frank also contributed much of the advanced number theoretic material in the Appendix. Some of the material in Chapter 3 is from the chapter on Cryptography, by R. Rivest, in the Handbook of Theoretical Computer Science. Chapters 4, 5, 6, 8 and 10, and Sections 9.5 and 7.4.6, were written by Professor Bellare for his Cryptography and network security course at UCSD.
Speeding up Discrete Log and Factoring Based Schemes via Precomputations
1998
Cited by 16 (1 self)
We present fast and practical methods for generating randomly distributed pairs of the form (x, g^x mod p) or (x, x^e mod N), using precomputation. These generation schemes are of wide applicability for speeding up public key systems that depend on exponentiation and offer a smooth memory-speed tradeoff. The steps involving exponentiation in these systems can be reduced significantly in many cases. Our schemes are most suited for server applications. We present security analyses of our schemes using standard assumptions, including analyses for fully adaptive attacks. Our methods are novel in the sense that they identify and thoroughly exploit the randomness issues related to the instances generated in these public-key schemes. Our constructions use random walks on Cayley (expander) graphs over Abelian groups. Our analysis involves nonlinear versions of lattice problems. It appears that any realistic attack on our schemes would need to solve such problems.
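As an added illustration of the precomputation idea in the abstract above (example code written here, not code from that paper): a table of pairs (x_j, g^x_j) is computed once, and each fresh pair (x, g^x mod p) is then obtained as the sum of the exponents and the product of the group elements over a random subset of the table, so a pair costs a handful of modular multiplications instead of a full exponentiation. This is the basic subset-product variant only; the paper's random-walk (Cayley-graph) construction and its security analysis are not reproduced. The toy safe prime p = 2879 (q = 1439, g = 4 of order q), the table size and the subset size are assumptions chosen for illustration.

```python
import random

# Constructed toy group (assumption, not the paper's parameters): p = 2q + 1 is a safe prime,
# and g = 4 = 2^2 generates the order-q subgroup of quadratic residues modulo p.
P, Q, G = 2879, 1439, 4


class PrecomputedPairGenerator:
    """Basic precomputation generator for pairs (x, g^x mod p).

    Preprocessing stores table_size random pairs (x_j, g^x_j mod p). Each call to
    next_pair() picks a random subset of subset_size table entries and returns the sum of
    their exponents (mod q) together with the product of their group elements (mod p); the
    result is again a valid pair because g^(x_1 + ... + x_k) = g^x_1 * ... * g^x_k.
    """

    def __init__(self, p, q, g, table_size, subset_size, rng):
        if not 1 < subset_size <= table_size:
            raise ValueError("subset_size must lie in (1, table_size]")
        self.p, self.q, self.g, self.k, self.rng = p, q, g, subset_size, rng
        # One-time expensive step: table_size full modular exponentiations.
        self.table = []
        for _ in range(table_size):
            x = rng.randrange(1, q)
            self.table.append((x, pow(g, x, p)))

    def next_pair(self):
        # Online step: k additions mod q and k multiplications mod p, no exponentiation.
        x, y = 0, 1
        for j in self.rng.sample(range(len(self.table)), self.k):
            xj, yj = self.table[j]
            x = (x + xj) % self.q
            y = (y * yj) % self.p
        return x, y


def check_pairs(count=50, seed=1):
    """Generate `count` pairs with fixed (assumed) sizes and confirm each satisfies
    y == g^x mod p. Returns (all_valid, number_of_distinct_exponents)."""
    gen = PrecomputedPairGenerator(P, Q, G, table_size=32, subset_size=6,
                                   rng=random.Random(seed))
    pairs = [gen.next_pair() for _ in range(count)]
    ok = all(pow(G, x, P) == y for x, y in pairs)
    return ok, len({x for x, _ in pairs})
```

The price of the speed-up is visible in the code: x is not a uniform exponent but a sum of k table entries, so the security question becomes whether an observer of many output pairs can recover the hidden table from the exponents it induces, which is the kind of (nonlinear) lattice-flavoured problem the abstract refers to. A deployment would choose table and subset sizes from the paper's analysis rather than the toy values used here.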
Performance Analysis of Shamir's Attack on the Basic Merkle-Hellman Knapsack Public Key Cryptosystem (in preparation)
Cited by 9 (2 self)
This paper gives a performance analysis of one variant of Shamir's attack on the basic Merkle-Hellman knapsack cryptosystem, which we call Algorithm S. Let R = (# plaintext bits) / (maximum # ciphertext bits) denote the rate at which a knapsack cryptosystem transmits information, and let n denote the number of items in a knapsack, i.e. the block size of plaintext. We show that for any fixed R, Algorithm S runs to completion in time polynomial in n on all knapsacks with rate R_0 ≥ R. We show that it successfully breaks at least the fraction 1 − of such knapsack cryptosystems as n → ∞, where c_R is a constant depending on R.
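Two of the listed papers, the low-density subset sum algorithm of Coster et al. and the analyses of the basic Merkle-Hellman knapsack, are illustrated together by the following added example (written for this page, not code from either paper). It builds a toy Merkle-Hellman key (superincreasing private weights, modulus, multiplier), encrypts one byte, decrypts it with the private key, and then recovers the same byte without the key by reducing the lattice of the Coster-Joux-LaMacchia-Odlyzko-Schnorr-Stern embedding with a textbook LLL. The weight sizes, the lattice scaling N = n, the fixed seed and the plaintext are assumptions for illustration; the LLL here is the plain rational-arithmetic version, not the floating-point or deep-insertion variants of the Schnorr-Euchner paper, and Shamir's attack itself is not implemented.

```python
import random
from fractions import Fraction
from math import gcd


def mh_keygen(n, rng):
    """Toy Merkle-Hellman key (assumed sizes): superincreasing private weights w, a modulus
    M > sum(w) and a multiplier W coprime to M; the public weights are b_i = W*w_i mod M."""
    w, total = [], 0
    for _ in range(n):
        x = total + rng.randrange(1 << 24, 1 << 25)  # each weight exceeds the sum of the earlier ones
        w.append(x)
        total += x
    M = total + rng.randrange(1 << 24, 1 << 25)
    while True:
        W = rng.randrange(2, M)
        if gcd(W, M) == 1:
            break
    return (w, M, W), [(W * wi) % M for wi in w]


def mh_encrypt(pub, bits):
    return sum(b * a for b, a in zip(bits, pub))


def mh_decrypt(priv, c):
    w, M, W = priv
    s = (pow(W, -1, M) * c) % M            # undo W: s = sum(bits_i * w_i) because sum(w) < M
    bits = [0] * len(w)
    for i in range(len(w) - 1, -1, -1):    # greedy decoding of a superincreasing knapsack
        if w[i] <= s:
            bits[i], s = 1, s - w[i]
    return bits


def density(pub):
    """Knapsack density n / log2(max weight); the lattice attack is expected to work below 0.9408."""
    return len(pub) / max(a.bit_length() for a in pub)


def lll(basis, delta=Fraction(99, 100)):
    """Textbook LLL with exact rational arithmetic (adequate for the tiny dimension used here)."""
    b = [[Fraction(x) for x in row] for row in basis]
    n = len(b)
    dot = lambda u, v: sum(x * y for x, y in zip(u, v))

    def gram_schmidt():
        bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = b[i][:]
            for j in range(i):
                mu[i][j] = dot(b[i], bstar[j]) / dot(bstar[j], bstar[j])
                v = [vi - mu[i][j] * bj for vi, bj in zip(v, bstar[j])]
            bstar.append(v)
        return bstar, mu

    bstar, mu = gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):                      # size-reduce b_k against b_j
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                for i in range(j):                          # b*_i unchanged, only mu row k moves
                    mu[k][i] -= q * mu[j][i]
                mu[k][j] -= q
        if dot(bstar[k], bstar[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1]):
            k += 1                                          # Lovasz condition holds
        else:
            b[k], b[k - 1] = b[k - 1], b[k]                 # swap and step back
            bstar, mu = gram_schmidt()
            k = max(k - 1, 1)
    return [[x.numerator // x.denominator for x in row] for row in b]


def low_density_attack(pub, c):
    """Lagarias-Odlyzko style attack with the CJLOSS lattice: rows (2e_i, 2N a_i) and
    (1, ..., 1, 2N c). Any solution x of sum(x_i a_i) = c yields the lattice vector
    (2x_1 - 1, ..., 2x_n - 1, 0) of norm sqrt(n). N > sqrt(n) suffices; N = n is assumed."""
    n, N = len(pub), len(pub)
    basis = []
    for i, a in enumerate(pub):
        row = [0] * (n + 1)
        row[i], row[n] = 2, 2 * N * a
        basis.append(row)
    basis.append([1] * n + [2 * N * c])
    for v in lll(basis):
        if v[n] != 0 or any(abs(x) != 1 for x in v[:n]):
            continue                                        # wrong shape for a solution vector
        for sign in (1, -1):                                # the reduced basis may hold v or -v
            bits = [(1 + sign * x) // 2 for x in v[:n]]
            if mh_encrypt(pub, bits) == c:                  # always verify the candidate
                return bits
    return None


def demo(seed=7):
    """Key generation, encryption of one byte, legitimate decryption and the key-less attack.
    Returns (decrypted_bits, attacked_bits, message_bits, knapsack_density)."""
    rng = random.Random(seed)
    priv, pub = mh_keygen(8, rng)
    msg = [1, 0, 1, 0, 0, 1, 0, 1]                          # constructed sample plaintext 0xA5
    c = mh_encrypt(pub, msg)
    return mh_decrypt(priv, c), low_density_attack(pub, c), msg, density(pub)
```

With eight weights of roughly 32 bits the public knapsack has density near 0.25, far below the 0.6463 and 0.9408 thresholds quoted in the abstracts, so the target vector is much shorter than anything else in the lattice and LLL exposes it directly; the candidate is still checked against the ciphertext before it is accepted, because reduction can return vectors of the right shape that are not solutions. Real attacks on larger dimensions replace this exact-arithmetic LLL with the floating-point and block Korkin-Zolotarev reductions described in the first entry of this listing.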