## Lattice Reduction in Cryptology: An Update (2000)

Venue: Lect. Notes in Comp. Sci

Citations: 36 - 7 self

### BibTeX

```bibtex
@INPROCEEDINGS{Nguyen00latticereduction,
  author    = {Phong Q. Nguyen and Jacques Stern},
  title     = {Lattice Reduction in Cryptology: An Update},
  booktitle = {Lect. Notes in Comp. Sci},
  year      = {2000},
  pages     = {85--112},
  publisher = {Springer-Verlag}
}
```

### Abstract

Lattices are regular arrangements of points in space, whose study appeared in the 19th century in both number theory and crystallography.

### Citations

2898 | A method for obtaining digital signatures and public key cryptosystems
- Rivest, Shamir, et al.
- 1978
Citation Context: ...[footnote 1: ...ch was enough in [74].] cryptology was immediately understood, and they were used to break schemes based on the knapsack problem (see [99, 23]), which were early alternatives to the RSA cryptosystem [100]. The success of reduction algorithms at breaking various cryptographic schemes over the past twenty years (see [61]) has arguably established lattice reduction techniques as the most popular tool in...

2696 | New Directions in Cryptography
- Diffie, Hellman
- 1976
Citation Context: ... number problem, which enables to prove the hardness of the most significant bits of secret keys in Diffie-Hellman and related schemes in prime fields. Recall the Diffie-Hellman key exchange protocol [36]: Alice and Bob fix a finite cyclic group G and a generator g. They respectively pick random $a, b \in [1, |G|]$ and exchange $g^a$ and $g^b$. The secret key is $g^{ab}$. Proving the security of the protocol under "r...

2462 | Handbook of Applied Cryptography
- Menezes, Vanstone, et al.
- 1996
Citation Context: ...security proofs for NTRU: there is no known result proving that NTRU or variants of its encryption scheme satisfy standard security requirements (such as semantic security or non-malleability, see [79]), assuming the hardness of a sufficiently precise problem. Besides, there exist simple chosen ciphertext attacks [60] that can recover the secret key, so that appropriate padding is necessary. [footnote 10: NTR...

1139 | Geometric Algorithms and Combinatorial Optimization
- Grötschel, Lovász, et al.
- 1981
Citation Context: ... LLL comes. Further refinements of the LLL algorithm were later proposed, notably by Schnorr [101, 102]. Those algorithms have proved invaluable in many areas of mathematics and computer science (see [75, 64, 109, 52, 30, 69]). In particular, their relevance to [footnote 1: The technique is however polynomial-time for fixed dimension, which was enough in [74].] cryptology was immediately understood, and they were used to break sche...

910 | A Course in Computational Algebraic Number Theory (fourth corrected printing)
- Cohen
- 2000
Citation Context: ... LLL comes. Further refinements of the LLL algorithm were later proposed, notably by Schnorr [101, 102]. Those algorithms have proved invaluable in many areas of mathematics and computer science (see [75, 64, 109, 52, 30, 69]). In particular, their relevance to [footnote 1: The technique is however polynomial-time for fixed dimension, which was enough in [74].] cryptology was immediately understood, and they were used to break sche...

694 | Factoring polynomials with rational coefficients
- Lenstra, Lenstra, et al.
- 1982
Citation Context: ... lattice reduction technique. That algorithm inspired Lovász to develop a polynomial-time algorithm that computes a so-called reduced basis of a lattice. It reached a final form in the seminal paper [73] where Lenstra, Lenstra and Lovász applied it to factor rational polynomials in polynomial time (back then, a famous problem), from which the name LLL comes. Further refinements of the LLL algorithm ...

234 | Integer programming with a fixed number of variables
- Lenstra
- 1983
Citation Context: ...ong others, and to Minkowski's geometry of numbers [85]. With the advent of algorithmic number theory, the subject had a revival around 1980 with Lenstra's celebrated work on integer programming (see [74]), which was, among others, based on a novel but non-polynomial time [footnote 1] lattice reduction technique. That algorithm inspired Lovász to develop a polynomial-time algorithm that computes a so-called red...

227 | On Lovász Lattice Reduction and the Nearest Lattice Point Problem, volume 9 of Combinatorica
- Babai
- 1986
Citation Context: ... BKZ-algorithms, which apply a heuristic to reduce exhaustive search. But little is known on the average-case (and even worst-case) complexity of reduction algorithms. Babai's nearest plane algorithm [7] uses LLL to approximate CVP to within $2^{d/2}$, in polynomial time (see also [66]). Using Schnorr's algorithm [101], this can be improved to $2^{O(d (\log \log d)^2 / \log d)}$, due to Kannan's link between C...

211 | Lattice basis reduction: improved practical algorithms and solving subset sum problems
- Schnorr, Euchner
- 1994
Citation Context: ...rformances depend on a parameter called the blocksize. These algorithms use some kind of exhaustive search exponential in the blocksize. So far, the best reduction algorithms in practice are variants [104, 105] of those BKZ-algorithms, which apply a heuristic to reduce exhaustive search. But little is known on the average-case (and even worst-case) complexity of reduction algorithms. Babai's nearest plane a...

205 | A public-key cryptosystem with worst-case/average-case equivalence
- Ajtai, Dwork
- 1997
Citation Context: ...ty results opened the door to positive applications in cryptology. Indeed, several cryptographic schemes based on the hardness of lattice problems were proposed shortly after Ajtai's discoveries (see [5, 49, 56, 26, 83, 41]). Some have been broken, while others seem to resist state-of-the-art attacks, for now. Those schemes attracted interest for at least two reasons: on the one hand, there are very few public-key crypt...

197 | A public-key cryptosystem based on algebraic coding theory, DSN progress report
- McEliece
- 1978
Citation Context: ...t the assumption was reasonable in practice. 4.2 The Goldreich-Goldwasser-Halevi cryptosystem. The Goldreich-Goldwasser-Halevi cryptosystem [49] (GGH) can be viewed as a lattice-analog to the McEliece [78] cryptosystem based on algebraic coding theory. In both schemes, a ciphertext is the addition of a random noise vector [footnote 5: A variant of AD with less message expansion was proposed in [26], however witho...

196 | The decision Diffie-Hellman problem
- Boneh
- 1998
Citation Context: ...ick random $a, b \in [1, |G|]$ and exchange $g^a$ and $g^b$. The secret key is $g^{ab}$. Proving the security of the protocol under "reasonable" assumptions has been a challenging problem in cryptography (see [12]). Computing the most significant bits of $g^{ab}$ is as hard as computing $g^{ab}$ itself, in the case of prime fields: Theorem 2 (Boneh-Venkatesan). Let q be an n-bit prime and g be a generator of $\mathbb{Z}_q^*$. Let...

158 | Generating Hard Instances of Lattice Problems
- Ajtai
- 1996
Citation Context: ...blems, which originated in large part in two seminal papers written by Ajtai in 1996 and in 1997 respectively. Prior to 1996, little was known on the complexity of lattice problems. In his 1996 paper [3], Ajtai discovered a fascinating connection between the worst-case complexity and the average-case complexity of some well-known lattice problems. Such a connection is not known to hold for any other ...

153 | The hardness of approximate optima in lattices, codes, and systems of linear equations
- Arora, Babai, et al.
- 1997
Citation Context: ...CVP to within $d^{3/2} f(d)^2$. CVP was shown to be NP-hard as early as in 1981 [40] (for a simplified proof, see [65]). Approximating CVP to within a quasi-polynomial factor $2^{\log^{1-\varepsilon} d}$ is NP-hard [6, 38]. However, NP-hardness results for SVP and CVP have limits. Goldreich and Goldwasser [46] showed that approximating SVP or CVP to within $\sqrt{d/O(\log d)}$ is not NP-hard, unless the polynomial-time hierarc...

147 | Hiding information and signatures in trapdoor knapsacks
- Merkle, Hellman
- 1978

141 | Cryptanalysis of short RSA secret exponents
- Wiener
- 1990
Citation Context: ...s and [79]), or if the public exponent is not too small. For instance, the popular choice e = 65537 is not threatened by these attacks. Small private exponent. When $d \le N^{0.25}$, an old result of Wiener [114] shows that one can easily recover the secret exponent d (and thus the factorization of N) from the continued fractions algorithm. Boneh and Durfee [15] recently improved the bound to $d \le N^{0.292}$, by a...

128 | Twenty years of attacks on the RSA cryptosystem
- Boneh
- 1999
Citation Context: ...propriate choice of h. This result is practical (see [35, 58] for experimental results) and has many applications. It can be used to attack RSA encryption when a very low public exponent is used (see [13] for a survey). Boneh et al. [17] applied it to factor efficiently numbers of the form $N = p^r q$ for large r. Boneh [14] used a variant to find smooth numbers in short intervals. See also [10] for an a...

127 | Minkowski's convex body theorem and integer programming
- Kannan
- 1987
Citation Context: ...hm approximating SVP to within a non-decreasing function f(d) can be used to approximate CVP to within $d^{3/2} f(d)^2$. CVP was shown to be NP-hard as early as in 1981 [40] (for a simplified proof, see [65]). Approximating CVP to within a quasi-polynomial factor $2^{\log^{1-\varepsilon} d}$ is NP-hard [6, 38]. However, NP-hardness results for SVP and CVP have limits. Goldreich and Goldwasser [46] showed that approx...

126 | The Development of the Number Field Sieve
- Lenstra, Lenstra
- 1993
Citation Context: ...they would require very good lattice reduction for lattices of dimension over at least several thousands. We close this review by mentioning that current versions of the Number Field Sieve (NFS) (see [72, 30]), the best algorithm known for factoring large integers, use lattice reduction. Indeed, LLL plays a crucial role in the last stage of NFS where one has to compute an algebraic square root of a huge a...

124 | Geometry of numbers
- Gruber, Lekkerkerker
- 1987
Citation Context: ...more generally: Theorem 1 (Minkowski). For all d-dimensional lattices L and all $r \le d$: $\prod_{i=1}^{r} \lambda_i(L) \le \sqrt{\gamma_d}^{\,r}\, \operatorname{vol}(L)^{r/d}$. More information on lattice theory can be found in numerous textbooks, such as [53, 108, 76]. 2.2 Algorithmic problems. In the rest of this section, we assume implicitly that lattices are rational lattices (lattices in $\mathbb{Q}^n$), and d will denote the lattice dimension. The most famous lattice pr...

124 | Symmetric Bilinear Forms
- Milnor, Husemoller

119 | Public-key cryptosystems from lattice reduction problems
- Goldreich, Goldwasser, et al.
Citation Context: ...ty results opened the door to positive applications in cryptology. Indeed, several cryptographic schemes based on the hardness of lattice problems were proposed shortly after Ajtai's discoveries (see [5, 49, 56, 26, 83, 41]). Some have been broken, while others seem to resist state-of-the-art attacks, for now. Those schemes attracted interest for at least two reasons: on the one hand, there are very few public-key crypt...

114 | The shortest vector problem in L2 is NP-hard for randomized reductions, STOC
- Ajtai
- 1998
Citation Context: ...rst-case complexity and the average-case complexity of some well-known lattice problems. Such a connection is not known to hold for any other problem in NP believed to be outside P. In his 1997 paper [4], building on previous work by Adleman [2], Ajtai further proved the NP-hardness (under randomized reductions) of the most famous lattice problem, the shortest vector problem (SVP). The NP-hardness of...

114 | Cryptanalysis of RSA with private key d less than
- Boneh, Durfee
Citation Context: ...eme when a very low public exponent or a low private exponent is used (see [13] for a survey), and related schemes such as the KMOV cryptosystem (see [9]). In particular, the experimental evidence of [15, 9] shows that the method is very effective in practice for certain polynomials. Remarks. In the case of univariate polynomials, there was basically no choice over the polynomials $q_{u,v}(x) = N^{h-1-\ldots}$...

107 | Solving low-density subset sum problems
- Lagarias, Odlyzko
Citation Context: ...ors $(y_1, \ldots, y_{n+1})$ such that $y_1 a_1 + \cdots + y_n a_n = y_{n+1} s$. Such a lattice can easily be built in polynomial time from the $a_i$'s and s. It was proved by Lagarias and Odlyzko [70] that if $d \le 0.6463\ldots$, the target vector $(x_1, \ldots, x_n, 1)$ was the shortest vector of $L(a_1, \ldots, a_n, s)$ with high probability over the choice of the $a_i$'s. The proof relies on bounds [7...

101 | An algorithmic theory of numbers, graphs, and convexity
- Lovász
- 1986
Citation Context: ... LLL comes. Further refinements of the LLL algorithm were later proposed, notably by Schnorr [101, 102]. Those algorithms have proved invaluable in many areas of mathematics and computer science (see [75, 64, 109, 52, 30, 69]). In particular, their relevance to [footnote 1: The technique is however polynomial-time for fixed dimension, which was enough in [74].] cryptology was immediately understood, and they were used to break sche...

94 | Hardness of Computing the Most Significant Bits of Secret Keys in Diffie-Hellman and Related Schemes
- Boneh, Venkatesan
- 1996
Citation Context: ...of polynomials (circular shifts). 5 The hidden number problem. 5.1 Hardness of Diffie-Hellman bits. There is only one example known in which the LLL algorithm plays a positive role in cryptology. In [18], Boneh and Venkatesan used LLL to solve the hidden number problem, which enables to prove the hardness of the most significant bits of secret keys in Diffie-Hellman and related schemes in prime field...

83 | Improved low-density subset sum algorithms
- Coster, Joux, et al.
- 1992
Citation Context: ...lies on bounds [77] on the number of integer points in n-dimensional balls. Thus, if one has access to an SVP-oracle, one can solve most subset sum problems of density $d \le 0.6463\ldots$. Coster et al. [34] later improved the connection between SVP and the knapsack problem. By using a simple variant of $L(a_1, \ldots, a_n, s)$, they showed that if $d \le 0.9408\ldots$, the knapsack problem can be reduced to a...

80 | On the limits of nonapproximability of lattice problems
- Goldreich, Goldwasser
- 1986
Citation Context: ...plified proof, see [65]). Approximating CVP to within a quasi-polynomial factor $2^{\log^{1-\varepsilon} d}$ is NP-hard [6, 38]. However, NP-hardness results for SVP and CVP have limits. Goldreich and Goldwasser [46] showed that approximating SVP or CVP to within $\sqrt{d/O(\log d)}$ is not NP-hard, unless the polynomial-time hierarchy collapses. Interestingly, SVP and CVP problems seem to be more difficult with the infi...

80 | Improved algorithms for integer programming and related lattice problems
- Kannan
- 1983
Citation Context: ...l lattice. Depending on the lattice, one should choose a coefficient different than 1 in (v, 1). For exact SVP or CVP, the best algorithms known (in theory) are Kannan's super-exponential algorithms [63, 65], with running time $2^{O(d \log d)}$. 3 Knapsacks. Cryptology and lattices share a long history with the knapsack (also called subset sum) problem, a well-known NP-hard problem considered by Karp: given a...

76 | Solving Simultaneous Modular Equations of Low Degree
- Hastad
- 1988
Citation Context: ... current lattice reduction algorithms behave ideally, as opposed to what is theoretically guaranteed. The use of lattice reduction techniques to solve polynomial equations goes back to the eighties [54, 110]. The first result of that kind, the broadcast attack on low-exponent RSA due to Hastad [54], can be viewed as a weaker version of Coppersmith's theorem on univariate modular polynomial equations. The...

66 | Finding small roots of univariate modular equations revisited
- Howgrave-Graham
- 1997
Citation Context: ...ll integers $x_0$ such that $P(x_0) \equiv 0 \pmod{N}$ and $|x_0| \le N^{1/\delta}$. Related (but weaker) results appeared in the eighties [54, 110]. We sketch a proof of Theorem 5, as presented by Howgrave-Graham [57], who simplified Coppersmith's original proof (see also [62]). Coppersmith's method reduces the problem of finding small modular roots to the (easy) problem of solving polynomial equations over $\mathbb{Z}$. Mor...

66 | Attacking the Chor-Rivest cryptosystem by improved lattice reduction
- Schnorr, Hörner
- 1995
Citation Context: ...rformances depend on a parameter called the blocksize. These algorithms use some kind of exhaustive search exponential in the blocksize. So far, the best reduction algorithms in practice are variants [104, 105] of those BKZ-algorithms, which apply a heuristic to reduce exhaustive search. But little is known on the average-case (and even worst-case) complexity of reduction algorithms. Babai's nearest plane a...

64 | Zur Geometrie der Zahlen
- Minkowski
- 1911
Citation Context: ...duction goes back to the reduction theory of quadratic forms developed by Lagrange [71], Gauss [44], Hermite [55], Korkine and Zolotarev [67, 68], among others, and to Minkowski's geometry of numbers [85]. With the advent of algorithmic number theory, the subject had a revival around 1980 with Lenstra's celebrated work on integer programming (see [74]), which was, among others, based on a novel but no...

63 | A Polynomial Time Algorithm for Breaking the Basic Merkle-Hellman Cryptosystem
- Shamir
- 1984
Citation Context: ...vented one of the first public-key cryptosystems, by converting some easy knapsacks into what they believed were hard knapsacks. It was basically the unique alternative to RSA until 1982, when Shamir [106] proposed an attack against the simplest version of the Merkle-Hellman scheme. Shamir used Lenstra's integer programming algorithm [74] but, the same year, Adleman [1] showed how to use LLL instead, ma...

62 | Approximating CVP to within almost-polynomial factors is NP-hard
- Dinur, Kindler, et al.
- 2003
Citation Context: ...CVP to within $d^{3/2} f(d)^2$. CVP was shown to be NP-hard as early as in 1981 [40] (for a simplified proof, see [65]). Approximating CVP to within a quasi-polynomial factor $2^{\log^{1-\varepsilon} d}$ is NP-hard [6, 38]. However, NP-hardness results for SVP and CVP have limits. Goldreich and Goldwasser [46] showed that approximating SVP or CVP to within $\sqrt{d/O(\log d)}$ is not NP-hard, unless the polynomial-time hierarc...

60 | Sur les formes quadratiques
- Korkine, Zolotarev
Citation Context: ... From the mathematical point of view, the history of lattice reduction goes back to the reduction theory of quadratic forms developed by Lagrange [71], Gauss [44], Hermite [55], Korkine and Zolotarev [67, 68], among others, and to Minkowski's geometry of numbers [85]. With the advent of algorithmic number theory, the subject had a revival around 1980 with Lenstra's celebrated work on integer programming (...

55 | Lattice reduction: a toolbox for the cryptanalyst
- Joux, Stern
- 1998
Citation Context: ...sack problem (see [99, 23]), which were early alternatives to the RSA cryptosystem [100]. The success of reduction algorithms at breaking various cryptographic schemes over the past twenty years (see [61]) has arguably established lattice reduction techniques as the most popular tool in public-key cryptanalysis. As a matter of fact, applications of lattices to cryptology have been mainly negative. In...

54 | An improved worst-case to average-case connection for lattice problems
- Cai, Nerurkar
Citation Context: ...oldwasser [46] showed that approximating $\mathrm{SVP}_\infty$/$\mathrm{CVP}_\infty$ to within $d/O(\log d)$ is not NP-hard, unless the polynomial-time hierarchy collapses. We will not discuss Ajtai's worst-case/average-case equivalence [3, 27], which refers to special versions of SVP and SBP (see [24, 25, 11]) such as SVP when the lattice gap $\lambda_2/\lambda_1$ is at least polynomial in the dimension. 2.4 Algorithmic results. The main algorithmic result...

52 | Another NP-complete problem and the complexity of computing short vectors in a lattice
- Boas
- 1981
Citation Context: ...an proved in [64] that any algorithm approximating SVP to within a non-decreasing function f(d) can be used to approximate CVP to within $d^{3/2} f(d)^2$. CVP was shown to be NP-hard as early as in 1981 [40] (for a simplified proof, see [65]). Approximating CVP to within a quasi-polynomial factor $2^{\log^{1-\varepsilon} d}$ is NP-hard [6, 38]. However, NP-hardness results for SVP and CVP have limits. Goldreich and ...

52 | NTRU: A Ring Based Public Key Cryptosystem
- Hoffstein, Pipher, et al.
Citation Context: ...ty results opened the door to positive applications in cryptology. Indeed, several cryptographic schemes based on the hardness of lattice problems were proposed shortly after Ajtai's discoveries (see [5, 49, 56, 26, 83, 41]). Some have been broken, while others seem to resist state-of-the-art attacks, for now. Those schemes attracted interest for at least two reasons: on the one hand, there are very few public-key crypt...

49 | The rise and fall of knapsack cryptosystems
- Odlyzko
Citation Context: ...[footnote 1: The technique is however polynomial-time for fixed dimension, which was enough in [74].] cryptology was immediately understood, and they were used to break schemes based on the knapsack problem (see [99, 23]), which were early alternatives to the RSA cryptosystem [100]. The success of reduction algorithms at breaking various cryptographic schemes over the past twenty years (see [61]) has arguably establ...

47 | Lattice attacks on NTRU
- Coppersmith, Shamir

47 | Lectures on the Geometry of Numbers
- Siegel
- 1989
Citation Context: ...more generally: Theorem 1 (Minkowski). For all d-dimensional lattices L and all $r \le d$: $\prod_{i=1}^{r} \lambda_i(L) \le \sqrt{\gamma_d}^{\,r}\, \operatorname{vol}(L)^{r/d}$. More information on lattice theory can be found in numerous textbooks, such as [53, 108, 76]. 2.2 Algorithmic problems. In the rest of this section, we assume implicitly that lattices are rational lattices (lattices in $\mathbb{Q}^n$), and d will denote the lattice dimension. The most famous lattice pr...

45 | Approximating shortest lattice vectors is not harder than approximating closest lattice vectors
- Goldreich, Micciancio, et al.
- 1999

43 | Breaking RSA may not be equivalent to factoring
- Boneh, Venkatesan
- 1998
Citation Context: ...re is integer factorization. Note that to prove (or disprove) the equivalence between integer factorization and breaking RSA encryption remains an important open problem in cryptology (latest results [19] suggest that breaking RSA encryption may actually be easier). We already pointed out that in some special cases, lattice reduction leads to efficient factorization: when the factors are partially kno...

43 | Cryptanalysis: a survey of recent results
- Brickell, Odlyzko
- 1988
Citation Context: ...[footnote 1: The technique is however polynomial-time for fixed dimension, which was enough in [74].] cryptology was immediately understood, and they were used to break schemes based on the knapsack problem (see [99, 23]), which were early alternatives to the RSA cryptosystem [100]. The success of reduction algorithms at breaking various cryptographic schemes over the past twenty years (see [61]) has arguably establ...

42 | An attack on RSA given a small fraction of the private key bits
- Boneh, Durfee, et al.
- 1998
Citation Context: ...olynomial (see [32]). Theorem 8 was introduced to factor in polynomial time an RSA modulus N = pq provided that half of the (either least or most significant) bits of either p or q are known (see [32, 14, 16]). This was sufficient to break an ID-based RSA encryption scheme proposed by Vanstone and Zuccherato [111]. Boneh et al. [16] provide another application, for recovering the RSA secret key when a lar...

41 | Noisy Polynomial Interpolation and Noisy Chinese Remaindering
- Bleichenbacher, Nguyen
- 2000
Citation Context: ...m (in dimension n) with high probability. In a different context (polynomial interpolation in the presence of noise), another example of attack based on provable reduction to SVP appeared recently in [10]. In the light of recent results on the complexity of SVP, those reductions from knapsack to SVP may seem useless. Indeed, the NP-hardness of SVP under randomized reductions suggests that there is no ...

41 | The shortest vector problem is NP-hard to approximate to within some constant
- Micciancio
- 2001
Citation Context: ...$L)/\operatorname{vol}(L)^{1/d}$. 2.3 Complexity results. We refer to Cai [24, 25] for an up-to-date survey of complexity results. Ajtai [4] recently proved that SVP is NP-hard under randomized reductions. Micciancio [82, 81] simplified and improved the result by showing that approximating SVP to within a factor $< \sqrt{2}$ is also NP-hard under randomized reductions. The NP-hardness of SVP under deterministic (Karp) reductions...