## Lattice Reduction: a Toolbox for the Cryptanalyst (1994)

Venue: Journal of Cryptology

Citations: 55 (7 self)

### BibTeX

```bibtex
@ARTICLE{Joux94latticereduction:,
  author  = {Antoine Joux and Jacques Stern},
  title   = {Lattice Reduction: a Toolbox for the Cryptanalyst},
  journal = {Journal of Cryptology},
  year    = {1994},
  volume  = {11},
  pages   = {161--185}
}
```

### Abstract

In recent years, methods based on lattice reduction have been used repeatedly for the cryptanalytic attack of various systems. Even if they do not rest on highly sophisticated theories, these methods may look a bit intricate to practically oriented cryptographers, both from the mathematical and the algorithmic point of view. The aim of the present paper is to explain what can be achieved by lattice reduction algorithms, even without an understanding of the actual mechanisms involved. Two examples are given, one of them being the attack devised by the second named author against Knuth's truncated linear congruential generator, which was announced a few years ago and appears here for the first time in journal version.

### Citations

- 2197 | The art of computer programming - Knuth - 1973
  Context: ...m is chosen as well as a multiplier a, relatively prime to m, and an increment b. Then, from a given seed $x_0$, one can generate the sequence $(x_i)$, defined by $x_{i+1} = (a x_i + b) \bmod m$. Knuth's book ([Knu69]) contains a thorough discussion of these generators. In case all the bits of the successive $x_i$'s are announced, the sequence becomes exactly predictable even if the modulus, the multiplier and th...

- 697 | Factoring polynomials with rational coefficients - Lenstra, Lenstra, et al. - 1982
  Context: ...rithm of the same flavor had already been included in Lenstra's work on integer programming (cf. [Len83], circulated around 1979) and the lattice reduction algorithm reached a final form in the paper [LLL82] of Lenstra, Lenstra and Lovász, from which the name LLL algorithm comes. Further refinements of the LLL algorithm were proposed by Schnorr ([Sch87, Sch88]). The relevance of those algorithms to cryp...

- 288 | A Design Principle for Hash Functions - Damgård - 1989
  Context: ...case where m is prime and a window of successive bits of the $x_i$'s is announced. We find the details too technical to be included in the present paper. 3.2 Cryptanalysis of Damgård's hash function. In [Dam89], Damgård proposed to base a hash function on a knapsack compression function using 256 (non-modular) numbers $a_i$ of size 120 bits. His idea was to divide the message to be hashed into blocks of 128 b...

- 234 | Integer programming with a fixed number of variables - Lenstra - 1983
  Context: ...ynomial-time algorithm that computes a so-called reduced basis of a lattice. Actually, a reduction algorithm of the same flavor had already been included in Lenstra's work on integer programming (cf. [Len83], circulated around 1979) and the lattice reduction algorithm reached a final form in the paper [LLL82] of Lenstra, Lenstra and Lovász, from which the name LLL algorithm comes. Further refinements of...

- 212 | Lattice basis reduction: improved practical algorithms and solving subset sum problems. In Fundamentals of computation theory (Gosen) - Schnorr, Euchner - 1991

- 147 | Hiding information and signatures in trapdoor knapsacks - Merkle, Hellman - 1978
  Context: ...). The relevance of those algorithms to cryptography was immediately understood: in April 1982, Shamir ([Sha82]) found a polynomial time algorithm breaking the Merkle-Hellman public key cryptosystem ([MH78]) based on the knapsack problem, that had been basically the unique alternative to RSA. Shamir used Lenstra's integer programming algorithm but, the same year, Adleman ([Adl83]) extended Shamir's work...

- 113 | A Hierarchy of Polynomial Time Lattice Basis Reduction Algorithms - Schnorr - 1987
  Context: ...described above corresponds to the value $\gamma = 3/4$ and if another value of $\gamma$ is chosen, then the powers of two appearing in the above facts must be replaced by the same powers of $4/(4\gamma - 1)$. In [Sch87], Schnorr proposes a whole hierarchy of lattice reduction algorithms, which are extensions of the LLL algorithms and which he calls blockwise Korkine-Zolotareff reductions (BKZ). What changes here is t...

- 107 | Solving low-density subset sum problems - Lagarias, Odlyzko
  Context: ...xtended Shamir's work by treating the cryptographic problem as a lattice problem rather than a linear programming problem. Further improvements of these methods were obtained by Lagarias and Odlyzko ([LO83]), by Brickell ([Bri85]) and, more recently, by Coster, La Macchia, Odlyzko, Schnorr and the authors ([CJL+92]). Lattice reduction has also been applied successfully in various other cryptographic co...

- 65 | Geometrie der Zahlen - Minkowski - 1896
  Context: ...ice reduction goes back to the theory of quadratic forms developed by Lagrange, Gauss, Hermite, Korkine-Zolotareff and others (see [Lag73, Gau01, Her50, KZ73]) and to Minkowski's geometry of numbers ([Min10]). With the advent of algorithmic number theory, the subject had a revival around 1980, when Lovász found a polynomial-time algorithm that computes a so-called reduced basis of a lattice. Actually,...

- 60 | Sur les formes quadratiques - Korkine, Zolotareff

- 57 | Disquisitiones arithmeticae - Gauss - 1966

- 39 | A more efficient algorithm for lattice basis reduction - Schnorr - 1988

- 33 | Breaking Iterated Knapsacks - Brickell - 1985
  Context: ...by treating the cryptographic problem as a lattice problem rather than a linear programming problem. Further improvements of these methods were obtained by Lagarias and Odlyzko ([LO83]), by Brickell ([Bri85]) and, more recently, by Coster, La Macchia, Odlyzko, Schnorr and the authors ([CJL+92]). Lattice reduction has also been applied successfully in various other cryptographic contexts: against a versi...

- 30 | On the Lagarias-Odlyzko Algorithm for the Subset Sum Problem - Frieze - 1986

- 26 | On Breaking Generalized Knapsack Public Key Cryptosystems - Adleman - 1983
  Context: ...public key cryptosystem ([MH78]) based on the knapsack problem, that had been basically the unique alternative to RSA. Shamir used Lenstra's integer programming algorithm but, the same year, Adleman ([Adl83]) extended Shamir's work by treating the cryptographic problem as a lattice problem rather than a linear programming problem. Further improvements of these methods were obtained by Lagarias and Odlyzk...

- 26 | A polynomial-time algorithm for breaking the basic Merkle-Hellman cryptosystem - Shamir
  Context: ...gorithm comes. Further refinements of the LLL algorithm were proposed by Schnorr ([Sch87, Sch88]). The relevance of those algorithms to cryptography was immediately understood: in April 1982, Shamir ([Sha82]) found a polynomial time algorithm breaking the Merkle-Hellman public key cryptosystem ([MH78]) based on the knapsack problem, that had been basically the unique alternative to RSA. Shamir used Lenst...

- 16 | Extraits de lettres de M. Hermite à M. Jacobi sur différents objets de la théorie des nombres, deuxième lettre - Hermite

- 16 | Inferring a sequence generated by a linear congruence - Plumstead - 1982
  Context: ...ase all the bits of the successive $x_i$'s are announced, the sequence becomes exactly predictable even if the modulus, the multiplier and the increment are not known. This is a result of J. Boyar (see [Plu82]). The journal version [Boy89], which appeared after [Ste87], extends the initial method to the case where a small portion of the lower bits are discarded. The idea of outputting the leading bits of e...

- 16 | Secret Linear Congruential Generators are not Cryptographically Secure - Stern - 1987
  Context: ...ography, without requiring any understanding of the actual mechanisms involved in the algorithms. Of course, this was also an opportunity to publish, in final form, results that had been announced in [Ste87] and [GJ94]. 1.2 Functional description of lattice reduction algorithms. As was already mentioned, a lattice L consists of all integral linear combinations 1 b 1 + ··· + s p b p of a given set of n-...

- 13 | Deciphering a linear congruential encryption - Knuth - 1985
  Context: ...thod to the case where a small portion of the lower bits are discarded. The idea of outputting the leading bits of each of the $x_i$'s in order to increase the resistance of the LCG goes back to Knuth ([Knu80]). Thus, one can output, for example, half of the bits or a smaller proportion. The predictability of the resulting sequence has been investigated by Frieze, Håstad, Kannan, Lagarias and Shamir ([FHK...

- 12 | Inferring sequences produced by a linear congruential generator missing low-order bits - Boyar - 1989
  Context: ...sive $x_i$'s are announced, the sequence becomes exactly predictable even if the modulus, the multiplier and the increment are not known. This is a result of J. Boyar (see [Plu82]). The journal version [Boy89], which appeared after [Ste87], extends the initial method to the case where a small portion of the lower bits are discarded. The idea of outputting the leading bits of each of the $x_i$'s in order to i...

- 10 | A Practical Attack against Knapsack based hash functions - Joux, Granboulan
  Context: ...hout requiring any understanding of the actual mechanisms involved in the algorithms. Of course, this was also an opportunity to publish, in final form, results that had been announced in [Ste87] and [GJ94]. 1.2 Functional description of lattice reduction algorithms. As was already mentioned, a lattice L consists of all integral linear combinations 1 b 1 + ··· + s p b p of a given set of n-...

- 7 | La Réduction des Réseaux en Cryptographie. PhD thesis, Laboratoire d'Informatique de l'École Normale Supérieure (LIENS) - Joux - 1993
  Context: ...ice-based attacks against knapsack problems. However, discussing the influence of $\alpha$ is somewhat technical and is not within the scope of this article. We refer the interested reader to [CJL+92] or [Jou93]. In the sequel, we will consider the most natural case and set $\alpha = 1/2$. Another parameter that is quite important in knapsack problems is the density of the knapsack: $d = n / \log_2(\max_i a_i)$. This...

- 6 | Recherches d'arithmétique - Lagrange

- 5 | The cryptanalysis of a new public-key cryptosystem based on modular knapsacks - Chee - 1992

- 4 | Cryptanalysis of another knapsack cryptosystem - Joux, Stern - 1991

- 2 | The knapsack hash-function proposed at crypto'89 can be broken - Camion, Patarin - 1991
  Context: ... that it is feasible to build collisions for Damgård's hash function. A completely different kind of attack against this hash function has already appeared in the work of P. Camion and J. Patarin ([CP91]). Still, it has never been implemented, and besides, it could only find collisions for the compression function rather than for the hash function itself. In contrast with this approach, our attack ru...

- 2 | Cryptanalysis of a public-key cryptosystem based on approximations by rational numbers - Stern, Toffin - 1990
  Context: ...texts: against a version of Blum's protocol for exchanging secrets ([FHK+88]), against truncated linear congruential generators ([FHK+88, Ste87]), against cryptosystems based on rational numbers ([ST90]) or modular knapsacks ([JS91, CJS91]). Despite the available literature, papers are still submitted (and sometimes published) that describe cryptographic protocols that can be broken, via lattice red...