## Generalized compact knapsacks are collision resistant (2006)


Venue: | In ICALP (2 |

Citations: | 46 - 14 self |

### BibTeX

@INPROCEEDINGS{Lyubashevsky06generalizedcompact,
    author = {Vadim Lyubashevsky and Daniele Micciancio},
    title = {Generalized compact knapsacks are collision resistant},
    booktitle = {In ICALP (2},
    year = {2006},
    pages = {144--155},
    publisher = {Springer}
}

### Abstract

n. A step in the direction of creating efficient cryptographic functions based on worst-case hardness was

### Citations

985 | A Course in Computational Algebraic Number Theory - Cohen - 1995 |

750 | Factoring polynomials with rational coefficients
- Lenstra, Lenstra, et al.
- 1982
Citation Context .... The asymptotically fastest algorithm for computing the shortest vector exactly takes time $2^{O(n)}$ [3] and the best polynomial time algorithm approximates the shortest vector to within a factor of $2^{O(n \log\log n / \log n)}$ [3],[20],[12]. It is conjectured that approximating SVP to within a polynomial factor is a hard problem, although it is shown that (under standard complexity assumptions) for small ... |

312 | A Design Principle for Hash Functions
- Damgård
- 1989
Citation Context ...lems from that area. We believe that this will further our understanding of ideal lattices. There have been many proposed cryptographic primitives whose hardness relied on the knapsack problem (e.g., [13, 7, 6]), but attacks against them (e.g., [21, 11, 22]) rendered the primitives impractical. These attacks, however, were applied to a group-based knapsack problem, and it is unclear how to apply them to our... |

251 | How to Break MD5 and Other Hash Functions
- Wang, Yu
Citation Context ...l lattices (i.e., lattices that can be described as ideals of certain polynomial rings). With current hash functions that are not based on any hardness assumptions, but used in practice, being broken [23, 24, 4], we believe that it may be an appropriate time to consider using efficient hash functions which do have an underlying hardness assumption, especially worst-case ones. Our contributions and comparison... |

169 | Generating hard instances of lattice problems
- Ajtai
- 2004
Citation Context ...ase to average-case reductions, knapsacks 1 Introduction Ever since Ajtai’s discovery of a function whose average-case hardness can be proved based on worst-case complexity assumptions about lattices [2], the possibility of building cryptographic functions whose security is based on worst-case problems has been very alluring. Ajtai’s initial discovery [2] and subsequent developments [5, 15, 17] are v... |

161 | A sieve algorithm for the shortest lattice vector problem
- Ajtai, Kumar, et al.
Citation Context ...ortest vector problem in the infinity norm $\mathrm{SVP}^{\infty}_{\gamma}$ for factor up to $\gamma(n) = n^{1/\log\log n}$ by Dinur [8]. The asymptotically fastest algorithm for computing the shortest vector exactly takes time $2^{O(n)}$ [3] and the best polynomial time algorithm approximates the shortest vector to within a factor of $2^{O(n \log\log n / \log n)}$ [3],[20],[12]. It is conjectured that approximating SVP to within a polynomial ... |

154 | Hiding information and signatures in trapdoor knapsacks
- Merkle, Hellman
Citation Context ...lems from that area. We believe that this will further our understanding of ideal lattices. There have been many proposed cryptographic primitives whose hardness relied on the knapsack problem (e.g., [13, 7, 6]), but attacks against them (e.g., [21, 11, 22]) rendered the primitives impractical. These attacks, however, were applied to a group-based knapsack problem, and it is unclear how to apply them to our... |

134 | NTRU: A Ring-Based Public Key Cryptosystem
- Hoffstein, Pipher, et al.
- 1998
Citation Context ... a discussion of known algorithms for cyclic lattices). Determining the worst-case hardness of lattice problems for ideal lattices is a very interesting open problem. The ring-based cryptosystem NTRU [10] uses lattices that are similar to ours. While that cryptosystem has no known security proofs (not even one based on average-case assumptions), it has resisted attacks. This is perhaps due to the inhe... |

128 | Complexity of lattice problems: A cryptographic perspective - Micciancio, Goldwasser - 2002 |

88 | Worst-case to average-case reductions based on gaussian measures
- Micciancio, Regev
Citation Context ...bout lattices [2], the possibility of building cryptographic functions whose security is based on worst-case problems has been very alluring. Ajtai’s initial discovery [2] and subsequent developments [5, 15, 17] are very interesting from a theoretical point of view because they are essentially the only problems for which such a worst-case / average-case connection is known. Unfortunately, the cryptographic f... |

85 | On the limits of nonapproximability of lattice problems
- Goldreich, Goldwasser
Citation Context ...P to within a polynomial factor is a hard problem, although it is shown that (under standard complexity assumptions) for small polynomial factors it is not NP-hard [1], [9]. 2.3 Gaussian distribution Let X and Y be random variables over a set A with probability density functions $\delta_X$ and $\delta_Y$. We denote the statistical distance between X and Y by $\Delta(X, Y)$. For any vectors ... |

63 | A polynomial time algorithm for breaking the basic Merkle-Hellman cryptosystem
- Shamir
- 1982
Citation Context ...l further our understanding of ideal lattices. There have been many proposed cryptographic primitives whose hardness relied on the knapsack problem (e.g., [13, 7, 6]), but attacks against them (e.g., [21, 11, 22]) rendered the primitives impractical. These attacks, however, were applied to a group-based knapsack problem, and it is unclear how to apply them to our ring-based one. Also, none of those primitives... |

56 | An improved worst-case to average-case connection for lattice problems
- Cai, Nerurkar
Citation Context ...bout lattices [2], the possibility of building cryptographic functions whose security is based on worst-case problems has been very alluring. Ajtai’s initial discovery [2] and subsequent developments [5, 15, 17] are very interesting from a theoretical point of view because they are essentially the only problems for which such a worst-case / average-case connection is known. Unfortunately, the cryptographic f... |

50 | Generalized compact knapsacks, cyclic lattices, and efficient one-way functions
- Micciancio
Citation Context ...ey size and computation time at least quadratic in the security parameter n. A step in the direction of creating efficient cryptographic functions based on worst-case hardness was taken by Micciancio [14]. He showed how to create a family of efficiently computable one-way functions, namely, the generalized compact knapsack functions described in the abstract, whose security is based on a certain probl... |

49 | Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices
- Peikert, Rosen
- 2006
Citation Context ...le, but essential, as we can show that the generalized compact knapsack instances considered in [14] are not collision resistant. Concurrently with, and independently from our work, Peikert and Rosen [18] have shown, using very similar techniques, that the one-way function in [14] is not collision resistant and showed how to construct collision-resistant hash functions based on the hardness of finding... |

36 | A Knapsack Type Public Key Cryptosystem Based on Arithmetic
- Chor, Rivest
Citation Context ...lems from that area. We believe that this will further our understanding of ideal lattices. There have been many proposed cryptographic primitives whose hardness relied on the knapsack problem (e.g., [13, 7, 6]), but attacks against them (e.g., [21, 11, 22]) rendered the primitives impractical. These attacks, however, were applied to a group-based knapsack problem, and it is unclear how to apply them to our... |

32 | Almost perfect lattices, the covering radius problem, and applications to Ajtai’s connection factor
- Micciancio
Citation Context ...out lattices [2], the possibility of building cryptographic functions whose security is based on worst-case problems has been very alluring. Ajtai's initial discovery [2] and subsequent developments [5, 15, 17] are very interesting from a theoretical point of view because they are essentially the only problems for which such a worst-case / average-case connection is known. Unfortunately, the cryptographic fu... |

30 | A hierarchy of polynomial time basis reduction algorithms, manuscript
- Schnorr
- 1984
Citation Context ...r [8]. The asymptotically fastest algorithm for computing the shortest vector exactly takes time $2^{O(n)}$ [3] and the best polynomial time algorithm approximates the shortest vector to within a factor of $2^{O(n \log\log n / \log n)}$ [3],[20],[12]. It is conjectured that approximating SVP to within a polynomial factor is a hard problem, although it is shown that (under standard complexity assumptions) for s... |

22 | Lattice problems in NP ∩ coNP
- Aharonov, Regev
Citation Context ...g SVP to within a polynomial factor is a hard problem, although it is shown that (under standard complexity assumptions) for small polynomial factors it is not NP-hard [1], [9]. 2.3 Gaussian distribution Let X and Y be random variables over a set A with probability density functions $\delta_X$ and $\delta_Y$. We denote the statistical distance between X and Y by $\Delta(X, Y)$. For any vec... |

21 | Cryptanalysis of the Chor-Rivest cryptosystem
- Vaudenay
- 1998
Citation Context ...l further our understanding of ideal lattices. There have been many proposed cryptographic primitives whose hardness relied on the knapsack problem (e.g., [13, 7, 6]), but attacks against them (e.g., [21, 11, 22]) rendered the primitives impractical. These attacks, however, were applied to a group-based knapsack problem, and it is unclear how to apply them to our ring-based one. Also, none of those primitives... |

11 | A practical attack against knapsack based hash functions
- Joux, Granboulan
Citation Context ...l further our understanding of ideal lattices. There have been many proposed cryptographic primitives whose hardness relied on the knapsack problem (e.g., [13, 7, 6]), but attacks against them (e.g., [21, 11, 22]) rendered the primitives impractical. These attacks, however, were applied to a group-based knapsack problem, and it is unclear how to apply them to our ring-based one. Also, none of those primitives... |

8 | Approximating SVP∞ to within almost-polynomial factors is NP-hard
- Dinur
- 2000
Citation Context ..., but most of our results are easily translated to other norms as well. The shortest vector problem in the infinity norm $\mathrm{SVP}^{\infty}_{\gamma}$ was shown to be NP-hard for factor up to $\gamma(n) = n^{1/\log\log n}$ by Dinur [8]. The asymptotically fastest algorithm for computing the shortest vector exactly takes time $2^{O(n)}$ [3] and the best polynomial time algorithm approximates the shortest vector to within a factor of $2^{O(n \log\log n / \log n)}$ [3],[20],... |

6 | Another NP-complete problem and the complexity of computing short vectors in a lattice - van Emde Boas - 1981 |

3 | Lattice problems in NP ∩ coNP
- Aharonov, Regev
- 1996
Citation Context ... conjectured that approximating SVP to within a polynomial factor is a hard problem, although it is shown that (under standard complexity assumptions) for small polynomial factors it is not NP-hard [1], [9]. 2.3 Gaussian distribution Let X and Y be random variables over a set A with probability density functions $\delta_X$ and $\delta_Y$. We denote the statistical distance between X and Y by $\Delta(X, Y)$. F... |

1 | Collisions of SHA-0 and reduced SHA-1
- Biham, Chen, et al.
- 1997
Citation Context ...al lattices (i.e., lattices that can be described as ideals of certain polynomial rings). With current hash functions that are not based on any hardness assumptions, but used in practice, being broken [23, 24, 4], we believe that it may be an appropriate time to consider using efficient hash functions which do have an underlying hardness assumption, especially worst-case ones. Our contributions and comparison ... |

1 | On the limits of nonapproximability of lattice problems - Lattices, Vieweg, et al. |