### Citations

3529 | New directions in cryptography
- Diffie, Hellman
- 1976
(Show Context)
Citation Context ...f DSS, such that someday the security and efficiency issues of NTRUSign may be amended.s2.2 Hash-and-sign signaturessDSSs based on the hash-and-sign paradigm follow seminal work by Diffie and Hellman =-=[30]-=-. The concept followssthe criterion that a message, μ, should be hashed before being signed. That is, to sign a message, first hash μ tossome point h = H(μ), which must be in the range of the trapdoor... |

1636 | Random oracles are practical: A paradigm for designing efficient protocols
- Bellare, Rogaway
- 1993
(Show Context)
Citation Context ...it is signed σ =sf -1 (h) and a verification algorithm checks that f(σ) =sH(μ) to confirm whether (σ,μ) is a valid message/signature pair. This theory became the foundation for full-domainshash (FDH) =-=[31]-=-, with the hash function H() being modelled on a random oracle. Where f is a trapdoorspermutation, the scheme is shown to be existentially unforgeable under a chosen-message attack. The relationslatt... |

1270 | Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer
- SHOR
- 1997
(Show Context)
Citation Context ...With the onset of quantum computers ever looming, the computational power it could provide would causesinstant insecurity to many of today’s universally used cryptographic schemes by virtue of Shor’s =-=[1]-=- algorithm.sSpecifically, schemes based on the discrete-logarithm problem or number-theoretic hard problems, whichssubsume almost all public-key encryption schemes used on the Internet, including elli... |

1121 | An algorithm for the machine calculation of complex fourier series - Cooley - 1965 |

1119 | Differential Power Analysis
- Kocher, Jaffe, et al.
- 1999
(Show Context)
Citation Context ...this stage more efficient could result in significant improvements overall. As lattice-basedsDSSs become more practical and publicly available, further attack vectors like side-channel analysis (SCA) =-=[53]-=- havesto be considered. Timing and fault injection attacks, power, electro-magnetic analysis and advanced machineslearning-based attacks are serious threats to many real-world implementations. Recent ... |

1019 | How to prove yourself: Practical solutions to identification and signature problems
- Fiat, Shamir
- 1986
(Show Context)
Citation Context ... Fiat-Shamir SignaturessAn alternative way of constructing a DSS is to first build an identification scheme of a certain form, then convertingsit into a DSS by means of the Fiat-Shamir transformation =-=[35, 36]-=-. Lattice-based signature schemes which use thesFiat-Shamir transformation are mainly due to research by Lyubashevsky et al. [14, 37-41]. The procedures in thesfirst publication by Lyubashevsky [37] a... |

1008 |
Elliptic Curve Cryptosystems
- Koblitz
- 1987
(Show Context)
Citation Context ...schemessbegin to replace current public-key cryptography and their integration into practical applications needs to besexplored. For example, ECC was proposed independently by Miller [19] and Koblitz =-=[20]-=- in 1986/1987, but it tooks20 years until it appeared in actual security systems. Even with relatively little cryptanalysis and low confidence insparameters sets, the most critical issue to date with ... |

739 |
Use of elliptic curves in cryptography
- Miller
- 1986
(Show Context)
Citation Context ...ice-based crypto schemessbegin to replace current public-key cryptography and their integration into practical applications needs to besexplored. For example, ECC was proposed independently by Miller =-=[19]-=- and Koblitz [20] in 1986/1987, but it tooks20 years until it appeared in actual security systems. Even with relatively little cryptanalysis and low confidence insparameters sets, the most critical is... |

658 | Fully homomorphic encryption using ideal lattices
- Gentry
(Show Context)
Citation Context ...earch field. As a result,sconcepts such as functional encryption [4], identity-based encryption [5, 6], attribute-based encryption [7], groupssignature schemes [8-10] and fully homomorphic encryption =-=[11, 12]-=- have been developed. On the practical front,ssome constructions of public-key encryption schemes and digital signature schemes based on lattice problems aresnow more practical than traditional scheme... |

394 | Efficient Identification and Signatures for Smart Cards - Schnorr - 1989 |

209 | A sieve algorithm for the shortest lattice vector problem
- Ajtai, Kumar, et al.
(Show Context)
Citation Context ...schemes. Computational problems that exist within the lattice environment, such as finding thesshortest vector (SVP) or finding the closest vector (CVP) are thought to be immune to quantum reductions =-=[2,3]-=-swhich imply its conjectured intractability. Such properties show promise, with regards to security andspracticability, for replacing current encryption schemes that would be susceptible to attacks in... |

207 | A fully homomorphic encryption scheme
- Gentry
- 2009
(Show Context)
Citation Context ...earch field. As a result,sconcepts such as functional encryption [4], identity-based encryption [5, 6], attribute-based encryption [7], groupssignature schemes [8-10] and fully homomorphic encryption =-=[11, 12]-=- have been developed. On the practical front,ssome constructions of public-key encryption schemes and digital signature schemes based on lattice problems aresnow more practical than traditional scheme... |

203 | NTRU: A Ring-Based Public Key Cryptosystem
- Hoffstein, Pipher, et al.
- 1998
(Show Context)
Citation Context ...attice problems generally fall into three categories: 1) GGH/NTRUSign signatures;s2) Hash-and-sign signatures; and 3) Fiat- Shamir signatures.s2.1 GGH/NTRUSign signaturessThe GGH [21] and NTRUEncrypt =-=[22]-=- cryptosystems were among the first shown to be based on the hardness ofslattice problems, specifically based on solving the approximate closest vector problem. The difference betweensthese schemes is... |

189 | Trapdoors for hard lattices and new cryptographic constructions
- Gentry, Peikert, et al.
- 2008
(Show Context)
Citation Context ...ttack. The relationslattices have to hash-and-sign signatures is the intuition that a short basis for a lattice could provide such astrapdoor function. This led to the first proposal by Gentry et al. =-=[32]-=- (GPV), showing a DSS based on the hardness ofslattice problems. Central to the scheme is the construction of trapdoor functions with the necessary property thatsevery output value has several preimag... |

160 | Fast Fourier Transform and Convolution Algorithms - Nussbaumer - 1982 |

147 | Public-key cryptosystems from lattice reduction problems
- Goldreich, Goldwasser, et al.
- 1997
(Show Context)
Citation Context ... on the hardness of lattice problems generally fall into three categories: 1) GGH/NTRUSign signatures;s2) Hash-and-sign signatures; and 3) Fiat- Shamir signatures.s2.1 GGH/NTRUSign signaturessThe GGH =-=[21]-=- and NTRUEncrypt [22] cryptosystems were among the first shown to be based on the hardness ofslattice problems, specifically based on solving the approximate closest vector problem. The difference bet... |

142 | Generating hard instances of lattice problems (extended abstract - Ajtai - 1996 |

122 | On Ideal Lattices and Learning with Errors over Rings
- Lyubashevsky, Peikert, et al.
- 2010
(Show Context)
Citation Context ...ugh thesrobustness of this hardness assumption, in comparison to general lattices, has not been explicitly proven, it issgenerally considered that most problems still remain hard using ideal lattices =-=[17, 18]-=-. Additionally, using idealslattices offers a significant speed-up and reduction in key sizes for almost all cryptographic protocols, in particular,sin encryption schemes and digital signatures. Howev... |

109 | Functional encryption: Definitions and challenges
- Boneh, Sahai, et al.
- 2011
(Show Context)
Citation Context ...sceptible to attacks in a post-quantumsworld.sIn recent years there has been a tremendous growth in lattice-based cryptography as a research field. As a result,sconcepts such as functional encryption =-=[4]-=-, identity-based encryption [5, 6], attribute-based encryption [7], groupssignature schemes [8-10] and fully homomorphic encryption [11, 12] have been developed. On the practical front,ssome construct... |

82 | An adaptation of the fast Fourier transform for parallel processing - Pease - 1968 |

76 |
Approximating CVP to Within AlmostPolynomial Factors is NP-Hard
- Dinur, Kindler, et al.
- 2003
(Show Context)
Citation Context ...schemes. Computational problems that exist within the lattice environment, such as finding thesshortest vector (SVP) or finding the closest vector (CVP) are thought to be immune to quantum reductions =-=[2,3]-=-swhich imply its conjectured intractability. Such properties show promise, with regards to security andspracticability, for replacing current encryption schemes that would be susceptible to attacks in... |

71 | Better key sizes (and attacks) for LWE-based encryption. - LINDNER, PEIKERT - 2011 |

70 | Generalized compact knapsacks, cyclic lattices, and efficient one-way functions - Micciancio - 2007 |

68 | Generating shorter bases for hard random lattices
- Alwen, Peikert
- 2009
(Show Context)
Citation Context ...scheme by Micciancio and Peikert [33] also adopts hash-and-sign, introducing a more efficientstrapdoor than the one used in GPV. Improvements to the key generation were also made by Alwen and Peikerts=-=[34]-=-.s2.3 Fiat-Shamir SignaturessAn alternative way of constructing a DSS is to first build an identification scheme of a certain form, then convertingsit into a DSS by means of the Fiat-Shamir transforma... |

66 |
Trapdoors for lattices
- Micciancio, Peikert
- 2012
(Show Context)
Citation Context ...nctions with the necessary property thatsevery output value has several preimages, the Gaussian sampling algorithm and also the use of modular lattices. Asmore recent scheme by Micciancio and Peikert =-=[33]-=- also adopts hash-and-sign, introducing a more efficientstrapdoor than the one used in GPV. Improvements to the key generation were also made by Alwen and Peikerts[34].s2.3 Fiat-Shamir SignaturessAn a... |

59 | The fast Fourier transform in a finite field,” - Pollard - 1971 |

52 | Algorithms to construct Minkowski reduced and Hermite reduced lattice bases, Theor - Helfrich - 1985 |

51 | Swifft: A modest proposal for fft hashing - Lyubashevsky, Micciancio, et al. - 2008 |

44 | Lattice Signatures without Trapdoors
- Lyubashevsky
- 2012
(Show Context)
Citation Context ... furthermore finding a collision in a randomly chosen h H is equivalent to finding short vectors in aslattice over R, that is, the ring-SIS problem.sThe subsequent improvements made by Lyubashevsky =-=[38]-=- (LYU) were twofold. The most significant change is thatsof the hardness assumption used, adapting from ring-SIS to ring-LWE, which is shown to significantly decrease thessizes of the signature and th... |

43 | D.: Classical hardness of learning with errors - Brakerski, Langlois, et al. - 2013 |

38 | On the power of power analysis in the real world: A complete break of the KeeLoq code hopping scheme.
- Eisenbarth, Kasper, et al.
- 2008
(Show Context)
Citation Context ...ro-magnetic analysis and advanced machineslearning-based attacks are serious threats to many real-world implementations. Recent work has shown that SCAsattacks are applicable in real-world situations =-=[54]-=-. There has been very little research conducted on thesvulnerabilities of lattice-based cryptographic implementations to physical attacks. It is anticipated that there maysbe a particular vulnerabilit... |

37 | C.: From identification to signatures via the fiat-shamir transform: Minimizing assumptions for security and forward-security
- Abdalla, An, et al.
- 2002
(Show Context)
Citation Context ... Fiat-Shamir SignaturessAn alternative way of constructing a DSS is to first build an identification scheme of a certain form, then convertingsit into a DSS by means of the Fiat-Shamir transformation =-=[35, 36]-=-. Lattice-based signature schemes which use thesFiat-Shamir transformation are mainly due to research by Lyubashevsky et al. [14, 37-41]. The procedures in thesfirst publication by Lyubashevsky [37] a... |

29 | 2012. Mathematics of Public-Key Cryptography - Galbraith |

28 | T.: Practical lattice-based cryptography: A signature scheme for embedded systems
- Güneysu, Lyubashevsky, et al.
(Show Context)
Citation Context ...rssecurity level, and with the added properties of consuming less resources and greater adaptability for scaling. Withsregards to digital signature schemes, the two most notable are by Güneysu et al. =-=[14]-=- and Pöppelmann et al. [15]swith the former implementation resulting in a 1.5x speed improvement compared to an equivalent RSA design,sand the latter scheme being faster, consuming less resources, nee... |

25 | NSS: An NTRU Lattice-Based Signature Scheme
- Hoffstein, Pipher, et al.
- 2001
(Show Context)
Citation Context ...tosystemsincluded a DSS, in turn forming the basis of NTRUSign [23] which combined almost the entire design of GGH butsuses the NTRU lattices employed in NTRUEncrypt. The predecessor to NTRUSign, NSS =-=[24]-=-, was broken by Gentryset al. [25, 26] and incidently NTRUSign suffered the same fate with works by Nguyen and Regev [27], which showssexperimental results recovering the secret-key with 400 signature... |

23 | Lattice signatures and bimodal Gaussians.
- DUCAS, DURMUS, et al.
- 2013
(Show Context)
Citation Context ...own to besstrongly unforgeable and is based on the worst-case hardness of finding short vectors in a lattice.sThe current state-of-the-art in lattice-based DSSs is the proposed scheme by Ducas et al. =-=[41]-=- named BLISS. Thesmain contribution of this work is the significant improvement in the rejection sampling stage. As a consequence,sthis scheme presents an important bridge between theoretical and prac... |

23 | Pseudorandom Knapsacks and the Sample Complexity of LWE Search-to-Decision Reductions - Micciancio, Mol - 2011 |

22 | Article A, Publication date: January YYYY - unknown authors |

20 | A Group Signature Scheme from Lattice Assumptions - Gordon, Katz, et al. - 2010 |

20 | Efficient Reductions Among Lattice Problems - Micciancio - 2008 |

16 | On the Design of Hardware Building Blocks for Modern Lattice-Based Encryption Schemes - Göttert, Feller, et al. - 2012 |

15 | Enhanced lattice-based signatures on reconfigurable hardware. - PÖPPELMANN, DUCAS, et al. - 2014 |

14 | Attribute-Based Functional Encryption on Lattices
- Boyen
- 2013
(Show Context)
Citation Context ...e has been a tremendous growth in lattice-based cryptography as a research field. As a result,sconcepts such as functional encryption [4], identity-based encryption [5, 6], attribute-based encryption =-=[7]-=-, groupssignature schemes [8-10] and fully homomorphic encryption [11, 12] have been developed. On the practical front,ssome constructions of public-key encryption schemes and digital signature scheme... |

14 | Sampling from Discrete Gaussians for Lattice-based Cryptography on a Constrained Device,” Applicable Algebra
- Dwarakanath, Galbraith
- 2014
(Show Context)
Citation Context ...for implementations on both large and lightweight devices. Another modulespertaining to one of the more computationally expensive in hardware is the Gaussian sampling stage.sDwarakanath and Galbraith =-=[51]-=- and Roy et al. [52] look into different approaches to efficiently compute such asstage for constrained devices. As shown by [15] and [46] the CDT approach is best suited for larger devices withsthe B... |

14 | Practical Fast Polynomial Multiplication - Moenck - 1976 |

13 | Estimating the Security of Lattice-based Cryptosystems - Rückert, Schneider - 2010 |

12 | An improved compression technique for signatures based on learning with errors. - BAI, GALBRAITH - 2014 |

12 | Improvement and efficient implementation of a lattice-based signature scheme. IACR Cryptology ePrint Archive
- Bansarkhani, Buchmann
- 2013
(Show Context)
Citation Context ... slow rejection sampling and relies on the NTL librarysfor basic arithmetic. For GPV [32], initial outputs and key sizes were many megabits long and even withsimprovements by Bansarkhani and Buchmann =-=[45]-=-, signature and key sizes are still large in practice, around 250 kbsfor security of around 100-bits. With the improvements proposed by Micciancio and Peikert [33], their schemesalleviates the sizes o... |

12 | Hea An, Mihir Bellare, and Chanathip Namprempre. From identification to signatures via the Fiat-Shamir transform: Minimizing assumptions for security and forward-security - Abdalla, Jee - 2002 |

12 | Towards practical lattice-based public-key encryption on reconfigurable hardware. - PÖPPELMANN, GÜNEYSU - 2013 |

11 |
Towards Efficient Arithmetic for Lattice-Based Cryptography on Reconfigurable Hardware
- Pöppelmann, Güneysu
- 2012
(Show Context)
Citation Context ... suboptimal given works on fast multiplication such as [13]. The BLISS implementation bysPöppelmann et al. [15] uses the Number Theoretic Transform (NTT) multiplier proposed by Pöppelmann andsGüneysu =-=[49]-=- and achieves high throughput for signing and verification. The resource consumption is alsosreasonable and the design fits on low-cost Spartan-6 devices. Usage of the improved NTT multiplier design b... |

10 | Alain Durmus, Tancrède Lepoint, and Vadim Lyubashevsky. 2013. Lattice Signatures and Bimodal Gaussians - Ducas |

9 | Software speed records for lattice-based signatures.
- GÜNEYSU, ODER, et al.
- 2013
(Show Context)
Citation Context ...tiplication, the vectorised GLP implementation is twice as fast as BLISS.sThus in the future, it is expected that BLISS could be further improved by applying the vectorisation ideas ofsGüneysu et al. =-=[43]-=-. Moreover, for the signing procedure of BLISS, the impact of higher security levels onsperformance is moderate as n and q stay the same, with the significant changes being in the Gaussian sampler and... |

8 | Fully Anonymous Attribute Tokens from Lattices - Camenisch, Neven, et al. - 2012 |

7 | Lattice-Based Group Signatures with Logarithmic Signature Size - Laguillaumie, Langlois, et al. - 2013 |

7 | Tightly-Secure Signatures from Lossy Identification Schemes - Abdalla, Fouque, et al. - 2012 |

7 |
Comparison of innovative signature algorithms for WSNs
- Driessen, Poschmann, et al.
- 2008
(Show Context)
Citation Context ...entations of Lattice-based Digital Signature SchemessAs previously discussed, there are currently no practical instantiations of the GGH [21] signature schemes andsimplementations of NTRUSign such as =-=[42]-=- are vulnerable to cryptanalysis, so they are not considered in thissevaluation. Lattice-based schemes investigated here for which implementation results are available are GPV [32,s33], LYU [38], GLP ... |

7 | High Precision Discrete Gaussian Sampling on FPGAs
- Roy, Vercauteren, et al.
- 2014
(Show Context)
Citation Context ...on both large and lightweight devices. Another modulespertaining to one of the more computationally expensive in hardware is the Gaussian sampling stage.sDwarakanath and Galbraith [51] and Roy et al. =-=[52]-=- look into different approaches to efficiently compute such asstage for constrained devices. As shown by [15] and [46] the CDT approach is best suited for larger devices withsthe Bernoulli approach sh... |

7 | The Fiat-Shamir transformation in a quantum world
- Dagdelen, Fischlin, et al.
- 2013
(Show Context)
Citation Context ... still secure to a quantumsadversary. Although making the DSSs less efficient, schemes by Gentry et al. [32] and Lyubashevsky [38] aresrespectively shown by Boneh and Zhandry [55] and Dagdelen et al. =-=[56]-=- to be secure to such an adversary, creatingsthe quantum random oracle model. This could also motivate an important area for future research, such assproving security for more DSSs to a quantum advers... |

6 | T.: Efficient identity-based encryption over NTRU lattices
- Ducas, Lyubashevsky, et al.
- 2014
(Show Context)
Citation Context ...quantumsworld.sIn recent years there has been a tremendous growth in lattice-based cryptography as a research field. As a result,sconcepts such as functional encryption [4], identity-based encryption =-=[5, 6]-=-, attribute-based encryption [7], groupssignature schemes [8-10] and fully homomorphic encryption [11, 12] have been developed. On the practical front,ssome constructions of public-key encryption sche... |

6 | Worst-case to average-case reductions for module lattices. Designs, Codes and Cryptography
- Langlois, Stehlé
- 2014
(Show Context)
Citation Context ...ugh thesrobustness of this hardness assumption, in comparison to general lattices, has not been explicitly proven, it issgenerally considered that most problems still remain hard using ideal lattices =-=[17, 18]-=-. Additionally, using idealslattices offers a significant speed-up and reduction in key sizes for almost all cryptographic protocols, in particular,sin encryption schemes and digital signatures. Howev... |

6 | I.: Efficient software implementation of Ring-LWE encryption - Clercq, Roy, et al. |

6 | An FPGA implementation of the NTRUEncrypt cryptosystem - Kamal, Youssef - 2009 |

6 | Hardware realization of a Fermat number transform,” - McClellan - 1976 |

4 |
Area Optimization of Lightweight Lattice-Based Encryption on Reconfigurable Hardware
- Pöppelmann, Güneysu
(Show Context)
Citation Context ...the added properties of consuming less resources and greater adaptability for scaling. Withsregards to digital signature schemes, the two most notable are by Güneysu et al. [14] and Pöppelmann et al. =-=[15]-=-swith the former implementation resulting in a 1.5x speed improvement compared to an equivalent RSA design,sand the latter scheme being faster, consuming less resources, needing less iterations and at... |

4 | R.: On constrained implementation of lattice-based cryptographic primitives and schemes on smart cards
- Boorghany, Sarmadi, et al.
(Show Context)
Citation Context ...ifferent samplers (Bernoulli, Knuth-Yao and Discrete Ziggurat) andsrunning at 168 MHz; the device produces 28 signing, 167 verification and 0.46 key generation operations perssecond. Boorghany et al. =-=[47]-=- and Boorghany and Jalili [48] provide an implementation of GLP and BLISS used as ansidentification scheme on 8-bit architectures (Atmega and ATxmega), showing that lattice-based DSSs perform wellseve... |

4 | Pierre-Alain Fouque, Vadim Lyubashevsky, and Mehdi Tibouchi. 2012. Tightly-Secure Signatures from Lossy Identification Schemes - Abdalla |

4 | Introduction to Algorithms (third edition ed - Cormen, Leiserson, et al. - 2009 |

4 | Frederik Vercauteren, Nele Mentens, Donald Donglong Chen, and Ingrid Verbauwhede. 2014. Compact Hardware Implementation of Ring-LWE Cryptosystems - Roy |

2 | Instantiating Treeless Signature Schemes. IACR Cryptology ePrint Archive 2013
- Weiden, Hülsing, et al.
- 2013
(Show Context)
Citation Context ...pler andsnumber of rejections. As Gaussian sampling is not needed for verification, the runtime of verification is basicallysindependent of the security level. The LYU implementation by Weiden et al. =-=[44]-=- is not competitive, mainly due toslarger parameters and also because the implementation uses slow rejection sampling and relies on the NTL librarysfor basic arithmetic. For GPV [32], initial outputs ... |

2 | Fully homomorphic encryption using ideal lattices - 2009b |

1 |
Compact Hardware Implementation of Ring-LWE Cryptosystems
- Roy, Vercauteren, et al.
- 2014
(Show Context)
Citation Context ... schemes based on lattice problems aresnow more practical than traditional schemes based on RSA. The most recent implementation of a lattice-basedsencryption scheme in hardware is shown by Roy et al. =-=[13]-=- with results outperforming those of RSA. Moresspecifically, the scheme shows performances an order of magnitude faster in comparison to RSA, for a higherssecurity level, and with the added properties... |

1 |
Learning a Zonotope and More: Cryptanalysis of NTRUSign Countermeasures
- 2012b
(Show Context)
Citation Context ... 400 signatures. Since Nguyen and Regev categorically showsNTRUSign (without perturbation) to be absolutely insecure and further countermeasures and a version withsperturbations have also been broken =-=[28]-=-, this scheme will not be covered as implementation results currently dosnot have practical applications. However, recent research such as Melchor et al. [29] hold some promise for thesfuture of this ... |

1 | Article A, Publication date: January YYYY. Practical Lattice-based Digital Signature Schemes A:23 - unknown authors - 2013 |

1 | Efficient FPGA implementation of FFT based multipliers - Cheng, Miri, et al. - 2005 |

1 | Faster Gaussian Lattice Sampling Using Lazy Floating-Point Arithmetic - 2012a |

1 | A Fully Homomorphic Encryption Scheme - 2009a |

1 | A Digital Signature Scheme Secure Against Adaptive Chosen-message Attacks - Howe, Pöppelmann, et al. - 1988 |

1 | Sheueling Chang Shantz. 2004. Comparing Elliptic Curve Cryptography and RSA on 8-bit CPUs - Gura, Patel, et al. |

1 | Implementing Modular FFTs in FPGAs - A Basic Block for Lattice-Based Cryptography - Györfi, Cret, et al. - 2013 |

1 | On Ideal Lattices and Learning with Errors over Rings - 2013a |

1 | Oded Regev. 2013b. A Toolkit for Ring-LWE Cryptography - Lyubashevsky, Peikert |

1 | Micciancio and Oded Regev. 2004. Worst-Case to Average-Case Reductions Based on Gaussian Measures - Daniele |

1 | Micciancio and Oded Regev. 2007. Worst-Case to Average-Case Reductions Based on Gaussian Measures - Daniele |

1 | and Oded Regev. 2009. Learning a Parallelepiped - Nguyen |