M. Ajtai, R. Kumar, and D. Sivakumar. A sieve algorithm for the shortest lattice vector problem. In Proceedings of the thirty-third Annual ACM Symposium on Theory of Computing - STOC 2001.  Home/Search   Document Details and Download   Summary   Related Articles   Check

....secret key, designed a deterministic polynomial time algorithm which for # = log log p# and k = O(log p) recovers # for almost all choices of t 1 , t k IF # p . In fact, using the full power of the presently known lattice reduction algorithms such as those given in [1, 51] and some results of [27] one can reduce the number of bits to a slightly smaller number which is o(log p) see Section 3. Boneh and Venkatesan have also proposed an alternative approach [10] which work with the values of # as little as # = log log p#, but the resulting algorithm is ....

....for which this problem can be solved has been described. This condition is related to uniformity of distribution among the elements of IF p . To give it a quantitative form we need to recall that the discrepancy of an N element sequence # = # 1 , #N elements of the interval [0, 1] is defined as D(#) sup J#[0,1] A(J, N) N J where the supremum is extended over all subintervals J of [0, 1] J is the length of J , and A(J, N) denotes the number of points # n in J for 1 N . We say that a finite sequence of integers is # homogeneously distributed ....

[Article contains additional citation context not shown here]

M. Ajtai, R. Kumar and D. Sivakumar, `A sieve algorithm for the shortest lattice vector problem', Proc. 33rd ACM Symp. on Theory of Comput. , Crete, Greece, July 6-8, (2001), 601--610.

....a lattice vector whose distance from t is within approximation factor s #(s) of the distance of the closest vector in L to t. We combine Kannan s reduction [13] from CVP to SVP with the best known approximation polynomial time result for the shortest vector problem given in Corollary 15 of [1] to get the following. 4 Lemma 1. For any constant # 0, there exists a randomised polynomialtime algorithm which, given an s dimensional full rank lattice L, and a vector , finds a lattice vector v satisfying with probability exponentially close to 1 the inequality #v t# s #z ....

....a randomised polynomialtime algorithm which, given an s dimensional full rank lattice L, and a vector , finds a lattice vector v satisfying with probability exponentially close to 1 the inequality #v t# s #z t# : z L . Proof. By taking k = log n# in Corollary 15 of [1] where c 0 is a sufficiently large constant, we obtain a randomised polynomial time algorithm which approximates the shortest vector within 2 for any constant # 0. The result follows by using this algorithm as a shortest vector approximation oracle in Kannan s reduction [13] from the ....

M. Ajtai, R. Kumar and D. Sivakumar, `A sieve algorithm for the shortest lattice vector problem', Proc. 33rd ACM Symp. on Theory of Comput., Crete, Greece, July 6-8, 2001, 601--610.

....SVP, which is due to Schnorr [16] and is based on LLL: Lemma 1. There exists a deterministic polynomial time algorithm which, given as input a basis of an s dimensional lattice L, outputs a non zero lattice vector u L such that: #u# # #z# : z L, z 0 . Recently, Ajtai et al. [2] discovered a randomized algorithm which slightly improves the approximation factor 2 to 2 O(s log log s log s) In practice, the best algorithm to approximate SVP is a heuristic variant of Schnorr s algorithm [16] Interestingly, these algorithms typically perform much better than ....

M. Ajtai, R. Kumar and D. Sivakumar, `A sieve algorithm for the shortest lattice vector problem' Proc. 33rd ACM Symp. on Theory of Comput., ACM, 2001, 601-- 610.

....n) steps. Finding very short lattice vectors requires additional search beyond LLLtype reduction. The algorithm of Kannan [K83] nds the shortest lattice vector in time n by a diligent exhaustive search, see [H85] for an n 2 o(n) time algorithm. The recent probabilistic sieve algorithm of [AKS01] runs in 2 average time and space, but is impractical as the exponent O(n) is about 30 n. Schnorr [S87] has generalized the LLL algorithm in various ways that repeatedly construct short bases of k dimensional lattices of dimension k 2. While 2kreduction [S87] runs in O(n n ) time, ....

M. Ajtai, R. Kumar, and D. Sivakumar, A sieve algorithm for the shortest lattice vector problem. Proc. 33th STOC, 2001.

....especially in coding theory and cryptography (see [14] The best inapproximability result for CVP is due to Dinur et al. 7] where it is shown that approximating CVP to within almost polynomial factors is NP hard. The best probabilistic polynomial time approximation algorithm due to Ajtai et al. [1] obtains a 2 O(n log log n= log n) approximation factor and it uses the deterministic polynomial time O(n(log log n) log n) approximation algorithm by Schnorr [16] Our model is motivated by applications of lattices is coding theory and cryptography. There, the encoding or encryption ....

M. Ajtai, R. Kumar, and D. Sivakumar. A sieve algorithm for the shortest lattice vector problem. In Proc. 33rd ACM Symp. on Theory of Computing, pages 601-610, 2001.

....of a lattice L, LLL provably outputs in polynomial time a basis (b 1 ; b d ) satisfying: kb 1 k 2 vol(L) kb i k 2 i (L) and kb i k 2 ( 2 ) 2 vol(L) Thus, LLL can approximate SVP to within 2 . Schnorr [121] improved the bound to 2 , and Ajtai et al. [6] recently further improved it to 2 in randomized polynomial time thanks to a new randomized algorithm to find the shortest vector. In fact, Schnorr defined an LLL based Schnorr s result is usually cited in the literature as an approximation algorithm to within (1 ) for any constant ....

....complexity of reduction algorithms. Babai s nearest plane algorithm [8] uses LLL to approximate CVP to within , in polynomial time (see also [80] Using Schnorr s algorithm [121] this can be improved to 2 in polynomial time, and even further to in randomized polynomial time using [6], due to Kannan s link between CVP and SVP (see previous section) In practice however, the best strategy seems to be the embedding method (see [61, 108] which uses the previous algorithms for SVP and a simple heuristic reduction from CVP to SVP. Namely, given a lattice basis (b 1 ; b d ....

[Article contains additional citation context not shown here]

M. Ajtai, R. Kumar, and D. Sivakumar. A sieve algorithm for the shortest lattice vector problem. In Proc. 33rd STOC, pages 601--610. ACM, 2001.

No context found.

M. Ajtai, R. Kumar, and D. Sivakumar. A sieve algorithm for the shortest lattice vector problem. In Proceedings of the thirty-third Annual ACM Symposium on Theory of Computing - STOC 2001.

No context found.

M. Ajtai, R. Kumar, D. Sivakumar, \A Sieve Algorithm for the Shortest Lattice Vector Problem," STOC 2001 (Proc. 31st Symp. Theory of Computing), pp.601{ 610, ACM Press, 2001.

No context found.

M. Ajtai, R. Kumar, and D. Sivakumar, A Sieve Algorithm for the Shortest Lattice Vector Problem. Proc. 33th STOC, pp. 601-610, 2001.

No context found.

M. Ajtai, R. Kumar, and D. Sivakumar. A sieve algorithm for the shortest lattice vector problem. In Proc. 33rd ACM Symp. on Theory of Computing, pages 601--610, 2001.

No context found.

M. Ajtai, R. Kumar, and D. Sivakumar. A sieve algorithm for the shortest lattice vector problem. In Proceedings of the thirty-third annual ACM symposium on Theory of computing, pages 601--610. ACM Press, 2001.

No context found.

M. Ajtai, R. Kumar and D. Sivakumar, `A sieve algorithm for the shortest lattice vector problem', Proc. 33rd ACM Symp. on Theory of Comput., Crete, Greece, July 6-8, 2001, 601--610.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC