L. Babai. On Lovasz lattice reduction and the nearest lattice point problem. Combinatorica, 6:1--13, 1986.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....duals was then investigated to some extent in [3] and [5] Other relevant results about trellis structure and trellis complexity of block codes can be found in papers in [30] and the references therein. The problem of lattice decoding also lies at the heart of many integer programming problems [2], 13] 16] The main approach to the decoding of lattices in integer programming is based on using a reduced basis for the lattice. The complexity of such decoding algorithms has two parts: i) computing the reduced basis of the lattice, and ii) finding the nearest lattice 0018 9448 98 10.00 ....

....Hermite, Minkowski, Korkin Zolotarev (K Z) and more recently Lenstra, Lenstra, and Lov asz (L ) see, e.g. 12, pp. 147 164] After the introduction of the L reduced basis, which can be computed in polynomial time, reduction theory has found many applications in a variety of areas (see, e.g. [2], 13] 16] 19] 21] 24, pp. 71 74] However, it can be shown that for the decoding of lattices, the K Z reduced basis is a more powerful tool than the L reduced basis [6] In the following, we explain the K Z reduced basis, which is used in our decoding algorithms. Let be a lattice with ....

[Article contains additional citation context not shown here]

L. Babai, "On Lovasz' lattice reduction and the nearest lattice point problem," Combinatorica 6, pp. 1--13, 1986.

....the blocksize. So far, the best reduction algorithms in practice are variants [124, 125] of those BKZ algorithms, which apply a heuristic to reduce exhaustive search. But little is known on the average case (and even worst case) complexity of reduction algorithms. Babai s nearest plane algorithm [8] uses LLL to approximate CVP to within , in polynomial time (see also [80] Using Schnorr s algorithm [121] this can be improved to 2 in polynomial time, and even further to in randomized polynomial time using [6] due to Kannan s link between CVP and SVP (see previous section) In ....

.... ; 0) be such that j(fft i mod q) Gamma a i j q=2 : Then with probability at least , all u 2 L with ku Gamma ak are of the form: u = t 1 fi mod q; t d fi mod q; fi=2 ) where ff j fi (mod q) Since a is close enough to L, Babai s nearest plane CVP approximation algorithm [8] yields a lattice point sufficiently close to a, which leads to: Theorem 4 (Boneh Venkatesan) Let ff be in Z q . Let O be a function defined by O(t) MSB (fft mod q) with = d log qe dlog log qe. There exists a deterministic polynomial time algorithm A which, on input t 1 ; t d ....

[Article contains additional citation context not shown here]

L. Babai. On Lov'asz lattice reduction and the nearest lattice point problem. Combinatorica, 6:1--13, 1986.

....and the lattice reduction algorithm reached a final form in the paper [LLL82] of Lenstra, Lenstra and Lov asz, from which the name LLL algorithm comes. Further refinements of the LLL algorithm were proposed by Schnorr ( Sch87, Sch88] who has improved the above factor into (1 ffl) Babai [Bab86] gave an algorithm that approximates the closest vector by a factor of (3= 2) The existence of polynomial bounds is completely open: CVP is hard to approximate within a factor 2 (log n) 0:99 as shown in [ABSS97] but a result of Goldreich and Goldwasser [GG] suggests that it is hopeless ....

L. Babai. On Lov'asz lattice reduction and the nearest lattice point problem. Combinatorica, 6:1--13, 1986.

....the blocksize. So far, the best reduction algorithms in practice are variants [104, 105] of those BKZ algorithms, which apply a heuristic to reduce exhaustive search. But little is known on the average case (and even worst case) complexity of reduction algorithms. Babai s nearest plane algorithm [7] uses LLL to approximate CVP to within , in polynomial time (see also [66] Using Schnorr s algorithm [101] this can be improved to 2 , due to Kannan s link between CVP and SVP (see previous section) In practice however, the best strategy seems to be the embedding method (see [49, 90] ....

....SBP. The message space is a large enough cube in Z . A message m 2 Z is encrypted into c = mB e where e is an error vector uniformly chosen from f Gammaoe; oeg , where oe is a security parameter. A ciphertext c is decrypted as bcR eRB (note: this is Babai s round method [7] to solve CVP) But an eavesdropper is left with the CVP instance defined by c and B. The private basis R is generated in such a way that the decryption process succeeds with high probability. The larger oe is, the harder the CVP instances are expected to be. But oe must be small for the ....

[Article contains additional citation context not shown here]

L. Babai. On Lov'asz lattice reduction and the nearest lattice point problem. Combinatorica, 6:1--13, 1986. 24

..... Note that although the worst case bound in (20) appears to be loose, this suboptimal algorithm works much better in practice as reported in the literature (cf. 5] Another suboptimal polynomial time algorithm for finding an approximately nearest lattice point is due to Babai (1986) cf. 1] [4] and [8] 4.3 Searching for Integral Points Inside an Ellipsoid Once a candidate (or guess) z = z to the minimizer of k y GammaGzk is found, we need to check whether there exists anyother z 2 Z satisfying k y Gamma Gzk k y Gamma Gzk. If no such z exists then z is the global ....

L. Babai, "On Lov'asz' lattice reduction and the nearest lattice point problem," Combinatorica 6 (1986) 1-13.

.... by Helfrich [9] Recently, Blomer obtained an O(n ) time deterministic algorithm to compute the closest vector exactly [2] For the problem of approximating the closest vector, using the LLL algorithm [12] Babai obtained a (3= p 2) n approximation algorithm that runs in polynomial time [3]. Using a 2 O(n) algorithm for SVP 1 and the polynomial time Turing reduction from approximate CVP to SVP given in [10] the present authors obtained a p n=2 approximation algorithm that runs in 2 O(n) time and a 2 n log log n= log n approximation algorithm that runs in polynomial time ....

L. Babai. On Lov'asz' lattice reduction and the nearest lattice point problem. Combinatorica, 6(1):1--13, 1986.

.... can be arbitrarily preprocessed [22] or one allows for approximate solutions with approximation factor 2 lg 1 n [3, 9] To date, the best polynomial time algorithm to approximate CVP achieves only a worst case approximation factor which is almost exponential in the dimension of the lattice [19, 4, 29]. A closely related problem is the shortest vector problem (SVP) given a lattice L = L(B) nd the length (L) of the shortest non zero vector in L(B) By linearity, B) equals the minimum distance between any two lattice points minfkv wk : v; w 2 L(B) v 6= wg. It is easy to see that for any ....

....of the shortest vector in a lattice L = L(B) satis es (L) min i kb i k. Moreover, given a vector v within distance = 1 2 min i kb i k from the lattice, the (unique) lattice vector within distance from v can be eciently computed from B and v using Babai s nearest plane algorithm [4]. See also [18] 3 The GGH Encryption Scheme The GGH encryption scheme [14] works essentially as follows. The private and public keys of the scheme are two bases B;R of the same lattice L = L(B) L(R) The private key R is an exceptionally good basis. In particular, R is chosen in such a way ....

[Article contains additional citation context not shown here]

L. Babai. On Lovasz' lattice reduction and the nearest lattice point problem. Combinatorica, 6(1):1-13, 1986.

.... work as follows: 1) rst a computationally intensive algorithm is run on the lattice to obtain some information useful for decoding (usually a reduced basis or a trellis) 2) then this information is used to solve the closest vector problem using some simple procedure (some form of rounding [6] for methods based on lattice reduction, or the Viterbi algorithm [7] for trellis based decoding) Trellis based decoding is very ecient, provided that a small trellis for the lattice exists. Unfortunately it has been demonstrated that minimal trellis size can grow exponentially with the dimension ....

....of lattice basis) i.e. given any basis for the lattice, they produce a new basis consisting of short vectors. In certain cases the short basis can be computed in polynomial time, resulting in a polynomial time approximation algorithm for the closest vector problem. This is the case for example in [6] where LLL reduced bases (see [11] are used, or [12] where block KZ reduced bases (see [13] are used, achieving 2 O(n) and 2 o(n) approximation factors. In other cases it is not known how to eciently compute the good basis, but once this good basis is found, a much better approximation to ....

Laszlo Babai, \On Lovasz' lattice reduction and the nearest lattice point problem," Combinatorica, vol. 6, no. 1, pp. 1-13, 1986.

....can easily be recovered. It has been shown by Bellare et al. 3] that one can still recover # if the nonce k is produced by Knuth s linear congruential generator with known parameters, or variants. That attack is provable under the random oracle model, and relies on Babai s approximation algorithm [2] for the closest vector problem (CVP) in a lattice, which is based on the celebrated LLL algorithm [18] The attack does not work if the parameters of the generator are unknown. Recently, Howgrave Graham and Smart [11] introduced a di#erent scenario to study the security of DSA. Suppose that for a ....

....known. Howgrave Graham and Smart proposed in [11] several heuristic attacks to recover the secret key in such setting and variants (known bits in the middle, or dispatched in several blocks) when # is not too small. Like [3] the attacks make use of LLL based Babai s CVP approximation algorithm [2]. However, the attacks of [3] and [11] are quite di#erent. Howgrave Graham and Smart have followed an applied approach. The attack used several heuristic assumptions which did not allow precise statements on its theoretical behaviour. It has been assumed that the DSA signatures followed a ....

L. Babai. On Lovasz lattice reduction and the nearest lattice point problem. Combinatorica, 6:1--13, 1986.

....The celebrated LLL algorithm achieves an approximation factor of 2 n 2 in P time for SVP. Schnorr improves this to (1 #) n , but the polynomial running time depends on 1 # in the exponent [29] Babai gave an algorithm that approximates the closest lattice vector by a factor of (3 # 2) n [6]. Very recently Ajtai, Kumar and Sivakumar have derived a 2 O(n) time SVP algorithm [4] The recent work on worst case to average case connection has its motivations from cryptography, aside from the intrinsic interest in the relationship between average case and worst case complexity in ....

L. Babai. On Lov asz' lattice reduction and the nearest lattice point problem. Combinatorica, 6:1--13, 1986.

....of the lattice basis reduction algorithm of Lenstra, Lenstra and Lovasz [15] with a result of Kannan [12] about reduction of the closest vector problem to the shortest vector problem. ## In fact for our applications we apply it in a more well known form with the constant 2 s (as found by Babai [2]) namely s X i=1 (w i u i ) 2 # 2 s min ( s X i=1 (z i u i ) 2 , z = z 1 , z s ) # L ) Moreover, because in our applications the dimension s is fixed we can also use algorithms which find the closest vector in a lattice in polynomial time (see [11, 1] The ....

L. Babai, On Lov asz lattice reduction and the nearest lattice point problem, Combinatorica, 6 (1986), 1--13.

....that there exists a simultaneous diophantine # approximation P 1 , P n , Q of # 1 , # n excluding p. We can find in polynomial time a simultaneous diophantine C n 1 p# approximation of # 1 , # n excluding p, where C n = 4 # n2 n 2 . 6 We will use Babai s modification [Bab86] of Lovasz s lattice algorithm [LLL82, Lov86] In [Bab86] the following result is proven for # 1 = # m ; the general case follows from the same proof. Theorem 4.2 ( Bab86] Theorem 7.1) Let # 1 , #m , # 1 , #m , # 1 0, # m 0 be given rational numbers. Let q 0 be ....

....P 1 , P n , Q of # 1 , # n excluding p. We can find in polynomial time a simultaneous diophantine C n 1 p# approximation of # 1 , # n excluding p, where C n = 4 # n2 n 2 . 6 We will use Babai s modification [Bab86] of Lovasz s lattice algorithm [LLL82, Lov86] In [Bab86] the following result is proven for # 1 = # m ; the general case follows from the same proof. Theorem 4.2 ( Bab86] Theorem 7.1) Let # 1 , #m , # 1 , #m , # 1 0, # m 0 be given rational numbers. Let q 0 be the smallest integer Q for which there exist P 1 , ....

[Article contains additional citation context not shown here]

L. Babai. On Lovasz lattice reduction and the nearest lattice point problem. Combinatorica, 6(1):1--13, 1986. 7

....and definitions. Let b 1 , b s be a set of linearly independent vectors in IR s . The set of vectors L = z : z = s X i=1 t i b i , t 1 , t s # ZZ is called an s dimensional full rank lattice. The set b 1 , b s is called the basis of L. 6 In [1] Babai describes a polynomial time algorithm which, for given a lattice L and a vector r = r 1 , r s ) # IR s , finds a lattice vector v = v 1 , v s ) satisfying the inequality s X i=1 (v i r i ) 2 1 2 # 2 s 4 min 8 : s X i=1 (z i r i ) 2 ....

....certain multiples of p vectors, we obtain a lattice point u # = u 1 , u d , # p) # L g,p (x 1 , x d ) such that u i r i p2 k , i = 1, d. Therefore, d 1 X i=1 (u i r i ) 2 1 2 # p(d 1) 1 2 2 k . Now we can use the Babai algorithm [1] to find in polynomial time a lattice vector v = v 1 , v d , v d 1 ) # L g,p (x 1 , x d ) such that d X i=1 (v i r i ) 2 1 2 # 2 (d 1) 4 min 8 : d 1 X i=1 (z i r i ) 2 1 2 , z = z 1 , z d , z d 1 ) # L 9 = # 2 (d 1) 4 p(d 1) ....

L. Babai, On Lovasz' lattice reduction and the nearest lattice point problem, Combinatorica, 6 (1986), 11--13.

....the signature v T H 1 m . The signature is verified by comparing with m Bv He . Instead of using the Babai s round off algorithm to get the lattice point near the message, we can use his nearest plane algorithm to decrease more distance between the signature generated by H and the message[3]. Let s consider a signing oracle that refuses to sign a short message. Though the signer would get suspicious having to sign a small vector u whose elements range from k to k, we can still attack by generating a random v, having her sign u Bv u, and removing v from the signature, where u is the ....

L. Babai, On Lovasz lattice reduction and the nearest lattice point problem, Combinatorica, Vol. 6, No. 1, 1986, pp. 1--13. 13

....Assume e is chosen as described and each component of v is chosen uniformly from, say, f Gamman 2 ; Gamman 2 1; n 2 Gamma 1; n 2 g. Let c = f (B;oe) v; e) Bv e. If oe is chosen carefully, the function can be inverted using R by applying Babai s rounding technique [5]: represent c as a linear combination of the columns of R and then round the coefficients in the linear combination to the nearest integers to obtain a lattice point (integer linear combination of the columns of R) Once v is recovered we find e = c Gamma Bv. In the Goldreich, Goldwasser, and ....

L. Babai, On Lov'asz' Lattice Reduction and the Nearest Lattice Point Problem, Combinatorica 6(1), 1986, pp. 1--13

....problem hence yields g uv . The question remains for which k the hidden number problem can be solved in probabilistic polynomial time. Boneh and Venkatesan proved the following result by using rounding techniques in lattices, based on methods of Lenstra, Lenstra, and Lovasz [29] and Babai [2]. Theorem 10 [6] Let p be prime, n = dlog pe, and let G = Z p . For k = d p ne dlog ne, it is computationally equivalent to compute all the k most significant bits of the Diffie Hellman key simultaneously and to solve the DH problem. For any 0 and sufficiently large p, this holds for k = ....

L. Babai, On Lovasz' lattice reduction and the nearest lattice point problem, Combinatorica, Vol. 6, pp. 1--13, 1986.

....also O( 2= p 3) n 2 =2 log M ) The first formulation (i) is based on Proposition 17, and Lemmata 4, 16. The proof of the second formulation (ii) uses also Lemma 18 (which is proved under a very plausible heuristic) The next Lemma is an adaptation of ones used by Babai, Kannan and Schnorr [Bab86,Kan83,Sch87] when finding a shortest vector in a lattice with a Lovasz reduced basis on hand. Lemma 16. Let t 2]1; 2[ be a real parameter and L be a lattice generated by a basis b : b 1 ; b n ) which is not necessarily integral and whose vectors are of arbitrary 6 The naive bound is obtained ....

L. Babai. On Lovasz' lattice reduction and the nearest lattice point problem. Combinatorica, 6(1):1--13, 1986.

....In this paper, we first describe the two main decoding strategies, due to Pohst and to Kannan, in a unified framework, which makes it possible to elucidate the similarities and the differences between them. This is done in Section III A, where we also discuss the Babai nearest plane algorithm [8] and the Schnorr Euchner refinement of the Pohst strategy. In Section III B, we present a stand alone implementation of what we believe is the fastest closestpoint search algorithm currently available for general lattices. The algorithm is based on the Schnorr Euchner [41] strategy, bootstrapped ....

....refinement of the Pohst strategy. In Section III B, we present a stand alone implementation of what we believe is the fastest closestpoint search algorithm currently available for general lattices. The algorithm is based on the Schnorr Euchner [41] strategy, bootstrapped with the Babai [8] nearest point. It is described in sufficient detail to allow straightforward implementation, without knowledge of the underlying theory. One of the main contributions of this paper is a theoretical and experimental comparison of the various closestpoint search algorithms, presented in Sections V ....

[Article contains additional citation context not shown here]

L. Babai, "On Lov'asz' lattice reduction and the nearest lattice point problem," Combinatorica, vol. 6, no. 1, pp. 1--13, 1986.

....compl#uta y ofl#8[Q 8 basedprobl#84Q SVP and CVP. See al#T Cai sarticl# on more refined survey [16] 4.1 ApproximationAl#ionT8DD Theorem 4.1 [45] he LLL is a pol#DD[TN] 55QT al# gorithm and approximates SVP within a factor of 2 Dim 2 , where Dim is the dimension of thel#eT]D] Theorem 4. 2 [8]: CVP has a pol#x TN845[ T approximating al#tingT5 within a factor of 2 Dim 2 . Theorem 4.3 [64] Both SVP and CVP have a pol# QTN8]I8[Tl approximating al#atingT within a factor of (1 #) n . 4.2 Impossibil#T yResul#[ Theorem 4.4 [74] CVP is NP hard with respect to p norm. Note that ....

.... m i and assumes that a few of the bits of the random ephemeral key y i associated with each message m i are known (e.g. it may be recovered due to a weak random number generator) Their method resembl#e techniques used in [13] where a pol#8 TN] QT al##8 TN for approximating CVP of Babai [8] pl# ys a central rol## 7. Connection between Lattice and NumberTheory Schnorr [66] suggests therel#8[4ITN8 between factoring (and al#d the discrete l#screteT probl#te and finding smal# vectors in al#DI[DDT Schnorr provides an heuristic argument that factoring isreducibl# to findingsmal# ....

L. Babai, "On Lovasz' lattice reduction and the nearest latticep

....an approximation factor of 2 n=2 in P time for SVP. Schnorr improves this to (1 ffl) n , but the polynomial running time depends on 1=ffl in the exponent [27] Using Lov asz s basis reduction, Babai gave an algorithm that approximates the closest lattice vector by a factor of (3= p 2) n [5]. The recent work on worst case to average case connection has its motivations from cryptography, aside from the intrinsic interest in the relationship between average case and worst case complexity in general. It has been realized for some time that the security of a cryptographic protocol ....

L. Babai. On Lov'asz' lattice reduction and the nearest lattice point problem. Combinatorica, 6:1--13, 1986.

....ff can easily be recovered. It was shown by Bellare et al. 2] that one can still recover ff if the nonce k is produced by Knuth s linear congruential generator with known parameters, or variants. That attack is provable under the random oracle model, and relies on Babai s approximation algorithm [1] for the closest vector problem (CVP) in a lattice, which is based on the celebrated LLL algorithm [15] The attack does not work if the parameters of the generator are unknown. Recently, Howgrave Graham and Smart [12] introduced a different scenario. Suppose that for a reasonable number of ....

....known. Howgrave Graham and Smart proposed in [12] several heuristic attacks to recover the secret key in such setting and variants (known bits in the middle, or dispatched in several blocks) when is not too small. Like [2] the attacks are based on LLL based Babai s CVP approximation algorithm [1]. However, the attacks of [2] and [12] are quite different. Howgrave Graham and Smart followed an applied approach. The attack used several heuristic assumptions which did not allow precise statements on its theoretical behaviour. It was assumed that the DSA signatures followed a perfectly uniform ....

[Article contains additional citation context not shown here]

L. Babai. On Lov'asz lattice reduction and the nearest lattice point problem. Combinatorica, 6:1--13, 1986.

....and definitions. Let b 1 , b s be a set of linearly independent vectors in IR s . The set of vectors L = z : z = s X i=1 t i b i , t 1 , t s # ZZ is called an s dimensional full rank lattice. The set b 1 , b s is called the basis of L. In [1] Babai describes a polynomial time algorithm which, for given a lattice L and a vector r = r 1 , r s ) # IR s , finds a lattice vector v = v 1 , v s ) satisfying the inequality s X i=1 (v i r i ) 2 1 2 # 2 s 4 min 8 : s X i=1 (z i r i ) 2 ....

....a lattice point u# = u 1 , u d , # p) # L g,p (x 1 , x d ) such that u i r i p2 k , i = 1, d. Therefore, d 1 X i=1 (u i r i ) 2 1 2 # p(d 1) 1 2 2 k . 8 M. I. Gonzalez Vasco and i.e. Shparlinski Now we can use the Babai algorithm [1] to find in polynomial time a lattice vector v = v 1 , v d , v d 1 ) # L g,p (x 1 , x d ) such that d X i=1 (v i r i ) 2 1 2 # 2 (d 1) 4 min 8 : d 1 X i=1 (z i r i ) 2 1 2 , z = z 1 , z d , z d 1 ) # L 9 = # 2 (d 1) 4 p(d ....

L. Babai, On Lovasz' lattice reduction and the nearest lattice point problem, Combinatorica, 6 (1986), 11--13.

....# can easily be recovered. It was shown by Bellare et al. 2] that one can still recover # if the nonce k is produced by Knuth s linear congruential generator with known parameters, or variants. That attack is provable under the random oracle model, and relies on Babai s approximation algorithm [1] for the closest vector problem (CVP) in a lattice, which is based on the celebrated LLL algorithm [15] The attack does not work if the parameters of the generator are unknown. Recently, Howgrave Graham and Smart [12] introduced a di#erent scenario. Suppose that for a reasonable number of ....

....known. Howgrave Graham and Smart proposed in [12] several heuristic attacks to recover the secret key in such setting and variants (known bits in the middle, or dispatched in several blocks) when # is not too small. Like [2] the attacks are based on LLL based Babai s CVP approximation algorithm [1]. However, the attacks of [2] and [12] are quite di#erent. Howgrave Graham and Smart followed an applied approach. The attack used several heuristic assumptions which did not allow precise statements on its theoretical behaviour. It was assumed that the DSA signatures followed a perfectly uniform ....

[Article contains additional citation context not shown here]

L. Babai. On Lovasz lattice reduction and the nearest lattice point problem. Combinatorica, 6:1--13, 1986.

....L = y : y = d X i=1 t i b i ; t i 2 Z ) where the b i are linearly independent vectors in R d . The set fb i g d i=1 is called the basis of the lattice and d is the dimension of the lattice. We denote the L 2 norm of a vector v 2 R d by k v k. An important result due to Babai [4] shows how given a lattice L and a point v one can find a lattice point which is approximately the closest to v. Using the lattice basis reduction algorithm of Lenstra, Lenstra and Lovasz [13] he proves the following. THEOREM 2.2 Let L be a lattice of dimension d. Given a point v 2 R d there ....

L. Babai, "On Lovasz' lattice reduction and the nearest lattice point problem", Combinatorica, Vol. 6, 1986, pp. 1--13.

....the blocksize. So far, the best reduction algorithms in practice are variants [104, 105] of those BKZ algorithms, which apply a heuristic to reduce exhaustive search. But little is known on the average case (and even worst case) complexity of reduction algorithms. Babai s nearest plane algorithm [7] uses LLL to approximate CVP to within 2 d=2 , in polynomial time (see also [66] Using Schnorr s algorithm [101] this can be improved to 2 O(d(log log d) 2 = log d) due to Kannan s link between CVP and SVP (see previous section) In practice however, the best strategy seems to be the ....

....message space is a large enough cube in Z n . A message m 2 Z n is encrypted into c = mB e where e is an error vector uniformly chosen from f Gammaoe; oeg n , where oe is a security parameter. A ciphertext c is decrypted as bcR Gamma1 eRB Gamma1 (note: this is Babai s round method [7] to solve CVP) But an eavesdropper is left with the CVP instance defined by c and B. The private basis R is generated in such a way that the decryption process succeeds with high probability. The larger oe is, the harder the CVP instances are expected to be. But oe must be small for the ....

[Article contains additional citation context not shown here]

L. Babai. On Lov'asz lattice reduction and the nearest lattice point problem. Combinatorica, 6:1--13, 1986. 24

....L they show by using this basis it is possible to produce a vector y 2 L and a certificate that d( x; L) cn Gamma 3 2 k x Gamma yk. Our existential proof is nonconstructive and we know of no subexponential time algorithm that finds the vector v. We would like to point out that Babai [B] using Lov asz lattice reduction algorithm (from [LLL] has given a polynomial time algorithm that finds a vector v that satisfies jf( x; v)gj k vk 9 Gamman d( x; L) 2. Preliminaries and Notation Let L be a lattice with basis ( b i ) n i=1 . In general we will work with several ....

Babai L. "On Lov'asz' lattice reduction and the nearest lattice point problem", Combinatorica 6, (1986), 1-13.

....approximating SVP within a factor p n is not NP hard 1 unless the polynomial time hierarchy collapses. The closest vector problem had a similar history, except that polynomial time (approximation) algorithms were harder to find and stronger hardness results were more easily established. Babai [8] modified the LLL reduction algorithm to approximate in polynomial time CVP within a factor 2 n . The approximation factor was improved to 2 ffln in [69, 45, 71] Kannan [46] gave a polynomial time algorithm to solve CVP exactly in any fixed number of dimensions. The dependency of the running ....

....problem associated to the closest vector problem (the inhomogeneous version of the shortest vector problem) Therefore, the technique we use to reduce CVP to SVP can be considered as a homogenization process. This is not new in the study of the computational complexity of lattice problems (see [8, 46, 45]) However all homogenization techniques developed in the past involve some sort of recursion on the number of dimensions of the lattice and consequently introduce error factors of n 1=p or greater. For example, 46] shows that approximating CVP within a factor p n is polynomial time ....

L. Babai. On Lovasz' lattice reduction and the nearest lattice point problem. Combinatorica, 6, 1986.

.... at most fl the shortest, and in the approximate CVP one must find a lattice vector at distance at most fl Delta dist(v; L(B) To date, the best polynomial time algorithms to approximate SVP and CVP achieve only a worst case approximation factor fl exponential in the dimension of the lattice [11, 4, 13]. On the other hand, CVP is NP hard to approximate within a factor fl = 2 ln 1 Gammaffl n [3, 5] and SVP is NP hard (for randomized reductions) to approximate within any factor less than p 2 [12] The relation between the two problems has also been investigated, and in [9] it is proved that ....

L'aszl'o Babai. On Lovasz' lattice reduction and the nearest lattice point problem. Combinatorica, 6, 1986.

....factor (cf. 6] The latter work also shows that if CVP could be approximated within any factor greater than 2 log 1 Gammaffl n , then NP e P. On the other hand, Babai showed that CVP can be approximated within factor 2 n by a modification of the LLL lattice reduction algorithm [8], and improvements by [45, 34] yield for every ffl 0 approximation within factor 2 ffln . The problem of verifying the approximate optimality of a solution to the CVP problem has also been considered. Given a point c in the lattice, its distance to t clearly provides an upper bound on the ....

L. Babai. On Lov'asz Lattice Reduction and the Nearest Lattice Point Problem. Combinatorica, Vol. 6 (1), pages 1--13, 1986.

....to any factor in polynomial time given an approximation CVP oracle for the same factor and dimension. On the other hand, approximating SVP or CVP to p n= log(n) are unlikely to be NP hard [13] n denotes the lattice dimension) Furthermore, there exist polynomial time approximation algorithms [20, 4, 25, 27], such as the celebrated LLL algorithm, that can achieve exponential bounds. And it is well known that these reduction algorithms behave much better in practice than theoretically expected. Therefore, the practical security of AD and GGH had to be assessed. In the case of AD, such an assessment ....

....depend on a parameter called the blocksize. These algorithms use some kind of exhaustive search which is exponential in the blocksize. So far, the best reduction algorithms in practice are variants [27] of those BKZ algorithms, which apply a heuristic to reduce exhaustive search. Babai [4] showed how to use a reduced basis to approximate CVP. The more reduced the basis is, the better the approximation is. For an LLL reduced basis, this yields an exponential factor. But in practice, the best method to solve CVP is the so called embedding technique (see [16] which reduces the ....

[Article contains additional citation context not shown here]

L. Babai. On Lov'asz lattice reduction and the nearest lattice point problem. Combinatorica, 6:1--13, 1986.

.... classes whose functionality comprises lattice algorithms for computing reduced lattice bases (e.g. Schnorr Euchner algorithm [10, 12] computing relations from a given generating system (e.g. Buchmann Kessler algorithm [5] handling Gram matrices as well as computing shortest and closest vectors [1, 7, 8]. 3 TEMPLATE MODULES AND KERNELS In the classes described in the previous section, many variations of the same basic algorithm have to be implemented depending on the various information stored in the bit fields. In general, the differences are rather small and the diversity would normally ....

Babai, L.: On Lov'asz' Lattice Reduction and the Nearest Lattice Point Problem. Combinatorica 6, 1--13 (1986).

No context found.

L. Babai. On Lovasz lattice reduction and the nearest lattice point problem. Combinatorica, 6:1--13, 1986.

No context found.

L. Babai, On Lov'asz' lattice reduction and the nearest lattice point problem, Combinatorica 6 (1986), no. 1, 1--13.

No context found.

L. Babai, "On Lovasz' lattice reduction and the nearest lattice point problem," Combinatorica 6, pp. 1--13, 1986.

No context found.

L. Babai, "On Lovasz' lattice reduction and the nearest lattice point problem," Combinatorica 6, pp. 1--13, 1986.

No context found.

L. Babai, On Lov'asz lattice reduction and the nearest lattice point problem. in Combinatorica, vol. 6, 1986, pp. 1-13.

No context found.

L'aszl'o Babai. On Lovasz' lattice reduction and the nearest lattice point problem. Combinatorica, 6, 1986.

No context found.

L. Babai. On Lovasz' lattice reduction and the nearest lattice point problem. Combinatorica, 6(1):1-13, 1986.

No context found.

L. Babai. On Lovasz' lattice reduction and the nearest lattice point problem. Combinatorica, 6(1):1--13, 1986.

No context found.

L. Babai. On lovasz lattice reduction and the nearest lattice point problem. Combinatorica, 6:1--13, 1986.

No context found.

L. Babai. On Lovasz' lattice reduction and the nearest lattice point problem. Combinatoria 1986, 6(1): 1--13.

No context found.

L. Babai. On Lovasz' lattice reduction and the nearest lattice point problem. In Proceedings of Symposium on Theoretical Aspects in Computer Science, Lecture Notes in Computer Science, Berlin: Springer-Verlag, 1985, 182: 13-- 20.

No context found.

L. Babai. On Lovasz' lattice reduction and the nearest lattice point problem. Combinatorica, 6(1):1--13, 1986.

No context found.

L. Babai. On Lovasz' lattice reduction and the nearest lattice point problem. Combinatorica, 6(1):1--13, 1986.

No context found.

L. Babai. On Lovasz' lattice reduction and the nearest lattice point problem. Combinatorica, 6, 1986.

No context found.

L. Babai, On Lov'asz lattice reduction and the nearest lattice point problem. in Combinatorica, vol. 6, 1986, pp. 1-13.

No context found.

L. Babai, "On Lovasz' lattice reduction and the nearest lattice point problem," Combinatorica, vol. 6, no. 1, pp. 1--13, 1986.

No context found.

L. Babai, `On Lovasz' lattice reduction and the nearest lattice point problem', Combinatorica, 6 (1986), 1--13.

No context found.

L. Babai. On Lovasz' lattice reduction and the nearest lattice point problem. Combinatorica, 6, 1986.

No context found.

L. Babai. On Lovasz lattice reduction and the nearest lattice point problem. Combinatorica,

First 50 documents  Next 50

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC