C. P. Schnorr, `A hierarchy of polynomial time basis reduction algorithms ', Theor. Comp. Sci., 53 (1987), 201--224.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....secret key, designed a deterministic polynomial time algorithm which for # = log log p# and k = O(log p) recovers # for almost all choices of t 1 , t k IF # p . In fact, using the full power of the presently known lattice reduction algorithms such as those given in [1, 51] and some results of [27] one can reduce the number of bits to a slightly smaller number which is o(log p) see Section 3. Boneh and Venkatesan have also proposed an alternative approach [10] which work with the values of # as little as # = log log p#, but the resulting algorithm is ....

C. P. Schnorr, `A hierarchy of polynomial time basis reduction algorithms ', Theor. Comp. Sci., 53 (1987), 201--224.

....approximation oracle in Kannan s reduction [13] from the closest vector problem to shortest vector problem. The best deterministic polynomial time algorithm known for the SVP problem, which can be also used in Lemma 1, has a slightly larger approximation factor 2 #s log log s log s , see [23]. 3 Decoding Problem P # be a set of primes which exceed 2 for some integer length parameter 1. Choose a basis of n distinct primes p = p 1 , p n ) # . Fix the message space as Z[K] The pair (p, K) determines a Chinese Remainder Code as follows: an integer a is encoded ....

C. P. Schnorr, `A hierarchy of polynomial time basis reduction algorithms ', Theor. Comp. Sci., 53 (1987), 201--224.

....algorithms which can provably approximate SVP. The first algorithm of that kind was the celebrated LLL lattice basis reduction algorithm of Lenstra, Lenstra and Lovasz [7] We use the best deterministic polynomial time algorithm currently known to approximate SVP, which is due to Schnorr [16] and is based on LLL: Lemma 1. There exists a deterministic polynomial time algorithm which, given as input a basis of an s dimensional lattice L, outputs a non zero lattice vector u L such that: #u# # #z# : z L, z 0 . Recently, Ajtai et al. 2] discovered a randomized ....

....L such that: #u# # #z# : z L, z 0 . Recently, Ajtai et al. 2] discovered a randomized algorithm which slightly improves the approximation factor 2 to 2 O(s log log s log s) In practice, the best algorithm to approximate SVP is a heuristic variant of Schnorr s algorithm [16]. Interestingly, these algorithms typically perform much better than theoretically expected: they often return a shortest lattice vector, provided that the lattice dimension is not too large. Hence, it is useful to predict what can be achieved e#ciently if an SVP oracle (that is, an algorithm ....

C. P. Schnorr, `A hierarchy of polynomial time basis reduction algorithms', Theor. Comp. Sci., 53 (1987), 201--224.

....comments in Section 2) and Ajtai s proof is easily one of the most intricate and beautiful NP completeness results known. While Ajtai s proof is a major step forward, the complexity of the shortest vector problem remains far from being well understood. The best known algorithms for this problem [LLL82, Sch85] produce vectors whose length is only guaranteed to be within an exponentially large factor IBM Almaden Research Center, 650 Harry Road, San Jose, CA 95120, USA. Email: ravi almaden.ibm.com y Department of Computer Science, University of Houston, Houston, TX 77204, USA. Supported in part by the ....

C. Schnorr. A hierarchy of polynomial time basis reduction algorithms. In L. Lov'asz and E. Szemer 'edi, editors, Theory of Algorithms, volume 44 of Colloquia Mathematica, pages 375--386. J'anos Bolyai Mathematical Society, 1985.

....time would depend on ff. Also, the algorithm can be extended to work with other norms as well. An adaptation of this algorithm yields a 2 O(n) algorithm to find a non zero codeword of minimum weight in linear codes of block length n over fields of size poly(n) Combined with Schnorr s results [14] on a trade off between running time and approximation factor, it follows that in randomized O(2 O(k) n 2 ) time, one can find a (k 2 ) n=k approximate shortest vector. In particular, this improves the best approximation achievable in polynomial time: one can find a 2 n log log n= log ....

C. P. Schnorr. A hierarchy of polynomial time basis reduction algorithms. Theoretical Computer Science, 53:201--224, 1987. 13

....s , finds a lattice vector w = w 1 , w s ) satisfying the inequality s X i=1 (w i u i ) 2 # exp O s log 2 log s log s min ( s X i=1 (z i u i ) 2 , z = z 1 , z s ) # L ) Proof. The statement is a combination of the Schnorr modification [25] of the lattice basis reduction algorithm of Lenstra, Lenstra and Lovasz [15] with a result of Kannan [12] about reduction of the closest vector problem to the shortest vector problem. ## In fact for our applications we apply it in a more well known form with the constant 2 s (as found by ....

C. P. Schnorr, A hierarchy of polynomial time basis reduction algorithms, Theor. Comp. Sci., 53 (1987), 201--224.

....X i=1 (z i r i ) 2 1 2 , z = z 1 , z s ) # L 9 = That is, a given vector can be rounded in polynomial time to an approximately closest vector in a given lattice. The above algorithm uses the lattice basis reduction algorithm of Lenstra, Lenstra and Lovasz [6] see also [11] for some more recent and stronger results. For integers g and x 1 , x d , selected in the interval [0, p 2] we denote by L g (x 1 , x d ) the d 1 dimensional lattice generated by the rows of the following (d 1) d 1) matrix 0 B B B B B B B p 0 0 . 0 0 0 p 0 . ....

C. P. Schnorr, A hierarchy of polynomial time basis reduction algorithms, Theor. Comp. Sci., 53 (1987) 201--224.

....IR s , finds a lattice vector v = v 1 , v s ) satisfying the inequality s X i=1 (v i r i ) 2 # exp O s log 2 log s log s min ( s X i=1 (z i r i ) 2 , z = z 1 , z s ) # L ) Proof. The statement is a combination of the Schnorr modification [22] of the lattice basis reduction algorithm of Lenstra, Lenstra and Lovasz [13] with a result of Kannan [10] about reduction of the closest vector problem to the shortest vector problem. ## Let # 1 , #m be a fixed basis of IK over IF. For an integer k # 0 and d elements t 1 , t ....

C. P. Schnorr, A hierarchy of polynomial time basis reduction algorithms, Theor. Comp. Sci., 53 (1987), 201--224.

....v = v 1 , v s ) satisfying the inequality s X i=1 (v i r i ) 2 1 2 # exp O s log 2 log s log s min 8 : s X i=1 (z i r i ) 2 1 2 , z = z 1 , z s ) # L 9 = Proof. The statement is a combination of the Schnorr modification [26] of the lattice basis reduction algorithm of Lenstra, Lenstra and Lovasz [16] with a result of Kannan [13] about reduction of the closest vector problem to the shortest vector problem. ## Let k # 0 and let e = e 1 , e m ) be an m dimensional vector of positive integers. For t 1 , ....

C. P. Schnorr, A hierarchy of polynomial time basis reduction algorithms, Theor. Comp. Sci., 53 (1987), 201--224.

....presented by Lenstra, Lenstra and Lov asz [L L L82] achieving a polynomial time algorithm approximating the Shortest Lattice Vector to within an exponential factor 2 dim 2 . Babai [Bab86] applied L L L s methods to present an algorithm that approximates CVP to within a similar factor. Schnorr [Sch85] improved on L L L s technique, reducing the factor of approximation to (1 ffl) n , for any constant ffl 0, for both CVP and SVP. These positive approximation results are still quite weak, achieving only extremely large (exponential) factors. The question naturally arises: What are the ....

C.P. Schnorr. A hierarchy of polynomial-time basis reduction algorithms. In Proceedings of Conference on Algorithms, P'ecs (Hungary) , pages 375--386. North-Holland, 1985.

....s ) satisfying the inequality s X i=1 (v i r i ) 2 # exp O s log 2 log s log s min ( s X i=1 (z i r i ) 2 , z = z 1 , z s ) # L ) BIT SECURITY OF THE SHAMIR MESSAGE PASSING SCHEME 5 Proof. The statement is a combination of the Schnorr modification [13] of the lattice basis reduction algorithm of Lenstra, Lenstra and Lovasz [5] with a result of Kannan [6] about reduction of the closest vector problem to the shortest vector problem. ## For integers g and x 1 , x d , selected in the interval [0, p 2] we denote by L g,p (x 1 , ....

C. P. Schnorr, A hierarchy of polynomial time basis reduction algorithms, Theor. Comp. Sci., 53 (1987), 201--224.

....easily verified to be sympletic. Then A Q = n # i =1 Q(# i )Q(# # i ) 0. The contrary is trivial since by the classification theorem Q # = n #H 0 . 5 Computational methods for quadratic forms References: Lag59, Jac57a, Jac57b, Gun81, Fro94, Fro06, LT85, Bri56, Leb56] References: [Hay68, Cot74, BP71, BKP76, BK77, BG, LLL82, Sch84, Hel85a, Hel85b, Bab85, Kan83a, Kan83b, Kan86, Lag80, Sch86a, Sch86b, vEB81, BK84, Die75, BK79, Poh81, AG85, Kan, FP85, Kal83] 6 Exercises 22 6 Exercises 1 Show that the group of self isomorphisms of the bilinear form given by the ndimensional identity matrix is isomorphic to the group of n n orthogonal matrix over Z. 2 Prove that the following statements are equivalent: 1. #(#,#) 0 for all # # M , then # ....

C. P. Schnorr. A hierarchy of polynomial time basis reduction algorithms. In Theory of Algorithms, volume 44 of Colloquia Mathematica Societatis Janos Bolyai. North-Holland, 1986. 21

....1 , z s ) # L 9 = On the Security of Di#e Hellman Bits 5 That is, a given vector can be rounded in polynomial time to an approximately closest vector in a given lattice. The above algorithm uses the lattice basis reduction algorithm of Lenstra, Lenstra and Lovasz [9] see also [14] for some more recent and stronger results. For integers x 1 , x d , selected in the interval [0, T 1] we denote by L g,p (x 1 , x d ) the d 1 dimensional lattice generated by the rows of the following (d 1) d 1) matrix 0 B B B B B p 0 0 . 0 0 0 p 0 . 0 0 ....

C. P. Schnorr, A hierarchy of polynomial time basis reduction algorithms, Theor. Comp. Sci., 53 (1987) 201--224.

....was presented by Lenstra, Lenstra and Lovasz [L L L82] achieving a polynomial time algorithm approximating the Shortest Lattice Vector to within an exponential factor 2 dim 2 . Babai [5] applied L L L s methods to present an algorithm that approximates CVP to within a similar factor. Schnorr [13] improved on L L L s technique, reducing the factor of approximation to (1 ffl) n , for any constant ffl 0, for both CVP and SVP. These positive approximation results are still quite weak, achieving only extremely large (exponential) factors. The question naturally arises: What are the ....

C. Schnorr. A hierarchy of polynomial-time basis reduction algorithms. In Proceedings of Conference on Algorithms, Pecs (Hungary), pages 375--386. North-Holland, 1985.

....comments in Section 2) and Ajtai s proof is easily one of the most intricate and beautiful NPcompleteness results known. While Ajtai s proof is a major step forward, the complexity of the shortest vector problem remains far from being well understood. The best known algorithms for this problem [LLL82, Sch85] produce vectors whose length is only guaranteed to be within an exponentially large factor times the length of the shortest lattice vectors. On the other hand, the best known hardness result ( Mic98] building on Ajtai s proof) only states that it is NP hard to produce a vector that is within p ....

C. Schnorr. A hierarchy of polynomial time basis reduction algorithms. In L. Lovasz and E. Szemeredi, editors, Theory of Algorithms, volume 44 of Colloquia Mathematica, pages 375-- 386. Janos Bolyai Mathematical Society, 1985.

....L L82] achieving a polynomial time algorithm approximating the Shortest Lattice Vector to within the exponential factor 2 n=2 , where n is the dimension of the lattice. Babai [Bab86] applied L L L s methods to present an algorithm that approximates CVP to within a similar factor. Schnorr [Sch85] improved on L L L s technique, reducing the factor of approximation to (1 ) n , for any constant 0, for both CVP and SVP. These positive approximation results hold for l p norm for any p 1 yet are quite weak, achieving only extremely large (exponential) approximation factors. The ....

C.P. Schnorr. A hierarchy of polynomial-time basis reduction algorithms. In Proceedings of Conference on Algorithms, P'ecs (Hungary), pages 375--386. North-Holland, 1985. 14

....of Ajtai [Ajt96] showing a reduction from a version of SVP to the average case of the same problem, renewed interest in these problems. Currently, there is no known polynomial time algorithm for finding SVP or CVP. The best known approximation algorithm for these problems is due to Schnorr [Sch85] Schnorr s algorithm, which is an improvement of the famous L L L lattice reduction algorithm [L L L82] approximates the CVP and the SVP to within a factor of (1 ) n , for any constant 0. This lack of better approximation algorithms may indicate that the task is NP hard. However, the ....

C.P. Schnorr. A hierarchy of polynomial-time basis reduction algorithms. In Proceedings of Conference on Algorithms, P'ecs (Hungary), pages 375--386. North-Holland, 1985.

....of quadratic forms. The field Geometry of Numbers was christened by Minkowski when he proved his fundamental theorems on shortest vectors and successive minima. In recent years, there is enormous interest in the algorithmic aspects of the theory, especially in connection with basis reduction [18, 23], algorithmic Diophantine approximation and combinatorial optimization [11] integer programming [19] volume estimation for convex bodies [7, 21, 15] and, cryptography [1, 2, 10, 17] There is an inherent beauty in many problems in the theory of Geometry of Numbers. Moreover, major algorithmic ....

....to these problems within any polynomial factor, even probabilistically. The celebrated Lov asz basis reduction algorithm finds a short vector within a factor of 2 n=2 in P time. Schnorr s algorithm gets a bound of (1 ffl) n , but the running time badly depends on ffl in the exponent [23]. Babai gave an algorithm that approximates the nearest vector by a factor of (3= p 2) n [4] The recent breakthrough by Ajtai [1] has its motivations from cryptography, and the connection between average case and worst case complexity in general. It has been realized for some time that the ....

C. P. Schnorr. A hierarchy of polynomial time basis reduction algorithms. Theory of Algorithms, pages 375--386, 1985.

No context found.

Schnorr, C.P., \A hierarchy of polynomial time basis reduction algorithms", manuscript, 1984.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC