Closest Point Search in Lattices
IEEE Trans. Inform. Theory, 2000
Cited by 333 (2 self)
In this semitutorial paper, a comprehensive survey of closest-point search methods for lattices without a regular structure is presented. The existing search strategies are described in a unified framework, and differences between them are elucidated. An efficient closest-point search algorithm, based on the Schnorr–Euchner variation of the Pohst method, is implemented. Given an arbitrary point x ∈ R^m and a generator matrix for a lattice, the algorithm computes the point of the lattice that is closest to x. The algorithm is shown to be substantially faster than other known methods, by means of a theoretical comparison with the Kannan algorithm and an experimental comparison with the Pohst algorithm and its variants, such as the recent Viterbo–Boutros decoder. The improvement increases with the dimension of the lattice. Modifications of the algorithm are developed to solve a number of related search problems for lattices, such as finding a shortest vector, determining the kissing number, compu...
On Maximum-Likelihood Detection and the Search for the Closest Lattice Point
IEEE Trans. Inform. Theory, 2003
Cited by 273 (9 self)
Maximum-likelihood (ML) decoding algorithms for Gaussian multiple-input multiple-output (MIMO) linear channels are considered. Linearity over the field of real numbers facilitates the design of ML decoders using number-theoretic tools for searching the closest lattice point. These decoders are collectively referred to as sphere decoders in the literature. In this paper, a fresh look at this class of decoding algorithms is taken. In particular, two novel algorithms are developed. The first algorithm is inspired by the Pohst enumeration strategy and is shown to offer a significant reduction in complexity compared to the Viterbo–Boutros sphere decoder. The connection between the proposed algorithm and the stack sequential decoding algorithm is then established. This connection is utilized to construct the second algorithm, which can also be viewed as an application of the Schnorr–Euchner strategy to ML decoding. Aided with a detailed study of preprocessing algorithms, a variant of the second algorithm is developed and shown to offer significant reductions in the computational complexity compared to all previously proposed sphere decoders with a near-ML detection performance. This claim is supported by intuitive arguments and simulation results in many relevant scenarios.
Analysis of PSLQ, An Integer Relation Finding Algorithm
Mathematics of Computation, 1999
Cited by 90 (27 self)
Let K be either the real, complex, or quaternion number system and let O(K) be the corresponding integers. Let x = (x_1, ..., x_n) be a vector in K^n. The vector x has an integer relation if there exists a vector m = (m_1, ..., m_n) ∈ O(K)^n, m ≠ 0, such that m_1 x_1 + m_2 x_2 + ... + m_n x_n = 0. In this paper we define the parameterized integer relation construction algorithm PSLQ(r), where the parameter r can be freely chosen in a certain interval. Beginning with an arbitrary vector x = (x_1, ..., x_n) ∈ K^n, iterations of PSLQ(r) will produce lower bounds on the norm of any possible relation for x. Thus PSLQ(r) can be used to prove that there are no relations for x of norm less than a given size. Let M_x be the smallest norm of any relation for x. For the real and complex case and each fixed parameter r in a certain interval, we prove that PSLQ(r) constructs a relation in less than O(n^3 + n^2 log M_x) iterations.
Algorithm and implementation of the K-Best sphere decoding for MIMO detection
IEEE Journal on Selected Areas in Communications, 2006
Cited by 88 (1 self)
K-best Schnorr–Euchner (KSE) decoding algorithm is proposed in this paper to approach near-maximum-likelihood (ML) performance for multiple-input–multiple-output (MIMO) detection. As a low-complexity MIMO decoding algorithm, the KSE is shown to be suitable for very large scale integration (VLSI) implementations and to be capable of supporting soft outputs. Modified KSE (MKSE) decoding algorithm is further proposed to improve the performance of the soft-output KSE with minor modifications. Moreover, a VLSI architecture is proposed for both algorithms. There are several low-complexity and low-power features incorporated in the proposed algorithms and the VLSI architecture. The proposed hard-output KSE decoder and the soft-output MKSE decoder are implemented for 4 × 4 16-quadrature amplitude modulation (QAM) MIMO detection in a 0.35 µm and a 0.13 µm CMOS technology, respectively. The implemented hard-output KSE chip core is 5.76 mm² with 91 K gates. The KSE decoding throughput is up to 53.3 Mb/s with a core power consumption of 626 mW at 100 MHz clock frequency and 2.8 V supply. The implemented soft-output MKSE chip can achieve a decoding throughput of more than 100 Mb/s with a 0.56 mm² core area and 97 K gates. The implementation results show that it is feasible to achieve near-ML performance and high detection throughput for a 4 × 4 16-QAM MIMO system using the proposed algorithms and the VLSI architecture with reasonable complexity.
Index Terms: Multiple-input–multiple-output (MIMO), Schnorr–Euchner algorithm, sphere decoder, very large scale integration (VLSI).
The two faces of lattices in cryptology
In Proceedings of CaLC ’01, 2001
The Insecurity of the Digital Signature Algorithm with Partially Known Nonces
Journal of Cryptology, 2000
Cited by 80 (18 self)
We present a polynomial-time algorithm that provably recovers the signer's secret DSA key when a few bits of the random nonces k (used at each signature generation) are known for a number of DSA signatures at most linear in log q (q denoting as usual the small prime of DSA), under a reasonable assumption on the hash function used in DSA. The number of required bits is about log^(1/2) q, and can be further decreased to 2 if one assumes access to ideal lattice basis reduction, namely an oracle for the lattice closest vector problem for the infinity norm. All previously known results were only heuristic, including those of Howgrave-Graham and Smart who recently introduced that topic. Our attack is based on a connection with the hidden number problem (HNP) introduced at Crypto '96 by Boneh and Venkatesan in order to study the bit-security of the Diffie–Hellman key exchange. The HNP consists, given a prime number q, of recovering a number α ∈ F_q such that for many known random t ∈ F_q ...
A unified framework for tree search decoding: rediscovering the sequential decoder
IEEE Transactions on Information Theory, 2006
Lattice Reduction: a Toolbox for the Cryptanalyst
Journal of Cryptology, 1994
Cited by 72 (9 self)
In recent years, methods based on lattice reduction have been used repeatedly for the cryptanalytic attack of various systems. Even if they do not rest on highly sophisticated theories, these methods may look a bit intricate to the practically oriented cryptographers, both from the mathematical and the algorithmic point of view. The aim of the present paper is to explain what can be achieved by lattice reduction algorithms, even without understanding of the actual mechanisms involved. Two examples are given, one of them being the attack devised by the second named author against Knuth's truncated linear congruential generator, which was announced a few years ago and appears here for the first time in journal version.
Attacking the Chor–Rivest Cryptosystem by Improved Lattice Reduction
1995
Cited by 72 (6 self)
We introduce algorithms for lattice basis reduction that are improvements of the famous L³ algorithm. If a random L³-reduced lattice basis b_1, ..., b_n is given such that the vector of reduced Gram–Schmidt coefficients ({μ_{i,j}} : 1 ≤ j < i ≤ n) is uniformly distributed in [0, 1)^(n choose 2), then the pruned enumeration finds with positive probability a shortest lattice vector. We demonstrate the power of these algorithms by solving random subset sum problems of arbitrary density with 74 and 82 many weights, by breaking the Chor–Rivest cryptoscheme in dimensions 103 and 151 and by breaking Damgård's hash function.
Better key sizes (and attacks) for LWE-based encryption
In CT-RSA, 2011
Cited by 71 (7 self)
We analyze the concrete security and key sizes of theoretically sound lattice-based encryption schemes based on the “learning with errors” (LWE) problem. Our main contributions are: (1) a new lattice attack on LWE that combines basis reduction with an enumeration algorithm admitting a time/success tradeoff, which performs better than the simple distinguishing attack considered in prior analyses; (2) concrete parameters and security estimates for an LWE-based cryptosystem that is more compact and efficient than the well-known schemes from the literature. Our new key sizes are up to 10 times smaller than prior examples, while providing even stronger concrete security levels.