### Citations

959 | Factoring polynomials with rational coefficients
- Lenstra, Lenstra, et al.
- 1982
(Show Context)
Citation Context ... 2.0 incarnation [8] incorporating pruning, recursive preprocessing and early termination strategies [14,18], • the Slide reduction algorithm of Gama and Nguyen [15], an elegant generalization of LLL =-=[27,36]-=- which provably approximates short lattice vectors within factors related to Mordell’s inequality. Both algorithms make use of a Shortest Vector Problem (SVP) oracle for lower dimensional lattices, an... |

361 | On Lattices, learning with errors, random linear codes, and cryptography
- Regev
- 2009
(Show Context)
Citation Context ...approximating lattice problems within factors that are super-linear in the lattice dimension. In fact, much effort has been put on minimizing such factors in the design of cryptographic constructions =-=[1, 2, 29,31,33,45,48,49]-=-. 2 One of our main findings is that the Slide reduction algorithm is much more practical than originally thought, and as the dimension increases, it performs almost as well as BKZ, while at the same ... |

356 |
Improved methods for calculating vectors of short length in a lattice, including a complexity analysis
- Fincke, Pohst
- 1985
(Show Context)
Citation Context ... enumeration algorithms are usually employed, since these are the most efficient algorithms for currently realistic dimensions. The standard enumeration procedure, usually attributed to Fincke, Pohst =-=[11]-=-, and Kannan [24] can be described as a recursive algorithm: given as input a basis B ∈ Zm×n and a radius r, it first recursively finds all vectors v′ ∈ L(pi2(B)) with ‖v′‖ ≤ r, and then for each of t... |

322 | Lattice basis reduction: Improved practical algorithms and solving subset sum problems
- Schnorr, Euchner
- 1994
(Show Context)
Citation Context ...ressed in this material are those of the author(s) and do not necessarily reflect the views of DARPA or NSF. 1 • the eminently practical Block-Korkine-Zolotarev (BKZ) algorithm of Schnorr and Euchner =-=[50,55]-=-, in its modern BKZ 2.0 incarnation [8] incorporating pruning, recursive preprocessing and early termination strategies [14,18], • the Slide reduction algorithm of Gama and Nguyen [15], an elegant gen... |

246 | A public-key cryptosystem with worst case/average case equivalence
- Ajtai, Dwork
- 1997
(Show Context)
Citation Context ...approximating lattice problems within factors that are super-linear in the lattice dimension. In fact, much effort has been put on minimizing such factors in the design of cryptographic constructions =-=[1, 2, 29,31,33,45,48,49]-=-. 2 One of our main findings is that the Slide reduction algorithm is much more practical than originally thought, and as the dimension increases, it performs almost as well as BKZ, while at the same ... |

192 |
Generating hard instances of lattice problems.
- Ajtai
- 2004
(Show Context)
Citation Context ...approximating lattice problems within factors that are super-linear in the lattice dimension. In fact, much effort has been put on minimizing such factors in the design of cryptographic constructions =-=[1, 2, 29,31,33,45,48,49]-=-. 2 One of our main findings is that the Slide reduction algorithm is much more practical than originally thought, and as the dimension increases, it performs almost as well as BKZ, while at the same ... |

152 | Public-key cryptosystems from the worst-case shortest vector problem
- Peikert
- 2009
(Show Context)
Citation Context |

146 |
A hierarchy of polynomial time lattice basis reduction algorithm, Theor
- Schnorr
- 1987
(Show Context)
Citation Context ...ressed in this material are those of the author(s) and do not necessarily reflect the views of DARPA or NSF. 1 • the eminently practical Block-Korkine-Zolotarev (BKZ) algorithm of Schnorr and Euchner =-=[50,55]-=-, in its modern BKZ 2.0 incarnation [8] incorporating pruning, recursive preprocessing and early termination strategies [14,18], • the Slide reduction algorithm of Gama and Nguyen [15], an elegant gen... |

131 | Worst-case to average-case reductions based on Gaussion measures
- Micciancio, Regev
- 2007
(Show Context)
Citation Context |

120 |
Improved algorithms for integer programming and related problems
- Kannan
- 1983
(Show Context)
Citation Context ...rithms are usually employed, since these are the most efficient algorithms for currently realistic dimensions. The standard enumeration procedure, usually attributed to Fincke, Pohst [11], and Kannan =-=[24]-=- can be described as a recursive algorithm: given as input a basis B ∈ Zm×n and a radius r, it first recursively finds all vectors v′ ∈ L(pi2(B)) with ‖v′‖ ≤ r, and then for each of them finds all v ∈... |

97 | Lattice Reduction
- Nguyen, Stern
(Show Context)
Citation Context ...ound on the length of its shortest output vector: γ (n−1)/(2(k−1)) k det(L) 1/n, where γk = Θ(k) is Hermite constant, and det(L) is the determinant of the lattice. Unfortunately, it has been reported =-=[15,16]-=- that in experiments the Slide reduction algorithm is outperformed by BKZ, which produces much shorter vectors for comparable block size. In fact, [15] remarks that even BKZ with block-size k = 20 pro... |

90 | Hardness of approximating the shortest vector problem in lattices
- Khot
(Show Context)
Citation Context ...ere Ω(n) ≤ γn ≤ n is Hermite’s constant. Finding a (even approximate) shortest nonzero vector in a lattice, commonly known as the Shortest Vector Problem (SVP), is NP-hard under randomized reductions =-=[25,32]-=-. For every lattice Λ, its dual is defined as Λ̂ = {w ∈ span(Λ)|〈w,v〉 ∈ Z for all v ∈ Λ}. It is a classical fact that det(Λ̂) = det(Λ)−1. For a lattice basis B, let D be the unique matrix that satisfi... |

82 | The two faces of lattices in cryptology - Nguyen, Stern |

72 | Lattice Reduction: A Toolbox for the Cryptanalyst - Joux, Stern - 1998 |

72 | Attacking the Chor-Rivest cryptosystem by improved lattice reduction. - Schnorr, Hörner - 1995 |

59 |
BKZ 2.0: Better lattice security estimates.
- CHEN, NGUYEN
- 2011
(Show Context)
Citation Context ...thor(s) and do not necessarily reflect the views of DARPA or NSF. 1 • the eminently practical Block-Korkine-Zolotarev (BKZ) algorithm of Schnorr and Euchner [50,55], in its modern BKZ 2.0 incarnation =-=[8]-=- incorporating pruning, recursive preprocessing and early termination strategies [14,18], • the Slide reduction algorithm of Gama and Nguyen [15], an elegant generalization of LLL [27,36] which provab... |

55 | Cryptanalysis of the Goldreich-Goldwasser-Halevi Cryptosystem from Crypto ’97 - Nguyen - 1999 |

54 |
All of Nonparametric Statistics, Springer Texts in Statistics,
- Wasserman
- 2006
(Show Context)
Citation Context ...r each of them. Our confidence interval with confidence parameter α, according to the bootstrap percentile interval method, is simply the α/2 and 1 − α/2 quantiles. For further discussion we refer to =-=[66]-=-. Throughout this work we use α = .05 and l = 100. The complete confidence intervals for mean value and standard deviation are 14 listed in Appendix B. Whenever we refer to the standard deviation of a... |

52 |
Algorithms to construct Minkowski reduced and Hermite reduced lattice bases, Theor
- Helfrich
- 1985
(Show Context)
Citation Context ...projected) vector and thus increase the chance of finding some short vector early, which will update the bound r and keep the search space smaller. For more details on recent improvements we refer to =-=[14,19,20,34,65]-=-. 2.3 Lattice Reduction As opposed to exact SVP algorithms, lattice reductions approximate the shortest vector. The quality of their output is usually measured in the length of the shortest vector the... |

47 | The insecurity of the elliptic curve digital signature algorithm with partially known nonces,” Des. - Nguyen, Shparlinski - 2003 |

44 | Lattice reduction in cryptology: An update - Nguyen, Stern |

44 | New lattice based cryptographic constructions
- Regev
- 2003
(Show Context)
Citation Context |

43 | LLL on the average.
- Nguyen, Stehlé
- 2006
(Show Context)
Citation Context ...LL reduced. From this it is straight forward to prove that LLL reduction achieves a root Hermite factor of at most δ ≤ γ1/42 ≈ 1.0746. However, LLL has been reported to behave much better in practice =-=[16,39]-=-, but to this day it remains unclear why. BKZ [50] is a generalization of LLL to larger block size. A basis B is BKZ reduced with block size k (denoted by BKZ-k) if B[1,min(k,n)] is SVP reduced and pi... |

42 | A more efficient algorithm for lattice basis reduction - Schnorr - 1988 |

41 | Improved analysis of kannan’s shortest lattice vector algorithm.
- Hanrot, Stehle
- 2007
(Show Context)
Citation Context ...projected) vector and thus increase the chance of finding some short vector early, which will update the bound r and keep the search space smaller. For more details on recent improvements we refer to =-=[14,19,20,34,65]-=-. 2.3 Lattice Reduction As opposed to exact SVP algorithms, lattice reductions approximate the shortest vector. The quality of their output is usually measured in the length of the shortest vector the... |

40 |
Finding short lattice vectors within Mordell's inequality.
- Gama, Nguyen
- 2008
(Show Context)
Citation Context ...know v in order to achieve this – knowing x is sufficient. It is not immediately clear that the size of the numbers during the execution of this step is polynomially bounded. However, Gama and Nguyen =-=[15]-=- show that it is if using the right strategy for the GCD computation and we will skip this detail here. 8 Conclusion and Future Work While our experimental study of lattice reduction confirms that the... |

38 | Low-dimensional lattice basis reduction revisited - Nguyen, Stehle - 2004 |

37 | Almost perfect lattices, the covering radius problem, and applications to Ajtai’s connection factor.
- Micciancio
- 2004
(Show Context)
Citation Context |

28 | Cryptanalysis of the Ajtai-Dwork cryptosystem - Nguyen, Stern - 1998 |

26 | On bounded distance decoding, unique shortest vectors, and the minimum distance problem
- Lyubashevsky, Micciancio
- 2009
(Show Context)
Citation Context |

25 | reduced lattice bases and successive minima - Block - 1994 |

24 | Fast LLL-type lattice reduction - Schnorr - 2006 |

23 |
Lattice enumeration using extreme pruning.
- GAMA, NGUYEN, et al.
- 2010
(Show Context)
Citation Context ...practical Block-Korkine-Zolotarev (BKZ) algorithm of Schnorr and Euchner [50,55], in its modern BKZ 2.0 incarnation [8] incorporating pruning, recursive preprocessing and early termination strategies =-=[14,18]-=-, • the Slide reduction algorithm of Gama and Nguyen [15], an elegant generalization of LLL [27,36] which provably approximates short lattice vectors within factors related to Mordell’s inequality. Bo... |

23 | A hybrid lattice-reduction and meet-in-the-middle attack against NTRU. - HOWGRAVE-GRAHAM - 2007 |

22 | Segment LLL-Reduction of Lattice Bases - Koy, Schnorr |

21 | A modification of the LLL reduction algorithm - Pohst - 1987 |

18 | Simultaneous reduction of a lattice basis and its reciprocal basis - Seysen - 1993 |

17 |
NTL: A Library for doing Number Theory, available at http://www.shoup.net/index.html
- Shoup
(Show Context)
Citation Context ...rovably achieve bounds only slightly worse than (1) (and exactly (2)). For these reasons, BKZ is very popular in practice and implementations are readily available in different libraries, e.g. in NTL =-=[59]-=- or fpLLL [4]. In [15], Gama and Nguyen introduced a different block reduction algorithm, namely Slide reduction. It is also parametrized by a block size k, which is required to divide the lattice dim... |

15 | Rankin’s constant and blockwise lattice reduction. - Gama, Howgrave-Graham, et al. - 2006 |

15 | Analyzing blockwise lattice algorithms using dynamical systems
- Hanrot, Pujol, et al.
- 2011
(Show Context)
Citation Context ...ct the average case behavior of Slide reduction and yields the same estimate as Corollary 1. 4 Dynamical System In this section we analyze the DBKZ algorithm using the dynamical system technique from =-=[17]-=-. Let B = [b1, . . . ,bn] be an input basis to DBKZ, and assume without loss of generality that det(B) = 1. During a forward tour, our algorithm computes a sequence of lattice vectors B′ = [b′1, . . .... |

12 | The effectiveness of lattice attacks against lowexponent RSA - Coupé, Nguyen, et al. |

12 | Faster algorithms for integer lattice basis reduction - Storjohann |

12 | How to break Okamoto’s cryptosystem by reducing lattice bases - Vallée, Girault, et al. - 1988 |

12 | Estimating key sizes for high dimensional lattice-based systems,
- Pol, Smart
- 2013
(Show Context)
Citation Context ...t quality. This provides a simple and effective method to evaluate the impact of lattice basis reduction attacks on lattice cryptography, without the need to run simulators or other computer programs =-=[8, 63]-=-. Key to our findings, is a new procedure to enumerate shortest lattice vectors in dual lattices, without the need to explicitly compute a dual basis. Interestingly, our dual enumeration procedure is ... |

10 | Symplectic Lattice Reduction and NTRU - Gama, Howgrave-Graham, et al. - 2006 |

10 | Lattice Reduction Algorithms: Theory and Practice - Nguyen - 2011 |

8 | Progress on LLL and lattice reduction - Schnorr - 2009 |

7 | Lattices and basis reduction algorithm - Bachem, Kannan - 1984 |

7 | Inapproximability of the shortest vector problem: Toward a deterministic reduction.
- Micciancio
- 2012
(Show Context)
Citation Context ...ere Ω(n) ≤ γn ≤ n is Hermite’s constant. Finding a (even approximate) shortest nonzero vector in a lattice, commonly known as the Shortest Vector Problem (SVP), is NP-hard under randomized reductions =-=[25,32]-=-. For every lattice Λ, its dual is defined as Λ̂ = {w ∈ span(Λ)|〈w,v〉 ∈ Z for all v ∈ Λ}. It is a classical fact that det(Λ̂) = det(Λ)−1. For a lattice basis B, let D be the unique matrix that satisfi... |

6 | Fast lattice point enumeration with minimal overhead
- Micciancio, Walter
(Show Context)
Citation Context ...projected) vector and thus increase the chance of finding some short vector early, which will update the bound r and keep the search space smaller. For more details on recent improvements we refer to =-=[14,19,20,34,65]-=-. 2.3 Lattice Reduction As opposed to exact SVP algorithms, lattice reductions approximate the shortest vector. The quality of their output is usually measured in the length of the shortest vector the... |

6 | Probabilistic analyses of lattice reduction algorithms - Vallée, Vera - 2010 |

5 | Speeding-up lattice reduction with random projections - Akhavi, Stehlé - 2008 |

5 |
On the concrete hardness of learning with errors. Cryptology ePrint Archive, Report 2015/046
- Albrecht, Player, et al.
- 2015
(Show Context)
Citation Context ...dimensions, but to be quite accurate starting in dimension > 45. Based on Equation (5), the root Hermite factor achieved by lattice reduction (usually with regards to BKZ) is commonly estimated to be =-=[5]-=- δ ≈ GH(k) 1k−1 . (6) However, since the Gaussian Heuristic only seems to hold in large enough dimensions and BKZ makes calls to SVP oracles in all dimensions up to the block size k, it is not immedia... |

4 |
fplll-4.0, a floating-point LLL implementation. Available at http://perso.ens-lyon.fr/damien.stehle
- Albrecht, Cadé, et al.
(Show Context)
Citation Context ...e bounds only slightly worse than (1) (and exactly (2)). For these reasons, BKZ is very popular in practice and implementations are readily available in different libraries, e.g. in NTL [59] or fpLLL =-=[4]-=-. In [15], Gama and Nguyen introduced a different block reduction algorithm, namely Slide reduction. It is also parametrized by a block size k, which is required to divide the lattice dimension n, but... |

3 | Algorithms for the densest sub-lattice problem - Dadush, Micciancio - 2013 |

3 |
Terminating bkz. Cryptology ePrint Archive, Report 2011/198
- Hanrot, Pujol, et al.
- 2011
(Show Context)
Citation Context ...practical Block-Korkine-Zolotarev (BKZ) algorithm of Schnorr and Euchner [50,55], in its modern BKZ 2.0 incarnation [8] incorporating pruning, recursive preprocessing and early termination strategies =-=[14,18]-=-, • the Slide reduction algorithm of Gama and Nguyen [15], an elegant generalization of LLL [27,36] which provably approximates short lattice vectors within factors related to Mordell’s inequality. Bo... |

3 |
Hermite’s constant and lattice algorithms
- Nguyen
(Show Context)
Citation Context ... 2.0 incarnation [8] incorporating pruning, recursive preprocessing and early termination strategies [14,18], • the Slide reduction algorithm of Gama and Nguyen [15], an elegant generalization of LLL =-=[27,36]-=- which provably approximates short lattice vectors within factors related to Mordell’s inequality. Both algorithms make use of a Shortest Vector Problem (SVP) oracle for lower dimensional lattices, an... |

2 | Lattice attacks on GGH cryptosystem. Rump session of Crypto'97 - Schnorr, Fischlin, et al. - 1997 |

1 |
Rduction de rseau et scurit concrte du chiffrement compltement homomorphe
- Chen
- 2013
(Show Context)
Citation Context ...ld in large enough dimensions and BKZ makes calls to SVP oracles in all dimensions up to the block size k, it is not immediately clear how justified this estimation is. While there is a proof by Chen =-=[7]-=- that under the Gaussian Heuristic, Equation (6) is accurate for BKZ, this is only true as the lattice dimension tends to infinity. It might be reasonable to assume that this also holds in practice as... |

1 | 2007, volume 4622 of LNCS - CRYPTO - 2007 |

1 |
Approximating the densest sublattice from rankins inequality
- Li, Nguyen
(Show Context)
Citation Context ...search into reduction algorithms that make use of dual SVP reduction, like variants of Slide reduction. Future lines of research could explore if, for example, the block Rankin reduction algorithm of =-=[28]-=- can be efficiently implemented by using it to apply the densest sublattice algorithm of [10] to the dual lattice. This could be used to achieve potentially stronger notions of reduction with better o... |

1 | Segment lll reduction of lattice bases using modular arithmetic - Mehrotra, Li |

1 | Recursive lattice reduction - Plantard, Susilo - 2010 |

1 | Lattice point enumeration on block reduced bases
- Walter
- 2015
(Show Context)
Citation Context |