Identifying reducible k-tuples of vectors with subspace-proximity sensitive hashing/filtering

We introduce and analyse a family of hash and predicate functions that are more likely to produce collisions for small reducible configurations of vectors. These may offer practical improvements to lattice sieving for short vectors. In particular, in one asymptotic regime the family exhibits significantly different convergent behaviour than existing hash functions and predicates.Comment: 20 pages, 5 figure

Accelerating the Final Exponentiation in the Computation of the Tate Pairings

Tate pairing computation consists of two parts: Miller step and final exponentiation step. In this paper, we investigate how to accelerate the final exponentiation step. Consider an order $r$ subgroup of an elliptic curve defined over \Fq with embedding degree $k$. The final exponentiation in the Tate pairing is an exponentiation of an element in \Fqk by $(q^k-1)/r$. The hardest part of this computation is to raise to the power \lam:=\varphi_k(q)/r. Write it as \lam=\lam_0+\lam_1q+\cdots+\lam_{d-1}q^{d-1} in the $q$-ary representation. When using multi-exponentiation techniques with precomputation, the final exponentiation cost mostly depends on $\kappa(\lambda)$, the size of the maximum of $|\lambda_i|$. In many parametrized pairing-friendly curves, the value $\kappa$ is about $\left(1-\frac{1}{\rho\varphi(k)}\right)\log q$ where $\rho=\log q/\log r$, while random curves will have $\kappa \approx \log q$. We analyze how this small $\kappa$ is obtained for parametrized elliptic curves, and show that $\left(1-\frac{1}{\rho\varphi(k)}\right)\log q$ is almost optimal in the sense that for all known construction methods of parametrized pairing-friendly curves it is the lower bound. This method is useful, but has a limitation that it can only be applied to only parametrized curves and excludes many of elliptic curves. In the second part of our paper, we propose a method to obtain a modified Tate pairing with smaller $\kappa$ for {\em any elliptic curves}. More precisely, our method finds an integer $m$ such that $\kappa(m\lambda)=\left(1-\frac{1}{\rho\varphi(k)}\right)\log q$ efficiently using lattice reduction. Using this modified Tate pairing, we can reduce the number of squarings in the final exponentiation by about $\left(1-\frac{1}{\rho\varphi(k)}\right)$ times from the usual Tate pairing. We apply our method to several known pairing friendly curves to verify the expected speedup

Formes quadratiques ternaires représantant tous les entiers impairs

Les calculs numériques ont été effectués à l'aide du logiciel SAGE.En 1993, Conway et Schneeberger fournirent un critère simple permettant de déterminer si une forme quadratique donnée représente tous les entiers positifs ; le théorème des 15. Dans ce mémoire, nous nous intéressons à un problème analogue, soit la recherche d’un critère similaire permettant de détecter si une forme quadratique en trois variables représente tous les entiers impairs. On débute donc par une introduction générale à la théorie des formes quadratiques, notamment en deux variables, puis on expose différents points de vue sous lesquels on peut les considérer. On décrit ensuite le théorème des 15 et ses généralisations, en soulignant les techniques utilisées dans la preuve de Bhargava. Enfin, on démontre deux théorèmes qui fournissent des critères permettant de déterminer si une forme quadratique ternaire représente tous les entiers impairs.In 1993, Conway and Schneeberger gave a simple criterion allowing one to determine whether a given quadratic form represents all positive integers ; the 15-theorem. In this thesis, we investigate an analogous problem, that is the search for a similar criterion allowing one to detect if a quadratic form in three variables represents all odd integers. We start with a general introduction to the theory of quadratic forms, namely in two variables, then, we expose different points of view under which quadratic forms can be considered. We then describe the 15-theorem and its generalizations, with a particular emphasis on the techniques used in Bhargava’s proof of the theorem. Finally, we give a proof of two theorems which provide a criteria to determine whether a ternary quadratic form represents all odd integers

Low-dimensional lattice basis reduction revisited

International audienceLattice reduction is a geometric generalization of the problem of computing greatest common divisors. Most of the interesting algorithmic problems related to lattice reduction are NP-hard as the lattice dimension increases. This article deals with the low-dimensional case. We study a greedy lattice basis reduction algorithm for the Euclidean norm, which is arguably the most natural lattice basis reduction algorithm, because it is a straightforward generalization of an old two-dimensional algorithm of Lagrange, usually known as Gauss' algorithm, and which is very similar to Euclid's gcd algorithm. Our results are two-fold. From a mathematical point of view, we show that up to dimension four, the output of the greedy algorithm is optimal: the output basis reaches all the successive minima of the lattice. However, as soon as the lattice dimension is strictly higher than four, the output basis may be arbitrarily bad as it may not even reach the first minimum. More importantly, from a computational point of view, we show that up to dimension four, the bit-complexity of the greedy algorithm is quadratic without fast integer arithmetic, just like Euclid's gcd algorithm. This was already proved by Semaev up to dimension three using rather technical means, but it was previously unknown whether or not the algorithm was still polynomial in dimension four. We propose two different analyzes: a global approach based on the geometry of the current basis when the length decrease stalls, and a local approach showing directly that a significant length decrease must occur every O(1) consecutive steps. Our analyzes simplify Semaev's analysis in dimensions two and three, and unify the cases of dimensions two to four. Although the global approach is much simpler, we also present the local approach because it gives further information on the behavior of the algorithm