A Modified KZ Reduction Algorithm
The Korkine-Zolotareff (KZ) reduction has been used in communications and
cryptography. In this paper, we modify a very recent KZ reduction algorithm
proposed by Zhang et al., resulting in a new algorithm, which can be much
faster and more numerically reliable, especially when the basis matrix is ill
conditioned.
Comment: has been accepted by IEEE ISIT 201
An Improved BKW Algorithm for LWE with Applications to Cryptography and Lattices
In this paper, we study the Learning With Errors problem and its binary
variant, where secrets and errors are binary or taken in a small interval. We
introduce a new variant of the Blum, Kalai and Wasserman algorithm, relying on
a quantization step that generalizes and fine-tunes modulus switching. In
general this new technique yields a significant gain in the constant in front
of the exponent in the overall complexity. We illustrate this by solving p
within half a day a LWE instance with dimension n = 128, modulus ,
Gaussian noise and binary secret, using
samples, while the previous best result based on BKW claims a time
complexity of with samples for the same parameters. We then
introduce variants of BDD, GapSVP and UniqueSVP, where the target point is
required to lie in the fundamental parallelepiped, and show how the previous
algorithm is able to solve these variants in subexponential time. Moreover, we
also show how the previous algorithm can be used to solve the BinaryLWE problem
with n samples in subexponential time . This
analysis does not require any heuristic assumption, contrary to other algebraic
approaches; instead, it uses a variant of an idea by Lyubashevsky to generate
many samples from a small number of samples. This makes it possible to
asymptotically and heuristically break the NTRU cryptosystem in subexponential
time (without contradicting its security assumption). We are also able to solve
subset sum problems in subexponential time for density , which is of
independent interest: for such density, the previous best algorithm requires
exponential time. As a direct application, we can solve in subexponential time
the parameters of a cryptosystem based on this problem proposed at TCC 2010.
Comment: CRYPTO 201
Decoding by Sampling: A Randomized Lattice Algorithm for Bounded Distance Decoding
Despite its reduced complexity, lattice reduction-aided decoding exhibits a
widening gap to maximum-likelihood (ML) performance as the dimension increases.
To improve its performance, this paper presents randomized lattice decoding
based on Klein's sampling technique, which is a randomized version of Babai's
nearest plane algorithm (i.e., successive interference cancellation (SIC)). To
find the closest lattice point, Klein's algorithm is used to sample some
lattice points and the closest among those samples is chosen. Lattice reduction
increases the probability of finding the closest lattice point, and only needs
to be run once during pre-processing. Further, the sampling can operate very
efficiently in parallel. The technical contribution of this paper is two-fold:
we analyze and optimize the decoding radius of sampling decoding resulting in
better error performance than Klein's original algorithm, and propose a very
efficient implementation of random rounding. Of particular interest is that a
fixed gain in the decoding radius compared to Babai's decoding can be achieved
at polynomial complexity. The proposed decoder is useful for moderate
dimensions where sphere decoding becomes computationally intensive, while
lattice reduction-aided decoding starts to suffer considerable loss. Simulation
results demonstrate near-ML performance is achieved by a moderate number of
samples, even if the dimension is as high as 32
A nested Krylov subspace method to compute the sign function of large complex matrices
We present an acceleration of the well-established Krylov-Ritz methods to
compute the sign function of large complex matrices, as needed in lattice QCD
simulations involving the overlap Dirac operator at both zero and nonzero
baryon density. Krylov-Ritz methods approximate the sign function using a
projection on a Krylov subspace. To achieve a high accuracy this subspace must
be taken quite large, which makes the method too costly. The new idea is to
make a further projection on an even smaller, nested Krylov subspace. If
additionally an intermediate preconditioning step is applied, this projection
can be performed without affecting the accuracy of the approximation, and a
substantial gain in efficiency is achieved for both Hermitian and non-Hermitian
matrices. The numerical efficiency of the method is demonstrated on lattice
configurations of sizes ranging from 4^4 to 10^4, and the new results are
compared with those obtained with rational approximation methods.
Comment: 17 pages, 12 figures, minor corrections, extended analysis of the
preconditioning ste
Decoding by Embedding: Correct Decoding Radius and DMT Optimality
The closest vector problem (CVP) and shortest (nonzero) vector problem (SVP)
are the core algorithmic problems on Euclidean lattices. They are central to
the applications of lattices in many problems of communications and
cryptography. Kannan's embedding technique is a powerful technique for
solving the approximate CVP, yet its remarkable practical performance is not
well understood. In this paper, the embedding technique is analyzed from a
bounded distance decoding (BDD) viewpoint. We present two complementary
analyses of the embedding technique: We establish a reduction from BDD to
Hermite SVP (via unique SVP), which can be used along with any Hermite SVP
solver (including, among others, the Lenstra, Lenstra and Lovász (LLL)
algorithm), and show that, in the special case of LLL, it performs at least as
well as Babai's nearest plane algorithm (LLL-aided SIC). The former analysis
helps to explain the folklore practical observation that unique SVP is easier
than standard approximate SVP. It is proven that when the LLL algorithm is
employed, the embedding technique can solve the CVP provided that the noise
norm is smaller than a decoding radius , where
is the minimum distance of the lattice, and . This
substantially improves the previously best known correct decoding bound . Focusing on the applications of BDD to decoding of
multiple-input multiple-output (MIMO) systems, we also prove that BDD of the
regularized lattice is optimal in terms of the diversity-multiplexing gain
tradeoff (DMT), and propose practical variants of embedding decoding which
require no knowledge of the minimum distance of the lattice and/or further
improve the error performance.
Comment: To appear in IEEE Transactions on Information Theor
Splitting full matrix algebras over algebraic number fields
Let K be an algebraic number field of degree d and discriminant D over Q. Let
A be an associative algebra over K given by structure constants such that A is
isomorphic to the algebra M_n(K) of n by n matrices over K for some positive
integer n. Suppose that d, n and D are bounded. Then an isomorphism of A with
M_n(K) can be constructed by a polynomial time ff-algorithm. (An ff-algorithm
is a deterministic procedure which is allowed to call oracles for factoring
integers and factoring univariate polynomials over finite fields.)
As a consequence, we obtain a polynomial time ff-algorithm to compute
isomorphisms of central simple algebras of bounded degree over K.
Comment: 15 pages; Theorem 2 and Lemma 8 correcte