Approximate common divisors via lattices
We analyze the multivariate generalization of Howgrave-Graham's algorithm for
the approximate common divisor problem. In the m-variable case with modulus N
and approximate common divisor of size N^beta, this improves the size of the
error tolerated from N^(beta^2) to N^(beta^((m+1)/m)), under a commonly used
heuristic assumption. This gives a more detailed analysis of the hardness
assumption underlying the recent fully homomorphic cryptosystem of van Dijk,
Gentry, Halevi, and Vaikuntanathan. While these results do not challenge the
suggested parameters, a 2^(n^epsilon) approximation algorithm with epsilon<2/3
for lattice basis reduction in n dimensions could be used to break these
parameters. We have implemented our algorithm, and it performs better in
practice than the theoretical analysis suggests.
Our results fit into a broader context of analogies between cryptanalysis and
coding theory. The multivariate approximate common divisor problem is the
number-theoretic analogue of multivariate polynomial reconstruction, and we
develop a corresponding lattice-based algorithm for the latter problem. In
particular, it specializes to a lattice-based list decoding algorithm for
Parvaresh-Vardy and Guruswami-Rudra codes, which are multivariate extensions of
Reed-Solomon codes. This yields a new proof of the list decoding radii for
these codes.
Comment: 17 page
Decoding of Interleaved Reed-Solomon Codes Using Improved Power Decoding
We propose a new partial decoding algorithm for -interleaved Reed-Solomon
(IRS) codes that can decode, with high probability, a random error of relative
weight at all code rates , in time polynomial in the
code length . For , this is an asymptotic improvement over the previous
state-of-the-art for all rates, and the first improvement for in the
last years. The method combines collaborative decoding of IRS codes with
power decoding up to the Johnson radius.
Comment: 5 pages, accepted at IEEE International Symposium on Information
Theory 201
Fast Computation of Minimal Interpolation Bases in Popov Form for Arbitrary Shifts
We compute minimal bases of solutions for a general interpolation problem,
which encompasses Hermite-Padé approximation and constrained multivariate
interpolation, and has applications in coding theory and security.
This problem asks to find univariate polynomial relations between vectors
of size ; these relations should have small degree with respect to an
input degree shift. For an arbitrary shift, we propose an algorithm for the
computation of an interpolation basis in shifted Popov normal form with a cost
of field operations, where
is the exponent of matrix multiplication and the notation
indicates that logarithmic terms are omitted.
Earlier works, in the case of Hermite-Padé approximation and in the general
interpolation case, compute non-normalized bases. Since for arbitrary shifts
such bases may have size , the cost bound
was feasible only with restrictive
assumptions on the shift that ensure small output sizes. The question of
handling arbitrary shifts with the same complexity bound was left open.
To obtain the target cost for any shift, we strengthen the properties of the
output bases, and of those obtained during the course of the algorithm: all the
bases are computed in shifted Popov form, whose size is always .
Then, we design a divide-and-conquer scheme. We recursively reduce
the initial interpolation problem to sub-problems with more convenient shifts
by first computing information on the degrees of the intermediate bases.
Comment: 8 pages, sig-alternate class, 4 figures (problems and algorithms
Algorithms for the approximate common divisor problem
The security of several homomorphic encryption schemes depends on the hardness of the Approximate Common Divisor (ACD) problem. In this paper we review and compare existing algorithms to solve the ACD problem using lattices. In particular we consider the simultaneous Diophantine approximation method, the orthogonal lattice method, and a method based on multivariate polynomials and Coppersmith's algorithm that was studied in detail by Cohn and Heninger. One of our main goals is to compare the multivariate polynomial approach with other methods. We find that the multivariate polynomial approach is not better than the orthogonal lattice algorithm for practical cryptanalysis.
Another contribution is to consider a sample-amplification technique for ACD samples, and to consider a pre-processing algorithm similar to the Blum-Kalai-Wasserman (BKW) algorithm for learning parity with noise. We explain why, unlike in other settings, the BKW algorithm does not give an improvement over the lattice algorithms.
This is the full version of a paper published at ANTS-XII in 2016
Bohr sets generated by polynomials and Coppersmith's method in many variables
We obtain bounds on the average size of Bohr sets with coefficients
parametrised by polynomials over finite fields and obtain a series of general
results and also some sharper results for specific sets which are important for
applications to computer science. In particular, we use our estimates to show
that a heuristic assumption used in the many variable version of Coppersmith's
method holds with high probability. We demonstrate the use of our results on
the approximate greatest common divisor problem and obtain a fully rigorous
version of the heuristic algorithm of H. Cohn and N. Heninger (2013).
Simultaneous Diagonalization of Incomplete Matrices and Applications
We consider the problem of recovering the entries of diagonal matrices
for from multiple "incomplete" samples
of the form , where and are unknown matrices of low rank. We
devise practical algorithms for this problem depending on the ranks of and
. This problem finds its motivation in cryptanalysis: we show how to
significantly improve previous algorithms for solving the approximate common
divisor problem and breaking CLT13 cryptographic multilinear maps.
Comment: 16 page