135 research outputs found
Decoding by Embedding: Correct Decoding Radius and DMT Optimality
The closest vector problem (CVP) and shortest (nonzero) vector problem (SVP)
are the core algorithmic problems on Euclidean lattices. They are central to
the applications of lattices in many problems of communications and
cryptography. Kannan's \emph{embedding technique} is a powerful technique for
solving the approximate CVP, yet its remarkable practical performance is not
well understood. In this paper, the embedding technique is analyzed from a
\emph{bounded distance decoding} (BDD) viewpoint. We present two complementary
analyses of the embedding technique: We establish a reduction from BDD to
Hermite SVP (via unique SVP), which can be used along with any Hermite SVP
solver (including, among others, the Lenstra, Lenstra and Lov\'asz (LLL)
algorithm), and show that, in the special case of LLL, it performs at least as
well as Babai's nearest plane algorithm (LLL-aided SIC). The former analysis
helps to explain the folklore practical observation that unique SVP is easier
than standard approximate SVP. It is proven that when the LLL algorithm is
employed, the embedding technique can solve the CVP provided that the noise
norm is smaller than a decoding radius , where
is the minimum distance of the lattice, and . This
substantially improves the previously best known correct decoding bound . Focusing on the applications of BDD to decoding of
multiple-input multiple-output (MIMO) systems, we also prove that BDD of the
regularized lattice is optimal in terms of the diversity-multiplexing gain
tradeoff (DMT), and propose practical variants of embedding decoding which
require no knowledge of the minimum distance of the lattice and/or further
improve the error performance.Comment: To appear in IEEE Transactions on Information Theor
Twisting Lattice and Graph Techniques to Compress Transactional Ledgers
International audienceKeeping track of financial transactions (e.g., in banks and blockchains) means keeping track of an ever-increasing list of exchanges between accounts. In fact, many of these transactions can be safely " forgotten " , in the sense that purging a set of them that compensate each other does not impact the network's semantic meaning (e.g., the accounts' balances). We call nilcatenation a collection of transactions having no effect on a network's semantics. Such exchanges may be archived and removed, yielding a smaller, but equivalent ledger. Motivated by the computational and analytic benefits obtained from more compact representations of numerical data, we formalize the problem of finding nilcatenations, and propose detection methods based on graph and lattice-reduction techniques. Atop interesting applications of this work (e.g., decoupling of centralized and distributed databases), we also discuss the original idea of a " community-serving proof of work " : finding nilcatenations constitutes a proof of useful work, as the periodic removal of nilcatenations reduces the transactional graph's size
A Gentle Tutorial for Lattice-Based Cryptanalysis
The applicability of lattice reduction to a wide variety of cryptographic situations makes it an important part of the cryptanalyst\u27s toolbox. Despite this, the construction of lattices and use of lattice reduction algorithms for cryptanalysis continue to be somewhat difficult to understand for beginners. This tutorial aims to be a gentle but detailed introduction to lattice-based cryptanalysis targeted towards the novice cryptanalyst with little to no background in lattices. We explain some popular attacks through a conceptual model that simplifies the various components of a lattice attack
An Improved BKW Algorithm for LWE with Applications to Cryptography and Lattices
In this paper, we study the Learning With Errors problem and its binary
variant, where secrets and errors are binary or taken in a small interval. We
introduce a new variant of the Blum, Kalai and Wasserman algorithm, relying on
a quantization step that generalizes and fine-tunes modulus switching. In
general this new technique yields a significant gain in the constant in front
of the exponent in the overall complexity. We illustrate this by solving p
within half a day a LWE instance with dimension n = 128, modulus ,
Gaussian noise and binary secret, using
samples, while the previous best result based on BKW claims a time
complexity of with samples for the same parameters. We then
introduce variants of BDD, GapSVP and UniqueSVP, where the target point is
required to lie in the fundamental parallelepiped, and show how the previous
algorithm is able to solve these variants in subexponential time. Moreover, we
also show how the previous algorithm can be used to solve the BinaryLWE problem
with n samples in subexponential time . This
analysis does not require any heuristic assumption, contrary to other algebraic
approaches; instead, it uses a variant of an idea by Lyubashevsky to generate
many samples from a small number of samples. This makes it possible to
asymptotically and heuristically break the NTRU cryptosystem in subexponential
time (without contradicting its security assumption). We are also able to solve
subset sum problems in subexponential time for density , which is of
independent interest: for such density, the previous best algorithm requires
exponential time. As a direct application, we can solve in subexponential time
the parameters of a cryptosystem based on this problem proposed at TCC 2010.Comment: CRYPTO 201
A Note on the Density of the Multiple Subset Sum Problems
It is well known that the general subset sum problem is NP-complete. However, almost all subset sum problems with density less than can be solved in polynomial time with an oracle that can find the shortest vector in a special lattice. In this paper, we give a similar result for the multiple subset sum problems which has subset sum problems with the same solution. Some extended versions of the multiple subset sum problems are also considered. In addition, a modified lattice is involved to make the analysis much simpler than before
- …