ArticlePDF Available

Average Time Fast SVP and CVP Algorithms: Factoring Integers in Polynomial Time

Authors:

Abstract

We use pruned enumeration algorithms to find lattice vectors close to a specific target vector for the prime number lattice. These algorithms generate multiplicative prime number relations modulo N that factorize a given integer N. The algorithm New Enum performs the stages of exhaustive enumeration of close lattice vectors in order of decreasing success rate. For example an integer N ≈ 10¹⁴ can be factored by about 90 prime number relations modulo N for the 90 smallest primes. Our randomized algorithm generated for example 139 such relations in 15 minutes. This algorithm can be further optimized. The optimization for larger integers N is still open.
Average Time Fast SVP and CVP Algorithms:
Factoring Integers in Polynomial Time
Claus P. SCHNORR
Fachbereich Informatik und Mathematik
Goethe-Universität
Frankfurt am Main
Workshop Factoring 2009, Sept. 11,12
RUHR-UNIVERSITÄT BOCHUM
http://www.mi.informatik.uni-frankfurt.de/research/papers.html
Road map 2
ILattice notation, Time bound of new SVP/CVP algorithm
II Factoring integers via easy CVP solutions
III Outline and partial analysis of the new SVP algorithm
We survey how to use known proof elements and we focus on
novel proof elements that are not covered by published work.
I: Lattices, QR-decomposition, LLL-bases 3
lattice basis B= [b1, . . . , bn]Zm×n
lattice L(B) = {Bx |xZn}
norm kxk=hx,xi= (Pm
i=1x1
1)1/2
SV-length λ1(L) = min{kbk | b∈ L\{0}}
Successive minima λ1, ..., λn
QR-decomposition B=QR Rm×nsuch that
the GNF — geom. normal form — R= [ri,j]Rn×nis
uppertriangular, ri,j=0 for j<iand ri,i>0,
QRm×nisometric:hQx,Qyi=hx,yi.
LLL-basis B=QR for δ(1
4,1](Lenstra, Lenstra, Lovasz 82):
1. |ri,j| ≤ 1
2ri,ifor all j>i(size-reduced)
2. δr2
i,ir2
i,i+1+r2
i+1,i+1for i=1, . . . , n1.
Average time fast SVP algorithm 4
Def. The relative density of L:rd(L):=λ1γ1/2
n(det L)1/n
rd(L) = λ1(L)/max λ1(L0)holds for the maximum of λ1(L0)
over all lattices L0such that dim L=dim L0and det L=det L0.
The HERMITE constant γn=max{λ2
1/det(L)2/n|dim L=n}.
We always have kb1k2=rd(L)2γn(det L)2/n.
Theorem 4.1 (GSA). Given a lattice basis such that
kb1k ≤ 2eπnbλ1,b0, NE W ENU M solves SVP in time
nO(1)+ (O(n2bε))n+1
4if rd(L) = n1
2ε,ε > 0.
This time bound is polynomial if 2b< ε.
GSA : Let B=QR =Q[ri,j]satisfy (for ri,i=kb
ik):
r2
i,i/r2
i1,i1=qfor i=2, ..., nand some q>0.
W.l.o.g. let q<1, otherwise kb1k=λ1.
We outline the proof of Thm 4.1 in part III.
Average time fast CVP algorithm 5
Corollary 6.1 (GSA). Given b1∈ L, 0 6=kb1k=O(λ1),
NEW ENUM finds b∈ L such that kbtk=kL − tkin time
nO(1)+O(n rd(L)kL − tk2λ2
1)n+1
4.
This time bound is polynomial if
kL − tk=O(λ1)and rd(L)n1
2εfor ε > 0.
The required short vector b1can in practice be added to the
basis, extending the lattice by a short vector preserving rd(L).
An example will be given in part II for factoring integers using
the prime number lattice.
II: Factoring integers via easy CVP solutions 6
Let Nbe a positive integer that is not a prime power. Let
p1<··· <pnenumerate all primes less than (ln N)α. Then
n= (ln N)α/(αln ln N)(1+O(1)ln ln N).
Let the prime factors pof Nsatisfy p>pn.
We show how to factor Nby solving easy CVP’s for the prime
number lattice L(B), basis matrix B= [b1, . . . , bn]R(n+1)×n:
B=
pln p10 0
0...0
0 0 pln pn
Ncln p1··· Ncln pn
,N=
0
.
.
.
0
Ncln N0
,
and the target vector NRn+1, where either N0=Nor
N0=Npn+jfor one of the next nprimes pn+j>pn,jn.
W.l.o.g. let N0=Nfor the analysis.
Outline of the factoring method 7
We identify the vector b=Pn
i=1eibi∈ L(B)with the pair (u,v)
of integers u=Qej>0pej
j,v=Qej<0pej
jN.
Then u,vare free of primes larger than pnand gcd(u,v) = 1.
We compute vectors b=Pn
i=1eibi∈ L(B)close to Nsuch that
|uvN0|<u. The prime factorizations |uvN 0|=Qn
i=1pe0
i
i
and of uyield a non-trivial relation
Qei>0pei
i=±Qn
i=1pe0
i
imod N. (7.1)
Given n+1 independent relations (7.1) we write these relations
with p0=1 and ei,j,e0
i,jNas Qn
i=0pei,je0
i,j
i=1 mod N
for j=1, ..., n+1. Any non trivial solution z1, ..., zn+1Zof the
equations Pn+1
j=1zj(ei,je0
i,j) = 0 mod 2 for i=0, ..., n
solves X2=Y2mod Nwith X=Qn+1
j=1pPn
i=0ziei,j
jmod N,
Y=Qn+1
j=1pPn
i=0zie0
i,j
jmod N.
Computing relations (7.1) from smooth (u,v) 8
Lemma If |uvN0|=o(Nc),v= Θ(Nc1),e1, ..., en∈ {0±1}
then kbNk2= (2c1)ln N+ln(pn+j) + Θ(|uvN0|2(N/N0)2).
Proof. We see from e1, ..., en∈ {0±1}that
kbNk2=ln u+ln v+N2c|ln u
vN0|2.
Clearly, v= Θ(Nc1),|uvN0|=o(Nc)implies
ln u+ln v= (2c1)ln N+ln(N0/N) + Θ(1).
Moreover
|ln u
vN0|=|ln 1+uvN 0
vN0|=|uvN 0|
vN0(1+o(1)) = Θ( |uvN0|
Nc1N0).
Combining these equations proves the claim.
Theorem 7.2 kbNk2(2c1)ln N+2δln pnimplies
|uvN0| ≤ p
1
α+δ+o(1)
n.
The existence of b∈ L(B)such that |uvN|=19
An integer zis called y-smooth, if all prime factors pof zsatisfy
py. Let N0be either Nor Npn+jfor one of the next nprimes
pn+j>pn. We denote
Mα,c,N=n(u,v)N2uNc,|uvN0|=1,Nc1/2<v<Nc1
u,vare squarefree and (ln N)αsmooth o.
Theorem 7.4 [S93] If the equation |u− du/NcN|=1 is for
random uof order Ncnearly statistically independent from the
event that u,du/Ncare squarefree and (ln N)α-smooth then
#Mα,c,N=Nε+o(1)holds if α > 2c1
c1,c>1.
We will use this theorem for c=ln Nand α > 4.
Vectors b∈ L closest to Nyield relations (7.1) 10
Theorem 7.5 The vector b=Pn
i=1eibi∈ L(B)closest to N
provides a non-trivial relation (7.1) provided that Mα,c,N6=.
Theorem 7.6 If Mα,c,N6=for c=ln Nand α > 4 then we can
minimize kL(B)Nkin polynomial time under GSA given
b∈ L(B)such that 0 6=kbk=O(λ1).
It follows from Mα,c,N6=for N0∈ {N,Npn+j}that
kL − Nk2(2c1)ln N0+1= (2c1+o(1)) ln N.
Lemma 5.3 of [MG02] proves that λ2
12cln NΘ(1)
Claim λ2
1=2cln N+O(1).
rd(L) = λ1/(γn(det L)1
n).2eπ2cln N
(ln N)α1
2
=O(cln N)(1α)/2=O((ln N)1α).
Moreover, we have for c=ln N,α > 4 and ε=1
21/α > 0 that
n1
2ε=n1+1(αln ln N)11(ln N)1α>rd (L).
Providing a nearly shortest vector of L(B)11
We extend the prime number basis Band L(B)by a nearly
shortest lattice vector of the extended lattice, preserving rd(L),
det(L)and the structure of the lattice.
We extend the prime base by a prime ¯
pn+1of order Θ(Nc)such
that |u¯
pn+1|=O(1)holds for a squarefree (ln N)α-smooth u.
Then kPieibibn+1k2=2cln N+O(1)holds for u=Qipei
i
the additional basis vector bn+1corresponding to ¯
pn+1.
Pieibibn+1is a nearly shortest vector of L(b1, ..., bn+1).
Efficient construction of ¯
pn+1. Generate uat random and
test the nearby ¯
pfor primality. If the density of primes near the
uis not exceptionally small ¯
pn+1and bn+1can be found in
probabilistic polynomial time. A single ¯
pn+1can be used to
solve all CVP’s for the factorization of all integers of order Θ(N).
III: A novel enumeration of short lattice vectors 12
Let πt:span(b1, ..., bn)span(b1, ..., bt1)for t=1, ..., n
denote the orthogonal projections and let Lt=L(b1, ..., bt1).
Stage (ut, ..., un)of ENUM. b := Pn
i=tuibi∈ L and
ut, ..., unZare given. The stage searches exhaustively for all
Pt1
i=1uibi∈ L such that kPn
i=1uibik2Aholds for a given
upper bound Aλ2
1. We have
kPn
i=1uibik2=kζt+Pt1
i=1uibik2+kπt(b)k2.
where ζt:= bπt(b) = Qvtspan Ltis the orthogonal
projection in span Ltof the given b=Pn
i=tuibiand
vt= (v1, ..., vt1,0nt+1)tfor vi=Pn
i=tri,juj. Stage (ut, ..., un)
exhaustively enumerates Bt1(ζt, ρt)∩ Lt, the intersection of
the lattice Ltand the sphere Bt1(ζt, ρt)span Ltof dimension
t1 with radius ρt:= (A− kπt(b)k2)1/2and center ζt.
The success rate βtof stages 13
The GAUSSIAN volume heuristics estimates |Bt1(ζt, ρt)∩ Lt|
for t>1 to
βt=def vol Bt1(ζt, ρt)/det Lt.
Here vol Bt1(ζt, ρt) = Vt1ρt1
t,Vt1=πt1
2/(t1
2)!
is the volume of the unit sphere of dimension t1,
det Lt=Qt1
i=1ri,i,ρ2
t:= A− kπt(Pn
i=tuibi)k2.
We call βtthe success rate of stage (ut, ..., un).
If ζtmod Ltis uniformly distributed over
{Pt1
i=1ribi|0r1, ..., rt1<1}
then Eζt[|Bt1(ζt, ρt)∩ Lt|] = βt, where Eζtrefers to a random
ζtmod Lt. This holds because 1/det Ltis the number of
lattice points of Ltper volume in span Lt. The formal analysis of
NEW ENUM by Theorem 4.1 uses a proven version of the
volume heuristics without assuming that ζtmod Ltis random.
Outline of New Enum for SVP 14
INPUT LLL-basis B=QR Zm×n,RRn×n,A:= n
4(det BtB)2/n,
OUTPUT a sequence of b∈ L(B)of decreasing length
kbk2Aterminating with kbk=λ1.
1. s:= 1, Ls:= , (we call sthe level)
2. Perform algorithm ENUM [SE94] pruned to stages with βt2s:
Upon entry of stage (ut, ..., un)compute βt. If βt<2sdelay
this stage and store (βt,ut, ..., un)in the list Lsof delayed stages
If βt2sperform stage (ut, ..., un)on level s, and as soon
as some non-zero b∈ L of length kbk2Ahas been found
give out band set A:= kbk21.
3. Ls+1:= , perform the stages (ut, ..., un)of Lswith βt2s1
in increasing order of tand for fixed tin order of decreasing βt.
Collect the appearing substages (ut0, ..., ut, ..., un)
with βt0<2s1in Ls+1.
4. IF Ls+16=THEN [s:= s+1, GO TO 3 ]
ELSE terminate by exhaustion.
Proof of Theorem 4.1 15
Thm 4.1 NEW EN UM solves SVP in time nO(1)+ (O(n2bε)) n+1
4
if rd(L) = n1
2ε,ε > 0 and if b1k ≤ 2eπnb.
NEW ENUM essentially performs stages in decreasing order of
the success rate βt. Let b0=Pn
i=1u0
ibi∈ L denote the unique
vector of length λ1that is found by NEW ENUM.
Let β0
tbe the success rate of stage (u0
t, ..., u0
n).
NEW ENUM performs stage (u0
t, ..., u0
n)prior to all stages
(ut, ..., un)of success rate βt1
2β0
t
Simplifying assumption. We assume that NEW ENUM
performs stage (u0
t, ..., u0
n)prior to all stages of success rate
βt< β0
t, ( i.e., ρt< ρ0
t).
By definition ρ2
t=A− kπt(b)k2and ρ0
t
2=A− kπt(b0)k2.
Without using the simplifying assumption, the proven time
bound of Theorem 4.1 increases at most by the factor 2.
A proven version of the volume heuristics 16
Consider the number Mtof stages (ut, ..., un)with
kπt(Pn
i=tuibi)k ≤ λ1:Mt:= #Bnt+1(0, λ1)πt(L).
Modulo the heuristic simplifications Mtcovers the stages that
precede (u0
t, ..., u0
n)and those that finally prove kb0k=λ1.
Lemma 4.2 Mtent+1
2Qn
i=t(1+8π λ1
nt+1ri,i).
Proof. We use the method of Lemma 1 of [MO90] and follow
the adjusted proof of (2) in section 4.1 of [HS07]. We
abbreviate nt=nt+1. Consider the ellipsoid
Et={(xt, ..., xn)tRnt|kπt(Pn
i=txibi)k2λ2
1}, where
kπt(Pn
i=txibi)k2=Pn
i=tPn
j=i(ri,jxj)2=Pn
i=tPn
j=i(µj,ixj)2kb
ik2.
By definition Mt#(EtZnt). We set
Pix:= Pj>i
ri,j
ri,ixjand x0
i:= xi+dPixc,
{Pix}:= Pix− dPixc,
Ft:= {(x0
t, ..., x0
n)tRnt|Pn
i=t(x0
i+{Pix})2r2
i,iλ2
1}.
Claim #(EtZnt)#(FtZnt)17
Proof. The transformation (xt, ..., xn)7→ (x0
t, ..., x0
n)is injective.
[ If itis the least index such that (yi, ..., yn)and (zi, ..., zn)
differ then y0
i6=z0
i. Moreover (x0
i+{Pix})ri,i=Pn
j=iri,jxj.]
We simplify Etto E0
t={x0Rnt|Pn
i=tx0
i
2r2
i,i4λ2
1}.
Since |{Pix}| ≤ 1
2,xiZand |xi+ε|2x2
i/4 for |ε| ≤ 1
2we
see that FtZnt⊂ E0
tZnt. Hence Mt#(E0
tZnt).
We bound #(E0
tZnt)using the method of [MO90, Lemma 1].
Denoting Nr:= #{(kt, ..., kn)tZnt|Pn
i=tr2
i,ik2
i=r}we have
#(E0
tZnt) = P
0r4λ2
1
Nres(4λ2
1r)ntes4λ2
1ntP
r0
Nresrnt
es4λ2
1nt
n
Q
i=tP
kiZ
esr2
i,ik2
intes4λ2
1nt
n
Q
i=t
(1+π
sntri,i)
since PkZeTk2=1+2P
k=1eTk21+2R
0eTx2dx =
1+pπ/T. We get for s:= 1/(8λ2
1):
#(E0
tZnt)ent/2Qn
i=t(1+8π λ1
ntri,i).
Proof of Theorem 4.1 continued 18
Now r2
i,i=kb1k2qi1,λ2
1/(γnrd(L)2) = (det L)2
n=kb1k2qn1
2
hold by GSA and thus γnn
2eπdirectly imply for i=t, ..., n
nt+1ri,i2eπrd(L)1λ1q(2in1)/4.
By Lemma 4.2 MtQn
i=t
eπrd(L)1λ1q(2in1)/4+8eπ λ1
nt+1ri,i.
For ¯η:= 2+e,t:= n
2+1c,
m(q,c) := [if c>0then q1c2
4else 1]we get
Mtm(q,c)¯η2eπ λ1
nt+1rd(L)nt+1/det πt(L), (4.1)
because m(q,c) = q1c2
4=qPc
i=0(2i1)/4)Qn/2+1
i=t
nt+1ri,i
¯η2eπ λ1
for c>0. We see from (4.1) and
det πt(L) = kb1knt+1qPn1
i=t1i/2that
Mtm(q,c)¯η2eπ λ1
nt+1rd(L)kb1knt+1/qPn1
i=t1i/2(4.2)
19
Now γn1.744 (n+o(n))
2eπ[KL78] implies via GSA
eπ λ2
1
n rd(L)2kb1k2qn1
2for nn0. (4.3)
(4.2), (4.3), 1
n1Pn1
i=t1i=n
2(t1)(t2)
2(n1)yield
Mtm(q,c)¯η2eπ λ1
nt+1rd(L)kb1knt+1n rd(L)kb1k
eπ λ1n(t1)(t2)
n1.
The difference of the exponents
de(t) = n(t1)(t2)
n1n+t1= (t1)(1t2
n1)
is positive for tnand maximal for tmax =n
2+1,
de(n
2+1c) = n+1
4+1/4c2
n1. We get for kb1k ≤ 2eπnbλ1,
t=n
2+1c:Mtm(q,c)O(n1
2+brd(L))n+1
4+1/4c2
n1.
Hence Mt= (O(n1
2+2brd(L) ) n+1
4.
Open problems 20
Main open problem
Can the factoring algorithm be improved by the method of the
number field sieve ?
We factor Nvia easy CVP-solutions that correspond to
multiplicative relations mod N, related to the quadratic sieve.
The last coordinate of an CVP-solution yields a multiplicative
relation of the factor base, under the natural logarithm ln.
How to incorporate mod Nreductions under the ln transform ?
Refences 21
Ad95 L.A. Adleman, Factoring and lattice reduction.
Manuscript, 1995.
AEVZ02 E. Agrell, T. Eriksson, A. Vardy and K. Zeger,
Closest point search in lattices. IEEE Trans. on
Inform. Theory,48 (8), pp. 2201–2214, 2002.
Aj96 M. Ajtai, Generating hard instances of lattice
problems. In Proc. 28th Annual ACM Symposium
on Theory of Computing, pp. 99–108, 1996.
AD97 M. Ajtai and C. Dwork, A public-key cryptosystem
with worst-case / average-case equivalence. In
Proc 29-th STOC, ACM, pp. 284–293, 1997.
Ba86 L. Babai, On Lovasz’ lattice reduction and the
nearest lattice point problem. Combinatorica 6 (1),
pp.1–13, 1986.
BL05 J. Buchmann and C. Ludwig, Practical lattice basis
sampling reduction. eprint.iacr.org, TR 072, 2005.
References 22
Ca98 Y.Cai, A new transference theorem and
applications to Ajtai’s connection factor. ECCC,
Report No. 5, 1998.
CEP83 E.R. Canfield, P. Erdös and C. Pomerance, On a
problem of Oppenheim concerning "Factorisatio
Numerorum". J. of Number Theory,17, pp. 1–28,
1983.
CS93 J.H. Conway and N.J.A. Sloane, Sphere Packings,
Lattices and Groups. third edition,
Springer-Verlag1998.
FP85 U. Fincke and M. Pohst, Improved methods for
calculating vectors of short length in a lattice,
including a complexity analysis. Math. of Comput.,
44, pp. 463–471, 1985.
Refences 23
HHHW09 P.Hirschhorn, J. Hoffstein, N. Howgrave-Graham,
W. Whyte, Choosing NTRUEncrypt parameters in
light of combined lattice reduction and MITM
approaches. In Proc. ACNS 2009, LNCS 5536,
Springer-Verlag,pp. 437–455, 2009.
HPS98 J. Hoffstein, J. Pipher and J. Silverman, NTRU: A
ring-based public key cryptosystem. In Proc.
ANTS III, LNCS 1423, Springer-Verlag, pp.
267–288, 1998.
H07 N. Howgrave-Graham, A hybrid lattice–reduction
and meet-in-the-middle attiack against NTRU. In
Proc, CRYPTO 2007, LNCS 4622,
Springer-Verlag, pp. 150–169, 2007.
HS07 G. Hanrot and D. Stehlé, Improved analysis of
Kannan’s shortest lattice vector algorithm. In Proc.
CRYPTO 2007, LNCS 4622, Springer-Verlag,pp.
170–186, 2007.
Refences 24
HS08 G. Hanrot and D. Stehlé, Worst-case
Hermite-Korkine-Zolotarev reduced lattice bases.
CoRR, abs/0801.3331,
http://arxix.org/abs/0801.3331.
Ka87 R. Kannan, Minkowski’s convex body theorem and
integer programming. Math. Oper. Res.,12, pp.
415–440, 1987.
KL78 G.A.Kabatiansky and V.I. Levenshtein, Bounds for
packing on a sphere and in space. Problems of
Information Transmission,14, pp. 1–17, 1978.
LLL82 H. W. Lenstra Jr., , A. K. Lenstra, and L. Lovász ,
Factoring polynomials with rational coefficients,
Mathematische Annalen 261, pp. 515–534, 1982.
MO90 J. Mazo and A. Odlydzko, Lattice points in
high-dimensional spheres. Monatsh. Math. 110,
pp. 47–61, 1990.
Refences 25
MG02 D. Micciancio and S. Goldwasser, Complexity of
Lattice Problems: A Cryptographic Perspective.
Kluwer Academic Publishers, Boston, London,
2002.
S87 C.P. Schnorr, A Hierarchy of Polynomial Time
Lattice Basis Reduction Algorithms. Theoret.
Comput. Sci.,53, pp. 201–224, 1987.
S93 C.P.Schnorr, Factoring integers and computing
discrete logarithms via Diophantine approximation.
In Advances in Computational Complexity, AMS,
DIMACS Series in Discrete Mathematics and
Theoretical Computer Science,13, pp. 171–182,
1993. Preliminary version in Proc.
EUROCRYPT’91, LNCS 547, Springer-Verlag,pp.
281–293, 1991.
//www.mi.informatik.uni-frankfurt.de.
Refences 26
SE94 C.P. Schnorr and M. Euchner, Lattce basis
reduction: Improved practical algorithms and
solving subset sum problems. Mathematical
Programming 66, pp. 181–199, 1994.
SH95 C.P. Schnorr and H.H. Hörner, Attacking the
Chor–Rivest cryptosystem by improved lattice
reduction. In Proc. EUROCRYPT’95, LNCS 921,
Springer-Verlag, pp. 1–12, 1995.
S03 C.P. Schnorr, Lattice reduction by sampling and
birthday methods. Proc. STACS 2003: 20th
Annual Symposium on Theoretical Aspects of
Computer Science, LNCS 2007, Springer-Verlag,
pp. 146–156, 2003.
S06 C.P. Schnorr, Fast LLL-type lattice reduction.
Information and Computation, 204, pp. 1–25,
2006.
References 27
S07 C.P. Schnorr, Progress on LLL and lattice
reduction, Proceedings LLL+25, Caen, France,
June 29–July 1, 2007, Final version to appear;
... We can also see a flowchart containing Schnorr's algorithm in figure 1. More details can be found in [9,10,11]. ...
Preprint
Full-text available
Current asymmetric cryptography is based on the principle that while classical computers can efficiently multiply large integers, the inverse operation, factorization, is significantly more complex. For sufficiently large integers, this factorization process can take in classical computers hundreds or even thousands of years to complete. However, there exist some quantum algorithms that might be able to factor integers theoretically -- the theory works properly, but the hardware requirements are far away from what we can build nowadays -- and, for instance, Yan, B. et al. ([14]) claim to have constructed a hybrid algorithm which could be able even to challenge RSA-2048 in the near future. This work analyses this article and replicates the experiments they carried out, but with a different quantum method (VQE), being able to factor the number 1961.
Article
Full-text available
We present a hierarchy of polynomial time lattice basis reduction algorithms that stretch from Lenstra, Lenstra, Lovász reduction to Korkine–Zolotareff reduction. Let λ(L) be the length of a shortest nonzero element of a lattice L. We present an algorithm which for k∈ finds a nonzero lattice vector b so that . This algorithm uses arithmetic operations on O(n log B)-bit integers. This holds provided that the given basis vectors are integral and have the length bound B. This algorithm successively applies Korkine–Zolotareff reduction to blocks of length k of the lattice basis. We also improve Kannan's algorithm for Korkine-Zolotareff reduction.
Article
The standard methods for calculating vectors of short length in a lattice use a reduction procedure followed by enumerating all vectors of Z"' in a suitable box. However, it suffices to consider those x e Z'" which lie in a suitable ellipsoid having a much smaller volume than the box. We show in this paper that searching through that ellipsoid is in many cases much more efficient. If combined with an appropriate reduction procedure our method allows to do computations in lattices of much higher dimensions. Several randomly constructed numerical examples illustrate the superiority of our new method over the known ones.
Article
The security of lattice-based cryptosystems such as NTRU, GGH and Ajtai-Dwork essentially relies upon the intractability of com- puting a shortest non-zero lattice vector and a closest lattice vector to a given target vector in high dimensions. The best algorithms for these tasks are due to Kannan, and, though remarkably simple, their complex- ity estimates have not been improved since over twenty years. Kannan's algorithm for solving the shortest vector problem (SVP) is in particu- lar crucial in Schnorr's celebrated block reduction algorithm, on which rely the best known generic attacks against the lattice-based encryp- tion schemes mentioned above. In this paper we improve the complexity upper-bounds of Kannan's algorithms. The analysis provides new insight on the practical cost of solving SVP, and helps progressing towards pro- viding meaningful key-sizes.
Article
The paper presents an algorithm for solving Integer Programming problems whose running time depends on the number n of variables as nOn. This is done by reducing an n variable problem to 2n5i/2 problems in n-i variables for some i greater than zero chosen by the algorithm. The factor of On5/2 “per variable” improves the best previously known factor which is exponential in n. Minkowski's Convex Body theorem and other results from Geometry of Numbers play a crucial role in the algorithm. Several related algorithms for lattice problems are presented. The complexity of these problems with respect to polynomial-time reducibilities is studied.
Article
There is little doubt that the present explosion of interest in the algorithmic aspects of mathematics is due to the development of computers — even though special algorithms and their study can be traced back all the way through the history of mathematics. Mathematics started out in Egypt and Babylon as a clearly algorithmic science. In ancient Greece the foundations of its “descriptive” or “structural” line were established; but even here we find algorithmic problems — just think of the problem of constructibility of various geometric figures by compass and ruler. I find it amazing that this problem was precisely formulated in the framework of axiomatic geometry (reflecting the current state of devices at the disposal of the Greeks when they were carrying out those constructions). It is unnecessary to say how much this problem contributed to the later development of geometry and to the creation of algebra: both the positive and the negative results inspired fundamental notions and theorems (e.g. the golden ratio on the one hand and the solvability of algebraic equations by radicals, in particular by square roots, on the other). In our day, the development of computers and the theory of algorithms and their complexity have produced a similar situation. In the last centuries, a vast body of “structural” mathematics has evolved. Now that we are interested in the algorithmic aspects of these results, we meet extremely difficult problems. Some of the most elementary results in number theory, geometry, algebra, or calculus become utterly difficult when we ask for algorithms to find those objects whose existence is (at least by now) easily established. Just think of the elementary fact, known to Euclid, that any integer has a unique prime factorization, and contrast it with the apparent intractability of the corresponding algorithmic problem, namely, the problem of finding this decomposition.
Article
We propose and analyze novel algorithms for finding shortest and closest lattice vec- tors. The algorithm New Enum performs the stages of exhaustive enumeration of short / close lattice vectors in order of decreasing success rate. We analyze New Enum under GSA which in practice holds on the average for well reduced bases. A shortest lattice vector is found in polyno- mial time if the density of the lattice is not close to maximum. We prove a worst case time bound n n 32 +o(n) for SVP of lattices of dimension n. This gives New Enum enormous power in attacking lattice based cryptographic schemes, in particular the Ajtai-Dwork scheme uses lattices of low density. The RSA scheme might also be aected. We show under GSA and standard assumptions on the distribution of smooth integers that integers N can be factored by solving (lnN) 4+" CVP's for the prime number lattice. But so far these CVP's are either not easy and not useful for factoring.