BKZ 2.0: Better Lattice Security Estimates
An efficient simulation algorithm is proposed to model the behaviour of BKZ in high dimension with high blocksize ≥50, which can predict approximately both the output quality and the running time, thereby revising lattice security estimates.
Predicting Lattice Reduction
The goal of this paper is to provide an assessment of lattice reduction algorithms' behaviour based on extensive experiments performed with the NTL library, and to suggest several conjectures on the worst case and the actual behaviour of lattice reduction algorithms.
Lattice Enumeration Using Extreme Pruning
This work revisits lattice enumeration algorithms and shows that surprising exponential speedups can be achieved both in theory and in practice by using a new technique, which is called extreme pruning.
Sieve algorithms for the shortest vector problem are practical
It is shown that AKS can actually be made practical: a heuristic variant of AKS whose running time is polynomial-time operations, and whose space requirement is polynomially many bits is presented.
Finding short lattice vectors within Mordell's inequality
A polynomial-time blockwise reduction algorithm based on duality which achieves a better and more natural approximation factor for the shortest vector problem than Schnorr's algorithm and its transference variant by Gama, Howgrave-Graham, Koy and Nguyen.
The Insecurity of the Elliptic Curve Digital Signature Algorithm with Partially Known Nonces
All previously known results for the elliptic curve variant of DSA (ECDSA) were only heuristic, including those of Howgrave-Graham and Smart who introduced the topic.
The Insecurity of the Digital Signature Algorithm with Partially Known Nonces
A polynomial-time algorithm that provably recovers the signer's secret DSA key when a few consecutive bits of the random nonces k are known for a number of DSA signatures at most linear in log q, under a reasonable assumption on the hash function used in DSA.
LLL on the Average
This article tries to model the average case of lattice reduction algorithms, starting with the celebrated Lenstra-Lenstra-Lovasz algorithm (L3), and discusses what is meant by lattice reduction on the average, and presents extensive experiments on the average case behavior of L3 in order to give a clearer picture of the differences/similarities between the average and worst cases.
Cryptanalysis of the Goldreich-Goldwasser-Halevi Cryptosystem from Crypto '97
- Phong Q. Nguyen
- Computer Science, Mathematics
- CRYPTO
- 15 August 1999
It is shown that there is a major flaw in the design of the Goldreich, Goldwasser and Halevi public-key cryptosystem, and it is concluded that the scheme cannot provide sufficient security without being impractical.
Floating-Point LLL Revisited
The $L^2$ algorithm is introduced, a new and natural floating-point variant of $L^3$ which provably outputs $L^3$-reduced bases in polynomial time $O(d^4 n (d + \log B) \log B)$, the first $L^3$ algorithm whose running time provably grows only quadratically with respect to $\log B$.