An efficient simulation algorithm is proposed to model the behaviour of BKZ in high dimension with high blocksize ≥50, which can predict approximately both the output quality and the running time, thereby revising lattice security estimates.

The goal of this paper is to provide an assessment of lattice reduction algorithms' behaviour based on extensive experiments performed with the NTL library, and to suggest several conjectures on the worst case and the actual behaviour of lattice reduction algorithms.

This work revisits lattice enumeration algorithms and shows that surprising exponential speedups can be achieved both in theory and in practice by using a new technique, which is called extreme pruning.

It is shown that AKS can actually be made practical: a heuristic variant of AKS whose running time is polynomial-time operations, and whose space requirement is polynomially many bits is presented.

A polynomial-time blockwise reduction algorithm based on duality which achieves a better and more natural approximation factor for the shortest vector problem than Schnorr's algorithm and its transference variant by Gama, Howgrave-Graham, Koy and Nguyen.

All previously known results for the elliptic curve variant of DSA (ECDSA) were only heuristic, including those of Howgrave-Graham and Smart who introduced the topic.

A polynomial-time algorithm that provably recovers the signer's secret DSA key when a few consecutive bits of the random nonces k are known for a number of DSA signatures at most linear in log q, under a reasonable assumption on the hash function used in DSA.

This article tries to model the average case of lattice reduction algorithms, starting with the celebrated Lenstra-Lenstra-Lovász algorithm (L3), and discusses what is meant by lattice reduction on the average, and presents extensive experiments on the average case behavior of L3 in order to give a clearer picture of the differences/similarities between the average and worst cases.

It is shown that there is a major flaw in the design of the Goldreich, Goldwasser and Halevi public-key cryptosystem, and it is concluded that the scheme cannot provide sufficient security without being impractical.

The $L^2$ algorithm is introduced, a new and natural floating-point variant of $L^3$ which provably outputs $L^3$-reduced bases in polynomial time $O(d^4 n(d + \log B) \log B)$, the first $L^3$ algorithm whose running time provably grows only quadratically with respect to $\log B$.