Abstract. We show that recent results of Coppersmith, Boneh, Durfee and Howgrave-Graham actually apply in the more general setting of (partially) approximate common divisors. This leads us to consider the question of "fully" approximate common divisors, i.e. where both integers are only known by approximations. We explain the lattice techniques in both the partial and general cases. As an application of the partial approximate common divisor algorithm we show that a cryptosystem proposed by Okamoto actually leaks the private information directly from the public information in polynomial time. In contrast to the partial setting, our technique with respect to the general setting can only be considered heuristic, since we encounter the same "proof of algebraic independence" problem as a subset of the above authors have in previous papers. This problem is generally considered a (hard) problem in lattice theory, since in our case, as in previous cases, the method still works extremely reliably in practice; indeed no counter examples have been obtained. The results in both the partial and general settings are far stronger than might be supposed from a continued-fraction standpoint (the way in which the problems were attacked in the past), and the determinant calculations admit a reasonably neat analysis.
An alternative technique for finding small roots of univariate modular equations is described. This approach is then compared with that taken in (Coppersmith, 1996), which links the concept of the dual lattice (see (Cassels, 1971)) to the LLL algorithm (see (Lenstra et al., 1982)). Timing results comparing both algorithms are given, and practical considerations are discussed. This work has direct applications to several low exponent attacks on the RSA cryptographic scheme (see (Coppersmith, 1996)).
Introduction. Let $p(x)$ be a univariate modular polynomial of degree $k$; It is assumed that $p(x)$ is monic and irreducible, and that $N$ is not prime, but hard to factorise. In this paper we describe a new method for finding all the small integer roots, $|x_0| < N^{1/k}$, of equation 1, and show the relationship between the approach taken here, and that taken in (Coppersmith, 1996). It will be proved, via a general result on dual lattices that these two algorithms are in fact equivalent, though the present approach may be preferred for computational efficiency. It has been shown in (Coppersmith, 1996) how finding small solutions to equation 1 can lead to various attacks on the RSA cryptographic scheme when using a small encrypting exponent. Since both approaches employ lattice basis reduction, the remainder of this section deals with the notation and technical results that will be required. Sections 2 and 3 give expositions of the algorithms in question, together with proofs of their validity; examples of both algorithms are shown in section 4. Section 5 proves a technical result about dual lattices with respect to the LLL algorithm, whilst section 6 shows that it is indeed this theory that links the two methods. Section 7 then discusses practical issues relating to the algorithms and gives relevant timing results.
Notation. For the sake of consistency, all the results stated in this paper will be with respect to the rows of the relevant matrices. We shall denote the $i$'th row of a matrix $M$ by $m_i$, and the $i$'th element of a vector $v$ by $v_i$.
Abstract. In this paper, we study the complexity of solving hard knapsack problems, i.e., knapsacks with a density close to 1 where lattice-based low density attacks are not an option. For such knapsacks, the current state-of-the-art is a 31-year old algorithm by Schroeppel and Shamir which is based on birthday paradox techniques and yields a running time of $\tilde{O}(2^{n/2})$ for knapsacks of $n$ elements and uses $\tilde{O}(2^{n/4})$ storage. We propose here two new algorithms which improve on this bound, finally lowering the running time down to either $\tilde{O}(2^{0.385n})$ or $\tilde{O}(2^{0.3113n})$ under a reasonable heuristic. We also demonstrate the practicality of these algorithms with an implementation.
Abstract. Lattice reduction is a hard problem of interest to both public-key cryptography and cryptanalysis. Despite its importance, extremely few algorithms are known. The best algorithm known in high dimension is due to Schnorr, proposed in 1987 as a block generalization of the famous LLL algorithm. This paper deals with Schnorr's algorithm and potential improvements. We prove that Schnorr's algorithm outputs better bases than what was previously known: namely, we decrease all former bounds on Schnorr's approximation factors to their (ln 2)-th power. On the other hand, we also show that the output quality may have intrinsic limitations, even if an improved reduction strategy was used for each block, thereby strengthening recent results by Ajtai. This is done by making a connection between Schnorr's algorithm and a mathematical constant introduced by Rankin more than 50 years ago as a generalization of Hermite's constant. Rankin's constant leads us to introduce the so-called smallest volume problem, a new lattice problem which generalizes the shortest vector problem, and which has applications to blockwise lattice reduction generalizing LLL and Schnorr's algorithm, possibly improving their output quality. Schnorr's algorithm is actually based on an approximation algorithm for the smallest volume problem in low dimension. We obtain a slight improvement over Schnorr's algorithm by presenting a cheaper approximation algorithm for the smallest volume problem, which we call transference reduction.