The Two Faces of Lattices in Cryptology
Abstract
Lattices are regular arrangements of points in n-dimensional space, whose study appeared in the 19th century in both number theory and crystallography. Since the appearance of the celebrated Lenstra-Lenstra-Lovász lattice basis reduction algorithm twenty years ago, lattices have had surprising applications in cryptology. Until recently, the applications of lattices to cryptology were only negative, as lattices were used to break various cryptographic schemes. Paradoxically, several positive cryptographic applications of lattices have emerged in the past five years: there now exist public-key cryptosystems based on the hardness of lattice problems, and lattices play a crucial rôle in a few security proofs. We survey the main examples of the two faces of lattices in cryptology.
Keywords
Knapsack Problem, Lattice Reduction, Modular Equation, Digital Signature Algorithm, Hermite Normal Form