並列摘要
Lattice basis reduction is a common and perhaps the most practical method today to solve the approximate shortest vector problem. It is important to estimate the length of the short vectors output by lattice basis reduction. However, accurate estimation is difficult to obtain, and people often rely on empirical heuristics. Based on the asymptotic behavior of the lengths of the short vectors, there is a well-known sublattice attack if the determinant of the lattice is relatively small. Here we provide detailed exposition of the cause of the sublattice attack and verify with experimentation on Goldstein-Mayer lattices.
參考文獻
[CL] Jung Hee Cheon and Changmin Lee. Cryptanalysis of the multilinear map on the ideal lattices.
[LLL82] Arjen Klaas Lenstra, Hendrik Willem Lenstra, and László Lovász. Fac- toring polynomials with rational coefficients. Mathematische Annalen, 261(4):515–534, 1982.
[LN13] Mingjie Liu and Phong Q Nguyen. Solving bdd by enumeration: An update. In Topics in Cryptology–CT-RSA 2013, pages 293–309. Springer, 2013.
[NS06] Phong Q. Nguyen and Damien Stehlé. LLL on the average. In Algorithmic Number Theory, pages 238–256. Springer, 2006.
[vdPS13] Joop van de Pol and Nigel P Smart. Estimating key sizes for high dimen- sional lattice-based systems. In Cryptography and Coding, pages 290–303. Springer, 2013.