Approximate common divisors via lattices

12 years 5 months ago
Approximate common divisors via lattices
We analyze the multivariate generalization of Howgrave-Graham’s algorithm for the approximate common divisor problem. In the m-variable case with modulus N and approximate common divisor of size Nβ, this improves the size of the error tolerated from Nβ2 to Nβ(m+1)/m , under a commonly used heuristic assumption. This gives a more detailed analysis of the hardness assumption underlying the recent fully homomorphic cryptosystem of van Dijk, Gentry, Halevi, and Vaikuntanathan. While these results do not challenge the suggested parameters, a 2 √ n approximation algorithm for lattice basis reduction in n dimensions could be used to break these parameters. We have implemented our algorithm, and it performs better in practice than the theoretical analysis suggests. Our results fit into a broader context of analogies between cryptanalysis and coding theory. The multivariate approximate common divisor problem is the number-theoretic analogue of noisy multivariate polynomial interpolation...
Henry Cohn, Nadia Heninger
Added 23 Dec 2011
Updated 23 Dec 2011
Type Journal
Year 2011
Where IACR
Authors Henry Cohn, Nadia Heninger
Comments (0)