Consider the following problem: Given $k = 2^q$ random lists of $n$-bit vectors, $L_1, \ldots, L_k$, each of length $m$, find $x_1 \in L_1, \ldots, x_k \in L_k$ such that $x_1 + \cdots + x_k = 0$, where $+$ is the XOR operation. This problem has applications in a number of areas, including cryptanalysis, coding theory, finding shortest lattice vectors, and learning theory. The so-called k-tree algorithm, due to Wagner, solves this problem in $\tilde{O}(2^{q + n/(q+1)})$ expected time provided the length $m$ of the lists is large enough, specifically if $m \ge 2^{n/(q+1)}$. In many applications, however, it is necessary to work with lists of smaller length, where the above algorithm breaks down. In this paper we generalize the algorithm to work for significantly smaller values of the list length $m$, all the way down to the threshold value for which a solution exists with reasonable probability. Our algorithm exhibits a tradeoff between the value of $m$ and the running time. We also provide the first rigorous bounds on the failure probability of both our algorithm and that of Wagner.
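The basic k-tree algorithm that the abstract takes as its starting point can be sketched as follows. This is an added example, not code from the paper: the names `merge`, `k_tree` and `demo` are hypothetical, vectors are stored as Python integers, and the defaults ($n = 24$, list length $4 \cdot 2^{n/(q+1)}$, fixed seed) are assumptions chosen so that a solution is found with near certainty.

```python
import random
from collections import defaultdict

def merge(A, B, mask):
    """Join two lists of (xor_value, parts): keep pairs that agree on the mask bits."""
    buckets = defaultdict(list)
    for val, parts in B:
        buckets[val & mask].append((val, parts))
    out = []
    for val, parts in A:
        for bval, bparts in buckets.get(val & mask, ()):
            # val ^ bval is zero on every bit selected by mask
            out.append((val ^ bval, parts + bparts))
    return out

def k_tree(lists, n):
    """Basic k-tree for k = 2^q lists of n-bit ints.

    Returns every tuple (x_1, ..., x_k) it finds with x_1 ^ ... ^ x_k == 0.
    It only explores tuples whose partial XORs vanish level by level,
    so it does not enumerate all solutions that exist.
    """
    k = len(lists)
    q = k.bit_length() - 1
    assert q >= 1 and k == 1 << q, "number of lists must be a power of two"
    ell = n // (q + 1)  # bits cancelled at each level below the root
    level = [[(x, (x,)) for x in L] for L in lists]
    for depth in range(1, q + 1):
        # The root join must cancel all n bits; lower levels cancel ell more each.
        bits = n if depth == q else depth * ell
        mask = (1 << bits) - 1
        level = [merge(level[i], level[i + 1], mask)
                 for i in range(0, len(level), 2)]
    return [parts for _val, parts in level[0]]

def demo(n=24, q=2, m=None, seed=1):
    """Build 2^q constructed random lists and run the k-tree on them."""
    rng = random.Random(seed)
    m = m or 4 * (1 << (n // (q + 1)))  # assumption: 4x the minimum list length
    lists = [[rng.getrandbits(n) for _ in range(m)] for _ in range(1 << q)]
    return lists, k_tree(lists, n)

if __name__ == "__main__":
    lists, sols = demo()
    print(len(sols), "solutions; first:", [hex(x) for x in sols[0]])
```

Passing `m` well below $2^{n/(q+1)}$ to `demo` shows the breakdown mentioned above: the merged lists shrink at every level and the final join usually comes back empty.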