J. Cryptology (1998) 11: 161–185
© 1998 International Association for Cryptologic Research
Lattice Reduction: A Toolbox for the Cryptanalyst
Antoine Joux DGA/CELAR, Bruz, France Jacques Stern Laboratoire d’Informatique, Ecole Normale Sup´erieure, Paris, France
Communicated by Andrew M. Odlyzko
Received 19 May 1994 and revised 31 December 1997
Abstract. In recent years, methods based on lattice reduction have been used repeat- edly for the cryptanalytic attack of various systems. Even if they do not rest on highly sophisticated theories, these methods may look a bit intricate to practically oriented cryptographers, both from the mathematical and the algorithmic point of view. The aim of this paper is to explain what can be achieved by lattice reduction algorithms, even without understanding the actual mechanisms involved. Two examples are given. One is the attack devised by the second author against Knuth’s truncated linear congruential generator. This attack was announced a few years ago and appears here for the first time in complete detail.
Key words. Lattices, Cryptanalysis, Knapsack cryptosystems.
1. Introduction
1.1. Historical Background A lattice is a discrete subgroup of Rn or equivalently the set L consisting of integral linear combinations