DOCSLIB.ORG

Algorithms for the Elliptic Curve Discrete Logarithm and the Approximate Common Divisor Problem

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Algorithms for the Elliptic Curve Discrete Logarithm and the Approximate Common Divisor Problem Algorithms for the Elliptic Curve Discrete Logarithm and the Approximate Common Divisor Problem Shishay Welay Gebregiyorgis A Thesis Submitted in Fulfillment of the Requirements for the Degree of Doctor of Philosophy in Mathematics The University of Auckland January 2016 Abstract Public key cryptosystems such as Diffie-Hellman key exchange and homomorphic encryption over the integers are based on the assumption that the Discrete Logarithm Problem (DLP) and the Approximate Common Divisor (ACD) problem are hard respectively. These computational assumptions can be tested by developing improved algorithms to solve them. The DLP for elliptic curves defined over certain finite fields is believed to be hard. The best current algorithm for this problem is Pollard rho. The most promising new idea for attacking the DLP over these curves is the index calculus algorithm, since it solves the DLP for finite fields in subexponential time. It is important to understand this class of algorithms. We study the index calculus algorithm based on summation polynomials. This reduces the DLP to solving systems of multivariate polynomial equations. We explain recent research on exploiting symmetries arising from points of small order. The use of such symmetries can be used to speed up solving the system of polynomial equations, and hence speed up the algorithm. We give an improved index calculus algorithm for solving the DLP for binary elliptic curves. Despite our improved ideas, our experiments suggest that Pollard rho is still the best algorithm for the DLP in practice. We discuss and analyse a new idea called the “splitting technique”, which does not make use of symmetries. We finally suggest a new definition of the factor base to bring the probability of finding a relation close to 1. To extend the notion of symmetries we investigate the use of an automorphism of elliptic curves defined over a field of characteristic 3 to speed up the index calculus algorithm. Our finding is that an automorphism speeds up the algorithm, but not to the extent that we would wish. Finally we review, compare and precisely analyse some existing algorithms to solve the ACD problem. Our experiments show that the Cohn-Heninger algorithm is slower than the orthogonal lattice based ap- proach. We propose a preprocessing of the ACD instances to speed up these algorithms. We explain that the preprocessing does not seem to threaten the ACD problem in practice. Acknowledgements I like to thank to my PhD supervisor Steven Galbraith for supporting me during my three years stay in the University of Auckland. He did not only supervise me but also he taught me how to be an independent self confident researcher. Above all, special appreciation goes to him for our collaborative work in my first published paper on the results in Chapter 3. I also like to thank Arkadii Slinko, Ben Martin, Igor Klep for their comments and suggestions. My work has been supported by the University of Auckland. The University of Auckland did not only provide me materials needed for my PhD program but also for awarding me a University of Auckland Doctoral Scholarship. So I really like to thank to all staff in this great University. Finally huge thanks goes to my family for supporting me in all ways. All the work is dedicated to my amazing family. Contents 1 Cryptography and Computational Assumptions3 1.1 Cryptography..........................................4 1.2 The integer factorization problem and RSA cryptosystem...................5 1.3 Integer factorization algorithms.................................6 1.3.1 Pollard p − 1 algorithm................................6 1.3.2 The elliptic curve factorization method........................7 1.3.3 The quadratic sieve factorization method.......................7 1.4 The discrete logarithm problem and Elgamal cryptosystem..................8 1.5 Algorithms for solving the discrete logarithm problem.................... 10 1.5.1 The baby-step-giant-step algorithm.......................... 10 1.5.2 The Pohlig-Hellman algorithm............................. 10 1.5.3 The Pollard rho algorithm............................... 11 1.5.4 The index calculus method............................... 11 2 Elliptic Curves and Summation Polynomials 13 2.1 Computational algebraic geometry............................... 14 2.1.1 Ideals and affine varieties................................ 14 2.1.2 Grobner¨ basis...................................... 16 2.1.3 Invariant theory..................................... 18 2.1.4 Solving polynomial systems with symmetries using Grobner¨ basis.......... 20 2.2 Elliptic curves.......................................... 22 2.2.1 Elliptic curve definition................................. 22 2.2.2 Elliptic curve representation.............................. 25 2.2.3 The elliptic curve discrete logarithm problem (ECDLP)................ 27 2.3 Summation polynomials.................................... 30 2.3.1 Summation polynomials definition........................... 31 2.3.2 Weil descent of an elliptic curve............................ 31 2.3.3 The index calculus algorithm.............................. 32 2.3.4 Resolution of polynomial systems using symmetries................. 38 3 Index Calculus Algorithm to Solve the DLP for Binary Edwards Curve 40 3.1 Summation polynomials of binary Edwards curve....................... 41 3.1.1 Factor base definition.................................. 43 3.1.2 Weil descent of binary Edwards curve......................... 44 3.2 Symmetries to speed up resolution of polynomial systems.................. 45 1 3.2.1 The action of symmetric group............................. 45 3.2.2 The action of a point of order 2............................ 45 3.2.3 The action of points of order 4............................. 46 3.3 Index calculus algorithm.................................... 47 3.4 Breaking symmetry in the factor base............................. 50 3.5 Grobner¨ basis versus SAT solvers comparison......................... 51 3.6 Experimental results...................................... 52 3.7 Splitting method to solve DLP for binary curves........................ 57 4 The DLP for Supersingular Ternary Curves 60 4.1 Elliptic curve over a field of characteristic three........................ 60 4.2 Automorphisms and resolution of point decomposition problem............... 61 4.3 Invariant rings under the automorphism and symmetric groups................ 62 5 The Approximate Common Divisor Problem and Lattices 65 5.1 Lattices and computational assumptions............................ 66 5.1.1 Algorithms to solve CVP and SVP........................... 68 5.1.2 Solving Knapsack problem............................... 70 5.2 Algorithms to solve the approximate common divisor problem................ 71 5.2.1 Exhaustive search.................................... 73 5.2.2 Simultaneous Diophantine approximation....................... 74 5.2.3 Orthogonal vectors to common divisors (NS-Approach)............... 76 5.2.4 Orthogonal vectors to error terms (NS*-Approach).................. 80 5.2.5 Multivariate polynomial equations method (CH-Approach).............. 82 5.3 Comparison of algorithms for the ACD problem........................ 85 5.3.1 Experimental observation............................... 87 5.4 Pre-processing of the ACD samples.............................. 88 2 Chapter 1 Cryptography and Computational Assumptions Contents 1.1 Cryptography........................................4 1.2 The integer factorization problem and RSA cryptosystem................5 1.3 Integer factorization algorithms..............................6 1.3.1 Pollard p − 1 algorithm...............................6 1.3.2 The elliptic curve factorization method.......................7 1.3.3 The quadratic sieve factorization method......................7 1.4 The discrete logarithm problem and Elgamal cryptosystem...............8 1.5 Algorithms for solving the discrete logarithm problem.................. 10 1.5.1 The baby-step-giant-step algorithm......................... 10 1.5.2 The Pohlig-Hellman algorithm............................ 10 1.5.3 The Pollard rho algorithm.............................. 11 1.5.4 The index calculus method.............................. 11 Secure cryptosystems are built using computational problems that are believed to be hard. The RSA and Diffie-Hellman key exchange are based on the assumption that the integer factorization and discrete logarithm problems are hard respectively. If we can break the underlying assumption, then the cryptosystem is not secure any more. In this regard, we are interested in trying to solve the underlying hard computational problems of cryptosystems. If the computational problem is intrinsically easy, we can provide an algorithm to solve the problem in polynomial time. If however the computational problem is intrinsically difficult, we would wish to show that there is no algorithm that solves the problem. The lack of proof showing that there is no efficient algorithm to solve the underlying hard computational problems in many cryptosytems is our motivation for our research. We test computational assumptions by developing improved algorithms to solve them. We give a summary of the existing algorithms to solve the integer factorization and discrete logarithm problems. 3 1.1 Cryptography Cryptography deals with securing communication channels, electronic transactions, sensitive data and other critical information such as medical records. It is concerned with designing a cyptosystem or a cryp- tographic system that is capable
Load more

Recommended publications
  • Lectures on the NTRU Encryption Algorithm and Digital Signature Scheme: Grenoble, June 2002
    Lectures on the NTRU encryption algorithm and digital signature scheme: Grenoble, June 2002 J. Pipher Brown University, Providence RI 02912 1 Lecture 1 1.1 Integer lattices Lattices have been studied by cryptographers for quite some time, in both the field of cryptanalysis (see for example [16{18]) and as a source of hard problems on which to build encryption schemes (see [1, 8, 9]). In this lecture, we describe the NTRU encryption algorithm, and the lattice problems on which this is based. We begin with some definitions and a brief overview of lattices. If a ; a ; :::; a are n independent vectors in Rm, n m, then the 1 2 n ≤ integer lattice with these vectors as basis is the set = n x a : x L f 1 i i i 2 Z . A lattice is often represented as matrix A whose rows are the basis g P vectors a1; :::; an. The elements of the lattice are simply the vectors of the form vT A, which denotes the usual matrix multiplication. We will specialize for now to the situation when the rank of the lattice and the dimension are the same (n = m). The determinant of a lattice det( ) is the volume of the fundamen- L tal parallelepiped spanned by the basis vectors. By the Gram-Schmidt process, one can obtain a basis for the vector space generated by , and L the det( ) will just be the product of these orthogonal vectors. Note that L these vectors are not a basis for as a lattice, since will not usually L L possess an orthogonal basis.
    [Show full text]
  • Solving Hard Lattice Problems and the Security of Lattice-Based Cryptosystems
    Solving Hard Lattice Problems and the Security of Lattice-Based Cryptosystems † Thijs Laarhoven∗ Joop van de Pol Benne de Weger∗ September 10, 2012 Abstract This paper is a tutorial introduction to the present state-of-the-art in the field of security of lattice- based cryptosystems. After a short introduction to lattices, we describe the main hard problems in lattice theory that cryptosystems base their security on, and we present the main methods of attacking these hard problems, based on lattice basis reduction. We show how to find shortest vectors in lattices, which can be used to improve basis reduction algorithms. Finally we give a framework for assessing the security of cryptosystems based on these hard problems. 1 Introduction Lattice-based cryptography is a quickly expanding field. The last two decades have seen exciting devel- opments, both in using lattices in cryptanalysis and in building public key cryptosystems on hard lattice problems. In the latter category we could mention the systems of Ajtai and Dwork [AD], Goldreich, Goldwasser and Halevi [GGH2], the NTRU cryptosystem [HPS], and systems built on Small Integer Solu- tions [MR1] problems and Learning With Errors [R1] problems. In the last few years these developments culminated in the advent of the first fully homomorphic encryption scheme by Gentry [Ge]. A major issue in this field is to base key length recommendations on a firm understanding of the hardness of the underlying lattice problems. The general feeling among the experts is that the present understanding is not yet on the same level as the understanding of, e.g., factoring or discrete logarithms.
    [Show full text]
  • Improvements in Computing Discrete Logarithms in Finite Fields
    ISSN (Print): 2476-8316 ISSN (Online): 2635-3490 Dutse Journal of Pure and Applied Sciences (DUJOPAS), Vol. 5 No. 1a June 2019 Improvements in Computing Discrete Logarithms in Finite Fields 1*Ali Maianguwa Shuaibu, 2Sunday Babuba & 3James Andrawus 1, 2,3 Department of Mathematics, Federal University Dutse, Jigawa State Email: [email protected] Abstract The discrete logarithm problem forms the basis of numerous cryptographic systems. The most efficient attack on the discrete logarithm problem in the multiplicative group of a finite field is via the index calculus. In this paper, we examined a non-generic algorithm that uses index calculus. If α is a generator × × for 퐹푝 then the discrete logarithm of 훽 ∈ 퐹푝 with respect to 훼 is also called the index of 훽 (with respect to 훼), whence the term index calculus. This algorithm depends critically on the distribution of smooth numbers (integers with small prime factors), which naturally leads to a discussion of two algorithms for factoring integers that also depend on smooth numbers: the Pollard 푝 − 1method and the elliptic curve method. In conclusion, we suggest improved elliptic curve as well as hyperelliptic curve cryptography methods as fertile ground for further research. Keywords: Elliptic curve, Index calculus, Multiplicative group, Smooth numbers Introduction 푥 It is known that the logarithm 푙표푔푏 푎 is a number x such that 푏 = 푎, for given numbers a and b. Similarly, in any group G, powers 푏푘 can be defined for all integers 푘, and 푘 the discrete logarithm푙표푔푏 푎 is an integer k such that 푏 = 푎. In number theory,푥 = 푥 푖푛푑푟푎(푚표푑 푚) is read as the index of 푎 to the base r modulo m which is equivalent to 푟 = 푎(푚표푑 푚) if r is the primitive root of m and greatest common divisor, 푔푐푑( 푎, 푚) = 1.
    [Show full text]
  • The Index Calculus Method Using Non-Smooth Polynomials
    MATHEMATICS OF COMPUTATION Volume 70, Number 235, Pages 1253{1264 S 0025-5718(01)01298-4 Article electronically published on March 7, 2001 THE INDEX CALCULUS METHOD USING NON-SMOOTH POLYNOMIALS THEODOULOS GAREFALAKIS AND DANIEL PANARIO Abstract. We study a generalized version of the index calculus method for n the discrete logarithm problem in Fq ,whenq = p , p is a small prime and n !1. The database consists of the logarithms of all irreducible polynomials of degree between given bounds; the original version of the algorithm uses lower bound equal to one. We show theoretically that the algorithm has the same asymptotic running time as the original version. The analysis shows that the best upper limit for the interval coincides with the one for the original version. The lower limit for the interval remains a free variable of the process. We provide experimental results that indicate practical values for that bound. We also give heuristic arguments for the running time of the Waterloo variant and of the Coppersmith method with our generalized database. 1. Introduction Let G denote a group written multiplicatively and hgi the cyclic subgroup gen- erated by g 2 G.Giveng and y 2hgi,thediscrete logarithm problem for G is to find the smallest integer x such that y = gx.Theintegerx is called the discrete logarithm of y in the base g, and is written x =logg y. The main reason for the intense current interest on the discrete logarithm prob- lem (apart from being interesting on a purely mathematical level) is that the se- curity of many public-key cryptosystems depends on the assumption that finding discrete logarithms is hard, at least for certain groups.
    [Show full text]
  • On Ideal Lattices and Learning with Errors Over Rings∗
    On Ideal Lattices and Learning with Errors Over Rings∗ Vadim Lyubashevskyy Chris Peikertz Oded Regevx June 25, 2013 Abstract The “learning with errors” (LWE) problem is to distinguish random linear equations, which have been perturbed by a small amount of noise, from truly uniform ones. The problem has been shown to be as hard as worst-case lattice problems, and in recent years it has served as the foundation for a plethora of cryptographic applications. Unfortunately, these applications are rather inefficient due to an inherent quadratic overhead in the use of LWE. A main open question was whether LWE and its applications could be made truly efficient by exploiting extra algebraic structure, as was done for lattice-based hash functions (and related primitives). We resolve this question in the affirmative by introducing an algebraic variant of LWE called ring- LWE, and proving that it too enjoys very strong hardness guarantees. Specifically, we show that the ring-LWE distribution is pseudorandom, assuming that worst-case problems on ideal lattices are hard for polynomial-time quantum algorithms. Applications include the first truly practical lattice-based public-key cryptosystem with an efficient security reduction; moreover, many of the other applications of LWE can be made much more efficient through the use of ring-LWE. 1 Introduction Over the last decade, lattices have emerged as a very attractive foundation for cryptography. The appeal of lattice-based primitives stems from the fact that their security can often be based on worst-case hardness assumptions, and that they appear to remain secure even against quantum computers.
    [Show full text]
  • On Lattices, Learning with Errors, Random Linear Codes, and Cryptography
    On Lattices, Learning with Errors, Random Linear Codes, and Cryptography Oded Regev ¤ May 2, 2009 Abstract Our main result is a reduction from worst-case lattice problems such as GAPSVP and SIVP to a certain learning problem. This learning problem is a natural extension of the ‘learning from parity with error’ problem to higher moduli. It can also be viewed as the problem of decoding from a random linear code. This, we believe, gives a strong indication that these problems are hard. Our reduction, however, is quantum. Hence, an efficient solution to the learning problem implies a quantum algorithm for GAPSVP and SIVP. A main open question is whether this reduction can be made classical (i.e., non-quantum). We also present a (classical) public-key cryptosystem whose security is based on the hardness of the learning problem. By the main result, its security is also based on the worst-case quantum hardness of GAPSVP and SIVP. The new cryptosystem is much more efficient than previous lattice-based cryp- tosystems: the public key is of size O~(n2) and encrypting a message increases its size by a factor of O~(n) (in previous cryptosystems these values are O~(n4) and O~(n2), respectively). In fact, under the assumption that all parties share a random bit string of length O~(n2), the size of the public key can be reduced to O~(n). 1 Introduction Main theorem. For an integer n ¸ 1 and a real number " ¸ 0, consider the ‘learning from parity with n error’ problem, defined as follows: the goal is to find an unknown s 2 Z2 given a list of ‘equations with errors’ hs; a1i ¼" b1 (mod 2) hs; a2i ¼" b2 (mod 2) .
    [Show full text]
  • Making NTRU As Secure As Worst-Case Problems Over Ideal Lattices
    Making NTRU as Secure as Worst-Case Problems over Ideal Lattices Damien Stehlé1 and Ron Steinfeld2 1 CNRS, Laboratoire LIP (U. Lyon, CNRS, ENS Lyon, INRIA, UCBL), 46 Allée d’Italie, 69364 Lyon Cedex 07, France. [email protected] – http://perso.ens-lyon.fr/damien.stehle 2 Centre for Advanced Computing - Algorithms and Cryptography, Department of Computing, Macquarie University, NSW 2109, Australia [email protected] – http://web.science.mq.edu.au/~rons Abstract. NTRUEncrypt, proposed in 1996 by Hoffstein, Pipher and Sil- verman, is the fastest known lattice-based encryption scheme. Its mod- erate key-sizes, excellent asymptotic performance and conjectured resis- tance to quantum computers could make it a desirable alternative to fac- torisation and discrete-log based encryption schemes. However, since its introduction, doubts have regularly arisen on its security. In the present work, we show how to modify NTRUEncrypt to make it provably secure in the standard model, under the assumed quantum hardness of standard worst-case lattice problems, restricted to a family of lattices related to some cyclotomic fields. Our main contribution is to show that if the se- cret key polynomials are selected by rejection from discrete Gaussians, then the public key, which is their ratio, is statistically indistinguishable from uniform over its domain. The security then follows from the already proven hardness of the R-LWE problem. Keywords. Lattice-based cryptography, NTRU, provable security. 1 Introduction NTRUEncrypt, devised by Hoffstein, Pipher and Silverman, was first presented at the Crypto’96 rump session [14]. Although its description relies on arithmetic n over the polynomial ring Zq[x]=(x − 1) for n prime and q a small integer, it was quickly observed that breaking it could be expressed as a problem over Euclidean lattices [6].
    [Show full text]
  • Index Calculus in the Trace Zero Variety 3
    INDEX CALCULUS IN THE TRACE ZERO VARIETY ELISA GORLA AND MAIKE MASSIERER Abstract. We discuss how to apply Gaudry’s index calculus algorithm for abelian varieties to solve the discrete logarithm problem in the trace zero variety of an elliptic curve. We treat in particular the practically relevant cases of field extensions of degree 3 or 5. Our theoretical analysis is compared to other algorithms present in the literature, and is complemented by results from a prototype implementation. 1. Introduction Given an elliptic curve E defined over a finite field Fq, consider the group E(Fqn ) of rational points over a field extension of prime degree n. Since E is defined over Fq, the group E(Fqn ) contains the subgroup E(Fq) of Fq-rational points of E. Moreover, it contains the subgroup Tn of − points P E(F n ) whose trace P + ϕ(P )+ ... + ϕn 1(P ) is zero, where ϕ denotes the Frobenius ∈ q homomorphism on E. The group Tn is called the trace zero subgroup of E(Fqn ), and it is the group of Fq-rational points of the trace zero variety relative to the field extension Fqn Fq. In this paper, we study the hardness of the DLP in the trace zero variety. Our| interest in this question has several motivations. First of all, supersingular trace zero varieties can achieve higher security per bit than supersingular elliptic curves, as shown by Rubin and Silverberg in [RS02, RS09] and by Avanzi and Cesena in [AC07, Ces10]. Ideally, in pairing-based proto- F∗ cols the embedding degree k is such that the DLP in Tn and in qkn have the same complexity.
    [Show full text]
  • Lower Bounds on Lattice Sieving and Information Set Decoding
    Lower bounds on lattice sieving and information set decoding Elena Kirshanova1 and Thijs Laarhoven2 1Immanuel Kant Baltic Federal University, Kaliningrad, Russia [email protected] 2Eindhoven University of Technology, Eindhoven, The Netherlands [email protected] April 22, 2021 Abstract In two of the main areas of post-quantum cryptography, based on lattices and codes, nearest neighbor techniques have been used to speed up state-of-the-art cryptanalytic algorithms, and to obtain the lowest asymptotic cost estimates to date [May{Ozerov, Eurocrypt'15; Becker{Ducas{Gama{Laarhoven, SODA'16]. These upper bounds are useful for assessing the security of cryptosystems against known attacks, but to guarantee long-term security one would like to have closely matching lower bounds, showing that improvements on the algorithmic side will not drastically reduce the security in the future. As existing lower bounds from the nearest neighbor literature do not apply to the nearest neighbor problems appearing in this context, one might wonder whether further speedups to these cryptanalytic algorithms can still be found by only improving the nearest neighbor subroutines. We derive new lower bounds on the costs of solving the nearest neighbor search problems appearing in these cryptanalytic settings. For the Euclidean metric we show that for random data sets on the sphere, the locality-sensitive filtering approach of [Becker{Ducas{Gama{Laarhoven, SODA 2016] using spherical caps is optimal, and hence within a broad class of lattice sieving algorithms covering almost all approaches to date, their asymptotic time complexity of 20:292d+o(d) is optimal. Similar conditional optimality results apply to lattice sieving variants, such as the 20:265d+o(d) complexity for quantum sieving [Laarhoven, PhD thesis 2016] and previously derived complexity estimates for tuple sieving [Herold{Kirshanova{Laarhoven, PKC 2018].
    [Show full text]
  • Integer Factorization and Computing Discrete Logarithms in Maple
    Integer Factorization and Computing Discrete Logarithms in Maple Aaron Bradford∗, Michael Monagan∗, Colin Percival∗ [email protected], [email protected], [email protected] Department of Mathematics, Simon Fraser University, Burnaby, B.C., V5A 1S6, Canada. 1 Introduction As part of our MITACS research project at Simon Fraser University, we have investigated algorithms for integer factorization and computing discrete logarithms. We have implemented a quadratic sieve algorithm for integer factorization in Maple to replace Maple's implementation of the Morrison- Brillhart continued fraction algorithm which was done by Gaston Gonnet in the early 1980's. We have also implemented an indexed calculus algorithm for discrete logarithms in GF(q) to replace Maple's implementation of Shanks' baby-step giant-step algorithm, also done by Gaston Gonnet in the early 1980's. In this paper we describe the algorithms and our optimizations made to them. We give some details of our Maple implementations and present some initial timings. Since Maple is an interpreted language, see [7], there is room for improvement of both implementations by coding critical parts of the algorithms in C. For example, one of the bottle-necks of the indexed calculus algorithm is finding and integers which are B-smooth. Let B be a set of primes. A positive integer y is said to be B-smooth if its prime divisors are all in B. Typically B might be the first 200 primes and y might be a 50 bit integer. ∗This work was supported by the MITACS NCE of Canada. 1 2 Integer Factorization Starting from some very simple instructions | \make integer factorization faster in Maple" | we have implemented the Quadratic Sieve factoring al- gorithm in a combination of Maple and C (which is accessed via Maple's capabilities for external linking).
    [Show full text]
  • Algorithms for the Densest Sub-Lattice Problem
    Algorithms for the Densest Sub-Lattice Problem Daniel Dadush∗ Daniele Micciancioy December 24, 2012 Abstract We give algorithms for computing the densest k-dimensional sublattice of an arbitrary lattice, and related problems. This is an important problem in the algorithmic geometry of numbers that includes as special cases Rankin’s problem (which corresponds to the densest sublattice problem with respect to the Euclidean norm, and has applications to the design of lattice reduction algorithms), and the shortest vector problem for arbitrary norms (which corresponds to setting k = 1) and its dual (k = n − 1). Our algorithm works for any norm and has running time kO(k·n) and uses 2n poly(n) space. In particular, the algorithm runs in single exponential time 2O(n) for any constant k = O(1). ∗Georgia Tech. Atlanta, GA, USA. Email: [email protected] yUniversity of California, San Diego. 9500 Gilman Dr., Mail Code 0404, La Jolla, CA 92093, USA. Email: [email protected]. This work was supported in part by NSF grant CNS-1117936. Any opinions, findings, and con- clusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation. 1 Introduction n A lattice is a discrete subgroup of R . Computational problems on lattices play an important role in many areas of computer science, mathematics and engineering, including cryptography, cryptanalysis, combinatorial optimization, communication theory and algebraic number theory. The most famous problem on lattices is the shortest vector problem (SVP), which asks to find the shortest nonzero vector in an input lattice.
    [Show full text]
  • Lattices in MIMO Spatial Multiplexing
    Lattices in MIMO Spatial Multiplexing: Detection and Geometry Francisco A. T. B. N. Monteiro (Fitzwilliam College) Department of Engineering University of Cambridge May 2012 To Fotini and To my mother iii iv Abstract Multiple-input multiple-output (MIMO) spatial multiplexing (SM) allows unprecedented spectral efficiencies at the cost of high detection complexity due to the fact that the underlying detection problem is equivalent to the closest vector problem (CVP) in a lattice. Finding better algorithms to deal with the problem has been a central topic in the last decade of research in MIMO SM. This work starts by introducing the most prominent detection techniques for MIMO, namely linear filtering, ordered successive interference cancellation (OSIC), lattice- reduction-aided, and the sphere decoding concept, along with their geometrical interpretation. The geometric relation between the primal and the dual-lattice is clarified, leading to the proposal of a pre-processing technique that allows a number of candidate solutions to be efficiently selected. A sub-optimal quantisation-based technique that reduces the complexity associated with exhaustive search detection is presented. Many of the detection algorithms for MIMO have roots in the fields of algorithmic number theory, theoretical computer science and applied mathematics. This work takes some of those tools originally defined for integer lattices and investigates their suitability for application to the rational lattices encountered in MIMO channels. Looking at lattices from a group theory perspective, it is shown that it is possible to approximate the typical lattices encountered in MIMO by a lattice having a trellis representation. Finally, this dissertation presents an alternative technique to feedback channel state information to the transmitter that shifts some of the processing complexity from the receiver to the transmitter while also reducing the amount of data to be sent in the feedback link.
    [Show full text]