IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 54, NO. 7, JULY 2008 3221

C. Comparison in the Security

Our scheme provides a clearer security proof than NTRUSign with the old perturbation.

For NTRUSign with the old perturbation, the attacker can still construct some quadratic function of the private keys. Such a quadratic function can still be taken as a function of real number variables, so the methods of continuous mathematics can still be used for computing the private keys. Its strength against the attack of [7] is based only on the longer private keys, and hence on the greater amount of computation.

For our scheme, the attacker can only construct some complicated function of the private keys. Such a function is sensitive to the values of the private keys. It is a function of integer variables. It can be neither taken as nor approached by a function of real number variables. Computation of the private keys is somewhat like decomposing a large integer.

VI. SEVERAL NOTES ON OUR SCHEME

In Section II, we use , the set of subindexes. Such a set guarantees a sufficiently unpredictable hidden distribution and a clear reasoning procedure. If we take another set of subindexes (for example, ), the hidden distribution may not be unpredictable enough, and the reasoning procedure may not be clear enough.

Lattice reduction attack is not considered in this correspondence. Our scheme holds the security basis of NTRU, that is, the SVP and the CVP of the NTRU lattice (CS lattice).

Like all digital signature schemes following the NTRU design, our scheme is not a zero-knowledge scheme. This means that each valid signature will leak information on the private key. It is enough to guarantee the hardness for computing the private keys.

REFERENCES

[1] J. Hoffstein, J. Pipher, and J. H. Silverman, “NTRU: A new high speed public key cryptosystem,” in Proceedings of Algorithm Number Theory-ANTS III, ser. Lecture Notes in Computer Science.
Berlin, Germany: Springer-Verlag, 1998, vol. 1423, pp. 267–288.
[2] D. Coppersmith and A. Shamir, “Lattice attacks on NTRU,” in Advances in Cryptology-Eurocrypt 1997, ser. Lecture Notes in Computer Science. Berlin, Germany: Springer-Verlag, 1997, vol. 1233, pp. 52–61.
[3] N. Gama, N. Howgrave-Graham, and P. Q. Nguyen, “Symplectic lattice reduction and NTRU,” in Advances in Cryptology-Eurocrypt 2006, ser. Lecture Notes in Computer Science. Berlin, Germany: Springer-Verlag, 2006, vol. 4004, pp. 234–253.
[4] N. Gama, N. Howgrave-Graham, H. Koy, and P. Q. Nguyen, “Rankin’s constant and blockwise lattice reduction,” in Advances in Cryptology-Crypto 2006, ser. Lecture Notes in Computer Science. Berlin, Germany: Springer-Verlag, 2006, vol. 4117, pp. 112–130.
[5] C. Gentry and M. Szydlo, “Cryptanalysis of the revised NTRU signature scheme,” in Advances in Cryptology-Eurocrypt 2002, ser. Lecture Notes in Computer Science. Berlin, Germany: Springer-Verlag, 2002, vol. 2332, pp. 299–320.
[6] J. Hoffstein, N. Howgrave-Graham, J. Pipher, J. H. Silverman, and W. Whyte, “NTRUSign: Digital signatures using the NTRU lattice,” in Proceedings of CT-RSA 2003, ser. Lecture Notes in Computer Science. Berlin, Germany: Springer-Verlag, 2003, vol. 2612, pp. 122–140.
[7] P. Q. Nguyen and O. Regev, “Learning a parallelepiped: Cryptanalysis of GGH and NTRU signatures,” in Advances in Cryptology-Eurocrypt 2006, ser. Lecture Notes in Computer Science. Berlin, Germany: Springer-Verlag, 2006, vol. 4004, pp. 271–288.

On the Mutual Information and Low-SNR Capacity of Memoryless Noncoherent Rayleigh-Fading Channels

Sébastien de la Kethulle de Ryhove, Ninoslav Marina, and Geir E. Øien

Abstract—The memoryless noncoherent single-input–single-output (SISO) Rayleigh-fading channel is considered.
Closed-form expressions are derived for the mutual information between the output and the input of this channel when the input magnitude distribution is discrete and is restricted to having two mass points. It is subsequently shown how these expressions can be used to obtain closed-form expressions for the capacity of this channel for signal to noise ratio (SNR) values of up to approximately 0 dB, and a tight capacity lower bound for SNR values between 0 dB and 10 dB. The expressions for the channel capacity and its lower bound are given as functions of a parameter which can be obtained via numerical root-finding algorithms.

Index Terms—Capacity, capacity lower bound, hypergeometric function, hypergeometric series, memoryless channel, mutual information, noncoherent communication channel, Rayleigh-fading channel.

I. INTRODUCTION

Wireless communication channels in which neither the transmitter nor the receiver possess any knowledge of the channel propagation coefficients (also known as noncoherent channels) have recently been receiving a considerable amount of attention [2]–[10]. Such channels arise whenever the channel coherence time is too short to obtain a reliable estimate of the propagation coefficients via the standard pilot symbol technique (high mobility wireless systems are a typical example of such a scenario). They are currently less well understood than coherent channels, in which the channel state is assumed to be known to the receiver (and sometimes also the transmitter).

In this correspondence, we consider the memoryless noncoherent single-input single-output (SISO) Rayleigh-fading channel, which was studied under the assumption of an average power constrained input in, e.g., [5]–[7]. In [5], Abou-Faycal et al.
rigorously proved (in the average power constrained input case) that the magnitude of the capacity-achieving distribution is discrete with a finite number of mass points, one of these mass points being necessarily located at the origin (zero magnitude). Using numerical optimization algorithms, the authors also empirically found that a magnitude distribution with two mass points achieves capacity at low signal-to-noise ratio (SNR) values, and that the required number of mass points to achieve capacity increases monotonically with the SNR. Numerical optimization algorithms remain however the only way to find the number of mass points of the capacity-achieving magnitude distribution for a given SNR.

Manuscript received May 17, 2006; revised May 21, 2007. This work was supported in part by the Swiss National Science Foundation under Grant 21-055699.98.

S. de la Kethulle de Ryhove was with the Department of Electronics and Telecommunications, Norwegian University of Science and Technology (NTNU), NO-7491 Trondheim, Norway. He is now with the Electromagnetic Geoservices, Stiklestadveien 1, NO-7041 Trondheim, Norway (e-mail: sryhove@emgs.com).

N. Marina was with the School of Computer and Communication Sciences of the Swiss Federal Institute of Technology (EPFL), CH-1015 Lausanne, Switzerland. He is now with the Department of Electrical Engineering, University of Hawai’i at Manoa, Honolulu 96822 HI USA (e-mail: ninoslav@hawaii.edu).

G. E. Øien is with the Department of Electronics and Telecommunications, Norwegian University of Science and Technology, O. S. Bragstads pl. 2B, NO-7491, Trondheim, Norway (e-mail: oien@iet.ntnu.no).

Communicated by K. Kobayashi, Associate Editor for Shannon Theory.

Digital Object Identifier 10.1109/TIT.2008.924708

0018-9448/$25.00 © 2008 IEEE