BKZ 2.0: Better Lattice Security Estimates

  • Yuanmi Chen
  • Phong Q. Nguyen
Conference paper

DOI: 10.1007/978-3-642-25385-0_1

Part of the Lecture Notes in Computer Science book series (LNCS, volume 7073)
Cite this paper as:
Chen Y., Nguyen P.Q. (2011) BKZ 2.0: Better Lattice Security Estimates. In: Lee D.H., Wang X. (eds) Advances in Cryptology – ASIACRYPT 2011. ASIACRYPT 2011. Lecture Notes in Computer Science, vol 7073. Springer, Berlin, Heidelberg


The best lattice reduction algorithm known in practice for high dimension is Schnorr-Euchner’s BKZ: all security estimates of lattice cryptosystems are based on NTL’s old implementation of BKZ. However, recent progress on lattice enumeration suggests that BKZ and its NTL implementation are no longer optimal, but the precise impact on security estimates was unclear. We assess this impact thanks to extensive experiments with BKZ 2.0, the first state-of-the-art implementation of BKZ incorporating recent improvements, such as Gama-Nguyen-Regev pruning. We propose an efficient simulation algorithm to model the behaviour of BKZ in high dimension with high blocksize ≥ 50, which can predict approximately both the output quality and the running time, thereby revising lattice security estimates. For instance, our simulation suggests that the smallest NTRUSign parameter set, which was claimed to provide at least 93-bit security against key-recovery lattice attacks, actually offers at most 65-bit security.

Copyright information

© International Association for Cryptologic Research 2011

Authors and Affiliations

  • Yuanmi Chen
    • 1
  • Phong Q. Nguyen
    • 2
  1. 1.Dept. InformatiqueENSParisFrance
  2. 2.Dept. InformatiqueINRIA and ENSParisFrance

Personalised recommendations