The best lattice reduction algorithm known in practice for high dimension is Schnorr-Euchner’s BKZ: all security estimates of lattice cryptosystems are based on NTL’s old implementation of BKZ. However, recent progress on lattice enumeration suggests that BKZ and its NTL implementation are no longer optimal, but the precise impact on security estimates was unclear. We assess this impact thanks to extensive experiments with BKZ 2.0, the first state-of-the-art implementation of BKZ incorporating recent improvements, such as Gama-Nguyen-Regev pruning. We propose an efficient simulation algorithm to model the behaviour of BKZ in high dimension with high blocksize ≥ 50, which can predict approximately both the output quality and the running time, thereby revising lattice security estimates. For instance, our simulation suggests that the smallest NTRUSign parameter set, which was claimed to provide at least 93-bit security against key-recovery lattice attacks, actually offers at most 65-bit security.


Clock Cycle Simulation Algorithm Lattice Reduction Local Block Random Lattice 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Ajtai, M.: Generating random lattices according to the invariant distribution (draft of March 2006)Google Scholar
  2. 2.
    Ajtai, M.: Generating hard instances of lattice problems. In: Proc. STOC 1996, pp. 99–108. ACM (1996)Google Scholar
  3. 3.
    Ajtai, M., Kumar, R., Sivakumar, D.: A sieve algorithm for the shortest lattice vector problem. In: Proc. 33rd STOC 2001, pp. 601–610. ACM (2001)Google Scholar
  4. 4.
    Cadé, D., Pujol, X., Stehlé, D.: FPLLL library, version 3.0 (September 2008)Google Scholar
  5. 5.
    Devroye, L.: Non-uniform random variate generation (1986),
  6. 6.
    Fincke, U., Pohst, M.: Improved methods for calculating vectors of short length in a lattice, including a complexity analysis. Mathematics of Computation 44(170), 463–471 (1985)CrossRefzbMATHMathSciNetGoogle Scholar
  7. 7.
    Gama, N., Howgrave-Graham, N., Koy, H., Nguyên, P.Q.: Rankin’s Constant and Blockwise Lattice Reduction. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 112–130. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  8. 8.
    Gama, N., Nguyen, P.Q.: Finding short lattice vectors within Mordell’s inequality. In: Proc. STOC 2008. ACM (2008)Google Scholar
  9. 9.
    Gama, N., Nguyen, P.Q.: Predicting Lattice Reduction. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 31–51. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  10. 10.
    Gama, N., Nguyen, P.Q., Regev, O.: Lattice Enumeration Using Extreme Pruning. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 257–278. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  11. 11.
    Gentry, C., Halevi, S.: Public challenges for fully-homomorphic encryption (2010),
  12. 12.
    Goldreich, O., Goldwasser, S., Halevi, S.: Challenges for the GGH cryptosystem (1997),
  13. 13.
    Goldstein, D., Mayer, A.: On the equidistribution of Hecke points. Forum Math. 15(2), 165–189 (2003)CrossRefzbMATHMathSciNetGoogle Scholar
  14. 14.
    Hanrot, G., Pujol, X., Stehlé, D.: Analyzing Blockwise Lattice Algorithms Using Dynamical Systems. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 447–464. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  15. 15.
    Hanrot, G., Stehlé, D.: Improved Analysis of Kannan’s Shortest Lattice Vector Algorithm. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 170–186. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  16. 16.
    Hirschhorn, P.S., Hoffstein, J., Howgrave-Graham, N., Whyte, W.: Choosing NTRUEncrypt Parameters in Light of Combined Lattice Reduction and MITM Approaches. In: Abdalla, M., Pointcheval, D., Fouque, P.-A., Vergnaud, D. (eds.) ACNS 2009. LNCS, vol. 5536, pp. 437–455. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  17. 17.
    Hoffstein, J., Howgrave-Graham, N., Pipher, J., Whyte, W.: Practical lattice-based cryptography: NTRUEncrypt and NTRUSign. In: [35] (2010)Google Scholar
  18. 18.
    Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: A Ring-Based Public Key Cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  19. 19.
    Hoffstein, J., Silverman, J.H., Whyte, W.: Estimated breaking times for ntru lattices. Technical report, NTRU Cryptosystems, Report #012, v2 (October 2003)Google Scholar
  20. 20.
    Kannan, R.: Improved algorithms for integer programming and related lattice problems. In: STOC 1983, pp. 193–206. ACM (1983)Google Scholar
  21. 21.
    Lee, M.S., Hahn, S.G.: Cryptanalysis of the GGH cryptosystem. Mathematics in Computer Science 3, 201–208 (2010)CrossRefzbMATHMathSciNetGoogle Scholar
  22. 22.
    Lenstra, A.K., Lenstra Jr., H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Ann. 261, 513–534 (1982)Google Scholar
  23. 23.
    Lindner, R., Peikert, C.: Better key sizes (and attacks) for lwe-based encryption. Cryptology ePrint Archive, Report 2010/613, Full version of the CT-RSA 2011Google Scholar
  24. 24.
    Lindner, R., Rückert, M.: TU Darmstadt lattice challenge,
  25. 25.
    May, A.: Cryptanalysis of NTRU–107. Draft of 1999, available on May’s webpage (1999)Google Scholar
  26. 26.
    May, A., Silverman, J.H.: Dimension Reduction Methods for Convolution Modular Lattices. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 110–125. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  27. 27.
    Mazo, J.E., Odlyzko, A.M.: Lattice points in high dimensional spheres. Monatsheft Mathematik 17, 47–61 (1990)CrossRefMathSciNetGoogle Scholar
  28. 28.
    Micciancio, D., Regev, O.: Lattice-based cryptography. In: Post-Quantum Cryptography, pp. 147–191. Springer, Berlin (2009)CrossRefGoogle Scholar
  29. 29.
    Micciancio, D., Voulgaris, P.: A deterministic single exponential time algorithm for most lattice problems based on Voronoi cell computations. In: STOC 2010. ACM (2010)Google Scholar
  30. 30.
    Micciancio, D., Voulgaris, P.: Faster exponential time algorithms for the shortest vector problem. In: SODA 2010, pp. 1468–1480. ACM-SIAM (2010)Google Scholar
  31. 31.
    Nguyên, P.Q.: Cryptanalysis of the Goldreich-Goldwasser-Halevi Cryptosystem from Crypto’97. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 288–304. Springer, Heidelberg (1999)Google Scholar
  32. 32.
    Nguyen, P.Q.: Public-key cryptanalysis. In: Luengo, I. (ed.) Recent Trends in Cryptography. Contemporary Mathematics, vol. 477. AMS–RSME (2009)Google Scholar
  33. 33.
    Nguyen, P.Q.: Hermite’s constant and lattice algorithms. In: [35] (2010)Google Scholar
  34. 34.
    Nguyên, P.Q., Stehlé, D.: LLL on the Average. In: Hess, F., Pauli, S., Pohst, M. (eds.) ANTS 2006. LNCS, vol. 4076, pp. 238–256. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  35. 35.
    Nguyen, P.Q., Vallée, B. (eds.): The LLL Algorithm: Survey and Applications. Information Security and Cryptography. Springer, Heidelberg (2010)Google Scholar
  36. 36.
    Nguyen, P.Q., Vidick, T.: Sieve algorithms for the shortest vector problem are practical. J. of Mathematical Cryptology 2(2), 181–207 (2008)CrossRefzbMATHMathSciNetGoogle Scholar
  37. 37.
    Novocin, A., Stehlé, D., Villard, G.: An LLL-reduction algorithm with quasi-linear time complexity. In: Proc. STOC 2011. ACM (2011)Google Scholar
  38. 38.
    Pohst, M.: On the computation of lattice vectors of minimal length, successive minima and reduced bases with applications. SIGSAM Bull. 15(1), 37–44 (1981)CrossRefzbMATHMathSciNetGoogle Scholar
  39. 39.
    Rückert, M., Schneider, M.: Estimating the security of lattice-based cryptosystems. Cryptology ePrint Archive, Report 2010/137 (2010)Google Scholar
  40. 40.
    Schneider, M., Gama, N.: SVP challenge,
  41. 41.
    Schnorr, C.-P.: A hierarchy of polynomial lattice basis reduction algorithms. Theoretical Computer Science 53(2-3), 201–224 (1987)CrossRefzbMATHMathSciNetGoogle Scholar
  42. 42.
    Schnorr, C.-P., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Programming 66, 181–199 (1994)CrossRefzbMATHMathSciNetGoogle Scholar
  43. 43.
    Schnorr, C.-P., Hörner, H.H.: Attacking the Chor-Rivest Cryptosystem by Improved Lattice Reduction. In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 1–12. Springer, Heidelberg (1995)Google Scholar
  44. 44.
    Shoup, V.: Number Theory C++ Library (NTL) version 5.4.1,
  45. 45.
    Wang, X., Liu, M., Tian, C., Bi, J.: Improved Nguyen-Vidick heuristic sieve algorithm for shortest vector problem. In: Cryptology ePrint Archive, Report 2010/647 (2010)Google Scholar

Copyright information

© International Association for Cryptologic Research 2011

Authors and Affiliations

  • Yuanmi Chen
    • 1
  • Phong Q. Nguyen
    • 2
  1. 1.Dept. InformatiqueENSParisFrance
  2. 2.Dept. InformatiqueINRIA and ENSParisFrance

Personalised recommendations