Practical, Predictable Lattice Basis Reduction

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9665)


Lattice reduction algorithms are notoriously hard to predict, both in terms of running time and output quality, which poses a major problem for cryptanalysis. While easy to analyze algorithms with good worst-case behavior exist, previous experimental evidence suggests that they are outperformed in practice by algorithms whose behavior is still not well understood, despite more than 30 years of intensive research. This has lead to a situation where a rather complex simulation procedure seems to be the most common way to predict the result of their application to an instance. In this work we present new algorithmic ideas towards bridging this gap between theory and practice. We report on an extensive experimental study of several lattice reduction algorithms, both novel and from the literature, that shows that theoretical algorithms are in fact surprisingly practical and competitive. In light of our results we come to the conclusion that in order to predict lattice reduction, simulation is superfluous and can be replaced by a closed formula using weaker assumptions.

One key technique to achieving this goal is a novel algorithm to solve the Shortest Vector Problem (SVP) in the dual without computing the dual basis. Our algorithm enjoys the same practical efficiency as the corresponding primal algorithm and can be easily added to an existing implementation of it.


  1. 1.
    Ajtai, M.: Generating hard instances of lattice problems. Complex. Comput. Proofs Quaderni di Matematica 13, 1–32 (2004). Preliminary version in STOC 1996MathSciNetMATHGoogle Scholar
  2. 2.
    M. Ajtai and C. Dwork. A public-key cryptosystem with worst-case/average-case equivalence. In: Proceedings of STOC 1997, pp. 284–293. ACM, May 1997Google Scholar
  3. 3.
    Akhavi, A., Stehlé, D.: Speeding-up lattice reduction with random projections (extended abstract). In: Laber, E.S., Bornstein, C., Nogueira, L.T., Faria, L. (eds.) LATIN 2008. LNCS, vol. 4957, pp. 293–305. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  4. 4.
    Albrecht, M., Cadé, D., Pujol, X., Stehlé, D.: fplll-4.0, a floating-point LLL implementation.
  5. 5.
    Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. Cryptology ePrint Archive, Report 2015/046 (2015).
  6. 6.
    Bachem, A., Kannan, R.: Lattices and basis reduction algorithm. Technical Report 84–006, Mathematisches Institut, Universität zu Köln (1984)Google Scholar
  7. 7.
    Chen, Y.: Réduction de réseau et sécurité concrète du chiffrement complètement homomorphe. Ph.D. thesis, ENS, Paris, Thse de doctorat dirige par Nguyen, Phong-Quang Informatique Paris 7 (2013)Google Scholar
  8. 8.
    Chen, Y., Nguyen, P.Q.: BKZ 2.0: Better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  9. 9.
    Coupé, C., Nguyên, P.Q., Stern, J.: The effectiveness of lattice attacks against low-exponent RSA. In: Imai, H., Zheng, Y. (eds.) PKC 1999. LNCS, vol. 1560, pp. 204–218. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  10. 10.
    Dadush, D., Micciancio, D.: Algorithms for the densest sub-lattice problem. In: Proceedings of the Twenty-Fourth Annual ACM-SIAM Symposium on Discrete Algorithms, SODA 2013, pp. 1103–1122. SIAM (2013)Google Scholar
  11. 11.
    Fincke, U., Pohst, M.: Improved methods for calculating vectors of short length in a lattice, including a complexity analysis. Math. Comput. 44, 463–471 (1985)MathSciNetCrossRefMATHGoogle Scholar
  12. 12.
    Gama, N., Howgrave-Graham, N., Koy, H., Nguyên, P.Q.: Rankin’s constant and blockwise lattice reduction. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 112–130. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  13. 13.
    Gama, N., Howgrave-Graham, N., Nguyên, P.Q.: Symplectic lattice reduction and NTRU. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 233–253. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  14. 14.
    Gama, N., Nguyen, P.Q., Regev, O.: Lattice enumeration using extreme pruning. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 257–278. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  15. 15.
    Gama, N., Nguyen, P.Q.: Finding short lattice vectors within Mordell’s inequality. In: Proceedings of STOC, pp. 207–216. ACM, May 2008Google Scholar
  16. 16.
    Gama, N., Nguyen, P.Q.: Predicting lattice reduction. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 31–51. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  17. 17.
    Goldstein, D., Mayer, A.: On the equidistribution of Hecke points. Forum Mathematicum 15(2), 165–189 (2003)MathSciNetCrossRefMATHGoogle Scholar
  18. 18.
    Hanrot, G., Pujol, X., Stehlé, D.: Analyzing blockwise lattice algorithms using dynamical systems. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 447–464. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  19. 19.
    Hanrot, G., Stehlé, D.: Improved analysis of Kannan’s shortest lattice vector algorithm. In: Proceedings of Crypto [22], pp. 170–186Google Scholar
  20. 20.
    Helfrich, B.: Algorithms to construct minkowski reduced and hermite reduced lattice bases. Theoret. Comput. Sci. 41(2–3), 125–139 (1985)MathSciNetCrossRefMATHGoogle Scholar
  21. 21.
    Howgrave-Graham, N.: A hybrid lattice-reduction and meet-in-the-middle attack against NTRU. In: Proceedings of Crypto [22], pp. 150–169Google Scholar
  22. 22.
    Menezes, A. (ed.): CRYPTO 2007. LNCS, vol. 4622. Springer, Heidelberg (2007)MATHGoogle Scholar
  23. 23.
    Joux, A., Stern, J.: Lattice reduction: A toolbox for the cryptanalyst. J. Cryptol. 11(3), 161–185 (1998)MathSciNetCrossRefMATHGoogle Scholar
  24. 24.
    Kannan, R.: Improved algorithms for integer programming, related lattice problems. In: Proceedings of the Fifteenth Annual ACM Symposium on Theory of Computing - STOC 1983, pp. 193–206. ACM, April 1983. Journal version in Math. of Operation Research 12(3), 415–440 (1987)Google Scholar
  25. 25.
    Khot, S.: Hardness of approximating the shortest vector problem in lattices. J. ACM 52(5), 789–808 (2005). Preliminary version in FOCS 2004MathSciNetCrossRefMATHGoogle Scholar
  26. 26.
    Koy, H., Schnorr, C.-P.: Segment LLL-reduction of lattice bases. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 67–80. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  27. 27.
    Lenstra, A.K., Lenstra, Jr., H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261, 513–534 (1982)Google Scholar
  28. 28.
    Li, J., Nguyen, P.Q.: Approximating the densest sublattice from Rankins inequality. LMS J. Comput. Math. 17, 92–111 (2014)MathSciNetCrossRefMATHGoogle Scholar
  29. 29.
    Li, J., Wei, W.: Slide reduction, successive minima, several applications. Bull. Aust. Math. Soc. 88, 390–406 (2013)MathSciNetCrossRefMATHGoogle Scholar
  30. 30.
    Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  31. 31.
    Lyubashevsky, V., Micciancio, D.: On bounded distance decoding, unique shortest vectors, and the minimum distance problem. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 577–594. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  32. 32.
    Mehrotra, S., Li, Z.: Segment LLL reduction of lattice bases using modular arithmetic. Algorithms 3(3), 224–243 (2010)MathSciNetCrossRefGoogle Scholar
  33. 33.
    Micciancio, D.: Almost perfect lattices, the covering radius problem, applications to Ajtai’s connection factor. SIAM J. Comput. 34(1), 118–169 (2004). Preliminary version in STOC 2002MathSciNetCrossRefMATHGoogle Scholar
  34. 34.
    Micciancio, D.: Inapproximability of the shortest vector problem: Toward a deterministic reduction. Theory Comput. 8(1), 487–512 (2012)MathSciNetCrossRefMATHGoogle Scholar
  35. 35.
    Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measure. SIAM J. Comput. 37(1), 267–302 (2007). Preliminary version in FOCS 2004MathSciNetCrossRefMATHGoogle Scholar
  36. 36.
    Micciancio, D., Walter, M.: Fast lattice point enumeration with minimal overhead. In: Indyk, P. (ed.) Proceedings of the Twenty-Sixth Annual ACM-SIAM Symposium on Discrete Algorithms, SODA, San Diego, CA, USA, January 4–6, 2015, pp. 276–294. SIAM (2015)Google Scholar
  37. 37.
    Micciancio, D., Walter, M.: Practical, predictable lattice basis reduction. Cryptology ePrint Archive, Report 2015/1123 (2015).
  38. 38.
    Neumaier, A.: Bounding basis reduction properties. Cryptology ePrint Archive, Report 2016/004 (2016).
  39. 39.
    Nguyên, P.Q.: Cryptanalysis of the goldreich-goldwasser-halevi cryptosystem from Crypto’97. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 288–304. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  40. 40.
    Nguyen, P.: Hermite’s constant and lattice algorithms. In: Nguyen, P.Q., Vallée, B. (eds.) The LLL Algorithm, pp. 19–69. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  41. 41.
    Nguyen, P.Q.: Lattice reduction algorithms: theory and practice. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 2–6. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  42. 42.
    Nguyên, P.Q., Stehlé, D.: Low-dimensional lattice basis reduction revisited. In: Buell, D.A. (ed.) ANTS 2004. LNCS, vol. 3076, pp. 338–357. Springer, Heidelberg (2004). Journal version in ACM Trans. on AlgorithmsCrossRefGoogle Scholar
  43. 43.
    Nguyên, P.Q., Stehlé, D.: LLL on the average. In: Hess, F., Pauli, S., Pohst, M. (eds.) ANTS 2006. LNCS, vol. 4076, pp. 238–256. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  44. 44.
    Nguyên, P.Q., Stern, J.: Cryptanalysis of the Ajtai-Dwork cryptosystem. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 223–242. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  45. 45.
    Nguyen, P., Stern, J.: Lattice reduction in cryptology: an update. In: Bosma, W. (ed.) ANTS 2000. LNCS, vol. 1838, pp. 85–112. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  46. 46.
    Nguyên, P.Q., Stern, J.: The two faces of lattices in cryptology. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 146–180. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  47. 47.
    Nguyen, P.Q., Shparlinski, I.E.: The insecurity of the elliptic curve digital signature algorithm with partially known nonces. Des. Codes Crypt. 30(2), 201–217 (2003)MathSciNetCrossRefMATHGoogle Scholar
  48. 48.
    Nguyen, P.Q., Stehlé, D.: Low-dimensional lattice basis reduction revisited. ACM Trans. Algorithms 5(4), 46 (2009). Preliminary version in ANTS 2004MathSciNetCrossRefMATHGoogle Scholar
  49. 49.
    Peikert, C.: Public-key cryptosystems from the worst-case shortest vector problem. In: Proceedings of STOC, pp. 333–342. ACM (2009)Google Scholar
  50. 50.
    Plantard, T., Susilo, W.: Recursive lattice reduction. In: Garay, J.A., De Prisco, R. (eds.) SCN 2010. LNCS, vol. 6280, pp. 329–344. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  51. 51.
    Pohst, M.: A modification of the LLL-reduction algorithm. J. Symbolic Comput. 4(1), 123–127 (1987)MathSciNetCrossRefMATHGoogle Scholar
  52. 52.
    Regev, O.: New lattice based cryptographic constructions. J. ACM 51(6), 899–942 (2004). Preliminary version in STOC 2003MathSciNetCrossRefMATHGoogle Scholar
  53. 53.
    Regev, O.: On lattices, learning with errors, random linear codes, cryptography. J. ACM 56(6), 34 (2009). Preliminary version in STOC 2005MathSciNetCrossRefMATHGoogle Scholar
  54. 54.
    Schnorr, C.-P.: A hierarchy of polynomial time lattice basis reduction algorithms. Theoret. Comput. Sci. 53(2–3), 201–224 (1987)MathSciNetCrossRefMATHGoogle Scholar
  55. 55.
    Schnorr, C.-P.: A more efficient algorithm for lattice basis reduction. J. Algorithms 9(1), 47–62 (1988)MathSciNetCrossRefMATHGoogle Scholar
  56. 56.
    Schnorr, C.-P.: Block reduced lattice bases and successive minima. Comb. Probab. Comput. 3, 507–522 (1994)MathSciNetCrossRefMATHGoogle Scholar
  57. 57.
    Schnorr, C.-P.: Lattice reduction by random sampling and birthday methods. In: Alt, H., Habib, M. (eds.) STACS 2003. LNCS, vol. 2607, pp. 145–156. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  58. 58.
    Schnorr, C.P.: Fast LLL-type lattice reduction. Inf. Comput. 204(1), 1–25 (2006)MathSciNetCrossRefMATHGoogle Scholar
  59. 59.
    Schnorr, C.P.: Progress on LLL and lattice reduction. In: Nguyen, P.Q., Vallée, B. (eds.) The LLL Algorithm, pp. 145–178. Springer, Heidelberg (2010)Google Scholar
  60. 60.
    Schnorr, C.-P., Euchner, M.: Lattice basis reduction: Improved practical algorithms and solving subset sum problems. Math. Program. 66(1–3), 181–199 (1991). Preliminary version in FCT 1994MathSciNetMATHGoogle Scholar
  61. 61.
    Schnorr, C.-P., Fischlin, M., Koy, H., May, A.: Lattice attacks on GGH cryptosystem. Rump session of Crypto 1997 (1997)Google Scholar
  62. 62.
    Schnorr, C.-P., Hörner, H.H.: Attacking the chor-rivest cryptosystem by improved lattice reduction. In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 1–12. Springer, Heidelberg (1995)CrossRefGoogle Scholar
  63. 63.
    Seysen, M.: Simultaneous reduction of a lattice basis and its reciprocal basis. Combinatorica 13(3), 363–376 (1993)MathSciNetCrossRefMATHGoogle Scholar
  64. 64.
    Shoup, V.: NTL: a library for ng number theory.
  65. 65.
    Storjohann, A.: Faster algorithms for integer lattice basis reduction. Technical Report 249, Swiss Federal Institute of Technology, ETH-Zurich, Department of Computer Science, Zurich, Switzerland, July 1996Google Scholar
  66. 66.
    Vallée, B., Girault, M., Toffin, P.: How to break okamoto’s cryptosystem by reducing lattice bases. In: Günther, C.G. (ed.) EUROCRYPT 1988. LNCS, vol. 330, pp. 281–291. Springer, Heidelberg (1988)CrossRefGoogle Scholar
  67. 67.
    Vallée, B., Vera, A.: Probabilistic analyses of lattice reduction algorithms. In: Nguyen, P.Q., Vallée, B. (eds.) The LLL Algorithm, pp. 71–143. Springer, Heidelberg (2010)Google Scholar
  68. 68.
    van de Pol, J., Smart, N.P.: Estimating key sizes for high dimensional lattice based systems. Cryptology ePrint Archive, Report 2013/630 (2013).
  69. 69.
    Walter, M.: Lattice point enumeration on block reduced bases. In: Lehmann, A., Wolf, S. (eds.) Information Theoretic Security. LNCS, vol. 9063, pp. 269–282. Springer, Heidelberg (2015)Google Scholar
  70. 70.
    Wasserman, L.: All of Nonparametric Statistics. Springer Texts in Statistics. Springer, New York (2006)MATHGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  1. 1.University of CaliforniaSan DiegoUSA

Personalised recommendations