Skip to main content

Faster Sieving for Shortest Lattice Vectors Using Spherical Locality-Sensitive Hashing

Part of the Lecture Notes in Computer Science book series (LNSC,volume 9230)


Recently, it was shown that angular locality-sensitive hashing (LSH) can be used to significantly speed up lattice sieving, leading to a heuristic time complexity for solving the shortest vector problem (SVP) of \(2^{0.337n + o(n)}\) (and space complexity \(2^{0.208n + o(n)}\). We study the possibility of applying other LSH methods to sieving, and show that with the spherical LSH method of Andoni et al. we can heuristically solve SVP in time \(2^{0.298n + o(n)}\) and space \(2^{0.208n + o(n)}\). We further show that a practical variant of the resulting SphereSieve is very similar to Wang et al.’s two-level sieve, with the key difference that we impose an order on the outer list of centers.


  • Shortest vector problem (svp)
  • Sieving algorithms
  • Nearest neighbor problem
  • Locality-sensitive hashing (lsh)
  • Lattice cryptography

This is a preview of subscription content, access via your institution.

Buying options

USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-319-22174-8_6
  • Chapter length: 18 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
USD   54.99
Price excludes VAT (USA)
  • ISBN: 978-3-319-22174-8
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   69.99
Price excludes VAT (USA)
Fig. 1.


  1. 1.

    A similarity measure D may informally be thought of as a “slightly relaxed” metric, which may not satisfy all properties associated to metrics; see e.g. [21] for details.

  2. 2.

    Technically speaking, [4] uses the Johnson-Lindenstrauss lemma to project n- to \(n_0\)-dimensional vectors with \(n_0 = o(n)\), so that single-exponential costs in \(n_0\) (\(2^{\varTheta (n_0)}\)) are sub-exponential in n (\(2^{o(n)}\)). However, this projection only preserves inter-point distances up to small errors if the length of the list is sufficiently small (\(N = 2^{o(n)}\)), which is not the case in sieving. Moreover, we estimated the potential improvement using Euclidean LSH to be smaller than the improvement we obtain here.

  3. 3.

    In Sect. 3 we will justify why this assumption makes sense in sieving.

  4. 4.

    Note that Andoni et al. sample vectors with average norm \(\sqrt{n}\) instead, which means that everything in our description is scaled by a factor \(\sqrt{n}\).

  5. 5.

    Here “close” means that \(\Vert \varvec{v} - \varvec{w}\Vert \le \gamma R\), which corresponds to \(\theta (\varvec{v}, \varvec{w}) \le 60^{\circ } + o(1)\). Similarly “far away” corresponds to a large angle \(\theta (\varvec{v}, \varvec{w}) > 60^{\circ } + o(1)\).

  6. 6.

    By choosing the order terms in k appropriately, the o(1)-term inside \(w(\theta )\) may be cancelled out, in which case the \(\delta \)-term dominates. Note that the o(1)-term in \(w(\theta )\) can be further controlled by the choice of \(\gamma = 1 - o(1)\).

  7. 7.

    Note that \(\alpha \) is implicitly a function of \(c_t\) as well.


  1. Aggarwal, D., Dadush, D., Regev, O., Stephens-Davidowitz, N.: Solving the shortest vector problem in \(2^n\) time via discrete gaussian sampling. In: STOC (2015)

    Google Scholar 

  2. Ajtai, M.: The shortest vector problem in \(L_2\) is NP-hard for randomized reductions (extended abstract). In: STOC, pp. 10–19 (1998)

    Google Scholar 

  3. Ajtai, M., Kumar, R., Sivakumar, D.: A sieve algorithm for the shortest lattice vector problem. In: STOC, pp. 601–610 (2001)

    Google Scholar 

  4. Andoni, A., Indyk, P.: Near-optimal hashing algorithms for approximate nearest neighbor in high dimensions. In: FOCS, pp. 459–468 (2006)

    Google Scholar 

  5. Andoni, A., Indyk, P., Nguyen, H.L., Razenshteyn, I.: Beyond locality-sensitive hashing. In: SODA, pp. 1018–1028 (2014)

    Google Scholar 

  6. Andoni, A., Razenshteyn, I.: Optimal data-dependent hashing for approximate near neighbors. In: STOC (2015)

    Google Scholar 

  7. Becker, A., Gama, N., Joux, A.: A sieve algorithm based on overlattices. In: ANTS, pp. 49–70 (2014)

    Google Scholar 

  8. Becker, A., Gama, N., Joux, A.: Speeding-up lattice sieving without increasing the memory, using sub-quadratic nearest neighbor search. Cryptology ePrint Archive, Report 2015/522 (2015)

    Google Scholar 

  9. Becker, A., Laarhoven, T.: Efficient sieving on (ideal) lattices using cross-polytopic LSH. (preprint 2015)

    Google Scholar 

  10. Bernstein, D.J., Buchmann, J., Dahmen, E.: Post-Quantum Cryptography. Springer, Heidelberg (2009)

    MATH  CrossRef  Google Scholar 

  11. Bos, J., Naehrig, M., van de Pol, J.: Sieving for shortest vectors in ideal lattices: a practical perspective. Cryptology ePrint Archive, Report 2014/880 (2014)

    Google Scholar 

  12. Charikar, M.S.: Similarity estimation techniques from rounding algorithms. In: STOC, pp. 380–388 (2002)

    Google Scholar 

  13. Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011)

    CrossRef  Google Scholar 

  14. Datar, M., Immorlica, N., Indyk, P., Mirrokni, V.S.: Locality-sensitive hashing scheme based on \(p\)-stable distributions. In: SOCG, pp. 253–262 (2004)

    Google Scholar 

  15. Fincke, U., Pohst, M.: Improved methods for calculating vectors of short length in a lattice. Math. Comput. 44(170), 463–471 (1985)

    MathSciNet  CrossRef  Google Scholar 

  16. Fitzpatrick, R., Bischof, C., Buchmann, J., Dagdelen, Ö., Göpfert, F., Mariano, A., Yang, B.-Y.: Tuning gausssieve for speed. In: Aranha, D.F., Menezes, A. (eds.) LATINCRYPT 2014. LNCS, vol. 8895, pp. 288–305. Springer, Heidelberg (2015)

    Google Scholar 

  17. Gama, N., Nguyen, P.Q., Regev, O.: Lattice enumeration using extreme pruning. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 257–278. Springer, Heidelberg (2010)

    CrossRef  Google Scholar 

  18. Gentry, C.: Fully homomorphic encryption using ideal lattices. In: STOC, pp. 169–178 (2009)

    Google Scholar 

  19. Hanrot, G., Pujol, X., Stehlé, D.: Algorithms for the shortest and closest lattice vector problems. In: Chee, Y.M., Guo, Z., Ling, S., Shao, F., Tang, Y., Wang, H., Xing, C. (eds.) IWCC 2011. LNCS, vol. 6639, pp. 159–190. Springer, Heidelberg (2011)

    CrossRef  Google Scholar 

  20. Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998)

    CrossRef  Google Scholar 

  21. Indyk, P., Motwani, R.: Approximate nearest neighbors: towards removing the curse of dimensionality. In: STOC, pp. 604–613 (1998)

    Google Scholar 

  22. Ishiguro, T., Kiyomoto, S., Miyake, Y., Takagi, T.: Parallel gauss sieve algorithm: solving the SVP challenge over a \(128\)-dimensional ideal lattice. In: PKC, pp. 411–428 (2014)

    Google Scholar 

  23. Kannan, R.: Improved algorithms for integer programming and related lattice problems. In: STOC, pp. 193–206 (1983)

    Google Scholar 

  24. Laarhoven, T.: Sieving for shortest vectors in lattices using angular locality-sensitive hashing. In: CRYPTO (2015)

    Google Scholar 

  25. Laarhoven, T., Mosca, M., van de Pol, J.: Finding shortest lattice vectors faster using quantum search. Des., Codes Crypt. (2015)

    Google Scholar 

  26. Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011)

    CrossRef  Google Scholar 

  27. Mariano, A., Timnat, S., Bischof, C.: Lock-free gausssieve for linear speedups in parallel high performance SVP calculation. In: SBAC-PAD, pp. 278–285 (2014)

    Google Scholar 

  28. Mariano, A., Dagdelen, Ö., Bischof, C.: A comprehensive empirical comparison of parallel listsieve and gausssieve. In: Lopes, L., et al. (eds.) Euro-Par 2014 Workshops. LNCS, pp. 48–59. Springer, Heidelberg (2014)

    Google Scholar 

  29. Mariano, A., Laarhoven, T., Bischof, C.: Parallel (probable) lock-free hashsieve: a practical sieving algorithm for the SVP. In: ICPP (2015)

    Google Scholar 

  30. Micciancio, D.: The shortest vector in a lattice is hard to approximate to within some constant. In: FOCS, pp. 92–98 (1998)

    Google Scholar 

  31. Micciancio, D., Voulgaris, P.: A deterministic single exponential time algorithm for most lattice problems based on voronoi cell computations. In: STOC, pp. 351–358 (2010)

    Google Scholar 

  32. Micciancio, D., Voulgaris, P.: Faster exponential time algorithms for the shortest vector problem. In: SODA, pp. 1468–1480 (2010)

    Google Scholar 

  33. Micciancio, D., Walter, M.: Fast lattice point enumeration with minimal overhead. In: SODA, pp. 276–294 (2015)

    Google Scholar 

  34. Milde, B., Schneider, M.: A parallel implementation of gausssieve for the shortest vector problem in lattices. In: Malyshkin, V. (ed.) PaCT 2011. LNCS, vol. 6873, pp. 452–458. Springer, Heidelberg (2011)

    CrossRef  Google Scholar 

  35. Nguyen, P.Q., Vidick, T.: Sieve algorithms for the shortest vector problem are practical. J. Math. Cryptol. 2(2), 181–207 (2008)

    MATH  MathSciNet  CrossRef  Google Scholar 

  36. Plantard, T., Schneider, M.: Ideal lattice challenge (2014).

  37. Pohst, M.E.: On the computation of lattice vectors of minimal length, successive minima and reduced bases with applications. ACM SIGSAM Bull. 15(1), 37–44 (1981)

    MATH  MathSciNet  CrossRef  Google Scholar 

  38. van de Pol, J., Smart, N.P.: Estimating key sizes for high dimensional lattice-based systems. In: Stam, M. (ed.) IMACC 2013. LNCS, vol. 8308, pp. 290–303. Springer, Heidelberg (2013)

    CrossRef  Google Scholar 

  39. Pujol, X., Stehlé, D.: Solving the shortest lattice vector problem in time \(2^{2.465n}\). Cryptology ePrint Archive, Report 2009/605 (2009)

    Google Scholar 

  40. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: STOC, pp. 84–93 (2005)

    Google Scholar 

  41. Schneider, M.: Analysis of gauss-sieve for solving the shortest vector problem in lattices. In: Katoh, N., Kumar, A. (eds.) WALCOM 2011. LNCS, vol. 6552, pp. 89–97. Springer, Heidelberg (2011)

    CrossRef  Google Scholar 

  42. Schneider, M.: Sieving for shortest vectors in ideal lattices. In: Youssef, A., Nitaj, A., Hassanien, A.E. (eds.) AFRICACRYPT 2013. LNCS, vol. 7918, pp. 375–391. Springer, Heidelberg (2013)

    CrossRef  Google Scholar 

  43. Schneider, M., Gama, N., Baumann, P., Nobach, L.: SVP challenge (2015).

  44. Schnorr, C.-P.: A hierarchy of polynomial time lattice basis reduction algorithms. Theor. Comput. Sci. 53(2), 201–224 (1987)

    MATH  MathSciNet  CrossRef  Google Scholar 

  45. Schnorr, C.-P., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66(2), 181–199 (1994)

    MathSciNet  CrossRef  Google Scholar 

  46. Wang, X., Liu, M., Tian, C., Bi, J.: Improved nguyen-vidick heuristic sieve algorithm for shortest vector problem. In: ASIACCS, pp. 1–9 (2011)

    Google Scholar 

  47. Zhang, F., Pan, Y., Hu, G.: A three-level sieve algorithm for the shortest vector problem. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 29–47. Springer, Heidelberg (2014)

    CrossRef  Google Scholar 

Download references

Author information

Authors and Affiliations


Corresponding author

Correspondence to Thijs Laarhoven .

Editor information

Editors and Affiliations



A Proof of Proposition 1

To prove Proposition 1, we will show how to choose a sequence of parameters \(\{(k_n, t_n)\}_{n \in \mathbb {N}}\) such that for large n, the following holds:

  1. 1.

    The probability that a list vector \(\varvec{w}\) closeFootnote 5 to a target vector \(\varvec{v}\) collides with \(\varvec{v}\) in at least one of the t hash tables is at least constant in n:

    $$\begin{aligned} p_1^* = \mathbb {P}_{\{h_{i,j}\} \subset \mathcal {H}}(\varvec{v}, \varvec{w} \text { collide} \mid \theta (\varvec{v}, \varvec{w}) \le \tfrac{\pi }{3}) \ge 1 - \varepsilon . \quad (\varepsilon \ne \varepsilon (n)) \end{aligned}$$
  2. 2.

    The average probability that a list vector \(\varvec{w}\) far away (See footnote 5) from a target vector \(\varvec{v}\) collides with \(\varvec{v}\) is exponentially small:

    $$\begin{aligned} p_2^* = \mathbb {P}_{\{h_{i,j}\} \subset \mathcal {H}}(\varvec{v}, \varvec{w} \text { collide} \mid \theta (\varvec{v}, \varvec{w}) > \tfrac{\pi }{3}) \le N^{-0.5681 + o(1)}. \end{aligned}$$
  3. 3.

    The number of hash tables grows as \(t = N^{0.4319 + o(1)}\).

This would imply that for each search, the number of candidate vectors is of the order \(N \cdot N^{-0.5681} = N^{0.4319}\). Overall we search the list \(\tilde{O}(N)\) times, so after substituting \(N = (4/3)^{n/2 + o(n)}\) this leads to the following time and space complexities:

  • Time (hashing): \(O(N \cdot t) = 2^{0.2972n + o(n)}\).

  • Time (searching): \(O(N^2 \cdot p_2^*) = 2^{0.2972n + o(n)}\).

  • Space: \(O(N \cdot t) = 2^{0.2972n + o(n)}\).

The next two subsections are dedicated to proving Eqs. (6) and (7).

1.1 A.1 Good Vectors Collide with Constant Probability

The following lemma shows how to choose k (in terms of t) to guarantee that (6) holds.

Lemma 3

Let \(\varepsilon > 0\) and let \(k = 6 n^{-1/2} (\ln t - \ln \ln (1/\varepsilon )) \approx (6 \ln t) / \sqrt{n}\). Then the probability that reducing vectors collide in at least one of the hash tables is at least \(1 - \varepsilon \).


The probability that a reducing vector \(\varvec{w}\) is a candidate vector, given the angle \(\varTheta = \varTheta (\varvec{v}, \varvec{w}) \in (0, \frac{\pi }{3})\), is \(p_1^* = \mathbb {E}_{\varTheta \in (0, \frac{\pi }{3})} \left[ p^*(\varTheta )\right] \), where we recall that \(p^*(\theta ) = 1 - (1 - p(\theta )^k)^t\) and \(p(\theta ) = \mathbb {P}_{h \in \mathcal {H}}[h(\varvec{v}) = h(\varvec{w})]\) is given in Lemma 2. Since \(p^*(\varTheta )\) is strictly decreasing in \(\varTheta \), we can obtain a lower bound by substituting \(\varTheta = \frac{\pi }{3}\) above. Using the bound \(1 - x \le e^{-x}\) which holds for all x, and inserting the given expression for k, we obtain \(p_1^* \ge p^*\left( \tfrac{\pi }{3}\right) = 1 - (1 - \exp (\ln \ln (\tfrac{1}{\varepsilon }) - \ln t))^t = 1 - \left( 1 - \tfrac{\ln (1/\varepsilon )}{t}\right) ^t \ge 1 - \varepsilon \).

1.2 A.2 Bad Vectors Collide with Low Probability

We first recall a lemma about the density of angles between random vectors. In short, the density at an angle \(\theta \) is proportional to \((\sin \theta )^n\).

Lemma 4

[24, Lemma 4] Assuming Heuristic 1 holds, the pdf \(f(\theta )\) of the angle between target vectors and list vectors satisfies

$$\begin{aligned} f(\theta ) = \sqrt{\frac{2n}{\pi }} \ (\sin \theta )^{n-2} \left[ 1 + o(1)\right] = 2^{n\log _2\sin \theta + o(n)}. \end{aligned}$$

The following lemma relates the collision probability \(p_2^*\) of (7) to the parameters k and t. Since Lemma 3 relates k to t, this means that only t ultimately remains to be chosen.

Lemma 5

Suppose \(N = 2^{c_n \cdot n}\) with \(c_n \ge \gamma _1 = \frac{1}{2} \log _2(\frac{4}{3}) \approx 0.2075\), and suppose \(t = 2^{c_t \cdot n}\). Let \(k = \frac{6 \ln t}{\sqrt{n}}(1 - o(1))\). Then, for large n, under Heuristic 1 we have

$$\begin{aligned} p_2^* = \mathbb {P}_{\{h_{i,j}\} \subset \mathcal {H}}(\varvec{v}, \varvec{w} \text { collide} \mid \theta (\varvec{v}, \varvec{w}) > \tfrac{\pi }{3}) \le O(N^{-\alpha }), \end{aligned}$$

where \(\alpha \in (0,1)\) is defined as

$$\begin{aligned} \alpha = \frac{-1}{c_n}\left[ \max _{\theta \in (\frac{\pi }{3}, \frac{\pi }{2})} \left\{ \log _2 \sin \theta - \left( 3 \tan ^2 \left( \frac{\theta }{2}\right) - 1\right) c_t\right\} \right] + o(1). \end{aligned}$$


First, if we know the angle \(\theta \in (\frac{\pi }{3}, \frac{\pi }{2})\) between two bad vectors, then according to Lemma 2 the probability of a collision in at least one of the hash tables is equal to

$$\begin{aligned} p^*(\theta ) = 1 - \left( 1 - \exp \left[ -\frac{k\sqrt{n}}{2} \tan ^2\left( \frac{\theta }{2}\right) (1 + o(1))\right] \right) ^t\!\!. \end{aligned}$$

Letting \(f(\theta )\) denote the density of angles \(\theta \) on \((\frac{\pi }{3}, \frac{\pi }{2})\), we have

$$\begin{aligned} p_2^* = \mathbb {E}_{\varTheta \in (\frac{\pi }{3}, \frac{\pi }{2})}\left[ p^*(\varTheta )\right] = \int _{\pi /3}^{\pi /2} f(\theta ) p^*(\theta ) d\theta . \end{aligned}$$

Substituting \(p^*(\theta )\) and the expression of Lemma 4 for \(f(\theta )\), noting that \(\int _{\pi /3}^{\pi /2} f(\theta ) d\theta \approx \int _0^{\pi /2} f(\theta ) d\theta = 1\), we get

$$\begin{aligned} p_2^* = \int _{\pi /3}^{\pi /2} (\sin \theta )^n \left[ 1 - \left( 1 - \exp \left[ -3 \ln t\tan ^2\left( \tfrac{\theta }{2}\right) (1 + o(1))\right] \right) ^t\right] d\theta . \end{aligned}$$

For convenience, let us write \(w(\theta ) = [-3 \ln t\tan ^2\left( \frac{\theta }{2}\right) (1 + o(1))\). Note that for \(\theta \gg \frac{\pi }{3}\) we have \(w(\theta ) \ll -\ln t\) so that \((1 - \exp w(\theta ))^t \approx 1 - t \exp w(\theta )\), in which case we can simplify the expression between square brackets. However, the integration range includes \(\frac{\pi }{3}\) as well, so to be careful we will split the integration interval at \(\frac{\pi }{3} + \delta \), where \(\delta = \varTheta (n^{-1/2})\). (Note that any value \(\delta \) with \(\frac{1}{n} \ll \delta \ll 1\) suffices.)

$$\begin{aligned} p_2^* = \underbrace{\int _{\pi /3}^{\pi /3 + \delta } f(\theta ) p^*(\theta ) d\theta }_{I_1} + \underbrace{\int _{\pi /3 + \delta }^{\pi /2} f(\theta ) p^*(\theta ) d\theta }_{I_2}. \end{aligned}$$

Bounding \(I_1\). Using \(f(\theta ) \le f(\frac{\pi }{3} + \delta )\), \(p^*(\theta ) \le 1\), and \(\sin (\frac{\pi }{3} + \delta ) = \frac{1}{2} \sqrt{3} \left[ 1 + O(\delta )\right] \) (which follows from a Taylor expansion of \(\sin x\) around \(x = \frac{\pi }{3}\)), we obtain

$$\begin{aligned} I_1 \le \text {poly}(n) \sin ^n(\tfrac{\pi }{3} + \delta ) = \text {poly}(n) (\tfrac{\sqrt{3}}{2})^n \left( 1 + O(\delta )\right) ^n = 2^{-\gamma _1 n + o(n)}. \end{aligned}$$

Bounding \(I_2\). For \(I_2\), our choice of \(\delta \) is sufficient to make the aforementioned approximation workFootnote 6. Thus, for \(I_2\) we obtain the simplified expression

$$\begin{aligned} I_2&\le \text {poly}(n) \int _{\pi /3 + \delta }^{\pi /2} (\sin \theta )^n t \exp \left[ -3 \ln t\tan ^2\left( \frac{\theta }{2}\right) (1 + o(1))\right] d\theta \end{aligned}$$
$$\begin{aligned}&\le \int _{\pi /3}^{\pi /2} 2^{n \log _2 \sin \theta - (3 \tan ^2\left( \frac{\theta }{2}\right) - 1) \log _2 t + o(n)} d\theta . \end{aligned}$$

Note that the integrand is exponential in n and that the exponent \(E(\theta ) = n \log _2 \sin \theta + (-3 \tan ^2 \frac{\theta }{2} - 1) \log _2 t\) is a continuous, differentiable function of \(\theta \). So the asymptotic behavior of the entire integral \(I_2\) is the same as the asymptotic behavior of the integrand’s maximum value:

$$\begin{aligned} \log _2 I_2&\le \max _{\theta \in (\frac{\pi }{3}, \frac{\pi }{2})} \big \{n \log _2 \sin \theta - \left( 3 \tan ^2 \tfrac{\theta }{2} - 1\right) \log _2 t \big \} + o(n). \end{aligned}$$

Bounding \(p_2^* = I_1 + I_2\). Combining (15), (18), and \(c_t = \frac{1}{n} \log _2 t\), we have

$$\begin{aligned} \tfrac{\log _2 p_2^*}{n} \le \max \{-\gamma _1, \ \max _{\theta \in (\frac{\pi }{3}, \frac{\pi }{2})} \{\log _2 \sin \theta - (3 \tan ^2 \tfrac{\theta }{2} - 1) c_t \}\} + o(1). \end{aligned}$$

The assumption \(c_n \ge \gamma _1\) and the definition of \(\alpha \le 1\) now give \(\log _2 p_2^* \le -\alpha c_n n + o(n)\) which completes the proof.

1.3 A.3 Balancing the Parameters

Recall that the overall time and space complexities are given by \(O(N \cdot t) = 2^{(c_n + c_t)n + o(n)}\) (time for hashing), \(O(N^2 \cdot p_2^*) = 2^{(c_n + (1 - \alpha ) c_n)n + o(n)}\) (time for comparing vectors), and \(O(N \cdot t) = 2^{(c_n + c_t)n + o(n)}\) (memory requirement). For the overall time and space complexities \(2^{c_{\text {time}} n}\) and \(2^{c_{\text {space}} n}\) we find

$$\begin{aligned} c_{\text {time}}&= c_n + \max \{c_t, (1 - \alpha ) c_n\} + o(1), \quad c_{\text {space}} = c_n + c_t + o(1). \end{aligned}$$

Further recall that from Nguyen and Vidick’s analysis, we have \(N = (4/3)^{n/2 + o(n)}\) or \(c_n = \gamma _1\). To balance the time complexities of hashing and searching, so that the overall time complexity is minimized, we solve \((1 - \alpha ) \gamma _1 = c_t\) numericallyFootnote 7 for \(c_t\) to obtain the following corollary. Here \(\theta ^*\) denotes the dominant angle \(\theta \) maximizing the expression in (10). Note that the final result takes into account the density at \(\theta = \theta ^*\) as well, and so the result does not simply follow from Lemma 2.

Corollary 1

Taking \(c_t \approx 0.089624\) leads to:

$$\begin{aligned} \theta ^* \approx 0.42540 \pi , \ \alpha \approx 0.56812, \ c_{{\text {time}}} \approx 0.29714, \ c_{{\text {space}}} \approx 0.29714. \end{aligned}$$

Thus, setting \(t \approx 2^{0.08962 n}\) and \(k = \varTheta (\sqrt{n})\), the heuristic time and space complexities of the SphereSieve algorithm are balanced at \(2^{0.29714n + o(n)}\).

1.4 A.4 Trade-Off Between the Space and Time Complexities

Finally, note that \(c_t = 0\) leads to the original Nguyen-Vidick sieve algorithm, while \(c_t \approx 0.089624\) minimizes the heuristic time complexity at the cost of more space. One can obtain a continuous trade-off between these two extremes by considering values \(c_t \in (0, 0.089624)\). Numerically evaluating the resulting complexities for this range of values of \(c_t\) leads to the curve shown in Fig. 1.

Rights and permissions

Reprints and Permissions

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Laarhoven, T., de Weger, B. (2015). Faster Sieving for Shortest Lattice Vectors Using Spherical Locality-Sensitive Hashing. In: Lauter, K., Rodríguez-Henríquez, F. (eds) Progress in Cryptology -- LATINCRYPT 2015. LATINCRYPT 2015. Lecture Notes in Computer Science(), vol 9230. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-22173-1

  • Online ISBN: 978-3-319-22174-8

  • eBook Packages: Computer ScienceComputer Science (R0)