Shortest Vector from Lattice Sieving: A Few Dimensions for Free

  • Léo Ducas
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10820)


Asymptotically, the best known algorithms for solving the Shortest Vector Problem (SVP) in a lattice of dimension n are sieve algorithms, whose heuristic complexity estimates range from \((4/3)^{n+o(n)}\) down to \((3/2)^{n/2+o(n)}\) when Locality Sensitive Hashing techniques are used. In practice, however, sieve algorithms are outperformed by pruned enumeration algorithms by several orders of magnitude, despite the larger, super-exponential asymptotic complexity \(2^{\varTheta (n \log n)}\) of the latter.

In this work, we show a concrete improvement of sieve-type algorithms. Precisely, we show that a few calls to the sieve algorithm in lattices of dimension less than \(n-d\) solve SVP in dimension n, where \(d = \varTheta (n/\log n)\).
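Why the number of free dimensions is \(\varTheta(n/\log n)\), as an added derivation sketch that is not taken from the paper: a sieve is run in the projection \(\pi_d(L)\) of \(L\) orthogonally to the first \(d\) basis vectors \(b_1,\dots,b_d\), and the question is for which \(d\) the projection \(\pi_d(v)\) of the shortest vector \(v\) still appears in the sieve output (the nearest-plane lift back to \(L\) is not analysed here). Assumptions, all heuristic: the Gaussian heuristic \(\mathrm{gh}(L) = \sqrt{n/(2\pi e)}\,\mathrm{vol}(L)^{1/n}\) with \(\|v\| \approx \mathrm{gh}(L)\); a sieve in a lattice \(L'\) returns every vector of norm at most \(\sqrt{4/3}\,\mathrm{gh}(L')\); \(v\) points in a random direction, so \(\|\pi_d(v)\|^2 \approx \frac{n-d}{n}\|v\|^2\); and the idealization \(\|b_i^*\| = \mathrm{gh}(L)\) for \(i \le d\), where the \(b_i^*\) are the Gram-Schmidt vectors of the basis.

\[
\mathrm{vol}(\pi_d(L)) = \frac{\mathrm{vol}(L)}{\prod_{i \le d}\|b_i^*\|} = \frac{\mathrm{vol}(L)}{\mathrm{gh}(L)^d},
\qquad
\mathrm{gh}(\pi_d(L)) = \sqrt{\tfrac{n-d}{2\pi e}}\;\Bigl(\tfrac{\mathrm{vol}(L)}{\mathrm{gh}(L)^d}\Bigr)^{\frac{1}{n-d}} .
\]

Substituting \(\mathrm{gh}(L)^{-d/(n-d)} = (n/(2\pi e))^{-d/(2(n-d))}\,\mathrm{vol}(L)^{-d/(n(n-d))}\) and collecting the powers of \(\mathrm{vol}(L)\), which combine to \(\mathrm{vol}(L)^{1/n}\):

\[
\frac{\mathrm{gh}(\pi_d(L))}{\mathrm{gh}(L)} = \sqrt{\tfrac{n-d}{n}}\;\Bigl(\tfrac{n}{2\pi e}\Bigr)^{-\frac{d}{2(n-d)}} .
\]

The projection \(\pi_d(v)\) is in the sieve output when \(\|\pi_d(v)\| \le \sqrt{4/3}\,\mathrm{gh}(\pi_d(L))\), i.e.

\[
\sqrt{\tfrac{n-d}{n}}\,\mathrm{gh}(L) \le \sqrt{\tfrac{4}{3}}\,\sqrt{\tfrac{n-d}{n}}\,\Bigl(\tfrac{n}{2\pi e}\Bigr)^{-\frac{d}{2(n-d)}}\mathrm{gh}(L)
\iff
\frac{d}{n-d}\,\ln\frac{n}{2\pi e} \le \ln\frac{4}{3},
\]

so that

\[
d \le \frac{(n-d)\,\ln(4/3)}{\ln\bigl(n/(2\pi e)\bigr)} \approx \frac{n\,\ln(4/3)}{\ln\bigl(n/(2\pi e)\bigr)} = \varTheta\Bigl(\frac{n}{\log n}\Bigr).
\]

The constant \(4/3\) enters only through the sieve's output radius, so the same algebra applies to sieve variants with a different saturation radius.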

Although our improvement is only sub-exponential, its practical effect in relevant dimensions is quite significant. We implemented it on top of a simple sieve algorithm with \((4/3)^{n+o(n)}\) complexity, and it outperforms the best sieve algorithms from the literature by a factor of 10 in dimensions 70–80. It is less than an order of magnitude slower than pruned enumeration in the same range.

By design, this improvement can also be applied to most other variants of sieve algorithms, including LSH sieve algorithms and tuple-sieve algorithms. In this light, we may expect sieve techniques to outperform pruned enumeration in practice in the near future.


Keywords: Cryptanalysis · Lattice Sieving · Nearest-Plane

The author wishes to thank Koen de Boer, Gottfried Herold, Pierre Karman, Elena Kirshanova, Thijs Laarhoven, Marc Stevens and Eamonn Postlethwaite for enlightening conversations on this topic. The author is also extremely grateful to Martin Albrecht and the FPLLL development team for their thorough work on the fplll and fpylll libraries. This work was supported by a Veni Innovational Research Grant from NWO under project number 639.021.645.

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  1. Cryptology Group, CWI, Amsterdam, The Netherlands