Analyzing Blockwise Lattice Algorithms Using Dynamical Systems

  • Guillaume Hanrot
  • Xavier Pujol
  • Damien Stehlé
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6841)


Strong lattice reduction is the key element for most attacks against lattice-based cryptosystems. Between the strongest but impractical HKZ reduction and the weak but fast LLL reduction, there have been several attempts to find efficient trade-offs. Among them, the BKZ algorithm introduced by Schnorr and Euchner [FCT’91] seems to achieve the best time/quality compromise in practice. However, no reasonable complexity upper bound is known for BKZ, and Gama and Nguyen [Eurocrypt’08] observed experimentally that its practical runtime seems to grow exponentially with the lattice dimension. In this work, we show that BKZ can be terminated long before its completion, while still providing bases of excellent quality. More precisely, we show that if given as inputs a basis \((b_i)_{i \leq n} \in \mathbb{Q}^{n \times n}\) of a lattice L and a block-size β, and if terminated after \(\Omega\left(\frac{n^3}{\beta^2}(\log n + \log \log \max_i \|{b}_i\|)\right)\) calls to a β-dimensional HKZ-reduction (or SVP) subroutine, then BKZ returns a basis whose first vector has norm \(\leq 2 \nu _{\beta}^{\frac{n-1}{2(\beta-1)}+\frac{3}{2}} \cdot (\det L )^{\frac{1}{n}}\), where \(\nu_{\beta} \leq \beta\) is the maximum of Hermite’s constants in dimensions ≤ β. To obtain this result, we develop a completely new elementary technique based on discrete-time affine dynamical systems, which could lead to the design of improved lattice reduction algorithms.


Keywords: Euclidean lattices, BKZ, lattice-based cryptanalysis


  1. Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: Proc. of STOC, pp. 99–108. ACM, New York (1996)
  2. Ajtai, M., Kumar, R., Sivakumar, D.: A sieve algorithm for the shortest lattice vector problem. In: Proc. of STOC, pp. 601–610. ACM, New York (2001)
  3. Akhavi, A.: Worst-case complexity of the optimal LLL algorithm. In: Gonnet, G.H., Viola, A. (eds.) LATIN 2000. LNCS, vol. 1776, pp. 355–366. Springer, Heidelberg (2000)
  4. Cadé, D., Pujol, X., Stehlé, D.: fplll-3.1, a floating-point LLL implementation,
  5. Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. Journal of Cryptology 10(4), 233–260 (1997)
  6. Gama, N., Howgrave-Graham, N., Koy, H., Nguyên, P.Q.: Rankin’s constant and blockwise lattice reduction. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 112–130. Springer, Heidelberg (2006)
  7. Gama, N., Nguyen, P.Q.: Finding short lattice vectors within Mordell’s inequality. In: Proc. of STOC, pp. 207–216. ACM, New York (2008)
  8. Gama, N., Nguyen, P.Q.: Predicting lattice reduction. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 31–51. Springer, Heidelberg (2008)
  9. Goldreich, O., Goldwasser, S., Halevi, S.: Collision-free hashing from lattice problems. TR96-056 (1996),
  10. Hanrot, G., Pujol, X., Stehlé, D.: Terminating BKZ. Cryptology ePrint Archive (2011),
  11. Hanrot, G., Stehlé, D.: Improved analysis of Kannan’s shortest lattice vector algorithm (extended abstract). In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 170–186. Springer, Heidelberg (2007)
  12. Haviv, I., Regev, O.: Tensor-based hardness of the shortest vector problem to within almost polynomial factors. In: Proc. of STOC, pp. 469–477. ACM, New York (2007)
  13. Hirschhorn, P.S., Hoffstein, J., Howgrave-Graham, N., Whyte, W.: Choosing NTRUEncrypt parameters in light of combined lattice reduction and MITM approaches. In: Abdalla, M., Pointcheval, D., Fouque, P.-A., Vergnaud, D. (eds.) ACNS 2009. LNCS, vol. 5536, pp. 437–455. Springer, Heidelberg (2009)
  14. Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: A ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998)
  15. Kannan, R.: Improved algorithms for integer programming and related lattice problems. In: Proc. of STOC, pp. 99–108. ACM, New York (1983)
  16. Lenstra, A.K., Lenstra Jr., H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261, 515–534 (1982)
  17. Lenstra Jr., H.W.: Flags and lattice basis reduction. In: Proceedings of the Third European Congress of Mathematics, vol. 1. Birkhäuser, Basel (2001)
  18. Lovász, L.: An Algorithmic Theory of Numbers, Graphs and Convexity. CBMS-NSF Regional Conference Series in Applied Mathematics. SIAM, Philadelphia (1986)
  19. Madritsch, M.G., Vallée, B.: Modelling the LLL algorithm by sandpiles. In: López-Ortiz, A. (ed.) LATIN 2010. LNCS, vol. 6034, pp. 267–281. Springer, Heidelberg (2010)
  20. Martinet, J.: Perfect Lattices in Euclidean Spaces. Springer, Heidelberg (2002)
  21. Micciancio, D., Regev, O.: Lattice-based cryptography. In: Bernstein, D.J., Buchmann, J., Dahmen, E. (eds.) Post-Quantum Cryptography, pp. 147–191. Springer, Heidelberg (2009)
  22. Micciancio, D., Voulgaris, P.: A deterministic single exponential time algorithm for most lattice problems based on Voronoi cell computations. In: Proc. of STOC, pp. 351–358. ACM, New York (2010)
  23. Micciancio, D., Voulgaris, P.: Faster exponential time algorithms for the shortest vector problem. In: Proc. of SODA. ACM, New York (2010)
  24. Nguyên, P.Q.: Cryptanalysis of the Goldreich-Goldwasser-Halevi cryptosystem from Crypto’97. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 288–304. Springer, Heidelberg (1999)
  25. Nguyên, P.Q., Stehlé, D.: LLL on the average. In: Hess, F., Pauli, S., Pohst, M. (eds.) ANTS 2006. LNCS, vol. 4076, pp. 238–256. Springer, Heidelberg (2006)
  26. Nguyen, P.Q., Stehlé, D.: An LLL algorithm with quadratic complexity. SIAM J. Comput. 39(3), 874–903 (2009)
  27. Nguyên, P.Q., Stern, J.: The two faces of lattices in cryptology. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 146–180. Springer, Heidelberg (2001)
  28. Nguyen, P.Q., Vallée, B. (eds.): The LLL Algorithm: Survey and Applications. Information Security and Cryptography. Springer, Heidelberg (2009)
  29. Novocin, A., Stehlé, D., Villard, G.: An LLL-reduction algorithm with quasi-linear time complexity. To Appear in the Proceedings of STOC (2011),
  30. Pujol, X., Stehlé, D.: Rigorous and efficient short lattice vectors enumeration. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 390–405. Springer, Heidelberg (2008)
  31. Regev, O.: The learning with errors problem. In: Invited Survey in CCC 2010 (2010),
  32. Schnorr, C.P.: Progress on LLL and lattice reduction. In: [28]
  33. Schnorr, C.P.: A hierarchy of polynomial lattice basis reduction algorithms. Theor. Comput. Science 53, 201–224 (1987)
  34. Schnorr, C.P.: Block reduced lattice bases and successive minima. Combinatorics, Probability and Computing 3, 507–533 (1994)
  35. Schnorr, C.P.: Accelerated slide- and LLL-reduction. Electronic Colloquium on Computational Complexity (ECCC) 11(50) (2011)
  36. Schnorr, C.P., Euchner, M.: Lattice basis reduction: Improved practical algorithms and solving subset sum problems. In: Budach, L. (ed.) FCT 1991. LNCS, vol. 529, pp. 68–85. Springer, Heidelberg (1991)
  37. Schnorr, C.P., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Mathematics of Programming 66, 181–199 (1994)
  38. Schnorr, C.P., Hörner, H.H.: Attacking the Chor-Rivest cryptosystem by improved lattice reduction. In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 1–12. Springer, Heidelberg (1995)
  39. Schönhage, A.: Fast reduction and composition of binary quadratic forms. In: Proceedings of the 1991 International Symposium on Symbolic and Algebraic Computation (ISSAC 1991), pp. 128–133. ACM, New York (1991)
  40. Shoup, V.: NTL, Number Theory C++ Library,
  41. Yap, C.K.: Fast unimodular reduction: planar integer lattices. In: Proceedings of the 1992 Symposium on the Foundations of Computer Science (FOCS 1992), pp. 437–446. IEEE Computer Society Press, Los Alamitos (1992)

Copyright information

© International Association for Cryptologic Research 2011

Authors and Affiliations

  • Guillaume Hanrot (1)
  • Xavier Pujol (1)
  • Damien Stehlé (2)

  1. ÉNS Lyon, Laboratoire LIP (U. Lyon, CNRS, ENS Lyon, INRIA, UCBL), Lyon Cedex 07, France
  2. CNRS, Laboratoire LIP (U. Lyon, CNRS, ENS Lyon, INRIA, UCBL), Lyon Cedex 07, France
