research-article

A Complete Analysis of the BKZ Lattice Reduction Algorithm

Authors: Jianwei Li, Phong Q. NguyenAuthors Info & Claims

Journal of Cryptology, Volume 38, Issue 1

https://doi.org/10.1007/s00145-024-09527-0

Published: 13 December 2024 Publication History

Abstract

We present the first rigorous dynamic analysis of BKZ, the most widely used lattice reduction algorithm besides LLL: we provide guarantees on the quality of the current lattice basis during execution. Previous analyses were either heuristic or only applied to theoretical variants of BKZ, not the real BKZ implemented in software libraries. Our analysis extends to a generic BKZ algorithm where the SVP-oracle is replaced by an approximate oracle and/or the basis update is not necessarily performed by LLL. As an application, we observe that in certain approximation regimes, it is more efficient to use BKZ with an approximate rather than exact SVP-oracle.

References

[1]

M.R. Albrecht, S. Bai, P.-A. Fouque, P. Kirchner, D. Stehlé, W. Wen, Faster enumeration-based lattice reduction: Root Hermite factor

k^{1 / (2 k)}

in time

k^{k / 8 + o (k)}

, in CRYPTO, (2020), pp. 186–212

[2]

M.R. Albrecht, S. Bai, J. Li, J. Rowell, Lattice reduction with approximate enumeration oracles: Practical algorithms and concrete performance, in CRYPTO, (2021), pp. 732–759

[3]

M.R. Albrecht, L. Ducas, Lattice attacks on NTRU and LWE: A history of refinements. https://eprint.iacr.org/2021/799 (2021)

[4]

M.R. Albrecht, L. Ducas, G. Herold, E. Kirshanova, E.W. Postlethwaite, M. Stevens, The general sieve kernel and new records in lattice reduction, in EUROCRYPT, (2019), pp. 717–746

[5]

D. Aggarwal, D. Dadush, O. Regev, N. Stephens-Davidowitz, Solving the shortest vector problem in

2^{n}

time using discrete Gaussian sampling, in STOC, (2015), pp. 733–742

[6]

M. Ajtai, R. Kumar, D. Sivakumar, A sieve algorithm for the shortest lattice vector problem, in STOC, (2001), pp. 601–610

[7]

D. Aggarwal, J. Li, P.Q. Nguyen, N. Stephens-Davidowitz, Slide reduction, revisited — filling the gaps in SVP approximation, in CRYPTO, (2020), pp. 274–295

[8]

Y. Aono, P.Q. Nguyen, Random sampling revisited: Lattice enumeration with discrete pruning, in EUROCRYPT, (2017), pp. 65–102

[9]

Y. Aono, P.Q. Nguyen, T. Seito, J. Shikata, Lower bounds on lattice enumeration with extreme pruning, in CRYPTO, (2018), pp. 608–637

[10]

Y. Aono, Y. Wang, T. Hayashi, T. Takagi, Improved progressive BKZ algorithms and their precise cost estimation by sharp simulator, in EUROCRYPT, (2016), pp. 789–819

[11]

H.F. Blichfeldt, A new principle in the geometry of numbers, with some applications. Trans. Am. Math. Soc.16, 227–235 (1914)

[12]

Blichfeldt HF A new principle in the geometry of numbers, with some applications Trans. Am. Math. Soc. 1914 16 227-235

[13]

Y. Chen, P.Q. Nguyen, BKZ 2.0: better lattice security estimates, in ASIACRYPT, (2011), pp. 1–20

[14]

Conway JH and Sloane NJA Sphere-packings, Lattices, and Groups 1987 Berlin Springer

Digital Library

[15]

L. Ducas, M. Stevens, W. van Woerden, Advanced lattice sieving on GPUs, with tensor cores, in EUROCRYPT, (2021), pp. 249–279

[16]

Dutka J The incomplete beta function: a historical profile Arch. Hist. Exact Sci. 1981 24 11-29

[17]

FPLLL development team. FPLLL, a lattice reduction library. Available at https://github.com/fplll/fplll (2019)

[18]

FPyLLL development team. FPyLLL, a Python interface to FPLLL. Available at https://github.com/fplll/fpylll (2019)

[19]

N. Gama, N. Howgrave-Graham, H. Koy, P.Q. Nguyen, Rankin’s constant and blockwise lattice reduction, in CRYPTO, (2006), pp. 112–130

[20]

N. Gama, P.Q. Nguyen, Finding short lattice vectors within Mordell’s inequality, in STOC, (2008), pp. 207–216

[21]

N. Gama P.Q. Nguyen, Predicting lattice reduction, in EUROCRYPT, (2008) pp. 31–51

[22]

N. Gama, P.Q. Nguyen, O. Regev, Lattice enumeration using extreme pruning, in EUROCRYPT, (2010), pp. 257–278

[23]

G. Hanrot, X. Pujol, D. Stehlé, Analyzing blockwise lattice algorithms using dynamical systems, in CRYPTO, (2011), pp. 447–464. Full version in https://eprint.iacr.org/2011/198.pdf

[24]

G. Hanrot, D. Stehlé. Improved analysis of Kannan’s shortest lattice vector algorithm, in CRYPTO, (2007), pp. 170–186

[25]

G. Hanrot, D. Stehlé. Worst-case Hermite-Korkine-Zolotarev reduced lattice bases. https://arxiv.org/pdf/0801.3331.pdf (2008)

[26]

R. Kannan, Improved algorithms for integer programming and related lattice problems, in STOC, (1983), pp. 193–206

[27]

Kunihiro N and Takayasu A Worst case short lattice vector enumeration on block reduced bases of arbitrary blocksizes Discrete Appl. Math. 2020 277 198-220

Digital Library

[28]

Lenstra AK, Lenstra HW Jr, and Lovász L Factoring polynomials with rational coefficients Math. Ann. 1982 261 366-389

[29]

J. Li, P.Q. Nguyen. Computing a lattice basis revisited, in ISSAC, (2019), pp. 275–282

[30]

Li J and Walter M Improving convergence and practicality of slide-type reductions Inf. Comput. 2023 291 105012

Digital Library

[31]

J. Li, M. Walter. Improving convergence and practicality of slide-type reductions. Inf. Comput.291, 105012 (2023)

[32]

J. Milnor and D. Husemoller. Symmetric bilinear forms. (Springer, Berlin, 1973)

[33]

L.J. Mordell, Observation on the minimum of a positive quadratic form in eight variables. J. London Math. Soc.19, 3–6 (1944)

[34]

Milnor J and Husemoller D Symmetric bilinear forms 1973 Berlin Springer

[35]

Mordell LJ Observation on the minimum of a positive quadratic form in eight variables J. London Math. Soc. 1944 19 3-6

[36]

A. Neumaier, Bounding basis reduction properties. Des. Codes Cryptogr.84, 237–259 (2017)

[37]

A. Neumaier, Private communication. (Jan, 2020)

[38]

Neumaier A Bounding basis reduction properties Des. Codes Cryptogr. 2017 84 237-259

Digital Library

[39]

Newman M Bounds for cofactors and arithmetic minima of quadratic forms J. London Math. Soc. 1963 38 215-217

[40]

A. Neumaier, D. Stehlé, Faster LLL-type reduction of lattice bases, in ISSAC, (2016), pp. 373–380

[41]

M. Pohst, A modification of the LLL reduction algorithm. J. Symbolic Comput.4(1), 123–127 (1987)

[42]

Pohst M A modification of the LLL reduction algorithm J. Symbolic Comput. 1987 4 1 123-127

Digital Library

[43]

C.A. Rogers, The number of lattice points in a set. Proc. Lond. Math. Soc. 3-6 (1956)

[44]

C.P. Schnorr, A hierarchy of polynomial time lattice basis reduction algorithms. Theoret. Comput. Sci.53, 201–224 (1987)

[45]

C.P. Schnorr, M. Euchner, Lattice basis reduction: Improved practical algorithms and solving subset sum problems, in FCT, (1991), pp. 68–85. Full version in Math. Program. (1994)

[46]

Schnorr CP A hierarchy of polynomial time lattice basis reduction algorithms Theoret. Comput. Sci. 1987 53 201-224

[47]

V. Shoup. NTL 11.4.3: Number theory c++ library. http://www.shoup.net/ntl/ (2020)

[48]

Siegel CL A mean value theorem in Geometry of Numbers Ann. of Math. 1945 46 340-347

[49]

J. Wen, X.-W. Chang, On the kz reduction. IEEE Trans. Inf. Theory, 65(3), 1921–1935 (2019)

[50]

Wen J and Chang X-W On the kz reduction IEEE Trans. Inf. Theory 2019 65 3 1921-1935

[51]

Yanai H, Takeuchi K, and Takane Y Projection Matrices, Generalized Inverse Matrices, and Singular Value 2011 Berlin Springer

Index Terms

A Complete Analysis of the BKZ Lattice Reduction Algorithm

Index terms have been assigned to the content through auto-classification.

Recommendations

A Lattice Reduction Algorithm Based on Sublattice BKZ
Provable and Practical Security
Abstract
We present m-SubBKZ reduction algorithm that outputs a reduced lattice basis, containing a vector shorter than the original BKZ. The work is based on the properties of sublattices and the Gaussian Heuristic of the full lattice and sublattices. By ...
Analyzing Pump and Jump BKZ Algorithm Using Dynamical Systems
Post-Quantum Cryptography
Abstract
The analysis of the reduction effort of the lattice reduction algorithm is important in estimating the hardness of lattice-based cryptography schemes. Recently many lattice challenge records have been cracked by using the Pnj-BKZ algorithm which ... ${_{}}_{}$ $_{}$ $(\frac{^{}}{} (_{}_{}_{}_{} \frac{∥_{}^{}∥}{^{}}))$ $_{}$ $∥_{}∥_{}^{\frac{}{}} {()}^{\frac{}{}}$
Analysis of DeepBKZ reduction for finding short lattice vectors
Abstract
Lattice basis reduction is a mandatory tool for solving lattice problems such as the shortest vector problem. The Lenstra–Lenstra–Lovász reduction algorithm (LLL) is the most famous, and its typical improvements are the block Korkine–Zolotarev ...

Comments

Information & Contributors

Information

Published In

cover image Journal of Cryptology

Journal of Cryptology Volume 38, Issue 1

Jan 2025

574 pages

Issue’s Table of Contents

© International Association for Cryptologic Research 2024.

Publisher

Springer-Verlag

Berlin, Heidelberg

Publication History

Published: 13 December 2024

Accepted: 09 October 2024

Revision received: 04 October 2024

Received: 10 April 2023

Author Tags

Qualifiers

Research-article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

0
Total Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 07 Jan 2025

Other Metrics

View Author Metrics

Citations

View Options

View options

Media

Figures

Other

Tables

View Issue’s Table of Contents