**Solving shortest and closest vector problems: The decomposition approach**

*Anja Becker, Nicolas Gama and Antoine Joux*

**Abstract: **In this paper, we present a heuristic algorithm for solving exact, as
well as approximate, SVP and CVP for lattices. This algorithm is based
on a new approach which is very different from and complementary to the
sieving technique. This new approach frees us from the kissing number bound and allows us to solve SVP and CVP in lattices of dimension $n$ in time $2^{0.377n}$ using memory $2^{0.292n}$. The key idea is to no longer work with a single lattice but to move the problems around in a tower of related lattices. We initiate the algorithm by sampling very short vectors in a dense overlattice of the original lattice that admits a quasi-orthonormal basis and hence an efficient enumeration of vectors of bounded norm. Taking sums of vectors in the sample, we construct short vectors in the next lattice of our tower. Repeating this, we climb all the way to the top of the tower and finally obtain solution vector(s) in the initial lattice as a sum of vectors of the overlattice just below it. The complexity analysis relies on the Gaussian heuristic. This heuristic is backed by experiments in low and high dimensions that closely reflect these estimates when solving hard lattice problems in the average case.

**Category / Keywords: **foundations / lattice, shortest vector problem, closest vector problem, decomposition technique, structural reduction, sieving

**Date: **received 24 Oct 2013

**Contact author: **anja becker at epfl ch

**Available format(s): **PDF | BibTeX Citation

**Version: **20131024:160733 (All versions of this report)

**Discussion forum: **Show discussion | Start new discussion

[ Cryptology ePrint archive ]