Cryptology ePrint Archive: Report 2015/1123

Practical, Predictable Lattice Basis Reduction

Daniele Micciancio and Michael Walter

Abstract: Lattice reduction algorithms are notoriously hard to predict, both in terms of running time and output quality, which poses a major problem for cryptanalysis. While easy to analyze algorithms with good worst-case behavior exist, previous experimental evidence suggests that they are outperformed in practice by algorithms whose behavior is still not well understood, despite more than 30 years of intensive research. This has lead to a situation where a rather complex simulation procedure seems to be the most common way to predict the result of their application to an instance. In this work we present new algorithmic ideas towards bridging this gap between theory and practice. We report on an extensive experimental study of several lattice reduction algorithms, both novel and from the literature, that shows that theoretical algorithms are in fact surprisingly practical and competitive. In light of our results we come to the conclusion that in order to predict lattice reduction, simulation is superfluous and can be replaced by a closed formula using weaker assumptions.

One key technique to achieving this goal is a novel algorithm to solve the Shortest Vector Problem (SVP) in the dual without computing the dual basis. Our algorithm enjoys the same practical efficiency as the corresponding primal algorithm and can be easily added to an existing implementation of it.

Category / Keywords: Lattice Reduction, Enumeration, Duality

Original Publication (with minor differences): IACR-EUROCRYPT-2016

Date: received 19 Nov 2015, last revised 4 Feb 2016

Contact author: miwalter at eng ucsd edu

Available format(s): PDF | BibTeX Citation

Version: 20160204:224235 (All versions of this report)

Short URL: ia.cr/2015/1123

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]