Paper 2021/1428

Non-randomness of S-unit lattices

Daniel J. Bernstein and Tanja Lange


Spherical models of lattices are standard tools in the study of lattice-based cryptography, except for variations in terminology and minor details. Spherical models are used to predict the lengths of short vectors in lattices and the effectiveness of reduction modulo those short vectors. These predictions are consistent with an asymptotic theorem by Gauss, theorems on short vectors in almost all lattices from the invariant distribution, and a variety of experiments in the literature. $S$-unit attacks are a rapidly developing line of attacks against structured lattice problems. These include the quantum polynomial-time attacks that broke the cyclotomic case of Gentry's original STOC 2009 FHE system under minor assumptions, and newer attacks that have broken through various barriers previously claimed for this line of work. $S$-unit attacks take advantage of auxiliary lattices, standard number-theoretic lattices called $S$-unit lattices. Spherical models have recently been applied to these auxiliary lattices to deduce core limits on the power of $S$-unit attacks. This paper shows that these models underestimate the power of $S$-unit attacks: $S$-unit lattices, like the lattice $Z^d$, have much shorter vectors and reduce much more effectively than predicted by these models. The attacker can freely choose $S$ to make the gap as large as desired, breaking through the core limits previously asserted for $S$-unit attacks.

Available format(s)
Public-key cryptography
Publication info
Preprint. Minor revision.
post-quantum cryptographylattice-based cryptographyIdeal-SVPS-unit attacksGaussian heuristicalgorithm analysis
Contact author(s)
authorcontact-spherical @ box cr yp to
2021-10-24: received
Short URL
Creative Commons Attribution


      author = {Daniel J.  Bernstein and Tanja Lange},
      title = {Non-randomness of S-unit lattices},
      howpublished = {Cryptology ePrint Archive, Paper 2021/1428},
      year = {2021},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.