Paper 2022/1343

Improved Progressive BKZ with Lattice Sieving and a Two-Step Mode for Solving uSVP

Wenwen Xia, Xidian University
Leizhang Wang, Xidian University
GengWang, Shanghai Jiao Tong University
Dawu Gu, Xidian University, Shanghai Jiao Tong University
Baocang Wang, Xidian University

The unique Shortest Vector Problem (uSVP) is one of the core hard problems in lattice-based cryptography. In NIST PQC standardization (Kyber, Dilithium), leaky-LWE-Estimator is used to estimate the hardness of LWE-based cryptosystems by reducing LWE to uSVP and considers the primal attack using Progressive BKZ (ProBKZ). ProBKZ trivially increases blocksize β and lifts the shortest vector in the final BKZ block to find the unique shortest vector in the full lattice. In this paper, we show that a ProBKZ algorithm as above (we call it a BKZ-only mode) is not the best way to solve uSVP. So we present a two-step mode to solve it, where the ProBKZ algorithm is followed by a sieving algorithm with the dimension larger than the blocksize of BKZ. While instantiating our two-step mode with the sieving algorithm Pump and Pump-and-jump BKZ (PnjBKZ) presented in G6K, which are the state-of-art sieving and BKZ implementations, we show that our algorithm is not only better than the BKZ-only mode but also better than the heuristic uSVP solving algorithm in G6K. However, a ProBKZ with the heuristic parameter selection in leaky-LWE-Estimator or the optimized parameter selection in the literature (Yoshinori Aono et al. at Asiacrypt 2016), is insufficient in optimizing the efficiency of a two-step solving algorithm. To find the best param- eters, we design a PnjBKZ simulator which allows the choice of value jump to be more than 1. Based on the newly designed simulator, we give a blocksize and jump strategy selection algorithm, which can achieve the best simulated efficiency in solving uSVP instances. Combining all the things above, we get a new lattice solving algorithm called Improved Progressive PnjBKZ (ProPnjBKZ for short). We test the efficiency of our ProPnjBKZ with the TU Darmstadt LWE Challenge. The experiment result shows that our ProPnjBKZ is 7.6∼12.9 times more efficient than the heuristic uSVP solving algorithm in G6K. Besides, we break the TU Darmstadt LWE Challenges with (n, α) ∈{(40, 0.035), (40, 0.040), (50, 0.025), (55, 0.020), (90, 0.005)}. Finally, we give a newly refined security estimator of LWE. The evaluation results indicate that the concrete hardness of the lattice-based NIST candidate schemes from LWE primal attack will decrease by 1.9∼4.2 bits when using our optimized blocksize and jump selection strategy and two-step solving mode. In addition, when using the list-decoding technology proposed by MATZOV in 2022, it further decreased by 8∼10.7 bits.

Available format(s)
Public-key cryptography
Publication info
cryptanalysislattice reductionuSVP· progressive BKZPnjBKZ Simulatoroptimized blocksize and jump strategy.
Contact author(s)
xiawenwen @ stu xidian edu cn
lzwang_2 @ stu xidian edu cn
wanggxx @ sjtu edu cn
dwgu @ sjtu edu cn
bcwang @ xidian edu cn
2024-06-01: last of 6 revisions
2022-10-08: received
See all versions
Short URL
Creative Commons Attribution


      author = {Wenwen Xia and Leizhang Wang and GengWang and Dawu Gu and Baocang Wang},
      title = {Improved Progressive {BKZ} with Lattice Sieving and a Two-Step Mode for Solving {uSVP}},
      howpublished = {Cryptology ePrint Archive, Paper 2022/1343},
      year = {2022},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.