Faster exponential time algorithms for the shortest vector problem

We present new faster algorithms for the exact solution of the shortest vector problem in arbitrary lattices. Our main result shows that the shortest vector in any $n$-dimensional lattice can be found in time $2^{3.199n}$ (and space $2^{1.325n}$), or in space $2^{1.095n}$ (and still time $2^{O(n)}$). This improves the best previously known algorithm by Ajtai, Kumar and Sivakumar [Proceedings of STOC 2001] which was shown by Nguyen and Vidick [J. Math. Crypto. 2(2):181–207] to run in time $2^{5.9n}$ and space $2^{2.95n}$. We also present a practical variant of our algorithm which provably uses an amount of space proportional to $\tau_n$, the "kissing" constant in dimension $n$. No upper bound on the running time of our second algorithm is currently known, but experimentally the algorithm seems to perform fairly well in practice, with running time $2^{0.52n}$, and space complexity $2^{0.2n}$.
