Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Recursive lattice reduction -- A framework for finding short lattice vectors

Divesh Aggarwal, Thomas Espitau, Spencer Peters, Noah Stephens-Davidowitz

TL;DR

The paper introduces a recursive lattice reduction framework that finds short lattice vectors and dense sublattices by recursively reducing to lower-rank instances, avoiding explicit basis-centric descriptions where possible and offering a complementary view to basis reduction.Key contributions include a main HSVP-based reduction that matches state-of-the-art tradeoffs, a DSP-to-SVP reduction that relies on HSVP oracles, an efficient DSP-to-DSP reduction with polynomial-time guarantees, and a computer-aided search that yields practical improvements.The framework leverages duality and intersections to navigate between primal and dual lattices, and it provides two lattice representations (LLL-based and approximate) to control bitlength growth and running time across recursion.Together, these results offer a modular, implementable approach with potential cryptanalytic implications for lattice-based cryptography and open avenues for further unification with classical basis-reduction techniques.

Abstract

We propose a recursive lattice reduction framework for finding short non-zero vectors or dense sublattices of a lattice. The framework works by recursively searching for dense sublattices of dense sublattices (or their duals) with progressively lower rank. When the procedure encounters a recursive call on a lattice $L$ with relatively low rank, we simply use a known algorithm to find a shortest non-zero vector in $L$. This new framework is complementary to basis reduction algorithms, which similarly work to reduce an $n$-dimensional lattice problem with some approximation factor $γ$ to a lower-dimensional exact lattice problem in some lower dimension $k$, with a tradeoff between $γ$, $n$, and $k$. Our framework provides an alternative and arguably simpler perspective. For example, our algorithms can be described at a high level without explicitly referencing any specific basis of the lattice, the Gram-Schmidt orthogonalization, or even projection (though, of course, concrete implementations of algorithms in this framework will likely make use of such things). We present a number of instantiations of our framework. Our main concrete result is an efficient reduction that matches the tradeoff achieved by the best-known basis reduction algorithms. This reduction also can be used to find dense sublattices with any rank $\ell$ satisfying $\min\{\ell,n-\ell\} \leq n-k+1$, using only an oracle for SVP in $k$ dimensions, with slightly better parameters than what was known using basis reduction. We also show a simple reduction with the same tradeoff for finding short vectors in quasipolynomial time, and a reduction from finding dense sublattices of a high-dimensional lattice to this problem in lower dimension. Finally, we present an automated search procedure that finds algorithms in this framework that (provably) achieve better approximations with fewer oracle calls.

Recursive lattice reduction -- A framework for finding short lattice vectors

TL;DR

The paper introduces a recursive lattice reduction framework that finds short lattice vectors and dense sublattices by recursively reducing to lower-rank instances, avoiding explicit basis-centric descriptions where possible and offering a complementary view to basis reduction.Key contributions include a main HSVP-based reduction that matches state-of-the-art tradeoffs, a DSP-to-SVP reduction that relies on HSVP oracles, an efficient DSP-to-DSP reduction with polynomial-time guarantees, and a computer-aided search that yields practical improvements.The framework leverages duality and intersections to navigate between primal and dual lattices, and it provides two lattice representations (LLL-based and approximate) to control bitlength growth and running time across recursion.Together, these results offer a modular, implementable approach with potential cryptanalytic implications for lattice-based cryptography and open avenues for further unification with classical basis-reduction techniques.

Abstract

We propose a recursive lattice reduction framework for finding short non-zero vectors or dense sublattices of a lattice. The framework works by recursively searching for dense sublattices of dense sublattices (or their duals) with progressively lower rank. When the procedure encounters a recursive call on a lattice with relatively low rank, we simply use a known algorithm to find a shortest non-zero vector in . This new framework is complementary to basis reduction algorithms, which similarly work to reduce an -dimensional lattice problem with some approximation factor to a lower-dimensional exact lattice problem in some lower dimension , with a tradeoff between , , and . Our framework provides an alternative and arguably simpler perspective. For example, our algorithms can be described at a high level without explicitly referencing any specific basis of the lattice, the Gram-Schmidt orthogonalization, or even projection (though, of course, concrete implementations of algorithms in this framework will likely make use of such things). We present a number of instantiations of our framework. Our main concrete result is an efficient reduction that matches the tradeoff achieved by the best-known basis reduction algorithms. This reduction also can be used to find dense sublattices with any rank satisfying , using only an oracle for SVP in dimensions, with slightly better parameters than what was known using basis reduction. We also show a simple reduction with the same tradeoff for finding short vectors in quasipolynomial time, and a reduction from finding dense sublattices of a high-dimensional lattice to this problem in lower dimension. Finally, we present an automated search procedure that finds algorithms in this framework that (provably) achieve better approximations with fewer oracle calls.
Paper Structure (40 sections, 21 theorems, 122 equations, 5 figures)

This paper contains 40 sections, 21 theorems, 122 equations, 5 figures.

Table of Contents

  1. Introduction
  2. Basis reduction algorithms
  3. An overview of recursive lattice reduction
  4. A first example
  5. An efficient reduction to a harder problem (and from a harder problem)
  6. Getting an efficient reduction (from either HSVP or DSP) to HSVP!
  7. On using automated search to find such reductions
  8. Representing the lattices in our reductions
  9. Some more context, and the relationship with prior work
  10. On SVP vs. HSVP
  11. Preliminaries
  12. Duality and sublattices
  13. The Densest Sublattice Problem (DSP)
  14. Reducing approximate DSP to DSP
  15. Proof of the theorem
  16. ...and 25 more sections

Key Result

Lemma 3.1

Suppose that $\mathcal{L}'$ of rank $\ell$ is a sublattice of $\mathcal{L}$ of rank $n$. Then $\Pi_{(\mathcal{L}')^\perp}(\mathcal{L})$ is a lattice with rank $n - \ell$, and

Figures (5)

  • Figure 1: A comparison of tradeoffs between the approximation factor $\gamma$ and the running time (measured by the number of HSVP oracle calls $C$) when reducing $\gamma$-HSVP with rank $n = 50$ to $\sqrt{\delta_k}$-HSVP with rank $k = 10$. The blue dotted curve is our recursive DSP to HSVP reduction with nearly optimal parameters chosen by computer search. The red stars show the tradeoff achieved by the recursive reduction of \ref{['theorem:dsp-to-svp']}. The orange curve is an upper bound on the approximation factor obtained by slide reduction from WalConvergenceSlidetypeReductions2021, which we include to provide (rough) context. The blue, orange, and red curves all converge to the green dotted line as the running time grows large.
  • Figure 2: A similar comparison to \ref{['figure:C50']}, but with $n = 100$ and $k = 30$.
  • Figure 3: The first few recursive calls of our recursive DSP to HSVP reduction, with optimal parameters (up to some rather aggressive coarsening) discovered by computer search. Each recursive call is labeled with the input rank $n$, output rank $\ell$, and the budget $C$ (of running time measured in HSVP oracle calls) allocated to the call. The initial parameters $n = 50, \ell = 1, C = 40000$ correspond to the regime of \ref{['figure:C50']} where the approximation factor achieved by the recursive reduction has gotten quite close to its value as $C$ goes to infinity (i.e., where the blue curve has more-or-less merged with the green curve).
  • Figure 4: A comparison of tradeoffs between the approximation factor $\gamma$ and the running time $T$ for solving $\gamma$-HSVP with rank $n = 50$, in the simplified model where we assume that an HSVP oracle call with rank $k$ takes time $2^k$, and we neglect the time taken by all other operations. All curves correspond to our recursive HSVP to HSVP reduction with nearly optimal parameters chosen by computer search. The blue curve is allowed to make HSVP oracle calls with arbitrary rank $k$ (provided $2^k$ is less than its time budget $T$), whereas the others are only allowed to make HSVP oracle calls with a certain fixed rank $k$.
  • Figure 5: A similar comparison to \ref{['figure:T50']}, but with $n = 100$.

Theorems & Definitions (42)

  • Lemma 3.1: MarPerfectLatticesEuclidean2003
  • proof
  • Lemma 3.2
  • proof
  • Lemma 3.3: MarPerfectLatticesEuclidean2003
  • proof
  • Lemma 3.4
  • proof
  • Definition 3.5
  • Corollary 3.6
  • ...and 32 more