
A parameter study for LLL and BKZ with application to shortest vector problems

Tobias Köppl, René Zander, Louis Henkel, Nikolay Tcholtchev

TL;DR

This paper investigates solving shortest vector problems (SVPs) that arise when reformulating LWE instances from NIST-style PQC schemes into lattice problems, by applying lattice reduction algorithms (LLL and BKZ) to the embedded lattice. It provides an empirical study across varying problem sizes $n$, moduli $q$, and BKZ block sizes $\beta$, measuring the probability of recovering the LWE secret and the associated runtimes. Key findings show that, for fixed $q$, the success probability decays with increasing $n$, while larger moduli $q$ can increase solvability; BKZ improvements with larger $\beta$ also raise success rates but incur exponential cost, with practical vulnerabilities identified at certain parameter regimes. The results offer guidance for parameter selection in lattice-based cryptography and underscore the need for comprehensive benchmarking tools to assess PQC security against classical and quantum-accelerated attacks.

Abstract

In this work, we study the solution of shortest vector problems (SVPs) arising from learning with errors problems (LWEs). LWEs are linear systems of equations over a modular ring, where a perturbation vector is added to the right-hand side. This type of problem is of great interest, since LWEs have to be solved in order to break lattice-based cryptosystems such as the Module-Lattice-Based Key-Encapsulation Mechanism published by NIST in 2024. For this reason, several classical and quantum-based algorithms have been studied to solve SVPs. Two well-known algorithms that can be used to simplify a given SVP are the Lenstra-Lenstra-Lovász (LLL) algorithm and the Block Korkine-Zolotarev (BKZ) algorithm. LLL and BKZ construct bases that can be used to compute or approximate solutions of the SVP. We study the performance of both algorithms for SVPs with different sizes and modular rings. The application of LLL or BKZ to a given SVP is considered successful if the algorithm produces a basis containing a solution vector of the SVP.

Paper Structure

This paper contains 8 sections, 10 equations, 4 figures.

Figures (4)

  • Figure 1: The probability that the LLL algorithm recovers the secret for varying key length $n$ and modulus $q\in\{71,401,3329\}$. The curves were fitted using a sigmoid function $p_{\rho,\sigma}(n)=1-(1+\exp(\rho-\sigma n))^{-1}$ with parameters $\rho=9.32$, $\sigma=0.35$ for $q=71$, $\rho=17.00$, $\sigma=0.36$ for $q=401$, and $\rho=26.94$, $\sigma=0.38$ for $q=3329$.
  • Figure 2: The maximum key length $n$ for which the probability that the LLL algorithm recovers the secret is at least $50\%$ for varying modulus $q$. The values $n$ are computed as the ratio of the fit parameters $\rho/\sigma$.
  • Figure 3: The average runtime for the BKZ algorithm for varying block size $\beta$ and key size $n$, and modulus $q=401$.
  • Figure 4: The probability that the BKZ algorithm recovers the secret for varying key length $n$ and block size $\beta$, and moduli $q=71$ ((a) top left), $q=401$ ((b) top right), and $q=3329$ ((c) bottom).
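
The threshold rule stated in the caption of Figure 2 follows directly from the sigmoid fit in Figure 1. The derivation below is an added worked example, not taken from the paper; the symbol $n_p$ (the key length at which the fitted success probability equals $p$) is introduced here for illustration, and the numbers are computed only from the fit parameters quoted in the Figure 1 caption.

Solving $p_{\rho,\sigma}(n)=p$ for $n$:

$$
p = 1-\frac{1}{1+e^{\rho-\sigma n}} = \frac{e^{\rho-\sigma n}}{1+e^{\rho-\sigma n}}
\;\Longrightarrow\;
\frac{p}{1-p} = e^{\rho-\sigma n}
\;\Longrightarrow\;
n_p = \frac{\rho-\ln\frac{p}{1-p}}{\sigma}.
$$

For $p=\tfrac12$ the logarithm vanishes, which gives the ratio used in Figure 2:

$$
n_{1/2} = \frac{\rho}{\sigma}:\qquad
q=71:\ \frac{9.32}{0.35}\approx 26.6,\qquad
q=401:\ \frac{17.00}{0.36}\approx 47.2,\qquad
q=3329:\ \frac{26.94}{0.38}\approx 70.9.
$$

The slope of the fitted curve at this point is

$$
\frac{\mathrm{d}p_{\rho,\sigma}}{\mathrm{d}n}\bigg|_{n=n_{1/2}} = -\sigma\,p\,(1-p)\Big|_{p=1/2} = -\frac{\sigma}{4},
$$

so with $\sigma\in[0.35,0.38]$ the fitted LLL success probability falls by roughly $9$ percentage points per additional unit of $n$ near the threshold. Evaluating the same formula at $p=0.01$ (using $\ln 99\approx 4.595$) gives $n_{0.01}=(\rho+\ln 99)/\sigma\approx 39.8$, $60.0$, and $83.0$ for $q=71$, $401$, and $3329$ respectively. These values are read off the fitted curves, not measured results, and they say nothing about BKZ with larger block size $\beta$.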