Sieving for Closest Lattice Vectors (with Preprocessing)

Abstract

Lattice-based cryptography has recently emerged as a prime candidate for efficient and secure post-quantum cryptography. The two main hard problems underlying its security are the shortest vector problem (SVP) and the closest vector problem (CVP). Various algorithms have been studied for solving these problems, and for SVP, lattice sieving currently dominates in terms of the asymptotic time complexity: one can heuristically solve SVP in time (Formula Presented) in high dimensions d [Becker–Ducas–Gama–Laarhoven, SODA’16]. Although several SVP algorithms can also be used to solve CVP, it is not clear whether this also holds for heuristic lattice sieving methods. The best time complexity for CVP is currently (Formula Presented) [Becker–Gama–Joux, ANTS’14]. In this paper we revisit sieving algorithms for solving SVP, and study how these algorithms can be modified to solve CVP and its variants as well. Our first method is aimed at solving one problem instance and minimizes the overall time complexity for a single CVP instance with a time complexity of (Formula Presented). Our second method minimizes the amortized time complexity for several instances on the same lattice, at the cost of a larger preprocessing cost. Using nearest neighbor searching with a balanced space-time tradeoff, with this method we can solve the closest vector problem with preprocessing (CVPP) with (Formula Presented) space and preprocessing, in (Formula Presented) time, while the query complexity can be further reduced to (Formula Presented) at the cost of (Formula Presented) space and preprocessing, or even to (Formula Presented) for arbitrary (Formula Presented), at the cost of preprocessing time and memory complexities of (Formula Presented). For easier variants of CVP, such as approximate CVP and bounded distance decoding (BDD), we further show how the preprocessing method achieves even better complexities. For instance, we can solve approximate CVPP with large approximation factors K with polynomial-sized advice in polynomial time if (Formula Presented). This heuristically closes the gap between the decision-CVPP result of [Aharonov–Regev, FOCS’04] (with equivalent K) and the search-CVPP result of [Dadush–Regev–Stephens-Davidowitz, CCC’14] (which required larger K).