Techniques for Solving Shortest Vector Problem

Lattice-based crypto systems are regarded as secure and believed to be secure even against quantum computers. lattice-based cryptography relies upon problems like the Shortest Vector Problem. Shortest Vector Problem is an instance of lattice problems that are used as a basis for secure cryptographic schemes. For more than 30 years now, the Shortest Vector Problem has been at the heart of a thriving research field and finding a new efficient algorithm turned out to be out of reach. This problem has a great many applications such as optimization, communication theory, cryptography, etc. This paper introduces the Shortest Vector Problem and other related problems such as the Closest Vector Problem. We present the average case and worst case hardness results for the Shortest Vector Problem. Further this work explore efficient algorithms solving the Shortest Vector Problem and present their efficiency. More precisely, this paper presents four algorithms: the Lenstra-Lenstra-Lovasz (LLL) algorithm, the Block Korkine-Zolotarev (BKZ) algorithm, a Metropolis algorithm, and a convex relaxation of SVP. The experimental results on various lattices show that the Metropolis algorithm works better than other algorithms with varying sizes of lattices. Keywords—Lattice; SVP; CVP; post quantum cryptography


I. INTRODUCTION
A lattice an abstract structure defined as the set of all integer linear combinations of some independent vectors in R n . Over the last two centuries, mathematicians have explored the fascinating combinatorial structure of lattices, and it has also been studied from an asymptotic algorithmic viewpoint for at least three decades. Most fundamental problems are not considered to be effectively solvable on lattices. In addition, hardness results suggest that such problems can not be solved by polynomial-time algorithms unless the hierarchy of polynomial-time collapses. Cryptographic constructions based on lattice hold a clear promise for cryptography with strong security proof, as was demonstrated by Ajtai [1], who came up with a construction of cryptographic primitives based on worst-case hardness of certain lattice problems.
Two main important and very closely related hard computational problems used by cryptographers are the Shortest Vector Problem (SVP) and the Closest Vector Problem (CVP). In the former, for a lattice specified by some basis we are supposed to find nontrivial and small nonzero vector (length of vector) in the lattice. The problem CVP is an inhomogeneous variant of SVP, in which given a lattice (specified by some basis) and a vector v, one has to find the vector in L closest to v. The hardness of these problems is partially due to the fact that multiple bases can generate the same lattice. This work presents the best hardness result known for SVP, compares different algorithms solving SVP with respect to their efficiency and optimal solution.

A. Definitions and Related Problems
Let (b 1 , . . . , b n ) be a basis in R n and N a norm on R n .
We are now able to define SVP. For L a lattice, the exact form Shortest Vector Problem, denoted by SV P (L) is as follows.
SV P (L) : Find v ∈ L such that N (v) = λ(L) As it is often the case, we will actually be interested in algorithms solving an approximation of SVP. For γ 1 the approximated form of SV P (L), denoted by SV P γ (L) is SV P γ (L) : Find v ∈ L\{0} such that N (v) γλ(L) Now, a closely related problem is the Closest Vector Problem CV P (L, x), defined for a lattice L ⊂ R n and x ∈ R n as In its exact form. As in the above we can define an approximated problem CV P γ In fact, CV P γ solves SV P γ . Indeed, for i = 1, . . . , n ..n is a solution to SV P γ (L). For we have the following claim: ..,n contains a solution to SV P (L) Proof. Indeed, let x = n i b i be any solution to SV P (L), as N x 2 < N (x) we get that x 2 / ∈ L and there is i ∈ {1, . . . , n} such that n i is odd. Then, x + b i ∈ L i Therefore, the set ..,n contains a element of norm less than or equal to N (x).
When N is the l 2 norm on R n , CV P has another formulation that allows us to use convex optimization techniques. To this end, let B be the matrix given by the basis (b 1 , . . . , b n ) and c a vector in R n . Then, CV P (L, c) is equivalent to This is readily seen by expanding out the quantity Bx − c 2 . Following (ref), we will apply a convex relaxation to this problem to get an efficient randomized algorithm solving CV P γ .
Finally, a last related problem is the Hermite Shortest Vector problem denoted by HSV P . Again, let B ∈ R n×n be the matrix given by (b 1 , . . . , b n ) , for γ 1, HSV P γ (L) is the following problem.
According to a theorem of Minkowski's, HSVP and SV P are in fact closely related. The LLL algorithm described in Section III-A actually solves HSV P γ .

B. Hardness: Average and Worst Case
An interesting feature of lattice problem is there hardness. M.Ajtai in his seminal papers [1], [2] showed in particular that worst-case hardness is related to average-case hardness and that SVP is NP-hard for randomized reductions. This makes lattice problems particularly interesting as basis for crypto systems. Example of such systems are systems of Ajtai and Dwork [3], Goldreich, Goldwasser and Halevi [4], the NTRU cryptosystem [5], and the first fully homomorphic encryption scheme by Gentry [6]. In this section we state a number of hardness results without proofs. For a more precise treatment see also [7]. The main result of worst-case to average case NP-hardness is as follows.
Theorem 1 Suppose there is a randomized polynomial time algorithm A such that for all n, A returns a vector of Λ(X) of length n with probability 1 n O(1) for Λ(X) chosen at random in Λ n,m,q where m = αn log(n) and q = n β for appropriate α, β. Then, there exist a randomized polynomial time algorithm B and constants c 1 , c 2 , c 3 such that for all n, (b 1 , . . . , b n ) basis of R n and L := ⊕Zb i , B performs the following with high probability [3]: 1) Finds a basis {β 1 , . . . , β n } for L such that 2) finds an estimateλ of λ(L) such that, 3) If moreover, L has a n c3 unique shortest vector, finds this vector.
We are now oing to explain the content of this theorem. First of all, we must explain a number of concepts and notation.
Here, . refers to the l 2 -norm.
A randomized algorithm is an algorithm that uses a degree of randomness as part of its process. As such, it does not guarantee success, but the probability of success for a given input size can be computed. A randomized algorithm is said to perform an event with high probability if the probability of this event goes to 1 as the input size goes to +∞ We turn now to the definition of Λ(X). Let n, m, q ∈ N, (Z/qZ) n×m the space of matrices with entries in (Z/qZ), and Ω n,m,q the uniform distribution on (Z/qZ) n×m Now, for any X ∈ (Z/qZ) n×m , set Λ(X) as the lattice {y ∈ Z m | Xy ≡ 0[q]} and Λ n,m,q the space of such lattices. We see Λ n,m,q as a probability space by choosing X according to Ω n,m,q and computing Λ(X). For any X, Λ(X) is indeed a lattice, as q (Z m ) ⊂ Λ(X).
Finally, for c 1 a lattice L endowed with a norm N is said to have a c-unique shortest vector v if the following holds This result is called a worst-case to average case hardness because it links the lack of a polynomial ranodmized algorithm over 'all' lattices to the lack of such algorithm for a small class of lattices, namely Λ n,m,q . We also note that similar results exist for related problems such as CV P . In the following, we list further hardness results.
Theorem 2 SV P is N P -hard under the l ∞ -norm. Moreover, CVP is NP-hard under the l p -norm for all p 1 [8]..

Theorem 3
For all γ, CV P γ is NP-hard under any l p -norm [9].
Building on results by Ajtai [2], Micciancio proved the following.

Finally:
Theorem 5 There is c > 0 such that CVP is NP-hard to approximate within a factor n c log(log(n)) , where n is the dimension of the lattice [11].
Many other results related to hardness exist. We only decided to mention some of the most fundamental ones.

III. SOLVING SVP
This section presents solving SV P and related results. Even though many hardness results have been found, we can still solve approximate SV P within some reasonable constant depending on the input size. Usually, the 'reasonable constant' is not known theoretically to be 'reasonable' but only empirically. For instance, the first algorithm on this list, LLL, is only known to solve SV P within a factor exponential in the input size. However, results with LLL are in practice much better than the bound.

A. Lenstra-Lenstra-Lováz Algorithm
This section presents the Lenstra-Lenstra-Lovász reduction basis algorithm, by Lenstra, Lenstra and Lovász, see [12]. Originally, the purpose of this algorithm is to factor polynomials, we will not consider this problem here.
Moreover, it is important to note that the techniques used were developed by Hermite, Minkowksy and others to study Siegel sets and lattices in algebraic groups. This is why LLL is in fact an algorithm solving HSV P. HSV P and SV P are related thanks to the following results due to Minkowski.
Theorem 6 (Minkowski). Let n ∈ N and L be any lattice in R n , then λ(L) γ n (det(L)) 1 n where γ n is some constant depending only on n. More precisely, γ n is known to satisfy n 2πe γ n n πe This theorem admits a short and elementary proof but can also be seen as a consequence of Minkowski's convex body theorem. For proofs and further details see [13] and [14]. In particular, we get the following important fact.
The Gram-Schmidt orthogonalization method is critical in the LLL algorithm, we briefly recall what this method entails. Let (V, ·, · ) be a vector space endowed with a scalar product and · the l 2 -norm on V given by this scalar product. For any basis (b 1 , . . . , b n ) we define inductively its orthogonalization In the following, we will pay particular attention to the Gram-schmidt coefficients µ i,j := bi,bj b * j 2 for i > j. Moreover, let B * be the matrix with columns the vectors (b * 1 , . . . , b * n ) and L the lattice generated by (b 1 , . . . , b n ) . Then, it is readily seen that vol In order to make use of this observation, we define the following condition.
For the sake of simplicity, we removed the necessary parts that consist in updating the Gram-Schmidt orthogonalization initialization; Require: a basis (b 1 , . . . , b n ) of L and δ ∈ 1 4 ; 1 Ensure: the output basis Algorithm 1: LLL basis reduction algorithm and Gram-Schmidt coefficients. Therefore, the previous algorithm is only a sketch of the Lenstra-Lenstra-Lovász reduction algorithm. Let us now state the main result about this algorithm, namely its complexity and the properties of the output basis.
Theorem 7 Let (b 1 , ..., b n ) be a basis generating a lattice L and δ ∈ 1 4 , 1 . Given these as input, the LLL algorithm terminates in poly d, (1 − δ) −1 , log (max b i ) and the output is a basis (β 1 , . . . , β n ) generating L such that: In particular, for δ = 1 − with e small, the LLL algorithm terminates in poly d, 1 , log (max b i ) time and the output satisfies: Empirically, it has been observed that for large n, that β1 vol(L) 1/6 is around 1.02 n which is a considerable improvement [15].
This result is about how well LLL solves the Hermite Shortest Vector Problem [12]. According to a remark made earlier, we obtain the following result concerning our main interest, the Shortest Vector Problem. Corollary 1. With the same input as above, the output (β 1 , . . . , β n ) satisfies: Or for > 0 small and δ = 1 − we get that: More precisely, we can get the following complexity. www.ijacsa.thesai.org Now, we briefly mention an improvement of LLL due to Schnorr and Euchner, see [16]. In the previous algorithm, when the swap function is applied, instead of swapping b i and b i−1 we apply what Schnorr and Euchner call deep insertions. This entails to inserting b i at the index j where j is the smallest index satisfying: The result of this change is shorter outputs but longer running time.

B. Block Korkine-Zolotarev Algorithm
The Block korkine-Zootarev (BKZ) algorithm is another algorithm solving SV P γ . Even though it also runs in polynomial time, its purpose is to achieve better accuracy than LLL, therefore has longer running time. After breaking down how LLL algorithm works, we could see that it uses an SVP-oracle for lattices in dimension 2 called Gauss's reduction. Given more efficient oracles or higher dimensional SVP -oracles we could hope for a more efficient algorithm. This algorithm was proposed by Schnorr and Euchner in their paper [17].
Along this line of thought, given an SVP-oracle for all dimensions up to some integer k the BKZ algorithm finds a shorter vector than LLL does. Unsurprisingly, running BKZ takes more time than running LLL. Here, there is a clear tradeoff between the shortness of the output and the complexity of the algorithm. Moreover, as of today it is not known theoretically if BKZ terminates in polynomial time, only empirical results are known.
Here, an SV P -oracle is a mean by which we are able to solve the exact SV P . Many techniques were developed to solve SV P, but as one could guess from NP-hardness results, all these methods have at least exponential time complexity. Therefore, it is not deemed feasible to run these algorithms in high dimension. Among such oracles are enumeration algorihtms which are some kind of greedy algorithms that dates back to Pohst [18], sieving techniques which are applications of Monte-carlo methods (just as the next section is) due to Micciancio and Voulgaris in [19], and a method based on Voronoi cells due to the same authors in [20]. Even though these methods have exponential complexity, they can still be used for lattices in reasonably large dimension.
Let us now turn to the exposition of BKZ algorithm. To this end, we first need to define the notion of Korkine-Zolotarev reduced basis and a KZ-reduction algorithm. Suppose we have a SV P -oracle O up to dimension k and, for any basis (b 1 , . . . , b k ) generating a lattice L define π i : R k → span (b 1 , . . . , v i ) ⊥ as the orthogonal projection and is the Gram-Schmidt reduction of (b 1 , . . . , b n ) . (Note that π i (b i ) = b * i .) As for all i there is α i ∈ [−1/2; 1/2] such that α i b ∞ i + b * i+1 ∈ L i we get by an induction argument the following theorem.
Moreover, we have the following KZ-reduction algorithm.

Result: Write here the result initialization;
Require: a basis B = (b 1 , . . . , b n ) for L and a SV P -oracle O for up to k dimensions. Ensure: The output basis is KZ-reduced. m ← c(R) generates L end Algorithm 2: KZ-reduction algorithm Note that step 4 may look as hard as solving CV P but is actually a lot easier thanks to the properties of orthogonal projections. Now, BKZ is as follows. The theoretical complexity computation of this algorithm is not computed, but the following can be proved.
Theorem 10 Given a basis (b 1 , . . . , b n ) generating L and an SV P oracle O for up to k dimensions, the BKZ algorithm outputs a basis (β 1 , . . . , β n ) generating L that satisfies: The next algorithm is a randomized algorithm applying the well-known Metropolis algorithm, a kind of Monte-Carlo method, to lattice problems. For a precise account on this method see for instance [21]. The following Metropolis algorithm is due to Ajitha, Biswas, and Kurur in [22]. This algorithm returns an approximate solution with respect to the euclidean norm, denoted by · .
The search space is defined as follows.
Once again let (b 1 , . . . , b n ) be a matrix of R n , L the lattice it generates and B the matrix given by (b 1 , . . . , b n ).
The main idea behind this Metropolis-Hastings is to work on a bounded set of vectors with integer entries and pair each of these vectors v to a cost c(v) := Bv . If w ∈ L has norm less than or equal to k then w = Bv where v has integer entries bounded above by M = (αn) n , where α = max i,j (|b ij | , k) . Thus, it is enough to look at vectors bounded above by M . As we want to modify the vector step by step, it is interesting to work with more than one vector at a time. Let us now define the Markov chain we will be working on.
Fix parameters k ∈ R, m ∈ N and set M as above. The search space S consists of matrices A := [A | I] with integer entries bounded above by M where A is a n × m matrix and I is the n × n identity matrix. It remains only to describe the transition probability of the Markov chain. We first describe the neighbourhood of a given the state, the actual transition matrix will be described later on in the pseudo-code of the Metropolis-Hastings algorithm.
(i) S is equal to R up to swapping two columns; (ii) S is equal to R up to multiplying a column by -1 (iii) we can get from R to S by r i ← r i ± 2 l r j for any 1 i m, 1 j n + m, i = j Two interesting features of S are: • For any R ∈ S, #N (R ) = O m 2 log(M ) • For any R , S ∈ S, there is a path between R and S of length O(mn log(M )) Let us now turn to the pseudo-code and the actual description of the transition probability.
Here, (p i ) is a probability distribution on N such that there is n 0 ∈ N satisfying p i = 0 for all i n 0 . This algorithm seems to give better results than LLL for lattices in low dimensional vector spaces. However, in higher dimension such methods will have to deal with the following geometric issue, the so-called curse of dimensionality. Let R > > 0 then vol (B R n (R)) vol (B R n (R − )) → n→+∞ 0 Therefore, as n goes to +∞ 'most' of the states of the markov chain built in the Metropolis algorithm will lie in the annulus B R n (R)\B R n (R − ) and the markov chain might take more and more time before hitting any point inside B R n (R − ). For more on related heuristics see [23].

initialization;
Require: a basis B = (b 1 , . . . , b n ) for L and K ∈ Q Ensure: Matrix R with integer entries such that BR has a column c with c K. m ← c(R) while m > K do Select S a neighbour of R by performing one of the following operations.
• Swap two columns with probability Finally, note that a similar method is widely used to solve exact instances of SVP. The version of this algorithm used to solve SV P is called a sieve method and is often used as an SV P -oracle in the BKZ algorithm, see for instance the following paper by Micciancio and Voulgaris [19].

D. Convex Relaxation
This section presents the convex relaxation (see [24] for definitions and results on convex relaxation) to obtain another randomized algorithm to solve CV P γ (thus, SV P γ as well). As mentioned in the first part of this report, CVP γ admits another formulation, more precisely CVP(L, c) is equivalent to Where B be the matrix given by the basis (b 1 , . . . , b n ) and c a vector in R n . A convex relaxation consists in relaxing the hard condition x ∈ Z n to a looser condition so that the problem considered is now a convex optimization problem.
Here, the method is due to Park and Boyd in [25]. The convex relaxation is in this particular case an instance of semidefinite programming, for more on this topic see [26]. We first relax Problem 1 into a non-convex problem So we get the following relaxation.
(4) minimize Now, this is a semi definite relaxation that can be solved in polynomial time.

initialization;
Require f best ← f x (k) end end Algorithm 5: Randomized algorithm for suboptimal solution Where the Cholesky factorisation is an algorithm computing the square root of a positive semidefinite matrix in O n 3 [27].

initialization;
Require: x ∈ Z n , P = B T B, c ∈ R n . g ← 2(P x + c) repeat Find index i and integer a minimizing a 2 P ii + cg i ; Algorithm 6: Greedy descent algorithm This last algorithm runs in polynomial time as well. Combining these two algorithms we get a approximate solution such that for all integer a ∈ Z and all index i, x is a better solution than x + ae i

IV. EXPERIMENTAL RESULTS
This section describes how the said approaches perform on benchmark instances. We see that the output of the LLL algorithm is near to the shortest vector which is 2 n−1 2 of the shortest vector for the given lattice, it can be used for polynomial factoring etc. LLL algorithm complexity is O n 6 · log 3 β , where β is max 1≤i≤n ||b i ||. We ran tests to compare LLL algorithm and BKZ algorithm on data from [22], [21] and [24].
For experimental analysis a class of SVP instances are generated using the techniques developed by Richard Lindner and Michael Schneider [28]. They have given sample bases for Modular, Random, ntru, SWIFT and Dual Modular lattices of dimension 10. We have tested our code for all these instances and found that our algorithm works faster and gives shorter lattice vector when compared to LLL. The tested results are given in the Table I.  A. LLL/BKZ Fig. 1 and Fig. 2 compare the basis reduction algorithms LLL and BKZ for a given family of Lattices parametrized by their dimension. Moreover, BKZ given an enumeration oracle for blocks of size 30. In particular, we see that with these parameters, the BKZ algorithm needs considerably more time to get a slightly shorter vector. To some extent, the LLL algorithm already seems to be efficient. A comparative results for running time of BKZ and LLL algorithms for varying dimension of lattice is given in Fig. 2. For a specific class of lattices [21], we have tested LLL and MH algorithms and the results are shown in Table I. Moreover, these data seem to support the curse of dimensionality heuristic as we can see the times needed to solve cases with large input size is high compared to small input size.

C. Convex Relaxation
The algorithm from [24] returns an approximate solution to CV P shown in Table II. To test their method, they computed solutions for instances randomly generated : all entries ar ∼ N (0, 1) then normalized so that the solution to problem (1) without the integer constraint has value -1. In what follows, n will denote the dimension, opt the percentage of outputs that were optimal solutions and t the time it took to get this output. All values are averages. Because of the N P -hardness of CV P it is hard to compute the quantity opt in higher dimensions. However, the break down of running times of the method for larger n s presented in Table III. In spite of the theoretical running time being O n 3 we can note that the total running time seems to grow subcubically.

V. CONCLUSION
In this paper we have discussed Shortest Vector Problem, Closest Vector Problem and their average case and worst case hardness results. Further, this work presented solving SVP using the LLL algorithm, BKZ algorithm, a Metropolis algorithm and a convex relaxation. We have compared the performance of these algorithms on various lattices by varying input sizes and the results we have obtained are fairly encouraging. The experimental results on various lattices shows that Metropolis algorithm works better than other algorithms.