What is the most efficient lattice problem solving algorithm?

Question

I've recently become very interested in post-quantum cryptography, specifically lattice-based cryptography. As of this posting there exists no quantum algorithm that can perform better at solving lattice problems than a conventional computer.

There are, however, algorithms that exist that theoretically can solve lattice problems, albeit slowly.

I'd like to study one or more of these algorithms myself to help me better understand lattice cryptography and lattices in general.

So, what is the most efficient lattice problem solving algorithm and why is it so efficient?

Answer 1

The most efficient algorithm for solving lattice problems depends on the specific problem, parameters (e.g., dimension, modulus), and computational regime (classical vs. quantum). However, some of the most prominent and widely studied algorithms are:

1. For Approximate Shortest Vector Problem (SVP) & Learning With Errors (LWE):

• BKZ (Block Korkine-Zolotarev) Algorithm

  • The de facto standard for solving SVP and LWE in practice.
  • Uses enumeration (for small blocks) and sieving (for larger blocks).
  • Best variants: BKZ 2.0 [Chen & Nguyen, 2011], Progressive BKZ, Self-Dual BKZ.
  • Time complexity: ≈ $(2^{0.292n})$ (sieving) or ≈ $(2^{0.39n})$ (enumeration) for dimension (n) (asymptotically).

• Sieve Algorithms (For exact/exponential SVP)

  • AKS Sieve [Ajtai-Kumar-Sivakumar, 2001] – First provable sieve, but impractical.
  • List Sieve [Micciancio & Voulgaris, 2010] – More efficient in practice.
  • GSK (General Sieve Kernel) [Albrecht et al., 2019] – State-of-the-art for high dimensions.
  • Best heuristic complexity: ≈ $(2^{0.292n})$ time & memory (using locality-sensitive hashing).

• Dual Attack (For LWE)

  • Reduces LWE to Bounded Distance Decoding (BDD) via lattice duality.
  • Often combined with BKZ sieving for optimal performance.

2. For Bounded Distance Decoding (BDD) & LWE Decoding:

• Babai’s Nearest Plane Algorithm (For BDD with small error)
  • Polynomial time but only works for very small errors.
• Lindner-Peikert Nearest Planes (Improvement for LWE)
• BDD-to-uSVP Reduction + BKZ Sieving (Best for cryptanalysis).

3. For Worst-Case Lattice Problems (e.g., GapSVP, SIVP):

• LLL Algorithm (Lenstra-Lenstra-Lovász)
  • Polynomial time $(O(n^5))$, but only gives exponential approximations.
  • Used as a subroutine in BKZ.

4. Alternative Approaches (Combinatorial/Algebraic):

• BKW Algorithm (Blum-Kalai-Wasserman)
  • Works for LWE with subexponential time $(2^{O(n/\log n)})$, but requires $(2^{O(n)})$ memory.
  • Outperforms BKZ in low-modulus LWE but impractical for large dimensions.
• Algebraic Attacks (Arora-Ge, Gröbner Basis)
  • Only effective for very small secrets/noise (not competitive in general).

Quantum Speedups

• Grover + Sieving: Quadratic speedup → ≈ $(2^{0.207n})$ (theoretically).
• Kuperberg’s Algorithm: Subexponential for hidden subgroup problems, but not directly applicable to standard lattice problems.

Current Best in Practice

Algorithm	Regime	Time Complexity	Memory	Best For
BKZ + Sieving	Large (n)	$(2^{0.292n})$	$(2^{0.207n})$	General SVP/LWE
GSK Sieve	High (n)	$(2^{0.292n})$	$(2^{0.292n})$	Exact SVP
Dual Attack + BKZ	Cryptanalysis	Depends on (q)	High	LWE
BKW	Low (q)	$(2^{O(n/\log n)})$	$(2^{O(n)})$	Small-modulus LWE

Answer 2

What you want is probably a lattice reduction algorithm.

Lattice cryptography usually relies on the Closest Vector Problem (CVP) or the Shortest Vector Problem (SVP). Solving these involves the Lenstra–Lenstra–Lovász lattice basis reduction algorithm, or LLL. This algorithm is the quintessential lattice reduction algorithm, and is probably what you are looking for. This algorithm is used internally by other algorithms, such as Babai's nearest plane algorithm for CVP.

Note that the LLL algorithm is not able to reduce lattices in higher dimensions, which is the case with practical lattice cryptography. Instead, different algorithms are required, such as BKZ 2.0 for NTRU. However for the purpose of learning about lattice reductions, understanding LLL should be sufficient.