Practical Improvements on BKZ Algorithm

Ziyu Zhao, Jintai Ding

Cyber Security, Cryptology, and Machine Learning (2023)

Abstract
Lattice problems such as NTRU and LWE problems are widely used as the security base of post-quantum cryptosystems. And currently, lattice reduction by the BKZ algorithm is the most efficient way to solve them. In this paper, we give four further improvements on the BKZ algorithm, which can be used for SVP subroutines based on enumeration and sieving. These improvements in combination provide a speed-up of $$2^{3\text{–}4}$$ in total. So all the lattice-based NIST PQC candidates lose 3–4 bits of security in concrete attacks. Using these new techniques, we solved the 656 and 700 dimensional ideal lattice challenges in 380 and 1787 thread hours, respectively. The cost of the first one (also used an enumeration-based SVP subroutine) is much less than the previous records (4600 thread hours). One can still simulate the improved BKZ algorithm to find the blocksize strategy that makes $$\textrm{Pot}$$ of the basis (defined in Sect. 4.2) decrease as fast as possible, which means the length of the first basis vector decreases the fastest if we accept the GSA assumption. It is useful for analyzing concrete attacks on lattice-based cryptography.
Keywords
BKZ algorithm, practical improvements