The LLL algorithm (from Lenstra, Lenstra and Lovász) and its generalization BKZ (from Schnorr and Euchner) are widely used in cryptanalysis, especially for lattice-based cryptography. Precisely understanding their behavior is crucial for deriving appropriate key-size for cryptographic schemes subject to lattice-reduction attacks. Current models, e.g. the Geometric Series Assumption and Chen-Nguyen’s BKZ-simulator, have provided a decent first-order analysis of the behavior of LLL and BKZ. However, they only focused on the average behavior and were not perfectly accurate. In this work, we initiate a second order analysis of this behavior. We confirm and quantify discrepancies between models and experiments —in particular in the head and tail regions— and study their consequences. We also provide variations around the mean and correlations statistics, and study their impact. While mostly based on experiments, by pointing at and quantifying unaccounted phenomena, our study sets the ground for a theoretical and predictive understanding of LLL and BKZ performances at the second order.

, , , ,
Lecture Notes in Computer Science
Cryptanalysis of Lattice-based Cryptography
Annual Conference on Selected Areas in Cryptography

Yu, Y, & Ducas, L. (2017). Second order statistical behavior of LLL and BKZ. In Proceedings of the 24th Annual Conference on Selected Areas in Cryptography (pp. 3–22). doi:10.1007/978-3-319-72565-9_1