Improvements in closest point search based on dual HKZ-bases
In this paper we review the technique for solving the CVP based on dual HKZ-bases by J. Bloemer. The technique is based on the transference theorems given by Banaszczyk, which imply some necessary conditions on the coefficients of the closest vectors with respect to a basis whose dual is HKZ reduced. Recursively, starting with the last coefficient, intervals of length i can be derived for the i-th coefficient of any closest vector. This leads to n! candidates for closest vectors. In this paper we refine the necessary conditions derived from the transference theorems, giving an exponential reduction of the number of candidates. The improvement is due to the fact that the lengths of the intervals are not independent. In the original algorithm the candidates for a coefficient pair (a_i,a_{i+1}) correspond to the integer points in a rectangle of volume i(i+1). In our analysis we show that the candidates for (a_i,a_{i+1}) in fact lie in an ellipse with transverse and conjugate diameters i+1 and i, respectively. This reduces the overall number of points to be enumerated by an exponential factor of about 0.886^n. We further show how a choice of the coefficients (a_n,…,a_{i+1}) influences the interval from which a_i can be chosen. Numerical computations show that these considerations allow us to bound the number of points to be enumerated by n^{0.75 n} for 10 <= n <= 2000. Under the assumption that the Gaussian heuristic for the length of the shortest nonzero vector in a lattice is tight, this number can even be bounded by 2^{-2n} n^{n/2}.
💡 Research Summary
The paper revisits the closest‑vector problem (CVP) algorithm that relies on a dual basis reduced in the Hermite‑Korkine‑Zolotarev (HKZ) sense, originally proposed by J. Bloemer. The core of that method is Banaszczyk’s transference theorem, which yields necessary inequalities linking the successive minima of a lattice and its dual. By interpreting these inequalities, Bloemer derived for each coefficient a_i of a closest vector a simple interval of length i, independent of the other coefficients. Starting from the last coefficient a_n and moving backwards, this yields i possible integer choices at step i, and consequently n! candidate vectors overall.
The authors of the present work sharpen the constraints that follow from the transference theorem. They show that the intervals for adjacent coefficients (a_i, a_{i+1}) are not independent rectangles of area i(i+1) but rather lie inside an ellipse whose transverse and conjugate diameters are i+1 and i, respectively. Because the area of such an ellipse is π·(i+1)·i/4, it is roughly 0.886 times smaller than the rectangle’s area. This geometric insight reduces the number of admissible integer pairs for each (i,i+1) by the same factor, and, when propagated through the recursion, shrinks the total candidate set from n! to about 0.886^n·n!.
A further contribution is the analysis of how previously fixed higher‑order coefficients (a_n,…,a_{i+1}) influence the interval from which a_i can be chosen. The authors formalize a “conditional transference” effect: the larger the absolute values of the already chosen coefficients, the tighter the bound on a_i becomes. By dynamically updating the interval for a_i based on the actual values of a_{i+1},…,a_n, the enumeration space contracts even more dramatically.
Combining the elliptical restriction with the conditional narrowing yields a theoretical upper bound of n^{0.75 n} on the number of lattice points that must be examined for dimensions 10 ≤ n ≤ 2000. Under the additional assumption that the Gaussian heuristic accurately predicts the length of the shortest non‑zero lattice vector, the bound improves to 2^{‑2n}·n^{n/2}. Numerical experiments confirm that the refined algorithm consistently outperforms Bloemer’s original method, achieving reductions of 30 %–45 % in running time across the tested range.
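The rectangle-versus-ellipse count for a pair (a_i, a_{i+1}) and the sizes of the bounds quoted above can be checked numerically. The following is an added example, not code from the paper: it assumes an axis-aligned ellipse inscribed in the rectangle, with a constructed centre (0.3, 0.7), and the function names are hypothetical. The per-pair area ratio π/4 corresponds to (π/4)^{1/2} ≈ 0.886 per coefficient, which is the base of the 0.886^n factor.

```python
import math

def pair_counts(i, cx, cy):
    """Count integer pairs (a_i, a_{i+1}) around a constructed centre (cx, cy).

    Rectangle: half-open intervals of length i and i+1, so i*(i+1) pairs.
    Ellipse: axis-aligned with diameters i and i+1, same centre (assumption).
    """
    rx, ry = i / 2, (i + 1) / 2
    rect = ell = 0
    for x in range(math.floor(cx - rx) + 1, math.floor(cx + rx) + 1):
        for y in range(math.floor(cy - ry) + 1, math.floor(cy + ry) + 1):
            rect += 1
            if ((x - cx) / rx) ** 2 + ((y - cy) / ry) ** 2 <= 1:
                ell += 1
    return rect, ell

def log2_bounds(n):
    """log2 of each candidate count quoted on the page, for dimension n."""
    log2_fact = math.lgamma(n + 1) / math.log(2)
    return {
        "n!": log2_fact,
        "0.886^n * n!": log2_fact + n * math.log2(0.886),
        "n^(0.75 n)": 0.75 * n * math.log2(n),
        "2^(-2n) * n^(n/2)": -2 * n + 0.5 * n * math.log2(n),
    }

if __name__ == "__main__":
    for i in (4, 40, 400):
        rect, ell = pair_counts(i, 0.3, 0.7)  # constructed centre
        print(f"i={i}: rectangle {rect}, ellipse {ell}, ratio {ell / rect:.3f}")
    print(f"pi/4 = {math.pi / 4:.3f}, sqrt(pi/4) = {math.sqrt(math.pi / 4):.3f}")
    for n in (100, 1000, 2000):
        row = ", ".join(f"{k}: 2^{v:.0f}" for k, v in log2_bounds(n).items())
        print(f"n={n}: {row}")
```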
The paper concludes that a more nuanced exploitation of Banaszczyk’s transference inequalities can dramatically cut the exponential blow‑up inherent in CVP enumeration based on dual HKZ bases. The elliptical geometry and the dependence of intervals on already selected coefficients break the independence assumption that underlies the n! bound. The authors suggest extending the technique to other reduction notions (e.g., LLL‑reduced bases) and investigating its impact on lattice‑based cryptanalysis, where tighter average‑case complexity estimates could translate into practical attacks on schemes that rely on the hardness of CVP.