Nearest Planes in Practice

The learning with errors (LWE) problem is one of the most attractive problems that lattice-based cryptosystems base their security on. Thus, assessing the hardness in theory and practice is of prime importance. Series of work investigated the hardness of LWE from a theoretical point of view. However, it is quite common that in practice one can solve lattice problems much faster than theoretical estimates predict. The most promising approach to solve LWE is the decoding method, which converts an LWE instance to an instance of the closest vector problem (CVP). The latter instance can then be solved by a CVP solver. In this work, we investigate how the nearest planes algorithm proposed by Lindner and Peikert (CT-RSA 2011) performs in practice. This algorithm improves an algorithm by Babai, and is a state-of-the-art CVP solver. We present the rst parallel version of the nearest planes algorithm. Our implementation achieves speedup factors of more than 11x on a machine with four CPU-chips totaling 16 cores. In fact, to the best of our knowledge, there is not even a single parallel implementation publicly available of any LWE solver so far. We also compare our results with heuristics on the running time of a single nearest planes run claimed by Lindner and Peikert and subsequently used by others for runtime estimations.