Probability Redistribution Pruning Method

Updated 24 January 2026

The paper introduces the probability redistribution pruning method to optimize lattice enumeration by systematically allocating pruning radii to maintain a target success probability.
It employs O(n²) algorithms to compute success probability and enumeration cost using truncated simplex volume integrations and cylinder-intersection estimates.
The approach uses spline and modifying-constant interpolation to generate near-optimal pruning curves for practical lattice reduction and BKZ applications.

Probability redistribution pruning, as introduced in the context of lattice enumeration, denotes a family of techniques for optimizing the sequence of pruning coefficients in lattice vector enumeration algorithms. Its motivation is to minimize the expected computational cost while maintaining a specified probability of success in recovering the shortest lattice vector. The central framework is Gama–Nguyen–Regev's Extreme Pruning, which systematically adjusts the bounds on projected lengths at each stage of the search tree, probabilistically allocating the "pruning budget" across enumeration levels to achieve near-optimal performance (Aono, 2014).

1. Lattice Enumeration and Pruning Coefficients

Lattice enumeration for the Shortest Vector Problem (SVP) explores a search tree whose nodes correspond to partial coefficient vectors $(a_n, ..., a_1)$ . Each partial sum $v = \sum_{i=n-k+1}^n a_i b_i$ at depth $k$ is pruned if its projected Euclidean length $\|\pi_{n-k}(v)\|$ exceeds a bound. Probability redistribution pruning utilizes a sequence of non-decreasing pruning coefficients $r = (R_1, ..., R_n)$ with $0 \leq R_1 \leq \cdots \leq R_n = 1$ . A node is pruned at level $k$ if $\|\pi_{n-k}(v)\| > c R_k$ , where $c$ is the search radius, typically set to the Gaussian heuristic estimate for the shortest vector length. Choices of $R_k < 1$ reduce search cost but introduce a failure probability.

2. Probabilistic Analysis of Pruning: Success Probability and Cost

The design of pruning coefficients is grounded in two analytic quantities:

Success Probability: Denoted $P(r)$ , it is the probability that the shortest vector survives all pruning tests,

$P(r) = \Pr_{u \sim c \cdot S^{n-1}}[\forall \ell = 1 ... n : \textstyle\sum_{i=1}^\ell u_i^2 \leq (c R_\ell)^2].$

Under the heuristic that the shortest vector's direction is uniformly random on the $n$ -sphere, this probability equals the measure of the "cylinder-intersection" $C_n(r) = \{x \in \mathbb{R}^n : \sum_{i=1}^\ell x_i^2 \leq R_\ell^2, \forall \ell\}$ within $S^{n-1}$ .

Enumeration Cost: The (expected) number of nodes visited is estimated as

$T(r) \approx \frac{1}{2} \sum_{k=1}^n \frac{c^k C_k(r)}{\prod_{i=n-k+1}^n \|b^*_i\|},$

where $C_k(r)$ are $k$ -dimensional cylinder-intersection volumes, and $\{\|b^*_i\|\}$ is the Gram–Schmidt orthogonalization of the basis.

3. Fast Success-Probability and Enumeration-Cost Computation

Section 3.3 of (Aono, 2014) introduces $O(n^2)$ -time algorithms for computing both $P(r)$ and $T(r)$ .

Success Probability Computation: The exact probability is reduced to volume computations of truncated simplices $\Delta_k(r) = \{y \in \Delta_k: \sum_{i=1}^j y_i \leq R_{2j}^2, j = 1 ... k\}$ . Inductive integration defines polynomials $F_{i,j}(y)$ with recurrence

$F_{i, j}(y) = F_{i, j-1}(y) - h_{i, j-1} (y - b_j)^{i-j+1},$

where $b_j = R_{2j}^2$ and $h_{i,j-1} = F_{j-1, j-1}/(i-j+1)!$ . From $F_{d,0}(y) = y^d/d!$ , the table $F_{i,j}$ is computed in $O(n^2)$ operations. The truncated simplex volume $\Delta_k(r) = F_{k,k}(R_{2k}^2)$ yields $P(r)$ .

Enumeration Cost Computation: For even $k$ , $C_k(r) = V_k(R_k) \cdot k! \cdot \Delta_{k/2}(r)$ , using the volume of the $k$ -ball of radius $R_k$ . For odd $k$ , $C_k(r)$ is bounded by linear interpolation between neighboring even slices. The cost is assembled by summing these terms, terminating early if a partial sum already exceeds the current best cost.

Pseudocode for the overall cost computation routine is provided in the source and is directly implemented as described (Aono, 2014).

4. Optimization of Pruning Coefficients

A core contribution is a practical method for finding near-optimal $r$ for any relevant choice of dimension $n$ , block-size $\delta$ , and target success probability $p_0$ . This is achieved as follows:

For each $(n, \delta, p_0)$ in a grid ( $n \in \{60, 80,..., 200\}$ , etc.), a randomized "perturb-and-modify" search optimizes 16 defining points $s_0, ..., s_{16} \in [0, 1]$ . These anchor points are spline-interpolated to obtain the full sequence $(R_1^2,...,R_n^2)$ and the result is constrained so that $P(r) \geq p_0$ .
The table below illustrates sample optimized defining points for $\delta=1.01$ , $p_0=0.01$ , and $n = 60, ..., 140$ :

$i$	$s_i$ ( $n$ =60)	$s_i$ ( $n$ =80)	$s_i$ ( $n$ =100)	$s_i$ ( $n$ =120)	$s_i$ ( $n$ =140)
0	0.0214	0.01641	0.0324	0.0098	0.1318
1	0.1208	0.1385	0.1270	0.1437	0.1859
...	...	...	...	...	...
16	1.0000	1.0007	1.0000	1.0000	1.0000

Direct use of interpolated $s_i$ may yield $P(r)$ differing from $p_0$ by up to $\sim$ 10%. A “modifying constant” $a\in[0,1]$ is introduced to blend lower and upper probability bounds $L,U$ so that $p_0 \simeq aL + (1-a)U$ . At runtime, the pruning curve is linearly blended between the nearest precomputed tables according to interpolated $a$ .

Empirical error in $P(r)$ after this procedure is $<$ 1% in $O(n)$ computational steps for $n\leq 200$ .

5. Structure and Behavior of Optimized Pruning Curves

Optimized pruning curves $R_k$ as a function of $k/n$ exhibit characteristic features:

For all practical dimensions and $p_0$ , $R_1 \approx 0$ rises slowly up to a "knee" in the interval $k/n \approx 0.2 \dots 0.8$ , then increases sharply to $R_n = 1$ near $k = n$ .
Lower $p_0$ allows for tighter pruning (smaller radii), while higher $p_0$ necessitates less aggressive pruning to guarantee the target probability of success.

6. Practical Implementation of Probability Redistribution Pruning

The procedure for implementing probability redistribution pruning follows directly from the algorithmic description:

Precompute or download the coefficient table for the block-size $\delta$ and target $p_0$ .
For the given lattice dimension $n \leq 200$ , employ spline and modifying-constant interpolation to compute defining points $s_0, ..., s_m$ and corresponding pruning radii, enforcing $0 \leq R_1 \leq ... \leq R_n \leq 1$ .
Compute the search radius $c$ as the Gaussian heuristic $GH(L)$ using Gram-Schmidt lengths.
At each node in enumeration, prune if $\|\pi_{n-k}(v)\| > c R_k$ for depth $k$ .
In dynamic BKZ routines, update the pruning coefficients whenever the basis or block-size changes.
Optionally, validate the empirical survival probability against $p_0$ using random directions on $S^{n-1}$ and make minor adjustments.

The entire workflow leverages the $O(n^2)$ cost-and-probability subroutines and interpolation to generate near-optimal pruning schemes efficiently (Aono, 2014).

7. Significance and Broader Context

Probability redistribution pruning, grounded in the Gama–Nguyen–Regev framework, provides a principled methodology for balancing enumeration cost with success probability in high-dimensional lattice problems. The algorithmic contributions in efficient probability and cost evaluation, as well as interpolation-based coefficient synthesis, enable practical deployment in lattice reduction and SVP solvers, especially in blockwise reduction frameworks like BKZ. The empirically-validated error bounds and rapid runtime underline its relevance for cryptanalytic applications and research on the hardness of lattice problems.

Markdown Report Issue Upgrade to Chat

References (1)

A faster method for computing Gama-Nguyen-Regev's extreme pruning coefficients (2014)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Probability Redistribution Pruning Method.