🤖 AI Summary
This work studies the Bounded Distance Decoding (BDD) problem for random lattices with sub-Gaussian generating matrices. We first establish that BDD is NP-hard in the worst case—challenging the long-standing “average-case hardness implies worst-case hardness” paradigm prevalent in lattice-based cryptography. Second, we propose a polynomial-time algorithm based on singular value decomposition (SVD) and probabilistic analysis, which solves BDD exactly with high probability on random instances. Theoretical analysis and empirical evaluation jointly confirm that the algorithm achieves polynomial average-case time complexity and success probability tending to one. To our knowledge, this is the first rigorous demonstration of a separation between worst-case NP-hardness and average-case tractability for any lattice problem. Our results provide new insights into the foundational security assumptions of lattice cryptography and open avenues for efficient algorithm design.
📝 Abstract
The current paper investigates the bounded distance decoding (BDD) problem for ensembles of lattices whose generator matrices have sub-Gaussian entries. We first prove that, for these ensembles, the BDD problem is NP-hard in the worst case. Then, we introduce a polynomial-time algorithm based on singular value decomposition (SVD) and establish, both theoretically and through extensive experiments, that, for a randomly selected lattice from the same ensemble, the algorithm solves the BDD problem with high probability. To the best of our knowledge, this work provides the first example of a lattice problem that is NP-hard in the worst case yet admits a polynomial-time algorithm in the average case.