Recovering Short Generators of Principal Ideals in Cyclotomic Rings

A handful of recent cryptographic proposals rely on the conjectured hardness of the following problem in the ring of integers of a cyclotomic number field: given a basis of a principal ideal that is guaranteed to have a "rather short" generator, find such a generator. Recently, Bernstein and Campbell-Groves-Shepherd sketched potential attacks against this problem; most notably, the latter authors claimed a polynomial-time quantum algorithm. Alternatively, replacing the quantum component with an algorithm of Biasse and Fieker would yield a classical subexponential-time algorithm. A key claim of Campbell et al. is that one step of their algorithm, namely decoding the log-unit lattice of the ring to recover a short generator from an arbitrary one, is classically efficient, whereas the standard approach on general lattices takes exponential time. However, very few convincing details were provided to substantiate this claim. In this work, we clarify the situation by giving a rigorous proof that the log-unit lattice is indeed efficiently decodable, for any cyclotomic of prime-power index. Combining this with the quantum algorithm from a recent work of Biasse and Song confirms the main claim of Campbell et al. Our proof consists of two main technical contributions: the first is a geometrical analysis, using tools from analytic number theory, of the standard generators of the group of cyclotomic units. The second shows that for a wide class of typical distributions of the short generator, a standard lattice-decoding algorithm can recover it, given any generator. By extending our geometrical analysis, as a second main contribution we obtain an efficient algorithm that, given any generator of a principal ideal in a prime-power cyclotomic, finds a $$2^{\tilde{O}(\sqrt{n})}$$-approximate shortest vector in the ideal. Combining this with the result of Biasse and Song yields a quantum polynomial-time algorithm for the $$2^{\tilde{O}(\sqrt{n})}$$-approximate Shortest Vector Problem on principal ideal lattices.
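The log-unit decoding step described above, worked through as an added toy example (not the paper's code) for the prime cyclotomic p = 13: a constructed short generator g = 3 + ζ is hidden behind a product of the standard cyclotomic units b_j = (ζ^j − 1)/(ζ − 1) with known exponents, and g is recovered by round-off decoding Log(g') against the basis Log(b_2), …, Log(b_6). The coefficient-list representation of Z[ζ], the small Gauss-Jordan solver and the planted exponents are assumptions made here for the illustration.

```python
"""Round-off decoding in the log-unit lattice of Q(zeta_P), P prime: constructed toy, not the paper's code.
Elements of Z[zeta_P] are integer coefficient lists for zeta^0..zeta^(P-1), reduced mod zeta^P - 1 and
normalised so the zeta^(P-1) coefficient is 0 (a canonical representative mod the cyclotomic polynomial)."""
import cmath, math
P, M = 13, 6                     # prime index P, M = (P-1)/2 embeddings up to complex conjugation
def norm(c):                     # canonical representative: zeta^(P-1) = -(1 + zeta + ... + zeta^(P-2))
    return [x - c[P - 1] for x in c]
def mul(a, b):                   # product in Z[zeta_P]: cyclic convolution mod zeta^P - 1, then normalise
    c = [0] * P
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % P] += ai * bj
    return norm(c)
def cyc_unit(j):                 # b_j = (zeta^j - 1)/(zeta - 1) = 1 + zeta + ... + zeta^(j-1), j = 2..M
    return norm([1 if t < j else 0 for t in range(P)])
def cyc_unit_inv(j):             # b_j^-1 = (zeta - 1)/(zeta^j - 1) = sum_{t < j'} zeta^(t*j), j' = j^-1 mod P
    v = [0] * P
    for t in range(pow(j, -1, P)):
        v[(t * j) % P] += 1
    return norm(v)
def log_embed(a):                # Log(a) = (log|sigma_k(a)|)_{k=1..M}, sigma_k(zeta) = exp(2 pi i k / P)
    return [math.log(abs(sum(c * cmath.exp(2j * math.pi * k * i / P) for i, c in enumerate(a))))
            for k in range(1, M + 1)]
def solve(A, y):                 # Gauss-Jordan elimination with partial pivoting for a small system A x = y
    n = len(y)
    A = [row + [yi] for row, yi in zip(A, y)]
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(A[r][c]))
        A[c], A[piv] = A[piv], A[c]
        for r in range(n):
            if r != c:
                f = A[r][c] / A[c][c]
                A[r] = [x - f * z for x, z in zip(A[r], A[c])]
    return [A[i][n] / A[i][i] for i in range(n)]
def apply_unit(g, exps, sign=1): # multiply g by prod_j b_j^(sign * e_j), j = 2..M, using the exact inverses
    for j, ej in zip(range(2, M + 1), exps):
        for _ in range(abs(ej)):
            g = mul(g, cyc_unit(j) if sign * ej > 0 else cyc_unit_inv(j))
    return g
def decode(gprime):              # g' = g*u: round off Log(g') against Log(b_2..b_M), then divide u out
    basis = [log_embed(cyc_unit(j)) for j in range(2, M + 1)]
    t = log_embed(gprime)
    t = [x - sum(t) / M for x in t]           # drop the all-ones direction: it carries the ideal's norm, not u
    gram = [[sum(x * y for x, y in zip(bi, bj)) for bj in basis] for bi in basis]
    e = [round(c) for c in solve(gram, [sum(x * y for x, y in zip(bi, t)) for bi in basis])]
    return e, apply_unit(gprime, e, -1)   # exact whenever Log(g) has all dual-basis coordinates below 1/2
def demo():                      # hide the constructed short generator g = 3 + zeta behind a known unit
    g = norm([3, 1] + [0] * (P - 2))
    planted = [1, -2, 0, 3, -1]  # constructed exponents of b_2, ..., b_6
    e, recovered = decode(apply_unit(g, planted))
    return planted, e, g, recovered
```

Rounding succeeds here because Log(3 + ζ) is short relative to the dual basis of Log(b_2), …, Log(b_6); a generator with a larger spread of embedding sizes would round to the wrong unit, which is exactly the condition on the short generator's distribution that the abstract refers to.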
