Abstract
Any non-zero ideal in a number field can be factored into a product of prime ideals. In this paper we report a surprising connection between the complexity of the shortest vector problem (SVP) of prime ideals in number fields and their decomposition groups. When applying the result to number fields popular in lattice based cryptosystems, such as power-of-two cyclotomic fields, we show that a majority of rational primes lie under prime ideals admitting a polynomial time algorithm for SVP. Although the shortest vector problem of ideal lattices underpins the security of the Ring-LWE cryptosystem, this work does not break Ring-LWE, since the security reduction is from the worst case ideal SVP to the average case Ring-LWE, and it is one-way.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: Proceedings of the Twenty-Eighth Annual ACM Symposium on the Theory of Computing - STOC, pp. 99–108 (1996). https://doi.org/10.1145/237814.237838
Albrecht, M., Bai, S., Ducas, L.: A subfield lattice attack on overstretched NTRU assumptions. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 153–178. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_6
Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Newhope without reconciliation. IACR Cryptology ePrint Archive 2016/1157 (2016). http://eprint.iacr.org/2016/1157
Bernstein, D.J.: A subfield-logarithm attack against ideal lattices: computing algebraic number theory tackles lattice-based cryptography. The cr.yp.to blog (2014). https://blog.cr.yp.to/20140213-ideal.html
Bernstein, D.J., Chuengsatiansup, C., Lange, T., van Vredendaal, C.: NTRU prime: reducing attack surface at low cost. In: Adams, C., Camenisch, J. (eds.) SAC 2017. LNCS, vol. 10719, pp. 235–260. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-72565-9_12
Biasse, J.-F., Espitau, T., Fouque, P.-A., Gélin, A., Kirchner, P.: Computing generator in cyclotomic integer rings. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 60–88. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_3
Biasse, J., Song, F.: Efficient quantum algorithms for computing class groups and solving the principal ideal problem in arbitrary degree number fields. In: Proceedings of the Twenty-Seventh Annual ACM-SIAM Symposium on Discrete Algorithms, SODA 2016, pp. 893–902 (2016). https://doi.org/10.1137/1.9781611974331.ch64
Bos, J.W., et al.: CRYSTALS - kyber: a CCA-secure module-lattice-based KEM. In: Proceedings of 2018 IEEE European Symposium on Security and Privacy, EuroS&P 2018, pp. 353–367 (2018). https://doi.org/10.1109/EuroSP.2018.00032
Campbell, P., Groves, M., Shepherd, D.: Soliloquy: a cautionary tale. In: Proceedings of 2nd ETSI Quantum-Safe Crypto Workshop, vol. 3, no. 9. pp. 1–9 (2014)
Cheon, J.H., Jeong, J., Changmin, L.: An algorithm for NTRU problems and cryptanalysis of the GGH multilinear map without a low-level encoding of zero. LMS J. Comput. Math. 19(A), 255–266 (2016). https://doi.org/10.1112/S1461157016000371
Cramer, R., Ducas, L., Peikert, C., Regev, O.: Recovering short generators of principal ideals in cyclotomic rings. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 559–585. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_20
Cramer, R., Ducas, L., Wesolowski, B.: Short stickelberger class relations and application to ideal-SVP. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 324–348. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_12
Ducas, L., Plançon, M., Wesolowski, B.: On the shortness of vectors to be found by the ideal-SVP quantum algorithm. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 322–351. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_12
Eisenträger, K., Hallgren, S., Kitaev, A.Y., Song, F.: A quantum algorithm for computing the unit group of an arbitrary degree number field. In: Proceedings of Symposium on Theory of Computing, STOC 2014, pp. 293–302 (2014). https://doi.org/10.1145/2591796.2591860
Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054868
Kirchner, P., Fouque, P.-A.: Revisiting lattice attacks on overstretched NTRU parameters. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 3–26. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_1
Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261(4), 515–534 (1982). https://doi.org/10.1007/BF01457454
Lidl, R., Niederreiter, H.: Finite Fields, Encyclopedia of Mathematics and Its Applications, vol. 20, 2nd edn. Cambridge University Press, Cambridge (1997). https://doi.org/10.1016/s0898-1221(97)84597-x
Lovasz, L.: An Algorithmic Theory of Numbers, Graphs, and Convexity. CBMS-NSF Regional Conference Series in Applied Mathematics, vol. 50. Society for Industrial and Applied Mathematics (1986). https://doi.org/10.1137/1.9781611970203
Lu, X., et al.: LAC: practical Ring-LWE based public-key encryption with byte-level modulus. IACR Cryptology ePrint Archive 2018/1009 (2018). https://eprint.iacr.org/2018/1009
Lyubashevsky, V., Micciancio, D.: Generalized compact knapsacks are collision resistant. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006. LNCS, vol. 4052, pp. 144–155. Springer, Heidelberg (2006). https://doi.org/10.1007/11787006_13
Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1
Marcus, D.A.: Number Fields. Universitext, 2nd edn. Springer, New York (2018). https://doi.org/10.1007/978-1-4684-9356-6
Meyn, H.: Factorization of the cyclotomic polynomials \(x^{2^n} + 1\) over finite fields. Finite Fields Appl. 2, 439–442 (1996). https://doi.org/10.1017/CBO9780511525926
Micciancio, D.: Generalized compact knapsacks, cyclic lattices, and efficient one-way functions from worst-case complexity assumptions. In: Proceedings of 43rd Symposium on Foundations of Computer Science (FOCS 2002), pp. 356–365 (2002). https://doi.org/10.1109/SFCS.2002.1181960
Micciancio, D.: Generalized compact knapsacks, cyclic lattices, and efficient one-way functions. Comput. Complex. 16(4), 365–411 (2007). https://doi.org/10.1007/s00037-007-0234-9
Micciancio, D., Goldwasser, S.: Complexity of Lattice Problems: A Cryptographic Perspective. The Kluwer International Series in Engineering and Computer Science, vol. 671. Kluwer Academic Publishers (2002). https://doi.org/10.1007/978-1-4615-0897-7
Neukirch, J.: Algebraic Number Theory. Grundlehren der mathematischen Wissenschaften, vol. 322, 1st edn. Springer, Heidelberg (1999). https://doi.org/10.1007/978-3-662-03983-0
Smart, N.P., Vercauteren, F.: Fully homomorphic encryption with relatively small key and ciphertext sizes. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 420–443. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13013-7_25
Peikert, C., Regev, O., Stephens-Davidowitz, N.: Pseudorandomness of ring-LWE for any ring and modulus. In: Proceedings of the 49th Annual ACM SIGACT Symposium on Theory of Computing, STOC 2017, pp. 461–473 (2017). https://doi.org/10.1145/3055399.3055489
Peikert, C., Rosen, A.: Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 145–166. Springer, Heidelberg (2006). https://doi.org/10.1007/11681878_8
Pellet-Mary, A., Hanrot, G., Stehlé, D.: Approx-SVP in ideal lattices with pre-processing. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 685–716. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_24
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 1–40 (2009). https://doi.org/10.1145/1568318.1568324. Preliminary version in STOC’05
Schnorr, C., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66, 181–199 (1994). https://doi.org/10.1007/BF01581144
Schnorr, C.P., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66(1–3), 181–199 (1994). https://doi.org/10.1007/BF01581144
Stehlé, D., Steinfeld, R.: Making NTRU as secure as worst-case problems over ideal lattices. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 27–47. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20465-4_4
Stehlé, D., Steinfeld, R., Tanaka, K., Xagawa, K.: Efficient public key encryption based on ideal lattices. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 617–635. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_36
Tschebotareff, N.: Die bestimmung der dichtigkeit einer menge von primzahlen, welche zu einer gegebenen substitutionsklasse gehören. Math. Ann. 95(1), 191–228 (1926). https://doi.org/10.1007/BF01206606
Acknowledgements
We thank the anonymous referees for their valuable suggestions on how to improve this paper. This work is supported by National Key Research and Development Program of China (No. 2020YFA0712300, 2018YFA0704705), National Natural Science Foundation of China (No. 62032009, 61732021, 61572490) for Y. Pan and J. Xu, and National Science Foundation of USA (CCF-1900820) for N. Wadleigh and Q. Cheng.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
A The Subfields of \(\mathbb {Q}(\zeta _{2^n})\)
Now we sketch the subfield lattice of \(\mathbb {Q}(\zeta _{2^{n+1}})\). Consider the three subfields
First we claim \(\mathbb {Q}(\zeta _{2^{n+1}})\) is degree two over each. On the one hand, all are proper subfields since \(\mathbb {Q}(\zeta _{2^{n+1}}+\zeta _{2^{n+1}}^{-1})\) is contained in the fixed field of the automorphism \(\zeta _{2^{n+1}}\mapsto \zeta _{2^{n+1}}^{-1}\), and \(\mathbb {Q}(\zeta _{2^{n+1}}-\zeta _{2^{n+1}}^{-1})\) is in the fixed field of the automorphism \(\zeta _{2^{n+1}}\mapsto -\zeta _{2^{n+1}}^{-1}\). On the other hand, \(\zeta _{2^{n+1}}\) is a root of the quadratic polynomials \(x^2-(\zeta _{2^{n+1}}+\zeta _{2^{n+1}}^{-1})x+1\in \mathbb {Q}(\zeta _{2^n}+\zeta _{2^{n+1}}^{-1})[x]\) and \(~~x^2-(\zeta _{2^{n+1}}-\zeta _{2^{n+1}}^{-1})x-1\in \mathbb {Q}(\zeta _{2^{n+1}}-\zeta _{2^{n+1}}^{-1})[x].\)
Moreover, since the involutions
are distinct, these three subfields are distinct. Finally it is routine to sketch the subgroup lattice of \(\mathbb {Z}_2\oplus \mathbb {Z}_{2^{n-1}}\cong (\mathbb {Z}/2^{n+1}\mathbb {Z})^*\cong \mathrm {Gal}(\mathbb {Q}(\zeta _{2^{n+1}})/\mathbb {Q})\):
Here all lines indicate extensions of index two. Combining these facts we have the subfield lattice for \(\mathbb {Q}(\zeta _{2^n})\):
where all lines indicate extensions of order two.
B Decomposition Groups and Fixed Fields
Let \(\zeta = \zeta _{2^{n+1}}\), p a rational prime with \(p\equiv 3 \pmod { 4 }\), A the natural number with \(2^A|| p+1\), and let \(\mathfrak {p}\) be a prime ideal in \({\mathbb Z}[\zeta ]\) containing p. Then
for some \(\delta \in {\mathbb Z}\). Let \(\sigma \in Aut({\mathbb Q}({\zeta })/{\mathbb Q})\) be the automorphism of \({\mathbb Q}({\zeta })\) with \({\zeta }\mapsto {\zeta }^{-2^A-1}\). Then we have
We have used the fact that \({\zeta }\) is a unit in \({\mathbb Z}[{\zeta }].\)
Since \({\zeta }\mapsto {\zeta }^{-1}\) is an involution, the order of \(\sigma \) is the order of \({\zeta }\mapsto {\zeta }^{2^A+1}\) (denoted by \( {\sigma }' \) ) which is the multiplicative order of \(2^A+1\) in \(({\mathbb Z}/2^{n+1}{\mathbb Z})^*\). We claim that, for \(A\ge 2\), this order is \(2^{n+1-A}\): First note that for \(k\equiv 1\pmod { 4 }\),
if and only if \(2^{n+1}|| k^{2^m}-1\). This fact follows easily from the identity
and the fact that for \(k=2^A+1\), we have \(2|| (k^{2^{g}}+1)\). Now, that the multiplicative order of \(2^A+1\) is \(2^{n+1-A}\) follows from an induction argument using the above identity.
The preceding two paragraphs prove that \({\sigma }\) lies in the decomposition group of \(\mathfrak {p}\) and that \({\sigma }\) has order \(2^{n+1-A}\). It follows from a standard result in the theory of number fields that the decomposition group of \(\mathfrak {p}\) has order \(2^{n+1-A}\). Thus \(\langle {\sigma }\rangle \) is precisely the decomposition group of \(\mathfrak {p}\). Now recall the subfield/subgroup lattice for \({\mathbb Q}({\zeta })/{\mathbb Q}\) and its Galois group \(\mathbb {Z}_{2^{n+1}}^*\). A simple computation shows that \({\sigma }\) fixes \({\zeta }^{2^{n-A}}-{\zeta }^{-2^{n-A} }\). But from the subfield lattice we can see that
Thus \({\mathbb Q}({\zeta }^{2^{n-A}}-{\zeta }^{-2^{n-A} })\) is precisely this fixed field.
A similar, in fact easier, analysis can be carried out for \(p\equiv 1 \pmod {4}\). In this case
for some \(u\in {\mathbb Z}\) and \(2^A||p-1\). Then it is seen that \({\sigma }'\) fixes \(\mathfrak {p}\). As in the \(3 \pmod {4}\) case, we know from a general result of algebraic number theory that the decomposition group of \(\mathfrak {p}\) has order \(2^{n+1-A}\), which matches the order of \(\sigma '\) (computed above). We see that \({\mathbb Q}({\zeta }^{2^{n+1-A} })\) is contained in the fixed field of \(\sigma '\), and again, by looking at the subfield lattice to find \([{\mathbb Q}({\zeta }): {\mathbb Q}({\zeta }^{2^{n+1-A}})] = 2^{n+1-A}\), we see that \({\mathbb Q}({\zeta }^{2^{n+1-A} })\) is precisely the fixed field of the decomposition group of \(\mathfrak {p}\).
Rights and permissions
Copyright information
© 2021 International Association for Cryptologic Research
About this paper
Cite this paper
Pan, Y., Xu, J., Wadleigh, N., Cheng, Q. (2021). On the Ideal Shortest Vector Problem over Random Rational Primes. In: Canteaut, A., Standaert, FX. (eds) Advances in Cryptology – EUROCRYPT 2021. EUROCRYPT 2021. Lecture Notes in Computer Science(), vol 12696. Springer, Cham. https://doi.org/10.1007/978-3-030-77870-5_20
Download citation
DOI: https://doi.org/10.1007/978-3-030-77870-5_20
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-77869-9
Online ISBN: 978-3-030-77870-5
eBook Packages: Computer ScienceComputer Science (R0)