On the Ideal Shortest Vector Problem over Random Rational Primes

Abstract

Any non-zero ideal in a number field can be factored into a product of prime ideals. In this paper we report a surprising connection between the complexity of the shortest vector problem (SVP) of prime ideals in number fields and their decomposition groups. When applying the result to number fields popular in lattice based cryptosystems, such as power-of-two cyclotomic fields, we show that a majority of rational primes lie under prime ideals admitting a polynomial time algorithm for SVP. Although the shortest vector problem of ideal lattices underpins the security of the Ring-LWE cryptosystem, this work does not break Ring-LWE, since the security reduction is from the worst case ideal SVP to the average case Ring-LWE, and it is one-way.

Appendices

A The Subfields of \(\mathbb {Q}(\zeta _{2^n})\)

Now we sketch the subfield lattice of \(\mathbb {Q}(\zeta _{2^{n+1}})\). Consider the three subfields

$$\mathbb {Q}(\zeta _{2^{n+1}}+\zeta _{2^{n+1}}^{-1}),~\mathbb {Q}(\zeta _{2^{n}}),~\mathbb {Q}(\zeta _{2^{n+1}}-\zeta _{2^{n+1}}^{-1}).$$

First we claim \(\mathbb {Q}(\zeta _{2^{n+1}})\) is degree two over each. On the one hand, all are proper subfields since \(\mathbb {Q}(\zeta _{2^{n+1}}+\zeta _{2^{n+1}}^{-1})\) is contained in the fixed field of the automorphism \(\zeta _{2^{n+1}}\mapsto \zeta _{2^{n+1}}^{-1}\), and \(\mathbb {Q}(\zeta _{2^{n+1}}-\zeta _{2^{n+1}}^{-1})\) is in the fixed field of the automorphism \(\zeta _{2^{n+1}}\mapsto -\zeta _{2^{n+1}}^{-1}\). On the other hand, \(\zeta _{2^{n+1}}\) is a root of the quadratic polynomials \(x^2-(\zeta _{2^{n+1}}+\zeta _{2^{n+1}}^{-1})x+1\in \mathbb {Q}(\zeta _{2^n}+\zeta _{2^{n+1}}^{-1})[x]\) and \(~~x^2-(\zeta _{2^{n+1}}-\zeta _{2^{n+1}}^{-1})x-1\in \mathbb {Q}(\zeta _{2^{n+1}}-\zeta _{2^{n+1}}^{-1})[x].\)

Moreover, since the involutions

$$\zeta _{2^{n+1}}\mapsto \zeta _{2^{n+1}}^{-1}, ~\zeta _{2^{n+1}}\mapsto \zeta _{2^{n+1}}^{2^{n-1}+1},~\zeta _{2^{n+1}}\mapsto -\zeta _{2^{n+1}}^{-1}$$

are distinct, these three subfields are distinct. Finally it is routine to sketch the subgroup lattice of \(\mathbb {Z}_2\oplus \mathbb {Z}_{2^{n-1}}\cong (\mathbb {Z}/2^{n+1}\mathbb {Z})^*\cong \mathrm {Gal}(\mathbb {Q}(\zeta _{2^{n+1}})/\mathbb {Q})\):

Here all lines indicate extensions of index two. Combining these facts we have the subfield lattice for \(\mathbb {Q}(\zeta _{2^n})\):

where all lines indicate extensions of order two.

B Decomposition Groups and Fixed Fields

Let \(\zeta = \zeta _{2^{n+1}}\), p a rational prime with \(p\equiv 3 \pmod { 4 }\), A the natural number with \(2^A|| p+1\), and let \(\mathfrak {p}\) be a prime ideal in \({\mathbb Z}[\zeta ]\) containing p. Then

$$\mathfrak {p} = (p,~ {\zeta }^{2^{n-A+1}}+ \delta {\zeta }^{2^{n-A}}-1)$$

for some \(\delta \in {\mathbb Z}\). Let \(\sigma \in Aut({\mathbb Q}({\zeta })/{\mathbb Q})\) be the automorphism of \({\mathbb Q}({\zeta })\) with \({\zeta }\mapsto {\zeta }^{-2^A-1}\). Then we have

$$\begin{aligned} {\sigma }\mathfrak {p}&= (p, ~ {\sigma }({\zeta })^{2^{n-A+1}}+ \delta {\sigma }({\zeta })^{2^{n-A}}-1)\\&=(p, ~{\zeta }^{2^{n-A+1}(-2^{A}-1)}+ \delta {\zeta }^{2^{n-A}(-2^{A}-1)}-1)\\&=(p, ~{\zeta }^{-2^{n+1}}{\zeta }^{-2^{n-A+1}}+ \delta {\zeta }^{-2^{n}}{\zeta }^{-2^{n-A}}-1)\\&=(p, ~{\zeta }^{-2^{n-A+1}}- \delta {\zeta }^{-2^{n-A}}-1)\\&=(p,~-{\zeta }^{-2^{n-A+1}}\cdot ({\zeta }^{2^{n-A+1}}+ \delta {\zeta }^{2^{n-A}}-1))\\&=\mathfrak {p}. \end{aligned}$$

We have used the fact that \({\zeta }\) is a unit in \({\mathbb Z}[{\zeta }].\)

Since \({\zeta }\mapsto {\zeta }^{-1}\) is an involution, the order of \(\sigma \) is the order of \({\zeta }\mapsto {\zeta }^{2^A+1}\) (denoted by \( {\sigma }' \) ) which is the multiplicative order of \(2^A+1\) in \(({\mathbb Z}/2^{n+1}{\mathbb Z})^*\). We claim that, for \(A\ge 2\), this order is \(2^{n+1-A}\): First note that for \(k\equiv 1\pmod { 4 }\),

$$\mathrm {ord}_{({\mathbb Z}/{2^{n+1}}{\mathbb Z})^*}(k)=2^m$$

if and only if \(2^{n+1}|| k^{2^m}-1\). This fact follows easily from the identity

$$k^{2^{g+1}}-1= (k^{2^{g}}-1) (k^{2^{g}}+1)$$

and the fact that for \(k=2^A+1\), we have \(2|| (k^{2^{g}}+1)\). Now, that the multiplicative order of \(2^A+1\) is \(2^{n+1-A}\) follows from an induction argument using the above identity.

The preceding two paragraphs prove that \({\sigma }\) lies in the decomposition group of \(\mathfrak {p}\) and that \({\sigma }\) has order \(2^{n+1-A}\). It follows from a standard result in the theory of number fields that the decomposition group of \(\mathfrak {p}\) has order \(2^{n+1-A}\). Thus \(\langle {\sigma }\rangle \) is precisely the decomposition group of \(\mathfrak {p}\). Now recall the subfield/subgroup lattice for \({\mathbb Q}({\zeta })/{\mathbb Q}\) and its Galois group \(\mathbb {Z}_{2^{n+1}}^*\). A simple computation shows that \({\sigma }\) fixes \({\zeta }^{2^{n-A}}-{\zeta }^{-2^{n-A} }\). But from the subfield lattice we can see that

$$[{\mathbb Q}({\zeta }): {\mathbb Q}({\zeta }^{2^{n-A}}-{\zeta }^{-2^{n-A} })] = 2^{n+1-A}= |\langle {\sigma }\rangle |.$$

Thus \({\mathbb Q}({\zeta }^{2^{n-A}}-{\zeta }^{-2^{n-A} })\) is precisely this fixed field.

A similar, in fact easier, analysis can be carried out for \(p\equiv 1 \pmod {4}\). In this case

$$\mathfrak {p} = (p,~ {\zeta }^{2^{n-A+1}}-u)$$

for some \(u\in {\mathbb Z}\) and \(2^A||p-1\). Then it is seen that \({\sigma }'\) fixes \(\mathfrak {p}\). As in the \(3 \pmod {4}\) case, we know from a general result of algebraic number theory that the decomposition group of \(\mathfrak {p}\) has order \(2^{n+1-A}\), which matches the order of \(\sigma '\) (computed above). We see that \({\mathbb Q}({\zeta }^{2^{n+1-A} })\) is contained in the fixed field of \(\sigma '\), and again, by looking at the subfield lattice to find \([{\mathbb Q}({\zeta }): {\mathbb Q}({\zeta }^{2^{n+1-A}})] = 2^{n+1-A}\), we see that \({\mathbb Q}({\zeta }^{2^{n+1-A} })\) is precisely the fixed field of the decomposition group of \(\mathfrak {p}\).