1 Introduction

Let \( Q, \mathbb {R},\mathbb {C}\) be the fields of rational, real, and complex numbers, respectively, and let \( \mathbb {Z}\) be the ring of integers. Let \( E \subset \mathbb {C}\) be an algebraic number field of degree n, and let \(R \subset E\) be the ring of algebraic integers of E. Suppose that \(A \subset R\) is a non-zero ideal (all ideals in this chapter are non-zero); then the factor ring R/A is a finite ring. We denote by N(A) the number of elements of R/A, which is called the norm of A, and by \( \varphi (A)\) the number of invertible elements of R/A, which is called the Euler totient function of A. For any \(\alpha \in R,\) the principal ideal generated by \(\alpha \) is denoted by \(\alpha R\); then \(\alpha \) is an invertible element of R/A if and only if \((\alpha R,A)=1.\) It is known (see Theorem 1.19 of Narkiewicz (2004)) that

$$\begin{aligned} \varphi (A)=N(A)\prod _{P | A}(1-\frac{1}{ N(P)}) \end{aligned}$$
(1)

where the product is extended over all prime ideals P dividing A. Moreover, if \(\alpha \in R\) and \( (\alpha R,A)=1,\) then

$$\begin{aligned} \alpha ^{\varphi (A)}\equiv 1(\text {mod}\ A). \end{aligned}$$
(2)

To generalize RSA to an arbitrary algebraic number field E, we first show the following assertion.

Theorem 1

Let \(P_{1}\) and \(P_{2}\) be two distinct prime ideals of R and \(A=P_{1}P_{2}\), then for any \(\alpha \in R\) and integer \(k\ge 0,\) we have

$$\begin{aligned} \alpha ^{k\varphi (A)+1}\equiv \alpha ({\text {mod}} \ A). \end{aligned}$$
(3)

Proof

Let \( \alpha \in R.\) If \((\alpha R, A)=1,\) then (3) follows directly from (2). If \((\alpha R, A)=A,\) then \( \alpha R \subset A\) and \( \alpha \in A,\) so (3) is trivial. Thus, we only need to consider the cases \((\alpha R, A)=P_{1}\) and \((\alpha R, A)=P_{2}\). If \( (\alpha R, A)=P_{1}\), then \( (\alpha R, P_{2})=1\), and by (2) we have

$$\begin{aligned} \alpha ^{\varphi (P_{2})}\equiv 1(\text {mod}\ P_{2}). \end{aligned}$$

Since \(\varphi (A)=\varphi (P_{1})\varphi (P_{2})\) by (1), it follows that

$$\begin{aligned} \alpha ^{k \varphi (A)}\equiv 1(\text {mod}\ P_{2}),\ \ \forall k \in \mathbb {Z},\ \ k\ge 0. \end{aligned}$$

Therefore, there exists an element \(\beta \in P_{2}\) such that

$$\begin{aligned} \alpha ^{k \varphi (A)}= 1+ \beta . \end{aligned}$$

We thus have

$$\begin{aligned} \alpha ^{k \varphi (A)+1}= \alpha + \alpha \beta , \ \ \text {and} \ \ \alpha ^{k \varphi (A)+1}\equiv \alpha (\text {mod}\ A), \end{aligned}$$

since \( \alpha \beta \in A.\) The same argument gives (3) when \( (\alpha R, A)=P_{2}\).

According to Theorem 1, one can easily extend the classical RSA over an algebraic number field as follows (see also Takagi and Naito (2015), which does not give a proof of (3)).

Table 1 RSA in the ring of algebraic integers

Obviously, if \(n=1\), the above algorithm is the ordinary RSA. However, it is difficult to find the prime ideals in R and to construct a set of coset representatives of R/A. In Takagi and Naito (2015), the authors supposed that the ring R is a Euclidean ring, so that S can be constructed by the Euclidean algorithm in R. The simplest way is to select a prime element \(\alpha \) in R, so that the principal ideal \(\alpha R\) is a prime ideal. In algorithm I, we would precisely construct a set of coset representatives for the factor ring R/A by lattice theory. Here we give an approximate construction of the set of coset representatives for the factor ring R/A.

If \(P \subset R\) is a prime ideal, then \(P \cap \mathbb {Z}=p \mathbb {Z}\), where \(p \in \mathbb {Z}\) is a rational prime number. Since R/P is a finite field and \(\mathbb {Z}/(p\mathbb {Z})\subset R/P\), we have \(N(P)=p^{f}\), where \(f\left( 1 \le f \le n\right) \) is called the degree of P. We write \(p R=P_{1}^{e_{1}} P_{2}^{e_{2}} \cdots P_{g}^{e_{g}}\), where \(P=P_{1}\) and the \(P_{i}\) are distinct prime ideals; \(e_{i}\) is called the ramification index of \(P_{i}\). There exists a remarkable relation between the ramification indices and the degrees (see Theorem 3 of page 181 of Ireland and Rosen (1990))

$$\begin{aligned} \sum _{i=1}^{g} e_{i} f_{i}=n. \end{aligned}$$
(4)

Let \(\left\{ \alpha _{1}, \alpha _{2}, \cdots \alpha _{n}\right\} \subset R\) be an integral basis for \(E/Q\), and let \(A=P_{1} P_{2}\). Suppose that \(P_{1} \cap \mathbb {Z}=p\mathbb {Z}\) and \(P_{2} \cap \mathbb {Z}= q\mathbb {Z}\); then \(A \cap \mathbb {Z}= pq\mathbb {Z}\), where p and q are two distinct rational prime numbers.

Lemma 1

Let

$$\begin{aligned} S_{1}=\left\{ \sum _{i=1}^{n} a_{i} \alpha _{i} \mid 0 \le a_{i}<p q, \ a_{i} \in \mathbb {Z},\ 1 \le i \le n \right\} . \end{aligned}$$
(5)

Then \(S_{1}\) covers a set of coset representatives of R/A. Moreover, if the degrees of \(P_{1}\) and \(P_{2}\) are n, then \(S_{1}\) is precisely a set of coset representatives of R/A.

Proof

Since \(A=P_{1}P_{2}\), \(P_{1} \cap \mathbb {Z}=p\mathbb {Z}\), and \(P_{2} \cap \mathbb {Z}=q\mathbb {Z}\), we have \(pq R \subset A\), thus R/pqR maps onto R/A. To prove the first assertion, it is enough to show that \(S_{1}\) is a set of coset representatives of R/pqR. Since \(\left\{ \alpha _{1}, \alpha _{2}, \ldots \alpha _{n}\right\} \) is an integral basis, we have

$$\begin{aligned} R=\mathbb {Z}\alpha _{1}+\mathbb {Z} \alpha _{2}+\cdots +\mathbb {Z} \alpha _{n}. \end{aligned}$$

Suppose that \(\alpha =\sum _{i=1}^{n} m_{i} \alpha _{i} \in R\), and write \(m_{i}=a_{i} pq+r_{i}\), where \(0 \le r_{i}<pq\). Clearly

$$\begin{aligned} \alpha \equiv \sum _{i=1}^{n} r_{i} \alpha _{i}(\text {mod}\ pqR). \end{aligned}$$

Thus every coset of pqR contains an element of \( S_{1}\). If \(\sum _{i=1}^{n} r_{i}\alpha _{i}\) and \(\sum _{i=1}^{n} r'_{i}\alpha _{i} \) are in \(S_{1}\) and in the same coset mod pqR, then

$$\begin{aligned} \sum _{i=1}^{n}\left( r_{i}-r_{i}^{\prime }\right) \alpha _{i} \equiv 0 (\text {mod}\ \ pqR). \end{aligned}$$

Since \( \alpha _{i}\) are linearly independent, it follows that

$$\begin{aligned} r_{i}\equiv r_{i}^{\prime } ( \text{ mod }\ \ pq)\ \ \text{ and } \ \ r_{i}=r_{i}^{\prime },\ \ 1 \le i \le n . \end{aligned}$$

Next, suppose that the degrees of \(P_{1}\) and \(P_{2}\) are n; then \(N\left( P_{1}\right) =p^{n}\) and \(N\left( P_{2}\right) =q^{n}\), and by (4) we have \(P_{1}=p R\), \(P_{2}=q R\), and \(A=pq R\). The second assertion follows immediately.

If one replaces S by \(S_{1}\) in Table 1, then the probability of successful decryption is

$$\begin{aligned} N(A) / p^{n} q^{n}=p^{f_{1}-n} q^{f_{2}-n}, \end{aligned}$$
(6)

where \(f_{1}\) and \(f_{2}\) are the degrees of \(P_{1}\) and \(P_{2}\), respectively.

We note that \(f_{1}=f_{2}=n\) if and only if \(P_{1}=p R\) and \(P_{2}=q R\); in this special case, we may give a numerical explanation. It is easy to see that

$$\begin{aligned} \varphi (A)=\varphi (p R) \varphi (q R)=\left( p^{n}-1\right) \left( q^{n}-1\right) . \end{aligned}$$

By Theorem 1, for any \( a \in \mathbb {Z}\), we have

$$\begin{aligned} a^{k\left( p^{n}-1\right) \left( q^{n}-1\right) +1} \equiv a (\text {mod}\ pq),\ \ k \in \mathbb {Z},\ \ k\ge 0. \end{aligned}$$
(7)

Since \(S_{1}\) is a set of coset representatives of R/A, for \(\alpha =\sum _{i=1}^{n}a_{i}\alpha _{i}\in S_{1}\) we may regard \(\alpha \) as a vector \(\left( a_{1}, a_{2}, \ldots , a_{n}\right) \in \mathbb {Z}_{pq}^{n}\). Let \(m =pq\), and let \(1 \le e<\left( p^{n}-1\right) \left( q^{n}-1\right) \) and \(1 \le d<\left( p^{n}-1\right) \left( q^{n}-1\right) \) be such that

$$\begin{aligned} ed\equiv 1(\text {mod}\ \ (p^{n}-1)(q^{n}-1)). \end{aligned}$$

Then for every input message \(\alpha =\left( a_{1}, a_{2}, \cdots ,a_{n}\right) \), we use the public key \((m, e)\) and the private key \((p, q, d)\) to encrypt and decrypt each \(a_{i}\) in order. Obviously, these are the algorithms given by Takagi and Naito (2015); we consider these algorithms to be just a simple repetition of RSA.
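The special case above can be run on a toy instance. The following Python code is an added example, not code from the chapter or from Takagi and Naito; it assumes \(R=\mathbb {Z}[\theta ]\) with \(\theta ^{3}=2\), the integral basis \(1, \theta , \theta ^{2}\), and the toy primes p = 7, q = 13, and it compares exponentiation in R/pqR (Theorem 1 with A = pqR) with the coordinate-wise scheme just described, using the same e and d.

```python
# Assumptions of this example: R = Z[theta] with theta^3 = 2, and the toy primes
# p = 7, q = 13. x^3 - 2 has no root modulo 7 or 13, so pR and qR are prime
# ideals of degree n = 3 and A = pqR has phi(A) = (p^n - 1)(q^n - 1).
N = 3
PHI = (2, 0, 0)                       # theta^3 = 2 + 0*theta + 0*theta^2
P, Q = 7, 13
M = P * Q                             # m = pq
ORDER = (P**N - 1) * (Q**N - 1)       # (p^n - 1)(q^n - 1)
E = 5                                 # public exponent, coprime to ORDER
D = pow(E, -1, ORDER)                 # private exponent, e*d = 1 mod ORDER


def mul(a, b):
    """Product in R/mR; elements are coefficient tuples w.r.t. 1, theta, theta^2."""
    prod = [0] * (2 * N - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] += ai * bj
    # Rewrite theta^k for k >= n with theta^n = phi_0 + ... + phi_{n-1} theta^{n-1}.
    for k in range(2 * N - 2, N - 1, -1):
        for i, ph in enumerate(PHI):
            prod[k - N + i] += prod[k] * ph
    return tuple(x % M for x in prod[:N])


def power(a, e):
    """Square-and-multiply in R/mR."""
    result, base = (1,) + (0,) * (N - 1), tuple(x % M for x in a)
    while e:
        if e & 1:
            result = mul(result, base)
        base = mul(base, base)
        e >>= 1
    return result


def encrypt(msg):
    """alpha -> alpha^e in R/mR."""
    return power(msg, E)


def decrypt(ct):
    """gamma -> gamma^d in R/mR; recovers alpha by Theorem 1."""
    return power(ct, D)


def encrypt_coordinatewise(msg):
    """The scheme in the text: ordinary RSA with modulus pq on each a_i."""
    return tuple(pow(a, E, M) for a in msg)


def decrypt_coordinatewise(ct):
    return tuple(pow(c, D, M) for c in ct)


# Constructed sample messages in S_1, including non-units of R/mR.
SAMPLES = [(0, 0, 0), (1, 2, 3), (0, 1, 0), (7, 14, 21), (13, 0, 26), (90, 90, 90)]


def roundtrips(samples=SAMPLES):
    """True if both schemes decrypt every sample back to the plaintext."""
    return all(decrypt(encrypt(m)) == m and
               decrypt_coordinatewise(encrypt_coordinatewise(m)) == m
               for m in samples)


if __name__ == "__main__":
    print("d =", D, "round trips:", roundtrips())
    print(encrypt((0, 1, 0)), encrypt_coordinatewise((0, 1, 0)))
```

The two schemes agree on rational integers such as (2, 0, 0) but differ as soon as a message has a non-zero \(\theta \) coordinate, since only the first one uses the multiplication of R.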

The main purpose of this chapter is to show that the high dimensional form of the RSA algorithm is, in general, a lattice-based cryptosystem. To do this, we first establish a relationship between an algebraic number field E and the Euclidean space \(Q^{n}\). Let \(\mathbb {R}^{n}\) be the Euclidean space, which is a linear space over \(\mathbb {R}\) with the Euclidean norm |x|,

$$\begin{aligned} |x|=\left( \sum _{i=1}^{n} x_{i}^{2}\right) ^{\frac{1}{2}},\ \ \text{ where } \ x^{\prime }=\left( x_{1}, x_{2}, \cdots , x_{n}\right) \in \mathbb {R}^{n}. \end{aligned}$$
(8)

We use the column notation for vectors in \(\mathbb {R}^{n}\), and \(x^{\prime }\) is the transpose of x, which is called a row vector in \(\mathbb {R}^{n}\). \(Q^{n} \subset \mathbb {R}^{n}\) is a subspace of \(\mathbb {R}^{n}.\)

Without loss of generality, an algebraic number field E of degree n may be expressed as \(E=Q(\theta )\), where \(\theta \) is an algebraic integer of degree n and \(Q(\theta )\) is the field generated by \(\theta \) over Q. Let \(\phi (x)\) be the minimal polynomial of \(\theta \),

$$\begin{aligned} \phi (x)=x^{n}-\phi _{n-1} x^{n-1}-\cdots -\phi _{1} x-\phi _{0} \in \mathbb {Z}[x], \end{aligned}$$
(9)

where all \(\phi _{i} \in \mathbb {Z}.\) It is known that

$$\begin{aligned} E=Q[\theta ]=\left\{ \sum _{i=0}^{n-1} a_{i} \theta ^{i} \mid a_{i} \in Q \right\} . \end{aligned}$$
(10)

We define a one-to-one correspondence between E and \(Q^{n}\) by \(\tau \):

$$\begin{aligned} \alpha =\sum _{i=0}^{n-1} a_{i} \theta ^{i} \in E {\mathop {\longrightarrow }\limits ^{\tau }} \overline{\alpha }=\begin{pmatrix} a_0 \\ a_1 \\ \vdots \\ a_{n-1} \end{pmatrix} \in Q^{n} \end{aligned}$$
(11)

and write \(\tau (\alpha )=\overline{\alpha }\) or \(\alpha {\mathop {\rightarrow }\limits ^{\tau }} \overline{\alpha }\). In fact, \(\tau \) is a homomorphism of additive groups from E to \(Q^{n}\), since \(\tau (a \alpha )=a \tau (\alpha )\) for all \(a\in \mathbb {Q}.\)

As usual, the trace and norm mappings from E to Q are denoted by

$$\begin{aligned} {\text {tr}}(\alpha )={\text {tr}}_{E/Q}(\alpha ),\ \ \text{ and } \ \ N(\alpha )=N_{E/Q}(\alpha ). \end{aligned}$$

It is known (see corollary of page 58 of Narkiewicz (2004)) that

$$\begin{aligned} N(\alpha R)=|N(\alpha )|, \quad \forall \alpha \in R . \end{aligned}$$
(12)

A full-rank lattice L is a discrete additive subgroup of \(\mathbb {R}^{n}\); an equivalent expression for L is (see Micciancio and Regev (2009), Zheng et al. (2023))

$$\begin{aligned} L=L(B)=\left\{ B x \mid x \in \mathbb {Z}^{n}\right\} , \end{aligned}$$
(13)

where \(B=\left[ \overline{\beta }_{1}, \overline{\beta }_{2}, \cdots , \overline{\beta }_{n}\right] _{n \times n} \in \mathbb {R}^{n \times n}\) is an invertible \(n\times n\) matrix; B is called a generator matrix of L. If \(L \subset Q^{n}\), we call L a rational lattice; if \(L\subset \mathbb {Z}^{n}\), we call L an integer lattice. It is not difficult to see that every ideal of R corresponds to a rational lattice; we have the following.

Lemma 2

Let \(A \subset R\) be an ideal and \(A \ne 0\), then \(\tau (A)\) is a rational lattice.

Proof

Let \(\left\{ \beta _{1}, \beta _{2},\cdots , \beta _{n}\right\} \subset A\) be an integral basis for E/Q, one has

$$\begin{aligned} A=\mathbb {Z} \beta _{1}+\mathbb {Z} \beta _{2}+\cdots +\mathbb {Z} \beta _{n}. \end{aligned}$$

It follows that

$$\begin{aligned} \tau (A)=\mathbb {Z} \overline{\beta }_{1}+\mathbb {Z}\overline{ \beta }_{2}+\cdots +\mathbb {Z}\overline{ \beta }_{n}, \end{aligned}$$

where \( \overline{\beta }_{i}= \tau ( \beta _{i}) \in Q^{n}\). Let \(B=[\overline{\beta }_{1},\overline{\beta }_{2},\cdots ,\overline{\beta }_{n} ]\). Since \( \{ \beta _{1},\beta _{2},\cdots ,\beta _{n}\}\) is linearly independent over Q, B is an invertible matrix, and we have

$$\begin{aligned} \tau (A)=L(B)=\{Bx \mid x\in \mathbb {Z}^{n}\}. \end{aligned}$$

The lemma follows at once.

Let \(L \subset Q^{n}\) be a rational lattice. If L corresponds to an ideal A in E for some suitable algebraic number field E, we call L an ideal lattice. Ideal lattices were first introduced by Lyubashevsky and Micciancio (2006) in the case of integer lattices; here we generalize this notion to the case of rational lattices. For a more detailed discussion of ideal lattices, we refer to Zheng et al. (2023).

To give an attainable algorithm for high dimensional RSA, we require the following NC-property for the algebraic number field E.

$$\begin{aligned} \text {NC-property: } \quad E=Q(\theta ) \ \ \text{ and } \ \ R=\mathbb {Z}[\theta ], \end{aligned}$$
(14)

where

$$\begin{aligned} \mathbb {Z}[\theta ]= \left\{ \sum _{i=0}^{n-1}a_{i}\theta ^{i} \mid a_{i}\in \mathbb {Z}, \ 0\le i\le n-1 \right\} . \end{aligned}$$
(15)

Some of the well-known algebraic number fields satisfy the NC-property; we list a few in Table 2.

Table 2 Algebraic number fields with NC-property

2 Ideal Matrices

Suppose that \(\theta \) is an algebraic integer of degree n and that \( \phi (x)=x^{n}-\phi _{n-1} x^{n-1}-\cdots -\phi _{1} x-\phi _{0} \in \mathbb {Z}[x]\) is the minimal polynomial of \(\theta \); thus \(\phi (x)\) is irreducible. Let \( \theta =\theta _{0}, \theta _{1}, \theta _{2},\cdots ,\theta _{n-1}\) be the n different roots of \(\phi (x)\). The Vandermonde matrix of \(\phi (x)\) is defined by

$$\begin{aligned} V=V_{\phi }=\left[ \theta _{j}^{i}\right] _{0 \le i, j \le n-1}, \ \ \text {and}\ \ \Delta =\text {det}( V_{\phi }) \ne 0 . \end{aligned}$$
(16)

According to \(\phi (x)\), we denote the rotation matrix or adjoint matrix (see page 116 of Manin and Panchishkin (2005)) by

$$\begin{aligned} H=H_{\phi }= \left( \begin{array}{ccc|c} 0 &{} \cdots &{} 0 &{} \phi _0\\ \hline &{} &{} &{} \phi _1\\ &{} I_{n-1} &{} &{} \vdots \\ &{} &{} &{} \phi _{n-1} \\ \end{array} \right) \in \mathbb {Z}^{n\times n}, \end{aligned}$$
(17)

where \( I_{n-1} \) is the unit matrix of \(n-1\) dimension.

Definition 1

An ideal matrix \(H^{*}(\overline{f})\) generated by the input vector \(\overline{f} \in \mathbb {R}^{n} \) is defined by

$$\begin{aligned} H^{*}(\overline{f})=\left[ \ \overline{f}, H\overline{f}, \cdots , H^{n-1}\overline{f} \ \right] _{n \times n} \in \mathbb {R}^{n\times n} \end{aligned}$$
(18)

and all ideal matrices are denoted by

$$\begin{aligned} M_{\mathbb {R}}^{*}=\left\{ H^{*}(\overline{f}) \mid \overline{f} \in \mathbb {R}^{n}\right\} \ \ \text{ and } \ M_{Q}^{*}=\left\{ H^{*}(\overline{f}) \mid \overline{f} \in Q^{n}\right\} . \end{aligned}$$
(19)

Definition 2

For any two vectors \(\overline{f}\) and \(\overline{g}\) in \(\mathbb {R}^{n}\), the \(\phi \)-conventional product is defined by

$$\begin{aligned} \overline{f} \otimes \overline{g}=H^{*}(\overline{f} ) \overline{g} \end{aligned}$$
(20)

and the m-multi product is denoted by

$$\begin{aligned} \overline{f}^{\otimes m} =\overbrace{\overline{f} \otimes \overline{f} \otimes \cdots \otimes \overline{f}}^{m},\ \ m \in \mathbb {Z}, \ \ m \ge 1. \end{aligned}$$
(21)

Remark 1

If \( \phi (x)=x^{n}-1\), then \(H_{\phi }\) is the classical circulant matrix (see Davis (1994)). The conventional product with a circulant matrix was first proposed by Hoffstein et al. (1998), and it plays a key role in their cryptosystem. In Zheng et al. (2023), we generalized this definition to more general rotation matrices.

By (18), \(H^{*}(\overline{f})\) is the zero matrix if and only if \(\overline{f}\) is the zero vector, and \(H^{*}(\overline{f}+\overline{g})=H^{*}(\overline{f})+H^{*}(\overline{g})\); hence \(H^{*}(\overline{f})=H^{*}(\overline{g})\) if and only if \(\overline{f}=\overline{g}\). Thus we may regard \(H^{*} :\mathbb {R}^{n} \rightarrow \textrm{M}_{\mathbb {R}}^{*}\) as a one-to-one correspondence, which is also a homomorphism of abelian groups.

The main aim of this subsection is to show that \(Q^{n}\) is a field under the \(\phi \)-conventional product and that \(M_{Q}^{*}\) is also a field under the ordinary addition and multiplication of matrices, both of which are isomorphic to the algebraic number field \(E=Q(\theta )\). To do this, we require some basic properties of the ideal matrices.

Let \(\overline{e}_{1}, \overline{e}_{2}, \cdots , \overline{e}_{n}\) be the unit vectors of \(\mathbb {R}^{n}\), namely

$$\begin{aligned} \overline{e}_{1}=\left( \begin{array}{c} 1 \\ 0\\ \vdots \\ 0 \end{array}\right) , \overline{e}_{2}=\left( \begin{array}{l} 0 \\ 1 \\ \vdots \\ 0 \end{array}\right) , \cdots , \quad \overline{e}_{n}=\left( \begin{array}{l} 0 \\ 0 \\ \vdots \\ 1 \end{array}\right) . \end{aligned}$$
(22)

Lemma 3

Let \(\tau \) be defined by (11), then we have

$$\begin{aligned} \left\{ \begin{array}{lll} \tau \left( \theta ^{k}\right) =\overline{e}_{k+1}, \ \ 0 \le k \le n-1 \\ H^{*}\left( \overline{e}_{k}\right) =H^{k-1}, \ \ 1 \leqslant k \leqslant n . \end{array}\right. \end{aligned}$$
(23)

Proof

\(\tau \left( \theta ^{k}\right) =\overline{e}_{k+1}\) follows directly from the definition of \(\tau \). We use induction to prove \(H^{*}\left( \overline{e}_{k}\right) =H^{k-1}\). It is easy to see that \(H^{*}\left( \overline{e}_{1}\right) =I_{n}\), the unit matrix of dimension n. Suppose that \(H^{*}\left( \overline{e}_{k-1}\right) =H^{k-2}\) for some \(k\ge 2\). Noting that \(\overline{e}_{k}=H \overline{e}_{k-1}\), it follows that

$$\begin{aligned} H^{*}\left( \overline{e}_{k}\right)&=\left[ H \overline{e}_{k-1}, H^{2} \overline{e}_{k-1}, \cdots , H^{n} \overline{e}_{k-1}\right] \\&= H\left[ \overline{e}_{k-1}, H \overline{e}_{k-1}, \cdots , H^{n-1} \overline{e}_{k-1}\right] \\&=HH^{*}(\overline{e}_{k-1})= HH^{k-2}=H^{k-1}. \end{aligned}$$

The lemma follows immediately.

Since \(\phi (x)\) is the characteristic polynomial of H, by the Hamilton-Cayley theorem, we have

$$\begin{aligned} \phi (H)=0, \ \ \text {or}\ H^{n}=\phi _{0}+\phi _{1} H+\cdots +\phi _{n-1} H^{n-1}. \end{aligned}$$
(24)

Therefore, all the rotation matrices \(H^{k}(k \ge 0)\) are ideal matrices; in particular, the unit matrix \(I_{n}=H^{*}\left( \overline{e}_{1}\right) \) is an ideal matrix.

Let \(\mathbb {R}[x]\) be the polynomial ring and \(\mathbb {R}[x] /\langle \phi (x)\rangle \) be the quotient ring, where \(\langle \phi (x)\rangle \) is the principal ideal generated by \(\phi (x)\) in \(\mathbb {R}[x]\). We establish a one-to-one correspondence t between \(\mathbb {R}^{n}\) and \(\mathbb {R}[x]/ \langle \phi (x)\rangle \) by

$$\begin{aligned} \overline{f}=\left( \begin{array}{c} f_{0} \\ f_{1} \\ \vdots \\ f_{n-1} \end{array}\right) \in \mathbb {R}^{n} {\mathop {\longrightarrow }\limits ^{t}} f(x)=f_{0}+f_{1} x+\cdots +f_{n-1} x^{n-1} \in \mathbb {R}[x]/ \langle \phi (x)\rangle \end{aligned}$$
(25)

and write \(t(\overline{f})=f(x)\), or \(t^{-1}(f(x))=\overline{f}\).

Lemma 4

For any \(\overline{f} \in \mathbb {R}^{n}\), the ideal matrix \(H^{*}(\overline{f})\) is given by

$$\begin{aligned} H^{*}( \overline{f})=f(H)=f_{0}I_{n}+f_{1}H+\cdots +f_{n-1}H^{n-1}. \end{aligned}$$
(26)

Moreover, if \(F(x) \in \mathbb {R}[x]\) and \(F(x)\equiv f(x)(\text {mod}\ \phi (x))\), then \(f(H)=F(H)\).

Proof

Writing \(\overline{f}=f_{0} \overline{e}_{1}+f_{1} \overline{e}_{2}+\cdots +f_{n-1} \overline{e}_{n}\), by Lemma 3, we have

$$\begin{aligned} H^{*}( \overline{f})&=f_{0}H^{*}( \overline{e}_{1})+f_{1}H^{*}( \overline{e}_{2})+\cdots +f_{n-1}H^{*}(\overline{ e}_{n})\\&=f_{0}I_{n}+f_{1}H+\cdots +f_{n-1}H^{n-1}=f(H) . \end{aligned}$$

Suppose that \( F(x) \equiv f(x)(\text {mod}\ \phi (x))\), by (24), we have \(f(H)=F(H)\) immediately.

Lemma 5

Let \(\overline{f}\) and \(\overline{g}\) be two vectors in \(\mathbb {R}^{n}\), and f(x), g(x) be the corresponding polynomials, respectively, then we have

$$\begin{aligned} t(\overline{f} \otimes \overline{g}) \equiv f(x) g(x) (\text {mod}\ \ \phi (x)). \end{aligned}$$
(27)

Proof

Since t is a bijection, it suffices to show that

$$\begin{aligned} t^{-1}(f(x) g(x))=\overline{f} \otimes \overline{g}. \end{aligned}$$
(28)

Let \(g(x)=g_{0}+g_{1} x+\cdots +g_{n-1} x^{n-1} \in \mathbb {R}[x] /\langle \phi (x)\rangle \), then

$$\begin{aligned} x g(x)&=g_{0} x+\cdots +g_{n-1}x^{n}\\&=g_{n-1}\phi _{0}+(g_{0}+\phi _{1}g_{n-1} )x+\cdots +(g_{n-2}+\phi _{n-1}g_{n-1} )x^{n-1}. \end{aligned}$$

It follows that

$$\begin{aligned} t^{-1}(x g(x))=H t^{-1}(g(x))=H \overline{g}. \end{aligned}$$

More generally, we have

$$\begin{aligned} t^{-1}\left( x^{k} g(x)\right) =H^{k} t^{-1}(g(x))=H^{k}\overline{g},\quad 0 \le k \le n-1. \end{aligned}$$
(29)

Let \(f(x)=f_{0}+f_{1} x+\cdots +f_{n-1} x^{n-1}\), then

$$\begin{aligned} \begin{aligned} t^{-1}(f(x) g(x)) =\sum _{k=0}^{n-1} f_{k} t^{-1}\left( x^{k} g(x)\right) =\sum _{k=0}^{n-1} f_{k} H^{k} \overline{g} =H^{*}(\overline{f}) \overline{g}= \overline{f}\otimes \overline{g}. \end{aligned} \end{aligned}$$

The lemma follows immediately.

Lemma 6

For any two vectors \( \overline{f}=\left( \begin{array}{c} f_{0} \\ f_{1} \\ \vdots \\ f_{n-1} \end{array}\right) \in \mathbb {R}^{n},\ \ \overline{g}=\left( \begin{array}{c} g_{0} \\ g_{1} \\ \vdots \\ g_{n-1} \end{array}\right) \in \mathbb {R}^{n}, \) we have the following properties for ideal matrices:

  (i) \(H^{*}(\overline{f}) H^{*}(\overline{g})=H^{*}(\overline{g}) H^{*}(\overline{f});\)

  (ii) \(H^{*}(\overline{f}) H^{*}(\overline{g})=H^{*}( H^{*}(\overline{f}) \overline{g}) ;\)

  (iii) \(H^{*}(\overline{f})=V_{\phi }^{-1} {\text {diag}}\left\{ f\left( \theta _{0}\right) , f\left( \theta _{1}\right) , \cdots , f\left( \theta _{n-1}\right) \right\} V_{\phi }\);

  (iv) \({\text {det}}\left( H^{*}(\overline{f})\right) =\prod _{i=0}^{n-1} f\left( \theta _{i}\right) \);

  (v) If \(\overline{f} \in Q^{n}\), \(\overline{f} \ne 0\), then \(H^{*}(\overline{f})\) is an invertible matrix and

    $$\begin{aligned} \left( H^{*}(\overline{f})\right) ^{-1}=H^{*}(\overline{u}), \end{aligned}$$

    where \(u(x) \in Q[x]\) is the unique polynomial such that \(u(x) f(x) \equiv 1 (\text {mod}\ \phi (x))\) in Q[x].

Proof

By Lemma 4, we have

$$\begin{aligned} H^{*}(\overline{f}) H^{*}(\overline{g})=f(H) g(H)=g(H) f(H)=H^{*}(\overline{g}) H^{*}(\overline{f}) . \end{aligned}$$

To prove (ii), we write \(H^{*}(\overline{f}) \overline{g}=\overline{f} \otimes \overline{g}\), it follows that

$$\begin{aligned} H^{*}\left( H^{*}(\overline{f}) \overline{g}\right) =H^{*}(\overline{f} \otimes \overline{g})=f(H) g(H)=H^{*}(\overline{f}) \cdot H^{*} ( \overline{g}). \end{aligned}$$

By Theorem 3.5 of Davis (1994), we have

$$\begin{aligned} H=V_{\phi }^{-1} {\text {diag}}\left\{ \theta _{0}, \theta _{1}, \cdots , \theta _{n- 1}\right\} V_{\phi }. \end{aligned}$$
(30)

It follows that

$$\begin{aligned} H^{*}(\overline{f})=f(H)=V^{-1} _{\phi }{\text {diag}}\left\{ f\left( \theta _{0}\right) , f\left( \theta _{1}\right) , \cdots , f\left( \theta _{n-1}\right) \right\} V_{\phi }. \end{aligned}$$

Since \({\text {diag}}\left\{ f\left( \theta _{0}\right) , f\left( \theta _{1}\right) , \cdots ,f\left( \theta _{n-1}\right) \right\} \) is a diagonal matrix, we have

$$\begin{aligned} \begin{aligned} {\text {det}}\left( H^{*}(\overline{f})\right) ={\text {det}}\left( {\text {diag}}\left\{ f\left( \theta _{0}\right) , f\left( \theta _{1}\right) , \cdots , f\left( \theta _{n-1}\right) \right\} \right) =\prod _{i=0}^{n-1} f\left( \theta _{i}\right) . \end{aligned} \end{aligned}$$

To show the last assertion, since \(\overline{f} \in Q^{n}, \overline{f} \ne 0\), and \(\phi (x)\) is an irreducible polynomial, we have \((f(x), \phi (x))=1\) in Q[x]. There are \(u(x) \in Q[x]\) and \(v(x) \in Q[x]\) such that

$$\begin{aligned} u(x) f(x)+v(x) \phi (x)=1. \end{aligned}$$

By (29) and noting that \(t^{-1}(1)=\overline{e}_{1} \in \mathbb {R}^{n}\), we have \(\overline{u} \otimes \overline{f}=\overline{e}_{1}\). It follows that

$$\begin{aligned} H^{*}(\overline{u}) \cdot H^{*}(\overline{f})=H^{*}(\overline{e}_{1})=I_{n}. \end{aligned}$$

This completes the proof of Lemma 6.

Next, we discuss the algebraic number field \(E=Q(\theta )\) and recall that \(\tau \) is a one-to-one correspondence between E and \(Q^{n}\).

Lemma 7

For any two elements \(\alpha \) and \( \beta \) in E, we have

$$\begin{aligned} \tau ( \alpha \beta )=\tau ( \alpha )\otimes \tau ( \beta )=\overline{\alpha }\otimes \overline{\beta }. \end{aligned}$$
(31)

Proof

Let \(\beta =\beta _{0}+\beta _{1} \theta +\cdots +\beta _{n-1} \theta ^{n-1}\), where \(\beta _{i}\in Q\), it is easily seen that

$$\begin{aligned} \theta \beta =\phi _{0} \beta _{n-1}+\left( \beta _{0}+\phi _{1} \beta _{n-1}\right) \theta +\cdots +\left( \beta _{n-2}+\phi _{n-1} \beta _{n-1}\right) \theta ^{n-1}, \end{aligned}$$

thus we have \(\tau (\theta \beta )=H \tau (\beta )=H \overline{\beta }\), and

$$\begin{aligned} \tau \left( \theta ^{k}\beta \right) =H^{k} \tau ( \beta )=H^{k} \overline{\beta }, \quad 0 \le k \le n-1. \end{aligned}$$
(32)

Let \(\alpha =\alpha _{0} + \alpha _{1} \theta +\cdots +\alpha _{n-1} \theta ^{n-1}\), by Lemma 4, we have

$$\begin{aligned} \tau (\alpha \beta )=\sum _{k=0}^{n-1} \alpha _{k} \tau \left( \theta ^{k} \beta \right) =\sum _{k=0}^{n-1} \alpha _{k} H^{k} \overline{\beta }=H^{*} ( \overline{\alpha }) \overline{\beta }=\overline{\alpha }\otimes \overline{\beta }, \end{aligned}$$

the lemma follows immediately.

Let \(A=\left( a_{i j}\right) _{n \times n}\) be a square matrix, and the trace of A is defined by \({\text {Tr}}(A)=\sum _{i=1}^{n} a_{ ii}\) as usual. The main result of this subsection is the following theorem.

Theorem 2

Let \(E=Q(\theta )\) be an algebraic number field of degree n, and \(\phi (x) \in \mathbb {Z}[x]\) be the minimal polynomial of \(\theta \). Then the linear space \(Q^{n}\) is a field under the \(\phi \)-conventional product, and the set \(M_{Q}^{*}\) of all ideal matrices generated by rational vectors is also a field under the ordinary addition and multiplication of matrices. Both of them are isomorphic to E, namely

$$\begin{aligned} E \cong Q^{n} \cong M_{Q}^{*}. \end{aligned}$$
(33)

Moreover, let \(\alpha \in E\), \({\text {tr}}(\alpha )\) and \(N(\alpha )\) be the trace and norm of \(\alpha \), then we have

$$\begin{aligned} {\text {tr}}(\alpha )={\text {Tr}}\left( H^{*}(\overline{\alpha })\right) ,\ \text{ and } \ \ N(\alpha )={\text {det}}\left( H^{*}(\overline{\alpha })\right) . \end{aligned}$$
(34)

Proof

For \(\tau : E \rightarrow Q^{n}\) given by (11), it is clear that

$$\begin{aligned} \tau (\alpha +\beta )=\tau (\alpha )+\tau (\beta ),\ \ \text{ and } \ \ \tau (\alpha \beta )=\tau (\alpha )\otimes \tau (\beta ). \end{aligned}$$

Thus \(Q^{n}\) is a field under the \(\phi \)-conventional product and \(E \cong Q^{n}\). By Lemma 6, we have

$$\begin{aligned} H^{*}(\overline{\alpha }+\overline{\beta })=H^{*}(\overline{\alpha })+H^{*}(\overline{\beta }) \ \ \text{ and } \ \ H^{*}\left( \overline{\alpha } \otimes \overline{\beta }\right) =H^{*}(\overline{\alpha }) H^{*}(\overline{\beta }), \end{aligned}$$

thus \(M_{Q}^{*}\) is also a field and \(E \cong Q^{n} \cong M_{Q}^{*}\).

The main difficulty is to prove (34). We observe that \(\theta \) induces a linear transformation of E/Q by \(\alpha \rightarrow \theta \alpha \), and the matrix of this linear transformation under basis \(\left\{ 1, \theta , \theta ^{2},\cdots , \theta ^{n-1}\right\} \) is just H, namely

$$\begin{aligned} \theta \left( 1, \theta , \theta ^{2}, \cdots , \theta ^{n-1}\right) =\left( 1 ,\theta , \theta ^{2}, \cdots , \theta ^{n -1}\right) H . \end{aligned}$$

By the definition of trace, we have

$$\begin{aligned} {\text {tr}}(\theta )={\text {Tr}}(H), \ \text { and}\ {\text {tr}}(\theta ^{k})={\text {Tr}}(H^{k}), \quad 1 \le k \le n-1. \end{aligned}$$

Let \(\alpha =\alpha _{0}+\alpha _{1} \theta +\cdots +\alpha _{n-1} \theta ^{n-1} \in E\), it follows that

$$\begin{aligned} \begin{aligned} {\text {tr}}(\alpha ) =\sum _{k=0}^{n-1} \alpha _{k} {\text {tr}}\left( \theta ^{k}\right) =\sum _{k=0}^{n-1} \alpha _{k} {\text {Tr}}\left( H^{k}\right) ={\text {Tr}}\left( \sum _{k=0}^{n-1} \alpha _{k} H^{k}\right) ={\text {Tr}}\left( H^{*}(\overline{\alpha })\right) . \end{aligned} \end{aligned}$$

To prove the statement on the norm, let \(\alpha ^{(i)}(0 \le i \le n-1)\) be the n conjugates of \(\alpha \) in the smallest normal extension of Q containing E, where \(\alpha ^{(0)}=\alpha =\alpha _{0}+\alpha _{1} \theta +\cdots + \alpha _{n-1} \theta ^{n-1}\). It is easily seen that

$$\begin{aligned} \alpha ^{(i)}=\sum _{k=0}^{n-1} \alpha _{k} \theta _{i}^{k},\ \text{ where } \ \theta _{0}=\theta \ \text{ and } \ 0 \le i \le n-1. \end{aligned}$$

By property (iii) of Lemma 6, we have

$$\begin{aligned} N(\alpha )=\prod _{i=0}^{n-1} \alpha ^{(i)}=\prod _{i=0}^{n-1} \alpha \left( \theta _{i}\right) ={\text {det}}\left( H^{*}(\overline{\alpha })\right) . \end{aligned}$$

We complete the proof of Theorem 2.
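Definitions 1 and 2, Lemma 3, Lemma 6 (i), (ii) and formula (34) can be checked with exact arithmetic. The following Python code is an added example, not code from the chapter; it assumes \(\phi (x)=x^{3}-2\) (so \(\phi _{0}=2\), \(\phi _{1}=\phi _{2}=0\)), for which the trace and norm of \(a+b\theta +c\theta ^{2}\) have the closed forms 3a and \(a^{3}+2b^{3}+4c^{3}-6abc\).

```python
from fractions import Fraction

# Assumption for this example: phi(x) = x^3 - 2, i.e. (phi_0, phi_1, phi_2) = (2, 0, 0)
# in the chapter's convention phi(x) = x^n - phi_{n-1} x^{n-1} - ... - phi_0.
PHI = (2, 0, 0)


def rotation_matrix(phi):
    """Rotation matrix H of (17): I_{n-1} below the first row, phi as last column."""
    n = len(phi)
    H = [[0] * n for _ in range(n)]
    for i in range(1, n):
        H[i][i - 1] = 1
    for i in range(n):
        H[i][n - 1] = phi[i]
    return H


def matvec(A, v):
    return [sum(a * x for a, x in zip(row, v)) for row in A]


def matmul(A, B):
    cols = list(zip(*B))
    return [[sum(a * b for a, b in zip(row, col)) for col in cols] for row in A]


def ideal_matrix(phi, f):
    """Ideal matrix H*(f) = [f, Hf, ..., H^{n-1} f] of (18), as a list of rows."""
    H, cols, v = rotation_matrix(phi), [], list(f)
    for _ in range(len(phi)):
        cols.append(v)
        v = matvec(H, v)
    return [list(row) for row in zip(*cols)]


def conv(phi, f, g):
    """phi-conventional product of (20): H*(f) g."""
    return matvec(ideal_matrix(phi, f), g)


def trace(A):
    return sum(A[i][i] for i in range(len(A)))


def det(A):
    """Exact determinant by Gaussian elimination over the rationals."""
    A = [[Fraction(x) for x in row] for row in A]
    n, d = len(A), Fraction(1)
    for c in range(n):
        piv = next((r for r in range(c, n) if A[r][c] != 0), None)
        if piv is None:
            return Fraction(0)
        if piv != c:
            A[c], A[piv] = A[piv], A[c]
            d = -d
        d *= A[c][c]
        for r in range(c + 1, n):
            k = A[r][c] / A[c][c]
            A[r] = [x - k * y for x, y in zip(A[r], A[c])]
    return d


def lemma6_holds(phi, f, g):
    """Properties (i) and (ii) of Lemma 6 for one pair of vectors."""
    Hf, Hg = ideal_matrix(phi, f), ideal_matrix(phi, g)
    commutes = matmul(Hf, Hg) == matmul(Hg, Hf)
    multiplicative = matmul(Hf, Hg) == ideal_matrix(phi, conv(phi, f, g))
    return commutes and multiplicative


def theorem2_holds(f):
    """(34) for phi = x^3 - 2: tr = 3a and N = a^3 + 2b^3 + 4c^3 - 6abc."""
    a, b, c = f
    Hf = ideal_matrix(PHI, f)
    return (trace(Hf) == 3 * a
            and det(Hf) == a**3 + 2 * b**3 + 4 * c**3 - 6 * a * b * c)


if __name__ == "__main__":
    f, g = (1, 2, 3), (4, -1, 5)              # constructed sample vectors
    print(ideal_matrix(PHI, f))
    print(conv(PHI, (1, 1, 0), (1, 0, 1)))    # (1 + theta)(1 + theta^2)
    print(lemma6_holds(PHI, f, g), theorem2_holds(f), det(ideal_matrix(PHI, f)))
```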

The cyclic lattice in \(\mathbb {R}^{n}\) was introduced by Micciancio (2007) (see also Zheng et al. (2023)); it plays an important role in Ajtai’s construction of collision-resistant hash functions (see Ajtai and Dwork (1997)). As an application, we show that every ideal in an algebraic number field corresponds to a cyclic lattice:

Corollary 1

Let \( A\subset R \) be an ideal and \(A\ne 0\), then \(\tau (A) \subset Q^{n}\) is a cyclic lattice.

Proof

Suppose that \(\alpha \in A\). Since \(\theta \in R\), then \(\theta \alpha \in A\). By (31), we have

$$\begin{aligned} \tau (\theta \alpha )=H \overline{\alpha } \in \tau (A) . \end{aligned}$$

Thus \(\tau (A)\) is a cyclic lattice.

3 High Dimensional RSA

In this section, we give an attainable algorithm for the high dimensional RSA by making use of lattice theory; this algorithm is significant from both the theoretical and the practical point of view. Suppose that the algebraic number field E satisfies the NC-property; then \(R=\mathbb {Z}[\theta ]\) is the ring of algebraic integers of E, and the restriction of the correspondence \(\tau \) gives a ring isomorphism from R to \(\mathbb {Z}^{n}\). Let \(\mathbb {Z}[x]\) be the ring of polynomials with integer coefficients and \((\phi (x))\) be the principal ideal generated by \(\phi (x)\) in \(\mathbb {Z}[x]\); it is easy to see that \(R \cong \mathbb {Z}[x] / (\phi (x))\). Let \(M_{\mathbb {Z}}^{*}\) be the set of ideal matrices generated by an integral vector, i.e.

$$\begin{aligned} M_{\mathbb {Z}}^{*}=\left\{ H^{*}(\overline{f}) \mid \overline{f} \in \mathbb {Z}^{n}\right\} . \end{aligned}$$
(35)

Then the following four rings are isomorphic to each other

$$\begin{aligned} \mathbb {Z}[x]/(\phi (x)) \cong R\cong \mathbb {Z}^{n} \cong M_{\mathbb {Z}}^{*}. \end{aligned}$$
(36)

For any polynomial \( \alpha (x)=\alpha _{0}+\alpha _{1}x+\cdots +\alpha _{n-1}x^{n-1} \in \mathbb {Z}[x]/(\phi (x))\), the corresponding algebraic integer is \( \alpha =\alpha _{0}+\alpha _{1}\theta +\cdots +\alpha _{n-1}\theta ^{n-1}\in R\), we write this isomorphism by

$$\begin{aligned} \alpha (x) \rightarrow \alpha {\mathop {\longrightarrow }\limits ^{\tau }} \overline{\alpha } {\mathop {\longrightarrow }\limits ^{H^{*}}} H^{*}(\alpha ). \end{aligned}$$
(37)

A \( \phi \)-ideal lattice means an integer lattice which corresponds to an ideal of \(\mathbb {Z}[x] /(\phi (x))\). It was first introduced by Lyubashevsky and Micciancio (see also Zheng et al. (2023)), and it also plays a key role in Gentry’s construction of the fully homomorphic cryptosystem (see Gentry (2009)); Fluckiger and Suarez (2006) extended this definition to totally real number fields.

Lemma 8

Let E be an algebraic number field with the NC-property, and \(R=\mathbb {Z}[\theta ]\) be the ring of algebraic integers of E. Then there is a one-to-one correspondence between the ideals of R and the \(\phi \)-ideal lattices. Moreover, if \(\alpha \in R\), then we have

$$\begin{aligned} \tau (\alpha R)=L\left( H^{*}(\overline{\alpha })\right) . \end{aligned}$$
(38)

In general, suppose that \(A \subset R\) is an ideal and \(A \ne 0\), then there exist two elements \(\alpha \) and \(\beta \) in A such that

$$\begin{aligned} \tau (A)=L\left( H^{*}(\overline{\alpha })\right) +L\left( H^{*}(\overline{\beta })\right) . \end{aligned}$$
(39)

Proof

Since there is a one-to-one correspondence between the \(\phi \)-ideal lattices and the ideals of \(\mathbb {Z}[x] /(\phi (x))\) (see Corollary of Zheng et al. (2023)), the first assertion follows immediately from (36). Let \(\alpha \in R\), then \(\alpha R=\{\alpha x \mid x \in R\}\), and by Lemma 7 we have

$$\begin{aligned} \tau (\alpha x)=H^{*}(\alpha ) \overline{x},\ \ \text{ where } \overline{x}= \begin{pmatrix} x_0 \\ x_1 \\ \vdots \\ x_{n-1} \end{pmatrix}\in \mathbb {Z}^{n} . \end{aligned}$$

It follows that

$$\begin{aligned} \tau (\alpha R)=\left\{ H^{*}(\alpha ) \overline{x} \mid \overline{x}\in \mathbb {Z}^{n}\right\} =L\left( H^{*}(\overline{\alpha })\right) . \end{aligned}$$

To prove (39), recall that any ideal of R is generated by at most two elements (see Corollary 5 on page 11 of Narkiewicz (2004)), namely, \(A=\alpha R+\beta R\); then we have

$$\begin{aligned} \tau (A)=\tau (\alpha R)+\tau (\beta R)=L\left( H^{*}(\overline{\alpha })\right) +L\left( H^{*}(\overline{\beta })\right) . \end{aligned}$$

To introduce an attainable algorithm for high dimensional RSA, we require some basic results from lattice theory. Let \(L=L(B)\subset \mathbb {R}^{n}\) be a full-rank lattice, and the determinant of L is defined by

$$\begin{aligned} d(L)=|{\text {det}}(B)|. \end{aligned}$$
(40)

Suppose that the generator matrix is \(B=\left[ \overline{b}_{1}, \overline{b}_{2}, \cdots , \overline{b}_{n}\right] \), where \(\overline{b}_{i} \in \mathbb {R}^{n}\) are the column vectors of B. Since \(\left\{ \overline{b}_{1}, \overline{b}_{2}, \cdots , \overline{{b}}_{n}\right\} \) is a basis for \(\mathbb {R}^{n}\), let \(B^{*}=\left\{ \overline{b}_{1}^{*}, \overline{b}_{2}^{*}, \cdots , \overline{b}_{n}^{*}\right\} \) be the corresponding orthogonal basis, where \(\overline{b}_{1}^{*}=\overline{b}_{1}\), and each \(\overline{b}_{i}^{*} \) is obtained in order by the Gram-Schmidt orthogonalization process.

A basis B is said to be in Hermite Normal Form (HNF) if it is upper triangular, all elements on the diagonal are strictly positive, and every other element \(b_{i j}\) satisfies \(0 \le b_{i j}<b_{i i}\). It is easy to see that every integer lattice \(L=L(B)\) has a unique basis in Hermite Normal Form, denoted by \({\text {HNF}}(L)\) (see Theorem 2.4.3 of Cohen (1993)). Moreover, given any basis B for the lattice L, \( {\text {HNF}}(L)\) can be efficiently computed from B (see Cohen (1993), Micciancio (2001)).

Proposition 1

Let \(L=L(B)\) and \(B=(b_{ij})_{n\times n}\) be the basis in HNF. Then the corresponding orthogonal basis \(B^{*}\) is a diagonal matrix, namely

$$\begin{aligned} B^{*}={\text {diag}}\left\{ b_{11}, b_{22}, \cdots , b_{nn}\right\} . \end{aligned}$$
(41)

Moreover, we have

$$\begin{aligned} d(L)=\prod _{i=1}^{n} b_{i i}. \end{aligned}$$
(42)

Proof

See Micciancio (2001).

Definition 3

Let \(L=L(B)\subset \mathbb {R}^{n}\) be a full-rank lattice, and \(B^{*}=\left[ \overline{b}_{1}^{*}, \overline{b}_{2}^{*}, \cdots , \overline{b}_{n}^{*}\right] \) be the corresponding orthogonal basis, the orthogonal parallelepiped \(F\left( B^{*}\right) \) is defined by

$$\begin{aligned} F( B^{*})=\left\{ \sum _{i=1}^{n} x_{ i}\overline{b}_{i}^{*} \mid 0\le x_{i}<1 \ \text {and}\ x_{i}\in \mathbb {R}\right\} . \end{aligned}$$
(43)

Proposition 2

Let \(L=L(B)\subset \mathbb {Z}^{n}\) be an integer lattice, \(B= {\text {HNF}}(L)\) be the basis in \({\text {HNF}}\) and \(B^{*}= {\text {diag}}\left\{ b_{11}, b_{22}, \cdots , b_{nn}\right\} \) be the corresponding orthogonal basis, \(F\left( B^{*}\right) \) is the orthogonal parallelepiped given by (43), then S is a set of coset representatives for the quotient group \(\mathbb {Z}^{n} / L\), where

$$\begin{aligned} S=F\left( B^{*}\right) \cap \mathbb {Z}^{n}=\left\{ x^{\prime }=\left( x_{1}, x_{2}, \cdots , x_{n}\right) \mid \forall x_{i} \in \mathbb {Z}\ \ \text{ and } \ \ 0 \le x_{i}<b_{ ii}\right\} . \end{aligned}$$

Proof

See Sect. 4.1 of Micciancio (2001).

Now, we return to the algebraic numbers field \(E=Q[\theta ]\) (with NC-property). Let \(\alpha ,\beta \in R\) be two algebraic integers. By Lemma 8, the principal ideal \(\alpha R\) corresponds to the minimal \( \phi \)-ideal lattice \(L ( H^{*}(\overline{\alpha }))\). Thus \(A=(\alpha R)(\beta R)=\alpha \beta R\) corresponds to \(L\left( H^{*}( \overline{\alpha }\otimes \overline{\beta })\right) \).

Definition 4

For given \(\alpha , \beta \in R\), \( \tau (\alpha )=\overline{\alpha }\), and \(\tau (\beta )=\overline{\beta }\), we denote the lattice \(L_{\alpha , \beta }\) by

$$\begin{aligned} L_{\alpha , \beta }=L\left( H^{*}(\overline{\alpha } \otimes \overline{\beta })\right) . \end{aligned}$$
(44)

The \({\text {HNF}}\) basis of \(L_{\alpha , \beta }\) is denoted by \(B_{ \alpha , \beta }\) and the corresponding orthogonal basis is denoted by

$$\begin{aligned} B_{\alpha , \beta }^{*}={\text {diag}}\left\{ b_{1}, b_{2}, \cdots , b_{n}\right\} , \end{aligned}$$
(45)

where \(b_{i} \in \mathbb {Z}\) and \(b_{i} \ge 1\). The parallelepiped is given by

$$\begin{aligned} S_{\alpha , \beta }=\left\{ \left( x_{1}, x_{2}, \cdots , x_{n}\right) \in \mathbb {Z}^{n} \mid x_{i} \in \mathbb {Z}\ \ \text{ and } \ \ 0 \le x_{i}<b_{i}\right\} . \end{aligned}$$
(46)

Lemma 9

Let \(\alpha \in R, \beta \in R\), and \(A=\alpha \beta R\). Then \(S_{\alpha , \beta } \) given by (46) corresponds to a set of coset representatives of the factor ring R/A in the algebraic numbers field E with NC-property.

Proof

By Proposition 1, it is easy to see that

$$\begin{aligned} \left| S_{\alpha , \beta }\right| =\prod _{i=1}^{n} b_{i} =\left| {\text {det}}\left( H^{*}(\overline{\alpha } \otimes \overline{\beta })\right) \right| =\left| {\text {det}}\left( H^{*}(\overline{\alpha })\right) \right| \cdot \left| {\text {det}}\left( H^{*}(\overline{\beta })\right) \right| =d\left( L_{\alpha , \beta }\right) . \end{aligned}$$

By Theorem 2 and (12), we have

$$\begin{aligned} \begin{aligned} N(A) =|N(\alpha \cdot \beta )|=| N( \alpha )| \cdot | N(\beta ) |= \left| {\text {det}}\left( H^{*}(\overline{\alpha })\right) \right| \cdot \left| {\text {det}}\left( H^{*}(\overline{\beta })\right) \right| =d\left( L_{\alpha , \beta }\right) . \end{aligned} \end{aligned}$$

It follows that \(N(A)=\left| S_{\alpha , \beta }\right| \). Since E satisfies NC-property, if \(\alpha \in R\), then \(\overline{\alpha }=\tau (\alpha ) \in \mathbb {Z}^{n}\), hence \(\alpha \equiv \beta (\text {mod}\ \ A)\) in R, if and only if

$$\begin{aligned} \overline{\alpha } \equiv \overline{\beta }\left( {\text {mod}}\ \ L_{\alpha , \beta }\right) . \end{aligned}$$

The lemma follows from Proposition 2 immediately.

The main result of this subsection is the following theorem.

Theorem 3

Let E be an algebraic numbers field of degree n with NC-property, \(\alpha \in R, \beta \in R\) be two distinct prime elements, \(A=\alpha \beta R\), and \(L_{\alpha , \beta }\) be the lattice given by (44). Then for any \(\overline{a} \in \mathbb {Z}^{n}, k \in \mathbb {Z}, k \ge 0\), we have

$$\begin{aligned} \overline{a}^{\otimes (k \varphi (\alpha , \beta )+1)}\equiv \overline{a} \left( \text{ mod } \ \ L_{\alpha , \beta }\right) , \end{aligned}$$
(47)

where

$$\begin{aligned} \varphi (\alpha , \beta )=\left( \left| {\text {det}}\left( H^{*}(\overline{\alpha })\right) \right| -1\right) \left( \left| {\text {det}}\left( H^{*}(\overline{\beta })\right) \right| -1\right) . \end{aligned}$$
(48)

Proof

Since E satisfies NC-property, \(\overline{a} \in \mathbb {Z}^{n}\), then \(a=\tau ^{-1}(\overline{a}) \in R\). By Theorem 1, we have

$$\begin{aligned} a^{k \varphi (A)+1} \equiv a ( \text{ mod } \ \ A ). \end{aligned}$$

It is easy to see that

$$\begin{aligned} \begin{aligned} \varphi (A)=\varphi (\alpha R) \varphi (\beta R)&=(N(\alpha R)-1)(N(\beta R)-1) \\&=(|N(\alpha )|-1)(|N(\beta )|-1) \\&=\left( \left| {\text {det}}\left( H^{*}(\overline{\alpha })\right) \right| -1\right) \left( \left| {\text {det}}\left( H^{*}(\overline{\beta })\right) \right| -1\right) \\&=\varphi (\alpha , \beta ). \end{aligned} \end{aligned}$$

By Lemma 8, we have

$$\begin{aligned} \tau (A)=\tau (\alpha \beta R)= L\left( H^{*}(\overline{\alpha }\otimes \overline{\beta })\right) =L_{\alpha , \beta } \ \ \text {and}\ \ \tau \left( a^{k \varphi (\alpha ,\beta )+1}\right) =\overline{a}^{\otimes (k\varphi (\alpha , \beta )+1)}. \end{aligned}$$

Therefore, (47) follows immediately.

According to the above theorem, we may describe an attainable algorithm for high dimensional RSA as follows (Table 3).

Table 3 Algorithm I

Remark 2

If the class number \(h_{E}=1\), in other words, R is a UFD, then the prime elements are equivalent to irreducible elements in R, and one can find prime elements \(\alpha \) from \(\alpha (x) \in \mathbb {Z}[x]/(\phi (x))\) and \(\alpha (x)\) irreducible.

4 Security and Example

The classical RSA public key cryptosystem is nowadays used in a wide variety of applications ranging from web browsers to smart cards. Since its initial publication in 1978, many researchers have tried to look for vulnerabilities in the system. Some clever attacks have been found (see Bonech (2002), Coppersmith (2001)). However, none of the known attacks is devastating and the ordinary RSA system is still considered secure.

The security of high dimensional RSA depends on factoring an element of the algebraic integers ring R into a product of distinct prime elements. Factoring in R is much more complicated than factoring a positive integer, and no efficient method is known to date; thus we consider the high dimensional RSA almost absolutely secure.

As for the size of the private keys, since \({\text {det}}\left( H^{*}(\overline{\alpha })\right) =N(\alpha )\), it may be extremely large. For example, if \(\alpha =p \in \mathbb {Z},\) \( \beta =q \in \mathbb {Z}\) are prime numbers, then

$$\begin{aligned} {\text {det}}\left( H^{*}(\overline{\alpha })\right) =N(\alpha )=p^{n},\ \ \ {\text {det}}\left( H^{*}(\overline{\beta })\right) =q^{n} \end{aligned}$$

and

$$\begin{aligned}\varphi (\alpha , \beta )=\left( p^{n}-1\right) \left( q^{n}-1\right) ,\end{aligned}$$

which is much larger than pq, the latter being the size of the public key of the classical RSA cryptosystem.

Lattice-based cryptography has been intensively studied for the past two decades. The GGH cryptosystem proposed by Goldreich et al. (1997) is perhaps the most intuitive encryption scheme based on lattices. The public key is a “bad” basis for a lattice, and Micciancio (2001) proposed to use, as the public basis, the Hermite Normal Form B = HNF(L). The private key of GGH is an exceptionally good basis for L. The security of GGH relies on the assumption that it is difficult to find a special basis for L from a known basis of L. In this sense, we regard the high dimensional RSA as at least as secure as the GGH/HNF cryptosystem.

Another number theoretic cryptosystem based on lattices is NTRUEncrypt. The public key cryptosystem NTRU proposed in 1996 by Hoffstein et al. (1998) is the fastest known lattice-based encryption scheme. Although its description relies on arithmetic over the polynomial quotient ring \(Z[x]/\langle x^{n}-1\rangle \), it was easily observed that it could be expressed as a lattice-based cryptosystem. NTRU uses a q-ary convolutional modular lattice (see Micciancio and Regev (2009), Zheng (2022)); its public key is also the HNF basis of L, and the private key is a special basis of L containing two secret polynomials f(x) and g(x). Obviously, our Algorithm I is at least as hard as solving NTRUEncrypt.

Unfortunately, neither GGH nor NTRU is supported by a proof of security showing that breaking the cryptosystem is at least as hard as solving some underlying lattice problem; they are primarily practical proposals aimed at offering a concrete alternative to RSA or other number theoretic cryptosystems (see page 166 of Micciancio and Regev (2009)). However, the significance of this chapter is to show that the real alternative of RSA is the high dimensional RSA we present here rather than GGH and NTRU.

Example 1

Finally, we give an example to see how the high dimensional RSA works in a quadratic field. Let \(E=Q(\sqrt{d})\), where \(d \in \mathbb {Z}\) is a square-free integer and \(d\equiv 2\) or \(3 \ \textrm{mod} \ 4\); thus E satisfies the NC-property. Let \(\delta _{E}\) be the discriminant of E; it is known that \(\delta _{E}=4 d\) (see Proposition 13.1.2 of Ireland and Rosen (1990)). Let \(p \in \mathbb {Z}\) be an odd prime satisfying the following condition:

$$\begin{aligned} p \not \mid 4d,\ \ \text { and }\ \ x^{2}\equiv d(\text {mod}\ \ p) \ \text {is not solvable in }\ \mathbb {Z}. \end{aligned}$$
(49)

By Proposition 13.1.3 of Ireland and Rosen (1990), we know that p is a prime element in E.

According to Algorithm \(\textrm{I}\), we select two large primes p and q which satisfy (49). Let \(\alpha =p\) and \(\beta =q\), then

$$\begin{aligned} \bar{\alpha }=\left( \begin{array}{l} p \\ 0 \end{array}\right) ,\ \bar{\beta }=\left( \begin{array}{l} q \\ 0 \end{array}\right) , \ H^{*}(\overline{\alpha })=\left( \begin{array}{ll} p &{} 0 \\ 0 &{} p \end{array}\right) ,\ \text{ and } \ H^{*}(\overline{\beta })=\left( \begin{array}{ll} q &{} 0 \\ 0 &{} q \end{array}\right) . \end{aligned}$$

It follows that

$$\begin{aligned} H^{*}( \overline{\alpha } \otimes \overline{\beta })= H^{*}( \overline{\alpha } )H^{*}( \overline{\beta } )=\left( \begin{matrix} pq&{}0\\ 0&{}pq \end{matrix}\right) ,\ \ L_{\alpha ,\beta }=L\left( H^{*}( \overline{\alpha } \otimes \overline{\beta }) \right) \end{aligned}$$
(50)

and

$$\begin{aligned} S_{\alpha , \beta }=\left\{ x=\left( \begin{matrix} x_{1}\\ x_{2} \end{matrix}\right) \in \mathbb {Z}^{2}\mid 0\le x_{1}, x_{2} <pq \right\} . \end{aligned}$$
(51)

It is easy to see that

$$\begin{aligned} \varphi (\alpha ,\beta )=(p^{2}-1)(q^{2}-1). \end{aligned}$$
(52)

In this special case, the two-dimensional RSA may be described as follows (Table 4).

Table 4 RSA in a quadratic field
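The quadratic-field case of Example 1, carried through as an added example (not the chapter's own code, and not a reproduction of its Tables 3 and 4); it goes beyond Example 1 by also accepting non-rational prime elements, for which the HNF basis of \(L_{\alpha ,\beta }\) is no longer diagonal. Assumptions: \(\otimes \) is multiplication in \(\mathbb {Z}[x]/(x^{2}-D)\) as in (36) and (37), the columns of \(H^{*}(\gamma )\) are \(\tau (\gamma )\) and \(\tau (\gamma \theta )\) as implied by \(\tau (\alpha x)=H^{*}(\alpha )\overline{x}\), the key relation \(ed\equiv 1 \ (\text {mod}\ \varphi (\alpha ,\beta ))\) is read off (47), and all function names and sample values are constructed here.

```python
# Added illustration, not the chapter's code. R = Z[theta] with theta^2 = D;
# an element a0 + a1*theta is stored as the pair tau(a) = (a0, a1).
D = 2  # constructed choice: D = 2 (mod 4), so E = Q(sqrt(2)) has the NC-property

def mul(a, b):
    """a (x) b: multiplication in Z[x]/(x^2 - D), transported by tau."""
    return (a[0]*b[0] + D*a[1]*b[1], a[0]*b[1] + a[1]*b[0])

def norm(a):
    """N(a) = det H*(a), where H*(a) = [[a0, D*a1], [a1, a0]]."""
    return a[0]*a[0] - D*a[1]*a[1]

def egcd(a, b):
    """Return (g, u, v) with u*a + v*b = g."""
    if b == 0:
        return (a, 1, 0)
    g, x, y = egcd(b, a % b)
    return (g, y, x - (a // b)*y)

def hnf(g):
    """HNF basis [[b11, b12], [0, b22]] of L(H*(g)), as (b11, b12, b22)."""
    b22, u, v = egcd(g[1], g[0])       # gcd of the second coordinates
    if b22 < 0:
        b22, u, v = -b22, -u, -v
    b11 = abs(norm(g)) // b22          # d(L) = b11 * b22, equation (42)
    b12 = (u*g[0] + v*D*g[1]) % b11    # lattice vector (b12, b22)
    return (b11, b12, b22)

def reduce_mod(x, B):
    """Representative of x mod L in S = {0 <= x1 < b11, 0 <= x2 < b22}."""
    b11, b12, b22 = B
    k = x[1] // b22
    return ((x[0] - k*b12) % b11, x[1] - k*b22)

def power(a, e, B):
    """a^{(x) e} mod L by square-and-multiply, reducing at every step."""
    r, a = reduce_mod((1, 0), B), reduce_mod(a, B)
    while e:
        if e & 1:
            r = reduce_mod(mul(r, a), B)
        a = reduce_mod(mul(a, a), B)
        e >>= 1
    return r

def keygen(alpha, beta, e):
    """Return (B, e, d): public HNF basis and exponent, private d."""
    phi = (abs(norm(alpha)) - 1) * (abs(norm(beta)) - 1)   # equation (48)
    return hnf(mul(alpha, beta)), e, pow(e, -1, phi)

if __name__ == "__main__":
    # Constructed keys: Example 1 with p = 11, q = 13 (both satisfy (49) for
    # D = 2), then 3+theta and 5+theta, whose norms 7 and 23 are prime.
    for alpha, beta, e, m in [((11, 0), (13, 0), 11, (5, 7)),
                              ((3, 1), (5, 1), 5, (42, 0))]:
        B, e, d = keygen(alpha, beta, e)
        c = power(m, e, B)
        print(B, "m =", m, "c =", c, "decrypted =", power(c, d, B))
```

For the second key the HNF basis is (161, 143, 1), so \(S_{\alpha ,\beta }\) consists of the vectors \((x_{1}, 0)\) with \(0\le x_{1}<161\); for the first key it is the diagonal basis of (50).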

We can similarly deal with the case of cyclotomic fields. Let \(n=\varphi (m)\) for some positive integer m, \(\xi _{m}=e^{2\pi i /m},\) \(E=Q(\xi _{m})\), and \(R \subset E\) be the ring of algebraic integers of E. Suppose that \(p\in \mathbb {Z}\) is a rational prime number, then p is a prime element of R if and only if (see Theorem 2 of page 196 of Ireland and Rosen (1990))

$$\begin{aligned} p \not \mid m \ \ \text {and}\ \ p^{\varphi (m)} \equiv 1(\text {mod}\ \ m). \end{aligned}$$
(53)

Suppose that \(p \in \mathbb {Z}\) and \(q\in \mathbb {Z}\) are two distinct prime numbers satisfying (53), we obtain the lattice \(L(H^{*}(\overline{p} \otimes \overline{q} ))\) and an attainable algorithm in \(Q(\xi _{m}). \)