Fast Reduction of Algebraic Lattices over Cyclotomic Fields

  • Paul KirchnerEmail author
  • Thomas EspitauEmail author
  • Pierre-Alain FouqueEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 12171)


We describe two very efficient polynomial-time algorithms for reducing module lattices defined over arbitrary cyclotomic fields that solve the \(\gamma \)-Hermite Module-SVP problem. They both exploit the structure of tower fields and the second one also uses the symplectic geometry existing in these fields. We conjecture that a rank-2 module over a cyclotomic field of degree n with B-bit coefficients can be heuristically reduced within approximation factor \(2^{\widetilde{\text {O}}\left( n\right) }\) in time \(\widetilde{\text {O}}\left( n^2B\right) \). In the symplectic algorithm, if the condition number C of the input matrix is large enough, this complexity shrinks to \(\widetilde{\text {O}}\left( n^{\log _2 3}C\right) \). In cryptography, matrices are well-conditioned and we can take \(C=B\), but in the worst case, C can be as large as nB. This last result is particularly striking as for some matrices, we can go below the \(n^2B\) swaps lower bound given by the analysis of LLL based on the potential. These algorithms are parallel and we provide a full implementation. We apply them on multilinear cryptographic concrete parameters by reducing matrices of dimension 4096 with 6675-bit integers in 4 days. Finally, we give a quasicubic time for the Gentry-Szydlo algorithm and run it in dimension 1024. It requires efficient ideal multiplications which need fast lattice reductions.



We would like to thank Bill Allombert for his help in the parallelization of the program and Léo Ducas and Damien Stehlé for interesting discussions. Part of this work was done while the authors were visiting the Simons Institute for the Theory of Computing in February 2020. This work is supported by the European Union H2020 program under grant agreements ERC-669891 and Prometheus Project-780701.


  1. 1.
    Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: 28th STOC, pp. 99–108. ACM, May 1996Google Scholar
  2. 2.
    Albrecht, M., Bai, S., Ducas, L.: A subfield lattice attack on overstretched NTRU assumptions - cryptanalysis of some FHE and graded encoding schemes. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part I. LNCS, vol. 9814, pp. 153–178. Springer, Heidelberg (2016). Scholar
  3. 3.
    Albrecht, M.R., Cocis, C., Laguillaumie, F., Langlois, A.: Implementing candidate graded encoding schemes from ideal lattices. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015, Part II. LNCS, vol. 9453, pp. 752–775. Springer, Heidelberg (2015). Scholar
  4. 4.
    Batut, C., Belabas, K., Bernardi, D., Cohen, H., Olivier, M.: PARI-GP (1998).
  5. 5.
    Biasse, J.-F., Espitau, T., Fouque, P.-A., Gélin, A., Kirchner, P.: Computing generator in cyclotomic integer rings - a subfield algorithm for the principal ideal problem in L\(_{|{{\varDelta }{\mathbb{K}|}}}(\frac{1}{2})\) and application to the cryptanalysis of a FHE scheme. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part I. LNCS, vol. 10210, pp. 60–88. Springer, Cham (2017). Scholar
  6. 6.
    Cheon, J.H., Jeong, J., Lee, C.: An algorithm for NTRU-problems, cryptanalysis of the GGH multilinear map without an encoding of zero. In: ANTS (2016)Google Scholar
  7. 7.
    Cohen, H.: Advanced topics in Computational Number Theory, vol. 193. Springer, Heidelberg (2012)Google Scholar
  8. 8.
    Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptol. 10(4), 233–260 (1997). Scholar
  9. 9.
    Cramer, R., Ducas, L., Peikert, C., Regev, O.: Recovering short generators of principal ideals in cyclotomic rings. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016, Part II. LNCS, vol. 9666, pp. 559–585. Springer, Heidelberg (2016). Scholar
  10. 10.
    Espitau, T., Fouque, P.-A., Gérard, B., Tibouchi, M.: Side-channel attacks on BLISS lattice-based signatures: exploiting branch tracing against strongSwan and electromagnetic emanations in microcontrollers. In: Thuraisingham, B.M., Evans, D., Malkin, T., Xu, D. (eds.) CCS 2017, pp. 1857–1874. ACM (2017)Google Scholar
  11. 11.
    Gama, N., Howgrave-Graham, N., Nguyen, P.Q.: Symplectic lattice reduction and NTRU. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 233–253. Springer, Heidelberg (2006). Scholar
  12. 12.
    Gama, N., Nguyen, P.Q.: Finding short lattice vectors within Mordell’s inequality. In: Ladner, R.E., Dwork, C. (eds.) 40th STOC, pp. 207–216. ACM (2008)Google Scholar
  13. 13.
    Garg, S., Gentry, C., Halevi, S.: Candidate multilinear maps from ideal lattices. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 1–17. Springer, Heidelberg (2013). Scholar
  14. 14.
    Gentry, C., Szydlo, M.: Cryptanalysis of the revised NTRU signature scheme. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 299–320. Springer, Heidelberg (2002). Scholar
  15. 15.
    Golub, G.H., Van Loan, C.F.: Matrix Computations, 3rd edn. The Johns Hopkins University Press, Baltimore (1996)zbMATHGoogle Scholar
  16. 16.
    Hanrot, G., Pujol, X., Stehlé, D.: Analyzing blockwise lattice algorithms using dynamical systems. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 447–464. Springer, Heidelberg (2011). Scholar
  17. 17.
    Heckler, C., Thiele, L.: Complexity analysis of a parallel lattice basis reduction algorithm. SIAM J. Comput. 27(5), 1295–1302 (1998)MathSciNetCrossRefGoogle Scholar
  18. 18.
    Higham, N.J.: Accuracy and Stability of Numerical Algorithms. SIAM, Philadelphia (2002)CrossRefGoogle Scholar
  19. 19.
    Hu, Y., Jia, H.: Cryptanalysis of GGH map. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016, Part I. LNCS, vol. 9665, pp. 537–565. Springer, Heidelberg (2016). Scholar
  20. 20.
    Kannan, R.: Improved algorithms for integer programming and related lattice problems. In: Johnson, D.S., et al. (eds.) Symposium on Theory of Computing, pp. 193–206. ACM (1983)Google Scholar
  21. 21.
    Kim, T., Lee, C.: Lattice reductions over Euclidean rings with applications to cryptanalysis. In: O’Neill, M. (ed.) IMACC 2017. LNCS, vol. 10655, pp. 371–391. Springer, Cham (2017). Scholar
  22. 22.
    Kirchner, P.: Algorithms on ideal over complex multiplication order. Cryptology ePrint Archive, Report 2016/220 (2016)Google Scholar
  23. 23.
    Kirchner, P., Espitau, T., Fouque, P.-A.: Algebraic and euclidean lattices: optimal lattice reduction and beyond. Cryptology ePrint Archive, Report 2019/1436 (2019)Google Scholar
  24. 24.
    Kirchner, P., Fouque, P.-A.: Revisiting lattice attacks on overstretched NTRU parameters. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part I. LNCS, vol. 10210, pp. 3–26. Springer, Cham (2017). Scholar
  25. 25.
    Langlois, A., Stehlé, D.: Worst-case to average-case reductions for module lattices. Des. Codes Crypt. 75(3), 565–599 (2014). Scholar
  26. 26.
    Lee, C., Pellet-Mary, A., Stehlé, D., Wallet, A.: An LLL algorithm for module lattices. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019, Part II. LNCS, vol. 11922, pp. 59–90. Springer, Cham (2019). Scholar
  27. 27.
    Lenstra, A.K., Lenstra, H.W.J., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261, 515–534 (1982)MathSciNetCrossRefGoogle Scholar
  28. 28.
    Lenstra, H.W.J., Silverberg, A.: Testing isomorphism of lattices over CM-orders. SIAM J. Comput. 48(4), 1300–1334 (2019)MathSciNetCrossRefGoogle Scholar
  29. 29.
    Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). Scholar
  30. 30.
    Mehlhorn, K., Sanders, P.: Algorithms and Data Structures: The Basic Toolbox. Springer, Heidelberg (2008). Scholar
  31. 31.
    Micciancio, D., Walter, M.: Practical, predictable lattice basis reduction. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016, Part I. LNCS, vol. 9665, pp. 820–849. Springer, Heidelberg (2016). Scholar
  32. 32.
    Mukherjee, T., Stephens-Davidowitz, N.: Lattice reduction for modules, or how to reduce Module-SVP to Module-SVP. Cryptology ePrint Archive, Report 2019/1142 (2019). Accepted to Crypto 2020Google Scholar
  33. 33.
    Napias, H.: A generalization of the LLL-algorithm over Euclidean rings or orders. J. théorie nombres Bordeaux 8(2), 387–396 (1996)MathSciNetCrossRefGoogle Scholar
  34. 34.
    Neukirch, J.: Algebraic Number Theory. Springer, Heidelberg (1988)zbMATHGoogle Scholar
  35. 35.
    Neumaier, A., Stehlé, D.: Faster LLL-type reduction of lattice bases, In: International Symposium on Symbolic and Algebraic Computation, ISSAC, pp. 373–380. ACM (2016)Google Scholar
  36. 36.
    Nguên, P.Q., Stehlé, D.: Floating-point LLL revisited. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 215–233. Springer, Heidelberg (2005). Scholar
  37. 37.
    Novocin, A., Stehlé, D., Villard, G.: An LLL-reduction algorithm with quasi-linear time complexity: extended abstract. In: Fortnow, L., Vadhan, S.P. (eds.) 43rd STOC, pp. 403–412. ACM Press, June 2011Google Scholar
  38. 38.
    Pornin, T., Prest, T.: More efficient algorithms for the NTRU key generation using the field norm. In: Lin, D., Sako, K. (eds.) PKC 2019, Part II. LNCS, vol. 11443, pp. 504–533. Springer, Cham (2019). Scholar
  39. 39.
    Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) 37th STOC, pp. 84–93. ACM Press (2005)Google Scholar
  40. 40.
    Sawyer, P.: Computing Iwasawa decomposition of classical Lie groups of noncompact type using QR-decomposition. Linear Algebra Appl. 493, 573–579 (2016)MathSciNetCrossRefGoogle Scholar
  41. 41.
    Schnorr, C., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66, 181–199 (1994). Scholar
  42. 42.
    Schönhage, A.: Fast reduction and composition of binary quadratic forms. In: International Symposium on Symbolic and Algebraic Computation, ISSAC 1991, pp. 128–133. ACM (1991)Google Scholar
  43. 43.
    Seysen, M.: Simultaneous reduction of a lattice basis its reciprocal basis. Combinatorica 13(3), 363–376 (1993)MathSciNetCrossRefGoogle Scholar
  44. 44.
    The FPLLL development team FPLLL, a lattice reduction library (2016).
  45. 45.
    Villard, G.: Parallel lattice basis reduction. In: International Symposium on Symbolic and Algebraic Computation, ISSAC 1992, pp. 269–277. ACM (1992)Google Scholar

Copyright information

© International Association for Cryptologic Research 2020

Authors and Affiliations

  1. 1.Rennes Univ., IRISA/CNRS FranceRennesFrance
  2. 2.NTT Corp. Secure Plateform LaboratoriesRennesFrance

Personalised recommendations