Random Self-reducibility of Ideal-SVP via Arakelov Random Walks

  • Koen de BoerEmail author
  • Léo DucasEmail author
  • Alice Pellet-MaryEmail author
  • Benjamin WesolowskiEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 12171)


Fixing a number field, the space of all ideal lattices, up to isometry, is naturally an abelian group, called the Arakelov class group. This fact, well known to number theorists, has so far not been explicitly used in the literature on lattice-based cryptography. Remarkably, the Arakelov class group is a combination of two groups that have already led to significant cryptanalytic advances: the class group and the unit torus.

In the present article, we show that the Arakelov class group has more to offer. We start with the development of a new versatile tool: we prove that, subject to the Riemann Hypothesis for Hecke L-functions, certain random walks on the Arakelov class group have a rapid mixing property. We then exploit this result to relate the average-case and the worst-case of the Shortest Vector Problem in ideal lattices. Our reduction appears particularly sharp: for Hermite-SVP in ideal lattices of certain cyclotomic number fields, it loses no more than a \(\tilde{O}(\sqrt{n})\) factor on the Hermite approximation factor.

Furthermore, we suggest that this rapid-mixing theorem should find other applications in cryptography and in algorithmic number theory.



The authors are grateful to René Schoof for valuable feedback on a preliminary version of this work. Part of this work was done while the authors were visiting the Simons Institute for the Theory of Computing.

L.D. is supported by the European Union Horizon 2020 Research and Innovation Program Grant 780701 (PROMETHEUS), and by a Fellowship from the Simons Institute. K.d.B. was supported by the ERC Advanced Grant 740972 (ALGSTRONGCRYPTO) and by the European Union Horizon 2020 Research and Innovation Program Grant 780701 (PROMETHEUS). A.P. was supported in part by CyberSecurity Research Flanders with reference number VR20192203 and by the Research Council KU Leuven grant C14/18/067 on Cryptanalysis of post-quantum cryptography. Part of this work was done when A.P. was visiting CWI, under the CWI PhD internship program. Part of this work was done when B.W. was at the Cryptology Group, CWI, Amsterdam, The Netherlands, supported by the ERC Advanced Grant 740972 (ALGSTRONGCRYPTO).


  1. 1.
    Ajtai, M.: Generating hard instances of the short basis problem. In: Wiedermann, J., van Emde Boas, P., Nielsen, M. (eds.) ICALP 1999. LNCS, vol. 1644, pp. 1–9. Springer, Heidelberg (1999). Scholar
  2. 2.
    Bach, E., Shallit, J.O.: Algorithmic Number Theory: Efficient Algorithms, vol. 1. MIT Press, Cambridge (1996)zbMATHGoogle Scholar
  3. 3.
    Banaszczyk, W.: New bounds in some transference theorems in the geometry of numbers. Math. Ann. 296(4), 625–636 (1993). Scholar
  4. 4.
    Biasse, J.-F., Espitau, T., Fouque, P.-A., Gélin, A., Kirchner, P.: Computing generator in cyclotomic integer rings. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part I. LNCS, vol. 10210, pp. 60–88. Springer, Cham (2017). Scholar
  5. 5.
    Biasse, J.-F., Fieker, C.: Subexponential class group and unit group computation in large degree number fields. LMS J. Comput. Math. 17(A), 385–403 (2014)MathSciNetCrossRefGoogle Scholar
  6. 6.
    Biasse, J.-F., Song, F.: A polynomial time quantum algorithm for computing class groups and solving the principal ideal problem in arbitrary degree number fields. In: SODA (2016)Google Scholar
  7. 7.
    de Boer, K., Ducas, L., Pellet-Mary, A., Wesolowski, B.: Random self-reducibility of ideal-SVP via Arakelov random walks. Cryptology ePrint Archive, report 2020/297 (2020).
  8. 8.
    de Boer, K., Pagano, C.: Calculating the power residue symbol and Ibeta. In: ISSAC, vol. 68, pp. 923–934 (2017)Google Scholar
  9. 9.
    Buhler, J., Pomerance, C., Robertson, L.: Heuristics for class numbers of prime-power real cyclotomic fields. In: High Primes and Misdemeanours: Lectures in Honour of the 60th Birthday of Hugh Cowie Williams, Fields Institute Communications, pp. 149–157. American Mathematical Society (2004)Google Scholar
  10. 10.
    Campbell, P., Groves, M., Shepherd, D.: Soliloquy: a cautionary tale. In: ETSI 2nd Quantum-Safe Crypto Workshop (2014)Google Scholar
  11. 11.
    Cramer, R., Ducas, L., Peikert, C., Regev, O.: Recovering short generators of principal ideals in cyclotomic rings. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016, Part II. LNCS, vol. 9666, pp. 559–585. Springer, Heidelberg (2016). Scholar
  12. 12.
    Cramer, R., Ducas, L., Wesolowski, B.: Short stickelberger class relations and application to ideal-SVP. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part I. LNCS, vol. 10210, pp. 324–348. Springer, Cham (2017). Scholar
  13. 13.
    Deitmar, A., Echterhoff, S.: Principles of Harmonic Analysis, 2nd edn. Springer, Cham (2016)zbMATHGoogle Scholar
  14. 14.
    Dobrowolski, E.: On a question of Lehmer and the number of irreducible factors of a polynomial. Acta Arithmetica 34(4), 391–401 (1979)MathSciNetCrossRefGoogle Scholar
  15. 15.
    Ducas, L., Plançon, M., Wesolowski, B.: On the shortness of vectors to be found by the ideal-SVP quantum algorithm. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part I. LNCS, vol. 11692, pp. 322–351. Springer, Cham (2019). Scholar
  16. 16.
    Eisenträger, K., Hallgren, S., Kitaev, A., Song, F.: A quantum algorithm for computing the unit group of an arbitrary degree number field. In: STOC, pp. 293–302. ACM (2014)Google Scholar
  17. 17.
    Gentry, C.: A fully homomorphic encryption scheme. Ph.D. thesis, Stanford University (2009).
  18. 18.
    Gentry, C.: Fully homomorphic encryption using ideal lattices. In: STOC, pp. 169–178 (2009)Google Scholar
  19. 19.
    Gentry, C.: Toward basing fully homomorphic encryption on worst-case hardness. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 116–137. Springer, Heidelberg (2010). Scholar
  20. 20.
    Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC, pp. 197–206 (2008)Google Scholar
  21. 21.
    Iwaniec, H., Kowalski, E.: Analytic Number Theory. American Mathematical Society, Providence (2004)zbMATHGoogle Scholar
  22. 22.
    Jao, D., Miller, S.D., Venkatesan, R.: Expander graphs based on GRH with an application to elliptic curve cryptography. J. Number Theory 129, 1491–1504 (2009)MathSciNetCrossRefGoogle Scholar
  23. 23.
    Jetchev, D., Wesolowski, B.: On graphs of isogenies of principally polarizable abelian surfaces and the discrete logarithm problem. CoRR, abs/1506.00522 (2015)Google Scholar
  24. 24.
    Kessler, V.: On the minimum of the unit lattice. Séminaire de Théorie des Nombres de Bordeaux 3(2), 377–380 (1991)MathSciNetCrossRefGoogle Scholar
  25. 25.
    Klein, P.N.: Finding the closest lattice vector when it’s unusually close. In: SODA, pp. 937–941 (2000)Google Scholar
  26. 26.
    Lee, C., Pellet-Mary, A., Stehlé, D., Wallet, A.: An LLL algorithm for module lattices. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019, Part II. LNCS, vol. 11922, pp. 59–90. Springer, Cham (2019). Scholar
  27. 27.
    Louboutin, S.: Explicit bounds for residues of Dedekind zeta functions, values of l-functions at s=1, and relative class numbers. J. Number Theory 85, 263–282 (2000)MathSciNetCrossRefGoogle Scholar
  28. 28.
    Lyubashevsky, V., Micciancio, D.: Generalized compact knapsacks are collision resistant. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006, Part II. LNCS, vol. 4052, pp. 144–155. Springer, Heidelberg (2006). Scholar
  29. 29.
    Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. J. ACM 60(6), 43:1–43:35 (2013). Preliminary version in Eurocrypt 2010MathSciNetCrossRefGoogle Scholar
  30. 30.
    Micciancio, D.: Generalized compact knapsacks, cyclic lattices, and efficient one-way functions. Comput. Complex. 16(4), 365–411 (2007). Preliminary version in FOCS 2002MathSciNetCrossRefzbMATHGoogle Scholar
  31. 31.
    Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measures. SIAM J. Comput. 37(1), 267–302 (2007)MathSciNetCrossRefGoogle Scholar
  32. 32.
    Miller, J.C.: Real cyclotomic fields of prime conductor and their class numbers. Math. Comput. 84(295), 2459–2469 (2015)MathSciNetCrossRefGoogle Scholar
  33. 33.
    Miller, S.D., Stephens-Davidowitz, N.: Generalizations of Banaszczyk’s transference theorems and tail bound. arXiv preprint arXiv:1802.05708 (2018)
  34. 34.
    Minkowski, H.: Gesammelte Abhandlungen. Chelsea, New York (1967)Google Scholar
  35. 35.
    Miyake, T.: Modular Forms. Springer Monographs in Mathematics. Springer, Heidelberg (1989). Scholar
  36. 36.
    Neukirch, J.: Algebraic Number Theory, vol. 322. Springer, Heidelberg (2013). Scholar
  37. 37.
    Neukirch, J., Schappacher, N.: Algebraic Number Theory. Grundlehren der mathematischen Wissenschaften. Springer, Heidelberg (2013)Google Scholar
  38. 38.
    Peikert, C., Rosen, A.: Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 145–166. Springer, Heidelberg (2006). Scholar
  39. 39.
    Pellet-Mary, A., Hanrot, G., Stehlé, D.: Approx-SVP in ideal lattices with pre-processing. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019, Part II. LNCS, vol. 11477, pp. 685–716. Springer, Cham (2019). Scholar
  40. 40.
    Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 1–40 (2009). Preliminary version in STOC 2005MathSciNetCrossRefGoogle Scholar
  41. 41.
    Schoof, R.: Computing Arakelov class groups. In: Algorithmic Number Theory: Lattices, Number Fields, Curves and Cryptography, pp. 447–495. Cambridge University Press (2008)Google Scholar
  42. 42.
    Shoup, V.: A new polynomial factorization algorithm and its implementation. J. Symb. Comput. 20(4), 363–397 (1995)MathSciNetCrossRefGoogle Scholar
  43. 43.
    Stehlé, D., Steinfeld, R., Tanaka, K., Xagawa, K.: Efficient public key encryption based on ideal lattices. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 617–635. Springer, Heidelberg (2009). Scholar
  44. 44.
    von zur Gathen, J., Panario, D.: Factoring polynomials over finite fields: a survey. J. Symb. Comput. 31(1), 3–17 (2001)MathSciNetCrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2020

Authors and Affiliations

  1. 1.Cryptology GroupCWIAmsterdamThe Netherlands
  2. 2.imec-COSIC, KU LeuvenLeuvenBelgium
  3. 3.Univ. Bordeaux, CNRS, Bordeaux INP, IMB, UMR 5251TalenceFrance
  4. 4.INRIA, IMB, UMR 5251TalenceFrance

Personalised recommendations