Short Stickelberger Class Relations and Application to Ideal-SVP

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10210)


The worst-case hardness of finding short vectors in ideals of cyclotomic number fields (Ideal-SVP) is a central matter in lattice-based cryptography. Assuming the worst-case hardness of Ideal-SVP allows one to prove the Ring-LWE and Ring-SIS assumptions, and therefore to prove the security of numerous cryptographic schemes and protocols, including key exchange, digital signatures, public-key encryption and fully homomorphic encryption.

A series of recent works has shown that Principal Ideal-SVP is not always as hard as finding short vectors in general lattices, and some schemes were broken using quantum algorithms: the Soliloquy encryption scheme, the Smart-Vercauteren fully homomorphic encryption scheme from PKC 2010, and the Gentry-Garg-Halevi cryptographic multilinear maps from Eurocrypt 2013.

Those broken schemes were using a special class of principal ideals, but these works also showed how to solve SVP for principal ideals in the worst-case in quantum polynomial time for an approximation factor of \(\exp (\tilde{O}(\sqrt{n}))\). This exposed an unexpected hardness gap between general lattices and some structured ones, and called into question the hardness of various problems over structured lattices, such as Ideal-SVP and Ring-LWE.

In this work, we generalize the previous result to general ideals. Precisely, we show how to solve the close principal multiple problem (CPM) by exploiting the classical theorem that the class group is annihilated by (the Galois-module action of) the so-called Stickelberger ideal. Under some plausible number-theoretical hypothesis, our approach provides a close principal multiple in quantum polynomial time. Combined with the previous results, this solves Ideal-SVP in the worst case in quantum polynomial time for an approximation factor of \(\exp (\tilde{O}(\sqrt{n}))\).

Although it does not seem that the security of Ring-LWE based cryptosystems is directly affected, we contribute novel ideas to the cryptanalysis of schemes based on structured lattices. Moreover, our result shows a deepening of the gap between general lattices and structured ones.
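The Stickelberger ideal named in the abstract, made concrete as an added illustration (not code from the paper): using the textbook Stickelberger element θ = Σ {c/m}·σ_c^{-1}, the elements (a − σ_a)θ have integer coefficients ⌊ac/m⌋, and consecutive differences have coefficients in {0, 1}. Restricting to an odd prime conductor m and all function names are assumptions of this sketch.

```python
from fractions import Fraction

def is_odd_prime(m):
    return m > 2 and all(m % d for d in range(2, int(m ** 0.5) + 1))

def theta(m):
    # Stickelberger element of Q(zeta_m): key c holds the coefficient
    # {c/m} of sigma_c^{-1} in the group ring Q[G], G = (Z/m)^*.
    return {c: Fraction(c, m) for c in range(1, m)}

def apply_sigma(a, elem, m):
    # sigma_a * sigma_c^{-1} = sigma_{c * a^{-1}}^{-1}, so indices are
    # multiplied by a^{-1} mod m.
    a_inv = pow(a, -1, m)
    return {(c * a_inv) % m: x for c, x in elem.items()}

def v(a, m):
    # v_a = (a - sigma_a) * theta, an element of the Stickelberger ideal.
    # Returned as the coefficient list over sigma_1^{-1} .. sigma_{m-1}^{-1}.
    t = theta(m)
    shifted = apply_sigma(a, t, m)
    coeffs = {c: a * t[c] - shifted[c] for c in t}
    if any(x.denominator != 1 for x in coeffs.values()):
        raise ArithmeticError("v_a is expected to lie in Z[G]")
    return [int(coeffs[c]) for c in range(1, m)]

def short_relations(m):
    # w_a = v_a - v_{a-1} for a = 2 .. m-1 (v_1 = 0). Each coefficient is
    # floor(a*c/m) - floor((a-1)*c/m), which is 0 or 1 because c < m.
    if not is_odd_prime(m):
        raise ValueError("this sketch assumes an odd prime conductor m")
    prev, out = v(1, m), []
    for a in range(2, m):
        cur = v(a, m)
        out.append([x - y for x, y in zip(cur, prev)])
        prev = cur
    return out

if __name__ == "__main__":
    m = 23  # sample conductor chosen for the demonstration
    ws = short_relations(m)
    print("largest coefficient of v_{m-1}:", max(v(m - 1, m)))
    print("coefficients used by the w_a:", sorted({x for w in ws for x in w}))
    print("ones per w_a:", sorted({sum(w) for w in ws}))
```

The coefficients of v_a grow with a (up to m − 2 for a = m − 1), while every difference w_a is a 0/1 vector with exactly (m − 1)/2 ones, which is what makes such relations short.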



Copyright information

© International Association for Cryptologic Research 2017

Authors and Affiliations

  • Ronald Cramer (1, 2)
  • Léo Ducas (1)
  • Benjamin Wesolowski (3)

  1. Cryptology Group, CWI, Amsterdam, The Netherlands
  2. Mathematical Institute, Leiden University, Leiden, The Netherlands
  3. École Polytechnique Fédérale de Lausanne, EPFL IC LACAL, Lausanne, Switzerland
