Approx-SVP in Ideal Lattices with Pre-processing

  • Alice Pellet-Mary
  • Guillaume Hanrot
  • Damien Stehlé
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11477)


We describe an algorithm to solve the approximate Shortest Vector Problem for lattices corresponding to ideals of the ring of integers of an arbitrary number field K. This algorithm has a pre-processing phase, whose run-time is exponential in \(\log |\varDelta |\), with \(\varDelta \) the discriminant of K. Importantly, this pre-processing phase depends only on K. The pre-processing phase outputs an “advice”, whose bit-size is no more than the run-time of the query phase. Given this advice, the query phase of the algorithm takes as input any ideal I of the ring of integers, and outputs an element of I which is at most \(\exp (\widetilde{O}((\log |\varDelta |)^{\alpha +1}/n))\) times longer than a shortest non-zero element of I (with respect to the Euclidean norm of its canonical embedding). This query phase runs in time and space \(\exp (\widetilde{O}( (\log |\varDelta |)^{\max (2/3, 1-2\alpha )}))\) in the classical setting, and \(\exp (\widetilde{O}((\log |\varDelta |)^{1-2\alpha }))\) in the quantum setting. The parameter \(\alpha \) can be chosen arbitrarily in [0, 1/2]. Both correctness and cost analyses rely on heuristic assumptions, whose validity is consistent with experiments.
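The following instantiation of these bounds is added here and is not part of the paper's abstract. It assumes K is the \(2^k\)-th cyclotomic field of degree \(n = 2^{k-1}\), for which the discriminant satisfies \(|\varDelta| = n^n\), so that \(\log |\varDelta| = n \log n\) (logarithms in base 2).

Substituting \(\log |\varDelta| = n\log n\) into the bounds above gives an approximation factor of
\[
\exp\bigl(\widetilde{O}((n\log n)^{\alpha+1}/n)\bigr) = \exp\bigl(\widetilde{O}(n^{\alpha}(\log n)^{\alpha+1})\bigr),
\]
a classical query cost of
\[
\exp\bigl(\widetilde{O}((n\log n)^{\max(2/3,\,1-2\alpha)})\bigr) = \exp\bigl(\widetilde{O}(n^{\max(2/3,\,1-2\alpha)})\bigr),
\]
and a quantum query cost of
\[
\exp\bigl(\widetilde{O}((n\log n)^{1-2\alpha})\bigr) = \exp\bigl(\widetilde{O}(n^{1-2\alpha})\bigr).
\]
Since \(\max(2/3, 1-2\alpha) = 1-2\alpha\) exactly when \(\alpha \le 1/6\), the classical trade-off only operates on \(\alpha \in [0, 1/6]\): raising \(\alpha\) beyond 1/6 leaves the query cost at \(\exp(\widetilde{O}(n^{2/3}))\) while the approximation factor keeps growing. In the quantum setting the full range is useful: at \(\alpha = 1/2\) the exponent \(1-2\alpha\) vanishes, so the query phase is no longer exponential in a power of \(n\), and the returned element is within a factor \(\exp(\widetilde{O}(\sqrt{n}\,(\log n)^{3/2}))\) of the shortest one.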

The algorithm builds upon the algorithms from Cramer et al. [EUROCRYPT 2016] and Cramer et al. [EUROCRYPT 2017]. It relies on the framework from Buchmann [Séminaire de théorie des nombres 1990], which makes it possible to merge them and to extend their applicability from prime-power cyclotomic fields to all number fields. The cost improvements are obtained by allowing precomputations that depend on the field only.



We thank Léo Ducas for his suggestion to use Laarhoven’s CVPP algorithm. We thank Oded Regev and Noah Stephens-Davidowitz for illustrating the importance of limiting the witness size by the run-time of the query phase, by pointing out the faster algorithm with exponential-size witness described in the introduction. We also thank Dan Bernstein, Elena Kirshanova and Alexandre Wallet for helpful discussions.

This work was supported in part by BPI-France in the context of the national project RISQ (P141580), by the European Union PROMETHEUS project (Horizon 2020 Research and Innovation Program, grant 780701) and by the ERC Starting Grant ERC-2013-StG-335086-LATTAC.


  1. [AD17]
    Albrecht, M.R., Deo, A.: Large modulus Ring-LWE \(\ge \) Module-LWE. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 267–296. Springer, Cham (2017)
  2. [Bac90]
    Bach, E.: Explicit bounds for primality testing and related problems. Math. Comput. 55(191), 355–380 (1990)
  3. [BBV+17]
    Bauch, J., Bernstein, D.J., de Valence, H., Lange, T., van Vredendaal, C.: Short generators without quantum computers: the case of multiquadratics. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 27–59. Springer, Cham (2017)
  4. [BEF+17]
    Biasse, J.-F., Espitau, T., Fouque, P.-A., Gélin, A., Kirchner, P.: Computing generator in cyclotomic integer rings. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 60–88. Springer, Cham (2017)
  5. [Ber14]
    Bernstein, D.J.: A subfield-logarithm attack against ideal lattices: computational algebraic number theory tackles lattice-based cryptography. The blog (2014)
  6. [BF14]
    Biasse, J.-F., Fieker, C.: Subexponential class group and unit group computation in large degree number fields. LMS J. Comput. Math. 17(A), 385–403 (2014)
  7. [Bia14]
    Biasse, J.-F.: Subexponential time ideal decomposition in orders of number fields of large degree. Adv. Math. Commun. 8(4), 407–425 (2014)
  8. [Bia17]
    Biasse, J.-F.: Approximate short vectors in ideal lattices of \(\mathbb{Q}(\zeta _{p^e})\) with precomputation of \(\mathrm{Cl}(\mathcal{O}_K)\). In: Adams, C., Camenisch, J. (eds.) SAC 2017. LNCS, vol. 10719, pp. 374–393. Springer, Cham (2018)
  9. [BS96]
    Bach, E., Shallit, J.O.: Algorithmic Number Theory: Efficient Algorithms, vol. 1. MIT Press, Cambridge (1996)
  10. [BS16]
    Biasse, J.-F., Song, F.: Efficient quantum algorithms for computing class groups and solving the principal ideal problem in arbitrary degree number fields. In: SODA, pp. 893–902. Society for Industrial and Applied Mathematics (2016)
  11. [Buc88]
    Buchmann, J.: A subexponential algorithm for the determination of class groups and regulators of algebraic number fields. Séminaire de théorie des nombres, Paris 1988–1989, pp. 27–41 (1990)
  12. [BV11a]
    Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE. In: FOCS 2011, pp. 97–106. IEEE Computer Society (2011)
  13. [BV11b]
    Brakerski, Z., Vaikuntanathan, V.: Fully homomorphic encryption from Ring-LWE and security for key dependent messages. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 505–524. Springer, Heidelberg (2011)
  14. [BV18]
    Biasse, J.-F., van Vredendaal, C.: Fast multiquadratic S-unit computation and application to the calculation of class groups. The Open Book Series 2, 103–118 (2019)
  15. [CDPR16]
    Cramer, R., Ducas, L., Peikert, C., Regev, O.: Recovering short generators of principal ideals in cyclotomic rings. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016, Part II. LNCS, vol. 9666, pp. 559–585. Springer, Heidelberg (2016)
  16. [CDW17]
    Cramer, R., Ducas, L., Wesolowski, B.: Short Stickelberger class relations and application to ideal-SVP. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 324–348. Springer, Cham (2017)
  17. [CGS14]
    Campbell, P., Groves, M., Shepherd, D.: Soliloquy: a cautionary tale (2014)
  18. [Coh13]
    Cohen, H.: A Course in Computational Algebraic Number Theory, vol. 138. Springer, Heidelberg (2013)
  19. [DLW19]
    Doulgerakis, E., Laarhoven, T., de Weger, B.: Finding closest lattice vectors using approximate Voronoi cells. In: PQCRYPTO. Springer (2019, to appear)
  20. [DPW19]
    Ducas, L., Plançon, M., Wesolowski, B.: On the shortness of vectors to be found by the Ideal-SVP Quantum Algorithm (2019, to appear)
  21. [EHKS14]
    Eisenträger, K., Hallgren, S., Kitaev, A., Song, F.: A quantum algorithm for computing the unit group of an arbitrary degree number field. In: Shmoys, D.B. (ed.) 46th Annual ACM Symposium on Theory of Computing, pp. 293–302. ACM Press, May/June 2014
  22. [Gel17]
    Gelin, A.: Calcul de groupes de classes d’un corps de nombres et applications à la cryptologie. Ph.D. thesis, Paris 6 (2017)
  23. [Gen09]
    Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Mitzenmacher, M. (ed.) 41st Annual ACM Symposium on Theory of Computing, pp. 169–178. ACM Press, May/June 2009
  24. [GGH13]
    Garg, S., Gentry, C., Halevi, S.: Candidate multilinear maps from ideal lattices. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 1–17. Springer, Heidelberg (2013)
  25. [HM89]
    Hafner, J.L., McCurley, K.S.: A rigorous subexponential algorithm for computation of class groups. J. Am. Math. Soc. 2(4), 837–850 (1989)
  26. [HWB17]
    Holzer, P., Wunderer, T., Buchmann, J.A.: Recovering short generators of principal fractional ideals in cyclotomic fields of conductor \(p^\alpha q^\beta \). In: Patra, A., Smart, N.P. (eds.) INDOCRYPT 2017. LNCS, vol. 10698, pp. 346–368. Springer, Cham (2017)
  27. [Laa16]
    Laarhoven, T.: Sieving for closest lattice vectors (with preprocessing). In: Avanzi, R., Heys, H. (eds.) SAC 2016. LNCS, vol. 10532, pp. 523–542. Springer, Cham (2017)
  28. [LM00]
    Laurent, B., Massart, P.: Adaptive estimation of a quadratic functional by model selection. Ann. Stat. 28(5), 1302–1338 (2000)
  29. [Lou00]
    Louboutin, S.: Explicit bounds for residues of Dedekind zeta functions, values of \(L\)-functions at \(s = 1\), and relative class numbers. J. Number Theory 85(2), 263–282 (2000)
  30. [LPR10]
    Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010)
  31. [LS15]
    Langlois, A., Stehlé, D.: Worst-case to average-case reductions for module lattices. Des. Codes Cryptogr. 75(3), 565–599 (2015)
  32. [Min67]
    Minkowski, H.: Gesammelte Abhandlungen. Chelsea, New York (1967)
  33. [PRS17]
    Peikert, C., Regev, O., Stephens-Davidowitz, N.: Pseudorandomness of Ring-LWE for any ring and modulus. In: STOC 2017, pp. 461–473. ACM (2017)
  34. [RBV04]
    Rekaya, G., Belfiore, J.-C., Viterbo, E.: A very efficient lattice reduction tool on fast fading channels. In: ISITA (2004)
  35. [Reg05]
    Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) 37th Annual ACM Symposium on Theory of Computing, pp. 84–93. ACM Press, May 2005
  36. [Sam13]
    Samuel, P.: Algebraic Theory of Numbers: Translated from the French by Allan J. Silberger. Courier Corporation, Chelmsford (2013)
  37. [Sch87]
    Schnorr, C.-P.: A hierarchy of polynomial time lattice basis reduction algorithms. Theoret. Comput. Sci. 53, 201–224 (1987)
  38. [SE94]
    Schnorr, C.-P., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66, 181–199 (1994)
  39. [SSTX09]
    Stehlé, D., Steinfeld, R., Tanaka, K., Xagawa, K.: Efficient public key encryption based on ideal lattices. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 617–635. Springer, Heidelberg (2009)
  40. [Ste19]
    Stephens-Davidowitz, N.: A time-distance trade-off for GDD with preprocessing - instantiating the DLW heuristic (2019). Personal communication
  41. [Zim80]
    Zimmert, R.: Ideale kleiner Norm in Idealklassen und eine Regulatorabschätzung. Inventiones mathematicae 62(3), 367–380 (1980)

Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  • Alice Pellet-Mary (1)
  • Guillaume Hanrot (1), corresponding author
  • Damien Stehlé (1)
  1. Univ. Lyon, EnsL, UCBL, CNRS, Inria, LIP, Lyon Cedex 07, France