
Fast Reduction of Algebraic Lattices over Cyclotomic Fields

Part of the Lecture Notes in Computer Science book series (LNSC, volume 12171)

Abstract

We describe two very efficient polynomial-time algorithms for reducing module lattices defined over arbitrary cyclotomic fields; both solve the \(\gamma \)-Hermite Module-SVP problem. Both exploit the structure of tower fields, and the second one also uses the symplectic geometry present in these fields. We conjecture that a rank-2 module over a cyclotomic field of degree n with B-bit coefficients can be heuristically reduced within approximation factor \(2^{\widetilde{\text {O}}\left( n\right) }\) in time \(\widetilde{\text {O}}\left( n^2B\right) \). In the symplectic algorithm, if the condition number C of the input matrix is large enough, this complexity shrinks to \(\widetilde{\text {O}}\left( n^{\log _2 3}C\right) \). In cryptography, matrices are well-conditioned and we can take \(C=B\), but in the worst case C can be as large as nB. This last result is particularly striking, as for some matrices we can go below the \(n^2B\) lower bound on the number of swaps given by the potential-based analysis of LLL. These algorithms are parallel and we provide a full implementation. We apply them to concrete parameters of multilinear-map cryptosystems by reducing matrices of dimension 4096 with 6675-bit integers in 4 days. Finally, we give a quasi-cubic time Gentry-Szydlo algorithm and run it in dimension 1024; it requires efficient ideal multiplications, which in turn need fast lattice reductions.


Notes

  1. The approximation-factor loss incurred by this technique does not increase the approximation factor of the whole DBKZ routine, since it serves only as a polynomial control on the bitsize of the elements and as a way to transform generating families of lattices into bases without degrading the size of the vectors.

  2. In full generality it is not necessarily free, but requiring both fields to be cyclotomic suffices to imply this property.

  3. We defer the precise computation of this constant to [23].

  4. The precise definition of this completion and lifting is given in a dedicated paragraph.

  5. For a distribution which cannot be quantified in closed form, however.

  6. As a generalization of the fact that the density of coprime integers is \(1/\zeta (2)\).

  7. There are easy instances with a larger dimension, for example in [11]. They considered an NTRU instance with degree 317 and modulus 128, and reduced it in 519 s. The low modulus implies that only the middle matrix of dimension 90 has to be reduced, which fplll [44] does in 0.2 s.

References

  1. Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: 28th STOC, pp. 99–108. ACM, May 1996

  2. Albrecht, M., Bai, S., Ducas, L.: A subfield lattice attack on overstretched NTRU assumptions - cryptanalysis of some FHE and graded encoding schemes. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part I. LNCS, vol. 9814, pp. 153–178. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_6

  3. Albrecht, M.R., Cocis, C., Laguillaumie, F., Langlois, A.: Implementing candidate graded encoding schemes from ideal lattices. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015, Part II. LNCS, vol. 9453, pp. 752–775. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48800-3_31

  4. Batut, C., Belabas, K., Bernardi, D., Cohen, H., Olivier, M.: PARI-GP (1998). ftp://megrez.math.u-bordeaux.fr/pub/pari

  5. Biasse, J.-F., Espitau, T., Fouque, P.-A., Gélin, A., Kirchner, P.: Computing generator in cyclotomic integer rings - a subfield algorithm for the principal ideal problem in \(L_{|\Delta_{\mathbb{K}}|}(\frac{1}{2})\) and application to the cryptanalysis of a FHE scheme. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part I. LNCS, vol. 10210, pp. 60–88. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_3

  6. Cheon, J.H., Jeong, J., Lee, C.: An algorithm for NTRU-problems, cryptanalysis of the GGH multilinear map without an encoding of zero. In: ANTS (2016)

  7. Cohen, H.: Advanced Topics in Computational Number Theory, vol. 193. Springer, Heidelberg (2012)

  8. Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptol. 10(4), 233–260 (1997). https://doi.org/10.1007/s001459900030

  9. Cramer, R., Ducas, L., Peikert, C., Regev, O.: Recovering short generators of principal ideals in cyclotomic rings. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016, Part II. LNCS, vol. 9666, pp. 559–585. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_20

  10. Espitau, T., Fouque, P.-A., Gérard, B., Tibouchi, M.: Side-channel attacks on BLISS lattice-based signatures: exploiting branch tracing against strongSwan and electromagnetic emanations in microcontrollers. In: Thuraisingham, B.M., Evans, D., Malkin, T., Xu, D. (eds.) CCS 2017, pp. 1857–1874. ACM (2017)

  11. Gama, N., Howgrave-Graham, N., Nguyen, P.Q.: Symplectic lattice reduction and NTRU. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 233–253. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_15

  12. Gama, N., Nguyen, P.Q.: Finding short lattice vectors within Mordell's inequality. In: Ladner, R.E., Dwork, C. (eds.) 40th STOC, pp. 207–216. ACM (2008)

  13. Garg, S., Gentry, C., Halevi, S.: Candidate multilinear maps from ideal lattices. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 1–17. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_1

  14. Gentry, C., Szydlo, M.: Cryptanalysis of the revised NTRU signature scheme. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 299–320. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_20

  15. Golub, G.H., Van Loan, C.F.: Matrix Computations, 3rd edn. The Johns Hopkins University Press, Baltimore (1996)

  16. Hanrot, G., Pujol, X., Stehlé, D.: Analyzing blockwise lattice algorithms using dynamical systems. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 447–464. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_25

  17. Heckler, C., Thiele, L.: Complexity analysis of a parallel lattice basis reduction algorithm. SIAM J. Comput. 27(5), 1295–1302 (1998)

  18. Higham, N.J.: Accuracy and Stability of Numerical Algorithms. SIAM, Philadelphia (2002)

  19. Hu, Y., Jia, H.: Cryptanalysis of GGH map. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016, Part I. LNCS, vol. 9665, pp. 537–565. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_21

  20. Kannan, R.: Improved algorithms for integer programming and related lattice problems. In: Johnson, D.S., et al. (eds.) Symposium on Theory of Computing, pp. 193–206. ACM (1983)

  21. Kim, T., Lee, C.: Lattice reductions over Euclidean rings with applications to cryptanalysis. In: O'Neill, M. (ed.) IMACC 2017. LNCS, vol. 10655, pp. 371–391. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-71045-7_19

  22. Kirchner, P.: Algorithms on ideal over complex multiplication order. Cryptology ePrint Archive, Report 2016/220 (2016)

  23. Kirchner, P., Espitau, T., Fouque, P.-A.: Algebraic and euclidean lattices: optimal lattice reduction and beyond. Cryptology ePrint Archive, Report 2019/1436 (2019)

  24. Kirchner, P., Fouque, P.-A.: Revisiting lattice attacks on overstretched NTRU parameters. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part I. LNCS, vol. 10210, pp. 3–26. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_1

  25. Langlois, A., Stehlé, D.: Worst-case to average-case reductions for module lattices. Des. Codes Crypt. 75(3), 565–599 (2014). https://doi.org/10.1007/s10623-014-9938-4

  26. Lee, C., Pellet-Mary, A., Stehlé, D., Wallet, A.: An LLL algorithm for module lattices. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019, Part II. LNCS, vol. 11922, pp. 59–90. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34621-8_3

  27. Lenstra, A.K., Lenstra, H.W.J., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261, 515–534 (1982)

  28. Lenstra, H.W.J., Silverberg, A.: Testing isomorphism of lattices over CM-orders. SIAM J. Comput. 48(4), 1300–1334 (2019)

  29. Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1

  30. Mehlhorn, K., Sanders, P.: Algorithms and Data Structures: The Basic Toolbox. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-77978-0

  31. Micciancio, D., Walter, M.: Practical, predictable lattice basis reduction. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016, Part I. LNCS, vol. 9665, pp. 820–849. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_31

  32. Mukherjee, T., Stephens-Davidowitz, N.: Lattice reduction for modules, or how to reduce Module-SVP to Module-SVP. Cryptology ePrint Archive, Report 2019/1142 (2019). Accepted to CRYPTO 2020

  33. Napias, H.: A generalization of the LLL-algorithm over Euclidean rings or orders. J. Théorie Nombres Bordeaux 8(2), 387–396 (1996)

  34. Neukirch, J.: Algebraic Number Theory. Springer, Heidelberg (1988)

  35. Neumaier, A., Stehlé, D.: Faster LLL-type reduction of lattice bases. In: International Symposium on Symbolic and Algebraic Computation, ISSAC, pp. 373–380. ACM (2016)

  36. Nguyen, P.Q., Stehlé, D.: Floating-point LLL revisited. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 215–233. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_13

  37. Novocin, A., Stehlé, D., Villard, G.: An LLL-reduction algorithm with quasi-linear time complexity: extended abstract. In: Fortnow, L., Vadhan, S.P. (eds.) 43rd STOC, pp. 403–412. ACM Press, June 2011

  38. Pornin, T., Prest, T.: More efficient algorithms for the NTRU key generation using the field norm. In: Lin, D., Sako, K. (eds.) PKC 2019, Part II. LNCS, vol. 11443, pp. 504–533. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17259-6_17

  39. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) 37th STOC, pp. 84–93. ACM Press (2005)

  40. Sawyer, P.: Computing Iwasawa decomposition of classical Lie groups of noncompact type using QR-decomposition. Linear Algebra Appl. 493, 573–579 (2016)

  41. Schnorr, C., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66, 181–199 (1994). https://doi.org/10.1007/BF01581144

  42. Schönhage, A.: Fast reduction and composition of binary quadratic forms. In: International Symposium on Symbolic and Algebraic Computation, ISSAC 1991, pp. 128–133. ACM (1991)

  43. Seysen, M.: Simultaneous reduction of a lattice basis and its reciprocal basis. Combinatorica 13(3), 363–376 (1993)

  44. The FPLLL development team: FPLLL, a lattice reduction library (2016). https://github.com/fplll/fplll

  45. Villard, G.: Parallel lattice basis reduction. In: International Symposium on Symbolic and Algebraic Computation, ISSAC 1992, pp. 269–277. ACM (1992)


Acknowledgment

We would like to thank Bill Allombert for his help in the parallelization of the program and Léo Ducas and Damien Stehlé for interesting discussions. Part of this work was done while the authors were visiting the Simons Institute for the Theory of Computing in February 2020. This work is supported by the European Union H2020 program under grant agreements ERC-669891 and Prometheus Project-780701.


Correspondence to Paul Kirchner, Thomas Espitau or Pierre-Alain Fouque.


Copyright information

© 2020 International Association for Cryptologic Research

About this paper


Cite this paper

Kirchner, P., Espitau, T., Fouque, P.-A. (2020). Fast Reduction of Algebraic Lattices over Cyclotomic Fields. In: Micciancio, D., Ristenpart, T. (eds.) Advances in Cryptology – CRYPTO 2020. Lecture Notes in Computer Science, vol. 12171. Springer, Cham. https://doi.org/10.1007/978-3-030-56880-1_6


  • DOI: https://doi.org/10.1007/978-3-030-56880-1_6


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-56879-5

  • Online ISBN: 978-3-030-56880-1
