Short Stickelberger Class Relations and Application to Ideal-SVP

  • Ronald Cramer
  • Léo Ducas (corresponding author)
  • Benjamin Wesolowski
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10210)


The worst-case hardness of finding short vectors in ideals of cyclotomic number fields (Ideal-SVP) is a central matter in lattice-based cryptography. Assuming the worst-case hardness of Ideal-SVP allows one to prove the Ring-LWE and Ring-SIS assumptions, and therefore to prove the security of numerous cryptographic schemes and protocols — including key exchange, digital signatures, public-key encryption and fully homomorphic encryption.

A series of recent works has shown that Principal Ideal-SVP is not always as hard as finding short vectors in general lattices, and some schemes were broken using quantum algorithms — the Soliloquy encryption scheme, Smart-Vercauteren fully homomorphic encryption scheme from PKC 2010, and Gentry-Garg-Halevi cryptographic multilinear-maps from Eurocrypt 2013.

Those broken schemes were using a special class of principal ideals, but these works also showed how to solve SVP for principal ideals in the worst case in quantum polynomial time for an approximation factor of \(\exp (\tilde{O}(\sqrt{n}))\). This exposed an unexpected hardness gap between general lattices and some structured ones, and called into question the hardness of various problems over structured lattices, such as Ideal-SVP and Ring-LWE.

In this work, we generalize the previous result to general ideals. Precisely, we show how to solve the close principal multiple problem (CPM) by exploiting the classical theorem that the class group is annihilated by (the Galois-module action of) the so-called Stickelberger ideal. Under a plausible number-theoretic hypothesis, our approach provides a close principal multiple in quantum polynomial time. Combined with the previous results, this solves Ideal-SVP in the worst case in quantum polynomial time for an approximation factor of \(\exp (\tilde{O}(\sqrt{n}))\).
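As an added illustration of the Stickelberger ideal referred to above (example code written for this page, not code from the paper), the following Python script works in the group ring \(\mathbb{Q}[G]\) of \(G = \mathrm{Gal}(\mathbb{Q}(\zeta_p)/\mathbb{Q}) \cong (\mathbb{Z}/p\mathbb{Z})^*\) for an odd prime \(p\). It builds the classical Stickelberger element \(\theta = \sum_{a} \frac{a}{p}\,\sigma_a^{-1}\), checks that the standard multiples \((b - \sigma_b)\theta\) are integral (these generate the Stickelberger ideal), and exhibits the differences \((1 - \sigma_{b+1} + \sigma_b)\theta\), whose coefficients are all 0 or 1 and which therefore act on an ideal class through a product of only \((p-1)/2\) conjugates. Taking these particular differences as the "short" elements is an assumption of the example, not a statement of the paper's exact construction, and the script never touches the class group itself: it only shows why such relations are short in the \(\ell_\infty\) sense, which is what makes the resulting principal multiple close.

```python
"""Stickelberger element of Q(zeta_p) and short integral elements of the
Stickelberger ideal (added example, not code from the paper).

An element of Q[G], G = (Z/pZ)^*, is a dict {a: coefficient} whose key a in
1..p-1 stands for the automorphism sigma_a : zeta_p -> zeta_p^a.
"""
from fractions import Fraction


def group_ring_mul(x, y, p):
    """Product in Q[G]: sigma_a * sigma_b = sigma_{ab mod p}."""
    out = {}
    for a, ca in x.items():
        for b, cb in y.items():
            k = (a * b) % p
            out[k] = out.get(k, Fraction(0)) + ca * cb
    return out


def group_ring_add(*terms):
    """Sum of elements of Q[G], dropping zero coefficients."""
    out = {}
    for t in terms:
        for a, c in t.items():
            out[a] = out.get(a, Fraction(0)) + c
    return {a: c for a, c in out.items() if c != 0}


def stickelberger_element(p):
    """Classical Stickelberger element theta = sum_{a=1}^{p-1} (a/p) sigma_a^{-1}."""
    theta = {}
    for a in range(1, p):
        a_inv = pow(a, -1, p)  # sigma_a^{-1} = sigma_{a^{-1} mod p}
        theta[a_inv] = theta.get(a_inv, Fraction(0)) + Fraction(a, p)
    return theta


def coefficient_vector(x, p):
    """Coefficients of x listed in the order sigma_1, ..., sigma_{p-1}."""
    return [x.get(a, Fraction(0)) for a in range(1, p)]


def is_integral(x):
    """True when every coefficient lies in Z, i.e. x is in Z[G]."""
    return all(c.denominator == 1 for c in x.values())


def stickelberger_multiple(b, p):
    """(b - sigma_b) * theta, 1 <= b <= p-1: integral, with coefficient
    floor(a*b/p) at sigma_{a^{-1}}, so its largest coefficient is b-1."""
    x = group_ring_add({1: Fraction(b)}, {b % p: Fraction(-1)})
    return group_ring_mul(x, stickelberger_element(p), p)


def short_relation(b, p):
    """(1 - sigma_{b+1} + sigma_b) * theta = (b+1 - sigma_{b+1})theta - (b - sigma_b)theta,
    1 <= b <= p-2.  Its coefficients are floor((b+1)a/p) - floor(ba/p), hence 0 or 1.
    Returns the coefficient vector as a list of ints."""
    x = group_ring_add({1: Fraction(1)}, {(b + 1) % p: Fraction(-1)}, {b % p: Fraction(1)})
    prod = group_ring_mul(x, stickelberger_element(p), p)
    assert is_integral(prod)
    return [int(c) for c in coefficient_vector(prod, p)]


def check_shortness(p):
    """For every admissible b: the short relation is a 0/1 vector of weight
    (p-1)/2, whereas (b - sigma_b)theta has a coefficient as large as b-1."""
    for b in range(1, p - 1):
        v = short_relation(b, p)
        if set(v) - {0, 1} or sum(v) != (p - 1) // 2:
            return False
        big = stickelberger_multiple(b, p)
        if not is_integral(big) or max(coefficient_vector(big, p)) != b - 1:
            return False
    return True


if __name__ == "__main__":
    p = 7
    print("theta for p=7:", coefficient_vector(stickelberger_element(p), p))
    for b in range(1, p - 1):
        print(f"(1 - s_{b+1} + s_{b}) theta =", short_relation(b, p))
    print("all short relations are 0/1 of weight (p-1)/2:", check_shortness(p))
```

Running the script for \(p = 7\) prints the six short relations as 0/1 vectors of weight 3. The contrast with \((b - \sigma_b)\theta\), whose coefficients grow linearly in \(b\), is the whole point of working with the differences: when a relation with coefficient vector \(v\) is applied to an ideal class, the resulting principal ideal is a product of \(v_a\)-th powers of conjugates, so small \(v\) keeps the principal multiple close to the original ideal.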

Although it does not seem that the security of Ring-LWE based cryptosystems is directly affected, we contribute novel ideas to the cryptanalysis of schemes based on structured lattices. Moreover, our result shows a deepening of the gap between general lattices and structured ones.



The authors would like to thank René Schoof for helpful and interesting discussions. We are grateful to Paul Kirchner for pointing out a mistake in the appendix of an earlier version of this paper. The second author was partly supported by a grant through a public-private partnership with NXP Semiconductors, and by a Veni Innovational Research Grant from NWO under project number 639.021.645. The third author was supported by the Swiss National Science Foundation under grant number 200021-156420.



Copyright information

© International Association for Cryptologic Research 2017

Authors and Affiliations

  • Ronald Cramer (1, 2)
  • Léo Ducas (1), corresponding author
  • Benjamin Wesolowski (3)
  1. Cryptology Group, CWI, Amsterdam, The Netherlands
  2. Mathematical Institute, Leiden University, Leiden, The Netherlands
  3. École Polytechnique Fédérale de Lausanne, EPFL IC LACAL, Lausanne, Switzerland