Short Generators Without Quantum Computers: The Case of Multiquadratics

  • Jens Bauch
  • Daniel J. Bernstein
  • Henry de Valence
  • Tanja Lange
  • Christine van Vredendaal
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10210)


Finding a short element g of a number field, given the ideal generated by g, is a classic problem in computational algebraic number theory. Solving this problem recovers the private key in cryptosystems introduced by Gentry, Smart–Vercauteren, Gentry–Halevi, Garg–Gentry–Halevi, et al. Work over the last few years has shown that for some number fields this problem has a surprisingly low post-quantum security level. This paper shows, and experimentally verifies, that for some number fields this problem has a surprisingly low pre-quantum security level.
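The problem in the abstract, as an added illustration that is not code from the paper: the simplest case is a real quadratic field Q(√d), whose unit group has rank one (Dirichlet), so every generator of the ideal (g) has the form ±g·ε^k for the fundamental unit ε. In the log embedding Log(x) = (log|σ1(x)|, log|σ2(x)|) the units lie on the line x + y = 0, and the canonical-embedding length of g·ε^k is √(2|N(g)| cosh(u_k)) where u_k = log|σ1| − log|σ2|, so the shortest generator is the one whose u is closest to 0: recover k by rounding and divide it off. The example below assumes that the attacker already holds some generator h of the ideal (in a real attack it must first be computed from the ideal, which this example skips), uses Z[√d] as the ring (the full ring of integers for d = 2, 3), and takes the fundamental unit as input; the secret key g = 5 + √2 and the unit power k are constructed sample data. The multiquadratic recursion that is the subject of the paper is not shown here.

```python
# Added example (not from the paper): recovering a short generator of a
# principal ideal in Q(sqrt(d)) from an arbitrary generator, the rank-one
# instance of the "short generator" problem described in the abstract.
#
# Elements of Z[sqrt(d)] are integer pairs (a, b) meaning a + b*sqrt(d).
# Assumptions: d is a squarefree positive integer with d not 1 mod 4 (so
# Z[sqrt(d)] is the full ring of integers) and a fundamental unit eps of
# that ring is supplied by the caller.
import math

def mul(x, y, d):
    """(a + b*sqrt(d)) * (c + e*sqrt(d)) with exact integer arithmetic."""
    a, b = x
    c, e = y
    return (a * c + d * b * e, a * e + b * c)

def norm(x, d):
    """Field norm a^2 - d*b^2 = sigma1(x) * sigma2(x)."""
    a, b = x
    return a * a - d * b * b

def conj(x):
    """Galois conjugate: sigma2 sends sqrt(d) to -sqrt(d)."""
    a, b = x
    return (a, -b)

def power(x, k, d):
    """x**k for k >= 0 by square-and-multiply (exact integers)."""
    result, base = (1, 0), x
    while k:
        if k & 1:
            result = mul(result, base, d)
        base = mul(base, base, d)
        k >>= 1
    return result

def unit_inverse(eps, d):
    """eps^-1 = N(eps) * conj(eps), valid because N(eps) is +1 or -1."""
    n = norm(eps, d)
    assert n in (1, -1), "eps is not a unit"
    a, b = conj(eps)
    return (n * a, n * b)

def log_imbalance(x, d):
    """u(x) = log|sigma1(x)| - log|sigma2(x)| over the two real embeddings.

    sigma2(x) = N(x) / sigma1(x), so the second logarithm is derived from
    the exact integer norm rather than from the float a - b*sqrt(d), which
    cancels catastrophically when x is far from reduced (large k).
    """
    a, b = x
    log_s1 = math.log(abs(a + b * math.sqrt(d)))
    log_s2 = math.log(abs(norm(x, d))) - log_s1
    return log_s1 - log_s2

def short_generator(h, eps, d):
    """Given any generator h of the ideal (g), return the generator of
    minimal canonical-embedding length among h * eps^k.

    Log(h) = Log(g) + k*Log(eps) with Log(eps) = (log|eps|, -log|eps|), so
    u(h) = u(g) + 2k*log|eps| and k is recovered by rounding in the
    rank-one log-unit lattice.  Signs are invisible to Log, so the result
    is determined only up to +-1.
    """
    log_eps = math.log(abs(eps[0] + eps[1] * math.sqrt(d)))
    k = round(log_imbalance(h, d) / (2 * log_eps))
    step = unit_inverse(eps, d) if k > 0 else eps
    return mul(h, power(step, abs(k), d), d)

# Constructed scenario: d = 2, eps = 1 + sqrt(2) (norm -1), secret key
# g = 5 + sqrt(2) (norm 23).  Only h = g * eps^k is handed to the attacker.
D = 2
EPS = (1, 1)
SECRET_G = (5, 1)

def demo(k=7):
    """Return (h, recovered) for the constructed key-recovery scenario."""
    h = mul(SECRET_G, power(EPS, k, D), D)
    return h, short_generator(h, EPS, D)

if __name__ == "__main__":
    h, g = demo(7)
    print("attacker sees h =", h, "norm", norm(h, D))
    print("recovered g     =", g)
```

For k = 7 the attacker sees h = 1533 + 1084√2 (norm −23) and gets back 5 + √2. The rounding step only works because u(g) is smaller than log|ε| in absolute value, which is exactly what "short" means here; a generator that is already unbalanced by more than half a unit step is simply a different lattice point, and the code returns that one instead.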


Keywords: Public-key encryption · Lattice-based cryptography · Ideal lattices · Soliloquy · Gentry · Smart–Vercauteren · Units · Multiquadratic fields


  1. Abel, C.S.: Ein Algorithmus zur Berechnung der Klassenzahl und des Regulators reell-quadratischer Ordnungen. Ph.D. thesis, Universität des Saarlandes, Saarbrücken, Germany (1994)
  2. Adleman, L.M.: Factoring numbers using singular integers. In: STOC 1991, pp. 64–71 (1991)
  3. Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. In: USENIX Security 2016, pp. 327–343 (2016)
  4. Babai, L.: On Lovász' lattice reduction and the nearest lattice point problem. Combinatorica 6(1), 1–13 (1986)
  5. Barbulescu, R., Gaudry, P., Joux, A., Thomé, E.: A heuristic quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 1–16. Springer, Heidelberg (2014). doi:10.1007/978-3-642-55220-5_1
  6. Belabas, K.: Topics in computational algebraic number theory. J. de Théorie des Nombres de Bordeaux 16(1), 19–63 (2004)
  7. Biasse, J.-F., Fieker, C.: Improved techniques for computing the ideal class group and a system of fundamental units in number fields. In: ANTS-IX. Open Book Series, vol. 1, pp. 113–133. Mathematical Sciences Publishers (2012)
  8. Biasse, J.-F., Jacobson Jr., M.J., Silvester, A.K.: Security estimates for quadratic field based cryptosystems. In: Steinfeld, R., Hawkes, P. (eds.) ACISP 2010. LNCS, vol. 6168, pp. 233–247. Springer, Heidelberg (2010). doi:10.1007/978-3-642-14081-5_15
  9. Biasse, J.-F., Song, F.: On the quantum attacks against schemes relying on the hardness of finding a short generator of an ideal in \(\mathbb{Q}(\zeta _{p^n})\) (2015)
  10. Biasse, J.-F., Song, F.: Efficient quantum algorithms for computing class groups and solving the principal ideal problem in arbitrary degree number fields. In: SODA 2016, pp. 893–902 (2016)
  11. Biehl, I., Buchmann, J.: Algorithms for quadratic orders. In: Mathematics of Computation 1943–1993: A Half-century of Computational Mathematics, pp. 425–451. AMS (1994)
  12. Bos, J.W., Costello, C., Naehrig, M., Stebila, D.: Post-quantum key exchange for the TLS protocol from the ring learning with errors problem. In: IEEE S&P 2015, pp. 553–570 (2015)
  13. Buchmann, J., Maurer, M., Möller, B.: Cryptography based on number fields with large regulator. J. de Théorie des Nombres de Bordeaux 12(2), 293–307 (2000)
  14. Buchmann, J., Vollmer, U.: Binary Quadratic Forms: An Algorithmic Approach. Algorithms and Computation in Mathematics. Springer, Heidelberg (2007)
  15. Buchmann, J.A.: A subexponential algorithm for the determination of class groups and regulators of algebraic number fields. In: Séminaire de Théorie des Nombres, Paris 1988–1989, pp. 27–41 (1990)
  16. Buhler, J.P., Lenstra Jr., H.W., Pomerance, C.: Factoring integers with the number field sieve. In: Lenstra, A.K., Lenstra, H.W. (eds.) Algorithms and Computation in Mathematics. Springer, Heidelberg (2007)
  17. Campbell, P., Groves, M., Shepherd, D.: Soliloquy: a cautionary tale (2014)
  18. Cheon, J.H., Han, K., Lee, C., Ryu, H., Stehlé, D.: Cryptanalysis of the multilinear map over the integers. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 3–12. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46800-5_1
  19. Cohen, H.: A Course in Computational Algebraic Number Theory. Springer, Heidelberg (1993)
  20. Cohen, H.: Advanced Topics in Computational Number Theory. Springer, New York (1999)
  21. Coron, J.-S., Lepoint, T., Tibouchi, M.: New multilinear maps over the integers. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 267–286. Springer, Heidelberg (2015). doi:10.1007/978-3-662-47989-6_13
  22. Cramer, R., Ducas, L., Peikert, C., Regev, O.: Recovering short generators of principal ideals in cyclotomic rings. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 559–585. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49896-5_20
  23. The Sage Developers: SageMath, the Sage Mathematics Software System (Version 7.5.1) (2017)
  24. Eisenträger, K., Hallgren, S., Lauter, K.: Weak instances of PLWE. In: Joux, A., Youssef, A. (eds.) SAC 2014. LNCS, vol. 8781, pp. 183–194. Springer, Cham (2014). doi:10.1007/978-3-319-13051-4_11
  25. Galbraith, S.D.: Mathematics of Public Key Cryptography. Cambridge University Press, Cambridge (2012)
  26. Galbraith, S.D., Gaudry, P.: Recent progress on the elliptic curve discrete logarithm problem. Des. Codes Cryptogr. 78(1), 51–72 (2016)
  27. Garg, S., Gentry, C., Halevi, S.: Candidate multilinear maps from ideal lattices. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 1–17. Springer, Heidelberg (2013). doi:10.1007/978-3-642-38348-9_1
  28. Gentry, C.: A fully homomorphic encryption scheme. Ph.D. thesis, Stanford University (2009)
  29. Gentry, C.: Fully homomorphic encryption using ideal lattices. In: STOC 2009, pp. 169–178 (2009)
  30. Gentry, C.: Toward basing fully homomorphic encryption on worst-case hardness. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 116–137. Springer, Heidelberg (2010). doi:10.1007/978-3-642-14623-7_7
  31. Gentry, C., Halevi, S.: Implementing Gentry's fully-homomorphic encryption scheme. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 129–148. Springer, Heidelberg (2011). doi:10.1007/978-3-642-20465-4_9
  32. Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998). doi:10.1007/BFb0054868
  33. Kim, T., Barbulescu, R.: Extended tower number field sieve: a new complexity for the medium prime case. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 543–571. Springer, Heidelberg (2016). doi:10.1007/978-3-662-53018-4_20
  34. Kubota, T.: Über den bizyklischen biquadratischen Zahlkörper. Nagoya Math. J. 10, 65–85 (1956)
  35. Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261, 515–534 (1982)
  36. Lenstra, H.W.: Solving the Pell equation. Notices Amer. Math. Soc. 49, 182–192 (2002)
  37. Pohst, M.: A modification of the LLL reduction algorithm. J. Symb. Comput. 4, 123–127 (1987)
  38. Smart, N.P., Vercauteren, F.: Fully homomorphic encryption with relatively small key and ciphertext sizes. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 420–443. Springer, Heidelberg (2010). doi:10.1007/978-3-642-13013-7_25
  39. van der Kallen, W.: Complexity of an extended lattice reduction algorithm (1998)
  40. Vollmer, U.: Asymptotically fast discrete logarithms in quadratic number fields. In: Bosma, W. (ed.) ANTS 2000. LNCS, vol. 1838, pp. 581–594. Springer, Heidelberg (2000). doi:10.1007/10722028_39
  41. Vollmer, U.: Rigorously analyzed algorithms for the discrete logarithm problem in quadratic number fields. Ph.D. thesis, Technische Universität Darmstadt (2004)
  42. Wada, H.: On the class number and the unit group of certain algebraic number fields. J. Fac. Sci. Univ. Tokyo Sect. I 13(13), 201–209 (1966)
  43. Williams, H.C.: Solving the Pell equation. In: Number Theory for the Millennium III, pp. 397–435. A K Peters (2002)

Copyright information

© International Association for Cryptologic Research 2017

Authors and Affiliations

  1. Department of Mathematics, Simon Fraser University, Burnaby, Canada
  2. Department of Mathematics and Computer Science, Technische Universiteit Eindhoven, Eindhoven, The Netherlands
  3. Department of Computer Science, University of Illinois at Chicago, Chicago, USA
