1 Introduction

Hard Problem in Lattices. Lattice-based problems appear to be among the most attractive alternatives to the integer factorization and discrete logarithm problems due to their conjectured resistance to quantum computations. Fortunately, all cryptographic primitives can be instantiated on the hardness of solving lattice problems, such as signature, basic encryption, Identity Based Encryption (IBE) as well as Fully Homomorphic Encryption (FHE) [21]. Not all these schemes rely on the same lattice-based problem. For instance, the NTRU cryptosystem [24], which is one of the most efficient encryption scheme related to lattices, is based on the Shortest Vector Problem (SVP). Besides, the authors of NTRU were the first to consider specific kinds of lattices, namely those related to polynomial rings. This idea was followed by the definition of another lattice-based problem that is the topic of a large body of works [31,32,33,34, 44]: the Ring Learning With Error Problem (RLWE). Cryptosystems based on RLWE present both an efficient key size reduction and improved performance (for instance decryption, encryption and signature are faster than with arbitrary lattices). Yet, RLWE belongs to the specific family of ideal-lattice problems, which stem from algebraic number theory. This raises a potential drawback, since those lattices carry more structure than classical lattices, as they are derived from ideals in integer rings of number fields.

SPIP and PIP. Another presumably hard problem related to these ideals is called the Short Principal Ideal Problem (SPIP). It consists in finding a shortFootnote 1 generator of an ideal, assuming it is principal. For instance, recovering the secret key from the public key in the Smart and Vercauteren FHE scheme [43] and in the Garg, Gentry, and Halevi multilinear map scheme [20], consists in solving an instance of the SPIP. This problem turns out to hinge on two distinct phases: on the one hand finding an arbitrary generator — known as the Principal Ideal Problem (PIP) — and on the other hand reducing such a generator to a short one. The problem of finding a generator of a principal ideal, which is the aim of this article, and even testing the principality of an ideal, are difficult problems in algorithmic number theory, as precised in [15, Chap. 4] and [45, Sect. 7].

From SPIP to PIP in Cyclotomic Fields. Recently, Cramer, Ducas, Peikert, and Regev [17] showed how to recover a small generator of a principal ideal in a prime-power cyclotomic field from an arbitrary generator in polynomial time. This work was based on an observation of Campbell, Groves, and Shepherd [12] who first proposed an efficient algorithm for reduction, essentially by decoding the log-unit lattice. The correctness of this approach was corroborated by Schank in an independent replication study [39].

Studying SPIP and PIP in this very specific class of number fields is motivated by the concrete instantiations of the various schemes. Again the Smart and Vercauteren FHE scheme [43] and the Garg, Gentry, and Halevi Multilinear Map scheme [20] exemplify this restriction to cyclotomic fields.

Prior Work on the PIP. Solving the PIP essentially requires the computation of the ideal class group \({\text {Cl}}(\mathbb {K})\) of the number field \(\mathbb {K}\) where the ideals are defined. This approach is described in [15, Algorithm 6.5.10] (see [5, Algorithm 7] for a description in line with the approach of this paper). The first subexponential algorithm for computing \({\text {Cl}}(\mathbb {K})\) was due to Hafner and McCurley [23]. It applies to imaginary quadratic fields, and it was later generalized by Buchmann [11] to classes of number fields of fixed degree. In [8], Biasse and Fieker presented an algorithm for computing \({\text {Cl}}(\mathbb {K})\) in subexponential time in arbitrary classes of number fields. Combined with [5, Algorithm 7], this yielded a subexponential time algorithm for solving the PIP in arbitrary classes of number fields. In a prime-power cyclotomic field of degree N, the Biasse-Fieker algorithm solves the PIP in time , for \(\varepsilon >0\) arbitrarily small. Biasse also describedFootnote 2 in [6] an \(L_{|\varDelta _\mathbb {K}|}\left( 1/2+\varepsilon \right) \)-algorithm that computes \({\text {Cl}}(\mathbb {K})\) and solves the PIP in fields of the form \(\mathbb {Q}(\zeta _{p^k})\). Note that the PIP is also the subject of research on quantum algorithms for its resolution. Recently, Biasse and Song [9] described a quantum polynomial time algorithm for the PIP in classes of number fields of arbitrary degree.

Our Results. The main contribution of this paper is an algorithm for computing the class group \({\text {Cl}}(\mathbb {K}^+)\) and solving the PIP in \(\mathbb {K}^+\) in time where \(\mathbb {K}^+\) is the maximal real subfield of prime-power cyclotomic field \(\mathbb {K}\) and N denotes its degree. Thanks to the Gentry-Szydlo algorithm, our algorithm also provides a solution to the PIP in \(\mathbb {K}\) with the same \(L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \)-complexity.

In addition to this theoretical study, we implement an attack against a FHE scheme that relies on the hardness of finding a small generator of ideals in those fields. We were able to recover in practice a generator in the field \(\mathbb {Q}(\zeta _{512})\). Such parameters were proposed by Smart and Vercauteren as toy parameters in [43]. The most challenging part of the computation was to efficiently implement the Gentry-Szydlo algorithm [22]. We used the version of Gentry-Szydlo described by Kirchner in [26]. We also implemented an algorithm for descending to the subfield \(\mathbb {K}^+\) from \(\mathbb {K}\) and for collecting relations between generators of \({\text {Cl}}(\mathbb {K}^+)\).

Organization of the Paper. In Sect. 2, we recall mathematical results for lattices and algebraic number theory that we use in the rest of the paper. Then, Sect. 3 presents the principal ideal problem (PIP) and the cryptosystems based on this problem such as the Smart-Vercauteren fully homomorphic encryption scheme. Next, we describe the different steps of the algorithm to solve PIP in Sect. 4. Finally, Sect. 5 gives information about our experimentations.

2 Mathematical Background

We recall briefly here basic facts on lattices and algebraic number theory. A more detailed introduction is provided in the Appendix A.

General Notations. For dealing with complexities, we introduce the L-notation, that is classical when presenting index calculus algorithms with subexponential complexity. Given two constants a and c with \(a\in [0,1]\) and \(c \ge 0\), we denote by:

$$\begin{aligned} L_{|\varDelta _\mathbb {K}|}(a,c) = e^{(c + o(1)) (\log |\varDelta _\mathbb {K}|)^a (\log \log |\varDelta _\mathbb {K}|)^{1-a}}, \end{aligned}$$

where o(1) tends to 0 as \(|\varDelta _\mathbb {K}|\), the discriminant of the number field, tends to infinity. We also encounter the notation \(L_{|\varDelta _\mathbb {K}|}\left( a\right) \) when specifying c is superfluous, that is considering quantities in \(L_{|\varDelta _\mathbb {K}|}(a,O(1))\).

2.1 Lattices

Lattices are defined as additive discrete subgroups of \(\mathbb {R}^n\), i.e. the integer span \(L(\mathbf {b}_1, \ldots , \mathbf {b}_d) = \bigoplus _{i=1}^d \mathbb {Z}\mathbf {b}_i\) of a linearly independent family of vectors \(\mathbf {b}_1, \ldots , \mathbf {b}_d\) in \(\mathbb {R}^n\). Such a family is called a basis of the lattice, and is not unique. Nevertheless, all the bases of a given lattice have the same number of elements, d, which is called the dimension of the lattice. Among the infinite number of different bases of an n-dimensional lattice with \(n\ge 2\), some have interesting properties, such as having reasonably small vectors and low orthogonality defect — that means that they are almost orthogonal.

The problem of finding such good bases is the aim of lattice reduction. There are in short two kinds of reduction algorithms: approximation algorithms on the one hand, like the celebrated LLL algorithm and its blockwise variants such as BKZ and DBKZ [35], and exact algorithms on the other hand, such as enumeration or sieving, that are exponential in time and space. In high dimension, only approximation algorithms — which run in polynomial time in the dimensionFootnote 3 — can be used to find relatively short vectors, but usually not the shortest ones.

The DBKZ Algorithm and Cheon’s Determinant Trick. In this part, we recall the complexity of DBKZ algorithm, introduced by Micciancio and Walter in [35], its approximation factor, and a trick due to Cheon and Lee [14] that improves this factor for integer lattices with small determinant.

Theorem 1

(Bounds for DBKZ output). The smallest vector output by DBKZ algorithm with block-size \(\beta \) has a norm bounded by:

$$\begin{aligned} \beta ^{\frac{n-1}{2(\beta -1)}} \cdot \mathrm {Vol}\left( \mathcal {L}\right) ^\frac{1}{n}. \end{aligned}$$

The algorithm runs in time \({Poly}(n,{size}(\mathbf {B})) \cdot (3/2+o(1))^{\beta /2}\), where \(\mathbf {B}\) is the input basis and \((3/2+o(1))^{\beta /2}\) stands for the cost of solving the Shortest Vector Problem in dimension \(\beta \), using sieving techniques (see [3]).

Proof

This is a direct application of [35, Theorem 1], where the Hermite constant \(\gamma _\beta \) is upper bounded by \(\beta \).

In a note [14] of 2015, Cheon and Lee suggest to convert the basis of an integer lattice having small determinant, to its Hermite normal form (HNF) before reducing it, for instance with the DBKZ algorithm. This algorithm seems to be folklore. In particular, Biasse uses a similar strategy in the context of class group computations in [5, Sect. 3.3]. This note gives a detailed analysis and we refer to this method as Cheon’s trick. We develop here this idea and derive corresponding bounds. For completeness purpose, the definition of HNF is recalled in Appendix A.1. More precisely, we have the following lemma.

Lemma 1

Given \(\mathbf {B} =[\mathbf {b}_1, \ldots , \mathbf {b}_n]\) a basis in HNF of a n-dimensional lattice \(\mathcal {L}\), we have for any \(1\le i < n\):

$$\begin{aligned} \mathrm {Vol}\left( [\mathbf {b}_1, \ldots ,\mathbf {b}_i]\right) \le \mathrm {Vol}\left( [\mathbf {b}_{1}, \ldots , \mathbf {b}_{i+1}]\right) . \end{aligned}$$

In particular, for any sublattice \(\mathcal {L}'\) generated by the m first vectors of \(\mathbf {B}\), we have \(\mathrm {Vol}\left( \mathcal {L'}\right) \le \mathrm {Vol}\left( \mathcal {L}\right) \).

Remark that both the n-th root of the determinant and an exponential factor of n appear in the bound of Theorem 1. Hence we can perform the DBKZ reduction on a sublattice only generated by the first m columns of the HNF in order to minimize this upper bound, as a trade-off between these quantities.

Explicitly we fix \(m=\left\lfloor \sqrt{\frac{2\beta }{\log {\beta }}\log (\mathrm {Vol}\left( \mathcal {L})\right) }~ \right\rceil \) and run the algorithm of Fig. 1 on the basis \(\mathbf {B} =\left( \mathbf {b}_1, \ldots , \mathbf {b}_n\right) \):

Fig. 1.
figure 1

Approx-SVP algorithm with HNF+DBKZ with block-size \(\beta \).

Full size image

Theorem 2

For any n-dimensional integer lattice \(\mathcal {L}\) such that \(\mathrm {Vol}\left( \mathcal {L}\right) \le \beta ^\frac{n^2}{2\beta }\), the output \(\mathbf {v}\) of the previous Approx-SVP algorithm satisfies:

$$\begin{aligned} \Vert \mathbf {v} \Vert \le \beta ^{\left( 1+o(1)\right) \sqrt{2\log _\beta \left( \mathrm {Vol}\left( \mathcal {L}\right) \right) /\beta }}. \end{aligned}$$

This algorithm takes time \({Poly}(n,{size}(\mathbf {B}))(3/2+o(1))^{\beta /2}\).

Proof

The condition on the covolume of \(\mathcal {L}\) ensures that \(m\le n\).

Then, by Theorem 1 and Lemma 1 we have

$$ \begin{aligned} \Vert \mathbf {v} \Vert \quad&\le \quad \beta ^{\frac{m}{2\beta }} \cdot \mathrm {Vol}\left( \mathcal {L}'\right) ^\frac{1}{m} \\&\le \quad \beta ^{\frac{m}{2\beta }} \cdot \mathrm {Vol}\left( \mathcal {L}\right) ^\frac{1}{m} \\&\le \quad \beta ^{\sqrt{2\log _\beta (\mathrm {Vol}\left( \mathcal {L})\right) /\beta }}, \end{aligned} $$

which yields the announced result.

2.2 Number Fields

Let \(\mathbb {K}=\mathbb {Q}(\alpha )\) be a number field of degree N, then there exists a monic irreducible degree-N polynomial \(P \in \mathbb {Z}[X]\) such that \(\mathbb {K}\simeq \mathbb {Q}[X]/(P)\). Denoting by \(\left( \alpha _1,\ldots ,\alpha _N\right) \in \mathbb {C}^N\) its distinct complex roots, each embedding (field homomorphism) \(\sigma _i:\mathbb {K}\rightarrow \mathbb {C}\) is the evaluation of \(\mathbf {a}\in \mathbb {K}\), viewed as a polynomial modulo P, at the root \(\alpha _i\), i.e. \(\sigma _i:\mathbf {a} \mapsto \mathbf {a}(\alpha _i)\). Let \(r_1\) be the number of real roots and \(r_2\) be the number of pairs of complex roots (\(N=r_1+2r_2\)), we have \(\mathbb {K}\otimes {\mathbb {R}} \simeq {\mathbb {R}}^{r_1}\times {\mathbb {C}}^{r_2}\). We define the norm \(\Vert \cdot \Vert \) over \(\mathbb {K}\) as the canonical Euclidean norm of \(\sigma (\mathbf {x})\in \mathbb {R}^{r_1}\times \mathbb {C}^{r_2}\) where \(\sigma (\mathbf {x})=(\sigma _1(\mathbf {x}),\ldots ,\sigma _{r_1+r_2}(\mathbf {x}))\in \mathbb {R}^{r_1}\times \mathbb {C}^{r_2}\), where \(\sigma _1,\ldots ,\sigma _{r_1}\) are the real embeddings of \(\mathbb {K}\) and \(\sigma _{r_1+1},\ldots ,\sigma _{N}\) are the complex embeddings of \(\mathbb {K}\), each \(\sigma _{r_1+j}\) being paired with its complex conjugate \(\sigma _{r_1+r_2+j}\). The number field \(\mathbb {K}\) is viewed as a Euclidean \(\mathbb {Q}\)-vector space endowed with the inner product \(\langle \mathbf {a},\mathbf {b} \rangle =\sum _{\sigma } \sigma (\mathbf {a})\bar{\sigma }(\mathbf {b})\) where \(\sigma \) ranges over all the \(r_1+2r_2\) embeddings \(\mathbb {K}\rightarrow \mathbb {C}\). This defines the euclidean norm denoted \(\Vert \cdot \Vert \). The algebraic norm on \(\mathbb {K}\) is defined as \(\mathcal {N}_{\mathbb {K}/\mathbb {Q}}(\mathbf {v}) = \prod _{i=1}^N \sigma _i(\mathbf {v}).\)

Coefficient Embedding and Ideal Lattices. Let \(\alpha \) be one of the roots \(\alpha _i\) (it may differ from the initial \(\alpha \) if this one is not an algebraic integer). Considering the natural isomorphism between \(\mathbb {Z}[\alpha ] \subset \mathcal {O}_\mathbb {K}\) and \(\mathbb {Z}[X]/(P)\) gives rise to an embedding of \(\mathbb {Z}[\alpha ]\) trough the coefficients of associated polynomials. More precisely, we have the following sequence of abelian groups

figure a

defining the announced embedding by coefficients as \(\mathcal {C} = \iota ^{-1} \circ \pi ^{-1}\). Such an embedding provides a norm in the field, namely: \(\Vert \mathbf {a} \Vert _\mathcal {C} = \Vert \mathcal {C}(\mathbf {a}) \Vert _2\).

Let us state a basic result on the link between field norm and polynomial representation:

Lemma 2

For algebraic integers defined as polynomials in \(\alpha \), namely \(\mathbf {a} = T(\alpha )\) for \(T \in \mathbb {Z}[X]\), we can bound the norm by

$$\begin{aligned} |\mathcal {N}_{\mathbb {K}/\mathbb {Q}}(\mathbf {a})|\le (N+1)^{m/2} (m+1)^{N/2} H(T)^N H(P)^m, \end{aligned}$$

where \(m=\deg T\), \(N=\deg P\) and H(P) is the absolute maximum of the coefficients of P.

Proof

Remark first that the norm of this element corresponds to the resultant of the polynomials T and P [15, Proposition 4.3.4]. Then we apply the bounds of [10, Theorem 7] for the resultant of two polynomials and conclude.

As a result, we can directly relate the norm of the embedding with the field norm:

Corollary 1

For any \(\mathbf {a} \in \mathbb {Z}[\alpha ]\): \(|\mathcal {N}_{\mathbb {K}/\mathbb {Q}}(\mathbf {a})|^{\frac{1}{N}} \le (N+1) \cdot H(P)\cdot \Vert \mathbf {a}\Vert _\mathcal {C}.\)

Canonical Embedding and Ideals. A remarkable property of the canonical embedding is the way it represents the ring of integers and more generally every integral ideal. Indeed, the embedding \(\sigma (\mathfrak {a})\) of any integral ideal \(\mathfrak {a}\) is a Euclidean lattice. In particular, for the ring of integers, we have that \(\sigma (\mathcal {O}_\mathbb {K})\) is a lattice. Its (co)volume is called the discriminant \(\varDelta _\mathbb {K}\) of the field \(\mathbb {K}\). Therefore, one can compute the discriminant as a determinant: for \((\mathbf {b}_1,\ldots , \mathbf {b}_N)\) an integral basis of \(\mathcal {O}_\mathbb {K}\), we have

$$ \varDelta _\mathbb {K}=\left( {\text {det}}\left( \begin{array}{cccc} \sigma _1(\mathbf {b}_1) &{} \sigma _1(\mathbf {b}_2) &{}\cdots &{} \sigma _1(\mathbf {b}_N) \\ \sigma _2(\mathbf {b}_1) &{} \ddots &{} &{} \vdots \\ \vdots &{} &{} \ddots &{} \vdots \\ \sigma _N(\mathbf {b}_1) &{} \cdots &{} \cdots &{} \sigma _N(\mathbf {b}_N) \end{array} \right) \right) ^2. $$

Loosely speaking, the discriminant is a size measure of the integer ring. That is why we use it to express the complexity when we work with number fields or rings of integers. Moreover, it acts as a proportionality coefficient between the norm of an ideal and the covolume of its embedding:

Lemma 3

For any integral ideal \(\mathfrak {a}\) of \(\mathbb {K}\), we have \(\sigma (\mathfrak {a})\) is a lattice of \(\mathbb {R}^N\) and

$$\begin{aligned} \mathrm {Vol}\left( \sigma (\mathfrak {a})\right) = {\sqrt{|\varDelta _\mathbb {K}|}\mathcal {N} \left( \mathfrak {a}\right) }, \end{aligned}$$

where \(\mathrm {Vol}\left( \mathcal {L}\right) \) is the covolume of the lattice \(\mathcal {L}\).

Smoothness of Ideals. To evaluate the probability of smoothness of ideals, we need to assume the same unproven heuristic as in [5, 8], directly derived from what has been proved for integers by Canfield, Erdős and Pomerance [13]. Let \(\mathcal {P}(x,y)\) be the probability that a principal ideal of \(\mathcal {O}_\mathbb {K}\) of norm bounded by x is a power-product of prime ideals of norm bounded by y. Then, we have

Heuristic 1

[5, Heuristic 1]. We assume that under the Generalized Riemann Hypothesis (GRH), the probability \(\mathcal {P}(x,y)\) satisfies

$$\begin{aligned} \mathcal {P}(x,y) \ge e^{-u \log u (1+o(1))} \quad \text {for } u=\frac{\log x}{\log y}. \end{aligned}$$

Heuristic 1 was put in perspective with Scourfield’s work [40] by Biasse and Fieker [8, Sect. 3.1]. In the number field setting, the previous heuristic admits a neat rewriting in terms of the handy L-notation:

Corollary 2

[5, Corollary 2.1]. Let \(x = \lfloor \log L_{|\varDelta _\mathbb {K}|}\left( {a,c}\right) \rfloor \) and the smoothness bound \(y = \lceil \log L_{|\varDelta _\mathbb {K}|}\left( {b,c'}\right) \rceil \). Then assuming Heuristic 1, the probability \(\mathcal {P}(x,y)\) that an ideal of \(\mathcal {O}_\mathbb {K}\) of norm bounded by x is a power-product of prime ideals of norm bounded by y satisfies

$$\begin{aligned} \mathcal {P}(x,y) \ge L_{|\varDelta _\mathbb {K}|}\left( {a - b, \frac{-c}{c'}(a - b)}\right) . \end{aligned}$$

A similar assertion for smoothness of ideals was proved by Seysen [41] in 1985 for the quadratic case, but for arbitrary degree, it remains conjectural, even under GRH. This is one of the reasons why the complexity of the number field sieve (NFS) [29] is still a heuristic estimation.

2.3 Cyclotomic Fields and Cyclotomic Integers

We denote by \(\varPhi _m\) the m-th cyclotomic polynomial, that is the unique irreducible polynomial in \(\mathbb {Q}[X]\) dividing \(X^m - 1\) that is not a divisor of any of the \(X^k -1\) for \(k<m\). Its roots are thus the m-th primitive roots of the unity. Therefore, cyclotomic polynomials can be written in closed form as:

$$\begin{aligned} \varPhi _m = \prod _{\begin{array}{c} 1\le k\le m\\ \gcd (k,m)=1 \end{array}} \left( X-e^{2i\pi \frac{k}{m}}\right) . \end{aligned}$$

The m-th cyclotomic field \(\mathbb {Q}(\zeta _m)\) is obtained by adjoining a primitive m-th root \(\zeta _m\) of unity to the rational numbers. As such, \(\mathbb {Q}(\zeta _m)\) is isomorphic to the splitting field \(\mathbb {Q}[X]/(\varPhi _m)\). Its degree over \(\mathbb {Q}\) is \(\text {deg}(\varPhi _m)\), that is \(\varphi (m)\), where \(\varphi \) is the Euler totient function. In this specific class of number fields, the ring of integer is precisely \(\mathbb {Z}[X]/(\varPhi _m) \cong \mathbb {Z}[\zeta _m]\) (see [46, Theorem 2.6] for a proof of this statement).

The canonical embedding can also be easily presented since the embeddings are the linear functions sending \(\zeta _m\) to \(\zeta _m^j\), for \(j \in (\mathbb {Z}/m\mathbb {Z})^*\). Since the roots come in conjugate pairs (\(\zeta _m^j = -\zeta _m^{m-j}\) for all j), we can write down the \(\text {Log}\)-embedding by indexing over the quotient \(G = (\mathbb {Z}/m\mathbb {Z})^*\big /\{-1,1\}\):

$$ \begin{aligned} \text {Log}(x):&\qquad \quad \mathbb {K}\qquad \longrightarrow \mathbb {R}^{\varphi (m)/2}\\ {}&\quad P \!\mod \varPhi _m \mapsto \big ( \log |P(\zeta _m^j)| \big )_{j\in G}. \end{aligned} $$

The discriminant of \(\mathbb {Q}(\zeta _m)\) has a closed form expression [46, Proposition 2.7]:

$$ \varDelta _{\mathbb {Q}(\zeta _m)} = (-1)^{\varphi (m)/2} \frac{m^{\varphi (m)}}{\displaystyle \prod _{p|m} p^{\varphi (m)/(p-1)}},$$

where the product in the denominator is over primes p dividing m.

Example 1

For a prime-power cyclotomic field, we get \(\left| \varDelta _{\mathbb {Q}(\zeta _{p^k})}\right| = p^{(kp-k-1)p^{k-1}}\). In particular, when \(p=2\), \(\left| \varDelta _{\mathbb {Q}(\zeta _{2^{n+1}})}\right| = 2^{n2^n}.\)

For power-of-two cyclotomic fields, we then have \(L_{|\varDelta _\mathbb {K}|}\left( \alpha \right) = 2^{O(N^\alpha \log (N))}\). Thus, writing the complexity as \(L_{|\varDelta _\mathbb {K}|}\left( \alpha \right) \) or \(2^{O(N^{\alpha }\log (N))}\) is equivalent. We choose to use the L-notation, since it eases the exposition of the complexities presented in this paper.

2.4 Cyclotomic Units

Giving the complete description of the units of a generic number field is a computationally hard problem of algorithmic number theory. However it is possible to describe a subgroup of finite index of the unit group, called the cyclotomic units. This subgroup contains all the units that are products of numbersFootnote 4 of the form \(\zeta _m^i - 1\) for any \(1\le i\le m\). More precisely we have

Lemma 4

(Lemma 8.1 of [46]). Let m be a prime power, then the group C of cyclotomic units is generated by \(\pm \zeta _m\) and \((\mathbf {b}_i)_{1\le i \le m}\), where

$$\begin{aligned} \mathbf {b}_i = \frac{\zeta _m^i -1}{\zeta _m-1}. \end{aligned}$$

The index of the subgroup of cyclotomic units in the group of units is \(h^+(m)\), the class number of the totally real subfield of \(\mathbb {Q}(\zeta _m)\) (see for instance [46]). In the case of power-of-two m, a well supported conjecture clarifies the value of \(h^+\).

Heuristic 2

(Weber’s class number problem). We assume that for power-of-two cyclotomic fields, the class number of its totally real subfield is 1.

Thus, under Weber’s heuristic, the cyclotomic units and the units coincide in the power-of-two cyclotomic fields.

3 Principal-Ideal Problem and Cryptography

Among all the FHE schemes proposed in the last decade, the security of a couple of them directly relies on the ability to find relatively short generators in principal ideals. This is the case of the proposal of Smart and Vercauteren [43], which is a simplified version of the original scheme of Gentry [21]. Other schemes based on the same security assumptions include the Soliloquy scheme of Campbell, Groves and Shepherd [12] and the candidates for multilinear maps [20, 28]. More formally, the underlying — presumably hard — problem is the following one, already known as SPIP (Short Principal Ideal Problem) or SG-PIP (Short Generator-Principal Ideal Problem): given some \(\mathbb {Z}\)-basis of a principal ideal with a promise that it possesses a “short” generator \(\mathbf {g}\) for the Euclidean norm, find this generator or at least a short enough generator of this ideal.

The strategy to address this problem roughly splits in two main steps:

  1. 1.

    Given the \(\mathbb {Z}\)-basis of the ideal, find a generator, not necessarily short, that is \(\mathbf {g'} = \mathbf {g}\cdot \mathbf {u}\) for a unit \(\mathbf {u}\).

  2. 2.

    From \(\mathbf {g'}\), find a short generator of the ideal.

Recently, several results have allowed to deal with the second step. Indeed, Campbell, Groves and Shepherd [12] claimed in 2014 an — although unproven — efficient solution for power-of-two cyclotomic fields, confirmed by experiments conducted by Schank [39] in 2015. Eventually, the proof was provided by Cramer, Ducas, Peikert, and Regev [17] in 2015. Throughout this paper, we focus on the resolution of the first step, known as PIP (Principal Ideal Problem). Nonetheless, for completeness, we present briefly the reduction from SPIP to PIP in Sect. 4.4.

As a direct illustration of the resolution of this problem, we present an attack on the scheme that Smart and Vercauteren present in [43], which leads to a full key recovery. This attack is our key thread through the exposition of the algorithm. Before going any further in the details of the attack, we recall in Fig. 2 the key generation process in the case of power-of-two cyclotomic fields. This instantiation is the one chosen by the authors for presenting their implementation results.

Fig. 2.
figure 2

Key generation of the scheme [43].

Full size image

Remark 1

The public key can be any \(\mathbb {Z}\)-basis of the ideal generated by \(\mathbf {g}\), or even a two-elements representation of this ideal. Precisely, [43] provides the public key as a pair of elements that generates the lattice. This is always possible, see [15, Sect. 4.7.2]. We make the choice of the Hermite Normal Form representationFootnote 5.

As our attack consists in a full secret key recovery, realized directly from the public key, we do not mention here the encryption and decryption procedures. Even though this work tackles more on the principal ideal problem than on this reduction, we emphasize the fact that the output of this reduction to a short generator can be any one of the \(\mathbf {g}\cdot \zeta _{2N}^i\), having same Euclidean norm for any \(1 \le i \le 2N\). Nonetheless, this does not represent an issue, since all of these keys are equivalent with regard to the decryption procedure. In addition, in this precise construction of the Smart and Vercauteren FHE scheme, the only odd coefficient of G(X) is the last one, so that we may recover the exact generator \(\mathbf {g}\) readily.

The whole complexity of our attack is subexponential, in \(L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \). This beats the previous state-of-the-art in \(L_{|\varDelta _\mathbb {K}|}\left( 2/3\right) \), derived from the combined work of [8, 17].

4 Solving the PIP or How to Perform a Full Key Recovery?

We recall that our ultimate goal is to perform a full key recovery given only the public elements. As mentioned in [43], this problem is obviously much more difficult than recovering a plain-text from a cipher-text which is based on the bounded distance decoding problem and the security level is set according to this latter problem. We first give an overview of the whole strategy and then get an in-depth view of each part. But before going any further into the details of the attack, let us fix the notations and recurrent objects we are going to use. The number field where the PIP is defined is \(\mathbb {Q}(\zeta _{2N})\), for \(N = 2^n\), defined by the polynomial \(X^N+1\), in the same fashion as in Sect. 2.3. For the sake of notation simplicity, \(\zeta _{2N}\) is simply denoted by \(\zeta \). Though we focus on power-of-two cyclotomic fields, all our results can be easily generalized to arbitrary prime-power cyclotomic fields. Our starting point is the public key, that is, a somewhat “bad” basis of the principal ideal \(\mathbf {\mathcal {I}}= \langle \mathbf {g} \rangle \), generated by the secret key \(\mathbf {g}\).

Before any other operations, the dimension of the ideals involved is shrunk by half by reducing the problem to an equivalent one in the totally real subfield \(\mathbb {Q}(\zeta + \zeta ^{-1})\). This is not mandatory (see [6]), but it eases the computation. This part of the algorithm is a straightforward consequence of the Gentry-Szydlo algorithm introduced in [22]. The problem is now reduced to the research of a generator of an ideal \(\mathbf {\mathcal {I}}^+\) in the totally real subfield. Then, the strategy appears to be recursive reductions of ideals, until we eventually reach a B-smooth ideal \(\mathbf {\mathcal {I}}^s\), for a fixed bound \(B>0\) and an algebraic integer \(\mathbf {h}\) such that \(\langle \mathbf {h}\rangle = \mathbf {\mathcal {I}}^+ \cdot \mathbf {\mathcal {I}}^s\). This is the \(\mathfrak {q}\) -descent phase.

We are now interested in finding a generator of \(\mathbf {\mathcal {I}}^s\). We use a strategy based on class group computation. It consists in finding a generating set of all the relations between generators of the class group, and then rewrite the input ideal with respect to these generators. Then we can recover a generator \(\mathbf {h_0}\) of \(\mathbf {\mathcal {I}}^s\) by solving a linear system of equations. It then permits to derive the generator of the ideal \(\mathbf {\mathcal {I}}^+\): \(\mathbf {h}\cdot \mathbf {h_0}^{-1}\). A generator of the public-key ideal is then obtained by lifting it from the totally real subfield to the initial number field \(\mathbb {Q}(\zeta )\). It suffices to multiply the current generator by another integer obtained during the computation. Now the PIP is solved, it only remains a final step to recover the secret key: perform the reduction from this generator to a short one, using the method of [17].

Consequently, the full algorithm can be split in four main steps, which are, in a nutshell:

  1. 1.

    Perform a reduction from the cyclotomic field to its totally real subfield, allowing to work in smaller dimension.

  2. 2.

    Then a \(\mathfrak {q}\)-descent makes the size of involved ideals decrease.

  3. 3.

    Collect relations and run linear algebra to construct small ideals and a generator.

  4. 4.

    Eventually run the derivation of the small generator from a bigger one.

Let us now get into the details of all these parts.

4.1 Step 1: Reduction to the Totally Real Subfield

Starting with the public key, we get a \(\mathbb {Z}\)-basis \((\mathbf {b}_1,\ldots , \mathbf {b}_N)\) of an ideal \(\mathbf {\mathcal {I}}\) belonging to the cyclotomic field \(\mathbb {Q}(\zeta )\) of dimensionFootnote 6 N. The larger the dimension is, the harder it is to handle and even only represent such objects. However, it is possible to halve the dimension. The main part of this step relies on the so-called Gentry-Szydlo (GS) algorithm, first described in [22] as an attack on the NTRU scheme and later revised and generalized by Lenstra and Silverberg in [30].

This original algorithm takes as input a \(\mathbb {Z}\)-basis of an ideal \(\mathbf {\mathcal {I}}\) in the ring \(\mathbb {Z}[X]/(X^N+1)\) — with the promise to be principal — and the algebraic integer \(\mathbf {u} \cdot \mathbf {\bar{u}}\), for \(\mathbf {u}\) a generator of \(\mathbf {\mathcal {I}}\). Here, \(\mathbf {\bar{u}}\) denotes the conjugate of \(\mathbf {u}\) for the automorphism defined by \(\zeta \mapsto \zeta ^{-1}\). It then recovers in polynomial time the element \(\mathbf {u}\). In our case, we can not perform the recovery of the generator \(\mathbf {g}\), secret key of the scheme, since a priori we do not have access to any kind of information about the product \(\mathbf {g} \cdot \mathbf {\bar{g}}\).

To overcome this difficulty, we introduce another integer \(\mathbf {u} = \mathcal {N} \left( \mathbf {g}\right) \,{\mathbf {g}}\,{\mathbf {\bar{g}}^{-1}}\), as described by Garg, Gentry, and Halevi in [20, Sect. 7.8.1]. One should notice that the norm factor is only there to avoid introduction of denominators in the definition of \(\mathbf {u}\). Although \(\mathbf {u}\) is still unknown at this point, thanks to the \(\mathbb {Z}\)-basis of \(\langle \mathbf {g}\rangle \) we can construct a \(\mathbb {Z}\)-basis of \(\langle \mathbf {u} \rangle \) and deriving the product \(\mathbf {u} \cdot \mathbf {\bar{u}}\) which simply corresponds to \(\mathcal {N} \left( \mathbf {g}\right) ^2\).

Hence, we get access to \(\mathbf {u}\) in polynomial time using GS. From this element \(\mathbf {u}\), we directly reconstruct \({\mathbf {g}}\,{\mathbf {\bar{g}}^{-1}}\) and using the basis of \(\mathbf {\mathcal {I}}\), we then introduce the family of vectors

$$\begin{aligned} \mathbf {c}_i = \mathbf {b}_i \left( 1+\frac{\bar{\mathbf {g}}}{\mathbf {{g}}}\right) , \end{aligned}$$

providing a basis of the ideal \(\mathbf {\mathcal {I}}^+\) generated by \(\mathbf {g}+\mathbf {\bar{g}}\). The reader should notice that this ideal belongs to the totally real subfield \(\mathbb {Q}(\zeta + \zeta ^{-1})\), of index 2 in \(\mathbb {Q}(\zeta )\). From now on, we denote by \(\mathcal {O}_\mathbb {K}^+\) the ring of integers of \(\mathbb {Q}(\zeta + \zeta ^{-1})\), corresponding to \(\mathcal {O}_\mathbb {K}\cap \mathbb {Q}(\zeta + \zeta ^{-1})\).

Let us suppose briefly that we know the generator \(\mathbf {g}+\mathbf {\bar{g}}\) of \(\mathbf {\mathcal {I}}^+\). Then it would be sufficient to multiply it by \(\frac{1}{1+{\mathbf {g}}\,{\mathbf {\bar{g}}^{-1}}}\) to recover the secret key \(\mathbf {g}\). Hence, we have reduced the problem of finding a generator of the idea \(\mathbf {\mathcal {I}}\) belonging to the cyclotomic field of dimension N to the one of finding a generator of ideal \(\mathbf {\mathcal {I}}^+\) that belongs to the totally real subfield, whose dimension is \(\frac{N}{2}\). For a more detailed presentation of this technique, see [20, Theorem 8].

Note that even though the generator is known up to a unit — i.e. \((\mathbf {g}+\bar{\mathbf {g}})\cdot \mathbf {v}\) for \(\mathbf {v}\in \mathcal {U}_{\mathbb {Q}(\zeta )}\) — the generator of \(\mathbf {\mathcal {I}}\) recovered is \(\mathbf {g} \cdot \mathbf {v}\). This suffices, thanks to the last reduction part, to recover a short generator.

One could wonder if working in a real field has some relevant matter with the upcoming parts of the attack. The answer is up to our knowledge negative and we are only interested in the halving of dimension. For the asymptotic complexity, this initial reduction is somehow not meaningful since it only gives a speedup of a constant factor in the exponent. But in practice, it allows to double the dimension of the tractable cases, implying tackling security parameters twice bigger!

4.2 Step 2: \(\mathfrak {q}\)-descent Phase

Let us momentarily set aside the algebraic integer obtained in the previous phase and only focus on the ideal \(\mathbf {\mathcal {I}}^+\). By construction, it is principal and generated by \(\mathbf {g}+\mathbf {\bar{g}}\). From now on, all the computations are performed in the totally real subfield of dimension \(\frac{N}{2}\), and from then on N becomes \(\frac{N}{2}\).

The goal of this phase is to find an integer \(\mathbf {h}\) and a B-smooth principal ideal \(\mathbf {\mathcal {I}}^s\), such that \(\langle \mathbf {h} \rangle = \mathbf {\mathcal {I}}^+ \cdot \mathbf {\mathcal {I}}^s\), for a certain bound \(B>0\). These objects are discovered recursively, by generating at each step ideals of norm smaller and smaller. This descent strategy derives from discrete logarithm computations (see [1, 25]) and has been adapted to number fields of large degree by Biasse [5, Sect. 3.2]. Since we want a global complexity in \(L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \), the smoothness bound B is chosenFootnote 7 in \(L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \). In order to bootstrap this \(\mathfrak {q}\)-descent, we first need to find an ideal that splits in the class group as a product of multiple prime ideals of controlled norm, that is in our case, upper bounded by \(L_{|\varDelta _\mathbb {K}|}\left( 1\right) \).

Initial Round: Classical DBKZ Reduction. As announced, we aim to construct efficiently a \(L_{|\varDelta _\mathbb {K}|}\left( 1\right) \)-smooth principal ideal from \(\mathbf {\mathcal {I}}^+\). Formally, we want to prove the following:

Theorem 3

Let \(\mathbb {K}\) be a number field. Assuming Heuristic 1, from any ideal \(\mathfrak {a}\subset \mathcal {O}_\mathbb {K}\), it is possible to generate in expected time \(L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \) an integral ideal \(\mathfrak {b}\) that is \(L_{|\varDelta _\mathbb {K}|}\left( 1\right) \)-smooth and an integer \(\mathbf {v}\) such that:

$$\begin{aligned} \langle \mathbf {v} \rangle = \mathfrak {a}\cdot \mathfrak {b}. \end{aligned}$$

The difficulty of this preliminary part is that a priori the norm of the input ideal \(\mathfrak {a}\) can be large. We thus want to construct at first an ideal whose norm is bounded independently from \(\mathcal {N} \left( \mathfrak {a}\right) \) in the same ideal class as \(\mathfrak {a}\). We proceed by ideal-lattice reduction, as Biasse did in [5, Sect. 2.2]. Through the canonical embedding, any integral ideal \(\mathfrak {a}\) can be viewed as a Euclidean lattice. As usual when dealing with lattice reduction, we are interested in small vectors, or equivalently here, integers with small Euclidean norm. Let us first study the guarantees that a classical DBKZ-reduction offers on the embedding of \(\mathfrak {a}\).

Lemma 5

Let \(\mathbb {K}\) be a number field of degree N, \(\beta \in \{1,\ldots , N\}\), and \(\mathfrak {a}\) be an ideal of \(\mathcal {O}_\mathbb {K}\). Then it is possible to find a short element \(\mathbf {v} \in \mathfrak {a}\) in time \({Poly}\big (N,\log \mathcal {N} \left( \mathfrak {a}\right) \big )(3/2+o(1))^{\beta /2}\), that satisfies:

$$\begin{aligned} \Vert \mathbf {v} \Vert \le \beta ^{\frac{N}{2\beta }}\cdot |\varDelta _\mathbb {K}|^{\frac{1}{2N}}\cdot \mathcal {N} \left( \mathfrak {a}\right) ^{\frac{1}{N}} \end{aligned}$$

where \(\Vert .\Vert \) denotes the Euclidean norm.

Proof

This is only a direct application of Theorem 1 and Lemma 3. Indeed, let \(\mathbf {v}\) be the short vector output by DBKZ applied to the lattice of the embedding of \(\mathfrak {a}\). It has determinant \(\mathcal {N} \left( \mathfrak {a}\right) \sqrt{|\varDelta _\mathbb {K}|}\), yielding the announced upper bound.

Since the ideal \(\mathfrak {a}\) contains \(\langle \mathbf {v} \rangle \), there exists a unique integral ideal \(\mathfrak {b}\) satisfying \(\langle \mathbf {v} \rangle = \mathfrak {a}\cdot \mathfrak {b}.\) From the guarantees on \(\Vert \mathbf {v}\Vert \), we can bound the norm of this new ideal \(\mathfrak {b}\).

Corollary 3

With the same notations as in Lemma 5, we have

$$\begin{aligned} \mathcal {N} \left( \mathfrak {b}\right) \le \beta ^{\frac{N^2}{2\beta }}\cdot \sqrt{|\varDelta _\mathbb {K}|}. \end{aligned}$$

Proof

From Lemma 5, we have

$$ \Vert \mathbf {v}\Vert \le \beta ^{\frac{N}{2\beta }}\cdot |\varDelta _\mathbb {K}|^{\frac{1}{2N}}\cdot \mathcal {N} \left( \mathfrak {a}\right) ^{\frac{1}{N}}.$$

Thus, its field norm is below the N-th power of this bound — the \(N^N\) term is negligible here — and so:

$$\begin{aligned} \mathcal {N} \left( \langle \mathbf {v} \rangle \right) \le \beta ^{\frac{N^2}{2\beta }}\cdot \sqrt{|\varDelta _\mathbb {K}|} \cdot \mathcal {N} \left( \mathfrak {a}\right) . \end{aligned}$$

As a consequence, since \(\langle \mathbf {v} \rangle = \mathfrak {a}\cdot \mathfrak b\), we have by the multiplicative property of the norm \(\mathcal {N} \left( \mathfrak {b}\right) \le \beta ^{\frac{N^2}{2\beta }}\cdot \sqrt{|\varDelta _\mathbb {K}|}\).

Remark 2

Because \(\mathbb {K}\) is a cyclotomic field, we may choose a block-size \(\beta \) in \(\log L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \) since \(\log L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) =N^{1/2+o(1)} \le N\). Then Corollary 3 generates in time \(L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \) an integral ideal of norm bounded by \(L_{|\varDelta _\mathbb {K}|}\left( 3/2\right) \).

This last result allows us to find an ideal of norm bounded independently from \(\mathcal {N} \left( \mathfrak {a}\right) \). We then want this new ideal to split in the class group as a product of multiple prime ideals of controlled norms. Thanks to Corollary 2, the probability of an integral ideal \(\mathfrak {b}\) of norm bounded by \(L_{|\varDelta _\mathbb {K}|}\left( 3/2\right) \) to be \(L_{|\varDelta _\mathbb {K}|}\left( 1\right) \)-smooth is greater than \({L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) }^{-1}\). In addition, using ECM for testing smoothness keeps the complexity in \(L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \). The analysis of this part is left for Sect. 4.5. Therefore, repeating the last construction \(L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \) times on randomized independent inputs eventually yields a \(L_{|\varDelta _\mathbb {K}|}\left( 1\right) \)-smooth ideal. The simplest strategy to perform this randomization of the input ideal is to compose it with some factors of norm less than \(B= L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \). Formally, we denote by \(\mathcal {B} = \{\mathfrak {p}_1, \ldots , \mathfrak {p}_{|\mathcal {B}|}\}\) the set of all prime ideals of norm upper bounded by \(L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \). Let \(k, A > 0\) be fixed integers. We choose \(\mathfrak {p}_{j_1}, \ldots , \mathfrak {p}_{j_k}\) prime ideals of norm \(L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \). Then for any k-uple \((e_1, \ldots , e_k) \in \{1,\ldots , A\}^k\), we have

$$ \mathcal {N} \left( \mathfrak {a}\cdot \prod _{i=1}^k \mathfrak {p}_{j_i}^{e_i} \right) \le \mathcal {N} \left( \mathfrak {a}\right) \cdot \prod _{i=1}^k \mathcal {N} \left( \mathfrak {p}_{j_i}\right) ^{e_i} \le \mathcal {N} \left( \mathfrak {a}\right) \cdot L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) ^{k\cdot A} = \mathcal {N} \left( \mathfrak {a}\right) \cdot L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) . $$

We know from the Landau prime ideal theorem [27] that in every number field \(\mathbb {K}\), the number of prime ideals of norm bounded by X, denoted by \(\pi _\mathbb {K}(X)\), satisfies

$$\begin{aligned} \pi _\mathbb {K}(X) \sim \frac{X}{\log X}. \end{aligned}$$
(1)

Thus, the randomization can be done by choosing uniformly at random the tuple \((e_1, \ldots , e_k)\) and k prime ideals in \(\mathcal {B}\). Since \(|\mathcal {B}| = L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \), set of possible samples is large enough for our purposes.

Other ways to perform the randomization may be by randomizing directly the lattice reduction algorithm or by enumerating points of the lattice of norm close to the norm guarantee and change the basis vectors by freshly enumerated ones. The latter would be useful in practice as it reduces the number of reductions.

This last remark concludes the proof of Theorem 3. The full outline of this bootstrap section is given in Fig. 3.

Fig. 3.
figure 3

First reduction to a \(L_{|\varDelta _\mathbb {K}|}\left( 1\right) \)-smooth ideal.

Full size image

Interlude: Reduction with Cheon’s Trick. In the proof of Theorem 3, we use the classical-DBKZ reduction in order to find a short element in the embedding of the considered ideal. We could not use directly Cheon’s trick here since the norm of the ideal \(\mathbf {\mathcal {I}}^+\) — and so the determinant of its coefficient embedding — is potentially large. Nonetheless, the norm of prime ideals appearing in the factorization are by construction bounded, hence a natural question is to look at the guarantees offered when applying the sub-cited trick. The systematic treatment of this question is the aim of Theorem 4.

Theorem 4

Let \(\mathfrak {a}\) be an integral ideal of norm below \(L_{|\varDelta _\mathbb {K}|}\left( \alpha \right) \), for \(\frac{1}{2} \le \alpha \le 1\). Then, in expected time \(L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \), it is possible to construct an algebraic integer \(\mathbf {v}\) and an \(L_{|\varDelta _\mathbb {K}|}\left( (2\alpha + 1)/4\right) \)-smooth ideal \(\mathfrak {b}\) such that:

$$\begin{aligned} \langle \mathbf {v} \rangle = \mathfrak {a}\cdot \mathfrak {b}. \end{aligned}$$

Proof

The core of the proof is somehow similar to the proof of Theorem 3 as it heavily relies on lattice reduction and randomization techniques. Nonetheless, the major difference is on the embedding with respect to which the reduction is performed. In Theorem 3, the canonical embedding is used, whereas we use here the coefficient embedding \(\mathcal {C}\). It avoids the apparition of a power of the discriminant in the field norm of the output of DBKZ. Nonetheless, remark that since we work in the totally real subfield, we cannot use a naive coefficients embedding of this subfield. In order to benefit from the nice shape of the defining polynomial \(X^N+1\) of the cyclotomic field, we use instead a fold-in-two strategy: the embedding of \(\mathcal {O}_\mathbb {K}^+\) is defined as the coefficient embedding \(\mathcal {C}^+\) for the \(\mathbb {Z}\)-base \((\zeta ^i+\zeta ^{-i})_i\). Let us denote by \(\Vert . \Vert _{\mathcal {C}^+}\) the induced norm. Hence, for any \(v \in \mathcal {O}_\mathbb {K}^+\):

$$\begin{aligned} \Vert \mathbf {v}\Vert _\mathcal {C} = \sqrt{2}\Vert \mathbf {v}\Vert _{\mathcal {C}^+}. \end{aligned}$$

Let \(\mathcal {L} = \mathcal {C}^+(\mathfrak {a})\) be the embedding of \(\mathfrak {a}\). Its covolume is by definition its index in \(\mathbb {Z}^n\), that is the index of \(\mathfrak {a}\) as a \(\mathbb {Z}\)-module in \(\mathcal {O}_\mathbb {K}^+\), which is \(\mathcal {N} \left( \mathfrak {a}\right) \). Then, with the same block-size \(\beta = \log L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) = \mathcal {O}(\sqrt{N}\log (N))\), we have

$$\begin{aligned} \mathrm {Vol}\left( \mathcal {L}\right) \le L_{|\varDelta _\mathbb {K}|}\left( \alpha \right) = 2^{O(N^\alpha \log (N))} \le \beta ^{\frac{N^2}{2\beta }}. \end{aligned}$$

Using the Approx-SVP algorithm of Theorem 2 yields in time \(L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \) an integer \(\mathbf {v}\) satisfying:

$$ \Vert \mathbf {v} \Vert _{\mathcal {C}^+} \le \beta ^{\left( 1+o(1)\right) \sqrt{2\frac{\log _\beta \left( \det (\mathcal {L})\right) }{\beta }}} \le \beta ^{\left( 1+o(1)\right) \sqrt{4\frac{N^\alpha }{\sqrt{N} \log {N}}}} = L_{|\varDelta _\mathbb {K}|}\left( \alpha /2-1/4\right) . $$

Using Corollary 1 to fall back on the field norm induces:

$$ \mathcal {N}_{\mathbb {K}/\mathbb {Q}}(\mathbf {v}) \le {(\sqrt{2}(N+1))}^N \cdot \Vert \mathbf {v}\Vert ^N_\mathcal {C} = L_{|\varDelta _\mathbb {K}|}\left( 1\right) \cdot L_{|\varDelta _\mathbb {K}|}\left( \alpha /2+3/4\right) . $$

Since \(\alpha \ge 1/2\), we then have \(\mathcal {N} \left( \langle \mathbf {v}\rangle \right) = \mathcal {N}_{\mathbb {K}/\mathbb {Q}}(\mathbf {v}) \le L_{|\varDelta _\mathbb {K}|}\left( \alpha /2+3/4\right) \).

Because the ideal \(\mathfrak {a}\) contains \(\langle \mathbf {v} \rangle \), there exists a unique ideal \(\mathfrak {b}\), satisfying \(\langle \mathbf {v} \rangle = \mathfrak {a}\cdot \mathfrak {b}\). We get that \(\mathcal {N} \left( \mathfrak {b}\right) \le L_{|\varDelta _\mathbb {K}|}\left( \alpha /2+3/4\right) \) from the multiplicative property of the norm and \(\mathcal {N}(\mathfrak {a}) = L_{|\varDelta _\mathbb {K}|}\left( 1\right) \le L_{|\varDelta _\mathbb {K}|}\left( \alpha /2+3/4\right) \). Under Heuristic 1, this ideal is \(L_{|\varDelta _\mathbb {K}|}\left( \alpha /2+1/4\right) \)-smooth with probability \(L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \). Eventually performing the randomization-and-repeat technique as in the initial round, this reduction in the coefficient embedding yields the desired couple \((\mathbf {v},\mathfrak {b})\) in expected time \(L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \).

Descending to B -smoothness. After the first round, we end up with an \(L_{|\varDelta _\mathbb {K}|}\left( 1\right) \)-smooth ideal, denoted by \(\mathbf {\mathcal {I}}^{(0)}\), and an algebraic integer \(\mathbf {h}^{(0)}\) satisfying

$$\begin{aligned} \langle \mathbf {h}^{(0)} \rangle = \mathbf {\mathcal {I}}^+\cdot \mathbf {\mathcal {I}}^{(0)}, \end{aligned}$$

with \(\mathbf {\mathcal {I}}^+\) the ideal of the totally real subfield obtained after phase Sect. 4.1. The factorization of \(\mathbf {\mathcal {I}}^{(0)}\) gives

$$\begin{aligned} \mathbf {\mathcal {I}}^{(0)} = \prod _j {\mathcal {I}^{(0)}_{j}}, \end{aligned}$$

where the \(\mathbf {\mathcal {I}}_j^{(0)}\) are integral prime ideals of norm upper bounded by \(L_{|\varDelta _\mathbb {K}|}\left( 1\right) \). Taking the norms of the ideals involved in this equality ensures that the number of terms in this product is \(O(n_{\mathbf {\mathcal {I}}})\), with \(n_\mathbf {\mathcal {I}}=\frac{\log |\varDelta _\mathbb {K}|}{\log \log |\varDelta _\mathbb {K}|}=O(N)\). Then applying Theorem 4 on each small ideal \({\mathcal {I}^{(0)}_{j}}\) gives rise to ideals \({\mathcal {I}^{(1)}_{j}}\) in expected time \(L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \) that are \(L_{|\varDelta _\mathbb {K}|}\left( \frac{2\times 1+1}{4}\right) = L_{|\varDelta _\mathbb {K}|}\left( 3/4\right) \)-smooth and integers \({\mathbf {h}^{(1)}_{j}}\) such that for every j,

$$\begin{aligned} \langle {\mathbf {h}^{(1)}_{j}} \rangle = {\mathcal {I}^{(0)}_{j}} \cdot {\mathcal {I}^{(1)}_{j}}. \end{aligned}$$

For each factor \({\mathcal {I}^{(1)}_{j}}\), let us write its prime decomposition:

$$\begin{aligned} {\mathcal {I}^{(1)}_{j}} = \prod _k {\mathcal {I}^{(1)}_{j,k}}. \end{aligned}$$

Once again, the number of terms appearing is \(O(n_\mathbf {\mathcal {I}})\). Because we have the inequality \(\mathcal {N} \left( {\mathcal {I}^{(1)}_{j,k}}\right) \le L_{|\varDelta _\mathbb {K}|}\left( 3/4\right) \), then performing the same procedure on each ideal \({\mathcal {I}^{(1)}_{j,k}}\) now yields \(L_{|\varDelta _\mathbb {K}|}\left( 5/8\right) \)-smooth ideals \({\mathcal {I}^{(2)}_{j,k}}\) and integers \({\mathbf {h}^{(2)}_{j,k}}\) such that

$$\begin{aligned} \langle {\mathbf {h}^{(2)}_{j,k}} \rangle = {\mathcal {I}^{(1)}_{j,k}} \cdot {\mathcal {I}^{(2)}_{j,k}}, \end{aligned}$$

once again in expected time \(L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \). Remark that this smoothness bound in \(L_{|\varDelta _\mathbb {K}|}\left( 5/8\right) \) is obtained as \(L_{|\varDelta _\mathbb {K}|}\left( \frac{2\times 3/4 +1}{4}\right) \), as exposed in Theorem 4. This reasoning naturally leads to a recursive strategy for reduction. At step k, we want to reduce an ideal \({\mathcal {I}^{(k-1)}_{a_1,\ldots , a_{k-1}}}\) which is \(L_{|\varDelta _\mathbb {K}|}\left( 1/2+1/2^{k+1}\right) \)-smooth. As before, we have a decomposition — in \(O(n_\mathbf {\mathcal {I}})\) terms — in smaller ideals:

$$\begin{aligned} {\mathcal {I}^{(k-1)}_{a_1,\ldots , a_{k-1}}} = \prod _j {\mathcal {I}^{(k-1)}_{a_1,\ldots , a_{k-1}, j}}. \end{aligned}$$

Using Theorem 4 on each factor \({\mathcal {I}^{(k-1)}_{a_1,\ldots , a_{k-1}, j}}\) which have norm bounded by \(L_{|\varDelta _\mathbb {K}|}\left( 1/2+1/2^{k+1}\right) \) leads to \(L_{|\varDelta _\mathbb {K}|}\left( 1/2+1/2^{k+2}\right) \)-smooth ideals \({\mathcal {I}^{(k)}_{a_1,\ldots , a_{k-1}, j}}\) and algebraic integers \({\mathbf {h}^{(k)}_{a_1,\ldots , a_{k-1}, j}}\) such that

$$ \langle {\mathbf {h}^{(k)}_{a_1,\ldots , a_{k-1}, j}} \rangle = {\mathcal {I}^{(k-1)}_{a_1,\ldots , a_{k-1}, j}} \cdot {\mathcal {I}^{(k)}_{a_1,\ldots , a_{k-1}, j}}, $$

since \({\frac{2\times (1/2+1/2^{k+1}) +1}{4}} = 1/2+1/2^{k+2}\).

As a consequence, one can generate \(L_{|\varDelta _\mathbb {K}|}\left( 1/2+1/\log N\right) \)-smooth ideals with the previous method in at most \(\left\lceil \log _2(\log N) \right\rceil \) recursive steps. At this point only \(\left( n_\mathbf {\mathcal {I}}\right) ^{\left\lceil \log _2(\log N) \right\rceil }\) ideals and algebraic integers appear since at each step this number is multiplied by a factor \(O(n_\mathbf {\mathcal {I}})\). As deriving one couple integer/ideal is done in expected time \(L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \), the whole complexity remains in \(L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \).

Fig. 4.
figure 4

The \(\mathfrak {q}\)-descent algorithm.

Full size image

However, as \(|\varDelta _\mathbb {K}| = N^N\), a quick calculation entails that

$$\begin{aligned} \log L_{|\varDelta _\mathbb {K}|}\left( \frac{1}{2}+\frac{1}{\log (N)}\right)&= O(N^{\frac{1}{2}+\frac{1}{\log N}}\log (N)) \\ {}&= O(N^{\frac{1}{2}}\log (N))\cdot N^{\frac{1}{\log N}}. \end{aligned}$$

Since the last factor is \(e = \exp (1)\), we obtain that

$$\begin{aligned} \log L_{|\varDelta _\mathbb {K}|}\left( \frac{1}{2}+\frac{1}{\log (N)}\right) = \log L_{|\varDelta _\mathbb {K}|}\left( \frac{1}{2}\right) , \end{aligned}$$

so that after at most \(\left\lceil \log _2(\log N) \right\rceil \) steps, we have ideals that are \(L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \)-smooth.

At the end of this final round, we may express the input ideal as the product of ideals for which we know a generator and others that have by construction norms bounded by \(L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \). Let us denote \(\mathcal K\) the final step. For avoiding to carry inverse ideals, we may assume without loss of generalityFootnote 8 that \(\mathcal K\) is even. Explicitly we have

figure b

In this last expression, the indices are chosen such that \(1 \le t \le \mathcal K\) and \(2 \le s \le \mathcal K\). We also recall that all the quantities involved here belong to the totally real subfield \(\mathbb {Q}(\zeta + \zeta ^{-1})\).

By construction, \(\mathbf {\mathcal {I}}^s\) is \(L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \)-smooth and we directly get \(\mathbf {h} \in \mathcal {O}_\mathbb {K}^+\) such that \(\langle \mathbf {h} \rangle = \mathbf {\mathcal {I}}^+ \cdot \mathbf {\mathcal {I}}^s.\) The full outline of this descent phase is sketched in Fig. 4.

Remark that the number of terms, which is at most \(O(N)^\mathcal {K}\) is in \(L_{|\varDelta _\mathbb {K}|}\left( o(1)\right) \), is negligible in the final complexity estimate.

4.3 Step 3: Case of \(L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \)-smooth Ideals

At this point, we have reduced the search for a generator of a principal ideal of large norm to the search for a generator of a principal ideal \(\mathbf {\mathcal {I}}^s\) which is \(L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \)-smooth. If we can find a generator of \(\mathbf {\mathcal {I}}^s\) in time \(L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \), from the previous steps we directly recover the generator of \(\mathbf {\mathcal {I}}^+\), and so the generator of \(\mathbf {\mathcal {I}}\), that is the secret key. To tackle this final problem, we follow the approach relying on class group computation (see [15, Algorithm 6.5.10] or [5, Algorithm 7]): we consider the previously introduced set \(\mathcal {B}\) of prime ideals of norm below \(B>0\) where \(B\in L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \) and look for relations of the shape

$$\begin{aligned} \langle \mathbf {v}\rangle = \prod _i \mathfrak {p}_i^{e_i}, \qquad \mathrm{for\,\,\,} \mathbf {v} \in \mathcal {O}_{\mathbb {K}^+}. \end{aligned}$$

As the classes of prime ideals in \(\mathcal {B}\) generate the class group \({\text {Cl}}(\mathcal {O}_{\mathbb {K}^+})\) (see [2]), we have a surjective morphism:

figure c

Formally, a relation is an element of \(\text {Ker~}(\pi \circ \phi )\), which is a full-rank sublattice of \(\mathbb {Z}^{|\mathcal {B}|}\). Following the subexponential approach of [8, 11, 23], we need to find at least \(|\mathcal {B}|\in L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \) linearly independent relations to generate this lattice. The relation collection is performed in a similar way as [4]: due to the good shape of the defining polynomial \(X^N+1\), the algebraic integers whose representation as polynomials in \(\zeta \) have small coefficients also have small norms.

Let us fix an integer \(0<A\le L_{|\varDelta _\mathbb {K}|}\left( 0\right) = \log |\varDelta _\mathbb {K}|\). Then for any integers \((v_0, \ldots , v_{\frac{N}{2}-1}) \in \{-A, \ldots , A\}^\frac{N}{2}\), we define the element \(\mathbf {v} = v_0 + \sum _{i \ge 1} v_i \left( \zeta ^i+\zeta ^{-i}\right) \). The norm of this element in \(\mathbb {K}^+\) is upper bounded by \(L_{|\varDelta _\mathbb {K}|}\left( 1\right) \). Indeed, it corresponds to the square root of its norm in \(\mathbb {K}\), which is below \(N^N \cdot A^N = L_{|\varDelta _\mathbb {K}|}\left( 1\right) \) by Lemma 2. Then under Heuristic 1, the element \(\mathbf {v}\) generates an ideal \(\langle \mathbf {v}\rangle \) that is \(L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \)-smooth with probability \(L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) ^{-1}\). This means that we need to draw on average \(L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \) independent algebraic integers to find one relation.

To bound the run time of the algorithm, we need to assume that the relation we collect by this method are independent. This is a commonly used heuristic in the analysis of index calculus algorithms for computing \({\text {Cl}}(\mathbb {K})\).

Heuristic 3

[4, Heuristic 2]. There exists Q negligible with respect to \(|\mathcal {B}|\) such that collecting \(Q\cdot |\mathcal {B}|\) relations suffices to generate the whole lattice of relations.

Thanks to Eq. (1), we know that \(\mathcal {B}\) contains about \(L_{|\varDelta _\mathbb {K}|}\left( {1}/{2}\right) \) elements. Therefore, \(L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \) relations are needed thanks to Heuristic 3, implying that \(L_{|\varDelta _\mathbb {K}|}\left( {1}/{2}\right) ^2 = L_{|\varDelta _\mathbb {K}|}\left( {1}/{2}\right) \) independently drawn algebraic integers suffice to generate the whole lattice of relations. Of course, the set of integers arising from the previous construction is large enough to allow such repeated sampling, because its size is \(L_{|\varDelta _\mathbb {K}|}\left( 1\right) \). We store the relations in a \({|\mathcal {B}|} \times {Q|\mathcal {B}|}\) matrix M, as well as the corresponding algebraic integers in a vector G.

figure d

The \(L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \)-smooth ideal \(\mathbf {\mathcal {I}}^s\) splits over the set \(\mathcal {B}\), so that there exists a vector Y of \(\mathbb {Z}^{|\mathcal {B}|}\) containing the exponents of the factorization

$$\begin{aligned} \mathbf {\mathcal {I}}^s = \prod _i \mathfrak {p}_i^{Y_i}. \end{aligned}$$

As the relations stored in M generate the lattice of all elements of this form, the vector Y necessarily belongs to it. Hence solving the equation \(MX=Y\) yields a vector \(X \in \mathbb {Z}^{Q|\mathcal {B}|}\) from which we can recover a generator of the ideal since:

$$\begin{aligned} \prod _i \mathfrak {p}_i^{Y_i} = \langle \mathbf {v}_1^{X_1}\cdots \mathbf {v}_{Q|\mathcal {B}|}^{X_{Q|\mathcal {B}|}}\rangle . \end{aligned}$$
(2)

By construction, \(\mathcal {N} \left( \mathbf {\mathcal {I}}^s\right) \le L_{|\varDelta _\mathbb {K}|}\left( \mathcal {K}/2+1/2\right) \) so that the coefficients of Y are below \(L_{|\varDelta _\mathbb {K}|}\left( 0\right) \). Since solving such a linear system with Dixon’s p-adic method [18] can be done in time \({Poly}(d,\log \Vert M\Vert )\) where d is the dimension of the matrix and \(\Vert M\Vert = \max |M_{i,j}|\) the maximum of its coefficients, we are able to recover X with a complexity in \(L_{|\varDelta _\mathbb {K}|}\left( {1}/{2}\right) \).

4.4 Final Step: Reduction to a Short Generator

As mentioned in Sect. 3, this part of the algorithm is a result of Cramer, Ducas, Peikert, and Regev [17]. They state that recovering a short generator from an arbitrary one can be solved in polynomial time in any prime-power cyclotomic ring. For completeness purposes, we give here a brief overview of this reduction.

As a liminary observation, note that for those fields, a set of fundamental units is given for free, whereas their computation in arbitrary number fields is computationally hard. A second remark is that we get the promise that there exists a small generator of the considered ideal. Then, instead of solving a general closest vector problem (CVP), we solve an instance of bounded-distance decoding problem (BDD). The key argument is based on a precise study of the geometry of the log-unit lattice of prime-power cyclotomic fields (see Appendix A.3 for basic recalls about this lattice). Finally, their geometric properties make possible to solve BDD in this lattice in polynomial time, instead of exponential time as for generic instances.

Theorem 5

[17, Theorem 4.1]. Let D be a distribution over \(\mathbb {Q}(\zeta )\) with the property that for any tuple of vectors \(\mathbf {v}_1,\ldots , \mathbf {v}_{N/2-1}\in \mathbb {R}^{N/2-1}\) of Euclidean norm 1 that are orthogonal to the all-1 vector 1, the probability that the inequation \(|(\mathrm {Log}(\mathbf {g}), \mathbf {v}_i)| < c\sqrt{2N}\cdot \log (2N)^{-3/2}\) holds for all i is at least some \(\alpha >0\), where \(\mathbf {g}\) is chosen from D and c is a universal constant. Then there is an efficient algorithm that, given \(\mathbf {g}' = \mathbf {g} \cdot \mathbf {u}\), where \(\mathbf {g}\) chosen from D and \(\mathbf {u} \in C\) is a cyclotomic unit, outputs an element of the form \(\zeta ^j\cdot \mathbf {g}\) with probability at least \(\alpha \).

The reader might argue that, in order to use this theorem on the output of our algorithm, we should ensure that we recover a generator up to a cyclotomic unit and not up to an arbitrary unit. In the specific case of power-of-two cyclotomic fields, we can rely on Weber’s Heuristic 2 to ensure this constraint. In case \(h^+(N)>1\), two solutions are given in [17]. The first one is to directly compute the group of units, which is hopefully determined by the kernel of the matrix M arising in the third stageFootnote 9. One can then enumerate the \(h^+(N)\) classes of the group of units modulo the subgroup of cyclotomic units. Another possibility is to generate a list of ideals, sampled according to the same distribution as the input ideal, with a known generator. Then, we run the PIP algorithm on these ideals, and deduce the cosets of the group of units modulo the subgroup of cyclotomic units, which are likely to be output.

The whole key recovery, combining our PIP algorithm and the aforementioned reduction is outlined in Fig. 5.

Fig. 5.
figure 5

Recovery of the secret key by PIP + [17].

Full size image

4.5 Complexity Analysis

The whole runtime of our attack is \(L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \), that is about \(2^{N^{1/2+o(1)}}\) operations. We have already mentioned the complexity of most parts of our algorithm. However, we provide a brief summary in this paragraph to ensure the entirety of our result.

For the reduction algorithms, DBKZ and Cheon’s trick, the block-size is always in \(\log L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \) so that the complexity is \(L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \). Our choice for the smoothness bound \(B=L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \) ensures that the step of relation collection together with the linear system solution are derived in time \(L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \).

In addition, from the work of [20], we get that the first part of the algorithm, corresponding to the reduction to the totally real subfield, is performed in polynomial time.

The last part, which corresponds to the generation of a small generator from an arbitrary one, runs in polynomial time with respect to the input \(\left( \mathbf {B},t\right) \) of Babai’s round-off algorithm (see Step 4 of the algorithm in Fig. 5), thanks to the results of [17]. However, \(t = \text {Log}(\mathbf {g_0})+\text {Log}(\mathcal {O}_\mathbb {K})\) is of subexponential size at this stage. Indeed, according to Eq. (2),

$$\begin{aligned} \text {Log}(\mathbf {g_0}) = X_1\text {Log}(\mathbf {v}_1) + \cdots + X_{Q|\mathcal {B}|}\text {Log}(\mathbf {v}_{Q|\mathcal {B}|}), \end{aligned}$$

where each \(\mathbf {v}_i\) is of polynomial size while, by Hadamard’s bound, the \(X_i\) satisfy \(X_i\le Q|\mathcal {B}|^{Q|\mathcal {B}|/2}\Vert M\Vert ^{Q|\mathcal {B}|-1}\max _j\Vert Y_j\Vert \). Therefore, the bit size of the \(X_i\) are in \(L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \), and the fixed point approximations of \(\text {Log}(\mathbf {v}_i)\) must be taken at precision \(b\in L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \) to ensure the accuracy of the value of \(\text {Log}(\mathbf {g_0})\) (and therefore t). Babai’s round-off computation \(\mathbf {B} \lfloor (\mathbf {B}^\vee )^t\cdot t\rceil \) has an asymptotic cost in \(L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \) and returns \(e_1,\ldots ,e_r\) where the \(e_i\) have bit size in \(L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \) and where

$$\mathbf {g'} = \mathbf {g_0}\cdot \mathbf {b}_1^{e_1}\cdots \mathbf {b}_r^{e_r}= \left( \mathbf {v}_1^{X_1}\cdots \mathbf {v}_{Q|\mathcal {B}|}^{X_{Q|\mathcal {B}|}}\right) \cdot \left( \mathbf {b}_1^{e_1}\cdots \mathbf {b}_r^{e_r}\right) ,$$

is a short generator of the input ideal. This product cannot be evaluated directly since the intermediate terms may have exponential size, but it may be performed modulo distinct prime ideals \(\mathfrak {p}_1,\ldots ,\mathfrak {p}_k\) such that \(\mathcal {N}\left( \prod \mathfrak {p}_i\right) > \mathcal {N}(\mathbf {g'})\) and then reconstructed by the Chinese Remainder Theorem. The complexity of this process is in \(L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \).

We highlight now two points whose complexity were eluded in the exposition of the algorithm:

  • Arithmetic of ideals. All the operations made on ideals are classical, with complexities polynomial in the dimension and in the size of the entries (see for instance [15, Chap. 4]), which is way below the bound of \(L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \).

  • Smoothness tests. The strategy is to deal with the norms of ideals, that are integers. The largest norm arising in the computations is in \(L_{|\varDelta _\mathbb {K}|}\left( 3/2\right) \) and appears after the initial DBKZ reduction. Testing \(L_{|\varDelta _\mathbb {K}|}\left( 1\right) \)-smoothness for an integer of this size is easier than completely factorizing it, even if both methods share the same asymptotic complexity in \(L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \) Footnote 10. Hence all the smoothness tests performed have complexity dominated by \(L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \).

As a consequence the global complexity is given by the first and last steps of the \(\mathfrak {q}\)-descent, that is in \(L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \).

Remark 3

This algorithm has a complexity in \(L_{|\varDelta _\mathbb {K}|}\left( 1/2\right) \) in the discriminant, that represents the size of the number field involved. However, it is important to figure out that the parameters of the keys have \(N^{3/2}\) bits. Therefore we present an algorithm that is “sort of” \(L\left( 1/3\right) \) in the size of the inputs.

5 Implementation Results

In addition to the theoretical improvement, our algorithm permits in practice to break concrete cryptosystems. Our discussion is based on the scheme presented by Smart and Vercauteren at PKC 2010. In [43, Sect. 7], security estimations are given for parameters \(N = 2^n\) for \(8 \le n \le 11\) since they are unable to generate keys for larger parameters. Our implementation allows us to recover the secret key from the public key for \(N=2^8=256\) in less than a day. The code runs with [38], with an external call to [19], and all the computations are performed on an Intel(R) Xeon(R) CPU E3-1275 v3 @ 3.50 GHz with 32 GB of memory. Indeed the Gentry-Szydlo algorithm requires large storage.

We perform the key generation as recalled in Fig. 2. We then obtain a generator for the ideal as a polynomial in \(\zeta = \zeta _{512}\), of degree 255 and coefficients absolutely bounded by \(2^{\sqrt{256}}+1 = 65537\). That corresponds to ideals whose norm has about 4800 bits in average, that is below the bound 6145 from Lemma 2, but above the size given in [43] (4096). As for every timing arising in this section, we have derived a set of 10 keys, and the given time is the average one. Thus, deriving a secret key takes on average 30 s. We test 1381 algebraic integers for finding 10 having prime norm. Then the public key is derived from the secret key in about 96 s.

While, in theory, the first reduction to the totally real subfield seems to be of limited interest, it is clearly the main part of the practical results: indeed, it reduces in our example the size of the matrices involved from \(256 \times 256\) to \(128 \times 128\). As we know that lattice-reduction is getting worse while the dimension grows, this part is the key point of the algorithm. Our code essentially corresponds to the Gentry-Szydlo algorithm together with the trick explained in Sect. 4.1, in order to output the element \(\mathbf {u}\) and a basis of the ideal \(\mathbf {\mathcal {I}}^+\) generated by \(\mathbf {g}+\bar{\mathbf {g}}\). This part of the algorithm has the largest runtime, about 20 h, and requires 24Go of memory.

At this point, we put aside \(\mathbf {u}\) and only consider the ideal \(\mathbf {\mathcal {I}}^+\). Our goal is to recover one generator of this ideal, and a multiplication with \(\frac{1}{1+\mathbf {u}}\) is going to lead to the generator of the input ideal. The method we have presented is to reduce step by step the norm of the ideals involved by performing lattice reductions. However, we observe that for the cases we run, the first reduction suffices: the short vector we find corresponds to the generator. We make use of the BKZ algorithm implemented in [19], with block-size 24 to begin. It gives a correct generator with probability higher than 0.75 and runs in less than 10 minutes. If the output is not correct, we increase the block-size to 30. This always works and requires between 2 and 4 h.

In addition to the good behavior of this reduction, the generator we exhibit is already small, by construction. More precisely, it corresponds to \(\mathbf {g}+\bar{\mathbf {g}}\), up to a factor that is a power of \(\zeta \). Hence, we recover \(\mathbf {g} \cdot \zeta ^i\) thanks to \(\mathbf {u}\) and the decoding algorithm analyzed in [17] is unnecessary for our concern. The key recovery is already completed after these two first steps. We still implement this part together with a method for recovering the actual private key (up to sign). Indeed, because all its coefficients are even except the constant one, it is easy to identify the power of \(\zeta \) that appears as a factor during the computation.

Additional Work. To illustrate the practical performances of our method, we look at one of the main other steps of the algorithm: namely the relation collection between generators of \({\text {Cl}}(\mathbb {K}^+)\). Thanks to the good behavior of BKZ, the relation collection is not necessary for the attack in \(\mathbb {Q}(\zeta _{512})\), but it is an important part of the computation in higher dimension.

We fix our factor base as all the prime ideals in the totally-real field that lie above a prime number p that is below the bound \(c \left( \log |\varDelta _\mathbb {K}|\right) ^{2}\), for a parameter \(c \in \{0.1, 0.2, 0.3\}\). We give in Table 1 the values, together with the size of the factor base and the time required for building it in [16]. The computations are performed on a laptop with Intel(R) Core(TM) i7-4710MQ CPU @ 2.50 GHz and 8Go of RAM for this part.

Naturally, this choice of bound would not be sufficient for the descent described in Fig. 4, because it is polynomial and not subexponential. However, it provides a relation matrix for the computation of the class group. Reaching a subexponential bound seems unlikely in that way, that supports the fact that our implementation results are consequences of the small dimension obtained by the Gentry-Szydlo algorithm.

Table 1. Construction of differently parametrized factor bases.
Full size table

The relation collection is performed using algebraic integers of the shape

$$\begin{aligned} \sum _{i=1}^5 \zeta ^{a_i}+\zeta ^{-a_i} = \sum _{i=1}^5 \zeta ^{a_i} - \zeta ^{256-a_i}, \end{aligned}$$

for \(a_i\) chosen at random in \(\{1,\ldots ,255\}\). This is inspired from the work of Miller [37]. We use C++ code with NTL Library [42] for finding a set of integers with different norms that suffice for generating the full lattice of relations (see Sect. 4.3). The size of these sets depends on the bound we have chosen and on the relations picked, so that the timings may vary. Our results are provided in Table 2. Once we know these integers, we use Magma for building the entire matrix of relations. In particular, we make use of the automorphisms on the field for deriving 128 relations from each integer — this is the reason we use integers of different norms. Eventually, the matrices we get are full-rank.

Table 2. Relation collection for the different parameters.
Full size table

We also run our code for the algorithm described in [17] on inputs constructed as a secret key multiplied by a random non-zero vector of the log-unit lattice (because in the full attack described previously, we only have the null vector). This runs in 150 s.

To conclude, for the parameter \(N=2^8\), the time of the key recovery is below 24 h, and the main part of the computation comes from the reduction to the totally real subfield. Hence, one may wonder if this step is mandatory, and the answer is yes, because the surprisingly good practical behavior of the BKZ reduction is a conjoint consequence of the dimension of lattices involved on the one hand — the regime for such medium dimension allows better practical output bounds than the theoretical worst case — and the specificity of the geometry of the considered ideals induced by the abnormally small norm of its generator.