Recovering Short Generators of Principal Ideals in Cyclotomic Rings

  • Ronald Cramer
  • Léo Ducas
  • Chris Peikert
  • Oded Regev
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9666)


A handful of recent cryptographic proposals rely on the conjectured hardness of the following problem in the ring of integers of a cyclotomic number field: given a basis of a principal ideal that is guaranteed to have a “rather short” generator, find such a generator. Recently, Bernstein and Campbell-Groves-Shepherd sketched potential attacks against this problem; most notably, the latter authors claimed a polynomial-time quantum algorithm. (Alternatively, replacing the quantum component with an algorithm of Biasse and Fieker would yield a classical subexponential-time algorithm.) A key claim of Campbell et al. is that one step of their algorithm—namely, decoding the log-unit lattice of the ring to recover a short generator from an arbitrary one—is classically efficient (whereas the standard approach on general lattices takes exponential time). However, very few convincing details were provided to substantiate this claim.

In this work, we clarify the situation by giving a rigorous proof that the log-unit lattice is indeed efficiently decodable, for any cyclotomic of prime-power index. Combining this with the quantum algorithm from a recent work of Biasse and Song confirms the main claim of Campbell et al. Our proof consists of two main technical contributions: the first is a geometrical analysis, using tools from analytic number theory, of the standard generators of the group of cyclotomic units. The second shows that for a wide class of typical distributions of the short generator, a standard lattice-decoding algorithm can recover it, given any generator.
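As an added worked example (not code from the paper), here is the decoding step described above on a constructed toy instance: the ring is Z[ζ_16] (n = 8), the log-unit lattice is spanned by the Log vectors of the cyclotomic units b_j = (ζ^j − 1)/(ζ − 1) for j ∈ {3, 5, 7}, and a short g is multiplied by a product of these units and then recovered by round-off against the dual basis. The specific g and unit exponents are constructed values; the paper's guarantee is asymptotic for typical distributions of g, whereas here g is simply chosen so that the rounding condition holds.

```python
import cmath, math
M, N = 16, 8         # constructed toy instance: m = 16, n = phi(m) = 8, Z[zeta] = Z[x]/(x^8 + 1)
EMB = [1, 3, 5, 7]   # one embedding zeta -> exp(2*pi*i*k/M) per complex-conjugate pair
GENS = [3, 5, 7]     # j in (Z/M)^*/{+-1} minus {1}: indices of the cyclotomic units b_j

def mul(a, b):
    """Multiply in Z[x]/(x^N + 1); elements are length-N integer coefficient lists."""
    r = [0] * N
    for i, ai in enumerate(a):
        for k, bk in enumerate(b):
            r[(i + k) % N] += ai * bk if i + k < N else -ai * bk   # x^N = -1
    return r

def geom_sum(step, terms):
    """1 + zeta^step + ... + zeta^(step*(terms-1)) as a ring element (zeta^N = -1)."""
    r = [0] * N
    for e in (step * t % M for t in range(terms)):
        r[e % N] += 1 if e < N else -1
    return r

def unit_prod(a, invert=False):
    """prod_j b_j^(a_j) (or its inverse): b_j = geom_sum(1, j), 1/b_j = geom_sum(j, j') with j*j' = 1 mod M."""
    u = [1] + [0] * (N - 1)
    for j, aj in zip(GENS, a):
        f = geom_sum(1, j) if (aj > 0) != invert else geom_sum(j, pow(j, -1, M))
        for _ in range(abs(aj)):
            u = mul(u, f)
    return u

def log_embed(a):
    """Log(a) = (log|sigma_i(a)|)_{i in EMB}: turns ring multiplication into vector addition."""
    return [math.log(abs(sum(c * cmath.exp(2j * cmath.pi * i * k / M) for k, c in enumerate(a)))) for i in EMB]

def solve(A, y):
    """Gauss-Jordan elimination for A x = y (A is a small positive-definite Gram matrix)."""
    n, T = len(A), [row + [v] for row, v in zip(A, y)]
    for c in range(n):
        for r in range(n):
            if r != c:
                T[r] = [x - T[r][c] / T[c][c] * v for x, v in zip(T[r], T[c])]
    return [T[r][n] / T[r][r] for r in range(n)]

B = [log_embed(geom_sum(1, j)) for j in GENS]   # basis (Log b_j) of the log-unit lattice, rank N/2 - 1
GRAM = [[sum(x * y for x, y in zip(u, v)) for v in B] for u in B]
def recover(gprime):
    """Round-off decode a_j = round(<Log(g'), b_j^v>) with (b_j^v) the dual basis of (Log b_j), then
    g = g' * prod_j b_j^(-a_j); exact whenever |<Log(g), b_j^v>| < 1/2, since Log(g') = Log(g) + sum a_j Log(b_j)."""
    t = log_embed(gprime)
    a = [round(x) for x in solve(GRAM, [sum(x * y for x, y in zip(bj, t)) for bj in B])]
    return mul(gprime, unit_prod(a, invert=True)), a

def example():   # short g = 4 + x + x^3 hidden behind u = b_3 * b_5^-2 * b_7^2 (constructed values)
    g, a = [4, 1, 0, 1, 0, 0, 0, 0], [1, -2, 2]
    return g, a, recover(mul(g, unit_prod(a)))
```

The all-ones direction of Log(g) (which carries log|N(g)|) never enters the decoding, because every Log(b_j) sums to zero; only the projection of Log(g) onto the hyperplane spanned by the unit logs has to be small.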

By extending our geometrical analysis, as a second main contribution we obtain an efficient algorithm that, given any generator of a principal ideal (in a prime-power cyclotomic), finds a \(2^{\tilde{O}(\sqrt{n})}\)-approximate shortest vector in the ideal. Combining this with the result of Biasse and Song yields a quantum polynomial-time algorithm for the \(2^{\tilde{O}(\sqrt{n})}\)-approximate Shortest Vector Problem on principal ideal lattices.



We thank Dan Bernstein, Jean-François Biasse, Sean Hallgren, Sorina Ionica, Dimitar Jetchev, Paul Kirchner, Shinya Okumara, René Schoof, Alice Silverberg, and Harold M. Stark for comments and many insightful conversations on topics related to this work. We also especially thank Dan Shepherd [She14] for explaining many additional details about the claims made in [CGS14], and for sharing other helpful observations.

References

  1. [ADS15] Aggarwal, D., Dadush, D., Stephens-Davidowitz, N.: Solving the closest vector problem in \(2^n\) time - the discrete Gaussian strikes again! In: FOCS, pp. 563–582 (2015)
  2. [Bab85] Babai, L.: On Lovász’ lattice reduction, the nearest lattice point problem. Combinatorica 6(1), 1–13 (1986). Preliminary version in STACS 1985
  3. [Ban93] Banaszczyk, W.: New bounds in some transference theorems in the geometry of numbers. Math. Ann. 296(4), 625–635 (1993)
  4. [Ban98] Banaszczyk, W.: Balancing vectors and gaussian measures of \(n\)-dimensional convex bodies. Random Struct. Algorithms 12(4), 351–360 (1998)
  5. [Ber14a] Bernstein, D.: Personal communication, June 2014
  6. [Ber14b] Bernstein, D.: A subfield-logarithm attack against ideal lattices, February 2014
  7. [BF14] Biasse, J.-F., Fieker, C.: Subexponential class group, unit group computation in large degree number fields. LMS J. Comput. Math. 17(suppl. A), 385–403 (2014)
  8. [Bia14] Biasse, J.-F.: Subexponential time relations in the class group of large degree number fields. Adv. Math. Commun. 8(4), 407–425 (2014)
  9. [BPR04] Buhler, J., Pomerance, C., Robertson, L.: Heuristics for class numbers of prime-power real cyclotomic fields. Fields Inst. Commun. 41, 149–157 (2004)
  10. [BS97] Banaszczyk, W., Szarek, S.J.: Lattice coverings and Gaussian measures of \(n\)-dimensional convex bodies. Discrete Comput. Geom. 17(3), 283–286 (1997)
  11. [BS15] Biasse, J.-F., Song, F.: A note on the quantum attacks against schemes relying on the hardness of finding a short generator of an ideal in \(\mathbb{Q}(\zeta _{2^n})\). Technical report –12, The University of Waterloo, revision of September 28th 2015
  12. [BS16] Biasse, J.-F., Song, F.: A polynomial time quantum algorithm for computing class groups and solving the principal ideal problem in arbitrary degree number fields. In: SODA (2016)
  13. [CGS14] Campbell, P., Groves, M., Shepherd, D.: Soliloquy: a cautionary tale. In: ETSI 2nd Quantum-Safe Crypto Workshop, 2014. Available at
  14. [EHKS14] Eisenträger, K., Hallgren, S., Kitaev, A., Song, F.: A quantum algorithm for computing the unit group of an arbitrary degree number field. In: STOC, pp. 293–302. ACM (2014)
  15. [Gen09] Gentry, C.: Fully homomorphic encryption using ideal lattices. In: STOC, pp. 169–178 (2009)
  16. [GGH13] Garg, S., Gentry, C., Halevi, S.: Candidate multilinear maps from ideal lattices. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 1–17. Springer, Heidelberg (2013)
  17. [GS02] Gentry, C., Szydlo, M.: Cryptanalysis of the revised NTRU signature scheme. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, p. 299. Springer, Heidelberg (2002)
  18. [HPS98] Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998)
  19. [Lan27] Landau, E.: Über Dirichletsche Reihen mit komplexen Charakteren. Journal für die reine und angewandte Mathematik 157, 26–32 (1927)
  20. [Lan02] Lang, S.: Algebra. Graduate Texts in Mathematics, vol. 211, 3rd edn. Springer, New York (2002)
  21. [Len82] Lenstra, A.K.: Lattices and factorization of polynomials over algebraic number fields. In: Calmet, J. (ed.) EUROCAM ’1982. LNCS, vol. 144, pp. 32–39. Springer, Heidelberg (1982)
  22. [LLL82] Lenstra, A.K., Lenstra Jr., H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261(4), 515–534 (1982)
  23. [LLS15] Lamzouri, Y., Li, X., Soundararajan, K.: Conditional bounds for the least quadratic non-residue and related problems. Math. Comp. 84(295), 2391–2412 (2015)
  24. [LMPR08] Lyubashevsky, V., Micciancio, D., Peikert, C., Rosen, A.: SWIFFT: a modest proposal for FFT hashing. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 54–72. Springer, Heidelberg (2008)
  25. [Lou15] Louboutin, S.: An explicit lower bound on moduli of Dirichlet \(L\)-functions at \(s=1\). J. Ramanujan Math. Soc. 30(1), 101–113 (2015)
  26. [LPR10] Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices, learning with errors over rings. J. ACM 60(6), 43:1–43:35 (2013)
  27. [LPR13] Lyubashevsky, V., Peikert, C., Regev, O.: A toolkit for ring-LWE cryptography. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 35–54. Springer, Heidelberg (2013)
  28. [LSS14] Langlois, A., Stehlé, D., Steinfeld, R.: GGHLite: more efficient multilinear maps from ideal lattices. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 239–256. Springer, Heidelberg (2014)
  29. [Mic02] Micciancio, D.: Generalized compact knapsacks, cyclic lattices, efficient one-way functions. Comput. Complex. 16(4), 365–411 (2007). Preliminary version in FOCS 2002
  30. [Mil14] Miller, J.C.: Class numbers of totally real fields and applications to the Weber class number problem. Acta Arith. 164(4), 381–398 (2014)
  31. [Mil15] Miller, J.C.: Real cyclotomic fields of prime conductor and their class numbers. Math. Comp. 84(295), 2459–2469 (2015)
  32. [MR04] Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measures. SIAM J. Comput. 37(1), 267–302 (2007). Preliminary version in FOCS 2004
  33. [MV06] Montgomery, H.L., Vaughan, R.C.: Multiplicative Number Theory I. Cambridge University Press, Cambridge (2006)
  34. [MV10] Micciancio, D., Voulgaris, P.: A deterministic single exponential time algorithm for most lattice problems based on Voronoi cell computations. In: STOC, pp. 351–358 (2010)
  35. [O’D14] O’Donnell, R.: Analysis of Boolean Functions. Cambridge University Press, Cambridge (2014)
  36. [Pei10] Peikert, C.: An efficient and parallel gaussian sampler for lattices. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 80–97. Springer, Heidelberg (2010)
  37. [PR07] Peikert, C., Rosen, A.: Lattices that admit logarithmic worst-case to average-case connection factors. In: STOC, pp. 478–487 (2007)
  38. [Sam70] Samuel, P.: Algebraic Theory of Numbers. Hermann, Paris (1970)
  39. [Sch87] Schnorr, C.-P.: A hierarchy of polynomial time lattice basis reduction algorithms. Theor. Comput. Sci. 53, 201–224 (1987)
  40. [Sch03] Schoof, R.: Class numbers of real cyclotomic fields of prime conductor. Math. Comput. 72(242), 913–937 (2003)
  41. [Sch15] Schank, J.: LogCvp, Pari implementation of CVP in Log\(\mathbb{Z}[\zeta _{2^n}]^*\), March 2015
  42. [She14] Shepherd, D.: Personal communication, December 2014
  43. [SV10] Smart, N.P., Vercauteren, F.: Fully homomorphic encryption with relatively small key and ciphertext sizes. In: Nguyen, P.Q., Pointcheval, D. (eds.) Public Key Cryptography. LNCS, vol. 6056, pp. 420–443. Springer, Heidelberg (2010)
  44. [Ver12] Vershynin, R.: Introduction to the non-asymptotic analysis of random matrices. In: Compressed Sensing, pp. 210–268. Cambridge University Press, Cambridge (2012)
  45. [Was97] Washington, L.: Introduction to Cyclotomic Fields. Graduate Texts in Mathematics. Springer, New York (1997)

Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  • Ronald Cramer (1, 2)
  • Léo Ducas (1)
  • Chris Peikert (3)
  • Oded Regev (4)
  1. Cryptology Group, CWI, Amsterdam, The Netherlands
  2. Mathematical Institute, Leiden University, Leiden, The Netherlands
  3. Department of Computer Science and Engineering, University of Michigan, Michigan, USA
  4. Courant Institute of Mathematical Sciences, New York University, New York, USA
