Cryptography Core Technology

In this chapter, we describe the analysis of two security foundations. One is the analysis of the elliptic curve discrete logarithm problem (ECDLP). ECDLP underlies public-key cryptosystems that achieve a short key size, but it is not a post-quantum foundation. The other is the analysis of learning with errors (LWE), which underlies post-quantum cryptosystems and supports homomorphic encryption. These two security foundations play important roles in the protocols described in Sect. 2.2.4.2.

Today, the best practical attacks against ECDLP are exponential-time, generic discrete logarithm algorithms such as Pollard's rho method [34]. However, a recent line of research has been dedicated to index calculus for ECDLP, started by Semaev, Gaudry, and Diem [25,30,35]. Under certain heuristic assumptions, such algorithms could lead to subexponential attacks on ECDLP in some cases [27,31,33]. The interested reader is referred to the survey by Galbraith and Gaudry for a more comprehensive and in-depth account of the recent development of ECDLP algorithms along various directions [28].
In this section, we investigate the computational complexity of ECDLP for elliptic curves in various forms, including Hessian [36], Montgomery [32], (twisted) Edwards [23,24], and Weierstrass, using index calculus. Recently, elliptic curves of various forms such as Curve25519 [22] have been drawing considerable attention in deployment, partly because some of them allow fast implementation and security against timing-based side-channel attacks. Furthermore, we can construct these curves not only over prime fields (such as the field of $2^{255} - 19$ elements used in Curve25519) but also over extension fields. In this section, we will focus on curves over optimal extension fields (OEFs) [21]. An OEF is an extension field of a prime field $\mathbb{F}_p$ with $p$ close to $2^8$, $2^{16}$, $2^{32}$, $2^{64}$, etc. Such primes fit nicely into the processor words of 8-, 16-, 32-, or 64-bit microprocessors and hence are particularly suitable for software implementation, allowing efficient use of fast integer arithmetic on modern microprocessors [21]. As we will see, our experimental results show significant differences in the computational complexity of ECDLP for elliptic curves in various forms over OEFs.

Index Calculus for ECDLP
Let $E$ be an elliptic curve defined over a finite field $\mathbb{F}_{p^n}$. For cryptographic applications, we are mostly interested in a prime-order subgroup generated by a rational point $P \in E(\mathbb{F}_{p^n})$. Here, we first give a high-level overview of a typical index-calculus algorithm for finding an integer $\alpha$ such that $Q = \alpha P$ for $Q \in \langle P \rangle$.
1. Determine a factor base $\mathcal{F} \subset E(\mathbb{F}_{p^n})$.
2. Collect a set $\mathcal{R}$ of relations by decomposing random points $a_iP + b_iQ$ into a sum of points from $\mathcal{F}$.
3. When $|\mathcal{R}| \approx |\mathcal{F}|$, eliminate the right-hand side using linear algebra to obtain an equation of the form $aP + bQ = O$, and hence $\alpha = -a/b \bmod \operatorname{ord} P$.
The last step of linear algebra is relatively well studied in the literature, so we will focus on the subproblem in the second step, namely, the point decomposition problem (PDP) on an elliptic curve in the rest of this section.

Definition 2.1 (Point Decomposition Problem of $m$th Order) Given a rational point $R \in E(\mathbb{F}_{p^n})$ on an elliptic curve $E$ and a factor base $\mathcal{F} \subset E(\mathbb{F}_{p^n})$, find, if they exist, $P_1, \dots, P_m \in \mathcal{F}$ such that $R = P_1 + \cdots + P_m$.

Semaev's Summation Polynomials
We can solve PDP by considering when the sum of a set of points becomes zero on an elliptic curve. It is straightforward that if two points sum to zero on an elliptic curve $E: y^2 = x^3 + ax + b$ in Weierstrass form, then their $x$-coordinates must be equal. Let us now consider the simplest yet nontrivial case where three points on $E$ sum to zero. Let Clearly, $Z$ is in the variety of the ideal .
Using MAGMA's EliminationIdeal function, we find that $J$ is actually a principal ideal generated by the polynomial Clearly, the linear factors of this generator correspond to the degenerate case where two or more points are the same or of opposite signs, and $f_3$ is the 3rd summation polynomial, that is, the summation polynomial for three distinct points summing to zero. Starting from the 3rd summation polynomial, we can recursively construct the subsequent summation polynomials $f_m$ for $m > 3$ by taking resultants. As a result, the degree of each variable in $f_m$ is $2^{m-2}$, which grows exponentially in $m$. This is the observation Semaev made in his seminal work [35]. In short, his proposal is to consider factor bases of the following form: where $V$ is a subset of $\mathbb{F}_{p^n}$. Then, we solve PDP of $m$th order by solving the corresponding $(m+1)$th summation polynomial $f_{m+1}(X_1, \dots, X_m, \bar{x}) = 0$, where $\bar{x}$ is the $x$-coordinate of the point to be decomposed.
Note that this factor base is naturally invariant under point negation. That is, $P_i \in \mathcal{F}$ implies $-P_i \in \mathcal{F}$. In this case, we have about $|\mathcal{F}|/2$ (trivial) relations $P_i + (-P_i) = O$ for free, so we only need to find the other $|\mathcal{F}|/2$ nontrivial relations. In general, we will only discuss factor bases that are invariant under point negation, so by abuse of language, both $\mathcal{F}$ and $\mathcal{F}$ modulo point negation may be referred to as a factor base in the rest of this section.
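As an added worked example (not code from the chapter), the following Python script carries out steps 1 and 2 of the index calculus described above on a constructed toy curve over a prime field: it builds a factor base from the points whose $x$-coordinate lies in a small constructed subset $V$, and solves the 2nd-order PDP for random points $a_iP + b_iQ$ using Semaev's 3rd summation polynomial $f_3$ (the standard formula for short Weierstrass curves, which the text above elides) to filter candidate $x$-coordinate pairs before resolving the signs of the $y$-coordinates. The curve parameters, $V$, and the secret $\alpha$ are assumptions for the demo; the linear algebra step is not included.

```python
# Added example, not code from the chapter: steps 1 and 2 of index calculus on a
# constructed toy curve E: y^2 = x^3 + a*x + b over F_p, with the 2nd-order PDP
# solved through Semaev's 3rd summation polynomial f_3 (standard formula for
# short Weierstrass curves). p, a, b, the subset V and alpha are assumptions.
import random

p, a, b = 1019, 1, 1      # constructed; p = 3 (mod 4) keeps square roots simple

def inv(x):
    return pow(x, p - 2, p)

def add(P, Q):
    """Affine addition on E; None denotes the point at infinity O."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:        # Q == -P
        return None
    if P == Q:
        lam = (3 * x1 * x1 + a) * inv(2 * y1) % p
    else:
        lam = (y2 - y1) * inv(x2 - x1) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, P):
    """Double-and-add scalar multiplication k*P."""
    R = None
    while k:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R

def f3(X1, X2, X3):
    """Semaev's 3rd summation polynomial for y^2 = x^3 + a*x + b: zero exactly
    when points with these x-coordinates satisfy P1 +/- P2 +/- P3 = O."""
    return ((X1 - X2) ** 2 * X3 ** 2
            - 2 * ((X1 + X2) * (X1 * X2 + a) + 2 * b) * X3
            + (X1 * X2 - a) ** 2 - 4 * b * (X1 + X2)) % p

def lift(x):
    """The 0, 1 or 2 affine points of E with x-coordinate x."""
    rhs = (x ** 3 + a * x + b) % p
    y = pow(rhs, (p + 1) // 4, p)             # square root when p = 3 (mod 4)
    if y * y % p != rhs:
        return []
    return [(x, 0)] if y == 0 else [(x, y), (x, p - y)]

# Step 1: factor base F = {P in E(F_p) : x(P) in V}; V is a constructed small subset.
V = list(range(64))
factor_base = [P for x in V for P in lift(x)]

def decompose(R):
    """PDP of 2nd order: (P1, P2) in F with P1 + P2 = R, or None. f_3 filters the
    x-coordinate pairs; the signs of the y-coordinates are resolved afterwards."""
    for i, x1 in enumerate(V):
        for x2 in V[i:]:
            if f3(x1, x2, R[0]) != 0:
                continue
            for P1 in lift(x1):
                for P2 in lift(x2):
                    if add(P1, P2) == R:
                        return (P1, P2)
    return None

def collect_relations(P, Q, trials, seed=1):
    """Step 2: try to decompose random a_i*P + b_i*Q; each success is a relation
    a_i*P + b_i*Q = P1 + P2 over the factor base."""
    rng = random.Random(seed)
    relations = []
    for _ in range(trials):
        ai, bi = rng.randrange(1, p), rng.randrange(1, p)
        R = add(mul(ai, P), mul(bi, Q))
        if R is None:
            continue
        d = decompose(R)
        if d is not None:
            relations.append((ai, bi, d))
    return relations

def relation_holds(P, Q, rel):
    ai, bi, (P1, P2) = rel
    return add(mul(ai, P), mul(bi, Q)) == add(P1, P2)

def f3_vanishes(P, Q):
    """f_3 vanishes on the x-coordinates of P, Q and P + Q."""
    S = add(P, Q)
    return S is None or f3(P[0], Q[0], S[0]) == 0

def base_point(start):
    """First affine point of E with x-coordinate >= start (outside V for the demo)."""
    x = start
    while not lift(x):
        x += 1
    return lift(x)[0]

if __name__ == "__main__":
    P = base_point(200)
    Q = mul(123, P)                           # alpha = 123 is the constructed secret
    rels = collect_relations(P, Q, 40)
    print(len(factor_base), "factor-base points;", len(rels), "relations from 40 trials")
    print("all relations verified:", all(relation_holds(P, Q, r) for r in rels))
```

Because $f_3$ only sees $x$-coordinates, a zero of $f_3$ says that $R = \pm P_1 \pm P_2$ for some choice of signs, which is why `decompose` still has to try the lifts; a factor base invariant under negation, as discussed above, is exactly what makes this sign resolution cheap.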

Weil Restriction
Restricting the $x$-coordinates of the points in a factor base to a subset of $\mathbb{F}_{p^n}$ is important from the viewpoint of polynomial system solving. Take $f_3$ as an example. When decomposing a random point $aP + bQ$, we first substitute its $x$-coordinate into, say, $X_3$, projecting the ideal onto $\mathbb{F}_{p^n}[X_1, X_2]$. The dimension of the variety of this ideal is nonzero. Therefore, we would like to impose some restrictions on $X_1$ and $X_2$ to reduce the dimension to zero so that the solving time becomes more manageable.
When looking for solutions to . This can be done by identifying the indeterminate $X$ with $X_1\theta_1 + \cdots + X_n\theta_n$, where $(\theta_1, \dots, \theta_n)$ is a basis for $\mathbb{F}_{p^n}$ over $\mathbb{F}_p$. Hence, $f$ can be identified with a polynomial $f_1\theta_1 + \cdots + f_n\theta_n$, where $f_1, \dots, f_n \in A = \mathbb{F}_p[X_1, \dots, X_n]/(X_1^p - X_1, \dots, X_n^p - X_n)$, by appropriately sending each coefficient $a_i \in \mathbb{F}_{p^n}$ to $a_i^{(1)}\theta_1 + \cdots + a_i^{(n)}\theta_n$ for $a_i^{(1)}, \dots, a_i^{(n)} \in \mathbb{F}_p$. Therefore, an equation $f = 0$ over $\mathbb{F}_{p^n}$ gives rise to a system of equations $f_1 = \cdots = f_n = 0$ over $\mathbb{F}_p$. This technique is known as the Weil restriction and is used in the Gaudry-Diem attack, where the factor base is chosen to consist of points whose $x$-coordinates lie in a subspace $V$ of $\mathbb{F}_{p^n}$ over $\mathbb{F}_p$ [25,30].
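To make the Weil restriction concrete, here is an added example (not from the chapter or the papers it cites) for the case $n = 2$: it represents $\mathbb{F}_{p^2}$ as $\mathbb{F}_p[\theta]/(\theta^2 - c)$ with basis $(1, \theta)$, substitutes $X = X_1 + X_2\theta$ with $X_1, X_2 \in \mathbb{F}_p$ into a univariate equation $f(X) = 0$, and splits the result into the two $\mathbb{F}_p$-equations $f_1 = f_2 = 0$. The prime $p = 7$, the non-residue $c = 3$ and the sample equation $X^2 = (1 + \theta)^2$ are constructed.

```python
# Added example, not code from the chapter: Weil restriction of f(X) = 0 over
# F_{p^2} = F_p[theta]/(theta^2 - c) to a system of two equations over F_p.
# p and the non-residue c are constructed.
p = 7
c = 3          # 3 is a quadratic non-residue mod 7, so theta^2 - 3 is irreducible

def fq_mul(u, v):
    """(u0 + u1*theta)(v0 + v1*theta) with theta^2 = c; elements are pairs over F_p."""
    return ((u[0] * v[0] + c * u[1] * v[1]) % p, (u[0] * v[1] + u[1] * v[0]) % p)

def fq_add(u, v):
    return ((u[0] + v[0]) % p, (u[1] + v[1]) % p)

# A polynomial in F_{p^2}[X1, X2] is a dict {(e1, e2): coefficient in F_{p^2}}.
def poly_add(f, g):
    h = dict(f)
    for mono, coef in g.items():
        h[mono] = fq_add(h.get(mono, (0, 0)), coef)
    return {m: cf for m, cf in h.items() if cf != (0, 0)}

def poly_mul(f, g):
    h = {}
    for m1, c1 in f.items():
        for m2, c2 in g.items():
            mono = (m1[0] + m2[0], m1[1] + m2[1])
            h[mono] = fq_add(h.get(mono, (0, 0)), fq_mul(c1, c2))
    return {m: cf for m, cf in h.items() if cf != (0, 0)}

def weil_restrict(coeffs):
    """coeffs[i] in F_{p^2} is the coefficient of X^i in f(X). Substitute
    X = X1 + X2*theta and split f(X) into its '1'-component f1 and
    'theta'-component f2, both polynomials over F_p in X1, X2."""
    X = {(1, 0): (1, 0), (0, 1): (0, 1)}          # X1 * 1 + X2 * theta
    result, power = {}, {(0, 0): (1, 0)}          # power runs through X^0, X^1, ...
    for coef in coeffs:
        result = poly_add(result, poly_mul({(0, 0): coef}, power))
        power = poly_mul(power, X)
    f1 = {m: cf[0] for m, cf in result.items() if cf[0]}
    f2 = {m: cf[1] for m, cf in result.items() if cf[1]}
    return f1, f2

def evaluate(f, x1, x2):
    """Evaluate an F_p polynomial in X1, X2 given as {(e1, e2): coefficient}."""
    return sum(cf * pow(x1, e1, p) * pow(x2, e2, p) for (e1, e2), cf in f.items()) % p

def common_zeros(f1, f2):
    """Solutions (X1, X2) in F_p x F_p of the restricted system f1 = f2 = 0."""
    return [(x1, x2) for x1 in range(p) for x2 in range(p)
            if evaluate(f1, x1, x2) == 0 and evaluate(f2, x1, x2) == 0]

if __name__ == "__main__":
    # f(X) = X^2 - (4 + 2*theta); note (1 + theta)^2 = 1 + 2*theta + 3 = 4 + 2*theta.
    f1, f2 = weil_restrict([(3, 5), (0, 0), (1, 0)])
    print("f1 =", f1)          # X1^2 + 3*X2^2 + 3
    print("f2 =", f2)          # 2*X1*X2 + 5
    print("solutions over F_p x F_p:", common_zeros(f1, f2))   # (1, 1) and (6, 6)
```

The single equation over $\mathbb{F}_{49}$ has become two equations in two unknowns over $\mathbb{F}_7$, whose only common zeros are $X = \pm(1 + \theta)$; the same bookkeeping, with $n$ components instead of two, is what turns a summation polynomial over $\mathbb{F}_{p^n}$ into the zero-dimensional system the attack solves.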

Exploiting Symmetry
Naturally, the symmetric group $S_m$ acts on a point decomposition $P_1 + \cdots + P_m$ because elliptic curve groups are abelian. As noted by Gaudry in his seminal work [30], we can therefore rewrite the variables $x_1, \dots, x_m \in \mathbb{F}_{p^n}$ in terms of the elementary symmetric polynomials $e_1, \dots, e_m$, where Such rewriting can reduce the degree of summation polynomials and significantly speed up point decomposition [27,31].
We might be able to exploit additional symmetry brought by actions of other groups, e.g., when the factor base is invariant under addition of small torsion points. For example, consider a decomposition of a point $R$ under the action of addition of a 2-torsion point $T_2$: Clearly, this holds for any $u_1, \dots, u_{n-1} \in \{0, 1\}$, so a decomposition can give rise to $2^{n-1} - 1$ other decompositions. Similar to rewriting using the elementary symmetric polynomials for the action of $S_m$, we can also take advantage of this additional symmetry by appropriately rewriting [26].
Naturally, such speedup is curve-specific. Furthermore, even if the factor base is invariant under additional group actions, we may or may not be able to exploit such symmetry to speed up the point decomposition depending on whether the action is "easy to handle in the polynomial system solving process" [26].

PDP on (Twisted) Edwards Curves
Faugère, Gaudry, Hout, and Renault studied PDP on twisted Edwards, twisted Jacobi intersections, and Weierstrass curves [26]. For the sake of completeness, we include some of their results here. An Edwards curve over $\mathbb{F}_{p^n}$ for $p \neq 2$ is defined by the equation $x^2 + y^2 = 1 + dx^2y^2$ for certain $d \in \mathbb{F}_{p^n}$ [24]. A twisted Edwards curve $tE_{a,d}$ over $\mathbb{F}_{p^n}$ for $p \neq 2$ is defined by the equation $ax^2 + y^2 = 1 + dx^2y^2$ for certain $a, d \in \mathbb{F}_{p^n}$ [23]. A twisted Edwards curve is a quadratic twist of an Edwards curve. For $P = (x, y) \in tE_{a,d}$, $-P = (-x, y)$. Furthermore, the addition and doubling formulae for $(x_3, y_3) = (x_1, y_1) + (x_2, y_2)$ are given as follows: When $(x_1$, The 3rd summation polynomial for twisted Edwards curves is [26]: Again, the subsequent summation polynomials are obtained by taking resultants.

Symmetry and Decomposition Probability
Symmetry brought by a group action on point decompositions will inevitably be accompanied by a decrease in decomposition probability. For example, if a factor base $\mathcal{F}$ is invariant under addition of a 2-torsion point, then the decomposition probability for PDP of the $m$th order should decrease by a factor of $2^{m-1}$. This is for the same reason that the decomposition probability decreases by a factor of $m!$ because the symmetric group $S_m$ acts on $\mathcal{F}$. However, this simple fact seems to have been largely ignored in the literature. For example, Faugère, Gaudry, Hout, and Renault explicitly stated in Sect. 5.3 of their study that "[the] probability to decompose a point [into a sum of $n$ points from the factor base] is $1/n!$" for twisted Edwards or twisted Jacobi intersections curves, despite the fact that the factor base is invariant under the addition of 2-torsion points [26]. At first glance, this may not seem a problem, as we would expect to obtain $2^{n-1}$ solutions if we can successfully solve a PDP instance. (Unfortunately, this is also not true in general. We will return to it in more detail in Sect. 2.1.5.3.) However, when estimating the cost of a complete ECDLP attack, they proposed to collapse these $2^{n-1}$ relations into one to reduce the size of the factor base and thus the cost of the linear algebra, cf. Remark 5 of the paper. In this case, the decrease in decomposition probability does have an adverse effect, and their estimate of the overall ECDLP cost ended up being overoptimistic by a factor of at least $2^{n-1}$.

Montgomery Curves
A Montgomery curve $M_{A,B}$ over $\mathbb{F}_{p^n}$ for $p \neq 2$ is defined by the equation for $A, B \in \mathbb{F}_{p^n}$ such that $A \neq \pm 2$, $B \neq 0$, and $B(A^2 - 4) \neq 0$ [32]. For $P = (x, y) \in M_{A,B}$, $-P = (x, -y)$. Furthermore, the addition and doubling formulae for $(x_3, y_3) = (x_1, y_1) + (x_2, y_2)$ are given as follows. When $(x_1$, When $(x_1$, , It was noted by Montgomery himself in his original paper that such curves give rise to efficient scalar multiplication algorithms [32]. That is, consider a random point $P \in M_{A,B}(\mathbb{F}_{p^n})$ and $nP = (X_n : Y_n : Z_n)$ in projective coordinates for some integer $n$. Then In particular, when $m = n$ In this way, scalar multiplication on a Montgomery curve can be performed without using $y$-coordinates, leading to fast implementations.

Summation Polynomials for Montgomery Curves
Following Semaev's approach [35], we can construct summation polynomials for Montgomery curves. As for Weierstrass curves, the 2nd summation polynomial for Montgomery curves is simply $f_{M,2} = X_1 - X_2$. Now, we consider $P, Q \in M_{A,B}$ for $P = (x_1, y_1)$ and $Q = (x_2, y_2)$. Let $P + Q = (x_3, y_3)$ and $P - Q = (x_4, y_4)$. By the addition formula, we have Using the relationship between the roots of a quadratic polynomial and its coefficients, we obtain From here, we can obtain the 3rd summation polynomial for Montgomery curves: as well as the subsequent summation polynomials by taking resultants:

Small Torsion Points on Montgomery Curves
A Montgomery curve always contains an affine 2-torsion point $T_2$. Because $T_2 + T_2 = 2T_2 = O$, $-T_2 = T_2$. If we write $T_2 = (x, y)$, then we see that $y = 0$ is required for $-T_2 = T_2$, as $p \neq 2$. Substituting $y = 0$ into Eq. (2.1), we get an equation Therefore, the set of rational points over the definition field $\mathbb{F}_{p^n}$ of a Montgomery curve includes at least two 2-torsion points, namely $O$ and $(0, 0)$. The other 2-torsion points may or may not be rational, so we will focus on $(0, 0)$ in this section. Substituting $(x_2, y_2) = (0, 0)$ into the addition formula for Montgomery curves, we get that for any point $P = (x, y) \in M_{A,B}$, $P + (0, 0) = (1/x, -y/x^2)$.
To be able to exploit the symmetry of addition of $T_2 = (0, 0)$, we need to choose the factor base This means that $V$ needs to be closed under taking multiplicative inverses. In other words, $V$ needs to be a subfield of $\mathbb{F}_{p^n}$, i.e., $V = \mathbb{F}_{p^k}$ for some integer $k$ that divides $n$. In this case, $f_m$ is invariant under the action $x_i \mapsto 1/x_i$. Unfortunately, such an action is not linear and hence not easy to handle in polynomial system solving. How to take advantage of this kind of symmetry in PDP is still an open research problem.
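The closed form $P + (0, 0) = (1/x, -y/x^2)$ and the closure condition on $V$ can be checked directly. The Python below is an added example (not code from the chapter) on a constructed Montgomery curve over a small prime field; it uses the standard affine addition and doubling formulae for $By^2 = x^3 + Ax^2 + x$, which the text above elides, compares them with the closed form on every rational point, and tests whether a candidate set $V$ of $x$-coordinates is closed under $x \mapsto 1/x$.

```python
# Added example, not code from the chapter: the action of the 2-torsion point
# T2 = (0, 0) on a Montgomery curve B*y^2 = x^3 + A*x^2 + x over F_p, checked
# against the generic addition law, plus the closure condition on the set V of
# factor-base x-coordinates. p, A, B are constructed; the affine formulae are
# the standard ones.
p, A, B = 101, 6, 1      # constructed; A != +-2 and B != 0 (mod p) as required

def inv(x):
    return pow(x, p - 2, p)

def add(P, Q):
    """Affine addition on M_{A,B}; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:        # Q == -P (covers T2 + T2 = O)
        return None
    if P == Q:
        lam = (3 * x1 * x1 + 2 * A * x1 + 1) * inv(2 * B * y1) % p
    else:
        lam = (y2 - y1) * inv(x2 - x1) % p
    x3 = (B * lam * lam - A - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def points():
    """All affine rational points, by brute force (fine for a tiny p)."""
    pts = []
    for x in range(p):
        rhs = (x ** 3 + A * x * x + x) * inv(B) % p
        pts += [(x, y) for y in range(p) if y * y % p == rhs]
    return pts

T2 = (0, 0)

def add_T2_closed_form(P):
    """The formula from the text: P + (0, 0) = (1/x, -y/x^2), valid for x != 0."""
    x, y = P
    return (inv(x), (-y * inv(x) ** 2) % p)

def t2_action_matches():
    """Compare the closed form with the generic addition law on every point with x != 0."""
    return all(add(P, T2) == add_T2_closed_form(P) for P in points() if P[0] != 0)

def closed_under_inverse(V):
    """Is the factor base {P : x(P) in V} mapped into itself by adding T2?
    Since x -> 1/x, the nonzero elements of V must be closed under inversion."""
    Vset = set(V)
    return all(inv(x) in Vset for x in V if x != 0)

if __name__ == "__main__":
    print("closed form matches addition law:", t2_action_matches())
    print("V = F_p closed under inversion:", closed_under_inverse(range(p)))
    print("V = {1,...,9} closed under inversion:", closed_under_inverse(range(1, 10)))
```

Over a prime field the only subfield is $\mathbb{F}_p$ itself, so the check on the small interval $\{1, \dots, 9\}$ fails as expected; over $\mathbb{F}_{p^n}$ the same test is what forces $V$ to be a subfield rather than an arbitrary $\mathbb{F}_p$-subspace.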

Hessian Curves
A Hessian curve $H_d$ over $\mathbb{F}_{p^n}$ for $p^n \equiv 2 \pmod 3$ is defined by the equation for $d \in \mathbb{F}_{p^n}$ such that $27d^3 \neq 1$ [36]. For $P = (x, y) \in H_d$, $-P = (y, x)$. Furthermore, the addition and doubling formulae for $(x_3, y_3) = (x_1, y_1) + (x_2, y_2)$ are given as follows.

Summation Polynomials for Hessian Curves
Following a similar approach outlined by Galbraith and Gebregiyorgis [29], we can construct summation polynomials for Hessian curves. First, we introduce a new variable $T = X + Y$, which is invariant under point negation. The 2nd summation polynomial for Hessian curves is simply Clearly, $Z$ is in the variety of the ideal Again, we compute the elimination ideal and obtain a principal ideal generated by some polynomial. After removing the degenerate factors, we obtain the 3rd summation polynomial for Hessian curves: as well as the subsequent summation polynomials by taking resultants:

Small Torsion Points on Hessian Curves
As we shall see in Sect. 2.1.4.1, we will compare elliptic curves in various forms that are isomorphic to one another over the same definition field. As a result, we will only experiment with those Hessian curves that include 2-torsion points, like Montgomery or (twisted) Edwards curves. Because In this case, the addition of Obviously, the typical factor bases are not invariant under addition of this 2-torsion point in general. A Hessian curve always contains a 3-torsion point $T_3$ such that $3T_3 = O$ [36]. If we let $T_3 = (x, y)$, then we see that $2(x, y) = -(x, y) = (y, x)$; substituting this into the doubling formula, we get Because $x$ and $y$ cannot be zero at the same time, we have $x^3 - y^3 = 1 - x^3 = y^3 - 1$, or $x^3 = y^3 = 1$. Now, because $p^n \equiv 2 \pmod 3$, $\mathbb{F}_{p^n}$ does not have any primitive cube roots of unity, so $x = y = 1$ and $T_3 = (1, 1)$. By the addition formula, if $P = (x, y)$, then However, for $P \in \mathcal{F}$, we only know that $t = x + y \in V \subset \mathbb{F}_{p^n}$, but we know nothing about $1 - xy$, which can lie outside of $V$. Therefore, again, typical factor bases are not invariant under addition of this 3-torsion point in general. Therefore, it is not

Experiments on PDP Solving
This section shows the results of our experiments conducted to compare the computational complexity of PDP on four different curves: Hessian ($H$), Weierstrass ($W$), Montgomery ($M$), and twisted Edwards ($tE$).

Experimental Setup
As explained in Sect. 2.1.2.1, we focus on PDP in these experiments, as the linear algebra step is already well understood. Furthermore, we focus on the bottleneck computation in PDP, namely, the cost of the F4 algorithm for computing Gröbner bases of the polynomial systems obtained after rewriting using the elementary symmetric polynomials and applying the Weil restriction technique to the summation polynomials. This way we take advantage of the symmetry of $S_m$ acting on point decompositions. However, we did not exploit the symmetry of any other group actions. This is because we want to compare the intrinsic computational complexity of PDP and hence only consider the symmetry that is present in all curves. Exploiting further curve-specific symmetry whenever possible will result in a further speedup, but it would be independent of our findings here.

Experimental Results
Figure 2.1 presents our experimental results for the case of $n = 5$. Here, we choose our factor base by taking $V$ as the base field $\mathbb{F}_p$ of $\mathbb{F}_{p^n}$. All our experiments were performed using the MAGMA computational algebra system (version 2.23-1) on a single core of an Intel Xeon CPU E7-4830 v4 running at 2 GHz. Each PDP solving run is compared by running time (in seconds), Dreg, Matcost, and Rank. "Dreg" is the maximum step degree reached during the execution of the F4 algorithm, which is referred to as the "degree of regularity" in the literature [29] and provides an upper bound for the sizes of the Macaulay submatrices involved in the computation; "Matcost" is a number output by the MAGMA implementation of the F4 algorithm and provides an estimate of the linear algebra cost during its execution; and finally, "Rank" is the number of linearly independent relations we obtain once we successfully solve a PDP instance. Rank is an important factor to consider, as it determines how many PDP instances we need to solve successfully to have enough relations for a complete ECDLP attack using index calculus. We can clearly see that the PDP solving time and Matcost for twisted Edwards curves are much smaller than those for the other curves. In contrast, the degrees of regularity for Montgomery and twisted Edwards curves are smaller than those of the other curves in the case of $m = 4$. In addition, we can see that the rank for Hessian and Weierstrass curves is 1 in all cases, whereas for Montgomery and twisted Edwards curves it is 4 and 5 in the cases of $m = 3$ and $m = 4$, respectively. Last but not least, although we only present results for small $p$ (around 8 bits long) here, we also have preliminary results for larger $p$ (around 16 and 32 bits long). Apart from slight differences in the absolute running time, all other results such as Dreg, Matcost, and Rank are similar, so we do not repeat them here.

Revisit Summation Polynomial in Each Form
As we have seen in Sect. 2.1.4.2, PDP on (twisted) Edwards curves seems easier to solve than on other curves. The explanation offered by Faugère, Gaudry, Hout, and Renault is "due to the smaller degree appearing in the computation of Gröbner basis of $S_{D_n}$ in comparison with the Weierstrass case," cf. Sect. 4.1.1 of their paper [26]. Unfortunately, this cannot explain the difference between (twisted) Edwards and Montgomery curves, as the highest degrees appearing in the computation of Gröbner bases are the same for these two curves. Therefore, there must be other reasons. We have found that the total number of terms for twisted Edwards curves is significantly lower than that for the other curves in all cases. Naturally, this could lead to faster solving time with the F4 algorithm. We also note that, except for the twisted Edwards curves, the summation polynomials before Weil restriction for the other curves are all 100% dense without any missing terms.

Missing Terms of Summation Polynomials in (Twisted) Edwards Curves
In this section, we will show that the summation polynomials for (twisted) Edwards curves mainly have terms of even degrees. The set of terms of even degrees is closed under multiplication, so intuitively, such polynomials are easier to solve, which can be the main reason for the efficiency gain observed in the case of (twisted) Edwards curves.
We shall make this intuition precise in Theorem 2.1, but before we state the main result, we need to clarify our terminology for ease of exposition. When a multivariate polynomial is regarded as a univariate polynomial in one of its variables $T$, we say that the coefficient $a_i$ of a term $a_iT^i$ is an even- or odd-degree coefficient depending on whether $i$ is even or odd, respectively. Note that these coefficients are themselves multivariate polynomials in one fewer variable.
We say that a monomial $m = \prod_{i=1}^{n} x_i^{e_i}$, $e_i \ge 0$, in a multivariate polynomial in $n$ variables is of even degree, or simply an even-degree monomial, if $\sum_i e_i$ is even; it is of odd degree, or simply an odd-degree monomial, otherwise. In contrast, a monomial is of (homogeneous) even parity if all $e_i$ are even; it is of (homogeneous) odd parity if all $e_i$ are odd. A monomial is of homogeneous parity if it is either of homogeneous even or odd parity. Note that the definition of monomials of odd parity depends on the total number of vari­ables in the polynomial, which is not the case for monomials of even parity because we regard 0 as even. For example, the monomial $x_1x_2$ is a monomial of odd parity in a polynomial in $x_1$ and $x_2$ but not so in another polynomial in $x_1, \dots, x_n$ for $n > 2$.
By abuse of language, we say that a polynomial is of even or odd parity if it is a linear combination of monomials of even or odd parity, respectively; that a polynomial is of homogeneous parity if it is a linear combination of monomials of homogeneous parity. The set of polynomials of even parity is closed under polynomial addition and multiplication and hence forms a subring. In contrast, a polynomial $f$ in $x_1, \dots, x_n$ of odd parity must have the form $\sum_i c_i \prod_{j=1}^{n} x_j^{e_{ij}}$ for $e_{ij}$ odd. Therefore, if $f$ is a polynomial of odd parity and $g$ a polynomial of even parity, then $fg$ must be of odd parity.  $\dots, X_m, x)$, where $x$ is a constant depending on the point to be decomposed.
1. If $m$ is even, then $g_{E,m}$ has no monomials of odd degree.
2. If $m$ is odd, then $g_{E,m}$ has some but not all monomials of odd degree.
Among the four forms of elliptic curves that we investigated in this section, only the (twisted) Edwards form satisfies the premises of Theorem 2.1. As we have seen in Sect. 2.1.4, the PDP solving time for the (twisted) Edwards form is thus significantly faster than that for the other forms.
We will prove Theorem 2.1 in the rest of this section, for which we will need the following lemmas.
We denote by $s_{ij}$ the entry at the $i$th row and $j$th column of $S$ for $1 \le i, j \le m + n$.
Because both $m$ and $n$ are even, an even-degree coefficient $a_{2k}$ or $b_{2k}$ appears in $s_{ij}$ for which the sum of indices $i + j$ is even. Similarly, an odd-degree coefficient $a_{2k+1}$ or $b_{2k+1}$ appears in $s_{ij}$ for which the sum of indices $i + j$ is odd. Now recall that the determinant of $S$ is defined as $\sum_{\sigma \in S_{n+m}} \operatorname{sgn}(\sigma)\, s_{1,\sigma(1)} \cdot s_{2,\sigma(2)} \cdots s_{m+n,\sigma(m+n)}$.
We note that the sum of the indices of any summand is which is always even. Therefore, the odd-degree coefficients must appear an even number of times, thus completing the proof.
We shall prove this lemma by induction on $m$.
By the premise that $f_{E,3}$ is of homogeneous parity, $b_0$ and $b_2$ must consist only of monomials (in $X_m$ and $X_{m+1}$) of even parity. Furthermore, $b_1 = cX_mX_{m+1}$ for some constant $c$. This is because $f_{E,3}$ is of degree 2 in each variable, for which the only monomial of odd parity is $X_mX_{m+1}X$. Now consider a term $c_kX_{m+1}^k$ of as a univariate polynomial in $X_{m+1}$. Again, as $f_{E,3}$ is of degree 2 in $X$, we have the case of $n = 2$ in Eq. 2.3. Now $X_{m+1}$ must come from $b_1$, so we can conclude that We will complete the proof by showing that $c_kX_{m+1}^k$ is a polynomial in $X_1, \dots, X_{m+1}$ of homogeneous parity for all $k$ as follows.
1. If $k$ is even, then by Lemma 2.1, $\beta_i$ and $\gamma_i$ are both even or both odd in each summand. In either case, the product $a_{\beta_i}a_{\gamma_i}$ is a polynomial in $X_1, \dots, X_{m-1}$ of even parity. It follows that each summand is a polynomial of even parity because it is a product of polynomials of even parity. Hence, $c_kX_{m+1}^k$ is a polynomial of even parity.
2. If $k$ is odd, the situation is similar but slightly more complicated. By Lemma 2.1, exactly one of $\beta_i$ and $\gamma_i$ is odd in each summand, say $\beta_i$. By the induction hypothesis, $a_{\beta_i}$ is a polynomial in $X_1, \dots, X_{m-1}$ of odd parity because it comes from $a_{\beta_i}X^{\beta_i}$ in $f_{E,m}$. It follows that each summand is a polynomial of odd parity because it is a product of a polynomial of even parity $a_{\gamma_i}\,b_0^{\delta_i}\,b_2^{\,\cdot}$ and a polynomial of odd parity $a_{\beta_i}X_m^{k}X_{m+1}^{k}$. Hence, $c_kX_{m+1}^k$ is a polynomial of odd parity.
is of homogeneous parity. Obviously, the monomials of even parity remain of even degree after $x$ is substituted. If $m$ is even, then the monomials of odd parity in $f_{E,m+1}$ become of even degree after $x$ is substituted, because an even number of odd numbers sum to an even number. Similarly, if $m$ is odd, then the monomials of odd parity in $f_{E,m+1}$ become of odd degree after $x$ is substituted. However, those odd-degree monomials that are not of homogeneous parity, e.g., $X_1^2X_2$, cannot appear in $g_{E,m}$ by Lemma 2.2. This completes the proof of Theorem 2.1.

What Price for a Highly Symmetric Factor Base?
Last but not least, we discuss the price to be paid for a highly symmetric factor base $\mathcal{F}$ that is invariant under more group actions in addition to that of the symmetric group $S_m$. As previewed in Sect. 2.1.2.6, we would expect that the effect of the decrease in decomposition probability due to additional symmetry in $\mathcal{F}$ could be offset by that of the increase in the number of solutions. For example, let us reconsider the group action of addition of $T_2$ in Sect. 2.1.2.4. If we could get $2^{m-1}$ solutions, then the loss of the factor of $2^{m-1}$ in decomposition probability would be compensated. This way everything would be the same as if there were no such symmetry, and we could exploit the additional symmetry at no cost.
Unfortunately, this proposition is false in general. Consider an example with $m = 4$. Let $Q_i = P_i + T_2$ for $i = 1, 2, 3, 4$. We can write down all $2^{m-1} = 8$ possible ways of a point decomposition under this group action: It is easy to find that we have only five linearly independent relations among these eight, as there are nontrivial linear combinations summing to zero, e.g.: As explained in Sect. 2.1.4.1, the factor bases for Montgomery and twisted Edwards curves are invariant under addition of 2-torsion points. For $m = 3$, we achieve the maximum rank of $2^{m-1} = 4$. For $m = 4$, as explained above, we can only have rank 5, which is strictly less than the maximum possible rank $2^{m-1} = 8$. Finally, we note that we have not exploited any symmetry for Hessian curves in our experiments. However, the rank for Hessian curves is always 1 in all our experiments. This shows that the factor base we have chosen for Hessian curves is not invariant under addition of small torsion points, as the rank would be $> 1$ otherwise.
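The rank count above can be checked mechanically. The Python below is an added example (not from the chapter): it enumerates the $2^{m-1}$ decompositions obtained by adding $T_2$ to an even number of the $P_i$ (an even number of copies of $T_2$ cancels, since $2T_2 = O$), encodes each as a 0/1 vector over the $2m$ symbols $P_1, \dots, P_m, Q_1, \dots, Q_m$, and computes the rank over $\mathbb{Q}$, which agrees with the rank modulo any odd prime, the case relevant for $\operatorname{ord} P$. Beyond the text's $m = 3$ and $m = 4$, running it for larger $m$ shows that the rank stays at $m + 1$ while $2^{m-1}$ keeps doubling.

```python
# Added example, not code from the chapter: rank of the 2^(m-1) relations obtained
# from one decomposition R = P_1 + ... + P_m under the action of adding T2.
# Columns of each vector: P_1..P_m, then Q_1..Q_m with Q_i = P_i + T2.
from fractions import Fraction
from itertools import combinations

def relation_vectors(m):
    """One vector per even-size subset S of {1..m}: the decomposition that uses
    Q_i for i in S and P_i otherwise. |S| even keeps the sum equal to R."""
    vecs = []
    for k in range(0, m + 1, 2):
        for S in combinations(range(m), k):
            v = [0] * (2 * m)
            for i in range(m):
                v[m + i if i in S else i] = 1
            vecs.append(v)
    return vecs

def rank(rows):
    """Rank of an integer matrix by Gaussian elimination over the rationals."""
    M = [[Fraction(x) for x in r] for r in rows]
    r = 0
    for col in range(len(M[0]) if M else 0):
        pivot = next((i for i in range(r, len(M)) if M[i][col] != 0), None)
        if pivot is None:
            continue
        M[r], M[pivot] = M[pivot], M[r]
        for i in range(len(M)):
            if i != r and M[i][col] != 0:
                factor = M[i][col] / M[r][col]
                M[i] = [a - factor * b for a, b in zip(M[i], M[r])]
        r += 1
    return r

def relation_rank(m):
    """Number of linearly independent relations among the 2^(m-1) decompositions."""
    return rank(relation_vectors(m))

if __name__ == "__main__":
    print(" m  2^(m-1)  rank")
    for m in range(2, 8):
        print(f"{m:2d}  {2 ** (m - 1):7d}  {relation_rank(m):4d}")
```

For $m = 4$ the eight vectors all lie in the span of the five vectors $\sum_i P_i$ and $Q_i - P_i$ ($i = 1, \dots, 4$), which is why the rank is 5 rather than 8; the same argument gives $m + 1$ for every $m \ge 3$.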

Concluding Remarks
In this section, we experimentally explored the index-calculus attack on ECDLP over curves in different forms, namely twisted Edwards, Montgomery, Hessian, and Weierstrass curves, under fair conditions, as the curves are isomorphic to each other over the same definition field $\mathbb{F}_{p^n}$, and showed that twisted Edwards curves are clearly faster to attack than the others. We investigated the summation polynomials of all forms in detail, found that large differences exist in the number of terms, and proved that monomials of odd degree do not exist in the summation polynomials of twisted Edwards curves. We showed that this difference is what leads to a shorter solving time for the index-calculus attack on ECDLP over twisted Edwards curves than over the others.

Introduction
The ring variant of learning with errors (Ring-LWE) based cryptography [15,16] is one of the most attractive research areas in cryptography. Ring-LWE has provided efficient and provably secure post-quantum cryptographic protocols, including homomorphic encryption (HE) schemes [4,5,9]. Improving the efficiency and security of both post-quantum cryptography and HE is strongly desirable. In fact, the standardization of post-quantum cryptography is under development by the National Institute of Standards and Technology. Moreover, HE schemes, which enable computation on encrypted data without decryption, have many applications in cloud computing.
Ring-LWE is characterized by two probabilistic distributions, modulus parameters (integers) and number fields, as detailed in Sect. 2.2.2.4. Usually, cyclotomic fields are used as the underlying number fields to increase efficiency and security [17]. However, especially in the case of HE schemes, improving the efficiency of the encryption/decryption procedures and homomorphic arithmetic operations on encrypted data while ensuring security remain important tasks.
To construct an HE scheme that can simultaneously encrypt many plaintexts efficiently, Arita and Handa proposed the use of a decomposition field, which is contained in a cyclotomic field with prime conductor, as the underlying number field for Ring-LWE [1]. (Sect. 2.2.3 presents the details of decomposition fields and of Arita and Handa's idea.) Arita and Handa's HE scheme, which is called the subring HE scheme, is indistinguishable under chosen-plaintext attack if the decision variant of Ring-LWE over the decomposition fields is computationally infeasible. Arita and Handa's experiments [1, Sect. 5] showed that the performance of the subring HE scheme is much better than that of the FV scheme based on Ring-LWE over cyclotomic fields with prime conductors, as implemented in HElib [11].
As for the security of the subring HE scheme, Arita and Handa remarked that in the case of decomposition fields, some of the security properties of Ring-LWE in the case of cyclotomic fields are also satisfied. More concretely, there exists a quantum polynomial-time reduction from the approximate shortest vector problem on certain ideal lattices to Ring-LWE over decomposition fields, and the equivalence between the decision and search variants of Ring-LWE over decomposition fields is satisfied.
However, solving Ring-LWE is reduced to solving certain problems on lattices, such as the closest vector problem (CVP) and the shortest vector problem, and the difficulty of problems on lattices depends heavily on the structure and given bases of the underlying lattices. For example, if the shortest vector is much shorter than the second shortest vector in a certain lattice L, then the shortest vector problem for lattice L would be easy. This means that the underlying number fields affect the difficulty of lattice problems arising in Ring-LWE. Hence, to ensure the security of the subring HE scheme, experimental or theoretical analyses of (lattice) attacks should be performed. However, [1] does not provide any such analysis.
In this study, we provide an experimental analysis of the security of Ring-LWE over decomposition fields. More precisely, we compare the security of Ring-LWE over decomposition fields with that of Ring-LWE over cyclotomic fields with prime conductors. In our experiments, we reduce search Ring-LWE to the (approximate) CVP on certain lattices in the same way as Bonnoron et al.'s analysis [3], because the target of Bonnoron et al.'s analysis is Ring-LWE optimized for HE. We use Babai's nearest plane algorithm [2] and Kannan's embedding technique [12] to solve the CVP. We then compare the running times, success rates, and root Hermite factors. (The root Hermite factor [10] is usually used to evaluate the quality of lattice attacks.) We also compare the experimental results of lattice attacks against Ring-LWE over various decomposition fields to find those fields that yield weak Ring-LWE instances.
Our experimental results indicate that the success rates and Hermite root factors for the decomposition fields are almost the same as those for the cyclotomic fields. However, the running time for decomposition fields is longer than that for cyclotomic fields. Moreover, the difference in running time increases as the rank of the lattices increases.
Therefore, we believe that Ring-LWE over decomposition fields is more secure against the above lattice attacks than that over cyclotomic fields because the ranks of the lattices occurring in our experiments are much lower than the ranks of the lattices used in practice. This means that to construct HE schemes (or schemes of other types), fewer parameters are needed for Ring-LWE over decomposition fields than for Ring-LWE over cyclotomic fields. Therefore, as a result of our analysis, we believe that Ring-LWE over decomposition fields can be used to construct more efficient HE schemes.

Preliminaries
In this section, we briefly review the notation of lattices, Galois theory, number fields, and Ring-LWE. Throughout this study, Z, Q, R, and C denote the ring of (rational) integers, field of rational numbers, field of real numbers, and field of complex numbers, respectively. For a positive integer m ∈ Z, we suppose that any element of Z/mZ is represented by an integer contained in the interval (−m/2, m/2] ∩ Z.

Lattices
An $m$-dimensional lattice is defined as a discrete additive subgroup of $\mathbb{R}^m$. It is well known that for any lattice $L \subset \mathbb{R}^m$, there exist $\mathbb{R}$-linearly independent vectors $b_1, \ldots, b_n \in \mathbb{R}^m$ such that $L = \sum_{1 \le i \le n} \mathbb{Z} b_i := \{ \sum_{1 \le i \le n} a_i b_i \mid a_i \in \mathbb{Z} \}$. In other words, for a matrix $B = (b_1, \ldots, b_n)$ whose $i$th column vector is $b_i$, we have $L = \{ Bx \mid x \in \mathbb{Z}^n \}$. Then, we say that $\{b_1, \ldots, b_n\}$ is a lattice basis of $L$, and $B$ is the basis matrix of $L$ with respect to $\{b_1, \ldots, b_n\}$. The value $n$ is called the rank of $L$ and is denoted by $\mathrm{rank}(L)$. A lattice has infinitely many bases: for any unimodular matrix $U$, all column vectors of $UB$ also form a basis of $L$. An important invariant of $L$ is its determinant, defined as $\det(L) := \sqrt{\det(B B^t)}$; it is independent of the choice of basis.
There are various computationally hard problems on lattices. Here, we explain the CVP, which is a well-known problem on lattices. Given a lattice $L$ and a target vector $t \in \mathbb{R}^m \setminus L$, the CVP on $(L, t)$ is the problem of finding a vector $x \in L$ such that $\|t - x\| \le \|t - y\|$ for all vectors $y \in L$. For a real number $\gamma > 1$, the approximate CVP on $(L, t, \gamma)$ is the problem of finding a vector $x \in L$ such that $\|t - x\| \le \gamma \|t - y\|$ for all vectors $y \in L$. Babai's nearest plane algorithm and Kannan's embedding technique are basic algorithms for solving the approximate CVP. Almost all known lattice problems that are useful for constructing cryptographic protocols become more difficult as the ranks of the underlying lattices increase, and the quality of the two algorithms mentioned above depends on the ranks of the input lattices.
Breaking some cryptographic protocols can be reduced to solving certain computational problems on lattices, including the (approximate) CVP [3,8]. To solve such problems on lattices, we usually use lattice basis reduction algorithms, which transform a given basis of a lattice into a basis of the same lattice that consists of nearly orthogonal and relatively short vectors. In fact, an input of Babai's nearest plane algorithm is an (LLL) reduced basis, and Kannan's embedding technique outputs an appropriate vector from the reduced basis. In our experiments, to solve CVP using Babai's nearest plane algorithm and Kannan's embedding technique, we use the LLL algorithm [13] and BKZ algorithm [7,19], which are well-known algorithms for computing such bases.
The quality of basis reduction algorithms is usually estimated by the root Hermite factor, which is defined as follows. Let $b$ be the shortest vector of a basis of a lattice $L$ of rank $n$ that has been reduced by a basis reduction algorithm $\mathcal{A}$. Then, the root Hermite factor $\delta_{\mathcal{A},L}$ is defined as the constant satisfying $\delta_{\mathcal{A},L}^{\,n} := \|b\| / \det(L)^{1/n}$. Better basis reduction algorithms yield smaller root Hermite factors.

Galois Theory
To describe decomposition fields, we need to describe Galois theory.
Let K be a field and L an extension field of K ; we denote this situation by L/K . The field L is a K -vector space, and the degree of extension of L/K , denoted by such that f (α) = 0, then L/K is called an algebraic extension of K . It is known that all finite extensions are algebraic extensions.
From now on, we suppose that L/K is a finite algebraic extension. For any α ∈ L, the minimal polynomial over K of α is defined as the monic polynomial f(x) ∈ K[x] of lowest degree among all polynomials in K[x] that vanish at α. We denote the minimal polynomial over K of α by Irr(α, K)(x). Note that the minimal polynomial over K of α coincides with the monic irreducible polynomial over K that vanishes at α. For a subset S ⊂ L, we denote by K(S) the smallest subfield of L among the subfields containing K and S. We call K(S) the field generated by S over K. If L is generated by one element θ ∈ L over K, i.e., L = K(θ), then we have an iso- Next, we describe separable, normal, and Galois extensions of fields. If Irr(α, K)(x) has no multiple roots for any α ∈ L, then L/K is called a separable extension of K. If L contains all roots of Irr(α, K)(x) for any α ∈ L, then L/K is called a normal extension of K. If all algebraic extensions of K, including infinite algebraic extensions, are separable, then K is called a perfect field. It is known that fields of characteristic zero and all finite fields are perfect, and that any finite separable extension field can be generated by one element. If L/K is a separable and normal extension of K, then L/K is called a Galois extension of K. Let be a sufficiently large field containing K such that any ring homomorphism φ from L fixing K, i.e., φ(a) = a for any a ∈ K, satisfies φ(L) ⊂ . We define the set of all ring homomorphisms from L to fixing K as follows: (Note that any nonzero ring homomorphism between fields is injective.) Let L/K be separable with [L : K] = n and L = K(θ). Let θ = θ_1, …, θ_n be all roots of Irr(θ, K)(x). For any σ ∈ Hom_K(L, ), we have σ(Irr(θ, K)(θ)) = Irr(θ, K)(σ(θ)) = 0. This means that σ(θ) = θ_i for some i = 1, …, n. This then implies #Hom_K(L) = n. (Any τ ∈ Hom_K(L, ) is completely determined by the image of θ under τ because τ fixes K.)
Moreover, if L/K is normal, then σ induces an isomorphism L ∼ = L. Note that L = K (θ ) ∼ = K (θ i ) for any i = 1, . . . , n because these fields are isomorphic to K [X ]/ (Irr(θ, K )). Therefore, we may take L as and can write Aut K (L) = Hom K (L , ). Now, we can describe the fundamental theorem of Galois theory (for finite field extensions). Let L/K be a finite Galois extension of K . Then, we can write Gal(L/K ) = Aut K (L). For a proof of Theorem 2.2, see [18] for example. (It is easy to prove (2) of Theorem 2.2 from the definitions of and .)

Number Fields
To describe Ring-LWE and decomposition fields, which play central roles in this paper, we need some notations from algebraic number theory.
An (algebraic) number field is a finite extension field of $\mathbb{Q}$. Let $K$ be a number field with extension degree $[K : \mathbb{Q}] = n$. An element $a \in K$ is called an algebraic integer if there exists a monic polynomial $f \in \mathbb{Z}[x]$ such that $f(a) = 0$. The ring of integers $O_K$ of $K$ is defined as the subring of $K$ consisting of all algebraic integers of $K$. The ring $O_K$ has an integral basis ($\mathbb{Z}$-basis) $\{u_1, \ldots, u_n\}$, i.e., for any element $u \in O_K$, there exist integers $a_1, \ldots, a_n$ such that $u$ is uniquely written as $u = \sum_{1 \le i \le n} a_i u_i$. It is well known that any (integral) ideal $I$ of $O_K$ is uniquely factored into a product of prime ideals, i.e., there exist prime ideals $P_1, \ldots, P_m$ satisfying $I = P_1^{e_1} \cdots P_m^{e_m}$ with $e_i \ge 1$. If $I = pO_K$ for a prime number $p$ and $K$ is a Galois extension of $\mathbb{Q}$, then we have $O_K/P_i \cong \mathbb{F}_{p^d}$ for some $d \in \mathbb{N}$, and all $e_i$'s are mutually equal. Moreover, we have $m e d = n$, where $e := e_i$, and if all $e_i$'s are equal to 1 (resp. all $e_i$'s and $d$ are equal to 1), then we say that $p$ is unramified (resp. splits completely) in $K$. Any prime ideal of $O_K$ is a maximal ideal in $O_K$, and thus we have $P_i + P_j = O_K$ for any $i \neq j$. This induces an isomorphism of rings $O_K/P_1 \cdots P_m \cong O_K/P_1 \times \cdots \times O_K/P_m$.

Ring-LWE Problem
Let K and O K be as above. Let χ secret and χ error be probabilistic distributions on O K and let p be an integer. We denote by O K , p the residue ring O K / pO K . For a probabilistic distribution χ on a set X , we write a ← χ when a ∈ X is chosen according to χ . We denote U (X ) as the uniform distribution on X . The Ring-LWE distribution on O K , p , denoted by RLWE K , p,χ error ,χ sec , is defined as a probabilistic distribution that takes elements of the form (a, as + e) with a ← U (O K , p ), s ← χ secret , and with e ← χ error . The Ring-LWE problem has two variants. One is the problem of distinguishing RLWE K , p,χ error ,χ sec from U (O K , p × O K , p ), which is called the decision Ring-LWE problem. The other is a problem of finding s ∈ O K , p , given arbitrarily many samples (a i , a i s + e i ) ∈ O K , p × O K , p chosen according to RLWE K , p,χ error ,χ sec , which is called the search Ring-LWE problem.
The Ring-LWE problem is expected to be computationally difficult even with quantum computers. It is proved that the decision Ring-LWE problem is equivalent to the search problem if K is a cyclotomic field and if p is a prime number and (almost) splits completely in K [16]. In addition, this equivalence is generalized to the cases where K /Q is a Galois extension and where p is unramified in K [6]. Moreover, there is a quantum polynomial-time reduction from the search Ring-LWE to the shortest vector problem on certain ideal lattices.

Ring-LWE over Cyclotomic and Decomposition Fields
In this section, we describe why Arita and Handa proposed the use of decomposition fields as the underlying number fields of Ring-LWE to construct efficient HE schemes.

Cyclotomic Fields and Decomposition Fields
First, we briefly review cyclotomic fields. For a positive integer m, let ζ m ∈ C be a primitive mth root of unity and n = ϕ(m), where ϕ(·) denotes Euler's totient function. Then, K := Q (ζ m ) is called the mth cyclotomic field. The ring of integers of K coincides with R := Z[ζ m ]. Any prime number p that does not divide m is unramified in K , and if p ≡ 1 (mod. m), then p splits completely in K . Here, K /Q is a Galois extension of degree [K : Q] = n, and its Galois group Gal(K /Q) is isomorphic to (Z/mZ) * .
Next, we describe the decomposition fields of number fields. Let $L$ be a number field, and suppose that $L/\mathbb{Q}$ is a Galois extension and that its Galois group $G := \mathrm{Gal}(L/\mathbb{Q})$ is a cyclic group. Let $p$ be a prime number that is unramified in $L$ and satisfies $pO_L = P_1 \cdots P_g$, where the $P_i$'s are the prime ideals of $O_L$. Let $G_Z$ be the subgroup of $G$ consisting of all elements $\rho$ that fix every $P_i$, i.e., $\rho(P_i) = P_i$ for $1 \le i \le g$, and let $Z$ be the fixed field of $G_Z$. Then, we call $Z$ the decomposition field with respect to $p$. The field $Z$ is a number field, and the ring of integers of $Z$ is $O_Z = O_L \cap Z$. Put $p_i := O_Z \cap P_i$. Then, we have $pO_Z = p_1 \cdots p_g$. A generator $\sigma$ of $G_Z$ acts on $O_L/P_i \cong \mathbb{F}_{p^d}$ as the $p$th Frobenius map, i.e., $\sigma(x) \equiv x^p \pmod{P_i}$ for all $x \in O_L$ and for $1 \le i \le g$. Therefore, we have $O_Z/p_i \cong \mathbb{F}_p$ and $[Z : \mathbb{Q}] = g$, i.e., $p$ splits completely in $Z$.

Cyclotomic Fields Versus Decomposition Fields
Let K , L, and Z be as above and p be a prime number that is unramified in K and splits completely in Z . Assume that L is the th cyclotomic field with a prime number . As we mentioned in Sect. 2.2.1, cyclotomic fields are usually used as the underlying number fields of Ring-LWE. From the viewpoint of the efficiency of Ring-LWE based schemes, there are good Z-bases of the rings of integers of K and Z [1,17]. As for the security of the Ring-LWE, in the cases of K and Z , both the equivalence and the reduction mentioned in Sect. 2.2.2.4 are satisfied because both K /Q and Z /Q are Galois extensions.
The main difference between K and Z is the algebraic structures of their rings of integers modulo p. Because p is unramified in K , we have O K , p ∼ = O K /P 1 × · · · × O K /P k and O K /P i ∼ = F p d for 1 ≤ i ≤ k and for d > 1, where the P i 's are prime ideals in O K lying over p, i.e., pO K = P 1 · · · P k . The FV scheme [9], which is an HE scheme based on Ring-LWE, uses O K , p as its plaintext space, and thus, the FV scheme (or any HE scheme with the same plaintext space) can encrypt and execute several additions of dk = n = [K : Q] plaintexts in F p simultaneously. However, the FV scheme cannot execute the multiplication of the same number of plaintexts in F p simultaneously. To execute the multiplication of plaintexts in F p , we can only use F p × · · · × F p (the direct product of k finite fields) as the plaintext space.
In contrast, because p splits completely in Z , we have O Z , p ∼ = O Z /p 1 × · · · × O Z /p g and O Z /p i ∼ = F p for any 1 ≤ i ≤ g, where the p i 's are prime ideals in O Z lying over p. This means that one can encrypt g = [Z : Q] plaintexts simultaneously. Moreover, one can execute additions and multiplications of the same number of plaintexts in F p simultaneously. Because the extension degrees g and n are directly related to the ranks of the lattices occurring in known lattice attacks, we should set g ≈ n to compare the security of Ring-LWE over these fields. Therefore, the HE scheme over Z can encrypt and operate on d times as many plaintexts simultaneously as the FV scheme over K .

Remark 2.1
1. If p ≡ 1 (mod. m), then p splits completely in K (recall that K is the mth cyclotomic field), and then there is no advantage to using decomposition fields. However, for some cryptographic applications, we want to use a small p, e.g., p = 2 [1]. Moreover, to avoid lattice attacks, the extension degree [K : Q] must be large, as we discussed above. Thus, we cannot expect p ≡ 1 (mod. m) for practical parameters in some applications.
2. By the Hensel lifting technique, for r > 1 and q := p r , we have O Z ,q ∼ = Z/qZ × · · · × Z/qZ.

Our Experimental Analysis
In this section, we present our experimental results on lattice attacks against Ring-LWE over decomposition fields and cyclotomic fields. First, we explain lattice attacks in our experiments.

Lattice Attack in Our Experiments
In our experiments, we reduce the search Ring-LWE to a CVP (or approximate CVP) in the same way as Bonnoron et al. [3, Lemma 3]. We sample vectors $a = (a_1, \ldots, a_g)$, $s = (s_1, \ldots, s_g)$ and $e = (e_1, \ldots, e_g)$ from $U(\mathbb{Z}^g)$, $D_{\mathbb{Z}^g,\sigma_s}$, and $D_{\mathbb{Z}^g,\sigma_e}$, respectively, where $D_{\mathbb{Z}^g,\sigma}$ denotes the discrete Gaussian distribution with mean 0 and variance $\sigma^2$. Writing $\{\mu_1, \ldots, \mu_g\}$ for a $\mathbb{Z}$-basis of $O_Z$, we put $a := \sum_{1 \le i \le g} a_i \mu_i$, $s := \sum_{1 \le i \le g} s_i \mu_i$, $e := \sum_{1 \le i \le g} e_i \mu_i$, and $b := as + e = \sum_{1 \le i \le g} b_i \mu_i \pmod{q}$. Then, $(a, b)$ is a Ring-LWE instance over $Z$. Note that to use Ring-LWE to construct HE schemes, the values $\sigma_s$ and $\sigma_e$ should be sufficiently small because the $\ell_\infty$-norm $\|s\|_\infty$ directly affects the growth of noise after multiplication. In our experiments, we set $\sigma_s = 1$ and $\sigma_e^2 = 8$ according to [14]. By comparing all coefficients of both sides, we get $As + e = (b_1, \ldots, b_g)^t = b$, where $A$ is a matrix. (For any vector $v$, $v^t$ means its transpose.) If we set $A' := (A \mid I)$, where $I$ denotes the $g \times g$ identity matrix, then we have $A'(s \mid e)^t = b \pmod{q}$. From the choice of the $s_i$'s and $e_i$'s, our target vector $(s \mid e)^t$ is a very short vector among all solutions to $A'y = b$, and thus we can expect that it can be found by solving the (approximate) CVP on the lattice $L = \{x \in \mathbb{Z}^{2g} \mid A'x = 0 \pmod{q}\}$ with target $w := (0 \mid b)^t$, which is a solution to $A'y = b$.
We take as a basis matrix of L, where 0 g,g denotes the g × g zero matrix. We reduce the basis matrix B using the LLL and BKZ algorithms with block size β = 10. (In practice, β should be 10 or 20.) Let B red be a reduced basis of B. We input B red and w to Babai's nearest plane algorithm. The quality of the results of Babai's nearest plane algorithm depends on the quality of the basis reduction algorithms used to compute the reduced input bases, and thus, we compute the root Hermite factor for B red .
In contrast, Kannan's embedding technique takes a basis matrix as input, and we set M = 1 according to the result of an experimental study on Kannan's embedding technique for LWE [20]. We also use the LLL and BKZ algorithms with β = 10 to reduce the above basis matrix.

Remark 2.3
For $1 \le r' < r$ and $q' := p^{r'}$, we can obtain samples of $\mathrm{RLWE}_{K,q',\chi_{\mathrm{error}},\chi_{\mathrm{sec}}}$ from samples of $\mathrm{RLWE}_{K,q,\chi_{\mathrm{error}},\chi_{\mathrm{sec}}}$ by the natural projection $O_{Z,q} \to O_{Z,q'}$, $a \mapsto a \pmod{q'}$. In our experiments, we use a small $r$ to reduce running times. In our experimental results, we only show $r'$.

Experimental Results
We used a computer with 2.00 GHz CPUs (Intel(R) Xeon(R) CPU E7-4830 v4 (2.00GHz)x111) and 3 TB memory to conduct the experiments. The OS was Ubuntu 16.04.4. We implemented the code for sampling Ring-LWE instances in SageMath version 7.5.1. We also used Magma V2.23-1 to execute lattice attacks. We took 100 samples and performed lattice attacks on them.
We show our experimental results in Tables 2.1 and 2.2 for p = 2. Table 2.1 shows that there is no considerable difference between the experimental results for cyclotomic fields and those for decomposition fields. In contrast, Table 2.2 shows that Kannan's embedding technique is much faster than Babai's nearest plane algorithm.
This implies that the behaviors of the basis reduction algorithms heavily depend on the structure of the input lattices. This is a reason why experimental analyses are necessary for ensuring the security of lattice-based schemes (or other problems). Table 2.2 also shows that the running times for the decomposition fields become longer than those for cyclotomic fields as g (or − 1) increases. Therefore, we can expect that decomposition fields provide Ring-LWE that is more secure against the lattice attacks described in Sect. 2.2.4.1 than th cyclotomic fields because the ranks of the lattices occurring in our experiments are very low compared to the ranks of lattices used in practice. This means that we can use decomposition fields with lower extension degrees than would be needed for th cyclotomic fields, and the use of such number fields makes Ring-LWE-based schemes more efficient. Therefore, as a result of our analysis, we believe that Ring-LWE over decomposition fields can be used to construct more efficient HE schemes. We also conducted experiments for decomposition fields with respect to p = 3, 5, 7, 11 to find decomposition fields that provide weak Ring-LWE instances (Fig. 2.2). In these experiments, we could not find decomposition fields that provide weak Ring-LWE.

Notes to Tables 2.1 and 2.2. The columns for which the values g are indicated show the results for decomposition fields; the other columns show the results for cyclotomic fields. The "ratio of running times" is the ratio of the average running time for a decomposition field to that for a cyclotomic field for each g. We computed the root Hermite factor for the reduced bases, but we do not show them because the success rates in these results are 100%.

Fig. 2.2
Average running times of Kannan's embedding technique for cyclotomic and decomposition fields with respect to p = 2, 3, 5, 7, 11. The label "p = 2_cyclotomic" indicates the results for the cyclotomic fields shown in Table 2.2, and the other labels indicate the results for decomposition fields with respect to the corresponding prime numbers p. We set the modulus parameter q = p^r so that these moduli have almost the same bit sizes. We only show the average results on at least 10 samples.
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.