Abstract
We describe an algorithm to solve the approximate Shortest Vector Problem for lattices corresponding to ideals of the ring of integers of an arbitrary number field K. This algorithm has a pre-processing phase, whose run-time is exponential in \(\log |\varDelta |\) with \(\varDelta \) the discriminant of K. Importantly, this pre-processing phase depends only on K. The pre-processing phase outputs an “advice”, whose bit-size is no more than the run-time of the query phase. Given this advice, the query phase of the algorithm takes as input any ideal I of the ring of integers, and outputs an element of I which is at most \(\exp (\widetilde{O}((\log |\varDelta |)^{\alpha +1}/n))\) times longer than a shortest non-zero element of I (with respect to the Euclidean norm of its canonical embedding). This query phase runs in time and space \(\exp (\widetilde{O}( (\log |\varDelta |)^{\max (2/3, 1-2\alpha )}))\) in the classical setting, and\(\exp (\widetilde{O}((\log |\varDelta |)^{1-2\alpha }))\) in the quantum setting. The parameter \(\alpha \) can be chosen arbitrarily in [0, 1 / 2]. Both correctness and cost analyses rely on heuristic assumptions, whose validity is consistent with experiments.
The algorithm builds upon the algorithms from Cramer et al. [EUROCRYPT 2016] and Cramer et al. [EUROCRYPT 2017]. It relies on the framework from Buchmann [Séminaire de théorie des nombres 1990], which allows to merge them and to extend their applicability from prime-power cyclotomic fields to all number fields. The cost improvements are obtained by allowing precomputations that depend on the field only.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsNotes
- 1.
This figure, like all similar ones in this work, is in \((\log _n \log _2)\)-scale for both axes.
- 2.
Laarhoven also describes a variant of his algorithm in which he uses locality-sensitive hashing to reduce the run-time of the query phase below the bit-size of the advice, but we are not considering this variant here.
- 3.
Given a set \(S = \{\mathfrak {p}_1, \cdots , \mathfrak {p}_r\}\) of prime integral ideals, the S-units are the elements \(\alpha \in K\) such that there exist \(e_1, \cdots , e_r \in \mathbb {Z}\) with \(\prod _i \mathfrak {p}_i^{e_i} = \langle \alpha \rangle \).
- 4.
As \(\varLambda \) is not full rank in \(\mathbb {R}^{n}\), we change the ambient space such that \(f_{H\cap E}(\varLambda )\) becomes full rank in \(H \cap E = \mathbb {R}^{r_1+r_2-1}\). Note however that the \(\ell _2\)-norm is preserved by this transformation (this is not the case for the \(\ell _1\) and \(\ell _\infty \) norms).
- 5.
As we solved CVP in L for the \(\ell _2\)-norm, the quantity \(\mu ^{(\infty )}(L)\) may be over-estimated, but this should not be over-estimated by too much. Further, as we want an upper bound on \(\mu ^{(\infty )}(L)\), this is not an issue.
References
Albrecht, M.R., Deo, A.: Large modulus Ring-LWE \(\ge \) Module-LWE. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 267–296. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_10
Bach, E.: Explicit bounds for primality testing and related problems. Math. Comput. 55(191), 355–380 (1990)
Bauch, J., Bernstein, D.J., de Valence, H., Lange, T., van Vredendaal, C.: Short generators without quantum computers: the case of multiquadratics. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 27–59. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_2
Biasse, J.-F., Espitau, T., Fouque, P.-A., Gélin, A., Kirchner, P.: Computing generator in cyclotomic integer rings. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 60–88. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_3
Bernstein, D.J.: A subfield-logarithm attack against ideal lattices: computational algebraic number theory tackles lattice-based cryptography. The cr.yp.to blog (2014). https://blog.cr.yp.to/20140213-ideal.html
Biasse, J.-F., Fieker, C.: Subexponential class group and unit group computation in large degree number fields. LMS J. Comput. Math. 17(A), 385–403 (2014)
Biasse, J.-F.: Subexponential time ideal decomposition in orders of number fields of large degree. Adv. Math. Commun. 8(4), 407–425 (2014)
Biasse, J.-F.: Approximate short vectors in ideal lattices of \(\mathbb{Q}(\zeta _{p^e})\) with precomputation of \({\text{ Cl }}(\cal{O}_K)\). In: Adams, C., Camenisch, J. (eds.) SAC 2017. LNCS, vol. 10719, pp. 374–393. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-72565-9_19
Bach, E., Shallit, J.O.: Algorithmic Number Theory: Efficient Algorithms, vol. 1. MIT Press, Cambridge (1996)
Biasse, J.-F., Song, F.: Efficient quantum algorithms for computing class groups and solving the principal ideal problem in arbitrary degree number fields. In: SODA, pp. 893–902. Society for Industrial and Applied Mathematics (2016)
Buchmann, J.: A subexponential algorithm for the determination of class groups and regulators of algebraic number fields. Séminaire de théorie des nombres, Paris 1989(1990), 27–41 (1988)
Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE. In: FOCS 2011, pp. 97–106. IEEE Computer Society (2011)
Brakerski, Z., Vaikuntanathan, V.: Fully homomorphic encryption from Ring-LWE and security for key dependent messages. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 505–524. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_29
Biasse, J.-F., Van Vredendaal, C.: Fast multiquadratic S-unit computation and application to the calculation of class groups. The Open Book Series 2, 103–118 (2019). https://doi.org/10.2140/obs.2019.2.103
Cramer, R., Ducas, L., Peikert, C., Regev, O.: Recovering short generators of principal ideals in cyclotomic rings. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. Part II. LNCS, vol. 9666, pp. 559–585. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_20
Cramer, R., Ducas, L., Wesolowski, B.: Short Stickelberger class relations and application to ideal-SVP. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 324–348. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_12
Campbell, P., Groves, M., Shepherd, D.: Soliloquy: a cautionary tale (2014). http://docbox.etsi.org/Workshop/2014/201410_CRYPTO/S07_Systems_and_Attacks/S07_Groves_Annex.pdf
Cohen, H.: A Course in Computational Algebraic Number Theory, vol. 138. Springer, Heidelberg (2013)
Doulgerakis, E., Laarhoven, T., de Weger, B.: Finding closest lattice vectors using approximate Voronoi cells. In: PQCRYPTO. Springer (2019, to appear)
Ducas, L., Plançon, M., Wesolowski, B.: On the shortness of vectors to be found by the Ideal-SVP Quantum Algorithm (2019, to appear)
Eisenträger, K., Hallgren, S., Kitaev, A., Song, F.: A quantum algorithm for computing the unit group of an arbitrary degree number field. In: Shmoys, D.B. (ed.) 46th Annual ACM Symposium on Theory of Computing, pp. 293–302. ACM Press, May/June 2014
Gelin, A.: Calcul de groupes de classes d’un corps de nombres et applications à la cryptologie. Ph.D. thesis, Paris 6 (2017)
Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Mitzenmacher, M. (ed.) 41st Annual ACM Symposium on Theory of Computing, pp. 169–178. ACM Press, May/June 2009
Garg, S., Gentry, C., Halevi, S.: Candidate multilinear maps from ideal lattices. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 1–17. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_1
Hafner, J.L., McCurley, K.S.: A rigorous subexponential algorithm for computation of class groups. J. Am. Math. Soc. 2(4), 837–850 (1989)
Holzer, P., Wunderer, T., Buchmann, J.A.: Recovering short generators of principal fractional ideals in cyclotomic fields of conductor \(p^\alpha q^\beta \). In: Patra, A., Smart, N.P. (eds.) INDOCRYPT 2017. LNCS, vol. 10698, pp. 346–368. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-71667-1_18
Laarhoven, T.: Sieving for closest lattice vectors (with preprocessing). In: Avanzi, R., Heys, H. (eds.) SAC 2016. LNCS, vol. 10532, pp. 523–542. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-69453-5_28
Laurent, B., Massart, P.: Adaptive estimation of a quadratic functional by model selection. Ann. Stat. 28(5), 1302–1338 (2000)
Louboutin, S.: Explicit bounds for residues of Dedekind zeta functions, values of \(l\)-functions at \(s= 1\), and relative class numbers. J. Number Theory 85(2), 263–282 (2000)
Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1
Langlois, A., Stehlé, D.: Worst-case to average-case reductions for module lattices. Des. Codes Cryptogr. 75(3), 565–599 (2015)
Minkowski, H.: Gesammelte Abhandlungen. Chelsea, New York (1967)
Peikert, C., Regev, O., Stephens-Davidowitz, N.: Pseudorandomness of Ring-LWE for any ring and modulus. In: STOC 2017, pp. 461–473. ACM (2017)
Rekaya, G., Belfiore, J.-C., Viterbo, E.: A very efficient lattice reduction tool on fast fading channels. In: ISITA (2004)
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow H.N., Fagin, R. (eds.) 37th Annual ACM Symposium on Theory of Computing, pp. 84–93. ACM Press, May 2005
Samuel, P.: Algebraic Theory of Numbers: Translated from the French by Allan J. Silberger. Courier Corporation, Chelmsford (2013)
Schnorr, C.-P.: A hierarchy of polynomial time lattice basis reduction algorithms. Theoret. Comput. Sci. 53, 201–224 (1987)
Schnorr, C.-P., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66, 181–199 (1994)
Stehlé, D., Steinfeld, R., Tanaka, K., Xagawa, K.: Efficient public key encryption based on ideal lattices. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 617–635. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_36
Stephens-Davidowitz, N.: A time-distance trade-off for GDD with preprocessing - instantiating the DLW heuristic (2019). Personal communication
Zimmert, R.: Ideale kleiner Norm in Idealklassen und eine Regulatorabschätzung. Inventiones mathematicae 62(3), 367–380 (1980)
Acknowledgments
We thank Léo Ducas for his suggestion to use Laarhoven’s CVPP algorithm. We thank Oded Regev and Noah Stephens-Davidowitz for illustrating the importance of limiting the witness size by the run-time of the query phase, by pointing out the faster algorithm with exponential-size witness described in the introduction. We also thank Dan Bernstein, Elena Kirshanova and Alexandre Wallet for helpful discussions.
This work was supported in part by BPI-France in the context of the national project RISQ (P141580), by the European Union PROMETHEUS project (Horizon 2020 Research and Innovation Program, grant 780701) and by the ERC Starting Grant ERC-2013-StG-335086-LATTAC.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 International Association for Cryptologic Research
About this paper
Cite this paper
Pellet-Mary, A., Hanrot, G., Stehlé, D. (2019). Approx-SVP in Ideal Lattices with Pre-processing. In: Ishai, Y., Rijmen, V. (eds) Advances in Cryptology – EUROCRYPT 2019. EUROCRYPT 2019. Lecture Notes in Computer Science(), vol 11477. Springer, Cham. https://doi.org/10.1007/978-3-030-17656-3_24
Download citation
DOI: https://doi.org/10.1007/978-3-030-17656-3_24
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-17655-6
Online ISBN: 978-3-030-17656-3
eBook Packages: Computer ScienceComputer Science (R0)
