1 Introduction

The computational hardness of finding short vectors in lattices that are ideals in a cyclotomic field is the basis for many of the most promising proposals for quantum-safe cryptography and Fully Homomorphic Encryption (FHE). The problem of finding a vector in an ideal lattice \(\mathfrak {I}\) of the maximal order \(\mathcal {O}_K\) of \(K = \mathbb {Q}(\zeta _{2^e})\) whose length is within a factor \(\gamma > 0\) of the shortest vector of \(\mathfrak {I}\) is called the \(\gamma \)-ideal-Shortest Vector Problem and is denoted \(\gamma \)-ideal-SVP. The work of Cramer, Ducas, Peikert and Regev [CDPR16] combined with that of Cramer, Ducas and Wesolowski [CDW16] shows that \(\gamma \)-ideal-SVP for some \(\gamma = 2^{n^{1/2+o(1)}}\) where \(n:=[K:\mathbb {Q}]\) heuristically reduces to the Principal Ideal Problem (PIP).

Given an ideal \(\mathfrak {I}\) of the maximal order \(\mathcal {O}_K\) of \(K = \mathbb {Q}(\zeta _{p^e})\), solving the PIP consists in deciding if \(\mathfrak {I}\) is principal, and if so, computing \(\alpha \in \mathcal {O}_K\) such that \(\mathfrak {I} = (\alpha )\mathcal {O}_K\). The PIP is a fundamental problem in computational number theory, and a generator of a principal ideal of the maximal order \(\mathcal {O}_K\) of a number field K can be found in heuristic subexponential time \(2^{\log (|\varDelta |)^{2/3+o(1)}}\), where \(\varDelta := {\text {disc}}(K)\), by using an algorithm of Biasse and Fieker [Bia, BF14]; in the case where \(K = \mathbb {Q}(\zeta _{p^e})\), similar methods yield a heuristic run time of \(2^{n^{1/2+o(1)}}\) by using recent work of Biasse, Espitau, Fouque, Gélin and Kirchner [BEF+17]. Note that when \(K = \mathbb {Q}(\zeta _{p^e})\), \(\log (|\varDelta |) = \varTheta (n\log (n))\), so \(2^{n^{1/2+o(1)}} = 2^{\log (|\varDelta |)^{1/2+o(1)}}\).

We can also find a generator of a principal ideal in quantum polynomial time with an algorithm of Biasse and Song [BS16] which relies on the hidden subgroup resolution algorithm in \(\mathbb {R}^{O(n)}\) of Eisenträger, Hallgren, Kitaev and Song [EHKS14]. This algorithm requires \(\varOmega (n^3)\) qubits (see Appendix A).

The extra algebraic structure that ideal lattices enjoy allows multiple performance enhancements over cryptosystems using general lattices. The extent to which this extra structure also allows better algorithms to solve the underlying hard problems (in particular \(\gamma \)-ideal-SVP for a non-trivial \(\gamma \)) is an open problem. The best classical method to solve \(\gamma \)-ideal-SVP for a subexponential \(\gamma \) is the BKZ lattice reduction [Sch87]. In particular, it solves \(\gamma \)-ideal-SVP for \(\gamma = 2^{n^{1/2+o(1)}}\) in time \(2^{n^{1/2+o(1)}}\). The possibility of a superpolynomial improvement over the BKZ reduction algorithm by using quantum computers was recently highlighted by Cramer, Ducas and Wesolowski [CDW16], who combined the quantum PIP algorithm of [BS16] with a heuristic reduction from \(\gamma \)-ideal-SVP to PIP for some \(\gamma = 2^{n^{1/2+o(1)}}\) to solve \(\gamma \)-ideal-SVP in quantum polynomial time. This indicates that \(\gamma \)-ideal-SVP in ideal lattices is not as computationally hard as in general lattices (at least for some non-trivial approximation factors \(\gamma \)), but this discrepancy is not well understood, and it is a major concern in the development and the standardization of post-quantum cryptographic primitives. This paper further illustrates this divide by providing algorithms for \(\gamma \)-ideal-SVP where \(\gamma = 2^{n^{1/2 + o(1)}}\) that outperform BKZ by leveraging a precomputation on \(\mathbb {Q}(\zeta _{p^e})\).

Contributions. We describe classical and quantum algorithms for computing approximate short vectors in ideals of \(\mathbb {Q}(\zeta _{p^e})\) by using a one-time classical subexponential precomputation on \(\mathbb {Q}(\zeta _{p^e})\). At a given security level, most ideal lattice-based cryptosystems use the same field for all keys; therefore this precomputation reduces the hardness of all instances of our search problem.

(i) The classical precomputation consists in the computation of a basis of the relations between classes of prime ideals of norm less than a given \(B > 0\) in the ideal class group of \(\mathbb {Q}(\zeta _{p^e})\). When \(B \ge 2^{n^{1/2}}\), our algorithm computes all relations between the classes of prime ideals of norm less than B in time \(B^{\tilde{O}(1)}\).

(ii) Let a, b be constants such that \(b\le 7a - 2\) and \(\frac{2}{5}< a < \frac{1}{2}\). We present a classical heuristic PIP resolution method that finds a generator of any input \(\mathfrak {I}\) such that \(\mathcal {N}(\mathfrak {I})\le 2^{n^b}\) in time \(2^{n^{a + o(1)}}\), given a one-time classical precomputation of the relations between ideals of norm less than \(2^{n^{2-3a + o(1)}}\), which costs \(2^{n^{2-3a+o(1)}}\). For example, given a \(2^{n^{5/7 + o(1)}}\) precomputation, we retrieve the private keys of the cryptographic schemes relying on the hardness of finding a short generator of an ideal \(\mathfrak {I}\subseteq \mathbb {Q}(\zeta _{p^e})\) (short-PIP) with \(\mathcal {N}(\mathfrak {I})\le 2^{n^{1+o(1)}}\) in time \(2^{n^{3/7+o(1)}}\) from the corresponding public keys.

(iii) Let \(1/3< a < 1/2\) be a constant. We present a quantum heuristic PIP resolution method that finds a generator of any ideal \(\mathfrak {I}\subset \mathbb {Q}(\zeta _{p^e})\) in time \(2^{n^{a + o(1)}}\) using \(\tilde{O}(n^{2-a})\) qubits, given a one-time classical precomputation on \(\mathbb {Q}(\zeta _{p^e})\) of cost \(2^{n^{2-3a+o(1)}}\). With the heuristic reduction from \(\gamma \)-ideal-SVP to PIP of [CDW16], this yields a solution to \(\gamma \)-ideal-SVP for some \(\gamma = 2^{n^{1/2+o(1)}}\) in time \(2^{n^{a + o(1)}}\).

  • It is a superpolynomial improvement over the best classical method based on the BKZ reduction which runs in time \(2^{n^{1/2+o(1)}}\).

  • It uses asymptotically fewer qubits than the best quantum method which relies on the Biasse-Song quantum PIP method which uses \(\varOmega (n^3)\) qubits.

In addition to using fewer qubits than the method of [BS16], this approach has the advantage of relying solely on a very well studied quantum subroutine, namely Shor's factoring algorithm. The exact qubit requirement of Shor's algorithm [Sho97] is very well understood, as is the classical part of this algorithm, while the algorithm for solving the HSP in \(\mathbb {R}^{O(n)}\) of [EHKS14] is likely to be a lot more complicated to implement and to involve a non-trivial classical part. The search for low-resource quantum algorithms that solve hard problems in cryptography is a growing area of research. For example, Bernstein, Biasse and Mosca [BBM17] recently described a quantum factoring algorithm requiring \(\tilde{O}(\log (N)^{2/3})\) qubits and offering a polynomial improvement over the classical Number Field Sieve. This contribution achieves a similar goal: providing a quantum algorithm for solving a problem with significantly fewer resources than the best quantum algorithm while running significantly faster than the best known classical method. We did not consider a quantum variant of the precomputation as, to the best of our knowledge, it would only provide a polynomial speedup.

2 Background

Lattices. A lattice is a discrete additive subgroup of \(\mathbb {R}^n\) for some integer n. The first minimum of a lattice \(\mathcal {L}\) is defined by \(\lambda _1 := \min _{{\varvec{v}}\in \mathcal {L}\setminus \{0\}}\Vert {\varvec{v}}\Vert \). A basis of \(\mathcal {L}\) is a set of linearly independent vectors \({\varvec{b}}_1,\cdots ,{\varvec{b}}_k\) such that \(\mathcal {L} = \mathbb {Z}{\varvec{b}}_1 + \cdots + \mathbb {Z}{\varvec{b}}_k\). The determinant of \(\mathcal {L}\) is \(\det (\mathcal {L}) = \sqrt{\det (B\cdot B^T)}\) where \(B = ({\varvec{b}}_i)_{i\le k}\in \mathbb {R}^{k\times n}\) is the matrix of a basis of \(\mathcal {L}\). For a full dimensional lattice \(\mathcal {L}\), we know that \(\lambda _1(\mathcal {L})\) is in \(O\left( \sqrt{n}\det (\mathcal {L})^{1/n}\right) \). The problem of finding a shortest vector \(v\in \mathcal {L}\) is known as the Shortest Vector Problem (SVP), while the problem of finding \(v\in \mathcal {L}\) such that \(\Vert {\varvec{v}}\Vert \le \gamma \lambda _1(\mathcal {L})\) for some \(\gamma \ge 1\) is known as \(\gamma \)-SVP. A solution \({\varvec{v}}\) to \(\gamma \)-SVP satisfies \(\Vert {\varvec{v}}\Vert \in O\left( \gamma \sqrt{n}\det (\mathcal {L})^{1/n}\right) \). Given the matrix of a basis A as input, the LLL algorithm [LLL82] returns a basis \(({\varvec{b}}_i)_{i\le n}\) such that \(\frac{\Vert {\varvec{b}}_1\Vert }{\det (\mathcal {L})^{1/n}}\in 2^{O(n)}\) in polynomial time in n and \(\log (|A|)\). The BKZ algorithm [Sch87] with block size k returns a basis \(({\varvec{b}}_i)_{i\le n}\) such that \(\frac{\Vert {\varvec{b}}_1\Vert }{\det (\mathcal {L})^{1/n}}\in O(k^{\tilde{O}(n/k)})\) in time \(2^{O(k)}{\text {Poly}}(n,\log (|A|))\) [HPS11, Theorem 1].

Number Fields. A number field K is a finite extension of \(\mathbb {Q}\). Its ring of integers \(\mathcal {O}_K\) has the structure of a lattice of rank \(n=[K:\mathbb {Q}]\). A number field has \(r_1\le n\) real embeddings \((\sigma _i)_{i\le r_1}\) and \(2r_2\) complex embeddings \((\sigma _i)_{r_1 < i \le r_1 + 2r_2}\) (coming as \(r_2\) pairs of conjugates), with \(r_1 + 2r_2 = n\). The field K is isomorphic to \(\mathcal {O}_K\otimes \mathbb {Q}\). We can embed K in \(K_\mathbb {R}:= K\otimes \mathbb {R}\simeq \mathbb {R}^{r_1}\times \mathbb {C}^{r_2}, \) and extend the \(\sigma _i\)'s to \(K_\mathbb {R}\). Let \(T_2\) be the Hermitian form on \(K_\mathbb {R}\) defined by \(T_2(x,x') := \sum _i \sigma _i(x)\overline{\sigma _i}(x')\), and let \(\Vert x\Vert := \sqrt{T_2(x,x)}\) be the corresponding \(\ell _2\)-norm. The norm of an element \(x\in K\) is defined by \(\mathcal {N}(x) = \prod _i\sigma _i(x)\). Let \((\alpha _i)_{i\le n}\) be such that \(\mathcal {O}_K= \oplus _i \mathbb {Z}\alpha _i\); then the discriminant of K is given by \(\varDelta = \det ({\text {Tr}}_{K/\mathbb {Q}}(\alpha _i\alpha _j))\), and \(|\varDelta | = \det (T_2(\alpha _i,\alpha _j))\). The volume of the fundamental domain is \(\sqrt{|\varDelta |}\), and the size of the input of algorithms working on an integral basis of \(\mathcal {O}_K\) is in \(O(\log (|\varDelta |))\). In \(K = \mathbb {Q}(\zeta _{p^e})\), the degree satisfies \([K:\mathbb {Q}] = (p-1)p^{e-1}\) and \(\varDelta = \pm p^{p^{e-1}(pe - e - 1)}\), therefore \(\log (|\varDelta |)\sim n\log (n)\) and we can express the complexity of our algorithms in terms of n (a choice we made in this paper), which makes it easier to compare with other lattice reduction results. However, most of the literature on class group computation presents complexities in terms of \(\log (|\varDelta |)\), which is in general the right value to measure the input. For example, it makes no sense to express the complexity with respect to the degree of K in infinite classes of quadratic number fields.

Cyclotomic Fields. A cyclotomic field is an extension of \(\mathbb {Q}\) of the form \(K = \mathbb {Q}(\zeta _N)\) where \(\zeta _N = e^{2i\pi /N}\) is a primitive N-th root of unity. The ring of integers \(\mathcal {O}_K\) of K is \(\mathbb {Z}[X]/(\varPhi _N(X))\) where \(\varPhi _N\) is the N-th cyclotomic polynomial. When N is a power of two, \(\varPhi _N(X) = X^{N/2} + 1\), and when \(N = p^e\) is a power of \(p>2\), we have \(\varPhi _N(X) = X^{p^{e-1}(p-1)} + X^{p^{e-1}(p-2)} + \cdots + 1\) (which generalizes the case \(p = 2\)). Elements \(a\in \mathcal {O}_K\) are residues of polynomials in \(\mathbb {Z}[X]\) modulo \(\varPhi _N(X)\), and can be identified with their coefficient vectors \({\varvec{a}}\in \mathbb {Z}^{\phi (N)}\) where \(\phi (N) = p^{e-1}(p-1)\) is the Euler totient of N (and the degree of \(\varPhi _N(X)\)).

The Ideal Class Group. Elements of the form \(\frac{\mathfrak {I}}{d}\) where \(\mathfrak {I}\subseteq \mathcal {O}_K\) is an (integral) ideal of the ring of integers of K and \(d > 0\) are called fractional ideals. They have the structure of a \(\mathbb {Z}\)-lattice of rank \(n=[K:\mathbb {Q}]\), and they form a multiplicative group \(\mathcal {I}\). Elements of \(\mathcal {I}\) admit a unique decomposition as a power product of prime ideals of \(\mathcal {O}_K\) (with possibly negative exponents). The norm of integral ideals is given by \(\mathcal {N}(\mathfrak {I}) := [\mathcal {O}_K:\mathfrak {I}]\), which extends to fractional ideals by \(\mathcal {N}(\mathfrak {I}/\mathfrak {J}) := \mathcal {N}(\mathfrak {I})/\mathcal {N}(\mathfrak {J})\). The norm of a principal (fractional) ideal agrees with the norm of its generator: \(\mathcal {N}(x\mathcal {O}_K) = |\mathcal {N}(x)|\). The principal fractional ideals form a subgroup \(\mathcal {P}\) of \(\mathcal {I}\), and the ideal class group of \(\mathcal {O}_K\) is defined by \({\text {Cl}}(\mathcal {O}_K) := \mathcal {I}/\mathcal {P}.\) We denote by \([\mathfrak {a}]\) the class of a fractional ideal \(\mathfrak {a}\) in \({\text {Cl}}(\mathcal {O}_K)\) and by h the cardinality of \({\text {Cl}}(\mathcal {O}_K)\), which is a finite group. In \({\text {Cl}}(\mathcal {O}_K)\) we identify two fractional ideals \(\mathfrak {a},\mathfrak {b}\) if there is \(\alpha \in K\) such that \(\mathfrak {a}= (\alpha )\mathfrak {b}\). This is denoted by \(\mathfrak {a}\sim \mathfrak {b}\).

Units of \(\mathcal {O}_K.\) Elements \(u\in \mathcal {O}_K\) that are invertible in \(\mathcal {O}_K\) are called units. Equivalently, they are the elements \(u\in \mathcal {O}_K\) such that \((u)\mathcal {O}_K= \mathcal {O}_K\), or such that \(\mathcal {N}(u) = \pm 1\). The unit group of \(\mathcal {O}_K\) where K is a cyclotomic field has rank \(r = n/2-1\) and has the form \(\mathcal {O}_K^* = \mu \times \langle \epsilon _1\rangle \times \cdots \times \langle \epsilon _r\rangle \) where \(\mu \) is the group of roots of unity (torsion units) and the \(\epsilon _i\) are non-torsion units. Such \((\epsilon _i)_{i\le r}\) are called a system of fundamental units of \(\mathcal {O}_K\). Units generate a lattice \(\mathcal {L}\) of rank r in \(\mathbb {R}^{r+1}\) via the embedding \(x\in K\longmapsto {\text {Log}}(x) := \left( \ln (|\sigma _1(x)|) , \cdots , \ln (|\sigma _{r+1}(x)|)\right) \) where the complex embeddings \((\sigma _i)_{i\le n}\) are ordered such that the first \(r+1 = n/2\) ones are pairwise non-conjugate; since \(|\mathcal {N}(u)| = 1\), \(\mathcal {L}\) lies in the hyperplane of vectors whose coordinates sum to zero. The volume R of \(\mathcal {L}\) is an invariant of K called the regulator. The regulator R and the class number h satisfy \(hR = \frac{|\mu |\sqrt{|\varDelta |}}{2^{r_1}(2\pi )^{r_2}}\lim _{s\rightarrow 1} \left( (s-1)\zeta _K(s)\right) ,\) where \(\zeta _K(s) = \sum _\mathfrak {a}\frac{1}{\mathcal {N}(\mathfrak {a})^s}\) is the usual \(\zeta \)-function associated to K and \(|\mu |\) is the cardinality of the group \(\mu \) of torsion units. This allows us to derive, in polynomial time under GRH, a bound \(h^*\) that satisfies \(h^* \le hR < 2h^*\) ([Bac95]). When \(K = \mathbb {Q}(\zeta _{p^e})\), the logarithm vectors of the units of the form \(u_j = \frac{\zeta _{p^e}^j - 1}{\zeta _{p^e} - 1}\) for \(j\in \mathbb {Z}_{p^e}^*\) (the cyclotomic units) generate a sublattice of \(\mathcal {L}\) of index \(h^+(p^e)\), where \(h^+(N)\) is the class number of the maximal real subfield \(\mathbb {Q}(\zeta _N)^+\) of \(\mathbb {Q}(\zeta _N)\) [Was82, Lemma 8.1].

Heuristic 1

(Weber and [BPR04]). \(h^+(2^e)=1\) for all e (Weber's class number problem), and \(h^+(p^e)\) remains bounded for fixed p and increasing e.

Smoothness of Ideals. Let \(x,y,\varepsilon > 0\). To bound the run time of our algorithms, we need estimates of \(\Psi (x,y) := \left| \{ \mathfrak {a}\subseteq \mathcal {O}_K \ :\ \mathcal {N}(\mathfrak {a})\le x,\ \mathfrak {a}\ y\text {-smooth}\} \right| \), the number of integral ideals of norm at most x all of whose prime ideal factors have norm at most y. Scourfield [Sco04] showed that \(\frac{\Psi (x,y)}{x}\sim \lambda _K\rho (u)\), where \(u=\frac{\ln (x)}{\ln (y)}\), \(\rho \) is the Dickman function, \(\lambda _K\) is the residue of the zeta function \(\zeta _K(s)\) at \(s=1\), and \((\ln \ln (x))^{\frac{5}{3}+\varepsilon }\le \ln (y)\le \ln (x),\ x \ge x_0(\varepsilon )\) for some \(x_0(\varepsilon )\). There is no known analogue of Scourfield's result for restricted classes of ideals (such as the principal ideals generated by small elements, which is what our relation search draws). This is one of the reasons why the complexity of the number field sieve [LLMP90] is only heuristic. We therefore rely on the following heuristic for the smoothness of ideals.

Heuristic 2

We assume that the probability \(P(\iota ,\mu )\) that a principal ideal of \(\mathcal {O}_K\) of norm bounded by \(\iota \) is a power-product of prime ideals of norm bounded by \(\mu \) satisfies \(P(\iota ,\mu )\ge e^{\left( -u \ln u (1+o(1))\right) },\ \text {for }u = \ln (\iota ) / \ln (\mu )\).

Notations. Throughout this paper, \(\Vert A\Vert = \max _{i,j}|A_{i,j}|\) denotes the infinity norm of a matrix. We denote by \(\ln (x)\) the natural logarithm of x and by \(\log (x)\) its base-2 logarithm. If \(\mathcal {S}=\{s_i\}_{i\le k}\) is a set in a group and \({\varvec{v}}\in \mathbb {Z}^k\), \(\mathcal {S}^{{\varvec{v}}}:=\prod _i s_i^{v_i}\).

3 High Level Description of the Algorithms

The Precomputation: Calculation of \({\text {Cl}}(\mathcal {O}_K).\) To compute the ideal class group of \(\mathbb {Q}(\zeta _{p^e})\), we follow the general framework deriving from the algorithm of Hafner and McCurley [HM89] (subsequently generalized by Buchmann [Buc90] and Biasse-Fieker [BF14]). Let \(B>0\) be a smoothness bound and let \(\mathcal {B}:= \{ \text {prime ideals }\mathfrak {p}\text { with } \mathcal {N}(\mathfrak {p})\le B\}\) be the factor base. We compute a generating set of the lattice \(\varLambda \) of all the vectors \((e_1,\cdots ,e_m)\in \mathbb {Z}^m\), with \(m:=|\mathcal {B}|\), such that \(\exists \alpha \in K, \ \ (\alpha )\mathcal {O}_K= \mathfrak {p}_1^{e_1}\cdots \mathfrak {p}_m^{e_m}\). When \(B>12\ln ^2|\varDelta |\), the classes of ideals in \(\mathcal {B}\) generate \({\text {Cl}}(\mathcal {O}_K)\) under the GRH [Bac90, Theorem 4]. Therefore, \((\mathcal {B},\varLambda )\) is a presentation of the group \({\text {Cl}}(\mathcal {O}_K)\) and the search for a generating set of the relations \(\mathcal {B}^{{\varvec{v}}}=(\alpha )\) is equivalent to computing the group structure of \({\text {Cl}}(\mathcal {O}_K)\). Indeed, the morphism

$$\mathbb {Z}^m \xrightarrow {\ \varphi \ } \mathcal {I} \xrightarrow {\ \pi \ } {\text {Cl}}(\mathcal {O}_K),\qquad (e_1,\cdots ,e_m)\longmapsto \mathfrak {p}_1^{e_1}\cdots \mathfrak {p}_m^{e_m}\longmapsto [\mathfrak {p}_1^{e_1}\cdots \mathfrak {p}_m^{e_m}]$$

is surjective (under GRH, by the choice of B), its kernel is exactly \(\varLambda \), and the class group \({\text {Cl}}(\mathcal {O}_K)\) is isomorphic to \(\mathbb {Z}^m/\ker (\pi \circ \varphi ) = \mathbb {Z}^m/\varLambda .\)

PIP with Precomputation on K. Given an ideal \(\mathfrak {I}\), and a basis for the lattice \(\varLambda \) of all relations between primes of norm up to \(B > 0\), we find a generator of \(\mathfrak {I}\) as follows.

  1. Use a \(\mathfrak {q}\)-descent to find a relation of the form \(\mathfrak {I} = (\alpha )\prod _i\mathfrak {q}_i\) where \(\mathcal {N}(\mathfrak {q}_i)\le B\).

  2. Use a basis of \(\varLambda \) in Hermite Normal Form (HNF) to rewrite each \(\mathfrak {q}_i\) with respect to the ideals \(\mathfrak {p}_j\) of norm less than \(12(\ln (|\varDelta |))^2\). That is, \(\mathfrak {I} = (\alpha ')\prod _j\mathfrak {p}_j^{b_j}\).

  3. Using the HNF basis, find the sublattice \(\varLambda '\subset \varLambda \) of relations between ideals of norm less than \(12(\ln (|\varDelta |))^2\). Let \(A=(a_{i,j})\) be the matrix of a basis of \(\varLambda '\) and \(\alpha _i\) be such that \((\alpha _i) = \prod _j\mathfrak {p}_j^{a_{i,j}}\).

  4. Solve \({\varvec{x}}A = {\varvec{b}}\) over \(\mathbb {Z}\) and return \(\beta := \alpha '\cdot \prod _i\alpha _i^{x_i}\), which is a generator of \(\mathfrak {I}\). If the system has no integral solution, then \({\varvec{b}}\notin \varLambda '\), so \(\prod _j\mathfrak {p}_j^{b_j}\) and hence \(\mathfrak {I}\) are not principal.
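Steps 2 to 4 above are pure exponent-vector bookkeeping once the HNF basis of \(\varLambda \) is known, and they can be exercised without any number-field arithmetic. The following is an added example, not code from the paper: it uses a constructed toy relation lattice H (five factor-base primes, two of them "essential", in the lower-triangular HNF shape \(\left( {\begin{matrix} C &{} (0) \\ D &{} I \end{matrix}}\right) \) of Sect. 5), takes a \(\mathfrak {q}\)-descent output as an exponent vector, and returns the generator as exponents over \(\alpha \) and the precomputed \(\beta _i\), which is also how the paper carries them, since the \(\beta _i\) are never written down on the integral basis. The names `I0`, `H`, `principal_generator` and the matrix entries are this example's own choices.

```python
"""Steps 2-4 of "PIP with precomputation" (Sect. 3) on a constructed toy
relation lattice. Added example, not code from the paper: it models only the
exponent-vector bookkeeping, not the number-field arithmetic.

Factor base p_1, ..., p_m. Row i of H is a relation vector: (beta_i) =
prod_j p_j^{H[i][j]} for some precomputed beta_i in K. H has the lower
triangular HNF shape (C 0; D I) of Sect. 5: the first I0 columns are the
"essential" primes (norm <= 12 ln^2|Delta|) and every later row i has
h_{i,i} = 1, so p_i ~ prod_{j<=I0} p_j^{-H[i][j]} in the class group.
"""

I0 = 2                       # number of essential primes (constructed)
H = [                        # constructed toy relation lattice, not a real class group
    [4, 0, 0, 0, 0],         # (beta_1) = p_1^4
    [1, 2, 0, 0, 0],         # (beta_2) = p_1 p_2^2
    [1, 0, 1, 0, 0],         # (beta_3) = p_1 p_3
    [0, 1, 0, 1, 0],         # (beta_4) = p_2 p_4
    [3, 1, 0, 0, 1],         # (beta_5) = p_1^3 p_2 p_5
]
M = len(H)


def rewrite_on_essential_primes(descent):
    """Step 2. Input: exponents e with I = (alpha) prod_i p_i^{e_i} from the
    q-descent. Output: (b, gens) with I = (alpha') prod_{j<I0} p_j^{b_j} and
    alpha' = alpha * prod_i beta_i^{gens[beta_i]}."""
    b = [0] * I0
    gens = {"alpha": 1}
    for i, e in enumerate(descent):
        if e == 0:
            continue
        if i < I0:
            b[i] += e                       # already an essential prime
        else:                               # p_i = (beta_i) prod_j p_j^{-H[i][j]}
            gens[f"beta_{i + 1}"] = gens.get(f"beta_{i + 1}", 0) + e
            for j in range(I0):
                b[j] -= e * H[i][j]
    return b, gens


def solve_essential(b):
    """Steps 3-4. Solve x C = b over Z for the essential block C = H[:I0][:I0]
    (lower triangular with positive diagonal). Returns None when b is not in
    the relation lattice, i.e. when the input ideal is not principal."""
    C = [row[:I0] for row in H[:I0]]
    x = [0] * I0
    for j in reversed(range(I0)):           # column j only involves x_j, ..., x_{I0-1}
        rem = b[j] - sum(x[i] * C[i][j] for i in range(j + 1, I0))
        if rem % C[j][j]:
            return None
        x[j] = rem // C[j][j]
    return x


def principal_generator(descent):
    """Generator of I = (alpha) prod_i p_i^{descent_i} as exponents over alpha
    and the beta_i, or None if I is not principal."""
    b, gens = rewrite_on_essential_primes(descent)
    x = solve_essential(b)
    if x is None:
        return None
    for j, xj in enumerate(x):              # beta := alpha' * prod_j beta_j^{x_j}
        if xj:
            gens[f"beta_{j + 1}"] = gens.get(f"beta_{j + 1}", 0) + xj
    return gens


def ideal_of(gens):
    """Check: factor-base exponents of the ideal generated by
    prod_i beta_i^{gens[beta_i]} (alpha contributes nothing to this part)."""
    v = [0] * M
    for name, e in gens.items():
        if name.startswith("beta_"):
            i = int(name[5:]) - 1
            v = [vi + e * hi for vi, hi in zip(v, H[i])]
    return v


if __name__ == "__main__":
    for descent in ([0, 0, 4, 0, 0], [0, 1, 1, 0, 1], [0, 0, 1, 0, 2]):
        g = principal_generator(descent)
        print(descent, "->", None if g is None else (g, ideal_of(g) == descent))
```

The divisibility check in `solve_essential` is where the decisional half of the PIP lives: a non-integral solution means the class of the input ideal is not trivial, and a real implementation should report that instead of returning a bogus generator.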

Reducing the Short-PIP and \(\gamma \)-ideal-SVP to the PIP. Assume that the input ideal \(\mathfrak {I}\subseteq \mathcal {O}_K\) is generated by a short element g, and that we have computed \(\alpha \in \mathcal {O}_K\) such that \(\mathfrak {I} = (\alpha )\cdot \mathcal {O}_K\). Given generators \(u_1,\cdots ,u_r\) of the unit group \(\mathcal {O}_K^*\) modulo torsion, all generators \(g'\) of \(\mathfrak {I}\) are of the form \(g' = \zeta \cdot \alpha \cdot u_1^{x_1}\cdots u_r^{x_r}\) for some root of unity \(\zeta \) (which does not affect lengths) and some \((x_1,\cdots ,x_r)\in \mathbb {Z}^r\). The problem of finding g (or another short generator, which is equivalent for the sake of a cryptanalysis of a system relying on the hardness of short-PIP) boils down to finding \((x_1,\cdots ,x_r)\) such that \(\alpha \cdot u_1^{-x_1}\cdots u_r^{-x_r}\) is short. This can be done by finding \((x_1,\cdots ,x_r)\) such that \(\Vert {\text {Log}}(\alpha ) - \sum _i x_i {\text {Log}}(u_i)\Vert \) is small. To do this, we find the closest vector to \({\text {Log}}(\alpha )\) in the lattice \(\mathcal {L}:= \mathbb {Z}{\text {Log}}(u_1)+\cdots +\mathbb {Z}{\text {Log}}(u_r)\). It was observed by Campbell, Groves, and Shepherd [CGS] and proved by Cramer et al. [CDPR16] under Heuristic 1 that the cyclotomic units have interesting geometric properties allowing the method described in [CDPR16, Proof of Theorem 5.3] (rounding the coordinates of \({\text {Log}}(\alpha )\) in the dual of the cyclotomic-unit basis) to return the correct value. This short generator of \(\mathfrak {I}\) is also a solution to \(\gamma \)-ideal-SVP in \(\mathfrak {I}\) for some \(\gamma =2^{n^{1/2+o(1)}}\) [CDPR16, Sect. 6].
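The decoding step described above, as an added example that is not part of the paper nor of [CDPR16]: it works in \(\mathbb {Q}(\zeta _{16})\) (so \(n = 8\), \(r = 3\)), hides a constructed short secret g behind a product of the cyclotomic units \(u_3, u_5, u_7\), and recovers a generator by rounding the coordinates of \({\text {Log}}(\alpha )\) in the basis \({\text {Log}}(u_3), {\text {Log}}(u_5), {\text {Log}}(u_7)\), which is the same operation as the dual-basis round-off of [CDPR16]. Ring arithmetic is exact in \(\mathbb {Z}[X]/(X^8+1)\); only the Log embedding uses floating point. The assumption is Heuristic 1 for \(N = 16\) (so that these three units generate \(\mathcal {O}_K^*\) modulo torsion); the function names `hide`, `recover_short_generator` and the sample secret are this example's own.

```python
"""Log-unit decoding for the short-PIP (Sect. 3) in K = Q(zeta_16), Phi = X^8 + 1.
Added example, not the paper's or [CDPR16]'s code. Ring arithmetic in
Z[X]/(X^8 + 1) is exact; only Log uses floats. Assumes Heuristic 1 (h^+(16) = 1):
the cyclotomic units u_3, u_5, u_7 plus roots of unity generate O_K^*, so their
Log vectors are a basis of the log-unit lattice (rank r = n/2 - 1 = 3). Decoding
is Babai round-off in that basis, i.e. the dual-basis rounding of [CDPR16]."""
import cmath
import math

N, n = 16, 8
EMB = [1, 3, 5, 7]      # one embedding sigma_s: zeta -> zeta^s per conjugate pair
UNITS = [3, 5, 7]       # u_j = (zeta^j - 1)/(zeta - 1) for j in Z_16^*/{+-1} minus {1}

def monomial(k):
    """zeta^k reduced mod X^8 + 1 (zeta^8 = -1), as a length-n coefficient list."""
    a = [0] * n
    k %= N
    a[k % n] = 1 if k < n else -1
    return a

def add(a, b):
    return [x + y for x, y in zip(a, b)]

def mul(a, b):
    """Product in Z[X]/(X^n + 1) (negacyclic convolution)."""
    res = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < n:
                res[i + j] += ai * bj
            else:
                res[i + j - n] -= ai * bj
    return res

def galois(a, s):
    """sigma_s(a): zeta -> zeta^s for odd s, computed exactly."""
    res = [0] * n
    for i, ai in enumerate(a):
        res = add(res, [ai * c for c in monomial(i * s)])
    return res

def cyclotomic_unit(j):
    """u_j = 1 + zeta + ... + zeta^(j-1), odd j."""
    u = [0] * n
    for i in range(j):
        u = add(u, monomial(i))
    return u

def unit_power(j, e):
    """u_j^e for e in Z; u_j^{-1} = sigma_j(u_k) with k = j^{-1} mod N, since sigma_j(zeta^k - 1) = zeta - 1."""
    base = cyclotomic_unit(j) if e >= 0 else galois(cyclotomic_unit(pow(j, -1, N)), j)
    res = monomial(0)
    for _ in range(abs(e)):
        res = mul(res, base)
    return res

def log_embedding(a):
    """Log(a) = (ln|a(zeta^s)|)_{s in EMB}."""
    zs = [cmath.exp(2j * math.pi * s / N) for s in EMB]
    return [math.log(abs(sum(ai * z ** i for i, ai in enumerate(a)))) for z in zs]

LOGU = [log_embedding(cyclotomic_unit(j)) for j in UNITS]

def solve(A, rhs):
    """Gauss-Jordan with partial pivoting for a small square system A x = rhs."""
    m = len(A)
    M = [row[:] + [rhs[i]] for i, row in enumerate(A)]
    for k in range(m):
        piv = max(range(k, m), key=lambda i: abs(M[i][k]))
        M[k], M[piv] = M[piv], M[k]
        for i in range(m):
            if i != k:
                f = M[i][k] / M[k][k]
                M[i] = [x - f * y for x, y in zip(M[i], M[k])]
    return [M[i][m] / M[i][i] for i in range(m)]

def decode_exponents(alpha):
    """Round-off decoding: drop the all-ones component of Log(alpha) (it carries
    ln|N(alpha)|), express the rest in the basis LOGU (normal equations), round."""
    v = log_embedding(alpha)
    mean = sum(v) / len(v)
    v = [x - mean for x in v]
    gram = [[sum(x * y for x, y in zip(bi, bj)) for bj in LOGU] for bi in LOGU]
    return [round(c) for c in solve(gram, [sum(x * y for x, y in zip(bi, v)) for bi in LOGU])]

def hide(g, exps):
    """alpha = g * prod_j u_j^{exps_j}: a generator of (g) with the short one hidden."""
    for j, e in zip(UNITS, exps):
        g = mul(g, unit_power(j, e))
    return g

def recover_short_generator(alpha):
    """(g', x) with alpha = g' * prod_j u_j^{x_j}. Heuristic: g' is the short
    generator only if Log(g) lies in the fundamental parallelepiped of the dual basis."""
    x = decode_exponents(alpha)
    return hide(alpha, [-xj for xj in x]), x

if __name__ == "__main__":
    secret = [2, 0, -1, 1, 0, 0, 1, -1]                  # constructed short secret g
    alpha = hide(secret, [2, -1, 3])                     # what an attacker sees
    g, x = recover_short_generator(alpha)
    print("decoded exponents", x, "recovered", g, "equals secret:", g == secret)
```

Whatever the rounding returns, the output is always a generator of \((\alpha )\) (the unit division is exact); it equals the secret only when \({\text {Log}}(g)\) falls inside the fundamental parallelepiped of the dual basis, which is what [CDPR16] guarantee with high probability for Gaussian-distributed g and what makes the attack on short-PIP schemes heuristic rather than unconditional.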

Moreover, under reasonable assumptions on the ideal class group, given an arbitrary input ideal \(\mathfrak {I}\subseteq \mathcal {O}_K\), the heuristic methods of [CDW16] allow us to find an ideal \(\mathfrak {J}\) with \(\mathcal {N}(\mathfrak {J})\in 2^{\tilde{O}(n^{3/2})}\) such that \(\mathfrak {I}\mathfrak {J}\) is principal. Then a short generator of \(\mathfrak {I}\mathfrak {J}\) is a solution to \(\gamma \)-ideal-SVP for \(\mathfrak {I}\) with \(\gamma = 2^{n^{1/2+o(1)}}\). The close principal multiple algorithm of [CDW16] uses the decomposition of an input ideal on a short generating set.

4 Computation of \({\text {Cl}}(\mathcal {O}_K)\)

In this section, we use the method of [Bia14] to compute \({\text {Cl}}(\mathcal {O}_K)\) where \(K = \mathbb {Q}(\zeta _{p^e})\) is a cyclotomic field of prime power conductor in heuristic time \(2^{n^{1/2+o(1)}}\) for \(n:=[K:\mathbb {Q}]\). The algorithm of [Bia14] was originally designed to work in time \(2^{\log (|\varDelta |)^{1/3 + o(1)}}\) on classes of number fields with specific conditions on their degree and on the height of their defining polynomial. Cyclotomic fields of prime power conductor have a defining polynomial with height 1, which allows us to use [Bia14] and achieve a run time of \(2^{n^{1/2+o(1)}}\). In [BEF+17], Biasse et al. also used this technique for computing the class group of \(\mathbb {Q}(\zeta _{p^e})^+\). The method of [Bia14] consists in drawing elements \(\alpha \in \mathcal {O}_K\) with small coefficients on the power basis \(1,\zeta _{p^e},\cdots ,\zeta _{p^e}^{n-1}\) and testing them for smoothness with respect to a factor base \(\mathcal {B} = \{ \mathfrak {p}\ \mid \ \mathcal {N}(\mathfrak {p})\le B\}\) for some smoothness bound \(B > 0\). The smoothness test is simply done by checking whether \(\mathcal {N}(\alpha )\) is B-smooth as an integer, using either a factoring algorithm [LLMP90, Pom85] or a dedicated smoothness test algorithm [Ber], and then factoring \((\alpha )\) over \(\mathcal {B}\) (a B-smooth integer norm is necessary, but a prime ideal of residue degree \(f > 1\) and norm \(\ell ^f > B\) can divide \((\alpha )\) while \(\ell \le B\), so the factorization over \(\mathcal {B}\) must still be checked). Every time we have a relation of the form \((\alpha ) = \mathfrak {p}_1^{e_1}\cdots \mathfrak {p}_m^{e_m},\) we store the vector \((e_1,\cdots ,e_m)\) in the rows of a matrix M. Once enough relations are found, we find \({\text {Cl}}(\mathcal {O}_K)\) by doing linear algebra on M.

[Algorithm 1: pseudocode given as a figure in the original, not reproduced here.]

The run time of Algorithm 1 depends on the probability of smoothness of principal ideals, which is governed by Heuristic 2. This gives us a bound on the average time to find a relation. However, we do not know how the relations we find are distributed. Hafner and McCurley [HM89] proved under GRH that, once a full rank sublattice \(\varLambda _0\) of \(\varLambda \) has been found, their relation search for quadratic fields yields relation vectors \({\varvec{x}}\) such that \(P({\varvec{x}}\in {\varvec{w}}+\varLambda _0)\) is high enough for any \({\varvec{w}}\in \varLambda \). This proves that their algorithm terminates with high enough probability in subexponential time. It is reasonable to assume that by drawing coefficient vectors uniformly at random in \([-A,A]\), the generators of the principal ideals of our relations will be well enough distributed to justify that the relations themselves are equally distributed in \(\varLambda \), but proving it remains an open question.

Heuristic 3

(Heuristic 2 of [Bia14]). There exists Q negligible with respect to \(|\mathcal {B}|\) such that collecting \(Q|\mathcal {B}|\) relations suffices to generate the whole lattice of relations.

Proposition 1

(GRH + Heuristic 2 + Heuristic 3). Algorithm 1 with \(B = 2^{n^{1/2}}\) is correct and its heuristic complexity is in \(2^{n^{1/2+o(1)}}\).

Proof

The run time depends on the smoothness probability of the \(\alpha \in \mathcal {O}_K\) drawn in Step 4. Let \(P\in \mathbb {Z}[X]\) be such that \(\alpha = P(\zeta _{p^e})\), with \(\deg P\le n-1\) and coefficients in \([-A,A]\). The norm of \(\alpha \) is \({\text {Res}}(\varPhi _{p^e},P)\) where \(\varPhi _{p^e}\) is the \(p^e\)-th cyclotomic polynomial. In the Sylvester matrix of this resultant, the \(\deg P\) rows carrying the coefficients of \(\varPhi _{p^e}\) (p coefficients equal to 1) have length \(\sqrt{p}\le \sqrt{n+1}\), while the n rows carrying the coefficients of P have length at most \(\sqrt{n}A\). By Hadamard's bound, \(|\mathcal {N}(\alpha )|\le (n+1)^{n/2}(\sqrt{n}A)^n\le (n+1)^nA^n\), so \(\log (|\mathcal {N}(\alpha )|) \le n\log (n)(1+o(1))\) as long as A is polynomial in n. Let \(u := \frac{\log (|\mathcal {N}(\alpha )|)}{\log (B)}\in n^{1/2+o(1)}\); from Heuristic 2, the probability that \(\alpha \) is B-smooth is at least \(e^{-u\ln (u)(1+o(1))} = \frac{1}{2^{n^{1/2+o(1)}}}\), and therefore the relation search takes time \(2^{n^{1/2+o(1)}}\). The linear algebra phase (HNF and SNF computation) takes time \(|\mathcal {B}|^{4+o(1)} = 2^{n^{1/2+o(1)}}\).
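The relation search behind Proposition 1, as an added example that is not the paper's code: it draws \(\alpha = P(\zeta _{p^e})\) with coefficients in \([-A,A]\), computes \(\mathcal {N}(\alpha ) = {\text {Res}}(\varPhi _{p^e},P)\) exactly as a Sylvester determinant (fraction-free Bareiss elimination), checks the Hadamard bound used in the proof on every draw, and keeps the \(\alpha \) whose norm is B-smooth as an integer (by trial division, where the paper would use [Ber] or a factoring algorithm). The factorization of \((\alpha )\) over the factor base that turns a smooth \(\alpha \) into a relation vector is not carried out. The function names and the parameters of the sample run (p = 2, e = 4, A = 3, B = 100) are this example's own choices.

```python
"""Relation search of Algorithm 1 (Sect. 4) in a small prime-power cyclotomic
field. Added example, not the paper's code. Draws alpha = P(zeta_{p^e}) with
coefficients in [-A, A], computes N(alpha) = Res(Phi_{p^e}, P) exactly as a
Sylvester determinant (fraction-free Bareiss elimination), checks the Hadamard
bound from the proof of Proposition 1, and keeps alpha when |N(alpha)| is
B-smooth as an integer (trial division here; the paper points to [Ber] or a
factoring algorithm). Factoring (alpha) over the factor base is not done."""
import random


def cyclotomic_prime_power(p, e):
    """Phi_{p^e}(X) = sum_{i<p} X^{i p^(e-1)}, coefficients low degree first."""
    f = [0] * ((p - 1) * p ** (e - 1) + 1)
    for i in range(p):
        f[i * p ** (e - 1)] = 1
    return f


def bareiss_det(M):
    """Exact integer determinant (Bareiss: every division below is exact)."""
    M = [row[:] for row in M]
    m, sign, prev = len(M), 1, 1
    for k in range(m - 1):
        if M[k][k] == 0:
            piv = next((i for i in range(k + 1, m) if M[i][k] != 0), None)
            if piv is None:
                return 0
            M[k], M[piv] = M[piv], M[k]
            sign = -sign
        for i in range(k + 1, m):
            for j in range(k + 1, m):
                M[i][j] = (M[i][j] * M[k][k] - M[i][k] * M[k][j]) // prev
        prev = M[k][k]
    return sign * M[-1][-1]


def resultant(f, g):
    """Res(f, g) = lc(f)^deg(g) * prod_{f(t)=0} g(t), via the Sylvester matrix.
    Polynomials are integer coefficient lists, low degree first."""
    while len(f) > 1 and f[-1] == 0:
        f = f[:-1]
    while len(g) > 1 and g[-1] == 0:
        g = g[:-1]
    df, dg = len(f) - 1, len(g) - 1
    if dg == 0:
        return g[0] ** df
    if df == 0:
        return f[0] ** dg
    fh, gh = f[::-1], g[::-1]                       # high degree first
    rows = [[0] * i + fh + [0] * (dg - 1 - i) for i in range(dg)]
    rows += [[0] * i + gh + [0] * (df - 1 - i) for i in range(df)]
    return bareiss_det(rows)


def norm(p, e, P):
    """N(P(zeta_{p^e})) = Res(Phi_{p^e}, P), since Phi_{p^e} is monic."""
    return resultant(cyclotomic_prime_power(p, e), P)


def hadamard_bound_squared(p, e, P, A):
    """|Res(Phi, P)|^2 <= product of squared row lengths of the Sylvester matrix:
    deg(P) rows of squared length p (coefficients of Phi) and n rows of squared
    length <= (deg(P) + 1) A^2 (coefficients of P)."""
    n = (p - 1) * p ** (e - 1)
    d = max(i for i, c in enumerate(P) if c) if any(P) else 0
    return p ** d * ((d + 1) * A * A) ** n


def is_smooth(x, B):
    """True iff every prime factor of |x| is <= B (x != 0), by trial division."""
    x = abs(x)
    if x == 0:
        return False
    q = 2
    while q <= B and q * q <= x:
        while x % q == 0:
            x //= q
        q += 1
    return x == 1 or x <= B


def relation_search(p, e, A, B, trials, seed=0):
    """Draw alpha with coefficients in [-A, A] on the power basis and keep the
    B-smooth ones; returns a list of (P, N(alpha))."""
    n = (p - 1) * p ** (e - 1)
    rng = random.Random(seed)
    found = []
    for _ in range(trials):
        P = [rng.randint(-A, A) for _ in range(n)]
        if not any(P):
            continue
        Nalpha = norm(p, e, P)
        assert Nalpha * Nalpha <= hadamard_bound_squared(p, e, P, A)
        if is_smooth(Nalpha, B):
            found.append((P, Nalpha))
    return found


if __name__ == "__main__":
    rels = relation_search(p=2, e=4, A=3, B=100, trials=200)   # K = Q(zeta_16), n = 8
    print(len(rels), "smooth elements out of 200 draws, e.g.", rels[:2])
```

In the paper's parameter regime the smoothness bound is \(B = 2^{n^{1/2}}\) and the norms have \(n\log n\) bits, so trial division is replaced by a proper smoothness test or factoring algorithm; the exact resultant, by contrast, is what makes the Hadamard estimate in the proof checkable on concrete draws.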

Corollary 1

(GRH + Heuristic 2  + Heuristic 3 ). When \(B = 2^{n^\kappa }\) for \(\kappa > 1/2\), Algorithm 1 has heuristic complexity \(2^{n^{\kappa +o(1)}}\).

5 Precomputation on \(\mathbb {Q}(\zeta _{p^e})\)

Let \(B = 2^{n^{\kappa }}\) for some \(1/2<\kappa <1\), and let p be a prime (the large reduction modulus used below, not to be confused with the prime of the conductor \(p^e\)). In Sect. 4, we recalled how to compute a basis of the lattice \(\mathcal {L}\) of \({\varvec{x}}\) such that \(\mathcal {B}^{{\varvec{x}}}\sim (1)\) with \(\mathcal {B}=\{\mathfrak {p}\ \mid \ \mathcal {N}(\mathfrak {p})\le B\}\); this basis has the shape \(H = \left( {\begin{matrix} C &{} (0) \\ D &{} I \end{matrix}}\right) \) with \(i_0:= \dim (C) < 12(\ln (|\varDelta |))^2\). In this section, we compute \(\beta _i\bmod (p)\mathcal {O}_K\) and \({\text {Log}}(\beta _i)\) where \((\beta _i) = \mathcal {B}^{H_i}\), \(i\le \dim (H)\). These are essential tools to solve the subsequent instances of the PIP, and we prove that each element of this precomputation has polynomial size.

Given B, Algorithm 1 returns a generating set \(({\varvec{b}}_1,\cdots ,{\varvec{b}}_t)\) of \(\mathcal {L}\) together with \(\alpha _i\in K\) such that \(\mathcal {B}^{{\varvec{b}}_i} = (\alpha _i)\). We process this basis and the \((\alpha _i)\) to return an HNF-reduced basis \(H=({\varvec{h}}_1,\cdots ,{\varvec{h}}_m)\) for \(\mathcal {L}\). Using [Sto00, Proposition 6.3], we can find \(U\in {\text {GL}}_{t\times t}(\mathbb {Z})\) such that \(UM = \left( \frac{H}{(0)}\right) \) is the HNF of \(M=({\varvec{b}}_i)_{i\le t}\) with \(\Vert U\Vert \le \left( \sqrt{m}\Vert M\Vert \right) ^m\) in time \(O\left( tm^{\theta - 1}\log (\delta ) + tm\log (m){\text {Mult}}(\log (\delta ))\right) \) for \(\delta := \left( \sqrt{m}\Vert M\Vert \right) ^m\), \({\text {Mult}}(x)\) the complexity of x-bit integer multiplication, and \(2\le \theta \le 3\) the matrix multiplication exponent. The matrix H has a small essential part C. Under GRH, \(h_{i,i} = 1\) for \(i> i_0\) where \(i_0 \le 12\log (|\varDelta |)^2\). We leverage this to facilitate the resolution of the linear system giving the solution to the PIP. However, for this to yield a generator, we need to compute the \((\beta _i)_{i\le m}\) such that \(\prod _{j\le t}\alpha _j^{U_{i,j}} = \beta _i\) for \(i\le m\). As the coefficients of U and the number of terms m in the product are large, we cannot afford to write down these algebraic numbers on the integral basis of \(\mathbb {Q}(\zeta _{p^e})\). However, we know that they are used to compute an element of \(\mathfrak {I}\) whose length is within \(2^{n^{1/2+o(1)}}\) of the first minimum \(\lambda _1(\mathfrak {I})\le \sqrt{n}|\varDelta |^{1/n}\mathcal {N}(\mathfrak {I})^{1/n}\) of the ideal lattice \(\mathfrak {I}\). So we compute \(\beta _i\bmod (p)\mathcal {O}_K\) for a prime p such that \(p \ge e^n n^{n/2} |\varDelta |\mathcal {N}(\mathfrak {I})\). 
We can always assume that \(\mathcal {N}(\mathfrak {I})\le 2^{n^{2 + o(1)}}\) because we can find \(\mathfrak {I}'\sim \mathfrak {I}\) such that \(\mathcal {N}(\mathfrak {I}')\le 2^{n^{2+o(1)}}\) in polynomial time by using the LLL reduction [BF14, Sect. 3.2]. Therefore, we need a p such that \(p \ge 2^{n^{2 + o(1)}}\).

We also keep \({\text {Log}}(\beta _i)\) as part of the precomputation. Each of these values satisfies \({\text {Log}}(\beta _i) = \sum _{j\le t} U_{i,j}{\text {Log}}(\alpha _j)\). The logarithm vectors of the \(\alpha _j\) have polynomial size, but the bit size of the \(U_{i,j}\) is \(2^{n^{\kappa +o(1)}}\) where \(1/2< \kappa < 1\). As we are aiming at lowering the cost of subsequent resolutions of the short-PIP, which all require the values of \({\text {Log}}(\beta _i)\), we must find different generators for the ideals \((\beta _i)\mathcal {O}_K\). We do so by using the log-unit lattice decoding algorithm of [CGS, CDPR16], which returns a short generator of \((\beta _i)\mathcal {O}_K\) under Heuristic 1.

[Algorithm 2: pseudocode given as a figure in the original, not reproduced here.]

Proposition 2

(GRH + Heuristic 1 + Heuristic 2). Assume that \(B = 2^{n^\kappa } \) for \(\kappa \ge 1/2 \), and that \(p \ge e^n n^{n/2} |\varDelta |\mathcal {N}(\mathfrak {I})\); then the heuristic expected run time of Algorithm 2 is less than \(2^{n^{\kappa +o(1)}}\), and the bit size of the representation of the \({\text {Log}}(\beta _i)\) is polynomial in n.

Proof

The run time of Algorithm 2 is dominated by the cost of the search for relations and the computation of the HNF of the relation matrix (together with the premultipliers). We need to bound the \({\text {Log}}(\beta _i)\). The upper bound on a generator \(\beta _i\) of the integral principal ideal \(\mathfrak {I}_i = \prod _{j\le m}\mathfrak {p}_j^{h_{i,j}}\) is given by the norm of \(\mathfrak {I}_i\). When \(i\le i_0\), \(\mathfrak {I}_i\) has the shape \(\mathfrak {I}_i = \prod _{j\le i_0}\mathfrak {p}_j^{h_{i,j}}\), while when \(i > i_0\), \(\mathfrak {I}_i\) is of the form \(\mathfrak {I}_{i} := \mathfrak {p}_{i}\cdot \left( \prod _{j\le i_0}\mathfrak {p}_j^{h_{i,j}}\right) \). For each \(j\le i_0\), \(\mathcal {N}(\mathfrak {p}_j)\le 12\ln (|\varDelta |)^2\), while \(\mathcal {N}(\mathfrak {p}_i)\le 2^{n^{\kappa +o(1)}}\) if \(i > i_0\), and \(h_{i,j}\le |{\text {Cl}}(\mathcal {O}_K)|\in \tilde{O}(\sqrt{|\varDelta |})\) for \(i,j\le i_0\). Therefore, in any case \(\mathcal {N}(\mathfrak {I}_i)\in 2^{\tilde{O}(|\varDelta |)}\), and the short generator returned by the decoding satisfies \(\Vert \beta _i\Vert \le 2^{\tilde{O}(n^{1/2})}\mathcal {N}(\mathfrak {I}_i)^{1/n}\in 2^{\tilde{O}(|\varDelta |)}\). For each \(\sigma \in {\text {Gal}}(K/\mathbb {Q})\), \(\max _\sigma |\sigma (\beta _i)|\le \Vert \beta _i\Vert \in 2^{\tilde{O}(|\varDelta |)}\), and \(\min _\sigma |\sigma (\beta _i)|\ge \frac{|\mathcal {N}(\beta _i)|}{\left( \max _\sigma |\sigma (\beta _i)|\right) ^{n-1}} \ge \frac{1}{2^{\tilde{O}(n|\varDelta |)}}\). Therefore, for all \(\sigma \in {\text {Gal}}(K/\mathbb {Q})\), \(|\ln |\sigma (\beta _i)||\in \tilde{O}(n|\varDelta |)\subseteq \tilde{O}(|\varDelta |^2)\), and the representation of \({\text {Log}}(\beta _i)\) has a polynomial bit size in n.

Remark 1

In the RAM model, accessing the information in a large precomputed data set is assumed to be efficient. However, ignoring the time required to access this data might not be realistic, and our algorithm would have a larger asymptotic complexity in other models such as the AT (Area-Time) model. Yet, exploiting the fact that ideals can be sorted by norm, and considering that memory accesses are independent, it is very plausible that access time is not going to be an issue in practice, using for example several hard drives through a communication network.

6 Finding Short Elements in \(\mathfrak {I}\)

Let \(\mathfrak {I}\) be an ideal of \(\mathcal {O}_K\). We want to find elements \(\alpha \in \mathfrak {I}\) of small norm. To do this, we restrict the search to the lattice

$$\mathcal {L}_{\mathfrak {I},k} := \mathbb {Z}v_{1,1} + \mathbb {Z}(v_{2,2}\zeta _{p^e} + v_{2,1}) + \cdots + \mathbb {Z}(v_{k,k}\zeta _{p^e}^k + v_{k,k-1}\zeta _{p^e}^{k-1}+\cdots + v_k)\subseteq \mathfrak {I},$$

for some \(k > 0\) where the coefficients \(v_{i,j}\) are the upper left \(k\times k\) submatrix of the HNF of the \(\mathbb {Z}\)-basis of \(\mathfrak {I}\). This strategy was used in [Bia11, Bia, BF14] in the case of \(\mathfrak {I}=\mathfrak {q}\) a degree one prime ideal, which is enough for the sake of collecting relations to compute \({\text {Cl}}(\mathcal {O}_K)\) and solve the PIP. However, it was pointed out in [BEF+17] that this approach was folklore. In particular, it has been used under the more general form presented in this paper by Cheon [CL15].

Lemma 1

Let \(l\le k\le n\). By using the BKZ reduction with block size l, we can find a vector \(\alpha \in \mathcal {L}_{\mathfrak {I},k}\) of length less than \(l^{(k-1)/2(l-1) + 3/2}\mathcal {N}(\mathfrak {I})^{\frac{1}{k}}\) in time \(2^{O(l)}{\text {Poly}}(l,\log (\mathcal {N}(\mathfrak {I})))\).

Proof

The determinant of \(\mathcal {L}_\mathfrak {I}\) satisfies \(\det (\mathcal {L}_{\mathfrak {I},k}) \le \prod _{i\le N}v_{i,i} = \mathcal {N}(\mathfrak {I})\). According to [HPS11, Theorem 1], the BKZ reduction algorithm with block length l returns a basis whose first vector has length less than \(l^{(k-1)/2(l-1) + 3/2}\mathcal {N}(\mathfrak {I})^{\frac{1}{k}}\) after \({\text {Poly}}(k,\log \log (\mathcal {N}(\mathfrak {I})))\) calls to an SVP oracle which can be done in time \(2^{O(l)}{\text {Poly}}(\log (\mathcal {N}(\mathfrak {I})))\) using [AKS01].

Lemma 2

Suppose \(k=n^{a_1}\), \(l=n^{a_2}\) for \(1\ge a_1>a_2>0\). We can find an element \(\alpha \in \mathfrak {I}\) such that \(\mathcal {N}(\alpha )\le l^{\frac{kn}{2l}(1+o(1))}\mathcal {N}(\mathfrak {I})^{\frac{n}{k}}\) in time \(2^{l^{1+o(1)}}\).

Proof

Let \(\alpha \) be the first vector of a BKZ-reduced basis of \(\mathcal {L}_{\mathfrak {I},k}\) with block size l. The calculation of this basis takes time \(2^{l^{1+o(1)}}\) and by Lemma 1, the length of its first vector \((\alpha _1,\cdots ,\alpha _k)\) is bounded by \(l^{(k-1)/2(l-1) + 3/2}\mathcal {N}(\mathfrak {I})^{\frac{1}{k}}\). As shown in the proof of Proposition 1, the algebraic norm of \(\alpha := \sum _i \alpha _i \zeta _{p^e}^i\) satisfies

$$\mathcal {N}(\alpha ) \le \left. \sqrt{n}\right. ^n \left( \Vert (\alpha _1,\cdots ,\alpha _k)\Vert \right) ^n \le \underbrace{n^{n/2} l^{n\left( \frac{k-1}{2(l-1)} + \frac{3}{2}\right) }}_{l^{\frac{kn}{2l}(1+o(1))}}\mathcal {N}(\mathfrak {I})^{\frac{n}{k}}.$$

Proposition 3

(GRH + Heuristic 2 ). Let \(k=n^{a_1}\), \(l=n^{a_2}\) for \(1\ge a_1>a_2>0\), and \(\nu \le 2^{n^{1/2+o(1)}}\). When \(A\ge 2\), Algorithm 3 returns a list of \(\nu \) elements \(\alpha \in \mathfrak {I}\) such that \(\mathcal {N}(\alpha ) \le \left( l^{\frac{kn}{2l}}\mathcal {N}(\mathfrak {I})^{\frac{n}{k}}\right) ^{1+o(1)}\) in time \(\nu 2^{l^{1+o(1)}}\).

Proof

The ideal \(\mathfrak {I}'\) created in Step 3 of Algorithm 3 satisfies \(\mathcal {N}(\mathfrak {I}') \le \mathcal {N}(\mathfrak {I})^{1+o(1)}\) and \(\mathfrak {I}'\subseteq \mathfrak {I}\). Indeed, the norm of the extra factor used for randomization is \(\mathcal {N}(\prod _i \mathfrak {p}_i^{x_i}) \le 2^{An^{1/2+o(1)}}\) while \(\mathcal {N}(\mathfrak {I}) \ge 2^{n^{b}}\) for \(b > 1/2\). Therefore, according to Lemma 2, the \(\alpha \) derived in Step 6 satisfies

$$\log (\mathcal {N}(\alpha )) \le \left( \frac{kn\log (l)}{l} + \frac{n}{k}\log \left( \mathcal {N}(\mathfrak {I})\right) \right) (1+o(1)).$$

For any \(A\ge 2\), the number of possible vectors \((x_i)\) is \(\left( {\begin{array}{c}|S|\\ n^{1/2}\end{array}}\right) A^{n^{1/2}}\gg 2^{n^{1/2+o(1)}}\). The run time of each BKZ-reduction is in \(2^{l^{1+o(1)}}\), and we execute this \(\nu \) times, which justifies the total runtime of this procedure.

7 Classical Attack Against Short-PIP with Precomputation

Let \(\mathfrak {I}\) be a principal ideal satisfying \(\mathcal {N}(\mathfrak {I})\le 2^{n^b}\). We describe a \(\mathfrak {q}\)-descent procedure to find a product of ideals in the same ideal class as \(\mathfrak {I}\) and involving only prime ideals of norm less than \( 2^{n^{2-3a+o(1)}}\) in time \(2^{n^{a+o(1)}}\) where \(b\le 7a - 2\) and \(\frac{2}{5}< a < \frac{1}{2}\). We then use the precomputation to solve the PIP, and finally derive a short generator of \(\mathfrak {I}\).

The \(\mathfrak {q}\)-descent. Let \(\varepsilon > 0\), and a prime ideal \(\mathfrak {q}\) such that \(\log (\mathcal {N}(\mathfrak {q})) \le n^b\). We use Algorithm 3 to find \(\alpha \in \mathfrak {q}\) such that \((\alpha )/\mathfrak {q}= \prod \mathfrak {q}_i\) where the \(\mathfrak {q}_i\) are prime ideals satisfying \(\log (\mathcal {N}(\mathfrak {q}_i))\le n^{b - \varepsilon }\).
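The two ingredients used above, the sublattice \(\mathcal {L}_{\mathfrak {I},k}\) of Sect. 6 built from the upper-left block of the HNF of an ideal, and the test that \((\alpha )/\mathfrak {q}\) is smooth for an \(\alpha \in \mathfrak {q}\), can be exercised on a toy instance. The following Python program is an added illustration and is not code from the paper or its authors: it works in \(\mathbb {Q}(\zeta _8)\) (so \(n = 4\) and \(\zeta ^4 = -1\)), takes a degree-one prime \(\mathfrak {q} = (p, \zeta - r)\) as in the setting of [Bia11, BF14], enumerates small-coefficient vectors of \(\mathcal {L}_{\mathfrak {q},k}\) in place of a BKZ reduction, computes \(\mathcal {N}(\alpha )\) exactly as the product of the Galois conjugates, and keeps the \(\alpha \) whose cofactor \((\alpha )/\mathfrak {q}\) has a \(B\)-smooth norm. The prime \(p = 17\), the root \(r = 15\) and all parameter values are constructed for the example; the bound \(\mathcal {N}(\alpha )\le (\sqrt{n}\Vert \alpha \Vert )^n\) checked inside the loop is the one quoted from Proposition 1 in the proof of Lemma 2.

```python
"""Toy model of the search in the sublattice L_{q,k} (Section 6) and of one
q-descent step (Section 7) in K = Q(zeta_8): n = 4, zeta^4 = -1, and q is a
degree-one prime (p, zeta - r).  Added illustration, not the paper's code;
short vectors come from exhaustive enumeration instead of BKZ."""
from itertools import product
from math import sqrt

N_DEG = 4   # n = [K:Q]; elements are coordinate vectors on 1, zeta, ..., zeta^3

def mul(a, b, n=N_DEG):
    """Multiply in Z[zeta] = Z[x]/(x^n + 1); x^n wraps around with a sign."""
    out = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < n:
                out[i + j] += ai * bj
            else:
                out[i + j - n] -= ai * bj
    return out

def conjugate(a, m, n=N_DEG):
    """Galois conjugate sigma_m: zeta -> zeta^m (m odd), computed exactly."""
    out = [0] * n
    for i, ai in enumerate(a):
        e = (i * m) % (2 * n)          # zeta has order 2n
        if e < n:
            out[e] += ai
        else:
            out[e - n] -= ai           # zeta^e = -zeta^(e-n)
    return out

def algebraic_norm(a, n=N_DEG):
    """N(alpha) = product of the n conjugates sigma_m(alpha), m odd in [1, 2n)."""
    prod = [1] + [0] * (n - 1)
    for m in range(1, 2 * n, 2):
        prod = mul(prod, conjugate(a, m, n), n)
    assert prod[1:] == [0] * (n - 1)   # the norm is a rational integer
    return prod[0]

def degree_one_prime_hnf(p, r, n=N_DEG):
    """Lower-triangular HNF basis of q = (p, zeta - r) with r^n = -1 mod p.
    Row 0 is p; row i >= 1 is zeta^i - r^i reduced mod p, i.e. an element
    v_{i,i} zeta^i + ... + v_{i,1} as in the definition of L_{q,k}."""
    assert pow(r, n, p) == p - 1, "r must be a root of x^n + 1 mod p"
    rows = [[p] + [0] * (n - 1)]
    for i in range(1, n):
        row = [0] * n
        row[0] = (-pow(r, i, p)) % p
        row[i] = 1
        rows.append(row)
    return rows

def in_prime(alpha, p, r):
    """alpha in q  <=>  alpha(r) = 0 mod p under the map zeta -> r."""
    return sum(a * pow(r, i, p) for i, a in enumerate(alpha)) % p == 0

def is_smooth(x, bound):
    """Trial division: True iff every prime factor of x is <= bound."""
    x = abs(x)
    d = 2
    while d <= bound and d * d <= x:
        while x % d == 0:
            x //= d
        d += 1
    return x <= bound   # what is left is 1 or a single prime

def descent_step(p, r, k, bound, coeff_bound=3, n=N_DEG):
    """One q-descent step: enumerate alpha in L_{q,k} (Z-span of the
    upper-left k x k block of the HNF) with small coefficients and keep
    those whose cofactor (alpha)/q has `bound`-smooth norm.
    Returns [(alpha, N(alpha) // p, ||alpha||)] sorted by length."""
    basis = [row[:k] for row in degree_one_prime_hnf(p, r, n)[:k]]
    hits = []
    for coeffs in product(range(-coeff_bound, coeff_bound + 1), repeat=k):
        vec = [sum(c * b[i] for c, b in zip(coeffs, basis)) for i in range(k)]
        if not any(vec):
            continue
        alpha = vec + [0] * (n - k)            # degree < k in zeta
        assert in_prime(alpha, p, r)          # L_{q,k} is a sublattice of q
        norm = abs(algebraic_norm(alpha, n))
        assert norm % p == 0                  # q divides (alpha)
        length = sqrt(sum(a * a for a in alpha))
        assert norm <= (sqrt(n) * length) ** n + 1e-9   # bound from Prop. 1
        cofactor = norm // p
        if is_smooth(cofactor, bound):
            hits.append((alpha, cofactor, length))
    hits.sort(key=lambda h: h[2])
    return hits

if __name__ == "__main__":
    # Constructed instance: q = (17, zeta + 2), r = 15 since 15^4 = -1 mod 17.
    hnf = degree_one_prime_hnf(17, 15)
    print("HNF rows:", hnf, " det L_{q,3} =", hnf[0][0] * hnf[1][1] * hnf[2][2])
    for alpha, cof, length in descent_step(17, 15, k=3, bound=5)[:6]:
        print(alpha, "N(alpha)/N(q) =", cof, "length = %.3f" % length)
```

The shortest hits are associates of \(2+\zeta \), whose cofactor is trivial because \((2+\zeta ) = \mathfrak {q}\); the element \(2+3\zeta +\zeta ^2 = (2+\zeta )(1+\zeta )\) has cofactor norm 2, which is what a descent step uses to replace \(\mathfrak {q}\) by a product of smaller primes in the class group. In the paper the enumeration is replaced by BKZ on \(\mathcal {L}_{\mathfrak {I},k}\), the smoothness test by the Number Field Sieve (or Shor's algorithm in Sect. 8), and \(p\) is of size \(2^{n^b}\).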


Proposition 4

(GRH + Heuristic 2 ). Let \(\varepsilon > 0\), and let \(a,b > 0\) be constants satisfying \(2-3a + \varepsilon \le b\le 7a - 2\) and \(\frac{2}{5} + \frac{\varepsilon }{5}< a < \frac{1}{2}\). Let \(\mathfrak {q}\) be a prime with \(\log (\mathcal {N}(\mathfrak {q}))\le n^b\). Steps 5 to 7 of Algorithm 4 return a decomposition of \(\mathfrak {q}\) in \({\text {Cl}}(\mathcal {O}_K)\) as a product of primes \(\mathfrak {p}_i\) with \(\log (\mathcal {N}(\mathfrak {p}_i))\le n^{b-\varepsilon }\) in time \(2^{n^{a + o(1) }}\).

Proof

According to Lemma 2, any \(\alpha \) derived in Step 5 of Algorithm 4 satisfies \(\log (\mathcal {N}(\alpha )) \in O\left( \frac{nk\log (l)}{l} + \frac{n}{k}\log (\mathcal {N}(\mathfrak {q}))\right) \). As \(k\le n^{4a-1}\) and \(l = n^a\), we get \(\frac{nk}{l}\le n^{1+4a-1-a}.\) Moreover, since \(k = \min \{ n^{4a - 1} , n^{b+2a-1-\varepsilon }\}\), we get \(\frac{n}{k}\log (\mathcal {N}(\mathfrak {q})) \in O(n^{3a})\). The latter inequality follows from the fact that by definition \(a\ge \frac{2}{5} + \frac{\varepsilon }{5}\). Therefore, \(\log (\mathcal {N}(\alpha )) \in O (n^{3a})\), and testing the smoothness of \(\mathcal {N}(\alpha )\) with the Number Field Sieve takes time \(2^{n^{a+o(1)}}\). As \(k\le n^{b+2a-1-\varepsilon }\), we also have \(\frac{nk}{l}\le n^{a +b-\varepsilon }.\) In addition, we can show that \(k\ge n^{1-a+\varepsilon }\). Indeed, from the definition of a and b we get \(1-a + \varepsilon \le 4a-1\) and \(1-a + \varepsilon \le b + 2a -1 -\varepsilon \). Therefore, \(\frac{n}{k}\log (\mathcal {N}(\mathfrak {q})) \in O\left( n^{a + b - \varepsilon }\right) .\) This means that \(\log (\mathcal {N}(\alpha )) \in O (n^{a + b - \varepsilon })\), and from Heuristic 2, we only need to test \(2^{n^{a + o(1)}}\) elements \(\alpha \) before obtaining one such that \((\alpha )/\mathfrak {q}\) is \(2^{n^{b-\varepsilon }}\)-smooth. From Proposition 3, we know that we can make L large enough for this search. For correctness, we also check that \(k=n^{a_1}\), \(l = n^{a_2}\) for \(0< a_2 < a_1 \le 1\). Since \(k\ge n^{1-a+\varepsilon }\), we have \(a_1 > 1-a\), and \(a_2 = a\) with \(a < 1/2\), so \(a_1> a_2 > 0\). On the other hand \(a_1 \le 4a-1 \le 1\).

Corollary 2

(GRH + Heuristic 2 ). Algorithm 4 decomposes \(\mathfrak {I}\) with \(\mathcal {N}(\mathfrak {I})\le 2^{n^{b_0}}\) as a \(2^{n^{2-3a+\varepsilon }}\)-smooth product in \({\text {Cl}}(\mathcal {O}_K)\) in time \(\left( n^{3a}\right) ^{O\left( \frac{1}{\varepsilon }\right) }2^{n^{a + o(1)}}\), where \(b_0 \le 7a - 2\) and \(\frac{2}{5} + \frac{\varepsilon }{5} \le a \le \frac{1}{2}\).

We can choose \(\varepsilon = \frac{1}{\log (n)} = o(1)\) to ensure that the required precomputation has asymptotic complexity \(2^{n^{2-3a + o(1)}}\) while that of Algorithm 4 is \(2^{n^{a + o(1)}}\). Indeed, at each of the \(O\left( \frac{1}{\varepsilon }\right) \) steps, the number of primes in \(\text {primeList}\) is multiplied by at most \(n^{3a}\), which is a bound on the number of divisors of \(\alpha \).

Resolution Step. Given \(\mathfrak {I}=(\phi )\mathfrak {p}_1\cdots \mathfrak {p}_m\) such that \(\phi \in \mathbb {Q}(\zeta _{p^e})\) and \(\mathcal {N}(\mathfrak {p}_i)\le 2^{n^{\kappa }}\) where \(1/2<\kappa <1\), we refine this decomposition into one that involves only primes of norm less than \(12\ln (|\varDelta |)^2\) by using the precomputed relation matrix and we solve a linear system to obtain a generator of \(\mathfrak {I}\). This generator is then used to derive a short generator of \(\mathfrak {I}\) by using the techniques of [CDPR16]. The precomputed relation matrix has the form \(H = \left( {\begin{matrix} C &{} (0) \\ D &{} I \end{matrix}}\right) \) where I is the identity. Under the GRH, \(i_0 := \dim (C)\le 12\ln (|\varDelta |)^2\). The rows of index \(i > i_0\) correspond to relations of the form \(\mathfrak {p}_i\sim \prod _{j\le i_0}\mathfrak {p}_j^{e_j}\) where \((-e_i)\) is a row vector of D and \(\mathcal {N}(\mathfrak {p}_j)\le 12\ln (|\varDelta |)^2\) for \(j\le i_0\). Given the input decomposition of \(\mathfrak {I}\) over \(\mathcal {B}\), it is straightforward to rewrite all large prime ideals as products of the ideals of norm less than \(\mathcal {N}(\mathfrak {p}_{i_0})\le 12\ln (|\varDelta |)^2\). We describe this procedure in Algorithm 5.
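The rewriting over the small primes and the linear system of the Resolution Step can be shown on a constructed relation matrix. The Python program below is an added example, not the paper's Algorithm 5 or 6: it takes an exponent vector \(e\) describing \(\mathfrak {I}/(\phi ) = \prod _j \mathfrak {p}_j^{e_j}\) over the factor base, uses the rows \((D_i \mid \text {unit})\) of \(H\) to push every large prime onto \(\mathfrak {p}_1,\dots ,\mathfrak {p}_{i_0}\), and then solves \(x\cdot H = e\) over \(\mathbb {Z}\) by back-substitution on the lower-triangular HNF, so that \(\phi \prod _i \beta _i^{x_i}\) generates \(\mathfrak {I}\) when each row \(i\) of \(H\) is the exponent vector of a premultiplier \(\beta _i\). The matrix `H_TOY`, the value \(i_0 = 2\) and the exponent vectors are constructed for the example; a non-integral solution means the class of \(\mathfrak {I}\) is not trivial (or the input decomposition is wrong).

```python
"""Toy version of the Resolution Step: rewrite a decomposition over the whole
factor base through H = (C 0; D I) and solve x * H = e in Z.  Added example
with a constructed relation matrix; not the paper's own code."""

# Constructed relation matrix on a factor base p_1..p_5 with i0 = 2 small
# primes.  Row i means beta_i * O_K = prod_j p_j^{H[i][j]} for a premultiplier
# beta_i found during the precomputation.  det(C) = 6 plays the class number.
H_TOY = [
    [3, 0, 0, 0, 0],   # p_1^3 principal
    [1, 2, 0, 0, 0],   # p_1 p_2^2 principal
    [1, 1, 1, 0, 0],   # p_3 ~ (p_1 p_2)^-1
    [2, 0, 0, 1, 0],   # p_4 ~ p_1^-2
    [0, 1, 0, 0, 1],   # p_5 ~ p_2^-1
]
I0 = 2

def rewrite_over_small_primes(e, H, i0):
    """Algorithm 5 step: row i >= i0 of H is (D_i | unit vector), so
    p_i ~ prod_{j<i0} p_j^{-D[i][j]} and the exponent e_i of the large prime
    p_i is pushed onto the small primes."""
    small = list(e[:i0])
    for i in range(i0, len(e)):
        for j in range(i0):
            small[j] -= e[i] * H[i][j]
    return small

def solve_relation_lattice(H, e):
    """Solve x * H = e over Z for a lower-triangular H (an HNF), going from
    the last column backwards.  Returns x, or None when e is not in the row
    lattice of H (then the ideal is not principal, or e is wrong)."""
    m = len(H)
    x = [0] * m
    for j in reversed(range(m)):
        rem = e[j] - sum(x[i] * H[i][j] for i in range(j + 1, m))
        if rem % H[j][j]:
            return None
        x[j] = rem // H[j][j]
    return x

def generator_exponents(e, H, i0):
    """Both steps together: after rewriting, the small-prime vector must lie
    in the row lattice of C = upper-left i0 x i0 block; each large prime
    contributes x_i = e_i because its row of H has a 1 in column i.
    The result x satisfies x * H = e, i.e. I = (phi * prod beta_i^{x_i})."""
    small = rewrite_over_small_primes(e, H, i0)
    C = [row[:i0] for row in H[:i0]]
    xc = solve_relation_lattice(C, small)
    if xc is None:
        return None
    x = xc + list(e[i0:])
    assert solve_relation_lattice(H, e) == x     # agrees with the full solve
    return x

if __name__ == "__main__":
    # Constructed inputs: I/(phi) = p_1^6 p_2^3 p_3 p_4 p_5^2 is principal,
    # I/(phi) = p_1^4 p_2^3 p_3 p_4 p_5^2 is not.
    for e in ([6, 3, 1, 1, 2], [4, 3, 1, 1, 2]):
        print(e, "->", rewrite_over_small_primes(e, H_TOY, I0),
              "->", generator_exponents(e, H_TOY, I0))
```

In the paper \(H\) has \(m\) rows with \(i_0\le 12\ln (|\varDelta |)^2\) small primes and \(\mathcal {N}(\mathfrak {p}_i)\le 2^{n^{\kappa }}\) for the others, and the exponents \(x_i\) are then fed, together with the \({\text {Log}}(\beta _i)\) bounded in Sect. 5, to the short-generator recovery of [CDPR16].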


Proposition 5

(GRH + Heuristic 1 + Heuristic 2 ). Let \(\frac{2}{5}< a < \frac{1}{2}\), \(b \le 7a - 2\) and a principal ideal \(\mathfrak {I}\) of \(\mathbb {Q}(\zeta _{p^e})\) such that \(\mathcal {N}(\mathfrak {I})\le 2^{n^b}\) for \(n:=[\mathbb {Q}(\zeta _{p^e}):\mathbb {Q}]\). Given the output of Algorithm 1 with \(\kappa = 2-3a + o(1)\), Algorithm 6 is correct and runs in time \(2^{n^{a +o(1)}}\).

With \(a= \frac{3}{7}\) and \(b=1+o(1)\), and a precomputation cost in \(2^{n^{5/7 + o(1)}}\), every search for a small generator of a principal ideal \(\mathfrak {I}\) with \(\log (\mathcal {N}(\mathfrak {I}))\le n^{1+o(1)}\) takes heuristic time \(2^{n^{3/7+o(1)}}\).

8 Quantum \(\gamma \)-ideal-SVP in \(\mathbb {Q}(\zeta _{p^e})\) with Precomputation

Let \(1/3< a < 1/2\). We present a quantum algorithm that finds a \(2^{n^{2-3a+o(1)}}\)-smooth decomposition of an input ideal \(\mathfrak {I}\subset \mathbb {Q}(\zeta _{p^e})\) in time \(2^{n^{a + o(1)}}\) where \(n = [\mathbb {Q}(\zeta _{p^e}):\mathbb {Q}]\) by using \(\tilde{O}(n^{2-a})\) qubits. When combined with the precomputation of the relations between ideals of norm less than \(2^{n^{2-3a+o(1)}}\), this yields an algorithm for \(\gamma \)-ideal-SVP running in heuristic time \(2^{n^{a + o(1)}}\). For example, if \(a = 3/7\), we solve \(\gamma \)-ideal-SVP for \(\gamma \in 2^{n^{1/2+o(1)}}\) with heuristic quantum complexity \(2^{n^{3/7 + o(1)}}\) using \(\tilde{O}(n^{11/7})\) qubits and a one-time (classical) precomputation on \(\mathbb {Q}(\zeta _{p^e})\) in time \(2^{n^{5/7 + o(1)}}\).

Quantum \(\mathfrak {q}\)-descent. Our \(\mathfrak {q}\)-descent strategy to find a \(2^{n^{2-3a+o(1)}}\)-smooth decomposition of an input ideal \(\mathfrak {I}\) can be decomposed into 3 main steps:

1. Find \(\mathfrak {I}'\) such that \(\mathfrak {I}\sim \mathfrak {I}'\) using BKZ where \(\mathcal {N}(\mathfrak {I}')\in 2^{n^{2-a+o(1)}}\).

2. Find \(\mathfrak {I}''\) such that \(\mathfrak {I}'\sim \mathfrak {I}''\) and \(\mathfrak {I}''\) is \(2^{n^{2-2a}}\)-smooth.

3. Recursively decompose each \(\mathfrak {q}\mid \mathfrak {I}''\) with norm less than \(2^{n^b}\) into a product of terms with norm less than \(2^{n^{b-\varepsilon }}\) until we get a \(2^{n^{2-3a+\varepsilon }}\)-smooth decomposition for \(\varepsilon \rightarrow 0 \).


The initial BKZ-reduction of \(\mathfrak {I}\) is the algorithm described in [BF14, Algorithm 2]. It consists in drawing a short vector from a BKZ-reduced basis of the inverse of \(\mathfrak {I}\). The norm of the ideal obtained by multiplying \(\mathfrak {I}\) by that element is bounded by a function of the invariants of the field.

Proposition 6

Let \(1/3< a < 1/2\), and \(k = \log (n)n^a\). Step 2 of Algorithm 7 returns \(\alpha \in \mathbb {Q}(\zeta _{p^e})\) such that \(\mathfrak {I}':= (\alpha )\mathfrak {I}\) satisfies \(\mathcal {N}(\mathfrak {I}') \le 2^{n^{2-a+o(1)}}\sqrt{|\varDelta |}\) in time \(2^{n^{a+o(1)}}{\text {Poly}}\left( \log (\mathcal {N}(\mathfrak {I}))\right) \).

The second step of the quantum \(\mathfrak {q}\)-descent consists in looking for short vectors \(\alpha \in \mathfrak {I}'\) such that \((\alpha )/\mathfrak {I}'\) is \(2^{n^{2-2a}}\)-smooth. This step is the one where the numbers we test for smoothness with Shor’s algorithm are the largest. Therefore, the parameters are set to minimize the size of the elements \(\alpha \in \mathfrak {I}'\) we draw. These elements \(\alpha \) satisfy \(\log (\mathcal {N}(\alpha ))\in \tilde{O}(n^{2-a})\) which sets the qubit requirements of the entire descent.

Proposition 7

(GRH + Heuristic 2 ). Let \(\mathfrak {I}'\) be an ideal with \(\log (\mathcal {N}(\mathfrak {I}'))\le O(n^{2-a})\), \(\varepsilon > 0\), \(1/3< a < 1/2\). Steps 3 and 4 of Algorithm 7 return a decomposition of \(\mathfrak {I}'\) in \({\text {Cl}}(\mathcal {O}_K)\) as a product of primes \(\mathfrak {p}_i\) with \(\log (\mathcal {N}(\mathfrak {p}_i))\le n^{2-2a}\) in time \(2^{n^{a + o(1) }}\) using less than \(\tilde{O}(n^{2-a})\) qubits.

Proof

In Step 4, we have \(\log (\mathcal {N}(\alpha )) \in O\left( \frac{nk\log (l)}{l} + \frac{n}{k}\log (\mathcal {N}(\mathfrak {I}'))\right) \). As \(k = n\) and \(l = n^a\), we get that \(\log (\mathcal {N}(\alpha )) \in \tilde{O}(n^{2-a})\). We can test the smoothness of these \(\alpha \) using Shor’s algorithm with \(\tilde{O}(n^{2-a})\) qubits in polynomial time, and from Heuristic 2, the number of \(\alpha \) we need to test before obtaining one such that \((\alpha )/\mathfrak {I}'\) is \(2^{n^{2-2a}}\)-smooth is bounded by \(2^{n^{a + o(1)}}\). As before, we can prove that the search space is large enough from Proposition 3.

Proposition 8

(GRH + Heuristic 2 ). Let \(\varepsilon > 0\) and let \(\mathfrak {q}\) be a prime with \(\log (\mathcal {N}(\mathfrak {q}))\le n^b\) for \(2-3a +\varepsilon \le b \le 2-2a.\) Step 10 returns a \(2^{n^{b-\varepsilon }}\)-smooth decomposition of \(\mathfrak {q}\) in time \(\left( n^{2-a}\right) ^{O\left( \frac{1}{\varepsilon }\right) }2^{n^{a + o(1)}}\) using less than \(\tilde{O}(n^{2-a})\) qubits.

Proof

In Step 9, \(\log (\mathcal {N}(\alpha )) \in O\left( \frac{nk\log (l)}{l} + \frac{n}{k}\log (\mathcal {N}(\mathfrak {q}))\right) \). As \(k= n^{1-a + \varepsilon }\) and \(l = n^a\), we get \(\frac{n}{k}\log (\mathcal {N}(\mathfrak {q})) \le n^{b - \varepsilon + a}\) and \(\frac{nk}{l}\le n^{2 - 2a}\). Since \(b\le 2-2a\), \(\log (\mathcal {N}(\alpha ))\le \tilde{O}(n^{2-a})\) and we can test the smoothness of \((\alpha )/\mathfrak {q}\) using Shor’s algorithm in quantum polynomial time using less than \(\tilde{O}(n^{2-a})\) qubits. From Heuristic 2, the number of \(\alpha \) we need to test before obtaining one such that \((\alpha )/\mathfrak {q}\) is \(2^{n^{b-\varepsilon }}\)-smooth is bounded by \(2^{n^{a + o(1)}}\). From Proposition 3, the search space is large enough.

To make the precomputation time \(2^{n^{2-3a+o(1)}}\) and the \(\mathfrak {q}\)-descent time \(2^{n^{a+o(1)}}\), we can choose \(\varepsilon = \frac{1}{\log (n)}\) as in the classical \(\mathfrak {q}\)-descent.

Resolution Step. Given an ideal \(\mathfrak {I}\), we look for a solution \(\alpha \in \mathfrak {I}\) to \(\gamma \)-ideal-SVP for \(\gamma = 2^{n^{1/2 + o(1)}}\). We assume that we are given a precomputed relation matrix \(H = \left( {\begin{matrix} C &{} (0) \\ D &{} I \end{matrix}}\right) \) of relations between the ideals \((\mathfrak {p}_i)_{i\le m}\) of norm less than \(2^{n^{\kappa }}\) where \(1/2< \kappa < 1\) and I is the identity matrix. Our algorithm for \(\gamma \)-ideal-SVP is:

1. Find an ideal \(\mathfrak {J}\) with \(\mathcal {N}(\mathfrak {J})\in 2^{\tilde{O}(n^{3/2})}\) such that \(\mathfrak {I}\mathfrak {J}\) is principal using the heuristic method of [CDW16, Algorithms 1 and 2].

2. Use Algorithm 7 to decompose \(\mathfrak {I}\mathfrak {J}\) over ideals of norm less than \(2^{n^{\kappa }}\).

3. With Algorithm 5, express \(\mathfrak {I}\mathfrak {J}\) with respect to \((\mathfrak {p}_i)_{i\le i_0}\) where \(i_0 := \dim (C)\).

4. Find a short generator \(\alpha \) of \(\mathfrak {I}\mathfrak {J}\) using Algorithm 6 (Footnote 3).

The element \(\alpha \in \mathfrak {I}\mathfrak {J}\) computed in Step 4 satisfies \(\Vert \alpha \Vert \le 2^{n^{1/2 + o(1)}}\mathcal {N}\left( \mathfrak {I}\mathfrak {J}\right) ^{1/n} = 2^{n^{1/2 + o(1)}}\mathcal {N}\left( \mathfrak {I}\right) ^{1/n}\). It is therefore a solution to \(\gamma \)-ideal-SVP in \(\mathfrak {I}\) for \(\gamma = 2^{n^{1/2 + o(1)}}\). The run time of the close principal multiple algorithm of [CDW16] depends on:

Heuristic 4

There are primes \((\mathfrak {p}_i)_{i\le i_0}\) with \(\mathcal {N}(\mathfrak {p}_i)\le {\text {Poly}}(n)\), \(i_0\le {\text {Poly}}(\log (n))\) such that the classes of \((\mathfrak {p}_i^\sigma )_{i\le i_0,\sigma \in {\text {Gal}}(K/\mathbb {Q})}\) generate \({\text {Cl}}(\mathcal {O}_K)^{-} := \ker (\mathcal {N}_{K/K^+})\) where \(\mathcal {N}_{K/K^+}([\mathfrak {I}]) = [\mathfrak {I}\overline{\mathfrak {I}}]\).

Step 1 is performed with a modification of [CDW16, Algorithm 2]. In [CDW16, Algorithm 2, Step 1], the input ideal \(\mathfrak {I}\) is decomposed over a short generating set (the \((\mathfrak {p}_i)_{i\le i_0}\)) using the quantum algorithm of Biasse and Song [BS16]. Here, we replace it with a variation of Algorithm 5 to decompose the class of \(\mathfrak {I}\) with respect to generators for \({\text {Cl}}(\mathcal {O}_K)^{-}\). Therefore Step 1 runs in time \(2^{n^{a + o(1)}}\). Note that Heuristic 4 is a stronger variant of the heuristic [CDW16, Assumption 2] used by Cramer et al.

Proposition 9

(GRH + Heuristic 1 + Heuristic 2 + Heuristic 4 ). Let \(1/3< a < 1/2\) and an ideal \(\mathfrak {I}\). Given the output of Algorithm 1 with \(\kappa = 2-3a + o(1)\), Steps 1 to 4 return a solution to \(\gamma \)-ideal-SVP in \(\mathfrak {I}\) for \(\gamma = 2^{n^{1/2+o(1)}}\) in time \(2^{n^{a +o(1)}}\) by using \(\tilde{O}(n^{2-a})\) qubits.