Recovering short generators of principal ideals in cyclotomic rings
Abstract: A handful of recent cryptographic proposals rely on the conjectured hardness of the following problem in the ring of integers of a cyclotomic number field: given a basis of a principal ideal that is guaranteed to have a "rather short" generator, find such a generator. Recently, Bernstein and Campbell-Groves-Shepherd sketched potential attacks against this problem; most notably, the latter authors claimed a polynomial-time quantum algorithm. (Alternatively, replacing the quantum component with an algorithm of Biasse and Fieker would yield a classical subexponential-time algorithm.) A key claim of Campbell et al. is that one step of their algorithm, namely decoding the log-unit lattice of the ring to recover a short generator from an arbitrary one, is classically efficient (whereas the standard approach on general lattices takes exponential time). However, very few convincing details were provided to substantiate this claim.
In this work, we clarify the situation by giving a rigorous proof that the log-unit lattice is indeed efficiently decodable, for any cyclotomic of prime-power index. Combining this with the quantum algorithm from a recent work of Biasse and Song confirms the main claim of Campbell et al. Our proof consists of two main technical contributions: the first is a geometrical analysis, using tools from analytic number theory, of the standard generators of the group of cyclotomic units. The second shows that for a wide class of typical distributions of the short generator, a standard lattice-decoding algorithm can recover it, given any generator.
By extending our geometrical analysis, as a second main contribution we obtain an efficient algorithm that, given any generator of a principal ideal (in a prime-power cyclotomic of degree n), finds a $2^{\tilde{O}(\sqrt{n})}$-approximate shortest vector in the ideal. Combining this with the result of Biasse and Song yields a quantum polynomial-time algorithm for the $2^{\tilde{O}(\sqrt{n})}$-approximate Shortest Vector Problem on principal ideal lattices.
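A toy instance of the decoding step the abstract describes, added here as an illustration (it is not code from the paper). In the ring of integers of Q(zeta_16), which has degree n = 8 and ring of integers Z[x]/(x^8 + 1), the cyclotomic units b_j = (zeta^j - 1)/(zeta - 1) for j in {3, 5, 7} generate the log-unit lattice modulo roots of unity. Given an arbitrary generator g' = g * u for an unknown cyclotomic unit u, round-off decoding of Log(g') in the dual basis of the vectors Log(b_j) recovers the exponents of u, hence g up to a root of unity (which the log embedding cannot see). The conductor 16, the short generator 2 + zeta and the hidden exponents (2, -3, 1) are constructed for the example; the paper proves the analogous statement for every prime-power conductor and for a broad class of distributions of g.

```python
"""Round-off decoding of the log-unit lattice of Q(zeta_16) (toy instance).

Added illustration, not the paper's code.  Elements of Z[zeta_16] are integer
coefficient vectors of length 8, multiplied modulo x^8 + 1 (zeta^8 = -1).
"""
import cmath
import math

M = 16                    # conductor: prime-power index 2^4
N = 8                     # degree phi(16)
REPS = [1, 3, 5, 7]       # (Z/16)^* modulo +-1: one embedding per conjugate pair
UNIT_INDICES = [3, 5, 7]  # j in REPS \ {1}: cyclotomic units b_j = (z^j - 1)/(z - 1)


def mul(a, b):
    """Product in Z[x]/(x^8 + 1) (negacyclic convolution)."""
    r = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < N:
                r[k] += ai * bj
            else:
                r[k - N] -= ai * bj   # x^8 = -1
    return r


def add(a, b):
    return [x + y for x, y in zip(a, b)]


def zeta_pow(t):
    """zeta^t as a ring element."""
    t %= M
    r = [0] * N
    if t < N:
        r[t] = 1
    else:
        r[t - N] = -1
    return r


def cyclotomic_unit(j):
    """b_j = 1 + zeta + ... + zeta^(j-1) = (zeta^j - 1)/(zeta - 1)."""
    r = [0] * N
    for i in range(j):
        r = add(r, zeta_pow(i))
    return r


def cyclotomic_unit_inverse(j):
    """b_j^{-1} = (zeta - 1)/(zeta^j - 1) = sum_{i < j'} zeta^{j*i} with j*j' = 1 mod 16."""
    jinv = pow(j, -1, M)
    r = [0] * N
    for i in range(jinv):
        r = add(r, zeta_pow(j * i))
    return r


def unit_power(j, e):
    """b_j^e for any integer e (negative exponents use the explicit inverse)."""
    base = cyclotomic_unit(j) if e >= 0 else cyclotomic_unit_inverse(j)
    r = zeta_pow(0)
    for _ in range(abs(e)):
        r = mul(r, base)
    return r


def log_embedding(a):
    """Log(a) = (log|sigma_k(a)|)_{k in REPS}, sigma_k : zeta -> exp(2*pi*i*k/16)."""
    out = []
    for k in REPS:
        w = cmath.exp(2j * math.pi * k / M)
        out.append(math.log(abs(sum(c * w ** i for i, c in enumerate(a)))))
    return out


def dot(u, v):
    return sum(x * y for x, y in zip(u, v))


def solve(A, y):
    """Gauss-Jordan elimination with partial pivoting for a small system A c = y."""
    n = len(y)
    T = [row[:] + [y[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(T[r][col]))
        T[col], T[piv] = T[piv], T[col]
        for r in range(n):
            if r != col:
                f = T[r][col] / T[col][col]
                T[r] = [p - f * q for p, q in zip(T[r], T[col])]
    return [T[i][n] / T[i][i] for i in range(n)]


def decode_log_unit(g_prime):
    """Given any generator g' = g * u, return (g up to a root of unity, exponents of u).

    The coordinate of Log(g') along the dual vector of Log(b_j) equals
    e_j + <Log(g), b_j^dual>; for a short g the second term is below 1/2
    in absolute value, so rounding returns the exponent e_j exactly.
    """
    B = [log_embedding(cyclotomic_unit(j)) for j in UNIT_INDICES]
    gram = [[dot(u, v) for v in B] for u in B]
    v = log_embedding(g_prime)
    coords = solve(gram, [dot(row, v) for row in B])   # = Gram^{-1} B Log(g')
    exps = [round(c) for c in coords]
    g = g_prime
    for j, e in zip(UNIT_INDICES, exps):
        g = mul(g, unit_power(j, -e))                   # divide out the decoded unit
    return g, exps


def same_up_to_root_of_unity(a, b):
    """True iff a = +-zeta^t * b for some t."""
    return any(mul(b, zeta_pow(t)) in (a, [-x for x in a]) for t in range(N))


def toy_instance():
    """Constructed instance: g = 2 + zeta, u = zeta^5 * b_3^2 * b_5^-3 * b_7."""
    g = [2, 1, 0, 0, 0, 0, 0, 0]
    hidden = [2, -3, 1]
    u = zeta_pow(5)
    for j, e in zip(UNIT_INDICES, hidden):
        u = mul(u, unit_power(j, e))
    return g, mul(g, u), hidden


if __name__ == "__main__":
    g, g_prime, hidden = toy_instance()
    recovered, exps = decode_log_unit(g_prime)
    print("given generator :", g_prime)
    print("decoded exponents:", exps, "hidden:", hidden)
    print("recovered g up to root of unity:", same_up_to_root_of_unity(recovered, g))
```

For this g the three dual coordinates of Log(g) are about -0.07, -0.12 and 0.40, all below 1/2, which is why rounding succeeds regardless of how large the hidden exponents are; a g with one unusually tiny embedding would push a coordinate past 1/2 and defeat the round-off, which is exactly the distributional condition the second contribution of the paper addresses.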
Algorithms on Ideal over Complex Multiplication order
We show in this paper that the Gentry-Szydlo algorithm for cyclotomic orders,
previously revisited by Lenstra-Silverberg, can be extended to
complex-multiplication (CM) orders, and even to a more general structure. This
algorithm allows one to test equality in the polarized ideal class group and
finds a generator of a polarized ideal in polynomial time. The algorithm also
solves the norm equation over CM orders, and the recent reduction of principal
ideals to the real suborder can likewise be performed in polynomial time.
Furthermore, we can compute in polynomial time a unit of an order of any number
field given a (not very precise) approximation of it. Our description of the
Gentry-Szydlo algorithm differs from the original and from Lenstra-Silverberg's
variant, and we hope the simplifications made will allow a deeper
understanding. Finally, we show that the well-known speed-up for enumeration
and sieve algorithms for ideal lattices over power-of-two cyclotomics can be
generalized to any number field with many roots of unity.
Comment: Full version of a paper submitted to ANT
Counting points on hyperelliptic curves with explicit real multiplication in arbitrary genus
We present a probabilistic Las Vegas algorithm for computing the local zeta
function of a genus- hyperelliptic curve defined over with
explicit real multiplication (RM) by an order in a degree-
totally real number field.
It is based on the approaches by Schoof and Pila in a more favorable case
where we can split the -torsion into kernels of endomorphisms, as
introduced by Gaudry, Kohel, and Smith in genus 2. To deal with these kernels
in any genus, we adapt a technique that the author, Gaudry, and Spaenlehauer
introduced to model the -torsion by structured polynomial systems.
Applying this technique to the kernels, the systems we obtain are much smaller
and so is the complexity of solving them.
Our main result is that there exists a constant such that, for any
fixed , this algorithm has expected time and space complexity as grows and the characteristic is large enough. We prove that
and we also conjecture that the result still holds for .
Comment: To appear in Journal of Complexity. arXiv admin note: text overlap with arXiv:1710.0344
On the ideal shortest vector problem over random rational primes
Any ideal in a number field can be factored into a product of prime ideals.
In this paper we study the prime ideal shortest vector problem (SVP) in the
ring , a popular choice in the design of ideal-lattice-based
cryptosystems. We show that a majority of rational primes lie under prime
ideals admitting a polynomial-time algorithm for SVP. Although the shortest
vector problem on ideal lattices underpins the security of Ring-LWE-based
cryptosystems, this work does not break Ring-LWE: the security reduction runs
in one direction only, from worst-case ideal SVP to average-case Ring-LWE, so
an efficient SVP algorithm for some ideals does not yield an attack on
Ring-LWE.
Quantum-secure message authentication via blind-unforgeability
Formulating and designing unforgeable authentication of classical messages in
the presence of quantum adversaries has been a challenge, as the familiar
classical notions of unforgeability do not directly translate into meaningful
notions in the quantum setting. A particular difficulty is how to fairly
capture the notion of "predicting an unqueried value" when the adversary can
query in quantum superposition. In this work, we uncover serious shortcomings
in existing approaches, and propose a new definition. We then support its
viability by a number of constructions and characterizations. Specifically, we
demonstrate a function which is secure according to the existing definition by
Boneh and Zhandry, but is clearly vulnerable to a quantum forgery attack,
whereby a query supported only on inputs that start with 0 divulges the value
of the function on an input that starts with 1. We then propose a new
definition, which we call "blind-unforgeability" (or BU). This notion matches
"intuitive unpredictability" in all examples studied thus far. It defines a
function to be predictable if there exists an adversary which can use
"partially blinded" oracle access to predict values in the blinded region. Our
definition (BU) coincides with standard unpredictability (EUF-CMA) in the
classical-query setting. We show that quantum-secure pseudorandom functions are
BU-secure MACs. In addition, we show that BU satisfies a composition property
(Hash-and-MAC) using "Bernoulli-preserving" hash functions, a new notion which
may be of independent interest. Finally, we show that BU is amenable to
security reductions by giving a precise bound on the extent to which quantum
algorithms can deviate from their usual behavior due to the blinding in the BU
security experiment.
Comment: 23+9 pages, v3: published version, with one theorem statement in the summary of results corrected
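The blinded-oracle experiment behind the BU definition, restricted to the classical-query setting, as an added illustration that is not the paper's code: the oracle answers bottom (None) on a Bernoulli(eps) blinded subset B_eps of the message space, and a forgery counts only if it verifies and lands inside B_eps. HMAC-SHA256 stands in for a MAC that should be BU-secure; the weakened MAC, the two adversaries, the message strings and the derivation of per-trial keys from a fixed seed are all constructed for this demo, and superposition queries (the case that motivates BU) are not modelled.

```python
"""Classical-query simulation of the blind-unforgeability (BU) experiment.

Added illustration, not code from the paper.  B_eps is sampled lazily: a keyed
PRF bit per message decides membership, which is distributed like including
each domain element independently with probability eps.
"""
import hashlib
import hmac
import secrets


def hmac_mac(key):
    """MAC expected to be BU-secure: HMAC-SHA256 under `key`."""
    return lambda m: hmac.new(key, m, hashlib.sha256).digest()


def weak_mac(key):
    """Constructed insecure MAC: it ignores the last message byte, so a tag for
    m is also valid for any m' that differs from m only in its final byte."""
    return lambda m: hmac.new(key, m[:-1], hashlib.sha256).digest()


class BlindedOracle:
    """Blind_eps(MAC_k): returns None (bottom) on the blinded set B_eps."""

    def __init__(self, mac, eps, blind_key=None):
        self.mac = mac
        self.eps = eps
        self.blind_key = blind_key if blind_key is not None else secrets.token_bytes(32)
        self.queries = 0

    def in_blinded_set(self, m):
        # Lazily sampled Bernoulli(eps) membership, consistent across calls.
        r = hmac.new(self.blind_key, m, hashlib.sha256).digest()
        return int.from_bytes(r[:8], "big") < int(self.eps * 2 ** 64)

    def query(self, m):
        self.queries += 1
        return None if self.in_blinded_set(m) else self.mac(m)

    def forgery_wins(self, m, tag):
        # BU winning condition: the forgery lies in the blinded region and verifies.
        return self.in_blinded_set(m) and hmac.compare_digest(tag, self.mac(m))


def replay_adversary(oracle, m=b"transfer:100"):
    """Re-emits an answered query.  It can never win: an answered message is,
    by definition of the oracle, outside B_eps."""
    tag = oracle.query(m)
    return (m, tag) if tag is not None else None


def last_byte_adversary(oracle, m=b"transfer:100"):
    """Forges against weak_mac by flipping the last byte of a queried message.
    Its win probability is eps * (1 - eps): the query must be unblinded and
    the forged message blinded, and the two events are independent."""
    tag = oracle.query(m)
    if tag is None:
        return None
    forged = m[:-1] + bytes([m[-1] ^ 0x01])
    return (forged, tag)


def run_experiment(mac_factory, adversary, eps, trials, seed=b"bu-demo"):
    """Number of trials in which `adversary` wins the BU experiment against a
    fresh MAC key and fresh blinding set; keys derive from `seed` so the count
    is reproducible."""
    wins = 0
    for i in range(trials):
        k = hashlib.sha256(seed + b"mac" + i.to_bytes(4, "big")).digest()
        bk = hashlib.sha256(seed + b"blind" + i.to_bytes(4, "big")).digest()
        oracle = BlindedOracle(mac_factory(k), eps, bk)
        out = adversary(oracle)
        if out is not None and oracle.forgery_wins(*out):
            wins += 1
    return wins


if __name__ == "__main__":
    print("HMAC, replay adversary     :", run_experiment(hmac_mac, replay_adversary, 0.5, 400))
    print("HMAC, last-byte adversary  :", run_experiment(hmac_mac, last_byte_adversary, 0.5, 400))
    print("weak MAC, last-byte forgery:", run_experiment(weak_mac, last_byte_adversary, 0.5, 400))
```

With eps = 1/2 the last-byte adversary wins roughly a quarter of the trials against the weak MAC and none against HMAC, which is the classical shape of the claim that BU coincides with EUF-CMA for classical queries; what the simulation cannot show is the superposition query supported on inputs starting with 0 that the abstract uses to separate BU from the Boneh-Zhandry notion.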
On the shortness of vectors to be found by the Ideal-SVP quantum algorithm
The hardness of finding short vectors in ideals of cyclotomic number fields (hereafter, Ideal-SVP) can serve as a worst-case assumption for numerous efficient cryptosystems, via the average-case problems Ring-SIS and Ring-LWE. For a while, it could be assumed the Ideal-SVP problem was as hard a