54 research outputs found
On the Shortness of Vectors to be found by the Ideal-SVP Quantum Algorithm
The hardness of finding short vectors in ideals of cyclotomic number fields (hereafter, Ideal-SVP) can serve as a worst-case assumption for numerous efficient cryptosystems, via the average-case problems Ring-SIS and Ring-LWE. For a while, it could be assumed the Ideal-SVP problem was as hard as the analog problem for general lattices (SVP), even when considering quantum algorithms.
But in the last few years, a series of works has led to a quantum algorithm for Ideal-SVP that outperforms what can be done for general SVP in certain regimes. More precisely, it was demonstrated (under certain hypotheses) that one can find in quantum polynomial time a vector longer by a factor at most than the shortest non-zero vector in a cyclotomic ideal lattice, where is the dimension.
In this work, we explore the constants hidden behind this asymptotic claim. While these algorithms have quantum steps, the steps that impact the approximation factor are entirely classical, which allows us to estimate it experimentally using only classical computing. Moreover, we design heuristic improvements for those steps that significantly decrease the hidden factors in practice. Finally, we derive new provable effective lower bounds based on volumetric arguments.
This study allows one to predict the crossover point with classical lattice reduction algorithms, and thereby determine the relevance of this quantum algorithm in any cryptanalytic context. For example, we predict that this quantum algorithm provides shorter vectors than BKZ-300 (roughly the weakest security level of NIST lattice-based candidates) for cyclotomic rings of rank larger than about
A Coefficient-Embedding Ideal Lattice can be Embedded into Infinitely Many Polynomial Rings
Many lattice-based cryptosystems employ ideal lattices for high efficiency.
However, the additional algebraic structure of ideal lattices usually makes us
worry about the security, and it is widely believed that the algebraic
structure will help us solve the hard problems in ideal lattices more
efficiently. In this paper, we study the additional algebraic structure of
ideal lattices further and find that a given ideal lattice in some fixed
polynomial ring can be embedded as an ideal in infinitely many different
polynomial rings. We explicitly present all these polynomial rings for any
given ideal lattice. The interesting phenomenon tells us that a single ideal
lattice may have more abundant algebraic structures than we imagine, which will
impact the security of corresponding cryptosystems. For example, it increases
the difficulty of evaluating the security of cryptosystems based on ideal
lattices, since it seems that we need to consider all the polynomial rings that
the given ideal lattices can be embedded into if we believe that the algebraic
structure will contribute to solving the corresponding hard problem. It also
inspires a new method to solve the ideal lattice problems by embedding the
given ideal lattice into another well-studied polynomial ring. As a by-product,
we also introduce an efficient algorithm to identify if a given lattice is an
ideal lattice or not
An algorithm for computing the Stickelberger ideal for multiquadratic number fields
An algorithm is presented for computing the Stickelberger ideal of a multiquadratic field K = Q(√d_1, √d_2, …, √d_n), where d_i ≡ 1 mod 4, i ∈ {1, …, n}, or some d_j ≡ ±2 mod 8, j ∈ {1, …, n}, and all d_i are integers that are pairwise coprime and squarefree. The work is based on the paper by R. Kučera (J. Number Theory, 1996, no. 56). We propose an algorithm for computing the Stickelberger ideal that runs in time O(lg Δ_K · 2^n · poly(n)), where Δ_K is the discriminant of the field K. As an application, we show the connection between the Stickelberger ideal and the class number of a multiquadratic field
RLWE/PLWE equivalence for the maximal totally real subextension of the 2^r pq-th cyclotomic field
We generalise our previous work by giving a polynomial upper
bound on the condition number of certain quasi-Vandermonde matrices to establish
the equivalence between the RLWE and PLWE problems for the totally
real subfield of the cyclotomic fields of conductor 2^r, 2^r p and 2^r pq with r ≥ 1
and p, q arbitrary primes. Moreover, we give some cryptographic motivations
for the study of these subfields. Agencia Estatal de Investigació
On the ideal shortest vector problem over random rational primes
Any ideal in a number field can be factored into a product of prime ideals.
In this paper we study the prime ideal shortest vector problem (SVP) in the
ring , a popular choice in the design of ideal lattice
based cryptosystems. We show that a majority of rational primes lie under prime
ideals admitting a polynomial time algorithm for SVP. Although the shortest
vector problem of ideal lattices underpins the security of Ring-LWE
cryptosystem, this work does not break Ring-LWE, since the security reduction
is from the worst case ideal SVP to the average case Ring-LWE, and it is
one-way
Computing -th roots in number fields
We describe several algorithms for computing -th roots of elements in a
number field , where is an odd prime-power integer. In particular we
generalize Couveignes' and Thomé's algorithms originally designed to compute
square-roots in the Number Field Sieve algorithm for integer factorization. Our
algorithms cover most cases of and and allow one to obtain reasonable
timings even for large degree number fields and large exponents . The
complexity of our algorithms is better than general root finding algorithms and
our implementation compared well in performance to these algorithms implemented
in well-known computer algebra software. One important application of our
algorithms is to compute the saturation phase in the Twisted-PHS algorithm for
computing the Ideal-SVP problem over cyclotomic fields in post-quantum
cryptography. Comment: 9 pages, 4 figures. Associated experimental code provided at
https://github.com/ob3rnard/eth-root