    On the Shortness of Vectors to be found by the Ideal-SVP Quantum Algorithm

    The hardness of finding short vectors in ideals of cyclotomic number fields (hereafter, Ideal-SVP) can serve as a worst-case assumption for numerous efficient cryptosystems, via the average-case problems Ring-SIS and Ring-LWE. For a while, it could be assumed that the Ideal-SVP problem was as hard as the analogous problem for general lattices (SVP), even when considering quantum algorithms. But in the last few years, a series of works has led to a quantum algorithm for Ideal-SVP that outperforms what can be done for general SVP in certain regimes. More precisely, it was demonstrated (under certain hypotheses) that one can find in quantum polynomial time a vector longer by a factor of at most $\alpha = \exp(\tilde O(n^{1/2}))$ than the shortest non-zero vector in a cyclotomic ideal lattice, where $n$ is the dimension. In this work, we explore the constants hidden behind this asymptotic claim. While these algorithms have quantum steps, the steps that impact the approximation factor $\alpha$ are entirely classical, which allows us to estimate it experimentally using only classical computing. Moreover, we design heuristic improvements for those steps that significantly decrease the hidden factors in practice. Finally, we derive new provable effective lower bounds based on volumetric arguments. This study allows us to predict the crossover point with classical lattice reduction algorithms, and thereby determine the relevance of this quantum algorithm in any cryptanalytic context. For example, we predict that this quantum algorithm provides shorter vectors than BKZ-300 (roughly the weakest security level of the NIST lattice-based candidates) for cyclotomic rings of rank larger than about 24000.

    A Coefficient-Embedding Ideal Lattice can be Embedded into Infinitely Many Polynomial Rings

    Many lattice-based cryptosystems employ ideal lattices for high efficiency. However, the additional algebraic structure of ideal lattices is a recurring security concern, and it is widely believed that this structure can help solve the hard problems in ideal lattices more efficiently. In this paper, we study the additional algebraic structure of ideal lattices further and find that a given ideal lattice in some fixed polynomial ring can be embedded as an ideal in infinitely many different polynomial rings. We explicitly present all these polynomial rings for any given ideal lattice. This phenomenon shows that a single ideal lattice may have richer algebraic structure than previously imagined, which will impact the security of the corresponding cryptosystems. For example, it increases the difficulty of evaluating the security of cryptosystems based on ideal lattices, since it seems that we need to consider all the polynomial rings into which the given ideal lattice can be embedded if we believe that the algebraic structure contributes to solving the corresponding hard problem. It also suggests a new method for solving ideal lattice problems: embedding the given ideal lattice into another, well-studied polynomial ring. As a by-product, we also introduce an efficient algorithm to decide whether a given lattice is an ideal lattice or not.

    An algorithm for computing the Stickelberger ideal for multiquadratic number fields

    We present an algorithm for computing the Stickelberger ideal of a multiquadratic field $K = \mathbb{Q}(\sqrt{d_1}, \sqrt{d_2}, \ldots, \sqrt{d_n})$, where $d_i \equiv 1 \pmod 4$ for $i \in \{1, \ldots, n\}$, or some $d_j \equiv \pm 2 \pmod 8$ for $j \in \{1, \ldots, n\}$, and all $d_i$ are integers, pairwise coprime and square-free. The work is based on the paper by R. Kučera (J. Number Theory, 1996, no. 56). We propose an algorithm for computing the Stickelberger ideal that runs in time $O(\lg \Delta_K \cdot 2^n \cdot \mathrm{poly}(n))$, where $\Delta_K$ is the discriminant of the field $K$. As an application, we show the relationship between the Stickelberger ideal and the class number of a multiquadratic field.

    RLWE/PLWE equivalence for the maximal totally real subextension of the $2^r pq$-th cyclotomic field

    We generalise our previous work by giving a polynomial upper bound on the condition number of certain quasi-Vandermonde matrices to establish the equivalence between the RLWE and PLWE problems for the totally real subfield of the cyclotomic fields of conductor $2^r$, $2^r p$ and $2^r pq$ with $r \geq 1$ and $p, q$ arbitrary primes. Moreover, we give some cryptographic motivations for the study of these subfields.

    On the ideal shortest vector problem over random rational primes

    Any ideal in a number field can be factored into a product of prime ideals. In this paper we study the prime ideal shortest vector problem (SVP) in the ring $\mathbb{Z}[x]/(x^{2^n} + 1)$, a popular choice in the design of ideal-lattice-based cryptosystems. We show that a majority of rational primes lie under prime ideals admitting a polynomial time algorithm for SVP. Although the shortest vector problem of ideal lattices underpins the security of Ring-LWE cryptosystems, this work does not break Ring-LWE, since the security reduction is from worst-case ideal SVP to average-case Ring-LWE, and it is one-way.

    Computing $e$-th roots in number fields

    We describe several algorithms for computing $e$-th roots of elements in a number field $K$, where $e$ is an odd prime-power integer. In particular we generalize Couveignes' and Thomé's algorithms, originally designed to compute square roots in the Number Field Sieve algorithm for integer factorization. Our algorithms cover most cases of $e$ and $K$ and allow us to obtain reasonable timings even for large-degree number fields and large exponents $e$. The complexity of our algorithms is better than that of general root-finding algorithms, and our implementation compares well in performance to these algorithms as implemented in well-known computer algebra software. One important application of our algorithms is the saturation phase of the Twisted-PHS algorithm for solving the Ideal-SVP problem over cyclotomic fields in post-quantum cryptography.
    Comment: 9 pages, 4 figures. Associated experimental code provided at https://github.com/ob3rnard/eth-root