Recovering Short Generators of Principal Ideals in Cyclotomic Rings
Ronald Cramer (University of Leiden, The Netherlands), Léo Ducas (CWI, Amsterdam, The Netherlands), Chris Peikert (University of Michigan, USA), Oded Regev (New York University, USA)
Eurocrypt, May 2016, Vienna, Austria.
Cramer, D., Peikert, Regev (Leiden, CWI, NYU, UM) Recovering Short Generators Eurocrypt, May 2016 1 / 21
Principal ideals in cryptography
Let K be a number field (e.g. $K = \mathbb{Q}(\zeta_m)$) and R its ring of integers ($R = \mathbb{Z}[\zeta_m]$). A few cryptosystems, for example:
◮ Soliloquy [Campbell et al., 2014]
◮ FHE [Smart and Vercauteren, 2010]
◮ Graded encoding schemes [Garg et al., 2013, Langlois et al., 2014]
share this Key Generation procedure.
KeyGen
sk: Choose a "short" g ∈ R as a private key.
pk: Give a bad Z-basis B of the ideal (g) as a public key (e.g. HNF).
Short generator recovery
Cryptanalysis in two steps (Key Recovery Attack):
1 Principal Ideal Problem (PIP)
◮ Given a Z-basis B of a principal ideal I,
◮ Recover some generator h (i.e. I = (h)).
2 Short Generator Problem
◮ Given an arbitrary generator h ∈ R of I,
◮ Recover g (or some g′ equivalently short).
Cost of those two steps
1 Principal Ideal Problem (PIP)
◮ sub-exponential time ($2^{\tilde{O}(n^{2/3})}$) classical algorithm [Biasse and Fieker, 2014, Biasse, 2014].
◮ quantum polynomial time algorithm [Eisenträger et al., 2014, Campbell et al., 2014, Biasse and Song, 2015].
2 Short Generator Problem
◮ equivalent to the CVP in the log-unit lattice;
◮ becomes a BDD problem in the crypto cases;
◮ claimed to be easy [Campbell et al., 2014] for the m-th cyclotomic ring when $m = 2^k$;
◮ confirmed by experiments [Schank, 2015].
This Work
We focus on step 2, and prove it can be solved in classical polynomial time for the aforementioned cryptanalytic instances, when the ring R is the ring of integers of the cyclotomic number field $K = \mathbb{Q}(\zeta_m)$ for $m = p^k$.
Outline
1 Introduction
2 Overview
3 Results and conclusion
The Problem
Short generator recovery: Given h ∈ R, find a small generator g of the ideal (h).
Note that g ∈ (h) is a generator iff g = u · h for some unit $u \in R^\times$. We need to explore the (multiplicative) unit group $R^\times$.
Translation to an additive problem
Take logarithms:
$\mathrm{Log} : g \mapsto (\log|\sigma_1(g)|, \ldots, \log|\sigma_n(g)|) \in \mathbb{R}^n$
where the $\sigma_i$'s are the canonical embeddings $K \to \mathbb{C}$.
The Unit Group and the log-unit lattice
Let $R^\times$ denote the multiplicative group of units of R. Let $\Lambda = \mathrm{Log}\, R^\times$.
Theorem (Dirichlet unit Theorem): $\Lambda \subset \mathbb{R}^n$ is a lattice (of a given rank).
Reduction to a Close Vector Problem
An element g is a generator of (h) if and only if $\mathrm{Log}\, g \in \mathrm{Log}\, h + \Lambda$. Moreover the map Log preserves some geometric information: g is the "smallest" generator iff Log g is the "smallest" in $\mathrm{Log}\, h + \Lambda$.
Example: Embedding $\mathbb{Z}[\sqrt{2}] \hookrightarrow \mathbb{R}^2$
◮ x-axis: $\sigma_1(a + b\sqrt{2}) = a + b\sqrt{2}$
◮ y-axis: $\sigma_2(a + b\sqrt{2}) = a - b\sqrt{2}$
◮ component-wise additions and multiplications
[Figure: the image of $\mathbb{Z}[\sqrt{2}]$ in the plane, with the points 0, 1, $\sqrt{2}$, $1 + \sqrt{2}$ and $-1 + \sqrt{2}$ marked; legend: "orthogonal" elements, units (algebraic norm 1), "isonorm" curves.]
Example: Logarithmic Embedding $\mathrm{Log}\, \mathbb{Z}[\sqrt{2}]$
[Figure: the previous picture mapped through Log, shown in three builds; {•} denotes the set of plotted points and the markers refer to the legend of the previous slide.]
◮ ({•}, +) is a sub-monoid of $\mathbb{R}^2$.
◮ $\Lambda = \{\bullet\} \cap \{\text{units}\}$ is a lattice of $\mathbb{R}^2$, orthogonal to (1, 1).
◮ {•} ∩ {an isonorm curve} are shifted finite copies of Λ.
Reduction modulo $\Lambda = \mathrm{Log}\, \mathbb{Z}[\sqrt{2}]^\times$
The reduction mod Λ for various fundamental domains.
[Figure: the Log picture above, shown in four builds, each with a different fundamental domain of Λ.]
Round-Off Decoding
We also need the fundamental domain to have an efficient reduction algorithm. The simplest one follows:
Round(B, t), for B a basis of Λ:
◮ Return $B \cdot \mathrm{frac}(B^{-1} \cdot t)$.
Used as a decoding algorithm, its correctness is characterized by the error e and the dual basis $B^\vee = B^{-T}$.
Fact [Lenstra, 1982, Babai, 1986]: Suppose t = v + e for some v ∈ Λ. If $\langle b_j^\vee, e \rangle \in [-\tfrac{1}{2}, \tfrac{1}{2})$ for all j, then Round(B, t) = v.
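The $\mathbb{Z}[\sqrt{2}]$ example and the round-off decoder, carried through end to end as an added example (this code is not from the slides or the paper): the units of $\mathbb{Z}[\sqrt{2}]$ are $\pm(1+\sqrt{2})^k$, so Λ has the single basis vector $b = \mathrm{Log}(1+\sqrt{2})$ and round-off is a one-coordinate rounding; `recover_short_generator` divides a generator h by the unit that rounding selects, and `babai_condition_holds` is the Lenstra/Babai condition for this lattice. The integer-pair representation of elements and all function names are my own assumptions.

```python
import math

# Added example (not from the slides): elements a + b*sqrt(2) of R = Z[sqrt(2)] are integer pairs (a, b).
SQRT2 = math.sqrt(2)

def mul(x, y):
    """Exact multiplication in Z[sqrt(2)]."""
    (a, b), (c, d) = x, y
    return (a * c + 2 * b * d, a * d + b * c)

def embed(x):
    """Canonical embeddings sigma_1(a + b sqrt2) = a + b sqrt2 and sigma_2 = a - b sqrt2."""
    a, b = x
    return (a + b * SQRT2, a - b * SQRT2)

def log_embed(x):
    """Log x = (log|sigma_1(x)|, log|sigma_2(x)|) in R^2, for x != 0."""
    return tuple(math.log(abs(s)) for s in embed(x))

# Units are +/-(1+sqrt2)^k, so Lambda = Log R^x = Z*b with b = Log(1+sqrt2) = (L, -L), orthogonal to (1, 1).
U, U_INV = (1, 1), (-1, 1)                 # (sqrt2 + 1)(sqrt2 - 1) = 1
B = log_embed(U)
B_DUAL = tuple(c / (B[0] ** 2 + B[1] ** 2) for c in B)   # b^dual = b / <b, b>

def dot(x, y):
    return x[0] * y[0] + x[1] * y[1]

def round_off(t):
    """Round-off against Lambda: returns (k, e) with t = k*b + e and <b^dual, e> in [-1/2, 1/2)."""
    c = dot(B_DUAL, t)                      # the coordinate B^{-1} t (a single real here)
    k = math.floor(c + 0.5)
    return k, (t[0] - k * B[0], t[1] - k * B[1])   # e = B * frac(B^{-1} t)

def unit_power(k):
    """(1+sqrt2)^k for any integer k, computed exactly."""
    r, base = (1, 0), (U if k >= 0 else U_INV)
    for _ in range(abs(k)):
        r = mul(r, base)
    return r

def recover_short_generator(h):
    """Return h / u^k: the generator of (h) whose Log is the round-off representative of Log h + Lambda."""
    k, _ = round_off(log_embed(h))
    return mul(h, unit_power(-k))

def babai_condition_holds(g):
    """Lenstra/Babai fact here: decoding h = g*u^k returns g iff |log|sigma_1(g)| - log|sigma_2(g)|| < log(1+sqrt2)."""
    return abs(dot(B_DUAL, log_embed(g))) < 0.5
```

Signs are invisible to Log, so the recovered generator is g up to sign; g = 3 + √2 fails the condition and round-off returns the equally short generator −1 + 2√2 instead.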
Recovering Short Generator: Proof Plan
Folklore strategy [Bernstein, 2014, Campbell et al., 2014] to recover a short generator g:
1 Construct a basis B of the unit-log lattice $\mathrm{Log}\, R^\times$
◮ For $K = \mathbb{Q}(\zeta_m)$, $m = p^k$, an (almost¹) canonical basis is given by $b_j = \mathrm{Log}\, \frac{1 - \zeta^j}{1 - \zeta}$, $j \in \{2, \ldots, m/2\}$, j co-prime with m.
2 Prove that the basis is "good", that is, the $\|b_j^\vee\|$ are all small.
3 Prove that e = Log g is small enough.
Technical contributions
◮ (step 2) Estimate $\|b_j^\vee\|$ precisely using analytic tools [Washington, 1997, Landau, 1927].
◮ (step 3) Bound e using the theory of sub-exponential random variables [Vershynin, 2012].
¹ It only spans a super-lattice of finite index $h^+$, which is conjectured to be small.
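The basis $b_j$ of the proof plan and the dual vectors $b_j^\vee$ whose norms step 2 bounds, computed numerically for small prime-power m as an added example (not the authors' code): `log_unit_basis` evaluates $(1-\zeta^j)/(1-\zeta)$ under every embedding $\sigma_i$, and `round_off_coordinates` gives the numbers $\langle b_j^\vee, \mathrm{Log}\, g\rangle$ that the Lenstra/Babai fact compares with 1/2. The helper names, the coefficient-list representation of elements of $\mathbb{Z}[\zeta_m]$ and the Gauss-Jordan inverse are assumptions of this example; the Gram-matrix formula for the dual basis is the standard one, not anything specific to the paper.

```python
import cmath, math

# Added example (not from the slides): cyclotomic unit basis b_j and its dual basis B^dual = B (B^T B)^{-1}.
def embedding_indices(m):
    """i with gcd(i, m) = 1; the embedding sigma_i sends zeta_m to zeta_m^i."""
    return [i for i in range(1, m) if math.gcd(i, m) == 1]

def log_embed(m, coeffs):
    """Log g for g = sum_k coeffs[k] * zeta_m^k: the vector (log|sigma_i(g)|)_i over all embeddings."""
    w = cmath.exp(2j * cmath.pi / m)
    return [math.log(abs(sum(c * w ** (i * k) for k, c in enumerate(coeffs))))
            for i in embedding_indices(m)]

def log_unit_basis(m):
    """b_j = Log((1 - zeta^j) / (1 - zeta)) for j in {2..m/2}, gcd(j, m) = 1 (m a prime power)."""
    w = cmath.exp(2j * cmath.pi / m)
    return [[math.log(abs((1 - w ** (i * j)) / (1 - w ** i))) for i in embedding_indices(m)]
            for j in range(2, m // 2 + 1) if math.gcd(j, m) == 1]

def dot(x, y):
    return sum(a * b for a, b in zip(x, y))

def invert(a):
    """Gauss-Jordan inverse of a small square matrix given as a list of rows (assumed non-singular)."""
    n = len(a)
    aug = [row[:] + [float(i == k) for k in range(n)] for i, row in enumerate(a)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(aug[r][c]))   # partial pivoting
        aug[c], aug[p] = aug[p], aug[c]
        aug[c] = [v / aug[c][c] for v in aug[c]]
        for r in range(n):
            if r != c:
                aug[r] = [v - aug[r][c] * u for v, u in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]

def dual_basis(B):
    """Vectors b_j^dual in span(B) with <b_j^dual, b_k> = delta_jk (the slides' B^dual)."""
    ginv = invert([[dot(bj, bk) for bk in B] for bj in B])
    return [[sum(ginv[j][k] * B[k][i] for k in range(len(B))) for i in range(len(B[0]))]
            for j in range(len(B))]

def dual_norms(m):
    """The quantities ||b_j^dual|| of step 2: their size decides whether round-off decoding succeeds."""
    return [math.sqrt(dot(v, v)) for v in dual_basis(log_unit_basis(m))]

def round_off_coordinates(m, g_coeffs):
    """<b_j^dual, Log g> for each j; decoding from h = g*u recovers g iff all lie in [-1/2, 1/2)."""
    e = log_embed(m, g_coeffs)
    return [dot(v, e) for v in dual_basis(log_unit_basis(m))]
```

For m = 8 the single basis vector is ±log(1+√2) on the four embeddings, so ‖b_3^∨‖ = 1/(2 log(1+√2)), consistent with the $\mathbb{Z}[\sqrt{2}]$ picture; `round_off_coordinates(8, [1, 1, 1])` returns [1.0] because 1 + ζ + ζ² is the unit (1 − ζ³)/(1 − ζ) itself.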
Results and conclusion
Geometric statement from Analytic Number Theory
Theorem ([Landau, 1927]): If χ is a non-quadratic Dirichlet character of conductor f, then $|L(1, \chi)| \geq 1 / O(\log f)$.