Recovering Short Generators of Principal Ideals in Cyclotomic Rings

Léo Ducas, CWI, Amsterdam, The Netherlands
Joint work with Ronald Cramer, Chris Peikert, Oded Regev
Presented at ICERM, Brown University, April 2015

Léo Ducas (CWI, Amsterdam), Recovering Short Generators, ICERM, April 2015, 1 / 29
Recovering Short Generators for Cryptanalysis

A few cryptosystems (Fully Homomorphic Encryption [SV10] and Multilinear Maps [GGH13, LSS14]) share this KeyGen:
- sk: choose a short g in some ring R as a private key
- pk: give a bad Z-basis B of the ideal (g) as a public key (e.g. HNF)

Cryptanalysis in two steps (Key Recovery Attack):
1. Principal Ideal Problem (PIP)
   - Given a Z-basis B of a principal ideal I,
   - Recover some generator h (i.e. I = (h))
2. Short Generator Problem
   - Given an arbitrary generator $h \in R$ of I
   - Recover g (or some $g'$ equivalently short)
Cost of those two steps

1. Principal Ideal Problem (PIP)
   - sub-exponential time ($2^{\tilde O(n^{2/3})}$) classical algorithm [BF14, Bia14].
   - progress toward a quantum polynomial time algorithm [EHKS14, BS15, CGS14].
2. Short Generator Problem
   - equivalent to the CVP in the log-unit lattice
   - becomes a BDD problem in the crypto cases.
   - claimed to be easy [CGS14] in the cyclotomic case $m = 2^k$
   - confirmed by experiments [Sch15]

This Work [CDPR15]
We focus on step 2, and prove it can be solved in classical polynomial time for the aforementioned cryptanalytic instances, when the ring R is the ring of integers of the cyclotomic number field $K = \mathbb{Q}(\zeta_m)$ for $m = p^k$.
Overview
1. Introduction
2. Preliminary
3. Geometry of Cyclotomic Units
4. Shortness of Log g
The Logarithmic Embedding

Let K be a number field of degree n, $\sigma_1, \dots, \sigma_n : K \hookrightarrow \mathbb{C}$ be its embeddings, and let R be its ring of integers. The logarithmic embedding is defined as
$$\mathrm{Log} : K \to \mathbb{R}^n, \qquad x \mapsto (\log|\sigma_1(x)|, \dots, \log|\sigma_n(x)|).$$
It induces
- a group morphism from $(K \setminus \{0\}, \cdot)$ to $(\mathbb{R}^n, +)$
- a monoid morphism from $(R \setminus \{0\}, \cdot)$ to $(\mathbb{R}^n, +)$
The Unit Group

Let $R^\times$ denote the multiplicative group of units of R. Let $\Lambda = \mathrm{Log}\, R^\times$. By Dirichlet's Unit Theorem
- the kernel of Log is the cyclic group T of roots of unity of R
- $\Lambda \subset \mathbb{R}^n$ is a lattice of rank $r + c - 1$ (where K has r real embeddings and 2c complex embeddings)

Reduction to CVP
Elements $g, h \in R$ generate the same ideal if and only if $h = g \cdot u$ for some unit $u \in R^\times$. In particular $\mathrm{Log}\, g \in \mathrm{Log}\, h + \Lambda$, and g is the "smallest" generator iff $\mathrm{Log}\, u \in \Lambda$ is a vector "closest" to $\mathrm{Log}\, h$.
Example: Embedding $\mathbb{Z}[\sqrt 2] \hookrightarrow \mathbb{R}^2$
- x-axis: $a + b\sqrt 2 \mapsto a + b\sqrt 2$
- y-axis: $a + b\sqrt 2 \mapsto a - b\sqrt 2$
- component-wise multiplication
- Symmetries induced by
  - mult. by $-1$
  - conjugation $\sqrt 2 \mapsto -\sqrt 2$

[Figure: the image of $\mathbb{Z}[\sqrt 2]$ in the plane, with the points $1$, $\sqrt 2$ and $1 + \sqrt 2$ labelled. Legend: "orthogonal" elements; units (algebraic norm 1); "isonorm" curves.]
Example: Logarithmic Embedding $\mathrm{Log}\, \mathbb{Z}[\sqrt 2]$
- $(\{\bullet\}, +)$ is a sub-monoid of $\mathbb{R}^2$
- $\Lambda = \{\bullet\} \cap$ (the line marked in the figure) is a lattice of $\mathbb{R}^2$, orthogonal to $(1, 1)$
- the intersections $\{\bullet\} \cap$ (the other marked lines) are shifted finite copies of $\Lambda$
- some of these intersections may be empty (e.g. no elements of norm 3 in $\mathbb{Z}[\sqrt 2]$)

[Figure: the points $\mathrm{Log}\, x$ for $x \in \mathbb{Z}[\sqrt 2]$, with the lines parallel to $\Lambda$ marked.]
Reduction modulo $\Lambda = \mathrm{Log}\, \mathbb{Z}[\sqrt 2]^\times$
The reduction mod $\Lambda$ for various fundamental domains.

[Figure: four frames showing the same point set reduced modulo $\Lambda$ with different fundamental domains.]
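The $\mathbb{Z}[\sqrt 2]$ pictures above, worked numerically as an added Python example (this is not code from the talk or from [CDPR15]): the canonical and logarithmic embeddings, the unit lattice $\Lambda = \mathbb{Z} \cdot \mathrm{Log}(1 + \sqrt 2)$ orthogonal to $(1, 1)$, and the reduction of $\mathrm{Log}\, h$ modulo $\Lambda$ that turns a long generator $h = g \cdot u^k$ back into the short one. The secret $g = 4 + \sqrt 2$, the exponent $k = 7$ and the search box in elements_of_norm are constructed values.

```python
import math

SQRT2 = math.sqrt(2)
U = (1, 1)        # fundamental unit u = 1 + sqrt2
U_INV = (-1, 1)   # its inverse -1 + sqrt2, since (1 + sqrt2)(-1 + sqrt2) = 1


def mul(x, y):
    """Multiplication in Z[sqrt2]; elements are pairs (a, b) for a + b*sqrt2."""
    a, b = x
    c, d = y
    return (a * c + 2 * b * d, a * d + b * c)


def norm(x):
    """Algebraic norm a^2 - 2 b^2 = sigma1(x) * sigma2(x)."""
    a, b = x
    return a * a - 2 * b * b


def embed(x):
    """Canonical embedding into R^2: the two real embeddings sqrt2 -> +sqrt2, -sqrt2."""
    a, b = x
    return (a + b * SQRT2, a - b * SQRT2)


def log_embed(x):
    """Logarithmic embedding Log x = (log|sigma1(x)|, log|sigma2(x)|)."""
    return tuple(math.log(abs(s)) for s in embed(x))


def unit_power(k):
    """u^k for the fundamental unit u = 1 + sqrt2; k may be negative."""
    base = U if k >= 0 else U_INV
    result = (1, 0)
    for _ in range(abs(k)):
        result = mul(result, base)
    return result


def elements_of_norm(n, bound):
    """All a + b*sqrt2 with |a|, |b| <= bound and norm n (brute-force box search)."""
    return [(a, b) for a in range(-bound, bound + 1)
            for b in range(-bound, bound + 1) if norm((a, b)) == n]


def recover_short_generator(h):
    """Given any generator h = g * u^k of the ideal (g), reduce Log h modulo
    Lambda = Z * Log u by rounding the coordinate of Log h along Log u
    (RoundOff in one dimension), then divide the recovered unit out.
    Succeeds exactly when the coordinate of Log g along Log u lies in (-1/2, 1/2),
    i.e. when Log g is closer to 0 than to any other point of Lambda."""
    lu = log_embed(U)
    lh = log_embed(h)
    coord = (lh[0] * lu[0] + lh[1] * lu[1]) / (lu[0] ** 2 + lu[1] ** 2)
    k = round(coord)
    return mul(h, unit_power(-k))


if __name__ == "__main__":
    g = (4, 1)                   # constructed short secret generator 4 + sqrt2
    h = mul(g, unit_power(7))    # a long generator of the same ideal: (1294, 915)
    print("Log u =", log_embed(U), " sum =", sum(log_embed(U)))  # orthogonal to (1, 1)
    print("h =", h, " norm =", norm(h), " Log h =", log_embed(h))
    print("recovered generator:", recover_short_generator(h))
    print("elements of norm 3 with |a|,|b| <= 30:", elements_of_norm(3, 30))
```

Recovery succeeds here because the coordinate of $\mathrm{Log}\, g$ along $\mathrm{Log}\, u$ is about 0.42, inside $(-1/2, 1/2)$; this is the BDD condition of the slides in one dimension. When the two embeddings of g differ by more than a factor $1 + \sqrt 2$ the rounding lands on a neighbouring lattice point and the routine returns a different generator of the same ideal, the one whose Log lies closest to the diagonal. Replacing h by $-h$ gives $-g$: the sign is the root of unity in the kernel of Log and cannot be seen from $\mathrm{Log}\, h$.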
Decoding with the RoundOff algorithm

The simplest algorithm [Bab86] to reduce modulo a lattice:

RoundOff(B, t), B a Z-basis of $\Lambda$:
  $v = B \cdot \lfloor (B^\vee)^\top \cdot t \rceil$
  $e = t - v$
  return $(v, e)$

Used as a decoding algorithm, its correctness is characterized by the error e and the dual basis $B^\vee$.

Fact (Correctness of RoundOff)
Let $t = v + e$ for some $v \in \Lambda$. If $\langle b_j^\vee, e \rangle \in [-\tfrac{1}{2}, \tfrac{1}{2})$ for all j, then RoundOff(B, t) = (v, e).
RoundOff in pictures

RoundOff algorithm:
1. use basis B to switch to the lattice $\mathbb{Z}^n$ (multiply by $(B^\vee)^\top$): $t' = (B^\vee)^\top \cdot t$;
2. round each coordinate: $v' = \lfloor t' \rceil$;

[Figure: the target t, its image $t'$ in the coordinate lattice $\mathbb{Z}^n$, and the rounded point $v'$.]
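RoundOff with an explicit dual basis, as an added Python example (not code from the talk or from [Bab86]), using exact rational arithmetic so that the correctness condition of the Fact can be checked exactly. The 2-dimensional basis $b_1 = (3, 1)$, $b_2 = (1, 2)$ and the three error vectors are constructed; the lattice is a generic one, not a log-unit lattice.

```python
from fractions import Fraction
from math import floor


def transpose(M):
    return [list(col) for col in zip(*M)]


def mat_vec(M, x):
    """M . x with exact rational arithmetic (M given as a list of rows)."""
    return [sum(Fraction(a) * Fraction(b) for a, b in zip(row, x)) for row in M]


def inverse(M):
    """Exact inverse of a square matrix by Gauss-Jordan elimination over Q."""
    n = len(M)
    A = [[Fraction(x) for x in row] + [Fraction(int(i == j)) for j in range(n)]
         for i, row in enumerate(M)]
    for col in range(n):
        piv = next(r for r in range(col, n) if A[r][col] != 0)  # raises if singular
        A[col], A[piv] = A[piv], A[col]
        p = A[col][col]
        A[col] = [x / p for x in A[col]]
        for r in range(n):
            if r != col and A[r][col] != 0:
                f = A[r][col]
                A[r] = [x - f * y for x, y in zip(A[r], A[col])]
    return [row[n:] for row in A]


def dual_basis(B):
    """Columns of B are the basis vectors b_j; the columns of B^v = (B^-1)^T are
    the dual vectors b_j^v, characterised by <b_i, b_j^v> = 1 if i == j else 0."""
    return transpose(inverse(B))


def nearest_int(x):
    """The rounding used on the slide, with ties rounded up, matching the
    half-open interval [-1/2, 1/2) in the correctness condition."""
    return floor(x + Fraction(1, 2))


def round_off(B, t):
    """Babai's RoundOff: v = B . round((B^v)^T . t), e = t - v."""
    coords = mat_vec(transpose(dual_basis(B)), t)   # (B^v)^T . t, i.e. B^-1 . t
    v = mat_vec(B, [nearest_int(c) for c in coords])
    e = [Fraction(a) - b for a, b in zip(t, v)]
    return v, e


def decodes_correctly(B, e):
    """Sufficient condition from the slide: <b_j^v, e> in [-1/2, 1/2) for every j."""
    for b_dual in transpose(dual_basis(B)):
        ip = sum(a * Fraction(b) for a, b in zip(b_dual, e))
        if not (Fraction(-1, 2) <= ip < Fraction(1, 2)):
            return False
    return True


# Constructed example: basis vectors b1 = (3, 1) and b2 = (1, 2) as the columns of B.
B = [[3, 1],
     [1, 2]]
V = mat_vec(B, [2, -1])   # the lattice point 2*b1 - b2 = (5, 0)

if __name__ == "__main__":
    # Three errors: two satisfy the condition, the last one (shorter than (1, 1)!) does not.
    for e in ([Fraction(1, 2), Fraction(1, 2)], [1, 1], [0, 1]):
        t = [a + b for a, b in zip(V, e)]
        v, _ = round_off(B, t)
        print("e =", [str(x) for x in e], " condition holds:", decodes_correctly(B, e),
              " recovered v =", [str(x) for x in v], " correct:", v == V)
```

The third error $e = (0, 1)$ is shorter than $(1, 1)$ yet RoundOff decodes it wrongly, returning $v' = (6, 2)$ with error $(-1, -1)$: the dual vector $b_2^\vee = (-1/5, 3/5)$ has inner product $3/5 \notin [-1/2, 1/2)$ with it. This is the point of the Fact: what RoundOff tolerates is governed by the dual basis, not by the Euclidean length of e alone, which is why the choice of basis for $\Lambda$ matters in the following slides.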