Recovering Short Generators of Principal Ideals in Cyclotomic Fields of Conductor $p^\alpha q^\beta$
Patrick Holzer, Thomas Wunderer, Johannes Buchmann
Recovering Short Generators | Thomas Wunderer | 1
Contents
◮ Introduction
◮ Preliminaries
◮ Algorithmic Approach
◮ Index
◮ Norm
◮ Conclusion
Introduction: Lattice-based cryptography
◮ Lattice-based crypto is assumed to be post-quantum secure.
◮ Based on well-known lattice problems such as the shortest vector problem (SVP).
◮ To boost efficiency, special lattices such as ideal lattices are used.
◮ Ideal lattices correspond to fractional ideals in algebraic number fields.
◮ Some schemes (e.g., [SV10] and [GGH13]) use principal ideals with short generators.
◮ To break those schemes, one needs to solve the short generator principal ideal problem (SG-PIP).
Introduction: The SG-PIP
Let $K$ be an algebraic number field. The SG-PIP is defined as follows:
◮ Given: a $\mathbb{Z}$-basis of some principal fractional ideal $\mathfrak{a} \subseteq K$ that has some "short" generator $g$.
◮ Task: recover some shortest generator of $\mathfrak{a}$.
Introduction: Strategy
The folklore approach is to solve the SG-PIP in two steps:
1. Recover some arbitrary generator of the ideal; this is known as the principal ideal problem (PIP).
   ◮ Solvable in polynomial time on quantum computers for any number field due to Biasse and Song.
2. Transform this generator into some shortest generator.
   ◮ Solvable in polynomial time for cyclotomic fields $\mathbb{Q}(\zeta_m)$ of conductor $m = p^\alpha$ due to Cramer, Ducas, Peikert, and Regev [CDPR16].
→ Our work: task 2 for cyclotomic fields $\mathbb{Q}(\zeta_m)$ of conductor $m = p^\alpha q^\beta$.
Preliminaries: Cyclotomic Fields
Let $\zeta_m = \exp(2\pi i/m) \in \mathbb{C}$ be a primitive $m$-th root of unity, i.e., $\zeta_m^m = 1$.
◮ The $m$-th cyclotomic field is $K_m = \mathbb{Q}(\zeta_m) \subseteq \mathbb{C}$. Example: $\dfrac{3\zeta_3^2 + 1}{3 + \zeta_3} - \dfrac{8}{2\zeta_3^2} \in K_3$.
◮ The ring of integers $\mathcal{O}_m$ of $K_m$ is given by $\mathcal{O}_m = \mathbb{Z}[\zeta_m]$. Example: $\zeta_7^5 + 6\zeta_7^3 + 2\zeta_7 + 5 \in \mathbb{Z}[\zeta_7]$.
◮ The set of all units of $\mathcal{O}_m$ is denoted by $\mathcal{O}_m^\times$.
Preliminaries: Principal Ideals
◮ A principal fractional ideal of $K_m$: $\langle g \rangle = g \cdot \mathcal{O}_m = \{\, g \cdot z \mid z \in \mathcal{O}_m \,\}$ for some $g \in K_m$.
◮ Fact: if $\langle g \rangle = \langle g' \rangle$, then $g = g' \cdot u$ for some $u \in \mathcal{O}_m^\times$.
Preliminaries: Logarithmic Embedding
Let $n = \varphi(m) = 2s$ and $m \ge 3$. The complex embeddings of $K_m$ are $\sigma_1, \bar\sigma_1, \ldots, \sigma_s, \bar\sigma_s : K_m \to \mathbb{C}$, where $\sigma_i(\zeta_m) = \zeta_m^j$ for some $j \in \mathbb{Z}_m^\times$. The logarithmic embedding is
$$\mathrm{Log} : K_m^\times \to \mathbb{R}^s, \qquad \alpha \mapsto \big(\log(|\sigma_1(\alpha)|), \ldots, \log(|\sigma_s(\alpha)|)\big).$$
→ $\mathrm{Log}(\mathcal{O}_m^\times)$ is a lattice in $\mathbb{R}^s$ of rank $s - 1$!
Preliminaries: Shortest Generator
Let $\mathfrak{a} = \langle g \rangle \subset K_m$. An element $g' \in K_m$ is called a shortest generator of $\mathfrak{a}$ if
◮ $\langle g' \rangle = \mathfrak{a}$ and
◮ $\|\mathrm{Log}(g')\|_2 = \min_{f \in K_m,\ \langle f \rangle = \mathfrak{a}} \|\mathrm{Log}(f)\|_2 = \min_{u \in \mathcal{O}_m^\times} \|\mathrm{Log}(g \cdot u)\|_2$.
Algorithmic Approach: Idea
◮ Let $g' = gu$ be a shortest generator of $\langle g \rangle = \mathfrak{a} \subset K_m$ for some $u \in \mathcal{O}_m^\times$.
◮ Hence $\mathrm{Log}(g') = \mathrm{Log}(g) + \mathrm{Log}(u)$ and $\mathrm{Log}(g) \in \mathrm{Log}(\mathcal{O}_m^\times) + \mathrm{Log}(g')$.
◮ Since $\mathrm{Log}(g')$ is short, $\mathrm{Log}(g)$ is a lattice point ($-\mathrm{Log}(u)$) plus a short error: this is a CVP problem.
◮ Solve CVP in the lattice $\mathrm{Log}(\mathcal{O}_m^\times)$ (or in some small-index subgroup).
[Figure: the vectors $\mathrm{Log}(g)$, $\mathrm{Log}(u)$ and $\mathrm{Log}(g')$ in the log-unit lattice]
Algorithmic Approach: CVP Algorithm: Round-off
Algorithm 1
Input: $B$, $t$.
Output: close(st) vector $v \in L$ to $t$.
  $a \leftarrow \lfloor (B^*)^T \cdot t \rceil$
  $v \leftarrow B \cdot a$
  return $(v, a)$
Here $B$ is a basis of the lattice $\Gamma = L(B)$ and $B^*$ denotes its dual basis. On input $t := v + e \in \mathbb{R}^n$ for $v \in L(B)$ and (small) error $e \in \mathbb{R}^n$, the algorithm outputs $v$ if $\langle b_j^*, e \rangle \in [-\tfrac{1}{2}, \tfrac{1}{2})$ for all $j$.
→ Needs a sufficiently good basis (short dual vectors).
Algorithmic Approach: CVP
[Figure: Round-off Algorithm, showing $(B^*)^T t$ rounded to the coefficient vector of $v$]
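As an added illustration (not code from the slides), the round-off algorithm above in exact rational arithmetic, run on a constructed two-dimensional instance: two bases of the same lattice $\mathbb{Z}^2$, one with short dual vectors and one whose dual vector $(1, -4)$ is long, so the same small error $e$ already violates the $[-\tfrac12, \tfrac12)$ condition and the rounding returns a wrong lattice point.

```python
from fractions import Fraction
from math import floor

def inverse(M):
    """Exact inverse of an invertible square matrix (list of rows), Gauss-Jordan over Q."""
    n = len(M)
    A = [[Fraction(x) for x in row] + [Fraction(int(i == j)) for j in range(n)]
         for i, row in enumerate(M)]
    for c in range(n):
        piv = next(r for r in range(c, n) if A[r][c] != 0)
        A[c], A[piv] = A[piv], A[c]
        A[c] = [x / A[c][c] for x in A[c]]
        for r in range(n):
            if r != c and A[r][c] != 0:
                A[r] = [x - A[r][c] * y for x, y in zip(A[r], A[c])]
    return [row[n:] for row in A]

def dual_basis(basis):
    """Dual vectors b*_j of a full-rank basis b_1..b_n (<b*_j, b_i> = 1 if i == j else 0).
    With B the matrix whose columns are the b_j, (B*)^T = B^{-1}: the b*_j are its rows."""
    n = len(basis)
    B = [[Fraction(basis[j][i]) for j in range(n)] for i in range(n)]
    return inverse(B)

def round_off(basis, t):
    """Round-off from the slide: a = round((B*)^T t), v = B a; returns (v, a)."""
    dual = dual_basis(basis)
    t = [Fraction(x) for x in t]
    coeffs = [sum(d * x for d, x in zip(b_star, t)) for b_star in dual]  # <b*_j, t>
    a = [floor(c + Fraction(1, 2)) for c in coeffs]  # nearest integer; [-1/2, 1/2) -> 0
    v = [sum(a[j] * basis[j][i] for j in range(len(basis))) for i in range(len(t))]
    return v, a

def recovers(basis, e):
    """The slide's sufficient condition: <b*_j, e> in [-1/2, 1/2) for every dual vector."""
    e = [Fraction(x) for x in e]
    return all(-Fraction(1, 2) <= sum(d * x for d, x in zip(b_star, e)) < Fraction(1, 2)
               for b_star in dual_basis(basis))

if __name__ == "__main__":
    # Constructed example: two bases of the same lattice Z^2. The second one has the
    # long dual vector (1, -4), so the same small error e already breaks the rounding.
    good, bad = [[1, 0], [0, 1]], [[1, 0], [4, 1]]
    v, e = [2, 5], [Fraction(3, 10), Fraction(3, 10)]
    t = [x + y for x, y in zip(v, e)]               # t = v + e
    print(round_off(good, t)[0], recovers(good, e))  # [2, 5] True
    print(round_off(bad, t)[0], recovers(bad, e))    # [1, 5] False
```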
Algorithmic Approach: Recovering a Shortest Generator
What is left:
1. Construct a basis $B$ of a sublattice $L \subset \Gamma = \mathrm{Log}(\mathcal{O}_m^\times)$.
2. Show that the index $[\Gamma : L]$ is small.
3. Show that $\|b_j^*\|_2$ is small enough to guarantee $\langle b_j^*, \mathrm{Log}(g') \rangle \in [-\tfrac{1}{2}, \tfrac{1}{2})$.
Algorithmic Approach: Subgroups of $\mathcal{O}_m^\times$
We consider the following subgroups of $\mathcal{O}_m^\times$. For $j \in \mathbb{Z}_m^\times \setminus \{\pm 1\}$ let
$$b_j := \frac{\zeta_m^j - 1}{\zeta_m - 1} \in \mathcal{O}_m^\times.$$
◮ For $m = p^\alpha$: consider the subgroup $C_m$ generated by the $b_j$'s.
◮ For $m = p^\alpha q^\beta$: consider the subgroup $S_m$ generated by the $b_j$'s and $\pm\zeta_m$.
Index: The case $m = p^\alpha$ as in [CDPR16]
Let $m = p^\alpha$. Fact: the index of $C_m \subset \mathcal{O}_m^\times$ is given by $h_m^+ = [\mathcal{O}_m^\times : C_m]$, where $h_m^+$ is the class number of $K_m^+ = \mathbb{Q}(\zeta_m + \bar\zeta_m)$.
1. We need $h_m^+$ to be small.
2. Weber's class number problem: it is conjectured that $h_{2^l}^+ = 1$ for all $l \in \mathbb{N}$.
3. Conjectured: for every prime $p$ there exists a constant $c_p$ such that $h_{p^l}^+ \le c_p$ for all $l \in \mathbb{N}$.
→ In the prime-power case, the index is small enough.
Index: The case $m = p^\alpha q^\beta$
◮ More complicated for $m = p^\alpha q^\beta$.
◮ Let $G_m = \mathbb{Z}_m^\times / \{\pm 1\}$ and set
$$\beta_m := \prod_{\substack{\chi \in \widehat{G_m} \\ \chi \not\equiv 1}} \ \prod_{\substack{p \mid m \\ p \in \mathbb{P}}} \big(1 - \chi(p)\big).$$
◮ If $m$ is not a prime power:
$$[\mathcal{O}_m^\times : S_m] = \begin{cases} 2\, h_m^+ \beta_m & \text{if } 2\, h_m^+ \beta_m \ne 0, \\ \infty & \text{otherwise.} \end{cases}$$
◮ Cohen-Lenstra heuristics and computations suggest that $h_m^+$ is polynomial in $m$.
Evaluating $\beta_m$ leads to the new notion of generator prime pairs.
Index if $m = p^\alpha q^\beta$: Generator Prime Pairs
Definition 1. Let $\alpha, \beta \in \mathbb{N}$ and $p, q \in \mathbb{P} \setminus \{2\}$ be distinct. Then $(p, q)$ is called an $(\alpha, \beta)$-generator prime pair (GPP) if:
i)
  ◮ If $q - 1 \equiv 0 \bmod 4$: $\langle p \rangle = \mathbb{Z}_{q^\beta}^\times$.
  ◮ If $q - 1 \not\equiv 0 \bmod 4$: $\langle p \rangle = \mathbb{Z}_{q^\beta}^\times$ or $[\mathbb{Z}_{q^\beta}^\times : \langle p \rangle] = 2$.
And ii)
  ◮ If $p - 1 \equiv 0 \bmod 4$: $\langle q \rangle = \mathbb{Z}_{p^\alpha}^\times$.
  ◮ If $p - 1 \not\equiv 0 \bmod 4$: $\langle q \rangle = \mathbb{Z}_{p^\alpha}^\times$ or $[\mathbb{Z}_{p^\alpha}^\times : \langle q \rangle] = 2$.
If $(p, q)$ is an $(\alpha, \beta)$-GPP for every $\alpha, \beta \in \mathbb{N}$, we call $(p, q)$ a generator prime pair (GPP).
Index if $m = p^\alpha q^\beta$: Generator Prime Pairs
Some facts about GPPs:
◮ If $(p, q)$ is an $(\alpha, \beta)$-GPP and $\beta \ge 2$, then $(p, q)$ is an $(\alpha, l)$-GPP for all $l \in \mathbb{N}$.
◮ In particular, $(p, q)$ is a GPP iff it is a $(2, 2)$-GPP.
◮ Experiments suggest that ≈ 36% of all odd prime pairs are GPPs.
Figure: Generator prime pairs $(p, q)$ (four pairs per column of the original table):
p = 3:  q = 5, 7, 23, 29
p = 5:  q = 17, 23, 37, 47
p = 7:  q = 11, 17, 23, 47
p = 11: q = 13, 17, 29, 31
p = 13: q = 37, 41, 59, 67
p = 17: q = 23, 31, 37, 41
p = 19: q = 23, 29, 41, 47
Index if $m = p^\alpha q^\beta$: The factor $\beta_m$
Theorem 2. Let $p, q$ be two distinct odd primes and $m = p^\alpha q^\beta$ for some $\alpha, \beta \in \mathbb{N}$. Then
$$\beta_m = \prod_{\substack{\chi \in \widehat{G_m} \\ \chi \not\equiv 1}} \ \prod_{\substack{t \mid m \\ t \in \mathbb{P}}} \big(1 - \chi(t)\big) \ne 0 \quad \text{iff} \quad (p, q) \text{ is an } (\alpha, \beta)\text{-generator prime pair}.$$
Theorem 3. If $(p, q)$ is an $(\alpha, \beta)$-generator prime pair and $m = p^\alpha q^\beta$ for some $\alpha, \beta \in \mathbb{N}$, then
$$\beta_m = \prod_{\substack{\chi \in \widehat{G_m} \\ \chi \not\equiv 1}} \ \prod_{\substack{t \mid m \\ t \in \mathbb{P}}} \big(1 - \chi(t)\big) = \frac{\varphi(m)}{4}.$$
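As an added example (not the authors' code), a direct check of Definition 1 by computing the indices $[\mathbb{Z}_{q^\beta}^\times : \langle p \rangle]$ and $[\mathbb{Z}_{p^\alpha}^\times : \langle q \rangle]$, and a brute-force evaluation of $\beta_m$ from Theorems 2 and 3 over the even Dirichlet characters mod $m$, so that the two can be compared on the pairs of the table above. Character values are built from a primitive root of each prime-power factor (my construction, assumed here; the slides only state the product formula), and a character with a nontrivial $p$-part is treated as primitive, i.e., $\chi(p) = 0$.

```python
import cmath
from math import gcd

def phi_pp(r, e):
    """Euler's phi of the prime power r^e."""
    return (r - 1) * r ** (e - 1)

def mult_order(a, n):
    """Multiplicative order of a mod n, gcd(a, n) = 1 (brute force; the moduli here are small)."""
    k, x = 1, a % n
    while x != 1:
        x, k = (x * a) % n, k + 1
    return k

def is_gpp(p, q, alpha, beta):
    """Definition 1: is (p, q) an (alpha, beta)-generator prime pair?"""
    idx_p = phi_pp(q, beta) // mult_order(p, q ** beta)   # [Z_{q^beta}^x : <p>]
    idx_q = phi_pp(p, alpha) // mult_order(q, p ** alpha)  # [Z_{p^alpha}^x : <q>]
    ok_p = idx_p == 1 or (q % 4 != 1 and idx_p == 2)      # index 2 only allowed if q-1 != 0 mod 4
    ok_q = idx_q == 1 or (p % 4 != 1 and idx_q == 2)
    return ok_p and ok_q

def dlog(g, x, n):
    """Smallest k with g^k = x mod n (brute force)."""
    k, y = 0, 1
    while y != x % n:
        y, k = (y * g) % n, k + 1
    return k

def beta_m(p, q, alpha, beta):
    """beta_m from Theorem 2, as a float: product over the non-trivial characters chi of
    G_m = Z_m^x/{+-1} (the even characters of Z_m^x) of (1 - chi(p))(1 - chi(q)), where chi
    is taken primitive, so chi(p) = 0 whenever p divides the conductor of chi."""
    n_p, n_q = p ** alpha, q ** beta
    f_p, f_q = phi_pp(p, alpha), phi_pp(q, beta)
    g_p = next(g for g in range(2, n_p) if gcd(g, n_p) == 1 and mult_order(g, n_p) == f_p)
    g_q = next(g for g in range(2, n_q) if gcd(g, n_q) == 1 and mult_order(g, n_q) == f_q)
    k_p, k_q = dlog(g_q, p, n_q), dlog(g_p, q, n_p)  # p = g_q^k_p mod q^beta, q = g_p^k_q mod p^alpha
    total = 1
    for s in range(f_p):          # chi = chi_p^s * chi_q^t with chi_p(g_p) = exp(2 pi i / f_p), etc.
        for t in range(f_q):
            if (s, t) == (0, 0) or (s + t) % 2:   # skip the trivial and the odd characters
                continue
            chi_p = cmath.exp(2j * cmath.pi * t * k_p / f_q) if s == 0 else 0
            chi_q = cmath.exp(2j * cmath.pi * s * k_q / f_p) if t == 0 else 0
            total *= (1 - chi_p) * (1 - chi_q)
    return total.real
```

For a (2,2)-GPP such as (3, 5) the product comes out as $\varphi(225)/4 = 30$, and for (3, 11), which is a (1,1)-GPP but fails for $\beta = 2$ because $3^5 \equiv 1 \bmod 121$, it vanishes.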
Index if $m = p^\alpha q^\beta$: The factor $\beta_m$
[Figure: The factor $\beta_m$ for $m = p^\alpha q^\beta$ with two odd primes $p, q$]
Norm Bound: $m = p^\alpha$ as in [CDPR16]
Prime-power case studied by Cramer, Ducas, Peikert and Regev:
Theorem 4. If $m = p^\alpha$, then
$$\|\mathrm{Log}(b_j)^*\|_2^2 \in O\!\left(\frac{\log^3 m}{m}\right).$$
→ sufficiently short to solve CVP.
Norm Bound: $m = p^\alpha q^\beta$
More complicated for $m = p^\alpha q^\beta$. We derived the following result:
Theorem 5. Let $(p, q)$ be an $(\alpha, \beta)$-generator prime pair, and $m := p^\alpha q^\beta$. Then
$$\|b_j^*\|_2^2 \le \frac{15\,C}{m} \cdot \left( \frac{15\alpha\beta + 55(\alpha + \beta)}{2} + \frac{5\beta}{12\,p^\alpha} + \frac{5\alpha}{12\,q^\beta} \right) + \frac{C^2 \log^2(m)}{8m}$$
holds for some universal constant $C > 0$ (i.e., $C$ is independent of $m$).
→ Sufficiently short under some conditions on $\alpha, \beta$.