Efficient quantum algorithms for computing class groups and solving the principal ideal problem in arbitrary degree number fields

124

Abstract. Several ideal-lattice-based cryptosystems have been broken by recent attacks that exploit special structures of the rings used in those cryptosystems. The same structures are also used in the leading proposals for post-quantum lattice-based cryptography, including the classic NTRU cryptosystem and typical Ring-LWE-based cryptosystems. This paper (1) proposes NTRU Prime, which tweaks NTRU to use rings without these structures; (2) proposes Streamlined NTRU Prime, a public-key cryptosystem optimized from an implementation perspective, subject to the standard design goal of IND-CCA2 security; (3) finds high-security post-quantum parameters for Streamlined NTRU Prime; and (4) optimizes a constant-time implementation of those parameters. The resulting sizes and speeds show that reducing the attack surface has very low cost.

Section: Choosing Haswell Multiplication Instructionsmentioning

confidence: 99%

NTRU Prime: Reducing Attack Surface at Low Cost

Bernstein

Chuengsatiansup

Lange

et al. 2017

124

“…Sections 6.2 and 6.3 then prove upper and lower bounds on these covering radii. In fact, the proofs demonstrate more: the lower bound holds for "almost all" principal ideals, and the upper bound is algorithmic in the following sense: given an arbitrary generator (which can be found using the quantum PIP algorithm of [BS15,BS16]), we can efficiently find a generator satisfying the bound, which in particular is a exp(Õ( √ m))-approximate shortest vector in the ideal. Throughout this section we let m > 2 be a prime power, and let n := |G| = ϕ(m)/2 = Θ(m).…”

Section: Shortest Generators Of Principal Ideals and An Svp Algorithmmentioning

confidence: 99%

Recovering Short Generators of Principal Ideals in Cyclotomic Rings

Cramer

Ducas

Peikert

et al. 2016

100

104

A handful of recent cryptographic proposals rely on the conjectured hardness of the following problem in the ring of integers of a cyclotomic number field: given a basis of a principal ideal that is guaranteed to have a "rather short" generator, find such a generator. Recently, Bernstein and Campbell-Groves-Shepherd sketched potential attacks against this problem; most notably, the latter authors claimed a polynomial-time quantum algorithm. (Alternatively, replacing the quantum component with an algorithm of Biasse and Fieker would yield a classical subexponential-time algorithm.) A key claim of Campbell et al. is that one step of their algorithm-namely, decoding the log-unit lattice of the ring to recover a short generator from an arbitrary one-is classically efficient (whereas the standard approach on general lattices takes exponential time). However, very few convincing details were provided to substantiate this claim.In this work, we clarify the situation by giving a rigorous proof that the log-unit lattice is indeed efficiently decodable, for any cyclotomic of prime-power index. Combining this with the quantum algorithm from a recent work of Biasse and Song confirms the main claim of Campbell et al. Our proof consists of two main technical contributions: the first is a geometrical analysis, using tools from analytic number theory, of the standard generators of the group of cyclotomic units. The second shows that for a wide class of typical distributions of the short generator, a standard lattice-decoding algorithm can recover it, given any generator.By extending our geometrical analysis, as a second main contribution we obtain an efficient algorithm that, given any generator of a principal ideal (in a prime-power cyclotomic), finds a 2Õ ( √ n) -approximate shortest vector in the ideal. Combining this with the result of Biasse and Song yields a quantum polynomial-time algorithm for the 2Õ ( √ n) -approximate Shortest Vector Problem on principal ideal lattices.

“…Despite those two serious obstacles to attack Ring-LWE based schemes by the algebraic approach developed in [CGS14,BS16,CDPR16] and in this paper, it seems a reasonable precaution to start considering weaker structured lattice assumptions, such as Module-LWE [LS15] (i.e., an "unusually-Short Vector Problem" in a module of larger rank over a smaller ring), which provides an intermediate problem between ring-LWE and general LWE.…”

Section: Impact Open Questions and Recommendationsmentioning

confidence: 98%

“…[CGS14, CDPR16,BS16] B K Z For principal ideals of cyclotomic rings (of prime-power conductor), the aforementioned results give a quantum polynomial runtime (i.e., t = 0) for any a ≥ 1/2. Approximation factors used in cryptography are typically between polynomial poly(n) and quasi-polynomial exp(polylog(n)).…”

Section: Fhe [Bv11]mentioning

confidence: 99%

See 1 more Smart Citation

Short Stickelberger Class Relations and Application to Ideal-SVP

Cramer

Ducas

Wesolowski

2017

Abstract. The hardness of finding short vectors in ideals of cyclotomic number fields (Ideal-SVP) serves as the worst-case hypothesis underlying the security of numerous cryptographic schemes, including key-exchange, public-key encryption and fully-homomorphic encryption. A series of recent works has shown that, for large approximation factors, Principal Ideal-SVP is not as hard as finding short vectors in general lattices. Namely, there exists a quantum polynomial time algorithm for an approximation factor of exp(Õ( √ n)), even in the worst-case. Some schemes were broken, but more generally this exposed an unexpected hardness gap between general lattices and some structured ones, and called into question the exact security of various assumption over structured lattices.In this work, we generalize the previous result to general ideals. We show an efficient way of finding a close enough principal multiple of any ideal by exploiting the classical theorem that, in our setting, the class-group is annihilated by the (Galois-module action of) the so-called Stickelberger ideal. Under some plausible number-theoretical hypothesis, we conclude that worstcase Ideal-SVP in this same set-up -choice of ring, and approximation factor exp(Õ( √ n)) -is also solvable in quantum polynomial time. Although it is not yet clear whether the security of further cryptosystems is directly affected, we contribute novel ideas to the cryptanalysis of schemes based on structured lattices. Moreover, our result shows a deepening of the gap between general lattices and structured one.