Computing Generator in Cyclotomic Integer Rings � 1 � A subfield algorithm for the Principal Ideal Problem in L | ∆ K | 2 and application to the cryptanalysis of a FHE scheme Jean-François Biasse 1 Thomas Espitau 2 Pierre-Alain Fouque 3 Alexandre Gélin 2 Paul Kirchner 4 University of South Florida, Department of Mathematics and Statistics, Tampa, USA Sorbonne Universités, UPMC Paris 6, UMR 7606, LIP6, Paris, France Institut Universitaire de France, Paris, France and Université de Rennes 1, France École Normale Supérieure, Paris, France 2017/05/01 J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings
The Principal Ideal Problem Definition The Principal Ideal Problem (PIP) consists in finding a generator of an ideal, assuming it is principal. J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings
The Principal Ideal Problem Definition The Short Principal Ideal Problem (SPIP) consists in finding a short generator of an ideal, assuming it is principal. J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings
The Principal Ideal Problem Definition The Short Principal Ideal Problem (SPIP) consists in finding a short generator of an ideal, assuming it is principal. Base of several cryptographical schemes ([SV10],[GGH13]) J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings
The Principal Ideal Problem Definition The Short Principal Ideal Problem (SPIP) consists in finding a short generator of an ideal, assuming it is principal. Base of several cryptographical schemes ([SV10],[GGH13]) Two distinct phases: Given the Z -basis of the ideal a = � g � , find a — not 1 necessarily short — generator g ′ = g · u for a unit u . From g ′ , find a short generator of the ideal. 2 J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings
The Principal Ideal Problem Definition The Short Principal Ideal Problem (SPIP) consists in finding a short generator of an ideal, assuming it is principal. Base of several cryptographical schemes ([SV10],[GGH13]) Two distinct phases: Given the Z -basis of the ideal a = � g � , find a — not 1 necessarily short — generator g ′ = g · u for a unit u . From g ′ , find a short generator of the ideal. 2 Campbell, Groves, and Sheperd (2014) found a solution in polynomial time for the second point for power-of-two cyclotomic fields. Cramer, Ducas, Peikert, and Regev (2016) provided a proof and an extension to prime-power cyclotomic fields. J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings
FHE scheme – Smart and Vercauteren PKC 2010 Key Generation: 1 Fix the security parameter N = 2 n . 2 Let F ( X ) = X N + 1 be the polynomial defining the cyclotomic field K = Q ( ζ 2 N ) . 3 Set G ( X ) = 1 + 2 · S ( X ) , √ √ � N � N , 2 for S ( X ) of degree N − 1 with coefficients in − 2 , such that the norm N ( � G ( ζ 2 N ) � ) is prime. 4 Set g = G ( ζ 2 N ) ∈ O K . 5 Return the secret key sk = g and the public key pk = HNF ( � g � ) . J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings
FHE scheme – Smart and Vercauteren PKC 2010 Key Generation: 1 Fix the security parameter N = 2 n . 2 Let F ( X ) = X N + 1 be the polynomial defining the cyclotomic field K = Q ( ζ 2 N ) . 3 Set G ( X ) = 1 + 2 · S ( X ) , √ √ � N � N , 2 for S ( X ) of degree N − 1 with coefficients in − 2 , such that the norm N ( � G ( ζ 2 N ) � ) is prime. 4 Set g = G ( ζ 2 N ) ∈ O K . 5 Return the secret key sk = g and the public key pk = HNF ( � g � ) . Our goal: Recover the secret key from the public key. J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings
Outline of the algorithm 1 Perform a reduction from the cyclotomic field to its totally real subfield, allowing to work in smaller dimension. 2 Then a q -descent makes the size of involved ideals decrease. 3 Collect relations and run linear algebra to construct small ideals and a generator. 4 Eventually run the derivation of the short generator from a bigger one. J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings
Outline of the algorithm 1 Perform a reduction from the cyclotomic field to its totally real subfield, allowing to work in smaller dimension. 2 Then a q -descent makes the size of involved ideals decrease. 3 Collect relations and run linear algebra to construct small ideals and a generator. 4 Eventually run the derivation of the short generator from a bigger one. All the complexities are expressed as a function of the field discriminant ∆ Q ( ζ 2 N ) = N N , for N = 2 n . J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings
Outline of the algorithm 1 Perform a reduction from the cyclotomic field to its totally real subfield, allowing to work in smaller dimension. 2 Then a q -descent makes the size of involved ideals decrease. 3 Collect relations and run linear algebra to construct small ideals and a generator. 4 Eventually run the derivation of the short generator from a bigger one. All the complexities are expressed as a function of the field discriminant ∆ Q ( ζ 2 N ) = N N , for N = 2 n . For instance, L | ∆ K | ( α ) = 2 N α + o (1) . J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings
1. Reduction to the totally real subfield Goal: Halving the dimension of the ambient field Gentry-Szydlo algorithm: Polynomial complexity Input: a Z -basis of I = � u � u · ¯ and u Output: the generator u J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings
1. Reduction to the totally real subfield Goal: Halving the dimension of the ambient field Gentry-Szydlo algorithm: Polynomial complexity Input: a Z -basis of I = � u � u · ¯ and u Output: the generator u Problem: no information about g · ¯ ( g is the private key) g J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings
1. Reduction to the totally real subfield Goal: Halving the dimension of the ambient field Gentry-Szydlo algorithm: Polynomial complexity Input: a Z -basis of I = � u � u · ¯ and u Output: the generator u g − 1 Solution: we introduce u = N ( g ) g ¯ J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings
1. Reduction to the totally real subfield Goal: Halving the dimension of the ambient field Gentry-Szydlo algorithm: Polynomial complexity Input: a Z -basis of I = � u � u · ¯ and u Output: the generator u g − 1 Solution: we introduce u = N ( g ) g ¯ u = N ( g ) 2 Z -basis of � g � = ⇒ Z -basis of � u � and u · ¯ J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings
1. Reduction to the totally real subfield Goal: Halving the dimension of the ambient field Gentry-Szydlo algorithm: Polynomial complexity Input: a Z -basis of I = � u � u · ¯ and u Output: the generator u g − 1 Solution: we introduce u = N ( g ) g ¯ u = N ( g ) 2 Z -basis of � g � = ⇒ Z -basis of � u � and u · ¯ g − 1 and a Z -basis of In the end, we get g · ¯ I + = � g + ¯ g � ⊂ Q ( ζ + ζ − 1 ) J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings
1. Reduction to the totally real subfield Goal: Halving the dimension of the ambient field Gentry-Szydlo algorithm: Polynomial complexity Input: a Z -basis of I = � u � u · ¯ and u Output: the generator u g − 1 Solution: we introduce u = N ( g ) g ¯ u = N ( g ) 2 Z -basis of � g � = ⇒ Z -basis of � u � and u · ¯ g − 1 and a Z -basis of In the end, we get g · ¯ I + = � g + ¯ g � ⊂ Q ( ζ + ζ − 1 ) Once we have a generator for I + , we get one for I by multiplying by 1 g · g − 1 1 + ¯ J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings
2. The q -descent I + = a 0 Input ideal – Norm arbitrary large . . . a 1 a 1 a 1 1 2 n 1 . . . a 2 a 2 a 2 1 2 n 2 . . . a 3 a 3 a 3 1 2 n 3 . . . a l − 1 2 . . . a l a l a l n l 1 J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings
2. The q -descent I + = a 0 Input ideal – Norm arbitrary large � 3 . . . a 1 � a 1 a 1 Initial reduction – Norm: L | ∆ K | 2 1 2 n 1 . . . a 2 a 2 a 2 1 2 n 2 . . . a 3 a 3 a 3 1 2 n 3 . . . a l − 1 2 . . . a l a l a l n l 1 J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings
2. The q -descent I + = a 0 Input ideal – Norm arbitrary large . . . a 1 a 1 a 1 Initial reduction – L | ∆ K | (1) -smooth 1 2 n 1 . . . a 2 a 2 a 2 1 2 n 2 . . . a 3 a 3 a 3 1 2 n 3 . . . a l − 1 2 . . . a l a l a l n l 1 J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings
Recommend
More recommend
