Computing Generator in Cyclotomic Integer Rings 1 A subfield - - PowerPoint PPT Presentation

Computing Generator in Cyclotomic Integer Rings

A subfield algorithm for the Principal Ideal Problem in L|∆K| 1

2

• and application to the cryptanalysis of a FHE scheme

Jean-François Biasse1 Thomas Espitau2 Pierre-Alain Fouque3 Alexandre Gélin2 Paul Kirchner4

University of South Florida, Department of Mathematics and Statistics, Tampa, USA Sorbonne Universités, UPMC Paris 6, UMR 7606, LIP6, Paris, France Institut Universitaire de France, Paris, France and Université de Rennes 1, France École Normale Supérieure, Paris, France

2017/05/01

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

The Principal Ideal Problem

Definition The Principal Ideal Problem (PIP) consists in finding a generator of an ideal, assuming it is principal.

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

The Principal Ideal Problem

Definition The Short Principal Ideal Problem (SPIP) consists in finding a short generator of an ideal, assuming it is principal.

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

The Principal Ideal Problem

Definition The Short Principal Ideal Problem (SPIP) consists in finding a short generator of an ideal, assuming it is principal. Base of several cryptographical schemes ([SV10],[GGH13])

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

The Principal Ideal Problem

Definition The Short Principal Ideal Problem (SPIP) consists in finding a short generator of an ideal, assuming it is principal. Base of several cryptographical schemes ([SV10],[GGH13]) Two distinct phases:

1

Given the Z-basis of the ideal a = g, find a — not necessarily short — generator g′ = g · u for a unit u.

2

From g′, find a short generator of the ideal.

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

The Principal Ideal Problem

Definition The Short Principal Ideal Problem (SPIP) consists in finding a short generator of an ideal, assuming it is principal. Base of several cryptographical schemes ([SV10],[GGH13]) Two distinct phases:

1

Given the Z-basis of the ideal a = g, find a — not necessarily short — generator g′ = g · u for a unit u.

2

From g′, find a short generator of the ideal.

Campbell, Groves, and Sheperd (2014) found a solution in polynomial time for the second point for power-of-two cyclotomic fields. Cramer, Ducas, Peikert, and Regev (2016) provided a proof and an extension to prime-power cyclotomic fields.

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

FHE scheme – Smart and Vercauteren PKC 2010

Key Generation:

1 Fix the security parameter N = 2n. 2 Let F(X) = XN + 1 be the polynomial defining the

cyclotomic field K = Q(ζ2N).

3 Set G(X) = 1 + 2 · S(X),

for S(X) of degree N − 1 with coefficients in

• −2

√ N, 2 √ N

, such that the norm N (G(ζ2N)) is prime.

4 Set g = G(ζ2N) ∈ OK. 5 Return the secret key sk = g and the public key

pk = HNF(g).

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

FHE scheme – Smart and Vercauteren PKC 2010

Key Generation:

1 Fix the security parameter N = 2n. 2 Let F(X) = XN + 1 be the polynomial defining the

cyclotomic field K = Q(ζ2N).

3 Set G(X) = 1 + 2 · S(X),

for S(X) of degree N − 1 with coefficients in

• −2

√ N, 2 √ N

, such that the norm N (G(ζ2N)) is prime.

4 Set g = G(ζ2N) ∈ OK. 5 Return the secret key sk = g and the public key

pk = HNF(g). Our goal: Recover the secret key from the public key.

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

Outline of the algorithm

1 Perform a reduction from the cyclotomic field to its totally real

subfield, allowing to work in smaller dimension.

2 Then a q-descent makes the size of involved ideals decrease. 3 Collect relations and run linear algebra to construct small

ideals and a generator.

4 Eventually run the derivation of the short generator from a

bigger one.

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

Outline of the algorithm

1 Perform a reduction from the cyclotomic field to its totally real

subfield, allowing to work in smaller dimension.

2 Then a q-descent makes the size of involved ideals decrease. 3 Collect relations and run linear algebra to construct small

ideals and a generator.

4 Eventually run the derivation of the short generator from a

bigger one. All the complexities are expressed as a function of the field discriminant ∆Q(ζ2N) = NN, for N = 2n.

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

Outline of the algorithm

1 Perform a reduction from the cyclotomic field to its totally real

subfield, allowing to work in smaller dimension.

2 Then a q-descent makes the size of involved ideals decrease. 3 Collect relations and run linear algebra to construct small

ideals and a generator.

4 Eventually run the derivation of the short generator from a

bigger one. All the complexities are expressed as a function of the field discriminant ∆Q(ζ2N) = NN, for N = 2n. For instance, L|∆K|(α) = 2Nα+o(1).

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

• 1. Reduction to the totally real subfield

Goal: Halving the dimension of the ambient field Gentry-Szydlo algorithm: Polynomial complexity Input: a Z-basis of I = u and u · ¯ u Output: the generator u

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

• 1. Reduction to the totally real subfield

Goal: Halving the dimension of the ambient field Gentry-Szydlo algorithm: Polynomial complexity Input: a Z-basis of I = u and u · ¯ u Output: the generator u Problem: no information about g · ¯ g (g is the private key)

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

• 1. Reduction to the totally real subfield

Goal: Halving the dimension of the ambient field Gentry-Szydlo algorithm: Polynomial complexity Input: a Z-basis of I = u and u · ¯ u Output: the generator u Solution: we introduce u = N(g)g¯ g−1

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

• 1. Reduction to the totally real subfield

Goal: Halving the dimension of the ambient field Gentry-Szydlo algorithm: Polynomial complexity Input: a Z-basis of I = u and u · ¯ u Output: the generator u Solution: we introduce u = N(g)g¯ g−1 Z-basis of g = ⇒ Z-basis of u and u · ¯ u = N(g)2

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

• 1. Reduction to the totally real subfield

Goal: Halving the dimension of the ambient field Gentry-Szydlo algorithm: Polynomial complexity Input: a Z-basis of I = u and u · ¯ u Output: the generator u Solution: we introduce u = N(g)g¯ g−1 Z-basis of g = ⇒ Z-basis of u and u · ¯ u = N(g)2 In the end, we get g · ¯ g−1 and a Z-basis of I+ = g + ¯ g ⊂ Q(ζ + ζ−1)

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

• 1. Reduction to the totally real subfield

Goal: Halving the dimension of the ambient field Gentry-Szydlo algorithm: Polynomial complexity Input: a Z-basis of I = u and u · ¯ u Output: the generator u Solution: we introduce u = N(g)g¯ g−1 Z-basis of g = ⇒ Z-basis of u and u · ¯ u = N(g)2 In the end, we get g · ¯ g−1 and a Z-basis of I+ = g + ¯ g ⊂ Q(ζ + ζ−1) Once we have a generator for I+, we get one for I by multiplying by 1 1 + ¯ g · g−1

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

• 2. The q-descent

Input ideal – Norm arbitrary large I+ = a0 a1

1

a1

2

a2

1

a2

2

a3

1

a3

2

. . . al − 1 al

1

al

2 . . . al nl

. . . a3

n3

. . . a2

n2

. . . a1

n1 J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

• 2. The q-descent

Input ideal – Norm arbitrary large I+ = a0 a1

1

a1

2

a2

1

a2

2

a3

1

a3

2

. . . al − 1 al

1

al

2 . . . al nl

. . . a3

n3

. . . a2

n2

. . . a1

n1

Initial reduction – Norm: L|∆K| 3

2

• J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner

Computing Generator in Cyclotomic Integer Rings

• 2. The q-descent

Input ideal – Norm arbitrary large I+ = a0 a1

1

a1

2

a2

1

a2

2

a3

1

a3

2

. . . al − 1 al

1

al

2 . . . al nl

. . . a3

n3

. . . a2

n2

. . . a1

n1

Initial reduction – L|∆K| (1)-smooth

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

• 2. The q-descent

Input ideal – Norm arbitrary large I+ = a0 a1

1

a1

2

a2

1

a2

2

a3

1

a3

2

. . . al − 1 al

1

al

2 . . . al nl

. . . a3

n3

. . . a2

n2

First step – Norm: L|∆K| 5

4

• . . . a1

n1

Initial reduction – L|∆K| (1)-smooth

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

• 2. The q-descent

Input ideal – Norm arbitrary large I+ = a0 a1

1

a1

2

a2

1

a2

2

a3

1

a3

2

. . . al − 1 al

1

al

2 . . . al nl

. . . a3

n3

. . . a2

n2

First step – L|∆K| 3

4

• smooth

. . . a1

n1

Initial reduction – L|∆K| (1)-smooth

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

• 2. The q-descent

Input ideal – Norm arbitrary large I+ = a0 a1

1

a1

2

a2

1

a2

2

a3

1

a3

2

. . . al − 1 al

1

al

2 . . . al nl

. . . a3

n3

Second step – Norm: L|∆K| 9

8

• . . . a2

n2

First step – L|∆K| 3

4

• smooth

. . . a1

n1

Initial reduction – L|∆K| (1)-smooth

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

• 2. The q-descent

Input ideal – Norm arbitrary large I+ = a0 a1

1

a1

2

a2

1

a2

2

a3

1

a3

2

. . . al − 1 al

1

al

2 . . . al nl

. . . a3

n3

Second step – L|∆K| 5

8

• smooth

. . . a2

n2

First step – L|∆K| 3

4

• smooth

. . . a1

n1

Initial reduction – L|∆K| (1)-smooth

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

• 2. The q-descent

Input ideal – Norm arbitrary large I+ = a0 a1

1

a1

2

a2

1

a2

2

a3

1

a3

2

. . . al − 1 al

1

al

2 . . . al nl

Last but one step – Norm: ≈ L|∆K| (1) . . . a3

n3

Second step – L|∆K| 5

8

• smooth

. . . a2

n2

First step – L|∆K| 3

4

• smooth

. . . a1

n1

Initial reduction – L|∆K| (1)-smooth

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

• 2. The q-descent

Input ideal – Norm arbitrary large I+ = a0 a1

1

a1

2

a2

1

a2

2

a3

1

a3

2

. . . al − 1 al

1

al

2 . . . al nl

Last but one step – ≈ L|∆K| 1

2

• smooth

. . . a3

n3

Second step – L|∆K| 5

8

• smooth

. . . a2

n2

First step – L|∆K| 3

4

• smooth

. . . a1

n1

Initial reduction – L|∆K| (1)-smooth

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

• 2. The q-descent

Input ideal – Norm arbitrary large I+ = a0 a1

1

a1

2

a2

1

a2

2

a3

1

a3

2

. . . al − 1 al

1

al

2 . . . al nl

Last step – Norm: L|∆K| (1) Last but one step – ≈ L|∆K| 1

2

• smooth

. . . a3

n3

Second step – L|∆K| 5

8

• smooth

. . . a2

n2

First step – L|∆K| 3

4

• smooth

. . . a1

n1

Initial reduction – L|∆K| (1)-smooth

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

• 2. The q-descent

Input ideal – Norm arbitrary large I+ = a0 a1

1

a1

2

a2

1

a2

2

a3

1

a3

2

. . . al − 1 al

1

al

2 . . . al nl

Last step – L|∆K| 1

2

• smooth

Last but one step – ≈ L|∆K| 1

2

• smooth

. . . a3

n3

Second step – L|∆K| 5

8

• smooth

. . . a2

n2

First step – L|∆K| 3

4

• smooth

. . . a1

n1

Initial reduction – L|∆K| (1)-smooth

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

2.1. The q-descent – Initial round

Input: a of norm arbitrarily large

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

2.1. The q-descent – Initial round

Input: a of norm arbitrarily large Tool: DBKZ-reduction with block-size (log |∆K|)

1 2 ≤ N

• n the lattice built from the canonical embedding OK+ → R

N 2 J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

2.1. The q-descent – Initial round

Input: a of norm arbitrarily large Tool: DBKZ-reduction with block-size (log |∆K|)

1 2 ≤ N

• n the lattice built from the canonical embedding OK+ → R

N 2

Output: small vector ← → algebraic integer v ∈ a = ⇒ ideal b ⊂ OK+ s.t. v = a · b and N (b) ≤ L|∆K| 3

2

• J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner

Computing Generator in Cyclotomic Integer Rings

2.1. The q-descent – Initial round

Input: a of norm arbitrarily large Tool: DBKZ-reduction with block-size (log |∆K|)

1 2 ≤ N

• n the lattice built from the canonical embedding OK+ → R

N 2

Output: small vector ← → algebraic integer v ∈ a = ⇒ ideal b ⊂ OK+ s.t. v = a · b and N (b) ≤ L|∆K| 3

2

• Cost:

DBKZ-reduction ⇒ Poly (N, log N(a)) · L|∆K| 1

2

• J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner

Computing Generator in Cyclotomic Integer Rings

Smoothness tests & Randomization

Heuristic We assume that the probability P that an ideal of norm bounded by L|∆K|(a) is a power-product of prime ideals of norm bounded by B = L|∆K|(b) satisfies P ≥ L|∆K| (a − b)−1 . Using ECM algorithm, each B-smoothness test costs L|∆K| b

2

• .

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

Smoothness tests & Randomization

Heuristic We assume that the probability P that an ideal of norm bounded by L|∆K|(a) is a power-product of prime ideals of norm bounded by B = L|∆K|(b) satisfies P ≥ L|∆K| (a − b)−1 . Using ECM algorithm, each B-smoothness test costs L|∆K| b

2

• .

Conclusion: b is L|∆K|(1)-smooth with probability L|∆K| 1

2

−1 and one test costs L|∆K| 1

2

• .

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

Smoothness tests & Randomization

Heuristic We assume that the probability P that an ideal of norm bounded by L|∆K|(a) is a power-product of prime ideals of norm bounded by B = L|∆K|(b) satisfies P ≥ L|∆K| (a − b)−1 . Using ECM algorithm, each B-smoothness test costs L|∆K| b

2

• .

Conclusion: b is L|∆K|(1)-smooth with probability L|∆K| 1

2

−1 and one test costs L|∆K| 1

2

• .

= ⇒ We use L|∆K| 1

2

• ideals ˜

a = a pei

i for small prime ideals pi

and integers ei to be sure to derive one ˜ b that is L|∆K| (1)-smooth.

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

2.2. The q-descent – Subsequent steps

We cannot reduce the norm using the same lattice-reduction.

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

2.2. The q-descent – Subsequent steps

We cannot reduce the norm using the same lattice-reduction. Solution: Cheon’s trick Use the coefficient embedding in the basis

• ζi + ζ−i

i

Compute the HNF of the integral lattice Find a short vector in a sublattice of smaller dimension

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

2.2. The q-descent – Subsequent steps

We cannot reduce the norm using the same lattice-reduction. Solution: Cheon’s trick Use the coefficient embedding in the basis

• ζi + ζ−i

i

Compute the HNF of the integral lattice Find a short vector in a sublattice of smaller dimension Input: a with N(a) ≤ L|∆K|(α)

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

2.2. The q-descent – Subsequent steps

We cannot reduce the norm using the same lattice-reduction. Solution: Cheon’s trick Use the coefficient embedding in the basis

• ζi + ζ−i

i

Compute the HNF of the integral lattice Find a short vector in a sublattice of smaller dimension Input: a with N(a) ≤ L|∆K|(α) Output: algebraic integer v ∈ a and ideal b ⊂ OK+ s.t. v = a · b and N (b) ≤ L|∆K| 2α+3

4

• J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner

Computing Generator in Cyclotomic Integer Rings

2.2. The q-descent – Subsequent steps

We cannot reduce the norm using the same lattice-reduction. Solution: Cheon’s trick Use the coefficient embedding in the basis

• ζi + ζ−i

i

Compute the HNF of the integral lattice Find a short vector in a sublattice of smaller dimension Input: a with N(a) ≤ L|∆K|(α) Output: algebraic integer v ∈ a and ideal b ⊂ OK+ s.t. v = a · b and N (b) ≤ L|∆K| 2α+3

4

• L|∆K|

2α+1

4

• smooth

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

2.2. The q-descent – Subsequent steps

We cannot reduce the norm using the same lattice-reduction. Solution: Cheon’s trick Use the coefficient embedding in the basis

• ζi + ζ−i

i

Compute the HNF of the integral lattice Find a short vector in a sublattice of smaller dimension Input: a with N(a) ≤ L|∆K|(α) Output: algebraic integer v ∈ a and ideal b ⊂ OK+ s.t. v = a · b and N (b) ≤ L|∆K| 2α+3

4

• L|∆K|

2α+1

4

• smooth

Cost: L|∆K| 1

2

• for lattice reduction & smoothness tests

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

2.3. The q-descent – The final step

After l − 1 steps, ideals have norm below L|∆K| 1

2 + 1 2l

• .

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

2.3. The q-descent – The final step

After l − 1 steps, ideals have norm below L|∆K| 1

2 + 1 2l

• .

For l = ⌈log2(log N)⌉, we have L|∆K| 1 2 + 1 2l

• ≤ L|∆K|

1 2 + 1 log N

• = L|∆K|

1 2

• .

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

2.3. The q-descent – The final step

After l − 1 steps, ideals have norm below L|∆K| 1

2 + 1 2l

• .

For l = ⌈log2(log N)⌉, we have L|∆K| 1 2 + 1 2l

• ≤ L|∆K|

1 2 + 1 log N

• = L|∆K|

1 2

• .

Conclusion: All ideals have norm below L|∆K| 1

2

• J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner

Computing Generator in Cyclotomic Integer Rings

2.3. The q-descent – The final step

After l − 1 steps, ideals have norm below L|∆K| 1

2 + 1 2l

• .

For l = ⌈log2(log N)⌉, we have L|∆K| 1 2 + 1 2l

• ≤ L|∆K|

1 2 + 1 log N

• = L|∆K|

1 2

• .

Conclusion: All ideals have norm below L|∆K| 1

2

• They are at most Nl ≪ L|∆K|

1

2

• ideals

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

2.3. The q-descent – The final step

After l − 1 steps, ideals have norm below L|∆K| 1

2 + 1 2l

• .

For l = ⌈log2(log N)⌉, we have L|∆K| 1 2 + 1 2l

• ≤ L|∆K|

1 2 + 1 log N

• = L|∆K|

1 2

• .

Conclusion: All ideals have norm below L|∆K| 1

2

• They are at most Nl ≪ L|∆K|

1

2

• ideals

The total runtime of the q-descent is L|∆K| 1

2

• .

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

• 3. Solution for smooth ideals

Input: Bunch of prime ideals of norm below B = L|∆K| 1

2

• J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner

Computing Generator in Cyclotomic Integer Rings

• 3. Solution for smooth ideals

Input: Bunch of prime ideals of norm below B = L|∆K| 1

2

• Index Calculus Method:

Factor base: set of all prime ideals with norm below B

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

• 3. Solution for smooth ideals

Input: Bunch of prime ideals of norm below B = L|∆K| 1

2

• Index Calculus Method:

Factor base: set of all prime ideals with norm below B Relation collection: construction of a full-rank matrix M

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

• 3. Solution for smooth ideals

Input: Bunch of prime ideals of norm below B = L|∆K| 1

2

• Index Calculus Method:

Factor base: set of all prime ideals with norm below B Relation collection: construction of a full-rank matrix M Relation: principal ideal that splits on the factor base. Test ideals generated by v = vi(ζi + ζ−i) for |vi| ≤ log |∆K|.

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

• 3. Solution for smooth ideals

Input: Bunch of prime ideals of norm below B = L|∆K| 1

2

• Index Calculus Method:

Factor base: set of all prime ideals with norm below B Relation collection: construction of a full-rank matrix M Relation: principal ideal that splits on the factor base. Test ideals generated by v = vi(ζi + ζ−i) for |vi| ≤ log |∆K|. Norm below L|∆K|(1) = ⇒ L|∆K| 1

2

• smooth ideals in L|∆K|

1

2

• .

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

• 3. Solution for smooth ideals

Input: Bunch of prime ideals of norm below B = L|∆K| 1

2

• Index Calculus Method:

Factor base: set of all prime ideals with norm below B Relation collection: construction of a full-rank matrix M      v1 v2 . . . vQ|B|      → → . . . →      M1,1 · · · M1,|B| M2,1 · · · M2,|B| . . . . . . MQ|B|,1 · · · MQ|B|,|B|      = ⇒ ∀i, vi =

|B|

• j=1

pMi,j

j

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

• 3. Solution for smooth ideals

Input: Bunch of prime ideals of norm below B = L|∆K| 1

2

• Index Calculus Method:

Factor base: set of all prime ideals with norm below B Relation collection: construction of a full-rank matrix M A N-dimensional vector Y including all the valuations of the smooth ideals in the pi

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

• 3. Solution for smooth ideals

Input: Bunch of prime ideals of norm below B = L|∆K| 1

2

• Index Calculus Method:

Factor base: set of all prime ideals with norm below B Relation collection: construction of a full-rank matrix M A N-dimensional vector Y including all the valuations of the smooth ideals in the pi A solution X of MX = Y provides a generator of the product

• f the L|∆K|

1

2

• smooth ideals

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

Implementation results

PARI-GP and fplll for BKZ-reductions — Intel(R) Xeon(R) CPU E3-1275 v3 @ 3.50GHz with 32GB of memory Dimension of the field: N = 28 = 256.

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

Implementation results

PARI-GP and fplll for BKZ-reductions — Intel(R) Xeon(R) CPU E3-1275 v3 @ 3.50GHz with 32GB of memory Dimension of the field: N = 28 = 256. Gentry-Szydlo: 20h and 24GB memory

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

Implementation results

PARI-GP and fplll for BKZ-reductions — Intel(R) Xeon(R) CPU E3-1275 v3 @ 3.50GHz with 32GB of memory Dimension of the field: N = 28 = 256. Gentry-Szydlo: 20h and 24GB memory BKZ-reduction: between 10 min and 4h (Descent reduced to only one step)

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

Implementation results

PARI-GP and fplll for BKZ-reductions — Intel(R) Xeon(R) CPU E3-1275 v3 @ 3.50GHz with 32GB of memory Dimension of the field: N = 28 = 256. Gentry-Szydlo: 20h and 24GB memory BKZ-reduction: between 10 min and 4h (Descent reduced to only one step) We recover g · ζi — and so the secret key g — in less than a day.

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings

Thanks

Thank you

J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings