Recovering Short Generators of Principal Ideals in Cyclotomic Rings - - PowerPoint PPT Presentation

Recovering Short Generators of Principal Ideals in Cyclotomic Rings

L´ eo Ducas

CWI, Amsterdam, The Netherlands

Joint work with Ronald Cramer Chris Peikert Oded Regev Presented at ICERM, Brown University, April 2015

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 1 / 29

Recovering Short Generators for Cryptanalysis

A few cryptosystems (Fully Homomomorphic Encryption [SV10] and Multilinear Maps [GGH13, LSS14]) share this KeyGen: sk Choose a short g in some ring R as a private key pk Give a bad Z-basis B of the ideal (g) as a public key (e.g. HNF). Cryptanalysis in two steps (Key Recovery Attack)

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 2 / 29

Recovering Short Generators for Cryptanalysis

A few cryptosystems (Fully Homomomorphic Encryption [SV10] and Multilinear Maps [GGH13, LSS14]) share this KeyGen: sk Choose a short g in some ring R as a private key pk Give a bad Z-basis B of the ideal (g) as a public key (e.g. HNF). Cryptanalysis in two steps (Key Recovery Attack)

1 Principal Ideal Problem (PIP) ◮ Given a Z-basis B of a principal ideal I, ◮ Recover some generator h (i.e. I = (h)) L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 2 / 29

Recovering Short Generators for Cryptanalysis

A few cryptosystems (Fully Homomomorphic Encryption [SV10] and Multilinear Maps [GGH13, LSS14]) share this KeyGen: sk Choose a short g in some ring R as a private key pk Give a bad Z-basis B of the ideal (g) as a public key (e.g. HNF). Cryptanalysis in two steps (Key Recovery Attack)

1 Principal Ideal Problem (PIP) ◮ Given a Z-basis B of a principal ideal I, ◮ Recover some generator h (i.e. I = (h)) 2 Short Generator Problem ◮ Given an arbitrary generator h ∈ R of I ◮ Recover g (or some g ′ equivalently short) L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 2 / 29

Cost of those two steps

1 Principal Ideal Problem (PIP) ◮ sub-exponential time (2 ˜

O(n2/3)) classical algorithm [BF14, Bia14].

◮ progress toward quantum polynomial time

algorithm [EHKS14, BS15, CGS14].

2 Short Generator Problem ◮ equivalent to the CVP in the log-unit lattice ◮ becomes a BDD problem in the crypto cases. ◮ claimed to be easy [CGS14] in the cyclotomic case m = 2k ◮ confirmed by experiments [Sch15]

This Work [CDPR15]

We focus on step

2 , and prove it can be solved in classical polynomial

time for the aforementioned cryptanalytic instances, when the ring R is the ring of integers of the cyclotomic number field K = Q(ζm) for m = pk.

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 3 / 29

Overview

1

Introduction

2

Preliminary

3

Geometry of Cyclotomic Units

4

Shortness of Log g

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 4 / 29

The Logarithmic Embedding

Let K be a number field of degree n, σ1 . . . σn : K → C be its embeddings, and let R be its ring of integers. The logarithmic Embedding is defined as Log : K → Rn x → (log |σ1(x)|, . . . , log |σn(x)|) It induces

◮ a group morphism from (K \ {0}, ·) to (Rn, +) ◮ a monoid morphism from (R \ {0}, ·) to (Rn, +)

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 5 / 29

The Unit Group

Let R× denotes the multiplicative group of units of R. Let Λ = Log R×. By Dirichlet Unit Theorem

◮ the kernel of Log is the cyclic group T of roots of unity of R ◮ Λ ⊂ Rn is an lattice of rank r + c − 1

(where K has r real embeddings and 2c complex embeddings)

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 6 / 29

The Unit Group

Let R× denotes the multiplicative group of units of R. Let Λ = Log R×. By Dirichlet Unit Theorem

◮ the kernel of Log is the cyclic group T of roots of unity of R ◮ Λ ⊂ Rn is an lattice of rank r + c − 1

(where K has r real embeddings and 2c complex embeddings)

Reduction to CVP

Elements g, h ∈ R generate the same ideal if and only if h = g · u for some unit u ∈ R×. In particular Log g ∈ Log h + Λ. and g is the “smallest” generator iff Log u ∈ Λ is a vector “closest” to Log h.

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 6 / 29

Example: Embedding Z[ √ 2] ֒ → R2

1 1

−1 1 2

p

2 1 +

p

2

◮ x-axis: a + b

√ 2 → a + b √ 2

◮ y-axis: a + b

√ 2 → a − b √ 2

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 7 / 29

Example: Embedding Z[ √ 2] ֒ → R2

1 1

−1 1 2

p

2 1 +

p

2

◮ x-axis: a + b

√ 2 → a + b √ 2

◮ y-axis: a + b

√ 2 → a − b √ 2

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 7 / 29

Example: Embedding Z[ √ 2] ֒ → R2

1 1

−1 1 2

p

2 1 +

p

2

◮ x-axis: a + b

√ 2 → a + b √ 2

◮ y-axis: a + b

√ 2 → a − b √ 2

◮ component-wise multiplication

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 7 / 29

Example: Embedding Z[ √ 2] ֒ → R2

1 1

−1 1 2

p

2 1 +

p

2

◮ x-axis: a + b

√ 2 → a + b √ 2

◮ y-axis: a + b

√ 2 → a − b √ 2

◮ component-wise multiplication ◮ Symmetries induced by

◮ mult. by −1 ◮ conjugation

√ 2 → − √ 2

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 7 / 29

Example: Embedding Z[ √ 2] ֒ → R2

1 1

−1 1 2

p

2 1 +

p

2

◮ x-axis: a + b

√ 2 → a + b √ 2

◮ y-axis: a + b

√ 2 → a − b √ 2

◮ component-wise multiplication ◮ Symmetries induced by

◮ mult. by −1 ◮ conjugation

√ 2 → − √ 2

“Orthogonal” elements Units (algebraic norm 1) “Isonorms” curves

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 7 / 29

Example: Logarithmic Embedding Log Z[ √ 2]

({•}, +) is a sub-monoid of R2

1 1

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 8 / 29

Example: Logarithmic Embedding Log Z[ √ 2]

Λ =({•}, +) ∩ is a lattice of R2, orthogonal to (1, 1)

1 1

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 8 / 29

Example: Logarithmic Embedding Log Z[ √ 2]

{•} ∩ are shifted finite copies of Λ

1 1

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 8 / 29

Example: Logarithmic Embedding Log Z[ √ 2]

Some {•} ∩ may be empty (e.g. no elements of Norm 3 in Z[ √ 2])

1 1

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 8 / 29

Reduction modulo Λ = Log Z[ √ 2]×

The reduction modΛ for various fundamental domains.

1 1

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 9 / 29

Reduction modulo Λ = Log Z[ √ 2]×

The reduction modΛ for various fundamental domains.

1 1

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 9 / 29

Reduction modulo Λ = Log Z[ √ 2]×

The reduction modΛ for various fundamental domains.

1 1

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 9 / 29

Reduction modulo Λ = Log Z[ √ 2]×

The reduction modΛ for various fundamental domains.

1 1

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 9 / 29

Decoding with the RoundOff algorithm

The simplest algorithm [Bab86] to reduce modulo a lattice

RoundOff(B, t), B a Z-basis of Λ

v = B · ⌊(B∨)⊤ · t⌉ e = t − v return (t, e) where t ∈ B Used as a decoding algorithm, its correctness is characterized by the error e and the dual basis B∨.

Fact(Correctness of RoundOff)

let t = v + e for some v ∈ Λ. If b∨

j , e ∈ [− 1 2, 1 2) for all j, then

RoundOff(B, t) = (v, e).

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 10 / 29

RoundOff in pictures

t t RoundOff algorithm:

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 11 / 29

RoundOff in pictures

t t × (B∨)t − → t′ RoundOff algorithm:

1 use basis B to switch to the lattice Zn (×(B∨)t)

t′ = (B∨)t · t;

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 11 / 29

RoundOff in pictures

t t × (B∨)t − → t′ v′ RoundOff algorithm:

1 use basis B to switch to the lattice Zn (×(B∨)t) 2 Round each coordinate

t′ = (B∨)t · t; v′ = ⌊t′⌉;

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 11 / 29

RoundOff in pictures

t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v t v × (B∨)t − → ← − × B t′ v′ RoundOff algorithm:

1 use basis B to switch to the lattice Zn (×(B∨)t) 2 Round each coordinate 3 Switch back to the lattice L (×B)

t′ = (B∨)t · t; v′ = ⌊t′⌉; v = B · v′

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 11 / 29

Recovering Short Generator: Proof Plan

Folklore strategy [Ber14, CGS14] to recover a short generator g

1 Construct a basis B of the unit-log lattice Log R× ◮ For K = Q(ζm), m = pk, an (almost1) canonical basis is given by

bj = Log 1 − ζj 1 − ζ , j ∈ {2, . . . , m/2}, j co-prime with m

2 Prove that the basis is “good”, that is b∨

j are all small

3 Prove that e = Log g is small enough 1it only spans a super-lattice of finite index h+ which is conjectured to be small L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 12 / 29

Recovering Short Generator: Proof Plan

Folklore strategy [Ber14, CGS14] to recover a short generator g

1 Construct a basis B of the unit-log lattice Log R× ◮ For K = Q(ζm), m = pk, an (almost1) canonical basis is given by

bj = Log 1 − ζj 1 − ζ , j ∈ {2, . . . , m/2}, j co-prime with m

2 Prove that the basis is “good”, that is b∨

j are all small

3 Prove that e = Log g is small enough

Technical contributions [CDPR15]

2

Estimate b∨

j precisely using analytic tools [Was97, Lan27]

3

Bound e using theory of sub-exponential random variables [Ver12]

1it only spans a super-lattice of finite index h+ which is conjectured to be small L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 12 / 29

Overview

1

Introduction

2

Preliminary

3

Geometry of Cyclotomic Units

4

Shortness of Log g

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 13 / 29

Cyclotomic units

We fix the number field K = Q(ζm) where m = pk for some prime p. Set zj = 1 − ζj and bj = zj/z1 for all j coprimes with m. The bj are units, and the group C generated by ζ, bj for j = 2, . . . m/2, j coprime with m is known as the group of cyclotomic units.

2One just need the index [R× : C] = h+(m) to be small. L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 14 / 29

Cyclotomic units

We fix the number field K = Q(ζm) where m = pk for some prime p. Set zj = 1 − ζj and bj = zj/z1 for all j coprimes with m. The bj are units, and the group C generated by ζ, bj for j = 2, . . . m/2, j coprime with m is known as the group of cyclotomic units.

Simplification 1 (Weber’s Class Number Problem)

We assume2 that R× = C. It is conjectured to be true for m = 2k.

2One just need the index [R× : C] = h+(m) to be small. L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 14 / 29

Cyclotomic units

We fix the number field K = Q(ζm) where m = pk for some prime p. Set zj = 1 − ζj and bj = zj/z1 for all j coprimes with m. The bj are units, and the group C generated by ζ, bj for j = 2, . . . m/2, j coprime with m is known as the group of cyclotomic units.

Simplification 1 (Weber’s Class Number Problem)

We assume2 that R× = C. It is conjectured to be true for m = 2k.

Simplification 2 (for this talk)

We study the dual matrix Z∨, where zj = Log zj. It can be proved to close to B∨ where bj = zj − z1.

2One just need the index [R× : C] = h+(m) to be small. L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 14 / 29

The matrix Z

The field K admits exactly ϕ(m)/2 pairs of conjugate complex embeddings σi = σ−i, where σi : ζ → ωi is defined for all i ∈ Z×

m.

where ω = exp(2ıπ/m) ∈ C is a primitive root of unity.

10 20 30 40 50 60 10 20 30 40 50 60

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 15 / 29

The matrix Z

The field K admits exactly ϕ(m)/2 pairs of conjugate complex embeddings σi = σ−i, where σi : ζ → ωi is defined for all i ∈ Z×

m.

where ω = exp(2ıπ/m) ∈ C is a primitive root of unity.

10 20 30 40 50 60 10 20 30 40 50 60

Figure : Na¨ ıve Indexing (i = 1, 3, 5, . . . )

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 15 / 29

The matrix Z

The field K admits exactly ϕ(m)/2 pairs of conjugate complex embeddings σi = σ−i, where σi : ζ → ωi is defined for all i ∈ Z×

m.

where ω = exp(2ıπ/m) ∈ C is a primitive root of unity.

10 20 30 40 50 60 10 20 30 40 50 60

Figure : Multiplicative Indexing (i = 30, 31, 32, . . . )

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 15 / 29

Dual of a Circulant Basis

Notice that Zij = log |σj(1 − ζi)| = log |1 − ωij|: the matrix Z is G-circulant for the cyclic group G = Z×

m/ ± 1.

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 16 / 29

Dual of a Circulant Basis

Notice that Zij = log |σj(1 − ζi)| = log |1 − ωij|: the matrix Z is G-circulant for the cyclic group G = Z×

m/ ± 1.

Fact

If M is a non-singular, G-circulant matrix, then

◮ its eigenvalues are given by λχ = g∈G χ(g) · M1,g

where χ ∈ G is a character G → C

◮ All the vectors of M∨ have the same norm m∨ i 2 = χ∈ G |λχ|−2

Note: The characters of G can be extended to even Dirichlet characters mod m: χ : Z → C, by setting χ(a) = 0 if gcd(a, m) > 1.

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 16 / 29

Computing the Eigenvalues

We wish to give a lower bound on |λχ| where λχ =

• a∈G

χ(a) · log |1 − ωa|.

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 17 / 29

Computing the Eigenvalues

We wish to give a lower bound on |λχ| where λχ =

• a∈G

χ(a) · log |1 − ωa|.

Why not stop here ?

This formulae is pretty easy to evaluate numerically: at this point we can already check RoundOff’s correctness numerically up to m = 106 or more.

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 17 / 29

Computing the Eigenvalues

We wish to give a lower bound on |λχ| where λχ =

• a∈G

χ(a) · log |1 − ωa|.

Why not stop here ?

This formulae is pretty easy to evaluate numerically: at this point we can already check RoundOff’s correctness numerically up to m = 106 or more.

Something cute to be learned !

The equations looks not very algebraic (log ?), yet appears quite naturally... Surely mathematicians knows how to deal with this. Indeed, computation of the volume of that basis appears in [Was97].

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 17 / 29

Computing the Eigenvalues

We wish to give a lower bound on |λχ| where λχ =

• a∈G

χ(a) · log |1 − ωa|. We develop using the Taylor series log |1 − x| = −

• k≥1

xk/k

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 17 / 29

Computing the Eigenvalues

We wish to give a lower bound on |λχ| where λχ =

• a∈G

χ(a) · log |1 − ωa|. We develop using the Taylor series log |1 − x| = −

• k≥1

xk/k and obtain −λχ =

• a∈G
• k≥1

χ(a) · ωka k .

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 17 / 29

Computing the Eigenvalues (continued)

We were trying to lower bound |λχ| where −λχ =

• k≥1

1 k ·

• a∈G

χ(a) · ωka.

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 18 / 29

Computing the Eigenvalues (continued)

We were trying to lower bound |λχ| where −λχ =

• k≥1

1 k ·

• a∈G

χ(a) · ωka.

Fact (Separability of Gauss Sums)

If χ is a primitive Dirichlet character modm then

• a∈Z×

m

χ(a) · ωka = χ(k) · G(χ) where |G(χ)| = √m.

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 18 / 29

Computing the Eigenvalues (continued)

We were trying to lower bound |λχ| where −λχ =

• k≥1

1 k ·

• a∈G

χ(a) · ωka.

Fact (Separability of Gauss Sums)

If χ is a primitive Dirichlet character modm then

• a∈Z×

m

χ(a) · ωka = χ(k) · G(χ) where |G(χ)| = √m. For this talk, let’s ignore non-primitive characters. We rewrite

• λχ
• =

m 2 ·

• k≥1

χ(k) k

• .

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 18 / 29

The Analytical Hammer

We were trying to lower bound

• λχ
• = m

2 ·

• k≥1

χ(k) k

• .

One recognizes a Dirichlet L-series L(s, χ) = χ(k) ks .

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 19 / 29

The Analytical Hammer

We were trying to lower bound

• λχ
• = m

2 ·

• k≥1

χ(k) k

• .

One recognizes a Dirichlet L-series L(s, χ) = χ(k) ks .

Theorem ([Lan27])

For any primitive Dirichlet character χ mod m it holds that 1 ℓ(m) ≤ |L(1, χ)| ≤ ℓ(m) where ℓ(m) = C ln m for some universal constant C > 0.

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 19 / 29

Geometric Conclusion

Theorem (Cramer, D. , Peikert, Regev)

Let m = pk, and B =

• Log(bj))j∈G\{1} be the canonical basis of Log C.

Then all the vectors of B∨ have the same norm and

• b∨

j

• 2 ≤ O
• m−1 · log3 m
• .

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 20 / 29

Overview

1

Introduction

2

Preliminary

3

Geometry of Cyclotomic Units

4

Shortness of Log g

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 21 / 29

Proof Plan (Reminder)

1 Construct a basis B of the unit-log lattice Log R× ◮ Choose the Canonical Cyclotomics Units

bj = Log 1 − ζj 1 − ζ

2 Prove that the basis is “good”, that is b∨

j are all small

◮ Proved

• b∨

j

• 2 ≤ O
• m−1 · log3 m
• 3 Prove that e = Log g is small enough

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 22 / 29

Scaling Invariance

Lets assume the embeddings (σi(g)) are i.i.d. of distribution D. Log (s · Dn) ≃ (1, 1, . . . 1) · log s + Log Dn

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 23 / 29

Heuristic argument

Using scaling, assume that E[Log Dm] = 0.

◮ Let e ← Log Dm (e = Log g) ◮ Each coordinate Log D of e are independents, centered, of variance V ◮ For any b, the variance of b, e is V · b ◮ By Markov Inequality, for a fixed i it should hold that

|b∨

i , e| ≤ 1/2

except with o(1) probability (recall we’ve proved that b∨

i = o(1))

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 24 / 29

Conclusion from better tail bounds

The previous argument does not allows to conclude simultanously on all i’s. We fill this gap using stronger tail bounds, form the theory of sub-exponential random variables [Ver12]

“Theorem” (Cramer, D. , Peikert, Regev)

If g follows a Continuous Normal Distribution, then for e = Log g, we have |b∨

i , e| ≤ 1/2 for all i’s except with negligible probability.

“Corollary”

If g follows a Discrete Normal Distribution of parameter σ ≥ poly(m), then for e = Log g, we have |b∨

i , e| ≤ 1/2 for all i’s except with probability

1/nΘ(1).

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 25 / 29

Thanks

Thank you for your attention. Questions ?

We thank Dan Bernstein, Jean-Franois Biasse, Sorina Ionica, Dimitar Jetchev, Paul Kirchner, and Dan Shepherd for many insightful conversations related to this work.

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 26 / 29

References I

L´ aszl´

• Babai.

On Lov´ asz’ lattice reduction and the nearest lattice point problem. Combinatorica, 6(1):1–13, 1986. Preliminary version in STACS 1985. Dan Bernstein. A subfield-logarithm attack against ideal lattices. http://blog.cr.yp.to/20140213-ideal.html, Febuary 2014. J.-F. Biasse and C. Fieker. Subexponential class group and unit group computation in large degree number fields. LMS Journal of Computation and Mathematics, 17:385–403, 1 2014. Jean-Fran¸ cois Biasse. Subexponential time relations in the class group of large degree number fields.

• Adv. Math. Commun., 8(4):407–425, 2014.

J.-F. Biasse and F. Song. A polynomial time quantum algorithm for computing class groups and solving the principal ideal problem in arbitrary degree number fields. http://www.lix.polytechnique.fr/Labo/Jean-Francois.Biasse/, 2015. In preparation.

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 27 / 29

References II

Peter Campbell, Michael Groves, and Dan Shepherd. Soliloquy: A cautionary tale. ETSI 2nd Quantum-Safe Crypto Workshop, 2014. Available at http://docbox.etsi.org/Workshop/2014/201410_CRYPTO/S07_Systems_ and_Attacks/S07_Groves_Annex.pdf. Kirsten Eisentr¨ ager, Sean Hallgren, Alexei Kitaev, and Fang Song. A quantum algorithm for computing the unit group of an arbitrary degree number field. In Proceedings of the 46th Annual ACM Symposium on Theory of Computing, pages 293–302. ACM, 2014. Sanjam Garg, Craig Gentry, and Shai Halevi. Candidate multilinear maps from ideal lattices. In EUROCRYPT, pages 1–17, 2013. Edmund Landau. ¨ Uber Dirichletsche Reihen mit komplexen Charakteren. Journal f¨ ur die reine und angewandte Mathematik, 157:26–32, 1927. Adeline Langlois, Damien Stehl´ e, and Ron Steinfeld. Gghlite: More efficient multilinear maps from ideal lattices. In Advances in Cryptology–EUROCRYPT 2014, pages 239–256. Springer, 2014.

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 28 / 29

References III

John Schank. LogCvp, Pari implementation of CVP in log Z[ζ2n]∗. https://github.com/jschanck-si/logcvp, 2015. Nigel P. Smart and Frederik Vercauteren. Fully homomorphic encryption with relatively small key and ciphertext sizes. In Public Key Cryptography, pages 420–443, 2010. Roman Vershynin. Compressed Sensing, Theory and Applications, chapter 5, pages 210–268. Cambridge University Press, 2012. Available at http://www-personal.umich.edu/~romanv/papers/non-asymptotic-rmt-plain.pdf. L.C. Washington. Introduction to Cyclotomic Fields. Graduate Texts in Mathematics. Springer New York, 1997.

L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators ICERM, April 2015 29 / 29