Computing Generator in Cyclotomic Integer Rings A subfield algorithm for the Principal Ideal Problem in L|∆K | and application to the cryptanalysis of a FHE scheme 1 2 Jean-François Biasse1 Thomas Espitau2 Pierre-Alain Fouque3 Alexandre Gélin2 Paul Kirchner4 University of South Florida, Department of Mathematics and Statistics, Tampa, USA Sorbonne Universités, UPMC Paris 6, UMR 7606, LIP6, Paris, France Institut Universitaire de France, Paris, France and Université de Rennes 1, France École Normale Supérieure, Paris, France 2017/05/01 J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings The Principal Ideal Problem Definition The Principal Ideal Problem (PIP) consists in finding a generator of an ideal, assuming it is principal. J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings The Principal Ideal Problem Definition The Short Principal Ideal Problem (SPIP) consists in finding a short generator of an ideal, assuming it is principal. J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings The Principal Ideal Problem Definition The Short Principal Ideal Problem (SPIP) consists in finding a short generator of an ideal, assuming it is principal. Base of several cryptographical schemes ([SV10],[GGH13]) J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings The Principal Ideal Problem Definition The Short Principal Ideal Problem (SPIP) consists in finding a short generator of an ideal, assuming it is principal. Base of several cryptographical schemes ([SV10],[GGH13]) Two distinct phases: 1 2 Given the Z-basis of the ideal a = hgi, find a — not necessarily short — generator g 0 = g · u for a unit u. From g 0 , find a short generator of the ideal. J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings The Principal Ideal Problem Definition The Short Principal Ideal Problem (SPIP) consists in finding a short generator of an ideal, assuming it is principal. Base of several cryptographical schemes ([SV10],[GGH13]) Two distinct phases: 1 2 Given the Z-basis of the ideal a = hgi, find a — not necessarily short — generator g 0 = g · u for a unit u. From g 0 , find a short generator of the ideal. Campbell, Groves, and Sheperd (2014) found a solution in polynomial time for the second point for power-of-two cyclotomic fields. Cramer, Ducas, Peikert, and Regev (2016) provided a proof and an extension to prime-power cyclotomic fields. J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings FHE scheme – Smart and Vercauteren PKC 2010 Key Generation: 1 2 Fix the security parameter N = 2n . Let F (X) = X N + 1 be the polynomial defining the cyclotomic field K = Q(ζ2N ). 3 Set G(X) = 1 + 2 · S(X), h √ √ i for S(X) of degree N − 1 with coefficients in −2 N , 2 N , such that the norm N (hG(ζ2N )i) is prime. 4 Set g = G(ζ2N ) ∈ OK . 5 Return the secret key sk = g and the public key pk = HNF(hgi). J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings FHE scheme – Smart and Vercauteren PKC 2010 Key Generation: 1 2 Fix the security parameter N = 2n . Let F (X) = X N + 1 be the polynomial defining the cyclotomic field K = Q(ζ2N ). 3 Set G(X) = 1 + 2 · S(X), h √ √ i for S(X) of degree N − 1 with coefficients in −2 N , 2 N , such that the norm N (hG(ζ2N )i) is prime. 4 Set g = G(ζ2N ) ∈ OK . 5 Return the secret key sk = g and the public key pk = HNF(hgi). Our goal: Recover the secret key from the public key. J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings Outline of the algorithm 1 Perform a reduction from the cyclotomic field to its totally real subfield, allowing to work in smaller dimension. 2 Then a q-descent makes the size of involved ideals decrease. 3 Collect relations and run linear algebra to construct small ideals and a generator. 4 Eventually run the derivation of the short generator from a bigger one. J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings Outline of the algorithm 1 Perform a reduction from the cyclotomic field to its totally real subfield, allowing to work in smaller dimension. 2 Then a q-descent makes the size of involved ideals decrease. 3 Collect relations and run linear algebra to construct small ideals and a generator. 4 Eventually run the derivation of the short generator from a bigger one. All the complexities are expressed as a function of the field discriminant ∆Q(ζ2N ) = N N , for N = 2n . J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings Outline of the algorithm 1 Perform a reduction from the cyclotomic field to its totally real subfield, allowing to work in smaller dimension. 2 Then a q-descent makes the size of involved ideals decrease. 3 Collect relations and run linear algebra to construct small ideals and a generator. 4 Eventually run the derivation of the short generator from a bigger one. All the complexities are expressed as a function of the field discriminant ∆Q(ζ2N ) = N N , for N = 2n . For instance, L|∆K | (α) = 2N J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner α+o(1) . Computing Generator in Cyclotomic Integer Rings 1. Reduction to the totally real subfield Goal: Halving the dimension of the ambient field Gentry-Szydlo algorithm: Input: a Z-basis of I = hui Output: the generator u J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Polynomial complexity and u · ū Computing Generator in Cyclotomic Integer Rings 1. Reduction to the totally real subfield Goal: Halving the dimension of the ambient field Gentry-Szydlo algorithm: Input: a Z-basis of I = hui Output: the generator u Polynomial complexity and u · ū Problem: no information about g · ḡ J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner (g is the private key) Computing Generator in Cyclotomic Integer Rings 1. Reduction to the totally real subfield Goal: Halving the dimension of the ambient field Gentry-Szydlo algorithm: Input: a Z-basis of I = hui Output: the generator u Polynomial complexity and u · ū Solution: we introduce u = N (g)gḡ −1 J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings 1. Reduction to the totally real subfield Goal: Halving the dimension of the ambient field Gentry-Szydlo algorithm: Input: a Z-basis of I = hui Output: the generator u Polynomial complexity and u · ū Solution: we introduce u = N (g)gḡ −1 Z-basis of hgi =⇒ Z-basis of hui and u · ū = N (g)2 J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings 1. Reduction to the totally real subfield Goal: Halving the dimension of the ambient field Gentry-Szydlo algorithm: Input: a Z-basis of I = hui Output: the generator u Polynomial complexity and u · ū Solution: we introduce u = N (g)gḡ −1 Z-basis of hgi =⇒ Z-basis of hui and u · ū = N (g)2 In the end, we get g · ḡ −1 and a Z-basis of I + = hg + ḡi ⊂ Q(ζ + ζ −1 ) J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings 1. Reduction to the totally real subfield Goal: Halving the dimension of the ambient field Gentry-Szydlo algorithm: Input: a Z-basis of I = hui Output: the generator u Polynomial complexity and u · ū Solution: we introduce u = N (g)gḡ −1 Z-basis of hgi =⇒ Z-basis of hui and u · ū = N (g)2 In the end, we get g · ḡ −1 and a Z-basis of I + = hg + ḡi ⊂ Q(ζ + ζ −1 ) Once we have a generator for I + , we get one for I by multiplying by 1 1 + ḡ · g −1 J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings 2. The q-descent I + = a0 Input ideal – Norm arbitrary large a11 a12 . . . a1n1 a21 a22 . . . a2n2 a31 a32 . . . a3n3 ... al − 1 al1 al2 . . . alnl J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings 2. The q-descent I + = a0 a11 a12 . . . a1n1 Input ideal – Norm arbitrary large Initial reduction – Norm: L|∆K | 3 2 a21 a22 . . . a2n2 a31 a32 . . . a3n3 ... al − 1 al1 al2 . . . alnl J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings 2. The q-descent I + = a0 a11 a12 . . . a1n1 Input ideal – Norm arbitrary large Initial reduction – L|∆K | (1)-smooth a21 a22 . . . a2n2 a31 a32 . . . a3n3 ... al − 1 al1 al2 . . . alnl J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings 2. The q-descent I + = a0 a11 a12 . . . a1n1 a21 a22 . . . a2n2 Input ideal – Norm arbitrary large Initial reduction – L|∆K | (1)-smooth First step – Norm: L|∆K | 5 4 a31 a32 . . . a3n3 ... al − 1 al1 al2 . . . alnl J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings 2. The q-descent I + = a0 a11 a12 . . . a1n1 a21 a22 . . . a2n2 Input ideal – Norm arbitrary large Initial reduction – L|∆K | (1)-smooth First step – L|∆K | 3 4 -smooth a31 a32 . . . a3n3 ... al − 1 al1 al2 . . . alnl J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings 2. The q-descent I + = a0 a11 a12 . . . a1n1 a21 a22 . . . a2n2 a31 a32 . . . a3n3 Input ideal – Norm arbitrary large Initial reduction – L|∆K | (1)-smooth First step – L|∆K | 3 4 -smooth Second step – Norm: L|∆K | 9 8 ... al − 1 al1 al2 . . . alnl J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings 2. The q-descent I + = a0 a11 a12 . . . a1n1 a21 a22 . . . a2n2 a31 a32 . . . a3n3 Input ideal – Norm arbitrary large Initial reduction – L|∆K | (1)-smooth First step – L|∆K | 3 4 Second step – L|∆K | -smooth 5 8 -smooth ... al − 1 al1 al2 . . . alnl J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings 2. The q-descent I + = a0 a11 a12 . . . a1n1 a21 a22 . . . a2n2 a31 a32 . . . a3n3 Input ideal – Norm arbitrary large Initial reduction – L|∆K | (1)-smooth First step – L|∆K | 3 4 Second step – L|∆K | -smooth 5 8 -smooth ... al − 1 Last but one step – Norm: ≈ L|∆K | (1) al1 al2 . . . alnl J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings 2. The q-descent I + = a0 a11 a12 . . . a1n1 a21 a22 . . . a2n2 a31 a32 . . . a3n3 Input ideal – Norm arbitrary large Initial reduction – L|∆K | (1)-smooth First step – L|∆K | 3 4 Second step – L|∆K | -smooth 5 8 -smooth ... al − 1 Last but one step – ≈ L|∆K | 1 2 -smooth al1 al2 . . . alnl J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings 2. The q-descent I + = a0 a11 a12 . . . a1n1 a21 a22 . . . a2n2 a31 a32 . . . a3n3 Input ideal – Norm arbitrary large Initial reduction – L|∆K | (1)-smooth First step – L|∆K | 3 4 Second step – L|∆K | -smooth 5 8 -smooth ... al − 1 Last but one step – ≈ L|∆K | al1 al2 . . . alnl Last step – Norm: L|∆K | (1) J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner 1 2 -smooth Computing Generator in Cyclotomic Integer Rings 2. The q-descent I + = a0 a11 a12 . . . a1n1 a21 a22 . . . a2n2 a31 a32 . . . a3n3 Input ideal – Norm arbitrary large Initial reduction – L|∆K | (1)-smooth First step – L|∆K | 3 4 Second step – L|∆K | -smooth 5 8 -smooth ... al − 1 al1 al2 . . . alnl Last but one step – ≈ L|∆K | Last step – L|∆K | J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner 1 2 1 2 -smooth -smooth Computing Generator in Cyclotomic Integer Rings 2.1. The q-descent – Initial round Input: a of norm arbitrarily large J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings 2.1. The q-descent – Initial round Input: a of norm arbitrarily large 1 Tool: DBKZ-reduction with block-size (log |∆K |) 2 ≤ N N on the lattice built from the canonical embedding OK+ → R 2 J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings 2.1. The q-descent – Initial round Input: a of norm arbitrarily large 1 Tool: DBKZ-reduction with block-size (log |∆K |) 2 ≤ N N on the lattice built from the canonical embedding OK+ → R 2 Output: small vector ←→ algebraic integer v ∈ a =⇒ ideal b ⊂ OK+ s.t. hvi = a · b and N (b) ≤ L|∆K | 23 J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings 2.1. The q-descent – Initial round Input: a of norm arbitrarily large 1 Tool: DBKZ-reduction with block-size (log |∆K |) 2 ≤ N N on the lattice built from the canonical embedding OK+ → R 2 Output: small vector ←→ algebraic integer v ∈ a =⇒ ideal b ⊂ OK+ s.t. hvi = a · b and N (b) ≤ L|∆K | 23 Cost: DBKZ-reduction ⇒ Poly (N, log N (a)) · L|∆K | J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner 1 2 Computing Generator in Cyclotomic Integer Rings Smoothness tests & Randomization Heuristic We assume that the probability P that an ideal of norm bounded by L|∆K | (a) is a power-product of prime ideals of norm bounded by B = L|∆K | (b) satisfies P ≥ L|∆K | (a − b)−1 . Using ECM algorithm, each B-smoothness test costs L|∆K | J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner b 2 . Computing Generator in Cyclotomic Integer Rings Smoothness tests & Randomization Heuristic We assume that the probability P that an ideal of norm bounded by L|∆K | (a) is a power-product of prime ideals of norm bounded by B = L|∆K | (b) satisfies P ≥ L|∆K | (a − b)−1 . Using ECM algorithm, each B-smoothness test costs L|∆K | Conclusion: b is L|∆K | (1)-smooth with probability L|∆K | and one test costs L|∆K | 12 . J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner b 2 . 1 −1 2 Computing Generator in Cyclotomic Integer Rings Smoothness tests & Randomization Heuristic We assume that the probability P that an ideal of norm bounded by L|∆K | (a) is a power-product of prime ideals of norm bounded by B = L|∆K | (b) satisfies P ≥ L|∆K | (a − b)−1 . Using ECM algorithm, each B-smoothness test costs L|∆K | Conclusion: b is L|∆K | (1)-smooth with probability L|∆K | and one test costs L|∆K | 12 . b 2 . 1 −1 2 Q =⇒ We use L|∆K | 21 ideals ã = a pei i for small prime ideals pi and integers ei to be sure to derive one b̃ that is L|∆K | (1)-smooth. J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings 2.2. The q-descent – Subsequent steps We cannot reduce the norm using the same lattice-reduction. J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings 2.2. The q-descent – Subsequent steps We cannot reduce the norm using the same lattice-reduction. Solution: Cheon’s trick Use the coefficient embedding in the basis ζ i + ζ −i i Compute the HNF of the integral lattice Find a short vector in a sublattice of smaller dimension J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings 2.2. The q-descent – Subsequent steps We cannot reduce the norm using the same lattice-reduction. Solution: Cheon’s trick Use the coefficient embedding in the basis ζ i + ζ −i i Compute the HNF of the integral lattice Find a short vector in a sublattice of smaller dimension Input: a with N (a) ≤ L|∆K | (α) J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings 2.2. The q-descent – Subsequent steps We cannot reduce the norm using the same lattice-reduction. Solution: Cheon’s trick Use the coefficient embedding in the basis ζ i + ζ −i i Compute the HNF of the integral lattice Find a short vector in a sublattice of smaller dimension Input: a with N (a) ≤ L|∆K | (α) Output: algebraic integer v ∈ a and ideal b ⊂ OK+ s.t. hvi = a · b and N (b) ≤ L|∆K | J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner 2α+3 4 Computing Generator in Cyclotomic Integer Rings 2.2. The q-descent – Subsequent steps We cannot reduce the norm using the same lattice-reduction. Solution: Cheon’s trick Use the coefficient embedding in the basis ζ i + ζ −i i Compute the HNF of the integral lattice Find a short vector in a sublattice of smaller dimension Input: a with N (a) ≤ L|∆K | (α) Output: algebraic integer v ∈ a and ideal b ⊂ OK+ s.t. hvi = a · b and N (b) ≤ L|∆K | 2α+3 4 J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner ; L|∆K | 2α+1 4 -smooth Computing Generator in Cyclotomic Integer Rings 2.2. The q-descent – Subsequent steps We cannot reduce the norm using the same lattice-reduction. Solution: Cheon’s trick Use the coefficient embedding in the basis ζ i + ζ −i i Compute the HNF of the integral lattice Find a short vector in a sublattice of smaller dimension Input: a with N (a) ≤ L|∆K | (α) Output: algebraic integer v ∈ a and ideal b ⊂ OK+ s.t. hvi = a · b and N (b) ≤ L|∆K | Cost: L|∆K | 1 2 2α+3 4 ; L|∆K | 2α+1 4 -smooth for lattice reduction & smoothness tests J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings 2.3. The q-descent – The final step After l − 1 steps, ideals have norm below L|∆K | J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner 1 2 + 1 2l . Computing Generator in Cyclotomic Integer Rings 2.3. The q-descent – The final step After l − 1 steps, ideals have norm below L|∆K | 1 2 + 1 2l . For l = dlog2 (log N )e, we have 1 1 1 1 1 L|∆K | + l ≤ L|∆K | + = L|∆K | . 2 2 2 log N 2 J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings 2.3. The q-descent – The final step After l − 1 steps, ideals have norm below L|∆K | 1 2 + 1 2l . For l = dlog2 (log N )e, we have 1 1 1 1 1 L|∆K | + l ≤ L|∆K | + = L|∆K | . 2 2 2 log N 2 Conclusion: All ideals have norm below L|∆K | J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner 1 2 Computing Generator in Cyclotomic Integer Rings 2.3. The q-descent – The final step After l − 1 steps, ideals have norm below L|∆K | 1 2 + 1 2l . For l = dlog2 (log N )e, we have 1 1 1 1 1 L|∆K | + l ≤ L|∆K | + = L|∆K | . 2 2 2 log N 2 Conclusion: 1 2 All ideals have norm below L|∆K | They are at most N l L|∆K | J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner 1 2 ideals Computing Generator in Cyclotomic Integer Rings 2.3. The q-descent – The final step After l − 1 steps, ideals have norm below L|∆K | 1 2 + 1 2l . For l = dlog2 (log N )e, we have 1 1 1 1 1 L|∆K | + l ≤ L|∆K | + = L|∆K | . 2 2 2 log N 2 Conclusion: 1 2 All ideals have norm below L|∆K | They are at most N l L|∆K | 1 2 ideals The total runtime of the q-descent is L|∆K | J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner 1 2 . Computing Generator in Cyclotomic Integer Rings 3. Solution for smooth ideals Input: Bunch of prime ideals of norm below B = L|∆K | J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner 1 2 Computing Generator in Cyclotomic Integer Rings 3. Solution for smooth ideals Input: Bunch of prime ideals of norm below B = L|∆K | 1 2 Index Calculus Method: Factor base: set of all prime ideals with norm below B J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings 3. Solution for smooth ideals Input: Bunch of prime ideals of norm below B = L|∆K | 1 2 Index Calculus Method: Factor base: set of all prime ideals with norm below B Relation collection: construction of a full-rank matrix M J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings 3. Solution for smooth ideals Input: Bunch of prime ideals of norm below B = L|∆K | 1 2 Index Calculus Method: Factor base: set of all prime ideals with norm below B Relation collection: construction of a full-rank matrix M Relation: principal idealP that splits on the factor base. Test ideals generated by v = vi (ζ i + ζ −i ) for |vi | ≤ log |∆K |. J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings 3. Solution for smooth ideals Input: Bunch of prime ideals of norm below B = L|∆K | 1 2 Index Calculus Method: Factor base: set of all prime ideals with norm below B Relation collection: construction of a full-rank matrix M Relation: principal idealP that splits on the factor base. Test ideals generated by v = vi (ζ i + ζ −i ) for |vi | ≤ log |∆K |. Norm below L|∆K | (1) =⇒ L|∆K | J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner 1 2 -smooth ideals in L|∆K | 1 2 Computing Generator in Cyclotomic Integer Rings . 3. Solution for smooth ideals Input: Bunch of prime ideals of norm below B = L|∆K | 1 2 Index Calculus Method: Factor base: set of all prime ideals with norm below B Relation collection: construction of a full-rank matrix M v1 v2 .. . v Q|B| → → .. . → M1,1 M2,1 .. . ··· ··· MQ|B|,1 · · · J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner M1,|B| M2,|B| .. . |B| Y M pj i,j =⇒ ∀i, hv i i = j=1 MQ|B|,|B| Computing Generator in Cyclotomic Integer Rings 3. Solution for smooth ideals Input: Bunch of prime ideals of norm below B = L|∆K | 1 2 Index Calculus Method: Factor base: set of all prime ideals with norm below B Relation collection: construction of a full-rank matrix M A N -dimensional vector Y including all the valuations of the smooth ideals in the pi J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings 3. Solution for smooth ideals Input: Bunch of prime ideals of norm below B = L|∆K | 1 2 Index Calculus Method: Factor base: set of all prime ideals with norm below B Relation collection: construction of a full-rank matrix M A N -dimensional vector Y including all the valuations of the smooth ideals in the pi A solution X of M X = Y provides a generator of the product of the L|∆K | 21 -smooth ideals J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings Implementation results PARI-GP and fplll for BKZ-reductions — Intel(R) Xeon(R) CPU E3-1275 v3 @ 3.50GHz with 32GB of memory Dimension of the field: N = 28 = 256. J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings Implementation results PARI-GP and fplll for BKZ-reductions — Intel(R) Xeon(R) CPU E3-1275 v3 @ 3.50GHz with 32GB of memory Dimension of the field: N = 28 = 256. Gentry-Szydlo: 20h and 24GB memory J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings Implementation results PARI-GP and fplll for BKZ-reductions — Intel(R) Xeon(R) CPU E3-1275 v3 @ 3.50GHz with 32GB of memory Dimension of the field: N = 28 = 256. Gentry-Szydlo: 20h and 24GB memory BKZ-reduction: between 10 min and 4h (Descent reduced to only one step) J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings Implementation results PARI-GP and fplll for BKZ-reductions — Intel(R) Xeon(R) CPU E3-1275 v3 @ 3.50GHz with 32GB of memory Dimension of the field: N = 28 = 256. Gentry-Szydlo: 20h and 24GB memory BKZ-reduction: between 10 min and 4h (Descent reduced to only one step) We recover g · ζ i — and so the secret key g — in less than a day. J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings Thanks Thank you J.F. Biasse, T. Espitau, P.A. Fouque, A. Gélin, P. Kirchner Computing Generator in Cyclotomic Integer Rings
© Copyright 2025 Paperzz