The Story of Soliloquy
Chan Bae
January 10, 2017
Abstract
The quantum model of computation allows certain problems to be solved more efficiently
than does classical computation. This has implications for the field of cryptography, and
especially public-key cryptography, which relies on certain computational problems currently
admitting no efficient solution.
In this paper, we explore the Soliloquy primitive, which was a potential candidate for a
quantum-resistant cryptographic scheme, and the quantum attack that rendered it insecure.
We begin with an exposition of Lattice-based cryptography and some algebraic number
theory. We go on to give an account of the Soliloquy primitive and an implementation
in SageMath. We briefly cover the quantum attack and its implications for Soliloquy and
lattice-based cryptography.
1 Introduction
Quantum computing promises to make many intractable computational problems tractable.
This has obvious implications for the field of public-key cryptography, which relies on the
unbypassable difficulty of certain cryptographic problems.1 In response, the subfield of postquantum cryptography has emerged to develop cryptographic schemes that continue to be secure
even against quantum computers.
One potential scheme that was studied is the Soliloquy primitive. This scheme relied on the
presumed hardness of a certain computational problem in a structure known as an ideal lattice
over the ring of cyclotomic integers. However, it was shown that the problem was not so hard for
quantum computers after all. In this paper, we give an exposition of lattice-based cryptography,
the Soliloquy scheme, and the impllications of the quantum attack for cryptography.
2 An overview of Lattice-based Cryptography
We give a brief overview of lattices and their role in cryptography. A more thorough treatment
can be found in [3] or [6].
Definition 2.1. A lattice L of Rn is a discrete subgroup of Rn .
Definition 2.2. A basis of L is an ordered set B = {b1 , b2 , · · ·, bn } of linearly independent
vectors such that
L = L (B) = B · Z =
(
X
)
ci : ci bi ∈ Z
i
1
In contrast, symmetric ciphers seem fairly safe. While Grover-style speedups provide a quadratic speedup,
this is easily remedied by doubling the key size. No catastrophic speedup such as that shown by Shor’s algorithm
have been found that affect symmetric-key cryptography.
1
Given a lattice, we can ask computationally difficult problems about the lattice, and importantly,
build cryptographic schemes around these problems. We present a small selection here.
Problem 2.1 (Shortest Vector Problem (SVP)). Given a lattice (represented by a basis), find
a vector in the lattice with the smallest norm.
Problem 2.2 (Closest Vector Problem (CVP)). Given a lattice L (by a basis) and a target
vector w, find a vector v ∈ L that minimizes |w − v|.
Given arbitrary bases, these problems are very computationally expensive. However, the problems become much easier if we are given a ”good” basis. For instance, if the given basis is
orthogonal, Babai’s algorithm solves CVP in time linear in n.
2.1 Babai’s algorithm
Suppose we have a lattice L ⊂ Rn with orthogonal basis B = {b1 , b2 , · · ·, bn }. Given an
arbitrary target vector w, we have
w=
X w · bi
i≤n
|bi |2
bi
and for any v ∈ L we have
v=
X
ci bi , ci ∈ Z
i≤n
Since the ci are required to be integers, v is closest to w when ci is the integer closest to
w·bi
.
|bi |2
Note that this algorithm still works if B is slightly non-orthogonal. Of course, the less orthogonal
B gets, the less likely the algorithm is to give the correct answer.
This should hint that CVP may be a good candidate problem for a public-key cryptosystem.
We have a problem that is hard in general but easy when given a small piece of information! If
we were to build a cryptosystem out of this, having the private key be an orthogonal basis, and
the public key to be a ”bad” (far from orthogonal) basis would be a reasonable place to start.
Furthermore, our plaintext would be encoded into a vector in L , and encryption should involve
a small perturbation to the vector so that recovering the plaintext would necessarily involve
solving CVP. Indeed there is a cryptosystem following this line of thought, the GGH public-key
cryptosystem, first proposed by Goldreich, Goldweisser, and Halevi in 1997.[9]
2.2 The GGH Public-key Cryptosystem
Alice takes a good (close to orthogonal) basis B = {b1 , b2 , · · ·, bn }. This will be her private
key. She then takes a bad basis W for L (B) and releases W as the public key. A good choice
of W would be the Hermite Normal Form (HNF) of B. Note that the HNF of a basis of a given
lattice is essentially unique, and can be computed efficiently from any basis. Therefore any
choice of W would allow an attack via the HNF. Choosing the HNF as the public key therefore
is the choice revealing the least information about B, and so the best choice of public key in
this sense. [1]
Suppose Bob wants to send a message m to Alice. He picks a small random vector r, and
computes
e=W ·m+r
2
.
If r is small enough, e is not in L (B). e will be the ciphertext.
For Alice, it is easy to recover m from e, she finds W · m ∈ L (B) via Babai’s algorithm, and
since she (and everyone else!) knows W , she can recover m. However, anyone without the
private key would have to solve the CVP with only a bad basis (W ), which is a computationally
intensive task.
Note that GGH as described above is not semantically secure! This is not a huge problem in
practice, and can be avoided by randomly padding the message.
We note that the main subject of this paper, the Soliloquy primitive, is also a version of the
GGH scheme.
Although there is no known asymptotically efficient attack on the GGH algorithm, GGH at moderately large choices of the security parameter is vulnerable to known attacks. [2] Since general
lattice bases require Ω(n2 ) space to store, encryption and decryption times grow quadratically
with the security parameter. This makes GGH impractical to use, leading us to consider lattices
with more structure, that allow us to represent bases more compactly. [3]
2.3 Ideal Lattices
Let K = Q(θ) be a number field of degree n, for an algebraic integer θ. Let O denote its
ring of integers. Then O has an integral basis. Furthermore, there are exactly n real or
complex embeddings σi : K → C. From these embeddings, we build a number field lattice as
follows.
Definition 2.3 (Canonical Embedding). Let r1 be the number of real embeddings of K into C.
The remaining embeddings are all complex and thus come in complex conjugate pairs. Define
1
r2 = n−r
2 .
The canonical embedding σ : K → Rn is defined by
σ(x) = (σ1 (x), σ2 (x), · · · , σr1 (x), Re(σr1 +1 (x)), Im(σr1 +1 (x)), · · · , (σr1 +r2 (x)), Im(σr1 +r2 (x)))
where the σi are ordered such that the real embeddings come first.
We can now construct a lattice Λ = σ(O).
This allows us to represent a lattice with much less data. We need only store the identity of the
number field used to generate the lattice. Unfortunately, there are only so many number fields
that can be practically used, and these number fields can be loosely classified into families with
similar structure. For instance, all the quadratic number fields have very similar properties. So
if a good basis or attack for one lattice is known, it is often easy to adapt the attack to many
other lattices. This leads us to consider certain sublattices of number field lattices, namely, the
ones associated with ideals of the ring of integers.
Ideals are particularly suited for cryptographic purposes as as ideals can be represented by their
generating sets, and each ideal has many generating sets, some with more elements than others.
This allows us to consider ”good” and ”bad” generating sets analogous to the way we considered
”good” and ”bad” bases.
This line of thought leads to more computational problems to base cryptographic schemes
upon.
3
Problem 2.3 (Principal Ideal Problem). Given a principal ideal I , find a generator of I .
Problem 2.4 (Short Generator Principal Ideal Problem). Given a principal ideal I guaranteed
to have a short generator, find a short generator of I .
3 The Soliloquy Primitive
The Soliloquy primitive, proposed by Dan Shepherd in 2007, can be understood as a variant
of the GGH lattice encryption scheme. Initially believed to be a candidate for a practical
quantum resistant encryption algorithm, it fell from grace when an efficient quantum attack
was found.[4]
3.1 The idea
Let n be a prime, K = Q(ζ) be the n-th cyclotomic field, and O = Z[ζ] be the ring of integers
of K. For a prime p ≡ 1 mod n, the principal ideal pO decomposes into a product of prime
ideals
n−1
Y
pO =
Pi
i=1
each with norm p. Furthermore, each prime ideal has a two-element representation by the
following theorem.
Theorem 3.1 (Dedekind, as in [5]). Let K be a number field of degree n with ring of integers
O = Z[θ] generated by θ ∈ O. Given a rational prime p, suppose the minimal polynomial f of
θ over Q gives rise to the factorization into irreducibles over Zp :
e
e
f¯ = f¯1 1 · · · f¯r r
where the bar denotes the natural map Z[t] → Zp [t]. Then if fi ∈ Z[t] is any polynomial mapping
onto f¯i , the ideal Pi = pO + fi (θ)O is prime, and the prime factorization of pO is
pO =
n−1
Y
Pi
i=1
In this case, we get
Pi = pO + (ζ − ci )O
where the ci are the nontrivial n-th roots of unity mod p.
We now find a ci by defining c = 2(p−1)/n mod p. If c is nontrivial, as it will be with probability
(1 − 1/n), c is a nontrivial root of unity mod p, and one of the prime ideals P has the twoelement representation P = pO + (ζ − c)O. This lets us identify the rational prime p with the
prime ideal P.
Noting that O/P ∼
= Fp , we can see there is a natural homomorphism ψ : O → O/P ∼
= Fp
given by
ψ(1) = 1, ψ(ζ) = c
We will use ψ for our encryption function.
4
To decrypt, we need to be able to recover a coset representative. We will do this by constructing
p such that P = αO for a small α ∈ O, and this α will serve as our private key. We can then
recover by viewing decryption as an instance of the closest vector problem in the ideal lattice
corresponding to P.
This approach is similar to the one used by Smart and Vercauteren in their fully homomorphic
encryption scheme.[10]
3.2 Key Generation
We generate a suitable α by randomly generating elements of O with coefficients sampled from
a discrete Gaussian of mean 0 and width σ. Then the candidate α is tested with the following
conditions to ensure that p = N (α) is a valid public key.
• p is prime.
• c = 2(p−1)/n 6≡ 1 mod p.
Then αO is a prime ideal since p = N (α) is prime, and by unique factorization each Pi must be
the principal ideal generated by a Galois conjugate of α. All that remains is to identify which
conjugate of α corresponds to pO + (ζ − c)O, which can be done by taking each conjugate αi
and checking if ζ−c
αi ∈ O
3.3 Implementation
It is highly instructive to actually implement the Soliloquy scheme. Our implementation
of the Soliloquy cryptosystem as well as some test cases in SageMath[7] can be found at:
https://cloud.sagemath.com/projects/637e63f4-7371-4ad1-9c41-86e1e11b4152/files/
3.4 The Quantum Attack and Conclusions
Although it was hoped that Soliloquy would provide a quantum-safe public-key cryptographic
scheme, Campbell, Groves, and Shepherd found an efficient quantum attack[4] on the primitive.
This indicated that Soliloquy would not be adequate protection against quantum computers.
However, it is important to note that this does not mean that lattice-based cryptography in
general is vulnerable to quantum computation. The attack relied on the fact that Soliloquy
uses a special type of ideals that turned out to be ”weaker” than general ideals. This weakness
does not apply to most lattice-based cryptosystems. In particular, it does not apply to those
schemes which have worst-case hardness proofs that go through the Ring Learning With Errors
problem or the Ring Short Integer Solution problem. Unfortunately, most lattice-based schemes
fall into one of two categories. The first is those schemes that are efficient enough for practical
use, but do not have proven security guarantees, and the second is those schemes that have
very good proven hardness guarantees but are too slow.[3] The story of Soliloquy highlights
the importance of worst-case hardness proofs in ensuring that concessions made in the name
of practical feasibility do not introduce vulnerabilities by relying on “easy” special cases of a
presumed hard problem.
5
References
[1] Micciancio, Daniele. Improving lattice based cryptosystems using the hermite normal form
In J. Silverman, editor, Cryptography and Lattices Conference — CaLC 2001, volume 2146
of Lecture Notes in Computer Science, pages 126–145, Providence, Rhode Island, Mar. 2001.
Springer-Verlag.
[2] Nguyen, Phong. Cryptanalysis of the Goldreich–Goldwasser–Halevi Cryptosystem from
Crypto ’97. In CRYPTO ’99: Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology, pages 288–304, London, UK, 1999. Springer-Verlag.
[3] Micciancio, Daniele, and Oded Regev. ”Lattice-based cryptography.” In Post-quantum cryptography, pp. 147-191. Springer Berlin Heidelberg, 2009.
[4] Campbell, Peter, Michael Groves, and Dan Shepherd. ”Soliloquy: A cautionary tale.” In
ETSI 2nd Quantum-Safe Crypto Workshop, pp. 1-9. 2014.
[5] Stewart, Ian, and David Tall. Algebraic number theory and Fermat’s last theorem. CRC
Press, 2015.
[6] Regev, Oded. ”Lattice-based cryptography.” In Annual International Cryptology Conference,
pp. 131-141. Springer Berlin Heidelberg, 2006.
[7] The Sage Developers, 2016, SageMath, the Sage Mathematics Software System (Version
7.4), http://www.sagemath.org.
[8] SageMath,
Inc.,
SageMathCloud
https://cloud.sagemath.com.
Online
Computational
Mathematics,
2016.
[9] Oded Goldreich, Shafi Goldwasser, and Shai Halevi. Public-key cryptosystems from lattice
reduction problems. In CRYPTO ’97: Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology, pages 112–131, London, UK, 1997. SpringerVerlag.
[10] Smart, Nigel P., and Frederik Vercauteren. ”Fully homomorphic encryption with relatively
small key and ciphertext sizes.” In International Workshop on Public Key Cryptography, pp.
420-443. Springer Berlin Heidelberg, 2010.
6