A Quantum Algorithm for Finding Midly Short Vectorsin Cyclotomic Ideal Lattices
Leo DucasBased on Joint Work with
R. Cramer, O. Regev. C. Peikert, B. Wesolowski
Cryptology Group, CWI, Amsterdam, The Netherlands
Mathematics of Public Key CryptographyAussois, FR, March 2019
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 1 / 47
Lattice-Based Crypto
Lattice problems provide a strong fundation for Post-Quantum Crypto
Worst-case to average-case reduction [Ajt99, Reg09]
Worst-case Approx-SVP ≤{
SIS (Short Intreger Solution)LWE (Learning With Errors)
How hard is Approx-SVP ? Depends on the Approximation factor α.
Cry
pto
αpoly(n) eΘ(
√n) eΘ(n)
Time
poly(n)
eΘ(√n)
eΘ(n)
LLL
BKZ
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 2 / 47
Lattice-Based Crypto
Lattice problems provide a strong fundation for Post-Quantum Crypto
Worst-case to average-case reduction [Ajt99, Reg09]
Worst-case Approx-SVP ≤{
SIS (Short Intreger Solution)LWE (Learning With Errors)
How hard is Approx-SVP ? Depends on the Approximation factor α.
Cry
pto
αpoly(n) eΘ(
√n) eΘ(n)
Time
poly(n)
eΘ(√n)
eΘ(n)
LLL
BKZ
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 2 / 47
Lattices over Rings (Ideals, Modules)
Generic lattices are cumbersome! Key-size = O(n2).
NTRU Cryptosystems [HPS98, HHGP+03]
Use the convolution ring R = R[X ]/(X p − 1), and module-lattices:
Lh = {(x , y) ∈ R2, hx + y ≡ 0 mod q}.
Same lattice dimension, Key-Size = O(n). Later came variants withworst-case fundations:
wc-to-ac reduction [Mic07, LPR13]
Worst-case Approx-Ideal-SVP ≤{
Ring-SISRing-LWE
Applicable for cyclotomic rings R = Z[ζm] (ζm a primitive m-th root of unity).
Denote n = degR. In our cyclotomic cases: n = φ(m) ∼ m.
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 3 / 47
Lattices over Rings (Ideals, Modules)
Generic lattices are cumbersome! Key-size = O(n2).
NTRU Cryptosystems [HPS98, HHGP+03]
Use the convolution ring R = R[X ]/(X p − 1), and module-lattices:
Lh = {(x , y) ∈ R2, hx + y ≡ 0 mod q}.
Same lattice dimension, Key-Size = O(n). Later came variants withworst-case fundations:
wc-to-ac reduction [Mic07, LPR13]
Worst-case Approx-Ideal-SVP ≤{
Ring-SISRing-LWE
Applicable for cyclotomic rings R = Z[ζm] (ζm a primitive m-th root of unity).
Denote n = degR. In our cyclotomic cases: n = φ(m) ∼ m.
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 3 / 47
Lattices over Rings (Ideals, Modules)
Generic lattices are cumbersome! Key-size = O(n2).
NTRU Cryptosystems [HPS98, HHGP+03]
Use the convolution ring R = R[X ]/(X p − 1), and module-lattices:
Lh = {(x , y) ∈ R2, hx + y ≡ 0 mod q}.
Same lattice dimension, Key-Size = O(n). Later came variants withworst-case fundations:
wc-to-ac reduction [Mic07, LPR13]
Worst-case Approx-Ideal-SVP ≤{
Ring-SISRing-LWE
Applicable for cyclotomic rings R = Z[ζm] (ζm a primitive m-th root of unity).
Denote n = degR. In our cyclotomic cases: n = φ(m) ∼ m.
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 3 / 47
Approx-Ideal-SVP in poly-time for large α
Approx-Ideal-SVP solvable in Quantum poly-time, for
R = Z[ζm], α = exp(O(√n)).
Better tradeoffs
Cry
pto
αpoly(n) eΘ(
√n) eΘ(n)
Time
poly(n)
eΘ(√n)
eΘ(n)BKZ
This alg.
Impact and limitations
I No schemes broken
I Hardness gap betweenSVP and Ideal-SVP
I New cryptanalytic tools
⇒ start favoring weakerassumptions ?e.g. Module-LWE
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 4 / 47
Approx-Ideal-SVP in poly-time for large α
Approx-Ideal-SVP solvable in Quantum poly-time, for
R = Z[ζm], α = exp(O(√n)).
Better tradeoffs
Cry
pto
αpoly(n) eΘ(
√n) eΘ(n)
Time
poly(n)
eΘ(√n)
eΘ(n)BKZ
This alg.
Impact and limitations
I No schemes broken
I Hardness gap betweenSVP and Ideal-SVP
I New cryptanalytic tools
⇒ start favoring weakerassumptions ?e.g. Module-LWE
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 4 / 47
Approx-Ideal-SVP in poly-time for large α
Approx-Ideal-SVP solvable in Quantum poly-time, for
R = Z[ζm], α = exp(O(√n)).
Better tradeoffs
Cry
pto
αpoly(n) eΘ(
√n) eΘ(n)
Time
poly(n)
eΘ(√n)
eΘ(n)BKZ
This alg.
Impact and limitations
I No schemes broken
I Hardness gap betweenSVP and Ideal-SVP
I New cryptanalytic tools
⇒ start favoring weakerassumptions ?e.g. Module-LWE
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 4 / 47
Approx-Ideal-SVP in poly-time for large α
Approx-Ideal-SVP solvable in Quantum poly-time, for
R = Z[ζm], α = exp(O(√n)).
Better tradeoffs
Cry
pto
αpoly(n) eΘ(
√n) eΘ(n)
Time
poly(n)
eΘ(√n)
eΘ(n)BKZ
This alg.
Impact and limitations
I No schemes broken
I Hardness gap betweenSVP and Ideal-SVP
I New cryptanalytic tools
⇒ start favoring weakerassumptions ?e.g. Module-LWE
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 4 / 47
Algebraic Number Theory
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 5 / 47
Ideals and Principal Ideals
Cyclotomic number field: K (= Q(ζm)), ring of integer OK (= Z[ζm]), whereζm is a formal m-th root of unity. The degree of K is n = ϕ(m)
Definition (Ideals)
I An integral ideal is a subset h ⊂ OK closed under addition, and bymultiplication by elements of OK ,
I A (fractional) ideal is a subset f ⊂ K of the form f = 1x h, where
x ∈ Z,
I A principal ideal is an ideal f of the form f = gOK for some g ∈ K .
In particular, ideals are lattices.
We denote FK the set of fractional ideals,and PK the set of principal ideals.
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 6 / 47
Ideals as Lattices
There is a Ring morphism (the empeddings):
K → Cn
ζ 7→ (ωi )i∈Z×m
where ω ∈ C is a complex m-th root of unity. This allows to view ideal aslattices.
I One can therefore view Ideal as lattices
I In the empedding space, multiplication is component-wise (' FFT)
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 7 / 47
Class Group
Ideals can be multiplied, and remain ideals:
ab =
{∑finite
aibi , ai ∈ a, bi ∈ b
}.
The product of two principal ideals remains principal:
(aOK )(bOK ) = (ab)OK .
FK form an abelian group1, PK is a subgroup of it.
Definition (Class Group)
Their quotient forms the class group ClK = FK/PK .The class of an ideal a ∈ FK is denoted [a] ∈ ClK .
An ideal a is principal iff [a] = [OK ].
1with neutral element OK
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 8 / 47
Class Group
Ideals can be multiplied, and remain ideals:
ab =
{∑finite
aibi , ai ∈ a, bi ∈ b
}.
The product of two principal ideals remains principal:
(aOK )(bOK ) = (ab)OK .
FK form an abelian group1, PK is a subgroup of it.
Definition (Class Group)
Their quotient forms the class group ClK = FK/PK .The class of an ideal a ∈ FK is denoted [a] ∈ ClK .
An ideal a is principal iff [a] = [OK ].
1with neutral element OK
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 8 / 47
Lattice of Class Relations
Choose a factor basis: a set B = {p1, . . . , pk} such that {[p1], . . . , [pk ]}generates ClK .Consider the morphism
φ : Zk → ClK
(x1, . . . xk) 7→[∏
pxii
]
I The kernel Λ = ker φ is the lattice of class relation over B.
I Reducing xi modulo Λ : finding a small representative in the same class
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 9 / 47
Unit Group and Principal Ideals
I An element g ∈ K× generates an ideal gOK (≈ GLn(R))
I The unit group O×K = {x ∈ OK s.t. x−1 ∈ OK}. (≈ GLn(Z))
I g and h generates the same ideal iff g = uh for some unit u ∈ OK
PK ' K×/O×K
({lattices} ' GLn(R)/GLn(Z))
I Unlike {lattices} ' GLn(R)/GLn(Z), the groups are commutative :reduction should be much easier...
I Spoiler: take the log and O×K becomes a lattice !
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 10 / 47
Unit Group and Principal Ideals
I An element g ∈ K× generates an ideal gOK (≈ GLn(R))
I The unit group O×K = {x ∈ OK s.t. x−1 ∈ OK}. (≈ GLn(Z))
I g and h generates the same ideal iff g = uh for some unit u ∈ OK
PK ' K×/O×K
({lattices} ' GLn(R)/GLn(Z))
I Unlike {lattices} ' GLn(R)/GLn(Z), the groups are commutative :reduction should be much easier...
I Spoiler: take the log and O×K becomes a lattice !
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 10 / 47
Unit Group and Principal Ideals
I An element g ∈ K× generates an ideal gOK (≈ GLn(R))
I The unit group O×K = {x ∈ OK s.t. x−1 ∈ OK}. (≈ GLn(Z))
I g and h generates the same ideal iff g = uh for some unit u ∈ OK
PK ' K×/O×K
({lattices} ' GLn(R)/GLn(Z))
I Unlike {lattices} ' GLn(R)/GLn(Z), the groups are commutative :reduction should be much easier...
I Spoiler: take the log and O×K becomes a lattice !
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 10 / 47
Unit Group and Principal Ideals
I An element g ∈ K× generates an ideal gOK (≈ GLn(R))
I The unit group O×K = {x ∈ OK s.t. x−1 ∈ OK}. (≈ GLn(Z))
I g and h generates the same ideal iff g = uh for some unit u ∈ OK
PK ' K×/O×K
({lattices} ' GLn(R)/GLn(Z))
I Unlike {lattices} ' GLn(R)/GLn(Z), the groups are commutative :reduction should be much easier...
I Spoiler: take the log and O×K becomes a lattice !
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 10 / 47
Tesselation: commutative v.s. non-commutative
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 11 / 47
Overview
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 12 / 47
4 Steps to Ideal-SVP
The Close Principal Multiple Problem
Given an ideal a, find c ⊂ a that is principal, and not much sparser
1. Find a representative∏
pxii of [a−1] [EHKS14, BS15]
2. Make the xi small by reducing modulo class relations [CDW17]
⇒ Output c = a ·∏
pxii
Short Generator Problem
Given a principal ideal c, find a short generator g of c
3. Find any generator g of c [EHKS14, BS15]
4. Reduce g modulo the unit group O×K [CDPR16]
⇒ Output g
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 13 / 47
This talk
Working Hypothesis
|Quantum〉 = Magic
We will focus on the following steps:
2. Make the xi small by reducing modulo class relations [CDW17]
4. Reduce g modulo the unit group O×K [CDPR16]
For a survey covering all the steps, refer to [Duc17].
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 14 / 47
The Close Principal MultipleProblem
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 15 / 47
From CPM to Ideal-SVP
Definition (The Close Principal Multiple problem)
I Given an ideal a, and an factor F
I Find a small integral ideal b such that [ab] = [OK ] and Nb ≤ F
Smallness is with respect to the Algebraic Norm N of b,(essentially the volume of b as a lattice).
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 16 / 47
Factor Basis, Class-Group Discrete-Log
Choose a factor basis B of integral ideals and search b of the form:
b =∏p∈B
pep .
We choose |B| small (say n) and p ∈ B small as well Np = poly(n).
Corollary (Quantum Cl-Discrete Logarithm,[BS15])
Assume B generates the class-group. Given a and B, one can find inquantum polynomial time a vector e ∈ ZB such that:∏
p∈B
[pep]
=[a−1].
This finds a b such that [ab] = [OK ], yet:
I b may not be integral (negative exponents, yet easy to solve)
I Nb ≈ exp(‖e‖1) may be huge (unbounded e, want ‖e‖1 = O(n3/2)).
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 17 / 47
Factor Basis, Class-Group Discrete-Log
Choose a factor basis B of integral ideals and search b of the form:
b =∏p∈B
pep .
We choose |B| small (say n) and p ∈ B small as well Np = poly(n).
Corollary (Quantum Cl-Discrete Logarithm,[BS15])
Assume B generates the class-group. Given a and B, one can find inquantum polynomial time a vector e ∈ ZB such that:∏
p∈B
[pep]
=[a−1].
This finds a b such that [ab] = [OK ], yet:
I b may not be integral (negative exponents, yet easy to solve)
I Nb ≈ exp(‖e‖1) may be huge (unbounded e, want ‖e‖1 = O(n3/2)).
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 17 / 47
Factor Basis, Class-Group Discrete-Log
Choose a factor basis B of integral ideals and search b of the form:
b =∏p∈B
pep .
We choose |B| small (say n) and p ∈ B small as well Np = poly(n).
Corollary (Quantum Cl-Discrete Logarithm,[BS15])
Assume B generates the class-group. Given a and B, one can find inquantum polynomial time a vector e ∈ ZB such that:∏
p∈B
[pep]
=[a−1].
This finds a b such that [ab] = [OK ], yet:
I b may not be integral (negative exponents, yet easy to solve)
I Nb ≈ exp(‖e‖1) may be huge (unbounded e, want ‖e‖1 = O(n3/2)).
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 17 / 47
Navigating the Class-Group
Cayley-Graph(G ,A):
I A node for any element g ∈ G
I An arrow ga−→ ga for any g ∈ G , a ∈ A
Figure: Cayley-Graph((Z/5Z,+),{1,2})
�?
Rephrased Goal for CPM
Find a short path from [a] to [OK ] in Cayley-Graph(Cl,B).
I Using a few well chosen ideals in B, Cayley-Graph(Cl,B) is anexpander Graph [JW15]: very short paths exist.
I Finding such short path generically too costly: |Cl | > exp(n)
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 18 / 47
A lattice problem
Cl is abelian and finite, so Cl = ZB/Λ for some lattice Λ:
Λ ={
e ∈ ZB, s.t.∏
[pep] = [OK ]}
i.e. the (full-rank) lattice of class-relations in base B.
Figure: (Z/5Z,+) = Z{1,2}/Λ
�
Rephrased Goal for CPM: CVP in Λ
Find a short path from t ∈ ZB to any lattice point v ∈ Λ.
In general: very hard. But for good Λ, with a good basis, can be easy.
Why should we know anything special about Λ ?
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 19 / 47
A lattice problem
Cl is abelian and finite, so Cl = ZB/Λ for some lattice Λ:
Λ ={
e ∈ ZB, s.t.∏
[pep] = [OK ]}
i.e. the (full-rank) lattice of class-relations in base B.
Figure: (Z/5Z,+) = Z{1,2}/Λ
�
Rephrased Goal for CPM: CVP in Λ
Find a short path from t ∈ ZB to any lattice point v ∈ Λ.
In general: very hard. But for good Λ, with a good basis, can be easy.
Why should we know anything special about Λ ?
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 19 / 47
Example
Figure: Cayley-Graph(Z/5Z, {1, 2}) ' Z{1,2}/Λ
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 20 / 47
More than just a lattice
Let G denote the Galois group, it acts on ideals and therefore on classes:
[a]σ = [σ(a)].
Consider the group-ring Z[G ] (formal sums on G ), extend the G -action:
[a]e =∏σ∈G
[σ(a)]eσ where e =∑
eσσ.
I Assume B = {pσ, σ ∈ G}I G acts on B, and so it acts on ZB by permuting coordinates
I the lattice Λ ⊂ ZB is invariant by the action of G !i.e. Λ admits G as a group of symmetries
Λ is more than just a lattice: it is a Z[G ]-module
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 21 / 47
More than just a lattice
Let G denote the Galois group, it acts on ideals and therefore on classes:
[a]σ = [σ(a)].
Consider the group-ring Z[G ] (formal sums on G ), extend the G -action:
[a]e =∏σ∈G
[σ(a)]eσ where e =∑
eσσ.
I Assume B = {pσ, σ ∈ G}I G acts on B, and so it acts on ZB by permuting coordinates
I the lattice Λ ⊂ ZB is invariant by the action of G !i.e. Λ admits G as a group of symmetries
Λ is more than just a lattice: it is a Z[G ]-module
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 21 / 47
More than just a lattice
Let G denote the Galois group, it acts on ideals and therefore on classes:
[a]σ = [σ(a)].
Consider the group-ring Z[G ] (formal sums on G ), extend the G -action:
[a]e =∏σ∈G
[σ(a)]eσ where e =∑
eσσ.
I Assume B = {pσ, σ ∈ G}I G acts on B, and so it acts on ZB by permuting coordinates
I the lattice Λ ⊂ ZB is invariant by the action of G !i.e. Λ admits G as a group of symmetries
Λ is more than just a lattice: it is a Z[G ]-module
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 21 / 47
More than just a lattice
Let G denote the Galois group, it acts on ideals and therefore on classes:
[a]σ = [σ(a)].
Consider the group-ring Z[G ] (formal sums on G ), extend the G -action:
[a]e =∏σ∈G
[σ(a)]eσ where e =∑
eσσ.
I Assume B = {pσ, σ ∈ G}I G acts on B, and so it acts on ZB by permuting coordinates
I the lattice Λ ⊂ ZB is invariant by the action of G !i.e. Λ admits G as a group of symmetries
Λ is more than just a lattice: it is a Z[G ]-module
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 21 / 47
Stickelberger’s Theorem
In fact, we know much more about Λ !
Definition (The Stickelberger ideal)
The Stickelberger element θ ∈ Q[G ] is defined as
θ =∑
a∈(Z/mZ)∗
( a
mmod 1
)σ−1a where G 3 σa : ω 7→ ωa.
The Stickelberger ideal is defined as S = Z[G ] ∩ θZ[G ].
Theorem (Stickelberger’s theorem)
The Stickelberger ideal annihilates the class group: ∀e ∈ S , a ⊂ K
[ae ] = [OK ].
In particular, if B = {pσ, σ ∈ G}, then S ⊂ Λ.
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 22 / 47
Geometry of the Stickelberger ideal
Fact
There exists an explicit (efficiently computable) short basis of S , namely ithas ternary coefficients.
Corollary
Given t ∈ Z[G ], one can find x ∈ S suh that ‖x − t‖1 ≤ n3/2.
Conclusion: back to CPM
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 23 / 47
Extra technicalities
Convenient simplifications/omissions made so far:
B = {pσ, σ ∈ G} generates the class group.
I can allow a few (say polylog) many different ideals and theirconjugates in B
I Numerical computation says such B should exist [Sch98]
I Theorem+Heuristic then say we can find such B efficiently
Eliminating minus exponents
I Easy when h+ = 1 : [a−1] = [a], doable when h+ = poly(n). a
I Justified by numerical computations and heuristics[BPR04, Sch03]
a h+ is the size of the class group of K+, the max. real subfield of K
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 24 / 47
The Short Generator Problem
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 25 / 47
Invocation of |Quantum〉 Magic
Given an ideal c, one can find a generator h of it using a quantum computer.[EHKS14, Bia14]
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 26 / 47
The Logarithmic Embedding
The n embeddings σi : K 7→ C for i for i ∈ Z×m are given by
σi (ζ) = ωi
The logarithmic Embedding is defined as
Log : K → Rn/2
x 7→ (log |σi (x)|)i∈Z×m/±1
It induces
I a group morphism from (K \ {0}, ·) to (Rn/2,+)
I a monoid morphism from (R \ {0}, ·) to (Rn/2,+)
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 27 / 47
The Unit Group
By Dirichlet Unit Theorem
I the kernel of Log is the cyclic group T of roots of unity of OK
I LogO×K ⊂ Rn is an lattice of rank r + c − 1
(where K has r real embeddings and 2c complex embeddings)
Reduction modulo OK : a Close Vector Problem
Elements g , h ∈ K generate the same ideal if and only if h = g · u for someunit u ∈ O×K . In particular
Log g ∈ Log h + LogO×K .
and g is the “smallest” generator iff Log u ∈ LogO×K is a vector “closest”to Log h.
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 28 / 47
The Unit Group
By Dirichlet Unit Theorem
I the kernel of Log is the cyclic group T of roots of unity of OK
I LogO×K ⊂ Rn is an lattice of rank r + c − 1
(where K has r real embeddings and 2c complex embeddings)
Reduction modulo OK : a Close Vector Problem
Elements g , h ∈ K generate the same ideal if and only if h = g · u for someunit u ∈ O×K . In particular
Log g ∈ Log h + LogO×K .
and g is the “smallest” generator iff Log u ∈ LogO×K is a vector “closest”to Log h.
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 28 / 47
Example: Embedding Z[√
2] ↪→ R2
1
1
−1
0
1
2
√2
1 +√
2
I x-axis: a + b√
2 7→ a + b√
2
I y -axis: a + b√
2 7→ a− b√
2
I component-wise multiplication
I Symmetries induced byI mult. by −1I conjugation
√2 7→ −
√2
� “Orthogonal” elements
� Units (algebraic norm 1)
� “Isonorms” curves
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 29 / 47
Example: Embedding Z[√
2] ↪→ R2
1
1
−1
0
1
2
√2
1 +√
2
I x-axis: a + b√
2 7→ a + b√
2
I y -axis: a + b√
2 7→ a− b√
2
I component-wise multiplication
I Symmetries induced byI mult. by −1I conjugation
√2 7→ −
√2
� “Orthogonal” elements
� Units (algebraic norm 1)
� “Isonorms” curves
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 29 / 47
Example: Embedding Z[√
2] ↪→ R2
1
1
−1
0
1
2
√2
1 +√
2
I x-axis: a + b√
2 7→ a + b√
2
I y -axis: a + b√
2 7→ a− b√
2
I component-wise multiplication
I Symmetries induced byI mult. by −1I conjugation
√2 7→ −
√2
� “Orthogonal” elements
� Units (algebraic norm 1)
� “Isonorms” curves
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 29 / 47
Example: Embedding Z[√
2] ↪→ R2
1
1
−1
0
1
2
√2
1 +√
2
I x-axis: a + b√
2 7→ a + b√
2
I y -axis: a + b√
2 7→ a− b√
2
I component-wise multiplication
I Symmetries induced byI mult. by −1I conjugation
√2 7→ −
√2
� “Orthogonal” elements
� Units (algebraic norm 1)
� “Isonorms” curves
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 29 / 47
Example: Embedding Z[√
2] ↪→ R2
1
1
−1
0
1
2
√2
1 +√
2
I x-axis: a + b√
2 7→ a + b√
2
I y -axis: a + b√
2 7→ a− b√
2
I component-wise multiplication
I Symmetries induced byI mult. by −1I conjugation
√2 7→ −
√2
� “Orthogonal” elements
� Units (algebraic norm 1)
� “Isonorms” curves
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 29 / 47
Example: Logarithmic Embedding LogZ[√
2]
({•},+) is a sub-monoid of R2
1
1
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 30 / 47
Example: Logarithmic Embedding LogZ[√
2]
LogO×K =({•},+) ∩ � is a lattice of R2, orthogonal to (1, 1)
1
1
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 30 / 47
Example: Logarithmic Embedding LogZ[√
2]
{•} ∩ � are shifted finite copies of LogO×K
1
1
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 30 / 47
Example: Logarithmic Embedding LogZ[√
2]
Some {•} ∩ � may be empty (e.g. no elements of Norm 3 in Z[√
2])
1
1
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 30 / 47
Reduction modulo LogZ[√
2]×
The reduction modulo Z[√
2]×.
1
1
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 31 / 47
Cyclotomic units
Let’s assume m = pk for some prime p.
zj = 1− ζ j and bj = zj/z1 for all j coprimes with m.
The bj are units, and the group C generated by
ζ, bj for j = 2, . . .m/2, j coprime with m
is known as the group of cyclotomic units.
Simplification 1 (Weber’s Class Number Problem)
We assume2 that O×K = C . It is conjectured to be true for m = 2k .
Simplification 2 (for this talk)
We study the dual matrix Z∨, where zj = Log zj .It can be proved to close to B∨ where bj = zj − z1.
2One just need the index [O×K : C ] = h+(m) to be small.
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 32 / 47
Cyclotomic units
Let’s assume m = pk for some prime p.
zj = 1− ζ j and bj = zj/z1 for all j coprimes with m.
The bj are units, and the group C generated by
ζ, bj for j = 2, . . .m/2, j coprime with m
is known as the group of cyclotomic units.
Simplification 1 (Weber’s Class Number Problem)
We assume2 that O×K = C . It is conjectured to be true for m = 2k .
Simplification 2 (for this talk)
We study the dual matrix Z∨, where zj = Log zj .It can be proved to close to B∨ where bj = zj − z1.
2One just need the index [O×K : C ] = h+(m) to be small.
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 32 / 47
Cyclotomic units
Let’s assume m = pk for some prime p.
zj = 1− ζ j and bj = zj/z1 for all j coprimes with m.
The bj are units, and the group C generated by
ζ, bj for j = 2, . . .m/2, j coprime with m
is known as the group of cyclotomic units.
Simplification 1 (Weber’s Class Number Problem)
We assume2 that O×K = C . It is conjectured to be true for m = 2k .
Simplification 2 (for this talk)
We study the dual matrix Z∨, where zj = Log zj .It can be proved to close to B∨ where bj = zj − z1.
2One just need the index [O×K : C ] = h+(m) to be small.
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 32 / 47
How good is this basis
I It is quite easy to prove that ‖zi‖ ≤ O(√m).
I ⇒ One can solve CVP with `∞ distance ≤ O(√n log n).
I ⇒ we can find a generator of length ‖g‖ ≤ exp(O(√n log n)) · (Nc)1/n.
QED
Recall that the principal ideal c ⊂ a verified Nc ≤ exp(n3/2)Na. That givesg ∈ a:
‖g‖ ≤ exp(√n log n) · vol(a)1/n.
We have solved Ideal-SVP with approximation fact exp(O(√n log n))
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 33 / 47
Don’t leave !
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 34 / 47
More fun with LogO×K ...
How well can we solve BDD in this lattice ?
This actually has devastating consequence for ‘atypical’ crypto schemes(Soliloquy and the first generation of Fully Homomorphic Encryption Scheme)
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 35 / 47
Round-Off Decoding
We also need the fundamental domain to have an efficient reductionalgorithm. The simplest one follows:
RoundOff(B, t) for B a basis of Λ
I Return B · bB−1 · te.
Used as a decoding algorithm, its correctness is characterized by the error eand the dual basis B∨ = B−T .
Fact
Suppose t = v + e for some v ∈ Λ. If 〈b∨j , e〉 ∈ [−12 ,
12 ) for all j , then
Round(B, t) = v.
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 36 / 47
Dual of a Circulant Basis
Notice that Zij = log |σj(1− ζ i )| = log |1− ωij |:the matrix Z is G -circulant for the cyclic group G = Z×m/± 1.
Fact
If M is a non-singular, G -circulant matrix, then
I its eigenvalues are given by λχ =∑
g∈G χ(g) ·M1,g
where χ ∈ G is a character G → CI All the vectors of M∨ have the same norm ‖m∨i ‖2 =
∑χ∈G |λχ|
−2
Note: The characters of G can be extended to even Dirichlet charactersmod m: χ : Z→ C, by setting χ(a) = 0 if gcd(a,m) > 1.
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 37 / 47
Dual of a Circulant Basis
Notice that Zij = log |σj(1− ζ i )| = log |1− ωij |:the matrix Z is G -circulant for the cyclic group G = Z×m/± 1.
Fact
If M is a non-singular, G -circulant matrix, then
I its eigenvalues are given by λχ =∑
g∈G χ(g) ·M1,g
where χ ∈ G is a character G → CI All the vectors of M∨ have the same norm ‖m∨i ‖2 =
∑χ∈G |λχ|
−2
Note: The characters of G can be extended to even Dirichlet charactersmod m: χ : Z→ C, by setting χ(a) = 0 if gcd(a,m) > 1.
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 37 / 47
Computing the Eigenvalues
We wish to give a lower bound on |λχ| where
λχ =∑a∈G
χ(a) · log |1− ωa|.
We develop using the Taylor series
log |1− x | = −∑k≥1
xk/k
and obtain
−λχ =∑a∈G
∑k≥1
χ(a) · ωka
k.
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 38 / 47
Computing the Eigenvalues
We wish to give a lower bound on |λχ| where
λχ =∑a∈G
χ(a) · log |1− ωa|.
We develop using the Taylor series
log |1− x | = −∑k≥1
xk/k
and obtain
−λχ =∑a∈G
∑k≥1
χ(a) · ωka
k.
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 38 / 47
Computing the Eigenvalues
We wish to give a lower bound on |λχ| where
λχ =∑a∈G
χ(a) · log |1− ωa|.
We develop using the Taylor series
log |1− x | = −∑k≥1
xk/k
and obtain
−λχ =∑a∈G
∑k≥1
χ(a) · ωka
k.
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 38 / 47
Computing the Eigenvalues (continued)
We were trying to lower bound |λχ| where
−λχ =∑k≥1
1
k·∑a∈G
χ(a) · ωka.
Fact (Separability of Gauss Sums)
If χ is a primitive Dirichlet character modm then∑a∈Z×
m
χ(a) · ωka = χ(k) · G (χ) where |G (χ)| =√m.
For this talk, let’s ignore non-primitive characters. We rewrite
∣∣λχ∣∣ =
√m
2·
∣∣∣∣∣∑k≥1
χ(k)
k
∣∣∣∣∣.Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 39 / 47
Computing the Eigenvalues (continued)
We were trying to lower bound |λχ| where
−λχ =∑k≥1
1
k·∑a∈G
χ(a) · ωka.
Fact (Separability of Gauss Sums)
If χ is a primitive Dirichlet character modm then∑a∈Z×
m
χ(a) · ωka = χ(k) · G (χ) where |G (χ)| =√m.
For this talk, let’s ignore non-primitive characters. We rewrite
∣∣λχ∣∣ =
√m
2·
∣∣∣∣∣∑k≥1
χ(k)
k
∣∣∣∣∣.Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 39 / 47
Computing the Eigenvalues (continued)
We were trying to lower bound |λχ| where
−λχ =∑k≥1
1
k·∑a∈G
χ(a) · ωka.
Fact (Separability of Gauss Sums)
If χ is a primitive Dirichlet character modm then∑a∈Z×
m
χ(a) · ωka = χ(k) · G (χ) where |G (χ)| =√m.
For this talk, let’s ignore non-primitive characters. We rewrite
∣∣λχ∣∣ =
√m
2·
∣∣∣∣∣∑k≥1
χ(k)
k
∣∣∣∣∣.Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 39 / 47
The Analytic Hammer
We were trying to lower bound∣∣λχ∣∣ =
√m2 ·∣∣∑
k≥1χ(k)k
∣∣.One recognizes a Dirichlet L-series
L(s, χ) =∑ χ(k)
ks.
Theorem ([Lit24, LLS15])
For any primitive non-quadratic Dirichlet character χ mod m it holds that
1/`(m) ≤ |L(1, χ)| ≤ `(m) where `(m) = C lnm
for some universal constant C > 0.
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 40 / 47
The Analytic Hammer
We were trying to lower bound∣∣λχ∣∣ =
√m2 ·∣∣∑
k≥1χ(k)k
∣∣.One recognizes a Dirichlet L-series
L(s, χ) =∑ χ(k)
ks.
Theorem ([Lit24, LLS15])
For any primitive non-quadratic Dirichlet character χ mod m it holds that
1/`(m) ≤ |L(1, χ)| ≤ `(m) where `(m) = C lnm
for some universal constant C > 0.
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 40 / 47
Conclusion
Theorem
Then, all the vectors of B∨ have the same norm and, this norm is upperbounded as follows ∥∥b∨j
∥∥2 ≤ O(m−1 · log3 m
).
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 41 / 47
Further work
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 42 / 47
D., Plancon, Wesolowski 2019
I Analyse the hidden factors behind O’s.
I Predict when this algorithm outperform LLL and BKZ
Hanrot, Stehle and Pellet–Mary 2019
I Using some precomputation depending only on the number field K
I Generalize this results to any number field K
I Generalize to a time/approx-factor trade-off
T = exp(O(nc)), α = exp(O(n(1−c)/2))
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 43 / 47
References I
Miklos Ajtai.Generating hard instances of the short basis problem.In ICALP, pages 1–9, 1999.
Jean-Francois Biasse.Subexponential time relations in the class group of large degree number fields.Adv. Math. Commun., 8(4):407–425, 2014.
Joe Buhler, Carl Pomerance, and Leanne Robertson.Heuristics for class numbers of prime-power real cyclotomic fields.Fields Inst. Commun, 41:149–157, 2004.
J.-F. Biasse and F. Song.A polynomial time quantum algorithm for computing class groups and solving the principalideal problem in arbitrary degree number fields.http://www.lix.polytechnique.fr/Labo/Jean-Francois.Biasse/, 2015.In preparation.
Ronald Cramer, Leo Ducas, Chris Peikert, and Oded Regev.Recovering short generators of principal ideals in cyclotomic rings.Eurocrypt 2016, 2016.
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 44 / 47
References II
Ronald Cramer, Leo Ducas, and Benjamin Wesolowski.Short stickelberger class relations and application to ideal-svp.Eurocrypt 2017, 2017.
Leo Ducas.Advances on quantum cryptanalysis of ideal lattices.Nieuw Archief voor Wiskunde, 5:184–189, 2017.
Kirsten Eisentrager, Sean Hallgren, Alexei Kitaev, and Fang Song.A quantum algorithm for computing the unit group of an arbitrary degree number field.In Proceedings of the 46th Annual ACM Symposium on Theory of Computing, pages293–302. ACM, 2014.
Jeffrey Hoffstein, Nick Howgrave-Graham, Jill Pipher, Joseph H. Silverman, and WilliamWhyte.NTRUSIGN: Digital signatures using the NTRU lattice.In CT-RSA, pages 122–140, 2003.
Jeffrey Hoffstein, Jill Pipher, and Joseph H. Silverman.NTRU: A ring-based public key cryptosystem.In ANTS, pages 267–288, 1998.
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 45 / 47
References III
Dimitar Jetchev and Benjamin Wesolowski.On graphs of isogenies of principally polarizable abelian surfaces and the discrete logarithmproblem.CoRR, abs/1506.00522, 2015.
J. E. Littlewood.On the zeros of the Riemann zeta-function.Mathematical Proceedings of the Cambridge Philosophical Society, 22:295–318,September 1924.
Youness Lamzouri, Xiannan Li, and Kannan Soundararajan.Conditional bounds for the least quadratic non-residue and related problems.Math. Comp., 84(295):2391–2412, 2015.
Vadim Lyubashevsky, Chris Peikert, and Oded Regev.On ideal lattices and learning with errors over rings.Journal of the ACM, 60(6):43:1–43:35, November 2013.Preliminary version in Eurocrypt 2010.
Daniele Micciancio.Generalized compact knapsacks, cyclic lattices, and efficient one-way functions.Computational Complexity, 16(4):365–411, 2007.Preliminary version in FOCS 2002.
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 46 / 47
References IV
Oded Regev.On lattices, learning with errors, random linear codes, and cryptography.J. ACM, 56(6):1–40, 2009.Preliminary version in STOC 2005.
Rene Schoof.Minus class groups of the fields of the l-th roots of unity.Mathematics of Computation of the American Mathematical Society, 67(223):1225–1245,1998.
Rene Schoof.Class numbers of real cyclotomic fields of prime conductor.Mathematics of computation, 72(242):913–937, 2003.
Leo Ducas (CWI, Amsterdam) Quantum Ideal-SVP Math of PKC. Mar. 2019 47 / 47