SHORT STICKELBERGER CLASS RELATIONS AND APPLICATION TO IDEAL-SVP
Ronald Cramer (1,2), Léo Ducas (2), Benjamin Wesolowski (3)
1 Leiden University, The Netherlands; 2 CWI, Amsterdam, The Netherlands; 3 EPFL, Lausanne, Switzerland
At Eurocrypt 2017, Paris
(picture: Adriaan Goossens)

LATTICE-BASED CRYPTOGRAPHY
▸ Lattice problems provide a strong foundation for post-quantum cryptography.
▸ How hard is it to find a short vector in a generic lattice?
[Figure: Approx-SVP for generic lattices. Axes: time (vertical) against approximation factor (horizontal). LLL: time poly(n), approximation factor ~ exp(Θ(n)). BKZ: time ~ exp(Θ(n^{1/2})), approximation factor ~ exp(Θ(n^{1/2})). Cryptography needs approximation factor poly(n), where the time is ~ exp(Θ(n)).]

LATTICES OVER RINGS
▸ Generic lattices are cumbersome! Key-size = Õ(n^2).
▸ A solution: using ideal lattices, typically in a cyclotomic ring R = ℤ[ω_m] (ω_m a primitive m-th root of unity). Dimension n = φ(m), key-size = Õ(n).
▸ What is an ideal lattice in ℤ[ω_m]? Minkowski's embedding ℚ(ω_m) → ℝ^n gives ℚ(ω_m) the structure of a Hermitian vector space. An ideal of ℤ[ω_m] is also a lattice in that vector space.

IS IDEAL-SVP AS HARD AS GENERAL SVP?
▸ Ideal lattices have much more structure than generic ones.
▸ Can we do better than LLL and BKZ?
✓ For principal ideals, [Campbell et al., 2014] says yes:
1. Given a principal ideal 𝖍, recover a generator h. Solvable in quantum poly-time [Biasse and Song 2016].
2. Given a generator h, find a short generator g. Solvable in classical poly-time [Cramer et al. 2016] for m = p^k, R = ℤ[ω_m], approx. factor exp(Õ(n^{1/2})).

ARE IDEAL-SVP AND RING-LWE BROKEN?
Some obstacles remain:
▸ Restricted to principal ideals. (In this work, we remove this restriction by solving the Close Principal Multiple problem (CPM).)
▸ The approximation factor is still too large.
▸ Ring-LWE ≥ Ideal-SVP, but equivalence is not known.

OUR RESULT
▸ This work: Ideal-SVP solvable in quantum poly-time, for R = ℤ[ω_m], approx. factor exp(Õ(n^{1/2})).
▸ Hardness gap between SVP and Ideal-SVP.
[Figure: Ideal-SVP in cyclotomic rings. Axes: time (quantum) against approximation factor. This work: time poly(n), approximation factor ~ exp(Θ(n^{1/2})); compared with LLL (time poly(n), factor ~ exp(Θ(n))), BKZ (time ~ exp(Θ(n^{1/2})), factor ~ exp(Θ(n^{1/2}))) and cryptography (factor poly(n), time ~ exp(Θ(n))).]

APPROACH
Given an ideal 𝔞, we find a short vector as follows:
1. Find an ideal 𝔟 such that N𝔟 = exp(Õ(n^{3/2})) and 𝔞𝔟 is principal. The Close Principal Multiple problem (CPM). New! The focus of this talk.
2. Solve Principal-Ideal-SVP for 𝔞𝔟, output a generator g of 𝔞𝔟 of length L = N(𝔞𝔟)^{1/n} · exp(Õ(n^{1/2})). [Campbell et al., 2014], [Biasse and Song 2016], [Cramer et al. 2016].
‣ g ∈ 𝔞𝔟 ⊂ 𝔞 because 𝔟 is integral.
‣ Approx. factor ≈ L/(N𝔞)^{1/n} = (N𝔟)^{1/n} · exp(Õ(n^{1/2})) = exp(Õ(n^{1/2})).

THE CLOSE PRINCIPAL MULTIPLE PROBLEM
Let K = ℚ(ω_m), and 𝓞 = ℤ[ω_m] its ring of integers.
Given an ideal 𝔞, find an ideal 𝔟 such that N𝔟 = exp(Õ(n^{3/2})) and 𝔞𝔟 is principal.
How hard can this be? Depends on the class group: Cl(𝓞) = 𝓘(𝓞)/P(𝓞), where 𝓘(𝓞) is the group of (fractional) ideals of 𝓞, and P(𝓞) the subgroup of principal ideals.
▸ Suppose Cl(𝓞) is small, say #Cl(𝓞) = poly(n). Pick random ideals 𝔟 of small norm until [𝔞𝔟] = [𝓞]… we can hope to easily find a solution.
▸ Problem: #Cl(𝓞) = exp(Θ̃(n log m)): need a better solution.

THE CLOSE PRINCIPAL MULTIPLE PROBLEM: FIRST STEP
Let 𝔅 be a set of ideals of small norm generating Cl(𝓞).
QUANTUM CLASS GROUP DISCRETE LOGARITHM [Biasse and Song 2016]. Given an ideal 𝔞, one can find in quantum polynomial time a vector e ∈ ℤ^𝔅 such that [𝔞] = ∏_{𝔭∈𝔅} [𝔭^{e_𝔭}].
‣ With 𝔟 = ∏_{𝔭∈𝔅} 𝔭^{-e_𝔭}, the product 𝔞𝔟 is principal.
‣ But N𝔟 ≈ exp(‖e‖_1) may be huge! We want ‖e‖_1 = Õ(n^{3/2}).
‣ 𝔟 might not be integral.

▸ Let G ≅ (ℤ/mℤ)^× be the Galois group of ℚ(ω_m).
▸ Assume 𝔅 = {𝔭^σ | σ ∈ G} generates the class group.
▸ The formal sums of the form r = ∑_{σ∈G} e_σ σ, with e_σ ∈ ℤ, form a ring called the group ring ℤ[G]. (It is isomorphic to ℤ^n, so elements can be seen as vectors. They have norms ‖·‖_1, ‖·‖_2, etc.)
▸ We solve the DLP for [𝔞] with respect to the factor basis 𝔅: [𝔞] = ∏_{σ∈G} [𝔭^σ]^{e_σ} = [𝔭]^r, where r = ∑_{σ∈G} e_σ σ ∈ ℤ[G].

THE CLOSE PRINCIPAL MULTIPLE PROBLEM: SECOND STEP
▸ Suppose [𝔞] = [𝔭]^r, where r ∈ ℤ[G].
▸ Let Λ be a lattice in ℤ[G] such that: s ∈ Λ ⟹ 𝔭^s is principal.
▸ If s ∈ Λ is close to r, then s − r is small, and so is 𝔭^{s−r}.
▸ Choose 𝔟 = 𝔭^{s−r}. It is small, and 𝔞𝔟 is principal. ✓
REPHRASED CPM: CLOSE VECTOR PROBLEM (CVP) IN Λ. Given any r ∈ ℤ[G], find a close lattice point s ∈ Λ.
Is there such a lattice Λ? Can we solve CVP in it?

THE STICKELBERGER IDEAL
DEFINITION: THE STICKELBERGER IDEAL. The Stickelberger element θ ∈ ℚ[G] is
θ = ∑_{a ∈ (ℤ/mℤ)^×} {a/m} σ_a^{-1},
where {·} denotes the fractional part. The Stickelberger ideal is S = ℤ[G] ∩ θℤ[G].
‣ The Stickelberger ideal is an ideal of ℤ[G].
‣ It is also a lattice in ℤ[G] (recall that ℤ[G] ≅ ℤ^n).

STICKELBERGER'S THEOREM
STICKELBERGER'S THEOREM. For any s ∈ S and any ideal 𝖍 in 𝓞, 𝖍^s is principal. In other words, S annihilates the class group.
Again, assume 𝔅 = {𝔭^σ | σ ∈ G}.
‣ S is a lattice in ℤ[G], and s ∈ S ⟹ 𝔭^s is principal.
‣ It is the property we wanted for Λ! Choose Λ = S.
➡ Reduced CPM to CVP in S ⊂ ℤ[G].

SOLVING THE CLOSE PRINCIPAL MULTIPLE PROBLEM
▸ Find a basis of the form 𝔅 = {𝔭^σ | σ ∈ G} for the class group.
▸ Solve the discrete logarithm problem for [𝔞] with respect to the factor basis 𝔅: [𝔞] = ∏_{σ∈G} [𝔭^σ]^{e_σ} = [𝔭]^r, where r = ∑_{σ∈G} e_σ σ ∈ ℤ[G].
▸ Solve the CVP: find a vector s in the Stickelberger ideal S that is close to r (S is a sublattice of ℤ[G]).
▸ Output 𝔞𝔟, where 𝔟 = 𝔭^{s−r}.

CVP FOR THE STICKELBERGER IDEAL
Can we solve the CVP for S?
▸ Yes: there is an explicit, computable, short basis for S!
A few technicalities:
▸ S is not full-rank in ℤ[G].
▸ Negative exponents give fractional ideals, but 𝔟 has to be integral.
✓ Resolved by working with the relative class group Cl⁻(K) instead of the class group Cl(K).
The short basis for S allows us to solve the CPM problem with approx. factor exp(Õ(n^{3/2})) – we win!

ARE IDEAL-SVP AND RING-LWE BROKEN? (recap)
Some obstacles remain:
▸ Restricted to principal ideals.
▸ The approximation factor is still too large.
▸ Ring-LWE ≥ Ideal-SVP, but equivalence is not known.

SHORT STICKELBERGER CLASS RELATIONS AND APPLICATION TO IDEAL-SVP
Thank you!

Backup slides

GENERATING THE CLASS GROUP
‣ So far we assumed 𝔅 = {𝔭^σ | σ ∈ G} generates Cl(𝓞).
‣ In general, a single 𝔭 is not sufficient to generate Cl(𝓞).
‣ Method can be adapted to 𝔅 = {𝔭_i^σ | σ ∈ G, i = 1, …, d}, as long as d = polylog(n).
‣ Numerical evidence shows such 𝔅 exists [Schoof, 1998].
‣ Theorem + Heuristic implies we can find such 𝔅 efficiently.

CVP FOR THE STICKELBERGER IDEAL
A few technicalities:
▸ S is not full-rank in ℤ[G]. Let c be the complex conjugation. Assume h⁺ = 1: for any 𝖍, the ideal 𝖍𝖍^c is principal, i.e. for any 𝖍, the ideal 𝖍^{1+c} is principal. The bigger lattice S + (1+c)ℤ[G] is full-rank and still annihilates the class group! Use it in place of S.
▸ Negative exponents give fractional ideals, but 𝔟 has to be integral. For any 𝖍, the ideal 𝖍^{-1} is in the same ideal class as 𝖍^c. Use c to get rid of all negative exponents.

WORKING IN THE RELATIVE CLASS GROUP
‣ If h⁺ = 1, we are done.
‣ In general, h⁺ is small but not necessarily 1…
‣ Solution: instead of Cl(𝓞), work in Cl⁻(𝓞): Cl⁻(𝓞) = {[𝖍] | 𝖍𝖍^c is principal}.
‣ All issues are solved in Cl⁻(𝓞), "as if" h⁺ = 1.
‣ If the initial ideal 𝔞 is not in Cl⁻(𝓞), find a small 𝖈 such that [𝔞𝖈] ∈ Cl⁻(𝓞). Easy because #(Cl(𝓞)/Cl⁻(𝓞)) = h⁺ = poly(n) (classical heuristic).
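A constructed worked example of the Stickelberger ideal S = ℤ[G] ∩ θℤ[G] defined in the slides (added here; not code from the talk or its authors): it builds θ over (ℤ/mℤ)^× with exact rationals, forms the classical elements v_b = (b − σ_b)θ of S, and takes the differences w_b = v_{b+1} − v_b, whose coefficients are all 0 or 1, which is the kind of short, explicitly computable vector in S that the "short basis" claim rests on. It assumes m is an odd prime (so that b and b+1 are both units for b = 1, …, m−2); the function names and the dict encoding of ℚ[G] are my own.

```python
from fractions import Fraction
from math import gcd

# Constructed illustration, not the talk's code. An element of Q[G], with
# G = (Z/mZ)^x, is a dict  a -> coefficient of sigma_a^{-1}  (as in theta).

def galois_group(m):
    """G identified with (Z/mZ)^x, so n = |G| = phi(m)."""
    return [a for a in range(1, m) if gcd(a, m) == 1]

def stickelberger_element(m):
    """theta = sum_{a in (Z/mZ)^x} {a/m} sigma_a^{-1}; {a/m} = a/m for 0 < a < m."""
    return {a: Fraction(a, m) for a in galois_group(m)}

def act(b, x, m):
    """Left multiplication by sigma_b: sigma_b * sigma_a^{-1} = sigma_{a b^{-1}}^{-1}."""
    b_inv = pow(b % m, -1, m)          # ValueError unless gcd(b, m) = 1
    return {(a * b_inv) % m: c for a, c in x.items()}

def to_ZG(x):
    """x with int coefficients if x lies in Z[G], else None."""
    if any(c.denominator != 1 for c in x.values()):
        return None
    return {a: int(c) for a, c in x.items()}

def v(b, m):
    """v_b = (b - sigma_b)*theta: integral, coefficient floor(a*b/m) at sigma_a^{-1}, hence in S."""
    theta = stickelberger_element(m)
    sb_theta = act(b, theta, m)
    return to_ZG({a: b * theta[a] - sb_theta[a] for a in theta})

def w(b, m):
    """w_b = v_{b+1} - v_b = (1 + sigma_b - sigma_{b+1}) * theta.  Still in S, and
    every coefficient is 0 or 1, so ||w_b||_2 <= sqrt(n): a short lattice vector."""
    vb, vb1 = v(b, m), v(b + 1, m)
    return {a: vb1[a] - vb[a] for a in vb}

def l1(x):
    return sum(abs(c) for c in x.values())

def short_elements(m):
    """Odd prime m: b and b+1 are both units for b = 1..m-2.  Returns the w_b
    after checking the {0,1} bound on their coefficients."""
    ws = [w(b, m) for b in range(1, m - 1)]
    assert all(set(x.values()) <= {0, 1} for x in ws)
    return ws

if __name__ == "__main__":
    for b, x in enumerate(short_elements(7), start=1):   # n = phi(7) = 6
        print(f"w_{b} = {x}   ||w_b||_1 = {l1(x)}")
```

For prime m every w_b has exactly (m − 1)/2 = n/2 nonzero coefficients, so its ℓ₂ norm is √(n/2), while θ itself has denominators and is not in ℤ[G].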