
Some Easy Instances of Ideal-SVP and Implications on the Partial Vandermonde Knapsack Problem

Conference paper
Advances in Cryptology – CRYPTO 2022 (CRYPTO 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13508)

Abstract

In this article, we generalize the works of Pan et al. (Eurocrypt’21) and Porter et al. (ArXiv’21) and provide a simple condition under which an ideal lattice defines an easy instance of the shortest vector problem. Namely, we show that the more automorphisms stabilize the ideal, the easier it is to find a short vector in it. This observation was already made for prime ideals in Galois fields, and we generalize it to any ideal (whose prime factors are not ramified) of any number field.

We then provide a cryptographic application of this result by showing that particular instances of the partial Vandermonde knapsack problem, also known as partial Fourier recovery problem, can be solved classically in polynomial time. As a proof of concept, we implemented our attack and managed to solve those particular instances for concrete parameter settings proposed in the literature. For random instances, we can halve the lattice dimension with non-negligible probability.


Notes

  1. In this paper, we only consider regimes where the solution to this problem is unique.

  2. For the sake of simplicity, we focus on cyclotomic fields in the introduction but stress that  can be defined over any number field.

  3. This is not the standard definition, see for instance [Mar77, Theorem 52] for a proof that this is an equivalent definition.

  4. Note that the equality \(\tau (I) = I\) means that the two sets are equal, but it does not mean that all the elements of I are fixed by \(\tau \).

  5. For arbitrary Euclidean lattices, it is much harder to give concrete conditions which ensure a unique solution for \(\textrm{HBDD}\). This is why we think the definition of this problem only makes sense in the ideal setting.

  6. Even though they originally called it the partial Fourier recovery problem.

  7. For the case of HPSSW parameters, the generation of a is slightly different, in order to be consistent with the specifications of [HPS+14]. They consider  instances over the cyclic ring \(\mathbb {Z}[X]/(X^m-1)\) instead of \(O_K\). For this specific case, we generate a with ternary coefficients in the ring \(\mathbb {Z}[X]/(X^m-1)\), and then reduce it modulo \(\varPhi _m(X)\) in order to map it to \(O_K\) and continue the attack in \(O_K\), cf. Sect. 2.4.

  8. Note that here, we do not reduce the size of \(\varOmega \) below \(t_0\): we take \(\varOmega \) as the union of multiple sets \(\varOmega '\), each one of size 16 such that \(I_{\varOmega '}\) is fixed by a subgroup H of \(\textrm{Aut}_\mathbb {Q}(K)\) of size 16 (the same H for all the \(\varOmega '\)).

References

  1. Albrecht, M.R., Deo, A.: Large modulus ring-LWE \(\ge \) module-LWE. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 267–296. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_10

  2. Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: STOC, pp. 99–108. ACM (1996)

  3. Babai, L.: On Lovász' lattice reduction and the nearest lattice point problem. Combinatorica 6(1), 1–13 (1986)

  4. Boudgoust, K., Gachon, E., Pellet-Mary, A.: Some easy instances of ideal-SVP and implications on the partial Vandermonde knapsack problem. Cryptology ePrint Archive, Paper 2022/709 (2022)

  5. Bernard, O., Lesavourey, A., Nguyen, T.-H., Roux-Langlois, A.: Log-S-unit lattices using explicit Stickelberger generators to solve approx ideal-SVP. Cryptology ePrint Archive (2021)

  6. Boudgoust, K.: Theoretical hardness of algebraically structured learning with errors. Ph.D. thesis, Université Rennes 1 (2021). https://tel.archives-ouvertes.fr/tel-03534254/document

  7. Bernard, O., Roux-Langlois, A.: Twisted-PHS: using the product formula to solve approx-SVP in ideal lattices. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12492, pp. 349–380. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64834-3_12

  8. Boudgoust, K., Sakzad, A., Steinfeld, R.: Vandermonde meets Regev: public key encryption schemes based on partial Vandermonde problems. Cryptology ePrint Archive, Report 2022/679 (2022)

  9. Cramer, R., Ducas, L., Peikert, C., Regev, O.: Recovering short generators of principal ideals in cyclotomic rings. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 559–585. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_20

  10. Cramer, R., Ducas, L., Wesolowski, B.: Mildly short vectors in cyclotomic ideal lattices in quantum polynomial time. J. ACM 68(2), 1–26 (2021)

  11. Conrad, K.: The different ideal. https://kconrad.math.uconn.edu/blurbs/gradnumthy/different.pdf. Accessed 16 Feb 2022

  12. de Boer, K., Ducas, L., Pellet-Mary, A., Wesolowski, B.: Random self-reducibility of ideal-SVP via Arakelov random walks. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12171, pp. 243–273. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56880-1_9

  13. Doröz, Y., Hoffstein, J., Silverman, J.H., Sunar, B.: MMSAT: a scheme for multimessage multiuser signature aggregation. Cryptology ePrint Archive, Report 2020/520 (2020)

  14. Gentry, C.: A fully homomorphic encryption scheme. Ph.D. thesis, Stanford University (2009). http://crypto.stanford.edu/craig

  15. Hoffstein, J., Kaliski, B.S., Jr., Lieman, D.B., Robshaw, M.J.B., Yin, Y.L.: Secure user identification based on constrained polynomials, 13 June 2000. US Patent 6,076,163. Filed 20 October 1997

  16. Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054868

  17. Hanrot, G., Pujol, X., Stehlé, D.: Analyzing blockwise lattice algorithms using dynamical systems. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 447–464. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_25

  18. Hoffstein, J., Pipher, J., Schanck, J.M., Silverman, J.H., Whyte, W.: Practical signatures from the partial Fourier recovery problem. In: Boureanu, I., Owesarski, P., Vaudenay, S. (eds.) ACNS 2014. LNCS, vol. 8479, pp. 476–493. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-07536-5_28

  19. Hoffstein, J., Silverman, J.H.: PASS-Encrypt: a public key cryptosystem based on partial evaluation of polynomials. Des. Codes Crypt. 77(2), 541–552 (2015)

  20. Lang, S.: Algebra. Springer, Heidelberg (2002). https://doi.org/10.1007/978-1-4613-0041-0

  21. Lyubashevsky, V., Micciancio, D.: Generalized compact knapsacks are collision resistant. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006. LNCS, vol. 4052, pp. 144–155. Springer, Heidelberg (2006). https://doi.org/10.1007/11787006_13

  22. Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1

  23. Langlois, A., Stehlé, D.: Worst-case to average-case reductions for module lattices. Des. Codes Crypt. 75(3), 565–599 (2014). https://doi.org/10.1007/s10623-014-9938-4

  24. Lu, X., Zhang, Z., Au, M.H.: Practical signatures from the partial Fourier recovery problem revisited: a provably-secure and Gaussian-distributed construction. In: Susilo, W., Yang, G. (eds.) ACISP 2018. LNCS, vol. 10946, pp. 813–820. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-93638-3_50

  25. Marcus, D.A.: Number Fields, vol. 2. Springer, Heidelberg (1977). https://doi.org/10.1007/978-1-4684-9356-6

  26. Micciancio, D.: Generalized compact knapsacks, cyclic lattices, and efficient one-way functions from worst-case complexity assumptions. In: FOCS, pp. 356–365. IEEE Computer Society (2002)

  27. Micciancio, D., Walter, M.: On the bit security of cryptographic primitives. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 3–28. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_1

  28. Pellet-Mary, A., Hanrot, G., Stehlé, D.: Approx-SVP in ideal lattices with pre-processing. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 685–716. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_24

  29. Porter, C., Mendelsohn, A., Ling, C.: Subfield algorithms for ideal- and module-SVP based on the decomposition group. arXiv preprint arXiv:2105.03219 (2021)

  30. Peikert, C., Rosen, A.: Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 145–166. Springer, Heidelberg (2006). https://doi.org/10.1007/11681878_8

  31. Pan, Y., Xu, J., Wadleigh, N., Cheng, Q.: On the ideal shortest vector problem over random rational primes. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12696, pp. 559–583. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_20

  32. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: STOC, pp. 84–93. ACM (2005)

  33. Schnorr, C.-P., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66, 181–199 (1994)

  34. Stehlé, D., Steinfeld, R., Tanaka, K., Xagawa, K.: Efficient public key encryption based on ideal lattices. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 617–635. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_36

  35. The Sage Developers: SageMath, the Sage Mathematics Software System (Version 9.0) (2020). https://www.sagemath.org

  36. Washington, L.C.: Introduction to Cyclotomic Fields, vol. 83. Springer, Berlin (1982). https://doi.org/10.1007/978-1-4684-0133-2

Acknowledgments

We are grateful to Amin Sakzad, Damien Stehlé and Ron Steinfeld for helpful discussions. This research was partly funded by the ANR CHARM project (ANR-21-CE94-0003) and further supported by the Danish Independent Research Council under project number 0165-00107B (C3PO).

Author information

Corresponding author: Katharina Boudgoust.

Copyright information

© 2022 International Association for Cryptologic Research

About this paper


Cite this paper

Boudgoust, K., Gachon, E., Pellet-Mary, A. (2022). Some Easy Instances of Ideal-SVP and Implications on the Partial Vandermonde Knapsack Problem. In: Dodis, Y., Shrimpton, T. (eds) Advances in Cryptology – CRYPTO 2022. CRYPTO 2022. Lecture Notes in Computer Science, vol 13508. Springer, Cham. https://doi.org/10.1007/978-3-031-15979-4_17

  • DOI: https://doi.org/10.1007/978-3-031-15979-4_17

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-15978-7

  • Online ISBN: 978-3-031-15979-4

  • eBook Packages: Computer Science, Computer Science (R0)