Abstract
In this article, we give evidence that free modules (i.e., modules which admit a basis) are no weaker than arbitrary modules, when it comes to solving cryptographic algorithmic problems (and when the rank of the module is at least 2). More precisely, we show that for three algorithmic problems used in cryptography, namely the shortest vector problem, the Hermite shortest vector problem and a variant of the closest vector problem, there is a reduction from solving the problem in any module of rank \(n \ge 2\) to solving the problem in any free module of the same rank n. As an application, we show that this can be used to dequantize the LLL algorithm for module lattices presented by Lee et al. (Asiacrypt 2019).
Notes
- 1.
- 2. In the case of ideals for instance, we know that the proportion of principal ideals among all ideals is equal to \(1/h_K\), where \(h_K\) is a quantity called the class number of the field \(K\). When \(K\) is a cyclotomic field, it is known that \(h_K\) grows more than exponentially in the degree \(d\) of the number field (see, e.g., [Was97, Proposition 11.15]).
- 3. Recall that in this article, modules are always included in \(K^m\) for some \(m > 0\).
- 4. Recall that the standard CVP problem asks, given as input a target \(\textbf{t}\), to find a point \(\textbf{s}\) of the lattice \(\mathcal L\) such that \(\Vert \textbf{t}- \textbf{s}\Vert \le \gamma \cdot \textrm{dist}(\textbf{t},\mathcal L)\), for some approximation factor \(\gamma \).
- 5. That is, an algorithm whose output is always correct, but whose running time is a random variable.
- 6. In this article, when we say that \(M\) is a module, we always mean an \(\mathcal {O}_K\)-module included in \(K^m\) for some \(m > 0\).
- 7. Those are usually simply called “bases”, as opposed to pseudo-bases. But we prefer to add the adjective “free” in this work, to make the distinction even clearer.
- 8. The other problems will not be used for ideal lattices, so we do not give them a special name.
References
Biasse, J.F., Fieker, C.: Subexponential class group and unit group computation in large degree number fields. LMS J. Comput. Math. 17(A), 385–403 (2014)
Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. ACM Trans. Comput. Theory (TOCT) 6(3), 1–36 (2014)
Bley, W., Hofmann, T., Johnston, H.: Computation of lattice isomorphisms and the integral matrix similarity problem. In: Forum of Mathematics, Sigma, vol. 10, p. e87. Cambridge University Press, Cambridge (2022)
de Boer, K.: Random walks on Arakelov class groups. PhD thesis, Leiden University (2022)
Biasse, J.F., Song, F.: Efficient quantum algorithms for computing class groups and solving the principal ideal problem in arbitrary degree number fields. In: Proceedings of the Twenty-Seventh Annual ACM-SIAM Symposium on Discrete Algorithms, pp. 893–902. SIAM (2016)
Bhargava, M., Shankar, A., Taniguchi, T., Thorne, F., Tsimerman, J., Zhao, Y.: Bounds on 2-torsion in class groups of number fields and integral points on elliptic curves. J. Am. Math. Soc. 33(4), 1087–1099 (2020)
Cramer, R., Ducas, L., Peikert, C., Regev, O.: Recovering short generators of principal ideals in cyclotomic rings. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 559–585. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_20
Cramer, R., Ducas, L., Wesolowski, B.: Short Stickelberger class relations and application to ideal-SVP. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 324–348. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_12
Cohen, H.: Advanced Topics in Computational Number Theory, vol. 193. Springer, Heidelberg (2012). https://doi.org/10.1007/978-1-4419-8489-0
De Micheli, G., Micciancio, D.: A fully classical LLL algorithm for modules. Cryptology ePrint Archive (2022)
Felderhoff, J., Pellet-Mary, A., Stehlé, D.: On module unique-SVP and NTRU. In: Advances in Cryptology-ASIACRYPT 2022: 28th International Conference on the Theory and Application of Cryptology and Information Security, Taipei, Taiwan, 5–9 December 2022, Proceedings, Part III, pp. 709–740. Springer, Heidelberg (2022)
Fieker, C., Stehlé, D.: Short bases of lattices over number fields. In: Hanrot, G., Morain, F., Thomé, E. (eds.) ANTS 2010. LNCS, vol. 6197, pp. 157–173. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14518-6_15
Gentry, C.: A fully homomorphic encryption scheme. PhD thesis, Stanford University (2009)
Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Proceedings of the Forty-First Annual ACM Symposium on Theory of Computing, pp. 169–178 (2009)
Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. SIAM J. Comput. 45(3), 882–929 (2016)
Hoppe, A.: Normal forms over Dedekind domain, efficient implementation in the computer algebra system KANT. PhD thesis, TU Berlin (1998)
Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054868
Lyubashevsky, V., Micciancio, D.: Generalized compact knapsacks are collision resistant. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006. LNCS, vol. 4052, pp. 144–155. Springer, Heidelberg (2006). https://doi.org/10.1007/11787006_13
Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. J. ACM (JACM) 60(6), 1–35 (2013)
Lee, C., Pellet-Mary, A., Stehlé, D., Wallet, A.: An LLL algorithm for module lattices. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11922, pp. 59–90. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34621-8_3
Langlois, A., Stehlé, D.: Worst-case to average-case reductions for module lattices. Des. Codes Cryptogr. 75(3), 565–599 (2015)
Peikert, C., Rosen, A.: Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 145–166. Springer, Heidelberg (2006). https://doi.org/10.1007/11681878_8
Pellet-Mary, A., Stehlé, D.: On the hardness of the NTRU problem. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021. LNCS, vol. 13090, pp. 3–35. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92062-3_1
Pellet-Mary, A., Tran, N.: Reductions from module lattices to free module lattices (2023). https://hal.science/hal-04119912/document
Stehlé, D., Steinfeld, R., Tanaka, K., Xagawa, K.: Efficient public key encryption based on ideal lattices. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 617–635. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_36
Stephens-Davidowitz, N.: Dimension-preserving reductions between lattice problems (2015). http://noahsd.com/latticeproblems.pdf
Washington, L.C.: Introduction to Cyclotomic Fields, vol. 83, p. 104. Springer, Heidelberg (1997). https://doi.org/10.1007/978-1-4612-1934-7
Acknowledgements
Gabrielle De Micheli is supported in part by the Swiss National Science Foundation Early Postdoc.Mobility fellowship. Daniele Micciancio is supported by the NSF Award 1936703, Samsung and Intel. Alice Pellet-Mary is supported by the CHARM ANR-NSF grant (ANR-21-CE94-0003) and by the PEPR quantique France 2030 programme managed by the ANR (ANR-22-PETQ-0008 PQ-TLS). Nam Tran is supported by a CSIRO Data61 PhD Scholarship and a CSIRO Data61 Top-up Scholarship. This work was done when Nam Tran was a Master's student at the University of Limoges (France) and doing his internship at the Institute of Mathematics of Bordeaux (IMB, France), funded by IMB.
Copyright information
© 2023 International Association for Cryptologic Research
About this paper
Cite this paper
De Micheli, G., Micciancio, D., Pellet-Mary, A., Tran, N. (2023). Reductions from Module Lattices to Free Module Lattices, and Application to Dequantizing Module-LLL. In: Handschuh, H., Lysyanskaya, A. (eds) Advances in Cryptology – CRYPTO 2023. CRYPTO 2023. Lecture Notes in Computer Science, vol 14085. Springer, Cham. https://doi.org/10.1007/978-3-031-38554-4_27
DOI: https://doi.org/10.1007/978-3-031-38554-4_27
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-38553-7
Online ISBN: 978-3-031-38554-4
eBook Packages: Computer Science (R0)