Abstract
We formally define the Lattice Isomorphism Problem for module lattices (module-LIP) in a number field K. This is a generalization of the problem defined by Ducas, Postlethwaite, Pulles, and van Woerden (Asiacrypt 2022), taking into account the arithmetic and algebraic specificity of module lattices from their representation using pseudo-bases. We also provide the corresponding set of algorithmic and theoretical tools for the future study of this problem in a module setting. Our main contribution is an algorithm solving module-LIP for modules of rank 2 in \(K^2\), when K is a totally real number field. Our algorithm exploits the connection between this problem, relative norm equations and the decomposition of algebraic integers as sums of two squares. For a large class of modules (including \(\mathcal {O}_K^2\)), and a large class of totally real number fields (including the maximal real subfield of cyclotomic fields) it runs in classical polynomial time in the degree of the field and the residue at 1 of the Dedekind zeta function of the field (under reasonable number theoretic assumptions). We provide a proof-of-concept code running over the maximal real subfield of cyclotomic fields.
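As an added illustration of the connection the abstract describes (this is not code from the paper, whose algorithm targets general totally real K), consider the degree-1 case K = Q, where \(\mathcal{O}_K^2 = \mathbb{Z}^2\) and \(L = K(i) = \mathbb{Q}(i)\): the diagonal entries of a Gram matrix \(G = B^T B\) are sums of two squares of the column entries of B, so the columns of B can be recovered from decompositions \(z\bar z = a\) in \(\mathbb{Z}[i]\), filtered by the off-diagonal entry and the determinant. The enumeration of decompositions is brute force here; that is precisely the step the paper replaces by solving norm equations.

```python
from math import isqrt


def two_squares(a):
    """All (x, y) in Z^2 with x^2 + y^2 == a, i.e. all z = x + iy in Z[i] with z*conj(z) == a.
    Brute force over x; fine for the small constructed example below."""
    sols = []
    for x in range(-isqrt(a), isqrt(a) + 1):
        r = a - x * x
        y = isqrt(r)
        if y * y == r:
            sols.append((x, y))
            if y:
                sols.append((x, -y))
    return sols


def gram(B):
    """Gram matrix B^T B of the basis B = ((a, b), (c, d)) of Z^2 (columns are the basis vectors)."""
    (a, b), (c, d) = B
    return [[a * a + c * c, a * b + c * d], [a * b + c * d, b * b + d * d]]


def solve_lip_z2(G):
    """Rank-2 LIP over Z (K = Q): return every unimodular B with B^T B == G.
    Column 1 of B is a decomposition of G[0][0] as a sum of two squares, column 2 one of G[1][1];
    the off-diagonal entry and the determinant condition |det B| == 1 select the compatible pairs."""
    sols = []
    for (a, c) in two_squares(G[0][0]):
        for (b, d) in two_squares(G[1][1]):
            if a * b + c * d == G[0][1] and abs(a * d - b * c) == 1:
                sols.append(((a, b), (c, d)))
    return sols


if __name__ == "__main__":
    # Constructed example: a secret unimodular basis and the Gram matrix an attacker would be given.
    B_secret = ((2, 1), (3, 2))  # det = 1
    G = gram(B_secret)           # [[13, 8], [8, 5]]
    for B in solve_lip_z2(G):
        print(B)  # the 8 bases O*B for O in O_2(Z), the secret one among them
```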
Notes
- 1.
Lattices are geometric objects, so an isomorphism between lattices should respect the group structure and the geometry.
- 2.
- 3.
Our algorithm relies on arithmetic properties of the module, and does not extend to modules \(M \subset K_\mathbb {R}^2\), where \(K_\mathbb {R}:= K \otimes _\mathbb {Q}\mathbb {R}\).
- 4.
This definition is not formulated exactly in the same way as Definition 3.11 below, but both are equivalent.
- 5.
The set of \(z \in \mathcal {O}_L\) with \(z \bar{z} = a\) might be strictly larger than the set of solutions, since we may have \(\mathcal {O}_K+ i \mathcal {O}_K\subsetneq \mathcal {O}_L\), but we can easily check, given a \(z = x + iy\) if (x, y) is a solution to our equation.
- 6.
Note that \(\mathcal {O}_K\) is a Dedekind ring. In particular, it is Noetherian, so all ideals are finitely generated as \(\mathcal {O}_K\)-modules.
- 7.
When \(M \subset K^l\) is a rational module, these are the conditions for U to be a pseudo-base change matrix, see [9].
- 8.
The element x is recovered up to a root of unity.
- 9.
In prior literature, these are sometimes called Humbert forms.
- 10.
For the transitivity, let \(\boldsymbol{G} = (G, (I_i)_{1 \le i \le \ell }),\) \(\boldsymbol{G'} = (G', (J_i)_{1 \le i \le \ell }),\) \(\boldsymbol{G''} = (G'', (L_i)_{1 \le i \le \ell })\) and U (resp. \(U'\)) a congruence matrix between \(\boldsymbol{G}\) and \(\boldsymbol{G'}\) (resp. between \(\boldsymbol{G'}\) and \(\boldsymbol{G''}\)); then \(U'' := U \cdot U'\) satisfies \(G'' = {U''}^*\cdot G \cdot U''\) and has coefficients \(U''_{i,j} = \sum _{k=1}^\ell u_{i,k} \cdot u'_{k,j}\). All terms of the sum are in \(I_i J_j^{-1}\) by definition. The same observation for \((U'')^{-1}\) finally gives \(\boldsymbol{G} \sim \boldsymbol{G''}\).
- 11.
By good, we mean here a (pseudo)-basis with rational coefficients. This will be needed for our attack, and we do not know how to recover it efficiently from the (pseudo-)Gram matrix since Cholesky decomposition only provides a basis with coefficients in \(\mathbb {R}\) (or \(K_\mathbb {R}\)).
- 12.
The same terminology is used for, e.g., the LWE problem. We usually say that n, m, q are parameters of the problem, which means that for each choice of (n, m, q), we have a different algorithmic problem.
- 13.
Here M is a free module so it has a basis (equivalently, the coefficient ideals are equal to \(\mathcal {O}_K\)) so the authors use bases (resp. Gram-matrices) instead of pseudo-bases (resp. pseudo-Gram matrices).
- 14.
Here we also use the general fact that for two events A and B, we can lower bound \(\Pr(A \cap B) = \Pr(A) - \Pr(A \cap \lnot B) \ge \Pr(A) - \Pr(\lnot B)\).
References
Belabas, K., van Hoeij, M., Klüners, J., Steel, A.: Factoring polynomials over global fields. Journal de théorie des nombres de Bordeaux 21(1), 15–39 (2009). https://doi.org/10.5802/jtnb.655
Bennett, H., Ganju, A., Peetathawatchai, P., Stephens-Davidowitz, N.: Just how hard are rotations of \(\mathbb{Z}^n\)? Algorithms and cryptography with the simplest lattice. In: Hazay, C., Stam, M. (eds.) Advances in Cryptology. EUROCRYPT 2023. LNCS, vol. 14008, pp. 252–281. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-30589-4_9
Bhargava, M., Shankar, A., Taniguchi, T., Thorne, F., Tsimerman, J., Zhao, Y.: Bounds on 2-torsion in class groups of number fields and integral points on elliptic curves. J. Am. Math. Soc. 33(4), 1087–1099 (2020)
Boer, K.D.: Random walks on Arakelov class groups. Ph.D. thesis, Leiden University (2022)
Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: Proceedings of the Forty-Fifth Annual ACM Symposium on Theory of Computing, pp. 575–584 (2013)
Bruin, P.J., Ducas, L., Gibbons, S.: Genus distribution of random q-ary lattices. Cryptology ePrint Archive (2022)
Buchmann, J.A., Lenstra, H.W.: Computing maximal orders and factoring over \(\mathbb{Z}_{p}\). Preprint (1994)
Buchmann, J.A., Lenstra, H.W.: Approximating rings of integers in number fields. Journal de théorie des nombres de Bordeaux 6(2), 221–260 (1994)
Cohen, H.: Advanced Topics in Computational Number Theory, vol. 193. Springer, New York (2012). https://doi.org/10.1007/978-1-4419-8489-0
Cohen, H.: A Course in Computational Algebraic Number Theory, vol. 138. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-662-02945-9
Ducas, L.: Provable lattice reduction of \(\mathbb{Z}^{n}\) with blocksize n/2. Cryptology ePrint Archive (2023)
Ducas, L., Gibbons, S.: Hull attacks on the lattice isomorphism problem. In: Boldyreva, A., Kolesnikov, V. (eds.) Public-key cryptography. PKC 2023. LNCS, vol. 13940, pp. 177–204. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-31368-4_7
Ducas, L., Postlethwaite, E.W., Pulles, L.N., van Woerden, W.: HAWK: module LIP makes lattice signatures fast, compact and simple. In: Agrawal, S., Lin, D. (eds.) Advances in Cryptology. ASIACRYPT 2022. LNCS, vol. 13794, pp. 65–94. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-22972-5_3
Ducas, L., van Woerden, W.: On the lattice isomorphism problem, quadratic forms, remarkable lattices, and cryptography. In: Dunkelman, O., Dziembowski, S. (eds.) Advances in Cryptology. EUROCRYPT 2022. LNCS, vol. 13277, pp. 643–673. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-07082-2_23
Felderhoff, J., Pellet-Mary, A., Stehlé, D., Wesolowski, B.: Ideal-SVP is hard for small-norm uniform prime ideals. In: Rothblum, G., Wee, H. (eds.) Theory of Cryptography. TCC 2023. LNCS, vol. 14372, pp. 63–92. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-48624-1_3
Fieker, C., Stehlé, D.: Short bases of lattices over number fields. In: Hanrot, G., Morain, F., Thomé, E. (eds.) Algorithmic Number Theory. ANTS-IX. LNCS, vol. 6197, pp. 157–173. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14518-6_15
Gentry, C., Szydlo, M.: Cryptanalysis of the revised NTRU signature scheme. In: Knudsen, L.R. (ed.) Advances in Cryptology. EUROCRYPT 2002. LNCS, vol. 2332, pp. 299–320. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_20
Haviv, I., Regev, O.: On the lattice isomorphism problem. In: Proceedings of the Twenty-Fifth Annual ACM-SIAM Symposium on Discrete Algorithms, pp. 391–404. SIAM (2014)
Howgrave-Graham, N., Szydlo, M.: A method to solve cyclotomic norm equations \(f * \bar{f}\). In: Buell, D. (ed.) Algorithmic Number Theory. LNCS, vol. 3076, pp. 272–279. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24847-7_20
Kirchner, P.: Algorithms on ideal over complex multiplication order. arXiv preprint arXiv:1602.09037 (2016)
Lenstra, H.W., Jr., Silverberg, A.: Testing isomorphism of lattices over CM-orders. SIAM J. Comput. 48(4), 1300–1334 (2019)
Louboutin, S.: Explicit bounds for residues of Dedekind zeta functions, values of L-functions at s = 1, and relative class numbers. J. Number Theory 85(2), 263–282 (2000)
Mehta, S.K., Rajasree, M.S.: On the bases of the \(\mathbb{Z}^n\) lattice. In: 2022 24th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing (SYNASC), pp. 100–107. IEEE (2022)
Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measures. SIAM J. Comput. 37(1), 267–302 (2007)
Mureau, G., Pellet-Mary, A., Pliatsok, G., Wallet, A.: Cryptanalysis of rank-2 module-lip in totally real number fields. Cryptology ePrint Archive (2024)
Neukirch, J.: Algebraic Number Theory, vol. 322. Springer, New York (2013). https://doi.org/10.1007/978-1-4612-0853-2
Serre, J.P.: Local Fields, vol. 67. Springer, New York (2013). https://doi.org/10.1007/978-1-4757-5673-9
The PARI Group. Univ. Bordeaux: PARI/GP version 2.16.2 (2024). http://pari.math.u-bordeaux.fr/
The Sage Developers. SageMath, the Sage Mathematics Software System (Version 10.3.0) (2024). https://www.sagemath.org
Washington, L.C.: Introduction to Cyclotomic Fields, vol. 83. Springer, New York (1997). https://doi.org/10.1007/978-1-4612-1934-7
Acknowledgments
We are grateful to Aurel Page and Bill Allombert for their help with the implementation of the Gentry-Szydlo algorithm, Sébastien Labbé, Xavier Caruso and Vincent Delecroix for organizing the Sage Days 125, where a significant part of the implementation took place. Thanks to Paul Kirchner and Thomas Espitau for their preliminary implementation of Gentry-Szydlo that helped for proof-of-concepts. Finally we thank Koen de Boer and Wessel van Woerden for enlightening discussions.
Guilhem Mureau and Alice Pellet-Mary were supported by the CHARM ANR-NSF grant (ANR-21-CE94-0003). All the authors were supported by the PEPR quantique France 2030 programme (ANR-22-PETQ-0008). Alice Pellet-Mary was supported by the TOTORO ANR (ANR-23-CE48-0002).
Ethics declarations
Nothing to report.
Copyright information
© 2024 International Association for Cryptologic Research
Cite this paper
Mureau, G., Pellet-Mary, A., Pliatsok, G., Wallet, A. (2024). Cryptanalysis of Rank-2 Module-LIP in Totally Real Number Fields. In: Joye, M., Leander, G. (eds) Advances in Cryptology – EUROCRYPT 2024. EUROCRYPT 2024. Lecture Notes in Computer Science, vol 14657. Springer, Cham. https://doi.org/10.1007/978-3-031-58754-2_9
DOI: https://doi.org/10.1007/978-3-031-58754-2_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-58753-5
Online ISBN: 978-3-031-58754-2