Abstract
Lattices over number fields arise from various fascinating applications in cryptography. In this paper, we present two algorithms that find a nice, short basis of lattices over arbitrary Euclidean domains. One of the algorithms finds a reduced basis of lattices over biquadratic Euclidean rings with overwhelming probability. We prove that its output is bounded by a constant that depends only on the lattice.
The second algorithm applies to arbitrary norm-Euclidean domains. It is given without a proof of its output quality; nevertheless, we experimentally verify that the algorithm outputs a reasonably good basis, which conjecturally supports the quality of our algorithm.
We also show that the proposed algorithms can be used in various cryptanalytic applications. As a concrete example, we discuss how our algorithm improves the special-\(\mathfrak q\) descent step of the tower number field sieve, one of the best known algorithms for solving the discrete logarithm problem over finite fields.
C. Lee—Supported by Next-Generation Information Computing Development Program through the National Research Foundation of Korea(NRF) funded by the Ministry of Science, ICT & Future Planning (NRF-2016M3C4A7937116).
Notes
1. For a commutative ring R, an R-module is a finitely generated set of elements that is closed under addition and scalar multiplication by R.
2. In the classical case this corresponds to: given \(a \in {\mathbb Q}\), find \(q \in {\mathbb Z}\) such that \({|{a-q} | \le 1/2}\).
3. This can always be done since we are working in a Euclidean domain. Given a prime ideal of the form \(\mathfrak q = \langle \pi , S(\iota ) \rangle \) (as usual \(\pi \) is a prime integer and S is a factor of h modulo \(\pi \)), a generator q is the greatest common divisor of \(\pi \) and \(S(\iota )\).
References
Aoki, K., Franke, J., Kleinjung, T., Lenstra, A.K., Osvik, D.A.: A kilobit special number field sieve factorization. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 1–12. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-76900-2_1
Aranha, D.F., Fuentes-Castañeda, L., Knapp, E., Menezes, A., Rodríguez-Henríquez, F.: Implementing pairings at the 192-bit security level. In: Abdalla, M., Lange, T. (eds.) Pairing 2012. LNCS, vol. 7708, pp. 177–195. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36334-4_11
Barbulescu, R., Duquesne, S.: Updating key size estimations for pairings. IACR Cryptology ePrint Archive 2017:334 (2017)
Barbulescu, R., Gaudry, P., Kleinjung, T.: The tower number field sieve. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 31–55. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48800-3_2
Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006). https://doi.org/10.1007/11693383_22
Bauch, J., Bernstein, D.J., de Valence, H., Lange, T., van Vredendaal, C.: Short generators without quantum computers: the case of multiquadratics. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 27–59. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_2
Biasse, J.-F., Espitau, T., Fouque, P.-A., Gélin, A., Kirchner, P.: Computing generator in cyclotomic integer rings. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 60–88. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_3
Cohen, H.: A Course in Computational Algebraic Number Theory. Springer, New York (1993)
Cohen, H.: Advanced Topics in Computational Number Theory. Graduate Texts in Mathematics. Springer, New York (2000)
Fieker, C., Pohst, M.E.: On lattices over number fields. In: Cohen, H. (ed.) ANTS 1996. LNCS, vol. 1122, pp. 133–139. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-61581-4_48
Fieker, C., Stehlé, D.: Short bases of lattices over number fields. In: Hanrot, G., Morain, F., Thomé, E. (eds.) ANTS 2010. LNCS, vol. 6197, pp. 157–173. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14518-6_15
Gan, Y.H., Ling, C., Mow, W.H.: Complex lattice reduction algorithm for low-complexity full-diversity MIMO detection. IEEE Trans. Signal Process. 57(7), 2701–2710 (2009)
Garg, S., Gentry, C., Halevi, S.: Candidate multilinear maps from ideal lattices. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 1–17. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_1
Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Proceedings of the 41st Annual ACM Symposium on Theory of Computing, STOC 2009, Bethesda, MD, USA, 31 May–2 June 2009, pp. 169–178 (2009)
Gordon, D.M.: Discrete logarithms in \({GF}(p)\) using the number field sieve. SIAM J. Discret. Math. 6(1), 124–138 (1993)
Joux, A., Lercier, R., Smart, N., Vercauteren, F.: The number field sieve in the medium prime case. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 326–344. Springer, Heidelberg (2006). https://doi.org/10.1007/11818175_19
Kaiblinger, N.: Cyclotomic rings with simple Euclidean algorithm. JP J. Algebra Number Theory Appl. 23(1), 61–76 (2011)
Kim, T., Barbulescu, R.: Extended tower number field sieve: a new complexity for the medium prime case. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 543–571. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_20
Kim, T., Jeong, J.: Extended tower number field sieve with application to finite fields of arbitrary composite extension degree. In: Fehr, S. (ed.) PKC 2017. LNCS, vol. 10174, pp. 388–408. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54365-8_16
Lemmermeyer, F.: Euclid’s algorithm in quartic CM-fields. arXiv preprint arXiv:1108.6215 (2011)
Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261, 515–534 (1982)
Lenstra, H.W.: Euclid’s algorithm in cyclotomic fields. J. London Math. Soc. s2–10(4), 457–465 (1975)
Lezowski, P.: Computation of the Euclidean minimum of algebraic number fields. Math. Comput. 83, 1397–1426 (2014)
Masley, J.M.: On Euclidean rings of integers in cyclotomic fields. Journal für die reine und angewandte Mathematik (Crelles Journal) 272, 45–48 (1975)
Napias, H.: A generalization of the LLL-algorithm over Euclidean rings or orders. Journal de théorie des nombres de Bordeaux 8(2), 387–396 (1996)
Ojala, T.: Euclid’s algorithm in the cyclotomic field \({Q}(\zeta _{16})\). Math. Comput. 31(137), 268–273 (1977)
Schnorr, C.P., Hörner, H.H.: Attacking the Chor-Rivest cryptosystem by improved lattice reduction. In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 1–12. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-49264-X_1
Schnorr, C.-P., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66(1–3), 181–199 (1994)
Smart, N.P., Vercauteren, F.: Fully homomorphic encryption with relatively small key and ciphertext sizes. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 420–443. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13013-7_25
Stein, W., et al.: Sage Mathematics Software (Version 5.11). The Sage Development Team (2013), http://www.sagemath.org
Appendix
A Simulation Results
To verify the quality of the output size of our algorithms, we implemented our algorithm using the SAGE computer algebra system [30] and carried out simulations on a desktop PC with Intel Xeon E5 CPU cores at 3.7 GHz. We also adapted a variant (cf. Algorithm 2.6.3 in [8]) for an efficient implementation. We experimented with lattice bases generated by the rows of matrices of the following shape.
where q and the \(\gamma _i\) are algebraic integers chosen uniformly at random from \({\mathbb Z}_K\). Bases of this HNF type have potential cryptographic applications, as shown for instance in Sect. 4.1. Recall that the above lattice with \(\gamma _i \equiv \gamma ^i \mod q\) is equivalent to the lattice generated by Eq. (2).
Let M be a \({\mathbb Z}\)-lattice of dimension d. When assessing the quality of the output of a lattice reduction, one mainly considers the Hermite factor, \(||{\mathbf b_1} ||/{\text {vol}}(M)^{1/d}\). Let us now consider M as a \({\mathbb Z}_K\)-lattice of dimension n (i.e. \([{\mathbb Z}_K : {\mathbb Z}] =d/n \)). Let \(\mathbf c_1 = (c_{1,1}, \dots , c_{1,n}) \in {\mathbb Z}_K^n\) be an output of the reduction and define \(||{\mathbf {c}_1 } ||_\infty := \max _{ 1\le j \le n } ||{ c_{1,j} } ||_\infty \). In our experiments, we consider the factor \(C := ||{\mathbf {c}_1 } ||_\infty / {\text {vol}} (M)^{1/d}\) to measure the quality of the output. The classical Hermite factor achieved by our reduction is then bounded by \(C^{1/d} \cdot {d}^{1/2d}\). Note that \({\text {vol}}(M) = N_{K/{\mathbb Q}} ( {\text {det}}(M) ) = N_{K/{\mathbb Q}} (q)\).
We randomly sampled q so that its coefficients are of 100 bits and chose the \(\gamma _i\) so that their coefficients are of smaller bitsize than those of q. We carried out our lattice reduction on many lattices sampled in this way and computed the average of the factor C. As in the classical case, we can say that the output quality is good enough if \(C^{1/d}\) is small.
Output Quality of Algorithm 3. We ran Algorithm 3 on a hundred n-dimensional \({\mathbb Z}[\zeta _k]\)-lattices for each \(10 \le n \le 50\) and \(k=5, 8\) and 16. Surprisingly, the factor \(C^{1/d}\) seems to behave consistently. In other words, it seems that the factor C depends only (exponentially) on the dimension n (see Fig. 1) and \(C^{1/d}\) is well bounded by a small constant. To give a concrete example, consider 50-dimensional lattices over \({\mathbb Z}[\zeta _8]\). By running the algorithm over hundreds of lattices of the above form, we obtained \(C^{1/d}=C^{1/4n}\approx 1.02\) on average. The classical Hermite factor is then bounded by \(C^{1/d} \cdot d^{1/2d} \approx 1.0335 \), which is smaller than the worst-case bound on the Hermite factor, \((4/3)^{1/4}\approx 1.0754\). As shown in Fig. 2, we observe that \(C^{1/d}\) lies between 1.01 and 1.05 regardless of the dimension of the lattices. As a remark, we used the parameter \(\mathfrak M(K) = 1/2\) or 1/5 according to K and chose \(\delta =3/4\).
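The quality measure just described, worked through in code for \({\mathbb Z}[\zeta _8]\)-lattices of the HNF shape above. This is an added example, not the paper's SAGE code from Appendix B: it computes \(N_{K/{\mathbb Q}}(q)\) via the multiplication-by-q matrix, the coefficient-wise infinity norm of the first output vector, the factor C, and the bound \(C^{1/d} \cdot d^{1/2d}\); the sample inputs are constructed, and the use of the maximal coefficient as \(||{ c_{1,j} } ||_\infty\) is an assumption.

```python
from fractions import Fraction

# Added example, not the paper's code. Elements of Z[zeta_8] are coefficient
# lists [a0, a1, a2, a3] meaning a0 + a1*zeta + a2*zeta^2 + a3*zeta^3, zeta^4 = -1.
DEG = 4  # [Z[zeta_8] : Z]; a rank-n Z_K-lattice is a Z-lattice of dimension d = 4n

def mult_matrix(q):
    """Integer matrix of multiplication by q on the Z-basis 1, zeta, zeta^2, zeta^3."""
    m = [[0] * DEG for _ in range(DEG)]
    for j in range(DEG):            # column j holds the coefficients of zeta^j * q
        for i, a in enumerate(q):
            e = i + j               # zeta^e with e < 2*DEG; zeta^(e) = -zeta^(e-4) if e >= 4
            m[e % DEG][j] += -a if e >= DEG else a
    return m

def det(m):
    """Exact determinant by Gaussian elimination over the rationals."""
    m = [[Fraction(x) for x in row] for row in m]
    n, d = len(m), Fraction(1)
    for i in range(n):
        p = next((r for r in range(i, n) if m[r][i] != 0), None)
        if p is None:
            return 0
        if p != i:
            m[i], m[p] = m[p], m[i]
            d = -d
        d *= m[i][i]
        for r in range(i + 1, n):
            f = m[r][i] / m[i][i]
            for c in range(i, n):
                m[r][c] -= f * m[i][c]
    return int(d)

def field_norm(q):
    """N_{K/Q}(q), which equals vol(M) for the HNF lattice with q on the diagonal."""
    return abs(det(mult_matrix(q)))

def inf_norm(c1):
    """||c_1||_inf = max_j ||c_{1,j}||_inf, taking the largest coefficient of each entry (assumption)."""
    return max(abs(a) for entry in c1 for a in entry)

def root_hermite_bound(c_root, d):
    """The bound C^{1/d} * d^{1/(2d)} on the root Hermite factor, given C^{1/d} and d."""
    return c_root * d ** (1.0 / (2 * d))

def quality(c1, q):
    """Return (C, C^{1/d}, bound) for a first output vector c1 in Z_K^n and modulus q."""
    d = DEG * len(c1)
    C = inf_norm(c1) / field_norm(q) ** (1.0 / d)
    c_root = C ** (1.0 / d)
    return C, c_root, root_hermite_bound(c_root, d)

LLL_WORST_CASE = (4.0 / 3.0) ** 0.25   # ~1.0754, the classical worst-case bound for delta = 3/4
```

With the paper's reported \(C^{1/d} \approx 1.02\) and d = 200, `root_hermite_bound(1.02, 200)` reproduces the ~1.0335 figure quoted above.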
Timing Results of Algorithm 3. All of the \({\mathbb Z}_K\)-lattices considered above can also be regarded as \({\mathbb Z}\)-lattices of the corresponding dimension. We compared the speed of our algorithm with the classical LLL algorithm. Since our implementation is far from well optimized yet, we avoided the internal LLL function of SAGE so that the comparison stays consistent, and used equivalently optimized code for the classical LLL algorithm and for our algorithm. For completeness, we include our code in Appendix B.
To give a concrete example, let \(K={\mathbb Q}(\zeta _8)\) and consider a \({\mathbb Z}_K\)-lattice of dimension 20. Then it translates to a \({\mathbb Z}\)-lattice of dimension 80. To get a reduced basis, on average, it took 20.40 s over \({\mathbb Z}_K\) which was much faster than 75.40 s running over \({\mathbb Z}\). We present the comparison of the average running time in Fig. 3 for \({\mathbb Z}_K={\mathbb Z}[\zeta _5]\) and \({\mathbb Z}[\zeta _{8}]\).
Comparison of Algorithms 2 and 3 over \({\mathbb Z}[\zeta _8]\)-Lattices. The 8-th cyclotomic field \(K={\mathbb Q}(\zeta _8)\) is also a biquadratic field since \({\mathbb Q}(\zeta _8)={\mathbb Q}( \sqrt{-1}, \sqrt{2} )\). Thus both of our proposed algorithms can be applied, and we ran both. As a result, it appears that Algorithm 3 performs better than Algorithm 2. To give a concrete example, for 10-dimensional lattices, the average of the constant for Algorithm 3 was \(C^{1/d} \approx 1.012\). On the other hand, we have \(C^{1/d} \approx 2.976\) on average for Algorithm 2. Algorithm 3 was also better than Algorithm 2 with respect to the practical running time.
B SAGE Implementation
© 2017 Springer International Publishing AG
Kim, T., Lee, C. (2017). Lattice Reductions over Euclidean Rings with Applications to Cryptanalysis. In: O'Neill, M. (eds) Cryptography and Coding. IMACC 2017. Lecture Notes in Computer Science(), vol 10655. Springer, Cham. https://doi.org/10.1007/978-3-319-71045-7_19
DOI: https://doi.org/10.1007/978-3-319-71045-7_19
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-71044-0
Online ISBN: 978-3-319-71045-7