Lattice Reductions over Euclidean Rings with Applications to Cryptanalysis

Abstract

Lattices over number fields arise from various fascinating applications in cryptography. In this paper, we present two algorithms that find a nice, short basis of lattices over arbitrary Euclidean domains. One of the algorithms finds a reduced basis of lattices over biquadratic Euclidean rings with overwhelming probability. We prove that its output is bounded by a constant that depends only on the lattices.

The second algorithm applies to arbitrary norm-Euclidean domain. It is given without the proof of the output quality, nevertheless, we experimentally verify that the algorithm outputs a reasonably good basis and it conjecturally supports the quality of our algorithm.

We also show that the proposed algorithms can be used in various cryptanalytic applications. As a concrete example, we discuss how our algorithm improves special-\(\mathfrak q\) descent step in tower number field sieve method, which is one of the best known algorithms to solve the discrete logarithm problem over finite fields.

C. Lee—Supported by Next-Generation Information Computing Development Program through the National Research Foundation of Korea(NRF) funded by the Ministry of Science, ICT & Future Planning (NRF-2016M3C4A7937116).

Appendices

Appendix

A  Simulation Results

To verify the quality of the output size of our algorithms, we implemented our algorithm using the SAGE computer algebra system [30] and carried out simulations on a desktop PC with Intel Xeon E5 CPU cores at 3.7 GHz. We also adapted a variant (cf. Algorithm 2.6.3 in [8]) for efficient implementations. We experimented lattice bases generated by the rows of the following shape.

$$ \left( \begin{array}{ccccc} ~q~ &{} ~0~ &{} ~\cdots ~ &{} ~\cdots ~ &{} ~0~ \\ \gamma _1 &{} 1 &{} ~\cdots ~ &{} ~\cdots ~ &{} ~0~ \\ \gamma _2 &{} 0 &{} 1&{} \ddots &{} 0 \\ \vdots &{} \vdots &{} \vdots &{} \ddots &{} \vdots \\ \gamma _{n-1} &{} 0 &{} \cdots &{} \cdots &{} 1\\ \end{array}\right) , $$

where q and \(\gamma _i\)’s are uniformly randomly chosen algebraic integers in \({\mathbb Z}_K\). This HNF type of bases has potential cryptographic applications, for instance, as shown in Sect. 4.1. Recall that the above lattice with \(\gamma _i \equiv \gamma ^i \mod q\) is equivalent to the lattice generated by Eq. (2).

Let M be a \({\mathbb Z}\)-lattice of dimension d. When dealing with the quality of outputs by lattice reduction, one mainly consider the Hermite factor, \(||{\mathbf b_1} ||/{\text {vol}}(M)^{1/d}\). Let us now consider M as a \({\mathbb Z}_K\)-lattice of dimension n (i.e. \([{\mathbb Z}_K : {\mathbb Z}] =d/n \)). Let \(\mathbf c_1 = (c_{1,1}, \dots , c_{1,n}) \in {\mathbb Z}_K^n\) be an output by the reduction and define by \(||{\mathbf {c}_1 } ||_\infty := \max _{ 1\le j \le n } ||{ c_{1,j} } ||_\infty \). In our experiments, we will consider a factor \(C := ||{\mathbf {c}_1 } ||_\infty / {\text {vol}} (M)^{1/d}\) to measure the quality of outputs. Then the classical Hermite’s constant by our reduction is bounded by \(C^{1/d} \cdot {d}^{1/2d}\). Note that \({\text {vol}}(M) = N_{K/{\mathbb Q}} ( {\text {det}}(M) ) = N_{K/{\mathbb Q}} (q)\).

We randomly sampled q so that its coefficients are of 100 bits and chose \(\gamma _i\) so that its coefficients are of smaller bitsize than that of q. We carried out our lattice reduction on many lattices sampled in that way and computed the average of the factor C. As the classical case, we can say that the output quality is good enough if \(C^{1/d}\) is small.

Output Quality of Algorithm 3. We experimented Algorithm 3 with a hundred of n-dimensional \({\mathbb Z}[\zeta _k]\)-lattices for each \(10 \le n \le 50\) and \(k=5, 8\) and 16. Surprisingly, the factor \(C^{1/d}\) seems to behave consistently. In other words, it seems that the factor C depends only (exponentially) on the dimension n (see Fig. 1) and \(C^{1/d}\) is well-bounded by a small constant. To give a concrete example, consider 50-dimensional lattices over \({\mathbb Z}[\zeta _8]\). By running the algorithm over hundreds of lattices of the above form, we obtained \(C^{1/d}=C^{1/4n}\approx 1.02\) on average. The classical Hermite’s constant is then bounded by \(C^{1/d} \cdot d^{1/2d} \approx 1.0335 \) which is smaller than the worst case bound of Hermite factor \((4/3)^{1/4}\approx 1.0754\). As shown in Fig. 2, we observe that \(C^{1/d}\) belongs in the range between 1.01 and 1.05 regardless the dimension of the lattices. As a remark, we used the parameter \(\mathfrak M(K) = 1/2\) or 1/5 corresponding to K and chose \(\delta =3/4\).

Timing Results of Algorithm 3. All of the \({\mathbb Z}_K\)-lattices considered above are also considered as \({\mathbb Z}\)-lattices with corresponding dimensions. We compared the speed of our algorithm with the classical LLL-algorithm. Since our implementation is far from being well-optimized yet, we avoid to use the internal LLL function in SAGE for the consistency of the comparison. We tried to use equivalently optimized code implementation for the classical LLL algorithm and our algorithm. For the completeness, we include our codes in Appendix B.

To give a concrete example, let \(K={\mathbb Q}(\zeta _8)\) and consider a \({\mathbb Z}_K\)-lattice of dimension 20. Then it translates to a \({\mathbb Z}\)-lattice of dimension 80. To get a reduced basis, on average, it took 20.40 s over \({\mathbb Z}_K\) which was much faster than 75.40 s running over \({\mathbb Z}\). We present the comparison of the average running time in Fig. 3 for \({\mathbb Z}_K={\mathbb Z}[\zeta _5]\) and \({\mathbb Z}[\zeta _{8}]\).

Fig. 1.

Average Hermite factor by Algorithm 3 over \({\mathbb Z}_K\)-lattices

Fig. 2.

Average of \(C^{1/d}\) by Algorithm 3 over \({\mathbb Z}_K\)-lattices

Fig. 3.

Time comparison of running time

Comparison of Algorithm 2 and 3 over \({\mathbb Z}[\varvec{\zeta }_\mathbf{8}]\)-Lattices. The 8-th cyclotomic fields \(K={\mathbb Q}(\zeta _8)\) is also a biquadratic field since \({\mathbb Q}(\zeta _8)={\mathbb Q}( \sqrt{-1}, \sqrt{2} )\). Thus both of our proposed algorithms can be applied. We experimented both algorithms. As a result, it appears that Algorithm 3 performs better than Algorithm 2. To give a concrete example, for 10-dimensional lattices, the average of the constant for Algorithm 3 was \(C^{1/d} \approx 1.012\). On the other hand, we have \(C^{1/d} \approx 2.976\) on average for Algorithm 2. Algorithm 3 was also better than Algorithm 2 with respect to the practical running time.

B  SAGE Implementation