Subfield Algorithms for Ideal- and Module-SVP Based on the Decomposition Group

by   Christian Porter, et al.

Whilst lattice-based cryptosystems are believed to be resistant to quantum attack, they are often forced to pay for that security with inefficiencies in implementation. This problem is overcome by ring- and module-based schemes such as Ring-LWE or Module-LWE, whose keysize can be reduced by exploiting its algebraic structure, allowing for neater and faster computations. Many rings may be chosen to define such cryptoschemes, but cyclotomic rings, due to their cyclic nature allowing for easy multiplication, are the community standard. However, there is still much uncertainty as to whether this structure may be exploited to an adversary's benefit. In this paper, we show that the decomposition group of a cyclotomic ring of arbitrary conductor may be utilised in order to significantly decrease the dimension of the ideal (or module) lattice required to solve a given instance of SVP. Moreover, we show that there exist a large number of rational primes for which, if the prime ideal factors of an ideal lie over primes of this form, give rise to an "easy" instance of SVP. However, it is important to note that this work does not break Ring-LWE or Module-LWE, since the security reduction is from worst case ideal or module SVP to average case Ring-LWE or Module-LWE respectively, and is one way.


page 1

page 2

page 3

page 4


On the ideal shortest vector problem over random rational primes

Any ideal in a number field can be factored into a product of prime idea...

A Coefficient-Embedding Ideal Lattice can be Embedded into Infinitely Many Polynomial Rings

Many lattice-based crypstosystems employ ideal lattices for high efficie...

Non-Commutative Ring Learning With Errors From Cyclic Algebras

The Learning with Errors (LWE) problem is the fundamental backbone of mo...

Cyclic Lattices, Ideal Lattices and Bounds for the Smoothing Parameter

Cyclic lattices and ideal lattices were introduced by Micciancio in <cit...

M-cancellation Ideals

Let R be a commutative ring with non–zero identy and let M be an R–modul...

Cryptanalysis of the DHDP and EGDP protocols over E_p^(m)

In this paper we break the protocol based on the Diffie-Hellman Decompos...

Lattice attack on group ring NTRU: The case of the dihedral group

Group ring NTRU (GR-NTRU) provides a general structure to design differe...

Please sign up or login with your details

Forgot password? Click here to reset