Computing Generator in Cyclotomic Integer Rings

Size: px

Start display at page:

Download "Computing Generator in Cyclotomic Integer Rings"

Bertina Pierce
5 years ago
Views:

1 A subfield algorithm for the Principal Ideal Problem in L 1 K 2 and application to the cryptanalysis of a FHE scheme Jean-François Biasse 1 Thomas Espitau 2 Pierre-Alain Fouque 3 Alexandre Gélin 2 Paul Kirchner 4 University of South Florida, Department of Mathematics and Statistics, Tampa, USA Sorbonne Universités, UPMC Paris 6, UMR 7606, LIP6, Paris, France Institut Universitaire de France, Paris, France and Université de Rennes 1, France École Normale Supérieure, Paris, France 2017/05/01

2 The Principal Ideal Problem Definition The Principal Ideal Problem PIP consists in finding a generator of an ideal, assuming it is principal.

3 The Principal Ideal Problem Definition The Short Principal Ideal Problem SPIP consists in finding a short generator of an ideal, assuming it is principal.

4 The Principal Ideal Problem Definition The Short Principal Ideal Problem SPIP consists in finding a short generator of an ideal, assuming it is principal. Base of several cryptographical schemes [SV10],[GGH13]

5 The Principal Ideal Problem Definition The Short Principal Ideal Problem SPIP consists in finding a short generator of an ideal, assuming it is principal. Base of several cryptographical schemes [SV10],[GGH13] Two distinct phases: 1 Given the Z-basis of the ideal a = g, find a not necessarily short generator g = g u for a unit u. 2 From g, find a short generator of the ideal.

6 The Principal Ideal Problem Definition The Short Principal Ideal Problem SPIP consists in finding a short generator of an ideal, assuming it is principal. Base of several cryptographical schemes [SV10],[GGH13] Two distinct phases: 1 Given the Z-basis of the ideal a = g, find a not necessarily short generator g = g u for a unit u. 2 From g, find a short generator of the ideal. Campbell, Groves, and Sheperd 2014 found a solution in polynomial time for the second point for power-of-two cyclotomic fields. Cramer, Ducas, Peikert, and Regev 2016 provided a proof and an extension to prime-power cyclotomic fields.

7 FHE scheme Smart and Vercauteren PKC 2010 Key Generation: 1 Fix the security parameter N = 2 n. 2 Let F X = X N + 1 be the polynomial defining the cyclotomic field K = Qζ 2N. 3 Set GX = SX, for SX of degree N 1 with coefficients in such that the norm N Gζ 2N is prime. 4 Set g = Gζ 2N O K. 5 Return the secret key sk = g and the public key pk = HNF g. [ 2 N, 2 ] N,

8 FHE scheme Smart and Vercauteren PKC 2010 Key Generation: 1 Fix the security parameter N = 2 n. 2 Let F X = X N + 1 be the polynomial defining the cyclotomic field K = Qζ 2N. 3 Set GX = SX, for SX of degree N 1 with coefficients in such that the norm N Gζ 2N is prime. 4 Set g = Gζ 2N O K. 5 Return the secret key sk = g and the public key pk = HNF g. [ 2 N, 2 ] N, Our goal: Recover the secret key from the public key.

9 Outline of the algorithm 1 Perform a reduction from the cyclotomic field to its totally real subfield, allowing to work in smaller dimension. 2 Then a q-descent makes the size of involved ideals decrease. 3 Collect relations and run linear algebra to construct small ideals and a generator. 4 Eventually run the derivation of the short generator from a bigger one.

10 Outline of the algorithm 1 Perform a reduction from the cyclotomic field to its totally real subfield, allowing to work in smaller dimension. 2 Then a q-descent makes the size of involved ideals decrease. 3 Collect relations and run linear algebra to construct small ideals and a generator. 4 Eventually run the derivation of the short generator from a bigger one. All the complexities are expressed as a function of the field discriminant Qζ2N = N N, for N = 2 n.

11 Outline of the algorithm 1 Perform a reduction from the cyclotomic field to its totally real subfield, allowing to work in smaller dimension. 2 Then a q-descent makes the size of involved ideals decrease. 3 Collect relations and run linear algebra to construct small ideals and a generator. 4 Eventually run the derivation of the short generator from a bigger one. All the complexities are expressed as a function of the field discriminant Qζ2N = N N, for N = 2 n. For instance, L K α = 2 N α+o1.

12 1. Reduction to the totally real subfield Goal: Halving the dimension of the ambient field Gentry-Szydlo algorithm: Polynomial complexity Input: a Z-basis of I = u and u ū Output: the generator u

13 1. Reduction to the totally real subfield Goal: Halving the dimension of the ambient field Gentry-Szydlo algorithm: Polynomial complexity Input: a Z-basis of I = u and u ū Output: the generator u Problem: no information about g ḡ g is the private key

14 1. Reduction to the totally real subfield Goal: Halving the dimension of the ambient field Gentry-Szydlo algorithm: Polynomial complexity Input: a Z-basis of I = u and u ū Output: the generator u Solution: we introduce u = N ggḡ 1

15 1. Reduction to the totally real subfield Goal: Halving the dimension of the ambient field Gentry-Szydlo algorithm: Polynomial complexity Input: a Z-basis of I = u and u ū Output: the generator u Solution: we introduce u = N ggḡ 1 Z-basis of g = Z-basis of u and u ū = N g 2

16 1. Reduction to the totally real subfield Goal: Halving the dimension of the ambient field Gentry-Szydlo algorithm: Polynomial complexity Input: a Z-basis of I = u and u ū Output: the generator u Solution: we introduce u = N ggḡ 1 Z-basis of g = Z-basis of u and u ū = N g 2 In the end, we get g ḡ 1 and a Z-basis of I + = g + ḡ Qζ + ζ 1

17 1. Reduction to the totally real subfield Goal: Halving the dimension of the ambient field Gentry-Szydlo algorithm: Polynomial complexity Input: a Z-basis of I = u and u ū Output: the generator u Solution: we introduce u = N ggḡ 1 Z-basis of g = Z-basis of u and u ū = N g 2 In the end, we get g ḡ 1 and a Z-basis of I + = g + ḡ Qζ + ζ 1 Once we have a generator for I +, we get one for I by multiplying by ḡ g 1

18 2. The q-descent I + = a 0 Input ideal Norm arbitrary large a 1 1 a a 1 n 1 a 2 1 a a 2 n 2 a 3 1 a a 3 n 3 a l 1 a l 1 a l 2... a l n l

19 2. The q-descent I + = a 0 Input ideal Norm arbitrary large a 1 1 a a 1 n 1 Initial reduction Norm: L 3 K 2 a 2 1 a a 2 n 2 a 3 1 a a 3 n 3 a l 1 a l 1 a l 2... a l n l

20 2. The q-descent I + = a 0 Input ideal Norm arbitrary large a 1 1 a a 1 n 1 Initial reduction L K 1-smooth a 2 1 a a 2 n 2 a 3 1 a a 3 n 3 a l 1 a l 1 a l 2... a l n l

21 2. The q-descent I + = a 0 Input ideal Norm arbitrary large a 1 1 a a 1 n 1 Initial reduction L K 1-smooth a 2 1 a a 2 n 2 First step Norm: L 5 K 4 a 3 1 a a 3 n 3 a l 1 a l 1 a l 2... a l n l

22 2. The q-descent I + = a 0 Input ideal Norm arbitrary large a 1 1 a a 1 n 1 Initial reduction L K 1-smooth a 2 1 a a 2 n 2 First step L 3 K 4 -smooth a 3 1 a a 3 n 3 a l 1 a l 1 a l 2... a l n l

23 2. The q-descent I + = a 0 Input ideal Norm arbitrary large a 1 1 a a 1 n 1 Initial reduction L K 1-smooth a 2 1 a a 2 n 2 First step L 3 K 4 -smooth a 3 1 a a 3 n 3 Second step Norm: L 9 K 8 a l 1 a l 1 a l 2... a l n l

24 2. The q-descent I + = a 0 Input ideal Norm arbitrary large a 1 1 a a 1 n 1 Initial reduction L K 1-smooth a 2 1 a a 2 n 2 First step L 3 K 4 -smooth a 3 1 a a 3 n 3 Second step L 5 K 8 -smooth a l 1 a l 1 a l 2... a l n l

25 2. The q-descent I + = a 0 Input ideal Norm arbitrary large a 1 1 a a 1 n 1 Initial reduction L K 1-smooth a 2 1 a a 2 n 2 First step L 3 K 4 -smooth a 3 1 a a l 1... a 3 n 3 Second step L 5 K 8 -smooth Last but one step Norm: L K 1 a l 1 a l 2... a l n l

26 2. The q-descent I + = a 0 Input ideal Norm arbitrary large a 1 1 a a 1 n 1 Initial reduction L K 1-smooth a 2 1 a a 2 n 2 First step L 3 K 4 -smooth a 3 1 a a l 1... a 3 n 3 Second step L 5 K 8 -smooth Last but one step L K 2 -smooth a l 1 a l 2... a l n l

27 2. The q-descent I + = a 0 Input ideal Norm arbitrary large a 1 1 a a 1 n 1 Initial reduction L K 1-smooth a 2 1 a a 2 n 2 First step L 3 K 4 -smooth a 3 1 a a l 1... a 3 n 3 Second step L 5 K 8 -smooth Last but one step L K 2 -smooth a l 1 a l 2... a l n l Last step Norm: L K 1

28 2. The q-descent I + = a 0 Input ideal Norm arbitrary large a 1 1 a a 1 n 1 Initial reduction L K 1-smooth a 2 1 a a 2 n 2 First step L 3 K 4 -smooth a 3 1 a a l 1... a 3 n 3 Second step L 5 K 8 -smooth Last but one step L K 2 -smooth a l 1 a l 2... a l n l Last step L 1 K 2 -smooth

29 2.1. The q-descent Initial round Input: a of norm arbitrarily large

30 2.1. The q-descent Initial round Input: a of norm arbitrarily large Tool: DBKZ-reduction with block-size log K 1 2 N on the lattice built from the canonical embedding O K + R N 2

31 2.1. The q-descent Initial round Input: a of norm arbitrarily large Tool: DBKZ-reduction with block-size log K 1 2 N on the lattice built from the canonical embedding O K + R N 2 Output: small vector algebraic integer v a = ideal b O K + s.t. v = a b and N b L 3 K 2

32 2.1. The q-descent Initial round Input: a of norm arbitrarily large Tool: DBKZ-reduction with block-size log K 1 2 N on the lattice built from the canonical embedding O K + R N 2 Output: small vector algebraic integer v a = ideal b O K + s.t. v = a b and N b L 3 K 2 Cost: DBKZ-reduction Poly N, log N a L K 2

33 Smoothness tests & Randomization Heuristic We assume that the probability P that an ideal of norm bounded by L K a is a power-product of prime ideals of norm bounded by B = L K b satisfies P L K a b 1. Using ECM algorithm, each B-smoothness test costs L K b 2.

34 Smoothness tests & Randomization Heuristic We assume that the probability P that an ideal of norm bounded by L K a is a power-product of prime ideals of norm bounded by B = L K b satisfies P L K a b 1. Using ECM algorithm, each B-smoothness test costs L K b 2. Conclusion: b is L K 1-smooth with probability L 1 K 2 and one test costs L 1 K 2. 1

35 Smoothness tests & Randomization Heuristic We assume that the probability P that an ideal of norm bounded by L K a is a power-product of prime ideals of norm bounded by B = L K b satisfies P L K a b 1. Using ECM algorithm, each B-smoothness test costs L K b 2. Conclusion: b is L K 1-smooth with probability L 1 K 2 and one test costs L 1 K 2. 1 = We use L 1 K 2 ideals ã = a p e i i for small prime ideals p i and integers e i to be sure to derive one b that is L K 1-smooth.

36 2.2. The q-descent Subsequent steps We cannot reduce the norm using the same lattice-reduction.

37 2.2. The q-descent Subsequent steps We cannot reduce the norm using the same lattice-reduction. Solution: Cheon s trick Use the coefficient embedding in the basis ζ i + ζ i i Compute the HNF of the integral lattice Find a short vector in a sublattice of smaller dimension

38 2.2. The q-descent Subsequent steps We cannot reduce the norm using the same lattice-reduction. Solution: Cheon s trick Use the coefficient embedding in the basis ζ i + ζ i i Compute the HNF of the integral lattice Find a short vector in a sublattice of smaller dimension Input: a with N a L K α

39 2.2. The q-descent Subsequent steps We cannot reduce the norm using the same lattice-reduction. Solution: Cheon s trick Use the coefficient embedding in the basis ζ i + ζ i i Compute the HNF of the integral lattice Find a short vector in a sublattice of smaller dimension Input: a with N a L K α Output: algebraic integer v a and ideal b O K + s.t. v = a b and N b L 2α+3 K 4

40 2.2. The q-descent Subsequent steps We cannot reduce the norm using the same lattice-reduction. Solution: Cheon s trick Use the coefficient embedding in the basis ζ i + ζ i i Compute the HNF of the integral lattice Find a short vector in a sublattice of smaller dimension Input: a with N a L K α Output: algebraic integer v a and ideal b O K + s.t. v = a b and N b L 2α+3 K 4 L 2α+1 K 4 -smooth

41 2.2. The q-descent Subsequent steps We cannot reduce the norm using the same lattice-reduction. Solution: Cheon s trick Use the coefficient embedding in the basis ζ i + ζ i i Compute the HNF of the integral lattice Find a short vector in a sublattice of smaller dimension Input: a with N a L K α Output: algebraic integer v a and ideal b O K + s.t. v = a b and N b L 2α+3 K 4 L 2α+1 K 4 -smooth Cost: L K 2 for lattice reduction & smoothness tests

42 2.3. The q-descent The final step After l 1 steps, ideals have norm below L K l.

43 2.3. The q-descent The final step After l 1 steps, ideals have norm below L K l. For l = log 2 log N, we have L K l L K = L log N K 1. 2

44 2.3. The q-descent The final step After l 1 steps, ideals have norm below L K l. For l = log 2 log N, we have L K l L K Conclusion: All ideals have norm below L K = L log N K 1. 2

45 2.3. The q-descent The final step After l 1 steps, ideals have norm below L K l. For l = log 2 log N, we have L K l L K Conclusion: All ideals have norm below L K = L log N K They are at most N l L K 2 ideals 1. 2

46 2.3. The q-descent The final step After l 1 steps, ideals have norm below L K l. For l = log 2 log N, we have L K l L K Conclusion: All ideals have norm below L K = L log N K They are at most N l L K 2 ideals The total runtime of the q-descent is L K

47 3. Solution for smooth ideals Input: Bunch of prime ideals of norm below B = L K 2

48 3. Solution for smooth ideals Input: Bunch of prime ideals of norm below B = L 1 K 2 Index Calculus Method: Factor base: set of all prime ideals with norm below B

49 3. Solution for smooth ideals Input: Bunch of prime ideals of norm below B = L 1 K 2 Index Calculus Method: Factor base: set of all prime ideals with norm below B Relation collection: construction of a full-rank matrix M

50 3. Solution for smooth ideals Input: Bunch of prime ideals of norm below B = L K 2 Index Calculus Method: Factor base: set of all prime ideals with norm below B Relation collection: construction of a full-rank matrix M Relation: principal ideal that splits on the factor base. Test ideals generated by v = v i ζ i + ζ i for v i log K.

51 3. Solution for smooth ideals Input: Bunch of prime ideals of norm below B = L K 2 Index Calculus Method: Factor base: set of all prime ideals with norm below B Relation collection: construction of a full-rank matrix M Relation: principal ideal that splits on the factor base. Test ideals generated by v = v i ζ i + ζ i for v i log K. Norm below L K 1 = L K 2 -smooth ideals in L K 2.

52 3. Solution for smooth ideals Input: Bunch of prime ideals of norm below B = L 1 K 2 Index Calculus Method: Factor base: set of all prime ideals with norm below B Relation collection: construction of a full-rank matrix M v 1 v 2. v Q B. M 1,1 M 1, B M 2,1 M 2, B.. M Q B,1 M Q B, B B = i, v i = j=1 p M i,j j

53 3. Solution for smooth ideals Input: Bunch of prime ideals of norm below B = L K 2 Index Calculus Method: Factor base: set of all prime ideals with norm below B Relation collection: construction of a full-rank matrix M A N-dimensional vector Y including all the valuations of the smooth ideals in the p i

54 3. Solution for smooth ideals Input: Bunch of prime ideals of norm below B = L K 2 Index Calculus Method: Factor base: set of all prime ideals with norm below B Relation collection: construction of a full-rank matrix M A N-dimensional vector Y including all the valuations of the smooth ideals in the p i A solution X of MX = Y provides a generator of the product of the L K 2 -smooth ideals

55 Implementation results PARI-GP and fplll for BKZ-reductions IntelR XeonR CPU E GHz with 32GB of memory Dimension of the field: N = 2 8 = 256.

56 Implementation results PARI-GP and fplll for BKZ-reductions IntelR XeonR CPU E GHz with 32GB of memory Dimension of the field: N = 2 8 = 256. Gentry-Szydlo: 20h and 24GB memory

57 Implementation results PARI-GP and fplll for BKZ-reductions IntelR XeonR CPU E GHz with 32GB of memory Dimension of the field: N = 2 8 = 256. Gentry-Szydlo: 20h and 24GB memory BKZ-reduction: between 10 min and 4h Descent reduced to only one step

58 Implementation results PARI-GP and fplll for BKZ-reductions IntelR XeonR CPU E GHz with 32GB of memory Dimension of the field: N = 2 8 = 256. Gentry-Szydlo: 20h and 24GB memory BKZ-reduction: between 10 min and 4h Descent reduced to only one step We recover g ζ i and so the secret key g in less than a day.

59 Thanks Thank you

Computing generator in cyclotomic integer rings

Computing generator in cyclotomic integer rings Jean-François Biasse, Thomas Espitau, Pierre-Alain Fouque, Alexandre Gélin, Paul Kirchner To cite this version: Jean-François Biasse, Thomas Espitau, Pierre-Alain