Mildly Short Vectors in Cyclotomic Ideal Lattices in Quantum Polynomial Time
نویسندگان
چکیده
In this article, we study the geometry of units and ideals cyclotomic rings derive an algorithm to find a mildly short vector in any given ideal lattice quantum polynomial time, under some plausible number-theoretic assumptions. More precisely, ring conductor m , finds approximation shortest by factor exp (Õ(√ )). This result exposes unexpected hardness gap between these structured lattices general lattices: The best known time generic algorithms can only reach (Õ(m)). Following recent series attacks, results call into question various problems over lattices, such as Ideal-SVP Ring-LWE, upon which relies security number cryptographic schemes. N OTE . article is extended version conference paper [11]. are generalized arbitrary fields. particular, also extend Reference [10] addition, prove numerical stability method [10]. These appeared Ph.D. dissertation third author [46].
منابع مشابه
Sieving for Shortest Vectors in Ideal Lattices
Lattice based cryptography is gaining more and more importance in the cryptographic community. It is a common approach to use a special class of lattices, so-called ideal lattices, as the basis of lattice based crypto systems. This speeds up computations and saves storage space for cryptographic keys. The most important underlying hard problem is the shortest vector problem. So far there is no ...
متن کاملPolynomial time reduction from approximate shortest vector problem to the principle ideal porblem for lattices in cyclotomic rings
Many cryptographic schemes have been established based on the hardness of lattice problems. For the asymptotic efficiency, ideal lattices in the ring of cyclotomic integers are suggested to be used in most such schemes. On the other hand in computational algebraic number theory one of the main problem is called principle ideal problem (PIP). Its goal is to find a generators of any principle ide...
متن کاملPolynomial Time Reduction from Approximate Shortest Vector Problem to Principal Ideal Problem for Lattices in Some Cyclotomic Rings
Many cryptographic schemes have been established based on the hardness of lattice problems. For the asymptotic efficiency, ideal lattices in the ring of cyclotomic integers are suggested to be used in most such schemes. On the other hand in computational algebraic number theory one of the main problem is the principal ideal problem (PIP). Its goal is to find a generator of any principal ideal i...
متن کاملSieving for shortest vectors in ideal lattices: a practical perspective
The security of many lattice-based cryptographic schemes relies on the hardness of finding short vectors in integral lattices. We propose a new variant of the parallel Gauss sieve algorithm to compute such short vectors. It combines favorable properties of previous approaches resulting in reduced run time and memory requirement per node. Our publicly available implementation outperforms all pre...
متن کاملAdvances on quantum cryptanalysis of ideal lattices
knowledge, the same problems remain hard over arbitrary lattices, even with a quantum computer. More precisely, for certain sub-exponential approximation factors a, a-SVP on ideal lattices admit a polynomial-time algorithm, as depicted in Figure 1. In this survey, we give an overview of the techniques that have lead to these results. The first quantum attack on certain ideal lattices of cycloto...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
ژورنال
عنوان ژورنال: Journal of the ACM
سال: 2021
ISSN: ['0004-5411', '1557-735X']
DOI: https://doi.org/10.1145/3431725