Computing generator in cyclotomic integer rings
نویسندگان
چکیده
The Principal Ideal Problem (resp. Short Principal Ideal Problem), shorten as PIP (resp. SPIP), consists in finding a generator (resp. short generator) of a principal ideal in the ring of integers of a number field. Several lattice-based cryptosystems rely on the presumed hardness of these two problems. In practice, most of them do not use an arbitrary number field but a power-of-two cyclotomic field. The Smart and Vercauteren fully homomorphic encryption scheme and the multilinear map of Garg, Gentry, and Halevi epitomize this common restriction. Recently, Cramer, Ducas, Peikert, and Regev showed that solving the SPIP in such cyclotomic rings boiled down to solving the PIP. In this paper, we present a heuristic algorithm that solves the PIP in prime-power cyclotomic fields in subexponential time L|∆K| (1/2), where ∆K denotes the discriminant of the number field. This is achieved by descending to its totally real subfield. The implementation of our algorithm allows to recover in practice the secret key of the Smart and Vercauteren scheme, for the smallest proposed parameters (in dimension 256).
منابع مشابه
Computing Generator in Cyclotomic Integer Rings - A Subfield Algorithm for the Principal Ideal Problem in L|Δ𝕂|(½) and Application to the Cryptanalysis of a FHE Scheme
متن کامل
Computing generator in cyclotomic integer rings A L|∆K| (1/2) algorithm for the Principal Ideal Problem and application to the cryptanalysis of a FHE scheme
The Principal Ideal Problem (resp. Short Principal Ideal Problem), shorten as PIP (resp. SPIP), consists in finding a generator (resp. short generator) of a principal ideal in the ring of integers of a number field. Several lattice-based cryptosystems rely on the presumed hardness of these two problems. Yet, in practice, most of them do not use an arbitrary number field but a power-of-two cyclo...
متن کاملPolynomial Time Reduction from Approximate Shortest Vector Problem to Principal Ideal Problem for Lattices in Some Cyclotomic Rings
Many cryptographic schemes have been established based on the hardness of lattice problems. For the asymptotic efficiency, ideal lattices in the ring of cyclotomic integers are suggested to be used in most such schemes. On the other hand in computational algebraic number theory one of the main problem is the principal ideal problem (PIP). Its goal is to find a generator of any principal ideal i...
متن کاملSubring Homomorphic Encryption
In this paper, we construct subring homomorphic encryption scheme that is a homomorphic encryption scheme built on the decomposition ring, which is a subring of cyclotomic ring. In the scheme, each plaintext slot contains an integer in Zpl , rather than an element of GF(p) as in conventional homomorphic encryption schemes on cyclotomic rings. Our benchmark results indicate that the subring homo...
متن کاملSequences related to Legendre/Jacobi sequences
Two families of binary sequences are constructed from dth order cyclotomic generator and from dth order generalized cyclotomic generator with respect to two distinct primes respectively. By using estimates of certain exponential sums over rings or fields, the upper bounds of both the well-distribution measure and the order k (at least for small k) correlation measure of the resulting binary seq...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
عنوان ژورنال:
- IACR Cryptology ePrint Archive
دوره 2016 شماره
صفحات -
تاریخ انتشار 2016