Cryptanalysis of the multilinear map on the ideal lattices

We improve the zeroizing attack on the multilinear map of Garg, Gentry and Halevi (GGH). Our algorithm can solve the Graded Decisional Diffie-Hellman (GDDH) problem on the GGH scheme when the dimension n of the ideal lattice Z[X]/(X+1) is O(κλ) as suggested for the κ-linear GGH scheme. The zeroizing attack is to recover a basis of an ideal generated by a secret element g ∈ Z[X]/(X + 1) from the zero testing parameter and several encodings in public. It can solve the DLIN and subgroup decision problems, but not the GDDH problem on the GGH scheme for the suggested dimension n due to the hardness of the smallest basis problem and the shortest vector problem on the ideal lattice. In this paper, we propose an algorithm to find a short vector in the ideal lattice 〈g〉 by applying a lattice reduction to a sublattice obtained from the Hermit Normal Form of 〈g〉. This attack utilizes that the determinant of the lattice 〈g〉 is not large. We further show that if g has a large residual degree, one can find a short element of g in polynomial time of n. In order to resist the proposed attacks, it is required that n = Ω̃(κλ) and the positive generator of 〈g〉 ∩ Z is large enough.