A family of ring-based cryptosystems, including the multilinear maps of Garg, Gentry and Halevi [Candidate multilinear maps from ideal lattices, Advances in Cryptology—EUROCRYPT 2013, Lecture Notes in Comput. Sci. 7881, Springer, Heidelberg 2013, 1–17] and the fully homomorphic encryption scheme of Smart and Vercauteren [Fully homomorphic encryption with relatively small key and ciphertext sizes, Public Key Cryptography—PKC 2010, Lecture Notes in Comput. Sci. 6056, Springer, Berlin 2010, 420–443], are based on the hardness of finding a short generator of a principal ideal (short-PIP) in a number field typically in . In this paper, we present a polynomial-time quantum algorithm for recovering a generator of a principal ideal in , and we recall how this can be used to attack the schemes relying on the short-PIP in by using the work of Cramer et al. [R. Cramer, L. Ducas, C. Peikert and O. Regev, Recovering short generators of principal ideals in cyclotomic rings, IACR Cryptology ePrint Archive 2015, https://eprint.iacr.org/2015/313], which is derived from observations of Campbell, Groves and Shepherd [SOLILOQUY, a cautionary tale]. We put this attack into perspective by reviewing earlier attempts at providing an efficient quantum algorithm for solving the PIP in . The assumption that short-PIP is hard was challenged by Campbell, Groves and Shepherd. They proposed an approach for solving short-PIP that proceeds in two steps: first they sketched a quantum algorithm for finding an arbitrary generator (not necessarily short) of the input principal ideal. Then they suggested that it is feasible to compute a short generator efficiently from the generator in step 1. Cramer et al. validated step 2 of the approach by giving a detailed analysis. In this paper, we focus on step 1, and we show that step 1 can run in quantum polynomial time if we use an algorithm for the continuous hidden subgroup problem (HSP) due to Eisenträger et al. [K. Eisenträger, S. Hallgren, A. 
Kitaev and F. Song, A quantum algorithm for computing the unit group of an arbitrary degree number field, Proceedings of the 2014 ACM Symposium on Theory of Computing—STOC’14, ACM, New York 2014, 293–302].
A series of works describes cryptosystems relying on the hardness of finding a small generator of a principal ideal in the ring of integers of . In particular, this problem allows one to describe fully homomorphic schemes, such as that of Smart and Vercauteren , or the multilinear maps of Garg, Gentry and Halevi . Moreover, these schemes have been described as quantum safe in the absence of quantum attacks against them. This potential for quantum safety was the main appeal to scientists from the Communications Electronics Security Group (CESG) for the development of SOLILOQUY, a cryptosystem relying on the hardness of finding a short generator of a principal ideal.
Since then, the CESG has interrupted the SOLILOQUY program because there were indications that it was not as quantum safe as they originally thought. Campbell, Groves and Shepherd  (referred to as CGS hereafter) released an online draft explaining the design of SOLILOQUY and its apparent weaknesses. Most notably, they observed experimentally that finding a short generator of an ideal in the ring of integers of reduces in polynomial time to finding an arbitrary generator (which relates to the principal ideal problem). This fact was rigorously proved by Cramer et al.  shortly thereafter.
The bottleneck of a key-recovery attack against schemes relying on the hardness of finding a short generator of a principal ideal is the resolution of the PIP. A classical subexponential algorithm for this task was described by Biasse and Fieker [1, 2]. A quantum polynomial-time algorithm for solving the principal ideal problem (PIP) in classes of number fields of fixed constant degree was described by Hallgren . It consists of reducing this problem to an instance of the hidden subgroup problem (HSP) in , where n is the degree of the field, followed by an efficient quantum algorithm for the resulting HSP instance. However, the cost of both computing the reduction and running the quantum HSP algorithm grows exponentially with the degree. These two difficulties make it challenging to extend Hallgren’s algorithm to solve high-degree PIP. The draft of CGS sketches a quantum algorithm for the PIP in high-degree number fields. As usual, it consists of two components:
they reduce PIP to an instance of the HSP on that is different from the one in ;
they outline a quantum algorithm for solving this HSP.
However, the draft contains no detailed analysis to justify either step, leaving the correctness and complexity of their algorithm difficult to verify. The new reduction, component (i), does appear to be efficiently computable, and hence resolves one of the difficulties. Nonetheless, their HSP algorithm, component (ii), does not seem to supersede the quantum HSP algorithm by Hallgren in , and many experts suspect that it would not work efficiently for arbitrary (i.e., non-constant) n.
In this paper, we give a closer look at the quantum PIP algorithm proposed by CGS. We intend to distill the justified and valuable pieces out of it and try to extend them to obtain an algorithm that provably works.
Indeed, we show that, combining a valid piece of the reduction, component (i), in CGS with techniques and results from a recent work of Eisenträger et al.  (call it EHKS hereafter), one can compute a generator of a principal ideal in in quantum polynomial time. Together with the reduction from short-PIP to PIP of Cramer et al. , this yields a quantum polynomial-time attack against the FHE scheme of Smart and Vercauteren  and the multilinear maps of Garg, Gentry and Halevi .
In the appendix, we also point out some potential obstructions to component (ii) (the quantum HSP algorithm) of CGS that render it unlikely to be efficient, based on the state of the art in .
In a subsequent work , an efficient quantum algorithm is proposed that solves the general S-unit group problem in number fields of arbitrary degree. This also solves the PIP in general fields, since computing a generator of a principal ideal reduces easily to computing a suitable S-unit group.
Here we give an overview of where the CGS algorithm may fall short and of how to use the recent work EHKS to extend part of the CGS algorithm into a correct algorithm for finding a generator of an input ideal.
As is the case in both the constant-degree PIP algorithm by Hallgren  and the CGS algorithm, one first reduces the PIP problem to an HSP instance and then uses a quantum algorithm to solve the HSP problem efficiently. Roughly speaking, the HSP instance describes a function for some group G (here ) and set S such that there is a hidden discrete subgroup for which f is periodic over G and f is injective on (i.e., if and only if ).
We then need to find H with access to f, which would further allow us to find a generator of the input ideal from H. At the heart of the existing quantum HSP algorithm (e.g., ) is a quantum Fourier sampling procedure, which essentially generates uniform samples from the Fourier transform of f. In the ideal case, the Fourier transform of f will be peaked at elements of the dual group of H, from which we can recover H efficiently.
However, in reality, it is inevitable to discretize the function on (and truncate it within a finite window), because computers (classical or quantum) are digital and have only finite precision and memory. In effect, we end up with a discrete function , and its Fourier transform becomes noisy. Namely, a random sample obtained by applying the quantum Fourier sampling procedure is less likely to hit an element in the dual of H. Therefore, to get enough clean samples, one has to repeat many times. By the best known analysis , the number of repetitions grows exponentially in the dimension n. The quantum HSP algorithm outlined in CGS does not go beyond Hallgren’s algorithm, and hence is unlikely to succeed within polynomial time in n without an improved analysis.
In contrast, the recent work of EHKS proposes a conceptually new notion of HSP over continuous groups such as (call it continuous HSP). The key distinction is enforcing a stringent continuity condition on the function f. Specifically, they require f to be Lipschitz, so that the change between and is bounded by some constant factor of the change between the inputs x and y. This additional property ensures that, once we discretize it, its Fourier transform is still concentrated on the dual of H. EHKS then give a modified quantum Fourier sampling procedure to generate samples from the dual of H (with good approximation) and recover H efficiently. There is also a conceptually novel ingredient in their modified quantum Fourier sampling, which, informally speaking, samples the discrete-time Fourier transform (i.e., over ) of the discretized function rather than its discrete Fourier transform (i.e., over ). This facilitates the analysis and makes the HSP solvable in polynomial time. In the EHKS paper, they showcase the power of this new framework by reducing the problem of computing the unit group of a number field to this continuous HSP on , and hence solve the unit group problem efficiently. The reduction generates a function that hides the unit group. The function f first computes a basis for a lattice , and then encodes the lattice into a quantum state by a straddle encoding procedure .
A natural question is whether we can recast the CGS reduction, component (i), in the continuous HSP framework and solve it there. The CGS reduction is actually similar to the one above for the unit group. They propose a function , where the classical part F computes a lattice from an input , and outputs what they call a “quantum fingerprint” of the lattice . While does hide a generator of the input ideal as a subgroup in , the Lipschitz condition is not clear. Luckily, we notice that, by composing F in CGS with the straddle encoding function in EHKS, it can be shown to be a valid instance of the continuous HSP. This is possible by observing a nice connection between F and the function in EHKS, and by reusing many results in EHKS. Details are given in Section 5.
2 An (over-)simplified presentation of quantum computing
In this section, we try to convey the aspects of quantum computing that are relevant to the quantum algorithm described in  as well as to other quantum cryptanalysis algorithms without getting too technical. This is achieved at the price of some simplifications. First of all, quantum computations occur on quantum states, which are vectors of the form
where the values involved in this definition are
complex numbers such that ,
vectors of , where is the i-th element of an orthonormal basis.
The notation denotes the tensor product of and . A quantum algorithm can be viewed as a unitary matrix U in acting on a state via (matrix-vector multiplication). A quantum state only gives away information once it is measured (according to the chosen basis). This process returns the answer i with probability and leaves the system in the state . Therefore, whatever happens to the original state (for example, ) has to lead to a state whose measurement yields the result of the algorithm with good probability (typically a constant probability). More generally, when a state has the form , where the are vectors of such that and the are an orthonormal basis of , then measuring the second register yields the answer with probability and leaves the system in the state .
3 Mathematical background
A lattice is a discrete additive subgroup of for some integer m. The first minimum of a lattice is defined by
A basis of is a set of linearly independent vectors such that . The determinant of is , where is the matrix of a basis of . For a full dimensional lattice , the best upper bound we know on is in . The dual of the lattice is the lattice of vectors of such that for all .
A number field K is a finite extension of . Its ring of integers has the structure of a -lattice of degree . A number field has real embeddings and complex embeddings (coming as pairs of conjugates). The field K is isomorphic to . We can embed K in and extend the ’s to . Let be the Hermitian form on defined by , and let be the corresponding -norm. The (algebraic) norm of an element is defined by . Let such that ; then the discriminant of K is given by . The volume of the fundamental domain is , and the size of the input of algorithms working on an integral basis of is in .
A cyclotomic field is an extension of of the form , where is a primitive N-th root of unity. The ring of integers of K is , where is the N-th cyclotomic polynomial. When N is a power of two, , and when is a power of , we have (which generalizes the case ). Elements are residues of polynomials in modulo and can be identified with their coefficient vectors , where is the Euler totient of N (and the degree of ). When for p a prime, the degree of K satisfies and ; therefore , and we can express the complexity of our algorithms in terms of n (a choice we made in this paper).
Fractional ideals in K
Elements of the form , where is an (integral) ideal of the ring of integers of K and , are called fractional ideals. They have the structure of a -lattice of degree , and they form a multiplicative group . Elements of admit a unique decomposition as a power product of prime ideals of (with possibly negative exponents). The norm of integral ideals is given by , which extends to fractional ideals by . The norm of a principal (fractional) ideal agrees with the norm of its generator .
Elements that are invertible in are called units. Equivalently, they are the elements such that and also such that . The unit group of , where K is a cyclotomic field, has rank and has the form , where μ are roots of unity (torsion units) and the are non-torsion units. Such are called a system of fundamental units of . Units generate a lattice of rank r in via the embedding , where the complex embeddings are ordered such that the first ones are not conjugates of each other. When , logarithm vectors of units of the form
(the cyclotomic units) generate a sublattice of of index , where is the class number of the maximal real subfield of [19, Lemma 8.1].
Conjecture 3.1 (Weber class number problem).
For all , we have .
The hidden subgroup problem
The problem of factoring an RSA integer reduces to an instance of the so-called hidden subgroup problem (HSP).
Definition 3.2 (Hidden subgroup problem over ).
Given for a finite set X such that there exists a subgroup with
the hidden subgroup problem is the task of finding H given oracle access to f. This means finding r such that .
We want to factor an RSA integer . Let a be coprime with N (if , the factorization problem is solved) and
A solution to the HSP with f yields r, the order of , and if a is a square, we get
This means that , and may yield a non-trivial factor of N. A generalization of the HSP to allows us to solve the discrete logarithm problem in a finite group, and we can even discretize to generalize the algorithms for efficiently solving the HSP to , where m is fixed. This allows the computation of the class group, the unit group and the resolution of the PIP in classes of number fields of fixed degree . More details about these methods are given in the appendix.
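The reduction above, together with the measurement rule of Section 2, can be simulated classically for tiny moduli. The following Python block is an added example and is not code from the paper: it builds the state summing |x⟩|a^x mod N⟩, measures the second register (collapsing the first to a coset of rZ), applies the QFT over Z_Q to the first register and samples, recovers r by continued fractions, and then applies the classical post-processing gcd(a^{r/2} ± 1, N). The moduli N = 15 and N = 21, the bases a and the register size t are choices made here for illustration; the lcm/verification loop in find_period is a simplification that tolerates occasional samples rounding to a wrong denominator.

```python
# Added example (not from the paper): a classical simulation, for tiny N, of the
# quantum Fourier sampling that solves the HSP over Z of Definition 3.2, with the
# post-processing that turns the period r into factors of N.  The moduli N = 15,
# N = 21 and the register size t are choices made here for illustration.
import numpy as np
from fractions import Fraction
from math import gcd, lcm


def hsp_state(a, N, t):
    """Uniform superposition sum_x |x>|a^x mod N>, x in Z_Q with Q = 2^t, stored as
    a Q x N array of amplitudes psi[x, y]."""
    Q = 2 ** t
    psi = np.zeros((Q, N), dtype=complex)
    for x in range(Q):
        psi[x, pow(a, x, N)] = 1 / np.sqrt(Q)
    return Q, psi


def measure_second_register(psi, rng):
    """Measurement rule of Section 2: outcome y has probability sum_x |psi[x,y]|^2 and
    the first register collapses to the renormalised column psi[:, y], i.e. to the
    coset {x : a^x = y} = x_0 + rZ on which f is constant."""
    probs = np.sum(np.abs(psi) ** 2, axis=0)
    probs /= probs.sum()
    y = int(rng.choice(len(probs), p=probs))
    col = psi[:, y]
    return y, col / np.linalg.norm(col)


def fourier_sample(phi, rng):
    """QFT over Z_Q on the first register, then measure.  np.fft.fft uses the
    conjugate sign convention, which does not change |phi_hat|^2."""
    Q = len(phi)
    phi_hat = np.fft.fft(phi) / np.sqrt(Q)
    probs = np.abs(phi_hat) ** 2
    probs /= probs.sum()
    return int(rng.choice(Q, p=probs))


def order_from_multiple(a, N, m):
    """Given a^m = 1 mod N, shrink m to the exact multiplicative order of a."""
    for p in range(2, m + 1):
        while m % p == 0 and pow(a, m // p, N) == 1:
            m //= p
    return m


def find_period(a, N, t, seed=0, max_samples=200):
    """Each sample k is concentrated near a multiple jQ/r, so k/Q rounds (continued
    fractions, denominator <= N) to j/r.  Denominators of samples are combined by
    lcm, and a candidate is accepted only once a^m = 1 mod N has been verified."""
    rng = np.random.default_rng(seed)
    Q, psi = hsp_state(a, N, t)
    seen = []
    for _ in range(max_samples):
        _, phi = measure_second_register(psi, rng)
        k = fourier_sample(phi, rng)
        d = Fraction(k, Q).limit_denominator(N).denominator
        seen.append(d)
        for d0 in seen:
            m = lcm(d, d0)
            if m <= N and pow(a, m, N) == 1:
                return order_from_multiple(a, N, m)
    return None


def shor_factor(N, a, t=8, seed=0):
    """Classical post-processing from Section 3: if r is even and a^{r/2} != -1 mod N,
    then gcd(a^{r/2} - 1, N) and gcd(a^{r/2} + 1, N) are non-trivial factors."""
    r = find_period(a, N, t, seed)
    if r is None or r % 2:
        return None
    half = pow(a, r // 2, N)
    if half == N - 1:
        return None
    p, q = gcd(half - 1, N), gcd(half + 1, N)
    return (p, q) if 1 < p < N else None


if __name__ == "__main__":
    print(find_period(7, 15, 8), shor_factor(15, 7), shor_factor(21, 2, t=9))
```

For N = 15 every order divides 4, so r divides Q and the Fourier peaks are exact; for N = 21 the order of 2 is 6, which does not divide Q, and the register is enlarged to Q = 512 ≥ N² so that the continued-fraction step still identifies j/r from the nearest-integer samples.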
4 The PIP quantum algorithm proposed by CGS
CGS proposed a quantum algorithm for solving the PIP in . They suggested combining it with the Gentry–Szydlo (classical) attack  to solve the PIP in . They sketched this method in [4, Section 5], but they did not provide any complexity analysis.
In this section, we review the PIP algorithm proposed in , and we illustrate the challenges that would need to be overcome to turn this approach into a quantum polynomial-time algorithm. There are two main steps to the approach of :
A reduction of the PIP in to the search of the periods of a function from to the lattices in , where (an analogue of the HSP).
The search for the periods of a function with an algorithm similar to the HSP algorithm of Hallgren .
This means that CGS exhibited a function
for some subgroup G and such that if and only if for a lattice whose knowledge answers the original problem (the PIP in this case). Step (ii) consists in finding the periods of f in a fashion similar to the resolution of the HSP.
Reduction to the search for the periods of a function
Let , and . Let be a totally positive generator (not necessarily small) of the input fractional ideal in the totally real number field K. In the context of the attacks against the short-PIP in K, we know that one of the generators of arises as the relative norm of the secret key g. This relative norm is necessarily totally positive.
Let be a generating set of , the totally positive units of the ring of integers of . Then every totally positive generator of the principal ideal of (including ) is of the form . Let ; then for some if and only if for some . This means that the lattice defined by
consists of all the pairs , where , and . This includes elements of the form , where is a totally positive generator of . This means that a basis for yields a totally positive generator of .
We now describe a function on whose periods are precisely . For and (not necessarily corresponding to the valuations of an element in ), let us denote by the Euclidean lattice generated by the elements of the form for . Elements in such as correspond to real vectors , and an element of the form is represented by the vector . We define the function by . Then if and only if is a generator of , which is equivalent to . Therefore, by linearity of F, the periods of F are exactly .
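As an added illustration, not part of the paper, the following Python code instantiates the function F in the smallest totally real case K = Q(√2), O_K = Z[√2], for the principal ideal generated by g = 3 + √2. The sign convention F(v) = {e^{-v_i} σ_i(x) : x in the ideal}, the lattice-equality test (B_1^{-1} B_2 integral with determinant ±1) and the choice of g are assumptions made for the example. It checks that F(Log g) = σ(O_K), that the logarithm of the totally positive unit 3 + 2√2 is a period of F everywhere, and that the logarithm of the fundamental unit 1 + √2, which is not totally positive, is not a period: the scaling by e^{-v} only sees absolute values of the embeddings, which is why only totally positive units enter the lattice of periods.

```python
# Added example (not from the paper): the CGS oracle F of this section in the
# smallest totally real case K = Q(sqrt 2), O_K = Z[sqrt 2], for the principal
# ideal generated by g = 3 + sqrt 2.  Elements a + b*sqrt 2 are stored as integer
# pairs (a, b).  The sign convention F(v) = {exp(-v_i) sigma_i(x) : x in the ideal}
# and the choice of g are assumptions made here.
import numpy as np

SQRT2 = np.sqrt(2.0)


def embed(x):
    """Canonical embedding sigma(x) = (sigma_1(x), sigma_2(x)) of x = a + b*sqrt2."""
    a, b = x
    return np.array([a + b * SQRT2, a - b * SQRT2])


def mul(x, y):
    """Multiplication in Z[sqrt 2]."""
    (a, b), (c, d) = x, y
    return (a * c + 2 * b * d, a * d + b * c)


def log_embed(x):
    """Log(x) = (log|sigma_1(x)|, log|sigma_2(x)|)."""
    return np.log(np.abs(embed(x)))


def is_totally_positive(x):
    return bool(np.all(embed(x) > 0))


def ideal_basis(g):
    """sigma of the Z-basis (g, g*sqrt2) of g*O_K, as the columns of a 2x2 matrix."""
    return np.column_stack([embed(g), embed(mul(g, (0, 1)))])


def F(v, B):
    """The CGS oracle: a basis of the lattice {exp(-v_i) sigma_i(x) : x in the ideal}."""
    return np.diag(np.exp(-v)) @ B


def same_lattice(B1, B2, tol=1e-9):
    """Two bases span the same lattice iff B1^{-1} B2 is integral with determinant +-1."""
    T = np.linalg.solve(B1, B2)
    return bool(np.allclose(T, np.round(T), atol=tol) and abs(abs(np.linalg.det(T)) - 1) < tol)


O_K = ideal_basis((1, 0))   # sigma(O_K) with basis (1, sqrt2)
G = (3, 1)                  # g = 3 + sqrt2: totally positive, norm 7
EPS = (1, 1)                # fundamental unit 1 + sqrt2, norm -1, not totally positive
U = mul(EPS, EPS)           # 3 + 2 sqrt2 generates the totally positive units


def checks():
    """The facts used in the reduction, evaluated numerically."""
    B = ideal_basis(G)
    v = log_embed(G)
    w = np.array([0.3, -1.2])   # an arbitrary point of the control space
    return {
        "F(Log g) is sigma(O_K)": same_lattice(F(v, B), O_K),
        "Log u is a period (u = 3 + 2 sqrt2)": same_lattice(F(v + log_embed(U), B), O_K),
        "-Log u is a period": same_lattice(F(v - log_embed(U), B), O_K),
        "periodicity away from Log g": same_lattice(F(w + log_embed(U), B), F(w, B)),
        "Log eps is not a period (eps not totally positive)": not same_lattice(F(v + log_embed(EPS), B), O_K),
        "a point off Log g + Lambda": not same_lattice(F(v + np.array([0.25, 0.0]), B), O_K),
    }


if __name__ == "__main__":
    for name, ok in checks().items():
        print(f"{ok!s:5} {name}")
```

The lattice-equality test is the classical stand-in for what the quantum fingerprint has to do in the next paragraphs: two real lattices given by different bases must be recognised as the same object, which over R has no canonical form such as the Hermite normal form.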
As each element of satisfies , the search of the corresponding hidden subgroup can be restricted to the control space
The function F used by CGS is different from the one used by Hallgren in  to solve the PIP. In particular, F can be evaluated in polynomial time even when the degree of K grows to infinity. This comes from the fact that it is very similar to the function defined by EHKS to hide the unit group of a number field of arbitrary degree, and the techniques they used to evaluate it in polynomial time readily apply.
The function F can be evaluated in classical polynomial time.
This is immediate by application of the techniques of [7, Section 4]. The key observation is that we can perform a square-and-multiply exponentiation on the ideal with LLL-reductions at each step. ∎
The function F is then composed by a quantum encoding to identify the lattice . This task is non-trivial since lattices are over where, unlike in , there is no canonical form such as the Hermite normal form. This encoding of lattices is called the “quantum fingerprint”, and it gives the map
The details of the procedure to create from are given in [4, Sections 3.4 and 3.5]. It creates a state of the form , where
is the scaling of a rational approximation of a vector in ,
L is the lattice ,
is a normalization factor,
is a bounded set such that , where is an ellipsoid of radius ρ.
CGS conjectured that the quantum encodings of almost identical lattices have inner product close to 1, while the quantum encodings of essentially different lattices have inner product close to 0. The function f “hides” in the sense that
Identifying from the periods of this map is an analogue of the HSP.
Computing the periods of f
The method proposed by CGS for computing the periods of f relies on a strategy similar to the HSP algorithm used by Hallgren in  to solve the PIP in classes of number fields of fixed degree.
Discretize and bound G, and then create the state
Apply the quantum Fourier transform over G to the second register.
Measure , and check if we obtain a good approximation of an element in .
Repeat steps (ii) and (iii) until a basis of good approximations of is found.
Find an approximation of a basis of from with classical methods.
In step (i), M is the normalization factor depending on the radius and the precision of the bounded discretized version of G. Table 1 highlights the main steps of the quantum algorithm of CGS and specifies those on which we can rely to prove that there is a quantum attack against schemes relying on the short-PIP. In the appendix, we use a method similar to  to analyze the behavior of CGS’s algorithm. This analysis requires choices of parameters that CGS did not specify. Therefore, we cannot formally establish the complexity of the algorithm sketched in .
Table 1. Claims underlying the CGS algorithm and their status.

| Claim | Status |
| --- | --- |
| The function F hides a lattice that reveals a generator of the ideal. | Proved |
| The function F can be evaluated in classical polynomial time. | Proved |
| The quantum fingerprint satisfies the “fidelity” property. | Open question |
| Assuming satisfies the “fidelity” property, step (iii) outputs good approximations of vectors in . | Open question |
In the rest of the paper, we show how to use the quantum encoding proposed by EHKS to solve the HSP in instead of the quantum fingerprint of CGS. EHKS proved that their quantum encoding enjoys certain properties (one of them being similar to the “fidelity”) which allow us to solve the HSP in polynomial time.
5 A method based on the HSP algorithm of EHKS
In this section, we show how to find the periods of the function F defined in the previous section by using the lattice encoding and the corresponding HSP quantum algorithm of EHKS. This allows us to compute in quantum polynomial time a totally positive generator of an ideal in a totally real number field K. Recent work from EHKS developed a new framework for the HSP in , which admits an efficient quantum algorithm even for large values of m. They illustrated this by computing the unit group of a number field of arbitrary degree in polynomial time. In this section, we show how to adapt it to calculate a totally positive generator of a principal ideal given by its -basis. The algorithm described in  returns generators of a secret discrete subgroup H of for an arbitrary hidden in the periods of a function . Let G be a subgroup of containing H. EHKS showed in [7, Theorem 6.1] how to recover generators of H in time polynomial in the input size if there is an efficiently computable function f satisfying the following properties for :
f is periodic on H, that is, for all ;
f is Lipschitz for some constant a: for all ;
there are such that, for all , if , then ,
where and for the Euclidean norm .
To construct such a function, it is possible to start from a function defined on a subgroup G of . As shown in [7, Section 6.1], if a function defined on hides H and satisfies conditions (ii) and (iii) on all , it can be used to define a function on hiding (the embedding of) H and satisfying (ii) and (iii). For simplicity, we use the following notation.
Definition 5.1 (-oracle).
Let G be a subgroup of and f a map . We say that f is an -oracle on G if it satisfies conditions (ii) and (iii) for some .
Our goal is to find an efficiently computable -oracle on that hides a subgroup H of which reveals a generator of the input principal ideal. Then it can be used with the HSP algorithm of  to find a totally positive generator of a principal ideal in a totally real field in polynomial time in n, , , and r, where Δ is the discriminant of the field.
5.1 Review of the HSP algorithm of EHKS
To compute the unit group, EHKS used a function of the form , where is the lattice generated by the elements of the form for . Such a function hides the unit group of the order because if and only if , which means that is a unit in . It is derived from a function , where G is a hyperplane containing H. They show that if is an -oracle on G that hides H, then it can be extended to satisfying (i), (ii) and (iii). The first step of the description of a function hiding the unit group is to find a classical function on a certain hyperplane G; then we compose it with a quantum encoding , and finally, we extend to a function f on that satisfies (i), (ii) and (iii).
The function F used by CGS is very similar to the classical oracle used in . The latter is defined by
Here is the hyperplane such that . In particular, it contains the elements x of the number field K such that via the correspondence
where the are the phases of the complex embeddings . Then, for
we define the exponentiation
This can be naturally embedded into for , and in the case of v corresponding to an , we have . Multiplication in being considered component-wise, we have if and only if v corresponds to a unit of . This also implies that if and only if , where is a unit of .
The quantum encoding
The properties that has to satisfy also depend on the quantum encoding that was chosen, which is one of the important contributions of EHKS. Let be the Gaussian function , . For any set , denote . Given a lattice L, the quantum encoding maps L to the lattice Gaussian state via
where γ is a normalization factor. Here is the straddle encoding of a real-valued vector , as defined in . Intuitively, we discretize the space by a grid , and we encode the information about v by a superposition over all grid nodes surrounding v. Specifically, for the one-dimensional case, the straddle encoding of a real number is
where denotes the nearest grid point no bigger than x, and denotes the (scaled) offset. Repeating this for each coordinate of , we get . To analyze our function hiding generators of a principal ideal , we rely on the properties of the quantum encoding of the function hiding the unit group of .
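The continuity of the straddle encoding is what the Lipschitz condition (ii) rests on, and its finite support is what makes far-apart points distinguishable as in condition (iii). The following Python block is an added example and not code from EHKS or from this paper: it implements the one-dimensional encoding in the closed form cos(πt/2)|k⟩ + sin(πt/2)|k + 1⟩ for x = (k + t)ν with 0 ≤ t < 1 (recalled here from EHKS; as far as this page goes, that closed form is an assumption), tensors it over coordinates, and checks numerically that ‖str(x) − str(y)‖ ≤ (π/(2ν))·√dim·‖x − y‖ and that points differing by at least 2ν in one coordinate have orthogonal encodings. The grid step ν and the test points are choices made for the example.

```python
# Added example (not from the paper): the straddle encoding of EHKS and the two
# continuity properties that make it usable as an (r, eps)-oracle ingredient.  The
# closed form cos(pi t/2)|k> + sin(pi t/2)|k+1> for x = (k + t)*nu, 0 <= t < 1, is
# taken from EHKS as recalled here and is an assumption as far as this page goes;
# the grid step nu and the test points are choices made for the example.
import math
import numpy as np


def straddle_1d(x, nu):
    """Sparse vector {grid index: amplitude} of str_nu(x): the nearest grid point
    k = floor(x/nu) below x and its right neighbour, weighted by the offset t."""
    q = x / nu
    k = math.floor(q)
    t = q - k
    return {k: math.cos(math.pi * t / 2), k + 1: math.sin(math.pi * t / 2)}


def straddle(v, nu):
    """Tensor product over coordinates: a superposition over the 2^dim grid nodes
    surrounding v, keyed by tuples of grid indices."""
    state = {(): 1.0}
    for x in v:
        state = {key + (k,): amp * a
                 for key, amp in state.items()
                 for k, a in straddle_1d(x, nu).items()}
    return state


def inner(s, t):
    """<s|t> for real-amplitude sparse states."""
    return sum(a * t.get(key, 0.0) for key, a in s.items())


def distance(s, t):
    """|| |s> - |t> || for unit vectors."""
    return math.sqrt(max(0.0, 2.0 - 2.0 * inner(s, t)))


def lipschitz_constant(nu, dim):
    """Within one grid cell the amplitudes move on a quarter circle with angular
    speed pi/(2 nu), so ||str(x) - str(y)|| <= pi/(2 nu) * |x - y| in dimension 1
    (and across cells by continuity at the boundary); the tensor product adds a
    factor sqrt(dim) when the Euclidean norm of x - y is used."""
    return math.pi / (2 * nu) * math.sqrt(dim)


def check_properties(nu=0.5, dim=3, trials=2000, seed=0):
    """(ii) the Lipschitz bound above holds for random pairs, including pairs that
    straddle a cell boundary; (iii) points at distance >= 2 nu in some coordinate
    have disjoint supports, hence inner product exactly 0."""
    rng = np.random.default_rng(seed)
    L = lipschitz_constant(nu, dim)
    for _ in range(trials):
        x = rng.uniform(-5.0, 5.0, dim)
        y = x + rng.normal(0.0, nu, dim)
        if distance(straddle(x, nu), straddle(y, nu)) > L * np.linalg.norm(x - y) + 1e-9:
            return False
        far = x.copy()
        far[0] += 2 * nu + rng.uniform(0.0, 1.0)
        if inner(straddle(x, nu), straddle(far, nu)) != 0.0:
            return False
    return True
```

The encoding is continuous at cell boundaries because t → 1 sends the state to |k + 1⟩, which is exactly the encoding at offset 0 of the next cell; this is the property a plain nearest-grid-point rounding would lack, and it is the reason the composed function F ∘ str can be Lipschitz at all.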
An -oracle on
We will only be concerned with totally real fields, where and , and only totally positive units will be relevant for our purpose. We now restrict our discussion to this special case, which is much simpler since we do not need to consider the complex coordinates. We use to denote the classical part (instead of ) to indicate this special case. Let be the classical oracle defined by
Here is the hyperplane such that . In particular, an element x of the number field K such that leads to
Then, for , we define the exponentiation . Multiplication in being considered component-wise, we have if and only if v corresponds to a unit of . This also implies that if and only if , where u is a totally positive unit of .
Proposition 5.2 ([7, Theorem 5.7]).
is an -oracle on with
and grid parameters , , where Δ is the discriminant of the field.
5.2 Computing a generator of a principal ideal in a totally real field
In this section, we assume that we are given the -basis of a principal ideal of an order in a totally real field K of degree n. Moreover, we assume that has a totally positive generator. We show that there is a polynomial time algorithm to compute , where g is a totally positive generator of , and is the i-th Archimedean valuation of g. We reduce this problem to an instance of the HSP, and we use the framework of EHKS. We start from the same classical oracle as the function F defined by CGS which we compose with and extend to . The main observation that allows us to reuse the analysis of the oracle hiding the (totally positive) unit group in  is that , where is an arbitrary (totally positive) generator of . The classical function we use is the same as the one of CGS
The function can then be extended from G to while preserving the essential continuity properties that allow us to reuse the framework of EHKS for the resolution of the continuous HSP. The careful analysis of the properties of and of its extension to leads to Proposition 5.5, which shows that there is a polynomial-time algorithm to find a totally positive generator of a principal ideal in a totally real field.
A function hiding generators of
The rest of the section is devoted to analyzing and extending to a function defined on that hides the lattice of the totally positive generators of and satisfies the HSP conditions (i), (ii) and (iii). The formal statement appears in Proposition 5.5, which is proven based on a few intermediate steps (Propositions 5.3 and 5.4). Given , the quantum HSP algorithm of EHKS computes a totally positive generator efficiently.
We start by analyzing the properties of .
With the F and defined above, and , we have that is an -oracle on G for
Let us fix a generator g of and its corresponding . The main observation leading to the result is that , and therefore .
(a) Lipschitz condition. If , then , while, at the same time,
So, in this case,
On the other hand, if , then
for . Therefore, the Lipschitz condition is always satisfied for .
(b) The condition. We simply need to notice that , where denotes the vectors such that is a totally positive unit of K. It is immediate that the periods of are , and according to Proposition 5.2, is an -oracle for , , and . We use the properties of to analyze the behavior of .
This means that, for and , if
then as well, and then, necessarily,
Reduction to the case
We described an -oracle on a hyperplane G of hiding the lattice for , , and . To apply [7, Theorem 6.1], we need a function on for some m that hides the lattice and which is an -oracle in for some , not necessarily equal to . A general guideline for performing such a task is given in [7, Section 6.1]. By following it, we find such a function , and we can apply the quantum algorithm of  to derive , thus obtaining a totally positive generator for .
First of all, we can easily turn defined on the hyperplane G into a function defined over with the intermediate operation
Assume is an -oracle hiding on G; then the function defined by is an -oracle hiding on , where .
The fact that the -condition is preserved is obvious because we are dropping one coordinate. This means that if the distance in (modulo ) is greater than r, then so is the distance in G (modulo ), and therefore the inner product of the two states has to be less than ε. The Lipschitz condition comes from the fact that and that
We have now a function on for and that hides and that is an -oracle on . Following the guidelines of [7, Section 6.1], we can turn it into an -oracle on that hides . To do so, we define
where , with for a lower bound λ on the shortest vector of .
The function hides the lattice and satisfies conditions (i), (ii) and (iii) for and the parameters defined by
See [7, Section 6.1]. It shows that, by the transformation above, the new function is a valid HSP instance with
6 Computing a short generator of a principal ideal in
In this section, we show how to reduce the search for a small generator of an input ideal I in to the computation of a totally positive generator of a principal ideal (which depends on I) in . The main ingredient of this reduction is the norm equation resolution of the Howgrave-Graham–Szydlo algorithm . This reduction seems natural, but no formal procedure (and analysis) was available . The main steps of the whole attack are:
Create the ideal , where g is a short generator of I.
Find a generator of with the quantum algorithm of Section 5.2.
Find a short generator of I by using and a -basis of I.
The first step consists in finding a -basis of the ideal . We can easily find a basis of the ideal of K, and we intersect it with the ring of integers of the subfield of K by using [5, Algorithm 1.4.5]. When I is principal and generated by g, then is principal as well and generated by .
Algorithm 1 (Creation of .).
The ideal of the totally real field is principal and generated by a totally positive generator . Therefore, it satisfies the conditions of the quantum polynomial-time algorithm for computing a totally positive generator of an ideal in a totally real field described in Section 5.2. The output of this procedure is a rational approximation of the real vector , where is a totally positive generator of . We want to lift this generator to obtain a generator of I. We need to establish two important properties:
is of the form , where is a generator of I.
is short enough to be written on the integral basis of in polynomial time.
The surjectivity of the relative norm map does not necessarily hold true. As a matter of fact, we can only prove it under Conjecture 3.1 (Weber conjecture) which states that the class number of is 1.
Proposition 6.1 (under Conjecture 3.1).
Let , be an ideal of and . Then every totally positive generator of is of the form for a generator of I.
The ideal is generated by at least one totally positive number (i.e., the image of a generator g of I by the relative norm map). Then, from , we know that the totally positive units are exactly the squares of units (see also [14, Intro]), which are also the norms of the units of that are in . Let be a totally positive generator of . Then the two totally positive generators of differ by a totally positive unit, hence a square, and hence the image of a unit u of by the norm map, i.e., , which is the image of a generator ug of I by the relative norm map. ∎
The vector returned by the quantum algorithm of Section 5.2 has polynomial size, but the representation of over an integral basis of may have exponential size. Therefore, the resolution of the norm equation by the method of Howgrave-Graham and Szydlo with input may take exponential time. We need to find another totally positive generator α of with reasonable size. We know that where g is the secret short generator of I has a poly-size representation on the integral basis of . Therefore, we use the method of Cramer et al. to derive a short generator of before applying the algorithm of Howgrave-Graham and Szydlo.
Algorithm 2 (Lift of the solution in .).
Proposition 6.2 (under Conjecture 3.1).
The element α computed in step 7 of Algorithm 2 has a poly-size representation on the integral basis of .
This directly follows from the analysis of Babai’s round-off method (used in steps 3–4) by Cramer et al. The only difference is that we work with the lattice of the instead of that of . Let be the generator of I such that . According to the analysis of , we know that if we find such that and then perform the operation , then is a generator of I that satisfies . In particular, its representation on an integral basis has polynomial size. The calculated in step 3 are such . These ensure that is a short generator of I, and
is the relative norm of the small generator g of I. It is therefore a short generator of . ∎
Algorithm 2 runs in polynomial time and returns a generator g of I such that .
All steps run in polynomial time. In addition, according to the proof of Proposition 6.2, we have the guarantee that step 7 produces the relative norm α of a small generator g of I. Then the solution to the relative norm equation in step 8 yields the desired short element. ∎
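The proofs of Propositions 6.2 and the corollary above rest on Babai’s round-off method: the rational coordinates of a target vector in a fixed basis are rounded to integers, which recovers the hidden lattice point exactly whenever every coordinate of the offset lies in the open interval (−1/2, 1/2). The following Python example is added here for illustration and is not the paper’s Algorithm 2 nor code from Cramer et al.; it uses a constructed 3-dimensional integer lattice (the basis `BASIS` and the coefficients of `HIDDEN` are assumptions) in place of the log-unit lattice, and shows both a small offset that round-off removes and a larger one for which it returns a different lattice point.

```python
from fractions import Fraction


def solve_coordinates(B, t):
    """Exact rational coordinates c with c * B = t (B is square, rows = basis vectors)."""
    n = len(B)
    # Augmented system B^T c^T = t^T, solved by Gauss-Jordan elimination over Q.
    M = [[Fraction(B[j][i]) for j in range(n)] + [Fraction(t[i])] for i in range(n)]
    for col in range(n):
        piv = next(r for r in range(col, n) if M[r][col] != 0)
        M[col], M[piv] = M[piv], M[col]
        scale = 1 / M[col][col]
        M[col] = [v * scale for v in M[col]]
        for r in range(n):
            if r != col and M[r][col] != 0:
                fac = M[r][col]
                M[r] = [u - fac * w for u, w in zip(M[r], M[col])]
    return [M[i][n] for i in range(n)]


def lattice_vector(B, coeffs):
    """Integer combination sum_j coeffs[j] * B[j]."""
    n = len(B)
    return [sum(coeffs[j] * B[j][i] for j in range(n)) for i in range(n)]


def babai_round_off(B, t):
    """Babai round-off: round the coordinates of t in basis B and map back to the
    lattice. Returns (lattice vector, integer coefficients). The hidden point is
    recovered exactly only when each coordinate of the offset t - v is in (-1/2, 1/2)."""
    coeffs = [round(c) for c in solve_coordinates(B, t)]
    return lattice_vector(B, coeffs), coeffs


def in_rounding_region(B, e):
    """True when round-off removes the offset e exactly: all |coordinates| < 1/2."""
    return all(abs(c) < Fraction(1, 2) for c in solve_coordinates(B, e))


# Constructed lattice standing in for the log-unit lattice of the proof above
# (an assumption for the demonstration); hidden point = 3*b1 - 2*b2 + 4*b3.
BASIS = [[7, 0, 1], [1, 6, 0], [0, 1, 5]]
HIDDEN = lattice_vector(BASIS, [3, -2, 4])  # [19, -8, 23]


def demo():
    """Returns (recovered with a small offset, recovered with a large offset)."""
    small = [1, -1, 1]  # offset inside the rounding region: hidden point recovered
    v_ok, _ = babai_round_off(BASIS, [h + e for h, e in zip(HIDDEN, small)])
    big = [4, -4, 4]    # offset outside the region: round-off lands elsewhere
    v_bad, _ = babai_round_off(BASIS, [h + e for h, e in zip(HIDDEN, big)])
    return v_ok == HIDDEN, v_bad == HIDDEN


if __name__ == "__main__":
    print(demo())
```

With the large offset the rounded coefficients become (4, −3, 5), so round-off returns the lattice point (25, −13, 29) rather than the hidden (19, −8, 23); this is exactly the situation the size bound on Log(g) in the analysis of Cramer et al. is there to exclude.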
7 Conclusion and significance
We described a quantum polynomial time algorithm to recover a short generator of an ideal in . We showed that it derives from the results of in a rather straightforward way. It is a significant result for post-quantum cryptography. Indeed, together with the reduction from the short-PIP to the PIP originally observed by CGS and later proved by Cramer et al., it is enough to attack cryptosystems based on the hardness of finding a short generator of a principal ideal in in quantum polynomial time. These include the multilinear maps of Garg, Gentry and Halevi and the fully homomorphic encryption scheme of Smart and Vercauteren.
Strictly speaking, the algorithm we discussed in Section 5 does not solve the standard principal ideal problem with absolute certainty, since the algorithm cannot decide whether an input ideal is principal (it rather takes as a promise that it is principal). Further generalizations of the methods of will lead to the resolution of related problems in number theory in arbitrary fields, including the PIP, the computation of the ideal class group, the computation of S-units, or the resolution of norm equations.
Funding source: National Science Foundation
Award Identifier / Grant number: 1839805
Award Identifier / Grant number: 1846166
Funding source: National Institute of Standards and Technology
Award Identifier / Grant number: 60NANB17D184
Funding statement: This work was supported by the U.S. National Science Foundation under grants 1839805 and 1846166, by NIST under grant 60NANB17D184, and by a Seed Award of the Florida Center for Cybersecurity.
A Previous algorithms for solving the HSP
A.1 Shor’s factoring algorithm
Post-quantum cryptography really became a concern when Shor proposed a quantum algorithm to factor integers. Moreover (as we see in the next section), this algorithm extends to the discrete logarithm problem in any group. An RSA integer N is an integer satisfying where are distinct prime numbers. The problem of factoring an RSA integer reduces to an instance of the so-called hidden subgroup problem (HSP).
Definition A.1 (Hidden subgroup problem over ).
Given for a finite set X such that there exists a subgroup with
the hidden subgroup problem is the task of finding H given oracle access to f. This means finding r such that .
We want to factor an RSA integer . Let a be coprime with N (if , the factorization problem is solved) and
A solution to the HSP with f yields r, the order of , and if a is a square, we get
This means that , and may yield a non-trivial factor of N.
Let us sketch the resolution of this instance of the HSP. The first step relies on the fact that if f is efficiently computable classically, one can create an efficient quantum algorithm to evaluate f in superposition. This yields a circuit for
The other main ingredient we need to use in Shor’s algorithm is the so-called quantum Fourier transform (QFT) over (for a large enough M). Let . The QFT is the quantum algorithm realizing
If we apply the QFT to the second register of the previous state, we obtain
We can easily verify that the are orthogonal vectors satisfying . We perform a measurement on the second register, which yields the value y with probability .
Then if is close to an element of the form , then the above probability is high, and if not, then the probability of measuring y is low. If is a good enough approximation of an element of the form , then belongs to the list of convergents of the continued fraction expansion of , which is computed in classical polynomial time. Then we recover the period r and thus solve the problem. The probability of successfully recovering r is in (there is a constant-probability variant consisting of repeating this procedure twice). This is not the only variant of Shor’s factoring algorithm. Alternatively, a partial measurement is performed on the register before applying the quantum Fourier transform. The quantum algorithm for solving the PIP sketched by CGS follows closely the HSP variant that we described.
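The classical part of the procedure just described (convergents of the continued fraction expansion of y/M, a candidate period r, then gcd(a^{r/2} ± 1, N)) can be exercised without a quantum computer. The Python example below is added here and is not from the paper; the quantum sampling step is replaced by a constructed outcome `constructed_sample`, which uses a brute-force order computation (an assumption for the demonstration only) to produce a value y close to kM/r, exactly the kind of sample the QFT makes likely. It also covers the two classical failure cases: gcd(k, r) > 1, handled by trying small multiples of a convergent’s denominator, and an order r for which a^{r/2} ≡ −1 (mod N), which yields no factor.

```python
from math import gcd


def convergents(num, den):
    """Convergents (p, q) of the continued fraction expansion of num/den, den > 0."""
    result = []
    h_prev, h = 0, 1  # numerator recurrence
    k_prev, k = 1, 0  # denominator recurrence
    a, b = num, den
    while b:
        q, rem = divmod(a, b)
        h_prev, h = h, q * h + h_prev
        k_prev, k = k, q * k + k_prev
        result.append((h, k))
        a, b = b, rem
    return result


def order_from_sample(y, M, a, N):
    """Classical post-processing of a sample y in [0, M): y/M approximates some k/r,
    so r (or a divisor of it when gcd(k, r) > 1) shows up as the denominator of a
    convergent. Small multiples are tried to cover gcd(k, r) > 1; each candidate is
    verified with a^r = 1 mod N."""
    for _, q in convergents(y, M):
        for mult in range(1, 6):
            r = q * mult
            if r == 0 or r >= N:
                continue
            if pow(a, r, N) == 1:
                return r
    return None


def factor_from_order(a, r, N):
    """For even r with a^(r/2) != -1 mod N, gcd(a^(r/2) +/- 1, N) is a proper factor."""
    if r % 2:
        return None
    x = pow(a, r // 2, N)
    if x == N - 1:
        return None
    for d in (gcd(x - 1, N), gcd(x + 1, N)):
        if 1 < d < N:
            return d
    return None


def brute_force_order(a, N):
    """Exponential-time stand-in for the quantum order-finding step (assumption:
    used only to construct a realistic sample for the demonstration)."""
    r, x = 1, a % N
    while x != 1:
        x = (x * a) % N
        r += 1
    return r


def constructed_sample(a, N, M, k):
    """Constructed measurement outcome: the QFT concentrates the distribution on
    values y close to k*M/r, so we return the rounded value."""
    return round(k * M / brute_force_order(a, N))


def shor_classical_part(N, a, M, k):
    """Post-process a constructed sample; returns (recovered order r, factor or None)."""
    if gcd(a, N) != 1:
        return None, gcd(a, N)  # a shares a factor with N: nothing left to do
    y = constructed_sample(a, N, M, k)
    r = order_from_sample(y, M, a, N)
    return r, (factor_from_order(a, r, N) if r else None)


if __name__ == "__main__":
    print(shor_classical_part(21, 2, 2048, 1))  # (6, 7)
```

For N = 21 and a = 2 the order is 6; the sample for k = 3 is y = 1024, whose convergent denominator is 2 rather than 6, which is why multiples of the denominator are tried. For a = 5 the order is also 6 but 5^3 ≡ −1 (mod 21), so the run reports the order and no factor, and a fresh a must be drawn.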
A.2 The hidden subgroup problem in higher dimension
The hidden subgroup problem has a straightforward generalization in higher dimension. Many problems in algebraic number theory can be reduced to an instance of the HSP.
Definition A.2 (Hidden subgroup problem over ).
Given for a set X such that there exists a subgroup with
the hidden subgroup problem is the task of finding H given oracle access to f.
The discrete logarithm problem is the search for such that , where are given elements of a finite group . This can be reduced to an instance of the hidden subgroup problem in . We define the function
The periods of this function are the subgroup , where r is the order of a. Finding the subgroup G hidden by f solves our problem. The analysis we carried out to solve the HSP in generalizes in higher dimension by using the tensor product of the QFT
where , and is an encoding of the vector . Note that, here again, M has to be chosen large enough with respect to the typical values we are calculating. As for factoring, applying the QFT yields a state of the form , and we measure the vector with probability
where is the hidden subgroup (a lattice) we are looking for. This sum is larger when is an integer, that is, when . It can be shown that, when is close enough to a point in the dual of , then it has a high probability of being sampled. This generalizes the factoring algorithm presented in the previous section which relies on the sampling of elements in the dual of the lattice . After finding a good approximation of the dual lattice , we use classical linear algebra methods to compute .
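The discrete logarithm reduction above, together with the remark that the QFT samples points of the dual of the hidden lattice, can be made concrete on a small group. The Python example below is added here and is not from the paper; it assumes the HSP function f(x, y) = a^x · b^y mod p with b = a^ℓ (the paper’s exact definition is not reproduced on this page), recovers a basis of the hidden lattice H by brute force (exponential, for illustration only), computes the dual basis (B^{-1})^T, and shows how a single dual point (k/r, kℓ/r mod 1) with gcd(k, r) = 1, which stands in for a QFT outcome, gives ℓ by linear algebra modulo r.

```python
from fractions import Fraction
from math import gcd


def multiplicative_order(a, p):
    """Order r of a in the multiplicative group mod p (brute force)."""
    r, x = 1, a % p
    while x != 1:
        x = (x * a) % p
        r += 1
    return r


def f(a, b, p, v):
    """Assumed HSP function f(x, y) = a^x * b^y mod p. With b = a^ell it is constant
    on cosets of H = {(x, y) : x + ell*y = 0 mod r}."""
    x, y = v
    return (pow(a, x, p) * pow(b, y, p)) % p


def hidden_period_lattice(a, b, p):
    """Brute-force basis of H: (r, 0) and (x, 1) with a^x * b = 1, i.e. x = -ell mod r."""
    r = multiplicative_order(a, p)
    for x in range(r):
        if f(a, b, p, (x, 1)) == 1:
            return r, [(r, 0), (x, 1)]
    raise ValueError("b is not a power of a")


def is_periodic(a, b, p, basis, r):
    """The HSP promise: f(v + h) == f(v) for every basis vector h of H."""
    for x in range(r):
        for y in range(r):
            for hx, hy in basis:
                if f(a, b, p, (x + hx, y + hy)) != f(a, b, p, (x, y)):
                    return False
    return True


def dual_basis(basis):
    """Rows of (B^-1)^T for a 2-D lattice with basis rows B: the QFT samples this lattice."""
    (a11, a12), (a21, a22) = basis
    det = Fraction(a11 * a22 - a12 * a21)
    return [(a22 / det, -a21 / det), (-a12 / det, a11 / det)]


def constructed_qft_sample(dual, k):
    """Constructed stand-in for a QFT measurement: the dual point k * d1, reduced mod 1."""
    d1 = dual[0]
    return (k * d1[0] % 1, k * d1[1] % 1)


def dlog_from_dual_sample(sample, r):
    """A dual point (k/r, k*ell/r mod 1) with gcd(k, r) = 1 yields ell = m * k^-1 mod r."""
    w1, w2 = sample
    k, m = int(w1 * r), int(w2 * r)
    if gcd(k, r) != 1:
        return None  # this sample only determines ell modulo r/gcd(k, r)
    return (m * pow(k, -1, r)) % r


if __name__ == "__main__":
    p, a, ell = 23, 5, 7            # constructed instance: b = a^ell mod p
    b = pow(a, ell, p)
    r, basis = hidden_period_lattice(a, b, p)
    dual = dual_basis(basis)
    print(r, basis, dlog_from_dual_sample(constructed_qft_sample(dual, 3), r))
```

In the constructed instance p = 23, a = 5 (of order 22) and ℓ = 7, the basis found is (22, 0), (15, 1), its dual begins with (1/22, −15/22), and the sample for k = 3 is (3/22, 21/22), from which 21 · 3^{−1} ≡ 7 (mod 22). A sample with gcd(k, r) > 1 pins ℓ down only modulo r/gcd(k, r), which is why several samples are combined in practice before the classical linear algebra step.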
To solve other number theoretic problems, we need to work with approximations of real numbers. This occurs for example in Hallgren’s method to solve the Pell equation in quantum polynomial time. The discretization method used by Hallgren was generalized by Hales to derive a solution to the hidden subgroup problem over (approximations of) the reals. To compute the ideal class group, the unit group and to solve instances of the principal ideal problem in number fields of higher degree, the usual approach is to first reduce the problem to the task of finding the periods of a function f defined over for some m, and then find these periods with an algorithm for solving the HSP. For example, Hallgren [11, Section 3.1] described a unit group algorithm in a field K consisting of finding the periods of the function
Here r is the rank of the unit group and is the vector of the first r logarithms of the Archimedean embeddings of μ. Since this function relies on the search for a minimum in , its evaluation costs exponential time in the degree, thus restricting its use to classes of number fields with fixed degree. In the same paper, Hallgren described quantum polynomial-time algorithms for the unit group, the class group and the principal ideal problem in classes of fixed-degree number fields.
A necessary condition to ensure that these problems can be solved in polynomial time is that they reduce to the search for the periods of a function that is efficiently computable. The evaluation of the function described above is not polynomial in the degree of the extension, which is one reason why the overall algorithm does not run in polynomial time in k. The other obstruction lies within the resolution of the subsequent instance of the HSP. Indeed, the method used in to solve the hidden subgroup problem in does not seem to run in polynomial time with respect to m. It relies on the creation and the measurement of the state
Hallgren showed that the probability of measuring such that was -close to was at least (a term corresponding to the zero-filling was omitted, i.e., an artificial enlargement of the size of the bounded region where we perform the QFT to facilitate the analysis). In classes of fixed degree (i.e., when m is fixed), this gives a polynomial time algorithm to solve the HSP. The case of was solved 10 years later by EHKS.
B Towards an analysis of the algorithm of CGS
In this section, we show that if we discretize G at a precision as it is done in , then the quantum algorithm of CGS cannot return, in better complexity than , a vector that is ε-close to for and , where λ is a bound on the size of the vectors in a reduced basis of .
Proposition B.1 (Sampling probability).
Let be the precision of the discretization of G. We assume that the fingerprint encoding behaves as conjectured in [4, Section 3.6], that is,
if is ε-close to for some ,
The probability of drawing a rational approximation that is -close to a vector in for , where , and where λ is a bound on the size of the vectors in a reduced basis of , is at least
To bound and discretize G, we need three parameters that were not explicitly given in . The grid has precision for some , and we choose to restrict the QFT to for a large enough integer q. We also enlarge the grid by a factor t that will be used to analyze the complexity (this is the so-called zero-filling technique). Let the normalization factor be . We can identify the discretized and bounded with . Then the algorithm is the same as for factoring,
We measure and hope that it is close enough to a vector in . To analyze this technique, we use the same approach as Hallgren’s 2005 paper. As for Shor’s factoring algorithm, the probability of drawing (regardless of its properties) is
Unlike in the exact case where is either 1 when and 0 otherwise (here ), we are dealing with approximations. We assume that the fingerprint behaves as conjectured in [4, Section 3.6]. We formalize this by if is ε-close to for some and otherwise. For each lattice vector , we have for all the such that is in a ball of radius ε centered around . So the probability of measuring is
To bound this probability from below, we show that the phases corresponding to an element close to a dual lattice vector are small. Each term is of the form , where and . The that we hope to measure are of the form for . Moreover, to make sure that the phase terms remain bounded, we restrict ourselves to vectors with entries satisfying . This means that we are measuring approximations of with and that N has to be chosen large enough so that we measure a significant portion of . So for , and
The first term of the sum vanishes from the phase because it equals zero modulo qtN. Indeed, . The second term satisfies
Finally, the third term of the phase satisfies
if we choose . So, for large enough n, we have , and the probability of measuring satisfies
The above probability holds for all with entries bounded by . As in , we need to relate the number of points in to the number of points of . Let λ be a bound on the length of the vectors in a reduced basis of ; by [15, Proposition 8.7], we have if and if . Therefore,
and the probability of drawing such that is -close to satisfies
As pointed out in , such are the points of our grid such that is -close to a . As there are vectors associated to such a w, the probability of measuring one is at least . ∎
The above statement gives a lower bound on the probability of drawing points that are approximations of elements in . This, in turn, gives an upper bound on the run time to obtain enough approximations of lattice points before being able to find a basis of . Still assuming that the same techniques are used, we can also derive an upper bound on the probability of sampling an approximation of a dual lattice point, which, in turn, gives a lower bound on the run time of the algorithm.
Proposition B.2 (Exponential run time).
Under the same assumptions as Proposition B.1, the run time of the overall algorithm is at least .
With the same choice of parameters as in the proof of the previous proposition, the probability of drawing satisfies
There are such points, which means that the probability of drawing a rational approximation that is -close to a point in is no more than
The total run time is at least as much as the time taken to draw a single approximation of a dual lattice point, which is at least . ∎
The above analysis shows that if we only assume that the quantum fingerprint has the property (called “fidelity”) that
if is ε-close to for some ,
then the techniques mentioned by CGS relying on the discretization of and the QFT do not allow one to prove that the procedure has a polynomial run time.
J.-F. Biasse and C. Fieker, Subexponential class group and unit group computation in large degree number fields, LMS J. Comput. Math. 17 (2014), 385–403, doi:10.1112/S1461157014000345.
J.-F. Biasse and F. Song, Efficient quantum algorithms for computing class groups and solving the principal ideal problem in arbitrary degree number fields, Proceedings of the Twenty-Seventh Annual ACM-SIAM Symposium on Discrete Algorithms, ACM, New York (2016), 893–902, doi:10.1137/1.9781611974331.ch64.
P. Campbell, M. Groves and D. Shepherd, SOLILOQUY, a cautionary tale.
R. Cramer, L. Ducas, C. Peikert and O. Regev, Recovering short generators of principal ideals in cyclotomic rings, IACR Cryptology ePrint Archive (2015), https://eprint.iacr.org/2015/313, doi:10.1007/978-3-662-49896-5_20.
K. Eisenträger, S. Hallgren, A. Kitaev and F. Song, A quantum algorithm for computing the unit group of an arbitrary degree number field, Proceedings of the 2014 ACM Symposium on Theory of Computing—STOC’14, ACM, New York (2014), 293–302, doi:10.1145/2591796.2591860.
S. Garg, C. Gentry and S. Halevi, Candidate multilinear maps from ideal lattices, Advances in Cryptology—EUROCRYPT 2013, Lecture Notes in Comput. Sci. 7881, Springer, Heidelberg (2013), 1–17, doi:10.1007/978-3-642-38348-9_1.
C. Gentry and M. Szydlo, Cryptanalysis of the revised NTRU signature scheme, Advances in Cryptology—EUROCRYPT 2002, Lecture Notes in Comput. Sci. 2332, Springer, Berlin (2002), 299–320, doi:10.1007/3-540-46035-7_20.
L. Hales, The quantum Fourier transform and extensions of the abelian hidden subgroup problem, PhD thesis, University of California Berkeley, 2002.
S. Hallgren, Fast quantum algorithms for computing the unit group and class group of a number field, Proceedings of the 37th Annual ACM Symposium on Theory of Computing—STOC’05, ACM, New York (2005), 468–474, doi:10.1145/1060590.1060660.
N. Howgrave-Graham and M. Szydlo, A method to solve cyclotomic norm equations , Algorithmic Number Theory, Lecture Notes in Comput. Sci. 3076, Springer, Berlin (2004), 272–279, doi:10.1007/978-3-540-24847-7_20.
D. Micciancio and S. Goldwasser, Complexity of Lattice Problems. A Cryptographic Perspective, Kluwer Int. Ser. Eng. Comp. Sci. 671, Kluwer Academic, Boston, 2002, doi:10.1007/978-1-4615-0897-7.
O. Regev, Private communication, 2015.
P. W. Shor, Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer, SIAM J. Comput. 26 (1997), no. 5, 1484–1509, doi:10.1137/S0097539795293172.
N. P. Smart and F. Vercauteren, Fully homomorphic encryption with relatively small key and ciphertext sizes, Public Key Cryptography—PKC 2010, Lecture Notes in Comput. Sci. 6056, Springer, Berlin (2010), 420–443, doi:10.1007/978-3-642-13013-7_25.
H. Weber, Lehrbuch der Algebra. Vol. II, Vieweg, Braunschweig, 1899.
© 2019 Walter de Gruyter GmbH, Berlin/Boston
This article is distributed under the terms of the Creative Commons Attribution Non-Commercial License, which permits unrestricted non-commercial use, distribution, and reproduction in any medium, provided the original work is properly cited.