Skip to content
BY-NC-ND 3.0 license Open Access Published by De Gruyter August 14, 2019

On the quantum attacks against schemes relying on the hardness of finding a short generator of an ideal in ℚ(𝜁2𝑠)

  • Jean-François Biasse EMAIL logo and Fang Song

Abstract

A family of ring-based cryptosystems, including the multilinear maps of Garg, Gentry and Halevi [Candidate multilinear maps from ideal lattices, Advances in Cryptology—EUROCRYPT 2013, Lecture Notes in Comput. Sci. 7881, Springer, Heidelberg 2013, 1–17] and the fully homomorphic encryption scheme of Smart and Vercauteren [Fully homomorphic encryption with relatively small key and ciphertext sizes, Public Key Cryptography—PKC 2010, Lecture Notes in Comput. Sci. 6056, Springer, Berlin 2010, 420–443], are based on the hardness of finding a short generator of a principal ideal (short-PIP) in a number field typically in (ζ2s). In this paper, we present a polynomial-time quantum algorithm for recovering a generator of a principal ideal in (ζ2s), and we recall how this can be used to attack the schemes relying on the short-PIP in (ζ2s) by using the work of Cramer et al. [R. Cramer, L. Ducas, C. Peikert and O. Regev, Recovering short generators of principal ideals in cyclotomic rings, IACR Cryptology ePrint Archive 2015, https://eprint.iacr.org/2015/313], which is derived from observations of Campbell, Groves and Shepherd [SOLILOQUY, a cautionary tale]. We put this attack into perspective by reviewing earlier attempts at providing an efficient quantum algorithm for solving the PIP in (ζ2s). The assumption that short-PIP is hard was challenged by Campbell, Groves and Shepherd. They proposed an approach for solving short-PIP that proceeds in two steps: first they sketched a quantum algorithm for finding an arbitrary generator (not necessarily short) of the input principal ideal. Then they suggested that it is feasible to compute a short generator efficiently from the generator in step 1. Cramer et al. validated step 2 of the approach by giving a detailed analysis. In this paper, we focus on step 1, and we show that step 1 can run in quantum polynomial time if we use an algorithm for the continuous hidden subgroup problem (HSP) due to Eisenträger et al. [K. Eisenträger, S. Hallgren, A. Kitaev and F. Song, A quantum algorithm for computing the unit group of an arbitrary degree number field, Proceedings of the 2014 ACM Symposium on Theory of Computing—STOC’14, ACM, New York 2014, 293–302].

MSC 2010: 11T71

1 Introduction

A series of works describes cryptosystems relying on the hardness of finding a small generator of a principal ideal in the ring of integers of (ζ2s). In particular, this problem allows to describe fully homomorphic schemes, such as that of Smart and Vercauteren [18], or the multilinear maps of Garg, Gentry and Halevi [8]. Moreover, these schemes have been described as quantum safe in the absence of quantum attacks against them. This potential for quantum safety was the main appeal to scientists from the Communications Electronics Security Group (CESG) for the development of SOLILOQUY, a cryptosystem relying on the hardness of finding a short generator of a principal ideal.

Since then, the CESG has interrupted the SOLILOQUY program because there were indications that it was not as quantum safe as they originally thought. Campbell, Groves and Shepherd [4] (referred to as CGS hereafter) released an online draft explaining the design of SOLILOQUY and its apparent weaknesses. Most notably, they observed experimentally that finding a short generator of an ideal in the ring of integers of (ζ2s) polynomially reduced to finding an arbitrary generator (which relates to the principal ideal problem). This fact was rigorously proved by Cramer et al. [6] shortly thereafter.

The bottleneck of a key-recovery attack against schemes relying on the hardness of finding a short generator of a principal ideal is the resolution of the PIP. A classical subexponential algorithm was described by Biasse and Fieker for this task [1, 2]. A quantum polynomial-time algorithm for solving the principal ideal problem (PIP) in classes of number fields of fixed constant degree was described by Hallgren [11]. It consists in reducing this problem to an instance of the hidden subgroup problem (HSP) in O(n), where n is the degree of the field, and an efficient quantum algorithm solving the HSP instance. However, the complexity of both computing the reduction and the quantum HSP algorithm decay exponentially with the degree. These two difficulties make it challenging to extend Hallgren’s algorithm to solve high-degree PIP. The draft of CGS sketches a quantum algorithm for the PIP in high-degree number fields. As usual, it consists of two components:

  1. they reduce PIP to an instance of the HSP on O(n) that is different than the one in [11];

  2. they outline a quantum algorithm for solving this HSP.

However, the draft contains no detailed analysis to justify either step, leaving the correctness and complexity of their algorithm difficult to verify. The new reduction, component (i), does appear to be efficiently computable, and hence resolves one of the difficulties. Nonetheless, their HSP algorithm, component (ii), does not seem to supersede the quantum HSP algorithm by Hallgren in [11], and many experts suspect that it would work efficiently for arbitrary (i.e., non-constant) n.

Contribution

In this paper, we give a closer look at the quantum PIP algorithm proposed by CGS. We intend to distill the justified and valuable pieces out of it and try to extend them to obtain an algorithm that provably works.

Indeed, we show that, combining a valid piece of the reduction, component (i), in CGS with techniques and results from a recent work of Eisenträger et al. [7] (call it EHKS hereafter), one can compute a generator of a principal ideal in (ζ2s) in quantum polynomial time. Together with the reduction from short-PIP to PIP of Cramer et al. [6], this yields a quantum polynomial-time attack against the FHE scheme of Smart and Vercauteren [18] and the multilinear maps of Garg, Gentry and Halevi [8].

In the appendix, we also point out some potential obstructions of component (ii) (quantum HSP algorithm) of CGS that renders it unlikely to be efficient, based on the state of the art in [11].

In a subsequent work [3], an efficient quantum algorithm is proposed that solves the general S-unit group problem in arbitrary-degree number fields. The PIP problem in general fields is thus solved as well due to simple reduction of computing PIP to finding a proper S-unit group problem.

Overview

Here we give an overview of what the CGS algorithm may fall short of and how to use the recent work EHKS to extend some piece of the CGS algorithm into a correct algorithm for finding a generator of an input ideal.

As is the case in both the constant-degree PIP algorithm by Hallgren [11] and the CGS algorithm, one first reduces the PIP problem to an HSP instance and then uses a quantum algorithm to solve the HSP problem efficiently. Roughly speaking, the HSP instance describes a function f:GS for some group G (here G=O(n)) and set S such that there is a hidden discrete subgroup HG for which f is periodic over G and f is injective on G/H (i.e., f(x)=f(y) if and only if xy+H).

We then need to find H with access to f, which would further allow us to find a generator of the input ideal from H. At the heart of the existing quantum HSP algorithm (e.g., [11]) is a quantum Fourier sampling procedure, which essentially generates uniform samples from the Fourier transform of f. In the ideal case, the Fourier transform of f will be peaked at elements of the dual group of H, from which we can recover H efficiently.

However, in reality, one thing inevitable is to discretize the function on O(n) (and truncate it within a finite window) because computers (classical or quantum) are digital and have finite precision and memory only. In effect, we end up with a discrete function f~:O(n)S, and its Fourier transform will become noisy. Namely, a random sample there, by applying the quantum Fourier sampling procedure, is less likely to hit an element in the dual of H. Therefore, to get enough clean samples, one has to repeat many times. By the best known analysis [11], the number of repetitions grows exponentially in the dimension n. The quantum HSP algorithm outlined in CGS does not go beyond Hallgren’s algorithm, and hence is unlikely to succeed within polynomial time in n unless with improved analysis.

Instead, the recent work of EHKS proposes a conceptually new notion for HSP over continuous groups such as n (call it continuous HSP). The key distinction is enforcing a stringent continuity condition on the function f. Specifically, they require f to be Lipschitz so that the change between f(x) and f(y) is bounded by some constant factor of the change between inputs x and y. This additional property ensures that, once we discretize it, its Fourier transform is still concentrated on the dual of H. EHKS then gives a modified quantum Fourier sampling procedure to generate samples from the dual of H (with good approximation) and recover H efficiently. There is also a conceptually novel ingredient in their modified quantum Fourier sampling, which, informally speaking, enables sampling the discrete-time Fourier transform (i.e., over ) of the discretized function rather than its discrete Fourier transform (i.e., over N). This facilitates the analysis and makes the HSP solvable in polynomial time. In the EHKS paper, they showcase the power of this new framework by reducing the problem of computing the unit group of a number field to this continuous HSP on O(n), and hence solve the unit group problem efficiently. The reduction generates a function f=fqfc that hides the unit group. The function f first computes a basis for a lattice fc(x), and then encodes the lattice into a quantum state by a straddle encoding procedure fq.

A natural idea arises as whether we can recast the CGS reduction, component (i), in the continuous HSP framework and solve it consequently. The CGS reduction is actually similar to the one above for the unit group. They propose a function fCGS=fqF, where the classical part F computes a lattice from an input xO(n), and fq outputs what they call a “quantum fingerprint” of the lattice F(x). While fCGS does hide a generator of the input ideal as a subgroup in O(n), the Lipschitz condition is not clear. Luckily, we notice that, by composing F in CGS with the straddle encoding function fq in EHKS, it can be shown to be a valid instance of the continuous HSP. This is possible by observing a nice connection between F and the fc function in EHKS, and reusing many results in EHKS. Details are given in Section 5.

2 An (over-)simplified presentation of quantum computing

In this section, we try to convey the aspects of quantum computing that are relevant to the quantum algorithm described in [4] as well as to other quantum cryptanalysis algorithms without getting too technical. This is achieved at the price of some simplifications. First of all, quantum computations occur on quantum states, which are vectors of the form

|x=α0|0+α2|1++α2k-1|2k-1,

where values involved in this definitions are

  1. complex numbers αi such that i|αi|2=1,

  2. vectors |i of (2)k, where |i is the i-th element of an orthonormal basis.

The notation |x|y denotes the tensor product of |x and |y. A quantum algorithm can be viewed as a unitary matrix U in 2k×2k acting on a state via |xU|x (matrix-vector multiplication). A quantum state only gives away information once it is measured (according to the chosen basis). This process returns the answer i with probability |αi|2 and leaves the system in the state |i. Therefore, whatever happens to the original state (for example, |0k) has to lead to a state whose measurement yields the result of the algorithm with good probability (typically a constant probability). More generally, when a state has the form |ψ=i|ϕi|γi, where the |ϕi are vectors of (2)k1 such that iϕi,ϕi=1 and the |γi are an orthonormal basis of (2)k2, then measuring the second register yields the answer γi with probability ϕi,ϕi and leaves the system in the state 1|ϕi|ϕi|ϕi|γi.

3 Mathematical background

Lattices

A lattice is a discrete additive subgroup of m for some integer m. The first minimum of a lattice is defined by

λ1:=minv{0}v,wherev=ikvi2is the Euclidean norm.

A basis of is a set of linearly independent vectors b1,,bk such that =b1++bk. The determinant of is det()=det(BBT), where B=(bi)ikk×m is the matrix of a basis of . For a full dimensional lattice , the best upper bound we know on λ1() is in O(kdet()1/k). The dual * of the lattice is the lattice of vectors v of m such that uv for all u.

Number fields

A number field K is a finite extension of . Its ring of integers 𝒪 has the structure of a -lattice of degree n=[K:]. A number field has r1n real embeddings (σi)ir1 and 2r2 complex embeddings (σi)r1<i2r2 (coming as r2 pairs of conjugates). The field K is isomorphic to 𝒪. We can embed K in K:=Kr1×r2 and extend the σi’s to K. Let T2 be the Hermitian form on K defined by T2(x,x):=iσi(x)σi¯(x), and let x:=T2(x,x) be the corresponding L2-norm. The (algebraic) norm of an element xK is defined by 𝒩(x)=iσi(x). Let (αi)id such that 𝒪=iωi; then the discriminant of K is given by Δ=det2(T2(αi,αj)). The volume of the fundamental domain is |Δ|, and the size of the input of algorithms working on an integral basis of 𝒪 is in O(log(|Δ|)).

Cyclotomic fields

A cyclotomic field is an extension of of the form K=(ζN), where ζN=e2iπ/N is a primitive N-th root of unity. The ring of integers 𝒪 of K is [X]/(ΦN(X))=[ζN], where ΦN is the N-th cyclotomic polynomial. When N is a power of two, ΦN(X)=XN/2+1, and when N=ps is a power of p>2, we have ΦN(X)=Xpe-1(p-1)+Xpe-1(p-2)++1 (which generalizes the case p=2). Elements a[ζN] are residues of polynomials in [X] modulo ΦN(X) and can be identified with their coefficient vectors aϕ(N), where ϕ(N) is the Euler totient of N (and the degree of ΦN(X)). When N=ps for p a prime, the degree of K satisfies [K:]=(p-1)ps-1 and Δ=±pps-1(ps-s-1); therefore log(|Δ|)nlog(n), and we can express the complexity of our algorithms in terms of n (a choice we made in this paper).

Fractional ideals in K

Elements of the form d, where 𝒪 is an (integral) ideal of the ring of integers of K and d>0, are called fractional ideals. They have the structure of a -lattice of degree n=[K;], and they form a multiplicative group . Elements of admit a unique decomposition as a power product of prime ideals of 𝒪 (with possibly negative exponents). The norm of integral ideals is given by 𝒩():=[𝒪:], which extends to fractional ideals by 𝒩(/𝔍):=𝒩()/𝒩(𝔍). The norm of a principal (fractional) ideal agrees with the norm of its generator 𝒩(x𝒪)=|𝒩(x)|.

Units of 𝒪

Elements u𝒪 that are invertible in 𝒪 are called units. Equivalently, they are the elements u𝒪 such that (u)𝒪=𝒪 and also such that 𝒩(u)=±1. The unit group of 𝒪, where K is a cyclotomic field, has rank r=n2-1 and has the form 𝒪*=μ×ϵ1××ϵr, where μ are roots of unity (torsion units) and the ϵi are non-torsion units. Such (ϵi)ir are called a system of fundamental units of 𝒪. Units generate a lattice of rank r in r+1 via the embedding xKLog(x):=(ln(|σ1(x)|),,ln(|σr+1(x)|)), where the complex embeddings (σi)in are ordered such that the first r=n2 ones are not conjugates of each other. When K=(ζps), logarithm vectors of units of the form

uj=ζpsj-1ζps-1forjps*

(the cyclotomic units) generate a sublattice of of index h+(ps), where h+(N𝔭s) is the class number of the maximal real subfield of (ζps) [19, Lemma 8.1].

Conjecture 3.1 (Weber class number problem).

For all sZ>0, we have h+(2s)=1.

The hidden subgroup problem

The problem of factoring an RSA integer reduces to an instance of the so-called hidden subgroup problem (HSP).

Definition 3.2 (Hidden subgroup problem over Z).

Given f:X for a finite set X such that there exists a subgroup H with

f(x+g)=f(x)for allxif and only ifgH,

the hidden subgroup problem is the task of finding H given oracle access to f. This means finding r such that H=r.

We want to factor an RSA integer N=pq. Let a be coprime with N (if aN, the factorization problem is solved) and

𝑓/N,
xaxmodN.

A solution to the HSP with f yields r, the order of amodN, and if a is a square, we get

(ar/2-1)(ar/2+1)=0modN.

This means that N(ar/2-1)(ar/2+1), and gcd(N,ar/2-1) may yield a non-trivial factor of N. A generalization of the HSP to m allows us to solve the discrete logarithm problem in a finite group, and we can even discretize to generalize the algorithms for efficiently solving the HSP to m, where m is fixed. This allows the computation of the class group, the unit group and the resolution of the PIP in classes of number fields of fixed degree [11]. More details about these methods are given in the appendix.

4 The PIP quantum algorithm proposed by CGS

CGS proposed a quantum algorithm for solving the PIP in (ζ2s)+. They suggested to combine it with the Gentry–Szydlo (classical) attack [9] to solve the PIP in (ζ2s). They sketched this method in [4, Section 5], but they did not provide any complexity analysis.

In this section, we review the PIP algorithm proposed in [4], and we illustrate the challenges that would need to be overcome to turn this approach into a quantum polynomial-time algorithm. There are two main steps to the approach of [4]:

  1. A reduction of the PIP in (ζ2s)+ to the search of the periods of a function from n× to the lattices in n, where n=deg((ζ2s)+) (an analogue of the HSP).

  2. The search for the periods of a function n× with an algorithm similar to the HSP algorithm of Hallgren [11].

This means that CGS exhibited a function

f:Gm{lattices overn}{quantum states}

for some subgroup G and m>0 such that f(x)=f(y) if and only if x=ymodΛ for a lattice Λm whose knowledge answers the original problem (the PIP in this case). Step (ii) consists in finding the periods of f in a fashion similar to the resolution of the HSP.

Reduction to the search for the periods of a function

Let K=(ζ2s), n=deg(K+) and r=n-1. Let αK be a totally positive generator (not necessarily small) of the input fractional ideal 𝔞 in the totally real number field K. In the context of the attacks against the short-PIP in K, we know that one of the generators of 𝔞 arises as the relative norm 𝒩K/K+(g)=gg¯ of the secret key g. This relative norm is necessarily totally positive.

Let u1,,ur be a generating set of U+r, the totally positive units of the ring of integers 𝒪 of K+. Then every totally positive generator of the principal ideal 𝔞 of K+ (including 𝒩K/K+(g)) is of the form αu1x1urxr. Let βK; then β𝒪=𝔞-k for some k if and only if Log(β)=ixiLog(ui)-kLog(α) for some (xi)irr. This means that the lattice Λαn× defined by

Λα:=(Log(α),-1)+(Log(u1),0)++(Log(ur),0)

consists of all the pairs (Log(β),k), where k, βK and β𝒪=𝔞-k. This includes elements of the form (Log(a),-1), where aK+ is a totally positive generator of 𝔞. This means that a basis for Λα yields a totally positive generator of 𝔞.

We now describe a function on n× whose periods are precisely Λα. For k and vn (not necessarily corresponding to the valuations of an element in K+), let us denote by ev𝔞k the Euclidean lattice generated by the elements of the form eva for a𝔞k. Elements in K+ such as a𝔞k correspond to real vectors (σ1(a),,σn(a)), and an element of the form eva is represented by the vector (ev1σ1(a),,evnσn(a))n. We define the function F:G{lattices overn} by F(v,k):=ev𝔞k. Then F(v,k)=𝒪 if and only if ev is a generator of 𝔞-k, which is equivalent to (v,k)Λα. Therefore, by linearity of F, the periods of F are exactly Λα.

As each element (v,k) of Λα satisfies ivi=-klog(𝒩(𝔞)), the search of the corresponding hidden subgroup can be restricted to the control space

G={(v,k)n×such thativi=-klog(𝒩(𝔞))}.

The function F used by CGS is different from the one used by Hallgren in [11] to solve the PIP. In particular, F can be evaluated in polynomial time even when the degree of K grows to infinity. This comes from the fact that it is very similar to the function defined by EHKS to hide the unit group of a number field of arbitrary degree, and the techniques they used to evaluate it in polynomial time readily apply.

Proposition 4.1.

The function F can be evaluated in classical polynomial time.

Proof.

This is immediate by application of the techniques of [7, Section 4]. The key observation is that we can perform a square-and-multiply exponentiation on the ideal with LLL-reductions at each step. ∎

The function F is then composed by a quantum encoding to identify the lattice ev𝔞k. This task is non-trivial since lattices are over n where, unlike in n, there is no canonical form such as the Hermite normal form. This encoding of lattices is called the “quantum fingerprint”, and it gives the map

f:(v,k)G𝐹F(v,k)fingerprint|ψv,k.

The details of the procedure to create |ψv,k from (v,k) are given in [4, Sections 3.4 and 3.5]. It creates a state of the form 1Γ𝐱CnL|𝐱, where

  1. 𝐱n is the scaling of a rational approximation of a vector in n,

  2. L is the lattice F(v,k),

  3. Γ>0 is a normalization factor,

  4. Cn is a bounded set such that En(ρ-ε)nCnEn(ρ+ε)n, where En(ρ) is an ellipsoid of radius ρ.

CGS conjectured that the quantum encodings of almost identical lattices have inner product close to 1, while the quantum encodings of essentially different lattices have inner product close to 0. The function f “hides” Λα in the sense that

f(v1,k1)=f(v2,k2)u:=(v1,k1)-(v2,k2)Λα.

Identifying Λα from the periods of this map is an analogue of the HSP.

Computing the periods of f

The method proposed by CGS for computing the periods of f relies on a similar strategy as the HSP resolution algorithm used by Hallgren in [11] to solve the PIP in classes of number field of fixed degree.

  1. Discretize and bound G, and then create the state

    |ψ:=1M(v,k)G|ψv,k|(v,k).
  2. Apply the quantum Fourier transform over G to the second register.

  3. Measure (v,k), and check if we obtain a good approximation of an element in Λα*.

  4. Repeat steps (ii) and (iii) until a basis of good approximations of Λα* is found.

  5. Find an approximation of a basis of Λα from Λα* with classical methods.

In step (i), M is the normalization factor depending on the radius and the precision of the bounded discretized version G of G. Table 1 highlights the main steps of the quantum algorithm of CGS and specifies those on which we can rely to prove that there is a quantum attack against schemes relying on the short-PIP. In the appendix, we use a method similar to [11] to analyze the behavior of CGS’s algorithm. This analysis implies choices of parameters that were not specified by CGS. Therefore, we cannot formally establish the complexity of the algorithm sketched in [4].

Table 1

Steps towards a proof of a polynomial run time of the PIP algorithm of [4].

PropertyStatus
The function F hides a lattices that reveals a generator of the ideal.Proved
The function F can be evaluated in classical polynomial time.Proved
The quantum fingerprint satisfied the “fidelity” property.Open question
Assuming |ψ𝐱 satisfies the “fidelity” property, step (iii) outputs good approximations of vectors in Λα*.Open question

In the rest of the paper, we show how to use the quantum encoding proposed by EHKS to solve the HSP in O(m) instead of the quantum fingerprint of CGS. EHKS proved that their quantum encoding enjoyed certain properties (one of them being similar to the “fidelity”) which allow us to solve the HSP in polynomial time.

5 A method based on the HSP algorithm of EHKS

In this section, we show how to find the periods of the function F defined in the previous section by using the lattice encoding and the corresponding HSP quantum algorithm of EHKS. This allows us to compute in quantum polynomial time a totally positive generator of an ideal 𝔞 in a totally real number field K. Recent work from EHKS developed a new framework for HSP in m, which admits an efficient quantum algorithm even for large values of m. They illustrated this by computing the unit group of a number field of arbitrary degree in polynomial time. In this section, we show how to adapt it to calculate a totally positive generator of a principal ideal given by its -basis. The algorithm described in [7] returns generators of a secret discrete subgroup H of m for an arbitrary m>0 hidden in the periods of a function f:m{quantum states}. Let G be a subgroup of m containing H. EHKSshowed in [7, Theorem 6.1] how to recover generators of H in polynomial time in the input if there is an efficiently computable function f satisfying the following properties for G=m:

  1. f is periodic on H, that is, f(x+u)=f(x) for all xG,uH;

  2. f is Lipschitz for some constant a: |f(x)-|f(y)adG(x,y) for all x,yG;

  3. there are r,ε>0 such that, for all x,yG, if dG/H(x,y)r, then |f(x)|f(y)|ε,

where dG(x,y)=x-y and dG/H(x,y)=infuHx-y-u for the Euclidean norm x.

To construct such a function, it is possible to start from a function defined on a subgroup G of m. As shown in [7, Section 6.1], if a function defined on Gm hides H and satisfies conditions (ii) and (iii) on all x,yG, it can be used to define a function on m hiding (the embedding of) H and satisfying (ii) and (iii). For simplicity, we use the following notation.

Definition 5.1 ((a,r,ε)-oracle).

Let G be a subgroup of m and f a map G{quantum states}. We say that f is an (a,r,ε)-oracle on G if it satisfies conditions (ii) and (iii) for some (a,r,ε).

Our goal is to find an efficiently computable (a,r,ε)-oracle on G=m that hides a subgroup H of m which reveals a generator of the input principal ideal. Then it can be used with the HSP algorithm of [7] to find a totally positive generator of a principal ideal in a totally real field in polynomial time in n, log(|Δ|), log(a), log(1ε) and r, where Δ is the discriminant of the field.

5.1 Review of the HSP algorithm of EHKS

To compute the unit group, EHKS used a function of the form f(x)=|ex𝒪, where ex𝒪 is the lattice generated by the elements of the form exωi for 𝒪=iωi. Such a function hides the unit group of the order 𝒪 because f(x+u)=f(x) if and only if eu𝒪=𝒪, which means that eu is a unit in 𝒪. It is derived from a function fG:Gm{quantum states}, where G is a hyperplane containing H. They show that if fG is an (a,r,ε)-oracle on G that hides H, then it can be extended to f:m{quantum states} satisfying (i), (ii) and (iii). The first step of the description of a function hiding the unit group is to find a classical function fc on a certain hyperplane G; then we compose it with a quantum encoding fq, and finally, we extend fG=fqfc to a function f on m that satisfies (i), (ii) and (iii).

Classical function

The function F used by CGS is very similar to the classical oracle fc used in [7]. The latter is defined by

Gmfc{lattices ink},
vev𝒪.

Here Gr1+r2×(/2)r1×(/)r2 is the hyperplane such that ir1+r2vi=0. In particular, it contains the elements x of the number field K such that 𝒩(x)=±1 via the correspondence

x(log|σ1(x)|,,log|σr1+r2(x)|,sign(σ1(x)),,sign(σr1(x)),θ1,,θr2),

where the θj are the phases of the complex embeddings σj(x). Then, for

v=(v1,,vr1+r2,δ1,,δr1,θ1,,θr2),

we define the exponentiation

ev=((-1)δ1ev1,,(-1)δr1evr1,e2iπθ1evr1+1,,e2iπθr2evr1+r2)r1×r2.

This can be naturally embedded into k for k=r1+2r2, and in the case of v corresponding to an xK, we have ev=x. Multiplication in k being considered component-wise, we have ev𝒪=𝒪 if and only if v corresponds to a unit of 𝒪. This also implies that fc(v1)=fc(v2) if and only if v1-v2=u, where eu is a unit of 𝒪.

The quantum encoding

The properties that fG=fqfc has to satisfy also depend on the quantum encoding that was chosen, which is one of the important contributions of EHKS. Let gs() be the Gaussian function gs(x):=e-πx2/s2, xk. For any set Sk, denote gs(S):=xSgs(x). Given a lattice L, the quantum encoding fq maps L to the lattice Gaussian state via

{lattices overk}fq𝒮(unit vectors in a Hilbert space),
L|L:=γvLgs(v)|strν,k(v),

where γ is a normalization factor. Here |strν,k(v) is the straddle encoding of a real-valued vector vk, as defined in [7]. Intuitively, we discretize the space k by a grid νk, and we encode the information about v by a superposition over all grid nodes surrounding v. Specifically, for the one-dimensional case, the straddle encoding of a real number is

x|strν(x):=cos(π2t)|j+sin(π2t)|j+1,

where j:=xν denotes the nearest grid point no bigger than x, and t:=xν-j denotes the (scaled) offset. Repeating this for each coordinate of v=(v1,,vn), we get |strν,k(v):=i=1n|strν(vi). To analyze our function hiding generators of a principal ideal 𝔞, we rely on the properties of the quantum encoding of the function hiding the unit group of 𝒪.

An (a,r,ε)-oracle on n

We will only be concerned with totally real fields, where r1=n and r2=0, and only positive units will be relevant for our purpose. We later restrict our discussion to this special case, which is much simpler since we do not need to consider the complex coordinates. We use f,c to denote the classical part (instead of fc) to indicate this special case. Let f,c be the classical oracle defined by

Gf,c{lattices inn},
vev𝒪.

Here Gn is the hyperplane such that invi=0. In particular, an element x of the number field K such that 𝒩(x)=1 leads to

x(log|σ1(x)|,,log|σn(x)|).

Then, for v=(v1,,vn), we define the exponentiation ev=(ev1,,evn)n. Multiplication in n being considered component-wise, we have ev𝒪=𝒪 if and only if v corresponds to a unit of 𝒪. This also implies that f,c(v1)=f,c(v2) if and only if v1-v2=u, where u is a totally positive unit of 𝒪.

Proposition 5.2 ([7, Theorem 5.7]).

f:=fqf,c is an (a,r,ε)-oracle on Rn with

a=πns4ν+1,ε=34,r=log(1+(sn)n-12νn)

and grid parameters s=22nn|Δ|, ν=14n(sn)2n, where Δ is the discriminant of the field.

5.2 Computing a generator of a principal ideal in a totally real field

In this section, we assume that we are given the -basis of a principal ideal 𝔞 of an order 𝒪 in a totally real field K of degree n. Moreover, we assume that 𝔞 has a totally positive generator. We show that there is a polynomial time algorithm to compute (log|g|1,,log|g|n), where g is a totally positive generator of 𝔞, n=deg(K) and |g|i=|σi(g)|=σi(g) is the i-th Archimedean valuation of g. We reduce this problem to an instance of the HSP, and we use the framework of EHKS. We start from the same classical oracle as the function F defined by CGS which we compose with fq and extend to n. The main observation that allows us to reuse the analysis of the oracle f,c hiding the (totally positive) unit group in [7] is that F(v,j)=f,c(v-jg), where eg is an arbitrary (totally positive) generator of 𝔞. The classical function we use is the same as the one of CGS

Gn×𝐹{lattices inn},
(v,j)ev𝒪𝔞-j.

The function fqF can be then extended from G to m while preserving the essential continuity properties that allow us to reuse the framework of EHKSfor the resolution of the continuous HSP. The careful analysis of the properties of fqF and that of its extension to n lead to Proposition 5.5 which shows that there is a polynomial-time algorithm to find the generator of a principal ideal in a number field.

A function hiding generators of 𝔞

The rest of the section is devoted to analyzing and extending fqF to a function f𝔞 defined on m that hides the lattice of the totally positive generators of 𝔞 and satisfies the HSP conditions (i), (ii) and (iii). The formal statement appears in Proposition 5.5, which is proven based on a few intermediate steps (Propositions 5.3 and 5.4). Given f𝔞, the quantum HSP algorithm of EHKS computes a totally positive generator efficiently.

We start off analyzing the properties of fqF.

Proposition 5.3.

With the F and fq defined above, s=22nn|Δ| and ν=14n(sn)2n, we have that fG:=fqF is an (a,r,ε)-oracle on G for

a=πns4ν+2,ε=34,r=log(1+(sn)n-12νn).

Proof.

Let us fix a generator g of 𝔞 and its corresponding (vg,1)Gn×. The main observation leading to the result is that F(v,j)=fc(v-jvg), and therefore |fG(v,j)=|fG(v-jvg).

(a) Lipschitz condition. If j1j2, then dG((v1,j1),(v2,j2))1, while, at the same time,

|fG(v1,j1)-|fG(v2,j2)2.

So, in this case,

|fG(v1,j1)-|fG(v2,j2)2dG((v1,j1),(v2,j2)).

On the other hand, if j1=j2=j, then

dG((v1,j1),(v2,j2))=dn(v1,v2)=dn(v1-jvg,v2-jvg)=dn(v1-j1vg,v2-j1vg)a|fG(v1-j1vg)-|fG(v2-j2vg)=a|fG(v1,j1)-|fG(v2,j2)

for a=πns4ν+1. Therefore, the Lipschitz condition is always satisfied for a=πns4ν+2.

(b) The (r,ε) condition. We simply need to notice that dG/Λα((v1,j1),(v2,j2))dn/U+(v1-j1vg,v2-j2vg), where U+n denotes the vectors un such that eu is a totally positive unit of K. It is immediate that the periods of f are U+, and according to Proposition 5.2, f is an (a,r,ε)-oracle for a=πns4ν, ε=34, and r=log(1+(sn)n-12νn). We use the properties of f to analyze the behavior of f𝔞.

dG/Λα((v1,j1),(v2,j2))=infuU+j(v1,j1)-(v2,j2)-(jvg,j)-(u,0)infuU+(v1-j1vg,0)-(v2-j2vg,0)-(u,0)(by choosingj=j1+j2)=dn/U+(v1-i1vg,v2-i2vg).

This means that, for r=log(1+(sn)n-12νn) and ε=34, if

dG/Λα((v1,j1),(v2,j2))r,

then dn/U+(v1-i1vg,v2-i2vg)r as well, and then, necessarily,

fG(v1,j1)|fG(v2,j2)=f(v1-j1vg)|f(v2-j2vg)ε.

Reduction to the case G=m

We described an (a,r,ε)-oracle fG on a hyperplane G of n× hiding the lattice Λα for a=πns4ν+2, ε=34, and r=log(1+(sn)n-12νn). To apply [7, Theorem 6.1], we need a function f𝔞 on m for some m that hides the lattice Λα and which is an (a¯,r¯,ε¯)-oracle in m for some a¯,r¯,ε¯, not necessarily equal to a,r,ε. A general guideline for performing such a task is given in [7, Section 6.1]. By following it, we find such a function f𝔞, and we can apply the quantum algorithm of [7] to derive Λα, thus obtaining a totally positive generator for 𝔞.

First of all, we can easily turn fG defined on the hyperplane G into a function defined over n-1× with the intermediate operation

n×ϕG,
(v,j)(v1,,vr1+r2-1,-ivi+jlog|𝒩(𝔞)|,j).

Proposition 5.4.

Assume fG is an (a,r,ε)-oracle hiding Λα on G; then the function defined by fG1:=fGϕ is an (a1,r,ε)-oracle hiding Λα on G1:=Rn-1×Z, where a1=a6(r1+r2-1)log|N(a)|.

Proof.

The fact that the (r,ε)-condition is preserved is obvious because we are dropping one coordinate. This means that if the distance in G1=n-1× (modulo Λα) is greater than r, then so is the distance in G (modulo Λα), and therefore the inner product of the two states has to be less than ε. The Lipschitz condition comes from the fact that |fG1(x)-|fG1(y)2=|fG(ϕ(x))-|fG(ϕ(y))2a2d2(ϕ(x),ϕ(y)) and that

a2d2(ϕ(x),ϕ(y))=a2(kr1+r2-1vk2+(jlog|𝒩(𝔞)|-kvk)2+j2)(where(v,j):=x-y)=a2(kr1+r2-1vk2+j2log2|𝒩(𝔞)|+kr1+r2-1vk2-2jlog|𝒩(𝔞)|(kr1+r2-1vk)+2klr1+r2-1vkvl+j2)6a2(r1+r2-1)log2|𝒩(𝔞)|(kr1+r2-1vk2+j2)=(6a2(r1+r2-1)log2|𝒩(𝔞)|)dG12(x,y).

We have now a function on k×l for k=n-1 and l=1 that hides Λα and that is an (a1,r,ε)-oracle on k×l. Following the guidelines of [7, Section 6.1], we can turn it into an (a¯,r¯,ε¯)-oracle f𝔞 on k+l that hides Λα. To do so, we define

|f𝔞(𝐱,x1,,xl):=z1,,zl{0,1}(j=1l|ψ(xj,zj))|fG1(𝐱,s(x1,z1),,s(xl,zl)),

where s(x,z)=xλ+z, |ψ(x,z)=cos(π2)strν(t) with t=xλ-s(x,z) for a lower bound λ on the shortest vector of Λα.

Proposition 5.5.

The function fa hides the lattice Λα and satisfies conditions (i), (ii) and (iii) for G=Rn and the parameters a¯,r¯,ε¯ defined by

a¯2=a12+l(π2νλ(1+ν))2=6(r1+r2-1)log2|𝒩(𝔞)|(πns4ν+2)2+l(π2νλ(1+ν))2,
r¯2=(log(1+(sn)n-12νn))2+l(2νλ)2,
ε¯=34.

Proof.

See [7, Section 6.1]. It shows that, by the transformation above, the new function is a valid HSP instance with

a¯2=a2+l(π2νλ(1+ν))2,r¯2=r2+l(2νλ)2,ε¯=ε.

6 Computing a short generator of a principal ideal in (ζ2s)

In this section, we show how to reduce the search for a small generator of an input ideal I in K=(ζ2s) to the computation of a totally positive generator of a principal ideal 𝔞 (which depends on I) in K+=(ζ2s+ζ2s-1). The main ingredient of this reduction is the norm equation resolution of the Howgrave-Graham–Szydlo algorithm [13]. This reduction seems natural, but no formal procedure (and analysis) was available [16]. The main steps of the whole attack are:

  1. Create the ideal 𝔞=(𝒩K/K+(g))K+, where g is a short generator of I.

  2. Find a generator α of 𝔞 with the quantum algorithm of Section 5.2.

  3. Find a short generator g of I by using α and a -basis of I.

The first step consists in finding a -basis of the ideal II¯K+. We can easily find a basis of the ideal II¯ of K, and we intersect it with the ring of integers of the subfield K+ of K by using [5, Algorithm 1.4.5]. When I is principal and generated by g, then 𝔞 is principal as well and generated by 𝒩K/K+(g)=gg¯.

Algorithm 1 (Creation of a=II¯K+.).

The ideal 𝔞 of the totally real field K+ is principal and generated by a totally positive generator gg¯. Therefore, it satisfies the conditions of the quantum polynomial-time algorithm for computing a totally positive generator of an ideal in a totally real field described in Section 5.2. The output of this procedure is a rational approximation of the real vector Log(α), where α is a totally positive generator of 𝔞. We want to lift this generator to obtain a generator of I. We need to assert two important properties:

  1. α is of the form 𝒩K/K+(g), where g is a generator of I.

  2. α is short enough to be written on the integral basis of K+ in polynomial time.

The surjectivity of the relative norm map does not necessarily hold true. As a matter of fact, we can only prove it under Conjecture 3.1 (Weber conjecture) which states that the class number of K+ is 1.

Proposition 6.1 (under Conjecture 3.1).

Let K=Q(ζ2s), I=(g) be an ideal of Z[ζ2s] and a=II¯K+. Then every totally positive generator of a is of the form NK/K+(g) for g a generator of I.

Proof.

The ideal 𝔞 is generated by at least one totally positive number (i.e., the image 𝒩K/K+(g) of a generator g of I by the relative norm map). Then, from [20], we know that the totally positive units are exactly the squares of units (see also [14, Intro]), which are also the norms of the units of [ζ2s] that are in K+. Let α be a totally positive generator of 𝔞. Then the two totally positive generators α,𝒩K/K+(g) of 𝔞 differ by a totally positive unit, hence a square, and hence the image of a unit u of [ζ2s]K+ by the norm map, i.e., α=𝒩K/K+(u)𝒩K/K+(g)=𝒩K/K+(ug), which is the image of a generator ug of I by the relative norm map. ∎

The vector Log(α) returned by the quantum algorithm of Section 5.2 has polynomial size, but the representation of α over an integral basis of K+ may have exponential size. Therefore, the resolution of the norm equation by the method of Howgrave-Graham and Szydlo [13] with input α may take exponential time. We need to find another totally positive generator α of 𝔞 with reasonable size. We know that α:=𝒩K/K+(g) where g is the secret short generator of I has a poly-size representation on the integral basis of K+. Therefore, we use the method of Cramer et al. [6] to derive a short generator of 𝔞 before applying the algorithm of Howgrave-Graham and Szydlo [13].

Algorithm 2 (Lift of the solution in K+.).

Proposition 6.2 (under Conjecture 3.1).

The element α computed in step 7 of Algorithm 2 has a poly-size representation on the integral basis of K+.

Proof.

This directly follows from the analysis of Babai’s round-off method (used in steps 3–4) by Cramer et al. [6]. The only difference is that we work with the lattice of the Log(𝒩K/K+(ui)) instead of that of Log(ui). Let g be the generator of I such that 𝒩K/K+(g)=α. According to the analysis of [6], we know that if we find (xi)in/2n/2 such that Log(g)=ixiLog(ui) and then perform the operation xi-xi, then g=giuixi is a generator of I that satisfies g=en1/2+o(1)𝒩(I). In particular, its representation on an integral basis has polynomial size. The (xi)in/2 calculated in step 3 are such Log(α)=2Log(g)=in/22xiLog(ui). These ensure that g=giuixi is a short generator of I, and

α=αi𝒩K/K+(ui)xi=𝒩K/K+(giuixi)=𝒩K/K+(g)

is the relative norm of the small generator g of I. It is therefore a short generator of 𝔞. ∎

Corollary 6.3.

Algorithm 2 runs in polynomial time and returns a generator g of I such that g=en1/2+o(1)N(I).

Proof.

All steps run in polynomial time. In addition, according to the proof of Proposition 6.2, we have the guarantee that step 7 produces the relative norm α of a small generator g of I. Then the solution to the relative norm equation in step 8 yields the desired short element. ∎

7 Conclusion and significance

We described a quantum polynomial time algorithm to recover a short generator of an ideal in (ζ2s). We showed that it derives from the results of [7] in a rather straightforward way. It is a significant result for post-quantum cryptography. Indeed, together with the reduction from the short-PIP to the PIP originally observed by CGS and later proved by Cramer et al. [6], it is enough to attack cryptosystems based on the hardness of finding a short generator of a principal ideal in (ζ2s) in quantum polynomial time. These include the multilinear maps of Garg, Gentry and Halevi [8] and the fully homomorphic encryption scheme of Smart and Vercauteren [18].

Strictly speaking, the algorithm we discussed in Section 5 does not solve the standard principal ideal problem with absolute certainty since the algorithm cannot decide if an input ideal is principal (it rather takes as promise that it is principal). Further generalizations of the methods of [7] will lead to the resolution of related problems in number theory in arbitrary fields including the PIP, the computation of the ideal class group, the computation of S-units, or the resolution of norm equations.


Communicated by Martin Roetteler


Award Identifier / Grant number: 1839805

Award Identifier / Grant number: 1846166

Award Identifier / Grant number: 60NANB17D184

Funding statement: This work was supported by the U.S. National Science Foundation under grants 1839805 and 1846166, by NIST under grant 60NANB17D184, and by a Seed Award of the Florida Center for Cybersecurity.

A Previous algorithms for solving the HSP

A.1 Shor’s factoring algorithm

Post-quantum cryptography really became a concern when Shor proposed a quantum algorithm to factor integers [17]. Moreover (as we see in the next section), this algorithm extends to the discrete logarithm problem in any group. An RSA integer N is an integer satisfying N=pq where p,q are distinct prime numbers. The problem of factoring an RSA integer reduces to an instance of the so-called hidden subgroup problem (HSP).

Definition A.1 (Hidden subgroup problem over Z).

Given f:X for a finite set X such that there exists a subgroup H with

f(x+g)=f(x)for allxif and only ifgH,

the hidden subgroup problem is the task of finding H given oracle access to f. This means finding r such that H=r.

We want to factor an RSA integer N=pq. Let a be coprime with N (if aN, the factorization problem is solved) and

𝑓/N,
xaxmodN.

A solution to the HSP with f yields r, the order of amodN, and if a is a square, we get

(ar/2-1)(ar/2+1)=0modN.

This means that N(ar/2-1)(ar/2+1), and gcd(N,ar/2-1) may yield a non-trivial factor of N.

Let us sketch the resolution of this instance of the HSP. The first step relies on the fact that if f is efficiently computable classically, one can create an efficient quantum algorithm to evaluate f in superposition. This yields a circuit for

1MxM|0|x𝑓1MxM|f(x)|x.

The other main ingredient we need to use in Shor’s algorithm is the so-called quantum Fourier transform (QFT) over M (for a large enough M). Let ωM=e2πi/M, the QFT is the quantum algorithm realizing

QFTM:|x1MyMωMxy|y.

If we apply the QFT to the second register of the previous state, we obtain

1MxM|f(x)|xQFTN1MxM|f(x)(1MyMωMxy|y)=1MyM(xMωMxy|f(x))|y:=1MyM|ϕy|y.

We can easily verify that the |ϕy are orthogonal vectors satisfying 1Myϕy|ϕy=1. We perform a measurement on the second register, which yields the value y with probability 1M2ϕy,ϕy1MkM/r(ωMyr)k.

Pr[measurey]=1M2(x1Mf(x1)|ωM-x1y)(x2MωMx2y|f(x2))=1M2x1,x2MωMy(x2-x1)f(x1)|f(x2)=1M2x1,x2M,f(x1)=f(x2)ωMy(x2-x1)1MkM/r(ωMyr)k.

Then if yM is close to an element of the form lr, then the above probability is high, and if not, then the probability of measuring y is low. If yM is a good enough approximation of an element of the form lr, then lr belongs to the list of convergents of the continued fraction expansion of yM, which is computed in classical polynomial time. Then we recover the period r and thus solve the problem. The probability of successfully recovering r is in 1Ω(log(log(N))) (there is a constant probability variant consisting in repeating this procedure twice). This is not the only variant of Shor’s algorithm for factoring algorithms. Alternatively, a partial measurement is performed on the f(x) register before applying the quantum Fourier transform. The quantum algorithm for solving the PIP sketched by CGS follows closely the HSP variant that we described.

A.2 The hidden subgroup problem in higher dimension

The hidden subgroup problem has a straightforward generalization in higher dimension. Many problems in algebraic number theory can be reduced to an instance of the HSP.

Definition A.2 (Hidden subgroup problem over Zm).

Given f:mX for a set X such that there exists a subgroup Hn with

f(x+g)=f(x)if and only ifgH,

the hidden subgroup problem is the task of finding H given oracle access to f.

The discrete logarithm problem is the search for h such that b=ah, where a,b are given elements of a finite group 𝒢. This can be reduced to an instance of the hidden subgroup problem in 2. We define the function

×𝑓𝒢,
(x,y)axb-y.

The periods of this function are the subgroup G=(1,h)+(r,0), where r is the order of a. Finding the subgroup G hidden by f solves our problem. The analysis we carried on to solve the HSP in generalizes in higher dimension by using the tensor product of the QFT

QFTMm:|𝐱1Mm𝐲MmωM𝐱𝐲|𝐲,

where 𝐱,𝐲Mm, and |𝐱 is an encoding of the vector 𝐱. Note that, here again, M has to be chosen large enough with respect to the typical values we are calculating. As for factoring, applying the QFT yields a state of the form 1Mm𝐲Mm|ϕ𝐲|𝐲, and we measure the vector 𝐲Mm with probability

1M2m𝐱1,𝐱2Mm,f(x1)=f(x2)ωM𝐲(𝐱2-𝐱1)=1Mm𝐮MmωM𝐲𝐮,

where m is the hidden subgroup (a lattice) we are looking for. This sum is larger when 𝐲𝐱 is an integer, that is, when 𝐲M*. It can be shown that, when 𝐲M is close enough to a point in the dual of , then it has a high probability of being sampled. This generalizes the factoring algorithm presented in the previous section which relies on the sampling of elements in the dual of the lattice =r. After finding a good approximation of the dual lattice *, we use classical linear algebra methods to compute .

To solve other number theoretic problems, we need to work with approximations of real numbers. This occurs for example in Hallgren’s method [12] to solve the Pell equation in quantum polynomial time. The discretization method used by Hallgren was generalized by Hales [10] to derive a solution to the hidden subgroup problem over (approximations of) the reals. To compute the ideal class group, the unit group and to solve instances of the principal ideal problem in number fields of higher degree, the usual approach is to first reduce the problem to the task of finding the periods of a function f defined over m for some m, and then find these periods with an algorithm for solving the HSP. For example, Hallgren [11, Section 3.1] described a unit group algorithm in a field K consisting of finding the periods of the function

r𝑓×r,
x(1μ𝒪,x-Log(μ)),whereμ𝒪minimizesLog(μ)-x.

Here r is the rank of the unit group and Log(μ)=(log|σ1(μ)|,,log|σr(μ)|) is the vector of the first r logarithms of the Archimedean embeddings of μ. Since this function relies on the search for a minimum in 𝒪, its evaluation costs exponential time in the degree, thus restricting its use for classes of number field with fixed degree. In the same paper, Hallgren [11] described quantum polynomial-time algorithms for the unit group, the class group and the principal ideal problem in classes of fixed-degree number fields.

A necessary condition to ensure that these problems can be solved in polynomial time is that they reduce to the search for the periods of a function that is efficiently computable. The evaluation of the function described above is not polynomial in the degree of the extension, which is one reason why the overall algorithm does not run in polynomial time in k. The other obstruction lies within the resolution of the subsequent instance of the HSP. Indeed, the method used in [11] to solve the hidden subgroup problem in m does not seem to run in polynomial time with respect to m. It relies on the creation and the measurement of the state

|ψ=1|q|1M𝐱Mm𝐮qωM𝐱N𝐮|𝐱,whereq=[0,q]m.

Hallgren showed that the probability of measuring 𝐱 such that 𝐱q was 1q-close to * was at least 18log(disc(𝒪))m (a term corresponding to the zero-filling was omitted, i.e., an artificial enlargement of the size of the bounded region where we perform the QFT to facilitate the analysis). In classes of fixed degree (i.e., when m is fixed), this gives a polynomial time algorithm to solve the HSP. The case of m was solved 10 years later by EHKS.

B Towards an analysis of the algorithm of CGS

In this section, we show that if we discretize G at a precision 1N as it is done in [11], then the quantum algorithm of CGS cannot return, in better complexity than 2n, a vector that is ε-close to Λα for ε=1q and qn2λ, where λ is a bound on the size of the vectors in a reduced basis of Λα.

Proposition B.1 (Sampling probability).

Let N>0 be the precision of the discretization of G. We assume that the fingerprint encoding behaves as conjectured in [4, Section 3.6], that is,

  1. ψ𝐱1|ψ𝐱2=1 if 𝐱2-𝐱1 is ε -close to for some ε<1N,

  2. ψ𝐱1|ψ𝐱2=0 otherwise.

The probability of drawing a rational approximation that is 1q-close to a vector in Λα* for q(n)2λ, where n=deg(K+), Δ=disc(K+) and where λ is a bound on the size of the vectors in a reduced basis of Λα, is at least

P18(log(|Δ|)t)nfor anyt8n.

Proof.

To bound and discretize G, we need three parameters that were not explicitly given in [4]. The grid has precision 1N for some N>0, and we choose to restrict the QFT to G[0,q]n for a large enough integer q. We also enlarge the grid by a factor t that will be used to analyze the complexity (this is the so-called zero-filling technique). Let the normalization factor be M=qtN. We can identify the discretized and bounded G with Mn. Then the algorithm is the same as for factoring,

1Mn𝐱Mn|0|x𝐹1Mn𝐱M|ψ𝐱|𝐱QFTMn1Mn𝐲Mn|ϕ𝐲|𝐲.

We measure 𝐲 and hope that it is close enough to a vector in Λα. To analyze this technique, we use the same approach as Hallgren’s 2005 paper [11]. As for Shor’s factoring algorithm, the probability of drawing 𝐲G (regardless of its properties) is

1M2nϕ𝐲,ϕ𝐲=1M2n𝐱1,𝐱2MnωM𝐲(𝐱2-𝐱1)ψ𝐱1|ψ𝐱2.

Unlike in the exact case where ψ𝐱1|ψ𝐱2 is either 1 when 𝐱2-𝐱1 and 0 otherwise (here =Λα), we are dealing with approximations. We assume that the fingerprint behaves as conjectured in [4, Section 3.6]. We formalize this by ψ𝐱1|ψ𝐱2=1 if 𝐱2-𝐱1 is ε-close to for some ε<1N and ψ𝐱1|ψ𝐱2=0 otherwise. For each lattice vector 𝐮, we have ψ𝐱1|ψ𝐱2=1 for all the 𝐱1,𝐱2 such that 𝐱2-𝐱1 is in a ball of radius ε centered around 𝐮. So the probability of measuring 𝐲 is

1M2n𝐱1,𝐱2MnωM𝐲(𝐱2-𝐱1)ψ𝐱1|ψ𝐱2=1M2n𝐱1Mn𝐱2Mn𝐱1-𝐱2+(0,ε)nωM𝐲(𝐱2-𝐱1).

To bound this probability from below, we show that the phases corresponding to an element 𝐲 close to a dual lattice vector are small. Each term 𝐱2-𝐱1 is of the form Nv+εv, where v and |εv|<1. The 𝐲 that we hope to measure are of the form tqw for w*. Moreover, to make sure that the phase terms remain bounded, we restrict ourselves to vectors with entries satisfying |yi|qNtlog|Δ|. This means that we are measuring approximations of w* with |wi|qNtlog|Δ|+1 and that N has to be chosen large enough so that we measure a significant portion of *. So 𝐲=qtw+δw for δw<12, and

𝐲(𝐱2-𝐱1)=(qtw+δw)(Nv+εv)=qNt(wv)+qt(wεv)+δw(Nv+εv).

The first term of the sum vanishes from the phase because it equals zero modulo qtN. Indeed, vw. The second term satisfies

|qt(wεv)qtN|nmaxi|wi|Nnlog|Δ|1log(n).

Finally, the third term of the phase satisfies

|δw(Nv+εv)qtN||δwv|qt+|δwεv|qtNnmax|vi|qt18

if we choose t8n. So, for large enough n, we have |𝐲(𝐱2-𝐱1)qtN|<16, and the probability P𝐳 of measuring 𝐳 satisfies

P𝐳=1M2n𝐱1Mn𝐱2Mn𝐱1-𝐱2+(0,ε)nωM𝐲(𝐱2-𝐱1)=1Mn𝐮[0,q]nωM𝐲[N𝐮]12Mn𝐮[0,q]n(e2iπ/3+e-2iπ/3)=|[0,q]n|2Mn.

The above probability holds for all 𝐳* with entries bounded by Nlog|Δ|. As in [11], we need to relate the number of points in q=[0,q]n to the number of points of N/log|Δ|*=*[0,Nlog|Δ|]n. Let λ be a bound on the length of the vectors in a reduced basis of ; by [15, Proposition 8.7], we have |q|qn2det() if qn2λ and |N/log|Δ|*|(N/log|Δ|)n2det(*) if Nlog|Δ|nn2λ. Therefore,

|q||N/log|Δ|*|qn(Nlog|Δ|)n4det()det(*)=qn(Nlog|Δ|)n4,

and the probability of drawing 𝐳 such that qt𝐳 is 1q-close to wN/log|Δ|* satisfies

P𝐳|q|2Mn18(log|Δ|t)n1|N/log|Δ|*|.

As pointed out in [11], such 𝐳 are the points of our grid such that 𝐲qt is 1q-close to a wN/log|Δ|*. As there are |N/log|Δ|*| vectors 𝐲 associated to such a w, the probability of measuring one is at least 18(log|Δ|t)n. ∎

The above statement gives a lower bound on the probability of drawing points that are approximations of elements in Λα*. This, in turn, gives an upper bound on the run time to obtain enough approximations of lattice points before being able to find a basis of Λα. Still assuming that the same techniques are used, we can also derive an upper bound on the probability of sampling an approximation of a dual lattice point, which, in turn, gives a lower bound on the run time of the algorithm.

Proposition B.2 (Exponential run time).

Under the same assumptions as Proposition B.1, the run time of the overall algorithm is at least 2n.

Proof.

With the same choice of parameters as in the proof of the previous proposition, the probability of drawing 𝐳 satisfies

P𝐳=1Mn𝐮[0,q]nωM𝐲[N𝐮]|[0,q]n|MnqnMndet().

There are |N/log|Δ|*|(N/log|Δ|)ndet(*) such points, which means that the probability of drawing a rational approximation that is 1q-close to a point in N/log|Δ|* is no more than

P(Nlog|Δ|)ndet(*)qnMndet()=1(log|Δ|t)n12n.

The total run time is at least as much as the time taken to draw a single approximation of a dual lattice point, which is at least 2n. ∎

Remark.

The above analysis shows that if we only assume that the quantum fingerprint has the property (called “fidelity”) that

  1. ψ𝐱1|ψ𝐱2=1 if 𝐱2-𝐱1 is ε-close to for some ε<1N,

  2. ψ𝐱1|ψ𝐱2=0 otherwise,

then the techniques mentioned by CGS relying on the discretization of m and the QFT do not allow to prove that the procedure has a polynomial run time.

References

[1] J.-F. Biasse, Subexponential time relations in the class group of large degree number fields, Adv. Math. Commun. 8 (2014), no. 4, 407–425. 10.3934/amc.2014.8.407Search in Google Scholar

[2] J.-F. Biasse and C. Fieker, Subexponential class group and unit group computation in large degree number fields, LMS J. Comput. Math. 17 (2014), 385–403. 10.1112/S1461157014000345Search in Google Scholar

[3] J.-F. Biasse and F. Song, Efficient quantum algorithms for computing class groups and solving the principal ideal problem in arbitrary degree number fields, Proceedings of the Twenty-Seventh Annual ACM-SIAM Symposium on Discrete Algorithms, ACM, New York (2016), 893–902. 10.1137/1.9781611974331.ch64Search in Google Scholar

[4] P. Campbell, M. Groves and D. Shepherd, SOLILOQUY, a cautionary tale. Search in Google Scholar

[5] H. Cohen, Advanced Topics in Computational Number Theory, Grad. Texts in Math. 193, Springer, New York, 2000. 10.1007/978-1-4419-8489-0Search in Google Scholar

[6] R. Cramer, L. Ducas, C. Peikert and O. Regev, Recovering short generators of principal ideals in cyclotomic rings, IACR Cryptology ePrint Archive (2015), https://eprint.iacr.org/2015/313. 10.1007/978-3-662-49896-5_20Search in Google Scholar

[7] K. Eisenträger, S. Hallgren, A. Kitaev and F. Song, A quantum algorithm for computing the unit group of an arbitrary degree number field, Proceedings of the 2014 ACM Symposium on Theory of Computing—STOC’14, ACM, New York (2014), 293–302. 10.1145/2591796.2591860Search in Google Scholar

[8] S. Garg, C. Gentry and S. Halevi, Candidate multilinear maps from ideal lattices, Advances in Cryptology—EUROCRYPT 2013, Lecture Notes in Comput. Sci. 7881, Springer, Heidelberg (2013), 1–17. 10.1007/978-3-642-38348-9_1Search in Google Scholar

[9] C. Gentry and M. Szydlo, Cryptanalysis of the revised NTRU signature scheme, Advances in Cryptology—EUROCRYPT 2002, Lecture Notes in Comput. Sci. 2332, Springer, Berlin (2002), 299–320. 10.1007/3-540-46035-7_20Search in Google Scholar

[10] L. Hales, The quantum fourier transform and extensions of the abelian hidden subgroup problem, PhD thesis, University of California Berkeley, 2002. Search in Google Scholar

[11] S. Hallgren, Fast quantum algorithms for computing the unit group and class group of a number field, Proceedings of the 37th Annual ACM Symposium on Theory of Computing—STOC’05, ACM, New York (2005), 468–474. 10.1145/1060590.1060660Search in Google Scholar

[12] S. Hallgren, Polynomial-time quantum algorithms for Pell’s equation and the principal ideal problem, J. ACM 54 (2007), no. 1, Article ID 4. 10.1145/509907.510001Search in Google Scholar

[13] N. Howgrave-Graham and M. Szydlo, A method to solve cyclotomic norm equations ff¯, Algorithmic Number Theory, Lecture Notes in Comput. Sci. 3076, Springer, Berlin (2004), 272–279. 10.1007/978-3-540-24847-7_20Search in Google Scholar

[14] M.-H. Kim and S.-G. Lim, Square classes of totally positive units, J. Number Theory 125 (2007), no. 1, 1–6. 10.1016/j.jnt.2006.04.010Search in Google Scholar

[15] D. Micciancio and S. Goldwasser, Complexity of Lattice Problems. A Cryptographic Perspective, Kluwer Int. Ser. Eng. Comp. Sci. 671, Kluwer Academic, Boston, 2002. 10.1007/978-1-4615-0897-7Search in Google Scholar

[16] O. Regev, Private communication, 2015. Search in Google Scholar

[17] P. W. Shor, Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer, SIAM J. Comput. 26 (1997), no. 5, 1484–1509. 10.1137/S0097539795293172Search in Google Scholar

[18] N. P. Smart and F. Vercauteren, Fully homomorphic encryption with relatively small key and ciphertext sizes, Public Key Cryptography—PKC 2010, Lecture Notes in Comput. Sci. 6056, Springer, Berlin (2010), 420–443. 10.1007/978-3-642-13013-7_25Search in Google Scholar

[19] L. C. Washington, Introduction to Cyclotomic Fields, Grad. Texts in Math. 83, Springer, New York, 1982. 10.1007/978-1-4684-0133-2Search in Google Scholar

[20] H. Weber, Lehrbuch der Algebra. Vol. II, Vieweg, Braunschweig, 1899. Search in Google Scholar

Received: 2015-09-24
Revised: 2017-08-31
Accepted: 2019-05-07
Published Online: 2019-08-14
Published in Print: 2019-10-01

© 2019 Walter de Gruyter GmbH, Berlin/Boston

This article is distributed under the terms of the Creative Commons Attribution Non-Commercial License, which permits unrestricted non-commercial use, distribution, and reproduction in any medium, provided the original work is properly cited.

Downloaded on 25.2.2024 from https://www.degruyter.com/document/doi/10.1515/jmc-2015-0046/html
Scroll to top button