On the quantum attacks against schemes relying on the hardness of finding a short generator of an ideal in ℚ(𝜁_2^𝑠)

Contribution

In this paper, we give a closer look at the quantum PIP algorithm proposed by CGS. We intend to distill the justified and valuable pieces out of it and try to extend them to obtain an algorithm that provably works.

Indeed, we show that, combining a valid piece of the reduction, component (i), in CGS with techniques and results from a recent work of Eisenträger et al. [7] (call it EHKS hereafter), one can compute a generator of a principal ideal in ℚ⁢(ζ2s) in quantum polynomial time. Together with the reduction from short-PIP to PIP of Cramer et al. [6], this yields a quantum polynomial-time attack against the FHE scheme of Smart and Vercauteren [18] and the multilinear maps of Garg, Gentry and Halevi [8].

In the appendix, we also point out some potential obstructions of component (ii) (quantum HSP algorithm) of CGS that renders it unlikely to be efficient, based on the state of the art in [11].

In a subsequent work [3], an efficient quantum algorithm is proposed that solves the general S-unit group problem in arbitrary-degree number fields. The PIP problem in general fields is thus solved as well due to simple reduction of computing PIP to finding a proper S-unit group problem.

Overview

Here we give an overview of what the CGS algorithm may fall short of and how to use the recent work EHKS to extend some piece of the CGS algorithm into a correct algorithm for finding a generator of an input ideal.

As is the case in both the constant-degree PIP algorithm by Hallgren [11] and the CGS algorithm, one first reduces the PIP problem to an HSP instance and then uses a quantum algorithm to solve the HSP problem efficiently. Roughly speaking, the HSP instance describes a function f:G→S for some group G (here G=ℝO⁢(n)) and set S such that there is a hidden discrete subgroup H≤G for which f is periodic over G and f is injective on G/H (i.e., f⁢(x)=f⁢(y) if and only if x∈y+H).

We then need to find H with access to f, which would further allow us to find a generator of the input ideal from H. At the heart of the existing quantum HSP algorithm (e.g., [11]) is a quantum Fourier sampling procedure, which essentially generates uniform samples from the Fourier transform of f. In the ideal case, the Fourier transform of f will be peaked at elements of the dual group of H, from which we can recover H efficiently.

However, in reality, one thing inevitable is to discretize the function on ℝO⁢(n) (and truncate it within a finite window) because computers (classical or quantum) are digital and have finite precision and memory only. In effect, we end up with a discrete function f~:ℤO⁢(n)→S, and its Fourier transform will become noisy. Namely, a random sample there, by applying the quantum Fourier sampling procedure, is less likely to hit an element in the dual of H. Therefore, to get enough clean samples, one has to repeat many times. By the best known analysis [11], the number of repetitions grows exponentially in the dimension n. The quantum HSP algorithm outlined in CGS does not go beyond Hallgren’s algorithm, and hence is unlikely to succeed within polynomial time in n unless with improved analysis.

Instead, the recent work of EHKS proposes a conceptually new notion for HSP over continuous groups such as ℝn (call it continuous HSP). The key distinction is enforcing a stringent continuity condition on the function f. Specifically, they require f to be Lipschitz so that the change between f⁢(x) and f⁢(y) is bounded by some constant factor of the change between inputs x and y. This additional property ensures that, once we discretize it, its Fourier transform is still concentrated on the dual of H. EHKS then gives a modified quantum Fourier sampling procedure to generate samples from the dual of H (with good approximation) and recover H efficiently. There is also a conceptually novel ingredient in their modified quantum Fourier sampling, which, informally speaking, enables sampling the discrete-time Fourier transform (i.e., over ℤ) of the discretized function rather than its discrete Fourier transform (i.e., over ℤN). This facilitates the analysis and makes the HSP solvable in polynomial time. In the EHKS paper, they showcase the power of this new framework by reducing the problem of computing the unit group of a number field to this continuous HSP on ℝO⁢(n), and hence solve the unit group problem efficiently. The reduction generates a function f=fq∘fc that hides the unit group. The function f first computes a basis for a lattice fc⁢(x), and then encodes the lattice into a quantum state by a straddle encoding procedure fq.

A natural idea arises as whether we can recast the CGS reduction, component (i), in the continuous HSP framework and solve it consequently. The CGS reduction is actually similar to the one above for the unit group. They propose a function fCGS=fq′∘F, where the classical part F computes a lattice from an input x∈ℝO⁢(n), and fq′ outputs what they call a “quantum fingerprint” of the lattice F⁢(x). While fCGS does hide a generator of the input ideal as a subgroup in ℝO⁢(n), the Lipschitz condition is not clear. Luckily, we notice that, by composing F in CGS with the straddle encoding function fq in EHKS, it can be shown to be a valid instance of the continuous HSP. This is possible by observing a nice connection between F and the fc function in EHKS, and reusing many results in EHKS. Details are given in Section 5.

Lattices

A lattice is a discrete additive subgroup of ℝm for some integer m. The first minimum of a lattice ℒ is defined by

A basis of ℒ is a set of linearly independent vectors b→1,…,b→k such that ℒ=ℤ⁢b→1+⋯+ℤ⁢b→k. The determinant of ℒ is det⁡(ℒ)=det⁡(B⋅BT), where B=(b→i)i≤k∈ℝk×m is the matrix of a basis of ℒ. For a full dimensional lattice ℒ, the best upper bound we know on λ1⁢(ℒ) is in O⁢(k⁢det⁡(ℒ)1/k). The dual ℒ* of the lattice ℒ is the lattice of vectors v→ of ℝm such that u→⋅v→∈ℤ for all u→∈ℒ.

Number fields

A number field K is a finite extension of ℚ. Its ring of integers 𝒪 has the structure of a ℤ-lattice of degree n=[K:ℚ]. A number field has r1≤n real embeddings (σi)i≤r1 and 2⁢r2 complex embeddings (σi)r1<i≤2⁢r2 (coming as r2 pairs of conjugates). The field K is isomorphic to 𝒪⊗ℚ. We can embed K in Kℝ:=K⊗ℝ≃ℝr1×ℂr2 and extend the σi’s to Kℝ. Let T2 be the Hermitian form on Kℝ defined by T2(x,x′):=∑iσi(x)σi¯(x′), and let ∥x∥:=T2⁢(x,x) be the corresponding L2-norm. The (algebraic) norm of an element x∈K is defined by 𝒩⁢(x)=∏iσi⁢(x). Let (αi)i≤d such that 𝒪=⊕iℤ⁢ωi; then the discriminant of K is given by Δ=det2⁡(T2⁢(αi,αj)). The volume of the fundamental domain is |Δ|, and the size of the input of algorithms working on an integral basis of 𝒪 is in O⁢(log⁡(|Δ|)).

Cyclotomic fields

A cyclotomic field is an extension of ℚ of the form K=ℚ⁢(ζN), where ζN=e2⁢i⁢π/N is a primitive N-th root of unity. The ring of integers 𝒪 of K is ℤ⁢[X]/(ΦN⁢(X))=ℤ⁢[ζN], where ΦN is the N-th cyclotomic polynomial. When N is a power of two, ΦN⁢(X)=XN/2+1, and when N=ps is a power of p>2, we have ΦN⁢(X)=Xpe-1⁢(p-1)+Xpe-1⁢(p-2)+⋯+1 (which generalizes the case p=2). Elements a∈ℤ⁢[ζN] are residues of polynomials in ℤ⁢[X] modulo ΦN⁢(X) and can be identified with their coefficient vectors a→∈ℤϕ⁢(N), where ϕ⁢(N) is the Euler totient of N (and the degree of ΦN⁢(X)). When N=ps for p a prime, the degree of K satisfies [K:ℚ]=(p-1)ps-1 and Δ=±pps-1⁢(p⁢s-s-1); therefore log⁡(|Δ|)∼n⁢log⁡(n), and we can express the complexity of our algorithms in terms of n (a choice we made in this paper).

Fractional ideals in K

Elements of the form ℑd, where ℑ⊆𝒪 is an (integral) ideal of the ring of integers of K and d>0, are called fractional ideals. They have the structure of a ℤ-lattice of degree n=[K;ℚ], and they form a multiplicative group ℐ. Elements of ℐ admit a unique decomposition as a power product of prime ideals of 𝒪 (with possibly negative exponents). The norm of integral ideals is given by 𝒩(ℑ):=[𝒪:ℑ], which extends to fractional ideals by 𝒩(ℑ/𝔍):=𝒩(ℑ)/𝒩(𝔍). The norm of a principal (fractional) ideal agrees with the norm of its generator 𝒩⁢(x⁢𝒪)=|𝒩⁢(x)|.

Units of 𝒪

Elements u∈𝒪 that are invertible in 𝒪 are called units. Equivalently, they are the elements u∈𝒪 such that (u)⁢𝒪=𝒪 and also such that 𝒩⁢(u)=±1. The unit group of 𝒪, where K is a cyclotomic field, has rank r=n2-1 and has the form 𝒪*=μ×〈ϵ1〉×⋯×〈ϵr〉, where μ are roots of unity (torsion units) and the ϵi are non-torsion units. Such (ϵi)i≤r are called a system of fundamental units of 𝒪. Units generate a lattice ℒ of rank r in ℝr+1 via the embedding x∈K↦Log(x):=(ln(|σ1(x)|),…,ln(|σr+1(x)|)), where the complex embeddings (σi)i≤n are ordered such that the first r=n2 ones are not conjugates of each other. When K=ℚ⁢(ζps), logarithm vectors of units of the form

(the cyclotomic units) generate a sublattice of ℒ of index h+⁢(ps), where h+⁢(N⁢𝔭s) is the class number of the maximal real subfield of ℚ⁢(ζps) [19, Lemma 8.1].

The hidden subgroup problem

The problem of factoring an RSA integer reduces to an instance of the so-called hidden subgroup problem (HSP).

We want to factor an RSA integer N=p⁢q. Let a be coprime with N (if ∣⁡aN, the factorization problem is solved) and

A solution to the HSP with f yields r, the order of amodN, and if a is a square, we get

This means that ∣⁡N(ar/2-1)⁢(ar/2+1), and gcd⁡(N,ar/2-1) may yield a non-trivial factor of N. A generalization of the HSP to ℤm allows us to solve the discrete logarithm problem in a finite group, and we can even discretize ℝ to generalize the algorithms for efficiently solving the HSP to ℝm, where m is fixed. This allows the computation of the class group, the unit group and the resolution of the PIP in classes of number fields of fixed degree [11]. More details about these methods are given in the appendix.

Reduction to the search for the periods of a function

Let K=ℚ⁢(ζ2s), n=deg⁡(K+) and r=n-1. Let α′∈K be a totally positive generator (not necessarily small) of the input fractional ideal 𝔞 in the totally real number field K. In the context of the attacks against the short-PIP in K, we know that one of the generators of 𝔞 arises as the relative norm 𝒩K/K+⁢(g)=g⁢g¯ of the secret key g. This relative norm is necessarily totally positive.

Let u1,…,ur be a generating set of U+≃ℤr, the totally positive units of the ring of integers 𝒪 of K+. Then every totally positive generator of the principal ideal 𝔞 of K+ (including 𝒩K/K+⁢(g)) is of the form α′⋅u1x1⁢⋯⁢urxr. Let β∈K; then β⋅𝒪=𝔞-k for some k∈ℤ if and only if Log⁡(β)=∑ixi⁢Log⁡(ui)-k⁢Log⁡(α′) for some (xi)i≤r∈ℤr. This means that the lattice Λα′⊆ℝn×ℤ defined by

consists of all the pairs (Log⁡(β),k), where k∈ℤ, β∈K and β⋅𝒪=𝔞-k. This includes elements of the form (Log⁡(a),-1), where a∈K+ is a totally positive generator of 𝔞. This means that a basis for Λα′ yields a totally positive generator of 𝔞.

We now describe a function on ℝn×ℤ whose periods are precisely Λα′. For k∈ℤ and v∈ℝn (not necessarily corresponding to the valuations of an element in K+), let us denote by ev⋅𝔞k the Euclidean lattice generated by the elements of the form ev⋅a for a∈𝔞k. Elements in K+ such as a∈𝔞k correspond to real vectors (σ1⁢(a),…,σn⁢(a)), and an element of the form ev⋅a is represented by the vector (ev1⁢σ1⁢(a),…,evn⁢σn⁢(a))∈ℝn. We define the function F:G→{lattices over⁢ℝn} by F(v,k):=ev𝔞k. Then F⁢(v,k)=𝒪 if and only if ev is a generator of 𝔞-k, which is equivalent to (v,k)∈Λα′. Therefore, by linearity of F, the periods of F are exactly Λα′.

As each element (v,k) of Λα′ satisfies ∑ivi=-k⁢log⁡(𝒩⁢(𝔞)), the search of the corresponding hidden subgroup can be restricted to the control space

The function F used by CGS is different from the one used by Hallgren in [11] to solve the PIP. In particular, F can be evaluated in polynomial time even when the degree of K grows to infinity. This comes from the fact that it is very similar to the function defined by EHKS to hide the unit group of a number field of arbitrary degree, and the techniques they used to evaluate it in polynomial time readily apply.

The function F is then composed by a quantum encoding to identify the lattice ev⁢𝔞k. This task is non-trivial since lattices are over ℝn where, unlike in ℤn, there is no canonical form such as the Hermite normal form. This encoding of lattices is called the “quantum fingerprint”, and it gives the map

The details of the procedure to create |ψv,k〉 from (v,k) are given in [4, Sections 3.4 and 3.5]. It creates a state of the form 1Γ∑𝐱∈Cn∩L|𝐱〉, where

1. 𝐱∈ℤn is the scaling of a rational approximation of a vector in ℝn,

2. L is the lattice F⁢(v,k),

3. Γ>0 is a normalization factor,

4. Cn is a bounded set such that En⁢(ρ-ε)∩ℤn⊆Cn⊆En⁢(ρ+ε)∩ℤn, where En⁢(ρ) is an ellipsoid of radius ρ.

CGS conjectured that the quantum encodings of almost identical lattices have inner product close to 1, while the quantum encodings of essentially different lattices have inner product close to 0. The function f “hides” Λα′ in the sense that

Identifying Λα′ from the periods of this map is an analogue of the HSP.

Computing the periods of f

The method proposed by CGS for computing the periods of f relies on a similar strategy as the HSP resolution algorithm used by Hallgren in [11] to solve the PIP in classes of number field of fixed degree.

1. Discretize and bound G, and then create the state

   |ψ〉:=1M∑(v,k)∈G′|ψv,k〉|(v,k)〉.

2. Apply the quantum Fourier transform over G to the second register.

3. Measure (v,k), and check if we obtain a good approximation of an element in Λα′*.

4. Repeat steps (ii) and (iii) until a basis of good approximations of Λα′* is found.

5. Find an approximation of a basis of Λα′ from Λα′* with classical methods.

In step (i), M is the normalization factor depending on the radius and the precision of the bounded discretized version G′ of G. Table 1 highlights the main steps of the quantum algorithm of CGS and specifies those on which we can rely to prove that there is a quantum attack against schemes relying on the short-PIP. In the appendix, we use a method similar to [11] to analyze the behavior of CGS’s algorithm. This analysis implies choices of parameters that were not specified by CGS. Therefore, we cannot formally establish the complexity of the algorithm sketched in [4].

In the rest of the paper, we show how to use the quantum encoding proposed by EHKS to solve the HSP in ℝO⁢(m) instead of the quantum fingerprint of CGS. EHKS proved that their quantum encoding enjoyed certain properties (one of them being similar to the “fidelity”) which allow us to solve the HSP in polynomial time.

5.1 Review of the HSP algorithm of EHKS

To compute the unit group, EHKS used a function of the form f(x)=|ex⋅𝒪〉, where ex⋅𝒪 is the lattice generated by the elements of the form ex⋅ωi for 𝒪=∑iℤ⁢ωi. Such a function hides the unit group of the order 𝒪 because f⁢(x+u)=f⁢(x) if and only if eu⋅𝒪=𝒪, which means that eu is a unit in 𝒪. It is derived from a function fG:G⊆ℝm→{quantum states}, where G is a hyperplane containing H. They show that if fG is an (a,r,ε)-oracle on G that hides H, then it can be extended to f:ℝm→{quantum states} satisfying (i), (ii) and (iii). The first step of the description of a function hiding the unit group is to find a classical function fc on a certain hyperplane G; then we compose it with a quantum encoding fq, and finally, we extend fG=fq∘fc to a function f on ℝm that satisfies (i), (ii) and (iii).

5.2 Computing a generator of a principal ideal in a totally real field

In this section, we assume that we are given the ℤ-basis of a principal ideal 𝔞 of an order 𝒪 in a totally real field K of degree n. Moreover, we assume that 𝔞 has a totally positive generator. We show that there is a polynomial time algorithm to compute (log|g|1,…,log|g|n), where g is a totally positive generator of 𝔞, n=deg⁡(K) and |g|i=|σi⁢(g)|=σi⁢(g) is the i-th Archimedean valuation of g. We reduce this problem to an instance of the HSP, and we use the framework of EHKS. We start from the same classical oracle as the function F defined by CGS which we compose with fq and extend to ℝn. The main observation that allows us to reuse the analysis of the oracle fℝ,c hiding the (totally positive) unit group in [7] is that F⁢(v,j)=fℝ,c⁢(v-j⁢g), where eg is an arbitrary (totally positive) generator of 𝔞. The classical function we use is the same as the one of CGS

The function fq∘F can be then extended from G to ℝm while preserving the essential continuity properties that allow us to reuse the framework of EHKSfor the resolution of the continuous HSP. The careful analysis of the properties of fq∘F and that of its extension to ℝn lead to Proposition 5.5 which shows that there is a polynomial-time algorithm to find the generator of a principal ideal in a number field.