Date post: 09-Jul-2020
The Shortest Vector Problem in Ideal Lattices

Simon T. Huỳnh
Thesis advisor: A. Kirsten Eisenträger
Department of Mathematics, The Pennsylvania State University

Quantum Attacks on Public-key Cryptosystems

The security of RSA relies upon the hardness of factoring integers into primes. Shor's algorithm is a quantum algorithm that factors integers in quantum polynomial time [Sho95]. Thus, a quantum computer can break RSA. The NSA announced its preparation for a transition to quantum-resistant algorithms in 2015 [NSA15].

Figure 1: $\Delta = x + y - z$ denotes the period of time during which information protected by public-key cryptosystems is vulnerable to attacks by quantum algorithms [Mos15].

An Alternative: Lattice-based Cryptography

Lattice-based cryptosystems are attractive for their strong provable security and resistance to quantum attacks. Their security depends on the hardness of the Shortest Vector Problem (SVP) in lattices. Ideal lattices are used to allow faster computations and lower space complexity. However, the security of ideal lattice-based cryptographic schemes is not well understood.

Preliminaries

A commutative ring $R$ is a set with binary operators $+$ and $\times$ such that $(R, +)$ is an Abelian group, $\times$ is associative and commutative, and $\times$ is distributive over $+$.

A subset $S \subseteq R$ is a subring of $R$ if $S$ is also a ring.

A subring $I$ of $R$ is called an ideal of $R$ if for all $r \in R$, $r \times I := \{r \times x : x \in I\} \subseteq I$.

An ideal $I$ of a ring $R$ is principal if there exists $a \in R$ such that every $x \in I$ can be written as $x = a \times y$ for some $y \in R$.

A quotient ring $R/I$, where $I$ is an ideal of a ring $R$, is the set of equivalence classes $\bar{x}$, where $\bar{x} = \bar{y}$ if and only if $x - y \in I$.

Let $R_1$ and $R_2$ be rings. $R_1$ is isomorphic to $R_2$, denoted $R_1 \cong R_2$, if there exists a map $\varphi : R_1 \to R_2$ such that $\varphi$ is a bijection, $\varphi(x + y) = \varphi(x) + \varphi(y)$, and $\varphi(x \times y) = \varphi(x) \times \varphi(y)$ for all $x, y \in R_1$.

Example: The set $\mathbb{Z}$ with the usual $+$ and $\times$ is a commutative ring. Every ideal of $\mathbb{Z}$ is of the form $(n) = n \times \mathbb{Z}$ for some $n \in \mathbb{Z}$, and is thus principal.
Given an ideal $(n)$ of $\mathbb{Z}$, the quotient ring $\mathbb{Z}/(n)$ is the ring of integers modulo $n$.

Lattices

A lattice $\mathcal{L}(B)$ is the set of $\mathbb{Z}$-linear combinations of basis vectors $B = \{b_1, \ldots, b_n\}$:
$$\mathcal{L}(B) = \{Bx : x \in \mathbb{Z}^n\}.$$
$\Lambda \subseteq \mathcal{L}(B)$ is a sublattice of $\mathcal{L}(B)$ if $\Lambda$ is itself a lattice.

Figure 2: A lattice with basis $B = \{(1), (\pi, 1)\}$.

Theorem 1. For two distinct lattice bases $B$ and $C$, $\mathcal{L}(B) = \mathcal{L}(C) \iff \exists\, U \in GL(n, \mathbb{Z})$ such that $B = CU$ [Mic14b].

The Shortest Vector Problem

The minimum distance of a lattice $\mathcal{L}$ is $\lambda := \inf\{\|v\| : v \in \mathcal{L},\ v \neq 0\}$. Given $\mathcal{L}$, the Shortest Vector Problem (SVP) asks to find a nonzero vector $v \in \mathcal{L}$ such that $\|v\| = \lambda$. SVP is NP-hard in lattices. Its hardness is unknown in ideal lattices [MR09].

Basis Reduction

Given $B$, the Gram-Schmidt orthogonalization $B^*$ of $B$ is defined by
$$b_i^* = b_i - \sum_{j=1}^{i-1} \mu_{i,j}\, b_j^*, \qquad \mu_{i,j} = \frac{\langle b_i, b_j^* \rangle}{\langle b_j^*, b_j^* \rangle}.$$
$B$ is said to be $\delta$-LLL reduced, for $\tfrac14 < \delta \le 1$, if $|\mu_{i,j}| \le \tfrac12$ for all $i > j$ and $\delta\, \|b_i^*\|^2 \le \|\mu_{i+1,i}\, b_i^* + b_{i+1}^*\|^2$ for all $i$.

Theorem 2. For any $\tfrac14 < \delta \le 1$, if $B$ is a $\delta$-LLL reduced basis then $\|b_1\| \le \alpha^{(n-1)/2} \lambda$, where $\alpha := \frac{1}{\delta - 1/4} \ge \frac43$ [Mic14a].

The LLL Algorithm

The LLL algorithm $\delta$-LLL reduces any lattice basis in time polynomial in the lattice's dimension and the bit-size of $B$ [LLL82, Reg04].

Cyclic Lattices

Let $x = (x_1, \ldots, x_n)$ be in $\mathbb{R}^n$; the rotational shift operator acting on $x$ is defined as $\mathrm{rot}(x) := (x_n, x_1, \ldots, x_{n-1}) \in \mathbb{R}^n$. A lattice $\mathcal{L}$ is cyclic if and only if for all $x \in \mathcal{L}$, $\mathrm{rot}(x) \in \mathcal{L}$.

For $n \in \mathbb{Z}^+$, the map $\gamma : \mathbb{Z}[x]/(x^n - 1) \to \mathbb{Z}^n$ given by
$$\gamma\!\left(\sum_{i=0}^{n-1} a_i x^i\right) = (a_0, \ldots, a_{n-1}), \qquad a_j \in \mathbb{Z},$$
is a ring isomorphism [PR05]. That is, $\mathbb{Z}[x]/(x^n - 1) \cong \mathbb{Z}^n$.

Theorem 3. A subring $I$ of $\mathbb{Z}[x]/(x^n - 1)$ is an ideal if and only if $\gamma(I)$ is a cyclic sublattice of $\mathbb{Z}^n$ [Mic07].

Example: Consider $R = \mathbb{Z}[x]/(x^2 - 1) \cong \mathbb{Z}^2$. Let $I_1 := (x - 1)$ and $I_2 := (2x - 3)$ be ideals of $R$. $\gamma(I_1)$ is a 1-dimensional sublattice of $\mathbb{Z}^2$ with basis $\{(1, -1)\}$. A shortest vector is $(1, -1)$. $\gamma(I_2)$ is a 2-dimensional sublattice of $\mathbb{Z}^2$ with basis $\{(2, -3), (-3, 2)\}$.
A shortest vector is $(-1, -1)$. A 1-LLL reduced basis of $\gamma(I_2)$ is $\{(-1, -1), (2, -3)\}$.

Figure 3: The cyclic sublattice $\gamma(I_1)$ of $\mathbb{Z}^2$.

Figure 4: The cyclic sublattice $\gamma(I_2)$ of $\mathbb{Z}^2$.

Results

Theorem 4. Let $I$ be the principal ideal of $\mathbb{Z}[x]/(x^n - 1)$ generated by $p(x)$, for $p(x) \in \mathbb{Z}[x]$, and let
$$f(x) := \frac{x^n - 1}{\gcd(p(x),\, x^n - 1)}.$$
Then the set $\{\mathbf{p}, \mathrm{rot}(\mathbf{p}), \ldots, \mathrm{rot}^{\deg(f) - 1}(\mathbf{p})\}$, where $\mathbf{p} = \gamma(p(x)) \in \mathbb{Z}^n$, is a basis of the cyclic sublattice $\gamma(I)$ of $\mathbb{Z}^n$. It follows that the dimension of $\gamma(I)$ is $\deg(f)$. In particular, if $p(x)$ is relatively prime to $x^n - 1$ then $\gamma(I)$ is a full-rank sublattice of $\mathbb{Z}^n$.

Conjecture 5. Let $I$ be a principal ideal of $\mathbb{Z}[x]/(x^n - 1)$ and consider the cyclic sublattice $\gamma(I)$ of $\mathbb{Z}^n$ constructed via the isomorphism $\gamma : \mathbb{Z}[x]/(x^n - 1) \to \mathbb{Z}^n$. Let $B_{1\text{-LLL}}$ be a 1-LLL reduced basis for $\gamma(I)$. Then the vector $v \in B_{1\text{-LLL}}$ with $\|v\| = \min\{\|b\| : b \in B_{1\text{-LLL}}\}$ is a shortest vector in the lattice $\gamma(I)$.

Conclusion

Under the assumption that Conjecture 5 is true, SVP becomes easy in this specific family of cyclic lattices. That is, we can use the well-known LLL algorithm to solve SVP for the cyclic lattice $\gamma(I)$ where $I$ is a principal ideal of $\mathbb{Z}[x]/(x^n - 1)$.

Acknowledgments

I wish to express my deepest gratitude and appreciation to my thesis advisor Dr. A. Kirsten Eisenträger. Thank you for giving me the opportunity to challenge myself.

References

[LLL82] A. K. Lenstra, H. W. Lenstra, and L. Lovász. Factoring polynomials with rational coefficients. Mathematische Annalen, 261:515–534, 1982.
[Mic07] D. Micciancio. Generalized compact knapsacks, cyclic lattices, and efficient one-way functions. 2007.
[Mic14a] D. Micciancio. Basis reduction, 2014.
[Mic14b] D. Micciancio. Point lattices, 2014.
[Mos15] M. Mosca. Cybersecurity in an era with quantum computers: will we be ready? Cryptology ePrint Archive, Report 2015/1075, 2015.
[MR09] D. Micciancio and O. Regev. Lattice-based cryptography. In Daniel J. Bernstein, Johannes A. Buchmann, and Erik Dahmen, editors, Post-Quantum Cryptography, pages 147–187. Springer, Berlin Heidelberg, 2009.
[NSA15] Commercial national security algorithm suite. U.S. National Security Agency, 2015.
[PR05] C. Peikert and A. Rosen. Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. 2005.
[Reg04] O. Regev. Lattices in Computer Science. Lecture notes, Computer Science, Tel Aviv University, 2004.
[Sho95] P. W. Shor. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. 1995.
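Worked example (added here; not code from the poster or its author): a self-contained Python script that implements $\gamma$ and $\mathrm{rot}$ from the Cyclic Lattices section, builds the Theorem 4 basis $\{\mathbf{p}, \mathrm{rot}(\mathbf{p}), \ldots, \mathrm{rot}^{\deg(f)-1}(\mathbf{p})\}$ from a polynomial gcd over $\mathbb{Q}$, runs Gram-Schmidt and $\delta$-LLL with $\delta = 1$ as defined in the Basis Reduction section in exact rational arithmetic, and then tests Conjecture 5 by comparing the shortest vector of the 1-LLL reduced basis with a brute-force enumeration of small coefficient vectors. The inputs are the poster's own $I_1 = (x - 1)$ and $I_2 = (2x - 3)$ in $\mathbb{Z}[x]/(x^2 - 1)$; note that $\gamma(x - 1) = (-1, 1)$, the negative of the $(1, -1)$ quoted above, and that LLL started from the Theorem 4 ordering $(-3, 2), (2, -3)$ returns $\{(-1, -1), (-3, 2)\}$, while started from the poster's ordering $(2, -3), (-3, 2)$ it returns the poster's $\{(-1, -1), (2, -3)\}$. All function names, the enumeration bound and the extra 3-dimensional case $(x + 1)$ in $\mathbb{Z}[x]/(x^3 - 1)$ mentioned below are my own choices; the enumeration is only a sanity check for tiny dimensions and is not part of the poster's method.

```python
from fractions import Fraction
from itertools import product

# Polynomials over Q as coefficient lists, lowest degree first.
def _trim(p):
    p = list(p)
    while p and p[-1] == 0:
        p.pop()
    return p

def poly_deg(p):
    return len(_trim(p)) - 1  # zero polynomial gets degree -1

def poly_divmod(a, b):
    """Long division a = q*b + r over Q; b must be nonzero."""
    a = [Fraction(c) for c in _trim(a)]
    b = [Fraction(c) for c in _trim(b)]
    q = [Fraction(0)] * max(len(a) - len(b) + 1, 1)
    while a and len(a) >= len(b):
        shift, coef = len(a) - len(b), a[-1] / b[-1]
        q[shift] = coef
        for i, bc in enumerate(b):
            a[shift + i] -= coef * bc
        a = _trim(a)
    return _trim(q), a

def poly_gcd(a, b):
    """Euclidean algorithm; only the degree of the result matters below."""
    a, b = _trim(a), _trim(b)
    while b:
        a, b = b, poly_divmod(a, b)[1]
    return a

# gamma and rot from the Cyclic Lattices section.
def gamma(poly, n):
    """gamma(sum a_i x^i) = (a_0, ..., a_{n-1}); exponents are reduced mod n first."""
    v = [0] * n
    for i, c in enumerate(poly):
        v[i % n] += c
    return tuple(v)

def rot(v):
    return (v[-1],) + tuple(v[:-1])

def ideal_basis(p_poly, n):
    """Theorem 4: p, rot(p), ..., rot^{deg f - 1}(p) with f = (x^n - 1)/gcd(p, x^n - 1)."""
    xn_minus_1 = [-1] + [0] * (n - 1) + [1]
    f, r = poly_divmod(xn_minus_1, poly_gcd(xn_minus_1, p_poly))
    assert not r
    basis, p = [], gamma(p_poly, n)
    for _ in range(poly_deg(f)):
        basis.append(p)
        p = rot(p)
    return basis

# Gram-Schmidt and delta-LLL as defined in the Basis Reduction section, in exact
# rational arithmetic so that the delta = 1 Lovasz test is decided exactly.
def dot(u, v):
    return sum(Fraction(a) * b for a, b in zip(u, v))

def gram_schmidt(B):
    Bs, mu = [], [[Fraction(0)] * len(B) for _ in B]
    for i, b in enumerate(B):
        v = [Fraction(c) for c in b]
        for j in range(i):
            mu[i][j] = dot(b, Bs[j]) / dot(Bs[j], Bs[j])
            v = [vc - mu[i][j] * bc for vc, bc in zip(v, Bs[j])]
        Bs.append(v)
    return Bs, mu

def lll(B, delta=Fraction(1)):
    """delta-LLL reduce a list of linearly independent integer vectors."""
    B, k = [list(b) for b in B], 1
    while k < len(B):
        Bs, mu = gram_schmidt(B)
        for j in range(k - 1, -1, -1):  # size reduction: |mu_{k,j}| <= 1/2
            if abs(mu[k][j]) > Fraction(1, 2):
                q = round(mu[k][j])
                B[k] = [a - q * c for a, c in zip(B[k], B[j])]
                Bs, mu = gram_schmidt(B)
        lovasz_rhs = dot(Bs[k], Bs[k]) + mu[k][k - 1] ** 2 * dot(Bs[k - 1], Bs[k - 1])
        if delta * dot(Bs[k - 1], Bs[k - 1]) <= lovasz_rhs:
            k += 1
        else:  # Lovasz condition fails: swap and step back
            B[k], B[k - 1] = B[k - 1], B[k]
            k = max(k - 1, 1)
    return [tuple(b) for b in B]

def shortest_by_enumeration(B, bound=4):
    """Brute-force minimum distance over small coefficient vectors (tiny dimensions only)."""
    best = None
    for coeffs in product(range(-bound, bound + 1), repeat=len(B)):
        if any(coeffs):
            v = tuple(sum(c * b[i] for c, b in zip(coeffs, B)) for i in range(len(B[0])))
            nrm = sum(x * x for x in v)
            if best is None or nrm < best[0]:
                best = (nrm, v)
    return best

def poster_example():
    """Constructed inputs: the poster's I_1 = (x - 1) and I_2 = (2x - 3) in Z[x]/(x^2 - 1)."""
    out = {}
    for name, p in (("I_1", [-1, 1]), ("I_2", [-3, 2])):
        B = ideal_basis(p, 2)
        R = lll(B)
        v = min(R, key=lambda b: dot(b, b))  # Conjecture 5's candidate shortest vector
        out[name] = (B, R, v, dot(v, v), shortest_by_enumeration(B)[0])
    return out

if __name__ == "__main__":
    print(poster_example())
```

Calling `poster_example()` returns, per ideal, the Theorem 4 basis, the 1-LLL reduced basis, the shortest reduced vector, its squared norm and the brute-force minimum squared norm; for both ideals the two norms agree (both are 2), consistent with Conjecture 5 on these inputs. Exact `Fraction` arithmetic matters here: with $\delta = 1$ the Lovász test can hold with equality, which is what happens at every step for the constructed 3-dimensional case `ideal_basis([1, 1], 3)`, and floating point could decide such a tie either way.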
