On the quantum attacks against schemes relying on the hardness of finding a short generator of an ideal in ℚ(𝜁2𝑠 )

IF 0.8 Q4 COMPUTER SCIENCE, THEORY & METHODS

Journal of Mathematical Cryptology Pub Date : 2019-10-01 DOI:10.1515/jmc-2015-0046

Jean-François Biasse, F. Song

{"title":"On the quantum attacks against schemes relying on the hardness of finding a short generator of an ideal in ℚ(𝜁2𝑠 )","authors":"Jean-François Biasse, F. Song","doi":"10.1515/jmc-2015-0046","DOIUrl":null,"url":null,"abstract":"Abstract A family of ring-based cryptosystems, including the multilinear maps of Garg, Gentry and Halevi [Candidate multilinear maps from ideal lattices, Advances in Cryptology—EUROCRYPT 2013, Lecture Notes in Comput. Sci. 7881, Springer, Heidelberg 2013, 1–17] and the fully homomorphic encryption scheme of Smart and Vercauteren [Fully homomorphic encryption with relatively small key and ciphertext sizes, Public Key Cryptography—PKC 2010, Lecture Notes in Comput. Sci. 6056, Springer, Berlin 2010, 420–443], are based on the hardness of finding a short generator of a principal ideal (short-PIP) in a number field typically in ℚ ⁢ ( ζ 2 s ) {\\mathbb{Q}(\\zeta_{2^{s}})} . In this paper, we present a polynomial-time quantum algorithm for recovering a generator of a principal ideal in ℚ ⁢ ( ζ 2 s ) {\\mathbb{Q}(\\zeta_{2^{s}})} , and we recall how this can be used to attack the schemes relying on the short-PIP in ℚ ⁢ ( ζ 2 s ) {\\mathbb{Q}(\\zeta_{2^{s}})} by using the work of Cramer et al. [R. Cramer, L. Ducas, C. Peikert and O. Regev, Recovering short generators of principal ideals in cyclotomic rings, IACR Cryptology ePrint Archive 2015, https://eprint.iacr.org/2015/313], which is derived from observations of Campbell, Groves and Shepherd [SOLILOQUY, a cautionary tale]. We put this attack into perspective by reviewing earlier attempts at providing an efficient quantum algorithm for solving the PIP in ℚ ⁢ ( ζ 2 s ) {\\mathbb{Q}(\\zeta_{2^{s}})} . The assumption that short-PIP is hard was challenged by Campbell, Groves and Shepherd. They proposed an approach for solving short-PIP that proceeds in two steps: first they sketched a quantum algorithm for finding an arbitrary generator (not necessarily short) of the input principal ideal. Then they suggested that it is feasible to compute a short generator efficiently from the generator in step 1. Cramer et al. validated step 2 of the approach by giving a detailed analysis. In this paper, we focus on step 1, and we show that step 1 can run in quantum polynomial time if we use an algorithm for the continuous hidden subgroup problem (HSP) due to Eisenträger et al. [K. Eisenträger, S. Hallgren, A. Kitaev and F. Song, A quantum algorithm for computing the unit group of an arbitrary degree number field, Proceedings of the 2014 ACM Symposium on Theory of Computing—STOC’14, ACM, New York 2014, 293–302].","PeriodicalId":43866,"journal":{"name":"Journal of Mathematical Cryptology","volume":"13 1","pages":"151 - 168"},"PeriodicalIF":0.8000,"publicationDate":"2019-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://sci-hub-pdf.com/10.1515/jmc-2015-0046","citationCount":"6","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Mathematical Cryptology","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1515/jmc-2015-0046","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q4","JCRName":"COMPUTER SCIENCE, THEORY & METHODS","Score":null,"Total":0}

引用次数: 6

Abstract

Abstract A family of ring-based cryptosystems, including the multilinear maps of Garg, Gentry and Halevi [Candidate multilinear maps from ideal lattices, Advances in Cryptology—EUROCRYPT 2013, Lecture Notes in Comput. Sci. 7881, Springer, Heidelberg 2013, 1–17] and the fully homomorphic encryption scheme of Smart and Vercauteren [Fully homomorphic encryption with relatively small key and ciphertext sizes, Public Key Cryptography—PKC 2010, Lecture Notes in Comput. Sci. 6056, Springer, Berlin 2010, 420–443], are based on the hardness of finding a short generator of a principal ideal (short-PIP) in a number field typically in ℚ ⁢ ( ζ 2 s ) {\mathbb{Q}(\zeta_{2^{s}})} . In this paper, we present a polynomial-time quantum algorithm for recovering a generator of a principal ideal in ℚ ⁢ ( ζ 2 s ) {\mathbb{Q}(\zeta_{2^{s}})} , and we recall how this can be used to attack the schemes relying on the short-PIP in ℚ ⁢ ( ζ 2 s ) {\mathbb{Q}(\zeta_{2^{s}})} by using the work of Cramer et al. [R. Cramer, L. Ducas, C. Peikert and O. Regev, Recovering short generators of principal ideals in cyclotomic rings, IACR Cryptology ePrint Archive 2015, https://eprint.iacr.org/2015/313], which is derived from observations of Campbell, Groves and Shepherd [SOLILOQUY, a cautionary tale]. We put this attack into perspective by reviewing earlier attempts at providing an efficient quantum algorithm for solving the PIP in ℚ ⁢ ( ζ 2 s ) {\mathbb{Q}(\zeta_{2^{s}})} . The assumption that short-PIP is hard was challenged by Campbell, Groves and Shepherd. They proposed an approach for solving short-PIP that proceeds in two steps: first they sketched a quantum algorithm for finding an arbitrary generator (not necessarily short) of the input principal ideal. Then they suggested that it is feasible to compute a short generator efficiently from the generator in step 1. Cramer et al. validated step 2 of the approach by giving a detailed analysis. In this paper, we focus on step 1, and we show that step 1 can run in quantum polynomial time if we use an algorithm for the continuous hidden subgroup problem (HSP) due to Eisenträger et al. [K. Eisenträger, S. Hallgren, A. Kitaev and F. Song, A quantum algorithm for computing the unit group of an arbitrary degree number field, Proceedings of the 2014 ACM Symposium on Theory of Computing—STOC’14, ACM, New York 2014, 293–302].

查看原文本刊更多论文

关于对依赖于在中找到理想的短生成器的硬度的方案的量子攻击ℚ(𝜁2.𝑠 )

摘要一类基于环的密码系统，Gentry和Halevi[来自理想格的候选多线性映射，密码学进展——EUROCRYPT 2013，Comput.Sci.7881讲义，Springer，Heidelberg 2013，1-17]以及Smart和Vercauteren的全同态加密方案[具有相对较小密钥和密文大小的全同态加密，公钥密码学——PKC 2010，Comput.Sci.6056讲义，Springer，Berlin 2010420–443]，基于在通常为ℚ ⁢ （ζ2s）｛\mathbb｛Q｝（ζa_｛2^｛s｝）｝。在本文中，我们提出了一个多项式时间量子算法，用于恢复主理想的生成器ℚ ⁢ （ζ2s）｛\mathbb｛Q｝（\zeta_{2^｛s｝｝）｝，我们记得这可以用来攻击依赖于ℚ ⁢ （ζ2s）｛\mathbb｛Q｝（\zeta_{2^｛s｝）｝通过使用Cramer等人的工作。[R.Cramer，L.Ducas，C.Peikert和O.Regev，在分圆环中恢复主理想的短生成器，IACR密码学ePrint档案2015，https://eprint.iacr.org/2015/313]，源自坎贝尔、格罗夫斯和谢泼德的观察[SOLILOQUY，一个警示故事]。我们通过回顾早期为解决PIP提供有效量子算法的尝试，正确看待了这种攻击ℚ ⁢ （ζ2s）｛\mathbb｛Q｝（ζa_｛2^｛s｝）｝。坎贝尔、格罗夫斯和谢泼德对短PIP很难的假设提出了质疑。他们提出了一种求解短PIP的方法，分两步进行：首先，他们绘制了一个量子算法，用于寻找输入主理想的任意生成器（不一定是短生成器）。然后他们提出，从步骤1中的发电机有效地计算短发电机是可行的。Cramer等人通过详细分析验证了该方法的第2步。在本文中，我们重点讨论了步骤1，我们证明了如果我们使用Eisenträger等人[K.Eisentrèger，S.Hallgren，A.Kitaev和F。Song，计算任意度数域的单位群的量子算法，2014年美国计算机学会计算理论研讨会论文集——STOC’14，美国计算机学会，纽约，2014，293–302]。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊