Welcome to Eurocrypt 2021. In this talk I will present the paper on the ideal shortest vector problem over random rational primes. This is joint work with Dr. Pan, Dr. Xu, and Dr. Wadleigh. This research is closely related to lattice-based cryptography. Lattice-based cryptography is very popular recently because it has several very nice properties: for example, it is quantum resistant, and it also allows fast operations. In lattice-based cryptography the operations are usually just addition and multiplication of small numbers, and no exponentiation. And we also have worst-case hardness. So this is very, very interesting. But it does have a problem: since low-dimensional lattice problems are usually easy, you need large dimensions, and that gives a key-size problem. That is why we want to use ideal lattices. Using ideal lattices can hopefully solve this key-size problem.

So what is a lattice? You are given linearly independent vectors in real space, and the lattice is basically the set of integral linear combinations of those linearly independent vectors. Those vectors form a basis for the lattice. You can see a simple picture. Here we have R^2, the Euclidean plane. We have two vectors, and their integral linear combinations give you all those points. So a lattice is a set of discrete points, periodic discrete points. And there could be other bases that generate the same lattice. But this new basis is considered better because the vectors are shorter, especially the red one. The red one is the shortest vector in the lattice. Finding it, the SVP, would be the most important computational problem in lattice theory. And then here we have this fundamental domain. The volume of this fundamental domain is the determinant of the lattice. So the determinant measures the size of the lattice.
For the shortest vector, we know a little bit about its length: it lies below some upper bound. For example, there is the Hermite bound: the length (the Euclidean length) is less than sqrt(n) times det(L)^(1/n). This is a uniform bound. Then there is the Gaussian heuristic, which basically says that on average you should have length sqrt(n / (2 e pi)) times det(L)^(1/n), but this bound is an asymptotic bound. And then there is the Minkowski bound, which says that there must be a vector of length less than sqrt(2n / (e pi)) times the nth root of the determinant.

Then SVP, approximate SVP and Hermite SVP are three closely related problems. To find a nonzero vector of length at most lambda_1, where lambda_1 is the length of the shortest vector, is the SVP problem. This problem is hard, so maybe in some cases you want an approximation algorithm; the approximation factor will be gamma. And Hermite SVP is the problem we are going to study in this paper: basically we try to find a vector of length less than gamma times the nth root of the determinant. As you can see, if gamma is greater than sqrt(n), then such a vector exists.

Ideal lattices basically come from number fields and number rings. A number field over the rational numbers is basically Q[x] modulo an irreducible polynomial of degree n. The ring of integers in this field is actually a free Z-module, and if you see a free Z-module, then you can see that there is a connection to lattices. Sometimes this ring of integers is particularly nice: this is called monogenic. It basically means that there exists an alpha such that the ring of integers is the set of integral linear combinations of the power basis 1, alpha, alpha^2, ... So you have a power basis which generates the ring of integers.
In many cases in cryptography we like this kind of ring because it is easy to do the computation. So here we have a number field and a number ring, and we want to make a lattice out of it. A number field of degree n has exactly n embeddings into the complex numbers; call them sigma_1, sigma_2, up to sigma_n. The canonical embedding basically sends this number field to C^n: we essentially just list all its complex embeddings, so a goes to (sigma_1(a), sigma_2(a), ..., sigma_n(a)). The image is just a subspace of C^n, and it is also isomorphic to R^n as an inner product space.

Example: if you have Q[x] modulo x^4 + 1, then 1 is sent to (1, 1, 1, 1) as complex numbers, or, if you really prefer real numbers, to (sqrt(2), 0, sqrt(2), 0). And 1 + x is sent to (1 + zeta_8, 1 + zeta_8^7, 1 + zeta_8^3, 1 + zeta_8^5). You can see that these are conjugates of each other; these are complex conjugates, where zeta_8 is just e^(2 pi i / 8). So if you insist on real numbers, then you just write the real part and the imaginary part, but you need to put a factor of sqrt(2) there to make sure that they are isomorphic as inner product spaces.

There is also a coefficient embedding: suppose the ring of integers is monogenic, then you just send an element to its coefficients. For example, again for Q[x] modulo x^4 + 1, we know the ring of integers is generated by 1, x, x^2, x^3. So 1 is sent to (1, 0, 0, 0), and 1 + 2x is sent to (1, 2, 0, 0). And that goes directly into the integers. If you design a cryptosystem, this is probably the embedding you are going to use.

So for ideal lattices, first we can have a principal ideal. It is basically generated by a single element like g(x), and it corresponds to this lattice.
Here you mod out by x^n + 1, hence the other vectors are basically anti-cyclic: you do a cyclic rotation, but you change the sign of the first element. A general ideal, as an O_K-module, can be generated by two elements: one is an integer, the other one is g(x). That means that in addition to this anti-cyclic matrix, you need a unit.

Those prime ideals are considered as points, because they are also maximal ideals. So you put those points together. Here Z, again, is just a straight line, and its points are basically the rational primes. And then there are primes lying over those rational primes. For example, here we have a rational prime p, and there are two points, but you can see that this is like a tangent: basically you have P_1^2 and P_2^2. In this case we call p a ramified prime. There are only finitely many primes which ramify, so we do not need to worry too much about those prime ideals. And then there are rational primes which split completely into four distinct prime ideals (four in this case, because the extension degree is four). Those, again, are the case that we think would be the most difficult. And here you have two prime ideals over p; those prime ideals each have degree 2, which is why I use a large dot to represent them. Those prime ideals are actually not difficult: the SVP problem for them is not difficult, well, not as difficult as for those small dots.

The reason is the decomposition field. We actually have a very interesting subfield. Let G be the Galois group of L over Q. The decomposition group D is basically the set of elements in the Galois group which fix this prime ideal set-wise, and K is the decomposition field.
It is essentially the subfield corresponding to that group. The group and the field have these two properties. If p is unramified, then D is isomorphic to the Galois group of O_L / P_1 over F_p, where O_L / P_1 is an extension of the finite field F_p. This Galois group is essentially generated by a single element, the Frobenius, so D is a cyclic group. And if the prime ideal is generated as an O_L-module by p and a polynomial of degree n/g, then the degree of K, the decomposition field of P_1, is actually just g. And, more interestingly, P_1 intersected with K actually gives you a sublattice, and that sublattice has determinant which is basically p. That is the reason that if D is non-trivial, the difficulty of SVP decreases if you can move to this smaller field.

This picture makes things even clearer. Here you have a prime ideal in which you want to find a shortest vector. Suppose there is a non-trivial decomposition group; then this field K would be a non-trivial subfield of L. Here C would be a lattice in this smaller field, so it has a smaller dimension: the dimension is just g, and the determinant is just p. So the shortest vector in C will again be very short in P. You can think of this as a subfield attack, just using the decomposition field. And the map between C^g and C^n is beta; it is very simple: just repeat the coordinates if you are using the canonical embedding.

So the main theorem, this is our main theorem: suppose L over Q is a finite Galois extension of degree n, and suppose P is a prime ideal lying over an unramified rational prime.
If K is the decomposition field, then a solution to Hermite SVP with factor gamma in the sublattice, under the canonical embedding, will also be a solution of Hermite SVP in P with a factor which is not very far from gamma, under the canonical embedding. So basically this tells you that to find an SVP, you can simply find the SVP in the smaller decomposition field, as long as the decomposition group is not trivial.

In the theorem you have this complicated factor, but for power-of-two cyclotomic fields, which have been quite popular in cryptography, the situation is actually simpler: depending on the prime, whether it is congruent to 1 or 3, you can calculate the number r, and the real dimension of the lattice would be just 2^r rather than 2^n, and in most cases n is much bigger than r. So that is going to make this prime ideal SVP much easier. Especially, if p is congruent to plus or minus 3 mod 8, then the real dimension is actually just 2, so you just need to solve SVP in dimension 2, and we know that for dimension 2 you can simply use Gauss reduction. This basically shows that for prime ideals lying over a rational prime which is congruent to plus or minus 3 mod 8, the prime ideal SVP is very easy.

And we have this kind of hierarchy: if the prime is plus or minus 3 mod 8, then the dimension is just 2; if it is plus or minus 7 mod 16, you just need to solve the SVP problem in dimension 4; and if it is plus or minus 15 mod 32, the real dimension is just 8. So it is not going to be capital N, which could potentially be very large, but just 8. This basically says that for half of the rational primes, the prime ideals lying over those rational primes will be extremely easy. And then, just to make it clear, you can see that there is a hierarchy of difficulty, and the difficulty actually changes quite a lot.
It is actually a doubling of the dimension every time you move down this hierarchy. So then, what is the average-case complexity of prime ideal SVP? Well, it is going to depend on how you select your prime ideal. If you first pick a random rational prime and then find your prime ideal lying over this rational prime, then your prime ideal SVP is easy: the average-case complexity is easy. Similarly, if you again choose your prime ideal according to the rational prime downstairs, then it is easy. But if you choose your prime ideal according to its determinant, or norm, then our work does not apply, so the average case is still an open problem.

Again, for composite ideals, ideals which are not prime, we also have a result; again it depends on the primes downstairs, the rational primes downstairs. Basically, the take-home message of this paper is that the primes downstairs actually determine the difficulty of the prime ideals upstairs.

An open problem which we find very interesting would be to determine the exact length of the shortest vector in prime ideals lying over rational primes which are not congruent to plus or minus 3 mod 8. For plus or minus 3 mod 8, we have determined the exact length of the shortest vector. And then again, of course,
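The power-of-two cyclotomic case described in the talk (a prime ideal over p congruent to plus or minus 3 mod 8 has a decomposition field of degree 2, so a short vector already lives in a 2-dimensional sublattice) can be made concrete. The following Python script is an added example written for this page; it is not code from the talk or from the paper. It assumes the standard facts that in L = Q(zeta_{2^k}) = Q[x]/(x^n + 1), n = 2^(k-1), the degree-2 decomposition field of a prime over p is Q(sqrt(-2)) with sqrt(-2) = zeta_8 + zeta_8^3 when p = 3 mod 8 and Q(i) with i = zeta_4 when p = 5 mod 8, and that the covolume of O_L under the canonical embedding is the square root of |disc(L)| = 2^((k-1) 2^(k-1)). Instead of running Gauss reduction it finds the degree-2 short vector by solving a^2 + 2 b^2 = p (or a^2 + b^2 = p) by brute force, lifts it to L, and checks with exact integer arithmetic that its field norm is p^(n/2), i.e. that it generates a single prime ideal over p (every prime over such a p has residue degree n/2, which the script also verifies). The Hermite factor it reaches under the canonical embedding comes out as exactly 1.

```python
"""Short vectors in prime ideals of Q(zeta_{2^k}) over p = +-3 (mod 8) via the
degree-2 decomposition field.  Added worked example, not the paper's code."""
import cmath
import math


def negacyclic_mul(a, b, n):
    """Multiply two elements of Z[x]/(x^n + 1) given as coefficient lists."""
    out = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            e = i + j
            if e < n:
                out[e] += ai * bj
            else:
                out[e - n] -= ai * bj          # x^n = -1
    return out


def galois_conjugate(v, j, n):
    """Apply the automorphism x -> x^j (j odd); uses x^n = -1, x^(2n) = 1."""
    out = [0] * n
    for i, c in enumerate(v):
        e = (i * j) % (2 * n)
        if e < n:
            out[e] += c
        else:
            out[e - n] -= c
    return out


def field_norm(v, n):
    """N_{L/Q}(v): exact product of all n Galois conjugates (j odd, 1 <= j < 2n)."""
    acc = [1] + [0] * (n - 1)
    for j in range(1, 2 * n, 2):
        acc = negacyclic_mul(acc, galois_conjugate(v, j, n), n)
    if any(acc[1:]):
        raise RuntimeError("norm must be a rational integer")
    return acc[0]


def canonical_length_sq(v, n):
    """Squared length of v under the canonical embedding: sum_j |v(zeta_{2n}^j)|^2."""
    total = 0.0
    for e in range(1, 2 * n, 2):
        z = cmath.exp(1j * math.pi * e / n)   # primitive 2n-th root of unity
        total += abs(sum(c * z ** i for i, c in enumerate(v))) ** 2
    return total


def mult_order(p, m):
    """Multiplicative order of p modulo m (residue degree of primes over p)."""
    x, r = p % m, 1
    while x != 1:
        x, r = (x * p) % m, r + 1
    return r


def represent(p, c):
    """Brute-force a^2 + c*b^2 = p (fine for small p); this replaces Gauss reduction."""
    b = 0
    while c * b * b <= p:
        a = math.isqrt(p - c * b * b)
        if a * a + c * b * b == p:
            return a, b
        b += 1
    raise ValueError(f"{p} is not of the form a^2 + {c} b^2")


def short_vector(k, p):
    """Short vector of a prime ideal of Q(zeta_{2^k}) over p = +-3 mod 8 (assumed facts in comments)."""
    if k < 3:
        raise ValueError("need conductor 2^k with k >= 3")
    n = 2 ** (k - 1)
    gen = [0] * n
    if p % 8 == 3:          # decomposition field Q(sqrt(-2)); sqrt(-2) = zeta_8 + zeta_8^3 (assumed fact)
        c = 2
        gen[n // 4] = gen[3 * n // 4] = 1
    elif p % 8 == 5:        # decomposition field Q(i); i = zeta_4 = x^(n/2) (assumed fact)
        c = 1
        gen[n // 2] = 1
    else:
        raise ValueError("p must be congruent to +-3 mod 8")
    a, b = represent(p, c)
    v = [a if i == 0 else 0 for i in range(n)]
    v = [vi + b * gi for vi, gi in zip(v, gen)]      # v = a + b * gen, an element of O_K
    f = mult_order(p, 2 ** k)                        # residue degree of every prime over p
    if f != n // 2:
        raise RuntimeError("expected residue degree n/2 for p = +-3 mod 8")
    norm = field_norm(v, n)
    if norm != p ** f:                               # norm p^f => (v) is a single prime over p
        raise RuntimeError("norm check failed")
    lsq = canonical_length_sq(v, n)
    if abs(lsq - n * p) > 1e-6:                      # every embedding has |sigma(v)|^2 = p
        raise RuntimeError("length check failed")
    # det(P) = N(P) * sqrt(|disc L|), |disc Q(zeta_{2^k})| = 2^((k-1) n) (assumed standard fact)
    det_root = p ** (f / n) * 2 ** ((k - 1) / 2)
    return {"n": n, "v": v, "f": f, "g": n // f, "norm": norm,
            "length_sq": n * p, "hermite_factor": math.sqrt(n * p) / det_root}


if __name__ == "__main__":
    for k, p in ((3, 11), (3, 5), (4, 19), (5, 29)):
        print(k, p, short_vector(k, p))
```

The returned vector has Hermite factor 1 under the canonical embedding, far below the sqrt(n) that the Hermite bound guarantees for an arbitrary lattice of this dimension; this is the point of the subfield reduction, the whole search happened in a rank-2 lattice whatever the degree n of L is.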