And the one thing keeping you from lunch is going to be "Recovering Short Generators of Principal Ideals in Cyclotomic Rings". It's by Ronald Cramer, Léo Ducas, Chris Peikert and Oded Regev, and Léo is going to give the talk.

All right. Thank you, Nigel, for the introduction. From the title you might not directly know what this talk is about, so here is the topic: principal ideals in cryptography. Those are related to the schemes that are connected with special lattices. More precisely, we will work in a number field and its ring of integers. Typically we consider the cyclotomic ones, because they have very nice geometric and computational properties. Typically we do Ring-LWE or more involved problems on those rings, but for efficiency or for functionality some cryptosystems went a bit further and started basing schemes not on those Ring-LWE problems or NTRU problems, but directly on principal ideals in those rings. This is the case of the Soliloquy scheme that was developed internally by GCHQ, of some fully homomorphic encryption (that was one of the first attempts at improving upon the Gentry scheme), and also more recently of those graded encoding schemes that are used to build indistinguishability obfuscation or multilinear maps.

They all share this key generation procedure: somehow, as your secret key, you're going to choose a short element g in this ring, and as your public key you're going to describe the ideal it generates, but you're going to describe it as a general lattice: you're just going to give a bad Z-basis of it. So we know it has some structure, but we don't necessarily know a generator of it, meaning a generator for the ring. For example, you can take the Hermite normal form of any Z-basis of that lattice and give this as your public key. So the question is of course the following: given just this bad basis, can you actually recover this short generator? And you split this into two problems. The first one is called the principal ideal problem: you're given this Z-basis and you have the promise that it is a basis of a principal ideal, and you need to recover some generator h of this ideal, but not necessarily the one that is actually usable as a secret key. The second part of an attack on this would be: now we have one element h that generates exactly this ideal I, and you need to recover the good one, the one that is usable as a secret key, or something that is also as short as this original g.

So what should be the cost of those two steps according to the current state of the art? Well, there has been quite some study recently on the question of this first problem, the principal ideal problem, and actually we have a subexponential-time classical algorithm for this task. This task looks very similar to the factorization problem, but you have to solve the factorization problem in a number field instead of doing it over the integers, so that's why you end up with a bigger subexponential exponent, 2/3 instead of 1/3. Maybe it can even go further. And also very recently it was shown that you can actually solve this using quantum polynomial-time algorithms, and that's a bit scary, but again it's not extremely surprising, because they're related to factorization, and factorization we know how to do quantumly. So it was recently shown that we can basically generalize all those techniques to many dimensions.

What I'm more interested in in this talk is the second step; that's not quantum. And it is quite well known in algebraic number theory that you can view this problem somehow as a closest vector problem in the lattice that's called the log-unit lattice of the ring. But that's the very general case of finding a short generator. For the instances that I explained how to generate for crypto purposes, this closest vector problem, CVP, becomes a BDD problem, bounded distance decoding.
So that's how it was explained before: it's a lattice problem with the promise that the solution is actually quite close to a lattice vector, and that makes the problem slightly easier in general, but still typically hard. In a recent draft from GCHQ they claimed that actually this should be easy when we take the m-th cyclotomic ring for m a power of two. There was little explanation, but it was very quickly confirmed by experiments, and the experiments are not very hard to mount. It was a bit surprising, and so that's what we try to clarify in this work. We focus on the second step and we try to explain why, and we actually give a proof that it can indeed be solved in classical polynomial time for those specific instances, when the ring R is the ring of integers of a cyclotomic number field, and not only for powers of two: we can actually prove it for powers of any prime, under reasonable conjectures.

Okay, an overview with a bit more detail on the problem, on what we have to do. Remember the problem, short generator recovery: we're given one generator h of an ideal and we need to find a short one, a small g that generates the same ideal. Two elements in a ring generate the same ideal exactly if they differ multiplicatively by a unit of the ring. So for example in Z that would be 1 and -1, but in more general rings you have plenty of units, infinitely many units. So the space you need to explore to find this short generator is somehow the group of units, and that's a multiplicative group, and we are asking a geometric question. So we're working in a group that's abelian and we're asking a geometric question. It's a bit annoying that it's multiplicative, so we're going to take the logarithm to make it an additive problem, because an additive group with a geometry on it is called a lattice, and then we can use lattice algorithms. So we take logarithms.

How do we do that in general for a number field? Well, this kind of stuff was done a long time ago by Dirichlet. You basically take the logarithm of the absolute value of each of the complex embeddings. I'm not going to annoy you too long with this; basically there's a notion of logarithm to make it an additive problem, and there is a quite old theorem, the Dirichlet unit theorem, that tells you that if you take the logarithm of all the elements of this unit group R*, what you get, Λ, is an additive group, but not only an additive group: it's actually going to be a lattice in ℝ^n, and we even know its rank. This is how we reduce our problem to a closest vector problem, but in a fixed lattice Λ: here the lattice Λ does not depend on the problem, it only depends on the ring you've chosen to build your scheme on. So the element g is going to be a generator of the ideal of h if and only if they differ multiplicatively by a unit, and if you take the logarithm of this it means that the logarithm of g is in the coset of Λ shifted by log h. And it's not only an algebraic mapping, this logarithm mapping; it actually preserves some geometric information, and we can say in some way that g is going to be the smallest of all the generators of that ideal if and only if log g is actually the smallest element in this coset, in other terms if log g is the closest element to log h in Λ.

This was a bit algebraic, so let's do some pictures to get a bit familiar with those notions. Here is my ring represented in its real embeddings; it only has real embeddings. I'm taking a very simple ring of dimension two, Z adjoined with the square root of 2, and here are all my elements. When I add two elements I just add everything coefficient-wise, so you're familiar with this.
This is a lattice, but it's also a ring, and here when I do these embeddings the multiplication also happens component-wise. So if I take two points, this point and this point, and multiply the x coordinates and the y coordinates, I will still get a point in that lattice. Now the geometry we're studying here is the multiplicative geometry, so that's what I'm trying to represent here, and in this geometry we have elements that I would call orthogonal. So what are the orthogonal elements? Well, those are elements such that when I multiply by them, what happens to my space is that it only gets scaled in every direction the same way, and potentially rotated. So for example if I multiply by 2, I just scale everything; -2, it's also the case; but if you also do this with √2, well, then you've got some rotation, but they are still orthogonal. And the units, the important ones: here, units are kind of the opposite concept to orthogonal elements. Units are elements that don't scale volumes, but they stretch things in one direction: if they scale things horizontally by some factor, they will shrink the rest by the same factor. So quite easily in two dimensions you see that these form a hyperbola. And then you have those iso-norm curves. Those are elements that potentially only differ multiplicatively by units, but that might not be perfectly the case, as we will see. So now what happens if we take the logarithm of this picture?

Well, we get this logarithm embedding on the right here. Those orthogonal elements will be sent here, and the units will be completely orthogonal to this. Originally, when we do multiplication in this ring we obtain a monoid, so when we take the log we still get a monoid: we can add stuff, but we cannot necessarily subtract, because we were not necessarily allowed to divide on this side. Now what's interesting is that if you intersect those points with the ones that are just units, then you're supposed to get a group; that's the definition of being a unit. On this picture it means that this subset of the blue points intersected with the red line, what you're going to get, is actually a lattice. Another interesting property that you can see from the monoid property is that if you intersect every iso-norm line with the blue dots, you get each time finitely many copies of your original log-unit lattice, this line here. So sometimes you don't have anything on the line, but you always get finitely many shifted copies of that original lattice. And what we want to do when we want to recover a short unit: we are only allowed to multiply by units, so somehow we won't get really closer to zero; we cannot make things short in that sense, but we can make them short by making them closer to orthogonal.

So things are short if somehow they don't distort space too much, and we want to bring our elements back as close as possible to this line. Translated through the logarithm, what we want to do is bring things back to this beam of light. So we have a fundamental domain when we quotient by the group of units, and it looks like this band in the logarithmic embedding and like a cone in this space. If we can bring things back to this fundamental domain, then we've brought them back closer to being small or orthogonal, and that's good. But we need to be careful about which fundamental domain we choose, because if we choose another fundamental domain like this one, then we get things that are much further away. And of course we need to be able to do this algorithmically, so we need a fundamental domain for which there is an efficient reduction algorithm, and for this we can actually go for the simplest algorithm there is in lattice theory to reduce to a fundamental domain: we will use the simple rounding algorithm. Let's not go over the details too much, but what's important is that when you want to use it as a decoding algorithm you can characterize its correctness depending on the dual basis. If you have some lattice point that has some error and you want to recover the lattice point, the property that you need is that the error has a small scalar product with every dual vector, and this characterization is going to allow us to get our proof to go through.

All right, so that's the general strategy to tackle this problem; that's kind of a folklore strategy for algebraic number theorists. The first step is to first construct a basis B of this log-unit lattice, and even just getting a basis of it is not an easy problem.
It's not easy to know exactly what this lattice is, but for those particular rings, especially the rings of integers of cyclotomic number fields, we actually know a lot of units, and we conjecture that in most cases they actually form a basis, that we catch all elements with those. And we have a very simple explicit formula for those units, given here. The second step is to prove that this basis is actually of sufficient quality to solve this problem, and the third step is to prove that what you want to correct, the error, this log g, is going to be small enough. Those two steps are the technical contribution of our paper. The first is an estimation of the norm of those dual vectors, and amusingly it relates to analytic number theory; I will very briefly give an overview of this. We also solve this third point: we study the distribution of log g when g is Gaussian, and this is done using subexponential random variable theory. I'm not going to cover this during this talk.

All right, so what are the technical results? The first, as I told you: we use analytic number theory to characterize the quality of these bases, and this is based on this kind of theorem. This one is from Landau, but we're using other ones: if χ is a non-quadratic Dirichlet character, we have this bound. So what do these things relate to? Well, those are objects that were introduced by Dirichlet and Riemann for the program of studying prime numbers. The interesting part of this result is that this problem actually relates to questions from analytic number theory. Using this kind of result and a bit more effort, what we can prove is a bound, an upper bound, on the length of those dual vectors. So we solve a geometric question using analytic number theory. And how should you interpret this result?

Well, this log-unit lattice, so Log(R*), actually admits a known and efficiently computable basis that is almost orthogonal, and because it's almost orthogonal, BDD is going to be an easy problem. When we apply this to cryptanalysis, the corollary of this theorem is that, well, we formalize what was claimed before: if g follows a reasonable distribution like the Gaussian one, then when we're given any generator h of the ideal of g we can actually recover g in polynomial time with a given probability. If we combine this with the poly-time quantum attack for the first step, the PIP step, we can break several cryptographic proposals; or we can also apply the subexponential algorithm, meaning that even classically we'd have to increase the parameters to be secure.

What else do we do in this paper? Well, we slightly study worst cases, because so far I've been speaking about those instances that come from cryptographic instances, but now that we have some information about the basis of this lattice, can we say something about the worst case? What we show is that in the worst case, for any generator h of a principal ideal, given this h you can actually find another generator whose length can be bounded by the algebraic norm rescaled by the dimension, multiplied by a subexponential factor. Here this factor is basically taking account of how big your ideal is, and here you have the approximation factor, and for such an approximation factor, if you use classical algorithms like LLL and BKZ, you were supposed to require superpolynomial time, even just for cyclotomics. Actually this result is nearly optimal, in the sense that there exist some ideals where the shortest generator cannot be any smaller: it must be at least as large as this. Why am I using m and n here? Yeah, n is about m; n is equal to φ(m).
So basically this result is nearly optimal, and this has some consequences for the open questions. My first open question would be: are there other classes of rings for which we can carry on this kind of study of the log-unit lattice? What happens is that for the cyclotomics there are plenty (I say several, but there are actually plenty) of happy events that allow the analysis to go through. So for other rings it might be harder to study, but the question is: does it mean that those problems are harder intrinsically, or are they just harder to study? So by switching to another ring, are we actually just improving security by ignorance, or actually improving security concretely, sorry, intrinsically?

The second question is of course: can we generalize this result to non-principal ideals? So far we've been dealing with principal ideals, and all those Ring-LWE problems are more connected to general ideals, or non-principal ideals, in the worst case. So can you say anything about non-principal ideals? My guess is that it might not be completely impossible, but you need to start using some fancy number theory; you have to study, kind of, how to put some geometry on the class group to do that, and you have many theorems that are interesting in that regard. But if you do so, we would still have kind of this limit that was given by the last slide: in the worst case you can only get this kind of approximation factor. So does it also have a bearing on the actual concrete security of Ring-LWE? Because this problem reduces to this one, but it's not because we break this one that we break this one, and this to me seems much harder than this step. Because suddenly you start introducing non-commutativity, and then you need very, very serious, yeah, non-commutative geometry in there, and in this case we don't know how to go to many dimensions.

We know how to do things in a very small number of dimensions, but even if it could be carried through without any additional technique, if it was still based on the same type of techniques, we would still be limited to this approximation factor, which is inherent to any approach using the log-unit lattice. Thank you for your attention, and I'd be happy to answer any questions.

Are there any questions? No? I've got a question. So this works for cyclotomics, which was easy because we know the cyclotomic units. Yeah, so we've got very good control of the regulator. So would you be able to, say, generalize your result to rings for which we know something nice about the regulator?

So if you know something about the regulator, you might be able to prove non-uniform results, like: there exists a basis that would make this problem easy. Yeah, then with a non-uniform attack you might be able to say some stuff. I cannot promise; it will all depend on how big your regulator is.

And then for the non-principal ideals, so what would you do? Would you just say that you have a two-element representation of a non-principal ideal which is itself small? So what does that mean geometrically?

So what I would try to do, what I'm trying to do, is to try to find an ideal that's a multiple: you're trying to find a principal ideal which is a multiple of your current ideal. So you're trying to walk in the class group using small elements to walk back to the trivial class, and you're trying to find a short path in there, once the ideal you started with is non-principal.

Yeah, that's the point. You start from the non-principal one and you walk by multiplying by small ideals; you try to walk your way back to the principal, to the trivial class. But then that's like [inaudible] walking through the class group. Yes, that's very related; I've been trying to place this, but the theorems are not powerful enough for what I want. Okay, okay. Cool. Are there any other questions? No? Okay. Let's thank the speaker again. In fact, let's thank both speakers again. It's now time for lunch. Make sure you return in the afternoon at the correct time.