Okay, fine, so I'm gonna talk about lattices. Is that okay, the sound? Like this? So by now I'm sure you're all familiar with the fact that lattice problems provide a strong foundation for post-quantum cryptography. And I'm gonna talk more specifically about the problem of finding short vectors in lattices. So how hard is it to find short vectors in generic lattices? Well, it depends on how short you want it to be. In polynomial time, you can find an exponential approximation of the shortest vector using the LLL algorithm. And if you want a really good approximation, you can find a polynomial approximation of the shortest vector, when I say polynomial it's in n, which is the dimension of the lattice, in exponential time using the BKZ algorithm, and BKZ also provides a trade-off between these two points. So the problem with generic lattices is that they are cumbersome. So the typical key size associated to them will be quadratic in n. So what we do is we want to use lattices with more structure to have faster arithmetic and smaller keys. Do you still hear me? Yeah, good. So we're gonna work with what we call ideal lattices. So typically in a cyclotomic ring, which is the ring of this form, Z[ω_m], where ω_m is a primitive m-th root of unity. So the dimension here will be n = φ(m), where φ is Euler's totient function, which brings the key size down to big O of n. So what exactly is an ideal lattice in such a ring? Well, the Minkowski embedding of the cyclotomic field into the n-dimensional real vector space gives the cyclotomic ring, and the cyclotomic field, the structure of a Hermitian vector space. And lattices in that ring are actually also, sorry, ideals in that ring are also lattices in that vector space, and these are what we call ideal lattices. So ideal lattices are great. They allow faster arithmetic and smaller keys, but they also have more structure, which raises an important question.
Can we do better than LLL and BKZ for these lattices? So the answer is yes. At least for principal ideals, it has been highlighted by a lot of people. So first by Campbell and collaborators in 2014, relying on two main ingredients that were later proven rigorously. The first one is that if you have a principal ideal, meaning an ideal that is generated by a single element, you can recover a generator h in quantum polynomial time. And the second ingredient says that once you have a generator h, which is an arbitrary generator, not necessarily short, you can find another generator that is short. And this is solvable in classical polynomial time for these cyclotomic rings, at least when the conductor m is a power of a prime number. And by short, we mean with an approximation factor that is exponential in the square root of n. So it is not a very small approximation factor. This is not polynomial yet, but it is already much smaller than what can be done generically in classical polynomial time or quantum polynomial time. So some obstacles remain before we actually break Ideal-SVP and Ring-LWE. The first one is that what I've just presented is restricted to principal ideals, whereas we would like it to work for arbitrary ideals. The second restriction is of course that the approximation factor we find is a bit too large. We would like to really break the crypto, polynomial approximation. And the last limitation is that Ideal-SVP reduces to Ring-LWE, but the converse is not known to be true. So breaking Ideal-SVP will not be sufficient to really break Ring-LWE yet. So here I'm gonna talk about removing the first restriction. So taking what was doable previously in principal ideals and showing that we can actually do the same in the same time for arbitrary ideals. And we'll do this by solving the close principal multiple problem. So more precisely, our result is the following.
We can solve Ideal-SVP in quantum polynomial time for these rings of cyclotomic integers where m is the power of a prime number, for an approximation factor exponential in the square root of n. So this highlights the hardness gap between the generic version of SVP and Ideal-SVP. So in this graphic, in the generic case, the BKZ line would continue as a straight line to the bottom, and we break this line in the middle. We say in quantum polynomial time we can do much better than generically. So our approach is the following. We are given an ideal A and we want to find a short vector in A. So first, we find another ideal B, which is of small norm. So here small norm means exponential in big O of n to the three halves, such that the product AB is a principal ideal. This part is what we call the close principal multiple. AB is close to A because B is small, and the product is principal. Once we have done that, the second step consists in solving the principal Ideal-SVP problem for the product AB and outputting the generator, which will be of length the n-th root of the norm of AB times an approximation factor, which is exponential in the square root of n. Why does this work? Because the generator g that we find in the second step is in the product AB, and as long as B is an integral ideal, the product AB is a sublattice of A. So the element g that we find is actually in A. Now, is it good enough? Well, the approximation factor is given by the length of g divided by the n-th root of the norm of A, which is exponential in the square root of n, which is what we want. So the second step is already solvable by all these people that worked on the principal ideal version of the problem. And the first step is the focus of this talk. So let's fix the notation. I let K be the cyclotomic field of conductor m, and I take O, its ring of integers.
We are given an ideal A in this ring of integers, and we are looking for an ideal B that is of small norm such that the product AB is principal. So how hard can this be? The difficulty will be related to the size of the class group. So the class group is the group of fractional ideals. So if you have two ideals, you can multiply them to obtain another ideal. It's not a group quite yet because you don't have inverses. So we cheat a little bit and we consider fractional ideals. This forms a group. A subgroup of that is generated by principal ideals, which we denote P(O), and the quotient is the class group. It's a finite abelian group. Now, if you suppose that the class group is small, say of size polynomial in n, then the problem is pretty simple. You pick a random ideal B of small norm and you just pray that the product AB will be principal. And if the class group is small, then this will happen with good enough probability and you're done. The problem is that the class group is not that small. It is of size exponential in n log m. So we need a better solution. The first ingredient of a better solution is that we are able to solve in quantum polynomial time the discrete logarithm problem in class groups, thanks to a paper by Biasse and Song. So we fix a factor basis B, which is just a set of small ideals that generate the class group. And if we are given an ideal A, we can find in polynomial time a decomposition of A as a product of elements in this factor basis. So the class of A in the class group is a product of the classes of the elements in the factor basis to the power some integers. So we could just say, okay, let's solve this problem and write B as the product of these elements in the factor basis with exponents minus the integers we find by solving the discrete logarithm. And then the product AB is principal. It's easy arithmetic in the class group. It's easy to verify.
The problem is that the norm of B will be huge. B is a product of small ideals, but it's a product that contains a lot of factors, and actually the norm of B will be exponential in the L1 norm of our vector of exponents. And we want this L1 norm to be a big O of n to the power three halves to reach our target. Another problem is that B might not be integral. You might have negative exponents, and if B is not integral then the product AB will not be a subset of A, so you will not find a short generator that is also in the lattice A. So to solve these issues, we look at the structure we have in our cyclotomic field. So we let G be the multiplicative group of integers modulo m, which is isomorphic to the Galois group of our cyclotomic field. Now assume that we have a factor basis that is of the form of a Galois orbit of one ideal. So you have an ideal P. If you take an element of the Galois group, it sends this ideal somewhere else. So we consider that the orbit of this action is generating the class group. Now we are going to look at formal sums of the form a sum of some elements in the Galois group times an integer. By formal sum I mean just an element in the free abelian group generated by the elements in the Galois group. And these formal sums form a ring which we call the group ring and which we denote Z[G]. So now we can solve the discrete logarithm problem for A from the previous slide with respect to the factor basis B. And with this notion of formal sums we can actually write A as the ideal P to the power an element in the group ring. So here it's just a formal game of pushing the product into the exponent, and you obtain an exponent r that is an element in the group ring. So what's interesting about this group ring is that it's isomorphic to Z^n, so its elements can be seen as vectors and it comes with L1 norms, L2 norms, et cetera, which we will exploit. Our second ingredient will be the following.
So we suppose we have written A as a power of P where the exponent is in the group ring. Now suppose you have a lattice Λ in the group ring such that for any element s in Λ, the power P^s is principal. So just imagine you have a lattice like that. Now if an element s in Λ is close to r, r being the exponent that appears in the decomposition of A, then s − r is small and the ideal P to the power s − r will also be small, it will have small norm. So if we can do that, we can just choose B to be P to the power s − r, and the product AB is principal and B is small. So we have rephrased the close principal multiple problem as a close vector problem in the lattice Λ. So given any r in the group ring, can we find a close lattice point s in Λ? So the question now is, can we find such a lattice Λ with that property? And most importantly, can we solve the closest vector problem in that lattice Λ? Well, this is where Stickelberger comes in. The Stickelberger ideal is defined like this. So you define the Stickelberger element θ like this, by this formula, and then the Stickelberger ideal is the intersection of the group ring and θ times the group ring. So two observations: the Stickelberger ideal is an ideal in the group ring. It's also a sublattice of the group ring, because the group ring is isomorphic to Z^n. So now we have Stickelberger's theorem, which will give us exactly the property that we need. For any element s in the Stickelberger ideal and any ideal H in our ring of integers, the power H^s is principal. So the Stickelberger ideal annihilates the class group. So again assume that we have a factor basis of this form. Now we have these two things. The Stickelberger ideal is a lattice in the group ring, and for any element s in the Stickelberger ideal, P^s is principal. These are exactly the properties that we wanted for our lattice Λ. So we can just say, let's choose Λ = S.
And we have reduced the close principal multiple problem to a closest vector problem for the Stickelberger ideal. So here's a summary of the algorithm. First you find a factor basis of the correct form, the Galois orbit of one ideal P. Then you solve the discrete logarithm problem for the class of A with respect to the factor basis B. So you express A as a power of P with an exponent r in the group ring. And then you solve the closest vector problem, meaning you find a vector s in the Stickelberger ideal that is close to r. And then you choose B to be P to the power s − r, and you output the product AB. So now can we solve the closest vector problem for the Stickelberger ideal? The answer is yes. We actually know an explicit, computable and short basis for the Stickelberger ideal. I don't have time to give a description of that basis, but it's pretty explicit. But a few technicalities remain. The first of which is that the Stickelberger ideal is not full rank in the group ring. So you cannot really take any element in the group ring and directly find the closest vector in the Stickelberger ideal. You first need to expand your ideal. You form a larger lattice of relations that annihilate the class group. The second technicality, I already mentioned it, is that negative exponents might appear and they will give fractional ideals, which you don't want. So I'm not explaining in detail how we solve these technicalities, but they are resolved by working with the relative class group, Cl⁻(K), instead of the class group. Assuming these technicalities are resolved by working with the relative class group, the short basis for the Stickelberger ideal allows us to solve the close principal multiple problem with an approximation factor exponential in n to the power three halves, which is exactly what we needed to reach our target. So we have removed the first restriction.
So now the best attack, the best algorithm we knew for principal ideals also works for arbitrary ideals, but there is still more work to really break Ring-LWE or Ideal-SVP. Thank you. So we have time for questions. I might have missed it. The fact, you need this assumption that there's one ideal which generates, under the Galois group, the whole class group, what's the condition on that being true? So I have a slide about that. So we assume that one element, that's your question. We did this assumption, and actually it's pretty unlikely that one element is sufficient, but we can take a few and the algorithm generalizes and it works as well, as long as the number of ideals we need is polylogarithmic in n, and there is strong experimental evidence that it's true. It's very difficult to prove anything in that respect. The structure of the class group is kind of a mystery when it comes to exact statements, but experimentally it works. Another question. There is one there. Did you investigate the connection between the creation of short relations in the class group and the evaluation of isogenies, higher genus? Okay, so you would require abelian varieties whose endomorphism ring lives in a cyclotomic field. So that's pretty specific, and no, I didn't look at it. So that's because the Stickelberger technique is restricted to the cyclotomic field. So you have a notion that extends to abelian extensions. I think the relations you get are not that good, but it might be worth it if you're maybe close enough to something cyclotomic. Okay, another question. Maybe I have one, well it's more a philosophical question, but if one day you had an algorithm that had a polynomial approximation factor, would it directly break some of the cryptosystems? Well anyway not directly, because we would also need the computer that goes with it. Yeah, of course. With a quantum computer, of course. Well, to break which problem exactly, Ideal-SVP?
Well it doesn't break Ring-LWE, but are there other cryptosystems that would be attacked directly by it? I don't know. As far as I know the approximation factor we get does not allow us to find anything. If it was polynomial, probably. I don't have anything more precise than that.
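Editor's added worked example (not part of the talk or its Q&A, and not the speakers' code): the objects of the talk's second ingredient, computed for small conductors. It builds the group ring Z[G] for G = (Z/mZ)^*, the Stickelberger element θ = Σ_{a∈G} {a/m} σ_a^{-1}, the integral elements θ_c = (c − σ_c)θ that lie in the Stickelberger ideal S = Z[G] ∩ θZ[G], and the Z-rank of their span, which comes out as n/2 + 1 rather than n, the "not full rank" technicality the talk mentions. For prime conductor it also prints the differences θ_{b+1} − θ_b, whose coefficients are all 0 or 1. The talk does not describe its short basis, so treating these differences as the kind of short Stickelberger vectors it alludes to is this example's assumption, justified only by the closed form θ_c = Σ_g ⌊c·(g^{-1} mod m)/m⌋ σ_g, which the code checks. Other assumptions: elements of Q[G] are stored as dicts keyed by g ∈ G, vectors follow the order of units_mod(m), and Python 3.8+ is needed for pow(a, -1, m).

```python
"""Editor's added example (not code from the talk): the Stickelberger element and
ideal in the group ring Z[G], G = (Z/mZ)^*, for the cyclotomic field of conductor m.

Conventions (assumptions of this example): an element sum_g c_g sigma_g of Q[G] is a
dict {g: c_g} with g in [1, m) coprime to m; vectors list coefficients in the order
of units_mod(m). Needs Python 3.8+ for pow(a, -1, m)."""
from fractions import Fraction
from math import gcd


def units_mod(m):
    """The Galois group G = (Z/mZ)^* as sorted representatives in [1, m)."""
    return [a for a in range(1, m) if gcd(a, m) == 1]


def stickelberger_element(m):
    """theta = sum_{a in G} {a/m} sigma_a^{-1}, where {x} is the fractional part."""
    return {pow(a, -1, m): Fraction(a, m) for a in units_mod(m)}


def act(b, x, m):
    """sigma_b * x for x in Q[G]: the coefficient of sigma_g moves to sigma_{b g}."""
    return {(b * g) % m: c for g, c in x.items()}


def theta_c(c, m):
    """theta_c = (c - sigma_c) theta for c coprime to m. It is integral: its coefficient
    at sigma_g equals floor(c * (g^-1 mod m) / m), so theta_c lies in S = Z[G] ∩ theta Z[G]."""
    theta = stickelberger_element(m)
    shifted = act(c % m, theta, m)
    out = {g: c * theta[g] - shifted[g] for g in theta}
    assert all(v.denominator == 1 for v in out.values()), "theta_c must be integral"
    return {g: int(v) for g, v in out.items()}


def to_vector(x, m):
    """Coordinates of x in Z[G] ≅ Z^n, in the order of units_mod(m)."""
    return [x.get(g, 0) for g in units_mod(m)]


def stickelberger_generators(m):
    """theta_c for 1 <= c < m coprime to m, plus theta_{m+1} = m*theta. All lie in S,
    and together they span S over Q, so their Z-span has the same rank as S."""
    return [to_vector(theta_c(c, m), m) for c in units_mod(m) + [m + 1]]


def z_rank(vectors):
    """Rank of the lattice spanned by integer vectors (Gaussian elimination over Q)."""
    rows = [[Fraction(v) for v in vec] for vec in vectors]
    rank = 0
    for col in range(len(rows[0]) if rows else 0):
        pivot = next((r for r in range(rank, len(rows)) if rows[r][col] != 0), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for r in range(len(rows)):
            if r != rank and rows[r][col] != 0:
                f = rows[r][col] / rows[rank][col]
                rows[r] = [a - f * b for a, b in zip(rows[r], rows[rank])]
        rank += 1
    return rank


def stickelberger_rank(m):
    """rank(S) = n/2 + 1 for m > 2 (one for each odd character, plus the trivial one),
    strictly less than n = phi(m): S is not full rank in Z[G]."""
    return z_rank(stickelberger_generators(m))


def short_differences(p):
    """For prime p, the differences theta_{b+1} - theta_b (b = 1..p-2) have all
    coefficients in {0, 1}: each is floor((b+1)a/p) - floor(ba/p) with a = g^-1.
    Assumed here to be the kind of explicit short Stickelberger vectors the talk alludes to."""
    thetas = [to_vector(theta_c(b, p), p) for b in range(1, p)]
    return [[x - y for x, y in zip(thetas[b], thetas[b - 1])] for b in range(1, p - 1)]


if __name__ == "__main__":
    for m in (7, 8, 9, 11, 13):
        n = len(units_mod(m))
        print(f"m={m}: n={n}, rank(S)={stickelberger_rank(m)} (expected n/2+1={n // 2 + 1})")
    for v in short_differences(11):
        print(v)
```

The rank count is why the talk has to "expand" the ideal before running CVP: a target r ∈ Z[G] generally has a component outside S ⊗ Q, so no point of S is close to it until further class-group relations are adjoined. The 0/1 vectors show why CVP in this lattice is tractable at all: a basis of short, explicit vectors is exactly what Babai-style rounding needs to produce an s with ‖s − r‖₁ small, which is what bounds the norm of B = P^{s−r}.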