Thank you Leo for this introduction. So today we are talking about the principal ideal problem in cyclotomic fields, because we are not afraid of cyclotomic fields, and cryptanalysis of a fully homomorphic encryption scheme.

Okay, so first, what is the principal ideal problem? It consists in finding a generator of an ideal, assuming this ideal is principal. Okay, this problem is computationally hard, but there are not so many applications in that form. So we have the derived form, the short principal ideal problem, that consists in finding a short generator of this ideal. This has applications in cryptography. It was already presented in the previous talk: the Smart and Vercauteren encryption scheme and the multilinear map of Garg, Gentry and Halevi.

So for solving the SPIP, the short principal ideal problem, we have two distinct parts. The first one is, given any Z-basis of the ideal, to find one generator, without any condition on the generator except that it actually generates the ideal, and the second part is the reduction from any generator to a short one. So, as already specified in the previous talk, this reduction part has been already well studied in the previous years, because Campbell, Groves and Shepherd found a solution in polynomial time, and it was proven by Cramer, Ducas, Peikert and Regev last year at Eurocrypt, with an extension to all prime-power cyclotomic fields. That's why we're interested in solving the PIP in prime-power cyclotomic fields, because thanks to this polynomial-time reduction we have also solved the SPIP.

So here is the key generation process for the Smart and Vercauteren scheme, just in order to give you an idea of what we can do with the PIP.
So the two first parts are for fixing the number field, that is a power-of-two cyclotomic field, and then we construct a generator with this polynomial g, thanks to another polynomial s with coefficients in that set, and because of this set we know that the generator is quite small in comparison with all the elements in the cyclotomic field. In addition, we want the norm of this generator, so the evaluation in zeta of the polynomial g, to be a prime number, just in order to avoid the splitting attacks. Then the secret key is this generator g, and the public key is any of the bases of this ideal. So any Z-basis, or something with two generators. Here we put the Hermite form, that is a special form for the ideal, but any Z-basis, it's okay.

Then our goal is to recover the secret key from the public key. So it's key recovery. We will not treat tonight the problem of decryption, but just a key recovery, okay.

So our algorithm contains four phases. The first one is reduction to the totally real subfield. So it's again a subfield, but this time there is only one subfield, so it's okay. This just consists in halving the dimension. It's always better to have something with smaller dimension. The second step is a descent, because at the beginning we have a large ideal and we want at each step to have ideals with norm smaller and smaller. In the end, at the third step, we have to take care of these smooth ideals, these small ideals, and the fourth part is the reduction to a short generator from any arbitrary generator.

Okay, so all the complexities I will give now are expressed in the discriminant of the field, that is exactly, for that case, the dimension to the dimension, and we will use the L subexponential notation, and if you are not familiar with it, just think that L of alpha is something in two to the n to the alpha, plus a little something. Okay, so now I will speak about the details.
So the first part is the reduction to the totally real subfield. So we have a cyclotomic field of dimension n and we want to work in the totally real subfield of dimension n over two. So this is based on the Gentry-Szydlo algorithm, that has polynomial complexity. It takes as input the basis of our ideal, that is principal, and something on the generator, as a product between u and its complex conjugate, and outputs the generator. So we are happy, because we can find the generator. The problem is that if g is the private key, we have no information about this product g times g bar. So we cannot apply it in that way. The solution is to introduce a new algebraic integer u, defined in that way. Here the norm factor is just there for avoiding working with denominators. So from the Z-basis of g we can obtain a Z-basis of u, and we have information about the product, because it's exactly the square of the norm of the ideal. So we know it, so we can apply the Gentry-Szydlo algorithm on this ideal and we obtain the product, so we can avoid the norm factor, and thanks to this product we are able to build this ideal I plus, generated by g plus g bar, even if we don't know g plus g bar, and this ideal belongs to the totally real subfield. In the end, once we have recovered a generator of our ideal I plus, then we just need to multiply it by this quantity in order to recover the generator g of the input ideal. So now we have reduced our problem to the same problem, but in the totally real subfield.

Then here is an outline of the descent. So at the beginning you have an input ideal with norm arbitrarily large, and so we begin by bootstrapping the descent, so it's a reduction. We will see later the details, but you can see it as ideal reduction, and we obtain something in L of three halves. Using smoothness results,
we can expect to have something that is L of one smooth, and after this first step we continue the descent, and we see that again the norm will decrease, and in the end we have something that has norm in L of one, and we know that, using smoothness results, we can obtain something that is L of one half smooth.

Okay, so here are the details. So the initial one: at the beginning, we have an ideal of norm arbitrarily large, and what we use is lattice reduction. So we have to consider an ideal built from the... no, we have to consider a lattice built from this ideal in order to perform lattice reduction. So this lattice is built from the canonical embedding of the ring of integers of the totally real subfield in something as a product of R. So you just have to consider the elements of the Z-basis of the ideal and just look at their complex embeddings, and we obtain a lattice, and then we perform lattice reduction. So we use the DBKZ reduction with block size defined in that way, just for keeping a complexity that is below L of one half. So the output of this lattice reduction is a small vector in the lattice that corresponds to an algebraic integer v that belongs to the ideal, and thanks to this algebraic integer there exists a uniquely determined integral ideal B such that the ideal generated by v is equal to a times B, and we have this upper bound on the norm of the ideal B.

Okay, the cost of this reduction is polynomial in the dimension and in the size of the input, and we have this term in L of one half because of the block size we have chosen.

Okay, so at this moment we have something in L of three halves, but if we remember, I want something in L of one. So this is done using smoothness results. So we have to assume the following heuristic, that is something really well known for class group computation and all index calculus methods. So we need to assume that the norm of an ideal...
No, yeah, we need to assume that an ideal that has norm that is below L of a is L of b smooth with a probability greater than L of a minus b to the minus one. So performing smoothness tests can be done using the ECM algorithm, so elliptic curve method, and with a smoothness bound in L of b this costs L of b over 2. So applying to our ideal, we have something that can be L of one smooth with probability in L of one half, and each test costs L of one half. So what we want to do is just to test L of one half ideals in order to obtain one that is L of one smooth. The problem is that the input ideal is fixed, I cannot turn it. So we just add a randomization factor, as a product of the p_i to the e_i for small prime ideals, because, as in the end I want small ideals, I can multiply it by small ideals, it's okay, it won't change my result. So I can test L of one half such ideals in order to obtain one that is L of one smooth.

Okay, so now I have ideals that all have norm below L of one, and I want to continue my descent. But if I do the same thing, I will obtain the same bounds and I cannot find something better. So I have to change my reduction process, and we use what we call Cheon's trick, because of notes, but it's something well known in the community. So we change the lattice. Now we don't look at the canonical embedding, but we look at the coefficient embedding in this basis of the ring of integers of the totally real subfield. So we have an integral lattice that we can put in Hermite form, that is a special form for the lattice that is triangular, and when the lattice is in that form, then we have results that we can find shorter vectors in a sublattice with smaller dimension.
So the result is that if we have as input an ideal with norm below L of alpha, then the algebraic integer we will find, and the ideal B in the same way... so the norm will be bounded by this quantity, and using the same process for the randomization as in the first reduction, we can obtain, by testing L of one half ideals, something that is L of two alpha plus one over four smooth. Okay, so at the beginning we have L of alpha, in the end we have this quantity. So this is a reduction if alpha is greater than one half.

Okay, so now I have the descent, so I can do that recursively, and in the end I just need to know... Oh, yeah, I didn't talk about the cost, but because the lattice reduction is the same, it's L of one half, and the smoothness test also is L of one half. So yeah, the only thing I have to speak about now is just where I stop the descent. So after about l steps, we have something in that form, where the norm is bounded by this quantity, and if we fix l as something in log log n, then we have this equality, because the term in one over log n is very small and actually we can avoid it. For those who are familiar with the L notation, we can do that if we multiply the second constant by a factor e.

Okay, so now I know that all my ideals have norm below L of one half. I know that the number of ideals involved is upper bounded by L of one half, and all the steps I have performed are in L of one half, so that the total cost of my descent is L of one half. The only thing I have to do now is to take care of my ideals that have norm below L of one half. So this is done using the same method as class group computation. So it's an index calculus method. I have to fix a factor base, so I take all the prime ideals with norm that is below the bound B, and I perform a relation collection. So I want to construct the following matrix, and what is a relation?
So a relation is obtained when we have a principal ideal that splits on the factor base. So our idea is to test ideals generated by small algebraic integers v, constructed in that way with small v_i. We know that the norm of such v is below L of one, so we know that if we test L of one half such ideals, we will find L of one half smooth ideals. So the cost is in L of one half, and this is the kind of matrix you obtain. So, you know, we have v_i that is the algebraic integer, and then in the matrix, for the i-th line, we have all the valuations in the prime ideals of the factor base. So this is the matrix we have constructed. Once we have the matrix, we also construct a vector where we put all the valuations in the prime ideals of the factor base for the input ideals. Then we have all the information of all the L of one half smooth ideals we had as input, and then, to solve our problem, it's just solving a linear system, M times x equals y, and then in that x we will have the exponents for constructing our generator, and for that we will use the v_i we have used in the relation collection. So in the end we have a generator of all the products of the L of one half smooth ideals. So we have a generator for the last line of the diagram I showed you at the beginning, and then, using all the algebraic integers that appear during the descent step, we are able to recover a generator of the top of the tree. Then we have solved our problem, and we have a generator of the input ideal in the totally real subfield, so that we can obtain something for the ideal in the cyclotomic field.

Okay, we also have some implementation results. So we looked at the dimension 256. So we performed the Gentry-Szydlo algorithm to reduce the problem to the dimension 128. So it was, we think, the first time that the Gentry-Szydlo algorithm ran on such dimension, and it costs 20 hours and 24 gigabytes of memory, and after that, something not strange, but very convenient, appears.
That is, we perform one BKZ reduction using the fplll software. So this costs between 10 minutes and four hours, but this is sufficient for performing the full descent, because of the small dimension 128, and because we know that there exists a small generator, and we know that lattice reduction performs well in practice, better than theoretically, and we were able to recover a generator of the ideal in the totally real subfield with just one BKZ reduction. So the descent is just only one step. We are able to recover the secret key in dimension 256 in less than one day. So this is... yeah, that's it. That's it for me, and thank you for your attention.

Any question for our speaker?

Okay, so maybe: what block size did you run BKZ for this last reduction?

So there are two block sizes we used, that's why we have timings between ten minutes and four hours. At the beginning we run with block size 24, which runs in ten minutes, and in 75% of the time it's sufficient, and when the generator we obtain is not sufficiently small, then we perform a BKZ with block size 30, so this one takes more time, and we obtain a result for all the instances we have tested.