Short generators without quantum computers : the case of multiquadratics

Finding a short element g of a number field, given the ideal generated by g, is a classic problem in computational algebraic number theory. Solving this problem recovers the private key in cryptosystems introduced by Gentry, Smart–Vercauteren, Gentry–Halevi, Garg–Gentry–Halevi, et al. Work over the last few years has shown that for some number fields this problem has a surprisingly low post-quantum security level. This paper shows, and experimentally verifies, that for some number fields this problem has a surprisingly low pre-quantum security level.

How secure is approx SVP?

2002 Micciancio–Goldwasser (emphasis added): "To date, the best known polynomial time (possibly randomized) approximation algorithms for SVP and CVP achieve worst-case (over the choice of the input) approximation factors γ(n) that are essentially exponential in the rank n."

2007 Regev:

2013 Micciancio: "Smooth trade-off between running time and approximation: γ ≈ 2^{O(n log log T / log T)}"

As in discrete-log crypto, eliminate unnecessary ring morphisms.

This talk: Switch from cyclotomics to other Galois number fields. Another popular example in algebraic-number-theory textbooks: multiquadratics; e.g., Q(

Case study of a lattice-based cryptosystem that was already defined in detail for arbitrary number fields: 2010 Smart–Vercauteren, optimized version of 2009 Gentry.
Secret key: very short g ∈ R.
Public key: gR.
To handle multiquadratics better, we generalized beyond Z[α]; fixed a keygen speed problem; used twisted Hadamard transforms as replacement for FFTs; adapted 2011 Gentry-Halevi cyclotomic speedups to multiquadratics.
Part II: Some preliminaries

Definition
A number field is a field L containing Q with finite dimension as a Q-vector space. Its degree is this dimension.

Definition
The ring of integers O_L of a number field L is the set of algebraic integers in L. The invertible elements of this ring form the unit group O_L^×.

Problem
Recover a "small" g ∈ O_L (modulo roots of unity) given gO_L.

Definition (for this talk)
A multiquadratic field is a number field that can be written in the form
The degree of the multiquadratic field is N = 2^n.

Definition
Fix a number field L of degree N and fix distinct complex embeddings σ_1, …, σ_N of L. The Dirichlet logarithm map is defined as
Λ is a lattice of rank r + c − 1, where r is the number of real embeddings and c is the number of complex-conjugate pairs of non-real embeddings of L.

Fact
If hO_L = gO_L and g ≠ 0 then h = ug for some u ∈ O_L^×, and

Multiquadratic fields have a huge number of subfields. We use 3 specific ones (plus recursion).

Let σ be the automorphism of L that negates √d_n and fixes the other √d_j.
Let τ be the automorphism of L that negates √d_{n−1} and fixes the other √d_j.
So if we can find a basis for (O_L^×)^2, taking square roots gives O_L^×. 1966 Wada: we can do this, in exponential time! Check which products of subsets of basis vectors for U_L are squares.
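The automorphisms σ and τ above, and the subfield relation h = ug² that the recursion later relies on, worked out in the smallest multiquadratic field Q(√d1, √d2). This is an added example, not code from the talk or the paper; it assumes the standard conventions that K_σ denotes the subfield fixed by σ and that N_σ(g) = g·σ(g) is the relative norm down to K_σ (likewise for τ and στ). The third subfield, fixed by στ, is the one the slides count but do not name.

```python
# Added example, not code from the talk or the paper: the subfield relation
# behind the recursion, in L = Q(sqrt(d1), sqrt(d2)) (n = 2, degree N = 4).
# Elements are integer 4-tuples (c0, c1, c2, c3) meaning
#   c0 + c1*sqrt(d1) + c2*sqrt(d2) + c3*sqrt(d1*d2);
# index i = e1 + 2*e2 holds the coefficient of sqrt(d1)^e1 * sqrt(d2)^e2.
# Assumed notation: sigma negates sqrt(d2), tau negates sqrt(d1), K_sigma is the
# subfield fixed by sigma, and N_sigma(g) = g * sigma(g) is the norm down to K_sigma.

def mul(x, y, d1, d2):
    """Product in Q(sqrt(d1), sqrt(d2)): exponents add mod 2, a carry contributes d1 or d2."""
    out = [0, 0, 0, 0]
    for i in range(4):
        for j in range(4):
            e1 = (i & 1) + (j & 1)
            e2 = (i >> 1) + (j >> 1)
            coef = x[i] * y[j]
            if e1 == 2:
                coef *= d1
            if e2 == 2:
                coef *= d2
            out[(e1 & 1) + 2 * (e2 & 1)] += coef
    return tuple(out)

def sigma(x):
    """Negate sqrt(d2) (and hence sqrt(d1*d2)); fix sqrt(d1)."""
    return (x[0], x[1], -x[2], -x[3])

def tau(x):
    """Negate sqrt(d1) (and hence sqrt(d1*d2)); fix sqrt(d2)."""
    return (x[0], -x[1], x[2], -x[3])

def sigma_tau(x):
    return sigma(tau(x))

def norm_sigma(g, d1, d2):      # lands in K_sigma = Q(sqrt(d1)): indices 2 and 3 vanish
    return mul(g, sigma(g), d1, d2)

def norm_tau(g, d1, d2):        # lands in K_tau = Q(sqrt(d2)): indices 1 and 3 vanish
    return mul(g, tau(g), d1, d2)

def norm_sigma_tau(g, d1, d2):  # lands in K_{sigma tau} = Q(sqrt(d1*d2)): indices 1 and 2 vanish
    return mul(g, sigma_tau(g), d1, d2)

def subfield_relation_holds(g, d1, d2):
    """Check N_sigma(g) * N_tau(g) == g^2 * sigma(N_{sigma tau}(g)).
    Left side: g*sigma(g) * g*tau(g).  Right side: g^2 * sigma(g) * sigma(sigma(tau(g)))
    = g^2 * sigma(g) * tau(g), because sigma^2 = 1.  So the three subfield norms
    determine g^2, and generators h_sigma, h_tau, h_{sigma tau} recovered recursively
    (each a unit times the norm) combine to h = u * g^2 for a unit u.  Division is
    avoided here by comparing the two products instead of forming a quotient."""
    lhs = mul(norm_sigma(g, d1, d2), norm_tau(g, d1, d2), d1, d2)
    rhs = mul(mul(g, g, d1, d2), sigma(norm_sigma_tau(g, d1, d2)), d1, d2)
    return lhs == rhs

# Constructed demo value in Q(sqrt(2), sqrt(3)): g = 3 + sqrt(2) - sqrt(3) + 2*sqrt(6).
D1, D2 = 2, 3
G = (3, 1, -1, 2)

if __name__ == "__main__":
    print("N_sigma(g)      =", norm_sigma(G, D1, D2))       # (-16, 18, 0, 0): in Q(sqrt 2)
    print("N_tau(g)        =", norm_tau(G, D1, D2))         # (-14, 0, -14, 0): in Q(sqrt 3)
    print("N_sigma_tau(g)  =", norm_sigma_tau(G, D1, D2))   # (28, 0, 0, 14): in Q(sqrt 6)
    print("relation holds  =", subfield_relation_holds(G, D1, D2))
```

The three norms are exactly the "N_σ(g)O_{K_σ}" style data the recursion hands down to the quadratic subfields; the printed tuples show each one has only the coordinates of its own subfield.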

Fact
Can compute N_σ(g)O_{K_σ} quickly from gO_L.

Apply the algorithm recursively to find a generator h_σ of N_σ(g)O_{K_σ}, i.e. h_σ = u_σ N_σ(g) for some unit u_σ.

Subfield relation: h = ug^2 for some u ∈ O_L^×.
Problem: h is not necessarily a square!
Solution: Use quadratic characters to find v ∈ O_L^× with vh a square.
Last step is to shorten the generator ug = √(vh) (u some unit) by solving the BDD problem in the log-unit lattice.
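The last step, shortening a generator by solving BDD in the log-unit lattice, in the simplest setting where it can be seen end to end: a real quadratic field Q(√d). This is an added example, not code from the talk or the paper. It assumes the standard definition of the Dirichlet logarithm, Log(x) = (log|σ_1(x)|, log|σ_2(x)|), and that Λ = Log(O_L^×); both formulas are absent from the extracted slides. With r = 2 and c = 0 the lattice Λ has rank 1, so BDD reduces to rounding to the nearest multiple of Log ε for the fundamental unit ε. The value d = 46 and the secret 7 + √46 are constructed for the demo.

```python
# Added example, not from the talk or the paper: shorten a generator of g*O_L
# in L = Q(sqrt(d)), d squarefree with d = 2 or 3 (mod 4) so that O_L = Z[sqrt(d)].
# Elements are integer pairs (a, b) meaning a + b*sqrt(d).
import math

PREC = 200  # bits of fixed-point precision for evaluating the two real embeddings

def mul(x, y, d):
    a, b = x
    c, e = y
    return (a * c + d * b * e, a * e + b * c)

def norm(x, d):
    a, b = x
    return a * a - d * b * b          # N(x) = sigma_1(x) * sigma_2(x), an integer

def dirichlet_log(x, d):
    """Log(x) = (log|sigma_1(x)|, log|sigma_2(x)|)  (assumed standard definition).
    Evaluated with 200-bit fixed-point integers: for a large unit, a and b*sqrt(d)
    nearly cancel in one embedding and plain floats would lose every digit there."""
    a, b = x
    scale = 1 << PREC
    root = math.isqrt(d * b * b * scale * scale)  # floor(|b| * sqrt(d) * 2^PREC)
    if b < 0:
        root = -root
    shift = PREC * math.log(2)
    return (math.log(abs(a * scale + root)) - shift,
            math.log(abs(a * scale - root)) - shift)

def fundamental_unit(d):
    """Smallest unit > 1 of Z[sqrt(d)], by brute force on a^2 - d*b^2 = +-1 (Pell)."""
    b = 1
    while True:
        for rhs in (1, -1):
            a2 = d * b * b + rhs
            a = math.isqrt(a2)
            if a * a == a2:
                return (a, b)
        b += 1

def unit_power(eps, k, d):
    """eps^k for any integer k; eps^-1 = N(eps) * conj(eps) since eps * conj(eps) = N(eps) = +-1."""
    n = norm(eps, d)
    base = eps if k >= 0 else (n * eps[0], -n * eps[1])
    r = (1, 0)
    for _ in range(abs(k)):
        r = mul(r, base, d)
    return r

def shorten(h, d):
    """Given any generator h of h*O_L, return a short generator.
    h = u*g with u = eps^k, so Log h = k*Log eps + Log g.  Projecting onto the
    hyperplane (sum of coordinates = 0) removes log|N(g)|; rounding the result to
    the nearest multiple of Log eps = (log eps, -log eps) recovers k provided Log g
    is within half a lattice vector, i.e. |log|g| - log|g'|| < log eps."""
    eps = fundamental_unit(d)
    lh = dirichlet_log(h, d)
    log_eps = dirichlet_log(eps, d)[0]
    proj = (lh[0] - lh[1]) / 2                  # first coordinate after projection
    k = round(proj / log_eps)                   # BDD in a rank-1 lattice = rounding
    g = mul(h, unit_power(eps, -k, d), d)       # divide out the unit exactly
    if g[0] < 0 or (g[0] == 0 and g[1] < 0):    # roots of unity here are +-1
        g = (-g[0], -g[1])
    return g

# Constructed demo: d = 46 has the large fundamental unit 24335 + 3588*sqrt(46),
# so a small secret such as g = 7 + sqrt(46) sits well inside the BDD radius.
D = 46
SECRET_G = (7, 1)

def demo():
    eps = fundamental_unit(D)
    public_h = mul(unit_power(eps, 3, D), SECRET_G, D)   # some other generator of g*O_L
    return eps, public_h, shorten(public_h, D)

if __name__ == "__main__":
    eps, h, g = demo()
    print("fundamental unit:         ", eps)
    print("public generator:         ", h)
    print("recovered short generator:", g)
```

The fixed-point embedding evaluation is the one detail worth keeping in mind when moving beyond toy sizes: the unit contribution to Log h is large and opposite in the two embeddings, so the shortest embedding of h is the difference of two nearly equal large numbers.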
Apply algorithm recursively to find generator Subfield relation: h = ug 2 for some u ∈ O × L . Problem: This is not necessarily a square! Solution: Use quadratic characters to find v ∈ O × L with square vh. Last step is to shorten the generator u g = √ vh by solving the BDD problem in the log-unit lattice.    Questions?