Cryptology ePrint Archive: Report 2021/600

Subfield Algorithms for Ideal- and Module-SVP Based on the Decomposition Group

Christian Porter and Andrew Mendelsohn and Cong Ling

Abstract: Whilst lattice-based cryptosystems are believed to be resistant to quantum attack, they are often forced to pay for that security with inefficiencies in implementation. This problem is overcome by ring- and module-based schemes such as Ring-LWE or Module-LWE, whose keysize can be reduced by exploiting its algebraic structure, allowing for neater and faster computations. Many rings may be chosen to define such cryptoschemes, but cyclotomic rings, due to their cyclic nature allowing for easy multiplication, are the community standard. However, there is still much uncertainty as to whether this structure may be exploited to an adversary's benefit. In this paper, we show that the decomposition group of a cyclotomic ring of arbitrary conductor may be utilised in order to significantly decrease the dimension of the ideal (or module) lattice required to solve a given instance of SVP. Moreover, we show that there exist a large number of rational primes for which, if the prime ideal factors of an ideal lie over primes of this form, give rise to an ``easy'' instance of SVP. However, it is important to note that this work does not break Ring-LWE or Module-LWE, since the security reduction is from worst case ideal or module SVP to average case Ring-LWE or Module-LWE respectively, and is one way.

Category / Keywords: public-key cryptography / Ideal Lattice, Module Lattice, Ring-LWE, Module-LWE, Shortest Vector Problem

Date: received 7 May 2021, last revised 26 May 2021

Contact author: c porter17 at imperial ac uk, andrew mendelsohn18 at imperial ac uk, c ling at imperial ac uk

Available format(s): PDF | BibTeX Citation

Note: Submitted to ASIACRYPT 2021 - pending review.

Version: 20210526:215353 (All versions of this report)

Short URL: ia.cr/2021/600


[ Cryptology ePrint archive ]