Advances on Quantum Cryptanalysis of Ideal Lattices Léo Ducas

184 NAW 5/18 nr. 3 september 2017 Advances on quantum cryptanalysis of ideal lattices Léo Ducas

Léo Ducas Cryptology Group Centrum voor Wiskunde & Informatica [email protected]

Advances on quantum cryptanalysis of ideal lattices

Léo Ducas is a NWO Veni Laureate working in CWI’s Cryptology Group on lattice-based knowledge, the same problems remain cryptology. He co-authored the efficient quantum-safe key exchange algorithm ‘New Hope’ hard over arbitrary lattices, even with a which was awarded the Facebook Internet Defense Award. Although using lattices with quantum computer. More precisely, for cer- additional structure can lead to more efficient cryptographic algorithms, in this article tain sub-exponential approximation factors Ducas explains how lattices that have too much additional structure may be insecure due a, a-SVP on ideal lattices admit a polyno- to efficient quantum attacks. mial-time algorithm, as depicted in Figure 1. In this survey, we give an overview of the The problem of finding a shortest vector lattices, such as lattices generated by a cir- techniques that have lead to these results. of a Euclidean lattice (the shortest vector culant matrix. The earliest example of such The first quantum attack on certain ideal problem, or SVP) is a central hard prob- a cryptosystem is the NTRUencrypt propos- lattices of cyclotomic fields was sketched lem in complexity theory. Approximated al from Hoffstein et al. [9] from 1998. Alge- by Campbell, Groves and Shefferd [5], and versions of this problem (e.g. a-SVP, the braically, those lattices can be viewed as applies to a few schemes, in particular to problem of finding a vector at most a ideals or modules over cyclotomic number one of the first Fully-Homomorphic En- times longer than the shortest one) have fields. cryption schemes [17]. Yet those broken become the theoretical foundation for Nevertheless, there is no guarantee that schemes were based on ad-hoc problems many cryptographic constructions. Indeed, hard lattice problems remain hard on par- that do not benefit from worse-case hard- lattice-based cryptography typically bene- ticular classes of structured lattices, and ness. fits from worst-case hardness [1, 14, 18]: it indeed, a series of results [4–8] have lead The first step of this attack does not is sufficient that there exists some lattices to new quantum algorithms solving certain actually solve a lattice problem: it does not in which finding short vectors is hard for ideal lattice problems. To the best of our provide guarantees about the shortness of those cryptosystems to be secure. Among several advantages, lattice-based cryp- Time Time tography is also praised for its apparent Θ(˜ n) resistance to quantum algorithms, unlike e BKZ the current public-key schemes based on BKZ factoring or discrete logarithm. Θ(˜ √n) The main drawback of lattice-based e cryptography is its large memory and band- Crypto Crypto width footprints: a lattice is represented by LLL New alg. O(1) a basis, i.e. an nn# matrix for a dimen- n O(1) Θ(˜ √n) Θ(˜ n) α O(1) Θ(˜ √n) Θ(˜ n) α sion n of several hundreds. For efficiency n e e n e e reasons, it is tempting to rely on structured Figure 1 Best known quantum algorithm for general a-SVP (left), and for a-SVP in cyclotomic ideal lattices (right). Léo Ducas Advances on quantum cryptanalysis of ideal lattices NAW 5/18 nr. 3 september 2017 185

the solution. Namely, hinted by recent results of Eisenträger, Hallgren, Kitaev and δ1 Song [8], it is conjectured in [5] that the v t Principal Ideal Problem (finding a gener- δ ator of a given principal ideal) could be 2 solved in quantum polynomial time. This was soon confirmed by the work of Bi- asse and Song [4]. The second step was Figure 2 Rounding with a good basis. also only conjectured to be correct, but could easily be checked in practice. Pre- cisely, taking logarithms, finding a short δ1 generator can be phrased as a lattice problem in a fixed lattice (Dirichlet’s unit δ2 lattice), for which we know a seemingly good basis. A detailed geometric analysis of the cyclotomic units [6] confirmed that conjecture, using tools from analytic Figure 3 Rounding with a bad basis. number theory. While this initial attack concerned a par- them with respect to an absolute distance est enclosing sphere of (respectively largest ticular distribution of principal ideal lattices, d, rather than an approximation factor a. enclosed sphere) of P. More precisely: the work of [6] also considers what can be d 1 !b # 1 b done in the worst-case: using similar algo- Definition. The Close Vector Problem up to 1 = 2 max / i 2 / i , rithms, one can always recover a generator distance d (d-CVP) is defined as: d 1 0 2 = 2 min bi , longer than the shortest vector by a factor –– Given a basis B of a lattice K 1 Rn, a u 0 at most = exp((On)). This constitutes a –– Given a target t ! Rn, where bi denotes the i-th vector of the T -1 first worst-case hardness gap between ge- –– Find v ! K\{0} such that vt- # d, dual basis ()B . We see that the ability neric lattices and structured ones. The gap to solve these problems highly depends on where d is large enough so that a solution was widened in a follow-up result of Cramer, the quality of the basis B. For comparison, exists for any target t (namely d is larger Ducas and Wesolowski [7], showing how we picture what happens with a bad basis than the covering radius of K). to extend these algorithms to non-principal of the same lattice in Figure 3: the CVP and ideals. Naturally, one would look for an ideal BDD radii get worse. Definition. The Bounded Distance Decod- ab 1 a which is a multiple of a, that is princi- ing Problem up to distance d (d-BDD) is pal, and with a small relative index #(aa/)b . Lattice-based cryptography defined as: Again, this problem can be translated to The gap between what can be done with n a lattice problem in a fixed lattice, namely –– Given a basis B of a lattice K 1 R , good and bad bases is what gives rise to n the lattice underlying Stickelberger’s class –– Given a target t ! R at distance at public key cryptography: the bad basis will group annihilation theorem [19]. most d from K, be used as a public key (allowing to gen- –– Find v ! K\{0} such that vt- # d, erate noisy lattice points as ciphertexts), Lattices and computational problems where d is small enough so that at most while the good basis is kept secret (al- We recall that a lattice is a discrete sub- one solution exists for any target t (namely lowing to solve BDD for decryption). The group of the vector space Rn, equipped dm< 1 ()K /2). secret-key owner is able to construct a with its canonical Euclidean norm denoted good basis only because he controls the $ . The minimal distance of a lattice K is Both problems are somehow dual, in construction of the lattice. particular d-CVP gets easier as d increases, defined bym 10()K = minx ! K\{ } x . In this brief overview, we explained Our main goal is to solve the following while d-BDD gets easier as d decreases. why CVP and BDD are useful problems in problem in a particular class of lattices. A very simple and efficient algorithm for cryptography, but it turns out that the core those problems is given by a simple coor- problem is SVP. For example, solving SVP a Definition. The Short Vector Problem with dinate-wise rounding: few times allows to construct a basis with approximation factor a (a-SVP) is defined small vectors, allowing in turn to solve vB= $ B- 1 $ t . as: 6 h CVP. And the converse is also true for cer- This algorithm induces a parallelepipedic –– Given a basis B of a lattice K 1 Rn, tain variants of CVP and BDD, as demon- tiling of the space as depicted in Figure 2, –– Find v ! K\{0} such that v # am$ ()K . strated by the worst-case to average-case 1 where the shape of the tile is given by P reductions of Ajtai and others [1, 14, 18]. the basis : For our purpose, we will also consider B These converse results allow to prove that two related problems, namely the approx- 1 1 n 1 1 breaking certain cryptosystems is at least Pb= Bx$ - , =-/ ii|,xi ! . imate Close Vector Problem (d-CVP), and : 2 2D &0: 2 2D as hard as solving a-SVP for some approx- the Bounded Distance Decoding problem This fast algorithm solves d1-CVP (respec- imation factor, typically polynomially large O()1 (d-BDD). For convenience, we will define tively d2-BDD) for radii defined by the small- in the dimension a = n . 186 NAW 5/18 nr. 3 september 2017 Advances on quantum cryptanalysis of ideal lattices Léo Ducas

The hardness of a-SVP decrease with schemes deployed nowadays would be- growing approximation factor a. For small come insecure, as they are all based on a = O()1 , this problem is known to be NP- factoring and discrete logarithm problems. hard [12], unfortunately it seems impossi- This motivates the development of cryp- ble to base cryptosystems on a-SVP with tosystems based on other mathematical such a small approximation factor. The problems, such as lattice-based schemes. best known algorithms for a-SVP for pol- This also calls for a better understanding ynomial approximation factors a = nO()1 of the power of quantum computers, espe- in unstructured lattices require time ex- cially with respect to Shor’s idea of period ponential in n. The conjecture that it can- finding. This is generalized as the following Figure 4 Discrete Gaussian distribution over a lattice. not be done much faster implies that lat- problem. tice-based cryptosystems are unbreakable quantum representations. While we do not in an asymptotic sense. More generally, Definition. The Hidden Subgroup Problem know of an efficiently computable normal the best algorithms to solve exp()nc -SVP (HSP) over the Abelian group G is defined form for non-integer large dimensional lat- is BKZ [15], a generalization of the Lenstra– as: tices, we do know how to sample according Lenstra–Lovàsz algorithm (LLL) [11], and –– Given an efficient quantum computa- to a canonical distribution over a lattice, u 1 - c runs in time exp((H n )), as depicted in ble function fG: " S, which is exactly with an efficient classical probabilistic al- Figure 1. H-periodic for a subgroup HG1 , gorithm. First, one would start by finding a –– Find the hidden subgroup H, weakly reduced basis with the LLL algorithm Cyclotomic ideal lattices [11], followed by Klein’s sampling algorithm where S denotes the set of quantum states. Consider the m-th cyclotomic number field [10], which produces a wide discrete Gauss- K = Q()g , where g denotes a formal m-th ian distribution supported by the lattice L. primitive root of unity. Its ring of integer is This problem admits an efficient quan- This probabibilistic algorithm produc- tum algorithm in many cases. For example, known to be OK = Z[]g . The number field ing a classical distribution can be adapted K is equipped with nm= z() complex em- Shor’s algorithm is an instance of the HSP [8, 14] to a quantum algorithm producing beddings, sending g to each of the primi- algorithm where G = Z, Hr= Z, and where the corresponding quantum state S, name- i the function f is injective modulo the peri- tive m-th roots of unity in C: }gi : 7 ~ for ly S is a weighted quantum superposition each im! (/ZZ)#, where ~ = exp(/2-r m). od r. In this particular case, f produces a of all lattice points: classical result, that is trivially encoded as An (integral) ideal I 1 OK is an addi- a quantum state. More generally, quantum RS:,L " tive subgroup of OK also closed under algorithms for HSP are now known for larger - x 2 multiplication by elements of OK. An ideal RL()= exp $|.x H n n / 2v2 may be viewed as a euclidean lattice via Abelian groups such as Z , and even R [8] x ! L dn the Minkowski embedding: with some technical restriction on f. The above quantum superposition is in- finite, but can be tail-cut considering the }}:(xK! 7 ()xx,,f } ()) 11m - Quantum encodings of lattices rapid decay of Gaussian distributions. Ex- nn2 !-HC= R . As we will see in the next section, many tra effort is also needed to discretize Rd problems in number theory can be phrased d Each embedding }i is a field morphism; in and represent each point x ! R using a particular } is linear, and multiplication in as HSP using a function f producing lattic- finite amount of qubits (see ‘straddle en- K corresponds to component-wise multipli- es rather than quantum states: fG: " LV coding’ in [8]). cation in H. where L = {|LL1 V is a lattice}. To apply the known HSP algorithm (using Rf% ) HSPs in number theory Quantum algorithms and HSP one therefore needs to be able to com- In this section, we describe algorithms In 1994, Shor [16] formulated a factoriza- pute canonical representation for lattices [4, 5, 8] that apply to any number fieldK , tion algorithm that would run in polynomi- RS: LV " , a task that is not always so given its ring of integers OK. Let us start al time on a quantum computer. Shor’s al- easy. by recalling the definitions of ideals ofK : d gorithm exploits the properties of quantum For integer lattices L 1 Z , such a rep- mechanics to efficiently find the period of resentation is provided by the Hermite Nor- Definition. An integral ideal I of K is an the function: mal Form, which is computable in classical additive subgroup I 1 OK closed by mul- polynomial time: the representation R is tiplication by elements of O : ! Z 7 x K fx:maNod classical. When L 1 Rd is a lattice of small # ax!!II,.O " ax ! which reveals the order r of aN! (/ZZ) . dimension d, one can also compute a nor- K Unless aNr/2 =-1 mod , the quantities mal form, for example using an Hermite– A fractional ideal f of K is a set of the form r/2 r/2 1 gcd(,aN+ 1 ) and gcd(,aN- 1 ) will Korkin–Zolotarev (HKZ) reduced basis. fI= z for some non-zero integer z ! Z, provide non-trivial factors of N. Very similar Again, this representation of L is purely and some integral ideal I 1 OK. ideas also allow to solve the discrete loga- classical. But as dimension grows, HKZ re- An ideal f 1 K is said principal if it rithm problem over any cyclic group G. In a duction becomes exponentially hard. is generated by a single element, i.e. if world with large general-purpose quantum This issue was circumvented by Eisen- f ==ggOOKK{}xx;! for some gK! ; computers, all the public key cryptographic träger et al. [8], this time by resorting to such a g is called a generator of f. Léo Ducas Advances on quantum cryptanalysis of ideal lattices NAW 5/18 nr. 3 september 2017 187

Principal ideals have multiple genera- wishes to apply the known HSP algorithm Definition. The Short Generator Problem tors, more precisely, g and gK' ! generate over the vector space Rn. This issue is es- a-SGP consists in: the same ideal if and only if ug= /g' is a sentially dealt with by resorting to the well –– Given an element hK! #, generating an unit of O . The multiplicative group of units K known logarithmic embeddings: ideal I = hOK # -1 is denoted OOKK= {uu!;! OK}. –– Find a generator gK! # of I of small Recall that ideals can be multiplied: # " Rn Log : K Euclidean length: g # am$ 1 ()I . xx7 (|logl}}11()|,f,|og m - ()x |). ab$ = / abi ii;!abab,,i ! Remembering that h and g generate the #- n " In more details, defineEx p : CH by co- same ideal if and only if gh= u for some which makes the set F of fractional ide- " # K ordinate-wise application of exp :CC. unit u ! O , the idea consists in rephras- als an Abelian group. The set of PF1 K KKUp to an appropriate quotient on the do- ing this problem as a close vector problem of principal ideals form a subgroup of F . K main, one can set using the logarithmic embedding: indeed, With those definitions, we can already n we have that LogLgh=+og Log u must consider two important computational fUGP : C " L # belong to the lattice coset logLh + og OK. problems in number theory. 7 Exp()9 }()O yyK Furthermore, up to appropriate rescaling, # it can be proved that the length of g is Definition. The Unit Group Problem (UGP) and recovers Log OK from the period of related to the length of its logarithmic em- consists in: fUGP. Geometrically, fUGP ()y is a deformation the of the lattice }()O , where the bedding Log g. Minimizing g can therefore –– Given a number fieldK and its ring of K i-th coordinate axis of HC= n has been be rephrased as finding a unitu such that integers O , K stretched by the complex factor exp()y ; Log u is close to - Log h, in other words –– Find a finite set of unitsuu ,,f ! O# i 1 dKthis deformation leaves }()O invariant solving a Close Vector Problem over Dir- that generate O# . K # K precisely when Exp()y equals to }()u for ichlet’s logarithmic unit lattice Log OK. some unit u ! O# . Moreover, in certain cryptosystems, we Definition. The Principal Ideal Problem (PIP) K While this strategy seems simple, prov- have additional constraints on the ideal I, consists in: ing its correctness requires an in-depth ensuring that a unusually short generator g –– Given a number fieldK and its ring of exists (which is used as the secret key). This analysis of the metric properties of Rf% UGP: integers OK, Lipschitz continuity and some strong form suggested that the Close Vector Problem –– Given a principal ideal I 1 K, of injectivity. We refer to the original article may actually become a BDD problem [5]. –– Find a generator g of I. for more details [8]. And indeed, experiments confirmed that Finally, we sketch a (over-)simplified this BDD is easily solved in practice. Run- Both problems can be viewed as par- strategy to generalize the above to the ning such experiments requires knowing # ticular cases of the more general problem Principal Ideal Problem. Given a principal the group of units OK. Fortunately, in the of computing the group of S-units for a ideal I, one extends the function f to: case of cyclotomic number fields, there are well chosen set S of prime ideals, as done some well known units — that very often i # in the paper of Biasse and Song [4]. fiPIP()I :(yy,)7 Exp()9 }()I . generate the whole group OK — namely, We start by phrasing the Unit Group the cyclotomic units: Problem as a multiplicative Hidden Sub- The periods of this function contains the extension of the previous, namely, i group Problem. Note that uK! is a 1 - g # # {}g , u = ;!im(/ZZ) . it is (,Log0O ) periodic; but it is also *4i 1 - g unit of OK if and only if uOOKK= , and K (,Log g - 1) periodic for any generator g of more generally ggOOKK= ' if and only if I, as fg(,Log -=1) g $ I-1 = O . With this ug= /g' is a unit of OK. This means that K Geometric analysis of the cyclotomic units function f , the quantum algorithm for the function: PIP()I The fact that the attack works in practice sug- Hidden Subgroup Problem of [8] allows not gests that the matrix U = ()Log u ! ZZ# # only to recover the unit group, but also a ii (/m ) fKUGP : " PK forms a good basis for BDD. Yet it is not so generator of the principal ideal I. Again, xx7 $ OK straightforward to prove it: recalling the first much care is required to ensure that this section, one needs to show that the dual is (multiplicatively) O# -periodic, and one strategy will indeed work, see [4]. K vectors u0 are short. To proceed with the easily checks that it is injective modulo O# i K analysis, Cramer et al. [6] instead consid- as well. The images of such a function are Short generators of principal ideals -1 ered the related matrix M=-((Log 1 gi )) , ideals, and can therefore be viewed as lat- So far, we have been concerned with prob- i where tices. Using the strategy described in the lems that were purely of number theoretic previous section, one can efficiently con- nature, in the sense that the solutions to ij--11i Mij, =-logl|(}gj 11)|=-og ||~ struct a canonical quantum representation UGP and PIP have no guarantees in term of these lattices. of size. In this section we explain how one for indices i, j running over the group A lot of technicalities remain to imple- can recover a short generator of a prin- Gm= (/ZZ)#. Since this matrix is G-circu- ment this approach. In particular, the do- cipal ideal from an arbitrary generator in lant, it can therefore be explicitly diagonal- main of the function f described above the particular case of cyclotomic number ized, and a lower-bound on the diagonal is the multiplicative group K#, while one fields. coefficients will provide an upper-bound 188 NAW 5/18 nr. 3 september 2017 Advances on quantum cryptanalysis of ideal lattices Léo Ducas

0 cvii- on the length of the dual vectors mi . very small fraction of all ideals, it is unclear is small, and all positive. Then bp= % i The eigenvalue m| associated to the char- whether this previous result has an impact will be an appropriate solution to CPM, up vcii- O()vc- 1 acter | : G " C of G is given by: on lattice-based cryptography beyond the to a factor FN==%()pi n few aforementioned atypical cryptosys- where x 1 = /|x | denotes the , -norm m| ~i i 1 | =-/ ()i log ||1 . tems [5, 17]. Indeed, most schemes are in- of . iG! x stead based on worst-case problems, and In general, there is no reason why CVP Using classical techniques of analytic num- are not affected by the presence of a small should be easy in the lattice K, which is ber theory (in this case, the Taylor series fraction of weak ideal lattices. not even explicitly known. Yet, by choos- of log, and separation of Gauss sums), the The obstacle ahead to attack non-prin- ing an appropriate factor basis, namely, above formula can be massaged to cipal ideals is the class group, the quotient a basis composed of all the Galois con-

m|||= fL$ (,1), of all ideals by the principal ones: jugates of a single ideal, one can on the contrary get a very explicit description of where f is the conductor of |, and L de- = | ClKKFP/.K the lattice K thanks to the classical theo- notes Dirichlet’s L-series. Lower bounds on The class of an ideal a 1 K in this quotient rem of Stickelberger [19]. It turns out that L-series at 1 have a very long history and is denoted []a ! Cl , and the neutral ele- one may easily explicitly construct a short play a crucial role in the study of the dis- K ment is []O (the class of principal ideals). basis of K. Again, this overview is highly tribution of prime numbers. For example, K This quotient is always finite, and in the simplified, and hides several technicalities, Landau proved that LO(,| 11)/$ ()log f | case of cyclotomic number fields, it has see [7]. for non-quadratic characters. With more ef- size about #Cl2= H()nnlog : the fraction fort, Cramer et al. [6] conclude on an upper K of principal ideals is super-exponentially Conclusion and open questions bound on m0 and then on u0 . i i small. There remain serious obstacles for this To generalize the previous result to approach to attack ideal lattice-based Extension to the worst-case non-principal ideals, the natural strategy cryptosystems. First the approximation fac- In addition, the article [6] also covers the consists in trying to find sub-ideals that tor a = exp((Onu )) is too large to affect performance of this strategy in the worst- are principal. More formally, Cramer, Ducas cryptographic schemes. Second, these al- case, that is when there is no guarantee of and Wesolowski [7] define the following gorithms are limited to ideal lattices (i.e. existence of a particularly short generator g, problem: module lattices of rank 1), while most cryp- by quantifying how good is the basis to U tosystems in fact use module lattices of solve CVP. This analysis is somewhat eas- Definition. The Close Principal Multiple rank 2 or more. ier as it concerns the length of the primal problem with approximation factor F Nevertheless, these recent works ques- vectors, whose length can be bounded us- (F-CPM) is defined as: tioned our understanding of the hardness ing the following finite integral: –– Given an ideal a 1 K, of lattice problems when using special 1 –– Find an integral ideal b such that ab is classes of lattices. We now know of a spe- # (|loge12- xp()-3rxd|)2 x < . cialized algorithm for relevant classes of principal (i.e. []ab = []OK ) and such that 0 b is a dense ideal: NFb # , structured lattices that outperforms generic Further efforts lead to a classical probabil- ones (see Figure 1). Alternatives to cycloto- where Nbb|= #(O /) denotes the alge- istic polynomial time algorithm that solves K mics ideal lattices are already being stud- braic norm (i.e. the sparsity) of the ideal b. a-SGP for sub-exponential a = exp((Onu )). ied [2, 3, 13] from various point of view: Combined with the previous algorithm of complexity theory, concrete cryptographic Combining algorithm for F-CPM with Biasse and Song for PIP [4], this provides design and cryptanalysis. the previous algorithms provides solution a solution to a-SVP in quantum polynomi- There are many cases where the volume to a-SVP over non-principal ideals within al time over principal ideal lattices in the of the log-unit lattice (the regulator) and approximation factor: worst case, outperforming the best known the lattice of class relation (the class num- generic algorithms LLL and BKZ. a = FO1/n $ exp((u n)). ber) is well understood. We have seen here Finally, it is also shown in [6] that this that in the case of cyclotomic number field, result is roughly optimal: there exist many In this section, we will sketch how this CPM much more can be said about those lattic- 32/ ideals for which the shortest generator g is problem was solved for FO= exp((u n )), es (known good bases, covering radius,...). much larger than the shortest vector, by a which leads to a similar SVP approximation Generalizing this geometric analysis to oth- factor exp((Onu )). This is established by a factor a = exp((Onu )) as in the principal er number fields seems to be an interest- lower bound on the covering radius of the case. Consider a factor basis of prime ideals ing mathematical problem, with potential # Bp= {,f,}p that are dense (Nnp # O()1 ) lattice Log OK. Lowering the SVP approxi- 1 d i cryptanalytic implications. s mation factor reachable in polynomial time and the morphism: will necessarily require algorithms that are e zz:CZd " l, ()e = p i . not limited to finding generators. K 7% i A Assuming that z is surjective, we can re- Acknowledgments The author wishes to express his gratitude to Short vectors in arbitrary ideals phrase CPM as a CVP problem in the lattice Koen de Boer, Fang Song and Benjamin We- Considering that the previous result only of class relations K = ker z. Indeed, consid- solowski for their precious comments on drafts applies to principal ideals, which form a er v ! z-1 ([a]), and c ! K such that cv- of this article. Léo Ducas Advances on quantum cryptanalysis of ideal lattices NAW 5/18 nr. 3 september 2017 189

References 1 M. Ajtai, Generating hard instances of the 7 R. Cramer, L. Ducas and B. Wesolowski, 13 C. Peikert, O. Regev and N. Stephens-Dav- short basis problem, ICALP 1999. Short Stickelberger class relations and ap- idowitz, Pseudorandomness of Ring-LWE for 2 J. Bauch, D. J. Bernstein, H. de Valence, T. Lange plication to ideal-SVP, Eurocrypt 2017. any ring and modulus, STOC 2017. and C. van Vredendaal, Short generators 8 K. Eisenträger, S. Hallgren, A. Kitaev and F. 14 O. Regev, On lattices, learning with errors, without quantum computers: The case of Song, A quantum algorithm for computing random linear codes, and cryptography, multiquadratics, Eurocrypt 2017. the unit group of an arbitrary degree num- STOC 2005. 3 D. J. Bernstein, C. Chuengsatiansup, T. Lange ber field, STOC 2014. 15 C.-P. Schnorr, A hierarchy of polynomial time and C. van Vredendaal, NTRU Prime, Preprint 9 J. Hoffstein, J. Pipher and J. H. Silverman, lattice basis reduction algorithms, Theoreti- 2016. NTRUSIGN: Digital signatures using the cal Computer Science 53(2) (1987). 4 J.-F. Biasse and F. Song, A polynomial time NTRU lattice, CT-RSA 2003. 16 P. W. Shor, Algorithms for quantum compu- quantum algorithm for computing class 10 P. Klein, Finding the closest lattice vector tation: Discrete logarithms and factoring, groups and solving the principal ideal prob- when it’s unusually close, SODA 2000. FOCS 1994. lem in arbitrary degree number fields, SODA 11 A. K. Lenstra, H. W. Lenstra and L. Lovàsz, 17 N. P. Smart and F. Vercauteren, Fully homo- 2016. Factoring polynomials with rational coef- morphic encryption with relatively small key 5 Peter Campbell, Michael Groves and Dan ficients, Mathematische Annalen 261(4) and ciphertext sizes, PKC 2010. Shepherd, Soliloquy: A cautionary tale, ETSI (1982). 18 D. Stehlé, R. Steinfeld, K. Tanaka and K. 2nd Quantum-Safe Crypto Workshop, 2014. 12 M. Daniele, The shortest vector in a lattice Xagawa, Efficient public key encryption 6 R. Cramer, L. Ducas, C. Peikert and O. Regev, is hard to approximate to within some con- based on ideal lattices, Asiacrypt 2009. Recovering short generators of principal ide- stant, SIAM Journal on Computing 30(6) 19 L. C. Washington, Introduction to Cyclotomic als in cyclotomic rings, Eurocrypt 2016. (2001). Fields, Springer, 1997.