A fast algorithm for finding a short generator of a principal ideal of $\mathbb{Q}(\zeta_{p^s})$

TL;DR

This paper introduces a heuristic algorithm for efficiently finding short generators of principal ideals in cyclotomic fields, impacting cryptographic schemes based on ideal class groups.

Contribution

It presents a novel heuristic algorithm with improved complexity for computing principal ideal generators, enabling practical attacks on certain cryptographic schemes.

Findings

Algorithm runs in time 2^{O(n^{1/2+ε})}

Practical improvements and variants are described

Breaks schemes relying on the hardness of finding short generators

Abstract

We present a heuristic algorithm to compute the ideal class group, and a generator of a principal ideal in $\mathbb{Q}(\zeta_{p^s})$ in time $2^{O(n^{1/2+\varepsilon})}$ for $n:= deg(K)$ and arbitrarily small $\varepsilon$. This yields an attack on the schemes relying on the hardness of finding a short generator of a principal ideal such as such as the homomorphic encryption scheme of Vercauteren and Smart, and the multilinear maps of Garg, Gentry and Halevi. We rely on the work from Cramer, Ducas, Peikert and Regev. They proved that finding a short generator polynomially reduces to finding an arbitrary one. The complexity is better than when we rely on the work of Biasse and Fieker on the PIP, which yields an attack in time $2^{n^{2/3+\varepsilon}}$ for arbitrarily small $\varepsilon >0$. $\textbf{Since Sep. 30 2016}$ We present practical improvements to our methods. Moreover, we describe a variant that solves the PIP on input ideal $I$ of norm less than $2^{n^b}$ in time $2^{O\left(n^{c+o(1)}\right)}$ for $2/5 < c < 1/2$ and $b\leq 7c -2$ given a one time precomputation of cost $2^{O(n^{2-3c+\varepsilon})}$ for an arbitrarily small $\varepsilon$. This also solves $\gamma$-SVP in principal ideals of $\mathbb{Q}(\zeta_{p^s})$ for $\gamma\in e^{\tilde{O}(\sqrt{n})}$. On principal ideals of norm less than $2^{n^b}$, we can leverage the precomputation to achieve a better asymptotic run time than the BKZ algorithm.