Subfield Algorithms for Ideal- and Module-SVP Based on the Decomposition Group
Christian Porter, Andrew Mendelsohn, Cong Ling

TL;DR
This paper explores how the decomposition group of cyclotomic rings can be used to reduce the complexity of solving SVP, revealing potential vulnerabilities in lattice-based cryptography.
Contribution
It introduces a method leveraging the decomposition group of cyclotomic rings to lower the dimension of ideal lattices needed for SVP solutions, impacting cryptographic security.
Findings
The decomposition group can significantly reduce the dimension of the ideal lattice required to solve SVP.
For many primes, SVP instances become easier when the factors of the ideal lie over those primes.
The work does not compromise Ring-LWE security, because Ring-LWE's hardness rests on a reduction from worst-case SVP.
Abstract
Whilst lattice-based cryptosystems are believed to be resistant to quantum attack, they are often forced to pay for that security with inefficiencies in implementation. This problem is overcome by ring- and module-based schemes such as Ring-LWE or Module-LWE, whose keysize can be reduced by exploiting their algebraic structure, allowing for faster computations. Many rings may be chosen to define such cryptoschemes, but cyclotomic rings, due to their cyclic nature allowing for easy multiplication, are the community standard. However, there is still much uncertainty as to whether this structure may be exploited to an adversary's benefit. In this paper, we show that the decomposition group of a cyclotomic ring of arbitrary conductor can be utilised to significantly decrease the dimension of the ideal (or module) lattice required to solve a given instance of SVP. Moreover, we show that there…
Taxonomy
Topics: Cryptography and Data Security · Coding theory and cryptography · Cryptographic Implementations and Security
