Principal ideal problem and ideal shortest vector over rational primes in power-of-two cyclotomic fields

TL;DR

This paper introduces a new method to analyze the shortest vector length in prime ideals over power-of-two cyclotomic fields, providing precise characterizations and tighter bounds relevant to lattice-based cryptography.

Contribution

It presents a novel approach to determine shortest vector lengths in prime ideals, improving upon previous lattice basis analysis and deriving tighter bounds.

Findings

New method for shortest vector analysis in prime ideals

Precise characterization for p ≡ 7, 9 mod 16

Tighter upper bound for shortest vector length

Abstract

The shortest vector problem (SVP) over ideal lattices is closely related to the Ring-LWE problem, which is widely used to build post-quantum cryptosystems. Power-of-two cyclotomic fields are frequently adopted to instantiate Ring-LWE. Pan et al. (EUROCRYPT~2021) explored the SVP over ideal lattices via the decomposition fields and, in particular determined the length of the shortest vector in prime ideals lying over rational primes $p\equiv3,5\pmod{8}$ in power-of-two cyclotomic fields via explicit construction of reduced lattice bases. In this work, we first provide a new method (different from analyzing lattice bases) to analyze the length of the shortest vector in prime ideals in $\mathbb{Z}[\zeta_{2^{n+1}}]$ when $p\equiv3,5\pmod{8}$. Then we precisely characterize the length of the shortest vector in the cases of $p\equiv7,9\pmod{16}$. Furthermore, we derive a new upper bound $\sqrt[4]{2^{2n+1}p}$ for this length, which is tighter than the bound $2^n\sqrt[4]{p}$ obtained from Minkowski's theorem. Our key technique is to investigate whether a generator of a principal ideal can achieve the shortest length after embedding as a vector. If this holds for the ideal, finding the shortest vector in this ideal can be reduced to finding its shortest generator.