Whilst lattice-based cryptosystems are believed to be resistant to quantum attack, they are often forced to pay for that security with inefficiencies in implementation. This problem is overcome by ring- and module-based schemes such as Ring-LWE or Module-LWE, whose keysize can be reduced by exploiting its algebraic structure, allowing for neater and faster computations. Many rings may be chosen to define such cryptoschemes, but cyclotomic rings, due to their cyclic nature allowing for easy multiplication, are the community standard. However, there is still much uncertainty as to whether this structure may be exploited to an adversary's benefit. In this paper, we show that the decomposition group of a cyclotomic ring of arbitrary conductor may be utilised in order to significantly decrease the dimension of the ideal (or module) lattice required to solve a given instance of SVP. Moreover, we show that there exist a large number of rational primes for which, if the prime ideal factors of an ideal lie over primes of this form, give rise to an "easy" instance of SVP. However, it is important to note that this work does not break Ring-LWE or Module-LWE, since the security reduction is from worst case ideal or module SVP to average case Ring-LWE or Module-LWE respectively, and is one way.
翻译:虽然据信基于拉蒂的加密系统对量子攻击有抗力,但它们往往被迫为这种安全付出代价,执行效率低下。这个问题通过环状和模块式计划,如环式LWE或模块-LWE(其关键大小可以通过利用代数结构减少,从而进行更清洁和更快的计算)来克服。许多环可以选择来定义这种加密化学,但环状环状环,因为它们的周期性性质允许容易的倍增,是社区的标准。然而,对于这一结构是否可以被利用来为对手的利益服务,还存在着很大的不确定性。在本文中,我们表明,任意导体环状环的分解组可以通过利用其代数,从而大大降低理想(或模块)的尺寸,从而解决SVP的某个实例。此外,我们表明,由于这些圆形的周期性周期性周期性,如果理想性的最佳因素存在于这一形式之上,那么这种结构是否会被利用为对手的利益所取代。我们表明,自SWE-P的“最坏的”或“最坏的”模式,因此,SWE-WE-B-B-S-B-B-B-B-B-B-B-B-B-B-B-B-B-B-B-B-B-B-B-B-B-B-B-B-B-B-B-B-SWE-SWE-S-S-S-S-S-S-S-S-S-S-B-S-S-S-B-B-B-B-S-S-B-S-S-S-S-B-S-S-S-S-S-S-WE-S-S-S-S-S-S-S-V-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-V-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-S-V-S-S-S-S-S-S-S-S-S-S-S-S-S-S
相关内容
微信扫码咨询专知VIP会员