NTNov 12, 2021
Reduction Theory of Algebraic Modules and their Successive MinimaChristian Porter, Cong Ling
Lattices defined as modules over algebraic rings or orders have garnered interest recently, particularly in the fields of cryptography and coding theory. Whilst there exist many attempts to generalise the conditions for LLL reduction to such lattices, there do not seem to be any attempts so far to generalise stronger notions of reduction such as Minkowski, HKZ and BKZ reduction. Moreover, most lattice reduction methods for modules over algebraic rings involve applying traditional techniques to the embedding of the module into real space, which distorts the structure of the algebra. In this paper, we generalise some classical notions of reduction theory to that of free modules defined over an order. Moreover, we extend the definitions of Minkowski, HKZ and BKZ reduction to that of such modules and show that bases reduced in this manner have vector lengths that can be bounded above by the successive minima of the lattice multiplied by a constant that depends on the algebra and the dimension of the module. In particular, we show that HKZ reduced bases are polynomially close to the successive minima of the lattice in terms of the module dimension. None of our definitions require the module to be embedded and thus preserve the structure of the module.
CRMay 7, 2021
Subfield Algorithms for Ideal- and Module-SVP Based on the Decomposition GroupChristian Porter, Andrew Mendelsohn, Cong Ling
Whilst lattice-based cryptosystems are believed to be resistant to quantum attack, they are often forced to pay for that security with inefficiencies in implementation. This problem is overcome by ring- and module-based schemes such as Ring-LWE or Module-LWE, whose keysize can be reduced by exploiting its algebraic structure, allowing for faster computations. Many rings may be chosen to define such cryptoschemes, but cyclotomic rings, due to their cyclic nature allowing for easy multiplication, are the community standard. However, there is still much uncertainty as to whether this structure may be exploited to an adversary's benefit. In this paper, we show that the decomposition group of a cyclotomic ring of arbitrary conductor can be utilised to significantly decrease the dimension of the ideal (or module) lattice required to solve a given instance of SVP. Moreover, we show that there exist a large number of rational primes for which, if the prime ideal factors of an ideal lie over primes of this form, give rise to an "easy" instance of SVP. It is important to note that the work on ideal SVP does not break Ring-LWE, since its security reduction is from worst case ideal SVP to average case Ring-LWE, and is one way.