Revisiting the Gentry-Szydlo Algorithm

(1)

H. W. Lenstra1_{and A. Silverberg}2? 1

Mathematisch Instituut Universiteit Leiden

The Netherlands

[email protected]

2

Department of Mathematics University of California, Irvine

Irvine, CA, USA

[email protected]

Abstract. We put the Gentry-Szydlo algorithm into a mathematical framework, and show that it is part of a general theory of “lattices with symmetry”. For large ranks, there is no good algorithm that decides whether a given lattice has an orthonormal basis. But when the lattice is given with enough symmetry, we can construct a provably deterministic polynomial time algorithm to accomplish this, based on the work of Gentry and Szydlo. The techniques involve algorithmic algebraic number theory, analytic number theory, commutative algebra, and lattice basis reduction. This sheds new light on the Gentry-Szydlo algorithm, and the ideas should be applicable to a range of questions in cryptography.

Keywords: lattices, Gentry-Szydlo algorithm, ideal lattices, lattice-based cryptogra-phy

1 Introduction

In§7 of [6], Gentry and Szydlo introduced some powerful new ideas that com-bined in a clever way lattice basis reduction and number theory. They used these ideas to cryptanalyze NTRU Signatures. The recent interest in Fully Homomor-phic Encryption (FHE) and in the candidate multilinear maps of Garg-Gentry-Halevi [2] bring the Gentry-Szydlo results once again to the fore. Gentry’s first FHE scheme [3] used ideal lattices, as have a number of subsequent schemes. Fully Homomorphic Encryption is performed more efficiently with ideal lattices

?_{This material is based on research sponsored by DARPA under agreement numbers}

(2)

than with general lattices. However, ideal lattices are special, with much struc-ture (“symmetries”) that has the potential to be exploited. In his thesis [4], Gentry mentions that the Gentry-Szydlo attack on NTRU signatures can be used to attack principal ideal lattices in the ring _Z[X]/(Xn₋_{1), if the lattice} has an orthonormal basis.

As Gentry pointed out [5], the Gentry-Szydlo algorithm “seems to be a rather crazy, unusual combination of LLL with more ‘algebraic’ techniques. It seems like it should have more applications—e.g., perhaps to breaking or weakening ideal lattices.” Generalizing or improving the Gentry-Szydlo algorithm would po-tentially affect the security of all cryptography that is built from ideal lattices, or whose security is based on hard problems for ideal lattices. Candidate mul-tilinear maps were recently cryptanalyzed using the Gentry-Szydlo algorithm. As remarked by Garg, Gentry, and Halevi in [2], their “new algebraic/lattice attacks are extensions of an algorithm by Gentry and Szydlo, which combines lattice reduction and Fermat’s Little Theorem in a clever way to solve a relative norm equation in a cyclotomic field.”

The Gentry-Szydlo algorithm has been viewed by some as magic [11]. In this paper we revisit the algorithm and put it in a mathematical framework, in order to make it easier to understand, generalize, and improve on. That should help make it more widely applicable in cryptographic applications. We embed the algorithm in a wider theory that we refer to as “lattices with symmetry”.

The algorithm of Gentry and Szydlo can be viewed as a way to find an orthonormal basis (if one exists) for an ideal lattice. Determining whether a lattice has an orthonormal basis is a difficult algorithmic problem that is easier when the lattice has many symmetries. In this paper we solve this problem when the lattice comes with a sufficiently large abelian group of automorphisms, and we show how the Gentry-Szydlo algorithm is a special case of this result.

Our algorithm runs in deterministic polynomial time, whereas [6] relies on a probabilistic algorithm. Also, our setting is more general (our theory applies to arbitrary finite abelian groups, where [6] considers only cyclic groups of odd prime order), thereby covering other cases of potential cryptographic interest.

Briefly, our main result is as follows (see§2 for background information). IfG is a finite abelian group andu∈Ghas order 2, define aG-lattice to be a lattice Lwith a group homomorphismG→Aut(L) that takesuto−1. The “standard” G-lattice is the modified group ring_ZhGi=_Z[G]/(u+ 1). AG-isomorphism is an isomorphism of lattices that respects theG-actions.

Theorem 1.1 There is a deterministic polynomial time algorithm that, given a finite abelian group G, an element u ∈ G of order 2, and a G-lattice L, decides whether L and ZhGi are G-isomorphic, and if they are, exhibits a G

-isomorphism.

(3)

Gentry’s and Szydlo’s polynomial chains. In§7 of [6], taking powers of an ideal in the ringR=_Z[X]/(Xn₋_{1) required complicated bookkeeping, via polynomial} chains and lattice basis reduction to avoid coefficient blow-up. We do away with this, by using the module structure of the ideal, rather than its ideal structure. More precisely, an ideal in a commutative ring R is the same as an R-module M along with an embeddingM ,→R ofR-modules. While Gentry and Szydlo use the embedding, we observe that one can avoid coefficient blow-up by using the module structure of M but not the actual embedding. We replace ideal multiplication with tensor products of lattices.

In §2 we introduce the concept of a G-lattice, and in §2.3 we show that Theorem 1.1 implies the result of Gentry and Szydlo. In §3–§4 we introduce invertibleG-lattices, of which the ideal lattices considered by Gentry and Szydlo are examples, and give the concepts and results that we use to state our new algorithm and prove its correctness. We explicitly present the algorithm in§5.

2 G

-lattices and the modified group ring

In this section we explain some notation and concepts that we use in our main result.

2.1 Lattices and G-lattices

We first give some background on lattices (see also [10]), and introduce G -lattices.

Definition 2.1 A lattice or integral lattice is a finitely generated abelian groupL with a maph ·,· i:L×L→Zthat is

– bilinear: hx, y+zi = hx, yi+hx, zi and hx+y, zi = hx, zi+hy, zi for all

x, y, z∈L,

– symmetric:hx, yi=hy, xifor all x, y∈L, and

– positive definite:hx, xi>0 if 06=x∈L.

As a group,Lis isomorphic to_Zn _{for some}_n_{, which is called the}_rank_of_L_. In algorithms, a lattice is specified by a Gram matrix (hbi, bji)ni,j=1 associated to aZ-basis{b1, . . . , bn}.

Definition 2.2 The standard lattice of rank n is L = Zn with hx, yi =

Pn

i=1xiyi. Its Gram matrix is then×n identity matrixIn.

(4)

Definition 2.4 An isomorphism L−∼→M of lattices is a group isomorphism

ϕ : L −∼→ M that respects the lattice structures, i.e., hϕ(x), ϕ(y)i = hx, yi for all x, y ∈ L. If such a map ϕ exists, then L and M are isomorphic lattices. An automorphism of a lattice L is an isomorphism from L onto itself. The set of automorphisms of L is a finite group Aut(L) whose center contains −1

(represented by −In).

In algorithms, isomorphisms are specified by their matrices on the given bases ofLandM.

Examples 2.5 (i) “Random” lattices haveAut(L) ={±1}.

(ii) LettingSn denote the symmetric group onnletters andodenote semidirect

product, then Aut(Zn) ∼= {±1}n

oSn. (The standard basis vectors can be

permuted, and negatives taken.)

(iii) If L is the equilateral triangular lattice in the plane, then Aut(L) is the symmetry group of the regular hexagon, which is a dihedral group of order

12.

From now on, suppose thatGis a finite abelian group, and u∈Gis a fixed element of order 2.

Definition 2.6 AG-latticeis a latticeLtogether with a group homomorphism

f :G→Aut(L)such thatf(u) =−1. For each σ∈Gandx∈L, defineσx∈L

by σx=f(σ)(x).

The abelian groupGis specified by a multiplication table. The G-latticeL is specified as a lattice along with, for each σ ∈ G, the matrix describing the action ofσonL.

Definition 2.7 If L andM are G-lattices, then a G-isomorphism is an iso-morphismϕ:L−∼→M of lattices that respects theG-actions, i.e.,ϕ(σx) =σϕ(x)

for all x∈L and σ∈G. If such an isomorphism exists, we say that L and M

are G-isomorphic, or isomorphic as G-lattices.

2.2 The Modified Group Ring ZhGi

We define a modified group ring AhGiwhenever A is a commutative ring. We will usually takeA=Z, but will also takeA=Z/mZ. We considerAhGirather

than the standard group ringA[G], sinceG-lattices becomeZhGi-modules. Also,

it allows us to include the cyclotomic ringsZ[X]/(X2

k

+ 1) in our theory. The group ringA[G] is the set of formal sums P

σ∈Gaσσwithaσ∈A, with addition defined by

X

σ∈G aσσ+

X

σ∈G bσσ=

X

σ∈G

(5)

and multiplication defined by (X

σ∈G aσσ)(

X

τ∈G bττ) =

X

ρ∈G (X

στ=ρ aσbτ)ρ.

For example, ifGis a cyclic group of ordermandg is a generator, then as rings

Z[X]/(Xm−1)∼=Z[G] via the mapPm−i=01aiXi 7→Pm− 1 i=0 aigi.

Definition 2.8 If Ais a commutative ring, then writing 1for the identity ele-ment of the groupG, we define the modified group ring

AhGi=A[G]/(u+ 1).

EveryG-lattice is aZhGi-module, where one uses theG-action onLto define

ax wheneverx∈Landa∈ZhGi.

Definition 2.9 Define thescaled trace functiont:AhGi →A by

t(X σ∈G

aσσ) =a1−au.

Then t is the (additive) group homomorphism satisfying t(1) = 1, t(u) = −1, andt(σ) = 0 ifσ∈Gand σ6= 1, u.

Definition 2.10 Fora=P

σ∈Gaσσ∈AhGi, definea=Pσ∈Gaσσ−1.

The map a 7→ a is a ring automorphism of AhGi. Since a = a, it is an involution. (An involution is a map that is its own inverse.) In practice, this map plays the role of complex conjugation.

Remark 2.11 If L is a G-lattice and x, y ∈ L, then hσx, σyi= hx, yi for all

σ∈G. It follows thathax, yi=hx, ayifor alla∈_ZhGi.

Definition 2.12 Forx, y∈ZhGidefine hx, yiZhGi=t(xy). Letn=|G|/2∈Z.

Definition 2.13 Let S be a set of coset representatives ofG/hui(i.e., #S=n

andG=StuS), and for simplicity take S so that 1∈S.

The following result is straightforward.

Proposition 2.14 (i) The additive group of the ring _ZhGi is a G-lattice of rank n, with lattice structure defined by hx, yi_ZhGi andG-action defined by σx=σxwhere the right-hand side is ring multiplication in_ZhGi.

(ii) As lattices,ZhGi ∼=Zn.

(iii) ZhGi={Pσ∈Saσσ:aσ∈Z}=Lσ∈SZσandt( P

(6)

Example 2.16 Suppose G=H× huiwith H ∼=Z/nZ. Then ZhGi ∼=Z[H]∼= Z[X]/(Xn−1)as rings and as lattices. Whennis odd (soGis cyclic), then (by

sendingX to−X) we have_ZhGi ∼=Z[X]/(Xn−1)∼=Z[X]/(Xn+ 1).

Remark 2.17 The ring ZhGi is an integral domain (i.e., no zero divisors) if

and only if G is cyclic and n is a power of 2. If G is cyclic of order 2r_{, then}

ZhGi ∼=Z[ζ2r].

2.3 Ideal Lattices

Example 2.18 SupposeI is an ideal in the ring ZhGiandw∈ZhGi. Suppose

thatII =ZhGi ·wandψ(w)∈R>0for all ring homomorphismsψ:ZhGi →C.

It follows that the ideal I has finite index in ZhGi, that w=w, and thatw is

not a zero divisor. Define the G-lattice L(I,w) to be I with G-action given by

multiplication in ZhGi, and with lattice structure defined by

hx, yiI,w =t _xy

w

with t as in Definition 2.9. (Note that xy_w ∈ ZhGi since w generates the ideal

II.) In particular,L(_ZhGi,1)=ZhGi.

The lattice L(I,w) is G-isomorphic to ZhGi if and only if there exists v ∈ ZhGi such that I = (v)and w =vv. Further, knowing such a G-isomorphism

is equivalent to knowing v. More precisely, v is the image of 1 under a G -isomorphism _ZhGi −∼→L(I,w), and w =vv if and only if hav, bviI,w =t(ab) = ha, bi_Z_hGi for alla, b∈_ZhGi. Thus, findingv fromI andvv in polynomial time is equivalent to finding aG-isomorphism_ZhGi−∼→L(I,w) in polynomial time.

The point of dividing bywin the definition ofhx, yiI,w is to make the lattice

Lunimodular. It follows that when we take tensor powers ofLoverZhGi, as we

will do in§3 below, there will be no coefficient blow-up.

We next show how to recover the Gentry-Szydlo result from Theorem 1.1. The Gentry-Szydlo algorithm finds a generatorv of an idealI of finite index in the ring R =_Z[X]/(Xn₋_{1), given} _vv_{, a}

Z-basis for I, and a “promise” that

v exists. Here, n is an odd prime, and for v = v(X) = Pn−_i₌₀1aiXi ∈ R, its “reversal” isv =v(X−1_{) =}_a0₊Pn−1

i=1 an−iXi ∈ R.We takeG to be a cyclic group of order 2n. Then R∼=ZhGias in Example 2.16, and we identifyR with ZhGi. Let w=vv∈ZhGiand letL=L(I,w) as above. ThenLis the “implicit orthogonal lattice” in§7.2 of [6]. Once you know aZ-basis forIandw, you know

L. Theorem 1.1 produces aG-isomorphismZhGi−∼→Lin polynomial time, and

thus gives a generator vin polynomial time.

3 Invertible

G

-lattices, short vectors, and the tensor

algebra

Λ

(7)

3.1 Invertible G-lattices

Definition 3.1 IfLis aG-lattice, then theG-latticeLis a lattice equipped with a lattice isomorphism L−∼→L,x7→xand a group homomorphismG→Aut(L)

defined byσx=σ−1_x₌_σx_{for all}_σ_∈_G_and_x_∈_L_{, i.e.,}_σx₌_{σ x}_. Definition 3.2 If Lis aG-lattice, define the lifted inner product

·:L×L→ZhGi by x·y=

X

σ∈S

hx, σyiσ∈ZhGi.

Then

hx, yi=t(x·y) (1) andx·y=y·x. This lifted inner product isZhGi-bilinear, i.e., (ax)·y=x·(ay) =

a(x·y) for alla∈ZhGiand allx, y∈L.

Example 3.3 IfL=_ZhGi, thenL=_ZhGiwith having the same meaning as in Definition 2.10 for A=_Z, and with· being multiplication in_ZhGi.

Definition 3.4 AG-latticeLisinvertibleif the following three conditions all hold:

(i) rank(L) =n=|G|/2;

(ii) Lis unimodular (see Definition 2.3);

(iii) for each m ∈ _Z>0 there exists em ∈ L such that {σem+mL : σ ∈ G}

generates the abelian groupL/mL.

Example 3.5 If aG-latticeLisG-isomorphic to the standardG-lattice thenL

is invertible. For (iii), observe that the group_ZhGiis generated by{σ1 :σ∈G}, so the group Lis generated by{σe:σ∈G} whereeis the image of1 under the isomorphism. Now let em=efor all m.

Remark 3.6 In the full version of the paper we will show that a G-lattice L

is invertible if and only if there is a _ZhGi-moduleM such that L⊗_Z_hGiM and

ZhGiare isomorphic asZhGi-modules andL is unimodular. (See Chapter XVI

of [8] for tensor products.) We will also show that this is equivalent to the map

ϕ : L⊗_ZhGiL → ZhGi defined by ϕ(x⊗y) = x·y being an isomorphism of ZhGi-modules. Further,Lis invertible if and only ifLisG-isomorphic toL(I,w)

for someI andw as in Example 2.18.

(8)

3.2 Short vectors

Definition 3.7 We will say that a vector ein an integral lattice L isshort if

he, ei= 1.

Example 3.8 The short vectors in the standard lattice of rank n are the 2n

signed standard basis vectors{(0, . . . ,0,±1,0, . . . ,0)}. Thus, the set of short vec-tors in ZhGi isG.

Proposition 3.9 SupposeL is an invertibleG-lattice. Then:

(i) ifeis short, then{σ∈G:σe=e}={1};

(ii) ifeis short, then he, σei is1if σ= 1, is−1 ifσ=u, and is0for all other

σ∈G;

(iii) e∈Lis short if and only ife·e= 1, with inner product·defined in Definition 3.2.

Proof. Supposee∈Lis short. LetH ={σ∈G:σe=e}. For allσ∈G, by the Cauchy-Schwarz inequality we have |he, σei| ≤ (he, eihσe, σei)1/2 ₌_h_{e, e}_i _{= 1}_, and |he, σei|= 1 if and only if e and σe lie on the same line through 0. Thus he, σei ∈ {1,0,−1}. Thenhe, σei= 1 if and only if σ∈ H. Also, he, σei =−1 if and only if σe=−e if and only if σ∈Hu. Otherwise,he, σei= 0. Thus for (i,ii), it suffices to proveH ={1}.

LetT be a set of coset representatives for GmodHhui and letS =T·H, a set of coset representatives forGmodhui. If a=P

σ∈Saσσ∈(Z/mZ)hGiis

fixed byH, thenaτ σ=aσfor allσ∈Sandτ ∈H, soa∈(P_τ∈Hτ)(Z/mZ)hGi.

Let m = |H|. By Definition 3.4(iii), there is a Z[H]-module isomorphism

L/mL∼= (Z/mZ)hGi. The latter is a free module over (Z/mZ)[H] with basisT.

Sincee+mL∈(L/mL)H _{we have}_e₌_mε1_{+ (}P

τ∈Hτ)ε2withε1, ε2∈L. Since he, τ ε2i=hτ e, τ ε2i=he, ε2ifor allτ∈H, we have

1 =he, ei=mhe, ε1i+X τ∈H

he, τ ε2i=mhe, ε1+ε2i ≡0 modm.

Thus,m= 1 as desired. Part (iii) follows directly from (ii) and Definition 3.2. This enables us to prove the following result.

Proposition 3.10 SupposeL is aG-lattice. Then:

(i) ifL is invertible, then the map

{G-isomorphisms_ZhGi →L} → {short vectors of L}

that sendsf tof(1)is bijective;

(ii) ife∈Lis short and Lis invertible, then{σe:σ∈G} generates the abelian groupL;

(9)

(iv) ife∈Lis short andL is invertible, then the mapG→ {short vectors of L}

defined byσ7→σeis bijective.

Proof. For (i), thatf(1) is short is clear. Injectivity of the mapf 7→f(1) follows fromZhGi-linearity ofG-isomorphisms. For surjectivity, supposee∈Lis short.

Proposition 3.9(ii) says that{σe}σ∈Sis an orthonormal basis forL. Parts (ii) and (i) now follow, where theG-isomorphismfis defined byx7→xefor allx∈ZhGi.

Part (iii) follows from (i) and Example 3.5. For (iv), injectivity follows from Proposition 3.9(i). For surjectivity, supposee0 ∈Lis short. TakeG-isomorphisms f andf0 withf(1) =eandf0(1) =e0 as in (i), and letσ=f−1◦f0(1). Thenσ is a short vector inZhGisuch thatσe=e0. By Example 3.8 we haveσ∈G.

3.3 The Witt-Picard group

IfL andM are invertible G-lattices, then theZhGi-moduleL⊗ZhGiM is aG

-lattice with lifted inner product (x⊗v)·(y⊗w) = (x·y)(v·w), for allx, y∈L andv, w∈M, and with lattice structureha, bi=t(a·b) for alla, b∈L⊗_ZhGiM. In the notation of Example 2.18 we have

L(I1,w1)⊗ZhGiL(I2,w2)=L(I1I2,w1w2),

whereI1I2 is the product of ideals.

Definition 3.11 IfLis an invertibleG-lattice, let[L]denote itsG-isomorphism class, i.e., the class of all G-lattices that areG-isomorphic toL. We define the

Witt-Picard group of ZhGi to be the set of all G-isomorphism classes of

invertible G-lattices, with group operation defined by [L]·[M] = [L⊗_ZhGiM],

with identity element [_ZhGi], and with [L]−1_{= [}_L_]_.

The Witt-Picard group is a finite abelian group. When computing in the Witt-Picard group, one can apply a lattice basis reduction algorithm when-ever the numbers get too large. More precisely, algorithmically we represent an invertible G-lattice M by letting M = Zn as an abelian group,

specify-ing a group homomorphism G→ GL(n,Z) giving the action of G onM, and

giving data describing the map · : M ×M → ZhGi; the lattice structure is

then given by ha, bi = t(a·b) for all a, b ∈ M. If M1 and M2 are invertible G-lattices, m1, m2 ∈ Z>0, and di ∈ Mi/miMi for i = 1,2, one can compute (M1⊗_ZhGiM2, d1⊗d2) in polynomial time. Also, there is a deterministic poly-nomial time algorithm that, given M and given d ∈ M/mM, produces a pair (M0, d0) and a G-isomorphism (M, d)→ (M0, d0) such that the standard basis ofM0₌

Zn is LLL-reduced (and thus each entry of the Gram matrix is at most

2n−1_{in absolute value, by Lemma 3.12 below). This in fact proves the finiteness} of the Witt-Picard group.

IfL=L(I,w)for someI and was in Example 2.18, and j ∈Z>0, then [L]j is the G-isomorphism class of L(Ij_,wj₎. One can compute [L]j in deterministic

(10)

Lemma 3.12 If{b1, . . . , bn}is an LLL-reduced basis for an integral unimodular

latticeL and{b∗₁, . . . , b∗_n}is its Gram-Schmidt orthogonalization, then

21−i≤ |b∗_i|2_≤₂n−i

and|bi|2_≤₂n−1 _{for all}_i_{∈ {1}_{, . . . , n}_}_.

Proof. Being LLL-reduced means thatbi =b∗i + Pi−1

j=1µijb∗j with|µij| ≤ 1₂ for allj < i≤n, and|b∗

i|2≤2|b∗i+1|2 for alli < n. Thus for 1≤j ≤i≤nwe have |b∗_i|2_≤₂j−i_|_b∗

j|2, so for alliwe have

21−i|b∗1|2≤ |bi∗|2≤2n−i|b∗n|2. Since L is integral we have |b∗

1|2 = |b1|2 = hb1, b1i ≥ 1, so |b∗i|2 ≥ 21−i. LettingLi =

Pi

j=1Zbj, then|b∗i|= det(Li)/det(Li−1). SinceL is integral and unimodular, |b∗n| = det(Ln)/det(Ln−1) = 1/det(Ln−1) ≤ 1, so |b∗i|

2 _≤ ₂n−i_. Since{b∗_i}is orthogonal we have

|bi|2=|b∗i| 2₊

i−1 X

j=1

µ2_ij|b∗_j|2_≤₂n−i₊1 4

i−1 X

j=1 2n−j

= 2n−i+ (2n−2−2n−i−1) = 2n−2+ 2n−i−1≤2n−1.

3.4 The extended tensor algebra Λ

We are now ready to introduce the extended tensor algebra Λ in which our computations take place. Suppose L is an invertible G-lattice. Letting L⊗0 =

ZhGiand lettingL⊗m=L⊗ZhGi· · · ⊗ZhGiL (m times) andL

⊗(−m)₌_L⊗m₌ L⊗_ZhGi· · · ⊗ZhGiLfor allm∈Z>0, define the extended tensor algebra

Λ = M

i∈Z

L⊗i = . . .⊕L⊗3⊕L⊗2⊕L⊕ZhGi ⊕L⊕L⊗2⊕L⊗3⊕. . .

(“extended” because we extend the usual notion to include negative exponents L⊗(−m)_{). Each}_L⊗i _{is an invertible}_G_{-lattice, and represents [}_L_]i_{. For simplicity,} we denoteL⊗i_by_Li_{. The ring structure on}_Λ_{is defined as the ring structure on} the tensor algebra, supplemented with the lifted inner product·. The following result is straightforward.

Proposition 3.13 (i) Λ is a commutative ring containingZhGias a subring;

(ii) the action ofGonLbecomes multiplication inΛ, and likewise for the action ofGon L;

(iii) Λ has an involution x7→ x extending both the involution of _ZhGi and the mapL−∼→L;

(iv) the lifted inner product·:L×L→_ZhGibecomes multiplication in Λ;

(v) ife∈L is short, then e=e−1 _in_Λ _and_Λ₌

ZhGi[e, e−1].

All computations inΛand inΛ/mΛwill be done with homogeneous elements only, where the set of homogeneous elements ofΛisS

i∈ZL

(11)

4 The main ingredients

We give the main results that we will use to prove Theorem 1.1. Fix as before a finite abelian group G of order 2n and u ∈ G of order 2. Let k denote the exponent ofG. (The exponent of a groupH is the least positive integer ksuch that σk = 1 for all σ ∈ H. The exponent of H divides |H| and has the same prime factors as|H|.) For allm∈Z>1, denote byk(m) the exponent of the unit group (ZhGi/(m))∗.

Remark 4.1 By Proposition 3.10, the G-isomorphisms ZhGi−∼→L are in

one-to-one correspondence with the short vectors, and if a shorte∈Lexists, then the short vectors of L are exactly the2nvectors {σe:σ∈G}. If k is the exponent of G, then (σe)k = σkek = ek in Λ. Hence for invertible L, all short vectors in L have the samek-th power ek ∈Λ. At least philosophically, it is easier to find things that are uniquely determined. We look for ek first, and then recover

efrom it.

Proposition 4.2 There is a deterministic polynomial time algorithm that, given a finite commutative ring R and anR-moduleM, decides whether M is a free

R-module of rank one, and if it is, finds a generator.

Proof. We sketch a proof. A complete proof will be given in the full version of the paper.

The inputs are given as follows. The ringRis given as an abelian group (say, as a sum of cyclic groups) along with all the products of pairs of generators. The finiteR-moduleM is given as an abelian group (say, as a sum of cyclic groups), and for all generators of the abelian group R and all generators of the abelian group M, we are given the module products inM.

If #M 6= #R, output “no” and stop.

Suppose thatA and B are finite commutative rings, that R A×B is a surjective ring homomorphism with nilpotent kernel, and thatyB ∈M is such that the mapB→MB =B⊗RM,b7→b⊗yB is an isomorphism. LetI denote the kernel of the natural mapR→B and letN denote the image ofIM under the natural mapM →MA.

Initially, takeA=R,B= 0, andyB= 0. As long asA6= 0, do the following. IfN = 0, output “no” and stop. Otherwise, pickxA∈IM whose image x∈N is nonzero. Computea= AnnAx, where AnnAdenotes the annihilator inA. Let

b= AnnAa.

Ifa=a2_{, then}_A₋∼_→_A/_a_×_A/_b_and_M A

∼

−→MA/a×MA/b. The image ofx is of the form (x0,0). Ifx0 does not generateMA/a, stop with “no”. Otherwise, computeβ∈Rthat maps to (0,1) under the mapRA×B, and replaceyB, B, A by βyB+xA, (A/a)×B, A/b, respectively. If a 6= a2, then a∩b is a nonzero nilpotent ideal, and we replaceAbyA/(a∩b) and leaveyBunchanged. WhenA= 0, thenI is nilpotent; say Ir= 0. ThenBy =MB =M/IM for y= (yB modIM). Thus,

(12)

so output “yes”.

Lemma 4.3 Suppose thatLis a G-lattice,m∈Z>0, ande∈L. Then {σe+mL:σ∈G}

generatesL/mLas an abelian group if and only ifL/(_ZhGi ·e)is finite of order coprime to m.

Proof. The set {σe+mL : σ ∈ G} generates L/mL as an abelian group if and only multiplication by m is onto as a map from L/(_ZhGi ·e) to itself. SinceL/(_ZhGi ·e) is a finitely generated abelian group, this holds if and only if L/(_ZhGi ·e) is finite of order coprime tom.

Proposition 4.4 (i) There is a deterministic polynomial time algorithm that, givenG, a G-lattice L, and m∈Z>0, decides whether there exists em ∈L

such that{σem+mL:σ∈G} generatesL/mL as an abelian group, and if

so, finds one.

(ii) There is a deterministic polynomial time algorithm that, givenG,u, and a

G-lattice L, decides whether Lis invertible.

Proof. For (i), apply Proposition 4.2 withR=ZhGi/(m) andM =L/mL.

For (ii), it is easy to check whether rank(L) =nand whetherLis unimodular (check whether the Gram matrix has determinant 1). We need to check Definition 3.4(iii) for all m’s in polynomial time. We show that it suffices to check two particular values ofm. First takem= 2, and use (i) to determine ife2 exists. If not, output “no”. If there is one, use (i) to computee2∈L. By Lemma 4.3, the groupL/(_ZhGi ·e2) is finite of odd order. Letqdenote its order. Now apply (i) withm=q. If noeq exists, output “no”. Ifeq exists, then forallm∈Z>0 there exists em∈L that generatesL/mLas a ZhGi/(m)-module, as follows. We can

reduce to m being a prime power pt_{, since if gcd(}_{m, m}0_{) = 1 then} _L/mm0_L _is free of rank one over _ZhGi/(mm0) if and only ifL/mLis free of rank one over

ZhGi/(m) andL/m0Lis free of rank one overZhGi/(m0). Lemma 4.3 now allows

us to reduce to the casem=p. Ifp-q, we can takeep=e2. Ifp|q, we can take ep=eq.

Proposition 4.5 There is a deterministic polynomial time algorithm that, given a finite abelian group G of order 2n and u∈ G of order 2, determines prime powers` andmsuch that `, m≥2n/2_{+ 1} _and_gcd(_k₍_`₎_{, k}₍_m_{)) =}_k_.

Proof. One can prove that ifpis prime andp≡1 modk, then k(pj) = (p−1)pj−1,

using induction onj and the facts that (ZhGi/(pj))∗⊃(Z/pjZ)∗ and the latter

group has exponent (p−1)pj−1_.

We next give an algorithm that, given n, k ∈ Z>0 with k even, computes r, s∈Z>0and primes pandqsuch that p≡q≡1 modk,

(13)

pr_≥₂n/2_{+ 1, and} _qs _≥₂n/2_{+ 1. (We can then take} _`₌_pr _and _m₌_qs_{.) Try} p=k+ 1,2k+ 1,3k+ 1, . . .until the smallest primep≡1 modkis found. Find the leastrsuch thatpr_≥₂n/2_{+ 1. Try}_q₌_p₊_{k, p}_{+ 2}_{k, . . .}_{until the least prime} q ≡ 1 mod k such that gcd((p−1)p, q−1) = k is found. Find the smallest s such thatqs_≥₂n/2_{+ 1.}

This algorithm terminates, with correct output, in time (n+k)O(1)_{. The} key ingredient for proving this is Heath-Brown’s version of Linnik’s theorem [7], which implies that the primepfound by the algorithm satisfiesp≤ck5.5_{with an} effective constantc. Ifp−1 =k1k2with every prime divisor of k1also dividing k and with gcd(k2, k) = 1, then to have gcd((p−1)p, q−1) =k it suffices to have q ≡ 2 mod p and q ≡ 1 +k mod k1 and q ≡ 2 mod k2. This gives a congruence q ≡amod p(p−1) for some a. Heath-Brown’s version of Linnik’s theorem implies thatq≤c(p2)5.5≤c12k60.5.

Our prime powers ` and m play the roles that in the Gentry-Szydlo paper [6] were played by auxiliary prime numbersP, P0 >2(n+1)/2 _{such that}

gcd(P−1, P0−1) = 2n.

Ourk(`) andk(m) replace theirP−1 andP0−1, respectively. While the Gentry-Szydlo primes P and P0 are found with at best a probabilistic algorithm, we can find` andmin deterministic polynomial time. (Further, the ring elements they work with were required to not be zero divisors modulo P, P0 and other small auxiliary primes; we require no analogous condition on` andm, since by Definition 3.4(iii), when L is invertible then for allm, the (_Z/m_Z)hGi-module L/mLis free of rank one.)

Proposition 4.6 (i) Suppose L is an integral lattice, 3 ≤ m ∈ _Z, and C ∈ L/mL. ThenC contains at most one element xwith hx, xi= 1.

(ii) There is a deterministic polynomial time algorithm that, given a rank n

integral latticeL,m∈Z such that m≥2n/2+ 1, and C∈L/mL, finds all

x∈C with hx, xi= 1 (and the number of them is0 or1).

Proof. For (i), supposex, y∈C,hx, xi=hy, yi= 1, andx6=y. Sincex−y∈mL andLis an integral lattice, we have

m≤ hx−y, x−yi1/2_{≤ h}_{x, x}_i1/2₊_h_{y, y}_i1/2_{= 1 + 1 = 2} by the triangle inequality. This contradictsm≥3, giving (i).

For (ii), using LLL to solve the closest vector problem, one can find (in polynomial time)y∈C such thathy, yi<(2n₋_1)h_{x, x}_i_{for all}_x_∈_C_{. Suppose} x∈Cwithhx, xi= 1. Sincex, y∈C, there existsw∈Lsuch thatx−y=mw. Then

mhw, wi1/2₌_h_x₋_{y, x}₋_y_i1/2_{≤ h}_{x, x}_i1/2₊_h_{y, y}_i1/2_<_{(1 + 2}n/2_)h_{x, x}_i1/2_≤_m. Therefore 1 > hw, wi1/2 _∈

Z, so w = 0, and thus y = x. Compute hy, yi. If

(14)

The n of [6] is an odd prime, so k = 2n and _ZhGi embeds in _Q(ζn)×Q.

Since the latter is a product of only two number fields, the number of zeros of X2n₋_v2n_{is at most (2}_n₎2_{, and the Gentry-Szydlo method for finding}_v_from_v2n is sufficiently efficient. If one wants to generalize [6] to the case wheren is not prime, then the smallesttsuch thatZhGiembeds inF1×. . .×Ftwith number fieldsFi can be large. Givenν, the number of zeros ofXk−ν could be as large askt_{. Finding}_e_{such that}_ν₌_ek _{then requires a more efficient algorithm, which} we attain with Proposition 4.9 below.

Anorder is a commutative ring A whose additive group is isomorphic to

Zn for somen ∈Z≥0. We specify an order by saying how to multiply any two vectors in a given basis. Letµ(A) denote the group of roots of unity in A. Proposition 4.7 There is a deterministic polynomial time algorithm that, given an order A, determines a set of generators forµ(A).

Proof. The proof is a bit intricate, involving commutative algebra and algorith-mic algebraic number theory. We give a sketch. See [1] for commutative algebra background.

One starts by computing the nilradical N of the Q-algebra AQ =A⊗ZQ

as well as the unique subalgebra E ⊂A_Q that maps isomorphically toA_Q/N. One has µ(A)⊂E, so replacingA byA∩E one reduces to the case in which the nilradical of A is 0, which we now assume. Next one determines the set Spec(E) of prime ideals m of E. For each m we compute E/m, which is an algebraic number field, and we also compute its subring A/(m∩A). One has E∼=Q

m∈Spec(E)E/m, and we identifyAwith a subring of finite additive index in the product ringB=Q

m∈Spec(E)A/(m∩A).

For each prime numberpdividing|µ(A)|one has p≤1 + dim_QE, so it will suffice to find, for each such p, a set of generators for thep-primary component µ(A)p ofµ(A). Fix now a prime numberp≤1 + dim_QE.

Since eachA/(m∩A) is contained in a number field,µ(A/(m∩A))pis cyclic and easy to determine. This leads to a set of generators forµ(B)p.

ComputeC ={x∈ B : pi_x _∈_A _{for some}_i_∈

Z≥0}; this is a subring of B containingA. The group C/Ais finite of p-power order, and the groupB/C is finite of order not divisible by p. We make Spec(E) into the set of vertices of a graph by connectingm,n∈Spec(E) with an edge if and only if

(m∩C) + (n∩C)6=C.

For each connected componentV of this graph, determine the imageCV ofCin the product ringQ

m∈VA/(m∩A). Then one can show that one hasC∼= Q

V CV, with V ranging over the connected components, so thatµ(C)p =∼QV µ(CV)p. In addition, one can show that for each V and each m ∈ V the natural map µ(CV)p → µ(A/(m∩A))p is injective, so thatµ(CV)p is cyclic; the proof also leads to an efficient algorithm for computing µ(CV)p. Thus, at this point one knows a set of generators forµ(C)p.

(15)

andµ(A)p=µ(C)p∩(1 +s). To compute the latter intersection, one determines t ∈ _Z>0 withptC ⊂A as well as a presentation for the finite abelian p-group 1 + (r/pt_C_{), which is a subgroup of the unit group (}_C/pt_C₎∗_{; to do this, one} uses thatr/pt_C_{is a nilpotent ideal of}_C/pt_C_{. The group}_µ₍_A_)p_{is now obtained} as the kernel of the natural map µ(C)p→(1 + (r/pt_C₎₎_/_{(1 + (s}_/pt_C_)).

Proposition 4.8 SupposeLis an invertibleG-lattice,r∈Z>0, andν is a short

vector in theG-latticeLr_{. Let}_A₌_Λ/₍_ν₋₁₎_{. Identifying}Lr−1 i=0L

i _⊂_Λ _{with its}

image inA, we can viewA=Lr−_i₌₀1Li as aZ/rZ-graded ring. Then:

(i) G⊆µ(A)⊆Sr−_i₌₀1Li_,

(ii) {e∈L:e·e¯= 1}=µ(A)∩L,

(iii) |µ(A)|is divisible by 2n and divides2nr, and

(iv) there existse∈Lfor whiche·e¯= 1 if and only if|µ(A)|= 2nr.

Proof. Since the ideal (ν−1) = (ν−1₋_{1) = (1}₋_ν_{) = (}_ν₋_{1), the map}_a_7→_a induces an involution onA. Since the lattice’s inner product is symmetric and positive definite, for all ring homomorphisms ψ :A→C we haveψ(a) =ψ(a)

for alla∈A, andT

ψkerψ= 0. LetE={e∈A:ee= 1}, a subgroup ofA ∗_. Supposee ∈ µ(A). Then for all ring homomorphisms ψ : A → C we have

1 =ψ(e)ψ(e) =ψ(e)ψ(e) =ψ(ee), soee= 1. Thus, µ(A)⊆E.

Conversely, supposee∈E. Writee=Pr−_i₌₀1εi withεi ∈Li, soe= Pr−1

i=0εi withεi ∈L−i =Lr−i in A. We have 1 =ee=

Pr−1

i=0εiεi (the degree 0 piece of ee). Applying the maptof Definition 2.9 and using (1) we have 1 =Pr−_i₌₀1hεi, εii. It follows that there exists j such thathεj, εji= 1, and εi = 0 ifi 6=j. Thus, E ⊆Sr−_i₌₀1{e∈Li :he, ei= 1}, giving (i). By Proposition 3.9(iii) and Example 3.8 we haveE∩ZhGi=G, so µ(ZhGi) =G.

The degree map from E to Z/rZ that takes e ∈ E to j such that e ∈ Lj

is a group homomorphism with kernel E∩ZhGi = G. Therefore, |E| divides

|G| · |Z/rZ|= 2nr. Thus,E⊆µ(A)⊆E, soE=µ(A) and we have (ii,iii). The

degree map is surjective if and only if|µ(A)|= 2nr, and if and only if 1 is in the image, i.e., if and only ifµ(A)∩L6=∅. Part (iv) now follows from (ii).

Proposition 4.9 There is a deterministic polynomial time algorithm that, given

Gof exponentk, an invertibleG-latticeL, andν ∈Lk, determines whether there existse∈L such thatν =ek ande·e¯= 1, and if so, finds one.

Proof. Check whether νν = 1. If so, letA =Λ/(ν−1) and apply Proposition 4.7 to compute generators forµ(A). Using Proposition 4.8 withr=k, apply the degree mapµ(A)→Z/kZto the generators, check whether the images generate Z/kZ, and if they do, compute an element e ∈ µ(A) whose image is 1. Then

(16)

5 The Algorithm

We present the main algorithm, followed by a fuller explanation. As before,kis the exponent of the groupGandk(j) is the exponent of (ZhGi/(j))∗ifj ∈Z>1. Algorithm 5.1 Input a finite abelian group G, an element u∈G of order 2, and a G-lattice L. Output a G-isomorphism ZhGi −∼→L, or a proof that none

exists.

(i) Apply Proposition 4.4(ii) to check whether L is invertible. If it is not, ter-minate with “no”.

(ii) Find` andmas in Proposition 4.5.

(iii) Computee`m as in Proposition 4.4(i).

(iv) Using an addition chain for k(m) and the algorithms mentioned in §3.3, compute the pair(Lk(m), e_`mk(m)+mLk(m)). Use Proposition 4.6(ii) to decide whether the cosetek_`m(m)+mLk(m) _{contains a short vector} _ν

m∈Lk(m), and

if so, compute it. Terminate with “no” if none exists.

(v) Computes∈((_Z/`_Z)hGi)∗ _{such that} νm=s(e

k(m) `m +`L

k(m)₎

inLk(m)/`Lk(m).

(vi) Use the extended Euclidean algorithm to findb∈Zsuch that

bk(m)≡k modk(`).

(vii) Using an addition chain forkand the algorithms mentioned in§3.3, compute the pair(Lk_{, e}k

`m+`L

k₎_{and compute}_sb₍_ek `m+`L

k₎_{. Use Proposition 4.6(ii)}

to decide whether the latter coset contains a short vectorν ∈Lk_{, and if so,}

compute it. Terminate with “no” if none exists.

(viii) Apply Proposition 4.9 to find e ∈L such that ν =ek ande·e¯= 1 (or to prove there is noG-isomorphism).

We explain the algorithm in more detail. By Proposition 3.10(iii), the G -latticeL isG-isomorphic to ZhGi if and only ifLis invertible and has a short

vector. Run the algorithm in Proposition 4.4(ii) to check whetherLis invertible. If it is not, terminate with “no”. If it is, we look for ane∈Lsuch thatee¯= 1. Lattice basis reduction algorithms such as LLL can find fairly short vectors, but they are not nearly short enough for our purpose. We supplement LLL with computations modulo m. Any short e satisfies _ZhGie =L, which implies that for all m ∈ _Z>0, the coset e+mL generates L/mL as a ZhGi/(m)-module.

Proposition 4.4(i) gives another generator em. Thus, em = ye for some y ∈ (_ZhGi/(m))∗. We have emk(m) modm=ek(m) modmin Λ/mΛ.

(17)

Computee`m(which works as bothemande`) as in Proposition 4.4(i). Propo-sition 4.6(ii) applied to the coset e`m+mLk(m)∈Lk(m)/mLk(m) finds a short vectorνm (if it exists). Ife∈Lis short, then νm=ek(m) by Proposition 4.6(i). Since ek_`m(m) (by definition) and νm (by Proposition 3.10(ii)) each generate the (_Z/`_Z)hGi-module Lk(m)_/`Lk(m)_{, we can find} _s _∈ ₍₍

Z/`Z)hGi)∗ such that

νm=s(e k(m) `m +`L

k(m)_{) in}_Lk(m)_/`Lk(m)_{. Since}_k_{= gcd(}_k₍_`₎_{, k}₍_m_{)), we can use} the extended Euclidean algorithm to finda, b∈_Zsuch thatak(`) +bk(m) =k. Compute sb _∈ ₍₍

Z/`Z)hGi)∗ and sbek`m ∈ Lk/`Lk and use Proposition 4.6(ii) to compute a short ν ∈ Lk _{in this coset or prove that none exists. If} _e_∈ _L _is short, then ek(m) ₌_ν

m≡se k(m)

`m mod`Λ, soe k _≡_νb

m(e k(`) `m )

a _≡_sb_ek

`m mod`Λ, so sb₍_ek

`m+`Lk) contains the short vector ek of Lk, and by Proposition 4.6(i) we haveν=ek_{. Proposition 4.9 then finds a short vector} _e_∈_L_{, or proves none} exists. The mapx7→xe gives the desiredG-isomorphism fromZhGitoL. This

completes the proof of Theorem 1.1.

Remark 5.2 There is a version of the algorithm in which checking invertibility in step (i) is skipped. In this case, the algorithm may misbehave at other points, indicating that L is not invertible and thus not G-isomorphic to _ZhGi. At the end one would check whether he, ei = 1 and he, σei = 0 for all σ 6= 1, u. If so, then {σe}σ∈S is an orthonormal basis for L, and x7→xe gives the desired isomorphism; if not, no such isomorphism exists.

Acknowledgments:We thank the participants of the August 2013 Workshop on Lattices with Symmetry, in particular Craig Gentry, Ren´e Schoof, and Mike Szydlo, and we thank the reviewers for helpful comments.

References

1. M. F. Atiyah and I. G. Macdonald, Introduction to commutative algebra, Addison-Wesley Publishing Co., Reading, MA, 1969.

2. S. Garg, C. Gentry, and S. Halevi,Candidate multilinear maps from ideal lattices, Advances in Cryptology—EUROCRYPT 2013, Lect. Notes in Comp. Sci. 7881, Springer, 2013, 1–17.

3. C. Gentry,Fully homomorphic encryption using ideal lattices, in Proceedings of the 41st ACM Symposium on Theory of Computing—STOC 2009, ACM, New York (2009), 169–178.

4. C. Gentry,A fully homomorphic encryption scheme, Stanford University PhD the-sis, 2009,http://crypto.stanford.edu/craig/craig-thesis.pdf.

5. C. Gentry, email, May 9, 2012.

6. C. Gentry and M. Szydlo,Cryptanalysis of the revised NTRU signature scheme, Advances in Cryptology—EUROCRYPT 2002, Lect. Notes in Comp. Sci. 2332, Springer, Berlin, 2002, 299-320, full version at http://www.szydlo.com/ ntru-revised-full02.pdf.

(18)

8. S. Lang, Algebra, Third edition, Graduate Texts in Mathematics211, Springer-Verlag, New York, 2002.

9. A. K. Lenstra, H. W. Lenstra, Jr., and L. Lov´asz, Factoring polynomials with rational coefficients, Math. Ann.261(1982), 515–534.

10. H. W. Lenstra, Jr.,Lattices, in Algorithmic number theory: lattices, number fields, curves and cryptography, Math. Sci. Res. Inst. Publ.44, Cambridge Univ. Press, Cambridge, 2008, 127–181.