On the ideal shortest vector problem over random rational primes
YANBIN PAN, JUN XU, NICK WADLEIGH, AND QI CHENG
Abstract.
Any ideal in a number field can be factored into a product of prime ideals. In this paper we study the prime ideal shortest vector problem (SVP) in the ring $\mathbb{Z}[x]/(x^{2^n}+1)$, a popular choice in the design of ideal-lattice-based cryptosystems. We show that a majority of rational primes lie under prime ideals admitting a polynomial time algorithm for SVP. Although the shortest vector problem of ideal lattices underpins the security of the Ring-LWE cryptosystem, this work does not break Ring-LWE, since the security reduction is from the worst case ideal SVP to the average case Ring-LWE, and it is one-way.

Keywords: ring-LWE, ideal lattice, average case computational complexity

1. Introduction
Due to their conjectured ability to resist quantum computer attack, lattice-based cryptosystems have drawn considerable attention. In 1996, Ajtai [1] pioneered the research on worst-case to average-case reduction for the Short Integer Solution problem (SIS). In 2005, Regev [28] presented a worst-case to average-case (quantum) reduction for the Learning With Errors problem (LWE). SIS and LWE became two important cryptographic primitives, and a large number of cryptographic schemes based on these two problems have been designed. However, the common drawback of such schemes is their limited efficiency owing to the absence of algebraic structure in SIS and LWE.

The first lattice-based scheme with some algebraic structure was the NTRU public key cryptosystem [14], which was introduced by Hoffstein, Pipher and Silverman in 1996. It works in the convolution ring $\mathbb{Z}[x]/(x^p-1)$, where $p$ is a prime. The cyclical nature of the ring $\mathbb{Z}[x]/(x^p-1)$ contributes to NTRU's efficiency, and makes NTRU one of the most popular schemes. Later the ring was employed in many other cryptographic primitives, such as [21, 18, 26, 22, 31, 4].

In 2009, Stehlé et al. [32] introduced a structured and more efficient variant of LWE, which involves the ring $\mathbb{F}_p[x]/(x^N+1)$ where $N$ is a power of 2 and $p$ is a prime satisfying $p \equiv$ . In 2010, Lyubashevsky, Peikert and Regev [19] presented a ring-based variant of LWE, called Ring-LWE. The hardness of the problems in [32, 19] is based on worst-case assumptions on ideal lattices. Recently, Peikert, Regev and Stephens-Davidowitz [25] presented a polynomial time quantum reduction from (worst-case) ideal lattice problems to Ring-LWE for any modulus and any number field. Since then, more and more schemes employ the ring $\mathbb{Z}[x]/(x^N+1)$ where $N$ is a power of 2, for example, NewHope [2], Crystals-Kyber [7], and LAC [17] submitted to NIST's post-quantum cryptography standardization.
Although solving the ideal SVP does not necessarily break Ring-LWE, any weakness of ideal SVP casts doubt on the security of Ring-LWE.

1.1. Previous works.
Principal ideal lattices are an important class of ideal lattices: those that can be generated by a single element. There is a line of work focusing on the principal ideal SVP. Based on [8, 3], solving approx-SVP problems on principal ideal lattices can be divided into the following two steps. Step 1 is finding an ideal generator by using class group computations. In this step, a quantum polynomial time algorithm is presented by Biasse and Song [6], which is based on the work [13]; a classical subexponential time algorithm was given by Biasse, Espitau, Fouque, Gélin and Kirchner [5]. Step 2 is shortening the ideal generator found in Step 1 with the log-unit lattice. This step was analyzed by Cramer, Ducas, Peikert and Regev [9]. A quantum polynomial time algorithm for approx-SVP, with a $2^{\tilde{O}(\sqrt{N})}$ approximation factor, on principal ideal lattices in cyclotomic number fields was then presented in [9].

In 2017, Cramer, Ducas and Wesolowski [10] extended the case of principal ideal lattices in [9] to the case of a general ideal lattice in a cyclotomic ring of prime-power conductor. For approx-SVP on ideal lattices, the result in [10] is better than the BKZ algorithm [29] when the approximation factor is larger than $2^{\tilde{O}(\sqrt{N})}$. Ducas, Plançon and Wesolowski [11] analyzed the approximation factor $2^{\tilde{O}(\sqrt{N})}$ in [9, 10] to determine the specific dimension $N$ from which the corresponding algorithms outperform BKZ for an ideal lattice in cyclotomic number fields. Recently, Pellet-Mary, Hanrot and Stehlé [27], inspired by the algorithms in [9, 10], solved approx-SVP with the approximation factor $2^{\tilde{O}(\sqrt{N})}$ in ideal lattices for all number fields, aiming to provide trade-offs between the approximation factor and the running time. However, there is an exponential pre-processing phase.

1.2. Our results.
In this paper, we investigate the SVP of prime ideals. The density of prime ideals is not as high as that of principal ideals. In the simple case of the ring of rational integers $\mathbb{Z}$, every ideal is principal, while the density of prime numbers among the positive integers $\le n$ is only about $1/\log n$. On the other hand, every nonzero ideal in a Dedekind domain can be factored uniquely into a product of prime ideals, so short vectors in prime ideals may help us to find short vectors in general ideals. If, in a general prime ideal $\mathfrak{p}$, we are able to efficiently find a vector with length within the Minkowski bound for $\mathfrak{p}$, then for an ideal $\mathfrak{a}$ with few prime ideal factors, we will be able to approximate the shortest vector in $\mathfrak{a}$ to within a factor much better than what is achieved by the LLL [15] or BKZ [30] algorithms. The most difficult step in factoring an ideal is actually the factorization of an integer (the norm of the ideal), which can be done in polynomial time by quantum computers, or in subexponential time by classical computers.

In this paper, we begin an in-depth study of the SVP of prime ideals in the rings $\mathbb{Z}[x]/(x^{2^n}+1)$, which are quite popular in cryptography. We show that there is a hierarchy for the hardness of SVP for these prime ideal lattices. Roughly speaking, we can classify such prime ideal lattices into $n$ distinct classes, and for a prime ideal lattice in the $r$-th class, we can find its shortest vector by solving SVP in a $2^r$-dimensional lattice. This suggests that the difficulty of prime ideal SVP can change dramatically from ideal to ideal, an interesting phenomenon that has, to our knowledge, not been pointed out in the literature. See Theorem 3.2 for more details. By considering certain of these classes, we prove that a nontrivial fraction of prime ideals admit an efficient SVP algorithm.

Proposition 1.1. Let $N = 2^n$, where $n$ is a positive integer.
Let $\mathfrak{p}$ be a prime ideal in the ring $\mathbb{Z}[x]/(x^N+1)$, and suppose $\mathfrak{p}$ contains a prime number $p \equiv \pm 3 \pmod 8$. Then under the coefficient embedding (see Subsection 2.3.2 for the definition), the shortest vector in $\mathfrak{p}$ can be found in time $\mathrm{poly}(N, \log p)$, and the length of the shortest vector is exactly $\sqrt{p}$.

Can we conclude from the above result that the average case prime ideal SVP is easy? It depends on how we define an average prime ideal lattice. As prime ideals are rigid structures, changing distributions gives us totally different complexity results. If norms of prime ideals are selected uniformly at random, then easy cases are rare. Nevertheless our result does show that an average case of the prime ideal SVP in power-of-two cyclotomic fields is not hard, if the rational primes contained in the ideals are selected uniformly at random. See Subsection 3.3 for details.

The algorithm can be adapted to any Galois extension $L$ of $\mathbb{Q}$. Indeed, fix a prime ideal $P$ in the ring of integers, $\mathcal{O}_L$, of $L$. The subgroup of $\mathrm{Gal}(L/\mathbb{Q})$ that stabilizes $P$ set-wise is known as the decomposition group of $P$. Let $K \subset L$ be the subfield fixed by the decomposition group of $P$. To find a short vector in $P$, we can search for a short vector in the lattice $P \cap K$, which has smaller dimension. More precisely, for a rational prime $p$, if $p\mathcal{O}_L$ is factored into a product of $g$ prime ideals in $\mathcal{O}_L$, we can reduce the problem of finding a short vector in any of these prime ideals to a problem of finding a short vector in a dimension-$g$ lattice, provided that the determinant of the sublattice is not too large compared to the original lattice.

For general (non-prime) ideals in $\mathbb{Z}[x]/(x^{2^n}+1)$, we present an algorithm to confirm that the hierarchy for the hardness of SVP also exists; that is, we can solve SVP for an ideal lattice by solving SVP in a $2^r$-dimensional lattice, for some positive integer $r$ related to the factorization of the ideal (see Theorem 4.1).
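As an added worked instance of Proposition 1.1 and of the sub-lattice idea just described (this code is not from the paper): for a prime $p \equiv 5 \pmod 8$ the sub-lattice $\mathfrak{p} \cap K$ with $K = \mathbb{Q}(\zeta^{N/2})$ is 2-dimensional, spanned by $(u, 1)$ and $(p, 0)$ where $u^2 \equiv -1 \pmod p$, so Gauss reduction finds its shortest vector, which lifts to the full $N$-dimensional prime ideal lattice; an exhaustive search then confirms nothing shorter exists there. The parameters $n = 2$ and $p \in \{5, 13\}$ are constructed sample values.

```python
"""Worked example of the 2-dimensional reduction behind Proposition 1.1:
for a prime p ≡ 5 (mod 8), the prime ideal (p, x^{N/2} + u) of Z[x]/(x^N + 1)
has its shortest vector inside the sub-lattice c = (p, y + u), y = ζ^{N/2},
and that vector has squared length exactly p.

Added example, not code from the paper.  The parameters (n, p) used in the
demo, n = 2 and p = 5 or 13, are constructed sample values.
"""
from itertools import product
from math import isqrt


def sqrt_minus_one(p):
    """Return u with u*u ≡ -1 (mod p) for p ≡ 1 (mod 4): if g is a quadratic
    non-residue then g^((p-1)/4) squares to g^((p-1)/2) ≡ -1 (Euler's criterion)."""
    assert p % 4 == 1
    for g in range(2, p):
        if pow(g, (p - 1) // 2, p) == p - 1:
            return pow(g, (p - 1) // 4, p)
    raise ValueError("no quadratic non-residue found")


def polymul(a, b, p):
    """Product of two polynomials over F_p (coefficient lists, lowest degree first)."""
    res = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            res[i + j] = (res[i + j] + ai * bj) % p
    return res


def divisible(v, f, p):
    """True iff the monic f divides v in F_p[x].  Ideal membership test: an integer
    vector v lies in (p, f(x)) ⊂ Z[x]/(x^N + 1) iff f | (v mod p) in F_p[x]."""
    rem = [c % p for c in v]
    d = len(f) - 1
    for k in range(len(rem) - 1, d - 1, -1):
        c = rem[k]
        if c:
            for j in range(d + 1):
                rem[k - d + j] = (rem[k - d + j] - c * f[j]) % p
    return not any(rem)


def gauss_reduce(b1, b2):
    """Lagrange/Gauss reduction: a shortest nonzero vector of the 2-dim lattice
    spanned by b1 and b2."""
    dot = lambda x, y: x[0] * y[0] + x[1] * y[1]
    while True:
        if dot(b1, b1) > dot(b2, b2):
            b1, b2 = b2, b1
        m = round(dot(b1, b2) / dot(b1, b1))
        if m == 0:
            return b1
        b2 = (b2[0] - m * b1[0], b2[1] - m * b1[1])


def prime_ideal_svp(n, p):
    """Return (shortest vector of the 2-dim sub-lattice c, its lift to Z^N)."""
    N = 2 ** n
    u = sqrt_minus_one(p)
    f = [u] + [0] * (N // 2 - 1) + [1]           # f(x) = x^{N/2} + u
    g = [(-u) % p] + [0] * (N // 2 - 1) + [1]    # x^{N/2} - u
    # Theorem 2.1 with A = 2: x^N + 1 = (x^{N/2} + u)(x^{N/2} - u) over F_p
    assert polymul(f, g, p) == [1] + [0] * (N - 1) + [1]
    # c is spanned by y + u ↔ (u, 1) and p ↔ (p, 0) in the basis (1, y) of O_K
    v = gauss_reduce((u, 1), (p, 0))
    # Section 3.2: ||v||^2 ≡ 0 (mod p) for every v in c
    assert (v[0] ** 2 + v[1] ** 2) % p == 0
    lift = [0] * N                                # a + b*y = a + b*ζ^{N/2} in Z^N
    lift[0], lift[N // 2] = v
    assert divisible(lift, f, p), "lifted vector must lie in the prime ideal"
    return v, lift


def brute_force_min_norm(n, p):
    """Exhaustive λ_1^2 for the ideal (p, x^{N/2} + u): any vector with squared
    norm < p has every coordinate at most isqrt(p) in absolute value, so the box
    search is exact whenever it returns p."""
    N = 2 ** n
    f = [sqrt_minus_one(p)] + [0] * (N // 2 - 1) + [1]
    B = isqrt(p)
    best = None
    for v in product(range(-B, B + 1), repeat=N):
        if any(v) and divisible(v, f, p):
            nn = sum(c * c for c in v)
            best = nn if best is None else min(best, nn)
    return best


if __name__ == "__main__":
    for p in (5, 13):
        v, lift = prime_ideal_svp(2, p)
        print(p, v, lift, brute_force_min_norm(2, p))
```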
Following Proposition 1.1, we show how to solve the SVP for ideals all of whose prime factors lie in a certain class. This is a special case of Theorem 4.1.

Proposition 1.2.
Let $N = 2^n$, where $n$ is a positive integer. Let $I$ be an ideal in the ring $\mathbb{Z}[x]/(x^N+1)$ with prime factorization $I = \mathfrak{p}_1 \mathfrak{p}_2 \cdots \mathfrak{p}_k$. If each $\mathfrak{p}_i$ contains a prime integer $\equiv \pm 3 \pmod 8$, the shortest vector in $I$ can be found in time $\mathrm{poly}(N, \log(N(I)))$.

We would like to stress that the algorithm works by exploiting the multiplicative structure of ideals in the ring of integers of a number field. This appears to be new. More interestingly, our algorithm does not need to factor the ideal. We regard this as the second contribution of this work, in addition to the algorithm for prime ideals.

1.3. Paper organization.
The remainder of the paper is organized as follows. In Section 2, we give the mathematical preliminaries needed. In Sections 3 and 4, we first sketch an idea for a solution to SVP in the fully general setting of a finite Galois extension of $\mathbb{Q}$. Then we present our algorithms solving SVP for prime ideal lattices and general ideal lattices in $\mathbb{Z}[\zeta_{2^{n+1}}]$. Finally, a conclusion and some open problems are given in Section 5.

2. Mathematical preliminary

2.1. Lattice.
Lattices are discrete additive subgroups of $\mathbb{R}^N$. Any finite set of vectors $b_1, b_2, \cdots, b_m \in \mathbb{R}^N$ generates a lattice:
$$L = \Bigl\{ \sum_{i=1}^{m} z_i b_i \;\Big|\; z_i \in \mathbb{Z} \Bigr\}.$$
When the $b_i$ are linearly independent and $B$ is the matrix whose column vectors are the $b_i$, we say $B$ is a matrix for $L$; $m$ and $N$ are the rank and dimension of $L$, respectively. If $m = N$, we define the determinant of $L$, denoted by $\det(L)$, to be $|\det(B)|$.

The shortest vector problem (SVP), the problem of finding a shortest nonzero lattice vector in a given lattice, is one of the most famous hard problems in lattice cryptography. Denote by $\lambda_1(L)$ the length of a shortest nonzero lattice vector in an $N$-dimensional lattice $L$. Minkowski's theorem [23] tells us that
$$\lambda_1(L) \le 2 V_N^{-1/N} \cdot \det(L)^{1/N} \le \sqrt{N} \cdot \det(L)^{1/N},$$
where $V_N$ is the volume of the $N$-dimensional ball with radius 1. The closest vector problem (CVP) is another famous hard problem in lattice cryptography. This refers to the problem of finding a lattice vector that is closest to a given vector.

2.2. Ideals in $\mathbb{Z}[\zeta_{2^{n+1}}]$.

The cyclotomic field of order $N = 2^{n+1}$ is widely used in cryptography. Its ring of integers is $\mathbb{Z}[\zeta_{2^{n+1}}]$, which is isomorphic to $\mathbb{Z}[x]/(x^{2^n}+1)$. Its discriminant is $2^{n \cdot 2^n}$.

Let $p$ be a rational prime, and let
$$x^{2^n} + 1 = (f_1 f_2 \cdots f_g)^e$$
be the prime factorization of $x^{2^n}+1$ in the polynomial ring $\mathbb{F}_p[x]$. Then we have
$$(p) = (\mathfrak{p}_1 \mathfrak{p}_2 \cdots \mathfrak{p}_g)^e,$$
where $\mathfrak{p}_i = (p, f_i(\zeta_{2^{n+1}}))$ (here $f_i$ is any integer polynomial which projects to the $f_i$ in the above factorization). We say the prime ideal $\mathfrak{p}_i$ lies over the prime $p$. If $e$ is greater than 1, we say the prime $p$ is ramified (in $\mathbb{Z}[\zeta_{2^{n+1}}]$); otherwise we say $p$ is unramified. One can verify that 2 is the only ramified rational prime in the cyclotomic field of order $N$, and that the prime ideal $(2, \zeta_{2^{n+1}}+1) = (\zeta_{2^{n+1}}+1)$ lies above the ideal $(2)$.

We are therefore interested in the explicit factorization of the $2^{n+1}$-th cyclotomic polynomials, $x^{2^n}+1$, over $\mathbb{F}_p[x]$.
This is settled in [16] when $p \equiv 1 \pmod 4$ and in [20] when $p \equiv 3 \pmod 4$.

Theorem 2.1.
Let $p \equiv 1 \pmod 4$, i.e. $p = 2^A \cdot m + 1$, $A \ge 2$, $m$ odd. Denote by $U_k$ the set of all primitive $k$-th roots of unity modulo $p$. We have
• If $n < A$, then $x^{2^n}+1$ is the product of $2^n$ irreducible linear factors over $\mathbb{F}_p$:
$$x^{2^n}+1 = \prod_{u \in U_{2^{n+1}}} (x + u).$$
• If $n \ge A$, then $x^{2^n}+1$ is the product of $2^{A-1}$ irreducible binomials over $\mathbb{F}_p$ of degree $2^{n-A+1}$:
$$x^{2^n}+1 = \prod_{u \in U_{2^A}} (x^{2^{n-A+1}} + u).$$

Theorem 2.2.
Let $p \equiv 3 \pmod 4$, i.e. $p = 2^A \cdot m - 1$, $A \ge 2$, $m$ odd. Denote by $D_s(x, a)$ the Dickson polynomials
$$D_s(x,a) = \sum_{i=0}^{\lfloor s/2 \rfloor} \frac{s}{s-i} \binom{s-i}{i} (-a)^i x^{s-2i}$$
over $\mathbb{F}_p$. For $n \ge$ , we have
• If $n < A$, then $x^{2^n}+1$ is the product of $2^{n-1}$ irreducible trinomials over $\mathbb{F}_p$:
$$x^{2^n}+1 = \prod_{\gamma \in \Gamma} (x^2 + \gamma x + 1),$$
where $\Gamma$ is the set of all roots of $D_{2^{n-1}}(x, 1)$.
• If $n \ge A$, then $x^{2^n}+1$ is the product of $2^{A-1}$ irreducible trinomials over $\mathbb{F}_p$ of degree $2^{n-A+1}$:
$$x^{2^n}+1 = \prod_{\delta \in \Delta} (x^{2^{n-A+1}} + \delta x^{2^{n-A}} - 1),$$
where $\Delta$ is the set of all roots of $D_{2^{A-1}}(x, -1)$.

2.3. Ideal Lattices.
Let $K$ be a number field over $\mathbb{Q}$ with degree $N$, and let $\mathcal{O}_K$ be its ring of integers. To treat an ideal in $\mathcal{O}_K$ as a lattice, we need to map elements in $\mathcal{O}_K$ to real vectors. We introduce two ways to do this: the canonical embedding and the coefficient embedding.

2.3.1. Canonical embedding.
Let $\sigma_1, \sigma_2, \cdots, \sigma_{s_1}$ be the real embeddings from $K$ to $\mathbb{R}$, and let
$$\sigma_{s_1+1}, \sigma_{s_1+2}, \cdots, \sigma_{s_1+s_2},\quad \sigma_{s_1+s_2+1} = \overline{\sigma_{s_1+1}},\ \sigma_{s_1+s_2+2} = \overline{\sigma_{s_1+2}},\ \cdots,\ \sigma_{s_1+2s_2} = \overline{\sigma_{s_1+s_2}}$$
be the complex embeddings from $K$ to $\mathbb{C}$, where $\bar{\cdot}$ is the complex conjugate. From these $\sigma_i$'s we can make two different $\mathbb{Q}$-linear embeddings:
$$\Sigma = \Sigma_K : K \to \mathbb{C}^{s_1+2s_2},\quad a \mapsto (\sigma_1(a), \sigma_2(a), \cdots, \sigma_{s_1+2s_2}(a)),$$
and
$$\Sigma' = \Sigma'_K : K \to \mathbb{R}^{s_1+2s_2},\quad a \mapsto \bigl(\sigma_1(a), \cdots, \sigma_{s_1}(a), \sqrt{2}\,\mathrm{Re}(\sigma_{s_1+1}(a)), \sqrt{2}\,\mathrm{Im}(\sigma_{s_1+1}(a)), \cdots, \sqrt{2}\,\mathrm{Re}(\sigma_{s_1+s_2}(a)), \sqrt{2}\,\mathrm{Im}(\sigma_{s_1+s_2}(a))\bigr).$$
The $\sqrt{2}$'s are added so that the $\ell_2$ norms of $\Sigma'(a)$ and $\Sigma(a)$ agree. We call the map $\Sigma$ (or $\Sigma'$) the canonical embedding. $\Sigma'$ has the advantage that it embeds $\mathcal{O}_K$ (and any nonzero ideal thereof) as a full rank lattice in $\mathbb{R}^{s_1+2s_2}$. The formula for $\Sigma'$ may appear inelegant, but notice that in the case where $K/\mathbb{Q}$ is Galois, we have either $s_1 = 0$ or $s_2 = 0$.

2.3.2. Coefficient embedding.
If one can find a monic integral polynomial $f(x)$ so that the ring of integers $\mathcal{O}_K$ is isomorphic to $\mathbb{Z}[x]/(f(x))$, such a number field is called monogenic. The coefficient embedding of $\mathcal{O}_K$ in a monogenic field sends an element to the coefficient vector of the corresponding polynomial in $\mathbb{Z}[x]/(f(x))$, namely,
$$C(a_0 + a_1 x + \cdots + a_{N-1} x^{N-1}) = (a_0, a_1, \cdots, a_{N-1}).$$

2.3.3. Ideal lattices.
The ring of integers $\mathcal{O}_K$ of $K$ is a free $\mathbb{Z}$-module, and any ideal $I$ in $\mathcal{O}_K$ is a free $\mathbb{Z}$-submodule since $\mathbb{Z}$ is principal. Under the canonical embedding or the coefficient embedding, any such $I$ is sent to a lattice in $\mathbb{R}^N$. We call this image the ideal lattice associated with $I$, and we denote it also by $I$.

Usually it is easier to use the canonical embedding in mathematical analysis, and to use the coefficient embedding in cryptography. For example, the lattice associated with the prime ideal $\mathfrak{p}_i = (p, f_i(\zeta_{2^{n+1}}))$ is generated by the coefficient vectors of the following polynomials (modulo $x^N+1$ of course)
$$f_i,\ x f_i,\ \cdots,\ x^{N-1} f_i \quad\text{and}\quad p,\ px,\ \cdots,\ px^{N-1}.$$
The minimum generating set should have only $N$ vectors, which can be found by computing the Hermite Normal Form.

3. Solving SVP for prime ideal lattice
Before specializing to $\mathbb{Z}[\zeta_{2^{n+1}}] = \mathcal{O}_{\mathbb{Q}[\zeta_{2^{n+1}}]}$, we explain our idea to solve SVP for a prime ideal of $\mathcal{O}_L$ when $L$ is a general, finite Galois extension of $\mathbb{Q}$. Such an ideal contains a rational prime $p$, and therefore occurs as one of the prime ideals, say $\mathfrak{p}$, in the factorization
$$p\mathcal{O}_L = (\mathfrak{p}_1 \mathfrak{p}_2 \cdots \mathfrak{p}_g)^e.$$
To find a vector of $\mathfrak{p}$ with length within the Minkowski bound, we try to find a short vector in the sublattice given by the intersection of $\mathfrak{p}$ with some intermediate field between $\mathbb{Q}$ and $L$. Since this sublattice has smaller dimension, this may lead to a more efficient algorithm than working in $L$ directly.

More precisely, let $G$ be the Galois group of $L$ over $\mathbb{Q}$. The subgroup $D \le G$ consisting of all elements which set-wise stabilize $\mathfrak{p}$ is called the decomposition group of $\mathfrak{p}$. That is,
$$D := \{ \sigma \in G : \sigma(\mathfrak{p}) = \mathfrak{p} \}.$$
Let $K$ be the fixed field of $D$. That is
$$K := \{ x \in L : \forall \sigma \in D,\ \sigma(x) = x \}.$$
Let $\mathcal{O}_K$ be its ring of algebraic integers. It is well known that the degree of $K$ over $\mathbb{Q}$ is $g$. This is our desired intermediate field.

Now let $\mathfrak{c} = \mathfrak{p} \cap \mathcal{O}_K$, and consider the following commutative diagram (rows are inclusions, the right-hand maps are the canonical embeddings, and $\beta$ is the vertical map on the right):

    𝔭   ⊂   O_L   ⊂   L   --Σ'_L-->   R^{[L:Q]}
    ∪        ∪         ∪                  ↑ β
    𝔠   ⊂   O_K   ⊂   K   --Σ'_K-->   R^{g}
    ∪        ∪         ∪                  ∪
   (p)  ⊂    Z    ⊂   Q   -------->   R

Here $\beta$ is chosen to be the $\mathbb{R}$-linear map making the diagram commute. For simplicity let us assume that all embeddings $K \to \mathbb{C}$ are complex (for instance this is the case if $K \not\subset \mathbb{R}$ and $K/\mathbb{Q}$ is Galois). This is not at all essential; forgoing this assumption only introduces a factor of $\sqrt{2}$ in the following discussion. We make this assumption for the sole purpose that $\beta$ is then just the linear embedding given by repeating each coordinate $[L:\mathbb{Q}]/g$ times. Thus we have
$$\|\beta(v)\| = \sqrt{\frac{[L:\mathbb{Q}]}{g}} \cdot \|v\|. \tag{1}$$
Additionally, one may check that the lattice in $\mathbb{R}^g$ which is the image of $\mathcal{O}_K$ has determinant $\sqrt{|\mathrm{disc}(K)|}$ (something else which recommends the $\sqrt{2}$'s in the definition of $\Sigma'$), where $\mathrm{disc}(\ast)$ is the discriminant. It is also not hard to prove that the norm of $\mathfrak{c}$ is exactly $p$.
Thus, under the canonical embedding of $\mathcal{O}_K$ into $\mathbb{R}^g$, any vector $v \in \mathfrak{c}$ within the Minkowski bound satisfies
$$\|v\| \le \sqrt{g} \cdot p^{1/g} \, |\mathrm{disc}(K)|^{1/(2g)}.$$
By equation (1) above, we therefore have
$$\|\beta(v)\| \le p^{1/g} \, |\mathrm{disc}(K)|^{1/(2g)} \cdot \sqrt{[L:\mathbb{Q}]}. \tag{2}$$
On the other hand, the norm of $\mathfrak{p}$ is $p^{[L:\mathbb{Q}]/(eg)}$. Hence, when $p$ is unramified in $L$ (that is, when $e = 1$) the Minkowski bound for $\mathfrak{p}$ (under the canonical embedding into $\mathbb{R}^{[L:\mathbb{Q}]}$) becomes
$$\sqrt{[L:\mathbb{Q}]} \cdot \bigl(p^{[L:\mathbb{Q}]/g}\bigr)^{1/[L:\mathbb{Q}]} \cdot |\mathrm{disc}(L)|^{1/(2[L:\mathbb{Q}])} = \sqrt{[L:\mathbb{Q}]} \cdot p^{1/g} \cdot |\mathrm{disc}(L)|^{1/(2[L:\mathbb{Q}])}.$$
Comparing this with (2), we find that $\beta(v)$ lies within the Minkowski bound for $\mathfrak{p}$ provided that
$$|\mathrm{disc}(K)|^{1/[K:\mathbb{Q}]} \le |\mathrm{disc}(L)|^{1/[L:\mathbb{Q}]}. \tag{3}$$
We have therefore established the following quite general theorem.
Theorem 3.1.
Suppose $L/\mathbb{Q}$ is a finite Galois extension, and suppose $\mathfrak{p}$ is a prime ideal of $\mathcal{O}_L$ lying over an unramified rational prime. If $K$ is the fixed field of the decomposition group of $\mathfrak{p}$, and if the inequality (3) holds, then the problem of finding a nonzero Minkowski-short vector of $\mathfrak{p}$ (under the canonical embedding of $L$) reduces to the problem of finding a Minkowski-short vector of the sublattice $\mathfrak{p} \cap \mathcal{O}_K$ (under the canonical embedding of $K$).

Finally note that the sublattice $\mathfrak{p} \cap \mathcal{O}_K$ has dimension no more than half that of $\mathfrak{p}$ (unless $\mathfrak{p} = p\mathcal{O}_L$, in which case SVP for $\mathfrak{p}$ is likely trivial). We do not know whether (3) holds in general, but it is true for power-of-two cyclotomic fields (see the next subsection) and prime order cyclotomic fields (see the Appendix).

3.1. Solving SVP for a prime ideal lattice in $\mathbb{Z}[\zeta_{2^{n+1}}]$.

For simplicity, we let $\zeta = \zeta_{2^{n+1}}$. Now we specialize to $L = \mathbb{Q}(\zeta)$. We say goodbye to the canonical embedding, and use the coefficient embedding:
$$\mathbb{Q}(\zeta) \to \mathbb{R}^{2^n},\quad \sum_{i=0}^{2^n-1} a_i \zeta^i \mapsto (a_0, a_1, \ldots, a_{2^n-1}).$$
The coefficient embedding is widely used in lattice-based cryptographic constructions. In fact, for power-of-two cyclotomic fields, the two embeddings are related by scaled rotations. The prime 2 is the unique ramified prime in $\mathbb{Q}(\zeta)$, and the prime ideal lying over $(2)$ is $(2, \zeta+1) = (\zeta+1)$. Hence it is easy to find the shortest vector in the ideal lattice $(\zeta+1)$, and its length is $\sqrt{2}$.

Below we consider a prime ideal lying over an odd prime and show that there is a hierarchy for the hardness of solving SVP for prime ideal lattices in $\mathbb{Z}[\zeta]$. Roughly speaking, we can classify all the prime ideal lattices into $n$ classes labeled with $1, 2, \cdots, n$, depending on the congruence class of $p \pmod{2^{n+1}}$, and for a prime ideal lattice in the $r$-th class, we can always find its shortest vector by solving SVP in a $2^r$-dimensional lattice. More precisely, we have:

Theorem 3.2.
Let $\mathfrak{p} = (p, f(\zeta))$ be any prime ideal in $\mathbb{Z}[\zeta]$, where $p$ is an odd prime and $f(x)$ is some irreducible factor of $x^{2^n}+1$ in $\mathbb{F}_p[x]$. Write
$$p = \begin{cases} 2^A \cdot m + 1, & \text{if } p \equiv 1 \pmod 4; \\ 2^A \cdot m - 1, & \text{if } p \equiv 3 \pmod 4, \end{cases}$$
for some odd $m$ and $A \ge 2$, and let
$$r = \begin{cases} \min\{A-1, n\}, & \text{if } p \equiv 1 \pmod 4; \\ \min\{A, n\}, & \text{if } p \equiv 3 \pmod 4. \end{cases}$$
Then, given an oracle that can solve SVP for $2^r$-dimensional lattices, a shortest nonzero vector in $\mathfrak{p}$ can be found in $\mathrm{poly}(2^n, \log p)$ time with the coefficient embedding.

Proof. It is well known that the Galois group $G$ of $\mathbb{Q}(\zeta)$ over $\mathbb{Q}$ is isomorphic to the multiplicative group $(\mathbb{Z}/2^{n+1}\mathbb{Z})^*$. Let $G = \{\sigma_1, \sigma_3, \cdots, \sigma_{2^{n+1}-1}\}$ where
$$\sigma_i : \mathbb{Q}(\zeta) \to \mathbb{Q}(\zeta);\quad \zeta \mapsto \zeta^i.$$
Next we prove the theorem by considering the two cases separately.
Case 1:
First we deal with the case when $p \equiv 1 \pmod 4$. The theorem holds trivially for $n < A$.

If $n \ge A$, we have $r = A - 1$. By Theorem 2.1, we know that $f(x) = x^{2^{n-A+1}} + u = x^{2^{n-r}} + u$ for some $u \in U_{2^A}$. Then the prime ideal lattice $\mathfrak{p}$ can be generated by $p$ and $f(\zeta) = \zeta^{2^{n-r}} + u$. Consider the subgroup $H = \langle \sigma_{2^{r+1}+1} \rangle$ of $G$ generated by $\sigma_{2^{r+1}+1}$. $H$ is also a subgroup of the decomposition group of the ideal $\mathfrak{p}$ since
$$\sigma_{2^{r+1}+1}(p) = p,\qquad \sigma_{2^{r+1}+1}(f(\zeta)) = f(\zeta).$$
Note that $K = \mathbb{Q}(\zeta^{2^{n-r}})$ is the fixed field of $H$ and its ring of integers $\mathcal{O}_K$ has a $\mathbb{Z}$-basis $(1, \zeta^{2^{n-r}}, \zeta^{2 \cdot 2^{n-r}}, \cdots, \zeta^{(2^r-1) \cdot 2^{n-r}})$.

Let $\mathfrak{c} = \mathfrak{p} \cap \mathcal{O}_K$. We claim that $\mathfrak{p}$ is an internal orthogonal direct sum:
$$\mathfrak{p} = \bigoplus_{k=0}^{2^{n-r}-1} \zeta^k \mathfrak{c}. \tag{4}$$
Indeed, for any $a \in \mathfrak{p}$, there exist integers $z_i$'s and $w_i$'s such that
$$\begin{aligned}
a &= \sum_{i=0}^{2^n-1} z_i \zeta^i f(\zeta) + \sum_{i=0}^{2^n-1} w_i p \zeta^i \\
  &= \sum_{k=0}^{2^{n-r}-1} \zeta^k \sum_{j=0}^{2^r-1} \bigl( z_{k+j\cdot 2^{n-r}} \zeta^{j \cdot 2^{n-r}} f(\zeta) + w_{k+j\cdot 2^{n-r}} p \zeta^{j \cdot 2^{n-r}} \bigr) \\
  &= \sum_{k=0}^{2^{n-r}-1} \zeta^k \Bigl( \bigl( \sum_{j=0}^{2^r-1} z_{k+j\cdot 2^{n-r}} \zeta^{j \cdot 2^{n-r}} \bigr) f(\zeta) + \bigl( \sum_{j=0}^{2^r-1} w_{k+j\cdot 2^{n-r}} \zeta^{j \cdot 2^{n-r}} \bigr) p \Bigr).
\end{aligned}$$
Let $a^{(k)} = \bigl( \sum_{j=0}^{2^r-1} z_{k+j\cdot 2^{n-r}} \zeta^{j \cdot 2^{n-r}} \bigr) f(\zeta) + \bigl( \sum_{j=0}^{2^r-1} w_{k+j\cdot 2^{n-r}} \zeta^{j \cdot 2^{n-r}} \bigr) p$ for any $k$. Since $p \in \mathfrak{c}$ and $f(\zeta) \in \mathfrak{c}$, $a^{(k)} \in \mathfrak{c}$. We have established (4).

Since multiplication by $\zeta$ is an isometry, (4) implies $\lambda_1(\mathfrak{p}) = \lambda_1(\mathfrak{c})$, and that to find the shortest vector in the ideal lattice $\mathfrak{p}$, it is enough to find the shortest vector $v$ in the ideal lattice $\mathfrak{c}$, a lattice with dimension $2^r$. Indeed $\zeta^k v$ for any $0 \le k \le 2^{n-r}-1$ will be a shortest vector in the ideal lattice $\mathfrak{p}$.

Case 2:
For the case when $p \equiv 3 \pmod 4$, everything is similar except that $r = A$. Indeed by Theorem 2.2, $\mathbb{Q}(\zeta)$ is a cyclic extension of degree $2^{n-A+1}$ over the decomposition field for $\mathfrak{p}$. We sketch the subfield lattice for $\mathbb{Q}(\zeta)$, and calculate the decomposition group for $\mathfrak{p}$, in the appendix.

Algorithm:
We can summarize the algorithm to solve SVP in a prime ideal lattice as Algorithm 1.
Algorithm 1
Solve SVP in prime ideal lattice
Input: a prime ideal $\mathfrak{p} = (p, f(\zeta))$ in $\mathbb{Z}[\zeta]$, where $p$ is odd.
Output: a shortest vector in the corresponding prime ideal lattice.
1. Compute the ideal $\mathfrak{c}$ generated by $p$ and $f(\zeta)$ in $\mathcal{O}_K$ where $K = \mathbb{Q}(\zeta^{2^{n-r}})$.
2. Find a shortest vector $v$ in the $2^r$-dimensional lattice $\mathfrak{c}$;
3. Output $v$.

The most time-consuming step in Algorithm 1 is Step 2, and the other steps can be done in $\mathrm{poly}(2^n, \log p)$ time. $\square$

Remark 3.1.
Since for any $a \in \mathfrak{p}$, there exist $a^{(k)} \in \mathfrak{c}$ for $0 \le k < 2^{n-r}$ such that $a = \sum_{k=0}^{2^{n-r}-1} \zeta^k a^{(k)}$, we conclude that if $(b^{(i)})_{0 \le i < 2^r}$ is a basis of the ideal lattice $\mathfrak{c}$, then $(\zeta^j b^{(i)})_{0 \le i < 2^r,\ 0 \le j < 2^{n-r}}$ is a basis of the ideal lattice $\mathfrak{p}$. Furthermore, for $j_1 \ne j_2$, any vector in $(\zeta^{j_1} b^{(i)})_{0 \le i < 2^r}$ is orthogonal to any vector in $(\zeta^{j_2} b^{(i)})_{0 \le i < 2^r}$. Denote by $L_j$ the lattice generated by $(\zeta^j b^{(i)})_{0 \le i < 2^r}$; then the ideal lattice $\mathfrak{p}$ has an orthogonal decomposition $L_0 \oplus L_1 \oplus \cdots \oplus L_{2^{n-r}-1}$, where $L_i$ is orthogonal to $L_j$ for $i \ne j$, that is, for any vectors $v^{(i)} \in L_i$ and $v^{(j)} \in L_j$, the inner product $\langle v^{(i)}, v^{(j)} \rangle = 0$.

Remark 3.2.
By the remark above, solving the closest vector problem (CVP) for the prime ideal lattice can also be reduced to solving CVP in some $2^r$-dimensional sublattice.

3.2. The shortest vector of some prime ideal lattices in $\mathbb{Z}[\zeta_{2^{n+1}}]$.

Using Theorem 3.2, we can now prove Proposition 1.1 in Section 1.2.

For the case $p \equiv -3 \pmod 8$, by Theorem 2.1, $x^{2^n}+1 = (x^{2^{n-1}} + u_1) \cdot (x^{2^{n-1}} + u_2)$ over $\mathbb{F}_p[x]$, where $u_i$ satisfies $u_i^2 \equiv -1 \pmod p$. By the proof of Theorem 3.2, the shortest vector of the ideal lattice $(p, \zeta^{2^{n-1}} + u_i)$ can be found efficiently by solving SVP in the 2-dimensional lattice $L_i$ generated by the rows of
$$\begin{pmatrix} u_i & 1 \\ p & 0 \end{pmatrix}.$$
For any vector $v \in L_i$, there exists an integer vector $(z_1, z_2)$ such that $v = (z_1 u_i + z_2 p,\ z_1)$. Note that
$$\|v\|^2 = (z_1 u_i + z_2 p)^2 + z_1^2 = z_1^2 (u_i^2 + 1) + z_2^2 p^2 + 2 p z_1 z_2 u_i \equiv 0 \pmod p.$$
If $v$ is the shortest nonzero vector, we have $0 < \|v\|^2 < \frac{4}{\pi} \cdot p < 2p$ (by Minkowski's theorem [23]), which implies that $\|v\|^2 = p$. Hence the proposition follows in this case.

Similarly, the proposition holds for $p \equiv 3 \pmod 8$.

3.3. Average-case hardness of solving SVP for prime ideal lattices in $\mathbb{Z}[\zeta]$.

Precisely defining the average-case hardness of SVP for a prime ideal lattice in $\mathbb{Z}[\zeta]$ requires specifying a distribution. We consider the following three distributions.

3.3.1. The first distribution.
To select a random prime ideal, one fixes a large $M$, uniformly randomly selects a prime number in the set $\{p \text{ is a prime} : p < M\}$, and then uniformly randomly selects a prime ideal lying over $p$. This process provides a reasonable distribution among prime ideals, since every prime ideal in the ring of integers of $\mathbb{Q}[x]/(f(x))$ is of the form $(p, g(x))$, where $p$ is a prime number and $g(x)$ is an irreducible factor of $f(x)$ over $\mathbb{F}_p[x]$. Since roughly half of all primes $p \le M$ satisfy $p \equiv \pm 3 \pmod 8$, according to Dirichlet's theorem on arithmetic progressions, at least half of all such $p$ have the property that the ideals lying over $p$ admit an efficient algorithm for SVP.

3.3.2. The second distribution.
Again fixing a large $M$, we might alternatively select a prime ideal uniformly at random from the set
$$\{\mathfrak{p} \text{ prime ideal} : p \in \mathfrak{p},\ p \text{ is a prime},\ p < M\}.$$
In this case, first we would like to point out that
Proposition 3.1.
Under the distribution above, a random prime ideal of $\mathbb{Z}[\zeta]$ admits an efficient SVP algorithm with probability at least $n -$ .

Proof. For simplicity, we disregard the single prime ideal lying over 2. Note that for $p = 8k \pm 3$, there are exactly two prime ideals over $p$, and, by Proposition 1.1, the SVP for the corresponding ideal lattices is easy. For $p = 8k \pm 1$, there are at most $2^n$ prime ideals lying over $p$, by Theorems 2.1 and 2.2. Then by Dirichlet's prime number theorem, even if we only count the prime ideals lying over $p = 8k \pm 3$, the fraction of easy instances is at least $n -$ . $\square$

By Theorem 3.2, SVP for a prime ideal lattice $\mathfrak{p}$ reduces to SVP for a $2^r$-dimensional sub-lattice $\mathfrak{c}$, where $r$ is as defined in the statement of Theorem 3.2. We are therefore interested in the expected value of $r$ when $\mathfrak{p}$ is chosen uniformly at random according to the second distribution.

More precisely, for a large integer $M > 2$, consider the set $PS_M$ consisting of all prime ideals lying over a rational prime $p < M$. An ideal can be chosen uniformly at random from $PS_M$ since $PS_M$ is finite. We can then compute the expected dimension $D_M$ of the sub-lattice $\mathfrak{c}$, which is about

n X A =2 A − · M / A +1 M − + n X A =2 A · M / A +1 M − + M X A = n +1 n · M / A +1 M − ·

when $M$ is big enough. As $M \to \infty$, the expected dimension of the lattice $\mathfrak{c}$ tends to $n + O(1)$. Hence, even with the exponential time algorithm [24] to solve the $2^r$-dimensional ideal lattice, the expected running time is still polynomial, that is, $\mathrm{poly}(2^n, \log p)$.

3.3.3. The third distribution.
The third distribution is more common in mathematics, but it seems hard to sample. Namely, after fixing a large $M$, we select uniformly at random a prime ideal from the set
$$\{\mathfrak{p} \text{ prime ideal} : N(\mathfrak{p}) < M\},$$
where $N(\mathfrak{p})$ is the norm of the ideal $\mathfrak{p}$.

By Theorem 3.2, SVP for a prime ideal lattice $\mathfrak{p}$ reduces to SVP for a $2^r$-dimensional sub-lattice $\mathfrak{c}$, where $r$ is as defined in the statement of Theorem 3.2. Note that our algorithm will not improve matters if $r = n$, that is, if $p$ splits completely in $\mathbb{Q}(\zeta)$ and hence $N(\mathfrak{p}) = p$. By Chebotarev's density theorem [33], there are about $\frac{M}{2^n \log M}$ rational primes which split in $\mathbb{Q}(\zeta)$ and hence $\frac{M}{\log M}$ prime ideals lying above those primes, for which our algorithm will not improve the efficiency of solving SVP. For those prime ideals where our algorithm can do better, the prime $p$ lying below them must satisfy $p \le \sqrt{M}$, since $N(\mathfrak{p}) = p^f < M$ where $f$ is some integer greater than 1. Hence there are at most $\sqrt{M}$ such primes and hence at most $2^{n-1} \sqrt{M}$ prime ideals for which our algorithm can do better. Therefore, under such a distribution, the density of the easy instances for our algorithm is at most
$$\frac{2^{n-1} \log M}{\sqrt{M}},$$
which goes to zero when $M$ tends to infinity.

4. Solving SVP for general ideal lattice in $\mathbb{Z}[\zeta_{2^{n+1}}]$

For simplicity, we let $\zeta = \zeta_{2^{n+1}}$. Even for a general ideal lattice $I \subset \mathbb{Z}[\zeta]$, there is a similar hierarchy for the hardness of SVP for $I$.

Theorem 4.1.
Let $I$ be a nonzero ideal of $\mathbb{Z}[\zeta]$ with prime factorization $I = \mathfrak{p}_1 \cdot \mathfrak{p}_2 \cdots \mathfrak{p}_t$, where $\mathfrak{p}_i = (f_i(\zeta), p_i)$ for rational primes $p_i$, and where the $\mathfrak{p}_i$ are not necessarily distinct. Write $p_i = 2^{A_i} \cdot m_i + 1$ when $p_i \equiv 1 \pmod 4$ and $p_i = 2^{A_i} \cdot m_i - 1$ when $p_i \equiv 3 \pmod 4$, with odd $m_i$, and let $r = \max\{r_i\}$, where
$$r_i = \begin{cases} \min\{A_i - 1, n\}, & \text{if } p_i \equiv 1 \pmod 4; \\ \min\{A_i, n\}, & \text{if } p_i \equiv 3 \pmod 4; \\ n, & \text{if } p_i = 2. \end{cases}$$
Then the shortest vector in the ideal lattice $L$ corresponding to $I$ can be found by solving SVP in a $2^r$-dimensional lattice.

Proof. If $r = n$, then the theorem follows trivially.

If $r < n$, W.L.O.G. we assume $r = r_1$. Following the proof of Theorem 3.2, denote the Galois group $G = \{\sigma_1, \sigma_3, \cdots, \sigma_{2^{n+1}-1}\}$ of $\mathbb{Q}(\zeta)$ over $\mathbb{Q}$, where $\sigma_i(\zeta) = \zeta^i$. Consider the subgroup $H = \langle \sigma_{2^{r+1}+1} \rangle$ of $G$ generated by $\sigma_{2^{r+1}+1}$. For any $\tau \in H$ and every prime ideal $\mathfrak{p}_i = (p_i, f_i(\zeta))$, we have $\tau(\mathfrak{p}_i) = \mathfrak{p}_i$ since
$$\sigma_{2^{r+1}+1}(p_i) = p_i,\qquad \sigma_{2^{r+1}+1}(f_i(\zeta)) = f_i(\zeta).$$
Note that $K = \mathbb{Q}(\zeta^{2^{n-r}})$ is the fixed field of $H$ and its ring of integers $\mathcal{O}_K$ has a $\mathbb{Z}$-basis $(1, \zeta^{2^{n-r}}, \zeta^{2 \cdot 2^{n-r}}, \cdots, \zeta^{(2^r-1) \cdot 2^{n-r}})$.

Let $\mathfrak{c} = I \cap \mathcal{O}_K$. We claim that for any $a \in I$, there exist $a^{(k)} \in \mathfrak{c}$ for $0 \le k < 2^{n-r}$ such that
$$a = \sum_{k=0}^{2^{n-r}-1} \zeta^k a^{(k)}.$$
We proceed by induction. When $t = 1$ the above claim holds by Theorem 3.2. Suppose the claim holds for $t - 1$. Then setting $I = \mathfrak{p}_1 \cdot \mathfrak{p}_2 \cdots \mathfrak{p}_t$ and $I' = \mathfrak{p}_1 \cdot \mathfrak{p}_2 \cdots \mathfrak{p}_{t-1}$, we have $I = I' \cdot \mathfrak{p}_t$. For any $a \in I$, we can write $a = \sum x_i y_i$ where $x_i \in I'$ and $y_i \in \mathfrak{p}_t$. It suffices to show that for any $xy$, where $x \in I'$ and $y \in \mathfrak{p}_t$, there exist $b^{(k)} \in I \cap \mathcal{O}_K$ for $0 \le k < 2^{n-r}$ such that $xy = \sum_{k=0}^{2^{n-r}-1} \zeta^k b^{(k)}$.

By the induction assumption, there exist $x^{(i)} \in I' \cap \mathcal{O}_K$ for $0 \le i < 2^{n-r}$ such that $x = \sum_{i=0}^{2^{n-r}-1} \zeta^i x^{(i)}$, and there exist $y^{(j)} \in \mathfrak{p}_t \cap \mathcal{O}_K$ for $0 \le j < 2^{n-r}$ such that $y = \sum_{j=0}^{2^{n-r}-1} \zeta^j y^{(j)}$.
Hence, we have
$$\begin{aligned}
xy &= \sum_{i=0}^{2^{n-r}-1} \sum_{j=0}^{2^{n-r}-1} \zeta^{i+j} x^{(i)} y^{(j)} \\
   &= \sum_{k=0}^{2^{n-r}-1} \zeta^k \sum_{i+j=k} x^{(i)} y^{(j)} + \sum_{k=2^{n-r}}^{2 \cdot 2^{n-r}-2} \zeta^k \sum_{i+j=k} x^{(i)} y^{(j)} \\
   &= \sum_{k=0}^{2^{n-r}-1} \zeta^k \sum_{i+j=k} x^{(i)} y^{(j)} + \sum_{k=0}^{2^{n-r}-2} \zeta^k \sum_{i+j=k+2^{n-r}} \zeta^{2^{n-r}} x^{(i)} y^{(j)} \\
   &= \sum_{k=0}^{2^{n-r}-2} \zeta^k \Bigl( \sum_{i+j=k} x^{(i)} y^{(j)} + \sum_{i+j=k+2^{n-r}} \zeta^{2^{n-r}} x^{(i)} y^{(j)} \Bigr) + \zeta^{2^{n-r}-1} \sum_{i+j=2^{n-r}-1} x^{(i)} y^{(j)}.
\end{aligned}$$
Let $b^{(k)} = \sum_{i+j=k} x^{(i)} y^{(j)} + \sum_{i+j=k+2^{n-r}} \zeta^{2^{n-r}} x^{(i)} y^{(j)}$ for any $0 \le k \le 2^{n-r}-2$ and $b^{(2^{n-r}-1)} = \sum_{i+j=2^{n-r}-1} x^{(i)} y^{(j)}$. We have that $b^{(k)} \in I \cap \mathcal{O}_K$ for $0 \le k < 2^{n-r}$. Hence, for any $a \in I$, there exist $a^{(k)} \in \mathfrak{c}$ for $0 \le k < 2^{n-r}$ such that $a = \sum_{k=0}^{2^{n-r}-1} \zeta^k a^{(k)}$.

As in the proof of Theorem 3.2, we can show that $\lambda_1(I) = \lambda_1(\mathfrak{c})$ and that any nonzero shortest vector in $\mathfrak{c}$ will yield $2^{n-r}$ nonzero shortest vectors in $I$. $\square$

We would like to point out that in some cases, the $r$ in Theorem 4.1 can be improved. Consider the case when $n \ge 2$ and $I = (2, \zeta - 1) = (2, \zeta + 1)$. We need to solve SVP in a $2^n$-dimensional lattice by Theorem 4.1. However, using the intermediate field $\mathbb{Q}(\zeta^2)$ as in the proof of Theorem 4.1, we can find a shortest vector by solving SVP in a $2^{n-1}$-dimensional lattice.

Furthermore, since for any $a \in I$, there exist $a^{(k)} \in \mathfrak{c}$ for $0 \le k < 2^{n-r}$ such that $a = \sum_{k=0}^{2^{n-r}-1} \zeta^k a^{(k)}$, we conclude that if $(b^{(i)})_{0 \le i < 2^r}$ is a basis of the ideal lattice $\mathfrak{c}$, then $(\zeta^j b^{(i)})_{0 \le i < 2^r,\ 0 \le j < 2^{n-r}}$ is a basis of the ideal lattice $I$. Denote by $L_j$ the lattice generated by $(\zeta^j b^{(i)})_{0 \le i < 2^r}$. Then the ideal lattice $I$ has an orthogonal decomposition $L_0 \oplus L_1 \oplus \cdots \oplus L_{2^{n-r}-1}$, where $L_i$ is orthogonal to $L_j$ for $i \ne j$.

In fact, for any $\bar{r}$, let $\mathfrak{c} = I \cap \mathcal{O}_K$ where $K = \mathbb{Q}(\zeta^{2^{n-\bar{r}}})$.
For any basis $(b^{(i)})_{0 \le i < 2^{\bar r}}$ of the ideal lattice $\mathfrak{c}$, if $(\zeta^j b^{(i)})_{0 \le i < 2^{\bar r},\, 0 \le j < 2^{n-\bar r}}$ is a basis of the ideal lattice $I$ (meaning that the ideal lattice $I$ has an orthogonal decomposition), then a shortest vector in $\mathfrak{c}$ is also a shortest vector in $I$. Hence we have the following algorithm to solve SVP for a general ideal in $\mathbb{Z}[\zeta]$.

Algorithm 2 Solve SVP in a general ideal lattice
Input: an ideal $I$. Output: a shortest vector in the corresponding ideal lattice $L$.
1: for $\bar r = 1$ to $n$ do
2:   Compute a basis $(b^{(i)})_{0 \le i < 2^{\bar r}}$ of the ideal lattice $\mathfrak{c} = I \cap O_K$, where $K = \mathbb{Q}(\zeta^{2^{n-\bar r}})$.
3:   if $(\zeta^j b^{(i)})_{0 \le i < 2^{\bar r},\, 0 \le j < 2^{n-\bar r}}$ is exactly a basis of the ideal lattice $I$ then
4:     Find a shortest vector $v$ in the $2^{\bar r}$-dimensional lattice $\mathfrak{c}$; output $v$.
5:   end if
6: end for

Note that Step 2 can be done efficiently by taking $O_K$ as a lattice and then computing the intersection of the lattice $I$ and the lattice $O_K$ under the coefficient embedding.

Remark 4.1.
By Theorem 4.1, solving the closest vector problem (CVP) for a general ideal lattice can also be reduced to solving CVP in some $2^r$-dimensional lattice.

Conclusion and open problems
We have investigated the SVP of prime ideal lattices in power-of-two cyclotomic fields, and designed an algorithm exploiting the subfield structure of such fields to efficiently solve SVP for a large portion of such ideals. Using ideal factorization, we obtained an efficient algorithm for many general (non-prime) ideals. We also determined the length of the shortest vector of those prime ideals lying over rational primes congruent to $\pm$ . It is an interesting problem to study the length of the shortest vectors in other prime ideals. The worst-case hardness of prime ideal lattice SVP for power-of-two cyclotomic fields is also left open.

References

[1] Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: Proceedings of the Twenty-Eighth Annual ACM Symposium on the Theory of Computing - STOC. pp. 99–108 (1996)
[2] Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: NewHope without reconciliation. IACR Cryptology ePrint Archive, 1157 (2016), http://eprint.iacr.org/2016/1157
[3] Bernstein, D.J.: A subfield-logarithm attack against ideal lattices: Computing algebraic number theory tackles lattice-based cryptography. The cr.yp.to blog, 2014. https://blog.cr.yp.to/20140213-ideal.html
[4] Bernstein, D.J., Chuengsatiansup, C., Lange, T., van Vredendaal, C.: NTRU prime: Reducing attack surface at low cost. In: Selected Areas in Cryptography - SAC 2017 - 24th International Conference, Ottawa, ON, Canada, August 16-18, 2017, Revised Selected Papers. pp. 235–260 (2017). https://doi.org/10.1007/978-3-319-72565-9_12
[5] Biasse, J., Espitau, T., Fouque, P., Gélin, A., Kirchner, P.: Computing generator in cyclotomic integer rings. In: Advances in Cryptology - EUROCRYPT 2017 - 36th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Paris, France, April 30 - May 4, 2017, Proceedings, Part I. pp. 60–88 (2017). https://doi.org/10.1007/978-3-319-56620-7_3
[6] Biasse, J., Song, F.: Efficient quantum algorithms for computing class groups and solving the principal ideal problem in arbitrary degree number fields. In: Proceedings of the Twenty-Seventh Annual ACM-SIAM Symposium on Discrete Algorithms, SODA 2016, Arlington, VA, USA, January 10-12, 2016. pp. 893–902 (2016). https://doi.org/10.1137/1.9781611974331.ch64
[7] Bos, J.W., Ducas, L., Kiltz, E., Lepoint, T., Lyubashevsky, V., Schanck, J.M., Schwabe, P., Seiler, G., Stehlé, D.: CRYSTALS - Kyber: A CCA-secure module-lattice-based KEM. In: 2018 IEEE European Symposium on Security and Privacy, EuroS&P 2018, London, United Kingdom, April 24-26, 2018. pp. 353–367 (2018). https://doi.org/10.1109/EuroSP.2018.00032
[8] Campbell, P., Groves, M., Shepherd, D.: Soliloquy: A cautionary tale, 2014. https://docbox.etsi.org/workshop/2014
[9] Cramer, R., Ducas, L., Peikert, C., Regev, O.: Recovering short generators of principal ideals in cyclotomic rings. In: Advances in Cryptology - EUROCRYPT 2016. pp. 559–585 (2016)
[10] Cramer, R., Ducas, L., Wesolowski, B.: Short Stickelberger class relations and application to ideal-SVP. In: Advances in Cryptology - EUROCRYPT 2017 - 36th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Paris, France, April 30 - May 4, 2017, Proceedings, Part I. pp. 324–348 (2017). https://doi.org/10.1007/978-3-319-56620-7_12
[11] Ducas, L., Plançon, M., Wesolowski, B.: On the shortness of vectors to be found by the ideal-SVP quantum algorithm. Quantum Algorithm, 2019. To appear.
[12] Dummit, D.S., Foote, R.M.: Abstract Algebra. John Wiley and Sons, 3rd edn. (2004)
[13] Eisenträger, K., Hallgren, S., Kitaev, A.Y., Song, F.: A quantum algorithm for computing the unit group of an arbitrary degree number field. In: Symposium on Theory of Computing, STOC 2014, New York, NY, USA, May 31 - June 03, 2014. pp. 293–302 (2014). https://doi.org/10.1145/2591796.2591860
[14] Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: A ring-based public key cryptosystem. In: Algorithmic Number Theory, Third International Symposium, ANTS-III. pp. 267–288 (1998)
[15] Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Annalen (4), 515–534 (1982)
[16] Lidl, R., Niederreiter, H.: Finite Fields. Encyclopedia of Mathematics and Its Applications, Vol. 20. Addison–Wesley, Reading, MA (1983)
[17] Lu, X., Liu, Y., Zhang, Z., Jia, D., Xue, H., He, J., Li, B.: LAC: Practical Ring-LWE based public-key encryption with byte-level modulus. IACR Cryptology ePrint Archive, 1009 (2018), https://eprint.iacr.org/2018/1009
[18] Lyubashevsky, V., Micciancio, D.: Generalized compact knapsacks are collision resistant. In: Automata, Languages and Programming, 33rd International Colloquium, ICALP 2006, Venice, Italy, July 10-14, 2006, Proceedings, Part II. pp. 144–155 (2006). https://doi.org/10.1007/11787006_13
[19] Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Advances in Cryptology - EUROCRYPT. Lecture Notes in Computer Science, vol. 6110, pp. 1–23. Springer (2010)
[20] Meyn, H.: Factorization of the cyclotomic polynomials $x^{2^n} + 1$ over finite fields. Finite Fields Appl. 2, 439–442 (1996)
[21] Micciancio, D.: Generalized compact knapsacks, cyclic lattices, and efficient one-way functions from worst-case complexity assumptions. In: 43rd Symposium on Foundations of Computer Science (FOCS 2002), 16-19 November 2002, Vancouver, BC, Canada, Proceedings. pp. 356–365 (2002). https://doi.org/10.1109/SFCS.2002.1181960
[22] Micciancio, D.: Generalized compact knapsacks, cyclic lattices, and efficient one-way functions. Computational Complexity (4), 365–411 (2007). https://doi.org/10.1007/s00037-007-0234-9
[23] Micciancio, D., Goldwasser, S.: Complexity of Lattice Problems: A Cryptographic Perspective. The Kluwer International Series in Engineering and Computer Science, vol. 671. Kluwer Academic Publishers, Boston, Massachusetts (Mar 2002)
[24] Micciancio, D., Voulgaris, P.: A deterministic single exponential time algorithm for most lattice problems based on Voronoi cell computations. SIAM J. Comput. (3), 1364–1391 (2013). https://doi.org/10.1137/100811970
[25] Peikert, C., Regev, O., Stephens-Davidowitz, N.: Pseudorandomness of Ring-LWE for any ring and modulus. In: Proceedings of the 49th Annual ACM SIGACT Symposium on Theory of Computing, STOC 2017, Montreal, QC, Canada, June 19-23, 2017. pp. 461–473 (2017). https://doi.org/10.1145/3055399.3055489
[26] Peikert, C., Rosen, A.: Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. In: Theory of Cryptography, Third Theory of Cryptography Conference, TCC 2006, New York, NY, USA, March 4-7, 2006, Proceedings. pp. 145–166 (2006). https://doi.org/10.1007/11681878_8
[27] Pellet-Mary, A., Hanrot, G., Stehlé, D.: Approx-SVP in ideal lattices with pre-processing. IACR Cryptology ePrint Archive, 215 (2019), https://eprint.iacr.org/2019/215
[28] Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. Journal of the ACM (6), 34 (2009), preliminary version in STOC'05
[29] Schnorr, C., Euchner, M.: Lattice basis reduction: Improved practical algorithms and solving subset sum problems. Math. Program., 181–199 (1994). https://doi.org/10.1007/BF01581144
[30] Schnorr, C.P., Euchner, M.: Lattice basis reduction: Improved practical algorithms and solving subset sum problems. Mathematical Programming (1-3), 181–199 (1994)
[31] Stehlé, D., Steinfeld, R.: Making NTRU as secure as worst-case problems over ideal lattices. In: Advances in Cryptology - EUROCRYPT 2011. pp. 27–47 (2011)
[32] Stehlé, D., Steinfeld, R., Tanaka, K., Xagawa, K.: Efficient public key encryption based on ideal lattices. In: Advances in Cryptology - ASIACRYPT 2009, 15th International Conference on the Theory and Application of Cryptology and Information Security, Tokyo, Japan, December 6-10, 2009. Proceedings. pp. 617–635 (2009). https://doi.org/10.1007/978-3-642-10366-7_36
[33] Tschebotareff, N.: Die Bestimmung der Dichtigkeit einer Menge von Primzahlen, welche zu einer gegebenen Substitutionsklasse gehören. Mathematische Annalen (1), 191–228 (1926)
[34] Washington, L.C.: Introduction to Cyclotomic Fields. Springer-Verlag, 2nd edn. (1997)

Appendix A. $\mathbb{Q}(\zeta_p)$

For $p$ a prime, we describe the subfields of $\mathbb{Q}(\zeta_p)$ and their discriminants. It is well known (see for instance [12, Thm 14.5]) that the subfields of $\mathbb{Q}(\zeta_p)$ have the form $\mathbb{Q}(\sum_{b \in B} \zeta_p^b)$, where $B$ is a subgroup of $(\mathbb{Z}/p\mathbb{Z})^*$.
The discriminant of such a subfield $K$ is described by a simple formula in terms of its degree over $\mathbb{Q}$:
$$\mathrm{disc}(K/\mathbb{Q}) = p^{[K:\mathbb{Q}]-1}.$$
This can be seen using the Führerdiskriminantenproduktformel (see [34, Thm 3.11]), which says the following. For $H$ a group of Dirichlet characters of $\mathbb{Z}/m\mathbb{Z}$ (that is, a group of group homomorphisms $h : (\mathbb{Z}/m\mathbb{Z})^* \to \mathbb{C}^*$), the fixed field of $\bigcap_{h \in H} \ker(h)$ in $\mathbb{Q}(\zeta_m)$ has discriminant of magnitude $\prod_{h \in H} C_h$, where $C_h$ is the conductor of $h$. That is, $C_h$ is the minimum among the divisors $n \mid m$ for which there exists a group homomorphism $h' : (\mathbb{Z}/n\mathbb{Z})^* \to \mathbb{C}^*$ such that $h = h' \circ \pi_{m,n}$, where $\pi_{m,n} : (\mathbb{Z}/m\mathbb{Z})^* \to (\mathbb{Z}/n\mathbb{Z})^*$ is the restriction of the natural projection. Moreover, the fixed field of $\bigcap_{h \in H} \ker(h)$ has degree $|H|$ over $\mathbb{Q}$. In the present case, the only choices for $\pi_{p,n}$ are $\pi_{p,1}$ and $\pi_{p,p}$. Thus $C_h = p$ for every nontrivial character $h$. For $K$ the fixed field of $\bigcap_{h \in H} \ker(h)$, the Führerdiskriminantenproduktformel therefore gives
$$\mathrm{disc}(K) = \prod_{h \in H} C_h = p^{|H|-1} = p^{[K:\mathbb{Q}]-1}.$$

Appendix B. $\mathbb{Q}(\zeta_{2^n})$

Now we sketch the subfield lattice of $\mathbb{Q}(\zeta_{2^{n+1}})$. Consider the three subfields
$$\mathbb{Q}(\zeta_{2^{n+1}} + \zeta_{2^{n+1}}^{-1}), \qquad \mathbb{Q}(\zeta_{2^n}), \qquad \mathbb{Q}(\zeta_{2^{n+1}} - \zeta_{2^{n+1}}^{-1}).$$
First we claim that $\mathbb{Q}(\zeta_{2^{n+1}})$ has degree two over each. On the one hand, all are proper subfields, since $\mathbb{Q}(\zeta_{2^{n+1}} + \zeta_{2^{n+1}}^{-1})$ is contained in the fixed field of the automorphism $\zeta_{2^{n+1}} \mapsto \zeta_{2^{n+1}}^{-1}$, and $\mathbb{Q}(\zeta_{2^{n+1}} - \zeta_{2^{n+1}}^{-1})$ is contained in the fixed field of the automorphism $\zeta_{2^{n+1}} \mapsto -\zeta_{2^{n+1}}^{-1}$. On the other hand, $\zeta_{2^{n+1}}$ is a root of the quadratic polynomials
$$x^2 - (\zeta_{2^{n+1}} + \zeta_{2^{n+1}}^{-1})\,x + 1 \in \mathbb{Q}(\zeta_{2^{n+1}} + \zeta_{2^{n+1}}^{-1})[x], \qquad x^2 - (\zeta_{2^{n+1}} - \zeta_{2^{n+1}}^{-1})\,x - 1 \in \mathbb{Q}(\zeta_{2^{n+1}} - \zeta_{2^{n+1}}^{-1})[x].$$
Moreover, since the involutions $\zeta_{2^{n+1}} \mapsto \zeta_{2^{n+1}}^{-1}$, $\zeta_{2^{n+1}} \mapsto \zeta_{2^{n+1}}^{2^n+1}$ and $\zeta_{2^{n+1}} \mapsto -\zeta_{2^{n+1}}^{-1}$ are distinct, these three subfields are distinct. Finally, it is routine to sketch the subgroup lattice of $\mathbb{Z}_2 \oplus \mathbb{Z}_{2^{n-1}} \cong (\mathbb{Z}/2^{n+1}\mathbb{Z})^* \cong \mathrm{Gal}(\mathbb{Q}(\zeta_{2^{n+1}})/\mathbb{Q})$:

[Diagram: the subgroup lattice of $\mathbb{Z}_2 \oplus \mathbb{Z}_{2^{n-1}}$, with three subgroups of the forms $\langle (0, 2^k) \rangle$, $\langle (1, 2^k) \rangle$ and $\langle (1,0), (0, 2^k) \rangle$ at each level, ending in $\langle (1,0),(0,2) \rangle$, $\langle (0,1) \rangle$, $\langle (1,1) \rangle$ and the full group $\mathbb{Z}_2 \oplus \mathbb{Z}_{2^{n-1}}$.]

Here all lines indicate extensions of index two. Combining these facts we have the subfield lattice for $\mathbb{Q}(\zeta_{2^n})$:

[Diagram: the subfield lattice, read from the top down, with three fields on each level]
$\mathbb{Q}(\zeta_{2^{n+1}})$
$\mathbb{Q}(\zeta_{2^{n+1}} + \zeta_{2^{n+1}}^{-1})$, $\mathbb{Q}(\zeta_{2^n})$, $\mathbb{Q}(\zeta_{2^{n+1}} - \zeta_{2^{n+1}}^{-1})$
$\mathbb{Q}(\zeta_{2^n} + \zeta_{2^n}^{-1})$, $\mathbb{Q}(\zeta_{2^{n-1}})$, $\mathbb{Q}(\zeta_{2^n} - \zeta_{2^n}^{-1})$
$\mathbb{Q}(\zeta_{2^{n-1}} + \zeta_{2^{n-1}}^{-1})$, $\mathbb{Q}(\zeta_{2^{n-2}})$, $\mathbb{Q}(\zeta_{2^{n-1}} - \zeta_{2^{n-1}}^{-1})$
$\cdots$
$\mathbb{Q}(\zeta_8 + \zeta_8^{-1})$, $\mathbb{Q}(i)$, $\mathbb{Q}(\zeta_8 - \zeta_8^{-1})$
$\mathbb{Q}$

where all lines indicate extensions of degree two.
Appendix C. Decomposition groups and fixed fields
Let $\zeta = \zeta_{2^{n+1}}$, let $p$ be a rational prime with $p \equiv 3 \pmod 4$, let $A$ be the natural number with $2^A \,\|\, p + 1$, and let $\mathfrak{p}$ be a prime ideal in $\mathbb{Z}[\zeta]$ containing $p$. Then $\mathfrak{p} = (p, \zeta^{2^{n-A+1}} + \delta \zeta^{2^{n-A}} - 1)$ for some $\delta \in \mathbb{Z}$. Let $\sigma \in \mathrm{Aut}(\mathbb{Q}(\zeta)/\mathbb{Q})$ be the automorphism of $\mathbb{Q}(\zeta)$ with $\zeta \mapsto \zeta^{-2^A-1}$. Then we have
$$\begin{aligned} \sigma\mathfrak{p} &= (p,\ \sigma(\zeta)^{2^{n-A+1}} + \delta\,\sigma(\zeta)^{2^{n-A}} - 1) \\ &= (p,\ \zeta^{2^{n-A+1}(-2^A-1)} + \delta\,\zeta^{2^{n-A}(-2^A-1)} - 1) \\ &= (p,\ \zeta^{-2^{n+1}}\zeta^{-2^{n-A+1}} + \delta\,\zeta^{-2^n}\zeta^{-2^{n-A}} - 1) \\ &= (p,\ \zeta^{-2^{n-A+1}} - \delta\,\zeta^{-2^{n-A}} - 1) \\ &= (p,\ -\zeta^{-2^{n-A+1}} \cdot (\zeta^{2^{n-A+1}} + \delta\,\zeta^{2^{n-A}} - 1)) \\ &= \mathfrak{p}. \end{aligned}$$
We have used the fact that $\zeta$ is a unit in $\mathbb{Z}[\zeta]$. Since $\zeta \mapsto \zeta^{-1}$ is an involution, the order of $\sigma$ is the order of $\zeta \mapsto \zeta^{2^A+1}$ (denoted by $\sigma'$), which is the multiplicative order of $2^A + 1$ in $(\mathbb{Z}/2^{n+1}\mathbb{Z})^*$. We claim that, for $A \ge 2$, this order is $2^{n+1-A}$. First note that for $k \equiv 1 \pmod 4$, $\mathrm{ord}_{\mathbb{Z}^*_{2^{n+1}}}(k) = 2^m$ if and only if $2^{n+1} \,\|\, k^{2^m} - 1$. This fact follows easily from the identity $k^{2^{g+1}} - 1 = (k^{2^g} - 1)(k^{2^g} + 1)$ and the fact that for $k = 2^A + 1$ we have $2 \,\|\, (k^{2^g} + 1)$. That the multiplicative order of $2^A + 1$ is $2^{n+1-A}$ now follows by an induction argument using the above identity.

The preceding two paragraphs prove that $\sigma$ lies in the decomposition group of $\mathfrak{p}$ and that $\sigma$ has order $2^{n+1-A}$. It follows from a standard result in the theory of number fields that the decomposition group of $\mathfrak{p}$ has order $2^{n+1-A}$. Thus $\langle \sigma \rangle$ is precisely the decomposition group of $\mathfrak{p}$. Now recall the subfield/subgroup lattice for $\mathbb{Q}(\zeta)/\mathbb{Q}$ and its Galois group $\mathbb{Z}^*_{2^{n+1}}$. A simple computation shows that $\sigma$ fixes $\zeta^{2^{n-A}} - \zeta^{-2^{n-A}}$. But from the subfield lattice we can see that $[\mathbb{Q}(\zeta) : \mathbb{Q}(\zeta^{2^{n-A}} - \zeta^{-2^{n-A}})] = 2^{n+1-A} = |\langle \sigma \rangle|$. Thus $\mathbb{Q}(\zeta^{2^{n-A}} - \zeta^{-2^{n-A}})$ is precisely this fixed field.

A similar, in fact easier, analysis can be carried out for $p \equiv 1 \pmod 4$. In this case $\mathfrak{p} = (p, \zeta^{2^{n-A+1}} - u)$ for some $u \in \mathbb{Z}$, where $2^A \,\|\, p - 1$. Then it is seen that $\sigma'$ fixes $\mathfrak{p}$. As in the previous case, we know from a general result of algebraic number theory that the decomposition group of $\mathfrak{p}$ has order $2^{n+1-A}$, which matches the order of $\sigma'$ computed above. We see that $\mathbb{Q}(\zeta^{2^{n+1-A}})$ is contained in the fixed field of $\sigma'$, and again, by looking at the subfield lattice to find $[\mathbb{Q}(\zeta) : \mathbb{Q}(\zeta^{2^{n+1-A}})] = 2^{n+1-A}$, we see that $\mathbb{Q}(\zeta^{2^{n+1-A}})$ is precisely the fixed field of the decomposition group of $\mathfrak{p}$.

Key Laboratory of Mathematics Mechanization, NCMIS, Academy of Mathematics and Systems Science, Chinese Academy of Sciences, Beijing 100190, China
E-mail address: [email protected]

State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China
E-mail address: [email protected]

School of Computer Science, University of Oklahoma, Norman, OK 73019, USA
E-mail address: [email protected], [email protected]@gmail.com, [email protected]