1 Introduction

In recent years, lattice-based cryptography has attracted much attention as a candidate for post-quantum cryptography. Ideal lattices form a special class of lattices corresponding to ideals in rings of the form \(\mathbb {Z}[x]/(f(x))\) for some irreducible polynomial f(x), such as \(f(x) = x^n + 1\) for a 2-power integer \(n > 1\) (e.g. see [37] for details). In cryptography, ideal lattices have been used as powerful tools to construct a number of efficient and secure cryptosystems, including public key encryption schemes [47, 48], hash functions [35, 39, 43] and digital signatures [34, 36]. Recently, ideal lattices have been applied to construct encryption schemes with high functionality. In 2009, Gentry [23] first proposed a construction of fully homomorphic encryption (FHE) using ideal lattices. After Gentry’s breakthrough, a number of variants of Gentry’s original FHE scheme have been proposed (in particular, the variants of [24, 49] are based on ideal lattices). In 2013, Garg, Gentry and Halevi [22] first proposed a candidate multilinear map from ideal lattices, called the GGH scheme. In 2014, Langlois, Stehlé and Steinfeld [30] improved the GGH scheme in both efficiency and security; their scheme is called GGHLite (see also [3] for an implementation of GGHLite).

For a 2-power integer \(n > 1\), let \(K = \mathbb {Q}(\zeta _{2n})\) be the 2n-th cyclotomic field and \(O_K = \mathbb {Z}[\zeta _{2n}] \simeq \mathbb {Z}[x]/(x^n + 1)\) its ring of integers, where \(\zeta _m\) denotes a primitive m-th root of unity for an integer \(m > 2\). In the cryptographic constructions of [22, 30, 49], a certain ‘short’ element \(g \in O_K\) is used as a secret key (see Sect. 3.1 for the description of ‘short’ elements). In contrast, some \(\mathbb {Z}\)-basis of the principal ideal (g), such as the Hermite normal form \({\mathrm {HNF}}(g)\), is used as a public key (e.g. see [14, Section 4] for the definition of \({\mathrm {HNF}}(g)\)). Therefore the security of [22, 30, 49] against key recovery attacks relies on the computational hardness of the following problem, introduced in [16, Section 1]:

Problem 1

(Short Generator of a Principal Ideal Problem, SG-PIP) Let K be a number field and \(O_K\) its ring of integers. Let g be a short element of \(O_K\). Given a \(\mathbb {Z}\)-basis of the principal ideal (g), the problem is to find g itself or a sufficiently short element \(g' \in O_K\) satisfying \((g') = (g)\).

This problem can be divided into the following two problems:

  • Principal Ideal Problem (PIP) Given a \(\mathbb {Z}\)-basis of the principal ideal \(I = (g)\), find a generator h of I.

  • Short Generator Problem (SGP) Given a generator h of I, recover g itself or a sufficiently short generator \(g'\) of I.

1.1 Recent progress for PIP and SGP

There are several classes of efficient algorithms for PIP over number fields of large degree in both classical and quantum computing models [7, 8, 10, 13, 26]. In [26], Hallgren proposed a polynomial-time quantum algorithm for PIP over number fields of small degree. Biasse and Fieker [10] first proposed a subexponential algorithm for an arbitrary class of number fields under the generalized Riemann hypothesis (see also [7]). For the security analysis of the cryptosystems of [22, 30, 49], we focus on PIP over cyclotomic fields. For \(2^k\)-th cyclotomic fields, Campbell, Groves and Shepherd [13] claimed that there is a polynomial-time quantum algorithm for PIP, although their claim has not been proved yet. Recently, Biasse [11] announced the same claim as Campbell et al. In a classical computing model, Biasse [8] also presented a heuristic algorithm to solve PIP over \(2^k\)-th cyclotomic fields in time \(2^{N^{2/3+\epsilon }}\) for \(N = 2^k\) and arbitrarily small \(\epsilon > 0\). (This complexity is improved to \(2^{N^{1/2+o(1)}}\) for \(N = 2^k\) in [9].)

As for SGP, Bernstein [6] first pointed out that SGP over (\(2^k\)-th) cyclotomic fields reduces to a closest vector problem (CVP) over the log-unit lattice, which is obtained by the logarithmic embedding. Similar attacks are also sketched by Campbell et al. [13]. Recently, Cramer, Ducas, Peikert and Regev [16] studied the geometry of a sublattice of the log-unit lattice, spanned by the image of the canonical generators of the group of cyclotomic units under the logarithmic embedding. They proved in [16, Theorem 3.1] that a basis of the sublattice has good properties. In [16, Theorem 4.1], they also gave an analysis of the attack previously sketched in [6] for SGP over \(2^k\)-th cyclotomic fields, under the assumption that Weber’s class number problem holds true (the problem is the conjecture that the class number of \(\mathbb {Q}(\zeta _q + \overline{\zeta _q})\) equals 1 for any 2-power integer \(q > 2\)). We refer to the attack as the Recovering Short Generators (RSG) attack. We should remark that the RSG attack was extended to the case of non-principal ideals in [17] and to that of \(p^{\alpha }q^{\beta }\)-th cyclotomic fields for two distinct odd prime numbers p and q in [27].

1.1.1 Outline of [16]

Here let us review Cramer et al.’s analysis for SGP in more detail. Given a prime power \(q = p^k\), let \(K = \mathbb {Q}(\zeta _q)\) be the q-th cyclotomic field and \(O_K = \mathbb {Z}[\zeta _q]\) its ring of integers. Consider the logarithmic embedding \({\mathrm {Log}}: K^{\times } \longrightarrow \mathbb {R}^{\varphi (q)/2}\), where \(\varphi (q) = \# (\mathbb {Z}/q\mathbb {Z})^{\times }\) (see Sect. 2.2 below for the definition of the embedding). Let \(O_K^\times \) denote the group of units in \(O_K\). Then \(\varLambda := {\mathrm {Log}}(O_K^{\times })\) defines a lattice of rank \(\varphi (q)/2 - 1\), called the log-unit lattice. Set \(G = (\mathbb {Z}/q\mathbb {Z})^{\times }/\{ \pm 1 \}\). Let \(\varLambda ^{\prime }\) be the sublattice of \(\varLambda \) spanned by the basis

$$\begin{aligned} \mathbf{B}:= \{ \mathbf{b}_j := {\mathrm {Log}}((\zeta _q^j - 1)/(\zeta _q - 1)) \mid j \in G \smallsetminus \{ 1 \} \}. \end{aligned}$$

Cramer et al. reduced SGP over K to CVP over \(\varLambda ^{\prime }\), and they gave a condition for succeeding in solving CVP over \(\varLambda ^{\prime }\). The success of their attack depends on the size of \(\Vert \mathbf{b}_j^{\vee } \Vert \) for \(j \in G \smallsetminus \{ 1 \}\), where the \(\mathbf{b}_j^\vee \)’s form the dual basis of \(\mathbf{B}\) in \(\mathbb {R}^{\varphi (q)/2}\). They proved in [16, Theorem 3.1] that all \(\Vert \mathbf{b}_j^{\vee } \Vert \) for \(j \in G \smallsetminus \{ 1 \}\) are equal, and gave an upper bound of \(\Vert \mathbf{b}_j^{\vee } \Vert \) (their attack is implemented over PARI/GP by Schank [45]).

In order to estimate the size of \(\Vert \mathbf{b}_j^{\vee } \Vert \), Cramer et al. analyzed a relation between the size of \(\Vert \mathbf{b}_j^{\vee } \Vert ^2\) and \(L(1, \chi )\) for any non-trivial even Dirichlet character \(\chi \), where \(L(s, \chi )\) denotes the Dirichlet L-function associated with \(\chi \). Indeed, they gave an implicit upper bound of \(\Vert \mathbf{b}_j^{\vee } \Vert \) up to constant [16, Theorem 3.1] by using the following implicit lower bounds [16, Theorem 2.6]:

$$\begin{aligned} |L(1, \chi )| \gg \left\{ \begin{array}{ll} \dfrac{1}{\log f_{\chi }} &{}\quad \text{( }\chi : \text{ non-quadratic, } \text{ primitive) }, \\ \dfrac{1}{\sqrt{f_{\chi }}} &{}\quad \text{( }\chi : \text{ quadratic, } \text{ primitive) }, \\ \end{array} \right. \end{aligned}$$
(1)

where \(f_{\chi }\) is the conductor of \(\chi \) (see Sect. 2.3 for definitions of Dirichlet characters, their conductors and Dirichlet L-functions). Their upper bound of \(\Vert \mathbf{b}_j^{\vee } \Vert \) implies that we have \(\Vert \mathbf{b}_j^{\vee } \Vert = \tilde{{\mathcal O}}(q^{-1/2})\). This is a good property for solving SGP for sufficiently large k. However, we need an explicit bound of \(L(1,\chi )\) for estimating the size of \(\Vert \mathbf{b}_j^{\vee } \Vert \) in the case of a fixed k used in cryptography.

1.2 Our contributions

Our contributions of this paper are as follows:

  • Upper and Lower Bounds of \(L(1, \chi ^*)\): We give explicit upper and lower bounds of \(L(1, \chi ^*)\) for each non-trivial even Dirichlet character \(\chi \) modulo a prime power \(q = p^k\) (Sect. 5 below). Here \(\chi ^*\) is the primitive Dirichlet character inducing \(\chi \). We use results on upper and lower bounds of \(L(1, \chi ^*)\) by [19, 31, 33, 44]. The key point is that we give a lower bound of \(L(1, \chi ^*)\) for any even quadratic Dirichlet character \(\chi \) modulo q with the aid of the class number formula. Moreover, our bounds are easily computable, namely we can evaluate the size \(L(1, \chi ^*)\) for any fixed \(k \ge 1\) and \(\chi \).

  • Theoretical Estimation of \(\Vert \mathbf{b}_j^{\vee } \Vert \): We give explicit upper and lower bounds of the size of \(\Vert \mathbf{b}_j^{\vee } \Vert \) by using our bounds of \(L(1, \chi )\) (Sects. 6 and 7 below). Our strategy is to count the exact number of even Dirichlet characters modulo q having any given conductor \(f_{\chi }\), while Cramer et al. used a rough estimate of the number of such characters. The asymptotic evaluation of our upper bounds of \(\Vert \mathbf{b}_j^{\vee } \Vert \) has the same order as Cramer et al.’s one. In particular, we have \(\Vert \mathbf{b}_j^{\vee } \Vert = \tilde{{\mathcal O}}(q^{-1/2})\) for any prime number p and \(q = p^k\). In contrast to Cramer et al.’s evaluation, our bounds of \(\Vert \mathbf{b}_j^{\vee } \Vert \) are explicit for any fixed k. Specifically, our bounds imply that the success probability of their attack becomes much higher for \(q = 2^k\) with \(k \ge 11\).

  • Experimental Verification: By experiments, we verify the effectiveness of the RSG attack against the cryptosystems of [22, 30, 49] for \(q = 2^k\) and \(6 \le k \le 10\) (Sect. 8 below). In particular, the RSG attack can recover the secret key g with probability about 50% (resp. 85% and 100%) when \(k=6\) (resp. \(k = 8\) and \(k = 10\)). Our experiments also show that the success probability of their attack is independent of the distributions used for generating keys in the cryptosystems of [22, 30, 49] (e.g. uniformly random and discrete Gaussian distributions).

Recall that the security of cryptosystems of [22, 30, 49] is based on the difficulty of Problem 1 (SG-PIP), which can be divided into two problems PIP and SGP. By combining our theoretical and experimental results, we expect that SGP over \(2^k\)-th cyclotomic fields in cryptosystems of [22, 30, 49] could be solved by the RSG attack if \(k \ge 10\), under the assumption that Weber’s class number problem holds true. Note that \(k \ge 10\) is required for high security (e.g. 80-bit security) of these cryptosystems. Thereby, the security of these cryptosystems relies only on the difficulty of PIP.

2 Mathematical background

In this section, we prepare mathematical notation for our later discussion. Let \(\mathbb {N}\), \(\mathbb {Z}\), \(\mathbb {R}\) and \(\mathbb {C}\) be the set of positive integers, the ring of integers, the field of real numbers and the field of complex numbers, respectively. We denote by \(\langle \cdot , \cdot \rangle \) and \(\Vert \cdot \Vert \) the natural inner product and the Euclidean norm on \(\mathbb {C}^n\), respectively. We also denote column vectors by lower-case bold letters (e.g. \(\mathbf{b}\)) and matrices by upper-case bold letters (e.g. \(\mathbf{B}\)). The symbol \(\#S\) stands for the cardinality of a set S. For non-negative functions f and g on a set X, we write \(f(x) \ll g(x)\) (or \(f(x) = {\mathcal O}(g(x))\)) if there exists a constant \(C>0\) such that \(f(x)\le C g(x)\) for all \(x\in X\). For \(\epsilon >0\), we write \(f(x) \ll _{\epsilon } \, g(x)\) if the implicit constant depends on \(\epsilon \).

2.1 Lattices and CVP

A lattice \({\mathcal {L}}\) is a discrete additive subgroup of a finite dimensional \(\mathbb {R}\)-vector space \(\mathbb {R}^n\) for some \(n \in \mathbb {N}\). The rank of \({\mathcal {L}}\) is defined as \(\dim _\mathbb {R}{\mathcal {L}} \otimes _\mathbb {Z}\mathbb {R}\). Given any lattice \(\mathcal{L}\subset \mathbb {R}^n\) of rank \(m \le n\), there exists a set of \(\mathbb {R}\)-linearly independent vectors \(\mathbf{B}= \{ \mathbf{b}_1,\ldots ,\mathbf{b}_m \}\) such that \(\mathcal{L}= \mathcal{L}(\mathbf{B}) := \sum _{1 \le i \le m}\mathbb {Z}\mathbf{b}_i\). We identify \(\mathbf{B}\) as an \(n \times m\)-matrix, and the matrix is called a basis of \(\mathcal{L}\). For any lattice \(\mathcal{L}\) with basis \(\mathbf{B}= \{ \mathbf{b}_1,\ldots ,\mathbf{b}_m \}\), there exists a set of \(\mathbb {R}\)-linearly independent vectors \(\mathbf{B}^{\vee } = \{ \mathbf{b}_1^{\vee },\ldots ,\mathbf{b}_m^{\vee } \} \subset \mathrm {span}(\mathbf{B}) := \sum _{1 \le i \le m}\mathbb {R}\mathbf{b}_i\) such that \(\langle \mathbf{b}_i, \mathbf{b}_j^{\vee } \rangle = \delta _{ij}\), where \(\delta _{ij}\) is the Kronecker delta given by \(\delta _{ij} = 1\) (resp. \(\delta _{ij} = 0\)) if \(i = j\) (resp. otherwise). In other words, \(\mathbf{B}^t \cdot \mathbf{B}^\vee = \left( \mathbf{B}^\vee \right) ^t \cdot \mathbf{B}\) is equal to the identity matrix. Then \(\mathcal{L}^\vee := \mathcal{L}(\mathbf{B}^\vee )\) defines a lattice, called the dual lattice of \(\mathcal{L}\) with the dual basis \(\mathbf{B}^\vee \) of \(\mathbf{B}\).

Given a lattice \(\mathcal{L}\subset \mathbb {R}^n\) with basis \(\mathbf{B}\) and a target vector \({\mathbf{t}} \in \mathbb {R}^n \smallsetminus \mathcal{L}\), the closest vector problem (CVP) is to find a lattice vector \(\mathbf{v}\in \mathcal{L}\) closest to \(\mathbf{t}\). An efficient approach for CVP is the round-off algorithm proposed by Babai [4]. The round-off algorithm for \(\mathbf{B}\) and \(\mathbf{t}\) outputs \(\mathbf{B}\cdot \lfloor \left( \mathbf{B}^{\vee } \right) ^t \cdot \mathbf{t}\rceil \in \mathcal{L}\), where the rounding function \(\lfloor c \rceil := \lfloor c + \frac{1}{2} \rfloor \) is applied to each entry of \(\left( \mathbf{B}^{\vee }\right) ^t \cdot \mathbf{t}\) independently. The following lemma provides a condition for solving CVP by Babai’s round-off algorithm.

Lemma 1

[16, Claim 2.1] Let \(\mathcal{L}\subset \mathbb {R}^n\) be a lattice with basis \(\mathbf{B}\). Let \(\mathbf{t}= \mathbf{v}+ \mathbf{e}\) with \(\mathbf{v}\in \mathcal{L}\) and \(\mathbf{e} \in \mathbb {R}^n\). If \(\langle \mathbf{b}_j^{\vee }, \mathbf{e} \rangle \in \left[ -\frac{1}{2}, \frac{1}{2} \right) \) for all \(\mathbf{b}_j^{\vee } \in \mathbf{B}^{\vee }\), then \(\mathbf{v}\) can be recovered by Babai’s round-off algorithm for \(\mathbf{B}\) and \(\mathbf{t}\).

This lemma is a key for solving SGP by the RSG attack (see Sect. 4).

2.2 Log-unit lattice and cyclotomic units

For an integer \(q > 2\), let \(\zeta _q \in \mathbb {C}\) be a primitive q-th root of unity. Then the field \(K = \mathbb {Q}(\zeta _q)\) is called the q-th cyclotomic field. The field K is a Galois extension of \(\mathbb {Q}\) of degree \([K : \mathbb {Q}] = \varphi (q)\), where \(\varphi \) denotes the Euler totient function defined by \(\varphi (n) = \# (\mathbb {Z}/n\mathbb {Z})^\times \) for \(n \in \mathbb {N}\). Then \(O_K = \mathbb {Z}[\zeta _q]\) is the ring of integers of K. For any \(\sigma \in {\mathrm {Gal}}(K/\mathbb {Q})\), we have \(\sigma (\zeta _q) = \zeta _q^{j}\) for some \(j \in \mathbb {Z}\) with \(\gcd (j,q) = 1\) since \(\sigma (\zeta _q)\) is also a primitive root of unity. In other words, we have

$$\begin{aligned} {\mathrm {Gal}}(K/\mathbb {Q}) = \{ \sigma _j \mid j \in (\mathbb {Z}/q\mathbb {Z})^{\times } \} \cong \left( \mathbb {Z}/q\mathbb {Z}\right) ^{\times } \end{aligned}$$

with \(\sigma _j(\zeta _q) = \zeta _q^j\). Set \(G := \left( \mathbb {Z}/q\mathbb {Z}\right) ^\times /\{ \pm 1 \}\). From now on we fix an enumeration \(G \cong \{1, \cdots , \varphi (q)/2\}\) and define the logarithmic embedding of \(K^{\times }\) by

$$\begin{aligned} {\mathrm {Log}} : K^{\times } \longrightarrow \mathbb {R}^{\varphi (q)/2}, \ a \mapsto \left( \log |\sigma _j(a)| \right) _{j \in G}. \end{aligned}$$

We have \({\mathrm {Log}}(a\cdot b) = {\mathrm {Log}}(a) + {\mathrm {Log}}(b)\) for any \(a, b \in K^\times \). Let \(O_K^\times \) denote the group of units in \(O_K\). By the Dirichlet Unit Theorem (e.g. see [42]), \(\varLambda := {\mathrm {Log}}(O_K^{\times })\) gives a lattice of rank \(\frac{\varphi (q)}{2} - 1\), and the kernel of \({\mathrm {Log}}|_{O_K^{\times }}\) is \(\mu (K)\), where \(\mu (K)\) denotes the group of all roots of unity in K. The lattice \(\varLambda \) is called the log-unit lattice of K. It is easy to see that all vectors in \(\varLambda \) are orthogonal to \(\mathbf{1}:= (1, 1, \ldots , 1) \in \mathbb {R}^{\varphi (q)/2}\) since \(N_{K/\mathbb {Q}}(\epsilon ) = \prod _{j \in (\mathbb {Z}/q\mathbb {Z})^{\times }}\sigma _j(\epsilon ) = \pm 1\) for any \(\epsilon \in O_K^{\times }\), where \(N_{K/\mathbb {Q}}\) denotes the norm map from \(K^{\times }\) to \(\mathbb {Q}^\times \).

Let A be the multiplicative subgroup of \(K^{\times }\) generated by \(\pm \zeta _q\) and \(z_j := \zeta _q^j - 1\) for \(j \in G\). We have \({\mathrm {Log}} (z_j) = {\mathrm {Log}} (z_{-j})\) by \(z_j = -\zeta _q^jz_{-j}\), that is, \(z_j \equiv z_{-j} \pmod {\mu (K)}\). The group C of cyclotomic units is defined as

$$\begin{aligned} C := A \cap O_K^{\times }. \end{aligned}$$

In general, it may not be easy to compute generators of C. However, when \(q = p^k\) for some prime number p, generators of C are obtained by the following lemma:

Lemma 2

[52, Lemma 8.1] Let \(q = p^k\) be a prime power and C the group of cyclotomic units of the q-th cyclotomic field. Set \(G := \left( \mathbb {Z}/q\mathbb {Z}\right) ^\times /\{ \pm 1 \}\), \(z_j := \zeta _q^j - 1\) and \(b_j := z_j/z_1\) for \(j \in G \smallsetminus \{ 1 \}\). Then the group C is generated by \(\pm \zeta _q\) and the \(b_j\)’s for \(j \in G \smallsetminus \{ 1 \}\).

We call the \(b_j\)’s for \(j \in G \smallsetminus \{ 1 \}\) the canonical generators of C. Note that \({\mathrm {Log}}(C)\) is a sublattice of \(\varLambda \) of finite index. More precisely, we have \([\varLambda : {\mathrm {Log}}(C)] = h^{+}(q)\) for a prime power q, where \(h^{+}(q)\) is the class number of \(K^{+} := \mathbb {Q}(\zeta _q + \overline{\zeta _q})\) (see [52, Exercise 8.5] for details).

2.3 Dirichlet characters and Dirichlet L-functions

Let G be a finite abelian group. The character group of G, denoted by \(\widehat{G}\), is the set of group homomorphisms from G to \(\mathbb {C}^{\times }\). It is easy to see that \(\widehat{G}\) becomes a group with the pointwise product. There is a non-canonical group isomorphism between G and \(\widehat{G}\), and hence \(\# G = \# \widehat{G}\).

Let us introduce Dirichlet characters and Dirichlet L-functions (e.g. see [18, 42]). For \(q \in \mathbb {N}\), we consider the group \((\mathbb {Z}/q\mathbb {Z})^\times \). An element \(\chi \in \widehat{(\mathbb {Z}/q\mathbb {Z})^\times }\) is called a Dirichlet character (or character) modulo q. The character \(\chi \) is naturally extended to a multiplicative function \(\tilde{\chi }\) on \(\mathbb {N}\) by

$$\begin{aligned} \widetilde{\chi }(n)= {\left\{ \begin{array}{ll} \chi (n \ \text {mod} \ q) &{}\quad ({\mathrm{gcd}}(n, q)=1), \\ 0 &{}\quad ({\mathrm{gcd}}(n, q)>1). \end{array}\right. } \end{aligned}$$

The conductor \(f_{\chi }\) of \(\chi \) is defined as the minimal positive divisor d of q such that \(\chi \) factors through some Dirichlet character \(\chi '\) modulo d, that is, we have

$$\begin{aligned} \chi : (\mathbb {Z}/q\mathbb {Z})^{\times } \twoheadrightarrow (\mathbb {Z}/d\mathbb {Z})^{\times } \xrightarrow {\chi '} \mathbb {C}^{\times }. \end{aligned}$$

We denote by \(\chi ^{*}\) the Dirichlet character modulo \(f_\chi \) inducing \(\chi \). We call \(\chi \) primitive if \(f_\chi \) is exactly equal to q. Notice that \(\chi ^*\) is primitive. The character \(\chi \) is called even (resp. odd) if \(\chi (-1)=1\) (resp. \(\chi (-1)=-1\)), and \(\chi \) is called quadratic if \(\chi ^2\) is trivial but \(\chi \) is non-trivial.

Let \(L(s, \chi )\) denote the Dirichlet L-function associated with \(\chi \), defined by

$$\begin{aligned} L(s, \chi )=\sum _{n=1}^{\infty }\frac{\tilde{\chi }(n)}{n^s} \qquad (\mathrm {Re}(s)>1). \end{aligned}$$

The defining series converges absolutely on the region \(\mathrm {Re}(s)>1\). If \(\chi \) is non-trivial, the series \(L(s, \chi )\) converges on the region \(\mathrm {Re}(s)>0\). It is well-known that \(L(s, \chi )\) has a meromorphic continuation to the whole plane \(\mathbb {C}\). Furthermore, its only possible pole \(s=1\) is simple and occurs only when \(\chi \) is trivial. We have the relation

$$\begin{aligned} L(s, \chi ) = \left\{ \prod _{\begin{array}{c} p | q \\ p \not \mid f_{\chi } \end{array} } (1-\chi ^{*}(p) p^{-s}) \right\} L(s, \chi ^{*}) \end{aligned}$$
(2)

for any non-trivial character \(\chi \) modulo q, where p runs over all prime divisors of q such that \(p \not \mid f_{\chi }\). By (2), we easily obtain the following.

Lemma 3

Let \(\chi \) be a Dirichlet character modulo q. The following are equivalent.

  1. \(L(s, \chi ) = L(s, \chi ^*)\).

  2. The set of all prime divisors of \(f_\chi \) is equal to that of all prime divisors of q.

In particular, we have \(L(s, \chi )=L(s, \chi ^{*})\) if q is a prime power and \(\chi \) is non-trivial.

2.4 Relation between lower bounds and zeros of L-functions

In this subsection, we review upper and lower bounds of \(L(1, \chi )\) for non-trivial Dirichlet characters \(\chi \), and explain why the lower bound

$$\begin{aligned} L(1, \chi ) \gg \frac{1}{\log q} \end{aligned}$$

is not yet known for quadratic characters \(\chi \) modulo q.

As for upper bounds, the following is obtained easily.

Theorem 1

[18, (13) in p. 96] For any non-trivial Dirichlet character \(\chi \) modulo q, the estimate

$$\begin{aligned} |L(1, \chi )| \ll \log q \end{aligned}$$

holds with the implicit constant independent of \(\chi \) and q.

As for lower bounds, we need to consider the influence of a possible real zero of \(L(s, \chi )\) near 1. The following gives the definition of a Siegel zero.

Theorem 2

[18, p. 93]

  1. There exists a constant \(C>0\) such that for any non-trivial Dirichlet character \(\chi \) modulo q, \(L(s, \chi )\) does not vanish if \(s=\sigma +\sqrt{-1}t\) \((\sigma , t \in \mathbb {R})\) is contained in the region

    $$\begin{aligned} \sigma > 1-\frac{C}{\log \{q(1+|t|)\}} \end{aligned}$$

    except for at most one real number \(\beta =\beta _{\chi } \in (1-\frac{C}{\log \{q(1+|t|)\}}, 1)\). We call the region a zero-free region of \(L(s, \chi )\). Such a possible real zero \(\beta \) of \(L(s, \chi )\) is called a Siegel zero (cf. [41, Chapter 2]).

  2. The Siegel zero \(\beta \) of \(L(s, \chi )\) does not exist when the non-trivial character \(\chi \) is not quadratic.

Siegel zeros do not lie on the vertical line \(\mathrm {Re}(s)=1/2\), contrary to the generalized Riemann hypothesis. The Siegel zero of \(L(s, \chi )\) is related to lower bounds of \(L(1, \chi )\) as follows.

Theorem 3

[29] For any non-trivial Dirichlet character \(\chi \) modulo q, we have

$$\begin{aligned} |L(1, \chi )| \gg \frac{1}{\log q} \end{aligned}$$

unless \(L(s, \chi )\) has a Siegel zero. Here the implicit constant is independent of \(\chi \) and q. In particular, the inequality as above holds if \(\chi \) is not quadratic.

The existence of Siegel zeros is a deep problem in number theory, as it influences the distribution of zeros of \(L(s, \chi )\) and lower bounds of \(L(1, \chi )\). The non-existence of Siegel zeros for Dirichlet L-functions has not been proved yet. As for quadratic characters \(\chi \), the best currently known lower bound of \(L(1, \chi )\) is Siegel’s theorem [46]. We refer to [18, Chapter 21] and [41, Chapter 2].

Theorem 4

(Siegel’s theorem [46]) For any \(\epsilon >0\), there exists an ineffective constant \(C_{\epsilon }>0\) such that the inequality

$$\begin{aligned} L(1, \chi ) \ge \frac{C_\epsilon }{q^\epsilon } \end{aligned}$$

holds for any primitive quadratic character \(\chi \) modulo q. Here recall that \(L(1, \chi )>0\) if \(\chi \) is quadratic.

The primitivity of \(\chi \) in Siegel’s theorem can easily be dropped, since

$$\begin{aligned} L(1, \chi ) \ge \left\{ \prod _{p|q}(1-p^{-1})\right\} L(1, \chi ^{*}) \gg _\epsilon \frac{1}{q^\epsilon } L(1, \chi ^{*}). \end{aligned}$$

We remark that the constant \(C_{\epsilon }\) is ineffective since it may depend on a possible Siegel zero \(\beta \in (1-\epsilon , 1)\).

Siegel’s theorem can be applied to the following two number theoretical problems. First, the class number \(h_K\) of an imaginary quadratic field K goes to infinity as the absolute value \(d_K\) of the discriminant of \(K/\mathbb {Q}\) tends to infinity. Second, the asymptotics \(\log h_{K} \sim \log \sqrt{d_K}\) holds as \(d_{K}\rightarrow \infty \) with K imaginary quadratic. It is a special case of the Brauer–Siegel theorem (cf. [32]). By this asymptotics, for any given \(n\in \mathbb {N}\) there exist only finitely many imaginary quadratic fields K such that \(h_K=n\).

Later, an effective version of Siegel’s theorem was given by Tatuzawa [50], with the implicit constant effective for every quadratic character \(\chi \) except for at most one ineffective quadratic character. Although Tatuzawa’s theorem was made explicit by [32] except for one quadratic character, the exceptional one is still ineffective.

In Sects. 5 and 6 below, we will give explicit upper and lower bounds of \(L(1, \chi )\) for any non-trivial even Dirichlet character \(\chi \) modulo any prime power. For this purpose, we review the explicit estimates for primitive Dirichlet characters in [19, 33] and [44] needed later.

Proposition 1

[33, Corollary 2] Let \(\chi \) be a non-quadratic primitive Dirichlet character modulo \(q>1\). Then, we have

$$\begin{aligned} |L(1, \chi )|\ge \frac{1}{10\log (q/\pi )}. \end{aligned}$$

Proposition 2

[44, Corollaries 1 and 3] Let \(\chi \) be an even primitive Dirichlet character modulo \(q>1\). Then, we have

$$\begin{aligned} |L(1,\chi )|\le \frac{1}{2}\log q. \end{aligned}$$

In particular, if 2|q, we have

$$\begin{aligned} |L(1, \chi )|\le \frac{1}{4}\log q+\frac{1}{2}\log 2. \end{aligned}$$

Proposition 3

[19, Theorem 1.1] Let \(\chi \) be an even primitive Dirichlet character modulo \(q>1\) such that \(3|f_\chi \). Then, we have

$$\begin{aligned} |L(1, \chi )| \le \frac{1}{3}\log q + 0.368296. \end{aligned}$$
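As an added illustration (not code from the paper), the following Python script makes the definitions of Sect. 2.3 and the bounds of Propositions 1 and 2 concrete for \(q = 2^k\). It enumerates all Dirichlet characters modulo \(2^k\) through the decomposition \((\mathbb {Z}/2^k\mathbb {Z})^\times = \{ \pm 1 \} \times \langle 5 \rangle \), computes each conductor directly from the ‘factors through \((\mathbb {Z}/d\mathbb {Z})^\times \)’ definition, evaluates \(L(1, \chi ) = L(1, \chi ^*)\) (Lemma 3, q a prime power) for the even non-trivial characters with the finite formula \(L(1, \chi ^*) = -\frac{\tau (\chi ^*)}{f} \sum _{a=1}^{f-1} \overline{\chi ^*}(a) \log |1 - \zeta _f^a|\) (Washington, Introduction to Cyclotomic Fields, Theorem 4.9), and checks the computed values against the explicit bounds of Propositions 1 and 2 applied to \(\chi ^*\) modulo \(f = f_\chi \). The parametrisation of characters by the pair (e, m), the function names and the tolerance constant are this example’s own choices.

```python
import cmath
import math

TOL = 1e-9   # tolerance for comparing character values (roots of unity as complex floats)

def units_mod_2k(k):
    """The group (Z/2^kZ)^x: the odd residues modulo q = 2^k."""
    return list(range(1, 2 ** k, 2))

def decompose(a, k):
    """Write a ≡ (-1)^s * 5^t (mod 2^k) with s in {0,1}, 0 <= t < 2^(k-2); brute force."""
    q = 2 ** k
    for s in (0, 1):
        for t in range(q // 4):
            if ((-1) ** s * pow(5, t, q)) % q == a % q:
                return s, t
    raise ValueError(f"{a} is not a unit modulo {q}")

def make_character(k, e, m):
    """Character mod 2^k (k >= 3) with chi(-1) = (-1)^e and chi(5) = exp(2 pi i m / 2^(k-2)),
    extended by zero to even n as in Sect. 2.3; (e, m) ranges over all 2^(k-1) characters."""
    q = 2 ** k
    order5 = q // 4
    def chi(n):
        if n % 2 == 0:
            return 0
        s, t = decompose(n % q, k)
        return (-1) ** (s * e) * cmath.exp(2j * math.pi * t * m / order5)
    return chi

def all_characters(k):
    return [(e, m, make_character(k, e, m)) for e in (0, 1) for m in range(2 ** k // 4)]

def conductor(chi, k):
    """Smallest d | q such that chi(a) = chi(b) whenever a ≡ b (mod d), i.e. chi factors
    through (Z/dZ)^x; d = 1 is returned for the trivial character."""
    units = units_mod_2k(k)
    for i in range(k + 1):
        d = 2 ** i
        if all(abs(chi(a) - chi(b)) < TOL for a in units for b in units if (a - b) % d == 0):
            return d
    raise AssertionError("unreachable: chi always factors through d = q")

def is_even(chi):
    return abs(chi(-1) - 1) < TOL

def is_quadratic(chi, k):
    units = units_mod_2k(k)
    nontrivial = any(abs(chi(a) - 1) > TOL for a in units)
    return nontrivial and all(abs(chi(a) ** 2 - 1) < TOL for a in units)

def L1_even(chi, f):
    """L(1, chi*) for even non-trivial chi of conductor f, by the finite formula
    L(1, chi*) = -(tau(chi*)/f) sum_{a=1}^{f-1} conj(chi*(a)) log|1 - zeta_f^a|.
    For q = 2^k and odd a < f we have chi*(a) = chi(a), so chi itself can be used."""
    zeta = cmath.exp(2j * math.pi / f)
    tau = sum(chi(a) * zeta ** a for a in range(1, f))
    s = sum(chi(a).conjugate() * math.log(abs(1 - zeta ** a)) for a in range(1, f, 2))
    return -(tau / f) * s

def analyse(k):
    """All even non-trivial characters mod 2^k with conductor, L(1, chi) = L(1, chi*)
    (Lemma 3) and the explicit bounds of Propositions 1 and 2 applied to chi* mod f."""
    rows = []
    for e, m, chi in all_characters(k):
        f = conductor(chi, k)
        if f == 1 or not is_even(chi):
            continue
        quadratic = is_quadratic(chi, k)
        rows.append({
            "e": e, "m": m, "conductor": f, "quadratic": quadratic,
            "L1": L1_even(chi, f),
            "upper": 0.25 * math.log(f) + 0.5 * math.log(2),                     # Prop. 2 (2 | f)
            "lower": None if quadratic else 1 / (10 * math.log(f / math.pi)),   # Prop. 1
        })
    return rows

def bounds_hold(k):
    """True if every computed |L(1, chi*)| lies within the bounds of Propositions 1 and 2."""
    return all(abs(r["L1"]) <= r["upper"] and (r["lower"] is None or abs(r["L1"]) >= r["lower"])
               for r in analyse(k))

if __name__ == "__main__":
    for r in analyse(4):
        print(r)
    print("bounds hold for k = 4, 5, 6:", bounds_hold(4), bounds_hold(5), bounds_hold(6))
```

For \(k = 4\) the script finds three even non-trivial characters: the quadratic one has conductor 8 and \(L(1, \chi ^*) \approx 0.6232\) (which agrees with the class number formula \(2h\log \varepsilon /\sqrt{8}\) with \(h = 1\), \(\varepsilon = 1 + \sqrt{2}\)), and the two complex ones are primitive of conductor 16 with \(|L(1, \chi )| \approx 0.832\); Proposition 1 gives no lower bound for the quadratic character, which is exactly the gap the paper fills with the class number formula in Sect. 5.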

3 Cryptosystems using short generators

As mentioned in Sect. 1, the security of some cryptosystems [22, 30, 49] relies on the computational hardness of finding a short generator of a principal ideal of a number field from a \(\mathbb {Z}\)-basis of the ideal. This problem is called the Short Generator of a Principal Ideal Problem (SG-PIP). In this section, we define short generators and briefly give a relation between these cryptosystems and SG-PIP. These cryptosystems are constructed over the ring \(R = \mathbb {Z}[x]/(x^n+1)\) for a given degree parameter n of the form \(n=2^{k-1} \ (k>1)\).

3.1 Definition of short generator

Let f be any element of R and \(\sum _{0 \le i < n}f_ix^i \in \mathbb {Z}[x]\) the polynomial of degree \(<n\) representing f. For any \(1 \le \ell \le \infty \), we can define \(\ell \)-norm \(\Vert f \Vert _{\ell }\) of f as follows:

$$\begin{aligned} \Vert f \Vert _{\ell } := \Vert (f_0, \ldots , f_{n-1}) \Vert _{\ell }. \end{aligned}$$

As we explain below, to generate a secret key, and to conduct key recovery attacks against the schemes in [22, 30, 49], one needs a generator \(g \in R\) of a principal ideal whose norm \(\Vert g \Vert \), for some norm \(\Vert \cdot \Vert \), satisfies a certain inequality. Such a g is called a short generator. Note that the definition of short generators depends on the cryptosystem.

3.2 Smart–Vercauteren FHE scheme

We explain the somewhat homomorphic encryption (SHE) scheme proposed by Smart and Vercauteren [49], which is turned into a fully homomorphic encryption (FHE) scheme by bootstrapping. The key generation of the SHE scheme over R is as follows:

  1. Given a parameter \(\eta > 0\), choose a random polynomial \(G(x) = \sum _{i = 0}^{n-1} g_i x^i \in \mathbb {Z}[x]\), such that \(\Vert G(x) \Vert _\infty := \max _i | g_i |\) is \(\eta \)-bit, \(G(x) \equiv 1 \pmod {2}\), and \(p = |\det ({\mathrm {Rot}}(G(x)))|\) is prime, where \({\mathrm {Rot}}(G(x))\) denotes the rotation matrix.

  2. Compute \(D(x) = {\mathrm {gcd}}(G(x), x^n + 1)\) over \(\mathbb {F}_p[x]\), and take the unique root \(\alpha \in \mathbb {F}_p\) of D(x).

  3. Apply the XGCD algorithm over \(\mathbb {Q}[x]\) to obtain \(Z(x) = \sum _{i = 0}^{n-1} z_i x^i \in \mathbb {Z}[x]\) satisfying \(Z(x) \cdot G(x) \equiv p \pmod {x^n + 1}.\) Set \(B = z_0 \pmod 2\). Then the public key is \({\mathsf {pk}} = (p, \alpha )\), and the secret key is \({\mathsf {sk}} = (p, B)\).

The ideal \({\mathfrak {p}} = (p, x - \alpha )\) of R is constructed from \({\mathsf {pk}}\), and its Hermite normal form (HNF) is given by

$$\begin{aligned} \begin{pmatrix} p &{}\quad -\alpha &{}\quad \cdots &{}\quad -\alpha ^{n-1} \\ 0 &{}\quad 1 &{}\quad \cdots &{}\quad 0 \\ \vdots &{}\quad \vdots &{}\quad \ddots &{}\quad \vdots \\ 0 &{}\quad 0 &{}\quad \cdots &{}\quad 1 \end{pmatrix}. \end{aligned}$$

By the construction, \({\mathfrak {p}}\) is a principal ideal generated by \(G(x) \in R\). As mentioned in [49], \({\mathsf {sk}}\) can be recovered from the inverse of a small generator of \({\mathfrak {p}}\) (since \(\eta \ll p\)). Hence, recovering \({\mathsf {sk}}\) from \({\mathsf {pk}}\) is an instance of SG-PIP.
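The three key generation steps above, as an added Python example with toy parameters (this is not the implementation of [49]): G(x) is sampled as \(1 + 2F(x)\) so that \(G(x) \equiv 1 \pmod 2\); the norm \(p = |\det {\mathrm {Rot}}(G(x))| = |N(G)|\) and the cofactor Z(x) with \(Z(x) G(x) \equiv p \pmod {x^n+1}\) are obtained exactly in integer arithmetic as the product of the conjugates \(G(x^i)\) over the other automorphisms of R (this replaces the XGCD of step 3 and yields the same Z(x), since the inverse of G(x) modulo \(x^n + 1\) is unique); and the root \(\alpha \) of \(D(x) = \gcd (G(x), x^n+1)\) over \(\mathbb {F}_p\) is found by exhaustive search, which is adequate only for the small p of this example. The final check confirms \(\alpha ^n \equiv -1\) and \(G(\alpha ) \equiv 0 \pmod p\), i.e. \(G(x) \in {\mathfrak {p}} = (p, x - \alpha )\), and \(Z(x) G(x) \equiv p\). The parameters \(n = 4\), \(\eta = 3\), the seeded sampler and the function names are constructed for this example.

```python
import random

def poly_mul_mod(a, b, n):
    """Multiply coefficient lists (length n) in Z[x]/(x^n + 1), using x^n = -1."""
    out = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < n:
                out[k] += ai * bj
            else:
                out[k - n] -= ai * bj
    return out

def conjugate(g, i, n):
    """sigma_i(G)(x) = G(x^i) reduced modulo x^n + 1, for odd i (an automorphism of R)."""
    out = [0] * n
    for e, c in enumerate(g):
        k = (e * i) % (2 * n)
        if k < n:
            out[k] += c
        else:
            out[k - n] -= c
    return out

def norm_and_cofactor(g, n):
    """Return (N(G), Z0) with G * Z0 = N(G) = det Rot(G): Z0 is the product of the
    conjugates sigma_i(G), 1 < i < 2n odd, so everything stays in integer arithmetic."""
    z = [1] + [0] * (n - 1)
    for i in range(3, 2 * n, 2):
        z = poly_mul_mod(z, conjugate(g, i, n), n)
    prod = poly_mul_mod(g, z, n)
    assert all(c == 0 for c in prod[1:]), "G * Z0 must be a constant"
    return prod[0], z

def is_prime(m):
    """Trial division; sufficient for the toy sizes of this example."""
    if m < 2:
        return False
    if m % 2 == 0:
        return m == 2
    d = 3
    while d * d <= m:
        if m % d == 0:
            return False
        d += 2
    return True

def poly_eval_mod(g, x, p):
    acc = 0
    for c in reversed(g):
        acc = (acc * x + c) % p
    return acc

def roots_of_D(g, n, p):
    """Roots of D(x) = gcd(G(x), x^n + 1) in F_p, i.e. the common roots; exhaustive search."""
    return [a for a in range(p) if pow(a, n, p) == p - 1 and poly_eval_mod(g, a, p) == 0]

def keygen(n, eta, rng):
    """Steps 1-3 of the SHE key generation with a constructed toy sampling of G(x)."""
    while True:
        f = [rng.randrange(-(2 ** (eta - 1)), 2 ** (eta - 1)) for _ in range(n)]
        g = [2 * c for c in f]
        g[0] += 1                                   # G(x) = 1 + 2F(x) ≡ 1 (mod 2)
        N, z = norm_and_cofactor(g, n)
        p = abs(N)
        if not is_prime(p):
            continue                                # step 1 requires p prime
        if N < 0:
            z = [-c for c in z]                     # now Z * G ≡ p (mod x^n + 1)
        roots = roots_of_D(g, n, p)
        assert len(roots) == 1, "D(x) has a unique root when N(G) is prime"
        alpha = roots[0]
        B = z[0] % 2
        return {"G": g, "Z": z, "p": p, "alpha": alpha, "pk": (p, alpha), "sk": (p, B)}

def check_keys(n, g, p, alpha, z):
    """Consistency: alpha^n ≡ -1, G(alpha) ≡ 0 (so G ∈ (p, x - alpha)), and Z * G ≡ p."""
    return (pow(alpha, n, p) == p - 1
            and poly_eval_mod(g, alpha, p) == 0
            and poly_mul_mod(z, g, n) == [p] + [0] * (n - 1))

def example_keys(seed=7):
    """Deterministic toy instance: n = 4 (x^4 + 1), eta = 3."""
    return keygen(4, 3, random.Random(seed))

if __name__ == "__main__":
    keys = example_keys()
    print(keys)
    print("consistent:", check_keys(4, keys["G"], keys["p"], keys["alpha"], keys["Z"]))
```

Because N(G) is prime, the prime p splits completely in \(\mathbb {Q}(\zeta _{2n})\), so \(x^n + 1\) has n distinct roots modulo p but only one of them is a root of G(x); the assertion in `keygen` checks exactly this uniqueness claimed in step 2.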

3.3 GGH and GGHLite schemes

We explain the multilinear map (GGH scheme) proposed by Garg et al. [22] and its improved version called GGHLite [30]. Let \(D_{\mathbb {Z}, \sigma }\) denote the discrete Gaussian distribution over \(\mathbb {Z}\) with standard deviation \(\sigma > 0\). In the GGH scheme, a secret short element \(g = \sum _{i = 0}^{n-1} g_i x^i \in R\) is randomly chosen with \(g_i \leftarrow D_{\mathbb {Z}, \sigma }\) for \(0 \le i \le n-1\) such that \(\Vert g^{-1} \Vert \le n^2\) and \(I = (g)\) is a prime ideal in R, where \(g^{-1} \in R \otimes _\mathbb {Z}\mathbb {Q}\simeq \mathbb {Q}(\zeta _{2n})\) and \(\Vert g^{-1} \Vert \) is its Euclidean norm. The condition \(\Vert g \Vert \le \sqrt{n} \cdot \sigma \) is additionally required for the construction of the GGHLite scheme [30]. Moreover, given a modulus parameter \(q > 0\), a secret element z is randomly sampled from \(R_q = R/qR\). In both the GGH and the GGHLite schemes, the pair (g, z) gives a secret key.

The zeroizing attack, which was first introduced in [22], tries to recover a basis \(\mathbf{B}\) of the ideal \(I = (g)\) from given public parameters such as several encodings of zero and one (see [14, Section 5.1] for details). Therefore, recovering g or a short element \(g'\) from the basis \(\mathbf{B}\) is an instance of SG-PIP (as mentioned in [14, Section 5.3], recovering \(g' \in R\) with \(\Vert g' \Vert < q^{3/8}/(2n)^4\) is sufficient to attack the GGH scheme).

4 Overview of Cramer et al.’s analysis for SGP

In this section, we briefly review Cramer et al.’s analysis for SGP (defined in Sect. 1) and give some remarks on their attack.

4.1 Attack algorithm

For a prime power \(q = p^k\), we use the same notation as in Sect. 2.2, such as \(G=(\mathbb {Z}/q\mathbb {Z})^{\times }/\{ \pm 1 \}\), the log-unit lattice \(\varLambda \) and the group C of cyclotomic units of the q-th cyclotomic field \(K = \mathbb {Q}(\zeta _q)\). For the canonical generators \(\{ b_j \}_{j \in G \smallsetminus \{ 1 \}}\) of C, set

$$\begin{aligned} \mathbf{b}_j := {\mathrm {Log}}(b_j) \in {\mathrm {Log}}(C) \end{aligned}$$
(3)

for \(j \in G \smallsetminus \{ 1 \}\). Note that \(\{ \mathbf{b}_j \}_{j \in G \smallsetminus \{ 1 \}}\) is a basis of \({\mathrm {Log}}(C)\) by Lemma 2. Let \(g \in O_K\) be a short element as in Problem 1. Given a generator h of the principal ideal \(I = (g)\), SGP asks for g itself or for a sufficiently short generator of I. Since both g and h generate I, we have \(h = ug\) for some \(u \in O_K^\times \), and hence \({\mathrm {Log}}(h) = {\mathrm {Log}}(g) + {\mathrm {Log}}(u)\) with \({\mathrm {Log}}(u) \in \varLambda = {\mathrm {Log}}(O_K^\times )\). In order to recover \({\mathrm {Log}}(u)\) from \({\mathrm {Log}}(h)\), the RSG attack aims to represent

$$\begin{aligned} {\mathrm {Log}}(u) = \sum _{j \in G \smallsetminus \{ 1 \}} a_j \mathbf{b}_j\quad \text{ for } \text{ some } a_j \in \mathbb {Z}\end{aligned}$$
(4)

by using the basis \(\{ \mathbf{b}_j \}_{j \in G \smallsetminus \{ 1 \}}\) of \({\mathrm {Log}}(C)\).

For the representation (4), Cramer et al. first assume that \({\mathrm {Log}}(C)\) is exactly the log-unit lattice \(\varLambda \):

Assumption 1

We assume \({\mathrm {Log}}(C) = \varLambda \).

Moreover, the RSG attack algorithm assumes the following (see [16, Theorem 4.1] for details):

Assumption 2

There is a probabilistic distribution D over K satisfying the following condition: For any unit vectors \(\mathbf{v}_1,\ldots ,\mathbf{v}_{\varphi (q)/2-1} \in \mathbb {R}^{\varphi (q)/2}\) satisfying \(\langle \mathbf{v}_i, \mathbf{1}\rangle = 0\), we have \(|\langle {\mathrm {Log}}(g), \mathbf{v}_i \rangle | < dq^{1/2}(\log q)^{-3/2}\) for all i with probability at least \(\alpha > 0\), where g is chosen from D and d is a universal constant.

Under Assumptions 1 and 2, the RSG attack algorithm for SGP is as follows (see [16, Theorem 4.1] for details):

Algorithm 1

$$\begin{aligned}&{\mathbf{Input}} : h = ug\,(g \leftarrow D, u \leftarrow C)&\\&{\mathbf{Output}} : g' = ug/u^{\prime }\text { for some }u^{\prime } \in C\text { or ``false''}&\end{aligned}$$
  1. 1.

    Apply Babai’s round-off algorithm to \(\mathbf{B}:= \{ \mathbf{b}_j \}_{j \in G \smallsetminus \{ 1 \}}\) and \(\mathbf{t}:= {\mathrm {Log}}(h) = {\mathrm {Log}}(u) + {\mathrm {Log}}(g)\). Let \(\mathbf{v}\in \mathbb {R}^{\varphi (q)/2}\) be its output (i.e. \(\mathbf{v}= \mathbf{B}\cdot \lfloor \left( \mathbf{B}^{\vee }\right) ^t \cdot \mathbf{t}\rceil \)).

  2. 2.

    Compute integers \(a_j \in \mathbb {Z}\) for \(j \in G \smallsetminus \{ 1 \}\) such that \(\mathbf{v}= \sum _{j \in G \smallsetminus \{ 1 \}}a_j\mathbf{b}_j\). If there are no such integers \(a_j\), then return “false”.

  3. 3.

    Compute \(u^{\prime } := \prod _{j \in G \smallsetminus \{ 1 \}}b_j^{a_j} \in C\) and output \(g' = ug/u^{\prime }\).

Cramer et al. claimed in [16, Theorem 4.1] that the above algorithm outputs \(g' = \pm \zeta _q^j \cdot g\) for some \(0 \le j < q\) with probability at least \(\alpha \), under Assumptions 1 and 2.

Note that Assumption 2 is derived from [16, Theorem 3.1]. More specifically, by [16, Theorem 3.1] there is a constant \(d^{\prime }\) such that \(\Vert \mathbf{b}_j^{\vee } \Vert \le d^{\prime }q^{-1/2}(\log q)^{3/2}\) for all j. Applying Assumption 2 to the unit vectors \(\mathbf{v}_i := \mathbf{b}_i^{\vee }/\Vert \mathbf{b}_i^{\vee } \Vert \) (which satisfy \(\langle \mathbf{v}_i, \mathbf{1}\rangle = 0\)), we obtain, for a universal constant d with \(d \le \frac{1}{2d^{\prime }}\),

$$\begin{aligned} \alpha\le & {} {\mathrm{Pr}}\left[ |\langle {\mathrm {Log}}(g), \mathbf{b}_i^{\vee }/\Vert \mathbf{b}_i^{\vee } \Vert \rangle |< dq^{1/2}(\log q)^{-3/2} \ \ \forall i \right] \\= & {} {\mathrm{Pr}}\left[ |\langle {\mathrm {Log}}(g), \mathbf{b}_i^{\vee } \rangle | < dq^{1/2}(\log q)^{-3/2} \Vert \mathbf{b}_i^{\vee } \Vert \ \ \forall i \right] \le {\mathrm{Pr}}\left[ |\langle {\mathrm {Log}}(g), \mathbf{b}_i^{\vee } \rangle | < \frac{1}{2} \ \ \forall i \right] , \end{aligned}$$

since \(dq^{1/2}(\log q)^{-3/2} \Vert \mathbf{b}_i^{\vee } \Vert \le d d^{\prime } \le \frac{1}{2}\). This implies that the success probability, that is \({\mathrm{Pr}}\left[ |\langle {\mathrm {Log}}(g), \mathbf{b}_i^{\vee } \rangle | < \frac{1}{2} \ \forall i \right] \), is at least \(\alpha \) for any distribution D satisfying Assumption 2.

Remark 1

Since \([\varLambda : {\mathrm {Log}}(C)] = h^+(q)\), Assumption 1 is related to mathematical problems on \(h^+(q)\). In particular, when q is 2-power, Assumption 1 is equivalent to Weber’s class number problem (i.e. \(h^+(q) = 1\) for all 2-power q). In Appendix A below, we will give several results related to Weber’s class number problem.

4.2 Some remarks

In the first step of Algorithm 1, Lemma 1 shows that the round-off output is exactly \(\mathbf{v}= {\mathrm {Log}}(u)\) if the condition

$$\begin{aligned} \left\langle {\mathrm {Log}}(g), \mathbf{b}_j^{\vee } \right\rangle \in \left[ -\frac{1}{2}, \ \frac{1}{2} \right) \quad \text{ for } \text{ all } j \in G \smallsetminus \{ 1 \} \end{aligned}$$
(5)

is satisfied. In this case the second step finds the integers \(a_j\), and the third step returns \(u^{\prime } \in C\) satisfying \({\mathrm {Log}}(u^{\prime }) = {\mathrm {Log}}(u)\). This implies that \(u^{\prime }\) has the form \(\pm \zeta _q^j \cdot u\) for some j, since the kernel of \({\mathrm {Log}}|_{O_K^{\times }}\) is \(\mu (K)\). In other words, under condition (5), Algorithm 1 outputs the desired element \(g' = \pm \zeta _q^j \cdot g\) (and g itself is recovered from \(g'\) by exhaustive search over the 2q elements \(\pm \zeta _q^j\), whose cost is negligible). By the Cauchy–Schwarz inequality \(|\langle {\mathrm {Log}}(g), \mathbf{b}_j^{\vee } \rangle | \le \Vert {\mathrm {Log}}(g) \Vert \cdot \Vert \mathbf{b}_j^{\vee } \Vert \), the success of the attack depends heavily on the size of \(\Vert \mathbf{b}_j^{\vee } \Vert \), which we estimate in Sect. 6 below. Note that the Cauchy–Schwarz inequality is a loose way to estimate \(|\langle {\mathrm {Log}}(g), \mathbf{b}_j^{\vee } \rangle |\); a closer analysis of the randomness of \({\mathrm {Log}}(g)\) leads to tighter and more useful bounds on \(|\langle {\mathrm {Log}}(g), \mathbf{b}_j^{\vee } \rangle |\), as carried out by Cramer et al. in [16, Section 5].

5 Explicit upper and lower bounds of \(L(1, \chi ^*)\)

Let \(q=p^k\) be a prime power and set \(G=(\mathbb {Z}/q\mathbb {Z})^{\times }/\{\pm 1\}\). Then \(\widehat{G}\) is identified with the group of all even Dirichlet characters modulo q. We set

$$\begin{aligned} E(q) := \frac{1}{\#G}\sum _{\chi \in \widehat{G} \smallsetminus \{1\}}\frac{4}{f_{\chi }|L(1, \chi ^{*})|^2}. \end{aligned}$$

Then, \(\Vert \mathbf{b}_j^{\vee }\Vert \) has the following expression in terms of Dirichlet L-functions.

Proposition 4

[16, Lemma 3.2 and Corollary 3.4] We have

$$\begin{aligned} ||\mathbf{b}_j^{\vee }||^2 = E(q). \end{aligned}$$

In particular, \(||\mathbf{b}_j^{\vee }||\) is independent of \(j \in G \smallsetminus \{1\}\).

Remark 2

In [16], the convention of Washington's book [52, Chapter 3] is adopted: the symbol \(L(1, \chi )\) in [16] means \(L(1, \chi ^{*})\). This convention can be confusing, since the equality \(L(1, \chi ) = L(1, \chi ^*)\) does not hold for arbitrary characters \(\chi \). In the case \(q=p^k\), however, Lemma 3 gives \(L(s, \chi )=L(s, \chi ^*)\) for every \(\chi \in \widehat{G}\smallsetminus \{1\}\).

In this section, using explicit estimates of \(L(1, \chi ^*)\) (Propositions 5, 6, 7 and 8), we give explicitly computable estimates of E(q) that avoid Siegel's theorem (Theorem 4). Our estimates improve on [16, Theorem 3.1], and upper and lower bounds of E(q) follow from them by direct computation. Experimental results are given in Sect. 7.1.

5.1 Explicit lower bound of \(L(1, \chi ^*)\)

We give explicit lower bounds of \(L(1, \chi ^*)=L(1, \chi )\) for non-trivial even Dirichlet characters \(\chi \) modulo \(q=p^k\); only even characters occur in the attack on SGP, since \(\widehat{G}\) consists of them. We state propositions for the cases \(p=2\), \(p\equiv 3\) (mod 4) and \(p\equiv 1\) (mod 4) separately.

Proposition 5

(Case \(p=2\)) Let \(q=2^{k}\) with \(k \ge 3\). Let \(\chi \) be a non-trivial character modulo q. If \(\chi \) is not quadratic, we have

$$\begin{aligned} |L(1, \chi ^*)| \ge \frac{1}{10 \log (f_{\chi }/\pi )}. \end{aligned}$$

If \(\chi \) is even and quadratic, we have

$$\begin{aligned} L(1, \chi ^*) = \frac{\log (1+\sqrt{2})}{\sqrt{2}}. \end{aligned}$$

Proof

The first assertion is immediate from Proposition 1. The second follows since the unique even quadratic character modulo \(2^k\) has conductor \(f_{\chi }= 8\) and corresponds to \(\mathbb {Q}(\sqrt{2})\), whose class number is 1 and whose fundamental unit is \(1+\sqrt{2}\); the class number formula then gives the stated value. \(\square \)

For any odd prime number p, let \(\chi _p\) be the primitive quadratic character modulo p. Then, there exists a unique quadratic character modulo \(p^k\), and such a unique quadratic character is induced by \(\chi _p\). Notice that \(\chi _p\) is even if and only if \(p\equiv 1 \text { (mod 4)}\).

Proposition 6

(Case \(p\equiv 3 \text { (mod 4)}\)) Let p be a prime number such that \(p \equiv 3 \ (\text {mod } 4)\) and let \(q=p^{k}\) with \(k \ge 1\). Then, for any non-trivial even character \(\chi \) modulo q, we have

$$\begin{aligned} |L(1, \chi ^*)| \ge \frac{1}{10 \log (f_{\chi }/\pi )}. \end{aligned}$$

Proof

Since the unique quadratic character modulo \(p^k\) is odd, we obtain the assertion by Proposition 1. \(\square \)

Proposition 7

(Case \(p\equiv 1 \text { (mod 4)}\)) Let p be a prime number such that \(p \equiv 1 \ (\text {mod } 4)\) and let \(q=p^{k}\) with \(k \ge 1\). Let \(\chi \) be a non-trivial character modulo q. If \(\chi \) is not quadratic, we have

$$\begin{aligned} |L(1, \chi ^*)| \ge \frac{1}{10 \log (f_{\chi }/\pi )}. \end{aligned}$$

The same estimate also holds for the quadratic character \(\chi \) provided that \(k_{\chi } \ge m(p)\), where

$$\begin{aligned} m(p) = \frac{1}{\log p}\left( \frac{1}{10L(1, \chi _p)} + \log \pi \right) , \end{aligned}$$

where \(k_{\chi }\) is the number such that \(f_{\chi }=p^{k_\chi }\).

Furthermore, if \(\chi \) is quadratic, we have

$$\begin{aligned} L(1, \chi ^*) \ge \frac{2}{\sqrt{p}}\log \left( \frac{\sqrt{p-4}+\sqrt{p}}{2}\right) . \end{aligned}$$

Proof

The assertion is obvious from Proposition 1 in the case where \(\chi \) is not quadratic.

Consider the case where \(\chi \) is quadratic, that is, \(\chi ^*=\chi _p\). Let \(h_{p}\) and \(\epsilon _p\) be the class number and the fundamental unit of \(\mathbb {Q}(\sqrt{p})\), respectively. Writing \(\epsilon _p = (a + b\sqrt{p})/2\) with \(a^2 - pb^2 = \pm 4\) and \(b \ge 1\), we have \(a \ge \sqrt{p-4}\) and hence \(\epsilon _p \ge \frac{\sqrt{p-4}+\sqrt{p}}{2}\). By this, \(h_p\ge 1\) and the class number formula for \(\mathbb {Q}(\sqrt{p})\), we have the trivial lower bound

$$\begin{aligned} L(1, \chi ^*) = L(1, \chi _p) = \frac{2 \, h_{p} \log \epsilon _p}{\sqrt{p}}\ge \frac{2}{\sqrt{p}}\log \left( \frac{\sqrt{p-4}+\sqrt{p}}{2}\right) . \end{aligned}$$

This completes the proof. \(\square \)

Since the quadratic character modulo \(p^k\) has conductor p, i.e. \(k_{\chi } = 1\), the condition \(k_{\chi } \ge m(p)\) reads \(m(p) \le 1\); so the second assertion of Proposition 7 is unconditional whenever \(m(p)\le 1\). Here is a table of \(L(1, \chi _p)\) and m(p) for the primes \(p \equiv 1 \ (\text {mod } 4)\) with \(p \le 100\); each of these fields \(\mathbb {Q}(\sqrt{p})\) has class number \(h_p = 1\), so \(L(1, \chi _p) = (2/\sqrt{p})\log \epsilon _p\) exactly.

p | \(L(1, \chi _p)\) | m(p)
5 | \(\frac{2}{\sqrt{5}} \log (\frac{1+\sqrt{5}}{2})\) | 0.856
13 | \(\frac{2}{\sqrt{13}}\log (\frac{3+\sqrt{13}}{2})\) | 0.505
17 | \(\frac{2}{\sqrt{17}}\log (4+\sqrt{17})\) | 0.439
29 | \(\frac{2}{\sqrt{29}}\log (\frac{5+\sqrt{29}}{2})\) | 0.388
37 | \(\frac{2}{\sqrt{37}}\log (6+\sqrt{37})\) | 0.351
41 | \(\frac{2}{\sqrt{41}}\log (32+5\sqrt{41})\) | 0.329
53 | \(\frac{2}{\sqrt{53}}\log (\frac{7+\sqrt{53}}{2})\) | 0.335
61 | \(\frac{2}{\sqrt{61}}\log (\frac{39+5\sqrt{61}}{2})\) | 0.304
73 | \(\frac{2}{\sqrt{73}}\log (1068+125\sqrt{73})\) | 0.280
89 | \(\frac{2}{\sqrt{89}}\log (500+53\sqrt{89})\) | 0.270
97 | \(\frac{2}{\sqrt{97}}\log (5604+569\sqrt{97})\) | 0.262

We can generally calculate the value \(L(1,\chi _p)\) with the aid of the expression

$$\begin{aligned} L(1, \chi _p)=\frac{-1}{\sqrt{p}}\sum _{a=1}^{p-1}\chi _p(a)\log \big (2\sin \frac{\pi a}{p}\big ) \end{aligned}$$

if we determine all values of \(\chi _p\) (cf. [18, p. 9, (9)]).
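The following Python script is an added example for this page (not the authors' code): it evaluates \(L(1, \chi _p)\) for \(p \equiv 1 \ (\text {mod } 4)\) by the finite sum above, checks the result against the class number formula \(L(1, \chi _p) = 2h_p \log \epsilon _p/\sqrt{p}\) used in the proof of Proposition 7 (the fundamental unit \(\epsilon _p\) is found by a brute-force search over \(a^2 - pb^2 = \pm 4\); the class number \(h_p\) is a caller-supplied assumption, equal to 1 for the primes in the table), and computes m(p). The function names `legendre`, `L1_finite`, `fundamental_unit`, `L1_closed` and `m` are this example's own.

```python
"""Added example (not from the paper): L(1, chi_p) for primes p = 1 (mod 4) by the finite
sum above, checked against the class number formula, plus m(p) from Proposition 7."""
import math

def legendre(a, p):
    """chi_p(a), the quadratic character modulo an odd prime p (Euler's criterion)."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1

def L1_finite(p):
    """L(1, chi_p) = -(1/sqrt p) * sum_{a=1}^{p-1} chi_p(a) log(2 sin(pi a/p)); chi_p must be even."""
    if p % 4 != 1:
        raise ValueError("chi_p is even only for p = 1 (mod 4)")
    s = sum(legendre(a, p) * math.log(2 * math.sin(math.pi * a / p)) for a in range(1, p))
    return -s / math.sqrt(p)

def fundamental_unit(p):
    """eps_p = (a + b sqrt p)/2 > 1 with a^2 - p b^2 = +-4 and b minimal (brute force in b)."""
    b = 1
    while True:
        for a2 in (p * b * b - 4, p * b * b + 4):
            a = math.isqrt(a2)
            if a * a == a2:
                return (a + b * math.sqrt(p)) / 2
        b += 1

def L1_closed(p, h_p=1):
    """Class number formula for Q(sqrt p): L(1, chi_p) = 2 h_p log(eps_p) / sqrt p.
    h_p is an assumption supplied by the caller; it equals 1 for every p in the table above."""
    return 2 * h_p * math.log(fundamental_unit(p)) / math.sqrt(p)

def m(p):
    """m(p) of Proposition 7; m(p) <= 1 makes the 1/(10 log(f/pi)) bound hold for chi_p as well."""
    return (1 / (10 * L1_finite(p)) + math.log(math.pi)) / math.log(p)

if __name__ == "__main__":
    for p in (5, 13, 17, 29, 37, 41, 53, 61, 73, 89, 97):
        print(p, round(L1_finite(p), 6), round(L1_closed(p), 6), round(m(p), 3))
```

The two evaluations agree to floating-point precision for every prime in the table, and the printed m(p) values reproduce the third column; the finite sum needs no knowledge of \(h_p\) or \(\epsilon _p\), which is why it is the practical way to evaluate \(L(1, \chi _p)\) for larger p.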

5.2 Explicit upper bound of \(L(1, \chi ^*)\)

We also have explicit upper bounds of \(L(1, \chi ^*)=L(1,\chi )\) for non-trivial even Dirichlet characters \(\chi \). Unlike the lower bound, the upper bound can be stated uniformly for every prime power.

Proposition 8

Let \(\chi \) be a non-trivial even Dirichlet character modulo a prime power \(q=p^k\). When \(p=2\) and \(k\ge 3\), we have

$$\begin{aligned} |L(1, \chi ^*)|\le \frac{\log f_\chi +2\log 2}{4}. \end{aligned}$$

When \(p=3\), we have

$$\begin{aligned} |L(1, \chi ^*)| \le {\left\{ \begin{array}{ll}\dfrac{1}{2}\log f_\chi &{}\quad (k_{\chi } = 2),\\ \ \\ \dfrac{\log f_\chi +1.104888}{3} &{}\quad (k_{\chi } \ge 3), \end{array}\right. } \end{aligned}$$

where \(k_{\chi }\) is the number such that \(f_{\chi } = p^{k_{\chi }}\). When \(p\ge 5\), we have

$$\begin{aligned} |L(1, \chi ^*)| \le \frac{1}{2}\log f_\chi . \end{aligned}$$

Proof

The assertion for \(p=2\) follows from Proposition 2 or [31, Corollary 1.2]. The assertion for \(p=3\) is given by Propositions 2 and 3; note that \((\log 3^m)/3 + 0.368296\le (\log 3^{m})/2\) holds if and only if \(m\ge 3\) (for \(m = 2\) the left-hand side is \(1.1007\ldots \) while \((\log 9)/2 = 1.0986\ldots \)), which is why the bound is split at \(k_{\chi } = 3\). For \(p \ge 5\), use Proposition 2. \(\square \)

5.3 Summary of this section

Our contribution in this section is to give explicit upper and lower bounds of \(L(1, \chi ^*) = L(1, \chi )\) for non-trivial even Dirichlet characters \(\chi \), as in Propositions 5, 6, 7 and 8, in contrast to the implicit bounds (1) used in [16]. We remark moreover that our upper and lower bounds of \(L(1, \chi ^*)\) are computable. For the lower bounds, we use the trivial lower bound of \(L(1, \chi ^*)\) for quadratic Dirichlet characters \(\chi \) in order to avoid the ineffectiveness of Siegel's theorem. These upper and lower bounds of \(L(1, \chi ^*)\) are used in Sect. 6.

6 Theoretical estimation of \(\Vert \mathbf{b}_j^{\vee }\Vert \)

For any prime number p and \(k \in \mathbb {N}\), set \(q=p^k\) and \(G=(\mathbb {Z}/q\mathbb {Z})^{\times }/\{\pm 1\}\). In this section we give theoretical upper and lower bounds of \(||\mathbf{b}_{j}^{\vee }||^2 = E(q)\) (see Proposition 4). In order to divide the sum E(q) in terms of the conductor \(f_{\chi }\), we count the number of even Dirichlet characters of conductor \(p^j\).

Lemma 4

Let \(q=p^k\) be a prime power. For any \(j \in \mathbb {N}\) such that \(1\le j \le k\), let \(N(p^j)\) denote the number of even Dirichlet characters modulo q of conductor \(p^j\). When \(p = 2\), we have

$$\begin{aligned} N(2^j) = {\left\{ \begin{array}{ll}{2^{j-3}} &{}\quad (j \ge 3), \\ 0 &{}\quad (j=1,2). \end{array}\right. } \end{aligned}$$

When p is odd, we have

$$\begin{aligned} N(p^j) = {\left\{ \begin{array}{ll}\dfrac{(p-1)^{2}}{2}p^{j-2} &{}\quad (j \ge 2), \\ \dfrac{p-3}{2} &{}\quad (j=1). \end{array}\right. } \end{aligned}$$

Proof

Let \(\chi \) be a Dirichlet character modulo \(q=p^k\). Then \(\chi \) is even if and only if \(\chi ^*\) is, because \(\chi (-1)=\chi ^{*}(-1)\). Hence, for odd p and \(j\ge 2\), \(N(p^j)\) is evaluated as

$$\begin{aligned} N(p^j) =&\ \# \{\text {even characters modulo }p^j\} - \# \{\text {even characters modulo }p^{j-1}\} \\ =&\ \#((\mathbb {Z}/p^j\mathbb {Z})^{\times }/\{\pm 1\}) -\#((\mathbb {Z}/p^{j-1}\mathbb {Z})^{\times }/\{\pm 1\}) \\ =&\frac{\varphi (p^j)}{2} - \frac{\varphi (p^{j-1})}{2} = \frac{(p-1)^{2}}{2}p^{j-2}. \end{aligned}$$

The same computation gives \(N(2^j) = 2^{j-2} - 2^{j-3} = 2^{j-3}\) for \(j \ge 3\). Finally, the only even character modulo 2 or modulo 4 is the trivial one, so \(N(2)=N(2^2)=0\), and \(N(p) = (p-1)/2-1\) for odd p, since among the \((p-1)/2\) even characters modulo p exactly the trivial one has conductor 1. This completes the proof. \(\square \)

Explicit upper bounds of E(q) are given as follows.

Theorem 5

  1. 1.

    When \(p=2\), we have

    $$\begin{aligned} E(q) \le&\ \frac{400}{2^{k+1}} \bigg [ \frac{k(k+1)(2k+1)-84}{6}(\log 2)^2 -(\log 2)(\log \pi )\{k(k+1)-12\} \\&+(\log \pi )^2(k-3) \bigg ] +\frac{1}{2^{k-2} \{\log (1+\sqrt{2})\}^2}. \end{aligned}$$
  2. 2.

    When \(p\equiv 3 \ (\text {mod } 4)\), we have

    $$\begin{aligned} E(q) \le&\ \frac{400(p-1)}{p^{k+1}} \bigg [ \frac{k(k+1)(2k+1)-6}{6} (\log p)^2 \\&-\{k(k+1)-2\}(\log p)(\log \pi ) +(k-1)(\log \pi )^2 \bigg ] \\&+\frac{400(p-3)}{(p-1)p^k} \{\log (p/\pi )\}^2. \end{aligned}$$
  3. 3.

    When \(p\equiv 1 \ (\text {mod } 4)\), we have

    $$\begin{aligned} E(q) \le&\ \frac{400(p-1)}{p^{k+1}} \bigg [ \frac{k(k+1)(2k+1)-6}{6}(\log p)^2 \\&-\{k(k+1)-2\}(\log p)(\log \pi ) +(k-1)(\log \pi )^2 \bigg ] \\&+\frac{400(p-5)}{(p-1)p^k} \{\log (p/\pi )\}^2 + \frac{8}{(p-1)p^{k}L(1, \chi _p)^2}. \end{aligned}$$

    and the following computable estimate

    $$\begin{aligned} E(q) \le&\ \frac{400(p-1)}{p^{k+1}} \bigg [ \frac{k(k+1)(2k+1)-6}{6}(\log p)^2 \\&-\{k(k+1)-2\}(\log p)(\log \pi ) +(k-1)(\log \pi )^2 \bigg ] \\&+\frac{400(p-5)}{(p-1)p^k} \{\log (p/\pi )\}^2 + \frac{2p}{(p-1)p^{k}} \frac{1}{\{\log (\frac{\sqrt{p-4}+\sqrt{p}}{2})\}^{2}}. \end{aligned}$$

Proof

When \(p=2\) and \(k \ge 3\), we have

$$\begin{aligned} E(q) \le \frac{1}{2^{k-2}}\left( \sum _{\chi \in \widehat{G}-\{1\}, \chi ^2 \ne 1} \frac{4}{f_{\chi }|L(1,\chi ^*)|^2} + \frac{4}{8\,\{\frac{1}{\sqrt{2}}\log (1+\sqrt{2})\}^2}\right) . \end{aligned}$$

Combining this with Proposition 5 and Lemma 4, the right-hand side is majorized by

$$\begin{aligned} \frac{1}{2^{k-2}}\sum _{j=2}^{k-2} N(2^{j+2})\times \frac{4}{2^{j+2}}\{10 \log (2^{j+2}/\pi )\}^2 + \frac{1}{2^{k-2}}\times \frac{4}{8\, \{\frac{1}{\sqrt{2}}\log (1+\sqrt{2})\}^2}, \end{aligned}$$

which is evaluated as

$$\begin{aligned} \frac{400}{2^{k+1}}\sum _{j=2}^{k-2} \{(j+2)\log 2 -\log \pi \}^{2} +\frac{1}{2^{k-2}\{\log (1+\sqrt{2})\}^2}. \end{aligned}$$

This completes the proof for \(p=2\).

The second, third and fourth inequalities are proved in the same way as the case \(p=2\), using Propositions 6 and 7 in place of Proposition 5; note that there is no even quadratic Dirichlet character modulo \(q=p^k\) when \(p \equiv 3 \ (\text {mod } 4)\). \(\square \)

Explicit lower bounds of E(q) are given as follows.

Theorem 6

Let p be a prime number and \(q=p^k\) with \(k \in \mathbb {N}\). When \(p=2\) with \(k\ge 3\), we have

$$\begin{aligned} E(q) \ge \frac{8}{2^{k-2}(\log 2)^2}\sum _{j=1}^{k-2}\frac{1}{(j+4)^2}. \end{aligned}$$

When \(p=3\), we have

$$\begin{aligned} E(q) \ge \frac{8}{3^{k-1}}\sum _{j=3}^{k}\frac{1}{(j\log 3+1.104888)^2} + \frac{8}{3^{k+1}(\log 3)^2}. \end{aligned}$$

When \(p \ge 5\), we have

$$\begin{aligned} E(q) \ge \frac{16}{p^k(\log p)^2} \left( \frac{p-1}{p}\sum _{j=2}^{k}\frac{1}{j^2} +\frac{p-3}{p-1}\right) . \end{aligned}$$

Proof

Consider the case \(p=2\). By Lemma 4 and the bound \(|L(1,\chi ^*)|\le (\log f_\chi +2\log 2)/4\) of Proposition 8, each summand \(4/(f_{\chi }|L(1,\chi ^*)|^2)\) with \(f_\chi = 2^{j+2}\) is at least \(64/(2^{j+2}(\log (2^{j+2}) +2 \log 2)^2)\), so that

$$\begin{aligned} E(q) \ge \frac{1}{2^{k-2}}\sum _{j=1}^{k-2}N(2^{j+2})\times \frac{64}{2^{j+2}(\log (2^{j+2}) +2 \log 2)^2}. \end{aligned}$$

Since \(N(2^{j+2}) = 2^{j-1}\) and \(\log (2^{j+2}) + 2\log 2 = (j+4)\log 2\), the j-th summand equals \(8/((j+4)^2(\log 2)^2)\), and the assertion for \(p=2\) follows. The assertions for odd p are obtained in the same way from Lemma 4 and Proposition 8. \(\square \)

As in the following corollary, our explicit estimates in Theorems 5 and 6 give the same asymptotic estimate \(||\mathbf{b}_j^{\vee }||^2={\mathcal O}(q^{-1}(\log q)^3)\) as in [16, Theorem 3.1].

Corollary 1

Let \(q=p^k\) be a prime power. Then, we have

$$\begin{aligned} \frac{1}{q (\log p)^2} \ll \Vert \mathbf{b}_j^{\vee }\Vert ^2 =E(q) \ll \frac{k(\log q)^{2}}{q}, \end{aligned}$$

where the implicit constants are effective and independent of p and k.

Remark 3

Note that the implicit constant in the upper bound above is effective. By Corollary 1, \(E(q) \rightarrow 0\) as \(k \rightarrow \infty \) for every prime p, which suggests that the success condition of Algorithm 1 tends to hold as k grows.

7 Table and figure of \(\Vert \mathbf{b}_j^{\vee } \Vert \) for \(q = 2^k\)

Since our estimates of \(||\mathbf{b}_j^{\vee }||\) in Sect. 6 are effective for all k and all primes p, we can exhibit the behaviour of \(||\mathbf{b}_{j}^{\vee }||\) concretely. In this section we consider the case \(p=2\).

7.1 Case of \(q = 2^k\)

By applying Proposition 4, Theorems 5 and 6 to the case of \(p=2\), we have the upper and lower bounds of \(\Vert \mathbf{b}_j^{\vee }\Vert \) as follows:

$$\begin{aligned} E_{{\mathrm {lower}}}(k)\le \sqrt{E(2^k)} =||\mathbf{b}_{j}^{\vee }|| \le E_{\mathrm {upper}}(k). \end{aligned}$$

Here, we set

$$\begin{aligned} E_{\mathrm {upper}}(k)&= \bigg \{ \frac{400}{2^{k+1}} \bigg [ \frac{k(k+1)(2k+1)-84}{6}(\log 2)^2 -(\log 2)(\log \pi )\{k(k+1)-12\} \\&\quad +~(\log \pi )^2(k-3) \bigg ] +\frac{1}{2^{k-2} \{\log (1+\sqrt{2})\}^2} \bigg \}^{1/2} \end{aligned}$$

and

$$\begin{aligned} E_{{\mathrm {lower}}}(k)=\left\{ \frac{8}{2^{k-2}(\log 2)^2}\sum _{j=1}^{k-2}\frac{1}{(j+4)^2}\right\} ^{1/2}. \end{aligned}$$

Table 1 and Fig. 1 show \(E_{{\mathrm {lower}}}(k)\), \(\sqrt{E(2^{k})}\) and \(E_{\mathrm {upper}}(k)\) for \(3\le k \le 25\). To obtain the values of \(\sqrt{E(2^{k})}\), we mainly used a computer with a 2.80 GHz CPU (Intel(R) Core(TM) i7-3840QM) and 8 GB of memory, running Windows 8.1 Pro 64 bit, with our implementation in Magma V2.19-7. “Time” in Table 1 is the time it took to compute the actual value of \(\sqrt{E(2^k)}\) for each \(3\le k \le 25\).

We note that, by applying Corollary 1 to the case of \(p=2\), we have

$$\begin{aligned} \sqrt{\frac{1}{2^{k}}} \ll \sqrt{E(2^k)} = ||\mathbf{b}_j^{\vee }|| \ll \sqrt{\frac{k^3}{2^{k}}}. \end{aligned}$$

Exact values of \(E_{{\mathrm {lower}}}(k)\) and \(E_{\mathrm {upper}}(k)\) are easy to compute, in contrast to the approximate values of \(\sqrt{E(2^k)}\). We computed the approximate values of \(\sqrt{E(2^k)}\) only up to \(k=15\) because of the limits of our computer; for example, it took ten days to compute the approximate value of \(\sqrt{E(2^{15})}\) with our Magma implementation. We do not plot values for \(k \ge 26\) in Fig. 1, since the gap \(E_{\mathrm{upper}}(k)-E_{\mathrm{lower}}(k)\) only shrinks as k increases beyond 26.

Table 1 Upper and lower bounds of \(\Vert \mathbf {b}_j^\vee \Vert \), and actual value of \(\Vert \mathbf {b}_j^\vee \Vert \) for \(q = 2^k\) with \(3 \le k \le 25\) (upper and lower bounds are given by \(E_{\mathrm {upper}}(k)\) and \(E_{\mathrm {lower}}(k)\) respectively; “Time” is the time it took to compute the actual value of \(\Vert \mathbf {b}_j^\vee \Vert \))
Fig. 1
figure 1

Upper and lower bounds of \(\Vert \mathbf {b}_j^\vee \Vert \), and actual value of \(\Vert \mathbf {b}_j^\vee \Vert \) for \(q = 2^k\) with \(3 \le k \le 25\) (note that the size \(\Vert \mathbf {b}_j^\vee \Vert \) is independent of \(j \in G \smallsetminus \{ 1 \}\) by Proposition 4)

7.2 Feedback to hardness of SGP

By the Cauchy–Schwarz inequality

$$\begin{aligned} |\langle {\mathrm {Log}}(g), \mathbf{b}_j^{\vee } \rangle | \le ||{\mathrm {Log}}(g)|| \ ||\mathbf{b}_j^{\vee }||, \end{aligned}$$

the success of the attack depends heavily on the size of \(\Vert \mathbf{b}_j^{\vee } \Vert \), as noted in Sect. 4.2. Fig. 1 shows that \(E_{\mathrm{lower}}(k)\), \(|| \mathbf{b}_{j}^{\vee } ||= \sqrt{E(2^k)}\) and \(E_{\mathrm{upper}}(k)\) all decrease monotonically for \(k \ge 6\). In particular, since \(\Vert \mathbf{b}_j^{\vee }\Vert \le E_{\mathrm{upper}}(k)\), the rapid decrease of \(E_{\mathrm{upper}}(k)\) forces \(\Vert \mathbf{b}_j^{\vee }\Vert \) to become small as well. Therefore, the success probability of Algorithm 1 for SGP increases as \(k\ge 6\) grows. Our experimental results in Sect. 8 suggest that \(k \ge 10\) is sufficient for Algorithm 1 to succeed when \(p=2\): the attack on the cryptosystems described in Sect. 3 succeeds with probability close to 1 for \(k \ge 10\). As mentioned in Sect. 4.2, a closer analysis of the randomness of \({\mathrm {Log}}(g)\) would be needed for tight bounds; instead, since Cramer et al. report no such experiments, we give experimental values of \(|\langle {\mathrm {Log}}(g), \mathbf{b}_j^{\vee } \rangle |\) in various settings.

8 Experimental verification

In this section, we give our experimental results to verify whether or not Algorithm 1 succeeds in recovering short elements g (or sufficiently small g’s which can break cryptosystems described in Sect. 3).

We deal with the case \(q=2^k\), since our targeted cryptosystems [22, 30, 49] are constructed over \(2^k\)-th cyclotomic fields. From the viewpoint of the efficiency of key generation, encoding and decoding in the cryptosystems of [22, 30, 49], k with \(8 \le k \le 25\) is used in practice. Our theoretical bounds in Sect. 7.1 suggest that the success probability of Algorithm 1 increases once k exceeds 6. Thus we report the experimental success probability for each k with \(6 \le k \le 10\). Set \(q := 2^k\), \(n := 2^{k-1}\), \(G := (\mathbb {Z}/q\mathbb {Z})^{\times }/\{ \pm 1 \}\) and \(R := \mathbb {Z}[x]/(x^n + 1)\).

8.1 Parameter setting for our experiments

In order to analyze the security of our targeted cryptosystems [22, 30, 49], we consider the following setting of the secret key g:

  • Choice of Distribution of Secret Key g: we consider the case where g is randomly chosen from a discrete Gaussian distribution or a uniform distribution. Recall that g is chosen from a discrete Gaussian distribution in GGH and GGHLite schemes, and that g is uniformly chosen from a certain finite subset of \(\mathbb {Z}[x]\) in FHE scheme (see Sect. 3).

  • Size of Variance: in GGH and GGHLite schemes, spaces of secret keys, that are discrete Gaussian distributions of the mean 0, depend only on their variances and n. (By contrast, in FHE scheme, the space of secret keys depends only on n). Thus, we consider whether the success probability of Algorithm 1 depends on variances of discrete Gaussian distributions by several experiments.

  • Type of Principal Ideals \(I = (g)\) (Prime or Non-Prime): in FHE, GGH and GGHLite schemes, secret keys \(g \in R\) should be prime elements in R satisfying \(R/(g) \simeq \mathbb {F}_p\) for some prime number p. However, as we will note below, this condition can be relaxed in cases of GGH and GGHLite. (In addition, it may be also possible that the primality condition of g can be relaxed for FHE). Thus, we consider whether the success probability of Algorithm 1 depends on the primality of secret keys.

8.2 Effects of primality and variance

First, we consider the effects of the primality of secret keys and of the variance of the discrete Gaussian distribution. We divide this subsection into the cases of discrete Gaussian distributions and of uniform distributions.

Case of discrete Gaussian distribution

First, we consider the case where secret keys g are chosen from discrete Gaussian distributions of the mean 0 and given standard deviations \(\sigma \), which are spaces of secret keys of GGH and GGHLite schemes.

In each cryptosystem, a secret key g is a prime element in R such that \(\mathcal{N}(g) := |{\mathrm {Res}}(g^{\prime }(x), x^n + 1)|\) is a prime number, where \(g^{\prime }\) is a polynomial in \(\mathbb {Z}[x]\) representing g in R and \({\mathrm {Res}}(g^{\prime }(x), x^n + 1)\) is the resultant of \(g^{\prime }\) and \(x^n + 1\). (The primality of \(\mathcal{N}(g)\) is a sufficient, not a necessary, condition for g to be a prime element of R.) The primality of g was used in the proof of [22, Lemmas 3 and 4]. In general, it is not efficient to obtain such a g for large k, e.g. \(k \ge 10\) [49, Section 7], [3, Section 4]. Fortunately, it is proved in [3] that the primality of g is not necessary for these lemmas, so the condition on g can be relaxed. Note, however, that [3] suggests that the primality of g is still necessary for some cryptographic applications and that the non-primality of g might be exploitable by an attack. Thus we test experimentally whether Algorithm 1 is such an attack.

Moreover, from Cramer et al.’s analysis for discrete Gaussian distributions [16, Lemma 5.6], the success probability of Algorithm 1 seems to depend heavily on variances of discrete Gaussian distributions. From this, we should also experiment for several variances.

Before we show our experimental results, we recall from Sects. 2 and 4 that the canonical generators of the group of cyclotomic units are \(b_j := \frac{\zeta _q^j - 1}{\zeta _q - 1}\) \((j \in G \smallsetminus \{ 1 \})\), and that we set \(\mathbf{b}_j := {\mathrm {Log}}(b_j)\) as in (3) in Sect. 4.1. The vectors \(\mathbf{1}:= (1, 1, \ldots , 1) \in \mathbb {R}^{\varphi (q)/2}\) and \(\mathbf{b}_j\)’s are \(\mathbb {R}\)-linearly independent, and hence they constitute an \(\mathbb {R}\)-basis of \(\mathbb {R}^{\varphi (q)/2}\). Thus, for any \(g \in R\), we have the following unique representation:

$$\begin{aligned} {\mathrm {Log}}(g) = a_1^{(g)}\mathbf{1}+ \sum _{j \in G \smallsetminus \{ 1 \}}a_j^{(g)}\mathbf{b}_j. \end{aligned}$$
(6)

Note that we identify \(g \in R\) with the element in \(\mathbb {Z}[\zeta _q]\) by using the natural isomorphism \(R \simeq \mathbb {Z}[\zeta _q]\) in the above equation. It is easy to see

$$\begin{aligned} {\left\{ \begin{array}{ll} a_1^{(g)} = \frac{\langle {\mathrm {Log}}(g), \mathbf{1}\rangle }{\varphi (q)/2}, &{} \\ a_j^{(g)} = \langle {\mathrm {Log}}(g), \mathbf{b}_j^{\vee } \rangle &{} (j \in G \smallsetminus \{ 1 \}). \end{array}\right. } \end{aligned}$$

It implies that if we have \(|a_j^{(g)}| < \frac{1}{2}\) for all \(j \in G \smallsetminus \{ 1 \}\), then we can compute g by Algorithm 1.

The procedure for our experiment is as follows:

  1. 1.

    Construct the following three finite subsets of R

    $$\begin{aligned} _1:= & {} \{ g \in R \mid g \leftarrow D_{\mathbb {Z}^n, \sigma } \text{ and } \mathcal{N}(g) \text{ is } \text{ a } \text{ prime } \text{ number } \}, \\ _2:= & {} \{ g \in R \mid g \leftarrow D_{\mathbb {Z}^n, \sigma } \text{ and } \text{ the } \text{ ideal } (g) \text{ is } \text{ not } \text{ a } \text{ prime } \text{ ideal } \}, \\ _3:= & {} \{ g \in R \mid g \leftarrow D_{\mathbb {Z}^n, \sigma } \}, \end{aligned}$$

    such that \(\# _i = 1000\) for \(i=1,2,3\).

  2. 2.

    Compute \(\mathbf{b}_j\) and \(\mathbf{b}_j^{\vee }\) for \(j \in G \smallsetminus \{ 1 \}\), where \(G := (\mathbb {Z}/q\mathbb {Z})^{\times }/\{ \pm 1 \}\).

  3. 3.

    Compute \(a_j^{(g_i)}\) satisfying \({\mathrm {Log}}(g_i) = a_1^{(g_i)}\mathbf{1}+ \sum _{j \in G \smallsetminus \{ 1 \}}a_j^{(g_i)}\mathbf{b}_j\) for \(j \in G \smallsetminus \{ 1 \}\), \(g_1 \in _1\), \(g_2 \in _2\) and \(g_3 \in _3\).

  4. 4.

    For \(i=1,2,3\) and \( g_{i} \in _i\), compute

    $$\begin{aligned} a_{\max }^{(g_i)}:= & {} \max \{ |a_j^{(g_i)}| \mid j \in G \smallsetminus \{ 1 \} \}, \\ a_{\mathrm{ave}}(_i):= & {} \frac{1}{\#_i}\sum _{g_i \in _i}\left| a_{\max }^{(g_i)} \right| . \end{aligned}$$

We use the same computer as in Sect. 7. We use the discrete Gaussian distribution sampler [2], implemented in Sage by Martin Albrecht (see also [25]). We implemented the first step in Sage and the second and third steps in Magma V2.19-7. For \(i = 1\) and \(i=2\), we computed the value of \(a_{\mathrm{ave}}(_i)\) only for \(k=6, 7, 8\), because of the difficulty of choosing many prime elements \(g \in R\). In addition, we computed the value of \(a_{\mathrm{ave}}(_3)\) only for \(k = 9, 10\).
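The following Python script is an added example (not the authors' Sage/Magma code) that reconstructs, for \(q = 2^k\), Algorithm 1 of Sect. 4.1 and steps 2–4 of the procedure above: it builds \(\mathbf{b}_j = {\mathrm {Log}}(b_j)\) from the canonical cyclotomic units \(b_j = (x^j - 1)/(x-1)\), computes the dual vectors \(\mathbf{b}_j^{\vee }\), the coefficients \(a_j^{(g)} = \langle {\mathrm {Log}}(g), \mathbf{b}_j^{\vee } \rangle \) of (6) and the bounds \(E_{\mathrm {lower}}(k)\), \(E_{\mathrm {upper}}(k)\) of Sect. 7.1, and runs the round-off step on a constructed instance \(h = ug\). The "short" g in the demo is a fixed vector of small coefficients rather than a sample from the Gaussian sampler [2], the unit u is a fixed product of the \(b_j\), and the function names (`basis`, `coefficients`, `round_off_attack`, `e_upper`, `e_lower`, …) are this example's own; no numerical library is needed.

```python
"""Toy reconstruction of Algorithm 1 for q = 2^k (added example, not the authors'
Sage/Magma code).  Pure Python; every input used below is constructed in this file."""
import cmath
import functools
import math

zeta = lambda q, i: cmath.exp(2j * math.pi * i / q)          # zeta_q^i
reps = lambda q: list(range(1, q // 2, 2))                   # odd i < q/2 represent G = (Z/qZ)^x/{+-1}
dot = lambda u, v: sum(a * b for a, b in zip(u, v))

def poly_mul(a, b, n):                                       # product in R = Z[x]/(x^n + 1), x^n = -1
    c = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % n] += ai * bj if i + j < n else -ai * bj
    return c

def evaluate(f, z):                                          # Horner's rule, f = [f_0, ..., f_{n-1}]
    return functools.reduce(lambda v, c: v * z + c, reversed(f), 0j)

def log_embed(f, q):                                         # Log(f) = (log|f(zeta_q^i)|)_{i in G}
    return [math.log(abs(evaluate(f, zeta(q, i)))) for i in reps(q)]

def cyclo_unit_pow(j, e, q, n):
    """b_j^e in R, where b_j = (x^j - 1)/(x - 1) = 1 + x + ... + x^{j-1}; for e < 0 we use
    b_j^{-1} = (x - 1)/(x^j - 1) = sum_{t < j'} x^{j t} with j j' = 1 (mod q)."""
    base = [0] * n
    if e >= 0:
        base[:j] = [1] * j
    else:
        for t in range(pow(j, -1, q)):
            m = (j * t) % (2 * n)
            base[m % n] += 1 if m < n else -1                # x^m reduced modulo x^n + 1
    u = [1] + [0] * (n - 1)
    for _ in range(abs(e)):
        u = poly_mul(u, base, n)
    return u

def solve(M, rhs):                                           # Gauss-Jordan for a small dense M x = rhs
    m, A = len(M), [row[:] + [r] for row, r in zip(M, rhs)]
    for c in range(m):
        p = max(range(c, m), key=lambda r: abs(A[r][c]))
        A[c], A[p] = A[p], A[c]
        A[c] = [x / A[c][c] for x in A[c]]
        for r in range(m):
            if r != c:
                A[r] = [x - A[r][c] * y for x, y in zip(A[r], A[c])]
    return [row[-1] for row in A]

def basis(k):
    """(q, n, js, B, D): B = {Log(b_j)}_{j in G\\{1}}, D = dual basis {b_j^vee} inside span(B)."""
    q, n = 2 ** k, 2 ** (k - 1)
    js = reps(q)[1:]
    B = [log_embed(cyclo_unit_pow(j, 1, q, n), q) for j in js]
    gram = [[dot(u, v) for v in B] for u in B]
    D = []
    for j in range(len(B)):
        c = solve(gram, [float(l == j) for l in range(len(B))])     # row j of gram^{-1}
        D.append([sum(c[l] * B[l][t] for l in range(len(B))) for t in range(len(B[0]))])
    return q, n, js, B, D

def dual_norms(k):
    """||b_j^vee|| for every j; Proposition 4 says they coincide and equal sqrt(E(2^k))."""
    return [math.sqrt(dot(d, d)) for d in basis(k)[4]]

def coefficients(g, k):
    """a_j^{(g)} = <Log(g), b_j^vee> as in (6); Algorithm 1 recovers g if all |a_j| < 1/2."""
    q, _, _, _, D = basis(k)
    return [dot(log_embed(g, q), d) for d in D]

def round_off_attack(h, k):
    """Steps 1-3 of Algorithm 1: a_j = round(<Log(h), b_j^vee>), u' = prod b_j^{a_j}, g' = h/u'.
    h/u' is computed on the n embeddings and pulled back by g_m = (1/n) sum_{i odd} g(zeta^i) zeta^{-im}."""
    q, n, js, _, _ = basis(k)
    a = [round(c) for c in coefficients(h, k)]
    u = [1] + [0] * (n - 1)
    for j, e in zip(js, a):
        u = poly_mul(u, cyclo_unit_pow(j, e, q, n), n)
    odd = range(1, q, 2)
    ratio = {i: evaluate(h, zeta(q, i)) / evaluate(u, zeta(q, i)) for i in odd}
    g = [round((sum(ratio[i] * zeta(q, -i * m) for i in odd) / n).real) for m in range(n)]
    return g, a

def e_upper(k):                                              # E_upper(k) of Sect. 7.1 (Theorem 5, p = 2)
    l2, lp = math.log(2), math.log(math.pi)
    s = (k * (k + 1) * (2 * k + 1) - 84) / 6 * l2 ** 2 - l2 * lp * (k * (k + 1) - 12) + lp ** 2 * (k - 3)
    return math.sqrt(400 / 2 ** (k + 1) * s + 1 / (2 ** (k - 2) * math.log(1 + math.sqrt(2)) ** 2))

def e_lower(k):                                              # E_lower(k) of Sect. 7.1 (Theorem 6, p = 2)
    return math.sqrt(8 / (2 ** (k - 2) * math.log(2) ** 2) * sum(1 / (j + 4) ** 2 for j in range(1, k - 1)))

if __name__ == "__main__":                                   # demo for k = 5 with a constructed g and u
    k, g = 5, [2, -1, 0, 1, 1, 0, -2, 1, 0, 1, -1, 0, 0, 1, -1, 2]
    q, n, js, _, _ = basis(k)
    u = functools.reduce(lambda u, je: poly_mul(u, cyclo_unit_pow(je[0], je[1], q, n), n),
                         zip(js, [1, -1, 0, 2, 0, -1, 1]), [1] + [0] * (n - 1))
    print(dual_norms(k)[0], e_lower(k), e_upper(k), round_off_attack(poly_mul(u, g, n), k)[0] == g)
```

For \(k = 3\) the script gives \(\Vert \mathbf{b}_j^{\vee }\Vert = 1/(\sqrt{2}\log (1+\sqrt{2})) \approx 0.8023\), which is \(\sqrt{E(8)}\) by Propositions 4 and 5, and for every k the computed value lies between \(E_{\mathrm {lower}}(k)\) and \(E_{\mathrm {upper}}(k)\). The round-off step returns the planted g exactly whenever \(\max _j |a_j^{(g)}| < 1/2\); a g whose \({\mathrm {Log}}\) is parallel to \(\mathbf{1}\) (e.g. a nonzero constant) has all \(a_j^{(g)} = 0\) and is always recovered, which makes a convenient sanity check. Negative exponents \(a_j\) are handled through \(b_j^{-1} = (x-1)/(x^j-1) = \sum _{t < j'} x^{jt}\) with \(jj' \equiv 1 \pmod q\), which keeps \(u'\) and the quotient \(g' = h/u'\) inside R.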

In Table 2, we show our experimental results on the value of \(a_{\mathrm{ave}}(_i)\) for \(i = 1,2,3\).

Table 2 Values of \(a_{\mathrm{ave}}(_i)\) for \(6 \le k \le 10\) and \(i = 1,2,3\)

From Table 2, we infer that the difficulty of solving SGP is independent of the primality of the secret key and of the variance of the discrete Gaussian distribution, since the values of \(a_{\mathrm{ave}}(_1)\), \(a_{\mathrm{ave}}(_2)\) and \(a_{\mathrm{ave}}(_3)\) in Table 2 are almost the same for a fixed k and each \(\sigma \). In other words, \(a_{\mathrm{ave}}(_i)\) seems to depend only on k for \(i = 1,2,3\). Intuitively, one might expect Assumption 2 to fail when short generators g are drawn from a discrete Gaussian distribution of large variance. The following observation shows why this intuition is not necessarily correct: for any short generator g and \(j \in G \smallsetminus \{1\}\), we have

$$\begin{aligned} \langle {\mathrm {Log}}(g), \mathbf{b}_j^{\vee } \rangle = \langle {\mathrm {Log}}(g) - a_1^{(g)}\mathbf{1}, \mathbf{b}_j^{\vee } \rangle , \end{aligned}$$

where \(a_1^{(g)}\) is as in (6), because \(\langle \mathbf{1}, \mathbf{b}_j^{\vee } \rangle = 0\). This means that the growth of the variance \(\sigma \) may affect the value of \(a_1^{(g)} = \frac{\langle {\mathrm {Log}}(g), \mathbf{1}\rangle }{\varphi (q)/2}\) (and of \({\mathrm {Log}}(g)\)) but not the values of \(\langle {\mathrm {Log}}(g), \mathbf{b}_j^{\vee } \rangle \), as Table 2 shows.

Thus, we conclude that the security of the GGH and GGHLite schemes against the RSG attack depends neither on the primality of their secret keys nor on the variances of their secret-key spaces. Our observation above also implies that non-prime elements g can be used as secret keys in those cryptosystems, except for some applications.

Case of uniform distribution

Next, we consider the case where the secret keys are chosen uniformly from certain finite subsets of \(\mathbb {Z}[x]\) described below, since this is the same as the key generation process of FHE. Set \(N := 2^n\) and \(\eta := 2^{\sqrt{N}}\). We recall that in [49], a secret key g is a prime element in R chosen uniformly from the set

$$\begin{aligned} B(\eta ) := \left\{ f = 2\left( \sum ^{N-1}_{i=0}a_ix^i \right) + 1 \in \mathbb {Z}[x] \ \bigg | \ |a_i| \le \eta /2 \ (i =1,2, \ldots , N-1) \right\} \end{aligned}$$

In our experiments, we use this method.

In this case, we also test whether the primality of g affects the success probability of Algorithm 1. Let \(_1\) be the set of polynomials chosen by the above method. Let \(_2\) be the set of polynomials f chosen uniformly from \(B(\eta )\) such that f mod \((x^n+1)\) does not generate a prime ideal, for \(k = 6,7,8\). We also choose \(g \in B(\eta )\) uniformly without testing the primality of g, for \(k = 9, 10\); let \(_3\) be the set of such polynomials. We choose g until \(\# _1 = \# _2 = \# _3 = 1000\). For \(i = 1,2,3\), set \(a_{\mathrm{ave}}(_i)\) as above.

In Table 3, we show our experimental results on the value of \(a_{\mathrm{ave}}(_i)\) for \(i = 1,2,3\).

Table 3 Values of \(a_{\mathrm{ave}}(_i)\) for \(6 \le k \le 10\) and \(i = 1,2,3\)

From Table 3, we infer that the primality of g does not affect the difficulty of solving SGP for the FHE scheme, for the same reason as in the case of discrete Gaussian distributions. Thus, we conclude that the security of the FHE scheme against the RSG attack does not depend on the primality of the secret keys, and that non-prime elements g can be used as secret keys if the condition on primality is relaxed.

8.3 Success probability of Algorithm 1

At the end of this section, we show our experimental results on the success probability of Algorithm 1 for \(k = 6,8,10\) and \(\sigma = 10\), in both the discrete Gaussian and the uniform case, where \(\sigma \) is the standard deviation of the discrete Gaussian distribution. We ran 1000 trials for each parameter. In Figs. 2 and 3, we show the value of \(\max \{ |\langle {\mathrm {Log}}(g), \mathbf{b}_j^{\vee } \rangle | \mid j \in G \smallsetminus \{ 1 \} \}\) for each g.

Fig. 2 Values of \(\displaystyle \max _{j \in G \smallsetminus \{ 1\}} | \langle {\mathrm {Log}}(g), \mathbf {b}_j^\vee \rangle |\) for \(q = 2^k\) with \(k = 6, 8, 10\). Note that the RSG attack for SGP succeeds (resp. fails) if \(\max | \langle {\mathrm {Log}}(g), \mathbf {b}_j^\vee \rangle | < \frac{1}{2}\) (resp. \(> \frac{1}{2}\)). For each k, the secret key g is generated randomly from a discrete Gaussian distribution 1000 times

Fig. 3 Same as Fig. 2, but g is generated from a uniform random distribution

From Figs. 2 and 3, we infer that Algorithm 1 succeeds in recovering secret keys of the FHE, GGH and GGHLite schemes with probability about 50% (resp. 85 and 100%) when \(k=6\) (resp. \(k = 8\) and \(k = 10\)). In other words, the number of successes increases as k grows. We believe that this remains true for \(k > 10\). Thus, our experimental results suggest that the security of the FHE, GGH and GGHLite schemes depends heavily on the difficulty of solving the principal ideal problem.
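The quantities behind steps 3 and 4 and behind the success criterion in Fig. 2, as an added pure-Python example (not the paper's Sage/Magma code): for \(q = 2^k\) it computes \({\mathrm {Log}}(g)\) over the representatives \(G = \{\text{odd } i < q/2\}\), the cyclotomic-unit basis \(\mathbf{b}_j = {\mathrm {Log}}((\zeta ^j-1)/(\zeta -1))\), its dual basis by Gauss-Jordan elimination, and the coefficients \(a_j^{(g)} = \langle {\mathrm {Log}}(g), \mathbf{b}_j^{\vee } \rangle \), whose maximum absolute value decides whether rounding recovers the unit. The function `sample_key` is a constructed rounded-continuous-Gaussian stand-in for the sampler [2], and `ring_mul` is only used to build \(h = g u\) for a unit u.

```python
import cmath
import math
import random

def log_embedding(g, q):
    """Log(g) = (log|g(zeta^i)|)_{i in G}, G = {odd i < q/2}, zeta = exp(2*pi*I/q); g in Z[x]/(x^(q/2)+1)."""
    emb = lambda i: sum(c * cmath.exp(2j * math.pi * ((i * m) % q) / q) for m, c in enumerate(g))
    return [math.log(abs(emb(i))) for i in range(1, q // 2, 2)]

def unit_basis(q):
    """Rows b_j = Log((zeta^j - 1)/(zeta - 1)) = Log(1 + x + ... + x^(j-1)) for j in G \\ {1}."""
    return [log_embedding([1] * j, q) for j in range(3, q // 2, 2)]

def dual_basis(B):
    """Dual vectors b_j^v = rows of (B B^T)^{-1} B; they lie in span(B), which is orthogonal to 1."""
    m, d = len(B), len(B[0])
    A = [[sum(B[r][t] * B[c][t] for t in range(d)) for c in range(m)] + list(B[r]) for r in range(m)]
    for c in range(m):                      # Gauss-Jordan on the augmented matrix [B B^T | B]
        p = max(range(c, m), key=lambda r: abs(A[r][c]))
        A[c], A[p] = A[p], A[c]             # partial pivoting
        piv = A[c][c]
        A[c] = [v / piv for v in A[c]]
        for r in range(m):
            if r != c:
                f = A[r][c]
                A[r] = [a - f * b for a, b in zip(A[r], A[c])]
    return [row[m:] for row in A]

def ring_mul(a, b, n):
    """Product in Z[x]/(x^n + 1); a and b are coefficient lists of degree < n."""
    out = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[(i + j) % n] += ai * bj if i + j < n else -ai * bj   # x^n = -1
    return out

def rsg_coefficients(g, q, dual):
    """a_j = <Log(g), b_j^v>; Log(g*u) has coefficients a_j + e_j for u = prod b_j^(e_j)."""
    L = log_embedding(g, q)
    return [sum(x * y for x, y in zip(L, bj)) for bj in dual]

def a_max(g, q, dual):
    """a_max^(g) of step 4; rounding recovers every e_j, i.e. the RSG attack succeeds, iff this is < 1/2."""
    return max(abs(a) for a in rsg_coefficients(g, q, dual))

def sample_key(n, sigma, seed):
    """Constructed stand-in for the discrete Gaussian sampler: rounded continuous Gaussian coefficients."""
    rng = random.Random(seed)
    return [round(rng.gauss(0, sigma)) for _ in range(n)]
```

Running `a_max(sample_key(2**(k-1), 10, seed), 2**k, dual_basis(unit_basis(2**k)))` over many seeds reproduces the kind of statistic plotted in Fig. 2, with the caveat that the key distribution here is only an approximation of the paper's sampler.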

9 Conclusion

In this paper, we analyzed the security of cryptosystems using short generators over ideal lattices against the RSG attack. We gave explicit estimates of the special values of Dirichlet L-functions at 1 for any non-trivial even Dirichlet characters modulo a prime power, and improved Cramer et al.'s main result verifying their attack by using our estimates. Our improvement allows one to analyze the RSG attack not only asymptotically but also explicitly for fixed practical parameters. We also gave various experimental results showing that recovering short generators over \(2^k\)-th cyclotomic fields for \(k \ge 10\) succeeds with high probability.