Security analysis of cryptosystems using short generators over ideal lattices
Abstract
In this paper, we analyze the security of cryptosystems using short generators over ideal lattices. Our approach is based on a recent work by Cramer et al. on analysis of the recovering short generators problem on qth cyclotomic fields with prime powers q. In their analysis, implicit lower bounds of the special values of Dirichlet L-functions at 1 are essentially used for estimating some sizes of the dual bases of the log-unit lattices of the qth cyclotomic fields. Our contribution is to improve Cramer et al.’s analysis by giving explicit lower and upper bounds of the special values of Dirichlet L-functions at 1. Our improvement allows one to analyze the RSG attack not only asymptotically but also explicitly for fixed practical parameters. Moreover, we give experimental evidence that recovering short generators over \(2^k\)th cyclotomic fields for \(k \ge 10\) succeeds with high probability.
Keywords
Short generators; Cyclotomic fields; Log-unit lattices; Dirichlet L-functions
Mathematics Subject Classification
94A60; 11Y35; 11041
1 Introduction
In recent years, lattice-based cryptography has received much attention as a candidate for post-quantum cryptography. Ideal lattices are a special class of lattices corresponding to ideals in rings of the form \(\mathbb {Z}[x]/(f(x))\) for some irreducible polynomial f(x), such as \(f(x) = x^n + 1\) for a 2-power integer \(n > 1\) (e.g. see [37] for details). In cryptography, ideal lattices have been used as powerful tools to construct a number of efficient and secure cryptosystems, mainly including public key encryption schemes [47, 48], hash functions [35, 39, 43] and digital signatures [34, 36]. Recently, ideal lattices have been applied to construct encryption schemes with high functionality. In 2009, Gentry [23] first proposed a construction of fully homomorphic encryption (FHE) using ideal lattices. After Gentry’s breakthrough, a number of variants of Gentry’s original FHE scheme have been proposed (in particular, variants of [24, 49] are based on ideal lattices). In 2013, Garg, Gentry and Halevi [22] first proposed a candidate of multilinear maps from ideal lattices, called the GGH scheme. In 2014, Langlois, Stehlé and Steinfeld [30] improved the GGH scheme for both efficiency and security, and their scheme is called GGHLite (see also [3] for implementation of GGHLite).
For a 2-power integer \(n > 1\), let \(K = \mathbb {Q}(\zeta _{2n})\) be the 2n-th cyclotomic field and \(O_K = \mathbb {Z}[\zeta _{2n}] \simeq \mathbb {Z}[x]/(x^n + 1)\) its ring of integers, where \(\zeta _m\) denotes a primitive mth root of unity for an integer \(m > 2\). In the cryptographic constructions of [22, 30, 49], a certain ‘short’ element \(g \in O_K\) is used as a secret key (see Sect. 3.1 for the description of ‘short’ element). In contrast, some \(\mathbb {Z}\)-basis of the principal ideal (g), such as the Hermite normal form \({\mathrm {HNF}}(g)\), is used as a public key (e.g. see [14, Section 4] for the definition of \({\mathrm {HNF}}(g)\)). Therefore the security of [22, 30, 49] against key recovery attack relies on the computational hardness of the following problem, introduced in [16, Section 1]:
Problem 1
(Short Generator of a Principal Ideal Problem, SGPIP) Let K be a number field and \(O_K\) its ring of integers. Let g be a short element of \(O_K\). Given a \(\mathbb {Z}\)-basis of the principal ideal (g), the problem is to find g itself or a sufficiently short element \(g' \in O_K\) satisfying \((g') = (g)\).

Principal Ideal Problem (PIP) Given a \(\mathbb {Z}\)-basis of the principal ideal \(I = (g)\), find a generator h of I.

Short Generator Problem (SGP) Given a generator h of I, recover g itself or a sufficiently short generator \(g'\) of I.
1.1 Recent progress for PIP and SGP
There are several classes of efficient algorithms for PIP over number fields of large degree in both classical and quantum computing models [7, 8, 10, 13, 26]. In [26], Hallgren proposed a polynomial-time quantum algorithm for PIP over number fields of small degree. Biasse and Fieker [10] first proposed a subexponential algorithm for an arbitrary class of number fields under the generalized Riemann hypothesis (see also [7]). For security analysis of cryptosystems of [22, 30, 49], we focus on PIP over cyclotomic fields. For \(2^k\)th cyclotomic fields, Campbell, Groves and Shepherd [13] claimed that there is a polynomial-time quantum algorithm for PIP, although their claim has not been proved yet. Recently, Biasse [11] announced the same claim as Campbell et al. In a classical computing model, Biasse [8] also presented a heuristic algorithm to solve PIP over \(2^k\)th cyclotomic fields in time \(2^{N^{2/3+\epsilon }}\) for \(N = 2^k\) and arbitrarily small \(\epsilon > 0\). (This complexity is improved to \(2^{N^{1/2+o(1)}}\) for \(N = 2^k\) in [9].)
As for SGP, Bernstein [6] first pointed out that SGP over (\(2^k\)th) cyclotomic fields is reduced to a closest vector problem (CVP) over the log-unit lattice, which is obtained by the logarithmic embedding. Similar attacks are also sketched by Campbell et al. [13]. Recently, Cramer, Ducas, Peikert and Regev [16] studied the geometry of a sublattice of a log-unit lattice, spanned by the image of the canonical generators of the group of cyclotomic units under the logarithmic embedding. They proved in [16, Theorem 3.1] that a basis of the sublattice has good properties. In [16, Theorem 4.1], they also give an analysis of a previously sketched attack in [6] for SGP over \(2^k\)th cyclotomic fields, under the assumption that Weber’s class number problem holds true (the problem is the conjecture that the class number of \(\mathbb {Q}(\zeta _q + \overline{\zeta _q})\) would be equal to 1 for any 2-power integer \(q > 2\)). We refer to the attack as the Recovering Short Generators (RSG) attack. We should remark that the RSG attack was extended to the case of non-principal ideals in [17] and to that of \(p^{\alpha }q^{\beta }\)th cyclotomic fields for two distinct odd prime numbers p and q in [27].
1.1.1 Outline of [16]
1.2 Our contributions

Upper and Lower Bounds of \(L(1, \chi ^*)\): We give explicit upper and lower bounds of \(L(1, \chi ^*)\) for each non-trivial even Dirichlet character \(\chi \) modulo a prime power \(q = p^k\) (Sect. 5 below). Here \(\chi ^*\) is the primitive Dirichlet character inducing \(\chi \). We use results on upper and lower bounds of \(L(1, \chi ^*)\) by [19, 31, 33, 44]. The key point is that we give a lower bound of \(L(1, \chi ^*)\) for any even quadratic Dirichlet character \(\chi \) modulo q with the aid of the class number formula. Moreover, our bounds are easily computable, namely we can evaluate the size \(L(1, \chi ^*)\) for any fixed \(k \ge 1\) and \(\chi \).

Theoretical Estimation of \(\Vert \mathbf{b}_j^{\vee } \Vert \): We give explicit upper and lower bounds of the size of \(\Vert \mathbf{b}_j^{\vee } \Vert \) by using our bounds of \(L(1, \chi )\) (Sects. 6 and 7 below). Our strategy is to count the exact number of even Dirichlet characters modulo q having any given conductor \(f_{\chi }\), while Cramer et al. used a rough estimate of the number of such characters. The asymptotic evaluation of our upper bounds of \(\Vert \mathbf{b}_j^{\vee } \Vert \) has the same order as Cramer et al.’s one. In particular, we have \(\Vert \mathbf{b}_j^{\vee } \Vert = \tilde{{\mathcal O}}(q^{-1/2})\) for any prime number p and \(q = p^k\). In contrast to Cramer et al.’s evaluation, our bounds of \(\Vert \mathbf{b}_j^{\vee } \Vert \) are explicit for any fixed k. Specifically, our bounds imply that the success probability of their attack becomes much higher for \(q = 2^k\) with \(k \ge 11\).

Experimental Verification: By experiments, we verify the effectiveness of the RSG attack against cryptosystems of [22, 30, 49] for \(q = 2^k\) and \(6 \le k \le 10\) (Sect. 8 below). In particular, the RSG attack can recover the secret key g with probability being about 50% (resp. 85 and 100%) when \(k=6\) (resp. \(k = 8\) and \(k = 10\)). Our experiments also show that the success probability of their attack is independent of distributions for generating keys in cryptosystems of [22, 30, 49] (e.g. uniformly random and discrete Gaussian distributions).
2 Mathematical background
In this section, we prepare mathematical notation for our later discussion. Let \(\mathbb {N}\), \(\mathbb {Z}\), \(\mathbb {R}\) and \(\mathbb {C}\) be the set of positive integers, the ring of integers, the field of real numbers and the field of complex numbers, respectively. We denote by \(\langle \cdot , \cdot \rangle \) and \(\Vert \cdot \Vert \) the natural inner product and the Euclidean norm on \(\mathbb {C}^n\), respectively. We also denote column vectors by lowercase bold letters (e.g. \(\mathbf{b}\)) and matrices by uppercase bold letters (e.g. \(\mathbf{B}\)). The symbol \(\#S\) stands for the cardinality of a set S. For nonnegative functions f and g on a set X, we write \(f(x) \ll g(x)\) (or \(f(x) = {\mathcal O}(g(x))\)) if there exists a constant \(C>0\) such that \(f(x)\le C g(x)\) for all \(x\in X\). For \(\epsilon >0\), we write \(f(x) \ll _{\epsilon } \, g(x)\) if the implicit constant depends on \(\epsilon \).
2.1 Lattices and CVP
A lattice \({\mathcal {L}}\) is a discrete additive subgroup of a finite dimensional \(\mathbb {R}\)-vector space \(\mathbb {R}^n\) for some \(n \in \mathbb {N}\). The rank of \({\mathcal {L}}\) is defined as \(\dim _\mathbb {R}{\mathcal {L}} \otimes _\mathbb {Z}\mathbb {R}\). Given any lattice \(\mathcal{L}\subset \mathbb {R}^n\) of rank \(m \le n\), there exists a set of \(\mathbb {R}\)-linearly independent vectors \(\mathbf{B}= \{ \mathbf{b}_1,\ldots ,\mathbf{b}_m \}\) such that \(\mathcal{L}= \mathcal{L}(\mathbf{B}) := \sum _{1 \le i \le m}\mathbb {Z}\mathbf{b}_i\). We identify \(\mathbf{B}\) with an \(n \times m\)-matrix, and the matrix is called a basis of \(\mathcal{L}\). For any lattice \(\mathcal{L}\) with basis \(\mathbf{B}= \{ \mathbf{b}_1,\ldots ,\mathbf{b}_m \}\), there exists a set of \(\mathbb {R}\)-linearly independent vectors \(\mathbf{B}^{\vee } = \{ \mathbf{b}_1^{\vee },\ldots ,\mathbf{b}_m^{\vee } \} \subset \mathrm {span}(\mathbf{B}) := \sum _{1 \le i \le m}\mathbb {R}\mathbf{b}_i\) such that \(\langle \mathbf{b}_i, \mathbf{b}_j^{\vee } \rangle = \delta _{ij}\), where \(\delta _{ij}\) is the Kronecker delta given by \(\delta _{ij} = 1\) (resp. \(\delta _{ij} = 0\)) if \(i = j\) (resp. otherwise). In other words, \(\mathbf{B}^t \cdot \mathbf{B}^\vee = \left( \mathbf{B}^\vee \right) ^t \cdot \mathbf{B}\) is equal to the identity matrix. Then \(\mathcal{L}^\vee := \mathcal{L}(\mathbf{B}^\vee )\) defines a lattice, called the dual lattice of \(\mathcal{L}\) with the dual basis \(\mathbf{B}^\vee \) of \(\mathbf{B}\).
Given a lattice \(\mathcal{L}\subset \mathbb {R}^n\) with basis \(\mathbf{B}\) and a target vector \({\mathbf{t}} \in \mathbb {R}^n \smallsetminus \mathcal{L}\), the closest vector problem (CVP) is to find a lattice vector \(\mathbf{v}\in \mathcal{L}\) closest to \(\mathbf{t}\). An efficient approach for CVP is the round-off algorithm proposed by Babai [4]. The round-off algorithm for \(\mathbf{B}\) and \(\mathbf{t}\) outputs \(\mathbf{B}\cdot \lfloor \left( \mathbf{B}^{\vee } \right) ^t \cdot \mathbf{t}\rceil \in \mathcal{L}\), where the rounding function \(\lfloor c \rceil := \lfloor c + \frac{1}{2} \rfloor \) is applied to each entry of \(\left( \mathbf{B}^{\vee }\right) ^t \cdot \mathbf{t}\) independently. The following lemma provides a condition for solving CVP by Babai’s round-off algorithm.
Lemma 1
[16, Claim 2.1] Let \(\mathcal{L}\subset \mathbb {R}^n\) be a lattice with basis \(\mathbf{B}\). Let \(\mathbf{t}= \mathbf{v}+ \mathbf{e}\) with \(\mathbf{v}\in \mathcal{L}\) and \(\mathbf{e} \in \mathbb {R}^n\). If \(\langle \mathbf{b}_j^{\vee }, \mathbf{e} \rangle \in \left[ -\frac{1}{2}, \frac{1}{2} \right) \) for all \(\mathbf{b}_j^{\vee } \in \mathbf{B}^{\vee }\), then \(\mathbf{v}\) can be recovered by Babai’s round-off algorithm for \(\mathbf{B}\) and \(\mathbf{t}\).
This lemma is a key for solving SGP by the RSG attack (see Sect. 4).
2.2 Log-unit lattice and cyclotomic units
Lemma 2
[52, Lemma 8.1] Let \(q = p^k\) be a prime power and C the group of cyclotomic units of the qth cyclotomic field. Set \(G := \left( \mathbb {Z}/q\mathbb {Z}\right) ^\times /\{ \pm 1 \}\), \(z_j := \zeta _q^j - 1\) and \(b_j := z_j/z_1\) for \(j \in G \smallsetminus \{ 1 \}\). Then the group C is generated by \(\pm \zeta _q\) and the \(b_j\)’s for \(j \in G \smallsetminus \{ 1 \}\).
We call the \(b_j\)’s for \(j \in G \smallsetminus \{ 1 \}\) the canonical generators of C. Note that \({\mathrm {Log}}(C)\) is a sublattice of \(\varLambda \) of finite index. More precisely, we have \([\varLambda : {\mathrm {Log}}(C)] = h^{+}(q)\) for a prime power q, where \(h^{+}(q)\) is the class number of \(K^{+} := \mathbb {Q}(\zeta _q + \overline{\zeta _q})\) (see [52, Exercise 8.5] for details).
2.3 Dirichlet characters and Dirichlet L-functions
Let G be a finite abelian group. The character group of G, denoted by \(\widehat{G}\), is the set of group homomorphisms from G to \(\mathbb {C}^{\times }\). It is easy to see that \(\widehat{G}\) becomes a group with the pointwise product. There is a noncanonical group isomorphism between G and \(\widehat{G}\), and hence \(\# G = \# \widehat{G}\).
Lemma 3
 1.
\(L(s, \chi ) = L(s, \chi ^*)\).
 2.
The set of all prime divisors of \(f_\chi \) is equal to that of all prime divisors of q.
2.4 Relation between lower bounds and zeros of L-functions
As for upper bounds, the following is easily obtained.
Theorem 1
As for lower bounds, we need to consider the influence of a possible real zero of \(L(s, \chi )\) near to 1. The following gives the definition of a Siegel zero.
Theorem 2
 1.
There exists a constant \(C>0\) such that for any non-trivial Dirichlet character \(\chi \) modulo q, \(L(s, \chi )\) does not vanish if \(s=\sigma +\sqrt{-1}\,t\) \((\sigma , t \in \mathbb {R})\) is contained in the region
$$\begin{aligned} \sigma > 1-\frac{C}{\log \{q(1+|t|)\}} \end{aligned}$$
except for at most one real number \(\beta =\beta _{\chi } \in (1-\frac{C}{\log \{q(1+|t|)\}}, 1)\). We call the region a zero-free region of \(L(s, \chi )\). Such a possible real zero \(\beta \) for \(L(s, \chi )\) is called a Siegel zero (cf. [41, Chapter 2]).
 2.
The Siegel zero \(\beta \) of \(L(s, \chi )\) does not exist when a non-trivial character \(\chi \) is not quadratic.
Siegel zeros are not on the vertical strip \(\mathrm {Re}(s)=1/2\) contrary to the generalized Riemann hypothesis. The Siegel zero of \(L(s, \chi )\) is related to lower bounds of \(L(1, \chi )\) as follows.
Theorem 3
The existence of Siegel zeros is a deep problem in number theory, as it influences the distribution of zeros of \(L(s, \chi )\) and lower bounds of \(L(1, \chi )\). The non-existence of Siegel zeros for Dirichlet L-functions has not been proved yet. As for quadratic characters \(\chi \), the best known lower bound of \(L(1, \chi )\) is Siegel’s theorem [46]. We refer to [18, Chapter 21] and [41, Chapter 2].
Theorem 4
Siegel’s theorem can be applied to the following two number theoretical problems. First, the class number \(h_K\) of an imaginary quadratic field K goes to infinity as the absolute value \(d_K\) of the discriminant of \(K/\mathbb {Q}\) tends to infinity. Second, the asymptotics \(\log h_{K} \sim \log \sqrt{d_K}\) holds as \(d_{K}\rightarrow \infty \) with K imaginary quadratic. It is a special case of the Brauer–Siegel theorem (cf. [32]). By this asymptotics, for any given \(n\in \mathbb {N}\) there exist only finitely many imaginary quadratic fields K such that \(h_K=n\).
Later, an effective version of Siegel’s theorem was given by Tatuzawa [50] with the implicit constant effective for any quadratic character \(\chi \) except for at most one ineffective quadratic character. Although Tatuzawa’s theorem was made explicit by [32] except for one quadratic character, the exceptional one is still ineffective.
In Sects. 5 and 6 below, we will give explicit upper and lower bounds of \(L(1, \chi )\) for any non-trivial even Dirichlet character \(\chi \) modulo any prime power. For this purpose, we review explicit estimates for primitive Dirichlet characters in [19, 33] and [44] needed later.
Proposition 1
Proposition 2
Proposition 3
3 Cryptosystems using short generators
As mentioned in Sect. 1, the security of some cryptosystems [22, 30, 49] relies on the computational hardness of finding a short generator of a principal ideal of a number field from a \(\mathbb {Z}\)-basis of the ideal. This problem is called the Short Generator of a Principal Ideal Problem (SGPIP). In this section, we define short generators and briefly give a relation between these cryptosystems and SGPIP. These cryptosystems are constructed over the ring \(R = \mathbb {Z}[x]/(x^n+1)\) for a given degree parameter n of the form \(n=2^{k-1} \ (k>1)\).
3.1 Definition of short generator
3.2 Smart–Vercauteren FHE scheme
 1.
Given a parameter \(\eta > 0\), choose a random polynomial \(G(x) = \sum _{i = 0}^{n-1} g_i x^i \in \mathbb {Z}[x]\), such that \(\Vert G(x) \Vert _\infty := \max _i |g_i|\) is \(\eta \)-bit, \(G(x) \equiv 1 \pmod {2}\), and \(p = \det ({\mathrm {Rot}}(G(x)))\) is prime, where \({\mathrm {Rot}}(G(x))\) denotes the rotation matrix.
 2.
Compute \(D(x) = {\mathrm {gcd}}(G(x), x^n + 1)\) over \(\mathbb {F}_p[x]\), and take the unique root \(\alpha \in \mathbb {F}_p\) of D(x).
 3.
Apply the XGCD algorithm over \(\mathbb {Q}[x]\) to obtain \(Z(x) = \sum _{i = 0}^{n-1} z_i x^i \in \mathbb {Z}[x]\) satisfying \(Z(x) \cdot G(x) \equiv p \pmod {x^n + 1}.\) Set \(B = z_0 \pmod 2\). Then the public key is \({\mathsf {pk}} = (p, \alpha )\), and the secret key is \({\mathsf {sk}} = (p, B)\).
3.3 GGH and GGHLite schemes
We explain the multilinear map (GGH scheme) proposed by Garg et al. [22] and its improved version called GGHLite [30]. Let \(D_{\mathbb {Z}, \sigma }\) denote the discrete Gaussian distribution over \(\mathbb {Z}\) with standard deviation \(\sigma > 0\). In the GGH scheme, a secret short element \(g = \sum _{i = 0}^{n-1} g_i x^i \in R\) is randomly chosen with \(g_i \leftarrow D_{\mathbb {Z}, \sigma }\) for \(0 \le i \le n-1\) such that \(\Vert g^{-1} \Vert \le n^2\) and \(I = (g)\) is a prime ideal in R, where \(g^{-1} \in R \otimes _\mathbb {Z}\mathbb {Q}\simeq \mathbb {Q}(\zeta _{2n})\) and \(\Vert g^{-1} \Vert \) is its Euclidean norm. The condition \(\Vert g \Vert \le \sqrt{n} \cdot \sigma \) is additionally required for the construction of the GGHLite scheme [30]. Moreover, given a modulus parameter \(q > 0\), a secret element z is randomly sampled from \(R_q = R/qR\). In both the GGH and the GGHLite schemes, the pair (g, z) gives a secret key.
The zeroizing attack, which was first introduced in [22], tries to recover a basis \(\mathbf{B}\) of the ideal \(I = (g)\) from given public parameters such as several encodings of zero and one (see [14, Section 5.1] for details). Therefore, recovering g or a short element \(g'\) from the basis \(\mathbf{B}\) is an instance of SGPIP (as mentioned in [14, Section 5.3], recovering \(g' \in R\) with \(\Vert g' \Vert < q^{3/8}/(2n)^4\) is sufficient to attack the GGH scheme).
4 Overview of Cramer et al.’s analysis for SGP
In this section, we briefly review Cramer et al.’s analysis for SGP (defined in Sect. 1) and give some remarks on their attack.
4.1 Attack algorithm
For the representation (4), Cramer et al. first assume that \({\mathrm {Log}}(C)\) is exactly equal to the log-unit lattice \(\varLambda \):
Assumption 1
We assume \({\mathrm {Log}}(C) = \varLambda \).
Moreover, the RSG attack algorithm assumes the following (see [16, Theorem 4.1] for details):
Assumption 2
There is a probabilistic distribution D over K satisfying the following condition: For any unit vectors \(\mathbf{v}_1,\ldots ,\mathbf{v}_{\varphi (q)/2-1} \in \mathbb {R}^{\varphi (q)/2}\) satisfying \(\langle \mathbf{v}_i, \mathbf{1}\rangle = 0\), we have \(|\langle {\mathrm {Log}}(g), \mathbf{v}_i \rangle | < dq^{1/2}(\log q)^{-3/2}\) for all i with probability at least \(\alpha > 0\), where g is chosen from D and d is a universal constant.
Under Assumptions 1 and 2, the RSG attack algorithm for SGP is as follows (see [16, Theorem 4.1] for details):
Algorithm 1
 1.
Apply Babai’s round-off algorithm to \(\mathbf{B}:= \{ \mathbf{b}_j \}_{j \in G \smallsetminus \{ 1 \}}\) and \(\mathbf{t}:= {\mathrm {Log}}(h) = {\mathrm {Log}}(u) + {\mathrm {Log}}(g)\). Let \(\mathbf{v}\in \mathbb {R}^{\varphi (q)/2}\) be its output (i.e. \(\mathbf{v}= \mathbf{B}\cdot \lfloor \left( \mathbf{B}^{\vee }\right) ^t \cdot \mathbf{t}\rceil \)).
 2.
Compute integers \(a_j \in \mathbb {Z}\) for \(j \in G \smallsetminus \{ 1 \}\) such that \(\mathbf{v}= \sum _{j \in G \smallsetminus \{ 1 \}}a_j\mathbf{b}_j\). If there are no such integers \(a_j\), then return “false”.
 3.
Compute \(u^{\prime } := \prod _{j \in G \smallsetminus \{ 1 \}}b_j^{a_j} \in C\) and output \(g' = ug/u^{\prime }\).
Cramer et al. claimed in [16, Theorem 4.1] that the above algorithm outputs \(g' = \pm \zeta _q^j \cdot g\) for some \(0 \le j < q\) with probability at least \(\alpha \), under Assumptions 1 and 2.
Remark 1
Since \([\varLambda : {\mathrm {Log}}(C)] = h^+(q)\), Assumption 1 is related to mathematical problems on \(h^+(q)\). In particular, when q is a 2-power, Assumption 1 is equivalent to Weber’s class number problem (i.e. \(h^+(q) = 1\) for all 2-power q). In Appendix A below, we will give several results related to Weber’s class number problem.
4.2 Some remarks
5 Explicit upper and lower bounds of \(L(1, \chi ^*)\)
Proposition 4
Remark 2
In [16], the special convention of Washington’s book [52, Chapter 3] is adopted, namely, the symbol \(L(1, \chi )\) in [16] is used in the meaning of \(L(1, \chi ^{*})\). Washington’s convention may be confusing since the equality \(L(1, \chi ) = L(1, \chi ^*)\) does not hold for all characters \(\chi \) in general. However, in the case of \(q=p^k\), Lemma 3 gives us \(L(s, \chi )=L(s, \chi ^*)\) for any \(\chi \in \widehat{G}\smallsetminus \{1\}\).
In this section, by using explicit estimates of \(L(1, \chi ^*)\) (Propositions 5, 6, 7 and 8), we give explicitly computable estimates of E(q), avoiding the use of Siegel’s theorem (Theorem 4). Our estimates are better than [16, Theorem 3.1]. From our result, we can easily compute upper and lower bounds of E(q). Experimental results will be shown in Sect. 7.1.
5.1 Explicit lower bound of \(L(1, \chi ^*)\)
We give explicit lower bounds of \(L(1, \chi ^*)=L(1, \chi )\) for any non-trivial even Dirichlet character \(\chi \) modulo \(q=p^k\). The evenness of \(\chi \) is needed for the attack on SGP. We show propositions for the cases of \(p=2\), \(p\equiv 3\) (mod 4), and \(p\equiv 1\) (mod 4), respectively.
Proposition 5
Proof
The first assertion is obvious from Proposition 1. The second assertion is also obvious since \(\chi \) is the unique even quadratic character with \(f_{\chi }= 8\). \(\square \)
For any odd prime number p, let \(\chi _p\) be the primitive quadratic character modulo p. Then, there exists a unique quadratic character modulo \(p^k\), and such a unique quadratic character is induced by \(\chi _p\). Notice that \(\chi _p\) is even if and only if \(p\equiv 1 \text { (mod 4)}\).
Proposition 6
Proof
Since the unique quadratic character modulo \(p^k\) is odd, we obtain the assertion by Proposition 1. \(\square \)
Proposition 7
Proof
The assertion is obvious from Proposition 1 in the case where \(\chi \) is not quadratic.
p | \(L(1, \chi _p)\) | m(p)
5 | \(\frac{2}{\sqrt{5}} \log (\frac{1+\sqrt{5}}{2})\) | 0.856
13 | \(\frac{2}{\sqrt{13}}\log (\frac{3+\sqrt{13}}{2})\) | 0.505
17 | \(\frac{2}{\sqrt{17}}\log (4+\sqrt{17})\) | 0.439
29 | \(\frac{2}{\sqrt{29}}\log (\frac{5+\sqrt{29}}{2})\) | 0.388
37 | \(\frac{2}{\sqrt{37}}\log (6+\sqrt{37})\) | 0.351
41 | \(\frac{2}{\sqrt{41}}\log (32+5\sqrt{41})\) | 0.329
53 | \(\frac{2}{\sqrt{53}}\log (\frac{7+\sqrt{53}}{2})\) | 0.335
61 | \(\frac{2}{\sqrt{61}}\log (\frac{39+5\sqrt{61}}{2})\) | 0.304
73 | \(\frac{2}{\sqrt{73}}\log (1068+125\sqrt{73})\) | 0.280
89 | \(\frac{2}{\sqrt{89}}\log (500+53\sqrt{89})\) | 0.270
97 | \(\frac{2}{\sqrt{97}}\log (5604+569\sqrt{97})\) | 0.262
5.2 Explicit upper bound of \(L(1, \chi ^*)\)
We have explicit upper bounds of \(L(1, \chi ^*)=L(1,\chi )\) for non-trivial even Dirichlet characters \(\chi \). Contrary to the lower bound, we can state the proposition for any prime power as follows.
Proposition 8
5.3 Summary of this section
Our contribution in this section is to give explicit upper and lower bounds of \(L(1, \chi ^*) = L(1, \chi )\) for any non-trivial even Dirichlet character \(\chi \), as in Propositions 5, 6, 7 and 8, contrary to the implicit bounds (1) used in [16]. Moreover, we remark that our upper and lower bounds of \(L(1, \chi ^*)\) are computable. As for lower bounds, we give the trivial lower bound of \(L(1, \chi ^*)\) for quadratic Dirichlet characters \(\chi \) in order to avoid the ineffectiveness of Siegel’s theorem. The upper and lower bounds of \(L(1, \chi ^*)\) as above will be used in Sect. 6.
6 Theoretical estimation of \(\Vert \mathbf{b}_j^{\vee }\Vert \)
For any prime number p and \(k \in \mathbb {N}\), set \(q=p^k\) and \(G=(\mathbb {Z}/q\mathbb {Z})^{\times }/\{\pm 1\}\). In this section we give theoretical upper and lower bounds of \(\Vert \mathbf{b}_{j}^{\vee }\Vert ^2 = E(q)\) (see Proposition 4). In order to divide the sum E(q) in terms of the conductor \(f_{\chi }\), we count the number of even Dirichlet characters of conductor \(p^j\).
Lemma 4
Proof
Explicit upper bounds of E(q) are given as follows.
Theorem 5
 1.
When \(p=2\), we have
$$\begin{aligned} E(q) \le&\ \frac{400}{2^{k+1}} \bigg [ \frac{k(k+1)(2k+1)-84}{6}(\log 2)^2 -(\log 2)(\log \pi )\{k(k+1)-12\} \\&+(\log \pi )^2(k-3) \bigg ] +\frac{1}{2^{k-2} \{\log (1+\sqrt{2})\}^2}. \end{aligned}$$
 2.
When \(p\equiv 3 \ (\text {mod } 4)\), we have
$$\begin{aligned} E(q) \le&\ \frac{400(p-1)}{p^{k+1}} \bigg [ \frac{k(k+1)(2k+1)-6}{6} (\log p)^2 \\&-\{k(k+1)-2\}(\log p)(\log \pi ) +(k-1)(\log \pi )^2 \bigg ] \\&+\frac{400(p-3)}{(p-1)p^k} \{\log (p/\pi )\}^2. \end{aligned}$$
 3.
When \(p\equiv 1 \ (\text {mod } 4)\), we have
$$\begin{aligned} E(q) \le&\ \frac{400(p-1)}{p^{k+1}} \bigg [ \frac{k(k+1)(2k+1)-6}{6}(\log p)^2 \\&-\{k(k+1)-2\}(\log p)(\log \pi ) +(k-1)(\log \pi )^2 \bigg ] \\&+\frac{400(p-5)}{(p-1)p^k} \{\log (p/\pi )\}^2 + \frac{8}{(p-1)p^{k}L(1, \chi _p)^2} \end{aligned}$$
and the following computable estimate
$$\begin{aligned} E(q) \le&\ \frac{400(p-1)}{p^{k+1}} \bigg [ \frac{k(k+1)(2k+1)-6}{6}(\log p)^2 \\&-\{k(k+1)-2\}(\log p)(\log \pi ) +(k-1)(\log \pi )^2 \bigg ] \\&+\frac{400(p-5)}{(p-1)p^k} \{\log (p/\pi )\}^2 + \frac{2p}{(p-1)p^{k}} \frac{1}{\{\log (\frac{\sqrt{p-4}+\sqrt{p}}{2})\}^{2}}. \end{aligned}$$
Proof
The second, third and the fourth inequalities are proved in the same way as in the case of \(p=2\), using Propositions 6 and 7 in place of Proposition 5; we note that there is no even quadratic Dirichlet character modulo \(q=p^k\) when \(p \equiv 3 \ (\text {mod } 4)\). \(\square \)
Explicit lower bounds of E(q) are given as follows.
Theorem 6
Proof
As in the following corollary, our explicit estimates in Theorems 5 and 6 give the same asymptotic estimate \(\Vert \mathbf{b}_j^{\vee }\Vert ^2={\mathcal O}(q^{-1}(\log q)^3)\) as in [16, Theorem 3.1].
Corollary 1
7 Table and figure of \(\Vert \mathbf{b}_j^{\vee } \Vert \) for \(q = 2^k\)
Since our estimate of \(\Vert \mathbf{b}_j^{\vee }\Vert \) in Sect. 6 is effective for all k and prime numbers p, we can show examples of the behavior of \(\Vert \mathbf{b}_{j}^{\vee }\Vert \). In this section, we consider the case of \(p=2\).
7.1 Case of \(q = 2^k\)
Upper and lower bounds of \(\Vert \mathbf {b}_j^\vee \Vert \), and actual value of \(\Vert \mathbf {b}_j^\vee \Vert \) for \(q = 2^k\) with \(3 \le k \le 25\) (upper and lower bounds are given by \(E_{\mathrm {upper}}(k)\) and \(E_{\mathrm {lower}}(k)\) respectively; “Time” is the time it took to compute the actual value of \(\Vert \mathbf {b}_j^\vee \Vert \))
k | \(E_{\mathrm{lower}}(k)\) | \(\Vert \mathbf{b}_j^{\vee }\Vert =\sqrt{E(2^k)}\) | \(E_{\mathrm{upper}}(k)\) | Time
3 | 0.577 | 0.802 | 0.802 | 0.000 s
4 | 0.531 | 0.709 | 5.78 | 0.000 s
5 | 0.428 | 0.568 | 7.10 | 0.000 s
6 | 0.329 | 0.445 | 7.32 | 0.000 s
7 | 0.246 | 0.342 | 6.95 | 0.015 s
8 | 0.181 | 0.261 | 6.27 | 0.219 s
9 | 0.132 | 0.197 | 5.46 | 1.312 s
10 | 0.0959 | 0.148 | 4.63 | 10.203 s
11 | 0.0692 | 0.110 | 3.85 | 74.918 s
12 | 0.0498 | 0.0815 | 3.15 | 555.170 s
13 | 0.0357 | 0.0601 | 2.54 | 7552.266 s
14 | 0.0256 | 0.0442 | 2.03 | 13.4583 h
15 | 0.0183 | 0.0324 | 1.61 | 310.137 h
16 | 0.0130 | N/A | 1.26 | N/A
17 | 0.00930 | N/A | 0.985 | N/A
18 | 0.00662 | N/A | 0.764 | N/A
19 | 0.00471 | N/A | 0.589 | N/A
20 | 0.00335 | N/A | 0.452 | N/A
21 | 0.00238 | N/A | 0.345 | N/A
22 | 0.00169 | N/A | 0.263 | N/A
23 | 0.00120 | N/A | 0.199 | N/A
24 | 0.000854 | N/A | 0.151 | N/A
25 | 0.000606 | N/A | 0.114 | N/A
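To make Theorem 5 and the table above concrete, here is an added example (not code from the paper or from [16]) that computes the actual value \(\Vert \mathbf{b}_j^{\vee }\Vert = \sqrt{E(2^k)}\) for small k and the Theorem 5 upper bound for \(p=2\). It assumes the character-sum form \(E(q) = \frac{1}{\#G}\sum _{\chi \ne 1} |\lambda _\chi |^{-2}\) with \(\lambda _\chi = \sum _{a \in G}\chi (a)\log |1-\zeta _q^a|\) (the eigenvalue form used in [16]; Proposition 4 is not reproduced on this page, so this is an assumption here), and that G is generated by 5 for \(q = 2^k\).

```python
import cmath
import math

# Added example, not from the paper: E(2^k) = ||b_j^vee||^2 for the canonical
# basis of Log(C), q = 2^k, and the p = 2 upper bound of Theorem 5.
# Assumption: E(q) = (1/#G) * sum_{chi != 1 even} 1/|lambda_chi|^2 with
# lambda_chi = sum_{a in G} chi(a) log|1 - zeta_q^a|, i.e. the eigenvalues of
# the G-circulant matrix (Log(z_j))_j of [16]; Proposition 4 is not reproduced
# on this page, so this formula is taken as the definition of E(q) here.


def log_abs_one_minus_root(q: int, a: int) -> float:
    """log|1 - zeta_q^a| = log(2 sin(pi a / q)) for 0 < a < q."""
    return math.log(2.0 * math.sin(math.pi * a / q))


def dual_norm_sq(k: int) -> float:
    """E(2^k) for k >= 3, exact up to floating-point error.

    G = (Z/2^k Z)^x / {+-1} is cyclic of order 2^(k-2) and generated by 5, and
    the even characters modulo 2^k are exactly the characters of G:
    chi_m(5^t) = exp(2 pi i m t / #G).  So every lambda_chi is one coefficient
    of the discrete Fourier transform of t -> log|1 - zeta_q^(5^t)|.
    """
    if k < 3:
        raise ValueError("need q = 2^k with k >= 3")
    q = 1 << k
    order = 1 << (k - 2)  # #G
    f = []
    a = 1
    for _ in range(order):
        f.append(log_abs_one_minus_root(q, a))  # |1 - zeta^a| = |1 - zeta^-a|
        a = (a * 5) % q
    total = 0.0
    for m in range(1, order):  # m = 0 is the trivial character, excluded
        lam = sum(f[t] * cmath.exp(2j * math.pi * m * t / order)
                  for t in range(order))
        total += 1.0 / abs(lam) ** 2
    return total / order


def theorem5_upper_p2(k: int) -> float:
    """Upper bound of E(2^k) in Theorem 5, case p = 2, as printed in the paper.

    The bracket equals sum_{j=4}^{k} (j log 2 - log pi)^2, one term for each
    conductor 2^j with 4 <= j <= k; the last term is the contribution of the
    even quadratic character of conductor 8.
    """
    l2, lpi = math.log(2.0), math.log(math.pi)
    bracket = ((k * (k + 1) * (2 * k + 1) - 84) / 6.0) * l2 ** 2 \
        - l2 * lpi * (k * (k + 1) - 12) + lpi ** 2 * (k - 3)
    return 400.0 / 2 ** (k + 1) * bracket \
        + 1.0 / (2 ** (k - 2) * math.log(1.0 + math.sqrt(2.0)) ** 2)


def dual_norm_bounds(k: int) -> tuple:
    """(actual ||b_j^vee||, Theorem 5 upper bound on it) for q = 2^k."""
    return math.sqrt(dual_norm_sq(k)), math.sqrt(theorem5_upper_p2(k))


if __name__ == "__main__":
    # Reproduces the k = 3..10 rows of the table in Sect. 7.1.
    for k in range(3, 11):
        actual, upper = dual_norm_bounds(k)
        print(f"k={k:2d}  ||b_j^vee||={actual:.3f}  E_upper(k)={upper:.3f}")
```

Computing E(q) through the characters costs one naive DFT of size \(\#G = 2^{k-2}\) per q, so the rows the table marks N/A are reachable this way; the explicit Theorem 5 bound only needs k.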
7.2 Feedback to hardness of SGP
8 Experimental verification
In this section, we give our experimental results to verify whether or not Algorithm 1 succeeds in recovering short elements g (or sufficiently short elements \(g'\) which can break the cryptosystems described in Sect. 3).
We deal with the case of \(q=2^k\) since our targeted cryptosystems [22, 30, 49] are basically constructed over \(2^k\)th cyclotomic fields. From the viewpoint of the efficiency of a key generation, encoding and decoding process in cryptosystems of [22, 30, 49], we usually use k with \(8 \le k \le 25\) in practice. Our theoretical bounds in Sect. 7.1 allow us to infer that the success probability of Algorithm 1 gets higher as k is greater than 6. Thus, we show our experimental results of the success probability for each k with \(6 \le k \le 10\). Set \(q := 2^k\), \(n := 2^{k1}\), \(G := (\mathbb {Z}/q\mathbb {Z})^{\times }/\{ \pm 1 \}\) and \(R := \mathbb {Z}[x]/(x^n + 1)\).
8.1 Parameter setting for our experiments

Choice of Distribution of Secret Key g: we consider the case where g is randomly chosen from a discrete Gaussian distribution or a uniform distribution. Recall that g is chosen from a discrete Gaussian distribution in the GGH and GGHLite schemes, and that g is uniformly chosen from a certain finite subset of \(\mathbb {Z}[x]\) in the FHE scheme (see Sect. 3).

Size of Variance: in the GGH and GGHLite schemes, the spaces of secret keys, which are discrete Gaussian distributions with mean 0, depend only on their variances and n. (By contrast, in the FHE scheme, the space of secret keys depends only on n.) Thus, by several experiments we consider whether the success probability of Algorithm 1 depends on the variances of the discrete Gaussian distributions.

Type of Principal Ideals \(I = (g)\) (Prime or Non-Prime): in the FHE, GGH and GGHLite schemes, secret keys \(g \in R\) should be prime elements in R satisfying \(R/(g) \simeq \mathbb {F}_p\) for some prime number p. However, as we will note below, this condition can be relaxed in the cases of GGH and GGHLite. (In addition, it may also be possible that the primality condition on g can be relaxed for FHE.) Thus, we consider whether the success probability of Algorithm 1 depends on the primality of secret keys.
8.2 Effects of primality and variance
First, we consider the effects of the primality of secret keys and of the variances of discrete Gaussian distributions. We divide this subsection into the cases of discrete Gaussian distributions and of uniform distributions.
Case of discrete Gaussian distribution
First, we consider the case where secret keys g are chosen from discrete Gaussian distributions of the mean 0 and given standard deviations \(\sigma \), which are spaces of secret keys of GGH and GGHLite schemes.
In each cryptosystem, a secret key g is a prime element in R such that \(\mathcal{N}(g) := {\mathrm {Res}}(g^{\prime }(x), x^n + 1)\) is a prime number, where \(g^{\prime }\) is a polynomial in \(\mathbb {Z}[x]\) representing g in R and \({\mathrm {Res}}(g^{\prime }(x), x^n + 1)\) is the resultant of \(g^{\prime }\) and \(x^n + 1\). (The primality of \(\mathcal{N}(g)\) is not a necessary condition but a sufficient condition for g to be a prime element in R.) The primality of g was used in the proof of [22, Lemmas 3 and 4]. In general, it is not efficient to obtain such a g for large k, e.g. \(k \ge 10\) [49, Section 7], [3, Section 4]. Fortunately, it is proved in [3] that the primality of g is not necessary to prove these lemmas, and thus the condition on g can be relaxed. Note that in [3], it is suggested that the primality of g is still necessary for some cryptographic applications and it may be possible to attack by using the non-primality of g. Thus, we should examine by experiment whether Algorithm 1 is one of such attacks.
Moreover, from Cramer et al.’s analysis for discrete Gaussian distributions [16, Lemma 5.6], the success probability of Algorithm 1 seems to depend heavily on variances of discrete Gaussian distributions. From this, we should also experiment for several variances.
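To make the key-classification criterion above concrete, the following Python example (added here; it is not code from the paper or from the implementation in [3]) computes \(\mathcal{N}(g)\) exactly for a key \(g \in \mathbb {Z}[x]/(x^n+1)\) by norm halving (the relative norm \(g(x)\,g(-x)\) to the subfield is a polynomial in \(x^2\)), tests whether \(\mathcal{N}(g)\) is prime with a Miller–Rabin test, and draws keys from a simple rejection-based discrete Gaussian sampler (a stand-in for the Sage sampler of [2]) until a prescribed number of prime-norm keys has been found. All function names, the sampler and the parameter choices are the example's own assumptions.

```python
import math
import random


def poly_mul_mod(a, b):
    """Product of two integer polynomials (coefficient lists of equal length n, low degree first)
    in R = Z[x]/(x^n + 1): a wrapped-around power x^(n+m) becomes -x^m."""
    n = len(a)
    res = [0] * n
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for j, bj in enumerate(b):
            if bj == 0:
                continue
            if i + j < n:
                res[i + j] += ai * bj
            else:
                res[i + j - n] -= ai * bj
    return res


def norm(g):
    """N(g) = Res(g'(x), x^n + 1) = N_{K/Q}(g) for g in Z[x]/(x^n + 1), n a power of two, as an exact integer.
    Norm halving: g(x) * g(-x) is the relative norm down to the subfield Q(zeta^2) and is a polynomial
    in x^2, so substituting y = x^2 gives an element of Z[y]/(y^(n/2) + 1); repeat until n = 1."""
    g = list(g)
    while len(g) > 1:
        g_neg = [c if i % 2 == 0 else -c for i, c in enumerate(g)]  # g(-x)
        h = poly_mul_mod(g, g_neg)
        assert all(c == 0 for c in h[1::2])  # odd powers of x cancel
        g = h[0::2]
    return g[0]


def is_probable_prime(m, rounds=32):
    """Trial division by small primes, then Miller-Rabin; bases come from a generator seeded by m,
    so the verdict for a given m is reproducible."""
    if m < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if m % p == 0:
            return m == p
    d, s = m - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    rng = random.Random(m)
    for _ in range(rounds):
        a = rng.randrange(2, m - 1)
        x = pow(a, d, m)
        if x in (1, m - 1):
            continue
        for _ in range(s - 1):
            x = x * x % m
            if x == m - 1:
                break
        else:
            return False
    return True


def ideal_is_prime_by_norm(g):
    """The sufficient test behind the set _1: a prime N(g) forces (g) to be a prime ideal.
    A composite N(g) proves nothing, e.g. (3) is prime in Z[i] although N(3) = 9, so such keys are
    reported as 'undetermined' rather than being placed in _2."""
    N = norm(g)
    return N, ("prime" if is_probable_prime(N) else "undetermined")


def sample_discrete_gaussian(n, sigma, rng, tail=10):
    """Toy coordinate-wise rejection sampler for D_{Z^n, sigma} (assumed stand-in for the sampler of [2])."""
    bound = int(math.ceil(tail * sigma))
    v = []
    while len(v) < n:
        x = rng.randint(-bound, bound)
        if rng.random() < math.exp(-x * x / (2.0 * sigma * sigma)):
            v.append(x)
    return v


def collect_prime_norm_keys(k, sigma, count, seed=0):
    """Draw g <- D_{Z^n, sigma}, n = 2^(k-1), until `count` keys with prime norm are found.
    Returns (keys, draws); draws/count is the price of insisting on prime keys."""
    n = 2 ** (k - 1)
    rng = random.Random(seed)
    keys, draws = [], 0
    while len(keys) < count:
        g = sample_discrete_gaussian(n, sigma, rng)
        draws += 1
        if is_probable_prime(norm(g)):
            keys.append(g)
    return keys, draws


if __name__ == "__main__":
    keys, draws = collect_prime_norm_keys(k=6, sigma=10.0, count=3, seed=1)
    print("needed", draws, "draws for 3 prime-norm keys at k = 6;",
          "N(g) has about", norm(keys[0]).bit_length(), "bits")
```

Two things the code makes visible. First, it only implements the sufficient condition of the text: for \(g = 3\) in \(\mathbb {Z}[i]\) (\(k = 2\)) it returns \(\mathcal{N}(g) = 9\) and "undetermined", although (3) is a prime ideal there; deciding that (g) is not prime, as the set \(_2\) requires, needs the factorisation of the ideal and is not attempted here. Second, \(\mathcal{N}(g)\) has roughly \(n \log_2(\sigma\sqrt{n})\) bits, so at \(k = 10\) and \(\sigma = 10\) it is a number of about 4000 bits of which only about one draw in a few thousand is prime, which is the practical reason prime keys are not generated for large k.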
 1. Construct the following three finite subsets of R such that \(\# _i = 1000\) for \(i = 1, 2, 3\):
$$\begin{aligned} _1 &:= \{ g \in R \mid g \leftarrow D_{\mathbb {Z}^n, \sigma } \text{ and } \mathcal{N}(g) \text{ is a prime number} \}, \\ _2 &:= \{ g \in R \mid g \leftarrow D_{\mathbb {Z}^n, \sigma } \text{ and the ideal } (g) \text{ is not a prime ideal} \}, \\ _3 &:= \{ g \in R \mid g \leftarrow D_{\mathbb {Z}^n, \sigma } \}. \end{aligned}$$
 2. Compute \(\mathbf{b}_j\) and \(\mathbf{b}_j^{\vee }\) for \(j \in G \smallsetminus \{ 1 \}\), where \(G := (\mathbb {Z}/q\mathbb {Z})^{\times }/\{ \pm 1 \}\).
 3. For \(g_1 \in _1\), \(g_2 \in _2\) and \(g_3 \in _3\), compute the coefficients \(a_j^{(g_i)}\) (\(j \in G \smallsetminus \{ 1 \}\)) satisfying \({\mathrm {Log}}(g_i) = a_1^{(g_i)}\mathbf{1} + \sum _{j \in G \smallsetminus \{ 1 \}} a_j^{(g_i)}\mathbf{b}_j\).
 4. For \(i = 1, 2, 3\) and \(g_i \in _i\), compute
$$\begin{aligned} a_{\max }^{(g_i)} &:= \max \{ a_j^{(g_i)} \mid j \in G \smallsetminus \{ 1 \} \}, \\ a_{\mathrm{ave}}(_i) &:= \frac{1}{\#_i} \sum _{g_i \in _i} \left| a_{\max }^{(g_i)} \right|. \end{aligned}$$
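Steps 2 to 4 of the procedure, as an added Python example that is not code from the paper. It assumes, as in Cramer et al. [16], that \(\mathbf{b}_j\) is the Log vector of the cyclotomic unit \((\zeta^j - 1)/(\zeta - 1)\) for \(j \in G \smallsetminus \{1\}\), with Log taken over one embedding per pair of complex-conjugate embeddings. Instead of forming the dual basis \(\mathbf{b}_j^{\vee}\) explicitly, it solves the square linear system \({\mathrm {Log}}(g) = a_1 \mathbf{1} + \sum_j a_j \mathbf{b}_j\), which yields the same coefficients \(a_j = \langle {\mathrm {Log}}(g), \mathbf{b}_j^{\vee} \rangle\). It also exposes the statistic the attack actually depends on: the round-off step of [16] recovers g from any \(h = g u\) (u in the group generated by \(\pm\zeta\) and the \(\mathbf{b}_j\)) exactly when every \(|a_j^{(g)}| < 1/2\). The sample keys in the driver are constructed (rounded continuous Gaussians), not the paper's data; every name here is the example's own.

```python
import cmath
import math


def half_units(k):
    """Representatives of G = (Z/qZ)^x / {+-1} for q = 2^k: the odd i with 1 <= i < n = 2^(k-1)."""
    return list(range(1, 2 ** (k - 1), 2))


def evaluate(g, z):
    """Horner evaluation of an integer polynomial g (coefficients, low degree first) at a complex point z."""
    acc = 0j
    for c in reversed(g):
        acc = acc * z + c
    return acc


def log_embedding(g, k):
    """Log(g) = (log |g(zeta^i)|)_{i in G}, zeta = exp(2 pi i / 2^k): one coordinate per conjugate pair."""
    q = 2 ** k
    return [math.log(abs(evaluate(g, cmath.exp(2j * math.pi * i / q)))) for i in half_units(k)]


def cyclotomic_unit(j, n):
    """(zeta^j - 1)/(zeta - 1) = 1 + zeta + ... + zeta^(j-1) as a polynomial of degree < n (odd j < n)."""
    return [1] * j + [0] * (n - j)


def coordinates_of_log(vec, k):
    """Solve vec = a_1 * 1 + sum_{j in G\\{1}} a_j * b_j with b_j = Log((zeta^j - 1)/(zeta - 1)).
    Returns (a_1, {j: a_j}).  Solving this square system equals taking inner products with the
    dual basis b_j^vee, i.e. it produces the numbers the attack rounds."""
    n = 2 ** (k - 1)
    G = half_units(k)
    m = len(G)
    basis = [[1.0] * m] + [log_embedding(cyclotomic_unit(j, n), k) for j in G[1:]]
    # Augmented rows (basis_0[r], ..., basis_{m-1}[r] | vec[r]); Gauss-Jordan with partial pivoting.
    M = [[basis[c][r] for c in range(m)] + [vec[r]] for r in range(m)]
    for c in range(m):
        p = max(range(c, m), key=lambda r: abs(M[r][c]))
        M[c], M[p] = M[p], M[c]
        for r in range(m):
            if r != c:
                f = M[r][c] / M[c][c]
                M[r] = [x - f * y for x, y in zip(M[r], M[c])]
    sol = [M[r][m] / M[r][r] for r in range(m)]
    return sol[0], dict(zip(G[1:], sol[1:]))


def log_unit_coordinates(g, k):
    """Step 3 for one key: the a_j^{(g)} with Log(g) = a_1 1 + sum_j a_j b_j."""
    return coordinates_of_log(log_embedding(g, k), k)


def round_off_margin(g, k):
    """max_j |a_j^{(g)}|.  Rounding the dual coordinates of Log(h), h = g*u, gives back Log(g)
    (so the attack recovers g up to sign and a root of unity) iff every |a_j^{(g)}| < 1/2 [16]."""
    _, a = log_unit_coordinates(g, k)
    return max(abs(v) for v in a.values())


if __name__ == "__main__":
    import random
    rng = random.Random(7)
    k, n, sigma = 6, 32, 10.0
    # Constructed sample keys: rounded continuous Gaussians stand in for D_{Z^n, sigma}.
    keys = [[int(round(rng.gauss(0.0, sigma))) for _ in range(n)] for _ in range(50)]
    margins = [round_off_margin(g, k) for g in keys]
    print("k = 6: mean of max|a_j| over 50 keys =", round(sum(margins) / len(margins), 3))
    print("round-off would succeed on", sum(m < 0.5 for m in margins), "of 50 keys")
```

The two printed numbers are the two sides of the experiment: the mean of \(\max_j |a_j|\) is the quantity tabulated as \(a_{\mathrm{ave}}\), and the count of keys with \(\max_j |a_j| < 1/2\) is the success rate of Algorithm 1 reported in Sect. 8.3. Multiplying a key by a unit \(\mathbf{b}_{j_0}\) shifts \(a_{j_0}\) by exactly 1 and leaves the other coefficients unchanged, which is what makes the rounding well defined.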
Values of \(a_{\mathrm{ave}}(_i)\) for \(6 \le k \le 10\) and \(i = 1, 2, 3\) (discrete Gaussian distribution). For \(k = 6, 7, 8\) each entry is \(a_{\mathrm{ave}}(_1)\)/\(a_{\mathrm{ave}}(_2)\); for \(k = 9, 10\), where prime keys were not generated, only the value for \(_3\) is listed (cf. Table 3).

k \ \(\log _{10}(\sigma )\) | 1           | 1.477       | 1.699       | 2           | 3           | 4
6                         | 0.542/0.544 | 0.539/0.546 | 0.547/0.547 | 0.539/0.556 | 0.546/0.549 | 0.548/0.541
7                         | 0.474/0.481 | 0.471/0.483 | 0.479/0.485 | 0.476/0.472 | 0.481/0.468 | 0.472/0.477
8                         | 0.406/0.403 | 0.404/0.404 | 0.405/0.402 | 0.403/0.404 | 0.399/0.405 | 0.400/0.399
9                         | 0.33/–      | 0.328/–     | 0.331/–     | 0.331/–     | 0.33/–      | 0.32/–
10                        | 0.267/–     | 0.265/–     | 0.268/–     | 0.268/–     | 0.267/–     | 0.268/–
In every row the values are essentially the same across all six values of \(\sigma \) and between \(_1\) and \(_2\) (they differ by less than 0.02), while they decrease steadily with k. Thus, we conclude that the security of the GGH and GGHLite schemes against the RSG attack depends neither on the primality of their secret keys nor on the variance of their secret-key spaces. Our observation also implies that non-prime elements g can be used as secret keys in those cryptosystems, except for some applications.
Case of uniform distribution
In this case, we again test whether the primality of g affects the success probability of Algorithm 1. Let \(_1\) be the set of polynomials chosen by the method above. For \(k = 6, 7, 8\), let \(_2\) be the set of polynomials f chosen uniformly from \(B(\eta )\) such that f mod \((x^n+1)\) does not generate a prime ideal. For \(k = 9, 10\), we choose \(g \in B(\eta )\) uniformly without testing the primality of g, and let \(_3\) be the set of such polynomials. We draw polynomials until \(\# _1 = \# _2 = \# _3 = 1000\). For \(i = 1, 2, 3\), define \(a_{\mathrm{ave}}(_i)\) as above.
Table 3: Values of \(a_{\mathrm{ave}}(_i)\) for \(6 \le k \le 10\) and \(i = 1, 2, 3\) (uniform distribution)

k  | \(a_{\mathrm{ave}}(_1)\) / \(a_{\mathrm{ave}}(_2)\) | \(a_{\mathrm{ave}}(_3)\)
6  | 0.554 / 0.542 | –
7  | 0.487 / 0.477 | –
8  | 0.402 / 0.404 | –
9  | –             | 0.334
10 | –             | 0.267
From Table 3, we infer that the primality of g does not affect the difficulty of solving SGP for the FHE scheme, for the same reason as in the case of discrete Gaussian distributions: the values for \(_1\) and \(_2\) agree to within about 0.01 and depend only on k. Thus, we conclude that the security of the FHE scheme against the RSG attack does not depend on the primality of the secret keys, and that non-prime elements g can be used as secret keys if the primality condition is relaxed.
8.3 Success probability of Algorithm 1
From Figs. 2 and 3, we infer that Algorithm 1 recovers the secret keys of the FHE, GGH and GGHLite schemes with probability about 50% (resp. about 85% and 100%) when \(k = 6\) (resp. \(k = 8\) and \(k = 10\)). In other words, the success rate increases with k, and we believe this remains true for \(k > 10\). Thus, our experimental results suggest that the security of the FHE, GGH and GGHLite schemes depends heavily on the difficulty of solving the principal ideal problem: once any generator of (g) is known, Algorithm 1 finds a short one with high probability for practical k.
9 Conclusion
In this paper, we analyzed the security of cryptosystems using short generators over ideal lattices against the RSG attack. We gave explicit estimates of the special values of Dirichlet L-functions at 1 for all non-trivial even Dirichlet characters modulo a prime power, and improved Cramer et al.'s main result validating their attack by using these estimates. Our improvement allows one to analyze the RSG attack not only asymptotically but also explicitly for fixed practical parameters. We also gave various experimental results showing that recovering short generators over \(2^k\)th cyclotomic fields for \(k \ge 10\) succeeds with high probability.
Acknowledgements
We would like to thank the authors in [16] for some comments. This work was supported by JST CREST Grant Number JPMJCR14D6, Japan.
References
1. Ajtai, M., Dwork, C.: A public-key cryptosystem with worst-case/average-case equivalence. In: Proceedings of the 29th Annual ACM Symposium on Theory of Computing, STOC 1997, pp. 284–293. ACM (1997)
2. Albrecht, M.: Discrete Gaussian samplers over lattices. http://doc.sagemath.org/html/en/reference/stats/sage/stats/distributions/discrete_gaussian_lattice.html
3. Albrecht, M.R., Cocis, C., Laguillaumie, F., Langlois, A.: Implementing candidate graded encoding schemes from ideal lattices. IACR Cryptology ePrint Archive, Report 2014/928 (2014)
4. Babai, L.: On Lovász' lattice reduction and the nearest lattice point problem. Combinatorica 6(1), 1–13 (1986) (preliminary version in STACS 1985)
5. Bauer, H.: Numerische Bestimmung von Klassenzahlen reeller zyklischer Zahlkörper. J. Number Theory 1, 161–162 (1969)
6. Bernstein, D.: A subfield-logarithm attack against ideal lattices (2014). http://blog.cr.yp.to/20140213ideal.html. Accessed 9 May 2018
7. Biasse, J.-F.: Subexponential time relations in the class group of large degree number fields. Adv. Math. Commun. 8(4), 407–425 (2014)
8. Biasse, J.-F.: A fast algorithm for finding a short generator of a principal ideal of \({\mathbb{Q}}(\zeta _{2^n})\). arXiv preprint arXiv:1503.03107 (2015)
9. Biasse, J.-F., Espitau, T., Fouque, P.-A., Gélin, A., Kirchner, P.: Computing generator in cyclotomic integer rings: a subfield algorithm for the principal ideal problem in \(L_{\varDelta \mathbb{K}}(\frac{1}{2})\) and application to the cryptanalysis of a FHE scheme. In: Advances in Cryptology – EUROCRYPT 2017, Springer LNCS 10210, pp. 60–88 (2017)
10. Biasse, J.-F., Fieker, C.: Subexponential class group and unit group computation in large degree number fields. LMS J. Comput. Math. 17(A), 385–403 (2014)
11. Biasse, J.-F., Song, F.: Efficient quantum algorithms for computing class groups and solving the principal ideal problem in arbitrary degree number fields. In: Proceedings of the Twenty-Seventh Annual ACM-SIAM Symposium on Discrete Algorithms, SODA 2016, pp. 893–902 (2016)
12. Bosma, W., Cannon, J., Playoust, C.: The Magma algebra system. I. The user language. J. Symb. Comput. 24, 235–265 (1997)
13. Campbell, P., Groves, M., Shepherd, D.: Soliloquy: a cautionary tale. In: ETSI 2nd Quantum-Safe Crypto Workshop (2014). https://docbox.etsi.org/workshop/2014/201410_CRYPTO/S07_Systems_and_Attacks/S07_Groves_Annex.pdf. Accessed 9 May 2018
14. Cheon, J.H., Lee, C.: Cryptanalysis of the multilinear map on the ideal lattices. IACR Cryptology ePrint Archive, Report 2015/461 (2015)
15. Cohn, H.: A numerical study of Weber's real class number calculation I. Numer. Math. 2, 347–362 (1960)
16. Cramer, R., Ducas, L., Peikert, C., Regev, O.: Recovering short generators of principal ideals in cyclotomic rings. In: Advances in Cryptology – EUROCRYPT 2016, Springer LNCS 9666, pp. 559–585 (2016)
17. Cramer, R., Ducas, L., Wesolowski, B.: Short Stickelberger class relations and application to Ideal-SVP. In: Advances in Cryptology – EUROCRYPT 2017, Springer LNCS 10210, pp. 324–348 (2017)
18. Davenport, H.: Multiplicative Number Theory, 3rd edn. Graduate Texts in Mathematics, vol. 74. Springer, New York (2000)
19. Eddin, S.S., Platt, D.J.: Explicit upper bounds for \(L(1, \chi )\) when \(\chi (3) = 0\). Colloq. Math. 133(1), 23–34 (2013)
20. Fukuda, T., Komatsu, K.: Weber's class number problem in the cyclotomic \(\mathbb{Z}_2\)-extension of \(\mathbb{Q}\), II. J. Théor. Nombres Bordeaux 22(2), 359–368 (2010)
21. Fukuda, T., Komatsu, K.: Weber's class number problem in the cyclotomic \(\mathbb{Z}_2\)-extension of \(\mathbb{Q}\), III. Int. J. Number Theory 7(6), 1627–1635 (2011)
22. Garg, S., Gentry, C., Halevi, S.: Candidate multilinear maps from ideal lattices. In: Advances in Cryptology – EUROCRYPT 2013, Springer LNCS 7881, pp. 1–17 (2013)
23. Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Proceedings of the 2009 ACM Symposium on Theory of Computing, STOC 2009, pp. 169–178. ACM (2009)
24. Gentry, C., Halevi, S.: Implementing Gentry's fully homomorphic encryption scheme. In: Advances in Cryptology – EUROCRYPT 2011, Springer LNCS 6632, pp. 129–148 (2011)
25. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Proceedings of the 40th Annual ACM Symposium on Theory of Computing, STOC 2008, pp. 197–206. ACM (2008)
26. Hallgren, S.: Fast quantum algorithms for computing the unit group and class group of a number field. In: Proceedings of the 37th Annual ACM Symposium on Theory of Computing, STOC 2005, pp. 468–474. ACM (2005)
27. Holzer, P., Wunderer, T., Buchmann, J.A.: Recovering short generators of principal fractional ideals in cyclotomic fields of conductor \(p^{\alpha }q^{\beta }\). IACR Cryptology ePrint Archive, Report 2017/513 (2017)
28. Horie, K.: Certain primary components of the ideal class group of the \(\mathbb{Z}_2\)-extension over the rationals. Tohoku Math. J. 59, 259–291 (2007)
29. Landau, E.: Über Dirichletsche Reihen mit komplexen Charakteren. J. Reine Angew. Math. 157, 26–32 (1927)
30. Langlois, A., Stehlé, D., Steinfeld, R.: GGHLite: more efficient multilinear maps from ideal lattices. In: Advances in Cryptology – EUROCRYPT 2014, Springer LNCS 8441, pp. 239–256 (2014)
31. Louboutin, S.: Majorations explicites de \(L(1, \chi )\) (quatrième partie). C. R. Acad. Sci. Paris 334, 625–628 (2002)
32. Louboutin, S.: Simple proofs of the Siegel–Tatuzawa and Brauer–Siegel theorems. Colloq. Math. 108, 277–283 (2007)
33. Louboutin, S.: An explicit lower bound on moduli of Dirichlet \(L\)-functions at \(s = 1\). J. Ramanujan Math. Soc. 30(1), 101–113 (2015)
34. Lyubashevsky, V.: Lattice-based identification schemes secure under active attacks. In: Public Key Cryptography – PKC 2008, Springer LNCS 4939, pp. 162–179 (2008)
35. Lyubashevsky, V., Micciancio, D.: Generalized compact knapsacks are collision resistant. In: Automata, Languages and Programming – ICALP 2006, Springer LNCS 4052, pp. 144–155 (2006)
36. Lyubashevsky, V., Micciancio, D.: Asymptotically efficient lattice-based digital signatures. In: Theory of Cryptography – TCC 2008, Springer LNCS 4948, pp. 37–54 (2008)
37. Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. J. ACM 60(3), 43 (2013)
38. Masley, J.M.: Class numbers of real cyclic number fields with small conductor. Compos. Math. 37, 297–319
39. Micciancio, D.: Generalized compact knapsacks, cyclic lattices, and efficient one-way functions. Comput. Complex. 16(4), 365–411 (2007)
40. Miller, J.C.: Class numbers of totally real fields and applications to the Weber class number problem. Acta Arith. 164(4), 381–397 (2014)
41. Molteni, G.: \(L\)-functions: Siegel-type theorems and structure theorems. Ph.D. thesis, University of Milan, Milan (1999)
42. Neukirch, J.: Algebraic Number Theory. Grundlehren der mathematischen Wissenschaften, vol. 322. Springer, Berlin (1999)
43. Peikert, C., Rosen, A.: Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. In: Theory of Cryptography – TCC 2006, Springer LNCS 3876, pp. 145–166 (2006)
44. Ramaré, O.: Approximate formulae for \(L(1, \chi )\). Acta Arith. 100, 245–266 (2001)
45. Schanck, J.: LogCVP, Pari implementation of CVP in Log \(\mathbb{Z}[\zeta_{2^n}]^*\) (2015). https://github.com/jschancksi/logcvp. Accessed 9 May 2018
46. Siegel, C.L.: Über die Classenzahl quadratischer Zahlkörper. Acta Arith. 1, 83–86 (1935)
47. Stehlé, D., Steinfeld, R.: Making NTRU as secure as worst-case problems over ideal lattices. In: Advances in Cryptology – EUROCRYPT 2011, Springer LNCS 6632, pp. 27–47 (2011)
48. Stehlé, D., Steinfeld, R., Tanaka, K., Xagawa, K.: Efficient public key encryption based on ideal lattices. In: Advances in Cryptology – ASIACRYPT 2009, Springer LNCS 5912, pp. 617–635 (2009)
49. Smart, N.P., Vercauteren, F.: Fully homomorphic encryption with relatively small key and ciphertext sizes. In: Public Key Cryptography – PKC 2010, Springer LNCS 6056, pp. 420–443 (2010)
50. Tatuzawa, T.: On a theorem of Siegel. Jpn. J. Math. 21, 163–178 (1951)
51. van der Linden, F.J.: Class number computations of real abelian number fields. Math. Comput. 39, 693–707 (1982)
52. Washington, L.: Introduction to Cyclotomic Fields. Graduate Texts in Mathematics, vol. 83. Springer, New York (1997)
53. Weber, H.: Theorie der Abel'schen Zahlkörper. Acta Math. 8, 193–263 (1886)
Copyright information
Open Access. This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.