# Cryptography Core Technology


## Abstract

In this chapter, we describe the analysis of two security bases. One is the analysis of the elliptic curve discrete logarithm problem (ECDLP), the hardness assumption behind elliptic curve public-key cryptosystems; these achieve short key sizes but are not post-quantum. The other is the analysis of learning with errors (LWE), a post-quantum hardness assumption on which *homomorphic encryption* schemes are built. These two security bases play important roles in the protocols described in Sect. 2.2.4.2.

## 2.1 Analysis on ECDLP

### 2.1.1 Introduction

In recent years, elliptic curve cryptography has been gaining momentum in deployment because it achieves the same level of security as RSA with much shorter keys and ciphertexts. The security of elliptic curve cryptography is closely related to the computational complexity of the elliptic curve discrete logarithm problem (ECDLP). Let *p* be a prime number and *E* a nonsingular elliptic curve over \(\mathbb {F}_{p^n}\), the finite field of \(p^n\) elements. That is, for \(p>3\), *E* is a plane algebraic curve defined by the equation \(y^2=x^3+ax+b\) for \(a,b\in \mathbb {F}_{p^n}\) such that \(\Delta =-16(4a^3+27b^2)\ne 0\). Together with a point \(\mathcal O\) at infinity, the set of rational points \(E(\mathbb {F}_{p^n})\) forms an abelian group with \(\mathcal O\) as the identity. Given \(P\in E(\mathbb {F}_{p^n})\) and *Q* in the subgroup generated by *P*, ECDLP is the problem of finding an integer \(\alpha \) such that \(Q=\alpha P\).

Today, the best practical attacks against ECDLP are exponential-time, generic discrete logarithm algorithms such as Pollard’s rho method [34]. Recently, however, a line of research has been dedicated to index calculus for ECDLP, started by Semaev, Gaudry, and Diem [25, 30, 35]. Under certain heuristic assumptions, such algorithms could lead to subexponential attacks on ECDLP in some cases [27, 31, 33]. The interested reader is referred to the survey paper by Galbraith and Gaudry for a more comprehensive and in-depth account of the recent development of ECDLP algorithms along various directions [28].

In this section, we investigate the computational complexity of ECDLP for elliptic curves in various forms, including Hessian [36], Montgomery [32], (twisted) Edwards [23, 24], and Weierstrass, using index calculus. Recently, elliptic curves of various forms such as Curve25519 [22] have been drawing considerable attention in deployment, partly because some of them allow fast implementation and resistance to timing-based side-channel attacks. Furthermore, we can construct these curves not only over prime fields (such as the field of \(2^{255} - 19\) elements used in Curve25519) but also over extension fields. In this section, we focus on curves over optimal extension fields (OEFs) [21]. An OEF is an extension field of a prime field \(\mathbb {F}_p\) with *p* close to \(2^8, 2^{16}, 2^{32}, 2^{64}\), etc. Such primes fit nicely into the processor words of 8-, 16-, 32-, or 64-bit microprocessors and hence are particularly suitable for software implementation, allowing efficient use of fast integer arithmetic on modern microprocessors [21]. As we will see, our experimental results show significant differences in the computational complexity of ECDLP for elliptic curves in various forms over OEFs.

### 2.1.2 Previous Works

#### 2.1.2.1 Index Calculus for ECDLP

Let *E* be an elliptic curve defined over a finite field \(\mathbb {F}_{p^n}\). For cryptographic applications, we are mostly interested in a prime-order subgroup generated by a rational point \(P\in E(\mathbb {F}_{p^n})\). Here, we first give a high-level overview of a typical index-calculus algorithm for finding an integer \(\alpha \) such that \(Q=\alpha P\) for \(Q\in \langle P\rangle \).

1. Determine a *factor base* \(\mathcal F\subset E(\mathbb {F}_{p^n})\).
2. Collect a set \(\mathcal R\) of *relations* by decomposing random points \(a_iP+b_iQ\) into a sum of points from \(\mathcal F\), i.e.,
   $$ \mathcal R=\left\{ a_iP+b_iQ=\sum _jP_{i,j}:P_{i,j}\in \mathcal F\right\} . $$
3. When \(|\mathcal R|\approx |\mathcal F|\), eliminate the right-hand side using linear algebra to obtain an equation of the form \(aP+bQ=\mathcal O\) and \(\alpha =-a/b\bmod {{\,\mathrm{ord}\,}}P\).

The last step of linear algebra is relatively well studied in the literature, so we will focus on the subproblem in the second step, namely, the point decomposition problem (PDP) on an elliptic curve in the rest of this section.

### Definition 2.1

(*Point Decomposition Problem of mth Order*) Given a rational point \(R\in E(\mathbb {F}_{p^n})\) on an elliptic curve *E* and a factor base \(\mathcal F\subset E(\mathbb {F}_{p^n})\), find, if they exist, \(P_1,\ldots ,P_m\in \mathcal F\) such that \(R=P_1+\cdots +P_m\).

#### 2.1.2.2 Semaev’s Summation Polynomials

*x*-coordinates must be equal. Let us now consider the simplest yet nontrivial case where three points on *E* sum to zero. Let

*Z* is in the variety of the ideal \(I\subset \mathbb {F}_{p^n}[X_1,Y_1,X_2,Y_2,X_3,Y_3]\) generated by

*J* is actually a principal ideal generated by the polynomial \((X_2 - X_3)(X_1 - X_3)(X_1 - X_2)f_3\), where

*summation polynomial*, that is, the summation polynomial for three distinct points summing to zero.

*m*. This is the observation Semaev made in his seminal work [35]. In short, his proposal is to consider factor bases of the following form:
$$ \mathcal F=\{(x,y)\in E(\mathbb {F}_{p^n}):x\in V\}, $$
where *V* is a subset of \(\mathbb {F}_{p^n}\). Then, we solve PDP of *m*th order by solving the corresponding \((m+1)\)th summation polynomial \(f_{m+1}(X_1,\ldots ,X_m,\tilde{x})=0\), where \(\tilde{x}\) is the *x*-coordinate of the point to be decomposed.

Note that this factor base is naturally invariant under point negation. That is, \(P_i\in \mathcal F\) implies \(-P_i\in \mathcal F\). In this case, we have about \(|\mathcal F|/2\) (trivial) relations \(P_i+(-P_i)=\mathcal O\) for free, so we only need to find the other \(|\mathcal F|/2\) nontrivial relations. In general, we will only discuss factor bases that are invariant under point negation, so by abuse of language, both \(\mathcal F\) and \(\mathcal F\) modulo point negation may be referred to as a factor base in the rest of this section.
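The following is an added example and not code from the chapter. It spells out Semaev's third summation polynomial \(f_3\) for a short Weierstrass curve \(y^2=x^3+ax+b\) over a prime field, checks by brute force that \(f_3(x_1,x_2,x_3)=0\) exactly when points with those *x*-coordinates (up to sign) sum to \(\mathcal O\), and then solves a PDP of order 2 the way described above: find the *x*-coordinates from \(f_3(X_1,X_2,\tilde x)=0\) over the factor base and recover the signs with the group law. The toy curve \(y^2=x^3+2\) over \(\mathbb {F}_7\) and the factor base \(V=\{3,5\}\) are constructed for the example; the curve has odd group order, so the doubling case of \(f_3\) is never degenerate.

```python
# Added example (not from the chapter): Semaev's f_3 for y^2 = x^3 + a x + b over F_p,
# checked against the group law, plus a brute-force PDP of order 2 via f_3.
# Requires Python 3.8+ (pow(x, -1, p) for modular inverses).


def curve_points(a, b, p):
    """All affine F_p-rational points (x, y) of y^2 = x^3 + a x + b."""
    return [(x, y) for x in range(p) for y in range(p)
            if (y * y - (x ** 3 + a * x + b)) % p == 0]


def ec_neg(P, p):
    """Negation; None represents the point at infinity O."""
    return None if P is None else (P[0], (-P[1]) % p)


def ec_add(P, Q, a, p):
    """Chord-and-tangent addition on y^2 = x^3 + a x + b over F_p."""
    if P is None:
        return Q
    if Q is None:
        return P
    if P[0] == Q[0] and (P[1] + Q[1]) % p == 0:
        return None                                   # Q == -P
    if P == Q:
        lam = (3 * P[0] * P[0] + a) * pow(2 * P[1], -1, p) % p
    else:
        lam = (Q[1] - P[1]) * pow(Q[0] - P[0], -1, p) % p
    x3 = (lam * lam - P[0] - Q[0]) % p
    y3 = (lam * (P[0] - x3) - P[1]) % p
    return (x3, y3)


def semaev_f3(x1, x2, x3, a, b, p):
    """Semaev's third summation polynomial: zero iff points with these
    x-coordinates can be signed so that P1 + P2 + P3 = O."""
    return ((x1 - x2) ** 2 * x3 ** 2
            - 2 * ((x1 + x2) * (x1 * x2 + a) + 2 * b) * x3
            + (x1 * x2 - a) ** 2 - 4 * b * (x1 + x2)) % p


def x_triples_from_group_law(a, b, p):
    """Sorted x-coordinate triples of (P, Q, R) with P + Q + R = O and R != O."""
    pts = curve_points(a, b, p)
    out = set()
    for P in pts:
        for Q in pts:
            R = ec_neg(ec_add(P, Q, a, p), p)
            if R is not None:
                out.add(tuple(sorted((P[0], Q[0], R[0]))))
    return out


def x_triples_from_f3(a, b, p):
    """Sorted triples of rational x-coordinates on which f_3 vanishes."""
    xs = sorted({P[0] for P in curve_points(a, b, p)})
    return {(x1, x2, x3) for x1 in xs for x2 in xs for x3 in xs
            if x1 <= x2 <= x3 and semaev_f3(x1, x2, x3, a, b, p) == 0}


def decompose_order2(R, V, a, b, p):
    """PDP of order 2: all (P1, P2) with x(P1), x(P2) in V and P1 + P2 = R.
    f_3(X1, X2, x_R) = 0 is solved over V for the x-coordinates; since f_3 only
    sees x, the signs of the y-coordinates are fixed afterwards by the group law."""
    base = [P for P in curve_points(a, b, p) if P[0] in V]   # the factor base F
    sols = []
    for x1 in sorted(V):
        for x2 in sorted(V):
            if x1 <= x2 and semaev_f3(x1, x2, R[0], a, b, p) == 0:
                for P1 in base:
                    for P2 in base:
                        if P1[0] == x1 and P2[0] == x2 and ec_add(P1, P2, a, p) == R:
                            sols.append((P1, P2))
    return sols


if __name__ == "__main__":
    # Constructed toy curve y^2 = x^3 + 2 over F_7: 9 points, no 2-torsion.
    a, b, p = 0, 2, 7
    print(x_triples_from_f3(a, b, p) == x_triples_from_group_law(a, b, p))
    print(decompose_order2((6, 6), {3, 5}, a, b, p))
```

Over a prime field the restriction \(x\in V\) is only a brute-force filter; the point of the chapter's construction is that over \(\mathbb {F}_{p^n}\) the same equation \(f_{m+1}(X_1,\ldots ,X_m,\tilde x)=0\) becomes a polynomial system over \(\mathbb {F}_p\) after Weil restriction, which is what the Gröbner-basis experiments later in the section solve.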

#### 2.1.2.3 Weil Restriction

Restricting the *x*-coordinates of the points in a factor base to a subset of \(\mathbb {F}_{p^n}\) is important from the viewpoint of polynomial system solving. Take \(f_3\) as an example. When decomposing a random point \(aP+bQ\), we first substitute its *x*-coordinate into say \(X_3\), projecting the ideal onto \(\mathbb {F}_{p^n}[X_1,X_2]\). The dimension of the variety of this ideal is nonzero. Therefore, we would like to pose some restrictions on \(X_1\) and \(X_2\) to reduce the dimensions to zero so that the solving time can be more manageable.

When looking for solutions to a polynomial \(f=\sum a_iX^i\in \mathbb {F}_{p^n}[X]\) in \(\mathbb {F}_{p^n}\), we can view \(\mathbb {F}_{p^n}[X]\) as a commutative affine algebra \(\mathcal A=\mathbb {F}_{p^n}[X]/(X^{p^n} - X)\cong \mathbb {F}_{p^n}[X_1,\ldots ,X_n]/(X_1^p - X_1,\ldots ,X_n^p - X_n)\). This can be done by identifying the indeterminate *X* as \(X_1\theta _1+\cdots +X_n\theta _n\), where \((\theta _1,\ldots ,\theta _n)\) is a basis for \(\mathbb {F}_{p^n}\) over \(\mathbb {F}_p\). Hence, *f* can be identified as a polynomial \(f_1\theta _1+\cdots +f_n\theta _n\), where \(f_1,\ldots ,f_n\in \mathcal A'=\mathbb {F}_p[X_1,\ldots ,X_n]/(X_1^p - X_1,\ldots ,X_n^p - X_n)\), by appropriately sending each coefficient \(a_i\in \mathbb {F}_{p^n}\) to \(a_i^{(1)}\theta _1+\cdots +a_i^{(n)}\theta _n\) for \(a_i^{(1)},\ldots ,a_i^{(n)}\in \mathbb {F}_p\). Therefore, an equation \(f=0\) over \(\mathbb {F}_{p^n}\) will give rise to a system of equations \(f_1=\cdots =f_n=0\) over \(\mathbb {F}_p\). This technique is known as the *Weil restriction* and is used in the Gaudry–Diem attack, where the factor base is chosen to consist of points whose *x*-coordinates lie in a subspace *V* of \(\mathbb {F}_{p^n}\) over \(\mathbb {F}_p\) [25, 30].
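The following is an added example (not code from the chapter) of the Weil restriction just described, in the smallest case \(n=2\). It assumes \(\mathbb {F}_{p^2}=\mathbb {F}_p[\theta ]/(\theta ^2-r)\) with *r* a quadratic non-residue, i.e. the basis \((\theta _1,\theta _2)=(1,\theta )\), substitutes \(X=X_1+X_2\theta \) into a univariate \(f\in \mathbb {F}_{p^2}[X]\), splits the result into \(f_1+f_2\theta \), and verifies by enumeration that the roots of *f* in \(\mathbb {F}_{p^2}\) are exactly the common zeros of \(f_1=f_2=0\) over \(\mathbb {F}_p\). The instance \(p=7\), \(r=3\), and \(f=(X-(1+2\theta ))(X-(3+5\theta ))\) is constructed for the example.

```python
# Added example (not from the chapter): Weil restriction of f(X) = 0 over F_{p^2}
# to the system f_1 = f_2 = 0 over F_p, with F_{p^2} = F_p[theta]/(theta^2 - r).


def ext_add(u, v, p):
    """Addition in F_{p^2}; elements are pairs (c0, c1) meaning c0 + c1*theta."""
    return ((u[0] + v[0]) % p, (u[1] + v[1]) % p)


def ext_mul(u, v, p, r):
    """Multiplication in F_{p^2} using theta^2 = r."""
    return ((u[0] * v[0] + r * u[1] * v[1]) % p,
            (u[0] * v[1] + u[1] * v[0]) % p)


def poly_mul(P, Q, p, r):
    """Product of polynomials in X1, X2 with F_{p^2} coefficients, represented
    as {(e1, e2): (c0, c1)} for the monomial X1^e1 X2^e2."""
    out = {}
    for (a1, a2), c in P.items():
        for (b1, b2), d in Q.items():
            key = (a1 + b1, a2 + b2)
            out[key] = ext_add(out.get(key, (0, 0)), ext_mul(c, d, p, r), p)
    return {k: v for k, v in out.items() if v != (0, 0)}


def weil_restrict(f, p, r):
    """Substitute X = X1 + X2*theta into f(X) = sum_i f[i] X^i and split the
    result into f_1 + f_2*theta with f_1, f_2 in F_p[X1, X2] (dicts {(e1, e2): c})."""
    x_sub = {(1, 0): (1, 0), (0, 1): (0, 1)}        # X1 + X2*theta
    power = {(0, 0): (1, 0)}                        # (X1 + X2*theta)^0
    f1, f2 = {}, {}
    for coeff in f:                                 # coefficients a_i in F_{p^2}
        for mono, c in power.items():
            t = ext_mul(coeff, c, p, r)             # a_i * (coefficient of monomial)
            f1[mono] = (f1.get(mono, 0) + t[0]) % p # theta_1 = 1 component
            f2[mono] = (f2.get(mono, 0) + t[1]) % p # theta_2 = theta component
        power = poly_mul(power, x_sub, p, r)
    return ({k: v for k, v in f1.items() if v}, {k: v for k, v in f2.items() if v})


def eval_fp(g, x1, x2, p):
    """Evaluate g in F_p[X1, X2] at (x1, x2)."""
    return sum(c * pow(x1, e1, p) * pow(x2, e2, p) for (e1, e2), c in g.items()) % p


def eval_ext(f, x, p, r):
    """Horner evaluation of f(X) at x in F_{p^2}."""
    acc = (0, 0)
    for coeff in reversed(f):
        acc = ext_add(ext_mul(acc, x, p, r), coeff, p)
    return acc


def zeros_over_extension(f, p, r):
    """Roots x1 + x2*theta of f in F_{p^2}, as pairs (x1, x2)."""
    return {(x1, x2) for x1 in range(p) for x2 in range(p)
            if eval_ext(f, (x1, x2), p, r) == (0, 0)}


def common_zeros_over_prime_field(f1, f2, p):
    """Common solutions of the restricted system f_1 = f_2 = 0 over F_p."""
    return {(x1, x2) for x1 in range(p) for x2 in range(p)
            if eval_fp(f1, x1, x2, p) == 0 and eval_fp(f2, x1, x2, p) == 0}


if __name__ == "__main__":
    # Constructed instance: p = 7, theta^2 = 3 (3 is a non-residue mod 7), and
    # f(X) = (X - (1 + 2 theta)) (X - (3 + 5 theta)) = X^2 + 3 X + (5 + 4 theta).
    p, r = 7, 3
    f = [(5, 4), (3, 0), (1, 0)]
    f1, f2 = weil_restrict(f, p, r)
    print("f1 =", f1)
    print("f2 =", f2)
    print(zeros_over_extension(f, p, r) == common_zeros_over_prime_field(f1, f2, p))
```

For this instance the restriction gives \(f_1=X_1^2+3X_2^2+3X_1+5\) and \(f_2=2X_1X_2+3X_2+4\); one equation of degree 2 over \(\mathbb {F}_{49}\) has become two equations of degree 2 over \(\mathbb {F}_7\), which is the shape of system the Gaudry–Diem attack hands to a Gröbner-basis solver.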

#### 2.1.2.4 Exploiting Symmetry

Naturally, the symmetric group \(S_m\) acts on a point decomposition \(P_1+\cdots +P_m\) because elliptic curve groups are abelian. As noted by Gaudry in his seminal work [30], we can therefore rewrite the variables \(x_1,\ldots ,x_m\in \mathbb {F}_{p^n}\) in terms of the elementary symmetric polynomials \(e_1,\ldots ,e_m\), where \(e_1=\sum _i x_i\), \(e_2=\sum _{i<j}x_ix_j\), \(e_3=\sum _{i<j<k}x_ix_jx_k\), etc. Such rewriting reduces the degree of the summation polynomials and significantly speeds up point decomposition [27, 31].

*R* under the action of addition of a 2-torsion point \(T_2\):

Naturally, such speedup is curve-specific. Furthermore, even if the factor base is invariant under additional group actions, we may or may not be able to exploit such symmetry to speed up the point decomposition depending on whether the action is “easy to handle in the polynomial system solving process” [26].

#### 2.1.2.5 PDP on (Twisted) Edwards Curves

#### 2.1.2.6 Symmetry and Decomposition Probability

Symmetry brought by group action on point decomposition will inevitably be accompanied by a *decrease in decomposition probability*. For example, if a factor base \(\mathcal F\) is invariant under addition of a 2-torsion point, then the decomposition probability for PDP of the *m*th order should decrease by a factor of \(2^{m-1}\). This is due to the same reason that the decomposition probability decreases by a factor of *m*! because the symmetric group \(S_m\) acts on \(\mathcal F\).

However, this simple fact seems to have been largely ignored in the literature. For example, Faugère, Gaudry, Huot, and Renault explicitly stated in Sect. 5.3 of their study that “[the] probability to decompose a point [into a sum of *n* points from the factor base] is \(\frac{1}{n!}\)” for twisted Edwards or twisted Jacobi intersection curves, despite the fact that the factor base is invariant under the addition of 2-torsion points [26]. At first glance, this may not seem a problem, as we would expect to obtain \(2^{n-1}\) solutions whenever we successfully solve a PDP instance. (Unfortunately, this is also *not true* in general; we return to it in more detail in Sect. 2.1.5.3.) However, when estimating the cost of a complete ECDLP attack, they proposed to *collapse* these \(2^{n-1}\) relations into one to reduce the size of the factor base and thus the cost of the linear algebra, cf. Remark 5 of the paper. In this case, the decrease in decomposition probability *does* have an adverse effect, and their estimate of the overall ECDLP cost ended up being overoptimistic by a factor of at least \(2^{n-1}\).

### 2.1.3 Montgomery and Hessian Curves

#### 2.1.3.1 Montgomery Curves

*n*. Then

*y*-coordinates, leading to fast implementation.

#### 2.1.3.2 Summation Polynomials for Montgomery Curves

#### 2.1.3.3 Small Torsion Points on Montgomery Curves

To be able to exploit the symmetry of addition of \(T_2=(0,0)\), we need to choose the factor base \(\mathcal F=\{(x,y)\in E(\mathbb {F}_{p^n}):x\in V\subset \mathbb {F}_{p^n}\}\) to be invariant under addition of \(T_2\). This means that *V* needs to be closed under taking multiplicative inverses. In other words, *V* needs to be a *subfield* of \(\mathbb {F}_{p^n}\), i.e., \(V=\mathbb {F}_{p^\ell }\) for some integer \(\ell \) that divides *n*. In this case, \(f_m\) is invariant under the action \(x_i\mapsto 1/x_i\). Unfortunately, such an action is not linear and hence not easy to handle in polynomial system solving. How to take advantage of this kind of symmetry in PDP is still an open research problem.

#### 2.1.3.4 Hessian Curves

#### 2.1.3.5 Summation Polynomials for Hessian Curves

*Z* is in the variety of the ideal \(I\subset \mathbb {F}_{p^n}[X_1,Y_1,T_1,X_2,Y_2,T_2,X_3,Y_3,T_3]\) generated by

#### 2.1.3.6 Small Torsion Points on Hessian Curves

*x*, *y*) would give a point \((x',y')\), where

*x* and *y* cannot be zero at the same time, we have \(x^3-y^3=1-x^3=y^3-1\), or \(x^3=y^3=1\). Now because \(p^n\equiv 2\pmod 3\), \(\mathbb {F}_{p^n}\) does not have any primitive cubic roots of unity, so \(x=y=1\) and \(T_3=(1,1)\). By the addition formula, if \(P=(x,y)\), then

*V*. Therefore, again, typical factor bases are not invariant under addition of this 3-torsion point in general, and it is not clear how to exploit the symmetry brought by addition of small torsion points for Hessian curves.

### 2.1.4 Experiments on PDP Solving

This section shows the results of our experiments conducted to compare the computational complexity of PDP on four different curves: Hessian (*H*), Weierstrass (*W*), Montgomery (*M*), and twisted Edwards (*tE*).

#### 2.1.4.1 Experimental Setup

*did not* exploit symmetry of any other group actions. This is because we want to compare the *intrinsic* computational complexity of PDP and hence only consider the symmetry that is present in *all* curves. Exploiting further curve-specific symmetry whenever possible will result in a further speedup, but it would be independent of our findings here.

#### 2.1.4.2 Experimental Results

Figure 2.1 presents our experimental results for the case of \(n=5\). Here, we choose our factor base by taking *V* as the base field \(\mathbb {F}_p\) of \(\mathbb {F}_{p^n}\). All our experiments were performed using the Magma computer algebra system (version 2.23-1) on a single core of an Intel Xeon CPU E7-4830 v4 running at 2 GHz. Each PDP instance is compared by running time (in seconds), Dreg, Matcost, and Rank. The “Dreg” is the maximum step degree reached during the execution of the F4 algorithm, referred to as the “degree of regularity” in the literature [29]; it provides an upper bound for the sizes of the Macaulay submatrices involved in the computation. The “Matcost” is a number output by the Magma implementation of F4 that estimates the linear algebra cost during its execution. Finally, the “Rank” is the number of linearly independent relations obtained from one successfully solved PDP instance; it matters because it determines how many PDP instances must be solved to collect enough relations for a complete index-calculus attack on ECDLP. We can clearly see that the PDP solving time and Matcost for twisted Edwards curves are much smaller than those for the other curves. In contrast, the degrees of regularity for Montgomery and twisted Edwards curves are both smaller than those of the other curves in the case of \(m=4\). In addition, the rank for Hessian and Weierstrass curves is 1 in all cases, whereas for Montgomery and twisted Edwards curves it is 4 and 5 in the cases \(m=3\) and \(m=4\), respectively. Last but not least, although we only present results for small *p* (around 8 bits long), we also have preliminary results for larger *p* (around 16 and 32 bits long). Apart from slight differences in absolute running time, all other results such as Dreg, Matcost, and Rank are similar, so we do not repeat them here.

### 2.1.5 Analysis

#### 2.1.5.1 Revisit Summation Polynomial in Each Form

As we have seen in Sect. 2.1.4.2, PDP on (twisted) Edwards curves seems easier to solve than on other curves. The explanation offered by Faugère, Gaudry, Huot, and Renault is “due to the smaller degree appearing in the computation of Gröbner basis of \(\mathscr {S}_{D_n}\) in comparison with the Weierstrass case,” cf. Sect. 4.1.1 of their paper [26]. Unfortunately, this *cannot* explain the difference between (twisted) Edwards and Montgomery curves, as the highest degrees appearing in the computation of Gröbner bases are *the same* for these two curves. Therefore, there must be other reasons. We have found that the total number of terms for twisted Edwards curves is significantly lower than that for the other curves in all cases. Naturally, this could lead to faster solving time with the F4 algorithm. We also note that, except for the twisted Edwards curves, the summation polynomials before Weil restriction for the other curves are all 100% dense without any missing terms.

#### 2.1.5.2 Missing Terms of Summation Polynomials in (Twisted) Edwards Curves

In this section, we will show that the summation polynomials for (twisted) Edwards curves *mainly* have terms of *even* degrees. The set of terms of even degrees is closed under multiplication, so intuitively, such polynomials are easier to solve, which can be the main reason for the efficiency gain observed in the case of (twisted) Edwards curves.

We shall make this intuition precise in Theorem 2.1, but before we state the main result, we need to clarify our terminology for ease of exposition. When a multivariate polynomial is regarded as a univariate polynomial in one of its variables *T*, we say that the coefficient \(a_i\) of a term \(a_iT^i\) is an *even or odd-degree coefficient* depending on whether *i* is even or odd, respectively. Note that these coefficients are themselves multivariate polynomials in one fewer variable.

We say that a monomial \(m=\prod _{i=1}^n x_i^{e_i},e_i\ge 0\) in a multivariate polynomial in *n* variables is *of even degree* or simply an *even-degree monomial* if \(\sum _i e_i\) is even; that it is *of odd degree* or simply an *odd-degree monomial* otherwise. In contrast, a monomial is *of (homogeneous) even parity* if all \(e_i\) are even; it is *of (homogeneous) odd parity* if all \(e_i\) are odd. A monomial is *of homogeneous parity* if it is either of homogeneous even or odd parity. Note that the definition of monomials of odd parity depends on the total number of variables in the polynomial, which is not the case for monomials of even parity because we regard 0 as even. For example, the monomial \(x_1x_2\) is a monomial of odd parity in a polynomial in \(x_1\) and \(x_2\) but not so in another polynomial in \(x_1,\ldots ,x_n\) for \(n>2\).

By abuse of language, we say that a polynomial is *of even or odd parity* if it is a linear combination of monomials of even or odd parity, respectively; that a polynomial is *of homogeneous parity* if it is a linear combination of monomials of homogeneous parity. The set of polynomials of even parity is closed under polynomial addition and multiplication and hence forms a subring. In contrast, a polynomial *f* in \(x_1,\ldots ,x_n\) of odd parity must have the form \(\sum _i c_i\left( \prod _{j=1}^{n} x_j^{e_{ij}}\right) \), for \(e_{ij}\) odd. Therefore, if *f* is a polynomial of odd parity and *g*, a polynomial of even parity, then *fg* must be of odd parity.

### Theorem 2.1

Let \(\mathcal E\) be a family of elliptic curves such that its 3rd summation polynomial \(f_{\mathcal E,3}(X_1,X_2,X_3)\) is of degree 2 in each variable \(X_i\) and of homogeneous parity. Let \(g_{\mathcal E,m}\) be the polynomial corresponding to the PDP of *m*th order for \(\mathcal E\) as described in Sect. 2.1.2.2. That is, \(g_{\mathcal E,m}(X_1,\ldots ,X_m)=f_{\mathcal E,m+1}(X_1,\ldots ,X_m,x)\), where *x* is a constant depending on the point to be decomposed.

1. If *m* is even, then \(g_{\mathcal E,m}\) has no monomials of odd degrees.
2. If *m* is odd, then \(g_{\mathcal E,m}\) has some but not all monomials of odd degrees.

Among the four forms of elliptic curves that we investigated in this section, only the (twisted) Edwards form satisfies the premises of Theorem 2.1. As we have seen in Sect. 2.1.4, the PDP solving time for the (twisted) Edwards form is accordingly significantly shorter than that for the other forms.

We will prove Theorem 2.1 in the rest of this section, for which we will need the following lemmas.

### Lemma 2.1

Let \(f_1(T_1,\ldots ,T_r,T)=a_0 + a_1T + \cdots + a_mT^m\) and \(f_2(T_1,\ldots ,T_r,T)=b_0 + b_1T + \cdots + b_nT^n\) be two polynomials in \(r+1\) variables, where \(a_i\) and \(b_i\) are polynomials in \(T_1,\ldots ,T_r\). Let \(f(T_1,\ldots ,T_r)={{\,\mathrm{Res}\,}}_T(f_1,f_2)\) be the resultant of \(f_1\) and \(f_2\) regarded as two univariate polynomials in *T*. If both *m* and *n* are even, then every monomial of *f* is a product of an even number or none of the odd-degree coefficients of \(f_1\) and \(f_2\) and some or none of the even-degree coefficients of \(f_1\) and \(f_2\). Specifically, the odd-degree coefficients \(a_{2k+1}\) and \(b_{2k+1}\) of \(f_1\) and \(f_2\), respectively, appear in total an even number of times in each monomial of *f*.

### Proof

*S*:

Denote by \(s_{ij}\) the entry in the *i*th row and *j*th column of *S* for \(1\le i,j\le m+n\). Because both *m* and *n* are even, an even-degree coefficient \(a_{2k}\) or \(b_{2k}\) will appear in \(s_{ij}\) only where the sum of indices \(i+j\) is even. Similarly, an odd-degree coefficient \(a_{2k+1}\) or \(b_{2k+1}\) will appear in \(s_{ij}\) only where the sum of indices \(i+j\) is odd. Now recall that the determinant of *S* is defined as
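As an added illustration of the argument of this proof (not part of the original text), take \(m=n=2\), so that both \(f_1=a_2T^2+a_1T+a_0\) and \(f_2=b_2T^2+b_1T+b_0\) are quadratics. The Sylvester matrix and the resultant are

$$ S=\begin{pmatrix} a_2 & a_1 & a_0 & 0\\ 0 & a_2 & a_1 & a_0\\ b_2 & b_1 & b_0 & 0\\ 0 & b_2 & b_1 & b_0 \end{pmatrix},\qquad {{\,\mathrm{Res}\,}}_T(f_1,f_2)=\det S=(a_2b_0-a_0b_2)^2-(a_2b_1-a_1b_2)(a_1b_0-a_0b_1). $$

Expanding the right-hand side gives the monomials \(a_2^2b_0^2\), \(a_0a_2b_0b_2\), \(a_0^2b_2^2\), which contain no odd-degree coefficient, and \(a_1a_2b_0b_1\), \(a_0a_2b_1^2\), \(a_1^2b_0b_2\), \(a_0a_1b_1b_2\), each of which contains exactly two, as Lemma 2.1 predicts. The reason is visible in \(S\): the odd-degree coefficients \(a_1,b_1\) sit exactly at the positions \(s_{ij}\) with \(i+j\) odd, and every term \(\pm \prod _i s_{i\sigma (i)}\) of \(\det S\) satisfies \(\sum _i (i+\sigma (i))=2\sum _i i\), which is even, so it picks an even number of such positions.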

### Lemma 2.2

Let \(\mathcal E\) be a family of elliptic curves such that its 3rd summation polynomial \(f_{\mathcal E,3}(X_1,X_2,X_3)\) is of degree 2 in each variable \(X_i\) and of homogeneous parity. Then, any subsequent summation polynomial \(f_{\mathcal E,m}(X_1,\ldots ,X_m)\) for \(m>3\) is of homogeneous parity.

### Proof

*m*. Let \(f_{\mathcal E,m}(X_1,\ldots ,X_{m-1},X)=a_{2^{m-2}}X^{2^{m-2}}+\cdots +a_1X+a_0\) and \(f_{\mathcal E,3}(X_m,X_{m+1},X)=b_2X^2+b_1X+b_0\). By the premise that \(f_{\mathcal E,3}\) is of homogeneous parity, \(b_0\) and \(b_2\) must consist only of monomials (in \(X_m\) and \(X_{m+1}\)) of even parity. Furthermore, \(b_1=cX_mX_{m+1}\) for some constant *c*. This is because \(f_{\mathcal E,3}\) is of degree 2 in each variable, for which the only monomial of odd parity is \(X_mX_{m+1}X\).

*X*, we have the case of \(n=2\) in Eq. 2.3. Now \(X_{m+1}\) must come from \(b_1\), so we can conclude that

*k*as follows.

1. If *k* is even, then by Lemma 2.1, \(\beta _i\) and \(\gamma _i\) are both even or both odd in each summand. In either case, the product \(a_{\beta _i}a_{\gamma _i}\) is a polynomial in \(X_1,\ldots ,X_{m-1}\) of even parity. It follows that each summand is a polynomial of even parity because it is a product of polynomials of even parity. Hence, \(c_kX_{m+1}^k\) is a polynomial of even parity.
2. If *k* is odd, the situation is similar but slightly more complicated. By Lemma 2.1, exactly one of \(\beta _i\) and \(\gamma _i\) is odd in each summand, say \(\beta _i\). By the induction hypothesis, \(a_{\beta _i}\) is a polynomial in \(X_1,\ldots ,X_{m-1}\) of odd parity because it comes from \(a_{\beta _i} X^{\beta _i}\) in \(f_{\mathcal E,m}\). It follows that each summand is a polynomial of odd parity because it is a product of a polynomial of even parity \(a_{\gamma _i} b_0^{\delta _i} b_2^{\epsilon _i}\) and a polynomial of odd parity \(a_{\beta _i} X_m^kX_{m+1}^k\). Hence, \(c_kX_{m+1}^k\) is a polynomial of odd parity.

By Lemma 2.2, \(g_{\mathcal E,m}(X_1,\ldots ,X_m)=f_{\mathcal E,m+1}(X_1,\ldots ,X_m,x)\) is of homogeneous parity. Obviously, the monomials of even parity will remain of even degree after *x* is substituted. If *m* is even, then the monomials of odd parity in \(f_{\mathcal E,m+1}\) will become of even degree after *x* is substituted because an even number of odd numbers sum to an even number. Similarly, if *m* is odd, then the monomials of odd parity in \(f_{\mathcal E,m+1}\) will become of odd degree after *x* is substituted. However, those odd-degree monomials that are *not* of homogeneous parity, e.g., \(X_1^2X_2\), cannot appear in \(g_{\mathcal E,m}\) by Lemma 2.2. This completes the proof of Theorem 2.1.

#### 2.1.5.3 What Price for a Highly Symmetric Factor Base?

Last but not least, we discuss the price needed to pay to have a highly symmetric factor base \(\mathcal F\) that is invariant under more group actions in addition to that of the symmetric group \(S_m\). As previewed in Sect. 2.1.2.6, we would expect that the effect of the decrease in decomposition probability due to additional symmetry in \(\mathcal F\) could be offset by that of the increase in number of solutions. For example, let us reconsider the group action of addition of \(T_2\) in Sect. 2.1.2.4. If we could get \(2^{m-1}\) solutions, then the loss of the factor of \(2^{m-1}\) in decomposition probability would be compensated. This way everything would be the same as if there were no such symmetry, and we could exploit the additional symmetry at no cost.

*false*in general. Consider an example of \(m=4\). Let \(Q_i=P_i+ T_2\) for \(i=1,2,3,4\). We can write down all \(2^{m-1}=8\) possible ways of a point decomposition under this group action:

Finally, we note that we have not exploited any symmetry for Hessian curves in our experiments. However, the rank for Hessian curves is always 1 in all our experiments. This shows that the factor base we have chosen for Hessian curves is *not* invariant under addition of small torsion points, as the rank would be \(>1\) otherwise.

### 2.1.6 Concluding Remarks

In this section, we experimentally explored the index-calculus attack on ECDLP for curves in different forms, namely twisted Edwards, Montgomery, Hessian, and Weierstrass, under fair conditions, as the curves are isomorphic to each other over the same field of definition \(\mathbb {F}_{p^n}\), and showed that PDP solving on twisted Edwards curves is clearly faster than on the others. We investigated the summation polynomials of all forms in detail, found that big differences exist in the number of terms, and proved (Theorem 2.1) that the PDP polynomials of twisted Edwards curves contain no odd-degree monomials when *m* is even and only a restricted subset of them when *m* is odd. We argued that this difference accounts for the shorter solving time of the index-calculus attack on ECDLP over twisted Edwards curves.

## 2.2 Analysis on Ring-LWE over Decomposition Fields

### 2.2.1 Introduction

Cryptography based on the ring variant of learning with errors (Ring-LWE) [15, 16] is one of the most active research areas in cryptography. Ring-LWE has provided efficient and provably secure post-quantum cryptographic protocols, including homomorphic encryption (HE) schemes [4, 5, 9]. Improving the efficiency and security of both post-quantum cryptography and HE is strongly desirable. In fact, the standardization of post-quantum cryptography is being carried out by the National Institute of Standards and Technology. Moreover, HE schemes, which enable computation on encrypted data without decrypting it, have many applications in cloud computing.

Ring-LWE is characterized by two probability distributions, modulus parameters (integers), and number fields, as detailed in Sect. 2.2.2.4. Usually, cyclotomic fields are used as the underlying number fields to increase efficiency and security [17]. However, especially in the case of HE schemes, improving the efficiency of the encryption/decryption procedures and of the homomorphic arithmetic operations on encrypted data while ensuring security remains an important task.

To construct an HE scheme that can simultaneously encrypt many plaintexts efficiently, Arita and Handa proposed the use of a decomposition field, which is contained in a cyclotomic field of prime conductor, as the underlying number field for Ring-LWE [1]. (Sect. 2.2.3 presents the details of decomposition fields and of Arita and Handa’s idea.) Arita and Handa’s HE scheme, called the subring HE scheme, is IND-CPA secure (indistinguishable under chosen-plaintext attack) if the decision variant of Ring-LWE over decomposition fields is computationally infeasible. Arita and Handa’s experiments [1, Sect. 5] showed that the performance of the subring HE scheme is much better than that of the FV scheme based on Ring-LWE over \(\ell \)th cyclotomic fields with prime \(\ell \), as implemented in HElib [11].

As for the security of the subring HE scheme, Arita and Handa remarked that in the case of decomposition fields, some of the security properties of Ring-LWE in the case of cyclotomic fields are also satisfied. More concretely, there exists a quantum polynomial-time reduction from the approximate shortest vector problem on certain ideal lattices to Ring-LWE over decomposition fields, and the equivalence between the decision and search variants of Ring-LWE over decomposition fields is satisfied.

However, solving Ring-LWE is reduced to solving certain problems on lattices, such as the closest vector problem (CVP) and the shortest vector problem, and the difficulty of problems on lattices depends heavily on the structure and given bases of the underlying lattices. For example, if the shortest vector is much shorter than the second shortest vector in a certain lattice \(\mathcal{L}\), then the shortest vector problem for lattice \(\mathcal{L}\) would be easy. This means that the underlying number fields affect the difficulty of lattice problems arising in Ring-LWE. Hence, to ensure the security of the subring HE scheme, experimental or theoretical analyses of (lattice) attacks should be performed. However, [1] does not provide any such analysis.

In this study, we provide an experimental analysis of the security of Ring-LWE over decomposition fields. More precisely, we compare the security of Ring-LWE over decomposition fields with that of Ring-LWE over the \(\ell \)th cyclotomic fields for some prime numbers \(\ell \). In our experiments, we reduce search Ring-LWE to the (approximate) CVP on certain lattices in the same way as Bonnoron et al.’s analysis [3], because the target of their analysis is Ring-LWE optimized for HE. We use Babai’s nearest plane algorithm [2] and Kannan’s embedding technique [12] to solve the CVP. We then compare the running times, success rates, and root Hermite factors. (The root Hermite factor [10] is the usual measure of the quality of lattice attacks.) We also compare the experimental results of lattice attacks against Ring-LWE over various decomposition fields to find those fields that yield weak Ring-LWE instances.

Our experimental results indicate that the success rates and root Hermite factors for the decomposition fields are almost the same as those for the cyclotomic fields. However, the running time for decomposition fields is longer than that for cyclotomic fields, and the difference in running time increases as the rank of the lattices increases.

Since the running-time gap grows with the rank, and the ranks of the lattices in our experiments are much lower than those used in practice, we believe that Ring-LWE over decomposition fields is more secure against the above lattice attacks than Ring-LWE over cyclotomic fields. This means that smaller parameters suffice for Ring-LWE over decomposition fields than for Ring-LWE over cyclotomic fields when constructing HE schemes (or schemes of other types). As a result of our analysis, we therefore believe that Ring-LWE over decomposition fields can be used to construct more efficient HE schemes.

### 2.2.2 Preliminaries

In this section, we briefly review the notation for lattices, Galois theory, number fields, and Ring-LWE. Throughout this study, \(\mathbb {Z}\), \(\mathbb {Q}\), \(\mathbb {R}\), and \(\mathbb {C}\) denote the ring of (rational) integers, the field of rational numbers, the field of real numbers, and the field of complex numbers, respectively. For a positive integer \(m \in \mathbb {Z}\), we suppose that any element of \(\mathbb {Z}/m\mathbb {Z}\) is represented by an integer in the interval \(\left( -m/2, m/2 \right] \cap \mathbb {Z}\).

#### 2.2.2.1 Lattices

An *m*-dimensional lattice is a discrete additive subgroup of \(\mathbb {R}^m\). It is well known that for any lattice \(\mathcal{L}\subset \mathbb {R}^m\), there exist \(\mathbb {R}\)-linearly independent vectors \(\mathbf{b}_1, \ldots , \mathbf{b}_n \in \mathbb {R}^m\) such that \(\mathcal{L}=\sum _{1 \le i \le n} \mathbb {Z}\mathbf{b}_i := \{ \sum _{1 \le i \le n}a_i\mathbf{b}_i \mid a_i \in \mathbb {Z}\ \}\). In other words, for the matrix \(\mathbf{B}= \left( \mathbf{b}_1, \ldots , \mathbf{b}_n \right) \) whose *i*th column vector is \(\mathbf{b}_i\), we have \(\mathcal{L}= \{ \mathbf{B}\mathbf{x} \mid \mathbf{x} \in \mathbb {Z}^n \}\). Then, we say that \(\{ \mathbf{b}_1, \ldots , \mathbf{b}_n \}\) is a lattice basis of \(\mathcal{L}\), and \(\mathbf{B}\) is the basis matrix of \(\mathcal{L}\) with respect to \(\{ \mathbf{b}_1, \ldots , \mathbf{b}_n \}\). The value *n* is called the rank of \(\mathcal{L}\) and is denoted by \(\mathrm {rank}(\mathcal{L})\). A lattice has infinitely many bases: for any \(n \times n\) unimodular matrix \(\mathbf{U}\), the column vectors of \(\mathbf{B}\mathbf{U}\) also form a basis of \(\mathcal{L}\). An important invariant of \(\mathcal{L}\) is its determinant \(\det (\mathcal{L}) := \sqrt{\det \left( \mathbf{B}^t\mathbf{B} \right) }\), the square root of the Gram determinant of a basis; it does not depend on the choice of basis.

There are various computationally hard problems on lattices. Here, we explain the CVP, which is a well-known problem on lattices. Given a lattice \(\mathcal{L}\) and target vector \(\mathbf{t} \in \mathbb {R}^m \smallsetminus \mathcal{L}\), the CVP on \((\mathcal{L}, \mathbf{t})\) is the problem of finding a vector \(\mathbf{x} \in \mathcal{L}\) such that for all vectors \(\mathbf{y} \in \mathcal{L}\), we have \(\Vert \mathbf{t} - \mathbf{x} \Vert \le \Vert \mathbf{t} - \mathbf{y} \Vert \). For a real number \(\gamma > 1\), the approximate CVP on \((\mathcal{L}, \mathbf{t}, \gamma )\) is the problem of finding a vector \(\mathbf{x} \in \mathcal{L}\) such that for all vectors \(\mathbf{y} \in \mathcal{L}\), we have \(\Vert \mathbf{t} - \mathbf{x} \Vert \le \gamma \Vert \mathbf{t} - \mathbf{y} \Vert \). Babai’s nearest plane algorithm and Kannan’s embedding technique are basic algorithms for solving the approximate CVP. Almost all known problems on lattices that are useful for constructing cryptographic protocols become more difficult as the ranks of the underlying lattices increase, and the quality of the two algorithms mentioned earlier depends on ranks of input lattices.

Breaking some cryptographic protocols can be reduced to solving certain computational problems on lattices, including the (approximate) CVP [3, 8]. To solve such problems on lattices, we usually use lattice basis reduction algorithms, which transform a given basis of a lattice into a basis of the same lattice that consists of nearly orthogonal and relatively short vectors. In fact, an input of Babai’s nearest plane algorithm is an (LLL) reduced basis, and Kannan’s embedding technique outputs an appropriate vector from the reduced basis. In our experiments, to solve CVP using Babai’s nearest plane algorithm and Kannan’s embedding technique, we use the LLL algorithm [13] and BKZ algorithm [7, 19], which are well-known algorithms for computing such bases.

The quality of basis reduction algorithms is usually estimated by the root Hermite factor, which is defined as follows: Let \(\mathbf{b}\) be the shortest vector of a basis of a lattice \(\mathcal{L}\) with rank *n*, which has been reduced by a basis reduction algorithm \(\mathcal{A}\). Then, the root Hermite factor \(\delta _{\mathcal{A}, \mathcal{L}}\) is defined as a constant satisfying \( \delta ^n_{\mathcal{A}, \mathcal{L}} := \Vert \mathbf{b}\Vert /\det (\mathcal{L})^{1/n}. \) Better basis reduction algorithms provide smaller root Hermite factors.

#### 2.2.2.2 Galois Theory

To describe decomposition fields, we need to describe Galois theory.

Let *K* be a field and *L* an extension field of *K*; we denote this situation by *L*/*K*. The field *L* is a *K*-vector space, and the degree of extension of *L*/*K*, denoted by [*L* : *K*], is defined as the dimension of *L* as *K*-vector space. If *M* is a subfield of *L* containing *K* as a subfield, i.e., \(K \subset M \subset L\), then we call *M* an intermediate field of *L*/*K*. If *L*/*K* satisfies \([L:K] < \infty \), then *L*/*K* is called a finite extension of *K*. If *M* is an intermediate field of *L*/*K* with \([L:K] < \infty \), then we have \([L:K]=[L:M][M:K]\). If for any \(\alpha \in L\), there exists a nonzero polynomial \(f(x) \in K[x]\) such that \(f(\alpha ) = 0\), then *L*/*K* is called an algebraic extension of *K*. It is known that all finite extensions are algebraic extensions.

From now on, we suppose that *L*/*K* is a finite algebraic extension. For any \(\alpha \in L\), the minimal polynomial over *K* of \(\alpha \) is defined as the monic polynomial \(f(x) \in K[x]\) with the lowest degree of all polynomials in *K*[*x*] that vanish at \(\alpha \). We denote \(\mathrm {Irr}(\alpha , K)(x)\) as the minimal polynomial over *K* of \(\alpha \). Note that the minimal polynomial over *K* of \(\alpha \) coincides with the monic irreducible polynomial over *K* that vanishes at \(\alpha \). For a subset \(S \subset L\), we denote *K*(*S*) as the smallest subfield of *L* among subfields containing *K* and *S*. We call *K*(*S*) the field generated by *S* over *K*. If *L* is generated by one element \(\theta \in L\) over *K*, i.e., \(L = K(\theta )\), then we have an isomorphism \(L \cong K[x]/\left( \mathrm {Irr}(\theta , K)(x) \right) \) by \(\theta \mapsto x\) (mod. \(\left( \mathrm {Irr}(\theta , K)(x) \right) \)). This implies that \([K(\theta ):K] = \deg \mathrm {Irr}(\theta , K)\).

*L*/*K* is called a separable extension of *K*. If *L* contains all roots of \(\mathrm {Irr}(\alpha , K)(x)\) for any \(\alpha \in L\), then *L*/*K* is called a normal extension of *K*. If all algebraic extensions of *K*, including infinite algebraic extensions, are separable, then *K* is called a perfect field. It is known that fields with characteristic zero and any finite field are perfect, and that any finite separable extension field can be generated by one element. If *L*/*K* is a separable and normal extension of *K*, then *L*/*K* is called a Galois extension of *K*. Let \(\Omega \) be a sufficiently large field containing *K* such that any ring-homomorphism \(\phi \) from *L* fixing *K*, i.e., \(\phi (a) = a\) for any \(a \in K\), satisfies \(\phi (L) \subset \Omega \). We denote by \(\mathrm {Hom}_K(L, \Omega )\) the set of all ring-homomorphisms from *L* to \(\Omega \) fixing *K*.

Let *L*/*K* be separable with \([L:K] = n\) and \(L = K(\theta )\). Let \(\theta = \theta _1, \ldots , \theta _n\) be all roots of \(\mathrm {Irr}(\theta , K)(x)\). For any \(\sigma \in \mathrm {Hom}_K(L, \Omega )\), we have \(\sigma \left( \mathrm {Irr}(\theta , K)(\theta ) \right) = \mathrm {Irr}(\theta , K) (\sigma (\theta )) = 0\). This means that \(\sigma (\theta ) = \theta _i\) for some \(i = 1, \ldots , n\). This then implies \(\# \mathrm {Hom}_K(L, \Omega ) = n\). (Any \(\tau \in \mathrm {Hom}_K(L, \Omega )\) is completely determined by the image of \(\theta \) under \(\tau \) because \(\tau \) fixes *K*.)

Moreover, if *L*/*K* is normal, then \(\sigma \) induces an isomorphism \(L \cong L\). Note that \(L = K(\theta ) \cong K(\theta _i)\) for any \(i = 1, \ldots , n\) because these fields are isomorphic to \(K[X]/\left( \mathrm {Irr}(\theta , K) \right) \). Therefore, we may take *L* as \(\Omega \) and can write \(\mathrm {Aut}_K(L)=\mathrm {Hom}_K(L, \Omega )\).

Let *L*/*K* be a finite Galois extension of *K*. Then, we can write \(\mathrm {Gal}(L/K) = \mathrm {Aut}_K(L)\). For any subgroup \(H \subset \mathrm {Gal}(L/K)\) and an intermediate field *M* of *L*/*K*, we define \(L^H\), the fixed field of *H*, and \(G_M\), the set of elements of \(\mathrm {Gal}(L/K)\) fixing *M* pointwise. Then *L*/*M* is a Galois extension with \(\mathrm {Gal}(L/M) = G_M\). It is not difficult to see that \(L^H\) is an intermediate field of *L*/*K* and that \(G_M\) is a subgroup of \(\mathrm {Gal}(L/K)\). We can define two maps with respect to *L*/*K*. One is a map \(\Phi \) from \(A := \{ M \subset L \mid M \text{ is an intermediate field of } L/K \}\) to \(B := \{ H \subset \mathrm {Gal}(L/K) \mid H \text{ is a subgroup of } \mathrm {Gal}(L/K) \}\) by \(M \mapsto G_M\). The other is a map \(\Psi \) from *B* to *A* by \(H \mapsto L^H\). The fundamental theorem of Galois theory is as follows:

### Theorem 2.2

Let *L*/*K*, *A*, *B*, \(\Phi \), and \(\Psi \) be as above. Then, the following statements are true:

- (1) There is a one-to-one correspondence between *A* and *B*. More precisely, \(\Phi \) and \(\Psi \) are inverse maps of each other.
- (2) If \(M_1\) and \(M_2\) are intermediate fields of *L*/*K* with \(M_1 \subset M_2\), then we have \(\Phi (M_2) \subset \Phi (M_1)\). Similarly, if \(H_1\) and \(H_2\) are subgroups of \(\mathrm {Gal}(L/K)\) with \(H_1 \subset H_2\), then we have \(\Psi (H_2) \subset \Psi (H_1)\).
- (3) Let \(M_1\), \(M_2\), \(H_1\) and \(H_2\) be as in (2). Then, we have \((H_2:H_1) = \#H_2/\#H_1 = [\Psi (H_1) : \Psi (H_2)]\) and \([M_2:M_1] = (\Phi (M_1) : \Phi (M_2))\).
- (4) An intermediate field *M* of *L*/*K* is a Galois extension of *K* if and only if \(G_M = \Phi (M)\) is a normal subgroup of \(\mathrm {Gal}(L/K)\). Moreover, if \(G_M = \mathrm {Gal}(L/M)\) is a normal subgroup of \(\mathrm {Gal}(L/K)\), then we have $$ \mathrm {Gal}(L/K)/\mathrm {Gal}(L/M) \cong \mathrm {Gal}(M/K). $$ In particular, if \(\mathrm {Gal}(L/K)\) is an abelian group, then all intermediate fields of *L*/*K* are Galois extensions of *K*.

For a proof of Theorem 2.2, see [18] for example. (It is easy to prove (2) of Theorem 2.2 from the definitions of \(\Phi \) and \(\Psi \).)

#### 2.2.2.3 Number Fields

To describe Ring-LWE and decomposition fields, which play central roles in this paper, we need some notations from algebraic number theory.

An (algebraic) number field is a finite extension field of \(\mathbb {Q}\). Let *K* be a number field with extension degree \([ K : \mathbb {Q}] = n\). An element \(a \in K\) is called an algebraic integer if there exists a monic polynomial \(f \in \mathbb {Z}[x]\) such that \(f(a) = 0\). The ring of integers \(O_K\) of *K* is defined as a subring of *K* consisting of all algebraic integers of *K*. The ring \(O_K\) has an integral basis (\(\mathbb {Z}\)-basis) \(\{ u_1, \ldots , u_n \}\), i.e., for any element \(u \in O_K\), there exist integers \(a_1, \ldots , a_n\) such that *u* is uniquely written as \(u = \sum _{1\le i \le n}a_iu_i\). It is well known that any (integral) ideal *I* of \(O_K\) is uniquely factored into products of some prime ideals, i.e., there exist prime ideals \(\mathcal{P}_1, \ldots , \mathcal{P}_m\) satisfying \(I = \mathcal{P}_1^{e_1} \cdots \mathcal{P}_m^{e_m}\) for \(e_i \ge 1\). If \(I = pO_K\) for a prime number *p* and *K* is a Galois extension of \(\mathbb {Q}\), then we have \(O_K/\mathcal{P}_i = \mathbb {F}_{p^{d}}\) for some \(d \in \mathbb {N}\) and all \(e_i\)’s are mutually equal. Moreover, we have \(m e d = n\), where \(e := e_i\), and if all \(e_i\)’s are equal to 1 (resp. all \(e_i\)’s and *d* are equal to 1), then we say that *p* is unramified (resp. splits completely) in *K*. Any prime ideal of \(O_K\) is a maximal ideal in \(O_K\), and thus we have \(\mathcal{P}_i + \mathcal{P}_j = O_K\) for any \(i \ne j\). This induces an isomorphism of rings \( O_K/\mathcal{P}_1 \cdots \mathcal{P}_m \cong O_K/\mathcal{P}_1 \times \cdots \times O_K/\mathcal{P}_m \).

#### 2.2.2.4 Ring-LWE Problem

Let *K* and \(O_K\) be as above. Let \(\chi _{\mathrm {secret}}\) and \(\chi _{\mathrm {error}}\) be probabilistic distributions on \(O_K\) and let *p* be an integer. We denote by \(O_{K, p}\) the residue ring \(O_K/pO_K\). For a probabilistic distribution \(\chi \) on a set *X*, we write \(a \leftarrow \chi \) when \(a \in X\) is chosen according to \(\chi \). We denote *U*(*X*) as the uniform distribution on *X*. The Ring-LWE distribution on \(O_{K,p}\), denoted by \(\mathrm {RLWE}_{K, p, \chi _{\mathrm {error}}, \chi _{\mathrm {sec}}}\), is defined as a probabilistic distribution that takes elements of the form \((a, as + e)\) with \(a \leftarrow U(O_{K, p})\), \(s \leftarrow \chi _{\mathrm {secret}}\), and with \(e \leftarrow \chi _{\mathrm {error}}\). The Ring-LWE problem has two variants. One is the problem of distinguishing \(\mathrm {RLWE}_{K, p, \chi _{\mathrm {error}}, \chi _{\mathrm {sec}}}\) from \(U(O_{K, p} \times O_{K, p})\), which is called the decision Ring-LWE problem. The other is a problem of finding \(s \in O_{K, p}\), given arbitrarily many samples \((a_i, a_is + e_i) \in O_{K, p} \times O_{K, p}\) chosen according to \(\mathrm {RLWE}_{K, p, \chi _{\mathrm {error}}, \chi _{\mathrm {sec}}}\), which is called the search Ring-LWE problem.

The Ring-LWE problem is expected to be computationally difficult even with quantum computers. It is proved that the decision Ring-LWE problem is equivalent to the search problem if *K* is a cyclotomic field and if *p* is a prime number and (almost) splits completely in *K* [16]. In addition, this equivalence is generalized to the cases where \(K/\mathbb {Q}\) is a Galois extension and where *p* is unramified in *K* [6]. Moreover, there is a quantum polynomial-time reduction from the search Ring-LWE to the shortest vector problem on certain ideal lattices.

### 2.2.3 Ring-LWE over Cyclotomic and Decomposition Fields

In this section, we describe why Arita and Handa proposed the use of decomposition fields as the underlying number fields of Ring-LWE to construct efficient HE schemes.

#### 2.2.3.1 Cyclotomic Fields and Decomposition Fields

First, we briefly review cyclotomic fields. For a positive integer *m*, let \(\zeta _m \in \mathbb {C}\) be a primitive *m*th root of unity and \(n = \varphi (m)\), where \(\varphi (\cdot )\) denotes Euler’s totient function. Then, \(K := \mathbb {Q}\left( \zeta _m \right) \) is called the *m*th cyclotomic field. The ring of integers of *K* coincides with \(R := \mathbb {Z}[\zeta _m]\). Any prime number *p* that does not divide *m* is unramified in *K*, and if \(p \equiv 1\) (mod. *m*), then *p* splits completely in *K*. Here, \(K/\mathbb {Q}\) is a Galois extension of degree \([K : \mathbb {Q}] = n\), and its Galois group \(\mathrm {Gal}(K/\mathbb {Q})\) is isomorphic to \(\left( \mathbb {Z}/m\mathbb {Z}\right) ^{*}\).

Next, we describe the decomposition fields of number fields. Let *L* be a number field, and suppose that \(L/\mathbb {Q}\) is a Galois extension and that its Galois group \(G := \mathrm {Gal}(L/\mathbb {Q})\) is a cyclic group. Let *p* be a prime number that is unramified in *L* and satisfies \(pO_L = \mathcal{P}_1 \cdots \mathcal{P}_g\), where the \(\mathcal{P}_i\)’s are the prime ideals of \(O_L\). Let \(G_Z\) be the subgroup of *G* that consists of all elements \(\rho \) fixing all \(\mathcal{P}_i\), i.e., \(\rho (\mathcal{P}_i) = \mathcal{P}_i\) for \(1\le i \le g\), and let *Z* be the fixed field of \(G_Z\). Then, we call *Z* the decomposition field with respect to *p*. The field *Z* is a number field and the ring of integers of *Z* is \(O_Z = O_L \cap Z\). Put \(\mathrm {p}_i := O_Z \cap \mathcal{P}_i\). Then, we have \(pO_Z = \mathrm {p}_1 \cdots \mathrm {p}_g\). A generator \(\sigma \) of \(G_Z\) acts on \(O_L/\mathcal{P}_i \cong \mathbb {F}_{p^d}\) as the *p*th Frobenius map, i.e., \(\sigma (x) \equiv x^p\) (mod. \(\mathcal{P}_i\)) for all \(x \in O_L\) and for \(1 \le i \le g\). Therefore, we have \(O_Z/\mathrm {p}_i \cong \mathbb {F}_p\) and \([Z : \mathbb {Q}] = g\), i.e., *p* splits completely in *Z*.

#### 2.2.3.2 Cyclotomic Fields Versus Decomposition Fields

Let *K*, *L*, and *Z* be as above and *p* be a prime number that is unramified in *K* and splits completely in *Z*. Assume that *L* is the \(\ell \)th cyclotomic field with a prime number \(\ell \). As we mentioned in Sect. 2.2.1, cyclotomic fields are usually used as the underlying number fields of Ring-LWE. From the viewpoint of the efficiency of Ring-LWE based schemes, there are good \(\mathbb {Z}\)-bases of the rings of integers of *K* and *Z* [1, 17]. As for the security of the Ring-LWE, in the cases of *K* and *Z*, both the equivalence and the reduction mentioned in Sect. 2.2.2.4 are satisfied because both \(K/\mathbb {Q}\) and \(Z/\mathbb {Q}\) are Galois extensions.

The main difference between *K* and *Z* is the algebraic structures of their rings of integers modulo *p*. Because *p* is unramified in *K*, we have \(O_{K, p} \cong O_K/\mathcal{P}_1 \times \cdots \times O_K/\mathcal{P}_k\) and \(O_K/\mathcal{P}_i \cong \mathbb {F}_{p^d}\) for \(1 \le i \le k\) and for \(d > 1\), where the \(\mathcal{P}_i\)’s are prime ideals in \(O_K\) lying over *p*, i.e., \(pO_K = \mathcal{P}_1 \cdots \mathcal{P}_k\). The FV scheme [9], which is an HE scheme based on Ring-LWE, uses \(O_{K, p}\) as its plaintext space, and thus, the FV scheme (or any HE scheme with the same plaintext space) can encrypt and execute several additions of \(dk = n = [K : \mathbb {Q}]\) plaintexts in \(\mathbb {F}_p\) simultaneously. However, the FV scheme cannot execute the multiplication of the same number of plaintexts in \(\mathbb {F}_p\) simultaneously. To execute the multiplication of plaintexts in \(\mathbb {F}_p\), we can only use \(\mathbb {F}_p \times \cdots \times \mathbb {F}_p\) (the direct product of *k* finite fields) as the plaintext space.

In contrast, because *p* splits completely in *Z*, we have \(O_{Z, p} \cong O_Z/\mathrm {p}_1 \times \cdots \times O_Z/\mathrm {p}_g\) and \(O_Z/\mathrm {p}_i \cong \mathbb {F}_p\) for any \(1 \le i \le g\), where the \(\mathrm {p}_i\)’s are prime ideals in \(O_Z\) lying over *p*. This means that one can encrypt \(g = [Z : \mathbb {Q}]\) plaintexts simultaneously. Moreover, one can execute additions and multiplications of the same number of plaintexts in \(\mathbb {F}_p\) simultaneously. Because the extension degrees *g* and *n* are directly related to the ranks of the lattices occurring in known lattice attacks, we should set \(g \approx n\) to compare the security of Ring-LWE over these fields. Therefore, the HE scheme over *Z* can encrypt and operate *d* times as many plaintexts as the FV scheme over *K* simultaneously.
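The slot count above is decided entirely by the multiplicative order *d* of *p* modulo \(\ell \): the \(\ell \)th cyclotomic field offers \(g = (\ell - 1)/d\) copies of \(\mathbb {F}_{p^d}\), its decomposition field *g* copies of \(\mathbb {F}_p\), and pairing an \(\ell \)th cyclotomic field of degree *n* with a decomposition field of degree \(g \approx n\) (as the parameters in Sect. 2.2.4.2 do) multiplies the number of \(\mathbb {F}_p\) plaintexts usable under multiplication by *d*. The following Python is an added example, not code from the chapter: it computes *d* and *g* for prime \(\ell \), reports the slot counts for *K* and *Z*, and searches for primes \(\ell \) giving a prescribed *g*; the trial-division primality test is my own helper.

```python
def is_prime(n):
    """Trial division, adequate for the sizes of ell considered here (a few tens of thousands)."""
    if n < 2:
        return False
    return all(n % d for d in range(2, int(n ** 0.5) + 1))

def multiplicative_order(p, ell):
    """Order d of p in (Z/ell Z)^*: the residue degree, O_L/P_i = F_{p^d}, of the primes above p in L = Q(zeta_ell)."""
    assert is_prime(ell) and p % ell != 0, "ell must be a prime different from p"
    d, x = 1, p % ell
    while x != 1:
        x, d = (x * p) % ell, d + 1
    return d

def splitting_data(ell, p):
    """(d, g) with p O_L = P_1 ... P_g, d g = ell - 1, and g = [Z : Q] for the decomposition field Z of L."""
    d = multiplicative_order(p, ell)
    return d, (ell - 1) // d

def slot_counts(ell, p):
    """Plaintext slots of O/pO: L = Q(zeta_ell) gives g copies of F_{p^d}, i.e. d*g coefficients in F_p that
    can be added but only g that can be multiplied in parallel; its decomposition field Z gives g copies of F_p."""
    d, g = splitting_data(ell, p)
    return {"n": ell - 1, "d": d, "L_add_slots": d * g, "L_mult_slots": g, "Z_degree": g, "Z_mult_slots": g}

def decomposition_primes(g, p, bound):
    """Primes ell < bound whose decomposition field with respect to p has degree exactly g (so ell = 1 mod g)."""
    return [ell for ell in range(g + 1, bound, g)
            if is_prime(ell) and ell != p and splitting_data(ell, p)[1] == g]

def compare_pair(ell_K, ell_Z, p):
    """K = Q(zeta_{ell_K}) of degree n versus the decomposition field Z of Q(zeta_{ell_Z}) of degree g,
    paired as in the chapter with g close to n; 'gain' is how many times more F_p plaintexts Z multiplies at once."""
    K, Z = slot_counts(ell_K, p), slot_counts(ell_Z, p)
    return {"n": K["n"], "g": Z["Z_degree"], "K_mult_slots": K["L_mult_slots"],
            "Z_mult_slots": Z["Z_mult_slots"], "gain": Z["Z_mult_slots"] // K["L_mult_slots"]}

if __name__ == "__main__":
    # p = 2 throughout, as in the chapter's experiments
    for ell_K, ell_Z in [(59, 16183), (73, 2089), (83, 4051)]:
        print(ell_K, ell_Z, compare_pair(ell_K, ell_Z, 2))
    print("primes ell with g = 58 for p = 2 below 20000:", decomposition_primes(58, 2, 20000))
```

For \(p = 2\) the 59th cyclotomic field has a single \(\mathbb {F}_2\) slot (\(d = 58\)), while the decomposition field of the 16183rd cyclotomic field, also of degree 58, has 58 of them.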

### Remark 2.1

1. If \(p \equiv 1\) (mod. *m*), then *p* splits completely in *K* (recall that *K* is the *m*th cyclotomic field), and then there is no advantage to using decomposition fields. However, for some cryptographic applications, we want to use a small *p*, e.g., \(p = 2\) [1]. Moreover, to avoid lattice attacks, the extension degree \([K : \mathbb {Q}]\) must be large, as we discussed above. Thus, we cannot expect \(p \equiv 1\) (mod. *m*) for practical parameters in some applications.
2. By the Hensel lifting technique, for \(r > 1\) and \(q := p^r\), we have \(O_{Z, q} \cong \mathbb {Z}/q\mathbb {Z}\times \cdots \times \mathbb {Z}/q\mathbb {Z}\).

### 2.2.4 Our Experimental Analysis

In this section, we present our experimental results on lattice attacks against Ring-LWE over decomposition fields and cyclotomic fields. First, we explain lattice attacks in our experiments.

#### 2.2.4.1 Lattice Attack in Our Experiments

In our experiments, we reduce the search Ring-LWE to a CVP (or approximate CVP) in the same way as Bonnoron et al.’s analysis [3] because the target of Bonnoron et al.’s analysis is Ring-LWE optimized for HE. We describe this approach briefly in the case of decomposition fields. Let \(O_Z\) and *p* be as in Sect. 2.2.3.1. Set \(q := p^r\) for \(r>1\). Let \(\{ \mu _1, \ldots , \mu _g \}\) be a \(\mathbb {Z}\)-basis of \(O_Z\), which is a good basis, as shown in [1, Lemma 3]. We sample vectors \(\mathbf{a} = (a_1, \ldots , a_g)\), \(\mathbf{s} = (s_1, \ldots , s_g)\) and \(\mathbf{e} = (e_1, \ldots , e_g)\) from \(U(\mathbb {Z}^g)\), \(D_{\mathbb {Z}^g, \sigma _{\mathrm {s}}}\), and \(D_{\mathbb {Z}^g, \sigma _{\mathrm {e}}}\), respectively, where \(D_{\mathbb {Z}^g, \sigma }\) denotes the discrete Gaussian distribution with mean 0 and variance \(\sigma ^2\).

We put \(a := \sum _{1 \le i \le g}a_i\mu _i\), \(s := \sum _{1 \le i \le g}s_i\mu _i\), \(e := \sum _{1 \le i \le g}e_i\mu _i\), and \(b := as + e = \sum _{1 \le i \le g}b_i\mu _i\) (mod. *q*). Then, (*a*, *b*) is a Ring-LWE instance over *Z*. Note that to use Ring-LWE to construct HE schemes, the values \(\sigma _{\mathrm {s}}\) and \(\sigma _{\mathrm {e}}\) should be sufficiently small because the \(\ell _{\infty }\)-norm \(\Vert \mathbf{s} \Vert _{\infty }\) directly affects the growth of noise after multiplication. In our experiments, we set \(\sigma _{\mathrm {s}} = 1\) and \(\sigma _{\mathrm {e}}^{2} = 8\) according to [14]. By comparing all coefficients of both sides, we get \(\mathbf{A}\mathbf{s} + \mathbf{e} = (b_1, \ldots , b_g)^t = \mathbf{b}\), where \(\mathbf{A}\) is a matrix. (For any vector \(\mathbf{v}\), \(\mathbf{v}^t\) means its transpose.) If we set \(\mathbf{A'}\) as \(\left( \mathbf{A} \ \ \mathbf{I} \right) \), then we have \(\mathbf{A'}(\mathbf{s} \ \ \mathbf{e} )^{t} = \mathbf{b}\) (mod. *q*), where \(\mathbf{I}\) denotes the \(g \times g\) identity matrix. From the choice of the \(s_i\)’s and \(e_i\)’s, our target vector \((\mathbf{s} \ \ \mathbf{e} )^{t}\) is a very short vector from among all solutions to \(\mathbf{A'}\mathbf{y} = \mathbf{b}\), and thus, we can expect that our target vector can be found by solving the (approximate) CVP on the lattice \(\mathcal{L}= \{ \mathbf{x} \in \mathbb {Z}^{2g} \mid \mathbf{A'x} = \mathbf{0} \text{(mod. } q\text{) } \}\) and on \(\mathbf{w} := (\mathbf{0} \ \ \mathbf{b} )^{t}\), which is a solution to \(\mathbf{A'y} = \mathbf{b}\).
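As an added, self-contained example (not code from the chapter, whose experiments used SageMath and Magma), the following Python carries out this reduction with the tools of Sect. 2.2.2.1: it builds a toy Ring-LWE instance over the \(\ell \)th cyclotomic field on the power basis of Remark 2.2, forms the lattice \(\mathcal{L}\) and the vector \(\mathbf{w} = (\mathbf{0} \ \ \mathbf{b})^t\), runs textbook LLL followed by Babai's nearest plane algorithm, and reports the root Hermite factor of the reduced basis. It assumes \(\ell = 7\), \(q = 2^{20}\) and discrete Gaussians approximated by rounding continuous ones; these tiny parameters (rank 12 rather than the ranks in Sect. 2.2.4.2) exist only to keep exact rational arithmetic fast, and Kannan's embedding technique is not implemented.

```python
import math
import random
from fractions import Fraction

def dot(u, v):
    return sum(Fraction(x) * y for x, y in zip(u, v))

def gram_schmidt(B):
    """Gram-Schmidt vectors B* and coefficients mu (exact rationals) for the rows of B."""
    n = len(B)
    Bs, mu = [], [[Fraction(int(i == j)) for j in range(n)] for i in range(n)]
    for i in range(n):
        v = [Fraction(x) for x in B[i]]
        for j in range(i):
            mu[i][j] = dot(B[i], Bs[j]) / dot(Bs[j], Bs[j])
            v = [x - mu[i][j] * y for x, y in zip(v, Bs[j])]
        Bs.append(v)
    return Bs, mu

def lll(B, delta=Fraction(99, 100)):
    """Textbook LLL reduction of the integer row basis B (Gram-Schmidt recomputed after each swap)."""
    B, n = [list(row) for row in B], len(B)
    Bs, mu = gram_schmidt(B)
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):                      # size-reduce b_k against b_j
            r = round(mu[k][j])
            if r:
                B[k] = [x - r * y for x, y in zip(B[k], B[j])]
                for i in range(j + 1):                      # B* is unchanged, only mu[k][.] moves
                    mu[k][i] -= r * mu[j][i]
        if dot(Bs[k], Bs[k]) >= (delta - mu[k][k - 1] ** 2) * dot(Bs[k - 1], Bs[k - 1]):
            k += 1                                          # Lovasz condition holds
        else:
            B[k], B[k - 1] = B[k - 1], B[k]
            Bs, mu = gram_schmidt(B)
            k = max(k - 1, 1)
    return B

def babai_nearest_plane(B, t):
    """Babai's nearest plane algorithm: a lattice vector (integer combination of the rows of B) close to t."""
    Bs, _ = gram_schmidt(B)
    v = [Fraction(x) for x in t]
    for i in range(len(B) - 1, -1, -1):
        c = round(dot(v, Bs[i]) / dot(Bs[i], Bs[i]))
        v = [x - c * y for x, y in zip(v, B[i])]
    return [int(x - y) for x, y in zip(t, v)]               # t minus the residual

def root_hermite_factor(B):
    """delta with delta^n = ||b|| / det(L)^(1/n), b the shortest vector of the reduced basis B."""
    Bs, n = gram_schmidt(B)[0], len(B)
    log_det = sum(math.log(float(dot(v, v))) for v in Bs) / 2   # det(L) = product of ||b_i*||
    log_short = min(math.log(float(dot(v, v))) for v in B) / 2
    return math.exp((log_short - log_det / n) / n)

def mul_mod_cyclotomic(f, g, ell):
    """Product in Z[x]/(Phi_ell(x)), ell prime, on the power basis 1, x, ..., x^(ell-2) of Remark 2.2."""
    n, acc = ell - 1, [0] * ell
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            acc[(i + j) % ell] += fi * gj                   # x^ell = 1
    return [acc[k] - acc[n] for k in range(n)]              # x^(ell-1) = -(1 + x + ... + x^(ell-2))

def mult_matrix(a, ell):
    """Matrix A with A s = coefficient vector of a*s; column j holds the coefficients of a*x^j."""
    n = ell - 1
    cols = [mul_mod_cyclotomic(a, [int(i == j) for i in range(n)], ell) for j in range(n)]
    return [[cols[j][i] for j in range(n)] for i in range(n)]

def rlwe_kernel_lattice(A, q):
    """Row basis of L = {(s, e) in Z^(2n) : A s + e = 0 (mod q)}, i.e. A'(s e)^t = 0 with A' = (A | I)."""
    n = len(A)
    rows = [[int(i == j) for i in range(n)] + [-A[i][j] for i in range(n)] for j in range(n)]
    return rows + [[0] * n + [q * int(i == j) for i in range(n)] for j in range(n)]

def recover_secret(a, b, ell, q):
    """Solve the CVP instance (L, w) of Sect. 2.2.4.1 with LLL + Babai; returns (s, e, root Hermite factor)."""
    n = ell - 1
    B = lll(rlwe_kernel_lattice(mult_matrix(a, ell), q))
    w = [0] * n + list(b)                                   # w = (0 b)^t solves A' y = b (mod q)
    x = babai_nearest_plane(B, w)                           # lattice point near w
    y = [wi - xi for wi, xi in zip(w, x)]                   # short solution, expected to be (s, e)
    return y[:n], y[n:], root_hermite_factor(B)

def demo(ell=7, r=20, seed=1):
    """Constructed toy instance: sigma_s = 1 and sigma_e^2 = 8 as in the chapter, Gaussians approximated by rounding."""
    rng, n, q = random.Random(seed), ell - 1, 2 ** r
    a = [rng.randrange(q) for _ in range(n)]
    s = [round(rng.gauss(0, 1)) for _ in range(n)]
    e = [round(rng.gauss(0, math.sqrt(8))) for _ in range(n)]
    b = [(c + ei) % q for c, ei in zip(mul_mod_cyclotomic(a, s, ell), e)]
    s_rec, e_rec, delta = recover_secret(a, b, ell, q)
    return (s_rec == s and e_rec == e), delta

if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(True, delta)` when the recovered \((\mathbf{s}, \mathbf{e})\) equals the sampled one; at rank 12 the root Hermite factor can fall below 1, since the Gaussian heuristic places \(\lambda _1\) below \(\det (\mathcal{L})^{1/n}\) in such small dimensions.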

### Remark 2.2

In the case of \(\ell \)th cyclotomic fields with prime numbers \(\ell \), we use \(\{ 1, \zeta _{\ell }, \ldots , \zeta ^{\ell -2}_{\ell } \}\) as a \(\mathbb {Z}\)-basis, which is also a good basis [17].

### Remark 2.3

For \(1 \le r' < r\) and \(q' := p^{r'}\), we can obtain samples of \(\mathrm {RLWE}_{K, q', \chi _{\mathrm {error}}, \chi _{\mathrm {sec}}}\) from samples of \(\mathrm {RLWE}_{K, q, \chi _{\mathrm {error}}, \chi _{\mathrm {sec}}}\) by a natural projection \(O_{Z, q} \rightarrow O_{Z, q'}\) by \(a \mapsto a\) (mod. \(q'\)). In our experiments, we use a small \(r'\) to reduce running times. In our experimental results, we only show \(r'\).

#### 2.2.4.2 Experimental Results

We used a computer with 2.00 GHz CPUs (Intel(R) Xeon(R) CPU E7-4830 v4 (2.00GHz)x111) and 3 TB memory to conduct the experiments. The OS was Ubuntu 16.04.4. We implemented the code for sampling Ring-LWE instances in SageMath version 7.5.1. We also used Magma V2.23-1 to execute lattice attacks. We took 100 samples and performed lattice attacks on them.

Table 2.1 Experimental results on Babai’s nearest plane algorithm for \(p = 2\)

| \(\ell \) | 59 | 16183 | 73 | 2089 | 83 | 4051 | 131 | 5419 | 173 | 14449 | 227 | 9719 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| \(g\) | − | 58 | − | 72 | − | 81 | − | 129 | − | 172 | − | 226 |
| Lattice rank | 118 | 116 | 146 | 144 | 166 | 162 | 262 | 258 | 346 | 344 | 454 | 452 |
| \(r'\) | 20 | 20 | 20 | 20 | 20 | 20 | 30 | 30 | 30 | 30 | 30 | 30 |
| Number of samples | 93 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 40 | 37 | 15 | 14 |
| Success rate (%) | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 89 | 0 | 0 |
| Average root Hermite factor | 1.014 | 1.014 | 1.014 | 1.014 | 1.014 | 1.014 | 1.020 | 1.020 | 1.020 | 1.020 | 1.089 | 1.021 |
| Average running time (s) | 72.22 | 88.97 | 218.4 | 238.2 | 443.3 | 456.1 | 12790.5 | 11744.6 | 54763.0 | 57862.3 | 231816.1 | 237846.9 |
| Ratio of running times (%) | − | 123.2 | − | 109.0 | − | 102.9 | − | 91.8 | − | 105.7 | − | 102.6 |

Table 2.2 Experimental results on Kannan’s embedding technique for \(p = 2\)

| \(\ell \) | 59 | 16183 | 73 | 2089 | 83 | 4051 | 131 | 5419 | 173 | 14449 | 227 | 9719 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| \(g\) | − | 58 | − | 72 | − | 81 | − | 129 | − | 172 | − | 226 |
| Lattice rank | 119 | 117 | 147 | 145 | 167 | 163 | 263 | 259 | 347 | 345 | 455 | 453 |
| \(r'\) | 20 | 20 | 20 | 20 | 20 | 20 | 30 | 30 | 30 | 30 | 40 | 40 |
| Number of samples | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 23 | 21 |
| Success rate (%) | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 |
| Average running time (s) | 10.4 | 10.7 | 36.7 | 41.4 | 92.3 | 97.6 | 4714.6 | 5556.7 | 19387.5 | 25138.7 | 136978.2 | 159772.6 |
| Ratio of running times (%) | − | 103.5 | − | 112.7 | − | 105.7 | − | 117.9 | − | 129.7 | − | 116.6 |

This implies that the behaviors of the basis reduction algorithms heavily depend on the structure of the input lattices. This is a reason why experimental analyses are necessary for ensuring the security of lattice-based schemes (or other problems). Table 2.2 also shows that the running times for the decomposition fields become longer than those for cyclotomic fields as *g* (or \(\ell - 1\)) increases. Therefore, we can expect that decomposition fields provide Ring-LWE that is more secure against the lattice attacks described in Sect. 2.2.4.1 than \(\ell \)th cyclotomic fields because the ranks of the lattices occurring in our experiments are very low compared to the ranks of lattices used in practice. This means that we can use decomposition fields with lower extension degrees than would be needed for \(\ell \)th cyclotomic fields, and the use of such number fields makes Ring-LWE-based schemes more efficient. Therefore, as a result of our analysis, we believe that Ring-LWE over decomposition fields can be used to construct more efficient HE schemes.

## References

1. S. Arita, S. Handa, Subring homomorphic encryption, in *Proceedings of ICISC 2017*. LNCS, vol. 10779 (Springer, Cham, 2018), pp. 112–136
2. L. Babai, On Lovász’ lattice reduction and the nearest lattice point problem. Combinatorica **6**(1), 1–13 (1986). Springer (Preliminary version in STACS 1985)
3. G. Bonnoron, C. Fontaine, A note on ring-LWE security in the case of fully homomorphic encryption, in *Proceedings of INDOCRYPT 2017*. LNCS, vol. 10698 (Springer, Cham, 2017), pp. 27–43
4. Z. Brakerski, C. Gentry, V. Vaikuntanathan, (Leveled) fully homomorphic encryption without bootstrapping, in *Proceedings of ITCS 2012* (ACM, New York, NY, USA, 2012), pp. 309–325
5. Z. Brakerski, V. Vaikuntanathan, Fully homomorphic encryption from ring-LWE and security for key dependent messages, in *Proceedings of CRYPTO 2011*. LNCS, vol. 6841 (Springer, Berlin, Heidelberg, 2011), pp. 505–524
6. H. Chen, K. Lauter, K.E. Stange, Security considerations for Galois non-dual RLWE families, in *Proceedings of SAC 2016*. LNCS, vol. 10532 (Springer, Cham, 2016), pp. 443–462
7. Y. Chen, P.Q. Nguyen, BKZ 2.0: better lattice security estimates, in *Proceedings of ASIACRYPT 2011*. LNCS, vol. 7073 (Springer, Berlin, Heidelberg, 2011), pp. 1–20
8. D. Coppersmith, Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptol. **10**(4), 233–260 (1997). Springer
9. J. Fan, F. Vercauteren, Somewhat practical fully homomorphic encryption. Cryptology ePrint Archive, Report 2012/144 (2012)
10. N. Gama, P.Q. Nguyen, Predicting lattice reduction, in *Proceedings of EUROCRYPT 2008*. LNCS, vol. 4965 (Springer, Berlin, Heidelberg, 2008), pp. 31–51
11. S. Halevi, V. Shoup, Algorithms in HElib, in *Proceedings of CRYPTO 2014*. LNCS, vol. 8616 (Springer, Berlin, Heidelberg, 2014), pp. 554–571
12. R. Kannan, Minkowski’s convex body theorem and integer programming. Mathematics of Operations Research **12**(3), 415–440 (1987). INFORMS, Linthicum, Maryland, USA
13. A.K. Lenstra, H.W. Lenstra Jr., L. Lovász, Factoring polynomials with rational coefficients. Math. Ann. **261**(4), 515–534 (1982). Springer
14. T. Lepoint, M. Naehrig, A comparison of the homomorphic encryption schemes FV and YASHE, in *Proceedings of AFRICACRYPT 2014*. LNCS, vol. 8469 (Springer, Cham, 2014), pp. 318–335
15. V. Lyubashevsky, C. Peikert, O. Regev, On ideal lattices and learning with errors over rings, in *Proceedings of EUROCRYPT 2010*. LNCS, vol. 6110 (Springer, Berlin, Heidelberg, 2010), pp. 1–23
16. V. Lyubashevsky, C. Peikert, O. Regev, On ideal lattices and learning with errors over rings. J. ACM **60**(6), 43:1–43:35 (2013). ACM, New York, NY, USA
17. V. Lyubashevsky, C. Peikert, O. Regev, A toolkit for ring-LWE cryptography, in *Proceedings of EUROCRYPT 2013*. LNCS, vol. 7881 (Springer, Berlin, Heidelberg, 2013), pp. 35–54
18. P. Morandi, Field and Galois theory. *Graduate Texts in Mathematics*, vol. 167 (Springer-Verlag, New York, 1996)
19. C.P. Schnorr, M. Euchner, Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Progr. **66**(1–3), 181–199 (1994). Springer
20. Y. Wang, Y. Aono, T. Takagi, An experimental study of Kannan’s embedding technique for the search LWE problem, in *Proceedings of ICICS 2017*. LNCS, vol. 10631 (Springer, Cham, 2018), pp. 541–553
21. D.V. Bailey, C. Paar, Optimal extension fields for fast arithmetic in public-key algorithms, in *Advances in Cryptology - CRYPTO ’98, 18th Annual International Cryptology Conference, Santa Barbara, California, USA, August 23-27, 1998, Proceedings* (Springer, 1998), pp. 472–485
22. D.J. Bernstein, Curve25519: new Diffie-Hellman speed records, in *Public Key Cryptography - PKC 2006, 9th International Conference on Theory and Practice of Public-Key Cryptography, New York, NY, USA, April 24-26, 2006, Proceedings* (Springer, 2006), pp. 207–228
23. D.J. Bernstein, P. Birkner, M. Joye, T. Lange, C. Peters, Twisted Edwards curves. IACR Cryptology ePrint Archive **2008**, 13 (2008)
24. D.J. Bernstein, T. Lange, Faster addition and doubling on elliptic curves. IACR Cryptology ePrint Archive **2007**, 286 (2007)
25. C. Diem, On the discrete logarithm problem in class groups of curves. Math. Comput. **80**(273), 443–475 (2011)
26. J. Faugère, P. Gaudry, L. Huot, G. Renault, Using symmetries in the index calculus for elliptic curves discrete logarithm. J. Cryptol. **27**(4), 595–635 (2014)
27. J. Faugère, L. Perret, C. Petit, G. Renault, Improving the complexity of index calculus algorithms in elliptic curves over binary fields, in *Advances in Cryptology - EUROCRYPT 2012 - 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cambridge, UK, April 15-19, 2012. Proceedings* (Springer, 2012), pp. 27–44
28. S.D. Galbraith, P. Gaudry, Recent progress on the elliptic curve discrete logarithm problem. Des. Codes Cryptogr. **78**(1), 51–72 (2016)
29. S.D. Galbraith, S.W. Gebregiyorgis, Summation polynomial algorithms for elliptic curves in characteristic two, in *Progress in Cryptology - INDOCRYPT 2014 - 15th International Conference on Cryptology in India, New Delhi, India, December 14-17, 2014, Proceedings* (Springer, 2014), pp. 409–427
30. P. Gaudry, Index calculus for abelian varieties of small dimension and the elliptic curve discrete logarithm problem. J. Symb. Comput. **44**(12), 1690–1702 (2009)
31. Y. Huang, C. Petit, N. Shinohara, T. Takagi, Improvement of Faugère et al.’s method to solve ECDLP, in *Advances in Information and Computer Security - 8th International Workshop on Security, IWSEC 2013, Okinawa, Japan, November 18-20, 2013, Proceedings* (Springer, 2013), pp. 115–132
32. P.L. Montgomery, Speeding the Pollard and elliptic curve methods of factorization. Math. Comput. **48**, 243–264 (1987). URL http://links.jstor.org/sici?sici=0025-5718(198701)48:177<243:STPAEC>2.0.CO;2-3
33. C. Petit, J. Quisquater, On polynomial systems arising from a Weil descent. IACR Cryptology ePrint Archive **2012**, 146 (2012)
34. J.M. Pollard, Monte Carlo methods for index computation mod \(p\). Math. Comput. **32**, 918–924 (1978)
35. I.A. Semaev, Summation polynomials and the discrete logarithm problem on elliptic curves. IACR Cryptology ePrint Archive **2004**, 31 (2004)
36. N.P. Smart, The Hessian form of an elliptic curve, in *Cryptographic Hardware and Embedded Systems - CHES 2001, Third International Workshop, Paris, France, May 14-16, 2001, Proceedings* (Springer, 2001), pp. 118–125

## Copyright information

**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.