2. Cryptography Core Technology

Let E be an elliptic curve defined over a finite field \(\mathbb {F}_{p^n}\). For cryptographic applications, we are mostly interested in a prime-order subgroup generated by a rational point \(P\in E(\mathbb {F}_{p^n})\). Here, we first give a high-level overview of a typical index-calculus algorithm for finding an integer \(\alpha \) such that \(Q=\alpha P\) for \(Q\in \langle P\rangle \).

The last step of linear algebra is relatively well studied in the literature, so we will focus on the subproblem in the second step, namely, the point decomposition problem (PDP) on an elliptic curve in the rest of this section.

We can solve PDP by considering when the sum of a set of points becomes zero on an elliptic curve. It is straightforward that if two points sum to zero on an elliptic curve \(E: y^2=x^3+ax+b\) in Weierstrass form, then their x-coordinates must be equal. Let us now consider the simplest yet nontrivial case where three points on E sum to zero. LetClearly, Z is in the variety of the ideal \(I\subset \mathbb {F}_{p^n}[X_1,Y_1,X_2,Y_2,X_3,Y_3]\) generated byNow let \(J=I\cap \mathbb {F}_{p^n}[X_1,X_2,X_3]\). Using MAGMA’s EliminationIdeal function, we find that J is actually a principal ideal generated by the polynomial \((X_2 - X_3)(X_1 - X_3)(X_1 - X_2)f_3\), whereClearly, the linear factors of this generator correspond to the degenerated case where two or more points are the same or of opposite signs, and \(f_3\) is the 3rd summation polynomial, that is, the summation polynomial for three distinct points summing to zero.

Starting from the 3rd summation polynomial, we can recursively construct the subsequent summation polynomials \(f_m\) for \(m>3\) by taking resultants. As a result, the degree of each variable in \(f_m\) is \(2^{m-2}\), which grows exponentially as m. This is the observation Semaev made in his seminal work [35]. In short, his proposal is to consider factor bases of the following form:where V is a subset of \(\mathbb {F}_{p^n}\). Then, we solve PDP of mth order by solving the corresponding \((m+1)\)th summation polynomial \(f_{m+1}(X_1,\ldots ,X_m,\tilde{x})=0\), where \(\tilde{x}\) is the x-coordinate of the point to be decomposed.

Note that this factor base is naturally invariant under point negation. That is, \(P_i\in \mathcal F\) implies \(-P_i\in \mathcal F\). In this case, we have about \(|\mathcal F|/2\) (trivial) relations \(P_i+(-P_i)=\mathcal O\) for free, so we only need to find the other \(|\mathcal F|/2\) nontrivial relations. In general, we will only discuss factor bases that are invariant under point negation, so by abuse of language, both \(\mathcal F\) and \(\mathcal F\) modulo point negation may be referred to as a factor base in the rest of this section.

Restricting the x-coordinates of the points in a factor base to a subset of \(\mathbb {F}_{p^n}\) is important from the viewpoint of polynomial system solving. Take \(f_3\) as an example. When decomposing a random point \(aP+bQ\), we first substitute its x-coordinate into say \(X_3\), projecting the ideal onto \(\mathbb {F}_{p^n}[X_1,X_2]\). The dimension of the variety of this ideal is nonzero. Therefore, we would like to pose some restrictions on \(X_1\) and \(X_2\) to reduce the dimensions to zero so that the solving time can be more manageable.

When looking for solutions to a polynomial \(f=\sum a_iX^i\in \mathbb {F}_{p^n}[X]\) in \(\mathbb {F}_{p^n}\), we can view \(\mathbb {F}_{p^n}[X]\) as a commutative affine algebra \(\mathcal A=\mathbb {F}_{p^n}[X]/(X^{p^n} - X)\cong \mathbb {F}_{p^n}[X_1,\ldots ,X_n]/(X_1^p - X_1,\ldots ,X_n^p - X_n)\). This can be done by identifying the indeterminate X as \(X_1\theta _1+\cdots +X_n\theta _n\), where \((\theta _1,\ldots ,\theta _n)\) is a basis for \(\mathbb {F}_{p^n}\) over \(\mathbb {F}_p\). Hence, f can be identified as a polynomial \(f_1\theta _1+\cdots +f_n\theta _n\), where \(f_1,\ldots ,f_n\in \mathcal A'=\mathbb {F}_p[X_1,\ldots ,X_n]/(X_1^p - X_1,\ldots ,X_n^p - X_n)\), by appropriately sending each coefficient \(a_i\in \mathbb {F}_{p^n}\) to \(a_i^{(1)}\theta _1+\cdots +a_i^{(n)}\theta _n\) for \(a_i^{(1)},\ldots ,a_i^{(n)}\in \mathbb {F}_p\). Therefore, an equation \(f=0\) over \(\mathbb {F}_{p^n}\) will give rise to a system of equations \(f_1=\cdots =f_n=0\) over \(\mathbb {F}_p\). This technique is known as the Weil restriction and is used in the Gaudry–Diem attack, where the factor base is chosen to consist of points whose x-coordinates lie in a subspace V of \(\mathbb {F}_{p^n}\) over \(\mathbb {F}_p\) [25, 30].

Naturally, the symmetric group \(S_m\) acts on a point decomposition \(P_1+\cdots +P_m\) because elliptic curve groups are abelian. As noted by Gaudry in his seminal work [30], we can therefore rewrite the variables \(x_1,\ldots ,x_m\in \mathbb {F}_{p^n}\) by elementary symmetric polynomials \(e_1,\ldots ,e_m\), where \(e_1=\sum x_i\), \(e_2=\sum _{i\ne j}x_ix_j\), \(e_3=\sum _{i\ne j,i\ne k,j\ne k}x_ix_jx_k\), etc. Such rewriting can reduce the degree of summation polynomials and significantly speed up point decomposition [27, 31].

We might be able to exploit additional symmetry brought by actions of other groups, e.g., when the factor base is invariant under addition of small torsion points. For example, consider a decomposition of a point R under the action of addition of a 2-torsion point \(T_2\):Clearly, this holds for any \(u_1,\ldots ,u_{n-1}\in \{0,1\}\), so a decomposition can give rise to \(2^{n-1}-1\) other decompositions. Similar to rewriting using the elementary symmetric polynomials for the action of \(S_m\), we can also take advantage of this additional symmetry by appropriately rewriting [26].

Naturally, such speedup is curve-specific. Furthermore, even if the factor base is invariant under additional group actions, we may or may not be able to exploit such symmetry to speed up the point decomposition depending on whether the action is “easy to handle in the polynomial system solving process” [26].

Faugère, Gaudry, Hout, and Renault studied PDP on twisted Edwards, twisted Jacobi intersections, and Weierstrass curves [26]. For the sake of completeness, we include some of their results here. An Edwards curve over \(\mathbb {F}_{p^n}\) for \(p\ne 2\) is defined by the equation \(x^2+y^2=1+dx^2y^2\) for certain \(d\in \mathbb {F}_{p^n}\) [24]. A twisted Edwards curve \(tE_{a,d}\) over \(\mathbb {F}_{p^n}\) for \(p\ne 2\) is defined by the equation \(ax^2+y^2=1+dx^2y^2\) for certain \(a,d\in \mathbb {F}_{p^n}\) [23]. A twisted Edwards curve is a quadratic twist of an Edwards curve by \(a_0=1/(a-d)\). For \(P=(x,y)\in tE_{a,d}\), \(-P=(-x,y)\). Furthermore, the addition and doubling formulae for \((x_3,y_3)=(x_1,y_1)+(x_2,y_2)\) are given as follows: The 3rd summation polynomial for twisted Edwards curves is [26]:Again, the subsequent summation polynomials are obtained by taking resultants.

Symmetry brought by group action on point decomposition will inevitably be accompanied by a decrease in decomposition probability. For example, if a factor base \(\mathcal F\) is invariant under addition of a 2-torsion point, then the decomposition probability for PDP of the mth order should decrease by a factor of \(2^{m-1}\). This is due to the same reason that the decomposition probability decreases by a factor of m! because the symmetric group \(S_m\) acts on \(\mathcal F\).

However, this simple fact seems to have been largely ignored in the literature. For example, Faugère, Gaudry, Hout, and Renault explicitly stated in Sect. 5.​3 of their study that “[the] probability to decompose a point [into a sum of n points from the factor base] is \(\frac{1}{n!}\)” for twisted Edwards or twisted Jacobi intersections curves, despite the fact that the factor base is invariant under the addition of 2-torsion points [26]. At first glance, this may not seem a problem, as we would expect to obtain \(2^{n-1}\) solutions if we can successfully solve a PDP instance. (Unfortunately, this is also not true in general. We will return to it in more detail in Sect. 2.1.5.3.) However, when estimating the cost of a complete ECDLP attack, they proposed to collapse these \(2^{n-1}\) relations into one to reduce the size of the factor base and thus the cost of the linear algebra, cf. Remark 5 of the paper. In this case, the decrease in decomposition probability does have an adverse effect, and their estimation for the overall ECDLP cost ended up being overoptimistic by a factor of at least \(2^{n-1}\).

A Montgomery curve \(M_{A,B}\) over \(\mathbb {F}_{p^n}\) for \(p\ne 2\) is defined by the equationfor \(A,B\in \mathbb {F}_{p^n}\) such that \(A\ne \pm 2\), \(B\ne 0\), and \(B(A^2-4)\ne 0\) [32]. For \(P=(x,y)\in M_{A,B}\), \(-P=(x,-y)\). Furthermore, the addition and doubling formulae for \((x_3,y_3)=(x_1,y_1)+(x_2,y_2)\) are given as follows. When \((x_1,y_1)\ne (x_2,y_2)\):When \((x_1,y_1)=(x_2,y_2)\):It was noted by Montgomery himself in his original paper that such curves can give rise to efficient scalar multiplication algorithms [32]. That is, consider a random point \(P\in M_{A,B}(\mathbb {F}_{p^n})\) and \(nP=(X_n:Y_n:Z_n)\) in projective coordinates for some integer n. ThenIn particular, when \(m=n\)In this way, scalar multiplication on the Montgomery curve can be performed without using y-coordinates, leading to fast implementation.

Following Semaev’s approach [35], we can construct summation polynomials for Montgomery curves. Like Weierstrass curves, the 2nd summation polynomial for Montgomery curves is simply \(f_{M,2} = X_1 - X_2\). Now, we consider \(P,Q\in M_{A, B}\) for \(P=(x_1, y_1)\) and \(Q=(x_2, y_2)\). Let \(P+Q=(x_3, y_3)\) and \(P-Q=(x_4, y_4)\). By the addition formula, we haveIt follows thatUsing the relationship between the roots of a quadratic polynomial and its coefficients, we obtainFrom here, we can obtain for Montgomery curve which is the 3rd summation polynomial:as well as the subsequent summation polynomials by taking resultants:

A Montgomery curve always contains an affine 2-torsion point \(T_2\). Because \(T_2+T_2=2T_2=\mathcal O\), \(-T_2=T_2\). If we write \(T_2=(x,y)\), then we can see that \(y=0\) in order for \(-T_2=T_2\) as \(p\ne 2\). Substituting \(y=0\) into Eq. (2.1), we get an equation \(x^3+Ax^2+x=0\). The left-hand side factors into \(x(x^2+Ax+1)=0\), so we getTherefore, the set of rational points over the definition field \(F_{p^n}\) of a Montgomery curve includes at least two 2-torsion points, namely \(\mathcal O\) and (0, 0). The other 2-torsion points may or may not be rational, so we will focus on (0, 0) in this section. Substituting \((x_2,y_2)=(0,0)\) into the addition formula for Montgomery curves, we get that for any point \(P=(x,y)\in M_{A,B}\), \(P+(0,0)=(1/x,-y/x^2)\).

To be able to exploit the symmetry of addition of \(T_2=(0,0)\), we need to choose the factor base \(\mathcal F=\{(x,y)\in E(\mathbb {F}_{p^n}):x\in V\subset \mathbb {F}_{p^n}\}\) invariant under addition of \(T_2\). This means that V needs to be closed by undertaking multiplicative inverses. In other words, V needs to be a subfield of \(\mathbb {F}_{p^n}\), i.e., \(V=\mathbb {F}_{p^\ell }\) for some integer \(\ell \) that divides n. In this case, \(f_m\) is invariant under the action of \(x_i\mapsto 1/x_i\). Unfortunately, such an action is not linear and hence not easy to handle in polynomial system solving. How to take advantage of such kind of symmetry in PDP is still an open research problem.

A Hessian curve \(H_d\) over \(\mathbb {F}_{p^n}\) for \(p^n=2\bmod 3\) is defined by the equationfor \(d\in \mathbb {F}_{p^n}\) such that \(27d^3\ne 1\) [36]. For \(P=(x,y)\in H_d\), \(-P=(y,x)\). Furthermore, the addition and doubling formulae for \((x_3,y_3)=(x_1,y_1)+(x_2,y_2)\) are given as follows.

Following a similar approach outlined by Galbraith and Gebregiyorgis [29], we can construct summation polynomials for Hessian curves. First, we introduce a new variable \(T=X+Y\), which is invariant under point negation. The 2nd summation polynomial for Hessian curves is simply \(f_{H,2} = T_1 - T_2\). Now letClearly, Z is in the variety of the ideal \(I\subset \mathbb {F}_{p^n}[X_1,Y_1,T_1,X_2,Y_2,T_2,X_3,Y_3,T_3]\) generated byAgain, we compute the elimination ideal \(I\cap \mathbb {F}_{p^n}[T_1,T_2,T_3]\) and obtain a principal ideal generated by some polynomial. After removing the degenerate factors, we can obtain for Hessian curve the 3rd summation polynomial:as well as the subsequent summation polynomials by taking resultants:

As we shall see in Sect. 2.1.4.1, we will compare elliptic curves in various forms that are isomorphism to one another over the same definition field. As a result, we will only experiment with those Hessian curves that include 2-torsion points like Montgomery or (twisted) Edwards curves. Because \(T_2+T_2=2T_2=\mathcal O\), it follows that \(-T_2=T_2\). If we write \(T_2=(x,y)\), then we can see that \(x=y\) in order for \(-T_2=T_2\) as \(-T_2=(y,x)\). Substituting \(x=y\) into Eq. (2.2), we get an equation \(2x^3-3dx^2+1=0\). Therefore, a Hessian curve \(H_d(\mathbb {F}_{p^n})\) has a 2-torsion point \((\zeta ,\zeta )\) if the polynomial \(2X^3 - 3dX^2 + 1\) has a root \(\zeta \) in \(\mathbb {F}_{p^n}\). In this case, the addition of this 2-torsion point to a point (x, y) would give a point \((x',y')\), whereObviously, the typical factor bases are not invariant under addition of this 2-torsion point in general.

A Hessian curve always contains a 3-torsion point \(T_3\) such that \(3T_3=\mathcal O\) [36]. If we let \(T_3=(x,y)\), then we see that \(2(x,y)=-(x,y)=(y,x)\), substituting which into the doubling formula, we getBecause x and y cannot be zero at the same time, we have \(x^3-y^3=1-x^3=y^3-1\), or \(x^3=y^3=1\). Now because \(p^n=2\bmod 3\), \(\mathbb {F}_{p^n}\) does not have any primitive cubic roots of unity, \(x=y=1\) and \(T_3=(1,1)\). By the addition formula, if \(P=(x,y)\), thenHowever, for \(P\in \mathcal F\), we only know that \(t=x+y\in V\subset \mathbb {F}_{p^n}\), but we know nothing about \(1-xy\), which can lie outside of V. Therefore, again, typical factor bases are not invariant under addition of this 3-torsion point in general. Therefore, it is not clear how to exploit such symmetry brought by addition of small torsion points for Hessian curves.

As explained in Sect. 2.1.2.1, we focus on PDP in these experiments as the linear algebra step is already well understood. Furthermore, we focus on the bottleneck computation in PDP, namely, the cost of the F4 algorithm for computing Gröbner bases of the polynomial systems obtained after rewriting using the elementary symmetric polynomials and applying the Weil restriction technique to summation polynomials. This way we will be taking advantage of the symmetry of \(S_m\) acting on point decompositions. However, we did not exploit symmetry of any other group actions. This is because we want to compare the intrinsic computational complexity of PDP and hence only consider the symmetry that is present in all curves. Exploiting further curve-specific symmetry whenever possible will result in a further speedup, but it would be independent of our findings here.

Figure 2.1 presents our experimental results for the case of \(n=5\). Here, we choose our factor base by taking V as the base field \(\mathbb {F}_p\) of \(\mathbb {F}_{p^n}\). All our experiments were performed using the MAGMA computation algebra system (version 2.23-1) on a single core of an Intel Xeon CPU E7-4830 v4 running at 2 GHz. Comparisons to solve each PDP were performed by running time (in second), Dreg, Matcost, and Rank. The “Dreg” is the maximum step degree reached during the execution of the F4 algorithm, which is referred to as the “degree of regularity” in the literature [29] and provides an upper bound for the sizes of the Macaulay submatrices involved in the computation, the “Matcost” is a number output by the MAGMA implementation of the F4 algorithm and provides an estimate of the linear algebra cost during the execution of the F4 algorithm, and finally, the “Rank” is the number of linearly independent relations we obtain once successfully solving a PDP instance. It is an important factor to consider, as it determines how many PDP instances we need to successfully solve to have enough relations for a complete ECDLP attack using index calculus. We can clearly see that the PDP solving time and Matcost for twisted Edwards curves are much smaller than those for the other curves. In contrast, the degrees of regularity for Montgomery and twisted Edwards curves are smaller than those of the other curves in the case of \(m=4\). In addition, we can see that the rank for Hessian and Weierstrass curves is 1 in all cases, whereas for Montgomery and twisted Edwards curves, it is 4 and 5 in the case of \(m=3\) and \(m=4\), respectively. Last but not least, although we only present the results for small p (around 8-bit long), here, we have some preliminary results for larger p (around 16-bit and 32-bit long). Apart from the slight difference in the absolute running time, all other results such as Dreg, Matcost, and Rank are similar, so we do not repeat them here.

As we have seen in Sect. 2.1.4.2, PDP on (twisted) Edwards curves seems easier to solve than on other curves. The explanation offered by Faugère, Gaudry, Hout, and Renault is “due to the smaller degree appearing in the computation of Gröbner basis of \(\mathscr {S}_{D_n}\) in comparison with the Weierstrass case,” cf. Sect. 4.​1.​1 of their paper [26]. Unfortunately, this cannot explain the difference between (twisted) Edwards and Montgomery curves as the highest degrees appearing in the computation of Gröbner bases are the same for these two curves. Therefore, there must be other reasons. We have found that the total number of terms for twisted Edwards curves is significantly lower than that for the other curves in all cases. Naturally, this could lead to faster solving time with the F4 algorithm. We also note that, except for the twisted Edwards curves, the summation polynomials before Weil restriction for the other curves are all 100% dense without any missing terms.

In this section, we will show that the summation polynomials for (twisted) Edwards curves mainly have terms of even degrees. The set of terms of even degrees is closed under multiplication, so intuitively, such polynomials are easier to solve, which can be the main reason for the efficiency gain observed in the case of (twisted) Edwards curves.

We shall make this intuition precise in Theorem 2.1, but before we state the main result, we need to clarify our terminology for ease of exposition. When a multivariate polynomial is regarded as a univariate polynomial in one of its variables T, we say that the coefficient \(a_i\) of a term \(a_iT^i\) is an even or odd-degree coefficient depending on whether i is even or odd, respectively. Note that these coefficients are themselves multivariate polynomials in one fewer variable.

We say that a monomial \(m=\prod _{i=1}^n x_i^{e_i},e_i\ge 0\) in a multivariate polynomial in n variables is of even degree or simply an even-degree monomial if \(\sum _i e_i\) is even; that it is of odd degree or simply an odd-degree monomial otherwise. In contrast, a monomial is of (homogeneous) even parity if all \(e_i\) are even; it is of (homogeneous) odd parity if all \(e_i\) are odd. A monomial is of homogeneous parity if it is either of homogeneous even or odd parity. Note that the definition of monomials of odd parity depends on the total number of variables in the polynomial, which is not the case for monomials of even parity because we regard 0 as even. For example, the monomial \(x_1x_2\) is a monomial of odd parity in a polynomial in \(x_1\) and \(x_2\) but not so in another polynomial in \(x_1,\ldots ,x_n\) for \(n>2\).

By abuse of language, we say that a polynomial is of even or odd parity if it is a linear combination of monomials of even or odd parity, respectively; that a polynomial is of homogeneous parity if it is a linear combination of monomials of homogeneous parity. The set of polynomials of even parity is closed under polynomial addition and multiplication and hence forms a subring. In contrast, a polynomial f in \(x_1,\ldots ,x_n\) of odd parity must have the form \(\sum _i c_i\left( \prod _{j=1} x_j^{e_{ij}}\right) \), for \(e_{ij}\) odd. Therefore, if f is a polynomial of odd parity and g, a polynomial of even parity, then fg must be of odd parity.

Among the four forms of elliptic curves that we investigated in this section, only the (twisted) Edwards form satisfies the premises of Theorem 2.1. As we have seen in Sect. 2.1.4, the PDP solving time for the (twisted) Edwards form is thus significantly faster than that for the other forms.

We will prove Theorem 2.1 in the rest of this section, for which we will need the following lemmas.

By Lemma 2.2, \(g_{\mathcal E,m}(X_1,\ldots ,X_m)=f_{\mathcal E,m+1}(X_1,\ldots ,X_m,x)\) is of homogeneous parity. Obviously, the monomials of even parity will remain of even degree after x is substituted. If m is even, then the monomials of odd parity in \(f_{\mathcal E,m+1}\) will become of even degree after x is substituted because an even number of odd numbers sum to an even number. Similarly, if m is odd, then the monomials of odd parity in \(f_{\mathcal E,m+1}\) will become of odd degree after x is substituted. However, those odd-degree monomials that are not of homogeneous parity, e.g., \(X_1^2X_2\), cannot appear in \(g_{\mathcal E,m}\) by Lemma 2.2. This completes the proof of Theorem 2.1.

Last but not least, we discuss the price needed to pay to have a highly symmetric factor base \(\mathcal F\) that is invariant under more group actions in addition to that of the symmetric group \(S_m\). As previewed in Sect. 2.1.2.6, we would expect that the effect of the decrease in decomposition probability due to additional symmetry in \(\mathcal F\) could be offset by that of the increase in number of solutions. For example, let us reconsider the group action of addition of \(T_2\) in Sect. 2.1.2.4. If we could get \(2^{m-1}\) solutions, then the loss of the factor of \(2^{m-1}\) in decomposition probability would be compensated. This way everything would be the same as if there were no such symmetry, and we could exploit the additional symmetry at no cost.

Unfortunately, this proposition is false in general. Consider an example of \(m=4\). Let \(Q_i=P_i+ T_2\) for \(i=1,2,3,4\). We can write down all \(2^{m-1}=8\) possible ways of a point decomposition under this group action:It is easy to find that we have only five linearly independent relations from these eight relations, as there are nontrivial linear combinations summing to zero, e.g.:As explained in Sect. 2.1.4.1, the factor bases for Montgomery and twisted Edwards curves are invariant under addition of 2-torsion points. For \(m=3\), we achieve maximum rank of \(2^{m-1}=4\). For \(m=4\), as we have explained above, we can only have rank 5, which is strictly less than the maximum possible rank \(2^{m-1}=8\).

Finally, we note that we have not exploited any symmetry for Hessian curves in our experiments. However, the rank for Hessian curves is always 1 in all our experiments. This shows that the factor base we have chosen for Hessian curves is not invariant under addition of small torsion points, as the rank would be \(>1\) otherwise.

An m-dimensional lattice is defined as a discrete additive subgroup of \(\mathbb {R}^m\). It is well known that for any lattice \(\mathcal{L}\subset \mathbb {R}^m\), there exist \(\mathbb {R}\)-linearly independent vectors \(\mathbf{b}_1, \ldots , and\,\mathbf{b}_n \in \mathbb {R}^m\) such that \(\mathcal{L}=\sum _{1 \le i \le n} \mathbb {Z}\mathbf{b}_i := \{ \sum _{1 \le i \le n}a_i\mathbf{b}_i \mid a_i \in \mathbb {Z}\ \}\). In other words, for a matrix \(\mathbf{B}= \left( \mathbf{b}_1, \ldots , \mathbf{b}_n \right) \) whose ith column vector is \(\mathbf{b}_j\), we have \(\mathcal{L}= \{ \mathbf{B}\mathbf{x} \mid \mathbf{x} \in \mathbb {Z}^n \}\). Then, we say that \(\{ \mathbf{b}_1, \ldots , \mathbf{b}_n \}\) is a lattice basis of \(\mathcal{L}\), and \(\mathbf{B}\) is the basis matrix of \(\mathcal{L}\) with respect to \(\{ \mathbf{b}_1, \ldots , \mathbf{b}_n \}\). The value n is called the rank of \(\mathcal{L}\), and it is denoted by \(\mathrm {rank}(\mathcal{L})\). There are infinite bases for a lattice. In fact, for any unimodular matrix \(\mathbf{U}\), all column vectors of \(\mathbf{U} \mathbf{B}\) also form a basis of \(\mathcal{L}\). An important invariant of \(\mathcal{L}\) is the determinant defined as \(\det (\mathcal{L}) := \sqrt{\det \left( \mathbf{B}\mathbf{B}^t \right) }\). This determinant is independent of basis.

There are various computationally hard problems on lattices. Here, we explain the CVP, which is a well-known problem on lattices. Given a lattice \(\mathcal{L}\) and target vector \(\mathbf{t} \in \mathbb {R}^m \smallsetminus \mathcal{L}\), the CVP on \((\mathcal{L}, \mathbf{t})\) is the problem of finding a vector \(\mathbf{x} \in \mathcal{L}\) such that for all vectors \(\mathbf{y} \in \mathcal{L}\), we have \(\Vert \mathbf{t} - \mathbf{x} \Vert \le \Vert \mathbf{t} - \mathbf{y} \Vert \). For a real number \(\gamma > 1\), the approximate CVP on \((\mathcal{L}, \mathbf{t}, \gamma )\) is the problem of finding a vector \(\mathbf{x} \in \mathcal{L}\) such that for all vectors \(\mathbf{y} \in \mathcal{L}\), we have \(\Vert \mathbf{t} - \mathbf{x} \Vert \le \gamma \Vert \mathbf{t} - \mathbf{y} \Vert \). Babai’s nearest plane algorithm and Kannan’s embedding technique are basic algorithms for solving the approximate CVP. Almost all known problems on lattices that are useful for constructing cryptographic protocols become more difficult as the ranks of the underlying lattices increase, and the quality of the two algorithms mentioned earlier depends on ranks of input lattices.

Breaking some cryptographic protocols can be reduced to solving certain computational problems on lattices, including the (approximate) CVP [3, 8]. To solve such problems on lattices, we usually use lattice basis reduction algorithms, which transform a given basis of a lattice into a basis of the same lattice that consists of nearly orthogonal and relatively short vectors. In fact, an input of Babai’s nearest plane algorithm is an (LLL) reduced basis, and Kannan’s embedding technique outputs an appropriate vector from the reduced basis. In our experiments, to solve CVP using Babai’s nearest plane algorithm and Kannan’s embedding technique, we use the LLL algorithm [13] and BKZ algorithm [7, 19], which are well-known algorithms for computing such bases.

The quality of basis reduction algorithms is usually estimated by the root Hermite factor, which is defined as follows: Let \(\mathbf{b}\) be the shortest vector of a basis of a lattice \(\mathcal{L}\) with rank n, which has been reduced by a basis reduction algorithm \(\mathcal{A}\). Then, the root Hermite factor \(\delta _{\mathcal{A}, \mathcal{L}}\) is defined as a constant satisfying \( \delta ^n_{\mathcal{A}, \mathcal{L}} := \Vert \mathbf{b}\Vert /\det (\mathcal{L})^{1/n}. \) Better basis reduction algorithms provide smaller Hermite root factors.

To describe decomposition fields, we need to describe Galois theory.

Let K be a field and L an extension field of K; we denote this situation by L/K. The field L is a K-vector space, and the degree of extension of L/K, denoted by [L : K], is defined as the dimension of L as K-vector space. If M is a subfield of L containing K as a subfield, i.e., \(K \subset M \subset L\), then we call M an intermediate field of L/K. If L/K satisfies \([L:K] < \infty \), then L/K is called a finite extension of K. If M is an intermediate field of L/K with \([L:K] < \infty \), then we have \([L:K]=[L:M][M:K]\). If for any \(\alpha \in L\), there exists a nonzero polynomial \(f(x) \in K[x]\) such that \(f(\alpha ) = 0\), then L/K is called an algebraic extension of K. It is known that all finite extensions are algebraic extensions.

From now on, we suppose that L/K is a finite algebraic extension. For any \(\alpha \in L\), the minimal polynomial over K of \(\alpha \) is defined as the monic polynomial \(f(x) \in K[x]\) with the lowest degree of all polynomials in K[x] that vanish at \(\alpha \). We denote \(\mathrm {Irr}(\alpha , K)(x)\) as the minimal polynomial over K of \(\alpha \). Note that the minimal polynomial over K of \(\alpha \) coincides with the monic irreducible polynomial over K that vanishes at \(\alpha \). For a subset \(S \subset L\), we denote K(S) as the smallest subfield of L among subfields containing K and S. We call K(S) the field generated by S over K. If L is generated by one element \(\theta \in L\) over K, i.e., \(L = K(\theta )\), then we have an isomorphism \(L \cong K[x]/\left( \mathrm {Irr}(\theta , K)(x) \right) \) by \(\theta \mapsto x\) (mod. \(\left( \mathrm {Irr}(\theta , K)(x) \right) \). This implies that \([K(\theta ):K] = \deg \mathrm {Irr}(\alpha , K)\).

Next, we describe separable, normal, and Galois extensions of fields. If \(\mathrm {Irr}(\alpha , K)(x)\) for any \(\alpha \) that has no multiple roots, then L/K is called a separable extension of K. If L contains all roots of \(\mathrm {Irr}(\alpha , K)(x)\) for any \(\alpha \in L\), then L/K is called a normal extension of K. If all algebraic extensions of K, including infinite algebraic extensions, are separable, then K is called a perfect (field). It is known that fields with characteristic zero and any finite field are perfect, and that any finite separable extension field can be generated by one element. If L/K is a separable and normal extension of K, then L/K is called a Galois extension of K. Let \(\Omega \) be a sufficiently large field containing K such that any ring-homomorphism \(\phi \) fixing K, i.e., \(\phi (a) = a\) for any \(a \in K\), to L satisfies \(\phi (L) \subset \Omega \). We define the set of all ring-homomorphisms by fixing K to the range L to \(\Omega \) as follows:(Note that any nonzero ring-homomorphism between fields is injective.) Let L/K be separable with \([L:K] = n\) and \(L = K(\theta )\). Let \(\theta = \theta _1, \ldots , \theta _n\) be all roots of \(\mathrm {Irr}(\theta , K)(x)\). For any \(\sigma \in \mathrm {Hom}_K(L, \Omega )\), we have \(\sigma \left( \mathrm {Irr}(\theta , K)(\theta ) \right) = \mathrm {Irr}(\theta , K) (\sigma (\theta )) = 0\). This means that \(\sigma (\theta ) = \theta _i\) for some \(i = 1, \ldots , n\). This then implies \(\# \mathrm {Hom}_K(L) = n\). (Any \(\tau \in \mathrm {Hom}_K(L, \Omega )\) is completely determined by the image of \(\theta \) under \(\tau \) because \(\tau \) fixes K.)

Moreover, if L/K is normal, then \(\sigma \) induces an isomorphism \(L \cong L\). Note that \(L = K(\theta ) \cong K(\theta _i)\) for any \(i = 1, \ldots , n\) because these fields are isomorphic to \(K[X]/\left( \mathrm {Irr}(\theta , K) \right) \). Therefore, we may take L as \(\Omega \) and can write \(\mathrm {Aut}_K(L)=\mathrm {Hom}_K(L, \Omega )\).

Now, we can describe the fundamental theorem of Galois theory (for finite field extensions). Let L/K be a finite Galois extension of K. Then, we can write \(\mathrm {Gal}(L/K) = \mathrm {Aut}_K(L)\). For any subgroup \(H \subset \mathrm {Gal}(L/K)\) and an intermediate field M of L/K, we defineWe note that L/M is a Galois extension with \(\mathrm {Gal}(L/M) = G_M\). It is not difficult to see that \(L^H\) is an intermediate field of L/K and that \(G_M\) is a subgroup of \(\mathrm {Gal}(L/K)\). We can define two maps with respect to L/K. One is a map \(\Phi \) from \(A := \{ M \subset L \mid \! M{ isanintermediatefieldof}L/K \}\) to \(B := \{ H \subset \mathrm {Gal}(L/K)\! \mid H{ isasubgroupof}\mathrm {Gal}(L/K) \}\) by \(M \mapsto G_M\). The other is a map \(\Psi \) from B to A by \(H \mapsto L^H\). The fundamental theorem of Galois theory is as follows:

For a proof of Theorem 2.2, see [18] for example. (It is easy to prove (2) of Theorem 2.2 from the definitions of \(\Phi \) and \(\Psi \).)

To describe Ring-LWE and decomposition fields, which play central roles in this paper, we need some notations from algebraic number theory.

An (algebraic) number field is a finite extension field of \(\mathbb {Q}\). Let K be a number field with extension degree \([ K : \mathbb {Q}] = n\). An element \(a \in K\) is called an algebraic integer if there exists a monic polynomial \(f \in \mathbb {Z}[x]\) such that \(f(a) = 0\). The ring of integers \(O_K\) of K is defined as a subring of K consisting of all algebraic integers of K. The ring \(O_K\) has an integral basis (\(\mathbb {Z}\)-basis) \(\{ u_1, \ldots , u_n \}\), i.e., for any element \(u \in O_K\), there exist integers \(a_1, \ldots , a_n\) such that u is uniquely written as \(u = \sum _{1\le i \le n}a_iu_i\). It is well known that any (integral) ideal I of \(O_K\) is uniquely factored into products of some prime ideals, i.e., there exist prime ideals \(\mathcal{P}_1, \ldots , \mathcal{P}_m\) satisfying \(I = \mathcal{P}_1^{e_1} \cdots \mathcal{P}_m^{e_m}\) for \(e_i \ge 1\). If \(I = pO_K\) for a prime number p and K is a Galois extension of \(\mathbb {Q}\), then we have \(O_K/\mathcal{P}_i = \mathbb {F}_{p^{d}}\) for some \(d \in \mathbb {N}\) and all \(e_i\)’s are mutually equal. Moreover, we have \(med = n\), where \(e := e_i\), and if all \(e_i\)’s are equal to 1 (resp. all \(e_i\)’s and d are equal to 1), then we say that p is unramified (resp. splits completely) in K. Any prime ideal of \(O_K\) is a maximal ideal in \(O_K\), and thus we have \(P_i + P_j = O_K\) for any \(i \ne j\). This induces an isomorphism of rings \( O_K/\mathcal{P}_1 \cdots \mathcal{P}_m \cong O_K/\mathcal{P}_1 \times \cdots \times O_K/\mathcal{P}_m \).

Let K and \(O_K\) be as above. Let \(\chi _{\mathrm {secret}}\) and \(\chi _{\mathrm {error}}\) be probabilistic distributions on \(O_K\) and let p be an integer. We denote by \(O_{K, p}\) the residue ring \(O_K/pO_K\). For a probabilistic distribution \(\chi \) on a set X, we write \(a \leftarrow \chi \) when \(a \in X\) is chosen according to \(\chi \). We denote U(X) as the uniform distribution on X. The Ring-LWE distribution on \(O_{K,p}\), denoted by \(\mathrm {RLWE}_{K, p, \chi _{\mathrm {error}}, \chi _{\mathrm {sec}}}\), is defined as a probabilistic distribution that takes elements of the form \((a, as + e)\) with \(a \leftarrow U(O_{K, p})\), \(s \leftarrow \chi _{\mathrm {secret}}\), and with \(e \leftarrow \chi _{\mathrm {error}}\). The Ring-LWE problem has two variants. One is the problem of distinguishing \(\mathrm {RLWE}_{K, p, \chi _{\mathrm {error}}, \chi _{\mathrm {sec}}}\) from \(U(O_{K, p} \times O_{K, p})\), which is called the decision Ring-LWE problem. The other is a problem of finding \(s \in O_{K, p}\), given arbitrarily many samples \((a_i, a_is + e_i) \in O_{K, p} \times O_{K, p}\) chosen according to \(\mathrm {RLWE}_{K, p, \chi _{\mathrm {error}}, \chi _{\mathrm {sec}}}\), which is called the search Ring-LWE problem.

The Ring-LWE problem is expected to be computationally difficult even with quantum computers. It is proved that the decision Ring-LWE problem is equivalent to the search problem if K is a cyclotomic field and if p is a prime number and (almost) splits completely in K [16]. In addition, this equivalence is generalized to the cases where \(K/\mathbb {Q}\) is a Galois extension and where p is unramified in K [6]. Moreover, there is a quantum polynomial-time reduction from the search Ring-LWE to the shortest vector problem on certain ideal lattices.

First, we briefly review cyclotomic fields. For a positive integer m, let \(\zeta _m \in \mathbb {C}\) be a primitive mth root of unity and \(n = \varphi (m)\), where \(\varphi (\cdot )\) denotes Euler’s totient function. Then, \(K := \mathbb {Q}\left( \zeta _m \right) \) is called the mth cyclotomic field. The ring of integers of K coincides with \(R := \mathbb {Z}[\zeta _m]\). Any prime number p that does not divide m is unramified in K, and if \(p \equiv 1\) (mod. m), then p splits completely in K. Here, \(K/\mathbb {Q}\) is a Galois extension of degree \([K : \mathbb {Q}] = n\), and its Galois group \(\mathrm {Gal}(K/\mathbb {Q})\) is isomorphic to \(\left( \mathbb {Z}/m\mathbb {Z}\right) ^{*}\).

Next, we describe the decomposition fields of number fields. Let L be a number field, and suppose that \(L/\mathbb {Q}\) is a Galois extension and that its Galois group \(G := \mathrm {Gal}(L/\mathbb {Q})\) is a cyclic group. Let p be a prime number that is unramified in L and satisfies \(pO_L = \mathcal{P}_1 \cdots \mathcal{P}_g\), where the \(\mathcal{P}_i\)’s are the prime ideals of \(O_L\). Let \(G_Z\) be a subgroup of G that consists of all elements \(\rho \) fixing all \(\mathcal{P}_i\), i.e., \(\rho (\mathcal{P}_i) = \mathcal{P}_i\) for \(1\le i \le g\), and Z is the fixed field of \(G_Z\). Then, we call Z the decomposition field with respect to p. The field Z is a number field and the ring of integers of Z is \(O_Z = O_L \cap Z\). Suppose \(\mathrm {p}_i := O_Z \cap \mathcal{P}_i\). Then, we have \(pO_Z = \mathrm {p}_1 \cdots \mathrm {p}_g\). A generator \(\sigma \) of \(G_Z\) acts on \(O_L/\mathcal{P}_i \cong \mathbb {F}_{p^d}\) as the pth Frobenius map, i.e., \(\sigma (x) \equiv x^p\) (mod. \(\mathcal{P}_i\)) for all \(x \in O_L\) and for \(1 \le i \le g\). Therefore, we have \(O_Z/\mathrm {p}_i \cong \mathbb {F}_p\) and \([Z : \mathbb {Q}] = g\), i.e., p splits completely in Z.

Let K, L, and Z be as above and p be a prime number that is unramified in K and splits completely in Z. Assume that L is the \(\ell \)th cyclotomic field with a prime number \(\ell \). As we mentioned in Sect. 2.2.1, cyclotomic fields are usually used as the underlying number fields of Ring-LWE. From the viewpoint of the efficiency of Ring-LWE based schemes, there are good \(\mathbb {Z}\)-bases of the rings of integers of K and Z [1, 17]. As for the security of the Ring-LWE, in the cases of K and Z, both the equivalence and the reduction mentioned in Sect. 2.2.2.4 are satisfied because both \(K/\mathbb {Q}\) and \(Z/\mathbb {Q}\) are Galois extensions.

The main difference between K and Z is the algebraic structures of their rings of integers modulo p. Because p is unramified in K, we have \(O_{K, p} \cong O_K/\mathcal{P}_1 \times \cdots \times O_K/\mathcal{P}_k\) and \(O_K/\mathcal{P}_i \cong \mathbb {F}_{p^d}\) for \(1 \le i \le k\) and for \(d > 1\), where the \(\mathcal{P}_i\)’s are prime ideals in \(O_K\) lying over p, i.e., \(pO_K = \mathcal{P}_1 \cdots \mathcal{P}_k\). The FV scheme [9], which is an HE scheme based on Ring-LWE, uses \(O_{K, p}\) as its plaintext space, and thus, the FV scheme (or any HE scheme with the same plaintext space) can encrypt and execute several additions of \(dk = n = [K : \mathbb {Q}]\) plaintexts in \(\mathbb {F}_p\) simultaneously. However, the FV scheme cannot execute the multiplication of the same number of plaintexts in \(\mathbb {F}_p\) simultaneously. To execute the multiplication of plaintexts in \(\mathbb {F}_p\), we can only use \(\mathbb {F}_p \times \cdots \times \mathbb {F}_p\) (the direct product of k finite fields) as the plaintext space.

In contrast, because p splits completely in Z, we have \(O_{Z, p} \cong O_Z/\mathrm {p}_1 \times \cdots \times O_Z/\mathrm {p}_g\) and \(O_Z/\mathrm {p}_i \cong \mathbb {F}_p\) for any \(1 \le i \le g\), where the \(\mathrm {p}_i\)’s are prime ideals in \(O_Z\) lying over p. This means that one can encrypt \(g = [Z : \mathbb {Q}]\) plaintexts simultaneously. Moreover, one can execute additions and multiplications of the same number of plaintexts in \(\mathbb {F}_p\) simultaneously. Because the extension degrees g and n are directly related to the ranks of the lattices occurring in known lattice attacks, we should set \(g \approx n\) to compare the security of Ring-LWE over these fields. Therefore, the HE scheme over Z can encrypt and operate d times as many plaintexts as the FV scheme over K simultaneously.

In our experiments, we reduce the search Ring-LWE to a CVP (or approximate CVP) in the same way as Bonnoron et al.’s analysis [3] because the target of Bonnoron et al.’s analysis is Ring-LWE optimized for HE. We describe this approach briefly in the case of decomposition fields. Let \(O_Z\) and p be as in Sect. 2.2.3.1. Set \(q := p^r\) for \(r>1\). Let \(\{ \mu _1, \ldots , \mu _g \}\) be a \(\mathbb {Z}\)-basis of \(O_Z\), which is a good basis, as shown in [1, Lemma 3]. We sample vectors \(\mathbf{a} = (a_1, \ldots , a_g)\), \(\mathbf{s} = (s_1, \ldots , s_g)\) and \(\mathbf{e} = (e_1, \ldots , e_g)\) from \(U(\mathbb {Z}^g)\), \(D_{\mathbb {Z}^g, \sigma _{\mathrm {s}}}\), and \(D_{\mathbb {Z}^g, \sigma _{\mathrm {e}}}\), respectively, where \(D_{\mathbb {Z}^g, \sigma }\) denotes the discrete Gaussian distribution with mean 0 and variance \(\sigma ^2\).

We put \(a := \sum _{1 \le i \le g}a_i\mu _i\), \(s := \sum _{1 \le i \le g}s_i\mu _i\), \(e := \sum _{1 \le i \le g}e_i\mu _i\), and \(b := as + e = \sum _{1 \le i \le g}b_i\mu _i\) (mod. q). Then, (a, b) is a Ring-LWE instance over Z. Note that to use Ring-LWE to construct HE schemes, the value \(\sigma _{\mathrm {s}}\) and \(\sigma _{\mathrm {e}}\) should be sufficiently small because the \(\ell _{\infty }\)-norm \(\Vert \mathbf{s} \Vert _{\infty }\) directly affects the growth of noise after multiplication. In our experiments, we set \(\sigma _{\mathrm {s}} = 1\) and \(\sigma _{\mathrm {e}}^{2} = 8\) according to [14]. By comparing all coefficients of both sides, we get \(\mathbf{A}{} \mathbf{s} + \mathbf{e} = (b_1, \ldots , b_g)^t = \mathbf{b}\), where \(\mathbf{A}\) is a matrix. (For any vector \(\mathbf{v}\), \(\mathbf{v}^t\) means its transpose.) If we set \(\mathbf{A'}\) as \(\left( \mathbf{A} \ \ \mathbf{I} \right) \), then we have \(\mathbf{A'}(\mathbf{s} \ \ \mathbf{e} )^{t} = \mathbf{b}\) (mod. q), where \(\mathbf{I}\) denotes the \(g \times g\) identity matrix. From the choice of \(s_i\)’s and \(e_i\)’s, our target vector \((\mathbf{s} \ \ \mathbf{e} )^{t}\) is a very short vector from among all solutions to \(A'{} \mathbf{y} = \mathbf{b}\), and thus, we can expect that our target vector can be found by solving the (approximate) CVP on the lattice \(\mathcal{L}= \{ \mathbf{x} \in \mathbb {Z}^{2g} \mid \mathbf{A'x} = \mathbf{0} \text{(mod. } q\text{) } \}\) and on \(\mathbf{w} := (\mathbf{0} \ \ \mathbf{b} )^{t}\), which is a solution to \(\mathbf{A'y} = \mathbf{b}\).

We takeas a basis matrix of \(\mathcal{L}\), where \(\mathbf{0}_{g, g}\) denotes the \(g \times g\) zero matrix. We reduce the basis matrix \(\mathbf{B}\) using the LLL and BKZ algorithms with block size \(\beta = 10\). (In practice, \(\beta \) should be 10 or 20.) Let \(\mathbf{B}_{\mathrm {red}}\) be a reduced basis of \(\mathbf{B}\). We input \(\mathbf{B}_{\mathrm {red}}\) and \(\mathbf{w}\) to Babai’s nearest plane algorithm. The quality of the results of Babai’s nearest plane algorithm depends on the quality of the basis reduction algorithms used to compute the reduced input bases, and thus, we compute the root Hermite factor for \(\mathbf{B}_{\mathrm {red}}\).

In contrast, Kannan’s embedding technique takes a basis matrixas input, and we set \(M = 1\) according to the result of an experimental study on Kannan’s embedding technique for LWE [20]. We also use the LLL and BKZ algorithms with \(\beta = 10\) to reduce the above basis matrix.

We used a computer with 2.00 GHz CPUs (Intel(R) Xeon(R) CPU E7-4830 v4 (2.00GHz)x111) and 3 TB memory to conduct the experiments. The OS was Ubuntu 16.04.4. We implemented the code for sampling Ring-LWE instances in SageMath version 7.5.1. We also used Magma V2.23-1 to execute lattice attacks. We took 100 samples and performed lattice attacks on them.

We show our experimental results in Tables 2.1 and 2.2 for \(p = 2\). Table 2.1 shows that there is not a considerable difference between the experimental results of cyclotomic fields and those for decomposition fields. In contrast, Table 2.2 shows that Kannan’s embedding technique is much faster than Babai’s nearest plane algorithm.

This implies that the behaviors of the basis reduction algorithms heavily depend on the structure of the input lattices. This is a reason why experimental analyses are necessary for ensuring the security of lattice-based schemes (or other problems). Table 2.2 also shows that the running times for the decomposition fields become longer than those for cyclotomic fields as g (or \(\ell - 1\)) increases. Therefore, we can expect that decomposition fields provide Ring-LWE that is more secure against the lattice attacks described in Sect. 2.2.4.1 than \(\ell \)th cyclotomic fields because the ranks of the lattices occurring in our experiments are very low compared to the ranks of lattices used in practice. This means that we can use decomposition fields with lower extension degrees than would be needed for \(\ell \)th cyclotomic fields, and the use of such number fields makes Ring-LWE-based schemes more efficient. Therefore, as a result of our analysis, we believe that Ring-LWE over decomposition fields can be used to construct more efficient HE schemes.

We also conducted experiments for decomposition fields with respect to \(p = 3, 5, 7, 11\) to find decomposition fields that provide weak Ring-LWE instances (Fig. 2.2). In these experiments, we could not find decomposition fields that provide weak Ring-LWE.