Twisted-PHS: Using the Product Formula to Solve Approx-SVP in Ideal Lattices

Bernard, Olivier; Roux-Langlois, Adeline

doi:10.1007/978-3-030-64834-3_12

Olivier Bernard^10,11 &
Adeline Roux-Langlois¹⁰

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12492))

Included in the following conference series:

International Conference on the Theory and Application of Cryptology and Information Security

1613 Accesses
6 Citations

Abstract

Approx-Svp is a well-known hard problem on lattices, which asks to find short vectors on a given lattice, but its variant restricted to ideal lattices (which correspond to ideals of the ring of integers $\mathcal {O}_{K}$ of a number field K) is still not fully understood. For a long time, the best known algorithm to solve this problem on ideal lattices was the same as for arbitrary lattice. But recently, a series of works tends to show that solving this problem could be easier in ideal lattices than in arbitrary ones, in particular in the quantum setting.

Our main contribution is to propose a new “twisted” version of the PHS (by Pellet-Mary, Hanrot and Stehlé 2019) algorithm, that we call Twisted-PHS. As a minor contribution, we also propose several improvements of the PHS algorithm. On the theoretical side, we prove that our Twisted-PHS algorithm performs at least as well as the original PHS algorithm. On the practical side though, we provide a full implementation of our algorithm which suggests that much better approximation factors are achieved, and that the given lattice bases are a lot more orthogonal than the ones used in PHS. This is the first time to our knowledge that this type of algorithm is completely implemented and tested for fields of degrees up to 60.

You have full access to this open access chapter, Download conference paper PDF

Log- $$\mathcal {S}$$ -unit Lattices Using Explicit Stickelberger Generators to Solve Approx Ideal-SVP

Approx-SVP in Ideal Lattices with Pre-processing

Some Easy Instances of Ideal-SVP and Implications on the Partial Vandermonde Knapsack Problem

Keywords

1 Introduction

Lattice-based cryptography is one of the most promising post-quantum solution to build cryptographic constructions, as shown by the large number of lattice-based submissions to the recent NIST post-quantum competition. Among those submissions, and the other recent more advanced constructions, several hard problems are used to build the security proofs, such as the Learning With Errors (LWE) problem [Reg05], its ring [SSTX09, LPR10] or module [LS15] variants (respectively Ring-LWE and Module-LWE) or the NTRU problem [HPS98]. In particular the Ring variant of the Learning With Errors problem is widely used as it seems to allow a nice trade-off between security and efficiency. Indeed, it is defined in a ring, usually $R=\mathbb {Z} / \langle x^n + 1\rangle $ for n a power of 2, whose structure allows constructions having a much better efficiency than if based on unstructured problems like LWE. Concerning its hardness, there exists quantum worst-case to average case reductions [SSTX09, LPR10, PRS17] from the approx Shortest Vector Problem on ideal-lattices (Approx-id-Svp) to the Ring-LWE problem.

Approx-Svp is a well-known hard problem on lattices, which asks to find short vectors on a given lattice, but its variant restricted to ideal lattices (corresponding to ideals of the ring of integers R of a number field K) is still not fully understood. For a long time, the best known algorithm to solve this problem on ideal lattices was the same as for arbitrary lattices. The best trade-off in this case is given by Schnorr’s hierarchy [Sch87], which allows to reach an approximation factor $2^{\tilde{O}(n^{\alpha })}$ in time $2^{\tilde{O}(n^{1-\alpha })}$, for $\alpha \in (0,1)$, using the BKZ algorithm. But recently, a series of works [CGS14, EHKS14, BS16, CDPR16, CDW17, DPW19, PHS19a] tends to show that solving this problem could be easier in ideal lattices than in arbitrary ones, in particular in the quantum setting.

Hardness of Approx-SVP on Ideal Lattices. This series of works starts with a claimed result [CGS14] of a quantum polynomial-time attack against a scheme named Soliloquy, which solves the Approx-Svp problem on a principal ideal lattice. The algorithm has two steps: the first one is solving the Principal Ideal Problem (Pip), and finds a generator of the ideal, the second one is solving a Closest-Vector Problem (Cvp) in the log-unit lattice to find the shortest generator of the ideal. On one hand, the results of [EHKS14, BS16] on describing a quantum algorithm to compute class groups and then solve Pip in arbitrary degree number fields allow to have a quantum polynomial-time algorithm for the first step. On the other hand, a work by Cramer et al. [CDPR16] provides a full proof of the correctness of the algorithm described by [CGS14], and then concludes that there exists a polynomial-time quantum algorithm which solve Approx-Svp on ideal lattices for an approximation factor $2^{\tilde{O}(\sqrt{n})}$. In 2017, Cramer, Ducas and Wesolowski [CDW17] show how to use the Stickelberger lattice to generalize this result to any ideal lattice in prime power cyclotomic fields. The practical impact of their result was evaluated by the authors of [DPW19] by running extensive simulations. They conclude that the CDW algorithm should beat BKZ-300 for cyclotomic fields of degree larger than 24000.

In parallel, Pellet-Mary, Hanrot and Stehlé [PHS19a] proposed an extended version of [CDPR16, CDW17] which is now proven for any number fields K. The main feature of their algorithm, that we call PHS, is to use an exponential amount of preprocessing, depending only on K, in order to efficiently combine the two principal resolution steps of [CDW17], namely the Cpmp (Close Principal Multiple Problem) and the Sgp (Shortest Generator Problem). Combining these two steps in a single Cvp instance provides some guarantee that the output of the Cpmp solver has a generator which is “not much larger” than its shortest non-zero vector. Hence, the PHS algorithm in a number field K of degree n and discriminant $\varDelta _{K}$ is split in two phases, given $\omega \in [0,1/2]$:

1.
The preprocessing phase builds a specific lattice, depending only on the field K, together with some hint allowing to efficiently solve Approx-Cvp instances. This phase runs in time $2^{\tilde{O}(\log |{\varDelta _{K}}|)}$ and outputs a hint $\mathcal {V}$ of bit-size $2^{\tilde{O}(\log ^{1-2\omega } |{\varDelta _{K}}|)}$.
2.
The query phase reduces each Approx-id-Svp challenge to an Approx-Cvp instance in this fixed lattice. It takes as inputs any ideal of $\mathcal {O}_{K}$, whose algebraic norm has bit-size bounded by $2^{\mathrm {poly}(\log |{\varDelta _{K}}|)}$, the hint $\mathcal {V}$, and runs in time $2^{\tilde{O}(\log ^{1-2\omega } |{\varDelta _{K}}|)} + {{\,\mathrm{T}\,}}_{\textsf {Su}}(K)$. It outputs a non-zero element x of the ideal which solves Approx-Svp with an approximation factor $ 2^{\tilde{O}(\log ^{\omega +1}|{\varDelta _{K}}|/n)}$.

The term ${{\,\mathrm{T}\,}}_{\textsf {Su}}(K)$ denotes the running time for computing S-unit groups which can then be used to compute class groups, unit groups, and class group discrete logarithms [BS16]. In the quantum world, ${{\,\mathrm{T}\,}}_{\textsf {Su}}(K) = \tilde{O}\bigl (\ln |{\varDelta _{K}}|\bigr )$ is polynomial, as shown in [BS16], building upon [EHKS14]. In the classical world, it remains subexponential in $\ln |{\varDelta _{K}}|$, i.e. ${{\,\mathrm{T}\,}}_{\textsf {Su}}(K) = \exp \tilde{O}(\ln ^{\alpha }|{\varDelta _{K}}|)$, where $\alpha =1/2$ for prime power cyclotomic fields [BEF+17], and $\alpha =2/3$ in the general case [BF14], being recently lowered to 3/5 by Gélin [Gél17].

Forgetting about the preprocessing cost, the query phase beats the traditional Schnorr’s hierarchy [Sch87] when $\log |{\varDelta _{K}}| \le \tilde{O}(n^{1+\varepsilon })$ with $\varepsilon = 1/3$ in the quantum case, and $\varepsilon =1/11$ in the classical case [PHS19a, Fig. 5.3]. It should be noted however that these bounds on the discriminant are not uniform as the approximation factor varies, e.g. for an approximation factor set to $2^{\sqrt{n}}$, the time complexity of the PHS algorithm asymptotically beats Schnorr’s hierarchy only in the quantum case and only for $\varepsilon \le 1/6$.

Our Contribution. Our main contribution is to propose a new “twisted” version of the PHS [PHS19a] algorithm, that we call Twisted-PHS. As a minor contribution, we also propose several improvements of the PHS algorithm, in a optimized version described in Sect. 3.3. On the theoretical side, we prove that our Twisted-PHS algorithm performs at least as well as the original PHS algorithm, using the same Cvp solver using a preprocessing hint by Laarhoven [Laa16].

On the practical side though, we provide a full implementation of our algorithm, which suggests that much better approximation factors are achieved and that the given lattice bases are much more orthogonal than the ones used in [PHS19a]. To our knowledge, this is the first time that this type of algorithm is completely implemented and tested for fields of degrees up to 60. As a point of comparison, experiments of [PHS19a] constructed the log-S-unit lattice for cyclotomic fields of degrees at most 24, all but the last two being principal [PHS19a, Fig. 4.1]. We shall also mention the extensive simulations performed by [DPW19] using the Stickelberger lattice in prime power cyclotomic fields. Adapting these results to our construction is not immediate, as we need explicit S-units to compute our lattice. This is left for future work.

We explain our experiments in Sect. 5, where we evaluate three algorithms: the original PHS algorithm, as implemented in [PHS19b]; our optimized version Opt-PHS (Sect. 3.3), and our new twisted variant Tw-PHS (Sect. 4). We target two families of number fields, namely non-principal cyclotomic fields $\mathbb {Q}(\zeta _{m})$ of prime conductors $m\in [\![{23}, {71} ]\!]$, and NTRU Prime fields $\mathbb {Q}(z_{q})$ where $z_{q}$ is a root of $x^q-x-1$, for $q\in [\![{23}, {47} ]\!]$ prime. These correspond to the range of what is feasible in a reasonable amount of time in a classical setting. For cyclotomic fields, we managed to compute S-units up to $\mathbb {Q}(\zeta _{71})$ for all factor bases in less than a day, and all log-S-unit lattice variants up to $\mathbb {Q}(\zeta _{61})$. For NTRU Prime fields, we managed all computations up to $\mathbb {Q}(z_{47})$.

Experiments. We chose to perform three experiments to test the performances of our Twisted-PHS algorithm, and to compare it with the two other algorithms:

We first evaluate the geometric characteristics of the lattice output by the preprocessing phase: the root Hermite factor $\delta _0$, the orthogonality defect $\delta $, and the average vector basis angle $\theta _{\textsf {avg}}$, as described in details in Sect. 2.5. The last one seems difficult to interpret as it gives similar results in all cases, but the two other seem to show that the lattice output by Twisted-PHS is of better quality than in the two other cases. It shows significantly better root Hermite factor and orthogonality defect than any other lattice.
For our second experiment, we evaluate the Gram-Schmidt log norms of each produced lattice. We propose two comparisons, the first one is before and after BKZ reduction to see the evolution of the norms in each case: it shows that the two curves are almost identical for Twisted-PHS but not for the other PHS variants. The second one is between the lattices output by the different algorithms, after BKZ reduction. The experiments emphasises that the decrease of the log norms seems much smaller in the twisted case than in the two other. Those two observations seem to corroborate the fact that the Twisted-PHS lattice is already quite orthogonal.
Finally, we implemented all three algorithms from end to end and used them on numerous challenges to estimate their practically achieved approximation factors. This is to our knowledge the first time that these types of algorithms are completely run on concrete examples. The results of the experiments, shown in Fig. 1, suggest that the approximation factor reached by our algorithm increases very slowly with the dimension, in a way that could reveal subexponential or even better. We think that this last feature would be particularly interesting to prove.

Technical Overview. We first quickly recall the principle of the PHS algorithm described in [PHS19a], which is split in two phases. The first phase consists in building a lattice that depends only on the number field K and allowing to express any Approx-id-Svp instance in K as an Approx-Cvp instance in the lattice. This preprocessing chooses a factor base $\mathrm {FB}$, and builds an associated lattice consisting in the diagonal concatenation of some log-unit related lattice and the lattice of relations in the class group $\mathrm {Cl}_{K}$ between ideals of $\mathrm {FB}$, with explicit generators. It then computes a hint of constrained size for the lattice to facilitate forthcoming Approx-Cvp queries. Concretely, they suggest to use Laarhoven’s algorithm [Laa16], which for any $\omega \in [0,1/2]$ outputs a hint $\mathcal {V}$ of bit-size bounded by $2^{\tilde{O}(\log ^{1-2\omega }|{\varDelta _{K}}|)}$ that allows to deliver answers for approximation factors $\tilde{O}(\log |{\varDelta _{K}}|^{\omega })$ in time bounded by the bit-size of $\mathcal {V}$ [Laa16, Cor. 1–2]. The second phase reduces the resolution of Approx-id-Svp to a single call to an Approx-Cvp oracle in the lattice output by the preprocessing phase, for any challenge ideal $\mathfrak {b}$ in the maximal order of K. The main idea of this reduction is to multiply the principal ideal output by the Cldl of $\mathfrak {b}$ on $\mathrm {FB}$ by ideals in $\mathrm {FB}$ until a “better” principal ideal is reached, i.e. having a short generator.

Our first contribution is to propose three improvements of the PHS algorithm. The first one consists in expliciting a candidate for the isometry used in the first preprocessing phase to build the lattice, and to use its geometric properties to derive a smaller lattice dimension, while still guaranteeing the same proven approximation factor. The last two respectively modify the composition of the factor base and the definition of the target vector in a way that significantly improves the approximation factor experimentally achieved by the second phase of the algorithm. Although these improvements do not modify the core of PHS algorithm and have no impact on the asymptotics, they nevertheless are of importance in practice, as shown by our experiments in Sect. 5.

We now explain our main contribution, called Twisted-PHS, which is based on the PHS algorithm. As in PHS algorithm, our algorithm relies on the so-called log-S-unit lattice with respect to a collection $\mathrm {FB}$ of prime ideals, called the factor base. This lattice captures local informations on $\mathrm {FB}$, not only on (infinite) embeddings, to reduce a close principal multiple of a target ideal $\mathfrak {b}$ to a principal ideal containing $\mathfrak {b}$ which is guaranteed to have a somehow short generator. The main feature of our algorithm is to use the Product Formula to describe this log-S-unit lattice. This induces two major changes in PHS algorithm:

1.
The first one is twisting the $\mathfrak {p}$-adic valuations by $\ln \mathcal {N}(\mathfrak {p})$, giving weight to the fact that using a relation increasing the valuations at big norm ideals costs more than a relation involving smaller norm ideals.
2.
The second one is projecting the target directly inside the log-S-unit lattice and not only into the unit log-lattice corresponding to fundamental units.

In fact, the way our twisted version uses S-units with respect to $\mathrm {FB}$ to reduce the solution of the Cldl problem can be viewed as a natural generalization of the way classical algorithms reduce principal ideal generators using regular units.

Adding weights $\ln \mathcal {N}(\mathfrak {p})$ to integer valuations at any prime ideal $\mathfrak {p}$ intuitively allows to make a more relevant combination of the S-units we use to reduce the output of the Cldl, quantifying the fact that increasing valuations at big norm prime ideals costs more than increasing valuations at small norm prime ideals. Besides, the product formula induces the possibility to project elements on the whole log-S-unit lattice instead of projecting only on the subspace corresponding to the log-unit lattice. As a consequence, it maintains inside the lattice the size and the algebraic norm logarithm of the S-units. At the end, the Cvp solver in this alternative lattice combines more efficiently the goal of minimizing the algebraic norm for the Cpmp while still guaranteeing a small size for the Sgp solution in the obtained principal multiple.

In Sect. 4, we describe two versions of our Twisted-PHS algorithm. The first one, composed by $\mathcal {A}_{\textsf {tw}\hbox {-}\textsf {pcmp}}^{{\text {(Laa)}}}$ and $\mathcal {A}_{\textsf {tw}\hbox {-}\textsf {query}}^{{\text {(Laa)}}}$ is proven to perform at least as well as the original PHS algorithm with the same Cvp solver using a preprocessing hint by Laarhoven. But in practice, we propose two alternative algorithms $\mathcal {A}_{\textsf {tw}\hbox {-}\textsf {pcmp}}^{{\text {(bkz)}}}$ and $\mathcal {A}_{\textsf {tw}\hbox {-}\textsf {query}}^{{\text {(np)}}}$ with the following differences. Algorithm $\mathcal {A}_{\textsf {tw}\hbox {-}\textsf {pcmp}}^{{\text {(bkz)}}}$ performs a minimal reduction step of the lattice as sole lattice preprocessing to smooth the input basis. Algorithm $\mathcal {A}_{\textsf {tw}\hbox {-}\textsf {query}}^{{\text {(np)}}}$ resorts to Babai’s Nearest Plane algorithm for the Cvp solver role. Experimental evidence in Sect. 5 suggest that these algorithms perform remarkably well, because the twisted description of the log-S-unit lattice seems much more orthogonal than expected. Proving this property would remove, in a quantum setting, the only part that is not polynomial in $\ln |{\varDelta _{K}}|$.

2 Preliminaries

Notations. A vector is designated by a bold letter $\mathbf {v}$, its i-th coordinate by ${v}_{i}$ and its $\ell _{p}$-norm, $p \in \mathbb {N}^{*}\cup \{\infty \}$, by $\Vert {\mathbf {v}}\Vert _{p}$. As a special case, the n-dimensional vector whose coefficients are all 1’s is written $\mathbf {1}_{n}$. All matrices will be given using row vectors, $\mathcal {D}_{\mathbf {v}}$ is the diagonal matrix with coefficients ${v}_{i}$ on the diagonal, $I_{n}$ is the identity and $\mathbf {1}_{n\times n}$ denotes the square matrix of dimension n filled with 1’s.

2.1 Number Fields, Ideals and Class Groups

In this paper, K always denotes a number field of degree n over $\mathbb {Q}$ and $\mathcal {O}_{K}$ its maximal order. The algebraic trace and norm of $\alpha \in K$, resp. denoted by $\mathrm {Tr}(\alpha )$ and $\mathcal {N}(\alpha )$, are defined as the trace and determinant of the endomorphism $x\mapsto \alpha x$ of K, viewed as a $\mathbb {Q}$-vector space. The discriminant of K is written $\varDelta _{K}$ and can be defined, for any $\mathbb {Z}$-basis $\omega _{1}, \dotsc , \omega _{n}$ of $\mathcal {O}_{K}$, as $\det \bigl (\mathrm {Tr}(\omega _i\omega _j)\bigr )_{i,j}$. Most complexities of number theoretic algorithms depend on $\ln |{\varDelta _{K}}|$.

The fractional ideals of K are designated by gothic letters, like $\mathfrak {b}$, and form a multiplicative group $\mathcal {I}_{K}$. The class group $\mathrm {Cl}_{K}$ of K is the quotient group of $\mathcal {I}_{K}$ with its subgroup of principal ideals . The class group is a finite group, whose order $h_{K}$ is called the class number of K. For any ideal $\mathfrak {b}\in \mathcal {I}_{K}$, the class of $\mathfrak {b}$ in $\mathrm {Cl}_{K}$ is denoted by $\bigl [\mathfrak {b}\bigr ]$.

We will specifically target two families of number fields, widely used in cryptography [Pei16]: cyclotomic fields $\mathbb {Q}(\zeta _{m})$, where $\zeta _{m}$ is a primitive m-th root of unity, and NTRU Prime [BCLV17] fields $\mathbb {Q}(z_{q})$, where $z_{q}$ is a root of $x^q-x-1$ for q prime. Both families have discriminants of order $n^n$. More exactly, for cyclotomic fields $\mathcal {O}_{\mathbb {Q}(\zeta _{m})} = \mathbb {Z}[\zeta _{m}]$, so we have [Was97, Pr. 2.7]: $\varDelta _{\mathbb {Q}(\zeta _{m})} = (-1)^{\varphi (m)/2} \tfrac{m^{\varphi (m)}}{\prod _{p\mid m} p^{\varphi (m)/(p-1)}}$.

For NTRU Prime fields, the siuation is marginally more involved, as $\mathbb {Z}[z_{q}]$ is maximal if and only if its discriminant $D_0 = q^q-(q-1)^{q-1}$ [Swa62, Th. 2] is squarefree [Kom75, Th. 4]: $\varDelta _{\mathbb {Q}(z_{q})} = \prod _{p \mid D_0} p^{v_{p}(D_0)\mod *{2}}$, where $p^{v_{p}(D_0)}$ divides exactly $D_0$. Note however that there is strong evidence that such $D_0$’s are generically squarefree, say with probability roughly 0.99 [BMT15, Conj. 1.1]. Actually, we checked that the conductor of $\mathbb {Z}[z_{q}]$ is not divisible by any of the first $10^6$ primes for all $q\le 1000$ outside the set $\{257,487\}$, for which $59^2\mid D_0$.

2.2 The Product Formula

Let $(r_1, r_2)$ be the signature of K with $n = r_1+2r_2$. The real embeddings of K are numbered from $\sigma _1$ to $\sigma _{r_1}$, whereas the complex embeddings come in pairs $\bigl (\sigma _j, \overline{\sigma }_j\bigr )$ for $j \in [\![r_1+1, r_2]\!]$.

Each embedding $\sigma $ of K into $\mathbb {C}$ induces an archimedean absolute value $|{\cdot }|_{\sigma }$ on K, such that for $\alpha \in K$, $|{\alpha }|_{\sigma } = |{\sigma (\alpha )}|$; two complex conjugate embeddings yield the same absolute value. Thus, it is common to identify the set $\mathcal {S}_{\infty }^{}{}$ of infinite places of K with the embeddings of K into $\mathbb {C}$ up to conjugation, so that $\mathcal {S}_{\infty }^{}{} = \bigl \{ \sigma _1, \dotsc , \sigma _{r_1},\sigma _{r_1+1}, \dotsc , \sigma _{r_1+r_2}\bigr \}$. The completion of K with respect to the absolute value induced by an infinite place $\sigma \in \mathcal {S}_{\infty }^{}{}$ is denoted by $K_{\sigma }$; it is $\mathbb {R}$ (resp. $\mathbb {C}$) for real places (resp. complex places).

Likewise, let $\mathfrak {p}$ be a prime ideal of $\mathcal {O}_{K}$ above $p\in \mathbb {Z}$ of residue degree f. For $\alpha \in K$, the largest power of $\mathfrak {p}$ that divides $\langle \alpha \rangle $ is called the valuation of $\alpha $ at $\mathfrak {p}$, and denoted by $v_{\mathfrak {p}}(\alpha )$; this defines a non-archimedean absolute value $|{\cdot }|_{\mathfrak {p}}$ on K such that $|{\alpha }|_{\mathfrak {p}} = p^{-v_{\mathfrak {p}}(\alpha )}$. This absolute value can also be viewed as induced by any of the f embeddings of K into its $\mathfrak {p}$-adic completion $K_{\mathfrak {p}} \subseteq \mathbb {C}_p$, which is an extension of $\mathbb {Q}_p$ of degree f. Hence, the set $\mathcal {S}_{0}^{}{}$ of finite places of K is specified by the infinite set of prime ideals of $\mathcal {O}_{K}$, and Ostrowski’s theorem for number fields ( [Con, Th. 3], [Nar04, Th. 3.3]) states that all non archimedean absolute values on K are obtained in this way, up to equivalence.

Probably the most interesting thing is that these absolute values are tied together by the following product formula ( [Con, Th. 4], [Nar04, Th. 3.5]):

$$\begin{aligned} \prod _{\sigma \in \mathcal {S}_{\infty }^{}{}} |{\alpha }|_{\sigma }^{[K_{\sigma }:\mathbb {R}]} \cdot \prod _{\mathfrak {p}\in \mathcal {S}_{0}^{}{} \supset p\mathbb {Z}} |{\alpha }|_{\mathfrak {p}}^{[K_{\mathfrak {p}}:\mathbb {Q}_p]} \biggl (= \mathcal {N}(\alpha )\cdot \prod _{\mathfrak {p}\in \mathcal {S}_{0}^{}{}} \mathcal {N}(\mathfrak {p})^{-v_{\mathfrak {p}}(\alpha )}\biggr ) = 1. \end{aligned}$$

(21)

As all but finitely many of the $|{\alpha }|_{v}$’s, for $v \in \mathcal {S}_{\infty }^{}{}\cup \mathcal {S}_{0}^{}{}$, are 1, their product is really a finite product. Note that the $\mathcal {S}_{\infty }^{}{}$ part is $|{\mathcal {N}(\alpha )}|$, and each term of the $\mathcal {S}_{0}^{}{}$ part can be written as $\mathcal {N}(\mathfrak {p})^{-v_{\mathfrak {p}}(\alpha )}$. This formula is actually a natural generalization to number fields of the innocuous looking product formula for $r\in \mathbb {Q}$, written as: $|{r}|\cdot \prod _{p \text { prime}} p^{-v_{p}(r)} = 1$.

2.3 Unit Groups

A more thorough version of this section is given in the full version [BR20, § 2.3]. Let $\mathcal {O}_{K}^{\times }$ be the multiplicative group of units of $\mathcal {O}_{K}$, i.e. the group of all elements of K of algebraic norm $\pm 1$, and let $\mu \bigl (\mathcal {O}_{K}^{\times }\bigr )$ be its torsion subgroup of roots of unity of K. Classically, the logarithmic embedding from K to $\mathbb {R}^{r_1+r_2}$ is defined as [Coh93, Def. 4.9.6]: $\mathrm {Log}_{\infty }\alpha = \left( \left[ K_{\sigma }:\mathbb {R}\right] \cdot \ln |{\sigma (\alpha )}| \right) _{\sigma \in \mathcal {S}_{\infty }^{}}.$ Actually, it will be more convenient to use a flat logarithmic embedding from K to $\mathbb {R}^{r_1+2r_2}$, as in [PHS19a, BDPW20], and defined as follows:

$$\begin{aligned} {{\,\mathrm{\overline{Log}}\,}}_{\infty }\alpha = \Bigl ( \bigl \{\ln |{\sigma _i(\alpha )}|\bigr \}_{i\in [\![{1}, {r_1} ]\!]}, \bigl \{\ln |{\sigma _{r_1+j}(\alpha )}|, \ln |{\overline{\sigma }_{r_1+j}(\alpha )}|\bigr \}_{j\in [\![{1}, {r_2} ]\!]}\Bigr ). \end{aligned}$$

(22)

Dirichlet’s unit theorem [Nar04, Th. 3.13] states that $\mathcal {O}_{K}^{\times }$ is a finitely generated abelian group of rank $\nu = r_1+r_2-1$. Further, its image ${{\,\mathrm{\overline{Log}}\,}}_{\infty }\mathcal {O}_{K}^{\times }$ under the flat logarithmic embedding is a lattice, called the log-unit lattice, which spans $H_{0}$, defined as $\mathcal {L}_{0}\cap \mathbb {R}_{0}^{n}$, i.e. the intersection of the trace zero hyperplane of $\mathbb {R}^n$ and of $\mathcal {L}_{0} = \bigl \{\mathbf {y}\in \mathbb {R}^n : {y}_{r_1+2j-1} = {y}_{r_1+2j}, j\in [\![{1}, {r_2} ]\!] \bigr \}$: there exist fundamental torsion-free elements $\varepsilon _{1}, \dotsc , \varepsilon _{\nu } \in \mathcal {O}_{K}^{\times }$ such that:

$$\begin{aligned} \mathcal {O}_{K}^{\times } \simeq \mu \bigl (\mathcal {O}_{K}^{\times }\bigr ) \times \varepsilon _{1}^{\mathbb {Z}} \times \cdots \times \varepsilon _{\nu }^{\mathbb {Z}}. \end{aligned}$$

(23)

Let $\varLambda _{K} = \left( \mathrm {Log}_{\infty }\varepsilon _{i}\right) _{1\le i\le \nu }$ be any $\mathbb {Z}$-basis of $\mathrm {Log}_{\infty }\mathcal {O}_{K}^{\times }$. The regulator of K, written $R_{K}$, quantifies the density of the unit group in K. It is defined as the absolute value of the determinant of $\varLambda _{K}^{(j)}$, where $\varLambda _{K}^{(j)}$ is the submatrix of $\varLambda _{K}$ without the j-th coordinate, for any $j \in [\![{1}, {r_1+r_2} ]\!]$.

On the S-unit Group. The S-unit group generalizes the unit group $\mathcal {O}_{K}^{\times }$ by allowing inverses of elements whose valuations are non zero exactly over a chosen finite set of primes of $\mathcal {S}_{0}^{}{}$. Let $\mathrm {FB}= \bigl \{ \mathfrak {p}_1, \dotsc , \mathfrak {p}_k\bigr \}$ be such a factor basis, and let $\mathcal {O}_{K,\mathrm {FB}}^{\times }$ denote the S-unit group of K with respect to $\mathrm {FB}$. Formally, we have $\mathcal {O}_{K,\mathrm {FB}}^{\times } = \left\{ \alpha \in K: \exists e_{1}, \dotsc , e_{k} \in \mathbb {Z}, \langle \alpha \rangle = \prod \mathfrak {p}_{j}^{e_j}\right\} $. Similarly, we define a flat S-logarithmic embedding [Nar04, §3, p. 98] from K to $\mathcal {L} = \mathcal {L}_{0} \times \mathbb {R}^k$ by:

$$\begin{aligned} {{\,\mathrm{\overline{Log}}\,}}_{\infty ,\mathrm {FB}}\alpha = \Bigl ( {{\,\mathrm{\overline{Log}}\,}}_{\infty }{\alpha },\bigl \{-v_{\mathfrak {p}}(\alpha )\cdot \ln \mathcal {N}(\mathfrak {p})\bigr \}_{\mathfrak {p}\in \mathrm {FB}}\Bigr ). \end{aligned}$$

(24)

From the product formula (21), the image of $\mathcal {O}_{K,\mathrm {FB}}^{\times }$ lies in $H= \mathcal {L}\cap \mathbb {R}_{0}^{n+k}$, the trace zero hyperplane of $\mathcal {L}$. This fact is used to prove the following theorem:

Theorem 2.1

(Dirichlet-Chevalley-Hasse [Nar04, Th. III.3.12]). The S-unit group is a finitely generated abelian group of rank $\sharp {\mathcal {S}_{\infty }^{}{}}+\sharp {\mathrm {FB}}-1$. Further, the image ${{\,\mathrm{\overline{Log}}\,}}_{\infty ,\mathrm {FB}}\bigl ( \mathcal {O}_{K,\mathrm {FB}}^{\times } / \mu \bigl (\mathcal {O}_{K}^{\times }\bigr )\bigr )$ is a lattice which spans the $(\nu +k)$-dimensional space $H$: there exist fundamental torsion-free S-units $\eta _{1}, \dotsc , \eta _{k} \in \mathcal {O}_{K,\mathrm {FB}}^{\times }$ st.:

$$\begin{aligned} \mathcal {O}_{K,\mathrm {FB}}^{\times } \simeq \mu \bigl (\mathcal {O}_{K}^{\times }\bigr ) \times \varepsilon _{1}^{\mathbb {Z}} \times \cdots \times \varepsilon _{\nu }^{\mathbb {Z}}\times \eta _{1}^{\mathbb {Z}} \times \cdots \times \eta _{k}^{\mathbb {Z}}. \end{aligned}$$

Let $\widetilde{\varLambda }_{K,\mathrm {FB}} = \bigl (\{{{\,\mathrm{\overline{Log}}\,}}_{\infty ,\mathrm {FB}} \varepsilon _{i}\},\{{{\,\mathrm{\overline{Log}}\,}}_{\infty ,\mathrm {FB}} \eta _{j}\}\bigr )$ be a row basis of ${{\,\mathrm{\overline{Log}}\,}}_{\infty ,\mathrm {FB}}\mathcal {O}_{K,\mathrm {FB}}^{\times }$, which will be called the log-S-unit lattice. Using that ${{\,\mathrm{\overline{Log}}\,}}_{\infty ,\mathrm {FB}}\varepsilon _{i}$ is uniformly zero on coordinates corresponding to finite places, the shape of $\widetilde{\varLambda }_{K,\mathrm {FB}}$ is:

(25)

Similarly, Theorem 2.1 allows to define the S-regulator $R_{K,\mathrm {FB}}$ of K wrpt. $\mathrm {FB}$ as the absolute value of any of the $(r_1+r_2+k)$ minors of any row basis $\varLambda _{K,\mathrm {FB}}$ of $\mathrm {Log}_{\infty ,\mathrm {FB}}\mathcal {O}_{K,\mathrm {FB}}^{\times }$. The value of $R_{K,\mathrm {FB}}$ is given by the following proposition:

Proposition 2.2

Let $h_{K}^{(\mathrm {FB})}$ the cardinal of the subgroup $\mathrm {Cl}_{K}^{(\mathrm {FB})}$ of $\mathrm {Cl}_{K}$ generated by classes of ideals in $\mathrm {FB}$. Then, the S-regulator $R_{K,\mathrm {FB}}$ can be written as: $R_{K,\mathrm {FB}} = h_{K}^{(\mathrm {FB})}R_{K}\prod _{\mathfrak {p}\in \mathrm {FB}} \ln \mathcal {N}(\mathfrak {p})$.

The proof is given in the full version. We stress that the S-regulator could not be consistently defined anymore if these twistings by the $\ln \mathcal {N}(\mathfrak {p})$’s were removed, as in this case, the property that all columns sum to 0 disappears. Finally, the volume of the log-S-unit lattice is tied to $R_{K,\mathrm {FB}}$ by the following proposition, which generalizes [BDPW20, Lem. A.1], and that we also prove in [BR20]:

Proposition 2.3

Under the flat S-logarithmic embedding, the log-S-unit lattice has volume: $ \mathrm {Vol}\bigl ( {{\,\mathrm{\overline{Log}}\,}}_{\infty ,\mathrm {FB}}\mathcal {O}_{K,\mathrm {FB}}^{\times }\bigr ) = \sqrt{n+k}\cdot 2^{-r_2/2}\cdot h_{K}^{(\mathrm {FB})}R_{K}\prod _{\mathfrak {p}\in \mathrm {FB}} \ln \mathcal {N}(\mathfrak {p})$. Using an empty factor basis, it implies $\mathrm {Vol}\bigl ({{\,\mathrm{\overline{Log}}\,}}_{\infty }\mathcal {O}_{K}^{\times }\bigr )= \sqrt{n}\cdot 2^{-r_2/2}\cdot R_{K}$.

2.4 Algorithmic Number Theory

This section is split into Sect. 2.4 and Sect. 2.5 in the full version [BR20]. The former recalls useful number theoretic bounds and relations, such as the analytic class number formula, allowing to bound $h_{K}R_{K}$ , Bach’s bound on the algebraic norm of class group generators , and the Prime Ideal Theorem on the density of prime ideals . All rely on the Generalized Riemann Hypothesis (GRH). We only recall problem definitions discussed in the latter, the most essential being the Cldl.

Problem 2.4

(Class Group Discrete Logarithm (ClDL) [BS16]). Given a set $\mathrm {FB}$ of prime ideals generating a subgroup $\mathrm {Cl}_{K}^{(\mathrm {FB})}$ of $\mathrm {Cl}_{K}$, and a fractional ideal $\mathfrak {b}$ st. $\bigl [\mathfrak {b}\bigr ]\in \mathrm {Cl}_{K}^{(\mathrm {FB})}$, output $\alpha \in K$ and $v_i \in \mathbb {Z}$ st. $\langle \alpha \rangle = \mathfrak {b}\cdot \prod _{\mathfrak {p}_i\in \mathrm {FB}}\mathfrak {p}_i^{v_i}$.

Problem 2.5

(Close Principal Multiple Problem (CPMP) [CDW17, § 2.2]). Given a fractional ideal $\mathfrak {b}$, output a “reasonably small” integral ideal $\mathfrak {c}$ such that $\bigl [\mathfrak {c}\bigr ] = \bigl [\mathfrak {b}\bigr ]^{-1}$.

Problem 2.6

(Shortest Generator Problem (SGP)). Given $\mathfrak {a}= \langle \alpha \rangle $, principal ideal generated by some $\alpha \in K$, find the shortest $\alpha ' \in \mathfrak {a}$ such that $\mathfrak {a}= \langle \alpha ' \rangle $.

2.5 Lattices Geometry and Hard Problems

Let L be a lattice. For any $p \in \mathbb {N}^{*}\cup \{\infty \}$ and $1\le i\le \dim L$, the i-th minimum $\lambda _{i}^{(p)}(L)$ of L for the $\ell _{p}$-norm is the minimum radius $r>0$ such that $\{ \mathbf {v}\in L: \Vert {\mathbf {v}}\Vert _{p}\le r \}$ has rank i [NV10, Def. 2.13]. For any $\mathbf {t}$ in the span of L, the distance between $\mathbf {t}$ and L is $\mathrm {dist}_{p} (\mathbf {t}, L) = \inf _{\mathbf {v}\in L} \Vert {\mathbf {t}-\mathbf {v}}\Vert _{p}$, and the covering radius of L wrpt. $\ell _{p}$-norm is $\mu _{p} (L) = \sup _{\mathbf {t} \in L\otimes \mathbb {R}} \mathrm {dist}_{p}(\mathbf {t},L)$. For the euclidean norm, we omit $p=2$ most of the time.

A fractional ideal $\mathfrak {b}$ of K can be seen, under the canonical embedding, as a full rank lattice in $\mathbb {R}^n$, called an ideal lattice, of volume $\sqrt{|{\varDelta _{K}}|}\cdot \mathcal {N}(\mathfrak {b})$. The arithmetic-geometric mean inequality, using that $|{\mathcal {N}(\alpha )}|\ge \mathcal {N}(\mathfrak {b})$ for all $\alpha \in \mathfrak {b}$, and the Minkowski’s inequality [NV10, Th. 2.4] imply:

$$\begin{aligned} \mathcal {N}(\mathfrak {b})^{1/n} \le \lambda _{1}^{(\infty )}(\mathfrak {b}) \le \sqrt{|{\varDelta _{K}}|}^{1/n}\mathcal {N}(\mathfrak {b})^{1/n}\end{aligned}$$

(26)

$$\begin{aligned} \sqrt{n}\cdot \mathcal {N}(\mathfrak {b})^{1/n} \le \lambda _{1}^{(2)}(\mathfrak {b}) \le \sqrt{n}\cdot \sqrt{|{\varDelta _{K}}|}^{1/n}\mathcal {N}(\mathfrak {b})^{1/n} \end{aligned}$$

(27)

More precisely, $\lambda _{1}(\mathfrak {b}) \le (1+o(1))\sqrt{2n/\pi e}\cdot \mathrm {Vol}^{1/n}(\mathfrak {b})$, and the Gaussian Heuristic for full rank random lattices [NV10, Def. 2.8] predicts $\lambda _{1}(\mathfrak {b})\approx \sqrt{n/2\pi e}\cdot \mathrm {Vol}^{1/n}(\mathfrak {b})$ on average. In the case of ideal lattices, this yields a pretty good estimation of the shortness of vectors, even if $\lambda _{1}(\mathfrak {b})$ is not known precisely.

We will consider the following algorithmic lattice problems. Both problems can be readily restricted to ideal lattices under the labels Approx-id-Svp and Approx-id-Cvp.

Problem 2.7

(Approximate Shortest Vector Problem (Approx-SVP) [NV10, Pb. 2.2]). Given a lattice L and an approximation factor $\gamma \ge 1$, find a vector $\mathbf {v}\in L$ such that $\Vert {\mathbf {v}}\Vert _{}\le \gamma \cdot \lambda _{1}(L)$.

Problem 2.8

(Approximate Closest Vector Problem (Approx-CVP) [NV10, Pb. 2.5]). Given a lattice L, a target $\mathbf {t}\in L\otimes \mathbb {R}$ and an approximation factor $\gamma \ge 1$, find a vector $\mathbf {v}\in L$ such that $\Vert {\mathbf {t}-\mathbf {v}}\Vert _{} \le \gamma \cdot \mathrm {dist}_{}(\mathbf {t},L)$.

Actually, it will be more convenient to work with a slightly modified version of Approx-Cvp, where the output is required to be at distance absolutely bounded by some B, independently of the target distance to the lattice. By abuse of terminology, we still call this variant Approx-Cvp.

Evaluating the Quality of a Lattice Basis. Let $B=(\mathbf {b}_{1}, \dotsc , \mathbf {b}_{n})$ be a basis of a full rank n-dimensional lattice L, and let the Gram-Schmidt Orthogonalization of B be $\mathrm {GSO}(B)=(\mathbf {b}^{\star }_{1}, \dotsc , \mathbf {b}^{\star }_{n})$. Approximation algorithms usually attempt to compute a good basis of the given lattice, i.e. whose vectors are as short and as orthogonal as possible. These lattice reduction algorithms, such as LLL [LLL82] or BKZ [CN11], try to limit the decrease of the Gram-Schmidt norms $\Vert {\mathbf {b}^{\star }_i}\Vert _{}$: intuitively, a wide gap in this sequence reveals that $\mathbf {b}_i$ is far from orthogonal to $\bigl \langle \mathbf {b}_{1}, \dotsc , \mathbf {b}_{i-1} \bigr \rangle $. Evaluating the quality of a lattice basis is actually a tricky task that depends partly on the targeted problem (see e.g.Xu13). We will use the following geometric metrics:

1.
the root-Hermite factor $\delta _0$ is widely used to measure the performance of lattice reduction algorithms [NS06, GN08, CN11], especially for solving Svp-like problems: $\delta _0^n(B) = \frac{\Vert {\mathbf {b}_1}\Vert _{}}{\mathrm {Vol}^{1/n} L}$. Experimental evidence suggest that on average, LLL achieves $\delta _0^{\textsf {LLL}}\approx 1.02$ [NS06, GN08] and BKZ with block size b achieves $\delta _0^{\textsf {BKZ}_{b}} \approx \bigl (\frac{b}{2\pi e} (\pi b)^{1/b}\bigr )^{1/(2b-2)}$ for $b\ge 50$ [Che13, CN11].
2.
the normalized orthogonality defect $\delta $ [MG02, Def. 7.5] captures the global quality of the basis, not just of the first vector, and is especially useful for $\textsc {Cvp}$-like problems e.g. if the lattice possesses abnormally short vectors: $\delta ^n(B) = \frac{\prod _{i=1}^n \Vert {\mathbf {b}_i}\Vert _{}}{\mathrm {Vol}L}$. For purely orthogonal bases $\delta = 1$, and its smallest possible value is $\bigl (\prod _i \lambda _{i}(L) / \mathrm {Vol}L\bigr )^{1/n} \le \sqrt{1+\frac{n}{4}}$ by Minkowski’s second theorem [NV10, Th. 2.5].
3.
the minimum vector basis angle, defined as [Xu13, Eq. (15)]: $\theta _{\textsf {min}}(B) = \min _{1\le i < j\le n} \min \bigl \{\theta _{ij}, \pi -\theta _{ij}\bigr \}$ for $\theta _{ij} = \frac{\arccos \bigl \langle \mathbf {b}_i, \mathbf {b}_j\bigr \rangle }{\Vert {\mathbf {b}_i}\Vert _{}\Vert {\mathbf {b}_j}\Vert _{}}$. We propose to consider the mean vector basis angle $\theta _{\textsf {avg}}(B)$, which averages over all $\min \bigl \{\theta _{ij}, \pi -\theta _{ij}\bigr \}$.

3 The PHS Algorithm

This section describes the PHS algorithm for solving Approx-id-Svp, as introduced by Pellet-Mary, Hanrot and Stehlé in [PHS19a], and discusses several improvements. The PHS algorithm extends the techniques from [CDPR16, CDW17] to any number field K and is split in two phases:

1.
the preprocessing phase $\mathcal {A}_{\textsf {pre}\hbox {-}\textsf {proc}}$, described in Sect. 3.1, builds a specific lattice together with some hint allowing to efficiently solve Approx-Cvp instances;
2.
the query phase $\mathcal {A}_{\textsf {query}}$, detailed in Sect. 3.2, reduces each Approx-id-Svp challenge to an Approx-Cvp instance in this fixed lattice.

More precisely, under the GRH and several heuristic assumptions detailed in [PHS19a, H. 1–6], they prove the following theorem:

Theorem 3.1

( [PHS19a, Th. 1.1]). Let $\omega \in [0,1/2]$ and K be a number field of degree n and discriminant $\varDelta _{K}$ with a known basis of $\mathcal {O}_{K}$. Under some conjectures and heuristics, there exist two algorithms $\mathcal {A}_{\textsf {pre}\hbox {-}\textsf {proc}}$ and $\mathcal {A}_{\textsf {query}}$ such that:

Algorithm $\mathcal {A}_{\textsf {pre}\hbox {-}\textsf {proc}}$ takes as input $\mathcal {O}_{K}$, runs in time $2^{\tilde{O}(\log |{\varDelta _{K}}|)}$ and outputs a hint $\mathcal {V}$ of bit-size $2^{\tilde{O}(\log ^{1-2\omega } |{\varDelta _{K}}|)}$;
Algorithm $\mathcal {A}_{\textsf {query}}$ takes as inputs any ideal $\mathfrak {b}$ of $\mathcal {O}_{K}$, whose algebraic norm has bit-size bounded by $2^{\mathrm {poly}(\log |{\varDelta _{K}}|)}$, and the hint $\mathcal {V}$ output by $\mathcal {A}_{\textsf {pre}\hbox {-}\textsf {proc}}$, runs in time $2^{\tilde{O}(\log ^{1-2\omega } |{\varDelta _{K}}|)} + {{\,\mathrm{T}\,}}_{\textsf {Su}}(K)$, and outputs a non-zero element $x\in \mathfrak {b}$ such that $\Vert {x}\Vert _{2} \le 2^{\tilde{O}(\log ^{\omega +1}|{\varDelta _{K}}|/n)}\cdot \lambda _{1}(\mathfrak {b})$.

We start by describing the preprocessing phase $\mathcal {A}_{\textsf {pre}\hbox {-}\textsf {proc}}$ in Sect. 3.1, then the query phase together in Sect. 3.2. We thereafter discuss several algorithmic and theoretic minor improvements in Sect. 3.3.

3.1 Preprocessing of the Number Field

From a number field K and a size parameter $\omega \in [0,1/2]$, the preprocessing phase consists in building and preparing a lattice $L_{\textsf {phs}}$ that depends only on the number field K and allows to express any Approx-id-Svp instance in K as an Approx-Cvp instance in $L_{\textsf {phs}}$. The most significant part of this preprocessing is devoted to the computation of a hint of constrained size that can be used to facilitate those forthcoming Approx-Cvp queries.

We first define the lattice which is used in [PHS19a], discuss how the authors derive its dimension from volume considerations, and then expose the full preprocessing algorithm.

Definition of the Lattice $\varvec{L_{\textsf {phs}}}$. Let $\mathrm {FB}= \bigl \{ \mathfrak {p}_{1}, \dotsc , \mathfrak {p}_{k} \bigr \}$ be a set of prime ideals generating the class group $\mathrm {Cl}_{K}$. The lattice $L_{\textsf {phs}}$ proposed in [PHS19a, § 3.1] consists in the diagonal concatenation of some log-unit related lattice and the lattice of relations in $\mathrm {Cl}_{K}$ between ideals of $\mathrm {FB}$, with explicit generators. Formally, it is generated by the $(\nu +k)$ rows of the following square matrix:

(31)

where $f_{H_{0}}$ is an isometry from $H_{0}\subset \mathbb {R}^n$ to $\mathbb {R}^{\nu }$, where $H_{0}$ is the intersection of the span $\mathcal {L}_{0}$ of ${{\,\mathrm{\overline{Log}}\,}}_{\infty }\mathcal {O}_{K}$, i.e. $\mathcal {L}_{0}= \bigl \{ \mathbf {y} \in \mathbb {R}^n: {y}_{r_1+2i-1} = {y}_{r_1+2i}, i \in [\![{1}, {r_2} ]\!]\bigr \}$, and of the trace zero hyperplane $\mathbb {R}_{0}^{n}= \mathbf {1}_{n}^{\perp }$;
the matrix $B_{\varLambda }$ is a row basis of $f_{H_{0}}\bigl ({{\,\mathrm{\overline{Log}}\,}}_{\infty }\mathcal {O}_{K}^{\times }\bigr )$;
the bottom right part of $B_{L\textsf {phs}}$ generates the lattice of all relations in $\mathrm {Cl}_{K}$ between ideals of $\mathrm {FB}$, i.e. is the kernel of $\mathfrak {f}_{\mathrm {FB}} : \bigl (e_{1}, \dotsc , e_{k}\bigr )\in \mathbb {Z}^k \mapsto \prod _j \bigl [\mathfrak {p}_j\bigr ]^{e_j}$;
each row basis vector $\mathbf {v}_i = (v_{i1},\dotsc ,v_{ik})$ of $\ker \mathfrak {f}_{\mathrm {FB}}$ is associated to $\eta _{i} \in K$ such that $\langle \eta _{i} \rangle \cdot \prod _j \mathfrak {p}_j^{v_{ij}} = \mathcal {O}_{K}$, thus $v_{ij}=-v_{\mathfrak {p}_j}(\eta _{i})$, and , where $\pi _{H_{0}}$ is the projection on $H_{0}$ in $\mathbb {R}^n$;
c is a scaling parameter whose value depends on $f_{H_{0}}$ (set later to $n^{3/2}/k$).

The condition that the factor base generates $\mathrm {Cl}_{K}$ guarantees that for any challenge ideal there exists a solution to the Cldl on $\mathrm {FB}$. It can be relaxed to some extent to generate only a small index subgroup of $\mathrm {Cl}_{K}$ like in [CDW17]. As we discuss in more details in [BR20, § 3.1], the choice of the isometry $f_{H_{0}}$ is actually not innocuous, and we exhibit in Sect. 3.3 a candidate with nice properties.

Finally, we detail in the full version a simpler formalism, viewing $L_{\textsf {phs}}$ as generated by the images of the fundamental elements generating $\mathcal {O}_{K,\mathrm {FB}}^{\times }$ under the following isomorphism between $\mathcal {O}_{K,\mathrm {FB}}^{\times }/\mu \bigl (\mathcal {O}_{K}^{\times }\bigr )$ and $L_{\textsf {phs}}\subsetneq \mathbb {R}^{\nu }\times \mathbb {Z}^k$:

$$\begin{aligned} \varphi _{\textsf {phs}}(\alpha ) = \Bigl ( c \cdot f_{H_{0}}\circ \pi _{H_{0}}\bigl ({{\,\mathrm{\overline{Log}}\,}}_{\infty }\alpha \bigr ), \bigl \{ -v_{\mathfrak {p}_i}(\alpha ) \bigr \}_{1\le i \le k}\Bigr ). \end{aligned}$$

(32)

Volume of $\varvec{L_{\textsf {phs}}}$ and Cardinality of FB. It remains to derive an explicit value for the cardinality k of the factor base $\mathrm {FB}$. As detailed in the full version [BR20]:

$$\begin{aligned} \mathrm {Vol}L_{\textsf {phs}}= c^{\nu }\cdot \frac{\sqrt{n}}{2^{r_2/2}} \cdot h_{K}R_{K}. \end{aligned}$$

(33)

The idea is then to choose k such that $\mathrm {Vol}^{1/(\nu +k)}=O(1)$, e.g. by taking $(\nu +k) = \ln \mathrm {Vol}L_{\textsf {phs}}$. Using the analytic class number formula as pointed in Sect. 2.4, and using the fact that c will be later set to $n^{3/2}/k$, $\mathrm {Vol}L_{\textsf {phs}}$ is asymptotically bounded by $\exp \tilde{O}\bigl (\ln |{\varDelta _{K}}| + n\ln \ln |{\varDelta _{K}}|\bigr )$; therefore, $(\nu +k)$ can be set to:

$$\begin{aligned} \nu + k = \max \bigl \{ \nu + \log h_{K}, \ln |{\varDelta _{K}}|+n\ln \ln |{\varDelta _{K}}| \bigr \}. \end{aligned}$$

(34)

The $\log h_{K}$ part is there as a sufficient but not necessary condition ensuring that $\mathrm {Cl}_{K}$ can be generated by $k \ge \log h_{K}$ ideals [PHS19a, Lem. 2.7]. As $h_{K} \le \tilde{O}(\sqrt{|{\varDelta _{K}}|})$, we remark that the second term dominates, so the maximum in the above formula can be ignored; in the associated code [PHS19b], $(k+\nu )$ is explicitly set to $\lfloor \ln |{\varDelta _{K}}| \rfloor $. We stress that in practice the dimension of $L_{\textsf {phs}}$ is quite sensitive to small changes in the value of c or the targeted root volume. We refer to Sect. 3.3 for more details and examples.

Preprocessing Algorithm. Algorithm 3.1 details the complete preprocessing procedure that, from a number field and some precomputation size parameter, chooses a factor base $\mathrm {FB}$, builds the associated matrix $B_{L\textsf {phs}}$, and processes $L_{\textsf {phs}}$ in order to facilitate Approx-Cvp queries.

The dimension k of the factor base and the scaling factor c are set in step 1 as in the published code [PHS19b]. Steps 2 and 3 are a concise version of [PHS19a, Alg. 3.1, st. 1–5]; it basically enlarges a generating set of $\mathrm {Cl}_{K}$ of size $k'\le \log h_{K}$ by picking $(k-k')$ random prime ideals of bounded norms. The crucial point is to invoke the prime ideal theorem to show that taking a bound which is polynomial in k and $\log |{\varDelta _{K}}|$ [PHS19a, Cor. 2.10] is actually sufficient.

The last step consists in preprocessing $L_{\textsf {phs}}$ in order to solve Approx-Cvp instances efficiently. As noted in [PHS19a, p. 6], the problem is easy without any constraint on the size of the output hint. To guarantee a hint size that is not exceeding the query phase time, they suggest to use Laarhoven’s algorithm [Laa16], which outputs a hint $\mathcal {V}$ of bit-size bounded by $2^{\tilde{O}((\nu +k)^{1-2\omega })}$, i.e. $2^{\tilde{O}(\log ^{1-2\omega }|{\varDelta _{K}}|)}$ using $(\nu +k)=\tilde{O}(\log |{\varDelta _{K}}|)$, allowing to deliver the answer for approximation factors $(\nu +k)^{\omega }$ in time bounded by the bit-size of $\mathcal {V}$ [Laa16, Cor. 1–2].

3.2 Query Phase: Solving id-Svp Using the Preprocessing

This section describes the query phase $\mathcal {A}_{\textsf {query}}$ of PHS algorithm; for any challenge ideal $\mathfrak {b}\subseteq K$ having a polynomial description in $\log |{\varDelta _{K}}|$, it reduces the resolution of Approx-id-Svp in $\mathfrak {b}$ to a single call to an Approx-Cvp oracle in $L_{\textsf {phs}}$ as output by the preprocessing phase.

The main idea of this reduction is to multiply the principal ideal output by the Cldl of $\mathfrak {b}$ on $\mathrm {FB}$ by ideals in $\mathrm {FB}$ until a “better” principal ideal is reached, i.e. having a short generator. In $L_{\textsf {phs}}$, it translates into adding vectors of $L_{\textsf {phs}}$ to some target vector derived from $\mathfrak {b}$ until the result is short, hence into solving a Cvp instance. This is formalized in Algorithm 32, which rewrites [PHS19a, Alg. 3.2] to take into account our change of conventions in the definition of $L_{\textsf {phs}}$ and the choice of Laarhoven’s algorithm as the Approx-Cvp oracle [Laa16, § 4.2].

Note that the output of the Cldl in step 1 is a S-unit if and only if $\mathfrak {b}$ is only divisible by prime ideals in the factor base. Each exponent $v_i$ can be expressed as $v_i = v_{\mathfrak {p}_i}(\alpha ) - v_{\mathfrak {p}_i}(\mathfrak {b})$. Then, the target defined in step 2 can be viewed as a drifted by $\beta $ image of $\alpha $ in $L_{\textsf {phs}}$; using the formalism we introduced in Eq. (32), it writes simply as $\mathbf {t}= \varphi _{\textsf {phs}}(\alpha )+\mathbf {b}_{\textsf {phs}}$, where $\mathbf {b}_{\textsf {phs}}=(0,\dotsc ,0, \beta , \dotsc , \beta )$ is non zero only on the k last coordinates. We stress that the role of $\mathbf {b}_{\textsf {phs}}$ in the definition of the target serves a unique purpose: guarantee that $\alpha /s\in \mathfrak {b}$. In practice, this is not an anecdotic condition, and choosing carefully $\beta $ has a significant impact on the length of the output, as we will see in Sect. 3.3. The rest of the proof of correctness, quality and running time of Algorithm 32 is recalled in the full version.

3.3 Optimizing PHS Parameters

In this section, we propose three improvements of the PHS algorithm. The first one consists in expliciting a candidate for $f_{H_{0}}$ and using its geometric properties to derive a smaller lattice dimension, while still guaranteeing the same proven approximation factor. The last two respectively modify the composition of the factor base and the definition of the target vector in a way that drastically improves the approximation factor experimentally achieved by $\mathcal {A}_{\textsf {query}}$.

Although these improvements do not modify the core of PHS algorithm and have no impact on the asymptotics, they nevertheless are of importance in practice, as we will see in Sect. 5.

Expliciting the Isometry: Towards Smaller Factor Bases. We exhibit explicitly a candidate for the isometry $f_{H_{0}}$ going from $H_{0}=\mathbb {R}_{0}^{n}\cap \mathcal {L}_{0}\subseteq \mathbb {R}^n$ to $\mathbb {R}^{\nu }$ and evaluate its effect on the infinity norm. It allows to lower the value of c in Algorithm 32 from $n\sqrt{n}/k$ to $n(1+\ln n)/ k$, inducing a smaller $\mathrm {Vol}L_{\textsf {phs}}$, and in turn implies using a smaller factor base for the same proven approximation factor. We define the isometry $f_{H_{0}}$ as the linear map represented by $\overline{\mathrm {GSO}}^{\mathrm {T}}(M_{H_{0}})$, with:

Actually, $M_{H_{0}}$ is simply a basis of $\mathbb {R}_{0}^{n}\cap \mathcal {L}_{0}$ in $\mathbb {R}^n$, constituted of vectors that are orthogonal to $\mathbf {1}_{n}$ and to each of the $r_2$ independent vectors $\mathbf {v}_j$, $j \in [\![{1}, {r_2} ]\!]$, that sends any $\mathbf {y} \in \mathcal {L}_{0}$ to $\mathbf {0}$ by substracting ${y}_{r_1+2j}$ from its copy ${y}_{r_1+2j-1}$ and forgetting every other coordinate.

We prove that this isometry verifies $\forall \mathbf {h}\in H_{0}$, $\Vert {\mathbf {h}}\Vert _{\infty } \le (1+\ln n) \cdot \Vert {f_{H_{0}}(\mathbf {h})}\Vert _{\infty }$ [BR20, Pr. 3.2]. Hence, as fully explained in [BR20, § 3.3], we can choose:

$$\begin{aligned} c = \max \biggl (1, \frac{(1+\ln n)n}{\sum _{\mathfrak {p}\in \mathrm {FB}}\ln \mathcal {N}(\mathfrak {p})}\biggr ). \end{aligned}$$

(36)

We quantify the gain obtained by this new value of c using several experiments, all described and discussed in the full version of this paper [BR20, Tab. 3.1–2].

Lowering the Factor Base Weight. Second, we suggest choosing the k elements of the factor base as the k prime ideals of least possible norm, instead of randomly picking them up to some polynomial bound. As discussed in the full version, this incidentally lowers the approximation factor, which depends on $\prod _{\mathfrak {p}\in \mathrm {FB}} \mathcal {N}(\mathfrak {p})$.

Formally, this only modifies step 3 of Algorithm 31 as follows. Let $\bigl \{\mathfrak {p}_1, \dotsc , \mathfrak {p}_{k'}\bigr \}$ be a generating set of $\mathrm {Cl}_{K}$, with $k'\le \log h_{K}$, as obtained by the previous step 2. As in Algorithm 31, using the prime ideal theorem yields that we can choose some bound B polynomial in k and $\log |{\varDelta _{K}}|$ such that the set of prime ideals of norm bounded by B contains at least k elements. Then, we order this set by increasing norms, choosing an arbitrary permutation for isonorm ideals, and remove ideals that were already present in $\bigl \{\mathfrak {p}_1, \dotsc , \mathfrak {p}_{k'}\bigr \}$. It remains to extract the first $(k-k')$ elements to obtain our factor base.

There is one issue to consider, namely adapting the justification of [PHS19a, H. 4], relying on $L_{\textsf {phs}}$ being a “somehow random” lattice to derive that $\mu _{\infty }(L_{\textsf {phs}})$ is close to $\lambda _{1}^{(\infty )}(L_{\textsf {phs}})$. We discuss this in more details for Heuristic 4.8 in Sect. 4.2. Moreover, in practice, it is always possible to empirically upper bound the infinity covering radius of $L_{\textsf {phs}}$ to verify that this heuristic holds. For example, as described in [PHS19a, § 4.1]: take sufficiently many random samples $\mathbf {t}_{i}$ in the span of $L_{\textsf {phs}}$ from a continuous Gaussian distribution of sufficiently large deviation; solve Approx-Cvp for the $\ell _{2}$-norm for each of them to obtain vectors $\mathbf {w}_i\in L_{\textsf {phs}}$ close to $\mathbf {t}_i$; finally, majorate $\mu _{\infty }(L_{\textsf {phs}})$ by $\max _i \Vert {\mathbf {t}_i-\mathbf {w}_i}\Vert _{\infty }$. Then, if the expected heuristic behaviour is too far from this estimate, we could still replace one ideal of $\mathrm {FB}$ by an ideal of bigger norm and iterate the process.

Minimizing the Target Drift. Our last suggested improvement modifies the definition of the target vector to take into account the fact that valuations at prime ideals are integers. Hence, the condition enforcing $\alpha /s\in \mathfrak {b}$, which was written as $\forall \mathfrak {p}\in \mathrm {FB}$, $v_{\mathfrak {p}}(\alpha ) - v_{\mathfrak {p}}(s) \ge 0$, can be replaced by the equivalent requirement that $\forall \mathfrak {p}\in \mathrm {FB}$, $v_{\mathfrak {p}}(\alpha ) - v_{\mathfrak {p}}(s) > -1$. Intuitively, this reduces the valuations at prime ideals of the output element by one on average, hence lowering the approximation factor bound. Formally, using the notations of Algorithm 32, we only modify the definition of the target $\mathbf {t}$ in step 2 of Algorithm 32. For any $0<\varepsilon <1$, let $\widetilde{\beta }=(\beta -1+\varepsilon )$ and let $\widetilde{\mathbf {b}}_{\textsf {phs}}=(0,\dotsc ,0, \widetilde{\beta }, \dotsc , \widetilde{\beta })$ with non zero values only on the k last coordinates. The modified target is defined as:

$$\begin{aligned} \widetilde{\mathbf {t}}= \varphi _{\textsf {phs}}(\alpha )+\widetilde{\mathbf {b}}_{\textsf {phs}}= \Bigl (c\cdot f_{H_{0}}\circ \pi _{H_{0}}\bigl ({{\,\mathrm{\overline{Log}}\,}}_{\infty }\alpha \bigr ), \bigl \{-v_i+\widetilde{\beta }\bigr \}_{1\le i \le k}\Bigr ). \end{aligned}$$

(37)

The remaining steps of Algorithm 32 stay unchanged. We have to prove that the output is still correct, i.e. that $\alpha /s\in \mathfrak {b}$, where $\mathbf {w}= \varphi _{\textsf {phs}}(s) \in L_{\textsf {phs}}$ verifies $\Vert {\widetilde{\mathbf {t}}-\mathbf {w}}\Vert _{\infty }\le \beta $. This is done in the following Proposition 3.2, which adapts [PHS19a, Th. 3.3] to benefit from all the improvements of this section. Its proof is moved to [BR20, Pr. 3.5].

Though this adjustment might seem insignificant at first sight, we stress that the induced gain is of order $\prod _{\mathfrak {p}\in \mathrm {FB}} \mathcal {N}(\mathfrak {p})^{1/n}$, which is roughly subexponential in n, and that its impact is very noticeable experimentally. In fact, the quality of the output is so sensitive to this $\widetilde{\beta }$ that we implemented a dichotomic strategy to find, for each challenge $\mathfrak {b}$, the smallest possible translation $\widetilde{\beta }$ that must be applied to $\varphi _{\textsf {phs}}(\alpha )$ to ensure $(\alpha /s) \in \mathfrak {b}$.

Proposition 3.2

Given access to an Approx-Cvp oracle that, on any input, output $\mathbf {w}\in L_{\textsf {phs}}$ at infinity distance at most $\beta $, the modified algorithm $\mathcal {A}_{\textsf {query}}$ using the isometry $f_{H_{0}}$ defined in Eq. (35), the value c defined in Eq. (36), and for any $0<\varepsilon <1$, the modified target $\widetilde{\mathbf {t}}$ defined in Eq. (37), computes $x\in \mathfrak {b}\setminus \{0\}$ such that: $ \Vert {x}\Vert _{2} \le \sqrt{n} \cdot \mathcal {N}(\mathfrak {b})^{1/n} \cdot \exp \biggl [\frac{(\beta +\lfloor 2\beta -1\rfloor )\cdot \sum _{\mathfrak {p}\in \mathrm {FB}}\ln \mathcal {N}(\mathfrak {p})}{n}\biggr ].$

4 Twisted-PHS Algorithm

Our main contribution is to propose a twisted version of the PHS algorithm. The main modification is to use the natural description of the log-S-unit lattice given in Eq. (25) that is deduced from the product formula of Eq. (21).

On the theoretical side, we prove that our twisted-PHS algorithm performs at least as well as the original PHS algorithm with the same Cvp solver using a preprocessing hint by Laarhoven. More precisely:

Theorem 4.1

Let $\omega \in [0,1/2]$ and K be a number field of degree n and discriminant $\varDelta _{K}$. Assume that a basis of $\mathcal {O}_{K}$ is known. Under GRH and heuristics Heuristic 4.8 and 4.9, there exist two algorithms $\mathcal {A}_{\textsf {tw}\hbox {-}\textsf {pcmp}}^{{\text {(Laa)}}}$ and $\mathcal {A}_{\textsf {tw}\hbox {-}\textsf {query}}^{{\text {(Laa)}}}$ such that:

Algorithm $\mathcal {A}_{\textsf {tw}\hbox {-}\textsf {pcmp}}^{{\text {(Laa)}}}$ takes as input $\mathcal {O}_{K}$, runs in time $2^{\tilde{O}(\log |{\varDelta _{K}}|)}$ and outputs a hint $\mathcal {V}$ of bit-size $2^{\tilde{O}(\log ^{1-2\omega } |{\varDelta _{K}}|)}$;
Algorithm $\mathcal {A}_{\textsf {tw}\hbox {-}\textsf {query}}^{{\text {(Laa)}}}$ takes as inputs any ideal $\mathfrak {b}$ of $\mathcal {O}_{K}$, whose algebraic norm has bit-size bounded by $2^{\mathrm {poly}(\log |{\varDelta _{K}}|)}$, and the hint $\mathcal {V}$ output by $\mathcal {A}_{\textsf {tw}\hbox {-}\textsf {pcmp}}^{{\text {(Laa)}}}$, runs in time $2^{\tilde{O}(\log ^{1-2\omega } |{\varDelta _{K}}|)} + {{\,\mathrm{T}\,}}_{\textsf {Su}}(K)$, and outputs a non-zero element $x\in \mathfrak {b}$ such that $\Vert {x}\Vert _{2} \le 2^{\tilde{O}(\log ^{\omega +1}|{\varDelta _{K}}|/n)}\cdot \lambda _{1}(\mathfrak {b})$.

All the results of this section are fully proven in the full version [BR20, §4].

On the practical side though, experimental evidence given in Sect. 5 suggest that we achieve much better approximation factors than expected, and that the given lattice bases are a lot more orthogonal than the ones used in [PHS19a]. Thus, in practice, we propose two alternative algorithms $\mathcal {A}_{\textsf {tw}\hbox {-}\textsf {pcmp}}^{{\text {(bkz)}}}$ and $\mathcal {A}_{\textsf {tw}\hbox {-}\textsf {query}}^{{\text {(np)}}}$: the former applies a minimal reduction strategy as sole lattice preprocessing, and the latter resorts to Babai’s Nearest Plane algorithm for the Cvp solver role.

4.1 Preprocessing of the Number Field

As for the PHS algorithm, the preprocessing phase consists, from a number field K and a size parameter $\omega \in [0,1/2]$, in building and preparing a lattice $L_{\textsf {tw}}$ that depends only on the number field and allows to express any Approx-id-Svp instance in K as an Approx-Cvp instance in $L_{\textsf {tw}}$.

Theoretically, the only difference between the original PHS preprocessing and ours resides in the lattice definition and in the factor base elaboration. Its most significant part still consists in computing a hint of constrained size to facilitate forthcoming Approx-Cvp queries. In practice though, we replace this hint computation by merely a few rounds of BKZ with small block size (see Sect. 5). In a quantum setting this removes the only part that is not polynomial in $\ln |{\varDelta _{K}}|$, and in a classical setting avoids the dominating exponential part.

Defining the Lattice $\varvec{L_{\textsf {tw}}}$: A Full-Rank Version of the log-S-unit Lattice. Let $\mathrm {FB}= \bigl \{\mathfrak {p}_{1}, \dotsc , \mathfrak {p}_{k}\bigr \}$ be a set of prime ideals generating the class group $\mathrm {Cl}_{K}$. The lattice $L_{\textsf {tw}}$ used by our twisted-PHS algorithm is basically the log-S-unit lattice ${{\,\mathrm{\overline{Log}}\,}}_{\infty ,\mathrm {FB}}\mathcal {O}_{K,\mathrm {FB}}^{\times }$ wrpt. $\mathrm {FB}$ under the flat logarithmic embedding, to which we apply an isometric transformation to obtain a full-rank lattice in $\mathbb {R}^{\nu +k}$.

Formally, $L_{\textsf {tw}}$ is defined as the lattice generated by the images of the fundamental elements generating the S-unit group $\mathcal {O}_{K,\mathrm {FB}}^{\times }$, as given by Theorem 2.1, under the following map $\varphi _{\textsf {tw}}$ from K to $\mathbb {R}^{\nu +k}$:

$$\begin{aligned} \varphi _{\textsf {tw}}(\alpha ) = f_{H}\circ \pi _{H}\bigl ( {{\,\mathrm{\overline{Log}}\,}}_{\infty ,\mathrm {FB}} \alpha \bigr ), \end{aligned}$$

(41)

where $f_{H}$ is an isometry from $H\subset \mathbb {R}^{n+k}$ to $\mathbb {R}^{\nu +k}$, with $H$ the intersection of the trace zero hyperplane $\mathbb {R}_{0}^{n+k} = \mathbf {1}_{n+k}^{\perp }$, and of the span of ${{\,\mathrm{\overline{Log}}\,}}_{\infty ,\mathrm {FB}}\mathcal {O}_{K,\mathrm {FB}}^{\times }$, i.e. $\mathcal {L}= \bigl \{\mathbf {y}\in \mathbb {R}^{n+k}:{y}_{r_1+2i-1} = {y}_{r_1+2i}, i\in [\![{1}, {r_2} ]\!]\bigr \}$;
$\pi _{H}$ is the projection on H, in particular it is the identity on the S-unit group.

This map naturally inherits from the homomorphism properties of ${{\,\mathrm{\overline{Log}}\,}}_{\infty ,\mathrm {FB}}$, i.e. $\varphi _{\textsf {tw}}(\alpha \alpha ')=\varphi _{\textsf {tw}}(\alpha )+\varphi _{\textsf {tw}}(\alpha ')$ and $\forall \lambda \in \mathbb {Z}$, $\varphi _{\textsf {tw}}(\alpha ^{\lambda })=\lambda \cdot \varphi _{\textsf {tw}}(\alpha )$, and also defines an isomorphism between $\mathcal {O}_{K,\mathrm {FB}}^{\times }\bigl /\mu \bigl (\mathcal {O}_{K}^{\times }\bigr )$ and $L_{\textsf {tw}}$.

The isometry $f_{H}$ must be carefully chosen in order to control its effect on the $\ell _{\infty }$-norm. Nevertheless, it should be seen as a technicality allowing to work with tools designed for full-rank lattices. Formally, let $f_{H}$ be the linear map represented by $\overline{\mathrm {GSO}}^{\mathrm {T}}(M_{H})$, which denotes the transpose of the Gram-Schmidt orthonormalization of the following matrix:

Actually, $M_{H}$ is simply a basis of $\mathbb {R}_{0}^{n+k}\cap \mathcal {L}$ in $\mathbb {R}^{n+k}$, constituted of vectors that are orthogonal to $\mathbf {1}_{n+k}$ and to each of the $r_2$ independent vectors $\mathbf {v}_j, j\in [\![{1}, {r_2} ]\!]$ that sends any $\mathbf {y}\in \mathcal {L}$ to $\mathbf {0}$ by substracting ${y}_{r_1+2j}$ from its copy ${y}_{r_1+2j-1}$ and forgetting every other coordinate. Hence, graphically, a row basis of $L_{\textsf {tw}}$ is:

(43)

where the first part is the basis $\widetilde{\varLambda }_{K,\mathrm {FB}}$ of ${{\,\mathrm{\overline{Log}}\,}}_{\infty ,\mathrm {FB}}\mathcal {O}_{K,\mathrm {FB}}^{\times }$ defined in Sect. 2.3.

Volume of $\varvec{L_{\textsf {tw}}}$ and Optimal Factor Base Choice. First, we evaluate the volume of $L_{\textsf {tw}}=f_{H}\bigl ({{\,\mathrm{\overline{Log}}\,}}_{\infty ,\mathrm {FB}}\mathcal {O}_{K,\mathrm {FB}}^{\times }\bigr )$. As the isometry $f_{H}$ stabilizes the span of the log-S-unit lattice, it preserves its volume, which is given by Proposition 2.3. Using that ideal classes of $\mathrm {FB}$ generate the class group, hence $h_{K}^{(\mathrm {FB})} = h_{K}$, yields:

$$\begin{aligned} \mathrm {Vol}L_{\textsf {tw}}= \sqrt{n+k}\cdot 2^{-r_2/2}\cdot h_{K}R_{K} \prod _{1\le i\le k} \ln \mathcal {N}(\mathfrak {p}_i). \end{aligned}$$

(44)

Certainly, the volume of $L_{\textsf {tw}}$ is growing with the log norms of the factor base prime ideals, but a remarkable property is that this growth is at first slower than the lattice density increase induced by the bigger dimension. The meaning of this is that we can enlarge the factor base to densify our lattice up to an optimal point, after which including new ideals become counter-productive.

Formally, let $V_{k'}$ denote the reduced volume $\mathrm {Vol}^{1/(\nu +k')}L_{\textsf {tw}}$ for a factor base of size $k'\ge k_0$, where $k_0$ is the number of generators of $\mathrm {Cl}_{K}$. We have:

$$\begin{aligned} V_{k'+1} = V_{k'} \cdot \Bigl (\sqrt{1+\tfrac{1}{n+k'}}\cdot \frac{\ln \mathcal {N}(\mathfrak {p}_{k'+1})}{V_{k'}}\Bigr )^{1/(\nu +k'+1)}. \end{aligned}$$

(45)

This shows that $V_{k'+1} < V_{k'}$ is equivalent to $\ln \mathcal {N}(\mathfrak {p}_{k'+1}) < V_{k'}\Bigl /\sqrt{1+\tfrac{1}{n+k'}}$. Using this property, Algorithm 41 outputs a factor base maximizing the density of $L_{\textsf {tw}}$.

First, for a fixed factor base of size k, we compare the reduced volume $V_{k}$ of $L_{\textsf {tw}}$ with the reduced volume of $L_{\textsf {phs}}$, denoted .

Lemma 4.2

We have: $\dfrac{V_{k}}{V_{\textsf {phs}}} \le \dfrac{e^{1/ne}}{k} \cdot \sum _{\mathfrak {p}\in \mathrm {FB}}\ln \mathcal {N}(\mathfrak {p})$.

This means that the gap between the reduced volume of the twisted lattice and the reduced volume of the untwisted lattice evolves roughly as the arithmetic mean of the $\ln \mathcal {N}(\mathfrak {p})$. We stress that this bound is valid for any k.

Although the reduced volume significantly decreases in the first loop iterations, reaching precisely the minimum value can be very gradual, so that it might be clever to early abort the loop in Algorithm 41 when the gradient is too low, or truncate the output to at most $k'=\tilde{O}(\ln |{\varDelta _{K}}|)$. We quantify the fact that the density loss is at most constant in the worst case in the following result.

Lemma 4.3

Let $k' = C\bigl (\ln |{\varDelta _{K}}| + n \ln \ln |{\varDelta _{K}}|\bigr )$. Let $V_{\textsf {min}}$ be the minimum reduced volume output by $\mathcal {A}_{\textsf {tw}\hbox {-}\textsf {FB}}$, and suppose $V_{\textsf {min}}$ is reached for some $k > k'$, then $V_{k'} \le e^{1/C+1/ne}\cdot V_{\textsf {min}}$.

Proposition 4.4

Algorithm $\mathcal {A}_{\textsf {tw}\hbox {-}\textsf {FB}}$ terminates in time ${{\,\mathrm{T}\,}}_{\textsf {Su}}(K) + \mathrm {poly}(\ln |{\varDelta _{K}}|)$ and outputs a factor base of size $k = \mathrm {poly}(\ln |{\varDelta _{K}}|)$ using $B=\mathrm {poly}(\ln |{\varDelta _{K}}|)$.

In practice, experiments of Sect. 5 report that the dimensions of the factor bases output by $\mathcal {A}_{\textsf {tw}\hbox {-}\textsf {FB}}$ are significantly smaller than those showed in [BR20, Tab. 3.1–2] for the (optimized) PHS algorithm, so that Lemma 4.3 is never triggered.

Preprocessing Algorithm. Algorithm 42 details the complete preprocessing procedure that, from a number field and some precomputation size parameter, chooses a factor base $\mathrm {FB}$, builds the associated matrix $B_{L\textsf {tw}}$, and processes $L_{\textsf {tw}}$ in order to facilitate Approx-Cvp queries.

This Tw-PHS preprocessing differs from the original PHS preprocessing given in Algorithm 31 on two aspects: the factor base, output by $\mathcal {A}_{\textsf {tw}\hbox {-}\textsf {FB}}$ in step 1 and which is essentially much smaller in practice, and the new twisted lattice in step 3.

The last two alternative steps consists in preprocessing $L_{\textsf {tw}}$ in order to solve Approx-Cvp instances efficiently. Theoretically, we retain in step 4 the same approach as in step 6 of the original PHS preprocessing Algorithm 31, that guarantees a hint size not exceeding the query phase time using Laarhoven’s algorithm [Laa16]. This outputs a hint $\mathcal {V}$ of bit size bounded by $2^{\tilde{O}(\nu +k)^{1-2\omega }}$, i.e. $2^{\tilde{O}(\log ^{1-2\omega }|{\varDelta _{K}}|)}$ using $(\nu +k)=\tilde{O}(\log |{\varDelta _{K}}|)$, allowing to deliver the answer for approximation factors $(\nu +k)^{\omega }$ in time bounded by the bit size of $\mathcal {V}$ [Laa16, Cor. 1–2]. This theoretic version will be denoted by $\mathcal {A}_{\textsf {tw}\hbox {-}\textsf {pcmp}}^{{\text {(Laa)}}}$.

Nevertheless, in practice the twisted lattice output by Algorithm 42 incidentally appears to be a lot more orthogonal than expected. That’s the reason why we suggest to replace the exponential step 4 of Algorithm 42 by step 5, which performs some polynomial lattice reduction using a small block size BKZ. In a quantum setting this removes the only part that is not polynomial in $\ln |{\varDelta _{K}}|$, and in a classical setting avoids the dominating exponential part. This practical version will be denoted by $\mathcal {A}_{\textsf {tw}\hbox {-}\textsf {pcmp}}^{{\text {(bkz)}}}$.

4.2 Query Phase

This section describes the query phase $\mathcal {A}_{\textsf {tw}\hbox {-}\textsf {query}}$ of the Tw-PHS algorithm. As for the query phase of the original PHS algorithm, it reduces the resolution of Approx-id-Svp in $\mathfrak {b}$, for any challenge ideal $\mathfrak {b}\subseteq K$ having a polynomial description in $\log |{\varDelta _{K}}|$, to a single call to an Approx-Cvp oracle in $L_{\textsf {tw}}$ as output by the preprocessing phase. The main idea of this reduction remains to multiply the principal ideal generator output by the Cldl of $\mathfrak {b}$ on $\mathrm {FB}$ by elements of $\mathcal {O}_{K,\mathrm {FB}}^{\times }$ until we reach a principal ideal having a short generator. This translates into adding vectors of $L_{\textsf {tw}}$ to some target vector derived from $\mathfrak {b}$ until the result is short, hence into solving a Cvp instance in the log-S-unit lattice $L_{\textsf {tw}}$.

The essential difference of the Tw-PHS version lies in the definition of this target, which is adapted in order to benefit from the twisted description of the log-S-unit lattice. This is formalized in Algorithm 43.

Note that the output of the Cldl in step 1 is not a S-unit unless $\mathfrak {b}$ is divisible only by prime ideals of $\mathrm {FB}$. For each i, $v_i = v_{\mathfrak {p}_i}(\alpha ) - v_{\mathfrak {p}_i}(\mathfrak {b})$. For convenience and without any loss of generality we shall assume that $\mathfrak {b}$ is coprime with all elements of the factor base, i.e. $\forall \mathfrak {p}\in \mathrm {FB}$, $v_{\mathfrak {p}}(\mathfrak {b}) = 0$. In that case, the target in step 2 writes naturally as $\mathbf {t}= \varphi _{\textsf {tw}}(\alpha ) + f_{H}\bigl (\mathbf {b}_{\textsf {tw}}\bigr ).$ This target definition calls a few comments. First, the output of the Cldl is projected on the whole log-S-unit lattice instead of only on the log-unit sublattice, hence maintaining its length and algebraic norm logarithms in the instance scope. Thus, the way our algorithm uses S-units to reduce the solution of the Cldl problem can be seen as a smooth generalization of the way traditional Sgp solvers use regular units to reduce the solution of the Pip as in [CDPR16]. Second, the sole purpose of the drift by $\mathbf {b}_{\textsf {tw}}$ is to ensure that $\alpha /s\in \mathfrak {b}$. Adapting its definition to the twisted setting is slightly tedious and deferred to the next paragraph. The most notable novelty is that we force the use of a drift that is inside the log-S-unit lattice span. This somehow captures and compensates for the perturbation induced on infinite places for correcting negative valuations on finite places using S-units.

Finally, as already mentioned, $L_{\textsf {tw}}$ seems much more orthogonal in practice than expected, so that we advise to resort to Babai’s Nearest Plane algorithm for solving Approx-Cvp in $L_{\textsf {tw}}$, instead of using Laarhoven’s query phase with the precomputed hint. We only keep Laarhoven’s algorithm to theoretically prove the correctness and complexity of our new algorithm. The theoretical and practical versions of $\mathcal {A}_{\textsf {tw}\hbox {-}\textsf {query}}$ are respectively denoted by $\mathcal {A}_{\textsf {tw}\hbox {-}\textsf {query}}^{{\text {(Laa)}}}$ and $\mathcal {A}_{\textsf {tw}\hbox {-}\textsf {query}}^{{\text {(np)}}}$.

We now detail explicitly our target choice, from which we deduce the correctness and the output quality of Algorithm 43, as fully proven in [BR20].

Definition of the Target Vector. Recall that we assumed that $\mathfrak {b}$ is coprime with $\mathrm {FB}$, hence $f_{H}^{-1}(\mathbf {t}) = \pi _{H}\bigl ({{\,\mathrm{\overline{Log}}\,}}_{\infty ,\mathrm {FB}}\alpha \bigr ) + \mathbf {b}_{\textsf {tw}}$, for some $\mathbf {b}_{\textsf {tw}}\in H$ that must ensure $\alpha /s\in \mathfrak {b}$, for $s = \varphi _{\textsf {tw}}^{-1}(\mathbf {w})$ and when $\Vert {f_{H}^{-1}(\mathbf {t}-\mathbf {w})}\Vert _{\infty }\le \widetilde{\beta }$. Indexing coordinates by places, we exhibit $\mathbf {b}_{\textsf {tw}}= \bigl (\{b_{\sigma }\}_{\sigma \in \mathcal {S}_{\infty }^{}{}\cup \overline{\mathcal {S}}_{\infty }^{}{}},\{b_{\mathfrak {p}}\}_{\mathfrak {p}\in \mathrm {FB}}\bigr )$, where:

(46)

It is easy to verify that all coordinates sum to 0, i.e. $\mathbf {b}_{\textsf {tw}}\in H$. We now explain this choice, first showing that under the above hypotheses, Algorithm 43 is correct.

Proposition 4.5

Given access to an Approx-Cvp oracle that on any input $\mathbf {t}$, outputs $\mathbf {w}\in L_{\textsf {tw}}$ st. $\Vert {f_{H}^{-1}(\mathbf {t}-\mathbf {w})}\Vert _{\infty } \le \widetilde{\beta }$, $\mathcal {A}_{\textsf {tw}\hbox {-}\textsf {query}}$ outputs $x\in \mathfrak {b}\setminus \{0\}$.

The proof of Proposition 4.5 also quantifies the intuition that the output element has smaller valuations at big norm prime ideals. In particular, strictly positive valuations occur only for ideals st. $\ln \mathcal {N}(\mathfrak {p})\le \widetilde{\beta }$. This has a very valuable consequence: estimating the $\ell _{\infty }$-norm covering radius of $L_{\textsf {tw}}$ allows to control the prime ideal support of any optimal solution. Hence, even if the Approx-Cvp cannot reach $\mu _{\infty }(L_{\textsf {tw}})$, it is possible to confine the algebraic norm of each query output by not including in $\mathrm {FB}$ the prime ideals whose log-norm would in fine exceed $\mu _{\infty }(L_{\textsf {tw}})$, and at which the optimal solution provably has a null valuation. Roughly speaking, this is what $\mathcal {A}_{\textsf {tw}\hbox {-}\textsf {FB}}$ tends to achieve in Algorithm 41.

Translating Infinite Coordinates. As already mentionned, one important novelty consists in forcing the drift used to ensure $\alpha /s\in \mathfrak {b}$ to be inside the log-S-unit span. The underlying intuition is that “correcting” negative valuations at finite primes should only involve S-units. We modelize this by splitting the weight of the $b_{\mathfrak {p}}$’s evenly across the infinite places coordinates, hence obtaining Eq. (46). This heuristically presumes that S-units absolute value logarithms are generically balanced on infinite places. Let us summarize our target definition:

Quality of the Output of $\varvec{\mathcal {A}_{\textsf {tw}\hbox {-}\textsf {query}}^{{\text {(Laa)}}}}$. To bound the quality of the output of Algorithm 43, the general idea is that minimizing the distance of our target to the twisted lattice directly minimizes the p-adic absolute values $-v_{\mathfrak {p}}(\alpha )\ln \mathcal {N}(\mathfrak {p})$ instead of minimizing the valuations $v_{\mathfrak {p}}(\alpha )$ independently of $\ln \mathcal {N}(\mathfrak {p})$.

This makes use of the following log-S-unit lattice structure lemma, adapting its log-unit lattice classical equivalent [PHS19a, Lem. 2.11–12], [CDPR16, § 6.1]:

Lemma 4.6

For $\alpha \in K$, let . Decompose $\langle \alpha \rangle $ on $\mathrm {FB}$ as $\mathfrak {b}\cdot \prod _{\mathfrak {p}\in \mathrm {FB}} \mathfrak {p}^{v_{\mathfrak {p}}(\alpha )}$, with $\mathfrak {b}$ coprime to $\mathrm {FB}$. Then ${{\,\mathrm{\overline{Log}}\,}}_{\infty ,\mathrm {FB}}\alpha = \mathbf {h}_{\alpha } + \tfrac{\ln \mathcal {N}(\mathfrak {b})}{n+k}\cdot \mathbf {1}_{n+k}$. Furthermore, the length of $\alpha $ is bounded by:

$$\begin{aligned} \Vert {\alpha }\Vert _{2} \le \sqrt{n} \cdot \mathcal {N}(\mathfrak {b})^{1/(n+k)} \cdot \exp \Bigl [\ \max _{1\le j\le n} {(\mathbf {h}_{\alpha })}_{j}\Bigr ]. \end{aligned}$$

Note that using the max of the coordinates of $\mathbf {h}_{\alpha }$ instead of its $\ell _{\infty }$-norm norm acknowledges for the fact that logarithms of small infinite valuations can become large negatives that should be ignored when evaluating the length of $\alpha $.

Theorem 4.7

Given access to an Approx-Cvp oracle that on any input $\mathbf {t}$, outputs $\mathbf {w}\in L_{\textsf {tw}}$ st. $\Vert {f_{H}^{-1}(\mathbf {t}-\mathbf {w})}\Vert _{\infty } \le \widetilde{\beta }$, $\mathcal {A}_{\textsf {tw}\hbox {-}\textsf {query}}$ computes $x\in \mathfrak {b}\setminus \{0\}$ such that $\Vert {x}\Vert _{2}\le \sqrt{n}\cdot \mathcal {N}(\mathfrak {b})^{1/n}\cdot \exp \left[ \frac{(n+k)\widetilde{\beta }- \sum _{\mathfrak {p}\in \mathrm {FB}}\ln \mathcal {N}(\mathfrak {p})}{n} \right] $.

This outperforms the bound of Proposition 3.2 if $(n+k)\cdot \widetilde{\beta }\le 2\beta \cdot \sum _{\mathfrak {p}\in \mathrm {FB}}\ln \mathcal {N}(\mathfrak {p})$. In particular, this is implied by Lemma 4.2 if ${\widetilde{\beta }}/{\beta }\approx {V_{k}}/{V_{\textsf {phs}}}$ for $k\ge n$. We will see that under some reasonable heuristics, this is indeed the case when using the same factor base, and that experiments suggest a much broader gap. One intuitive reason for this behaviour is that the covering radius of our twisted lattice grows at a slower pace than the log-norm of the prime ideals of $\mathrm {FB}$.

Heuristic Evaluation of $\varvec{\widetilde{\beta }}$. Proving the second part of Theorem 4.1 necessitates to evaluate $\widetilde{\beta }$. This evaluation rely on several heuristics that adapt heuristics [PHS19a, H. 4–6]. We argue that the arguments developped in [PHS19a, §4] to support these heuristics can be transposed to our setting, as fully discussed in the full version, and both heuristics are validated by experiments in Sect. 5.

Heuristic 4.8

(Adapted from [PHS19a, H. 4]). The $\ell _{\infty }$-norm covering radius of $L_{\textsf {tw}}$ is $O\bigl ( \mathrm {Vol}^{1/(\nu +k)} L_{\textsf {tw}}\bigr )$. Likewise, $\mu _{2}(L_{\textsf {tw}}) = O\bigl (\sqrt{\nu +k}\cdot \mathrm {Vol}^{1/(\nu +k)} L_{\textsf {tw}}\bigr )$.

This assumption relies on $L_{\textsf {tw}}$ to behave like a random lattice. Heuristically, prime ideals of $\mathrm {FB}$ represent uniform random classes in $\mathrm {Cl}_{K}$, and S-units archimedean absolute value logarithms are likely to be uniform in $\mathbb {R}^n\bigl /{{\,\mathrm{\overline{Log}}\,}}_{\infty }\mathcal {O}_{K}^{\times }$.

Heuristic 4.9

(Adapted from [PHS19a, H. 5–6]). With non-negligible probability over the input target vector $\mathbf {t}$, the vector $\mathbf {w}$ output by Laarhoven’s algorithm satisfies $\Vert {f_{H}^{-1}(\mathbf {t}-\mathbf {w})}\Vert _{\infty }\le O\bigl (\ln (n+k)/\sqrt{n+k}\bigr )\cdot \Vert {\mathbf {t}-\mathbf {w}}\Vert _{2}$.

This heuristic conveys the idea that coefficients of the output of Laarhoven’s algorithm are somehow balanced, so that $\Vert {\mathbf {w}}\Vert _{2}\approx \sqrt{n+k}\cdot \Vert {f_{H}^{-1}(\mathbf {w})}\Vert _{\infty }$. In our setting, this is justified by assuming $\mathbf {t}$ is uniformly distributed in $\bigl (\mathbb {R}\otimes L_{\textsf {tw}}\bigr )/L_{\textsf {tw}}$, and can be randomized by multiplying $\mathfrak {b}$ by small ideals coprime to $\mathrm {FB}$.

5 Experimental Data

This is the first time to our knowledge that this type of algorithm is completely implemented and tested for fields of degrees up to 60. As a point of comparison, the experiments of [PHS19a] constructed the log-S-unit lattice $L_{\textsf {phs}}$ for cyclotomic fields of degrees at most 24 and $h_{K}\le 3$, all but the last two being principal [PHS19a, Fig. 4.1].

Hardware and Library Description. All S-units and class group computations, for the log-S-unit lattice description and the Cldl resolution, were performed using Magma v2.24-10 [BCP97].^{Footnote 1} The BKZ reductions and Cvp/Svp computations used fplll v5.3.2 [The16]. All other parts of the experiments rely on SageMath v9.0 [The20]. All the sources and scripts are available as supplementary material on https://github.com/ob3rnard/Twisted-PHS. The experiments took less than a week on a server with 36 cores and 768 GB RAM.

Targeted Algorithms. We evaluate three algorithms: the original PHS algorithm, as implemented in [PHS19b]; our optimized version Opt-PHS described in Sect. 3.3, and our new twisted variant Tw-PHS, which is described in Sect. 4. This yields three different lattices, respectively denoted by $L_{\textsf {phs}}$, $L_{\textsf {opt}}$ and $L_{\textsf {tw}}$. Note that there are a few differences between [PHS19a] and its implementation in [PHS19b], but we chose to stick to the provided implementation as much as possible.

In order to separate the improvements due to $\mathcal {A}_{\textsf {tw}\hbox {-}\textsf {FB}}$ outputting smaller factor bases from those purely induced by our specific use of the product formula to describe the log-S-unit lattice, we also built lattices and corresponding to PHS and Opt-PHS algorithms, but using the same factor base as $L_{\textsf {tw}}$.

Number Fields. As announced in Sect. 2.1, we consider two families of number fields, namely non-principal cyclotomic fields $\mathbb {Q}(\zeta _{m})$ of prime conductors $m\in [\![{23}, {71} ]\!]$, and NTRU Prime fields $\mathbb {Q}(z_{q})$ where $z_{q}$ is a root of $x^q-x-1$, for $q\in [\![{23}, {47} ]\!]$ prime. These correspond to the range of what is feasible in a reasonable amount of time, as the asymptotics of ${{\,\mathrm{T}\,}}_{\textsf {Su}}(K)$ rapidly speak in a classical setting.

For cyclotomic fields, we managed to compute S-units up to $\mathbb {Q}(\zeta _{71})$ for all factor bases in less than a day, and all log-S-unit lattice variants up to $\mathbb {Q}(\zeta _{61})$. For NTRU Prime fields, we managed all computations up to $\mathbb {Q}(z_{47})$.

BKZ Reductions and Cvp Solving. We applied the same reduction strategy to all of our lattices. Namely, lattices of dimension less than 60 were HKZ reduced, while lattices of greater dimension were reduced using at most 300 loops of BKZ with block size 40. This yields reasonably good bases for a small computational cost [CN11, p. 2]. Note the loop limit was in practice never hit.

For Cvp computations, we applied with these reduced bases Babai’s Nearest Plane algorithm, as described in [Gal12, § 18.1, Alg. 26].

Precision Issues. Choosing the right bit precision for floating point arithmetic in the experiments is particularly tricky. We generically used at most 500 bits of precision in our experiments (corresponding to the lattice volume logarithm in base 2 plus some extra margin). There are two notable exceptions:

1.
The S-units wrpt. $\mathrm {FB}$ can have huge coefficients. Computing the absolute values of their embeddings must then be performed at very high precision. All our lattice constructions were conducted using 10000 bits of precision.
2.
Computing the target involves the challenge and the Cldl solution, whose coefficients are potentially huge rational numbers, up $2^{25000}$ for e.g. $\mathbb {Q}(\zeta _{53})$. As above, we adjust the precision in order to obtain sensible values.

In all cases, once in the log space the resulting high precision data can be rounded back to the generic precision before lattice reduction or Cvp computations.

5.1 Geometric Characteristics

First, we evaluated the geometric characteristics of each produced lattice, using indicators recalled in Sect. 2.5, namely: the root Hermite factor $\delta _0$, the orthogonality defect $\delta $, and the minimum $\theta _{\textsf {min}}$ (resp. average $\theta _{\textsf {avg}}$) vector basis angle. Each of these indicators is declined before and after BKZ reduction to compare their evolution. We also evaluated experimentally the relevance of Heuristic 4.8 and 4.9, according to the protocol we detailed in the full version [BR20]. Example results are given in Table 1 for NTRU Prime fields, aside the lattices dimension $d=\nu +k$ and reduced volume $V^{1/d}$. Extensive data can be found in the full version [BR20, Tab. B.1–2] for both cyclotomic and NTRU primes fields.

Table 1. Geometric characteristics of log-S-unit lattices for NTRU Prime field $\mathbb {Q}(z_{47})$.

Full size table

Orthogonality Indicators. We first remark that the minimum and average vector basis angles seem difficult to interpret. They are slightly better for the NTRU Prime field but it is harder to extract a general tendency for cyclotomic fields.

After a light BKZ reduction, twisted lattices show significantly better root Hermite factor and orthogonality defect than any other log-S-unit lattice representations, even when the lattices have the same dimension, i.e. when the same factor base is used. Second, the evolution of the orthogonality defect before and after the reduction is more restricted in the twisted case than in the others. In particular, we observe that the BKZ-reduced versions of and have bigger orthogonality defects than the unreduced $L_{\textsf {tw}}$. This last observation is true for all NTRU Prime fields we tested except $\mathbb {Q}(z_{23})$.

These two phenomenons (better values and small variations) are particularly clear for NTRU Prime fields. We remark that in this case, the twisted version of the log-S-unit lattice fully expresses, since for NTRU Prime fields most factor base elements have distinct norms. On the contrary, factor bases for our targeted cyclotomic fields are composed of one (or two, as for $\mathbb {Q}(\zeta _{59})$) Galois orbits whose elements all have the same norm. Finally, we stress that reducing $L_{\textsf {tw}}$ lattices is much faster in practice than reducing and . This is corroborated by the graphs of the Gram-Schmidt log norms in Sect. 5.2.

5.2 Plotting Gram-Schmidt Log Norms

For our second experiment, we evaluate the Gram-Schmidt norms of each produced lattice. We propose two comparisons, the first one is before and after BKZ reduction to see the evolution of the norms in each case at iso factor bases in Fig. 2, and the second one is between the different lattices (after BKZ reduction) in Fig. 3. Again, extensive data for other examples can be found in [BR20, § B.2] for both cyclotomic fields and NTRU Prime fields.

We first remark that in Fig. 2 the two curves, before and after BKZ reduction, are almost superposed for the Twisted-PHS lattice. This does not seem to be the case for the two other PHS variants we consider here.

Since the volume of $L_{\textsf {tw}}$ is bigger, by roughly the average log norm of the factor base elements by Lemma 4.2, the Gram-Schmidt log norms of our bases have bigger values. The important phenomenon to consider is how these log norms decrease. Figure 3 emphasises that the decrease of the Gram-Schmidt log norms is very limited in the twisted case, compared to other cases (with iso factor base on the left, and the original algorithms on the right), where the decrease of the log norms seems significant. This observation seems to corroborate the fact that the twisted-PHS lattice is already quite orthogonal.

Finally, we note that both phenomenons do not depend on the lattices having the same dimension.

5.3 Approximation Factors

We implemented all three algorithms from end to end and used them on numerous challenges to estimate their practically achieved approximation factors. This is to our knowledge the first time that these types of algorithms are completely run on concrete examples.

Ideal Svp challenges and Cl dl computations. For each targeted field, we chose 50 prime ideals $\mathfrak {b}$ of prime norm q. Indeed, these are the most interesting ideals: in the extreme opposite case, taking $\mathfrak {b}$ inert of norm $q^n$ implies that q reaches the lower bound of Eq. (27), as $\Vert {q}\Vert _{2} = \sqrt{n}\cdot q$, hence the id-Svp solution is trivial.

We then tried to solve the Cldl for these challenges wrpt. all targeted factor bases. We stress that, using Magma, S-units computations for the Cldl become harder as the norm of the challenge grows. This is especially true when the factor base inflates, hence providing an additional motivation for taking as small as possible factor bases. Therefore, we restricted ourselves to challenges of norms around 100 bits. Computing the Cldl solutions for these challenges revealed much harder than computing S-units on all factor bases, which contain only relatively small prime ideals. As a consequence, we were able to compute the Cldl step only up to $\mathbb {Q}(\zeta _{53})$ (partially) and $\mathbb {Q}(z_{47})$.

Query Algorithm. We exclusively used Babai’s Nearest Plane algorithm on the BKZ reduced bases of all log-S-unit lattices to solve the Approx-Cvp instances. Actually, the hardest computational task was to compute the output $\alpha /s$, which necessitates a multi-exponentiation over huge S-units. As a particular point of interest, we stress that using directly the drift proposed in [PHS19a] would be especially unfair. Hence, for a challenge $\mathfrak {b}$, the target drifts $\mathbf {b}_{\textsf {phs}}$, $\widetilde{\mathbf {b}}_{\textsf {phs}}$ and $\mathbf {b}_{\textsf {tw}}$ were all minimized using an iterative dichotomic approach on $\beta $ and $\widetilde{\beta }$, taking a bigger value if the output $x \notin \mathfrak {b}$, and a smaller value if $x\in \mathfrak {b}$. After 5 iterations, the shortest x that verified $x\in \mathfrak {b}$ is returned.

Results. Figure 1 and 4 report the obtained approximation factors. Note that for these dimensions, it is still possible to exactly solve id-Svp in the Minkowski space, so that these graphs show real approximation factors. We stress that we used a logarithmic scale to represent on the same graphs the performances of the Twisted-, Opt-PHS and PHS algorithms. The figures suggest that the approximation factor reached by our algorithm increases very slowly with the dimension, in a way that could reveal subexponential or even better. This feature would be particularly interesting to prove.

As a final remark, we point out that increasing the factor base for our Twisted-PHS algorithm has very little impact on the quality of the output. This is expected, since the log norm of the prime ideals constrain the valuation of the output, as in the proof of Proposition 4.5 [BR20]. On the contrary, increasing the factor base for the PHS and Opt-PHS variants clearly sabotages the quality of their output, as their lattice description is blind to these prime norms.

Notes

1.
Note that SageMath is significantly faster than Magma for computing class groups, but behaves surprisingly poorly when it comes to computing S-units.

References

Bernstein, D.J., Chuengsatiansup, C., Lange, T., van Vredendaal, C.: NTRU prime: reducing attack surface at low cost. In: Adams, C., Camenisch, J. (eds.) SAC 2017. LNCS, vol. 10719, pp. 235–260. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-72565-9_12
Chapter Google Scholar
Bosma, W., Cannon, J., Playoust, C.: The Magma algebra system. I. The user language. J. Symbolic Comput. 24(3–4), 235–265 (1997). Computational algebra and number theory (London, 1993)
Google Scholar
de Boer, K., Ducas, L., Pellet-Mary, A., Wesolowski, B.: Random Self-reducibility of Ideal-SVP via Arakelov Random Walks. Cryptology ePrint Archive, Report 2020/297 (2020)
Google Scholar
Biasse, J.-F., Espitau, T., Fouque, P.-A., Gélin, A., Kirchner, P.: Computing generator in cyclotomic integer rings. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 60–88. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_3
Chapter MATH Google Scholar
Biasse, J., Fieker, C.: Subexponential class group and unit group computation in large degree number fields. LMS J. Comput. Math. 17(A), 385–403 (2014)
Google Scholar
Boyd, D.W., Martin, G., Thom, M.: Squarefree values of trinomial discriminants. LMS J. Comput. Math. 18(1), 148–169 (2015)
Article MathSciNet Google Scholar
Bernard, O., Roux-Langlois, A.: Twisted-PHS: Using the Product Formula to Solve Approx-SVP in Ideal Lattices (full version). Cryptology ePrint Archive, Report 2020/1081 (2020). https://eprint.iacr.org
Biasse, J.-F., Song, F.: Efficient quantum algorithms for computing class groups and solving the principal ideal problem in arbitrary degree number fields. In: SODA, pp. 893–902. SIAM (2016)
Google Scholar
Cramer, R., Ducas, L., Peikert, C., Regev, O.: Recovering short generators of principal ideals in cyclotomic rings. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 559–585. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_20
Chapter MATH Google Scholar
Cramer, R., Ducas, L., Wesolowski, B.: Short stickelberger class relations and application to ideal-SVP. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 324–348. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_12
Chapter Google Scholar
Campbell, P., Groves, M., Shepherd, D.: Soliloquy: a cautionary tale (2014). http://docbox.etsi.org/Workshop/2014/201410_CRYPTO/S07_Systems_and_Attacks/S07_Groves_Annex.pdf
Chen, Y.: Réduction de réseau et sécurité concrète du chiffrement complètement homomorphe. Ph.D. thesis, Paris 7 (2013)
Google Scholar
Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_1
Chapter Google Scholar
Cohen, H.: A Course in Computational Algebraic Number Theory. Graduate Texts in Mathematics, vol. 138. Springer, Heidelberg (1993)
Book Google Scholar
Conrad, K.: Ostrowski for number fields. In Expository papers on Algebraic Number Theory. https://kconrad.math.uconn.edu/blurbs/gradnumthy/ostrowskinumbfield.pdf
Ducas, L., Plançon, M., Wesolowski, B.: On the shortness of vectors to be found by the ideal-SVP quantum algorithm. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 322–351. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_12
Chapter Google Scholar
Eisenträger, K., Hallgren, S., Kitaev, A.Y., Song, F.: A quantum algorithm for computing the unit group of an arbitrary degree number field. In: STOC, pp. 293–302. ACM (2014)
Google Scholar
Galbraith, S.D.: Mathematics of Public Key Cryptography. Cambridge University Press, Cambridge (2012)
Book Google Scholar
Gélin, A.: Calcul de groupes de classes d’un corps de nombres et applications à la cryptologie. Ph.D. thesis, UPMC Paris 6 (2017)
Google Scholar
Gama, N., Nguyen, P.Q.: Predicting lattice reduction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 31–51. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_3
Chapter Google Scholar
Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054868
Chapter Google Scholar
Komatsu, K.: Integral bases in algebraic number fields. Journal für die reine und angewandte Mathematik 1975(278–279), 137–144 (1975)
MathSciNet MATH Google Scholar
Laarhoven, T.: Sieving for closest lattice vectors (with preprocessing). In: Avanzi, R., Heys, H. (eds.) SAC 2016. LNCS, vol. 10532, pp. 523–542. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-69453-5_28
Chapter Google Scholar
Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261, 515–534 (1982)
Article MathSciNet Google Scholar
Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1
Chapter Google Scholar
Langlois, A., Stehlé, D.: Worst-case to average-case reductions for module lattices. Des. Codes Crypt. 75(3), 565–599 (2014). https://doi.org/10.1007/s10623-014-9938-4
Article MathSciNet MATH Google Scholar
Micciancio, D., Goldwasser, S.: Complexity of Lattice Problems. The Springer International Series in Engineering and Computer Science, vol. 671. Springer, Boston (2002). https://doi.org/10.1007/978-1-4615-0897-7
Book MATH Google Scholar
Narkiewicz, W.: Elementary and Analytic Theory of Algebraic Numbers. Springer Monographs in Mathematics. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-662-07001-7
Book MATH Google Scholar
Nguyen, P.Q., Stehlé, D.: LLL on the average. In: Hess, F., Pauli, S., Pohst, M. (eds.) ANTS 2006. LNCS, vol. 4076, pp. 238–256. Springer, Heidelberg (2006). https://doi.org/10.1007/11792086_18
Chapter Google Scholar
Nguyen, P.Q., Vallée, B. (eds.): The LLL Algorithm. Information Security and Cryptography. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-02295-1
Book MATH Google Scholar
Peikert, C.: A decade of lattice cryptography. Found. Trends Theor. Comput. Sci. 10(4), 283–424 (2016)
Article MathSciNet Google Scholar
Pellet-Mary, A., Hanrot, G., Stehlé, D.: Approx-SVP in ideal lattices with pre-processing. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 685–716. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_24
Chapter MATH Google Scholar
Pellet-Mary, A., Hanrot, G., Stehlé, D.: Published code of “Approx-SVP in Ideal Lattices with Pre-processing” (2019). https://apelletm.github.io/code/code-approx-ideal-svp.zip/
Peikert, C., Regev, O., Stephens-Davidowitz, N.: Pseudorandomness of ring-LWE for any ring and modulus. In: STOC, pp. 461–473. ACM (2017)
Google Scholar
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: STOC, pp. 84–93. ACM (2005)
Google Scholar
Schnorr, C.: A hierarchy of polynomial time lattice basis reduction algorithms. Theor. Comput. Sci. 53, 201–224 (1987)
Article MathSciNet Google Scholar
Stehlé, D., Steinfeld, R., Tanaka, K., Xagawa, K.: Efficient public key encryption based on ideal lattices. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 617–635. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_36
Chapter Google Scholar
Swan, R.G.: Factorization of polynomials over finite fields. Pacific J. Math. 12(3), 1099–1106 (1962)
Article MathSciNet Google Scholar
The FPLLL development team: FPLLL, a lattice reduction library (2016). https://github.com/fplll/fplll
The Sage Developers: SageMath, the Sage Mathematics Software System (Version 9.0) (2020). https://www.sagemath.org
Washington, L.C.: Introduction to Cyclotomic Fields. Graduate Texts in Mathematics, vol. 83. Springer, New York (1997). https://doi.org/10.1007/978-1-4612-1934-7
Book MATH Google Scholar
Xu, P.: Experimental quality evaluation of lattice basis reduction methods for decorrelating low-dimensional integer least squares problems. EURASIP J. Adv. Signal Process. 137–165, 2013 (2013)
Google Scholar

Download references

Acknowledgements

We thank Thomas Ricosset for valuable discussions on the geometry of lattices. Part of this work was performed while the first author was visiting Alice Pellet-Mary and Damien Stehlé at LIP, ENS Lyon for six weeks. This work is supported by the European Union PROMETHEUS project (Horizon 2020 Research and Innovation Program, grant 780701).

Author information

Authors and Affiliations

Univ Rennes, CNRS, IRISA, Rennes, France
Olivier Bernard & Adeline Roux-Langlois
Thales, Gennevilliers, Laboratoire CHiffre, Gennevilliers, France
Olivier Bernard

Authors

Olivier Bernard
View author publications
You can also search for this author in PubMed Google Scholar
Adeline Roux-Langlois
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding authors

Correspondence to Olivier Bernard or Adeline Roux-Langlois .

Editor information

Editors and Affiliations

Network Security Research Institute (NICT), Tokyo, Japan
Shiho Moriai
Nanyang Technological University, Singapore, Singapore
Huaxiong Wang

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Bernard, O., Roux-Langlois, A. (2020). Twisted-PHS: Using the Product Formula to Solve Approx-SVP in Ideal Lattices. In: Moriai, S., Wang, H. (eds) Advances in Cryptology – ASIACRYPT 2020. ASIACRYPT 2020. Lecture Notes in Computer Science(), vol 12492. Springer, Cham. https://doi.org/10.1007/978-3-030-64834-3_12

Download citation

DOI: https://doi.org/10.1007/978-3-030-64834-3_12
Published: 05 December 2020
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-64833-6
Online ISBN: 978-3-030-64834-3
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

the International Association for Cryptologic Research (opens in a new tab)