
On the quantum security of high-dimensional RSA protocol

  • Nour-eddine Rahmani, Taoufik Serraj, Moulay Chrif Ismaili and Abdelmalek Azizi
Published/Copyright: November 11, 2024

Abstract

The idea of extending the classical RSA protocol using algebraic number fields was introduced by Takagi and Naito (Construction of RSA cryptosystem over the algebraic field using ideal theory and investigation of its security. Electron Commun Japan Part III Fund Electr Sci. 2000;83:19–29). Recently, Zheng et al. proposed the use of the ring of algebraic integers of an algebraic number field and lattice theory to present a high-dimensional form of RSA. The authors claim that their proposal is post-quantum and is significant from both the theoretical and the practical point of view. In this article, we prove that the security of Zheng et al.’s scheme is still based on the factorization problem, and we present a practical quantum attack on the proposed scheme. Our attack is a quantum polynomial time algorithm that employs Shor’s algorithm as a subroutine.

MSC 2010: 11Y40; 11T71; 94A60

1 Introduction

Over the past three decades, information and communication technologies have changed our everyday life in different areas, and many services are provided online. In order to secure sensitive data exchanged or stored over public networks, many symmetric and asymmetric cryptographic techniques are used. Nowadays, Advanced Encryption Standard (AES), Rivest-Shamir-Adleman (RSA) encryption and Elliptic Curve Cryptography (ECC) are examples of schemes widely used for this purpose. Due to the rapid development of quantum technology in recent years and according to Grover’s algorithm [1], the impact of quantum algorithms on symmetric cryptographic primitives is not expected to be as severe as that of Shor’s algorithm [2] on number-theoretic public key constructions such as RSA and its underlying integer factorization problem. As a result, the current emphasis in post-quantum cryptography is on public-key cryptography. However, especially during the future standardization process, it is critical to consider the diversity of cryptographic primitives and the underlying hard mathematical problems. The approaches have been either to study new alternatives to public-key cryptosystems based on the integer factorization and discrete logarithm problems or to extend the existing schemes to become post-quantum.

In 2005, Regev introduced the learning with errors (LWE) problem [3] and showed that one can construct a public key scheme whose security is based on the LWE problem, but the scheme was not efficient for practical use. In 2010, Lyubashevsky et al. introduced Ring-LWE [4], a variant of LWE [3], and showed an efficient practical scheme construction using elements of the ring of integers of an algebraic number field. The search version of LWE (resp. Ring-LWE) is: given $(A, b)$ such that $A$ is uniformly sampled from $\mathbb{Z}^{m \times n}$ (resp. $A$ is uniformly sampled from $R$, where $R$ is the ring of integers of a number field $K$) and $b = As + e \bmod q$, where $s \in \mathbb{Z}^n$ and $e \in \mathbb{Z}^m$ (resp. $s \in R$ and $e \in R$) follow some specific distributions $D_s$, $D_e$ and $q$ is an integer modulus, the goal is to find $s$ or $e$. We refer the reader to previous studies [4–8] for more details about algebraically structured variants in the literature.

Nowadays, lattice-based constructions are considered to be promising alternatives; indeed, there are two digital signatures (Falcon [9] and CRYSTALS-Dilithium [10]) and one key-encapsulation mechanism (CRYSTALS-Kyber [11][1]) based on hard lattice problems, which were selected to be standardized by National Institute of Systems and Technologies (NIST) in 2022 [12]. Analysing lattice constructions is still an open topic; many algorithms to solve lattice problems have been improved in the last 20 years, without any success in solving the problem in lattices of high dimensions [13–15], but they have led to more accurate estimates of the hardness of such a lattice instance. (For NTRU cryptanalysis, we refer the reader to [16,17].)

In 1986, the idea to extend RSA to higher dimensions was introduced in the literature; later, in 2015, Takagi and Naito [18] demonstrated a variant of RSA in algebraic number fields; however, this requires the ring of algebraic integers to be a Euclidean ring, a requirement that is significantly more stringent than the class number one condition.

Zhiyong et al. [19] proposed a new cryptosystem in number fields similar to the RSA cryptosystem, claiming that the system’s security depends on the problem of factoring ideals in the number field in question, which is, according to their claim, much more difficult than the factorization of integers in the ring of integers $\mathbb{Z}$. As a result, they present their construction as a new member of the post-quantum constructions. In this article, we prove that factorization in the ring of integers $\mathbb{Z}$ is as hard as factorization in the ring of integers $\mathcal{O}_K$ of any number field $K$. This fact enables us to propose a quantum attack on the high-dimensional RSA system.

The rest of the article is organized as follows: Section 2 recalls some notions on algebraic number theory and Euclidean lattices, and Section 3 briefly reviews the high-dimensional RSA encryption scheme. The proposed attack and the corresponding security and efficiency analysis are presented and discussed in Section 4. Finally, a conclusion is provided. An implementation using the PARI/GP system is given in the Appendix.

2 Preliminaries

This section recalls some notions and known results related to algebraic number fields and lattices. We denote by $I_n$ the identity square matrix of $n$ rows and $n$ columns, by $0_{n,m}$ the zero matrix of $n$ rows and $m$ columns (we omit $m$ when $m = n$), by $\|\cdot\|$ the Euclidean norm of a vector $x = (x_1, \ldots, x_n) \in \mathbb{R}^n$, $\|x\| = \sqrt{\sum_{i=1}^{n} x_i^2}$, and by $^t$ the transpose for matrices and vectors.

2.1 Algebraic number theory

A field $K$ that contains $\mathbb{Q}$ is called an extension of $\mathbb{Q}$. The dimension of $K$ as a $\mathbb{Q}$-vector space is called the degree of the extension and is denoted by $[K : \mathbb{Q}]$. If the degree is finite, then we call $K$ an algebraic number field.

The set $\{ y \in K \mid \exists P \text{ monic} \in \mathbb{Z}[X] : P(y) = 0 \}$ is called the ring of integers of $K$; it is a ring under the induced operations of $K$ and it is denoted by $\mathcal{O}_K$. $K$ is called a Galois number field if for every irreducible $P \in \mathbb{Q}[X]$, if $P$ has a root in $K$, then all the other roots[2] are in $K$. ($P$ splits into simple polynomials[3] in $K$.) Let us denote by $\mathrm{Gal}(K/\mathbb{Q})$ the Galois group of $K$, which is the set of $K$-automorphisms that fix $\mathbb{Q}$. It is known that the number of automorphisms is equal to the degree of the number field $K$, $\mathrm{Gal}(K/\mathbb{Q}) = \{ \sigma : K \to K \mid \sigma(x) = x, \forall x \in \mathbb{Q} \}$. The norm $N$ and trace $\mathrm{Tr}$ of an element $x$ of $K$ are defined as follows: $N(x) = \prod_{\sigma \in \mathrm{Gal}(K/\mathbb{Q})} \sigma(x)$ and $\mathrm{Tr}(x) = \sum_{\sigma \in \mathrm{Gal}(K/\mathbb{Q})} \sigma(x)$. Finally, the discriminant of $K$ is defined as $\Delta_K = \det\big( (\mathrm{Tr}(b_i b_j))_{1 \le i, j \le n} \big)$ for a basis $B = \{ b_1, \ldots, b_n \}$.[4]

Example 1

The number field $K = \mathbb{Q}(\zeta_n)$ such that $\zeta_n = e^{2i\pi/n}$ is a primitive $n$th root of unity, i.e., a root of $\Phi_n(x) = \prod_{1 \le k < n,\ \gcd(k,n) = 1} (x - \zeta_n^k)$, is called the $n$-th cyclotomic number field. It is known that $K/\mathbb{Q}$ is a Galois number field of degree $\varphi(n)$, where $\varphi$ is the Euler totient function.

We have the following facts from algebraic number theory:

Let $K$ denote a number field of degree $n$; then the following properties hold:

  1. There exists an $\alpha$ in $K$ such that $K = \mathbb{Q}(\alpha)$; such an element is called a primitive element of $K$, and $K$ is isomorphic to $\mathbb{Q}[X]/(\phi_\alpha(X))$, where $\phi_\alpha(X) \in \mathbb{Q}[X]$ is the minimal polynomial of $\alpha$.

  2. Each ideal $p\mathbb{Z}$ for a prime number $p$ of $\mathbb{Z}$ has a unique decomposition into a product of prime ideals $P_i$ in $\mathcal{O}_K$:

    $$(p) = p\mathcal{O}_K = \prod_{i=1}^{g} P_i^{e_i},$$

    where $e_i$ is called the index of ramification of $P_i$ over $p$ and $g$ is the number of prime ideals of $K$ over $p$.

  3. The index $[\mathcal{O}_K/P_i : \mathbb{Z}/p\mathbb{Z}]$ is finite; it is denoted by $f_i$ and called the inertia degree of $P_i$ over $p$, and we have $N(P_i) = p^{f_i}$.

  4. We have $n = \sum_{i=1}^{g} e_i f_i$, and if $K$ is Galois, then there exist $f$ and $e$ in $\mathbb{N}^*$ such that $f_i = f$ and $e_i = e$ for every $i$, which implies $n = efg$. We simply call $e$ and $f$ the index of ramification of $p$ and the inertia degree of $p$, respectively.

  5. It is known that for a prime ideal $P$ of $\mathcal{O}_K$ above a prime number $p$ in $\mathbb{Z}$, its norm is $N_{K/\mathbb{Q}}(P) = p^{f_P}$, where $f_P$ is the residual degree of $P$ above $p$. Also, for our work, we will use the following important property: for an ideal $A$ in $\mathcal{O}_K$ such that there exists a set of prime ideals $P_1, \ldots, P_k$ in $\mathcal{O}_K$ with $A = \prod_{i=1}^{k} P_i$, we have

    $$N(A) = \prod_{i=1}^{k} N(P_i).$$

    In particular, if $A = P_1 P_2$ for two prime ideals $P_1$ and $P_2$ in $\mathcal{O}_K$ above two integer primes $p_1$ and $p_2$ respectively, we have

    $$N(A) = p_1^{f_1} p_2^{f_2},$$

    where $f_1$ and $f_2$ are the inertia degrees of $P_1$ and $P_2$ above $p_1$ and $p_2$, respectively.

  6. The number of invertible elements of $(\mathcal{O}_K/P_i)/(\mathbb{Z}/p\mathbb{Z})$ is $N(P_i) - 1$, and in general for an ideal $A = \prod_i P_i^{e_i}$ of $\mathcal{O}_K$, we have $N(A) = \prod_i N(P_i^{e_i})$ and the number of invertible elements of $\mathcal{O}_K/A$ is $\prod_i N(P_i)^{e_i - 1} (N(P_i) - 1)$. In particular, for $A$ as in point 5, the number of invertible elements of $\mathcal{O}_K/A$ is $(N(P_1) - 1)(N(P_2) - 1)$.

For proofs of the last propositions, we refer the reader to the study of Washington [21].

The following theorem tells us how to compute such a prime decomposition in K .

Theorem 1

[22] Let $K$ be a number field such that $K = \mathbb{Q}(\alpha)$ for $\alpha \in \mathcal{O}_K$ defined by an irreducible polynomial $P(X) \in \mathbb{Q}[X]$, and let $q$ be a prime number in $\mathbb{Z}$ such that [5] $q \nmid [\mathcal{O}_K : \mathbb{Z}[\alpha]]$. Suppose that

$$P(X) = \prod_{i=1}^{g} g_i(X)^{e_i} \bmod q,$$

then $q$ splits in $\mathcal{O}_K$ as follows:

$$q\mathcal{O}_K = \prod_{i=1}^{g} (g_i(\alpha), q)^{e_i},$$

and $f_i = \deg(g_i)$, $\forall i$.

To decompose a prime integer $p$ in a number field $K$, it suffices to factor the minimal polynomial that defines $K$ modulo $p$, and this can be done in polynomial time (see Section 3.4, p. 124, in Cohen [23]).
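Theorem 1 in code, as an added example (it is not from the article or its PARI/GP appendix): the degrees of the irreducible factors of the defining polynomial modulo $q$, obtained by distinct-degree factorization, are the inertia degrees $f_i$. The function names are ours; the code assumes $q$ does not divide the index $[\mathcal{O}_K : \mathbb{Z}[\alpha]]$ and rejects primes for which the polynomial is not squarefree modulo $q$.

```python
# Polynomials are coefficient lists, lowest degree first, with entries mod q.

def trim(f):
    """Drop leading zero coefficients in place and return the list."""
    while f and f[-1] == 0:
        f.pop()
    return f

def poly_sub(f, g, q):
    n = max(len(f), len(g))
    f = f + [0] * (n - len(f))
    g = g + [0] * (n - len(g))
    return trim([(a - b) % q for a, b in zip(f, g)])

def poly_divmod(f, g, q):
    """Quotient and remainder of f by a non-zero g over F_q."""
    f = trim([c % q for c in f])
    g = trim([c % q for c in g])
    inv = pow(g[-1], -1, q)
    quo = [0] * max(len(f) - len(g) + 1, 0)
    while len(f) >= len(g):
        shift = len(f) - len(g)
        c = f[-1] * inv % q
        quo[shift] = c
        for i, gc in enumerate(g):
            f[i + shift] = (f[i + shift] - c * gc) % q
        trim(f)
    return quo, f

def poly_mulmod(a, b, f, q):
    if not a or not b:
        return []
    prod = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            prod[i + j] = (prod[i + j] + x * y) % q
    return poly_divmod(prod, f, q)[1]

def poly_powmod(base, exp, f, q):
    result = [1]
    base = poly_divmod(base, f, q)[1]
    while exp:
        if exp & 1:
            result = poly_mulmod(result, base, f, q)
        base = poly_mulmod(base, base, f, q)
        exp >>= 1
    return result

def poly_gcd(f, g, q):
    """Monic gcd over F_q (at least one argument must be non-zero)."""
    f = trim([c % q for c in f])
    g = trim([c % q for c in g])
    while g:
        f, g = g, poly_divmod(f, g, q)[1]
    inv = pow(f[-1], -1, q)
    return [c * inv % q for c in f]

def inertia_degrees(poly, q):
    """Sorted inertia degrees f_i of the prime ideals above q (Theorem 1)."""
    f = poly_gcd(poly, [], q)                      # reduce mod q, make monic
    deriv = [(i * c) % q for i, c in enumerate(f)][1:]
    if len(poly_gcd(f, deriv, q)) > 1:
        raise ValueError("polynomial is not squarefree mod q (q ramifies)")
    degrees, x, h, k = [], [0, 1], [0, 1], 0
    while len(f) > 1:
        k += 1
        if 2 * k > len(f) - 1:                     # what is left is irreducible
            degrees.append(len(f) - 1)
            break
        h = poly_powmod(h, q, f, q)                # h = x^(q^k) mod f
        g = poly_gcd(poly_sub(h, x, q), f, q)      # product of degree-k factors
        d = len(g) - 1
        if d > 0:
            degrees += [k] * (d // k)
            f = poly_divmod(f, g, q)[0]
            h = poly_divmod(h, f, q)[1]
    return sorted(degrees)

CUBIC = [-2, 0, 0, 1]                  # x^3 - 2, the field of Example 2
CYCLOTOMIC_256 = [1] + [0] * 127 + [1] # X^128 + 1, the field of Example 4
```

A prime is inert exactly when the result is the single degree $[n]$; a result of all ones means the prime splits completely.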

2.2 Euclidean lattices

In this section, we provide the necessary preliminaries for a better understanding of the subsequent discussions.

Definition 1

A Euclidean lattice (or simply a lattice) $\mathcal{L}$ is formally a discrete subgroup of $\mathbb{R}^n$ for a norm $\|\cdot\|$; equivalently, it is a free $\mathbb{Z}$-module of rank $m$ contained in $\mathbb{R}^n$. A lattice can be represented by a basis $B = \{ b_1, \ldots, b_m \}$, with $b_i \in \mathbb{R}^n$.

A basis is not unique if $1 < m \le n$, so

$$\mathcal{L}(B) = \left\{ \sum_{i=1}^{m} \alpha_i b_i \;\middle|\; \alpha_i \in \mathbb{Z} \right\},$$

and $C$ is a basis of $\mathcal{L}$ if and only if there is a unimodular matrix $U$ (i.e. $|\det(U)| = 1$ and $U \in \mathbb{Z}^{m \times m}$) such that $B = CU$; consequently, for a lattice of rank greater than 2, there are infinitely many different bases of that lattice. If $m = n$, then the lattice is said to be a full-rank lattice. From lattice theory, there is a shortest non-zero vector in $\mathcal{L}$, and finding such a vector is the well-known shortest vector problem (SVP).

Definition 2

(SVP)

  • Given: $B \in \mathbb{Z}^{n \times m}$,

  • Find: $z \in \mathbb{Z}^m \setminus \{0\}$, such that $\|Bz\| \le \|By\|$ for every $y$ in $\mathbb{Z}^m$.

Another important lattice problem is the closest vector problem (CVP): given a non-lattice target vector, find the lattice vector closest to it.

Definition 3

(CVP)

  • Given: $B \in \mathbb{Z}^{n \times m}$, and $t \in \mathbb{R}^n \setminus \mathcal{L}(B)$,

  • Find: $z \in \mathbb{Z}^m \setminus \{0\}$, such that $\|Bz - t\| \le \|By - t\|$ for every $y$ in $\mathbb{Z}^m$.

If $\mathcal{L}$ is a subset of $\mathbb{Z}^n$, then it is called an integral lattice, and for a given $q$, if $\mathcal{L}$ contains $q\mathbb{Z}^n$, then $\mathcal{L}$ is called a $q$-ary lattice. For more details and discussion of the hardness of the above problems, we refer the reader to [7,24].

Since there are infinitely many bases for a given lattice, it is natural to ask which basis is better to work with. This is a well-studied topic in lattice theory, and there is no precise definition of a good basis or a bad basis. A good basis is, in general, a basis with short vectors; in contrast, a bad basis consists of long vectors that form a skewed parallelepiped. The operation of finding a good basis from a given bad basis is known as lattice reduction [13,25]. There are many strategies for it, which differ in running time and in the quality of the output basis: the LLL algorithm runs in polynomial time but produces a basis whose short vector is only an exponential approximation of a shortest vector, whereas HKZ-reduction runs in exponential time and produces a basis containing a shortest vector. We refer the reader to the survey [7] for more details. Finally, it is worth mentioning that improving lattice reduction is still an open research topic [14], and the most efficient known implementation is the general sieve kernel [15].

3 High-dimensional RSA

In this section, we state the ideal factorization problem in number fields, and we recall the high-dimensional RSA as it is described in the original article. Then, we provide some remarks on the vulnerabilities that we found.

3.1 Coefficient embedding and rotation matrix

In the study of Zhiyong et al. [19], the multiplication of elements in $K$ is defined as a matrix-vector product, which is known in the literature of lattice-based cryptography (e.g. see [7,8]): the rotation matrix of an element $a$ in $K$ is multiplied by the vector of coefficients of an element $b$ of $K$. We keep the notation of that paper for clarity.

Every degree $n$ number field $K = \mathbb{Q}(\zeta)$ defines an $n$-dimensional vector space over $\mathbb{Q}$ with basis $1, \zeta, \ldots, \zeta^{n-1}$. As a result, any element $a \in K$ may be expressed as $a = \sum_{j=0}^{n-1} a_j \zeta^j$, where $a_j \in \mathbb{Q}$.

The isomorphism that sends every element $a$ in $K$ to its coefficient vector $\tau(a) = (a_0, \ldots, a_{n-1})^t$ is the coefficient embedding $\tau : K \to \mathbb{Q}^n$, also denoted by $\tau(x) = \bar{x}$. Under the coefficient embedding, multiplication by $x$ can be represented by a matrix multiplication, with the associated matrix denoted by $\mathrm{Rot}(x) \in \mathbb{R}^{n \times n}$. More specifically, $\tau(a) = \mathrm{Rot}(b)\,\tau(c)$ for every $a, b, c$ in $K$ with $a = bc$. It is worth noting that the matrix $\mathrm{Rot}(a)$ is invertible in $K$ for all $a \ne 0$, and that its concrete form is determined by the number field $K$.

Definition 4

Let K be a number field. We define to be the operation between coefficients vectors of α and β , for α and β from K such that the result is in the number field K . Explicitly

α , β K , α ¯ β ¯ τ 1 ( Rot ( α ) τ ( β ) ) .

We remark that $\bar{\alpha}\ \bar{\beta}$ is an element of $K$. Clearly, if $a = \sum_{i=0}^{n-1} a_i \zeta^i \in \mathcal{O}_K$ and $\mathcal{O}_K = \mathbb{Z}[\zeta]$, then $\tau(a) = (a_0, a_1, \ldots, a_{n-1})^t \in \mathbb{Z}^n$. The property $\mathcal{O}_K = \mathbb{Z}[\zeta]$ is called the NC-property in [19]. They defined and denoted the rotation matrix by the following matrix:

$$\mathrm{Rot}(a) = H^*(a) = [\tau(a), H\tau(a), \ldots, H^{n-1}\tau(a)],$$

where $H$ depends on the number field defined by the polynomial $\phi(x) = x^n - \sum_{i=0}^{n-1} \phi_i x^i$, and it equals

$$H = \begin{pmatrix} 0 \ \cdots \ 0 & \phi_0 \\ & \phi_1 \\ I_{n-1} & \vdots \\ & \phi_{n-1} \end{pmatrix}.$$

The product of two elements $a$ and $b$ in $K$ can be computed by $ab = \tau^{-1}(\mathrm{Rot}(a)\,\tau(b))$.
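The construction above in code, as an added example that is not part of the article: $H$ is built from the coefficients $\phi_i$, $\mathrm{Rot}(a)$ from its columns $H^j\tau(a)$, and the norm of an element is read off as the determinant of its rotation matrix. The function names are ours, and the sample values are those of the field $x^3 - 2$ used in Examples 2 and 3 of this article.

```python
def companion(phi):
    """H for phi(x) = x^n - sum(phi[i] * x^i): the matrix of multiplication by zeta."""
    n = len(phi)
    H = [[0] * n for _ in range(n)]
    for i in range(1, n):
        H[i][i - 1] = 1          # zeta * zeta^(i-1) = zeta^i
    for i in range(n):
        H[i][n - 1] = phi[i]     # zeta * zeta^(n-1) = sum(phi_i * zeta^i)
    return H

def matvec(M, v):
    return [sum(m * x for m, x in zip(row, v)) for row in M]

def rot(a, phi):
    """Rot(a) = H*(a): the columns are tau(a), H tau(a), ..., H^(n-1) tau(a)."""
    H = companion(phi)
    cols = [list(a)]
    for _ in range(len(a) - 1):
        cols.append(matvec(H, cols[-1]))
    return [list(row) for row in zip(*cols)]   # turn the column list into rows

def mul(a, b, phi):
    """Coefficient vector of the product a*b, i.e. Rot(a) tau(b)."""
    return matvec(rot(a, phi), b)

def det(M):
    """Exact integer determinant (Bareiss fraction-free elimination)."""
    M = [row[:] for row in M]
    n, sign, prev = len(M), 1, 1
    for k in range(n - 1):
        if M[k][k] == 0:
            swap = next((r for r in range(k + 1, n) if M[r][k] != 0), None)
            if swap is None:
                return 0
            M[k], M[swap] = M[swap], M[k]
            sign = -sign
        for i in range(k + 1, n):
            for j in range(k + 1, n):
                M[i][j] = (M[i][j] * M[k][k] - M[i][k] * M[k][j]) // prev
        prev = M[k][k]
    return sign * M[-1][-1]

def norm(a, phi):
    """Algebraic norm of a, computed as det(Rot(a))."""
    return det(rot(a, phi))

PHI_CUBIC = [2, 0, 0]        # x^3 - 2 = x^3 - (2 + 0x + 0x^2)
A = [3, 0, 2]                # a = 3 + 2 * 2^(2/3)
B = [3, 1, -1]               # b = 3 + 2^(1/3) - 2^(2/3)
X3 = [49, 14, -42]           # x of Example 3
Y3 = [31, 93, -93]           # y of Example 3

def public_norm(alpha, beta, phi):
    """|det| of the ideal matrix of alpha*beta: the determinant of the public lattice."""
    return abs(norm(mul(alpha, beta, phi), phi))
```

Whatever basis of the ideal lattice is published, its determinant is this integer, which is the quantity the attack of Section 4 factors.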

3.2 Description of the high-dimensional RSA

Let $n \ge 1$ be a positive integer, $K$ be an algebraic number field of degree $n$ with the NC-property, $R = \mathcal{O}_K \subset K$ be the ring of algebraic integers of $K$, $\alpha \in R$, $\beta \in R$ be two distinct prime elements of $R$, $A = \alpha\beta R$ be a principal ideal of $R$, $H^*(\bar{\alpha}\ \bar{\beta})$ be the ideal matrix corresponding to $A$, $L_{\alpha,\beta} = L(H^*(\bar{\alpha}\ \bar{\beta}))$ be the lattice generated by $H^*(\bar{\alpha}\ \bar{\beta})$, $B_{\alpha,\beta} = \mathrm{HNF}(L_{\alpha,\beta})$ be the basis of $L_{\alpha,\beta}$ in Hermite normal form, and $B^*_{\alpha,\beta} = \mathrm{diag}\{ b_1, b_2, \ldots, b_n \}$ be the elements on the diagonal of the matrix $B_{\alpha,\beta}$.

Parameters:

  • $\phi(\alpha, \beta) = (\det(H^*(\alpha)) - 1)(\det(H^*(\beta)) - 1)$,

  • $S_{\alpha,\beta} = \{ x = (x_1, x_2, \ldots, x_n) \in \mathbb{Z}^n \mid 0 \le x_i < b_i \}$,

  • $1 \le e < \phi(\alpha, \beta)$ such that $e$ is coprime with $\phi(\alpha, \beta)$,

  • $1 \le d < \phi(\alpha, \beta)$ such that $ed \equiv 1 \pmod{\phi(\alpha, \beta)}$.

Public keys: The rotation matrix $H$, the lattice $L(B_{\alpha,\beta}) = L_{\alpha,\beta}$, and the positive integer $e$ are public keys.

Private keys: Ideal matrices $H(\bar{\alpha})$ and $H(\bar{\beta})$, the basis $H^*(\bar{\alpha}\ \bar{\beta})$ of $L_{\alpha,\beta}$, and the positive integer $d$ are private keys.

Encryption: For any input message $a \in S_{\alpha,\beta}$, the ciphertext $c$ is given by $c \equiv a^e \pmod{L_{\alpha,\beta}}$.

Decryption: $c^d \equiv a^{de} \equiv a^{k\phi(\alpha,\beta)+1} \equiv a \pmod{L_{\alpha,\beta}}$. One can find the plaintext $a$ from $c$ in $S_{\alpha,\beta}$.

Decryption success probability: The authors proved that the decryption success probability depends on the norm of $A = PQ$ for prime ideals $P, Q$ in $\mathcal{O}_K$ and on the splitting behaviour of the integer primes $p, q$ in $P, Q$ respectively, showing that the decryption success probability is

$$s = \frac{p^{f_P} q^{f_Q}}{p^n q^n},$$

where $f_P, f_Q$ are the residual degrees of $P, Q$ above $p, q$, respectively, and $n$ is the degree of $K$ over $\mathbb{Q}$.

4 Attacking high-dimensional RSA

Although the authors claim that the proposed scheme has post-quantum security, we do not find any proof of this claim in the original paper; in this section, we provide remarks on the security of the scheme, which rests on the hardness of factorization in number fields.

4.1 Hardness of factorization in number fields

We prove the following fact:

Theorem 2

Let $K$ be a number field of degree $d$. There is a polynomial time algorithm that factors elements in the ring of integers $\mathbb{Z}$ if and only if there is a polynomial time algorithm that factors ideals in the ring of integers $\mathcal{O}_K$ of the number field $K$.

Proof

One direction is clear: a polynomial time algorithm that factors an ideal $A$ of $\mathcal{O}_K$ into a product of prime ideals of $\mathcal{O}_K$ leads to a polynomial time algorithm that factors an integer $n = \prod_{i=1}^{r} p_i^{e_i}$ in $\mathbb{Z}$. Consider the ideal of $\mathcal{O}_K$ generated by $n$; since the ring of integers is a Dedekind domain, $A$ factors uniquely into prime ideals (up to permutation) as follows:

$$A = n\mathcal{O}_K = \prod_{i=1}^{r} \prod_{j=1}^{g_i} P_{i,j}^{e_{i,j}}$$

in $\mathcal{O}_K$, where each $P_{i,j}$ is a prime ideal of $\mathcal{O}_K$ above $p_i$, $e_{i,j}$ is the ramification index of $P_{i,j}$ above $p_i$, and $g_i$ is the number of prime ideals in $\mathcal{O}_K$ above $p_i$, for all $i, j$. Then, compute $P_{i,j} \cap \mathbb{Z} = p_i\mathbb{Z}$ and $e_i = \max\{ e : n \equiv 0 \bmod p_i^{e} \}$, and return $(p_i, e_i)$ for every $i$.

Now, we prove the other direction. For a fixed number field $K/\mathbb{Q}$, we are given an ideal $A = \prod_{i=1}^{r} P_i^{t_i}$ of $\mathcal{O}_K$, where the $P_i$ are prime ideals of $\mathcal{O}_K$, and our goal is to find $P_i$ and $t_i$ for each $i$. For simplicity, we assume that the prime ideals are ordered by the prime integers they contain: for each $1 \le i < j \le r$, there are prime integers $p_i$ and $p_j$ in $\mathbb{N}$ such that $p_i \le p_j$, $p_i \in P_i$, and $p_j \in P_j$. Assume that there is an algorithm that solves the problem of integer factorization in polynomial time. First, we compute the algebraic norm $N = N(A)$, which is an integer in $\mathbb{Z}$; the algebraic norm of an ideal is known to be computable in polynomial time by computing the determinant of its representative matrix (since determinants can be computed in polynomial time using, for example, Gaussian elimination). Using the integer factorization algorithm to factor $N$ over $\mathbb{Z}$, the algorithm will output $(p_i, t_i f_i)$ for $1 \le i \le r$ such that the $p_i$ are in increasing order, and we have

$$N = \prod_{i=1}^{r} p_i^{t_i f_i},$$

where, for each $1 \le i \le r$, $f_i$ is the residual degree of $P_i$ above $p_i$, which is less than $d$. Now, for each $i$, the procedure to find $P_i$ and $t_i$ starts by decomposing the prime integer $p_i$ in $\mathcal{O}_K$, which returns a set of prime ideals $P_{i,j}$ of $\mathcal{O}_K$ that lie above $p_i$. Since the prime decomposition is unique in $\mathcal{O}_K$, only one of the $P_{i,j}$ is equal to $P_i$, which divides $A$ and lies above $p_i$ in $\mathcal{O}_K$. Thus, we run, for example, an exhaustive search for the right index $j$ and the maximum exponent $t_i$ of the prime ideal $P_{i,j}$ above $p_i$ such that $P_{i,j}^{t_i}$ divides $A$, for each $i$ and $j$. By the facts recalled in Section 2.1, we have less than $d$ many prime ideals above $p_i$. Thus, this process is clearly polynomially bounded in the number field degree $d$ and the number of primes that divide $N$. □

The previous proof has no efficiency concerns; in fact, it only shows that the two problems are computationally equivalent for any number field $K$. As a consequence, we conclude that if there is a polynomial time algorithm that solves one of them, then necessarily there is an algorithm that solves the other equivalent problem in polynomial time, which implies that the problem is solvable (e.g. using Shor’s algorithm) in quantum polynomial time. One may wonder if there is a number field $K$ in which it is possible to perform ideal factorization in polynomial time (maybe classical); by the theorem, we know that the existence of such a field implies that we can factor integers $n$ of $\mathbb{Z}$ in polynomial time by factoring $n\mathcal{O}_K$ using the known algorithm and computing $P_i \cap \mathbb{Z} = p\mathbb{Z}$, which can also be done in polynomial time as described in the proof of Theorem 2.

4.2 Parameter restriction

Assume that $p, q$ are $b$-bit prime numbers that lie in the prime ideals $P, Q$ with inertia degrees $f_P, f_Q$ respectively; then we have the following inequalities:

$$2^{b(f_P + f_Q - 2n)} \le s \le 2^{(b-1)(f_P + f_Q - 2n)}.$$

Since $f_P$ and $f_Q$ are less than or equal to $n$, the decryption success probability $s$ is negligible in $b$ and $n$ unless $f_P = f_Q = n$. This is another inconvenience of the proposed scheme: on the one hand, factorization of integers is achievable for products of small primes; on the other hand, for larger bit-size prime numbers, if one of the selected primes does not have inertia degree equal to $n$ in the number field $K$, then we have a negligible success probability, which makes the scheme useless for. This restriction also makes key generation harder. The decryption success probability in question is related to the construction, and the proposed scheme does not provide any additional procedures to make the scheme randomized for public key purposes.

In the next section, we show our last observation using the fact from Theorem 2 and the restriction above, which make the proposed scheme insecure.

4.3 Attack description

We describe in this section our key recovery attack against the described construction (Algorithm 1), and we will prove that it runs in (at most quantum) polynomial time.

We have seen in the previous section that, to obtain a negligible decryption failure, one has to choose $\alpha, \beta$ such that $P = \alpha R$, $Q = \beta R$ are inert prime ideals of $\mathbb{Z}$ in $\mathcal{O}_K$. So, we have to focus on prime ideals of the form $P = pR$ for $p$ in $\mathbb{Z}$. The latter have norm $p^n$, and for $A = PQ = pqR$ the norm of $A$ is clearly $N(A) = p^n q^n$; hence, we have a decryption failure probability equal to 0. It is known that we can compute the norm of $A$ from the given $B_{\alpha,\beta}$ by computing the determinant of $B_{\alpha,\beta}$. Using the following algorithm, we can retrieve the private key $d$. We do not need to retrieve $\alpha$ and $\beta$, since $d = e^{-1} \bmod \phi(A)$, where $\phi(A) = (p^{f_p} - 1)(q^{f_q} - 1)$ is computable if we know $p$ and $q$. Thus, $p$ and $q$ alone are sufficient to retrieve $d$, which makes the construction insecure.

Algorithm 1: Compute private key $d$
Input: Public key as lattice basis $B_{\alpha,\beta}$
Output: Private key $d$
1 Compute $N \leftarrow \det B_{\alpha,\beta}$;
2 Compute $N \leftarrow N^{1/n}$;
3 $F \leftarrow ((p, e_p), (q, e_q)) \leftarrow \mathrm{Factor}(N)$, its prime factors;
4 Compute $d \leftarrow e^{-1} \bmod (p^n - 1)(q^n - 1)$;
5 return $d$

4.4 Running time and algorithm correctness

Since $P = \alpha R$ and $Q = \beta R$, by algebraic number theory, we know that $P \cap \mathbb{Z} = p\mathbb{Z}$ and $Q \cap \mathbb{Z} = q\mathbb{Z}$ for prime numbers $p, q \in \mathbb{Z}$. Therefore $\det(L_{\alpha,\beta}) = N(L_{\alpha,\beta}) = p^{f_P} q^{f_Q}$. The following remarks justify why the algorithm runs in polynomial time:

  • The lattice volume is an invariant of the lattice, which allows the norm to be computed from the bad basis $B_{\alpha,\beta}$.

  • Step 2 can be done efficiently using sufficient precision, and the result is surely an integer since we restricted the choice of parameters as in the previous discussion.

  • Step 3 can be done by using any factoring algorithm. Using Shor’s algorithm makes this step computable in quantum polynomial time.

  • Step 4 can be done in polynomial time even in a classical computer.

This proves that our suggested algorithm runs at most in quantum polynomial time; therefore, our recovery attack is efficient, and the proposed scheme is not a post-quantum construction.

Basing the proposed scheme on number fields of large degree may help to resist Shor’s algorithm (e.g. extensions of degree 100), but since the proposed construction works with principal maximal ideals of $\mathcal{O}_K$, this is not always secure. For example, if the primes contained in the ideals split completely, then the norm of the public key does not increase sufficiently to make Shor’s factoring algorithm costly; thus, one should avoid primes that split completely in $K$ in the key generation process. The same holds for inert primes, since we can compute the $n$-th root of the determinant of the lattice, which is the norm of the product of the ideals. Conversely, increasing the number field degree makes the computations too slow, which is not favourable in practice.

Remark 1

We stress that we do not see any role of the lattice structure in the security of the proposed design, nor have the authors of the proposed scheme presented a security guarantee based on a lattice problem. Our attack does not exploit any problem related to lattices, and hence, the design has no security guarantee based on any of the lattice problems (e.g. the SVP).

Example 2

Let $K = \mathbb{Q}(\sqrt[3]{2})$ be the number field defined by the polynomial $x^3 - 2 = x^3 - 0x^2 - 0x - 2$. Its ring of integers satisfies $\mathcal{O}_K = \mathbb{Z}[\sqrt[3]{2}]$. The matrix $H$ related to this field is

$$H = \begin{pmatrix} 0 & 0 & 2 \\ 1 & 0 & 0 \\ 0 & 1 & 0 \end{pmatrix}.$$

Let $a = 3 + 2\sqrt[3]{2^2}$ and $b = 3 + \sqrt[3]{2} - \sqrt[3]{2^2}$; then their coefficient vectors are, respectively, $\bar{a} = (3, 0, 2)^t$ and $\bar{b} = (3, 1, -1)^t$. Now, to compute the product $ab$, we need to compute $\tau^{-1}(H^*(a)\,\bar{b})$. Computing $H^*(a)$, we find

$$H^*(a) = \begin{pmatrix} \bar{a} & H\bar{a} & H^2\bar{a} \end{pmatrix} = \begin{pmatrix} 3 & 4 & 0 \\ 0 & 3 & 4 \\ 2 & 0 & 3 \end{pmatrix}$$

and therefore

$$H^*(a)\,\bar{b} = \begin{pmatrix} \bar{a} & H\bar{a} & H^2\bar{a} \end{pmatrix} \bar{b} = \begin{pmatrix} 3 & 4 & 0 \\ 0 & 3 & 4 \\ 2 & 0 & 3 \end{pmatrix} \begin{pmatrix} 3 \\ 1 \\ -1 \end{pmatrix} = \begin{pmatrix} 13 \\ -1 \\ 3 \end{pmatrix},$$

hence,

$$ab = 13 - \sqrt[3]{2} + 3\sqrt[3]{2^2}.$$

A direct verification:

$$xy = (3 + 2\sqrt[3]{2^2})(3 + \sqrt[3]{2} - \sqrt[3]{2^2}) = 9 + 3\sqrt[3]{2} - 3\sqrt[3]{2^2} + 6\sqrt[3]{2^2} + 4 - 4\sqrt[3]{2} = 13 - \sqrt[3]{2} + 3\sqrt[3]{2^2}.$$

We can verify that $x$ and $y$ are irreducible elements of $\mathcal{O}_K$ of prime norms 59 and 43, respectively.[6] The public key is the product $xy = 13 - \sqrt[3]{2} + 3\sqrt[3]{4}$, which corresponds to its rotation matrix in Example 2. The totient in this case is $\phi = (59^1 - 1)(43^1 - 1) = 2{,}436$.

Let the public key be $e = 5$, and $d = 5^{-1} = 1{,}949 \bmod 2{,}436$. Encrypting the message $m = 1 + \sqrt[3]{2} + \sqrt[3]{4}$, we obtain $c = m^e \equiv -2 - 8\sqrt[3]{2} - 3\sqrt[3]{4} \bmod A$. Decrypting $c$ gives $D = c^d \equiv 191 + 97\sqrt[3]{2} + 209\sqrt[3]{4} \bmod A$, which is clearly different from the starting message $m$, and for this example, the success probability is $s = \frac{1}{6{,}436{,}369}$. This example shows the weakness of parameters that lead to observable decryption failure.

Example 3

Now, we encrypt the same message using prime ideals of $K$ that contain an integer prime that is inert in $K$. Let $x = 49 + 14\sqrt[3]{2} - 42\sqrt[3]{4}$ and $y = 31 + 93\sqrt[3]{2} - 93\sqrt[3]{4}$, $e = 11$; we obtain $\phi = 10{,}188{,}180$ and $d = 4{,}630{,}991 \bmod 10{,}188{,}180$. The encryption then is $c = m^e \equiv 36 + 191\sqrt[3]{2} + 67\sqrt[3]{4} \bmod A$, and the decryption can also be verified to be correct. But the matter here is that, given the Hermite normal form of these parameters, one can compute the norm as the determinant of the matrix

$$B = \begin{pmatrix} 217 & 0 & 0 \\ 0 & 217 & 0 \\ 0 & 0 & 217 \end{pmatrix},$$

which is $217^3$, and we have $217 = 7 \times 31$.
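The key recovery of Section 4 run on the numbers of Examples 2 and 3, as an added example that is not the authors' PARI/GP code. It follows the steps listed under Example 4 (determinant, factorization, valuations, modular inverse), which coincide with Algorithm 1 when both valuations equal $n$; trial division stands in for the factoring step, the function names are ours, and the triangular basis used for Example 2 was constructed for this illustration.

```python
from math import prod

def lattice_det(B):
    """Determinant of a triangular (Hermite normal form) basis: product of the diagonal."""
    n = len(B)
    upper = all(B[i][j] == 0 for i in range(n) for j in range(i))
    lower = all(B[i][j] == 0 for i in range(n) for j in range(i + 1, n))
    if not (upper or lower):
        raise ValueError("basis is not triangular; compute a full determinant instead")
    return abs(prod(B[i][i] for i in range(n)))

def factor(N):
    """Trial division: a classical stand-in for the factoring step (Shor in the article)."""
    factors, p = {}, 2
    while p * p <= N:
        while N % p == 0:
            factors[p] = factors.get(p, 0) + 1
            N //= p
        p += 1
    if N > 1:
        factors[N] = factors.get(N, 0) + 1
    return factors

def recover_private_exponent(B, e):
    """Return (d, factorization of N(A)) from the public basis B and exponent e."""
    N = lattice_det(B)                       # step 1: N(A) = det of the public basis
    factors = factor(N)                      # N(A) = p^f_p * q^f_q
    if len(factors) != 2:
        raise ValueError("expected exactly two primes below the ideal")
    phi = prod(p ** f - 1 for p, f in factors.items())
    return pow(e, -1, phi), factors          # d = e^-1 mod (p^f_p - 1)(q^f_q - 1)

def mul(a, b, M):
    """Product in Z[t]/(t^3 - 2) with coefficients reduced mod M."""
    a0, a1, a2 = a
    b0, b1, b2 = b
    return ((a0 * b0 + 2 * (a1 * b2 + a2 * b1)) % M,
            (a0 * b1 + a1 * b0 + 2 * a2 * b2) % M,
            (a0 * b2 + a1 * b1 + a2 * b0) % M)

def power(a, k, M):
    result = (1, 0, 0)
    while k:
        if k & 1:
            result = mul(result, a, M)
        a = mul(a, a, M)
        k >>= 1
    return result

# Example 3: public basis, exponent and ciphertext as printed in the article.
EXAMPLE_3_BASIS = [[217, 0, 0], [0, 217, 0], [0, 0, 217]]
EXAMPLE_3_E = 11
EXAMPLE_3_C = (36, 191, 67)

# Example 2: a triangular basis of the ideal generated by ab (constructed here;
# its rows are basis vectors and its determinant is the norm 59 * 43 = 2537).
EXAMPLE_2_BASIS = [[2537, 0, 0], [2204, 1, 0], [739, 0, 1]]
EXAMPLE_2_E = 5

def decrypt_example_3():
    """Recover d from public data only, then decrypt the Example 3 ciphertext."""
    d, _ = recover_private_exponent(EXAMPLE_3_BASIS, EXAMPLE_3_E)
    # The lattice is 217 * Z^3, so reduction mod the lattice is coefficient-wise.
    return power(EXAMPLE_3_C, d, 217)

if __name__ == "__main__":
    print(recover_private_exponent(EXAMPLE_2_BASIS, EXAMPLE_2_E))
    print(recover_private_exponent(EXAMPLE_3_BASIS, EXAMPLE_3_E))
    print(decrypt_example_3())
```

Only the determinant of the published basis enters the computation, so any other basis of the same lattice yields the same $d$.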

In order to give a numerical example of the proposed attack, we used Pari/GP software. In this example, we work with cyclotomic fields, one of the suggested families of number fields by Zhiyong et al. [19] that satisfies the NC-property.

Example 4

We fix $n = 128$ for the 256th cyclotomic number field with the following parameters:

  1. the defining polynomial of the number field is $X^{128} + 1$,

  2. the private keys are two elements $\alpha$ and $\beta$ of $\mathcal{O}_K$, from which $\phi(\alpha, \beta)$ is computed,

  3. The public key is the given principal ideal $A$ of $\mathcal{O}_K$.

  4. If we choose $e = 65537$, we obtain $d = e^{-1} \bmod \phi(\alpha, \beta)$.

Now, we retrieve the secret decryption key $d$, given $A$ and $e$:
  1. Computing the norm of $A$ gives (in hexadecimal): $N(A) =$ 33bf97da2fddb268db31c6bb7a846d06d223f0faf9b3baee105a8152e1413a9f6d5da04bc33f794dfcc815ee61338c2f52ff51a05f34c583b84bb02a18b05d0505017dea0ea5936a75869717d49f15883366fa4fc4a42c4dfe92db3c15c034fb7b07a71477aa68d81c24bf5d9ab8f16c65b9257d355b29eabf38388da239a9d9492281bb44e87a8a41e2e134140ffdffa0ca5ad437b62a2a0128977a0f4e21de46de92f07b1f7c1e3fa77c663bb58d433114458551f469925568a474ed84263178101.

  2. The factorization into prime numbers gives (in hexadecimal): $p =$ 113bf6817372776d88f58cc40efc6434929b12638ad7f24fa63e8d61155ddce4b68b40459ac5eb56ed51dbf63ec3a6bf0479222441c655fef2012e9bd3e49d49b2b5546f81afd6c6227c0b7a5929fb8e5c032455fc01 and $q =$ 300addc0ab02f3bbb068e4d1e9ab36f095112becd16d1eaa28e617c27f6a672b9142ad875550e0525848a12e426e93650867335aabc528e7de363828d2f3b715ca7dd48a967220646200cdbf3ee2c109fa44209078303e0eadc79dcbb379490c79ffb3ef0a08e80a6be6d58501.

  3. We compute the valuation of the norm $N(A)$ at the primes $p$ and $q$, and obtain $f_p = f_q = 1$.

  4. We compute $\phi(A) = (p - 1)(q - 1)$ and then retrieve $d = e^{-1} \bmod \phi(A)$, obtaining the same value of $d$ as above.

In the previous example, the primes $p$, $q$ are not inert in the cyclotomic number field $K = \mathbb{Q}(\zeta_{256})$; our goal in this example was to show that the decryption key $d$ can be retrieved even for a higher-degree number field with the NC property. It is also worth mentioning that our attack is applicable to general number fields, which do not necessarily have the NC property.
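The four recovery steps above can be traced end to end at toy size; the following is an added example, not the paper's code. It works in $\mathbb{Z}[i]$, the ring of integers of $\mathbb{Q}(\zeta_4)$, on a constructed public ideal $A = (3+2i)(7)$ that, unlike the example above, contains an inert prime, so the valuation step yields $f = 2$. Assumptions: trial division stands in for Shor's algorithm, encryption is RSA-style exponentiation in $\mathcal{O}_K/A$, and $A$ is a product of prime ideals lying above distinct rational primes.

```python
def gmul(x, y):
    """Product of Gaussian integers, each a pair (a, b) meaning a + b*i."""
    return (x[0]*y[0] - x[1]*y[1], x[0]*y[1] + x[1]*y[0])
def norm(x):
    return x[0]*x[0] + x[1]*x[1]

def gmod(x, m):
    """Representative of x modulo the ideal (m): subtract the nearest multiple of m."""
    n = norm(m)
    t = gmul(x, (m[0], -m[1]))  # x * conj(m), so x/m = t/n
    q = ((2*t[0] + n) // (2*n), (2*t[1] + n) // (2*n))  # t/n rounded componentwise
    qm = gmul(q, m)
    return (x[0] - qm[0], x[1] - qm[1])

def gpow(x, e, m):  # x**e modulo the ideal (m), by square-and-multiply
    r, x = (1, 0), gmod(x, m)
    while e:
        if e & 1:
            r = gmod(gmul(r, x), m)
        x = gmod(gmul(x, x), m)
        e >>= 1
    return r

def factor(n):
    """Trial division: a classical stand-in for Shor's algorithm at toy size."""
    out, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            out[p] = out.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        out[n] = out.get(n, 0) + 1
    return out

def recover_d(alpha, e):
    """Norm, factorization, valuations f_p, then phi(A) and d = e^-1 mod phi(A)."""
    phi = 1
    for p, f in factor(norm(alpha)).items():  # N(A) = p^f_p * q^f_q
        phi *= p**f - 1  # N(P) - 1 for the one prime ideal P above p
    return pow(e, -1, phi), phi

# Constructed toy key: A = (3+2i)(7); 13 splits (f = 1), 7 is inert (f = 2).
ALPHA, E = gmul((3, 2), (7, 0)), 5
D, PHI = recover_d(ALPHA, E)  # -> (461, 576)

def roundtrip(m):
    back = gpow(gpow(m, E, ALPHA), D, ALPHA)  # encrypt with E, decrypt with recovered D
    return gmod((back[0] - m[0], back[1] - m[1]), ALPHA) == (0, 0)
```

The only secret-dependent input is the factorization of $N(A) = 637 = 7^2 \cdot 13$; everything after it is public arithmetic.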

5 Conclusion

In summary, this study provides insight into the high-dimensional RSA scheme’s vulnerability to quantum polynomial-time attacks. By disproving the claim that the suggested construction provides post-quantum security that is more robust than NTRU [26], we highlight the significance of thorough study in the assessment of cryptographic primitives. Despite having a lattice structure, the suggested design is vulnerable to quantum attacks, since its hardness is not based on a hard lattice problem. Moreover, our results serve as a cautionary tale, emphasizing that security against sophisticated attacks is not guaranteed simply by relying on a lattice structure.

  1. Funding information: None declared.

  2. Author contributions: All authors have accepted responsibility for the entire content of this manuscript and approved its submission.

  3. Conflict of interest: The authors declare no conflict of interest/competing interest.

Appendix A Pari/GP demonstration

To get an idea of the behavior of our attack, we used the Pari/GP software [27] to implement it on ideals that are the product of two prime ideals over power-of-two cyclotomic number fields, and summarized the results in Table A1.

Table A1

Average CPU time and wall time for different degrees of cyclotomic number fields

| Degree | Average CPU time | Average wall time |
|---|---|---|
| 1 | 143 ms | 0 ms |
| 1 | 135 ms | 0 ms |
| 2 | 163 ms | 1 ms |
| 4 | 311 ms | 1 ms |
| 8 | 424 ms | 1 ms |
| 16 | 643 ms | 1 ms |
| 32 | 1,007 ms | 4 ms |
| 64 | 1,007 ms | 1 ms |
| 128 | 1,427 ms | 2 ms |
| 256 | 3,459 ms | 9 ms |
| 512 | 16,013 ms | 72 ms |
| 1,024 | 156,591 ms | 1,819 ms |

This research was supported through computational resources of HPC-MARWAN (hpc.marwan.ma) provided by the National Center for Scientific and Technical Research (CNRST), Rabat, Morocco. We ran the code on the HPC-MARWAN cluster, using a node with 2 CPUs and 64 GB of memory; the full run took 5 hours 12 minutes and 34 seconds. Our demonstration code can be found at the following link: https://github.com/ndrahmani/Attack_code.

```gp
default("parisize", 64G);
default("timer", 1);
bit = 1024;       /* Primes bit size */
ns = powers(2, 11);
verbose = 0;      /* Set to 1 for printing messages, 0 to hide them */
NUM_TEST = 100;   /* Number of tests */
NUM_PRIM = 2;     /* Number of primes */

/* Function to safely read a text file if it exists */
read_field(filename) = {
  my(result);
  iferr(
    result = read(filename),
    E, /* If an error occurs (e.g., file not found) */
    result = 0;
  );
  result;
}

/* Function to write number field to a text file */
write_field(filename, field) = {
  write(filename, field); /* Create and write the number field to the file */
}

{
for (n_i = 1, #ns - 1,
  n = ns[n_i];
  filename = Str("cyclotomic_field_", n, ".txt");
  /* Attempt to read the number field from the file */
  K = read_field(filename);
  if (!K,
    /* File does not exist, compute the cyclotomic polynomial and number field */
    P = polcyclo(n);
    print1("Computing the ", n, "-th cyclotomic number field defined by the irreducible polynomial: ", P, " of degree: ", poldegree(P));
    K = nfinit(P);
    /* Store the number field in the file */
    write_field(filename, K);
    print("... Completed and stored.");
  ,
    P = K.pol;
    print("Using Stored number field...\nThe ", n, "-th cyclotomic number field\ndefined by the irreducible polynomial: ", P, " of degree: ", poldegree(P));
  );
  if (verbose,
    print("/********************************");
    print("Generating starting primes since ");
    print("we don't have a quantum computer");
    print("*********************************/");
  );
  [S, F] = [0, 0];
  if (verbose,
    print("**************************");
    print("Number of tests: ", NUM_TEST);
    print("**************************");
  );
  wall_attack = 0;     /* Wall time of the attack phase, summed over all tests (ms) */
  t0_ = getabstime();  /* Absolute CPU time, so t1_ - t0_ below is the CPU time of the whole test loop */
  for (test = 1, NUM_TEST,
    /* Generate two random primes */
    kill(ps);
    ps = vector(NUM_PRIM, i, randomprime([2^(bit-1), 2^bit]));
    /* Decompose primes in the number field K */
    Ps = vector(#ps, i, idealprimedec(K, ps[i]));
    /* Generate a random ideal in K: one prime ideal above each prime, exponent 1 */
    A = idealmul(K, 1, 1);
    for (i = 1, #Ps,
      P_above_p_i = Ps[i][random([1, #Ps[i]])];
      P_exp_p_i = 1; /* random([1, 32]); */
      A = idealmul(K, A, P_above_p_i); /* idealpow(K, P_above_p_i, P_exp_p_i)); */
    );
    /* STARTING THE ATTACK */
    /************************/
    /* Calculate the norm of the ideal A and find prime divisors */
    t0 = getwalltime();
    normA = idealnorm(K, A);
    /* Testing the known primes stands in for factoring the norm */
    p_div_normA = [];
    for (i = 1, #ps,
      if (normA % ps[i] == 0,
        p_div_normA = concat(p_div_normA, ps[i])
      )
    );
    /* Verify all primes were used to construct A */
    if (verbose, print("Assuring that we got all the primes that we constructed A from: ", ps == p_div_normA));
    /* Decompose the primes that divide the norm of A */
    if (verbose, print("Assume now that we factored the norm of the ideal A then we decompose the primes and check for each prime divide A and get its valuation: "));
    ind_pow = [];
    for (i = 1, #p_div_normA,
      P_above_p = idealprimedec(K, p_div_normA[i]);
      for (j = 1, #P_above_p,
        e = idealval(K, A, P_above_p[j]);
        if (e != 0,
          ind_pow = concat(ind_pow, [[j, e]])
        )
      )
    );
    /* Reconstruct the ideal A */
    new_A = idealmul(K, 1, 1);
    for (i = 1, #Ps,
      [pi, e_pi] = ind_pow[i];
      P_above_p_i = Ps[i][pi];
      P_exp_p_i = e_pi;
      new_A = idealmul(K, new_A, idealpow(K, P_above_p_i, P_exp_p_i));
    );
    t1 = getwalltime();
    wall_attack += t1 - t0; /* Accumulate, so t0 and t1 are not lost between tests */
    /* Check if reconstruction was successful */
    if (new_A == A,
      S += 1;
    ,
      F += 1;
    );
    kill(new_A);
    kill(Ps);
    kill(ps);
    kill(A)
  );
  t1_ = getabstime();
  print("NUMBER OF TESTS : ", NUM_TEST);
  print("SUCCESS RATE : ", S/NUM_TEST * 100, " %");
  print("AVERAGE WALL TIME: ", strtime(ceil(wall_attack/NUM_TEST)));
  print("AVERAGE CPU TIME : ", strtime(ceil((t1_-t0_)/NUM_TEST)));
  print("======================================================");
  print();
  print();
);
print("DONE");
}
\q
```

References

[1] Grover LK. A fast quantum mechanical algorithm for database search. In: Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing. STOC ’96. New York, NY, USA: Association for Computing Machinery; 1996. p. 212–9. 10.1145/237814.237866.

[2] Shor PW. Algorithms for quantum computation: discrete logarithms and factoring. In: Proceedings 35th Annual Symposium on Foundations of Computer Science; 1994. p. 124–34. 10.1109/SFCS.1994.365700.

[3] Regev O. On lattices, learning with errors, random linear codes, and cryptography. New York, NY, USA: Association for Computing Machinery; 2005. 10.1145/1060590.1060603.

[4] Lyubashevsky V, Peikert C, Regev O. On ideal lattices and learning with errors over rings. In: Gilbert H, editor. Advances in cryptology - EUROCRYPT 2010. Berlin, Heidelberg: Springer Berlin Heidelberg; 2010. p. 1–23. 10.1007/978-3-642-13190-5_1.

[5] Stehlé D, Steinfeld R, Tanaka K, Xagawa K. Efficient public key encryption based on ideal lattices. In: Matsui M, editor. Advances in cryptology - ASIACRYPT 2009. Berlin, Heidelberg: Springer Berlin Heidelberg; 2009. p. 617–35. 10.1007/978-3-642-10366-7_36.

[6] Lindner R, Peikert C. Better key sizes (and attacks) for LWE-based encryption. In: Kiayias A, editor. Topics in Cryptology - CT-RSA 2011. Berlin, Heidelberg: Springer; 2011. p. 319–39. 10.1007/978-3-642-19074-2_21.

[7] Peikert C. A decade of lattice cryptography; 2016. http://dx.doi.org/10.1561/0400000074.

[8] Peikert C, Pepin Z. Algebraically structured LWE, Revisited. In: Hofheinz D, Rosen A, editors. Theory of Cryptography. Cham: Springer International Publishing; 2019. p. 1–23. 10.1007/978-3-030-36030-6_1.

[9] Fouque PA, Hoffstein J, Kirchner P, Lyubashevsky V, Pornin T, Prest T, et al. Falcon: Fast-Fourier lattice-based compact signatures over NTRU. Submission to the NIST’s post-quantum cryptography standardization process. 2018;36(5):1–75.

[10] Ducas L, Kiltz E, Lepoint T, Lyubashevsky V, Schwabe P, Seiler G, et al. CRYSTALS-Dilithium: A lattice-based digital signature scheme. Transactions on cryptographic hardware and embedded systems. 2018;2018(1):238–68. 10.46586/tches.v2018.i1.238-268.

[11] Bos J, Ducas L, Kiltz E, Lepoint T, Lyubashevsky V, Schanck JM, et al. CRYSTALS - Kyber: A CCA-Secure module-lattice-based KEM. In: 2018 IEEE European Symposium on Security and Privacy (EuroS&P); 2018. p. 353–67. 10.1109/EuroSP.2018.00032.

[12] Alagic G, Apon D, Cooper D, Dang Q, Dang T, Kelsey J, et al. Status report on the third round of the NIST post-quantum cryptography standardization process. USA: US Department of Commerce, NIST. 2022. 10.6028/NIST.IR.8413.

[13] Lenstra AK, Lenstra HW, Lovász LM. Factoring polynomials with rational coefficients. Mathematische Annalen. 1982;261:515–34. https://api.semanticscholar.org/CorpusID:5701340. 10.1007/BF01457454.

[14] Zhao Z, Ding J. Practical improvements on BKZ algorithm. In: Dolev S, Gudes E, Paillier P, editors. Cyber Security, Cryptology, and Machine Learning. Cham: Springer Nature Switzerland; 2023. p. 273–84. 10.1007/978-3-031-34671-2_19.

[15] Albrecht M, Ducas L, Herold G, Kirshanova E, Postlethwaite E, Stevens M. The General Sieve Kernel and New Records in Lattice Reduction. In: EUROCRYPT 2019. Lecture Notes in Computer Science. Springer; 2019. p. 717–46. 10.1007/978-3-030-17656-3_25.

[16] Kirchner P, Fouque PA. Revisiting lattice attacks on overstretched NTRU parameters. In: Coron JS, Nielsen JB, editors. Advances in cryptology - EUROCRYPT 2017. Cham: Springer International Publishing; 2017. p. 3–26. 10.1007/978-3-319-56620-7_1.

[17] Micheli GD, Heninger N, Shani B. Characterizing overstretched NTRU attacks. J Math Cryptol. 2020;14(1):110–9. 10.1515/jmc-2015-0055 [cited 2024-07-09].

[18] Takagi T, Naito S. Construction of RSA cryptosystem over the algebraic field using ideal theory and investigation of its security. Electron Commun Japan Part III Fund Electr Sci. 2000;83:19–29. https://api.semanticscholar.org/CorpusID:119513671. 10.1002/(SICI)1520-6440(200008)83:8<19::AID-ECJC3>3.0.CO;2-0.

[19] Zhiyong Z, Fengxia L, Man C. On the high-dimensional RSA algorithm–a public key cryptosystem based on lattice and algebraic number theory. In: Zheng Z, editor. Proceedings of the Second International Forum on Financial Mathematics and Financial Technology. Singapore: Springer Nature Singapore; 2023. p. 169–89. 10.1007/978-981-99-2366-3_9.

[20] Lang S. Algebraic number theory. Graduate texts in mathematics. Springer-Verlag; 1994. 10.1007/978-1-4612-0853-2.

[21] Washington LC. Introduction to Cyclotomic Fields. Graduate Texts in Mathematics. New York: Springer; 1997. 10.1007/978-1-4612-1934-7.

[22] Murty MR, Esmonde J. Problems in algebraic number theory. vol. 190. Springer Science & Business Media; 2005.

[23] Cohen H. A course in computational algebraic number theory. Graduate Texts in Mathematics. Berlin Heidelberg: Springer; 2000. https://books.google.co.ma/books?id=hXGr-9l1DXcC.

[24] Regev O. On the complexity of lattice problems with polynomial approximation factors. In: Nguyen PQ, Vallée B, editors. Berlin, Heidelberg: Springer Berlin Heidelberg; 2010. p. 475–96. 10.1007/978-3-642-02295-1_15.

[25] Schnorr CP. A hierarchy of polynomial time lattice basis reduction algorithms. Theoretic Comput Sci. 1987;53(2):201–24. https://www.sciencedirect.com/science/article/pii/0304397587900648. 10.1016/0304-3975(87)90064-8.

[26] Hoffstein J, Pipher J, Silverman JH. NTRU: A ring-based public key cryptosystem. In: International Workshop on Ant Colony Optimization and Swarm Intelligence; 1998. 10.1007/BFb0054868.

[27] PARI/GP version 2.15.4. Univ. Bordeaux; 2023. http://pari.math.u-bordeaux.fr/.

Received: 2024-02-10
Revised: 2024-08-27
Accepted: 2024-09-13
Published Online: 2024-11-11

© 2024 the author(s), published by De Gruyter

This work is licensed under the Creative Commons Attribution 4.0 International License.
