Several recent cryptographic constructions – including a public key encryption scheme, a fully homomorphic encryption scheme, and a candidate multilinear map construction – rely on the hardness of the short generator principal ideal problem (SG-PIP): given a $\mathbb{Z}$-basis of some principal (fractional) ideal in an algebraic number field that is guaranteed to have an exceptionally short generator, find a shortest generator of the principal ideal. The folklore approach to this problem has two steps: first, recover some arbitrary generator of the ideal, which is known as the principal ideal problem (PIP); second, solve a bounded distance decoding (BDD) problem in the log-unit lattice to transform this arbitrary generator into a shortest one. The PIP can be solved in polynomial time on quantum computers for arbitrary number fields under the generalized Riemann hypothesis, a result due to Biasse and Song. Cramer et al. showed, based on the work of Campbell et al., that the second problem can be solved in polynomial time on classical computers for cyclotomic fields of prime-power conductor. In this work, we extend the work of Cramer et al. to cyclotomic fields $K = \mathbb{Q}(\xi_m)$ of conductor $m = p^\alpha q^\beta$, where $p$, $q$ are distinct odd primes. In more detail, we show that the BDD problem in the log-unit lattice can be solved in classical polynomial time (with quantum polynomial time precomputation) under some sufficient conditions, if $(p, q)$ is an $(\alpha, \beta)$-generator prime pair, a new notion introduced in this work.
Holzer, P., Wunderer, T., & Buchmann, J. A. (2017). Recovering short generators of principal fractional ideals in cyclotomic fields of conductor $p^\alpha q^\beta$. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 10698 LNCS, pp. 346–368). Springer Verlag. https://doi.org/10.1007/978-3-319-71667-1_18
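The second step of the folklore approach described in the abstract (decoding in the log-unit lattice), as an added example that is not code from the paper or its authors. It uses the prime conductor 7, which falls in the prime-power setting of Cramer et al. rather than the $p^\alpha q^\beta$ case, with the cyclotomic units $b_j = (\zeta^j - 1)/(\zeta - 1)$ as lattice basis and plain coordinate rounding as the decoder. Assumptions: the arbitrary generator is handed over as its complex embeddings (the PIP step is skipped), roots of unity are ignored, and all function names and sample values are constructed for illustration.

```python
import cmath, math

P = 7                                # prime conductor, toy size (assumption)
HALF = (P - 1) // 2                  # number of embeddings up to conjugation
ZETA = cmath.exp(2j * cmath.pi / P)
# sigma_k(b_j) for the cyclotomic units b_j = (zeta^j - 1)/(zeta - 1), j = 2..HALF
UNITS = [[(ZETA ** (j * k) - 1) / (ZETA ** k - 1) for k in range(1, P)]
         for j in range(2, HALF + 1)]

def embed(coeffs):
    """Embeddings sigma_k(x), k = 1..P-1, of x = sum coeffs[i] * zeta^i."""
    return [sum(c * ZETA ** (k * i) for i, c in enumerate(coeffs)) for k in range(1, P)]

def times_units(emb, exps):
    """Multiply an embedding vector by prod_j b_j^exps[j]."""
    for u, e in zip(UNITS, exps):
        emb = [z * w ** e for z, w in zip(emb, u)]
    return emb

def solve(A, y):
    """Gauss-Jordan elimination with partial pivoting for square A x = y."""
    n = len(y)
    M = [row[:] + [y[i]] for i, row in enumerate(A)]
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[piv] = M[piv], M[c]
        for r in (r for r in range(n) if r != c):
            f = M[r][c] / M[c][c]
            M[r] = [a - f * b for a, b in zip(M[r], M[c])]
    return [M[i][n] / M[i][i] for i in range(n)]

def shorten(h_emb):
    """Round Log(h) to the lattice spanned by Log(b_j), then divide the unit out."""
    # Rows: log|sigma_k(.)|, k = 1..HALF; the all-ones column carries the norm part.
    A = [[math.log(abs(u[k])) for u in UNITS] + [1.0] for k in range(HALF)]
    y = [math.log(abs(z)) for z in h_emb[:HALF]]
    exps = [round(a) for a in solve(A, y)[:-1]]
    g = times_units(h_emb, [-e for e in exps])
    # Invert the embedding: a_j = (T_j - T_{P-1}) / P, T_j = sum_k sigma_k(g) zeta^(-kj)
    T = [sum(z * ZETA ** (-(k + 1) * j) for k, z in enumerate(g)) for j in range(P)]
    return exps, [round(((T[j] - T[P - 1]) / P).real) for j in range(P - 1)]

def demo(g=(3, 1, 0, 0, 0, 0), planted=(3, -2)):
    """Constructed input: short generator 3 + zeta hidden by u = b_2^3 * b_3^-2."""
    return shorten(times_units(embed(g), planted))

if __name__ == "__main__":
    print(demo())
```

Rounding recovers the planted exponents because the coordinates of Log(3 + ζ) in the basis Log(b_2), Log(b_3) are about 0.34 and 0.08, both below 1/2 in absolute value.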