Name: Recovering short generators of principal ideals in cyclotomic fields of pq-order

Abstract: Several proposed cryptographic protocols based on ideal lattices, such as Soliloquy encryption scheme or Smart and Vercauteren homomorphic encryption, use principal ideals with short generators in cyclotomic fields. It was later suggested ([1], [2]) to use the logarithm embedding to recover such generator. A rigorous proof for such attack was later provided by [3] for the case when the cyclotomic ring has a prime-power order. In this talk, we will discuss how to modify the aforementioned methods from prime-power cyclotomic fields to cyclotomic fields of order pq, which is a product of two distinct odd primes.

[1] P. Campbell, M. Groves, D. Shepherd: SOLILOQUY: A Cautionary Tale [2] D. Bernstein: A subfield-logarithm attack against ideal lattices [3] L. Ducas, R. Cramer, C. Peikert, O. Regev: Recovering Short Generators of Principal Ideals in Cyclotomic Rings