Mildly Short Vectors in Cyclotomic Ideal Lattices in Quantum Polynomial Time.

In this article, we study the geometry of units and ideals of cyclotomic rings and derive an algorithm to find a mildly short vector in any given cyclotomic ideal lattice in quantum polynomial time, under some plausible number-theoretic assumptions. More precisely, given an ideal lattice of the cyclotomic ring of conductor m, the algorithm finds an approximation of the shortest vector by a factor exp(-õ (vm)). This result exposes an unexpected hardness gap between these structured lattices and general lattices: The best known polynomial time generic lattice algorithms can only reach an approximation factor exp(-O (m)). Following a recent series of attacks, these results call into question the hardness of various problems over structured lattices, suchas Ideal-SVP and Ring-LWE, upon which relies the security of a number of cryptographic schemes. [ABSTRACT FROM AUTHOR]