Whilst lattice-based cryptosystems are believed to be resistant to quantum attack, they are often forced to pay for that security with inefficiencies in implementation. This problem is overcome by ring- and module-based schemes such as Ring-LWE or Module-LWE, whose keysize can be reduced by exploiting its algebraic structure, allowing for neater and faster computations. Many rings may be chosen to define such cryptoschemes, but cyclotomic rings, due to their cyclic nature allowing for easy multiplication, are the community standard. However, there is still much uncertainty as to whether this structure may be exploited to an adversary's benefit. In this paper, we show that the decomposition group of a cyclotomic ring of arbitrary conductor may be utilised in order to significantly decrease the dimension of the ideal (or module) lattice required to solve a given instance of SVP. Moreover, we show that there exist a large number of rational primes for which, if the prime ideal factors of an ideal lie over primes of this form, give rise to an "easy" instance of SVP. However, it is important to note that this work does not break Ring-LWE or Module-LWE, since the security reduction is from worst case ideal or module SVP to average case Ring-LWE or Module-LWE respectively, and is one way.

中文翻译：

---

基于分解组的理想SVP和子SVP子域算法

尽管人们认为基于晶格的密码系统可以抵御量子攻击，但它们常常被迫为实现这种安全性付出了低效率的代价。通过诸如Ring-LWE或Module-LWE之类的基于环和模块的方案可以克服此问题，它们的密钥大小可以通过利用其代数结构来减小，从而可以更整洁，更快地进行计算。可以选择许多环来定义这样的密码学方案，但是环原子环由于其循环特性而易于繁衍，因此是社区标准。但是，对于是否可以利用这种结构以使对手受益，仍然存在很多不确定性。在本文中，我们表明，可以利用任意导体的环环的分解基团来显着减小求解给定实例SVP所需的理想（或模块）晶格的尺寸。而且，我们表明存在大量的有理素数，如果有理想素数的理想理想因素位于这种形式的素数之上，则它们会引起SVP的“简单”实例。但是，必须注意，这项工作不会破坏Ring-LWE或Module-LWE，因为安全性降低是从最坏情况下的理想状态或模块SVP到平均情况下的Ring-LWE或Module-LWE，并且是一种方法。SVP的实例。但是，必须注意，这项工作不会破坏Ring-LWE或Module-LWE，因为安全性降低是从最坏情况下的理想状态或模块SVP到平均情况下的Ring-LWE或Module-LWE，并且是一种方法。SVP的实例。但是，必须注意，这项工作不会破坏Ring-LWE或Module-LWE，因为安全性降低是从最坏情况下的理想状态或模块SVP到平均情况下的Ring-LWE或Module-LWE，并且是一种方法。