Fast Reduction of Algebraic Lattices over Cyclotomic Fields.

We describe two very efficient polynomial-time algorithms for reducing module lattices defined over arbitrary cyclotomic fields that solve the \\(\\gamma \\)-Hermite Module-SVP problem. They both exploit the structure of tower fields and the second one also uses the symplectic geometry existing in these fields. We conjecture that a rank-2 module over a cyclotomic field of degree n with B-bit coefficients can be heuristically reduced within approximation factor \\(2^{\\widetilde{\\text {O}}\\left( n\\right) }\\) in time \\(\\widetilde{\\text {O}}\\left( n^2B\\right) \\). In the symplectic algorithm, if the condition number C of the input matrix is large enough, this complexity shrinks to \\(\\widetilde{\\text {O}}\\left( n^{\\log _2 3}C\\right) \\). In cryptography, matrices are well-conditioned and we can take \\(C=B\\), but in the worst case, C can be as large as nB. This last result is particularly striking as for some matrices, we can go below the \\(n^2B\\) swaps lower bound given by the analysis of LLL based on the potential. These algorithms are parallel and we provide a full implementation. We apply them on multilinear cryptographic concrete parameters by reducing matrices of dimension 4096 with 6675-bit integers in 4 days. Finally, we give a quasicubic time for the Gentry-Szydlo algorithm and run it in dimension 1024. It requires efficient ideal multiplications which need fast lattice reductions.