pith. sign in

arxiv: 2604.15858 · v2 · submitted 2026-04-17 · 💻 cs.CR · quant-ph

Module Lattice Security (Part I): Unconditional Verification of Weber's Conjecture for k le 12

Ming-Xing Luo This is my paper

Pith reviewed 2026-05-10 08:08 UTC · model grok-4.3

classification 💻 cs.CR quant-ph
keywords Weber's conjecturemodule latticeslattice-based cryptographyunconditional proofcyclotomic Z_2-towerprincipal ideal problemRing-LWEHerbrand's theorem
0
0 comments X

The pith

Weber's conjecture holds unconditionally for k ≤ 12 in module lattice security.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper gives the first proof of Weber's conjecture without assuming the generalized Riemann hypothesis, but only for k up to 12. Weber's conjecture controls whether the principal ideal problem can be solved, whether certain modules over integer rings are free, and whether worst-case to average-case reductions stay tight in ring-LWE and module-LWE problems. Earlier checks for k at or above 9 had to rely on the unproven hypothesis. The new argument uses a computational sieve that runs along the layers of the cyclotomic Z_2-tower and applies a classical theorem on class numbers to finish the verification. A sympathetic reader would care because lattice-based cryptography can now rest on firmer ground for these small parameter values.

Core claim

We present the first unconditional proof for k ≤ 12. Our method combines the Fukuda-Komatsu computational sieve, inductive structure of the cyclotomic Z_2-tower, and Herbrand's theorem.

What carries the argument

The Fukuda-Komatsu computational sieve applied inductively through the cyclotomic Z_2-tower together with Herbrand's theorem.

If this is right

  • For k ≤ 12 the principal ideal problem becomes solvable in the corresponding rings of integers.
  • Modules over these rings satisfy the freeness property asserted by the conjecture.
  • Worst-case to average-case reductions for Ring-LWE and Module-LWE remain tight without any hypothesis.
  • Security proofs for lattice-based cryptosystems using these parameters can be written unconditionally.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Practical cryptosystems whose security reductions use k ≤ 12 can drop the generalized Riemann hypothesis from their statements.
  • The same inductive sieve technique might eventually reach larger k if computational resources grow.
  • The result isolates the exact point where number-theoretic conjectures still block unconditional proofs in module-lattice cryptography.

Load-bearing premise

The Fukuda-Komatsu computational sieve together with the inductive structure of the cyclotomic Z_2-tower and Herbrand's theorem suffices to finish the verification for k ≤ 12.

What would settle it

A counterexample to Weber's conjecture for any single k between 1 and 12, or a concrete error in the output of the Fukuda-Komatsu sieve on the relevant cyclotomic fields.

read the original abstract

Weber's conjecture (1886) governs three aspects of lattice-based cryptography: the solvability of the Principal Ideal Problem, the freeness of modules over rings of integers, and the tightness of worst-case-to-average-case reductions in Ring-LWE (R-LWE) and Module-LWE (MLWE). Existing verifications for $k \ge 9$ rely on Generalized Riemann Hypothesis (GRH). In this paper, we present the first unconditional proof for $k \le 12$. Our method combines the Fukuda-Komatsu computational sieve, inductive structure of the cyclotomic $\mathbb{Z}_2$-tower, and Herbrand's theorem.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 1 minor

Summary. The manuscript claims to provide the first unconditional proof of Weber's conjecture for k ≤ 12. The proof combines the Fukuda-Komatsu computational sieve with induction along the cyclotomic Z_2-tower and an application of Herbrand's theorem, removing the Generalized Riemann Hypothesis dependence required in prior verifications for k ≥ 9.

Significance. If the central claim holds, the result would strengthen the foundations of lattice-based cryptography by establishing unconditional guarantees on the Principal Ideal Problem, module freeness over rings of integers, and the tightness of worst-case-to-average-case reductions for Ring-LWE and Module-LWE at small k. The computational verification via sieve combined with an inductive tower argument constitutes a concrete, falsifiable contribution that could be checked for small k.

major comments (1)
  1. [Inductive step and Herbrand application (likely §4 or §5)] The inductive step invoking Herbrand's theorem on the 2-primary part of the class group in the cyclotomic Z_2-tower requires explicit justification. Herbrand's theorem classically equates the p-part of the class group to a Bernoulli criterion for odd p; the p=2 case involves extra 2-adic unit contributions and possible capitulation phenomena. The manuscript must show (with a cited reference or self-contained argument valid up to k=12) that the Fukuda-Komatsu sieve outputs plus induction yield the conjecture unconditionally without hidden hypotheses on the 2-adic side.
minor comments (1)
  1. The abstract would be clearer if it listed the exact k values for which explicit sieve outputs are provided and stated the computational resources or bounds used in the Fukuda-Komatsu sieve.

Simulated Author's Rebuttal

1 responses · 0 unresolved

We thank the referee for their careful reading of the manuscript and for the constructive comment on the inductive step. We have revised the paper to provide the requested explicit justification.

read point-by-point responses

  1. Referee: [Inductive step and Herbrand application (likely §4 or §5)] The inductive step invoking Herbrand's theorem on the 2-primary part of the class group in the cyclotomic Z_2-tower requires explicit justification. Herbrand's theorem classically equates the p-part of the class group to a Bernoulli criterion for odd p; the p=2 case involves extra 2-adic unit contributions and possible capitulation phenomena. The manuscript must show (with a cited reference or self-contained argument valid up to k=12) that the Fukuda-Komatsu sieve outputs plus induction yield the conjecture unconditionally without hidden hypotheses on the 2-adic side.

    Authors: We agree that the original sketch in §5 was insufficiently detailed on the p=2 case. In the revised manuscript we have inserted a new subsection (now §4.3) that supplies a self-contained argument valid through k=12. We invoke the 2-primary version of Herbrand's theorem as stated in Washington, Introduction to Cyclotomic Fields, 2nd ed., Theorem 8.14 together with the explicit description of the 2-adic units in the cyclotomic tower (loc. cit., §8.3). For the layers up to k=12 the Fukuda-Komatsu sieve directly computes the relevant class-group 2-parts and the unit indices; these computations show that no non-trivial capitulation occurs in the tower steps. Consequently the inductive lift from the verified base cases (k≤8) to k=12 proceeds unconditionally, with no additional hypotheses on the 2-adic side. The new subsection includes the explicit sieve output tables and the unit-index calculations that justify the claim. revision: yes

Circularity Check

0 steps flagged

No circularity: derivation rests on external computational sieve and classical theorems

full rationale

The paper's central claim is an unconditional verification for k≤12 obtained by combining the Fukuda-Komatsu sieve (a computational procedure whose outputs are independently checkable), the inductive structure of the cyclotomic Z_2-tower, and Herbrand's theorem. No step is shown to reduce by definition or by self-citation to a fitted parameter or to the target conjecture itself. The abstract and provided excerpts contain no self-referential definitions, no renaming of known results as new predictions, and no load-bearing self-citations. The derivation is therefore self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 0 invented entities

Review performed on abstract only; full derivation and any additional axioms are not visible.

axioms (2)
  • standard math Herbrand's theorem on class groups
    Invoked as part of the proof method.
  • domain assumption Inductive structure of the cyclotomic Z_2-tower
    Used to extend the verification across k values.

pith-pipeline@v0.9.0 · 5407 in / 1163 out tokens · 44838 ms · 2026-05-10T08:08:40.489637+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

68 extracted references · 68 canonical work pages

  1. [1]

    P. W. Shor. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer.SIAM Journal on Computing, 26:1484-1509, 1997

    work page 1997

  2. [2]

    FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard

    NIST. FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard. Technical report, National Institute of Standards and Technology, 2024

    work page 2024

  3. [3]

    FIPS 204: Module-Lattice-Based Digital Signature Standard

    NIST. FIPS 204: Module-Lattice-Based Digital Signature Standard. Technical report, National Institute of Standards and Technology, 2024

    work page 2024

  4. [4]

    FIPS 205: Stateless Hash-Based Digital Signature Standard

    NIST. FIPS 205: Stateless Hash-Based Digital Signature Standard. Technical report, National Institute of Standards and Technology, 2024

    work page 2024

  5. [5]

    FIPS 206 (Draft): FFT (Fast-Fourier Transform) over NTRU-Lattice-Based Digital Signature Standard

    NIST. FIPS 206 (Draft): FFT (Fast-Fourier Transform) over NTRU-Lattice-Based Digital Signature Standard. Technical report, National Institute of Standards and Technology, 2024

    work page 2024

  6. [6]

    Lyubashevsky, C

    V. Lyubashevsky, C. Peikert, and O. Regev. On ideal lattices and learning with errors over rings.Journal of the ACM, 60(6):Art. 43, 2013

    work page 2013

  7. [7]

    C. Peikert. A decade of lattice cryptography.Foundations and Trends in Theoretical Computer Science, 10:283-424, 2016

    work page 2016

  8. [8]

    Lyubashevsky, C

    V. Lyubashevsky, C. Peikert, and O. Regev. On ideal lattices and learning with errors over rings. InAdvances in Cryptology - EUROCRYPT 2010, volume 6110 ofLecture Notes in Computer Science, pages 1-23. Springer, 2010

    work page 2010

  9. [9]

    O. Regev. On lattices, learning with errors, random linear codes, and cryptography. In Proceedings of the 37th Annual ACM Symposium on Theory of Computing (STOC 2005), pages 84-93, 2005

    work page 2005

  10. [10]

    H. Weber. Theorie der abel’schen zahlk¨ orper.Acta Mathematica, 8:193-263, 1886

    work page

  11. [11]

    Cramer, L

    R. Cramer, L. Ducas, C. Peikert, and O. Regev. Recovering short generators of principal ideals in cyclotomic rings. InAdvances in Cryptology - EUROCRYPT 2016, volume 9666 ofLecture Notes in Computer Science, pages 559-585. Springer, 2016

    work page 2016

  12. [12]

    Biasse and F

    J.-F. Biasse and F. Song. Efficient quantum algorithms for computing class groups and solving the principal ideal problem in arbitrary degree number fields. InProceedings of the Twenty-Seventh Annual ACM-SIAM Symposium on Discrete Algorithms (SODA 2016), pages 893-902. SIAM, 2016

    work page 2016

  13. [13]

    Campbell, M

    P. Campbell, M. Groves, and D. Shepherd. Soliloquy: A cautionary tale. InETSI 2nd Quantum-Safe Crypto Workshop, 2014

    work page 2014

  14. [14]

    Eisentr¨ ager, S

    K. Eisentr¨ ager, S. Hallgren, A. Kitaev, and F. Song. A quantum algorithm for computing the unit group of an arbitrary degree number field. InProceedings of the 46th Annual ACM Symposium on Theory of Computing (STOC 2014), pages 293-302, 2014

    work page 2014

  15. [15]

    Cramer, L

    R. Cramer, L. Ducas, and B. Wesolowski. Short stickelberger class relations and application to ideal-svp. InAdvances in Cryptology-EUROCRYPT 2017, volume 10210 ofLecture Notes in Computer Science, pages 324-348. Springer, 2017. 21

    work page 2017

  16. [16]

    Langlois and D

    A. Langlois and D. Stehl´ e. Worst-case to average-case reductions for module lattices. Designs, Codes and Cryptography, 75:565-599, 2015

    work page 2015

  17. [17]

    Alkim, L

    E. Alkim, L. Ducas, T. P¨ oppelmann, and P. Schwabe. Post-quantum key exchange – a new hope. In25th USENIX Security Symposium (USENIX Security 16), pages 327-343. USENIX Association, 2016

    work page 2016

  18. [18]

    Ducas, E

    L. Ducas, E. Kiltz, T. Lepoint, V. Lyubashevsky, P. Schwabe, G. Seiler, and D. Stehl´ e. CRYSTALS-Dilithium: A lattice-based digital signature scheme.Transactions on Crypto- graphic Hardware and Embedded Systems (TCHES), 2018(1):238-268, 2018

    work page 2018

  19. [19]

    Peikert, O

    C. Peikert, O. Regev, and N. Stephens-Davidowitz. Pseudorandomness of ring-lwe for any ring and modulus. InProceedings of the 49th Annual ACM Symposium on Theory of Computing (STOC 2017), pages 461-473, 2017

    work page 2017

  20. [20]

    H. Bauer. Numerische bestimmung von klassenzahlen reeller zyklischer zahlk¨ orper.Journal of Number Theory, 1:161-162, 1969

    work page 1969

  21. [21]

    F. J. van der Linden. Class number computations of real abelian number fields.Mathematics of Computation, 39:693-707, 1982

    work page 1982

  22. [22]

    Fukuda and K

    T. Fukuda and K. Komatsu. Weber’s class number problem in the cyclotomic Z2-extension ofQ.Experimental Mathematics, 18:213-222, 2009

    work page 2009

  23. [23]

    J. C. Miller. Class numbers of totally real fields and applications to the weber class number problem.Acta Arithmetica, 164:381-398, 2014

    work page 2014

  24. [24]

    Fukuda and K

    T. Fukuda and K. Komatsu. Weber’s class number problem in the cyclotomic Z2-extension ofQ, III.International Journal of Number Theory, 7:1627-1635, 2011

    work page 2011

  25. [25]

    J. M. Masley. Solution of the class number two problem for cyclotomic fields.Inventiones Mathematicae, 28:243-244, 1975

    work page 1975

  26. [26]

    W. Sinnott. On the stickelberger ideal and the circular units of a cyclotomic field.Annals of Mathematics, 108:107-134, 1978

    work page 1978

  27. [27]

    L. C. Washington.Introduction to Cyclotomic Fields. Springer, 2nd edition, 1997

    work page 1997

  28. [28]

    E. Bach. Explicit bounds for primality testing and related problems.Mathematics of Computation, 55:355-380, 1990

    work page 1990

  29. [29]

    R. Schoof. Minus class groups of the fields of the ℓ-th roots of unity.Mathematics of Computation, 67:1225-1245, 1998

    work page 1998

  30. [30]

    R. Schoof. Class numbers of real cyclotomic fields of prime conductor.Mathematics of Computation, 72:913-937, 2003

    work page 2003

  31. [31]

    K. Iwasawa. On γ-extensions of algebraic number fields.Bulletin of the American Mathe- matical Society, 65:183-226, 1959

    work page 1959

  32. [32]

    K. Iwasawa. On Zl-extensions of algebraic number fields.Annals of Mathematics, 98:246-326, 1973

    work page 1973

  33. [33]

    Ferrero and L

    B. Ferrero and L. C. Washington. The iwasawa invariant µp vanishes for abelian number fields.Annals of Mathematics, 109:377-395, 1979

    work page 1979

  34. [34]

    Greenberg

    R. Greenberg. On the Iwasawa invariants of totally real number fields.American Journal of Mathematics, 98:263-284, 1976. 22

    work page 1976

  35. [35]

    Greenberg

    R. Greenberg. Iwasawa theory-past and present.Advanced Studies in Pure Mathematics, 30:335-385, 2001

    work page 2001

  36. [36]

    Ozaki and H

    M. Ozaki and H. Taya. On the iwasawa λ2-invariants of certain families of real quadratic fields.Manuscripta Mathematica, 94:437-444, 1997

    work page 1997

  37. [37]

    J. S. Kraft and R. Schoof. Computing iwasawa modules of real quadratic number fields. Compositio Mathematica, 97:135-155, 1995

    work page 1995

  38. [38]

    F. Thaine. On the ideal class groups of real abelian number fields.Annals of Mathematics, 128:1-18, 1988

    work page 1988

  39. [39]

    V. A. Kolyvagin. Euler systems. InThe Grothendieck Festschrift, volume II, pages 435-483. Birkh¨ auser, 1990

    work page 1990

  40. [40]

    K. Rubin. Global units and ideal class groups.Inventiones Mathematicae, 89:511-526, 1987

    work page 1987

  41. [41]

    Rubin.Euler Systems, volume 147 ofAnnals of Mathematics Studies

    K. Rubin.Euler Systems, volume 147 ofAnnals of Mathematics Studies. Princeton University Press, 2000

    work page 2000

  42. [42]

    Micciancio

    D. Micciancio. Generalized compact knapsacks, cyclic lattices, and efficient one-way functions. Computational Complexity, 16:365-411, 2007

    work page 2007

  43. [43]

    Ideal-SVP is hard for small-norm uniform prime ideals

    Jo¨ el Felderhoff, Alice Pellet-Mary, Damien Stehl´ e, and Benjamin Wesolowski. Ideal-SVP is hard for small-norm uniform prime ideals. InTheory of Cryptography-TCC 2023, volume 14372 ofLNCS, pages 63-92. Springer, 2023

    work page 2023

  44. [44]

    Cryptanalysis of rank-2 module- LIP: A single real embedding is all it takes

    Bill Allombert, Alice Pellet-Mary, and Wessel van Woerden. Cryptanalysis of rank-2 module- LIP: A single real embedding is all it takes. InAdvances in Cryptology-EUROCRYPT 2025, volume 15602 ofLNCS, pages 193-224. Springer, 2025

    work page 2025

  45. [45]

    Predicting module-lattice reduction

    L´ eo Ducas, Thomas Espitau, and Alice Postlethwaite. Predicting module-lattice reduction. Cryptology ePrint Archive, Report 2025/1904, 2025

    work page 2025

  46. [46]

    H. W. Lenstra, Jr. Factoring integers with elliptic curves.Annals of Mathematics, 126:649- 673, 1987

    work page 1987

  47. [47]

    Zimmermann et al

    P. Zimmermann et al. GMP-ECM: Elliptic curve method for integer factorization. https: //gitlab.inria.fr/zimmerma/ecm, 2023

    work page 2023

  48. [48]

    Neukirch.Algebraic Number Theory

    J. Neukirch.Algebraic Number Theory. Springer, 1999

    work page 1999

  49. [49]

    Lang.Algebraic Number Theory

    S. Lang.Algebraic Number Theory. Springer, 2nd edition, 1994

    work page 1994

  50. [50]

    C. W. Curtis and I. Reiner.Representation Theory of Finite Groups and Associative Algebras. Wiley, 1962

    work page 1962

  51. [51]

    Stickelberger

    L. Stickelberger. ¨Uber eine verallgemeinerung der kreistheilung.Mathematische Annalen, 37:321-367, 1890

    work page

  52. [52]

    Iwasawa module of the cyclotomic Z2-extension of certain real quadratic fields

    Josu´ e´Avila. Iwasawa module of the cyclotomic Z2-extension of certain real quadratic fields. The Ramanujan Journal, 67(1), 2025

    work page 2025

  53. [53]

    Laxmi and Anupam Saikia

    H. Laxmi and Anupam Saikia. Z2-extension of real quadratic fields with Z/2Z as 2-class group at each layer.The Ramanujan Journal, 64(4), 2024

    work page 2024

  54. [54]

    Iwaniec and E

    H. Iwaniec and E. Kowalski.Analytic Number Theory, volume 53 ofAmerican Mathematical Society Colloquium Publications. American Mathematical Society, 2004. 23

    work page 2004

  55. [55]

    Louboutin

    S. Louboutin. Explicit bounds for residues of dedekind zeta functions, values of l-functions ats= 1, and relative class numbers.Journal of Number Theory, 85:263-282, 2000

    work page 2000

  56. [56]

    J. B. Conrey and K. Soundararajan. Real zeros of quadratic dirichletl-functions.Inventiones Mathematicae, 150:1-44, 2002

    work page 2002

  57. [57]

    Herbrand

    J. Herbrand. Sur les classes des corps circulaires.Journal de Math´ ematiques Pures et Appliqu´ ees, 11:417-441, 1932

    work page 1932

  58. [58]

    K. A. Ribet. A modular construction of unramified p-extensions of Q(µp).Inventiones Mathematicae, 34:151-162, 1976

    work page 1976

  59. [59]

    A. K. Lenstra and H. W. Lenstra, Jr. editors.The Development of the Number Field Sieve, volume 1554 ofLecture Notes in Mathematics. Springer, 1993

    work page 1993

  60. [60]

    Cado-nfs: An implementation of the number field sieve algorithm.https://cado-nfs.gitlabpages.inria.fr, 2023

    The CADO-NFS Development Team. Cado-nfs: An implementation of the number field sieve algorithm.https://cado-nfs.gitlabpages.inria.fr, 2023

    work page 2023

  61. [61]

    Boudot, P

    E. Boudot, P. Gaudry, A. Guillevic, N. Heninger, E. Thom´ e, and P. Zimmermann. Comparing the difficulty of factorization and discrete logarithm: A 240-digit experiment. InAdvances in Cryptology - CRYPTO 2020, volume 12171 ofLecture Notes in Computer Science, pages 62-91. Springer, 2020

    work page 2020

  62. [62]

    Peikert and A

    C. Peikert and A. Rosen. Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. InTheory of Cryptography (TCC 2006), volume 3876 ofLecture Notes in Computer Science, pages 145-166. Springer, 2006

    work page 2006

  63. [63]

    Brakerski, C

    Z. Brakerski, C. Gentry, and V. Vaikuntanathan. (Leveled) fully homomorphic encryption without bootstrapping. InProceedings of the 3rd Innovations in Theoretical Computer Science Conference (ITCS 2012), pages 309-325, 2012

    work page 2012

  64. [64]

    M. R. Albrecht, A. Cini, R. Player, S. Sheridan, and J. Xu. Revisiting the concrete security of module-lwe. InAdvances in Cryptology - ASIACRYPT 2018, volume 11272 ofLecture Notes in Computer Science, pages 370-399. Springer, 2018

    work page 2018

  65. [65]

    Micciancio and O

    D. Micciancio and O. Regev. Worst-case to average-case reductions based on gaussian measures.SIAM Journal on Computing, 37:267-302, 2007

    work page 2007

  66. [66]

    Rosca, D

    M. Rosca, D. Stehl´ e, and A. Wallet. On the ring-lwe and polynomial-lwe problems. In Advances in Cryptology-EUROCRYPT 2018, volume 10820 ofLecture Notes in Computer Science, pages 146-173. Springer, 2018

    work page 2018

  67. [67]

    J. Coates. p-adic l-functions and Iwasawa’s theory. InAlgebraic Number Fields (Durham Symposium), pages 269-353. Academic Press, 1977

    work page 1977

  68. [68]

    Ichimura

    H. Ichimura. Note on the class numbers of certain real cyclotomic fields.Abhandlungen aus dem Mathematischen Seminar der Universit¨ at Hamburg, 84:57-62, 2014. 24

    work page 2014