
Computational 2013.07 talk slide online: algebraic number theory I - PowerPoint PPT Presentation

Computational algebraic number theory tackles lattice-based cryptography. Daniel J. Bernstein, University of Illinois at

I think NTRU should switch to random prime-degree extensions with big Galois groups.


  1–4. Typical lattice advertisement: “Because finding short vectors in high-dimensional lattices has been a notoriously hard algorithmic question for hundreds of years … we have solid and unique evidence that lattice-based cryptoschemes are secure.”

  No. Dangerous exaggeration! There are many obvious gaps between lattice-based systems and the classic lattice problems: e.g., the systems use ideals. Important to study these gaps.

  2009 Smart–Vercauteren, “Fully homomorphic encryption with relatively small key and ciphertext sizes”: “Recovering the private key given the public key is therefore an instance of the small principal ideal problem: … Given a principal ideal … compute a ‘small’ generator of the ideal. This is one of the core problems in computational number theory and has formed the basis of previous cryptographic proposals, see for example [3].”

  (Fragments of a later slide on cyclotomics bleed into slides 1–3 and are only partly recoverable: “advantage of the usual cyclotomics: minor speedup” / “advantage often claimed: ‘security reductions’ … this really an advantage?” / “is negatively correlated” / “a principal strength of reductions” / “Disadvantage of cyclotomics: … more symmetries” / “scary attack strategy” / “Already serious damage … some lattice-based systems” / “concerns about other systems”.)

  5–8. Smart–Vercauteren, continued: “There are currently two approaches to the problem. … In conclusion determining the private key given only the public key is an instance of a classical and well studied problem in algorithmic number theory. In particular there are no efficient solutions for this problem, and the only sub-exponential method does not find a solution which is equivalent to our private key.”

  9–12. In fact, the classical studies focus on small dimensions: e.g., make table of class numbers for many quadratic fields, make table of class numbers for many cubic fields. Highlights multiplicative issues. Low-dim lattice issues are easy. Far fewer papers consider scalability of the algorithmic ideas to much larger dimensions.

  13–20. The short-generator problem. Take degree-n number field K, i.e. field K ⊆ C with len_Q K = n. (Weaker specification: field K with Q ⊆ K and len_Q K = n.)

  e.g. n = 2; K = Q(i) = Q ⊕ Qi ≅ Q[x]/(x² + 1).
  e.g. n = 256; ζ = exp(πi/n); K = Q(ζ) ≅ Q[x]/(xⁿ + 1).
  e.g. n = 660; ζ = exp(2πi/661); K = Q(ζ) ≅ Q[x]/(xⁿ + ··· + 1).
  e.g. K = Q(√2, √3, √5, …, √29).

  21–28. Define O = Z̄ ∩ K (Z̄ = the ring of all algebraic integers); subring of K, ≅ Zⁿ as Z-modules. Nonzero ideals of O factor uniquely as products of powers of prime ideals of O.

  e.g. K = Q(i) ≅ Q[x]/(x² + 1) ⇒ O = Z[i] ≅ Z[x]/(x² + 1).
  e.g. ζ = exp(πi/256), K = Q(ζ) ⇒ O = Z[ζ] ≅ Z[x]/(x²⁵⁶ + 1).
  e.g. ζ = exp(2πi/661), K = Q(ζ) ⇒ O = Z[ζ] ≅ ···.
  e.g. K = Q(√5) ⇒ O = Z[(1 + √5)/2] ≅ Z[x]/(x² − x − 1).

  29–32. The short-generator problem: Find “short” nonzero g ∈ O given the principal ideal gO.

  e.g. ζ = exp(πi/4); K = Q(ζ); O = Z[ζ] ≅ Z[x]/(x⁴ + 1). The Z-submodule of O generated by
  201 − 233ζ − 430ζ² − 712ζ³,
  935 − 1063ζ − 1986ζ² − 3299ζ³,
  979 − 1119ζ − 2092ζ² − 3470ζ³,
  718 − 829ζ − 1537ζ² − 2546ζ³
  is an ideal I of O. Can you find a short g ∈ O such that I = gO?

  33–38. The lattice perspective: Use LLL to quickly find short elements of lattice ZA + ZB + ZC + ZD where
  A = (201, −233, −430, −712);
  B = (935, −1063, −1986, −3299);
  C = (979, −1119, −2092, −3470);
  D = (718, −829, −1537, −2546).

  Find (3, 1, 4, 1) as −37A + 3B − 7C + 16D. This was my original g. Also find, e.g., (−4, −1, 3, 1). Multiplying by root of unity (here ζ²) preserves shortness.

  39–44. For much larger n: LLL almost never finds g. Big gap between size of g and size of “short” vectors that LLL typically finds in I. Increased BKZ block size: reduced gap but slower. Fancier lattice algorithms: Under reasonable assumptions, 2015 Laarhoven–de Weger finds g in time ≈ 1.23ⁿ. Big progress compared to, e.g., 2008 Nguyen–Vidick (≈ 1.33ⁿ) but still exponential time.
  44. The lattice perspective For much larger n : Use LLL to quickly find LLL almost never finds g . short elements of lattice Big gap between size of g Z A + Z B + Z C + Z D where and size of “short” vectors A = (201 ; − 233 ; − 430 ; − 712) ; that LLL typically finds in I . B = (935 ; − 1063 ; − 1986 ; − 3299) ; Increased BKZ block size: C = (979 ; − 1119 ; − 2092 ; − 3470) ; reduced gap but slower. D = (718 ; − 829 ; − 1537 ; − 2546) : Fancier lattice algorithms: Find (3 ; 1 ; 4 ; 1) as Under reasonable assumptions, − 37 A + 3 B − 7 C + 16 D . 2015 Laarhoven–de Weger This was my original g . finds g in time ≈ 1 : 23 n . Also find, e.g., ( − 4 ; − 1 ; 3 ; 1). Big progress compared to, e.g., 2008 Nguyen–Vidick ( ≈ 1 : 33 n ) Multiplying by root of unity (here “ 2 ) preserves shortness. but still exponential time.
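The lattice step above, together with the check that the slide's question ("I = gO?") calls for, as an added worked example (added here; not code from the slides, from Sage, or from any lattice library): exact-rational LLL with δ = 0.99 on A, B, C, D, followed by a comparison of |N_{K/Q}(v)| for the short vector v against the norm of the ideal. Every v ∈ gO is g·h with |N(v)| = |N(g)|·|N(h)|, so v generates gO exactly when |N(v)| = |N(g)| = 601; a short vector with a larger norm is the "αO ≠ gO" case of the next slide. Python 3 standard library only; the names SLIDE_BASIS, G, is_generator and the other identifiers are this example's own.

```python
"""Exact LLL on the slide's 4-dimensional lattice, plus the generator check.
Added example (not code from the slides); Python 3 standard library only.
Exact Fraction arithmetic is fine in dimension 4 and sidesteps the
floating-point issues that real LLL implementations have to manage."""
from fractions import Fraction

# The slide's A, B, C, D as coefficient vectors of 1, z, z^2, z^3 in
# O = Z[z] = Z[x]/(x^4 + 1), z = exp(pi*i/4).
SLIDE_BASIS = [(201, -233, -430, -712), (935, -1063, -1986, -3299),
               (979, -1119, -2092, -3470), (718, -829, -1537, -2546)]
G = (3, 1, 4, 1)  # the generator the slide recovers; |N(g)| = 601 (computed below)

def dot(u, v):
    return sum(x * y for x, y in zip(u, v))

def det(rows):
    """Exact determinant by Gaussian elimination over Q."""
    m = [[Fraction(x) for x in r] for r in rows]
    d = Fraction(1)
    for i in range(len(m)):
        piv = next((r for r in range(i, len(m)) if m[r][i] != 0), None)
        if piv is None:
            return 0
        if piv != i:
            m[i], m[piv] = m[piv], m[i]
            d = -d
        d *= m[i][i]
        for r in range(i + 1, len(m)):
            f = m[r][i] / m[i][i]
            m[r] = [x - f * y for x, y in zip(m[r], m[i])]
    return int(d)

def gram_schmidt(basis):
    """Exact Gram-Schmidt: b*_i and mu[i][j] = <b_i, b*_j> / <b*_j, b*_j>."""
    bstar, mu = [], [[Fraction(0)] * len(basis) for _ in basis]
    for i, b in enumerate(basis):
        v = [Fraction(x) for x in b]
        for j in range(i):
            mu[i][j] = dot(b, bstar[j]) / dot(bstar[j], bstar[j])
            v = [a - mu[i][j] * c for a, c in zip(v, bstar[j])]
        bstar.append(v)
    return bstar, mu

def lll(basis, delta=Fraction(99, 100)):
    """Textbook LLL: size-reduce b_k against b_{k-1}, ..., b_1, then test Lovasz."""
    b, k = [list(v) for v in basis], 1
    while k < len(b):
        bstar, mu = gram_schmidt(b)
        for j in range(k - 1, -1, -1):
            q = round(mu[k][j])  # nearest integer; exact input, so no rounding drift
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                bstar, mu = gram_schmidt(b)
        prev = dot(bstar[k - 1], bstar[k - 1])
        if delta * prev <= dot(bstar[k], bstar[k]) + mu[k][k - 1] ** 2 * prev:
            k += 1
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            k = max(k - 1, 1)
    return [tuple(v) for v in b]

def times_zeta(v):
    """Multiply a + b z + c z^2 + d z^3 by z, using z^4 = -1."""
    a, b, c, d = v
    return (-d, a, b, c)

def field_norm(v):
    """|N_{K/Q}(v)| = |det| of multiplication-by-v on the basis 1, z, z^2, z^3."""
    rows = [tuple(v)]
    for _ in range(3):
        rows.append(times_zeta(rows[-1]))
    return abs(det(rows))

def lattice_index(basis):
    """Index of the Z-span of `basis` in Z^4 = O (equals |N(g)| iff the span is all of gO)."""
    return abs(det(basis))

def coordinates(basis, v):
    """Coordinates of v w.r.t. `basis` (Cramer's rule); all integral iff v lies in the lattice."""
    d = det(basis)
    return [Fraction(det(basis[:i] + [tuple(v)] + basis[i + 1:]), d) for i in range(len(basis))]

def in_lattice(basis, v):
    return all(c.denominator == 1 for c in coordinates(basis, v))

def root_of_unity_orbit(v):
    """The 8 vectors ±z^k v: same length as v, and vO is unchanged."""
    orbit, w = [], tuple(v)
    for _ in range(4):
        orbit += [w, tuple(-x for x in w)]
        w = times_zeta(w)
    return orbit

def is_generator(v, ideal_norm):
    """v in an ideal of norm `ideal_norm` generates it iff |N(v)| == ideal_norm:
    v = g*h gives |N(v)| = |N(g)|*|N(h)|, so equality forces h to be a unit, and
    anything larger means vO is a proper sub-ideal (the slide's 'alpha O != g O')."""
    return field_norm(v) == ideal_norm

def shortest(vectors):
    return min(vectors, key=lambda v: dot(v, v))

if __name__ == "__main__":
    reduced = lll(SLIDE_BASIS)
    v = shortest(reduced)
    print("LLL-reduced basis:", reduced)
    print("g =", coordinates(SLIDE_BASIS, G), "in terms of A, B, C, D")
    print("index of ZA+ZB+ZC+ZD in O:", lattice_index(SLIDE_BASIS), " |N(g)| =", field_norm(G))
    print("shortest:", v, "|v|^2 =", dot(v, v), " generates gO?", is_generator(v, field_norm(G)))
    print("(2,-3,3,4) is in gO, |N| =", field_norm((2, -3, 3, 4)), "-> proper sub-ideal only")
```

Running it reduces A, B, C, D to three vectors of squared length 27 (members of the ±ζ^k g orbit) plus one longer vector, and recovers g = −37A + 3B − 7C + 16D. The index check is worth keeping: the Z-span of A, B, C, D has determinant 3606 = 6 · 601 while |N(g)| = 601, so ZA + ZB + ZC + ZD is an index-6 sublattice of gO (it contains g, gζ² and gζ³ but not gζ); LLL on that sublattice still lands on ±ζ^k g. The same |N(v)| test separates (2, −3, 3, 4) = g(1 + ζ³), which lies in the lattice but has norm 1202 = 2 · 601 and therefore generates only a proper sub-ideal.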

45–53. Exploiting factorization

Use LLL, BKZ, etc. to generate rather short α ∈ gO. What happens if αO ≠ gO?

Pure lattice approach: discard α. Work much harder, find a shorter α.

Alternative: gain information from the factorization of ideals. E.g., if
α₁O = gO · P² · Q²,
α₂O = gO · P · Q³, and
α₃O = gO · P · Q²,
then P = α₁α₃⁻¹O and Q = α₂α₃⁻¹O, and gO = α₁⁻¹α₂⁻²α₃⁴O.

54–59. Exploiting factorization: general strategy

For many α's, factor αO into products of powers of some primes and gO. Solve a system of equations to find a generator for gO as a product of powers of the α's.

"Can the system be solved?" — Becomes increasingly reasonable to expect as the number of equations approaches and passes the number of primes.

"But {primes} is infinite!"

60–66. Factor base and smoothness

— Restrict to a "factor base": e.g., all primes of norm ≤ y.

"But what if αO doesn't factor into those primes?" — Then throw it away. But often it does factor.

Familiar issue from "index calculus" DL methods, CFRAC, LS, QS, NFS, etc. Model the norm of (α/g)O as a "random" integer in [1, x]; the y-smoothness chance is ≈ 1/y if log y ≈ √((1/2) log x log log x).

67–73. Variation: ignore gO

Generate rather short α ∈ O; factor αO into small primes. After enough α's, solve the system of equations; obtain a generator for each prime.

After this precomputation, factor one αO ⊆ gO; obtain a generator for gO.

"Do all primes have generators?" — Standard heuristics: for many (most?) number fields, yes; but for big cyclotomics, no! Modulo a few small primes, yes.

74–79. The class group

{principal nonzero ideals} is the kernel of a semigroup map {nonzero ideals} ↠ C, where C is a finite abelian group, the "class group of K". Fundamental object of study in algebraic number theory.

Factoring many small αO is a standard textbook method of computing the class group and generators of ideals. Also compute the unit group O* via ratios of generators.
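The relation-solving step of the general strategy and of the "ignore gO" variation above (the "standard textbook method" just mentioned), as an added example that is not code from the slides: exact linear algebra over the exponent vectors of the slide's toy relations α₁O = gO·P²·Q², α₂O = gO·P·Q³, α₃O = gO·P·Q², producing the combination of α's whose ideal is gO, P or Q, and returning None in the two ways the system fails (inconsistent, or only a fractional combination), which is the "need more relations" signal. The α's themselves are not on the slides, so SLIDE_RELATIONS holds only exponent vectors constructed from the slide; all function and variable names are this example's own. Setting free variables to zero when there are more relations than ideals is a simplification of the Hermite-normal-form search a real implementation would do.

```python
"""Solving the exponent system behind the slide's toy relations.
Added example (not from the slides); Python 3 standard library only.
Applying a solution c means forming alpha_1^c1 * alpha_2^c2 * alpha_3^c3 in K,
with negative exponents as division; the alphas are not given on the slides,
so this block works with exponent vectors only."""
from fractions import Fraction

# Constructed from the slide: row i = exponents of (gO, P, Q) in alpha_i O.
SLIDE_RELATIONS = [
    [1, 2, 2],   # alpha_1 O = gO * P^2 * Q^2
    [1, 1, 3],   # alpha_2 O = gO * P   * Q^3
    [1, 1, 2],   # alpha_3 O = gO * P   * Q^2
]
IDEALS = ["gO", "P", "Q"]

def solve_exponents(relations, target):
    """Integers c with sum_i c_i * relations[i] == target, or None.

    Gaussian elimination over Q on E^T c = target.  Free variables (relations
    beyond the rank) are set to 0 (simplification; see lead-in).  None means
    the system is inconsistent or the particular solution has a fractional
    exponent: the target ideal is not yet expressible and more relations are
    needed, as the slide describes.
    """
    m, n = len(relations), len(target)
    aug = [[Fraction(relations[i][j]) for i in range(m)] + [Fraction(target[j])]
           for j in range(n)]
    pivots, r = [], 0
    for col in range(m):
        piv = next((i for i in range(r, n) if aug[i][col] != 0), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        aug[r] = [x / aug[r][col] for x in aug[r]]
        for i in range(n):
            if i != r and aug[i][col] != 0:
                f = aug[i][col]
                aug[i] = [x - f * y for x, y in zip(aug[i], aug[r])]
        pivots.append(col)
        r += 1
        if r == n:
            break
    if any(aug[i][m] != 0 for i in range(r, n)):
        return None                      # inconsistent: target not in the Q-span
    c = [Fraction(0)] * m
    for i, col in enumerate(pivots):
        c[col] = aug[i][m]
    if any(x.denominator != 1 for x in c):
        return None                      # fractional exponents: need more relations
    return [int(x) for x in c]

def combine(relations, c):
    """Exponent vector of prod_i alpha_i^{c_i} O, for checking a solution."""
    return [sum(ci * row[j] for ci, row in zip(c, relations)) for j in range(len(relations[0]))]

def describe(c):
    """Render c as a monomial in the alphas, e.g. 'alpha_1^-1 * alpha_2^-2 * alpha_3^4'."""
    terms = [f"alpha_{i + 1}" if e == 1 else f"alpha_{i + 1}^{e}" for i, e in enumerate(c) if e]
    return " * ".join(terms) or "1"

def generators(relations, ideal_names):
    """Try to express every ideal of the factor base (and gO) via the relations."""
    out = {}
    for j, name in enumerate(ideal_names):
        target = [1 if k == j else 0 for k in range(len(ideal_names))]
        out[name] = solve_exponents(relations, target)
    return out

if __name__ == "__main__":
    for name, c in generators(SLIDE_RELATIONS, IDEALS).items():
        print(f"{name} = ({describe(c)}) O" if c else f"{name}: unresolved, need more relations")
    # Failure mode: these relations only see gO^2, so gO itself is not expressible yet.
    print(solve_exponents([[2, 0, 0], [0, 1, 0], [0, 0, 1]], [1, 0, 0]))
```

For the slide's three relations the result for gO is α₁⁻¹α₂⁻²α₃⁴, with P = α₁α₃⁻¹O and Q = α₂α₃⁻¹O, exactly as on the slide. Appending a redundant fourth relation leaves the answer unchanged, while a relation set that only reaches gO² produces a half-integer exponent and is rejected.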

80–87. A note on time analysis

Smart–Vercauteren statement regarding a similar algorithm by Buchmann: "This method has complexity exp(O(N log N) · √(log(∆) · log log(∆)))."

— [citation needed]

Did they mean Θ? And +? An exp(Θ(N log N)) factor for short-vector enumeration? Silly: BKZ works just fine.

The whole algorithm will be subexponential unless norms are much worse than exponential.

Big generators: Smart–Vercauteren … this method … a generator … with large … Indeed, generator … product … Must be … but extremely … (remainder of this slide not captured)
