Solving relative norm equations in abelian number fields
Andreas Enge
LFANT project-team, INRIA Bordeaux–Sud-Ouest
andreas.enge@inria.fr
http://www.math.u-bordeaux.fr/~aenge
Finite Geometries, Fifth Irsee Conference, 15 September 2017
(joint work with Bernhard Schmidt, NTU, Singapore)
Andreas Enge Solving norm equations Irsee 2017
Solving norm equations
1 Relative norm equations and finite geometry
2 Abelian number fields and well-known algorithms
3 Gentry-Szydlo type algorithm for abelian fields
4 Implementation and results
Circulant Hadamard matrices
$$H = \begin{pmatrix} h_0 & h_1 & h_2 & \cdots & h_{n-1} \\ h_{n-1} & h_0 & h_1 & \cdots & h_{n-2} \\ \vdots & & & & \vdots \\ h_1 & h_2 & h_3 & \cdots & h_0 \end{pmatrix}, \qquad H \cdot H^T = n \cdot \mathrm{id} \ \text{ with } h_i \in \{\pm 1\}$$
Let $\chi = \sum_{i=0}^{n-1} h_i \zeta_n^i$. Then $\chi\overline{\chi} = n$.
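Abelian difference sets
$D \subseteq G \leftrightarrow D = \sum_{g \in D} 1 \cdot \langle g \rangle \in \mathbb{Z}[G]$
$\overline{D} = \sum_{g \in D} 1 \cdot \langle g^{-1} \rangle$
$D$ a $(v, k, \lambda)$-difference set $\Leftrightarrow D\overline{D} = \lambda \cdot \sum_{g \in G \setminus \{1\}} \langle g \rangle + k \cdot \langle 1 \rangle = (k - \lambda) \cdot \langle 1 \rangle + \lambda \cdot G$
Cyclic case:
$\chi : G \to \{\zeta_v^i : i = 0, \ldots, v-1\} \subseteq \mathbb{C}$
$D \subseteq \{0, \ldots, v-1\}$, $\chi(D) = \sum_{i \in D} \zeta_v^i$
$\chi(D)\overline{\chi(D)} = k - \lambda = n$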
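Added example (not part of the talk): the circulant Hadamard condition and the difference-set identity in the group ring are both statements about a(X)·a(X^-1) in Z[X]/(X^v - 1), so small cases can be checked exactly. The function names and the sample inputs ({1,2,4} in Z/7Z, {1,3,4,5,9} in Z/11Z, the row (-1,1,1,1)) are chosen here for illustration.

```python
import cmath

def conj_product(a):
    """Coefficients of a(X) * a(X^-1) in Z[X]/(X^v - 1), where v = len(a)."""
    v = len(a)
    # The coefficient of X^s collects all pairs (i, i - s) of exponents.
    return [sum(a[i] * a[(i - s) % v] for i in range(v)) for s in range(v)]

def indicator(D, v):
    """Group-ring element of a subset D of Z/vZ as a 0/1 coefficient list."""
    return [1 if i in D else 0 for i in range(v)]

def difference_set_params(D, v):
    """Return (v, k, lam) if D is a cyclic difference set in Z/vZ, else None."""
    prod = conj_product(indicator(set(D), v))
    k, lam = prod[0], prod[1]
    # D * conj(D) = (k - lam)*<1> + lam*G: every non-trivial coefficient is lam.
    return (v, k, lam) if all(c == lam for c in prod[1:]) else None

def is_circulant_hadamard(h):
    """First row h in {+1,-1}^n gives H*H^T = n*id iff h * conj(h) = n*<1>."""
    n = len(h)
    return set(h) <= {1, -1} and conj_product(h) == [n] + [0] * (n - 1)

def character_norm(D, v, t=1):
    """|chi_t(D)|^2 for the character i -> zeta_v^(i*t), evaluated numerically."""
    z = sum(cmath.exp(2j * cmath.pi * i * t / v) for i in D)
    return abs(z) ** 2

if __name__ == "__main__":
    print(difference_set_params({1, 2, 4}, 7))        # constructed sample set
    print(difference_set_params({1, 3, 4, 5, 9}, 11)) # constructed sample set
    print(is_circulant_hadamard([-1, 1, 1, 1]))       # constructed sample row
    print(round(character_norm({1, 2, 4}, 7), 9))     # equals n = k - lam
```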
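(Abelian) number fields
$K = \mathbb{Q}[X]/f(X)$ and $\mathbb{Z}[X]/f$, over $\mathbb{Q}$ and $\mathbb{Z}$ (diagram labels: 30, 60)
Ex.: $f = \Phi_v(X)$, $\mathbb{Q}(\zeta_v) = \mathbb{Q}(\zeta_{2387})$, $\mathbb{Z}[\zeta_{2387}]$
$\sigma : K \to \mathbb{C}$, $X \mapsto$ root of $f$
$\sigma_i : X \mapsto \zeta_v^i$ for $\gcd(v, i) = 1$
Trace: $\mathrm{Tr} : K \to \mathbb{Q}$, $\alpha \mapsto \sum_\sigma \sigma(\alpha)$
Positive definite bilinear form: $T(\alpha, \beta) = \mathrm{Tr}(\alpha \cdot \overline{\beta})$, $T(\alpha, \alpha) = \sum_\sigma \sigma(\alpha)\overline{\sigma(\alpha)}$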
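Ideal factorisation
Ex.: $\chi\overline{\chi} = n \Rightarrow \mathfrak{a}\overline{\mathfrak{a}} = (n)$ with $\mathfrak{a} = (\chi)$
$(n) = \mathfrak{p}\overline{\mathfrak{p}}\mathfrak{q}\overline{\mathfrak{q}} \Rightarrow \mathfrak{a} = \mathfrak{p}\mathfrak{q};\ \mathfrak{p}\overline{\mathfrak{q}};\ \overline{\mathfrak{p}}\mathfrak{q};\ \overline{\mathfrak{p}}\,\overline{\mathfrak{q}}$
Look for generator $\chi$ of $\mathfrak{p}\mathfrak{q}$ or $\mathfrak{p}\overline{\mathfrak{q}}$.
Heuristic: $\chi$ is “small”. LLL finds element with small $T$-norm in the lattice $\mathfrak{a}$ of dimension $\deg(K)$.
More advanced algorithm: subexponential. Compute class group and generalised discrete logarithm in it.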
History
Given $\mathfrak{a}$ and $n$ with $\mathfrak{a}\overline{\mathfrak{a}} = (n)$, output $\chi$ s.t. $\chi\overline{\chi} = n$ or failure.
Gentry–Szydlo (2002), Lenstra–Silverberg (2014), Kirchner (2016), E.–Schmidt (2017)
▶ algorithm for $f = X^v - 1$
▶ breaks lattice based cryptosystems in practice
▶ deterministic polynomial time complexity
▶ generalisation to CM number fields
▶ claim of polynomial complexity doubtful
▶ code not available
▶ generalisation to abelian number fields
▶ polynomial complexity very probable
Ideas
Given $\mathfrak{a}$ and $w \in K$ with $\mathfrak{a}\overline{\mathfrak{a}} = (w)$, output $\chi$ s.t. $\chi\overline{\chi} = w$.
First idea: Use adapted $T$-norm
$T_w(x, y) = \mathrm{Tr}(x\overline{y}/w) \in \mathbb{Z}$ for $x, y \in \mathfrak{a}$
$T_w(\chi, \chi) = \deg(K)$
Second (rough) idea:
Choose (totally split) large prime $P$ and let $e = P - 1$.
$\mathfrak{a}^e = (\chi^e)$ with $\mathfrak{a}^e\overline{\mathfrak{a}}^e = (w^e)$ and $\chi^e \equiv 1 \pmod{P}$
“Ideal hopping” and frequent LLL reductions to compute $\delta = \chi^e \cdot \varepsilon \in K$ with $\varepsilon$ small and $\delta' = \delta \bmod P = \varepsilon \bmod P$.
Compute $\chi^e = \delta \cdot (\mathrm{lift}(\delta'))^{-1}$
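Added example (not part of the talk) for the second idea, with constructed toy values v = 7, P = 29, χ = 2 − ζ and ε = 1 − ζ² + ζ⁵: working only modulo P, it shows χ^(P−1) ≡ 1 and that the centred lift of δ′ returns ε, and that the congruence fails for P = 13, which is not totally split. Assumptions: v is prime, so one relation suffices to reduce ζ^(v−1) in `mul`; the element δ ∈ K itself, which the talk obtains by ideal hopping and LLL, is not computed.

```python
# Elements of Z[zeta_v]/(P) are coefficient lists on the basis
# 1, zeta, ..., zeta^(v-2); v is assumed prime.

def mul(a, b, v, P):
    """Product in Z[zeta_v]/(P)."""
    c = [0] * v
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % v] += ai * bj      # multiply modulo X^v - 1
    top = c[v - 1]                          # zeta^(v-1) = -(1 + zeta + ... + zeta^(v-2))
    return [(ci - top) % P for ci in c[:v - 1]]

def power(a, e, v, P):
    """Square-and-multiply, reading the bits of e from the most significant one."""
    result = [1] + [0] * (v - 2)
    for bit in bin(e)[2:]:
        result = mul(result, result, v, P)
        if bit == "1":
            result = mul(result, a, v, P)
    return result

def centred_lift(a, P):
    """Representative of each coefficient in the interval (-P/2, P/2]."""
    return [c - P if c > P // 2 else c for c in a]

def recover_eps(chi, eps, v, P):
    """delta' = chi^(P-1) * eps mod P; for totally split P and small eps, its lift is eps."""
    delta_prime = mul(power(chi, P - 1, v, P), eps, v, P)
    return centred_lift(delta_prime, P)

# Constructed sample values (not from the talk).
V = 7
CHI = [2, -1, 0, 0, 0, 0]      # chi = 2 - zeta, of norm Phi_7(2) = 127
EPS = [1, 0, -1, 0, 0, 1]      # eps = 1 - zeta^2 + zeta^5
ONE = [1, 0, 0, 0, 0, 0]

if __name__ == "__main__":
    print(power(CHI, 28, V, 29) == ONE)   # P = 29 = 4*7 + 1 is totally split
    print(recover_eps(CHI, EPS, V, 29))   # the small factor eps comes back exactly
    print(power(CHI, 12, V, 13) == ONE)   # P = 13 is not 1 mod 7
```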
Algorithm — Initialisation
$e = \sum_{i=0}^{r} e^{(i)} 2^{r-i} = e_0 e_1 e_2 \ldots e_{r-1} e_r$
$e_k = \sum_{i=0}^{k} e^{(i)} 2^{k-i} = \lfloor e/2^{r-k} \rfloor = e_0 e_1 e_2 \ldots e_{k-1} e_k$
Invariants:
$\mathfrak{a}_k = (\chi_k)$
$w_k = \chi_k\overline{\chi_k}$
$\delta_k = \chi^{e_k} \chi_k$
$\delta'_k = \delta_k \bmod P$
Initialisation $k = 0$: $\mathfrak{a}_0 = \mathfrak{a}$, $w_0$, $\delta_0$, $\delta'_0$
Algorithm — Step $k-1 \to k$ for $e^{(k)} = 0$
Square!
$\mathfrak{a}_{k-1} = (\chi_{k-1})$, $w_{k-1} = \chi_{k-1}\overline{\chi_{k-1}}$, $\delta_{k-1} = \chi^{e_{k-1}} \chi_{k-1}$, $\delta'_{k-1} = \delta_{k-1} \bmod P$
$\mathfrak{b}_k = \mathfrak{a}_{k-1}^2$
$\beta_k = \chi_{k-1}^2$
$\beta_k\overline{\beta_k} = w_{k-1}^2 = u_k$
$\gamma_k$ = small element in $\mathfrak{b}_k$ w.r.t. $\mathrm{Tr}(x\overline{y}/u_k)$ ← LLL
$\mathfrak{a}_k = (\gamma_k)\,\mathfrak{b}_k^{-1}$
$\chi_k = \gamma_k \beta_k^{-1}$
$w_k = (\gamma_k\overline{\gamma_k})(\beta_k\overline{\beta_k})^{-1} = \gamma_k\overline{\gamma_k}/u_k$
$\delta_k = \delta_{k-1}^2\, w_{k-1}^{-2}\, \gamma_k$ ← in factored form!
$\delta'_k = (\delta'_{k-1})^2\, w_{k-1}^{-2}\, \gamma_k \bmod P \in \mathbb{Z}/p\mathbb{Z}[X]$
Algorithm — Step $k-1 \to k$ for $e^{(k)} = 1$
Square — then multiply!
Algorithm — The End
$\psi = \chi^{P-1} = \delta_r \cdot (\mathrm{lift}(\delta'_r))^{-1}$
Choose second prime $P'$, compute $\psi' = \chi^{P'-1}$
$d = u(P-1) - v(P'-1)$
$\chi^d = \psi^u (\psi')^{-v}$
and take a $d$-th root in $K$.
Implementation
About 1100 lines in PARI/GP: http://pari.math.u-bordeaux.fr/
? test_random()
P 630169, P' = P + 4774
Step 1
Time for G: 2.2
Time for LLL: 2.4
Small element: [-184, -104, -92, -148, -192, -182, -178, ...]~
Step 2
Double, norm 1
Double, norm 1
...
delta 1
Mat([[-184, -104, -92, -148, -192, -182, -178, ...]~, 4774])
Cumulated core time: 47
Step 3
It works!