Standard lattices of compatibly embedded finite fields Luca De Feo, - PowerPoint PPT Presentation

Context Overview Standard lattices Standard lattices of compatibly embedded finite fields Luca De Feo, Hugues Randriam, Édouard Rousseau JNCF 2019 1 / 22

Context Overview Standard lattices C ONTENTS Context Overview Standard lattices 2 / 22

Context Overview Standard lattices C ONTEXT ◮ Use of Computer Algebra System (CAS) ◮ Use of many extensions of a prime finite field F p ◮ Computations in ¯ F p . F p 9 F p 25 F p 3 F p 5 F p ℓ 2 F p 4 F p 2 F p ℓ F p 3 / 22

Context Overview Standard lattices E MBEDDINGS ◮ When l | m , we know F p l ֒ → F p m ◮ How to compute this embedding efficiently ? ◮ Naive algorithm: if F p l = F p [ x ] / ( f ( x )) , find a root ρ of f in x to ρ . Complexity strictly larger than ˜ O ( l 2 ) . F p m and map ¯ ◮ Lots of other solutions in the litterature: ◮ [Lenstra ’91] ◮ [Allombert ’02] ˜ O ( l 2 ) ◮ [Rains ’96] ◮ [Narayanan ’18] 4 / 22

Context Overview Standard lattices C OMPATIBILITY ◮ K , L , M three finite fields with K ֒ → L ֒ → M → L , g : L ֒ → M , h : K ֒ → M embeddings ◮ f : K ֒ Compatibility: M g h L f K 5 / 22

Context Overview Standard lattices C OMPATIBILITY ◮ K , L , M three finite fields with K ֒ → L ֒ → M → L , g : L ֒ → M , h : K ֒ → M embeddings ◮ f : K ֒ Compatibility: M g h L f K ? g ◦ f = h 5 / 22

Context Overview Standard lattices E NSURING COMPATIBILITY : C ONWAY POLYNOMIALS Definition ( m -th Conway polynomials C m ) ◮ monic ◮ irreducible ◮ degree m ◮ primitive ( i.e. its roots generate F × p m ) pm − 1 � � pl − 1 = 0 ◮ norm-compatible ( i.e. C l = 0 mod C m if l | m ) X 6 / 22

Context Overview Standard lattices E NSURING COMPATIBILITY : C ONWAY POLYNOMIALS Definition ( m -th Conway polynomials C m ) ◮ monic ◮ irreducible ◮ degree m ◮ primitive ( i.e. its roots generate F × p m ) pm − 1 � � pl − 1 = 0 ◮ norm-compatible ( i.e. C l = 0 mod C m if l | m ) X ◮ Standard polynomials 6 / 22

Context Overview Standard lattices E NSURING COMPATIBILITY : C ONWAY POLYNOMIALS Definition ( m -th Conway polynomials C m ) ◮ monic ◮ irreducible ◮ degree m ◮ primitive ( i.e. its roots generate F × p m ) pm − 1 � � pl − 1 = 0 ◮ norm-compatible ( i.e. C l = 0 mod C m if l | m ) X ◮ Standard polynomials pm − 1 ◮ Compatible embeddings: ¯ X �→ ¯ pl − 1 ˜ O ( m 2 ) Y 6 / 22

Context Overview Standard lattices E NSURING COMPATIBILITY : C ONWAY POLYNOMIALS Definition ( m -th Conway polynomials C m ) ◮ monic ◮ irreducible ◮ degree m ◮ primitive ( i.e. its roots generate F × p m ) pm − 1 � � pl − 1 = 0 ◮ norm-compatible ( i.e. C l = 0 mod C m if l | m ) X ◮ Standard polynomials pm − 1 ◮ Compatible embeddings: ¯ X �→ ¯ pl − 1 ˜ O ( m 2 ) Y ◮ Hard to compute (exponential complexity) 6 / 22

Context Overview Standard lattices E NSURING COMPATIBILITY : B OSMA , C ANNON AND S TEEL ◮ Framework used in MAGMA ◮ Based on the naive embedding algorithm ◮ Constraints of the embedding imply that adding a new embedding can be expensive M L . . . K 1 K 2 K r 7 / 22

Context Overview Standard lattices E NSURING COMPATIBILITY : B OSMA , C ANNON AND S TEEL ◮ Framework used in MAGMA ◮ Based on the naive embedding algorithm ◮ Constraints of the embedding imply that adding a new embedding can be expensive ◮ Inefficient as the number of extensions grows M L . . . K 1 K 2 K r 7 / 22

Context Overview Standard lattices E NSURING COMPATIBILITY : B OSMA , C ANNON AND S TEEL ◮ Framework used in MAGMA ◮ Based on the naive embedding algorithm ◮ Constraints of the embedding imply that adding a new embedding can be expensive ◮ Inefficient as the number of extensions grows M L . . . K 1 K 2 K r ◮ Non standard polynomials 7 / 22

Context Overview Standard lattices I DEAS ◮ Plugging Allombert’s embedding algorithm in Bosma, Cannon, and Steel ◮ Generalizing Bosma, Cannon, and Steel ◮ Generalizing Conway polynomials Goal: bring the best of both worlds 8 / 22

Context Overview Standard lattices A LLOMBERT ’ S EMBEDDING ALGORITHM I ◮ Based on an extension of Kummer theory ◮ For p ∤ l , we work in A l = F p l ⊗ F p ( ζ l ) , and study ( σ ⊗ 1 )( x ) = ( 1 ⊗ ζ l ) x (H90) ◮ Solutions of (H90) form a F p ( ζ l ) -vector space of dimension 1 ◮ α l = � a − 1 j = 0 x j ⊗ ζ j l solution of (H90), then x 0 generates F p l . ◮ Let ⌊ α l ⌋ = x 0 the projection on the first coordinate ◮ ( α l ) l = 1 ⊗ c ∈ 1 ⊗ F p ( ζ l ) 9 / 22

Context Overview Standard lattices A LLOMBERT ’ S EMBEDDING ALGORITHM II Input: F p l , F p m , with l | m , ζ l and ζ m with ( ζ m ) m / l = ζ l Output: s ∈ F p l , t ∈ F p m , such that s �→ t defines an embedding φ : F p l → F p m 1. Construct A l and A m 2. Find α l ∈ A l and α m ∈ A m , nonzero solutions of (H90) for the roots ζ l and ζ m 3. Compute ( α l ) l = 1 ⊗ c l and ( α m ) m = 1 ⊗ c m 4. Compute κ l , m a l -th root of c l / c m 5. Return ⌊ α l ⌋ and � ( 1 ⊗ κ l , m )( α m ) m / l � 10 / 22

Context Overview Standard lattices A LLOMBERT AND B OSMA , C ANON , AND S TEEL ◮ Need to store one constant κ l , m for each pair ( F p l , F p m ) ◮ The constant κ l , m depends on α l and α m We would like to: ◮ get rid of the constants κ l , m ( e.g. have κ l , m = 1) ◮ equivalently, get "standard" solutions of (H90) ◮ select solutions α l , α m that always define the same embedding ◮ such that the constants κ l , m are well understood ( e.g. κ l , m = 1) 11 / 22

Context Overview Standard lattices T HE CASE l | m | p − 1 Let l | m | p − 1 ◮ A l = F p l ⊗ F p ∼ = F p l ◮ A m = F p m ◮ σ ( α l ) = ζ l α l and σ ( α m ) = ζ m α m ◮ ( α l ) l = c l ∈ F p and ( α m ) m = c m ∈ F p ◮ κ l , m = � l c l / c m ◮ κ l , m = 1 implies c l = c m In particular, for m = p − 1 we obtain σ ( α p − 1 ) = ( α p − 1 ) p = ζ p − 1 α p − 1 ◮ ( α p − 1 ) p − 1 = c p − 1 = ζ p − 1 ◮ this implies ∀ l | p − 1 , c l = ζ p − 1 12 / 22

Context Overview Standard lattices C OMPLETE ALGEBRA Let A l = F p l ⊗ F p ( ζ l ) Definition (degree, level) ◮ degree of A l : l ◮ level of A l : a = [ F p ( ζ l ) : F p ] Idea: consider the largest algebra for a given level Definition (Complete algebra of level a ) ◮ A p a − 1 = F p pa − 1 ⊗ F p ( ζ p a − 1 ) ∼ = F p pa − 1 ⊗ F p a 13 / 22

Context Overview Standard lattices S TANDARD SOLUTIONS How to define standard solutions of (H90)? Lemma If α p a − 1 is a solution of (H90) for ζ p a − 1 , then c p a − 1 = ( ζ p a − 1 ) a . Definition (Standard solution) Let A l an algebra of level a , α l ∈ A l a solution of (H90) for pa − 1 l , α l is standard if c l = ( ζ p a − 1 ) a ζ l = ( ζ p a − 1 ) Definition (Standard polynomial) All standard solutions α l define the same irreducible polynomial of degree l , we call it the standard polynomial of degree l . 14 / 22

Context Overview Standard lattices S TANDARD EMBEDDINGS ( SAME LEVEL ) Let l | m and A l , A m algebras with the same level a , ζ l = ( ζ m ) m / l ◮ α l and α m standard solutions of (H90) for ζ l and ζ m 15 / 22

Context Overview Standard lattices S TANDARD EMBEDDINGS ( SAME LEVEL ) Let l | m and A l , A m algebras with the same level a , ζ l = ( ζ m ) m / l ◮ α l and α m standard solutions of (H90) for ζ l and ζ m ◮ c l = c m = ( ζ p a − 1 ) a 15 / 22

Context Overview Standard lattices S TANDARD EMBEDDINGS ( SAME LEVEL ) Let l | m and A l , A m algebras with the same level a , ζ l = ( ζ m ) m / l ◮ α l and α m standard solutions of (H90) for ζ l and ζ m ◮ c l = c m = ( ζ p a − 1 ) a ◮ κ l , m = 1 15 / 22

Context Overview Standard lattices S TANDARD EMBEDDINGS ( SAME LEVEL ) Let l | m and A l , A m algebras with the same level a , ζ l = ( ζ m ) m / l ◮ α l and α m standard solutions of (H90) for ζ l and ζ m ◮ c l = c m = ( ζ p a − 1 ) a ◮ κ l , m = 1 ◮ The embedding ⌊ α l ⌋ �→ � ( α m ) m / l � is standard too (only depends on ζ p a − 1 ). 15 / 22

Context Overview Standard lattices S TANDARD EMBEDDINGS ( DIFFERENT LEVEL ) Let l | m and A l of level a , A m of level b , a � = b . ◮ Natural norm-compatibility condition, we want: pb − 1 pa − 1 = N ( ζ p b − 1 ) = φ F pa ֒ ( ζ p b − 1 ) → F pb ( ζ p a − 1 ) 16 / 22

Context Overview Standard lattices S TANDARD EMBEDDINGS ( DIFFERENT LEVEL ) Let l | m and A l of level a , A m of level b , a � = b . ◮ Natural norm-compatibility condition, we want: pb − 1 pa − 1 = N ( ζ p b − 1 ) = φ F pa ֒ ( ζ p b − 1 ) → F pb ( ζ p a − 1 ) We let N be the “norm-like” map N ( α ) = � b / a − 1 ( 1 ⊗ σ aj )( α ) j = 0 16 / 22

Context Overview Standard lattices S TANDARD EMBEDDINGS ( DIFFERENT LEVEL ) Let l | m and A l of level a , A m of level b , a � = b . ◮ Natural norm-compatibility condition, we want: pb − 1 pa − 1 = N ( ζ p b − 1 ) = φ F pa ֒ ( ζ p b − 1 ) → F pb ( ζ p a − 1 ) We let N be the “norm-like” map N ( α ) = � b / a − 1 ( 1 ⊗ σ aj )( α ) j = 0 ◮ We obtain N ( α p b − 1 ) = Φ A pa − 1 ֒ → A pb − 1 ( α p a − 1 ) 16 / 22