Class Group Computations in Number Fields and Applications to … · 2017-05-09 · Class Group...

Class Group ComputationsApplication to Cryptography

Class Group Computations in Number Fieldsand Applications to Cryptography

Alexandre Gélin

Laboratoire d’Informatique de Paris 6UPMC – Sorbonne Universités

25/04/2017

Alexandre Gélin Class Group & Cryptography

Number fields

K number field ⇒ finite extension of Q ⇒ ∃T ∈ Z[X] monic s.t.

K ' Q[X]/(T ).

T is a defining polynomial of K.

Two interesting structures:Group of ideals

Quotient by principal ideals ⇒ class group Cl(OK)

Group of units

Finitely generated ⇒ fundamental units

Aim: Compute the structure of the class group.

Number fields

K ' Q[X]/(T ).

Group of units

Finitely generated ⇒ fundamental units

Number fields

K ' Q[X]/(T ).

Group of unitsFinitely generated ⇒ fundamental units

Number fields

K ' Q[X]/(T ).

Group of unitsFinitely generated ⇒ fundamental units

General strategy for computationConditional Improvement

Outline

1 Class Group ComputationsGeneral strategy for computationConditional Improvement

2 Application to CryptographyThe Principal Ideal Problem (PIP)Our descent algorithm

Subexponential L-notation : LN (0, c) ≈ (logN)c LN (1, c) ≈ Nc

LN (α, c) = exp((c + o(1))(logN)

α(log logN)

1−α).

1969 Shanks: quadratic number fields in O(|∆K|15 ).

1989 Hafner and McCurley: imaginary quadratic number fields inL|∆K|(

12 ,√

1990 Buchmann: all number fields with fixed degree inL|∆K|(

12 , 1.7).

2014 Biasse and Fieker: all number fields in L|∆K|(23 + ε) in general

and L|∆K|(12) if n ≤ log(|∆K|)3/4−ε.

2014 Biasse and Fieker: number fields defined by a good polynomialin L|∆K|(a), 1

3 ≤ a <12 .

Index calculus

1 Factor baseFix a factor base composed of small elements.

2 Relation collectionCollect some relations between those small elements,corresponding to linear equations.

3 Linear algebraDeduce the sought result performing linear algebra on thesystem built.

The factor base

B = {prime ideals in OK of norm below B}

B determined so that B generates the whole class group.

Minkowski’s bound: every class contains an ideal of norm smallerthan

MK =√|∆K|

)r2 n!

Bach’s bound: assuming GRH, classes of ideals of norm less than12(log |∆K|)2 generate the class group.

PracticallyB = L|∆K|(β, cb).

The factor base

B = {prime ideals in OK of norm below B}

B determined so that B generates the whole class group.

Minkowski’s bound: every class contains an ideal of norm smallerthan

MK =√|∆K|

)r2 n!

Bach’s bound: assuming GRH, classes of ideals of norm less than12(log |∆K|)2 generate the class group.

PracticallyB = L|∆K|(β, cb).

Relation collection

B = (p1, · · · , pN )

Surjective morphism:

ZN φ−→ I π−→ Cl(OK)(e1, · · · , eN ) 7−→

∏i peii 7−→

∏i[pi]

Cl(OK) ' ZN/{

(e1, · · · , eN ) ∈ ZN |∏i peii = (α)OK

Idea:1 Pick at random A =

∏i pvii .

2 Find a reduced ideal A′ in the same class.3 If A′ splits on B (⇔ A′ =

∏i pv′ii ) then

A(A′)−1 =∏i pvi−v′ii is principal.

Relation collection

B = (p1, · · · , pN )

Surjective morphism:

ZN φ−→ I π−→ Cl(OK)(e1, · · · , eN ) 7−→

∏i peii 7−→

∏i[pi]

Cl(OK) ' ZN/{

(e1, · · · , eN ) ∈ ZN |∏i peii = (α)OK

}Idea:

1 Pick at random A =∏i pvii .

2 Find a reduced ideal A′ in the same class.3 If A′ splits on B (⇔ A′ =

∏i pv′ii ) then

A(A′)−1 =∏i pvi−v′ii is principal.

Linear algebra

Relations stored in a matrix of size about N ×N .

Structure of the class group given by the Smith Normal Formof the matrix.

First compute Hermite Normal Form with a premultiplierbecause we need kernel vectors.

Storjohann and Labahn algorithm, runtime in Nω+1

(2 ≤ ω ≤ 3 exponent of matrix multiplication)

Verification

We find a tentative class group H, but the class group Cl(OK) maybe only a quotient of H.⇒ Need an approximation of the class number hK = |Cl(OK)|.

Class number formula + Euler Product:

hKRegK = EP ·wK ·

√|∆K|

2r1 · (2π)r2.

From the relations, we can also deduce a candidate for anapproximation of RegK and perform the verification step.

Verification

hKRegK = EP ·wK ·

√|∆K|

2r1 · (2π)r2.

Verification

hKRegK = EP ·wK ·

√|∆K|

2r1 · (2π)r2.

Subexponential L-notation : LN (0, c) ≈ (logN)c LN (1, c) ≈ Nc

LN (α, c) = exp((c + o(1))(logN)

α(log logN)

1−α).

1969 Shanks: quadratic number fields in O(|∆K|15 ).

1989 Hafner and McCurley: imaginary quadratic number fields inL|∆K|(

12 ,√

1990 Buchmann: all number fields with fixed degree inL|∆K|(

12 , 1.7).

2014 Biasse and Fieker: all number fields in L|∆K|(23 + ε) in general

and L|∆K|(12) if n ≤ log(|∆K|)3/4−ε.

2014 Biasse and Fieker: number fields defined by a good polynomialin L|∆K|(a), 1

3 ≤ a <12 .

What is a good polynomial ?

We want a polynomial that defines a fixed number field:The degree is fixed,We want the coefficients as small as possible.

Definition

Let T =∑akX

k ∈ Z[X]. The height of T is defined as the maximalnorm of its coefficients, namely

H(T ) = maxk|ak|.

What is a good polynomial ?

We want a polynomial that defines a fixed number field:The degree is fixed,We want the coefficients as small as possible.

Definition

Let T =∑akX

k ∈ Z[X]. The height of T is defined as the maximalnorm of its coefficients, namely

H(T ) = maxk|ak|.

Classes from Biasse and Fieker work

Definition

Let n0, d0 > 0 and 0 < α < 12 .

Cn0,d0,α =

{K = Q[X]/(T )

∣∣ deg(T ) = n0(log |∆K|)α(1 + o(1))logH(T ) = d0(log |∆K|)1−α(1 + o(1))

TheoremIf we know such a good polynomial, there exists an algorithm withruntime L|∆K|(a) for class group computation with

a = max

1− α2

Our results [GJ16]

DefinitionLet n0, d0 > 0, 0 < α < 1 and 1− α ≤ γ ≤ 1.

Dn0,d0,α,γ =

∣∣ deg(T ) ≤ n0

(log |∆K|

log log |∆K|

)αlogH(T ) ≤ d0(log |∆K|)γ(log log |∆K|)1−γ

PropositionIf there exists a polynomial T such that K ∈ Dn0,d0,α,γ , we find theminimal one in time L|∆K|(α).

TheoremUnder GRH and smoothness heuristics, for every K ∈ Dn0,d0,α,γ ,α < 1

2 , there exists an L∆K(a) algorithm for class group computationwith

a = max(α,γ

Our results [GJ16]

Dn0,d0,α,γ =

∣∣ deg(T ) ≤ n0

(log |∆K|

log log |∆K|

a = max(α,γ

Our results [GJ16]

Dn0,d0,α,γ =

∣∣ deg(T ) ≤ n0

(log |∆K|

log log |∆K|

a = max(α,γ

State of the art [BF14]

General case:

L|∆K|(

) L|∆K|(

23 + ε

34 1 α

First general subexponential algorithm.Alexandre Gélin Class Group & Cryptography

State of the art [BF14]

Special case:

L|∆K|(

) L|∆K|(

23 + ε

)L|∆K|

(max(α, 1−α

34 1 α

Only if K is defined by T such that H(T ) = L|∆K| (1− α).Alexandre Gélin Class Group & Cryptography

Our work [GJ16]

General case:

depending on γ

L|∆K|(max(α, γ2 )

34 1 α

Without any condition.Alexandre Gélin Class Group & Cryptography

The Principal Ideal Problem (PIP)Our descent algorithm

Outline

1 Class Group ComputationsGeneral strategy for computationConditional Improvement

2 Application to CryptographyThe Principal Ideal Problem (PIP)Our descent algorithm

The Principal Ideal Problem

DefinitionThe Principal Ideal Problem (PIP) consists in finding agenerator of an ideal, assuming it is principal.

Base of several cryptographical schemes ([SV10],[GGH13])

Two distinct phases:1 Given the Z-basis of the ideal a = 〈g〉, find a — not

necessarily short — generator g′ = g · u for a unit u.2 From g′, find a short generator of the ideal.

Campbell, Groves, and Sheperd (2014) found a solution the secondpoint for power-of-two cyclotomic fields. Cramer, Ducas, Peikert,and Regev (2016) provided a proof and an extension toprime-power cyclotomic fields.

DefinitionThe Short Principal Ideal Problem (SPIP) consists in finding a shortgenerator of an ideal, assuming it is principal.

FHE scheme – Smart and Vercauteren PKC 2010

Key Generation:1 Fix the security parameter N = 2n.

2 Let F (X) = XN + 1 be the polynomial defining thecyclotomic field K = Q(ζ2N ).

3 Set G(X) = 1 + 2 · S(X),for S(X) of degree N − 1 with coefficients in

[−2√N , 2

√N],

such that the norm N (〈G(ζ2N )〉) is prime.

4 Set g = G(ζ2N ) ∈ OK.

5 Return the secret key sk = g and the public keypk = HNF(〈g〉).

Our goal: Recover the secret key from the public key.

FHE scheme – Smart and Vercauteren PKC 2010

Key Generation:1 Fix the security parameter N = 2n.

2 Let F (X) = XN + 1 be the polynomial defining thecyclotomic field K = Q(ζ2N ).

3 Set G(X) = 1 + 2 · S(X),for S(X) of degree N − 1 with coefficients in

[−2√N , 2

√N],

such that the norm N (〈G(ζ2N )〉) is prime.

4 Set g = G(ζ2N ) ∈ OK.

5 Return the secret key sk = g and the public keypk = HNF(〈g〉).

Our goal: Recover the secret key from the public key.Alexandre Gélin Class Group & Cryptography

Outline of the algorithm [BEFGK17]

1 Perform a reduction from the cyclotomic field to its totally realsubfield, allowing to work in smaller dimension.

2 Then a descent makes the size of involved ideals decrease.

3 Collect relations and run linear algebra to construct smallideals and a generator.

4 Eventually run the derivation of the small generator from abigger one.

The descent strategy

Input ideal – Norm arbitrary largea0

a11 a1

a21 a2

a31 a3

al− 1

al1 al2 . . . alnl

. . . a3n3

. . . a2n2

. . . a1n1

a11 a1

a21 a2

a31 a3

al− 1

al1 al2 . . . alnl

. . . a3n3

. . . a2n2

. . . a1n1

Initial reduction – Norm: L|∆K|(

a11 a1

a21 a2

a31 a3

al− 1

al1 al2 . . . alnl

. . . a3n3

. . . a2n2

. . . a1n1

Initial reduction – L|∆K| (1)-smooth 12

a11 a1

a21 a2

a31 a3

al− 1

al1 al2 . . . alnl

. . . a3n3

. . . a2n2

First step – Norm: L|∆K|(

). . . a1

n1Initial reduction – L|∆K| (1)-smooth 1

a11 a1

a21 a2

a31 a3

al− 1

al1 al2 . . . alnl

. . . a3n3

. . . a2n2

First step – L|∆K|(

)-smooth

. . . a1n1

a11 a1

a21 a2

a31 a3

al− 1

al1 al2 . . . alnl

. . . a3n3

Second step – Norm: L|∆K|(

). . . a2

n2First step – L|∆K|

)-smooth

. . . a1n1

a11 a1

a21 a2

a31 a3

al− 1

al1 al2 . . . alnl

. . . a3n3

Second step – L|∆K|(

)-smooth

. . . a2n2

)-smooth

. . . a1n1

a11 a1

a21 a2

a31 a3

al− 1

al1 al2 . . . alnl

Last but one step – Norm: ≈ L|∆K| (1) 12

. . . a3n3

)-smooth

. . . a2n2

)-smooth

. . . a1n1

a11 a1

a21 a2

a31 a3

al− 1

al1 al2 . . . alnl

Last but one step – ≈ L|∆K|(

)-smooth

. . . a3n3

)-smooth

. . . a2n2

)-smooth

. . . a1n1

a11 a1

a21 a2

a31 a3

al− 1

al1 al2 . . . alnl Last step – Norm: L|∆K| (1) 12

)-smooth

. . . a3n3

)-smooth

. . . a2n2

)-smooth

. . . a1n1

a11 a1

a21 a2

a31 a3

al− 1

al1 al2 . . . alnl Last step – L|∆K|(

)-smooth

. . . a3n3

)-smooth

. . . a2n2

)-smooth

. . . a1n1

a11 a1

a21 a2

a31 a3

al− 1

al1 al2 . . . alnl Last step – L|∆K|(

)-smooth ,

)-smooth

. . . a3n3

)-smooth

. . . a2n2

)-smooth

. . . a1n1

Solution for L|∆K|(

)-smooth ideals

Input: Bunch of prime ideals of norm below B = L|∆K|(

As for class group computations, factor base: set of all primeideals with norm below B {p1, · · · , pN}

Construction of a full-rank matrix of relations M using thesame process (relation collection)

A N -dimensional vector Y including all the valuations of thesmooth ideals in the pi

A solution X of MX = Y provides a generator of the productof the L|∆K|

)-smooth ideals

)As for class group computations, factor base: set of all primeideals with norm below B {p1, · · · , pN}

)-smooth ideals

Thanks

Class Group Computations in Number Fields and Applications to … · 2017-05-09 · Class Group...

Documents

Transcript of Class Group Computations in Number Fields and Applications to … · 2017-05-09 · Class Group...

Embarrassingly Parallel Computations Partitioning and Divide-and-Conquer Strategies Pipelined Computations Synchronous Computations Asynchronous Computations.

Acoustic-Imaging Computations by Echolocating Bats: …papers.nips.cc/paper/224-acoustic-imaging-computations... · 2014-04-14 · Acoustic-Imaging Computations by Echolocating Bats

Categorifying Computations into Components via …group-mmm.org/~ichiro/papers/fromComptoComp.pdf · Categorifying Computations into Components via Arrows as Profunctors Kazuyuki

Great Circle Computations

Surprising computations

Spatially invariant computations in stereoscopic visionpapers.vcl.salk.edu/PDFs/Spatially invariant computations...Vidal-Naquet and Gepshtein Spatially invariant computations in stereoscopic

Group Tennis Class

Computations on Milnor K2 - UCLA Department of …math.ucla.edu/~sharifi/dagslides.pdf · 2016-08-09 · Computations on Milnor K2 ... (ζa+b−1)(ζa+2b−1)+ ... GF,S= Galois group

BEAM COMPUTATIONS

Class 19: 3D Cartesian Coordinate Computations GISC-3325 26 March 2009.

Zigbee Computations

Heliospheric Computations

Fertilizer Computations Updated

Church Sunday School Care Group Ministry · Class Care Group Ministry 1 2 3 Class Care Group Director(s) Care Group Leaders (One for every four to six class Members) Class Members

Distributed Computations MapReduce

Group Class Sub

GROUP CLASS DISCOUNTS

THE SMITH GROUP AND THE CRITICAL GROUP OF THE … · graphs. A particular class that has proved amenable to computations is the class of strongly regular graphs (e.g. [4]). In this

Class Group Photos

Group Law Computations on Jacobians of Hyperelliptic Curves · 2011-09-19 · Group Law Computations on Jacobians of Hyperelliptic Curves 3 2 Background We give some brief background