numerisation.irem.univ-mrs.fr · Created Date: 20130917132816Z
Class group and unit group computation for large degree...
Transcript of Class group and unit group computation for large degree...
![Page 1: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/1.jpg)
Class group and unit group computation for largedegree number fields
Jean-Francois Biasse
University of Calgary
October 2013
Biasse (U of C) large degree fields October 2013 1 / 30
![Page 2: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/2.jpg)
Presentation of the problem
Let K be a number field of degree n, OK its maximal order and O ⊆ OK
an order in K .
We are interested in the following problems :
Compute the class group Cl(O) and the unit group U(O) of O.
Let a ⊆ O, find α ∈ O such that a = (α).
Let a ∈ Cl(O) and B > 0, find p1, · · · , pk such that
a = p1 · · · pk , with N (pi ) ≤ B
We mention applications of the resolution of these problems to numbertheory and cryptography.
Biasse (U of C) large degree fields October 2013 1 / 30
![Page 3: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/3.jpg)
Presentation of the problem
Let K be a number field of degree n, OK its maximal order and O ⊆ OK
an order in K .
We are interested in the following problems :
Compute the class group Cl(O) and the unit group U(O) of O.
Let a ⊆ O, find α ∈ O such that a = (α).
Let a ∈ Cl(O) and B > 0, find p1, · · · , pk such that
a = p1 · · · pk , with N (pi ) ≤ B
We mention applications of the resolution of these problems to numbertheory and cryptography.
Biasse (U of C) large degree fields October 2013 1 / 30
![Page 4: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/4.jpg)
Presentation of the problem
Let K be a number field of degree n, OK its maximal order and O ⊆ OK
an order in K .
We are interested in the following problems :
Compute the class group Cl(O) and the unit group U(O) of O.
Let a ⊆ O, find α ∈ O such that a = (α).
Let a ∈ Cl(O) and B > 0, find p1, · · · , pk such that
a = p1 · · · pk , with N (pi ) ≤ B
We mention applications of the resolution of these problems to numbertheory and cryptography.
Biasse (U of C) large degree fields October 2013 1 / 30
![Page 5: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/5.jpg)
Presentation of the problem
Let K be a number field of degree n, OK its maximal order and O ⊆ OK
an order in K .
We are interested in the following problems :
Compute the class group Cl(O) and the unit group U(O) of O.
Let a ⊆ O, find α ∈ O such that a = (α).
Let a ∈ Cl(O) and B > 0, find p1, · · · , pk such that
a = p1 · · · pk , with N (pi ) ≤ B
We mention applications of the resolution of these problems to numbertheory and cryptography.
Biasse (U of C) large degree fields October 2013 1 / 30
![Page 6: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/6.jpg)
Presentation of the problem
Let K be a number field of degree n, OK its maximal order and O ⊆ OK
an order in K .
We are interested in the following problems :
Compute the class group Cl(O) and the unit group U(O) of O.
Let a ⊆ O, find α ∈ O such that a = (α).
Let a ∈ Cl(O) and B > 0, find p1, · · · , pk such that
a = p1 · · · pk , with N (pi ) ≤ B
We mention applications of the resolution of these problems to numbertheory and cryptography.
Biasse (U of C) large degree fields October 2013 1 / 30
![Page 7: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/7.jpg)
1 Motivation
2 Class group and unit group computation
3 Complexity aspects
4 Relations in the polarized class group
Biasse (U of C) large degree fields October 2013 1 / 30
![Page 8: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/8.jpg)
Computation of Cl(O) and U(O)
Computing the unit group has applications to the resolution of someDiophantine equations.
The Pell equation
For ∆ > 0, solvingx2 −∆y2 = 1,
is equivalent to finding the unit group for Q(√
∆).
Connexion with other equations
Other Diophantine equations can be solved from solutions to the Pellequation
Shaffer : y2 = 1k + · · ·+ xk .
y2 = Sxx−a.
Where S denotes the Stirling number.
Biasse (U of C) large degree fields October 2013 2 / 30
![Page 9: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/9.jpg)
Computation of Cl(O) and U(O)
Computing the unit group has applications to the resolution of someDiophantine equations.
The Pell equation
For ∆ > 0, solvingx2 −∆y2 = 1,
is equivalent to finding the unit group for Q(√
∆).
Connexion with other equations
Other Diophantine equations can be solved from solutions to the Pellequation
Shaffer : y2 = 1k + · · ·+ xk .
y2 = Sxx−a.
Where S denotes the Stirling number.
Biasse (U of C) large degree fields October 2013 2 / 30
![Page 10: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/10.jpg)
Cryptanalysis of homomorphic schemes
Principal ideal problem
Gentry’s original scheme (and some others) rely on the hardness of findinga small generator of a principal ideal.
Alice sets up the schemes. Let Z[X ]/(XN + 1) = Z[θ].
Alice draws small α ∈ Z[X ]/(XN + 1) until N (α) = p prime.
Alice displays a Z-basis of p = (α).
Bob wants to encrypt M ∈ {0, 1}.Bob draws R ∈ Z[X ] at random.
Bob sends M + 2R(θ) mod p.
To decrypt, it suffices to know a small generator of p.
Biasse (U of C) large degree fields October 2013 3 / 30
![Page 11: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/11.jpg)
Cryptanalysis of homomorphic schemes
Principal ideal problem
Gentry’s original scheme (and some others) rely on the hardness of findinga small generator of a principal ideal.
Alice sets up the schemes. Let Z[X ]/(XN + 1) = Z[θ].
Alice draws small α ∈ Z[X ]/(XN + 1) until N (α) = p prime.
Alice displays a Z-basis of p = (α).
Bob wants to encrypt M ∈ {0, 1}.Bob draws R ∈ Z[X ] at random.
Bob sends M + 2R(θ) mod p.
To decrypt, it suffices to know a small generator of p.
Biasse (U of C) large degree fields October 2013 3 / 30
![Page 12: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/12.jpg)
Cryptanalysis of homomorphic schemes
Principal ideal problem
Gentry’s original scheme (and some others) rely on the hardness of findinga small generator of a principal ideal.
Alice sets up the schemes. Let Z[X ]/(XN + 1) = Z[θ].
Alice draws small α ∈ Z[X ]/(XN + 1) until N (α) = p prime.
Alice displays a Z-basis of p = (α).
Bob wants to encrypt M ∈ {0, 1}.Bob draws R ∈ Z[X ] at random.
Bob sends M + 2R(θ) mod p.
To decrypt, it suffices to know a small generator of p.
Biasse (U of C) large degree fields October 2013 3 / 30
![Page 13: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/13.jpg)
Cryptanalysis of homomorphic schemes
Principal ideal problem
Gentry’s original scheme (and some others) rely on the hardness of findinga small generator of a principal ideal.
Alice sets up the schemes. Let Z[X ]/(XN + 1) = Z[θ].
Alice draws small α ∈ Z[X ]/(XN + 1) until N (α) = p prime.
Alice displays a Z-basis of p = (α).
Bob wants to encrypt M ∈ {0, 1}.Bob draws R ∈ Z[X ] at random.
Bob sends M + 2R(θ) mod p.
To decrypt, it suffices to know a small generator of p.
Biasse (U of C) large degree fields October 2013 3 / 30
![Page 14: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/14.jpg)
Group action on elliptic curves
Let O be a quadratic order, Fq a finite field and a prime l - q.
Isomorphism classes are represented by j-invariants.
EllO,t := {Isomorphism classes of E (Fq) | End(E ) ' O and trace(E ) = t}.
Group action of Cl(O) on EllO,t
A split prime ideal a of norm l acts via an isogenie of degree l .
If l is large, the action is hard to evaluate.
If a ∼∏
i pi with small N (pi ), it boils down to evaluating that of the pi .
Transports the discrete logarithm problem to another curve.
Allows endomorphism ring computation.
Biasse (U of C) large degree fields October 2013 4 / 30
![Page 15: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/15.jpg)
Group action on elliptic curves
Let O be a quadratic order, Fq a finite field and a prime l - q.
Isomorphism classes are represented by j-invariants.
EllO,t := {Isomorphism classes of E (Fq) | End(E ) ' O and trace(E ) = t}.
Group action of Cl(O) on EllO,t
A split prime ideal a of norm l acts via an isogenie of degree l .
If l is large, the action is hard to evaluate.
If a ∼∏
i pi with small N (pi ), it boils down to evaluating that of the pi .
Transports the discrete logarithm problem to another curve.
Allows endomorphism ring computation.
Biasse (U of C) large degree fields October 2013 4 / 30
![Page 16: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/16.jpg)
Group action on elliptic curves
Let O be a quadratic order, Fq a finite field and a prime l - q.
Isomorphism classes are represented by j-invariants.
EllO,t := {Isomorphism classes of E (Fq) | End(E ) ' O and trace(E ) = t}.
Group action of Cl(O) on EllO,t
A split prime ideal a of norm l acts via an isogenie of degree l .
If l is large, the action is hard to evaluate.
If a ∼∏
i pi with small N (pi ), it boils down to evaluating that of the pi .
Transports the discrete logarithm problem to another curve.
Allows endomorphism ring computation.
Biasse (U of C) large degree fields October 2013 4 / 30
![Page 17: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/17.jpg)
1 Motivation
2 Class group and unit group computation
3 Complexity aspects
4 Relations in the polarized class group
Biasse (U of C) large degree fields October 2013 4 / 30
![Page 18: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/18.jpg)
Input and output of the algorithm
Input
A number field K .
Its r1 real embeddings, its r2 pairs of complex embeddings.
Its ring of integers OK =∑
i Zαi .
Output
Cl(OK ) = Z/d1Z× · · · × Z/dkZ.
U = µ× 〈γ1〉 × · · · × 〈γr 〉
where r := r1 + r2 − 1 and µ is the set of roots of unity.
The γi are given in compact representation.
Biasse (U of C) large degree fields October 2013 5 / 30
![Page 19: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/19.jpg)
Input and output of the algorithm
Input
A number field K .
Its r1 real embeddings, its r2 pairs of complex embeddings.
Its ring of integers OK =∑
i Zαi .
Output
Cl(OK ) = Z/d1Z× · · · × Z/dkZ.
U = µ× 〈γ1〉 × · · · × 〈γr 〉
where r := r1 + r2 − 1 and µ is the set of roots of unity.
The γi are given in compact representation.
Biasse (U of C) large degree fields October 2013 5 / 30
![Page 20: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/20.jpg)
Class group computation
Factor base
Let B = {p1, · · · , pN} be a set of ideals whose classes generate Cl(OK ).
We consider the surjective morphism
ZN ϕ−−−−→ I π−−−−→ Cl(OK )
(e1, . . . , eN) −−−−→∏
i peii −−−−→
∏i [pi ]
ei
Property
The class group satisfies Cl(OK ) ' ZN/ ker(π ◦ ϕ).
We deduce Cl(OK ) from the lattice of all the (e1, · · · , eN) such that
pe11 · · · p
eNN = (α) = 1 ∈ Cl(OK ) for some α ∈ OK .
Biasse (U of C) large degree fields October 2013 6 / 30
![Page 21: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/21.jpg)
Class group computation
Factor base
Let B = {p1, · · · , pN} be a set of ideals whose classes generate Cl(OK ).
We consider the surjective morphism
ZN ϕ−−−−→ I π−−−−→ Cl(OK )
(e1, . . . , eN) −−−−→∏
i peii −−−−→
∏i [pi ]
ei
Property
The class group satisfies Cl(OK ) ' ZN/ ker(π ◦ ϕ).
We deduce Cl(OK ) from the lattice of all the (e1, · · · , eN) such that
pe11 · · · p
eNN = (α) = 1 ∈ Cl(OK ) for some α ∈ OK .
Biasse (U of C) large degree fields October 2013 6 / 30
![Page 22: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/22.jpg)
From relations to the ideal class groupThe rows (e1, · · · , eN) of the relation matrix M satisfy
pe11 · · · p
eNN = (α)
There are unimodular matrices U,V and integers di such that di+1 | di and
U ·M · V =
d1 0 . . . 0
0 d2. . .
......
. . .. . . 0
0 . . . 0 dN(0)
,
If the rows of M generate all the possible relations then
Cl(OK ) = Z/d1Z× · · · × Z/dNZ.
Biasse (U of C) large degree fields October 2013 7 / 30
![Page 23: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/23.jpg)
From relations to the ideal class groupThe rows (e1, · · · , eN) of the relation matrix M satisfy
pe11 · · · p
eNN = (α)
There are unimodular matrices U,V and integers di such that di+1 | di and
U ·M · V =
d1 0 . . . 0
0 d2. . .
......
. . .. . . 0
0 . . . 0 dN(0)
,
If the rows of M generate all the possible relations then
Cl(OK ) = Z/d1Z× · · · × Z/dNZ.
Biasse (U of C) large degree fields October 2013 7 / 30
![Page 24: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/24.jpg)
From relations to the ideal class groupThe rows (e1, · · · , eN) of the relation matrix M satisfy
pe11 · · · p
eNN = (α)
There are unimodular matrices U,V and integers di such that di+1 | di and
U ·M · V =
d1 0 . . . 0
0 d2. . .
......
. . .. . . 0
0 . . . 0 dN(0)
,
If the rows of M generate all the possible relations then
Cl(OK ) = Z/d1Z× · · · × Z/dNZ.
Biasse (U of C) large degree fields October 2013 7 / 30
![Page 25: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/25.jpg)
From relations to the unit group
Let M ∈ ZN×N′ be a relation matrix. That is,
∀i , pmi,1
1 · · · pmi,N
N = (αi ) = 1 ∈ Cl(OK ).
Property
Let X = (x1, · · · , x ′N) be such that XM = 0. Then,
βX := αx11 · · ·α
x ′NN is a unit
We use the following strategy
We derive units in compact representation from elements in ker(M).
We construct a minimal generating set for U by induction.
Biasse (U of C) large degree fields October 2013 8 / 30
![Page 26: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/26.jpg)
From relations to the unit group
Let M ∈ ZN×N′ be a relation matrix. That is,
∀i , pmi,1
1 · · · pmi,N
N = (αi ) = 1 ∈ Cl(OK ).
Property
Let X = (x1, · · · , x ′N) be such that XM = 0. Then,
βX := αx11 · · ·α
x ′NN is a unit
We use the following strategy
We derive units in compact representation from elements in ker(M).
We construct a minimal generating set for U by induction.
Biasse (U of C) large degree fields October 2013 8 / 30
![Page 27: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/27.jpg)
Connexion with the principal ideal problem
The principal ideal problem (PIP)
Let a ⊆ OK . We wish to
Decide if a is principal.
If so, find α ∈ OK such that a = (α).
Let M ∈ ZN×N′ be a relation matrix. That is,
∀i , pmi,1
1 · · · pmi,N
N = (αi ) = 1 ∈ Cl(OK ).
Algorithm for solving the PIP
Decompose a = (α)py11 · · · p
yNN .
If XA = Y has no solution, a is not principal.
Otherwise, a = (β) with β = α · αx11 · · ·α
xNN .
Biasse (U of C) large degree fields October 2013 9 / 30
![Page 28: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/28.jpg)
Connexion with the principal ideal problem
The principal ideal problem (PIP)
Let a ⊆ OK . We wish to
Decide if a is principal.
If so, find α ∈ OK such that a = (α).
Let M ∈ ZN×N′ be a relation matrix. That is,
∀i , pmi,1
1 · · · pmi,N
N = (αi ) = 1 ∈ Cl(OK ).
Algorithm for solving the PIP
Decompose a = (α)py11 · · · p
yNN .
If XA = Y has no solution, a is not principal.
Otherwise, a = (β) with β = α · αx11 · · ·α
xNN .
Biasse (U of C) large degree fields October 2013 9 / 30
![Page 29: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/29.jpg)
Connexion with the principal ideal problem
The principal ideal problem (PIP)
Let a ⊆ OK . We wish to
Decide if a is principal.
If so, find α ∈ OK such that a = (α).
Let M ∈ ZN×N′ be a relation matrix. That is,
∀i , pmi,1
1 · · · pmi,N
N = (αi ) = 1 ∈ Cl(OK ).
Algorithm for solving the PIP
Decompose a = (α)py11 · · · p
yNN .
If XA = Y has no solution, a is not principal.
Otherwise, a = (β) with β = α · αx11 · · ·α
xNN .
Biasse (U of C) large degree fields October 2013 9 / 30
![Page 30: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/30.jpg)
1 Motivation
2 Class group and unit group computation
3 Complexity aspects
4 Relations in the polarized class group
Biasse (U of C) large degree fields October 2013 9 / 30
![Page 31: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/31.jpg)
Choice of a factor baseThe algorithm starts by choosing prime ideals generating Cl(O)
B := {p prime | N (p) ≤ B} = {p1, · · · , pN}
Asymptotic bounds with respect to ∆ = disc(O)
The most commonly used bounds for the asymptotic analysis are
Minkowski bound : B = O(√|∆|) (unconditional).
Bach bound : B = O(log2 |∆|) (under GRH).
Another bound, asymptotically larger, is used in practice (Belabas et al.)∑(m,p):N (pm)≤B′
logN (p)
N (pm/2)
(1− logN (pm)
log(B ′)
)>
1
2log |∆| − 1.9n − 0.785r1
+2.468n + 1.832r1
log(B ′),
Biasse (U of C) large degree fields October 2013 10 / 30
![Page 32: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/32.jpg)
Choice of a factor baseThe algorithm starts by choosing prime ideals generating Cl(O)
B := {p prime | N (p) ≤ B} = {p1, · · · , pN}
Asymptotic bounds with respect to ∆ = disc(O)
The most commonly used bounds for the asymptotic analysis are
Minkowski bound : B = O(√|∆|) (unconditional).
Bach bound : B = O(log2 |∆|) (under GRH).
Another bound, asymptotically larger, is used in practice (Belabas et al.)∑(m,p):N (pm)≤B′
logN (p)
N (pm/2)
(1− logN (pm)
log(B ′)
)>
1
2log |∆| − 1.9n − 0.785r1
+2.468n + 1.832r1
log(B ′),
Biasse (U of C) large degree fields October 2013 10 / 30
![Page 33: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/33.jpg)
Choice of a factor baseThe algorithm starts by choosing prime ideals generating Cl(O)
B := {p prime | N (p) ≤ B} = {p1, · · · , pN}
Asymptotic bounds with respect to ∆ = disc(O)
The most commonly used bounds for the asymptotic analysis are
Minkowski bound : B = O(√|∆|) (unconditional).
Bach bound : B = O(log2 |∆|) (under GRH).
Another bound, asymptotically larger, is used in practice (Belabas et al.)∑(m,p):N (pm)≤B′
logN (p)
N (pm/2)
(1− logN (pm)
log(B ′)
)>
1
2log |∆| − 1.9n − 0.785r1
+2.468n + 1.832r1
log(B ′),
Biasse (U of C) large degree fields October 2013 10 / 30
![Page 34: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/34.jpg)
Reduction of an ideal
Ideals have unique factorization, but it is possible to have∏i
peii = (α)a,
where α ∈ K and a 6=∏
i peii .
In particular, if N (a) is small, a has a better chance to be B-smooth.
LLL-reduction of an ideal
Let a ⊆ OK . We use LLL to find a′ = a ∈ Cl(O) with small norm.
b← ka−1 where k is the denominator of a−1.
Let β be the first element of an LLL-reduced basis of b.
a′ ←(βk
)a
Then we have a′ ⊆ OK and N (a′) ≤ 2O(n2)√|∆|.
Biasse (U of C) large degree fields October 2013 11 / 30
![Page 35: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/35.jpg)
Reduction of an ideal
Ideals have unique factorization, but it is possible to have∏i
peii = (α)a,
where α ∈ K and a 6=∏
i peii .
In particular, if N (a) is small, a has a better chance to be B-smooth.
LLL-reduction of an ideal
Let a ⊆ OK . We use LLL to find a′ = a ∈ Cl(O) with small norm.
b← ka−1 where k is the denominator of a−1.
Let β be the first element of an LLL-reduced basis of b.
a′ ←(βk
)a
Then we have a′ ⊆ OK and N (a′) ≤ 2O(n2)√|∆|.
Biasse (U of C) large degree fields October 2013 11 / 30
![Page 36: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/36.jpg)
Reduction of an ideal
Ideals have unique factorization, but it is possible to have∏i
peii = (α)a,
where α ∈ K and a 6=∏
i peii .
In particular, if N (a) is small, a has a better chance to be B-smooth.
LLL-reduction of an ideal
Let a ⊆ OK . We use LLL to find a′ = a ∈ Cl(O) with small norm.
b← ka−1 where k is the denominator of a−1.
Let β be the first element of an LLL-reduced basis of b.
a′ ←(βk
)a
Then we have a′ ⊆ OK and N (a′) ≤ 2O(n2)√|∆|.
Biasse (U of C) large degree fields October 2013 11 / 30
![Page 37: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/37.jpg)
Reduction of an ideal
Ideals have unique factorization, but it is possible to have∏i
peii = (α)a,
where α ∈ K and a 6=∏
i peii .
In particular, if N (a) is small, a has a better chance to be B-smooth.
LLL-reduction of an ideal
Let a ⊆ OK . We use LLL to find a′ = a ∈ Cl(O) with small norm.
b← ka−1 where k is the denominator of a−1.
Let β be the first element of an LLL-reduced basis of b.
a′ ←(βk
)a
Then we have a′ ⊆ OK and N (a′) ≤ 2O(n2)√|∆|.
Biasse (U of C) large degree fields October 2013 11 / 30
![Page 38: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/38.jpg)
Reduction of an ideal
Ideals have unique factorization, but it is possible to have∏i
peii = (α)a,
where α ∈ K and a 6=∏
i peii .
In particular, if N (a) is small, a has a better chance to be B-smooth.
LLL-reduction of an ideal
Let a ⊆ OK . We use LLL to find a′ = a ∈ Cl(O) with small norm.
b← ka−1 where k is the denominator of a−1.
Let β be the first element of an LLL-reduced basis of b.
a′ ←(βk
)a
Then we have a′ ⊆ OK and N (a′) ≤ 2O(n2)√|∆|.
Biasse (U of C) large degree fields October 2013 11 / 30
![Page 39: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/39.jpg)
Reduction of an ideal
Ideals have unique factorization, but it is possible to have∏i
peii = (α)a,
where α ∈ K and a 6=∏
i peii .
In particular, if N (a) is small, a has a better chance to be B-smooth.
LLL-reduction of an ideal
Let a ⊆ OK . We use LLL to find a′ = a ∈ Cl(O) with small norm.
b← ka−1 where k is the denominator of a−1.
Let β be the first element of an LLL-reduced basis of b.
a′ ←(βk
)a
Then we have a′ ⊆ OK and N (a′) ≤ 2O(n2)√|∆|.
Biasse (U of C) large degree fields October 2013 11 / 30
![Page 40: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/40.jpg)
Reduction of an ideal
Ideals have unique factorization, but it is possible to have∏i
peii = (α)a,
where α ∈ K and a 6=∏
i peii .
In particular, if N (a) is small, a has a better chance to be B-smooth.
LLL-reduction of an ideal
Let a ⊆ OK . We use LLL to find a′ = a ∈ Cl(O) with small norm.
b← ka−1 where k is the denominator of a−1.
Let β be the first element of an LLL-reduced basis of b.
a′ ←(βk
)a
Then we have a′ ⊆ OK and N (a′) ≤ 2O(n2)√|∆|.
Biasse (U of C) large degree fields October 2013 11 / 30
![Page 41: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/41.jpg)
The subexponential functionTo measure the complexity of the operations, we use the subexponentialfunction
L∆(α, β) := eβ(log |∆|)α(log log |∆|)1−α.
Property
For α ∈ [0, 1], L∆(α, β) is between polynomial and exponential in log |∆|.
L∆(0, β) = (log |∆|)β
L∆(1, β) = (|∆|)β
Some interesting rules of calculation :
L∆(α, β1)× L∆(α, β2) = L∆(α, β1 + β2)
L∆(α, β)k = L∆(α, kβ).
Biasse (U of C) large degree fields October 2013 12 / 30
![Page 42: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/42.jpg)
The subexponential functionTo measure the complexity of the operations, we use the subexponentialfunction
L∆(α, β) := eβ(log |∆|)α(log log |∆|)1−α.
Property
For α ∈ [0, 1], L∆(α, β) is between polynomial and exponential in log |∆|.
L∆(0, β) = (log |∆|)β
L∆(1, β) = (|∆|)β
Some interesting rules of calculation :
L∆(α, β1)× L∆(α, β2) = L∆(α, β1 + β2)
L∆(α, β)k = L∆(α, kβ).
Biasse (U of C) large degree fields October 2013 12 / 30
![Page 43: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/43.jpg)
The subexponential functionTo measure the complexity of the operations, we use the subexponentialfunction
L∆(α, β) := eβ(log |∆|)α(log log |∆|)1−α.
Property
For α ∈ [0, 1], L∆(α, β) is between polynomial and exponential in log |∆|.
L∆(0, β) = (log |∆|)β
L∆(1, β) = (|∆|)β
Some interesting rules of calculation :
L∆(α, β1)× L∆(α, β2) = L∆(α, β1 + β2)
L∆(α, β)k = L∆(α, kβ).
Biasse (U of C) large degree fields October 2013 12 / 30
![Page 44: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/44.jpg)
Smoothness probabilityLet Ψ(x , y) be the number of y -smooth ideals of norm bounded by x .Subexponential methods consist of falling in the range where
Ψ(x , y)
x= u−u(1+o(1)), u =
log x
log y(1).
Known estimates (for which (1) holds)
Over Z : Hildebrand 84
Over ideals of a number field : Sourfield 04 (GRH).
Over principal ideals : conjectural.
If x = L∆(a, b) and y = L∆(c , d), then
Ψ(x , y)
x= L∆
(a− c ,− c
d(b − d) + o(1)
).
Biasse (U of C) large degree fields October 2013 13 / 30
![Page 45: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/45.jpg)
Smoothness probabilityLet Ψ(x , y) be the number of y -smooth ideals of norm bounded by x .Subexponential methods consist of falling in the range where
Ψ(x , y)
x= u−u(1+o(1)), u =
log x
log y(1).
Known estimates (for which (1) holds)
Over Z : Hildebrand 84
Over ideals of a number field : Sourfield 04 (GRH).
Over principal ideals : conjectural.
If x = L∆(a, b) and y = L∆(c , d), then
Ψ(x , y)
x= L∆
(a− c ,− c
d(b − d) + o(1)
).
Biasse (U of C) large degree fields October 2013 13 / 30
![Page 46: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/46.jpg)
Smoothness probabilityLet Ψ(x , y) be the number of y -smooth ideals of norm bounded by x .Subexponential methods consist of falling in the range where
Ψ(x , y)
x= u−u(1+o(1)), u =
log x
log y(1).
Known estimates (for which (1) holds)
Over Z : Hildebrand 84
Over ideals of a number field : Sourfield 04 (GRH).
Over principal ideals : conjectural.
If x = L∆(a, b) and y = L∆(c , d), then
Ψ(x , y)
x= L∆
(a− c ,− c
d(b − d) + o(1)
).
Biasse (U of C) large degree fields October 2013 13 / 30
![Page 47: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/47.jpg)
Fixed degree number fields
Hafner-McCurley and Buchmann computed the class group and unit groupfor fixed n = [K : Q] in time L∆(1/2, c).
Creation of relations in Cl(O)
We choose B = {p | N (p) ≤ B} where B = L∆(1/2, c).
Draw a :=∏
i peii at random where pi ∈ B.
Let b = (α)a with N (b) ≤ 2O(n2)√|∆|.
If b =∏
j qj is B-smooth, keep the relation∏
i peii ·∏
j q−1j = 1.
If n is fixed, we derive |B| = L∆(1/2, c) relations in L∆(1/2, d).
Then Cl(O) and U(O) are found in time |B|k = L∆(1/2, kd).
Biasse (U of C) large degree fields October 2013 14 / 30
![Page 48: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/48.jpg)
Fixed degree number fields
Hafner-McCurley and Buchmann computed the class group and unit groupfor fixed n = [K : Q] in time L∆(1/2, c).
Creation of relations in Cl(O)
We choose B = {p | N (p) ≤ B} where B = L∆(1/2, c).
Draw a :=∏
i peii at random where pi ∈ B.
Let b = (α)a with N (b) ≤ 2O(n2)√|∆|.
If b =∏
j qj is B-smooth, keep the relation∏
i peii ·∏
j q−1j = 1.
If n is fixed, we derive |B| = L∆(1/2, c) relations in L∆(1/2, d).
Then Cl(O) and U(O) are found in time |B|k = L∆(1/2, kd).
Biasse (U of C) large degree fields October 2013 14 / 30
![Page 49: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/49.jpg)
Fixed degree number fields
Hafner-McCurley and Buchmann computed the class group and unit groupfor fixed n = [K : Q] in time L∆(1/2, c).
Creation of relations in Cl(O)
We choose B = {p | N (p) ≤ B} where B = L∆(1/2, c).
Draw a :=∏
i peii at random where pi ∈ B.
Let b = (α)a with N (b) ≤ 2O(n2)√|∆|.
If b =∏
j qj is B-smooth, keep the relation∏
i peii ·∏
j q−1j = 1.
If n is fixed, we derive |B| = L∆(1/2, c) relations in L∆(1/2, d).
Then Cl(O) and U(O) are found in time |B|k = L∆(1/2, kd).
Biasse (U of C) large degree fields October 2013 14 / 30
![Page 50: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/50.jpg)
Fixed degree number fields
Hafner-McCurley and Buchmann computed the class group and unit groupfor fixed n = [K : Q] in time L∆(1/2, c).
Creation of relations in Cl(O)
We choose B = {p | N (p) ≤ B} where B = L∆(1/2, c).
Draw a :=∏
i peii at random where pi ∈ B.
Let b = (α)a with N (b) ≤ 2O(n2)√|∆|.
If b =∏
j qj is B-smooth, keep the relation∏
i peii ·∏
j q−1j = 1.
If n is fixed, we derive |B| = L∆(1/2, c) relations in L∆(1/2, d).
Then Cl(O) and U(O) are found in time |B|k = L∆(1/2, kd).
Biasse (U of C) large degree fields October 2013 14 / 30
![Page 51: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/51.jpg)
Fixed degree number fields
Hafner-McCurley and Buchmann computed the class group and unit groupfor fixed n = [K : Q] in time L∆(1/2, c).
Creation of relations in Cl(O)
We choose B = {p | N (p) ≤ B} where B = L∆(1/2, c).
Draw a :=∏
i peii at random where pi ∈ B.
Let b = (α)a with N (b) ≤ 2O(n2)√|∆|.
If b =∏
j qj is B-smooth, keep the relation∏
i peii ·∏
j q−1j = 1.
If n is fixed, we derive |B| = L∆(1/2, c) relations in L∆(1/2, d).
Then Cl(O) and U(O) are found in time |B|k = L∆(1/2, kd).
Biasse (U of C) large degree fields October 2013 14 / 30
![Page 52: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/52.jpg)
Fixed degree number fields
Hafner-McCurley and Buchmann computed the class group and unit groupfor fixed n = [K : Q] in time L∆(1/2, c).
Creation of relations in Cl(O)
We choose B = {p | N (p) ≤ B} where B = L∆(1/2, c).
Draw a :=∏
i peii at random where pi ∈ B.
Let b = (α)a with N (b) ≤ 2O(n2)√|∆|.
If b =∏
j qj is B-smooth, keep the relation∏
i peii ·∏
j q−1j = 1.
If n is fixed, we derive |B| = L∆(1/2, c) relations in L∆(1/2, d).
Then Cl(O) and U(O) are found in time |B|k = L∆(1/2, kd).
Biasse (U of C) large degree fields October 2013 14 / 30
![Page 53: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/53.jpg)
Fixed degree number fields
Hafner-McCurley and Buchmann computed the class group and unit groupfor fixed n = [K : Q] in time L∆(1/2, c).
Creation of relations in Cl(O)
We choose B = {p | N (p) ≤ B} where B = L∆(1/2, c).
Draw a :=∏
i peii at random where pi ∈ B.
Let b = (α)a with N (b) ≤ 2O(n2)√|∆|.
If b =∏
j qj is B-smooth, keep the relation∏
i peii ·∏
j q−1j = 1.
If n is fixed, we derive |B| = L∆(1/2, c) relations in L∆(1/2, d).
Then Cl(O) and U(O) are found in time |B|k = L∆(1/2, kd).
Biasse (U of C) large degree fields October 2013 14 / 30
![Page 54: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/54.jpg)
When n→∞ : changing the reduction algorithm
If LLL-reduce a :=∏
i pi , we get b ∼ a with N (b) ≤ 2O(n2)√|∆|.
We have N (b) ≥ L∆(2, c) for some c > 0.
With B = L∆(α, d) for some α < 1 and d > 0,
E(time to find b B − smooth) ≥ L∆(2− α, e) ≥ |∆|e for some e > 0.
BKZ reduction
Let k > 0, the BKZk reduction allows to find b = (α)a with
N (b) ≤ 2O(
n2
k
)√|∆| in time O(2k).
We replace LLL-reduction by BKZk reduction with k = 2/3.
It runs in time L∆(2/3 + ε, d) for d > 0 and arbitrary small ε > 0.
Biasse (U of C) large degree fields October 2013 15 / 30
![Page 55: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/55.jpg)
When n→∞ : changing the reduction algorithm
If LLL-reduce a :=∏
i pi , we get b ∼ a with N (b) ≤ 2O(n2)√|∆|.
We have N (b) ≥ L∆(2, c) for some c > 0.
With B = L∆(α, d) for some α < 1 and d > 0,
E(time to find b B − smooth) ≥ L∆(2− α, e) ≥ |∆|e for some e > 0.
BKZ reduction
Let k > 0, the BKZk reduction allows to find b = (α)a with
N (b) ≤ 2O(
n2
k
)√|∆| in time O(2k).
We replace LLL-reduction by BKZk reduction with k = 2/3.
It runs in time L∆(2/3 + ε, d) for d > 0 and arbitrary small ε > 0.
Biasse (U of C) large degree fields October 2013 15 / 30
![Page 56: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/56.jpg)
When n→∞ : changing the reduction algorithm
If LLL-reduce a :=∏
i pi , we get b ∼ a with N (b) ≤ 2O(n2)√|∆|.
We have N (b) ≥ L∆(2, c) for some c > 0.
With B = L∆(α, d) for some α < 1 and d > 0,
E(time to find b B − smooth) ≥ L∆(2− α, e) ≥ |∆|e for some e > 0.
BKZ reduction
Let k > 0, the BKZk reduction allows to find b = (α)a with
N (b) ≤ 2O(
n2
k
)√|∆| in time O(2k).
We replace LLL-reduction by BKZk reduction with k = 2/3.
It runs in time L∆(2/3 + ε, d) for d > 0 and arbitrary small ε > 0.
Biasse (U of C) large degree fields October 2013 15 / 30
![Page 57: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/57.jpg)
Class group and unit group of Z[θ] in L∆(1/3)
Let K/Q defined by P ∈ Z[X ] with n = deg(P) and d = log(H(P)).
We draw φ = A(θ) for A ∈ Z[X ] with k = deg(A) and a = log(H(A)).
We have N (φ) ≤ na + dk + n log k + k log n.
Property
When n = log(|∆|)α and d = log(|∆|)1−α for α ∈]
13 ,
23
[We can choose A ∈ Z[X ] such that N (φ) ≤ L∆
(23 , c)
for c > 0.
It takes L∆
(13 , e)
to find an L∆
(13 , d)-smooth φ.
We can compute Cl(Z[θ]) and U(Z[θ]) in L∆(1/3, f ) for some f > 0.
This does not extend to Z[θ] ( O.
Biasse (U of C) large degree fields October 2013 16 / 30
![Page 58: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/58.jpg)
Class group and unit group of Z[θ] in L∆(1/3)
Let K/Q defined by P ∈ Z[X ] with n = deg(P) and d = log(H(P)).
We draw φ = A(θ) for A ∈ Z[X ] with k = deg(A) and a = log(H(A)).
We have N (φ) ≤ na + dk + n log k + k log n.
Property
When n = log(|∆|)α and d = log(|∆|)1−α for α ∈]
13 ,
23
[
We can choose A ∈ Z[X ] such that N (φ) ≤ L∆
(23 , c)
for c > 0.
It takes L∆
(13 , e)
to find an L∆
(13 , d)-smooth φ.
We can compute Cl(Z[θ]) and U(Z[θ]) in L∆(1/3, f ) for some f > 0.
This does not extend to Z[θ] ( O.
Biasse (U of C) large degree fields October 2013 16 / 30
![Page 59: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/59.jpg)
Class group and unit group of Z[θ] in L∆(1/3)
Let K/Q defined by P ∈ Z[X ] with n = deg(P) and d = log(H(P)).
We draw φ = A(θ) for A ∈ Z[X ] with k = deg(A) and a = log(H(A)).
We have N (φ) ≤ na + dk + n log k + k log n.
Property
When n = log(|∆|)α and d = log(|∆|)1−α for α ∈]
13 ,
23
[We can choose A ∈ Z[X ] such that N (φ) ≤ L∆
(23 , c)
for c > 0.
It takes L∆
(13 , e)
to find an L∆
(13 , d)-smooth φ.
We can compute Cl(Z[θ]) and U(Z[θ]) in L∆(1/3, f ) for some f > 0.
This does not extend to Z[θ] ( O.
Biasse (U of C) large degree fields October 2013 16 / 30
![Page 60: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/60.jpg)
Class group and unit group of Z[θ] in L∆(1/3)
Let K/Q defined by P ∈ Z[X ] with n = deg(P) and d = log(H(P)).
We draw φ = A(θ) for A ∈ Z[X ] with k = deg(A) and a = log(H(A)).
We have N (φ) ≤ na + dk + n log k + k log n.
Property
When n = log(|∆|)α and d = log(|∆|)1−α for α ∈]
13 ,
23
[We can choose A ∈ Z[X ] such that N (φ) ≤ L∆
(23 , c)
for c > 0.
It takes L∆
(13 , e)
to find an L∆
(13 , d)-smooth φ.
We can compute Cl(Z[θ]) and U(Z[θ]) in L∆(1/3, f ) for some f > 0.
This does not extend to Z[θ] ( O.
Biasse (U of C) large degree fields October 2013 16 / 30
![Page 61: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/61.jpg)
Class group and unit group of Z[θ] in L∆(1/3)
Let K/Q defined by P ∈ Z[X ] with n = deg(P) and d = log(H(P)).
We draw φ = A(θ) for A ∈ Z[X ] with k = deg(A) and a = log(H(A)).
We have N (φ) ≤ na + dk + n log k + k log n.
Property
When n = log(|∆|)α and d = log(|∆|)1−α for α ∈]
13 ,
23
[We can choose A ∈ Z[X ] such that N (φ) ≤ L∆
(23 , c)
for c > 0.
It takes L∆
(13 , e)
to find an L∆
(13 , d)-smooth φ.
We can compute Cl(Z[θ]) and U(Z[θ]) in L∆(1/3, f ) for some f > 0.
This does not extend to Z[θ] ( O.
Biasse (U of C) large degree fields October 2013 16 / 30
![Page 62: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/62.jpg)
Cyclotomic fields
We want to calculate Cl(Z[θ]) and U(Z[θ]) for K = Q[X ]/XN + 1.
H(XN + 1) = 1.
log |Disc(XN + 1)| := log |∆| = N log(N).
Relation search
We draw φ ∈ Z[θ] of the form A(θ) with
k := deg(A) = N.
a := log(H(A)) = log(N)
logN (φ) ≤ O (a · N + k + N log(k) + k log(N)) ≤ O(log |∆|)
This way, we can perform the relation search in time L∆
(12 , c)
for somec > 0.
Biasse (U of C) large degree fields October 2013 17 / 30
![Page 63: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/63.jpg)
Cyclotomic fields
We want to calculate Cl(Z[θ]) and U(Z[θ]) for K = Q[X ]/XN + 1.
H(XN + 1) = 1.
log |Disc(XN + 1)| := log |∆| = N log(N).
Relation search
We draw φ ∈ Z[θ] of the form A(θ) with
k := deg(A) = N.
a := log(H(A)) = log(N)
logN (φ) ≤ O (a · N + k + N log(k) + k log(N)) ≤ O(log |∆|)
This way, we can perform the relation search in time L∆
(12 , c)
for somec > 0.
Biasse (U of C) large degree fields October 2013 17 / 30
![Page 64: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/64.jpg)
Cyclotomic fields
We want to calculate Cl(Z[θ]) and U(Z[θ]) for K = Q[X ]/XN + 1.
H(XN + 1) = 1.
log |Disc(XN + 1)| := log |∆| = N log(N).
Relation search
We draw φ ∈ Z[θ] of the form A(θ) with
k := deg(A) = N.
a := log(H(A)) = log(N)
logN (φ) ≤ O (a · N + k + N log(k) + k log(N)) ≤ O(log |∆|)
This way, we can perform the relation search in time L∆
(12 , c)
for somec > 0.
Biasse (U of C) large degree fields October 2013 17 / 30
![Page 65: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/65.jpg)
Short generators of ideals
Let a ⊆ O a principal ideal and U = µ× 〈ε1〉 × · · · × 〈εr 〉 the unit group.
We know how to compute generators for U and a generator of a.
We want a small generator of a.
Assume we find α ∈ O such that a = (α), then
∀(e1, · · · , er ) ∈ Zr , a = (εe11 , · · · , ε
err α).
When r = 1, then we find e ∈ Z such that log |α| − e log |ε| has thedesired size.
Let ~vx = (log |x |1, · · · , log |x |r ) ∈ Rr .
We want ‖~α +∑
i ei ~εi‖2 small.
In arbitrary dimension, we want to solve the closest vector problem.
Biasse (U of C) large degree fields October 2013 18 / 30
![Page 66: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/66.jpg)
Short generators of ideals
Let a ⊆ O a principal ideal and U = µ× 〈ε1〉 × · · · × 〈εr 〉 the unit group.
We know how to compute generators for U and a generator of a.
We want a small generator of a.
Assume we find α ∈ O such that a = (α), then
∀(e1, · · · , er ) ∈ Zr , a = (εe11 , · · · , ε
err α).
When r = 1, then we find e ∈ Z such that log |α| − e log |ε| has thedesired size.
Let ~vx = (log |x |1, · · · , log |x |r ) ∈ Rr .
We want ‖~α +∑
i ei ~εi‖2 small.
In arbitrary dimension, we want to solve the closest vector problem.
Biasse (U of C) large degree fields October 2013 18 / 30
![Page 67: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/67.jpg)
Short generators of ideals
Let a ⊆ O a principal ideal and U = µ× 〈ε1〉 × · · · × 〈εr 〉 the unit group.
We know how to compute generators for U and a generator of a.
We want a small generator of a.
Assume we find α ∈ O such that a = (α), then
∀(e1, · · · , er ) ∈ Zr , a = (εe11 , · · · , ε
err α).
When r = 1, then we find e ∈ Z such that log |α| − e log |ε| has thedesired size.
Let ~vx = (log |x |1, · · · , log |x |r ) ∈ Rr .
We want ‖~α +∑
i ei ~εi‖2 small.
In arbitrary dimension, we want to solve the closest vector problem.
Biasse (U of C) large degree fields October 2013 18 / 30
![Page 68: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/68.jpg)
The q-descent
Goal
Let O ⊆ OK be an order in K , and a |∆|-smooth a ⊆ O.
We find a L∆(1/3, b)-smooth decomposition of a in time L∆(1/3, c).
This allows an L∆(1/3) algorithm to compute Cl(O) and U(O).
Let q ⊆ O and vq such that q = qO + (θ − vq)O. Then
Lq := Zv0 + Z(v1 − θ) + · · ·+ Z(vk − θk) ⊆ q,
where vi = v ip mod q.
The φ ∈ Lq are of the form φ = A(θ) for A ∈ Z[X ].
We look for small elements φ ∈ Lq.
Biasse (U of C) large degree fields October 2013 19 / 30
![Page 69: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/69.jpg)
The q-descent
Goal
Let O ⊆ OK be an order in K , and a |∆|-smooth a ⊆ O.
We find a L∆(1/3, b)-smooth decomposition of a in time L∆(1/3, c).
This allows an L∆(1/3) algorithm to compute Cl(O) and U(O).
Let q ⊆ O and vq such that q = qO + (θ − vq)O. Then
Lq := Zv0 + Z(v1 − θ) + · · ·+ Z(vk − θk) ⊆ q,
where vi = v ip mod q.
The φ ∈ Lq are of the form φ = A(θ) for A ∈ Z[X ].
We look for small elements φ ∈ Lq.
Biasse (U of C) large degree fields October 2013 19 / 30
![Page 70: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/70.jpg)
The q-descent
Goal
Let O ⊆ OK be an order in K , and a |∆|-smooth a ⊆ O.
We find a L∆(1/3, b)-smooth decomposition of a in time L∆(1/3, c).
This allows an L∆(1/3) algorithm to compute Cl(O) and U(O).
Let q ⊆ O and vq such that q = qO + (θ − vq)O. Then
Lq := Zv0 + Z(v1 − θ) + · · ·+ Z(vk − θk) ⊆ q,
where vi = v ip mod q.
The φ ∈ Lq are of the form φ = A(θ) for A ∈ Z[X ].
We look for small elements φ ∈ Lq.
Biasse (U of C) large degree fields October 2013 19 / 30
![Page 71: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/71.jpg)
The q-descent
a = (α) · q1 · · · qi · · · qk N (qj) ∈ L∆
(13 + τ, 1
)
find αi ∈ qi with (αi )/qi L∆(1/3 + τ/2, c)-smooth
qi = (αi )q′−11 · · · q′
−1i · · · q′
−1k ′
N (q′j) ∈ L∆
(13 + τ
2 , 1)
Repeat until τ is small enough
Find αi ∈ q′i with N (αi ) ∈ L∆(1/3, c∞)
a = (α) · q′′e11 · · · q′′
ell N (q′′j) ∈ L∆
(13 , c∞
)
Biasse (U of C) large degree fields October 2013 20 / 30
![Page 72: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/72.jpg)
The q-descent
a = (α) · q1 · · · qi · · · qk N (qj) ∈ L∆
(13 + τ, 1
)find αi ∈ qi with (αi )/qi L∆(1/3 + τ/2, c)-smooth
qi = (αi )q′−11 · · · q′
−1i · · · q′
−1k ′
N (q′j) ∈ L∆
(13 + τ
2 , 1)
Repeat until τ is small enough
Find αi ∈ q′i with N (αi ) ∈ L∆(1/3, c∞)
a = (α) · q′′e11 · · · q′′
ell N (q′′j) ∈ L∆
(13 , c∞
)
Biasse (U of C) large degree fields October 2013 20 / 30
![Page 73: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/73.jpg)
The q-descent
a = (α) · q1 · · · qi · · · qk N (qj) ∈ L∆
(13 + τ, 1
)find αi ∈ qi with (αi )/qi L∆(1/3 + τ/2, c)-smooth
qi = (αi )q′−11 · · · q′
−1i · · · q′
−1k ′
N (q′j) ∈ L∆
(13 + τ
2 , 1)
Repeat until τ is small enough
Find αi ∈ q′i with N (αi ) ∈ L∆(1/3, c∞)
a = (α) · q′′e11 · · · q′′
ell N (q′′j) ∈ L∆
(13 , c∞
)
Biasse (U of C) large degree fields October 2013 20 / 30
![Page 74: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/74.jpg)
The q-descent
a = (α) · q1 · · · qi · · · qk N (qj) ∈ L∆
(13 + τ, 1
)find αi ∈ qi with (αi )/qi L∆(1/3 + τ/2, c)-smooth
qi = (αi )q′−11 · · · q′
−1i · · · q′
−1k ′
N (q′j) ∈ L∆
(13 + τ
2 , 1)
Repeat until τ is small enough
Find αi ∈ q′i with N (αi ) ∈ L∆(1/3, c∞)
a = (α) · q′′e11 · · · q′′
ell N (q′′j) ∈ L∆
(13 , c∞
)
Biasse (U of C) large degree fields October 2013 20 / 30
![Page 75: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/75.jpg)
The q-descent
a = (α) · q1 · · · qi · · · qk N (qj) ∈ L∆
(13 + τ, 1
)find αi ∈ qi with (αi )/qi L∆(1/3 + τ/2, c)-smooth
qi = (αi )q′−11 · · · q′
−1i · · · q′
−1k ′
N (q′j) ∈ L∆
(13 + τ
2 , 1)
Repeat until τ is small enough
Find αi ∈ q′i with N (αi ) ∈ L∆(1/3, c∞)
a = (α) · q′′e11 · · · q′′
ell N (q′′j) ∈ L∆
(13 , c∞
)
Biasse (U of C) large degree fields October 2013 20 / 30
![Page 76: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/76.jpg)
The q-descent
a = (α) · q1 · · · qi · · · qk N (qj) ∈ L∆
(13 + τ, 1
)find αi ∈ qi with (αi )/qi L∆(1/3 + τ/2, c)-smooth
qi = (αi )q′−11 · · · q′
−1i · · · q′
−1k ′
N (q′j) ∈ L∆
(13 + τ
2 , 1)
Repeat until τ is small enough
Find αi ∈ q′i with N (αi ) ∈ L∆(1/3, c∞)
a = (α) · q′′e11 · · · q′′
ell N (q′′j) ∈ L∆
(13 , c∞
)Biasse (U of C) large degree fields October 2013 20 / 30
![Page 77: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/77.jpg)
1 Motivation
2 Class group and unit group computation
3 Complexity aspects
4 Relations in the polarized class group
Biasse (U of C) large degree fields October 2013 20 / 30
![Page 78: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/78.jpg)
The polarized class group
Let K be a CM field, K+ be the maximal totally real subfield of K and Oan order in K .
An ideal a ⊆ O is polarized if
∃α ∈ K+ totally real such that aa = (α).
The polarized class group
C(O) = {Polarized ideals of O}/{Principal polarized ideals}
C(O) acts on isomorphism classes of principally polarized Abelian varietieswith complex multiplication by O.
The class of a acts via an isogenie of degree N (a).
This action preserves the polarization.
Biasse (U of C) large degree fields October 2013 21 / 30
![Page 79: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/79.jpg)
The polarized class group
Let K be a CM field, K+ be the maximal totally real subfield of K and Oan order in K .
An ideal a ⊆ O is polarized if
∃α ∈ K+ totally real such that aa = (α).
The polarized class group
C(O) = {Polarized ideals of O}/{Principal polarized ideals}
C(O) acts on isomorphism classes of principally polarized Abelian varietieswith complex multiplication by O.
The class of a acts via an isogenie of degree N (a).
This action preserves the polarization.
Biasse (U of C) large degree fields October 2013 21 / 30
![Page 80: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/80.jpg)
The polarized class group
Let K be a CM field, K+ be the maximal totally real subfield of K and Oan order in K .
An ideal a ⊆ O is polarized if
∃α ∈ K+ totally real such that aa = (α).
The polarized class group
C(O) = {Polarized ideals of O}/{Principal polarized ideals}
C(O) acts on isomorphism classes of principally polarized Abelian varietieswith complex multiplication by O.
The class of a acts via an isogenie of degree N (a).
This action preserves the polarization.
Biasse (U of C) large degree fields October 2013 21 / 30
![Page 81: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/81.jpg)
Relations in the polarized class group
The cost of evaluating the action of the class of a ⊆ O grows with N (a).
The action of a is deduced from the action of ideals of smaller norm.
This boils down to decomposing a in C(O).
Using smooth ideals
Let a be a polarized ideal of O and B > 0. We rewrite the class of a as
a = p1 · · · pk in C(O), where N (pi ) ≤ B.
Evaluating the action of a boils down to evaluating that of the (pi )i≤k .
Ideals in O are unlikely to be polarized.
We need to produce relations between polarized ideals.
Biasse (U of C) large degree fields October 2013 22 / 30
![Page 82: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/82.jpg)
Relations in the polarized class group
The cost of evaluating the action of the class of a ⊆ O grows with N (a).
The action of a is deduced from the action of ideals of smaller norm.
This boils down to decomposing a in C(O).
Using smooth ideals
Let a be a polarized ideal of O and B > 0. We rewrite the class of a as
a = p1 · · · pk in C(O), where N (pi ) ≤ B.
Evaluating the action of a boils down to evaluating that of the (pi )i≤k .
Ideals in O are unlikely to be polarized.
We need to produce relations between polarized ideals.
Biasse (U of C) large degree fields October 2013 22 / 30
![Page 83: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/83.jpg)
Relations in the polarized class group
The cost of evaluating the action of the class of a ⊆ O grows with N (a).
The action of a is deduced from the action of ideals of smaller norm.
This boils down to decomposing a in C(O).
Using smooth ideals
Let a be a polarized ideal of O and B > 0. We rewrite the class of a as
a = p1 · · · pk in C(O), where N (pi ) ≤ B.
Evaluating the action of a boils down to evaluating that of the (pi )i≤k .
Ideals in O are unlikely to be polarized.
We need to produce relations between polarized ideals.
Biasse (U of C) large degree fields October 2013 22 / 30
![Page 84: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/84.jpg)
From relations in Cl(O) to relations in C(O) Bisson-11
Let K a CM field with type Φ and reflex field K r with type Φr . We havemaps between K and K r .
Type norm : NΦ : x ∈ K →∏φ∈Φ φ(x) ∈ K r .
Reflex type norm : NΦr : x ∈ K r →∏φ∈Φr φ(x) ∈ K .
Property
Let a ⊆ O be an ideal of O and ar ⊆ OK r be an ideal of OK r .
NΦ(a) is an ideal of OK r and N (ar ) is an ideal of OK .
NΦr (ar ) is a polarized ideal of OK .
We draw a relation p1 · · · pk = 1 in Cl(O) and deduce the relation
NΦr (NΦ(p1)) · · · NΦr (NΦ(pk)) = 1 ∈ C(O).
Biasse (U of C) large degree fields October 2013 23 / 30
![Page 85: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/85.jpg)
From relations in Cl(O) to relations in C(O) Bisson-11
Let K a CM field with type Φ and reflex field K r with type Φr . We havemaps between K and K r .
Type norm : NΦ : x ∈ K →∏φ∈Φ φ(x) ∈ K r .
Reflex type norm : NΦr : x ∈ K r →∏φ∈Φr φ(x) ∈ K .
Property
Let a ⊆ O be an ideal of O and ar ⊆ OK r be an ideal of OK r .
NΦ(a) is an ideal of OK r and N (ar ) is an ideal of OK .
NΦr (ar ) is a polarized ideal of OK .
We draw a relation p1 · · · pk = 1 in Cl(O) and deduce the relation
NΦr (NΦ(p1)) · · · NΦr (NΦ(pk)) = 1 ∈ C(O).
Biasse (U of C) large degree fields October 2013 23 / 30
![Page 86: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/86.jpg)
From relations in Cl(O) to relations in C(O) Bisson-11
Let K a CM field with type Φ and reflex field K r with type Φr . We havemaps between K and K r .
Type norm : NΦ : x ∈ K →∏φ∈Φ φ(x) ∈ K r .
Reflex type norm : NΦr : x ∈ K r →∏φ∈Φr φ(x) ∈ K .
Property
Let a ⊆ O be an ideal of O and ar ⊆ OK r be an ideal of OK r .
NΦ(a) is an ideal of OK r and N (ar ) is an ideal of OK .
NΦr (ar ) is a polarized ideal of OK .
We draw a relation p1 · · · pk = 1 in Cl(O) and deduce the relation
NΦr (NΦ(p1)) · · · NΦr (NΦ(pk)) = 1 ∈ C(O).
Biasse (U of C) large degree fields October 2013 23 / 30
![Page 87: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/87.jpg)
Relations in C(O)
K c
K K r
NΦ
NΦr
(α) = p1 · · · pk(α′) = p′1 · · · p′k
(β) = (q1, β1) · · · (qk , βk)
NΦ(pi ) = p′i
NΦr (p′j) = qj
Biasse (U of C) large degree fields October 2013 24 / 30
![Page 88: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/88.jpg)
Relations in C(O)
K c
K K r
NΦ
NΦr
(α) = p1 · · · pk
(α′) = p′1 · · · p′k(β) = (q1, β1) · · · (qk , βk)
NΦ(pi ) = p′i
NΦr (p′j) = qj
Biasse (U of C) large degree fields October 2013 24 / 30
![Page 89: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/89.jpg)
Relations in C(O)
K c
K K r
NΦ
NΦr
(α) = p1 · · · pk(α′) = p′1 · · · p′k
(β) = (q1, β1) · · · (qk , βk)
NΦ(pi ) = p′i
NΦr (p′j) = qj
Biasse (U of C) large degree fields October 2013 24 / 30
![Page 90: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/90.jpg)
Relations in C(O)
K c
K K r
NΦ
NΦr
(α) = p1 · · · pk(α′) = p′1 · · · p′k
(β) = (q1, β1) · · · (qk , βk)
NΦ(pi ) = p′i
NΦr (p′j) = qj
Biasse (U of C) large degree fields October 2013 24 / 30
![Page 91: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/91.jpg)
The case of g →∞Let V /Fq be a dimension g Abelian variety defined over Fq with CM byan order O in K .
We want to derive relations in C(O).
We want to establish conditions on K to use the q-descent.
K = Q[X ]/χ(X ) is defined by a q-Weil polynomial of the form
χ(X ) =∏j≤2g
(X −√qe iθj ).
Let ∆ = disc(χ), do n = deg(χ) and d = log(H(χ)) satisfy
n = n0(log |∆|)α(1 + o(1))
d = d0(log |∆|)1−α(1 + o(1)),
for α ∈]0, 1[ and n0, d0 > 0, allowing a subexponential q-descent ?
Biasse (U of C) large degree fields October 2013 25 / 30
![Page 92: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/92.jpg)
The case of g →∞Let V /Fq be a dimension g Abelian variety defined over Fq with CM byan order O in K .
We want to derive relations in C(O).
We want to establish conditions on K to use the q-descent.
K = Q[X ]/χ(X ) is defined by a q-Weil polynomial of the form
χ(X ) =∏j≤2g
(X −√qe iθj ).
Let ∆ = disc(χ), do n = deg(χ) and d = log(H(χ)) satisfy
n = n0(log |∆|)α(1 + o(1))
d = d0(log |∆|)1−α(1 + o(1)),
for α ∈]0, 1[ and n0, d0 > 0, allowing a subexponential q-descent ?
Biasse (U of C) large degree fields October 2013 25 / 30
![Page 93: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/93.jpg)
The case of g →∞Let V /Fq be a dimension g Abelian variety defined over Fq with CM byan order O in K .
We want to derive relations in C(O).
We want to establish conditions on K to use the q-descent.
K = Q[X ]/χ(X ) is defined by a q-Weil polynomial of the form
χ(X ) =∏j≤2g
(X −√qe iθj ).
Let ∆ = disc(χ), do n = deg(χ) and d = log(H(χ)) satisfy
n = n0(log |∆|)α(1 + o(1))
d = d0(log |∆|)1−α(1 + o(1)),
for α ∈]0, 1[ and n0, d0 > 0, allowing a subexponential q-descent ?
Biasse (U of C) large degree fields October 2013 25 / 30
![Page 94: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/94.jpg)
The case of g →∞Let log |∆′| := g2 log(q), and g = log(q)δ for some δ > 0, then
n = n0 log |∆′|α(1 + o(1)).
d = d0 log |∆′|1−α(1 + o(1)).
We can have subexponential time with respect to log |∆′|. Do we havelog |∆′| ∼ log |Disc(χ)| ?.
The discriminant of χ is given by
Disc(χ) = (√q)(2g
g )∏j 6=k
(e iθj − e iθk
).
We have the upper bound log |Disc(χ)| ≤ O(g2 log(q))(1 + o(1)).
But we might have log |Disc(χ)| � g2 log(q).
If |e iθj − e iθk | ≥ 1pε for some ε < 1/2, then log |Disc(χ)| & O(g2 log(q)).
Biasse (U of C) large degree fields October 2013 26 / 30
![Page 95: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/95.jpg)
The case of g →∞Let log |∆′| := g2 log(q), and g = log(q)δ for some δ > 0, then
n = n0 log |∆′|α(1 + o(1)).
d = d0 log |∆′|1−α(1 + o(1)).
We can have subexponential time with respect to log |∆′|. Do we havelog |∆′| ∼ log |Disc(χ)| ?.
The discriminant of χ is given by
Disc(χ) = (√q)(2g
g )∏j 6=k
(e iθj − e iθk
).
We have the upper bound log |Disc(χ)| ≤ O(g2 log(q))(1 + o(1)).
But we might have log |Disc(χ)| � g2 log(q).
If |e iθj − e iθk | ≥ 1pε for some ε < 1/2, then log |Disc(χ)| & O(g2 log(q)).
Biasse (U of C) large degree fields October 2013 26 / 30
![Page 96: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/96.jpg)
The case of g →∞Let log |∆′| := g2 log(q), and g = log(q)δ for some δ > 0, then
n = n0 log |∆′|α(1 + o(1)).
d = d0 log |∆′|1−α(1 + o(1)).
We can have subexponential time with respect to log |∆′|. Do we havelog |∆′| ∼ log |Disc(χ)| ?.
The discriminant of χ is given by
Disc(χ) = (√q)(2g
g )∏j 6=k
(e iθj − e iθk
).
We have the upper bound log |Disc(χ)| ≤ O(g2 log(q))(1 + o(1)).
But we might have log |Disc(χ)| � g2 log(q).
If |e iθj − e iθk | ≥ 1pε for some ε < 1/2, then log |Disc(χ)| & O(g2 log(q)).
Biasse (U of C) large degree fields October 2013 26 / 30
![Page 97: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/97.jpg)
The case of g →∞Let log |∆′| := g2 log(q), and g = log(q)δ for some δ > 0, then
n = n0 log |∆′|α(1 + o(1)).
d = d0 log |∆′|1−α(1 + o(1)).
We can have subexponential time with respect to log |∆′|. Do we havelog |∆′| ∼ log |Disc(χ)| ?.
The discriminant of χ is given by
Disc(χ) = (√q)(2g
g )∏j 6=k
(e iθj − e iθk
).
We have the upper bound log |Disc(χ)| ≤ O(g2 log(q))(1 + o(1)).
But we might have log |Disc(χ)| � g2 log(q).
If |e iθj − e iθk | ≥ 1pε for some ε < 1/2, then log |Disc(χ)| & O(g2 log(q)).
Biasse (U of C) large degree fields October 2013 26 / 30
![Page 98: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/98.jpg)
The case of g →∞Let log |∆′| := g2 log(q), and g = log(q)δ for some δ > 0, then
n = n0 log |∆′|α(1 + o(1)).
d = d0 log |∆′|1−α(1 + o(1)).
We can have subexponential time with respect to log |∆′|. Do we havelog |∆′| ∼ log |Disc(χ)| ?.
The discriminant of χ is given by
Disc(χ) = (√q)(2g
g )∏j 6=k
(e iθj − e iθk
).
We have the upper bound log |Disc(χ)| ≤ O(g2 log(q))(1 + o(1)).
But we might have log |Disc(χ)| � g2 log(q).
If |e iθj − e iθk | ≥ 1pε for some ε < 1/2, then log |Disc(χ)| & O(g2 log(q)).
Biasse (U of C) large degree fields October 2013 26 / 30
![Page 99: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/99.jpg)
Choosing roots of χ(X )
x
y
θ2 − θ1e iθ1
e iθ2
d = sin(θ2 − θ1) ∼ θ2 − θ1
(−1, 0) (1, 0)
(0,−1)
(0, 1)
Biasse (U of C) large degree fields October 2013 27 / 30
![Page 100: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/100.jpg)
Choosing roots of χ(X )
x
y
θ2 − θ1e iθ1
e iθ2
e iθ3 d = sin(θ2 − θ1) ∼ θ2 − θ1
(−1, 0) (1, 0)
(0,−1)
(0, 1)
Biasse (U of C) large degree fields October 2013 27 / 30
![Page 101: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/101.jpg)
Choosing roots of χ(X )
x
y
θ2 − θ1e iθ1
e iθ2
e iθ3
e iθ4
d = sin(θ2 − θ1) ∼ θ2 − θ1
(−1, 0) (1, 0)
(0,−1)
(0, 1)
Biasse (U of C) large degree fields October 2013 27 / 30
![Page 102: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/102.jpg)
Distribution of eigenangles
We study the case where g ∼ (log(q))δ for some δ > 0.
|e iθj − e iθk | < 1pε implies θj − θk → 0.
In this case, |e iθj − e iθk | ∼ |θj − θk | := Θ < 1pε .
If the (θj)j≤2g were equidistributed then we would have
P
(∀j , k , |e iθj − e iθk | ≥ 1
pε
)=∏l≤2g
(1− l ·Θ)→ 1.
Katz-Sarnak
The distribution of the eigenangles is “close” to uniform
limg→∞
limq→∞
(1
|Mg (Fq)|
) ∑C∈Mg (Fq)
discrep(µ(univ), µ(C/Fq)) = 0.
Biasse (U of C) large degree fields October 2013 28 / 30
![Page 103: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/103.jpg)
Distribution of eigenangles
We study the case where g ∼ (log(q))δ for some δ > 0.
|e iθj − e iθk | < 1pε implies θj − θk → 0.
In this case, |e iθj − e iθk | ∼ |θj − θk | := Θ < 1pε .
If the (θj)j≤2g were equidistributed then we would have
P
(∀j , k , |e iθj − e iθk | ≥ 1
pε
)=∏l≤2g
(1− l ·Θ)→ 1.
Katz-Sarnak
The distribution of the eigenangles is “close” to uniform
limg→∞
limq→∞
(1
|Mg (Fq)|
) ∑C∈Mg (Fq)
discrep(µ(univ), µ(C/Fq)) = 0.
Biasse (U of C) large degree fields October 2013 28 / 30
![Page 104: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/104.jpg)
Distribution of eigenangles
We study the case where g ∼ (log(q))δ for some δ > 0.
|e iθj − e iθk | < 1pε implies θj − θk → 0.
In this case, |e iθj − e iθk | ∼ |θj − θk | := Θ < 1pε .
If the (θj)j≤2g were equidistributed then we would have
P
(∀j , k , |e iθj − e iθk | ≥ 1
pε
)=∏l≤2g
(1− l ·Θ)→ 1.
Katz-Sarnak
The distribution of the eigenangles is “close” to uniform
limg→∞
limq→∞
(1
|Mg (Fq)|
) ∑C∈Mg (Fq)
discrep(µ(univ), µ(C/Fq)) = 0.
Biasse (U of C) large degree fields October 2013 28 / 30
![Page 105: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/105.jpg)
Computing the action of C(O)
Let V /Fq of dimension g and a polarized ideal (a, l) with N (a) = lg .
We represent V by a theta structure of level n.
We want to evaluate the action of a on the ismorphism class of V .
Computation of an (Z/lZ)g -isogeny
Let H be an isotropic subgroup of V isomorphic to (Z/lZ)g .
Evaluating φ with ker(φ) = H takes O(l3g+o(1)) operations in Fq.
Computing H boils down to computing the l-torsion.
1 Compute the zeta function ZA(T ) of A/Fq. Set L← {}2 Write #A(Fqlg−1−1) as mlk where l - m.
3 Let P = mO where O is a random point of A(Fqlg−1−1).
4 If P /∈ 〈L〉 ⊆ A[l ] then L← L ∪ P.
Biasse (U of C) large degree fields October 2013 29 / 30
![Page 106: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/106.jpg)
Computing the action of C(O)
Let V /Fq of dimension g and a polarized ideal (a, l) with N (a) = lg .
We represent V by a theta structure of level n.
We want to evaluate the action of a on the ismorphism class of V .
Computation of an (Z/lZ)g -isogeny
Let H be an isotropic subgroup of V isomorphic to (Z/lZ)g .
Evaluating φ with ker(φ) = H takes O(l3g+o(1)) operations in Fq.
Computing H boils down to computing the l-torsion.
1 Compute the zeta function ZA(T ) of A/Fq. Set L← {}2 Write #A(Fqlg−1−1) as mlk where l - m.
3 Let P = mO where O is a random point of A(Fqlg−1−1).
4 If P /∈ 〈L〉 ⊆ A[l ] then L← L ∪ P.
Biasse (U of C) large degree fields October 2013 29 / 30
![Page 107: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/107.jpg)
Computing the action of C(O)
Let V /Fq of dimension g and a polarized ideal (a, l) with N (a) = lg .
We represent V by a theta structure of level n.
We want to evaluate the action of a on the ismorphism class of V .
Computation of an (Z/lZ)g -isogeny
Let H be an isotropic subgroup of V isomorphic to (Z/lZ)g .
Evaluating φ with ker(φ) = H takes O(l3g+o(1)) operations in Fq.
Computing H boils down to computing the l-torsion.
1 Compute the zeta function ZA(T ) of A/Fq. Set L← {}2 Write #A(Fqlg−1−1) as mlk where l - m.
3 Let P = mO where O is a random point of A(Fqlg−1−1).
4 If P /∈ 〈L〉 ⊆ A[l ] then L← L ∪ P.
Biasse (U of C) large degree fields October 2013 29 / 30
![Page 108: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/108.jpg)
Subexponential relations in C(O)
We have g ∼ log(q)δ. Our goal is to find α, β < 1 such that
The factor base is B = {p | N (p) ≤ L∆(α, c + o(1))}.We can find and evaluate B-smooth relations in time L∆(β, d + o(1)).
were c , d > o and log |∆| = g2 log(q).
Cost of the evaluation
For N (p) = l , the evaluation of the action of p takes lO(g).
We want to adjust the trade-off between |B| and the expected time.
We have subexponential time when the conditions are satisfied
1− β ≥ δ ≥ 1− α− β.
β + 2α ≥ 1 and 2β + α ≥ 1.
β > δ or 2β + α = 1.
For example : α = β = 1/3 works for 13 ≤ δ ≤
23 .
Biasse (U of C) large degree fields October 2013 30 / 30
![Page 109: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/109.jpg)
Subexponential relations in C(O)
We have g ∼ log(q)δ. Our goal is to find α, β < 1 such that
The factor base is B = {p | N (p) ≤ L∆(α, c + o(1))}.We can find and evaluate B-smooth relations in time L∆(β, d + o(1)).
were c , d > o and log |∆| = g2 log(q).
Cost of the evaluation
For N (p) = l , the evaluation of the action of p takes lO(g).
We want to adjust the trade-off between |B| and the expected time.
We have subexponential time when the conditions are satisfied
1− β ≥ δ ≥ 1− α− β.
β + 2α ≥ 1 and 2β + α ≥ 1.
β > δ or 2β + α = 1.
For example : α = β = 1/3 works for 13 ≤ δ ≤
23 .
Biasse (U of C) large degree fields October 2013 30 / 30
![Page 110: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/110.jpg)
Subexponential relations in C(O)
We have g ∼ log(q)δ. Our goal is to find α, β < 1 such that
The factor base is B = {p | N (p) ≤ L∆(α, c + o(1))}.We can find and evaluate B-smooth relations in time L∆(β, d + o(1)).
were c , d > o and log |∆| = g2 log(q).
Cost of the evaluation
For N (p) = l , the evaluation of the action of p takes lO(g).
We want to adjust the trade-off between |B| and the expected time.
We have subexponential time when the conditions are satisfied
1− β ≥ δ ≥ 1− α− β.
β + 2α ≥ 1 and 2β + α ≥ 1.
β > δ or 2β + α = 1.
For example : α = β = 1/3 works for 13 ≤ δ ≤
23 .
Biasse (U of C) large degree fields October 2013 30 / 30
![Page 111: Class group and unit group computation for large degree ...iml.univ-mrs.fr/ati/geocrypt2013/slides/biasse1.pdf · Diophantine equations. The Pell equation For >0, solving x2 y2 =](https://reader035.fdocuments.us/reader035/viewer/2022070806/5f0400977e708231d40bd53c/html5/thumbnails/111.jpg)
Conclusion
Thank you for your attention.
Biasse (U of C) large degree fields October 2013 30 / 30