TU Darmstadt / ULB / TUbiblio

Recovering Short Generators of Principal Fractional Ideals in Cyclotomic Fields of Conductor p^\alpha q^\beta

Holzer, Patrick :
Recovering Short Generators of Principal Fractional Ideals in Cyclotomic Fields of Conductor p^\alpha q^\beta.
[Online-Edition: http://tuprints.ulb.tu-darmstadt.de/6155]
Technische Universität , Darmstadt
[Masterarbeit], (2017)

Offizielle URL: http://tuprints.ulb.tu-darmstadt.de/6155

Kurzbeschreibung (Abstract)

Some recent cryptographic schemes rely on the hardness of finding a shortest generator of a principal (fractional) ideal in an algebraic number field $K$ in the logarithmic embedding with some guaranteed small generator, given some $\mathbb{Z}$-basis of the principal ideal. This problem can be split into two parts. First, recover some arbitrary generator of the ideal, which is known as the principal ideal problem (PIP). Second, transform this generator into some shortest generator.

The first part is known to be solvable in polynomial time on quantum computers for cyclotomic fields of prime-power conductor and for arbitrary number fields under the generalized Riemann hypothesis, see Campbell, Biasse et al. The second part is known to be solvable in polynomial time on classical computers for cyclotomic number fields of prime-power conductor, see Cramer, Ducert Peikert and Regev.

In this work we entirely focus on the second task and extend the work of Cramer, Ducas, Peikert and Regev to cyclotomic fields $K=\Q(\xi_m)$ of conductor $m=p^\alpha q^\beta$, where $p,q$ are distinct odd primes. Their algorithmic approach mainly relies on the fact that there is a well suited basis of the group of cyclotomic units which are a subgroup of $\OK^\times=\mathbb{Z}[\xi_m]^\times$ with small enough finite index. We consider the group generated by these elements in the case that $m=p^\alpha q^\beta$ and introduce a new notion for odd prime pairs $(p,q)$, named generator prime pairs, which provides a criterion to check whether the index of this subgroup in $\OK^\times$ is finite or not. We prove, that this basis is well suited to recover some shortest generator of a principal ideal in quantum polynomial time in the finite case, i.e., if $m=p^\alpha q^\beta$ for some generator prime pair $(p,q)$ with sufficiently large $\alpha,\beta \in \mathbb{n}$ with bounded distance.

Further, we consider the approximate ideal shortest vector problem in cyclotomic fields $\Q(\xi_m)$, where the task is to find short elements in arbitrary ideals $\mathfrak{a}$ in $\OK$ in the Minkowski embedding. In our second main contribution, we generalize the results of Cramer and argue, that one can efficiently solve the ideal shortest vector problem with an approximation factor $\exp(O(\sqrt{m}))$ in cyclotomic fields of conductor $m=p^\alpha q^\beta$ on quantum computers, if $(p,q)$ is an $(\alpha,\beta)$-generator prime pair.

Typ des Eintrags: Masterarbeit
Erschienen: 2017
Autor(en): Holzer, Patrick
Titel: Recovering Short Generators of Principal Fractional Ideals in Cyclotomic Fields of Conductor p^\alpha q^\beta
Sprache: Englisch
Kurzbeschreibung (Abstract):

Some recent cryptographic schemes rely on the hardness of finding a shortest generator of a principal (fractional) ideal in an algebraic number field $K$ in the logarithmic embedding with some guaranteed small generator, given some $\mathbb{Z}$-basis of the principal ideal. This problem can be split into two parts. First, recover some arbitrary generator of the ideal, which is known as the principal ideal problem (PIP). Second, transform this generator into some shortest generator.

The first part is known to be solvable in polynomial time on quantum computers for cyclotomic fields of prime-power conductor and for arbitrary number fields under the generalized Riemann hypothesis, see Campbell, Biasse et al. The second part is known to be solvable in polynomial time on classical computers for cyclotomic number fields of prime-power conductor, see Cramer, Ducert Peikert and Regev.

In this work we entirely focus on the second task and extend the work of Cramer, Ducas, Peikert and Regev to cyclotomic fields $K=\Q(\xi_m)$ of conductor $m=p^\alpha q^\beta$, where $p,q$ are distinct odd primes. Their algorithmic approach mainly relies on the fact that there is a well suited basis of the group of cyclotomic units which are a subgroup of $\OK^\times=\mathbb{Z}[\xi_m]^\times$ with small enough finite index. We consider the group generated by these elements in the case that $m=p^\alpha q^\beta$ and introduce a new notion for odd prime pairs $(p,q)$, named generator prime pairs, which provides a criterion to check whether the index of this subgroup in $\OK^\times$ is finite or not. We prove, that this basis is well suited to recover some shortest generator of a principal ideal in quantum polynomial time in the finite case, i.e., if $m=p^\alpha q^\beta$ for some generator prime pair $(p,q)$ with sufficiently large $\alpha,\beta \in \mathbb{n}$ with bounded distance.

Further, we consider the approximate ideal shortest vector problem in cyclotomic fields $\Q(\xi_m)$, where the task is to find short elements in arbitrary ideals $\mathfrak{a}$ in $\OK$ in the Minkowski embedding. In our second main contribution, we generalize the results of Cramer and argue, that one can efficiently solve the ideal shortest vector problem with an approximation factor $\exp(O(\sqrt{m}))$ in cyclotomic fields of conductor $m=p^\alpha q^\beta$ on quantum computers, if $(p,q)$ is an $(\alpha,\beta)$-generator prime pair.

Ort: Darmstadt
Fachbereich(e)/-gebiet(e): 04 Fachbereich Mathematik > Algebra
04 Fachbereich Mathematik > Algebra > Automorphe Formen, Zahlentheorie, Algebraische Geometrie
Hinterlegungsdatum: 23 Apr 2017 19:55
Offizielle URL: http://tuprints.ulb.tu-darmstadt.de/6155
URN: urn:nbn:de:tuda-tuprints-61555
Gutachter / Prüfer: Buchmann, Prof. Dr. Johannes ; Wunderer, Thomas
Datum der Begutachtung bzw. der mündlichen Prüfung / Verteidigung / mdl. Prüfung: März 2017
Export:

Optionen (nur für Redakteure)

Eintrag anzeigen Eintrag anzeigen