Algorithms for ray class groups and Hilbert class fields

Transcription

1 (Quantum) Algorithms for ray class groups and Hilbert class fields Sean Hallgren joint with Kirsten Eisentraeger Penn State 1

2 Quantum Algorithms Quantum algorithms for number theoretic problems: Factoring Pell s equation Number fields Unit group Class group Principal ideal problem Goal: compute extensions of number fields 2

3 Number Field Applications Number fields: Q(θ) Number field sieve Buchmann-Williams key-exchange Towers of number fields: Q(θ 1 ) Q(θ 2 ) Q(θ 3 ) Lattice-based crypto Error correcting codes 3

4 n 1 0) Q(θ) ={ 1) 2) 3) Q Q(ω p ) Q( d) Number Field Examples i=0 a p 2 ω p 2 p + + a 1 ω p + a 0 a i Q degree p 1 d Z >0 α = a + b d a i θ i : a i Q} ω p = e 2πi/p p 1 i=0 ω i p =0 θ algebraic x p 1 = 0 αα =(a + b d)(a b d)=a 2 b 2 d 4 4

5 Q(ω p, ω q ) Q(ω p ) Computing Extensions Q(θ 1, ω p ) Q(ω p ) Q(θ 1 ) where p 1 >n Output: Q(θ 2 ) Input: Q(θ 1 ) Hilbert class field of Q(θ 1 ) Maximal abelian unramified extension Q(θ 2 ) Abelian: Galios group of Q(θ 2 )/Q(θ 1 ) Unramified: p O = Π q q e q e q =0, 1 q Q(θ 1 ) p plus real embeddings... 5

6 Algorithms Theorem 1: Computing the Hilbert class field (a degree 2 subextension) reduces to Computing: 1) unit group 2) class group 3) factoring ideals 4) computing discrete logs in finite fields Theorem 2: computing the ray class group Reductions are efficient: poly(log( )) reduces to Computing: 1) unit group 2) class group 3) principal ideal problem 4) factoring m 5) computing discrete logs in finite fields 6

7 Motivation: Some background on lattice and crypto 7

8 Quantum and Crypto Quantum can break: RSA Diffie-Hellman Elliptic curve crypto Buchmann-Williams key-exchange Some algebraically homomorphic encr Secure against quantum (so far): Lattice-based crypto McEliece MRV proposal based on Hidden Subgroup 8 8

9 Lattice Based Crypto RSA has average-case assumption breaking RSA factoring Lattices can provide stronger security: worst case lattice problem breaking cryptosystem Three directions in lattice-based crypto: Improve worst-case assumption Make more efficient Build more primitives Use special lattices 9 9

10 Lattices Given b 1,..., b n R n { } L = ai b i : a i Z b 1 b 1 b 2 b 2 Infinite number of bases for a lattice 10 10

11 Shortest Vector Problem (SVP) Given b 1,..., b n R n { } L = ai b i : a i Z Compute the shortest vector b 2 b

12 Approximate-SVP Complexity b 1 b 2 γ = const NP-Hard γ = poly(n) Crypto 12 γ =2 n LLL 12

13 One-Way Functions from Cyclic Lattices Hash function: rnd A Z n m q Simple, but inefficient in practice One-way function: circulant matrix A = f(y) =Ay mod q A Z n m q a 1 a 2 a 3 z 1 z 2 z 3 a 2 a 3 a 1... z 2 z 3 z 1 a 3 a 1 a 2 z 3 z 1 z 2 Worst-case assumption approx-svp for cyclic lattices, and only for one-way Hash function: ideal lattices from Z[x]/ f(x) Worst-case assumption is for ideal lattices

14 Variations Goals: Improve efficiency Want to compete with RSA Reduce approximation factor γ Something between constant and 2 n Change the worst-case assumption Use special lattices: unique shortest vector ideal lattices 14 14

15 Recent Lattice Work Ajtai/Dwork97 Assume unique-svp hard Regev05: based on SVP but the reduction is quantum Assume no quantum alg for SVP Peikert08: based on SVP Ideal lattices: Micciancio02: more efficient hash function Peikert/Rosen07: improve connection factor from poly(n) to log(n) Assume SVP hard in ideal lattices 15 15

16 Special Lattices: Ideal Lattices Number field Q( d) a + b d Ring of integers Z[ d ] (1, 1) Ideals I 1 I 2 I 3 Ideals map to sublattices ( d, d) 16 16

17 Ideal Lattices and Number Fields Q(θ 1 ) L 1,L 2,L 3,... deg = dim worst-case to average-case reduction (Peikert/Rosen) Q(ω 5 ) L 1 = { a i b i : a i Z} Embeddings: 1, (ω 5 ) 1, (ω 5 ) 2, (ω 5 ) 3 1, (ω5) 2 1, (ω5) 2 2, (ω5) 2 3 b 1 = (1, 1, 1, 1) b 2 =(ω5, 1 ω5, 2 ω5, 3 ω5) 4 b 3 =(ω5, 2 ω5, 4 ω5, 1 ω5) 3 b 4 =(ω5, 3 ω5, 1 ω5, 4 ω5) 2 L 2,L 3,... Take all sublattices of L 1 17

18 Back to computing towers 18

19 Computing Number Field Towers Input: degree n Output: number field with bounded root discriminant 1/n Lattice-based crypto - Peikert/Rosen07 Connection factor 1.5/n log n degree n Error correcting codes - Guruswami, Lenstra Rate: R(C) = 1/n Q(θ 3 ) Q(θ 2 ) Q(θ 1 ) Existence using Hilbert class fields Q(θ 1 ) Q(θ 2 ) Q(θ 3 ) Goal: compute the number fields in the tower 19 19

20 Computing Number Fields from Towers Strategy: Start with a number field of small degree Iterate until degree is n: Compute the Hilbert class field Two good base fields: Q( ) Q( 30030) The extension depends on the class group. Degree is a problem in the running time

21 Number Field Problems Given number field: Ring of integers Q(θ) O 2) Class group = Ideals mod Principal ideals Ideals I 1 I 2 I 3 Compute: 1) Unit group = O Invertible elements of O 3) Principal ideal problem αo α Quantum algorithms for constant degree cases 21 21

22 Hilbert Class Field L of K Hilbert class field - maximal unramified abelian extension Constant root discriminant 1/n L K Described by class group of K Degree of L/K = size of class group of K 1) Could be trivial: no extension, L=K 2) Could be exponential size: can t write down 22 22

23 Computing Hilbert Class Fields Hilbert class field Size of class group Theorem 1: Efficient quantum algorithm for degree two extensions in the Hilbert class field (Still has constant root discriminant) 23 23

24 Computing Hilbert Class Fields Ingredients: Change to compact representations Virtual units The group (O/m)* Ideal factorization We show these efficiently reduce to unit group, class group, etc

25 Ideal Factorization Given I O compute I = p e 1 1 pe k k Algorithm: 1. Factor the norm N(I) =p e 1 1 pe k k 2. Compute the set of prime ideals above each prime integer p p p 1 p l 3. Compute valuations of each prime p We show steps 2 and 3 are efficient. 25

26 Computing Primes Above p: Easy Case K = Q(θ) Easy case: p [O K : Z[θ]] f = minimal polynomial of θ Factor f(x) =Π i f i (x) e i over F p The primes above: p p i = po K + f i (θ)o K 26

27 Computing Primes Above p: Hard Case p-radical: I p = {x O K : x m po K for some m Z + } Claim: I p = Π i p i product over primes above p p O K /I p = O K /p 1 O K /p k (CRT) Finites fields 1) Compute I p 2) Given distinct primes over p I = p 1 p 2 p k Compute p 1, p 2,..., p k 27

28 Computing Primes Above p: Hard Case 1) Computing I p = Π i p i Compute basis of F p I p /po K ker(x x q ) Compute the radical of O K /po K = I p /po K Compute I p Use generators of I p /po K and po K 28

29 Computing Primes Above p: Hard Case 2) Given distinct primes over I = p 1 p 2 p k Compute p 1, p 2,..., p k Compute an idempotent e O K /I Compute e(1 e) =e e 2 =0 O K /I H 1 = I + eo K e 0, 1 (1, 0) 2 = (1, 0) H 2 = I + (1 e)o K I = H 1 H 2 is a nontrivial factorization I 2 + ei + (1 e)i + e(1 e)o K I I ei + (1 e)i : eα + (1 e)α = α I 29

30 Summary Two basic objects in class field theory that also appear in apps in computer science. We gave efficient quantum algorithms for: 1. Degree two extensions in the Hilbert class field 2. The ray class group 30

31 Compute Towers? Goal: compute towers Compute larger subfields of Hilbert class fields Compute multiple steps in a tower Compute ray class field towers Theorem: Q. alg for the ray class group U ρ (O K /m) ψ Cl m φ Cl 1 31

32 Open Problem: Arbitrary Degree Hilbert class field iterations require class group computations (at least) Ideals SVP in ideal lattices must be solved Use superpositions to bypass this? Rework definitions so SVP not necessary? 32 32

33 Open Problem Quantum algorithm for SVP in ideal lattices? Two extra features: For constant root discriminant, the length of the shortest vector can be efficiently approximated. The lattice is also an ideal: closed under multiplication. b 1 b 2 γ = const γ = poly(n) γ =2 n 33 33

34 Main Problems Input: Q( d) O Unit group Principal ideal problem I 1 I 2 I 3 Shortest lattice vector Ray Class group Hilbert/Ray Class Field Tower b 2 b