Algorithms for ray class groups and Hilbert class fields
|
|
- Melinda Alexander
- 5 years ago
- Views:
Transcription
1 (Quantum) Algorithms for ray class groups and Hilbert class fields Sean Hallgren joint with Kirsten Eisentraeger Penn State 1
2 Quantum Algorithms Quantum algorithms for number theoretic problems: Factoring Pell s equation Number fields Unit group Class group Principal ideal problem Goal: compute extensions of number fields 2
3 Number Field Applications Number fields: Q(θ) Number field sieve Buchmann-Williams key-exchange Towers of number fields: Q(θ 1 ) Q(θ 2 ) Q(θ 3 ) Lattice-based crypto Error correcting codes 3
4 n 1 0) Q(θ) ={ 1) 2) 3) Q Q(ω p ) Q( d) Number Field Examples i=0 a p 2 ω p 2 p + + a 1 ω p + a 0 a i Q degree p 1 d Z >0 α = a + b d a i θ i : a i Q} ω p = e 2πi/p p 1 i=0 ω i p =0 θ algebraic x p 1 = 0 αα =(a + b d)(a b d)=a 2 b 2 d 4 4
5 Q(ω p, ω q ) Q(ω p ) Computing Extensions Q(θ 1, ω p ) Q(ω p ) Q(θ 1 ) where p 1 >n Output: Q(θ 2 ) Input: Q(θ 1 ) Hilbert class field of Q(θ 1 ) Maximal abelian unramified extension Q(θ 2 ) Abelian: Galios group of Q(θ 2 )/Q(θ 1 ) Unramified: p O = Π q q e q e q =0, 1 q Q(θ 1 ) p plus real embeddings... 5
6 Algorithms Theorem 1: Computing the Hilbert class field (a degree 2 subextension) reduces to Computing: 1) unit group 2) class group 3) factoring ideals 4) computing discrete logs in finite fields Theorem 2: computing the ray class group Reductions are efficient: poly(log( )) reduces to Computing: 1) unit group 2) class group 3) principal ideal problem 4) factoring m 5) computing discrete logs in finite fields 6
7 Motivation: Some background on lattice and crypto 7
8 Quantum and Crypto Quantum can break: RSA Diffie-Hellman Elliptic curve crypto Buchmann-Williams key-exchange Some algebraically homomorphic encr Secure against quantum (so far): Lattice-based crypto McEliece MRV proposal based on Hidden Subgroup 8 8
9 Lattice Based Crypto RSA has average-case assumption breaking RSA factoring Lattices can provide stronger security: worst case lattice problem breaking cryptosystem Three directions in lattice-based crypto: Improve worst-case assumption Make more efficient Build more primitives Use special lattices 9 9
10 Lattices Given b 1,..., b n R n { } L = ai b i : a i Z b 1 b 1 b 2 b 2 Infinite number of bases for a lattice 10 10
11 Shortest Vector Problem (SVP) Given b 1,..., b n R n { } L = ai b i : a i Z Compute the shortest vector b 2 b
12 Approximate-SVP Complexity b 1 b 2 γ = const NP-Hard γ = poly(n) Crypto 12 γ =2 n LLL 12
13 One-Way Functions from Cyclic Lattices Hash function: rnd A Z n m q Simple, but inefficient in practice One-way function: circulant matrix A = f(y) =Ay mod q A Z n m q a 1 a 2 a 3 z 1 z 2 z 3 a 2 a 3 a 1... z 2 z 3 z 1 a 3 a 1 a 2 z 3 z 1 z 2 Worst-case assumption approx-svp for cyclic lattices, and only for one-way Hash function: ideal lattices from Z[x]/ f(x) Worst-case assumption is for ideal lattices
14 Variations Goals: Improve efficiency Want to compete with RSA Reduce approximation factor γ Something between constant and 2 n Change the worst-case assumption Use special lattices: unique shortest vector ideal lattices 14 14
15 Recent Lattice Work Ajtai/Dwork97 Assume unique-svp hard Regev05: based on SVP but the reduction is quantum Assume no quantum alg for SVP Peikert08: based on SVP Ideal lattices: Micciancio02: more efficient hash function Peikert/Rosen07: improve connection factor from poly(n) to log(n) Assume SVP hard in ideal lattices 15 15
16 Special Lattices: Ideal Lattices Number field Q( d) a + b d Ring of integers Z[ d ] (1, 1) Ideals I 1 I 2 I 3 Ideals map to sublattices ( d, d) 16 16
17 Ideal Lattices and Number Fields Q(θ 1 ) L 1,L 2,L 3,... deg = dim worst-case to average-case reduction (Peikert/Rosen) Q(ω 5 ) L 1 = { a i b i : a i Z} Embeddings: 1, (ω 5 ) 1, (ω 5 ) 2, (ω 5 ) 3 1, (ω5) 2 1, (ω5) 2 2, (ω5) 2 3 b 1 = (1, 1, 1, 1) b 2 =(ω5, 1 ω5, 2 ω5, 3 ω5) 4 b 3 =(ω5, 2 ω5, 4 ω5, 1 ω5) 3 b 4 =(ω5, 3 ω5, 1 ω5, 4 ω5) 2 L 2,L 3,... Take all sublattices of L 1 17
18 Back to computing towers 18
19 Computing Number Field Towers Input: degree n Output: number field with bounded root discriminant 1/n Lattice-based crypto - Peikert/Rosen07 Connection factor 1.5/n log n degree n Error correcting codes - Guruswami, Lenstra Rate: R(C) = 1/n Q(θ 3 ) Q(θ 2 ) Q(θ 1 ) Existence using Hilbert class fields Q(θ 1 ) Q(θ 2 ) Q(θ 3 ) Goal: compute the number fields in the tower 19 19
20 Computing Number Fields from Towers Strategy: Start with a number field of small degree Iterate until degree is n: Compute the Hilbert class field Two good base fields: Q( ) Q( 30030) The extension depends on the class group. Degree is a problem in the running time
21 Number Field Problems Given number field: Ring of integers Q(θ) O 2) Class group = Ideals mod Principal ideals Ideals I 1 I 2 I 3 Compute: 1) Unit group = O Invertible elements of O 3) Principal ideal problem αo α Quantum algorithms for constant degree cases 21 21
22 Hilbert Class Field L of K Hilbert class field - maximal unramified abelian extension Constant root discriminant 1/n L K Described by class group of K Degree of L/K = size of class group of K 1) Could be trivial: no extension, L=K 2) Could be exponential size: can t write down 22 22
23 Computing Hilbert Class Fields Hilbert class field Size of class group Theorem 1: Efficient quantum algorithm for degree two extensions in the Hilbert class field (Still has constant root discriminant) 23 23
24 Computing Hilbert Class Fields Ingredients: Change to compact representations Virtual units The group (O/m)* Ideal factorization We show these efficiently reduce to unit group, class group, etc
25 Ideal Factorization Given I O compute I = p e 1 1 pe k k Algorithm: 1. Factor the norm N(I) =p e 1 1 pe k k 2. Compute the set of prime ideals above each prime integer p p p 1 p l 3. Compute valuations of each prime p We show steps 2 and 3 are efficient. 25
26 Computing Primes Above p: Easy Case K = Q(θ) Easy case: p [O K : Z[θ]] f = minimal polynomial of θ Factor f(x) =Π i f i (x) e i over F p The primes above: p p i = po K + f i (θ)o K 26
27 Computing Primes Above p: Hard Case p-radical: I p = {x O K : x m po K for some m Z + } Claim: I p = Π i p i product over primes above p p O K /I p = O K /p 1 O K /p k (CRT) Finites fields 1) Compute I p 2) Given distinct primes over p I = p 1 p 2 p k Compute p 1, p 2,..., p k 27
28 Computing Primes Above p: Hard Case 1) Computing I p = Π i p i Compute basis of F p I p /po K ker(x x q ) Compute the radical of O K /po K = I p /po K Compute I p Use generators of I p /po K and po K 28
29 Computing Primes Above p: Hard Case 2) Given distinct primes over I = p 1 p 2 p k Compute p 1, p 2,..., p k Compute an idempotent e O K /I Compute e(1 e) =e e 2 =0 O K /I H 1 = I + eo K e 0, 1 (1, 0) 2 = (1, 0) H 2 = I + (1 e)o K I = H 1 H 2 is a nontrivial factorization I 2 + ei + (1 e)i + e(1 e)o K I I ei + (1 e)i : eα + (1 e)α = α I 29
30 Summary Two basic objects in class field theory that also appear in apps in computer science. We gave efficient quantum algorithms for: 1. Degree two extensions in the Hilbert class field 2. The ray class group 30
31 Compute Towers? Goal: compute towers Compute larger subfields of Hilbert class fields Compute multiple steps in a tower Compute ray class field towers Theorem: Q. alg for the ray class group U ρ (O K /m) ψ Cl m φ Cl 1 31
32 Open Problem: Arbitrary Degree Hilbert class field iterations require class group computations (at least) Ideals SVP in ideal lattices must be solved Use superpositions to bypass this? Rework definitions so SVP not necessary? 32 32
33 Open Problem Quantum algorithm for SVP in ideal lattices? Two extra features: For constant root discriminant, the length of the shortest vector can be efficiently approximated. The lattice is also an ideal: closed under multiplication. b 1 b 2 γ = const γ = poly(n) γ =2 n 33 33
34 Main Problems Input: Q( d) O Unit group Principal ideal problem I 1 I 2 I 3 Shortest lattice vector Ray Class group Hilbert/Ray Class Field Tower b 2 b
Post-Quantum Cryptography
Post-Quantum Cryptography Sebastian Schmittner Institute for Theoretical Physics University of Cologne 2015-10-26 Talk @ U23 @ CCC Cologne This work is licensed under a Creative Commons Attribution-ShareAlike
More informationCentrum Wiskunde & Informatica, Amsterdam, The Netherlands
Logarithmic Lattices Léo Ducas Centrum Wiskunde & Informatica, Amsterdam, The Netherlands Workshop: Computational Challenges in the Theory of Lattices ICERM, Brown University, Providence, RI, USA, April
More informationThe quantum threat to cryptography
The quantum threat to cryptography Ashley Montanaro School of Mathematics, University of Bristol 20 October 2016 Quantum computers University of Bristol IBM UCSB / Google University of Oxford Experimental
More informationFinding Short Generators of Ideals, and Implications for Cryptography. Chris Peikert University of Michigan
Finding Short Generators of Ideals, and Implications for Cryptography Chris Peikert University of Michigan ANTS XII 29 August 2016 Based on work with Ronald Cramer, Léo Ducas, and Oded Regev 1 / 20 Lattice-Based
More informationPrime Decomposition. Adam Gamzon. 1 Introduction
Prime Decomposition Adam Gamzon 1 Introduction Let K be a number field, let O K be its ring of integers, and let p Z be a prime. Since every prime of O K lies over a prime in Z, understanding how primes
More informationLattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors
1 / 15 Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors Chris Peikert 1 Alon Rosen 2 1 SRI International 2 Harvard SEAS IDC Herzliya STOC 2007 2 / 15 Worst-case versus average-case
More informationIdeal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015
Ideal Lattices and Ring-LWE: Overview and Open Problems Chris Peikert Georgia Institute of Technology ICERM 23 April 2015 1 / 16 Agenda 1 Ring-LWE and its hardness from ideal lattices 2 Open questions
More informationPage Points Possible Points. Total 200
Instructions: 1. The point value of each exercise occurs adjacent to the problem. 2. No books or notes or calculators are allowed. Page Points Possible Points 2 20 3 20 4 18 5 18 6 24 7 18 8 24 9 20 10
More informationLattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016
Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1 Foundations: lattice problems, SIS/LWE and their applications 2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal
More informationShort Stickelberger Class Relations and application to Ideal-SVP
Short Stickelberger Class Relations and application to Ideal-SVP Ronald Cramer Léo Ducas Benjamin Wesolowski Leiden University, The Netherlands CWI, Amsterdam, The Netherlands EPFL, Lausanne, Switzerland
More informationRecovering Short Generators of Principal Ideals: Extensions and Open Problems
Recovering Short Generators of Principal Ideals: Extensions and Open Problems Chris Peikert University of Michigan and Georgia Tech 2 September 2015 Math of Crypto @ UC Irvine 1 / 7 Where We Left Off Short
More informationShort generators without quantum computers: the case of multiquadratics
Short generators without quantum computers: the case of multiquadratics Daniel J. Bernstein University of Illinois at Chicago 31 July 2017 https://multiquad.cr.yp.to Joint work with: Jens Bauch & Henry
More informationSome algebraic number theory and the reciprocity map
Some algebraic number theory and the reciprocity map Ervin Thiagalingam September 28, 2015 Motivation In Weinstein s paper, the main problem is to find a rule (reciprocity law) for when an irreducible
More informationShort generators without quantum computers: the case of multiquadratics
Short generators without quantum computers: the case of multiquadratics Daniel J. Bernstein & Christine van Vredendaal University of Illinois at Chicago Technische Universiteit Eindhoven 19 January 2017
More informationOn error distributions in ring-based LWE
On error distributions in ring-based LWE Wouter Castryck 1,2, Ilia Iliashenko 1, Frederik Vercauteren 1,3 1 COSIC, KU Leuven 2 Ghent University 3 Open Security Research ANTS-XII, Kaiserslautern, August
More informationMcEliece and Niederreiter Cryptosystems That Resist Quantum Fourier Sampling Attacks
McEliece and Niederreiter Cryptosystems That Resist Quantum Fourier Sampling Attacks Hang Dinh Indiana Uniersity South Bend joint work with Cristopher Moore Uniersity of New Mexico Alexander Russell Uniersity
More informationRecovering Short Generators of Principal Ideals in Cyclotomic Rings
Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer, Léo Ducas, Chris Peikert, Oded Regev 9 July 205 Simons Institute Workshop on Math of Modern Crypto / 5 Short Generators
More informationFrom the shortest vector problem to the dihedral hidden subgroup problem
From the shortest vector problem to the dihedral hidden subgroup problem Curtis Bright University of Waterloo December 8, 2011 1 / 19 Reduction Roughly, problem A reduces to problem B means there is a
More informationLattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors
Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors Chris Peikert Alon Rosen November 26, 2006 Abstract We demonstrate an average-case problem which is as hard as finding γ(n)-approximate
More informationElliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.
Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem. Elisa Lorenzo García Université de Rennes 1 14-09-2017 Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 1 /
More informationFrom the Shortest Vector Problem to the Dihedral Hidden Subgroup Problem
From the Shortest Vector Problem to the Dihedral Hidden Subgroup Problem Curtis Bright December 9, 011 Abstract In Quantum Computation and Lattice Problems [11] Oded Regev presented the first known connection
More informationConstructing genus 2 curves over finite fields
Constructing genus 2 curves over finite fields Kirsten Eisenträger The Pennsylvania State University Fq12, Saratoga Springs July 15, 2015 1 / 34 Curves and cryptography RSA: most widely used public key
More informationAlgebra Exam, Spring 2017
Algebra Exam, Spring 2017 There are 5 problems, some with several parts. Easier parts count for less than harder ones, but each part counts. Each part may be assumed in later parts and problems. Unjustified
More informationQuantum-resistant cryptography
Quantum-resistant cryptography Background: In quantum computers, states are represented as vectors in a Hilbert space. Quantum gates act on the space and allow us to manipulate quantum states with combination
More informationGalois theory (Part II)( ) Example Sheet 1
Galois theory (Part II)(2015 2016) Example Sheet 1 c.birkar@dpmms.cam.ac.uk (1) Find the minimal polynomial of 2 + 3 over Q. (2) Let K L be a finite field extension such that [L : K] is prime. Show that
More informationClassical hardness of the Learning with Errors problem
Classical hardness of the Learning with Errors problem Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé August 12, 2013 Adeline Langlois Hardness
More informationShort generators without quantum computers: the case of multiquadratics
Short generators without quantum computers: the case of multiquadratics Christine van Vredendaal Technische Universiteit Eindhoven 1 May 2017 Joint work with: Jens Bauch & Daniel J. Bernstein & Henry de
More informationLecture 15: The Hidden Subgroup Problem
CS 880: Quantum Information Processing 10/7/2010 Lecture 15: The Hidden Subgroup Problem Instructor: Dieter van Melkebeek Scribe: Hesam Dashti The Hidden Subgroup Problem is a particular type of symmetry
More information1. a) Let ω = e 2πi/p with p an odd prime. Use that disc(ω p ) = ( 1) p 1
Number Theory Mat 6617 Homework Due October 15, 018 To get full credit solve of the following 7 problems (you are welcome to attempt them all) The answers may be submitted in English or French 1 a) Let
More informationWeaknesses in Ring-LWE
Weaknesses in Ring-LWE joint with (Yara Elias, Kristin E. Lauter, and Ekin Ozman) and (Hao Chen and Kristin E. Lauter) ECC, September 29th, 2015 Lattice-Based Cryptography Post-quantum cryptography Ajtai-Dwork:
More informationBackground: Lattices and the Learning-with-Errors problem
Background: Lattices and the Learning-with-Errors problem China Summer School on Lattices and Cryptography, June 2014 Starting Point: Linear Equations Easy to solve a linear system of equations A s = b
More informationQuantum algorithms (CO 781, Winter 2008) Prof. Andrew Childs, University of Waterloo LECTURE 6: Quantum query complexity of the HSP
Quantum algorithms (CO 78, Winter 2008) Prof. Andrew Childs, University of Waterloo LECTURE 6: Quantum query complexity of the HSP So far, we have considered the hidden subgroup problem in abelian groups.
More informationALGEBRA EXERCISES, PhD EXAMINATION LEVEL
ALGEBRA EXERCISES, PhD EXAMINATION LEVEL 1. Suppose that G is a finite group. (a) Prove that if G is nilpotent, and H is any proper subgroup, then H is a proper subgroup of its normalizer. (b) Use (a)
More informationAlgebra Qualifying Exam, Fall 2018
Algebra Qualifying Exam, Fall 2018 Name: Student ID: Instructions: Show all work clearly and in order. Use full sentences in your proofs and solutions. All answers count. In this exam, you may use the
More informationRecovering Short Generators of Principal Ideals in Cyclotomic Rings
Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer Chris Peikert Léo Ducas Oded Regev University of Leiden, The Netherlands CWI, Amsterdam, The Netherlands University of
More informationIsogenies in a quantum world
Isogenies in a quantum world David Jao University of Waterloo September 19, 2011 Summary of main results A. Childs, D. Jao, and V. Soukharev, arxiv:1012.4019 For ordinary isogenous elliptic curves of equal
More informationFactoring integers with a quantum computer
Factoring integers with a quantum computer Andrew Childs Department of Combinatorics and Optimization and Institute for Quantum Computing University of Waterloo Eighth Canadian Summer School on Quantum
More informationImaginary Quadratic Fields With Isomorphic Abelian Galois Groups
Imaginary Quadratic Fields With Isomorphic Abelian Galois Groups Universiteit Leiden, Université Bordeaux 1 July 12, 2012 - UCSD - X - a Question Let K be a number field and G K = Gal(K/K) the absolute
More informationMath/Mthe 418/818. Review Questions
Math/Mthe 418/818 Review Questions 1. Show that the number N of bit operations required to compute the product mn of two integers m, n > 1 satisfies N = O(log(m) log(n)). 2. Can φ(n) be computed in polynomial
More informationAlgebraic number theory Revision exercises
Algebraic number theory Revision exercises Nicolas Mascot (n.a.v.mascot@warwick.ac.uk) Aurel Page (a.r.page@warwick.ac.uk) TA: Pedro Lemos (lemos.pj@gmail.com) Version: March 2, 20 Exercise. What is the
More informationGraduate Preliminary Examination
Graduate Preliminary Examination Algebra II 18.2.2005: 3 hours Problem 1. Prove or give a counter-example to the following statement: If M/L and L/K are algebraic extensions of fields, then M/K is algebraic.
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé Adeline Langlois Classical Hardness of LWE 1/ 13 Our
More informationConstructing Class invariants
Constructing Class invariants Aristides Kontogeorgis Department of Mathematics University of Athens. Workshop Thales 1-3 July 2015 :Algebraic modeling of topological and computational structures and applications,
More informationLattice-Based Cryptography
Liljana Babinkostova Department of Mathematics Computing Colloquium Series Detecting Sensor-hijack Attacks in Wearable Medical Systems Krishna Venkatasubramanian Worcester Polytechnic Institute Quantum
More informationGalois Theory, summary
Galois Theory, summary Chapter 11 11.1. UFD, definition. Any two elements have gcd 11.2 PID. Every PID is a UFD. There are UFD s which are not PID s (example F [x, y]). 11.3 ED. Every ED is a PID (and
More informationNotes for Lecture 15
COS 533: Advanced Cryptography Lecture 15 (November 8, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Kevin Liu Notes for Lecture 15 1 Lattices A lattice looks something like the following.
More informationCOMPUTING THE UNIT GROUP, CLASS GROUP AND COMPACT REPRESENTATIONS IN ALGEBRAIC FUNCTION FIELDS
COMPUTING THE UNIT GROUP, CLASS GROUP AND COMPACT REPRESENTATIONS IN ALGEBRAIC FUNCTION FIELDS KIRSTEN EISENTRÄGER AND SEAN HALLGREN Abstract. Number fields and global function fields have many similar
More informationQuantum Computing Lecture Notes, Extra Chapter. Hidden Subgroup Problem
Quantum Computing Lecture Notes, Extra Chapter Hidden Subgroup Problem Ronald de Wolf 1 Hidden Subgroup Problem 1.1 Group theory reminder A group G consists of a set of elements (which is usually denoted
More informationOpen problems in lattice-based cryptography
University of Auckland, New Zealand Plan Goal: Highlight some hot topics in cryptography, and good targets for mathematical cryptanalysis. Approximate GCD Homomorphic encryption NTRU and Ring-LWE Multi-linear
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Zvika Brakerski 1 Adeline Langlois 2 Chris Peikert 3 Oded Regev 4 Damien Stehlé 2 1 Stanford University 2 ENS de Lyon 3 Georgia Tech 4 New York University Our
More informationx mv = 1, v v M K IxI v = 1,
18.785 Number Theory I Fall 2017 Problem Set #7 Description These problems are related to the material covered in Lectures 13 15. Your solutions are to be written up in latex (you can use the latex source
More informationCurves, Cryptography, and Primes of the Form x 2 + y 2 D
Curves, Cryptography, and Primes of the Form x + y D Juliana V. Belding Abstract An ongoing challenge in cryptography is to find groups in which the discrete log problem hard, or computationally infeasible.
More informationRing-SIS and Ideal Lattices
Ring-SIS and Ideal Lattices Noah Stephens-Davidowitz (for Vinod Vaikuntanathan s class) 1 Recalling h A, and its inefficiency As we have seen, the SIS problem yields a very simple collision-resistant hash
More informationLossy Trapdoor Functions and Their Applications
1 / 15 Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information
More informationSolving All Lattice Problems in Deterministic Single Exponential Time
Solving All Lattice Problems in Deterministic Single Exponential Time (Joint work with P. Voulgaris, STOC 2010) UCSD March 22, 2011 Lattices Traditional area of mathematics Bridge between number theory
More informationQuadratic reciprocity (after Weil) 1. Standard set-up and Poisson summation
(December 19, 010 Quadratic reciprocity (after Weil Paul Garrett garrett@math.umn.edu http://www.math.umn.edu/ garrett/ I show that over global fields k (characteristic not the quadratic norm residue symbol
More informationHallgren s Quantum Algorithm for Pell s Equation
Hallgren s Quantum Algorithm for Pell s Equation Pradeep Sarvepalli pradeep@cs.tamu.edu Department of Computer Science, Texas A&M University Quantum Algorithm for Pell s Equation p. /6 Outline Pell s equation
More informationp-adic fields Chapter 7
Chapter 7 p-adic fields In this chapter, we study completions of number fields, and their ramification (in particular in the Galois case). We then look at extensions of the p-adic numbers Q p and classify
More informationARITHMETIC IN PURE CUBIC FIELDS AFTER DEDEKIND.
ARITHMETIC IN PURE CUBIC FIELDS AFTER DEDEKIND. IAN KIMING We will study the rings of integers and the decomposition of primes in cubic number fields K of type K = Q( 3 d) where d Z. Cubic number fields
More informationNew Directions in Multivariate Public Key Cryptography
New Directions in Shuhong Gao Joint with Ray Heindl Clemson University The 4th International Workshop on Finite Fields and Applications Beijing University, May 28-30, 2010. 1 Public Key Cryptography in
More informationON THE HARDNESS OF COMPUTING ENDOMORPHISM RINGS OF SUPERSINGULAR ELLIPTIC CURVES
ON THE HARDNESS OF COMPUTING ENDOMORPHISM RINGS OF SUPERSINGULAR ELLIPTIC CURVES KIRSTEN EISENTRÄGER, SEAN HALLGREN, AND TRAVIS MORRISON Abstract. Cryptosystems based on supersingular isogenies have been
More informationFIELD THEORY. Contents
FIELD THEORY MATH 552 Contents 1. Algebraic Extensions 1 1.1. Finite and Algebraic Extensions 1 1.2. Algebraic Closure 5 1.3. Splitting Fields 7 1.4. Separable Extensions 8 1.5. Inseparable Extensions
More informationAn Efficient Lattice-based Secret Sharing Construction
An Efficient Lattice-based Secret Sharing Construction Rachid El Bansarkhani 1 and Mohammed Meziani 2 1 Technische Universität Darmstadt Fachbereich Informatik Kryptographie und Computeralgebra, Hochschulstraße
More informationM4. Lecture 3. THE LLL ALGORITHM AND COPPERSMITH S METHOD
M4. Lecture 3. THE LLL ALGORITHM AND COPPERSMITH S METHOD Ha Tran, Dung H. Duong, Khuong A. Nguyen. SEAMS summer school 2015 HCM University of Science 1 / 31 1 The LLL algorithm History Applications of
More informationClass Field Theory. Steven Charlton. 29th February 2012
Class Theory 29th February 2012 Introduction Motivating examples Definition of a binary quadratic form Fermat and the sum of two squares The Hilbert class field form x 2 + 23y 2 Motivating Examples p =
More informationMiddle-Product Learning With Errors
Middle-Product Learning With Errors Miruna Roşca, Amin Sakzad, Damien Stehlé and Ron Steinfeld CRYPTO 2017 Miruna Roşca Middle-Product Learning With Errors 23/08/2017 1 / 24 Preview We define an LWE variant
More informationHigh-speed cryptography, part 3: more cryptosystems. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven
High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Cryptographers Working systems Cryptanalytic algorithm designers
More informationPost-Quantum Cryptography & Privacy. Andreas Hülsing
Post-Quantum Cryptography & Privacy Andreas Hülsing Privacy? Too abstract? How to achieve privacy? Under the hood... Public-key crypto ECC RSA DSA Secret-key crypto AES SHA2 SHA1... Combination of both
More information9 Knapsack Cryptography
9 Knapsack Cryptography In the past four weeks, we ve discussed public-key encryption systems that depend on various problems that we believe to be hard: prime factorization, the discrete logarithm, and
More informationPseudorandomness of Ring-LWE for Any Ring and Modulus. Chris Peikert University of Michigan
Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert University of Michigan Oded Regev Noah Stephens-Davidowitz (to appear, STOC 17) 10 March 2017 1 / 14 Lattice-Based Cryptography y = g
More informationGauss Sieve on GPUs. Shang-Yi Yang 1, Po-Chun Kuo 1, Bo-Yin Yang 2, and Chen-Mou Cheng 1
Gauss Sieve on GPUs Shang-Yi Yang 1, Po-Chun Kuo 1, Bo-Yin Yang 2, and Chen-Mou Cheng 1 1 Department of Electrical Engineering, National Taiwan University, Taipei, Taiwan {ilway25,kbj,doug}@crypto.tw 2
More informationExplicit Methods in Algebraic Number Theory
Explicit Methods in Algebraic Number Theory Amalia Pizarro Madariaga Instituto de Matemáticas Universidad de Valparaíso, Chile amaliapizarro@uvcl 1 Lecture 1 11 Number fields and ring of integers Algebraic
More informationOn Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem. Vadim Lyubashevsky Daniele Micciancio
On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem Vadim Lyubashevsky Daniele Micciancio Lattices Lattice: A discrete additive subgroup of R n Lattices Basis: A set
More informationIdeal Lattices and NTRU
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin April 23-30, 2013 Ideal Lattices and NTRU Scribe: Kina Winoto 1 Algebraic Background (Reminders) Definition 1. A commutative
More informationORAL QUALIFYING EXAM QUESTIONS. 1. Algebra
ORAL QUALIFYING EXAM QUESTIONS JOHN VOIGHT Below are some questions that I have asked on oral qualifying exams (starting in fall 2015). 1.1. Core questions. 1. Algebra (1) Let R be a noetherian (commutative)
More informationHard Instances of Lattice Problems
Hard Instances of Lattice Problems Average Case - Worst Case Connections Christos Litsas 28 June 2012 Outline Abstract Lattices The Random Class Worst-Case - Average-Case Connection Abstract Christos Litsas
More informationSub-Linear Root Detection for Sparse Polynomials Over Finite Fields
1 / 27 Sub-Linear Root Detection for Sparse Polynomials Over Finite Fields Jingguo Bi Institute for Advanced Study Tsinghua University Beijing, China October, 2014 Vienna, Austria This is a joint work
More informationComputational algebraic number theory tackles lattice-based cryptography
Computational algebraic number theory tackles lattice-based cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Moving to the left Moving to the right
More informationPractice Algebra Qualifying Exam Solutions
Practice Algebra Qualifying Exam Solutions 1. Let A be an n n matrix with complex coefficients. Define tr A to be the sum of the diagonal elements. Show that tr A is invariant under conjugation, i.e.,
More informationSelected exercises from Abstract Algebra by Dummit and Foote (3rd edition).
Selected exercises from Abstract Algebra by Dummit and Foote (3rd edition). Bryan Félix Abril 12, 2017 Section 14.2 Exercise 3. Determine the Galois group of (x 2 2)(x 2 3)(x 2 5). Determine all the subfields
More informationCLASS FIELD THEORY NOTES
CLASS FIELD THEORY NOTES YIWANG CHEN Abstract. This is the note for Class field theory taught by Professor Jeff Lagarias. Contents 1. Day 1 1 1.1. Class Field Theory 1 1.2. ABC conjecture 1 1.3. History
More informationOn Ideal Lattices and Learning with Errors Over Rings
On Ideal Lattices and Learning with Errors Over Rings Vadim Lyubashevsky, Chris Peikert, and Oded Regev Abstract. The learning with errors (LWE) problem is to distinguish random linear equations, which
More informationName: Solutions Final Exam
Instructions. Answer each of the questions on your own paper, and be sure to show your work so that partial credit can be adequately assessed. Put your name on each page of your paper. 1. [10 Points] For
More informationIntroduction to Quantum Safe Cryptography. ENISA September 2018
Introduction to Quantum Safe Cryptography ENISA September 2018 Introduction This talk will introduce the mathematical background of the most popular PQC primitives Code-based Lattice-based Multivariate
More informationComputational algebraic number theory tackles lattice-based cryptography
Computational algebraic number theory tackles lattice-based cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Moving to the left Moving to the right
More informationUnderstanding hard cases in the general class group algorithm
Understanding hard cases in the general class group algorithm Makoto Suwama Supervisor: Dr. Steve Donnelly The University of Sydney February 2014 1 Introduction This report has studied the general class
More informationLooking back at lattice-based cryptanalysis
September 2009 Lattices A lattice is a discrete subgroup of R n Equivalently, set of integral linear combinations: α 1 b1 + + α n bm with m n Lattice reduction Lattice reduction looks for a good basis
More informationLattice Based Crypto: Answering Questions You Don't Understand
Lattice Based Crypto: Answering Questions You Don't Understand Vadim Lyubashevsky INRIA / ENS, Paris Cryptography Secure communication in the presence of adversaries Symmetric-Key Cryptography Secret key
More informationWhat is the Langlands program all about?
What is the Langlands program all about? Laurent Lafforgue November 13, 2013 Hua Loo-Keng Distinguished Lecture Academy of Mathematics and Systems Science, Chinese Academy of Sciences This talk is mainly
More informationOn Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem
On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem Vadim Lyubashevsky Daniele Micciancio To appear at Crypto 2009 Lattices Lattice: A discrete subgroup of R n Group
More informationGalois groups with restricted ramification
Galois groups with restricted ramification Romyar Sharifi Harvard University 1 Unique factorization: Let K be a number field, a finite extension of the rational numbers Q. The ring of integers O K of K
More informationThe only method currently known for inverting nf-exp requires computing shortest vectors in lattices whose dimension is the degree of the number eld.
A one way function based on ideal arithmetic in number elds Johannes Buchmann Sachar Paulus Abstract We present a new one way function based on the diculty of nding shortest vectors in lattices. This new
More informationGenerating Subfields
Generating Subfields joint with Marc van Hoeij, Andrew Novocin Jürgen Klüners Universität Paderborn Number Theory Conference, Bordeaux, 14th January 2013 Jürgen Klüners (Universität Paderborn) Generating
More information5 Non-unique factorizations
5 Non-unique factorizations In this chapter we briefly discuss some aspects of non-unique factorization, ending with an application of quadratic forms (and more generally ideals) to factorization problems
More informationSchool of Mathematics and Statistics. MT5836 Galois Theory. Handout 0: Course Information
MRQ 2017 School of Mathematics and Statistics MT5836 Galois Theory Handout 0: Course Information Lecturer: Martyn Quick, Room 326. Prerequisite: MT3505 (or MT4517) Rings & Fields Lectures: Tutorials: Mon
More informationA SIMPLE PROOF OF KRONECKER-WEBER THEOREM. 1. Introduction. The main theorem that we are going to prove in this paper is the following: Q ab = Q(ζ n )
A SIMPLE PROOF OF KRONECKER-WEBER THEOREM NIZAMEDDIN H. ORDULU 1. Introduction The main theorem that we are going to prove in this paper is the following: Theorem 1.1. Kronecker-Weber Theorem Let K/Q be
More informationHONDA-TATE THEOREM FOR ELLIPTIC CURVES
HONDA-TATE THEOREM FOR ELLIPTIC CURVES MIHRAN PAPIKIAN 1. Introduction These are the notes from a reading seminar for graduate students that I organised at Penn State during the 2011-12 academic year.
More informationEfficient quantum algorithms for computing class groups and solving the principal ideal problem in arbitrary degree number fields
Efficient quantum algorithms for computing class groups and solving the principal ideal problem in arbitrary degree number fields Jean-François Biasse Fang Song Abstract This paper gives polynomial time
More informationComputational complexity of lattice problems and cyclic lattices
Computational complexity of lattice problems and cyclic lattices Lenny Fukshansky Claremont McKenna College Undergraduate Summer Research Program ICERM - Brown University July 28, 2014 Euclidean lattices
More informationApplication of Explicit Hilbert s Pairing to Constructive Class Field Theory and Cryptography
Applied Mathematical Sciences, Vol. 10, 2016, no. 45, 2205-2213 HIKARI Ltd, www.m-hikari.com http://dx.doi.org/10.12988/ams.2016.64149 Application of Explicit Hilbert s Pairing to Constructive Class Field
More information