Recovering Short Generators of Principal Ideals in Cyclotomic Rings

Size: px

Start display at page:

Download "Recovering Short Generators of Principal Ideals in Cyclotomic Rings"

Gladys Nash
6 years ago
Views:

1 Recoering Shor Generaors of Principal Ideals in Cycloomic Rings Léo Ducas CWI, Amserdam, The Neherlands Join work wih Ronald Cramer Chris Peiker Oded Rege Conference on Mahemaics of Crypography, Augus 205, UC Irine Slides reised on Sep. 7, 205. Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus 205 / 30

2 Recoering Shor Generaors for Crypanalysis A few cryposysems (Fully Homomorphic Encrypion [Smar and Vercaueren, 200] and Mulilinear Maps [Garg e al., 203, Langlois e al., 204]) share his KeyGen: sk Choose a shor g in some ring R as a priae key pk Gie a bad Z-basis B of he ideal (g) as a public key (e.g. HNF). Crypanalysis in wo seps (Key Recoery Aack) Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

3 Recoering Shor Generaors for Crypanalysis A few cryposysems (Fully Homomorphic Encrypion [Smar and Vercaueren, 200] and Mulilinear Maps [Garg e al., 203, Langlois e al., 204]) share his KeyGen: sk Choose a shor g in some ring R as a priae key pk Gie a bad Z-basis B of he ideal (g) as a public key (e.g. HNF). Crypanalysis in wo seps (Key Recoery Aack) Principal Ideal Problem (PIP) Gien a Z-basis B of a principal ideal I, Recoer some generaor h (i.e. I = (h)) Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

4 Recoering Shor Generaors for Crypanalysis A few cryposysems (Fully Homomorphic Encrypion [Smar and Vercaueren, 200] and Mulilinear Maps [Garg e al., 203, Langlois e al., 204]) share his KeyGen: sk Choose a shor g in some ring R as a priae key pk Gie a bad Z-basis B of he ideal (g) as a public key (e.g. HNF). Crypanalysis in wo seps (Key Recoery Aack) Principal Ideal Problem (PIP) Gien a Z-basis B of a principal ideal I, Recoer some generaor h (i.e. I = (h)) 2 Shor Generaor Problem Gien an arbirary generaor h R of I Recoer g (or some g equialenly shor) Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

5 Cos of hose wo seps Principal Ideal Problem (PIP) sub-exponenial ime (2Õ(n2/3) ) classical algorihm [Biasse and Fieker, 204, Biasse, 204]. progress oward quanum polynomial ime algorihm [Eisenräger e al., 204, Biasse and Song, 205b, Campbell e al., 204, Biasse and Song, 205a]. 2 Shor Generaor Problem equialen o he CVP in he log-uni laice becomes a BDD problem in he crypo cases. claimed o be easy [Campbell e al., 204] in he cycloomic case m = 2 k confirmed by experimens [Schank, 205] This Work [Cramer e al., 205] We focus on sep 2, and proe i can be soled in classical polynomial ime for he aforemenioned crypanalyic insances, when he ring R is he ring of inegers of he cycloomic number field K = Q(ζ m ) for m = p k. Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

6 Oeriew Inroducion 2 Preliminary 3 Geomery of Cycloomic Unis 4 Shorness of Log g Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

7 The Logarihmic Embedding Le K be a number field of degree n, σ... σ n : K C be is embeddings, and le R be is ring of inegers. The logarihmic Embedding is defined as I induces Log : K R n x (log σ (x),..., log σ n (x) ) a group morphism from (K \ {0}, ) o (R n, +) a monoid morphism from (R \ {0}, ) o (R n, +) Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

8 The Uni Group Le R denoes he muliplicaie group of unis of R. Le Λ = Log R. By Dirichle Uni Theorem he kernel of Log is he cyclic group T of roos of uniy of R Λ R n is an laice of rank r + c (where K has r real embeddings and 2c complex embeddings) Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

9 The Uni Group Le R denoes he muliplicaie group of unis of R. Le Λ = Log R. By Dirichle Uni Theorem he kernel of Log is he cyclic group T of roos of uniy of R Λ R n is an laice of rank r + c (where K has r real embeddings and 2c complex embeddings) Reducion o CVP Elemens g, h R generae he same ideal if and only if h = g u for some uni u R. In paricular Log g Log h + Λ. and g is he smalles generaor iff Log u Λ is a ecor closes o Log h. Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

10 Example: Embedding Z[ 2] R 2 x-axis: a + b 2 a + b 2 y-axis: a + b 2 a b Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

11 Example: Embedding Z[ 2] R 2 x-axis: a + b 2 a + b 2 y-axis: a + b 2 a b Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

12 Example: Embedding Z[ 2] R 2 2 x-axis: a + b 2 a + b 2 y-axis: a + b 2 a b 2 componen-wise muliplicaion Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

13 Example: Embedding Z[ 2] R 2 2 x-axis: a + b 2 a + b 2 y-axis: a + b 2 a b 2 componen-wise muliplicaion Symmeries induced by mul. by conjugaion 2 2 Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

14 Example: Embedding Z[ 2] R 2 2 x-axis: a + b 2 a + b 2 y-axis: a + b 2 a b 2 componen-wise muliplicaion Symmeries induced by mul. by conjugaion 2 2 Orhogonal elemens Unis (algebraic norm ) Isonorms cures Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

15 Example: Logarihmic Embedding Log Z[ 2] ({ }, +) is a sub-monoid of R 2 Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

16 Example: Logarihmic Embedding Log Z[ 2] Λ =({ }, +) is a laice of R 2, orhogonal o (, ) Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

17 Example: Logarihmic Embedding Log Z[ 2] { } are shifed finie copies of Λ Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

18 Example: Logarihmic Embedding Log Z[ 2] Some { } may be empy (e.g. no elemens of Norm 3 in Z[ 2]) Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

19 Reducion modulo Λ = Log Z[ 2] The reducion modλ for arious fundamenal domains. Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

20 Reducion modulo Λ = Log Z[ 2] The reducion modλ for arious fundamenal domains. Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

21 Reducion modulo Λ = Log Z[ 2] The reducion modλ for arious fundamenal domains. Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

22 Reducion modulo Λ = Log Z[ 2] The reducion modλ for arious fundamenal domains. Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

23 Decoding wih he RoundOff algorihm The simples algorihm [Babai, 986] o reduce modulo a laice RoundOff(B, ), B a Z-basis of Λ = B (B ) e = reurn (, e) where B Used as a decoding algorihm, is correcness is characerized by he error e and he dual basis B. Fac(Correcness of RoundOff) le = + e for some Λ. If b j, e [ 2, 2 ) for all j, hen RoundOff(B, ) = (, e). Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

24 RoundOff in picures RoundOff algorihm: Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus 205 / 30

25 RoundOff in picures (B ) RoundOff algorihm: use basis B o swich o he laice Z n ( (B ) ) = (B ) ; Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus 205 / 30

26 RoundOff in picures (B ) RoundOff algorihm: use basis B o swich o he laice Z n ( (B ) ) 2 Round each coordinae = (B ) ; = ; Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus 205 / 30

27 RoundOff in picures (B ) B RoundOff algorihm: use basis B o swich o he laice Z n ( (B ) ) 2 Round each coordinae 3 Swich back o he laice L ( B) = (B ) ; = ; = B Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus 205 / 30

28 Recoering Shor Generaor: Proof Plan Folklore sraegy [Bernsein, 204, Campbell e al., 204] o recoer a shor generaor g Consruc a basis B of he uni-log laice Log R For K = Q(ζ m ), m = p k, an (almos 2 ) canonical basis is gien by b j = Log ζj, j {2,..., m/2}, j co-prime wih m ζ 2 Proe ha he basis is good, ha is b j are all small 3 Proe ha e = Log g is small enough 2 i only spans a super-laice of finie index h + which is conjecured o be small Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

29 Recoering Shor Generaor: Proof Plan Folklore sraegy [Bernsein, 204, Campbell e al., 204] o recoer a shor generaor g Consruc a basis B of he uni-log laice Log R For K = Q(ζ m ), m = p k, an (almos 2 ) canonical basis is gien by b j = Log ζj, j {2,..., m/2}, j co-prime wih m ζ 2 Proe ha he basis is good, ha is b j are all small 3 Proe ha e = Log g is small enough Technical conribuions [CDPR5] 2 Esimae b j precisely using analyic ools [Washingon, 997, Lilewood, 924] 3 Bound e using heory of sub-exponenial random ariables [Vershynin, 202] 2 i only spans a super-laice of finie index h + which is conjecured o be small Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

30 Oeriew Inroducion 2 Preliminary 3 Geomery of Cycloomic Unis 4 Shorness of Log g Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

31 Cycloomic unis We fix he number field K = Q(ζ m ) where m = p k for some prime p. Se z j = ζ j and b j = z j /z for all j coprimes wih m. The b j are unis, and he group C generaed by ζ, b j for j = 2,... m/2, j coprime wih m is known as he group of cycloomic unis. 3 One jus need he index [R : C] = h + (m) o be small. Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

32 Cycloomic unis We fix he number field K = Q(ζ m ) where m = p k for some prime p. Se z j = ζ j and b j = z j /z for all j coprimes wih m. The b j are unis, and he group C generaed by ζ, b j for j = 2,... m/2, j coprime wih m is known as he group of cycloomic unis. Simplificaion (Weber s Class Number Problem) We assume 3 ha R = C. I is conjecured o be rue for m = 2 k. 3 One jus need he index [R : C] = h + (m) o be small. Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

33 Cycloomic unis We fix he number field K = Q(ζ m ) where m = p k for some prime p. Se z j = ζ j and b j = z j /z for all j coprimes wih m. The b j are unis, and he group C generaed by ζ, b j for j = 2,... m/2, j coprime wih m is known as he group of cycloomic unis. Simplificaion (Weber s Class Number Problem) We assume 3 ha R = C. I is conjecured o be rue for m = 2 k. Simplificaion 2 (for his alk) We sudy he dual marix Z, where z j = Log z j. I can be proed o close o B where b j = z j z. 3 One jus need he index [R : C] = h + (m) o be small. Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

34 The marix Z The field K admis exacly ϕ(m)/2 pairs of conjugae complex embeddings σ i = σ i, where σ i : ζ ω i is defined for all i Z m. where ω = exp(2ıπ/m) C is a primiie roo of uniy. Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

35 The marix Z The field K admis exacly ϕ(m)/2 pairs of conjugae complex embeddings σ i = σ i, where σ i : ζ ω i is defined for all i Z m. where ω = exp(2ıπ/m) C is a primiie roo of uniy. cycliciy.pdf Figure : Naïe Indexing (i =, 3, 5,... ) Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

36 The marix Z The field K admis exacly ϕ(m)/2 pairs of conjugae complex embeddings σ i = σ i, where σ i : ζ ω i is defined for all i Z m. where ω = exp(2ıπ/m) C is a primiie roo of uniy. cycliciy2.pdf Figure : Muliplicaie Indexing (i = 3 0, 3, 3 2,... ) Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

37 Dual of a Circulan Basis Noice ha Z ij = log σ j ( ζ i ) = log ω ij : he marix Z is G-circulan for he cyclic group G = Z m/ ±. Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

38 Dual of a Circulan Basis Noice ha Z ij = log σ j ( ζ i ) = log ω ij : he marix Z is G-circulan for he cyclic group G = Z m/ ±. Fac If M is a non-singular, G-circulan marix, hen is eigenalues are gien by λ χ = g G χ(g) M,g where χ Ĝ is a characer G C All he ecors of M hae he same norm m i 2 = χ Ĝ λ χ 2 Noe: The characers of G can be exended o een Dirichle characers mod m: χ : Z C, by seing χ(a) = 0 if gcd(a, m) >. Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

39 Compuing he Eigenalues We wish o gie a lower bound on λ χ where λ χ = a G χ(a) log ω a. Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

40 Compuing he Eigenalues We wish o gie a lower bound on λ χ where λ χ = a G χ(a) log ω a. Why no sop here? This formula is prey easy o ealuae numerically: a his poin we can already check RoundOff s correcness numerically up o m = 0 6 or more. Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

41 Compuing he Eigenalues We wish o gie a lower bound on λ χ where λ χ = a G χ(a) log ω a. Why no sop here? This formula is prey easy o ealuae numerically: a his poin we can already check RoundOff s correcness numerically up o m = 0 6 or more. Somehing cue o be learned! The equaions looks no ery algebraic (log?), ye appears quie naurally... Surely mahemaicians knows how o deal wih his. Indeed, compuaion of he olume of ha basis appears in [Washingon, 997]. Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

42 Compuing he Eigenalues We wish o gie a lower bound on λ χ where λ χ = a G χ(a) log ω a. We deelop using he Taylor series log x = k x k /k Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

43 Compuing he Eigenalues We wish o gie a lower bound on λ χ where λ χ = a G χ(a) log ω a. We deelop using he Taylor series log x = k x k /k and obain λ χ = a G k χ(a) ωka k. Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

44 Compuing he Eigenalues (coninued) We were rying o lower bound λ χ where λ χ = k χ(a) ω ka. k a G Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

45 Compuing he Eigenalues (coninued) We were rying o lower bound λ χ where λ χ = k χ(a) ω ka. k a G Fac (Separabiliy of Gauss Sums) If χ is a primiie Dirichle characer modm hen χ(a) ω ka = χ(k) G(χ) where G(χ) = m. a Z m Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

46 Compuing he Eigenalues (coninued) We were rying o lower bound λ χ where λ χ = k χ(a) ω ka. k a G Fac (Separabiliy of Gauss Sums) If χ is a primiie Dirichle characer modm hen χ(a) ω ka = χ(k) G(χ) where G(χ) = m. a Z m For his alk, le s ignore non-primiie characers. We rewrie λ χ m = 2 χ(k) k. k Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

47 The Analyical Hammer We were rying o lower bound λχ = m 2 k One recognizes a Dirichle L-series L(s, χ) = χ(k) k s. χ(k) k. Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

48 The Analyical Hammer We were rying o lower bound λχ = m 2 k One recognizes a Dirichle L-series L(s, χ) = χ(k) k s. Theorem ([Lilewood, 924, Youness e al., 203]) χ(k) k. Under he Generalized Riemann Hypohesis, for any primiie Dirichle characer χ mod m i holds ha /l(m) L(, χ) l(m) where l(m) = C ln ln m for some uniersal consan C > 0. Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

49 Geomeric Conclusion Theorem (Cramer, D., Peiker, Rege) Le m = p k, and B = ( Log(b j )) j G\{} be he canonical basis of Log C. Then, all he ecors of B hae he same norm and, under GRH, his norm is upper bounded as follows b 2 j O ( m log 3 m ). Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

50 Oeriew Inroducion 2 Preliminary 3 Geomery of Cycloomic Unis 4 Shorness of Log g Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

51 Proof Plan (Reminder) Consruc a basis B of he uni-log laice Log R Choose he Canonical Cycloomics Unis b j = Log ζj ζ 2 Proe ha he basis is good, ha is b j are all small Proed b 2 j O ( m log 3 m ) 3 Proe ha e = Log g is small enough Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

52 Scaling Inariance Les assume he embeddings (σ i (g)) are i.i.d. of disribuion D. Log (s D n ) (,,... ) log s + Log D n Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

53 Heurisic argumen Using scaling, assume ha E[Log D m ] = 0. Le e Log D m (e = Log g) Each coordinae Log D of e are independens, cenered, of ariance V For any b, he ariance of b, e is V b By Marko Inequaliy, for a fixed i i should hold ha b i, e /2 excep wih o() probabiliy (recall we e proed ha b i = o()) Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

54 Conclusion from beer ail bounds The preious argumen does no allows o conclude simulanously on all i s. We fill his gap using sronger ail bounds, form he heory of sub-exponenial random ariables [Vershynin, 202] Theorem (Cramer, D., Peiker, Rege) If g follows a Coninuous Normal Disribuion, hen for e = Log g, we hae b i, e /2 for all i s excep wih negligible probabiliy. Corollary If g follows a Discree Normal Disribuion of parameer σ poly(m), hen for e = Log g, we hae b i, e /2 for all i s excep wih probabiliy /n Θ(). Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

55 Thanks Figure : The Shinani Domain of Z[ζ 7 + ζ 7 ]. Credi: Paul Gunells hp://people.mah.umass.edu/~gunnells/picures/picures.hml We hank Dan Bernsein, Jean-Franois Biasse, Sorina Ionica, Dimiar Jeche, Paul Kirchner, René Schoof, Dan Shepherd and Harold M. Sark for many insighful conersaions relaed o his work. Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

56 References I Babai, L. (986). On Loász laice reducion and he neares laice poin problem. Combinaorica, 6(): 3. Preliminary ersion in STACS 985. Bernsein, D. (204). A subfield-logarihm aack agains ideal laices. hp://blog.cr.yp.o/ ideal.hml. Biasse, J.-F. (204). Subexponenial ime relaions in he class group of large degree number fields. Ad. Mah. Commun., 8(4): Biasse, J.-F. and Fieker, C. (204). Subexponenial class group and uni group compuaion in large degree number fields. LMS Journal of Compuaion and Mahemaics, 7: Biasse, J.-F. and Song, F. (205a). A noe on he quanum aacks agains schemes relying on he hardness of finding a shor generaor of an ideal in Q(z 2ˆn). hp://cacr.uwaerloo.ca/echrepors/205/cacr205-2.pdf. Technical Repor. Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

57 References II Biasse, J.-F. and Song, F. (205b). A polynomial ime quanum algorihm for compuing class groups and soling he principal ideal problem in arbirary degree number fields. hp:// In preparaion. Campbell, P., Groes, M., and Shepherd, D. (204). Soliloquy: A cauionary ale. ETSI 2nd Quanum-Safe Crypo Workshop. Aailable a hp://docbox.esi.org/workshop/204/2040_crypto/s07_sysems_ and_aacks/s07_groes_annex.pdf. Cramer, R., Ducas, L., Peiker, C., and Rege, O. (205). Recoering shor generaors of principal ideals in cycloomic rings. Crypology eprin Archie, Repor 205/33. hp://eprin.iacr.org/. Eisenräger, K., Hallgren, S., Kiae, A., and Song, F. (204). A quanum algorihm for compuing he uni group of an arbirary degree number field. In Proceedings of he 46h Annual ACM Symposium on Theory of Compuing, pages ACM. Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

58 References III Garg, S., Genry, C., and Halei, S. (203). Candidae mulilinear maps from ideal laices. In EUROCRYPT, pages 7. Langlois, A., Sehlé, D., and Seinfeld, R. (204). Gghlie: More efficien mulilinear maps from ideal laices. In Adances in Crypology EUROCRYPT 204, pages Springer. Lilewood, J. (924). On he zeros of he riemann zea-funcion. In Mahemaical Proceedings of he Cambridge Philosophical Sociey, olume 22, pages Cambridge Uni Press. Schank, J. (205). LogCp, Pari implemenaion of CVP in log Z[ζ 2 n ]. hps://gihub.com/jschanck-si/logcp. Smar, N. P. and Vercaueren, F. (200). Fully homomorphic encrypion wih relaiely small key and cipherex sizes. In Public Key Crypography, pages Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

59 References IV Vershynin, R. (202). Compressed Sensing, Theory and Applicaions, chaper 5, pages Cambridge Uniersiy Press. Aailable a hp://www-personal.umich.edu/~roman/papers/non-asympoic-rm-plain.pdf. Washingon, L. (997). Inroducion o Cycloomic Fields. Graduae Texs in Mahemaics. Springer New York. Youness, L., Xiannan, L., and Kannan, S. (203). Condiional bounds for he leas quadraic non-residue and relaed problems. hp://arxi.org/abs/ Léo Ducas (CWI, Amserdam) Recoering Shor Generaors UC Irine, Augus / 30

Recovering Short Generators of Principal Ideals in Cyclotomic Rings

Recovering Short Generators of Principal Ideals in Cyclotomic Rings Recoering Shor Generaors of Principal Ideals in Cycloomic Rings Léo Ducas CWI, Amserdam, The Neherlands Join work wih Ronald Cramer Chris Peiker Oded Rege Presened a ICERM, Brown Uniersiy, April 205 Léo