Algorithms for quadratic orders INGRID BIEHL AND JOHANNES BUCHMANN. Abstract. We describe deterministic algorithms for solving the following

Transcription

1 Proceedings of Symposia in Applied Mathematics Volume 00, 0000 Algorithms for quadratic orders INGRID BIEHL AND JOHANNES BUCHMANN Abstract. We describe deterministic algorithms for solving the following algorithmic problems in quadratic orders: Computing fundamental unit and regulator, principal ideal testing, solving prime norm equations, computing the structure of the class group, computing the order of an ideal class and determining discrete logarithms in the class group. We also prove upper bounds for the time and space complexity of the algorithms. 1. Introduction A quadratic discriminant is an integer 2 ZZ which is not a square in ZZ such that 0; 1 mod 4. By D we denote the set of all quadratic discriminants. Let 2 D. By p we denote the square root of in C which for > 0 is positive and for < 0 has positive imaginary part. Then O = ZZ + + p ZZ 2 is the quadratic order of discriminant. Important computational problems for O are the following: For > 0 nd the fundamental unit and the regulator R of O. Decide whether an ideal of O is principal. If it is, nd a generator. Decide whether a prime number p is a norm in O. If it is, nd a number in O of norm p. Find the ideal class group of O. Solve the discrete logarithm problem in the class group of O. In this paper we describe deterministic algorithms for solving these problems and we prove upper bounds for their time and space bit complexity. To give a 1991 Mathematics Subject Classication. 11Y16. This paper is in nal form and no version of it will be submitted for publication elsewhere. c0000 American Mathematical Society /00 $ $.25 per page 1

2 2 INGRID BIEHL AND JOHANNES BUCHMANN simpler form for these upper bounds we write T = O (f) for functions f; T : ZZ >0! ZZ >0 if T f p with some polynomial function p : ZZ >0! ZZ >0. Also, for < 0 we let R = 1. We prove the following upper bounds both for time and space complexity: Problem complexity Fundamental unit O (R 1=2 Principal ideal testing O (R 1=2 Norm p problem O (p 1=2 + R 1=2 Class group O (jj 1=2 ) Discrete logarithm O (jj 1=4 ) ) Algorithms for solving all the computational problems mentioned above were already developed by Lagrange, Gau and others in the 18th century. While the running time of these classical methods is roughly the square of the running time of the algorithms described in this paper, they only require space O (1) (see [8]). So they are more useful for hand computations. With the invention of computers it became possible to handle large sets of data. It was Shanks [16], [17] who discovered that the running times of all the classical methods could be reduced to their square root at the expense of using a lot more storage. Some of the ideas of Shanks are explained and analyzed in papers of Lenstra [11] and Schoof [15]. There, however, the following problem was not solved. If for > 0 one represents the fundamental unit, the generator of an ideal, or a number of norm p in the standard way as (x + y p )=2 with x; y 2 ZZ, then the number of bits required to write down this representation may be of the order of magnitude R. It is therefore not possible to prove the asserted complexity results using that representation. One can only prove upper running time bounds for computing an approximation to the regulator and for deciding principality or the existence of a number of norm p. The complexity results can only be shown with a new binary representation of numbers in the eld of fractions K of O. This representation was introduced in [2]. The binary length of the binary representation for the fundamental unit, for example, is O (1). Most of the operations that one wants to perform with numbers in K can be carried out in polynomial time with numbers given in binary representation. One can, for example, verify in polynomial time that a unit given in binary representation is a unit, i.e., generates the principal ideal O. Similar ideas were used in [4] and [7]. While Shanks relied on using probabilistic algorithms for nding a generating system for the class group, we restrict ourselves in this paper to deterministic methods. Generalizations of our complexity results to arbitrary number elds can be

3 ALGORITHMS FOR QUADRATIC ORDERS 3 found in [1]. Stronger results can be obtained if one is willing to assume the truth of the generalized Riemann hypothesis or if one applies randomized algorithms. There are various results in this direction. A systematic presentation will be given in a forthcoming paper. The paper is organized as follows. After a few preliminary remarks we present algorithms for nite abelian groups which are given in such a way that multiplication, inversion and equality testing is possible. In particular, we describe algorithms for nding the structure of the group and for computing discrete logarithms. All these algorithms are based on ideas of Shanks. These algorithms are then applied to the class group. We dene that group, and we describe how elements are represented using reduced ideals. We show how multiplication and inversion can be performed in polynomial time. We also show how equality testing is possible in polynomial time if < 0. We then discuss in great detail the problem of deciding whether an ideal class belongs to a given set of ideal classes for > 0. Again, we use an idea of Shanks to develop an algorithm for solving that problem. At the same time we are able to present algorithms for determining the fundamental unit, for principal ideal testing and for solving the norm p problem. At the end of the paper we present an algorithm of H.W. Lenstra [13] for computing the class group. 2. Preliminaries 2.1. Representation of rational numbers. With a few exceptions, which will be explicitly mentioned, we use for integers the binary representation. The binary length of an integer z 6= 0 is size(z) = blog jzjc + 2, where log denotes the logarithm to base 2. The extra bit encodes the sign of z. We also set size(0) = 2. Each mathematical object which we consider in this paper is represented by a nite sequence of integers. The binary length of such a representation is the sum of the binary lengths of the sequence elements. A rational number q, for example, is represented as q = u=v with u; v 2 ZZ, v > Approximations to complex numbers. Let c be a complex number, and let q be an integer. An approximation of precision q to c is a number ^c 2 2?(q+1) ZZ[i] such that jc? ^cj < 2?q Ordered sets. An ordered set is a pair G = (S(G); < G ), where S(G) is a set and < G is a total ordering of S(G). We also consider ; as an ordered set. Instead of explicitly dening S(G) and < G, we often just write the series of elements of S(G) in increasing order with respect to < G. So, for example, (g; h; k) is the ordered set (S(G); < G ) with S(G) = fg; h; kg and g < G h, h < G k and g < G k.

4 4 INGRID BIEHL AND JOHANNES BUCHMANN Let G be an ordered set. We write ]G for cardinality of S(G), and if h 2 S(G), we write h 2 G. A subset of G is an ordered set G 0 where S(G 0 ) S(G) and < G 0 is < G restricted to S(G 0 ). If G 0 is another ordered set which is disjoint from G, i.e., S(G) and S(G 0 ) are disjoint, then GG 0 = (S(G)[S(G 0 ); < GG 0), where on G and G 0 the ordering < GG 0 agrees with < G and < G 0, respectively, and where g < GG 0 g 0 for every g 2 G, g 0 2 G 0. The set of all maps from S(G) to ZZ is denoted by ZZ G. For v; w 2 ZZ G we write v < w if v(g) < w(g) for all g 2 G. Moreover, we use the lexicographic ordering on ZZ G : v is less than w with respect to the lexicographic ordering if v(g) < w(g) for the smallest element g 2 G on which v and w disagree. A map f 2 ZZ G can be interpreted as a vector (f(g)) g2g and vice versa. By 1 we denote the vector in ZZ G whose rst component is 1 and whose other components are 0. Let G 0 be a subset of G. Then each y 2 ZZ G0 can be extended to a vector in ZZ G by setting y(g) = 0 for g 2 G, g 62 G 0. For a set T the system of all ordered subsets of T is denoted by G(T ). 3. Finite abelian groups In order to describe the computation of the ideal class group, we present an algorithm for nding the structure of a nite abelian group H. We also solve the problem of computing orders of elements and determining discrete logarithms Group operations. We assume that H is a multiplicatively written nite abelian group. The elements of H are represented by nite sequences of integers. That representation is not necessarily unique. But we assume that we can carry out the following group operations: multiplication, inversion and deciding equality. If we can decide equality of two elements, then we can also decide whether an element belongs to a subset T of H. Such an operation is called a containment test Relation lattice. Let G be an ordered subset of H. For e 2 ZZ G we set G e = Y g2g g e(g) : The subgroup of H generated by the elements of G is hgi = fg e : e 2 ZZ G g: If hgi = H, then G is called a generating system for H. The map ZZ G! hgi; (e(g)) g2g 7! Y g2g g e(g)

5 ALGORITHMS FOR QUADRATIC ORDERS 5 is a surjective homomorphism. Its kernel L(G) is a ]G-dimensional sublattice of ZZ G and hgi = ZZ G =L(G): The lattice L(G) is called the relation lattice for G. relations. Lattices are represented by bases. Its elements are called 3.3. Structure. Let s 1 ; : : : ; s k be the elementary divisors of H, i.e., the s i are positive integers for 1 i k, s i divides s i+1 for 1 i k? 1 and (1) H = km i=1 ZZ=s i ZZ: If we know a generating system G and the relation lattice L(G), then the elementary divisors of H, the isomorphism (1) and its inverse can be determined in polynomial time using the algorithm of [6]. Hence, nding (G; L(G)) means determining the structure of G The bounded relation problem. The bounded relation problem is the following. Given an ordered set G in H and an upper bound u 2 ZZ G, u > 1, decide whether there is a relation y on G with 1 y < u. If there is one, nd the minimal one with respect to the lexicographic ordering. The problems of computing the structure of H, determining the order of an element in H and nding discrete logarithms in H can be reduced to solving the bounded relation problem. The solution of the bounded relation problem is based on the following statement. Proposition 3.1. Let G be an ordered subset of H, u 2 ZZ G, u > 1. Let y be the minimal such relation on G with y 1. If y < u, then y can be written as y = qb p uc + r with q; r 2 IN G, 0 q 2 < u and 1 r 2 < u. This statement leads immediately to the following algorithm RELATION which is based on [16] and in which we use NEXT which, given G and x 2 ZZ G, computes the successor of x according to the lexicographical ordering. For RELATION we get the next theorem. Theorem 3.2. RELATION is correct and requires O( p k) operations and tests for containment in a subset of H with O( p Q k) elements, where k = u(g). g2g RELATION also requires space for O( p k) elements of H.

6 6 INGRID BIEHL AND JOHANNES BUCHMANN Algorithm 3.3. (RELATION) Input: H, G 2 G(H), u 2 ZZ G, u > 1. Output: If there is y 2 L(G) with 1 y < u, then the minimal such y, else y = 0. S := ;; r := 1; y := 0 (1) REPEAT (2) h := G r (3) S := S [ f(h; r)g (4) r := NEXT(G; r) (5) UNTIL r 2 u or h = 1 (6) q := 0 (7) REPEAT (8) h := G?qbp uc (9) IF (h; r) 2 S for some r (10) THEN y := qb p uc + r (11) ELSE q := NEXT(G; q) (12) UNTIL y 6= 0 or q 2 u (13) 3.5. Computing relation lattices. The algorithm BASIS which nds the relation lattice L(G) for an ordered set G in H and which is described in this section is based on the following statement. Proposition 3.4. Let G be an ordered subset of H. For h 2 G let e(h) = (e(g; h)) g2g be the extension of the minimal relation on fg 2 G : g hg to G. Then e = (e(h)) h2g is a basis of L(G) with e(g; h) 0 and e(g; h) 8 < : = 0 if g < G h; > 0 if g = h; < e(g; g) if h < G g; for all g; h 2 G. Also, the basis e is uniquely determined by these conditions. We say that the basis from Proposition 3.4 is in Hermite normal form (HNF). Theorem 3.5. BASIS is correct and requires O(]G(log k) p k) operations and tests for containment in each of O(]G log k) subsets of H with O( p k) elements, where k = ]hgi. BASIS also requires space for O( p k) elements in G. Proof. The number of iterations of the FOR loop is ]G. Let e 2 ZZ GG be the HNF basis of L(G). Also, let k = ]hgi. Suppose that the algorithm is executing

7 ALGORITHMS FOR QUADRATIC ORDERS 7 an iteration of the FOR loop. Then u(g) = e(g; g) for every g with g > G h. We also always have u(h) 2e(h; h). Therefore, Q the number of iterations in the REPEAT loop is O(log e(h; h)). Since k = g2g e(g; g), it follows from Theorem 3.2 that the iteration of the FOR loop requires O((log k) p k) operations and tests for containment in each of log k subsets of H with O( p k) elements. The space required is O( p k). Algorithm 3.6. (BASIS) Input: Output: H, G 2 G(H). The HNF basis e of L(G). G 0 := ; (1) FOR all h 2 G in descending order (2) G 0 := fhg G 0 ; u(h) := 2 (3) REPEAT (4) e(h) := RELATION(H; G 0 ; u) (5) u(h) := 2 u(h) (6) UNTIL e(h) 6= 0 (7) Extend e(h) to G; u(h) := e(h; h) (8) 3.6. Discrete logarithms. For g; h 2 H with g 2 hhi, the discrete logarithm of g to base h is the minimal positive integer y such that g = h y. It is denoted by log h g. Algorithm 3.7. (DISCRETE LOG) Input: H, g; h 2 H. Output: y = log h g, if it exists, and y = 0 otherwise. u(g) := u(h) := 2 (1) REPEAT (2) y := RELATION(H; (g; h); u) (3) o := RELATION(H; (h); u(h)) (4) u(h) := 2u(h) (5) UNTIL y + o 6= 0 (6) The algorithm for computing discrete logarithms is based on the following observation.

8 8 INGRID BIEHL AND JOHANNES BUCHMANN Proposition 3.8. Let g; h 2 H. If g 6= h y for all y with 1 y order h, the discrete logarithm of g to base h does not exist. Theorem 3.9. DISCRETE LOG is correct. The algorithm requires O((log k) p k) operations and tests for containment in each of O(log k) subsets of H with O( p k) elements as well as space for O( p k) elements of H. If the discrete logarithm of g to base h exists, then k = log h g. Otherwise, k = order h. 4. Quadratic numbers Let be a quadratic discriminant. The eld of fractions of O is K = Q( p ). The standard representation of a number 2 K is = (x+y p )=(2z) with x; y; z 2 ZZ, z > 0 and gcd(x; y; z) = 1. The integer z is called the denominator of with respect to we write z = d(). The conjugate of is = (x? y p )=(2z). The height of is H() = maxfjj; jjg. The norm of is N() =. If S is a set of numbers in K then we write S = f : 2 Sg. 5. Ideals We wish to use the algorithms from the previous section in class groups. In order to explain what they are, and how operations in those groups are performed, we rst talk about ideals. Let be a quadratic discriminant. By an ideal of O we always mean an invertible ideal of O. (2) 5.1. Representation. A subset A of O is an ideal of O if and only if A = q ZZ + b + p ZZ 2a where a; b 2 ZZ, q 2 Q, a; q > 0, c = (b 2? )=(4a) 2 ZZ and gcd(a; b; c) = 1. In this representation, the numbers a; q are uniquely determined and the integer b is unique modulo 2a. We write a = a(a) and q = q(a). A representation (2) is called standard representation if jbj maxfa; p jjg. Ideals are always given in some standard representation. The norm of A is q 2 a. The ideal A is called normal if q = 1. The denominator d(a) of A is the smallest positive integer d such that da O. If A is normal, then d(a) = a(a). The set I of invertible ideals of O is an abelian group Inverse. The inverse of an ideal A of O is A?1 = (1=N(A))A Product. The product of two ideals A, B can be determined as follows. Let b(a), b(b) be the numbers b appearing in some standard representation of A and B (see x 5.1). Compute m = gcd(a(a); a(b); (b(a)+b(b))=2). Let j; k; ` 2 ZZ! ;

9 ALGORITHMS FOR QUADRATIC ORDERS 9 with ja(a) + ka(b) + `(b(a) + b(b))=2 = m. Then a(ab) = a(a)a(b)=(m 2 ), b(ab) (ja(a)b(b) + ka(b)b(a) + `(b(a)b(b) + )=2)=m mod a(ab) and q(ab) = q(a)q(b)m Principal ideals. By K we denote the set of nonzero elements of K. A principal ideal of O is an ideal of the form O with 2 K. The number is called a generator of O. Let 2 K, = (x + y p )=(2z), be its standard representation. The principal ideal O can be found as follows. Compute m = gcd(y; (x + y)=2) and let k; ` 2 ZZ such that ky + `(x + y)=2 = m. Then a(o ) = a = jx 2? y 2 j=(4m 2 ), b(o ) b = (kx + `(x + y)=2)=m mod 2a and q(o ) = ma=z Prime ideals. We denote by IP the set of all prime numbers p such that there is an invertible prime ideal of norm p in O. For a prime number p 2 IP there is a prime ideal A p = ZZ + b p + p ZZ; 2p where b p is the uniquely determined integer with 0 < b p < p, and b 2 p mod 4p. The only possible other prime ideal of norm p is A p. On input of and a prime number p, the procedure PRIME IDEAL returns A p if p 2 IP and 0 otherwise. In PRIME IDEAL the square root of mod p must be found. The fastest deterministic algorithm for factoring polynomials mod p requires time and space O ( p p) (see [18]). Therefore, also PRIME IDEAL requires time and space O ( p p). 6. Ideal class group In this section we introduce the ideal class group and we explain how to perform the basic operations in these groups Denition. The set P of all principal ideals of O is a subgroup of the group I of all ideals of O. The elements of the ideal class group Cl = I =P are called ideal classes of O. The number h = ]Cl is called class number of. Ideals A; B 2 O are called equivalent if they belong to the same ideal class. The class of an ideal A is denoted by [A] Representation. For a; b 2 ZZ, a > 0, we denote by (a; b) the uniquely determined number b 0 such that b 0 b mod 2a and?2a + p < b 0 < p for > 0 and a < p ;?a < b 0 a for < 0 or > 0 and a > p :

10 10 INGRID BIEHL AND JOHANNES BUCHMANN For an ideal A of O we dene b(a) = (b; a); c(a) = jb(a) 2? j=(4a(a)) and (A) = b(a) + p : 2a(A) An ideal A of O is called reduced if it is normal and b(a) maxf0; 2a(A)? p g for > 0; jb(a)j a(a) c(a) for < 0: Each ideal class contains a reduced ideal. Hence, we can in fact represent each ideal class by a reduced ideal. For > 0, however, this representation is far from being unique. p Here are a few properties of reduced ideals. If A is reduced, then a(a); jb(a)j < jj, and if > 0, then (A) > 1 and?1 < (A) < 0. Also, a normal ideal A is reduced if a(a) < p jj= Multiplication, inversion. If we want to determine the inverse of an ideal class or the product of two ideal classes, then we compute the product or the inverse of their reduced representatives. The resulting ideals are, in general, not reduced. Therefore, in this section we describe a polynomial-time algorithm REDUCE which on input of an ideal A computes a reduced ideal in the ideal class of A. Thus, computing inverses and products of ideal classes can be eected in polynomial time. Let A be a normal ideal. Dene (A) = (1=(A))A = ZZ + 1 (A) ZZ: Then (A) is normal, a((a)) = c(a); b((a)) = (?b(a); c(a)): Here is the reduction algorithm which works in polynomial time.

11 Algorithm 6.1. (REDUCE) ALGORITHMS FOR QUADRATIC ORDERS 11 Input: 2 D, A 2 I. Output: A reduced ideal B in the class of A, 2 A with A = B and H() q(a). := 1; B := A (1) REPEAT (2) := (B) (3) B := (B) (4) UNTIL B is reduced (5) The output of the algorithm REDUCE is called the reducing number of A Containment problem. Let A and B be ideals of O in the same ideal class. Then there is 2 K such that A = B. The number is called a generator of A relative to B. For > 0 we assume without loss of generality that > q(a). So in this case, the minimal generator is well dened. For < 0 each generator of A relative to B is called minimal. The containment problem for is the following. Given a quadratic discriminant, a set T of reduced ideals in O and a reduced ideal A of O, i.e., decide whether A is equivalent to a reduced ideal B in T. If so, nd the minimal generator of A relative to B Solving the containment problem for < 0. If < 0, then there are at most two reduced ideals in each ideal class. More precisely, let A be a reduced ideal of O ; then the only other possible reduced ideal of the same class is (A). Hence, for < 0 the containment problem can be solved as follows. Let T be a set of reduced ideals and A be a reduced ideal of O. We order the elements of T such that binary search is possible. Then we determine the reduced ideals contained in [A], and using binary search, we check whether one of these ideals belongs to T. If so, the generator of A relative to that ideal is either 1 or (A). Thus, we have proved the following statement. Proposition 6.2. For 2 D, < 0 the containment problem can be solved using time and space O (]T ) The equivalence problem for > 0. If > 0 then there can be more than p reduced ideals in one ideal class. Hence in this case, the containment problem is more dicult to solve. We rst consider a special case.

12 12 INGRID BIEHL AND JOHANNES BUCHMANN The bounded equivalence problem is the following. Given a positive quadratic discriminant, reduced ideals A; B of O and a positive integer u, i.e., decide whether A has a generator relative to B with < u. If so, nd the minimal. This problem is very similar to the discrete logarithm problem in an abelian group. It is, however, not clear whether the decision problem belongs to the complexity class NP. In the sequel, we will prove that this is the case. We will also present an algorithm to solve the equivalence problem. This algorithm is very similar to the discrete logarithm procedure from above Minima. Let > 0. To show that the equivalence decision problem belongs to NP, we study the representation of relative generators. Let A be an ideal of O. A generator of A relative to a reduced ideal of O is called a minimum of A. The logarithm of a minimum of A can be considered as some sort of discrete logarithm. These logarithms form a discrete subset of the real line. Each minimum has a right and a left neighbor which is easily computable. This will now be explained in more detail. The ideal A is reduced if and only if 1 is a minimum of A. Let be a minimum of A; then jn()j < N(A) p : The right neighbor of a minimum in A is the uniquely determined minimum of A with minimal >. It can be computed via R MIN(; A; ) = ((1=)A): In particular, if A is reduced, then (A) is the right neighbor of 1 in A. The left neighbor of a minimum in A is the uniquely determined minimum of A with minimal jj > jj. It can be computed via L MIN(; A; ) = ((1=)A): Let ; be minima of A. Then is the right neighbor of if and only if is the left neighbor of. Also jj; jj are minima of A and jj is the left neighbor of if is the right neighbor of. Fix some minimum 0 of A. Let ( i ) i2 Z be the sequence of minima in A with the property that i is the right neighbor of i?1 for i 2 ZZ. Then we have (3) and log i+2? log i 1; i 2 ZZ; (4) 0 < log i+1? log i < (log )=2; i 2 ZZ: The previous statements show that minima have a fairly regular distribution on the real line.

13 ALGORITHMS FOR QUADRATIC ORDERS 13 The sequence ( i ) i2 Z is periodic in the following sense. There is k = k(a) 2 ZZ >0 such that i = j is a unit in O if and only if i j mod k for any i; j 2 ZZ. The number " = k = 0 is the fundamental unit of O. For every i; l 2 ZZ we have lk+i = i = " l. The number k(a) is an invariant of the ideal class of A. It is called the period length of [A]. If k(a) = 1, then (5) log i+1? log i > 1=2; i 2 ZZ: 6.8. Reduced ideals for > 0. Let A be an invertible ideal of O. The reduced ideals in [A] are exactly the ideals (1=)A where is a minimum in A. If A reduced, then the right neighbor of A is and the left neighbor of A is R IDEAL(; A) = (A) L IDEAL(; A) = (A): If B and C are reduced ideals in the class of A, B = (1=)A, C = (1=)A with minima ; of A, then C is the right neighbor of B if and only if is the right neighbor of. The graph of reduced ideals in the class of A is a cycle, the cycle of reduced ideals in the class of A. The number of elements of that cycle is k(a) Binary representation of minima. Let A be a reduced ideal of O and a minimum of A. A binary representation of in A is of the form = ny i=1 where n 2 ZZ 1, i 2 K, 1 i n satisfy We write 2n?i i ; n log log + 2, H( i ) Q < 16 5=4 for 1 i n, j j = i=1 2j?i i is a minimum in A for 1 j n. = ( 1 ; : : : ; n ): It follows that the binary length of the standard representation of each i is O (1), and the binary length of a binary representation of is O (log log H()). We will show below that all minima have binary representations. Minima in reduced ideals will be always given in binary representation. Note that log = X (log i )2 n?i : This looks like a real binary representation for the \discrete logarithm" log except that the log i are not bits but \small" numbers.

14 14 INGRID BIEHL AND JOHANNES BUCHMANN It is easy to see that there is a polynomial-time algorithm IDEAL that on input of, A and a minimum of A in binary representation determines the ideal (1=)A. It is also easy to see that there is a polynomial-time algorithm APPROX that on input of, A, a minimum of A in binary representation and a positive integer q in unary representation determines an approximation of precision q to log Finding minima of a given size. Let A be a reduced ideal of O and s 2 Q >0. A minimum in A is called close to s if (6) js? log j > js? log j? 3=4 for every minimum in A. From (3) and (4) one can deduce (7) and (8) js? log j < (log + 3)=4; maxf2 s?3=4?1=4 ; 2?s?3=4 N(A)?1=4 g H() maxf2 s+3=4 1=4 ; 2?s+3=4 N(A) 3=4 g: We now present the algorithm CLOSE which on input of, A and s nds in polynomial time a minimum of A which is close to s. The main tool that is used in CLOSE is the procedure DOUBLE, which on input of t 2 Q >0 and a minimum ( 1 ; : : : ; k?1 ) of A which is close to t determines in polynomial time a minimum ( 1 ; : : : ; k?1 ; k ) of A which is close to 2t. Using DOUBLE as a subroutine, CLOSE works as follows. Algorithm 6.3. (CLOSE) Input: 2 D, > 0, a reduced ideal A of O, s 2 Q 0. Output: A minimum = ( 1 ; : : : ; n ) of A close to s, where n = dlog se + 1 and H( i ) 4 5=4 for 1 i n if s > 0, otherwise 1. IF s = 0 (1) THEN = 1 (2) ELSE n := dlog se + 1 (3) := 1 (4) t := s=2 n (5) FOR i = 1; 2; : : : ; n (6) := DOUBLE(A; ; t) (7) t := 2t; (8)

15 ALGORITHMS FOR QUADRATIC ORDERS 15 Proposition 6.4. CLOSE is correct and has running time O (1). Proof. The assertion follows from the fact that DOUBLE has polynomial running time and that we have initially t < 1=2. Next we present the procedure DOUBLE. DOUBLE uses the procedure NEAREST, which on input of an ideal B and a rational number u nds in polynomial time a minimum in B very close to u, i.e., for every minimum of B we have ju? log j > ju? log j? 1=4: Algorithm 6.5. (DOUBLE) Input: Output: 2 D, > 0, a reduced ideal A of O, t 2 Q >0, a minimum ( 1 ; : : : ; k?1 ) of A. A minimum ( 1 ; : : : ; k?1 ; k ) of A close to 2t with H( k ) 4 5=4. B := (1= 2 )A (1) u := 2(t? APPROX(; ; 3)) (2) k := NEAREST(; B; u) (3) Proposition 6.6. DOUBLE is correct and has running time O (1). Proof. NEAREST determines a minimum k in B. Hence, 0 = ( 1 ; : : : ; k?1 ; k ) = k 2 is a minimum in A. Let be a minimum in A. Then = = 2 is a minimum in B. It follows that j2t? log j ju? log j? j2 APPROX(; ; 3)? 2 log j Thus, 0 is close to 2t. ju? log j? 1=4 ju? log k j? 1=2 j2t? log 0 j? 3=4: Next we estimate the parameter u that is input for NEAREST. Since initially the minimum is close to t, it follows that (9) juj = 2jt? APPROX(; ; 3)j < (log )=2 + 7=4: It is easy to verify that (1= 2 )A can be determined in polynomial time. Since B is the square of a reduced ideal, it follows that the running time of NEAREST is polynomial in log. Also, it follows from (9) and (8) that H( k ) 8 5=4 : Finally, we present NEAREST.

16 16 INGRID BIEHL AND JOHANNES BUCHMANN Algorithm 6.7. (NEAREST) Input: 2 D, > 0, an ideal B of O, u 2 Q >0. Output: A minimum 2 B very close to u. (C; ) := REDUCE(; B); c := APPROX(; ; 2) (1) IF c u (2) THEN REPEAT (3) := (4) := R MIN(R MIN(; B; )) (5) c := APPROX(; ; 2) (6) UNTIL c > u (7) ELSE REPEAT (8) := L MIN(L MIN(; B; )) (9) c := APPROX(; ; 2) (10) := (11) UNTIL c < u (12) 0 := L MIN(; B; ) (13) 1 := (14) 2 := R MIN(; B; ) (15) 3 := R MIN(; B; 2 ) (16) 4 := R MIN(; B; 3 ) (17) For choose that element from f 0 ; 1 ; 2 ; 3 ; 4 g such that ju? APPROX(; ; 2)j is minimal (18) Proposition 6.8. NEAREST is correct and has running time O (1). Proof. We show that NEAREST works correctly by proving that the optimal minimum of B, i.e., the minimum 0 with ju? log j ju? log 0 j for every minimum of B, belongs to the set f i : 0 i 4g from which the output is chosen. NEAREST starts by computing the reducing number for B. Let 0 =, and let ( i ) i2 Z be the sequence of minima as in x 6.7. In the sequence S = (: : : ;?4 ;?2 ; 0 ; 2 ; 4 ; : : :) NEAREST determines the last minimum = k such that APPROX(; ; 2) u. That minimum is found in the two REPEAT loops since by (3), APPROX(; i+2 ; 2)? APPROX(; i ; 2) 1=2. If log k > u, then for i 1 the minimum k+i cannot be optimal. Also, since

17 ALGORITHMS FOR QUADRATIC ORDERS 17 log k < u + 1=4, it follows from (3) that for i 2 the minimum log k?i cannot be optimal. If log k < u, then for i 1 the minimum k?i cannot be optimal. Also, since log k+2 > u? 1=4, it follows from (3) that for i 4 the minimum log k+i cannot be optimal. Next, we must show that the running time of NEAREST is polynomial. In NEAREST we have initially N(B) H() q(b). It follows from this inequality and from (4) for all minima computed in the algorithm that minflog(n(b)); u? log? 1=4g log maxf0; u + log + 1=4g for every minimum computed in the algorithm. This shows that the sizes of the input to the procedures used in NEAREST are O (1) Computing binary representations for minima. The procedure CLOSE is used in BINARY, which determines a binary representation for any minimum of a reduced ideal A of O. Algorithm 6.9. (BINARY) Input: 2 D, > 0, a reduced ideal A of O, for some minimum of A the ideal B = (1=)A and an approximation a of log of precision 3. Output: A binary representation of in A. 1 := CLOSE(; A; a) (1) 0 := L MIN(; B; 1 ); 2 := R MIN(; B; 1 ) (2) For choose the element in f 0 ; 1 ; 2 g such that japprox(; ; 3)? aj 1=2 and (1=)B = A BINARY is based on the following statement. Proposition Let be a minimum in the reduced ideal A. Let a be an approximation to log of precision 3. Let 1 be a minimum of A which is close to a, 0 the left neighbor of 1, 2 the right neighbor of 1, M = f 0 ; 1 ; 2 g. Then 2 M, and if 0 2 M, a 0 an approximation of precision 3 to log 0, then 0 = if and only if ja 0? aj < 1=4 and (1= 0 )B = (1=)B. Proof. Since a is an approximation of precision 3 to log, we have ja? logj < 1=8. Since 1 is close to a, it follows from (6) that ja? log 1 j < 3=4 + 1=8, and thus j log? log 1 j < 1. By (3) we have j log? log 1 j > 1 for every minimum in the sequence of right neighbors of a 2 and also for every minimum in the sequence of left neighbors of 0. Hence, belongs to the set M. Let 0 2 M and a 0 an approximation of precision 3 to log 0. If = 0, then we obviously have ja 0? aj < 1=4 and (1= 0 )A = (1=)A. On the other hand, (3)

18 18 INGRID BIEHL AND JOHANNES BUCHMANN assume that 6= 0. If k(a) exceeds 1, then the ideals (1= 0 )A 6= (1= 1 )A and (1= 2 )A 6= (1= 1 )A. Also, log 2? log 0 > 1, so (1= 0 )A 6= (1=)A or ja? a 0 j > 1=4. If k(a) = 1, then by (5), j log 0? log j > 1=2 and so ja 0? aj > 1=4. As an immediate consequence of Proposition 6.4 we obtain the following running time estimate. Proposition BINARY is correct and has running time O (1) Solving the bounded equivalence problem. Let > 0. The algorithm BOUNDED EQUIVALENCE is based on the following statement. Proposition Let 2 D, > 0. Let A; B be reduced ideals, u 2 ZZ >0, q = maxf0; d(log?((log )=4+1))= p u?1eg. Let be a minimum in A which is close to some s with q p u s < q p u + 1=4. For q = 0 let = 1. If there is a generator of A relative to B with 0 < log < u, then for = = the inverse 1= is a minimum in B and 0 < log < p u + (log )= Also, q < p u. Proof. Let be a generator of A relative to B with log < u: Let q be as above. Suppose that q = 0. Then = and log = log p u + (log )= Now assume that q > 0. Then and therefore (q? 1) p u < log? ((log )=4 + 1)? p u q p u (10) (log )=4 + 1 < log? q p u p u + (log )=4 + 1: Since log < u, this implies that q < p u. By (7) we have (11) j log? q p uj < (log )=4 + 1: Since = =, the inverse 1= is a minimum in B, and it follows from (10) and (11) that 0 < log < p u + (log )= BOUNDED EQUIVALENCE rst determines all the numbers such that 1= is a minimum in B and log is below p u plus some error, which is of technical relevance. Next, the algorithm constructs minima in A close to q p u for q = 1; 2; : : : until is a generator of A relative to B. All the minima are stored in binary representation. To multiply two minima, one can determine the sum of approximations of precision 4 to the log of the factors and then use BINARY to construct the product. In the algorithm, we use the procedure APP, which determines approximations to values of elementary functions. Algorithm (BOUNDED EQUIVALENCE) Input: 2 D, > 0, reduced ideals A; B of O, u 2 IN.

19 ALGORITHMS FOR QUADRATIC ORDERS 19 Output: The minimal generator of A relative to B, if it exists, and log < u. := 1; S := ;; := 0; C := B; d = APP((log )=2; 2) (1) REPEAT (2) := (L MIN(; C; 1)) (3) c := APPROX(; ; 2) (4) C := L IDEAL(; C) (5) S := S [ f(c; )g (6) UNTIL (c? d? 5=2) 2 u or C = A (7) Sort S according to rst components (8) q := 0 (9) REPEAT (10) s = APP(q p u + 1=8; 3) (11) := CLOSE(; A; s) (12) C := (1=)A (13) IF (C; ) 2 S for some (14) THEN := (15) ELSE q := q + 1; (16) UNTIL q 2 u or 6= 0 (17) Proposition and space O ( p u). BOUNDED EQUIVALENCE is correct and requires time Proof. Clearly, the algorithm terminates, and if the output is 6= 0, then is a generator of A relative to B. Suppose that there is a generator of A relative to B and that log < u. Let q be as in Proposition Then q < p u. Let be the minimum found in the second REPEAT loop, = =. Then by Proposition 6.12 we have 0 < log < p u + (log )=2 + 2 and therefore, (c? d? 5=2) 2 < u for any approximation of precision 2 to log. This implies that S contains the pair (B; ) and thus, the algorithm nds a generator of A relative to B. Next we show that this generator is the minimal one. Let 0 = 0 be the generator found in the algorithm. Let c 0 be the approximation of log 0 computed in the rst REPEAT loop. Assume that 6= 0. Since (1=)A = (1= 0 )A = B, it follows from the results of x 6.7 that log 0?log > 1=2 and thus, log 0?log > 1=2. This implies that c < c 0 for every approximation c of precision 2 to log.

20 20 INGRID BIEHL AND JOHANNES BUCHMANN Hence, S must contain the pairs (B; ) and ( 0 B; 0 ), and this is impossible since the rst components of all pairs in S are pairwise distinct. Finally, we prove the running time estimate. The number of elements in S is O ( p u), so the time and space spent in that loop is O (1). Since for the IF decision we can use binary search, the time and space required for the second REPEAT loop is also O ( p u) Principal ideal testing. Let B be a principal ideal of O. Let be the reducing number for B and let be the minimal generator of A = (1=)B relative to O. Then is a generator of B and it is called the minimal generator of B. It is represented as the pair (; ). That representation is of binary length O (1). Algorithm (PRINCIPAL) Input: 2 D, B 2 I. Output: If B is principal, then the minimal generator (; ) of B, else (0; ) with some. (A; ) := REDUCE(B); := 0 (1) IF < 0 (2) THEN IF A = O (3) THEN := 1 (4) ELSE := 0 (5) ELSE u := 1; " := 0 (6) Proposition REPEAT (7) " := BOUNDED EQUIVALENCE(; A; A; u) (8) := BOUNDED EQUIVALENCE(; A; B; u) (9) u := 2u (10) UNTIL 6= 0 or " 6= 0 (11) IF " 6= 0 and = 0 (12) THEN R = APPROX(; log"; 4) (13) := BOUNDED EQUIVALENCE(; A; B; R) (14) For < 0, PRINCIPAL has polynomial running time. Let > 0. If B is a principal ideal, then PRINCIPAL nds its minimal generator (; ) using time and space O ((log jj) 1=2 ). Otherwise, PRINCIPAL decides in time and space O (R 1=2 ) that B is not principal.

21 ALGORITHMS FOR QUADRATIC ORDERS 21 Proof. If u is such that R < u and A is principal, then log < u for the minimal generator of A. This proves the correctness. The assertions concerning time and space follow from x 6.5 and Proposition Computing the fundamental unit. Let > 0; then the fundamental unit " of O can be computed via ("; 1) := PRINCIPAL(; O ). Proposition For > 0 the fundamental unit of O can be determined in time and space O (R 1=2 ) Solving norm equations. Another application of PRINCIPAL is the solution of norm equations. We consider only the case of prime norms. By means of combinatorial techniques, the method can be extended to arbitrary norms. Algorithm (NORM EQUATION) Input: 2 D, and a prime number p. Output: A number in O of norm p, if it exists, and = 0 otherwise. IF p = 1 (1) THEN := PRINCIPAL(; PRIME IDEAL(; p)) (2) ELSE := 0 (3) Proposition NORM EQUATION is correct. If there is a number of norm p in O, then NORM EQUATION requires time and space O (p 1=2 + (log jj) 1=2 ), where is the minimal such number with jj > 1. Otherwise, the algorithm requires time and space O (p 1=2 + R 1=2 ) Solving the containment problem. Let T be a set of reduced ideals of O, and let A be a reduced ideal of O. We wish to nd out whether A is equivalent to some B 2 T. If so, we wish to nd the minimal generator of A relative to B. For < 0 that problem was already solved in x 6.5. So assume that > 0. Since we might want to solve the containment problem for a xed set T, but for many dierent reduced ideals A, we proceed in two steps. In a precomputation we determine the regulator of O and we compute an expansion of T. As it was necessary in BOUNDED EQUIVALENCE to determine the set S of pairs (C; ), it is now necessary to determine a similar set for each element of T. The union of all these sets is the expansion S of T. Algorithm (BABY STEPS) Input: 2 D, a set T of reduced ideals. Output: The expansion S of T, u = d p R e.

22 22 INGRID BIEHL AND JOHANNES BUCHMANN S := f(c; 0) : C 2 T g (1) IF > 0 (2) THEN " := PRINCIPAL(; O ); u := d(log ") 1=2 e (3) FOR all C 2 T (4) := 1 (5) REPEAT (6) := (L MIN(; C; 1)) (7) C := L IDEAL(; C) (8) c := APPROX(; ; 4) (9) S := S [ f(c; c)g (10) UNTIL c u + (log )=2 + 1 or C = A (11) Algorithm (CONTAINMENT) Input: Output: 2 D, The expansion S of set T of reduced ideals of O, a reduced ideal A of O. If A is equivalent to some B 2 T, then (B; ), where is the minimal generator of A relative to B, else (A; 0). B := A; := 0 (1) IF < 0 (2) THEN IF (A; 0) 2 S (3) THEN := 1 (4) ELSE IF ((A); 0) 2 S (5) THEN B := (A); := (A) (6) ELSE q := 0 (7) REPEAT (8) := CLOSE(; A; qu) (9) C := (1=)A (10) IF (C; c) 2 S for some c (11) THEN b := APPROX(; ; 4) (12) := BINARY(; A; B; b + c) (13) ELSE q := q + 1; (14) UNTIL q = u or 6= 0 (15)

23 ALGORITHMS FOR QUADRATIC ORDERS 23 Proposition BABY STEPS is correct. For < 0 it requires time and space O (]T ). For > 0 it requires time and space O (]T (R ) 1=2 ). Proof. Each individual operation in BABY STEPS can be carried out in polynomial time. For < 0 the number of operations is O (]T ). For > 0 it follows from (3) that the number of operations is O (]T (R ) 1=2 ). Proposition CONTAINMENT is correct. For < 0 it requires polynomial time. For > 0 it requires time and space O ((R ) 1=2 ). 7. Orders and discrete logarithms in the class group Proposition 7.1. Any discrete logarithm problem in Cl can be solved in time and space O (jj 1=4 ). Proof. Let < 0. From [14], pp , there follows h = O (jj 1=2 ). Multiplication, inversion in the class group can be performed in polynomial time. By Proposition 6.2, containment tests in the class group for a set with O ((h ) 1=2 ) elements requires a precomputation which uses time and space O (jj 1=4 ). Each individual containment test can then be eected in polynomial time. Hence, the result follows from x 3.6. Let > 0. We have h R = O ( 1=2 ). Again, multiplication and inversion in the class group can be carried out in polynomial time. By Proposition 6.2, containment tests in the class group for a set with O ((h ) 1=2 ) elements requires a precomputation which uses time and space O ((h R ) 1=2 ) = O (jj 1=4 ). Each individual containment test can then be eected using time and space O (R 1=2 ). Hence, the result follows from x Computing the class group We now sketch an algorithm CLASS GROUP, which nds the class group in time O (jj 1=2 ). CLASS GROUP is based on an idea of H.W. Lenstra, Jr. [13]. The idea is the following. By a theorem of Minkowski, each ideal class of O contains an ideal of norm c p jj, where c = 1=2 for > 0 and c = 2= for < 0. Therefore, the ideals of prime norm p c p jj generate the class group. The best known upper bound for the time for determining that generating system is O (jj 3=4 ). Hence, we do not determine that system but we only write down the list P of all prime numbers p c p jj such that there is an ideal of O of norm p. We delete its rst element p and determine the ideal A p of norm p. Then we compute all the elements in the subgroup H generated by [A p ], and all the ideals of prime norm in P which, when input to REDUCE, yield a reduced ideal in a class of H. These prime ideals cannot contribute anything new to the class group. These norms are deleted from P. Then we pick the rst prime

24 24 INGRID BIEHL AND JOHANNES BUCHMANN number q in P that has survived. We compute the elements in H = h[a p ]; [A q ]i and again we eliminate in P all norms of ideals which, when reduced, belong to a class of H. Iterating that process, we nd the whole class group. Each time we determine a new prime ideal, the number of elements of H grows by a factor 2. Hence the total number of prime ideals that we must compute is only O (1). CLASS GROUP uses PRIME NORMS. On input of a reduced ideal A, the PRIME NORMS yields the set of all prime numbers p such that A = REDUCE(A p ). It is based on the following statement. p Proposition 8.1. Let p be a prime number with p < c jdj. If > 0, then A p is reduced. p If < 0, then A p is reduced, or A = (A p ) is reduced and b(a p ) = 4a(A)p +. CLASS GROUP is a modication of BASIS. The details are left to the reader. Proposition 8.2. A generating system G for Cl with O (1) p elements and its relation lattice L(G) can be determined in time and space O ( jj). References 1. J. Buchmann, Zur Komplexitat der Berechnung von Einheiten und Klassenzahlen algebraischer Zahlkorper, Habilitationsschrift, Dusseldorf, J. Buchmann, C. Thiel, H. C. Williams, Short representation of quadratic integers, to appear in Proceedings of CANT J. Buchmann, S. Paulus, Algorithms for nite abelian groups, in preparation. 4. J. Buchmann, H. C. Williams, On the existence of a short proof for the value of the class number and regulator of a real quadratic eld, Number Theory and Applications, in: A. Molin, NATO ASI Series, Kluwer Academic Press, 1989, pp G. W. Fung, H. C. Williams, Compact representation of the fundamental unit in a complex cubic eld, unpublished manuscript, J. L. Hafner, K. S. McCurley, Asymptotically fast triangularization of matrices over rings, SIAM J. Comput. 20 (1991), pp J. C. Lagarias, Succinct certicates for the solvability of binary quadratic polynomials, Proc. 20th IEEE Conference on Foundations of Computer Science, 1979, pp J. C. Lagarias, Worst-case complexity bounds in the theory of integral quadratic forms, J. Algorithms 1 (1980), pp J. C. Lagarias, Succinct certicates for the solvability of binary quadratic Diophantine equations, in preparation. 10. A.K. Lenstra, H.W. Lenstra, Jr., Algorithms in number theory, in J. van Leeuwen, Handbook of theoretical computer science, Elsevier Science Publishers B.V., 1990, pp. 673{ H. W. Lenstra, Jr., On the computation of regulators and class numbers of quadratic elds, Lond. Math. Soc. Lect. Note Ser. 56 (1982), pp H. W. Lenstra, Jr., Algorithms in algebraic number theory, Bull. Amer. Math. Soc. (N.S) 26 (1992), pp H. W. Lenstra, Jr., Private communication W. Narkiewiecz, Elementary and analytic theory of algebraic numbers, Polish Scientic Publishers, Warszawa, R.J. Schoof, Quadratic elds and factorization, in: H.W. Lenstra. Jr., R. Tijdeman, Computational methods in number theory, 1982, vol. 2, pp. 235{ D. Shanks, Class Number, A Theory of Factorization and Genera, Proc. Sympos. Pure Math. 20, American Mathematical Society, 1970, pp. 415{440.

25 ALGORITHMS FOR QUADRATIC ORDERS D. Shanks, The infrastructure of a real quadratic eld and its applications, Proc Number Theory Conference, Boulder, 1972, pp V. Shoup, On the deterministic complexity of factoring polynomials over nite elds, Inform. Process. Lett., 1990, no. 33, pp. 261{ C. Thiel, Short proofs using compact representations of algebraic integers, to appear, Fachbereich Informatik, Universitat des Saarlandes, Saarbrucken, Germany address: ingi@cs.uni-sb.de Fachbereich Informatik, Universitat des Saarlandes, Saarbrucken, Germany address: buchmann@cs.uni-sb.de