Download cvp for the stickelberger ideal

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
page
41
page
42
page
43
page
44
page
45
page
46
page
47
page
48
page
49
page
50
page
51
page
52
page
53
page
54
page
55
page
56
page
57
Document related concepts

Quantum group wikipedia , lookup

Bra–ket notation wikipedia , lookup

Transcript 
picture: Adriaan Goossens
1 Leiden
2 CWI,
University, The Netherlands
Amsterdam, The Netherlands
3 EPFL,
Ronald Cramer1,2
Lausanne, Switzerland
Léo Ducas2 Benjamin Wesolowski3
SHORT STICKELBERGER CLASS RELATIONS
AND APPLICATION TO IDEAL-SVP
At Eurocrypt 2017, Paris
LATTICE-BASED CRYPTOGRAPHY
▸ Lattice problems provide a strong foundation for postquantum cryptography.
LATTICE-BASED CRYPTOGRAPHY
▸ Lattice problems provide a strong foundation for postquantum cryptography.
▸ How hard is it to find a short vector in a generic lattice?
LATTICE-BASED CRYPTOGRAPHY
▸ Lattice problems provide a strong foundation for postquantum cryptography.
▸ How hard is it to find a short vector in a generic lattice?
Approx-SVP for
generic lattices
Z
poly(n)
poly(n)
BK
~
exp(Θ(n1/2))
Time
cryptography
~
exp(Θ(n))
LLL Approximation factor
~
exp(Θ(n1/2))
~
exp(Θ(n))
LATTICES OVER RINGS
▸ Generic lattices are cumbersome! Key-size = Õ(n2).
LATTICES OVER RINGS
▸ Generic lattices are cumbersome! Key-size = Õ(n2).
▸ A solution: using ideal lattices, typically in a cyclotomic
ring R = ℤ[ωm] (ωm a primitive m-th root of unity).
Dimension n = φ(m), key-size = Õ(n).
LATTICES OVER RINGS
▸ Generic lattices are cumbersome! Key-size = Õ(n2).
▸ A solution: using ideal lattices, typically in a cyclotomic
ring R = ℤ[ωm] (ωm a primitive m-th root of unity).
Dimension n = φ(m), key-size = Õ(n).
▸ What is an ideal lattice in ℤ[ωm]? Minkowski’s
embedding
ℚ(ωm) → ℝn
gives ℚ(ωm) the structure of a Hermitian vector space.
An ideal of ℤ[ωm] is also a lattice in that vector space.
IS IDEAL-SVP AS HARD AS GENERAL SVP?
▸ Ideal lattices have much more structure than generic ones.
IS IDEAL-SVP AS HARD AS GENERAL SVP?
▸ Ideal lattices have much more structure than generic ones.
▸ Can we do better than LLL and BKZ?
IS IDEAL-SVP AS HARD AS GENERAL SVP?
▸ Ideal lattices have much more structure than generic ones.
▸ Can we do better than LLL and BKZ?
✓ For principal ideals, [Campbell et al., 2014] says yes:
1
2
Given a principal ideal 𝖍, recover a generator h.
Solvable in quantum poly-time [Biasse and Song 2016].
Given a generator h, find a short generator g.
Solvable in classical poly-time [Cramer et al. 2016] for
m = pk, R = ℤ[ωm], approx. factor exp(Õ(n1/2)).
ARE IDEAL-SVP AND RING-LWE BROKEN?
Some obstacles remain:
▸ Restricted to principal ideals.
▸ The approximation factor is still too large.
▸ Ring-LWE ≥ Ideal-SVP, but equivalence is not known.
ARE IDEAL-SVP AND RING-LWE BROKEN?
Some obstacles remain:
▸ Restricted to principal ideals.
▸ The approximation factor is still too large.
▸ Ring-LWE ≥ Ideal-SVP, but equivalence is not known.
In t h is wo r k , we re mo ve
t h is re s t r ic t io n by s o lv in
g the
C lo s e Pr in c ip a l Mu lt ip le
p ro ble m (CPM )
OUR RESULT
▸ This work: Ideal-SVP solvable in quantum poly-time, for
R = ℤ[ωm], approx. factor exp(Õ(n1/2))
▸ Hardness gap between SVP and Ideal-SVP
Z
poly(n)
poly(n)
Ideal-SVP in
cyclotomic rings
BK
~
exp(Θ(n1/2))
Time (quantum)
cryptography
~
exp(Θ(n))
This work
~
exp(Θ(n1/2))
~
exp(Θ(n))
Approximation factor
APPROACH
Given an ideal 𝔞, we find a short vector as follows:
1
Find an ideal 𝔟 such that N𝔟 = exp(Õ(n3/2)) and 𝔞𝔟 is
principal. The Close Principal Multiple problem (CPM).
2
Solve Principal-Ideal-SVP for 𝔞𝔟, output a generator g of
𝔞𝔟 of length L = N(𝔞𝔟)1/n ∙ exp(Õ(n1/2))
APPROACH
Given an ideal 𝔞, we find a short vector as follows:
1
Find an ideal 𝔟 such that N𝔟 = exp(Õ(n3/2)) and 𝔞𝔟 is
principal. The Close Principal Multiple problem (CPM).
2
Solve Principal-Ideal-SVP for 𝔞𝔟, output a generator g of
𝔞𝔟 of length L = N(𝔞𝔟)1/n ∙ exp(Õ(n1/2))
‣ g ∈ 𝔞𝔟 ⊂ 𝔞 because 𝔟 is integral.
APPROACH
Given an ideal 𝔞, we find a short vector as follows:
1
Find an ideal 𝔟 such that N𝔟 = exp(Õ(n3/2)) and 𝔞𝔟 is
principal. The Close Principal Multiple problem (CPM).
2
Solve Principal-Ideal-SVP for 𝔞𝔟, output a generator g of
𝔞𝔟 of length L = N(𝔞𝔟)1/n ∙ exp(Õ(n1/2))
‣ g ∈ 𝔞𝔟 ⊂ 𝔞 because 𝔟 is integral.
‣ Approx. factor ≈ L/(N𝔞)1/n = (N𝔟)1/n ∙ exp(Õ(n1/2)) = exp(Õ(n1/2)).
APPROACH
Given an ideal 𝔞, we find a short vector as follows:
1
Find an ideal 𝔟 such that N𝔟 = exp(Õ(n3/2)) and 𝔞𝔟 is
principal. The Close Principal Multiple problem (CPM).
2
Solve Principal-Ideal-SVP for 𝔞𝔟, output a generator g of
𝔞𝔟 of length L = N(𝔞𝔟)1/n ∙ exp(Õ(n1/2))
[C am pb e ll e t a l., 2014],
[Bia s s e a n d S o ng 2016]
,
[C rame r e t a l. 2016]
APPROACH
Given an ideal 𝔞, we find a short vector as follows:
1
Find an ideal 𝔟 such that N𝔟 = exp(Õ(n3/2)) and 𝔞𝔟 is
principal. The Close Principal Multiple problem (CPM).
2
Solve Principal-Ideal-SVP for 𝔞𝔟, output a generator g of
𝔞𝔟 of length L = N(𝔞𝔟)1/n ∙ exp(Õ(n1/2))
Ne w ! Th e f o c us o f
[C am pb e ll e t a l., 2014],
[Bia s s e a n d S o ng 2016]
t h is t a lk
,
[C rame r e t a l. 2016]
THE CLOSE PRINCIPAL MULTIPLE PROBLEM
Let K = ℚ(ωm), and 𝓞 = ℤ[ωm] its ring of integers.
Given an ideal 𝔞, find an ideal 𝔟 such that N𝔟 = exp(Õ(n3/2))
and 𝔞𝔟 is principal. How hard can this be?
THE CLOSE PRINCIPAL MULTIPLE PROBLEM
Let K = ℚ(ωm), and 𝓞 = ℤ[ωm] its ring of integers.
Given an ideal 𝔞, find an ideal 𝔟 such that N𝔟 = exp(Õ(n3/2))
and 𝔞𝔟 is principal. How hard can this be?
Depends on the class group: Cl(𝓞) = 𝓘(𝓞)/P(𝓞), where
𝓘(𝓞) is the group of (fractional) ideals of 𝓞, and P(𝓞) the
subgroup of principal ideals.
THE CLOSE PRINCIPAL MULTIPLE PROBLEM
Let K = ℚ(ωm), and 𝓞 = ℤ[ωm] its ring of integers.
Given an ideal 𝔞, find an ideal 𝔟 such that N𝔟 = exp(Õ(n3/2))
and 𝔞𝔟 is principal. How hard can this be?
Depends on the class group: Cl(𝓞) = 𝓘(𝓞)/P(𝓞), where
𝓘(𝓞) is the group of (fractional) ideals of 𝓞, and P(𝓞) the
subgroup of principal ideals.
▸ Suppose Cl(𝓞) is small, say #Cl(𝓞) = poly(n). Pick random
ideals 𝔟 of small norm until [𝔞𝔟] = [𝓞]… we can hope to
easily find a solution.
THE CLOSE PRINCIPAL MULTIPLE PROBLEM
Let K = ℚ(ωm), and 𝓞 = ℤ[ωm] its ring of integers.
Given an ideal 𝔞, find an ideal 𝔟 such that N𝔟 = exp(Õ(n3/2))
and 𝔞𝔟 is principal. How hard can this be?
Depends on the class group: Cl(𝓞) = 𝓘(𝓞)/P(𝓞), where
𝓘(𝓞) is the group of (fractional) ideals of 𝓞, and P(𝓞) the
subgroup of principal ideals.
▸ Suppose Cl(𝓞) is small, say #Cl(𝓞) = poly(n). Pick random
ideals 𝔟 of small norm until [𝔞𝔟] = [𝓞]… we can hope to
easily find a solution.
~
▸ Problem: #Cl(𝓞) = exp(Θ(n log m)): need a better solution.
THE CLOSE PRINCIPAL MULTIPLE PROBLEM: FIRST STEP
Let 𝔅 be a set of ideals of small norm generating Cl(𝓞).
QUANTUM CLASS GROUP DISCRETE LOGARITHM [BIASSE AND SONG 2016].
Given an ideal 𝔞, one can find in quantum polynomial
time a vector e ∈ ℤ𝔅 such that
[𝔞] = ∏ [𝔭e𝔭].
𝔭∈𝔅
THE CLOSE PRINCIPAL MULTIPLE PROBLEM: FIRST STEP
Let 𝔅 be a set of ideals of small norm generating Cl(𝓞).
QUANTUM CLASS GROUP DISCRETE LOGARITHM [BIASSE AND SONG 2016].
Given an ideal 𝔞, one can find in quantum polynomial
time a vector e ∈ ℤ𝔅 such that
[𝔞] = ∏ [𝔭e𝔭].
𝔭∈𝔅
‣ With 𝔟 = ∏ 𝔭-e𝔭, the product 𝔞𝔟 is principal.
𝔭∈𝔅
THE CLOSE PRINCIPAL MULTIPLE PROBLEM: FIRST STEP
Let 𝔅 be a set of ideals of small norm generating Cl(𝓞).
QUANTUM CLASS GROUP DISCRETE LOGARITHM [BIASSE AND SONG 2016].
Given an ideal 𝔞, one can find in quantum polynomial
time a vector e ∈ ℤ𝔅 such that
[𝔞] = ∏ [𝔭e𝔭].
𝔭∈𝔅
‣ With 𝔟 = ∏ 𝔭-e𝔭, the product 𝔞𝔟 is principal.
𝔭∈𝔅
‣ But N𝔟 ≈ exp(||e||1) may be huge! We want ||e||1 = Õ(n3/2).
THE CLOSE PRINCIPAL MULTIPLE PROBLEM: FIRST STEP
Let 𝔅 be a set of ideals of small norm generating Cl(𝓞).
QUANTUM CLASS GROUP DISCRETE LOGARITHM [BIASSE AND SONG 2016].
Given an ideal 𝔞, one can find in quantum polynomial
time a vector e ∈ ℤ𝔅 such that
[𝔞] = ∏ [𝔭e𝔭].
𝔭∈𝔅
‣ With 𝔟 = ∏ 𝔭-e𝔭, the product 𝔞𝔟 is principal.
𝔭∈𝔅
‣ But N𝔟 ≈ exp(||e||1) may be huge! We want ||e||1 = Õ(n3/2).
‣ 𝔟 might not be integral.
THE CLOSE PRINCIPAL MULTIPLE PROBLEM: FIRST STEP
× be the Galois group of ℚ(ω ).
Let
G
≅
(ℤ/mℤ)
▸
m
THE CLOSE PRINCIPAL MULTIPLE PROBLEM: FIRST STEP
× be the Galois group of ℚ(ω ).
Let
G
≅
(ℤ/mℤ)
▸
m
σ | σ ∈ G} generates the class group.
Assume
𝔅
=
{𝔭
▸
THE CLOSE PRINCIPAL MULTIPLE PROBLEM: FIRST STEP
× be the Galois group of ℚ(ω ).
Let
G
≅
(ℤ/mℤ)
▸
m
σ | σ ∈ G} generates the class group.
Assume
𝔅
=
{𝔭
▸
▸ The formal sums of the form r = ∑ σeσ, with eσ ∈ ℤ form a
σ∈G
ring called the group ring ℤ[G].
THE CLOSE PRINCIPAL MULTIPLE PROBLEM: FIRST STEP
× be the Galois group of ℚ(ω ).
Let
G
≅
(ℤ/mℤ)
▸
m
σ | σ ∈ G} generates the class group.
Assume
𝔅
=
{𝔭
▸
▸ The formal sums of the form r = ∑ σeσ, with eσ ∈ ℤ form a
σ∈G
ring called the group ring ℤ[G].
▸ We solve the DLP for [𝔞] with respect to the factor basis 𝔅:
[𝔞] = ∏[𝔭σ]eσ = [𝔭]r,
σ∈G
where r = ∑ σeσ ∈ ℤ[G].
THE CLOSE PRINCIPAL MULTIPLE PROBLEM: FIRST STEP
× be the Galois group of ℚ(ω ).
Let
G
≅
(ℤ/mℤ)
▸
m
σ | σ ∈ G} generates the class group.
Assume
𝔅
=
{𝔭
▸
▸ The formal sums of the form r = ∑ σeσ, with eσ ∈ ℤ form a
σ∈G
ring called the group ring ℤ[G].
▸ We solve the DLP for [𝔞] with respect to the factor basis 𝔅:
[𝔞] = ∏[𝔭σ]eσ = [𝔭]r,
σ∈G
where r = ∑ σeσ ∈ ℤ[G].
Is omo r ph ic t o ℤn, e le me n t s
c a n b e s e e n a s ve c t o rs . Th e y
h ave n o r ms ||·||1, ||·||2, e tc…
THE CLOSE PRINCIPAL MULTIPLE PROBLEM: SECOND STEP
r, where r ∈ ℤ[G].
Suppose
[𝔞]
=[𝔭]
▸
THE CLOSE PRINCIPAL MULTIPLE PROBLEM: SECOND STEP
r, where r ∈ ℤ[G].
Suppose
[𝔞]
=[𝔭]
▸
▸ Let 𝝠 be a lattice in ℤ[G] such that: s ∈ 𝝠
𝔭s is principal.
THE CLOSE PRINCIPAL MULTIPLE PROBLEM: SECOND STEP
r, where r ∈ ℤ[G].
Suppose
[𝔞]
=[𝔭]
▸
▸ Let 𝝠 be a lattice in ℤ[G] such that: s ∈ 𝝠
𝔭s is principal.
s - r is small.
If
s
∈
𝝠
is
close
to
r,
then
s
r
is
small,
and
𝔭
▸
THE CLOSE PRINCIPAL MULTIPLE PROBLEM: SECOND STEP
r, where r ∈ ℤ[G].
Suppose
[𝔞]
=[𝔭]
▸
▸ Let 𝝠 be a lattice in ℤ[G] such that: s ∈ 𝝠
𝔭s is principal.
s - r is small.
If
s
∈
𝝠
is
close
to
r,
then
s
r
is
small,
and
𝔭
▸
s - r. It is small, and 𝔞𝔟 is principal.
Choose
𝔟
=
𝔭
✓
THE CLOSE PRINCIPAL MULTIPLE PROBLEM: SECOND STEP
r, where r ∈ ℤ[G].
Suppose
[𝔞]
=[𝔭]
▸
▸ Let 𝝠 be a lattice in ℤ[G] such that: s ∈ 𝝠
𝔭s is principal.
s - r is small.
If
s
∈
𝝠
is
close
to
r,
then
s
r
is
small,
and
𝔭
▸
s - r. It is small, and 𝔞𝔟 is principal.
Choose
𝔟
=
𝔭
✓
REPHRASED CPM: CLOSE VECTOR PROBLEM (CVP) IN 𝝠
Given any r ∈ ℤ[G], find a close lattice point s ∈ 𝝠.
THE CLOSE PRINCIPAL MULTIPLE PROBLEM: SECOND STEP
r, where r ∈ ℤ[G].
Suppose
[𝔞]
=[𝔭]
▸
▸ Let 𝝠 be a lattice in ℤ[G] such that: s ∈ 𝝠
𝔭s is principal.
s - r is small.
If
s
∈
𝝠
is
close
to
r,
then
s
r
is
small,
and
𝔭
▸
s - r. It is small, and 𝔞𝔟 is principal.
Choose
𝔟
=
𝔭
✓
REPHRASED CPM: CLOSE VECTOR PROBLEM (CVP) IN 𝝠
Given any r ∈ ℤ[G], find a close lattice point s ∈ 𝝠.
Is th ere such a lat tic e 𝝠? Ca n we so lve CV P in it?
THE STICKELBERGER IDEAL
DEFINITION: THE STICKELBERGER IDEAL
The Stickelberger element θ ∈ ℚ[G] is
θ=
∑
a -1
m σa.
{ }
a ∈ (ℤ/mℤ)×
The Stickelberger ideal is S = ℤ[G] ∩ θℤ[G].
THE STICKELBERGER IDEAL
DEFINITION: THE STICKELBERGER IDEAL
The Stickelberger element θ ∈ ℚ[G] is
θ=
∑
a -1
m σa.
{ }
a ∈ (ℤ/mℤ)×
The Stickelberger ideal is S = ℤ[G] ∩ θℤ[G].
‣ The Stickelberger ideal is an ideal of ℤ[G].
‣ It is also a lattice in ℤ[G] (recall that ℤ[G] ≅ ℤn).
STICKELBERGER’S THEOREM
STICKELBERGER’S THEOREM
For any s ∈ S and any ideal 𝖍 in 𝓞, 𝖍s is principal. In
other words, S annihilates the class group.
STICKELBERGER’S THEOREM
STICKELBERGER’S THEOREM
For any s ∈ S and any ideal 𝖍 in 𝓞, 𝖍s is principal. In
other words, S annihilates the class group.
Again, assume 𝔅 = {𝔭σ | σ ∈ G}.
STICKELBERGER’S THEOREM
STICKELBERGER’S THEOREM
For any s ∈ S and any ideal 𝖍 in 𝓞, 𝖍s is principal. In
other words, S annihilates the class group.
Again, assume 𝔅 = {𝔭σ | σ ∈ G}.
‣ S is a lattice in ℤ[G], and s ∈ S
𝔭s is principal.
STICKELBERGER’S THEOREM
STICKELBERGER’S THEOREM
For any s ∈ S and any ideal 𝖍 in 𝓞, 𝖍s is principal. In
other words, S annihilates the class group.
Again, assume 𝔅 = {𝔭σ | σ ∈ G}.
‣ S is a lattice in ℤ[G], and s ∈ S
𝔭s is principal.
‣ It is the property we wanted for 𝝠! Choose 𝝠 = S.
STICKELBERGER’S THEOREM
STICKELBERGER’S THEOREM
For any s ∈ S and any ideal 𝖍 in 𝓞, 𝖍s is principal. In
other words, S annihilates the class group.
Again, assume 𝔅 = {𝔭σ | σ ∈ G}.
‣ S is a lattice in ℤ[G], and s ∈ S
𝔭s is principal.
‣ It is the property we wanted for 𝝠! Choose 𝝠 = S.
➡ Reduced CPM to CVP in S ⊂ ℤ[G].
SOLVING THE CLOSE PRINCIPAL MULTIPLE PROBLEM
σ | σ ∈ G} for the class group
Find
a
basis
of
the
form
𝔅
=
{𝔭
▸
▸ Solve the discrete logarithm problem for [𝔞] with respect
to the factor basis 𝔅:
[𝔞] = ∏[𝔭σ]eσ = [𝔭]r,
where r = ∑ σeσ ∈ ℤ[G].
▸ Solve the CVP: find a vector s in the Stickelberger ideal S
that is close to r (S is a sublattice of ℤ[G]).
s - r.
Output
𝔞𝔟,
where
𝔟
=
𝔭
▸
CVP FOR THE STICKELBERGER IDEAL
Can we solve the CVP for S?
CVP FOR THE STICKELBERGER IDEAL
Can we solve the CVP for S?
▸ Yes: there is an explicit, computable, short basis for S!
CVP FOR THE STICKELBERGER IDEAL
Can we solve the CVP for S?
▸ Yes: there is an explicit, computable, short basis for S!
A few technicalities:
CVP FOR THE STICKELBERGER IDEAL
Can we solve the CVP for S?
▸ Yes: there is an explicit, computable, short basis for S!
A few technicalities:
▸ S is not full-rank in ℤ[G].
CVP FOR THE STICKELBERGER IDEAL
Can we solve the CVP for S?
▸ Yes: there is an explicit, computable, short basis for S!
A few technicalities:
▸ S is not full-rank in ℤ[G].
▸ Negative exponents give fractional ideals, but 𝔟 has to be
integral.
CVP FOR THE STICKELBERGER IDEAL
Can we solve the CVP for S?
▸ Yes: there is an explicit, computable, short basis for S!
A few technicalities:
▸ S is not full-rank in ℤ[G].
▸ Negative exponents give fractional ideals, but 𝔟 has to be
integral.
✓ Resolved by working with the relative class group Cl-(K)
instead of the class group Cl(K).
CVP FOR THE STICKELBERGER IDEAL
Can we solve the CVP for S?
▸ Yes: there is an explicit, computable, short basis for S!
A few technicalities:
▸ S is not full-rank in ℤ[G].
▸ Negative exponents give fractional ideals, but 𝔟 has to be
integral.
✓ Resolved by working with the relative class group Cl-(K)
instead of the class group Cl(K).
m
le
ob
pr
M
CP
e
th
e
lv
so
to
s
w
lo
al
S
r
fo
s
si
ba
t
or
sh
Th at
3/2)) – we w in !
(n
Õ
p(
ex
w it h approx . fact or
ARE IDEAL-SVP AND RING-LWE BROKEN?
Some obstacles remain:
▸ Restricted to principal ideals.
▸ The approximation factor is still too large.
▸ Ring-LWE ≥ Ideal-SVP, but equivalence is not known.
picture: Adriaan Goossens
1 Leiden
2 CWI,
University, The Netherlands
Amsterdam, The Netherlands
3 EPFL,
Ronald Cramer1,2
Lausanne, Switzerland
Léo Ducas2 Benjamin Wesolowski3
SHORT STICKELBERGER CLASS RELATIONS
AND APPLICATION TO IDEAL-SVP
Thank you!
GENERATING THE CLASS GROUP
‣ So far we assumed 𝔅 = {𝔭σ | σ ∈ G} generates Cl(𝓞).
‣ In general, a single 𝔭 is not sufficient to generate Cl(𝓞).
‣ Method can be adapted to 𝔅 = {𝔭σi | σ ∈ G, i = 1,…, d}, as
long as d = polylog(n).
‣ Numerical evidence shows such 𝔅 exists [Schoof, 1998].
‣ Theorem+Heuristic implies we can find such 𝔅 efficiently.
CVP FOR THE STICKELBERGER IDEAL
A few technicalities:
▸ S is not full-rank in ℤ[G].
Let c be the com ple x con jug ati on.
Assume h+=1: for any 𝖍, the
ideal 𝖍𝖍c is princ ipal
Fo r any 𝖍, th e idea l 𝖍1+c is pr in ci pa l. Th e bigger latt
ic e S + (1+c)ℤ[G]
is fu ll-ra nk an d st ill an ni hi late s th e cl as s grou p! Us
e it in pl ac e of S.
▸ Negative exponents give fractional ideals, but 𝔟 has to be
integral
c.
𝖍
s
a
-1 is in t h e s ame ide a l c la s s
𝖍
l
Fo r a ny 𝖍, t h e ide a
.
s
t
n
e
n
o
p
x
e
e
iv
t
a
g
e
n
ll
a
f
o
Us e c t o ge t r id
WORKING IN THE RELATIVE CLASS GROUP
‣ If h+ = 1, we are done.
‣ In general, h+ is small but not necessarily 1…
‣ Solution: instead of Cl(𝓞), work in Cl-(𝓞):
Cl-(𝓞) = {[𝖍] | 𝖍𝖍c is principal}.
‣ All issues are solved in Cl-(𝓞), “as if” h+ = 1.
‣ If the initial ideal 𝔞 is not in Cl-(𝓞), find a small 𝖈 such that
[𝔞𝖈] ∈ Cl-(𝓞). Easy because
#(Cl(𝓞)/Cl-(𝓞)) = h+ = poly(n).
c
i
t
s
i
r
u
e
h
l
a
c
i
s
Cl as
Related documents
MATH 4512. Differential Equations with Applications. Problems and Solutions
MATH 4512. Differential Equations with Applications. Problems and Solutions
Protein Folding 2 Lattice Model
Protein Folding 2 Lattice Model
3 - NUS Physics
3 - NUS Physics
ST2334: SOME NOTES ON CONTINUOUS RANDOM VARIABLES
ST2334: SOME NOTES ON CONTINUOUS RANDOM VARIABLES
Unless otherwise stated in the examination question, assume: • The
Unless otherwise stated in the examination question, assume: • The
random numbers
random numbers
Why Art Education - Northern Secondary School
Why Art Education - Northern Secondary School
Physics 880K20 (Quantum Computing): Problem Set 1. David Stroud, instructor
Physics 880K20 (Quantum Computing): Problem Set 1. David Stroud, instructor
Linear Circuit Analysis with Reactive Components
Linear Circuit Analysis with Reactive Components
Review for Evolution Test - Phillips Scientific Methods
Review for Evolution Test - Phillips Scientific Methods