Algorithms for Breakthrough STOC 2009 Gentry multiquadratic number - - PowerPoint PPT Presentation



SLIDE 1

Algorithms for multiquadratic number fields

D. J. Bernstein

Jens Bauch, Daniel J. Bernstein, Henry de Valence, Tanja Lange, Christine van Vredendaal. “Short generators without quantum computers: the case of multiquadratics.” Eurocrypt 2017. Paper and software: https://multiquad.cr.yp.to

SLIDE 2

Breakthrough STOC 2009 Gentry cryptosystem “Fully homomorphic encryption using ideal lattices” was broken several years later, under reasonable assumptions.

Assumption 1: User chooses a (“small h+”) cyclotomic field as the underlying number field.

Assumption 2: Attacker has a large quantum computer.

Can other fields be attacked? Are there non-quantum attacks? What about other cryptosystems?

SLIDE 3

Compare to 2013 Lyubashevsky–Peikert–Regev: “All of the algebraic and algorithmic tools (including quantum computation) that we employ … can also be brought to bear against SVP and other problems on ideal lattices. Yet despite considerable effort, no significant progress in attacking these problems has been made. The best known algorithms for ideal lattices perform essentially no better than their generic counterparts, both in theory and in practice.”

SLIDE 4

Secret key in Gentry’s system: short element g of R. R: e.g., ring of integers O_K of a cyclotomic field K. Public key: ideal gR.

Attack stage 1, quantum: SODA 2016 Biasse–Song finds some generator of gR. Builds on Eisenträger–Hallgren–Kitaev–Song algorithm for R∗.

Attack stage 2, cyclotomic: simple reduction algorithm from 2014 Campbell–Groves–Shepherd.

SLIDE 5

Standard algebraic-number-theory view of all generators of gR, i.e., all ug where u ∈ R∗: Log u ranges over Dirichlet’s log-unit lattice; Log ug = Log u + Log g.

Given any generator ug, try to find short Log g by finding lattice vector Log u close to Log ug.

Apply, e.g., embedding or Babai, starting from basis for Log R∗? Hard to find short enough basis, unless g is extremely short.

SLIDE 6

For cyclotomic fields, often u is a “cyclotomic unit”. Known textbook basis for cyclotomic units is a short basis.

Take, e.g., ζ = exp(2πi/1024); field Q(ζ); ring R = Z[ζ]. (ζ^3 − 1)/(ζ − 1) is a unit: directly invert, or apply ζ → ζ^3 automorphism to factors of ζ − 1. (ζ^9 − 1)/(ζ^3 − 1) is a unit. (ζ^27 − 1)/(ζ^9 − 1) is a unit. Et cetera. Obtain short basis.

Now embedding easily finds g.
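Slides 5 and 6 describe the decoding in words: Log ug = Log u + Log g, round Log ug off to the nearest point of the log-unit lattice in the cyclotomic-unit basis, and divide the unit back out. The script below is an added example, not code from the slides or from the multiquad software, that works this through in pure Python for the toy conductor 64 (the slides use 1024). It represents R = Z[ζ] as integer coefficient vectors modulo ζ^32 + 1, builds the cyclotomic units b_j = (ζ^j − 1)/(ζ − 1), inverts them with the ζ → ζ^j automorphism trick from slide 6, computes the Log embedding, and runs Babai round-off against the Log vectors of the b_j. The secret g = 10 + ζ − ζ^3, the masking unit u, and all function names are choices made for this illustration, not values from the slides.

```python
# Added example, not code from the slides or from multiquad.cr.yp.to: the log-unit
# lattice decoding of slides 5-6 at toy scale (conductor M = 64, not the slides' 1024).
import cmath, math

M = 64                         # zeta = exp(2*pi*i/M), a primitive M-th root of unity
N = M // 2                     # degree of Q(zeta); R = Z[zeta] = Z[x]/(x^N + 1)
EMB = range(1, N, 2)           # odd k < N: one embedding zeta -> zeta^k per conjugate pair
UNIT_INDICES = range(3, N, 2)  # j = 3, 5, ..., N-1: the cyclotomic units b_j used as basis
ONE = [1] + [0] * (N - 1)

def add_power(out, e, c):
    """Add c * zeta^e into the coefficient list out, reducing with zeta^N = -1."""
    e %= M
    if e < N:
        out[e] += c
    else:
        out[e - N] -= c

def mul(a, b):
    """Product in R; elements are length-N integer coefficient lists (exact arithmetic)."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if ai and bj:
                add_power(out, i + j, ai * bj)
    return out

def automorphism(a, elem):
    """Apply the field automorphism zeta -> zeta^a (a odd) to elem."""
    out = [0] * N
    for i, c in enumerate(elem):
        if c:
            add_power(out, a * i, c)
    return out

def cyclotomic_unit(j):
    """b_j = (zeta^j - 1)/(zeta - 1) = 1 + zeta + ... + zeta^(j-1), j odd."""
    out = [0] * N
    for i in range(j):
        add_power(out, i, 1)
    return out

def unit_inverse(j):
    """1/b_j by slide 6's trick: for j*j' = 1 (mod M), sigma_j(b_j') = (zeta-1)/(zeta^j-1)."""
    return automorphism(j, cyclotomic_unit(pow(j, -1, M)))

def log_embedding(elem):
    """Log(a) = (log|sigma_k(a)|)_k, one entry per conjugate pair of embeddings (slide 5)."""
    vec = []
    for k in EMB:
        z = cmath.exp(2j * math.pi * k / M)
        vec.append(math.log(abs(sum(c * z ** i for i, c in enumerate(elem)))))
    return vec

def dot(u, v):
    return sum(x * y for x, y in zip(u, v))

def solve(G, r):
    """Gauss-Jordan elimination with partial pivoting for the small dense system G x = r."""
    n = len(r)
    A = [row[:] + [r[i]] for i, row in enumerate(G)]
    for col in range(n):
        piv = max(range(col, n), key=lambda i: abs(A[i][col]))
        A[col], A[piv] = A[piv], A[col]
        for i in range(n):
            if i != col:
                f = A[i][col] / A[col][col]
                A[i] = [x - f * y for x, y in zip(A[i], A[col])]
    return [A[i][n] / A[i][i] for i in range(n)]

def babai_round_off(basis, target):
    """Babai round-off: least-squares coordinates of target in the basis, rounded."""
    G = [[dot(bi, bj) for bj in basis] for bi in basis]
    return [round(x) for x in solve(G, [dot(bi, target) for bi in basis])]

def apply_units(elem, exponents):
    """Multiply elem by the product of b_j ** e over the (j, e) pairs in exponents."""
    for j, e in exponents.items():
        factor = cyclotomic_unit(j) if e > 0 else unit_inverse(j)
        for _ in range(abs(e)):
            elem = mul(elem, factor)
    return elem

def recover_generator(h):
    """Slide 5's decoding with slide 6's basis: round Log h off to Log u', return h / u'."""
    basis = [log_embedding(cyclotomic_unit(j)) for j in UNIT_INDICES]
    exps = babai_round_off(basis, log_embedding(h))
    return apply_units(h, {j: -e for j, e in zip(UNIT_INDICES, exps)})

# Constructed toy instance (values chosen here, not taken from the slides): a short
# secret generator g, masked by cyclotomic units into the arbitrary generator ug of stage 1.
SECRET_G = [0] * N
SECRET_G[0], SECRET_G[1], SECRET_G[3] = 10, 1, -1   # g = 10 + zeta - zeta^3
MASK = {3: 1, 5: -2, 7: 1, 13: -1, 31: 1}            # u = b_3 * b_5^-2 * b_7 * b_13^-1 * b_31
PUBLIC_H = apply_units(SECRET_G, MASK)               # h = u*g generates the same ideal gR

if __name__ == "__main__":
    print("b_3 * (1/b_3) == 1:", mul(cyclotomic_unit(3), unit_inverse(3)) == ONE)
    print("recovered g == g:", recover_generator(PUBLIC_H) == SECRET_G)
```

Because the decoding divides by the very product of b_j whose exponents were rounded, a correct round-off returns the constructed g exactly rather than an associate, which is what the final comparison checks. At this small conductor the dual basis of the log-unit lattice is coarse relative to the degree, so the constructed g is kept very short compared with the units; that round-off succeeds for this instance is verified numerically by the script, not derived here.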

SLIDE 7

Are you a lattice salesman? Try to dismiss lattice attacks. Ask: Do attacks against

  • the gR → g problem,
  • Gentry’s original FHE system,
  • the original Garg–Gentry–Halevi multilinear maps,
  • …

really matter for users?

My response to the salesman: Maybe not—but this problem is a natural starting point for studying other lattice problems that we certainly care about. “Canary in the coal mine.”

SLIDE 8

“Exact Ideal-SVP”: I → shortest nonzero vector in I. “Approximate Ideal-SVP”: I → short nonzero vector in I.

Attack is against ideal I with a short generator. 2015 Peikert says idea is “useless” for more general principal ideals: “We simply hadn’t realized that the added guarantee of a short generator would transform the technique from useless to devastatingly effective.”

SLIDE 9

2015 Peikert also says idea is limited to principal ideals: “Although cyclotomics have a lot of structure, nobody has yet found a way to exploit it in attacking Ideal-SVP/BDD … For commonly used rings, principal ideals are an extremely small fraction of all ideals. … The weakness here is not so much due to the structure of cyclotomics, but rather to the extra structure of principal ideals that have short generators.”



slide-52
SLIDE 52

10

Actually, the idea produces attacks far beyond this case.

2016 Cramer–Ducas–Wesolowski: Ideal-SVP attack for approx factor 2^(N^(1/2+o(1))) in deg-N cyclotomics, under plausible assumptions about class-group generators etc. Start from Biasse–Song, use more features of cyclotomic fields.

Can techniques be pushed to smaller approx factors?
Can techniques be adapted to break, e.g., Ring-LWE?



slide-54
SLIDE 54


11

NIST post-quantum competition: 69 submissions (5 withdrawn), including 20 lattice-based enc.

Most lattice-based enc systems use power-of-2 cyclotomics.

Some non-power-of-2 cyclotomics: LIMA has Φ_1019 option, “more conservative choice of field”; NTRU-HRSS-KEM uses Φ_701; NTRUEncrypt uses Φ_743 etc.

Can cyclotomic attacks on Gentry be extended to these systems?

slide-60
SLIDE 60


12

Some systems avoid cyclotomics.

FrodoKEM-640, 9616-byte key: relies on matrix rings; says that commutative rings “have the potential for weaknesses due to the extra structure”.

Titanium-lite, 14720-byte key: uses “middle product” to “hedge against the weakness of specific polynomial rings”.

Streamlined NTRU Prime 4591^761, 1218-byte key: see Tanja’s talk later today.


slide-67
SLIDE 67


13

Two theories of lattice safety

Theory 1: Best choices of field F are choices where we know proofs “attack against cryptosystem C_F ⇒ attack against problem L_F”, where L_F is a “lattice problem”.

Intuitive flaw in theory 1: Maybe these choices make L_F weak!

Theory 2: Safety of field F is damaged by extra automorphisms, extra subfields, etc. Similar situation to discrete-log crypto.

What’s a good test case for F?


slide-71
SLIDE 71


14

Multiquadratic fields

Assumptions: n ∈ {0, 1, 2, ...}; squarefree d_1, ..., d_n ∈ Z; ∏_{j∈J} d_j non-square for each nonempty subset J ⊆ {1, ..., n}.

K = Q(√d_1, ..., √d_n): smallest subfield of C containing √d_1, ..., √d_n. K is a degree-2^n number field.

Basis: √(∏_{j∈J} d_j) for each subset J ⊆ {1, ..., n}.

e.g. Q(√2, √3) = Q ⊕ Q√2 ⊕ Q√3 ⊕ Q√6.


slide-76
SLIDE 76


15

This field is Galois: has 2^n automorphisms.

e.g. automorphisms of Q(√2, √3) map a + b√2 + c√3 + d√6 to
a + b√2 + c√3 + d√6;
a − b√2 + c√3 − d√6;
a + b√2 − c√3 − d√6;
a − b√2 − c√3 + d√6.

About 2^(n^2/4) subfields.

e.g. subfields of Q(√2, √3): Q(√2, √3), Q(√2), Q(√3), Q(√6), Q.
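The Galois structure of pages 14 and 15, worked out for general n as an added example (Python; this is not code from the slides or from the multiquad.cr.yp.to software). Basis elements are indexed by subsets J, automorphisms by sign vectors, and subfields are obtained as fixed fields of subgroups of the Galois group {±1}^n. The sample d_j are assumed to be distinct primes so that the product ∏_{j∈J} d_j labels each basis element unambiguously; the subgroup enumeration is brute force and only meant for small n.

```python
# Added example (not the slides' or the multiquad.cr.yp.to software):
# automorphisms and subfields of K = Q(sqrt(d_1), ..., sqrt(d_n)) for general
# n, following the description on pages 14-15.  The d_j only label basis
# elements; the subfield structure depends on n alone.
from itertools import combinations, product
from math import prod

def basis(n):
    """Index set of the Q-basis: one element sqrt(prod_{j in J} d_j) per subset J of {0, ..., n-1}."""
    return [frozenset(J) for k in range(n + 1) for J in combinations(range(n), k)]

def automorphisms(n):
    """The 2^n automorphisms, as sign vectors s: sqrt(d_j) -> s[j] * sqrt(d_j)."""
    return list(product((1, -1), repeat=n))

def character(J, s):
    """Sign by which automorphism s scales the basis element indexed by J."""
    return prod(s[j] for j in J)

def apply(s, elem):
    """elem maps J -> coefficient; returns the image of elem under s
    (for n = 2 this reproduces the four sign patterns listed on page 15)."""
    return {J: character(J, s) * c for J, c in elem.items()}

def subgroups(n):
    """All subgroups of the Galois group {+1,-1}^n (componentwise product).
    Brute force over subsets of the group; fine for n <= 4."""
    G = automorphisms(n)
    ident = tuple([1] * n)
    out = set()
    for mask in range(1 << len(G)):
        H = frozenset(G[i] for i in range(len(G)) if mask >> i & 1)
        if ident in H and all(tuple(a * b for a, b in zip(x, y)) in H for x in H for y in H):
            out.add(H)
    return out

def fixed_field(n, d, H):
    """Subfield fixed by H (Galois correspondence): spanned by the basis
    elements on which every s in H acts trivially.  Returned as the sorted
    products prod_{j in J} d_j of its nontrivial basis elements, so Q itself is ()."""
    fixed = [J for J in basis(n) if J and all(character(J, s) == 1 for s in H)]
    return tuple(sorted(prod(d[j] for j in J) for J in fixed))

def subfields(n, d):
    """All subfields of Q(sqrt(d_0), ..., sqrt(d_{n-1})), one per subgroup."""
    return sorted(fixed_field(n, d, H) for H in subgroups(n))

def main():
    # constructed sample fields; the heuristic count on page 15 is 2^(n^2/4)
    for n, d in ((2, (2, 3)), (3, (2, 3, 5))):
        fields = subfields(n, d)
        print(n, len(automorphisms(n)), "automorphisms,", len(fields), "subfields:", fields)

if __name__ == "__main__":
    main()
```

For Q(√2, √3) the five fixed fields come out as Q(√2, √3), Q(√2), Q(√3), Q(√6) and Q, matching the list above; for n = 3 and n = 4 the counts are 16 and 67, which is the number of subgroups of (Z/2)^n and grows like the 2^(n^2/4) heuristic.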


slide-82
SLIDE 82


16

Gentry for multiquadratics

Use optimizations from PKC 2010 Smart–Vercauteren, Eurocrypt 2011 Gentry–Halevi.

F: monic irreducible polynomial. Ring R = Z[x]/F; not required to be ring of integers of Q[x]/F.

Multiquadratics: take, e.g., F = (x − √2 − √3) · (x + √2 − √3) · (x − √2 + √3) · (x + √2 + √3).

Note Q(√2 + √3) = Q(√2, √3).


slide-88
SLIDE 88


17

Smart–Vercauteren keygen:
Take short random g ∈ R.
Compute q, absolute norm of g.
Start over if q is not prime.
Compute root r of g in Z/q.
Public key gR = qR + (x − r)R is represented as (q, r).

(We implemented multiquadratic adaptation of Gentry–Halevi cyclotomic keygen speedup: instead of requiring prime q, require gcd{b, q} > 1 for each relative norm a + b√d_i of g. Any squarefree q will work.)


slide-91
SLIDE 91

16

ercauteren, Gentry–Halevi.

  • lynomial.

required [x]=F. e.g., 2; √ 3).

17

Smart–Vercauteren keygen: Take short random g ∈ R. Compute q, absolute norm of g. Start over if q is not prime. Compute root r of g in Z=q. Public key gR = qR + (x − r)R is represented as (q; r). (We implemented multiquadratic adaptation of Gentry–Halevi cyclotomic keygen speedup: instead of requiring prime q, require gcd{b; q} > 1 for each relative norm a + b√di of g. Any squarefree q will work.) Smart–Vercauteren encryption: Take short m ∈ Z[x]=F. Ciphertext is m(r) ∈ Z=q.

slide-92
SLIDE 92

17

Smart–Vercauteren keygen: Take short random g ∈ R. Compute q, absolute norm of g. Start over if q is not prime. Compute root r of g in Z=q. Public key gR = qR + (x − r)R is represented as (q; r). (We implemented multiquadratic adaptation of Gentry–Halevi cyclotomic keygen speedup: instead of requiring prime q, require gcd{b; q} > 1 for each relative norm a + b√di of g. Any squarefree q will work.)

18

Smart–Vercauteren encryption: Take short m ∈ Z[x]=F. Ciphertext is m(r) ∈ Z=q.

slide-93
SLIDE 93

17

Smart–Vercauteren keygen: Take short random g ∈ R. Compute q, absolute norm of g. Start over if q is not prime. Compute root r of g in Z=q. Public key gR = qR + (x − r)R is represented as (q; r). (We implemented multiquadratic adaptation of Gentry–Halevi cyclotomic keygen speedup: instead of requiring prime q, require gcd{b; q} > 1 for each relative norm a + b√di of g. Any squarefree q will work.)

18

Smart–Vercauteren encryption: Take short m ∈ Z[x]=F. Ciphertext is m(r) ∈ Z=q. Homomorphic operations: add/multiply ciphertexts m(r) to add/multiply messages m.

slide-94
SLIDE 94

17

Smart–Vercauteren keygen: Take short random g ∈ R. Compute q, absolute norm of g. Start over if q is not prime. Compute root r of g in Z=q. Public key gR = qR + (x − r)R is represented as (q; r). (We implemented multiquadratic adaptation of Gentry–Halevi cyclotomic keygen speedup: instead of requiring prime q, require gcd{b; q} > 1 for each relative norm a + b√di of g. Any squarefree q will work.)

18

Smart–Vercauteren encryption: Take short m ∈ Z[x]=F. Ciphertext is m(r) ∈ Z=q. Homomorphic operations: add/multiply ciphertexts m(r) to add/multiply messages m. Decryption: given c ∈ {0; 1; : : : ; q − 1}, compute c=g ∈ Q[x]=F, round to element of Z[x]=F, multiply by g, subtract from c.

slide-95
SLIDE 95

17

Smart–Vercauteren keygen: Take short random g ∈ R. Compute q, absolute norm of g. Start over if q is not prime. Compute root r of g in Z=q. Public key gR = qR + (x − r)R is represented as (q; r). (We implemented multiquadratic adaptation of Gentry–Halevi cyclotomic keygen speedup: instead of requiring prime q, require gcd{b; q} > 1 for each relative norm a + b√di of g. Any squarefree q will work.)

18

Smart–Vercauteren encryption: Take short m ∈ Z[x]=F. Ciphertext is m(r) ∈ Z=q. Homomorphic operations: add/multiply ciphertexts m(r) to add/multiply messages m. Decryption: given c ∈ {0; 1; : : : ; q − 1}, compute c=g ∈ Q[x]=F, round to element of Z[x]=F, multiply by g, subtract from c. Decryption works if each coefficient of m=g ∈ Q[x]=F is in (−1=2; 1=2).

slide-96
SLIDE 96

17

rt–Vercauteren keygen: short random g ∈ R. Compute q, absolute norm of g.

  • ver if q is not prime.

Compute root r of g in Z=q. key gR = qR + (x − r)R resented as (q; r). implemented multiquadratic adaptation of Gentry–Halevi cyclotomic keygen speedup:

  • f requiring prime q,

gcd{b; q} > 1 for each relative norm a + b√di of g. squarefree q will work.)

18

Smart–Vercauteren encryption: Take short m ∈ Z[x]=F. Ciphertext is m(r) ∈ Z=q. Homomorphic operations: add/multiply ciphertexts m(r) to add/multiply messages m. Decryption: given c ∈ {0; 1; : : : ; q − 1}, compute c=g ∈ Q[x]=F, round to element of Z[x]=F, multiply by g, subtract from c. Decryption works if each coefficient of m=g ∈ Q[x]=F is in (−1=2; 1=2). Gentry sa complexit algorithms in securit Flaw in Sma for some keygen time in securit

slide-97
SLIDE 97

17

ercauteren keygen: random g ∈ R. absolute norm of g. not prime.

  • f g in Z=q.

qR + (x − r)R (q; r). implemented multiquadratic Gentry–Halevi eygen speedup: ing prime q, } > 1 for each b√di of g. will work.)

18

Smart–Vercauteren encryption: Take short m ∈ Z[x]=F. Ciphertext is m(r) ∈ Z=q. Homomorphic operations: add/multiply ciphertexts m(r) to add/multiply messages m. Decryption: given c ∈ {0; 1; : : : ; q − 1}, compute c=g ∈ Q[x]=F, round to element of Z[x]=F, multiply by g, subtract from c. Decryption works if each coefficient of m=g ∈ Q[x]=F is in (−1=2; 1=2). Gentry says “computational complexity of all of algorithms must be in security parameter”. Flaw in Smart–Vercauteren: for some choices of keygen time is not in security parameter.

slide-98
SLIDE 98

17

eygen: .

  • f g.

rime. =q. − r)R multiquadratic Gentry–Halevi eedup: q, each g. rk.)

18

Smart–Vercauteren encryption: Take short m ∈ Z[x]=F. Ciphertext is m(r) ∈ Z=q. Homomorphic operations: add/multiply ciphertexts m(r) to add/multiply messages m. Decryption: given c ∈ {0; 1; : : : ; q − 1}, compute c=g ∈ Q[x]=F, round to element of Z[x]=F, multiply by g, subtract from c. Decryption works if each coefficient of m=g ∈ Q[x]=F is in (−1=2; 1=2). Gentry says “computational complexity of all of these algorithms must be polynomial in security parameter”. Flaw in Smart–Vercauteren: for some choices of F, keygen time is not polynomial in security parameter.

slide-99
SLIDE 99

18

Smart–Vercauteren encryption: Take short m ∈ Z[x]=F. Ciphertext is m(r) ∈ Z=q. Homomorphic operations: add/multiply ciphertexts m(r) to add/multiply messages m. Decryption: given c ∈ {0; 1; : : : ; q − 1}, compute c=g ∈ Q[x]=F, round to element of Z[x]=F, multiply by g, subtract from c. Decryption works if each coefficient of m=g ∈ Q[x]=F is in (−1=2; 1=2).

19

Gentry says “computational complexity of all of these algorithms must be polynomial in security parameter”. Flaw in Smart–Vercauteren: for some choices of F, keygen time is not polynomial in security parameter.

slide-100
SLIDE 100

18

Smart–Vercauteren encryption: Take short m ∈ Z[x]/F. Ciphertext is m(r) ∈ Z/q.

Homomorphic operations: add/multiply ciphertexts m(r) to add/multiply messages m.

Decryption: given c ∈ {0, 1, ..., q − 1}, compute c/g ∈ Q[x]/F, round to element of Z[x]/F, multiply by g, subtract from c.

Decryption works if each coefficient of m/g ∈ Q[x]/F is in (−1/2, 1/2).

19

Gentry says “computational complexity of all of these algorithms must be polynomial in security parameter”.

Flaw in Smart–Vercauteren: for some choices of F, keygen time is not polynomial in security parameter.

For multiquadratic F, keygen is disastrously slow: far too many tries to find prime q. (Adaptation of Gentry–Halevi speedup gives only a polynomial improvement.)

slide-113
SLIDE 113

20

Why this happens: Fix prime p. Take field k of size p². d1, ..., dn are squares in k, so F splits completely in k[x]. deg h ∈ {1, 2} for each irred factor h of F in Fp[x].

Heuristic: for most p ≤ 2^n, have Θ(p) distinct linear factors h.

For each linear factor h: with probability ≈1/p, h divides g in Fp[x], forcing p² to divide norm of g if any di is non-square in Fp.

21

Our multiquadratic tweaks to Smart–Vercauteren (including adaptation of Gentry–Halevi):

1. Generalize cryptosystem to support n polynomial variables. Use R = Z[√d1, ..., √dn].

2. Subroutine: Construct uniform random invertible element of R/p.

3. Choose y ∈ Θ(2^n/n). Force g to be invertible mod all primes p ≤ y. Heuristically, good chance of squarefree norm.
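The keygen, encryption and decryption steps above, carried through for the n = 2 ring R = Z[√2, √3] with a fixed secret g, as an added Python example (not the paper's software at multiquad.cr.yp.to). The field, the element g, the brute-force root search modulo each prime factor of q and the plain "q squarefree" test are my choices; the slide's gcd condition on the relative norms is not reproduced.

```python
from fractions import Fraction
from itertools import product
from math import floor

# Constructed example (my choice, not from the slides): K = Q(sqrt2, sqrt3),
# R = Z[sqrt2, sqrt3]. An element of R is a dict {mask: coeff}; bit i of mask
# set means the basis element contains sqrt(d_i), so mask 3 is sqrt6.
D = (2, 3)
G = {0: 7, 1: 1, 2: 2, 3: 1}  # secret g = 7 + sqrt2 + 2*sqrt3 + sqrt6, |N(g)| = 1081 = 23*47

def mul(a, b, d):
    """Product in R: basis elements combine by xor, sqrt(d_i)^2 = d_i."""
    out = {}
    for s, cs in a.items():
        for t, ct in b.items():
            w = cs * ct
            for i, di in enumerate(d):
                if (s & t) >> i & 1:
                    w *= di
            out[s ^ t] = out.get(s ^ t, 0) + w
    return {k: v for k, v in out.items() if v}

def conj(a, j):
    """Automorphism sending sqrt(d_j) to -sqrt(d_j), fixing the other roots."""
    return {s: -c if (s >> j) & 1 else c for s, c in a.items()}

def norm_and_cofactor(g, d):
    """Absolute norm N(g) and adj with g * adj == N(g), via the tower of
    relative norms h -> h * conj(h, j): each step eliminates sqrt(d_j)."""
    h, adj = dict(g), {0: 1}
    for j in range(len(d)):
        hc = conj(h, j)
        adj = mul(adj, hc, d)
        h = mul(h, hc, d)
    return h.get(0, 0), adj

def squarefree_factors(q):
    """Distinct prime factors of q (trial division), or None if not squarefree."""
    fs, p = [], 2
    while p * p <= q:
        if q % p == 0:
            q //= p
            if q % p == 0:
                return None
            fs.append(p)
        p += 1
    if q > 1:
        fs.append(q)
    return fs

def evaluate(m, r, q):
    """m(r_1, ..., r_n) mod q: substitute r_i for sqrt(d_i)."""
    total = 0
    for s, c in m.items():
        for i, ri in enumerate(r):
            if (s >> i) & 1:
                c = c * ri % q
        total += c
    return total % q

def keygen(g, d):
    """Public key (q, r): q = |N(g)| must be squarefree (the relaxed condition
    on the slide), r_i = image of sqrt(d_i) in R/gR = Z/q. The root is found by
    brute force modulo each prime factor and glued by CRT (my simplification)."""
    q = abs(norm_and_cofactor(g, d)[0])
    primes = squarefree_factors(q)
    if q < 2 or primes is None:
        return None
    r, q_acc = [0] * len(d), 1
    for p in primes:
        cands = [[a for a in range(p) if (a * a - di) % p == 0] for di in d]
        sols = [c for c in product(*cands) if evaluate(g, c, p) == 0]
        if len(sols) != 1:  # need exactly one root of g mod p (R/gR cyclic)
            return None
        inv = pow(q_acc, -1, p)
        r = [ri + q_acc * ((ai - ri) * inv % p) for ri, ai in zip(r, sols[0])]
        q_acc *= p
    return q, tuple(r)

def encrypt(m, pk):
    q, r = pk
    return evaluate(m, r, q)

def decrypt(c, g, d):
    """c/g = c*adj/N(g) in K; round coefficientwise, multiply by g, subtract."""
    N, adj = norm_and_cofactor(g, d)
    w = {s: floor(Fraction(c * a, N) + Fraction(1, 2)) for s, a in adj.items()}
    m = {0: c}
    for s, v in mul(g, w, d).items():
        m[s] = m.get(s, 0) - v
    return {s: v for s, v in m.items() if v}

def decryptable(m, g, d):
    """The slide's condition: every coefficient of m/g lies in (-1/2, 1/2)."""
    N, adj = norm_and_cofactor(g, d)
    return all(abs(Fraction(a, N)) < Fraction(1, 2) for a in mul(m, adj, d).values())
```

With this g the public key is (1081, (524, 223)), a squarefree composite q that would have been rejected by the original "q prime" rule; all 16 messages with coefficients in {0, 1} decrypt, while 1 + √2 − √3 − √6 violates the (−1/2, 1/2) condition and decrypts wrongly.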

slide-124
SLIDE 124

22

Computing units

Fix positive non-square d ∈ Z. Assume d quasipoly in 2^n; i.e., log d ∈ n^O(1).

{..., ±ε⁻², ±ε⁻¹, ±1, ±ε, ±ε², ...} is unit group of ring of integers of Q(√d) for a unique ε > 1, the normalized fundamental unit.

log ε < √d(2 + log 4d); quasipoly.

Standard algorithms compute a, b ∈ Q with ε = a + b√d in time (log ε)^(1+o(1)); quasipoly. (Can save time by instead representing ε as product.)

23

Take a multiquadratic field K = Q(√d1, ..., √dn). Assume n > 0 and all di > 0.

The set of multiquadratic units is the group generated by units of all 2^n − 1 quadratic subfields. Analogous to cyclotomic units. Compute this group by computing all normalized fundamental units.

We go beyond this: compute O*_K. Could use Eisenträger–Hallgren–Kitaev–Song, but we don’t want to wait for quantum computers.

slide-138
SLIDE 138

25

Second step: Compute $U = O_{K^\sigma}^* \, O_{K^\tau}^* \, \sigma(O_{K^{\sigma\tau}}^*)$.

Fact: $U \le O_K^*$.

Fact: $(O_K^*)^2 \le U$.

Proof: If $u \in O_K^*$ then $u\sigma(u) \in O_{K^\sigma}^*$; $u\tau(u) \in O_{K^\tau}^*$; $u\sigma(\tau(u)) \in O_{K^{\sigma\tau}}^*$; so
$$\frac{u\sigma(u)\,u\tau(u)}{\sigma(u\sigma(\tau(u)))} \in U.$$
In other words, $u^2 \in U$.

slide-146
SLIDE 146

26

Third step: identify $(O_K^*)^2$ inside $U$ by trying to compute square roots of products of generators of $U$.

$2^{\Theta(2^n)}$ products. We do much better using an NFS idea from 1991 Adleman:
$$\alpha_1^{e_1} \cdots \alpha_k^{e_k} \text{ square} \;\Rightarrow\; \chi(\alpha_1)^{e_1} \cdots \chi(\alpha_k)^{e_k} = 1$$
for any quadratic character $\chi$ with $\chi(\alpha_1), \ldots, \chi(\alpha_k) \in \{-1, 1\}$. Linear equation, usually reducing $\dim\{e\}$ by 1. Use many such $\chi$.
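The third step and Adleman's character trick, worked through for $K = \mathbf{Q}(\sqrt2, \sqrt3)$ as an added example (not code from the talk or from the multiquad software): $U$ is generated by $-1$ and the fundamental units $1+\sqrt2$, $2+\sqrt3$, $5+2\sqrt6$ of the three quadratic subfields; each quadratic character is the Legendre symbol composed with a ring map $O_K \to \mathbf{F}_p$ for a prime $p$ that splits completely, the resulting GF(2) equations cut down the exponent vectors $e$, and an exact square-root attempt settles the survivors. The field arithmetic, the choice of primes and the generator list are this example's own constructions.

```python
from fractions import Fraction as Fr
from itertools import product
import math
# K = Q(sqrt2, sqrt3).  An element is a 4-tuple of Fractions (a, b, c, d)
# standing for a + b*sqrt2 + c*sqrt3 + d*sqrt6.
def mul(x, y):
    a1, b1, c1, d1 = x
    a2, b2, c2, d2 = y
    return (a1*a2 + 2*b1*b2 + 3*c1*c2 + 6*d1*d2,      # sqrt6*sqrt6 = 6, ...
            a1*b2 + b1*a2 + 3*(c1*d2 + d1*c2),         # sqrt3*sqrt6 = 3*sqrt2
            a1*c2 + c1*a2 + 2*(b1*d2 + d1*b2),         # sqrt2*sqrt6 = 2*sqrt3
            a1*d2 + d1*a2 + b1*c2 + c1*b2)             # sqrt2*sqrt3 = sqrt6

SIGNS = [(s, t) for s in (1, -1) for t in (1, -1)]    # embeddings: (sqrt2, sqrt3) -> (s*sqrt2, t*sqrt3)

def try_sqrt(x):
    """Exact square root of x in K, or None: real square roots in the four embeddings
    (every sign choice), invert the embedding matrix, round to halves, verify by squaring."""
    a, b, c, d = map(float, x)
    emb = [a + s*b*2**.5 + t*c*3**.5 + s*t*d*6**.5 for s, t in SIGNS]
    if min(emb) < 0: return None         # K is totally real: a square is totally positive
    roots = [math.sqrt(v) for v in emb]
    for signs in product((1, -1), repeat=4):
        r = [sg * v for sg, v in zip(signs, roots)]
        coeffs = (sum(r) / 4,
                  sum(s * ri for (s, t), ri in zip(SIGNS, r)) / (4 * 2**.5),
                  sum(t * ri for (s, t), ri in zip(SIGNS, r)) / (4 * 3**.5),
                  sum(s * t * ri for (s, t), ri in zip(SIGNS, r)) / (4 * 6**.5))
        y = tuple(Fr(round(2 * v), 2) for v in coeffs)   # denominators in O_K divide 2
        if mul(y, y) == x: return y
    return None

def characters(count):
    """Quadratic characters of K as (p, r2, r3): p is a prime with 2 and 3 both squares
    mod p, so sqrt2 -> r2, sqrt3 -> r3 is a ring map O_K -> F_p (four per p); the
    Legendre symbol of the image is a character with values +-1."""
    chars, p = [], 5
    while len(chars) < count:
        p += 2
        if (any(p % q == 0 for q in range(2, int(p ** 0.5) + 1))
                or pow(2, (p-1)//2, p) != 1 or pow(3, (p-1)//2, p) != 1):
            continue
        r2 = next(r for r in range(1, p) if r*r % p == 2)
        r3 = next(r for r in range(1, p) if r*r % p == 3)
        chars.extend((p, s*r2 % p, t*r3 % p) for s, t in SIGNS)
    return chars

def chi_bit(char, x):
    """0 if chi(x) = +1, 1 if chi(x) = -1 (a unit never maps to 0 mod p)."""
    p, r2, r3 = char
    v = x[0] + x[1]*r2 + x[2]*r3 + x[3]*r2*r3          # image in F_p, still a Fraction
    v = v.numerator * pow(v.denominator, -1, p) % p
    return 0 if pow(v, (p-1)//2, p) == 1 else 1

def gf2_kernel(rows, k):
    """Basis of {e in GF(2)^k : M e = 0}; rows of M are k-bit integer masks."""
    pivots = {}                 # pivot column -> row that is 1 there and 0 at other pivots
    for r in rows:
        for col, pr in pivots.items():
            if r >> col & 1: r ^= pr
        if r:
            col = r.bit_length() - 1
            for c2 in pivots:
                if pivots[c2] >> col & 1: pivots[c2] ^= r
            pivots[col] = r
    basis = []
    for f in (c for c in range(k) if c not in pivots):   # one kernel vector per free column
        e = 1 << f
        for col, pr in pivots.items():
            if pr >> f & 1: e |= 1 << col
        basis.append([e >> i & 1 for i in range(k)])
    return basis

# Constructed sample input: generators of U for K = Q(sqrt2, sqrt3), i.e. -1 and the
# fundamental units 1+sqrt2, 2+sqrt3, 5+2*sqrt6 of the three quadratic subfields.
GENS = [tuple(map(Fr, g)) for g in [(-1, 0, 0, 0), (1, 1, 0, 0), (2, 0, 1, 0), (5, 0, 0, 2)]]

def find_squares(gens=GENS, nchars=24):
    """Third step: each character is a linear equation on the exponent vector e;
    square roots are attempted only for the survivors.  Returns (e, product, root)."""
    rows = [sum(chi_bit(ch, g) << i for i, g in enumerate(gens)) for ch in characters(nchars)]
    found = []
    for e in gf2_kernel(rows, len(gens)):
        x = (Fr(1), Fr(0), Fr(0), Fr(0))
        for g, ei in zip(gens, e):
            x = mul(x, g) if ei else x
        y = try_sqrt(x)
        if y is not None: found.append((e, x, y))
    return found
```

On this input the two surviving products are genuine squares, $2+\sqrt3 = ((\sqrt2+\sqrt6)/2)^2$ and $5+2\sqrt6 = (\sqrt2+\sqrt3)^2$, so $U$ has index at least 4 in $O_K^*$; $1+\sqrt2$ is rejected at once because it is negative under $\sqrt2 \mapsto -\sqrt2$.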

slide-154
SLIDE 154

27

Computing generators

Main goal: Find $g$ given $gR$, where $R = \mathbf{Z}[\sqrt{d_1}, \ldots, \sqrt{d_n}]$.

Strategy: Reuse the equation
$$g^2 = \frac{g\sigma(g)\,g\tau(g)}{\sigma(g\sigma(\tau(g)))}.$$
Square root of $g^2$ is $\pm g$.

How to compute $g\sigma(g)$? First compute relative norm of ideal $gR$ from $K$ to $K^\sigma$. Obtain ideal generated by $g\sigma(g)$. Recursively compute a generator of this ideal: probably not $g\sigma(g)$. Some $ug\sigma(g)$ with $u \in O_{K^\sigma}^*$.

slide-161
SLIDE 161

28

Unit multiple of $g\sigma(g)$, unit multiple of $g\tau(g)$, unit multiple of $g\sigma(\tau(g))$ $\Rightarrow$ some $ug^2$ with $u \in O_K^*$.

Use quadratic characters (with values $\pm1$ on $g$) to identify $v \in O_K^*$ such that $vug^2$ is a square. Now compute square root: some unit multiple of $g$, i.e., some $g'$ with $g'O_K = gO_K$.

All of this takes quasipoly time.

slide-167
SLIDE 167

29

Computing short generators

Assume $d_1, \ldots, d_n \ge 2^{1.03n}$. (More work seems to push bound to $< n^2$; see paper and software.)

Find multiquadratic (MQ) units. Find all units. Find some generator $ug$.

Heuristic: For most $d_1, \ldots, d_n$, all regulators $\log\varepsilon$ are larger than $2^{0.51n}$; so coefficients of $2^n \operatorname{Log} g$ on MQ unit basis are almost certainly in $(-0.1, 0.1)$.

slide-176
SLIDE 176

30

$u^{2^n}$ is an MQ unit. $\operatorname{Log} u^{2^n} = 2^n \operatorname{Log} u$ is closest vector to $2^n \operatorname{Log} ug$.

MQ unit lattice is orthogonal. Round $2^n \operatorname{Log} ug$ to find $2^n \operatorname{Log} u$ and $2^n \operatorname{Log} g$. Deduce $\pm g^{2^n}$.

Use quadratic character: $g^{2^n}$. Square root: $\pm g^{2^{n-1}}$. Use quadratic character: $g^{2^{n-1}}$. Square root: $\pm g^{2^{n-2}}$. ... Square root: $\pm g$. Done!

MQ cryptosystem is broken for all of these fields.

slide-183
SLIDE 183

31

Slightly simpler: Find MQ units, but skip finding all units. Recursively find $ug^{2^{n-1}}$ where $u$ is an MQ unit; i.e., skip square-root computations.

Take logs: $\operatorname{Log} ug^{2^{n-1}}$. Round: $\operatorname{Log} u$. Deduce $\pm g^{2^{n-1}}$. Use quadratic character: $g^{2^{n-1}}$. Square root: $\pm g^{2^{n-2}}$. ... Square root: $\pm g$.