Computational 2013.07 talk slide online: algebraic number theory I - - PowerPoint PPT Presentation

Computational algebraic number theory tackles lattice-based cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Moving to the left Moving to the right Big generator Moving through the night —Yes, “Big Generator”, 1987 2013.07 talk slide online: “I think NTRU should switch to random prime-degree extensions with big Galois groups.” 2014.02 blog post: “Here’s a concrete suggestion, which I’ll call NTRU Prime, for eliminating the structures that I find worrisome in existing ideal-lattice-based encryption systems.” NTRU Prime uses primes p; q with field (Z=q)[x]=(xp − x − 1).

Computational raic number theory tackles lattice-based cryptography

• J. Bernstein

University of Illinois at Chicago & echnische Universiteit Eindhoven Moving to the left Moving to the right Big generator Moving through the night —Yes, “Big Generator”, 1987 2013.07 talk slide online: “I think NTRU should switch to random prime-degree extensions with big Galois groups.” 2014.02 blog post: “Here’s a concrete suggestion, which I’ll call NTRU Prime, for eliminating the structures that I find worrisome in existing ideal-lattice-based encryption systems.” NTRU Prime uses primes p; q with field (Z=q)[x]=(xp − x − 1). Clear advantage cyclotomics:

er theory ased cryptography Bernstein Illinois at Chicago & Universiteit Eindhoven Moving to the left Moving to the right Big generator through the night Generator”, 1987 2013.07 talk slide online: “I think NTRU should switch to random prime-degree extensions with big Galois groups.” 2014.02 blog post: “Here’s a concrete suggestion, which I’ll call NTRU Prime, for eliminating the structures that I find worrisome in existing ideal-lattice-based encryption systems.” NTRU Prime uses primes p; q with field (Z=q)[x]=(xp − x − 1). Clear advantage of cyclotomics: minor

cryptography Chicago & Eindhoven the left the right generator the night r”, 1987 2013.07 talk slide online: “I think NTRU should switch to random prime-degree extensions with big Galois groups.” 2014.02 blog post: “Here’s a concrete suggestion, which I’ll call NTRU Prime, for eliminating the structures that I find worrisome in existing ideal-lattice-based encryption systems.” NTRU Prime uses primes p; q with field (Z=q)[x]=(xp − x − 1). Clear advantage of the usual cyclotomics: minor speedup.

2013.07 talk slide online: “I think NTRU should switch to random prime-degree extensions with big Galois groups.” 2014.02 blog post: “Here’s a concrete suggestion, which I’ll call NTRU Prime, for eliminating the structures that I find worrisome in existing ideal-lattice-based encryption systems.” NTRU Prime uses primes p; q with field (Z=q)[x]=(xp − x − 1). Clear advantage of the usual cyclotomics: minor speedup.

2013.07 talk slide online: “I think NTRU should switch to random prime-degree extensions with big Galois groups.” 2014.02 blog post: “Here’s a concrete suggestion, which I’ll call NTRU Prime, for eliminating the structures that I find worrisome in existing ideal-lattice-based encryption systems.” NTRU Prime uses primes p; q with field (Z=q)[x]=(xp − x − 1). Clear advantage of the usual cyclotomics: minor speedup. Extra advantage often claimed: some “security reductions”.

2013.07 talk slide online: “I think NTRU should switch to random prime-degree extensions with big Galois groups.” 2014.02 blog post: “Here’s a concrete suggestion, which I’ll call NTRU Prime, for eliminating the structures that I find worrisome in existing ideal-lattice-based encryption systems.” NTRU Prime uses primes p; q with field (Z=q)[x]=(xp − x − 1). Clear advantage of the usual cyclotomics: minor speedup. Extra advantage often claimed: some “security reductions”. But is this really an advantage? Lange and I conjecture that security is negatively correlated with strength of reductions.

2013.07 talk slide online: “I think NTRU should switch to random prime-degree extensions with big Galois groups.” 2014.02 blog post: “Here’s a concrete suggestion, which I’ll call NTRU Prime, for eliminating the structures that I find worrisome in existing ideal-lattice-based encryption systems.” NTRU Prime uses primes p; q with field (Z=q)[x]=(xp − x − 1). Clear advantage of the usual cyclotomics: minor speedup. Extra advantage often claimed: some “security reductions”. But is this really an advantage? Lange and I conjecture that security is negatively correlated with strength of reductions. Disadvantage of cyclotomics: many more symmetries feed a scary attack strategy. Already serious damage to some lattice-based systems, concerns about other systems.

2013.07 talk slide online: think NTRU should switch to prime-degree extensions big Galois groups.” 2014.02 blog post: “Here’s a concrete suggestion, I’ll call NTRU Prime, liminating the structures find worrisome in existing ideal-lattice-based encryption systems.” Prime uses primes p; q field (Z=q)[x]=(xp − x − 1). Clear advantage of the usual cyclotomics: minor speedup. Extra advantage often claimed: some “security reductions”. But is this really an advantage? Lange and I conjecture that security is negatively correlated with strength of reductions. Disadvantage of cyclotomics: many more symmetries feed a scary attack strategy. Already serious damage to some lattice-based systems, concerns about other systems. Typical lattice “Because in high-dimensional has been algorithmic

• f years

unique evidence cryptoschemes

slide online: should switch to

• degree extensions

groups.”

• st:

concrete suggestion, NTRU Prime, the structures rrisome in ideal-lattice-based systems.” uses primes p; q )[x]=(xp − x − 1). Clear advantage of the usual cyclotomics: minor speedup. Extra advantage often claimed: some “security reductions”. But is this really an advantage? Lange and I conjecture that security is negatively correlated with strength of reductions. Disadvantage of cyclotomics: many more symmetries feed a scary attack strategy. Already serious damage to some lattice-based systems, concerns about other systems. Typical lattice advertisement: “Because finding sho in high-dimensional has been a notoriously algorithmic question

• f years : : : we have

unique evidence that cryptoschemes are

switch to extensions suggestion, Prime, structures p; q x − 1). Clear advantage of the usual cyclotomics: minor speedup. Extra advantage often claimed: some “security reductions”. But is this really an advantage? Lange and I conjecture that security is negatively correlated with strength of reductions. Disadvantage of cyclotomics: many more symmetries feed a scary attack strategy. Already serious damage to some lattice-based systems, concerns about other systems. Typical lattice advertisement: “Because finding short vecto in high-dimensional lattices has been a notoriously hard algorithmic question for hundreds

• f years : : : we have solid and

unique evidence that lattice-based cryptoschemes are secure.”

Clear advantage of the usual cyclotomics: minor speedup. Extra advantage often claimed: some “security reductions”. But is this really an advantage? Lange and I conjecture that security is negatively correlated with strength of reductions. Disadvantage of cyclotomics: many more symmetries feed a scary attack strategy. Already serious damage to some lattice-based systems, concerns about other systems. Typical lattice advertisement: “Because finding short vectors in high-dimensional lattices has been a notoriously hard algorithmic question for hundreds

• f years : : : we have solid and

unique evidence that lattice-based cryptoschemes are secure.”

Clear advantage of the usual cyclotomics: minor speedup. Extra advantage often claimed: some “security reductions”. But is this really an advantage? Lange and I conjecture that security is negatively correlated with strength of reductions. Disadvantage of cyclotomics: many more symmetries feed a scary attack strategy. Already serious damage to some lattice-based systems, concerns about other systems. Typical lattice advertisement: “Because finding short vectors in high-dimensional lattices has been a notoriously hard algorithmic question for hundreds

• f years : : : we have solid and

unique evidence that lattice-based cryptoschemes are secure.”

• No. Dangerous exaggeration!

There are many obvious gaps between lattice-based systems and the classic lattice problems: e.g., the systems use ideals. Important to study these gaps.

advantage of the usual cyclotomics: minor speedup. advantage often claimed: “security reductions”. this really an advantage? and I conjecture that y is negatively correlated strength of reductions. Disadvantage of cyclotomics: more symmetries scary attack strategy. Already serious damage some lattice-based systems, concerns about other systems. Typical lattice advertisement: “Because finding short vectors in high-dimensional lattices has been a notoriously hard algorithmic question for hundreds

• f years : : : we have solid and

unique evidence that lattice-based cryptoschemes are secure.”

• No. Dangerous exaggeration!

There are many obvious gaps between lattice-based systems and the classic lattice problems: e.g., the systems use ideals. Important to study these gaps. 2009 Sma homomo relatively sizes”: “Recovering key given therefore principal a principal ‘small’ generato This is one in computational and has previous see for example

• f the usual

minor speedup.

• ften claimed:

reductions”. an advantage? conjecture that negatively correlated reductions. cyclotomics: symmetries attack strategy. damage lattice-based systems,

• ther systems.

Typical lattice advertisement: “Because finding short vectors in high-dimensional lattices has been a notoriously hard algorithmic question for hundreds

• f years : : : we have solid and

unique evidence that lattice-based cryptoschemes are secure.”

• No. Dangerous exaggeration!

There are many obvious gaps between lattice-based systems and the classic lattice problems: e.g., the systems use ideals. Important to study these gaps. 2009 Smart–Vercauteren homomorphic encryption relatively small key sizes”: “Recovering key given the public therefore an instance principal ideal problem: a principal ideal : : ‘small’ generator of This is one of the in computational n and has formed the previous cryptograp see for example [3].”

usual eedup. claimed: reductions”. advantage? that rrelated reductions. cyclotomics: strategy. systems, systems. Typical lattice advertisement: “Because finding short vectors in high-dimensional lattices has been a notoriously hard algorithmic question for hundreds

• f years : : : we have solid and

unique evidence that lattice-based cryptoschemes are secure.”

• No. Dangerous exaggeration!

There are many obvious gaps between lattice-based systems and the classic lattice problems: e.g., the systems use ideals. Important to study these gaps. 2009 Smart–Vercauteren “Fully homomorphic encryption with relatively small key and ciphertex sizes”: “Recovering the private key given the public key is therefore an instance of the principal ideal problem: : : : Given a principal ideal : : : compute ‘small’ generator of the ideal. This is one of the core problems in computational number theo and has formed the basis of previous cryptographic proposals, see for example [3].”

Typical lattice advertisement: “Because finding short vectors in high-dimensional lattices has been a notoriously hard algorithmic question for hundreds

• f years : : : we have solid and

unique evidence that lattice-based cryptoschemes are secure.”

• No. Dangerous exaggeration!

There are many obvious gaps between lattice-based systems and the classic lattice problems: e.g., the systems use ideals. Important to study these gaps. 2009 Smart–Vercauteren “Fully homomorphic encryption with relatively small key and ciphertext sizes”: “Recovering the private key given the public key is therefore an instance of the small principal ideal problem: : : : Given a principal ideal : : : compute a ‘small’ generator of the ideal. This is one of the core problems in computational number theory and has formed the basis of previous cryptographic proposals, see for example [3].”

ypical lattice advertisement: Because finding short vectors high-dimensional lattices een a notoriously hard rithmic question for hundreds rs : : : we have solid and evidence that lattice-based cryptoschemes are secure.” Dangerous exaggeration! are many obvious gaps een lattice-based systems the classic lattice problems: the systems use ideals. rtant to study these gaps. 2009 Smart–Vercauteren “Fully homomorphic encryption with relatively small key and ciphertext sizes”: “Recovering the private key given the public key is therefore an instance of the small principal ideal problem: : : : Given a principal ideal : : : compute a ‘small’ generator of the ideal. This is one of the core problems in computational number theory and has formed the basis of previous cryptographic proposals, see for example [3].” Smart–V “There a approaches In conclusion private k key is an and well algorithmic particula solutions the only does not equivalent

advertisement: short vectors high-dimensional lattices riously hard stion for hundreds have solid and that lattice-based re secure.” exaggeration!

• bvious gaps

lattice-based systems lattice problems: systems use ideals. study these gaps. 2009 Smart–Vercauteren “Fully homomorphic encryption with relatively small key and ciphertext sizes”: “Recovering the private key given the public key is therefore an instance of the small principal ideal problem: : : : Given a principal ideal : : : compute a ‘small’ generator of the ideal. This is one of the core problems in computational number theory and has formed the basis of previous cryptographic proposals, see for example [3].” Smart–Vercauteren, “There are currently approaches to the In conclusion determining private key given only key is an instance and well studied problem algorithmic number particular there are solutions for this p the only sub-exponential does not find a solution equivalent to our p

advertisement: vectors es rd hundreds and lattice-based .” exaggeration! gaps systems roblems: ls. gaps. 2009 Smart–Vercauteren “Fully homomorphic encryption with relatively small key and ciphertext sizes”: “Recovering the private key given the public key is therefore an instance of the small principal ideal problem: : : : Given a principal ideal : : : compute a ‘small’ generator of the ideal. This is one of the core problems in computational number theory and has formed the basis of previous cryptographic proposals, see for example [3].” Smart–Vercauteren, continued: “There are currently two approaches to the problem. : In conclusion determining the private key given only the public key is an instance of a classical and well studied problem in algorithmic number theory. In particular there are no efficient solutions for this problem, and the only sub-exponential metho does not find a solution which equivalent to our private key

2009 Smart–Vercauteren “Fully homomorphic encryption with relatively small key and ciphertext sizes”: “Recovering the private key given the public key is therefore an instance of the small principal ideal problem: : : : Given a principal ideal : : : compute a ‘small’ generator of the ideal. This is one of the core problems in computational number theory and has formed the basis of previous cryptographic proposals, see for example [3].” Smart–Vercauteren, continued: “There are currently two approaches to the problem. : : : In conclusion determining the private key given only the public key is an instance of a classical and well studied problem in algorithmic number theory. In particular there are no efficient solutions for this problem, and the only sub-exponential method does not find a solution which is equivalent to our private key.”

Smart–Vercauteren “Fully homomorphic encryption with relatively small key and ciphertext “Recovering the private given the public key is re an instance of the small rincipal ideal problem: : : : Given rincipal ideal : : : compute a generator of the ideal.

• ne of the core problems

computational number theory has formed the basis of revious cryptographic proposals, example [3].” Smart–Vercauteren, continued: “There are currently two approaches to the problem. : : : In conclusion determining the private key given only the public key is an instance of a classical and well studied problem in algorithmic number theory. In particular there are no efficient solutions for this problem, and the only sub-exponential method does not find a solution which is equivalent to our private key.” In fact, the focus on e.g., mak for many make table for many Highlights Low-dim Far fewer consider

• f the algo

to much

ercauteren “Fully encryption with ey and ciphertext “Recovering the private public key is instance of the small roblem: : : : Given : : : compute a r of the ideal. the core problems computational number theory the basis of cryptographic proposals, [3].” Smart–Vercauteren, continued: “There are currently two approaches to the problem. : : : In conclusion determining the private key given only the public key is an instance of a classical and well studied problem in algorithmic number theory. In particular there are no efficient solutions for this problem, and the only sub-exponential method does not find a solution which is equivalent to our private key.” In fact, the classical focus on small dimensions: e.g., make table of for many quadratic make table of class for many cubic fields. Highlights multiplicative Low-dim lattice issues Far fewer papers consider scalability

• f the algorithmic

to much larger dimensions.

“Fully with ciphertext rivate the small : Given compute a ideal. roblems theory

• f

roposals, Smart–Vercauteren, continued: “There are currently two approaches to the problem. : : : In conclusion determining the private key given only the public key is an instance of a classical and well studied problem in algorithmic number theory. In particular there are no efficient solutions for this problem, and the only sub-exponential method does not find a solution which is equivalent to our private key.” In fact, the classical studies focus on small dimensions: e.g., make table of class numb for many quadratic fields, make table of class numbers for many cubic fields. Highlights multiplicative issues. Low-dim lattice issues are easy Far fewer papers consider scalability

• f the algorithmic ideas

to much larger dimensions.

Smart–Vercauteren, continued: “There are currently two approaches to the problem. : : : In conclusion determining the private key given only the public key is an instance of a classical and well studied problem in algorithmic number theory. In particular there are no efficient solutions for this problem, and the only sub-exponential method does not find a solution which is equivalent to our private key.” In fact, the classical studies focus on small dimensions: e.g., make table of class numbers for many quadratic fields, make table of class numbers for many cubic fields. Highlights multiplicative issues. Low-dim lattice issues are easy. Far fewer papers consider scalability

• f the algorithmic ideas

to much larger dimensions.

rt–Vercauteren, continued: There are currently two roaches to the problem. : : : conclusion determining the key given only the public an instance of a classical ell studied problem in rithmic number theory. In rticular there are no efficient solutions for this problem, and

• nly sub-exponential method

not find a solution which is equivalent to our private key.” In fact, the classical studies focus on small dimensions: e.g., make table of class numbers for many quadratic fields, make table of class numbers for many cubic fields. Highlights multiplicative issues. Low-dim lattice issues are easy. Far fewer papers consider scalability

• f the algorithmic ideas

to much larger dimensions. The short-generato Take degree- i.e. field (Weaker with Q ⊆

ercauteren, continued: currently two the problem. : : : determining the

• nly the public

instance of a classical problem in ber theory. In are no efficient problem, and

• nential method

solution which is

• ur private key.”

In fact, the classical studies focus on small dimensions: e.g., make table of class numbers for many quadratic fields, make table of class numbers for many cubic fields. Highlights multiplicative issues. Low-dim lattice issues are easy. Far fewer papers consider scalability

• f the algorithmic ideas

to much larger dimensions. The short-generato Take degree-n numb i.e. field K ⊆ C with (Weaker specification: with Q ⊆ K and len

continued:

• roblem. : : :

the public classical in . In efficient and method which is ey.” In fact, the classical studies focus on small dimensions: e.g., make table of class numbers for many quadratic fields, make table of class numbers for many cubic fields. Highlights multiplicative issues. Low-dim lattice issues are easy. Far fewer papers consider scalability

• f the algorithmic ideas

to much larger dimensions. The short-generator problem Take degree-n number field K i.e. field K ⊆ C with lenQ K (Weaker specification: field K with Q ⊆ K and lenQ K = n

In fact, the classical studies focus on small dimensions: e.g., make table of class numbers for many quadratic fields, make table of class numbers for many cubic fields. Highlights multiplicative issues. Low-dim lattice issues are easy. Far fewer papers consider scalability

• f the algorithmic ideas

to much larger dimensions. The short-generator problem Take degree-n number field K. i.e. field K ⊆ C with lenQ K = n. (Weaker specification: field K with Q ⊆ K and lenQ K = n.)

In fact, the classical studies focus on small dimensions: e.g., make table of class numbers for many quadratic fields, make table of class numbers for many cubic fields. Highlights multiplicative issues. Low-dim lattice issues are easy. Far fewer papers consider scalability

• f the algorithmic ideas

to much larger dimensions. The short-generator problem Take degree-n number field K. i.e. field K ⊆ C with lenQ K = n. (Weaker specification: field K with Q ⊆ K and lenQ K = n.) e.g. n = 2; K = Q(i) = Q ⊕ Qi , ։ Q[x]=(x2 + 1).

In fact, the classical studies focus on small dimensions: e.g., make table of class numbers for many quadratic fields, make table of class numbers for many cubic fields. Highlights multiplicative issues. Low-dim lattice issues are easy. Far fewer papers consider scalability

• f the algorithmic ideas

to much larger dimensions. The short-generator problem Take degree-n number field K. i.e. field K ⊆ C with lenQ K = n. (Weaker specification: field K with Q ⊆ K and lenQ K = n.) e.g. n = 2; K = Q(i) = Q ⊕ Qi , ։ Q[x]=(x2 + 1). e.g. n = 256; “ = exp(ıi=n); K = Q(“) , ։ Q[x]=(xn + 1).

In fact, the classical studies focus on small dimensions: e.g., make table of class numbers for many quadratic fields, make table of class numbers for many cubic fields. Highlights multiplicative issues. Low-dim lattice issues are easy. Far fewer papers consider scalability

• f the algorithmic ideas

to much larger dimensions. The short-generator problem Take degree-n number field K. i.e. field K ⊆ C with lenQ K = n. (Weaker specification: field K with Q ⊆ K and lenQ K = n.) e.g. n = 2; K = Q(i) = Q ⊕ Qi , ։ Q[x]=(x2 + 1). e.g. n = 256; “ = exp(ıi=n); K = Q(“) , ։ Q[x]=(xn + 1). e.g. n = 660; “ = exp(2ıi=661); K = Q(“) , ։ Q[x]=(xn + · · · + 1).

In fact, the classical studies focus on small dimensions: e.g., make table of class numbers for many quadratic fields, make table of class numbers for many cubic fields. Highlights multiplicative issues. Low-dim lattice issues are easy. Far fewer papers consider scalability

• f the algorithmic ideas

to much larger dimensions. The short-generator problem Take degree-n number field K. i.e. field K ⊆ C with lenQ K = n. (Weaker specification: field K with Q ⊆ K and lenQ K = n.) e.g. n = 2; K = Q(i) = Q ⊕ Qi , ։ Q[x]=(x2 + 1). e.g. n = 256; “ = exp(ıi=n); K = Q(“) , ։ Q[x]=(xn + 1). e.g. n = 660; “ = exp(2ıi=661); K = Q(“) , ։ Q[x]=(xn + · · · + 1). e.g. K = Q( √ 2; √ 3; √ 5; : : : ; √ 29).

fact, the classical studies

• n small dimensions:

make table of class numbers any quadratic fields, table of class numbers any cubic fields. Highlights multiplicative issues. w-dim lattice issues are easy. er papers consider scalability algorithmic ideas much larger dimensions. The short-generator problem Take degree-n number field K. i.e. field K ⊆ C with lenQ K = n. (Weaker specification: field K with Q ⊆ K and lenQ K = n.) e.g. n = 2; K = Q(i) = Q ⊕ Qi , ։ Q[x]=(x2 + 1). e.g. n = 256; “ = exp(ıi=n); K = Q(“) , ։ Q[x]=(xn + 1). e.g. n = 660; “ = exp(2ıi=661); K = Q(“) , ։ Q[x]=(xn + · · · + 1). e.g. K = Q( √ 2; √ 3; √ 5; : : : ; √ 29). Define O O , ։ Zn Nonzero factor uniquely powers of

classical studies dimensions:

• f class numbers

quadratic fields, class numbers fields. multiplicative issues. issues are easy. scalability rithmic ideas dimensions. The short-generator problem Take degree-n number field K. i.e. field K ⊆ C with lenQ K = n. (Weaker specification: field K with Q ⊆ K and lenQ K = n.) e.g. n = 2; K = Q(i) = Q ⊕ Qi , ։ Q[x]=(x2 + 1). e.g. n = 256; “ = exp(ıi=n); K = Q(“) , ։ Q[x]=(xn + 1). e.g. n = 660; “ = exp(2ıi=661); K = Q(“) , ։ Q[x]=(xn + · · · + 1). e.g. K = Q( √ 2; √ 3; √ 5; : : : ; √ 29). Define O = Z ∩ K O , ։ Zn as Z-modules. Nonzero ideals of O factor uniquely as powers of prime ideals

studies dimensions: numbers ers issues. easy. dimensions. The short-generator problem Take degree-n number field K. i.e. field K ⊆ C with lenQ K = n. (Weaker specification: field K with Q ⊆ K and lenQ K = n.) e.g. n = 2; K = Q(i) = Q ⊕ Qi , ։ Q[x]=(x2 + 1). e.g. n = 256; “ = exp(ıi=n); K = Q(“) , ։ Q[x]=(xn + 1). e.g. n = 660; “ = exp(2ıi=661); K = Q(“) , ։ Q[x]=(xn + · · · + 1). e.g. K = Q( √ 2; √ 3; √ 5; : : : ; √ 29). Define O = Z ∩ K; subring of O , ։ Zn as Z-modules. Nonzero ideals of O factor uniquely as products of powers of prime ideals of O.

The short-generator problem Take degree-n number field K. i.e. field K ⊆ C with lenQ K = n. (Weaker specification: field K with Q ⊆ K and lenQ K = n.) e.g. n = 2; K = Q(i) = Q ⊕ Qi , ։ Q[x]=(x2 + 1). e.g. n = 256; “ = exp(ıi=n); K = Q(“) , ։ Q[x]=(xn + 1). e.g. n = 660; “ = exp(2ıi=661); K = Q(“) , ։ Q[x]=(xn + · · · + 1). e.g. K = Q( √ 2; √ 3; √ 5; : : : ; √ 29). Define O = Z ∩ K; subring of K. O , ։ Zn as Z-modules. Nonzero ideals of O factor uniquely as products of powers of prime ideals of O.

The short-generator problem Take degree-n number field K. i.e. field K ⊆ C with lenQ K = n. (Weaker specification: field K with Q ⊆ K and lenQ K = n.) e.g. n = 2; K = Q(i) = Q ⊕ Qi , ։ Q[x]=(x2 + 1). e.g. n = 256; “ = exp(ıi=n); K = Q(“) , ։ Q[x]=(xn + 1). e.g. n = 660; “ = exp(2ıi=661); K = Q(“) , ։ Q[x]=(xn + · · · + 1). e.g. K = Q( √ 2; √ 3; √ 5; : : : ; √ 29). Define O = Z ∩ K; subring of K. O , ։ Zn as Z-modules. Nonzero ideals of O factor uniquely as products of powers of prime ideals of O. e.g. K = Q(i) , ։ Q[x]=(x2 + 1) ⇒ O = Z[i] , ։ Z[x]=(x2 + 1).

The short-generator problem Take degree-n number field K. i.e. field K ⊆ C with lenQ K = n. (Weaker specification: field K with Q ⊆ K and lenQ K = n.) e.g. n = 2; K = Q(i) = Q ⊕ Qi , ։ Q[x]=(x2 + 1). e.g. n = 256; “ = exp(ıi=n); K = Q(“) , ։ Q[x]=(xn + 1). e.g. n = 660; “ = exp(2ıi=661); K = Q(“) , ։ Q[x]=(xn + · · · + 1). e.g. K = Q( √ 2; √ 3; √ 5; : : : ; √ 29). Define O = Z ∩ K; subring of K. O , ։ Zn as Z-modules. Nonzero ideals of O factor uniquely as products of powers of prime ideals of O. e.g. K = Q(i) , ։ Q[x]=(x2 + 1) ⇒ O = Z[i] , ։ Z[x]=(x2 + 1). e.g. “ = exp(ıi=256), K = Q(“) ⇒ O = Z[“] , ։ Z[x]=(x256 + 1).

The short-generator problem Take degree-n number field K. i.e. field K ⊆ C with lenQ K = n. (Weaker specification: field K with Q ⊆ K and lenQ K = n.) e.g. n = 2; K = Q(i) = Q ⊕ Qi , ։ Q[x]=(x2 + 1). e.g. n = 256; “ = exp(ıi=n); K = Q(“) , ։ Q[x]=(xn + 1). e.g. n = 660; “ = exp(2ıi=661); K = Q(“) , ։ Q[x]=(xn + · · · + 1). e.g. K = Q( √ 2; √ 3; √ 5; : : : ; √ 29). Define O = Z ∩ K; subring of K. O , ։ Zn as Z-modules. Nonzero ideals of O factor uniquely as products of powers of prime ideals of O. e.g. K = Q(i) , ։ Q[x]=(x2 + 1) ⇒ O = Z[i] , ։ Z[x]=(x2 + 1). e.g. “ = exp(ıi=256), K = Q(“) ⇒ O = Z[“] , ։ Z[x]=(x256 + 1). e.g. “ = exp(2ıi=661), K = Q(“) ⇒ O = Z[“] , ։ · · ·.

The short-generator problem Take degree-n number field K. i.e. field K ⊆ C with lenQ K = n. (Weaker specification: field K with Q ⊆ K and lenQ K = n.) e.g. n = 2; K = Q(i) = Q ⊕ Qi , ։ Q[x]=(x2 + 1). e.g. n = 256; “ = exp(ıi=n); K = Q(“) , ։ Q[x]=(xn + 1). e.g. n = 660; “ = exp(2ıi=661); K = Q(“) , ։ Q[x]=(xn + · · · + 1). e.g. K = Q( √ 2; √ 3; √ 5; : : : ; √ 29). Define O = Z ∩ K; subring of K. O , ։ Zn as Z-modules. Nonzero ideals of O factor uniquely as products of powers of prime ideals of O. e.g. K = Q(i) , ։ Q[x]=(x2 + 1) ⇒ O = Z[i] , ։ Z[x]=(x2 + 1). e.g. “ = exp(ıi=256), K = Q(“) ⇒ O = Z[“] , ։ Z[x]=(x256 + 1). e.g. “ = exp(2ıi=661), K = Q(“) ⇒ O = Z[“] , ։ · · ·. e.g. K = Q( √ 5) ⇒ O = Z[(1+ √ 5)=2] , ։ Z[x]=(x2−x−1).

short-generator problem degree-n number field K. field K ⊆ C with lenQ K = n. er specification: field K ⊆ K and lenQ K = n.) = 2; K = Q(i) = i , ։ Q[x]=(x2 + 1). = 256; “ = exp(ıi=n); (“) , ։ Q[x]=(xn + 1). = 660; “ = exp(2ıi=661); (“) , ։ Q[x]=(xn + · · · + 1). = Q( √ 2; √ 3; √ 5; : : : ; √ 29). Define O = Z ∩ K; subring of K. O , ։ Zn as Z-modules. Nonzero ideals of O factor uniquely as products of powers of prime ideals of O. e.g. K = Q(i) , ։ Q[x]=(x2 + 1) ⇒ O = Z[i] , ։ Z[x]=(x2 + 1). e.g. “ = exp(ıi=256), K = Q(“) ⇒ O = Z[“] , ։ Z[x]=(x256 + 1). e.g. “ = exp(2ıi=661), K = Q(“) ⇒ O = Z[“] , ։ · · ·. e.g. K = Q( √ 5) ⇒ O = Z[(1+ √ 5)=2] , ։ Z[x]=(x2−x−1). The short-generato Find “sho given the e.g. “ = O = Z[“ The Z-submo 201 − 233 935 − 1063 979 − 1119 718 − 829 is an ideal Can you such that

rt-generator problem number field K. with lenQ K = n. ecification: field K lenQ K = n.) Q(i) = =(x2 + 1). = exp(ıi=n); [x]=(xn + 1). = exp(2ıi=661); [x]=(xn + · · · + 1). √ 3; √ 5; : : : ; √ 29). Define O = Z ∩ K; subring of K. O , ։ Zn as Z-modules. Nonzero ideals of O factor uniquely as products of powers of prime ideals of O. e.g. K = Q(i) , ։ Q[x]=(x2 + 1) ⇒ O = Z[i] , ։ Z[x]=(x2 + 1). e.g. “ = exp(ıi=256), K = Q(“) ⇒ O = Z[“] , ։ Z[x]=(x256 + 1). e.g. “ = exp(2ıi=661), K = Q(“) ⇒ O = Z[“] , ։ · · ·. e.g. K = Q( √ 5) ⇒ O = Z[(1+ √ 5)=2] , ։ Z[x]=(x2−x−1). The short-generato Find “short” nonzero given the principal e.g. “ = exp(ıi=4); O = Z[“] , ։ Z[x]= The Z-submodule 201 − 233“ − 430“ 935 − 1063“ − 1986 979 − 1119“ − 2092 718 − 829“ − 1537 is an ideal I of O. Can you find a sho such that I = gO?

roblem field K. K = n. field K n.) 1). =n); 1). =661); · · · + 1). : ; √ 29). Define O = Z ∩ K; subring of K. O , ։ Zn as Z-modules. Nonzero ideals of O factor uniquely as products of powers of prime ideals of O. e.g. K = Q(i) , ։ Q[x]=(x2 + 1) ⇒ O = Z[i] , ։ Z[x]=(x2 + 1). e.g. “ = exp(ıi=256), K = Q(“) ⇒ O = Z[“] , ։ Z[x]=(x256 + 1). e.g. “ = exp(2ıi=661), K = Q(“) ⇒ O = Z[“] , ։ · · ·. e.g. K = Q( √ 5) ⇒ O = Z[(1+ √ 5)=2] , ։ Z[x]=(x2−x−1). The short-generator problem: Find “short” nonzero g ∈ O given the principal ideal gO. e.g. “ = exp(ıi=4); K = Q(“ O = Z[“] , ։ Z[x]=(x4 + 1). The Z-submodule of O gen 201 − 233“ − 430“2 − 712“3 935 − 1063“ − 1986“2 − 3299 979 − 1119“ − 2092“2 − 3470 718 − 829“ − 1537“2 − 2546 is an ideal I of O. Can you find a short g ∈ O such that I = gO?

Define O = Z ∩ K; subring of K. O , ։ Zn as Z-modules. Nonzero ideals of O factor uniquely as products of powers of prime ideals of O. e.g. K = Q(i) , ։ Q[x]=(x2 + 1) ⇒ O = Z[i] , ։ Z[x]=(x2 + 1). e.g. “ = exp(ıi=256), K = Q(“) ⇒ O = Z[“] , ։ Z[x]=(x256 + 1). e.g. “ = exp(2ıi=661), K = Q(“) ⇒ O = Z[“] , ։ · · ·. e.g. K = Q( √ 5) ⇒ O = Z[(1+ √ 5)=2] , ։ Z[x]=(x2−x−1). The short-generator problem: Find “short” nonzero g ∈ O given the principal ideal gO. e.g. “ = exp(ıi=4); K = Q(“); O = Z[“] , ։ Z[x]=(x4 + 1). The Z-submodule of O gen by 201 − 233“ − 430“2 − 712“3, 935 − 1063“ − 1986“2 − 3299“3, 979 − 1119“ − 2092“2 − 3470“3, 718 − 829“ − 1537“2 − 2546“3 is an ideal I of O. Can you find a short g ∈ O such that I = gO?

O = Z ∩ K; subring of K. Zn as Z-modules. Nonzero ideals of O uniquely as products of ers of prime ideals of O. = Q(i) , ։ Q[x]=(x2 + 1) Z[i] , ։ Z[x]=(x2 + 1). = exp(ıi=256), K = Q(“) Z[“] , ։ Z[x]=(x256 + 1). = exp(2ıi=661), K = Q(“) Z[“] , ։ · · ·. = Q( √ 5) ⇒ O = √ 5)=2] , ։ Z[x]=(x2−x−1). The short-generator problem: Find “short” nonzero g ∈ O given the principal ideal gO. e.g. “ = exp(ıi=4); K = Q(“); O = Z[“] , ։ Z[x]=(x4 + 1). The Z-submodule of O gen by 201 − 233“ − 430“2 − 712“3, 935 − 1063“ − 1986“2 − 3299“3, 979 − 1119“ − 2092“2 − 3470“3, 718 − 829“ − 1537“2 − 2546“3 is an ideal I of O. Can you find a short g ∈ O such that I = gO? The lattice Use LLL short elements ZA + ZB A = (201 B = (935 C = (979 D = (718

K; subring of K.

• modules.
• f O

as products of ideals of O. ։ Q[x]=(x2 + 1) Z[x]=(x2 + 1). 256), K = Q(“) Z[x]=(x256 + 1). =661), K = Q(“) · · ·. ⇒ O = Z[x]=(x2−x−1). The short-generator problem: Find “short” nonzero g ∈ O given the principal ideal gO. e.g. “ = exp(ıi=4); K = Q(“); O = Z[“] , ։ Z[x]=(x4 + 1). The Z-submodule of O gen by 201 − 233“ − 430“2 − 712“3, 935 − 1063“ − 1986“2 − 3299“3, 979 − 1119“ − 2092“2 − 3470“3, 718 − 829“ − 1537“2 − 2546“3 is an ideal I of O. Can you find a short g ∈ O such that I = gO? The lattice perspective Use LLL to quickly short elements of lattice ZA + ZB + ZC + A = (201; −233; − B = (935; −1063; C = (979; −1119; D = (718; −829; −

ing of K. ducts of O. + 1) 1). Q(“)

256 + 1).

= Q(“) −x−1). The short-generator problem: Find “short” nonzero g ∈ O given the principal ideal gO. e.g. “ = exp(ıi=4); K = Q(“); O = Z[“] , ։ Z[x]=(x4 + 1). The Z-submodule of O gen by 201 − 233“ − 430“2 − 712“3, 935 − 1063“ − 1986“2 − 3299“3, 979 − 1119“ − 2092“2 − 3470“3, 718 − 829“ − 1537“2 − 2546“3 is an ideal I of O. Can you find a short g ∈ O such that I = gO? The lattice perspective Use LLL to quickly find short elements of lattice ZA + ZB + ZC + ZD where A = (201; −233; −430; −712) B = (935; −1063; −1986; −3299) C = (979; −1119; −2092; −3470) D = (718; −829; −1537; −2546)

The short-generator problem: Find “short” nonzero g ∈ O given the principal ideal gO. e.g. “ = exp(ıi=4); K = Q(“); O = Z[“] , ։ Z[x]=(x4 + 1). The Z-submodule of O gen by 201 − 233“ − 430“2 − 712“3, 935 − 1063“ − 1986“2 − 3299“3, 979 − 1119“ − 2092“2 − 3470“3, 718 − 829“ − 1537“2 − 2546“3 is an ideal I of O. Can you find a short g ∈ O such that I = gO? The lattice perspective Use LLL to quickly find short elements of lattice ZA + ZB + ZC + ZD where A = (201; −233; −430; −712); B = (935; −1063; −1986; −3299); C = (979; −1119; −2092; −3470); D = (718; −829; −1537; −2546):

The short-generator problem: Find “short” nonzero g ∈ O given the principal ideal gO. e.g. “ = exp(ıi=4); K = Q(“); O = Z[“] , ։ Z[x]=(x4 + 1). The Z-submodule of O gen by 201 − 233“ − 430“2 − 712“3, 935 − 1063“ − 1986“2 − 3299“3, 979 − 1119“ − 2092“2 − 3470“3, 718 − 829“ − 1537“2 − 2546“3 is an ideal I of O. Can you find a short g ∈ O such that I = gO? The lattice perspective Use LLL to quickly find short elements of lattice ZA + ZB + ZC + ZD where A = (201; −233; −430; −712); B = (935; −1063; −1986; −3299); C = (979; −1119; −2092; −3470); D = (718; −829; −1537; −2546): Find (3; 1; 4; 1) as −37A + 3B − 7C + 16D. This was my original g.

The short-generator problem: Find “short” nonzero g ∈ O given the principal ideal gO. e.g. “ = exp(ıi=4); K = Q(“); O = Z[“] , ։ Z[x]=(x4 + 1). The Z-submodule of O gen by 201 − 233“ − 430“2 − 712“3, 935 − 1063“ − 1986“2 − 3299“3, 979 − 1119“ − 2092“2 − 3470“3, 718 − 829“ − 1537“2 − 2546“3 is an ideal I of O. Can you find a short g ∈ O such that I = gO? The lattice perspective Use LLL to quickly find short elements of lattice ZA + ZB + ZC + ZD where A = (201; −233; −430; −712); B = (935; −1063; −1986; −3299); C = (979; −1119; −2092; −3470); D = (718; −829; −1537; −2546): Find (3; 1; 4; 1) as −37A + 3B − 7C + 16D. This was my original g. Also find, e.g., (−4; −1; 3; 1). Multiplying by root of unity (here “2) preserves shortness.

short-generator problem: “short” nonzero g ∈ O the principal ideal gO. = exp(ıi=4); K = Q(“); [“] , ։ Z[x]=(x4 + 1).

• submodule of O gen by

233“ − 430“2 − 712“3, 1063“ − 1986“2 − 3299“3, 1119“ − 2092“2 − 3470“3, 829“ − 1537“2 − 2546“3 ideal I of O.

• u find a short g ∈ O

that I = gO? The lattice perspective Use LLL to quickly find short elements of lattice ZA + ZB + ZC + ZD where A = (201; −233; −430; −712); B = (935; −1063; −1986; −3299); C = (979; −1119; −2092; −3470); D = (718; −829; −1537; −2546): Find (3; 1; 4; 1) as −37A + 3B − 7C + 16D. This was my original g. Also find, e.g., (−4; −1; 3; 1). Multiplying by root of unity (here “2) preserves shortness. For much LLL almost Big gap and size that LLL

rt-generator problem: nonzero g ∈ O rincipal ideal gO. 4); K = Q(“); ]=(x4 + 1). dule of O gen by 430“2 − 712“3, 1986“2 − 3299“3, 2092“2 − 3470“3, 1537“2 − 2546“3 O. short g ∈ O O? The lattice perspective Use LLL to quickly find short elements of lattice ZA + ZB + ZC + ZD where A = (201; −233; −430; −712); B = (935; −1063; −1986; −3299); C = (979; −1119; −2092; −3470); D = (718; −829; −1537; −2546): Find (3; 1; 4; 1) as −37A + 3B − 7C + 16D. This was my original g. Also find, e.g., (−4; −1; 3; 1). Multiplying by root of unity (here “2) preserves shortness. For much larger n: LLL almost never finds Big gap between size and size of “short” that LLL typically

roblem: O O. (“); 1). gen by “3, 3299“3, 3470“3, 2546“3 O The lattice perspective Use LLL to quickly find short elements of lattice ZA + ZB + ZC + ZD where A = (201; −233; −430; −712); B = (935; −1063; −1986; −3299); C = (979; −1119; −2092; −3470); D = (718; −829; −1537; −2546): Find (3; 1; 4; 1) as −37A + 3B − 7C + 16D. This was my original g. Also find, e.g., (−4; −1; 3; 1). Multiplying by root of unity (here “2) preserves shortness. For much larger n: LLL almost never finds g. Big gap between size of g and size of “short” vectors that LLL typically finds in I.

The lattice perspective Use LLL to quickly find short elements of lattice ZA + ZB + ZC + ZD where A = (201; −233; −430; −712); B = (935; −1063; −1986; −3299); C = (979; −1119; −2092; −3470); D = (718; −829; −1537; −2546): Find (3; 1; 4; 1) as −37A + 3B − 7C + 16D. This was my original g. Also find, e.g., (−4; −1; 3; 1). Multiplying by root of unity (here “2) preserves shortness. For much larger n: LLL almost never finds g. Big gap between size of g and size of “short” vectors that LLL typically finds in I.

The lattice perspective Use LLL to quickly find short elements of lattice ZA + ZB + ZC + ZD where A = (201; −233; −430; −712); B = (935; −1063; −1986; −3299); C = (979; −1119; −2092; −3470); D = (718; −829; −1537; −2546): Find (3; 1; 4; 1) as −37A + 3B − 7C + 16D. This was my original g. Also find, e.g., (−4; −1; 3; 1). Multiplying by root of unity (here “2) preserves shortness. For much larger n: LLL almost never finds g. Big gap between size of g and size of “short” vectors that LLL typically finds in I. Increased BKZ block size: reduced gap but slower.

The lattice perspective Use LLL to quickly find short elements of lattice ZA + ZB + ZC + ZD where A = (201; −233; −430; −712); B = (935; −1063; −1986; −3299); C = (979; −1119; −2092; −3470); D = (718; −829; −1537; −2546): Find (3; 1; 4; 1) as −37A + 3B − 7C + 16D. This was my original g. Also find, e.g., (−4; −1; 3; 1). Multiplying by root of unity (here “2) preserves shortness. For much larger n: LLL almost never finds g. Big gap between size of g and size of “short” vectors that LLL typically finds in I. Increased BKZ block size: reduced gap but slower. Fancier lattice algorithms: Under reasonable assumptions, 2015 Laarhoven–de Weger finds g in time ≈1:23n. Big progress compared to, e.g., 2008 Nguyen–Vidick (≈1:33n) but still exponential time.

lattice perspective LLL to quickly find elements of lattice ZB + ZC + ZD where (201; −233; −430; −712); (935; −1063; −1986; −3299); (979; −1119; −2092; −3470); (718; −829; −1537; −2546): (3; 1; 4; 1) as + 3B − 7C + 16D. as my original g. find, e.g., (−4; −1; 3; 1). Multiplying by root of unity “2) preserves shortness. For much larger n: LLL almost never finds g. Big gap between size of g and size of “short” vectors that LLL typically finds in I. Increased BKZ block size: reduced gap but slower. Fancier lattice algorithms: Under reasonable assumptions, 2015 Laarhoven–de Weger finds g in time ≈1:23n. Big progress compared to, e.g., 2008 Nguyen–Vidick (≈1:33n) but still exponential time. Exploiting Use LLL, generate What happ Pure lattice Work much

erspective quickly find

• f lattice

+ ZD where ; −430; −712); 1063; −1986; −3299); 1119; −2092; −3470); ; −1537; −2546): as C + 16D. riginal g. −4; −1; 3; 1). root of unity serves shortness. For much larger n: LLL almost never finds g. Big gap between size of g and size of “short” vectors that LLL typically finds in I. Increased BKZ block size: reduced gap but slower. Fancier lattice algorithms: Under reasonable assumptions, 2015 Laarhoven–de Weger finds g in time ≈1:23n. Big progress compared to, e.g., 2008 Nguyen–Vidick (≈1:33n) but still exponential time. Exploiting factorization Use LLL, BKZ, etc. generate rather sho What happens if ¸ Pure lattice approach: Work much harder,

where 712); −3299); −3470); 2546): 1). unity rtness. For much larger n: LLL almost never finds g. Big gap between size of g and size of “short” vectors that LLL typically finds in I. Increased BKZ block size: reduced gap but slower. Fancier lattice algorithms: Under reasonable assumptions, 2015 Laarhoven–de Weger finds g in time ≈1:23n. Big progress compared to, e.g., 2008 Nguyen–Vidick (≈1:33n) but still exponential time. Exploiting factorization Use LLL, BKZ, etc. to generate rather short ¸ ∈ gO What happens if ¸O = gO? Pure lattice approach: Disca Work much harder, find shorter

For much larger n: LLL almost never finds g. Big gap between size of g and size of “short” vectors that LLL typically finds in I. Increased BKZ block size: reduced gap but slower. Fancier lattice algorithms: Under reasonable assumptions, 2015 Laarhoven–de Weger finds g in time ≈1:23n. Big progress compared to, e.g., 2008 Nguyen–Vidick (≈1:33n) but still exponential time. Exploiting factorization Use LLL, BKZ, etc. to generate rather short ¸ ∈ gO. What happens if ¸O = gO? Pure lattice approach: Discard ¸. Work much harder, find shorter ¸.

For much larger n: LLL almost never finds g. Big gap between size of g and size of “short” vectors that LLL typically finds in I. Increased BKZ block size: reduced gap but slower. Fancier lattice algorithms: Under reasonable assumptions, 2015 Laarhoven–de Weger finds g in time ≈1:23n. Big progress compared to, e.g., 2008 Nguyen–Vidick (≈1:33n) but still exponential time. Exploiting factorization Use LLL, BKZ, etc. to generate rather short ¸ ∈ gO. What happens if ¸O = gO? Pure lattice approach: Discard ¸. Work much harder, find shorter ¸. Alternative: Gain information from factorization of ideals.

For much larger n: LLL almost never finds g. Big gap between size of g and size of “short” vectors that LLL typically finds in I. Increased BKZ block size: reduced gap but slower. Fancier lattice algorithms: Under reasonable assumptions, 2015 Laarhoven–de Weger finds g in time ≈1:23n. Big progress compared to, e.g., 2008 Nguyen–Vidick (≈1:33n) but still exponential time. Exploiting factorization Use LLL, BKZ, etc. to generate rather short ¸ ∈ gO. What happens if ¸O = gO? Pure lattice approach: Discard ¸. Work much harder, find shorter ¸. Alternative: Gain information from factorization of ideals. e.g. If ¸1O = gO · P 2 · Q2

For much larger n: LLL almost never finds g. Big gap between size of g and size of “short” vectors that LLL typically finds in I. Increased BKZ block size: reduced gap but slower. Fancier lattice algorithms: Under reasonable assumptions, 2015 Laarhoven–de Weger finds g in time ≈1:23n. Big progress compared to, e.g., 2008 Nguyen–Vidick (≈1:33n) but still exponential time. Exploiting factorization Use LLL, BKZ, etc. to generate rather short ¸ ∈ gO. What happens if ¸O = gO? Pure lattice approach: Discard ¸. Work much harder, find shorter ¸. Alternative: Gain information from factorization of ideals. e.g. If ¸1O = gO · P 2 · Q2 and ¸2O = gO · P · Q3

For much larger n: LLL almost never finds g. Big gap between size of g and size of “short” vectors that LLL typically finds in I. Increased BKZ block size: reduced gap but slower. Fancier lattice algorithms: Under reasonable assumptions, 2015 Laarhoven–de Weger finds g in time ≈1:23n. Big progress compared to, e.g., 2008 Nguyen–Vidick (≈1:33n) but still exponential time. Exploiting factorization Use LLL, BKZ, etc. to generate rather short ¸ ∈ gO. What happens if ¸O = gO? Pure lattice approach: Discard ¸. Work much harder, find shorter ¸. Alternative: Gain information from factorization of ideals. e.g. If ¸1O = gO · P 2 · Q2 and ¸2O = gO · P · Q3 and ¸3O = gO · P · Q2

For much larger n: LLL almost never finds g. Big gap between size of g and size of “short” vectors that LLL typically finds in I. Increased BKZ block size: reduced gap but slower. Fancier lattice algorithms: Under reasonable assumptions, 2015 Laarhoven–de Weger finds g in time ≈1:23n. Big progress compared to, e.g., 2008 Nguyen–Vidick (≈1:33n) but still exponential time. Exploiting factorization Use LLL, BKZ, etc. to generate rather short ¸ ∈ gO. What happens if ¸O = gO? Pure lattice approach: Discard ¸. Work much harder, find shorter ¸. Alternative: Gain information from factorization of ideals. e.g. If ¸1O = gO · P 2 · Q2 and ¸2O = gO · P · Q3 and ¸3O = gO · P · Q2 then P = ¸1¸−1

3 O and Q = ¸2¸−1 3 O

and gO = ¸−1

1 ¸−2 2 ¸4 3O.

much larger n: almost never finds g. gap between size of g size of “short” vectors LLL typically finds in I. Increased BKZ block size: reduced gap but slower. ancier lattice algorithms: reasonable assumptions, Laarhoven–de Weger in time ≈1:23n. rogress compared to, e.g., Nguyen–Vidick (≈1:33n) still exponential time. Exploiting factorization Use LLL, BKZ, etc. to generate rather short ¸ ∈ gO. What happens if ¸O = gO? Pure lattice approach: Discard ¸. Work much harder, find shorter ¸. Alternative: Gain information from factorization of ideals. e.g. If ¸1O = gO · P 2 · Q2 and ¸2O = gO · P · Q3 and ¸3O = gO · P · Q2 then P = ¸1¸−1

3 O and Q = ¸2¸−1 3 O

and gO = ¸−1

1 ¸−2 2 ¸4 3O.

General strategy: factor ¸O

• f some

Solve system to find generato as product

n: never finds g. size of g rt” vectors ypically finds in I. block size: slower. algorithms: reasonable assumptions, rhoven–de Weger ≈1:23n. compared to, e.g., en–Vidick (≈1:33n)

• nential time.

Exploiting factorization Use LLL, BKZ, etc. to generate rather short ¸ ∈ gO. What happens if ¸O = gO? Pure lattice approach: Discard ¸. Work much harder, find shorter ¸. Alternative: Gain information from factorization of ideals. e.g. If ¸1O = gO · P 2 · Q2 and ¸2O = gO · P · Q3 and ¸3O = gO · P · Q2 then P = ¸1¸−1

3 O and Q = ¸2¸−1 3 O

and gO = ¸−1

1 ¸−2 2 ¸4 3O.

General strategy: F factor ¸O into pro

• f some primes and

Solve system of equations to find generator fo as product of powers

rs I. sumptions, e.g., 33n) Exploiting factorization Use LLL, BKZ, etc. to generate rather short ¸ ∈ gO. What happens if ¸O = gO? Pure lattice approach: Discard ¸. Work much harder, find shorter ¸. Alternative: Gain information from factorization of ideals. e.g. If ¸1O = gO · P 2 · Q2 and ¸2O = gO · P · Q3 and ¸3O = gO · P · Q2 then P = ¸1¸−1

3 O and Q = ¸2¸−1 3 O

and gO = ¸−1

1 ¸−2 2 ¸4 3O.

General strategy: For many factor ¸O into products of p

• f some primes and gO.

Solve system of equations to find generator for gO as product of powers of the

Exploiting factorization Use LLL, BKZ, etc. to generate rather short ¸ ∈ gO. What happens if ¸O = gO? Pure lattice approach: Discard ¸. Work much harder, find shorter ¸. Alternative: Gain information from factorization of ideals. e.g. If ¸1O = gO · P 2 · Q2 and ¸2O = gO · P · Q3 and ¸3O = gO · P · Q2 then P = ¸1¸−1

3 O and Q = ¸2¸−1 3 O

and gO = ¸−1

1 ¸−2 2 ¸4 3O.

General strategy: For many ¸’s, factor ¸O into products of powers

• f some primes and gO.

Solve system of equations to find generator for gO as product of powers of the ¸’s.

Exploiting factorization Use LLL, BKZ, etc. to generate rather short ¸ ∈ gO. What happens if ¸O = gO? Pure lattice approach: Discard ¸. Work much harder, find shorter ¸. Alternative: Gain information from factorization of ideals. e.g. If ¸1O = gO · P 2 · Q2 and ¸2O = gO · P · Q3 and ¸3O = gO · P · Q2 then P = ¸1¸−1

3 O and Q = ¸2¸−1 3 O

and gO = ¸−1

1 ¸−2 2 ¸4 3O.

General strategy: For many ¸’s, factor ¸O into products of powers

• f some primes and gO.

Solve system of equations to find generator for gO as product of powers of the ¸’s. “Can the system be solved?” — Becomes increasingly reasonable to expect as the number of equations approaches and passes the number of primes.

Exploiting factorization Use LLL, BKZ, etc. to generate rather short ¸ ∈ gO. What happens if ¸O = gO? Pure lattice approach: Discard ¸. Work much harder, find shorter ¸. Alternative: Gain information from factorization of ideals. e.g. If ¸1O = gO · P 2 · Q2 and ¸2O = gO · P · Q3 and ¸3O = gO · P · Q2 then P = ¸1¸−1

3 O and Q = ¸2¸−1 3 O

and gO = ¸−1

1 ¸−2 2 ¸4 3O.

General strategy: For many ¸’s, factor ¸O into products of powers

• f some primes and gO.

Solve system of equations to find generator for gO as product of powers of the ¸’s. “Can the system be solved?” — Becomes increasingly reasonable to expect as the number of equations approaches and passes the number of primes. “But {primes} is infinite!”

Exploiting factorization LLL, BKZ, etc. to generate rather short ¸ ∈ gO. happens if ¸O = gO? lattice approach: Discard ¸. much harder, find shorter ¸. Alternative: Gain information factorization of ideals. ¸1O = gO · P 2 · Q2 O = gO · P · Q3 O = gO · P · Q2 then

1¸−1 3 O and Q = ¸2¸−1 3 O

O = ¸−1

1 ¸−2 2 ¸4 3O.

General strategy: For many ¸’s, factor ¸O into products of powers

• f some primes and gO.

Solve system of equations to find generator for gO as product of powers of the ¸’s. “Can the system be solved?” — Becomes increasingly reasonable to expect as the number of equations approaches and passes the number of primes. “But {primes} is infinite!” — Restrict e.g., all p

ization

• etc. to

short ¸ ∈ gO. if ¸O = gO? roach: Discard ¸. rder, find shorter ¸. Gain information ization of ideals. O · P 2 · Q2 · P · Q3 · P · Q2 then and Q = ¸2¸−1

3 O −2 2 ¸4 3O.

General strategy: For many ¸’s, factor ¸O into products of powers

• f some primes and gO.

Solve system of equations to find generator for gO as product of powers of the ¸’s. “Can the system be solved?” — Becomes increasingly reasonable to expect as the number of equations approaches and passes the number of primes. “But {primes} is infinite!” — Restrict to a “facto e.g., all primes of no

gO. O? Discard ¸. shorter ¸. rmation ideals. then ¸−1

3 O

General strategy: For many ¸’s, factor ¸O into products of powers

• f some primes and gO.

Solve system of equations to find generator for gO as product of powers of the ¸’s. “Can the system be solved?” — Becomes increasingly reasonable to expect as the number of equations approaches and passes the number of primes. “But {primes} is infinite!” — Restrict to a “factor base”: e.g., all primes of norm ≤y.

General strategy: For many ¸’s, factor ¸O into products of powers

• f some primes and gO.

Solve system of equations to find generator for gO as product of powers of the ¸’s. “Can the system be solved?” — Becomes increasingly reasonable to expect as the number of equations approaches and passes the number of primes. “But {primes} is infinite!” — Restrict to a “factor base”: e.g., all primes of norm ≤y.

General strategy: For many ¸’s, factor ¸O into products of powers

• f some primes and gO.

Solve system of equations to find generator for gO as product of powers of the ¸’s. “Can the system be solved?” — Becomes increasingly reasonable to expect as the number of equations approaches and passes the number of primes. “But {primes} is infinite!” — Restrict to a “factor base”: e.g., all primes of norm ≤y. “But what if ¸O doesn’t factor into those primes?”

General strategy: For many ¸’s, factor ¸O into products of powers

• f some primes and gO.

Solve system of equations to find generator for gO as product of powers of the ¸’s. “Can the system be solved?” — Becomes increasingly reasonable to expect as the number of equations approaches and passes the number of primes. “But {primes} is infinite!” — Restrict to a “factor base”: e.g., all primes of norm ≤y. “But what if ¸O doesn’t factor into those primes?” — Then throw it away. But often it does factor.

General strategy: For many ¸’s, factor ¸O into products of powers

• f some primes and gO.

Solve system of equations to find generator for gO as product of powers of the ¸’s. “Can the system be solved?” — Becomes increasingly reasonable to expect as the number of equations approaches and passes the number of primes. “But {primes} is infinite!” — Restrict to a “factor base”: e.g., all primes of norm ≤y. “But what if ¸O doesn’t factor into those primes?” — Then throw it away. But often it does factor. Familiar issue from “index calculus” DL methods, CFRAC, LS, QS, NFS, etc. Model the norm of (¸=g)O as “random” integer in [1; x]; y-smoothness chance ≈1=y if log y ≈ p (1=2) log x log log x.

General strategy: For many ¸’s, ¸O into products of powers some primes and gO. system of equations generator for gO duct of powers of the ¸’s. the system be solved?” Becomes increasingly reasonable to expect as the er of equations approaches passes the number of primes. {primes} is infinite!” — Restrict to a “factor base”: e.g., all primes of norm ≤y. “But what if ¸O doesn’t factor into those primes?” — Then throw it away. But often it does factor. Familiar issue from “index calculus” DL methods, CFRAC, LS, QS, NFS, etc. Model the norm of (¸=g)O as “random” integer in [1; x]; y-smoothness chance ≈1=y if log y ≈ p (1=2) log x log log x. Variation: Generate factor ¸O After enough solve sys

• btain generato

strategy: For many ¸’s, roducts of powers and gO. equations r for gO wers of the ¸’s. be solved?” increasingly expect as the equations approaches number of primes. is infinite!” — Restrict to a “factor base”: e.g., all primes of norm ≤y. “But what if ¸O doesn’t factor into those primes?” — Then throw it away. But often it does factor. Familiar issue from “index calculus” DL methods, CFRAC, LS, QS, NFS, etc. Model the norm of (¸=g)O as “random” integer in [1; x]; y-smoothness chance ≈1=y if log y ≈ p (1=2) log x log log x. Variation: Ignore g Generate rather sho factor ¸O into small After enough ¸’s, solve system of equations;

• btain generator fo

many ¸’s,

• f powers

the ¸’s. solved?” the roaches primes. — Restrict to a “factor base”: e.g., all primes of norm ≤y. “But what if ¸O doesn’t factor into those primes?” — Then throw it away. But often it does factor. Familiar issue from “index calculus” DL methods, CFRAC, LS, QS, NFS, etc. Model the norm of (¸=g)O as “random” integer in [1; x]; y-smoothness chance ≈1=y if log y ≈ p (1=2) log x log log x. Variation: Ignore gO. Generate rather short ¸ ∈ O factor ¸O into small primes. After enough ¸’s, solve system of equations;

• btain generator for each prime.

— Restrict to a “factor base”: e.g., all primes of norm ≤y. “But what if ¸O doesn’t factor into those primes?” — Then throw it away. But often it does factor. Familiar issue from “index calculus” DL methods, CFRAC, LS, QS, NFS, etc. Model the norm of (¸=g)O as “random” integer in [1; x]; y-smoothness chance ≈1=y if log y ≈ p (1=2) log x log log x. Variation: Ignore gO. Generate rather short ¸ ∈ O, factor ¸O into small primes. After enough ¸’s, solve system of equations;

• btain generator for each prime.

— Restrict to a “factor base”: e.g., all primes of norm ≤y. “But what if ¸O doesn’t factor into those primes?” — Then throw it away. But often it does factor. Familiar issue from “index calculus” DL methods, CFRAC, LS, QS, NFS, etc. Model the norm of (¸=g)O as “random” integer in [1; x]; y-smoothness chance ≈1=y if log y ≈ p (1=2) log x log log x. Variation: Ignore gO. Generate rather short ¸ ∈ O, factor ¸O into small primes. After enough ¸’s, solve system of equations;

• btain generator for each prime.

After this precomputation, factor one ¸O ⊆ gO;

• btain generator for gO.

— Restrict to a “factor base”: e.g., all primes of norm ≤y. “But what if ¸O doesn’t factor into those primes?” — Then throw it away. But often it does factor. Familiar issue from “index calculus” DL methods, CFRAC, LS, QS, NFS, etc. Model the norm of (¸=g)O as “random” integer in [1; x]; y-smoothness chance ≈1=y if log y ≈ p (1=2) log x log log x. Variation: Ignore gO. Generate rather short ¸ ∈ O, factor ¸O into small primes. After enough ¸’s, solve system of equations;

• btain generator for each prime.

After this precomputation, factor one ¸O ⊆ gO;

• btain generator for gO.

“Do all primes have generators?”

— Restrict to a “factor base”: e.g., all primes of norm ≤y. “But what if ¸O doesn’t factor into those primes?” — Then throw it away. But often it does factor. Familiar issue from “index calculus” DL methods, CFRAC, LS, QS, NFS, etc. Model the norm of (¸=g)O as “random” integer in [1; x]; y-smoothness chance ≈1=y if log y ≈ p (1=2) log x log log x. Variation: Ignore gO. Generate rather short ¸ ∈ O, factor ¸O into small primes. After enough ¸’s, solve system of equations;

• btain generator for each prime.

After this precomputation, factor one ¸O ⊆ gO;

• btain generator for gO.

“Do all primes have generators?” — Standard heuristics: For many (most?) number fields, yes; but for big cyclotomics, no! Modulo a few small primes, yes.

Restrict to a “factor base”: all primes of norm ≤y. what if ¸O doesn’t into those primes?” Then throw it away.

• ften it does factor.

amiliar issue from calculus” DL methods, C, LS, QS, NFS, etc. the norm of (¸=g)O “random” integer in [1; x];

• thness chance ≈1=y

≈ p (1=2) log x log log x. Variation: Ignore gO. Generate rather short ¸ ∈ O, factor ¸O into small primes. After enough ¸’s, solve system of equations;

• btain generator for each prime.

After this precomputation, factor one ¸O ⊆ gO;

• btain generator for gO.

“Do all primes have generators?” — Standard heuristics: For many (most?) number fields, yes; but for big cyclotomics, no! Modulo a few small primes, yes. {principal kernel of {nonzero C is a finite the “class Fundamental in algebraic

“factor base”:

• f norm ≤y.

doesn’t primes?” it away. es factor. from DL methods, QS, NFS, etc.

• f (¸=g)O

integer in [1; x]; chance ≈1=y 2) log x log log x. Variation: Ignore gO. Generate rather short ¸ ∈ O, factor ¸O into small primes. After enough ¸’s, solve system of equations;

• btain generator for each prime.

After this precomputation, factor one ¸O ⊆ gO;

• btain generator for gO.

“Do all primes have generators?” — Standard heuristics: For many (most?) number fields, yes; but for big cyclotomics, no! Modulo a few small primes, yes. {principal nonzero kernel of a semigroup {nonzero ideals} ։ C is a finite abelian the “class group of Fundamental objec in algebraic numbe

base”: y. methods, etc. O x]; =y log x. Variation: Ignore gO. Generate rather short ¸ ∈ O, factor ¸O into small primes. After enough ¸’s, solve system of equations;

• btain generator for each prime.

After this precomputation, factor one ¸O ⊆ gO;

• btain generator for gO.

“Do all primes have generators?” — Standard heuristics: For many (most?) number fields, yes; but for big cyclotomics, no! Modulo a few small primes, yes. {principal nonzero ideals} is kernel of a semigroup map {nonzero ideals} ։ C where C is a finite abelian group, the “class group of K”. Fundamental object of study in algebraic number theory.

Variation: Ignore gO. Generate rather short ¸ ∈ O, factor ¸O into small primes. After enough ¸’s, solve system of equations;

• btain generator for each prime.

After this precomputation, factor one ¸O ⊆ gO;

• btain generator for gO.

“Do all primes have generators?” — Standard heuristics: For many (most?) number fields, yes; but for big cyclotomics, no! Modulo a few small primes, yes. {principal nonzero ideals} is kernel of a semigroup map {nonzero ideals} ։ C where C is a finite abelian group, the “class group of K”. Fundamental object of study in algebraic number theory.

Variation: Ignore gO. Generate rather short ¸ ∈ O, factor ¸O into small primes. After enough ¸’s, solve system of equations;

• btain generator for each prime.

After this precomputation, factor one ¸O ⊆ gO;

• btain generator for gO.

“Do all primes have generators?” — Standard heuristics: For many (most?) number fields, yes; but for big cyclotomics, no! Modulo a few small primes, yes. {principal nonzero ideals} is kernel of a semigroup map {nonzero ideals} ։ C where C is a finite abelian group, the “class group of K”. Fundamental object of study in algebraic number theory. Factoring many small ¸O is a standard textbook method

• f computing class group

and generators of ideals.

Variation: Ignore gO. Generate rather short ¸ ∈ O, factor ¸O into small primes. After enough ¸’s, solve system of equations;

• btain generator for each prime.

After this precomputation, factor one ¸O ⊆ gO;

• btain generator for gO.

“Do all primes have generators?” — Standard heuristics: For many (most?) number fields, yes; but for big cyclotomics, no! Modulo a few small primes, yes. {principal nonzero ideals} is kernel of a semigroup map {nonzero ideals} ։ C where C is a finite abelian group, the “class group of K”. Fundamental object of study in algebraic number theory. Factoring many small ¸O is a standard textbook method

• f computing class group

and generators of ideals. Also compute unit group O∗ via ratios of generators.

riation: Ignore gO. Generate rather short ¸ ∈ O, ¸O into small primes. enough ¸’s, system of equations; generator for each prime. this precomputation,

• ne ¸O ⊆ gO;

generator for gO. all primes have generators?” Standard heuristics: many (most?) number fields, but for big cyclotomics, no! dulo a few small primes, yes. {principal nonzero ideals} is kernel of a semigroup map {nonzero ideals} ։ C where C is a finite abelian group, the “class group of K”. Fundamental object of study in algebraic number theory. Factoring many small ¸O is a standard textbook method

• f computing class group

and generators of ideals. Also compute unit group O∗ via ratios of generators. A note on Smart–V regarding Buchmann: complexit p log(∆)

re gO. short ¸ ∈ O, small primes. ’s, equations; for each prime. recomputation, gO; for gO. have generators?” heuristics: (most?) number fields, cyclotomics, no! small primes, yes. {principal nonzero ideals} is kernel of a semigroup map {nonzero ideals} ։ C where C is a finite abelian group, the “class group of K”. Fundamental object of study in algebraic number theory. Factoring many small ¸O is a standard textbook method

• f computing class group

and generators of ideals. Also compute unit group O∗ via ratios of generators. A note on time analysis Smart–Vercauteren regarding similar algo Buchmann: “This complexity exp(O( p log(∆) · log log(∆)).”

O, rimes. prime. recomputation, rators?” fields, cyclotomics, no! rimes, yes. {principal nonzero ideals} is kernel of a semigroup map {nonzero ideals} ։ C where C is a finite abelian group, the “class group of K”. Fundamental object of study in algebraic number theory. Factoring many small ¸O is a standard textbook method

• f computing class group

and generators of ideals. Also compute unit group O∗ via ratios of generators. A note on time analysis Smart–Vercauteren statement regarding similar algorithm b Buchmann: “This method has complexity exp(O(N log N) · p log(∆) · log log(∆)).”

{principal nonzero ideals} is kernel of a semigroup map {nonzero ideals} ։ C where C is a finite abelian group, the “class group of K”. Fundamental object of study in algebraic number theory. Factoring many small ¸O is a standard textbook method

• f computing class group

and generators of ideals. Also compute unit group O∗ via ratios of generators. A note on time analysis Smart–Vercauteren statement regarding similar algorithm by Buchmann: “This method has complexity exp(O(N log N) · p log(∆) · log log(∆)).”

{principal nonzero ideals} is kernel of a semigroup map {nonzero ideals} ։ C where C is a finite abelian group, the “class group of K”. Fundamental object of study in algebraic number theory. Factoring many small ¸O is a standard textbook method

• f computing class group

and generators of ideals. Also compute unit group O∗ via ratios of generators. A note on time analysis Smart–Vercauteren statement regarding similar algorithm by Buchmann: “This method has complexity exp(O(N log N) · p log(∆) · log log(∆)).” — [citation needed]

{principal nonzero ideals} is kernel of a semigroup map {nonzero ideals} ։ C where C is a finite abelian group, the “class group of K”. Fundamental object of study in algebraic number theory. Factoring many small ¸O is a standard textbook method

• f computing class group

and generators of ideals. Also compute unit group O∗ via ratios of generators. A note on time analysis Smart–Vercauteren statement regarding similar algorithm by Buchmann: “This method has complexity exp(O(N log N) · p log(∆) · log log(∆)).” — [citation needed] Did they mean Θ? And +? exp(Θ(N log N)) factor for short-vector enumeration? Silly: BKZ works just fine.

{principal nonzero ideals} is kernel of a semigroup map {nonzero ideals} ։ C where C is a finite abelian group, the “class group of K”. Fundamental object of study in algebraic number theory. Factoring many small ¸O is a standard textbook method

• f computing class group

and generators of ideals. Also compute unit group O∗ via ratios of generators. A note on time analysis Smart–Vercauteren statement regarding similar algorithm by Buchmann: “This method has complexity exp(O(N log N) · p log(∆) · log log(∆)).” — [citation needed] Did they mean Θ? And +? exp(Θ(N log N)) factor for short-vector enumeration? Silly: BKZ works just fine. The whole algorithm will be subexponential unless norms are much worse than exponential.

rincipal nonzero ideals} is

• f a semigroup map

nonzero ideals} ։ C where finite abelian group, “class group of K”. undamental object of study algebraic number theory. ring many small ¸O standard textbook method computing class group generators of ideals. compute unit group O∗ ratios of generators. A note on time analysis Smart–Vercauteren statement regarding similar algorithm by Buchmann: “This method has complexity exp(O(N log N) · p log(∆) · log log(∆)).” — [citation needed] Did they mean Θ? And +? exp(Θ(N log N)) factor for short-vector enumeration? Silly: BKZ works just fine. The whole algorithm will be subexponential unless norms are much worse than exponential. Big generato Smart–V this metho a generato with large large, that generato „ may tak Indeed, generato product Must be but extremely

nonzero ideals} is semigroup map ։ C where elian group,

• f K”.

ject of study number theory. small ¸O textbook method class group

• f ideals.

unit group O∗ generators. A note on time analysis Smart–Vercauteren statement regarding similar algorithm by Buchmann: “This method has complexity exp(O(N log N) · p log(∆) · log log(∆)).” — [citation needed] Did they mean Θ? And +? exp(Θ(N log N)) factor for short-vector enumeration? Silly: BKZ works just fine. The whole algorithm will be subexponential unless norms are much worse than exponential. Big generator Smart–Vercauteren: this method is likely a generator of large with large coefficients. large, that writing generator down as „ may take exponential Indeed, generator found product of powers Must be gu for som but extremely unlik

is where group, study . method O∗ A note on time analysis Smart–Vercauteren statement regarding similar algorithm by Buchmann: “This method has complexity exp(O(N log N) · p log(∆) · log log(∆)).” — [citation needed] Did they mean Θ? And +? exp(Θ(N log N)) factor for short-vector enumeration? Silly: BKZ works just fine. The whole algorithm will be subexponential unless norms are much worse than exponential. Big generator Smart–Vercauteren: “However this method is likely to produce a generator of large height, i.e., with large coefficients. Indeed large, that writing the obtained generator down as a polynomial „ may take exponential time.” Indeed, generator found for g product of powers of various Must be gu for some u ∈ O but extremely unlikely to be

A note on time analysis Smart–Vercauteren statement regarding similar algorithm by Buchmann: “This method has complexity exp(O(N log N) · p log(∆) · log log(∆)).” — [citation needed] Did they mean Θ? And +? exp(Θ(N log N)) factor for short-vector enumeration? Silly: BKZ works just fine. The whole algorithm will be subexponential unless norms are much worse than exponential. Big generator Smart–Vercauteren: “However this method is likely to produce a generator of large height, i.e., with large coefficients. Indeed so large, that writing the obtained generator down as a polynomial in „ may take exponential time.” Indeed, generator found for gO is product of powers of various ¸’s. Must be gu for some u ∈ O∗, but extremely unlikely to be g.

A note on time analysis Smart–Vercauteren statement regarding similar algorithm by Buchmann: “This method has complexity exp(O(N log N) · p log(∆) · log log(∆)).” — [citation needed] Did they mean Θ? And +? exp(Θ(N log N)) factor for short-vector enumeration? Silly: BKZ works just fine. The whole algorithm will be subexponential unless norms are much worse than exponential. Big generator Smart–Vercauteren: “However this method is likely to produce a generator of large height, i.e., with large coefficients. Indeed so large, that writing the obtained generator down as a polynomial in „ may take exponential time.” Indeed, generator found for gO is product of powers of various ¸’s. Must be gu for some u ∈ O∗, but extremely unlikely to be g. How do we find g from gu?

• n time analysis

rt–Vercauteren statement rding similar algorithm by Buchmann: “This method has complexity exp(O(N log N) · (∆) · log log(∆)).” [citation needed] they mean Θ? And +? exp(Θ(N log N)) factor rt-vector enumeration? BKZ works just fine. whole algorithm will be

• nential unless norms are

worse than exponential. Big generator Smart–Vercauteren: “However this method is likely to produce a generator of large height, i.e., with large coefficients. Indeed so large, that writing the obtained generator down as a polynomial in „ may take exponential time.” Indeed, generator found for gO is product of powers of various ¸’s. Must be gu for some u ∈ O∗, but extremely unlikely to be g. How do we find g from gu? There ar ring maps

analysis ercauteren statement algorithm by “This method has (N log N) · log(∆)).” needed] Θ? And +? factor enumeration? rks just fine. rithm will be unless norms are than exponential. Big generator Smart–Vercauteren: “However this method is likely to produce a generator of large height, i.e., with large coefficients. Indeed so large, that writing the obtained generator down as a polynomial in „ may take exponential time.” Indeed, generator found for gO is product of powers of various ¸’s. Must be gu for some u ∈ O∗, but extremely unlikely to be g. How do we find g from gu? There are exactly n ring maps ’1; : : : ;

statement by has ) · +? enumeration? fine. e rms are

• nential.

Big generator Smart–Vercauteren: “However this method is likely to produce a generator of large height, i.e., with large coefficients. Indeed so large, that writing the obtained generator down as a polynomial in „ may take exponential time.” Indeed, generator found for gO is product of powers of various ¸’s. Must be gu for some u ∈ O∗, but extremely unlikely to be g. How do we find g from gu? There are exactly n distinct ring maps ’1; : : : ; ’n : K →

Big generator Smart–Vercauteren: “However this method is likely to produce a generator of large height, i.e., with large coefficients. Indeed so large, that writing the obtained generator down as a polynomial in „ may take exponential time.” Indeed, generator found for gO is product of powers of various ¸’s. Must be gu for some u ∈ O∗, but extremely unlikely to be g. How do we find g from gu? There are exactly n distinct ring maps ’1; : : : ; ’n : K → C.

Big generator Smart–Vercauteren: “However this method is likely to produce a generator of large height, i.e., with large coefficients. Indeed so large, that writing the obtained generator down as a polynomial in „ may take exponential time.” Indeed, generator found for gO is product of powers of various ¸’s. Must be gu for some u ∈ O∗, but extremely unlikely to be g. How do we find g from gu? There are exactly n distinct ring maps ’1; : : : ; ’n : K → C. Define Log : K∗ → Rn by Log = (log |’1|; : : : ; log |’n|).

Big generator Smart–Vercauteren: “However this method is likely to produce a generator of large height, i.e., with large coefficients. Indeed so large, that writing the obtained generator down as a polynomial in „ may take exponential time.” Indeed, generator found for gO is product of powers of various ¸’s. Must be gu for some u ∈ O∗, but extremely unlikely to be g. How do we find g from gu? There are exactly n distinct ring maps ’1; : : : ; ’n : K → C. Define Log : K∗ → Rn by Log = (log |’1|; : : : ; log |’n|). Log O∗ is a lattice

• f rank r1 + r2 − 1 where

r1 = #{i : ’i(K) ⊆ R}, 2r2 = #{i : ’i(K) ⊆ R}.

Big generator Smart–Vercauteren: “However this method is likely to produce a generator of large height, i.e., with large coefficients. Indeed so large, that writing the obtained generator down as a polynomial in „ may take exponential time.” Indeed, generator found for gO is product of powers of various ¸’s. Must be gu for some u ∈ O∗, but extremely unlikely to be g. How do we find g from gu? There are exactly n distinct ring maps ’1; : : : ; ’n : K → C. Define Log : K∗ → Rn by Log = (log |’1|; : : : ; log |’n|). Log O∗ is a lattice

• f rank r1 + r2 − 1 where

r1 = #{i : ’i(K) ⊆ R}, 2r2 = #{i : ’i(K) ⊆ R}. e.g. “ = exp(ıi=256), K = Q(“): images of “ under ring maps are “; “3; “5; : : : ; “511. r1 = 0; r2 = 128; rank 127.

generator rt–Vercauteren: “However method is likely to produce generator of large height, i.e., rge coefficients. Indeed so that writing the obtained generator down as a polynomial in take exponential time.” Indeed, generator found for gO is duct of powers of various ¸’s. be gu for some u ∈ O∗, extremely unlikely to be g. do we find g from gu? There are exactly n distinct ring maps ’1; : : : ; ’n : K → C. Define Log : K∗ → Rn by Log = (log |’1|; : : : ; log |’n|). Log O∗ is a lattice

• f rank r1 + r2 − 1 where

r1 = #{i : ’i(K) ⊆ R}, 2r2 = #{i : ’i(K) ⊆ R}. e.g. “ = exp(ıi=256), K = Q(“): images of “ under ring maps are “; “3; “5; : : : ; “511. r1 = 0; r2 = 128; rank 127. Compute as sum of for the o

ercauteren: “However likely to produce rge height, i.e.,

• efficients. Indeed so

writing the obtained as a polynomial in

• nential time.”

r found for gO is ers of various ¸’s. some u ∈ O∗, unlikely to be g. g from gu? There are exactly n distinct ring maps ’1; : : : ; ’n : K → C. Define Log : K∗ → Rn by Log = (log |’1|; : : : ; log |’n|). Log O∗ is a lattice

• f rank r1 + r2 − 1 where

r1 = #{i : ’i(K) ⊆ R}, 2r2 = #{i : ’i(K) ⊆ R}. e.g. “ = exp(ıi=256), K = Q(“): images of “ under ring maps are “; “3; “5; : : : ; “511. r1 = 0; r2 = 128; rank 127. Compute Log gu as sum of multiples for the original ¸’s.

ever duce height, i.e., Indeed so

• btained
• lynomial in

time.” r gO is rious ¸’s. O∗, e g. ? There are exactly n distinct ring maps ’1; : : : ; ’n : K → C. Define Log : K∗ → Rn by Log = (log |’1|; : : : ; log |’n|). Log O∗ is a lattice

• f rank r1 + r2 − 1 where

r1 = #{i : ’i(K) ⊆ R}, 2r2 = #{i : ’i(K) ⊆ R}. e.g. “ = exp(ıi=256), K = Q(“): images of “ under ring maps are “; “3; “5; : : : ; “511. r1 = 0; r2 = 128; rank 127. Compute Log gu as sum of multiples of Log ¸ for the original ¸’s.

There are exactly n distinct ring maps ’1; : : : ; ’n : K → C. Define Log : K∗ → Rn by Log = (log |’1|; : : : ; log |’n|). Log O∗ is a lattice

• f rank r1 + r2 − 1 where

r1 = #{i : ’i(K) ⊆ R}, 2r2 = #{i : ’i(K) ⊆ R}. e.g. “ = exp(ıi=256), K = Q(“): images of “ under ring maps are “; “3; “5; : : : ; “511. r1 = 0; r2 = 128; rank 127. Compute Log gu as sum of multiples of Log ¸ for the original ¸’s.

There are exactly n distinct ring maps ’1; : : : ; ’n : K → C. Define Log : K∗ → Rn by Log = (log |’1|; : : : ; log |’n|). Log O∗ is a lattice

• f rank r1 + r2 − 1 where

r1 = #{i : ’i(K) ⊆ R}, 2r2 = #{i : ’i(K) ⊆ R}. e.g. “ = exp(ıi=256), K = Q(“): images of “ under ring maps are “; “3; “5; : : : ; “511. r1 = 0; r2 = 128; rank 127. Compute Log gu as sum of multiples of Log ¸ for the original ¸’s. Find elements of Log O∗ close to Log gu.

There are exactly n distinct ring maps ’1; : : : ; ’n : K → C. Define Log : K∗ → Rn by Log = (log |’1|; : : : ; log |’n|). Log O∗ is a lattice

• f rank r1 + r2 − 1 where

r1 = #{i : ’i(K) ⊆ R}, 2r2 = #{i : ’i(K) ⊆ R}. e.g. “ = exp(ıi=256), K = Q(“): images of “ under ring maps are “; “3; “5; : : : ; “511. r1 = 0; r2 = 128; rank 127. Compute Log gu as sum of multiples of Log ¸ for the original ¸’s. Find elements of Log O∗ close to Log gu. This is a close-vector problem (“bounded-distance decoding”). “Embedding” heuristic: CVP as fast as SVP.

There are exactly n distinct ring maps ’1; : : : ; ’n : K → C. Define Log : K∗ → Rn by Log = (log |’1|; : : : ; log |’n|). Log O∗ is a lattice

• f rank r1 + r2 − 1 where

r1 = #{i : ’i(K) ⊆ R}, 2r2 = #{i : ’i(K) ⊆ R}. e.g. “ = exp(ıi=256), K = Q(“): images of “ under ring maps are “; “3; “5; : : : ; “511. r1 = 0; r2 = 128; rank 127. Compute Log gu as sum of multiples of Log ¸ for the original ¸’s. Find elements of Log O∗ close to Log gu. This is a close-vector problem (“bounded-distance decoding”). “Embedding” heuristic: CVP as fast as SVP. This finds Log u. Easily reconstruct g up to a root of unity. #{roots of unity} is small.

are exactly n distinct maps ’1; : : : ; ’n : K → C. Log : K∗ → Rn by (log |’1|; : : : ; log |’n|).

∗ is a lattice

rank r1 + r2 − 1 where #{i : ’i(K) ⊆ R}, #{i : ’i(K) ⊆ R}. = exp(ıi=256), K = Q(“): images of “ under ring maps “3; “5; : : : ; “511. 0; r2 = 128; rank 127. Compute Log gu as sum of multiples of Log ¸ for the original ¸’s. Find elements of Log O∗ close to Log gu. This is a close-vector problem (“bounded-distance decoding”). “Embedding” heuristic: CVP as fast as SVP. This finds Log u. Easily reconstruct g up to a root of unity. #{roots of unity} is small. A subfield-loga Say we kno for a prop

exactly n distinct : ; ’n : K → C. → Rn by : : : ; log |’n|). tice 1 where ) ⊆ R}, ) ⊆ R}. 256), K = Q(“): under ring maps ; “511. 128; rank 127. Compute Log gu as sum of multiples of Log ¸ for the original ¸’s. Find elements of Log O∗ close to Log gu. This is a close-vector problem (“bounded-distance decoding”). “Embedding” heuristic: CVP as fast as SVP. This finds Log u. Easily reconstruct g up to a root of unity. #{roots of unity} is small. A subfield-logarithm Say we know Log no for a proper subfield

distinct → C. |). Q(“): maps 127. Compute Log gu as sum of multiples of Log ¸ for the original ¸’s. Find elements of Log O∗ close to Log gu. This is a close-vector problem (“bounded-distance decoding”). “Embedding” heuristic: CVP as fast as SVP. This finds Log u. Easily reconstruct g up to a root of unity. #{roots of unity} is small. A subfield-logarithm attack Say we know Log normK:F g for a proper subfield F ⊂ K.

Compute Log gu as sum of multiples of Log ¸ for the original ¸’s. Find elements of Log O∗ close to Log gu. This is a close-vector problem (“bounded-distance decoding”). “Embedding” heuristic: CVP as fast as SVP. This finds Log u. Easily reconstruct g up to a root of unity. #{roots of unity} is small. A subfield-logarithm attack Say we know Log normK:F g for a proper subfield F ⊂ K.

Compute Log gu as sum of multiples of Log ¸ for the original ¸’s. Find elements of Log O∗ close to Log gu. This is a close-vector problem (“bounded-distance decoding”). “Embedding” heuristic: CVP as fast as SVP. This finds Log u. Easily reconstruct g up to a root of unity. #{roots of unity} is small. A subfield-logarithm attack Say we know Log normK:F g for a proper subfield F ⊂ K. We also know Log normK:F gu, so we know Log normK:F u.

Compute Log gu as sum of multiples of Log ¸ for the original ¸’s. Find elements of Log O∗ close to Log gu. This is a close-vector problem (“bounded-distance decoding”). “Embedding” heuristic: CVP as fast as SVP. This finds Log u. Easily reconstruct g up to a root of unity. #{roots of unity} is small. A subfield-logarithm attack Say we know Log normK:F g for a proper subfield F ⊂ K. We also know Log normK:F gu, so we know Log normK:F u. This linearly constrains Log u to a shifted sublattice of Log O∗. Number of independent constraints: unit rank for F.

Compute Log gu as sum of multiples of Log ¸ for the original ¸’s. Find elements of Log O∗ close to Log gu. This is a close-vector problem (“bounded-distance decoding”). “Embedding” heuristic: CVP as fast as SVP. This finds Log u. Easily reconstruct g up to a root of unity. #{roots of unity} is small. A subfield-logarithm attack Say we know Log normK:F g for a proper subfield F ⊂ K. We also know Log normK:F gu, so we know Log normK:F u. This linearly constrains Log u to a shifted sublattice of Log O∗. Number of independent constraints: unit rank for F. Find elements close to Log gu. Lower-dimension lattice problem, if unit rank of F is positive.

Compute Log gu

• f multiples of Log ¸
• riginal ¸’s.

elements of Log O∗ to Log gu. a close-vector problem

• unded-distance decoding”).

edding” heuristic: as fast as SVP. finds Log u. reconstruct g a root of unity.

• ts of unity} is small.

A subfield-logarithm attack Say we know Log normK:F g for a proper subfield F ⊂ K. We also know Log normK:F gu, so we know Log normK:F u. This linearly constrains Log u to a shifted sublattice of Log O∗. Number of independent constraints: unit rank for F. Find elements close to Log gu. Lower-dimension lattice problem, if unit rank of F is positive. Start by Log norm for each Various constraints depending

multiples of Log ¸ ’s.

• f Log O∗

close-vector problem

• unded-distance decoding”).

heuristic: SVP. . reconstruct g unity. } is small. A subfield-logarithm attack Say we know Log normK:F g for a proper subfield F ⊂ K. We also know Log normK:F gu, so we know Log normK:F u. This linearly constrains Log u to a shifted sublattice of Log O∗. Number of independent constraints: unit rank for F. Find elements close to Log gu. Lower-dimension lattice problem, if unit rank of F is positive. Start by recursively Log normK:F g via for each F ⊂ K. Various constraints depending on subfield

¸ roblem ding”). small. A subfield-logarithm attack Say we know Log normK:F g for a proper subfield F ⊂ K. We also know Log normK:F gu, so we know Log normK:F u. This linearly constrains Log u to a shifted sublattice of Log O∗. Number of independent constraints: unit rank for F. Find elements close to Log gu. Lower-dimension lattice problem, if unit rank of F is positive. Start by recursively computing Log normK:F g via norm of g for each F ⊂ K. Various constraints on Log u depending on subfield structure.

A subfield-logarithm attack Say we know Log normK:F g for a proper subfield F ⊂ K. We also know Log normK:F gu, so we know Log normK:F u. This linearly constrains Log u to a shifted sublattice of Log O∗. Number of independent constraints: unit rank for F. Find elements close to Log gu. Lower-dimension lattice problem, if unit rank of F is positive. Start by recursively computing Log normK:F g via norm of gO for each F ⊂ K. Various constraints on Log u, depending on subfield structure.

A subfield-logarithm attack Say we know Log normK:F g for a proper subfield F ⊂ K. We also know Log normK:F gu, so we know Log normK:F u. This linearly constrains Log u to a shifted sublattice of Log O∗. Number of independent constraints: unit rank for F. Find elements close to Log gu. Lower-dimension lattice problem, if unit rank of F is positive. Start by recursively computing Log normK:F g via norm of gO for each F ⊂ K. Various constraints on Log u, depending on subfield structure. e.g. “ = exp(2ıi=661), K = Q(“). Degrees of subfields of K: 660 330 q q q 220 ☞ ☞ 132 ✷ ✷ 60 ▼▼▼ 165 q q q 110 ☞ ☞ q q q 66 ✷ ✷ q q q 44 ✷✷✷ ☞ ☞ ☞30 ❚❚❚❚❚❚❚ ☞ ☞ 20 ❚❚❚❚❚❚❚✷ ✷ 12 ❚❚❚❚❚❚❚ ▼ ▼ ▼ ▼ 55 ③ ③ 33 ❉ ❉ ③ ③ 22 ❉ ❉ ③ ③ 15 ❱❱❱❱❱❱❱❱❱ ③ ③ 10 ❱❱❱❱❱❱❱❱❱ ③ ③ 6 ❱❱❱❱❱❱❱❱❱❱ ❉ ❉ ❉ ③ ③ ③ 4 ❱❱❱❱❱❱❱❱❱❱ ❉ ❉ ❉ 11 ▼ ▼ ▼ ▼✷ ✷ ☞ ☞ 5 ❚❚❚❚❚❚❚❚ ☞ ☞ q q q q 3 ❚❚❚❚❚❚❚❚ ✷ ✷ ③ ③ ③ 2 ❚❚❚❚❚❚❚❚ ✷ ✷ ☞ ☞ q q q q q 1 ▼▼▼▼ ✷ ✷ ☞ ☞ q q q q q

subfield-logarithm attack e know Log normK:F g roper subfield F ⊂ K. also know Log normK:F gu, know Log normK:F u. linearly constrains Log u shifted sublattice of Log O∗. er of independent constraints: unit rank for F. elements close to Log gu. r-dimension lattice problem, rank of F is positive. Start by recursively computing Log normK:F g via norm of gO for each F ⊂ K. Various constraints on Log u, depending on subfield structure. e.g. “ = exp(2ıi=661), K = Q(“). Degrees of subfields of K: 660 330 q q q 220 ☞ ☞ 132 ✷ ✷ 60 ▼▼▼ 165 q q q 110 ☞ ☞ q q q 66 ✷ ✷ q q q 44 ✷✷✷ ☞ ☞ ☞30 ❚❚❚❚❚❚❚ ☞ ☞ 20 ❚❚❚❚❚❚❚✷ ✷ 12 ❚❚❚❚❚❚❚ ▼ ▼ ▼ ▼ 55 ③ ③ 33 ❉ ❉ ③ ③ 22 ❉ ❉ ③ ③ 15 ❱❱❱❱❱❱❱❱❱ ③ ③ 10 ❱❱❱❱❱❱❱❱❱ ③ ③ 6 ❱❱❱❱❱❱❱❱❱❱ ❉ ❉ ❉ ③ ③ ③ 4 ❱❱❱❱❱❱❱❱❱❱ ❉ ❉ ❉ 11 ▼ ▼ ▼ ▼✷ ✷ ☞ ☞ 5 ❚❚❚❚❚❚❚❚ ☞ ☞ q q q q 3 ❚❚❚❚❚❚❚❚ ✷ ✷ ③ ③ ③ 2 ❚❚❚❚❚❚❚❚ ✷ ✷ ☞ ☞ q q q q q 1 ▼▼▼▼ ✷ ✷ ☞ ☞ q q q q q Most extrem Composite K = Q( √ CVP becomes

ithm attack Log normK:F g subfield F ⊂ K. Log normK:F gu, normK:F u. constrains Log u sublattice of Log O∗. endent unit rank for F. close to Log gu. lattice problem, is positive. Start by recursively computing Log normK:F g via norm of gO for each F ⊂ K. Various constraints on Log u, depending on subfield structure. e.g. “ = exp(2ıi=661), K = Q(“). Degrees of subfields of K: 660 330 q q q 220 ☞ ☞ 132 ✷ ✷ 60 ▼▼▼ 165 q q q 110 ☞ ☞ q q q 66 ✷ ✷ q q q 44 ✷✷✷ ☞ ☞ ☞30 ❚❚❚❚❚❚❚ ☞ ☞ 20 ❚❚❚❚❚❚❚✷ ✷ 12 ❚❚❚❚❚❚❚ ▼ ▼ ▼ ▼ 55 ③ ③ 33 ❉ ❉ ③ ③ 22 ❉ ❉ ③ ③ 15 ❱❱❱❱❱❱❱❱❱ ③ ③ 10 ❱❱❱❱❱❱❱❱❱ ③ ③ 6 ❱❱❱❱❱❱❱❱❱❱ ❉ ❉ ❉ ③ ③ ③ 4 ❱❱❱❱❱❱❱❱❱❱ ❉ ❉ ❉ 11 ▼ ▼ ▼ ▼✷ ✷ ☞ ☞ 5 ❚❚❚❚❚❚❚❚ ☞ ☞ q q q q 3 ❚❚❚❚❚❚❚❚ ✷ ✷ ③ ③ ③ 2 ❚❚❚❚❚❚❚❚ ✷ ✷ ☞ ☞ q q q q q 1 ▼▼▼▼ ✷ ✷ ☞ ☞ q q q q q Most extreme case: Composite of quadratics, K = Q( √ 2; √ 3; √ 5 CVP becomes trivia

attack g K. gu, . Log u Log O∗. F. gu. roblem,

• sitive.

Start by recursively computing Log normK:F g via norm of gO for each F ⊂ K. Various constraints on Log u, depending on subfield structure. e.g. “ = exp(2ıi=661), K = Q(“). Degrees of subfields of K: 660 330 q q q 220 ☞ ☞ 132 ✷ ✷ 60 ▼▼▼ 165 q q q 110 ☞ ☞ q q q 66 ✷ ✷ q q q 44 ✷✷✷ ☞ ☞ ☞30 ❚❚❚❚❚❚❚ ☞ ☞ 20 ❚❚❚❚❚❚❚✷ ✷ 12 ❚❚❚❚❚❚❚ ▼ ▼ ▼ ▼ 55 ③ ③ 33 ❉ ❉ ③ ③ 22 ❉ ❉ ③ ③ 15 ❱❱❱❱❱❱❱❱❱ ③ ③ 10 ❱❱❱❱❱❱❱❱❱ ③ ③ 6 ❱❱❱❱❱❱❱❱❱❱ ❉ ❉ ❉ ③ ③ ③ 4 ❱❱❱❱❱❱❱❱❱❱ ❉ ❉ ❉ 11 ▼ ▼ ▼ ▼✷ ✷ ☞ ☞ 5 ❚❚❚❚❚❚❚❚ ☞ ☞ q q q q 3 ❚❚❚❚❚❚❚❚ ✷ ✷ ③ ③ ③ 2 ❚❚❚❚❚❚❚❚ ✷ ✷ ☞ ☞ q q q q q 1 ▼▼▼▼ ✷ ✷ ☞ ☞ q q q q q Most extreme case: Composite of quadratics, such K = Q( √ 2; √ 3; √ 5; : : : ; √ 29). CVP becomes trivial!

Start by recursively computing Log normK:F g via norm of gO for each F ⊂ K. Various constraints on Log u, depending on subfield structure. e.g. “ = exp(2ıi=661), K = Q(“). Degrees of subfields of K: 660 330 q q q 220 ☞ ☞ 132 ✷ ✷ 60 ▼▼▼ 165 q q q 110 ☞ ☞ q q q 66 ✷ ✷ q q q 44 ✷✷✷ ☞ ☞ ☞30 ❚❚❚❚❚❚❚ ☞ ☞ 20 ❚❚❚❚❚❚❚✷ ✷ 12 ❚❚❚❚❚❚❚ ▼ ▼ ▼ ▼ 55 ③ ③ 33 ❉ ❉ ③ ③ 22 ❉ ❉ ③ ③ 15 ❱❱❱❱❱❱❱❱❱ ③ ③ 10 ❱❱❱❱❱❱❱❱❱ ③ ③ 6 ❱❱❱❱❱❱❱❱❱❱ ❉ ❉ ❉ ③ ③ ③ 4 ❱❱❱❱❱❱❱❱❱❱ ❉ ❉ ❉ 11 ▼ ▼ ▼ ▼✷ ✷ ☞ ☞ 5 ❚❚❚❚❚❚❚❚ ☞ ☞ q q q q 3 ❚❚❚❚❚❚❚❚ ✷ ✷ ③ ③ ③ 2 ❚❚❚❚❚❚❚❚ ✷ ✷ ☞ ☞ q q q q q 1 ▼▼▼▼ ✷ ✷ ☞ ☞ q q q q q Most extreme case: Composite of quadratics, such as K = Q( √ 2; √ 3; √ 5; : : : ; √ 29). CVP becomes trivial!

Start by recursively computing Log normK:F g via norm of gO for each F ⊂ K. Various constraints on Log u, depending on subfield structure. e.g. “ = exp(2ıi=661), K = Q(“). Degrees of subfields of K: 660 330 q q q 220 ☞ ☞ 132 ✷ ✷ 60 ▼▼▼ 165 q q q 110 ☞ ☞ q q q 66 ✷ ✷ q q q 44 ✷✷✷ ☞ ☞ ☞30 ❚❚❚❚❚❚❚ ☞ ☞ 20 ❚❚❚❚❚❚❚✷ ✷ 12 ❚❚❚❚❚❚❚ ▼ ▼ ▼ ▼ 55 ③ ③ 33 ❉ ❉ ③ ③ 22 ❉ ❉ ③ ③ 15 ❱❱❱❱❱❱❱❱❱ ③ ③ 10 ❱❱❱❱❱❱❱❱❱ ③ ③ 6 ❱❱❱❱❱❱❱❱❱❱ ❉ ❉ ❉ ③ ③ ③ 4 ❱❱❱❱❱❱❱❱❱❱ ❉ ❉ ❉ 11 ▼ ▼ ▼ ▼✷ ✷ ☞ ☞ 5 ❚❚❚❚❚❚❚❚ ☞ ☞ q q q q 3 ❚❚❚❚❚❚❚❚ ✷ ✷ ③ ③ ③ 2 ❚❚❚❚❚❚❚❚ ✷ ✷ ☞ ☞ q q q q q 1 ▼▼▼▼ ✷ ✷ ☞ ☞ q q q q q Most extreme case: Composite of quadratics, such as K = Q( √ 2; √ 3; √ 5; : : : ; √ 29). CVP becomes trivial! Many intermediate cases. “Subexponential in cyclotomic rings of highly smooth index”: It’s much more general than that.

Start by recursively computing Log normK:F g via norm of gO for each F ⊂ K. Various constraints on Log u, depending on subfield structure. e.g. “ = exp(2ıi=661), K = Q(“). Degrees of subfields of K: 660 330 q q q 220 ☞ ☞ 132 ✷ ✷ 60 ▼▼▼ 165 q q q 110 ☞ ☞ q q q 66 ✷ ✷ q q q 44 ✷✷✷ ☞ ☞ ☞30 ❚❚❚❚❚❚❚ ☞ ☞ 20 ❚❚❚❚❚❚❚✷ ✷ 12 ❚❚❚❚❚❚❚ ▼ ▼ ▼ ▼ 55 ③ ③ 33 ❉ ❉ ③ ③ 22 ❉ ❉ ③ ③ 15 ❱❱❱❱❱❱❱❱❱ ③ ③ 10 ❱❱❱❱❱❱❱❱❱ ③ ③ 6 ❱❱❱❱❱❱❱❱❱❱ ❉ ❉ ❉ ③ ③ ③ 4 ❱❱❱❱❱❱❱❱❱❱ ❉ ❉ ❉ 11 ▼ ▼ ▼ ▼✷ ✷ ☞ ☞ 5 ❚❚❚❚❚❚❚❚ ☞ ☞ q q q q 3 ❚❚❚❚❚❚❚❚ ✷ ✷ ③ ③ ③ 2 ❚❚❚❚❚❚❚❚ ✷ ✷ ☞ ☞ q q q q q 1 ▼▼▼▼ ✷ ✷ ☞ ☞ q q q q q Most extreme case: Composite of quadratics, such as K = Q( √ 2; √ 3; √ 5; : : : ; √ 29). CVP becomes trivial! Many intermediate cases. “Subexponential in cyclotomic rings of highly smooth index”: It’s much more general than that. For cyclotomics this approach is superseded by subsequent Campbell–Groves–Shepherd algorithm, using known (good) basis for cyclotomic units.