Recovering Short Generators of Principal Ideals: Extensions and Open Problems
Chris Peikert
University of Michigan and Georgia Tech
2 September 2015
Math of Crypto @ UC Irvine
Where We Left Off
Short Generator of a Principal Ideal Problem (SG-PIP)
- Given a $\mathbb{Z}$-basis of a principal ideal $I = \langle g \rangle \subseteq R$ where $g$ is “rather short,” find $g$ (up to trivial symmetries).
Theorem
In prime-power cyclotomic rings $R$ of degree $n$, SG-PIP is solvable in classical subexponential $2^{n^{2/3}}$ and quantum polynomial time.
Algorithm: SG-PIP = SG-G G-PIP
1. Find some generator, given a principal ideal (G-PIP)
2. Find the promised short generator, given an arbitrary generator (SG-G)
What Does This Mean for Ring-Based Crypto?
- A few works [SV’10, GGH’13, LSS’14, CGS’14] are classically weakened, and quantumly broken.
  these works ≤ SG-PI-SVP ≤ SG-PIP
- Most ring-based crypto is so far unaffected, because its security is lower-bounded by harder/more general problems:
  SG-PI-SVP ≤ PI-SVP ≤ I-SVP ≤ Ring-SIS/LWE ≤ most crypto
  NTRU also lies somewhere above SG-PI-SVP.
- Attack crucially relies on existence of an “unusually short” generator.
Agenda
Animating question: How far can we push these attack techniques?
1. Rarity of principal ideals having short generators.
2. Extend SG-PIP attack to non-cyclotomic number fields?
3. Use SG-PIP to attack NTRU? Ring-LWE?
Rarity of Principal Ideals with Short Generators
Facts
1. Less than a $n^{-\Omega(n)}$ fraction of principal ideals $I$ have a generator $g$ s.t. $\|g\| \le \lambda_1(I) \cdot \mathrm{poly}(n)$.
2. A “typical” principal ideal’s shortest generator $g$ has norm $\|g\| \ge \lambda_1(I) \cdot 2^{\sqrt{n}}$.
So the SG-PIP attack usually approximates PI-SVP quite poorly.
- For simplicity, normalize s.t. $N(I) = 1$, so $\sqrt{n} \le \lambda_1(I) \le n$.
- Let $G$ = generators of $I$ = $g \cdot R^*$. Then $\mathrm{Log}(G) = \mathrm{Log}(g) + \mathrm{Log}(R^*)$ is a coset of the log-unit lattice.
- To have $\|g\| \le \mathrm{poly}(n)$, we need every $\log|\sigma_i(g)| \le O(\log n) \implies \|\mathrm{Log}(g)\|_1 \le r = O(n \log n)$.
- Volume of such $g$ is $\frac{2^n}{n!} \cdot r^n = O(\log n)^n$.
  Volume of log-unit lattice (regulator) is $\Theta(\sqrt{n})^n$.
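
The volume comparison carried through, as an added derivation that is not on the original slide. It uses the slide's symbols, writes $r = c \cdot n \log n$ for an assumed constant $c > 0$, treats the dimension as $n$ as the slide does, and needs only Stirling's bound $n! \ge (n/e)^n$:

$$\frac{2^n}{n!} \cdot r^n \;\le\; \left(\frac{2e}{n}\right)^n (c\, n \log n)^n \;=\; (2ec \log n)^n \;=\; O(\log n)^n .$$

Dividing by the volume of the log-unit lattice gives the ratio behind Fact 1:

$$\frac{O(\log n)^n}{\Theta(\sqrt{n})^n} \;=\; O\!\left(\frac{\log n}{\sqrt{n}}\right)^{n} \;=\; n^{-n/2 + o(n)} \;=\; n^{-\Omega(n)} .$$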
SG-PIP Beyond Cyclotomics
- To recover the short generator from any generator of $I \subseteq R$, it suffices to have a “good” basis of (a dense enough sublattice of) $\mathrm{Log}\, R^*$.
  (For cyclotomics: standard basis of the cyclotomic units.)
- Can we get such a basis for other number rings?
- In general, can preprocess $R$ in $2^{\mathrm{rank}(\mathrm{Log}\, R^*)}$ time. Then can quickly solve many instances of SG-PIP in $R$.
- In particular cases, we can do much better.
  E.g., multiquadratic $K = \mathbb{Q}(\sqrt{d_1}, \ldots, \sqrt{d_k})$ for appropriate $d_i$. Facts:
  - unit rank = $2^k - 1$ = number of quadratic subfields $\mathbb{Q}(\sqrt{d_I})$, $I \subseteq [k] \setminus \emptyset$.
  - fundamental units of the $\mathbb{Q}(\sqrt{d_I})$ generate a finite-index subgroup of $\mathcal{O}_K^*$.
    (See, e.g., Keith Conrad’s ‘blurb’ on Dirichlet’s unit theorem for proofs.)
  - How “good” are these units? How small is their finite index?
- Other number rings? E.g., $\mathbb{Z}[x]/(x^p - x - 1)$ has many easy units: $x$, $\Phi_d(x)$ for $d \mid (p-1)$, ...
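
The multiquadratic facts above can be checked numerically on small fields. The Python below is an added example, not code from the slides: it assumes the $d_i$ are distinct primes with $d_I = \prod_{i \in I} d_i$, finds each subfield's fundamental unit by brute force, and builds the $2^k - 1$ vectors $\mathrm{Log}(\varepsilon_I)$. All function names are hypothetical.

```python
import math
from itertools import combinations, product

def fundamental_unit(d):
    """Return (x, y) with (x + y*sqrt(d))/2 the fundamental unit > 1 of
    Q(sqrt(d)), for squarefree d > 1, by brute force over y."""
    y = 1
    while True:
        for c in (-4, 4):  # x^2 - d*y^2 = -4 gives the smaller x, so try it first
            x2 = d * y * y + c
            if x2 > 0 and math.isqrt(x2) ** 2 == x2:
                return math.isqrt(x2), y
        y += 1

def log_unit_rows(ds):
    """Map each nonempty I (tuple of indices into ds) to Log(eps_I) in R^(2^k).

    Assumption: ds are distinct primes, so d_I = prod(d_i, i in I) is squarefree
    and K = Q(sqrt(d_1), ..., sqrt(d_k)) has 2^k real embeddings, one per choice
    of signs s_i for the sqrt(d_i).
    """
    k = len(ds)
    embeddings = list(product((1, -1), repeat=k))
    rows = {}
    for size in range(1, k + 1):
        for I in combinations(range(k), size):
            d_I = math.prod(ds[i] for i in I)
            x, y = fundamental_unit(d_I)
            row = []
            for s in embeddings:
                chi = math.prod(s[i] for i in I)  # sigma_s(sqrt(d_I)) = chi*sqrt(d_I)
                row.append(math.log(abs(x + chi * y * math.sqrt(d_I)) / 2))
            rows[I] = row
    return rows

def gram(rows):
    """Gram matrix of the Log vectors, in insertion order."""
    vs = list(rows.values())
    return [[sum(a * b for a, b in zip(u, v)) for v in vs] for u in vs]

def is_orthogonal_basis(rows, tol=1e-9):
    """True if the rows are pairwise orthogonal and nonzero (hence independent)."""
    G = gram(rows)
    n = len(G)
    off = max((abs(G[i][j]) for i in range(n) for j in range(n) if i != j),
              default=0.0)
    return off < tol and all(G[i][i] > tol for i in range(n))

def row_lengths(rows):
    """Euclidean length of each Log(eps_I)."""
    return {I: math.sqrt(sum(a * a for a in v)) for I, v in rows.items()}

if __name__ == "__main__":
    ds = (2, 3, 5)  # constructed sample input
    rows = log_unit_rows(ds)
    print("rows:", len(rows), "expected 2^k - 1 =", 2 ** len(ds) - 1)
    print("orthogonal basis:", is_orthogonal_basis(rows))
    for I, length in row_lengths(rows).items():
        print([ds[i] for i in I], round(length, 4))
```

The vectors come out pairwise orthogonal with lengths $2^{k/2} \log \varepsilon_I$, so they are independent and span a sublattice of full rank $2^k - 1$. This says nothing about the index of the subgroup in $\mathcal{O}_K^*$, which the slide leaves open.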
WARNING: No theorems beyond this point!