Class group and unit group computation for large degree...

Class group and unit group computation for largedegree number fields

Jean-Francois Biasse

University of Calgary

October 2013

Biasse (U of C) large degree fields October 2013 1 / 30

Presentation of the problem

Let K be a number field of degree n, OK its maximal order and O ⊆ OK

an order in K .

We are interested in the following problems :

Compute the class group Cl(O) and the unit group U(O) of O.

Let a ⊆ O, find α ∈ O such that a = (α).

Let a ∈ Cl(O) and B > 0, find p1, · · · , pk such that

a = p1 · · · pk , with N (pi ) ≤ B

We mention applications of the resolution of these problems to numbertheory and cryptography.

an order in K .

a = p1 · · · pk , with N (pi ) ≤ B

an order in K .

a = p1 · · · pk , with N (pi ) ≤ B

an order in K .

a = p1 · · · pk , with N (pi ) ≤ B

an order in K .

a = p1 · · · pk , with N (pi ) ≤ B

1 Motivation

2 Class group and unit group computation

3 Complexity aspects

4 Relations in the polarized class group

Computation of Cl(O) and U(O)

Computing the unit group has applications to the resolution of someDiophantine equations.

The Pell equation

For ∆ > 0, solvingx2 −∆y2 = 1,

is equivalent to finding the unit group for Q(√

Connexion with other equations

Other Diophantine equations can be solved from solutions to the Pellequation

Shaffer : y2 = 1k + · · ·+ xk .

y2 = Sxx−a.

Where S denotes the Stirling number.

Computation of Cl(O) and U(O)

Computing the unit group has applications to the resolution of someDiophantine equations.

The Pell equation

For ∆ > 0, solvingx2 −∆y2 = 1,

is equivalent to finding the unit group for Q(√

Connexion with other equations

Other Diophantine equations can be solved from solutions to the Pellequation

Shaffer : y2 = 1k + · · ·+ xk .

y2 = Sxx−a.

Where S denotes the Stirling number.

Cryptanalysis of homomorphic schemes

Principal ideal problem

Gentry’s original scheme (and some others) rely on the hardness of findinga small generator of a principal ideal.

Alice sets up the schemes. Let Z[X ]/(XN + 1) = Z[θ].

Alice draws small α ∈ Z[X ]/(XN + 1) until N (α) = p prime.

Alice displays a Z-basis of p = (α).

Bob wants to encrypt M ∈ {0, 1}.Bob draws R ∈ Z[X ] at random.

Bob sends M + 2R(θ) mod p.

To decrypt, it suffices to know a small generator of p.

Group action on elliptic curves

Let O be a quadratic order, Fq a finite field and a prime l - q.

Isomorphism classes are represented by j-invariants.

EllO,t := {Isomorphism classes of E (Fq) | End(E ) ' O and trace(E ) = t}.

Group action of Cl(O) on EllO,t

A split prime ideal a of norm l acts via an isogenie of degree l .

If l is large, the action is hard to evaluate.

If a ∼∏

i pi with small N (pi ), it boils down to evaluating that of the pi .

Transports the discrete logarithm problem to another curve.

Allows endomorphism ring computation.

If a ∼∏

1 Motivation

Input and output of the algorithm

A number field K .

Its r1 real embeddings, its r2 pairs of complex embeddings.

Its ring of integers OK =∑

i Zαi .

Output

Cl(OK ) = Z/d1Z× · · · × Z/dkZ.

U = µ× 〈γ1〉 × · · · × 〈γr 〉

where r := r1 + r2 − 1 and µ is the set of roots of unity.

The γi are given in compact representation.

Input and output of the algorithm

A number field K .

Its r1 real embeddings, its r2 pairs of complex embeddings.

Its ring of integers OK =∑

i Zαi .

Output

Cl(OK ) = Z/d1Z× · · · × Z/dkZ.

U = µ× 〈γ1〉 × · · · × 〈γr 〉

where r := r1 + r2 − 1 and µ is the set of roots of unity.

The γi are given in compact representation.

Class group computation

Factor base

Let B = {p1, · · · , pN} be a set of ideals whose classes generate Cl(OK ).

We consider the surjective morphism

ZN ϕ−−−−→ I π−−−−→ Cl(OK )

(e1, . . . , eN) −−−−→∏

i peii −−−−→

∏i [pi ]

Property

The class group satisfies Cl(OK ) ' ZN/ ker(π ◦ ϕ).

We deduce Cl(OK ) from the lattice of all the (e1, · · · , eN) such that

pe11 · · · p

eNN = (α) = 1 ∈ Cl(OK ) for some α ∈ OK .

Class group computation

Factor base

Let B = {p1, · · · , pN} be a set of ideals whose classes generate Cl(OK ).

We consider the surjective morphism

ZN ϕ−−−−→ I π−−−−→ Cl(OK )

(e1, . . . , eN) −−−−→∏

i peii −−−−→

∏i [pi ]

Property

The class group satisfies Cl(OK ) ' ZN/ ker(π ◦ ϕ).

We deduce Cl(OK ) from the lattice of all the (e1, · · · , eN) such that

pe11 · · · p

eNN = (α) = 1 ∈ Cl(OK ) for some α ∈ OK .

From relations to the ideal class groupThe rows (e1, · · · , eN) of the relation matrix M satisfy

pe11 · · · p

eNN = (α)

There are unimodular matrices U,V and integers di such that di+1 | di and

U ·M · V =

d1 0 . . . 0

0 d2. . .

......

. . .. . . 0

0 . . . 0 dN(0)

If the rows of M generate all the possible relations then

Cl(OK ) = Z/d1Z× · · · × Z/dNZ.

pe11 · · · p

eNN = (α)

U ·M · V =

d1 0 . . . 0

0 d2. . .

......

. . .. . . 0

0 . . . 0 dN(0)

Cl(OK ) = Z/d1Z× · · · × Z/dNZ.

pe11 · · · p

eNN = (α)

U ·M · V =

d1 0 . . . 0

0 d2. . .

......

. . .. . . 0

0 . . . 0 dN(0)

Cl(OK ) = Z/d1Z× · · · × Z/dNZ.

From relations to the unit group

Let M ∈ ZN×N′ be a relation matrix. That is,

∀i , pmi,1

1 · · · pmi,N

N = (αi ) = 1 ∈ Cl(OK ).

Property

Let X = (x1, · · · , x ′N) be such that XM = 0. Then,

βX := αx11 · · ·α

x ′NN is a unit

We use the following strategy

We derive units in compact representation from elements in ker(M).

We construct a minimal generating set for U by induction.

From relations to the unit group

∀i , pmi,1

1 · · · pmi,N

N = (αi ) = 1 ∈ Cl(OK ).

Property

Let X = (x1, · · · , x ′N) be such that XM = 0. Then,

βX := αx11 · · ·α

x ′NN is a unit

We use the following strategy

We derive units in compact representation from elements in ker(M).

We construct a minimal generating set for U by induction.

Connexion with the principal ideal problem

The principal ideal problem (PIP)

Let a ⊆ OK . We wish to

Decide if a is principal.

If so, find α ∈ OK such that a = (α).

∀i , pmi,1

1 · · · pmi,N

N = (αi ) = 1 ∈ Cl(OK ).

Algorithm for solving the PIP

Decompose a = (α)py11 · · · p

If XA = Y has no solution, a is not principal.

Otherwise, a = (β) with β = α · αx11 · · ·α

∀i , pmi,1

1 · · · pmi,N

N = (αi ) = 1 ∈ Cl(OK ).

∀i , pmi,1

1 · · · pmi,N

N = (αi ) = 1 ∈ Cl(OK ).

1 Motivation

Choice of a factor baseThe algorithm starts by choosing prime ideals generating Cl(O)

B := {p prime | N (p) ≤ B} = {p1, · · · , pN}

Asymptotic bounds with respect to ∆ = disc(O)

The most commonly used bounds for the asymptotic analysis are

Minkowski bound : B = O(√|∆|) (unconditional).

Bach bound : B = O(log2 |∆|) (under GRH).

Another bound, asymptotically larger, is used in practice (Belabas et al.)∑(m,p):N (pm)≤B′

logN (p)

N (pm/2)

(1− logN (pm)

log(B ′)

2log |∆| − 1.9n − 0.785r1

+2.468n + 1.832r1

log(B ′),

B := {p prime | N (p) ≤ B} = {p1, · · · , pN}

logN (p)

N (pm/2)

(1− logN (pm)

log(B ′)

2log |∆| − 1.9n − 0.785r1

+2.468n + 1.832r1

log(B ′),

B := {p prime | N (p) ≤ B} = {p1, · · · , pN}

logN (p)

N (pm/2)

(1− logN (pm)

log(B ′)

2log |∆| − 1.9n − 0.785r1

+2.468n + 1.832r1

log(B ′),

Reduction of an ideal

Ideals have unique factorization, but it is possible to have∏i

peii = (α)a,

where α ∈ K and a 6=∏

i peii .

In particular, if N (a) is small, a has a better chance to be B-smooth.

LLL-reduction of an ideal

Let a ⊆ OK . We use LLL to find a′ = a ∈ Cl(O) with small norm.

b← ka−1 where k is the denominator of a−1.

Let β be the first element of an LLL-reduced basis of b.

a′ ←(βk

Then we have a′ ⊆ OK and N (a′) ≤ 2O(n2)√|∆|.

peii = (α)a,

i peii .

a′ ←(βk

peii = (α)a,

i peii .

a′ ←(βk

peii = (α)a,

i peii .

a′ ←(βk

peii = (α)a,

i peii .

a′ ←(βk

peii = (α)a,

i peii .

a′ ←(βk

peii = (α)a,

i peii .

a′ ←(βk

The subexponential functionTo measure the complexity of the operations, we use the subexponentialfunction

L∆(α, β) := eβ(log |∆|)α(log log |∆|)1−α.

Property

For α ∈ [0, 1], L∆(α, β) is between polynomial and exponential in log |∆|.

L∆(0, β) = (log |∆|)β

L∆(1, β) = (|∆|)β

Some interesting rules of calculation :

L∆(α, β1)× L∆(α, β2) = L∆(α, β1 + β2)

L∆(α, β)k = L∆(α, kβ).

Property

L∆(0, β) = (log |∆|)β

L∆(1, β) = (|∆|)β

L∆(α, β1)× L∆(α, β2) = L∆(α, β1 + β2)

L∆(α, β)k = L∆(α, kβ).

Property

L∆(0, β) = (log |∆|)β

L∆(1, β) = (|∆|)β

L∆(α, β1)× L∆(α, β2) = L∆(α, β1 + β2)

L∆(α, β)k = L∆(α, kβ).

Smoothness probabilityLet Ψ(x , y) be the number of y -smooth ideals of norm bounded by x .Subexponential methods consist of falling in the range where

Ψ(x , y)

x= u−u(1+o(1)), u =

log y(1).

Known estimates (for which (1) holds)

Over Z : Hildebrand 84

Over ideals of a number field : Sourfield 04 (GRH).

Over principal ideals : conjectural.

If x = L∆(a, b) and y = L∆(c , d), then

Ψ(x , y)

x= L∆

(a− c ,− c

d(b − d) + o(1)

Ψ(x , y)

x= u−u(1+o(1)), u =

log y(1).

Ψ(x , y)

x= L∆

(a− c ,− c

d(b − d) + o(1)

Ψ(x , y)

x= u−u(1+o(1)), u =

log y(1).

Ψ(x , y)

x= L∆

(a− c ,− c

d(b − d) + o(1)

Fixed degree number fields

Hafner-McCurley and Buchmann computed the class group and unit groupfor fixed n = [K : Q] in time L∆(1/2, c).

Creation of relations in Cl(O)

We choose B = {p | N (p) ≤ B} where B = L∆(1/2, c).

Draw a :=∏

i peii at random where pi ∈ B.

Let b = (α)a with N (b) ≤ 2O(n2)√|∆|.

If b =∏

j qj is B-smooth, keep the relation∏

i peii ·∏

j q−1j = 1.

If n is fixed, we derive |B| = L∆(1/2, c) relations in L∆(1/2, d).

Then Cl(O) and U(O) are found in time |B|k = L∆(1/2, kd).

Draw a :=∏

Let b = (α)a with N (b) ≤ 2O(n2)√|∆|.

If b =∏

i peii ·∏

j q−1j = 1.

Draw a :=∏

Let b = (α)a with N (b) ≤ 2O(n2)√|∆|.

If b =∏

i peii ·∏

j q−1j = 1.

Draw a :=∏

Let b = (α)a with N (b) ≤ 2O(n2)√|∆|.

If b =∏

i peii ·∏

j q−1j = 1.

Draw a :=∏

Let b = (α)a with N (b) ≤ 2O(n2)√|∆|.

If b =∏

i peii ·∏

j q−1j = 1.

Draw a :=∏

Let b = (α)a with N (b) ≤ 2O(n2)√|∆|.

If b =∏

i peii ·∏

j q−1j = 1.

Draw a :=∏

Let b = (α)a with N (b) ≤ 2O(n2)√|∆|.

If b =∏

i peii ·∏

j q−1j = 1.

When n→∞ : changing the reduction algorithm

If LLL-reduce a :=∏

i pi , we get b ∼ a with N (b) ≤ 2O(n2)√|∆|.

We have N (b) ≥ L∆(2, c) for some c > 0.

With B = L∆(α, d) for some α < 1 and d > 0,

E(time to find b B − smooth) ≥ L∆(2− α, e) ≥ |∆|e for some e > 0.

BKZ reduction

Let k > 0, the BKZk reduction allows to find b = (α)a with

N (b) ≤ 2O(

)√|∆| in time O(2k).

We replace LLL-reduction by BKZk reduction with k = 2/3.

It runs in time L∆(2/3 + ε, d) for d > 0 and arbitrary small ε > 0.

BKZ reduction

N (b) ≤ 2O(

BKZ reduction

N (b) ≤ 2O(

Class group and unit group of Z[θ] in L∆(1/3)

Let K/Q defined by P ∈ Z[X ] with n = deg(P) and d = log(H(P)).

We draw φ = A(θ) for A ∈ Z[X ] with k = deg(A) and a = log(H(A)).

We have N (φ) ≤ na + dk + n log k + k log n.

Property

When n = log(|∆|)α and d = log(|∆|)1−α for α ∈]

[We can choose A ∈ Z[X ] such that N (φ) ≤ L∆

(23 , c)

for c > 0.

It takes L∆

(13 , e)

to find an L∆

(13 , d)-smooth φ.

We can compute Cl(Z[θ]) and U(Z[θ]) in L∆(1/3, f ) for some f > 0.

This does not extend to Z[θ] ( O.

Property

We can choose A ∈ Z[X ] such that N (φ) ≤ L∆

(23 , c)

for c > 0.

It takes L∆

(13 , e)

to find an L∆

(13 , d)-smooth φ.

Property

(23 , c)

for c > 0.

It takes L∆

(13 , e)

to find an L∆

(13 , d)-smooth φ.

Property

(23 , c)

for c > 0.

It takes L∆

(13 , e)

to find an L∆

(13 , d)-smooth φ.

Property

(23 , c)

for c > 0.

It takes L∆

(13 , e)

to find an L∆

(13 , d)-smooth φ.

Cyclotomic fields

We want to calculate Cl(Z[θ]) and U(Z[θ]) for K = Q[X ]/XN + 1.

H(XN + 1) = 1.

log |Disc(XN + 1)| := log |∆| = N log(N).

Relation search

We draw φ ∈ Z[θ] of the form A(θ) with

k := deg(A) = N.

a := log(H(A)) = log(N)

logN (φ) ≤ O (a · N + k + N log(k) + k log(N)) ≤ O(log |∆|)

This way, we can perform the relation search in time L∆

(12 , c)

for somec > 0.

Cyclotomic fields

H(XN + 1) = 1.

Relation search

k := deg(A) = N.

(12 , c)

for somec > 0.

Cyclotomic fields

H(XN + 1) = 1.

Relation search

k := deg(A) = N.

(12 , c)

for somec > 0.

Short generators of ideals

Let a ⊆ O a principal ideal and U = µ× 〈ε1〉 × · · · × 〈εr 〉 the unit group.

We know how to compute generators for U and a generator of a.

We want a small generator of a.

Assume we find α ∈ O such that a = (α), then

∀(e1, · · · , er ) ∈ Zr , a = (εe11 , · · · , ε

err α).

When r = 1, then we find e ∈ Z such that log |α| − e log |ε| has thedesired size.

Let ~vx = (log |x |1, · · · , log |x |r ) ∈ Rr .

We want ‖~α +∑

i ei ~εi‖2 small.

In arbitrary dimension, we want to solve the closest vector problem.

∀(e1, · · · , er ) ∈ Zr , a = (εe11 , · · · , ε

err α).

We want ‖~α +∑

∀(e1, · · · , er ) ∈ Zr , a = (εe11 , · · · , ε

err α).

We want ‖~α +∑

The q-descent

Let O ⊆ OK be an order in K , and a |∆|-smooth a ⊆ O.

We find a L∆(1/3, b)-smooth decomposition of a in time L∆(1/3, c).

This allows an L∆(1/3) algorithm to compute Cl(O) and U(O).

Let q ⊆ O and vq such that q = qO + (θ − vq)O. Then

Lq := Zv0 + Z(v1 − θ) + · · ·+ Z(vk − θk) ⊆ q,

where vi = v ip mod q.

The φ ∈ Lq are of the form φ = A(θ) for A ∈ Z[X ].

We look for small elements φ ∈ Lq.

The q-descent

Lq := Zv0 + Z(v1 − θ) + · · ·+ Z(vk − θk) ⊆ q,

The q-descent

Lq := Zv0 + Z(v1 − θ) + · · ·+ Z(vk − θk) ⊆ q,

The q-descent

a = (α) · q1 · · · qi · · · qk N (qj) ∈ L∆

(13 + τ, 1

find αi ∈ qi with (αi )/qi L∆(1/3 + τ/2, c)-smooth

qi = (αi )q′−11 · · · q′

−1i · · · q′

−1k ′

N (q′j) ∈ L∆

(13 + τ

2 , 1)

Repeat until τ is small enough

Find αi ∈ q′i with N (αi ) ∈ L∆(1/3, c∞)

a = (α) · q′′e11 · · · q′′

ell N (q′′j) ∈ L∆

(13 , c∞

The q-descent

a = (α) · q1 · · · qi · · · qk N (qj) ∈ L∆

(13 + τ, 1

)find αi ∈ qi with (αi )/qi L∆(1/3 + τ/2, c)-smooth

qi = (αi )q′−11 · · · q′

−1i · · · q′

−1k ′

N (q′j) ∈ L∆

(13 + τ

2 , 1)

a = (α) · q′′e11 · · · q′′

(13 , c∞

The q-descent

a = (α) · q1 · · · qi · · · qk N (qj) ∈ L∆

(13 + τ, 1

qi = (αi )q′−11 · · · q′

−1i · · · q′

−1k ′

N (q′j) ∈ L∆

(13 + τ

2 , 1)

a = (α) · q′′e11 · · · q′′

(13 , c∞

The q-descent

a = (α) · q1 · · · qi · · · qk N (qj) ∈ L∆

(13 + τ, 1

qi = (αi )q′−11 · · · q′

−1i · · · q′

−1k ′

N (q′j) ∈ L∆

(13 + τ

2 , 1)

a = (α) · q′′e11 · · · q′′

(13 , c∞

The q-descent

a = (α) · q1 · · · qi · · · qk N (qj) ∈ L∆

(13 + τ, 1

qi = (αi )q′−11 · · · q′

−1i · · · q′

−1k ′

N (q′j) ∈ L∆

(13 + τ

2 , 1)

a = (α) · q′′e11 · · · q′′

(13 , c∞

The q-descent

a = (α) · q1 · · · qi · · · qk N (qj) ∈ L∆

(13 + τ, 1

qi = (αi )q′−11 · · · q′

−1i · · · q′

−1k ′

N (q′j) ∈ L∆

(13 + τ

2 , 1)

a = (α) · q′′e11 · · · q′′

(13 , c∞

)Biasse (U of C) large degree fields October 2013 20 / 30

1 Motivation

The polarized class group

Let K be a CM field, K+ be the maximal totally real subfield of K and Oan order in K .

An ideal a ⊆ O is polarized if

∃α ∈ K+ totally real such that aa = (α).

C(O) = {Polarized ideals of O}/{Principal polarized ideals}

C(O) acts on isomorphism classes of principally polarized Abelian varietieswith complex multiplication by O.

The class of a acts via an isogenie of degree N (a).

This action preserves the polarization.

Relations in the polarized class group

The cost of evaluating the action of the class of a ⊆ O grows with N (a).

The action of a is deduced from the action of ideals of smaller norm.

This boils down to decomposing a in C(O).

Using smooth ideals

Let a be a polarized ideal of O and B > 0. We rewrite the class of a as

a = p1 · · · pk in C(O), where N (pi ) ≤ B.

Evaluating the action of a boils down to evaluating that of the (pi )i≤k .

Ideals in O are unlikely to be polarized.

We need to produce relations between polarized ideals.

Using smooth ideals

From relations in Cl(O) to relations in C(O) Bisson-11

Let K a CM field with type Φ and reflex field K r with type Φr . We havemaps between K and K r .

Type norm : NΦ : x ∈ K →∏φ∈Φ φ(x) ∈ K r .

Reflex type norm : NΦr : x ∈ K r →∏φ∈Φr φ(x) ∈ K .

Property

Let a ⊆ O be an ideal of O and ar ⊆ OK r be an ideal of OK r .

NΦ(a) is an ideal of OK r and N (ar ) is an ideal of OK .

NΦr (ar ) is a polarized ideal of OK .

We draw a relation p1 · · · pk = 1 in Cl(O) and deduce the relation

NΦr (NΦ(p1)) · · · NΦr (NΦ(pk)) = 1 ∈ C(O).

Property

Relations in C(O)

(α) = p1 · · · pk(α′) = p′1 · · · p′k

(β) = (q1, β1) · · · (qk , βk)

NΦ(pi ) = p′i

NΦr (p′j) = qj

Relations in C(O)

(α) = p1 · · · pk

(α′) = p′1 · · · p′k(β) = (q1, β1) · · · (qk , βk)

NΦ(pi ) = p′i

NΦr (p′j) = qj

Relations in C(O)

(α) = p1 · · · pk(α′) = p′1 · · · p′k

(β) = (q1, β1) · · · (qk , βk)

NΦ(pi ) = p′i

NΦr (p′j) = qj

Relations in C(O)

(α) = p1 · · · pk(α′) = p′1 · · · p′k

(β) = (q1, β1) · · · (qk , βk)

NΦ(pi ) = p′i

NΦr (p′j) = qj

The case of g →∞Let V /Fq be a dimension g Abelian variety defined over Fq with CM byan order O in K .

We want to derive relations in C(O).

We want to establish conditions on K to use the q-descent.

K = Q[X ]/χ(X ) is defined by a q-Weil polynomial of the form

χ(X ) =∏j≤2g

(X −√qe iθj ).

Let ∆ = disc(χ), do n = deg(χ) and d = log(H(χ)) satisfy

n = n0(log |∆|)α(1 + o(1))

d = d0(log |∆|)1−α(1 + o(1)),

for α ∈]0, 1[ and n0, d0 > 0, allowing a subexponential q-descent ?

χ(X ) =∏j≤2g

(X −√qe iθj ).

n = n0(log |∆|)α(1 + o(1))

d = d0(log |∆|)1−α(1 + o(1)),

χ(X ) =∏j≤2g

(X −√qe iθj ).

n = n0(log |∆|)α(1 + o(1))

d = d0(log |∆|)1−α(1 + o(1)),

The case of g →∞Let log |∆′| := g2 log(q), and g = log(q)δ for some δ > 0, then

n = n0 log |∆′|α(1 + o(1)).

d = d0 log |∆′|1−α(1 + o(1)).

We can have subexponential time with respect to log |∆′|. Do we havelog |∆′| ∼ log |Disc(χ)| ?.

The discriminant of χ is given by

Disc(χ) = (√q)(2g

g )∏j 6=k

(e iθj − e iθk

We have the upper bound log |Disc(χ)| ≤ O(g2 log(q))(1 + o(1)).

But we might have log |Disc(χ)| � g2 log(q).

If |e iθj − e iθk | ≥ 1pε for some ε < 1/2, then log |Disc(χ)| & O(g2 log(q)).

n = n0 log |∆′|α(1 + o(1)).

d = d0 log |∆′|1−α(1 + o(1)).

g )∏j 6=k

(e iθj − e iθk

n = n0 log |∆′|α(1 + o(1)).

d = d0 log |∆′|1−α(1 + o(1)).

g )∏j 6=k

(e iθj − e iθk

n = n0 log |∆′|α(1 + o(1)).

d = d0 log |∆′|1−α(1 + o(1)).

g )∏j 6=k

(e iθj − e iθk

n = n0 log |∆′|α(1 + o(1)).

d = d0 log |∆′|1−α(1 + o(1)).

g )∏j 6=k

(e iθj − e iθk

Choosing roots of χ(X )

θ2 − θ1e iθ1

e iθ2

d = sin(θ2 − θ1) ∼ θ2 − θ1

(−1, 0) (1, 0)

(0,−1)

(0, 1)

θ2 − θ1e iθ1

e iθ2

e iθ3 d = sin(θ2 − θ1) ∼ θ2 − θ1

(−1, 0) (1, 0)

(0,−1)

(0, 1)

θ2 − θ1e iθ1

e iθ2

e iθ3

e iθ4

d = sin(θ2 − θ1) ∼ θ2 − θ1

(−1, 0) (1, 0)

(0,−1)

(0, 1)

Distribution of eigenangles

We study the case where g ∼ (log(q))δ for some δ > 0.

|e iθj − e iθk | < 1pε implies θj − θk → 0.

In this case, |e iθj − e iθk | ∼ |θj − θk | := Θ < 1pε .

If the (θj)j≤2g were equidistributed then we would have

(∀j , k , |e iθj − e iθk | ≥ 1

)=∏l≤2g

(1− l ·Θ)→ 1.

Katz-Sarnak

The distribution of the eigenangles is “close” to uniform

limg→∞

limq→∞

|Mg (Fq)|

) ∑C∈Mg (Fq)

discrep(µ(univ), µ(C/Fq)) = 0.

(∀j , k , |e iθj − e iθk | ≥ 1

)=∏l≤2g

(1− l ·Θ)→ 1.

Katz-Sarnak

limg→∞

limq→∞

|Mg (Fq)|

) ∑C∈Mg (Fq)

(∀j , k , |e iθj − e iθk | ≥ 1

)=∏l≤2g

(1− l ·Θ)→ 1.

Katz-Sarnak

limg→∞

limq→∞

|Mg (Fq)|

) ∑C∈Mg (Fq)

Computing the action of C(O)

Let V /Fq of dimension g and a polarized ideal (a, l) with N (a) = lg .

We represent V by a theta structure of level n.

We want to evaluate the action of a on the ismorphism class of V .

Computation of an (Z/lZ)g -isogeny

Let H be an isotropic subgroup of V isomorphic to (Z/lZ)g .

Evaluating φ with ker(φ) = H takes O(l3g+o(1)) operations in Fq.

Computing H boils down to computing the l-torsion.

1 Compute the zeta function ZA(T ) of A/Fq. Set L← {}2 Write #A(Fqlg−1−1) as mlk where l - m.

3 Let P = mO where O is a random point of A(Fqlg−1−1).

4 If P /∈ 〈L〉 ⊆ A[l ] then L← L ∪ P.

Subexponential relations in C(O)

We have g ∼ log(q)δ. Our goal is to find α, β < 1 such that

The factor base is B = {p | N (p) ≤ L∆(α, c + o(1))}.We can find and evaluate B-smooth relations in time L∆(β, d + o(1)).

were c , d > o and log |∆| = g2 log(q).

Cost of the evaluation

For N (p) = l , the evaluation of the action of p takes lO(g).

We want to adjust the trade-off between |B| and the expected time.

We have subexponential time when the conditions are satisfied

1− β ≥ δ ≥ 1− α− β.

β + 2α ≥ 1 and 2β + α ≥ 1.

β > δ or 2β + α = 1.

For example : α = β = 1/3 works for 13 ≤ δ ≤

1− β ≥ δ ≥ 1− α− β.

β + 2α ≥ 1 and 2β + α ≥ 1.

β > δ or 2β + α = 1.

1− β ≥ δ ≥ 1− α− β.

β + 2α ≥ 1 and 2β + α ≥ 1.

β > δ or 2β + α = 1.

Conclusion

Thank you for your attention.

Class group and unit group computation for large degree...

Documents

Transcript of Class group and unit group computation for large degree...