Recovering short generators of principal ideals in cyclotomic rings

Abstract: A handful of recent cryptographic proposals rely on the conjectured hardness of the following problem in the ring of integers of a cyclotomic number field: given a basis of a principal ideal that is guaranteed to have a ``rather short'' generator, find such a generator. Recently, Bernstein and Campbell-Groves-Shepherd sketched potential attacks against this problem; most notably, the latter authors claimed a \emph{polynomial-time quantum} algorithm. (Alternatively, replacing the quantum component with an algorithm of Biasse and Fieker would yield a \emph{classical subexponential-time} algorithm.) A key claim of Campbell \etal\ is that one step of their algorithm---namely, decoding the \emph{log-unit} lattice of the ring to recover a short generator from an arbitrary one---is classically efficient (whereas the standard approach on general lattices takes exponential time). However, very few convincing details were provided to substantiate this claim. In this work, we clarify the situation by giving a rigorous proof that the log-unit lattice is indeed efficiently decodable, for any cyclotomic of prime-power index. Combining this with the quantum algorithm from a recent work of Biasse and Song confirms the main claim of Campbell \etal\xspace Our proof consists of two main technical contributions: the first is a geometrical analysis, using tools from analytic number theory, of the standard generators of the group of cyclotomic units. The second shows that for a wide class of typical distributions of the short generator, a standard lattice-decoding algorithm can recover it, given any generator. By extending our geometrical analysis, as a second main contribution we obtain an efficient algorithm that, given any generator of a principal ideal (in a prime-power cyclotomic), finds a 2^O~(n^1/2) -approximate shortest vector in the ideal. Combining this with the result of Biasse and Song yields a quantum polynomial-time algorithm for the 2^O~(n^1/2)-approximate Shortest Vector Problem on principal ideal lattices

The Minimal Resultant Locus

Let K be a complete, algebraically closed nonarchimedean valued field, and let f(z) in K(z) be a rational function of degree d at least 2. We give an algorithm to determine whether f(z) has potential good reduction over K, based on a geometric reformulation of the problem using the Berkovich Projective Line. We show the minimal resultant is is either achieved at a single point in the Berkovich line, or on a segment, and that minimal resultant locus is contained in the tree in spanned by the fixed points and the poles of f(z). When f(z) is defined over the rationals, the algorithm runs in probabilistic polynomial time. If f(z) has potential good reduction, and is defined over a subfield H of K, we show there is an extension L/H in K with degree at most (d + 1)^2 such that f(z) achieves good reduction over L.Comment: 37 page