6 research outputs found

    Testing isomorphism of lattices over CM-orders

    A CM-order is a reduced order equipped with an involution that mimics complex conjugation. The Witt-Picard group of such an order is a certain group of ideal classes that is closely related to the "minus part" of the class group. We present a deterministic polynomial-time algorithm for the following problem, which may be viewed as a special case of the principal ideal testing problem: given a CM-order, decide whether two given elements of its Witt-Picard group are equal. In order to prevent coefficient blow-up, the algorithm operates with lattices rather than with ideals. An important ingredient is a technique introduced by Gentry and Szydlo in a cryptographic context. Our application of it to lattices over CM-orders hinges upon a novel existence theorem for auxiliary ideals, which we deduce from a result of Konyagin and Pomerance in elementary number theory.
    Comment: To appear in SIAM Journal on Computing

    Universal gradings of orders

    For commutative rings, we introduce the notion of a universal grading, which can be viewed as the "largest possible grading". While not every commutative ring (or order) has a universal grading, we prove that every reduced order has a universal grading, and this grading is by a finite group. Examples of graded orders are provided by group rings of finite abelian groups over rings of integers in number fields. We generalize known properties of nilpotents, idempotents, and roots of unity in such group rings to the case of graded orders; this has applications to cryptography. Lattices play an important role in this paper; a novel aspect is that our proofs use that the additive group of any reduced order can in a natural way be equipped with a lattice structure.
    Comment: Added section 10; added to and rewrote introduction and abstract (new Theorem 1.4 and Examples 1.6 and 1.7)

    Generating cryptographically-strong random lattice bases and recognizing rotations of $\mathbb{Z}^n$

    Lattice-based cryptography relies on generating random bases which are difficult to fully reduce. Given a lattice basis (such as the private basis for a cryptosystem), all other bases are related by multiplication by matrices in $GL(n,\mathbb{Z})$. How can one sample random elements from $GL(n,\mathbb{Z})$? We consider various methods, finding some are stronger than others with respect to the problem of recognizing rotations of the $\mathbb{Z}^n$ lattice. In particular, the standard algorithm of multiplying unipotent generators together (as implemented in Magma's RandomSLnZ command) generates instances of this last problem which can be efficiently broken, even in dimensions nearing 1,500. Similar weaknesses for this problem are found with the random basis generation method in one of the NIST Post-Quantum Cryptography competition submissions (DRS). Other algorithms are described which appear to be much stronger.
    Comment: 24 pages, 2 figures