Lattice Reduction for Modules, or How to Reduce ModuleSVP to ModuleSVP

We show how to generalize lattice reduction algorithms to module lattices. Specifically, we reduce $\gamma$-approximate ModuleSVP over module lattices with rank $k \geq2$ to $\gamma\u27$-approximate ModuleSVP over module lattices with rank $2 \leq \beta \leq k$. To do so, we modify the celebrated slide-reduction algorithm of Gama and Nguyen to work with module filtrations, a high-dimensional generalization of the ($\Z$-)basis of a lattice. The particular value of $\gamma$ that we achieve depends on the underlying number field $K$, the order $R \subseteq \mathcal{O}_K$, and the embedding (as well as, of course, $k$, $\beta$, and $\gamma\u27$). However, for reasonable choices of these parameters, the resulting value of $\gamma$ is surprisingly close to the one achieved by ``plain\u27\u27 lattice reduction algorithms, which require an arbitrary SVP oracle in the same dimension. In other words, we show that ModuleSVP oracles are nearly as useful as SVP oracles for solving higher-rank instances of approximate ModuleSVP. Our result generalizes the recent independent result of Lee, Pellet-Mary, Stehlé, and Wallet, which works in the important special case when $\beta = 2$ and $R = \mathcal{O}_K$ is the ring of integers of $K$ under the canonical embedding. Our reduction works for any $\beta$ dividing $k$, as well as arbitrary orders $R \subseteq \mathcal{O}_K$ and a larger class of embeddings. Indeed, at a high level our reduction can be thought of as a generalization of theirs in roughly the same way that block reduction generalizes LLL reduction

On Solving Relative Norm Equations in Algebraic Number Fields

. Let j ` E ` F be algebraic number fields and M ae F a free o E - module. We prove a theorem which enables us to determine whether a given relative norm equation of the form j N F=E (j)j = j`j has any solutions j 2 M at all and, if so, to compute a complete set of nonassociate solutions. Finally we formulate an algorithm using this theorem, consider its algebraic complexity and give some examples. 1991 Mathematics Subject Classification. Primary 11Y40. Key words and phrases. Algebraic number theory, norm equations, relative norm equations, relative extensions 2 C. FIEKER, A. JURK, AND M. POHST 1. Introduction Solving norm equations is a central problem in the area of algebraic number theory. Although there is an algorithm for solving absolute norm equations (e.g. see [1] or [8, xx5.3, 6.4]), none (except the absolute one) exists in the relative case. We outline a new algorithm to decide whether a relative norm equation has solutions at all and then, if there are solutions to comp..

Some genus 3 curves with many points

We explain a naive approach towards the problem of finding genus 3 curves C over any given finite field F-q of odd characteristic, with a number of rational points close to the Hasse-Weil-Serre upper bound q+1+3[2rootq]. The method turns out to be successful at least in characteristic 3

MPQS with three large primes

We report the factorization of a 135-digit integer by the triple-large-prime variation of the multiple polynomial quadratic sieve. Previous workers [6][10] had suggested that using more than two large primes would be counterproductive, because of the greatly increased number of false reports from the sievers. We provide evidence that, for this number and our implementation, using three large primes is approximately 1.7 times as fast as using only two. The gain in efficiency comes from a sudden growth in the number of cycles arising from relations which contain three large primes. This effect, which more than compensates for the false reports, was not anticipated by the authors of [6] [10] but has become quite familiar from factorizations obtained using the number field sieve. We characterize the various types of cycles present, and give a semi-quantitative description of their rather mysterious behaviour