
1 Introduction

The problem of finding the shortest vector of a Euclidean lattice (the shortest vector problem, or SVP) is a central hard problem in complexity theory. Approximated versions of this problem (approx-SVP) have become the theoretical foundation for many cryptographic constructions thanks to the average-case to worst-case reductions of Ajtai [Ajt99] — a classical reduction from approx-SVP to the Short Integer Solution (SIS) problem — and Regev [Reg05] — a quantum reduction from approx-SVP to Learning with Errors (LWE).

For efficiency reasons, it is tempting to rely on structured lattices, in particular lattices arising as ideals or modules over certain rings, the earliest example being the NTRUencrypt proposal from Hoffstein et al. [HPS98]. Later on, variations on these foundations were also considered.

Precisely, the Ring-SIS [Mic02, LM06, PR06] and Ring-LWE [SSTX09, LPR10] problems were introduced, and shown to reduce to worst-case instances of Ideal-SVP, a specialization of SVP to ideals viewed as lattices. Both Ring-SIS and Ring-LWE have proven to be very versatile problems on which to build efficient cryptographic schemes.

The typical choices of rings for Ring-SIS, Ring-LWE and Ideal-SVP are the ring of integers of a cyclotomic number field of conductor m, that is \(K = \mathbb {Q}(\omega _m)\), of degree \(n = \varphi (m)\), where \(\omega _m\) is a complex primitive m-th root of unity. This choice further ensures the hardness of the decisional version of Ring-LWE under the same worst-case Ideal-SVP hardness assumption [LPR10].

Attack on Principal Ideals. For some time, it seemed plausible that the structured versions of lattice problems should be just as hard to solve as the unstructured ones: only some (almost) linear-time advantages were known. This was challenged by a claim of Campbell et al. [CGS14]: a quantum polynomial-time attack against their scheme Soliloquy. The attack also applies to the fully-homomorphic encryption scheme of [SV10] and the cryptographic multilinear map candidates [GGH13, LSS14], as they all share a common key generation procedure, described below.

For the secret key, choose an integral element \(g \in \mathcal O_K\) with small distortion, i.e. a \(g \in \mathcal O_K\) such that

$$\begin{aligned} \frac{\max _\sigma |\sigma (g)|}{\min _\sigma |\sigma (g)|} \le \mathrm {poly}(n) \end{aligned}$$
(1)

where \(\sigma \) ranges over the n complex embeddings \(K \rightarrow \mathbb C\). A corresponding public key consists of the ideal \(\mathfrak I = (g)\), described by a “bad” \(\mathbb {Z}\)-basis (e.g. a \(\mathbb {Z}\)-basis in Hermite normal form).

The attack consists of two steps, sketched in [CGS14]. First, using a quantum computer, it should be possible to solve the Principal Ideal Problem (PIP): given \(\mathfrak I \subset \mathcal O_K\) find \(h \in \mathcal O_K\) such that \(\mathfrak I = (h)\). Second, a (classical) close-vector algorithm in the log-unit lattice \({\text {Log}} \mathcal O_K^\times \) should allow one to recover the secret key g from h. Both steps are claimed to be polynomial time.

While the analysis of the quantum step was unclear, such a result seemed plausible considering the recent breakthrough on the Hidden Subgroup Problem over \(\mathbb {R}^n\) by Eisentrager et al. [EHKS14], including efficient quantum unit-group computation. And indeed Biasse and Song [BS16] generalized [EHKS14] to S-unit-group computation, allowing in particular to solve PIP [BS16, Theorem 1.3].

The claimed correctness of the short generator recovery step also raised questions: unless a particularly orthogonal basis of the log-unit lattice \({\text {Log}} \mathcal O_K^\times \) is known, this step should take exponential time. It was already noticed [GGH13, Full version, pp. 43] that the log-unit lattice could be efficiently decoded up to a radius of \(n^{-O(\log \log n)}\) thanks to the Gentry-Szydlo algorithm [GS02], but this is far from sufficient. Yet, the claim that it can be done in polynomial time was quickly supported by convincing numerical experiments [Sch15]. And indeed, by analyzing the geometry of cyclotomic units, Cramer et al. [CDPR16, Theorem 4.1] proved that the decoding-radius given by a basis of such units is in fact much better.

A second result of Cramer et al. [CDPR16, Theorem 6.3] analyses how good an approximation of the shortest vector is obtained in the worst case, i.e. without condition (1). Using a variation on the algorithm of [CGS14], they prove that from any generator h of \(\mathfrak I\), one can efficiently find a generator g of Euclidean length \((N \mathfrak I)^{1/n} \cdot \exp (\tilde{O}(\sqrt{n}))\). Combined with [BS16], this solves in quantum polynomial time the Short Vector Problem over principal ideals in the worst case for an approximation factor \(\gamma = \exp (\tilde{O}(\sqrt{n}))\).

Claim 1

([BS16, Theorem 1.3] Combined with [CDPR16, Theorem 6.3]). There exists a quantum polynomial time algorithm \(\textsc {PrincipalIdealSVP}(\mathfrak a)\), that given an ideal of \(\mathcal O_K\) for K a cyclotomic number field of prime power conductor, returns a generator \(v \in \mathfrak a\) of Euclidean norm \(\Vert v\Vert \le (N \mathfrak a)^{1/n} \cdot \exp (\tilde{O}(\sqrt{n}))\).

In particular, v is a solution to Ideal-SVP for an approximation factor \(\gamma = \Vert v\Vert /\lambda _1(\mathfrak a) = \exp (\tilde{O}(\sqrt{n}))\) where \(\lambda _1(\mathfrak a)\) denotes the length of the shortest vector of \(\mathfrak a\).

It is also shown [CDPR16, Lemma 6.2] that this result is tight up to a \(\mathrm {polylog}(n)\) factor in the exponent: the shortest generator is typically larger than the shortest element by a factor \(\exp (\tilde{O}(\sqrt{n}))\).

Fig. 1. (figure not reproduced) Best known (quantum) time–approximation factor tradeoffs to solve approx-SVP in arbitrary lattices (on the left) and in principal ideal lattices (on the right), in the worst case. The approximation factors of (ideal)-SVP used to build cryptography upon are typically between polynomial \(\mathrm {poly}(n)\) and quasi-polynomial \(\exp (\mathrm {polylog}(n))\).

Impact and Limitations of the Attack on Principal Ideals. Whereas some cryptosystems were broken by this quantum attack, the current limitations of this approach to tackle more standard problems such as Ring-LWE are three-fold.

  (i) First, it is restricted to principal ideals, while Ring-SIS and Ring-LWE rely on worst-case hardness of SVP over general ideals.

  (ii) Second, the approximation factor \(\gamma = \exp (\tilde{O}(\sqrt{n}))\) in the worst-case is asymptotically too large to affect any actual Ring-LWE based schemes even for advanced cryptosystems such as the state of the art fully homomorphic encryption schemes (see [BV11, DM15]).

  (iii) Third, Ring-LWE is known to be at least as hard as Ideal-SVP but not known to be equivalent.

But it does show an asymptotic gap between the search of mildly short vectors in general lattices and in certain structured lattices (see Fig. 1), and calls for a more thorough study of the hardness assumption over structured lattices. This work addresses the first of them.

1.1 Contributions

This work provides strong evidence that the general case of Ideal-SVP is not harder than the principal case for similar approximation factors. As a consequence, the approximation factors reachable in quantum polynomial time appear to be significantly smaller in arbitrary ideals of cyclotomic fields of prime-power conductor than known for general lattices, dropping from \(\exp ({\tilde{\varTheta }(n)})\) to \(\exp (\tilde{\varTheta }(\sqrt{n}))\).

Main Result

(Under GRH, Assumptions 1 and 2). There exists a quantum polynomial time algorithm \(\textsc {IdealSVP}(\mathfrak a)\), that given an ideal of \(\mathcal O_K\) for K a cyclotomic number field of prime power conductor, returns an element \(v \in \mathfrak a\) of Euclidean norm \(\Vert v\Vert \le (N \mathfrak a)^{1/n} \cdot \exp (\tilde{O}(\sqrt{n}))\).

In other words, Ideal-SVP is solvable in quantum polynomial time in cyclotomic number fields for an approximation factor \(\gamma = \exp (\tilde{O}(\sqrt{n}))\).

The strategy consists in reducing the problem over general ideals to that over principal ideals, for cyclotomic fields of prime-power conductor m. We show that under some number-theoretic assumptions, it is possible to solve the close principal multiple (CPM) problem in quantum polynomial time for a good enough approximation factor. More precisely, the CPM problem consists in finding a principal ideal \(\mathfrak c \subset \mathfrak a\) for an arbitrary ideal \(\mathfrak a\), such that the algebraic norm of \(\mathfrak c\) is not much larger than the norm of \(\mathfrak a\), say up to a factor \(\exp (\tilde{O}(n^{1+c}))\). We will argue that one can reach \(c=1/2\); yet, any \(c<1\) will provide a better time-approximation factor tradeoff than the generic algorithms LLL and BKZ.

Our main tool to solve CPM is the classical theorem that the class-group is annihilated by the Galois-module action of the so-called Stickelberger ideal: it provides explicit class relations between an ideal and its Galois conjugates. An important fact is that this Stickelberger ideal has many short elements and that these can be explicitly constructed (see for example [Sch10]). This leads to a quantum polynomial time algorithm to solve CPM for a factor \(\exp (\tilde{O}(n^{1+c}))\), where the constant c depends on how many Galois orbits of prime ideals are used to generate the (minus part of the) class group. It remains to apply the short generator recovery to \(\mathfrak c\) to find a short vector of \(\mathfrak a\), approximating the shortest vector by a factor \(\exp (\tilde{O}(n^{\max (1/2, c)}))\).

We follow the notations of Fig. 1. If the exponent c can be made strictly smaller than 1, this gives a non-trivial result compared to generic lattice algorithms (see [Sch87, GN08]): we get \(t = 0\) for any \(a \ge \max (1/2,c)\), and in particular \(a+t < 1\), against \(a+t = 1\) for generic algorithms. If c can be made as small as 1/2, then the asymptotic tradeoffs for Ideal-SVP are as good as the tradeoffs for Principal-Ideal-SVP.

Concluding formally on which value of c can be achieved is not straightforward, as it relies on the structure of the class group \(\mathrm {Cl}_K\) as a \(\mathbb {Z}[G]\)-module (see Sect. 2.3). Based on computations of the class group structure of Schoof [Sch98] and a heuristic argument, we strongly believe it is plausible that \(c = 1/2\) is reachable at least for a dense family of conductors m, if not all. This leads to the main result stated above.

1.2 Impact, Open Questions and Recommendations

To the best of our knowledge, this new result does not immediately lead to an attack on any proposed scheme, since most of them are based on Ring-LWE: obstacles (ii) and (iii) remain. Each of these obstacles leaves a crucial open cryptanalytic question.

  • The first question is whether the \(\gamma = \exp (\tilde{O}(\sqrt{n}))\) approximation factors can be improved, potentially increasing the running time. One could for example consider many CPM solutions rather than just one, and hope that one of them leads to a much shorter vector.

  • The second is whether an oracle for Ideal-SVP (an approx-SVP oracle for modules of rank 1) can be helpful to solve Ring-LWE, which can be summarized as an “unusually-Short Vector Problem” over a module of rank 3. Note that the natural approach of using LLL generalized to other rings, as done by Napias [LLL82, Nap96], fails since only the rings of integers of a few cyclotomic fields of small conductor are Euclidean [Len75].

Despite those two serious obstacles to attack Ring-LWE based schemes by the algebraic approach developed in [CGS14, BS16, CDPR16] and in this paper, it seems a reasonable precaution to start considering weaker structured lattice assumptions, such as Module-LWE [LS15] (i.e., an “unusually-Short Vector Problem” in a module of larger rank over a smaller ring), which provides an intermediate problem between ring-LWE and general LWE.

It is also possible to consider other rings, as done in [BCLvV16]. Yet, the latter proposal surprisingly relies on the seemingly stronger NTRU assumption (“unusually-Short Vector Problem” over modules of rank 2). In the current state of affairs [KF16], there seems to be an asymptotic hardness gap between NTRU and Ring-LWE, whatever the ring, and down to quite small polynomial approximation factors. Should the concrete security claims of [BCLvV16] not be directly affected, the same reasonable precaution principle should favor weaker assumptions, involving modules of a larger rank.

2 Overview

2.1 Notations and Reminders

Throughout this paper, let m be a prime power, \(\omega _m \in \mathbb C\) be a complex primitive m-th root of unity, and \(K = \mathbb {Q}(\omega _m)\) be the cyclotomic number field of conductor m. It is a number field of degree \(n = \varphi (m) = \varTheta (m)\). Let G denote its Galois group over \(\mathbb {Q}\), and let \(\tau \in G\) denote complex conjugation. We recall that the discriminant \(\varDelta _K\) of K asymptotically satisfies \(\log |\varDelta _K| = O(n \log n)\).

Ideals as Lattices. The field K is endowed with a canonical Hermitian vector space structure via its Minkowski embedding. Concretely, its inner product is defined via the trace map \({\text {Tr}}: K\rightarrow \mathbb {Q}\) by \(\langle a, b \rangle = {\text {Tr}}(a \tau (b))\), and the associated Euclidean norm is denoted \(\Vert \cdot \Vert : a \mapsto \sqrt{\langle a, a \rangle } = \sqrt{{\text {Tr}}(a \tau (a))}\).

The ring of integers of \(K\) is denoted \(\mathcal O_K\) and in the cyclotomic case is simply given by \(\mathcal O_K= \mathbb {Z}[\omega _m]\). Any ideal \(\mathfrak h\) of \(\mathcal O_K\) can be viewed as a Euclidean lattice via the above inner-product. The algebraic norm of an ideal \(\mathfrak h\) is written \(N \mathfrak h\). The volume of \(\mathfrak h\) as a lattice relates to its algebraic norm by \({\text {Vol}}(\mathfrak h) = \sqrt{|\varDelta _K|} N \mathfrak h\). The length \(\lambda _1(\mathfrak h)\) of the shortest vector of \(\mathfrak h\) is determined by its algebraic norm up to a polynomial factor:

$$\begin{aligned} \frac{1}{\mathrm {poly}(n)} N (\mathfrak h)^{1/n} \le \lambda _1(\mathfrak h) \le \mathrm {poly}(n) N (\mathfrak h)^{1/n}. \end{aligned}$$

The right inequality is an application of Minkowski’s second theorem, whereas the left one follows from the fact that the ideal \(v \mathcal O_K\) generated by the shortest vector v of \(\mathfrak h\) is a multiple (a sub-ideal) of \(\mathfrak h\), and that \({\text {Vol}}(v\mathcal O_K) \le \Vert v\Vert ^n\).
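The left inequality carried through explicitly, as an added worked derivation (not part of the original paper), using only the page's own notation and the identity \(\Vert v\Vert ^2 = {\text {Tr}}(v\tau (v)) = \sum _\sigma |\sigma (v)|^2\). If v is a shortest vector of \(\mathfrak h\), then \(v\mathcal O_K \subset \mathfrak h\) forces \(N(v\mathcal O_K)\) to be a multiple of \(N\mathfrak h\), and the arithmetic-geometric mean inequality applied to the n numbers \(|\sigma (v)|^2\) gives

$$\begin{aligned} N\mathfrak h \le N(v\mathcal O_K) = \prod _{\sigma } |\sigma (v)| \le \left( \frac{1}{n}\sum _\sigma |\sigma (v)|^2\right) ^{n/2} = \left( \frac{\Vert v\Vert ^2}{n}\right) ^{n/2}, \end{aligned}$$

so that \(\lambda _1(\mathfrak h) = \Vert v\Vert \ge \sqrt{n}\,(N\mathfrak h)^{1/n}\). This is the left inequality above with the factor \(1/\mathrm {poly}(n)\) replaced by the sharper \(\sqrt{n}\); the polynomial slack is only needed on the right-hand side.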

Class Group. The class group \(\mathrm {Cl}_K = \mathscr {I}_K/ \mathscr {P}_K\) of \(K\) is the quotient of the (abelian) multiplicative group of fractional ideals \(\mathscr {I}_K\) by the subgroup of fractional principal ideals. We denote \([\mathfrak h] \in \mathrm {Cl}_K\) the class of an ideal \(\mathfrak h\). The trivial class \([\mathcal O_K]\) is the class of principal ideals. Given two ideals \(\mathfrak h\) and \(\mathfrak f\), we write \(\mathfrak h \sim \mathfrak f\) if they have the same class. The class group is written multiplicatively.

The class number \(h_K = |\mathrm {Cl}_K|\) is the order of the class group. Loosely speaking, the class group measures the lack of principality of the ring \(\mathcal O_K\). In particular, the class group is trivial (\(h_K = 1\)) if and only if \(\mathcal O_K\) is a principal ideal domain. This holds only for finitely many conductors \(m \ge 1\) and, more precisely, we know that \(\log h_K = \varTheta (n \log m)\) [Was12, Theorem 4.20].

2.2 Overview

It has been shown [CGS14, BS16, CDPR16] (under reasonable assumptions) that given an arbitrary principal ideal \(\mathfrak a \subset \mathcal O_K\), one can recover in quantum polynomial time an element \(g \in \mathfrak a\) (in fact a generator of \(\mathfrak a\), i.e. such that \(\mathfrak a = g \mathcal O_K\)) such that \(\Vert g\Vert \le (N\mathfrak a)^{1/n} \cdot \exp ({\tilde{O}(n^{1/2})})\). Our goal is to reduce the case of general ideals to the case of principal ideals.

The Close Principal Multiple Problem (CPM). To do so, a folklore approach is to search for a reasonably close multiple \(\mathfrak c = \mathfrak a \mathfrak b\) of \(\mathfrak a\) that is principal; in other words, one searches for a small integral ideal \(\mathfrak b\) such that \(\mathfrak b \sim \mathfrak a^{-1}\). If such an ideal \(\mathfrak b\) with norm less than \(\exp ({\tilde{O}(n^{1+c})})\) for some constant \(c > 0\) is found, this implies, by the aforementioned results, that one can find a generator g of \(\mathfrak c\) such that

$$\begin{aligned} \Vert g\Vert&\le (N\mathfrak c)^{1/n} \cdot \exp \left( \widetilde{O}\left( n^{1/2}\right) \right) \\&\le (N\mathfrak a)^{1/n} \cdot (N\mathfrak b)^{1/n} \cdot \exp \left( {\widetilde{O}\left( n^{1/2}\right) }\right) \\&\le (N\mathfrak a)^{1/n} \cdot \exp \left( {\widetilde{O}\left( n^{\max (1/2,c)}\right) }\right) . \end{aligned}$$

Because \(g \in \mathfrak c \subset \mathfrak a\), one has found a short vector of \(\mathfrak a\), larger than the shortest vector of \(\mathfrak a\) by a sub-exponential approximation factor \(\exp ({\tilde{O}(n^{\max (1/2,c)})})\). This is asymptotically as good as the principal case when \(c = 1/2\), and better than LLL for any \(c<1\).

CPM as a Close Vector Problem. Before searching for a solution to the CPM problem, let us discuss whether an \(\exp ({\tilde{O}(n^{1+c})})\)-close principal multiple exists in general. A positive answer follows from the results of [JW15, Corollary 6.5]: setting a prime factor basis \(\mathfrak B = \{\mathfrak p \mid N\mathfrak p \le n^{4 + o(1)}\}\), for any class \(C \in \mathrm {Cl}_K\) there exists a non-negative small solution \(e \in \mathbb {Z}^{\mathfrak B}_{\ge 0}\) to the class equation \([\prod \mathfrak p ^{e_{\mathfrak p}}] = C\), of \(\ell _1\)-norm \(\Vert e\Vert _1 \le O(n^{1+o(1)})\). This proves, assuming GRH, the existence of a solution \(\mathfrak b = \prod \mathfrak p ^{e_{\mathfrak p}}\) to the CPM problem as small as \(\exp ({\tilde{O}(n^{1+c})})\) for \(c = o(1)\).

The previous argument is based on the analysis of the expander properties of certain Cayley graphs on the class group. For our purpose, existence is not enough, as we wish to efficiently find a close principal multiple. We instead describe the class group using lattices. If the factor basis \(\mathfrak B\) generates the whole class group, then one may rewrite \(\mathrm {Cl}_K \simeq \mathbb {Z}^{\mathfrak B} / \varLambda \) where \(\varLambda \) is the lattice of class relations: \(\varLambda = \{e \in \mathbb {Z}^{\mathfrak B}| [\prod \mathfrak p^{e_{\mathfrak p}}] = [\mathcal O_K]\}\). In other words, \(\varLambda \subset \mathbb {Z}^{\mathfrak B}\) is the kernel of the surjection \(\mu : \mathbb {Z}^{\mathfrak B} \twoheadrightarrow \mathrm {Cl}_K\). In fact, it will be enough to consider any full-rank sublattice \(\varGamma \subset \varLambda \) of class relations, i.e. any subgroup \(\varGamma \subset \varLambda \) of finite index.

The CPM problem can now be rephrased as a close vector problem: given a class \(C = [\mathfrak a]^{-1} \in \mathrm {Cl}_K\), one first uses the Biasse-Song quantum algorithm [BS16] to compute a representative of that class \(\alpha \in \mathbb {Z}^{\mathfrak B}\) in base \(\mathfrak B\) (see Proposition 2), that is an \(\alpha \) such that \(\mu (\alpha ) = C\). Then one reduces this representation, by searching for a lattice vector \(\beta \in \varGamma \) close to \(\alpha \). Note that \(\mu (\alpha - \beta ) = \mu (\alpha ) = C\). This provides a solution \(\mathfrak b = \prod \mathfrak p^{\alpha _{\mathfrak p} - \beta _{\mathfrak p}}\), of norm at most \(B^{\Vert \alpha - \beta \Vert _1}\), where B is a bound such that \(N\mathfrak p \le B\) for every \(\mathfrak p \in \mathfrak B\). It is therefore sufficient to find an appropriate factor basis together with a good basis of the lattice of relations \(\varGamma \) to attack this problem. The condition that \(\varGamma \) be of full rank is necessary to have any guarantee on the length of the reduced representative \(\alpha - \beta \).
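The reduction step just described, run end to end on a constructed toy, as an added example that is not part of the original paper. Everything number-theoretic is replaced by a stand-in: a cyclic "class group" \(\mathbb {Z}/12\mathbb {Z}\), a factor basis of three prime symbols whose classes are the constructed values 1, 5 and 7, the map \(\mu \) as a linear map modulo 12, and a hand-picked basis of the relation lattice \(\varLambda = \ker \mu \) (the code checks that the rows are relations and that their determinant equals the index 12, so they span all of \(\varLambda \)). The vector \(\alpha \) stands in for the output of the class-group discrete logarithm of Proposition 2, and Babai's nearest-plane algorithm plays the role of the close-vector search. The same \(\alpha \) is reduced once against a short basis and once against a long "naive" basis of the same lattice, which is the point of the last two sentences above: the class is preserved either way, but the length of \(\alpha - \beta \) depends entirely on the quality of the basis of \(\varGamma \).

```python
# Added example (not the paper's code): the CPM step as a close-vector
# problem in a relation lattice, on a constructed toy.  All inputs below are
# constructed for this example: a cyclic "class group" Cl = Z/HZ, a factor
# basis of three prime symbols p_1, p_2, p_3 with classes CLS, the morphism
# mu(e) = sum_i e_i * CLS[i] mod H, and two bases of Lambda = ker(mu).
from fractions import Fraction
from math import floor

H = 12
CLS = [1, 5, 7]                                      # classes of p_1, p_2, p_3 in Z/12Z
RELATIONS = [[0, 1, 1], [2, 2, 0], [5, -1, 0]]       # a short basis of Lambda
NAIVE_BASIS = [[12, 0, 0], [-5, 1, 0], [-7, 0, 1]]   # a long basis of the same Lambda


def mu(e, cls=CLS, h=H):
    """Class of the ideal prod_i p_i^{e_i}, as an element of Z/hZ."""
    return sum(ei * ci for ei, ci in zip(e, cls)) % h


def det(M):
    """Integer determinant by Laplace expansion (the matrices here are tiny)."""
    if len(M) == 1:
        return M[0][0]
    return sum((-1) ** j * M[0][j] * det([row[:j] + row[j + 1:] for row in M[1:]])
               for j in range(len(M)))


def is_relation_basis(rows, cls=CLS, h=H):
    """Rows lie in Lambda and |det| = h = [Z^k : Lambda] (the classes generate
    Cl), hence the rows span all of Lambda rather than a proper sublattice."""
    return all(mu(r, cls, h) == 0 for r in rows) and abs(det(rows)) == h


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def gram_schmidt(rows):
    """Exact Gram-Schmidt vectors b_i^* (Fractions, no floating point)."""
    gs = []
    for b in rows:
        v = [Fraction(x) for x in b]
        for bs in gs:
            c = dot(v, bs) / dot(bs, bs)
            v = [vi - c * si for vi, si in zip(v, bs)]
        gs.append(v)
    return gs


def babai_nearest_plane(rows, target):
    """Lattice vector beta close to target.  The residual target - beta has
    coefficient in [-1/2, 1/2] along every b_i^*, so
    ||target - beta||^2 <= (1/4) * sum_i ||b_i^*||^2."""
    gs = gram_schmidt(rows)
    t = [Fraction(x) for x in target]
    for i in range(len(rows) - 1, -1, -1):
        c = floor(dot(t, gs[i]) / dot(gs[i], gs[i]) + Fraction(1, 2))  # nearest integer
        t = [ti - c * bi for ti, bi in zip(t, rows[i])]
    return [int(x - r) for x, r in zip(target, t)]


def babai_bound_sq(rows):
    """Worst-case squared length of the nearest-plane residual for this basis."""
    return sum(dot(bs, bs) for bs in gram_schmidt(rows)) / 4


def reduce_representative(alpha, rows=RELATIONS, cls=CLS, h=H):
    """alpha - beta with beta in Lambda near alpha: same class, shorter exponents."""
    beta = babai_nearest_plane(rows, alpha)
    e = [a - b for a, b in zip(alpha, beta)]
    assert mu(e, cls, h) == mu(alpha, cls, h)    # mu(beta) = 0, so the class is kept
    return e


if __name__ == "__main__":
    alpha = [9, 4, 7]                            # constructed "ClDL" output
    assert is_relation_basis(RELATIONS) and is_relation_basis(NAIVE_BASIS)
    print("class of alpha       :", mu(alpha))
    print("reduced, short basis :", reduce_representative(alpha, RELATIONS))
    print("reduced, naive basis :", reduce_representative(alpha, NAIVE_BASIS))
```

With the short basis the representative \((9,4,7)\) of class 6 is reduced to \((-1,-1,0)\); with the naive basis the same class comes out as \((-6,0,0)\). Both are valid exponent vectors for a principal multiple of the same class, but the norm bound \(B^{\Vert \alpha - \beta \Vert _1}\) of the resulting \(\mathfrak b\) is \(B^2\) in the first case and \(B^6\) in the second.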

The Stickelberger Ideal: Class Relations for Free. For this discussion, let us assume for now that the class group can be generated by a single ideal of small norm and its conjugates: \(\mathfrak B = \{\mathfrak p^\sigma = \sigma (\mathfrak p)| \sigma \in G\}\) and \(N \mathfrak p = \mathrm {poly}(n)\).

Stickelberger’s theorem will provide explicit class relations between any ideal \(\mathfrak h\) and its conjugates. More precisely, consider the group ring \(\mathbb {Z}[G]\), which naturally acts on \(\mathcal O_K\)-ideals as follows:

$$\begin{aligned} \mathfrak h^s = \prod _{\sigma \in G} \mathfrak h^{s_\sigma \cdot \sigma } = \prod _{\sigma \in G} \sigma (\mathfrak h)^{s_\sigma } \quad \text {where } s = \sum _{\sigma \in G} s_\sigma \cdot \sigma \in \mathbb {Z}[G]. \end{aligned}$$

Stickelberger gave an explicit construction of a \(\mathbb {Z}[G]\)-ideal \(S \subset \mathbb {Z}[G]\) that annihilates the class group, i.e. \(\mathfrak h^s \sim \mathcal O_K\) (i.e., \(\mathfrak h^s\) is principal) for any ideal \(\mathfrak h \subset \mathcal O_K\) and any element \(s \in S\). Forgetting the multiplicative structure of \(\mathbb {Z}[G]\) directly gives a lattice of class relations \(\kappa (S) \subset \mathbb {Z}^{\mathfrak B}\) via the canonical morphism of \(\mathbb {Z}\)-modules \(\kappa : \mathbb {Z}[G] \rightarrow \mathbb {Z}^{\mathfrak B}\), sending \(\sigma \) to the canonical vector \(\mathbf 1_{\mathfrak p^\sigma }\).

A technical issue is that the Stickelberger ideal is not of full rank in \(\mathbb {Z}[G]\) as a \(\mathbb {Z}\)-module, so it needs to be extended in order to serve as the lattice of relations \(\varGamma \). This can be resolved by working only with the minus part \(\mathrm {Cl}^-_K\) of the class group, i.e., the relative class group of \(K\) over the maximal real subfield \(K^+\). More formally, \(\mathrm {Cl}^-_K\) is the kernel of the morphism \(\mathrm {Cl}_K \rightarrow \mathrm {Cl}_{K^+}\) induced by the relative norm map \(N_{K/K^+}: \mathfrak h \mapsto \mathfrak h \mathfrak h^\tau \). This subgroup \(\mathrm {Cl}^-_K \subset \mathrm {Cl}_K\) is annihilated by the augmented Stickelberger ideal \(S'= S + \left( 1 + \tau \right) \mathbb {Z}[G]\). For this discussion, let us just assume that \(\mathrm {Cl}_{K^+}\) is trivial, so that the whole class group \(\mathrm {Cl}_K = \mathrm {Cl}^-_{K}\) is annihilated by the augmented Stickelberger ideal \(S'\).

The Geometry of the Stickelberger Ideal. An important fact is that this ideal has many short elements and that these can be explicitly constructed — this remark is certainly not new, at least for prime conductors [Sch10]. Under our simplifying assumption that \(\mathfrak B = \{\mathfrak p^\sigma \mid \sigma \in G\}\) generates \(\mathrm {Cl}_K\), and the additional assumption that the plus part of the class group \(\mathrm {Cl}_{K^+}\) is trivial, this approach allows one to solve the close multiple problem within a norm bound

$$\begin{aligned} \exp \left( {\widetilde{O}\left( n^{3/2}\right) }\right) . \end{aligned}$$
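The two ingredients discussed above, the \(\mathbb {Z}[G]\)-action and the map \(\kappa \) on one hand and the explicit short elements of the Stickelberger ideal on the other, made concrete in a small computation that is an added example, not code from the paper. It assumes a prime conductor m, identifies \(G\) with \((\mathbb {Z}/m\mathbb {Z})^\times \) via \(a \mapsto \sigma _a\), and uses the classical prime-conductor Stickelberger element \(\theta = \sum _a \frac{a}{m}\sigma _a^{-1} \in \mathbb {Q}[G]\), which the page does not write out; the multiples \((b - \sigma _b)\theta \) are computed both by group-ring multiplication and by the closed form \(\sum _a \lfloor ba/m\rfloor \sigma _a^{-1}\) (the two agree, which is the integrality check), and the differences \((b+1 - \sigma _{b+1})\theta - (b - \sigma _b)\theta \) are exhibited as elements of the ideal with all coefficients in \(\{0,1\}\), hence of Euclidean norm at most \(\sqrt{n}\). The function `kappa` is the map of the page for a single Galois orbit, and `act` checks that the lattice it produces is stable under the coordinate permutation induced by \(G\). Names such as `theta_b`, `short_element` and `kappa` are this example's own.

```python
# Added example (not the paper's code): the Stickelberger element of a prime
# conductor m and short elements of its ideal, in the group ring Q[G].
# G = Gal(K/Q) is identified with (Z/mZ)^*: the key a stands for sigma_a, and
# sigma_a * sigma_b = sigma_{ab mod m}.  A group-ring element is a dict
# {a: Fraction coefficient}.  Assumes m prime (the closed form of theta below
# is the prime-conductor one).
from fractions import Fraction
from math import gcd


def galois_group(m):
    """Exponents a representing sigma_a in G = (Z/mZ)^*, in a fixed order."""
    return [a for a in range(1, m) if gcd(a, m) == 1]


def gr_add(x, y):
    out = dict(x)
    for a, v in y.items():
        out[a] = out.get(a, Fraction(0)) + v
    return out


def gr_neg(x):
    return {a: -v for a, v in x.items()}


def gr_mul(x, y, m):
    """Convolution product in Q[G]: sigma_a * sigma_b = sigma_{ab mod m}."""
    out = {}
    for a, u in x.items():
        for b, v in y.items():
            k = (a * b) % m
            out[k] = out.get(k, Fraction(0)) + u * v
    return out


def sigma(a, m):
    return {a % m: Fraction(1)}


def stickelberger(m):
    """theta = sum_{a in (Z/mZ)^*} (a/m) * sigma_a^{-1}   (m prime)."""
    theta = {}
    for a in galois_group(m):
        inv = pow(a, -1, m)                      # sigma_a^{-1} = sigma_{a^{-1}}
        theta[inv] = theta.get(inv, Fraction(0)) + Fraction(a, m)
    return theta


def theta_b(b, m):
    """(b - sigma_b) * theta via group-ring arithmetic; lands in Z[G]."""
    theta = stickelberger(m)
    return gr_add(gr_mul({1: Fraction(b)}, theta, m),
                  gr_neg(gr_mul(sigma(b, m), theta, m)))


def theta_b_floor(b, m):
    """Closed form of the same element: sum_a floor(b*a/m) * sigma_a^{-1}."""
    return {pow(a, -1, m): Fraction((b * a) // m) for a in galois_group(m)}


def is_integral(x):
    return all(v.denominator == 1 for v in x.values())


def integer_coeffs(x):
    """Integer coefficients with zeros dropped; fails if x is not in Z[G]."""
    assert is_integral(x)
    return {a: int(v) for a, v in x.items() if v != 0}


def short_element(b, m):
    """w_b = theta_{b+1} - theta_b: every coefficient is 0 or 1, since
    floor((b+1)a/m) - floor(ba/m) is 0 or 1 when a < m.  Euclidean norm <= sqrt(n)."""
    return gr_add(theta_b(b + 1, m), gr_neg(theta_b(b, m)))


def kappa(s, m):
    """kappa: Z[G] -> Z^B for the orbit B = {p^sigma : sigma in G}: the
    exponent vector of p^s, coefficients listed in galois_group(m) order."""
    assert is_integral(s)
    return [int(s.get(a, 0)) for a in galois_group(m)]


def act(g, vec, m):
    """Action of sigma_g on Z^B: the coordinate of p^sigma moves to p^{g sigma}."""
    G = galois_group(m)
    out = [0] * len(G)
    for i, a in enumerate(G):
        out[G.index((g * a) % m)] = vec[i]
    return out


def l2_norm_sq(vec):
    return sum(v * v for v in vec)


if __name__ == "__main__":
    m = 11
    for b in range(2, m):                         # group-ring product == closed form
        assert integer_coeffs(theta_b(b, m)) == integer_coeffs(theta_b_floor(b, m))
    for b in range(1, m - 1):
        w = kappa(short_element(b, m), m)
        print("w_%d =" % b, w, " |w|^2 =", l2_norm_sq(w))
```

For m = 7 the element \((2 - \sigma _2)\theta \) comes out as \(\sigma _2 + \sigma _3 + \sigma _6\), and \(\kappa \) of it is the exponent vector \((0,1,1,0,0,1)\) of the principal ideal \(\mathfrak p^{\sigma _2}\mathfrak p^{\sigma _3}\mathfrak p^{\sigma _6}\); applying \(\sigma _3\) either before or after \(\kappa \) gives the same vector, which is the G-stability that makes a single Galois orbit a natural factor basis.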

Sufficient Conditions. In the result sketched above, we made two simplifying assumptions. We now sketch how those assumptions can be relaxed, and provide evidence for the relaxed assumptions. Those assumptions and their supporting evidence will be detailed in Sect. 2.3.

Triviality of \(\mathrm {Cl}_{K^+}\). One assumption was that the plus part \(\mathrm {Cl}_{K^+}\) of the class group is trivial. In fact, we can rather easily handle a non-trivial plus part as long as \(h^+_K = |\mathrm {Cl}_{K^+}| = \mathrm {poly}(n)\), using rapid-mixing properties of some Cayley graphs on \(\mathrm {Cl}_{K^+}\). And since \(h^+_K\) is the class number of a totally real number field, it is actually expected to be small. This assumption is already present in [CGS14, CDPR16], and is supported by numerical evidence ([Was12, p. 420, Table 4], computed by Schoof [Sch89]), and by arguments based on the Cohen-Lenstra heuristic [BPR04].

Knowledge of a \(\mathbb {Z}[G]\)-generator of \(\mathrm {Cl}^-_K\). The other assumption was that we know of a factor basis of \(\mathrm {Cl}^-_K\) of the form \(\mathfrak B = \{\mathfrak p^\sigma = \sigma (\mathfrak p) \mid \sigma \in G\}\) for a single ideal \(\mathfrak p\) of small norm \(N \mathfrak p = \mathrm {poly}(n)\). In other words, we know of a small-norm ideal \(\mathfrak p \subseteq \mathcal O_K\) such that \([\mathfrak p]\) is a \(\mathbb {Z}[G]\)-generator of \(\mathrm {Cl}^-_K\).

This assumption can also be relaxed. We may allow a few primes and their conjugates in the factor basis. Assuming one knows a factor basis \(\mathfrak B = \{\mathfrak p_i^\sigma \mid \sigma \in G, i = 1, \dots , d\}\) composed of d Galois orbits (with \(N \mathfrak p_i \le \mathrm {poly}(n)\)) that generates \(\mathrm {Cl}^-_K\), our approach leads to solving the close principal multiple problem within a norm bound

$$ \exp \left( {\widetilde{O}\left( d \cdot n^{3/2}\right) }\right) . $$

This leads to solving approximate Ideal-SVP with a better approximation factor than pure lattice reduction for any class of conductors \(m \in \mathbb {Z}\) whenever one can build a factor basis of size \(d = \tilde{O}(n^{a})\) for an \(a < 1/2\).

Therefore, the crux of the matter is how small a factor basis \(\mathfrak B\) can be built. The structure of the class group \(\mathrm {Cl}^-_K\) remains quite elusive, but it appears that it admits a very small minimum number of generators as a \(\mathbb {Z}[G]\)-module. Schoof [Sch98] computed that for all prime conductors \(m \le 509\), \(\mathrm {Cl}^-_K\) is \(\mathbb {Z}[G]\)-cyclic (i.e., it is generated by a single element as a \(\mathbb {Z}[G]\)-module). This property is sufficient to argue that one can efficiently find a small generating set and reach \(c = 1/2\), under the heuristic that classes of small random ideals behave similarly to uniformly random classes. Even if the minimal number of generators is not always 1 but still small, say \(O(n^{\epsilon })\) for some \(\epsilon > 0\), this heuristic allows one to reach \(c = 1/2 + \epsilon \).

2.3 Assumptions

Our main result is conditioned on two assumptions concerning the asymptotic structure of the class group, sketched above and stated below. Of course, if those statements were not to hold for all prime power conductors m, our result remains meaningful if both assumptions simultaneously hold for a common infinite class of conductors, such as \(\mathcal M_\ell = \{m = \ell ^e \mid e\ge 0\}\) for a fixed prime \(\ell \). We also note that the second assumption can be weakened from \(d = \mathrm {polylog}(n)\) to \(d = n^\epsilon \) for any \(\epsilon <1/2\) to reach a non-trivial approximation factor \(\gamma = \exp (\tilde{O}(n^{1/2+\epsilon }))\).

The Real Class Number. The first assumption concerns the size \(h_K^+\) of the class group of the real subfield \(K^+\), and is already used in [CGS14, CDPR16]. For any integer m, let \(h^+(m)\) be the class number of the maximal totally real subfield of the cyclotomic field of conductor m.

Assumption 1

For prime powers m, it holds that \(h^+(m) \le \mathrm {poly}(n)\).

The literature on \(h^+_K\) provides strong theoretical and computational evidence that it is indeed small enough. First, Buhler, Pomerance and Robertson [BPR04] formulate and argue in favor of the following conjecture, based on Cohen-Lenstra heuristics.

Conjecture 1

(Buhler, Pomerance, Robertson [BPR04]). For all but finitely many pairs \((\ell ,e)\), where \(\ell \) is a prime and e is a positive integer, we have \(h^+(\ell ^{e+1}) = h^+(\ell ^{e})\).

A stronger version for the case \(\ell =2\) was formulated by Weber.

Conjecture 2

(Weber’s Class Number Problem). For any e, \(h^+(2^e) = 1\).

A direct consequence of Conjecture 1 is that for fixed \(\ell \) and increasing e, \(h^+(\ell ^{e})\) is O(1), implying that Assumption 1 holds over the class \(\mathcal M_\ell \).

But even for increasing primes \(\ell \), \(h^+(\ell )\) itself is also small: Schoof [Sch03] computed all the values of \(h^+(\ell )\) for \(\ell < 10,000\) (correct under heuristics of Cohen-Lenstra type; Miller [Mil15] proved their correctness under GRH at least for the primes \(\ell \le 241\)). According to this table, for \(75.3\%\) of the primes \(\ell < 10,000\) we have \(h^+(\ell ) = 1\) (matching Schoof’s prediction of \(71.3\%\) derived from the Cohen-Lenstra heuristics). All the non-trivial values remain very small, as \(h^+(\ell ) \le \ell \) for \(99.75\%\) of the primes.

Constructing Small Factor Bases of \(\mathrm {Cl}^-_K\). This assumption is arguably new, and can be read as a strengthened version of a theorem of Bach [Bac90, Theorem 4] and its generalizations from [JMV09] and [JW15, Corollary 6.5].

Assumption 2

There are integers \(d \le \mathrm {polylog}(n)\) and \(B \le \mathrm {poly}(n)\) such that the following holds. Choose uniformly at random d prime ideals \(\mathfrak p_1, \dots , \mathfrak p_d\) among the finitely many ideals \(\mathfrak p\) satisfying \(N\mathfrak p \le B\) and \([\mathfrak p] \in \mathrm {Cl}^-_K\). Then, the factor basis \(\mathfrak B = \{\mathfrak p_i^\sigma \mid \sigma \in G, i = 1 \dots d\}\) generates \(\mathrm {Cl}^-_K\) with probability at least 1/2.

To argue for this assumption, we prove (Proposition 1) that if \(\mathrm {Cl}^-_K\) can be generated by r ideal classes, then \(r \cdot \mathrm {polylog}(n)\) many uniformly random classes in \(\mathrm {Cl}^-_K\) will generate it.

Proposition 1

Let K be a cyclotomic field of conductor m, with Galois group G and relative class group \(\mathrm {Cl}^-_K\). Let r be the minimal number of \(\mathbb {Z}[G]\)-generators of \(\mathrm {Cl}^-_K\). Let \(\alpha \ge 1\) be a parameter, and s be any integer such that

$$s \ge {r(\log _2\log _2 (h^-_K) + \alpha )} $$

(note that \(\log _2\log _2 (h^-_K) \sim \log _2(n)\)). Let \(g_1, \dots , g_s\) be s independent uniform elements of \(\mathrm {Cl}^-_K\). The probability that \(\{g_1, \dots , g_s\}\) generates \(\mathrm {Cl}^-_K\) as a \(\mathbb {Z}[G]\)-module is at least \(\exp \left( -{\frac{3}{2^{\alpha }}}\right) = 1-O(2^{-\alpha })\).

The proof is deferred to Appendix A.
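A numerical sanity check of the bound in Proposition 1, added here as an example that is not part of the paper, in the simplest situation the paper itself points to: a \(\mathbb {Z}\)-cyclic relative class group \(\mathrm {Cl}^-_K \simeq \mathbb {Z}/h\mathbb {Z}\), where \(r = 1\) and any \(\mathbb {Z}\)-generating set is in particular \(\mathbb {Z}[G]\)-generating. There the probability that s uniform elements generate is exactly \(\prod _{p \mid h}(1 - p^{-s})\), so the lower bound \(\exp (-3/2^{\alpha })\) at \(s = \lceil \log _2\log _2 h + \alpha \rceil \) can be compared with an exact value, and the origin of the \(\log _2\log _2\) term (h has at most \(\log _2 h\) prime factors, each contributing a failure probability at most \(2^{-s}\)) can be checked as a union bound. The class numbers h fed to the functions are constructed inputs, not values from the paper.

```python
# Added example (not the paper's code): Proposition 1 checked exactly for a
# Z-cyclic group Z/hZ (r = 1).  The values of h used are constructed inputs.
from fractions import Fraction
from math import ceil, exp, log2


def prime_factors(h):
    """Distinct prime divisors of h by trial division (h is small here)."""
    ps, p, x = [], 2, h
    while p * p <= x:
        if x % p == 0:
            ps.append(p)
            while x % p == 0:
                x //= p
        p += 1
    if x > 1:
        ps.append(x)
    return ps


def prob_generate_cyclic(h, s):
    """Exact probability that s independent uniform elements of Z/hZ generate
    it: they do iff for every prime p | h they are not all zero modulo p, and
    these events are independent over p by the Chinese remainder theorem."""
    pr = Fraction(1)
    for p in prime_factors(h):
        pr *= 1 - Fraction(1, p ** s)
    return pr


def proposition_1_s(h, alpha, r=1):
    """Smallest integer s allowed by Proposition 1: s >= r (log2 log2 h + alpha)."""
    return ceil(r * (log2(log2(h)) + alpha))


def bound_holds(h, alpha):
    """Exact probability at s = proposition_1_s(h, alpha) is >= exp(-3 / 2^alpha)."""
    s = proposition_1_s(h, alpha)
    return float(prob_generate_cyclic(h, s)) >= exp(-3 / 2 ** alpha)


def union_bound_holds(h, alpha):
    """The counting behind the log2 log2 term: at most log2(h) prime factors,
    each failing with probability p^-s <= 2^-s, so the failure probability
    is at most log2(h) * 2^-s <= 2^-alpha once s >= log2 log2 h + alpha."""
    s = proposition_1_s(h, alpha)
    return len(prime_factors(h)) * 2.0 ** (-s) <= 2.0 ** (-alpha)


if __name__ == "__main__":
    for h in (12, 30, 210, 2310):                 # constructed class numbers
        for alpha in (1, 2, 3):
            s = proposition_1_s(h, alpha)
            print("h=%5d alpha=%d s=%d  exact=%.4f  bound=%.4f" % (
                h, alpha, s, float(prob_generate_cyclic(h, s)), exp(-3 / 2 ** alpha)))
```

The exact probabilities sit well above the bound, which is expected: the bound in Proposition 1 has to cover arbitrary \(\mathbb {Z}[G]\)-module structures, and the cyclic case is the most favourable one.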

To justify Assumption 2, we first argue that it is reasonable to assume r to be as small as \( \mathrm {polylog}(n)\). For the case \(m = 2^e\), this can be argued by just looking at the values of \(h^-(2^e)\) computed up to \(e=9\) in [Was12, Table 3]. These values are square-free, so \(\mathrm {Cl}^-_K\) is \(\mathbb {Z}\)-cyclic and therefore \(\mathbb {Z}[G]\)-cyclic; in other words, \(r=1\). The case of prime conductors was also studied by Schoof [Sch98]: he proved that \(\mathrm {Cl}_K^-\) is \(\mathbb {Z}[G]\)-cyclic for every prime conductor \(m \le 509\); again, \(r = 1\).

While it is unclear that this cyclicity should be the typical behavior asymptotically, it seems reasonable to assume that r remains as small as \(\mathrm {polylog}(n)\), at least for a dense class of prime power conductors.

Once it is admitted that \(r \le \mathrm {polylog}(n)\), Assumption 2 simply assumes that Proposition 1 remains true when imposing that the random classes \(g_1 \dots g_s\) are chosen as the classes of random ideals of small norm, i.e. \(g_i = [\mathfrak p_i]\) where \(N\mathfrak p_i \le \mathrm {poly}(n)\). This restriction on the norms seems reasonable considering that it has been proven that prime ideals of norm \(\mathrm {poly}(n)\) are sufficient to generate \(\mathrm {Cl}^-_K\), assuming GRH and Assumption 1 (see [JW15, Corollary 6.5]).

3 Quantum Algorithms for Class Groups

Searching for a principal multiple of the ideal \(\mathfrak a\) in \(\mathcal O_K\) requires performing computations in the class group efficiently. Classically, problems related to class group computations remain difficult, and the best known classical algorithms run in sub-exponential time (for example, see [BF14, BEF+17]). Yet, building on the recent advances on quantum algorithms for the Hidden Subgroup Problem in large dimensions [EHKS14], Biasse and Song [BS16] introduced a quantum algorithm to perform S-unit group computations. This yields class group computations, and a solution to the principal ideal problem (PIP), in quantum polynomial time.

The Biasse-Song [BS16] algorithm for S-unit group computation also solves the class group discrete logarithm problem: given a basis \(\mathfrak B\) of ideals generating a subgroup of the class group \(\mathrm {Cl}_K\) containing the class of \(\mathfrak a\), express the class of \(\mathfrak a\) as a product of ideals in \(\mathfrak B\). Below, we give a formal statement, and in Appendix B we provide a proof for completeness.

Proposition 2

([BS16]). Let \(\mathfrak B\) be a set of prime ideals generating a subgroup H of \(\mathrm {Cl}_K\). There exists a quantum algorithm \(\mathrm {Cl}\!{\text {DL}}_\mathfrak B\) which, when given as input any ideal \(\mathfrak a\) in \(\mathcal O_K\) such that \([\mathfrak a] \in H\), outputs a vector \(\mathbf y \in \mathbb {Z}^\mathfrak B\) such that \(\prod \mathfrak p^{y_\mathfrak p} \sim \mathfrak a\), and runs in polynomial time in \(n = \deg (K)\), \(\max _{\mathfrak p \in \mathfrak B}\log (N\mathfrak p)\), \(\log (N\mathfrak a)\), and \(|\mathfrak B|\).

4 Close Multiple in the Relative Class Group

Let \(K^+ = \mathbb {Q}(\omega _m + \omega _m^{-1})\) denote the maximal real subfield of \(K\), and \(\mathrm {Cl}_{K^+}\) the class group of \(K^+\). The relative norm map \(N_{K/K^+}: \mathrm {Cl}_K~\rightarrow ~\mathrm {Cl}_{K^+}\) on ideal classes (which sends the class of \(\mathfrak a\) to the class of \(\mathfrak a\mathfrak a^\tau \), where \(\tau \) is the complex conjugation) is a surjection, and its kernel is the relative class group \(\mathrm {Cl}^-_K\). In particular, it induces the isomorphism \(\mathrm {Cl}_{K^+}\cong \mathrm {Cl}_K / \mathrm {Cl}^-_K\).

The core of the method to find a close principal multiple of an ideal \(\mathfrak a\) works within the relative class group \(\mathrm {Cl}^-_K \subset \mathrm {Cl}_K\). Therefore, as a first step, we need to “send” the ideal \(\mathfrak a \in \mathrm {Cl}_K\) into this subgroup. More precisely, we want an integral ideal \(\mathfrak b\) of small norm such that \(\mathfrak a \mathfrak b \in \mathrm {Cl}^-_K\); the rest of the method then works with \(\mathfrak a \mathfrak b\). Let \(h_K = |\mathrm {Cl}_K|\) be the class number of K, and \(h^-_K = |\mathrm {Cl}^-_K|\) its relative class number. The difficulty of this step is directly related to the index of \(\mathrm {Cl}^-_K\) inside \(\mathrm {Cl}_K\), which is the real class number \(h^+_K = |\mathrm {Cl}_{K^+}|\) of \(K^+\), and is expected to be very small.

4.1 Random Walks to the Relative Class Group

For any \(x > 0\), consider the set \(\mathcal S_x\) of ideals in \(\mathcal O_{K}\) of prime norm at most x, and let \(S_x\) be the multiset of its image in \(\mathrm {Cl}_K\). Let \(\mathscr {G}_x\) denote the induced Cayley (multi)graph \(\mathrm {Cay}(\mathrm {Cl}_K,S_x)\). From [JW15, Corollary 6.5] (under GRH), for any \(\varepsilon >0\) there is a constant C and a bound

$$ B = O\left( (n\log \varDelta _{K})^{2+\varepsilon }\right) = O\left( (n^2\log n)^{2+\varepsilon }\right) $$

such that any random walk in \(\mathscr {G}_B\) of length at least \(C\log (h_K)/\log \log (\varDelta _{K})\), for any starting point, lands in the subgroup \(\mathrm {Cl}^-_K\) with probability at least \(1/(2h^+_K)\).

A random walk of length \(\ell = \lceil C\log (h_K)/\log \log (\varDelta _{K})\rceil = \tilde{O}(n)\) is a sequence \(\mathfrak p_1,\ldots , \mathfrak p_\ell \) of ideals chosen independently, uniformly at random in \(\mathcal S_B\), and their product \(\mathfrak b = \prod \mathfrak p_i\) has a norm bounded by

$$\begin{aligned} N\mathfrak b = \prod _{i = 1}^\ell N\mathfrak p_i \le B^\ell = \exp (\mathrm {polylog}(n) \cdot {\tilde{O}(\log {h_K})}) = \exp ({\tilde{O}(n)}). \end{aligned}$$

If \([\mathfrak a]\) is the starting point of the random walk in the graph, the endpoint \([\mathfrak a\mathfrak b]\) falls in \(\mathrm {Cl}^-_K\) with probability at least \(1/(2h^+_K)\), and therefore an ideal \(\mathfrak b\) such that \([\mathfrak a \mathfrak b] \in \mathrm {Cl}^-_K\) can be found in probabilistic polynomial time in \(h^+_K\). Note that the PIP algorithm of Biasse and Song [BS16] makes it possible to test the membership \([\mathfrak a\mathfrak b] \in \mathrm {Cl}^-_K\), simply by testing the principality of \(N_{K/K^+}(\mathfrak a\mathfrak b)\) as an ideal of \(\mathcal O_{K^+}\).

The procedure is summarized as Algorithm 1, and its efficiency is stated below. Under GRH and Assumption 1, this procedure runs in polynomial time.

Lemma 1

(Under GRH). Algorithm 1 (\(\textsc {WalkTo}\mathrm {Cl}^-(\mathfrak a)\)) runs in expected time \(O(h^+_K) \cdot \mathrm {poly}(n, \log N \mathfrak a)\) and is correct.

[Figure: Algorithm 1, \(\textsc {WalkTo}\mathrm {Cl}^-(\mathfrak a)\), given as an image in the original.]

5 Short Relations in \(\mathrm {Cl}^-_K\) via the Stickelberger Ideal

Consider any ideal \(\mathfrak f\) of \(\mathcal O_K\) such that \([\mathfrak f]\in \mathrm {Cl}^-_K\), and its orbit under the action of the Galois group G, denoted \(\mathfrak F = G(\mathfrak f)\). Let R be the group ring \(\mathbb {Z}[G]\). It projects to \(\mathbb {Z}^{\mathfrak F}\), via the map sending \(\sigma \) to \(\mathbf 1_{\mathfrak f^\sigma }\).

We now show the construction of an explicit full-rank lattice of class relations in \(\mathbb {Z}^{\mathfrak F}\) with an explicit set of short generators. We proceed by augmenting the Stickelberger ideal. This allows to reduce the representation of a given class expressed in basis \(\mathfrak F\), as shown in Subsect. 5.3.

Recall that the Galois group G is canonically isomorphic to \((\mathbb {Z}/m\mathbb {Z})^*\) via \(a \mapsto \sigma _a = \zeta _m \mapsto \zeta ^a_m\). The norms \(\Vert \cdot \Vert \) and \(\Vert \cdot \Vert _1\) denote the usual \(\ell _2\) (Euclidean) and \(\ell _1\) norms over \(\mathbb {R}^n\), and are defined over \(\mathbb {Z}[G]\) via the natural isomorphism \(\mathbb {Z}[G] \cong _{\mathbb {Z}} \mathbb {Z}^n\).

The fractional part of a rational \(x \in \mathbb {Q}\) is denoted \(\{x\}\), it is defined as the unique rational in the interval [0, 1) such that \(\{x\} = x \mod \mathbb {Z}\); equivalently, \(\{x\} = x - \lfloor x \rfloor \).

5.1 The (augmented) Stickelberger Ideal

Definition 1

(The Stickelberger ideal). The Stickelberger element \(\theta \in \mathbb {Q}[G]\) is defined as

$$\begin{aligned} \theta = \sum _{a \in (\mathbb {Z}/m\mathbb {Z})^*} \left\{ \frac{a}{m} \right\} \sigma _a^{-1}. \end{aligned}$$

The Stickelberger ideal is defined as \(S = R \cap \theta R\). We will refer to the Stickelberger lattice when S is considered as a \(\mathbb {Z}\)-module.

This ideal \(S \subset R\) will provide some class relations in \(\mathbb {Z}^{\mathfrak F}\), thanks to the following theorem.

Theorem 1

(Stickelberger’s theorem [Was12, Theorem 6.10]). The Stickelberger ideal annihilates the ideal class group of \(K\). In other words, for any ideal \(\mathfrak h\) of \(\mathcal O_K\) and any \(s \in S\), the ideal \(\mathfrak h^s\) is principal.

We cannot directly use \(S \subset R\) as our lattice of class relations since it does not have full rank in R as a \(\mathbb {Z}\)-module (precisely, its \(\mathbb {Z}\)-rank is \(n/2 + 1\) when \(m\ge 2\)). Indeed, if the lattice is not full rank, there can be no guarantee of how short a representative will be obtained by reducing modulo the lattice. To solve this issue, we will augment the Stickelberger ideal to a full-rank ideal which still annihilates the minus part \(\mathrm {Cl}^-_K\) of the class group.

Definition 2

The augmented Stickelberger ideal \(S'\) is defined as

$$\begin{aligned} S'= S + (1+\tau ) R. \end{aligned} \qquad (2)$$

We will refer to the augmented Stickelberger lattice when \(S'\) is considered as a \(\mathbb {Z}\)-module.

Lemma 2

The augmented Stickelberger ideal \(S'\) annihilates \(\mathrm {Cl}^-_K\). In other words, for any ideal \(\mathfrak h\) of \(\mathcal O_K\) such that \([\mathfrak h] \in \mathrm {Cl}^-_K\) and any \(s \in S'\), the ideal \(\mathfrak h^s\) is principal. Moreover, \(S'\subset R\) has full rank n as a \(\mathbb {Z}\)-module.

Proof

For the annihilation property it suffices to show that both S and \((1+\tau )R\) annihilate \(\mathrm {Cl}^-_K\). By Stickelberger’s theorem S annihilates \(\mathrm {Cl}_K\), so in particular it annihilates the subgroup \(\mathrm {Cl}^-_K \subset \mathrm {Cl}_K\). The ideal \((1+\tau )R\) also annihilates \(\mathrm {Cl}^-_K\) since \(\mathfrak h^{1+\tau } = \mathfrak h \bar{\mathfrak h} = N_{K/K^+} (\mathfrak h)\). We conclude from the fact that \(\mathrm {Cl}^-_K\) is exactly the kernel of the norm map \(N_{K/K^+}: \mathrm {Cl}_K \rightarrow \mathrm {Cl}_{K^+}\).

For the rank, consider the ideal \(S^- = S \cap (1-\tau ) R\). A theorem from Iwasawa (originally published in [Sin80] but reformulated more conveniently in [Was12, Theorem 6.19]) states that \(S^-\) is full rank in \((1-\tau ) R\). Noting that \(2R \subset (1-\tau ) R + (1 + \tau )R\), we conclude that \(S^- + (1+\tau )R \) has full rank in 2R, and so does \(S'\).    \(\square \)

5.2 Short Generating Vectors of the Augmented Stickelberger Lattice

In the following, the elements of \((\mathbb {Z}/m\mathbb {Z})^*\) are canonically identified with the positive integers \(0< a_1< a_2< \dots< a_{n} < m\) such that each \(a_i\) is coprime to m. The elements of G are indexed as \((\sigma _{a_1}, \dots ,\sigma _{a_{n}})\). Define the extra element \(a_{n+1} = m + a_1\), and note that \(a_2 \le 3\) and that \(a_{i+1} - a_i \le 2\) for any i.

Lemma 3

The Stickelberger lattice is generated by the vectors \(v_i = (a_i - \sigma _{a_i}) \theta \) for \(i \in \{2, \dots , n+1\}\).

Proof

This is almost [Was12, Lemma 6.9]. There, S is considered as an ideal in R, whereas we need these elements to generate S as a \(\mathbb {Z}\)-module. Let L be the \(\mathbb {Z}\)-module generated by the \(v_i\)’s. First, [Was12, Lemma 6.9] immediately implies that \(v_i \in S\) and thereby \(L \subseteq S\). Now, let \(\left( \sum _{i = 2}^{n+1} x_i \sigma _{a_i}\right) \theta \) be an arbitrary element of S, with \(x_i \in \mathbb Z\). One can prove as in [Was12, Lemma 6.9] that m divides \(\sum _{i = 2}^{n+1} x_i a_i \in \mathbb {Z}\). Since \(m = (m+1)-\sigma _{m+1}\), \(m\theta \) is in L, and we deduce that \(\left( \sum _{i = 2}^{n+1} x_i a_i\right) \theta \) is also in L. Therefore,

$$ \left( \sum _{i = 2}^{n+1} x_i \sigma _{a_i}\right) \theta = \left( \sum _{i = 2}^{n+1} x_i (\sigma _{a_i} - a_i)\right) \theta + \left( \sum _{i = 2}^{n+1} x_i a_i\right) \theta \in L. $$

This proves that \(S \subseteq L\), hence \(L = S\).    \(\square \)

We are now ready to construct our set of short generators for \(S'\). Let \(w_2 = v_2\) and \(w_{i+1} = v_{i+1} - v_i\) for \(i \in \{2, \dots , n\}\), and let

$$\begin{aligned} W = \{w_{2}, \dots , w_{n+1}\} \cup \{ (1+\tau )\sigma , \sigma \in G \}. \end{aligned}$$

Lemma 4

The set W is a set of short generators of \(S'\). More precisely,

  1. W generates the augmented Stickelberger lattice \(S'\),

  2. For any \(i\in \{3 \dots n+1\}\), \(w_{i} = \sum _{b \in (\mathbb {Z}/m\mathbb {Z})^*} \epsilon _{i,b} \cdot \sigma _{b}^{-1}\), with \(\epsilon _{i,b} \in \{0,1,2\}\),

  3. For any \(w \in W\), we have \(\Vert w\Vert \le \max (2 \sqrt{n},\sqrt{10})\).

The second item essentially generalizes [Sch10, Proposition 9.4] from prime conductors to prime-power conductors.

Proof

We prove each item individually.

  1. First note that \(\{w_{2}, \dots , w_{n+1}\}\) generates S: this is a direct consequence of Lemma 3 and the construction of W. By definition of \(R = \mathbb {Z}[G]\), the set \(\{ (1+\tau )\sigma , \sigma \in G \}\) generates \((1+\tau ) R\). One can conclude from the definition of \(S'= S + (1+\tau ) R\).

  2. We follow the computation in the proof of [Was12, Lemma 6.9]:

    $$\begin{aligned} v_i = (a_i - \sigma _{a_i})\theta&= \sum _{b \in (\mathbb {Z}/m\mathbb {Z})^*} \left( a_i \left\{ \frac{b}{m}\right\} - \left\{ \frac{a_ib}{m}\right\} \right) \sigma _b^{-1}\\&= \sum _{b \in (\mathbb {Z}/m\mathbb {Z})^*} \left\lfloor a_i \left\{ \frac{b}{m}\right\} \right\rfloor \sigma _b^{-1} \end{aligned}$$

    using the identity \(x\{y\} - \{xy\} = \lfloor x\{y\} \rfloor \) for any integer x and real number y, since this difference is an integer and the term \(\{xy\}\) is in the range [0, 1). It remains to rewrite \(w_i = \sum _{b \in (\mathbb {Z}/m\mathbb {Z})^*} \epsilon _{i,b} \sigma _b^{-1}\), where

    $$\begin{aligned} \epsilon _{i,b} = \left\lfloor a_{i+1} \left\{ \frac{b}{m}\right\} \right\rfloor - \left\lfloor a_i \left\{ \frac{b}{m}\right\} \right\rfloor \le a_{i+1} - a_i \le 2. \end{aligned}$$

  3. The property follows from the previous item for any \(i>2\). For \(i = 2\), we have \(w_2 = v_2 = a_2 - \sigma _{a_2}\), and therefore \(\Vert w_2\Vert = \sqrt{a_2^2 +1} \le \sqrt{3^2 + 1} = \sqrt{10}\). Finally, elements \(w \in W\) of the form \((1+\tau ) \sigma \) have norm \(\Vert w\Vert = \sqrt{2} \le \sqrt{10}\).     \(\square \)
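As an added, runnable illustration (not code from the paper), the following Python builds \(\theta \) for a prime-power conductor m, computes the generators W of Lemma 4 by the group-ring computation of item 2, and checks items 2 and 3 together with the \(\mathbb {Z}\)-ranks of S and \(S'\) from Lemma 2. The dictionary encoding of \(\mathbb {Q}[G]\) (keyed by the index b of \(\sigma _b^{-1}\)) and the exact rank routine are our own conventions.

```python
from fractions import Fraction
from math import gcd, sqrt

def units(m):
    """0 < a_1 < ... < a_n < m coprime to m: representatives of (Z/mZ)^*."""
    return [a for a in range(1, m) if gcd(a, m) == 1]

def stickelberger_element(m):
    """theta = sum_a {a/m} sigma_a^{-1}, stored as {b: coefficient of sigma_b^{-1}}."""
    return {b: Fraction(b, m) for b in units(m)}

def times_sigma(a, elem, m):
    """Left-multiply elem by sigma_a: sigma_a sigma_b^{-1} = sigma_c^{-1} with c = b a^{-1}."""
    a_inv = pow(a, -1, m)
    return {(b * a_inv) % m: coeff for b, coeff in elem.items()}

def scale_minus_sigma(a, elem, m):
    """(a - sigma_a) * elem in Q[G]; the coefficient at sigma_b^{-1} is a{b/m} - {ab/m}."""
    shifted = times_sigma(a, elem, m)
    return {b: a * elem[b] - shifted[b] for b in elem}

def short_generators(m):
    """Integer coefficient vectors (indexed by units(m)) of W = {w_2..w_{n+1}} u {(1+tau) sigma}."""
    us, theta = units(m), stickelberger_element(m)
    n = len(us)
    a = [None] + us + [m + us[0]]          # a[i] = a_i for i = 1..n+1, with a_{n+1} = m + a_1
    v = {i: scale_minus_sigma(a[i], theta, m) for i in range(2, n + 2)}
    ws = [v[2]] + [{b: v[i + 1][b] - v[i][b] for b in us} for i in range(2, n + 1)]
    for w in ws:                           # [Was12, Lemma 6.9]: (c - sigma_c) theta lies in R = Z[G]
        assert all(c.denominator == 1 for c in w.values())
    vecs = [[int(w[b]) for b in us] for w in ws]
    for c in us:                           # (1 + tau) sigma_c = sigma_c + sigma_{-c}, tau = sigma_{-1}
        row = [0] * n                      # sigma_c equals sigma_b^{-1} for b = c^{-1} mod m
        row[us.index(pow(c, -1, m))] = 1
        row[us.index((-pow(c, -1, m)) % m)] = 1
        vecs.append(row)
    return vecs

def rank_over_q(rows):
    """Rank over Q of integer vectors (exact Gaussian elimination with Fractions)."""
    mat = [[Fraction(x) for x in r] for r in rows]
    rk = 0
    for col in range(len(mat[0])):
        piv = next((r for r in range(rk, len(mat)) if mat[r][col] != 0), None)
        if piv is None:
            continue
        mat[rk], mat[piv] = mat[piv], mat[rk]
        for r in range(len(mat)):
            if r != rk and mat[r][col] != 0:
                f = mat[r][col] / mat[rk][col]
                mat[r] = [x - f * y for x, y in zip(mat[r], mat[rk])]
        rk += 1
    return rk

def check_lemma4(m):
    """Check Lemma 4 (2),(3) for prime-power m; return (rank S, rank S', max ||w||)."""
    us = units(m)
    n = len(us)
    vecs = short_generators(m)
    w_s = vecs[:n]                         # w_2..w_{n+1} generate S (Lemma 3)
    for w in w_s[1:]:                      # item 2: for i >= 3 the coefficients eps_{i,b} lie in {0,1,2}
        assert set(w) <= {0, 1, 2}
    max_norm = max(sqrt(sum(c * c for c in w)) for w in vecs)
    assert max_norm <= max(2 * sqrt(n), sqrt(10))   # item 3
    return rank_over_q(w_s), rank_over_q(vecs), max_norm

if __name__ == "__main__":
    for m in (5, 7, 27, 32, 49):           # prime-power conductors, as in the paper's setting
        print(m, check_lemma4(m))
```

The returned ranks are n/2 + 1 for S and n for \(S'\), which is the rank statement of Lemma 2 that motivates the augmentation.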

5.3 Reducing a Class Representative in an R-cycle of \(\mathrm {Cl}^-_K\)

We now show how to exploit the previously constructed set W of short relations to reduce class representations. More precisely, for any large \(\alpha \in R\) we will find a short \(\beta \in R\) such that \(C^\beta = C^\alpha \), for any class \(C \in \mathrm {Cl}^-_K\). We shall rely on the following close vector algorithm.

Proposition 3

(Close vector algorithm). Let \(\varGamma \subset \mathbb {R}^k\) be a lattice, and let W be a set generating \(\varGamma \). There exists a (classical) polynomial time algorithm \({\text {CV}}\), that when given any \(y \in \varGamma \otimes \mathbb {R}\) as input, outputs a vector \(x = {\text {CV}}(y,W) \in \varGamma \) such that \(\Vert x - y\Vert _1 \le \frac{k}{2} \cdot \max _{w \in W}\Vert w\Vert \).

Proof

First, let \(B \subset W\) be a basis of a full-rank sublattice \(\varGamma ' \subset \varGamma \) (this is easily built in polynomial time). Let \(\tilde{B}\) denote the Gram-Schmidt orthogonalization of B. Let \(g = \max _{b \in \tilde{B}} \Vert \tilde{b}\Vert \le \max _{b \in B}\Vert b\Vert \le \max _{w \in W}\Vert w\Vert \). Applying the Nearest Plane algorithm leads to \( x \in \varGamma \) such that \(x-y\) belongs to the fundamental parallelepiped \(\{\tilde{B} z, z \in [-1/2,1/2]^k\}\). We then have

$$\begin{aligned} \Vert x-y \Vert ^2_2 \le \frac{1}{4} \sum \Vert \tilde{b}_i\Vert ^2. \end{aligned}$$

In particular, \(\Vert x-y \Vert _2 \le \sqrt{k} \cdot g / 2\) and one concludes \(\Vert x-y \Vert _1 \le k g /2\).    \(\square \)

Theorem 2

Assume \(n \ge 3\). There is an algorithm \(\textsc {Reduce}\), that given \(\alpha \in R\), finds in polynomial time in n and \(\log (||\alpha ||)\), an element \(\beta = \textsc {Reduce}(\alpha ) \in R\) such that \(||\beta ||_1 \le n^{3/2}\), and \(C^\alpha = C^\beta \) for any \(C \in \mathrm {Cl}^-_K\).

Proof

Let W be the basis for the augmented Stickelberger ideal \(S'\) as in Lemma 4. From Lemma 2, it has full rank in R. So the close vector algorithm from Proposition 3 can be applied to find an element \(\gamma = {\text {CV}}(\alpha ,W) \in S'\) such that \(||\alpha - \gamma ||_1 \le \frac{n}{2} \cdot \max _{w \in W}\Vert w\Vert \le n^{3/2}\). Let \(\beta = \alpha - \gamma \). For any \(C \in \mathrm {Cl}^-_K\), Lemma 2 implies that \(C^\gamma = 0\) and therefore \(C^\alpha = C^\beta \).    \(\square \)

6 Close Principal Multiple Within the Relative Class Group

We now show how to solve the CPM problem for ideals sitting in \(\mathrm {Cl}^-_K\), given a factor basis \(\mathfrak B\) of \(\mathrm {Cl}^-_K\). The CPM approximation factor will depend on the size of the factor basis \(\mathfrak B\).

Suppose the ideal \(\mathfrak a\) is in the relative class group \(\mathrm {Cl}^-_K\). We are looking for an integral ideal \(\mathfrak b\) in \(\mathcal O_K\) of small norm such that \(\mathfrak a \mathfrak b\) is principal. Let \(\mathfrak B = \{\mathfrak p_i^\sigma \mid \sigma \in G, i=1, \dots ,d \}\) be a set generating \(\mathrm {Cl}^-_K\), composed of d Galois orbits, such that \(N \mathfrak p_i \le \mathrm {poly}(n)\) for all i. To state the algorithm and its correctness, no assumption is made on the factor basis \(\mathfrak B\). In the final Sect. 7, we will employ Assumption 2 to provide a factor basis with \(d=\mathrm {polylog}(n)\) to this algorithm.

[Figure: Algorithm 2, \(\textsc {ClosePrincipalMultiple}^-\), given as an image in the original.]

Theorem 3

Algorithm 2, \(\textsc {ClosePrincipalMultiple}^-\), runs in quantum polynomial time in \(n = \deg (K)\), d and \(\log (N\mathfrak a)\), and is correct.

Proof

Let \(\mathfrak a, \mathfrak B\) be proper inputs, that is, \(\mathfrak a\) is an ideal of \(\mathcal O_K\) such that \([\mathfrak a] \in \mathrm {Cl}^-_K\), and \(\mathfrak B\) is a factor basis \(\mathfrak B = \{\mathfrak p_i^\sigma \mid i=1 \dots d, \sigma \in G \}\) generating \(\mathrm {Cl}^-_K\), such that \(N \mathfrak p_i \le \mathrm {poly}(n)\) for all i.

The running time follows immediately from Proposition 2 and Theorem 2. Let us now prove the correctness. We have

$$ \phi (\mathbf y) = \prod _{\mathfrak p \in \mathfrak B}\mathfrak p^{y_{\mathfrak p}} = \prod _{i = 1}^d \prod _{\mathfrak p \in \mathfrak B_i} \mathfrak p^{y_{\mathfrak p}} = \prod _{i = 1}^d \prod _{\sigma \in G_i} (\mathfrak p_i^\sigma )^{y_{(\mathfrak p_i^\sigma )}} = \prod _{i = 1}^d \mathfrak p_i^{\alpha _i}. $$

Observe that for each i, \(\mathfrak b_i \sim \mathfrak p_i^{-\beta _i}\), since \(\mathfrak p_i^{-1} \sim \mathfrak p_i^{\tau }\). From Theorem 2, we obtain \(\mathfrak p_i^{\alpha _i} \mathfrak b_i \sim \mathcal O_K\), which implies that \(\phi (\mathbf y) \mathfrak b \sim \prod _{i = 1}^d \mathfrak p_i^{\alpha _i} \mathfrak b_i \sim \mathcal O_K.\) From Proposition 2, we have \(\phi (\mathbf y) \sim \mathfrak a\), and therefore \(\mathfrak a \mathfrak b \sim \mathcal O_K\).

Now, Theorem 2 ensures that \(||\beta ||_1 \le n^{3/2}\). So \(\Vert \gamma _i^+\Vert _1 + \Vert \gamma _i^-\Vert _1\) is bounded by \(n^{3/2}\) and we obtain that \(N\mathfrak b_i \le (N\mathfrak p_i)^{n^{3/2}}\). Then,

$$ N\mathfrak b = \prod _{i=1}^d N\mathfrak b_i \le \left( \max _{i=1 \dots d} N\mathfrak p_i\right) ^{dn^{3/2}} = \exp \left( \tilde{O}\big (d n^{3/2}\big )\right) , $$

where the last inequality uses the fact that each \(N\mathfrak p_i\) is polynomially bounded in n.    \(\square \)

7 Main Result

We now have all the ingredients to demonstrate our main result:

Main Result

(Under GRH, Assumptions 1 and 2). Assuming simultaneously the Generalized Riemann Hypothesis, Assumption 1, and Assumption 2, there exists a quantum polynomial time algorithm \(\textsc {IdealSVP}(\mathfrak a)\), that given an ideal of \(\mathcal O_K\) for K a cyclotomic number field of prime power conductor, returns an element \(v \in \mathfrak a\) of Euclidean norm \(\Vert v\Vert \le (N \mathfrak a)^{1/n} \cdot \exp (\tilde{O}(\sqrt{n}))\).

[Figure: Algorithm 3, \(\textsc {IdealSVP}(\mathfrak a)\), given as an image in the original.]

Proof

The algorithm is given as Algorithm 3. Efficiency and correctness follow from the previous statements and assumptions:

  • Step 2 is quantum polynomial time since membership in \(\mathrm {Cl}^-_K\) can be tested by applying the Biasse-Song PIP algorithm [BS16, Theorem 1.3] to \(N_{K/K^+}(\mathfrak a\mathfrak b)\).

  • By Assumption 2, Steps 3 and 4 produce a factor basis \(\mathfrak B\) generating \(\mathrm {Cl}^-_K\). Both steps can trivially be performed in polynomial time.

  • By Lemma 1, GRH and Assumption 1, Step 5 is quantum polynomial time, and produces an integral ideal \(\mathfrak b'\) such that \(N \mathfrak b' \le \exp (\tilde{O}(n))\) and \([\mathfrak a \mathfrak b'] \in \mathrm {Cl}^-_K\).

  • By Theorem 3, Step 6 produces (in quantum polynomial time) an integral ideal \(\mathfrak b\) such that

    $$\begin{aligned} N \mathfrak b \le \exp (\tilde{O}(dn^{3/2})) = \exp (\tilde{O}(n^{3/2})) \end{aligned}$$

    and such that \(\mathfrak a \mathfrak b \mathfrak b'\) is principal.

  • By Claim 1 ([CGS14, BS16, CDPR16]), Step 7 produces in quantum polynomial time a vector \(v \in \mathfrak a \mathfrak b \mathfrak b'\) of length \(\Vert v\Vert \le (N \mathfrak a\mathfrak b \mathfrak b')^{1/n} \cdot \exp (\tilde{O}(\sqrt{n}))\).

Because \(\mathfrak b\) and \(\mathfrak b'\) are integral, \(\mathfrak a \mathfrak b \mathfrak b' \subset \mathfrak a\), and \(v \in \mathfrak a\). Finally,

$$\begin{aligned} \Vert v\Vert&\le (N \mathfrak a)^{1/n} (N\mathfrak b)^{1/n} (N \mathfrak b')^{1/n} \cdot \exp (\tilde{O}(\sqrt{n})) \\&\le (N \mathfrak a)^{1/n} \cdot \exp (\tilde{O}(\sqrt{n})). \end{aligned}$$

\(\square \)