An L(1/3) algorithm for ideal class group and regulator computation in certain number fields
We analyse the complexity of the computation of the class group structure, regulator, and a system of fundamental units of a certain class of number fields. Our approach differs from Buchmann's, who proved a complexity bound of L(1/2,O(1)) when the d…
Authors: Jean-Franc{c}ois Biasse (LIX, INRIA Bordeaux - Sud-Ouest)
Abstract. We analyse the complexity of the computation of the class group structure, regulator, and a system of fundamental units of a certain class of number fields. Our approach differs from Buchmann's, who proved a complexity bound of $L(1/2, O(1))$ when the discriminant tends to infinity with fixed degree. We achieve a subexponential complexity in $O(L(1/3, O(1)))$ when both the discriminant and the degree of the extension tend to infinity by using techniques due to Enge and Gaudry in the context of algebraic curves over finite fields.

1. Introduction

Let $K = \mathbb{Q}(\theta)$ be a number field of degree $n$ and discriminant $\Delta$. The ideal class group of its maximal order $\mathcal{O}_K$ is a finite abelian group that can be decomposed as
$$\mathrm{Cl}(\mathcal{O}_K) = \bigoplus_i \mathbb{Z}/d_i\mathbb{Z}, \quad \text{with } d_i \mid d_{i+1}.$$
Computing the structure of $\mathrm{Cl}(\mathcal{O}_K)$, along with the regulator and a system of fundamental units of $\mathcal{O}_K$, is a major task in computational number theory. In addition, many algorithms solving the discrete logarithm problem are based on the group structure computation.

In 1968, Shanks [12, 13] proposed an algorithm relying on the baby-step giant-step method to compute the structure of the ideal class group and the regulator of a quadratic number field in time $O(|\Delta|^{1/4+\epsilon})$, or $O(|\Delta|^{1/5+\epsilon})$ under the extended Riemann hypothesis [10]. Then, a subexponential strategy for the computation of the group structure of the class group of an imaginary quadratic extension was described in 1989 by Hafner and McCurley [9]. The expected running time of this method is
$$L_\Delta(1/2, \sqrt{2} + o(1)) = e^{(\sqrt{2} + o(1))\sqrt{\log|\Delta|\,\log\log|\Delta|}}.$$
Buchmann [2] generalized this result to the case of an arbitrary extension, the complexity being valid for fixed degree $n$ and $\Delta$ tending to infinity.
Enge [5] used this technique in the context of discrete logarithm computations in the Jacobian of hyperelliptic curves, and developed with Gaudry [6] an algorithm for computing the group structure of the Jacobian and solving the discrete logarithm problem for a certain class of curves in time
$$L_{q^g}(1/3, O(1)) = e^{O(1)\left(\log(q^g)^{1/3}\,\log\log(q^g)^{2/3}\right)}.$$
In this paper, we adapt the $L(1/3)$ algorithm of Enge and Gaudry to the computation of the group structure of the ideal class group, the regulator, and a system of fundamental units of $\mathcal{O}_K$. We deal with the case where both the discriminant and the degree of the extension grow to infinity in certain proportions, whereas in [2] the degree is assumed to be fixed.

2000 Mathematics Subject Classification. Primary 54C40, 14E20; Secondary 46E25, 20C20.
Key words and phrases. Number fields, ideal class group, regulator, units, index calculus, subexponentiality.
The author was supported by a DGA grant.

2. Main idea

We consider a number field $K = \mathbb{Q}(\theta)$ of discriminant $\Delta$ which can be written as
$$K = \mathbb{Q}[X]/T(X), \quad \text{with } T(X) = t_n X^n + t_{n-1}X^{n-1} + \dots + t_0 \in \mathbb{Z}[X],$$
and $n := [K : \mathbb{Q}]$. Let $d$ be a bound on the bit size of the coefficients of $T$: $d := \max_i\{\log(t_i)\}$. In addition, we require that
$$n \le n_0 \log(|\Delta|)^{\alpha}(1 + o(1)), \qquad (1)$$
$$d \le d_0 \log(|\Delta|)^{1-\alpha}(1 + o(1)), \qquad (2)$$
for some $\alpha \in [1/3, 2/3]$, and some constants $n_0$ and $d_0$. We define $\kappa := n_0 d_0$. We also denote by $r_1$ the number of real places, by $r_2$ the number of complex places, and we define $r := r_1 + r_2 - 1$. Our algorithm computes the group structure of $\mathrm{Cl}(\mathbb{Z}[\theta])$, its regulator, and a system of fundamental units of $\mathbb{Z}[\theta]$, in expected time lying in
$$O\left(L_{\mathrm{Disc}(T)}(1/3, O(1))\right).$$
In the case of number fields satisfying $\mathbb{Z}[\theta] = \mathcal{O}_K$ and the above restrictions, we compute the group structure of $\mathrm{Cl}(\mathcal{O}_K)$, $R$, and a system of fundamental units, in expected time $L_\Delta(1/3, O(1))$. From now on, we assume that $K$ satisfies (1), (2), and $\mathbb{Z}[\theta] = \mathcal{O}_K$.

Example. Let $\Delta \in \mathbb{Z}$, and $K_{n,K}$ be an extension of $\mathbb{Q}$ defined by an irreducible polynomial of the form $T(X) = X^n - K$, with
$$\log K = \left\lfloor \log(|\Delta|)^{1-\alpha} \right\rfloor, \qquad n = \left\lfloor \log(|\Delta|)^{\alpha} \right\rfloor,$$
for some $\alpha \in [1/3, 2/3]$. Then $\mathcal{O}_{K_{n,K}}$ has discriminant satisfying
$$\log(\mathrm{Disc}(\mathcal{O}_{K_{n,K}})) = \log(n^n K^{n-1}) = \log(|\Delta|)(1 + o(1)).$$
If in addition we require that $n$ and $K$ be the largest prime numbers below their respective bounds such that $n^2 \nmid K^{n-1} - 1$, then we meet the last restriction $\mathbb{Z}[\theta] = \mathcal{O}_{K_{n,K}}$.

We proceed by analogy with the approach of [6] in the context of algebraic curves, where the authors examined curves of the form
$$C : Y^n + X^d + f(X, Y),$$
such that any monomial $X^iY^j$ occurring in $f$ satisfies $ni + dj < nd$. The genus $g$ is assumed to tend to infinity and $n \approx g^{\alpha}$, $d \approx g^{1-\alpha}$. The idea in [6] is to look for functions $\phi(X, Y) \in \mathbb{F}_q[X, Y]$ satisfying
$$\deg_Y \phi \approx g^{\alpha - 1/3} \quad \text{and} \quad \deg_X \phi \approx g^{2/3 - \alpha},$$
with $N(\phi)$ splitting into polynomials of degree bounded by $B = \log(L(1/3, \rho))$ for some number $\rho$ determined in the complexity analysis. Each time such a decomposition occurs, the ideal $(\phi)$ is necessarily a product of primes belonging to the set $\mathcal{B}$ of the prime ideals of degree bounded by $B$:
$$(\phi) = \prod_{\mathfrak{p}_i \in \mathcal{B}} \mathfrak{p}_i^{e_i}.$$
Such a decomposition of a principal ideal is called a relation. In the following, we will also call the vector $(e_i)$ itself a relation. Every time we find a relation, we add the row vector $(e_i)$ to a matrix $M \in \mathbb{Z}^{m \times N}$ called the relation matrix, where $N := |\mathcal{B}|$, and $m \ge k$ is the number of relations collected.
A linear algebra step is performed on this matrix. It consists in computing its Smith Normal Form, that is to say integers $d_1, \dots, d_N$, with $d_N \mid d_{N-1} \mid \dots \mid d_1$, such that there exist two unimodular matrices $U \in \mathbb{Z}^{m \times m}$ and $V \in \mathbb{Z}^{N \times N}$ satisfying
$$M = U \begin{pmatrix} d_1 & & (0) \\ & \ddots & \\ (0) & & d_k \\ & (0) & \end{pmatrix} V.$$
The SNF of $M$ provides us with the group structure of the Jacobian of the curve $C$. Indeed, if $L_{\mathbb{Z}}$ is the lattice spanned by all the possible relations, and if $J$ denotes the Jacobian of $C$, then we have $J \simeq \mathbb{Z}^N / L_{\mathbb{Z}}$. Provided $m$ is large enough to ensure that the rows of $M$ generate $L_{\mathbb{Z}}$, we have
$$J \simeq \bigoplus_i \mathbb{Z}/d_i\mathbb{Z}.$$
In our context, we need the group structure of $\mathrm{Cl}(\mathcal{O}_K)$, along with the regulator $R$, and a system of fundamental units of $\mathcal{O}_K$. The computation of the group structure of $\mathrm{Cl}(\mathcal{O}_K)$ is done using methods similar to those used for the computation of the structure of $J$. We look for relations of the form
$$(\phi) = \prod_i \mathfrak{p}_i^{e_i},$$
where $\phi \in K$, and where the $\mathfrak{p}_i$ are prime ideals of norm bounded by $L(1/3, \rho)$. Every time we find such a relation, we add the row vector $(e_i)_{i \le N}$ to the relation matrix denoted by $M_{\mathbb{Z}} \in \mathbb{Z}^{m \times N}$. To continue the analogy with [6], we require that $\phi$ be of the form $\phi = A(\theta)$, where $A \in \mathbb{Z}[X]$ is of degree $k$. During the analysis, we will provide bounds on $k$ and on the coefficients of $A$ that delimit the search space. Provided the rows of $M_{\mathbb{Z}}$ generate the lattice $L_{\mathbb{Z}}$ of all the possible row vectors $(e_i)_{i \le N} \in \mathbb{Z}^N$ representing a relation, we have
$$\mathrm{Cl}(\mathcal{O}_K) \simeq \mathbb{Z}^N / L_{\mathbb{Z}} \simeq \bigoplus_{i \le N} \mathbb{Z}/d_i\mathbb{Z},$$
where the $d_i$ are the diagonal coefficients of the SNF of $M_{\mathbb{Z}}$. The main difference with the context of algebraic curves is the computation of $R$ and of a system of fundamental units. The group of units of $\mathcal{O}_K$ is of the form
$$U(K) \simeq \mu(K) \times \mathbb{Z}^r,$$
where $\mu(K)$ is the multiplicative group of the roots of unity in $\mathcal{O}_K$.
A system of fundamental units $(\gamma_i)$, $i \le r$, is a set of elements of $K$ satisfying
$$U(K) \simeq \mu(K) \times \langle \gamma_1 \rangle \times \dots \times \langle \gamma_r \rangle.$$
Once such a system is found, we use the logarithm map
$$\mathrm{Log} : K \longrightarrow \mathbb{R}^{r+1}, \quad \phi \longmapsto (\log|\phi|_1, \dots, \log|\phi|_{r+1}),$$
where the $|\cdot|_j$ are the archimedean valuations on $K$, to construct a matrix $A \in \mathbb{R}^{r \times (r+1)}$ whose rows are the vectors $\mathrm{Log}(\phi_i)$, for $i \le r$. The regulator is defined as the determinant of any $r \times r$ minor of $A$. To construct $A$ and a system of fundamental units, we augment the row vectors by columns containing the archimedean valuations, and add the row
$$(e_1, \dots, e_k, \log|\phi|_1, \dots, \log|\phi|_{r+1}) \in \mathbb{Z}^N \times \mathbb{R}^{r+1}$$
to a relation matrix $M$ whenever a relation $(\phi) = \prod_i \mathfrak{p}_i^{e_i}$ is found. A linear algebra step performed on $M$ provides us with the group structure, the regulator, and a system of fundamental units. It is described in detail in § 4.

3. The relation matrix

Let $\rho$ be a constant to be determined later, and $B$ a smoothness bound satisfying $B = \lceil L_\Delta(1/3, \rho) \rceil$. We define the factor base $\mathcal{B}$ as the set of all non-inert prime ideals of norm bounded by $B$. This factor base has cardinality
$$N := |\mathcal{B}| = L(1/3, \rho + o(1)).$$
In the following, we will need to test the smoothness of principal ideals of the form $(\phi)$, where $\phi = A(\theta)$ with $A \in \mathbb{Z}[X]$. We will use the well-known result that is proved in [4], Lemma 3.3.4:

Lemma 1. The norm of $\phi$ satisfies $N(\phi) = \mathrm{Res}(T(X), A(X))$, where $\mathrm{Res}$ denotes the resultant.

Computing $N(\phi)$ for $\phi \in K$ allows us to decide whether $\phi$ is a product of prime ideals $\mathfrak{p} \in \mathcal{B}$. Indeed, it suffices to check if $N(\phi) \in \mathbb{Z}$ is $B$-smooth, which can be done by trial division or the ECM method in polynomial time.
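The relation search of this section carried out on a small instance, as an added example that is not code from the paper: it enumerates polynomials $A$ of bounded degree and coefficient size, computes $N(A(\theta))$ as the resultant of Lemma 1 (Sylvester determinant, exact integer arithmetic) and keeps the $B$-smooth norms. It assumes $T$ monic, uses the family $T(X) = X^n - K$ with the constructed values $n = 3$, $K = 2$, and factors the rational integer $N(\phi)$ over rational primes $\le B$ rather than over prime ideals, which decides smoothness but not which prime above $p$ occurs.

```python
# Added example (not from the paper): relation search for phi = A(theta), theta a root of T,
# using Lemma 1, N(phi) = Res(T, A), followed by a B-smoothness test on N(phi).
# Assumptions: T monic with integer coefficients (the paper's family X^n - K); the rational
# integer N(phi) is factored over rational primes <= B, standing in for the prime-ideal
# factor base, so an exponent row here is the factorization of the norm only.
import itertools


def det_int(m):
    """Exact determinant of an integer matrix (Bareiss fraction-free elimination)."""
    n = len(m)
    a = [row[:] for row in m]
    sign, prev = 1, 1
    for k in range(n - 1):
        if a[k][k] == 0:
            for i in range(k + 1, n):
                if a[i][k] != 0:
                    a[k], a[i] = a[i], a[k]
                    sign = -sign
                    break
            else:
                return 0
        for i in range(k + 1, n):
            for j in range(k + 1, n):
                a[i][j] = (a[i][j] * a[k][k] - a[i][k] * a[k][j]) // prev
        prev = a[k][k]
    return sign * a[n - 1][n - 1]


def resultant(t, a):
    """Res(T, A) as the Sylvester determinant; coefficient lists are highest degree first.
    For monic T this equals prod_i A(sigma_i(theta)) = N(A(theta)), i.e. Lemma 1."""
    n, k = len(t) - 1, len(a) - 1
    size = n + k
    rows = [[0] * i + t + [0] * (size - n - 1 - i) for i in range(k)]
    rows += [[0] * i + a + [0] * (size - k - 1 - i) for i in range(n)]
    return det_int(rows)


def primes_up_to(bound):
    """Rational primes <= bound by sieve (the smoothness bound B of section 3)."""
    sieve = [True] * (bound + 1)
    out = []
    for p in range(2, bound + 1):
        if sieve[p]:
            out.append(p)
            for q in range(p * p, bound + 1, p):
                sieve[q] = False
    return out


def smooth_exponents(value, primes):
    """Exponent vector of |value| over `primes` if it is smooth, else None (trial division)."""
    v = abs(value)
    if v == 0:
        return None
    exps = []
    for p in primes:
        e = 0
        while v % p == 0:
            v //= p
            e += 1
        exps.append(e)
    return exps if v == 1 else None


def collect_relations(t, k_max, coeff_bound, smooth_bound):
    """Enumerate A in Z[X] with deg A <= k_max and |coefficients| <= coeff_bound (the search
    space delimited in section 3) and keep those with B-smooth norm.
    Returns a list of (coefficients of A, N(A(theta)), exponent vector)."""
    primes = primes_up_to(smooth_bound)
    relations = []
    for deg in range(1, k_max + 1):
        for coeffs in itertools.product(range(-coeff_bound, coeff_bound + 1), repeat=deg + 1):
            if coeffs[0] == 0:
                continue  # leading coefficient zero: lower degree, already enumerated
            norm = resultant(t, list(coeffs))
            exps = smooth_exponents(norm, primes)
            if exps is not None:
                relations.append((list(coeffs), norm, exps))
    return relations


if __name__ == "__main__":
    # Constructed instance of the paper's family T(X) = X^n - K with n = 3, K = 2.
    T = [1, 0, 0, -2]
    for coeffs, norm, exps in collect_relations(T, k_max=2, coeff_bound=2, smooth_bound=7):
        tag = "unit (norm +-1, all-zero relation)" if norm in (1, -1) else "relation"
        print(f"A = {coeffs}: N(A(theta)) = {norm}, exponents over [2,3,5,7] = {exps} ({tag})")
```

Rows with norm $\pm 1$ are the all-zero relations of the paper's § 4: their $\phi$ is a unit (for this $T$, $\theta - 1$ is one of them).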
We assume that the coefficients $a_i$ of the polynomial $A$ have their logarithm bounded by an integer $a$, and that there exist two constants $\delta$ and $\nu$ to be determined later such that
$$a \le \delta\,\frac{\kappa \log|\Delta|}{n\,(\log|\Delta|/M)^{1/3}}, \qquad (3)$$
$$k \le \nu\,\frac{n}{(\log|\Delta|/M)^{1/3}}, \qquad (4)$$
with $M := \log\log|\Delta|$. Using Lemma 1 and Hadamard's inequality, we deduce an upper bound on $\log N(\phi)$:
$$\log N(\phi) \le na + dk + n\log k + k\log n \qquad (5)$$
$$\le \kappa \log(|\Delta|)^{2/3} M^{1/3}(\delta + \nu + o(1)). \qquad (6)$$
In the following, we will also need a bound on the real coefficients $\log|\phi|_i$ occurring in the relation matrix. By the following proposition, we derive a bound on the $\log|\theta|_i$ from the imposed bounds on the coefficients of $T$:

Proposition 2. Let $\sigma_i$ be the $n$ complex embeddings of $K$ such that we have $T = \prod_i (X - \sigma_i(\theta))$; then the $\sigma_i(\theta)$ satisfy
$$\log(|\theta|_i) = \log(|\sigma_i(\theta)|) = O\left(\log(|\Delta|)^{1-\alpha}\right).$$

Proof. Landau-Mignotte's theorem [11] states that if $D \mid T$ with $\deg D = m$, then the coefficients $d_j$ of $D$ satisfy
$$|d_j| \le 2^{m-1}(|T| + t_n),$$
where $|T|$ is the Euclidean norm of the vector of the coefficients of $T$. Applying this to $D = X - \sigma_i(\theta)$ and $m = 1$ allows us to obtain
$$\log(|\theta|_i) \le \log(|T| + t_n) \in O\left(\log(|\Delta|)^{1-\alpha}\right).$$

Corollary 3. With $\phi = A(\theta)$, and $a$ and $k$ respectively bounded by (3) and (4), we have
$$\log|\phi|_i \le O\left(\log(|\Delta|)^{2/3} M^{1/3}\right).$$

To compute the probability for $\phi$ to be $B$-smooth, we have to make the following assumption:

Heuristic 4. We assume that $N(\phi)$ behaves like a random number whose logarithm satisfies
$$\log(N(\phi)) \le \iota := \kappa \log(|\Delta|)^{2/3} M^{1/3}(\delta + \nu + o(1)),$$
and whose distribution is given by the $\psi$ function of [3].
Consequently, computing the probability for a given $(\phi)$ to be $B$-smooth boils down to computing the probability for a number whose logarithm is bounded by $\iota$ to be smooth with respect to prime numbers with logarithm bounded by
$$\mu := \left\lceil \rho \log(|\Delta|)^{1/3} M^{2/3} \right\rceil.$$
Using [3], and carrying out the same computation as in the proof of Theorem 1 of [6], one readily shows the following result on the probability of finding a relation:

Proposition 5. Let
$$\iota = \lfloor \log L(\zeta, c) \rfloor = \left\lfloor c \log(|\Delta|)^{\zeta} M^{1-\zeta} \right\rfloor, \qquad \mu = \lceil \log L(\beta, d) \rceil = \left\lceil d \log(|\Delta|)^{\beta} M^{1-\beta} \right\rceil;$$
then we have
$$\frac{\psi(\iota, \mu)}{e^{\iota}} \ge L\left(\zeta - \beta, -\frac{c}{d}(\zeta - \beta) + o(1)\right),$$
where $\psi(\iota, \mu)$ denotes the cardinality of the set of integers $x$ such that $\log x \le \iota$ and $x$ is smooth with respect to the set of prime numbers $p$ such that $\log p \le \mu$.

4. The linear algebra phase

In this section, we start with an overview of the linear algebra phase, then we address its complexity in § 4.1 and § 4.2. We denote by $M$ the relation matrix whose rows lie in $\mathbb{Z}^N \times \mathbb{R}^{r+1}$, and by $M_{\mathbb{Z}}$ and $M_{\mathbb{R}}$ the matrices formed respectively by the first $N$ and the last $r+1$ columns of $M$. $M$ thus has the following shape:
$$M = \begin{pmatrix} M_{\mathbb{Z}} & M_{\mathbb{R}} \end{pmatrix}.$$
To make sure we generate the full lattice of relations, we make the following assumption:

Heuristic 6. We assume that there is a constant $K_1$ such that collecting $N + K_1 r$ relations allows us to generate the full lattice of relations.

In the following, we assume that Heuristic 6 is satisfied. If this is not the case (which can be tested easily, as we will see at the end of this section), we start all over again and construct another relation matrix. $M_{\mathbb{R}}$ contains rational approximations of the $\log|\phi_i|_j$ for $i \le N + K_1 r$ and $j \le r + 1$; the discussion of approximation issues when we add or multiply two real numbers is postponed to § 5.
As the rows of $M$ are assumed to generate the full lattice of relations, the determinant of the lattice $L_{\mathbb{Z}}$ spanned by the rows of $M_{\mathbb{Z}}$ gives us the class number $h(\mathcal{O}_K)$, and its Smith Normal Form $\mathrm{diag}(d_1, \dots, d_N)$ gives us the decomposition
$$\mathrm{Cl}(\mathcal{O}_K) \simeq \mathbb{Z}^N / L_{\mathbb{Z}} \simeq \bigoplus_i \mathbb{Z}/d_i\mathbb{Z}.$$
On the other hand, we need to construct $r$ relations of the form
$$(0, \dots, 0, \log|\gamma|_1, \dots, \log|\gamma|_{r+1}),$$
along with the corresponding values of $\gamma$ (which are necessarily units), such that these relations generate the lattice $L_{\mathbb{R}}$ of relations whose integer part contains only zero coefficients. To do this, we compute separately the Hermite Normal Form of $M_{\mathbb{Z}}$ and a basis $(u_j)_{j \le l}$ with $l \le K_1 r$ of the kernel of $M_{\mathbb{Z}}$. Then, we apply the $u_j$ to $M_{\mathbb{R}}$, thus obtaining a matrix $A_{\mathbb{R}} \in \mathbb{R}^{l \times (r+1)}$ whose rows correspond to the archimedean valuations of units $(\beta_j)_{j \le l}$. More details on this part of the algorithm are given in § 4.1. To compute the regulator $R$, we need to find $r$ combinations of rows of $A_{\mathbb{R}}$, along with the corresponding units $(\gamma_i)_{i \le r}$, that span the lattice of units $L_{\mathbb{R}}$. This procedure is described in § 4.2.

At the end of the linear algebra phase, we have to check a posteriori that $N + K_1 r$ relations were enough to generate $L_{\mathbb{Z}}$ and $L_{\mathbb{R}}$. The analytic class number formula provides a number $h^*$ computable in polynomial time satisfying
$$h^* \le h(\mathcal{O}_K)\,R < 2h^*.$$
Before going into more details on the linear algebra phase, we recall the main steps of this process:

Algorithm 1 Linear algebra phase
Input: $M$
Output: $h(\mathcal{O}_K)$, the structure of $\mathrm{Cl}(\mathcal{O}_K)$, $R$, and a system of fundamental units
1: Compute the HNF of $M_{\mathbb{Z}}$.
2: Compute the SNF of $M_{\mathbb{Z}}$ and deduce $h(\mathcal{O}_K)$ and the group structure of $\mathrm{Cl}(\mathcal{O}_K)$.
3: Compute a basis $(u_j)_{j \le l}$ of $\ker M_{\mathbb{Z}}$ and deduce $A_{\mathbb{R}}$.
4: Find $r$ independent relations generating $L_{\mathbb{R}}$ along with the corresponding units.
5: Compute the determinant $R$ of $L_{\mathbb{R}}$.
6: Compute $h^*$ and check if $h^* \le h(\mathcal{O}_K)\,R < 2h^*$. If not, create another $M$ and go back to step one.

Notation 7. In the following, $r^X_i$ denotes the row number $i$ of the matrix $X$.

4.1. Hermite and kernel basis computation. To obtain the matrix $A_{\mathbb{R}}$, we apply the kernel basis computation algorithm described in [8] to the rectangular matrix $M_{\mathbb{Z}}$. It provides $l \le K_1 r$ vectors $u_j$ in $\mathbb{Z}^{N + K_1 r}$ representing linear dependencies between the rows of $M_{\mathbb{Z}}$. Applying those linear combinations to the rows of $M$ yields $l$ relations with zero coefficients on the first $N$ coordinates. We denote by $L_{\mathbb{R}}$ the lattice of the relations having only zeros on their first $N$ coordinates. As we assume Heuristic 6, these $l$ relations generate $L_{\mathbb{R}}$. The last $r+1$ coordinates of each of the $l$ relations created this way are added as a row vector to the matrix $A_{\mathbb{R}}$. In addition, for every $u_j$ of the form
$$u_j = \left(u_j^{(1)}, \dots, u_j^{(N + K_1 r)}\right),$$
and for all $j \le l$, the value $\beta_j = \prod_i \phi_i^{u_j^{(i)}}$ is the unit corresponding to the row
$$r^{A_{\mathbb{R}}}_j = \sum_i u_j^{(i)}\, r^{M}_i.$$
As we will see in § 6, the coefficients $u_j^{(i)}$ are too large to allow us to compute $\prod_i \phi_i^{u_j^{(i)}}$ directly in subexponential time. We thus give the units $\beta_j$ in compact representation, that is to say by storing the $u_j$. It is proved in [14] that the computation of the $u_j$ takes
$$O\left(l^2 N^3 (\log N + \log|M_{\mathbb{Z}}|)\right),$$
where $|M_{\mathbb{Z}}| = \max_{i,j}\left\{|M^{\mathbb{Z}}_{i,j}|\right\}$. We need a bound on $|M_{\mathbb{Z}}|$ to express this complexity in terms of the size of the input:

Proposition 8. $|M_{\mathbb{Z}}|$ satisfies
$$|M_{\mathbb{Z}}| = O\left((\log|\Delta|)^{2/3} (\log\log|\Delta|)^{1/3}\right).$$

Proof.
We restricted ourselves to $\phi$ satisfying
$$\log(N(\phi)) \le \kappa (\log|\Delta|)^{2/3} (\log\log|\Delta|)^{1/3}(\delta + \nu + o(1)).$$
If $N(\phi) = \prod_i N(\mathfrak{p}_i)^{e_i}$, then we clearly see that the vector $(e_i)$ having the largest coefficient under the previous constraint is the one where $e_1$ is maximal and all the others are set to zero, provided we set $\mathfrak{p}_1$ to the prime ideal of smallest norm. In that case, $e_1$ satisfies
$$e_1 = O\left((\log|\Delta|)^{2/3} (\log\log|\Delta|)^{1/3}\right).$$

Corollary 9. The complexity of the computation of the kernel basis of $M_{\mathbb{Z}}$ is bounded by $O(L(1/3, 3\rho + o(1)))$.

We use the HNF algorithm described in [8]. Its bit complexity is bounded by
$$O\left(l N^3 (\log N + \log|M_{\mathbb{Z}}|)^3 + N^5 (\log N + \log|M_{\mathbb{Z}}|)^2\right).$$
This allows us to determine explicitly the expected time taken by the computation of the HNF and of the kernel basis of $M_{\mathbb{Z}}$ with respect to the size of the entries:

Proposition 10. The computation of the HNF and of the kernel basis of $M_{\mathbb{Z}}$ has bit complexity bounded by $O(L(1/3, 5\rho + o(1)))$.

In the following, we will need bounds on $|u_j|$ and on $|A_{\mathbb{R}}|$. Direct application of the methods used in [8] leads to the following result:

Lemma 11. $|u_j|$ and $|A_{\mathbb{R}}|$ satisfy
$$\log|u_j| = O(L(1/3, \rho + o(1))), \qquad \log|A_{\mathbb{R}}| = O(L(1/3, \rho + o(1))).$$

4.2. The computation of $R$ and of the system of fundamental units. To compute the regulator and a system of fundamental units, we have to find a set of $r$ row vectors that span $L_{\mathbb{R}}$. To do that, we take successive $r \times r$ determinants from submatrices extracted from $A_{\mathbb{R}}$, and we perform some elementary operations on the rows of $A_{\mathbb{R}}$. This procedure is described in Algorithm 2, which was first introduced in [4], Algorithm 6.5.7. It makes use of the real GCD algorithm, which is also presented in [4], Algorithm 5.9.3.
Given two multiples of the regulator $aR$ and $bR$, where $a$ and $b$ are integers, the real GCD algorithm outputs $dR$, where $d$ is the GCD of $a$ and $b$, under the assumption that $R > 0.2$. Algorithm 2 also calls the pre-computation step described in Algorithm 3. This step, not presented in [4], is essential to ensure the validity of Algorithm 2.

Algorithm 2 Computation of the regulator and a system of fundamental units
Input: $A_{\mathbb{R}}$ and the corresponding units $\beta_i$
Output: $R$ and a system of fundamental units
  $R_1 \leftarrow 0$
  $i \leftarrow r - 2$
  Find $r$ linearly independent rows using Algorithm 3
  while $i < l$ do
    Let $A$ be the matrix obtained by extracting any $r$ columns and rows $i - r + 2$ to $i$ from $A_{\mathbb{R}}$.
    $R_2 \leftarrow \det A$
    Using the real GCD algorithm, compute $u$, $v$, $R_3$ such that $uR_1 + vR_2 = R_3$
    $R_1 \leftarrow R_3$
    $\gamma_i \leftarrow \beta_i^{v} \times \beta_{i-r+1}^{(-1)^r u}$
    $i \leftarrow i + 1$
  end while
  $R \leftarrow R_1$

Algorithm 3 Search for $r$ independent rows
Input: $A_{\mathbb{R}}$
Output: A permutation of the rows of $A_{\mathbb{R}}$ such that the first $r$ are independent
  $A_1 \leftarrow r^{A_{\mathbb{R}}}_1$
  $i \leftarrow 1$
  for $i = 2$ to $r$ do
    $m \leftarrow i$
    $ret \leftarrow 0$
    while $ret = 0$ do
      $A_i \leftarrow \begin{pmatrix} A_{i-1} \\ r^{A_{\mathbb{R}}}_m \end{pmatrix}$
      if $\det(A_i^t A_i) = 0$ then
        $m \leftarrow m + 1$
      else
        Swap $r^{A_{\mathbb{R}}}_i$ and $r^{A_{\mathbb{R}}}_m$
        $ret \leftarrow 1$
      end if
    end while
  end for

The main loop of Algorithm 2 ensures that the sub-lattice $L'_{\mathbb{R}}$ of $L_{\mathbb{R}}$ corresponding to the $\gamma_l$, for $i - (r-1) \le l \le i$, has determinant $R_3$. Indeed, $L'_{\mathbb{R}}$ is the sum of two sub-lattices of $L_{\mathbb{R}}$ differing by a single element. The sign $(-1)^r$ is the signature of the permutation that is performed before this addition to make sure that $uR_1 + vR_2 = R_3$ holds by multilinearity of the determinant. The precomputation done with Algorithm 3 ensures that the first determinant computed is not null, which is essential for the completeness of Algorithm 2. Whenever $\det(A_i^t A_i) \ne 0$, we have $i$ linearly independent rows.
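The real GCD step that Algorithm 2 folds successive determinants through, as an added worked example (not code from the paper): it is written as the standard extended Euclidean algorithm on two approximate multiples $aR$, $bR$ of a real $R > 0.1$, treating remainders below $0.1$ as zero, and it keeps the integer combination $uR_1 + vR_2 = R_3$ that the unit bookkeeping needs. Fractions rounded to $2^{-q}$ play the role of the fixed-point approximations of § 5; the regulator value and the multiples are constructed.

```python
# Added example (not from the paper): the real GCD used in Algorithm 2, as extended Euclid on
# approximate multiples of a real R > 0.1, with remainders below 0.1 treated as zero.
# Fractions rounded to multiples of 2^-q stand in for the fixed-point approximations of
# section 5. R and the multiples below are constructed sample values.
from fractions import Fraction

EPS = Fraction(1, 10)  # termination threshold: a remainder below 0.1 is taken to be zero


def fixed_point(x, q):
    """Round a rational x to a multiple of 2^-q: a rational approximation of precision q."""
    scale = 2 ** q
    return Fraction(round(x * scale), scale)


def real_gcd(r1, r2):
    """Extended Euclid on approximations r1 ~ aR, r2 ~ bR.
    Returns (r3, u, v) with u*r1 + v*r2 == r3 exactly in the arithmetic used and r3 ~ gcd(a, b)*R.
    (u0, v0) always express the current r1, (u1, v1) the current r2, in terms of the inputs."""
    u0, v0, u1, v1 = 1, 0, 0, 1
    while r2 > EPS:
        q = r1 // r2  # floor of the quotient; near an integer this is where the +-1 risk sits
        r1, r2 = r2, r1 - q * r2
        u0, u1 = u1, u0 - q * u1
        v0, v1 = v1, v0 - q * v1
    return r1, u0, v0


def regulator_from_multiples(multiples):
    """Main loop of Algorithm 2 restricted to the regulator value: fold each new determinant
    R_2 (an approximate multiple of R) into the running R_1 with the real GCD.
    Also returns the integer combination of the inputs that produces the final value,
    which is the information Algorithm 2 uses to assemble the units gamma_i."""
    r1 = multiples[0]
    combo = [1] + [0] * (len(multiples) - 1)
    for idx in range(1, len(multiples)):
        r3, u, v = real_gcd(r1, multiples[idx])
        combo = [u * c for c in combo]  # r3 = u*r1 + v*multiples[idx], and r1 = sum(combo*m)
        combo[idx] += v
        r1 = r3
    return r1, combo


if __name__ == "__main__":
    R = Fraction(7, 10)                         # constructed "regulator", R > 0.1
    q = 40                                      # constructed working precision in bits
    dets = [fixed_point(a * R, q) for a in (6, 4, 9)]  # approximate determinants 6R, 4R, 9R
    reg, combo = regulator_from_multiples(dets)
    print("recovered", float(reg), "true", float(R), "combination", combo)
```

Because gcd(6, 4, 9) = 1, the loop recovers $R$ itself; with inputs sharing a common factor $d$ it would return $dR$, exactly as the paper describes for Algorithm 4.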
We postpone the computation of the complexity of Algorithms 2 and 3 to § 5, where we calculate the precision we have to take for the rational approximations of the logarithms. In § 5, we also ensure that this precision is accurate enough to enable us to decide whether $\det(A_i^t A_i) = 0$ or not. Algorithm 4 describes the real GCD computation. Its presentation and correctness can be found in [4].

Algorithm 4 Real GCD algorithm
Input: $R_1 = aR$ and $R_2 = bR$ with $R > 0.1$, $R_1 > R_2$ and $a, b \in \mathbb{Z}$
Output: $R_3 = dR$ and $u, v \in \mathbb{Z}$ such that $uR_1 + vR_2 = R_3$
  $u_0 \leftarrow 1$, $v_0 \leftarrow 0$
  $u_1 \leftarrow 0$, $v_1 \leftarrow 1$
  while $R_2 > 0.1$ do
    $q \leftarrow \lfloor R_1/R_2 \rfloor$, $r \leftarrow R_1 - R_2\lfloor R_1/R_2 \rfloor$
    $u_1 \leftarrow u_0 - q u_1$
    $v_1 \leftarrow v_0 - q v_1$
    $R_1 \leftarrow R_2$
    $R_2 \leftarrow r$
  end while
  $R_3 \leftarrow R_1$
  $u \leftarrow u_1$, $v \leftarrow v_1$

5. Approximation issues

The matrix $M_{\mathbb{R}}$ contains fixed-point rational approximations $\hat{x}_{ij}$ of the logarithms of the units $x_{ij} := \log|\phi_i|_j$. In this section, we discuss the precision of the computation of the regulator. In the following, we count the precision in bits. For example, we say that $\hat{x}$ is a rational approximation of $x \in \mathbb{R}$ with precision $q$ if $|\hat{x} - x| < 2^{-q}$. Let $q_0$ be the precision of the matrix $M_{\mathbb{R}}$. We have, for $i \le N + K_1 r$ and $j \le r + 1$,
$$\hat{x}_{ij} = \sum_{k = -q_0}^{\lceil \log|x_{ij}| \rceil} 2^k a^{ij}_k,$$
where the $a^{ij}_k$ are the coefficients of the expansion of $x_{ij}$ as $\sum_{k=-\infty}^{\infty} 2^k a^{ij}_k$. Before establishing the list of the steps where we might lose precision, we recall the following result that we will use to estimate the loss of precision whenever we add or multiply rational approximations:

Lemma 12. Let $\hat{x}$ and $\hat{y}$ be rational approximations of precision $q_1$ of respectively $x$ and $y$, and $u \in \mathbb{Z}$ such that $\lceil \log_2 u \rceil = q_2 < q_1$; then:
• $\hat{x} + \hat{y}$ is a rational approximation of $x + y$ of precision $q_1 - 1$.
• $u\hat{x}$ is a rational approximation of $ux$ of precision $q_1 - q_2$.
• $\hat{x}\hat{y}$ is an approximation of $xy$ of precision $q_1 - \max\{\log_2|x|, \log_2|y|\}$.

$q_0$ is the precision taken for the approximation of the $\log|\phi_i|_j$. We set its value to $q_0 := L(1/3, 3\rho)$.

The computation of the approximate value of each $\log|\phi_i|_j$ for $i \le N + K_1 r$ and $j \le r + 1$ takes $O(\mathrm{M}(q_0)\log q_0) \in O(L(1/3, 3\rho + o(1)))$ bit operations [1]. As we have to perform this computation $(r+1)(N + K_1 r) \in O(L(1/3, \rho + o(1)))$ times, the time taken for the creation of $M_{\mathbb{R}}$ is bounded by $O(L(1/3, 3\rho + o(1)))$.

Now, let us proceed with the enumeration of the steps in the algorithm that deteriorate the precision. The first source of error is the computation of the coefficients of the matrix $A_{\mathbb{R}}$. Indeed, it contains rational approximations of
$$\sum_{i=1}^{N + K_1 r} u_j^{(i)} \log|\phi_i|_j, \quad \text{for } j = 1, \dots, l.$$
The loss of precision is due to the multiplications by the $u_j^{(i)}$ and to the $N + K_1 r$ additions. We deduce from Lemma 11 the following proposition that gives us the loss of precision occurring in the computation of the coefficients of $A_{\mathbb{R}}$ with respect to the original precision taken during the construction of $M$:

Proposition 13. The computation of $\sum_i u_j^{(i)} \log|\phi_i|_j$ for $j = 1, \dots, r+1$, with precision $q'$, requires that the precision $q_0$ of the $\log|\phi_i|_j$ be
$$q' + N + K_1 r + \max_{i,j}\left\{\log_2|u_j^{(i)}|\right\}.$$
Thus, the loss of precision during the computation of $A_{\mathbb{R}}$ is bounded by $O(L(1/3, \rho + o(1)))$.

Proof. Multiplying $\log_2|\phi_i|_j$ by $u_i$ induces a loss of $\log_2|u_i| \in O(L(1/3, \rho + o(1)))$ bits of precision. Furthermore, every addition induces the loss of one bit of precision. As we perform $N + K_1 r = O(L(1/3, \rho + o(1)))$ of them, we thus lose another $N + K_1 r$ bits of precision.
Consequently, the total loss of precision is bounded from above by
$$N + K_1 r + \max_{i,j}\left\{\log_2|u_j^{(i)}|\right\} \in O(L(1/3, \rho + o(1))).$$

Once $A_{\mathbb{R}}$ is obtained, we need to compute successive $r \times r$ determinants extracted from this matrix. Every computation of such a determinant induces a loss of precision. The following proposition allows us to evaluate the loss of precision for one computation of an $r \times r$ determinant of a matrix $\hat{\Omega}$ extracted from $A_{\mathbb{R}}$.

Proposition 14. The computation with precision $q'$ of the determinant of an $r \times r$ matrix $\hat{\Omega}$ extracted from $A_{\mathbb{R}}$, which is a rational approximation of $\Omega \in \mathbb{R}^{r \times r}$, requires that
$$q = q' + (r/2 + 1)\log_2(r) + \log_2\left(|\Omega|^{r-1} + 1\right),$$
where $q$ is the precision of the coefficients of $A_{\mathbb{R}}$, and $|\Omega| = \max_{i,j}|\Omega_{ij}|$. Thus, the loss of precision during the computation of the determinant of an $r \times r$ submatrix of $A_{\mathbb{R}}$ is bounded by $O(L(1/3, \rho + o(1)))$.

Proof. We know that $\Omega = (\omega_1, \dots, \omega_r)$ and $\hat{\Omega} = (\hat{\omega}_1, \dots, \hat{\omega}_r)$ are $r \times r$ matrices with $r \le n \in O(\log_2(|\Delta|)^{\alpha})$ and $|\Omega - \hat{\Omega}| \le 2^{-q}$, and furthermore, by Lemma 11, $\Omega$ satisfies $\log_2|\Omega| \in O(L(1/3, \rho + o(1)))$. We have, by multilinearity of the determinant and by Hadamard's inequality,
$$|\det\hat{\Omega} - \det\Omega| = \left|\sum_{i=1}^{r} \det(\omega_1, \dots, \omega_{i-1}, \hat{\omega}_i - \omega_i, \hat{\omega}_{i+1}, \dots, \hat{\omega}_r)\right| \le r^{r/2+1}\left(|\Omega|^{r-1} + 1\right)2^{-q}.$$
Thus, the loss of precision is of
$$(r/2 + 1)\log_2(r) + \log_2\left(|\Omega|^{r-1} + 1\right) = O(L(1/3, \rho + o(1))).$$

The last source of loss of precision is the series of multiplications and additions involved in the computation of the real GCD of two approximations of multiples of the regulator. The following proposition gives us this loss of precision during the successive real GCD computations in Algorithm 2, knowing from Heuristic 6 that the real GCD need not be called more than $K_1 r$ times.
Proposition 15. If we have the determinants of the successive $r \times r$ matrices with precision $q$, then we can obtain the regulator with precision $q'$ provided
$$q = q' + K_1 \frac{r^3}{4}\log_2^2(r)\,\log_2^2|A_{\mathbb{R}}|.$$
Thus, the loss of precision during the successive real GCD computations is bounded by $O(L(1/3, 2\rho + o(1)))$.

Proof. Whenever we compute another determinant $R_2$ of an $r \times r$ matrix extracted from $A_{\mathbb{R}}$, we have to perform the step $R_1 \leftarrow R_2 - R_1\lfloor R_2/R_1 \rfloor$ at most $\log_2 R_2$ times to get the real GCD of $R_1$ and $R_2$, where $R_1$ is the previous approximation of the regulator $R$. We know that the coefficients of the submatrix whose determinant is $R_2$ have bit size bounded by
$$\log_2|\Omega| \le \log_2|A_{\mathbb{R}}| \in O(L(1/3, \rho + o(1))).$$
By Hadamard's inequality, we have
$$\log_2 R_2 \le \frac{r}{2}\log_2 r\,\log_2|A_{\mathbb{R}}| = O(L(1/3, \rho + o(1))),$$
which gives us an upper bound on the number of times we enter the main loop of the real GCD algorithm. Every multiplication $R_1\lfloor R_2/R_1 \rfloor$ induces the loss of at most $\log_2 R_2$ bits of precision. Thus, the total loss of precision of one call to the real GCD algorithm is of
$$\frac{r^2}{4}\log_2^2(r)\,\log_2^2|A_{\mathbb{R}}| = O(L(1/3, 2\rho + o(1))).$$
As we know that Algorithm 4 is called at most $K_1 r$ times, the loss of precision after the $K_1 r$ calls to the real GCD algorithm is still of $L(1/3, 2\rho + o(1))$ bits. The last thing we have to do is to check the validity of the value $\lfloor R_2/R_1 \rfloor$. Indeed, if $R_2/R_1$ is close to an integer, then we risk computing $\lfloor R_2/R_1 \rfloor \pm 1$. Assume that $R_1 = k_1 R$ and $R_2 = k_2 R$, with $k_1 = k'_1 d$, $k_2 = k'_2 d$, and with $k'_1$ and $k'_2$ coprime.
Theoretically, we have $\lfloor R_2/R_1 \rfloor = \lfloor k'_2/k'_1 \rfloor$, but we can obtain the wrong value if $k'_2 \sim Kk'_1$ for some integer $K$, the worst case scenario being $k'_2 = Kk'_1 \pm 1$ (we cannot have $k'_2 = Kk'_1$ since $k'_1$ and $k'_2$ are coprime). In that case, we have
$$\left|\frac{k'_2}{k'_1} - K\right| \ge \frac{1}{k'_1}.$$
Thus, we need the precision to be at least $2\log_2|k'_1|$. As the loss of precision encountered so far is in $O(L(1/3, 2\rho + o(1)))$, and as the original precision is in $O(L(1/3, 3\rho + o(1)))$, the current precision of the value $\lfloor R_2/R_1 \rfloor$ is still in $O(L(1/3, 3\rho + o(1)))$. Furthermore, $\log_2|k'_1| \le \log_2 R_1 \le L(1/3, \rho + o(1))$, so the condition is satisfied and the value of the quotient can be trusted.

Corollary 16. The total loss of precision is of
$$N + K_1 r + \max_{i,j}\left\{\log_2|u_j^{(i)}|\right\} + K_1\frac{r^3}{4}\log_2^2(r)\,\log_2^2|A_{\mathbb{R}}| \in O(L(1/3, 2\rho + o(1))).$$

These considerations allow us to evaluate the complexity of Algorithm 2. Indeed, it consists of at most $K_1 r$ computations of the determinant of an $r \times r$ submatrix $\hat{\Omega}$ of $A_{\mathbb{R}}$. Let $I \subset [1, K_2 r]$ and $J \subset [1, r+1]$ both be subsets of cardinality $r$ such that $\hat{\Omega} =: (\hat{y}_{ij})_{i \in I, j \in J}$. In addition, we define $A = (a_{ij})_{i \in I, j \in J} \in \mathbb{Z}^{r \times r}$ such that it satisfies
$$\hat{y}_{ij} = \sum_{k=-q}^{\lceil \log_2|y_{ij}| \rceil} 2^k a^{ij}_k =: \frac{a_{ij}}{2^q}.$$
We thus have, by multilinearity,
$$\det\hat{\Omega} = \frac{\det A}{2^{rq}},$$
where $q \in O(L(1/3, 3\rho + o(1)))$ is the precision of the coefficients of $A_{\mathbb{R}}$. Furthermore, the computation of $\det A$ takes $\tilde{O}(r^4 \log_2|A|)$ bit operations (see [14]), where $\tilde{O}$ denotes the complexity when we omit the logarithm factors. Therefore, the expected time for the computation of $\det A$ is in
$$\tilde{O}\left(r^4\left(q + \log_2|\hat{\Omega}|\right)\right),$$
since $\log_2|A| = \max_{ij}\{\log_2 a_{ij}\} \le q + \log_2|\hat{\Omega}|$.
As $q$ is in $O(L(1/3, 3\rho + o(1)))$, and as we know from Lemma 11 that $\log_2|\hat{\Omega}| \in O(L(1/3, \rho + o(1)))$, we have the following result on the complexity of Algorithm 2:

Proposition 17. The complexity of Algorithm 2 lies in $O(L(1/3, 3\rho + o(1)))$.

Now, let us check the validity and the complexity of Algorithm 3. Given an $r \times i$ submatrix $A_i$ of $A_{\mathbb{R}}$, we want to determine whether its rows are approximations of independent rows. To do this, we compute $\det(A_i^t A_i)$ and decide whether this is the approximation of a zero determinant. We use Minkowski's bound, which states that
$$\sqrt{\det A_i^t A_i} \ge \left(\frac{\|b_1^{(i)}\|_2}{\sqrt{r}}\right)^{r}, \qquad (7)$$
where $b_1^{(i)}$ is the non-zero vector of minimal length in the lattice spanned by the rows of $A_i$. For every $i$, $b_1^{(i)}$ is the logarithm vector of a unit. In [7], it is shown that for every unit $\epsilon$ that is not a root of unity, we have
$$\left(\sum_i \log|\epsilon|_i^2\right)^{1/2} > \frac{21}{128}\,\frac{\log n}{n^2}. \qquad (8)$$
Therefore, we can prove the following proposition:

Proposition 18. The precision $q_0 = L(1/3, 3\rho)$ is accurate enough to ensure the validity of Algorithm 3, whose complexity is in $O(L(1/3, 3\rho + o(1)))$.

Proof. First, we calculate the precision of the value $\det(A_i^t A_i)$. The coefficients $c^{(i)}_{kl}$ ($k, l \le i$) of $A_i^t A_i$ are given by
$$c^{(i)}_{kl} = \sum_{h \le r} a^{(i)}_{kh}\, a^{(i)}_{lh},$$
where the $a^{(i)}_{kl}$ ($k \le i$, $l \le r$) are the coefficients of $A_i$. We know from Lemma 11 that the coefficients of $A_i$ have bit size in $O(L(1/3, \rho + o(1)))$; thus, using Lemma 12, we prove that the precision of $c^{(i)}_{kl}$ ($k, l \le i$) is still in $O(L(1/3, 3\rho + o(1)))$. Using the same techniques as in Proposition 14, we prove that the loss of precision we encounter during the computation of $\det(A_i^t A_i)$ is of
$$(i/2 + 1)\log_2(i) + \log_2\left(|A_i^t A_i|^{i-1} + 1\right).$$
As $\log_2 |A_i^t A_i| \in O(L(1/3, 2\rho + o(1)))$, this loss of precision is in $O(L(1/3, 2\rho + o(1)))$ as well. We thus have the value of $\det(A_i^t A_i)$ with a precision $q$ satisfying:
\[
q \in O(L(1/3, 3\rho + o(1))).
\]
On the other hand, we have a lower bound on the value of $\det(A_i^t A_i)$ from the combination of (7) and (8) in the case where $A_i$ contains approximations of independent rows:
\[
\det(A_i^t A_i) \geq \left( \frac{21}{128} \right)^{2r} \left( \frac{1}{r} \right)^{r} \left( \frac{\log n}{n^2} \right)^{2r}.
\]
If $\det(A_i^t A_i) \leq 1/2^q$, then it might equal zero; otherwise it is necessarily the approximation of a strictly non-zero determinant. Furthermore, the bound on $\det(A_i^t A_i)$ satisfies:
\[
\log \left[ \left( \frac{21}{128} \right)^{2r} \left( \frac{1}{r} \right)^{r} \left( \frac{\log n}{n^2} \right)^{2r} \right] \leq n \log(n) (1 + o(1)) \ll q.
\]
We can thus conclude that if $\det(A_i^t A_i) \leq 1/2^q$, then the rows of $A_i$ are necessarily dependent. This allows us to state the following proposition:

Proposition 19. The complexity of the computation of $R$ and of the system of fundamental units lies in $O(L(1/3, 3\rho + o(1)))$. In addition, we know the value of $R$ with a precision:
\[
q_R \in O(L(1/3, 3\rho + o(1))).
\]

6. Subexponentiality

In this section, we show that we achieve a subexponential complexity for the overall running time of the algorithm. Direct application of Proposition 5 with the parameters
\[
\beta = \frac{1}{3}, \quad d = \rho, \quad \zeta = \frac{2}{3}, \quad c = \kappa(\delta + \nu + o(1)),
\]
shows that the expected number of trials to obtain a relation is at most $L\left( 1/3, \frac{\kappa(\nu + \delta)}{3\rho} + o(1) \right)$. We know that the factor base has size $N \in O(L(1/3, \rho))$; thus the complexity of the search for $N + K_1 r$ relations is bounded by:
\[
L\left( 1/3, \frac{\kappa(\nu + \delta)}{3\rho} + \rho + o(1) \right).
\]
The number of $\phi$ in the search space is in $O(L(1/3, \nu\delta\kappa))$. We thus have the following constraint on the parameters:
\[
(9) \quad \nu\delta\kappa = \frac{\kappa(\nu + \delta)}{3\rho} + \rho.
\]
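The two computational steps described above, as an added Python illustration that is not part of the paper: Algorithm 2's identity $\det \hat{\Omega} = \det A / 2^{rq}$ evaluated through one exact integer determinant, and the test of Proposition 18 that declares the rows of $A_i$ dependent when $\det(A_i^t A_i) \leq 2^{-q}$ (with $c_{kl} = \sum_h a_{kh} a_{lh}$ formed as in the proof). The sample vectors, the precision $q = 20$ and every function name are constructed assumptions, not the paper's.

```python
from fractions import Fraction
from math import floor

def det_exact(m):
    """Exact determinant over the rationals (Gaussian elimination on Fractions)."""
    a = [[Fraction(v) for v in row] for row in m]
    n, det = len(a), Fraction(1)
    for k in range(n):
        piv = next((i for i in range(k, n) if a[i][k] != 0), None)
        if piv is None:
            return Fraction(0)
        if piv != k:
            a[k], a[piv] = a[piv], a[k]
            det = -det
        det *= a[k][k]
        for i in range(k + 1, n):
            f = a[i][k] / a[k][k]
            a[i] = [a[i][j] - f * a[k][j] for j in range(n)]
    return det

def truncate(y, q):
    """Keep q fractional bits: hat_y_ij = a_ij / 2^q with a_ij = floor(y_ij 2^q) an integer."""
    return [[floor(Fraction(v) * 2**q) for v in row] for row in y]

def det_via_integers(y, q):
    """det(hat Omega) = det(A) / 2^(r q): one exact integer determinant does the work."""
    a = truncate(y, q)
    return det_exact(a) / 2**(len(a) * q)

def multilinearity_holds(y, q):
    """Compare with a direct rational determinant of the truncated entries hat_y_ij."""
    hat = [[Fraction(v, 2**q) for v in row] for row in truncate(y, q)]
    return det_exact(hat) == det_via_integers(y, q)

def rows_dependent(y, q):
    """Algorithm 3's test: c_kl = sum_h a_kh a_lh; det(hat A_i hat A_i^t) <= 2^-q means dependent."""
    a = truncate(y, q)
    i, cols = len(a), len(a[0])
    gram = [[sum(a[k][h] * a[l][h] for h in range(cols)) for l in range(i)] for k in range(i)]
    g = det_exact(gram) / 2**(2 * i * q)   # every entry of hat A_i carries a factor 2^-q
    return g <= Fraction(1, 2**q)

# Constructed sample (not from the paper): logarithm-like vectors with zero coordinate sum.
Q, EPS = 20, Fraction(1, 2**25)            # EPS is noise far below the 2^-Q working precision
Y1 = [Fraction(1), Fraction(-1, 2), Fraction(-1, 2), Fraction(0)]
Y2 = [Fraction(1, 3), Fraction(1, 3), Fraction(-2, 3), Fraction(0)]
Y4 = [Fraction(0), Fraction(0), Fraction(1), Fraction(-1)]
Y3 = [Y1[j] - Y2[j] + EPS * (1, 0, -1, 0)[j] for j in range(4)]   # Y1 - Y2 plus noise: dependent
INDEPENDENT, DEPENDENT = [Y1, Y2, Y4], [Y1, Y2, Y3]
SQUARE = [Y1, Y2, Y4, [Fraction(1, 5), Fraction(0), Fraction(0), Fraction(0)]]
```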
We can prove that the strategy minimizing the overall time is the one where the relation collection and the linear algebra take the same time. As the complexity of the linear algebra is dominated by the HNF computation, which lies in $O(L(1/3, 5\rho + o(1)))$, we thus have the additional constraint:
\[
(10) \quad \kappa\nu\delta = 5\rho.
\]
From (9) and (10), we obtain:
\[
\nu\delta = \frac{5\rho}{\kappa}, \qquad \nu + \delta = \frac{12\rho^2}{\kappa}.
\]
Thus, $\delta$ and $\nu$ are roots of the polynomial:
\[
X^2 - \frac{24\rho^2}{\kappa} X + \frac{5\rho}{\kappa}.
\]
These roots exist provided we have:
\[
\rho \geq \sqrt[3]{\frac{5\kappa}{144}}.
\]
The optimal choice is to minimize $\rho$, thus fixing the parameters $\delta$ and $\nu$:
\[
\delta = \nu = \sqrt{\frac{5\rho}{\kappa}} = \sqrt[6]{\frac{625}{144\kappa^2}}.
\]
The total running time becomes $L(1/3, 5\rho + o(1))$, with:
\[
\rho = \sqrt[3]{\frac{5\kappa}{144}}.
\]

Acknowledgments

The author thanks Andreas Enge for his support, the fruitful discussions we had, and his careful reading of this article. He also thanks Steven Galbraith for the original suggestion of adapting the L(1/3) algorithm of [6] to the context of number fields, and Michael Pohst for pointing out [7].

References

[1] R. P. Brent. Fast multiple-precision evaluation of elementary functions. Journal of the ACM, 23:242–251, 1976.
[2] J. Buchmann. A subexponential algorithm for the determination of class groups and regulators of algebraic number fields. In Catherine Goldstein, editor, Séminaire de Théorie des Nombres, Paris 1988–1989, Progress in Mathematics, pages 27–41, Boston, 1990. Birkhäuser.
[3] E. R. Canfield, P. Erdős, and C. Pomerance. On a problem of Oppenheim concerning ‘factorisatio numerorum’. J. Number Theory, 17:1–28, 1983.
[4] H. Cohen. A course in computational algebraic number theory, volume 138 of Graduate Texts in Mathematics. Springer-Verlag, 1991.
[5] A. Enge. Computing discrete logarithms in high-genus hyperelliptic Jacobians in provably subexponential time. Mathematics of Computation, 71:729–742, 2001.
[6] A. Enge and P. Gaudry. An L(1/3 + ε) algorithm for the discrete logarithm problem for low degree curves. In EUROCRYPT ’07: Proceedings of the 26th annual international conference on Advances in Cryptology, Lecture Notes in Computer Science, pages 379–393, Berlin, Heidelberg, 2007. Springer-Verlag.
[7] C. Fieker and M. Pohst. Dependency of units in number fields. Mathematics of Computation, 75:1507–1518, 2006.
[8] M. Giesbrecht, M. Jacobson, and A. Storjohann. Algorithms for large integer matrix problems. In S. Boztas and I. Shparlinski, editors, Proceedings of the 14th International Symposium on Applied Algebra, Algebraic Algorithms and Error-Correcting Codes, AAECC-14, volume 2227 of Lecture Notes in Computer Science, pages 297–307, Heidelberg, 2001. Springer-Verlag.
[9] J. L. Hafner and K. S. McCurley. A rigorous subexponential algorithm for computation of class groups. Journal of the American Mathematical Society, 2:839–850, 1989.
[10] A. K. Lenstra. On the calculation of regulators and class numbers of quadratic fields. In Journées arithmétiques, pages 123–150. Cambridge Univ. Press, 1982.
[11] M. Mignotte. An inequality about factors of polynomials. Mathematics of Computation, 28:1153–1157, 1974.
[12] D. Shanks. Class number, a theory of factorization, and genera. In W. J. LeVeque and E. G. Straus, editors, Proceedings of Symposia in Pure Mathematics, volume 20, pages 415–440. American Mathematical Society, 1969.
[13] D. Shanks. The infrastructure of a real quadratic field and its applications. In Proceedings of the 1972 Number Theory Conference, pages 217–224. Boulder: University of Colorado, 1972.
[14] A. Storjohann. Algorithms for Matrix Canonical Forms. PhD thesis, Department of Computer Science, Swiss Federal Institute of Technology – ETH, 2000.

LIX, École Polytechnique, 91128 Palaiseau, France
E-mail address: biasse@lix.polytechnique.fr