Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

An efficient quantum algorithm for computing $S$-units and its applications

Jean-Francois Biasse, Fang Song

TL;DR

Let $K$ be a number field with discriminant $ ext{Δ}$ and let $S$ be a finite set of primes. The paper presents a quantum algorithm to compute the $S$-unit group $U_S$ in time polynomial in $n= ext{deg}(K)$, $ ext{log}| ext{Δ}|$, $|S|$, and $ ext{max}_{ rak p in S} ext{log}ig( ext{N}( rak p)ig)$, with GRH enabling polynomial-time corollaries for class groups, $S$-class groups, relative class groups, unit groups, the principal ideal problem, ray class groups, and certain norm equations. The core strategy reduces CGP and PIP to $S$-unit computation and then to a continuous Hidden Subgroup Problem on $bR^m$, leveraging $E$-ideals and lattice-encoded quantum states to realize an efficient quantum oracle. A key contribution is the generalized reduction to HSP for arbitrary degree fields, along with a robust quantum encoding that yields exact (compact) representations of the obtained $S$-units and the ability to translate these into classical algebraic data. These results imply broad cryptanalytic consequences—most notably polynomial-time attacks on schemes relying on short generators of principal ideals—and provide a unified quantum framework for several central number-theoretic computations, including class groups and norm equations, under GRH.

Abstract

In this paper, we provide details on the proofs of the quantum polynomial time algorithm of Biasse and Song (SODA 16) for computing the $S$-unit group of a number field. This algorithm directly implies polynomial time methods to calculate class groups, S-class groups, relative class group and the unit group, ray class groups, solve the principal ideal problem, solve certain norm equations, and decompose ideal classes in the ideal class group. Additionally, combined with a result of Cramer, Ducas, Peikert and Regev (Eurocrypt 2016), the resolution of the principal ideal problem allows one to find short generators of a principal ideal. Likewise, methods due to Cramer, Ducas and Wesolowski (Eurocrypt 2017) use the resolution of the principal ideal problem and the decomposition of ideal classes to find so-called ``mildly short vectors'' in ideal lattices of cyclotomic fields.

An efficient quantum algorithm for computing $S$-units and its applications

TL;DR

Let be a number field with discriminant and let be a finite set of primes. The paper presents a quantum algorithm to compute the -unit group in time polynomial in , , , and , with GRH enabling polynomial-time corollaries for class groups, -class groups, relative class groups, unit groups, the principal ideal problem, ray class groups, and certain norm equations. The core strategy reduces CGP and PIP to -unit computation and then to a continuous Hidden Subgroup Problem on , leveraging -ideals and lattice-encoded quantum states to realize an efficient quantum oracle. A key contribution is the generalized reduction to HSP for arbitrary degree fields, along with a robust quantum encoding that yields exact (compact) representations of the obtained -units and the ability to translate these into classical algebraic data. These results imply broad cryptanalytic consequences—most notably polynomial-time attacks on schemes relying on short generators of principal ideals—and provide a unified quantum framework for several central number-theoretic computations, including class groups and norm equations, under GRH.

Abstract

In this paper, we provide details on the proofs of the quantum polynomial time algorithm of Biasse and Song (SODA 16) for computing the -unit group of a number field. This algorithm directly implies polynomial time methods to calculate class groups, S-class groups, relative class group and the unit group, ray class groups, solve the principal ideal problem, solve certain norm equations, and decompose ideal classes in the ideal class group. Additionally, combined with a result of Cramer, Ducas, Peikert and Regev (Eurocrypt 2016), the resolution of the principal ideal problem allows one to find short generators of a principal ideal. Likewise, methods due to Cramer, Ducas and Wesolowski (Eurocrypt 2017) use the resolution of the principal ideal problem and the decomposition of ideal classes to find so-called ``mildly short vectors'' in ideal lattices of cyclotomic fields.

Paper Structure

This paper contains 35 sections, 19 theorems, 80 equations, 7 algorithms.

Table of Contents

  1. Introduction
  2. Previous work
  3. Our contribution
  4. Response to a recent preprint from de Boer and Felderhoff BoerF25
  5. Technical background
  6. Number Theory
  7. Number fields
  8. The ideal class group
  9. The $S$-unit group
  10. $E$-ideals
  11. HSP resolution
  12. Continuous HSP
  13. High level overview
  14. Review: reduction for unit-group STOC2014
  15. Reducing $S$-units to HSP
  16. ...and 20 more sections

Key Result

Theorem 1

There is a quantum algorithm for computing the $S$-unit group of a number field $K$ in compact representation which runs in polynomial time in the parameters $n=\deg(K)$, $\log(|\Delta|)$, $|S|$ and $\max_{\mathfrak{p}\in S}\{\log(\mathcal{N}(\mathfrak{p}))\}$, where $\Delta$ is the discriminant of

Theorems & Definitions (41)

  • Theorem 1: $S$-unit group computation
  • Corollary 1
  • Definition 1: $E$-ideals
  • Definition 2: Continuous HSP over $\mathbb{R}^m$
  • Definition 3: Control group $G$
  • Definition 4: Matrix distance between $E$-ideals
  • Lemma 1
  • proof
  • Proposition 1
  • Lemma 2
  • ...and 31 more