1. University of South Florida and Eindhoven University of Technology
A Fast Algorithm for Computing the S-unit Group in Multiquadratics and its application to Class Group Computation
J.-F. Biasse and C. van Vredendaal
University of South Florida and Eindhoven University of Technology 

2. Main contribution
Let 𝐾=ℚ 𝑑 1 , 𝑑 2 ,…, 𝑑 𝑛 for 𝑑 𝑖 >0 and 𝑆 be a set of non zero prime ideals of 𝐾
We propose efficient algorithms for computing:
The ideal class group of 𝐾.
The S-class group of K.
The S-unit group of K
We use a recursive strategy for computing the S-unit group, and then derive the (S)-class group

3. Main Motivation
Let 𝐾 be a number field with maximal order 𝒪 𝐾 . We describe algorithms for computing 𝐶𝑙 𝐾 ≔ Fractional ideals of 𝐾 {Principal fractional ideals of 𝐾}
What do we mean by “computing 𝐶𝑙(𝐾)” ?
Typically: Find 𝑑 1 ,…, 𝑑 𝑘 such that 𝐶𝑙 𝐾 ≃ ℤ 𝑑 1 ℤ × … × ℤ 𝑑 𝑘 ℤ
Better: Find fractional ideals 𝔤 1 ,…, 𝔤 𝑘 such that 𝐶𝑙 𝐾 ≃ [𝔤 1 ] × … × [𝔤 𝑘 ]
Even better: Get the 𝛼 𝑖 ∈𝐾 such that 𝔤 𝑖 𝑑 𝑖 =( 𝛼 𝑖 ) 𝒪 𝐾

4. Relationship between various computational problems
This work
S-unit group
Generators of principal ideals
Relative norm equations
Class group
Discrete Log in Cl(K)
D. Simon 99
S-class group
Crypto applications
D. Simon 99
CDPR16,CDW17,BEGFK17,BBdVLvV17,…

5. The (S)-Unit group
The unit group 𝑈of 𝐾 is the integers 𝛼 that satisfy 𝛼 𝒪 𝐾 = 𝒪 𝐾
Connection to the computation of 𝐶𝑙(𝐾) via the exact sequence 𝜑 1 ℐ
𝐶𝑙(𝐾) 𝑈
𝐾 ∗ 1
𝑈=Ker(𝜑)
Fractional ideals
Collect many principal ideals 𝛼 𝑖 𝒪 𝐾
𝐶𝑙 𝐾 =ℐ/Im(𝜑)
By linear algebra: find 𝑥 such that 𝑖 𝜑 𝛼 𝑖 𝑥 𝑖 ∈Ker(𝜑)
Let 𝑆= 𝔭 1 ,…, 𝔭 𝑠 be a set of non-zero prime ideals of 𝐾
An S-unit is an element 𝛼∈𝐾 such that 𝛼 𝒪 𝐾 = 𝔭 1 𝑒 1 ,…, 𝔭 𝑠 𝑒 𝑠 For some 𝑒 1 ,…, 𝑒 𝑠 ∈ ℤ 𝑠

6. S-class group and S-unit group
Let 𝑆 be a set of prime ideals of 𝐾, the ring of S-integers of K is the ring
𝑅 𝑆 = 𝛼∈𝐾 such that 𝑣 𝔭 𝛼 ≥0 for all 𝔭∉𝑆
𝐶𝑙 𝑆 𝐾 = {Fractional ideals of 𝑅 𝑆 }∕{Principal fractional ideals of 𝑅 𝑆 }.
𝑈 𝑆 is 𝛼∈ 𝑅 𝑆 that satisfy 𝛼 𝑅 𝑆 = 𝑅 𝑆 1 1
𝐶𝑙( 𝑆 ) 1 1 𝑈
𝑈 𝑆 𝑆
𝐶𝑙 𝐾 ,𝑈, 𝐶𝑙 𝑆 𝐾 , 𝑈 𝑆
𝐶𝑙(𝐾) 1 1 𝑈
𝐾 ∗ ℐ
are tied by the following exact sequences 1
𝐶𝑙 𝑆 𝐾 1
𝑈 𝑆
𝐾 ∗
ℐ 𝑆 1 1

7. The computation of 𝐶𝑙(𝐾) from S-units
Let S= 𝔓 1 ,…, 𝔓 𝑠 a set of prime ideals that generate 𝐶𝑙(𝐾). We have a surjective morphism:
𝔞 and 𝔟 are in the same class if ∃𝛼, 𝔞=(𝛼)𝔟
ℤ 𝑠
Ideals of 𝐾
𝐶𝑙(𝐾)
𝑒 𝑖 𝑖≤𝑠
Class of Π 𝑖≤𝑠 𝔓 𝑖 𝑒 𝑖
Π 𝑖≤𝑠 𝔓 𝑖 𝑒 𝑖
We compute a basis ( 𝑎 𝑖 ) for the lattice ℒ of 𝑣 = 𝑣 1 ,…, 𝑣 𝑠 such that: ∃ 𝛼 𝑣 ∈ 𝐾such that 𝔓 1 𝑣 1 … 𝔓 𝑠 𝑣 𝑠 = 𝒪 𝐾 ( 𝛼 𝑣 )
𝐶𝑙 𝐾 ≅ ℤ 𝑠 / ℒ
Bulk of the work: finding a generating set for ℒ.
Finding a basis for ℒ and the decomposition of ℤ 𝑠 / ℒ is done by linear algebra.
Finding the S-unit group allows us to compute ℒ and thus 𝐶𝑙(𝐾)

8. A recursive approach to compute S-units
Let 𝜎,𝜏∈Gal(𝐾/ℚ) be endomorphisms such that 𝜎 2 = 𝜏 2 =Id. 𝐾
Degree 2
𝐾 𝜎
𝐾 𝜏
𝐾 𝜎𝜏
Idea: recover the S-unit group of 𝐾 from the S-unit groups of 𝐾 𝜎 , 𝐾 𝜏 , 𝐾 𝜎𝜏
Remark: in subfields, we talk about 𝔭∩ 𝐾 𝑖 for 𝔭∈𝑆
BBdVLvV17: same with units

9. Using S-units of subfields
S-units of 𝐾 𝜎 , 𝐾 𝜏 , 𝐾 𝜎𝜏 are S-units of 𝐾
Not all S-unit of 𝐾 is an S-unit of 𝐾 𝜎 , 𝐾 𝜏 , 𝐾 𝜎𝜏
We can show that the subgroup 𝑈⊆𝐾 generated by S-units of 𝐾 𝜎 , 𝐾 𝜏 , 𝐾 𝜎𝜏 contains all the squares of the S-units of 𝐾: 𝑈 𝑆 2 ⊆𝑈⊆ 𝑈 𝑆
𝛼 2 = 𝒩 𝐾 𝜎 𝐾 𝛼 . 𝒩 𝐾 𝜏 𝐾 𝛼 𝜎 𝒩 𝐾 𝜎𝜏 𝐾 𝛼
General strategy:
Compute S-units in 𝐾 𝜎 , 𝐾 𝜏 , 𝐾 𝜎𝜏 .
Compute a basis for the squares in 𝑈.
Compute the square roots of the basis elements and deduce 𝑈 𝑆 .

10. Those annoying square roots
Goal: Given a generating set for the squares of 𝑈 𝑆 , find a minimal generating set for 𝑈 𝑆
Solution: use maps 𝐾 𝜑 𝑖 𝔽 𝑞 𝑖 like in the square root phase of Number Field Sieve
We consider vectors 𝜑 𝛼 ≔ log − 𝜑 1 (𝛼) 𝑞 1 , log − 𝜑 2 (𝛼) 𝑞 ,…, log − 𝜑 𝑚 (𝛼) 𝑞 𝑚
If 𝜑 𝛼 =0 then ∀𝑖, 𝜑 𝑖 (𝛼) is a square mod 𝑞 𝑖
Heuristic: 𝛼 is a square in 𝐾
Given 𝑣 𝑖 ,…, 𝑣 𝑘 generating the squares of 𝑈 𝑆
Then 𝑢 𝑥 ≔ 𝑖 𝑣 𝑖 𝑥 𝑖 is a square
Find 𝑥 such that 𝑖 𝑥 𝑖 𝜑 𝑣 𝑖 = 0
Compute 𝑢 𝑥

11. The case of multiquadratics
Our method works particularly well with fields of the form:
𝐾=ℚ 𝑑 1 , 𝑑 2 ,…, 𝑑 𝑛
We focused on the case 𝑑 𝑖 >0
Let 𝜎: 𝑑 𝑛 − 𝑑 𝑛 and τ: 𝑑 𝑛−1 − 𝑑 𝑛−1 , then we have:
𝐾 𝜎 =ℚ 𝑑 1 , 𝑑 2 ,…, 𝑑 𝑛−1
𝐾 𝜏 =ℚ 𝑑 1 ,…, 𝑑 𝑛−2 , 𝑑 𝑛
𝐾 𝜎𝜏 =ℚ 𝑑 1 ,…, 𝑑 𝑛−2 , 𝑑 𝑛−1 𝑑 𝑛
𝑁= deg 𝐾 = 2 𝑛
disc 𝐾 = Δ= 2 𝑎 𝑝 1 … 𝑝 𝑘 2 𝑛−1
𝑑 𝑖 = 𝑝 𝑖 𝑚 𝑖
𝑎∈ 0,1,2

12. Asymptotic complexity
Our algorithm relies on GRH and a heuristic on square root computation (similar to NFS)
Poly Size 𝑆 .Poly 𝑁 .Poly Δ . 𝑒 𝑂 𝑖 log 𝑑 𝑖
Asymptotic complexity:
Corrolary: if 𝑖 log 𝑑 𝑖 < log log Δ 𝑐 for some 𝑐<2 class group computation in Poly Δ
Comparison: best known method with complexity exp 𝑂 3 log |Δ|
B10

13. Numerical results
Let 𝑑 1 =5, 𝑑 2 =13, 𝑑 3 =17, 𝑑 4 =29, 𝑑 5 =37, 𝑑 6 =41, 𝑑 7 =53
𝐾 𝑖 = ℚ 𝑑 1 , 𝑑 2 ,…, 𝑑 𝑖 I
[ 𝑲 𝒊 :ℚ]
Magma
Sage
This work
Cl( 𝑲 𝒊 ) 3 8
1.4
0.25
99.9
Trivial 4 16 12
0.91
648
𝐶 4 × 𝐶 4 5 32
3615
77.7
5027
𝐶 2 × 𝐶 4 × 𝐶 8 4 6 64 .
>
𝐶 2 9 × 𝐶 4 3 × 𝐶 8 × 𝐶 4 16 × 𝐶 48 × 𝐶 240 7
128
𝐶 2 10 × 𝐶 4 16 × 𝐶 8 13 × 𝐶 16 2 × 𝐶 48 6 × 𝐶 96 3 × 𝐶 480 × 𝐶 960
Time in CPU sec.

14. Conclusion: further directions
Application to other problems than class groups
Extension to other classes of number fields.
Efficient parallel implementation of the S-unit computation

15. Thank you for your attention