Upper bounding the quantum space complexity for computing class group and principal ideal problem

Iu-Iong Ng Graduate School of Mathematics, Nagoya University

Abstract

In this paper, we calculate the upper bound on quantum space complexity of the quantum algorithms proposed by Biasse and Song (SODA’16) for solving class group computation and the principal ideal problem using the reductions to $S$ -unit group computation. We follow the approach of Barbulescu and Poulalion (AFRICACRYPT’23) and the framework given by de Boer, Ducas, and Fehr (EUROCRYPT’20) and Eisenträger, Hallgren, Kitaev, and Song (STOC’14).

1 Introduction

1.1 Number theoretical problems

The computation of number theoretical problems, or computational number theory, is important both in its own right and in terms of applications, such as developing algorithms and cryptography. The main objects in these number theoretical problems are number fields, i.e., finite extensions of the field of rational numbers $\mathbb{Q}$ , and their ring of integers. Most quantum algorithms perform exponentially better than the best-known classical algorithms for addressing several theoretical problems or their applications. There are some problems which are believed to be hard classically but have polynomial quantum algorithms solving them, for example, integer factorisation and discrete logarithm [Sho94], and the problems for general number fields, like the unit group computation [Hal05, EHKS14], class group computation [Hal05, BS16], and the principal ideal problem [Hal07, BS16]. These quantum algorithms can be reduced to a type of problem, the hidden subgroup problems (HSP), which find the subgroup hidden by the period of a function.

In this work, we focus on the ideal class group computation and solving the principal ideal problem. The ideal class group, or simply the class group, of a number field is the finite abelian group consisting of the equivalent classes of fractional ideals of the ring of integers. One can also define the class group for an ideal of the ring of integers as the finite abelian group consisting of invertible fractional ideals of the order. Class groups appear in many significant problems in number theory, for instance, factoring large integers and determining principal ideals in a cyclotomic field. The computation of ideal class groups is also commonly used in other number theoretical tasks such as computing other objects of the number field like ray class group, relative class group, and unit group [BF14, EH10], or in problems like finding Bach’s bound on the maximum norm of the generators [Bac90]. There is also a close relation to cryptography, for example, the classical subexponential classical algorithm for integer factorisation [LP92], and some curve-based cryptography [BCL08] that include finding relations between elements in the class group.

An ideal is principal if it can be generated by a single element. The principal ideal problem (PIP) determines whether the input ideal is principal and finds a generator. Like the class group computation, PIP has applications in computing ray class groups, relative class groups, unit groups, and $S$ -class groups. Problems such as lattice isomorphism and matrix similarity can be efficiently reduced to deciding whether an ideal is principal [BHJ22]. Since many cryptographic schemes use principal ideals generated by a short element, PIP is also related to lattice-based cryptography. Recently, it has been shown that solving PIP in polynomial time directly induces a polynomial time attack on schemes relying on the hardness of finding the short generator of a principal ideal [CDPR16].

1.2 Quantum algorithms for number theoretical problems

Instead of the ordinary HSP, most recent quantum algorithms for number theoretical problems are based on a framework called the continuous hidden subgroup problem (CHSP), proposed by Eisenträger, Hallgren, Kitaev, and Song [EHKS14] as a generalisation of HSP to the group $\mathbb{R}^{m}$ for some non-constant dimension $m$ . As an application, [EHKS14] applied CHSP to solve the unit group problem in polynomial time by constructing an oracle that maps from a group containing the unit group to a group of ideals and then to a field of quantum states. Recently, Barbulescu and Poulalion [BP23] applied the complexity framework proposed by [BDF20] on the unit group oracle to analyse the space complexity of the unit group algorithm and propose a modified algorithm for a special case in cyclotomic fields.

Theorem 1.1 ([BP23, Corollary 37]).

Let $K$ be a number field of discriminant $\Delta$ and unit rank $m$ . For any error bound $\tau>0$ , there exists a quantum algorithm running in time $\operatorname{poly}(m,\log|\Delta|,\log\tau)$ using a number of qubits $O(m^{5}+m^{4}\log|\Delta|)+O(m\log\tau^{-1})$ which outputs a set of generators for the unit group of $K$ .

Other important applications on the CHSP are given by Biasse and Song [BS16], which gave a polynomial time quantum algorithms for computing class groups and solving PIP in arbitrary degree number fields by reducing the problems to a problem computing the $S$ -unit group. Notice that the previous works by Hallgren, the polynomial time algorithms for class group computation [Hal05] and for PIP for constant degree number fields [Hal07], utilise the HSP algorithms but not CHSP. The $S$ -unit group problem can be viewed as a generalisation of the unit group problem with $|S|$ more parameters. Hence, [BS16] follows the way of defining the oracle for unit groups and extends it to the one for $S$ -unit groups, which makes it possible to reduce the $S$ -unit group computation to CHSP. A well-known application of the PIP algorithm is the polynomial time quantum algorithm finding the shortest vector¹¹1The length of the shortest vector is called the minimum distance or the first successive minima. in an ideal lattice (ideal-SVP) proposed by Cramer, Ducas, and Wesolowski [CDW21], which applies the PIP algorithm and a variant of class group computation as dominant parts. For the applications in cryptography, since some schemes for post-quantum cryptography rely on the hardness of PIP, [BS16] indeed broke some cryptography systems from a theoretical point of view. Nevertheless, a precise estimation of the quantum time or space complexity is essential in evaluating the threat raised by the quantum algorithm rather than only knowing it runs in polynomial time.

1.3 Our results

In this work, we follow the way in [BP23] of calculating the space complexity of the unit group algorithm, apply the framework provided by [BDF20] on the oracle for $S$ -unit groups, which is defined in [BS16], and derive the space complexity for the $S$ -unit group algorithm.

Theorem 1.2.

Let $K$ be a number field of discriminant $\Delta$ and unit rank $m$ , and let $S$ be a set of prime ideals such that $S=\{\mathfrak{p}_{1},\dots,\mathfrak{p}_{k}\}$ . For any error bound $\tau>0$ , the $S$ -unit group computation algorithm from [BS16] (Theorem 2.4) uses

O(m^{5}+m^{4}\log|\Delta|+m^{4}\sum_{j=1}^{k}\log\mathcal{N}(\mathfrak{p}_{j}))+O(m\log\tau^{-1})

qubits, where $\mathcal{N}(\cdot)$ is the ideal norm.

Since the unit rank $m$ has the same order as the degree $n$ , we can rewrite it in the notations as [BS16] with a maximum.

Corollary 1.3.

The $S$ -unit group computation algorithm from [BS16] (Theorem 2.4) uses $O(n^{5}+n^{4}\log|\Delta|+n^{4}\cdot|S|\cdot\max_{\mathfrak{p}\in S}\{\log\mathcal{N}(\mathfrak{p})\})+O(n\log\tau^{-1})$ qubits.

Our result can be viewed as a generalisation of the space complexity given by [BP23] by taking the set $S$ to be empty. Applying our result to the PIP quantum algorithm derived by [BS16], which with an input ideal $\mathfrak{a}$ runs in polynomial time in the parameters $n,\log\mathcal{N}(\mathfrak{a}),\log\Delta$ , we obtain the quantum space complexity for PIP.

Corollary 1.4.

The principal ideal problem algorithm ([BS16, Theorem 1.3]) uses $O(n^{5}+n^{4}\log\Delta+n^{4}\log\mathcal{N}(\mathfrak{a}))$ qubits.

From this result, we expect the number of qubits used for PIP or its applications, e.g., ideal-SVP, to be large with respect to the degree of the input number field. Therefore, our results indicate that, in general, implementing these algorithms may require a large-scale quantum computer.

2 Preliminaries

2.1 Number field

We follow the definitions in [BS16]. Let $K$ be a number field with degree $n$ , i.e., $n=[K:\mathbb{Q}]$ . Denote by $n_{1}$ and $n_{2}$ the number of real embeddings and the number of pairs of complex embeddings, respectively. Then $n=n_{1}+2n_{2}$ and the unit rank of $K$ is defined as $m=n_{1}+n_{2}-1$ . The absolute norm of an element $x\in K$ is defined as $\mathcal{N}(x)\coloneqq\prod_{\sigma}\sigma(x)\in\mathbb{Q}$ , where $\sigma$ denotes the $n$ embeddings.

We denote the ring of integers of $K$ by $\mathcal{O}$ . Notice that every ring of integers of a number field is a Dedekind ring, and which implies that any ideal $I$ of $\mathcal{O}$ can be uniquely factored into a product of powers of prime ideals, i.e., $I=\prod\mathfrak{p}^{v_{\mathfrak{p}}(I)}$ with $v_{\mathfrak{p}}(I)\in\mathbb{Z}$ and only finitely many of them are non-zero. The norm of an ideal is defined by $\mathcal{N}(I)=|\mathcal{O}/I|$ , and if it is a principal ideal such that $I=(\alpha)$ , then $\mathcal{N}(I)=\mathcal{N}(\alpha)$ . The unit group $\mathcal{O}^{*}$ consists of invertible elements, i.e., the units, in $\mathcal{O}$ . For $\alpha\in\mathcal{O}^{*}$ , $(\alpha)=\mathcal{O}$ .

2.1.1 S-unit group

We now define the $S$ -unit group. The definition is equivalent to the one in [BS16]. We refer to [Neu99] for more details. For a Dedekind domain $\mathlcal{o}$ , define $\mathlcal{o}(X)=\{\frac{f}{g}\,|\,f,g\in\mathlcal{o},g\not\equiv 0\mod{\mathfrak{p}}\text{ for }\mathfrak{p}\in X\}$ , where $X$ is a set of nonzero prime ideals of $\mathlcal{o}$ which contains almost all prime ideals of $\mathlcal{o}$ . Let $S=\{\mathfrak{p}_{1},\dots\mathfrak{p}_{k}\}$ be a finite set of prime ideals of $\mathcal{O}$ , and let $X_{S}$ be the set of all prime ideals that do not belong to $S$ . The ring $\mathcal{O}(X_{S})$ has the units called the $S$ -units. If $S=\emptyset$ , it turns out that $\mathcal{O}(X_{S})=\mathcal{O}$ , which is the special case that the $S$ -units are exactly the units.²²2For the definition for $S$ -units given by the valuations or places, it is the case that when $S=S_{\infty}$ , the Archimedean valuations or infinite places, then the $S$ -units are the units. See, for example, [Nar04]. Otherwise, the $S$ -units are the elements $\alpha\in K$ such that $(\alpha)=\mathfrak{p}_{1}^{e_{1}}\cdots\mathfrak{p}_{k}^{e_{k}}$ for some $e_{1},\dots,e_{k}\in\mathbb{Z}$ . Then the $S$ -units from a multiplicative group $U(S)$ and satisfy that for $\alpha\in U(S)$ ,

\alpha\cdot\mathcal{O}\cdot\mathfrak{p}_{1}^{-v_{\mathfrak{p}_{1}}(\alpha)}\cdots\mathfrak{p}_{k}^{-v_{\mathfrak{p}_{k}}(\alpha)}=\mathcal{O}.

(1)

2.1.2 $E$ -ideals

We denote $E=\mathbb{R}^{n_{1}}\times\mathbb{C}^{n_{2}}$ to be the field for $K$ under canonical embeddings, i.e., for $z\in K$ , $(\sigma_{1}(z),\dots,\sigma_{n_{1}+n_{2}}(z))\in E$ , which is called the conjugate vector representation. Since $\mathcal{O}$ has the structure as a $\mathbb{Z}$ -lattice, its image under the embedding $K\rightarrow E$ , which we denote by $\underline{\mathcal{O}}$ , inherits the lattice structure and can be identified as an $\mathbb{R}^{n}$ -lattice. So do the fractional ideals of $\mathcal{O}$ with lattice structures correspond to fractional ideals (lattices) in $E$ .

Definition 2.1 ([BS16, Definition 2.1]).

An $E$ -ideal is a lattice $\Lambda\subseteq E$ such that $\forall x\in\underline{\mathcal{O}},x\Lambda\subseteq\Lambda$ .

Here state two theorems related to $E$ -ideals that will be used in our proofs.

Theorem 2.2 ([Coh93, Theorem 2.4.13]).

Let $L$ be a $\mathbb{Z}$ -submodule of a free module $\tilde{L}$ and of the same rank. Then there exist positive integers $d_{1},\dots,d_{n}$ satisfying the following conditions:

1.

For every $i$ such that $1\leq i<n$ we have $d_{i+1}|d_{i}$ .
2.

$[\tilde{L}:L]=d_{1}\cdots d_{n}$ .
3.

There exists a $\mathbb{Z}$ -basis $(v_{1},\dots v_{n})$ of $\tilde{L}$ such that $(d_{1}v_{1},\dots,d_{n}v_{n})$ is a $\mathbb{Z}$ -basis of $L$ .

Furthermore, the $d_{i}$ are uniquely determined by $L$ and $\tilde{L}$ .

Theorem 2.3 ([Coh93, Theorem 4.7.4]).

Let $M$ be a module with denominator 1 with respec to a given $R$ (i.e. $M\subset R$ ), and $W=(w_{i,j})$ its Hermite normal form (HNF) with respect to a basis $\alpha_{1},\dots,\alpha_{n}$ of $R$ . Then the product of the $w_{i,i}$ (i.e. the determinant of $W$ ) is equal to the index $[R:M]$ .

2.2 The unit group computation algorithm

In this subsection, we review the ideas for the unit group algorithm from [EHKS14]. By the properties of units, one can identify $\mathcal{O}^{*}$ as a subgroup of $\hat{G}=\mathbb{R}^{n_{1}+n_{2}-1}\times\mathbb{Z}_{2}^{n_{1}}\times(\mathbb{R}/\mathbb{Z})^{n_{2}}$ . To see this, we consider the mapping $\varphi:\hat{G}\rightarrow E$ translating between the log coordinates and the conjugate vector representation.

	$\displaystyle\varphi:$	$\displaystyle(u_{1},\dots,u_{n_{1}+n_{2}},\mu_{1},\dots,\mu_{n_{1}},\theta_{1},\dots,\theta_{n_{2}})$
		$\displaystyle\mapsto((-1)^{\mu_{1}}e^{u_{1}},\dots,(-1)^{\mu_{n_{1}}}e^{u_{n_{1}}},e^{2\pi i\theta_{1}}e^{u_{n_{1}+1}},\dots,e^{2\pi i\theta_{n_{2}}}e^{u_{n_{1}+n_{2}}}).$

Since the units are the elements $z\in\mathcal{O}$ with $\mathcal{N}(z)=\pm 1$ , for a unit written as $z=e^{\boldsymbol{u}}\boldsymbol{v}$ , where $\boldsymbol{u}\in\mathbb{R}^{n_{1}+n_{2}}$ , it satisfies that $\sum_{j=1}^{n_{1}+n_{2}}u_{j}=0$ , and hence $\mathbb{R}^{n_{1}+n_{2}-1}$ is enough for the presentation of units.

The oracle function defined in [EHKS14] is a composition of two mappings:

\mathcal{F}:\hat{G}\xrightarrow{f_{c}}\{E\text{-ideals}\}\xrightarrow{f_{q}}\{\text{quantum states}\},

where $f_{q}$ encodes a lattice $L$ into a quantum state $|L\rangle$ so that it provides a canonical representation for lattices, and $f_{c}$ map an element of $\hat{G}$ to the principal ideal generated by it.

2.3 The $S$ -unit group computation algorithm

Theorem 2.4 ([BS16, Theorem 1.1]).

There is a quantum algorithm for computing the $S$ -unit group of a number field $K$ in compact representation which runs in polynomial time in the parameters $n=\deg(K),\log(|\Delta|),|S|$ and $\max_{\mathfrak{p}\in S}\{\log(\mathcal{N}(\mathfrak{p}))\}$ , where $\Delta$ is the discriminant of the ring of integers of $K$ .

One of the contributions by [BS16] is showing how to get an exact compact representation of the desired field element, which is processed classically. Notice that similar to the unit group, the $S$ -unit group can be identified as a subgroup of $G=\hat{G}\times\mathbb{Z}^{|S|}=\mathbb{R}^{n_{1}+n_{2}-1}\times\mathbb{Z}_{2}^{n_{1}}\times(\mathbb{R}/\mathbb{Z})^{n_{2}}\times\mathbb{Z}^{|S|}$ , where $\mathbb{Z}^{|S|}$ corresponds the valuations (exponents) of the prime ideals in $S$ . The algorithm for Theorem 2.4 applies the CHSP framework from [EHKS14] with an HSP oracle

\mathcal{F}^{\prime}:G\xrightarrow{f_{c}^{\prime}}\{E\text{-ideals}\}\xrightarrow{f_{q}}\{\text{quantum states}\},

where $f_{c}^{\prime}$ is defined as

f_{c}^{\prime}(\boldsymbol{y},v_{1},\dots,v_{|S|})=\varphi(\boldsymbol{y})\cdot\underline{\mathcal{O}}\cdot\mathfrak{p}_{1}^{-v_{1}}\cdots\mathfrak{p}_{|S|}^{-v_{|S|}},

and $f_{q}$ is defined as the one in [EHKS14], which can be extended from $E$ -integral ideals to $E$ -fractional ideals. By the property of $S$ -units, $\mathcal{F}^{\prime}$ hides the subgroup of $G$ , denoted by $U(S)$ , identified as the $S$ -unit group. The periodicity of $f_{c}^{\prime}$ on $U(S)$ is proved by Proposition 5.1 in [BS16]. We rephrase it as follows.

Proposition 2.5 ([BS16, Proposition 5.1]).

For any $(y,(v_{j}))$ and $(y^{\prime},(v_{j}^{\prime}))$ , let $(u,(w_{j}))=(y^{\prime},(v_{j}^{\prime}))-(y,(v_{j}))$ . Then the function $f_{c}^{\prime}$ satisfies that

f_{c}^{\prime}(y^{\prime},(v_{j}^{\prime}))=f_{c}^{\prime}(y,(v_{j}))\Leftrightarrow\varphi(u)\in U(S).

In particular, $v_{\mathfrak{p}_{j}}(\varphi(u))=w_{j},\forall j=1,\dots,|S|$ if $\varphi(u)\in U(S)$ .

Distances.

In Section A.3 of [EHKS14], the distance between two lattices is defined as the geodesic distance on the group $\operatorname{GL}_{n}(\mathbb{R})$ between their bases matrices $B$ and $B^{\prime}$ . Here, to specify the distance by lattice but not its bases, we modify the definition as stated below.

Definition 2.6.

\operatorname{dist}_{g}(L,L^{\prime})\coloneqq\inf\{\|A\|_{2}:e^{A}B_{L^{\prime}}=B_{L},B_{L}\text{ and }B_{L^{\prime}}\text{ are bases for }L\text{ and }L^{\prime}\text{, respectively}\},

where $\|(a_{jk})\|_{2}=\sqrt{\sum_{j,k}|a_{jk}|^{2}}$ .

On the other hand, the definition of the distance for the elements in the domain in [BS16] and for the lattices are defined as follows.

Definition 2.7 ([BS16, Definition 5.2]).

Let $(z,(v_{j})_{j\leq|S|})$ and $(z^{\prime},(v^{\prime}_{j})_{j\leq|S|})$ , we define their distance in $G/U(S)$ , $\operatorname{dist}_{G/U(S)}((z,(v_{j})),(z^{\prime},(v^{\prime}_{j})))$ , by

\inf\{\|a\|+\sum_{j}|w_{j}|e_{j}\log(p_{j})\text{ such that }(z^{\prime},(v^{\prime}_{j})_{j\leq|S|})=(z,(v_{j})_{j\leq|S|})+(a,(w_{j}))+u,u\in U(S)\},

where $\|a\|$ is the Euclidean norm of the vector corresponding to $a$ in $\mathbb{R}^{n_{1}+n_{2}}\times\mathbb{Z}_{2}^{n_{1}}\times(\mathbb{R}/\mathbb{Z})^{n_{2}}$ . The $p_{j},e_{j}$ are defined as $\mathcal{N}(\mathfrak{p}_{j})=p_{j}^{e_{j}}$ .

Definition 2.8 ([BS16, Definition 5.3]).

\operatorname{dist}(L,L^{\prime})=\inf\left\{\|a\|+\sum_{j}\log(d_{j})+n\log(d)\text{ such that }L_{\Delta}=e^{\operatorname{diag}(a_{j})}B_{\omega}\operatorname{diag}(d_{j}/d)\right\},

where $L_{\Delta}$ runs over all the matrices of a basis of $L^{\prime}/L$ such that there is a matrix $B_{\omega}$ of an integral basis of $\mathcal{O}$ , $d_{j},d\in\mathbb{Z}_{>0}$ , and $\|a\|$ is the Euclidean norm of the vector $a\in\mathbb{R}^{n_{1}+n_{2}}\times\mathbb{Z}_{2}^{n_{1}}\times(\mathbb{R}/\mathbb{Z})^{n_{2}}$ corresponding to $(a_{j})_{j\leq n}\in E$ satisfying $L_{\Delta}=e^{\operatorname{diag}(a_{j})}B_{\omega}\operatorname{diag}(d_{j}/d)$ .

The definition for $L^{\prime}/L$ is not explicitly stated in [BS16], but it can be realised from the statements and proofs in the paper as $L^{\prime}/L=\varphi(z^{\prime}-z)\underline{\mathcal{O}}\prod\mathfrak{p}_{j}^{-(v_{j}^{\prime}-v_{j})}$ .

2.4 Complexity of the CHSP framework

The complexity of the CHSP framework from [EHKS14] is studied in [BDF20, BP23]. An HSP oracle hiding $L$ on $\mathbb{R}^{m}$ for some positive integer $m$ is defined as follows.

Definition 2.9 ([EHKS14, Definition 1.1]).

A function $f:\mathbb{R}^{m}\rightarrow H$ , where $H$ is the set of unit vectors in some Hilbert space, is said to be an $(a,r,\epsilon)$ -HSP oracle of the full-rank lattice $L\subset\mathbb{R}^{m}$ if

1.

$f$ is periodic on $L$ ;
2.

$f$ is $a$ -Lipschitz;
3.

For all $x,y\in\mathbb{R}$ such that $\operatorname{dist}_{\mathbb{R}^{m}/L}(x,y)\geq r$ , it holds that $|\langle f(x)|f(y)\rangle|\leq\epsilon$ .

Theorem 1.1 from [BP23] calculates the space complexity for the unit group algorithm from [EHKS14]. According to [BP23, Lemma 21, Lemma 34 and Corollary 37], one can obtain that $O(\log(1/\lambda_{1}^{*}))=O(m+\frac{1}{m}\log D)$ , where $\lambda_{1}^{*}$ is the first successive minima of the dual lattice of $L$ , and the following corollary on the complexity of the CHSP framework applied on an HSP oracle $f$ .

Corollary 2.10 ([BP23]).

Given access to an HSP oracle $f$ , the CHSP algorithm uses

O(m^{3}\log\operatorname{Lip}(f)+m^{4}\log\Delta)+O(m\log\tau^{-1})

qubits.

In [BDF20], the algorithm of [EHKS14] is rigorously analysed (and modified) as follows. The oracle function is considered on a restricted domain $\mathbb{D}^{m}\coloneqq\left(\frac{1}{q}\mathbb{Z}^{m}\right)/\mathbb{Z}^{m}$ with the parameter $q$ relating to the space complexity, and $H$ is a subset of a Hilbert space of dimension $2^{n}$ . The input state is a Gaussian superposition over the representatives $x\in\mathbb{D}^{m}_{\text{rep}}\coloneqq\frac{1}{q}\mathbb{Z}^{m}\cap[-\frac{1}{2},\frac{1}{2})^{m}$ of $\mathbb{D}^{m}$ with the parameter $s\in\mathbb{R}$ . The algorithm has oracle access to $f$ which maps $|x\rangle|0\rangle$ to $|x\rangle|f(Vx)\rangle$ with the parameter $V\in\mathbb{R}$ . The first register uses $m\log q$ qubits, and the second register uses $N$ qubits. Reference [BDF20] denotes that $\log q\eqqcolon Q$ and gives the number of qubits needed for the oracle as follows.

Theorem 2.11 ([BDF20, Theorem 2]).

There exists dual lattice sampler quantum algorithm with the error parameter $\eta>0$ and the relative distance parameter $1/2>\delta>0$ which uses one quantum oracle call to $f$ , $Qm+N$ qubits, where

Q=O\left(m\log\left(m\log\frac{1}{\eta}\right)\right)+O\left(\log\left(\frac{\operatorname{Lip}(f)}{\eta\delta\lambda_{1}^{*}}\right)\right).

(2)

Later in [BP23, Corollary 37], the number of qubits for the second register is claimed that one stores the values of $f$ on $Qm$ qubits.

Lipschitz constant.

Consider the quantum encoding part, $f_{q}$ , in the oracle functions for both the unit group algorithm and the $S$ -unit group algorithm. The Lipschitz continuity for $f_{q}$ is proven as stated below.

Theorem 2.12 ([EHKS14, Theorem D.4]).

$\||f_{q}(L)\rangle-|f_{q}(L^{\prime})\rangle\|\leq\operatorname{Lip}(f_{q})\cdot\operatorname{dist}_{g}(L,L^{\prime})$ .

From this result, [EHKS14] derived the value of $\operatorname{Lip}(\mathcal{F})$ , and the order of $\log\operatorname{Lip}(\mathcal{F})$ is given in [BP23].

Theorem 2.13 ([BP23, Theorem 36]).

$\log_{2}\operatorname{Lip}(\mathcal{F})=O(m^{2}+m\log\Delta)$ .

3 Proof for the main theorem

To prove Theorem 1.2, we need the Lipschitz constant for $\mathcal{F}^{\prime}$ . Since the Lipschitz constants depend on the distance chosen, the approach is to calculate the Lipschitz constant for $f_{c}^{\prime}$ with the distance $\operatorname{dist}(\cdot,\cdot)$ between the ideals (Lemma 3.2), and the relation between distances $\operatorname{dist}(\cdot,\cdot)$ and $\operatorname{dist}_{g}(\cdot,\cdot)$ (Lemma 3.1). Combined with Theorem 2.12, one can obtain an upper bound for $\log\operatorname{Lip}(\mathcal{F}^{\prime})$ from the upper bound for $\log\operatorname{Lip}(\mathcal{F})$ . Therefore, we will use the following two lemmas shown at the end of this section.

Lemma 3.1.

For any $E$ -ideals $L$ and $L^{\prime}$ , $\operatorname{dist}_{g}(L,L^{\prime})=O(n^{2n+2}+\prod_{j}\mathcal{N}(\mathfrak{p}_{j})^{c_{j}n})\cdot\operatorname{dist}(L,L^{\prime})$ holds for some constants $c_{j}$ .

Lemma 3.2.

For any $x,y\in G$ and $L=f_{c}^{\prime}(x),L^{\prime}=f_{c}^{\prime}(y)$ ,

\operatorname{dist}(L,L^{\prime})=O(n)\cdot\operatorname{dist}_{G/U(S)}(x,y)

holds.

Proof for Theorem 1.2.

Combining Theorem 2.12, Lemma 3.1 and Lemma 3.2, we have that

\||f_{q}(x)\rangle-|f_{q}(y)\rangle\|=O\left(n^{2n+3}+\prod_{j}\mathcal{N}(\mathfrak{p}_{j})^{c_{j}n}\right)\cdot\operatorname{Lip}(f_{q})\cdot\operatorname{dist}_{G/U(S)}(x,y)

for some constants $c_{j}$ , which implies that

\operatorname{Lip}(\mathcal{F}^{\prime})=O\left(m^{2m+3}+\prod_{j}\mathcal{N}(\mathfrak{p}_{j})^{c_{j}m}\cdot\operatorname{Lip}(\mathcal{F})\right),

and hence

\log\operatorname{Lip}(\mathcal{F}^{\prime})=O\left(m^{2}+m\log\Delta+m\sum_{j=1}^{|S|}\log\mathcal{N}(\mathfrak{p}_{j})\right)

by Theorem 2.13.

Notice that in [BS16, Theorem 5.4], it is shown that the $(\operatorname{Lip}(\mathcal{F}^{\prime}),r,\epsilon)$ -HSP oracle $\mathcal{F}^{\prime}$ reduces to an $(\operatorname{Lip}(\hat{\mathcal{F}^{\prime}}),\hat{r},\epsilon)$ -HSP oracle $\hat{\mathcal{F}^{\prime}}$ defined on $\mathbb{R}^{\hat{n}}$ with $\hat{n}=2(n_{1}+n_{2})+|S|-1$ , and moreover, $O(\log\operatorname{Lip}(\hat{\mathcal{F}^{\prime}}))=O(\log\operatorname{Lip}(\mathcal{F}^{\prime}))$ . In order to apply the CHSP framework ([BDF20, Theorem 1]) on $\hat{\mathcal{F}^{\prime}}$ , one needs that $\epsilon<1/4$ . According to [BP23, Theorem 36], we can take tensor product $\otimes^{c}\hat{\mathcal{F}^{\prime}}$ with a constant $c$ large enough such that the resulting oracle hides the same lattice. It is a $(c\operatorname{Lip}(\hat{\mathcal{F}^{\prime}}),\hat{r},\epsilon^{c})$ -HSP oracle satisfying that $\epsilon^{c}<1/4$ . Hence by applying Corollary 2.10 with $f=\mathcal{F}^{\prime}$ , we obtain the number of qubits

O(m^{5}+m^{4}\log\Delta+m^{4}\sum_{j=1}^{|S|}\log\mathcal{N}(\mathfrak{p}_{j}))+O(m\log\tau^{-1})

as claimed. ∎

Below, we give the proofs of the two lemmas.

Proof for Lemma 3.1.

Fix $L=\varphi(z)\underline{\mathcal{O}}\prod\mathfrak{p}_{j}^{-v_{j}}$ and $L^{\prime}=\varphi(z^{\prime})\underline{\mathcal{O}}\prod\mathfrak{p}_{j}^{-v_{j}^{\prime}}$ . Let $a,d_{j},d$ be ones that satisfy $\operatorname{dist}(L,L^{\prime})=\|a\|+\sum_{j}\log(d_{j})+n\log(d)$ . We first consider the special case by assuming that $d_{j}=d=1$ for all $j$ such that $L_{\Delta}=e^{\operatorname{diag}(a_{j})}B_{\omega}$ . Therefore, without loss of generality, we can write $L^{\prime}/L=\varphi(z^{\prime}-z)\underline{\mathcal{O}}\prod\mathfrak{p}_{j}^{-(v_{j}^{\prime}-v_{j})}$ , where $-(v_{j}^{\prime}-v_{j})\geq 0$ for all $j$ . It is implied that $1/\varphi(z)L\supseteq L^{\prime}$ , and that there exist the HNF-basis $H$ for $L^{\prime}$ and a matrix $A$ satisfying $e^{A}=He^{\operatorname{diag}((-z)_{j})}$ such that

	$\displaystyle\operatorname{dist}_{g}(L,L^{\prime})$	$\displaystyle\leq\\|A\\|_{2}$
		$\displaystyle\leq n^{2}\cdot\det(H)\cdot\operatorname{dist}(L,L^{\prime})$
		$\displaystyle\leq n^{2}\prod\mathcal{N}(\mathfrak{p}_{j})^{c_{j}}\cdot\operatorname{dist}(L,L^{\prime})$

by Theorem 2.3 for some constants $c_{j}$ .

Now suppose that not all of $d_{j}$ and $d$ are ones, so that $\sum_{j}\log(d_{j})+n\log(d)\geq\log 2$ . Since $L$ and $L^{\prime}$ are fractional ideals of $\mathcal{O}$ , there exist $\alpha,\alpha^{\prime}\in K$ such that they can be written as $L=\frac{1}{\alpha}M$ and $L^{\prime}=\frac{1}{\alpha^{\prime}}M^{\prime}$ for some integral ideals $M,M^{\prime}$ in $\mathcal{O}$ . Let $W,W^{\prime}\in\operatorname{GL}_{n}(\mathbb{Z})$ denote the HNF-bases such that $\frac{1}{\alpha}WB_{\omega}$ and $\frac{1}{\alpha^{\prime}}W^{\prime}B_{\omega}$ are basis for $L$ and $L^{\prime}$ , respectively. Under the condition, we can obtain an upper bound for the matrix $A$ satisfying that $e^{A}=\alpha/\alpha^{\prime}W^{\prime}W^{-1}$ by Theorem 2.3 and the inequality $\operatorname{dist}(L,L^{\prime})\geq\log 2$ derived from the above.

	$\displaystyle\operatorname{dist}_{g}(L,L^{\prime})$	$\displaystyle\leq\\|A\\|_{2}$
		$\displaystyle\leq\left\\|\frac{\alpha}{\alpha^{\prime}}\right\\|\\|W^{\prime}\\|_{2}\\|W^{-1}\\|_{2}$
		$\displaystyle\leq n^{2}\prod_{j}\mathcal{N}(\mathfrak{p}_{j})^{h_{j}}\sqrt{\sum_{j}j\|w_{j,j}^{\prime}\|^{2}}\cdot\frac{\\|W\\|_{2}^{n-1}}{\|\det W\|}$
		$\displaystyle\leq n^{2}\prod_{j}\mathcal{N}(\mathfrak{p}_{j})^{h_{j}}\frac{n(n+1)}{2}\prod_{j}w_{j,j}^{\prime}\left(\frac{n(n+1)}{2}\prod_{j}w_{j,j}\right)^{n-1}$
		$\displaystyle\leq\frac{n^{2}}{\log 2}\left(\frac{n(n+1)}{2}\right)^{n}\prod_{j}\mathcal{N}(\mathfrak{p}_{j})^{\tilde{h}_{j}n}\cdot\operatorname{dist}(L,L^{\prime})$

for some constants $h_{j}$ and $\tilde{h}_{j}$ .

Hence we can obtain that $\operatorname{dist}_{g}(L,L^{\prime})=O(n^{2n+2}+\prod_{j}\mathcal{N}(\mathfrak{p}_{j})^{\tilde{h}_{j}n})\cdot\operatorname{dist}(L,L^{\prime})$ as claimed. ∎

Proof for Lemma 3.2.

Fix $L=\varphi(z)\underline{\mathcal{O}}\prod\mathfrak{p}_{j}^{v_{j}}$ and $L^{\prime}=\varphi(z^{\prime})\underline{\mathcal{O}}\prod\mathfrak{p}_{j}^{v_{j}^{\prime}}$ that are the images of $(z,(v_{j}))$ and $(z^{\prime},(v_{j}^{\prime}))$ under the map $f_{c}^{\prime}$ , respectively. We write

\operatorname{dist}_{G/U(S)}((z,(v_{j})),(z^{\prime},(v_{j}^{\prime})))=\|z-z^{\prime}-u\|+\sum|v_{j}-v_{j}^{\prime}-w_{j}|e_{j}\log p_{j}

for some $(u,(w_{j})))\in U(S)$ . Notice that if $(z-z^{\prime}-u,(v_{j}-v_{j}^{\prime}-w_{j}))=0$ , i.e., $(z,(v_{j}))$ and $(z^{\prime},(v_{j}^{\prime}))$ satisfy the condition in Proposition 2.5 that they are different by an $S$ -unit, then $L=L^{\prime}$ , and moreover, $L^{\prime}/L=L/L^{\prime}=\underline{\mathcal{O}}$ , which implies that

\operatorname{dist}(L,L^{\prime})=\operatorname{dist}_{G/U(S)}((z,(v_{j})),(z^{\prime},(v_{j}^{\prime})))=0.

Now we suppose that $(z-z^{\prime}-u,(v_{j}-v_{j}^{\prime}-w_{j}))\neq 0$ and that $z,z^{\prime},v_{j},v_{j}^{\prime}$ satisfy the infimum, i.e., $\operatorname{dist}_{G/U(S)}((z,(v_{j})),(z^{\prime},(v_{j}^{\prime})))=\|z-z^{\prime}\|+\sum|v_{j}-v_{j}^{\prime}|e_{j}\log p_{j}$ . From the definition of the distance $\operatorname{dist}(\cdot,\cdot)$ among $E$ -ideals, we have that

\operatorname{dist}(L,L^{\prime})\leq\|z-z^{\prime}\|+\sum_{j}\log d_{j}+n\log d

for some $d_{j},d\in\mathbb{Z}$ such that $\prod d_{j}=\prod\mathcal{N}(\mathfrak{p}_{j})^{\min\{-(v_{j}^{\prime}-v_{j}),0\}}$ and $d\leq\prod\mathcal{N}(\mathfrak{p}_{j})^{\max\{-(v_{j}^{\prime}-v_{j}),0\}}$ by Theorem 2.2. Therefore, the upper bound for the distance can be taken as

\operatorname{dist}(L,L^{\prime})\leq\|z-z^{\prime}\|+n\sum_{j}c_{j}\log\mathcal{N}(\mathfrak{p}_{j})

for some constants $c_{j}$ . Then we can derive that

	$\displaystyle\operatorname{dist}(L,L^{\prime})$	$\displaystyle\leq\\|z-z^{\prime}\\|+n\sum_{j}c_{j}e_{j}\log p_{j}$
		$\displaystyle\leq nh_{j}\cdot\operatorname{dist}_{G/U(S)}((z,(v_{j})),(z^{\prime},(v_{j}^{\prime}))),$

where $h_{j}$ are constants. Hence, it follows that

\operatorname{dist}(L,L^{\prime})=O(n)\cdot\operatorname{dist}_{G/U(S)}((z,(v_{j})),(z^{\prime},(v_{j}^{\prime})))

as claimed. ∎

4 Reductions to $S$ -unit computation

Reference [BS16] proposed two problems that can be reduced to $S$ -unit group computation, the class group problem, and the principal ideal problem.

4.1 Class group problem

In the class group algorithm from [BS16], the set is taken as

S_{\text{CGP}}=\{\mathfrak{p}:\text{ prime }\mid\mathcal{N}(\mathfrak{p})\leq 48(\log|\Delta|)^{2}\},

and the output is the Smith normal form (SNF) of the valuations of the result of $S_{\text{CGP}}$ -unit group computation. The computation of the SNF is classical, so for the quantum space complexity, it suffices to evaluate $|S_{\text{CGP}}|$ . We approximate the number of rational primes smaller than $48(\log|\Delta|)^{2}$ with the following theorem, which was first discovered by Gauss; see, for example, [Apo76]. Denote by $\pi(x)$ the number of rational primes less than $x$ .

Theorem 4.1 (The prime number theorem).

$\pi(x)\sim\frac{x}{\log x}$ as $x\rightarrow\infty$ .

Let $e=\left\lfloor\frac{\log x}{\log 2}\right\rfloor$ and $p$ denotes a rational prime number. Then the number of rational prime powers that are smaller than $x$ is

\displaystyle\sum_{p\leq 1}1+\cdots+\sum_{p^{e}\leq x}1=\frac{x}{\log x}+\frac{x^{\frac{1}{2}}}{\frac{1}{2}\log x}+\cdots+\frac{x^{\frac{1}{e}}}{\frac{1}{e}\log x}

and has the order $O(x/\log x)$ . From Corollary 1.3, we can obtain the quantum space complexity of the class group algorithm.

Corollary 4.2.

Under the Generalised Riemann Hypothesis, the class group computation algorithm ([BS16, Theorem 1.2]) uses $O(n^{5}+n^{4}(\log\Delta)^{4}/\log\log\Delta)+O(n\log\tau^{-1})$ qubits.

4.2 Principal ideal problem

In the algorithm reducing PIP to $S$ -units from [BS16], the first step, that factors the input ideal to the product of powers of prime ideals $\mathfrak{a}=\mathfrak{p}_{1}^{a_{1}}\cdots\mathfrak{p}_{k}^{a_{k}}$ , is quantum. The set $S$ is taken to be the prime ideals dividing the ideal, i.e., $S_{\text{PIP}}=\{\mathfrak{p}_{1},\dots,\mathfrak{p}_{k}\}$ . The last step following the $S_{\text{PIP}}$ -unit group computation is to classically solve equations on the valuations.

For the ideal factorisation, we follow the algorithm from [EH10, Algorithm 2], which shows that factoring integers is the only computationally difficult part.

Proposition 4.3 ([EH10, Lemma 4.1]).

Factoring fractional ideals of $K$ into a product of prime ideals of $\mathcal{O}$ reduces to factoring integers in polynomial time in $\log\Delta$ and $n$ .

A fractional ideal $I$ is given as $d\in\mathcal{O}$ and $A$ , the integer which makes $dI$ an integral ideal and a matrix of a basis of $\mathcal{O}$ , respectively.

1.

Compute the norm $N=\mathcal{N}(dI)$ .
2.

Factor $N=\prod p^{e_{p}}$ with $e_{p}>0$ .
3.

For each $p$ dividing $N$ , compute the prime ideals $\mathfrak{p}_{1},\dots,\mathfrak{p}_{k}$ above $p$ .
4.

For each $p$ dividing $N$ , and each $\mathfrak{p}\supset p\mathcal{O}$ from Step (3), compute $v_{\mathfrak{p}}(dI)$ , giving the exponent of $\mathfrak{p}$ in the factorization of $dI$ .
5.

For each $\mathfrak{p}$ found with nonzero valuation, output $\mathfrak{p}$ , $v_{\mathfrak{p}}(dI)$ . We have $dI=\prod\mathfrak{p}^{v_{\mathfrak{p}}(dI)}$ .
6.

Repeat steps (1)-(5) for the integral ideal $d\mathcal{O}$ , then subtract the exponents of $d\mathcal{O}$ from the exponents computed above for the ideal $dI$ for each prime, giving the primes $\mathfrak{p}$ and the exponents $v_{\mathfrak{p}}$ such that $I=\prod\mathfrak{p}^{v_{\mathfrak{p}}}$ .

By the multiplicative rule of the ideal norms, for $\mathfrak{a}=\prod\mathfrak{p}^{v_{\mathfrak{p}(\mathfrak{a})}}$ , we can factor its norm into $\mathcal{N}(\mathfrak{a})=\prod\mathcal{N}(\mathfrak{p})^{v_{\mathfrak{p}(\mathfrak{a})}}$ . Therefore the norms of $d\mathfrak{a}$ and $d$ will be $\mathcal{N}(d\mathfrak{a})=\prod\mathcal{N}(\mathfrak{p})^{\max\{0,v_{\mathfrak{p}(\mathfrak{a})}\}}$ and $\mathcal{N}(d)=\mathcal{N}(d\mathcal{O})=\prod\mathcal{N}(\mathfrak{p})^{-\min\{0,v_{\mathfrak{p}(\mathfrak{a})}\}}$ , respectively. Hence, if we only do Step 2 in quantum, which factors positive integers $\mathcal{N}(d\mathfrak{a})$ and $\mathcal{N}(d\mathcal{O})$ , then by [Sho94], the number of qubits used for ideal factorization will be $O\left(\log\left(\mathcal{N}(d)\cdot(\mathcal{N}(\mathfrak{a})+1)\right)\right)=O(\log\mathcal{N}(\mathfrak{a}))$ . By Theorem 1.2, to compute the $S_{\text{PIP}}$ -unit group costs $O(n^{5}+n^{4}\log\Delta+n^{4}\log\mathcal{N}(\mathfrak{a}))+O(n\log\tau^{-1})$ qubits, and hence it turns out to be the quantum space complexity for PIP as claimed in Corollary 1.4.

References

[Apo76] Tom M. Apostol “Introduction to analytic number theory”, Undergraduate Texts in Mathematics Springer-Verlag, New York-Heidelberg, 1976
[Bac90] Eric Bach “Explicit bounds for primality testing and related problems” In Math. Comp. 55.191, 1990, pp. 355–380
[BCL08] Reinier Bröker, Denis Charles and Kristin Lauter “Evaluating large degree isogenies and applications to pairing based cryptography” In Pairing-based cryptography—Pairing 2008 5209, Lecture Notes in Comput. Sci., 2008, pp. 100–112
[BDF20] Koen Boer, Léo Ducas and Serge Fehr “On the quantum complexity of the continuous hidden subgroup problem” In Advances in cryptology—EUROCRYPT 2020. Part II 12106, Lecture Notes in Comput. Sci., 2020, pp. 341–370
[BF14] Jean-François Biasse and Claus Fieker “Subexponential class group and unit group computation in large degree number fields” In LMS J. Comput. Math. 17, 2014, pp. 385–403
[BHJ22] Werner Bley, Tommy Hofmann and Henri Johnston “Computation of lattice isomorphisms and the integral matrix similarity problem” In Forum Math. Sigma 10, 2022, pp. 1–36
[BP23] Razvan Barbulescu and Adrien Poulalion “The special case of cyclotomic fields in quantum algorithms for unit groups” In Progress in cryptology—AFRICACRYPT 2023 14064, Lecture Notes in Comput. Sci., 2023, pp. 229–251
[BS16] Jean-François Biasse and Fang Song “Efficient quantum algorithms for computing class groups and solving the principal ideal problem in arbitrary degree number fields” In Proceedings of the Twenty-Seventh Annual ACM-SIAM Symposium on Discrete Algorithms, 2016, pp. 893–902
[CDPR16] Ronald Cramer, Léo Ducas, Chris Peikert and Oded Regev “Recovering short generators of principal ideals in cyclotomic rings” In Advances in cryptology—EUROCRYPT 2016. Part II 9666, Lecture Notes in Comput. Sci., 2016, pp. 559–585
[CDW21] Ronald Cramer, Léo Ducas and Benjamin Wesolowski “Mildly Short Vectors in Cyclotomic Ideal Lattices in Quantum Polynomial Time” In J. ACM 68.2, 2021
[Coh93] Henri Cohen “A course in computational algebraic number theory” 138, Graduate Texts in Mathematics Springer-Verlag, Berlin, 1993
[EH10] Kirsten Eisenträger and Sean Hallgren “Algorithms for ray class groups and Hilbert class fields” In Proceedings of the Twenty-First Annual ACM-SIAM Symposium on Discrete Algorithms, 2010, pp. 471–483
[EHKS14] Kirsten Eisenträger, Sean Hallgren, Alexei Kitaev and Fang Song “A quantum algorithm for computing the unit group of an arbitrary degree number field” In STOC’14—Proceedings of the 2014 ACM Symposium on Theory of Computing, 2014, pp. 293–302
[Hal05] Sean Hallgren “Fast quantum algorithms for computing the unit group and class group of a number field” In STOC’05: Proceedings of the 37th Annual ACM Symposium on Theory of Computing, 2005, pp. 468–474
[Hal07] Sean Hallgren “Polynomial-time quantum algorithms for Pell’s equation and the principal ideal problem” In J. ACM 54.1, 2007, pp. Art. 4\bibrangessep19
[LP92] H.. Lenstra and Carl Pomerance “A rigorous time bound for factoring integers” In J. Amer. Math. Soc. 5.3, 1992, pp. 483–516
[Nar04] Władysław Narkiewicz “Elementary and analytic theory of algebraic numbers”, Springer Monographs in Mathematics Springer-Verlag, Berlin, 2004
[Neu99] Jürgen Neukirch “Algebraic number theory” 322, Grundlehren der mathematischen Wissenschaften [Fundamental Principles of Mathematical Sciences], 1999
[Sho94] Peter W. Shor “Algorithms for quantum computation: discrete logarithms and factoring” In 35th Annual Symposium on Foundations of Computer Science (Santa Fe, NM, 1994), 1994, pp. 124–134