Computing the Power Residue Symbol

Radboud University
Master Thesis

Computing the power residue symbol

Koen de Boer

supervised by
dr. W. Bosma
dr. H.W. Lenstra Jr.

August 28, 2016

Foreword

Introduction

In this thesis, an algorithm is proposed to compute the power residue symbol $\left(\frac{\alpha}{b}\right)_m$ in arbitrary number rings containing a primitive m-th root of unity. The algorithm consists of three parts: principalization, reduction and evaluation, where the reduction part is optional.

The evaluation part is a probabilistic algorithm of which the expected running time might be polynomially bounded by the input size, a presumption made plausible by prime density results from analytic number theory and timing experiments. The principalization part is also probabilistic, but it is not tested in this thesis. The reduction algorithm is deterministic, but might not be a polynomial-time algorithm in its present form. Despite the fact that this reduction part is apparently not effective, it speeds up the overall process significantly in practice, which is the reason why it is incorporated in the main algorithm.

When I started writing this thesis, I only had the reduction algorithm; the two other parts, principalization and evaluation, were invented much later. This is the main reason why this thesis concentrates primarily on the reduction algorithm by covering subjects like lattices and lattice reduction. Results about the density of prime numbers and other topics from analytic number theory, on which the presumed effectiveness of the principalization and evaluation algorithm is based, are not as extensively treated as I would have liked to.

Since, in the beginning, I only had the reduction algorithm, I tried hard to prove that its running time is polynomially bounded. When I did not succeed, I attempted to pose some assumptions I thought to be plausible, in order to deduce from it that the reduction algorithm is effective. I did not succeed in making the assumptions plausible nor in deducing the effectiveness of the reduction algorithm. The short research about these assumptions is placed in the appendix (see section B.2).

Acknowledgements

I would like to thank my supervisor, dr. Wieb Bosma of the FNWI at the Radboud University, for his unstoppable faith and enthusiasm. The large amount of freedom and independence that characterizes his supervision might be overwhelming for others, but for me, it was exactly what I needed. His ability to see the big picture in difficult mathematical subjects has often saved me from losing myself in the details.

Besides my advisor, I would like to thank dr. H.W. Lenstra of the Mathematisch Instituut at the Universiteit Leiden, for being an outstanding teacher and for inspiring me with many very good ideas, including two-sided reduction and principalization. With his expertise and eye for detail, he has pointed out many areas of improvement in my thesis.

My sincere thanks also go to dr. J. Bouw of the Mathematisch Instituut at the Universiteit Leiden, for allowing me to read his PhD thesis before the publication, so that I could implement his algorithm that computes Hilbert symbols. This heavily motivated me to think about an effective algorithm to compute power residue symbols. I have good memories of my visit to Leiden, when we verified each other's computations.

I would also like to acknowledge dr. M. Kosters of the department of Mathematics at the University of California (Irvine), for sending me a summary of Bouw's algorithm that focusses on the algorithmic aspect, which has been very useful for me.

Furthermore, I would like to thank dr. D. Micciancio of the Computer Science & Engineering department at the University of California (San Diego), for giving a comprehensive answer to my question about q-ary lattices.

My thesis would be full of textual mistakes without the proofreaders: Elke de Boer, Els de Jong, Kris Roufs and Janneke de Wit.
Many thanks for your effort. Also, many thanks to Djordy Timmermans, who designed the beautiful cover of this thesis.

Finally, I must express my gratitude to my parents, to my brothers and sister, and to my partner Kris Roufs for supporting me spiritually throughout writing this thesis and my life in general. This accomplishment would not have been possible without them. Thank you.

Contents

Foreword
    Introduction
    Acknowledgements
1 Number fields and completions
    1.1 Introduction
    1.2 Number fields
        1.2.1 Finite degree field extensions
        1.2.2 Number rings
        1.2.3 Ideal arithmetic
        1.2.4 Discriminant and singular primes
    1.3 Local Fields and Completions
        1.3.1 Introduction
        1.3.2 Absolute values
        1.3.3 p-adic completions
        1.3.4 p-adic local fields
2 Ideals and lattices
    2.1 Introduction
    2.2 Lattices
    2.3 Ideals as lattices
        2.3.1 Basis matrix of a lattice
        2.3.2 The Hermite normal form
        2.3.3 Computing the HNF
        2.3.4 HNF and operations on ideals
    2.4 Lattice reduction: LLL
        2.4.1 Introduction
        2.4.2 Reduced bases
    2.5 Element reduction modulo an ideal
    2.6 q-ary lattices
        2.6.1 Introduction
        2.6.2 q-ary lattices in the reduction algorithm
        2.6.3 Different inner products
3 Power residue symbols and Hilbert symbols
    3.1 Introduction
    3.2 Power residue symbols
        3.2.1 Definition
        3.2.2 Power residue symbols in number rings
    3.3 Hilbert symbols
    3.4 Exploitable properties of power residue symbols
    3.5 Bouw's algorithm
        3.5.1 Introduction
        3.5.2 Roots of unity and the weakly distinguished unit
        3.5.3 Find the Hilbert symbol from exponential representation
4 Heuristic algorithm for the power residue symbol
    4.1 Introduction
    4.2 Squirrel's algorithm
        4.2.1 General power residue symbol
        4.2.2 Principal power residue symbol
    4.3 Preliminaries
        4.3.1 Notation
        4.3.2 Two-sided reduction
        4.3.3 Near-prime ideals
    4.4 Description of the main algorithm
        4.4.1 Outline
        4.4.2 Principalization
        4.4.3 Reduction
        4.4.4 Evaluation
    4.5 The correctness of the algorithm
        4.5.1 Principalization correctness
        4.5.2 Reduction correctness
        4.5.3 Evaluation correctness
    4.6 Analysis
        4.6.1 Introduction
        4.6.2 Reduction analysis
        4.6.3 Evaluation analysis
        4.6.4 Principalization analysis
    4.7 Possible improvements
5 Computational Results
    5.1 Introduction
    5.2 Method
        5.2.1 Reduction method
        5.2.2 Evaluation method
    5.3 Results
    5.4 Conclusion
        5.4.1 Evaluation
        5.4.2 Reduction
    5.5 Discussion
Appendices
A Data
B Notes
    B.1 Introduction
    B.2 The QSDL-conjecture
    B.3 Other attempts to compute the power residue symbol
C Explanation of the picture on the front cover

CHAPTER 1
Number fields and completions

1.1 Introduction

The main subjects of this thesis are the power residue symbol and, to a lesser extent, the related Hilbert symbol. In order to obtain a clear understanding of these symbols, one has to be acquainted with algebraic number theory and its notions: number fields, ideals, orders, integral elements, completions, etcetera.

This chapter will give a quick, incomplete and subjective overview of the algebraic number theory topics needed. For professional and complete studies of number fields, I would like to recommend [Jan96] and [CF67]. Another goal of this chapter is introducing notation, to avoid misunderstandings in the remainder of this thesis.

We denote the integers by $\mathbb{Z}$, and the rational numbers by $\mathbb{Q}$. We denote rounding to the closest integer by $\lfloor \cdot \rceil$, and the group of invertible matrices with entries in $\mathbb{Z}$ by $\mathrm{GL}_n(\mathbb{Z})$.

1.2 Number fields

1.2.1 Finite degree field extensions

Definition 1.1 (Algebraic number field). A number field is a finite degree field extension of the rational numbers $\mathbb{Q}$.
In this thesis, a number field is often denoted by the capital letter K (from the German word Körper) with degree $n = [K : \mathbb{Q}]$ over the rational numbers. Also, towers of finite extensions will occur. In that case, the field above K will be called L. The extension L : K is called a relative extension, in contrast to K : $\mathbb{Q}$, which is referred to as an absolute extension.

In a computational context, a number field L is defined by an irreducible polynomial f over its ground field K. Via the isomorphism $L \simeq K[x]/f(x)$, any element of L can be uniquely represented by a vector $(k_1, \ldots, k_n) \in K^n$, with $n = \deg f$.

Definition 1.2 (Galois extension). Suppose $K \subseteq L$ are both number fields. The finite degree field extension L : K is called a Galois extension if it is a normal extension; i.e., if for every irreducible polynomial $f(x) \in K[x]$ the following holds:

$$f(x) \text{ has a root in } L \implies f(x) \text{ splits in linear factors over } L.$$

Remark 1.3. Equivalently, a Galois extension L : K is a splitting field of some polynomial $f(x) \in K[x]$, see [Lan05, V§3, i.p. Thm. 3.3].

Every Galois extension has a Galois group G = Gal(L : K) associated with it, which is a subgroup of the permutation group on the zeroes of the defining polynomial.
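
The vector representation from section 1.2.1, as an added example that is not part of the thesis: with K = Q, elements of K[x]/f(x) are stored as coefficient vectors (k_1, ..., k_n) and multiplied or inverted by reducing modulo f. The function names and the sample fields are assumptions chosen for illustration, and f is assumed monic and irreducible.

```python
from fractions import Fraction

def reduce_mod(p, f):
    """Reduce p modulo monic f; coefficients are listed from degree 0 upwards."""
    n = len(f) - 1
    p = [Fraction(c) for c in p]
    for i in range(len(p) - 1, n - 1, -1):
        c = p[i]
        if c:
            for j in range(n + 1):          # subtract c * x^(i-n) * f
                p[i - n + j] -= c * f[j]
    p = p[:n]
    return p + [Fraction(0)] * (n - len(p))

def mul(a, b, f):
    """Product of two elements of Q[x]/f(x), returned as a length-n vector."""
    prod = [Fraction(0)] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            prod[i + j] += x * y
    return reduce_mod(prod, f)

def inv(a, f):
    """Inverse of a nonzero element: solve (multiplication-by-a matrix) * v = 1."""
    n = len(f) - 1
    if not any(a):
        raise ZeroDivisionError("zero has no inverse")
    unit = [[int(i == j) for i in range(n)] for j in range(n)]
    cols = [mul(a, e, f) for e in unit]     # cols[j] = a * x^j as a vector
    rows = [[cols[j][i] for j in range(n)] + [Fraction(int(i == 0))]
            for i in range(n)]              # augmented with the vector of 1
    for c in range(n):                      # Gauss-Jordan elimination over Q
        piv = next(r for r in range(c, n) if rows[r][c] != 0)
        rows[c], rows[piv] = rows[piv], rows[c]
        rows[c] = [v / rows[c][c] for v in rows[c]]
        for r in range(n):
            if r != c and rows[r][c] != 0:
                k = rows[r][c]
                rows[r] = [v - k * w for v, w in zip(rows[r], rows[c])]
    return [rows[i][n] for i in range(n)]

# Constructed sample fields: Q(i) with f = x^2 + 1, Q(2^(1/3)) with f = x^3 - 2.
GAUSS = [1, 0, 1]
CUBIC = [-2, 0, 0, 1]

if __name__ == "__main__":
    print(mul([1, 2], [3, -1], GAUSS))      # (1 + 2i)(3 - i)
    print(inv([0, 1, 0], CUBIC))            # inverse of the cube root of 2
```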
