Short representation of quadratic integers

2 downloads 0 Views 251KB Size Report
Aug 10, 1993 - Let 2 ZZ be a quadratic discriminant, i.e. is not a square in ZZ and ... is N( )=(x2 ? y2 )=4, the height of ... Lenstra 3] the odd part of the class number is one with probability at ... impossible to write down the fundamental unit for most of the real ... By log we always mean the logarithm to base 2 and by ln we.

Short representation of quadratic integers Johannes Buchmann Christoph Thiel Fachbereich Informatik Universitat des Saarlandes 6600 Saarbrucken Germany

Hugh Williams Department of Computer Science University of Manitoba Winnipeg, Manitoba Canada, R3T2N2

August 10, 1993 Abstract

Let O be a real quadratic order of discriminant . For elements in O we develop a compact representation whose binary length is polynomially bounded in log log H( ), log N( ) and log  where H( ) is the height of and N( ) is the norm of . We show that using compact representations we can in polynomial time compute norms, signs, products, and inverses of numbers in O and principal ideals generated by numbers in O. We also show how to compare numbers given in compact represention in polynomial time.

1 Introduction Let  2 ZZ bep a quadratic discriminant, i.e.  is not a square in ZZ and   0; 1 mod4. Then O = ZZ + +2  ZZ is the quadratic order of discriminant . Any 2 O can be uniquely represented as p x + y = 2  (1) where x; y 2 ZZ. This representation will be called the standard representation ofp in O . The norm p of is N( ) = (x2 ? y2 )=4, the height of is H( ) = maxfjx + y j; jx ? y jg=2. We also set C( ) = maxfjxj; jyjg. In real quadratic orders there are many integers of small absolute norm and very big height. For example, assuming the extended Riemann hypothesis and that  is suciently large, the number p of bits needed to write down the standard representation of the fundamental unit of O is at least =(9h log) where h is the class number of O. This will be shown in section 3. Notions like fundamental unit and class number will be explained in section 2 which is a fairly self contained introduction to the algorithmic theory of real quadratic elds as it is used in this paper. Since according to the heuristics of Cohen and Lenstra [3] the odd part of the class number is one with probability at least 75% it is therefore completely impossible to write down the fundamental unit for most of the real quadratic orders. The binary length of its standard representation grows exponentially in log . Therefore, there cannot be a polynomial time algorithm which on input of  determines the standard representation of the fundamental unit of O . Similarly, it can be shown under reasonable assumptions that there cannot be a polynomial time algorithm that on input of  and the norm of a principal ideal in O computes the standard representation of a generator of such an ideal because the length of this representation is too big. It is therefore desirable to have a shorter representation for numbers in O of small norm which can be used to perform the same operations that can be performed using the standard representation. In this 1

paper we introduce and study such a representation. It is a generalization of the short representation for units that was introduced in [4]. Also, a similar representation for units is used in the computer algebra system PARI, see [2].

1.1 De nition Let  be a quadratic discriminant and let 2 O . A compact representation of (with respect to ) is a representation k  2 ? Y j = d j j =1

k j

where and , j 2 O , dj 2 ZZ, 1  j  k with

k  log log H( ) + 2 H( )  jN( )j;

and

0 < dj  jj1=2; H( j )  jj5=2 for 1  j  k: Qj ?1 ? 2 Also, for 1  j  k the number j = j i=1 ( i =di) belongs to O and its norm is dj . j

i

For  < 0 the standard representation of 2 O is a compact representation of . So we can restrict our attention to the case where  > 0. We estimate in section 3 of this paper the number of bits necessary to write down compact representations. We show in particular that writing down a compact representation of the fundamental unit of O only requires O((log)2 ) bits. We also prove that for any principal ideal A of O there exists a generator which when compactly represented is of binary length O(log jN(A)j + (log )2) where N(A) is the norm of A. Assuming that O  IR we show in section 4 that for any 2 O a standard representation can be computed in polynomial time from the sign of , the principal ideal O and a suciently precise approximation to log . In section 5 we show how to perform operations on numbers given in compact representation. We present polynomial time algorithms for computing the sign, the norm, the product, the quotient of numbers in compact representation. We show how to determine in polynomial time the principal ideal generated by those numbers and for a given modulus m the coecients in the standard representation modulo m. We also describe polynomial time methods for comparing two numbers in compact representation. As an application, we show in section 6 that principal ideal testing belongs to the complexity class NP. In a di erent context that result can also be found in [1] and [5]. The main tool used in this paper is the infrastructure of the ideal classes of real quadratic orders that was rst discovered by Shanks [10] and extensively studied by H.W. Lenstra in [6]. In section 2 we give a short self contained presentation of that theory. In the remaining sections of this paper we assume that  is a quadratic discriminant,  > 0. We let O = O and we let K be the eld of fractions of O. By K ! IR, 7! (i) , i = 1; 2, we denote the embeddings of K into the eld C of complex numbers. We assume that K  IR and that = (1) for every 2 K. We also write = (2). By log we always mean the logarithm to base 2 and by ln we mean the natural logarithm.

2 Algorithmic ideal theory In this section we review the results of algorithmic ideal theory in O that are used in this paper. To keep the paper self contained, we present most of the proofs. The presentation is inspired by [6] and [2] but we do not use the language of forms here. We also prove numerous results that are not contained in those descriptions. We start with an algebraic characterization of quadratic orders in K. 2

2.1 Proposition A subset O0 of K is a quadratic order, if and only if O0 is an unitary subring of K which as a ZZ-module is free of rank 2. Also, if 0 is the discriminant of O0 then O is contained in O0 if and only if 0= is a square in ZZ.

Proof: If O0 is a quadratic order, then according to the de nition given in the introduction, O0 is of p 0 0 the form O0 = ZZ +  +2  ZZ. So O0 is obviously a free ZZ-module of rank 2 and it is easy to verify that O0 is a unitary ring. Conversely, assume thatpO0 is a unitary subring of K which as a ZZ-module is free of rank 2. Then O0 has a ZZ-basis 1; ! =p(u + v )=(2d) with u; v;pd 2 ZZ, vd > 0. Since !2 2 O0 there must be x; y 2 ZZ with u2 + v2 + 2uv  = 4d2x + 2d2yu + 2d2yv . This implies that d2 y = u and p v2  = 4d2x + up2 which 2 2 0 2 2 0 2 means that d divides v D. Set  = v =d . Then  = 4x + y and (u + v )=(2d) = (y + 0)=2. The rst of those p equations shows that y   mod2. Therefore it follows from the second equation that O0 = ZZ + 0 +2 0 ZZ. p p p p If O  O0 then  +  = 2x + y0 + y D0 . This means that v=d = = 0 = y 2 ZZ as asserted. It is easy to deduce from this statement what the maximal order in K looks like.

2.2 Corollary Let D be the largest square free divisor of . If D  1 mod4 set 0 = D0 and otherwise set 0 = 4D0 . Then the quadratic order of discriminant 0 is with respect to inclusion maximal among all the quadratic orders in K.

Corollary 2.2 shows that being able to compute maximalorders means being able to determine the square free part of a rational integer. This is considered to be a very hard algorithmic problem. Although the maximal order in K has very nice algebraic properties, it is therefore in general impossible to nd that order. An (integral) ideal of O is an additive subgroup A of O with AO  A. In this paper, ideals will always be assumed to be non zero. The norm of A is N(A) = jO=Aj. A fractional ideal of O is a subset A of K such that dA is an ideal in O for some d 2 ZZ>0 . The denominator d(A) of A is the minimal such d. Also put A = f : 2 Ag. Two fractional ideals A and B are called equivalent if there is a non zero 2 K such that A = B. Equivalence of fractional ideals is an equivalence relation. The eqivalence 2 )). Unless we talk classes are called ideal classes of O. The norm of A is N(A) = N(d(A)A)=(d(A) p about compact representations, elements 2 A will be given as = (x + y )=(2d(A)) with x; y 2 ZZ. Let 2 K, 6= 0, the denominator d( ) with respect to  is the denominator of the principal ideal O of O. The height of is H( ) = H(d( ) )=d( ).

2.3 Lemma For any fractional ideal A of O and any 2 A we have jN( )j  N(A). Proof: It suces to prove the assertion for integral ideals. But then the assertion follows from the fact that O is a subgroup of A. 2.4 Lemma For 2 O we have d(1= )jN( ), jN(d(1= )= )j  jd(1= )j and H(d( )= )  H( ). Proof: Clearly, N( )= = (2) 2 O. Therefore, d(1= )jN( ). Thus jN(d(1= )= )j = d(1= )2=jN( )j  d(1= ). H(d(1= )= )  H(N( )= ) = H( ). p For a;pb 2 ZZ; a = 6 0; let p (b; a) bep the unique integer  such that   b mod2a, ?a <   a if a > , and  ? 2a <  <  if a < . 3

2.5 Proposition A subset A of K is an ideal of O if and only if A can be written as p ! A = m aZZ + b +  ZZ

2

where a; b; m 2 ZZ, a; m > 0, b = (b; a) and 4a divides  ? b2. This representation of ideals is unique. p

Proof: Let A be an ideal of O. The elements 1; ! = +2  form a ZZ-basis of O. Hence, there is a ZZ-basis u; v + w! of A with u; v; w 2 ZZ, w > 0. The numbers u; w are uniquely determined, and v is unique modulo u. Choose v such that ?u < 2v + w  u. Since u! belongs to A we must have u! = xu + y(v + w!) = xu + yv + yw! with x; y 2 ZZ. This implies that u = yw and 0 = xu + yv = xywp+ yv, thus pv = ?xw. Also, ?y < ?2x +   y. Now let a = y, b0 = ?2x +  and p m = w. If a >  or b0   ? 2a then we set b = b0, otherwise we set b = b0 + 2a. Then m(a; (b + )=2) is a basis of A where b = (b0; a). It remains p p to show that 4a divides  ? b2. Without losspof generality we may assume that m = 1. Since !(b + )=2 2 A we must have ((b + 1) + (b + ) )=4 = xa + y(b + )=2 with x; y 2 ZZ. This implies that 2y = b +  and (b + 1) = 4xa + 2yb = 4xa + b2 + b. Thus we have 4xa =  ? b2. Conversely, let A be a subset of K which is of the the form given in the lemma.pWithout loss of generality we may assumepthat m = 1. We must p show that ! 2 A for 2 fa; (b + )=2g. So we must have !a = a=2 + a =2 = xa + y(b + )=2 with x; y 2 ZZ. This implies that y = a and x = ( ? b)=2. Since 4 divides p ? b2, either  and b are both p odd or both even. pTherefore, x is an integer. We must also have !(b + )=2 = ((b + 1) + (b + ) )=4 = xa + y(b + )=2. As shown above this is true for y = (b + )=2 and x = ( ? b2 )=(4a). By our assumption both x and y are integers. The representation of Proposition 2.5 will be called the standard representation of the ideal A. For a fractional ideal A of O the standard representation is (repfrac) p ! b + m (2) A = d(A) aZZ + 2  ZZ where a; b; m satisfy the conditions of Proposition 2.5. By determining a fractional ideal we will mean determining its standard representation.

2.6 Proposition Let ; 2 K be linearly independent over ZZ and let A = ZZ+ ZZ. Then OA = f 2 K : A  Ag is an order of K and A is a fractional ideal of OA. Proof: Obviously OA is a unitary subring of K. It is also easy to see that there is some d 2 ZZ>0 with dO  A  (1=d)O. This implies that (1=d2)O  OA  d2O which means that as a ZZ-module OA is free of rank 2. The order of Proposition 2.6 is called the ring of multipliers of A. As the next statement shows, the ring of multipliers of an ideal of A can be easily computed. When dealing with an ideal A we may therefore assume that the order under consideration is the ring of multipliers of A. p

2.7 Proposition Let A = aZZ + b+2  ZZ be an ideal of O in standard representation, let b2 ?  = 4ac

and let s = gcd(a; b; c). Then s2 divides  and the ring of multipliers of A is of discriminant A = =s2 . 0 +pA b 0 0 0 Moreover, if a = a=s and b = b=s then A = s(a ZZ + 2 ZZ) is the standard representation of A with respect to OA.

4

p

Proof: Clearly, s2 divides  and A = s(a0ZZ + b0+ 2 A ZZ) is the standard representation of A with respect to the order O0 = OA . This pshows that O0  OA . Conversely, let 0 = =k2 be the discriminant of O0 . Then A = aZZ + b+k2 0 ZZ. Then it follows from Proposition 2.5 that k divides a and b and thus k divides c. Hence, it follows from Lemma 2.1 that OA  O0 . For two fractional ideals A and B of O we de ne A + B = f + : ( ; ) 2 A  Bg and AB = fP(a;b)2S ab : S  A  B niteg. The sum A + B and the product AB are fractional ideals of O. The set of fractional ideals of O with this multiplication is a semigroup. The fractional ideal A of O is called invertible if there is a fractional ideal B of O with AB = O. The set I of invertible ideals is an abelian group in which the set P of principal ideals is a subgroup. The class group of O is the factor group I =P .

2.8 Lemma A fractional pideal A of O is invertible if and only if O ispthe ring of multipliers of A. Moreover, if A = aZZ + b+2  ZZ is invertible then the inverse is ZZ + ?b+2a  ZZ.

Proof: Let O0 be the ring of multipliers of A. Clearly O  O0 . If A is invertible then there is a fractional ideal B of O with AB = O. Hence, we have for every 2 K with A  A that AB  AB, i.e. 2 AB = O. This proves that O0  O. ?b+p ZZ. Also, let b2 ?  = 4ac. Conversely, assume that O is the ring of multipliers of A. Let B = Z Z+ 2a p p Then the ideal AB is generated by a; c; (b+ )=2; (b ? )=2. Therefore, AB  O and since a; b; c are contained in AB and since by Proposition 2.7 those numbers are coprime, it follows that AB = O. Now we present a few results concerning ideal arithmetic. By polynomial time we mean that the running time is bounded by a polynomial in log  and the binary length of the input.

2.9 Proposition For 2 O, =

x+yp where 2

x; y 2 ZZ, the ideal A = O can be determined in polynomial time. More prescisely, if we set m = p gcd(y; (x + y)=2) and choose k; ` 2 ZZ such that ky + `(x + y)=2 = m then A = m(aZZ + b+2  ZZ) is the standard representation of A where a = jN( )j=m2 and b = ((kx + `(x + y)=2)=m; a):

p p p Proof: by (x+y )=2 and (x+y )(+ )=4 = ((x+y)+(x+ p p As a ZZ-module, A is generated y) )=4. Let A = pm(aZZ + b+2  ZZ) be the standard representation of A. Since m is the smallest positive coecient of =2 in A, we get m = gcd(y; (x + y)=2). We also know that N(A) = m2 a = jN( )j, hence a = jN( )j=(m2 ). Also, if ky + `(x + y)=2 = m then b = (kx + `(x + y)=2)=m; a). p

2.10 Proposition Letp A1 and A2 be ideals in O with the standard representations A1 = a1ZZ+ b1+2  ZZ

and A2 = a2ZZ + b2 +2  ZZ. Then A1 A2 can be computed in polynomial time. More precisely, if m = gcd(a1; a2; (b1p+ b2)=2), if j; k; ` 2 ZZ are integers such that ja1 + ka2 + `(b1 + b2)=2 = m then A1 A2 = m(a3 ZZ + b3+2  ZZ) is the standard representation of A1 A2 where a3 = a1 a2=(m2 ) and b3 = ((ja1 b2 + ka2 b1 + `(b1 b2 + )=2)=m; a3).

p p Proof: The ideal Ap3 = A1 A2 is generated over pZZ by a1 a2, a1(b2 + )=2, a2 (b1 + )=2 and

(b1 b2 + (b1 + b + 2)  + )=4. If m(a3 ZZ + b3 +2  ZZ) is the standard representation of A3 then we have m = gcd(a1 ; a2; (b1 + b2 )=2) and a3 = a1a2 =m2 . If ja1 + ka2 + `(b1 + b2 )=2 = m then b3 = ((ja1 b2 + ka2b1 + `(b1 b2 + )=2)=m; a3).

5

Next we discuss minima and reduced ideals. We let A be an invertible ideal of O. By Proposition 2.7 and Lemma 2.8 we can determine whether this is true and if it is not true we can easily modify O0 such that it becomes true. A minimum of A is an element 2 A such that (1) > 0 and there is no non zero 2 A with j (i) j < j (i)j for i = 1; 2. The fractional ideal A is called reduced if 1 is a minimum in A. Those notions allow a geometric interpretation. Consider the map K ! IR2 ; 7! = ( (1); (2)): (3) p Then the image A of A under this map is a two dimensional lattice in IR2 of determinant N(A) . For 2 A to be a minimum of A means that the open rectangle f(x; y) 2 IR2 : jxj < j (1)j; jyj < j (2)j is free of non zero lattice points. (2) c

c 6

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c c

c

c

c

c

c

c

c

c

c

c -

c

c

c

c

(1)

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

p

2.11 Lemma If A is reduced then its standard representation is of the form A = ZZ + b+2a ZZ, i.e. in

(2) we have m = 1 and a = d(A).

p Proof: Since 1 belongs to A we must have 1 = m(xa + yb + y )=d(A) with x; y 2 ZZ. This implies that y = 0 and mxa=d(A) = 1. Since A is reduced there is no element 2 A with H( ) < 1. Therefore we must have x = 1 and ma = d(A). But since m is a divisor of d(A) it follows from the minimality of d(A) that m = 1.

2.12 Corollary If A is reduced then N(A) = 1=d(A). p 2.13 Lemma Let ci 2 IR>0 with c1c2 > N(A) . Then there exists 2 A with j (i)j < ci for i = 1; 2. Proof: This is a special case of Minkowski's convex body theorem, see [8]. 6

p p 2.14 Lemma Let A = ZZ + b+2  ZZ be a reduced ideal in standard representation. Then a; jbj < . p Proof: Since 1 is a minimum in A it follows from Lemma 2.13 and Lemma 2.12 that 1  N(A)  = p

=d(A).

p

2.15 Proposition Let A be a fractional ideal of O andp let A = ZZ + b+2a ZZ be its standard representation. Then A is reduced if and only if b  0 and b +  > 2a. p p p Proof: Assume that A is reduced. If a >  then j(b+ )=(2a) p j < 1 and j(b ? )=(2a)pj < 1 which means that A is not reduced. Consequently, we must p p have a < . If b < 0 then ?2a +  < b < 0 which implies that jbj = ?pb < 2a ?  or jbj +  < 2a which also contradicts the fact that A is reduced. So b  0 and b +  > 2a. p Conversely, assume that b  0 and b +  > 2a. The fractional idealpA is reduced if and only if 1 is a minimum in A which, in p turn, is true if and only pif H(2xa + y(b +p ))  2a for pall x; y 2 ZZ with (x; y) = 6 (0; 0). pThen b +  > 2a implies that a < . Hence b ?  < 0 and b +  > 0 and thus H(2xa + y(b + ))  2jxja. If x = 6 0 that height clearly exceeds 2a. So let x = 0 and y = 6 0. Then the height takes its minimum value for y = 1 and for y = 1 the height exceeds 1. p

2.16 Corollary Let A bepa fractional ideal of O and let A = ZZ+ b+2a  ZZ be its standard representation. Then A is reduced if a  =2. p p p p Proof: If a  =2 then we have b > 0 and 2a ? b ?    ? b ?   0 which by Proposition 2.15 means that A is reduced.

2.17 Lemma If the extended Riemann hypothesis holds p then there is a constant 0 2 IR>0 such that for  > 0 the number of reduced ideals is at least =(3 ln).

Proof: It follows from a theorem of Oesterl p e [9] that there exists 0 2 IR>0 such that for every =2 such that  is a quadratic residue modulo p is at least  >  the number of odd primes p  p 0 =(3 ln). We show that for any such p there is a reduced ideal of denominator p. Let p be such a prime number and let b 2 ZZ, 0  b < p, with b2   modp. If b ?  is even then we also have b2   mod4p. Otherwise we replace b bypb ? p which then implies b2   mod4p. By Proposition 2.5 and Corollary 2.16 it follows that ZZ + b+2p  ZZ is a reduced ideal of denominator p. p

p

(A) = b+2a  and (A) = Assume that ZZ + b+2a  ZZ ist the standard representation of A. We de ne p (1= (A))A. Then the standard representation of (A) is ZZ +  (?b;c2c)+  where c = j ? b2j=(4a). We now prove that at most dlog ae + 1 applications of the reduction operator  yields a reduced ideal in the equivalence class of A. p

2.18 Proposition Let A = ZZ + b+2a  ZZ be the standard representation of A. Set A0 = A and for i > 0 set Ai = (1= (p Ai?1 )Ai?1. If Ai is not reduced, then d(Ai) < d(AiQ ?1)=2 and thus Ai is reduced ?1 (A ) is a minimum in for some i  dlog(a= )e + 1. Let k be the minimal such i. Then = kj =1 j A, Ak = (1= )A and H( )  1. p p Proof: For i  0 let ZZ + b +2a  ZZ be the standard representation of Ai. If ai?1 >  we have 2 2 jbi?1j < ai?1 which p implies that ai = j(bpi?1 ? )=(4ai?1)j < (ai?1p+ )=(4ai?1) < ai?1=2. This means that ai < p for some i  dlog(a= )e. Assume that ai < . If ai+1  ai it follows that  ? b2i  4a2i , hence + jbi j > 2ai and by Proposition 2.15 this implies that Ai is reduced. If ai+1 < ai i

i

7

p p then a2i+1 < ai ai+1 = aij(b2i ? )=(4ai)j = ( ? b2i )=4. Thus ai+1 < ( ? b2i )=2 < =2. But then Corollary 2.16 implies that Ai+1 is reduced. Now we prove the assertions concerning . Clearly, Ak = (1= )A and p since Ak is reducedpit follows that is a minimum in A. As long as Ai is not reduced, we have H((bi + )=(2ai)) = (jbij + )=(2ai) < 1 which implies that H( ) < 1.

2.19 Corollary There is a polynomial time algorithm that on input of the fractional ideal A of O computes a reduced ideal B in the equivalence class of A and also a minimum in A with H( )  N(A) and B = (1= )A.

2.20 Corollary The class group of O is nite. Proof: It follows from Corollary 2.19 that every ideal class of O contains a reduced ideal. By Proposition 2.15 and Lemma 2.14 the number of reduced ideals of O is nite. The right neighbor of a minimum in A is is the uniquely determined minimum of A with minimal (1) > (1). The left neighbor of a minimum in A is the uniquely determined minimum of A with minimal j (2)j > j (2)j. Again those two notions have a geometric interpretation. The right neighbor is characterized by the fact that belongs to A, > and the open rectangle f(x; y) : jxj < j (2)j; jyj < (1) g is free of non zero points of the lattice A. The left neighbor is characterized by the fact that belongs to A, < and the open rectangle f(x; y) : jxj < j (2)j; jyj < (1)g is free of non zero points of the lattice A. (2) 6

c

c

c

c

c

c

c

c

c

c

c c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c c

(1)

c

c

c

c

c

c

c

c

c

c c

c

c

c

c

c

c c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

c

If A is reduced, then the right neighbor of A is the reduced ideal (1= )A where is the right neighbor of 1 in A and the left neighbor of A is (1= )A where is the left neighbor of 1 in A. The following statement can be easily veri ed: 8

2.21 Lemma Let 2 K, > 0. Then the map A ! A, 7! is a bijection which maps minima to minima, right neighbors to right neighbors, and left neighbors to left neighbors. 2.22 Corollary The reduced ideals equivalent to A are exactly the ideals (1= )A where is a minimum

in A.

The following statement is immediate from the de nition of (A).

2.23 Lemma If A is reduced then (A) > 1 and ?1 < (A) < 0. 2.24 Proposition Let A = ZZ + (A)ZZ be a reduced ideal of O. Then the right neighbor of 1 in A is

(A) and the right neighbor of A is (A).

Proof: Let r = x + y (A) be the right neighbor of 1 in A. Then it follows from Lemma 2.23 that y > 0 and x  0. Among all the candidates r is minimal for x = 0 and y = 1. Left neighbors can be determined using the following symmetry result: p

2.25 Proposition Let A = ZZ + b+2a be a reduced ideal in standard representation. Then A is a p

reduced ideal. The standard representation of A is ZZ +  (?b;a2a)+  ZZ. Moreover, let be a minimum in A with left neighbor . Then j j is a minimum in A with right neighbor . p

)+  For the left neighbors we also introduce symbols. If A is reduced then we set (A) = ? (?b;a 2a and (A) = (1=( ))A. Then (A) is the left neighbor of 1 in A and (A) is the left neighbor of A. We remark that when computing sequences of left neighbors of A it is practically useful do this via computing sequences of right neighbors of A.

2.26 Corollary The right and left neighbor of a minimum of A can be computed in polynomial time. Proof: Let be a minimum of A. We determine the reduced ideal B = (1= )A. Using Proposition

2.24 and Proposition 2.25 we nd the right neighbor r and the left neighbor l of 1 in B. Then l is the left neighbor of and r is the right neighbor of .

Let 0 be a minimum of A and for i 2 ZZ let i?1 be the left neighbor and i+1 the right neighbor of i . Also, let Ai = (1= i)A. Note that by Proposition 2.24 we have i+1 = i (Ai ) and Ai+1 = (Ai) for i 2 ZZ. The lattice points in the sequence ( i)i2ZZ lie on some sort of hyperbola as the next gure illustrates.

9

(2) 6

i c

i+1

(1)

p 2.27 Lemma We have 0 < log i ? log i?1  log  for i 2 ZZ.

Proof: It follows from Lemma 2.13 that p p (2) i= i?1 = j (1) i i?1j=jN( i?1)j  N(A) =jN( i?1)j  : 2.28 Lemma We have log i+1 ? log i?1  1 for i 2 ZZ. (2) (2) Proof: By Proposition 2.23 we have sign( (2) i ) = ? sign( i+1 ) for i 2 ZZ. This implies that sign( i?1) = (2) (2) (2) (1) (1) (1) (1) sign( (2) i+1 ). Therefore, we obtain j i+1 ? ai?1j < j i?1j. If i+1 = i?1 < 2 then we have i?1 < i+1 < (1) (1) (1) 2 (1) i?1 which implies that 0 < i+1 ? i?1 < i?1. This contradicts the minimality of i?1.

2.29 Lemma The sequence ( i )i2ZZ contains all the minima of A and the elements of that sequence are pairwise distinct.

Proof: The elements of ( i)i2ZZ must be pairwise distinct because the sequence ( i)i2ZZ is strictly increasing. More precisely, it follows from Lemma 2.28 that limi!1 i = 1 and limi!?1 i = ?1. Let be any minimum of A. Let i 2 ZZ with i  (1) < i+1. We claim that = i. Otherwise we (2) (2) must have (1) > (1) i and since is a minimum j j < j i j which would contradict the minimality of (1) i+1.

2.30 Theorem

1. The sequence (Ai )i2ZZ is periodic, i.e. there is k 2 ZZ>0 such that Ai = Aj , if and only if i  j modk for any i; j 2 ZZ. The number k is called the period length of the sequence of reduced ideals equivalent to A, we write k = k(A). 2. The set of reduced ideals equivalent to A is fAi : 0  i < kg. 3. Let  = k = 0. Then  is a unit of O, every unit of O is, up to sign change, a power of  and for every i; l 2 ZZ we have lk+i = i = l .

10

Proof: By Corollary 2.20 the number of reduced ideals in the equivalence class of A is nite. Hence there is i; k 2 ZZ such that Ai = Ai+k . This implies that i A = i+k A, so  = i+k = i both  and 1= belong to the ring of multipliers of A which by assumption is O. Thus  is a unit in O. It follows from Lemma 2.21 that s+lk = l s for every s; l 2 ZZ and thus As = At for every s; t 2 ZZ with s  t modk. Choose k minimal with A0 = Ak . Then the Aj , 0  j < k, are pairwise distinct and as a consequence of Corollary 2.22 and Lemma 2.29 any reduced ideal is equal to one of the Aj . Let  be any unit in O. We show that  = sl with s = 1 and l 2 ZZ. Without loss of generality we assume that (1) > 0. Then it follows from Lemma 2.29 that =  0 = j with j 2 ZZ. Since Aj = A0 we must have j = lk with l 2 ZZ>0 and therefore  0 = lk = l 0 which implies that  = l . 2.31 Corollary If k(A) = 1 then log i ? log i?1  1=2 for i 2 ZZ. Theorem 2.30 shows that the factor group O = < ?1 > is an in nite cyclic group. The unit  with  > 1 whose canonical image is a generator of that group is called the fundamental unit of O. The regulator R = j lnj is an invariant of O. Theorem 2.30 also shows that the nite sequence of reduced ideals can be viewed as lying on a circle with circumpherence R. Reduced ideals that are neighbors are also neighbors on the circle. The distance between some reduced ideal A and its right neighbor (A) is log (A). A

(A)

h

h

h

h h h

h

h h 





h

log (A) 

h

h

h

h

h

h

h

h h

h h

h

h

h h

h

h

h h

p 2.32 Lemma For m 2 ZZ, n 2 ZZ>0 we have bn=2c  log m+n ? log m  n log .

Proof: This statement is an immediate consequence of Lemma 2.28 and Lemma 2.27. 2.33 Lemma We have 2R= ln  k(A)  2R= ln2. Proof: Let k = k(A) We have R = ln k ? ln 0. Hence the rst assertion follows immediately from Lemma 2.32. It also follows from that Lemma that for every m 2 ZZ>0 we have (ln 2)(mk ? 1)=2  b(ln 2)mk=2c  mR. This implies the second assertion. 2.34 Corollary We have R  ln 2=2. 11

3 Sizes We assume that integers are represented in binary. The binary length of a rational integer z 6= 0 is size(z) = blog jz jc + 2 where log denotes the logarithm to base 2. The extra bit encodespthe sign of z. We also set size(0) = 2. The binary length of the standard representation = (x + y )=2 of a numberQ 2 O is size?s( ) = size(x) +Psize(y) + size(). The binary length of a compact representation = ki=1 ( i =di)2 is sizes ( ) + ki=1 (sizes ( i) + size(di )) + size(). We de ne sizec ( ) to be the maximum of that quantity taken over all compact representations. k i

3.1 Lemma For 2 O, 6= 0, we have log H( )  sizes( )  2 log H( ) + log  + 8. p p Proof: Let = (xp + y )=2 be the standard representation of . Since H( ) = (jxj + jyj )=2, it follows that jxj; jyj   2H( ) which p implies that size(x)+size(y)+size()  2 logH( )+log +8. It also follows that jxj  H( ) or jyj   H( ) which implies that size(x) + size(y) + size()  log H( ). 3.2 Corollary For 2 O we have sizec ( )  2 log jN( )j+2 log+10+(loglog H( )+2)((13 log)=2+

10).

p 3.3 Lemma We have hR   ln.

Proof: For the proof see [7]. 3.4 Corollary For the fundamental unit  of O we have sizec () = O((log )2). 3.5 Lemma Assume that the p extended Riemann hypothesis holds. Then there is 0 2 IR>0 such that for  > 0 we have hR  =(6 log) where R is the regulator and h is the class number of O. Proof: P For 1 pj  h let kj be the period length of the jth ideal class. Then it follows from Lemma 2.17 that hj=1 kj  =(3 ln) for  >p0. On the other hand we have by Lemma 2.33 that kj  R= ln2 for 1  j  h. Hence we have hR  =(6 log) which implies the assertion. 3.6 Corollary Assume that the extended p Riemann hypothesis holds. Then there is 0 2 IR>0 such that for every  > 0 we have sizes () > =(9h log) where  is the fundamental unit and h is the class number of O. p 3.7 Lemma For any principal ideal A in O there is a generator of A with log H( )  maxf  log; log N(A)g. Proof: Let be a generator of A with (1)  1 and let  be a fundamental unit of O with log(1) = R. Let k 2 ZZ such that 0  log (1) p + k log (1) < R. Then = k(2)is a generator of A and we have by (1) Lemma 3.3 0  log < R  log . This implies that log j j  log N(A). 3.8 Corollary For any principal ideal A in O there is a generator of A with sizec ( ) = O(log jN( )j)+ (log )2).

12

4 Determining compact representations Let c be a complex number and let q 2 ZZ>0 . An approximation of precision q to c is a number c^ 2 2?q+1 ZZ such that jc ? ^cj < 2?q . In this section we prove the following theorem:

4.1 Theorem There is a polynomial time algorithm that for any 2 O, 6= 0, on input of sign( ), an approximation a of precision 4 to log j j and of the ideal O computes a compact representation of . Let 2 O, > 0 and assume that a is an approximation of precision 4 to log . Compute a minimum

2 O with H( )  jN( )j. Set  = = . Then  is a minimum of O and (1)  1 or (2)  1. We assume that (1)  1. If (1) < 1 then one can use the procedure described below to nd a compact representation for (2) from which we immediately obtain a compact representation for . We also compute an approximation c of precision 4 to log and set r = c ? a, A = ( = )O. Then r is an approximation of precision 3 to log . Since 1= generates the reduced ideal A and since satis es the conditions of De nition 1.1 we have reduced the problem of nding a compact representation for to nding a compact representation for 1=. The quantity r = log can be viewed as the distance between those reduced ideals. That distance is uniquely determined up to integer multiples of the regulator R. 1O 

O log  

-

We let k := minfj 2 ZZ>0 : r=2j  (log )=4 + 1=4g and sj := r=2k?j , 0  j  k. s0

sk?2

r 

sk

sk?1 -

For 0  j  k we compute a pair (Aj ; rj ) where Aj = (1=j )A is a reduced principal ideal of O, rj is an approximation to log j and rj is close to sj , i.e. jrj ? sj j < (log  + 1)=4 for 0  j  k ? 1 and jrk ? rj < 1=4. We choose A0 = O and r0 = 0 and we will have Ak = A. s0

sk?2

sk?1

sk

r0

rk?2

rk?1

rk

A0

Ak?2

Ak?1

Ak

For 1  j  k we will alsoQhave Aj = ( j =dj )A2j ?1 with j 2 O and dj 2 ZZ>0 as speci ed in De nition 1.1. Moreover, if j = ji=1(di = i) then it is easy to verify that Aj = (1=j )O and we will have jrj ? log j j 0:8. Since k = maxf0; dlog(r=)eg we have k = 0 for r  0:8 So assume that r > 0:8. Then log > 0:6 and (log + 1=16)=0:8 < 1:5 log. We also have 14

4.2 Algorithm k := minfj 2 ZZ>0 : r=2j  (log)=4 + 1=4g; FOR 0  j  k sj := r=2k?j 0 := 1; r0 := 0; d0 := 1; A0 := O FOR 1  j  k ? 1 Bj = (Aj ?1)2; Compute minimum j in Bj with H( j )  N(Bj ). Compute approximation bj to log j of precision 2(k ? j) + 4. rj := 2rj ?1 + bj WHILE rj ? sj  ?(log  + 1)=4 replace j by its right neighbor and bj by an approximation of precision 2(k ? j) + 4 to log j ; rj := 2rj ?1 + bj WHILE rj ? sj  (log  + 1)=4 replace j by its left neighbor and bj by an approximation of precision 2(k ? j) + 4 to log j ; rj := 2rj ?1 + bj Aj := (1= j )Bj ; dj := d(Aj ); j := dj = j Bk := (Ak?1)2 Compute minimum k in Bk with H( k )  N(Bk ). Compute approximation bk to log k of precision 4; rk := 2rk?1 + bk ; Ak := (1= k )Bk ; WHILE rk ? r  ?1=4 or Ak 6= A replace k by its right neighbor and bk by an approximation of precision 4 to log k ; rj := 2rj ?1 + bj ; Ak := (1= k )Bk WHILE rk ? r  1=4 or Ak 6= A replace k by its left neighbor and bk by an approximation of precision 4 to log k ; rk := 2rk?1 + bk ; Ak := (1= k )Bk dk := d(Ak ); k := dk = k

15

(1) (2) (3) (4) (5) (6)

(7) (8) (9) (10) (11) (12)

(13) (14) (15) (16) (17)

H()  H( )H( )=jN( )j  H( ). This implies k  log(r=) + 1  log((log + 1=16)=0:8) + 1  log(1:5 log) + 1  log logH( ) + 2: Let 0 = 1 and for 1  j  k de ne j = (j ?1 )2 j . Then we have for 0  j  k (ac) j =

j Y i=0

(dj = j )2 ? ; j

i

(4)

j is a minimum of O and Aj = (1=j )O.

4.4 Lemma For 0  j  k we have jrj ? log j j < 2?(2(k?j)+3). Proof: By de nition we have r0 = log 0 . Now suppose that the assertion is true for j ? 1. Then jrj ? logj j = j2rj ?1 + bj ? 2 logj ?1 ? log j j  2  2?(2(k?j +1)+3) + 2?(2(k?j )+4) = 2?(2(k?j )+3):

4.5 Lemma For 1  j  k Algorithm 4.2 enters at most one of the while loops and terminates after nitely many steps. At the end we have k = .

Proof: Let j  k ? 1. It follows from Lemma 2.27 that there exists a minimum  with jsj ? log j  (log )=4. If rj ? sj < ?(log )=4 ? 1=4 then by Lemma 4.4 we have logj ? sj < (log )=4. Hence,  belongs to the sequence of right neighbors of j . This implies that in the rst while loop we will nd a value of rj such that the conditions of both while loops are violated. If rj ? sj > (log)=4 + 1=4 then the existence of  guarantees that in the second while loop we will nd a value of rj such that the conditions of the rst two while loops are violated. To prove the assertion for j = k we note that j log ? rj < 1=8 which implies that either in the third or in the fourth while loop we will nd a value of rk and Ak such that both conditions of the third and the fourth while loop are violated. By Lemma 2.28 this can only happen if k =  or if k is a neighbor of . If  and k are neighbors then it follows from Theorem 2.30 and from the fact that the second condition in the while loops is violated that there is exactly one reduced ideal in the equivalence class of A. Hence, by Lemma 2.31 we have j log ? logk j  1=2. But this contradicts the fact that the rst condition in both while loops is violated. This means that k = . 4.6 Lemma For 1  j  k we always have d(Bj )  , j log j j  3 log=2, H( j )  2, and H(1= j )  2 . Proof: Since d(Bj ) divides d(Aj?1)2 for 1  j  k, the rst assertion holds.

Suppose that we are in step j of the loop. Upon entering the while loop we have jN( j )j  N(Bj )  1= and H( j )   which implies that ? log  logbj  0. If the algorithm enters the rst or the third while loop then log j is increased and since 2sj ?1 = sj we have log j  bj + 1=4 = rj ? 2rj ?1 + 1=4 = 16

(rj ? sj ) ? 2(rj ?1 ? sj ?1 )+1=4. We also have jrj ? sj j < (log+1)=4 and jrj ?1 ? sj ?1 j < (log +1)=4. This implies that log j < 3 log=4 + 1 < 3 log=2. Analogously, one can show that we always have log j  ?3 log =2. It follows from the second that 1=  j j(1) j  . p The last two assertions follow from the fact p p assertion that N( j )  N(Bj )    and jN(1= j )j  N(Aj )  1= .

4.7 Lemma The running time of Algorithm 4.2 is polynomially bounded in log log H( ) and log. Proof: By Lemma 4.3 the number of iterations of the for loop is bounded by loglog H( ) + 2. As shown in the proof of Lemma 4.6 we have upon entering the while loops jrj ? sj j = j2(rj ?1 ? sj ?1 ) + bj j  (3 log )=2 + 3=4. Since by Lemma 2.28 after any two iterations of the while loop rj is increased (or decreased) by at least 1 ? 1=4, the number of iterations in the while loops is O(log ). By Lemma 2.18 the time for determining the rst j is polynomially bounded in log. Since by Lemma 4.6 d(Bj )   and H( j )  3=2 it follows that the binary length of the standard representation of all the j is polynomially bounded in log and thus the neighbors and the approximations can be computed in time polynomial in log .

4.8 Lemma For 0  j  k we have dj  jj1=2 and H( j )  5=2. Proof: The rst inequality follows from Lemma 2.14 the second one from Lemma 4.6.

?1( =d )2 ? belongs to O and its norm is d . 4.9 Lemma For 0  j  k the number j = j Qij=0 i i  j j

i

Proof: For 0  j  k we have j = j =j?1 = dj =j . Since dj is the denominator of the reduced ideal (1=j )O the assertion follows from Lemma 2.11.

5 Computing with compact representations The following theorems deal with the complexity of computations with numbers in O given in compact representation. By polynomial time we mean that the algorithm is polynomial in log  and in the binary length of the compact representations and the remaining input.

5.1 Theorem There is a polynomial time algorithm that given 2 O , 6= 0, in compact representation and q 2 ZZ>0 in unary representation computes an approximation of precision q to log j j. Proof: Let = Qkj=1 ( j =dj )2 ? be a compact representation of . Set 0 = 0=d0 and for 1  j  k k j

de ne j = j2?1 j =dj . Then = k . Determine an approximation b0 of precision 3k + q + 1 to 0 and for 1  j  k determine an approximation aj of precision 3(k ? j) ? 2 + q + 1 to log j and an approximation lj of precision 3(k ? j) ? 1 to log dj . Set compute bj = 2bj ?1 + aj ? lj . Then bj is an approximation of precision 3(k ? j) + q + 1 to log j for 1  j  k. Finally determine an approximation c of precision q + 1 to log j j and set a = bk + c. Then a is the approximation we were looking for. This process clearly takes polynomial time.

5.2 Corollary Given 2 O in standard representation, one can determine a compact representation of in polynomial time.

5.3 Theorem Given 2 O, 6= 0, in compact representation, the ideals O and (1= )O can be determined in polynomial time. 17

Proof: We use the notations of De nition 1.1. We start by computing A0 = ( 0 =d0)O. Then we determine recursively Aj = ( j =dj )(Aj ?1)2 for 1  j  k. Since j (Aj ?1)2 = j O, those ideals can be computed in polynomial time. Finally we calculate O = Ak . The ideal (1= )O can be determined similarly.

5.4 Theorem Given 2 O in compact representation sign( ) can be computed in polynomial time. Proof: Using the notations of De nition 1.1 we see that sign( ) = sign( ) sign( 0) which clearly can be computed in polnomial time. 5.5 Theorem Given 2 O in compact representation the norm of can be determined in polynomial

time.

Proof: Using the notations of De nition 1.1 we see that N( ) = N( )=dk . 5.6 Theorem Given ; 2 O in compact representation. Then a compact representation of the product can be computed in polynomial time. Proof: From an approximation a to log j j and b to log j j of precision 5 which by Theorem 5.1 can be computed in polynomial time we can determine the approximation a + b of precision 4 to log j j. By

Theorem 5.4 we can also nd sign( ) in polynomial time. So by Theorem 4.1 we can nd a compact representation for in polynomial time.

p 5.7 Theorem Let 2 O and let = (x + y )=2 be the standard representation of . Then given a compact representation of and n 2 ZZ>0 the values x modn and y modn can be determined in polynomial time.

2(k?j )+1 Qk d2j and Proof: We use the notations of De nition 1.1. For 1  j  k let D = 2 j i=j p p let j = (xj + yj )=2 and = (u + v )=2 be the standard representations. We start by determining x0 modD0 n and y0 modD0 n. Now suppose p 2 that i  1 and we know2xi?1 modDi?1n and 2

yi?1 modDi?1 n. Since 4di?1 i = (xi?1 + yi?1 ) i we can determine 4di?1xi modDi?1 n and 2 4d2i?1yi modDi?1n and thus we can nd p xi modDi n and yi modDi n. So we have nally xk mod2dk n 2 and yk mod2dk n. Since = (xk +yk )=2dk this implies that we can determine x modn and y modn. The numbers involved never exceed maxfC( j ) : 0  j  kg [ fC( )g [ f22k+1D0 ng. Their binary length is polynomially bounded in the length of the input. Since we only perform elementary operations with rational integers, the algorithm takes polynomial time.

5.8 Theorem Given 2 O, 6= 0, in compact representation we can compute the denominator d(1= ) and a compact representation of d(1= )= in polynomial time.

Proof: The denominator d of 1= is the denominator of (1= )O which by Theorem 5.3 can be determined in polynomial time. Since log j(d= )j = log d ? log j j, and since sign(d= ) = sign( ) the assertion follows from Theorem 5.1 and Theorem 4.1. 5.9 Theorem Given ; in compact representation with 6= 0 we can in polynomial time decide whether divides in O and if the decision is positive, we can in polynomial time determine a compact representation of = .

18

Proof: We compute d = d(1= ) and a compact representation for 1 = d= which is possible by Theorem 5.8. It follows from Lemma 2.4 that jN( 1)j  jN( )j and H( 1)  H( ). Therefore, by Theorem 5.6 the computation of a compact representation of 2 = 1 is possible in polynomial time in the size of the 1). p p original input data. Also we have jN( 2)j = jN( )N( 1)j and H( 2)  H( )H( Let 2 = (x+y )=2 be the standard representation of 2. Then we can write 2 = z +y +2  where z = (x ? y)=2. Clearly = belongs to O if d divides y and z which means that 2d divides x ? y. It therefore suces to determine x and y modulo 2d which by Theorem 5.7 is possible in polynomial time. If we have found that = belongs to O then we must only determine an approximation of precision 5 to log j 2=dj = log j 2j ? logd which by Theorem 5.1 is possible in polynomial time. Then by Theorem 4.1 we obtain a compact representation of = in polynomial time in the size of the original input data.

5.10 Theorem Given ; 2 O in compact representation, we can decide in polynomial time whether

or not = .

Proof: First we determine whether or not and are of the same norm and sign. If not they cannot be equal. By Theorem 5.5 and Theorem 5.4 this can be done in polynomial time. Then we nd out whether not divides in O. If so, we compute a compact representation of = = which by Theorem 5.9 can be done in polynomial time. Now is a unit of O and by Lemma 2.4 H( )  H( )H( ). We also determine an approximation c of precision 3 to log j j. By Theorem 5.1 this takes polynomial time. By Lemma 3.5 we have = 1 if and only if jcj < 1=8. 5.11 Theorem Given ; 2 O in compact representation, we can in polynomial time decide whether

or not j j > j j.

Proof: We have = 0 or = 0 if and only if one of the factors in one of the compact representations is zero. So without loss of generality we may assume that ; 6= 0. Let = d(1= ) = . Then jaj > j j if and only if j j > d(1= ). We determine approximations c of precision 1 to log j j and d to logd(1= ). By Theorems 5.8, 5.6, and 5.1 this is possible in polynomial time. If c > d+1 then log j j > log jd(1= )j and this means that j j > j j. Otherwise log j j < logd(1= ) + 2 = log(4d(1= )). In that case we compute approximations c of precision 1 to log j j and n to log jN( )j. This is possible by Theorem 5.5 and Theorem 5.1 since an application of the non trivial automorphism of O to the compact representation of

yields a compact representation of . If n?c < d?3=2 then jN( )= j < d(1= ) which implies that j j < j j. Otherwise c  3=2 + n ? d and therefore log j j < 3 + log jN( )j ? logd(1= ) = log(8jN( )j=d(1= )) or j j < 8jN( )j=d(1= ) = 8d(1= )jN( )=N( )j  8jN( )j. So we can either decide that j j > j j or we have H( ) < maxf4jN( )j;p8jN( )jg In the latter case we can determine in polynomial time the standard representation = (x + y )=2 and using that representation it is an easy matter to tell whether or not j j > d(1= ).

6 Principal ideal testing is in NP As an application of the results of the previous sections we solve inpthis section the following problem: Given a quadratic discriminant  and given an ideal A = aZZ + b+2  ZZ of O . Is there a short proof for the principality of A We rst give a more precise formulation of this question. Integers arep always given in binary. Then the set L = f(; a; b) 2 ZZ3 :  is a quadratic discriminant; aZZ + b+2  ZZ is a principal ideal in O g can be considered as a language over the alphabet  = f0; 1; @g. The symbol @ is used as a separator. The class of languages over  which in polynomial time are decided by a deterministic Turing machine is denoted by P. The class of languages over  which can in polynmial time be accepted by a non deterministic Turing machine is denoted by NP. 19

6.1 Theorem The language L belongs to the class NP.

p p Proof: Let (; a; b) 2 L. Let be a generator of A = aZZ+ b+2  ZZ with log H( )  maxf (log)2 ; N(A)g.

By Lemma 3.7 such a generator exists. A compact representation of as in equality (4) and Lemma 4.8 is a proof for the principality of A which by Theorem 5.3 can be veri ed in polynomial time.

References [1] J. Buchmann, H. C. Williams, On the existence of a short proof for the value of the class number and regulator of a real quadratic eld, Number Theory and Applications, Nato ASI Series, Kluwer Academic Press, 1989, 327-345. [2] H. Cohen, A Course in Computational algebraic number theory, Springer Verlag, to appear. [3] H. Cohen, H. W. Lenstra, Heuristics on class groups of number elds, Number Theory (Noordwijkerhout, 1983), Lecture Notes in Math. Vol. 1068, Springer-Verlag, Berlin and New York, 1984, 33-62. [4] G. W. Fung, H. C. Williams, Compact Representation of the Fundamental Unit in a Complex Cubic Field, unpublished manuscript, 1991. [5] J. C. Lagarias, Succinct certi cates for the solvability of binary quadratic polynomials, Proc. 20th IEEE Conference on Foundations of Computer Science, 1979, 47-54. [6] H. W. Lenstra, On the computation of regulators and class numbers of quadratic elds, Lond. Math. Soc. Lect. Note Ser. 56 (1982), 123-150. [7] W. Narkiewiecz, Elementary and Analytic Theory of Algebraic Numbers , Polish Scienti c Publishers, Warszawa, 1974, 400-401. [8] J. Neukirch, Algebraische Zahlentheorie, Springer Verlag, Berlin, 1992, 33-34. [9] J. Oesterle, Versions e ectives du theoreme de Chebotarev sous l'hypothese de Riemann generalisee, Soc. Math. de France Asterisque 61 (1979), 165-167. [10] D. Shanks, The infrastructure of a real quadratic eld and its applications, Proc. 1972 Number Theory Conference, Boulder (1972), 217-224.

20