Notation 3.1. If G is a finite abelian group (written multiplicatively) and $M\geq 1$ , we write $G^M := \{x^M : x\in G\}$ for the subgroup of Mth powers in G.Footnote ¹¹

Proof. Pontryagin duality for finite abelian groups is an equivalence of categories, and therefore an exact functor. In simple terms, this implies that injections turn into surjections when switching to the dual, and vice versa. Hence, the Mth power map $G \twoheadrightarrow G^M$ , $g\mapsto g^M$ , induces an injection defined by

$$ \begin{align*} \iota(\chi)(g) := \chi\left(g^M\right) \end{align*} $$

for every $\chi \in \widehat {G^M}$ and $g\in G$ . Moreover, the restriction map $\widehat {G} \to \widehat {G^M}$ is surjective, using exactness of Pontryagin duality again. Thus, every $\chi \in \widehat {G^M}$ can be extended to a character $\widetilde {\chi }$ on G, and

$$ \begin{align*} \chi\left(g^M\right) = \widetilde{\chi}(g^M) = \widetilde{\chi}^M(g). \end{align*} $$

This implies that the image of $\iota $ is contained in $\widehat {G}^M$ . Since $\big \lvert \widehat {G^M}\big \rvert = \big \lvert {G^M}\big \rvert = \big \lvert \widehat {G}^M\big \rvert $ , the lemma follows.

Proof.

1. 1. For every prime p, since $K(p^{m_p})$ is a power of p dividing $\left |(\mathbb {Z}/N\mathbb {Z})^{\times }\right | = \phi (N)$ , we have

   $$ \begin{align*} \prod_{p} K(p^{m_p}) \mid \phi(N). \end{align*} $$

   By definition of $m_p$ , we know that $K(p^{m_p}) \geq p^{d m_p/10}$ for every p, and thus

   $$ \begin{align*} {M_*}^{d/10} = \prod_p p^{dm_p/10} \leq \prod_{p} K(p^{m_p}) \leq \phi(N) \leq N. \end{align*} $$

   Recalling that $d = \lceil \! \sqrt {\log N} \rceil $ , it follows that ${M_*} \leq e^{10d}$ .

2. 2. In any finite abelian group (written multiplicatively) and for any coprime integers a and b, there is an isomorphism

   $$ \begin{align*} \ker\!\big(g\mapsto g^{a}\big) \times \ker\!\big(g\mapsto g^{b}\big) \cong \ker\!\big(g\mapsto g^{ab}\big). \end{align*} $$

   Thus, if $h = \prod _{p} p^{e_p}$ is the prime factorisation of h, we see that $K({M_*}) = \prod _p K(p^{m_p})$ and $K({M_*} h) = \prod _{p} K(p^{m_p+e_p})$ , where all products are finite. Whenever $e_p\geq 1$ , we have

   $$ \begin{align*} K(p^{m_p+e_p}) < p^{d(m_p+e_p)/10},\quad K(p^{m_p}) \geq p^{dm_p/10} \end{align*} $$

   by definition of $m_p$ . Thus ${K(p^{m_p+e_p})}/{K(p^{m_p})} \leq p^{de_p/10}$ , and this last inequality also holds when $e_p = 0$ . We conclude that

   $$ \begin{align*} \frac{K({M_*} h)}{K({M_*})} = \prod_p \frac{K(p^{m_p+e_p})}{K(p^{m_p})} \leq \prod_p p^{de_p/10} = h^{d/10}. \end{align*} $$

   as claimed.

Proof. Let $f_h : G^{M_*} \to G^{M_*}$ be the hth power map, $f(\chi ) := \chi ^h$ . By assumption, the n distinct characters $\chi _1\chi _n^{-1}, \chi _2\chi _n^{-1}, \ldots , \chi _n\chi _n^{-1}$ lie in the kernel of f. Hence,

$$ \begin{align*} n \leq \big\lvert \!\ker(f)\big\rvert = \frac{|G^{M_*}|}{|(G^{M_*})^h|} = \frac{|((\mathbb{Z}/N\mathbb{Z})^{\times})^{M_*}|}{|((\mathbb{Z}/N\mathbb{Z})^{\times})^{{M_*} h}|} = \frac{K({M_*} h)}{K({M_*})}, \end{align*} $$

which is $\leq h^{d/10}$ by Lemma 3.4.

Proof. By orthogonality of characters in the abelian group $G^M$ , we have

$$ \begin{align*} \mathbf{1}_{\prod_i b_i^{Me_i} \equiv 1 \,(\mathrm{mod}\, N)} = \frac{1}{\big\lvert \widehat{G^M}\big\rvert} \sum_{\psi \in \widehat{G^M}} \psi \left(\prod_{i=1}^d b_i^{Me_i}\right) = \frac{1}{\big\lvert \widehat{G^M}\big\rvert} \sum_{\psi \in \widehat{G^M}} \prod_{i=1}^d \psi \big( b_i^{Me_i}\big). \end{align*} $$

Observe that $\psi \big ( b_i^{Me_i}\big ) = \iota (\psi ) (b_i^{e_i})$ , where $\iota $ is the isomorphism $\widehat {G^M} \xrightarrow {\sim } \widehat {G}^M$ defined in Lemma 3.2. We may thus rewrite this equality as

$$ \begin{align*} \mathbf{1}_{\prod_i b_i^{Me_i} \equiv 1 \,(\mathrm{mod}\, N)} = \frac{1}{\big\lvert \widehat{G}^M\big\rvert} \sum_{\chi \in \widehat{G}^M} \prod_{i=1}^d \chi \big( b_i^{e_i}\big). \end{align*} $$

Therefore, the number of vectors $(e_1, \ldots , e_d)\in \mathbb {Z}^d \cap [-H,H]^d$ such that $\prod _{i=1}^d b_i^{Me_i} \equiv 1 \ \pmod N$ is

$$ \begin{align*} \sum_{\substack{(e_1, \ldots, e_d)\in \mathbb{Z}^d \\ \max_i |e_i|\leq H}} \mathbf{1}_{\prod_i {\mathbf{b}}_i^{Me_i} \equiv 1~(N)} = \frac{1}{\big\lvert \widehat{G}^M\big\rvert} \sum_{\chi \in \widehat{G}^M} \sum_{\substack{(e_1, \ldots, e_d)\in \mathbb{Z}^d \\ \max_i |e_i|\leq H}} \prod_{i=1}^d \chi^{e_i} (b_i) = \frac{1}{\big\lvert \widehat{G}^M\big\rvert} \sum_{\chi \in \widehat{G}^M} F_{\chi,H}(b_1, \ldots, b_d) \end{align*} $$

as claimed.

Proof. Define

$$ \begin{align*} \left\langle b_1, \ldots, b_d\right\rangle^{\perp} := \{\chi \in \widehat{G} \ :\ \forall i\in [d],\,\chi(b_i)=1 \}. \end{align*} $$

Observe that

(11) $$ \begin{align} \big\lvert \left\langle b_1, \ldots, b_d\right\rangle^{\perp} \cap \widehat{G}^M \big\rvert = \big\lvert \big\{\chi\in \widehat{G^M} \ :\ \forall i\in [d], \,\chi\big(b_i^M\big)=1 \big\}\big\rvert = \frac{\big\lvert {G^M}\big\rvert}{\big\lvert\left\langle b_1^M, \ldots, b_d^M\right\rangle\big\rvert} \end{align} $$

where the first equality follows from Lemma 3.2 and the second from the canonical isomorphism $H_1^{\perp } \cong \widehat {G_1/H_1}$ for any subgroup $H_1$ of a finite abelian group $G_1$ .

Clearly, if $\chi \in \left \langle b_1, \ldots , b_d\right \rangle ^{\perp }\cap \widehat {G}^M$ , we have $F_{\chi ,H}(\underline {b}) = (2H+1)^d$ . Hence, by (11), those characters contribute

$$ \begin{align*} \frac{1}{\big\lvert \widehat{G}^M\big\rvert} \sum_{\chi \in \left\langle b_1, \ldots, b_d\right\rangle^{\perp} \cap \widehat{G}^M} F_{\chi,H}(\underline{b}) = \frac{(2H+1)^d}{\big\lvert\left\langle b_1^M, \ldots, b_d^M\right\rangle\big\rvert} \end{align*} $$

to the sum (10).

For any character $\chi \in \widehat {G}^{M}\setminus \left \langle b_1, \ldots , b_d\right \rangle ^{\perp }$ of order $\leq e^{10d}$ , and any $i\in [d]$ such that $\chi (b_i) \neq 1$ , we can bound

$$ \begin{align*} \left|\sum_{|h| \leq H} \chi(b_i)^h\right| \leq \mathrm{ord}(\chi) \leq e^{10d} \end{align*} $$

by the geometric series formula. Thus, defining

$$ \begin{align*} I_{\chi} := \{i \in [d] : \chi(b_i) \neq 1\}, \end{align*} $$

we have

$$ \begin{align*} \left|F_{\chi,H}(\underline{b})\right| \leq e^{10d\left|I_{\chi}\right|} (2H+1)^{d - \left|I_{\chi}\right|}. \end{align*} $$

Consequently,

(12) $$ \begin{align} \sum_{\substack{\chi \in \widehat{G}^{M}\setminus \left\langle b_1, \ldots, b_d\right\rangle^{\perp}\\ \mathrm{ord}(\chi) \leq e^{10d}}} \left|F_{\chi,H}(\underline{b})\right| \ll \sum_{\substack{I \subset [d]\\ I\neq \emptyset}} e^{10d\left|I\right|} (2H+1)^{d - \left|I\right|} \sum_{\substack{\chi \in \widehat{G}^M\\ \mathrm{ord}(\chi) \leq e^{10d}\\ I_{\chi} = I}} 1. \end{align} $$

Fix some nonempty set $I \subset [d]$ and complex numbers $(z_i)_{i\in I}$ . Let $C_{I, (z_i)}$ be the set of all characters $\chi \in \widehat {G}^M$ such that

$$ \begin{align*} \chi(b_i) = \begin{cases} z_i & \text{if }i\in I \\ 1 & \text{if }i\in [d]\setminus I. \end{cases} \end{align*} $$

Note that $C_{I, (z_i)}$ is either the empty set, or a coset of $\left \langle b_1, \ldots , b_d\right \rangle ^{\perp } \cap \widehat {G}^M$ in $\widehat {G}^M$ . Moreover, if $\chi $ has order at most $e^{10d}$ , this set $C_{I, (z_i)}$ can only be nonempty if all $z_i$ are roots of unity of order $\leq e^{10d}$ , and there are $\leq e^{20d}$ such roots of unity. We conclude that

$$ \begin{align*} \sum_{\substack{\chi \in \widehat{G}^M\\ \mathrm{ord}(\chi) \leq e^{10d}\\ I_{\chi} = I}} 1 \leq \sum_{(z_i)_{i\in I}} \left|C_{I, (z_i)}\right|\leq e^{20d|I|} \big\lvert \left\langle b_1, \ldots, b_d\right\rangle^{\perp} \cap \widehat{G}^M \big\rvert. \end{align*} $$

Thus, we can bound the right-hand side of (12) by

$$ \begin{align*} \ll (2H+1)^{d} \big\lvert \left\langle b_1, \ldots, b_d\right\rangle^{\perp} \cap \widehat{G}^M \big\rvert \sum_{\substack{I \subset [d]\\ I\neq \emptyset}} \big(e^{30d} H^{-1}\big)^{\left|I\right|} \ll (2H+1)^{d} \big\lvert \left\langle b_1, \ldots, b_d\right\rangle^{\perp} \cap \widehat{G}^M \big\rvert 2^{d}e^{30d}H^{-1} \end{align*} $$

where we used that $H\geq e^{30d}$ in the last step. By (11), this means that

$$ \begin{align*} \frac{1}{\big\lvert \widehat{G}^M\big\rvert}\sum_{\substack{\chi \in \widehat{G}^{M}\setminus \left\langle b_1, \ldots, b_d\right\rangle^{\perp}\\ \mathrm{ord}(\chi) \leq e^{10d}}} \left|F_{\chi,H}(\underline{b})\right|\ll e^{31d}H^{-1} \frac{(2H+1)^d}{\big\lvert\left\langle b_1^M, \ldots, b_d^M\right\rangle\big\rvert}, \end{align*} $$

which completes the proof.

Proof. This is [Reference Jutila11, Theorem 1 (1.7)].

Proof. By Proposition 3.10 (the zero-density estimate), the number of Dirichlet characters modulo N whose associated L-function has a zero in the region

(13) $$ \begin{align} \left\{s\in \mathbb{C}\ : \ {1-\frac{1}{10d}}< \Re{s} \leq 1,\ \left|\Im{s}\right| \leq {X}\right\} \end{align} $$

is bounded by

(14) $$ \begin{align} \ll (NX)^{(2+1)/(10d)}\ll e^{d}. \end{align} $$

If a nonprincipal character $\psi $ modulo N has no zero in the region (13), then by Proposition 3.9 we have

(15) $$ \begin{align} \mathbb{E}\left[\psi({\mathbf{b}}_1)\right] \ll X^{-1/(10d)}(\log (NX))^3 \ll d^{-100} d^6 \ll d^{-94}. \end{align} $$

We now expand $\mathbb {E}\left [ |F_{\chi ,H}({\mathbf {b}}_1, \ldots , {\mathbf {b}}_d)|^2 \right ]$ as

$$ \begin{align*} \mathbb{E}\left[ \bigg\lvert \prod_{i=1}^d \sum_{|h|\leq H} \chi^h({\mathbf{b}}_i) \bigg\rvert^2 \right] & = \prod_{i=1}^d \mathbb{E}\left[\bigg\lvert\sum_{|h|\leq H} \chi^h({\mathbf{b}}_i)\bigg\rvert^2 \right] \\ & = \Bigg(\sum_{|h_1|\leq H} \sum_{|h_2|\leq H} \mathbb{E}\left[\chi^{h_1-h_2}({\mathbf{b}}_1)\right]\Bigg)^d \\ & \leq (2H+1)^d \Bigg(\sum_{|h|\leq 2H} \left|\mathbb{E}\left[\chi^h({\mathbf{b}}_1)\right]\right|\Bigg)^d. \end{align*} $$

We can use (15) to bound the term $\mathbb {E}\left [\chi ^h({\mathbf {b}}_1)\right ]$ , unless $\chi ^h$ is principal or $L(s, \chi ^h)$ has a zero in the region (13). By (14), the number of values of h with $|h|\leq 2H$ for which one of these two situations occurs is

$$ \begin{align*} \ll \left(1+\frac{H}{\mathrm{ord}(\chi)}\right) e^{d} \ll e^{-10d} e^{d}H \ll e^{-d}H. \end{align*} $$

By (15), we deduce that, for all but $O(e^{-d}H)$ values of $|h|\leq 2H$ , the bound $\mathbb {E}\left [\chi ^h({\mathbf {b}}_1)\right ]\ll d^{-94}$ holds. Hence

$$ \begin{align*} \mathbb{E}\left[ |F_{\chi,H}({\mathbf{b}}_1, \ldots, {\mathbf{b}}_d)|^2 \right] \leq (2H+1)^d \Big(O(e^{-d}H) + O(d^{-94}H)\Big)^d \ll e^{O(d)}d^{-94d} H^{2d} \ll d^{-10d} H^{2d}, \end{align*} $$

as desired.

Proof. As in the proof of Lemma 3.11, we have

(17) $$ \begin{align} \mathbb{E}\left[ |F_{\chi,H}({\mathbf{b}}_1, \ldots, {\mathbf{b}}_d)|^2 \right] = \mathbb{E}\left[ \bigg\lvert \prod_{i=1}^d \sum_{|h|\leq H} \chi^h({\mathbf{b}}_i) \bigg\rvert^2 \right] \leq (2H+1)^d \Bigg(\sum_{|h|\leq 2H} \left|\mathbb{E}\left[\chi^h({\mathbf{b}}_1)\right]\right|\Bigg)^d. \end{align} $$

Let $I_1$ be the set of all $-2H\leq h\leq 2H$ such that $\chi ^h$ is principal. Since $\chi $ has order $\geq e^{10d}$ , we have

$$ \begin{align*} |I_1| \ll 1+e^{-10d}H \ll e^{-10d}H. \end{align*} $$

Let $I_2$ be the set of all $-2H\leq h\leq 2H$ such that $L(s, \chi ^h)$ has a zero in the region (16). By contradiction, suppose that the conclusion of Lemma 3.12 does not hold. Then any sub-interval of $[-2H, 2H]$ of length $e^{3t}$ contains at most one element of $I_2$ . This implies that

$$ \begin{align*} \left|I_2\right| \ll 1+e^{-3t}H \ll e^{-3t}H. \end{align*} $$

Moreover, for any integer $h\in [-2H, 2H]\setminus (I_1\cup I_2)$ , the character $\chi ^h$ is nonprincipal and has no zero in the region (16), which by Proposition 3.9 implies that

$$ \begin{align*} \mathbb{E}\left[\chi^h({\mathbf{b}}_1)\right] \ll X^{-t/(100d)}(\log (NX))^3 \ll d^{-10t} d^6 \ll e^{-3t}. \end{align*} $$

Therefore, we can bound

$$ \begin{align*} \sum_{|h|\leq 2H} \left|\mathbb{E}\left[\chi^h({\mathbf{b}}_1)\right]\right| \ll |I_1| + |I_2| + e^{-3t}H \ll e^{-10d}H+e^{-3t}H \ll e^{-3t}H. \end{align*} $$

Hence, by (17) we get

$$ \begin{align*} \mathbb{E}\left[ |F_{\chi,H}({\mathbf{b}}_1, \ldots, {\mathbf{b}}_d)|^2 \right] \leq e^{O(d)}e^{-3td}H^{2d}, \end{align*} $$

which contradicts the assumption in the statement if $t_0$ is chosen to be sufficiently large.

Proof. If $t\geq 2d$ , the bound (18) is trivially satisfied as the right-hand side is $\gg N$ . We may thus assume that ${t_0 \leq t\leq 2d}$ , in which case Lemma 3.12 applies.

Let $E_t$ be the set of all characters $\psi $ modulo N such that $L(s, \psi )$ has a zero in the rectangle defined in (16). By Proposition 3.10, this set $E_t$ has size

(19) $$ \begin{align} \left|E_t\right| \ll (NX)^{(2+1/2)t/(100 d)}\ll e^{td/20}. \end{align} $$

For every $\chi \in \widehat {G}$ of order $\geq e^{10d}$ , if $\mathbb {E}\left [ |F_{\chi ,H}({\mathbf {b}}_1, \ldots , {\mathbf {b}}_d)|^2 \right ]> e^{-2td} H^{2d}$ then by Lemma 3.12 we can write

$$ \begin{align*} \chi^h = \psi_1 \overline{\psi_2} \end{align*} $$

for some integer $0< h < e^{3t}$ and some characters $\psi _1, \psi _2\in E_t$ . Hence, the left-hand side of (18) is

(20) $$ \begin{align} \leq \sum_{\psi_1,\psi_2\in E_t} \sum_{0 < h < e^{3t}} \left|\big\{ \chi\in \widehat{G}^M \ : \ \chi^h = \psi_1\overline{\psi_2}\big\}\right|. \end{align} $$

Since $\widehat {G}^{{M_*}}$ and $\widehat {G^{M_*}}$ are isomorphic, Lemma 3.5 implies that

(21) $$ \begin{align} \left|\big\{ \chi\in \widehat{G}^{M_*} \ : \ \chi^h = \psi_1\overline{\psi_2}\big\}\right| \leq h^{d/10}\leq e^{3td/10}. \end{align} $$

Inserting Eqs. (19) and(21) into (20), we conclude that the left-hand side of (18) is

$$ \begin{align*} \leq |E_t|^2 e^{3t} e^{3td/10} \leq e^{3t} e^{4td/10} \ll e^{td/2} \end{align*} $$

as claimed.

Proof. By Lemma 3.11, we know that $\mathbb {E}\left [ |F_{\chi ,H}(\underline {{\mathbf {b}}})|^2\right ]^{1/2} \leq C d^{-5d} H^d$ for all characters $\chi \in \widehat {G}$ of order $\geq e^{10d}$ , where $C>0$ is an absolute constant (as before, $\underline {{\mathbf {b}}}$ stands for ${\mathbf {b}}_1, \ldots , {\mathbf {b}}_d$ ). Therefore,

$$ \begin{align*} \sum_{\substack{\chi\in \widehat{G}^{{M_*}}\\ \mathrm{ord}(\chi) \geq e^{10d}}} \mathbb{E}\left[ |F_{\chi,H}(\underline{{\mathbf{b}}})|^2\right]^{1/2} \leq \sum_{m = m_0}^{+\infty}\sum_{\substack{\chi\in \widehat{G}^{{M_*}}\\ \mathrm{ord}(\chi) \geq e^{10d}}} e^{-m+1}H^d \mathbf{1}_{e^{-m} < \mathbb{E}\left[ |F_{\chi,H}(\underline{{\mathbf{b}}})|^2\right]^{1/2} H^{-d} \leq e^{-m+1}}(\chi) \end{align*} $$

where $m_0 := \lfloor 5d\log d - \log C + 1\rfloor $ . We may assume that $m_0 \geq \max (t_0d, 4d\log d)$ , since otherwise $d\ll 1$ and Proposition 3.14 is trivially satisfied (given that $|\widehat {G}^{M_*}| \leq N \ll 1$ when $d\ll 1$ ).

Applying Lemma 3.13 with $t := m/d$ , we obtain that for every $m \geq t_0d$ ,

$$ \begin{align*} \left| \left\{\chi\in \widehat{G}^{M_*} \ :\ \mathrm{ord}(\chi) \geq e^{10d},\ \mathbb{E}\left[ |F_{\chi,H}(\underline{{\mathbf{b}}})|^2\right]^{1/2}> e^{-m}H^{d}\right\} \right| \ll e^{m/2}. \end{align*} $$

Therefore,

$$ \begin{align*} \sum_{\substack{\chi\in \widehat{G}^{M_*}\\ \mathrm{ord}(\chi) \geq e^{10d}}} \mathbb{E}\left[ |F_{\chi,H}(\underline{{\mathbf{b}}})|^2\right]^{1/2} \ll \sum_{m = m_0}^{+\infty} e^{m/2} e^{-m+1} H^d \ll e^{-m_0/2} H^d \end{align*} $$

which is $O(d^{-2d} H^d)$ as $m_0 \geq 4d\log d$ .

Proof. Let $e_1, \ldots , e_d$ be the standard basis for $\mathbb {R}^d$ . Let $v\in \mathbb {R}^d$ be a unit vector orthogonal to V. Without loss of generality, since $\left \|v\right \|_2 = 1$ , we may assume that $\left \langle v, e_1\right \rangle \geq 1/\sqrt {d}$ .

Suppose that V intersects two unit cubes $C_i$ and $C_j$ where $C_i = C_j + ke_1$ for some integer $k \geq 0$ . Then, there is some $p\in C_i$ and some $w\in \mathbb {R}^d$ with $\left \|w\right \|_{\infty } \leq 1$ such that $p\in V$ and $p+ke_1+w\in V$ . Therefore, $ke_1+w \in V$ and thus $\left \langle ke_1+w,v\right \rangle = 0$ . Noting that

$$ \begin{align*} \left\langle ke_1+w, v\right\rangle \geq k \left\langle e_1, v\right\rangle - \left\|w\right\|_{2} \left\|v\right\|_{2} \geq \frac{k}{\sqrt{d}} - \sqrt{d}, \end{align*} $$

we deduce that $k\leq d$ .

We have thus proved that, for any cube $C_i$ , there are at most $d+1$ cubes of the form $C_i+ke_1$ for some $k\in \mathbb {Z}$ which intersect V. The lemma follows.

Proof. By contradiction, suppose that there exists a linear hyperplane V containing all the points $v\in \Lambda \cap [-H_1, H_1]^d$ .

Let $L = H_1/H_0$ . The large cube $[-H_1, H_1]^d$ can be covered by $(2L)^d$ axis-parallel cubes of side length $H_0$ in the natural way. By Lemma 3.15, we can bound

$$ \begin{align*} \left|\Lambda \cap [-H_1, H_1]^d\right| \leq (d+1) (2L)^{d-1} \sup_C~\left|\Lambda \cap C\right|, \end{align*} $$

where the supremum runs over all (not necessarily centred) axis-parallel cubes $C\subset \mathbb {R}^d$ of side length $H_0$ . If C is such a cube and $v\in \Lambda \cap C$ , then $C \subset v + [-H_0, H_0]^d$ , which implies that

$$ \begin{align*} \left|\Lambda \cap C\right| \leq \left|\Lambda \cap \big(v + [-H_0, H_0]^d\big)\right| = \left|\Lambda \cap [-H_0, H_0]^d\right|. \end{align*} $$

Thus,

$$ \begin{align*} \left|\Lambda \cap [-H_1, H_1]^d\right| \leq (d+1) (2L)^{d-1}\left|\Lambda \cap [-H_0, H_0]^d\right|. \end{align*} $$

Plugging in our lattice point estimate (22), we get

$$ \begin{align*} \theta_1 (2H_1+1)^{d} \leq (d+1) (2L)^{d-1} \theta_0 (2H_0+1)^{d}. \end{align*} $$

Using $2H_1+1 \geq 2LH_0$ and $d+1 \leq 2d$ , this implies that $L \leq \frac {\theta _0}{\theta _1} d \big (2+\frac {1}{H_0}\big )^d$ , contradicting the inequality in the statement of the lemma.

Proof. By assumption, there are linearly independent vectors $v_1, \ldots , v_d \in \Lambda _1 \cap [-H, H]^d$ . Then $Mv_1, \ldots , Mv_d$ are linearly independent vectors of $\Lambda _2$ such that $\max _{i\in [d]} \left \|Mv_i\right \|_2 \leq \sqrt {d} MH$ .

Let $B\subset \mathbb {R}^d$ be the unit ball for the Euclidean norm. Let ${0 < \lambda _1 \leq \cdots \leq \lambda _d}$ be the successive minimaFootnote ¹² of B with respect to $\Lambda _2$ . Since $Mv_1, \ldots , Mv_d \in \Lambda _2$ are linearly independent, we deduce from the above that $\lambda _d \leq \sqrt {d} MH$ .

By Mahler’s theorem (see [Reference Tao and Vu22, Theorem 3.34]), we conclude that $\Lambda _2$ admits a basis of vectors of Euclidean norm at most $d \lambda _d \leq d^{3/2}MH$ , which is what we needed to show.

Proof of Theorem 3.18.

Let $M := {M_*}(N)$ be the integer defined in Lemma 3.4. We introduce the auxiliary lattice

$$ \begin{align*} \mathcal{L}_{M} := \Big\{ (e_1, \ldots, e_d, f_1, \ldots, f_r) \in \mathbb{Z}^{d+r} \ : \ \prod_{i=1}^d {\mathbf{b}}_i^{M e_i} \prod_{i=1}^r \mathbf{x}_i^{M f_i} \equiv 1 \quad\pmod{N} \Big\}. \end{align*} $$

By Lemmas 3.7 and 3.8, we have the lattice point estimate

(23) $$ \begin{align} \left|\mathcal{L}_{M} \cap [-H, H]^{d+r}\right| = \frac{ \left(1 + O\left({e^{31(d+r)}}{H^{-1}}\right)\right) (2H+1)^{d+r} }{ \big\lvert\left\langle {\mathbf{b}}_1^{M}, \ldots, {\mathbf{b}}_d^{M}, \mathbf{x}_1^{M}, \ldots, \mathbf{x}_r^M \right\rangle\big\rvert } + \frac{1}{\big\lvert \widehat{G}^{M}\big\rvert} \!\!\!\!\sum_{\substack{\chi \in \widehat{G}^M\\ \mathrm{ord}(\chi) \geq e^{10d}}} \!\!\!\! \left|F_{\chi,H}(\underline{{\mathbf{b}}}, \underline{\mathbf{x}})\right| \end{align} $$

for every integer $H\geq e^{31(d+r)}$ , where

$$ \begin{align*} F_{\chi,H}(\underline{{\mathbf{b}}}, \underline{\mathbf{x}}) := F_{\chi, H}({\mathbf{b}}_1, \ldots, {\mathbf{b}}_d, \mathbf{x}_1, \ldots, \mathbf{x}_r) = \Bigg(\prod_{i=1}^d \sum_{|h|\leq H} \chi^h({\mathbf{b}}_i)\Bigg) \Bigg(\prod_{i=1}^r \sum_{|h|\leq H} \chi^h(\mathbf{x}_i)\Bigg). \end{align*} $$

Since the $\mathbf {x}_i$ have unknown distributions, we will use the trivial bound

$$ \begin{align*} \left|F_{\chi,H}(\underline{{\mathbf{b}}},\underline{\mathbf{x}})\right| \leq (2H+1)^r \left|F_{\chi,H}({\mathbf{b}}_1, \ldots, {\mathbf{b}}_d)\right|. \end{align*} $$

Applying Proposition 3.14, we deduce that, for all $H\geq e^{10d}$ ,

$$ \begin{align*} \sum_{\substack{\chi\in \widehat{G}^{{M_*}}\\ \mathrm{ord}(\chi) \geq e^{10d}}} \mathbb{E}\left[ |F_{\chi,H}(\underline{{\mathbf{b}}}, \underline{\mathbf{x}})|^2\right]^{1/2} \ll d^{-2d} (2H+1)^{d+r}. \end{align*} $$

By the $L^2$ triangle inequality and Chebyshev’s inequality, this implies that, for fixed $H\geq e^{10d}$ ,

(24) $$ \begin{align} \mathbb{P}\bigg({\sum_{\substack{\chi \in \widehat{G}^M\\ \mathrm{ord}(\chi) \geq e^{10d}}} \!\!\!\! \left|F_{\chi,H}(\underline{{\mathbf{b}}}, \underline{\mathbf{x}})\right|}> d^{-d}(2H+1)^{d+r}\bigg) \ll d^{-2d}. \end{align} $$

Let $H_0 := d \lceil e^{31(d+r)}\rceil $ and $H_1 := \lceil d (d+r) (5/2)^{d+r}\rceil H_0$ . We apply Eqs. (23) and (24) twice, once with $H = H_0$ and once with $H = H_1$ to obtain the following: with probability ${1+O\big (d^{-d}\big )}$ , the two estimates

$$ \begin{align*} \left|\mathcal{L}_{M} \cap [-H_0, H_0]^{d+r}\right| = \left(1 + O(1/d)\right) \frac{(2H_0+1)^{d+r}}{ \big\lvert\left\langle {\mathbf{b}}_1^{M}, \ldots, {\mathbf{b}}_d^{M}, \mathbf{x}_1^{M}, \ldots, \mathbf{x}_r^M \right\rangle\big\rvert} \end{align*} $$

and

$$ \begin{align*} \left|\mathcal{L}_{M} \cap [-H_1, H_1]^{d+r}\right| = \left(1 + O(1/d)\right) \frac{(2H_1+1)^{d+r}}{ \big\lvert\left\langle {\mathbf{b}}_1^{M}, \ldots, {\mathbf{b}}_d^{M}, \mathbf{x}_1^{M}, \ldots, \mathbf{x}_r^M \right\rangle\big\rvert} \end{align*} $$

simultaneously hold.

We now apply Lemma 3.16. By our choice of $H_0$ and $H_1$ , the inequality in the statement is satisfied provided that d is sufficiently large. We can assume that d is large enough as, for $d\ll 1$ , we have $N \ll 1$ and Theorem 3.18 is trivially true. Thus, Lemma 3.16 implies that ${\mathcal {L}_M \cap [-H_1, H_1]^{d+r}}$ contains $d+r$ linearly independent vectors, with probability ${1+O\big (d^{-d}\big )}$ . By Lemma 3.17, since $M\mathcal {L} \subset \mathcal {L}_M$ , we conclude that, with probability ${1+O\big (d^{-d}\big )}$ , $\mathcal {L}$ admits a basis of vectors of Euclidean norm at most

$$ \begin{align*} \ll d^{3/2} M H_1 \ll d^{3/2} e^{10d} d^2 (d+r) (5/2)^{d+r} e^{31(d+r)} \ll e^{42(d+r)} \end{align*} $$

using the bound $M \leq e^{10d}$ given by Lemma 3.4. This completes the proof.

Proof. This is similar to [Reference Regev18, p5] or [Reference Ragavan and Vaikuntanathan17, Lemma 12] but for general values of m. Without loss of generality, assume that d is a power of $2$ , say $d = 2^l$ . We proceed to compute this product in a binary tree fashion. Let $T(k)$ be the complexity of multiplying any k of these numbers $a_i^{t_i}$ modulo N. Note that $T(2k) \leq 2T(k) + O(M(mk))$ where $M(x)$ is the time needed to multiply two integers having at most x bits. By the work of Harvey and van der Hoeven [Reference Harvey and van der Hoeven10], it is known that $M(x) = O(x\log x)$ , which leads to the bound

$$ \begin{align*} T(d) \ll \sum_{j=0}^{l} 2^j M(md/2^{j+1}) \ll \sum_{j=0}^{l} md \log(md/2^{j+1}) \ll md (\log d) \log(md). \end{align*} $$

as claimed.

Proof. This well-known fact is explained in Section A.1 of the full version of [Reference Ragavan and Vaikuntanathan17].

Proof. Since N has $\ll \log N$ prime factors, and since the number of primes $\leq X$ is $\gg X/\log X$ , we have

$$ \begin{align*} \mathbb{P}\left(\mathbf{n}_1 \text{ is prime and }\mathbf{n}_1\nmid N\right) \geq \frac{c}{\log X} \end{align*} $$

for some absolute constant $c>0$ . Thus, if $E_i$ is the event that $\mathbf {n}_i$ is not prime or divides N, then by the union bound and independence,

$$ \begin{align*} \mathbb{P} \bigg(\bigcup_{\substack{I \subset [k]\\ |I|> k-d}} \bigcap_{i\in I} E_i\bigg) \leq \sum_{l< d} \binom{k}{l} \left(1-\frac{c}{\log X}\right)^{k-l} \leq dk^d e^{-c(k-d)/\log X} \ll e^{-d^2} \end{align*} $$

as needed.

Proof of Theorem 1.2.

Suppose we are given an integer $N>2$ and elements $g,y\in (\mathbb {Z}/N\mathbb {Z})^{\times }$ such that y lies in the subgroup generated by g in $ (\mathbb {Z}/N\mathbb {Z})^{\times }$ . Let $d := \lceil \!\sqrt {\log N} \rceil $ and $X := d^{10^3d}$ . Let ${\mathbf {b}}_1, \ldots , {\mathbf {b}}_d$ be i.i.d. random variables, each uniformly distributed in the set of primes $\leq X$ not dividing N.

Consider the random lattice

$$ \begin{align*} \mathcal{L}_{\underline{{\mathbf{b}}},g,y} := \Big\{(e_1, \ldots, e_d, f_1, f_2) \in \mathbb{Z}^{d+2} \ : \ \Bigg(\prod_{i=1}^d {\mathbf{b}}_i^{e_i}\Bigg) g^{f_1} y^{f_2} \equiv 1 \quad\pmod{N}\Big\}. \end{align*} $$

By Theorem 3.18, with probability $1 +O(d^{-d})$ , this lattice has a basis consisting of vectors of Euclidean norm $\ll e^{42d}$ .

Computing the discrete logarithm of y with respect to the base g reduces (with a polynomial-time classical algorithm) to computing a short basis for $\mathcal {L}_{\underline {{\mathbf {b}}},g,y}$ . To see why this is the case, suppose that we managed to compute a basis $v_1, \ldots , v_{d+2}$ for $\mathcal {L}_{\underline {{\mathbf {b}}},g,y}$ with $\max _i \left \|v_i\right \|_2 \ll e^{42d}$ . It is then easy to find a vector in $\mathcal {L}_{\underline {{\mathbf {b}}},g,y}$ of the form $(0, \ldots , 0, x, 1)$ for some integer x (note that such a vector exists since we assume that $y\in \left \langle g\right \rangle $ ). Indeed, this amounts to solving a linear system with integer coefficients. The complexity of solving an integer linear system is polynomial in the dimensions of the matrix and the number of bits of the coefficients, which are both $O(d)$ since $\max _i \left \|v_i\right \|_2 \ll e^{42d}$ (see [Reference Bareiss3]). This yields an integer x such that $g^x \equiv y \ \pmod {N}$ .

The algorithm for solving the discrete logarithm problem thus proceeds as follows.

1. 1. Generate d primes $b_1, \ldots , b_d$ independently and uniformly at random in the set of primes $\leq X$ not dividing N. To do this, it suffices to generate $d^4$ independent random integers $\leq X$ . By Lemma 4.3, the required conditions will be satisfied for at least d of those with probability $1+O(1/N)$ . This first step takes polynomial time on a classical computer using the AKS primality test [Reference Agrawal, Kayal and Saxena1].

2. 2. Use the procedure described by Ekerå and Gärtner [Reference Ekerå and Gärtner7] to obtain a basis for the lattice $\mathcal {L}_{\underline {b},g,y}$ . This involves making $O(d)$ calls to a quantum circuit, followed by polynomial-time classical postprocessing. This step is now guaranteed to succeed with probability $\Theta (1)$ , using the fact that $\mathcal {L}_{\underline {b},g,y}$ has a basis of vectors of Euclidean norm $\ll e^{42d}$ with probability $1 +O(d^{-d})$ (Theorem 3.18).

3. 3. Compute the discrete logarithm of y in classical polynomial time using this basis, as explained above.

It remains to analyse the gate and space costs of the quantum part of this algorithm.

The only modification needed to the analysis of the quantum circuit in [Reference Ekerå and Gärtner7] comes from the fact that $b_1, \ldots , b_d$ are not quite as small as in [Reference Ekerå and Gärtner7]. In [Reference Ekerå and Gärtner7] (and more generally in [Reference Ragavan and Vaikuntanathan17, Reference Regev18]), the primes $b_i$ are assumed to have $O(\log d)$ bits. In the present situation, we instead have the bound $b_i\leq X = d^{10^3d}$ , that is, each $b_i$ has $O(d\log d)$ bits.

The only place in [Reference Ekerå and Gärtner7] where the assumption on the size of the $b_i$ ’s is used is in [Reference Ekerå and Gärtner7, Lemma 3]. In turn, the only point in the proof of [Reference Ekerå and Gärtner7, Lemma 3] where this assumption is needed is when [Reference Ragavan and Vaikuntanathan17, Lemma 5] is invoked (as a black box). The proof of [Reference Ragavan and Vaikuntanathan17, Lemma 5] is given in [Reference Ragavan and Vaikuntanathan17, Section 5], and the size assumption on the $b_i$ ’s only comes up in [Reference Ragavan and Vaikuntanathan17, Lemma 12].

The result [Reference Ragavan and Vaikuntanathan17, Lemma 12] essentiallyFootnote ¹⁴ states that there is a quantum circuit using $O(d \log ^3d)$ gates and $O(d \log ^3d)$ qubits to perform the computation of $\prod _{i=1}^d a_i^{t_i}$ where $t_i\in \{0, 1\}$ and $a_i$ are integers on $O(\log d)$ bits. This is a special case of Lemma 4.1 (used together with Lemma 4.2) applied with $m = O(\log d)$ . In our case, we just apply Lemma 4.1 with $m = O(d\log d)$ , together with Lemma 4.2 to convert the classical circuit into a quantum one. This yields a quantum circuit having $O(d^2\log ^3 d)$ gates and $O(d^2\log ^3 d)$ qubits to compute $\prod _{i=1}^d b_i^{t_i}$ .

The number of gates of the quantum circuit [Reference Ragavan and Vaikuntanathan17, Lemma 5] is

$$ \begin{align*} O\big( d (n\log n + d\log^3 d) \big) = O(n^{3/2} \log n) \end{align*} $$

(because [Reference Ragavan and Vaikuntanathan17, Lemma 12] is used $O(d)$ times, see [Reference Ragavan and Vaikuntanathan17, Algorithm 5.2] and the surrounding explanations). Note that this is the same as for Regev’s algorithm (see [Reference Regev18, p5]). In our case, the number of gates is

$$ \begin{align*} O\big( d (n\log n + d^2\log^3 d) \big) = O(n^{3/2} \log^3 n). \end{align*} $$

The space optimisations of Ragavan and Vaikuntanathan keep the total number of qubits for their circuit [Reference Ragavan and Vaikuntanathan17, Lemma 5] under

$$ \begin{align*} O\big(n\log n + d\log^3 d\big) = O(n\log n), \end{align*} $$

due to the way the qubits are used and restored in the main loop of [Reference Ragavan and Vaikuntanathan17, Algorithm 5.2]. In our situation, the number of qubits is

$$ \begin{align*} O\big(n\log n + d^2\log^3 d\big) = O(n\log^3 n). \end{align*} $$

In summary, our final quantum circuit has $O(n^{3/2}\log ^3 n)$ gates and $O(n \log ^3 n)$ qubits. As noted in [Reference Ekerå and Gärtner7], the fact that the two elements g and y are not small (g and y can be as large as N, as opposed to the $b_i$ ’s) does not affect these complexity bounds.

Proof. This elementary number-theoretic fact is well-known – it was already needed for Shor’s algorithm [Reference Peter20]. See [Reference Nielsen and Chuang16, Appendix A4.3] for a detailed proof.

Proof of Theorem 1.1.

We can assume that N is odd and not a perfect prime power, as otherwise it is easy to factor N in polynomial time with a classical computer (see [Reference Nielsen and Chuang16, Exercise 5.17]).

Let $d := \lceil \!\sqrt {\log N} \rceil $ and $X := d^{10^3d}$ . The probabilistic algorithm to find a nontrivial divisor of N goes as follows.

1. 1. Generate d primes $b_1, \ldots , b_d$ independently and uniformly at random in the set of primes $\leq X$ not dividing N. Sample another integer x uniformly chosen in $(\mathbb {Z}/N\mathbb {Z})^{\times }$ . As in the proof of Theorem 1.2, this can be done classically in polynomial time with probability $1+O(1/N)$ .

2. 2. Use the algorithm of Ekerå and Gärtner [Reference Ekerå and Gärtner7] to obtain a basis for the lattice

   $$ \begin{align*} \mathcal{L}_{\underline{b},x} := \Big\{(e_1, \ldots, e_d, f) \in \mathbb{Z}^{d+1} \ : \ \Bigg(\prod_{i=1}^d b_i^{e_i}\Bigg) x^f \equiv 1 \quad\pmod{N}\Big\}. \end{align*} $$
   This involves making $O(d)$ calls to a quantum circuit, followed by polynomial-time classical postprocessing. By Theorem 3.18, $\mathcal {L}_{\underline {b},x}$ has a basis of vectors of Euclidean norm $\ll e^{42d}$ with probability $1 +O(d^{-d})$ , which means that this step is guaranteed to succeed with probability $\Theta (1)$ .

3. 3. Using the short basis for $\mathcal {L}_{\underline {b},x}$ computed in the previous step, find the vector of the form $(0, \ldots , 0, r)$ in $\mathcal {L}_{\underline {b},x}$ with $r\geq 1$ as small as possible. This involves solving a linear system with integer coefficients, which can be done efficiently as in the proof of Theorem 1.2. This integer r is the order of x in $(\mathbb {Z}/N\mathbb {Z})^{\times }$ . By Lemma 4.5, with probability $\geq 1/2$ , this order r will be even and the element $x^{r/2}$ will be a nontrivial square root of $1$ modulo N. Hence, N divides the product $(x^{r/2}-1)(x^{r/2}+1)$ but neither term individually, which implies that $\gcd (N,\, x^{r/2}-1 \!\!\mod {N})$ is a nontrivial divisor of N.

The analysis of this algorithm is identical to the corresponding part of the proof of Theorem 1.2.