On the evaluation of modular polynomials

Transcription

1 On the evaluation of modular polynomials Andrew V. Sutherland Massachusetts Institute of Technology ANTS X July 10, drew 1 / 16

2 Introduction Let l be a prime and let F q be a finite field (assume q is prime). Problem: Given an elliptic curve E/F q, identify any and all curves E /F q that are l-isogenous to E. This problem arises in many applications, and it is often the computationally dominant step. 2 / 16

3 Introduction Let l be a prime and let F q be a finite field (assume q is prime). Problem: Given an elliptic curve E/F q, identify any and all curves E /F q that are l-isogenous to E. This problem arises in many applications, and it is often the computationally dominant step. Solution: Compute the polynomial φ l (Y) = Φ l (j(e), Y), and find its roots in F q. Here Φ l Z[X, Y] is the classical modular polynomial that parameterizes pairs of l-isogenous elliptic curves. If l is at all large, say l = Ω(log q), the hard part is computing φ l. Finding its roots is easy by comparison. 2 / 16

4 The Modular Polynomial Φ l (X, Y) Φ l Z[X, Y] is symmetric, with degree l + 1 in both X and Y. Its total size is O(l 3 log l) bits. l coefficients largest average total kb 5.3kb 5.5MB kb 12kb 48MB kb 27kb 431MB kb 60kb 3.9GB kb 132kb 33GB kb 208kb 117GB kb 287kb 287GB kb 369kb 577GB kb 774kb 4.8TB Size of Φ l (X, Y) 3 / 16

5 The Modular Polynomial Φ l (X, Y) Φ l Z[X, Y] is symmetric, with degree l + 1 in both X and Y. Its total size is O(l 3 log l) bits. l coefficients largest average total kb 5.3kb 5.5MB kb 12kb 48MB kb 27kb 431MB kb 60kb 3.9GB kb 132kb 33GB kb 208kb 117GB kb 287kb 287GB kb 369kb 577GB kb 774kb 4.8TB Size of Φ l (X, Y) But for l = and q 2 256, the size of φ l is just 320KB! Even with log q l = it is under 20MB. 3 / 16

6 Point-counting at 2500 digits... Despite this progress, computing modular polynomials remains the stumbling block for new point counting records. Clearly, to circumvent the memory problems, one would need an algorithm that directly obtains the polynomial specialised in one variable. INRIA Project-Team TANC Report This record was set in December / 16

7 Computing Φ l with the CRT Strategy: compute Φ l mod p for sufficiently many primes p and use the CRT to compute Φ l (or Φ l mod q). For suitable primes p we can compute Φ l mod p in time O(l 2 log 3 p llog p) using isogeny volcanoes [BLS 2011]. Assuming the GRH, we can efficiently find sufficiently many such primes with log p = O(log l). Sufficiently many is O(l). Henceforth we assume the GRH. 5 / 16

8 Computing Φ l with the CRT Strategy: compute Φ l mod p for sufficiently many primes p and use the CRT to compute Φ l (or Φ l mod q). For suitable primes p we can compute Φ l mod p in time O(l 2 log 3 p llog p) using isogeny volcanoes [BLS 2011]. Assuming the GRH, we can efficiently find sufficiently many such primes with log p = O(log l). Sufficiently many is O(l). Uses O(l 3 log 3 l llog l) expected time and O(l 3 log l) space. Using the explicit CRT, we can directly compute Φ l mod q using O(l 2 (n + log l)) space, where n = log q. But the size of φ l is O(ln). Henceforth we assume the GRH. 5 / 16

9 Computing φ l (Y) with the CRT (naïve approach) Strategy: lift j(e) from F q to Z, compute Φ l (X, Y) mod p and evaluate φ l (Y) = Φ l (j(e), Y) mod p for sufficiently many primes p. Obtain φ l mod q via the explicit CRT. Uses O(l 2 log 3+ɛ p) expected time for each p, and O(l 2 log p) space. 6 / 16

10 Computing φ l (Y) with the CRT (naïve approach) Strategy: lift j(e) from F q to Z, compute Φ l (X, Y) mod p and evaluate φ l (Y) = Φ l (j(e), Y) mod p for sufficiently many primes p. Obtain φ l mod q via the explicit CRT. Uses O(l 2 log 3+ɛ p) expected time for each p, and O(l 2 log p) space. However, sufficiently many is now O(ln), where n = log q. Total expected time is O(l 3 n log 3+ɛ l), using O(ln + l 2 log l) space. This approach is not very useful: If n is large (e.g. n l), it takes way too long (quartic in l). It n is small (e.g. n log l), it doesn t save any space. 6 / 16

11 Computing φ l (Y) with the CRT (Algorithm 1) Strategy: lift j, j 2, j 3,..., j l+1 from F q to Z and then compute φ l (Y) = c ik j i Y k mod p for sufficiently many primes p, where Φ l = c ik X i Y k. Obtain φ l mod q via the explicit CRT. 7 / 16

12 Computing φ l (Y) with the CRT (Algorithm 1) Strategy: lift j, j 2, j 3,..., j l+1 from F q to Z and then compute φ l (Y) = c ik j i Y k mod p for sufficiently many primes p, where Φ l = c ik X i Y k. Obtain φ l mod q via the explicit CRT. Now sufficiently many is O(l + n). For n = O(l log l), uses O(l 3 log 3+ɛ l) expected time and O(l 2 log l) space (under GRH). For n = Ω(l log l), the space bound is optimal. This algorithm can also evaluate the partial derivatives of Φ l needed to construct normalized equations for Ẽ (important for SEA). 7 / 16

13 Computing φ l (Y) with the CRT (Algorithm 2) Strategy: lift j(e) from F q to Z and for sufficiently many primes p compute φ l mod p as follows: 1. For each of l + 2 j-invariants y i, compute z i = k (j(e) j k), where the j k range over l + 1 neighbors of y i in G l (F p ). 2. Interpolate φ l (Y) F p as the unique polynomial of degree l + 1 for which φ l (y i ) = z i. Obtain φ l mod q via the explicit CRT. 8 / 16

14 Computing φ l (Y) with the CRT (Algorithm 2) Strategy: lift j(e) from F q to Z and for sufficiently many primes p compute φ l mod p as follows: 1. For each of l + 2 j-invariants y i, compute z i = k (j(e) j k), where the j k range over l + 1 neighbors of y i in G l (F p ). 2. Interpolate φ l (Y) F p as the unique polynomial of degree l + 1 for which φ l (y i ) = z i. Obtain φ l mod q via the explicit CRT. For n = O(l c ), uses O(l 3 (n + log l) log 1+ɛ l) expected time and O(ln + l log l) space (under GRH). For n = O(log 2 ɛ q) the algorithm is faster than computing Φ l. For n = Ω(log l) the space bound is optimal. 8 / 16

15 Genus 1 point counting in large characteristic Algorithms to compute #E(F q ) = q + 1 t. Algorithm Time Space Totally naive O(e 2n+ɛ ) O(n) Slightly less naive O(e n+ɛ ) O(n) Baby-step giant-step O(e n/4+ɛ ) O(e n/4+ɛ ) Pollard kangaroo O(e n/4+ɛ ) O(n 2 ) Schoof O(n 5 llog n) O(n 3 ) SEA O(n 4 log 3 n llog n) O(n 3 log n) SEA (Φ l precomputed) O(n 4 llog n) O(n 4 ) Complexity estimates for SEA-based algorithms are heuristic expected times. 9 / 16

16 Genus 1 point counting in large characteristic Algorithms to compute #E(F q ) = q + 1 t. Algorithm Time Space Totally naive O(e 2n+ɛ ) O(n) Slightly less naive O(e n+ɛ ) O(n) Baby-step giant-step O(e n/4+ɛ ) O(e n/4+ɛ ) Pollard kangaroo O(e n/4+ɛ ) O(n 2 ) Schoof O(n 5 llog n) O(n 3 ) SEA O(n 4 log 3 n llog n) O(n 3 log n) SEA (Φ l precomputed) O(n 4 llog n) O(n 4 ) SEA with Algorithm 1 O(n 4 log 2 n llog n) O(n 2 log n) Amortized O(n 4 llog n) O(n 2 log n) Complexity estimates for SEA-based algorithms are heuristic expected times. 9 / 16

17 Alternative modular polynomials In practice, the modular polynomials Φ l are not used in SEA. There are alternatives (due to Atkin, Müller, and others) that are smaller by a large constant factor (100x to 1000x is typical). The isogeny-volcano approach of [BLS 2010] can compute many types of (symmetric) modular polynomials derived from modular functions other than j(z), but these do not include the modular polynomials commonly used with SEA. 10 / 16

18 Alternative modular polynomials In practice, the modular polynomials Φ l are not used in SEA. There are alternatives (due to Atkin, Müller, and others) that are smaller by a large constant factor (100x to 1000x is typical). The isogeny-volcano approach of [BLS 2010] can compute many types of (symmetric) modular polynomials derived from modular functions other than j(z), but these do not include the modular polynomials commonly used with SEA. They do include modular polynomials Φ f l derived from the Weber function f(z), but these have never (?) been used with SEA before. Provided End(E) has discriminant D 1 mod 8 with 3 D, the polynomial φ f l (Y) = Φf l (f(e), Y) parameterizes l-isogenies from E. This condition is easily checked (without knowing D). If it fails, powers of f, or other modular functions may be used. 10 / 16

19 The Weber function The Weber f-function is defined by f(τ) = η( (τ + 1)/2 ), ζ 48 η(τ) and satisfies j(τ) = (f(τ) 24 16) 3 /f(τ) 24. The coefficients of Φ f l are roughly 72 times smaller. This means we need 72 times fewer primes. The polynomial Φ f l is roughly 24 times sparser. This means we need 24 times fewer interpolation points. Overall, we get nearly a 1728-fold speedup using Φ f l. 11 / 16

20 Modular polynomials for l = 11 Classical: X 12 + Y 12 X 11 Y X 11 Y X 11 Y X 11 Y X 11 Y X 11 Y X 11 Y X 11 Y X 11 Y X 11 Y X 11 Y X pages omitted Atkin: X 12 X 11 Y + 744X X X 9 Y X X 8 Y X X 7 Y X X 6 Y X X 5 Y X X 4 Y X X 3 Y X X 2 Y X XY X + Y Y Weber: X 12 + Y 12 X 11 Y X 9 Y 9 44X 7 Y X 5 Y 5 88X 3 Y XY 12 / 16

21 Elliptic curve point counting record The number of points on the elliptic curve E defined by y 2 = x x , modulo the 5011 digit prime q = is / 16

22 Elliptic curve point counting record Task Compute φ f l Find a root j Compute g l Compute π mod g l, E Find λ l Total CPU Time 32 days 995 days 3 days 326 days 22 days φ f l (Y) = Φf l ( j(e), Y) was computed for l from 5 to Exactly 700 of 1400 were found to be Elkies primes. Atkin primes were not used. The largest φ f l was under 20MB in size and took about two hours to compute using 1 core. 14 / 16

23 Modular polynomial evaluation record For l = and q = we computed φ f l (Y) = Φf l (j(e), Y). This is much larger than one would need to set a 25,000 digit point-counting record. The size of φ f l is about 1 GB. 15 / 16

24 Modular polynomial evaluation record For l = and q = we computed φ f l (Y) = Φf l (j(e), Y). This is much larger than one would need to set a 25,000 digit point-counting record. The size of φ f l is about 1 GB. For comparison: The size of Φ f l mod q is about 2 TB. 15 / 16

25 Modular polynomial evaluation record For l = and q = we computed φ f l (Y) = Φf l (j(e), Y). This is much larger than one would need to set a 25,000 digit point-counting record. The size of φ f l is about 1 GB. For comparison: The size of Φ f l mod q is about 2 TB. The size of Φ l mod q is about 50 TB. 15 / 16

26 Modular polynomial evaluation record For l = and q = we computed φ f l (Y) = Φf l (j(e), Y). This is much larger than one would need to set a 25,000 digit point-counting record. The size of φ f l is about 1 GB. For comparison: The size of Φ f l mod q is about 2 TB. The size of Φ l mod q is about 50 TB. The size of Φ l is more than 10 PB. 15 / 16

27 Improved space complexity of computing horizontal isogenies The algorithm of [Bisson-S 2011] for computing the endomorphism ring of an elliptic curve E/F q runs in L[1/2, 3/2] expected time and uses L[1/2, 1/ 3] space (under GRH). The space complexity can now be improved to L[1/2, 1/ 12]. A similar improvement applies to algorithms for computing horizontal isogenies of large degree [Jao-Soukharev ANTS IX]. 16 / 16