Class polynomials for abelian surfaces

Transcription

1 Class polynomials for abelian surfaces Andreas Enge LFANT project-team INRIA Bordeaux Sud-Ouest LFANT seminar 27 January 2015 (joint work with Emmanuel Thomé) Andreas Enge CM2 LFANT

2 CM2 1 Elliptic curves Applications of elliptic curves Complex multiplication theory Algorithms 2 Abelian surfaces Complex multiplication theory Algorithms Implementation and examples Andreas Enge CM2 LFANT

3 Elliptic curves E : Y 2 = X 3 + ax + b, a, b F p Abelian variety of dimension 1 finite group Hasse 1934 #E(F p ) (p + 1) 2 p Moduli space of dimension 1 parameterised by invariant j = a 3 4a b 2 Andreas Enge CM2 LFANT

4 Primality proofs (ECPP) If P E(Z/N 1 Z) with P of prime order N 2, ( ) 2 4 N 2 > N1 + 1, then N 1 is prime. Record: decimal digits (Morain 2010) Andreas Enge CM2 LFANT

5 Cryptography Discrete logarithm based cryptography Need prime cardinality Prefer random curves Pairing-based cryptography Weil and (reduced) Tate pairing e : E(F p )[l] E(F p k)[l] F [l] p k Bilinear: e(ap, bq) = e(p, Q) ab An exponential number of cryptographic primitives... Need CM constructions for suitable curves. Andreas Enge CM2 LFANT

6 CM2 1 Elliptic curves Applications of elliptic curves Complex multiplication theory Algorithms 2 Abelian surfaces Complex multiplication theory Algorithms Implementation and examples Andreas Enge CM2 LFANT

7 Complex multiplication Deuring 1941: The endomorphism ring of an (ordinary) elliptic curve is either Z, or an order [ O D = 1, D + ] D 2 of discriminant D < 0 in K = Q( D). Z E with complex multiplication by O D / by D Over C: usually Z, sometimes O D Over F p : always O D! Andreas Enge CM2 LFANT

8 Complex multiplication Frobenius: π : (x, y) (x p, y p ), fixes E(F p ) Deuring 1941: Any (ordinary) curve over F p is the reduction of a curve over C with the same endomorphism ring. Hasse: π = t+v D 2, Tr(π) = t, N(π) = t2 v 2 D 4 = p #E(F p ) = p + 1 t Andreas Enge CM2 LFANT

9 Effective complex multiplication Given D, what are the curves over C with CM by D? Modular invariant φ : K = Q( D) C embedding j : H = {z C : I(z) > 0} C a = (α 1, α 2 ) ideal of O D with basis quotient τ = φ ( α2 α 1 ) H j(τ) depends only on the ideal class of a; determines the h = #Cl(O D ) curves with CM by D. Andreas Enge CM2 LFANT

10 First main theorem of complex multiplication Ω D = K(j(a)) K = Q( D) Q Ω D = Hilbert class field of K (for D fundamental discriminant) = maximal abelian, unramified extension of K σ : Cl(O D ) Gal(Ω D /K) j(a) σ(b) = j(ab 1 ) Andreas Enge CM2 LFANT

11 CM2 1 Elliptic curves Applications of elliptic curves Complex multiplication theory Algorithms 2 Abelian surfaces Complex multiplication theory Algorithms Implementation and examples Andreas Enge CM2 LFANT

12 Main algorithm Fix D < 0 and p prime s.t. p = t2 v 2 D 4 and N = p + 1 t convenient Enumerate the h ideal classes of O D : ( A i, B i + ) D 2 Compute over C the class polynomial ( ( h B i + )) D H(X) = X j Z[X] 2A i i=1 Find a root j modulo p Write down the curve E : Y 2 = X 3 + ax + b with c = j, a = 3c, b = 2c 1728 j Andreas Enge CM2 LFANT

13 Complexity Size of H Degree h O ( D ) (Littlewood 1928) Coefficients with O ( D ) digits (Schoof 1991, E. 2009) Total size O ( D ) ( D ) Evaluation of j: O ( D ) Precision: O digits Multievaluation of the polynomial j (E. 2009) Arithmetic-geometric mean (Dupont 2006) Total complexity (E. 2009) O ( D ) quasi-linear in the output size! Andreas Enge CM2 LFANT

14 Implementation Record (E. 2009) (with class invariants) D = h = Precision bits s = 3 d CPU time 5 GB Software GNU MPC: complex floating point arithmetic in arbitrary precision with guaranteed rounding Based on MPFR and GMP LGPL MPFRCX: polynomials with real (MPFR) and complex (MPC) coefficients LGPL cm: class polynomials and CM curves GPL Andreas Enge CM2 LFANT

15 Further algorithms p-adic lift Couveignes Henocq 2002, Bröker 2006 Chinese remaindering Enumerate CM curves over Fp, compute H mod p Lift to Z or directly to Z/PZ Belding Bröker E. Lauter 2008 following an idea by D. Bernstein, Sutherland 2009, E. Sutherland 2010 Record (E. Sutherland 2010) D = h = , 174 P Precision bits primes of 53 bits 200 d CPU time Size modp 200 MB Size over Z 2 PB Andreas Enge CM2 LFANT

16 AGM Dupont 2006: One can evaluate j at precision n in time O(log n M(n)) = O (n). Idea of the algorithm: Newton iterations on a function built with the arithmetic-geometric mean (AGM) Andreas Enge CM2 LFANT

17 Theta constants definition ϑ a,b (τ) = n Z a, b 1 Z/Z; q = eπiτ 2 e πi((n+a)τ(n+a)+2(n+a)b) = e 2πiab n Z (e 2πib ) n q (n+a)2 ϑ 0,0 (τ) = n Z q n2 = 1 + 2q + 2q 4 + 2q ϑ 0, 1 (τ) = 2 n Z( 1) n q n2 = 1 2q + 2q 4 2q ϑ 1,0(τ) = q (2n+1)2/4 = q 1/4 ( 1 + 2q + 2q ) 2 n Z ϑ 1 2, 1 (Z) = 0 2 Andreas Enge CM2 LFANT

18 Theta constants duplication formulæ ϑ 2 0,0(2τ) = ϑ 2 0,0 (τ) + ϑ2 0, 1 2 (τ) 2 ϑ 2 (2τ) = ϑ 2 0, 1 0,0 (τ)ϑ2 (τ) 2 0, 1 2 Andreas Enge CM2 LFANT

19 AGM ϑ 2 0,0(2τ) = ϑ 2 0,0 (τ) + ϑ2 0, 1 2 (τ) 2 AGM for a, b C a 0 = a, b 0 = b ϑ 2 (2τ) = ϑ 2 0, 1 0,0 (τ)ϑ2 (τ) 2 0, 1 2 a n+1 = a n+b n 2 b n+1 = a n b n converges quadratically towards a common limit AGM(a, b) Evaluated in time O(log n M(n)) at precision n. Andreas Enge CM2 LFANT

20 Theta quotients AGM(a, b) = a AGM(1, b/a) =: a M(b/a) k (z) = k(z) = ( ) ϑ0, 1 (z) 2 2 ϑ 0,0 (z) ( ) ϑ 2 1 2,0(z) ϑ 0,0 (z) k 2 (z) + k 2 (z) = 1 j = 256 (1 k 2 +k 4 ) 3 k 4 (1 k 2 ) 2 Andreas Enge CM2 LFANT

21 Newton iterations M(k (τ)) = 1 ϑ 2 0,0 (τ) M(k(τ)) = M(k (Sτ)) = 1 ϑ 2 0,0 (Sτ) = k 2 (τ) + k 2 (τ) = 1 f τ (x) = im(x) τm( 1 x 2 ) f τ (k (τ)) = 0 i τϑ 2 0,0 (τ) x n+1 x n f τ(x n ) f τ(x n ) converges quadratically towards k (τ) Evaluated in time O(log n M(n)) at precision n Andreas Enge CM2 LFANT

22 CM2 1 Elliptic curves Applications of elliptic curves Complex multiplication theory Algorithms 2 Abelian surfaces Complex multiplication theory Algorithms Implementation and examples Andreas Enge CM2 LFANT

23 Genus 2 curves and ppav of dimension 2 C : Y 2 = X 5 + ax 3 + bx 2 + cx + d hyperelliptic curve of genus 2 Jacobian is a principally polarised abelian surface (ppas) Moduli space of dimension 3 parameterised by Igusa invariants i 1, i 2, i 3 Frobenius endomorphism gives cardinality of Jacobian over F p source of cryptographic curves Andreas Enge CM2 LFANT

24 Endomorphism rings and period matrices End = O K = Q[X]/(X 4 + AX 2 + B) with D = A 2 4B > 0 CM field of degree 4 K = K 0 (± K 0 = Q( D) Q A± ) D 2 CM types Φ = (φ 1, φ 2 ), Φ = (φ 1, φ 2 ), embeddings: K C (a, ξ) s.t. (aad K/Q ) 1 = (ξ), φ 1 (ξ), φ 2 (ξ) i R >0 (polarisation) ( ) τ1 τ (a, ξ) τ = 2 with I(τ) positive definite (period matrix) τ 2 τ 3 Andreas Enge CM2 LFANT

25 Theta constants a, b ( ) Z/Z ϑ a,b (τ) = n Z 2 e πi((n+a)t τ(n+a)+2(n+a) T b) 10 non-zero theta constants Siegel modular forms I 4 = ϑ 8 i 10 i I 6 = certain 60 i,j,k ±(ϑ i ϑ j ϑ k ) 4 Igusa invariants according to Streng 2010 i 1 = I 4I 6 I 10 i 2 = I 12I 2 4 I 2 10 I 10 = 10i I 12 = 15 ϑ 2 i i 3 = I5 4 I 2 10 ϑ 4 i 6 i Andreas Enge CM2 LFANT

26 Class fields (dihedral case) Ω K r (i 1 (τ)) = K r (i 2 (τ)) = K r (i 1 (τ)) L K K r K 0 K r 0 Q Andreas Enge CM2 LFANT

27 CM2 1 Elliptic curves Applications of elliptic curves Complex multiplication theory Algorithms 2 Abelian surfaces Complex multiplication theory Algorithms Implementation and examples Andreas Enge CM2 LFANT

28 Algorithms Complex analytic Spallek 1994 Weng 2001 Streng 2010 p-adic lift Gaudry Houtmann Kohel Ritzenthaler Weng 2006 Chinese remaindering Eisenträger Lauter 2005 Lauter Robert 2012 Our contributions to the complex-analytic algorithm Quasi-linear evaluation of theta constants (following Dupont 2006) quasi-linear computation of class polynomials (Streng 2010) most efficient algorithm Direct computation of irreducible factors, over K r 0 instead of Q (following Streng 2010) Software Andreas Enge CM2 LFANT

29 Main algorithm (dihedral case) Let h 0 = #Cl(K 0 ), h 1 = #Cl(K)/h 0 Consider the two CM-types Φ and Φ, enumerate Cl(K) Compute S(K, Φ) = { (a, ξ) : (aād K/Q ) 1 = (ξ), Φ(ξ) (i R >0 ) 2} / and S(K, Φ ), where (a, ξ) (xa, (x x) 1 ξ) #S(K, Φ) = #S(K, Φ ) = h 1 period matrices τ i, τ i Evaluate the ϑ a,b (τ ( ) i ) and deduce the i k (τ ( ) i ) Andreas Enge CM2 LFANT

30 Main algorithm (dihedral case) Compute the first class polynomial h 1 h 1 H 1 (X) = (X i 1 (τ i )) (X i 1 (τ i )) Q[X] i=1 Compute the Hecke representations of the algebraic numbers i k (τ i ) with respect to H 1 : Ĥ k (X) = polynomial of degree h 1 1 such that i k (τ i ) = Ĥk(i 1 (τ i )) H 1 (i 1(τ i )) (roughly Lagrange interpolation) i=1 Andreas Enge CM2 LFANT

31 Borchardt sequences a n+1 = a n + b n + c n + d n 4 an bn + c n dn b n+1 = 2 an cn + b n dn c n+1 = 2 an dn + b n cn d n+1 = 2 Common limit: Borchardt mean B 2 (a 0, b 0, c 0, d 0 ) Related to duplication formulæ of four fundamental theta constants ϑ 0,..., ϑ 3. Andreas Enge CM2 LFANT

32 τ from (ϑ j (τ/2)/ϑ 0 (τ/2)) j=1,2,3 Compute (ϑ 2 j (τ)/ϑ2 0 (τ/2)) j=0,1,2,3,4,6,8,9,12,15 (duplication) Compute B 2 ((ϑ 2 j (τ)/ϑ2 0 (τ/2)) j=0,1,2,3 = 1 ϑ 2 0 (τ/2) Compute (ϑ 2 j (τ)) j=0,1,2,3,4,6,8,9,12,15 Compute u 1 = B 2 ((ϑ 2 j (τ)) j=4,0,6,2 u 3 = B 2 ((ϑ 2 j (τ)) j=8,9,0,1 u 2 = B 2 ((ϑ 2 j (τ)) j=0,8,4,12 Return τ 1 = i, τ 3 = i 1, τ 2 = ± + τ 1 τ 3 u 1 u 3 u 2 Andreas Enge CM2 LFANT

33 Improvements to Dupont 2006 Streamline the computations Replace by (gain about 25%) f τ i (τ) f(τ + εe i ) f(τ) ε Andreas Enge CM2 LFANT

34 CM2 1 Elliptic curves Applications of elliptic curves Complex multiplication theory Algorithms 2 Abelian surfaces Complex multiplication theory Algorithms Implementation and examples Andreas Enge CM2 LFANT

35 Implementation Number theoretic computations: C(K), (reduced) period matrices Pari/GP negligible effort Evaluation of theta and invariants C Libraries: GMP, MPFR, MPC MPI for parallelisation Polynomial operations MPFRCX MPI for (partial) parallelisation Andreas Enge CM2 LFANT

36 Quasi-linear complexity required precision = coefficient size time per invariant = O (precision) Andreas Enge CM2 LFANT

37 Quasi-linear complexity required precision = coefficient size time per invariant = O (precision) total time = O (output size) Andreas Enge CM2 LFANT

38 Record example K defined by X X , D = , h 0 = 8 C(K) Z/4402Z Z/2Z Z/2Z PARI/GP: 4 min (reduction of period matrices) Precision: bits Invariants: Last Newton lift: 3000 s per invariant ( 1200 second-to-last) 2 d wallclock time on 160 processors Polynomial operations (partially parallelised): 1 d wallclock time (40 processors, 1 TB memory) Algebraic coefficient recognition: 2600 s per coefficient 10 d wallclock time on 160 processors Size: 56 GB # primes in denominator: 3465 Largest prime in denominator: Bound: Andreas Enge CM2 LFANT

39 Conclusion Quasi-linear algorithm for class polynomials in dimension 2 Computation of invariants efficient arbitrarily parallel As can be expected: Memory becomes the bottleneck Better parallelisation/distribution of polynomial operations required Quasi-linear LLL in dimension 3 desirable Next steps: better understand the denominators smaller class invariants (work in progress with M. Streng) Andreas Enge CM2 LFANT