Class invariants by the CRT method

Transcription

1 Class invariants by the CRT method Andreas Enge Andrew V. Sutherland INRIA Bordeaux-Sud-Ouest Massachusetts Institute of Technology ANTS IX Andreas Enge and Andrew Sutherland Class invariants by the CRT method 1 of 17

2 Constructing an elliptic curve E/F q with N points Set t = q + 1 N, assuming t 0 and t < 2 q. Write 4q = t 2 v 2 D with D < 0, and then 1. Compute the Hilbert class polynomial H D (X). 2. Find a root j 0 of H D in F q. Now set k = j 0 /(1728 j 0 ). Either the elliptic curve y 2 = x 3 + 3kx + 2k or its quadratic twist has exactly N points over F q. This is the CM method. Andreas Enge and Andrew Sutherland Class invariants by the CRT method 2 of 17

3 The Hilbert class polynomial The discriminant D uniquely determines an imaginary quadratic order O = Z[τ]. The curve E has CM by O, i.e., End(E) = O. j(τ) is an algebraic integer. H D (X) is its minimal polynomial over K = Q( D). Good news: the coefficients of H D are integers. Bad news: they are really big integers! The total size of H D is O( D log 1+ɛ D ) bits. Andreas Enge and Andrew Sutherland Class invariants by the CRT method 3 of 17

4 Andreas Enge and Andrew Sutherland Class invariants by the CRT method 4 of 17

5 Approximate size of H D D h(d) height bound (bits) total size KB MB MB MB GB GB GB TB TB TB PB These are typical examples ( D 1/2 /h(d) ) Andreas Enge and Andrew Sutherland Class invariants by the CRT method 5 of 17

6 A tale of two ANTS ANTS VIII O( D 1+ɛ ) time H D using CRT [BBEL] (matches complexity of p-adic and complex analytic) CRT method practically slow, restricted to j CM record: D > using complex analytic [E] ANTS IX O( D 1/2+ɛ log q) space H D mod q using CRT [S] (surpasses p-adic and complex analytic) CRT method practically fast, not restricted to j CM record: D > using CRT [ES] Both CM records use class invariants other than j. Andreas Enge and Andrew Sutherland Class invariants by the CRT method 6 of 17

7 Class invariants Let f be a modular function satisfying Ψ(f, j) = 0 for some integer polynomial Ψ(F, J). If f (τ) K (j(τ)) then f (τ) is a class invariant. Its minimal polynomial H D [f ](X) is a class polynomial. We shall assume H D [f ] has integer coefficients. If f 0 is a root of H D [f ] then we may obtain a root j 0 of H D as a root of Ψ(f 0, J). H D [f ] is smaller than H D by a factor of c(f ) = deg F (Ψ)/ deg J (Ψ). Andreas Enge and Andrew Sutherland Class invariants by the CRT method 7 of 17

8 Some particularly useful class invariants Weber f-function Double η-quotients w s p 1,p 2, with p 1 and p 2 prime Atkin functions A N with N prime function level deg F (Ψ) deg J (Ψ) c(f ) ρ f w 3, w 5, A A A ρ is the proportion of fundamental D that yield class invariants. Andreas Enge and Andrew Sutherland Class invariants by the CRT method 8 of 17

9 Computing H D with the CRT For sufficiently many suitable primes p: 1. Find one root j 1 of H D mod p. (test random curves) 2. Find all roots j 1,..., j h of H D mod p. (using isogenies) 3. H D (X) = (X j 1 ) (X j h ) mod p. (via a product tree) Apply the CRT to obtain H D Z[X] or (better) H D mod q. Sufficiently many means O( D 1/2+ɛ ). Suitable means p is of the form 4p = t 2 v 2 D and not very big. See Computing Hilbert class polynomials with the CRT [S] for more details. Andreas Enge and Andrew Sutherland Class invariants by the CRT method 9 of 17

10 Realizing the Galois action via isogenies The class group of O acts on the roots of H D. If [l] cl(o) has prime norm l and j 1 is a root of H D then Φ l (j 1, [l]j 1 ) = 0, where Φ l (X, Y ) is the classical modular polynomial. Typically [l]j 1 and [ l]j 1 are the only roots of Φ l (j 1, X) in F p. We use ideals l 1,..., l k, with prime norms l 1,..., l k, such that every [a] cl(o) may be written uniquely as [a] = [l e 1 1 ] [le k k ] (0 e i < r i ). for some positive integers r 1,..., r k. Andreas Enge and Andrew Sutherland Class invariants by the CRT method 10 of 17

11 Enumerating the roots of H D mod p Given a root j 1 of H D mod p, all the roots of H D mod p may be enumerated with the recursive algorithm below. ENUMERATE(j 1, l 1,..., l k ): 1. Arbitrarily choose a root j 2 of Φ lk (j 1, X) in F p. 2. For i from 3 to r k : Let j i be the root of Φ lk (j i 1, X)/(X j i 2 ) in F p. 3. If k = 1 then output j 1,..., j rk and return. 4. ENUMERATE(j i, l 1,..., l k 1 ) for i from 1 to r k. Strategy 1: Convert j 1 to f 1 and enumerate f 1,..., f h. This requires modular polynomials Φ f l. Strategy 2: Convert j 1,..., j h to f 1,..., f h. This requires us to choose directions consistently. Andreas Enge and Andrew Sutherland Class invariants by the CRT method 11 of 17

12 Choosing directions consistently Having walked one path of l-isogenies, we can ensure that all parallel paths are oriented in the same direction. j l 1 j l 2 j l 3 l j r l l j 1 l j 2 Instead of picking j 2 arbitrarily, we compute the polynomial φ(x) = gcd ( Φ l (j 1, X), Φ l (j 2, X) ) and let j 2 be its unique root (if 4l2 l 2 < D then deg φ = 1). We can compute j 3,..., j r in the same way. Computing GCDs is easier than finding roots! Andreas Enge and Andrew Sutherland Class invariants by the CRT method 12 of 17

13 CRT class polynomial computations: H D [f ] vs. H D Example 1 Example 2 Example 3 Example 4 D function f A 71 A 47 A 71 A 59 H D time H D time (gcds) H D [f ] time size factor * total speedup Times in CPU seconds (3.0 GHz AMD Phenom II) These examples computed H D or H D [f ] modulo a cryptographic-size prime q. They were used to construct pairing-friendly curves of prime order. Andreas Enge and Andrew Sutherland Class invariants by the CRT method 13 of 17

14 Invariants with ramified level For the Atkin functions and the double η-quotients, when the primes dividing the level ramify in Q( D), the class polynomial H D [f ] is a perfect square. In this case we can simply compute H D [f ], which reduces both the degree and the coefficient size by a factor of 2. If 71 divides D, for example, the polynomial H D [A 71 ] is approximately = 144 times smaller than H D. This beats Weber f with c(f) = 72. Andreas Enge and Andrew Sutherland Class invariants by the CRT method 14 of 17

15 CRT vs Complex Analytic complex analytic CRT CRT mod q D h(d) w 3,13 f w 3,13 f w 3,13 f Times in CPU seconds (3.0 GHz AMD Phenom II) For the CRT timings, H D [f ] was computed both over Z and modulo a 256-bit prime q. Andreas Enge and Andrew Sutherland Class invariants by the CRT method 15 of 17

16 A record CM construction We computed the square-root of the class polynomial H D [A 71 ] using the discriminant D with D = > We then used the CM method to construct an elliptic curve E of prime order over a 256-bit prime field F q. The endomorphism ring of E is isomorphic to an imaginary quadratic order with class number h(d) = > Andreas Enge and Andrew Sutherland Class invariants by the CRT method 16 of 17

17 ECC Brainpool Standard Security Requirements The class number of the maximal order of the endomorphism ring of E is larger than This condition excludes curves that are generated by the well-known CM-method. This is no longer true. Andreas Enge and Andrew Sutherland Class invariants by the CRT method 17 of 17

18 Class invariants by the CRT method Andreas Enge Andrew V. Sutherland INRIA Bordeaux-Sud-Ouest Massachusetts Institute of Technology ANTS IX Andreas Enge and Andrew Sutherland Class invariants by the CRT method 1 of 17