ALGORITHMS FOR ALGEBRAIC CURVES

Transcription

1 ALGORITHMS FOR ALGEBRAIC CURVES SUMMARY OF LECTURE 3 In this text the symbol Θ stands for a positive constant. 1. COMPLEXITY THEORY AGAIN : DETERMINISTIC AND PROBABILISTIC CLASSES We refer the reader to Papadimitriou s book [Pap] for a complete treatment of complexity theory Languages. Let Σ be an alphabet i.e. a finite set of symbols. The set of finite words on Σ is denoted Σ. A language is a subset of Σ. For a language L Σ the associated decision problem is as follows. On input a word w Σ we want to decide if w belongs to L or not. Examples : even integers, prime integers, etc. For a function f : Σ Σ, the associated functional problem is as follows. On input a word w Σ we want to evaluate f(w). Examples : multiplying, factoring, etc Turing machines. Turing machines are a theoretical model for computers. They are finite automata (they have finitely many inner states), but they can write or read on an infinite tape with a tape head. A Turing machine can be defined by a transition table. For a given inner state and current character read by the head, the transition table provides the next inner state, which character to write on the tape in place of the current one, and how the head should move on the tape (one step left, one step right, or no move at all). More formally, a Turing machine is a 4-uple M = (K, Σ, δ, s) where K is the finite set of states, s K is the initial state, Σ is a finite set of symbols (the alphabet). One assumes that Σ contains two special symbols and, the spacing and the starting symbol. And the transition function is δ : K Σ (K {h, yes, no }) Σ {,, }. The state h is the end state, yes is the accepting state, and no is the rejecting state. The moving instructions are to move one step on the left, to move one step on the right, and not to move. The transition function δ associates to the current state q K and to the read symbol σ Σ, the triple (p, ρ, D) where p is the next state, ρ is the symbol to be written in place of σ, and D indicates how the head should move. The head initially stays at the beginning of the tape, and the symbol is written there. The input of the algorithme is written just after the symbol. The transition function must satisfy the following condition : if the symbol is read, moving to the left is prohibited. And the symbol cannot be erased. This ensures that the head never leaves the tape on the left. This model is called one tape Turing machine. One may also consider Turing machines with several tapes, and one head on each tape. 1

2 2 SUMMARY OF LECTURE 3 Question 1. How fast can a one tape Turing machine copy the input on its right? How fast can a two tape Turing machine copy the input on its right? What about sorting? How fast can a multitape Turing machine merge two sorted lists? More on Turing machines can be found in Chapter 2 of [Pap]. Remind a decision problem is a question that must be answered by yes or no: for example, deciding whether an integer is prime. The answer to a functional problem is a more general function of the question. For example, factoring an integer is a functional problem. If we want to solve a functional problem with a Turing machine, we write the input on the tape, we run the Turing machine, and we wait until it stops. We then read the output on the tape. If the machine always stops and returns the correct answer, we say that it solves the problem in question. The time complexity is the number of steps before the Turing machine has solved a given problem. Such a Turing machine is said to be deterministic because its behavior only depends on the input. The size of the input is the number of bits required to encode it. This is the space used on the tape to write this input. For example, the size of an integer is the number of bits in its binary expansion. A problem is said to be deterministic polynomial time if there exists a deterministic Turing machine that solves it in time polynomial in the size of the input. The class of all functional problems that can be solved in deterministic polynomial time is denoted FP or FPTIME. The class of deterministic polynomial time decision problems is denoted P or PTIME. Question 2. Is every language L {0, 1} accepted by a Turing machine? 1.3. Las Vegas randomized algorithms. Assume now that we are interested in the following problem: Given an odd prime integer p, find an integer a such that 1 a p 1 and a is not a square modulo p. ( ) This looks like a very easy problem because half of the nonzero residues modulo p are not squares. So we may just pick a random integer a between 1 and p 1 and compute the Legendre symbol ( ) p 1 a p = a 2. If the symbol is 1 we output a. Otherwise we output FAIL. The probability of success is 1/2 and failing is not a big problem because we can rerun the algorithm: we just pick another random integer a. This is a typical example of a randomized Las Vegas algorithm. The behavior of the algorithm depends on the input, of course, but also on the result of some random choices. One has to flip coins. A nice model for such an algorithm would be a Turing machine that receives besides the input, a long enough (say infinite) one-dimensional array R consisting of 0s and 1s. Whenever the machine needs to flip a coin, it looks at the next entry in the array R. So the Turing machine does not need to flip coins: we provide enough random data at the beginning. We assume that the running time of the algorithm is bounded from above in terms of the size of the input only (this upper bound should not depend on the random data R). For each input, we ask that the probability (on R) that the Turing machine returns the correct answer is 1/2. The random data R takes values in {0, 1} N. The measure on this latter set is the limit of the uniform measures on {0, 1} k when k tends to infinity. If the Turing machine fails to return the correct answer, it should return FAIL instead.

3 ALGORITHMS FOR ALGEBRAIC CURVES 3 We have just proved that finding a nonquadratic residue modulo p can be done in Las Vegas probabilistic polynomial time. At present (April 2012) there is no known algorithm that can be proved to solve this problem in deterministic polynomial time. The class of Las Vegas probabilistic polynomial time decision problems is denoted ZPP Picking random elements in finite sets. Let X and Y be two finite subsets. Prove that the product of the uniform measure on X by the uniform measure on Y is the uniform measure on X Y. Let X Y be two finite subsets. Prove that the restriction to X of the uniform measure on Y is the uniform measure on X. How can we pick a random integer in [1, p 1] with uniform probability, using a coin? How long does it take? How can we we pick a random element in a finite field with uniform probability? Picking a random point on an elliptic curve is a bit more tricky if we want uniform distribution. We have the finite set X(F q ) = {(x, y) F q 2 y 2 (x 3 + ax + b)}. A first idea is to first pick a random x coordinate in P 1 (K) = K. Then try to solve the degree two equation E(y, x) = 0. If there is no solution we throw x and start again. If there is a single solution we have a 2-torsion point and we are happy with it. If there are two solutions we choose one of them by flipping a coin. It is easy to check that [2]-torsion points are more likely to be selected (by a factor two). So the distribution is not uniform. A simple way of correcting this is to flip a coin even if there is a single solution to E(y, x) = 0. And to keep the point iff the the result is heads. If it is tails we throw x away Monte Carlo randomized algorithms. We now consider another slightly more difficult problem: Given an odd prime integer p, find a generating set (g i ) 1 i I for the cyclic group (Z/pZ). ( ) We have a simple probabilistic algorithm for this problem. We compute an integer I such that log 2 (3 log 2 (p 1)) I log 2 (3 log 2 (p 1)) + 2 and we pick I random integers (a i ) 1 i I in the interval [1, p 1]. The a i are uniformly distributed and pairwise independent. We set g i = a i mod p, and we show that the (g i ) 1 i I generate the group (Z/pZ) with probability 2/3. Indeed, if they don t, they must all lie in a maximal subgroup of (Z/pZ). The maximal subgroups of (Z/pZ) correspond to prime divisors of p 1. Let q be such a prime divisor. The probability that the (g i ) 1 i I all lie in the subgroup of index q is bounded from above by 1 q I 1 2 I, so the probability that the (g i ) 1 i I don t generate (Z/pZ) is bounded from above by 2 I times the number of prime divisors of q 1. Since the latter is log 2 (p 1), the probability of failure

4 4 SUMMARY OF LECTURE 3 is log 2(p 1), 2 I and this 1/3 by definition of I. Note that here we have a new kind of probabilistic algorithm: the answer is correct with probability 2/3 but when the algorithm fails, it may return a false answer. Such an algorithm (a Turing machine) is called Monte Carlo probabilistic. This is weaker than a Las Vegas algorithm. We just proved that problem ( ) can be solved in Monte Carlo probabilistic polynomial time. We don t know of any Las Vegas probabilistic polynomial time algorithm for this problem. The class of Monte Carlo probabilistic polynomial time decision problems is denoted BPP. In general, a Monte Carlo algorithm can be turned into a Las Vegas one provided the answer can be checked efficiently, because we then can force the algorithm to admit that it has failed. Note also that if we set I = f + log 2 (log 2 (p 1)), where f is a positive integer; then the probability of failure in the algorithm above is bounded from above by 2 f. So we can make this probability arbitrarily small at almost no cost. 2. MAPS BETWEEN ELLIPTIC CURVES Definition Let K be a field and let (X 1, O 1 ) and (X 2, O 2 ) be two elliptic curves over K. A morphism of elliptic curves is a morphism of algebraic curves f : X 1 X 2 such that f(o 1 ) = O 2. A non-constant morphism is called an isogeny. Examples, automorphisms : the identity, the involution (x, y) (x, y). These are indeed automorphisms. The automorphism group has order at least 2. Assume that the characteristic p of K is not 2. The elliptic curve with equation y 2 = x 3 + x has the automorphism (x, y) ( x, iy) defined over K(i). Its automorphism group over K has order at least 4. Assume that the characteristic p of K is not 2 or 3. The elliptic curve with equation y 2 = x has the automorphism (x, y) (ζ 3 x, y) over K(ζ 3 ). Its automorphism group over K has order at least 6. Theorem The automorphism group is of order 2 if j {0, 1728}. It is of order 6 if j = 0 and p {2, 3}. It is of order 4 if j = 0 and p {2, 3}. Indeed for p {2, 3} we have a reduced Weierstrass form and any K-automorphism takes the form (x, y) (u 2 x, u 3 y) for some u K. Examples, multiplication by n : for n a positive integer we define np = P + P and ( n)p = (np ). The map [n] : P np is a morphism of the elliptic curve into itself (an endomorphism). For n 0 this is a finite morphism with degree n 2. We already computed an explicit description of the map [1], [ 1] and [2]. Indeed we expressed the coordinates of 2P namely (x 2P, y 2P ) as rational fractions in x P and y P. A similar calculation would give (x 3P, y 3P ) as rational fractions in x P and y P. Classically these rational fractions are given as x np = φ n(x, y) ψ n (x, y) and y 2 np = ω n(x, y) ψ n (x, y), 3

5 ALGORITHMS FOR ALGEBRAIC CURVES 5 where φ n, ψ n and ω n are polynomials in x and y satisfying simple recurrence formulae. See the books by Silverman [Sil] or Enge [Eng]. They have degree 0 or 1 in y and degree n 2 in x. The three polynomials φ n, ψ n and ω n can be computed in time n 2 log n operations in K. For n odd ψ n is a degree (n 2 1)/2 polynomial in K[x]. It vanishes exactly at the x- coordinates of non-zero n-torsion points. The n-torsion points form a set (group) X[n]( K) = {P X( K) np = O}. Example : for X with affine equation y 2 = x 3 + x we have ψ 2 = 2y, ψ 3 = 3x 4 + 6x 2 1, ψ 4 = (4x x 4 20x 2 4)y, ψ 5 = 5x x x 8 300x 6 125x 4 50x The ideal generated by y 2 x 3 ax b and ψ n (x, y) is the ideal of X[n] O in the affine plane. The Frobenius morphism : let X be given by some Weierstrass equation E(x, y) = y 2 x 3 ax b with a, and b in K a field with finite characteristic p. Let X (p) be the curve with equation E(x, y) = y 2 x 3 a p x b p. The map Φ (p) : (x, y) (x p, y p ) defines a morphism from X onto X (p). Indeed such a morphism exists for every curve over a field with chracteristic p. We note that the image by Φ (p) of the origin O is the origin on X (p). The degree of Φ (p) is p. And Φ (p) is a purely inseparable map. Over a finite field with cardinality q = p e the morphism Φ (q) is an endomorphism. Theorem : any morphism of elliptic curves f : (X 1, O 1 ) (X 2, O 2 ) is a morphism of (algebraic) groups : f(p + Q) = f(p ) + f(q). When f is separable, then Ker(f) is a dimension zero reduced subscheme of X. It is in fact a subgroupscheme. From a set theoretical point of view we can then identify Ker(f) with the set of its K-points Ker(f)( K) = {P X 1 ( K) f(p ) = O 2 }. In general (without assuming that f is separable), the finite group Ker(f)( K) has order the separable degree of f. The dual isogeny Let f : X Y an isogeny. To every divisor D on Y we associate its pull-back f (D) on X. If D has local equation g then f (D) has local equation g f. We deduce a map f : Pic 0 (Y ) = Y (K) Pic 0 (X) = X(K). It is induced by a morphism ˆf : Y X. This ˆf is called the dual isogeny. We have ˆff = [deg(f)] X, f ˆf = [deg(f)] Y, deg( ˆf) = deg(f), ˆf = f, fg = ĝ ˆf. The dual of [n] is [n]. 3. VÉLU S FORMULAE We have seen how to write down equations for the Frobenius and multiplication by n morphisms. Vélu s formulae provide such explicit equations for a much broader class of isogenies. Notation For A X(K) we call τ A : X X the translation by A. So τ A (P ) = P + A. We set x A = x τ A and y A = y τ A.

6 6 SUMMARY OF LECTURE 3 Let f be a separable isogeny f : X X with degree d. We assume that Ker(f) splits over K, that is Ker(f)( K) = Ker(f)(K). Further we assume that Ker(f)(K) is cyclic, that is Ker(f)( K) = {O, T, 2T,..., (d 1)T } with T X(K). We call G = {τ A A Ker(f)(K)} the group of translations by elements in the kernel. It is the group of automorphisms of f. It is the group of automorphisms of the Galois field extension K(X ) K(X). And X can be seen as the quotient of X by the finite group Ker(f)(K). The field K(X ) is the fixed subfield of K(X) by this finite group of translations. Vélu s formulae provide an explicit form for Y and f in terms of X and the generator T. The main idea is that the functions x and y on X are almost the traces of x and y in the extension K(X ) K(X). We give these formulae for the simpler case when d 3 is an odd integer. So T E(K) is a point of order d. For A X(K) we set τ A and x A = x A τ A. For k an integer, we set x k = x kt, y k = y kt and following Vélu [Vel1], we define (1) x = x + [x k x(kt )] and y = y + [y k y(kt )]. We also set w 4 = w 6 = 1 k d 1 1 k (d 1)/2 1 k (d 1)/2 a 4 = a 4 5w 4, a 6 = a 6 b 2 w 4 7w 6, 6 x(kt ) 2 + b 2 x(kt ) + b 4, 1 k d 1 10 x(kt ) b 2 x(kt ) b 4 x(kt ) + b 6, and b 2 = a a 2, b 4 = a 1 a 3 + 2a 4, b 6 = a a 6, b 8 = a 2 1a 6 + 4a 2 a 6 a 1 a 3 a 4 + a 2 a 2 3 a 2 4. (2) a 1 = a 1, a 2 = a 2, a 3 = a 3. Vélu proves the identity (y ) 2 + a 1x y + a 3y = (x ) 3 + a 2(x ) 2 + a 4x + a 6. This gives an explicit description of the isogeny in that case. If we want to apply these formulae to compute a separable isogeny with non-split kernel, we may move to the splitting field of this kernel. In case the kernel is non-cyclic we may proceed in several steps since any isogeny if a composite of isogenies with cyclic kernels.

7 ALGORITHMS FOR ALGEBRAIC CURVES 7 4. THE ENDOMORPHISM RING An endomorphism is a morphism f : X X of an elliptic curve into itself. Because X is a (algebraic) group, we can add two endomorphisms of X. We can also compose them. Theorem : the set of endomorphisms of E with the laws + and is a ring. The map f ˆf is a ring anti-homomorphism, and an involution. The fixed subring of the involution is Z End(X). The endomorphism ring is a free Z-module of rank 1, 2, or 4. Every endomorphism has a trace Tr(f) = f + ˆf in Z, a norm Norm(f) = f ˆf in Z, a characteristic polynomial χ f (X) = X 2 Tr(f)X + Norm(f). And of course χ f (f) = χ f ( ˆf) = 0. Example : Consider again the elliptic curve (X, O) where X is given by the affine equation y 2 = x 3 + x over C. The ring End(X) contains Z and J : (x, y) ( x, ζ 4 y) where ζ 4 = exp(2iπ/4). We check that J = 0, Ĵ = J. The subring of End(X) generated by J is isomorphic to the imaginary quadratic order Z[ 1]. Another example : let K = F 9 = F 3 [z]/(z 2 + 1). Consider the elliptic curve (X, O) where X is given by the affine equation y 2 = x 3 + x over K. Then End(X) contains Z and J where J(x, y) = ( x, zy) where z mod z is a root of 1 again. This time we also have the Frobenius endomorphism Φ (3). The ring End(X) is not commutative because J and Φ (3) do not commute. Cardinality and trace of the Frobenius Let K be a finite field with q = p e elements. Let (X, O) be an elliptic curve over K. We denote by Φ the Frobenius endomorphism Φ (q) : X X. The characteristic polynomial T 2 tt + q. of Φ brings much information. Theorem The order of X(K) is q + 1 t where t is the trace of Φ. Further t 2 4q 0. Indeed E(F q ) = {P = (X : Y : Z) E( K) Φ(P ) = (X q : Y q : Z q ) = (X : Y : Z) = P }. So E(F q ) is the set theoretic kernel of Φ 1. And #E(F q ) is the number of K points in the kernel of Φ Id. This is the separable degree deg s (Φ Id). It is a fact that Φ Id is separable (it acts on differentials like Id). So deg s (Φ 1) = deg(φ 1) = (Φ 1)(ˆΦ 1) = q + 1 Tr(Φ) = q + 1 t. Example Let K = Z/3Z and X the elliptic curve with affine equation y 2 = x 3 + x. The characteristic polynomial of Φ = Φ (3) is T 2 tt +3. The number of points #X(F 3 ) is 3+1 t. We have counted 4 points on X. So t = 0. The ring generated by Φ is isomorphic to Z[X]/(X 2 tx + q) Z[ 3] here. We deduce that the trace of Φ k = Φ (3k) is ( 3) k + ( 3) k and the cardinality as already observed. X(F 3 k) = 3 k + 1 ( 3) k ( 3) k,

8 8 SUMMARY OF LECTURE 3 5. USING MAGMA TO PLAY WITH GENERIC POINTS We comment the following instructions in MAGMA. >Q:=Rationals(); The base field is the field Q of rationals. >X := EllipticCurve([ Q 1, 1]); We consider the elliptic curve X over Q with Weierstrass equation y 2 = x 3 + x + 1. >K<y> := FunctionField(X); >F<x> := BaseRing(K); The function field K = Q(X) of X is the field of fractions of the quotient ring Q[x, y]/(y 2 x 3 x 1). >XK := BaseChange(X, K); >P:=XK! [x,y,1]; We base change E to its own function field. So we have an evident non-trivial point on X Q K. This point P is what André Weil in his foundations [Wei] calls a generic point on X. > -P; (x : -y : 1) The coordinates of P give us the formula for the involution. > P+P; ((1/4*x^4-1/2*x^2-2*x + 1/4)/(x^3 + x + 1) : (1/8*x^6 + 5/8*x^4 + 5/2*x^3-5/8*x^2-1/2*x - 9/8) /(x^6 + 2*x^4 + 2*x^3 + x^2 + 2*x + 1)*y : 1) The coordinates of 2P give us the formula for the multiplication by 2. The x 3 + x + 1 in the denominator is very important : it vanishes for non-trivial points of order 2. This is the division polynomial of order 2. > P+P+P; ((1/9*x^9-4/3*x^7-32/3*x^6 + 10/3*x^5-8/3*x^4 + 28/3*x^3 + 16/3*x^2 + 35/3*x + 8) /(x^8 + 4*x^6 + 8*x^5 + 10/3*x^4 + 16*x^3 + 44/3*x^2-8/3*x + 1/9) : (1/27*x^ /27*x^ /27*x^9-55/9*x^8-176/9*x^7-1868/27*x^6 + 88/9*x^5-1145/27*x^4-400/27*x^3-238/9*x^2-1028/27*x - 611/27) /(x^12 + 6*x^ *x^9 + 11*x^8 + 48*x^7 + 52*x^6 + 40*x^ /3*x^4 + 48*x^3-46/3*x^2 + 4/3*x - 1/27)*y : 1) This time we obtain the degree 8 polynomial x 8 + 4x 6 + 8x /3x x /3x 2 8/3x + 1/9 vanishing at every non-zero point of order 3. This is the 3-division polynomial. Using fast exponentiation we can efficiently compute np and deduce the n-division polynomials. Equivalently, text books provide explicit recurrence formulae.

9 ALGORITHMS FOR ALGEBRAIC CURVES 9 REFERENCES [Eng] Andreas Enge. Elliptic Curves and Their Applications to Cryptography - an introduction. Kluwer, [Gat] J. Von Zur Gathen and J. Gerhard. Modern Computer Algebra. Cambridge University Press. [Knu] Donald E. Knuth. The Art of Computer Programming. Four volumes. Addison-Wesley. [Pap] C.H. Papadimitriou. Computational complexity. Addison Wesley, Reading, [Sil] J. Silverman. The arithmetic of elliptic curves. Lecture Notes in Math. 106, Springer, Berlin, [Vel1] J. Vélu. Isogénies entre courbes elliptiques. Comptes Rendus de l Académie des Sciences, Série I, 273, pp , [Vel2] J. Vélu. Courbes elliptiques munies d un sous-groupe Z/nZ µ n. Mémoires de la Société Mathématique de France, no. 57 (1978), pp [Wei] A. Weil. Foundations of Algebraic Geometry. American Mathematical Society Colloquium Publications, vol. 29, 1946.