Genus 2 Curves of p-rank 1 via CM method

Transcription

1 School of Mathematical Sciences University College Dublin Ireland and Claude Shannon Institute April 2009, GeoCrypt Joint work with Laura Hitt, Michael Naehrig, Marco Streng

2 Introduction This talk is about using the CM method to construct genus 2 curves over finite fields with p-rank 1 and certain additional properties. We discuss reduction of class polynomials mod p in this setting. Paper on arxiv.org/abs/ Update coming soon

3 A Class of Problems in Computational Number Theory Construct an explicit curve over F q with Property X...

4 A Class of Problems in Computational Number Theory Construct an explicit curve over F q with Property X... Problem 1: Construct a genus 2 curve with p-rank 1 over F q, whose Jacobian has a prime number of F q -rational points. Problem 2: Construct a genus 2 curve with p-rank 1 over F q that has small embedding degree. These problems have been studied in the ordinary case: Spallek, Eisentrager-Lauter, Gaudry-Houtmann-Kohel-Ritzenthaler-Weng for problem 1 Freeman-Stevenhagen-Streng for problem 2 Also, q might be prescribed, or perhaps not q but the size of q. The number of points might be prescribed, or perhaps just its size. Usually the genus is prescribed.

5 The p-rank The p-rank of an abelian variety A defined over F q is the F p -dimension of the subgroup of p-torsion points (defined over F q ). The p-rank lies between 0 and dim(a), and is invariant under isogeny. If p-rank is equal to dim(a) we say A is ordinary.

6 The p-rank The p-rank of an abelian variety A defined over F q is the F p -dimension of the subgroup of p-torsion points (defined over F q ). The p-rank lies between 0 and dim(a), and is invariant under isogeny. If p-rank is equal to dim(a) we say A is ordinary. For an elliptic curve (so dim(a) = 1) if p-rank is 0 we say A is supersingular. A is called supersingular if A is isogenous (over F q ) to E g where E is a supersingular elliptic curve.

7 The p-rank The p-rank of an abelian variety A defined over F q is the F p -dimension of the subgroup of p-torsion points (defined over F q ). The p-rank lies between 0 and dim(a), and is invariant under isogeny. If p-rank is equal to dim(a) we say A is ordinary. For an elliptic curve (so dim(a) = 1) if p-rank is 0 we say A is supersingular. A is called supersingular if A is isogenous (over F q ) to E g where E is a supersingular elliptic curve. If dim(a) = 2 then supersingular p-rank is 0. If dim(a) = 2 then there are three types: ordinary, supersingular and p-rank 1 (intermediate, mixed, almost ordinary).

8 Complex Multiplication A CM field is a totally imaginary quadratic extension of a totally real algebraic number field of finite degree. In particular, a field K is a quartic CM field if K is an imaginary quadratic extension of a totally real field K 0 of degree 2 over Q. Definition Let C be a curve of genus 2 defined over k = F q, and let K be a quartic CM field. For any order O of K, we say that C has complex multiplication (CM) by O if End k (J C ) = O. We say that C has CM by K if C has CM by an order in K. We will assume O = O K.

9 Complex Multiplication An elliptic curve is ordinary if and only if its endomorphism ring is commutative. Note that this is false in dimension 2. Lemma Let A be a simple 2-dimensional abelian variety defined over a finite field k. If A has p-rank 1, then A is absolutely simple, and End 0 k (A) = End0 (A) is a CM field of degree 4. k

10 The moduli space of curves of genus 2 over C is 3-dimensional. Its function field is generated by three invariants (j 1, j 2, j 3 ) called the (absolute) Igusa invariants of C. We define three Igusa class polynomials of an order O of a primitive quartic CM field K by H O,l = s (x j (i) l ) Q[x] i=1 for l = 1, 2, 3. Here s is the number of isomorphism classes of 2-dimensional principally polarized abelian varieties over C with CM by O, and the product is over the invariants j (i) l from the s classes. We assume O = O K.

11 The CM Method We divide the genus 2 CM method into three parts. Input: K a quartic CM field 1 Find p and a quartic Weil q-number/polynomial with the right properties for your demands. 2 Given a Weil q-polynomial, output the reduced lifted invariants. This includes computing or looking up the class polynomials. Three ways to do this: complex analytic (Spallek, Weng) p-adic (Gaudry et al), CRT (Eisentrager-Lauter). Includes reducing the class polynomials (invariants) mod p. 3 Construct the curve from the invariants. (one way to do this: Mestre) Choose this curve or a twist.

12 The CM Method We divide the genus 2 CM method into three parts. Input: K a quartic CM field 1 Find p and a quartic Weil q-number/polynomial with the right properties for your demands. 2 Given a Weil q-polynomial, output the reduced lifted invariants. This includes computing or looking up the class polynomials. Three ways to do this: complex analytic (Spallek, Weng) p-adic (Gaudry et al), CRT (Eisentrager-Lauter). Includes reducing the class polynomials (invariants) mod p. 3 Construct the curve from the invariants. (one way to do this: Mestre) Choose this curve or a twist. Our paper concerns Part 1, and the last piece of Part 2.

13 Reduction Modulo p Let A be an (PP) abelian surface with CM by K. Let p be a rational prime. Let p be a prime of Q(j 1, j 2, j 3 ) lying over p, and suppose A has good reduction at p. Key Fact: The splitting behaviour of p in O K determines the p-rank of the reduction of A modulo p.

14 Reduction Modulo p Let A be an (PP) abelian surface with CM by K. Let p be a rational prime. Let p be a prime of Q(j 1, j 2, j 3 ) lying over p, and suppose A has good reduction at p. Key Fact: The splitting behaviour of p in O K determines the p-rank of the reduction of A modulo p. e.g. For elliptic curves, the reduction is ordinary iff p splits completely. For dimension 2, Goren worked out the cases assuming p is unramified. Gaudry et al extended this to the ramified case. Note K must be non-galois for the reduction to be simple of p-rank 1.

15 p-rank 1 Reductions The part of the results of Goren, Gaudry et al, that applies to p-rank 1 is as follows. Lemma Let K be a quartic CM field and C a curve of genus 2 over a number field L K with endomorphism ring O K. Let p be a prime number and p a prime of O L, lying over p. The reduction of C modulo p is a genus-2 curve with p-rank 1 if and only if (p) factors in O K as (p) = p 1 p 2 p 3 or (p) = p 1 p 2 p 2 3. Alexey Zaytsev is developing these ideas. Primes p with (p) = p 1 p 2 p 2 3 will divide the discriminant of K.

16 2 K 2 L 2 K 0 2 K r K r 0 K r (j 1, j 2, j 3 ) H r Q(j 1, j 2, j 3 ) 2 2 Q

17 Field of Definition of Reduction If po K factors as p 1 p 2 p 3 then it is easy to show that p is inert in K r 0, then splits in K r, and so has inertial degree 2. Using also the main theorem of complex multiplication (Shimura), the reduction modulo a prime of Q(j 1, j 2, j 3 ) above p will be defined over F p 2.

18 Field of Definition of Reduction If po K factors as p 1 p 2 p 3 then it is easy to show that p is inert in K r 0, then splits in K r, and so has inertial degree 2. Using also the main theorem of complex multiplication (Shimura), the reduction modulo a prime of Q(j 1, j 2, j 3 ) above p will be defined over F p 2. [ If po K factors as p 1 p 2 p 2 3 then the reduction is defined over F p. For each prime p dividing the discriminant of K, check if po K factors as p 1 p 2 p 2 3. If so, we have a curve of p-rank 1 over F p. No control over size of p, it is small. Might be no such p. If there is a p, number of points on Jacobian may not be prime. ]

19 Algorithm 1 Algorithm Input: A non-galois CM field K of degree 4 and a positive integer n Output: A prime p of n bits and a curve of genus 2 over F p 2 has p-rank 1 and a Jacobian with a prime number of rational points. 1 Take a random prime p of n bits. 2 If po K factors as p 1 p 2 p 3, where p 3 has degree 2, continue. Otherwise, go to step 1. 3 If p 1 is principal and generated by α, let π = αα 1 p. Otherwise, go to step 1. 4 If N(uπ 1) is prime for some u {±1}, then replace π by uπ. Otherwise, go to step 1. that 5 Compute the curve corresponding to π using steps 2 and 3 of the CM method and return this curve.

20 Algorithm 2 Algorithm Input: A non-galois CM field K of degree 4, a positive integer κ and a prime number r 1 (mod 2κ) which splits completely in K. Output: A prime p and a curve of genus 2 over F p 2 that has p-rank 1 and embedding degree κ with respect to r. 1 Let r be a prime of K dividing r and let s = rr 1 r 1. 2 Take a random element x of F r and a primitive 2κ-th root of unity ζ. 3 Take α O K \ O K0 such that α mod r = x, α mod r = xζ and α mod s = x 1. 4 If p = N(α) is prime in Z and different from r, continue. Otherwise, go to Step 2. 5 If the prime β = N(α)α 1 α 1 of O K0 remains prime in O K, let π = α 2 β and p = N(α). Otherwise, go to Step 2. 6 Compute the curve corresponding to π using the CM method.

21 Example The heuristic running time is polynomial in n. In practice get curves of cryptographic size in 10 seconds.

22 Example The heuristic running time is polynomial in n. In practice get curves of cryptographic size in 10 seconds. We provide examples such that the Jacobian J C (F p 2) has prime order. The CM field for all examples is K = Q(α), where α is a root of X X Q[X ] of class number 2. We give the coefficients c i F p 2 of the curve equation C : y 2 = c 6 x 6 + c 5 x 5 + c 4 x 4 + c 3 x 3 + c 2 x 2 + c 1 x + c 0. The group order of the Jacobian can be computed as #J C (F p 2) = p a 1 (p 2 + 1) + a 2. The field F q = F p 2 is given as F p (σ), where σ has the minimal polynomial f σ = X F p [X ], i. e. σ = 3 F q.

23 Example p = a 1 = a 2 = c 6 = σ c 5 = σ c 4 = σ c 3 = σ c 2 = σ c 1 = σ c 0 = σ

24 Refinement Let the class polynomials be H 1 (x), H 2 (x), H 3 (x). In the CM method, we need to reduce the invariants mod p. We pick one root j 1 F q of H 1 (x) mod p (or for every irreducible factor h of H 1 (x)) and for each, take all roots j 2, j 3 F q of H 2 mod p and H 3 mod p. There are more triples than the triples that correspond to the reductions of CM curves.

25 Refinement Let the class polynomials be H 1 (x), H 2 (x), H 3 (x). In the CM method, we need to reduce the invariants mod p. We pick one root j 1 F q of H 1 (x) mod p (or for every irreducible factor h of H 1 (x)) and for each, take all roots j 2, j 3 F q of H 2 mod p and H 3 mod p. There are more triples than the triples that correspond to the reductions of CM curves. One refinement put forth in Gaudry et al is to replace H 2 (x) and H 3 (x) by two other polynomials in such a way that they directly only yield the correct triples (j 1, j 2, j 3 ). This refinement requires H 1 (x) to have a root of multiplicity 1 mod p.

26 Class Polynomials mod p p p (a 1, a 2 ) [D, A, B] h K H 1 (x) mod p H 1 (x) mod p (4,16) [8,22,113] 4 (x 2)(x 5)(x 2 + x + 6) (x + 25) 2 (x + 50) (3,3) [53,25,37] 3 x(x + 2) 2 (x 3 + 6x 2 + x + 2) (x x x + 16) (2,13) [8,50,617] 3 x(x + 2) 2 (x 3 + 3x 2 + 3x + 3) (x x x + 410) (8,35) [12, 50, 433] 2 x(x 6)(x 2 + 8x + 10) (x + 152) 2 (x + 304) (7,25) [37,45,53] 3 (x 3)(x 4)(x 5) - (x 3 + 8x 2 + 9x + 1) (4,23) [12, 74, 1321] 4 x(x 8) 2 (x 9) (x x + 178) 2 (x 4 + 4x x 2 + 2x + 4) (x x ) (2,-8) [124, 24, 20] 4 (x + 3)(x + 6)(x 2 + 9x + 4) x (7,31) [29,65,701] 3 (x + 1)(x + 7) 2 (x x x + 456) 2 (x 3 + 4x 2 + 6x + 8) (2,-11) [152, 26, 17] 2 (x + 7)(x + 11)(x 2 + 2x + 8) (x 2 + 6x + 4) (1,-25) [237,17,13] 2 x(x + 2)(x 2 + 2x + 7) (x 2 + 6) (9,41) [53, 69, 117] 4 x(x + 1)(x 2 + 8x + 11) (x 2 + 6x + 1) (10,57) [8,82,1481] 3 x(x + 2)(x + 4) (x x x ) 2 (x 3 + 7x x + 5) (11,67) [5, 89, 1829] 4 (x + 2)(x + 6) 2 (x + 15) (x + 7) 2 (x + 28) 2 (x + 50) 4 (x x + 13)(x x + 6) Table: Factorization of H 1 (x) modulo primes that split as p 1 p 2 p 2 3 in K, where K was generated by the characteristic polynomial of Frobenius of Jacobians of ordinary genus 2 curves defined over F p.

27 Class Polynomials mod p We show using elementary class field theory that this refinement will work when (p) = p 1 p 2 p 3 and will not work when (p) = p 1 p 2 p 2 3. In the latter case we provide a modification. We use the Kummer-Dedekind Theorem which states that the factorization of H 1 (x) modulo p reflects the factorization of (p) into prime ideals in Q(j 1 ).

28 Advertisment 9th International Finite Fields Conference University College Dublin and Claude Shannon Institute Dublin, Ireland, July