An introduction to the algorithmic of p-adic numbers

Transcription

1 An introduction to the algorithmic of p-adic numbers David Lubicz 1 1 Universté de Rennes 1, Campus de Beaulieu, Rennes Cedex, France

2 Outline Introduction 1 Introduction

3 When do we need p-adic numbers? In elliptic curve cryptography, most of time, the important objects to manipulate are finite fields F q. Sometimes, we would like to use formulas coming from the classical theory of elliptic curves over C but they have no meaning in characteristic p because for instance they imply the evaluation of 1/p.

4 Cryptographic applications Main cryptographic applications of p-adic numbers : point counting algorithms; CM-methods; isogeny computations.

5 What are the p-adic numbers? A dictionary : Function fields C[X] C(X) a monomial (X α) finite extension of C(X) Laurent series about α Number theory Z Q p prime finite extension of Q p-adic numbers

6 Construction of p-adic numbers I Let p be a prime, let A n = Z/p n Z. We have a natural morphism φ : A n A n 1 provided by the reduction modulo p n 1. The sequence... A n A n 1... A 2 A 1 is an inverse system. Definition The ring of p-adic numbers is by definition Z p = lim(a n, φ n ).

7 Construction of p-adic numbers II An element of a = Z p can be represented as a sequence of elements a = (a 1, a 2,..., a n,...) with a i Z/p i Z and a i mod p i 1 = a i 1. The ring structure is the one inherited from that of Z/p i Z. The neutral element is (1,..., 1,...). There exists natural projections p i : Z p Z/p i Z, a a i = a mod p i.

8 I Proposition Let x Z p, x is invertible if and only if x mod p is invertible. Let x Z p, there exists a unique (u, n) where u is an invertible element of Z p and n a positive integer such that x = p n u. The integer n is called the valuation of x and denoted by v(x).

9 II Z p is a characteristic 0 ring; Z p is integral; Z p has a unique maximal ideal O p = {x Z p v(x) > 0}; There is a canonical isomorphism Z p /O p F p.

10 The field of p-adics Definition The field of p-adic numbers noted Q p is by definition the field of fractions of Z p. The valuation of Z p extend immediately to Q p by letting v(x/y) = v(x) v(y) for x, y Z p ; Q p comes with a norm called the p-adic norm given by x Qp = p v(x).

11 Representation as a series I Definition An element π Z p is called a uniformizing element if v(π) = 1. Let p 1 be the canonical projection from Z p to F p. A map ω : F p Z p is a system of representatives of F p if for all x F p we have p 1 ( ω(x) ) = x. Definition An element x Z p is called a lift of an element x 0 F p if p 1 (x) = x 0. Consequently, for all x F p, ω(x) is a lift of x.

12 Representation as a series II Let π be a uniformizing element of Z p, ω a system of representatives of F p in Z p and x Z p. Let n = v(x), then x/π n is an invertible element of Z p and there exists a unique x n F p such that v ( x π n ω(x n ) ) = n + 1. Iterating this process, we obtain that Proposition There exists a unique sequence (x i ) i 0 of elements of F p such that x = ω(x i )π i. i=0

13 I Let K be a finite extension of Q p defined by an irreducible polynomial m Q p [X]. There exists a unique norm K on K extending the p-adic norm on Q p. R = {x K x K 1} is the valuation ring of K. M = {x R x K < 1} is be the unique maximal ideal of R.

14 Field extension II Definition Keeping the notation from above : The field F q = R/M is an algebraic extension of F p, the degree of which is called the inertia degree of K and is denoted by f. The absolute ramification index of K is the integer e = v K ( ψ(p) ), where ψ : Z K is the canonical embedding of Z into K.

15 Unramified extensions I We have the Theorem Let d be the degree of K /Q p, then d = ef. Definition Let K /Q p be a finite extension. Then K is called absolutely unramified if e = 1. An absolutely unramified extension of degree d is denoted by Q q with q = p d and its valuation ring by Z q.

16 Unramified extensions II Proposition Let K be a finite extension of Q p defined by an irreducible polynomial m Q p [X]. Denote by P 1 the reduction morphism R[X] F q [X] induced by p 1 and let m be the irreducible polynomial defined by P 1 (m). The extension K /Q p is absolutely unramified if and only if deg m = deg m. Let d = deg m and F q = F p d the finite field defined by m, then we have p 1 (R) = F q.

17 Unramified extensions III The classification of unramified extension is given by their degree. Proposition Let K 1 and K 2 be two unramified extensions of Q p defined respectively by m 1 and m 2 then K 1 K 2 if and only if deg m 1 = deg m 2.

18 Unramified extensions IV The Galois properties of unramified extensions of Q p is the same as that of finite fields. Proposition An unramified extension K of Q p is Galois and its Galois group is cyclic generated by an element Σ that reduces to the Frobenius morphism on the residue field. We call this automorphism the Frobenius substitution on K.

19 Lefschetz principle I The field Q p and its unramified extensions enjoy several important properties: Their Galois groups reflect the structure of finite field extensions; Their are big enough to be characteristic 0 fields......but small enough so that there exists an field morphism K C for any K finite extension of Q p. Warning : Q p /Q is NOT an algebraic extension.

20 Lefschetz principle II The so-called Lefschetz principle consists in lifting objects defined over finite fields over the p-adics, then embedding the p-adics into C where we can obtain algebraic relations using analytic methods, and then interpret these relations over finite fields by reduction modulo p.

21 I Introduction Proposition Let K be an unramified extension of Q p with valuation ring R and norm K. Let f R[X] and let x 0 R be such that then the sequence f (x 0 ) K < f (x 0 ) 2 K x n+1 = x n f (x n) f (x n ) (1) converges quadratically towards a zero of f in R.

22 II The quadratic convergence implies that the precision of the approximation nearly doubles at each iteration. More precisely, let k = v K ( f (x 0 ) ) and let x be the limit of the sequence (1). Suppose that x i is an approximation of x to precision n, i.e. v K (x x i ) n, then x i+1 = x i f (x i )/f (x i ) is an approximation of x to precision 2n k.

23 Hensel lift Introduction Lemma (Hensel) Let f, A k, B k, U, V be polynomials with coefficients in R such that f A k B k (mod M k ), U(X)A k (X) + V (X)B k (X) = 1, with A k monic and deg U(X) < deg B k (X) and deg V (X) < deg A k (X) then there exist polynomials A k+1 and B k+1 satisfying the same conditions as above with k replaced by k + 1 and A k+1 A k (mod M k ), B k+1 B k (mod M k ).

24 Representation of p adic integers In practice, one computes with p-adic integers up to some precision N. An element a Z p is approximated by p N (a) Z/p N Z. The arithmetic reduces to the arithmetic modulo p N. For a given precision N, each element takes O(N log p) space.

25 Polynomial representation I Let Q q be the unramified extension of Q p of degree d. By proposition 3, Q q is defined by any polynomial M[X] Z p [X] such that m = P 1 (M) F p [X] is an irreducible degree d polynomial. We can assume that M is monic. As a consequence every a Q q can be written as a = d 1 i=0 a ix i with a i Q p and every b Z q can be written as b = d 1 i=0 b ix i with b i Z p. In order to make the reduction modulo M very fast, we choose M sparse.

26 Polynomial representation II In general, we work with Z q up to precision N. This can be done by computing in (Z/NZ)[X]/(M N ) where M N is the reduction of M modulo p N. The size of an object is O(dN log(p)).

27 Polynomials representation III Two common choices to speed up arithmetic in Z q : sparse modulus representation : we deduce M by lifting in a trivial way the coefficients of m. The reduction modulo M of a polynomial of degree less than 2(d 1) takes d(w 1) multiplication of a Z/NZ element by a small integer and dw subtractions in Z p where w is the number of non zero coefficients in M. Teichmüller modulus representation : We define M as the unique polynomial over Z p such that M(X) X q X and M(X) mod p = m(x). In this representation we have Σ(X) = X p.

28 Multiplication I The arithmetic in Z p with precision N is the same thing as the arithmetic in Z/p N Z. The multiplication of two elements of Z p takes O(N µ ) where µ is the exponent in the multiplication estimate of two integers (µ = 1 + ɛ with FFT, µ = log 3 with Karatsuba, and µ = 2 with school book method);

29 Multiplication II The multiplications of two elements of Z q is equivalent to the multiplication of two polynomials in (Z/NZ)[X] which take O(d ν N µ ) time (here ν is the exponent of the complexity function for the multiplication of two polynomials). In all the complexity of the multiplication of two p-adics is O(d ν N µ ).

30 Computing inverse with In order to inverse a Z q can be done by computing an inverse of p 1 (a) F q ; taking any lift z 1 Z q of 1/p 1 (a) F q ; z 1 is an approximation to precision 1 of the root of the polynomial f (X) = 1 ax; lifting the root z 1 to a given precision with Newton.

31 Computing inverse with Inverse Input: A unit a Z q and a precision N Output: The inverse of a to precision N 1 If N = 1 Then 2 z 1/a mod p 3 Else 4 z Inverse(a, N 2 ) 5 z z + z(1 az) mod p N 6 Return z

32 Computing inverse with We go through the log(n) iterations; The dominant operation is a multiplication of elements of Z q with precision N : this can be done in O(d ν N µ ) time; The overall complexity is O(log(N)d ν N µ ).

33 Computing square root with In the same way it, one can compute the inverse square root of a Z q to precision N in time O(log(N)d ν N µ ); Principle: compute the square root mod p and then do a with the polynomial f (X) = 1 ax 2 ; For a reference ([CFA + 06] pp. 248).

34 The AGM algorithm I Elliptic curve AGM Input: An ordinary elliptic curve E : y 2 + xy = x 3 + c over F 2 d with j(e) 0. Output: The number of points on E(F 2 d ). 1 N d a 1 and b (1 + 8c) mod For i = 5 To N Do 4 (a, b) ( (a + b)/2, ab ) mod 2 i 5 a 0 a

35 The AGM algorithm II 1 For i = 0 To d 1 Do 2 (a, b) ( (a + b)/2, ab ) mod 2 N 3 t a 0 a mod 2N 1 4 If t 2 > 2 d+2 Then t t 2 N 1 5 Return 2 d + 1 t

36 Complexity of the AGM algorithm You know everything you need to see that the complexity is quasi-cubic.

37 The End Introduction Thank you for your attention. Any question?

38 Henri Cohen, Gerhard Frey, Roberto Avanzi, Christophe Doche, Tanja Lange, Kim Nguyen, and Frederik Vercauteren, editors. Handbook of elliptic and hyperelliptic curve cryptography. Discrete Mathematics and its Applications (Boca Raton). Chapman & Hall/CRC, Boca Raton, FL, Neal Koblitz. p-adic numbers, p-adic analysis, and zeta-functions, volume 58 of Graduate Texts in Mathematics. Springer-Verlag, New York, second edition, Alain M. Robert.

39 A course in p-adic analysis, volume 198 of Graduate Texts in Mathematics. Springer-Verlag, New York, J.-P. Serre. A course in arithmetic. Springer-Verlag, New York, Translated from the French, Graduate Texts in Mathematics, No. 7. Jean-Pierre Serre. Local fields, volume 67 of Graduate Texts in Mathematics. Springer-Verlag, New York, Translated from the French by Marvin Jay Greenberg.