The point decomposition problem in Jacobian varieties

Transcription

1 The point decomposition problem in Jacobian varieties Alexandre Wallet ENS Lyon, Laboratoire LIP, Equipe AriC 1 / 38

2 1 Generalities Discrete Logarithm Problem Short State-of-the-Art for curves About Index-Calculus 2 Harvesting and Decomposition attacks 3 Degree reduction and practical computations 4 Summation Ideals 5 A geometric recreation: harvesting by sieving 2 / 38

3 Discrete Logarithm Problem (DLP) Let g, h = [x] g (G, +), with x Z. Compute x. Is this a hard problem? Classic Generic group: yes For some groups: no Cryptography: yes Quantum NO Security basis for Diffie-Hellman, El-Gamal, Digital Signatures,... Today s groups: Elliptic curves E(F q ) Jacobian of algebraic curves J Fq (C) 3 / 38

4 Computing Discrete Logs exp. time Generic alg. lower bound: DLP ON CURVES : genus : #Field Index Calculus "Small genus" Decomposition Baby-steps Giant-steps -Pollard subexp. time ~ [G'00], [D'07] [GTTD'07] "Large genus" [G'09,D'11],[N'10] [GTTD'07] "Large degree" poly. time [ADH'99], [EGS'02] [EGTT'13] 4 / 38

5 Situation for elliptic curves For cryptography: mostly elliptic curves (g = 1) Elliptic curves over prime fields over extension fields Generic only Decomposition attacks Transfer attacks Higher genus Finite field 5 / 38

6 About Index-Calculus : algebraic curve : Jacobian variety of Inputs 1) Select Factor base too small: harvesting too hard trade-off [GTTD'07] too big: linear algebra too long Harvesting 2) Find relations: T sparse matrix + easy to enumerate + elements should be "small" Several techniques Today: over done by solving polynomial systems Linear Algebra 1) Compute s.t. (aka: Decomposition attacks) Complexity 2) Use to retrieve linalg ~ well-known Discrete Logarithm harvest. ~ x Find 1 relation What about this? 6 / 38

7 Today s target: harvesting in Index-Calculus for curves over F q n. Motivations: Algorithmic Number Theory Computational Algebraic Geometry Cryptography Compute discrete logs in abelian varieties. How efficient can we be? Transfer attacks! 7 / 38

8 1 Generalities 2 Harvesting and Decomposition attacks What is a relation? How to find a relation? Complexity and Polynomial System Solving 3 Degree reduction and practical computations 4 Summation Ideals 5 A geometric recreation: harvesting by sieving 8 / 38

9 Algebraic curves, Jacobian varieties, group law C : P(x, y) = 0, for some P F q [X, Y ], algebraic curve of genus g. g = 1: elliptic: y 2 = x 3 + Ax + B, A, B F q g = 2: hyperelliptic: y 2 + h 1 (x)y = x h 1 F q [x], deg h 1 2 g 3: hyperelliptic: y 2 + h 1 (x)y = x 2g h 1 F q [x], deg h 1 g Non-hyperelliptic (all the rest). 9 / 38

10 Algebraic curves, Jacobian varieties, group law C : P(x, y) = 0, for some P F q [X, Y ], algebraic curve of genus g. Fix a point O. J (C): Jacobian variety J (C) is a quotient group. Its elements are reduced divisors. In practice, a reduced divisor is D = k P i ko. i=1 for some P 1,..., P k C, k g Ex: g = 1, E elliptic, point at infinity O P 3 Line through P 1, P 2 : f (x, y) = 0. In J (E) : P 1 + P 2 +P 3 3O = 0, so that (P 1 O) + (P 2 O) = ([ P 3 ] O). P 1 P 2 P 3 9 / 38

11 Algebraic curves, Jacobian varieties, group law C : P(x, y) = 0, for some P F q [X, Y ], algebraic curve of genus g. Fix a point O. J (C): Jacobian variety J (C) is a quotient group. Its elements are reduced divisors. In practice, a reduced divisor is D = k P i ko. i=1 for some P 1,..., P k C, k g Ex: g = 2, H hyperelliptic, point at infinity O Cubic through P 1,..., P 4 : f (x, y) = 0 In J (H) : P 1 + +P 6 6O = 0 P 5 P 6 P 4 so that: (P 1 + P 2 2O) }{{} + (P 3 + P 4 2O) }{{} D 1 + D 2 = [ P 5 ] + [ P 6 ] 2O }{{} D 3 P 2 P 1 P 6 P 3 P 5 9 / 38

12 Geometry of relations Point m-decomposition Problem (PDP m ) Let H be a curve of genus g, R J (H) and F J (H). Find, if possible, D 1,..., D m F s.t. R = D D m. Harvesting = solving multiple PDP m instances, for some fixed m. 10 / 38

13 Geometry of relations Point m-decomposition Problem (PDP m ) Let H be a curve of genus g, R J (H) and F J (H). Find, if possible, D 1,..., D m F s.t. R = D D m. Harvesting = solving multiple PDP m instances, for some fixed m. Let R = i (x R i, y Ri ) go J (H). R = i,j (x D ij, y Dij ) mgo f (x, y) s.t.: f (x Ri, y Ri ) = f (x Dij, y Dij ) = 0. Such f s form a linear space of finite dim: f Span(f 1,..., f d ) f = d a i f i i=1 Goal: find (a i ) i d. 10 / 38

14 Geometry of relations Point m-decomposition Problem (PDP m ) Let H be a curve of genus g, R J (H) and F J (H). Find, if possible, D 1,..., D m F s.t. R = D D m. Harvesting = solving multiple PDP m instances, for some fixed m. Let R = i (x R i, y Ri ) go J (H). R = i,j (x D ij, y Dij ) mgo f (x, y) s.t.: Ex: g = 2 and m = 2 D i = D i1 + D i2 2O. f (x Ri, y Ri ) = f (x Dij, y Dij ) = 0. Such f s form a linear space of finite dim: f Span(f 1,..., f d ) f = d a i f i i=1 Goal: find (a i ) i d. R 1 R 2 10 / 38

15 Geometry of relations Point m-decomposition Problem (PDP m ) Let H be a curve of genus g, R J (H) and F J (H). Find, if possible, D 1,..., D m F s.t. R = D D m. Harvesting = solving multiple PDP m instances, for some fixed m. Let R = i (x R i, y Ri ) go J (H). R = i,j (x D ij, y Dij ) mgo f (x, y) s.t.: Ex: g = 2 and m = 2 D i = D i1 + D i2 2O. f (x Ri, y Ri ) = f (x Dij, y Dij ) = 0. Such f s form a linear space of finite dim: f Span(f 1,..., f d ) f = d a i f i i=1 Goal: find (a i ) i d. D 12 R 1 D 11 D 21 D 22 R 2 10 / 38

16 Solving PDP m [G 09], [N 10], [D 11] Goal: Find (a i ) i d in a smart way Assume base field is F q n = Span Fq (1, t,..., t n 1 ) 11 / 38

17 Solving PDP m [G 09], [N 10], [D 11] Goal: Find (a i ) i d in a smart way Assume base field is F q n = Span Fq (1, t,..., t n 1 ) Restriction of scalars Write x = j x j t j, x j F q, x = (x 1,..., x n): (x, y) H ( x, ȳ) W where W: Weil Restriction of H over F q Factor base: F = {P O : P H, x(p) F q} = W {x j = 0} j>0 11 / 38

18 Solving PDP m [G 09], [N 10], [D 11] Goal: Find (a i ) i d in a smart way Assume base field is F q n = Span Fq (1, t,..., t n 1 ) Restriction of scalars Write x = j x j t j, x j F q, x = (x 1,..., x n): (x, y) H ( x, ȳ) W where W: Weil Restriction of H over F q Factor base: F = {P O : P H, x(p) F q} = W {x j = 0} j>0 Decomposition Polynomial DP R Resy (H, f ) DP R (x) = (x xri ) = xm + m 1 N i ((a i ))x i i=0 If f describes R = i,j (x ij, y ij ) mo: DP R (x ij ) = 0, i m, j n 1 Write N i ((a i )) = j 0 N ij ((ā i ))t j : D 1,..., D m F DP R (x) F q[x] N ij ((ā i )) = 0, i, j > 0 11 / 38

19 Solving PDP m [G 09], [N 10], [D 11] Goal: Find (a i ) i d in a smart way Assume base field is F q n = Span Fq (1, t,..., t n 1 ) Restriction of scalars Write x = j x j t j, x j F q, x = (x 1,..., x n): (x, y) H ( x, ȳ) W where W: Weil Restriction of H over F q Factor base: F = {P O : P H, x(p) F q} = W {x j = 0} j>0 Decomposition Polynomial DP R Resy (H, f ) DP R (x) = (x xri ) = xm + m 1 N i ((a i ))x i i=0 If f describes R = i,j (x ij, y ij ) mo: DP R (x ij ) = 0, i m, j n 1 Write N i ((a i )) = j 0 N ij ((ā i ))t j : D 1,..., D m F DP R (x) F q[x] N ij ((ā i )) = 0, i, j > 0 Finding relations solving Polynomial systems. For m = ng, {N ij (ā i ) = 0} i m,j>0 is generally 0-dimensional. 11 / 38

20 Solving 0-dimensional systems with Gröbner Bases tools Original System DRL Basis F4, F5 Change order FGLM Univariate Solving n variables s equations : degree of regularity D: #solutions O(s ( ) n+ ω) O(nD ω ) ω: lin. alg. exponent 12 / 38

21 Solving 0-dimensional systems with Gröbner Bases tools Original System DRL Basis F4, F5 Change order FGLM Univariate Solving n variables s equations : degree of regularity D: #solutions O(s ( ) n+ ω) O(nD ω ) In PDP ng setting F q n, genus g = Õ(D1/n ) D = 2 n(n 1)g 1 relation costs O((ng)!D ω ) + Proba that all roots of DP R in F q 1/(ng)! D is the main complexity parameter. Can we reduce it? 12 / 38

22 Situation Known reductions: [FGHR 14], [FHJRV 14], [GG 14] Uses Summation polynomials and symmetries (invariant theory) Higher genus: No reduction known before only for g = 1 (elliptic curves). Ex: g = 2, n = 3, log q = 15 Find 1 relation 12 days. Contributions 1 : Reduction of D for hyperelliptic curves of all genus, if q = 2 n. Practical harvesting on a meaningul curve (#J (H) 184 bits prime). 1 J-C. Faugère, A.W., The Point Decomposition Problem in Hyperelliptic Curves. Designs, Codes and Cryptography [In revision] 13 / 38

23 1 Generalities 2 Harvesting and Decomposition attacks 3 Degree reduction and practical computations Structure of DP R Degree reduction Impact, comparisons 4 Summation Ideals 5 A geometric recreation: harvesting by sieving 14 / 38

24 Structure of DP R in even characteristic, part 1 H : y 2 + h 1 (x)y = h 0 (x) hyperelliptic of genus g over F 2 kn, fix R J (H). m 1 DP R (x) = x m + N i (a)x i & i, deg N i (a) = 2. i=0 With F 2 kn = Span F2 k (tj ) j n 1, N i (a) = j N ij(ā)t j. Reminder: solving PDP ng = solving {N ij (ā) = 0} j>0,i ng over F 2 k. 15 / 38

25 Structure of DP R in even characteristic, part 1 H : y 2 + h 1 (x)y = h 0 (x) hyperelliptic of genus g over F 2 kn, fix R J (H). m 1 DP R (x) = x m + N i (a)x i & i, deg N i (a) = 2. i=0 With F 2 kn = Span F2 k (tj ) j n 1, N i (a) = j N ij(ā)t j. Reminder: solving PDP ng = solving {N ij (ā) = 0} j>0,i ng over F 2 k. N i (a) square j, N ij (ā) squares replace quadratic eqs by linear eqs Proposition: Number of squares Let h 1 (x) = s i=t α ix i, and let L = s t + 1 be the length of h 1 (x). There are exactly g L 1 squares among the N i (a). Consequence: (n 1)(g L 1) replacements in {N ij (ā) = 0} j>0,i ng. Find n 1 more if α s F 2 k. 15 / 38

26 Structure of DP R in even characteristic, part 2 In H : y 2 + h 1 (x)y = h 0 (x), we usually have h 1 (x) monic. Proposition: N m 1 is univariate Let a = (a 1,..., a d ). Then N m 1 (a d ) = a d 2 + a d + λ for some λ F 2 kn. Rewrite: N m 1 (a d ) = a 2 d,0 + a d,0 + λ 0 + j 1 a2 d,j t2j + j 1 (a d,j + λ j )t j = N m 1,0 (ā d ) + j 1 N m 1,j(a d,1,..., a d,n 1 )t j. Proposition: presolving {N m 1,j (a d,1,..., a d,n 1 )} j 1 is 0-dimensional and has a solution in F 2 k whp. Consequence: determines n 1 vars in the full system, removes n 1 eqs. 16 / 38

27 Analysis of degree reduction Base field F 2 kn, m = ng. Implies d = (n 1)g. Let L be the length of h 1. Genericity assumption: PDP ng systems behave like regular systems of dimension 0. Before reduction: #ā = n(n 1)g #eqs = n(n 1)g Eqs have deg = 2 d old = 2 n(n 1)g After reduction: n 1 determined vars (n 1)(g L 1) linear eqs remaining have deg = 2 d new = 2 (n 1)((n 1)g+L 2) 2 (n 1)((n 1)g 1) d new 2 (n 1)(ng 1) factor 2 (n 1)(g+1) d old d new 2 n 1 17 / 38

28 Impact of the reduction For g = 2, n = 3, d old = 2 12 = 4096, d new = 2 6 = 64. Toy-example for one PDP 6 instance: fields tool time for d old time for d new ratio F 2 45 F 2 15 Magma s 0.029s H with L h1 = 1, over F 2 93 = F and #J (H) = 2 3 p, with log p = 184. #cores tool old this work C 30 years 7 days 8000 (optimized 2 ) unfeasible practical comparison with recent DL over 768 bits finite field: #rels harvesting time matrix size matrix density log p #linalg. [KDL+ 17] months our work days F5 with code gen., Sparse-FGLM [FM 11], NTL lib. 18 / 38

29 Situation Target: harvesting in Index-Calculus for hyperelliptic curves over F q n. Results: degree reduction if q = 2 k for hyperelliptics practical, meaningful computations in genus 2 Questions: What about q odd? What about non-hyperelliptics? Reduction of F s size? 19 / 38

30 Situation Target: harvesting in Index-Calculus for hyperelliptic curves over F q n. Results: degree reduction if q = 2 k for hyperelliptics practical, meaningful computations in genus 2 Questions: What about q odd? What about non-hyperelliptics? Reduction of F s size? For elliptic curves, reduction achieved using Summation polynomials. Works for even and odd characteristic. Enables factor basis reduction faster linear algebra Let s see how it is done. 19 / 38

31 1 Generalities 2 Harvesting and Decomposition attacks 3 Degree reduction and practical computations 4 Summation Ideals Summation polynomials? Generalization, Analysis for Index Calculus Degree Reduction in even characteristic 5 A geometric recreation: harvesting by sieving 20 / 38

32 Summation polynomials for elliptic curves Let E be an elliptic curve over F with point at infinity O, and m 3. Definition The m th summation polynomial for E is S m F[X 1,..., X m ] generating the projection of the group law ideal over a set of coordinates: S m (x 1,..., x m ) = 0 y 1,..., y m F s.t. P i = (x i, y i ) E and P P m = O. Projection of the group law on the x-line P 3 P 1 + P 2 + P 3 = O P 1 P 2 algebra geometry S 3 (x 1, x 2, x 3 ) = 0 x 1 x 2 x 3 21 / 38

33 Solving PDP m for elliptic curves, [G 09], [D 11] Goal: Find decomposition P P m of R E(F q n) geometry algebra R = P P m S m+1 (x R, x 1,..., x m ) = 0 New goal: Find x 1,..., x m i.e. solve S m+1 (x R, X 1,..., X m ) 22 / 38

34 Solving PDP m for elliptic curves, [G 09], [D 11] Goal: Find decomposition P P m of R E(F q n) geometry algebra R = P P m S m+1 (x R, x 1,..., x m ) = 0 New goal: Find x 1,..., x m i.e. solve S m+1 (x R, X 1,..., X m ) Restriction of scalar: x i = j x ijt j, x ij F q. Set factor base: F = {P E(F q n) : x(p) F q }. Then we can write: S n+1 (x R, X 1,..., X n ) = We want P i F: S n+1 (x R, X 1,..., X n ) = 0 W = n 1 i=0 s i(x 1,0,..., X n,n 1 )t j s 1 (X 1,..., X n ) = 0.. s n (X 1,..., X n ) = 0 22 / 38

35 Known results Heuristic: W is 0-dimensional. In practice: never failed. D treshold for m As presented n! 2 n(n 1) =4 S m is symmetric 2 n(n 1) < 6 immediate 23 / 38

36 Known results Heuristic: W is 0-dimensional. In practice: never failed. D treshold for m As presented n! 2 n(n 1) =4 S m is symmetric 2 n(n 1) < 6 immediate 1 rational 2-torsion point 2 (n 1)2 < 8 [FGHR 14], some models all 2-torsion is rational 2 (n 1)(n 2) = 8 [FHJRV 14], any model Now what about other curves? : size of factor base is also reduced. : close to threaten Brainpool Curve! (over F 31 5 ). 23 / 38

37 Summation Variety J-C. Faugère, A. Wallet, The Point Decomposition Problem on Hyperelliptic curves, DCC Journal [In revision] H hyperelliptic curve over F. R J (H). Goal: Describe V m,r = { (P 1,..., P m ) : m i=1 (P i) = R} Summation Variety 24 / 38

38 Summation Variety J-C. Faugère, A. Wallet, The Point Decomposition Problem on Hyperelliptic curves, DCC Journal [In revision] H hyperelliptic curve over F. R J (H). Goal: Describe V m,r = { (P 1,..., P m ) : m i=1 (P i) = R} Summation Variety Definition of Decomposition polynomial: With e i = Sym i (x 1,..., x m ): R = (P 1 ) + + (P m ) i, DP R (x i ) = 0 m 1 m 1 DP R (x) = x m + N i (a)x i = x m + ( 1) m i e m i x i i=0 i=0 24 / 38

39 Summation Variety J-C. Faugère, A. Wallet, The Point Decomposition Problem on Hyperelliptic curves, DCC Journal [In revision] H hyperelliptic curve over F. R J (H). Goal: Describe V m,r = { (P 1,..., P m ) : m i=1 (P i) = R} Summation Variety Definition of Decomposition polynomial: With e i = Sym i (x 1,..., x m ): R = (P 1 ) + + (P m ) i, DP R (x i ) = 0 m 1 m 1 DP R (x) = x m + N i (a)x i = x m + ( 1) m i e m i x i i=0 i=0 This gives a polynomial ideal: I m,r = N m 1 (a) = e 1,.. N 0 (a) = ( 1) m+1 e m. 24 / 38

40 Summation ideals Theorem The ideal I m,r F[a, e] is a polynomial parametrization of V m,r S m. Conditions in e = Sym(x i ) : eliminate a Geometry projection onto e Algebra Gröbner basis of I m,r F[e]. m th Summation Ideals For m g + 1, the m th summation ideal for H is I m,r F[e]. If S m,r = I m,r F[e], then S m,r is called a set of m-summation polynomials, or a m th summation set. 25 / 38

41 Properties of Summation Ideals S m,r (x) : evaluation of all S S m,r at x. H hyperelliptic curve over F. Summation property S m,r (x) = 0 y 1,..., y m F s.t. P i = (x i, y i ) H and (P 1 ) + + (P m ) = R. Invariance by permutations S m,r Sm = S m,r, and the modelling computes a symmetrized summation set. Let V = V (I m,r F[e]): Codim V = g #S m,r g in practice, #S m,r g Heuristic: deg V = 2 m g [D 11]: proven for g = 1 26 / 38

42 New PDP m solving for hyperelliptic curve Let H defined over F q n = Span Fq (1, t,..., t n 1 ), fix R J (H) 0) Factor base: F = {(P) J (H) : x(p) F q }. 1) Compute ng th Summation Set S ng,r = {S 1,..., S r }. 2) Restriction of scalars F q n F q on each S i = j s 11 (e 1,..., e ng ) = 0. 3) Solve the system W =. s rn (e 1,..., e ng ) = 0 s ij (e 1,..., e ng )t j 27 / 38

43 New PDP m solving for hyperelliptic curve Let H defined over F q n = Span Fq (1, t,..., t n 1 ), fix R J (H) 0) Factor base: F = {(P) J (H) : x(p) F q }. 1) Compute ng th Summation Set S ng,r = {S 1,..., S r }. 2) Restriction of scalars F q n F q on each S i = j s 11 (e 1,..., e ng ) = 0. 3) Solve the system W =. s rn (e 1,..., e ng ) = 0 s ij (e 1,..., e ng )t j r g = CodimV deg V = 2 (n 1)g W W n(v) deg W = (deg V) n = 2 n(n 1)g Same degree as Nagao s approach 27 / 38

44 Structure of DP R in even characteristic, the return H : y 2 + h 1 (x)y = h 0 (x) hyperelliptic of genus g over F 2 kn, R J (H). m 1 m 1 DP R (x) = x m + N i (a)x i = x m + ( 1) m i e m i x i i=0 i=0 Recall: there are squares among the N i (a)! In Nagao s approach: N i (a) square N ij (ā) = 0 Replaced by linear equations First part of the talk In Summation approach: Induces weight system on the e i s. Weighted degree is smaller. What does this mean? 28 / 38

45 Square equations and weighted structure Let Ñi be the squares among the N i (a) s. Ñ 2 i (a) = e i Ñ i (a) = e i I m,r : J m,r : N i (a) = e i N i (a) = e i I e = I m,r F[e] J e = J m,r F[e] 29 / 38

46 Square equations and weighted structure Let Ñi be the squares among the N i (a) s. Ñ 2 i (a) = e i Ñ i (a) = e i I m,r : J m,r : N i (a) = e i N i (a) = e i I e = I m,r F[e] ϕ(e i )=e w i i w i =2,w i =1 J e = J m,r F[e] Theorem With ϕ(e i ) = e w i i, I e is the radical of ϕ(j e ). Applications: Find points in V (J e ) instead of V (I e ). Weighted degree of J e is smaller than deg I e 29 / 38

47 Degree reduction in summation approach over F 2 kn Proposition: With ϕ(e i ) = e w i i, deg w J e = deg ϕ(j e) n i=1 w. i Let V J = V (J e ), V I = V (I e ). Corollary There is a constant C depending on h 1 s.t. deg w (V J ) = C deg V I 2 m g+l / 38

48 Degree reduction in summation approach over F 2 kn Proposition: With ϕ(e i ) = e w i i, deg w J e = deg ϕ(j e) n i=1 w. i Let V J = V (J e ), V I = V (I e ). Corollary There is a constant C depending on h 1 s.t. deg w (V J ) = C Let W = W n (V J ) i,j 1 V (e ij ). Experimentally, C = 2 L 1. Corollary: In PDP ng instances (m = ng), with L =length of h 1 : deg W = C n deg V I 2 m g+l 1. d old 2 (n 1)(g L+1)+n(L 1) = d old 2 (n 1)(g L+1). 30 / 38

49 Comparison of approaches after reduction With additional reductions, same reduction as in the first part of the talk. Best reduction Implementation Best running time Nagao immediate when L = 0 Easy 0.029s. Summation needs L = 0 and Tricky 0.34s. additional work In practice: better use approach of the first part. : on toy examples ( F 2 45 ) 31 / 38

50 Perspectives Limits: if g 2, can t reduce degree in odd char. Why? Degree of equations too small to exploit Frobeniuses Summation Variety not invariant under Jacobian 2-torsion Summation framework for Abelian varieties Generalization with Kummer varieties Arithmetic in g = 2 well-understood (theta functions) Explicit Jacobian summation polynomials Exploitation of more symmetries for decomposition attacks ex: set of 2-torsion points is larger in g = 2, action expresses linearly Factor base invariant under 2-torsion can be built. 32 / 38

51 1 Generalities 2 Harvesting and Decomposition attacks 3 Degree reduction and practical computations 4 Summation Ideals 5 A geometric recreation: harvesting by sieving Old-school smooth harvesting New approach: harvesting by sieving Timings 33 / 38

52 Old-school harvesting for smooth divisors non-hyperelliptic case C : C(x, y) = 0 non-hyperelliptic of genus g 3. ([D 08] deg C g + 1) Factor base F = { P C(F q ) } (rational points). To find one relation: Non-hyperelliptic case [D 08] 1 Select P 1, P 2 F. 2 Compute F F q [x] describing C the line (P 1 P 2 ), with P 1, P 2 removed. 3 If F splits over F q ( div(p 1 P 2 ) is smooth ) Then relation. Else Try new P 1, P 2. 1 deg F = g 1 so probability : (g 1)! 34 / 38

53 Old-school harvesting for smooth divisors non-hyperelliptic case C : C(x, y) = 0 non-hyperelliptic of genus g 3. ([D 08] deg C g + 1) Factor base F = { P C(F q ) } (rational points). To find one relation: Non-hyperelliptic case [D 08] 1 Select P 1, P 2 F. 2 Compute F F q [x] describing C the line (P 1 P 2 ), with P 1, P 2 removed. 3 If F splits over F q ( div(p 1 P 2 ) is smooth ) Then relation. Else Try new P 1, P 2. 1 deg F = g 1 so probability : (g 1)! 1 Free 2 Cheap 3 Costs g 2 log q 95% of time: checking if smooth or not and duplicate relations #F q (g 1)! tries for a relation harvesting in (g 1)!q(g 2 log q) 34 / 38

54 New approach: Harvesting by Sieving V.Vitse, A.Wallet, Improved Sieving on Algebraic curves, LatinCrypt 2015 Sieving = time-memory trade-off. Theory: Add one degree of freedom in decompositions. Practice: Store results of cheap computations. Smoothness checks Existing: [SS 14]: hyperelliptic only Cons: sort, backtracking, hyperelliptic only Our contribution: Adapt sieve to all curve types Suitable for other Index-calculus variants Compared to [SS 14]: skip computations, better memory efficiency, no sorting. 35 / 38

55 Illustration for non-hyperelliptic curves C : C(x, y) = 0 non-hyperelliptic of genus g 3. ([D 08] deg C g + 1) Factor base F = {P, P 1, P 2,... }. First round of sieving: fix P = (x P, y P ). Slope of a line through P: λ P (P i ) = y i y P x i x P Loop over F, compute λ P (P i ) s: (cheap!) λ P (P 1 ) λ P (P 2 ) λ P (P 3 )... P T = [ ] P 4 P 3 P 2 36 / 38

56 Illustration for non-hyperelliptic curves C : C(x, y) = 0 non-hyperelliptic of genus g 3. ([D 08] deg C g + 1) Factor base F = {P, P 1, P 2,... }. First round of sieving: fix P = (x P, y P ). Slope of a line through P: λ P (P i ) = y i y P x i x P Loop over F, compute λ P (P i ) s: (cheap!) λ P (P 1 ) λ P (P 2 ) λ P (P 3 )... P T = [ ] P 4 P 3 P 1 P 2 36 / 38

57 Illustration for non-hyperelliptic curves C : C(x, y) = 0 non-hyperelliptic of genus g 3. ([D 08] deg C g + 1) Factor base F = {P, P 1, P 2,... }. First round of sieving: fix P = (x P, y P ). Slope of a line through P: λ P (P i ) = y i y P x i x P Loop over F, compute λ P (P i ) s: (cheap!) λ P (P 1 ) λ P (P 2 ) λ P (P 3 )... P T = [ ] P 4 P 3 P 1 P 2 36 / 38

58 Illustration for non-hyperelliptic curves C : C(x, y) = 0 non-hyperelliptic of genus g 3. ([D 08] deg C g + 1) Factor base F = {P, P 1, P 2,... }. First round of sieving: fix P = (x P, y P ). Slope of a line through P: λ P (P i ) = y i y P x i x P Loop over F, compute λ P (P i ) s: (cheap!) λ P (P 1 ) λ P (P 2 ) λ P (P 3 )... P T = [ ] P 4 P 3 P 1 P 2 36 / 38

59 Illustration for non-hyperelliptic curves C : C(x, y) = 0 non-hyperelliptic of genus g 3. ([D 08] deg C g + 1) Factor base F = {P, P 1, P 2,... }. First round of sieving: fix P = (x P, y P ). Slope of a line through P: λ P (P i ) = y i y P x i x P Loop over F, compute λ P (P i ) s: (cheap!) λ P (P 1 ) λ P (P 2 ) λ P (P 3 )... P T = [ ] λ P (P i ) = λ P (P j ) P, P i, P j lined up. P 4 P 3 P 1 P 2 36 / 38

60 Illustration for non-hyperelliptic curves C : C(x, y) = 0 non-hyperelliptic of genus g 3. ([D 08] deg C g + 1) Factor base F = {P, P 1, P 2,... }. First round of sieving: fix P = (x P, y P ). Slope of a line through P: λ P (P i ) = y i y P x i x P Loop over F, compute λ P (P i ) s: (cheap!) λ P (P 1 ) λ P (P 2 ) λ P (P 3 )... P T = [ ] λ P (P i ) = λ P (P j ) P, P i, P j lined up. P 4 P 3 When T[λ i ] = g Relation! Next round: remove P from F, start again with P 1. P 1 P 2 36 / 38

61 Analysis in the non-hyperelliptic case For one loop: O(q) multiplications + O(q) storage. Harvesting in g!q. Expect q g! relations. Overall: Old-school: (g 1)!q(g 2 log q) Speed-up g log q. Relations management: Loop on P uses all lines through P: no duplicate relations. 37 / 38

62 Timings Genus 3, degree 4 Genus 4, degree 5 Genus 5, degree 6 Genus 7, degree 7 q Diem Sieving Ratio Diem Sieving Ratio Diem Sieving Ratio Diem Sieving Ratio Implementation in Magma; CPU Intel c Core i5@2.00ghz processor. Time to collect relations, expressed in seconds. 38 / 38

63 Timings [Diem-Kochinke]: > fix a singular point to start the sieving degree of polynomial by multiplicity > no more singular points? jump to another model Genus 5, degree 6 Genus 7, degree 7 q Diem & Kochinke Sieving Ratio Diem & Kochinke Sieving Ratio Implementation in Magma; CPU Intel c Core i5@2.00ghz processor. Time to collect relations, expressed in seconds. 38 / 38