Counting Points on Curves using Monsky-Washnitzer Cohomology

Transcription

1 Counting Points on Curves using Monsky-Washnitzer Cohomology Frederik Vercauteren Jan Denef University of Leuven University of Bristol 1

2 Overview Who s who of p-adic point counting Zeta functions and Weil conjectures Monsky-Washnitzer cohomology Kedlaya s algorithm for hyperelliptic curves in odd characteristic Extending Kedlaya s algorithm to C a,b curves Experimental results Conclusions and open problems 2

3 Who s who of p-adic point counting Elliptic Curves over F p n p Time Space Satoh p 5 O(n 3+ε ) O(n 3 ) Skjernaa p = 2 O(n 3+ε ) O(n 3 ) Fouquet-Gaudry-Harley p = 2, 3 O(n 3+ε ) O(n 3 ) Vercauteren all p O(n 3+ε ) O(n 2 ) Mestre-Harley (AGM) p = 2 O(n 3+ε ) O(n 2 ) Satoh-Skjernaa-Taguchi all p O(n 2+1/2+ε ) O(n 2 ) Gaudry p = 2 O(n 2+1/2+ε ) O(n 2 ) Carls all p O(n 3+ε ) O(n 2 ) Harley all p O(n 2+1/2+ε ) O(n 2 ) Mestre-Lercier-Lubicz all p O(n 2+ε ) O(n 2 ) 3

4 Who s who of p-adic point counting Hyperelliptic curves over F p n p Time Space Genus Kedlaya p 3 O(g 4+ε n 3+ε ) O(g 3 n 3 ) all g Mestre-Gaudry-Harley p = 2 O(n 3+ε ) O(n 2 ) g = 2 (O) Lauder-Wan all p O(g 5+ε n 3+ε ) O(g 3 n 3 ) all g (AS) Denef-Vercauteren p = 2 O(g 4+ε n 3+ε ) O(g 3 n 3 ) all g Mestre-Lercier-Lubicz p = 2 O(2 g n 2+ε ) O(2 g n 2 ) g = 2 (O) Superelliptic curves over F p n p Time Space Genus Gaudry-Gürel all p O(g 4+ε n 3+ε ) O(g 3 n 3 ) all g Lauder all p O(g 4+ε n 3+ε ) O(g 3 n 3 ) a p 1 C a,b curves over F p n p Time Space Genus Denef-Vercauteren all p O(g?+ε n 3+ε ) O(g? n 3 ) all g Algebraic varieties over F p n p Time Space Lauder-Wan all p Polynomial Polynomial 4

5 The Zeta Function and Weil Conjectures Let C be smooth projective curve over F q, then zeta function of C is ( ) t r Z(t) = Z(C; t) = exp N r r r=1 with N r the number of points on C with coordinates in F q r. Weil Conjectures: Z(t) is rational function over Z and can be written as P (t) (1 t)(1 qt) P (t) = 2g i=1 (1 α it) with g genus of C and α i = q P (t) = 2g i=0 a it i with a 0 = 1, a 2g = q g and a g+i = q i a g i N r = q r + 1 2g i=1 αr i and P (1) is the order of Jac(C/F q) 5

6 Unramified Extensions of p-adics K extension of Q p of degree n with valuation ring R and maximal ideal M R = {x K x p < 1} of R. K is called unramified iff its residue field R/M R = F q. Let F q = F p [t]/(q(t)) then K can be constructed as K = Q p [t]/(q(t)), with Q(t) any monic lift of Q(t) to Z p [t]. Gal(K/Q p ) is cyclic with generator Frobenius substitution σ and σ modulo p equals p-th power Frobenius σ on F q. Since q = p n we have F = σ n and F is q-th power Frobenius. 6

7 Computing Zeta Function - General Strategy X smooth affine variety over F q of dimension d. Monsky and Washnitzer construct K-vectorspaces H i (X/K) with an induced action of Frobenius F on it such that these cohomology groups satisfy a Lefschetz trace formula: N r = d ( 1) i Tr ( (q d F 1 ) r H i (X/K) ) i=0 For smooth affine curve C the only non-trivial MW cohomology groups are H 0 (C/K) and H 1 (C/K), so #C(F q r) = q r Trace ( (qf 1 ) r H 1 (C/K) ) 7

8 Hyperelliptic Curves Hyperelliptic curve C of genus g over finite field F q, C : y 2 + h(x)y = f(x) where deg h g, f monic, deg f = 2g + 1 and C non-singular. If char F q > 2 one can take h = 0 and f has to be squarefree. Jacobian Jac(C/F q ) is abelian group associated with C which is quotient group of degree 0 divisors by principal divisors. Problem: compute order of Jac(C/F q ). 8

9 Kedlaya s Algorithm - p Small Odd Prime C : y 2 f(x) = 0 genus g affine hyperelliptic curve C over F p n. Affine curve C is C minus points (θ i, 0) for 0 i 2g. Coordinate ring A of C is F q [x, y, y 1 ]/(y 2 f(x)). Take any monic lift f(x) R[x] of f(x) and let C be affine curve y 2 f(x) = 0 minus 2g + 1 points (θ i, 0) for 0 i 2g. The coordinate ring of C then is A = R[x, y, y 1 ]/(y 2 f(x)). The weak completion or dagger ring A consists of series + k= 2g i=0 a i,k x i y k and valuation of a i,k grows linearly with k. 9

10 Kedlaya s Algorithm - Frobenius on A Lift σ to σ : A A as x σ := x p and y σ satisfies (y σ ) 2 = f(x) σ. Formula for y σ as element of A : y σ = (f(x) σ ) 1/2 = (f(x) σ f(x) p + f(x) p ) 1/2 = f(x) p/2 (1 + f(x)σ f(x) p f(x) p ) 1/2 ( ) 1/2 (f(x) = y p σ f(x) p ) k k y 2pk k=0 10

11 Kedlaya s Algorithm - Cohomology Groups Let D 1 (A ) := (A dx + A dy)/(2ydy f (x)dx) and d 0 : A D 1 (A ) and d 1 : D 1 (A ) 2 D 1 (A ), then H 0 (A/R) = Ker d 0 = R and H 1 (A/R) = Ker d 1 /Im d 0. H 1 (A/K) := H 1 (A/R) R K splits into eigenspaces under ı Invariant: H 1 (A/K) + with basis x i dx/y 2 for 0 i 2g Anti-invariant: H 1 (A/K) with basis x i dx/y for 0 i < 2g H 1 (A/K) + corresponds to the 2g + 1 removed points (θ i, 0) Characteristic polynomial of F on H 1 (A/K) equals χ(t) := t 2g P (1/t) 11

12 Kedlaya s Algorithm - Computing Zeta Function The action of σ on a differential form x k dx/y is given by σ (x k dx/y) = px pk+p 1 dx/y σ. Use reduction formulae to express this on basis of H 1 (A/K). This gives matrix M which is an approximation of the action of σ on H 1 (A/K). The polynomial χ(t) := t 2g P (1/t) can then be approximated by the characteristic polynomial of MM σ M σn 1. 12

13 Kedlaya s Algorithm - Complexity Complexity for genus g hyperelliptic curve over F p n Algorithm Time Complexity Space Complexity Char p 2: Kedlaya O(g 4+ε n 3+ε ) O(g 3 n 3 ) Char 2 : Average case O(g 4+ε n 3+ε ) O(g 3 n 3 ) Char 2 : Worst case O(g 5+ε n 3+ε ) O(g 4 n 3 ) Complexity depends on splitting type of h(x) = s i=1 (x θ i) m i. Worst case is s g/2, m i = 1 for 0 < i < s and m s g/2. 13

14 C a,b curves C a,b curve C over finite field F q, C : y a + a 1 i=1 f i (x)y i + f 0 (x) = 0 where deg f 0 (x) = b, a deg f i (x) + bi ab and gcd(a, b) = 1. Absolutely irreducible and if smooth genus is g = (a 1)(b 1) 2. Unique degree 1 place Q at infinity and v Q (x) = a, v Q (y) = b. Various subclasses of C a,b curves: Hyperelliptic curves: a = 2 and b = 2g + 1 Superelliptic curves: f i (x) = 0 for i = 1,..., a 1 14

15 C a,b curves - Lift of Curve The affine curve C has coordinate ring A := F q [x, y]/(c). Take arbitrary lifts f i (x) R[x] of f i (x) for i = 0,..., a 1 with deg f i (x) = deg f i (x) and define C : y a + a 1 i=1 f i (x)y i + f 0 (x) = 0 Let A be the dagger ring of A := R[x, y]/(c). Elements of A can be represented as a 1 l=0 the valuation of a k,l grows linearly with k. + k=0 a k,lx k y l and 15

16 C a,b curves - Frobenius on A The necessary conditions on the Frobenius σ on A are x σ x p mod p and y σ y p mod p and C σ (x σ, y σ ) = 0 Fixing x σ = x p also fixes y σ as the solution of C σ (x p, y σ ) = 0, ) p which implies that has to be invertible in A. ( C(x,y) y Main idea: lift Frobenius on x and y simultaneously such that denominator in the Newton iteration is invertible in A. Let Z A such that x σ = x p + αz and y σ = y p + βz, then C σ (x σ, y σ ) = C σ (x p + αz, y p + βz) = 0 and Z 0 mod p 16

17 C a,b curves - Frobenius on A Let G(Z) := C σ (x p + αz, y p + βz), then Z k+1 = Z k G(Z k) G (Z k ) with G (Z) α Cσ x (x p,y p ) + β Cσ y (x p,y p ) + O(Z) mod p G (Z) will be invertible in A if G (Z) 1 mod p and thus G (Z) α ( C x ) p + β ( C y ) p 1 mod p Assume C non-singular, then C x, C y and C generate unit ideal and using Buchberger s algorithm we compute α, β, γ A with 1 = α ( C x ) p + β ( C y ) p + γc 17

18 C a,b curves - Basis of H 1 (A/K) If C is smooth, then 2g = (a 1)(b 1) and a basis for H 1 (A/K) x k y l dx for k = 0,..., b 2 and l = 1,..., a 1 Using equation of the curve: x i y l dx or x i y l dy for 0 l < a Clearly d(x i y l+1 ) 0 and thus x i y l dy 1 l+1 xi 1 y l dx Differentiating the curve C leads to the equality a 1 ( i=1 f i(x)y i + f 0(x)) dx = (ay a 1 + a 1 i=1 f i (x)iy i 1 ) dy 18

19 C a,b curves - Reduction Formula To reduce x i y l dx we multiply this equation with x j y l a 1 x j ( i=1 f i(x)y i + f 0(x))y l dx = x j (ay a 1 + a 1 i=1 f i (x)iy i 1 )y l dy (*) Partially integrating the right-hand side to y gives ( )) a 1 d (x j a i a + l ya+l + i + l f i(x)y i+l i=1 0 This gives an expression for the right-hand side of ( ) and thus x j a 1 X i=1! l i + l f i(x)y i + f 0(x) y l dx jx j 1 a 1 a X a + l ya + i=1! i i + l f i(x)y i y l dx 19

20 C a,b -curves - Zeta Function The action of σ on a differential form x k y l dx is given by σ (x k y l dx) (x σ ) k (y σ ) l dx σ. Substituting power series for x σ and y σ, we can write σ (x k y l dx) on basis of H 1 (A/K) using the reduction formulae. This gives matrix M which is an approximation of the action of σ on H 1 (A/K). The polynomial χ(t) := t 2g P (1/t) can then be approximated by the characteristic polynomial of MM σ M σn 1. 20

21 Dependence on size of Jacobian Timings for 180-bit Jacobians of hyperelliptic curves for various genus g and extension degrees n. Genus g Degree n Lifting y σ (s) Reduction (s) Total (s)

22 Kedlaya in Char 2 - Example: Genus 3 over F 2 59 Let F 2 59 be defined as F 2 [t]/p (t) with P (t) = t 59 + t 7 + t 4 + t and consider the random hyperelliptic curve C 3 of genus 3 defined by 3X y 2 + ( h i x i )y = x 7 + i=0 6X f i x i, i=0 where h 0 = E97EB3821 h 1 = 49F340F25EA38A2 h 2 = 2DE854D48D56154 h 3 = 0B6372FF f 0 = 1104FDBEB454C58 f 1 = 0C426890E5C7481 f 2 = 34967E2EB7D50C3 f 3 = 1F1728AA28C616C f 4 = 1AE177BFE49826A f 5 = 3895A0E400F7D18 f 6 = 6DF634A1E2BFA8E The group order of the Jacobian J ec3 of C 3 over F 2 59 is #J ec3 = where the last factor is 176-bit prime. 22

23 Conclusions & Open Problems Now possible to compute the zeta function of hyperelliptic curves and C a,b curves over finite fields of any small characteristic. Complexity: O(g 4+ε n 3+ε ) operations and O(g 3 n 3 ) space. Resulting algorithms can be used to generate curves suitable for cryptography, but not as fast as AGM. Can we get substantial improvement for ordinary curves? Lifting works for arbitrary non-singular affine curves, but how easy is it to write down explicit basis and reduction formulae? Golden grail: practical algorithms for large p? 23