Genus 2 Curves of p-rank 1 via CM method


School of Mathematical Sciences, University College Dublin, Ireland, and Claude Shannon Institute. April 2009, GeoCrypt. Joint work with Laura Hitt, Michael Naehrig, Marco Streng.

Introduction. This talk is about using the CM method to construct genus 2 curves over finite fields with p-rank 1 and certain additional properties. We discuss the reduction of class polynomials mod p in this setting. Paper: arxiv.org/abs/0811.3434. Update coming soon.

A Class of Problems in Computational Number Theory. Construct an explicit curve over F_q with Property X...
Problem 1: Construct a genus 2 curve with p-rank 1 over F_q whose Jacobian has a prime number of F_q-rational points.
Problem 2: Construct a genus 2 curve with p-rank 1 over F_q that has small embedding degree.
These problems have been studied in the ordinary case: Spallek, Eisentrager-Lauter and Gaudry-Houtmann-Kohel-Ritzenthaler-Weng for Problem 1; Freeman-Stevenhagen-Streng for Problem 2. Also, q might be prescribed, or perhaps not q but only the size of q. The number of points might be prescribed, or perhaps just its size. Usually the genus is prescribed.

The p-rank. The p-rank of an abelian variety A defined over F_q is the F_p-dimension of the subgroup of p-torsion points (defined over the algebraic closure F̄_q). The p-rank lies between 0 and dim(A), and is invariant under isogeny. If the p-rank equals dim(A) we say A is ordinary. For an elliptic curve (so dim(A) = 1), if the p-rank is 0 we say A is supersingular. In general, A is called supersingular if A is isogenous (over F̄_q) to E^g, where E is a supersingular elliptic curve. If dim(A) = 2 then A is supersingular if and only if its p-rank is 0. So if dim(A) = 2 there are three types: ordinary, supersingular and p-rank 1 (also called intermediate, mixed, or almost ordinary).

Complex Multiplication. A CM field is a totally imaginary quadratic extension of a totally real algebraic number field of finite degree. In particular, a field K is a quartic CM field if K is an imaginary quadratic extension of a totally real field K_0 of degree 2 over Q.
Definition. Let C be a curve of genus 2 defined over k = F_q, and let K be a quartic CM field. For any order O of K, we say that C has complex multiplication (CM) by O if End_k(J_C) = O. We say that C has CM by K if C has CM by an order in K. We will assume O = O_K.

Complex Multiplication. An elliptic curve is ordinary if and only if its endomorphism ring is commutative. Note that this is false in dimension 2.
Lemma. Let A be a simple 2-dimensional abelian variety defined over a finite field k. If A has p-rank 1, then A is absolutely simple, and End^0_k(A) = End^0_{k̄}(A) is a CM field of degree 4.

The moduli space of curves of genus 2 over C is 3-dimensional. Its function field is generated by three invariants (j_1, j_2, j_3) called the (absolute) Igusa invariants of C. We define three Igusa class polynomials of an order O of a primitive quartic CM field K by
H_{O,l}(x) = ∏_{i=1}^{s} (x − j_l^{(i)}) ∈ Q[x]   for l = 1, 2, 3.
Here s is the number of isomorphism classes of 2-dimensional principally polarized abelian varieties over C with CM by O, and the product is over the invariants j_l^{(i)} of the s classes. We assume O = O_K.

The CM Method. We divide the genus 2 CM method into three parts. Input: K, a quartic CM field.
1. Find p and a quartic Weil q-number/polynomial with the right properties for your demands.
2. Given a Weil q-polynomial, output the reduced lifted invariants. This includes computing or looking up the class polynomials. There are three ways to do this: complex analytic (Spallek, Weng), p-adic (Gaudry et al), CRT (Eisentrager-Lauter). It also includes reducing the class polynomials (invariants) mod p.
3. Construct the curve from the invariants (one way to do this: Mestre). Choose this curve or a twist.
Our paper concerns Part 1 and the last piece of Part 2.

Reduction Modulo p. Let A be a (principally polarized) abelian surface with CM by K. Let p be a rational prime. Let 𝔭 be a prime of Q(j_1, j_2, j_3) lying over p, and suppose A has good reduction at 𝔭. Key Fact: The splitting behaviour of p in O_K determines the p-rank of the reduction of A modulo 𝔭. E.g. for elliptic curves, the reduction is ordinary iff p splits completely. For dimension 2, Goren worked out the cases assuming p is unramified. Gaudry et al extended this to the ramified case. Note that K must be non-galois for the reduction to be simple of p-rank 1.

p-rank 1 Reductions. The part of the results of Goren and Gaudry et al that applies to p-rank 1 is as follows.
Lemma. Let K be a quartic CM field and C a curve of genus 2 over a number field L ⊇ K with endomorphism ring O_K. Let p be a prime number and 𝔭 a prime of O_L lying over p. The reduction of C modulo 𝔭 is a genus-2 curve with p-rank 1 if and only if (p) factors in O_K as (p) = 𝔭_1 𝔭_2 𝔭_3 or (p) = 𝔭_1 𝔭_2 𝔭_3^2.
Alexey Zaytsev is developing these ideas. Primes p with (p) = 𝔭_1 𝔭_2 𝔭_3^2 will divide the discriminant of K.

[Field diagram (image residue): the fields Q, K_0, K, L, K_0^r, K^r, K^r(j_1, j_2, j_3), H^r and Q(j_1, j_2, j_3), with several steps marked as extensions of degree 2.]

Field of Definition of the Reduction. If pO_K factors as 𝔭_1 𝔭_2 𝔭_3 then it is easy to show that p is inert in K_0^r and then splits in K^r, so it has inertial degree 2. Using also the main theorem of complex multiplication (Shimura), the reduction modulo a prime of Q(j_1, j_2, j_3) above p will be defined over F_{p^2}.
If pO_K factors as 𝔭_1 𝔭_2 𝔭_3^2 then the reduction is defined over F_p. For each prime p dividing the discriminant of K, check whether pO_K factors as 𝔭_1 𝔭_2 𝔭_3^2. If so, we have a curve of p-rank 1 over F_p. There is no control over the size of p; it is small. There might be no such p. If there is such a p, the number of points on the Jacobian may not be prime.

Algorithm 1
Input: A non-galois CM field K of degree 4 and a positive integer n.
Output: A prime p of n bits and a curve of genus 2 over F_{p^2} that has p-rank 1 and a Jacobian with a prime number of rational points.
1. Take a random prime p of n bits.
2. If pO_K factors as 𝔭_1 𝔭_2 𝔭_3, where 𝔭_3 has degree 2, continue. Otherwise, go to step 1.
3. If 𝔭_1 is principal and generated by α, let π = α ᾱ^{-1} p. Otherwise, go to step 1.
4. If N(uπ − 1) is prime for some u ∈ {±1}, then replace π by uπ. Otherwise, go to step 1.
5. Compute the curve corresponding to π using steps 2 and 3 of the CM method and return this curve.

Algorithm 2
Input: A non-galois CM field K of degree 4, a positive integer κ and a prime number r ≡ 1 (mod 2κ) which splits completely in K.
Output: A prime p and a curve of genus 2 over F_{p^2} that has p-rank 1 and embedding degree κ with respect to r.
1. Let 𝔯 be a prime of K dividing r and let 𝔰 = r 𝔯^{-1} 𝔯̄^{-1}.
2. Take a random element x ∈ F_r and a primitive 2κ-th root of unity ζ.
3. Take α ∈ O_K \ O_{K_0} such that α mod 𝔯 = x, α mod 𝔯̄ = xζ and α mod 𝔰 = x^{-1}.
4. If p = N(α) is prime in Z and different from r, continue. Otherwise, go to Step 2.
5. If the prime β = N(α) α^{-1} ᾱ^{-1} of O_{K_0} remains prime in O_K, let π = α^2 β and p = N(α). Otherwise, go to Step 2.
6. Compute the curve corresponding to π using the CM method.

Example. The heuristic running time is polynomial in n. In practice we get curves of cryptographic size in 10 seconds. We provide examples such that the Jacobian J_C(F_{p^2}) has prime order. The CM field for all examples is K = Q(α), where α is a root of X^4 + 34X^2 + 217 ∈ Q[X], of class number 2. We give the coefficients c_i ∈ F_{p^2} of the curve equation C : y^2 = c_6 x^6 + c_5 x^5 + c_4 x^4 + c_3 x^3 + c_2 x^2 + c_1 x + c_0. The group order of the Jacobian can be computed as #J_C(F_{p^2}) = p^4 + 1 + a_1 (p^2 + 1) + a_2. The field F_q = F_{p^2} is given as F_p(σ), where σ has minimal polynomial f_σ = X^2 + 3 ∈ F_p[X], i.e. σ = √−3 ∈ F_q.

Example
p = 924575392409
a_1 = 3396725192754
a_2 = 4585861472127472591045899
c_6 = 377266258806 σ + 915729517707
c_5 = 494539789092 σ + 415576796385
c_4 = 904019288751 σ + 345679289510
c_3 = 309144556572 σ + 430866212243
c_2 = 58888332305 σ + 588111907455
c_1 = 115624782924 σ + 580418244294
c_0 = 156203470202 σ + 110258906818
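As an added worked example (not code from the slides or the paper), the following Python reads off, from a genus 2 Weil polynomial P(x) = x^4 + a_1 x^3 + a_2 x^2 + a_1 q x + q^2, the three quantities the slides use: the Weil bounds on (a_1, a_2), the p-rank via the p-adic Newton polygon (stated for any genus; for genus 2 it reduces to p | a_2 and p ∤ a_1 for p-rank 1, which is the criterion behind the "three types" slide), and the Jacobian order #J_C(F_q) = P(1). It is run on the slide's p, a_1, a_2 above, as transcribed, and on small polynomials over F_7 constructed for the example. Primality of the slide's group order is not tested here.

```python
"""Weil polynomial bookkeeping for a genus 2 curve over F_q, q = p^m.

Added example for the slides above; it is not the authors' code. It follows the
slides' convention P(x) = x^4 + a1 x^3 + a2 x^2 + a1 q x + q^2 for the characteristic
polynomial of Frobenius on the Jacobian, so #J_C(F_q) = P(1) = q^2 + 1 + a1 (q+1) + a2.
"""


def frobenius_charpoly(q, a1, a2):
    """Coefficients of P(x), highest degree first: [1, a1, a2, a1*q, q^2]."""
    return [1, a1, a2, a1 * q, q * q]


def is_weil_polynomial_g2(q, a1, a2):
    """True iff every root of P has absolute value sqrt(q).

    P is a Weil q-polynomial iff its real Weil polynomial x^2 + a1 x + (a2 - 2q) has
    both roots in [-2 sqrt(q), 2 sqrt(q)], i.e.
        |a1| <= 4 sqrt(q)   and   2 |a1| sqrt(q) - 2q <= a2 <= a1^2 / 4 + 2q.
    Each inequality is squared or scaled so that only integers are compared.
    """
    if a1 * a1 > 16 * q:
        return False
    lower = a2 + 2 * q  # must be >= 2 |a1| sqrt(q) >= 0
    if lower < 0 or lower * lower < 4 * a1 * a1 * q:
        return False
    return 4 * a2 <= a1 * a1 + 8 * q


def p_rank_from_charpoly(p, coeffs):
    """p-rank = number of roots of P that are p-adic units.

    On the p-adic Newton polygon of P this is the length of the slope-0 segment,
    i.e. the largest k such that the coefficient of x^(2g-k) is not divisible by p
    (the leading coefficient 1 gives k = 0). For g = 2 the coefficients a1*q and q^2
    are always divisible by p, so the answer is 2 if p does not divide a2, 1 if
    p | a2 but p does not divide a1, and 0 otherwise: ordinary / p-rank 1 /
    supersingular in the slides' terminology.
    """
    rank = 0
    for k, c in enumerate(coeffs):
        if c % p != 0:
            rank = k
    return rank


def jacobian_order(coeffs):
    """#J_C(F_q) = P(1), the sum of the coefficients."""
    return sum(coeffs)


def analyse(p, m, a1, a2):
    """(is a Weil polynomial, p-rank, #J) for the surface over F_q with q = p^m."""
    q = p ** m
    coeffs = frobenius_charpoly(q, a1, a2)
    return (is_weil_polynomial_g2(q, a1, a2),
            p_rank_from_charpoly(p, coeffs),
            jacobian_order(coeffs))


# Values from the example slide (curve over F_{p^2}, so q = p^2), as transcribed.
SLIDE_P = 924575392409
SLIDE_A1 = 3396725192754
SLIDE_A2 = 4585861472127472591045899


def slide_example():
    return analyse(SLIDE_P, 2, SLIDE_A1, SLIDE_A2)


# Small polynomials over F_7 constructed for this example (not from the slides),
# one of each type: (p, m, a1, a2).
CONSTRUCTED = {
    "ordinary": (7, 1, 1, 1),        # 7 does not divide a2
    "p-rank 1": (7, 1, 1, 7),        # 7 | a2 but 7 does not divide a1
    "supersingular": (7, 1, 0, 0),   # x^4 + 49
}

if __name__ == "__main__":
    for name, args in CONSTRUCTED.items():
        print(name, analyse(*args))
    weil, rank, order = slide_example()
    print("slide example: Weil =", weil, "p-rank =", rank, "#J =", order)
```

The Weil check is done with squared integer inequalities so that it is exact even when q is not a perfect square; for the slide's example, where q = p^2, a_2 turns out to be divisible by p while a_1 is not, which is precisely the p-rank 1 pattern.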

Refinement. Let the class polynomials be H_1(x), H_2(x), H_3(x). In the CM method we need to reduce the invariants mod p. We pick one root j_1 ∈ F_q of H_1(x) mod p (or one for every irreducible factor h of H_1(x) mod p) and, for each, take all roots j_2, j_3 ∈ F_q of H_2 mod p and H_3 mod p. There are more such triples than triples that correspond to reductions of CM curves. One refinement put forth in Gaudry et al is to replace H_2(x) and H_3(x) by two other polynomials in such a way that they directly yield only the correct triples (j_1, j_2, j_3). This refinement requires H_1(x) to have a root of multiplicity 1 mod p.

Class Polynomials mod p

 p  | p'   | (a_1, a_2) | [D, A, B]     | h_K | H_1(x) mod p                                  | H_1(x) mod p'
 7  | 113  | (4, 16)    | [8, 22, 113]  | 4   | (x-2)(x-5)(x^2+x+6)                           | (x+25)^2 (x+50)^2
 7  | 37   | (3, 3)     | [53, 25, 37]  | 3   | x(x+2)^2 (x^3+6x^2+x+2)                       | (x^3+21x^2+28x+16)^2
 7  | 617  | (2, 13)    | [8, 50, 617]  | 3   | x(x+2)^2 (x^3+3x^2+3x+3)                      | (x^3+480x^2+561x+410)^2
 11 | 433  | (8, 35)    | [12, 50, 433] | 2   | x(x-6)(x^2+8x+10)                             | (x+152)^2 (x+304)^2
 11 | -    | (7, 25)    | [37, 45, 53]  | 3   | (x-3)(x-4)(x-5)(x^3+8x^2+9x+1)                | -
 11 | 1321 | (4, 23)    | [12, 74, 1321]| 4   | x(x-8)^2 (x-9)(x^4+4x^3+10x^2+2x+4)           | (x^2+75x+178)^2 (x^2+1247x+1068)^2
 11 | 5    | (2, -8)    | [124, 24, 20] | 4   | (x+3)(x+6)(x^2+9x+4)                          | x^4
 13 | 701  | (7, 31)    | [29, 65, 701] | 3   | (x+1)(x+7)^2 (x^3+4x^2+6x+8)                  | (x^3+370x^2+174x+456)^2
 13 | 17   | (2, -11)   | [152, 26, 17] | 2   | (x+7)(x+11)(x^2+2x+8)                         | (x^2+6x+4)^2
 17 | 13   | (1, -25)   | [237, 17, 13] | 2   | x(x+2)(x^2+2x+7)                              | (x^2+6)^2
 17 | 13   | (9, 41)    | [53, 69, 117] | 4   | x(x+1)(x^2+8x+11)                             | (x^2+6x+1)^2
 17 | 1481 | (10, 57)   | [8, 82, 1481] | 3   | x(x+2)(x+4)(x^3+7x^2+14x+5)                   | (x^3+1157x^2+722x+1341)^2
 19 | 59   | (11, 67)   | [5, 89, 1829] | 4   | (x+2)(x+6)^2 (x+15)(x^2+16x+13)(x^2+17x+6)    | (x+7)^2 (x+28)^2 (x+50)^4

Table: Factorization of H_1(x) modulo primes (column p') that split as 𝔭_1 𝔭_2 𝔭_3^2 in K, where K was generated by the characteristic polynomial of Frobenius of Jacobians of ordinary genus 2 curves defined over F_p.

Class Polynomials mod p. We show using elementary class field theory that this refinement works when (p) = 𝔭_1 𝔭_2 𝔭_3 and does not work when (p) = 𝔭_1 𝔭_2 𝔭_3^2. In the latter case we provide a modification. We use the Kummer-Dedekind Theorem, which states that the factorization of H_1(x) modulo p reflects the factorization of (p) into prime ideals in Q(j_1).
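The precondition of the refinement, a root of H_1 of multiplicity 1 mod p, can be checked mechanically. The Python below is an added example and not the authors' code: since the slides do not give H_1 itself, it rebuilds H_1 mod p from the factorizations listed in the table (the rows p = 7 / p' = 113 and p = 19 / p' = 59) and finds the roots in F_p together with their multiplicities by repeated synthetic division, which stays correct in characteristic p where a derivative-based multiplicity test can fail. On the table's data the outcome is the one the slide describes: modulo 7 the polynomial has simple roots, while modulo 113 and 59, primes of type 𝔭_1 𝔭_2 𝔭_3^2 according to the caption, every root is repeated and the refinement has nothing to work with.

```python
"""Does H_1(x) mod p have a root of multiplicity 1?  (Precondition of the refinement.)

Added example, not the authors' code. Polynomials over F_p are lists of coefficients,
lowest degree first; the class polynomials are rebuilt from the table's factorizations.
"""


def poly_trim(f):
    """Drop leading zero coefficients, keeping at least one entry."""
    f = list(f)
    while len(f) > 1 and f[-1] == 0:
        f.pop()
    return f


def poly_mul(f, g, p):
    """Product of two polynomials in F_p[x]."""
    out = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] = (out[i + j] + a * b) % p
    return poly_trim(out)


def expand(factors, p):
    """Multiply out [(coefficients lowest-first, exponent), ...] in F_p[x]."""
    result = [1]
    for coeffs, exponent in factors:
        factor = [c % p for c in coeffs]
        for _ in range(exponent):
            result = poly_mul(result, factor, p)
    return result


def div_by_linear(f, a, p):
    """Synthetic division of f by (x - a); returns (quotient, remainder)."""
    quotient = [0] * (len(f) - 1)
    acc = 0
    for i in range(len(f) - 1, 0, -1):
        acc = (acc * a + f[i]) % p
        quotient[i - 1] = acc
    remainder = (acc * a + f[0]) % p
    return quotient, remainder


def roots_with_multiplicity(f, p):
    """{root: multiplicity} over F_p by trial over all of F_p (fine for the table's small p).

    Multiplicity is the number of times (x - a) divides f, found by dividing until a
    nonzero remainder appears. Unlike counting vanishing derivatives, this is exact
    even when the multiplicity is >= p.
    """
    result = {}
    for a in range(p):
        g, m = f, 0
        while len(g) > 1:
            q, r = div_by_linear(g, a, p)
            if r != 0:
                break
            g, m = q, m + 1
        if m:
            result[a] = m
    return result


def has_simple_root(f, p):
    """True iff some root of f in F_p has multiplicity exactly 1."""
    return any(m == 1 for m in roots_with_multiplicity(f, p).values())


# Factorizations copied from the table (coefficients lowest degree first).
H1_MOD_7 = [([-2, 1], 1), ([-5, 1], 1), ([6, 1, 1], 1)]     # (x-2)(x-5)(x^2+x+6)
H1_MOD_113 = [([25, 1], 2), ([50, 1], 2)]                     # (x+25)^2 (x+50)^2
H1_MOD_59 = [([7, 1], 2), ([28, 1], 2), ([50, 1], 4)]        # (x+7)^2 (x+28)^2 (x+50)^4


def refinement_applicable(factors, p):
    """Expand the tabulated factorization and report (has a simple root, roots)."""
    f = expand(factors, p)
    return has_simple_root(f, p), roots_with_multiplicity(f, p)


if __name__ == "__main__":
    for label, factors, p in (("7", H1_MOD_7, 7), ("113", H1_MOD_113, 113), ("59", H1_MOD_59, 59)):
        ok, roots = refinement_applicable(factors, p)
        print("H_1 mod", label, "-> simple root:", ok, "roots:", roots)
```

Only the root structure over F_p is examined; the ideal factorization of (p) that Kummer-Dedekind relates it to is not computed here. Squared factors in the table correspond to the repeated roots the code reports.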

Advertisement: 9th International Finite Fields Conference, University College Dublin and Claude Shannon Institute, Dublin, Ireland, July 13-17. www.shannoninstitute.ie