Computing modular polynomials with the Chinese Remainder Theorem

Similar documents
Modular polynomials and isogeny volcanoes

Computing the modular equation

On the evaluation of modular polynomials

Computing the endomorphism ring of an ordinary elliptic curve

Class invariants by the CRT method

Identifying supersingular elliptic curves

ON THE EVALUATION OF MODULAR POLYNOMIALS

Isogenies in a quantum world

ISOGENY GRAPHS OF ORDINARY ABELIAN VARIETIES

Elliptic Curves Spring 2015 Lecture #23 05/05/2015

Counting points on elliptic curves over F q

Constructing genus 2 curves over finite fields

Elliptic curve cryptography in a post-quantum world: the mathematics of isogeny-based cryptography

COMPUTING MODULAR POLYNOMIALS

Counting points on genus 2 curves over finite

Evaluating Large Degree Isogenies between Elliptic Curves

Isogeny graphs, modular polynomials, and point counting for higher genus curves

COMPUTING MODULAR POLYNOMIALS

Computing modular polynomials in dimension 2 ECC 2015, Bordeaux

arxiv: v3 [math.nt] 7 May 2013

CONSTRUCTING SUPERSINGULAR ELLIPTIC CURVES. Reinier Bröker

Explicit Complex Multiplication

ON ISOGENY GRAPHS OF SUPERSINGULAR ELLIPTIC CURVES OVER FINITE FIELDS

Computing the image of Galois

14 Ordinary and supersingular elliptic curves

Class polynomials for abelian surfaces

A quantum algorithm for computing isogenies between supersingular elliptic curves

Isogeny graphs of abelian varieties and applications to the Discrete Logarithm Problem

A Candidate Group with Infeasible Inversion

Constructing Abelian Varieties for Pairing-Based Cryptography

arxiv: v1 [math.nt] 29 Oct 2013

Igusa class polynomials

Genus 2 Curves of p-rank 1 via CM method

Introduction to Arithmetic Geometry Fall 2013 Lecture #24 12/03/2013

Elliptic Curves Spring 2013 Lecture #12 03/19/2013

Computing L-series coefficients of hyperelliptic curves

Graph structure of isogeny on elliptic curves

MA 162B LECTURE NOTES: THURSDAY, FEBRUARY 26

Even sharper upper bounds on the number of points on curves

A gentle introduction to isogeny-based cryptography

Journal of Number Theory

Tables of elliptic curves over number fields

Igusa Class Polynomials

Computing isogeny graphs using CM lattices

Abstracts of papers. Amod Agashe

20 The modular equation

Mappings of elliptic curves

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

Addition sequences and numerical evaluation of modular forms

arxiv: v3 [math.nt] 28 Jan 2015

Isolated Curves and the MOV Attack

Generation Methods of Elliptic Curves

A p-adic ALGORITHM TO COMPUTE THE HILBERT CLASS POLYNOMIAL. Reinier Bröker

Computing Hilbert Class Polynomials

You could have invented Supersingular Isogeny Diffie-Hellman

Non-generic attacks on elliptic curve DLPs

How many elliptic curves can have the same prime conductor? Alberta Number Theory Days, BIRS, 11 May Noam D. Elkies, Harvard University

Independence of Heegner Points Joseph H. Silverman (Joint work with Michael Rosen)

Elliptic Curves Spring 2019 Problem Set #7 Due: 04/08/2019

An introduction to supersingular isogeny-based cryptography

Hard and Easy Problems for Supersingular Isogeny Graphs

A numerically explicit Burgess inequality and an application to qua

Elliptic Curves Spring 2015 Problem Set #10 Due: 4/24/2015

Supersingular isogeny graphs and endomorphism rings: reductions and solutions

Elliptic Curves over Finite Fields

Class invariants for quartic CM-fields

Quantum Security Analysis of CSIDH and Ordinary Isogeny-based Schemes

Elliptic Curves Spring 2015 Lecture #7 02/26/2015

Igusa Class Polynomials

A Course in Computational Algebraic Number Theory

part 2: detecting smoothness part 3: the number-field sieve

Fast, twist-secure elliptic curve cryptography from Q-curves

Edwards Curves and the ECM Factorisation Method

20 The modular equation

On the Computation of Modular Polynomials for Elliptic Curves

Pairing the volcano. 1 Introduction. Sorina Ionica 1 and Antoine Joux 1,2

The powers of logarithm for quadratic twists

Hyperelliptic-curve cryptography. D. J. Bernstein University of Illinois at Chicago

Elliptic Curve Primality Proving

WEIL DESCENT ATTACKS

Hard Homogeneous Spaces

Side-Channel Attacks on Quantum-Resistant Supersingular Isogeny Diffie-Hellman

Computing endomorphism rings of abelian varieties of dimension two

Counting points on elliptic curves: Hasse s theorem and recent developments

Elliptic Curves Spring 2013 Lecture #4 02/14/2013

Finding small factors of integers. Speed of the number-field sieve. D. J. Bernstein University of Illinois at Chicago

Classical and Quantum Algorithms for Isogeny-based Cryptography

The Sato-Tate conjecture for abelian varieties

The complexity of class polynomial computation via floating point approximations

Point counting and real multiplication on K3 surfaces

PUBLIC-KEY CRYPTOSYSTEM BASED ON ISOGENIES

Material covered: Class numbers of quadratic fields, Valuations, Completions of fields.

Efficient Finite Field Multiplication for Isogeny Based Post Quantum Cryptography

Implementing the Schoof-Elkies-Atkin Algorithm with NTL

Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs

Cryptographic Hash Functions from Expander Graphs

An Alternate Decomposition of an Integer for Faster Point Multiplication on Certain Elliptic Curves

Loop-abort faults on supersingular isogeny cryptosystems

Distributed computation of the number. of points on an elliptic curve

Transcription:

Computing modular polynomials with the Chinese Remainder Theorem Andrew V. Sutherland Massachusetts Institute of Technology ECC 009 Reinier Bröker Kristin Lauter Andrew V. Sutherland (MIT) Computing modular polynomials 1 of 5

Isogenies An isogeny φ : E 1 E is a morphism of elliptic curves, a rational map that preserves the identity. Andrew V. Sutherland (MIT) Computing modular polynomials of 5

Isogenies An isogeny φ : E 1 E is a morphism of elliptic curves, a rational map that preserves the identity. Over a finite field, E 1 and E are isogenous if and only if #E 1 (F q ) = #E (F q ). Andrew V. Sutherland (MIT) Computing modular polynomials of 5

Some applications of isogenies Isogenies make hard problems easier: Counting the points on E Polynomial time (SEA). Constructing E with the CM method. D 10 14 h(d) 5, 000, 000 (CRT approach). Computing the endomorphism ring of E. Subexponential time (heuristically, Bisson-S 009). These algorithms all rely on modular polynomials Φ l (X, Y ). Andrew V. Sutherland (MIT) Computing modular polynomials 3 of 5

Isogenies in elliptic curve cryptography Isogenies allow the discrete logarithm problem to be transferred from one elliptic curve to another. This raises a few questions: 1. How efficiently can we compute isogenies?. Are all isogenous curves created equal? Andrew V. Sutherland (MIT) Computing modular polynomials 4 of 5

Isogenies in elliptic curve cryptography Isogenies allow the discrete logarithm problem to be transferred from one elliptic curve to another. This raises a few questions: 1. How efficiently can we compute isogenies?. Are all isogenous curves created equal? The endomorphism ring End(E) is critical to both questions. (Bröker-Charles-Lauter 008, Jao-Miller-Venkatesan 005, 009). Andrew V. Sutherland (MIT) Computing modular polynomials 4 of 5

Properties of isogenies Degree The kernel of φ : E 1 E is a finite subgroup of E 1 (F). When φ is separable, we have ker φ = deg φ. An l-isogeny is a (separable) isogeny of degree l. For prime l, the kernel is necessarily cyclic. Orientation We say that φ : E 1 E is horizontal if End(E 1 ) = End(E ). Otherwise φ is vertical. Andrew V. Sutherland (MIT) Computing modular polynomials 5 of 5

CM-action Let E/F q be an ordinary elliptic curve. Then End(E) = O O K, for some imaginary quadratic field K. Andrew V. Sutherland (MIT) Computing modular polynomials 6 of 5

CM-action Let E/F q be an ordinary elliptic curve. Then End(E) = O O K, for some imaginary quadratic field K. The class group cl(o) acts on the set {j(e/f q ) : End(E) = O}. Horizontal l-isogenies are the action of an ideal with norm l. Andrew V. Sutherland (MIT) Computing modular polynomials 6 of 5

CM-action Let E/F q be an ordinary elliptic curve. Then End(E) = O O K, for some imaginary quadratic field K. The class group cl(o) acts on the set {j(e/f q ) : End(E) = O}. Horizontal l-isogenies are the action of an ideal with norm l. A horizontal isogeny of large degree may be equivalent to a sequence of isogenies of small degree, via relations in cl(o). Andrew V. Sutherland (MIT) Computing modular polynomials 6 of 5

CM-action Let E/F q be an ordinary elliptic curve. Then End(E) = O O K, for some imaginary quadratic field K. The class group cl(o) acts on the set {j(e/f q ) : End(E) = O}. Horizontal l-isogenies are the action of an ideal with norm l. A horizontal isogeny of large degree may be equivalent to a sequence of isogenies of small degree, via relations in cl(o). Under the ERH this is always true, and small = O(log D ). Andrew V. Sutherland (MIT) Computing modular polynomials 6 of 5

Isogenies from kernels Any finite subgroup G of E(F) determines a separable isogeny with G as its kernel Given G, we can compute φ explicitly via Vélu s formula. The complexity depends both on the size of ker φ, and the field in which the points of ker φ are defined. When working in F q, we assume the coefficients of φ lie in F q. But ker φ may lie in an extension of degree up to l 1. Andrew V. Sutherland (MIT) Computing modular polynomials 7 of 5

The classical modular polynomial Φ l The symmetric polynomial Φ l Z[X, Y ] has the property Φ l ( j(e1 ), j(e ) ) = 0 E 1 and E are l-isogenous. Andrew V. Sutherland (MIT) Computing modular polynomials 8 of 5

The classical modular polynomial Φ l The symmetric polynomial Φ l Z[X, Y ] has the property Φ l ( j(e1 ), j(e ) ) = 0 E 1 and E are l-isogenous. The l-isogeny graph has vertex set {j(e) : E/F q } and edges (j 1, j ) whenever Φ l (j 1, j ) = 0 (in F q ). The neighbors of j are the roots of Φ l (X, j) F q [X]. Andrew V. Sutherland (MIT) Computing modular polynomials 8 of 5

The classical modular polynomial Φ l The symmetric polynomial Φ l Z[X, Y ] has the property Φ l ( j(e1 ), j(e ) ) = 0 E 1 and E are l-isogenous. The l-isogeny graph has vertex set {j(e) : E/F q } and edges (j 1, j ) whenever Φ l (j 1, j ) = 0 (in F q ). The neighbors of j are the roots of Φ l (X, j) F q [X]. Φ l is big: O(l 3 log l) bits. Andrew V. Sutherland (MIT) Computing modular polynomials 8 of 5

Andrew V. Sutherland (MIT) Computing modular polynomials 9 of 5

Andrew V. Sutherland (MIT) Computing modular polynomials 10 of 5

l coefficients largest average total 17 858 7.5kb 5.3kb 5.5MB 51 31880 16kb 1kb 48MB 503 176 36kb 7kb 431MB 1009 510557 78kb 60kb 3.9GB 003 00901 166kb 13kb 33GB 3001 4507505 59kb 08kb 117GB 4001 8010005 356kb 87kb 87GB 5003 1551 454kb 369kb 577GB 10007 50085038 968kb 774kb 4.8TB* Size of Φ l (X, Y ) *Estimated Andrew V. Sutherland (MIT) Computing modular polynomials 11 of 5

Algorithms to compute Φ l q-expansions: (Atkin?, Elkies 9, 98, LMMS 94, Morain 95, Müller 95, BCRS 99) Φ l : O(l 4 log 3+ɛ l) (via the CRT) Φ l mod p: O(l 3 log l log 1+ɛ p) (p > l + 1) Andrew V. Sutherland (MIT) Computing modular polynomials 1 of 5

Algorithms to compute Φ l q-expansions: (Atkin?, Elkies 9, 98, LMMS 94, Morain 95, Müller 95, BCRS 99) Φ l : O(l 4 log 3+ɛ l) (via the CRT) Φ l mod p: O(l 3 log l log 1+ɛ p) (p > l + 1) isogenies: (Charles-Lauter 005) Φ l : O(l 5+ɛ ) (via the CRT) Φ l mod p: O(l 4+ɛ log +ɛ p) (p > 1l + 13) Andrew V. Sutherland (MIT) Computing modular polynomials 1 of 5

Algorithms to compute Φ l q-expansions: (Atkin?, Elkies 9, 98, LMMS 94, Morain 95, Müller 95, BCRS 99) Φ l : O(l 4 log 3+ɛ l) (via the CRT) Φ l mod p: O(l 3 log l log 1+ɛ p) (p > l + 1) isogenies: (Charles-Lauter 005) Φ l : O(l 5+ɛ ) (via the CRT) Φ l mod p: O(l 4+ɛ log +ɛ p) (p > 1l + 13) evaluation-interpolation: (Enge 009) Φ l : O(l 3 log 4+ɛ l) (floating-point) Φ l mod m: O(l 3 log 4+ɛ l) (reduces Φ l ) Andrew V. Sutherland (MIT) Computing modular polynomials 1 of 5

A new algorithm to compute Φ l We compute Φ l using isogenies and the CRT. Andrew V. Sutherland (MIT) Computing modular polynomials 13 of 5

A new algorithm to compute Φ l We compute Φ l using isogenies and the CRT. For certain p we can compute Φ l mod p in expected time O(l log 3+ɛ p). Andrew V. Sutherland (MIT) Computing modular polynomials 13 of 5

A new algorithm to compute Φ l We compute Φ l using isogenies and the CRT. For certain p we can compute Φ l mod p in expected time O(l log 3+ɛ p). Under the GRH, we find many such p with log p = O(log l). Φ l : O(l 3 log 3+ɛ l) (via the CRT) Φ l mod m: O(l 3 log 3+ɛ l) (via the explicit CRT) Computing Φ l mod m uses O(l log(lm)) space. Andrew V. Sutherland (MIT) Computing modular polynomials 13 of 5

A new algorithm to compute Φ l We compute Φ l using isogenies and the CRT. For certain p we can compute Φ l mod p in expected time O(l log 3+ɛ p). Under the GRH, we find many such p with log p = O(log l). Φ l : O(l 3 log 3+ɛ l) (via the CRT) Φ l mod m: O(l 3 log 3+ɛ l) (via the explicit CRT) Computing Φ l mod m uses O(l log(lm)) space. In practice the algorithm is much faster than other methods. It is probabilistic, but the output is unconditionally correct. Andrew V. Sutherland (MIT) Computing modular polynomials 13 of 5

Performance highlights Level records 1. l = 5003: Φ l. l = 10007: Φ l mod m 3. l = 5001: Φ f l Each in less than 4 hours elapsed time ( 1 CPU-days), using m 56. Speed records 1. l = 51 : Φ l in 40s Φ l mod m in 5.5s. l = 1009: Φ l in 38s Φ l mod m in 408s 3. l = 1009: Φ f l in 3.s Single core CPU times (AMD 3.0 GHz), using m 56. Effective throughput when computing Φ 1009 mod m is 100Mb/s. Andrew V. Sutherland (MIT) Computing modular polynomials 14 of 5

Mapping a volcano Andrew V. Sutherland (MIT) Computing modular polynomials 15 of 5

Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l Andrew V. Sutherland (MIT) Computing modular polynomials 15 of 5

Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l Andrew V. Sutherland (MIT) Computing modular polynomials 15 of 5

Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l 1. Find a root of H D (X) Andrew V. Sutherland (MIT) Computing modular polynomials 15 of 5

Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l 901 1. Find a root of H D (X): 901 Andrew V. Sutherland (MIT) Computing modular polynomials 15 of 5

Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l l 0 = l 0 l, ( D ) = 1 l 0 901. Enumerate surface using the action of α l0 Andrew V. Sutherland (MIT) Computing modular polynomials 15 of 5

Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l l 0 =, α 5 = α 3 l 0 l, ( D l 0 ) = 1, α l = α k l 0 901. Enumerate surface using the action of α l0 901 158 501 351 701 87 15 Andrew V. Sutherland (MIT) Computing modular polynomials 15 of 5

Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l l 0 =, α 5 = α 3 l 0 l, ( D l 0 ) = 1, α l = α k l 0 901 351. Enumerate surface using the action of α l0 901 158 501 351 701 87 15 Andrew V. Sutherland (MIT) Computing modular polynomials 15 of 5

Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l l 0 =, α 5 = α 3 l 0 l, ( D l 0 ) = 1, α l = α k l 0 901 351 15. Enumerate surface using the action of α l0 901 158 501 351 701 87 15 Andrew V. Sutherland (MIT) Computing modular polynomials 15 of 5

Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l l 0 =, α 5 = α 3 l 0 l, ( D l 0 ) = 1, α l = α k l 0 901 351 15 501. Enumerate surface using the action of α l0 901 158 501 351 701 87 15 Andrew V. Sutherland (MIT) Computing modular polynomials 15 of 5

Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l l 0 =, α 5 = α 3 l 0 l, ( D l 0 ) = 1, α l = α k l 0 87 901 351 15 501. Enumerate surface using the action of α l0 901 158 501 351 701 87 15 Andrew V. Sutherland (MIT) Computing modular polynomials 15 of 5

Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l l 0 =, α 5 = α 3 l 0 l, ( D l 0 ) = 1, α l = α k l 0 901 158 351 15 87 501. Enumerate surface using the action of α l0 901 158 501 351 701 87 15 Andrew V. Sutherland (MIT) Computing modular polynomials 15 of 5

Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l l 0 =, α 5 = α 3 l 0 l, ( D l 0 ) = 1, α l = α k l 0 901 701 158 351 15 87 501. Enumerate surface using the action of α l0 901 158 501 351 701 87 15 Andrew V. Sutherland (MIT) Computing modular polynomials 15 of 5

Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l l 0 =, α 5 = α 3 l 0 l, ( D l 0 ) = 1, α l = α k l 0 901 701 158 351 15 87 501 3. Descend to the floor using Vélu s formula Andrew V. Sutherland (MIT) Computing modular polynomials 15 of 5

Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l l 0 =, α 5 = α 3 l 0 l, ( D l 0 ) = 1, α l = α k l 0 901 701 158 351 15 87 501 3188 3. Descend to the floor using Vélu s formula: 901 5 3188 Andrew V. Sutherland (MIT) Computing modular polynomials 15 of 5

Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l l 0 =, α 5 = α 3 l 0 l, ( D l 0 ) = 1, α l = α k l 0 901 701 158 351 15 87 501 3188 4. Enumerate floor using the action of β l0 Andrew V. Sutherland (MIT) Computing modular polynomials 15 of 5

Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l l 0 =, α 5 = α 3, β 5 = β 7 l 0 l, ( D ) = 1, α l l = α k 0 l, β 0 l = βl k 0 901 701 158 351 15 87 501 3188 4. Enumerate floor using the action of β l0 3188 945 3144 3508 843 150 676 970 3497 1180 464 41 48 434 1478 344 55 976 3345 1064 1868 338 91 3147 566 4397 087 3341 Andrew V. Sutherland (MIT) Computing modular polynomials 15 of 5

Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l l 0 =, α 5 = α 3, β 5 = β 7 l 0 l, ( D ) = 1, α l l = α k 0 l, β 0 l = βl k 0 901 701 158 351 15 87 501 3188 970 1478 338 4. Enumerate floor using the action of β l0 3188 945 3144 3508 843 150 676 970 3497 1180 464 41 48 434 1478 344 55 976 3345 1064 1868 338 91 3147 566 4397 087 3341 Andrew V. Sutherland (MIT) Computing modular polynomials 15 of 5

Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l l 0 =, α 5 = α 3, β 5 = β 7 l 0 l, ( D ) = 1, α l l = α k 0 l, β 0 l = βl k 0 901 701 158 351 15 87 501 3188 970 1478 338 3508 464 976 566 4. Enumerate floor using the action of β l0 3188 945 3144 3508 843 150 676 970 3497 1180 464 41 48 434 1478 344 55 976 3345 1064 1868 338 91 3147 566 4397 087 3341 Andrew V. Sutherland (MIT) Computing modular polynomials 15 of 5

Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l l 0 =, α 5 = α 3, β 5 = β 7 l 0 l, ( D ) = 1, α l l = α k 0 l, β 0 l = βl k 0 901 701 158 351 15 87 501 3188 970 1478 338 3508 464 976 566 676 434 1868 3341 4. Enumerate floor using the action of β l0 3188 945 3144 3508 843 150 676 970 3497 1180 464 41 48 434 1478 344 55 976 3345 1064 1868 338 91 3147 566 4397 087 3341 Andrew V. Sutherland (MIT) Computing modular polynomials 15 of 5

Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l l 0 =, α 5 = α 3, β 5 = β 7 l 0 l, ( D ) = 1, α l l = α k 0 l, β 0 l = βl k 0 901 701 158 351 15 87 501 3188 970 1478 338 3508 464 976 566 676 434 1868 3341 3144 1180 55 3147 4. Enumerate floor using the action of β l0 3188 945 3144 3508 843 150 676 970 3497 1180 464 41 48 434 1478 344 55 976 3345 1064 1868 338 91 3147 566 4397 087 3341 Andrew V. Sutherland (MIT) Computing modular polynomials 15 of 5

Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l l 0 =, α 5 = α 3, β 5 = β 7 l 0 l, ( D ) = 1, α l l = α k 0 l, β 0 l = βl k 0 901 701 158 351 15 87 501 3188 970 1478 338 3508 464 976 566 676 434 1868 3341 3144 1180 5 3147 4. Enumerate floor using the action of β l0 3188 945 3144 3508 843 150 676 970 3497 1180 464 41 48 434 1478 344 55 976 3345 1064 1868 338 91 3147 566 4397 087 3341 Andrew V. Sutherland (MIT) Computing modular polynomials 15 of 5

Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l l 0 =, α 5 = α 3, β 5 = β 7 l 0 l, ( D ) = 1, α l l = α k 0 l, β 0 l = βl k 0 901 701 158 351 15 87 501 3188 970 1478 338 3508 464 976 566 676 434 1868 3341 3144 1180 5 3147 4. Enumerate floor using the action of β l0 3188 945 3144 3508 843 150 676 970 3497 1180 464 41 48 434 1478 344 55 976 3345 1064 1868 338 91 3147 566 4397 087 3341 Andrew V. Sutherland (MIT) Computing modular polynomials 15 of 5

Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l l 0 =, α 5 = α 3, β 5 = β 7 l 0 l, ( D ) = 1, α l l = α k 0 l, β 0 l = βl k 0 901 701 158 351 15 87 501 3188 970 1478 338 3508 464 976 566 676 434 1868 3341 3144 1180 5 3147 4. Enumerate floor using the action of β l0 3188 945 3144 3508 843 150 676 970 3497 1180 464 41 48 434 1478 344 55 976 3345 1064 1868 338 91 3147 566 4397 087 3341 Andrew V. Sutherland (MIT) Computing modular polynomials 15 of 5

Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l l 0 =, α 5 = α 3, β 5 = β 7 l 0 l, ( D ) = 1, α l l = α k 0 l, β 0 l = βl k 0 901 701 158 351 15 87 501 3188 970 1478 338 3508 464 976 566 676 434 1868 3341 3144 1180 5 3147 Andrew V. Sutherland (MIT) Computing modular polynomials 15 of 5

Interpolation 901 701 158 351 15 87 501 3188 970 1478 338 3508 464 976 566 676 434 1868 3341 3144 1180 5 3147 Φ 5 (X, 901) = (X 701)(X 351)(X 3188)(X 970)(X 1478)(X 338) Φ 5 (X, 351) = (X 901)(X 15)(X 3508)(X 464)(X 976)(X 566) Φ 5 (X, 15) = (X 351)(X 501)(X 3341)(X 1868)(X 434)(X 676) Φ 5 (X, 501) = (X 15)(X 87)(X 3147)(X 55)(X 1180)(X 3144) Φ 5 (X, 87) = (X 501)(X 158)(X 150)(X 48)(X 1064)(X 087) Φ 5 (X, 158) = (X 87)(X 701)(X 945)(X 3497)(X 344)(X 91) Φ 5 (X, 701) = (X 158)(X 901)(X 843)(X 41)(X 3345)(X 4397) Andrew V. Sutherland (MIT) Computing modular polynomials 16 of 5

Interpolation 901 701 158 351 15 87 501 3188 970 1478 338 3508 464 976 566 676 434 1868 3341 3144 1180 5 3147 Φ 5 (X, 901) = X 6 + 1337X 5 + 543X 4 + 497X 3 + 4391X + 3144X + 36 Φ 5 (X, 351) = X 6 + 3174X 5 + 1789X 4 + 3373X 3 + 397X + 93X + 4019 Φ 5 (X, 15) = X 6 + 18X 5 + 51X 4 + 435X 3 + 844X + 084X + 709 Φ 5 (X, 501) = X 6 + 991X 5 + 3075X 5 + 3918X 3 + 41X + 3755X + 1157 Φ 5 (X, 87) = X 6 + 389X 5 + 39X 4 + 3909X 3 + 161X + 1003X + 091 Φ 5 (X, 158) = X 6 + 1803X 5 + 794X 4 + 3584X 3 + 5X + 1530X + 1975 Φ 5 (X, 701) = X 6 + 515X 5 + 1419X 4 + 941X 3 + 4145X + 7X + 754 Andrew V. Sutherland (MIT) Computing modular polynomials 16 of 5

Interpolation 901 701 158 351 15 87 501 3188 970 1478 338 3508 464 976 566 676 434 1868 3341 3144 1180 5 3147 Φ 5 (X, Y ) = X 6 + (4450Y 5 + 370Y 4 + 433Y 3 + 3499Y + 70Y + 397)X 5 (370Y 5 + 3683Y 4 + 348Y 3 + 808Y + 3745Y + 33)X 4 (433Y 5 + 348Y 4 + 08Y 3 + 05Y + 4006Y + 11)X 3 (3499Y 5 + 808Y 4 + 05Y 3 + 4378Y + 3886Y + 050)X ( 70Y 5 + 3745Y 4 + 4006Y 3 + 3886Y + 905Y + 091)X (Y 6 + 397Y 5 + 33Y 4 + 11Y 3 + 050Y + 091Y + 108) Andrew V. Sutherland (MIT) Computing modular polynomials 16 of 5

Computing Φ l (X, Y ) mod p Assume D and p are suitably chosen with D = O(l ) and log p = O(log l), and that H D (X) has been precomputed. 1. Find a root of H D (X) over F p. O(l log 3+ɛ l). Enumerate the surface(s) using cl(d)-action. O(l log +ɛ l) 3. Descend to the floor using Vélu. O(l log 1+ɛ l) 4. Enumerate the floor using cl(l D)-action. O(l log +ɛ l) 5. Build each Φ l (X, j i ) from its roots. O(l log 3+ɛ l) 6. Interpolate Φ l (X, Y ) mod p. O(l log 3+ɛ l) Time complexity is O(l log 3+ɛ l). Space complexity is O(l log l). Andrew V. Sutherland (MIT) Computing modular polynomials 17 of 5

After computing Φ 5 (X, Y ) mod p for the primes: 4451, 6911, 9551, 8111, 54851, 110051, 13491, 160591, 11711, 80451, 434111, 530851, 686051, 736511, we apply the CRT to obtain Φ 5 (X, Y ) = X 6 + Y 6 X 5 Y 5 + 370(X 5 Y 4 + X 4 Y 5 ) 4550940(X 5 Y 3 + X 3 Y 5 ) + 0855100(X 5 Y + X Y 5 ) 46683410950(X 5 Y + XY 5 ) + 19631148980(X 5 + Y 5 ) + 1665999364600X 4 Y 4 + 10787898185336800(X 4 Y 3 + X 3 Y 4 ) + 38308360977981115375(X 4 Y + X Y 4 ) + 1854179890688816384000(X 4 Y + XY 4 ) + 184733138414445653440(X 4 + Y 4 ) 4550940(X 3 Y 5 + X 5 Y 3 ) 441069655191483546100X 3 Y 3 + 689848885838073157741778000(X 3 Y + X Y 3 ) 19457934618989965510831168000(X 3 Y + XY 3 ) + 804477788439578043156597868800(X 3 + Y 3 ) + 511094177755418083110765199360000X Y + 3655473658394969957064733656640000(X Y + XY ) + 669500046799770848714941501506846700(X + Y ) 6407345707660596597157904797878949376XY + 5374330803444545040160733565091513000(X + Y ) + 141359947154713586977534746910713675100467000. Andrew V. Sutherland (MIT) Computing modular polynomials 18 of 5

After computing Φ 5 (X, Y ) mod p for the primes: 4451, 6911, 9551, 8111, 54851, 110051, 13491, 160591, 11711, 80451, 434111, 530851, 686051, 736511, we apply the CRT to obtain Φ 5 (X, Y ) = X 6 + Y 6 X 5 Y 5 + 370(X 5 Y 4 + X 4 Y 5 ) 4550940(X 5 Y 3 + X 3 Y 5 ) + 0855100(X 5 Y + X Y 5 ) 46683410950(X 5 Y + XY 5 ) + 19631148980(X 5 + Y 5 ) + 1665999364600X 4 Y 4 + 10787898185336800(X 4 Y 3 + X 3 Y 4 ) + 38308360977981115375(X 4 Y + X Y 4 ) + 1854179890688816384000(X 4 Y + XY 4 ) + 184733138414445653440(X 4 + Y 4 ) 4550940(X 3 Y 5 + X 5 Y 3 ) 441069655191483546100X 3 Y 3 + 689848885838073157741778000(X 3 Y + X Y 3 ) 19457934618989965510831168000(X 3 Y + XY 3 ) + 804477788439578043156597868800(X 3 + Y 3 ) + 511094177755418083110765199360000X Y + 3655473658394969957064733656640000(X Y + XY ) + 669500046799770848714941501506846700(X + Y ) 6407345707660596597157904797878949376XY + 5374330803444545040160733565091513000(X + Y ) + 141359947154713586977534746910713675100467000. (but note that Φ f 5 (X, Y ) = X 6 + Y 6 X 5 Y 5 + 4XY ). Andrew V. Sutherland (MIT) Computing modular polynomials 18 of 5

The algorithm Given a prime l > and an integer m > 0: 1. Pick a discriminant D suitable for l.. Select a set of primes S suitable for l and D. 3. Precompute H D, cl(d), cl(l D), and CRT data. 4. For each p S, compute Φ l mod p and update CRT data. 5. Perform CRT postcomputation and output Φ l mod m. To compute Φ l over Z, just use m = p. For small m, use explicit CRT modm. For large m, standard CRT for large m. For m in between, use a hybrid approach. Andrew V. Sutherland (MIT) Computing modular polynomials 19 of 5

Chinese remaindering Let S = {p 1,..., p n}, M = Q p i, M i = M/p i, and a i M 1 i mod p i. For each coefficient c of Φ l, let c i c mod p i and assume 4 c < M. Standard CRT: c P c i a i M i mod M. Explicit CRT mod m [Bernstein]: X c ci a i M i rm mod m where r is the closest integer to P c i a i /M i. Online algorithm: process each c i as it is computed, then discard it! Assuming log p i = O(log l): Space complexity: O(l log(lm). Time complexity: O(l 3 log 3+ɛ l + l 3 M(log m)) With hybrid approach, time is O(l 3 log 3+ɛ l) independent of m. See arxiv.org/abs/090.4670 for more details. Andrew V. Sutherland (MIT) Computing modular polynomials 0 of 5

Complexity Theorem (GRH) For every prime l > there is a suitable discriminant D with D = O(l ) for which there are Ω(l 3 log 3 l) primes p = O(l 6 (log l) 4 ) that are suitable for l and D. Heuristically, p = O(l 4 ). In practice, lg p < 64. Theorem (GRH) The expected running time is O(l 3 log 3 l log log l). The space required is O(l log(lm)). Andrew V. Sutherland (MIT) Computing modular polynomials 1 of 5

An explicit height bound for Φ l Let l be a prime. Let h(φ l ) be the (natural) logarithmic height of Φ l. Asymptotic bound: h(φ l ) = 6l log l + O(l) (Paula Cohen 1984). Andrew V. Sutherland (MIT) Computing modular polynomials of 5

An explicit height bound for Φ l Let l be a prime. Let h(φ l ) be the (natural) logarithmic height of Φ l. Asymptotic bound: h(φ l ) = 6l log l + O(l) (Paula Cohen 1984). Explicit bound: h(φ l ) 6l log l + 17l (Bröker-S 009). Conjectural bound: h(φ l ) 6l log l + 1l (for l > 30). The explicit bound holds for all l. The conjectural bound is known to hold for 30 < l < 3600. Andrew V. Sutherland (MIT) Computing modular polynomials of 5

Other modular functions We can compute polynomials relating f (z) and f (lz) for other modular functions, including the Weber f-function. The coefficients of Φ f l are roughly 7 times smaller. This means we need 7 fewer primes. The polynomial Φ f l is roughly 4 times sparser. This means we need 4 times fewer interpolation points. Overall, we get nearly a 178-fold speedup using Φ f l. Andrew V. Sutherland (MIT) Computing modular polynomials 3 of 5

Modular polynomials for l = 11 Classical: X 1 + Y 1 X 11 Y 11 + 1X 11 Y 11 + 8184X 11 Y 10 878756X 11 Y 9 + 536868816X 11 Y 8 61058988656490X 11 Y 7 + 457039313564171X 11 Y 6 17899567883039048X 11 Y 5 + 497837387749846750X 11 Y 4 59134841844639613861795X 11 Y 3 + 7098116580566458155600X 11 Y 3746400635670139351581761X 11 Y + 9647090355405758300000X 11... 8 pages omitted... + 394334509457654908696... 100 digits omitted... 000 Atkin: X 1 X 11 Y + 744X 11 + 196680X 10 + 187X 9 Y + 1354080X 9 + 506X 8 Y + 830467440X 8 11440X 7 Y + 1687537744X 7 5744X 6 Y + 08564958976X 6 + 184184X 5 Y + 16785887360X 5 + 1675784X 4 Y + 903155113600X 4 + 186771X 3 Y + 3349979904000X 3 85640X Y + 7446810880000X 19849600XY + 98997734400000X + Y 870000Y + 5841107000000 Weber: X 1 + Y 1 X 11 Y 11 + 11X 9 Y 9 44X 7 Y 7 + 88X 5 Y 5 88X 3 Y 3 + 3XY Andrew V. Sutherland (MIT) Computing modular polynomials 4 of 5

Performance comparison function l floating-point CRT ratio classical j 51 688 40 17. 503 830 410 0.3 1009 10700 38 8.0 Weber f 1009 16. 3. 5.1 5003 4504 49 9. 10007 66758 4931 13.5 floating-point vs. CRT (3.0 GHz AMD Phenom CPU seconds, m 56 ) Andrew V. Sutherland (MIT) Computing modular polynomials 5 of 5

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback