An introduction to the algorithmic of p-adic numbers

Similar documents
A linear resolvent for degree 14 polynomials

Algebraic Number Theory Notes: Local Fields

CONSTRUCTING SUPERSINGULAR ELLIPTIC CURVES. Reinier Bröker

1 Absolute values and discrete valuations

Chapter 8. P-adic numbers. 8.1 Absolute values

A BRIEF INTRODUCTION TO LOCAL FIELDS

Counting Points on Curves using Monsky-Washnitzer Cohomology

Absolute Values and Completions

p-adic fields Chapter 7

February 1, 2005 INTRODUCTION TO p-adic NUMBERS. 1. p-adic Expansions

Galois groups of 2-adic fields of degree 12 with automorphism group of order 6 and 12

Introduction to Arithmetic Geometry Fall 2013 Lecture #24 12/03/2013

Modular Multiplication in GF (p k ) using Lagrange Representation

P -adic root separation for quadratic and cubic polynomials

THE P-ADIC NUMBERS AND FINITE FIELD EXTENSIONS OF Q p

Counting points on curves: the general case

Curves, Cryptography, and Primes of the Form x 2 + y 2 D

KILLING WILD RAMIFICATION

FORMAL GROUPS OF CERTAIN Q-CURVES OVER QUADRATIC FIELDS

Algebraic function fields

Polynomials. Chapter 4

Higher Ramification Groups

Dieudonné Modules and p-divisible Groups

Mappings of elliptic curves

Part 1. For any A-module, let M[x] denote the set of all polynomials in x with coefficients in M, that is to say expressions of the form

14 Ordinary and supersingular elliptic curves

NUMBER FIELDS UNRAMIFIED AWAY FROM 2

School of Mathematics and Statistics. MT5836 Galois Theory. Handout 0: Course Information

8 Complete fields and valuation rings

Galois fields/1. (M3) There is an element 1 (not equal to 0) such that a 1 = a for all a.

2-ADIC ARITHMETIC-GEOMETRIC MEAN AND ELLIPTIC CURVES

Galois groups with restricted ramification

Public-key Cryptography: Theory and Practice

Elliptic Curves Spring 2017 Lecture #5 02/22/2017

Counting points on elliptic curves: Hasse s theorem and recent developments

LECTURE 2. Hilbert Symbols

Local Fields. Chapter Absolute Values and Discrete Valuations Definitions and Comments

Notes on p-divisible Groups

Lecture 7: Etale Fundamental Group - Examples

3 Extensions of local fields

Number of points on a family of curves over a finite field

arxiv: v2 [math.nt] 12 Dec 2018

Fast hashing to G2 on pairing friendly curves

The Local Langlands Conjectures for n = 1, 2

CLASS FIELD THEORY WEEK Motivation

Boston College, Department of Mathematics, Chestnut Hill, MA , May 25, 2004

The Polynomial Composition Problem in (Z/nZ)[X]

Computing with polynomials: Hensel constructions

FIELD THEORY. Contents

Graph structure of isogeny on elliptic curves

GALOIS GROUPS OF DEGREE 12 2-ADIC FIELDS WITH TRIVIAL AUTOMORPHISM GROUP

Identifying supersingular elliptic curves

ABSOLUTE VALUES AND VALUATIONS

CHAPTER 0 PRELIMINARY MATERIAL. Paul Vojta. University of California, Berkeley. 18 February 1998

AN APPLICATION OF THE p-adic ANALYTIC CLASS NUMBER FORMULA

1.6.1 What are Néron Models?

LECTURE 2 FRANZ LEMMERMEYER

An Approach to Hensel s Lemma

A Note on Cyclotomic Integers

CLASS FIELD THEORY AND COMPLEX MULTIPLICATION FOR ELLIPTIC CURVES

Some algebraic number theory and the reciprocity map

On elliptic curves in characteristic 2 with wild additive reduction

1/30: Polynomials over Z/n.

MA257: INTRODUCTION TO NUMBER THEORY LECTURE NOTES

Local corrections of discriminant bounds and small degree extensions of quadratic base fields

An Introduction to Supersingular Elliptic Curves and Supersingular Primes

A survey of p-adic approaches to zeta functions (plus a new approach)

Contents Lecture 1 2 Norms 2 Completeness 4 p-adic expansions 5 Exercises to lecture 1 6 Lecture 2 7 Completions 7 p-adic integers 7 Extensions of Q

CONSTRUCTING GALOIS 2-EXTENSIONS OF THE 2-ADIC NUMBERS

NOTES ON FINITE FIELDS

Application of Explicit Hilbert s Pairing to Constructive Class Field Theory and Cryptography

Formulary for elliptic divisibility sequences and elliptic nets. Let E be the elliptic curve defined over the rationals with Weierstrass equation

P -ADIC ROOT SEPARATION FOR QUADRATIC AND CUBIC POLYNOMIALS. Tomislav Pejković

Hamburger Beiträge zur Mathematik

Counting points on genus 2 curves over finite

Constructing genus 2 curves over finite fields

Galois Representations

MA 162B LECTURE NOTES: THURSDAY, FEBRUARY 26

TC10 / 3. Finite fields S. Xambó

MANIN-MUMFORD AND LATTÉS MAPS

Definability in fields Lecture 2: Defining valuations

Chapter 4 Finite Fields

Defining Valuation Rings

Model theory of valued fields Lecture Notes

Class invariants by the CRT method

0.1 Valuations on a number field

Modular forms and the Hilbert class field

DIVISION ALGEBRAS WITH AN ANTI-AUTOMORPHISM BUT WITH NO INVOLUTION

Introduction to Elliptic Curves

A Version of the Grothendieck Conjecture for p-adic Local Fields

NOTES ON DIOPHANTINE APPROXIMATION

Constructing Abelian Varieties for Pairing-Based Cryptography

Exact Arithmetic on a Computer

ON p-adic REPRESENTATIONS OF Gal(Q p /Q p ) WITH OPEN IMAGE

Computing the endomorphism ring of an ordinary elliptic curve

Introduction to Number Fields David P. Roberts University of Minnesota, Morris

The p-adic numbers. Given a prime p, we define a valuation on the rationals by

Fast, twist-secure elliptic curve cryptography from Q-curves

1 Rings 1 RINGS 1. Theorem 1.1 (Substitution Principle). Let ϕ : R R be a ring homomorphism

FOUNDATIONS OF ALGEBRAIC GEOMETRY CLASS 43

Transcription:

An introduction to the algorithmic of p-adic numbers David Lubicz 1 1 Universté de Rennes 1, Campus de Beaulieu, 35042 Rennes Cedex, France

Outline Introduction 1 Introduction 2 3 4 5 6 7 8

When do we need p-adic numbers? In elliptic curve cryptography, most of time, the important objects to manipulate are finite fields F q. Sometimes, we would like to use formulas coming from the classical theory of elliptic curves over C but they have no meaning in characteristic p because for instance they imply the evaluation of 1/p.

Cryptographic applications Main cryptographic applications of p-adic numbers : point counting algorithms; CM-methods; isogeny computations.

What are the p-adic numbers? A dictionary : Function fields C[X] C(X) a monomial (X α) finite extension of C(X) Laurent series about α Number theory Z Q p prime finite extension of Q p-adic numbers

Construction of p-adic numbers I Let p be a prime, let A n = Z/p n Z. We have a natural morphism φ : A n A n 1 provided by the reduction modulo p n 1. The sequence... A n A n 1... A 2 A 1 is an inverse system. Definition The ring of p-adic numbers is by definition Z p = lim(a n, φ n ).

Construction of p-adic numbers II An element of a = Z p can be represented as a sequence of elements a = (a 1, a 2,..., a n,...) with a i Z/p i Z and a i mod p i 1 = a i 1. The ring structure is the one inherited from that of Z/p i Z. The neutral element is (1,..., 1,...). There exists natural projections p i : Z p Z/p i Z, a a i = a mod p i.

I Proposition Let x Z p, x is invertible if and only if x mod p is invertible. Let x Z p, there exists a unique (u, n) where u is an invertible element of Z p and n a positive integer such that x = p n u. The integer n is called the valuation of x and denoted by v(x).

II Z p is a characteristic 0 ring; Z p is integral; Z p has a unique maximal ideal O p = {x Z p v(x) > 0}; There is a canonical isomorphism Z p /O p F p.

The field of p-adics Definition The field of p-adic numbers noted Q p is by definition the field of fractions of Z p. The valuation of Z p extend immediately to Q p by letting v(x/y) = v(x) v(y) for x, y Z p ; Q p comes with a norm called the p-adic norm given by x Qp = p v(x).

Representation as a series I Definition An element π Z p is called a uniformizing element if v(π) = 1. Let p 1 be the canonical projection from Z p to F p. A map ω : F p Z p is a system of representatives of F p if for all x F p we have p 1 ( ω(x) ) = x. Definition An element x Z p is called a lift of an element x 0 F p if p 1 (x) = x 0. Consequently, for all x F p, ω(x) is a lift of x.

Representation as a series II Let π be a uniformizing element of Z p, ω a system of representatives of F p in Z p and x Z p. Let n = v(x), then x/π n is an invertible element of Z p and there exists a unique x n F p such that v ( x π n ω(x n ) ) = n + 1. Iterating this process, we obtain that Proposition There exists a unique sequence (x i ) i 0 of elements of F p such that x = ω(x i )π i. i=0

I Let K be a finite extension of Q p defined by an irreducible polynomial m Q p [X]. There exists a unique norm K on K extending the p-adic norm on Q p. R = {x K x K 1} is the valuation ring of K. M = {x R x K < 1} is be the unique maximal ideal of R.

Field extension II Definition Keeping the notation from above : The field F q = R/M is an algebraic extension of F p, the degree of which is called the inertia degree of K and is denoted by f. The absolute ramification index of K is the integer e = v K ( ψ(p) ), where ψ : Z K is the canonical embedding of Z into K.

Unramified extensions I We have the Theorem Let d be the degree of K /Q p, then d = ef. Definition Let K /Q p be a finite extension. Then K is called absolutely unramified if e = 1. An absolutely unramified extension of degree d is denoted by Q q with q = p d and its valuation ring by Z q.

Unramified extensions II Proposition Let K be a finite extension of Q p defined by an irreducible polynomial m Q p [X]. Denote by P 1 the reduction morphism R[X] F q [X] induced by p 1 and let m be the irreducible polynomial defined by P 1 (m). The extension K /Q p is absolutely unramified if and only if deg m = deg m. Let d = deg m and F q = F p d the finite field defined by m, then we have p 1 (R) = F q.

Unramified extensions III The classification of unramified extension is given by their degree. Proposition Let K 1 and K 2 be two unramified extensions of Q p defined respectively by m 1 and m 2 then K 1 K 2 if and only if deg m 1 = deg m 2.

Unramified extensions IV The Galois properties of unramified extensions of Q p is the same as that of finite fields. Proposition An unramified extension K of Q p is Galois and its Galois group is cyclic generated by an element Σ that reduces to the Frobenius morphism on the residue field. We call this automorphism the Frobenius substitution on K.

Lefschetz principle I The field Q p and its unramified extensions enjoy several important properties: Their Galois groups reflect the structure of finite field extensions; Their are big enough to be characteristic 0 fields......but small enough so that there exists an field morphism K C for any K finite extension of Q p. Warning : Q p /Q is NOT an algebraic extension.

Lefschetz principle II The so-called Lefschetz principle consists in lifting objects defined over finite fields over the p-adics, then embedding the p-adics into C where we can obtain algebraic relations using analytic methods, and then interpret these relations over finite fields by reduction modulo p.

I Introduction Proposition Let K be an unramified extension of Q p with valuation ring R and norm K. Let f R[X] and let x 0 R be such that then the sequence f (x 0 ) K < f (x 0 ) 2 K x n+1 = x n f (x n) f (x n ) (1) converges quadratically towards a zero of f in R.

II The quadratic convergence implies that the precision of the approximation nearly doubles at each iteration. More precisely, let k = v K ( f (x 0 ) ) and let x be the limit of the sequence (1). Suppose that x i is an approximation of x to precision n, i.e. v K (x x i ) n, then x i+1 = x i f (x i )/f (x i ) is an approximation of x to precision 2n k.

Hensel lift Introduction Lemma (Hensel) Let f, A k, B k, U, V be polynomials with coefficients in R such that f A k B k (mod M k ), U(X)A k (X) + V (X)B k (X) = 1, with A k monic and deg U(X) < deg B k (X) and deg V (X) < deg A k (X) then there exist polynomials A k+1 and B k+1 satisfying the same conditions as above with k replaced by k + 1 and A k+1 A k (mod M k ), B k+1 B k (mod M k ).

Representation of p adic integers In practice, one computes with p-adic integers up to some precision N. An element a Z p is approximated by p N (a) Z/p N Z. The arithmetic reduces to the arithmetic modulo p N. For a given precision N, each element takes O(N log p) space.

Polynomial representation I Let Q q be the unramified extension of Q p of degree d. By proposition 3, Q q is defined by any polynomial M[X] Z p [X] such that m = P 1 (M) F p [X] is an irreducible degree d polynomial. We can assume that M is monic. As a consequence every a Q q can be written as a = d 1 i=0 a ix i with a i Q p and every b Z q can be written as b = d 1 i=0 b ix i with b i Z p. In order to make the reduction modulo M very fast, we choose M sparse.

Polynomial representation II In general, we work with Z q up to precision N. This can be done by computing in (Z/NZ)[X]/(M N ) where M N is the reduction of M modulo p N. The size of an object is O(dN log(p)).

Polynomials representation III Two common choices to speed up arithmetic in Z q : sparse modulus representation : we deduce M by lifting in a trivial way the coefficients of m. The reduction modulo M of a polynomial of degree less than 2(d 1) takes d(w 1) multiplication of a Z/NZ element by a small integer and dw subtractions in Z p where w is the number of non zero coefficients in M. Teichmüller modulus representation : We define M as the unique polynomial over Z p such that M(X) X q X and M(X) mod p = m(x). In this representation we have Σ(X) = X p.

Multiplication I The arithmetic in Z p with precision N is the same thing as the arithmetic in Z/p N Z. The multiplication of two elements of Z p takes O(N µ ) where µ is the exponent in the multiplication estimate of two integers (µ = 1 + ɛ with FFT, µ = log 3 with Karatsuba, and µ = 2 with school book method);

Multiplication II The multiplications of two elements of Z q is equivalent to the multiplication of two polynomials in (Z/NZ)[X] which take O(d ν N µ ) time (here ν is the exponent of the complexity function for the multiplication of two polynomials). In all the complexity of the multiplication of two p-adics is O(d ν N µ ).

Computing inverse with In order to inverse a Z q can be done by computing an inverse of p 1 (a) F q ; taking any lift z 1 Z q of 1/p 1 (a) F q ; z 1 is an approximation to precision 1 of the root of the polynomial f (X) = 1 ax; lifting the root z 1 to a given precision with Newton.

Computing inverse with Inverse Input: A unit a Z q and a precision N Output: The inverse of a to precision N 1 If N = 1 Then 2 z 1/a mod p 3 Else 4 z Inverse(a, N 2 ) 5 z z + z(1 az) mod p N 6 Return z

Computing inverse with We go through the log(n) iterations; The dominant operation is a multiplication of elements of Z q with precision N : this can be done in O(d ν N µ ) time; The overall complexity is O(log(N)d ν N µ ).

Computing square root with In the same way it, one can compute the inverse square root of a Z q to precision N in time O(log(N)d ν N µ ); Principle: compute the square root mod p and then do a with the polynomial f (X) = 1 ax 2 ; For a reference ([CFA + 06] pp. 248).

The AGM algorithm I Elliptic curve AGM Input: An ordinary elliptic curve E : y 2 + xy = x 3 + c over F 2 d with j(e) 0. Output: The number of points on E(F 2 d ). 1 N d 2 + 3 2 a 1 and b (1 + 8c) mod 2 4 3 For i = 5 To N Do 4 (a, b) ( (a + b)/2, ab ) mod 2 i 5 a 0 a

The AGM algorithm II 1 For i = 0 To d 1 Do 2 (a, b) ( (a + b)/2, ab ) mod 2 N 3 t a 0 a mod 2N 1 4 If t 2 > 2 d+2 Then t t 2 N 1 5 Return 2 d + 1 t

Complexity of the AGM algorithm You know everything you need to see that the complexity is quasi-cubic.

The End Introduction Thank you for your attention. Any question?

Henri Cohen, Gerhard Frey, Roberto Avanzi, Christophe Doche, Tanja Lange, Kim Nguyen, and Frederik Vercauteren, editors. Handbook of elliptic and hyperelliptic curve cryptography. Discrete Mathematics and its Applications (Boca Raton). Chapman & Hall/CRC, Boca Raton, FL, 2006. Neal Koblitz. p-adic numbers, p-adic analysis, and zeta-functions, volume 58 of Graduate Texts in Mathematics. Springer-Verlag, New York, second edition, 1984. Alain M. Robert.

A course in p-adic analysis, volume 198 of Graduate Texts in Mathematics. Springer-Verlag, New York, 2000. J.-P. Serre. A course in arithmetic. Springer-Verlag, New York, 1973. Translated from the French, Graduate Texts in Mathematics, No. 7. Jean-Pierre Serre. Local fields, volume 67 of Graduate Texts in Mathematics. Springer-Verlag, New York, 1979. Translated from the French by Marvin Jay Greenberg.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback