Hyperelliptic curves

Similar documents
Constructing genus 2 curves over finite fields

Hyperelliptic Curve Cryptography

Non-generic attacks on elliptic curve DLPs

Genus 2 Curves of p-rank 1 via CM method

Problème du logarithme discret sur courbes elliptiques

Igusa Class Polynomials

Riemann surfaces with extra automorphisms and endomorphism rings of their Jacobians

Fast arithmetic and pairing evaluation on genus 2 curves

Igusa Class Polynomials

Explicit isogenies and the Discrete Logarithm Problem in genus three

Isogeny graphs of abelian varieties and applications to the Discrete Logarithm Problem

Mappings of elliptic curves

Class numbers of algebraic function fields, or Jacobians of curves over finite fields

Optimal curves of genus 1, 2 and 3

FOUNDATIONS OF ALGEBRAIC GEOMETRY CLASS 45

Public-key Cryptography: Theory and Practice

COMPLEX MULTIPLICATION: LECTURE 15

Constructing Abelian Varieties for Pairing-Based Cryptography

Calcul d indice et courbes algébriques : de meilleures récoltes

Explicit Complex Multiplication

TC10 / 3. Finite fields S. Xambó

Counting Points on Curves using Monsky-Washnitzer Cohomology

Curves, Cryptography, and Primes of the Form x 2 + y 2 D

Class invariants for quartic CM-fields

Quadratic points on modular curves

2004 ECRYPT Summer School on Elliptic Curve Cryptography

L-Polynomials of Curves over Finite Fields

HONDA-TATE THEOREM FOR ELLIPTIC CURVES

Outline of the Seminar Topics on elliptic curves Saarbrücken,

The point decomposition problem in Jacobian varieties

Definition of a finite group

Cover and Decomposition Index Calculus on Elliptic Curves made practical

Porteous s Formula for Maps between Coherent Sheaves

A quasi polynomial algorithm for discrete logarithm in small characteristic

On the complexity of computing discrete logarithms in the field F

Invariants and hyperelliptic curves: geometric, arithmetic and algorithmic aspects

Fast Cryptography in Genus 2

Discrete Logarithm Computation in Hyperelliptic Function Fields

Counting points on genus 2 curves over finite

Introduction to Elliptic Curve Cryptography. Anupam Datta

Elliptic Curve Discrete Logarithm Problem

Kummer Surfaces. Max Kutler. December 14, 2010

Computing modular polynomials in dimension 2 ECC 2015, Bordeaux

Algorithmic Number Theory in Function Fields

Igusa class polynomials

FORMAL GROUPS OF CERTAIN Q-CURVES OVER QUADRATIC FIELDS

THE JACOBIAN AND FORMAL GROUP OF A CURVE OF GENUS 2 OVER AN ARBITRARY GROUND FIELD E. V. Flynn, Mathematical Institute, University of Oxford

Enumerating Curves of Genus 2 Over Finite Fields

A p-adic Birch and Swinnerton-Dyer conjecture for modular abelian varieties

Elliptic Curves Spring 2015 Lecture #7 02/26/2015

Scalar multiplication in compressed coordinates in the trace-zero subgroup

Each is equal to CP 1 minus one point, which is the origin of the other: (C =) U 1 = CP 1 the line λ (1, 0) U 0

Proof of the Shafarevich conjecture

The point decomposition problem in Jacobian varieties

Exercises for algebraic curves

DIVISOR THEORY ON TROPICAL AND LOG SMOOTH CURVES

Topics in Number Theory: Elliptic Curves

Isogeny graphs, modular polynomials, and point counting for higher genus curves

Some. Manin-Mumford. Problems

A remark on the arithmetic invariant theory of hyperelliptic curves

SM9 identity-based cryptographic algorithms Part 1: General

Weil pairing. Algant: Regensburg and Leiden Elliptic curves and Weil conjectures seminar, Regensburg. Wednesday 22 nd June, 2016.

Elliptic and Hyperelliptic Curve Cryptography

Introduction to Arithmetic Geometry Fall 2013 Lecture #23 11/26/2013

Elliptic Curves Spring 2019 Problem Set #7 Due: 04/08/2019

Elliptic curves over function fields 1

FINITE GROUPS AND EQUATIONS OVER FINITE FIELDS A PROBLEM SET FOR ARIZONA WINTER SCHOOL 2016

Computations with Coleman integrals

Alternative Models: Infrastructure

A heuristic quasi-polynomial algorithm for discrete logarithm in small characteristic

Quadratic reciprocity (after Weil) 1. Standard set-up and Poisson summation

AN EXPOSITION OF THE RIEMANN ROCH THEOREM FOR CURVES

Introduction to Elliptic Curves

AN INTRODUCTION TO MODULI SPACES OF CURVES CONTENTS

Number Theory in Cryptology

Surjectivity in Honda-Tate

arxiv: v1 [math.ag] 7 Apr 2015

Introduction to Algebraic Geometry. Franz Lemmermeyer

Complex Algebraic Geometry: Smooth Curves Aaron Bertram, First Steps Towards Classifying Curves. The Riemann-Roch Theorem is a powerful tool

Arithmetic of Hyperelliptic Curves

COMPLEX MULTIPLICATION: LECTURE 14

Decomposed Attack for the Jacobian of a Hyperelliptic Curve over an Extension Field

Algebraic Geometry Spring 2009

NOTES ON FINITE FIELDS

Primes of the form X² + ny² in function fields

15 Elliptic curves and Fermat s last theorem

Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves

c Copyright 2012 Wenhan Wang

ACCELERATING THE SCALAR MULTIPLICATION ON GENUS 2 HYPERELLIPTIC CURVE CRYPTOSYSTEMS

Quadratic reciprocity (after Weil) 1. Standard set-up and Poisson summation

Topics in Algebraic Geometry

Hyperelliptic-curve cryptography. D. J. Bernstein University of Illinois at Chicago

NUNO FREITAS AND ALAIN KRAUS

No.6 Selection of Secure HC of g = divisors D 1, D 2 defined on J(C; F q n) over F q n, to determine the integer m such that D 2 = md 1 (if such

BRILL-NOETHER THEORY. This article follows the paper of Griffiths and Harris, "On the variety of special linear systems on a general algebraic curve.

Distribution of Squares in Arithmetic Progressions over Number Fields

Counting points on elliptic curves over F q

Counting points on curves: the general case

Some algebraic number theory and the reciprocity map

Elliptic Curve Cryptography with Derive

Transcription:

1/40 Hyperelliptic curves Pierrick Gaudry Caramel LORIA CNRS, Université de Lorraine, Inria ECC Summer School 2013, Leuven

2/40 Plan What? Why? Group law: the Jacobian Cardinalities, torsion Hyperelliptic discrete log problem Genus 2 CM-method

3/40 Why hyperelliptic? Philosophical reasons: Elliptic curves have proven to provide fast and secure cryptosystems. Natural question: what about more general curves? Good idea to get the general picture in order to get some insight on the particular case. Concrete reasons: Some hyperelliptic cryptosystems are competitive in terms of speed / security with the best ECC. Classes of elliptic curves for which DLP can be solved faster via hyperelliptic curves.

4/40 Why hyperelliptic? Outside crypto: Hyperelliptic curves provides a proven alternative to the famous ECM factorization method. First ZPP (Las Vegas) algorithm for primality proving was obtained with hyperelliptic curves. Rem. Same kind of idea to provably reduce in subexponential time CDH to DL in a generic group.

5/40 Definition of hyperelliptic curve Def. A hyperelliptic curve C is a curve of equation y 2 = f (x), with f a squarefree, monic polynomial of odd degree 2g + 1, where g is the genus of C. NB: in char. 2, change this to y 2 + h(x)y = f (x). NB: general case includes also deg f = 2g + 2, so-called real model.

6/40 Some remarks The squarefree condition means that the curve is smooth. There is a singular point at infinity, but it is a nice one: once desingularized, there is only one point, denoted by or P. The genus is a general notion that can be defined for any algebraic curve. Genus 0 : conics Genus 1 : elliptic curves Genus 2 : other curves All genus 2 curves are hyperelliptic, but starting with genus 3, there are curves that are not hyperelliptic.

7/40 A genus 2 curve: y 2 = f (x) P C Picture courtesy of J. Detrey / N. Estibals Rem. Depending on the number of real roots of f, the number of components varies.

8/40 Plan What? Why? Group law: the Jacobian Cardinalities, torsion Hyperelliptic discrete log problem Genus 2 CM-method

9/40 Trying to imitate elliptic curves Thm. Let C be a curve of genus 2. It is not possible to define a group law on the points of C in a geometric way. The true meaning of geometric : given by rational fractions in terms of the coordinates; valid over the algebraic closure of the base-field. Let s try to do it with genus 2 curves. [blackboard]

10/40 Genus 2: pairs of points Let C be a curve of genus 2. Let {P 1, P 2 } and {Q 1, Q 2 } be pairs of points of C. Assuming some genericity, there is a polynomial c(x) of degree 3 such that the curve y = c(x) interpolates all points. Its intersection with C has 6 points, 4 of them are known. Therefore 2 remains. Call {R 1, R 2 } their opposites w.r.t. x-axis.

10/40 Genus 2: pairs of points Let C be a curve of genus 2. Let {P 1, P 2 } and {Q 1, Q 2 } be pairs of points of C. Assuming some genericity, there is a polynomial c(x) of degree 3 such that the curve y = c(x) interpolates all points. Its intersection with C has 6 points, 4 of them are known. Therefore 2 remains. Call {R 1, R 2 } their opposites w.r.t. x-axis. Fact. This analogue of the chord and tangent method, using a degree-3 ruler gives a group law on (unordered) pairs of points. Rem. The point at infinity is the neutral. Two symmetric points are opposite. Simplify before drawing y = c(x). Rem. To make it a real group, one must also allow single points as elements. To add one those to a pair, just take c(x) of degree 2.

11/40 Genus 2: a picture P C Picture courtesy of J. Detrey / N. Estibals

11/40 Genus 2: a picture P P 1 P 2 D P C Picture courtesy of J. Detrey / N. Estibals D P = {P 1, P 2 }

11/40 Genus 2: a picture P Q 2 P 1 P 2 D P Q 1 C D Q Picture courtesy of J. Detrey / N. Estibals D P = {P 1, P 2 } D Q = {Q 1, Q 2 }

11/40 Genus 2: a picture P Q 2 P 1 P 2 D P Q 1 C D Q Picture courtesy of J. Detrey / N. Estibals D P = {P 1, P 2 } D Q = {Q 1, Q 2 }

11/40 Genus 2: a picture P Q 2 P 1 P 2 D P R 1 R 2 Q 1 C D Q Picture courtesy of J. Detrey / N. Estibals D P = {P 1, P 2 } D Q = {Q 1, Q 2 }

11/40 Genus 2: a picture P Q 2 P 1 P 2 D P R 1 R 1 R 2 R 2 Q 1 C D Q Picture courtesy of J. Detrey / N. Estibals D P = {P 1, P 2 } D Q = {Q 1, Q 2 }

11/40 Genus 2: a picture P Q 2 P 1 P 2 D P R 1 R 1 R 2 D R R 2 Q 1 C D Q Picture courtesy of J. Detrey / N. Estibals D P = {P 1, P 2 } D Q = {Q 1, Q 2 } D R = {R 1, R 2 } D P + D Q = D R

12/40 Higher genus The same kind of construction works for any genus g curve. Needs to repeat up to g 1 times the reduction of the number of points using a polynomial c(x). Problem with this point of view: Points may have coordinates that live in an extension field (unless over alg. closed). Impossible to prove associativity by hand. Very good exercise to do it with a CAS (knowledge about Gröbner basis might help).

13/40 Divisors Let C be a hyperelliptic curve of genus g. Def. A divisor is a finite formal sum of points of C: D = P C n P P (almost all n P are zero; the point at infinity is included in the sum.) Def. The degree of a divisor is the sum of its coefficients: deg ( P C n P P ) = P C n P. Prop. The set of divisors is a group, denoted by Div C. Prop. The set of divisors of degree 0 is a sub-group of Div C, denoted by Div 0 C.

Functions Def. A function on C is a rational fraction in the coordinates x and y of a generic point of C. NB. Need also to deal with point at infinity, but in our case, the support of the intuition should be enough. NB. Only the value at points of C is important. If we add the equation of the curve to the fraction, we get the same function. If the base field of C is K, the set of functions is called the function field of C and denoted by K(C). Def. Let P be a point and ϕ be a function on C. The valuation of C at P, denoted ν P (ϕ) is 0 if ϕ is defined and non-zero at P; n > 0 if ϕ is zero (with multiplicity n) at P; n < 0 if 1/ϕ is zero (with multiplicity n) at P (this is a pole). [ Picture on blackboard ] 14/40

15/40 Principal divisors Prop. Counting multiplicities, a function has as many zeros as poles. Def. Let ϕ be a non-zero function on C. The divisor of ϕ is div(ϕ) = P C ν P (ϕ). The previous proposition translates into Prop. The divisor of a function is of degree 0. Prop. The set of non-zero function is a multiplicative group. The div operator is a group homomorphism to Div 0 C. Def. A divisor of the form div(ϕ) is called a principal divisor. The group of principal divisors is denoted by Prin C.

16/40 The Jacobian as the divisor class group Def. Let C be a hyperelliptic curve of genus g. Its Jacobian is the quotient group Jac C = Div 0 C/Prin C. Rem. This way of presenting (keyword: Picard group) is suitable for computation. The Jacobian can also be defined as a geometric object: an algebraic variety of dimension g endowed with a group law (keyword: Abelian variety).

17/40 Rationality questions Assume that C is defined over a field K. Def. A divisor D is defined over K if it is invariant under the action of Gal( K/K). Rem. Does not imply that all the points in D are defined over K. If a point occur in D, then all its Galois-conjugates must occur with the same coefficient. For elements of the Jacobian, (in our case) it is equivalent to put defined over K before or after taking the quotient.

18/40 Mumford representation Thm. Each element of Jac C can be uniquely represented by a divisor of the form D = P 1 + P 2 + + P r r, with r g and P i is not symmetric of P j. This is a consequence of Riemann-Roch theorem. Exercise: find the statement of R-R theorem and deduce the proof of the given Thm. Prop. (Mumford representation) Each element of Jac C can be uniquely represented by a pair of polynomials u(x), v(x), with deg v < deg u g and u v 2 f. Rem. If P i = (x i, y i ), then u(x) = (x x i ) and v is such that v(x i ) = y i. (+ other conditions if there are multiplicities.)

19/40 Examples [ Sage worksheet ]

20/40 Cantor s algorithm Fact. Drawing a line (in elliptic curve group law) or a higher degree curve, basically means picking a function ϕ, and use divϕ to reduce the size of a divisor. Fact. Taking vertical lines shows that the opposite of a point is its symmetric. Hence, the geometric construction follows precisely the definition of Jac C. This is indeed a group law! Cantor s algorithm: do the same, but with the two polynomials in Mumford representation. No need to worry about field of definition. Follows the algorithms for quadratic forms.

Cantor s algorithm Input: D 1 = u 1, v 1 and D 2 = u 2, v 2 in Jacobian of y 2 = f (x). Output: D 3 = D 1 + D 2. d, s 1, s 2, s 3 = xgcd(u 1, u 2, v 1 + v 2 ); u = u 1u 2 ; d 2 v = s 1u 1 v 2 +s 2 u 2 v 1 +s 3 (v 1 v 2 +f ) d mod u; while deg u > g: u = f v 2 u ; v = v mod u ; u = u ; v = v make u monic and return u, v. Rem. In general, the loop decreases the degree of u by 2. In genus 2, optimized formulae give 1 inversion and around 25 multiplications. 21/40

22/40 Further topics on the group law For fixed genus (mostly 2): find good explicit formulae. Maybe use the Kummer surface. Maybe use alternate representation based on theta functions. See talk by Joppe Bos next week.

23/40 Plan What? Why? Group law: the Jacobian Cardinalities, torsion Hyperelliptic discrete log problem Genus 2 CM-method

24/40 Cardinalities If the base field is F q, the set of points of C and Jac(C) are finite. Thm. (Weil conjectures) i.e #G is about q g. #C (q + 1) 2g q ( q 1) 2g #Jac C ( q + 1) 2g Rem. If one wants a group order of (say) 256 bits, the base field can be smaller when one takes a higher genus curve.

25/40 Cardinalities Frobenius The key tool when studying cardinalities is: Def. The Frobenius map π q : x x q extends coordinate-wise do points of C; and then by linearity to divisors and Jacobian elements. Thm. π q on Jac C admits a characteristic polynomial of the form χ(t ) = T 2g + a 1 T 2g 1 + + a g T g + + q 2g 1 a 1 T + q 2g, where the a i are integers. This form implies: if α is a root of χ(t ), then q/α is also a root. Weil conjectures say that these roots have abs. value q. #Jac C (F q ) = χ(1) and #C(F q ) = q + 1 a 1.

26/40 Hyperelliptic cryptosystem (genus 2) 1. Take any protocol that relies on a finite abelian group in which DLP is supposed to be difficult. (Diffie Hellman, ElGamal,... ) 2. Pick a base field F q with q 2 128. 3. Pick a hyperelliptic curve C of genus 2 over F q. 4. Count the points in Jac C (F q ) (see next talk!) 5. If the number of points is not prime, go back and try another curve. 6. Pick a random (non-zero) element g of Jac C (F q ). 7. Run the protocol with this group / generator / group order. Exercise. Implement your favorite protocol in Sage.

27/40 Plan What? Why? Group law: the Jacobian Cardinalities, torsion Hyperelliptic discrete log problem Genus 2 CM-method

28/40 The discrete log problem Def. Fix a cyclic group G of order l, with generator g, for a given h G, find x such that h = g x. Thm. If G is a generic group, any algorithm for the DLP in G will take at least Ω( l) group operations. What about groups that are Jaocbians of hyperelliptic curves?

29/40 Smoothness notion for hyperelliptic curves Recall the Mumford representation: D = u(x), v(x). Lem. If u(x) can be factored over K as u(x) = u i (x), then, putting v i (x) = v(x) mod u i (x), we have: D i = u i (x), v i (x) is a valid Mumford representation of an element of Jac C (K). D = D i, the sum being taken with the Jacobian group Exercise. Prove this (no deep theorem involved, just use the definition). Def. An element of Jac C (F q ) is B-smooth if the u-polynomial in its Mumford representation is B-smooth as a polynomial.

30/40 Remarks on smooth Jacobian elements Rem. The sentence An element is B-smooth. makes sense only if B g. In the case of elliptic curve (genus 1), the u-pol is of degree 1 and the notion of smoothness is void. For large genus, many choices for B. Rem. Decomposing a smooth-divisor is computationally easy (as easy as factoring polynomials over a finite field).

31/40 Index calculus for hyperelliptic curves Let C be a genus g hyperelliptic curve over F q with a Jacobian of prime order l. Let D 1 and D 2 be two elements. 1. Set B [1, g], a smoothness bound (see analysis below). 2. Construct the factor base F B. I.e. the set of elements u(x), v(x), with u(x) irreducible of degree at most B. 3. Repeat until more than #F B relations have been found: 3.1 Pick random a, b until D = ad 1 + bd 2 is B-smooth. 3.2 Store a, b and the decomposition of D as a row of a matrix M. 4. By linear algebra, find a combination of rows that is zero on all the factor base elements: ( λ i a i )D 1 + ( λ i b i )D 2 = 0. 5. Deduce discrete log: λi a i log D1 (D 2 ) = mod l. λi b i

32/40 Index calculus for hyperelliptic curves The analysis follows what is done for finite fields: If g is large enough: Set B = log L q g (1/2)/ log q. Then #F B L q g (1/2). The probability that a random element is B-smooth is 1/L q g (1/2). So time to build the matrix is then L q g (1/2). Time for (sparse) linear algebra is again L q g (1/2). Thm. Discrete logarithm in hyperelliptic curves of large enough genus can be solved in L(1/2)-subexponential time.

33/40 What is large enough? The devil is in the ceiling symbol when setting B. If q is large, but g is small, then the optimal value for B is far less than 1, but we have to round it to 1. Analysis with fixed value of g and q tending to infinity: #F B q. Time for building the matrix is O(q). Time for sparse linear algebra is O(q 2 ). With further tricks (balance both phases, use large primes): Thm. Discrete logarithm in hyperelliptic curves of fixed genus g 2 can be solved in time Õ(q 2 2 g ). Rem. Still more tricks for genus 3 curves (more complicated, have to consider non-hyperelliptic curves in an intermediate step).

34/40 Conclusion on security of HECC For genus > 2, there exist algorithms that are faster than the generic ones. If the genus is small and fixed, they are still exponential algorithms; but nowadays, we tend to avoid them for building cryptosystems. For genus 2 (and a fortiori for genus 1, i.e. elliptic curves), the index calculus does not work at all. Except for some particular cases, genus 2 hyperelliptic curves can be considered as generic groups.

35/40 Plan What? Why? Group law: the Jacobian Cardinalities, torsion Hyperelliptic discrete log problem Genus 2 CM-method

36/40 Invariants? Question. What is the analogue of the j-invariant? Case of genus 2: They are called Igusa invariants. Need 3 invariants instead of one. The moduli space of genus 2 curves is of dimension 3. The formulae are not nice, but j 1, j 2, j 3 are rational fractions in the coefficients of the equation of the curve. Warning: not as canonical as the elliptic j-invariant. In higher genus, it gets messy: Not every abelian variety is a Jacobian of a hyperelliptic curve. Not every curve is hyperelliptic. In general, need more invariants than the dimension, and there are relations between them.

37/40 Curve from invariants For elliptic curves, given a j-invariant, it is easy to get a curve with that invariant. In genus 2: Since j 1, j 2, j 3 are rational fractions in the coefficients of the equation of the curve we could solve the algebraic system. Much better (elegance, efficiency): use Mestre s algorithm. Key point in this algo: find a rational point on a conic. Always possible over finite field. Over the rationals: not always possible, requires some integer to be factored. NB. Implemented in Sage (almost finished) and Magma.

38/40 Ring of endomorphisms in genus 2 The ring of endomorphisms of the Jacobian of a genus 2 curves can be complicated: Supersingularity in higher genus really hurts; The Jacobian can be isomorphic to a product of 2 elliptic curves; In the general case (absolutely simple, ordinary Jacobian): It is commutative, without zero divisors. The rank as a Z-module is 4. After tensorization with Q, this is a CM field, that is a purely imaginary extension of a quadratic real field. Short recipe. If C is defined over a finite field, the CM field is defined by the characteristic polynomial χ of the Frobenius.

39/40 Igusa class polynomials The main object in CM theory is the Hilbert polynomial. In genus 2, we can define Igusa class polynomials: A triple of Igusa class polynomials is associated to a (order in the ring of integers of a) CM field K. They have integer coefficients. They are not monic. There degree is related to the class number of K. Knowing the Igusa class polynomials allows to find the Igusa invariants of the curve having CM by K.

40/40 Current research topics Compute efficiently the Igusa class polynomials. Find better invariants, as in the elliptic case, to make these polynomials smaller. Understand the leading coefficients. Understand non-generic cases. [ See ECC talks by Kristin Lauter and Marco Streng ]

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback