CONSTRUCTING SUPERSINGULAR ELLIPTIC CURVES. Reinier Bröker

Similar documents
Constructing genus 2 curves over finite fields

Curves, Cryptography, and Primes of the Form x 2 + y 2 D

Igusa Class Polynomials

Genus 2 Curves of p-rank 1 via CM method

Igusa Class Polynomials

Math 259: Introduction to Analytic Number Theory How small can disc(k) be for a number field K of degree n = r 1 + 2r 2?

Constructing Abelian Varieties for Pairing-Based Cryptography

An introduction to the algorithmic of p-adic numbers

HONDA-TATE THEOREM FOR ELLIPTIC CURVES

Abstracts of papers. Amod Agashe

Elliptic Curves Spring 2015 Lecture #23 05/05/2015

FORMAL GROUPS OF CERTAIN Q-CURVES OVER QUADRATIC FIELDS

Class Field Theory. Steven Charlton. 29th February 2012

Maximal Class Numbers of CM Number Fields

Computing the endomorphism ring of an ordinary elliptic curve

Computing modular polynomials with the Chinese Remainder Theorem

Some algebraic number theory and the reciprocity map

COMPUTING MODULAR POLYNOMIALS

Class polynomials for abelian surfaces

14 Ordinary and supersingular elliptic curves

NUNO FREITAS AND ALAIN KRAUS

ON THE SEMIPRIMITIVITY OF CYCLIC CODES

Twisted L-Functions and Complex Multiplication

Class invariants by the CRT method

Modular polynomials and isogeny volcanoes

Igusa class polynomials

Counting points on elliptic curves over F q

Computing the modular equation

Counting points on genus 2 curves over finite

Introduction to Elliptic Curves

Primes of the Form x 2 + ny 2

Constructing Families of Pairing-Friendly Elliptic Curves

Hermitian modular forms congruent to 1 modulo p.

Elliptic Curves Spring 2013 Lecture #8 03/05/2013

ON 2-CLASS FIELD TOWERS OF SOME IMAGINARY QUADRATIC NUMBER FIELDS

GENERATORS OF FINITE FIELDS WITH POWERS OF TRACE ZERO AND CYCLOTOMIC FUNCTION FIELDS. 1. Introduction

ORAL QUALIFYING EXAM QUESTIONS. 1. Algebra

Modular forms and the Hilbert class field

A p-adic ALGORITHM TO COMPUTE THE HILBERT CLASS POLYNOMIAL. Reinier Bröker

Imaginary Quadratic Fields With Isomorphic Abelian Galois Groups

Mappings of elliptic curves

Finite Fields and Their Applications

A Generalized Brezing-Weng Algorithm for Constructing Pairing-Friendly Ordinary Abelian Varieties

Bulletin of the Transilvania University of Braşov Vol 7(56), No Series III: Mathematics, Informatics, Physics, 59-64

Point counting and real multiplication on K3 surfaces

Identifying supersingular elliptic curves

The L-series Attached to a CM Elliptic Curve

arxiv: v1 [math.nt] 2 Jul 2009

Computing the image of Galois

Computing Hilbert Class Polynomials

Fully maximal and minimal supersingular abelian varieties

COMPUTING MODULAR POLYNOMIALS

Applications of Complex Multiplication of Elliptic Curves

REDUCTION OF ELLIPTIC CURVES OVER CERTAIN REAL QUADRATIC NUMBER FIELDS

The Splitting of Primes in Division Fields of Elliptic Curves

ELLIPTIC CURVES OVER FINITE FIELDS

University of Southern California, Los Angeles, University of California at Los Angeles, and Technion Israel Institute of Technology, Haifa, Israel

Postmodern Primality Proving

p-class Groups of Cyclic Number Fields of Odd Prime Degree

Explicit Complex Multiplication

On some congruence properties of elliptic curves

Representation of prime numbers by quadratic forms

ON 3-CLASS GROUPS OF CERTAIN PURE CUBIC FIELDS. Frank Gerth III

Isogenies in a quantum world

Computers and Mathematics with Applications. Ramanujan s class invariants and their use in elliptic curve cryptography

1. Group Theory Permutations.

ON THE DISTRIBUTION OF CLASS GROUPS OF NUMBER FIELDS

Independence of Heegner Points Joseph H. Silverman (Joint work with Michael Rosen)

Quasi-reducible Polynomials

WXML Final Report: Primality of Polynomials

On the existence of unramified p-extensions with prescribed Galois group. Osaka Journal of Mathematics. 47(4) P P.1165

Isogeny graphs, modular polynomials, and point counting for higher genus curves

2,3,5, LEGENDRE: ±TRACE RATIOS IN FAMILIES OF ELLIPTIC CURVES

AVERAGE RECIPROCALS OF THE ORDER OF a MODULO n

Galois theory (Part II)( ) Example Sheet 1

On the equality case of the Ramanujan Conjecture for Hilbert modular forms

On Orders of Elliptic Curves over Finite Fields

Galois Theory TCU Graduate Student Seminar George Gilbert October 2015

Five peculiar theorems on simultaneous representation of primes by quadratic forms

Some new families of positive-rank elliptic curves arising from Pythagorean triples

GENERATION OF RANDOM PICARD CURVES FOR CRYPTOGRAPHY. 1. Introduction

Lemma 1.1. The field K embeds as a subfield of Q(ζ D ).

GENERATORS OF JACOBIANS OF GENUS TWO CURVES

CLASS GROUPS, TOTALLY POSITIVE UNITS, AND SQUARES

Algebraic number theory Revision exercises

Public-key Cryptography: Theory and Practice

Relative Densities of Ramified Primes 1 in Q( pq)

Formulas for cube roots in F 3 m

ABSTRACT. Professor Lawrence Washington Department of Mathematics

Titchmarsh divisor problem for abelian varieties of type I, II, III, and IV

c Copyright 2012 Wenhan Wang

Two Efficient Algorithms for Arithmetic of Elliptic Curves Using Frobenius Map

arxiv: v1 [math.nt] 15 Mar 2012

Heuristics. pairing-friendly abelian varieties

RAMIFIED PRIMES IN THE FIELD OF DEFINITION FOR THE MORDELL-WEIL GROUP OF AN ELLIPTIC SURFACE

AMICABLE PAIRS AND ALIQUOT CYCLES FOR ELLIPTIC CURVES OVER NUMBER FIELDS

CHARACTERIZING INTEGERS AMONG RATIONAL NUMBERS WITH A UNIVERSAL-EXISTENTIAL FORMULA

FIELD THEORY. Contents

NORM FORMS REPRESENT FEW INTEGERS BUT RELATIVELY MANY PRIMES

ON GALOIS GROUPS OF ABELIAN EXTENSIONS OVER MAXIMAL CYCLOTOMIC FIELDS. Mamoru Asada. Introduction

Transcription:

CONSTRUCTING SUPERSINGULAR ELLIPTIC CURVES Reinier Bröker Abstract. We give an algorithm that constructs, on input of a prime power q and an integer t, a supersingular elliptic curve over F q with trace of Frobenius t in case such a curve exists. If GRH holds true, the expected run time of our algorithm is eo((log q) 3 ). We illustrate the algorithm by showing how to construct supersingular curves of prime order. Such curves can readily be used for pairing based cryptography. 1. Introduction Let F q be the finite field of q = p f elements with p prime. It is a classical problem to construct an elliptic curve E over F q with prescribed order. In case the requested curve is ordinary, there is no algorithm known that solves this problem in time polynomial in log q. In this paper we investigate the supersingular case. Efficiently constructing supersingular curves of prescribed order has its impact outside the area of arithmetic geometry. Indeed, a supersingular curve of prime order N = #E(F q ) has the property that its embedding degree with respect to N, defined as the degree of the field extension F q (ζ N )/F q for a primitive Nth root of unity ζ N, is very small and this makes supersingular curves suitable for pairing based cryptographic systems. We refer to [3, Ch. 24] for an overview of the cryptographic applications. A classical result due to Waterhouse [8, Theorem 4.1] states that there exists a supersingular elliptic curve over F q with trace of Frobenius t if and only if t lies in the small set S q consisting of those traces for which one of the following holds: (a) if [F q : F p ] is even and one of the following is true (i) t = ±2 q (ii) t = ± q and p 1 mod 3 (iii) t = 0 and p 1 mod 4; (b) if [F q : F p ] is odd and one of the following is true (i) t = 0 (ii) t = ± 2q and p = 2. (iii) t = ± 3q and p = 3. 2000 Mathematics Subject Classification. Primary 14H52, Secondary 11G15. Key words and phrases. Elliptic curves, Algorithms, Pairing friendly curves. 1 Typeset by AMS-TEX

2 REINIER BRÖKER In this article we give an algorithm to efficiently construct a supersingular elliptic curve over F q with prescribed trace of Frobenius. We prove the following Theorem. Theorem 1.1. The algorithm presented in this paper computes, on input of a prime power q and an integer t S q, a supersingular elliptic curve over F q with trace of Frobenius t. If GRH holds true, the expected run time of the algorithm is Õ((log q) 3 ). Here, the Õ-notation indicates that terms that are of logarithmic size in the main term have been disregarded. In Section 2 we give the algorithm for prime fields, and illustrate it with an example. The non-prime case is explained in Section 3. We illustrate how Theorem 1.1 can be applied to efficiently construct elliptic curves of prime order of prescribed size. The resulting supersingular curves can readily be used for pairing based cryptography. 2. The prime case The main ingredient in the Algorithm is to construct a supersingular curve over the prime field F p, i.e., a curve with trace of Frobenius 0. We will construct such a curve as reduction of a curve in characteristic 0 using a result due to Deuring. Theorem 2.1. Let E be an elliptic curve defined over a number field L whose endomorphism ring is the maximal order O K in an imaginary quadratic field K, and let p p be a prime of L where E has good reduction. Then E mod p is supersingular if and only if p does not split in K. Proof. See [7, Theorem 13.12]. If the quadratic field K occuring in Theorem 2.1 has class number 1, then there exists a curve E/Q with End(E) = O K. For K = Q(i) we can take E defined by Y 2 = X 3 X for instance. In this special case, we see that the reduction of E modulo primes p 3 mod 4 yields a supersingular curve modulo p. In a similar vein one shows that the curve defined by Y 2 = X 3 + 1 is supersingular for all odd primes p 2 mod 3. The idea of the algorithm presented in this section is to generalize these two constructions to arbitrary imaginary quadratic fields K. Let E be a curve as in Theorem 2.1, and let H be the Hilbert class field of K, i.e., the largest totally unramified abelian extension of K. By CM-theory [7, Theorem 10.1], the j-invariant j(e) generates H over K. We have H = K[X]/(P K ), where P K is the minimal polynomial over Q of the j-invariant j(e). The polynomial P K is called the Hilbert class polynomial. Its degree equals the class number

CONSTRUCTING SUPERSINGULAR ELLIPTIC CURVES 3 h K of K, and it has integer coefficients. There are a few algorithms to explicity compute P K, we refer to [2] for an overview. If we now take K such that p remains inert in O K, then the roots of P K F p [X] are j-invariants of supersingular curves by Theorem 2.1. Since the j-invariant of a supersingular curve is contained in F p 2 by [7, Theorem 13.6], the polynomial P K splits in this case already over F p 2. An other way of seeing this last fact is using class field theory: the Artin map gives an isomorphism Gal(H/K) Cl(O K ) and as (p) O K is a principal prime ideal, it splits completely in H/K. Hence, the inertia degree of p Z is 2. The following Lemma gives a sufficient condition for P K F p [X] to have a root in F p. Lemma 2.3. Let K be an imaginary quadratic field with class number h K. Then: h K is odd K = Q(i) or K = Q( 2) or K = Q( q) with q prime and congruent to 3 mod 4. Proof. Let D be the discriminant of K, and let p 1,..., p n be the odd prime factors of D. The genus field G = K( p 1,..., p n ) with p i = ( 1)(pi 1)/2 p i is the largest unramified abelian extension of K that is abelian over Q, and the Galois group Gal(G/K) is isomorphic to the 2-Sylow group of Cl(O K ), cf. [4, Section 6]. We see that h K is odd if and only if we have an equality G = K. This yields the lemma. These observations lead to the following algorithm to construct a supersingular elliptic curve over F p. Algorithm 2.4. Input: a prime p. Output: a supersingular curve over F p. 1. If p = 2, return Y 2 + Y = X 3. 2. If p 3 mod 4, return Y 2 = X 3 X. 3. Let q be the smallest prime congruent to 3 mod 4 with ( ) q p = 1. 4. Compute P K Z[X] for K = Q( q). 5. Compute a root j F p of P K F p [X]. 6. If q = 3, return Y 2 = X 3 + 1. Else, put a 27j/(4(1728 j)) F p and return Y 2 = X 3 + ax a. Lemma 2.5. Algorithm 2.4 returns a supersingular curve over F p. If GRH holds true, the expected run time is Õ((log p)3 ). Proof. The correctness of the Algorithm is clear from the discussion preceding it. The main point in the run time analysis is Step 3. As p is congruent to 1 mod 4, we

4 REINIER BRÖKER have ( ) ( q p = p ) q by quadratic reciprocity. We therefore want q to be inert in both Q( p) and Q(i). Hence, we are looking for a prime q with prescribed Frobenius symbol in the Z/2Z Z/2Z-extension L = Q( p, i) of Q. Under GRH, there exists [6] an effectively computable constant c with the property that there is a prime q with q c (logd L ) 2, where d L = 2 4 p 2 is the discriminant of L/Q. Under GRH, computing P K in Step 4 takes time Õ((logp)2 ) by [2, Theorem 1]. By construction, this polynomial has a root modulo p. The degree of P K equals the class number h K which is of size Õ(log p) by Brauer-Siegel. Finding a root j of P K F p [X] therefore takes probabilistic time Õ(deg(P K)(log p) 2 ) = Õ((log p)3 ) by [5, Section 14.5]. Example. The smallest prime p > 10 100 with p 1 mod 12 is p = 10 100 + 1293. In this case, the prime q = 11 is inert in both Q( p) and Q(i). An elliptic curve with j-invariant 32768 F p is supersingular. 3. The Algorithm Let q = p f be a prime power and let t S q be the trace of Frobenius of the elliptic curve we want to construct. Using Algorithm 2.4, we construct a supersingular curve E/F p. Let E /F q be the base change of this curve to F q. Let t be trace of Frobenius of E. Lemma 3.1. We have t = 0 if f = [F q : F p ] is odd, t = 2 q if f is divisible by 4 and t = 2 q otherwise. Proof. The Frobenius ϕ E of E satisfied ϕ 2 E +p = 0. We derive Tr(ϕ E ) = Tr(ϕf E ) = Tr(( p) f/2 ), which yields the lemma. We contend that there exists a twist of E that has trace of Frobenius t. Indeed, if f is odd, we only need to consider the cases p = 2, 3. For these two small primes, there is only one supersingular j-invariant in characteristic p so the requested curve with trace of Frobenius t has j-invariant j(e ). Suppose that f is even. For p 1 mod 4, we twist the curve E by a primitive fourth root of unity i F q to get curves with trace of Frobenius ±2 q and 0. Similarly, for p 1 mod 3, we can twist by a primitive sixth root of unity ζ 6 F q to obtain curves with trace of Frobenius ±2 q and ± q. For p 1 mod 12, we twist by 1. Algorithmically, twisting E to get a curve with trace of Frobenius t is easy. Indeed, suppose that we want to twist by a power of ζ 6. We compute an element α F q generating F q/f q 6. The twists of E : Y 2 = X 3 + b are then given by Y 2 = X 3 + α k b

CONSTRUCTING SUPERSINGULAR ELLIPTIC CURVES 5 for k = 0,..., 5, and an easy computation shows that the traces of Frobenius for these curves are t, t /2, t /2, t, t /2, t /2 respectively. Twisting by i and 1 proceeds similarly. Finally, also for p = 2, 3 all F q -isomorphisms are explicitly known [7, Appendix 1]. Proof of Theorem 1.1. We compute a supersingular elliptic curve E/F p using Algorithm 2.4 and base change this to a curve E over F q. This takes time Õ((log p)3 ). We compute the right twist of E in time Õ((log q)2 ). Example. Suppose we want to construct an elliptic curve with prime order of k 3 decimal digits. We look for a prime p such that p 2 + p + 1 is a prime of k digits. We cannot prove that such a p exists, but heuristically there are many. Indeed, by the Bateman-Horn conjecture [1] we expect that we have x 1 π(x, A) 1.52 2 (log t) 2 dt, where π(x, A) denotes the number of primes p up to x such that p 2 +p+1 is prime. As we have p 2 mod 3, the curve E/F p defined by Y 2 = X 3 +1 is supersingular. We base change this curve to E /F p 2. The curve E has p 2 +2p+1 points by Lemma 3.1 and of its 6 twists has prime order p 2 + p + 1. References 1. P. T. Bateman, R. A. Horn, A heuristic asymptotic formula concerning the distribution of prime numbers, Math. of Comp. 16, 1962, pp. 363 367. 2. J. Belding, R. Bröker, A. Enge, K. Lauter, Computing Hilbert class polynomials, Algorithmic Number Theory Symposium VIII, Springer Lecture Notes in Computer Science, vol. 5011, 2008, pp. 282 295. 3. H. Cohen, G. Frey, et al., Handbook of elliptic and hyperelliptic curve cryptography, Discrete mathematics and its applications, Chapman and Hall/CRC, 2006. 4. D. A. Cox, Primes of the form x 2 + ny 2, John Wiley & Sons, 1989. 5. J. von zur Gathen, J. Gerhard, Modern computer algebra, Cambridge University Press, 1999. 6. J. C. Lagarias, A. M. Odlyzko, Effective versions of the Chebotarev density theorem, Algebraic Number Fields, ed. A. Fröhlich, Academic Press, 1977, pp. 409 465. 7. S. Lang, Elliptic functions, Springer Graduate Texts in Mathematics, vol. 112, 1987. 8. W. W. Waterhouse, Abelian varieties over finite fields, Ann. scient. Éc. Norm. Sup., (4), 1969, pp. 521 560. Microsoft Research, MSR 99/2943, One Microsoft Way, Redmond WA, 98052 E-mail address: reinierb@microsoft.com

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback