point counting for genus 2 curves
play

Point Counting for Genus 2 Curves Division polys with Real - PowerPoint PPT Presentation

May 04, 2023 •341 likes •550 views

Genus 2, faster Gaudry, Kohel, Smith Genus 1 and 2 Point counting Point Counting for Genus 2 Curves Division polys with Real Multiplication Kernels Schoof complexity BSGS Pierrick Gaudry, David Kohel, Benjamin Smith Real multiplication

  1. Genus 2, faster Gaudry, Kohel, Smith Genus 1 and 2 Point counting Point Counting for Genus 2 Curves Division polys with Real Multiplication Kernels Schoof complexity BSGS Pierrick Gaudry, David Kohel, Benjamin Smith Real multiplication Split primes Benjamin Smith Smaller kernels INRIA Saclay–ˆ Ile-de-France New relations Laboratoire d’Informatique de l’´ Ecole polytechnique (LIX) RM Complexity 1 = 2 ECC 2011, Nancy, France 21/09/2011 RM families Implementation Cryptographic Jacobians Too much, too fast

  2. Genus 2, faster Gaudry, Kohel, Smith Genus 1 and 2 Genus 2 cryptosystems have security and efficiency Point counting Division polys comparable* with elliptic curve cryptosystems... Kernels Schoof complexity BSGS Real multiplication ...but setting up secure genus 2 instances is much harder. Split primes Computing cardinalities over prime fields: Smaller kernels ◮ 256-bit elliptic curve: SEA in seconds New relations RM Complexity ◮ 256-bit abelian surface: replace seconds with days. 1 = 2 RM families Implementation Cryptographic Jacobians Too much, too fast

  3. Genus 2, faster Given C : y 2 = f ( x ) of genus 2 over F q Gaudry, Kohel, Smith (q odd, J C ordinary, absolutely irreducible) . Genus 1 and 2 Point counting Division polys Kernels We want to compute # J C ( F q ). Equivalently: Schoof complexity Compute the characteristic polynomial of Frobenius BSGS Real multiplication χ ( T ) = T 4 − s 1 T 3 + ( s 2 + 2 q ) T 2 − qs 1 T + q 2 , Split primes Smaller kernels which is subject to the Weil bounds New relations | s 1 | ≤ 4 √ q RM Complexity and | s 2 | ≤ 4 q 1 = 2 RM families and the R¨ uck bounds Implementation Cryptographic s 2 1 − 4 s 2 ≥ 0 and s 2 + 4 q ≥ 2 | s 1 | . Jacobians Too much, too fast

  4. Genus 2, faster Schoof’s idea: Gaudry, Kohel, Smith characteristic polynomial of Frobenius acting on J C [ ℓ ] is Genus 1 and 2 χ ℓ ( T ) := χ ( T ) mod ( ℓ ) , so Point counting Division polys ( π 2 + [¯ s 1 ]( π 2 + [¯ q ]) 2 ( D ) − [¯ s 2 ] π 2 ( D ) = 0 q ]) π ( D ) + [¯ Kernels Schoof complexity for all D in J C [ ℓ ] (here ¯ · denotes residue mod ℓ ) . BSGS ◮ Compute χ ℓ for sufficiently many prime (powers) ℓ Real multiplication ◮ Recover χ via the CRT. Split primes Smaller kernels New relations RM Complexity To compute χ ℓ : 1 = 2 RM families 1. compute generic D in J C [ ℓ ]; Implementation 2. compute π 2 ( D ), ( π 2 + [¯ q ]) π ( D ), and ( π 2 + [¯ q ]) 2 ( D ); Cryptographic Jacobians 3. search for [¯ s 1 ] and [¯ s 2 ] s.t. the relation holds. Too much, too fast

  5. Genus 2, faster Let ( u , v ) be a generic point of C , and D its image in J C . Gaudry, Kohel, Smith We say φ ∈ End ( J C ) is explicit if we can compute Genus 1 and 2 polynomials d 0 , d 1 , d 2 , e 0 , e 1 , e 2 such that � � � � Point counting x 2 + d 1 ( u ) d 2 ( u ) x + d 0 ( u ) e 2 ( u ) x + e 0 ( u ) e 1 ( u ) φ ( D ) = d 2 ( u ) , y − v . Division polys e 2 ( u ) Kernels Schoof complexity BSGS Real multiplication We call the d i and e i the φ -division polynomials . Split primes (= Cantor’s ℓ -division polys for φ = [ ℓ ]) Smaller kernels New relations RM Complexity 1 = 2 We say that φ is efficiently computable RM families if the φ -division polynomials have low degree. Implementation (ie, if evaluating φ is in O (1) field ops) Cryptographic Note: [ ℓ ] -division polys have degree in O ( ℓ 2 ) Jacobians Too much, too fast

  6. Genus 2, faster Computing generic elements of ker φ ⊂ J C Gaudry, Kohel, Smith Let φ be an explicit endomorphism, Genus 1 and 2 ( u 1 , v 1 ) , ( u 2 , v 2 ) generic points on C , Point counting D 1 , D 2 their images in J C . Division polys D = ( x 2 + a 1 x + a 0 , y − ( b 1 x + b 0 )) := D 1 + D 2 Kernels Schoof complexity is a generic point of J C . BSGS Real multiplication 1. Compute φ ( D 1 ) and φ ( D 2 ); Split primes 2. Solve for ( u 1 , v 1 , u 2 , v 2 ) in φ ( D 1 ) = − φ ( D 2 ); Smaller kernels New relations 3. Resymmetrizing, compute a triangular ideal I φ RM Complexity of relations in a 1 , a 0 , b 1 , b 0 satisfied when D ∈ ker φ . 1 = 2 Suppose degree of φ -division polynomials bounded by δ : RM families Implementation ◮ compute I φ in � O ( δ 3 ) F q -operations; Cryptographic ◮ the degree of I φ is in O ( δ 2 ) Jacobians Too much, too fast

  7. Genus 2, faster Gaudry, Kohel, Smith Conventional Schoof–Pila complexity: Genus 1 and 2 ◮ For each prime ℓ : Point counting 1. Compute I ℓ in � O ( ℓ 6 ) field ops Division polys ◮ [ ℓ ]-division polynomials have degree in O ( ℓ 2 ) Kernels ◮ triangular I ℓ has degree in O ( ℓ 4 ) Schoof complexity 2. compute π 2 ( D ), ( π 2 + [¯ q ]) π ( D ), and ( π 2 + [¯ q ]) 2 ( D ) BSGS O ( ℓ 4 log q ) field ops in � Real multiplication s 2 ) in ( Z /ℓ Z ) 2 such that 3. Find the (¯ s 1 , ¯ Split primes ( π 2 + [¯ s 1 ]( π 2 + [¯ q ]) 2 ( D ) − [¯ s 2 ] π 2 ( D ) = 0 q ]) π ( D ) + [¯ Smaller kernels ... O ( ℓ ) trials, each costing � O ( ℓ 4 ) field ops New relations ⇒ total cost � O ( ℓ 5 ) field ops = RM Complexity O ( ℓ 4 ( ℓ 2 + log q )) field ops ⇒ Computing χ ℓ costs � 1 = 2 = RM families ◮ We need χ ℓ for the O (log q ) primes ℓ in O (log q ) Implementation O (log 8 q ) bit ops ⇒ χ costs � O (log 7 ) field ops = � ◮ = Cryptographic Jacobians Too much, too fast

  8. Genus 2, faster Gaudry, Kohel, Computing in J C [ ℓ ] becomes awkward very quickly in Smith genus 2; we’re limited to ℓ = O (a handful of bits). Genus 1 and 2 This gives us s 1 and s 2 modulo some integer M . Point counting Division polys Kernels Schoof complexity BSGS We finish the computation using a generic algorithm Real multiplication such as BSGS, which runs in time Split primes O ( q 3 / 4 / M ) when M < 8 √ q , and ◮ � Smaller kernels � q / M ) when M ≥ 8 √ q . ◮ � O ( New relations RM Complexity 1 = 2 RM families Implementation This all sounds pretty bad. Cryptographic Why would we want to use genus 2 again, anyway? Jacobians Too much, too fast

  9. Genus 2, faster Gaudry, Kohel, Remember: Smith Genus 2 is not just a two-dimensional analogue of genus 1 Genus 1 and 2 (it’s much more fun than that). Point counting Division polys Kernels Schoof complexity Recall: BSGS Real multiplication ◮ End ( J C ) ⊗ Q = Q ( π ) is a quartic CM-field. Split primes ◮ Complex conjugation = Rosati involution α �→ α † Smaller kernels √ ◮ Real quadratic subfield: Q ( π + π † ) ∼ = Q ( ∆) New relations for some ∆ > 0 . RM Complexity 1 = 2 ◮ We say C has RM by O if O is a real quadratic order RM families isomorphic to a subring of End ( J C ) Implementation ◮ isomorphism classes with RM by a fixed O form Cryptographic Jacobians Humbert surfaces in the 3-dimensional moduli space. Too much, too fast

  10. Genus 2, faster Gaudry, Kohel, Smith Elliptic Curves with Schoof–Elkies–Atkin Genus 1 and 2 ◮ Z [ π ] is an unknown quadratic extension of Z . Point counting Division polys ◮ Some primes ℓ split in Z [ π ]. Kernels ◮ ( ℓ ) = ( α )(¯ α ) = ⇒ E [ ℓ ] = E [ α ] ⊕ E [¯ α ] Schoof complexity ◮ For these primes, compute modulo deg( ℓ − 1) / 2 BSGS factors of division polynomials (of deg( ℓ 2 − 1) / 2). Real multiplication Split primes ◮ Heuristically (assuming enough split primes), reduces O (log 5 q ) to � O (log 4 q ) bit ops. Smaller kernels complexity from � New relations ◮ Problem : we don’t know which ℓ split in advance; RM Complexity testing and splitting a given ℓ is complicated... 1 = 2 ◮ Need to build & factor modular polynomials RM families ◮ Extension to genus 2 is problematic Implementation Cryptographic Jacobians Too much, too fast

  11. Genus 2, faster Gaudry, Kohel, Smith Our idea: Genus 1 and 2 ◮ Z ⊂ Z [ φ ] ⊂ Z [ π, π † ]; but Z ⊂ Z [ φ ] is explicit, Point counting Division polys so we can split primes ℓ in Z [ φ ] instead of Z [ π, π † ] Kernels ◮ Split ( ℓ ) = ( α 1 )( α 2 ) = ⇒ J C [ ℓ ] = J C [ α 1 ] ⊕ J C [ α 2 ]. Schoof complexity Efficient φ = ⇒ explicit J C [ α 1 ] and J C [ α 2 ]. BSGS ◮ Compute in J C [ α 1 ] and J C [ α 2 ] faster than in J C [ ℓ ]. Real multiplication Split primes ◮ Hence, compute χ ℓ faster for split ℓ . Smaller kernels ◮ The split ℓ are known in advance: (∆ /ℓ ) = 1; New relations Cebotarev density = ⇒ half the primes ℓ split in Z [ φ ]. RM Complexity ◮ Also, explicit Z [ φ ] = ⇒ a better search space 1 = 2 (so we need fewer χ ℓ to determine χ ). RM families Implementation ◮ − → a much better complexity for computing χ . Cryptographic Jacobians Too much, too fast

  12. Genus 2, faster Gaudry, Kohel, Smith The details: Genus 1 and 2 Suppose ℓ splits in Z [ φ ]. Point counting For our families, the primes over ℓ are principal: Division polys Kernels ( ℓ ) = ( α 1 )( α 2 ) and J C [ ℓ ] = J C [ α 1 ] ⊕ J C [ α 2 ] . Schoof complexity BSGS Real multiplication ◮ We can compute generators α i = a i + b i φ Split primes √ Smaller kernels with a i , b i in O ( ℓ ) New relations ◮ The [ a i ]- and [ b i ]-division polys have degree in O ( ℓ ) RM Complexity ◮ = ⇒ the α i -division polys have degree in O ( ℓ ) 1 = 2 ⇒ kernel ideals I α i have degrees in O ( ℓ 2 ) ◮ = RM families (& we can compute I α i in � O ( ℓ 3 ) field operations). Implementation Cryptographic Jacobians Too much, too fast

Recommend

Point counting for genus 2 curves SchoofPila with real multiplication Division polys Kernels

Point counting for genus 2 curves SchoofPila with real multiplication Division polys Kernels

Genus 2, faster Gaudry, Kohel, Smith Genus 1 and 2 Point counting Point counting for genus 2 curves SchoofPila with real multiplication Division polys Kernels Schoof complexity Pierrick Gaudry, David Kohel, Benjamin Smith BSGS Real

407 views • 18 slides
Point counting on hyperelliptic curves: to genus 3 and beyond Simon Abelard Universit de

Point counting on hyperelliptic curves: to genus 3 and beyond Simon Abelard Universit de

Point counting on hyperelliptic curves: to genus 3 and beyond Simon Abelard Universit de Lorraine, Nancy Joint work with P. Gaudry and P.-J. Spaenlehauer January 25, 2018 CARAMBA /* */ E,C, /* */ c,r, /* */ u,l, e,s, i=5,

907 views • 36 slides
Point counting in genus 2: reaching 128 bits P. Gaudry E. Schost Cacao project ORCCA

Point counting in genus 2: reaching 128 bits P. Gaudry E. Schost Cacao project ORCCA

Point counting in genus 2: reaching 128 bits P. Gaudry E. Schost Cacao project ORCCA CNRS-INRIA UWO Thanks to Dan Bernstein and Nikki Pitcher Genus 2 curves and associated objects In what follows: C is the curve defined over F p by

425 views • 38 slides
Efficient Doubling on Genus Two Curves over Binary Fields (SAC 2004) Marc Stevens Tanja Lange

Efficient Doubling on Genus Two Curves over Binary Fields (SAC 2004) Marc Stevens Tanja Lange

Efficient Doubling on Genus Two Curves over Binary Fields (SAC 2004) Marc Stevens Tanja Lange Eindhoven University Ruhr-Universitt of Technology Bochum Overview Elliptic Curves Hyperelliptic Curves HEC of Genus 2

473 views • 33 slides
ECC2011 summer school September 1516, 2011 Point counting algorithms on hyperelliptic curves

ECC2011 summer school September 1516, 2011 Point counting algorithms on hyperelliptic curves

ECC2011 summer school September 1516, 2011 Point counting algorithms on hyperelliptic curves F. Morain I. Introduction and motivations Goal: build an effective group of cryptographic strength, resisting all known attacks. Dream: find

834 views • 48 slides
Smaller class invariants for constructing curves of genus 2 Marco Streng The 15th workshop on

Smaller class invariants for constructing curves of genus 2 Marco Streng The 15th workshop on

Smaller class invariants for constructing curves of genus 2 Marco Streng The 15th workshop on Elliptic Curve Cryptography ECC 2011 INRIA, Nancy, France Sep 19 21, 2011 Overview genus 1 genus 2 constructing curves part 1 part 2 smaller

428 views • 38 slides
Moduli spaces of genus 2 curves with split Jacobians through K3 surfaces Abhinav Kumar Stony

Moduli spaces of genus 2 curves with split Jacobians through K3 surfaces Abhinav Kumar Stony

Moduli spaces of genus 2 curves with split Jacobians through K3 surfaces Abhinav Kumar Stony Brook October 22, 2015 Abhinav Kumar Genus 2 curves with split Jacobians 1 / 33 Introduction Let C be a genus 2 curve over a field k , and J = Jac (

1.1k views • 88 slides
Update on Diophantine records for genus-3 curves ICERM workshop on Computational Aspects of

Update on Diophantine records for genus-3 curves ICERM workshop on Computational Aspects of

Update on Diophantine records for genus-3 curves ICERM workshop on Computational Aspects of L-functions and related topics 12 November 2015 Noam D. Elkies, Harvard University Update on Diophantine records for genus-3 curves ICERM workshop on

686 views • 20 slides
Sato-Tate groups of genus 2 curves Kiran S. Kedlaya Department of Mathematics, University of

Sato-Tate groups of genus 2 curves Kiran S. Kedlaya Department of Mathematics, University of

Sato-Tate groups of genus 2 curves Kiran S. Kedlaya Department of Mathematics, University of California, San Diego kedlaya@ucsd.edu http://kskedlaya.org Arithmetic of Hyperelliptic Curves NATO Advanced Study Institute Ohrid, Macedonia, August

1.31k views • 88 slides
Counting numerical semigroups of a given genus by using -hyperelliptic semigroups Matheus

Counting numerical semigroups of a given genus by using -hyperelliptic semigroups Matheus

Counting numerical semigroups of a given genus by using -hyperelliptic semigroups Matheus Bernardini 1 University of Campinas / Federal Institute of S ao Paulo (Joint work in progress with Fernando Torres 1 ) International Meeting on

779 views • 51 slides
The elliptic-curve zoo D. J. Bernstein University of Illinois at Chicago EC point counting 1983

The elliptic-curve zoo D. J. Bernstein University of Illinois at Chicago EC point counting 1983

The elliptic-curve zoo D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985) Schoof: Algorithm to count points on elliptic curves over finite fields. Input: prime power q ; F q such that 6(4

784 views • 47 slides
Smaller class invariants for constructing curves of genus 2 Marco Streng Geocrypt Corsica June

Smaller class invariants for constructing curves of genus 2 Marco Streng Geocrypt Corsica June

Smaller class invariants for constructing curves of genus 2 Marco Streng Geocrypt Corsica June 2011 Overview genus 1 genus 2 constructing curves part 1 part 2 smaller class invariants part 3 part 4 Part 1: The Hilbert class polynomial

440 views • 43 slides
Serres obstruction for genus 3 curves Christophe Ritzenthaler Institut de Mathmatiques de

Serres obstruction for genus 3 curves Christophe Ritzenthaler Institut de Mathmatiques de

Serres obstruction for genus 3 curves Christophe Ritzenthaler Institut de Mathmatiques de Luminy, CNRS Geocrypt, Guadeloupe, April 27 - May 1, 2009 1 / 54 Outline Geometric versus arithmetic Torelli theorem 1 Siegel modular forms 2 A

720 views • 54 slides
Hash functions from superspecial genus-2 curves using Richelot isogenies Wouter Castryck, Thomas

Hash functions from superspecial genus-2 curves using Richelot isogenies Wouter Castryck, Thomas

Hash functions from superspecial genus-2 curves using Richelot isogenies Wouter Castryck, Thomas Decru , and Benjamin Smith NutMiC 2019, Paris June 24, 2019 Background 2006: hash functions based on supersingular elliptic curves (Charles,

564 views • 52 slides
Equivalent Curves in Surfaces Anja Bankovi c University of Illinois Equivalent Curves Fix a

Equivalent Curves in Surfaces Anja Bankovi c University of Illinois Equivalent Curves Fix a

Equivalent Curves in Surfaces Anja Bankovi c University of Illinois Equivalent Curves Fix a closed surface S , genus g 2. Equivalent Curves Fix a closed surface S , genus g 2. (Horowitz, Randol) n Z + 1 , . . . , n ,

734 views • 46 slides
A database of genus 3 curves over Q Andrew V. Sutherland MIT May 17, 2018 Joint with Raymond

A database of genus 3 curves over Q Andrew V. Sutherland MIT May 17, 2018 Joint with Raymond

A database of genus 3 curves over Q Andrew V. Sutherland MIT May 17, 2018 Joint with Raymond van Bommel, Andrew Booker, Edgar Costa, John Cremona, Tim Dokchitser, Francesc Fit, David Harvey, Kiran Kedlaya, Davide Lombardo, Elisa Lorenzo,

606 views • 21 slides
Rational Points on Curves of Higher Genus Michael Stoll Universit at Bayreuth Pacific

Rational Points on Curves of Higher Genus Michael Stoll Universit at Bayreuth Pacific

Rational Points on Curves of Higher Genus Michael Stoll Universit at Bayreuth Pacific Norhwest Number Theory Conference Simon Fraser University, Burnaby May 8, 2010 The Problem Let C be a (geometrically integral) curve defined over Q . (We

581 views • 23 slides
Some old and new problems with genus 3 curves Christophe Ritzenthaler C.N.R.S. Institut de

Some old and new problems with genus 3 curves Christophe Ritzenthaler C.N.R.S. Institut de

Some old and new problems with genus 3 curves Christophe Ritzenthaler C.N.R.S. Institut de Mathmatiques de Luminy Luminy Case 930, F13288 Marseille CEDEX 9 e-mail : ritzenth@iml.univ-mrs.fr web : http ://iml.univ-mrs.fr/ ritzenth/

1.39k views • 102 slides
Computing genus 2 curves from invariants on the Hilbert moduli space Journal of Number Theory,

Computing genus 2 curves from invariants on the Hilbert moduli space Journal of Number Theory,

Computing genus 2 curves from invariants on the Hilbert moduli space Journal of Number Theory, Special Issue on Elliptic Curve Cryptography http://eprint.iacr.org/2010/294 Kristin Lauter, Microsoft Research Joint work with: Tonghai Yang,

421 views • 39 slides
Counting points on curves Edgar Costa Dartmouth College Qu ebec-Maine Number Theory

Counting points on curves Edgar Costa Dartmouth College Qu ebec-Maine Number Theory

Counting points on curves Edgar Costa Dartmouth College Qu ebec-Maine Number Theory conference, 8th October 2016 (joint work with David Harvey, UNSW) 1 / 22 Edgar Costa (Dartmouth College) Counting points on curves Setup p = prime C P

640 views • 34 slides
Index Calculus Attack for Hyperelliptic Curves of Small Genus Nicolas Thriault

Index Calculus Attack for Hyperelliptic Curves of Small Genus Nicolas Thriault

Index Calculus Attack for Hyperelliptic Curves of Small Genus Nicolas Thriault nicolast@exp-math.uni-essen.de University of Toronto / IEM Universitt DuisburgEssen Slide index Discrete Log Problem Large primes Hyperelliptic

927 views • 67 slides
The AGM- X 0 ( N ) Algorithm Heegner point lifting with application to elliptic curve point

The AGM- X 0 ( N ) Algorithm Heegner point lifting with application to elliptic curve point

The AGM- X 0 ( N ) Algorithm Heegner point lifting with application to elliptic curve point counting David R. Kohel School of Mathematics and Statistics University of Sydney I Elliptic Curves in Cryptography An elliptic curve E/ F p r for

415 views • 18 slides
Smaller and faster public-key crypto for IoT from genus-2 curves Benjamin Smith Real-world

Smaller and faster public-key crypto for IoT from genus-2 curves Benjamin Smith Real-world

Smaller and faster public-key crypto for IoT from genus-2 curves Benjamin Smith Real-world crypto+privacy summer school, Sibenik, 18/6/2019 Inria + Laboratoire dInformatique de lcole polytechnique (LIX) 1 Ancient history singularities

501 views • 37 slides
Smoothability of Genus 6 Petri General Curves Aaron Landesman (Harvard University) David

Smoothability of Genus 6 Petri General Curves Aaron Landesman (Harvard University) David

Smoothability of Genus 6 Petri General Curves Aaron Landesman (Harvard University) David Zureick-Brown (Emory University) Joint Mathematics Meetings Seattle, WA January 8, 2016 Smoothability Definition A scheme is smoothable if it can be

392 views • 21 slides

More recommend