Genus 2, faster
Point counting for genus 2 curves with real multiplication

Pierrick Gaudry, David Kohel, Benjamin Smith
INRIA Saclay–Île-de-France
Laboratoire d'Informatique de l'École polytechnique (LIX)

Geocrypt, Bastia, 20/6/2011

Outline: Genus 1 and 2; Point counting; Schoof–Pila; Division polys; Kernels; Schoof complexity; BSGS; Real multiplication; RM families; Split primes; Smaller kernels; New relations; RM Complexity; Implementation; Cryptographic Jacobians; Extreme experiments
Genus 2 cryptosystems have security and efficiency comparable¹ with elliptic curve cryptosystems...

Let $E/\mathbb{F}_{p_1}$ and $C/\mathbb{F}_{p_2}$ have genus 1 and 2, respectively, such that $E$ and $J_C$ have the same prime order $N$. The advantages of using $E$ or $C$ are debatable.

...but setting up secure genus 2 instances is much harder.
◮ 256-bit EC: SEA in seconds
◮ 256-bit abelian surface: replace seconds with days.

¹ In the paper-generation sense of the word
Given $C: y^2 = f(x)$ of genus 2 over $\mathbb{F}_q$ ($q$ odd, $J_C$ ordinary, absolutely irreducible) we want to compute $\#J_C(\mathbb{F}_q)$.

Equivalently: compute the characteristic polynomial of Frobenius
$$\chi(T) = T^4 - s_1 T^3 + (s_2 + 2q)\,T^2 - q s_1 T + q^2$$
(so that $\#J_C(\mathbb{F}_q) = \chi(1)$), which is subject to the Weil bounds
$$|s_1| \le 4\sqrt{q} \quad\text{and}\quad |s_2| \le 4q$$
and the Rück bounds
$$s_1^2 - 4 s_2 \ge 0 \quad\text{and}\quad s_2 + 4q \ge 2\sqrt{q}\,|s_1|.$$
Schoof's idea: the characteristic polynomial of Frobenius acting on $J_C[\ell]$ is $\chi_\ell(T) := \chi(T) \bmod \ell$, i.e.
$$(\pi^2 + [\bar q])^2(D) - [\bar s_1]\,(\pi^2 + [\bar q])\,\pi(D) + [\bar s_2]\,\pi^2(D) = 0$$
for all $D$ in $J_C[\ell]$ (here $\bar{\cdot}$ denotes residue mod $\ell$).

To compute $\chi$, we compute $\chi_\ell$ for sufficiently many prime (powers) $\ell$ to recover $\chi$ via the CRT.

To compute $\chi_\ell$:
1. compute generic $D$ in $J_C[\ell]$;
2. compute $\pi^2(D)$, $(\pi^2 + [\bar q])\pi(D)$, and $(\pi^2 + [\bar q])^2(D)$;
3. search for $[\bar s_1]$ and $[\bar s_2]$ s.t. the relation holds.
Let $(u, v)$ be a generic point of $C$, and $D$ its image in $J_C$. We say $\phi \in \mathrm{End}(J_C)$ is explicit if we can compute polynomials $d_0, d_1, d_2, e_0, e_1, e_2$ such that
$$\phi(D) = \left( x^2 + \frac{d_1(u)}{d_2(u)}\,x + \frac{d_0(u)}{d_2(u)},\;\; y - \frac{e_1(u)\,x + e_0(u)}{e_2(u)}\,v \right).$$
We call the $d_i$ and $e_i$ the $\phi$-division polynomials (= Cantor's $\ell$-division polys for $\phi = [\ell]$).

We say that $\phi$ is efficiently computable if the $\phi$-division polynomials have low degree (ie evaluating $\phi$ is in $O(1)$ field ops). (Note: $[\ell]$-division polys have degree in $O(\ell^2)$.)
Computing generic elements of $\ker\phi \subset J_C$. Let $\phi$ be an explicit endomorphism, $(u_1, v_1), (u_2, v_2)$ generic points on $C$, and $D_1, D_2$ their images in $J_C$. Then
$$D = \left(x^2 + a_1 x + a_0,\; y - (b_1 x + b_0)\right) := D_1 + D_2$$
is a generic point of $J_C$.
1. Compute $\phi(D_1)$ and $\phi(D_2)$;
2. Solve for $(u_1, v_1, u_2, v_2)$ in $\phi(D_1) = -\phi(D_2)$;
3. Resymmetrizing, compute a triangular ideal $I_\phi$ of relations in $a_1, a_0, b_1, b_0$ satisfied when $D \in \ker\phi$.

Suppose the degree of the $\phi$-division polynomials is bounded by $\delta$:
◮ compute $I_\phi$ in $\widetilde{O}(\delta^3)$ $\mathbb{F}_q$-operations;
◮ the degree of $I_\phi$ is in $O(\delta^2)$.
Computing $\chi_\ell$: the $[\ell]$-division polynomials have degree in $O(\ell^2)$; the ideal $I_\ell$ defining generic $D \in J_C[\ell]$ has degree $\ell^4$.
1. Compute $I_\ell$ in $\widetilde{O}(\ell^6)$ field ops;
2. Compute $\pi(D)$, $(\pi^2 + [\bar q])(D)$, and $(\pi^2 + [\bar q])^2(D)$ in $\widetilde{O}(\ell^4 \log q)$ field ops;
3. Find the right $(\bar s_1, \bar s_2)$ in $\widetilde{O}(\ell^5)$ field ops;
$\Rightarrow$ we compute $\chi_\ell$ in $\widetilde{O}(\ell^4(\ell^2 + \log q))$ field ops.

Conventional Schoof–Pila complexity:
◮ We need $\chi_\ell$ for the $O(\log q)$ primes $\ell$ in $O(\log q)$.
◮ We compute each $\chi_\ell$ in $\widetilde{O}(\log^7 q)$ bit ops;
◮ $\Rightarrow$ total cost to compute $\chi$ is in $\widetilde{O}(\log^8 q)$ bit ops.
The $\ell$-torsion computations become awkward very quickly in genus 2; we're limited to $\ell = O(\text{a handful of bits})$. This gives us $s_1$ and $s_2$ modulo some integer $M$.

We finish the computation using a generic algorithm such as BSGS, which runs in time
◮ $\widetilde{O}(q^{3/4}/M)$ when $M < 8\sqrt{q}$, and
◮ $\widetilde{O}(\sqrt{q/M})$ when $M \ge 8\sqrt{q}$.

This all sounds pretty bad. Why would we want to use genus 2 again, anyway?
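The bounds on $(s_1, s_2)$ and the "finish with BSGS" step above, as an added example (our own code, not code from the slides or the authors' implementation): brute-force Frobenius coefficients for small toy curves, the Weil/Rück admissibility test (with the Rück bound in its sharp form $s_2 + 4q \ge 2\sqrt{q}|s_1|$, checked in integers), $\#J_C(\mathbb{F}_q) = \chi(1)$, and the candidate set a generic BSGS still has to distinguish once $s_1, s_2$ are known mod $M$. The first test curve, $y^2 = x^5 + 1$ over $\mathbb{F}_7$, is chosen because its answer is known ($x \mapsto x^5$ is a bijection of $\mathbb{F}_7$ and of $\mathbb{F}_{49}$, so $\chi(T) = T^4 + q^2$), even though it is supersingular rather than ordinary as the slides assume; the second, the Tautz–Top–Verberkmoes curve with $t = 1$ over $\mathbb{F}_{11}$, is a constructed input with no claimed answer. Representing $\mathbb{F}_{p^2}$ as $\mathbb{F}_p[i]$ with $i^2 = -1$ (so $p \equiv 3 \bmod 4$) is an assumption of the code.

```python
# Added example, not from the slides: brute-force (s1, s2) for y^2 = f(x) over a
# small prime field, Weil/Rueck admissibility, #J_C = chi(1), and the (s1, s2)
# search space left for BSGS when s1, s2 are known mod M.
# Assumption: p is an odd prime with p = 3 mod 4, so F_{p^2} = F_p[i], i^2 = -1.
from math import isqrt


def is_square_mod_p(p, c):
    """Euler criterion for nonzero c in F_p."""
    return pow(c % p, (p - 1) // 2, p) == 1


def eval_fp(f, x, p):
    """Horner evaluation of f (coefficients low-to-high) at x in F_p."""
    acc = 0
    for c in reversed(f):
        acc = (acc * x + c) % p
    return acc


def eval_fp2(f, x, p):
    """Horner evaluation at x = (a, b) meaning a + b*i in F_p[i], i^2 = -1."""
    acc = (0, 0)
    for c in reversed(f):
        a, b = acc
        acc = ((a * x[0] - b * x[1] + c) % p, (a * x[1] + b * x[0]) % p)
    return acc


def count_points_fp(f, p):
    """#C(F_p) for y^2 = f(x), deg f = 5: one point at infinity plus affine points."""
    n = 1
    for x in range(p):
        fx = eval_fp(f, x, p)
        n += 1 if fx == 0 else (2 if is_square_mod_p(p, fx) else 0)
    return n


def count_points_fp2(f, p):
    """#C(F_{p^2}). A nonzero c = a + b*i is a square in F_{p^2} iff
    c^((p^2-1)/2) = N(c)^((p-1)/2) = 1, i.e. iff its norm a^2 + b^2 is a square in F_p."""
    n = 1
    for a in range(p):
        for b in range(p):
            fa, fb = eval_fp2(f, (a, b), p)
            if (fa, fb) == (0, 0):
                n += 1
            elif is_square_mod_p(p, fa * fa + fb * fb):
                n += 2
    return n


def frobenius_coefficients(f, p):
    """(s1, s2) from #C(F_p) = p + 1 - s1 and
    #C(F_{p^2}) = p^2 + 1 - sum(alpha_i^2) = p^2 + 1 - (s1^2 - 2 s2 - 4p)."""
    s1 = p + 1 - count_points_fp(f, p)
    twice_s2 = count_points_fp2(f, p) - p * p - 1 + s1 * s1 - 4 * p
    if twice_s2 % 2:
        raise ValueError("point counts are not those of a genus-2 curve")
    return s1, twice_s2 // 2


def weil_ruck_ok(q, s1, s2):
    """Weil: |s1| <= 4 sqrt(q), |s2| <= 4q.  Rueck: s1^2 - 4 s2 >= 0 and
    s2 + 4q >= 2 sqrt(q) |s1| (squared to stay in integers)."""
    return (s1 * s1 <= 16 * q and abs(s2) <= 4 * q
            and s1 * s1 - 4 * s2 >= 0
            and s2 + 4 * q >= 0 and (s2 + 4 * q) ** 2 >= 4 * q * s1 * s1)


def jacobian_order(q, s1, s2):
    """#J_C(F_q) = chi(1) = (q+1)^2 + s2 - s1 (q+1)."""
    return (q + 1) ** 2 + s2 - s1 * (q + 1)


def bsgs_search_space(q, M, s1_mod, s2_mod):
    """All admissible (s1, s2) with s1 = s1_mod, s2 = s2_mod (mod M): the
    candidates a generic BSGS over J_C(F_q) must still tell apart."""
    out = []
    s1_max = isqrt(16 * q)
    for s1 in range(-s1_max, s1_max + 1):
        if (s1 - s1_mod) % M:
            continue
        for s2 in range(-4 * q, 4 * q + 1):
            if (s2 - s2_mod) % M == 0 and weil_ruck_ok(q, s1, s2):
                out.append((s1, s2))
    return out


if __name__ == "__main__":
    # Constructed inputs: the supersingular check curve, and TTV with t = 1 over F_11.
    for name, f, p in [("y^2 = x^5 + 1 over F_7", [1, 0, 0, 0, 0, 1], 7),
                       ("y^2 = x^5 - 5x^3 + 5x + 1 over F_11", [1, 5, 0, -5 % 11, 0, 1], 11)]:
        s1, s2 = frobenius_coefficients(f, p)
        print(name, "s1 =", s1, "s2 =", s2, "admissible:", weil_ruck_ok(p, s1, s2),
              "#J_C =", jacobian_order(p, s1, s2))
        for M in (1, 3, 15):
            print("  candidates with (s1, s2) known mod", M, ":",
                  len(bsgs_search_space(p, M, s1 % M, s2 % M)))
```

The brute force is only viable for tiny $p$; its point is to make the bookkeeping behind $\chi$ concrete. Shrinking `bsgs_search_space` as $M$ grows is exactly what the $\ell$-torsion computations buy before the generic phase takes over.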
Remember: Genus 2 is not just a two-dimensional analogue of genus 1 (it's much more fun than that).

Recall:
◮ $\mathrm{End}(J_C) \otimes \mathbb{Q} = \mathbb{Q}(\pi)$ is a quartic CM-field.
◮ Complex conjugation = Rosati involution $\alpha \mapsto \alpha^\dagger$.
◮ Real quadratic subfield: $\mathbb{Q}(\pi + \pi^\dagger) \cong \mathbb{Q}(\sqrt{\Delta})$ for some $\Delta > 0$.
◮ We say $C$ has RM by $\mathcal{O}$ if $\mathcal{O}$ is a real quadratic order isomorphic to a subring of $\mathrm{End}(J_C)$.
◮ The $C$ with RM by a fixed ring form Humbert surfaces in the 3-dimensional moduli space.
We can construct genus 2 curves with efficient RM using some explicit one/two-parameter families (Mestre, Tautz–Top–Verberkmoes, Hashimoto, Brumer...).

Consider the Tautz–Top–Verberkmoes family
$$C: y^2 = x^5 - 5x^3 + 5x + t.$$
We have an explicit endomorphism $\phi$ defined by
$$\phi((u, v)) = \left(x^2 - \tau u x + u^2 + \tau^2 - 4,\; y - v\right)$$
where $\tau = \zeta_5 + \zeta_5^{-1}$ (in $\mathbb{F}_q$ if $q \not\equiv \pm 2 \bmod 5$).

We have $\phi^2 + \phi - 1 = 0$, so $C$ has efficient RM by $\mathbb{Z}[\phi] \cong \mathbb{Z}\!\left[\tfrac{1+\sqrt{5}}{2}\right]$.
Our idea:
◮ Cebotarev density $\Rightarrow$ half the primes $\ell$ split in $\mathbb{Z}[\phi]$.
◮ These splittings correspond to decompositions of the $\ell$-torsion.
◮ $\phi$ is efficient $\Rightarrow$ we can make the decomposition factors explicit.
◮ We can compute in the factors faster than in $J_C[\ell]$.
◮ Hence, we can compute $\chi_\ell$ faster for split $\ell$.
◮ Also, explicit $\mathbb{Z}[\phi]$ $\Rightarrow$ a better search space (so we need fewer $\chi_\ell$ to determine $\chi$).
◮ $\to$ a much better complexity for computing $\chi$.
The details: suppose $\ell$ splits in $\mathbb{Z}[\phi]$. For our families, the primes over $\ell$ are principal:
$$(\ell) = (\alpha_1)(\alpha_2) \quad\text{and}\quad J_C[\ell] = J_C[\alpha_1] \oplus J_C[\alpha_2].$$
◮ We can compute generators $\alpha_i = a_i + b_i\phi$ with $a_i, b_i$ in $O(\sqrt{\ell})$.
◮ The $[a_i]$- and $[b_i]$-division polys have degree in $O(\ell)$.
◮ $\Rightarrow$ the $\alpha_i$-division polys have degree in $O(\ell)$.
◮ The kernel ideals $I_{\alpha_i}$ have degrees in $O(\ell^2)$ (+ we can compute $I_{\alpha_i}$ in $\widetilde{O}(\ell^3)$ field operations).
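The two preceding slides (split primes and the "better search space"), as an added example in our own code, not the authors' implementation: arithmetic in $\mathbb{Z}[\phi]$ with $\phi^2 + \phi - 1 = 0$ (the RM order of the Tautz–Top–Verberkmoes family), the splitting test for $\ell$, small generators $\alpha_i = a_i + b_i\phi$ with $N(\alpha_i) = \pm\ell$ and $\alpha_1\alpha_2 = \pm\ell$, and the scalar by which $\phi$ acts on each factor $J_C[\alpha_i]$ (a root of $T^2 + T - 1 \bmod \ell$). The search-space part uses the factorisation $\chi(T) = (T^2 - \beta T + q)(T^2 - \beta^\dagger T + q)$ with $\beta = \pi + \pi^\dagger$-type element $a + b\phi \in \mathbb{Z}[\phi]$, so $s_1 = 2a - b$ and $s_2 = a^2 - ab - b^2$ and hence $s_1^2 - 4 s_2 = 5b^2$; this is our derivation from the RM structure on the "Recall" slide, not a formula the slides state. Function names and the box sizes are assumptions of the code.

```python
# Added example, not from the slides: Z[phi] with phi^2 = 1 - phi (phi† = -1 - phi).
# Split primes, small generators of the primes over l, eigenvalues of phi on the
# factors J_C[alpha_i], and the RM-restricted (s1, s2) search space.
from math import isqrt


def mul(x, y):
    """(a + b phi)(c + d phi) = ac + bd + (ad + bc - bd) phi, using phi^2 = 1 - phi."""
    a, b = x
    c, d = y
    return (a * c + b * d, a * d + b * c - b * d)


def conj(x):
    """a + b phi†  with phi† = -1 - phi, i.e. (a - b) - b phi."""
    a, b = x
    return (a - b, -b)


def norm(x):
    """N(a + b phi) = (a + b phi)(a + b phi†) = a^2 - ab - b^2."""
    a, b = x
    return a * a - a * b - b * b


def splits(l):
    """l splits in Z[phi] iff T^2 + T - 1 has a root mod l, i.e. iff 5 is a square
    mod l (l = ±1 mod 5). 2 is inert and 5 ramifies, so neither splits."""
    if l in (2, 5):
        return False
    return pow(5 % l, (l - 1) // 2, l) == 1


def split_generators(l):
    """For split l, small (a, b) with N(a + b phi) = ±l, giving (l) = (alpha)(alpha†).
    Assumed box |a|, |b| <= 2 sqrt(l) + 2 (enough after reducing by the unit phi)."""
    if not splits(l):
        return None
    bound = 2 * isqrt(l) + 2
    for b in range(0, bound + 1):
        for a in range(-bound, bound + 1):
            if abs(norm((a, b))) == l:
                return (a, b), conj((a, b))
    return None


def phi_eigenvalues(l):
    """On J_C[alpha_i] the endomorphism a_i + b_i phi is zero, so phi acts as
    lambda_i = -a_i / b_i mod l, which is a root of T^2 + T - 1 mod l."""
    gens = split_generators(l)
    if gens is None:
        return None
    lams = []
    for a, b in gens:
        lam = (-a * pow(b, -1, l)) % l   # b is a unit mod l, else l | alpha
        assert (lam * lam + lam - 1) % l == 0
        lams.append(lam)
    return tuple(lams)


def rm_coefficients(a, b):
    """chi = (T^2 - beta T + q)(T^2 - beta† T + q), beta = a + b phi:
    s1 = beta + beta† = 2a - b, s2 = beta beta† = N(beta)."""
    return 2 * a - b, norm((a, b))


def rm_parameters(s1, s2):
    """Invert rm_coefficients: needs s1^2 - 4 s2 = 5 b^2 and 2a = s1 + b.
    Returns (a, b) with b >= 0, or None if (s1, s2) cannot come from RM by Z[phi]."""
    disc = s1 * s1 - 4 * s2
    if disc < 0 or disc % 5:
        return None
    b = isqrt(disc // 5)
    if 5 * b * b != disc or (s1 + b) % 2:
        return None
    return (s1 + b) // 2, b


def rm_search_space(q, M, s1_mod, s2_mod):
    """Candidates (s1, s2) for an RM curve: enumerate beta = a + b phi whose two real
    embeddings lie in [-2 sqrt(q), 2 sqrt(q)] (equivalently the Weil/Rueck conditions
    on T^2 - s1 T + s2), instead of all (s1, s2) in the Weil box."""
    out = []
    bound = 4 * isqrt(q) + 4   # assumed box; |b| <= 4 sqrt(q)/sqrt(5), |a| <= ~3.1 sqrt(q)
    for b in range(0, bound + 1):
        for a in range(-bound, bound + 1):
            s1, s2 = rm_coefficients(a, b)
            if s1 * s1 > 16 * q or s2 + 4 * q < 0 or (s2 + 4 * q) ** 2 < 4 * q * s1 * s1:
                continue
            if (s1 - s1_mod) % M == 0 and (s2 - s2_mod) % M == 0:
                out.append((s1, s2))
    return out


if __name__ == "__main__":
    for l in (7, 11, 13, 19, 29, 31):
        print(l, "splits" if splits(l) else "inert/ramified",
              split_generators(l), phi_eigenvalues(l))
    print("RM candidates for q = 101, nothing known mod M:", len(rm_search_space(101, 1, 0, 0)))
```

Note the two-sided payoff: for split $\ell$ the work moves from $J_C[\ell]$ (degree $\ell^4$) to the two factors $J_C[\alpha_i]$ (degree $O(\ell^2)$ each), and the candidate count for $(s_1, s_2)$ drops from $O(q^{3/2})$ pairs to $O(q)$ pairs $(a, b)$, which is why fewer $\chi_\ell$ are needed.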