About the CRT method to compute class Sminaire LFANT 10/05/2012 - PowerPoint PPT Presentation

About the CRT method to compute class Séminaire LFANT 10/05/2012 (Bordeaux) polynomials in dimension 2 Kristin Lauter 1 , Damien Robert 2 1 Microsoft Research 2 LFANT Team, IMB & INRIA Bordeaux Sud-Ouest

Class polynomials Speeding up the CRT Examples Complexity analysis Motivation Abelian varieties and cryptography prime. If A / � q is a “generic” abelian variety of small dimension g , then the DLP on A ( � q ) is thought to be hard if # A ( � q ) is divisible by a large • Take random abelian varieties and count the number of points (a bit too slow when g = 2 ); • Generate abelian varieties with a prescribed number of points ( ⇒ paring based cryptography).

Class polynomials Speeding up the CRT Examples Complexity analysis Class polynomials • If A / � q is an ordinary (simple) abelian variety of dimension g , End ( A ) ⊗ � is a (primitive) CM field K ( K is a totally imaginary quadratic extension of a totally real number field K 0 ). • The class polynomials H 1 , � H 2 ..., � H g ( g + 1 ) / 2 parametrizes the invariants of all abelian varieties A / � with End ( A ) ≃ O K . • If the class polynomials are totally split modulo P , their roots in � P gives invariants of abelian varieties A / � P with End ( A ) ≃ O K . It is easy to recover # A ( � P ) given O K and P .

Class polynomials traces Examples Complexity analysis Some technical details there is two class of CM types. Speeding up the CRT Definition • The abelian varieties are principally polarized. • A CM type Φ is a choice of an extension to K for each of the embedding K 0 → � . We have Hom ( K , � ) = Φ ⊕ Φ . Example: If K is a (primitive) CM field of degree 4 , then either K is cyclic and there is one class of CM type, or K is dihedral and • If A is an abelian variety with CM by K , the representation K → End T 0 A is given by a CM type Φ . • The isogeny class of complex abelian varieties with CM by K is determined by the class of Φ . • The reflex field of ( K , ϕ ) is the CM field K r generated by the � ϕ ∊ Φ ϕ ( x ) , x ∊ K . � • The type norm N Φ : K → K r is x �→ ϕ ∊ Φ ϕ ( x ) . The class polynomials ( H Φ ) i ) parametrizes the abelian varieties with CM by ( O K , Φ)

Class polynomials Theorem (Main theorems of complex multiplication) less precision. Speeding up the CRT Dihedral case. Class polynomials and complex multiplication Complexity analysis Examples • The class polynomials ( H Φ ) i are defined over K 0 and generate a subfield H Φ of the Hilbert class field of K r . • If A / � has CM by ( O K , Φ) and P is a prime of good reduction in H Φ , then the Frobenius of A P corresponds to N H Φ , Φ r ( P ) . If g � 2 , the CM types are in the same orbits under the absolute � Galois action, and the class polynomials H i = Φ ( H Φ ) i are rationals (and even integrals when g = 1 ). • For efficiency, we compute the class polynomials H Φ since they give a factor of the full class polynomials H . This mean we need • In genus 2 , this involves working over K 0 rather than � in the

Class polynomials Speeding up the CRT Examples Complexity analysis Constructing class polynomials precision to recover the class polynomials. to recover the class polynomials (require specific splitting use the CRT to reconstruct the class polynomials. Remark computation bounded by memory. But we can construct directly the • Analytic method: compute the invariants in � with sufficient • p -adic lifting: lift the invariants in � p with sufficient precision behavior of p ). • CRT: compute the class polynomials modulo small primes, and In genus 1 , all these methods are quasi-linear in the size of the output ⇒ class polynomials modulo p with the explicit CRT.

Class polynomials CRT. Examples Complexity analysis characteristic polynomial of the Frobenius (do some trial tests to Speeding up the CRT Remark Review of the CRT algorithm in genus 2 1. Select a CRT prime p . 2. For each abelian surface A in the O ( p 3 ) isomorphic classes: 2.1 Check if A is in the right isogeny class by computing the check for # A before). 2.2 Check if End ( A ) = O K . 3. From the invariants of the maximal curves, reconstruct ( H Φ ) i mod p . Repeat until we can recover ( H Φ ) i from the ( H Φ ) i mod p using the Since K is primitive, we only need to look at Jacobians of hyperelliptic curves of genus 2 .

Class polynomials Definition Speeding up the CRT will then be ordinary. Complexity analysis Examples Selecting the prime p A CRT prime p ⊂ O K r 0 is a prime such that all abelian varieties over � with CM by ( O K , Φ) have good reduction modulo p . • p is a CRT prime for the CM type Φ if and only if there exists an unramified prime q in O K r of degree 1 above p of principal type norm ( π ) • The isogeny class of the reduction of these abelian varieties mod p is determined (up to a twist) by ± π where N Φ ( p ) = ( π ) . • For efficiency, we work with CRT primes p that are unramified of degree one over p = p ∩ � . ⇒ the reduction to � p of the abelian varieties with CM by ( O K , Φ)

Class polynomials Speeding up the CRT Examples Complexity analysis Working with both CM types in the Dihedral case Whereas when only dealing with one CM type, we can even Remark Let Φ 1 and Φ 2 be the two CM types. • If p splits as p 1 p 2 in K r 0 , then for p to be a CRT prime for both CM types, we need p 1 and p 2 to be CRT primes. ⇒ We have less prime to work with, and less possibilities to sieve. choose the best prime among p 1 and p 2 . The reductions of the abelian varieties with CM by Φ 2 modulo p 1 are isomorphics to the reductions of the abelian varieties with CM by Φ 1 modulo p 2 .

Class polynomials Remark Examples Complexity analysis Checking if a curve is maximal Speeding up the CRT • Let J be the Jacobian of a curve in the right isogeny class. Then � [ π , π ] ⊂ End ( J ) ⊂ O K . • Let γ ∊ O K \ � [ π , π ] . We want to check if γ ∊ End ( J ) . • If p > 3 then ( O K : � [ π , π ]) is prime to p . We then have γ ∊ End ( J ) ⇔ p γ ∊ End ( J ) . • Let n be the smallest integer thus that n γ ∊ � [ π , π ] . Since ( � [ π , π ] : � [ π ]) = p , we can write np γ = P ( π ) . • Then γ ∊ End ( J ) ⇔ P ( π ) = 0 on J [ n ] . • In practice (Freeman-Lauter): compute J [ ℓ d ] for ℓ d | ( O K : � [ π , π ]) and check the action of the generators of O K on it. If 1, α , β , γ are generators of O K as a � -module, it can happen that γ = P ( α , β ) , so that we don’t need to check that γ ∊ End ( J ) .

Class polynomials Speeding up the CRT Examples Complexity analysis Example 1: Checking if a curve is maximal • Let H : y 2 = 10 x 6 + 57 x 5 + 18 x 4 + 11 x 3 + 38 x 2 + 12 x + 31 over � 59 and � � J the Jacobian of H . We have End ( J ) ⊗ � = � ( i 29 + 2 29 ) and we want to check if End ( J ) = O K . • O K is generated as a � -module by 1, α , β , γ . α is of index 2 in O K / � [ π , π ] , β of index 4 and γ of index 40 . • So the old algorithm will check J [ 2 3 ] and J [ 5 ] . • But ( O K ) 2 = � 2 [ π , π , α ] , so we only need to check J [ 2 ] and J [ 5 ] .

Class polynomials Speeding up the CRT Examples Complexity analysis Proposition Corollary Remark It may happen that we get a factor two on the degrees by working over Field of definition of the ℓ d -torsion • The geometric points of J [ ℓ d ] are defined over � p α d ⇔ π α d − 1 ∊ ℓ d End ( J ) . • α d | α 1 ℓ d − 1 . If End ( J ) = O K this is an equality: α d = α 1 ℓ d − 1 . Let α be thus that π α − 1 ∊ ℓ O K . We first check that ( π α − 1 ) /ℓ is an element of End ( J ) ( ⇔ J [ ℓ ] defined over � p α ). Then J [ ℓ d ] is defined over � p αℓ d − 1 . the twist: that is by working with − π .

Class polynomials require a lot of random points, and the result is probabilistic. Examples Complexity analysis Speeding up the CRT Computing the ℓ d -torsion • We compute # J ( � p α ) = ℓ β c (where α is the degree of definition of the ℓ d -torsion). • If P 0 is a random point of J ( � p α ) , then P = cP 0 is a random point of ℓ ∞ -torsion, and P multiplied by a suitable power of ℓ is a random point of ℓ d -torsion. • Usual method (Freeman-Lauter): take a lot of random points of ℓ d -torsion, and hope they generate it over � p α . • Problems: the random points of ℓ d -torsion are not uniform ⇒ • Our solution: Compute the whole ℓ ∞ -torsion. “Correct” points to find uniform points of ℓ d -torsion. Use pairings to save memory. ⇒ We can check if a curve is maximal faster. ⇒ We can abort early.

Class polynomials Speeding up the CRT Examples Complexity analysis Example 2: checking if a curve is maximal • Let H : y 2 = 80 x 6 + 51 x 5 + 49 x 4 + 3 x 3 + 34 x 2 + 40 x + 12 over � 139 and � � J the Jacobian of H . We have End ( J ) ⊗ � = � ( i 13 + 2 29 ) and we want to check if End ( J ) = O K . • For that we need to compute J [ 3 5 ] , that lives over an extension of degree 81 (for the twist it lives over an extension of degree 162 ). • With the old randomized algorithm, this computation takes 470 seconds (with 12 Frobenius trials over � 139 162 ). • With the new algorithm computing the ℓ ∞ -torsion, it only takes 17.3 seconds (needing only 4 random points over � 139 81 , approx 4 seconds needed to get a new random point of ℓ ∞ -torsion).