Arithmetic on Abelian and Kummer varieties 2013/12/03 PEACE Rennes - PowerPoint PPT Presentation

Arithmetic on Abelian and Kummer varieties 2013/12/03 — PEACE — Rennes David Lubicz, Damien Robert

Arithmetic of theta functions Compatible additions Questions: Can compute any arithmetic operation, but much slower. only(?) for scalar multiplication; Problem: We want efficient arithmetic on abelian varieties (cryptography); The context Formulas Efficient representation Coordinates compression We use theta functions (of level n ); For the slides we will work with an abelian surface A , but everything work in higher dimensions g (or in dimension 1 ). The 2 g = 4 level two theta functions give a projective embedding of the Kummer variety K = A / ± 1 . Compact representation, fast arithmetic, but The 4 g = 16 level four theta functions give a projective embedding of A . How much arithmetic descend on K ? Can we compute it explicitly? Are there more compact/efficient representations to work directly on A ? Something like level 2 + some extra information?

Arithmetic of theta functions Compatible additions Coordinates compression Efficient representation Formulas Outline 1 Arithmetic of theta functions 2 Compatible additions 3 Coordinates compression 4 Efficient representation 5 Formulas

Arithmetic of theta functions Compatible additions Coordinates compression Efficient representation Formulas The tools Theorem (Duplication formula) The duplication formula express the isogeny Let � be an ample totally symmetric line bundle. � ϑ � 2 u ( x ) ϑ � 2 ϑ � i ( x + y ) ϑ � j ( x − y ) = v ( y ) u + v = i u − v = j f : A × A −→ A × A ; ( x , y ) �−→ ( x + y , x − y ) Gives a link between theta functions of level n and theta functions of level 2 n (Koizumi-Kempf’s formulas are a generalisation to higher level).

Arithmetic of theta functions normal (Koizumi-Kempf). Coordinates compression Efficient representation Formulas Riemann relations Theorem (Application of the duplication formula) (Mumford’s description of the corresponding modular space); Remark Compatible additions equivalently that the embedding of the Kummer variety is projectively � � � � � � χ ( t ) ϑ i + t ( x 1 ) ϑ j + t ( y 1 ) . χ ( t ) ϑ k + t ( u 1 ) ϑ l + t ( v 1 ) = t ∊ Z ( 2 ) t ∊ Z ( 2 ) � � � � � � χ ( t ) ϑ i ′ + t ( x 2 ) ϑ j ′ + t ( y 2 ) . χ ( t ) ϑ k ′ + t ( u 2 ) ϑ l ′ + t ( v 2 ) . t ∊ Z ( 2 ) t ∊ Z ( 2 ) Where x 1 , y 1 , u 1 , v 1 , z ∊ A ( k ) with 2 z = x 1 + y 1 + u 1 + v 1 , x 2 = z − x 1 , y 2 = z − y 1 , u 2 = z − u 1 and v 2 = z − v 1 , Z ( 2 ) , i , j , k , l , m ∊ Z ( n ) with 2 m = i + j + k + l , i ′ = m − i , j ′ = m − j , for all χ ∊ ˆ k ′ = m − k and l ′ = m − l . When 4 | n Riemann relations encode all the arithmetic of the abelian variety When n = 2 we assume that the even theta constants are non zero, or ⇒ A is absolutely simple, and not a Jacobian of an hyperelliptic curve when g ⩾ 3 .

Arithmetic of theta functions Compatible additions structures. This extra affine data is crucial for isogenies or pairings computations The previous arithmetic actually can be defined over affine lifts of the projective Remark addition); [LR10; LR13]. Formulas Arithmetic from Riemann relations Efficient representation Coordinates compression Given x = ( ϑ i ( x )) and y = ( ϑ i ( y )) , one can recover All ϑ i ( x + y ) ϑ j ( x − y ) when 4 | n ; All ϑ i ( x + y ) ϑ j ( x − y ) + ϑ j ( x + y ) ϑ i ( x − y ) when n = 2 . Proposition ( 2 | n ) Given x = ( ϑ i ( x )) , one can compute − x = ( ϑ − i ( x ) (Opposite); Given the points x , y and x − y , one can compute x + y (Differential Given the points x 1 ,..., x n and the two by two sums x i + x j , one can recover x 1 + ... + x n (Multiway addition). theta coordinates. These lifts correspond to the lift of the projection � g → � g / Λ when k = � , or in general to a choice of projective system of compatible theta

Arithmetic of theta functions (Projective) additions the linear relations coming from Compatible additions Formulas Efficient representation Coordinates compression Given x and y , we want to compute x + y . When 4 | n , we can always compute x + y by using Riemann relations; When n = 2 , we can compute the (sub-scheme) { x + y , x − y } as follows: Let κ i j = ϑ i ( x + y ) ϑ j ( x − y ) + ϑ j ( x + y ) ϑ i ( x − y ) ; The roots of P i ( X ) = X 2 − 2 κ i 0 ϑ i ( z P − z Q ) κ 00 X + κ ii ϑ i ( z P + z Q ) κ 00 are ϑ 0 ( z P + z Q ) and ϑ 0 ( z P − z Q ) ; We recover the subscheme { x + y , x − y } via the equation P α ( X ) = 0 and � �� � � � ϑ 0 ( x + y ) ϑ 0 ( x − y ) ϑ i ( x − y ) κ 0 i = ; ϑ α ( x + y ) ϑ α ( x − y ) ϑ i ( x + y ) κ α i Recovering the set { x + y , x − y } explicitly costs a square root in k .

Arithmetic of theta functions Compatible additions Coordinates compression Efficient representation Formulas Compatible additions Theorem Proof. quadratic polynomials! We work on the Kummer variety K = A / ± 1 . Let x , y , z , t be geometric points on A such that x + y = z + t and x − y ̸ = z − t . Then one can compute x + y = z + t on K . The corresponding point is just the intersection of { x + y , x − y } and { z + t , z − t } . In practice this is just a gcd computation between two

Arithmetic of theta functions Proof. once the other is computed by using Riemann relations for the three-way addition; projective multiway addition needs less input than the affine multiway The arithmetic here works only in the projective setting, that’s why the Remark Compatible additions addition. Corollary (Projective multiway addition) Projective multiway additions Formulas Efficient representation Coordinates compression Let x 0 be a point not of 2 -torsion. Then from x 1 ,..., x n ∊ K and x 0 + x 1 ,..., x 0 + x n ∊ K , one can compute x 1 + ... x n and x 0 + x 1 + ... x n . By an easy recursion, it suffices to look at the case n = 2 . In the previous theorem set x = x 1 , y = x 2 , z = x 0 + x 1 , t = − x 0 + x 2 to recover x 1 + x 2 , and x = x 1 , y = x 0 + x 2 , z = x 2 , t = x 0 + x 1 to recover x 0 + x 1 + x 2 . In the n = 2 case above, one can also recover the point x 0 + x 1 + x 2 or x 1 + x 2

Arithmetic of theta functions Compatible additions We expect to need to reconstruct a missing element in the square with probability Remark Example But actually we only need to keep track of two elements in the square. 3 A cleverer way is to use a triangle (DJB); 2 Double scalar multiplication 1 Formulas Efficient representation Coordinates compression compatible additions by bits. In a Kummer variety, how to compute α P + β Q ? (Think GLV/GLS). We assume that we are given P , Q and P + Q . A Montgomery square mP + nQ , ( m + 1 ) P + nQ , mP + ( n + 1 ) Q , ( m + 1 ) P + ( n + 1 ) Q , adding the correct element to the square depending on the current bits of ( α , β ) ; From nP + ( m + 1 ) Q , ( n + 1 ) P + mQ , one can recover nP + mQ by using a compatible addition with x = nP + ( m + 1 ) Q , y = − Q , z = ( n + 1 ) P + mQ , t = − P . 1 / 2 , but when we do that we can be clever in the two elements we keep, so the probability is actually 9 / 16 . The final cost is 2 differential additions + 7 / 16

Arithmetic of theta functions At each step we do one compatible addition to recover the element we Coordinates compression Efficient representation Formulas Multi scalar multiplication In a Kummer variety, we want to compute dimensional GLV/GLS). Compatible additions need in the hypercube, and then use it for two differential additions; The trivial way would be to use an hypercube; But as previously, we just need two elements in the hypercube, say � α i P i . (Think higher We assume that we are given the two by two sums P i + P j (actually, we just need the P 1 + P i , we can recover the others via compatible additions); � � m i P i and P 1 + m i P i ; The total cost is 2 differential additions + 1 compatible addition by bits.

Arithmetic of theta functions Compatible additions Coordinates compression Efficient representation Formulas Isogenies and affine lifts functions; f : ( x i ) i ∊ Z ( ℓ n ) �→ ( x i ) i ∊ Z ( n ) is an ℓ -isogeny between an abelian variety A given by level ℓ n theta functions and an abelian variety given by level n theta Let T i be a basis of A 1 [ ℓ n ] , the kernel of this isogeny is generated by the nT i ; One can lift f to a morphism � f on the affine lifts of the geometric points; � g Then x ∊ A ( k ) is uniquely determined by the � i = 1 α i � f ( � x + T i ) . Example ( g = 1 , ℓ = 3 , n = 4 ) 0 A = ( a 0 ,..., a 11 ) , � � T 1 = ( a 1 , a 2 ,..., a 11 , a 0 ) ; � f : (( x 0 ,..., x 11 ) �→ (( x 0 , x 3 , x 6 , x 9 )) ; � x + � f ( � T 1 ) = ( x 1 , x 4 , x 7 , x 10 ) ; � x + 2 � f ( � T 1 ) = ( x 2 , x 5 , x 8 , x 11 ) .

Arithmetic of theta functions Proposition This idea is at the heart of the explicit isogenies computations in [LR12; CR13; Remark Compatible additions Rob10]. Coordinates compression Isogenies and differential additions Formulas Efficient representation From � f ( � T i ) and � f ( � T i + � T j ), one can use differential additions and (affine) � g multi-way additions to recover all � i = 1 α i � T i ) , hence � f ( 0 A . From � x ) and � x + � f ( � f ( � T i ) , one can use differential additions and (affine) � g multi-way additions to recover all � i = 1 α i � f ( � x + T i ) , hence � x .