
Class polynomials by Chinese remaindering (Andreas Enge, LFANT) - PowerPoint PPT Presentation

  1. Class polynomials by Chinese remaindering
     Andreas Enge, LFANT project-team, INRIA Bordeaux–Sud-Ouest
     andreas.enge@inria.fr, http://www.math.u-bordeaux1.fr/~enge
     ECC, 22/10/2010
     Slide footer: Andreas Enge (INRIA Bordeaux), CM by CRT, ECC 2010

  2. Outline
     1 Complex multiplication in a nutshell
     2 Complex numbers, complexity and class invariants
       ◮ Complex algorithm and its complexity
       ◮ Class invariants, the complex case
       ◮ Class invariants and ramification
     3 Chinese remaindering
       ◮ Class polynomials by CRT
       ◮ Impossibility of class invariants by CRT
       ◮ Unique roots
       ◮ Trace trick
       ◮ Fricke involution
     4 Timings

  3.–5. Cardinality of elliptic curves (built up over three slides)
     Goal: construct $E/\mathbb{F}_p$ with $N$ points.
     Applications: ◮ ECC ◮ primality proving ◮ pairing-based crypto
     Deuring 1941
     ◮ $\mathrm{End}(E/\mathbb{C})$ is either $\mathbb{Z}$ (boring) or an imaginary-quadratic order $\mathcal{O}_D = \mathbb{Z}\left[\frac{D+\sqrt{D}}{2}\right]$ with $D<0$ (CM curve)
     ◮ $E/\mathbb{F}_p$ is the reduction mod $p$ of a CM curve over $\Omega_D \subseteq \mathbb{C}$
     ◮ $N = p+1-t$, $t = \pi + \bar{\pi}$ with Frobenius $\pi = \frac{t+v\sqrt{D}}{2} \in \mathcal{O}_D$
     CM algorithm (sketch)
     ◮ Fix $D$ and $p$ such that $4p = t^2 - v^2 D$, $N = p+1-t$ convenient
     ◮ Compute $j(E)$, where $E/\Omega_D$ has CM by $\mathcal{O}_D$
     ◮ $j_1 = j(E) \bmod p$
     ◮ $c = \frac{j_1}{1728 - j_1}$, $a = 3c$, $b = 2c$, $E: Y^2 = X^3 + aX + b$

  6. Complex multiplication over the complex numbers
     What are the curves $/\mathbb{C}$ with CM by $\mathcal{O}_D$?
     Modular functions $\mathbb{C}_\Gamma$
     ◮ $f : \mathcal{H} \to \mathbb{C}$ (upper half-plane) with $f\!\left(\frac{az+b}{cz+d}\right) = f(z)$ for $\begin{pmatrix} a & b \\ c & d \end{pmatrix} \in \Gamma = \mathrm{Sl}_2(\mathbb{Z})$
     ◮ $f$ meromorphic, in particular "at $\infty$": $q = e^{2\pi i z}$, $f(z) = \sum_{\nu=\nu_0}^{\infty} c_\nu q^\nu$
     ◮ $\mathbb{C}_\Gamma = \mathbb{C}(j)$, where $j(z) = q^{-1} + 744 + 196884\,q + 21493760\,q^2 + \cdots$
     Answer
     ◮ $\mathfrak{a} = (\alpha_1, \alpha_2)$ ideal of $\mathcal{O}_D$ with basis quotient $\tau = \alpha_2/\alpha_1$
     ◮ $j(\mathfrak{a}) := j(\tau)$
       ⋆ depends only on $\mathfrak{a}$, not on the basis
       ⋆ depends only on the class of $\mathfrak{a}$ modulo principal ideals
     The curve with $j$-invariant $j(\mathfrak{a})$ has CM by $\mathcal{O}_D$; there are $h_D = |\mathrm{Cl}(\mathcal{O}_D)|$ of them.

  7. First main theorem of complex multiplication
     Tower of fields: $\Omega_D \supseteq K = \mathbb{Q}(\sqrt{D}) \supseteq \mathbb{Q}$
     ◮ $\Omega_D$ = ring class field of $\mathcal{O}_D$
     ◮ $\sigma : \mathrm{Cl}(\mathcal{O}_D) \xrightarrow{\ \simeq\ } \mathrm{Gal}(\Omega_D / K)$
     ◮ $\Omega_D = K(j(\mathfrak{a}))$
     ◮ $j(\mathfrak{a})^{\sigma(\mathfrak{b})} = j(\mathfrak{a}\mathfrak{b}^{-1})$


  9.–10. Algorithm (built up over two slides)
     ◮ Fix $D$ and $p$ such that $4p = t^2 - v^2 D$, $N = p+1-t$ convenient
     ◮ Enumerate the $h_D$ ideal classes of $\mathcal{O}_D$: $\left(A_i, \frac{-B_i + \sqrt{D}}{2}\right)$
     ◮ Compute over $\mathbb{C}$ the class polynomial (Weber 1908)
       $H_D(x) = \prod_{i=1}^{h_D} \left( x - j\!\left(\frac{-B_i + \sqrt{D}}{2A_i}\right) \right) \in \mathbb{Z}[x]$
     ◮ Find a root $j_1$ of $H_D \bmod p$
     ◮ $c = \frac{j_1}{1728 - j_1}$, $a = 3c$, $b = 2c$, $E: Y^2 = X^3 + aX + b$
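The finite-field half of this algorithm, as an added example that is not the talk's code: $H_D$ for a few small $|D|$ is taken from standard tables (constructed inline), $(t, v)$ are supplied by hand, and root finding and point counting are exhaustive, which is only meant for the small $p$ used here (a real implementation uses Cantor–Zassenhaus and trusts the CM point count). The names cm_curve, cm_prime, curve_from_j and count_points are this example's own. It also handles the step the sketch leaves implicit: a root $j_1$ fixes the curve only up to quadratic twist, so the cardinality is checked and the twist is taken when the reduction has trace $-t$.

```python
"""Added example: build E/F_p with N = p + 1 - t points from a root of H_D mod p."""

# Hilbert class polynomials H_D(x), leading coefficient first (standard tables).
HILBERT = {
    -7:  [1, 3375],                  # j = -3375 = (-15)^3, h_D = 1
    -8:  [1, -8000],                 # j = 8000 = 20^3
    -11: [1, 32768],                 # j = -32768 = (-32)^3
    -15: [1, 191025, -121287375],    # h_D = 2
    -20: [1, -1264000, -681472000],  # h_D = 2
}

def legendre(a, p):
    """Legendre symbol (a/p) as -1, 0 or 1 for an odd prime p."""
    l = pow(a % p, (p - 1) // 2, p)
    return -1 if l == p - 1 else l

def cm_prime(D, t, v):
    """p = (t^2 - v^2 D)/4 if it is an odd prime (trial division, small p), else None."""
    n4 = t * t - v * v * D
    if n4 % 4:
        return None
    p = n4 // 4
    if p < 3 or any(p % q == 0 for q in range(2, int(p ** 0.5) + 1)):
        return None
    return p

def poly_roots_mod_p(coeffs, p):
    """All roots in F_p of an integer polynomial, by exhaustive search (small p)."""
    def ev(x):
        acc = 0
        for c in coeffs:               # Horner, leading coefficient first
            acc = (acc * x + c) % p
        return acc
    return [x for x in range(p) if ev(x) == 0]

def curve_from_j(j1, p):
    """a, b of Y^2 = X^3 + aX + b with j-invariant j1 (j1 not 0 or 1728):
    c = j1 / (1728 - j1), a = 3c, b = 2c, as on the slide."""
    c = j1 * pow((1728 - j1) % p, -1, p) % p
    return 3 * c % p, 2 * c % p

def count_points(a, b, p):
    """#E(F_p) = p + 1 + sum_x (x^3 + ax + b / p), exhaustive (small p)."""
    return p + 1 + sum(legendre(x ** 3 + a * x + b, p) for x in range(p))

def cm_curve(D, t, v):
    """Return (p, N, (a, b)) with #E(F_p) = N = p + 1 - t for E: Y^2 = X^3 + aX + b."""
    p = cm_prime(D, t, v)
    if p is None:
        raise ValueError("(t^2 - v^2 D) / 4 is not an odd prime")
    N = p + 1 - t
    roots = [r for r in poly_roots_mod_p(HILBERT[D], p) if r not in (0, 1728 % p)]
    if not roots:
        raise ValueError("no usable root of H_D mod p (p too small or p | D)")
    a, b = curve_from_j(roots[0], p)
    if count_points(a, b, p) != N:
        # j1 only fixes the curve up to twist; this one has trace -t.  Its quadratic
        # twist by a non-residue d (same j-invariant) has 2p + 2 - #E = N points.
        d = next(x for x in range(2, p) if legendre(x, p) == -1)
        a, b = a * d * d % p, b * d ** 3 % p
    assert count_points(a, b, p) == N
    return p, N, (a, b)

if __name__ == "__main__":
    print(cm_curve(-7, 4, 2))    # 4*11 = 4^2 + 2^2*7: p = 11, N = 8
    print(cm_curve(-15, 4, 2))   # 4*19 = 4^2 + 2^2*15: p = 19, N = 16
```

For $D = -7$, $t = 4$, $v = 2$ the root of $x + 3375$ modulo 11 is $j_1 = 2$, the first curve $Y^2 = X^3 + 5X + 7$ has 16 points (trace $-4$), and the twist $Y^2 = X^3 + 9X + 1$ has the required 8.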

  11. Complexity
     Size of $H_D$
     ◮ Degree $h \in \tilde{O}\left(\sqrt{|D|}\right)$ (GRH, Littlewood 1928)
     ◮ Coefficients with $\tilde{O}\left(\sqrt{|D|}\right)$ digits (Schoof 1991, E. 2009)
     ◮ Total size $\tilde{O}(|D|)$
     Evaluation of $j$: $\tilde{O}\left(\sqrt{|D|}\right)$
     ◮ Multievaluation of the "polynomial" $j$ (E. 2009)
     ◮ Arithmetic-geometric mean (Dupont 2006)
     Total complexity (E. 2009): $\tilde{O}(|D|)$, quasi-linear in the output size! http://cm.multiprecision.org/
     Couveignes–Henocq 2002, Bröker–Stevenhagen 2004: canonical $p$-adic lift in quasi-linear time


  13.–16. Class invariants (built up over four slides)
     Modular functions $\mathbb{C}_{\Gamma^0(N)}$
     ◮ invariant under matrices $\begin{pmatrix} a & b \\ c & d \end{pmatrix}$ with $N \mid b$
     Class invariants (Weber 1908)
     ◮ $f(\tau) \in \Omega_D$
     ◮ Schertz 2002: all primes dividing $N$ split in $K = \mathbb{Q}(\sqrt{D})$ "$\Rightarrow$" class invariant
     Modular polynomial $\Psi_f(X, Y) \in \mathbb{Z}[X, Y]$ s.t. $\Psi_f(f, j) = 0$
     Algorithm
     ◮ Compute over $\mathbb{C}$ the class polynomial
       $H_D^f(x) = \prod_{i=1}^{h_D} \left( x - f\!\left(\frac{-B_i + \sqrt{D}}{2A_i}\right) \right) \in \mathbb{Z}[x]$
       (for $f = j$ this is $H_D$ and the next two steps collapse to finding a root $j_1$ of $H_D \bmod p$)
     ◮ Find root $f_1$ of $H_D^f \bmod p$
     ◮ Find root $j_1$ of $\Psi_f(f_1, Y) \bmod p$
     ◮ Write down curve mod $p$ with $j$-invariant $j_1$
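An added example (not from the talk) of the complex half of the method for $f = j$ (slide 10) and for Weber's $\gamma_2 = \sqrt[3]{j}$ (this slide and the next), whose modular polynomial is $\Psi_{\gamma_2}(X, Y) = X^3 - Y$, so $c(\gamma_2) = 3$: reduced forms $(A_i, B_i, C_i)$ stand in for the ideal classes, $j$ and $\gamma_2$ are evaluated at $\tau_i = \frac{-B_i + \sqrt{D}}{2A_i}$ by $q$-expansion in double precision (enough for the $|D| \le 24$ used here), the product is rounded to $\mathbb{Z}[x]$, and a root $f_1$ of $H_D^{\gamma_2} \bmod p$ is lifted to $j_1 = f_1^3$. The basis dependence of the next slide shows up as the normalisation $B_i \equiv 0 \pmod 3$ that $\gamma_2$ needs; the function names, the exhaustive root search and the restriction to forms with $3 \nmid A_i$ are this example's own assumptions.

```python
"""Added example: H_D and H_D^{gamma_2} over C, then the Psi_{gamma_2} lift mod p."""
import cmath
import math

def reduced_forms(D):
    """Reduced primitive forms (A, B, C) with B^2 - 4AC = D < 0: one per class of
    Cl(O_D).  Reduced: |B| <= A <= C, and B >= 0 when |B| = A or A = C."""
    forms = []
    A = 1
    while 3 * A * A <= -D:                 # |D| = 4AC - B^2 >= 3A^2
        for B in range(-A + 1, A + 1):     # B = -A is never reduced
            if (B * B - D) % (4 * A):
                continue
            C = (B * B - D) // (4 * A)
            if C < A or (B < 0 and A == C):
                continue
            if math.gcd(math.gcd(A, abs(B)), C) != 1:
                continue
            forms.append((A, B, C))
        A += 1
    return forms

def modular_values(tau, terms=60):
    """(j(tau), gamma_2(tau)) from q-expansions, q = exp(2 pi i tau):
    E_4 = 1 + 240 sum sigma_3(n) q^n, Delta = q prod (1 - q^n)^24,
    j = E_4^3 / Delta, gamma_2 = E_4 / eta^8 = q^(-1/3) E_4 / prod (1 - q^n)^8."""
    q = cmath.exp(2j * cmath.pi * tau)
    sigma3 = lambda n: sum(d ** 3 for d in range(1, n + 1) if n % d == 0)
    E4 = 1 + 240 * sum(sigma3(n) * q ** n for n in range(1, terms))
    prod = 1
    for n in range(1, terms):
        prod *= 1 - q ** n
    j = E4 ** 3 / (q * prod ** 24)
    # q^(-1/3) taken as exp(-2 pi i tau / 3): the branch that is real on the imaginary axis
    gamma2 = cmath.exp(-2j * cmath.pi * tau / 3) * E4 / prod ** 8
    return j, gamma2

def class_poly(D, invariant="j"):
    """Integer coefficients, leading first, of H_D (invariant 'j') or of
    H_D^{gamma_2} (invariant 'gamma2'), computed over C and rounded."""
    roots = []
    for A, B, C in reduced_forms(D):
        if invariant == "gamma2":
            # gamma_2(tau) depends on the basis: the conjugates come out with
            # B = 0 (mod 3), reachable by B -> B + 2A only if 3 does not divide A.
            # Assumption of this example: 3 divides neither D nor any reduced A.
            if D % 3 == 0 or A % 3 == 0:
                raise ValueError("gamma_2 example needs 3 dividing neither D nor A")
            while B % 3:
                B += 2 * A                 # (A, B + 2A, C') is an equivalent form
        tau = (-B + cmath.sqrt(D)) / (2 * A)
        j, g2 = modular_values(tau)
        roots.append(j if invariant == "j" else g2)
    poly = [1]
    for r in roots:                        # poly *= (x - r)
        poly = [hi - r * lo for hi, lo in zip(poly + [0], [0] + poly)]
    out = []
    for c in poly:
        n = round(c.real)
        assert abs(c - n) < 1e-8 * max(1.0, abs(n)), "insufficient precision"
        out.append(n)
    return out

def roots_mod_p(coeffs, p):
    """Roots in F_p of an integer polynomial, exhaustive (small p only)."""
    def ev(x):
        acc = 0
        for c in coeffs:
            acc = (acc * x + c) % p
        return acc
    return [x for x in range(p) if ev(x) == 0]

def j_invariants_via_gamma2(D, p):
    """Roots f_1 of H_D^{gamma_2} mod p, lifted through Psi_{gamma_2}(f_1, Y) = f_1^3 - Y."""
    return sorted(pow(f1, 3, p) for f1 in roots_mod_p(class_poly(D, "gamma2"), p))

if __name__ == "__main__":
    print(class_poly(-20))                 # [1, -1264000, -681472000]
    print(class_poly(-20, "gamma2"))       # [1, -100, -880]: about a third of the digits
    print(j_invariants_via_gamma2(-20, 29), roots_mod_p(class_poly(-20), 29))
```

For $D = -20$ the two polynomials are $x^2 - 1264000x - 681472000$ and $x^2 - 100x - 880$; modulo $p = 29$ (with $4 \cdot 29 = 6^2 + 2^2 \cdot 20$) the roots $17, 25$ of $H_{-20}^{\gamma_2}$ cube to the roots $12, 23$ of $H_{-20}$, which is the degree-3-in-$X$, degree-1-in-$Y$ lift at work.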

  17. Class invariants
     Problem: $f(\mathfrak{a})$ depends on the choice of basis!
     ◮ Shimura reciprocity
     ◮ $N$-systems (Schertz 2002)
     Advantage: gain of a constant height factor $c(f) = \dfrac{\deg_X \Psi_f}{\deg_Y \Psi_f}$
     Popular class invariants (function; $c(f)$; bound; reference)
     ◮ $\gamma_2 = \sqrt[3]{j}$; $3$; Weber 1908
     ◮ $\mathfrak{f}^e \approx \left(\frac{\eta(z/2)}{\eta(z)}\right)^e$; $\frac{72}{e}$; $\le 72$; Weber 1908
     ◮ $w_p^e = \left(\frac{\eta(z/p)}{\eta(z)}\right)^e$; $\frac{24(p+1)}{e(p-1)}$; $\le 48$; E.–Morain 2009
     ◮ $w_{p_1,p_2}^e = \left(\frac{\eta(z/p_1)\,\eta(z/p_2)}{\eta(z/(p_1 p_2))\,\eta(z)}\right)^e$; $\frac{12(p_1+1)(p_2+1)}{e(p_1-1)(p_2-1)}$; $\le 37$; E.–Schertz 2004
     ◮ $w_{p_1,\dots,p_k}^e = \cdots$; $\frac{48(p_1+1)\cdots(p_k+1)}{2^k e\,(p_1-1)\cdots(p_k-1)}$; E.–Schertz 2010
     ◮ $A_p$, optimal on $X_0^+(p)$; $\frac{p+1}{\deg_Y \Psi_{A_p}}$; Morain 2009

  18. Class invariants
     Sutherland (?)
     ◮ $w_{2,5}^6$: 9
     ◮ $w_{2,5}$: 54
     Morain 2009, E.–Sutherland 2010, Elkies 2010
     ◮ $A_{71}$: 36
     ◮ $A_p$ with $p \equiv 11 \pmod{60}$: $30\,\frac{p+1}{p-11} \to 30$
     ◮ $A_p$ with $p \equiv -1 \pmod{60}$: 30
     E.–Schertz 2010
     ◮ $w_{2,3,13}$: 42
     ◮ $w_{2,3,p}$ with $p \equiv 1 \pmod{12}$: $36\,\frac{p+1}{p-1} \to 36$
     ◮ $w_{2,3,5}^3$: 18
     ◮ $w_{2,3,5}$ (??): 54
     ◮ $w_{2,3,7}^2$: 24
     ◮ $w_{2,3,7}$ (??): 48
     Corollary: for every $D$, there is an invariant $f$ with $c(f) \geq 30$.

  19. Size does matter
     [Figure: the size of $H_D$ set against the visible universe]
