Computing genus 2 curves from invariants on the Hilbert moduli space - PowerPoint PPT Presentation

Computing genus 2 curves from invariants on the Hilbert moduli space Journal of Number Theory, Special Issue on Elliptic Curve Cryptography http://eprint.iacr.org/2010/294 Kristin Lauter, Microsoft Research Joint work with: Tonghai Yang, University of Wisconsin ECC 2010, October 21, 2010

Constructing genus 2 curves for cryptography C smooth, projective, irreducible genus 2 curve over F p . J ( C ) the Jacobian variety. J ( C )( F p ) can be used in cryptography as the group with a hard Discrete Log Problem (DLP) if the group has a subgroup of large prime order (roughly size p 2 ) p of size 2 128 instead of 2 256 as for elliptic curves. Advantage: Applications: key exchange, digital signatures, encryption, ...

Challenge: Generate C / F q with # J ( C )( F q ) = N , N a large prime. Strategy: Construct curves with a known order using complex multiplication (CM) techniques. 1. Given N 1 = # C ( F q ) and N 2 = # C ( F q 2 ) F p , this determines a quartic CM number field K by the characteristic polynomial of Frobenius. 2. Compute ”modular invariants” associated to the field K. 3. Reconstruct the curve from its invariants via Mestre’s algorithm.

Computing the CM field K For an ordinary genus 2 curve C over a prime field F q , let N 1 = # C ( F q ) and N 2 = # C ( F q 2 ). Then # J ( C )( F q ) = ( N 2 1 + N 2 ) / 2 − q . (1) Set s 1 := q + 1 − N 1 and s 2 := 1 s 2 1 + N 2 − 1 − q 2 � � . 2 Then the quartic polynomial satisfied by the Frobenius endomorphism of the Jacobian is f ( t ) = t 4 − s 1 t 3 + s 2 t 2 − qs 1 t + q 2 . Thus the Jacobian of the curve has endomorphism ring equal to an order in the quartic CM field K = Q [ t ] / ( f ( t )).

Genus 2 curves with CM K = quartic primitive CM field. A curve C over C has CM by O K if O K embeds in the endomorphism ring of Jac( C ). CM points on the moduli space of principally polarized abelian surfaces correspond to isomorphism classes of CM curves.

The Siegel moduli space The Siegel moduli space A 2 parameterizes abelian surfaces with principal polarization. Let Sp 2 ( Z ) be the symplectic group over Z of genus two, consisting of 4 × 4-integral matrices g satisfying gJg t = J , � � 0 I 2 J = − I 2 0 where I 2 is the identity matrix of order 2. Let H 2 = { τ = ( τ 1 τ 2 τ 2 τ 3 ) ∈ M 2 ( C ) : ℑ τ > 0 } be the Siegel upper half-plane of genus two, and let X 2 = Sp 2 ( Z ) \ H 2 be the open Siegel modular 3-fold.

The Siegel moduli space Here Sp 2 ( R ) acts on H 2 via � A B τ = ( A τ + B )( C τ + D ) − 1 . � C D We can give explicit representatives for all the CM points on A 2 ( C ): { τ : C 2 / � I 2 τ � has CM by O K } / Sp 4 ( Z )

Absolute Igusa invariants Igusa gave 3 Siegel modular functions h 1 , h 2 , h 3 , the absolute Igusa invariants. h 1 = 2 · 3 5 χ 5 12 , χ 6 10 h 2 = 3 3 ψ 4 χ 3 12 , χ 4 2 3 10 2 5 ( ψ 6 χ 2 + 2 2 · 3 ψ 4 χ 3 h 3 = 3 12 12 ) . χ 3 χ 4 10 10

Igusa class polynomials Definition The Igusa class polynomials � H i ( x ) = ( x − h i ( τ )) , i = 1 , 2 , 3 . { τ : C 2 / � I 2 τ � has CM by O K } Sp4( Z )

The Hilbert modular surface √ F = Q ( D ) be a real quadratic field with prime discriminant D ≡ 1 mod 4 √ √ σ ( a + b D ) = a − b D is the non-trivial Galois conjugate of F over Q . ǫ > 0 is a unit such that σ ( ǫ ) ǫ = − 1. Let X = SL 2 ( O F ) \ H 2 be the open Hilbert modular surface.

For z = ( z 1 , z 2 ) and a ∈ F , we denote z ∗ = diag( z 1 , z 2 ), and a ∗ = diag( a , σ ( a )). We also denote � a ∗ b ∗ � a b γ ∗ = � � , for γ = ∈ SL 2 ( F ) . c ∗ d ∗ c d Choose a Z -basis { e 1 , e 2 } for O F : O F = Z e 1 + Z e 2 , (2) and define e 1 e 2 � � R = . (3) σ ( e 1 ) σ ( e 2 )

Map between Hilbert and Siegel We define the maps φ ( z ) = R t diag( ǫ z 1 , σ ( ǫ φ : H 2 → H 2 , √ √ ) z 2 ) R , (4) D D and φ ( γ ) = S γ ∗ S − 1 , φ : SL 2 ( F ) → Sp 2 ( Q ) , (5) √ D S = diag( R t , R − 1 )diag( I 2 , ( ǫ ) ∗ ) .

√ F = Q ( 5) √ √ 5), and let ǫ = 1+ 5 Assume F = Q ( . Let 2 φ : SL 2 ( O F ) \ H 2 → Sp 2 ( Z ) \ H 2 , ǫ 5 z 1 − σ ( ǫ ) z 2 − z 1 � � 0 � � � ǫ � √ 5 z 1 √ √ 5 z 2 √ � � 1 1 1 σ ( ǫ ) 5 φ ( z ) = = σ ( ǫ ) ǫ − σ ( ǫ ) z 2 − z 1 − σ ( ǫ ) 0 5 z 2 1 ǫ 5 z 1 + ǫ √ √ √ √ 5 z 2 5 be the map defined above, and let e ( z ) := e 2 π iz and √ √ q 1 = e ( ǫ z 1 − σ ( ǫ ) z 2 ) = e (1 + 5 z 1 − 1 − 5 q 2 = e ( z 2 − z 1 √ √ √ √ z 2 ) , √ ) . 5 5 2 5 2 5 5

Then for a holomorphic Siegel modular form f of weight k for Sp 2 ( Z ), g = φ ∗ f is a symmetric holomorphic Hilbert modular form for SL 2 ( O F ) with the Fourier expansion: � a g ( t ) q a 1 q b g ( z ) = a f (0) + 2 , √ t = a + b 1 − 5 ∈O + 2 F with

Pullback �� �� 1 m 1 2 m � a g ( t ) = a f . 1 2 m m 2 condition ( ∗ ) Condition (*):    m 1 , m 2 ∈ Z + ,  m ∈ Z ,         m 2 < 4 m 1 m 2 ,   (6)    m 1 + m 2 = a ,          m + m 2 = b 

Hilbert Eisenstein series √ √ 5) ǫ = 1+ 5 F = Q ( . 2 The Eisenstein series of even weight k ≥ 2: � b k ( t ) q a 1 q b G k ( z ) = 1 + 2 , (7) √ t = a + b 1 − 5 ∈O + 2 F where � ( µ ) k − 1 . b k ( t ) = κ k (8) ( µ ) ⊃ ( t ) (2 π ) 2 k √ 5 κ k = ( k − 1)! 2 5 k ζ F ( k )

Coefficients for the Hilbert Eisenstein series √ √ 0 < a ≤ 3 , 1 − 5 a < b < 1 + 5 a 2 2 G k ( z ) = 1 + κ k (1 + q 2 ) q 1 + q − 1 + (1 + 4 k − 1 ) + (1 + 5 k − 1 ) q 2 + (1 + 4 k − 1 ) q 2 2 + q 3 q 2 � � κ k 1 + 2 2 κ k [(1 + 5 k − 1 ) q − 1 + (1 + 9 k − 1 ) + (1 + 11 k − 1 ) q 2 + (1 + 11 k − 1 ) q 2 2 2 +(1 + 9 k − 1 ) q 3 2 + (1 + 5 k − 1 ) q 4 2 ] q 3 1 .

Theta series 2 5 3 3 5 2 ( G 6 − G 3 67 Let θ 6 = − 2 ), θ 10 = 2 G 6 +2 2 · 3 · 7 · 4231 G 5 2 − 10 3 − 5 5 − 5 7 − 1 (412751 G 10 − 5 · 67 · 2293 G 2 2 ), θ 12 = 2 − 2 ( θ 2 6 − G 2 θ 10 )

Gundlach invariants Theorem (Gundlach) (1) The ring of symmetric holomorphic Hilbert modular forms for SL 2 ( O F ) is a polynomial ring of G 2 , G 6 , and θ 10 . (2) The field of symmetric meromorphic Hilbert modular functions for SL 2 ( O F ) are rational functions of J 2 = G 5 J 1 = θ 6 2 a nd . G 3 θ 10 2 We call J 1 and J 2 the Gundlach invariants .

Alternative choices for Gundlach invariants Use the invariants J 1 and J 3 , where = θ 6 G 2 2 + θ 10 J 3 = J 1 + J − 1 . 2 G 5 2 This choice has the advantage that both invariants are rather small. Another possible choice is to use invariants J 2 and J 4 where J 4 = J 1 J 2 = θ 6 G 2 2 . θ 10 This choice has the advantage that both invariants have denominator θ 10 .

Pullback of Igusa invariants to Gundlach invariants Proposition φ ∗ h 1 = 8 J 2 (3 J 2 1 J 2 − 2) 5 , φ ∗ h 2 = 1 2 J 2 (3 J 2 1 J 2 − 2) 3 , 1 J 2 + 2 5 · 3 2 J 1 − 3) . φ ∗ h 3 = 2 − 3 J 2 (3 J 2 1 J 2 − 2) 2 (4 J 2

Algorithm for computing Gundlach invariants Input: K a primitive quartic CM field, p a prime which splits completely into principal ideals in K ∗ , the reflex of K , and S a collection of 2 or 4 possible group orders for Jacobians of genus 2 curves over F p with CM by K . Output: Gundlach invariants modulo p for genus 2 curves with CM by K and equations for curves C over F p with # J ( C ) ∈ S . √ 1. Find ∆ ∈ O F such that ∆ is totally negative, K = F ( ∆) √ b 0 + ∆ O K = O F + O F . 2 √ � 2. Let M = Q ( ∆ , σ (∆)) be the Galois closure of K over Q . √ � Im ( ∆) > 0 , Im ( σ (∆)) > 0 .

Algorithm... 3. Find the class number h K and the ideals generating the class group of K . 4. Write ideal a of K in the form √ √ a = [ a , b + ∆ b + ∆ ] = O F a + O F 2 2 such that a is totally positive with a O F = K / F a , and that √ z = b + ∆ . 2 a z ([ a ] , Φ) = Φ( z ) = ( z , σ z ) ∈ H 2 is the CM point in X = SL 2 ( O F ) \ H 2 associated to the ideal class z ([ a ] , Φ ′ ) = ( ǫ z , σ ′ ( ǫ z )) ∈ H 2 is the CM point of CM type Φ ′ associated to a .

Algorithm 5. Compute J i ( z ([ a ] , Φ)) and J i ( z ([ a ] , Φ ′ )). Form the minimal polynomials P 1 ( X ) and P 2 ( X ). Reduce modulo a prime p not dividing the denominators and find roots (mod p ). 6. Compute φ ∗ h i (mod p ) via the pull-back formulas. Apply Mestre’s algorithm to pairs of roots from step 5 to construct a genus 2 curve over the finite field F p .

Why is this better than using Igusa invariants? CM points are easier to write down. Two variables instead of three (fewer exponentials to evaluate, fewer multiplications) Smaller height. Two invariants instead of three. Good control over precision needed.

Comparison with others’ work Three methods for computing Igusa class polynomials: 1 Complex analytic method: Spallek, van Wamelen, Weng, Cohn-L, Dupont, Streng 2 CRT Chinese Remainder Theorem: Eisentraeger-L., Freeman, Broker, Gruenewald, Robert 3 p-adic method: Gaudry, Houtmann, Kohel, Ritzenthaler, Weng, Carls, Lubicz

Joint work with Michael Naehrig Examples database Improvements to the algorithm Understanding the factorization of coefficients of class polynomials