Elliptic curves with complex multiplication: history and computations
F. Morain, Laboratoire d'Informatique de l'École polytechnique, CNRS
ECC2010 – Redmond (WA), October 18, 2010
Corrected and improved after the talk (2010/10/26 version)

Contents
I. History.
II. A review of classical theory.
III. Using CM.
IV. Modular curves and class invariants.

I. History

Gauß, Abel, Eisenstein, Kronecker, Klein, Weber, Watson, Fueter, Takagi, Hasse, Deuring, Weil, Shimura, etc.
See "Kronecker's Jugendtraum and modular functions" by S. G. Vlăduţ.

A new era

Schoof (1985):
- gives the first polynomial time deterministic algorithm for computing #E(F_q), using O((log p)^8) bit operations;
- for marketing reasons, he applies it to a known case, thereby obtaining the striking result that sqrt(-1) mod p can be computed in the same time;
- the same article contains this marvelous algorithm and everything you need to understand CM theory!

A new era (cont'd)

The same year:
- H. W. Lenstra, Jr. invents ECM (soon implemented with great successes);
- Bosma introduces elliptic Mersenne primes (for Z[i], Z[ρ]);
- Chudnovsky & Chudnovsky write an IBM report investigating many aspects of elliptic curves over finite fields.

1986:
- Primality proving: two independent threads
  - Atkin proposes to use CM curves to get a usable primality proving algorithm, tried with success on Cunningham prp's not proven by Cohen/Lenstra.
  - Goldwasser & Kilian are close to proving that "isPrime?" is in RP (this is eventually done by Adleman & Huang using hyperelliptic curves).
- Miller, Koblitz invent (independently) elliptic curve cryptography.

A fundamental dichotomy

If you want to do ECC, then you need a curve...!

Two choices:
- look for a random curve E/F_p and compute its cardinality (or other properties) using Schoof's algorithm (and its improvements); rather slow.
- build E as the reduction of some CM curve defined over some K_D; faster. You get #E, but do these CM properties endanger the corresponding cryptosystems?

II. A review of the classical theory

Notations: D = m^2 D_K where D_K is the discriminant of an imaginary quadratic field K; D is the discriminant of the order O = [1, mω] where Z_K = [1, ω]; h(O) = #Cl(O).

Ex. D = 1^2 · (-4) = -4, K = Q(i), Z_K = [1, i], h = 1, Cl = {(1, 0, 1)}.

Thm. 4p = U^2 - DV^2 iff p splits in the ring class field K_D (m = 1 corresponds to the Hilbert class field of K).

Fundamental Thm. K_D = K(j(mω)) where j is the modular invariant
  j(z) = 1/x + 744 + Σ_{n>0} c_n x^n, with x = exp(2iπz).

References: LNM 21, Serre, Cox, Cohn.

Algebraic theory

Write a = [α_1, α_2] and α = α_1/α_2; define j(a) = j(α).

Thm. K_D/K is Galois, with group ≅ Cl(O), and therefore [K_D : K] = h(O). Moreover j(a)^{σ(i)} = j(i^{-1} a).

Thm. H_D(X) = Π_{i ∈ Cl(O)} (X - j(i)) ∈ Z[X].

Thm. 4p = U^2 - DV^2 iff (D/p) = +1 and H_D(X) has h(O) roots modulo p.

Ex. 4p = U^2 + 4V^2 if and only if p = 2 or p ≡ 1 mod 4.
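The last theorem can be checked on small primes by brute force. The following Python script is an added example (not part of the talk): it takes the two class polynomials quoted in the talk, H_{-23} (h = 3) and H_{-75} (h = 2), counts their roots modulo each odd prime p not dividing D, decides 4p = U^2 - DV^2 by exhaustive search over V, and confirms the equivalence, together with the fact that for a split prime H_D mod p either has all h roots or none. Function names are mine.

```python
from math import isqrt

# Class polynomials quoted in the talk (coefficients high to low).
H_MINUS_23 = [1, 3491750, -5151296875, 12771880859375]   # D = -23, h(O) = 3
H_MINUS_75 = [1, 654403829760, 5209253090426880]         # D = -3 * 5^2, h(O) = 2

def is_prime(n):
    """Trial division, enough for the small primes used here."""
    return n > 1 and all(n % q for q in range(2, isqrt(n) + 1))

def count_roots(coeffs, p):
    """Number of x in F_p with H(x) ≡ 0 (mod p), by Horner evaluation at every x."""
    total = 0
    for x in range(p):
        v = 0
        for c in coeffs:
            v = (v * x + c) % p
        total += (v == 0)
    return total

def represented(D, p):
    """Is 4p = U^2 - D V^2 solvable in integers (D < 0)? Brute force over V."""
    V = 0
    while -D * V * V <= 4 * p:
        U2 = 4 * p + D * V * V
        if isqrt(U2) ** 2 == U2:
            return True
        V += 1
    return False

def splits(D, p):
    """(D/p) = +1 for an odd prime p not dividing D, by Euler's criterion."""
    return pow(D % p, (p - 1) // 2, p) == 1

def check_theorem(D, h, coeffs, limit):
    """For odd primes p < limit with p not dividing D, test
         4p = U^2 - D V^2  <=>  (D/p) = +1 and H_D has h roots mod p,
    and that for split p the root count is 0 or h (H_D mod p splits completely or not at all).
    Returns the list of represented primes, or None if some p violates the statement."""
    reps = []
    for p in range(3, limit):
        if not is_prime(p) or D % p == 0:
            continue
        split, roots, rep = splits(D, p), count_roots(coeffs, p), represented(D, p)
        if rep != (split and roots == h) or (split and roots not in (0, h)):
            return None
        if rep:
            reps.append(p)
    return reps
```

For D = -23 the represented primes below 200 start 59 (4·59 = 12^2 + 23·2^2) and 101, while 13, 29, 31 and 41 split in Q(√-23) but have no representation and H_{-23} has no root modulo them; for D = -75, 19 and 31 are represented and 7, 13, 37 are split but not.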

"Computing" K_D

Computation of H_D(X): write each class of Cl(O) as i = [α_1, α_2] and evaluate j(α_1/α_2) as a multiprecision number.

Ex. H_{-3}(X) = X, H_{-4}(X) = X - 1728;
H_{-23}(X) = X^3 + 3491750 X^2 - 5151296875 X + 12771880859375;
H_{-3·5^2}(X) = X^2 + 654403829760 X + 5209253090426880.

⇒ p = x^2 + y^2 iff (-4/p) = +1;
4p = x^2 + 3·5^2 y^2 iff (-75/p) = +1 and H_{-3·5^2}(X) factors modulo p. More on this later!

Elliptic curves with CM

Def. E/C has complex multiplication iff its ring of endomorphisms is greater than Z (all [n] belong to End(E)).
Thm. E/C has CM iff End(E) ≅ O, an order in some imaginary quadratic field K.
Ex. E : Y^2 = X^3 + X has CM by Z[i].
Thm. E/C has CM iff j(E) is a root of H_D(X) for some D.

Elliptic curves over finite fields

Thm. E/F_p always has CM (due to the Frobenius (X, Y) ↦ (X^p, Y^p)).
Thm. (Hasse) #E(F_p) = p + 1 - t, |t| ≤ 2√p.
Thm. (Deuring) given |t|, there exists E/F_p s.t. #E = p + 1 - t, obtainable as the reduction of E/K_D modulo a factor of (p) in K_D, where D = t^2 - 4p = m^2 D_K.
But:
- no general formula for #E except in some special cases (small CM, E obtained by reduction);
- no efficient way of finding E given t except in some special cases (CM again).
Rem. (Partially) generalizable to q = p^n.

III. Using CM

A) A tribute to the pioneer

Thm. (Schoof) sqrt(-1) mod p can be computed in deterministic polynomial time O((log p)^8) (resp. Õ((log p)^5)).
Proof: compute the cardinality of E : Y^2 = X^3 + X, which we know is p + 1 - 2u where p = u^2 + v^2. Deduce v and -1 ≡ (u/v)^2 mod p. □
Claim: we can improve this to O((log p)^6) or Õ((log p)^4).
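Schoof's proof above, run on small primes as an added Python example (not from the talk): count_points counts #E(F_p) for Y^2 = X^3 + X by exhaustive search, which stands in for Schoof's algorithm here (the polynomial running time is the point of the theorem, not of this script); sqrt_minus_one_via_cm then reads u off t = 2u, solves p = u^2 + v^2 for v, and returns u/v mod p. For p = 241 the result is 64 or 177, the root of T^2 + 1 that appears in the talk's example later on. Function names are mine.

```python
from math import isqrt

def count_points(p):
    """#E(F_p) for E: Y^2 = X^3 + X by exhaustive search (exponential; a stand-in for Schoof)."""
    total = 1                                   # the point at infinity
    for x in range(p):
        rhs = (x * x * x + x) % p
        if rhs == 0:
            total += 1                          # one point with Y = 0
        elif pow(rhs, (p - 1) // 2, p) == 1:    # Euler's criterion: rhs is a square
            total += 2
    return total

def sqrt_minus_one_via_cm(p):
    """Schoof's trick: from #E = p + 1 - 2u and p = u^2 + v^2 deduce (u/v)^2 ≡ -1 (mod p).
    p must be a prime ≡ 1 (mod 4) (assumption of the example)."""
    if p % 4 != 1:
        raise ValueError("-1 is a square mod p only for p ≡ 1 (mod 4)")
    n = count_points(p)
    t = p + 1 - n
    assert abs(t) <= 2 * isqrt(p) + 1           # Hasse bound |t| <= 2 sqrt(p)
    assert t % 2 == 0                           # X^3 + X splits over F_p, so 4 | #E and t is even
    u = t // 2
    v = isqrt(p - u * u)
    assert v > 0 and v * v == p - u * u         # p = u^2 + v^2 (v is determined by u)
    r = u * pow(v, -1, p) % p
    assert r * r % p == p - 1
    return r
```

For p = 13 one finds #E = 20, so t = -6, u = -3, v = 2 and sqrt(-1) ≡ -3/2 ≡ 5 (mod 13); the sign of u is fixed by the curve, so the script never has to guess it.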

Improving Schoof's squareroot algorithm (1/2)

For E : Y^2 = X^3 + X, the splitting of the division polynomial f_ℓ is given by CM theory:
- if ℓ ≡ 3 mod 4: f_ℓ is irreducible over Q(i);
- if ℓ ≡ 1 mod 4: f_ℓ has two eigenfactors of degree (ℓ - 1)/2 over Q(i).

Ex:
  f_5(X) = 5 (X^2 + 1/5 + 2/5 i) (X^2 + 1/5 - 2/5 i) (X^8 + 12 X^6 - 26 X^4 - 52 X^2 + 1).

Over F_p[T]/(T^2 + 1): use f_λ(X) = X^2 + 1/5 + 2/5 i and look for the eigenvalue 1 ≤ λ < ℓ with
  (X^p, Y^p) = [λ](X, Y)
in B_ℓ = F_p[X, Y, T] / (Y^2 - (X^3 + AX + B), f_λ(X, T), T^2 + 1).

It has the flavor of Elkies's algorithm... and a better complexity (no modular polynomials needed).

Improving Schoof's squareroot algorithm (2/2)

How do we compute f_λ? Write f_λ(X) = f_{2+i}(X) and use Satoh's generalized division polynomials, computable using generalized recurrences (f_{2u+1±ω}, etc.).

Equality test: gcd(a_i(T) - b_i(T), T^2 + 1) for a(X, T) = Σ_i a_i(T) X^i, b(X, T) = Σ_i b_i(T) X^i.

Ex. p = 241, ℓ = 5, E : Y^2 = X^3 + X:
  f_λ(X, T) = X^2 + 193 + 145 T,
  X^p ≡ -X, Y^p ≡ 177 Y,
  [2](X, Y, 1) = (-X, -YT, 1)
and gcd(T^2 + 1, -T - 177) = T + 177 (actually guessable from the value of Y^p).

This behaviour is very very very frequent: hard to find an example where we must really compute t.

B) Primality proving

ECPP in one slide

Idea: (Selfridge's) DOWNRUN using CM elliptic curves. One of the important parameters: a set 𝒟 of (fundamental) discriminants.

function ECPP(N, 𝒟)
  • if N is small enough, prove its primality directly.
  • repeat
      find D ∈ 𝒟 s.t. 4N = U^2 - DV^2
    until m = N + 1 - U = cN' with c > 1 small, N' probable prime;
  • build E as the reduction of an elliptic curve having CM over Q, and find P of order m;
  • return ECPP(N', 𝒟).

"[...] I conceived and programmed the method (with me this is one thing - I don't "implement" myself any more than I would subcontract my algebra or analysis) in 3 months in the spring of 1986."
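The DOWNRUN step above, worked through in Python as an added example (my code, not the author's implementation): with 𝒟 = {-4} only, the curve having CM over Q is Y^2 = X^3 + X (j = 1728), so no class polynomial is needed, and the four twists y^2 = x^3 + a x have cardinalities N + 1 ± 2u and N + 1 ± 2v where N = u^2 + v^2 comes from Cornacchia's algorithm. A point P on the right twist is found without any modular square root by taking P = (1, y) and a = y^2 - 1. The verify function checks the resulting chain of steps the way a certificate checker would, without counting points. Assumptions: the input N is a probable prime ≡ 1 (mod 4), "small enough" means N < 100, trial division stands in for the probable-prime test, and all names are mine.

```python
from math import isqrt

def is_prime_small(n):
    """Trial division; stands in for the probable-prime test of the DOWNRUN (demo sizes only)."""
    return n > 1 and all(n % q for q in range(2, isqrt(n) + 1))

def root_of_minus_one(N):
    """sqrt(-1) mod a prime N ≡ 1 (mod 4): n^((N-1)/4) for a quadratic non-residue n."""
    n = 2
    while pow(n, (N - 1) // 2, N) != N - 1:
        n += 1
    return pow(n, (N - 1) // 4, N)

def cornacchia_minus4(N):
    """Cornacchia's algorithm for D = -4: (u, v) with N = u^2 + v^2, i.e. 4N = (2u)^2 + 4 v^2."""
    r = root_of_minus_one(N)
    if r <= N // 2:
        r = N - r                           # the algorithm needs N/2 < r < N
    a, b, lim = N, r, isqrt(N)
    while b > lim:                          # Euclid until the remainder drops below sqrt(N)
        a, b = b, a % b
    v = isqrt(N - b * b)
    return (b, v) if v * v == N - b * b else None

def ec_add(P, Q, a, N):
    """Affine addition on y^2 = x^3 + a x mod N; None stands for the point at infinity."""
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % N == 0:
        return None
    if x1 == x2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, N) % N
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, N) % N
    x3 = (lam * lam - x1 - x2) % N
    return (x3, (lam * (x1 - x3) - y1) % N)

def ec_mul(k, P, a, N):
    """Double-and-add scalar multiplication [k]P."""
    R = None
    while k:
        if k & 1: R = ec_add(R, P, a, N)
        P = ec_add(P, P, a, N)
        k >>= 1
    return R

def ecpp_step(N):
    """One DOWNRUN step with the single discriminant D = -4, for a prime N ≡ 1 (mod 4).
    Returns (a, m, c, N', P): on E: y^2 = x^3 + a x mod N, m = c*N' with N' prime,
    N' > (N^(1/4) + 1)^2, [m]P = O and [c]P != O."""
    u, v = cornacchia_minus4(N)
    bound = (isqrt(isqrt(N)) + 2) ** 2       # safe overestimate of (N^(1/4) + 1)^2
    # the four twists of y^2 = x^3 + x over F_N have cardinalities N + 1 ± 2u and N + 1 ± 2v
    for m in (N + 1 - 2 * u, N + 1 + 2 * u, N + 1 - 2 * v, N + 1 + 2 * v):
        c, Np = 1, m
        for q in range(2, 200):               # peel off a small cofactor c, never below N' = q
            while Np % q == 0 and Np > q:
                Np, c = Np // q, c * q
        if c == 1 or Np <= bound or not is_prime_small(Np):
            continue
        for y in range(2, N):                 # P = (1, y) lies on y^2 = x^3 + a x for a = y^2 - 1;
            a = (y * y - 1) % N               # varying y runs through all four twists, no sqrt needed
            if a == 0:
                continue                      # a = 0 would be the singular curve y^2 = x^3
            P = (1, y)
            if ec_mul(m, P, a, N) is None and ec_mul(c, P, a, N) is not None:
                return a, m, c, Np, P
    return None

def ecpp(N, small=100):
    """Recursive DOWNRUN: the certificate is a list of steps (N, a, m, c, N', P) ending at N' < small."""
    cert = []
    while N >= small:
        a, m, c, Np, P = ecpp_step(N)
        cert.append((N, a, m, c, Np, P))
        N = Np
    return cert

def verify(N, cert, small=100):
    """Check a certificate the way a verifier would: no point counting, only the certificate data."""
    for (n, a, m, c, Np, P) in cert:
        if n != N or m != c * Np or Np <= (isqrt(isqrt(n)) + 2) ** 2:
            return False
        x, y = P
        if (y * y - x ** 3 - a * x) % n != 0:    # P must lie on the curve
            return False
        try:
            if ec_mul(m, P, a, n) is not None or ec_mul(c, P, a, n) is None:
                return False
        except ValueError:                       # a non-invertible denominator: n is composite
            return False
        N = Np
    return N < small and is_prime_small(N)
```

For N = 241 = 15^2 + 4^2 the candidates are 212, 272, 234, 250; only m = 212 = 4 · 53 has a cofactor N' = 53 above the bound (N^(1/4) + 1)^2 ≈ 24.4, so the certificate has a single step ending in the trivially checked prime 53. The condition [m]P = O, [c]P ≠ O is what makes the certificate sound whether or not the chosen twist really has order m, which is why the checker needs no point counting.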

ECPP (cont'd)

Complexity: (Lenstra & Lenstra, 1990) for 𝒟 = {|D| = O((log N)^2)}, one gets a heuristic complexity
  Õ( (log N) · (log N)^2 · (log N)^2 ),
the three factors being the number of steps, #𝒟, and the cost of sqrt(D) mod N respectively.
All other steps are in Õ((log N)^4).

- Problems: class polynomials ⇒ new smaller invariants.
- Competition with PRIMO.
- AKS (and Dan Bernstein – 2003) caused renewed interest in a faster version (J. Shallit, see LeLe90), never implemented so far, using 𝒟 = {q*_{i_1} q*_{i_2} ··· q*_{i_r}, 1 ≤ i_u ≤ t} for t = O(log N).
  ⇒ complexities of all phases are now (heuristically) Õ((log N)^4).
  ⇒ 10,000 dd reached (Franke/Kleinjung/Wirth, 2003)
  ⇒ 15,000 dd reached (Franke/Kleinjung/M./Wirth, 2004)
  ⇒ 20,000 dd reached (M., 2006).

A short history of ECPP

- First program of Atkin: up to 243 decimal digits (the largest PRP in the Cunningham tables at that time).
- Original M. implementation (1987–1988): up to 500 dd (cofactor of F_11).
- Distribution of computations (1989): 1000 dd.

Output: a generalized Pratt certificate of size O((log N)^2) requiring Õ((log N)^3) deterministic time to be checked.

One step further

N = 6753^5122 + 5122^6753 (taken from P. Leyland's tables) is a 25050-digit prime; the gzipped certificate of 2024 steps has 55 Mb.
Calendar time: 2010/09/01 – 2010/10/15.
Machines: network of bi-core i7 quad-core; using open MPI.

  what           CPU days
  sqrt(D)            281
  find (D, h)        199
  Cornacchia         172
  FKW                 37
  PRP               1005
  H_D                  5
  root H_D           253
  Step 1            1696
  Step 2             282
  Check                4.4

C) The independent life of the CM method

The sentence
  • build E as the reduction of an elliptic curve having CM over Q, and find P of order m;
has nothing to do with primality proving and can serve as a building block in cryptography related things.
- Building cyclic elliptic curves (M. 1991);
- E of given cardinality (but varying p – Bröker/Stevenhagen);
- Pairing friendly curves (see the Freeman/Scott/Teske taxonomy paper);
- EAKS (Couveignes/Ezome/Lercier).
