Lifting techniques for polynomial system solving Eric Schost - - PowerPoint PPT Presentation

lifting techniques for polynomial system solving
SMART_READER_LITE
LIVE PREVIEW

Lifting techniques for polynomial system solving Eric Schost - - PowerPoint PPT Presentation

Oct 30, 2022 675 likes •889 views

Lifting techniques for polynomial system solving Eric Schost ORCCA UWO Goals Genus 1 computing the th CCR modular equation time: O ( 3 ) output size Genus 2 computing the -torsion output size 4 time:

slide-1
SLIDE 1

Lifting techniques for polynomial system solving

´ Eric Schost ORCCA UWO

slide-2
SLIDE 2

Goals

Genus 1

  • computing the ℓth CCR modular equation
  • output size ℓ

time: O˜(ℓ3) Genus 2

  • computing the ℓ-torsion
  • output size ℓ4

time: O˜(ℓ6) Genus 3

  • computing the ℓ-torsion
  • output size ℓ6

time: O˜(ℓ12)? Today: what could we expect using homotopy techniques?

slide-3
SLIDE 3

Deformation techniques

Basic idea

  • we want to solve a system f(p, x) = fi(p1, . . . , pm, x1, . . . , xn)i≤n,

zero-dimensional over K(p)

  • set up a homotopy between the target f(p, x) and an initial system f(p′, x) for

which we know the solutions

  • done by letting pt = (1 − t)p′ + tp, computing a description of the solution

curve and let t = 1.

slide-4
SLIDE 4

Deformation techniques

Basic idea

  • we want to solve a system f(p, x) = fi(p1, . . . , pm, x1, . . . , xn)i≤n,

zero-dimensional over K(p)

  • set up a homotopy between the target f(p, x) and an initial system f(p′, x) for

which we know the solutions

  • done by letting pt = (1 − t)p′ + tp, computing a description of the solution

curve and let t = 1. p′ p

slide-5
SLIDE 5

Deformation techniques

Basic idea

  • we want to solve a system f(p, x) = fi(p1, . . . , pm, x1, . . . , xn)i≤n,

zero-dimensional over K(p)

  • set up a homotopy between the target f(p, x) and an initial system f(p′, x) for

which we know the solutions

  • done by letting pt = (1 − t)p′ + tp, computing a description of the solution

curve and let t = 1. p′ p

slide-6
SLIDE 6

Deformation techniques

Basic idea

  • we want to solve a system f(p, x) = fi(p1, . . . , pm, x1, . . . , xn)i≤n,

zero-dimensional over K(p)

  • set up a homotopy between the target f(p, x) and an initial system f(p′, x) for

which we know the solutions

  • done by letting pt = (1 − t)p′ + tp, computing a description of the solution

curve and let t = 1. p′ p

slide-7
SLIDE 7

Deformation techniques

Basic idea

  • we want to solve a system f(p, x) = fi(p1, . . . , pm, x1, . . . , xn)i≤n,

zero-dimensional over K(p)

  • set up a homotopy between the target f(p, x) and an initial system f(p′, x) for

which we know the solutions

  • done by letting pt = (1 − t)p′ + tp, computing a description of the solution

curve and let t = 1. p′ p

slide-8
SLIDE 8

Deformation techniques

Basic idea

  • we want to solve a system f(p, x) = fi(p1, . . . , pm, x1, . . . , xn)i≤n,

zero-dimensional over K(p)

  • set up a homotopy between the target f(p, x) and an initial system f(p′, x) for

which we know the solutions

  • done by letting pt = (1 − t)p′ + tp, computing a description of the solution

curve and let t = 1. p′ p

slide-9
SLIDE 9

Triangular representation

Let ft = f(pt, x) in K(t)[x] Intermediate data structure: n polynomials in x1, . . . , xn over K(t), of the form Tt

  • Tn(t, x1, . . . , xn)

. . . T2(t, x1, x2) T1(t, x1), with Ti monic in xi, such that Tt = ft

  • Tt is a Gr¨
  • bner basis of ft in K(t)[x]
  • we can let t = 1 in Tt to get the solutions at t = 1.

notation

  • ν = number of solutions =

i deg(Ti, xi)

  • δ = max of deg(Ti, t)
slide-10
SLIDE 10

Degree bounds

Suppose that deg(fi) ≤ d for all i.

  • Bound on the x-degree: ν ≤ dn.
  • Bound on the t-degree of the coefficients:

δ ≤ d2n.

  • Modified representation: instead of T1, . . . , Tn, work with S1, . . . , Sn

Si = ∂T1 ∂x1 · · · ∂Ti−1 ∂xi−1 Ti mod T1, . . . , Ti−1. Then δ′ ≤ dn.

slide-11
SLIDE 11

Lifting one root

If x0 ∈ Kn is a root of f(p′, x), we can compute xi+1 = xi − Jac(ft)(xi)−1ft(xi) mod t2i+1 (we need some non-degeneracy assumptions). xi is a vector of n series of precision 2i Cost: xi can be computed in O

  • (Ln + n3)M(2i)
  • perations in K, where:
  • L is such that f can be evaluated in L operations
  • M is the cost of univariate polynomial multiplication

Summary: nO(1)O˜(Lδ) to lift one root to precision δ

slide-12
SLIDE 12

Computing Tt

  • 1. All roots are rational
  • they can all be lifted to K[[t]]
  • one can reconstruct Tt by:

– interpolation from its (power series) roots – rational reconstruction of its coefficients

  • time: nO(1)O˜(Lδν)
  • 2. Lift Tt
  • we can lift Tt at once
  • requires multivariate polynomial arithmetic
  • time: O˜(cnLδν)
slide-13
SLIDE 13

Computing Tt

  • 3. Aside: using only one root
  • for T1: find the minimal polynomial of an algebraic power series

– linear algebra (block Toeplitz matrix): σ-bases [Beckermann-Labahn] or structured matrices [Bitmead-Anderson, Morf] – no quasi-linear time algorithm – if δ = ν, O˜(Lδ + δω)

  • for T2, . . . , Tn: a mixture of this and interpolation

– ?

slide-14
SLIDE 14

Example 1

Point counting in genus 2 (with P. Gaudry)

  • finding a secure curve of genus 2 over F2127−1.
  • Schoof algorithm computing torsion divisors solving polynomial systems

– ℓ-torsion for ℓ = 2, 3, 5, 7, . . . , 31 – ℓk-torsion for ℓ = 2, 3, 5 Computing 3k-torsion While (possible==true) do

  • given Pk of 3k-torsion
  • consider the equations [3]Pk+1 = Pk

81 solutions;

  • extend the base field with one solution

3 → 32 → 33 → · · ·

slide-15
SLIDE 15

Using the 3-torsion

We solve [3]P = Q using lifting techniques, starting from known solutions of a system [3]E = F.

  • there are many (81) curve branches to lift;
  • but they are all conjugate:

– if [3]P = Q and [3]P ′ = 0 – then [3](P + P ′) = Q. So after computing the 3-torsion, we can

  • lift a single curve branche;
  • and add all the 3-torsion points to it

– this is addition in the Jacobian, – with power series coordinates.

slide-16
SLIDE 16

Results

Over Fp810, p = 2127 − 1

  • lifting one branch

4300 sec.

  • deducing all other branches

11000 sec.

  • interpolation

17000 sec.

  • all other things

25000 sec.

slide-17
SLIDE 17

Example 2 (a bit speculative)

Computing CCR modular equations (in genus 1) If E is an elliptic curve, the non-zero solutions of [ℓ](x, y) = 0 can be described by

  • y2 − f(x)

ψℓ(x) Charlap-Coley-Robbins: let κℓ(x, y) =

1≤i<ℓ abscissa of [i](x, y). Then the non-zero

solutions of [ℓ](x, y) = 0, u = κℓ(x, y) can be described by

  • y2 − f(x)

φℓ(x, u) Ξℓ(u)

slide-18
SLIDE 18

Cost analysis

Deformation techniques

  • replace E by Et, parametrized by a new parameter t:

E : y2 = x3 + ax + b, Et : y2 = x3 + ax + tb + (t − 1)b0

  • we want Ξ(u) for E1
  • assume that all the torsion of E0 is known

Cost analysis:

  • the system can be evaluated in O(log(ℓ)) ops
  • ν = ℓ2, δ = ℓ
  • time: O˜(ℓ3)
slide-19
SLIDE 19

Example 3 (even more speculative)

Computing torsion in higher (fixed) genus Let now C be hyperelliptic. We want to solve [ℓ]D = 0.

  • embed C into a one-parameter family Ct, with C = C1
  • assume that the ℓ-torsion of C0 is known

Cost analysis

  • the system can be evaluated in O(log(ℓ)) ops
  • ν = ℓ2g, δ = ℓ2g (?)
  • time: O˜(ℓ4g), i.e.,

g = 2 : ℓ8, g = 3 : ℓ12

slide-20
SLIDE 20

About the starting point (100% speculative)

Changing prime

  • hopeless to store one curve per Fp
  • just store one, for some Fp0
  • when needed over Fp1, lift it to Q and reduce mod p1