Lifting techniques for polynomial system solving ´ Eric Schost ORCCA UWO
Goals Genus 1 • computing the ℓ th CCR modular equation time: O ˜( ℓ 3 ) • output size ℓ Genus 2 • computing the ℓ -torsion • output size ℓ 4 time: O ˜( ℓ 6 ) Genus 3 • computing the ℓ -torsion • output size ℓ 6 time: O ˜( ℓ 12 )? Today: what could we expect using homotopy techniques?
Deformation techniques Basic idea • we want to solve a system f ( p , x ) = f i ( p 1 , . . . , p m , x 1 , . . . , x n ) i ≤ n , zero-dimensional over K ( p ) • set up a homotopy between the target f ( p , x ) and an initial system f ( p ′ , x ) for which we know the solutions • done by letting p t = (1 − t ) p ′ + t p , computing a description of the solution curve and let t = 1.
Deformation techniques Basic idea • we want to solve a system f ( p , x ) = f i ( p 1 , . . . , p m , x 1 , . . . , x n ) i ≤ n , zero-dimensional over K ( p ) • set up a homotopy between the target f ( p , x ) and an initial system f ( p ′ , x ) for which we know the solutions • done by letting p t = (1 − t ) p ′ + t p , computing a description of the solution curve and let t = 1. p p ′
Deformation techniques Basic idea • we want to solve a system f ( p , x ) = f i ( p 1 , . . . , p m , x 1 , . . . , x n ) i ≤ n , zero-dimensional over K ( p ) • set up a homotopy between the target f ( p , x ) and an initial system f ( p ′ , x ) for which we know the solutions • done by letting p t = (1 − t ) p ′ + t p , computing a description of the solution curve and let t = 1. p p ′
Deformation techniques Basic idea • we want to solve a system f ( p , x ) = f i ( p 1 , . . . , p m , x 1 , . . . , x n ) i ≤ n , zero-dimensional over K ( p ) • set up a homotopy between the target f ( p , x ) and an initial system f ( p ′ , x ) for which we know the solutions • done by letting p t = (1 − t ) p ′ + t p , computing a description of the solution curve and let t = 1. p p ′
Deformation techniques Basic idea • we want to solve a system f ( p , x ) = f i ( p 1 , . . . , p m , x 1 , . . . , x n ) i ≤ n , zero-dimensional over K ( p ) • set up a homotopy between the target f ( p , x ) and an initial system f ( p ′ , x ) for which we know the solutions • done by letting p t = (1 − t ) p ′ + t p , computing a description of the solution curve and let t = 1. p p ′
Deformation techniques Basic idea • we want to solve a system f ( p , x ) = f i ( p 1 , . . . , p m , x 1 , . . . , x n ) i ≤ n , zero-dimensional over K ( p ) • set up a homotopy between the target f ( p , x ) and an initial system f ( p ′ , x ) for which we know the solutions • done by letting p t = (1 − t ) p ′ + t p , computing a description of the solution curve and let t = 1. p p ′
Triangular representation Let f t = f ( p t , x ) in K ( t )[ x ] Intermediate data structure: n polynomials in x 1 , . . . , x n over K ( t ), of the form � T n ( t, x 1 , . . . , x n ) � � . � . � . � T t � � T 2 ( t, x 1 , x 2 ) � � T 1 ( t, x 1 ) , � � with T i monic in x i , such that � T t � = � f t � • T t is a Gr¨ obner basis of f t in K ( t )[ x ] • we can let t = 1 in T t to get the solutions at t = 1. notation • ν = number of solutions = � i deg( T i , x i ) • δ = max of deg( T i , t )
Degree bounds Suppose that deg( f i ) ≤ d for all i . • Bound on the x -degree: ν ≤ d n . • Bound on the t -degree of the coefficients: δ ≤ d 2 n . • Modified representation: instead of T 1 , . . . , T n , work with S 1 , . . . , S n S i = ∂T 1 · · · ∂T i − 1 T i mod � T 1 , . . . , T i − 1 � . ∂x 1 ∂x i − 1 Then δ ′ ≤ d n .
Lifting one root If x 0 ∈ K n is a root of f ( p ′ , x ), we can compute x i +1 = x i − Jac( f t )( x i ) − 1 f t ( x i ) mod t 2 i +1 (we need some non-degeneracy assumptions). x i is a vector of n series of precision 2 i Cost: x i can be computed in ( Ln + n 3 ) M (2 i ) � � O operations in K , where: • L is such that f can be evaluated in L operations • M is the cost of univariate polynomial multiplication Summary: n O (1) O ˜( Lδ ) to lift one root to precision δ
Computing T t 1. All roots are rational • they can all be lifted to K [[ t ]] • one can reconstruct T t by: – interpolation from its (power series) roots – rational reconstruction of its coefficients • time: n O (1) O ˜( Lδν ) 2. Lift T t • we can lift T t at once • requires multivariate polynomial arithmetic • time: O ˜( c n Lδν )
Computing T t 3. Aside: using only one root • for T 1 : find the minimal polynomial of an algebraic power series – linear algebra (block Toeplitz matrix): σ -bases [Beckermann-Labahn] or structured matrices [Bitmead-Anderson, Morf] – no quasi-linear time algorithm – if δ = ν , O ˜( Lδ + δ ω ) • for T 2 , . . . , T n : a mixture of this and interpolation – ?
Example 1 Point counting in genus 2 (with P. Gaudry) • finding a secure curve of genus 2 over F 2 127 − 1 . • Schoof algorithm � computing torsion divisors � solving polynomial systems – ℓ -torsion for ℓ = 2 , 3 , 5 , 7 , . . . , 31 – ℓ k -torsion for ℓ = 2 , 3 , 5 Computing 3 k -torsion While (possible==true) do • given P k of 3 k -torsion • consider the equations [3] P k +1 = P k 81 solutions; 3 → 3 2 → 3 3 → · · · • extend the base field with one solution
Using the 3-torsion We solve [3] P = Q using lifting techniques, starting from known solutions of a system [3] E = F . • there are many (81) curve branches to lift; • but they are all conjugate: – if [3] P = Q and [3] P ′ = 0 – then [3]( P + P ′ ) = Q . So after computing the 3-torsion , we can • lift a single curve branche; • and add all the 3-torsion points to it – this is addition in the Jacobian, – with power series coordinates.
Results Over F p 810 , p = 2 127 − 1 • lifting one branch 4300 sec. • deducing all other branches 11000 sec. • interpolation 17000 sec. • all other things 25000 sec.
Example 2 (a bit speculative) Computing CCR modular equations (in genus 1) If E is an elliptic curve, the non-zero solutions of [ ℓ ]( x, y ) = 0 can be described by � y 2 − f ( x ) � � � ψ ℓ ( x ) � � Charlap-Coley-Robbins: let κ ℓ ( x, y ) = � 1 ≤ i<ℓ abscissa of [ i ]( x, y ) . Then the non-zero solutions of [ ℓ ]( x, y ) = 0 , u = κ ℓ ( x, y ) can be described by y 2 − f ( x ) � � � � φ ℓ ( x, u ) � � � Ξ ℓ ( u ) �
Cost analysis Deformation techniques • replace E by E t , parametrized by a new parameter t : E : y 2 = x 3 + ax + b, E t : y 2 = x 3 + ax + tb + ( t − 1) b 0 • we want Ξ( u ) for E 1 • assume that all the torsion of E 0 is known Cost analysis: • the system can be evaluated in O (log( ℓ )) ops • ν = ℓ 2 , δ = ℓ • time: O ˜( ℓ 3 )
Example 3 (even more speculative) Computing torsion in higher (fixed) genus Let now C be hyperelliptic. We want to solve [ ℓ ] D = 0. • embed C into a one-parameter family C t , with C = C 1 • assume that the ℓ -torsion of C 0 is known Cost analysis • the system can be evaluated in O (log( ℓ )) ops • ν = ℓ 2 g , δ = ℓ 2 g (?) • time: O ˜( ℓ 4 g ), i.e., g = 2 : ℓ 8 , g = 3 : ℓ 12
About the starting point (100% speculative) Changing prime • hopeless to store one curve per F p • just store one, for some F p 0 • when needed over F p 1 , lift it to Q and reduce mod p 1
Recommend
More recommend
