On Using Torsion Points in the Elliptic Curve Index Calculus (Guénaël Renault) - PowerPoint PPT Presentation

SLIDE 1

On Using Torsion Points in the Elliptic Curve Index Calculus

Guénaël Renault

Sorbonne Universités UPMC, INRIA, CNRS LIP6

1/43

SLIDE 2

General Context

Discrete Logarithm Problem (DLP)

Given a finite cyclic group $(G = \langle g \rangle, +)$ and $h \in G$, find $k$ such that $h = [k]g = g + \cdots + g$ ($k$ times).

Generic algorithms: $O(\sqrt{\#G})$
  • Baby Step Giant Step, Pollard's rho, etc.
  • For any black box group $G$, this is the optimal complexity (Shoup)

Index Calculus can be quasi-polynomial or sub-exponential
  • sieving + linear algebra
  • $G = (\mathbb{F}_{2^k}^{\times}, \times)$
  • $G = (\mathbb{F}_q^{\times}, \times)$, $G = (J_C(\mathbb{F}_q), +)$ with genus $g > 2$

☞ $G = E(\mathbb{F}_q)$: no sub-exponential index calculus algorithm in general

2/43

SLIDE 3

Context

☞ Index calculus algorithm adapted to $E(\mathbb{F}_{q^n})$ ($n$ small): Semaev/Gaudry/Diem (≈ 2005)
  Point Decomposition Problem → Semaev Summation Polynomial → Polynomial System Solving
☞ Increasing the efficiency by using the symmetries
☞ Using Symmetries in the Index Calculus for ECDLP (J. Crypto. 2014) (J.-C. Faugère, P. Gaudry, L. Huot, G. R.)
☞ Symmetrized Summation Polynomials (Eurocrypt'14) (J.-C. Faugère, L. Huot, A. Joux, G. R., V. Vitse)

3/43

SLIDE 4

Outline

  1. PDP in the Index Calculus
  2. Polynomial System Solving
  3. PoSSo With Symmetries
  4. From Torsion Point to Symmetry
  5. Characteristic 2
  6. New Computational Record: 8th Summation Polynomial
  7. Conclusion

4/43


SLIDE 6

Index Calculus for ECDLP

Algorithm (Gaudry 2005)

Input: $P, Q \in E(\mathbb{F}_{q^n})$. Output: $x$ such that $Q = [x]P$.
  1. Define the factor base: $\mathcal{F} = \{(x, y) \in E(\mathbb{F}_{q^n}) \mid x \in \mathbb{F}_q\}$
  2. Sieving: $[a_j]P \oplus [b_j]Q = P_1 \oplus \cdots \oplus P_n$ with $P_i \in \mathcal{F}$, until having $\#\mathcal{F} + 1$ such relations
  3. Linear algebra: $\sum_j [\lambda_j \cdot a_j]P \oplus [\lambda_j \cdot b_j]Q = 0_{E(\mathbb{F}_{q^n})}$

Point Decomposition Problem

Given $R \in E$ and $\mathcal{F}$ a factor base of points in $E$, find $P_1, \ldots, P_n \in \mathcal{F}$ such that $R = P_1 \oplus \cdots \oplus P_n$.

6/43

SLIDE 7

Point Decomposition Problem

PDP$(n, R, \mathcal{F})$

Given $R \in E$ and $\mathcal{F}$ a factor base of points in $E$, find $P_1, \ldots, P_n \in \mathcal{F}$ such that $R = P_1 \oplus \cdots \oplus P_n$.
☞ Model the problem as a polynomial system $\{g_1, \ldots, g_s\}$ and solve this system: $(x_i, y_i) \in E$ and $(x_1, y_1) \oplus (x_2, y_2) \oplus \cdots \oplus (x_n, y_n) = (R_x, R_y)$
☞ The solution has to be found in $\mathcal{F}$

7/43

SLIDE 8

Algebraic modelling of PDP: Summation polynomials

Semaev, 2004, Gaudry, 2005

☞ Projection of the PDP$(n, R = 0, \mathcal{F} = \{(x, y) \in E(\mathbb{F}_{q^n}) \mid x \in \mathbb{F}_q\})$:
PDP: $g_1(\,\cdot\,, \ldots, \cdot\,) = \cdots = g_s(\,\cdot\,, \ldots, \cdot\,) = 0$
Summation: $f_n(\,\cdot\,, \ldots, \cdot\,) = 0$
Projection $\pi_n$

8/43

SLIDE 9

Algebraic modelling of PDP: Summation polynomials

Semaev, 2004, Gaudry, 2005

☞ Projection of the PDP$(n, R = 0, \mathcal{F} = \{(x, y) \in E(\mathbb{F}_{q^n}) \mid x \in \mathbb{F}_q\})$:
PDP: $g_1(x_1, \ldots, x_m, y_1, \ldots, y_m), \ldots, g_s(x_1, \ldots, x_m, y_1, \ldots, y_m)$
Summation: $f_n(x_1, \ldots, x_n) = \langle g_1, \ldots, g_s \rangle \cap \mathbb{F}_{q^n}[x_1, \ldots, x_n]$, with $\deg_{x_i}(f_n) = 2^{n-2}$
Elimination (resultant, Gröbner basis) along the projection $\pi : (x, y) \to x$

Characterization

$f_n(x_1, \ldots, x_n) = 0 \iff \exists (y_1, \ldots, y_n) \in \overline{\mathbb{F}_{q^n}}^{\,n}$ s.t. $\forall i$, $P_i = (x_i, y_i) \in E$ and $P_1 \oplus \cdots \oplus P_n = 0$

8/43

SLIDE 10

Algebraic modelling of PDP: Summation polynomials

Semaev, 2004, Gaudry, 2005

☞ Projection of the PDP$(n, R = 0, \mathcal{F} = \{(x, y) \in E(\mathbb{F}_{q^n}) \mid x \in \mathbb{F}_q\})$:
PDP: $g_1(x_1, \ldots, x_m, y_1, \ldots, y_m), \ldots, g_s(x_1, \ldots, x_m, y_1, \ldots, y_m)$
Summation: $f_n(x_1, \ldots, x_n) = \langle g_1, \ldots, g_s \rangle \cap \mathbb{F}_{q^n}[x_1, \ldots, x_n]$, with $\deg_{x_i}(f_n) = 2^{n-2}$
Elimination (resultant, Gröbner basis) along the projection $\pi : (x, y) \to x$

Application in Index Calculus (Gaudry 2005)

Solving PDP$(R, \mathcal{F})$ with factor base $\mathcal{F} = \{(x, y) \in E(\mathbb{F}_{q^n}) \mid x \in \mathbb{F}_q\}$:
  • Finding $(x_1, \ldots, x_n)$ with $x_i \in \mathbb{F}_q$ s.t. $f_{n+1}(x_1, \ldots, x_n, (-R)_x) = 0$

☞ In the Weierstrass model, $R_x = (-R)_x$

8/43

SLIDE 11

From summation polynomials to PoSSo

Problem

We want to find $P_1, \ldots, P_n \in \mathcal{F} = \{(x, y) \in E \mid x \in \mathbb{F}_q\}$ such that $R = P_1 + \cdots + P_n \iff P_1 + \cdots + P_n - R = 0_E$
  • Finding $(x_1, \ldots, x_n)$ with $x_i \in \mathbb{F}_q$ s.t. $f_{n+1}(x_1, \ldots, x_n, R_x) = 0$

Solving process: restriction of scalars on the summation polynomial

$\mathbb{F}_{q^n} \simeq \mathbb{F}_q(\omega)$: $n$-dimensional $\mathbb{F}_q$-vector space
$$f_{n+1}(x_1, \ldots, x_n, R_x) = 0 = \sum_{i=0}^{n-1} \varphi_i(x_1, \ldots, x_n) \cdot \omega^i$$

9/43

SLIDE 12

From summation polynomials to PoSSo

Solving process: restriction of scalars on the summation polynomial

$\mathbb{F}_{q^n} \simeq \mathbb{F}_q(\omega)$: $n$-dimensional $\mathbb{F}_q$-vector space
$$f_{n+1}(x_1, \ldots, x_n, R_x) = 0 = \sum_{i=0}^{n-1} \varphi_i(x_1, \ldots, x_n) \cdot \omega^i \quad \Longrightarrow$$
  • $S = \{\varphi_0, \ldots, \varphi_{n-1}\} \subset \mathbb{F}_q[x_1, \ldots, x_n]$
  • $n$ variables, $n$ equations
  • solutions in $\mathbb{F}_q$

H1: The polynomial systems $S$ are zero-dimensional

9/43
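
The pipeline of slides 6 to 12 for $n = 2$, as an added example that is not part of the slides: a constructed toy curve $y^2 = x^3 + 3x + 5$ over $\mathbb{F}_{11^2} = \mathbb{F}_{11}(\omega)$ with $\omega^2 = 7$, the factor base $\mathcal{F} = \{(x, y) \in E(\mathbb{F}_{11^2}) \mid x \in \mathbb{F}_{11}\}$, Semaev's $f_3$ evaluated at $(x_1, x_2, R_x)$ and split into its two $\mathbb{F}_{11}$-coordinates $\varphi_0, \varphi_1$ (the Weil restriction), and a brute-force check that the common zeros of $\varphi_0, \varphi_1$ are exactly the decompositions $R = P_1 \oplus P_2$. All parameters, the point $R$ and the function names are assumptions of this example.

```python
# Added example (not from the slides): PDP(2, R, F) on E(F_{p^2}) solved through Semaev's f_3 and
# restriction of scalars, then checked against a brute-force decomposition of R.
p = 11                        # constructed toy size; F_{p^2} = F_p(omega) with omega^2 = NR
NR = 7                        # 7 is a non-square mod 11, so X^2 - 7 is irreducible over F_11
A, B = 3, 5                   # constructed curve y^2 = x^3 + 3x + 5 (4A^3 + 27B^2 != 0 mod 11)

# F_{p^2} elements are pairs (c0, c1) meaning c0 + c1*omega.
def fadd(u, v): return ((u[0] + v[0]) % p, (u[1] + v[1]) % p)
def fsub(u, v): return ((u[0] - v[0]) % p, (u[1] - v[1]) % p)
def fmul(u, v): return ((u[0] * v[0] + NR * u[1] * v[1]) % p, (u[0] * v[1] + u[1] * v[0]) % p)
def finv(u):
    ni = pow((u[0] * u[0] - NR * u[1] * u[1]) % p, -1, p)   # inverse of the norm of u
    return (u[0] * ni % p, -u[1] * ni % p)
def emb(c): return (c % p, 0)                                # embed F_p into F_{p^2}
ZERO = (0, 0)

def on_curve(x, y):
    rhs = fadd(fadd(fmul(fmul(x, x), x), fmul(emb(A), x)), emb(B))
    return fmul(y, y) == rhs

def ecadd(P1, P2):
    """Affine Weierstrass group law over F_{p^2}; None is the point at infinity."""
    if P1 is None: return P2
    if P2 is None: return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and fadd(y1, y2) == ZERO:
        return None
    if P1 == P2:
        lam = fmul(fadd(fmul(emb(3), fmul(x1, x1)), emb(A)), finv(fadd(y1, y1)))
    else:
        lam = fmul(fsub(y2, y1), finv(fsub(x2, x1)))
    x3 = fsub(fsub(fmul(lam, lam), x1), x2)
    return (x3, fsub(fmul(lam, fsub(x1, x3)), y1))

def f3(x1, x2, x3):
    """Semaev's third summation polynomial of y^2 = x^3 + Ax + B (degree 2 in each variable)."""
    t1 = fmul(fmul(fsub(x1, x2), fsub(x1, x2)), fmul(x3, x3))
    t2 = fmul(emb(2), fmul(fadd(fmul(fadd(x1, x2), fadd(fmul(x1, x2), emb(A))), emb(2 * B)), x3))
    u = fsub(fmul(x1, x2), emb(A))
    t3 = fsub(fmul(u, u), fmul(emb(4 * B), fadd(x1, x2)))
    return fadd(fsub(t1, t2), t3)

# Factor base F = {(x, y) in E(F_{p^2}) | x in F_p}: every element of F_p is a square in F_{p^2}.
FIELD = [(c0, c1) for c0 in range(p) for c1 in range(p)]
FACTOR_BASE = [(emb(x), y) for x in range(p) for y in FIELD if on_curve(emb(x), y)]

def weil_restriction_solutions(xR):
    """f3(x1, x2, xR) = phi0(x1, x2) + phi1(x1, x2)*omega for x1, x2 in F_p: return the common zeros."""
    return {(x1, x2) for x1 in range(p) for x2 in range(p)
            if f3(emb(x1), emb(x2), xR) == ZERO}

def decompositions(R):
    """Brute force: x-coordinate pairs of factor-base points P1, P2 with P1 + P2 = R."""
    return {(P1[0][0], P2[0][0]) for P1 in FACTOR_BASE for P2 in FACTOR_BASE
            if ecadd(P1, P2) == R}

def pdp_check():
    """The Weil-restricted system {phi0, phi1} has exactly the decompositions of R as solutions."""
    R = ecadd(FACTOR_BASE[0], FACTOR_BASE[-1])   # constructed target: a sum of two factor-base points
    algebraic = weil_restriction_solutions(R[0])
    return len(algebraic) > 0 and algebraic == decompositions(R)
```

Because $f_3$ is symmetric in its arguments, the solution set is stable under swapping $x_1$ and $x_2$, which is the symmetry exploited from slide 34 on.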


SLIDE 14

Solving 0-dim polynomial systems

Let $S = \{f_1, \ldots, f_n\}$ where $f_i \in K[x_1, \ldots, x_n]$ and $\deg(f_i) \le 2^{n-1}$. Solving $S$ means here computing $V_K(S)$.

11/43

SLIDE 15

Solving 0-dim polynomial systems

Let $S = \{f_1, \ldots, f_n\}$ where $f_i \in K[x_1, \ldots, x_n]$ and $\deg(f_i) \le 2^{n-1}$. Solving $S$ means here computing $V_K(S)$.

Gröbner basis

Since $|V_K| < \infty$, the Gröbner basis $G$ of $S$ w.r.t. the lexicographical order with $x_1 > \ldots > x_n$ has a triangular form:
$$G = \{\, h_{1,1}(x_1, \ldots, x_n), \ldots, h_{1,k_1}(x_1, \ldots, x_n),\ \ldots,\ h_{n-1,1}(x_{n-1}, x_n), \ldots, h_{n-1,k_{n-1}}(x_{n-1}, x_n),\ h_n(x_n) \,\}$$
☞ Factoring univariate polynomials over a finite field.

11/43

SLIDE 16

Solving 0-dim polynomial systems

Let $S = \{f_1, \ldots, f_n\}$ where $f_i \in K[x_1, \ldots, x_n]$ and $\deg(f_i) \le 2^{n-1}$. Solving $S$ means here computing $V_K(S)$.
☞ Compute a GB of $S$ w.r.t. a lexicographical order.

Zero-dim solve
  1. Compute GB DRL from $S$ (F4/F5)
  2. Compute GB LEX from GB DRL (FGLM)

11/43

SLIDE 17

Solving 0-dim polynomial systems

Let $S = \{f_1, \ldots, f_n\}$ where $f_i \in K[x_1, \ldots, x_n]$ and $\deg(f_i) \le 2^{n-1}$.

Compute GB DRL from $S$ ☞ linear algebra on the Macaulay matrix (rows $t_{i,j} f_i$, columns indexed by the monomials $m_1 > m_2 > \ldots$, entries $c^{1}_{i,j}, c^{2}_{i,j}, \ldots$): Faugère F4, F5

Compute GB LEX from GB DRL ☞ see $K[x_1, \ldots, x_n]/S$ as a $K$-vector space; GB DRL ⇒ $K$-basis $B_1$, $K$-basis $B_2$ ⇒ GB LEX; change of basis $B_1 \to B_2$ (Faugère, Gaudry, Huot, R. ISSAC'14)

Complexity: $O\big( n \cdot e^{n\omega} \cdot 2^{(n-1)n\omega} + n \cdot \deg(S)^{\omega} \big)$
☞ $\deg(S)$ = the number of solutions (with multiplicities)
☞ $\omega$ represents the linear algebra constant

11/43

SLIDE 18

On the complexity of computing GB DRL

☞ These results are usually obtained for homogeneous polynomial systems
☞ In order to avoid fall-of-degree issues, one needs to consider the regular situation

Regular sequences

A sequence of homogeneous polynomials $(f_1, \ldots, f_n) \subset K[x_1, \ldots, x_n]$ is said to be regular when $f_{i+1}$ is a regular element in $K[x_1, \ldots, x_n]/\langle f_1, \ldots, f_i \rangle$.

Affine regular sequences

A sequence of affine polynomials $(f_1, \ldots, f_n) \subset K[x_1, \ldots, x_n]$ is said to be regular when the sequence $f_1^{(h)}, \ldots, f_n^{(h)}$, where $f^{(h)}$ is the corresponding homogeneous component of highest degree, is regular.
☞ Complexity DRL(affine regular polynomial system) < DRL(its homogenization)
H2: The affine polynomial systems $S$ are regular (H2 ⇒ H1)

12/43


SLIDE 20

Invariant Polynomial/System

Let be given a polynomial system $S : f_1(x_1, \ldots, x_n), \ldots, f_{n-1}(x_1, \ldots, x_n), f_n(x_1, \ldots, x_n)$ and $\sigma \in G \subset GL(K, n)$ acting by $\sigma \cdot f_i = f_i(\sigma \cdot x)$.
☞ Assume all $f_i$ are invariant under the action of $G$. How can this assumption help in solving the polynomial system?

14/43

SLIDE 21

Invariant ring

Definition

Let $K[x_1, \ldots, x_n]$ be a polynomial ring and $G \subset GL(K, n)$. $K[x_1, \ldots, x_n]^G = \{p \in K[x_1, \ldots, x_n] \mid \sigma \cdot p = p \text{ for all } \sigma \in G\}$.
We want to efficiently solve $S : f_1(x_1, \ldots, x_n), \ldots, f_{n-1}(x_1, \ldots, x_n), f_n(x_1, \ldots, x_n)$ under the assumption $f_1, \ldots, f_n \in K[x_1, \ldots, x_n]^G$.

15/43

SLIDE 22

Hironaka decomposition

Hilbert's finiteness theorem

Let $G \subset GL(K, n)$. Its invariant ring $K[x_1, \ldots, x_n]^G$ is finitely generated:
$$K[x_1, \ldots, x_n]^G = \bigoplus_{i=1}^{t} \eta_i K[\theta_1, \ldots, \theta_n].$$
Primary invariants $\theta_1, \ldots, \theta_n \in K[x_1, \ldots, x_n]^G$; secondary invariants $\eta_1, \ldots, \eta_t \in K[x_1, \ldots, x_n]^G$.
☞ Primary invariants are algebraically independent.

16/43

SLIDE 23

Example of Hironaka decomposition

$$\mathbb{Q}[x_1, x_2, x_3]^{A_3} = \bigoplus_{i=1}^{2} \eta_i \mathbb{Q}[\theta_1, \theta_2, \theta_3]$$
where $\theta_1 = x_1 + x_2 + x_3$, $\theta_2 = x_1x_2 + x_2x_3 + x_1x_3$, $\theta_3 = x_1x_2x_3$, $\eta_1 = 1$, $\eta_2 = x_1^2x_3 + x_1x_2^2 + x_2x_3^2$.

$$\begin{aligned} f = {} & x_1^3x_2^4x_3 + x_1^4x_2^2x_3^2 + x_1^3x_2^3x_3^2 + x_1^2x_2^4x_3^2 + x_1^4x_2x_3^3 + x_1^3x_2^2x_3^3 + x_1^2x_2^3x_3^3 + x_1^2x_2^2x_3^4 + x_1x_2^3x_3^4 \\ & + x_1^3x_2 + 2x_1^2x_2^2 + x_1x_2^3 + x_1^3x_3 + 5x_1^2x_2x_3 + 5x_1x_2^2x_3 + x_2^3x_3 + 2x_1^2x_3^2 + 5x_1x_2x_3^2 + 2x_2^2x_3^2 + x_1x_3^3 + x_2x_3^3 \end{aligned}$$

$f \in \mathbb{Q}[x_1, x_2, x_3]^{A_3}$ and $f = \theta_1^2\theta_2\eta_1 + \theta_2\theta_3\eta_2$.

17/43

SLIDE 24

Solving by using symmetries

$K[x_1, \ldots, x_n]^G = \bigoplus_{i=1}^{t} \eta_i \cdot K[\theta_1, \ldots, \theta_n]$.
Change of variables: $f \in K[x_1, \ldots, x_n]^G \longrightarrow \tilde f(\theta_1, \ldots, \theta_n, \eta_1, \ldots, \eta_t)$
$I = \langle S \rangle \subset K[x_1, \ldots, x_n] \longrightarrow J = (I \cup I_\Omega) \cap K[y_1, \ldots, y_{n+t}]$ with $I_\Omega = \langle \theta_1 - y_1, \ldots, \theta_n - y_n, \eta_1 - y_{n+1}, \ldots, \eta_t - y_{n+t} \rangle$

Computing $V(I)/G$

Compute the LEX Gröbner basis $G_\Omega$ of $I \cup I_\Omega$.
$G = G_\Omega \cap K[y_1, \ldots, y_{n+t}]$ is a Gröbner basis of $J = I(V(I)/G)$.
$$V(I) = \bigcup_{(v_1, \ldots, v_{n+t}) \in V(I)/G} V\big(G(y_1 = v_1, \ldots, y_{n+t} = v_{n+t})\big)$$

18/43

SLIDE 25

Solving by using symmetries

$K[x_1, \ldots, x_n]^G = \bigoplus_{i=1}^{t} \eta_i \cdot K[\theta_1, \ldots, \theta_n]$.
Change of variables: $f \in K[x_1, \ldots, x_n]^G \longrightarrow \tilde f(\theta_1, \ldots, \theta_n, \eta_1, \ldots, \eta_t)$
$I = \langle S \rangle \subset K[x_1, \ldots, x_n] \longrightarrow J = (I \cup I_\Omega) \cap K[y_1, \ldots, y_{n+t}]$ with $I_\Omega = \langle \theta_1 - y_1, \ldots, \theta_n - y_n, \eta_1 - y_{n+1}, \ldots, \eta_t - y_{n+t} \rangle$

Computing $V(I)/G$

Compute the LEX Gröbner basis $G_\Omega$ of $I \cup I_\Omega$.
$G = G_\Omega \cap K[y_1, \ldots, y_{n+t}]$ is a Gröbner basis of $J = I(V(I)/G)$.

Pros: $\deg(J) = \deg(I)/\#G$, so the complexity of the FGLM step is divided by $(\#G)^\omega$.
Cons: the DRL GB of $J$ may be more difficult to compute:
  • $n + t$ variables
  • $\eta_1, \ldots, \eta_t$ are not independent: add the equations $F(\eta_1, \ldots, \eta_t) = 0$.

18/43

SLIDE 26

Invariant ring as polynomial ring

Symmetric group: the well known example

$K[x_1, \ldots, x_n]^{S_n} = K[e_1, \ldots, e_n]$ where $e_k = \sum_{1 \le i_1 < i_2 < \ldots < i_k \le n} x_{i_1} x_{i_2} \cdots x_{i_k}$ is the $k$-th elementary symmetric polynomial.
Applying the change of variables $y_1 = e_1(x_1, \ldots, x_n), \ldots, y_n = e_n(x_1, \ldots, x_n)$: $I \subset K[x_1, \ldots, x_n] \longrightarrow J \subset K[y_1, \ldots, y_n]$.
The evolution of the degree: $\deg(I) = n! \cdot \deg(J)$

19/43

SLIDE 27

Invariant ring as polynomial ring

Theorem (Shephard, Todd ; Chevalley)

If $\mathrm{char}(K) \nmid \#G$ then $G$ is a reflection group $\Longrightarrow K[x_1, \ldots, x_n]^G = K[\theta_1, \ldots, \theta_n]$ where $\theta_1, \ldots, \theta_n \in K[x_1, \ldots, x_n]$ are algebraically independent.
Applying the change of variables $y_1 = \theta_1(x_1, \ldots, x_n), \ldots, y_n = \theta_n(x_1, \ldots, x_n)$: $I \subset K[x_1, \ldots, x_n] \longrightarrow J \subset K[y_1, \ldots, y_n]$.
The evolution of the degree: $\deg(I) = \#G \cdot \deg(J)$

19/43

SLIDE 28

Evolution of the total complexity for solving PoSSo

Let $S = \{f_1, \ldots, f_n\}$ where $f_i \in K[x_1, \ldots, x_n]^G$ with $G$ a reflection group.

Compute GB DRL from $S$ ☞ linear algebra on the Macaulay matrix (rows $t_{i,j} f_i$, columns indexed by the monomials $m_1 > m_2 > \ldots$, entries $c^{1}_{i,j}, c^{2}_{i,j}, \ldots$): Faugère F4, F5. Gain from the symmetries: ???

Compute GB LEX from GB DRL ☞ see $K[x_1, \ldots, x_n]/S$ as a $K$-vector space; GB DRL ⇒ $K$-basis $B_1$, $K$-basis $B_2$ ⇒ GB LEX; change of basis $B_1 \to B_2$ (Faugère, Gaudry, Huot, R. ISSAC'14). Divided by $\#G^\omega$.

20/43

SLIDE 29

On the complexity of computing GB DRL and Symmetries

$S = \{f_1, \ldots, f_n\} \subset K[\theta_1, \ldots, \theta_n] \subset K[x_1, \ldots, x_n]$, $\deg(\theta_i) = w_i$, $S$ regular, the $\theta_i^{(h)}$ algebraically independent.

DRL with weights $(w_1, \ldots, w_n)$ (Faugère, Safey El Din, Verron, 2013)

The complexity of GB DRL is divided by $(w_1 \cdots w_n)^\omega$.

Regularity preservation (Faugère, Gaudry, Huot, R.)

The system obtained after the change of coordinates is still regular.

Corollary

$S = \{f_1, \ldots, f_n\} \subset K[x_1, \ldots, x_n]^G$, $G$ a reflection group. Using the symmetries divides the complexity for solving $S$ by $\#G^\omega$ (no other hypothesis).

21/43

SLIDE 30

Evolution of the total complexity for solving PoSSo

Let $S = \{f_1, \ldots, f_n\}$ where $f_i \in K[x_1, \ldots, x_n]^G$ with $G$ a reflection group.

Compute GB DRL from $S$ ☞ linear algebra on the Macaulay matrix (rows $t_{i,j} f_i$, columns indexed by the monomials $m_1 > m_2 > \ldots$, entries $c^{1}_{i,j}, c^{2}_{i,j}, \ldots$): Faugère F4, F5. Divided by $\#G^\omega$.

Compute GB LEX from GB DRL ☞ see $K[x_1, \ldots, x_n]/S$ as a $K$-vector space; GB DRL ⇒ $K$-basis $B_1$, $K$-basis $B_2$ ⇒ GB LEX; change of basis $B_1 \to B_2$ (Faugère, Gaudry, Huot, R. ISSAC'14). Divided by $\#G^\omega$.

22/43


SLIDE 32

Elliptic curve representations

Ordinary elliptic curves

Weierstrass equation, $E : y^2 = x^3 + ax + b$

Arithmetic: number of operations in $\mathbb{F}_{q^n}$:
  • (Doubling) 5 mult + 6 squares + 1 div
  • (Adding) 12 mult + 2 squares

Group law not unified

Efficient arithmetic on Elliptic curves

Edwards, Bulletin of the AMS 2007 ; Bernstein et al., AFRICACRYPT 2008

Edwards representation, $E : ax^2 + y^2 = 1 + dx^2y^2$

Arithmetic: number of operations in $\mathbb{F}_{q^n}$:
  • (Doubling) 3 mult + 4 squares
  • (Adding) 10 mult + 1 square + 1 div

Group law unified: resistant to side channel attacks.

24/43

SLIDE 33

Elliptic curve representations

Ordinary elliptic curves

Weierstrass equation, $E : y^2 = x^3 + ax + b$

Symmetry (negative of a point): $P = (x, y) \Rightarrow \ominus P = (x, -y)$. Reflection w.r.t. the $x$-axis.

Efficient arithmetic on Elliptic curves

Edwards, Bulletin of the AMS 2007 ; Bernstein et al., AFRICACRYPT 2008

Edwards representation, $E : ax^2 + y^2 = 1 + dx^2y^2$

Symmetries:
  • (negative of a point) $P = (x, y) \Rightarrow \ominus P = (-x, y)$. Reflection w.r.t. the $y$-axis.
  • (addition with $T_2$) $P = (x, y)$ and $T_2 = (0, -1) \Rightarrow P \oplus T_2 = (-x, -y)$. Point reflection w.r.t. $(0, 0)$.

24/43

SLIDE 34

Application of summation polynomials

PDP$(R, \mathcal{F})$

We want to find $P_1, \ldots, P_n \in \mathcal{F} = \{(x, y) \in E \mid x \in \mathbb{F}_q\}$ such that $R = P_1 \oplus \cdots \oplus P_n \iff P_1 \oplus \cdots \oplus P_n \ominus R = 0_E$, where $R$ is a fixed point in $E$.

A first symmetry

☞ The problem has intrinsic symmetries: $R = P_1 \oplus P_2 \iff R = P_2 \oplus P_1$
  • This does not imply that summation polynomials are symmetric in general. Fortunately it is the case!
☞ How to use more symmetries?

25/43

SLIDE 35

System symmetrization - Weierstrass model

$f_{n+1}(x_1, \ldots, x_n, x_R) \in \mathbb{F}_{q^n}[x_1, \ldots, x_n]^{S_n}$

Corollary (Gaudry 2005)

$f_{n+1}(x_1, \ldots, x_n, x_R) \in \mathbb{F}_{q^n}[x_1, \ldots, x_n]^{S_n}$; after the change of variables $e_1, \ldots, e_n$:
  • $\tilde f_{n+1}(e_1, \ldots, e_n, x_R) \in \mathbb{F}_{q^n}[e_1, \ldots, e_n]$

Weil restriction: $S^{S_n} = \{\varphi_1, \ldots, \varphi_n\} \subset \mathbb{F}_q[e_1, \ldots, e_n]$
☞ $\deg(\varphi_i) \le 2^{n-1}$
H2: The affine polynomial systems $S^{S_n}$ are regular

26/43

SLIDE 36

Edwards curves: action of a 2-torsion point

☞ Reflection w.r.t. the $y$-axis, hence projection on the $y_i$'s for the summation polynomial

Definition

$E_{a,d} : ax^2 + y^2 = 1 + dx^2y^2$ has a 2-torsion point $T_2 = (0, -1)$

Property

$\forall P = (x, y) \in E_{a,d}(\mathbb{F}_{q^n})$, $P \oplus T_2 = (-x, -y)$.

Action on the points (geometry)

For any combination of an even number of additions by $T_2$:
$P_1 \oplus \cdots \oplus P_n = R \iff (P_1 \oplus T_2) \oplus (P_2 \oplus T_2) \oplus P_3 \oplus \cdots \oplus P_n = R$
$(y_1, \ldots, y_n) \in V_R \iff (-y_1, -y_2, y_3, \ldots, y_n) \in V_R$
What is the name of the group $G$ acting on the variety?

27/43
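
The two Edwards symmetries of slides 33 and 36, checked exhaustively as an added example that is not part of the slides: on a constructed toy curve $x^2 + y^2 = 1 + 5x^2y^2$ over $\mathbb{F}_{23}$ (so $a = 1$, $d = 5$ non-square, hence a complete addition law), negation is $(x, y) \mapsto (-x, y)$, adding $T_2 = (0, -1)$ is $(x, y) \mapsto (-x, -y)$, and adding $T_2$ to two summands at once leaves $P_1 \oplus P_2$ unchanged. The parameters and function names are assumptions of this example.

```python
# Added example (not from the slides): the Edwards-curve symmetries used on slides 33 and 36,
# checked on every point of a constructed toy curve x^2 + y^2 = 1 + 5 x^2 y^2 over F_23.
p, a, d = 23, 1, 5            # d = 5 is a non-square mod 23 and a = 1 is a square: the law is complete

def ed_add(P1, P2):
    """Unified twisted Edwards addition; the neutral element is (0, 1)."""
    (x1, y1), (x2, y2) = P1, P2
    t = d * x1 * x2 * y1 * y2 % p
    x3 = (x1 * y2 + y1 * x2) * pow(1 + t, -1, p) % p
    y3 = (y1 * y2 - a * x1 * x2) * pow(1 - t, -1, p) % p
    return (x3, y3)

def ed_neg(P):
    """Negation is the reflection w.r.t. the y-axis."""
    return (-P[0] % p, P[1])

def points():
    return [(x, y) for x in range(p) for y in range(p)
            if (a * x * x + y * y - 1 - d * x * x * y * y) % p == 0]

T2 = (0, p - 1)               # the 2-torsion point (0, -1)

def symmetries_hold():
    """P + T2 is the point reflection (-x, -y), and P + (-P) is the neutral element, for every P."""
    for P in points():
        if ed_add(P, T2) != (-P[0] % p, -P[1] % p):
            return False
        if ed_add(P, ed_neg(P)) != (0, 1):
            return False
    return True

def even_t2_shifts_preserve_sums():
    """(P1 + T2) + (P2 + T2) = P1 + P2 for all P1, P2: an even number of T2 additions keeps the
    relation R = P1 + P2, which is why (y1, y2) -> (-y1, -y2) acts on the solutions of the
    y-projected summation polynomial while a single sign change does not."""
    pts = points()
    return all(ed_add(ed_add(P1, T2), ed_add(P2, T2)) == ed_add(P1, P2)
               for P1 in pts for P2 in pts)
```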

SLIDE 37

The Coxeter group $D_n \supset S_n$

Definition

$D_n$ is the symmetry group of the $n$-demihypercube. $D_n = (\mathbb{Z}/2\mathbb{Z})^{n-1} \rtimes S_n \Longrightarrow \#D_n = n! \cdot 2^{n-1}$, where $(\mathbb{Z}/2\mathbb{Z})^{n-1}$ acts by even sign changes on $\{y_1, \ldots, y_n\}$.

$D_n$ properties

Reflection group: $\mathbb{F}_q[y_1, \ldots, y_n]^{D_n} = \mathbb{F}_q[s_1, \ldots, s_{n-1}, e_n]$
  • $s_i = \sum_{1 \le j_1 < \ldots < j_i \le n} \prod_{k=1}^{i} y_{j_k}^2$, the $i$-th elementary symmetric polynomial in $y_1^2, \ldots, y_n^2$.
  • $e_n = \prod_{k=1}^{n} y_k$, the $n$-th elementary symmetric polynomial.

28/43

SLIDE 38

From geometry to algebra

Let $G$ be a linear group.

Problem

$G \cdot S = S \iff G \cdot \langle S \rangle = \langle S \rangle$, whereas the geometric invariance $G \cdot V(S) = V(S)$ alone does not give this algebraic invariance.

Invariance of summation polynomials under $D_n$ (Faugère, Gaudry, Huot, R.)

$f_{n+1}(y_1, \ldots, y_n, y_R) \in \mathbb{F}_{q^n}[y_1, \ldots, y_n]^{D_n}$
☞ We are in the conditions of the Shephard-Todd theorem (large characteristic)

29/43

SLIDE 39

New change of variables

Corollary

$f_{n+1}(y_1, \ldots, y_n, y_R) \in \mathbb{F}_{q^n}[y_1, \ldots, y_n]^{D_n}$; after the change of variables $s_1, \ldots, s_{n-1}, e_n$:
  • $\tilde f_{n+1}(s_1, \ldots, s_{n-1}, e_n, x_R) \in \mathbb{F}_{q^n}[s_1, \ldots, s_{n-1}, e_n]$

Weil restriction: $S^{D_n} = \{\varphi_1, \ldots, \varphi_n\} \subset \mathbb{F}_q[s_1, \ldots, s_{n-1}, e_n]$. Each $s_i = \theta_i(e_1, \ldots, e_n)$ with $\deg(\theta_i) = 2$ → weights $(2, \ldots, 2, 1)$

Theorem (Faugère, Gaudry, Huot, R.)

Under the same hypothesis H2 on $S^{S_n}$, by using the action of $T_2$ the complexity for solving PDP is divided by $2^{\omega(n-1)}$

30/43

SLIDE 40

Some practical results

Magma or fgb

$\#\mathbb{F}_q$: 16 bits

| n | method | Step 1 time (s) | Step 2 time (s) | Total time (s) | # ops |
| 4 | W. sym | 6 | 460 | 466 | $2^{29}$ |
| 4 | E/J $D_n$ | 3 | (not extracted) | 3 | $2^{23}$ |
| 5 | W. sym | > 2 days (fgb) | | | |
| 5 | E/J $D_n$ | 567 | 2165 | 2732 | $2^{45}$ |

$n = 4$, total time (s):

| $\#\mathbb{F}_q$ (bits) | 32 | 64 | 128 | 160 |
| W. sym | 6922 | 4717 | 5837 | 6898 |
| E/J $D_n$ | 43 | 40 | 53 | 73 |

31/43


SLIDE 42

Action of the 2-torsion in characteristic 2 (Faugère, Huot, Joux, R., Vitse)

Elliptic curve $E$ defined over $\mathbb{F}_{2^{kn}}$ with $j(E) = 0$: $y^2 + xy = x^3 + ax^2 + b$. Assume $b = \gamma^4$.

$T_2$ the 2-torsion point of $E$: $T_2 = (0, \gamma^2)$ and, on $x$-coordinates, $P \oplus T_2 = \dfrac{\gamma^2}{x(P)}$

☞ No chance to use such a point as in large characteristic!

33/43

SLIDE 43

Characteristic 2: change of coordinates for a better action

Elliptic curve $E$ defined over $\mathbb{F}_{2^{kn}}$ with $j(E) = 0$: $y^2 + xy = x^3 + ax^2 + b$. Assume $b = \gamma^4$.
☞ Change of coordinates: $x \to \dfrac{\gamma}{x + \gamma} + \lambda$

$T_2$ the 2-torsion point of $E$ becomes $T_2 = (1 + \lambda, \gamma^2)$ and, on $x$-coordinates, $P \oplus T_2 = x(P) + 1$

34/43

SLIDE 44

Characteristic 2: change of coordinates for a better action

Elliptic curve $E$ defined over $\mathbb{F}_{2^{kn}}$ with $j(E) = 0$: $y^2 + xy = x^3 + ax^2 + b$. Assume $b = \gamma^4$.
☞ Change of coordinates: $x \to \dfrac{\gamma}{x + \gamma} + \lambda$

$T_2$ the 2-torsion point of $E$ becomes $T_2 = (1 + \lambda, \gamma^2)$ and, on $x$-coordinates, $P \oplus T_2 = x(P) + 1$
☞ A better action, but no longer linear; anyway we are in the modular case!

34/43
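
The two $x$-coordinate formulas of slides 42 to 44, checked on every point of a constructed toy curve as an added example that is not part of the slides: over $\mathbb{F}_{2^4}$ (modulus $x^4 + x + 1$) with $\gamma$ the class of $x$, $a = 1$, $b = \gamma^4$ and $\lambda = 0$, adding $T_2 = (0, \gamma^2)$ sends $x(P)$ to $\gamma^2/x(P)$, and after the substitution $x \to \gamma/(x+\gamma) + \lambda$ it sends the new coordinate to itself plus 1. Field size, curve coefficients and function names are assumptions of this example.

```python
# Added example (not from the slides): the 2-torsion point T2 = (0, gamma^2) on a binary curve
# y^2 + xy = x^3 + a x^2 + b with b = gamma^4, before and after the change of coordinates
# x -> gamma/(x + gamma) + lambda. Toy field GF(2^4) with modulus x^4 + x + 1 (constructed).
MOD = 0b10011            # x^4 + x + 1
A_COEF = 1               # constructed a
GAMMA = 0b0010           # the element "x"; b = gamma^4
LAMBDA = 0               # the lambda of the slides (any field element works)

def gmul(u, v):
    """Carry-less multiplication in GF(2^4) with reduction by MOD."""
    r = 0
    while v:
        if v & 1:
            r ^= u
        v >>= 1
        u <<= 1
        if u & 0b10000:
            u ^= MOD
    return r

def ginv(u):
    r = u                                  # u^(2^4 - 2) = u^(-1) for u != 0
    for _ in range(13):
        r = gmul(r, u)
    return r

B_COEF = gmul(gmul(GAMMA, GAMMA), gmul(GAMMA, GAMMA))   # b = gamma^4

def on_curve(x, y):
    lhs = gmul(y, y) ^ gmul(x, y)
    rhs = gmul(gmul(x, x), x) ^ gmul(A_COEF, gmul(x, x)) ^ B_COEF
    return lhs == rhs

def ecadd(P1, P2):
    """Affine addition on y^2 + xy = x^3 + a x^2 + b; None is infinity; -(x, y) = (x, x + y)."""
    if P1 is None: return P2
    if P2 is None: return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2:
        if y2 == x1 ^ y1:                                   # P2 = -P1
            return None
        lam = x1 ^ gmul(y1, ginv(x1))                       # doubling
        x3 = gmul(lam, lam) ^ lam ^ A_COEF
    else:
        lam = gmul(y1 ^ y2, ginv(x1 ^ x2))
        x3 = gmul(lam, lam) ^ lam ^ x1 ^ x2 ^ A_COEF
    return (x3, gmul(lam, x1 ^ x3) ^ x3 ^ y1)

def points():
    return [(x, y) for x in range(16) for y in range(16) if on_curve(x, y)]

def new_x(x):
    """The slides' change of coordinates on x: gamma/(x + gamma) + lambda (x = gamma goes to infinity)."""
    return gmul(GAMMA, ginv(x ^ GAMMA)) ^ LAMBDA

def t2_action_holds():
    """x(P + T2) = gamma^2 / x(P) in the original model, and new_x(P + T2) = new_x(P) + 1 afterwards."""
    g2 = gmul(GAMMA, GAMMA)
    T2 = (0, g2)
    if not on_curve(*T2) or ecadd(T2, T2) is not None:
        return False
    for P in points():
        if P[0] == 0:                      # P = T2 itself: P + T2 = O
            continue
        Q = ecadd(P, T2)
        if Q[0] != gmul(g2, ginv(P[0])):
            return False
        if P[0] != GAMMA and new_x(Q[0]) != new_x(P[0]) ^ 1:
            return False
    return True
```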

SLIDE 45

Some Galois theory with the action $X_i \to X_i + 1$

$K = \mathbb{F}_{2^{kn}}$. Tower of fixed fields of $K(X_1, \ldots, X_n)$, with the degrees of the extensions:
  • $K(X_1, \ldots, X_n) / K(X_1, \ldots, X_n)^{(\mathbb{Z}/2\mathbb{Z})^n}$: degree $2^n$
  • $K(X_1, \ldots, X_n) / K(X_1, \ldots, X_n)^{(\mathbb{Z}/2\mathbb{Z})^{n-1} \rtimes S_n}$: degree $2^{n-1} n!$
  • $K(X_1, \ldots, X_n)^{(\mathbb{Z}/2\mathbb{Z})^n} / K(X_1, \ldots, X_n)^{(\mathbb{Z}/2\mathbb{Z})^n \rtimes S_n}$: degree $n!$
  • $K(X_1, \ldots, X_n)^{(\mathbb{Z}/2\mathbb{Z})^{n-1} \rtimes S_n} / K(X_1, \ldots, X_n)^{(\mathbb{Z}/2\mathbb{Z})^n \rtimes S_n}$: degree $2$

$K(X_1, \ldots, X_n)^{(\mathbb{Z}/2\mathbb{Z})^n} = K(X_1^2 + X_1, \ldots, X_n^2 + X_n)$
$K(X_1, \ldots, X_n)^{(\mathbb{Z}/2\mathbb{Z})^n \rtimes S_n} = K(s_1, \ldots, s_n)$, $s_i = e_i(X_1^2 + X_1, \ldots, X_n^2 + X_n)$
$K(X_1, \ldots, X_n)^{(\mathbb{Z}/2\mathbb{Z})^{n-1} \rtimes S_n} = K(e_1, s_2, \ldots, s_n)$, $e_1 = X_1 + \cdots + X_n$
$K[X_1, \ldots, X_n]^{(\mathbb{Z}/2\mathbb{Z})^{n-1} \rtimes S_n} = K[e_1, s_2, \ldots, s_n]$

35/43

SLIDE 46

Characteristic 2: conclusion (Faugère, Huot, Joux, R., Vitse)

Summation polynomial in characteristic 2 ($\lambda = 0, 1$)

$f_{n+1}(x_1, \ldots, x_n, x_R) \in \mathbb{F}_{2^{kn}}[x_1, \ldots, x_n]^{D_n} = \mathbb{F}_{2^{kn}}[e_1, s_2, \ldots, s_n]$
$f_{n+1}(x_1, \ldots, x_n, x_R) \in \mathbb{F}_{2^{kn}}[e_1^2, s_2^2, \ldots, s_{n-1}^2, s_n]$

Theorem

Under the same hypothesis H2 on $S^{S_n}$, by using the action of $T_2$ the complexity for solving PDP is divided by $2^{\omega 2(n-1)}$

Practical results (Oakley 'Well-Known Groups' 3 over $\mathbb{F}_{2^{31 \times 5}}$)

To obtain one relation: Joux-Vitse $(n-1)$-method: ≈ 37 years; this work: ≈ 5.5 hours

36/43


SLIDE 48

Iterative Construction

$S_n(x_1, \ldots, x_n) = \mathrm{Res}_X\big(S_{n-k+1}(x_1, \ldots, x_{n-k}, X),\ S_{k+1}(x_{n-k+1}, \ldots, x_n, X)\big)$, $k \in \{2, \ldots, n-2\}$, $O(2^{n^2})$
☞ In characteristic 2, rewrite it with smaller degrees!

38/43

SLIDE 49

Iterative Construction

$S_n(x_1, \ldots, x_n) \in \mathbb{F}_{2^{kn}}[e_1^2, s_2^2, \ldots, s_{n-1}^2, s_n]$, $s_i = e_i(X_1^2 + X_1, \ldots, X_n^2 + X_n)$

$$\mathrm{Res}_X\Big( S^p_{n-k+1}\big(e_{1,n-k}^2, s_{2,n-k}^2, \ldots, s_{n-k-1,n-k}^2, s_{n-k,n-k}, X\big),\ S^p_{k+1}\big(e_{1,k}^2, s_{2,k}^2, \ldots, s_{k-1,k}^2, s_{k,k}, X\big) \Big), \quad k \in \{2, \ldots, n-2\}$$

$$\Omega : \begin{cases}
e_1^2 = e_{1,n-k}^2 + e_{1,k}^2 \\
s_2^2 = s_{2,n-k}^2 + s_{2,k}^2 + \alpha_1 \alpha_2 \\
s_3^2 = s_{3,n-k}^2 + s_{3,k}^2 + \alpha_1 s_{2,k}^2 + \alpha_2 s_{2,n-k}^2 \\
s_4^2 = s_{4,n-k}^2 + s_{4,k}^2 + \alpha_1 s_{3,k}^2 + \alpha_2 s_{3,n-k}^2 + s_{2,n-k}^2 s_{2,k}^2 \\
\quad \vdots \\
s_{n-2}^2 = s_{n-k,n-k}\, s_{k-2,k}^2 + s_{n-k-1,n-k}^2 s_{k-1,k}^2 + s_{n-k-2,n-k}^2 s_{k,k} \\
s_{n-1}^2 = s_{n-k,n-k}\, s_{k-1,k}^2 + s_{n-k-1,n-k}^2 s_{k,k} \\
s_n = s_{n-k,n-k}\, s_{k,k}
\end{cases}$$
with $\alpha_1 = e_{1,n-k}^2 + e_{1,n-k}$ and $\alpha_2 = e_{1,k}^2 + e_{1,k}$.

39/43

SLIDE 50

Iterative Construction

$S_n(x_1, \ldots, x_n) \in \mathbb{F}_{2^{kn}}[e_1^2, s_2^2, \ldots, s_{n-1}^2, s_n]$, $s_i = e_i(X_1^2 + X_1, \ldots, X_n^2 + X_n)$

$$\mathrm{Res}_X\Big( S^p_{n-k+1}\big(e_{1,n-k}^2, s_{2,n-k}^2, \ldots, s_{n-k-1,n-k}^2, s_{n-k,n-k}, X\big),\ S^p_{k+1}\big(e_{1,k}^2, s_{2,k}^2, \ldots, s_{k-1,k}^2, s_{k,k}, X\big) \Big), \quad k \in \{2, \ldots, n-2\}$$

The change of variables $\Omega$ can be applied with a Gröbner basis computation. One can obtain $S_6$ with this method. We obtain $S_7$ by using some shortcuts (essentially by hand).
☞ The 8th summation polynomial is still intractable!

39/43

SLIDE 51

Sparse multivariate polynomial interpolation

Evaluation point $(e_1^2, s_2^2, \ldots, s_{n-1}^2, s_n)$ → $\mathrm{Res}_X\big(S^p_{n-k+1}, S^p_{k+1}\big)$ → value $v = S_n(e_1^2, s_2^2, \ldots, s_{n-1}^2, s_n)$

Zippel's probabilistic algorithm: interpolation of dense univariate polynomials, iterative on the variables. The evaluation step has to be very efficient ($O(n t 2^{n-3})$ evaluations).

40/43

SLIDE 52

Sparse multivariate polynomial interpolation

Evaluation point $(e_1^2, s_2^2, \ldots, s_{n-1}^2, s_n)$ → $\mathrm{Res}_X\big(S^p_{n-k+1}, S^p_{k+1}\big)$ → value $v = S_n(e_1^2, s_2^2, \ldots, s_{n-1}^2, s_n)$

Zippel's probabilistic algorithm: the evaluation step has to be very efficient ($O(n t 2^{n-3})$ evaluations).

Each evaluation goes through the change of variables $\Omega$ of slide 49 (the system $e_1^2 = e_{1,n-k}^2 + e_{1,k}^2$, $s_2^2 = s_{2,n-k}^2 + s_{2,k}^2 + \alpha_1\alpha_2$, ..., $s_n = s_{n-k,n-k}\, s_{k,k}$ with $\alpha_1 = e_{1,n-k}^2 + e_{1,n-k}$, $\alpha_2 = e_{1,k}^2 + e_{1,k}$).
  • Gröbner basis computation is not efficient enough: 1.4 sec. per evaluation, 5 years for $S_8$

40/43

SLIDE 53

Sparse multivariate polynomial interpolation using symmetry

Evaluation point $(e_1^2, s_2^2, \ldots, s_{n-1}^2, s_n)$ → $\mathrm{Res}_X\big(S^p_{n-k+1}, S^p_{k+1}\big)$ → value $v = S_n(e_1^2, s_2^2, \ldots, s_{n-1}^2, s_n)$

$(s_1^2, \ldots, s_n^2)$ can be deduced from $(e_1^2, s_2^2, \ldots, s_{n-1}^2, s_n)$
☞ The $s_i^2$ come from elementary symmetric polynomials: $s_i^2 = e_i(x_1^4 + x_1^2, \ldots, x_n^4 + x_n^2)$
$$f_n(X) = X^n + s_1^2 X^{n-1} + \cdots + s_{n-1}^2 X + s_n^2 = \prod_{i=1}^{n} \big(X + x_i^4 + x_i^2\big).$$
$f_n(X) = f_k(X)\, f_{n-k}(X)$ ☞ Evaluation points of $S^p_{n-k+1}, S^p_{k+1}$ deduced from $f_k(X), f_{n-k}(X)$.

41/43

SLIDE 54

Sparse multivariate polynomial interpolation using symmetry

Evaluation point $(e_1^2, s_2^2, \ldots, s_{n-1}^2, s_n)$ → $\mathrm{Res}_X\big(S^p_{n-k+1}, S^p_{k+1}\big)$ → value $v = S_n(e_1^2, s_2^2, \ldots, s_{n-1}^2, s_n)$

Final computation with fast evaluation

Gröbner basis computation → factorization: 3 polynomials of degree 2 to solve (over $\mathbb{F}_{2^k}$)
✌ Using this fast evaluation we computed $S_8$ in ≈ 40.5 h

41/43


SLIDE 56

Conclusion

☞ Here some introductory results are presented; more are given in our EC'14 paper:

Torsion points of small order

Faugère, Huot, Joux, R., Vitse EC'14
  • Study a more general projection (Diem's point of view)
  • Characterize the possible interesting torsion points
  • Show how to use the full 2-torsion in large characteristic (with experimental results)

43/43