Point Counting for Genus 2 Curves with Real Multiplication (PowerPoint PPT presentation)



  1. Point Counting for Genus 2 Curves with Real Multiplication
Pierrick Gaudry, David Kohel, Benjamin Smith
Speaker: Benjamin Smith, INRIA Saclay–Île-de-France, Laboratoire d'Informatique de l'École polytechnique (LIX)
ECC 2011, Nancy, France, 21/09/2011
Outline:
Genus 1 and 2: Point counting, Division polys, Kernels, Schoof complexity, BSGS
Real multiplication: Split primes, Smaller kernels, New relations, RM Complexity, ℓ = 2, RM families, Implementation
Cryptographic Jacobians: Too much, too fast

  2. Genus 2 cryptosystems have security and efficiency comparable* with elliptic curve cryptosystems...
...but setting up secure genus 2 instances is much harder.
Computing cardinalities over prime fields:
◮ 256-bit elliptic curve: SEA in seconds
◮ 256-bit abelian surface: replace seconds with days.

  3. Given $C : y^2 = f(x)$ of genus 2 over $\mathbb{F}_q$ ($q$ odd, $J_C$ ordinary, absolutely irreducible).
We want to compute $\#J_C(\mathbb{F}_q)$. Equivalently: compute the characteristic polynomial of Frobenius
$$\chi(T) = T^4 - s_1 T^3 + (s_2 + 2q)\,T^2 - q s_1 T + q^2,$$
which is subject to the Weil bounds $|s_1| \le 4\sqrt{q}$ and $|s_2| \le 4q$, and the Rück bounds $s_1^2 - 4 s_2 \ge 0$ and $s_2 + 4q \ge 2|s_1|$.

  4. Schoof's idea: the characteristic polynomial of Frobenius acting on $J_C[\ell]$ is $\chi_\ell(T) := \chi(T) \bmod \ell$, so
$$(\pi^2 + [\bar q])^2(D) - [\bar s_1]\,(\pi^2 + [\bar q])\,\pi(D) + [\bar s_2]\,\pi^2(D) = 0$$
for all $D$ in $J_C[\ell]$ (here $\bar{\cdot}$ denotes residue mod $\ell$).
◮ Compute $\chi_\ell$ for sufficiently many prime (powers) $\ell$
◮ Recover $\chi$ via the CRT.
To compute $\chi_\ell$:
1. compute generic $D$ in $J_C[\ell]$;
2. compute $\pi^2(D)$, $(\pi^2 + [\bar q])\pi(D)$, and $(\pi^2 + [\bar q])^2(D)$;
3. search for $[\bar s_1]$ and $[\bar s_2]$ s.t. the relation holds.
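The integer side of slides 3 and 4, as an added example (this code is not from the slides or from the authors' implementation): the Weil and Rück region in which $(s_1, s_2)$ must lie, $\#J_C(\mathbb{F}_q) = \chi(1)$, and the CRT step that glues the residues $(\bar s_1, \bar s_2)$ mod several $\ell$ back into integers. The exhaustive `search_space` is only there to show how each $\chi_\ell$ shrinks the candidate set; `recover_chi` is the actual CRT recovery, which needs $\prod \ell > 8q$ because $s_2$ ranges over an interval of $8q + 1$ integers. The field size $q = 101$ and the "true" pair $(s_1, s_2) = (3, -5)$ are constructed inputs, not data for any particular curve.

```python
from math import isqrt, prod

# Added example, not from the slides: Weil/Rück bounds, chi(1) = #J_C(F_q),
# and the CRT step of Schoof's method for genus 2, on plain integers.


def weil_ruck_ok(q, s1, s2):
    """True iff (s1, s2) satisfy the Weil bounds |s1| <= 4 sqrt(q), |s2| <= 4q
    and the Rück bounds s1^2 - 4 s2 >= 0, s2 + 4q >= 2|s1|."""
    return (s1 * s1 <= 16 * q and abs(s2) <= 4 * q
            and s1 * s1 - 4 * s2 >= 0 and s2 + 4 * q >= 2 * abs(s1))


def jacobian_order(q, s1, s2):
    """#J_C(F_q) = chi(1) for chi(T) = T^4 - s1 T^3 + (s2 + 2q) T^2 - q s1 T + q^2."""
    return 1 - s1 + (s2 + 2 * q) - q * s1 + q * q


def search_space(q, chi_mod):
    """All (s1, s2) in the Weil/Rück region consistent with the known residues
    chi_mod = {ell: (s1 mod ell, s2 mod ell)}.  Exhaustive, so only for small q;
    it illustrates how each chi_ell cuts the search space down."""
    hits = []
    for s1 in range(-isqrt(16 * q), isqrt(16 * q) + 1):
        # Rück gives 2|s1| - 4q <= s2 <= s1^2/4; together with |s1| <= 4 sqrt(q)
        # this already implies the Weil bound |s2| <= 4q.
        for s2 in range(2 * abs(s1) - 4 * q, s1 * s1 // 4 + 1):
            if all((s1 - r1) % ell == 0 and (s2 - r2) % ell == 0
                   for ell, (r1, r2) in chi_mod.items()):
                hits.append((s1, s2))
    return hits


def crt(residues, moduli):
    """Chinese remainder theorem: the x in [0, prod(moduli)) with x = r_i mod m_i
    (moduli assumed pairwise coprime)."""
    x, m = 0, 1
    for r, mod in zip(residues, moduli):
        t = ((r - x) * pow(m, -1, mod)) % mod   # solve x + m*t = r (mod mod)
        x += m * t
        m *= mod
    return x % m


def centered(x, m):
    """Representative of x mod m in [-m/2, m/2)."""
    x %= m
    return x - m if x >= (m + 1) // 2 else x


def recover_chi(q, chi_mod):
    """Schoof's CRT step: lift the residues of (s1, s2) to the unique integers in
    the Weil intervals.  Needs M = prod(ell) > 8q, the width of the s2 interval
    (which also gives M > 8 sqrt(q) for s1)."""
    moduli = list(chi_mod)
    M = prod(moduli)
    if M <= 8 * q:
        raise ValueError("product of the ell is too small to pin down (s1, s2)")
    s1 = centered(crt([r1 for r1, _ in chi_mod.values()], moduli), M)
    s2 = centered(crt([r2 for _, r2 in chi_mod.values()], moduli), M)
    if not weil_ruck_ok(q, s1, s2):
        raise ValueError("residues are inconsistent with the Weil/Rück bounds")
    return s1, s2


if __name__ == "__main__":
    q = 101                     # constructed field size
    s1, s2 = 3, -5              # constructed "true" pair inside the Weil/Rück region
    ells = [3, 5, 7, 11, 13]    # prod = 15015 > 8q = 808
    chi_mod = {ell: (s1 % ell, s2 % ell) for ell in ells}
    print(len(search_space(q, {})), "candidate pairs before any chi_ell")
    print(search_space(q, chi_mod), "after all five chi_ell")
    print(recover_chi(q, chi_mod), "via CRT; #J_C(F_q) =", jacobian_order(q, s1, s2))
```

The exhaustive search costs $O(q^{3/2})$ and is the thing Schoof's method avoids; it is kept here only so the reader can watch the candidate set collapse to one pair once enough $\chi_\ell$ are known.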

  5. Let $(u, v)$ be a generic point of $C$, and $D$ its image in $J_C$.
We say $\phi \in \mathrm{End}(J_C)$ is explicit if we can compute polynomials $d_0, d_1, d_2, e_0, e_1, e_2$ such that
$$\phi(D) = \left( x^2 + \frac{d_1(u)}{d_2(u)}\,x + \frac{d_0(u)}{d_2(u)},\; y - v\,\frac{e_1(u)\,x + e_0(u)}{e_2(u)} \right).$$
We call the $d_i$ and $e_i$ the $\phi$-division polynomials (= Cantor's $\ell$-division polys for $\phi = [\ell]$).
We say that $\phi$ is efficiently computable if the $\phi$-division polynomials have low degree (ie, if evaluating $\phi$ is in $O(1)$ field ops).
Note: $[\ell]$-division polys have degree in $O(\ell^2)$.

  6. Computing generic elements of $\ker\phi \subset J_C$
Let $\phi$ be an explicit endomorphism, $(u_1, v_1), (u_2, v_2)$ generic points on $C$, $D_1, D_2$ their images in $J_C$.
$$D = (x^2 + a_1 x + a_0,\; y - (b_1 x + b_0)) := D_1 + D_2$$
is a generic point of $J_C$.
1. Compute $\phi(D_1)$ and $\phi(D_2)$;
2. Solve for $(u_1, v_1, u_2, v_2)$ in $\phi(D_1) = -\phi(D_2)$;
3. Resymmetrizing, compute a triangular ideal $I_\phi$ of relations in $a_1, a_0, b_1, b_0$ satisfied when $D \in \ker\phi$.
Suppose the degree of the $\phi$-division polynomials is bounded by $\delta$:
◮ compute $I_\phi$ in $\tilde{O}(\delta^3)$ $\mathbb{F}_q$-operations;
◮ the degree of $I_\phi$ is in $O(\delta^2)$.

  7. Conventional Schoof–Pila complexity:
◮ For each prime $\ell$:
1. Compute $I_\ell$ in $\tilde{O}(\ell^6)$ field ops
◮ $[\ell]$-division polynomials have degree in $O(\ell^2)$
◮ triangular $I_\ell$ has degree in $O(\ell^4)$
2. Compute $\pi^2(D)$, $(\pi^2 + [\bar q])\pi(D)$, and $(\pi^2 + [\bar q])^2(D)$ in $\tilde{O}(\ell^4 \log q)$ field ops
3. Find the $(\bar s_1, \bar s_2)$ in $(\mathbb{Z}/\ell\mathbb{Z})^2$ such that $(\pi^2 + [\bar q])^2(D) - [\bar s_1](\pi^2 + [\bar q])\pi(D) + [\bar s_2]\pi^2(D) = 0$
... $O(\ell)$ trials, each costing $\tilde{O}(\ell^4)$ field ops $\Rightarrow$ total cost $\tilde{O}(\ell^5)$ field ops
$\Rightarrow$ Computing $\chi_\ell$ costs $\tilde{O}(\ell^4(\ell^2 + \log q))$ field ops
◮ We need $\chi_\ell$ for the $O(\log q)$ primes $\ell$ in $O(\log q)$
◮ $\Rightarrow$ $\chi$ costs $\tilde{O}(\log^7 q)$ field ops $= \tilde{O}(\log^8 q)$ bit ops

  8. Computing in $J_C[\ell]$ becomes awkward very quickly in genus 2; we're limited to $\ell = O(\text{a handful of bits})$.
This gives us $s_1$ and $s_2$ modulo some integer $M$.
We finish the computation using a generic algorithm such as BSGS, which runs in time
◮ $\tilde{O}(q^{3/4}/M)$ when $M < 8\sqrt{q}$, and
◮ $\tilde{O}(\sqrt{q/M})$ when $M \ge 8\sqrt{q}$.
This all sounds pretty bad. Why would we want to use genus 2 again, anyway?

  9. Remember: Genus 2 is not just a two-dimensional analogue of genus 1 (it's much more fun than that).
Recall:
◮ $\mathrm{End}(J_C) \otimes \mathbb{Q} = \mathbb{Q}(\pi)$ is a quartic CM-field.
◮ Complex conjugation = Rosati involution $\alpha \mapsto \alpha^\dagger$.
◮ Real quadratic subfield: $\mathbb{Q}(\pi + \pi^\dagger) \cong \mathbb{Q}(\sqrt{\Delta})$ for some $\Delta > 0$.
◮ We say $C$ has RM by $\mathcal{O}$ if $\mathcal{O}$ is a real quadratic order isomorphic to a subring of $\mathrm{End}(J_C)$.
◮ Isomorphism classes with RM by a fixed $\mathcal{O}$ form Humbert surfaces in the 3-dimensional moduli space.

  10. Elliptic Curves with Schoof–Elkies–Atkin
◮ $\mathbb{Z}[\pi]$ is an unknown quadratic extension of $\mathbb{Z}$.
◮ Some primes $\ell$ split in $\mathbb{Z}[\pi]$.
◮ $(\ell) = (\alpha)(\bar\alpha) \Rightarrow E[\ell] = E[\alpha] \oplus E[\bar\alpha]$.
◮ For these primes, compute modulo degree-$(\ell - 1)/2$ factors of division polynomials (of degree $(\ell^2 - 1)/2$).
◮ Heuristically (assuming enough split primes), reduces complexity from $\tilde{O}(\log^5 q)$ to $\tilde{O}(\log^4 q)$ bit ops.
◮ Problem: we don't know which $\ell$ split in advance; testing and splitting a given $\ell$ is complicated...
◮ Need to build & factor modular polynomials
◮ Extension to genus 2 is problematic

  11. Our idea:
◮ $\mathbb{Z} \subset \mathbb{Z}[\phi] \subset \mathbb{Z}[\pi, \pi^\dagger]$; but $\mathbb{Z} \subset \mathbb{Z}[\phi]$ is explicit, so we can split primes $\ell$ in $\mathbb{Z}[\phi]$ instead of $\mathbb{Z}[\pi, \pi^\dagger]$.
◮ Split $(\ell) = (\alpha_1)(\alpha_2) \Rightarrow J_C[\ell] = J_C[\alpha_1] \oplus J_C[\alpha_2]$. Efficient $\phi \Rightarrow$ explicit $J_C[\alpha_1]$ and $J_C[\alpha_2]$.
◮ Compute in $J_C[\alpha_1]$ and $J_C[\alpha_2]$ faster than in $J_C[\ell]$.
◮ Hence, compute $\chi_\ell$ faster for split $\ell$.
◮ The split $\ell$ are known in advance: $(\Delta/\ell) = 1$; Cebotarev density $\Rightarrow$ half the primes $\ell$ split in $\mathbb{Z}[\phi]$.
◮ Also, explicit $\mathbb{Z}[\phi] \Rightarrow$ a better search space (so we need fewer $\chi_\ell$ to determine $\chi$).
◮ $\rightarrow$ a much better complexity for computing $\chi$.

  12. The details:
Suppose $\ell$ splits in $\mathbb{Z}[\phi]$. For our families, the primes over $\ell$ are principal:
$$(\ell) = (\alpha_1)(\alpha_2) \quad\text{and}\quad J_C[\ell] = J_C[\alpha_1] \oplus J_C[\alpha_2].$$
◮ We can compute generators $\alpha_i = a_i + b_i\phi$ with $a_i, b_i$ in $O(\sqrt{\ell})$.
◮ The $[a_i]$- and $[b_i]$-division polys have degree in $O(\ell)$.
◮ $\Rightarrow$ the $\alpha_i$-division polys have degree in $O(\ell)$.
◮ $\Rightarrow$ kernel ideals $I_{\alpha_i}$ have degrees in $O(\ell^2)$ (& we can compute $I_{\alpha_i}$ in $\tilde{O}(\ell^3)$ field operations).
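The arithmetic in $\mathbb{Z}[\phi]$ behind slides 11 and 12, as an added example (not code from the slides or from the authors): which primes $\ell$ split, decided in advance from $(\Delta/\ell) = 1$, and for each split $\ell$ a generator $\alpha_1 = a + b\phi$ of small height together with its conjugate $\alpha_2$, checked by multiplying them out to $\pm\ell$. The slides keep $\mathbb{Z}[\phi]$ and $\Delta$ abstract; this example assumes the concrete order with $\phi^2 = \phi + 1$, i.e. $\mathbb{Z}[\phi] = \mathbb{Z}[(1+\sqrt5)/2]$ and $\Delta = 5$, so that $N(a + b\phi) = a^2 + ab - b^2$. The generator search and its coefficient bound are this example's own brute force, not the authors' method.

```python
from math import isqrt

# Added example, not from the slides.  Assumed order: Z[phi] with phi^2 = phi + 1,
# so Delta = 5 and N(a + b*phi) = a^2 + a*b - b^2.  Elements are pairs (a, b).
DELTA = 5


def legendre(a, p):
    """(a/p) for an odd prime p not dividing a, via Euler's criterion."""
    r = pow(a % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def is_prime(n):
    """Trial division; fine for the small ell used here."""
    return n >= 2 and all(n % d for d in range(2, isqrt(n) + 1))


def split_primes(delta, bound):
    """Odd primes ell < bound, not dividing delta, with (delta/ell) = 1: these
    are the ell that split in Z[phi], and they are known before any curve
    computation.  (ell = 2 and ell | delta are left out of the example.)"""
    return [ell for ell in range(3, bound)
            if is_prime(ell) and delta % ell != 0 and legendre(delta, ell) == 1]


def norm(a, b):
    """N(a + b*phi) under the assumed relation phi^2 = phi + 1."""
    return a * a + a * b - b * b


def mul(x, y):
    """Product in Z[phi]: (a + b*phi)(c + d*phi) = ac + bd + (ad + bc + bd)*phi."""
    a, b = x
    c, d = y
    return (a * c + b * d, a * d + b * c + b * d)


def conjugate(a, b):
    """The Galois conjugate a + b*phi' with phi' = 1 - phi, i.e. (a + b) - b*phi."""
    return (a + b, -b)


def small_generator(ell):
    """Search a + b*phi with |N| = ell and |a|, |b| <= 2*sqrt(ell) + 2 (an
    example-chosen bound, matching the slides' O(sqrt(ell)) claim for the primes
    tested here).  Returns (a, b), or None when ell does not split."""
    B = 2 * isqrt(ell) + 2
    for a in range(0, B + 1):
        for b in range(-B, B + 1):
            if abs(norm(a, b)) == ell:
                return (a, b)
    return None


def split_ideal(ell):
    """(alpha_1, alpha_2) with (ell) = (alpha_1)(alpha_2), or None if ell is inert."""
    alpha1 = small_generator(ell)
    if alpha1 is None:
        return None
    return alpha1, conjugate(*alpha1)


if __name__ == "__main__":
    split = split_primes(DELTA, 100)
    print("split primes below 100:", split)
    for ell in split:
        alpha1, alpha2 = split_ideal(ell)
        print(f"ell={ell}: alpha1={alpha1}, alpha2={alpha2}, alpha1*alpha2={mul(alpha1, alpha2)}")
```

For $\Delta = 5$ quadratic reciprocity turns the test into $\ell \equiv \pm 1 \pmod 5$, which is why the split primes below 100 are 11, 19, 29, 31, 41, 59, 61, 71, 79, 89, roughly half of the odd primes, as the Cebotarev heuristic on the slide predicts. The product `mul(alpha1, alpha2)` always comes out as an integer $\pm\ell$ (zero $\phi$-coefficient), which is the factorisation $(\ell) = (\alpha_1)(\alpha_2)$ that lets $J_C[\ell]$ be handled as $J_C[\alpha_1] \oplus J_C[\alpha_2]$.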
