point counting for genus 2 curves
play

Point counting for genus 2 curves SchoofPila with real - PowerPoint PPT Presentation

Oct 02, 2022 •224 likes •407 views

Genus 2, faster Gaudry, Kohel, Smith Genus 1 and 2 Point counting Point counting for genus 2 curves SchoofPila with real multiplication Division polys Kernels Schoof complexity Pierrick Gaudry, David Kohel, Benjamin Smith BSGS Real

  1. Genus 2, faster Gaudry, Kohel, Smith Genus 1 and 2 Point counting Point counting for genus 2 curves Schoof–Pila with real multiplication Division polys Kernels Schoof complexity Pierrick Gaudry, David Kohel, Benjamin Smith BSGS Real multiplication Benjamin Smith RM families INRIA Saclay–ˆ Ile-de-France Split primes Laboratoire d’Informatique de l’´ Ecole polytechnique (LIX) Smaller kernels New relations Geocrypt, Bastia, 20/6/2011 RM Complexity Implementation Cryptographic Jacobians Extreme experiments

  2. Genus 2, faster Gaudry, Kohel, Genus 2 cryptosystems have security and efficiency Smith comparable 1 with elliptic curve cryptosystems... Genus 1 and 2 Point counting Schoof–Pila Division polys Let E / F p 1 and C / F p 2 have genus 1 and 2, respectively, Kernels such that E and J C have the same prime order N . Schoof complexity BSGS The advantages of using E or C are debatable. Real multiplication RM families Split primes Smaller kernels ...but setting up secure genus 2 instances is much harder. New relations ◮ 256-bit EC: SEA in seconds RM Complexity Implementation ◮ 256-bit abelian surface: replace seconds with days. Cryptographic Jacobians Extreme experiments 1 In the paper-generation sense of the word

  3. Genus 2, faster Given C : y 2 = f ( x ) of genus 2 over F q Gaudry, Kohel, Smith (q odd, J C ordinary, absolutely irreducible) Genus 1 and 2 we want to compute # J C ( F q ). Point counting Schoof–Pila Division polys Equivalently: Kernels Schoof complexity Compute the characteristic polynomial of Frobenius BSGS χ ( T ) = T 4 − s 1 T 3 + ( s 2 + 2 q ) T 2 − qs 1 T + q 2 , Real multiplication RM families which is subject to the Weil bounds Split primes Smaller kernels | s 1 | ≤ 4 √ q and | s 2 | ≤ 4 q New relations RM Complexity and the R¨ uck bounds Implementation Cryptographic Jacobians s 2 1 − 4 s 2 ≥ 0 and s 2 + 4 q ≥ 2 | s 1 | . Extreme experiments

  4. Genus 2, faster Schoof’s idea: Gaudry, Kohel, Smith characteristic polynomial of Frobenius acting on J C [ ℓ ] is Genus 1 and 2 χ ℓ ( T ) := χ ( T ) mod ( ℓ ) , Point counting Schoof–Pila ( π 2 + [¯ s 1 ]( π 2 + [¯ q ]) 2 ( D ) − [¯ s 2 ] π 2 ( D ) = 0 q ]) π ( D ) + [¯ Division polys Kernels for all D in J C [ ℓ ] (here ¯ · denotes residue mod ℓ ). Schoof complexity To compute χ , we compute χ ℓ for sufficiently many prime BSGS (powers) ℓ to recover χ via the CRT. Real multiplication RM families Split primes Smaller kernels To compute χ ℓ : New relations RM Complexity 1. compute generic D in J C [ ℓ ]; Implementation 2. compute π 2 ( D ), ( π 2 + [¯ q ]) π ( D ), and ( π 2 + [¯ q ]) 2 ( D ); Cryptographic Jacobians 3. search for [¯ s 1 ] and [¯ s 2 ] s.t. the relation holds. Extreme experiments

  5. Genus 2, faster Let ( u , v ) be a generic point of C , and D its image in J C . Gaudry, Kohel, Smith We say φ ∈ End ( J C ) is explicit if we can compute Genus 1 and 2 polynomials d 0 , d 1 , d 2 , e 0 , e 1 , e 2 such that � � � � Point counting x 2 + d 1 ( u ) d 2 ( u ) x + d 0 ( u ) e 2 ( u ) x + e 0 ( u ) e 1 ( u ) φ ( D ) = d 2 ( u ) , y − v . Schoof–Pila e 2 ( u ) Division polys Kernels Schoof complexity BSGS We call the d i and e i the φ -division polynomials . Real multiplication (= Cantor’s ℓ -division polys for φ = [ ℓ ]) RM families Split primes Smaller kernels New relations We say that φ is efficiently computable RM Complexity if the φ -division polynomials have low degree. Implementation (ie evaluating φ is in O (1) field ops) Cryptographic Jacobians (Note: [ ℓ ]-division polys have degree in O ( ℓ 2 )) Extreme experiments

  6. Genus 2, faster Computing generic elements of ker φ ⊂ J C Gaudry, Kohel, Smith Let φ be an explicit endomorphism, Genus 1 and 2 ( u 1 , v 1 ) , ( u 2 , v 2 ) generic points on C , Point counting D 1 , D 2 their images in J C . Schoof–Pila D = ( x 2 + a 1 x + a 0 , y − ( b 1 x + b 0 )) := D 1 + D 2 Division polys Kernels is a generic point of J C . Schoof complexity BSGS 1. Compute φ ( D 1 ) and φ ( D 2 ); Real multiplication 2. Solve for ( u 1 , v 1 , u 2 , v 2 ) in φ ( D 1 ) = − φ ( D 2 ); RM families Split primes 3. Resymmetrizing, compute a triangular ideal I φ Smaller kernels of relations in a 1 , a 0 , b 1 , b 0 satisfied when D ∈ ker φ . New relations Suppose degree of φ -division polynomials bounded by δ : RM Complexity Implementation ◮ compute I φ in � O ( δ 3 ) F q -operations; Cryptographic ◮ the degree of I φ is in O ( δ 2 ) Jacobians Extreme experiments

  7. Genus 2, faster Computing χ ℓ : Gaudry, Kohel, Smith The [ ℓ ]-division polynomials have degree in O ( ℓ 2 ); Genus 1 and 2 the ideal I ℓ defining generic D ∈ J C [ ℓ ] has degree ℓ 4 . Point counting 1. Compute I ℓ in � O ( ℓ 6 ) field ops; Schoof–Pila 2. Compute π ( D ), ( π 2 − [¯ q ])( D ), and ( π 2 − [¯ q ]) 2 ( D ) Division polys O ( ℓ 4 log q ) field ops; in � Kernels Schoof complexity s 2 ) in � O ( ℓ 5 ) field ops; 3. Find the right (¯ s 1 , ¯ BSGS O ( ℓ 4 ( ℓ 2 + log q )) field ops. ⇒ we compute χ ℓ in � = Real multiplication RM families Split primes Smaller kernels Conventional Schoof–Pila complexity: New relations ◮ We need χ ℓ for the O (log q ) primes ℓ in O (log q ). RM Complexity O (log 7 q ) bit ops; Implementation ◮ We compute each χ ℓ in � Cryptographic O (log 8 q ) bit ops. ⇒ total cost to compute χ is in � ◮ = Jacobians Extreme experiments

  8. Genus 2, faster Gaudry, Kohel, The ℓ -torsion computations become awkward very quickly Smith in genus 2; we’re limited to ℓ = O (a handful of bits). Genus 1 and 2 This gives us s 1 and s 2 modulo some integer M . Point counting Schoof–Pila Division polys Kernels Schoof complexity We finish the computation using a generic algorithm BSGS such as BSGS, which runs in time Real multiplication O ( q 3 / 4 / M ) when M < 8 √ q , and ◮ � RM families � q / M ) when M ≥ 8 √ q . ◮ � O ( Split primes Smaller kernels New relations RM Complexity Implementation This all sounds pretty bad. Cryptographic Why would we want to use genus 2 again, anyway? Jacobians Extreme experiments

  9. Genus 2, faster Remember: Gaudry, Kohel, Smith Genus 2 is not just a two-dimensional analogue of genus 1 Genus 1 and 2 (it’s much more fun than that). Point counting Schoof–Pila Division polys Kernels Recall: Schoof complexity BSGS ◮ End ( J C ) ⊗ Q = Q ( π ) is a quartic CM-field. Real multiplication ◮ Complex conjugation = Rosati involution α �→ α † RM families √ ◮ Real quadratic subfield: Q ( π + π † ) ∼ = Q ( ∆) Split primes for some ∆ > 0 . Smaller kernels New relations ◮ We say C has RM by O if O is a real quadratic order RM Complexity isomorphic to a subring of End ( J C ) Implementation ◮ the C with RM by a fixed ring form Humbert surfaces Cryptographic Jacobians in the 3-dimensional moduli space. Extreme experiments

  10. Genus 2, faster We can construct genus 2 curves with efficient RM Gaudry, Kohel, Smith using some explicit one/two-parameter families. Genus 1 and 2 (Mestre, Tautz–Top–Verberkmoes, Hashimoto, Brumer...) Point counting Schoof–Pila Division polys Kernels Consider the Tautz–Top–Verberkmoes family Schoof complexity C : y 2 = x 5 − 5 x 3 + 5 x + t . BSGS Real multiplication We have an explicit endomorphism φ defined by RM families Split primes φ (( u , v )) = ( x 2 − τ ux + u 2 + τ 2 − 4 , y − v ) Smaller kernels New relations where τ = ζ 5 + ζ − 1 (in F q if q �≡ ± 2 mod 5). RM Complexity 5 Implementation We have φ 2 + φ − 1 = 0, so √ Cryptographic C has efficient RM by Z [ φ ] ∼ = Z [ 1+ 5 ]. Jacobians 2 Extreme experiments

  11. Genus 2, faster Gaudry, Kohel, Smith Our idea: Genus 1 and 2 Point counting ◮ Cebotarev density = ⇒ half the primes ℓ split in Z [ φ ]. Schoof–Pila ◮ These splittings correspond to decompositions Division polys of the ℓ -torsion. Kernels Schoof complexity ◮ φ is efficient = ⇒ we can make the decomposition BSGS factors explicit. Real multiplication ◮ We can compute in the factors faster than in J C [ ℓ ]. RM families ◮ Hence, we can compute χ ℓ faster for split ℓ . Split primes Smaller kernels ◮ Also, explicit Z [ φ ] = ⇒ a better search space New relations (so we need fewer χ ℓ to determine χ ). RM Complexity ◮ − → a much better complexity for computing χ . Implementation Cryptographic Jacobians Extreme experiments

  12. Genus 2, faster Gaudry, Kohel, Smith The details: Genus 1 and 2 Suppose ℓ splits in Z [ φ ]. Point counting For our families, the primes over ℓ are principal: Schoof–Pila Division polys ( ℓ ) = ( α 1 )( α 2 ) and J C [ ℓ ] = J C [ α 1 ] ⊕ J C [ α 2 ] Kernels Schoof complexity BSGS ◮ We can compute generators α i = a i + b i φ Real multiplication √ RM families with a i , b i in O ( ℓ ) Split primes ◮ The [ a i ]- and [ b i ]-division polys have degree in O ( ℓ ) Smaller kernels ◮ = ⇒ the α i -division polys have degree in O ( ℓ ) New relations ◮ the kernel ideals I α i have degrees in O ( ℓ 2 ) RM Complexity (+ we can compute I α i in � O ( ℓ 3 ) field operations). Implementation Cryptographic Jacobians Extreme experiments

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Point Counting for Genus 2 Curves Division polys with Real Multiplication Kernels Schoof

Point Counting for Genus 2 Curves Division polys with Real Multiplication Kernels Schoof

Genus 2, faster Gaudry, Kohel, Smith Genus 1 and 2 Point counting Point Counting for Genus 2 Curves Division polys with Real Multiplication Kernels Schoof complexity BSGS Pierrick Gaudry, David Kohel, Benjamin Smith Real multiplication

550 views • 20 slides
Point counting on hyperelliptic curves: to genus 3 and beyond Simon Abelard Universit de

Point counting on hyperelliptic curves: to genus 3 and beyond Simon Abelard Universit de

Point counting on hyperelliptic curves: to genus 3 and beyond Simon Abelard Universit de Lorraine, Nancy Joint work with P. Gaudry and P.-J. Spaenlehauer January 25, 2018 CARAMBA /* */ E,C, /* */ c,r, /* */ u,l, e,s, i=5,

907 views • 36 slides
Point counting in genus 2: reaching 128 bits P. Gaudry E. Schost Cacao project ORCCA

Point counting in genus 2: reaching 128 bits P. Gaudry E. Schost Cacao project ORCCA

Point counting in genus 2: reaching 128 bits P. Gaudry E. Schost Cacao project ORCCA CNRS-INRIA UWO Thanks to Dan Bernstein and Nikki Pitcher Genus 2 curves and associated objects In what follows: C is the curve defined over F p by

425 views • 38 slides
Efficient Doubling on Genus Two Curves over Binary Fields (SAC 2004) Marc Stevens Tanja Lange

Efficient Doubling on Genus Two Curves over Binary Fields (SAC 2004) Marc Stevens Tanja Lange

Efficient Doubling on Genus Two Curves over Binary Fields (SAC 2004) Marc Stevens Tanja Lange Eindhoven University Ruhr-Universitt of Technology Bochum Overview Elliptic Curves Hyperelliptic Curves HEC of Genus 2

473 views • 33 slides
ECC2011 summer school September 1516, 2011 Point counting algorithms on hyperelliptic curves

ECC2011 summer school September 1516, 2011 Point counting algorithms on hyperelliptic curves

ECC2011 summer school September 1516, 2011 Point counting algorithms on hyperelliptic curves F. Morain I. Introduction and motivations Goal: build an effective group of cryptographic strength, resisting all known attacks. Dream: find

834 views • 48 slides
Smaller class invariants for constructing curves of genus 2 Marco Streng The 15th workshop on

Smaller class invariants for constructing curves of genus 2 Marco Streng The 15th workshop on

Smaller class invariants for constructing curves of genus 2 Marco Streng The 15th workshop on Elliptic Curve Cryptography ECC 2011 INRIA, Nancy, France Sep 19 21, 2011 Overview genus 1 genus 2 constructing curves part 1 part 2 smaller

428 views • 38 slides
Moduli spaces of genus 2 curves with split Jacobians through K3 surfaces Abhinav Kumar Stony

Moduli spaces of genus 2 curves with split Jacobians through K3 surfaces Abhinav Kumar Stony

Moduli spaces of genus 2 curves with split Jacobians through K3 surfaces Abhinav Kumar Stony Brook October 22, 2015 Abhinav Kumar Genus 2 curves with split Jacobians 1 / 33 Introduction Let C be a genus 2 curve over a field k , and J = Jac (

1.1k views • 88 slides
Update on Diophantine records for genus-3 curves ICERM workshop on Computational Aspects of

Update on Diophantine records for genus-3 curves ICERM workshop on Computational Aspects of

Update on Diophantine records for genus-3 curves ICERM workshop on Computational Aspects of L-functions and related topics 12 November 2015 Noam D. Elkies, Harvard University Update on Diophantine records for genus-3 curves ICERM workshop on

685 views • 20 slides
Sato-Tate groups of genus 2 curves Kiran S. Kedlaya Department of Mathematics, University of

Sato-Tate groups of genus 2 curves Kiran S. Kedlaya Department of Mathematics, University of

Sato-Tate groups of genus 2 curves Kiran S. Kedlaya Department of Mathematics, University of California, San Diego kedlaya@ucsd.edu http://kskedlaya.org Arithmetic of Hyperelliptic Curves NATO Advanced Study Institute Ohrid, Macedonia, August

1.31k views • 88 slides
Counting numerical semigroups of a given genus by using -hyperelliptic semigroups Matheus

Counting numerical semigroups of a given genus by using -hyperelliptic semigroups Matheus

Counting numerical semigroups of a given genus by using -hyperelliptic semigroups Matheus Bernardini 1 University of Campinas / Federal Institute of S ao Paulo (Joint work in progress with Fernando Torres 1 ) International Meeting on

779 views • 51 slides
The elliptic-curve zoo D. J. Bernstein University of Illinois at Chicago EC point counting 1983

The elliptic-curve zoo D. J. Bernstein University of Illinois at Chicago EC point counting 1983

The elliptic-curve zoo D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985) Schoof: Algorithm to count points on elliptic curves over finite fields. Input: prime power q ; F q such that 6(4

784 views • 47 slides
Smaller class invariants for constructing curves of genus 2 Marco Streng Geocrypt Corsica June

Smaller class invariants for constructing curves of genus 2 Marco Streng Geocrypt Corsica June

Smaller class invariants for constructing curves of genus 2 Marco Streng Geocrypt Corsica June 2011 Overview genus 1 genus 2 constructing curves part 1 part 2 smaller class invariants part 3 part 4 Part 1: The Hilbert class polynomial

440 views • 43 slides
Serres obstruction for genus 3 curves Christophe Ritzenthaler Institut de Mathmatiques de

Serres obstruction for genus 3 curves Christophe Ritzenthaler Institut de Mathmatiques de

Serres obstruction for genus 3 curves Christophe Ritzenthaler Institut de Mathmatiques de Luminy, CNRS Geocrypt, Guadeloupe, April 27 - May 1, 2009 1 / 54 Outline Geometric versus arithmetic Torelli theorem 1 Siegel modular forms 2 A

720 views • 54 slides
Hash functions from superspecial genus-2 curves using Richelot isogenies Wouter Castryck, Thomas

Hash functions from superspecial genus-2 curves using Richelot isogenies Wouter Castryck, Thomas

Hash functions from superspecial genus-2 curves using Richelot isogenies Wouter Castryck, Thomas Decru , and Benjamin Smith NutMiC 2019, Paris June 24, 2019 Background 2006: hash functions based on supersingular elliptic curves (Charles,

564 views • 52 slides
Equivalent Curves in Surfaces Anja Bankovi c University of Illinois Equivalent Curves Fix a

Equivalent Curves in Surfaces Anja Bankovi c University of Illinois Equivalent Curves Fix a

Equivalent Curves in Surfaces Anja Bankovi c University of Illinois Equivalent Curves Fix a closed surface S , genus g 2. Equivalent Curves Fix a closed surface S , genus g 2. (Horowitz, Randol) n Z + 1 , . . . , n ,

734 views • 46 slides
A database of genus 3 curves over Q Andrew V. Sutherland MIT May 17, 2018 Joint with Raymond

A database of genus 3 curves over Q Andrew V. Sutherland MIT May 17, 2018 Joint with Raymond

A database of genus 3 curves over Q Andrew V. Sutherland MIT May 17, 2018 Joint with Raymond van Bommel, Andrew Booker, Edgar Costa, John Cremona, Tim Dokchitser, Francesc Fit, David Harvey, Kiran Kedlaya, Davide Lombardo, Elisa Lorenzo,

606 views • 21 slides
Controlled reduction in the p -adic cohomology of toric hypersurfaces Kiran S. Kedlaya (joint

Controlled reduction in the p -adic cohomology of toric hypersurfaces Kiran S. Kedlaya (joint

Controlled reduction in the p -adic cohomology of toric hypersurfaces Kiran S. Kedlaya (joint work with David Harvey, UNSW) Department of Mathematics, Massachusetts Institute of Technology; kedlaya@mit.edu Department of Mathematics, University of

1.51k views • 53 slides
Annual General Meeting 23 July 2019 Hotels, E xp erien c es &amp; S er vic es T H E F I R S T

Annual General Meeting 23 July 2019 Hotels, E xp erien c es &amp; S er vic es T H E F I R S T

Annual General Meeting 23 July 2019 Hotels, E xp erien c es &amp; S er vic es T H E F I R S T M Y A N M A R T O U R I S M P L A T F O R M L I S T E D O N T H E S I N G A P O R E E X C H A N G E Overview of Myanmar Tourism Market

427 views • 14 slides
CM-Points on Straight Lines A joint work with Amalia Pizarro-Madariaga Bill Allombert &amp; Yuri

CM-Points on Straight Lines A joint work with Amalia Pizarro-Madariaga Bill Allombert &amp; Yuri

CM-Points on Straight Lines A joint work with Amalia Pizarro-Madariaga Bill Allombert &amp; Yuri Bilu Bordeaux September 23, 2014 Complex Multiplication Lattices j -invariant Complex Multiplication Class Field Theory The Class Number

1.46k views • 128 slides
Ultracold atoms in optical lattices: beyond the Hubbard model Sebas&amp;ano Pila&amp;

Ultracold atoms in optical lattices: beyond the Hubbard model Sebas&amp;ano Pila&amp;

Ultracold atoms in optical lattices: beyond the Hubbard model Sebas&amp;ano Pila&amp; The Abdus Salam Interna(onal Centre for Theore(cal Physics Trieste- Italy COLLABORATORS:

308 views • 27 slides
twenty seven masonry construction: www.theeagle.com beams &amp; columns Masonry Construction 1

twenty seven masonry construction: www.theeagle.com beams &amp; columns Masonry Construction 1

E LEMENTS OF A RCHITECTURAL S TRUCTURES : F ORM, B EHAVIOR, AND D ESIGN ARCH 614 D R. A NNE N ICHOLS S PRING 2018 lecture twenty seven masonry construction: www.theeagle.com beams &amp; columns Masonry Construction 1 Elements of

376 views • 25 slides
Fast MC simulation for top studies S.Chekanov (ANL) Feb 2013 Introduction ~ 3 months ago

Fast MC simulation for top studies S.Chekanov (ANL) Feb 2013 Introduction ~ 3 months ago

Fast MC simulation for top studies S.Chekanov (ANL) Feb 2013 Introduction ~ 3 months ago we have started a new project called Inclusive boosted top studies using a jet X fast MC simulation (Delphes) for LO+PS models +

564 views • 13 slides
How to Count like a Mathematician Counting Warmup Round 1 squares Lara Pudwell dominoes

How to Count like a Mathematician Counting Warmup Round 1 squares Lara Pudwell dominoes

How to Count like a Mathe- matician Lara Pudwell Introduction How to Count like a Mathematician Counting Warmup Round 1 squares Lara Pudwell dominoes Round 2 trees Department of Mathematics and Computer Science blocks The Bigger

1.11k views • 83 slides
Recursion II Fundamentals of Computer Science Outline Recursion A method calling itself

Recursion II Fundamentals of Computer Science Outline Recursion A method calling itself

Recursion II Fundamentals of Computer Science Outline Recursion A method calling itself A new way of thinking about a problem A powerful programming paradigm Examples: Last time: Factorial, binary search, H-tree,

644 views • 43 slides

More recommend