point counting in genus 2 reaching 128 bits
play

Point counting in genus 2: reaching 128 bits P. Gaudry E. Schost - PowerPoint PPT Presentation

Apr 01, 2023 •45 likes •425 views

Point counting in genus 2: reaching 128 bits P. Gaudry E. Schost Cacao project ORCCA CNRS-INRIA UWO Thanks to Dan Bernstein and Nikki Pitcher Genus 2 curves and associated objects In what follows: C is the curve defined over F p by

  1. Point counting in genus 2: reaching 128 bits ´ P. Gaudry E. Schost Cacao project ORCCA CNRS-INRIA UWO Thanks to Dan Bernstein and Nikki Pitcher

  2. Genus 2 curves and associated objects In what follows: • C is the curve defined over F p by y 2 = x 5 + f 4 x 4 + f 3 x 3 + f 2 x 2 + f 1 x + f 0 , with p large prime. • J is its Jacobian – variety of dimension 2 ; – we will work in Mumford coordinates. • K is the associated Kummer surface – K = J after identifying opposite points; – a variety of dimension 2 too; – we won’t work with it too much.

  3. Our question Finding a curve • whose Jacobian and its twist have an almost prime cardinality; • over a prime field ; • with small coefficients ; – the coefficients defining the Kummer surface should be small integers, to make scalar multiplication fast. • with p = 2 127 − 1. We are not there yet, but almost. • A first 128 bit run. • The curve was rather random, but slightly favorable.

  4. Previous work, large characteristic Schoof (1985): polynomial time algorithm for elliptic curves. • Pila (1990): algorithm for abelian varieties. • Kampk¨ otter (1991): genus 2 algorithm. • Adleman-Huang (1996), Huang-Ierardi (1998): improvements of Pila’s work. • Gaudry-Harley (2000): genus 2 algorithm, p ≃ 2 61 . • Gaudry-S. (2004): cryptographic size: p ≃ 2 82 . Baby steps / giant steps • Matsuo-Chao-Tsujii (2002): efficient strategy. • Gaudry-S. (2004): parallel, low-memory version of Matsuo-Chao-Tsujii. Sutherland (2007) • curves whose twist has a smooth order.

  5. Schoof’s approach Let χ = T 4 − s 1 T 3 + s 2 T 2 − ps 1 T + p 2 ∈ Z [ T ] be the characteristic polynomial of the Frobenius endomorphism on J . • card( J ) = χ (1); • for ℓ ∈ N , computing the ℓ -torsion (or a subset of it) gives χ mod ℓ (up to some indeterminacy, maybe). General scheme: • for as many coprimes ℓ 1 , . . . , ℓ r as possible, compute the ℓ -torsion; • some collision detection technique is used if we do not have enough precision to conclude by Chinese remaindering: If ℓ 1 · · · ℓ r = m , then the cost is about p 0 . 75 /m .

  6. Concretely It boils down to solving polynomial systems. Some numbers: • an element of the Jacobian has 4 coordinates with 2 relations. • ℓ -torsion has cardinality ℓ 4 . Large primes: up to ℓ = 31 or ℓ = 37 ( ℓ = 43 doable?) • bivariate resultants. Prime powers: • nice improvements on 2 k -torsion and 3 k -torsion; • dull improvements on 5 k -torsion and 7 k -torsion.

  7. Concretely Software environment: NTL • does better than Magma for the routines we need – most basic routines on uni (bi, tri) -variate polynomials. • convenient • on the other hand, no Gr¨ obner engine – anyway, faster workarounds.

  8. Large primes

  9. Reduction to bivariate solving Mostly from Gaudry-Harley and Gaudry-S. : • Rewrite [ ℓ ] D = 0 as D = P 1 ( x 1 , y 1 ) + P 2 ( x 2 , y 2 ) , [ ℓ ] P 1 = − [ ℓ ] P 2 . • You get equations in ( x 1 , y 1 , x 2 , y 2 ) with symmetries. • Rewrite these equations in the elementary symmetric polynomials. Saves a factor of 2. • Bivariate equations: bivariate resultants. • Output size ≃ ℓ 4 , cost O ˜( ℓ 6 ) operations in F p . O ˜ means we neglect logarithmic factors. What’s left to improve: • Bivariate resultants are sub-optimal. • Systems are over-determined, but we don’t know how to exploit it.

  10. Lifting the 2-torsion

  11. Lifting the torsion While (possible==true) do ℓ 4 solutions; • write the equations that say [ ℓ ] P k +1 = P k • extend the base field with one solution; ℓ → ℓ 2 → ℓ 3 → · · · • continue. Here, we deal with ℓ = 2 , 3 , 5 , 7 • general techniques (Gr¨ obner bases, resultants) do not perform very well; • the systems are simple enough that specialized solutions may pay off: – ℓ = 2: reduction to square-root extraction; – ℓ = 3: deformation techniques & root-finding; – ℓ = 5 , 7: bivariate resultants, again.

  12. Using the Kummer surface Chudnovsky 2 , Gaudry: • fast formulas for scalar multiplication in K ; • in particular, doubling: the coordinates of [2]( x, y, z, t ) are obtained through a few linear combinations and squarings. Consequence: 2 4 = 16 • division by 2 is done in K by taking 4 square roots; • the points in K are mapped back to J .

  13. Handling quadratic extensions Fact • Each division-by-2 doubles the degree of the current base field over F p (after k steps, we are in a degree 2 k extension) Possible data representations Triangular Primitive element   T 1 ( X 1 ) X 1 = V 1 ( T )       . .   . . P ( T ) = 0 , . .     T k ( X 1 , . . . , X k ) X k = V k ( T )     deg( P, T ) = 2 k deg( T k , X k ) = 2

  14. Computations 1. We use a primitive element representation • multiplications, inverses cost O ˜(2 k ) 2. Taking square roots requires some work: • when no root exists, extend the base field. • main subroutine : modular composition A, B, C �→ A ( B ) mod C . • most other operations reduce to composition or a dual form of it. – irreducibility tests – finding new primitive elements • cost : O ˜(2 1 . 5 k ) (polynomial operations) + O (2 2 k ) (linear algebra)

  15. In detail We start step k with  X 1 = V 1 ( T )    .  . deg( P, T ) = 2 k , P ( T ) = 0 , .   X k = V k ( T )   and P irreducible. We want to find a square root of A ( T ). Facts: in real life, • factoring in F p [ X ] is fast ; • taking square roots in F p [ X ] /P ( X ) is slow .

  16. Our approach 1. Change the order.   Y 2 − A ( X ) X − B ( Y )   deg( Q ) = 2 deg( P ) . − → P ( X ) Q ( Y )   Nice case: Y is a primitive element. Cost: similar to that of modular composition. 2. Factor. • either Q is irreducible, • or it has two factors of the same degree. Cost: similar to that of modular composition, up to some log’s. 3. Update. Cost: similar to that of modular composition.

  17. Lifting the 3-torsion

  18. Tools required For the 3-torsion, we found no nice formula as for ℓ = 2. Possible workarounds: • Gr¨ obner • resultants • something else Remark: • All solutions should have a cost of about O ˜( C (3 k )), with C (3 k ) the cost of modular composition in degree 3 k . • It’s all in the constant. • Upcoming: deformation techniques (Pardo-San Martin).

  19. Deformation techniques Basic idea • The system [3] P = Q is parametrized by the coordinates of Q . • Set up a homotopy between the target [3] P = Q and an initial system [3] P 0 = Q 0 for which we know the solutions basically, we let Q t = (1 − t ) Q 0 + tQ . • Compute a description of the solution curve and let t = 1.

  20. Deformation techniques Basic idea • The system [3] P = Q is parametrized by the coordinates of Q . • Set up a homotopy between the target [3] P = Q and an initial system [3] P 0 = Q 0 for which we know the solutions basically, we let Q t = (1 − t ) Q 0 + tQ . • Compute a description of the solution curve and let t = 1. Q Q 0

  21. Deformation techniques Basic idea • The system [3] P = Q is parametrized by the coordinates of Q . • Set up a homotopy between the target [3] P = Q and an initial system [3] P 0 = Q 0 for which we know the solutions basically, we let Q t = (1 − t ) Q 0 + tQ . • Compute a description of the solution curve and let t = 1. Q Q 0

  22. Deformation techniques Basic idea • The system [3] P = Q is parametrized by the coordinates of Q . • Set up a homotopy between the target [3] P = Q and an initial system [3] P 0 = Q 0 for which we know the solutions basically, we let Q t = (1 − t ) Q 0 + tQ . • Compute a description of the solution curve and let t = 1. Q Q 0

  23. Deformation techniques Basic idea • The system [3] P = Q is parametrized by the coordinates of Q . • Set up a homotopy between the target [3] P = Q and an initial system [3] P 0 = Q 0 for which we know the solutions basically, we let Q t = (1 − t ) Q 0 + tQ . • Compute a description of the solution curve and let t = 1. Q Q 0

  24. Deformation techniques Basic idea • The system [3] P = Q is parametrized by the coordinates of Q . • Set up a homotopy between the target [3] P = Q and an initial system [3] P 0 = Q 0 for which we know the solutions basically, we let Q t = (1 − t ) Q 0 + tQ . • Compute a description of the solution curve and let t = 1. Q Q 0

  25. Lifting Main tool: Newton iteration. 1. Lifting Q . I lied: • We don’t set Q t = (1 − t ) Q 0 + tQ , because Q doesn’t live in a linear space. • So we set X ( Q t ) = (1 − t ) X ( Q 0 ) + tX ( Q ), and we lift the ordinates. • This is easy. 2. Lifting P . Most of the time is spent evaluating the system [3] P = Q t and its Jacobian at power series. • The system is huge : don’t expand it! • There is a “nice” straight-line program (+gradient).

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Point counting for genus 2 curves SchoofPila with real multiplication Division polys Kernels

Point counting for genus 2 curves SchoofPila with real multiplication Division polys Kernels

Genus 2, faster Gaudry, Kohel, Smith Genus 1 and 2 Point counting Point counting for genus 2 curves SchoofPila with real multiplication Division polys Kernels Schoof complexity Pierrick Gaudry, David Kohel, Benjamin Smith BSGS Real

407 views • 18 slides
Point Counting for Genus 2 Curves Division polys with Real Multiplication Kernels Schoof

Point Counting for Genus 2 Curves Division polys with Real Multiplication Kernels Schoof

Genus 2, faster Gaudry, Kohel, Smith Genus 1 and 2 Point counting Point Counting for Genus 2 Curves Division polys with Real Multiplication Kernels Schoof complexity BSGS Pierrick Gaudry, David Kohel, Benjamin Smith Real multiplication

550 views • 20 slides
Point counting on hyperelliptic curves: to genus 3 and beyond Simon Abelard Universit de

Point counting on hyperelliptic curves: to genus 3 and beyond Simon Abelard Universit de

Point counting on hyperelliptic curves: to genus 3 and beyond Simon Abelard Universit de Lorraine, Nancy Joint work with P. Gaudry and P.-J. Spaenlehauer January 25, 2018 CARAMBA /* */ E,C, /* */ c,r, /* */ u,l, e,s, i=5,

907 views • 36 slides
Counting numerical semigroups of a given genus by using -hyperelliptic semigroups Matheus

Counting numerical semigroups of a given genus by using -hyperelliptic semigroups Matheus

Counting numerical semigroups of a given genus by using -hyperelliptic semigroups Matheus Bernardini 1 University of Campinas / Federal Institute of S ao Paulo (Joint work in progress with Fernando Torres 1 ) International Meeting on

779 views • 51 slides
MIPS Instruction Formats 6 bits 5 bits 5 bits 5 bits 5 bits 6 bits for instance,

MIPS Instruction Formats 6 bits 5 bits 5 bits 5 bits 5 bits 6 bits for instance,

MIPS Instruction Formats 6 bits 5 bits 5 bits 5 bits 5 bits 6 bits for instance, add r1, r2, r3 has - 000000 00010 00011 00001 00000 100000 opcode (OP) tells the machine which format 1 VAX Instruction Formats (x86

431 views • 20 slides
Bijective counting of one-face maps on surfaces. Guillaume Chapuy*, SFU * PIMS-CNRS postdoc

Bijective counting of one-face maps on surfaces. Guillaume Chapuy*, SFU * PIMS-CNRS postdoc

Bijective counting of one-face maps on surfaces. Guillaume Chapuy*, SFU * PIMS-CNRS postdoc Discrete Math seminar, UBC, 2009. Orientable surfaces Map of genus g = graph drawn (without edge-crossings) on a surface of genus g , such that each

1.27k views • 95 slides
Counting partitions of a fixed genus G abor Hetyei Joint work with Robert Cori Department of

Counting partitions of a fixed genus G abor Hetyei Joint work with Robert Cori Department of

Outline Preliminaries and main result Proof and instances of our main result Counting partitions of a fixed genus G abor Hetyei Joint work with Robert Cori Department of Mathematics and Statistics University of North Carolina at Charlotte

1.27k views • 124 slides
Number Systems and Computer Arithmetic Counting to four billion two fingers at a time CSE 141,

Number Systems and Computer Arithmetic Counting to four billion two fingers at a time CSE 141,

Number Systems and Computer Arithmetic Counting to four billion two fingers at a time CSE 141, S2'06 Jeff Brown What do all those bits mean now? bits (011011011100010 ....01) data instruction number text chars .............. R-format

861 views • 46 slides
Video 1: Intro to Floating point (Unsigned) Fixed-point representation The numbers are stored

Video 1: Intro to Floating point (Unsigned) Fixed-point representation The numbers are stored

Video 1: Intro to Floating point (Unsigned) Fixed-point representation The numbers are stored with a fixed number of bits for the integer part and a fixed number of bits for the fractional part. Suppose we have 8 bits to store a real number,

205 views • 18 slides
Floating point representation (Unsigned) Fixed-point representation The numbers are stored with a

Floating point representation (Unsigned) Fixed-point representation The numbers are stored with a

Floating point representation (Unsigned) Fixed-point representation The numbers are stored with a fixed number of bits for the integer part and a fixed number of bits for the fractional part. Suppose we have 8 bits to store a real number, where

906 views • 39 slides
Point-to-Point Links Outline Encoding (bits) Framing (frames) Error Detection Sliding Window

Point-to-Point Links Outline Encoding (bits) Framing (frames) Error Detection Sliding Window

Point-to-Point Links Outline Encoding (bits) Framing (frames) Error Detection Sliding Window Algorithm 1 Encoding Signals propagate over a physical medium modulate electromagnetic waves e.g., vary voltage Encode binary

152 views • 11 slides
Exact Four-Point Functions: Genus Expansion, Matrix Model, and Strong Coupling T ILL B ARGHEER

Exact Four-Point Functions: Genus Expansion, Matrix Model, and Strong Coupling T ILL B ARGHEER

Exact Four-Point Functions: Genus Expansion, Matrix Model, and Strong Coupling T ILL B ARGHEER Leibniz Universitt Hannover 1711.05326 , 1809.09145 : TB, J. Caetano, T. Fleury, S. Komatsu, P. Vieira 1904.00965 , 1909.04077 : TB, F. Coronado, P.

502 views • 34 slides
1 Transducers Inherently Discrete values devices that convert from one representation to

1 Transducers Inherently Discrete values devices that convert from one representation to

Interpretation of bits depends on context meaning of a group of bits depends on how they are interpreted 1 byte could be Bits, Bytes, 1 bit in use, 7 wasted bits (e.g., M/F in a database) 8 bits storing a number between 0 and 255

543 views • 3 slides
Is Automated Function Point Counting Useful Yet? David Kempisty Michael Harris Zurich Insurance

Is Automated Function Point Counting Useful Yet? David Kempisty Michael Harris Zurich Insurance

Is Automated Function Point Counting Useful Yet? David Kempisty Michael Harris Zurich Insurance David Consulting Group Agenda Review IFPUG Tool Certification Requirements Introduce the counting capabilities and approaches of some

536 views • 29 slides
Computer Systems What the actual bits represent depends on the context: Numerical value

Computer Systems What the actual bits represent depends on the context: Numerical value

Binary Representation Information is represented as a sequence of binary digits: Bits Computer Systems What the actual bits represent depends on the context: Numerical value (integer, floating point, fixed point) Sequence of

390 views • 22 slides
CS 457 Lecture 8 Switching and Forwarding Fall 2011 Course So Far Can communicate over a

CS 457 Lecture 8 Switching and Forwarding Fall 2011 Course So Far Can communicate over a

CS 457 Lecture 8 Switching and Forwarding Fall 2011 Course So Far Can communicate over a point to point link Encode bits on the wire (NRZ, Manchester, etc) Make frames (header + data) Check for errors (CRC, parity bits)

521 views • 24 slides
Abelian extensions of number fields Jared Asuncion ALGANT Symposium Jared Asuncion Abelian

Abelian extensions of number fields Jared Asuncion ALGANT Symposium Jared Asuncion Abelian

Abelian extensions of number fields Jared Asuncion ALGANT Symposium Jared Asuncion Abelian extensions of number fields ALGANT Symposium 1 / 18 Definition A number field is a field extension of Q of finite degree. Definition An abelian

586 views • 42 slides
Entity storage, the Drupal 8 way Francesco Placella Coding and development -

Entity storage, the Drupal 8 way Francesco Placella Coding and development -

Entity storage, the Drupal 8 way Francesco Placella Coding and development - http://bit.ly/d8-esa About me Francesco Placella, plach on drupal.org, from Venice, Italy Senior Performance Engineer at Tag1 Consulting Working with Drupal

633 views • 39 slides
The first-order theory of finitely generated Statements Distinguishing fields F.g. fields

The first-order theory of finitely generated Statements Distinguishing fields F.g. fields

The first-order theory of finitely generated fields Bjorn Poonen The first-order theory of finitely generated Statements Distinguishing fields F.g. fields fields 3 questions Rumelys work Preparations Quadratic forms Building

549 views • 27 slides
IMDEA Networks, Madrid, Spain 1 2 Many GHz of spectrum available at mm-wave frequencies

IMDEA Networks, Madrid, Spain 1 2 Many GHz of spectrum available at mm-wave frequencies

Joerg Widmer, Research Professor IMDEA Networks, Madrid, Spain 1 2 Many GHz of spectrum available at mm-wave frequencies (multi-Gbit/s per user) Very high levels of spatial reuse through highly directional antennas BUT: High path

361 views • 11 slides
A Weil descent homomorphism over the base field Darlison Nyirenda and Ed Schaefer University of

A Weil descent homomorphism over the base field Darlison Nyirenda and Ed Schaefer University of

A Weil descent homomorphism over the base field Darlison Nyirenda and Ed Schaefer University of Witwatersrand and Santa Clara University October 11, 2013 A homomorphism from an abelian variety to a group with sub-expl DLP, that is defined

439 views • 23 slides
EXPLORING TRANSCENDENTAL EXTENSIONS ADHEEP JOSEPH MENTOR: JORDAN HIRSH DIRECTED READING PROGRAM,

EXPLORING TRANSCENDENTAL EXTENSIONS ADHEEP JOSEPH MENTOR: JORDAN HIRSH DIRECTED READING PROGRAM,

EXPLORING TRANSCENDENTAL EXTENSIONS ADHEEP JOSEPH MENTOR: JORDAN HIRSH DIRECTED READING PROGRAM, SUMMER 2018 UNIVERSITY OF MARYLAND, COLLEGE PARK AGENDA FIELD AND FIELD EXTENSIONS FIELD AXIOMS o ALGEBRAIC EXTENSIONS o TRANSCENDENTAL

358 views • 13 slides
Computing integral bases of algebraic function fields Simon Abelard LIX, cole Polytechnique

Computing integral bases of algebraic function fields Simon Abelard LIX, cole Polytechnique

Computing integral bases of algebraic function fields Simon Abelard LIX, cole Polytechnique Institut Polytechnique de Paris March 5, 2020 Simon Abelard Integral bases March 5, 2020 1 / 15 Algebraic function fields, integral bases

422 views • 38 slides
Hopf Algebroids in Homological Algebra Uli Kr ahmer joint work with Niels Kowalzig Shanghai,

Hopf Algebroids in Homological Algebra Uli Kr ahmer joint work with Niels Kowalzig Shanghai,

Hopf Algebroids in Homological Algebra Uli Kr ahmer joint work with Niels Kowalzig Shanghai, 16.9.2011 Uli Kr ahmer (joint work with Niels Kowalzig) Hopf algebroids Shanghai, 16.9.2011 1 / 29 A point of departure The following has

791 views • 68 slides

More recommend