Introduction of CM-method of Hyperelliptic Curves of Genus 2
Pei-Chuan Tsai
Department of Computer Science, National Chiao Tung University
Aug. 14, 2007
Pei-Chuan Tsai, Introduction of CM-method of Hyperelliptic Curves of Genus 2
Aug. 14, 2007, 1 / 22, Cryptanalysis Lab
Outline
1 Introduction
2 Definition
   Hyperelliptic curve
   Divisor
   HCDLP
   Group order of hyperelliptic curve of genus 2
   Igusa invariants (j-invariants)
3 Complex Multiplication
   CM-field
   Theta constants
   Igusa’s invariants
   Mestre’s algorithm
Introduction
• We can construct the elliptic curves we use by
1. subfield curve (construct $E(\mathbb{F}_{p^n})$ by $E(\mathbb{F}_p)$)
2. Schoof’s algorithm (or SEA algorithm)
3. CM-method
• No point-counting algorithm exists for randomly chosen hyperelliptic curves with large group order ($2^{160}$).
Definition - Hyperelliptic curve (1/2)
• (Def.) A curve given by an equation of the form
$$C : y^2 + h(x)y = f(x), \qquad h, f \in K[x],\ \deg(f) = 2g + 1,\ \deg(h) \le g,\ f \text{ monic}$$
is called a hyperelliptic curve of genus $g$ over $K$ if no point $P = (x, y)$, $x, y \in K$, satisfies both partial derivative equations $2y + h = 0$ and $f' - h'y = 0$.
• Examples:
1. Hyperelliptic curve of genus 1 over $K$ (elliptic curve)
$$y^2 = x^3 + Ax + B, \qquad A, B \in K$$
2. Hyperelliptic curve of genus 2 over $K$
$$y^2 = x^5 + f_4x^4 + f_3x^3 + \cdots + f_0, \qquad f_i \in K,\ i = 0, \ldots, 4$$
Definition - Hyperelliptic curve (2/2)
• In the case of odd characteristic, the transformation $y \mapsto y' - h(x)/2$ allows us to consider an isomorphic curve of the form
$$y'^2 = f(x) = x^{2g+1} + f_{2g}x^{2g} + \cdots + f_1x + f_0, \qquad f_i \in K,$$
where $f$ has no multiple roots over $K$.
• Example: The hyperelliptic curve
$$y^2 + 2xy = x^5 + f_4x^4 + f_3x^3 + f_2x^2 + f_1x + f_0$$
is isomorphic to
$$y'^2 = x^5 + f_4x^4 + f_3x^3 + (f_2 - 1)x^2 + f_1x + f_0$$
where $y' = y + x$.
Definition - Divisor
• (Def.) Let $C$ be a hyperelliptic curve of genus $g$ over $K$. The group of divisors of $C$ of degree 0 over $K$ is given by
$$\mathrm{Div}^0(C) = \Big\{ D = \sum_{P \in C} n_P P \ \Big|\ n_P \in \mathbb{Z},\ \sum_{P \in C} n_P = 0, \text{ and such that } \sigma(D) = D,\ \forall \sigma \in G_K \Big\}$$
where $G_K$ is the Galois group of $K$.
• (Def.) The divisor class group (Jacobian) of $C$ is defined by
$$J(C) = \mathrm{Div}^0(C)/\mathrm{Princ}(C)$$
HCDLP
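• Let $D_1$ be a divisor in $J_C(\mathbb{F}_q)$ with known order $N$, and let $D_2 \in \langle D_1 \rangle$. It is hard to find an integer $\lambda$ such that
$$D_2 = \lambda D_1$$
[Figure: the Jacobian $J(C)$, the quotient group of $\mathrm{Div}^0(C)$ by the group of principal divisors $\mathrm{Princ}(C)$, with the elements $D_1$, $2D_1$ and $D_2 = \lambda D_1$ marked.]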
Group order of hyperelliptic curve of genus 2
• The isogeny
$$(x, y) \mapsto (x^p, y^p)$$
on the curve $C$ (over $\mathbb{F}_p$) induces an endomorphism $\pi$ on the Jacobian $J_C$. The endomorphism $\pi$ is called the Frobenius endomorphism.
• The characteristic polynomial of the Frobenius is a polynomial of degree 4.
• Once we know the roots $\pi_i$ of the characteristic polynomial, we can determine the group order by
$$\#J(C) = \prod_{i=1}^{4} (1 - \pi_i).$$
Group order - Example
• Recall the Frobenius endomorphism of an elliptic curve: for an elliptic curve $E$ over $\mathbb{F}_p$,
$$\#E(\mathbb{F}_p) = p + 1 - t$$
and the Frobenius endomorphism is a root of
$$F(X) = X^2 - tX + p$$
→ $\#E(\mathbb{F}_p) = F(1)$
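The genus-2 analogue of $\#E(\mathbb{F}_p) = F(1)$, as an added example that is not part of the original slides: it counts points of $y^2 = f(x)$ over $\mathbb{F}_p$ and $\mathbb{F}_{p^2}$ by exhaustive search, builds the degree-4 characteristic polynomial of Frobenius and evaluates it at $X = 1$. It assumes a small odd prime $p$ and a squarefree monic quintic $f$; the function names and the sample curve are constructed for illustration.

```python
# Added example, not from the slides: #J(C)(F_p) for y^2 = f(x) of genus 2.
from itertools import product

def _nonresidue(p):
    """Smallest quadratic non-residue mod an odd prime p (Euler's criterion)."""
    return next(c for c in range(2, p) if pow(c, (p - 1) // 2, p) == p - 1)

def _mul(a, b, p, c):
    """Product in F_{p^2} = F_p[w]/(w^2 - c); elements are pairs (a0, a1)."""
    return ((a[0] * b[0] + c * a[1] * b[1]) % p, (a[0] * b[1] + a[1] * b[0]) % p)

def _is_square(v, q, p, c):
    """Euler's criterion in F_q: v^((q-1)/2) == 1 exactly for nonzero squares."""
    r, e = (1, 0), (q - 1) // 2
    while e:
        if e & 1:
            r = _mul(r, v, p, c)
        v, e = _mul(v, v, p, c), e >> 1
    return r == (1, 0)

def count_points(f, p, degree):
    """Points of y^2 = f(x) over F_{p^degree} (degree 1 or 2), infinity included.
    f holds the coefficients of the monic quintic from x^5 down to x^0."""
    c, q = _nonresidue(p), p ** degree
    xs = [(x, 0) for x in range(p)] if degree == 1 else product(range(p), repeat=2)
    total = 1                                   # the single point at infinity
    for x in xs:
        v = (0, 0)
        for coef in f:                          # Horner evaluation of f(x)
            v = _mul(v, x, p, c)
            v = ((v[0] + coef) % p, v[1])
        total += 1 if v == (0, 0) else 2 * _is_square(v, q, p, c)
    return total

def frobenius_charpoly(f, p):
    """Coefficients of X^4 + a1 X^3 + a2 X^2 + a1 p X + p^2, high to low."""
    n1, n2 = count_points(f, p, 1), count_points(f, p, 2)
    a1 = n1 - p - 1
    a2 = (n2 - p * p - 1 + a1 * a1) // 2
    return [1, a1, a2, a1 * p, p * p]

def jacobian_order(f, p):
    """#J(C)(F_p) = prod(1 - pi_i) = chi(1), i.e. the sum of the coefficients."""
    return sum(frobenius_charpoly(f, p))

if __name__ == "__main__":                      # constructed sample: y^2 = x^5 + 1 over F_7
    print(frobenius_charpoly([1, 0, 0, 0, 0, 1], 7), jacobian_order([1, 0, 0, 0, 0, 1], 7))
```

Exhaustive counting is only feasible for toy primes; for group orders of cryptographic size this is exactly the step the CM-method replaces.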
Igusa invariants (j-invariants)
• Let $C : y^2 = x^5 + f_4x^4 + f_3x^3 + f_2x^2 + f_1x + f_0$ be a hyperelliptic curve of genus 2. Then the three invariants $j_i$ of the Jacobian of $C$ can be expressed by
$$j_1 = I_2^5/I_{10}, \qquad j_2 = I_2^3 I_4/I_{10}, \qquad j_3 = I_2^2 I_6/I_{10}$$
where the $I_i$’s are given in terms of the coefficients $f_j$:
$$I_2 = 6f_3^2 - 16f_4f_2 + 40f_1,$$
$$I_4 = 4(f_4^2 f_2^2 - 3f_3f_2^2 - 3f_4^2 f_3f_1 + \cdots + 75f_2f_0),$$
$$I_6 = -2(-4f_4^2 f_3^2 f_2^2 + 12f_3^3 f_2^2 + \cdots - 1125f_3f_0^2),$$
$$I_{10} = f_4^2 f_3^2 f_2^2 f_1^2 - 4f_3^3 f_2^2 f_1^2 - \cdots + 3125f_0^4.$$
• Hence we can compute the invariants $j_i$ of the curve $C$ if we know the curve equation.
Conversely, from the invariants we get a system of polynomial equations for the coefficients of an equation defining $C$.
Basic concept
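[Figure: diagram comparing the two cases. Elliptic curve case, labels: $E(\mathbb{F}_p)$; $E(\mathbb{C})$ isomorphic to $\mathbb{C}/L_\tau$; the same endomorphism ring; compute the j-invariant and $H(X) \in \mathbb{Z}[x]$; $H(X) \bmod p$, modulo $p$; j-invariant (mod $p$). Genus-2 case, labels: $C(\mathbb{F}_p)$; $J(C)$ isomorphic to $\mathbb{C}^2/L$; compute $\theta_i$, $j_i$, $H_i(X) \in \mathbb{Q}[x]$; find the denominator, $H'_i(X) \in \mathbb{Z}[x]$; j-invariant (mod $p$); Mestre’s algorithm.]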
Rough idea of the algorithm
1. Fix a CM-field $K$ and find a suitable prime $p$ and a possible group order $n$.
2. List all principally polarized abelian varieties over $\mathbb{C}$ having complex multiplication by $\mathcal{O}_K$ (→ find the corresponding period matrix).
3. Compute the ten theta constants $\theta_i$.
4. Compute Igusa’s invariants $j_1, j_2, j_3$ from the theta constants. Reduce them modulo $p$.
5. Compute Mestre’s invariants $Q_{ij}$ and $H_{ijk}$ from $j_1, j_2, j_3$.
6. Apply Mestre’s algorithm to get the equation of the hyperelliptic curve $C$.
7. Check whether the group order $\#J_C(\mathbb{F}_p)$ is equal to $n$.
CM-field
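• Choose a squarefree $d \in \mathbb{N}$ such that $K_0 = \mathbb{Q}(\sqrt{d})$ has class number one.
Choose $\alpha = a + b\sqrt{d}$ squarefree and totally positive, i.e., $a \pm b\sqrt{d} > 0$.
Then $K = K_0(i\sqrt{\alpha})$ is a CM-field of degree 4.
Example: $K = \mathbb{Q}\big(i\sqrt{3 + \sqrt{7}}\big)$
• Period matrix
Given a principally polarized abelian variety of type $(K, 1, \psi)$ of the form $(s_j, s_j^{\psi})$, the corresponding period matrix is given by
$$\Omega_{s_j,\, s_j^{\psi}} = \frac{1}{\omega - \omega^{\sigma}} \begin{pmatrix} \omega^2 s_j - (\omega^{\psi})^2 s_j^{\psi} & \omega s_j - \omega^{\psi} s_j^{\psi} \\ \omega s_j - \omega^{\psi} s_j^{\psi} & s_j - s_j^{\psi} \end{pmatrix}$$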
Theta constants (1/2)
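• The definition of the theta constants in terms of the period matrix $\Omega$ for genus $g = 2$:
$$\theta\begin{bmatrix}\delta\\ \epsilon\end{bmatrix}(z, \Omega) = \sum_{n \in \mathbb{Z}^2} \exp\left( \pi i \left(n + \tfrac{1}{2}\delta\right)^t \Omega \left(n + \tfrac{1}{2}\delta\right) + 2\pi i \left(n + \tfrac{1}{2}\delta\right)^t \left(z + \tfrac{1}{2}\epsilon\right) \right)$$
where $\delta, \epsilon \in \{0, 1\}^2$.
• It can be shown that
$$\theta\begin{bmatrix}\delta\\ \epsilon\end{bmatrix}(0, \Omega) = 0$$
if $\delta\epsilon^t = 1 \bmod 2$.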
Theta constants (2/2)
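• So we compute the 10 theta constants for which $\delta^t\epsilon \equiv 0 \bmod 2$. They are given by
$$\theta_1 := \theta\begin{bmatrix}(0\,0)\\(0\,0)\end{bmatrix},\quad \theta_2 := \theta\begin{bmatrix}(0\,0)\\(1\,0)\end{bmatrix},\quad \theta_3 := \theta\begin{bmatrix}(0\,0)\\(0\,1)\end{bmatrix},\quad \theta_4 := \theta\begin{bmatrix}(0\,0)\\(1\,1)\end{bmatrix},$$
$$\theta_5 := \theta\begin{bmatrix}(1\,0)\\(0\,0)\end{bmatrix},\quad \theta_6 := \theta\begin{bmatrix}(1\,0)\\(0\,1)\end{bmatrix},\quad \theta_7 := \theta\begin{bmatrix}(0\,1)\\(0\,0)\end{bmatrix},\quad \theta_8 := \theta\begin{bmatrix}(0\,1)\\(1\,0)\end{bmatrix},$$
$$\theta_9 := \theta\begin{bmatrix}(1\,1)\\(0\,0)\end{bmatrix},\quad \theta_{10} := \theta\begin{bmatrix}(1\,1)\\(1\,1)\end{bmatrix}.$$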
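A numerical check of the two theta-constant slides, as an added example that is not part of the original slides: it evaluates all 16 characteristics $\delta, \epsilon \in \{0,1\}^2$ at $z = 0$ with a truncated sum, confirms that the six odd ones vanish, and that the ten even ones are exactly $\theta_1, \ldots, \theta_{10}$ as listed. The period matrix `OMEGA`, the truncation bound and the function names are constructed for illustration.

```python
# Added example, not from the slides: the 16 genus-2 theta constants at z = 0.
import cmath
from itertools import product

# Constructed sample period matrix: symmetric, imaginary part positive definite.
OMEGA = ((0.3 + 1.2j, 0.1 + 0.2j),
         (0.1 + 0.2j, -0.2 + 1.5j))

# theta_1 .. theta_10 as (delta, eps) pairs, in the order listed on the slide.
SLIDE_EVEN = [((0, 0), (0, 0)), ((0, 0), (1, 0)), ((0, 0), (0, 1)), ((0, 0), (1, 1)),
              ((1, 0), (0, 0)), ((1, 0), (0, 1)), ((0, 1), (0, 0)), ((0, 1), (1, 0)),
              ((1, 1), (0, 0)), ((1, 1), (1, 1))]

def theta_constant(delta, eps, omega=OMEGA, bound=8):
    """theta[delta; eps](0, Omega), summed over |n_i| <= bound.
    The terms decay like exp(-pi * Im(Omega) * n^2), so a small bound suffices."""
    total = 0j
    for n in product(range(-bound, bound + 1), repeat=2):
        m = (n[0] + delta[0] / 2, n[1] + delta[1] / 2)        # n + delta/2
        quad = (m[0] * m[0] * omega[0][0] + 2 * m[0] * m[1] * omega[0][1]
                + m[1] * m[1] * omega[1][1])                  # m^t Omega m
        lin = m[0] * eps[0] / 2 + m[1] * eps[1] / 2           # m^t (eps/2)
        total += cmath.exp(cmath.pi * 1j * quad + 2j * cmath.pi * lin)
    return total

def split_by_parity(omega=OMEGA):
    """Evaluate all 16 characteristics and group them by delta^t eps mod 2."""
    even, odd = {}, {}
    for delta in product((0, 1), repeat=2):
        for eps in product((0, 1), repeat=2):
            parity = (delta[0] * eps[0] + delta[1] * eps[1]) % 2
            (odd if parity else even)[(delta, eps)] = theta_constant(delta, eps, omega)
    return even, odd

if __name__ == "__main__":
    even, odd = split_by_parity()
    print("largest |odd theta constant|:", max(abs(v) for v in odd.values()))
    for k, key in enumerate(SLIDE_EVEN, 1):
        print(f"theta_{k} = {even[key]:.6f}")
```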
Igusa’s invariants (1/2)
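• Given the 10 theta characteristics evaluated at the period matrix $\Omega^{(i)}$ ($i = 1, \cdots, s$), we can compute the three j-invariants of the corresponding hyperelliptic curve.
1. First, we define $h_4^{(i)}, h_{10}^{(i)}, h_{12}^{(i)}, h_{16}^{(i)}$:
$$h_4^{(i)} := \sum_{k=1}^{10} \theta_k^8,$$
$$h_{10}^{(i)} := \prod_{k=1}^{10} \theta_k^2,$$
$$h_{12}^{(i)} := (\theta_1\theta_5\theta_2\theta_9\theta_6\theta_{10})^4 + \cdots + (\theta_1\theta_6\theta_{10}\theta_3\theta_7\theta_4)^4,$$
$$h_{16}^{(i)} := \theta_8^4(\theta_1\theta_5\theta_2\theta_9\theta_6\theta_8\theta_{10})^4 + \cdots + \theta_4^4(\theta_1\theta_9\theta_8\theta_{10}\theta_3\theta_7\theta_4)^4.$$
2. Then we get four invariants $I_2^{(i)}, I_4^{(i)}, I_6^{(i)}, I_{10}^{(i)}$:
$$I_2^{(i)} := \frac{h_{12}^{(i)}}{h_{10}^{(i)}}, \qquad I_4^{(i)} := h_4^{(i)}, \qquad I_6^{(i)} := \frac{h_{16}^{(i)}}{h_{10}^{(i)}}, \qquad I_{10}^{(i)} := h_{10}^{(i)}$$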
Igusa’s invariants (2/2)
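• (continued)
3. And the three invariants are given by
$$j_1^{(i)} := \frac{\big(I_2^{(i)}\big)^5}{I_{10}^{(i)}}, \qquad j_2^{(i)} := \frac{\big(I_2^{(i)}\big)^3 I_4^{(i)}}{I_{10}^{(i)}}, \qquad j_3^{(i)} := \frac{\big(I_2^{(i)}\big)^2 I_6^{(i)}}{I_{10}^{(i)}}$$
• For these invariants, we can compute the class polynomials
$$H_1(X) = \prod_{i=1}^{s} \big(X - j_1^{(i)}\big), \qquad H_2(X) = \prod_{i=1}^{s} \big(X - j_2^{(i)}\big), \qquad H_3(X) = \prod_{i=1}^{s} \big(X - j_3^{(i)}\big).$$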
Igusa’s invariants (mod p)
• Given the class polynomials $H_1(X), H_2(X), H_3(X) \in \mathbb{Q}[x]$, we find the denominator of each polynomial and get the polynomials $H'_1(X), H'_2(X), H'_3(X) \in \mathbb{Z}[x]$
→ $$H_i(X) = \frac{1}{p_1^{k_1} p_2^{k_2} \cdots p_n^{k_n}} H'_i(X)$$
• For each $(a_1, a_2, a_3)$ where $H'_i(a_i) = 0 \bmod p$, we get a candidate triple of the invariants mod $p$
$$j_1 := a_1, \quad j_2 := a_2, \quad j_3 := a_3.$$
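The denominator-clearing and root-finding step above, as an added example that is not part of the original slides: each $H_i \in \mathbb{Q}[x]$ is scaled to $H'_i \in \mathbb{Z}[x]$, its roots mod $p$ are found by exhaustive search, and every combination of roots is returned as a candidate triple. The three polynomials and the prime 11 are constructed toy values, not real class polynomials, and the rejection of primes dividing a denominator is an assumption added here.

```python
# Added example, not from the slides: candidate triples (j1, j2, j3) mod p.
from fractions import Fraction
from functools import reduce
from itertools import product
from math import gcd

def clear_denominator(h):
    """H(X) in Q[X] (coefficients high to low) -> (denominator, H'(X) in Z[X])."""
    den = reduce(lambda a, b: a * b // gcd(a, b), (c.denominator for c in h), 1)
    return den, [int(c * den) for c in h]

def roots_mod_p(h_int, p):
    """All a in F_p with H'(a) = 0 mod p, by exhaustive search (small p only)."""
    roots = []
    for a in range(p):
        v = 0
        for c in h_int:                 # Horner evaluation mod p
            v = (v * a + c) % p
        if v == 0:
            roots.append(a)
    return roots

def candidate_triples(h1, h2, h3, p):
    """Every (a1, a2, a3) with H'_i(a_i) = 0 mod p; most pairings are wrong
    and are discarded later by the group-order check."""
    per_poly = []
    for h in (h1, h2, h3):
        den, h_int = clear_denominator(h)
        if den % p == 0:                # assumption: such p are simply rejected
            raise ValueError("p divides the denominator of a class polynomial")
        per_poly.append(roots_mod_p(h_int, p))
    return list(product(*per_poly))

# Constructed toy polynomials with rational coefficients (not real class polynomials).
H1 = [Fraction(1), Fraction(-7, 2), Fraction(3, 2)]     # (X - 1/2)(X - 3)
H2 = [Fraction(1), Fraction(1, 3), Fraction(-2, 3)]     # (X - 2/3)(X + 1)
H3 = [Fraction(1), Fraction(-21, 4), Fraction(5, 4)]    # (X - 1/4)(X - 5)

if __name__ == "__main__":
    print(clear_denominator(H1))
    print(candidate_triples(H1, H2, H3, 11))
```

With $s$ roots per polynomial there are up to $s^3$ candidate triples, which is why the final comparison of $\#J_C(\mathbb{F}_p)$ with $n$ cannot be skipped.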
Mestre’s algorithm (1/4)
• For a given candidate triple of invariants $(j_1, j_2, j_3)$, we can use Mestre’s algorithm to find the equation of the corresponding hyperelliptic curve:
1. Define Mestre’s invariants $A, B, C, D$ and invariants $j'_1, j'_2, j'_3$
$$j'_1 = A^5/D, \qquad j'_2 = A^3B/D, \qquad j'_3 = A^2C/D$$
which satisfy
$$j'_1 = -\frac{j_1}{120^5}, \qquad j'_2 = \frac{720\,j'_1}{6750} - \frac{j_2}{120^3 \cdot 6750},$$
$$j'_3 = \frac{j_3}{120^2 \cdot 2025 \cdot 100} + \frac{1080\,j'_2}{2025} - \frac{16\,j'_1}{375}$$
and relate Mestre’s invariant $D$ to Igusa’s discriminant $\Delta$ ($= I_{10}$) by
$$\alpha = \frac{D}{\Delta}$$
Mestre’s algorithm (2/4)
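• (continued)
2. Since $\alpha = \frac{D}{\Delta}$, we can express $\alpha$ in terms of $j'_i$:
$$\alpha = -\frac{1}{4556250}\left(\frac{1}{j'_1} + 62208\right) + \frac{16\,j'_2}{75\,j'_1} + \frac{16\,j'_3}{45\,j'_1} - \frac{2\,j'^2_2}{3\,j'^2_1} - \frac{4\,j'_2 j'_3}{3\,j'^2_1}$$
3. Define a conic $Q(j_1, j_2, j_3)$ by the equation
$$\sum_{1 \le i, k \le 3} Q_{ik} x_i x_k = 0$$
with
$$Q_{11} = \frac{6j'_3 + j'_2}{3j'_1}, \qquad Q_{12} = Q_{21} = \frac{2\left(j'^2_2 + j'_1 j'_3\right)}{3j'^2_1},$$
$$Q_{13} = Q_{31} = Q_{22} = \alpha, \qquad Q_{23} = Q_{32} = \frac{1}{j'^2_1}\left(\frac{j'^3_2}{3j'_1} + \frac{4j'_2 j'_3}{9} + \frac{2j'^2_3}{3}\right),$$
$$Q_{33} = \frac{1}{j'^2_1}\left(\frac{j'_1 j'_2 \alpha}{2} + \frac{2j'^2_2 j'_3}{9j'_1} + \frac{2j'^2_3}{9}\right)$$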
Mestre’s algorithm (3/4)
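• (continued)
4. Define a cubic $H(j_1, j_2, j_3)$ given by the equation
$$\sum_{1 \le i, k, l \le 3} H_{ikl} x_i x_k x_l$$
where
$$H_{111} = \frac{2\left(j'_1 j'_3 - 6j'_2 j'_3 + 9j'^2_1 \alpha\right)}{9j'^2_1},$$
$$H_{112} = H_{211} = \frac{2j'^3_2 + 4j'_1 j'_2 j'_3 + 12j'_1 j'^2_3 + j'^3_1 \alpha}{9j'^3_1},$$
$$H_{113} = H_{311} = H_{131} = H_{122} = \cdots$$
$$\vdots$$
$$H_{333} = \cdots$$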
Mestre’s algorithm (4/4)
• (continued)
5. We would like to parametrize the conic such that
$$Q_{j_1, j_2, j_3}(f_1(t), f_2(t), f_3(t)) = 0.$$
Then plug the parametrization $(f_1(t), f_2(t), f_3(t))$ into the cubic
$$\sum_{1 \le i, k, l \le 3} H_{ikl} f_i(t) f_k(t) f_l(t)$$
to get the model of the hyperelliptic curve
$$y^2 = \sum_{1 \le i, k, l \le 3} H_{ikl} f_i(t) f_k(t) f_l(t) =: f(t).$$
6. Transform $f$ into a polynomial ($g$) of degree 5 if possible. Then the curve $y^2 = g(t)$ will be the curve we wanted.