HAL Id: inria-00514826
https://hal.inria.fr/inria-00514826
Submitted on 3 Sep 2010
HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.
An extension of Kedlaya’s algorithm to superelliptic curves
Pierrick Gaudry, Nicolas Gürel
To cite this version:
Pierrick Gaudry, Nicolas Gürel. An extension of Kedlaya's algorithm to superelliptic curves. Asiacrypt, 2001, Gold Coast, Australia. pp. 480-494, 10.1007/3-540-45682-1_28. inria-00514826
An Extension of Kedlaya's Algorithm to Superelliptic Curves
Pierrick Gaudry and Nicolas Gürel
LIX, École polytechnique, 91128 Palaiseau Cedex, France
{gaudry, gurel}@lix.polytechnique.fr
Abstract. We present an algorithm for counting points on superelliptic curves $y^r = f(x)$ over a finite field $\mathbb{F}_q$ of small characteristic different from $r$. This is an extension of an algorithm for hyperelliptic curves due to Kedlaya. In this extension, the complexity, assuming $r$ and the genus are fixed, is $O(\log^{3+\varepsilon} q)$ in time and space, just like for hyperelliptic curves. We give some numerical examples obtained with our first implementation, thus proving that cryptographic sizes are now reachable.
1 Introduction

In the past few years a lot of candidates have been proposed to enlarge the set of groups that can be used in protocols based on the discrete logarithm problem like Diffie-Hellman or ElGamal. Beside the classical multiplicative groups of finite fields, the most famous are certainly the systems based on elliptic curves [21, 26]. Indeed, for these systems the only general attacks known are variants of the Pollard Rho method which require exponential time computation; in practice it means that the key size is much shorter than in a system that uses finite fields. Thereafter, systems based on hyperelliptic curves were proposed [22]. They seem to have the same advantages as elliptic curve cryptosystems (at least when the genus is less than 4 [1, 14]).

More recently, systems based on the discrete logarithm problem in the Jacobians of other curves were designed. Namely, in the literature, we can now find algorithms for working in Jacobians of superelliptic curves [13] and of $C_{ab}$ curves [2]. Several works related to these curves have already been published, concerning security issues [4], efficiency [17, 6], building curves with known number of points [3], or possible use in a Weil restriction attack on elliptic curves [5]. The next step for studying the possible cryptographic use of these curves is to conceive an algorithm for counting points of the Jacobian of a random curve. Indeed, this is thought to be one of the most secure ways of building a cryptosystem by a large part of the community.

In the case of elliptic curves, this problem of point counting has been a challenge of the past 15 years and nowadays we have satisfactory solutions. When the characteristic of the base field is large the best known method is Schoof's algorithm and all the improvements leading to the so-called Schoof-Elkies-Atkin algorithm. We refer to [7] or [23] for surveys of these techniques and to the refer-
to be enough for cryptographic sizes. The situation is quite different in small characteristic: two years ago, Satoh [32] showed that $p$-adic methods using the canonical lift could lead to an algorithm asymptotically faster than SEA. Some work has been done consequently on the subject to extend it to characteristic 2 [33, 9], to implement it and obtain new records [9], to use less memory [34], and to combine it with an early-abort strategy for generating secure curves [10]. Mestre, Harley and Gaudry recently proposed a related algorithm, based on the arithmetic-geometric mean, for elliptic curves and hyperelliptic curves of genus 2 in characteristic 2; a nice feature of this technique is that it does not explicitly make use of $j$-invariants, of modular equations nor of Vélu-type formulae, and these had previously been the main obstructions to generalizing beyond the elliptic case. However, the AGM method does not seem to extend easily to non-hyperelliptic curves. Another approach, also using $p$-adic methods but not based on canonical lifting, has been proposed by Kedlaya [18]. His method applies to hyperelliptic curves in small odd characteristic. The complexity in time is $O(\log^{3+\varepsilon} q)$, for curves over $\mathbb{F}_q$ of fixed genus, i.e. the same as all the variants of Satoh's method, and the complexity in space is $O(\log^{3} q)$, which is the same as Satoh's original algorithm, but bad compared to the algorithm of [34] or AGM.

The contribution of this paper is twofold: firstly we show that Kedlaya's algorithm can be extended in a rather straightforward way to superelliptic curves; secondly we report some results obtained with our first implementation written in Magma. To our knowledge, these are the first published point counting computations for random hyperelliptic and superelliptic curves of cryptographic sizes.

The paper is organized as follows: after recalling some basics about curves and $p$-adic numbers, we describe Kedlaya's original algorithm and show how to adapt it for superelliptic curves. Then we give some more details on the way these algorithms can be handled in practice and we estimate the complexity. We conclude by numerical examples and remarks about the use of these curves in cryptography.
2 Background on Algebraic Curves and p-adic Number Rings

In this section, we recall some basic facts about algebraic curves over finite fields and $p$-adic numbers. We shall not give precise definitions and we refer the reader to classical books on the subject ([12, 20, 19, 24] for instance).

2.1 Hyperelliptic and Superelliptic Curves

Let $\mathbb{F}_q$ be a finite field with $q = p^n$ elements. We shall consider only two types of curves over $\mathbb{F}_q$, namely hyperelliptic and superelliptic curves.
equation of the form
$$y^r = f(x),$$
where $r$ is a prime different from $p$ and $f$ is monic, squarefree of degree $d$ coprime to $r$.

With such a definition, $C$ is non-singular in its affine part, and admits a unique place of degree 1 at infinity. Moreover its genus is given by
$$g = \frac{(d-1)(r-1)}{2}.$$

Definition 2 In characteristic different from 2, a hyperelliptic curve is a superelliptic curve whose equation is of the form $y^2 = f(x)$, with $r = 2$ and $f$ of degree $2g+1$.

Note that there exists a more general definition of hyperelliptic curves which does not exclude the case of characteristic 2. But the algorithms we will describe work only for this particular case.

Let $C$ be a superelliptic curve of genus $g$. Associated to this curve, one can define its Jacobian, noted $J(C)$, which is a finite abelian group. In the past few years, several algorithms were developed to compute explicitly in this group [13, 2, 17, 6]. The next step is to study the order of $J(C)$. For this the $q$-th power Frobenius endomorphism and its characteristic polynomial $\chi(T)$ are key tools. More precisely, $\chi(T)$ can be written as
$$\chi(T) = \sum_{i=0}^{2g} a_i T^i, \quad \text{with } a_{2g} = 1,\; a_i = q^{g-i} a_{2g-i} \text{ for } i = 0, \ldots, g-1,$$
and all its roots have absolute value $\sqrt{q}$. This is essentially the Riemann Hypothesis for zeta functions of curves. For us, the interesting fact is that $\#J(C) = \chi(1)$. Our goal in this paper is to compute $\chi(T)$ and to obtain $\#J(C)$ as a byproduct.
2.2 The Ring $\mathbb{Z}_q$

Let $K$ be the (unique up to isomorphism) unramified extension of degree $n$ of $\mathbb{Q}_p$; its residual field is $\mathbb{F}_q$. We denote by $\mathbb{Z}_q$ the ring of integers of $K$. In order to construct it, we can start with the polynomial $\bar{P}(t)$ which defines $\mathbb{F}_q$ as an algebraic extension of $\mathbb{F}_p$; we then consider the extension
$$\mathbb{Z}_q := \mathbb{Z}_p[t]/(P(t)),$$
where the polynomial $P(t)$ is obtained from $\bar{P}(t)$ by lifting trivially its coefficients to $p$-adic integers. In practice, an element $z$ of $\mathbb{Z}_q$ can be represented as a polynomial $z = z_{n-1} t^{n-1} + z_{n-2} t^{n-2} + \cdots + z_1 t + z_0$ taken modulo $P(t)$ and where the $z_i$ are integers modulo a power of $p$ called the precision at which the computation is done.

It can be shown that the Galois group of $K$ over $\mathbb{Q}_p$ is cyclic. We will denote
writing $z^{\sigma}$ for an element $z$ in $\mathbb{Z}_q$ expressed on a polynomial basis as above. Later on, we will describe how to precompute $t^{\sigma}$ and then $z^{\sigma}$ is obtained as follows:
$$z^{\sigma} = \left( \sum_{i=0}^{n-1} z_i t^i \right)^{\sigma} = \sum_{i=0}^{n-1} z_i \left(t^{\sigma}\right)^i.$$
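The representation of this section in working code, as an added example (not the authors' Magma implementation): elements of $\mathbb{Z}_q$ as coefficient lists modulo $p^N$, $t^{\sigma}$ obtained by Newton (Hensel) lifting from $t^p \bmod p$, and $z^{\sigma} = \sum z_i (t^{\sigma})^i$. The modulus $P(t)$, the prime $p$ and the precision $N$ used below are constructed inputs, and $P$ is assumed irreducible modulo $p$.

```python
# Added example, not the paper's code: Z_q = Z_p[t]/(P(t)) at precision p^N (section 2.2).
# An element is a list of n ints, the coefficients of 1, t, ..., t^(n-1), reduced mod p^N.
# P is monic of degree n >= 2, given as n+1 ints (low degree first), and is assumed
# (not checked) to be irreducible mod p, so that Z_q is unramified and P'(t) is a unit.
def zq_mul(a, b, P, p, N):
    """Product in Z_q: multiply, reduce modulo the monic P(t), then reduce mod p^N."""
    n, m = len(P) - 1, p ** N
    prod = [sum(a[i] * b[k - i] for i in range(n) if 0 <= k - i < n) for k in range(2 * n - 1)]
    for k in range(2 * n - 2, n - 1, -1):  # kill t^k, k >= n, using t^n = -(P[0] + ... + P[n-1] t^(n-1))
        c = prod[k]
        for i in range(n + 1):
            prod[k - n + i] -= c * P[i]
    return [x % m for x in prod[:n]]
def zq_add(a, b, p, N, sign=1):  # a + b, or a - b with sign=-1
    return [(x + sign * y) % p ** N for x, y in zip(a, b)]
def zq_pow(a, e, P, p, N):  # square-and-multiply
    r = [1] + [0] * (len(P) - 2)
    while e:
        if e & 1:
            r = zq_mul(r, a, P, p, N)
        a, e = zq_mul(a, a, P, p, N), e >> 1
    return r
def zq_eval(coeffs, x, P, p, N):  # Horner evaluation of sum coeffs[i] x^i at x in Z_q
    acc = [0] * (len(P) - 1)
    for c in reversed(coeffs):
        acc = zq_mul(acc, x, P, p, N)
        acc[0] = (acc[0] + c) % p ** N
    return acc
def zq_inv(a, P, p, N):
    """Inverse of a unit: a^(q-2) is the inverse in F_q, then u <- u(2 - a u) doubles the precision."""
    q = p ** (len(P) - 1)
    u, k = zq_pow([x % p for x in a], q - 2, P, p, 1), 1
    while k < N:
        k = min(2 * k, N)
        u = zq_mul(u, zq_add([2] + [0] * (len(P) - 2), zq_mul(a, u, P, p, k), p, k, -1), P, p, k)
    return u
def frobenius_t(P, p, N):
    """t^sigma: the root of P(t) in Z_q congruent to t^p mod p, found by Newton (Hensel) lifting."""
    n = len(P) - 1
    dP = [i * P[i] for i in range(1, n + 1)]  # P'(t)
    x, k = zq_pow([0, 1] + [0] * (n - 2), p, P, p, 1), 1  # t^p in F_q, the precision-1 start
    while k < N:
        k = min(2 * k, N)
        step = zq_mul(zq_eval(P, x, P, p, k), zq_inv(zq_eval(dP, x, P, p, k), P, p, k), P, p, k)
        x = zq_add(x, step, p, k, -1)  # x <- x - P(x)/P'(x)
    return x
def frobenius(z, t_sigma, P, p, N):  # z^sigma = sum_i z_i (t^sigma)^i, as in section 2.2
    return zq_eval(z, t_sigma, P, p, N)
```

Each Newton step doubles the $p$-adic precision, so the number of lifting steps is logarithmic in $N$; the inverse in $\mathbb{F}_q$ is taken as $a^{q-2}$, which is fine for the small $q$ of the check but not how one would do it for cryptographic sizes.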
3 Kedlaya's Algorithm and its Extension

3.1 Overview of Kedlaya's Algorithm for Hyperelliptic Curves

Let $C$ be a hyperelliptic curve of genus $g$ given by its equation $y^2 = f(x)$ over $\mathbb{F}_q$. Following the construction of Kedlaya (see also [20], page 72), we consider the curve $C'$ obtained from $C$ by removing the point at infinity and the points with vertical tangent (i.e. $y = 0$).

There is a way to lift the coordinate ring of $C'$ called the weak completion [27], with the nice property that its cohomology verifies a "Lefschetz trace formula" [28] and hence gives information about the cardinalities of the initial curve $C$.

Taking a lowbrow point of view in which we can forget about the curve $C'$, we shall work on the vector space generated over the $p$-adic number field $K$ by the following differential forms:
$$D = \left\{ x^i \frac{dx}{y} \;;\; i \in [0, 2g-1] \right\},$$
in which we have the relations coming from the equation of the curve and $d\varphi(x,y) \equiv 0$ for every rational function $\varphi$. On the differential forms one can define a Frobenius action $\sigma$ which is compatible with the $p$-th power Frobenius on $C$: take $x^{\sigma} = x^p$, $y^{\sigma}$ given by $(y^{\sigma})^2 = f(x)^{\sigma}$ and $(dx)^{\sigma} = p\,x^{p-1}\,dx$. Kedlaya shows in a constructive way that the space $D$ is stable under the action of this $\sigma$. Hence $\sigma$ is an endomorphism of a vector space of dimension $2g$, and everything is done in order for its characteristic polynomial to be closely related to the $\chi(T)$ we are looking for. The heart of Kedlaya's algorithm is then to compute the matrix of $\sigma$ for the given basis of $D$.
For each $i$ in $[0, 2g-1]$,
$$\left( x^i \frac{dx}{y} \right)^{\sigma} = \frac{1}{y^{\sigma}}\, p\, x^{ip+p-1}\, dx,$$
therefore the tricky part is the computation of $1/y^{\sigma}$. This is not defined in a lifted coordinate ring because it involves a square root, and that is a reason why we use the weak completion. From a practical point of view, it means that we shall be able to expand $1/y^{\sigma}$ as a power series in $\tau = 1/y^2$: starting with the definition $(y^{\sigma})^2 = f(x)^{\sigma}$, we have
$$\frac{1}{y^{\sigma}} = \left(f(x)^{\sigma}\right)^{-1/2} = \left(f(x)^{\sigma} - f(x)^p + f(x)^p\right)^{-1/2} = \left(f(x)^p\right)^{-1/2} \left(1 + \frac{f(x)^{\sigma} - f(x)^p}{f(x)^p}\right)^{-1/2} = \frac{1}{y^p} \left(1 + \tau^p \left(f(x)^{\sigma} - f(x)^p\right)\right)^{-1/2}.$$
By the usual power series expansion of $(1+X)^{-1/2}$ we get an expression of the form
$$\frac{1}{y^{\sigma}} = y^{-p} \sum_{k \ge 0} P_k(x)\, \tau^{pk} = y^{-1}\, \tau^{(p-1)/2} \sum_{k \ge 0} P_k(x)\, \tau^{pk}.$$
Note that $p$ divides $(f(x)^{\sigma} - f(x)^p)$, so that the power of $p$ dividing $P_k(x)$ tends to infinity as $k$ grows (actually this is what is expected due to the theoretical construction of the weak completion). We can now write
$$\left( x^i \frac{dx}{y} \right)^{\sigma} = \left( \sum_{k \ge 0} Q_k(x)\, \tau^k \right) \frac{dx}{y},$$
where the $Q_k(x)$ are polynomials. The algorithm proceeds as follows: we compute this expression up to some precision in $\tau$, and then we use the relations in $D$ described above to reduce the expression to a polynomial of degree at most $2g-1$, times $dx/y$. In this way we shall prove that $D$ is indeed $\sigma$-stable and moreover we obtain an explicit description of the action of $\sigma$ on the basis. For this we will use three strategies of reduction:
Red 1. First of all, using the equation of the curve, one can write
$$Q_k(x)\,\tau^k = \left(\alpha_k(x)\, f(x) + \beta_k(x)\right)\tau^k = \alpha_k(x)\,\tau^{k-1} + \beta_k(x)\,\tau^k,$$
where $\alpha_k$ and $\beta_k$ are the quotient and the remainder in the division of $Q_k$ by $f$. Therefore one can assume that $Q_k(x)$ is of degree at most $2g$ for all $k$, except for $Q_0(x)$ for which one can show that the degree is at most $2pg-1$.

Red 2. Then we use the relations of cohomology to rewrite the series in the form $Q(x)\,dx/y$. Fix $k \ge 1$ and consider the term $Q_k(x)\,\tau^k\,dx/y$. Let $U(x)$ and $V(x)$ be such that $Q_k(x) = U(x) f(x) + V(x) f'(x)$ (they do exist because $f$ is squarefree). Using
$$d\left(\frac{V(x)}{y^{2k-1}}\right) \equiv 0,$$
one obtains
$$Q_k(x)\,\tau^k\,\frac{dx}{y} \equiv \left( U(x) + \frac{2}{2k-1}\, V'(x) \right) \tau^{k-1}\, \frac{dx}{y}.$$
Repeating this for decreasing $k$'s, we can rewrite everything on the constant

Red 3. Finally, in the expression $Q(x)\,dx/y$ that we obtained, one can reduce the degree $\delta$ of $Q$ to at most $2g-1$ in the following way. Assume $\delta \ge 2g$: using
$$d\left(x^{\delta-2g}\, y\right) \equiv 0,$$
one gets a polynomial of degree $\delta$ that can be subtracted from $Q$.

At this point, we have computed a $2g \times 2g$ matrix $M$ such that
$$\begin{pmatrix} \dfrac{dx}{y} \\ \vdots \\ x^{2g-1}\dfrac{dx}{y} \end{pmatrix}^{\sigma} = M \begin{pmatrix} \dfrac{dx}{y} \\ \vdots \\ x^{2g-1}\dfrac{dx}{y} \end{pmatrix}.$$
Most of the operations done during the computation involve elements of $\mathbb{Z}_q$, but at the end we may have to divide by small powers of $p$. Finally the coefficients of $M$ lie in $p^{-s}\,\mathbb{Z}_q$ with a small, predictable $s$, which depends only on $p$ and $g$.

The final step is then to compute the characteristic polynomial of the matrix
$$M\, M^{\sigma} \cdots M^{\sigma^{n-1}},$$
which has coefficients in $\mathbb{Z}_2$ and is a $p$-adic approximation of $\chi(T)$.
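The reduction steps Red 1 to Red 3 above, as an added example that is not the paper's code: the forms are handled over $\mathbb{Q}$ with exact fractions rather than over $\mathbb{Z}_q$, which is enough to see the cohomology identities at work; the curve $y^2 = x^3 + x + 1$ used in the checks is a constructed genus-1 input, and the helper names are this example's own.

```python
# Added example, not the paper's code: the reductions Red 1-3 of section 3.1 for y^2 = f(x),
# over Q with exact fractions. A form sum_k Q_k(x) tau^k dx/y (tau = 1/y^2) is rewritten as
# Q(x) dx/y with deg Q <= 2g-1. Polynomials are coefficient lists, lowest degree first.
from fractions import Fraction as Fr
def trim(a):
    while a and a[-1] == 0:
        a = a[:-1]
    return a
def add(a, b, s=1):  # a + s*b
    n = max(len(a), len(b))
    return trim([x + s * y for x, y in zip(a + [0] * (n - len(a)), b + [0] * (n - len(b)))])
def mul(a, b):
    r = [Fr(0)] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] += x * y
    return trim(r)
def deriv(a):
    return trim([i * c for i, c in enumerate(a)][1:])
def divmod_(a, b):  # quotient and remainder of a by b != 0
    q, r = [], trim(list(a))
    while len(r) >= len(b):
        term = [0] * (len(r) - len(b)) + [Fr(r[-1]) / b[-1]]
        q, r = add(q, term), add(r, mul(term, b), -1)
    return q, r
def bezout(f, df, Q):
    """U, V with Q = U f + V f' and deg V < deg f (they exist since f is squarefree); Red 1 is
    the reduction of V modulo f, which keeps the degrees bounded."""
    r0, r1, t0, t1 = f, df, [], [Fr(1)]  # extended Euclid, invariant: t_i * df = r_i (mod f)
    while r1:
        qt, rem = divmod_(r0, r1)
        r0, r1, t0, t1 = r1, rem, t1, add(t0, mul(qt, t1), -1)
    V = divmod_(mul(mul(t0, Q), [Fr(1) / r0[0]]), f)[1]  # r0 is the constant gcd(f, f')
    return divmod_(add(Q, mul(V, df), -1), f)[0], V
def reduce_form(Qs, f, g):
    """Qs[k] is Q_k(x); returns Q(x) with sum_k Q_k tau^k dx/y = Q dx/y in cohomology, deg Q <= 2g-1."""
    df, Qs = deriv(f), [trim(list(Q)) for Q in Qs]
    for k in range(len(Qs) - 1, 0, -1):  # Red 2: Q_k tau^k dx/y ~ (U + 2/(2k-1) V') tau^(k-1) dx/y
        U, V = bezout(f, df, Qs[k])
        Qs[k - 1] = add(add(Qs[k - 1], U), [Fr(2, 2 * k - 1) * c for c in deriv(V)])
    Q = Qs[0]
    while len(Q) > 2 * g:  # Red 3: deg Q = delta >= 2g, subtract a multiple of d(x^(delta-2g) y) ~ 0
        e = len(Q) - 1 - 2 * g  # d(x^e y) = (e x^(e-1) f + x^e f'/2) dx/y, of degree delta
        rel = add(mul([0] * (e - 1) + [Fr(e)], f) if e else [], [Fr(c, 2) for c in mul([0] * e + [1], df)])
        Q = add(Q, [c * Q[-1] / rel[-1] for c in rel], -1)
    return Q
```

For $f = x^3 + x + 1$ the form $f'(x)\,dx/y^3$ reduces to zero (it is $-2\,d(1/y)$), and $x^2\,dx/y$ reduces to $-\tfrac{1}{3}\,dx/y$ because $d(y) \equiv 0$ gives $(3x^2+1)\,dx/y \equiv 0$.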
3.2 Superelliptic Curves

Let $C$ be a superelliptic curve given by its equation $y^r = f(x)$ with $f$ of degree $d$ over $\mathbb{F}_q$. The theory is exactly the same as for hyperelliptic curves. In the present case, the space of differential forms we consider is
$$\left\{ x^i \frac{dx}{y^j} \;;\; i \in [0, d-2],\; j \in [1, r-1] \right\}.$$
The Frobenius action lifting the $p$-th power Frobenius on $C$ is defined similarly: take $x^{\sigma} = x^p$, $y^{\sigma}$ given by $(y^{\sigma})^r = f(x)^{\sigma}$ and $(dx)^{\sigma} = p\,x^{p-1}\,dx$.

Again, the space of differential forms has been chosen such that it is stable under the action of $\sigma$; we will now describe the reduction process which allows us to rewrite $\left( x^i \frac{dx}{y^j} \right)^{\sigma}$ over the basis. Fix an $i \in [0, d-2]$ and a $j \in [1, r-1]$. We can write $1/(y^{\sigma})^j$ as a power series
$$\frac{1}{(y^{\sigma})^j} = y^{-jp} \left( 1 + \frac{f(x)^{\sigma} - f(x)^p}{y^{rp}} \right)^{-j/r} = y^{-jp} \sum_{k \ge 0} P_k(x)\, \tau^{pk},$$
where we have set $\tau = y^{-r}$. Hence we can write
$$\left( x^i \frac{dx}{y^j} \right)^{\sigma} = \left( \sum_{k \ge 0} Q_k(x)\, \tau^k \right) \frac{dx}{y^{\,jp \bmod r}}.$$
In the following, we let $\ell = jp \bmod r$. We now proceed with three reduction
$Q_k$ are of degree at most $d-1$, except for the first one.

Red 2. Then, rewrite the term in $\tau^k$ as a term in $\tau^{k-1}$. For $k \ge 1$, let $U(x)$ and $V(x)$ be such that $Q_k(x) = U(x) f(x) + V(x) f'(x)$; one has
$$Q_k(x)\,\tau^k\,\frac{dx}{y^{\ell}} \equiv \left( U(x) + \frac{r}{r(k-1)+\ell}\, V'(x) \right) \tau^{k-1}\,\frac{dx}{y^{\ell}}.$$

Red 3. Finally, we are left with an expression of the form $Q(x)\,dx/y^{\ell}$, where $Q(x)$ is a polynomial of degree $\delta$ that we can reduce to degree at most $d-2$: assume $\delta \ge d-1$, the exact differential $d\left(x^{\delta-d+1}\, y^{r-\ell}\right) \equiv 0$ gives a polynomial of degree $\delta$ that can be subtracted from $Q(x)$.

We obtain a $2g \times 2g$ matrix $M$ and we conclude as before by taking the characteristic polynomial of its "norm".

Note that the differential forms in $dx/y^j$ are sent by $\sigma$ to the subspace generated by forms in $dx/y^{\ell}$ with $\ell = jp \bmod r$. As a consequence, $M$ is a matrix that can be viewed in blocks of size $d-1$, with the property that there is exactly one non-zero block in each row block and each column block.
4 Details and Complexity

4.1 Precision of the Computation

The intermediate result obtained from the algorithm of section 3 is an approximation of the polynomial $\chi(T)$ that we are looking for, and by computing to sufficient precision we can determine it exactly. Two parameters have to be tuned, to ensure that at the end we get enough information to conclude. The first is the $p$-adic precision $p^{\nu}$ at which we truncate elements of $\mathbb{Z}_p$. The second is the $\tau$-adic precision at which we truncate the series.

Bounds on the coefficients of $\chi(T)$ can be deduced from the bounds on its roots: $|a_i| \le \binom{2g}{i} q^{i/2}$ for $i \in [1, g]$. We assume that $q$ is large compared to the genus, so that $a_g$ determines the required precision. Hence we need to know $\chi(T)$ modulo $\left\lceil 2 \binom{2g}{g} q^{g/2} \right\rceil$ to be sure to recover all the coefficients. Therefore the working precision should be at least
$$\nu = \left\lceil \log_p \left( 2 \binom{2g}{g} q^{g/2} \right) \right\rceil.$$
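How the precision bound above, the Weil bounds and the functional equation of section 2.1 are used together once the $p$-adic approximation is in hand, as an added example (not the paper's code): the top-half coefficients known only modulo $p^{\nu}$ are lifted to their symmetric residues, the functional equation supplies the bottom half, and $\#J(C) = \chi(1)$. The check uses a constructed genus-1 superelliptic curve $y^3 = x^2 + x + 1$ over $\mathbb{F}_7$, for which $\#J(C) = \#C(\mathbb{F}_7)$ is obtained by brute force, so the true $a_1$ is known and can be compared with the value recovered from its residue.

```python
# Added example, not the paper's code: recovering chi(T) from its top coefficients modulo
# p^nu using the Weil bounds and the functional equation (section 2.1), then #J(C) = chi(1).
from math import comb

def precision_nu(p, g, q):
    """Smallest nu with p^nu > 2 * C(2g,g) * q^(g/2) (the bound of section 4.1), in exact integers."""
    bound_sq = 4 * comb(2 * g, g) ** 2 * q ** g      # square of the bound avoids floating point
    nu = 0
    while (p ** nu) ** 2 <= bound_sq:
        nu += 1
    return nu

def recover_chi(top_mod, p, nu, g, q):
    """top_mod[i] = a_{2g-i} mod p^nu for i = 1..g (index 0 unused).
    The Weil bound |a_{2g-i}| <= C(2g,i) q^(i/2) singles out the symmetric residue in (-p^nu/2, p^nu/2];
    a_{2g} = 1 and a_i = q^(g-i) a_{2g-i} (functional equation) then give a_0, ..., a_{g-1}.
    Returns [a_0, ..., a_{2g}]."""
    m = p ** nu
    a = [0] * (2 * g + 1)
    a[2 * g] = 1
    for i in range(1, g + 1):
        r = top_mod[i] % m
        a[2 * g - i] = r - m if 2 * r > m else r
        if a[2 * g - i] ** 2 > comb(2 * g, i) ** 2 * q ** i:
            raise ValueError("precision too low to determine a_%d" % (2 * g - i))
    for i in range(g):
        a[i] = q ** (g - i) * a[2 * g - i]
    return a

def jacobian_order(a):
    """#J(C) = chi(1)."""
    return sum(a)

def count_points_fp(r, f, p):
    """#C(F_p) for y^r = f(x) (f as coefficient list, lowest degree first) by brute force:
    affine solutions plus the unique point at infinity. Constructed check for tiny p only."""
    fx = lambda x: sum(c * x ** k for k, c in enumerate(f)) % p
    return 1 + sum(1 for x in range(p) for y in range(p) if pow(y, r, p) == fx(x))
```

For the genus-1 check, $\chi(T) = T^2 + a_1 T + p$ with $a_1 = \#C(\mathbb{F}_p) - 1 - p$; the bound gives $\nu = 2$ for $p = 7$, and the residue of $a_1$ modulo $49$ lifts back to the exact value.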
The precision in $\tau$ is more problematic: at first sight it is not clear that we do not need all the terms of the series to get a result which makes sense even modulo $p$. Actually in the power series expansion, one can see that the coefficient in $\tau^k$ (which is a polynomial over $\mathbb{Z}_q$) is divisible by a power of $p$ which grows to infinity at the speed of $k/p$. Hence it appears that the precision in $\tau$ should be at least $p$ times the $p$-adic precision. Moreover, the reduction process also perturbs things: starting with a term $Q_k(x)\,\tau^k\,dx/y^{\ell}$, with $p^m$ dividing $Q_k(x)$, one