HAL Id: inria-00514121
https://hal.inria.fr/inria-00514121
Submitted on 1 Sep 2010
Construction of secure random curves of genus 2 over prime fields
Pierrick Gaudry, Eric Schost
To cite this version:
Pierrick Gaudry, Eric Schost. Construction of secure random curves of genus 2 over prime fields. Eurocrypt, 2004, Interlaken, Switzerland. pp. 239-256, DOI 10.1007/978-3-540-24676-3_15. inria-00514121
Pierrick Gaudry (1) and Eric Schost (2)
(1) Laboratoire LIX, École polytechnique, France, gaudry@lix.polytechnique.fr
(2) Laboratoire STIX, École polytechnique, France, Eric.Schost@polytechnique.fr
Abstract. For counting points of Jacobians of genus 2 curves defined over large prime fields, the best known method is a variant of Schoof's algorithm. We present several improvements on the algorithms described by Gaudry and Harley in 2000. In particular we rebuild the symmetry that had been broken by the use of Cantor's division polynomials and design a faster division by 2 and a division by 3. Combined with the algorithm by Matsuo, Chao and Tsujii, our implementation can count the points on a Jacobian of size 164 bits within about one week on a PC.
1 Introduction
Genus 2 hyperelliptic curves provide an interesting alternative to elliptic curves for the design of discrete-log based cryptosystems. Indeed, for a similar security, the key or signature lengths are the same as for elliptic curves and furthermore the size of the base field in which the computations take place is half as large. During the last years, efforts in improving the group law algorithms made these cryptosystems quite competitive [19,25].
To ensure the security of the system, it is required to have a group of large prime order. Until recently, for the Jacobian of a genus 2 curve, only specific constructions provided curves with known Jacobian order, namely the complex multiplication (CM) method [34] and the Koblitz curves. These curves have a very special structure; although nobody knows if they are weaker than general curves, it is pertinent to consider random curves as well. This raises the problem of point-counting: given a random curve, find the group order of its Jacobian.
With today's state of the art, the complexity of the point counting task in genus 2 highly depends on the size of the characteristic of the base field: in short, the smaller the characteristic, the easier the task of point counting ("easy" means fast and does not mean that the theoretical tools are simple).
In the case of genus 2 curves in small characteristic p, the point counting problem was recently solved using p-adic methods [31,23,20]. The particular case where p = 2 is in fact treated almost as quickly as in genus 1. Unfortunately, these dramatic improvements do not apply when p becomes too large (say, a few
For large p, the best known algorithms are variants of Schoof's algorithm, theoretical descriptions of which can be found in [26,18,1,16]. In 2000, Gaudry and Harley [11] designed and implemented the first practical genus 2 Schoof algorithm, making use of Cantor's division polynomials [8]. To reach reasonable sizes, however, it was necessary to combine the Schoof approach with a Pollard lambda method. Their record was a random genus 2 curve over a prime field of size about $10^{19}$, thus too small to be used in a cryptosystem. For "medium characteristic", they also proposed to use the Cartier-Manin operator to get additional information that can be combined with others. Therefore, for medium characteristic p (say $10^9$, see [5]), point counting is easier than for very large p.
We mentioned that in the non-small characteristic case, once the group order has been computed modulo some large integer, the computation is finished using a Pollard lambda method. Matsuo, Chao and Tsujii [21] proposed a Baby-step/Giant-step algorithm that speeds up this last phase. With this device and using the Cartier-Manin trick, they performed a point counting computation of cryptographical size for a medium characteristic field.
In this paper, we improve on the methods of [11], so that, combined with the algorithm of [21], we can reach cryptographical size over prime fields. Our improvements are concerned with the construction and the manipulation of torsion elements in the Schoof-like algorithm of [11]. The impact of these improvements is asymptotically by a constant factor, but they yield a significant speed-up in practice for the sizes of interest in cryptography. We now summarize them:
Our first contribution is the reintroduction of symmetries that were lost in [11]. Indeed, the use of Cantor's division polynomials to construct torsion elements is very efficient, but the resulting divisor is given as a sum of points instead of in Mumford representation. Therefore a factor of 2 in the degrees of the polynomials that are manipulated is lost. In Sections 3.2 and 3.3, we give algorithms to save this factor of 2 in the degrees.
In [11], it is proposed to build $2^k$-torsion elements using a halving algorithm based on Gröbner basis computations. Our second contribution is a faster division by 2, using a better representation of the system; in the same spirit we show that a division by 3 can also be done: this is described in Section 4. Another practical improvement is the ubiquitous use of an explicit action on the roots coming from the group law to speed up the factorizations that occur at different stages. We explain it in detail in the case of the division by 2 in Section 3.4.
To illustrate and to test the performance of our improvements, we implemented them in Magma or NTL and mixed them with the algorithm of [21] and an early abort strategy. Our main outcome is the first construction of secure random curves of genus 2 over a prime field, as we obtained Jacobians of prime order of size about $2^{164}$.
2 Generalities
In this work, p denotes a fixed odd prime, $\mathbb{F}_p$ is the finite field with p elements, and C is the genus 2 curve $y^2 = f(x)$, where f is a squarefree monic polynomial in $\mathbb{F}_p[X]$ of degree 5. The main object we consider is the Jacobian J(C) of C. We handle elements of J(C) through their Mumford representation: each element of J(C) can be uniquely represented by a pair of polynomials $\langle u(x), v(x)\rangle$, where u is monic of degree at most 2, v is of degree less than the degree of u, and u divides $v^2 - f$. The degree of the u-polynomial in Mumford's representation is called the weight of a divisor. If K is an extension field of $\mathbb{F}_p$, we may distinguish the curves defined on K and $\mathbb{F}_p$, by denoting them $C/K$ and $C/\mathbb{F}_p$; the Jacobians are correspondingly denoted by $J(C/K)$ and $J(C/\mathbb{F}_p)$. For precise definitions and algorithms for the group law, we refer to [22] and [7,19].
Let $\overline{\mathbb{F}}_p$ be an algebraic closure of $\mathbb{F}_p$ and let us consider the Frobenius endomorphism on $J(C/\overline{\mathbb{F}}_p)$ denoted by $\pi$. By Weil's theorem (see [24]), the characteristic polynomial $\chi(T)$ of $\pi$ has the form
$$\chi(T) = T^4 - s_1 T^3 + s_2 T^2 - p\,s_1 T + p^2,$$
where $s_1$ and $s_2$ are integers such that $|s_1| \le 4\sqrt{p}$ and $|s_2| \le 6p$. Furthermore
$$\#J(C) = \chi(1) = p^2 + 1 - s_1 (p+1) + s_2.$$
In point-counting algorithms based on Schoof's idea [27], the torsion elements of J(C) play an important role. If N is a positive integer, the subgroup of N-torsion elements of $J(C/\overline{\mathbb{F}}_p)$ is a finite group denoted by $J(C)[N]$; it is isomorphic to $(\mathbb{Z}/N\mathbb{Z})^4$ and has the structure of a free $\mathbb{Z}/N\mathbb{Z}$-module of dimension 4 (see [24]). Furthermore, the characteristic polynomial of the restriction of $\pi$ to $J(C)[N]$ is $\chi(T) \bmod N$. Applying this to different small primes or prime powers leads to the genus 2 Schoof algorithm that is sketched in Algorithm 1.
Algorithm 1 Sketch of a genus 2 Schoof algorithm
1. For sufficiently many small primes or prime powers $\ell$:
 (a) Let $L = \{(s_1, s_2);\ s_1, s_2 \in [0, \ell - 1]\}$.
 (b) While $\#L > 1$ do
  - Construct a new $\ell$-torsion divisor D;
  - Eliminate those elements $(s_1, s_2)$ in L such that
   $$\pi^4(D) - s_1\,\pi^3(D) + s_2\,\pi^2(D) - (p\,s_1 \bmod \ell)\,\pi(D) + (p^2 \bmod \ell)\,D \neq 0$$
 (c) Deduce $\chi(T) \bmod \ell$ from the remaining pair in L.
2. Deduce $\chi(T)$ from the pairs $(\ell, \chi(T) \bmod \ell)$ by Chinese remaindering, or using the algorithm of [21].
Our contribution is to improve the first part of the algorithm, the construction of $\ell$-torsion divisors; the computations for small primes and prime powers are respectively described in Sections 3 and 4.
We will frequently make genericity assumptions on the curve C and its torsion divisors. We assume that C is chosen randomly among genus 2 curves defined over a large field $\mathbb{F}_p$, so we can expect that with high probability, such assumptions are satisfied. The cases when our assumptions fail should require special treatments, which are not developed here.
For the complexity estimates, we denote by M(d) the number of $\mathbb{F}_p$-operations required to multiply two polynomials of degree d defined over $\mathbb{F}_p$. We make the
if no precise reference is given for an algorithm, then it can be found in [32], together with a complexity analysis in terms of M.
3 Computation modulo a small prime $\ell$
In the classical Schoof algorithm for elliptic curves, a formal $\ell$-torsion point is used: the computations are made with a point $P = (x, y)$, where x cancels the $\ell$-th division polynomial $\psi_\ell$ and y is linked to x by the equation of the curve. In other words, we work in a rank 2 polynomial algebra quotiented by two relations: $\mathbb{F}_p[x, y]/(\psi_\ell(x),\ y^2 - (x^3 + ax + b))$.
In genus 2, we imitate this strategy. According to [18], it is enough to consider the $\ell$-torsion divisors of weight 2 (this is not surprising since a generic divisor has weight 2). Let thus D be a weight 2 divisor given in Mumford representation, $D = \langle x^2 + u_1 x + u_0,\ v_1 x + v_0 \rangle$. Then there exists a radical ideal $I_\ell$ of $\mathbb{F}_p[U_1, U_0, V_1, V_0]$ such that
$$D \in J(C)[\ell] \iff \varphi(u_1, u_0, v_1, v_0) = 0,\quad \forall \varphi \in I_\ell.$$
By analogy with elliptic division polynomials, this ideal $I_\ell$ is called the $\ell$-th division ideal. There are $\ell^4 - 1$ non-zero $\ell$-torsion elements, so that $I_\ell$ has dimension 0 and degree at most $\ell^4 - 1$; generically, by the Manin-Mumford conjecture [15, p. 435], all non-zero torsion divisors have weight 2, so the degree of $I_\ell$ is exactly $\ell^4 - 1$.
From the computational point of view, a good choice for a generating set of $I_\ell$ is a Gröbner basis for a lexicographic order. Using the order $U_1 < U_0 < V_1 < V_0$, we can actually predict the shape of this Gröbner basis. Indeed, if D is an $\ell$-torsion divisor, then its opposite $-D$ is also $\ell$-torsion, so it has the same u-coordinates, and opposite v-coordinates. Furthermore, we make the genericity assumption that all the pairs $\{D, -D\}$ of $\ell$-torsion divisors have different values for $u_1$. Then, the Gröbner basis for the ideal $I_\ell$ takes the form
$$I_\ell = \begin{cases} V_0 - V_1\,S_0(U_1) \\ V_1^2 - S_1(U_1) \\ U_0 - R_0(U_1) \\ R_1(U_1), \end{cases}$$
where $R_1$ is a squarefree polynomial of degree $(\ell^4 - 1)/2$ and $R_0, S_1, S_0$ are polynomials of degree at most $(\ell^4 - 1)/2 - 1$. If such a Gröbner basis for $I_\ell$ is known, then it is not difficult to imitate Schoof's algorithm, by working in the quotient algebra $\mathbb{F}_p[U_1, U_0, V_1, V_0]/I_\ell$. Unfortunately, no easily computable recurrence formulae are known that relate Gröbner bases of $\ell$-division ideals for different values of $\ell$, unlike the situation for division polynomials of elliptic curves. Therefore we shall start with the approach of [11] using Cantor's division polynomials and show that we can derive efficiently a multiple of $R_1$.
3.1 Cantor's division polynomials
Let us fix a prime $\ell$. Cantor's division polynomials [8] are polynomials in $\mathbb{F}_p[X]$, denoted by $d_0, d_1, d_2, e_0, e_1, e_2$, with the following property: for a divisor $P = \langle x - x_P,\ y_P \rangle$ of weight 1, the multiplication of P by $\ell$ in J(C) is given by
$$[\ell]P = \left\langle x^2 + \frac{d_1(x_P)}{d_2(x_P)}\,x + \frac{d_0(x_P)}{d_2(x_P)},\ \ y_P\left(\frac{e_1(x_P)}{e_2(x_P)}\,x + \frac{e_0(x_P)}{e_2(x_P)}\right)\right\rangle.$$
These polynomials have respective degrees $2\ell^2 - 1$, $2\ell^2 - 2$, $2\ell^2 - 3$, $3\ell^2 - 2$, $3\ell^2 - 3$, $3\ell^2 - 2$ and are easily computed by means of recurrence formulae. Even if a naive method is used, the cost of their computation is by far negligible compared to the subsequent operations.
Now, let $D = \langle x^2 + U_1 x + U_0,\ V_1 x + V_0 \rangle$ be a generic divisor of weight 2, where $U_1, U_0, V_1, V_0$ are indeterminates, subject to the condition that $x^2 + U_1 x + U_0$ divides $(V_1 x + V_0)^2 - f$. The divisor D can be written as the sum of two weight 1 divisors $P_1 = \langle x - X_1,\ Y_1 \rangle$ and $P_2 = \langle x - X_2,\ Y_2 \rangle$, where $U_1 = -(X_1 + X_2)$, $U_0 = X_1 X_2$, and where $Y_1$ and $Y_2$ satisfy $V_1 X_1 + V_0 = Y_1$ and $V_1 X_2 + V_0 = Y_2$. Since $D = P_1 + P_2$, D is $\ell$-torsion if and only if $[\ell]P_1 = -[\ell]P_2$.
Rewriting this equation using Cantor's division polynomials, we get four equations that must be satisfied for D to be $\ell$-torsion. Some of these equations are multiples of $X_1 - X_2$: this is an artifact due to the splitting of D into divisors of weight 1 and if this is the case one should divide out this factor. Hence we obtain the following system:
$$\begin{cases} E_1(X_1, X_2) = \bigl(d_1(X_1)\,d_2(X_2) - d_1(X_2)\,d_2(X_1)\bigr)/(X_1 - X_2) = 0, \\ E_2(X_1, X_2) = \bigl(d_0(X_1)\,d_2(X_2) - d_0(X_2)\,d_2(X_1)\bigr)/(X_1 - X_2) = 0, \\ F_1(X_1, X_2, Y_1, Y_2) = Y_1\,e_1(X_1)\,e_0(X_2) + Y_2\,e_1(X_2)\,e_0(X_1) = 0, \\ F_2(X_1, X_2, Y_1, Y_2) = Y_1\,e_2(X_1)\,e_0(X_2) + Y_2\,e_2(X_2)\,e_0(X_1) = 0. \end{cases}$$
Consider now the finite-dimensional $\mathbb{F}_p$-algebra
$$B = \mathbb{F}_p[X_1, X_2, Y_1, Y_2]/\bigl(E_1, E_2, F_1, F_2,\ Y_1^2 - f(X_1),\ Y_2^2 - f(X_2)\bigr).$$
In a generic situation, the minimal polynomial of $-(X_1 + X_2)$ in B is then precisely the polynomial $R_1$ that appears in the Gröbner basis of $I_\ell$ (failures could occur, e.g., if there exists an $\ell$-torsion divisor $D = P_1 + P_2$ such that $[\ell]P_1$ is not of weight 2). We will see below that the whole Gröbner basis of $I_\ell$ is not necessary for the point-counting application we have in mind. Thus, we can start by working with the first two equations $E_1, E_2$, which involve $X_1, X_2$ only.
These polynomials were already considered in [11]. The strategy used in that paper consisted in computing the resultant of $E_1, E_2$ with respect to $X_2$ for a start, from which it was possible to deduce the coordinates of $[\ell]$-torsion divisors. This approach did not take into account the symmetry in $(X_1, X_2)$; we now show how to work directly in Mumford's coordinates $U_1 = -(X_1 + X_2)$, $U_0 = X_1 X_2$, so as to compute resultants of lower degrees.
3.2 Resymmetrisation
The polynomials $E_1(X_1, X_2)$ and $E_2(X_1, X_2)$ are symmetric polynomials. It is
polynomials $X_1 X_2$ and $X_1 + X_2$. The heart of Mumford's representation is the use of this expression, but this had been broken in order to apply Cantor's division polynomials. We call resymmetrisation the method that we present now to come back to a representation of bivariate polynomials in terms of the elementary symmetric polynomials. This is not as trivial as it seems, since the naive schoolbook method to symmetrize a polynomial yields a complexity jump in our case.
Let us consider the unique polynomials $\mathcal{E}_1$ and $\mathcal{E}_2$ in $\mathbb{F}_p[U_0, U_1]$ such that $\mathcal{E}_1(X_1 X_2,\ -X_1 - X_2) = E_1(X_1, X_2)$ and $\mathcal{E}_2(X_1 X_2,\ -X_1 - X_2) = E_2(X_1, X_2)$, and let $\mathcal{R}_1 \in \mathbb{F}_p[U_1]$ be their resultant with respect to $U_0$; then $R_1$ divides $\mathcal{R}_1$.
We want to use the following evaluation/interpolation technique to compute $\mathcal{R}_1$: evaluate the variable $U_1$ at sufficiently many scalars $u_1$, compute the resultants of $\mathcal{E}_1(U_0, u_1)$ and $\mathcal{E}_2(U_0, u_1)$, and interpolate the results. Unfortunately, computing with $\mathcal{E}_1$ and $\mathcal{E}_2$ themselves has prohibitive cost, as these polynomials have $O(\ell^4)$ monomials. However, their specific shape yields the following workaround.
Let h be a polynomial in $\mathbb{F}_p[X]$ and $X_1$ and $X_2$ be two indeterminates. Then the divided differences of h are the bivariate symmetric polynomials
$$A_0(h) = \frac{h(X_1) - h(X_2)}{X_1 - X_2} \quad\text{and}\quad A_1(h) = \frac{X_1\,h(X_2) - X_2\,h(X_1)}{X_1 - X_2}.$$
We let $\mathcal{A}_0(h)$ and $\mathcal{A}_1(h)$ be the unique polynomials in $\mathbb{F}_p[U_0, U_1]$ such that $\mathcal{A}_0(h)(X_1 X_2,\ -X_1 - X_2) = A_0(h)$ and $\mathcal{A}_1(h)(X_1 X_2,\ -X_1 - X_2) = A_1(h)$. Then a direct computation shows that
$$\mathcal{E}_1 = \mathcal{A}_0(d_1)\,\mathcal{A}_1(d_2) - \mathcal{A}_0(d_2)\,\mathcal{A}_1(d_1), \qquad \mathcal{E}_2 = \mathcal{A}_0(d_0)\,\mathcal{A}_1(d_2) - \mathcal{A}_0(d_2)\,\mathcal{A}_1(d_0) \quad \text{in } \mathbb{F}_p[U_0, U_1].$$
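As an added example (not code from the paper), the following pure-Python snippet carries out the divided-difference step above for a fixed scalar $u_1$: it expresses $\mathcal{A}_0(h)$ and $\mathcal{A}_1(h)$ as polynomials in $U_0$ through the recurrence for complete homogeneous symmetric polynomials (a straightforward method, not the faster one the authors describe later), assembles $\mathcal{E}_1$ from the identity, and checks it against the direct formula for $E_1$ at a split point $(X_1, X_2)$; the prime and the polynomials standing in for $d_1, d_2$ are constructed test values, not Cantor's.

```python
# Added example, not from the paper: the resymmetrisation of 3.2 carried out
# for E1.  Polynomials over F_p are coefficient lists (index = degree); with
# U1 = -(X1+X2) fixed to a scalar u1 and U0 = X1*X2, A0(h) and A1(h) become
# univariate polynomials in U0.  All inputs here are constructed examples.
from functools import reduce
from itertools import zip_longest
P = 10007  # constructed prime modulus

def add(a, b, c=1):  # a + c*b, coefficients reduced mod P
    return [(x + c * y) % P for x, y in zip_longest(a, b, fillvalue=0)]

def mul(a, b):  # schoolbook product of two coefficient lists
    return reduce(add, ([0] * i + [x * y % P for y in b] for i, x in enumerate(a)))

def ev(a, x):  # Horner evaluation mod P
    return reduce(lambda r, c: (r * x + c) % P, reversed(a), 0)

def homogeneous(n, u1):
    """H_k = sum_{i+j=k} X1^i X2^j for k = 0..n, as polynomials in U0.
    Recurrence H_k = (X1+X2) H_{k-1} - X1 X2 H_{k-2}, with X1+X2 = -u1."""
    H = [[1], [(-u1) % P]]
    for k in range(2, n + 1):
        H.append(add([(-u1 * c) % P for c in H[k - 1]], [0] + H[k - 2], P - 1))
    return H

def divided_differences(h, u1):
    """(A0(h), A1(h)) at U1 = u1: A0 = sum_k h_k H_{k-1}, A1 = h_0 - U0 * sum_{k>=2} h_k H_{k-2}."""
    H = homogeneous(len(h), u1)
    a0, a1 = [0], [h[0] % P]
    for k, hk in enumerate(h):
        if k >= 1:
            a0 = add(a0, H[k - 1], hk)
        if k >= 2:
            a1 = add(a1, [0] + H[k - 2], (-hk) % P)
    return a0, a1

def resymmetrised_E1(d1, d2, u1):
    """E1(U0, u1) = A0(d1) A1(d2) - A0(d2) A1(d1), a polynomial in U0 only."""
    a0d1, a1d1 = divided_differences(d1, u1)
    a0d2, a1d2 = divided_differences(d2, u1)
    return add(mul(a0d1, a1d2), mul(a0d2, a1d1), P - 1)

def direct_E1(d1, d2, x1, x2):
    """E1(X1,X2) = (d1(X1) d2(X2) - d1(X2) d2(X1)) / (X1 - X2), for x1 != x2."""
    num = (ev(d1, x1) * ev(d2, x2) - ev(d1, x2) * ev(d2, x1)) % P
    return num * pow((x1 - x2) % P, P - 2, P) % P

def identity_holds(d1, d2, x1, x2):
    """Evaluate the resymmetrised E1 at (U0, U1) = (x1*x2, -(x1+x2))."""
    u1, u0 = (-(x1 + x2)) % P, (x1 * x2) % P
    return ev(resymmetrised_E1(d1, d2, u1), u0) == direct_E1(d1, d2, x1, x2)
```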
Given an arbitrary polynomial h in $\mathbb{F}_p[X]$ and $u_1 \in \mathbb{F}_p$, we show in the last paragraphs how to compute the polynomials $\mathcal{A}_0(h)$ and $\mathcal{A}_1(h)$ evaluated at $U_1 = u_1$ efficiently. Taking this operation for granted, we deduce Algorithm 2 for computing the resultant $\mathcal{R}_1$ of $\mathcal{E}_1$ and $\mathcal{E}_2$.
Algorithm 2 Computation of the resultant $\mathcal{R}_1$
1. For $\deg(\mathcal{R}_1) + 1$ different values of $u_1 \in \mathbb{F}_p$, do
 (a) Compute $\mathcal{A}_0(d_0), \mathcal{A}_1(d_0), \mathcal{A}_0(d_1), \mathcal{A}_1(d_1), \mathcal{A}_0(d_2), \mathcal{A}_1(d_2)$ evaluated at $U_1 = u_1$.
 (b) Deduce $\mathcal{E}_1$ and $\mathcal{E}_2$, evaluated at $U_1 = u_1$.
 (c) Compute $\mathcal{R}_1(u_1)$ as the resultant in $U_0$ of $\mathcal{E}_1$ and $\mathcal{E}_2$.
2. Interpolate $\mathcal{R}_1$ from the pairs $(u_1, \mathcal{R}_1(u_1))$.
The classical estimates for the degrees of resultants imply that the degree of $\mathcal{R}_1$ is $6\ell^4 - 17\ell^2 + 12$; thus to be able to perform the interpolation, it is necessary to take at least $6\ell^4 - 17\ell^2 + 13$ different values of $u_1$. In practice, it is recommended to take a few more values of $u_1$, in order to check the computation. Note that the resultant of $E_1, E_2$ has degree $8\ell^4 - 22\ell^2 + 15$.
We finish this subsection by detailing our solution to the problem raised above: given $u_1$ in $\mathbb{F}_p$ and h in $\mathbb{F}_p[X]$, how to compute the polynomials $\mathcal{A}_0(h)$ and $\mathcal{A}_1(h)$