algorithmic aspects of mestre’scacr.uwaterloo.ca/conferences/2003/ecc2003/lercier.pdf ·...

Algorithmic aspects of Mestre’s

p-adic point counting ideas

Reynald Lercier

[email protected]

—

David Lubicz

[email protected]

August 2003

Overview

Introduction“Who’s who” of point counting over Fpn , p small

Elliptic curves

Hyperelliptic curves

Othersp-adic arithmetic

Unramified extensions

Newton’s iterationsLifting the Frobenius

Mestre’s ideas for elliptic curves

O(n3) time-complexity

O(n2.5) time-complexity


Finite Fields with GNB

Finite Fields without GNBMestre’s ideas for genus 2 curves



O(n2) for hyperelliptic curvesInitialization phase

Lift phase

Norm phase

LLL phase

Conclusion

�� ! "��#�$��%��%&'�)(�*+�-,/.+021)34��576�8983%:�6��%��;6��9� � 5'*$��<4*=�>��*�� ?�*=6��@�A��B*+898�� C�$��(�*=�<4*=�>��*�� ?�*=6��@�A��B&�*+�/��ED��$%��(�*=�F'GIHKJML �A�� /N "*+��*+8�8��9 ��?�C�$%��(�*=�O ��$8��

Algebraic curves and cryptography

Algebraic curves are an alternative to the use of

finite fields in cryptographic schemes (Miller 1986,

Koblitz 1987, . . . ).

For non supersingular curves of small genus, the

discrete logarithm problem is hard. The only

known attack is a variant of Pollard’s algorithm

with exponential running time.

A prerequisite is to count efficiently points on

curves. It used to be a difficult task.

It is no more the case for curves defined over Fpn , p

small, especially thanks to a Satoh’s breakthrough

for elliptic curves and clever simplifications and

extensions due to Mestre for the “small” genus

hyperelliptic case.

Goal of this talk : give a complete overview of the

algorithmic tools needed to efficiently implement

these ideas.

�� ! "��#�$��%��%&'�)(�*+�-,/.+021)34��576�898

:;898�� <�$%��(�*=�>@?/ �*+�A*+898��9 %��B�C�$%��(�*=�D � � *+�A�

3%E�6��%��<6��9� � 5'*$��F4*=�G��*�� B�*=6��H�I��J*+898�� C�$��(�*=�F4*=�G��*�� B�*=6��H�I��J&�*+�/��@K��$%��(�*=�L'MONQPSR �I�� ?� "*+��*+8�8��9 ��B�C�$%��(�*=�T ��$8��

Elliptic curves

O(npn/4) in time:

• D. Shanks. Class number, a theory of factorization,

and genera. In Proc. Symp. Pure Math., 20, 1971.

• J.M. Pollard. Monte Carlo methods for index

computation (mod p). Math. Comp., 32, 1978.

O(n5+ε) in time, O(n2) in space:

• R. Schoof. Elliptic curves over finite fields and the

computation of square roots mod p. Math. Comp.,

44, 1985.

• A. O. L. Atkin. The number of points on an elliptic

curve modulo a prime, 1988. Number Theory

Mailing List.

• A.J. Menezes, S.A. Vanstone, R. J. Zuccherato.

Counting points on elliptic curves over F2m . Math.

Comp., 60, 1993.

�� ! "��#�$��%��%&'�)(�*+�-,/.+021)34��576�898

:;898�� <�$%��(�*=�>@?/ �*+�A*+898��9 %��B�C�$%��(�*=�D � � *+�A�


Elliptic curves


• N. D. Elkies. Explicit isogenies. Draft, 1991.

• A. O. L. Atkin. The number of points on an elliptic

curve modulo a prime, 1991. Number Theory

Mailing List.

• R. Schoof. Counting points on elliptic curves over

finite fields. J. Theor. Nombres Bordeaux, 1995.

• J. M. Couveignes. Quelques calculs en theorie des

nombres. these, Universite de Bordeaux I, 1994.

• R. Lercier. Computing isogenies in F2n . ANTS-II,

LNCS, 1996.

• J. M. Couveignes. Computing l-isogenies with the

p-torsion. ANTS-II, LNCS, 1996.

�� ! "��#�$��%��%&'�)(�*+�-,/.+021)34��576�898

:;898�� <�$%��(�*=�>@?/ �*+�A*+898��9 %��B�C�$%��(�*=�D � � *+�A�


Elliptic curves


• T. Satoh. The canonical lift of an ordinary elliptic

curve over a finite field and its point counting.

J. Ramanujan Math. Soc., 15, 2000.

• M. Fouquet, P. Gaudry R.J. Harley. An extension

of Satoh’s algorithm and its implementation.

J. Ramanujan Math. Soc., 2000.

• B. Skjernaa, Satoh’s algorithm in characteristic 2.

To appear in Math. Comp., preprint, 2000.


• F. Vercauteren, B. Preneel, J. Vandewalle. A

Memory Efficient Version of Satoh’s Algorithm.

EUROCRYPT 2001, LNCS.

• J.F. Mestre. AGM pour le genre 1 et 2. Lettre a

Gaudry et Harley, december 2000.

�� ! "��#�$��%��%&'�)(�*+�-,/.+021)34��576�898

:;898�� <�$%��(�*=�>@?/ �*+�A*+898��9 %��B�C�$%��(�*=�D � � *+�A�


Elliptic curves

O(n2.5+ε) time, O(n2) in space:

• T. Satoh, B. Skjernaa, Y. Taguchi. Fast

computation of canonical lifts of elliptic curves and

its application to point counting, August 2001.

• T. Satoh. On p-adic point counting algorithms for

elliptic curves over finite fields. ANTS-V, July

2002.

• H.Y. Kim, J.Y. Park, J.H. Cheon, J.H. Park, J.H.

Kim, S.G. Hahn. Fast elliptic curve point counting

using gaussian normal basis. ANTS-V, July 2002.

• P. Gaudry. A comparison and a combination of

SST and AGM algorithms for counting points of

elliptic curves in characteristic 2. ASIACRYPT

2002, December 2002.


• R. Lercier, D. Lubicz. Counting points on elliptic

curves over finite fields in quadratic time,

submitted for publication, September 2002.

• R.J. Harley, Algorithmes avances pour

l’arithmetique des courbes, Thesis, draft, 2003.

�� ! "��#�$��%��%&'�)(�*+�-,/.+021)34��576�898

:;898�� <�$%��(�*=�>@?/ �*+�A*+898��9 %��B�C�$%��(�*=�D � � *+�A�


Hyperelliptic curves of any genus

Polynomial in time:

• J. Pila. Frobenius maps of abelian varieties and

finding roots of unity in finite fields. Math. Comp.,

1990.

O(g6+εn3+ε) in time, O(g3n3) in space:

• A.G.B Lauder, D. Wan. Computing zeta functions

of Artin-Schreier curves over finite fields. London

Mathematical Society JCM 5, 2002.

O(g5+εn3+ε) in time, O(g3n3) in space:

• K. Kedlaya. Counting points on hyperelliptic

curves using Monsky-Washnitzer cohomology,

J. Ramanujan Mathematical Society 16 (2001).

• A.G.B Lauder, D. Wan. Computing zeta functions

of Artin-Schreier curves over finite fields II.

Preprint, 2002.

• J. Denef, F. Vercauteren. An Extension of

Kedlaya’s Algorithm to Artin-Schreier Curves in

Characteristic 2. ANTS-V, 2002.

• F. Vercauteren, Computing Zeta Functions of

Hyperelliptic Curves over Finite Fields of

Characteristic 2. CRYPTO 2002.

�� ! "��#�$��%��%&'�)(�*+�-,/.+021)34��576�898

:;898�� <�$%��(�*=�>@?/ �*+�A*+898��9 %��B�C�$%��(�*=�D � � *+�A�


Hyperelliptic curves of small genus

Genus 2, O(n3+ε) in time, O(n2) in space:

• J.F. Mestre. AGM pour le genre 1 et 2. Lettre a

Gaudry et Harley, 2000.

• P. Gaudry. Algorithms for counting points on

curves. ECC, Waterloo, 2001.

O(pgn3+ε) in time, O(pgn2) in space:

• J.F. Mestre. Algorithmes pour compter des points

en petite caracteristique en genre 1 et 2. Talk at

the cryptographic seminar of Rennes, 2002.

O(pgn2+ε) in time, O(pgn2) in space:

• R. Lercier, D. Lubicz. A quasi-quadratic time

algorithm for hyperelliptic curve point counting

preprint, 2003.

�� ! "��#�$��%��%&'�)(�*+�-,/.+021)34��576�898

:;898�� <�$%��(�*=�>@?/ �*+�A*+898��9 %��B�C�$%��(�*=�D � � *+�A�


Others

Superelliptic curves, O(g4+εn3+ε) in time, O(g3n3)in space:

• P. Gaudry, N. Gurel. An extension of Kedlaya’s

point-counting algorithm to superelliptic curves.

ASIACRYPT 2001, LNCS.

Genus 3, O(n3+ε) in time, O(n2) in space:

• C. Ritzenhaler. Problemes arithmetiques relatifs a

certaines familles de courbes sur les corps finis.

Thesis, Universite Paris 7, 2003.

⇒ yields a O(n2+ε) algorithm with these ideas.

Algebraic varieties, polynomial in time:

• A.G.B Lauder, D. Wan. Counting rational points

on varieties over finite fields of small

characteristic. MSRI, Algorithmic Number Theory,

2002.

• A.G.B Lauder. Counting solutions to equations in

many variables over finite fields. Preprint, 2003.

�� ! "��#�$��%��%&'�)(�*+�-,/.+021)34��576�8983%:�6��%��;6��9� � 5'*$��

<=�%�>6�5'�9?�*@�A*$B/��*+��C=*+��D�E�F�9��*+�>6)��9��GD�9�H��%&'� � *JI%�>��K�*@�%�9��

L4*@�M��*�� N�*@6��F�O��P*+898�� Q�$��(�*@�L4*@�M��*�� N�*@6��F�O��P&�*+�/��=R��$%��(�*@�S'TVUDWYX �O�� /Z "*+��*+8�8��9 ��N�Q�$%��(�*@�[ ��$8��

p-adic numbers

p-adic norm | · |p of r ∈ Q∗ is |r|p = p−ρ, r = pρu/v,

ρ, u, v ∈ Z, p 6 | u, p 6 | v.

Field of p-adic numbers Qp is the completion of Q

w.r.t. | · |p,

∞∑

i=ρ

aipi, ai ∈ {0, 1, . . . , p − 1}, ρ ∈ Z.

p-adic integers Zp is the ring with | · |p ≤ 1 or

ρ ≥ 0.

Unique maximal ideal

M = {x ∈ Qp | |x|p < 1} = pZp

and Zp/M ∼= Fp.

Alternative construction.

Def. Let πm be the projection from Z/pm+1Z onto

Z/pmZ, then a p-adic integer is a sequence

x = (x1, x2, . . . , xm, . . .) with xm ∈ Z/pmZ and

such that πm(xm+1) = xm.

�� ! "��#�$��%��%&'�)(�*+�-,/.+021)34��576�8983%:�6��%��;6��9� � 5'*$��

<=�%�>6�5'�9?�*@�A*$B/��*+��C=*+��D�E�F�9��*+�>6)��9��GD�9�H��%&'� � *JI%�>��K�*@�%�9��


Unramified extensions of p-adics

K extension of Qp of degree n with valuation ring

Zq and maximal ideal MZq = {x ∈ K | |x|K < 1}where |.|K is the unique extension of |.|p to K.

K is said unramified iff Zq/MZq∼= Fq (residue

field).

Def. The Teichmuller Lift is the map

ω : Fq → Zq defined by ω(0) = 0 and for x 6= 0,

ω(x) is the unique q − 1-th root of unity in Zq such

that π(ω(x)) = x with π the canonical projection of

Zq to Fq.

Def. The semi-Witt decomposition of x ∈ Zq is

the unique sequence (xi)i≥0 of Fq such that

x =∑

i≥0ω(xi)p

i.

Galois group of K over Qp is cyclic with generator

Frobenius substitution σ and σ modulo MZq equals

to the small Frobenius on Fq.

�� ! "��#�$��%��%&'�)(�*+�-,/.+021)34��576�8983%:�6��%��;6��9� � 5'*$��

<=�%�>6�5'�9?�*@�A*$B/��*+��C=*+��D�E�F�9��*+�>6)��9��GD�9�H��%&'� � *JI%�>��K�*@�%�9��

L4*@�M��*�� N�*@6��F�O��P*+898�� Q�$��(�*@�L4*@�M��*�� N�*@6��F�O��P&�*+�/��=R��$%��(�*@�S'TVUDWYX �O�� /Z "*+��*+8�8��9 ��N�Q�$%��(�*@�[ ��$8�� Unramified extensions of p-adics

Polynomial Basis: Let Fq∼= Fp[t]/(F (t)) then, K

can be constructed as

K ∼= Qp[t]/(F (t)),

with F (t) any lift of F (t) to Zp[t]. Such a choice

yields a basis {1, t, . . . , tn−1}.Multiplication at precision m of two p-adics costs

Tm,n = O((nm)µ).

Gaussian Normal Basis: For Galois extension

K/Qp, there exists elements α which yields basis of

the form {α, ασ, . . . , ασn−1}.

Def. For some T such that ∃ a primitive T -th

root of unity τ in Z/(nT + 1)Z and such that

α =∑T−1

i=0γτi

(where γ is a primitive (nT + 1)-th

root of unity) generates a normal basis over Qp

called a Gaussian Normal Basis (GNB) of type T .

In this case, Tm,n = O((Tnm)µ).

�� ! "��#�$��%��%&'�)(�*+�-,/.+021)34��576�8983%:�6��%��;6��9� � 5'*$��

<=�%�>6�5'�9?�*@�A*$B/��*+��C=*+��D�E�F�9��*+�>6)��9��GD�9�H��%&'� � *JI%�>��K�*@�%�9��


Newton iteration

To compute the root of a polynomial f(x) from

f(x + pwδ) = f(x) + pwδ∂f

∂x(x) + O(p2w).

Algorithm Newton

Algorithm to compute a root of f(x) mod pm,

knowing a solution x0 modulo p2k+1 where

k = v(∂f/∂x(x0)).

Input: x0 ∈ Zq/p2k+1Zq , m ∈ N.

Output: x a solution of f(x) mod pm.

1. if m ≤ 2k + 1 then return x0;

2. w := dm2 e + k;

3. x := Newton(x0, w);

4. Lift x to precision m;

5. V := f(x) mod pm; ∆x := ∂f/∂x(x) mod pw−k;

6. return x − V/∆x;

Remark. Very fast in practice (precision is nearly

doubled at each step). For polynomials with O(1)

terms of degree O(1), time complexity is O(Tm,n).

�� ! "��#�$��%��%&'�)(�*+�-,/.+021)34��576�8983%:�6��%��;6��9� � 5'*$��

<=�%�>6�5'�9?�*@�A*$B/��*+��C=*+��D�E�F�9��*+�>6)��9��GD�9�H��%&'� � *JI%�>��K�*@�%�9��


Lifting the Frobenius at precision m

Prop. Let (xi)i≥0 be the semi-Witt

decomposition of a p-adic x, then

xσ =∑

i≥0ω(xi)

ppi.

Polynomial Basis by [Satoh-Harley]:

At first, one lifts F (t) at precision m to the

minimal polynomial F (t) of ω(t) using the fact that

F (tp) =

p−1∏

i=0

F (tζi) with ζp = 1.

This can be done by a newton iteration in

O(Tm,n log n) ?

It follows that tσ = t2 and xσ =∑n−1

i=0xit

2i can be

easily computed in O(Tm,n).

GNB by [Kim et al.]:

Computing σk can be done by a permutation of

the nT components of x. This can be easily done

in Sm,n = O(nmT ).

A more elaborated implementation strategy (with

indexes) yields a O(n) time complexity.

�� ! "��#�$��%��%&'�)(�*+�-,/.+021)34��576�8983%:�6��%��;6��9� � 5'*$��<4*=�>��*�� ?�*=6��@�A��B*+898�� C�$��(�*=�

D'EAFHGJI ��5'*$:��$��5' %8�*$K�L�>MD'EAFHN$O PJI ��5'*$:��$��5' %8�*$K/�9�QMD'EAF N I ��5'*$:��$��5' %8�*$K�L�>M

R!��%�9��*SR!��*+8��@�B�9� �UT;V#WR!��%�9��*SR!��*+8��@�B�9� � �� T;V#W

<4*=�>��*�� ?�*=6��@�A��B&�*+�/��YX��$%��(�*=�D'EZF N I �A�� M� "*+��*+8�8��9 ��?�C�$%��(�*=�[ ��$8��

The “lift” and “norm” paradigm

Let E be an elliptic curve defined over the field F2n

by an equation y2 + xy = x3 + α.

#E(F2n) = 2n + 1 − c with |c| ≤ 2√

2n.

A first O(n3) algorithm given by Satoh to compute

c, improved by Vercauteren et al. to get a O(n2) in

space.

At the same time, a completely different method

given by Mestre for the characteristic 2 case, same

complexity, based on AGM.

e e e

-

6�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

�

Lift

Norm

tn−1

+ · · ·+ tk+ · · · + t

0Zq : Zp :

Fq : tn−1

+ · · ·+ tk+ · · · + t

0

�� ! "��#�$��%��%&'�)(�*+�-,/.+021)34��576�8983%:�6��%��;6��9� � 5'*$��<4*=�>��*�� ?�*=6��@�A��B*+898�� C�$��(�*=�


<4*=�>��*�� ?�*=6��@�A��B&�*+�/��SR��$%��(�*=�D'ETF N I �A�� M� "*+��*+8�8��9 ��?�C�$%��(�*=�U ��$8�� O(n3) time complexity

Given a explanation of the mathematics which are

“behind” the scene is out of the scope of this talk.

A first explanation by Mestre based on isogenies of

degree 2 between elliptic curves, more recently an

explanation based on the Riemann θ functions

(cf. [Carls2003], [Ritzenthaler2003]).

Algorithm AGM

Algorithm to compute the trace of an ordinary

elliptic curve E/F2n : y2 + xy = x3 + α.

Input: α ∈ F2n .

Output: The trace c of E.

\\Lift phase

1. a := 1 + 8α ∈ Zq ; b := 1 ∈ Zq ;

2. for (i := 1; i < n/2 + O(1); i := i + 1) {3. a, b := a+b

2 ,√

ab ;

4. }\\Norm phase

5. A := a; B := b;

6. for (i := 1; i < n; i := i + 1) {7. a, b := a+b

2 ,√

ab ;

8. }9. return A

a mod 2n as a signed integer in [−2√

2n, 2√

2n].

�� ! "��#�$��%��%&'�)(�*+�-,/.+021)34��576�8983%:�6��%��;6��9� � 5'*$��<4*=�>��*�� ?�*=6��@�A��B*+898�� C�$��(�*=�


<4*=�>��*�� ?�*=6��@�A��B&�*+�/��SR��$%��(�*=�D'ETF N I �A�� M� "*+��*+8�8��9 ��?�C�$%��(�*=�U ��$8��

O(n2.5) time complexity

First, the AGM iterations

ai+1 = ai+bi2

,

bi+1 =√

aibi,

can be replaced via ci = ai/bi by

ci+1 =2 + ci

2√

ci.

Second,

ci+1 = cσi .

Consequently, one must solve at precision

n/2 + O(1),

4x(xσ)2 = (1 + x)2

This equation is an equation of the form φ(x, xσ)

where φ(x, y) is a bivariate polynomial.

�� ! "��#�$��%��%&'�)(�*+�-,/.+021)34��576�8983%:�6��%��;6��9� � 5'*$��<4*=�>��*�� ?�*=6��@�A��B*+898�� C�$��(�*=�


<4*=�>��*�� ?�*=6��@�A��B&�*+�/��SR��$%��(�*=�D'ETF N I �A�� M� "*+��*+8�8��9 ��?�C�$%��(�*=�U ��$8��

SST

Algorithm SSTLift

Algorithm to compute a root of φ(x, xσ) mod pm,

knowing a solution x0 modulo pk+1 where

k = v(∂φ/∂x(x0, xσ0 )).

Input: x0 ∈ Zq/pk+1Zq , m ∈ N.

Output: x a solution of φ(x, xσ) mod pm.

1. w := dmµ/(µ+1)e; d any lift of (∂xφ(x0, xσ0 )) to Zq/pw+k

Zq ;

2. x any lift of x0 to Zq/pw+kZq

3. for (i := k + 1; i < w + k; i := i + 1) {4. y := xσ ;

5. x := x − φ(x, y)/d;

6. }7. y := xσ mod pw+k;

8. Dx := ∂xφ(x, y) mod pw+k; Dy := ∂yφ(x, y) mod pw+k;

9. for (j := 1; jw + k < m; j := j + 1){10. Lift x to Zq/p(j+1)w+k

Zq ;

11. y := xσ mod p(j+1)w+k;

12. V := φ(x, y) mod p(j+1)w+k;

13. for (i := 0; i < w; i := i + 1) {14. ∆x = −p−(jw+i)V/d;

15. ∆y = ∆σx mod pw−i+k;

16. x := x + pjw+i∆x mod p(j+1)w+k;

17. V + := pjw+i(Dx∆x+Dy∆y) mod p(j+1)w+k;

18. }19. }20. return x;

�� ! "��#�$��%��%&'�)(�*+�-,/.+021)34��576�8983%:�6��%��;6��9� � 5'*$��<4*=�>��*�� ?�*=6��@�A��B*+898�� C�$��(�*=�


<4*=�>��*�� ?�*=6��@�A��B&�*+�/��SR��$%��(�*=�D'ETF N I �A�� M� "*+��*+8�8��9 ��?�C�$%��(�*=�U ��$8��

The Norm phase

Once a root cdn/2e+3 of

4x(xσ)2 = (1 + x)2

is computed, it remains to get c.

In fact, it turns out that

c = NZ2n /Z2

(

2cdn/2e+3

1 + cdn/2e+3

)

.

Satoh outlines that when ordp(a − 1) > 1

p−1, the

following formula can be used

NZq/Zp(a) = exp(TrZq/Zp(log a)).

This yields a O(nµmµ+ 12 ) time complexity with

space equal to O(nm).

�� ! "��#�$��%��%&'�)(�*+�-,/.+021)34��576�8983%:�6��%��;6��9� � 5'*$��<4*=�>��*�� ?�*=6��@�A��B*+898�� C�$��(�*=�



<4*=�>��*�� ?�*=6��@�A��B&�*+�/��YX��$%��(�*=�D'EZF N I �A�� M� "*+��*+8�8��9 ��?�C�$%��(�*=�[ ��$8�� Generalized Newton iterations

Recent results enable to generalize Newton iterations to

equations of the form φ(x, xσ) = 0. Based on

φ(x + pwδ, (x + pwδ)σ) = φ(x, xσ)+

pwδ∂φ

∂x(x, xσ) + pwδσ ∂φ

∂y(x, xσ) + O(p2w).

Algorithm NewtonLift

Algorithm to compute a root of φ(x, xσ) mod pm,

knowing a solution x0 modulo p2k+1 where

k = v(∂φ/∂y(x0, xσ0 )).

Input: x0 ∈ Zq/p2k+1Zq , m ∈ N.

Output: x a solution of φ(x, xσ) mod pm.

1. if m ≤ 2k + 1 then return x0;

2. w := dm2 e + k;

3. x := NewtonLift(x0, w);

4. Lift x to Zq/pmZq ; y := xσ mod pm;

5. ∆x := ∂xφ(x, y) mod pw−k; ∆y := ∂yφ(x, y) mod pw−k;

6. V := φ(x, y) mod pm;

7. a, b := ArtinSchreierRoot(−V/(pw−k∆y),−∆x/∆y, w−k, n);

8. return x + pw−k(1 − a)−1b;

Remark. ArtinSchreierRoot is a “black box” which

solves equations of the form

xσ = ax + b, a and b in Zq .

�� ! "��#�$��%��%&'�)(�*+�-,/.+021)34��576�8983%:�6��%��;6��9� � 5'*$��<4*=�>��*�� ?�*=6��@�A��B*+898�� C�$��(�*=�



<4*=�>��*�� ?�*=6��@�A��B&�*+�/��YX��$%��(�*=�D'EZF N I �A�� M� "*+��*+8�8��9 ��?�C�$%��(�*=�[ ��$8��

Artin-Schreier equations with GNB

[Lercier-Lubicz]

For all k ∈ N, xσk ≡ akx + bk mod pw.

xσn

= x, which means that (1 − an)x = bn.

A classical “square and multiply” composition

formula, ∀k, k′ ∈ Z2,

xσk+k′

= aσk′

k ak′x + aσk′

k bk′ + bσk′

k .

Algorithm ArtinSchreierRoot

Algorithm to compute a root of xσ = ax + b (when

called with ν = n).

Input: a and b in Zq/pmZq , m and ν in N.

Output: A and B s.t. x = Axσn−ν+ B mod pm.

1. if ν = 1 then return aσn−1, bσn−1

mod pm;

2. A, B := ArtinSchreierRoot(a, b, m, b ν2 c);

3. A, B := AAσn−b ν

2c, ABσ

n−b ν2c

+ B mod pm;

4. if ν mod 2 then A, B := Aaσn−ν, Abσn−ν

+B mod pm;

5. return A, B;

Then, the classical “divide and conquer” algorithm

to compute the norm works very well for GNB.

�� ! "��#�$��%��%&'�)(�*+�-,/.+021)34��576�8983%:�6��%��;6��9� � 5'*$��<4*=�>��*�� ?�*=6��@�A��B*+898�� C�$��(�*=�



<4*=�>��*�� ?�*=6��@�A��B&�*+�/��YX��$%��(�*=�D'EZF N I �A�� M� "*+��*+8�8��9 ��?�C�$%��(�*=�[ ��$8��

Timings for counting points on elliptic

curves defined over F2n (GNB)

On a 731 MHz Alpha EV6 CPU.

n GNB type 1

Lift Norm Total

1018 2.5s 1.5s 4s

2052 10s 7s 17s

4098 1mn 45s 1mn 45

8218 6mn 30 4mn 30 11mn

16420 34mn 23mn 57mn

32770 3h 17 2h 18 5h 35

65538 15h 45 13h 20 1d 5

100002 1d 18 1d 16 3d 10

Current record : 130020 bits by Harley.

�� ! "��#�$��%��%&'�)(�*+�-,/.+021)34��576�8983%:�6��%��;6��9� � 5'*$��<4*=�>��*�� ?�*=6��@�A��B*+898�� C�$��(�*=�



<4*=�>��*�� ?�*=6��@�A��B&�*+�/��YX��$%��(�*=�D'EZF N I �A�� M� "*+��*+8�8��9 ��?�C�$%��(�*=�[ ��$8��

Artin-Schreier equations without GNB

[Harley-Gaudry]

A cross between Newton iterations and the SST

algorithm.

Algorithm ArtinSchreierRoot

Algorithm to compute a root of xσ = ax + b.

Input: x, y, V , i, j, a, b such that a and b in

Zq/pmZq , v(a) = 1, v(b) = 0, i is the current

precision, j > i is the wanted precision,, x a root at

precision i, y = xσ mod 2j and V = y + ax + b.

Output: A root x′ at precision j and x′σ mod 2j .

1. if j = i + 1 then return x + 2i√

V/2i, y + V ;

2. k := b i+j2 c;

3. x′, y′ := ArtinSchreierRoot(x, y, V , i, k, a, b);

4. y′ := y + (x′ − x)σ ;

5. V + := (x′ − x)a + (y′ − y);

6. return ArtinSchreierRoot(x′, y′, V , k, j, a, b);

Norm computation through the use of Collins’

sub-resultant algorithm ?

�� ! "��#�$��%��%&'�)(�*+�-,/.+021)34��576�8983%:�6��%��;6��9� � 5'*$��<4*=�>��*�� ?�*=6��@�A��B*+898�� C�$��(�*=�<4*=�>��*�� ?�*=6��@�A��B&�*+�/��ED��$%��(�*=�

F'GAHJILK ��5'*$:��$��5' %8�*$M�N�>OF'GAHJPLK ��5'*$:��$��5' %8�*$M�N�>O

F'GQH P K �A�� O� "*+��*+8�8��9 ��?�C�$%��(�*=�R ��$8��

O(n3+ε) time complexity

It works for curves with ordinary jacobian i.e.

which have maximal p-rank.

Riemann formulas become for the genus 2, p = 2 :

ai+1 = ai+bi+ci+di4

,

bi+1 =

√aibi+

√cidi

2,

ci+1 =√

aici+√

bidi

2,

di+1 =

√aidi+

√bici

2,

(the so called “Borchardt” mean).

Using an algorithm very similar to AGM

algorithm, we are able to get A, B, C, D at the

needed precision (O(3/2n)).

After n supplementary iterations, one gets

A

a=

B

b=

C

c=

D

d

which, thanks to the Thomae-Fay formulas, equals

to the product of the eigenvalues of the Frobenius

morphism which are invertible modulo 2.

⇒ O(n3+ε) time complexity

�� ! "��#�$��%��%&'�)(�*+�-,/.+021)34��576�8983%:�6��%��;6��9� � 5'*$��<4*=�>��*�� ?�*=6��@�A��B*+898�� C�$��(�*=�<4*=�>��*�� ?�*=6��@�A��B&�*+�/��ED��$%��(�*=�


F'GQH P K �A�� O� "*+��*+8�8��9 ��?�C�$%��(�*=�R ��$8��

O(n2+ε) time complexity

Let

Φ(b, c, d) =(√

b +√

c√

d)/2

(1 + b + c + d)/4,

then Borchardt iterations can be replaced by

bi+1

ci+1

di+1

=

Φ(bi, ci, di)

Φ(ci, bi, di)

Φ(di, bi, ci)

&

bi+1

ci+1

di+1

=

bσi

cσi

dσi

Lift phase. solved through a generalization of

NewtonLift.

Norm phase. Similar to the elliptic curve case.

�� ! "��#�$��%��%&'�)(�*+�-,/.+021)34��576�8983%:�6��%��;6��9� � 5'*$��<4*=�>��*�� ?�*=6��@�A��B*+898�� C�$��(�*=�<4*=�>��*�� ?�*=6��@�A��B&�*+�/��ED��$%��(�*=�


F'GQH P K �A�� O� "*+��*+8�8��9 ��?�C�$%��(�*=�R ��$8��

Timings for counting points on genus 2



n GNB type 1

Lift Norm Total

1018 2mn 5s 2mn 5

2052 8mn 30 25s 8mn 55

4098 50mn 5s 2mn 15 52mn 20

8218 4h 52mn 13mn 5h 5

16420 1d 5 1h 1d 6

32770 7d 22 6h 8d 4

�� ! "��#�$��%��%&'�)(�*+�-,/.+021)34��576�8983%:�6��%��;6��9� � 5'*$��<4*=�>��*�� ?�*=6��@�A��B*+898�� C�$��(�*=�<4*=�>��*�� ?�*=6��@�A��B&�*+�/��ED��$%��(�*=�F'GIHKJML �A�� /N "*+��*+8�8��9 ��?�C�$%��(�*=�

��%�9��6�89��O=6)��P � 6��*QK�9�R�E � 6��*SE��5T � 6��*QUQVQW � 6��*

X ��$8��

O(n2+ε) for ordinary hyperelliptic curves

Four main phases:

Initialization phase. Given an hyperelliptic curve

H/Fpn one computes at small precision the values

at z = 0 taken by pg theta functions with pg

characteristics.

Lift phase. Using Riemann duplication formulas, one

has to solve a multivariate system F (X) = Xσ in

Zq at a precision m large enough. Solution from

the theta constants computed in the initialization

phase thanks to a lifting algorithm

Norm phase. Computing the norm NZq/Zpof an

element of Zq derived from X yields at precision m

the product π1 · · ·πg of the g eigenvalues (invertible

modulo p) of the Frobenius defined by H.

LLL phase. With LLL algorithm, one obtains a

symmetric polynomial Psym(X) whose roots are of

the form X + q/X ( X is the product of g terms

which belong to {π1, q/π1}, . . . , {πg , q/πg}). It

remains to compute its roots over C in order to find

the characteristic polynomial χ(+−X) of the

Frobenius.



X ��$8��Initialization phase

We first lift in Z2n an affine model of H,

y2 + h(x)y = h(x)q(x),

as follows,

Y 2 = (2y + h(x))2 = h(x)(h(x) + 22q(x)).

When h(x) and h(x) + 4q(x) completely split over

Z2n ,

Y 2 =

2g+1∏

i=0

(X − xi) such that xi ∈ Z22n

and x2i ≡ x2i+1 mod 22.

Then, Thomae-Fay formulas enable to compute 2g

theta constants θ0, . . . , θ2g−1 at small precision

through

θe =

√

∏

0≤i<j≤g

(x2i+εi − x2j+εj )(x2i+1−εi − x2j+1−εj ),

where ε0 = 0 and where e is written in basis 2 as

εg2g−1 + · · · + ε1 (the square root is chosen such

that θe ≡ 1 mod 22).



X ��$8��

Lift phase

Let R(t1) = 2√

t11+t1

for curves of genus g = 1 and

R(t1, · · · , t2g−1) =

2√

t1 + 2√

t2√

t3 + · · · + 2√

t2g−2

√t2g−1

1 + t1 + · · · + t2g−1

for g > 1.

Riemann duplication formulas yield

∀e ∈ {1, . . . , 2g−1}, τσe = R(τe, τi2 , τi3 , . . . , τi2g−2

, τi2g−1)

where, for each e, the indexes i2, . . . , i2g−1 are s.t.

{{0, e}, {i2, i3}, . . . , {i2g−2, i2g−1}} =

{{j, j ⊕ e} | j ∈ {1, . . . , 2g − 1}}

(⊕ denotes the exclusive or of two integers) and

τe = θe/θ0 mod 24.

⇒ solved through a generalization of NewtonLift.



X ��$8��

Norm phase

The product π of the g eigenvalues (invertible

modulo 2) of the Frobenius defined by H satisfies

π ≡ NZ2n /Z2

(

2g

1 + τ1 + · · · + τ2g−1

)

mod 2m.

⇒ solved in a way similar to the elliptic curve case.



X ��$8��

LLL phase

At first, we build a symmetric polynomial of degree2g−1 with root η = π + 2gn/π thanks to a LLLreduction of the lattice L given by

K × M1 K × M2 · · · K × M2g−1+1 K × 2m

0 0 · · · 2bn×S

2g−1+1c

0

0 0 · · · 0 0

.

.

.. . .

.

.

....

0 2bn×S2c · · · 0 0

2bn×S1c 0 · · · 0 0

,

where

M =

[

2(2g−1−1−i)n

ηi

mod 2m | i ∈ {0, . . . , 2

g−1 − 1}]

∪ [η2g−1

mod 2m

, 2m

],

and

S =

[

(i − 1)(g − 2)

2| i ∈ {1, . . . , 2

g−1}]

∪[

2g−1(g − 2)

2+ 1

]

(K is some arbitrarily large constant).



X ��$8��Precision needed

The coefficients of Psym are components of a vector

Π of small norm in L.

Asymptotic estimates state that the LLL alorigthm

can compute the lattice reduction of L if its

euclidian norm || ||2 (or sup-norm || ||1) satisfy

||Π||1 ≤ ||Π||2 ≤ det(L)1/ dimL.

⇒ the precision m needed for the lift must satisfy

m >22g(g − 2) + 2g+1(g + 2)

16n.

Some numeric values:

g 1 2 3 4 5 6

m n/2 2n 9n 44n 220n 1088n

g 7 8 9 10

m 5264n 24896n 115392n 525824n



X ��$8��

Timings for counting points on genus 3



n GNB type 1

Lift Norm Total

1018 8h 30 1mn 8h 31

2052 1d 3 5mn 1d 3

4098 6d 8h 25mn 6d 8h

�� ! "��#�$��%��%&'�)(�*+�-,/.+021)34��576�8983%:�6��%��;6��9� � 5'*$��<4*=�>��*�� ?�*=6��@�A��B*+898�� C�$��(�*=�<4*=�>��*�� ?�*=6��@�A��B&�*+�/��ED��$%��(�*=�F'GIHKJML �A�� /N "*+��*+8�8��9 ��?�C�$%��(�*=�O ��$8��

Conclusions & Open Problems

• We have now algorithms to count points for

many curves in time very close to the time

needed to multiply a divisor by an integer in

the Jacobian.

• Reasonable wishes. . .

– Non ordinary hyperelliptic curves ?

– Non hyperelliptic curves in small genus ?

– O(g?n2+ε) time complexities algorithms for

hyperelliptic curves of any genus ?

– etc.

• Golden Grail: practical algorithms for large p ?

algorithmic aspects of mestre’scacr.uwaterloo.ca/conferences/2003/ecc2003/lercier.pdf ·...

Documents