Elsevier

Journal of Complexity

Volume 57, April 2020, 101440

Counting points on hyperelliptic curves with explicit real multiplication in arbitrary genus

https://doi.org/10.1016/j.jco.2019.101440

Abstract

We present a probabilistic Las Vegas algorithm for computing the local zeta function of a genus-$g$ hyperelliptic curve defined over $\mathbb{F}_q$ with explicit real multiplication (RM) by an order $\mathbb{Z}[\eta]$ in a degree-$g$ totally real number field.

It is based on the approaches by Schoof and Pila in a more favourable case where we can split the $\ell$-torsion into $g$ kernels of endomorphisms, as introduced by Gaudry, Kohel, and Smith in genus 2. To deal with these kernels in any genus, we adapt a technique that the author, Gaudry, and Spaenlehauer introduced to model the $\ell$-torsion by structured polynomial systems. Applying this technique to the kernels, the systems we obtain are much smaller, and so is the complexity of solving them.

Our main result is that there exists a constant $c>0$ such that, for any fixed $g$, this algorithm has expected time and space complexity $O((\log q)^c)$ as $q$ grows and the characteristic is large enough. We prove that $c \le 9$, and we also conjecture that the result still holds for $c=7$.

Introduction

Due to its numerous applications in cryptology, number theory, algebraic geometry or even as a primitive used in other algorithms, the problem of counting points on curves and Abelian varieties has been extensively studied over the past three decades. Among the milestones in the history of point-counting, one can mention the first polynomial-time algorithm by Schoof [29] for counting points on elliptic curves, and the subsequent extension to Abelian varieties by Pila [25]. Using similar approaches, we design a probabilistic algorithm for computing the local zeta functions of hyperelliptic curves of arbitrary fixed genus g with explicit real multiplication and bound its complexity.

Given an Abelian variety of dimension $g$ over a finite field $\mathbb{F}_q$, Pila's algorithm computes its local zeta function in time $(\log q)^{\Delta}$, where $\Delta$ is doubly exponential in $g$. Further contributions were made in [4], [19], so that this exponent $\Delta$ is now proven to be polynomial in $g$ in general, and even linear in the hyperelliptic case [3].

In genus 2, a tailor-made extension of Schoof's algorithm due to Gaudry, Harley and Schost [13], [15], [16] makes it possible to count points in time $\tilde{O}(\log^8 q)$. Yet this remains much larger than the complexity of the Schoof–Elkies–Atkin (SEA) algorithm [30], which is the standard for elliptic point-counting in large characteristic and runs in $\tilde{O}(\log^4 q)$ bit operations. For genus-2 curves with explicit real multiplication (RM), i.e. curves having an additional endomorphism for which an explicit expression is known, a much more efficient point-counting algorithm is introduced in [14] with a bit complexity in $\tilde{O}(\log^5 q)$, thus narrowing the gap between genus 1 and 2.

These algorithms were extended to genus-3 hyperelliptic curves in [2] with an asymptotic complexity of $\tilde{O}(\log^{14} q)$ bit operations, decreased to $\tilde{O}(\log^6 q)$ bit operations when the curve has explicit RM.

The aim of this paper is to study the asymptotic complexity of point-counting on hyperelliptic curves with explicit RM when $g$ is arbitrarily large. In this case, we bound the exponent of $\log q$ by 9 and therefore remove the dependency on $g$ from the exponent of $\log q$.

Another way to avoid such a painful dependency on $g$ in the complexity, without restricting to such particular cases, is to use $p$-adic methods, in the spirit of Satoh's and Kedlaya's algorithms [20], [27] for elliptic and hyperelliptic curves. These methods have also been extended beyond the hyperelliptic case [9], [32], and one can also mention the algorithms of Lauder and Lauder–Wan that hold for very general varieties [22], [23]. Although these methods are polynomial in $g$, they are exponential in $\log p$ and therefore cannot be used in large characteristic.

Indeed, the $\ell$-adic approaches derived from Schoof's algorithm and the $p$-adic approaches are complementary, covering the cases where either $g$ or $p$ is small, but we still lack a classical algorithm running in time polynomial in both $g$ and $\log q$. However, for counting points on reductions modulo many primes $p$ of the same curve, an algorithm introduced by Harvey in [18] is polynomial in $g$ and polynomial on average in $\log p$.

In this paper, we follow the spirit of the Schoof–Pila algorithm and recover the local zeta function by computing the characteristic polynomial $\chi_\pi$ of the action of the Frobenius endomorphism $\pi$ on the $\ell$-torsion subgroups for sufficiently many primes $\ell$. The key to our complexity result is that, thanks to the real multiplication, it is sufficient to have $\pi$ act on much smaller subgroups of the $\ell$-torsion, at least for a positive proportion of the primes $\ell$. The following definition sums up the assumptions that we make on our particular (families of) curves.

Definition 1 (Explicit Real Multiplication)

We say that a curve $C$ has explicit real multiplication by $\mathbb{Z}[\eta]$ if the subring $\mathbb{Z}[\eta] \subset \operatorname{End}(\operatorname{Jac}(C))$ is isomorphic to an order in a totally real degree-$g$ number field, and if we have explicit formulas describing $\eta(P - P_\infty)$ for some fixed base point $P_\infty$ and a generic point $P$ of $C$.

Remark

Once a rational Weierstrass point $P_\infty$ is picked on $C$, we represent elements (reduced divisors) of $\operatorname{Jac}(C)$ as formal sums $\sum_{i=1}^{w} (P_i - P_\infty)$ and call $w$ the weight of the divisor. Alternatively, we represent elements of $\operatorname{Jac}(C)$ in Mumford form $\langle u, v \rangle$, where $u$ and $v$ are polynomials in $\mathbb{F}_q[X]$ with $\deg u = w$ and $u \mid v^2 - f$. We refer to [8, Sec. 4.4 & 14.1] for more background on Jacobians of hyperelliptic curves. In cases where $C$ does not have an odd-degree Weierstrass model, we can work in an extension of degree at most $2g+2$ of the base field in order to ensure the existence of a rational Weierstrass point.

By explicit formulas, we mean $2g+2$ polynomials in $\mathbb{F}_q[x,y]$, which we denote by $(\eta_i^{(u)}(x,y))_{i \in \{0,1,\dots,g\}}$ and $(\eta_i^{(v)}(x,y))_{i \in \{0,1,\dots,g\}}$, such that, when $C$ is given in odd-degree Weierstrass form, the Mumford coordinates of $\eta((x,y) - P_\infty)$ are
$$\left\langle X^g + \sum_{i=0}^{g-1} \frac{\eta_i^{(u)}(x,y)}{\eta_g^{(u)}(x,y)}\, X^i,\ \sum_{i=0}^{g-1} \frac{\eta_i^{(v)}(x,y)}{\eta_g^{(v)}(x,y)}\, X^i \right\rangle,$$
where $(x,y)$ is the generic point of the curve.

As in [2], [14], we consider primes $\ell \in \mathbb{Z}$ such that $\ell\mathbb{Z}[\eta]$ splits as a product $\mathfrak{p}_1 \cdots \mathfrak{p}_g$ of prime ideals. Computing the kernels of an endomorphism $\alpha_i$ in each $\mathfrak{p}_i$ provides us with an algebraic representation of the $\ell$-torsion $\operatorname{Jac}(C)[\ell] \cong \operatorname{Ker}\alpha_1 + \cdots + \operatorname{Ker}\alpha_g$. Then, we compute from this representation integers $a_0, \dots, a_{g-1}$ in $\mathbb{Z}/\ell\mathbb{Z}$ such that the sum $\pi + \pi^\vee$ of the Frobenius endomorphism and its dual equals $a_0 + a_1 \eta + \cdots + a_{g-1}\eta^{g-1} \bmod \ell$. Once enough modular information is known, the values of the $a_i$'s such that $\pi + \pi^\vee = \sum_{i=0}^{g-1} a_i \eta^i$ are recovered via the Chinese Remainder Theorem, and the coefficients of the characteristic polynomial of the Frobenius can be directly expressed in terms of the $a_i$'s.
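The outer loop of this procedure, written out as an added illustration (this is not the paper's code, and no curve is involved). The dominant step, computing the kernels $\operatorname{Ker}\alpha_i$ and the action of $\pi + \pi^\vee$ on them, is replaced by a constructed oracle that knows a hidden $t = a_0 + a_1\eta$; everything around it is carried out for real: the selection of primes $\ell$ at which $\ell\mathbb{Z}[\eta]$ splits completely (tested as "the minimal polynomial of $\eta$ has $g$ distinct roots mod $\ell$", which is equivalent because $\mathbb{Z}[\eta]/\ell \cong \mathbb{F}_\ell[x]/(f)$), the recovery of the $a_i \bmod \ell$ from the $g$ scalars by which $\pi+\pi^\vee$ acts on the $g$ kernels (it is assumed here, for the illustration, that $\eta$ acts on $\operatorname{Ker}\alpha_i$ as a root $r_i$ of $f \bmod \ell$, so the scalar is $t(r_i)$), a Weil-type bound $|\sigma_j(t)| \le 2\sqrt{q}$ turned into a bound on the $|a_i|$ that fixes how many primes are needed, the CRT reconstruction, and finally $\chi_\pi(T) = \prod_\sigma (T^2 - \sigma(t)T + q)$, the norm of $T^2 - tT + q$ from $\mathbb{Q}(\eta)[T]$ to $\mathbb{Q}[T]$, with $\#\operatorname{Jac}(C)(\mathbb{F}_q) = \chi_\pi(1)$. The toy parameters ($g=2$, $\eta = (1+\sqrt5)/2$, $q = 10007$, hidden $a = (17, -30)$) are constructed, not taken from the paper.

```python
import math

# Constructed toy setup (assumed for this illustration, not taken from the paper):
# g = 2, eta = (1 + sqrt 5)/2 with minimal polynomial f(x) = x^2 - x - 1, so that
# Q(eta) = Q(sqrt 5) is totally real of degree 2; q = 10007 is prime (p = q).
MINPOLY = [-1, -1, 1]                                  # f, low degree first
REAL_ROOTS = [(1 + 5 ** 0.5) / 2, (1 - 5 ** 0.5) / 2]  # the g real embeddings of eta
Q = 10007
TRUE_A = [17, -30]  # hidden a_i with pi + pi^vee = a_0 + a_1*eta; stands in for the curve

def poly_eval(coeffs, x, red=lambda v: v):
    """Horner evaluation; red reduces after each step (identity, or mod ell)."""
    acc = 0
    for c in reversed(coeffs):
        acc = red(acc * x + c)
    return acc

def split_primes(f, p, start=2):
    """Yield (ell, roots) for primes ell != p at which f has deg f distinct roots mod ell,
    i.e. ell*Z[eta] = p_1 ... p_g splits into g distinct prime ideals of residue degree 1."""
    ell = start
    while True:
        if ell != p and all(ell % d for d in range(2, int(ell ** 0.5) + 1)):
            roots = [r for r in range(ell) if poly_eval(f, r, lambda v: v % ell) == 0]
            if len(roots) == len(f) - 1:
                yield ell, roots
        ell += 1

def lagrange_basis(points, div, red):
    """Coefficients (low degree first) of the Lagrange basis L_j, L_j(points[k]) = [j == k]."""
    basis = []
    for j, rj in enumerate(points):
        poly = [1]
        for k, rk in enumerate(points):
            if k == j:
                continue
            scale = div(1, red(rj - rk))
            new = [0] * (len(poly) + 1)
            for i, c in enumerate(poly):  # poly *= (x - rk) / (rj - rk)
                new[i + 1] = red(new[i + 1] + c * scale)
                new[i] = red(new[i] - c * rk * scale)
            poly = new
        basis.append(poly)
    return basis

def kernel_oracle(ell, roots):
    """Stand-in for the paper's kernel computation (constructed): on Ker alpha_i, eta acts as
    the root r_i of f mod ell, so pi + pi^vee acts as t(r_i) mod ell; we evaluate the hidden t."""
    return [poly_eval(TRUE_A, r, lambda v: v % ell) for r in roots]

def interpolate_mod(ell, roots, scalars):
    """Recover (a_0, ..., a_{g-1}) mod ell from the g scalars by interpolation over F_ell."""
    basis = lagrange_basis(roots, lambda a, b: a * pow(b, -1, ell) % ell, lambda v: v % ell)
    return [sum(s * L[i] for s, L in zip(scalars, basis)) % ell for i in range(len(roots))]

def coefficient_bound(q, real_roots):
    """Weil: |sigma_j(t)| <= 2 sqrt(q) for each real embedding.  Since t(x) is the
    interpolant sum_j sigma_j(t) L_j(x), we get |a_i| <= 2 sqrt(q) * sum_j |[x^i] L_j|."""
    basis = lagrange_basis(real_roots, lambda a, b: a / b, lambda v: v)
    return [math.ceil(2 * math.sqrt(q) * sum(abs(L[i]) for L in basis))
            for i in range(len(real_roots))]

def crt_reconstruct(residues, moduli, bounds):
    """CRT on the vectors a mod ell, then symmetric representatives; valid once prod(ell) > 2*bound."""
    M, acc = 1, [0] * len(bounds)
    for res, ell in zip(residues, moduli):
        inv = pow(M, -1, ell)
        acc = [a + M * (((r - a) * inv) % ell) for a, r in zip(acc, res)]
        M *= ell
    assert M > 2 * max(bounds), "not enough primes for the CRT"
    return [a - M if a > M // 2 else a for a in acc]

def frobenius_charpoly(a, q, real_roots):
    """chi_pi(T) = prod_sigma (T^2 - sigma(t) T + q), the norm of T^2 - tT + q from Q(eta)[T]
    to Q[T], with t = sum_i a_i eta^i.  Returned low degree first; coefficients are integers."""
    chi = [1.0]
    for r in real_roots:
        factor = [q, -poly_eval(a, r), 1]
        out = [0.0] * (len(chi) + 2)
        for i, c in enumerate(chi):
            for j, d in enumerate(factor):
                out[i + j] += c * d
        chi = out
    return [round(c) for c in chi]

def count_points(q, p, f, real_roots, oracle):
    """Collect a mod ell over split primes until the CRT modulus beats the bound, then reconstruct."""
    bounds = coefficient_bound(q, real_roots)
    residues, moduli, M = [], [], 1
    for ell, roots in split_primes(f, p):
        residues.append(interpolate_mod(ell, roots, oracle(ell, roots)))
        moduli.append(ell)
        M *= ell
        if M > 2 * max(bounds):
            break
    a = crt_reconstruct(residues, moduli, bounds)
    return a, moduli, frobenius_charpoly(a, q, real_roots)

if __name__ == "__main__":
    a, primes, chi = count_points(Q, Q, MINPOLY, REAL_ROOTS, kernel_oracle)
    print("split primes:", primes, " recovered a_i:", a)
    print("chi_pi (low degree first):", chi, " #Jac(C)(F_q) = chi_pi(1) =", sum(chi))
```

Running the script uses the three smallest split primes 11, 19 and 29 (5 is skipped because $f$ has a double root mod 5, and 2, 3, 7 are inert), recovers $a = (17, -30)$ and prints $\chi_\pi(T) = T^4 - 4T^3 + 18893\,T^2 - 40028\,T + 10007^2$. In the paper, the oracle is where all the cost lives (the polynomial systems of Section 3), and Section 2 gives a sharper bound on the size and number of primes than the crude Weil-derived one used here; the rest of the loop is exactly the cheap bookkeeping shown.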

Computing the kernels of the endomorphisms $\alpha_i$ is the dominant step in terms of complexity and thus the cornerstone of our result. We still model these kernels by polynomial systems that we then have to solve, but the resultant-based techniques that were used in [14] and [2] are no longer satisfactory when $g$ is arbitrarily large. We therefore use the modelling strategy of [3] and apply it to the kernels instead of applying it to the whole $\ell$-torsion. The polynomial systems we derive from this approach are in fact very similar to those of [3], except that our kernels are comparable in size to the "$\ell^{1/g}$-torsion", resulting in much smaller degrees and ultimately in a complexity gain by a factor $g$ in the exponent of $\log q$, decreasing it from linear to constant. Using the geometric resolution algorithm just as in [3], we solve these systems in time $K(\log q)^{9+o(1)}$, where $K$ depends on $\eta$ (and thus on $g$ too) but not on $q$. It is interesting to note that this result suffers from the pessimistic cubic bounds on the degrees of Cantor's polynomials established in [3], and that, assuming quadratic bounds as proven in genus 1, 2 and 3, we get a complexity in $K(\log q)^{7+o(1)}$, which is close to the complexity bound proven in [2] for genus-3 hyperelliptic curves with explicit RM.

For hyperelliptic curves with RM, we have thus been able to eliminate the dependency on $g$ in the exponent of $\log q$, but this does not mean that our algorithm reaches polynomial-time complexity in both $g$ and $\log q$. Indeed, we also discuss the reasons why the "constant" $K$ depends exponentially on $g$. Among them, we shall see that some can actually be discarded by considering even more particular cases, while some appear to be inherent to our geometric-resolution-based approach. This remaining exponential dependency also explains why this algorithm is currently not a practical one in genus 4, although its complexity seems close to that of the algorithm presented in [2].

Organization. In Section 2, we give an overview of our point-counting algorithm, along with an example of families of hyperelliptic curves of arbitrarily high genus with RM by a real subfield of a cyclotomic field. In particular, we prove a bound on the size and number of primes to consider in our algorithm. Section 3 focuses on the main primitive of our algorithm: the computation of a non-zero element in the kernel of an endomorphism $\alpha$ whose degree is a small multiple of $\ell^2$. This section adapts methods and results of [3, Sec. 4 & 5] to design structured polynomial systems whose solution sets are subsets of $J[\alpha]$. Section 4 concludes on the complexity of solving these systems, and on the overall complexity result. We also present an analysis of the dependency of the final complexity on $g$, investigating the various places where exponential factors may occur and how to avoid them when possible.

Overview

The main result of this paper can be summarized by the following theorem, which makes the dependency on η explicit.

Theorem 2

For any $g$ and any $\eta \in \overline{\mathbb{Q}}$ such that $\mathbb{Q}(\eta)$ is a totally real number field of degree $g$, there exists an explicitly computable $c(\eta) > 0$ such that there is an integer $q_0(g,\eta)$ such that for all prime powers $q = p^n$ larger than $q_0(g,\eta)$ with $p > (\log q)^{c(\eta)}$ and for all genus-$g$ hyperelliptic curves $C$ with explicit RM by $\mathbb{Z}[\eta]$ defined over $\mathbb{F}_q$, the local zeta function of $C$ can be computed with a

Modelling kernels of endomorphisms

Let $\alpha$ be an explicit endomorphism of degree $O(\ell^2)$ on the Jacobian of $C$ which satisfies the properties of Lemma 5. We want to compute a polynomial system that describes the kernel $J[\alpha]$ of $\alpha$, and then solve it. The resultant-based approach of [2] cannot be used, as the degrees are squared each time we eliminate a variable, causing an exponential dependency on $g$ in the exponent of $\ell$. Instead, we use the modelling techniques from [3], where the endomorphism $\alpha$ replaces the multiplication by $\ell$. This

Complexity analysis

Now that we have modelled subsets of J[α] by polynomial systems whose sizes in terms of equations, variables and degrees have been carefully bounded, we apply the geometric resolution algorithm and bound its complexity.

Future work

Based on the facts that the genus-3 RM point-counting algorithm of [2] is practical and that we have extended it to arbitrary genus with a similar complexity (at least conjecturally), one could hope to use it for practical computations in genus larger than 3. In the current state, the exponential dependency on $g$ and the difficulties that were already encountered in genus 3 make this unrealistic, and we also lack an open and competitive implementation of the geometric resolution algorithm.

Proving the

Acknowledgments

Most of this work already appears as Chapter VII in the author's thesis manuscript [1]. As such, the author received helpful feedback from his advisors Pierrick Gaudry and Pierre-Jean Spaenlehauer, and from his thesis referees Christophe Ritzenthaler and Frederik Vercauteren. The author is also grateful to Benjamin Smith and David Kohel for pointing out references and for fruitful discussions. The author is indebted to the anonymous reviewers for numerous improvements to the clarity of the

References (32)

  • Cantor, David G. On the analogue of the division polynomials for hyperelliptic curves. J. Reine Angew. Math. (1994)
  • Cohen, Henri, et al. Handbook of Elliptic and Hyperelliptic Curve Cryptography (2005)
  • Costa, Edgar, et al. Zeta functions of nondegenerate hypersurfaces in toric varieties via controlled reduction in p-adic cohomology. Open Book Ser. (2019)
  • Cramer, Ronald, et al. Recovering short generators of principal ideals in cyclotomic rings
  • Deligne, Pierre. La conjecture de Weil : I. Publ. Math. IHÉS (1974)
  • Fujiwara, Matsusaburô. Über die obere Schranke des absoluten Betrages der Wurzeln einer algebraischen Gleichung [On the upper bound of the absolute value of the roots of an algebraic equation]. Tohoku Math. J. First Ser. (1916)
Communicated by Klaus Meer.