Counting points on hyperelliptic curves with explicit real multiplication in arbitrary genus☆
Introduction
Due to its numerous applications in cryptology, number theory, algebraic geometry or even as a primitive used in other algorithms, the problem of counting points on curves and Abelian varieties has been extensively studied over the past three decades. Among the milestones in the history of point-counting, one can mention the first polynomial-time algorithm by Schoof [29] for counting points on elliptic curves, and the subsequent extension to Abelian varieties by Pila [25]. Using similar approaches, we design a probabilistic algorithm for computing the local zeta functions of hyperelliptic curves of arbitrary fixed genus with explicit real multiplication and bound its complexity.
Given an Abelian variety of dimension over a finite field , Pila’s algorithm computes its local zeta function in time , where is doubly exponential in . Further contributions were made in [4], [19] so that this exponent is now proven to be polynomial in in general, and even linear in the hyperelliptic case [3].
In genus , a tailor-made extension of Schoof’s algorithm due to Gaudry, Harley and Schost [13], [15], [16] makes it possible to count points in time . Yet, this remains much larger than the complexity of the Schoof–Elkies–Atkin (SEA) algorithm [30], which is the standard for elliptic point-counting in large characteristic and runs in bit operations. For genus-2 curves with explicit real multiplication (RM), i.e. curves having an additional endomorphism for which an explicit expression is known, a much more efficient point-counting algorithm is introduced in [14] with a bit complexity in , thus narrowing the gap between genus 1 and 2.
These algorithms were extended to genus-3 hyperelliptic curves in [2] with an asymptotic complexity in bit operations that is decreased to bit operations when the curve has explicit RM.
The aim of this paper is to study the asymptotic complexity of point-counting on hyperelliptic curves with explicit RM when is arbitrarily large. In this case, we bound the exponent of by and therefore remove the dependency on from the exponent of .
Another way to avoid such a painful dependency in in the complexity without restricting to such particular cases is to use the -adic methods, in the spirit of Satoh’s and Kedlaya’s algorithms [20], [27] for elliptic and hyperelliptic curves. These methods have also been extended beyond the hyperelliptic case [9], [32] and one can also mention the algorithms of Lauder and Lauder–Wan that also hold for very general varieties [22], [23]. Although these methods are polynomial in , they are exponential in and therefore cannot be used in large characteristic.
Indeed, the -adic approaches derived from Schoof’s algorithm and the -adic approaches are complementary when either or is small but we still lack a classical algorithm running in time polynomial in both and . However, for counting points on reductions modulo many primes of the same curve, an algorithm introduced by Harvey in [18] is polynomial in and polynomial on average in .
In this paper, we follow the spirit of the Schoof–Pila algorithm and recover the local zeta function by computing the characteristic polynomial of the action of the Frobenius endomorphism on the -torsion subgroups for sufficiently many primes . The key to our complexity result is that, thanks to the real multiplication, it is sufficient to have act on much smaller subgroups of the -torsion, at least for a positive proportion of the primes . The following definition sums up the assumptions that we make on our particular (families of) curves.
Definition 1 (Explicit Real Multiplication). We say that a curve has explicit real multiplication by if the subring is isomorphic to an order in a totally real degree- number field, and if we have explicit formulas describing for some fixed base point and a generic point of .
Remark. Once a rational Weierstrass point is picked on , we represent elements (reduced divisors) of as formal sums and call the weight of the divisor. Alternatively, we represent elements of using the Mumford form where and are polynomials in with and . We refer to [8, Sec. 4.4 & 14.1] for more background on Jacobians of hyperelliptic curves. In cases where does not have an odd-degree Weierstrass model, we can work in an extension of degree at most of the base field in order to ensure the existence of a rational Weierstrass point.
By explicit formulas, we mean polynomials in which we denote by and such that, when is given in odd-degree Weierstrass form, the Mumford coordinates of are where is the generic point of the curve.
As in [2], [14], we consider primes such that splits as a product of prime ideals. Computing the kernels of an endomorphism in each provides us with an algebraic representation of the -torsion . Then, we compute from this representation integers in such that the sum of the Frobenius endomorphism and its dual equals . Once enough modular information is known, the values of the ’s such that are recovered via the Chinese Remainder Theorem and the coefficients of the characteristic polynomial of the Frobenius can be directly expressed in terms of the ’s.
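The final Chinese Remainder step described above, shown in the genus-1 special case where a single integer (the Frobenius trace t, bounded by Hasse's theorem) has to be recovered instead of several. This is an added example, not code from the paper: the function names and the toy curve are hypothetical, and a brute-force point count stands in for the torsion computation that produces the residues.

```python
from math import isqrt

def count_points(p, a, b):
    """Brute-force #E(F_p) for y^2 = x^3 + a*x + b, p an odd prime (stand-in only)."""
    roots = {}                                   # v -> number of y with y^2 = v
    for y in range(p):
        roots[y * y % p] = roots.get(y * y % p, 0) + 1
    return 1 + sum(roots.get((x**3 + a * x + b) % p, 0) for x in range(p))

def primes_for_bound(bound, p):
    """First primes l != p whose product exceeds 2*bound."""
    chosen, prod, n = [], 1, 2
    while prod <= 2 * bound:
        if n != p and all(n % d for d in range(2, isqrt(n) + 1)):
            chosen.append(n)
            prod *= n
        n += 1
    return chosen

def crt_centered(residues, moduli):
    """Combine x = r_i (mod l_i) and return the representative in (-M/2, M/2]."""
    x, m = 0, 1
    for r, l in zip(residues, moduli):
        k = (r - x) * pow(m, -1, l) % l          # lift x to satisfy the new congruence
        x, m = x + m * k, m * l
    return x - m if x > m // 2 else x

def recover_trace(p, a, b):
    bound = isqrt(4 * p)                         # Hasse: |t| <= 2*sqrt(p)
    moduli = primes_for_bound(bound, p)
    t_true = p + 1 - count_points(p, a, b)       # stand-in for the torsion step
    residues = [t_true % l for l in moduli]      # all the CRT step gets to see
    return crt_centered(residues, moduli), moduli

if __name__ == "__main__":
    p, a, b = 1009, 2, 3                         # constructed toy curve
    t, moduli = recover_trace(p, a, b)
    print(f"moduli={moduli} t={t} #E(F_p)={p + 1 - t}")
```

The centered lift matters because the trace can be negative: the product of the moduli must exceed twice the bound, not just the bound.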
Computing the kernels of the endomorphisms is the dominant step in terms of complexity and thus the cornerstone of our result. We still model these kernels by polynomial systems that we then have to solve, but the resultant-based techniques that were used in [14] and [2] are no longer satisfactory when is arbitrarily large. We therefore use the modelling strategy of [3] and apply it to the kernels instead of applying it to the whole -torsion. The polynomial systems we derive from this approach are in fact very similar to those of [3], except that our kernels are comparable in size to the “-torsion”, resulting in much smaller degrees and ultimately in a complexity gain by a factor in the exponent of , decreasing it from linear to constant. Using the geometric resolution algorithm just as in [3], we solve these systems in time where depends on (and thus on too) but not on . It is interesting to note that this result suffers from the pessimistic cubic bounds on the degrees of Cantor’s polynomials established in [3] and that – assuming quadratic bounds as proven in genus 1, 2 and 3 – we get a complexity in , which is close to the complexity bound proven in [2] for genus-3 hyperelliptic curves with explicit RM.
For hyperelliptic curves with RM, we have thus been able to eliminate the dependency in in the exponent of , but this does not mean that our algorithm reaches polynomial-time complexity in both and . Indeed, we also discuss the reasons why the “constant” depends exponentially on . Among them, we shall see that some can actually be discarded by considering even more particular cases while some appear to be inherent to our geometric-resolution based approach. This remaining exponential dependency also explains why this algorithm is currently not a practical one in genus , although its complexity seems close to that of the algorithm presented in [2].
Organization. In Section 2, we give an overview of our point-counting algorithm, along with an example of families of hyperelliptic curves of arbitrarily high genus with RM by a real subfield of a cyclotomic field. In particular, we prove a bound on the size and number of primes to consider in our algorithm. Section 3 focuses on the main primitive of our algorithm: the computation of a non-zero element in the kernel of an endomorphism whose degree is a small multiple of . This section adapts methods and results of [3, Sec. 4 & 5] to design structured polynomial systems whose solution sets are subsets of . Section 4 concludes on the complexity of solving these systems, and on the overall complexity result. We also present an analysis on the dependency of the final complexity in , investigating the various places where exponential factors may occur and how to avoid them when it is possible.
Overview
The main result of this paper can be summarized by the following theorem, which makes the dependency on explicit.
Theorem 2. For any and any such that is a totally-real number field of degree , there exists an explicitly computable such that there is an integer such that for all prime powers larger than with and for all genus- hyperelliptic curves with explicit RM by defined over , the local zeta function of can be computed with a
Modelling kernels of endomorphisms
Let be an explicit endomorphism of degree on the Jacobian of , which satisfies the properties of Lemma 5. We want to compute a polynomial system that describes the kernel of , and then solve it. The resultant-based approach of [2] cannot be used as the degrees are squared each time we eliminate a variable, causing an exponential dependency in in the exponent of . Instead, we use the modelling techniques from [3], where the endomorphism replaces the multiplication by . This
Complexity analysis
Now that we have modelled subsets of by polynomial systems whose sizes in terms of equations, variables and degrees have been carefully bounded, we apply the geometric resolution algorithm and bound its complexity.
Future work
Based on the facts that the genus-3 RM point-counting algorithm of [2] is practical and that we extended it to arbitrary genus with a similar complexity (at least conjecturally), one could hope to use it for practical computations in genus larger than 3. In the current state, the exponential dependency in and the difficulties that were already encountered in genus 3 make it unrealistic, and we also lack an open and competitive implementation of the geometric resolution algorithm.
Proving the
Acknowledgments
Most of this work already appears as Chapter VII in the author’s thesis manuscript [1]. As such, the author received helpful feedback from his advisors Pierrick Gaudry and Pierre-Jean Spaenlehauer; and from his thesis referees Christophe Ritzenthaler and Fréderik Vercauteren. The author is also grateful to Benjamin Smith and David Kohel for pointing out references and for fruitful discussions. The author is indebted to the anonymous reviewers for numerous improvements to the clarity of the
References (32)
- et al. Counting points on curves and abelian varieties over finite fields. J. Symbolic Comput. (2001)
- et al. Genus 2 point counting over prime fields. J. Symbolic Comput. (2012)
- et al. A Gröbner free alternative for polynomial system solving. J. Complexity (2001)
- et al. Counting points on curves over finite fields. J. Symbolic Comput. (1998)
- Counting points on curves using a map to , II. Finite Fields Appl. (2017)
- Counting points on hyperelliptic curves in large characteristic: algorithms and complexity (2018)
- et al. Counting points on genus-3 hyperelliptic curves with explicit real multiplication. Open Book Ser. (2019)
- et al. Improved complexity bounds for counting points on hyperelliptic curves. Found. Comput. Math. (2019)
- et al. Short generators without quantum computers: the case of multiquadratics
- et al. Fast computation of a rational point of a variety over a finite field. Math. Comp. (2006)
- On the analogue of the division polynomials for hyperelliptic curves. J. Reine Angew. Math.
- Handbook of Elliptic and Hyperelliptic Curve Cryptography
- Zeta functions of nondegenerate hypersurfaces in toric varieties via controlled reduction in p-adic cohomology. Open Book Ser.
- Recovering short generators of principal ideals in cyclotomic rings
- La conjecture de Weil : I. Publ. Math. l’IHÉS
- Über die obere Schranke des absoluten Betrages der Wurzeln einer algebraischen Gleichung. Tohoku Math. J. First Ser.
☆ Communicated by Klaus Meer.