Short Programs for functions on Curves



Similar documents
Breaking The Code. Ryan Lowe. Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and

7. Some irreducible polynomials

Quotient Rings and Field Extensions

CHAPTER SIX IRREDUCIBILITY AND FACTORIZATION 1. BASIC DIVISIBILITY THEORY

Introduction to Finite Fields (cont.)

minimal polyonomial Example

Integer Factorization using the Quadratic Sieve

Continued Fractions and the Euclidean Algorithm

FACTORING POLYNOMIALS IN THE RING OF FORMAL POWER SERIES OVER Z

Mathematics Course 111: Algebra I Part IV: Vector Spaces

Copy in your notebook: Add an example of each term with the symbols used in algebra 2 if there are any.

An Overview of Integer Factoring Algorithms. The Problem

International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013

JUST THE MATHS UNIT NUMBER 1.8. ALGEBRA 8 (Polynomials) A.J.Hobson

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, Notes on Algebra

Chapter 4, Arithmetic in F [x] Polynomial arithmetic and the division algorithm.

OSTROWSKI FOR NUMBER FIELDS

PYTHAGOREAN TRIPLES KEITH CONRAD

Mathematics Review for MS Finance Students

Math Review. for the Quantitative Reasoning Measure of the GRE revised General Test

CONTINUED FRACTIONS AND PELL S EQUATION. Contents 1. Continued Fractions 1 2. Solution to Pell s Equation 9 References 12

On the representability of the bi-uniform matroid

ABSTRACT ALGEBRA: A STUDY GUIDE FOR BEGINNERS

Math Abstract Algebra I Questions for Section 23: Factoring Polynomials over a Field

Algebra Unpacked Content For the new Common Core standards that will be effective in all North Carolina schools in the school year.

Math 4310 Handout - Quotient Vector Spaces

MATH 423 Linear Algebra II Lecture 38: Generalized eigenvectors. Jordan canonical form (continued).

ECE 842 Report Implementation of Elliptic Curve Cryptography

a 1 x + a 0 =0. (3) ax 2 + bx + c =0. (4)

On the generation of elliptic curves with 16 rational torsion points by Pythagorean triples

Unique Factorization

Integer roots of quadratic and cubic polynomials with integer coefficients

HOMEWORK 5 SOLUTIONS. n!f n (1) lim. ln x n! + xn x. 1 = G n 1 (x). (2) k + 1 n. (n 1)!

Factoring Polynomials

IRREDUCIBLE OPERATOR SEMIGROUPS SUCH THAT AB AND BA ARE PROPORTIONAL. 1. Introduction

Factoring & Primality

MATH10040 Chapter 2: Prime and relatively prime numbers

Factorization Methods: Very Quick Overview

MOP 2007 Black Group Integer Polynomials Yufei Zhao. Integer Polynomials. June 29, 2007 Yufei Zhao

Basics of Polynomial Theory

Introduction to Algebraic Geometry. Bézout s Theorem and Inflection Points

Module MA3411: Abstract Algebra Galois Theory Appendix Michaelmas Term 2013

MATH 289 PROBLEM SET 4: NUMBER THEORY

Computing divisors and common multiples of quasi-linear ordinary differential equations

How To Prove The Dirichlet Unit Theorem

THE NUMBER OF REPRESENTATIONS OF n OF THE FORM n = x 2 2 y, x > 0, y 0

Lecture 13 - Basic Number Theory.

1 VECTOR SPACES AND SUBSPACES

Algebra 2 Chapter 1 Vocabulary. identity - A statement that equates two equivalent expressions.

A One Round Protocol for Tripartite

Algebra I Vocabulary Cards

PROBLEM SET 6: POLYNOMIALS

Some facts about polynomials modulo m (Full proof of the Fingerprinting Theorem)

Basic Algorithms In Computer Algebra

Elliptic Curve Cryptography

Factorization Algorithms for Polynomials over Finite Fields

a 11 x 1 + a 12 x a 1n x n = b 1 a 21 x 1 + a 22 x a 2n x n = b 2.

Zeros of Polynomial Functions

Monogenic Fields and Power Bases Michael Decker 12/07/07

Copyrighted Material. Chapter 1 DEGREE OF A CURVE

On the largest prime factor of x 2 1

FOUNDATIONS OF ALGEBRAIC GEOMETRY CLASS 22

Factoring Algorithms

PUTNAM TRAINING POLYNOMIALS. Exercises 1. Find a polynomial with integral coefficients whose zeros include

I. GROUPS: BASIC DEFINITIONS AND EXAMPLES

9 More on differentiation

SECRET sharing schemes were introduced by Blakley [5]

Notes 11: List Decoding Folded Reed-Solomon Codes

NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES

9. POLYNOMIALS. Example 1: The expression a(x) = x 3 4x 2 + 7x 11 is a polynomial in x. The coefficients of a(x) are the numbers 1, 4, 7, 11.

Prime Numbers and Irreducible Polynomials

Factoring of Prime Ideals in Extensions

Lecture 14: Section 3.3

A New Generic Digital Signature Algorithm

The Factor Theorem and a corollary of the Fundamental Theorem of Algebra

ON GALOIS REALIZATIONS OF THE 2-COVERABLE SYMMETRIC AND ALTERNATING GROUPS

4. Expanding dynamical systems

Similarity and Diagonalization. Similar Matrices

3. INNER PRODUCT SPACES

ELLIPTIC CURVES AND LENSTRA S FACTORIZATION ALGORITHM

G(s) = Y (s)/u(s) In this representation, the output is always the Transfer function times the input. Y (s) = G(s)U(s).

GREATEST COMMON DIVISOR

Modern Algebra Lecture Notes: Rings and fields set 4 (Revision 2)

The van Hoeij Algorithm for Factoring Polynomials

Math 319 Problem Set #3 Solution 21 February 2002

The degree of a polynomial function is equal to the highest exponent found on the independent variables.

Real Roots of Univariate Polynomials with Real Coefficients

CORRELATED TO THE SOUTH CAROLINA COLLEGE AND CAREER-READY FOUNDATIONS IN ALGEBRA

11 Multivariate Polynomials

3 1. Note that all cubes solve it; therefore, there are no more

by the matrix A results in a vector which is a reflection of the given

Factorization in Polynomial Rings

How To Know If A Domain Is Unique In An Octempo (Euclidean) Or Not (Ecl)

Systems of Linear Equations

MATH 22. THE FUNDAMENTAL THEOREM of ARITHMETIC. Lecture R: 10/30/2003

Transcription:

Short Programs for functions on Curves Victor S. Miller Exploratory Computer Science IBM, Thomas J. Watson Research Center Yorktown Heights, NY 10598 May 6, 1986 Abstract The problem of deducing a function on an algebraic curve having a given divisor is important in the field of indefinite integration. Indeed, it is the main computational step in determining whether an algebraic function posseses an indefinite integral. It has also become important recently in the study of discrete elliptic logarithms in cryptography, and in the construction of the new class of error-correcting codes which exceed the Varshamov-Gilbert bound. It can also be used to give a partial answer to a question raised by Schoof in his paper on computing the exact number of points on an elliptic curve over a finite field. Heretofore, the best known algorithm for calculating such functions was exponential in the size of the input. In this paper I give an algorithm which is linear in the size of the input (if arithmetic in the field under consideration takes constant time). For this algorithm it is necessary to represent the function as a straight-line program, for representation as a rational function may be exponential in the size of the input. 1 Introduction I recall some standard terminology from the theory of algebraic curves. There are many good references for this theory, for example [Ful69]. It contains all results quoted here. For simplicity in presentation I only work with plane curves, even though all of the results work for more general curves. Definition 1 Projective n-space over a field K: denoted by P n (K) is the set of equivalence classes {(a 0,..., a n ) 0 a i ɛk} where two vectors are equivalent if they are non-zero scalar multiples of one another. The equivalence class contataining (a 0,, a n ) is denoted by (a 0 : : a n ). The projective line is P 1, and the projective plane is P 2. 1

Definition 2 A plane (projective) algebraic curve is the set of solutions to a homogeneous polynomial f(x, Y, Z) considered as points in boldp 1. The curve is non-singular if the three partial derivatives of f never vanish simultaneously. Definition 3 The function field of the curve, C, is the set of functions from the curve to the projective line, which are given by rational functions of the coordinates and is denoted by k(c). Definition 4 A (geometric) point, P on C is a solution to the set of defining equations. Definition 5 At each point, P, of the curve one can define the :hp2order, v P (f), of the function f at P : it is n > 0 if the function has a zero of order n at P, and is n < 0 if the function has a pole of order n at P ( 1/f has a zero of order n). Definition 6 A divisor on a curve, C as being a formal sum of points on the curve with integral coefficients: P a P (P ), where only finitely many of the a P are 0. Divisors will normally be denoted by script letters such as A or B. Definition 7 The degree of a divisor is the sum of its coefficients: deg A = P a P. A function f has only a finite number of zeroes and poles. Therefore we may define Definition 8 The divisor of a function f 0, denoted by (f) is P v P (f)(p ). It is also true that deg(f) = 0. The set of divisors of degree 0 is denoted by D 0. A divisor of a function is also called principal. Definition 9 Linear equivalence. If A and B are divisors we write A B if there is a function f such that A = B + (f). Principal divisors are also called linearly equivalent to 0. The set of all such is denoted by D l. The group D 0 /D l is known as the Picard group of C and is denoted by Pic(C). Definition 10 Genus. The genus g of a curve C is an integer 0, which is a measure of the curve s complexity. It, for example, is the number of donut-holes in the Riemann-surface of the curve if we are working over the complex numbers. See [Ful69] for an exact definition. For our purposes, we only need to know that g (n 1)(n 2)/2 where n is the degree of the polynomial defining the curve. A curve whose genus is 1 is usually called an elliptic curve. Definition 11 Linear system. The linear system of a divisor A is L(A) = {0} {fɛk(c) (f) + A 0}. It is easily seen that L(A) is a vector space (in fact finite-dimensional). We denote l(a) = dim L(A). Definition 12 Support. The support supp A of a divisor A is the set {P A P 0}. 2

2 The main algorithm One of the fundamental problems in the theory of curves is to determine when a divisor of degree 0 is principal, and to construct a function whose divisor is the given divisor. In [Dav79]. Davenport gives an algorithm for this problem which does not always work for curves of genus > 1, and which is claimed to run in O(lg A where A is the largest multiplicity of a zero or a pole at any point. This claim seems to be unjustified. The construction below gives a straight-line program instead of a ratio of two polynomials. This is in keeping with the spirit of [Kal85]. Algorithm 1 Input: 1. An algebraic curve C of genus g 2. a fixed point Q on C 3. a divisor A = P a P (P ) of degree 0 Output: 1. A straight-line program for a function f on the curve 2. A divisor of the form C g(q) where deg C = g and C 0. The divisor C g(q) will = 0 if and only if A 0. We will further have A = (f) + C g(q). The length of this program is O(L) where L = P lg( a P + 1) and the running time of the algorithm is O(L) arithmetic operations in the field of definition. The program gives the value undefined on a set of points of size 2gL. We use the following fundamental theorem: Theorem 1 The Riemann Theorem: Given a non-singular curve C, and a divisor A, then l(a) deg A + 1 g with equality holding if deg A > 2g 2. Using the above we have Lemma 1 Any divisor A of degree 0 is equivalent to a divisor of the form C g(q), where deg C = g and C 0. Proof: Using the Riemann Theorem we find that l(a + g(q)) 1. Thus there is a function f 0, fɛl(a + g(q)). Now set C = (f) + A + g(q). It is readily seen that C has the desired properties. We use 1 to make calculations in the Picard Group, by representing each equivalence class by a divisor of the form C g(q). The fundamental point is that 3

to calculate a representative for the sum of two such divisors takes O(g 3 ) field operations (basically the solution of a system of linear equations). We then write the divisor A = P a P (P ) as P a P ((P ) (Q)). We then can calculate a straight-line program of length 2 lg( a P + 1) and a divisor C g(q) as above by means of the binary method of addition (or any other addition chain). The program will be undefined at most at all points of the supports of the divisors occuring in the intermediate steps. We then finish off by adding up all of the individual pieces, while multiplying the functions (this concatenates the straight-line programs with a multiplication in between). In actual calculation one must proceed more explicitly: First calculate a basis for the space L(3g(Q)) in the form f 1,..., f d where ord Q (f 1 ) > ord Q (f 2 ) > > ord Q (f d ). When adding the two divisors A g(q) and B g(q) we first find fɛl(3g(q) A B). Define C = (f) + 3g(Q) A B then it is effective of degree g. Now find hɛl(2g(q) C), and set D = (h) + 2g(Q) C. This divisor is also effective of degree g and A g(q)+b g(q) = D g(q)+(f/h). We further exploit the fact that there is a one-to-one correspondence between effective divisors and integral ideals of the ring of functions whose only poles are at Q. We represent each ideal by means of it Grobner Basis. In this way we avoid the necessity for root finding and factorization. In the case of genus 1 we do not even need to do this. All zeroes and poles of intermediate divisors must be rational. If the curve is given in Weierstrass form y 2 = x 3 + ax + b then 1, x, y form a basis of L(3g(0)). Finding the function f above amounts to finding the coefficients of the line y = cx + d passing through the points A and B. 3 Applications In this section I discuss some applications of the above construction. The first is the calculation of the Weil e N pairing. Andre Weil [Wei46] introduced a pairing on points of finite order on elliptic curves in his first proof of the Riemann Hypothesis for curves over finite fields. Following are its definition and properties: Definition 13 Given an elliptic curve C and a non-negative integer N there is a unique function e N defined on points of exponent N (P is of exponent N if NP = 0, it is of order N if N is an exponent and no smaller integer is). It has the following properties: 1. e N (P, Q) is an N-th root of unity. 2. Skew-symmetry: e N (P, Q) = e N (Q, P )sup 1 3. Linearity: e N (P + R, Q) = e N (P, Q)e N (R, Q) 4. Non-degeneracy: Given a point P of order N there is a point Q of order N such that e N (P, Q) 1. 4

This pairing may be defined as follows (see [Lan73, pages 243 245]): If A is a divisor of order N in the divisor class group D 0 /D l, then there is a function f A such that (f A ) = NA. This function is defined up to multiplication by a constant. If f is any function, and A = P a P (P ) is a divisor of degree 0, then we define f(a) = P f(p )ap. Note that this depends only on (f). If P and Q are points of exponent N, define f P and f Q as above. Then e N (P, Q) = f A (B)/f B (A) where A (P ) (0) and B (Q) (0) and whose support is disjoint. This is independent of the choice of A and B. This yields: Algorithm 2 Calculation of e N pairing Input: 1. An Elliptic Curve E 2. A natural number N 3. Two points P, Q on C of exponent N Output: 1. The value e N (P, Q) Method: First fix an addition chain 1 = a 1,..., a t = N. Now choose T, U points on C at random until T and T + P are distinct from a i U and a i (U + Q) and U and U + Q are distinct from a i T and a i (T + P ) for all i. This choice guarantees that the straight-line programs constructed below are defined at input values used. Set A = (T + P ) (T ) and B = (U + Q) (Q). Use 1 to construct straight-line programs for the functions f A and f B. Now the number of pairs (T, U) which do not satisfy the two conditions above is 8tN p where N p is the total number of points on the curve in GF (p). Because there always is an addition chain with t 2 lg N we see that when N 256 that the probability of success is gt1/2. We then set e N (P, Q) = f A(U + Q)f B (T ) f B (T + P )f A (U) If one is willing to work a little harder, a deterministic algorithm for the Weil pairing with the same running time as above may be obtained. The main idea is to modify the straight line program to give the value of the function at all points. The program will no longer be straight-line, but will be allowed to have case statements. One handles zeroes and poles by representing the value there by a pair (α, n) with the property that α 0 and that the Laurent series of the function at the point P starts with αu n where u is a uniformizer at P. Such functions may be multiplied without any problems: one multiplies their α s and adds their n s. If one uses this representation it is possible to dispense with the usual restriction that the divisors A and B above have disjoint supports. 5

One application of the e N pairing is to give a partial answer to a question raised by Schoof [Sch85]. In that paper, Schoof gives a determinstic algorithm, polynomial in lg p for calculating the exact order of the group of points on an elliptic curve mod p. He points out that he does not determine the structure of the underlying group. It is known that this group is always either cyclic, or the product of two cyclic groups of orders d and e where d e. I give a random algorithm which runs in expected time polynomial in lg p if the factorization of gcd(p 1, N) is known, where N is the order computed by Schoof s algorithm. Algorithm 3 1. Calculate N p = N 0 N 1 where gcd(n 0, N 1 ) = 1, and the set of prime divisors of N 0 is the same as the set of prime divisors of gcd(p 1, N p ). 2. Using the Euclidean Algorithm find α and β such that αn 0 + βn 1 = 1. 3. Pick two points P, Q on the curve C, and set P = βn 1 P, Q = βn 1 Q. 4. Find the exact order of P and Q (this is where we need the factorization). Say they are m and n. 5. Set r = lcm(m, n). 6. Set a = e r (P, Q) 7. Find the exact order of a. Say it s s. 8. If rs = N then stop, the orders of the two groups are r and s. 9. If not go to step 3. The analysis of the algorithm depends on the non-degeneracy of e N, and its skew-symmetry. The probability of failure in the last step is O(lg lg 1 p). References [Dav79] James H. Davenport. On the Integration of Algebraic Functions, volume 102 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, 1979. [Ful69] William Fulton. Algebraic Curves. W. A. Benjamin, Inc., New York, 1969. [Kal85] Erich Kaltofen. Computing with polynomials given by straight-line programs i; greatest common divisors. In Proc. 17th ACM Symp. Theory Comp., pages 131 142. ACM Press, 1985. [Lan73] Serge Lang. Elliptic Functions. Addison-Wesley, Reading, 1973. 6

[Sch85] R. Schoof. Elliptic curves over finite fields and the computation of square roots mod p. Math. Comp., pages 483 494, 1985. [Wei46] Andre Weil. Sur les fonctions algebriques a corps de constantes fini. C. R. Academie des Sciences, 1946. 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information