Computing isogenies between jacobians of hyperelliptic curves of arbitrary genus via differential equations
arXiv preprint [math.AG]
ELIE EID
Abstract.
Let $p$ be an odd prime number and $\ell$ an integer coprime to $p$. We survey an algorithm for computing explicit rational representations of $(\ell,\dots,\ell)$-isogenies between Jacobians of hyperelliptic curves of arbitrary genus over an extension $K$ of the field of $p$-adic numbers $\mathbb{Q}_p$. The algorithm has a quasi-linear complexity in $\ell$ as well as in the genus of the curves.

1. Introduction
Over the last few years there has been a growing interest in computational aspects of abelian varieties, especially Jacobians of algebraic curves. When such a variety is given, a first task is to compute the number of points on it in some finite field [Sch95, BGG+17] […] $p$-adics [LS08, LV16, CEL20, Eid20]. In this work, we focus on $p$-adic algorithms that compute the explicit form of a rational representation of an isogeny between Jacobians of hyperelliptic curves for fields of odd characteristic.

Let $k$ be a field of characteristic different from $2$, and let $\ell >$ and $g >$ be two integers. Let $C$ (resp. $\tilde C$) be a genus $g$ hyperelliptic curve over $k$ and let $J$ (resp. $\tilde J$) be its Jacobian. We assume that there exists a separable $(\ell,\dots,\ell)$-isogeny $I : J \to \tilde J$ defined over $k$, and we are interested in computing one of its rational representations. Let us recall briefly the definition of a rational representation and how we compute it (see [Eid20] for more details). Let $P$ be a Weierstrass point on $C$ and $j_P : C \to J$ the Jacobi map with origin $P$. The morphism $I \circ j_P$ induces a morphism $I_P : C \to \tilde C^{(g)}$, where $\tilde C^{(g)}$ is the $g$-th symmetric power of $\tilde C$. When a coordinate system for $C$ and $\tilde C$ is fixed, the morphism $I_P$ is given by its Mumford representation, which consists of a pair of polynomials $(U(z), V(z))$ with the following property: if $I_P(Q) = \{R_1, \dots, R_g\}$ (for some $Q \in C$), then $U(x(R_i)) = 0$ and $V(x(R_i)) = y(R_i)$ for all $i = 1, \dots, g$. Here $x(R_i)$ and $y(R_i)$ denote the coordinates of the point $R_i$. The $2g$ coefficients of the two polynomials $U$ and $V$ can be represented as rational fractions over $k$ in one variable, and they form what we call a rational representation of $I$.

We assume that $C$ (resp. $\tilde C$) is given by the affine model $C : y^2 = f(x)$ (resp. $\tilde C : v^2 = \tilde f(u)$). Let $Q$ be a non-Weierstrass point on $C$ such that $I_P(Q) = \{(x_1^{(0)}, y_1^{(0)}), \dots, (x_g^{(0)}, y_g^{(0)})\}$ contains $g$ distinct points and contains neither a point at infinity nor a Weierstrass point. Let $t$ be a formal parameter of $C$ at $Q$ and let $\{(x_1(t), y_1(t)), \dots, (x_g(t), y_g(t))\}$ be the image of $Q(t)$ by $I_P$. The action of $I_P$ on the spaces of holomorphic differentials of $C$ and $\tilde C^{(g)}$ gives the following differential system, whose unknown is $X(t) = (x_1(t), \dots, x_g(t)) \in \bar k[[t]]^g$:
\[
\begin{cases}
H(X(t)) \cdot X'(t) = G(t) \\
y_i(t)^2 = \tilde f(x_i(t)), \quad i = 1, \dots, g \\
X(0) = (x_1^{(0)}, \dots, x_g^{(0)}), \quad Y(0) = (y_1^{(0)}, \dots, y_g^{(0)})
\end{cases}
\tag{1}
\]
where $G(t) = (G_1(t), \dots, G_g(t)) \in k[[t]]^g$ and $H(X(t))$ is the matrix defined by
\[
H(x_1(t), \dots, x_g(t)) =
\begin{pmatrix}
1/y_1(t) & 1/y_2(t) & \cdots & 1/y_g(t) \\
x_1(t)/y_1(t) & x_2(t)/y_2(t) & \cdots & x_g(t)/y_g(t) \\
\vdots & \vdots & & \vdots \\
x_1(t)^{g-1}/y_1(t) & x_2(t)^{g-1}/y_2(t) & \cdots & x_g(t)^{g-1}/y_g(t)
\end{pmatrix}
\tag{2}
\]
Since the coefficients of $U(z)$ are rational fractions of degree at most $O(g\ell)$ [Eid20, Proposition 9], solving Equation (1) modulo $t^{O(g\ell)}$ allows us to reconstruct all the components of the rational representation (note that the polynomial $V(z)$ can be recovered using the polynomial $U(z)$ and the equation of $\tilde C$).

Let $p$ be an odd prime number. We assume that $k$ is a finite field of characteristic $p$. Let $K$ be an unramified extension of $\mathbb{Q}_p$ such that the residue field of $K$ is $k$. In [Eid20], we designed an algorithm that computes, after lifting Equation (1) over $K$, an approximation of its solution. This algorithm is based on the following Newton iteration:
\[
X_{2m}(t) = X_m(t) + H(X_m(t))^{-1} \int \big( G - H(X_m(t)) \cdot X_m'(t) \big)\, dt
\tag{3}
\]
which gives more and more accurate (for the $t$-adic distance) solutions of Equation (1). The complexity of this algorithm is quasi-linear with respect to $\ell$ but, unfortunately, it is at least quadratic in $g$ (even though the matrix $H(x_1(t), \dots, x_g(t))$ is a structured matrix).
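To make the iteration (3) concrete, here is an added worked example (not code from the paper) of the genus-1 case, where $H(X(t))$ is the $1 \times 1$ matrix $1/y(t)$ and $H(X_m)^{-1}$ is simply the series $y_m(t) = \sqrt{f(x_m(t))}$. It runs the scheme over $\mathbb{Q}$ with exact rational arithmetic on a constructed curve $y^2 = x^3 + 1$, a constructed right-hand side $G(t) = 1 + t$ and the starting point $(2, 3)$; the function names, the curve and $G$ are assumptions made for the illustration. It models only the $t$-adic doubling of precision from $X_m$ to $X_{2m}$, not the $p$-adic precision bookkeeping of the paper.

```python
from fractions import Fraction as Fr

# Power series in t are lists of Fractions (index = exponent), truncated to `prec` terms.
# Everything below is constructed for the illustration: the curve y^2 = x^3 + 1,
# the right-hand side G(t) = 1 + t and the non-Weierstrass starting point (2, 3).
F_CONSTRUCTED = [Fr(1), Fr(0), Fr(0), Fr(1)]   # f(x) = 1 + x^3, low degree first
G_CONSTRUCTED = [Fr(1), Fr(1)]                 # G(t) = 1 + t
X0, Y0 = Fr(2), Fr(3)                          # x(0), y(0) with y(0)^2 = f(x(0))

def trunc(a, prec):
    """Truncate (or zero-pad) a coefficient list to exactly `prec` terms."""
    head = [Fr(c) for c in a[:prec]]
    return head + [Fr(0)] * (prec - len(head))

def add(a, b, prec):
    return [x + y for x, y in zip(trunc(a, prec), trunc(b, prec))]

def neg(a):
    return [-c for c in a]

def mul(a, b, prec):
    out = [Fr(0)] * prec
    for i, x in enumerate(a[:prec]):
        for j, y in enumerate(b[:prec - i]):
            out[i + j] += x * y
    return out

def inverse(a, prec):
    """1/a(t) mod t^prec by the coefficient recurrence (needs a[0] != 0)."""
    b = [Fr(0)] * prec
    b[0] = 1 / Fr(a[0])
    for n in range(1, prec):
        b[n] = -b[0] * sum(a[k] * b[n - k] for k in range(1, min(n, len(a) - 1) + 1))
    return b

def sqrt_series(c, y0, prec):
    """y(t) with y(t)^2 = c(t) mod t^prec and y(0) = y0 (requires y0^2 == c[0])."""
    c = trunc(c, prec)
    y = [Fr(0)] * prec
    y[0] = Fr(y0)
    for n in range(1, prec):
        y[n] = (c[n] - sum(y[k] * y[n - k] for k in range(1, n))) / (2 * y[0])
    return y

def deriv(a):
    return [k * a[k] for k in range(1, len(a))]

def integ(a, prec):
    """Formal integral with zero constant term."""
    return trunc([Fr(0)] + [a[k] / (k + 1) for k in range(len(a))], prec)

def poly_at_series(f, x, prec):
    """f(x(t)) mod t^prec by Horner's rule on the polynomial f."""
    out = [Fr(0)] * prec
    for coef in reversed(f):
        out = mul(out, x, prec)
        out[0] += coef
    return out

def newton_step(x_m, m, f, y0, G):
    """One iteration of scheme (3) for g = 1: x_m known mod t^m gives x_{2m} mod t^{2m}.
    Here H(X_m) = 1/y_m, so H(X_m)^{-1} is the series y_m = sqrt(f(x_m))."""
    prec = 2 * m
    x_m = trunc(x_m, prec)
    y_m = sqrt_series(poly_at_series(f, x_m, prec), y0, prec)
    defect = add(G, neg(mul(deriv(x_m), inverse(y_m, prec), prec)), prec)   # G - x_m'/y_m
    return add(x_m, mul(y_m, integ(defect, prec), prec), prec)

def solve(f, x0, y0, G, n):
    """Start from X_1 = x(0) and double the t-adic precision until x is known mod t^n."""
    x, m = [Fr(x0)], 1
    while m < n:
        x = newton_step(x, m, f, y0, G)
        m *= 2
    return x

def residual(f, y0, G, x):
    """x'(t) - y(t) G(t) mod t^(n-1) with y = sqrt(f(x)); all zero iff x solves (1) mod t^n."""
    n = len(x)
    y = sqrt_series(poly_at_series(f, x, n), y0, n)
    return add(deriv(x), neg(mul(y, G, n)), n - 1)

if __name__ == "__main__":
    x = solve(F_CONSTRUCTED, X0, Y0, G_CONSTRUCTED, 16)
    print("x(t) =", x[:4], "...")      # 2 + 3t + 9/2 t^2 + 6 t^3 + ...
    print("residual is zero:", all(c == 0 for c in residual(F_CONSTRUCTED, Y0, G_CONSTRUCTED, x)))
```

Four iterations take $X_1 = 2$ to an approximation modulo $t^{16}$; the residual check is the practical test that the doubling really happened, since each step only costs a few series products at the new precision. The first coefficients can be checked by hand from $x'' = y'G + yG'$ with $y' = 3x^2x'/(2y)$: at $t = 0$ this gives $x''(0) = 9$, hence the coefficient $9/2$ of $t^2$.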
The main reason for this lack of efficiency is that the components of the solution $X(t)$ of Equation (1) are power series over an unramified extension of degree $g$ of $K$, whereas the rational fractions of the rational representation are defined over the ring of integers $\mathcal{O}_K$ of $K$. This is where we lose an extra factor $g$.

In this article, we revisit the algorithm of [Eid20] and manage to lower its complexity in $g$ and make it quasi-linear as well. For this, we work directly on the first Mumford coordinate $U(z) = \prod_{i=1}^{g} (z - x_i(t))$, which has the decisive advantage of being defined over the base field: we rewrite the Newton scheme (3) accordingly and design fast algorithms for iterating it in quasi-linear time. Our main theorem is the following.

Theorem 1.
Let $K$ be an unramified extension of $\mathbb{Q}_p$ and $k$ its residue field. There exists an algorithm that takes as input:
• three positive integers $g$, $n$ and $N$,
• a polynomial $f \in \mathcal{O}_K[z]$ of degree $2g+1$,
• a vector $X = (x_1^{(0)}, \dots, x_g^{(0)})$ represented by the polynomial $U(z) = \prod_{i=1}^{g} (z - x_i^{(0)}) \in \mathcal{O}_K[z]$ such that, over $k$, $U(z)$ is separable,
• a vector $Y = (y_1^{(0)}, \dots, y_g^{(0)})$ represented by the interpolating polynomial $V(z) \in \mathcal{O}_K[z]$ of the data $\{(x_1^{(0)}, y_1^{(0)}), \dots, (x_g^{(0)}, y_g^{(0)})\}$,
• a vector $G(t) \in \mathcal{O}_K[[t]]^g$,
and, assuming that the solution of Equation (1) has coefficients in $\mathcal{O}_L$ with $L$ an unramified extension of $K$, outputs a polynomial $U(t, z) = \prod_{i=1}^{g} (z - x_i(t)) \in \mathcal{O}_K[[t]][z]$ such that $X(t) = (x_1(t), \dots, x_g(t))$ is an approximation of this solution modulo $(p^N, t^{n+1})$, for a cost of $\tilde O(ng)$ operations in $\mathcal{O}_K$ at precision $O(p^M)$ with $M = N + \lfloor \log_p(n) \rfloor$.

Important examples of isogenies are, of course, the multiplication-by-$\ell$ maps. Classical algorithms for computing them are usually based on Cantor's algorithm for adding points on Jacobians (see for example [Can94, Abe18]). Although they exhibit acceptable running times in practice, their theoretical complexity has not been well studied yet, and experiments show that they become much slower when the genus gets higher. Actually, in many cases, we have observed that the algorithms of [Eid20] perform better in practice even if their theoretical complexity in $g$ is not optimal. Consequently, even though the algorithms designed in the present paper use the Kedlaya–Umans algorithm [KU11] as a subroutine and could therefore be difficult to implement in an optimized way, they appear as attractive alternatives for the computation of $\ell$-division polynomials on Jacobians of hyperelliptic curves.

2. The main result
In this section, we sketch the proof of the main theorem by showing that the Newton iteration given in Equation (3) can be executed with quasi-linear time complexity to give the desired polynomial in Theorem 1. The precision analysis has already been studied in [Eid20].

Throughout this section, the letter $p$ refers to a fixed odd prime number and the letter $K$ refers to a fixed unramified extension of $\mathbb{Q}_p$ of degree $d$, with $k$ its residue field. Let $\mathcal{O}_K$ be the ring of integers of $K$. We use the fixed point arithmetic model at precision $O(p^M)$ to do computations in $\mathcal{O}_K$, by representing an element of $\mathcal{O}_K$ by an expression of the form $x + O(p^M)$ with $x \in \mathcal{O}_K / p^M \mathcal{O}_K$. For instance, if $d = 1$, the quotient $\mathcal{O}_K / p^M \mathcal{O}_K$ is just $\mathbb{Z} / p^M \mathbb{Z}$. Additions, multiplications and divisions in this model all reduce to the similar operations in the exact quotient ring $\mathcal{O}_K / p^M \mathcal{O}_K$. Let $\mathsf{M}(m)$ be the number of arithmetical operations required to compute the product of two polynomials of degree $m$ in an exact ring. Standard algorithms allow us to take $\mathsf{M}(m) \in \tilde O(m)$.

Let $g >$ be an integer and let $G(t) \in \mathcal{O}_K[[t]]^g$. Let also $f$ be a polynomial of degree $2g+1$ and let $U(z) \in \mathcal{O}_K[z]$ be a polynomial of degree $g$ which is separable over $k$. For the sake of simplicity, we assume that $U$ is irreducible, so that its splitting field $L$ is an unramified extension of degree $g$ of $K$. Let $x_1^{(0)}, \dots, x_g^{(0)}$ be the roots of $U(z)$ in $L$ and $X = (x_1^{(0)}, \dots, x_g^{(0)})$. For $i = 1, \dots, g$, we assume that $f(x_i^{(0)})$ has a square root $y_i^{(0)}$ in $\mathcal{O}_L$. Take $Y = (y_1^{(0)}, \dots, y_g^{(0)})$ and let $V(z) \in \mathcal{O}_K[z]$ be the interpolating polynomial of the data $\{(x_1^{(0)}, y_1^{(0)}), \dots, (x_g^{(0)}, y_g^{(0)})\}$. We assume that the unique solution $X(t) = (x_1(t), \dots, x_g(t))$ of Equation (1) has coefficients in $\mathcal{O}_L$ when $X$ and $Y$ are the initial conditions.

Let $m \in \mathbb{N}$ and $n = 2m$. Let $X_m(t) = (x_1^{(m)}(t), \dots, x_g^{(m)}(t))$ be an approximation of $X(t)$ modulo $t^m$, represented by the minimal polynomial of $x_1^{(m)}$, $U_m(t, z) = \prod_i (z - x_i^{(m)}(t))$. We show in the next proposition that we can compute efficiently an approximation $X_n(t) = (x_1^{(n)}(t), \dots, x_g^{(n)}(t))$ of $X(t)$ modulo $t^n$, represented by the minimal polynomial $U_n(t, z)$ of $x_1^{(n)}(t)$, using Equation (3). The notation $\tilde O(-)$ means that we are hiding logarithmic factors.

Proposition 2. Using the same notations as above, there exists an algorithm that computes $U_n(t, z)$ from $U_m(t, z)$ with time complexity $\tilde O(mg)$.

Sketch of the proof. The algorithm performs the following steps.
(1) Compute the polynomial $W_m(t, z) = \sum_{i=0}^{g-1} w_i^{(m)}(t) z^i$ of degree $g-1$ such that $W_m(t, z)^2 \equiv 1/f(z) \pmod{(t^m, U_m(t, z))}$ and $W_m(0, z) = 1/V(z) \bmod U(z)$. Observe that it is the interpolating polynomial of the points $\{(x_1^{(m)}, 1/y_1^{(m)}), \dots, (x_g^{(m)}, 1/y_g^{(m)})\}$. Deduce $V_m(z) = f(z) W_m(z) \bmod (t^m, U_m(z))$.
(2) Compute the Newton sums $s_i^{(m)}(t) = \sum_{j=1}^{g} (x_j^{(m)}(t))^i \bmod t^m$ for $i = 1, \dots, 2g-1$ and deduce $r_i^{(m)}(t) = \sum_{j=1}^{g} (x_j^{(m)}(t))^{i-1} (x_j^{(m)}(t))' \bmod t^m$.
(3) Compute the two products $H(X_m(t)) X_m'(t)$ and $H(X_m(t)) X_m(t)$ as follows:
\[
H(X_m(t)) X_m'(t) =
\begin{pmatrix}
r_1^{(m)} & r_2^{(m)} & \cdots & r_g^{(m)} \\
r_2^{(m)} & r_3^{(m)} & \cdots & r_{g+1}^{(m)} \\
\vdots & \vdots & & \vdots \\
r_g^{(m)} & r_{g+1}^{(m)} & \cdots & r_{2g-1}^{(m)}
\end{pmatrix}
\begin{pmatrix} w_0^{(m)} \\ w_1^{(m)} \\ \vdots \\ w_{g-1}^{(m)} \end{pmatrix}
\bmod t^m
\]
and
\[
H(X_m(t)) X_m(t) =
\begin{pmatrix}
s_1^{(m)} & s_2^{(m)} & \cdots & s_g^{(m)} \\
s_2^{(m)} & s_3^{(m)} & \cdots & s_{g+1}^{(m)} \\
\vdots & \vdots & & \vdots \\
s_g^{(m)} & s_{g+1}^{(m)} & \cdots & s_{2g-1}^{(m)}
\end{pmatrix}
\begin{pmatrix} w_0^{(m)} \\ w_1^{(m)} \\ \vdots \\ w_{g-1}^{(m)} \end{pmatrix}
\bmod t^m
\]
(4) Compute $(F_1^{(m)}, \dots, F_g^{(m)}) = H(X_m(t)) X_m(t) + \int \big( G(t) - H(X_m(t)) X_m'(t) \big)\, dt$.
(5) Let $D_m(t, z) = F_1^{(m)} z^g + F_2^{(m)} z^{g-1} + \dots + F_{g-1}^{(m)} z^2 + F_g^{(m)} z$.
Compute $U_m(t, z) D_m(t, z) = q_{2g}^{(m)} z^{2g} + q_{2g-1}^{(m)} z^{2g-1} + \dots + q_0^{(m)} \bmod t^m$ and read off the polynomial $Q_m(t, z) = q_{2g}^{(m)} z^{g-1} + q_{2g-1}^{(m)} z^{g-2} + \dots + q_{g+1}^{(m)}$.
(6) Compute $T_m(t, z) = \dfrac{Q_m(t, z)\, V_m(t, z)}{U_m'(t, z)} \bmod (t^m, U_m(t, z))$.
(7) Compute $U_n(t, z)$ such that $U_n(t, T_m(t, z)) \equiv 0 \pmod{(t^m, U_m(t, z))}$.

We now discuss briefly the complexity analysis. The polynomial $W_m$ in step 1 can be efficiently computed by the classical Newton scheme for extracting square roots. Since the coefficients of $W_m$ and $V_m$ are polynomials of degree at most $m$ defined over $K$, the complexity of this step is $O(\mathsf{M}(m) \mathsf{M}(g))$. The computation of the Newton sums $s_i^{(m)}$ of $U_m$ in step 2 is classical [BGVPS21] and can be carried out for a cost of $O(\mathsf{M}(m) \mathsf{M}(g))$ operations. In step 3, we are dealing with two Hankel matrix-vector products. This can be done in $O(\mathsf{M}(m) \mathsf{M}(g))$ operations in $K$ [CKY89, Section 3a]. The polynomial $T_m$ constructed in steps 5 and 6 interpolates the data $\{(x_1^{(m)}, x_1^{(n)}), \dots, (x_g^{(m)}, x_g^{(n)})\}$ (see [KY89, Section 5] for more details); it can be computed in $O(\mathsf{M}(m) \mathsf{M}(g))$ as well. Step 7 computes $U_n$, the minimal polynomial of $x_1^{(n)}$. We make use of the Kedlaya–Umans algorithm [KU11] to execute step 7; the resulting bit complexity is $\tilde O(mg)$. □

References

[Abe18] S. Abelard. Comptage de points de courbes hyperelliptiques en grande caractéristique : algorithmes et complexité. PhD thesis, Université de Lorraine, 2018. Doctoral thesis in computer science supervised by Pierrick Gaudry and Pierre-Jean Spaenlehauer.
[BGG+17] S. Ballentine, A. Guillevic, E. L. García, C. Martindale, M. Massierer, B. Smith, and J. Top. Isogenies for point counting on genus two hyperelliptic curves with maximal real multiplication. In Algebraic geometry for coding theory and cryptography, pages 63–94. Springer, 2017.
[BGVPS21] A. Bostan, L. González-Vega, H. Perdry, and E. Schost. Complexity issues on Newton sums of polynomials. February 2021.
[Can94] D. G. Cantor. On the analogue of the division polynomials for hyperelliptic curves. 1994(447):91–146, 1994.
[CE15] J.-M. Couveignes and T. Ezome. Computing functions on Jacobians and their quotients. LMS Journal of Computation and Mathematics, 18(1):555–577, 2015.
[CEL12] J.-M. Couveignes, T. Ezome, and R. Lercier. A faster pseudo-primality test. Rend. Circ. Mat. Palermo (2), 61(2):261–278, 2012.
[CEL20] X. Caruso, E. Eid, and R. Lercier. Fast computation of elliptic curve isogenies in characteristic two. Working paper or preprint, March 2020.
[CKY89] J. F. Canny, E. Kaltofen, and L. Yagati. Solving systems of nonlinear polynomial equations faster. In Proceedings of the ACM-SIGSAM 1989 International Symposium on Symbolic and Algebraic Computation, ISSAC '89, pages 121–128, New York, NY, USA, 1989. Association for Computing Machinery.
[CL13] J.-M. Couveignes and R. Lercier. Fast construction of irreducible polynomials over finite fields. Israel J. Math., 194(1):77–105, 2013.
[CS20] C. Costello and B. Smith. The supersingular isogeny problem in genus 2 and beyond. In International Conference on Post-Quantum Cryptography, pages 151–168. Springer, 2020.
[Eid20] E. Eid. Fast computation of hyperelliptic curve isogenies in odd characteristic, 2020.
[Elk97] N. Elkies. Elliptic and modular curves over finite fields and related computational issues. 1997.
[FT19] E. V. Flynn and Y. B. Ti. Genus two isogeny cryptography. In J. Ding and R. Steinwandt, editors, Post-Quantum Cryptography, pages 286–306, Cham, 2019. Springer International Publishing.
[KU11] K. S. Kedlaya and C. Umans. Fast polynomial factorization and modular composition. SIAM J. Comput., 40(6):1767–1802, 2011.
[KY89] E. Kaltofen and L. Yagati. Improved sparse multivariate polynomial interpolation algorithms. In P. Gianni, editor, Symbolic and Algebraic Computation, pages 467–474, Berlin, Heidelberg, 1989. Springer Berlin Heidelberg.
[LS08] R. Lercier and T. Sirvent. On Elkies subgroups of $\ell$-torsion points in elliptic curves defined over a finite field. J. Théor. Nombres Bordeaux, 20(3):783–797, 2008.
[LV16] P. Lairez and T. Vaccon. On $p$-adic differential equations with separation of variables. In Proceedings of the 2016 ACM International Symposium on Symbolic and Algebraic Computation, pages 319–323. ACM, New York, 2016.
[Sch95] R. Schoof. Counting points on elliptic curves over finite fields. Journal de Théorie des Nombres de Bordeaux, 7(1):219–254, 1995.

Elie Eid, Univ. Rennes, CNRS, IRMAR - UMR 6625, F-35000 Rennes, France.
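The proof sketch of Proposition 2 hides its main trick in steps 2 to 6: a product $H(X_m) \cdot A$ is never formed from the roots $x_j$ but from power sums of $U_m$ and the coefficients of an interpolating polynomial (a Hankel matrix-vector product), and the result is turned back into a polynomial in $z$ by the quotient-by-$z^g$ trick of step 5 and the division by $U_m'$ of step 6. The following added example (not the paper's code) runs that round trip at the $t = 0$ layer, so $U$, $V$ and the power sums are constants rather than series in $t$, with exact rational arithmetic over $\mathbb{Q}$. It generalizes the two products of step 3 slightly: for a vector $A$ given by its interpolant $A(z)$ it computes $F_i = \sum_j x_j^{i-1} a_j / y_j$ only from $U$, $V$ and $A$ (with $A(z) = z$ the weighted power sums are exactly $s_1, \dots, s_{2g-1}$, the paper's second product), then recovers $A$ from $F$ by steps 5 and 6. All names and the sample data (roots, $y_j$, targets $a_j$) are constructed assumptions; the Hankel product is the naive quadratic one, not the fast algorithm of [CKY89].

```python
from fractions import Fraction as Fr

# Polynomials in z are lists of Fractions, index = exponent (low degree first).
# Constructed sample data (not from the paper): roots x_j of U, values y_j = V(x_j), targets a_j.
ROOTS = [Fr(1), Fr(2), Fr(4)]     # rational so that the root-based check in run_example is possible
YS = [Fr(1), Fr(3), Fr(5)]        # y_j = V(x_j), all nonzero (no Weierstrass point)
TARGET = [Fr(3), Fr(-5), Fr(7)]   # a_j, the values encoded into F and recovered at the end

def strip(p):
    p = list(p)
    while len(p) > 1 and p[-1] == 0:
        p.pop()
    return p

def pmul(a, b):
    out = [Fr(0)] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return strip(out)

def padd(a, b):
    n = max(len(a), len(b))
    return strip([(a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0) for i in range(n)])

def pdivmod(a, b):
    """Quotient and remainder of a by b (b nonzero); inputs are not modified."""
    a, b = strip(a), strip(b)
    q = [Fr(0)] * max(1, len(a) - len(b) + 1)
    while len(a) >= len(b) and any(a):
        shift, lead = len(a) - len(b), a[-1] / b[-1]
        q[shift] = lead
        for i, y in enumerate(b):
            a[shift + i] -= lead * y
        a = strip(a)
    return strip(q), a

def pderiv(p):
    return strip([k * p[k] for k in range(1, len(p))]) if len(p) > 1 else [Fr(0)]

def pinv_mod(a, m):
    """a^{-1} mod m by the extended Euclidean algorithm (gcd(a, m) must be 1)."""
    r0, r1, s0, s1 = strip(m), pdivmod(a, m)[1], [Fr(0)], [Fr(1)]
    while any(r1):
        q, r = pdivmod(r0, r1)
        r0, r1, s0, s1 = r1, r, s1, padd(s0, [-c for c in pmul(q, s1)])
    return strip([c / r0[0] for c in pdivmod(s0, m)[1]])   # r0 = gcd (constant), s0*a = r0 mod m

def interpolate(xs, ys):
    """Lagrange interpolation: the polynomial of degree < len(xs) with value ys[j] at xs[j]."""
    total = [Fr(0)]
    for j, xj in enumerate(xs):
        term = [Fr(ys[j])]
        for k, xk in enumerate(xs):
            if k != j:
                term = pmul(term, [-xk / (xj - xk), Fr(1) / (xj - xk)])   # (z - x_k)/(x_j - x_k)
        total = padd(total, term)
    return total

def newton_sums(U, count):
    """Step 2: s_k = sum_j x_j^k, k = 0..count, from the coefficients of monic U (Newton's identities)."""
    g = len(U) - 1
    c = [U[g - i] for i in range(g + 1)]   # c_i = coefficient of z^(g-i); c_0 = 1
    s = [Fr(g)]
    for k in range(1, count + 1):
        val = -sum(c[i] * s[k - i] for i in range(1, min(k - 1, g) + 1))
        if k <= g:
            val -= k * c[k]
        s.append(val)
    return s

def weighted_power_sums(s, A, g):
    """p_i = sum_j x_j^(i-1) A(x_j) for i = 1..2g-1; A(z) = z gives s_1..s_{2g-1} as in the paper."""
    A = A + [Fr(0)] * (g - len(A))
    return [sum(A[l] * s[i - 1 + l] for l in range(g)) for i in range(1, 2 * g)]

def hankel_product(p, w, g):
    """Step 3: F_i = sum_{k<g} p_{i+k} w_k, i = 1..g, which equals H(X) * A when W(x_j) = 1/y_j."""
    w = w + [Fr(0)] * (g - len(w))
    return [sum(p[i - 1 + k] * w[k] for k in range(g)) for i in range(1, g + 1)]

def recover_interpolant(U, V, F):
    """Steps 5-6: from F = H(X) * A recover the polynomial T of degree < g with T(x_j) = a_j."""
    g = len(U) - 1
    D = [Fr(0)] + [F[g - k] for k in range(1, g + 1)]    # D = F_1 z^g + F_2 z^(g-1) + ... + F_g z
    P = pmul(U, D) + [Fr(0)] * (2 * g + 1)
    Q = P[g + 1: 2 * g + 1]                               # q_{g+1} + ... + q_{2g} z^(g-1); Q(x_j) = a_j U'(x_j)/y_j
    return pdivmod(pmul(pmul(Q, V), pinv_mod(pderiv(U), U)), U)[1]

def run_example():
    g = len(ROOTS)
    U = [Fr(1)]
    for r in ROOTS:
        U = pmul(U, [-r, Fr(1)])              # U(z) = prod_j (z - x_j): the only form the algorithm uses
    V = interpolate(ROOTS, YS)                # V(x_j) = y_j
    A = interpolate(ROOTS, TARGET)            # the vector A, given by its interpolant A(x_j) = a_j
    W = pinv_mod(V, U)                        # step 1 at t = 0: W = 1/V mod U, so W(x_j) = 1/y_j
    s = newton_sums(U, 3 * g - 3)             # step 2: no root is ever touched from here on
    F = hankel_product(weighted_power_sums(s, A, g), W, g)   # step 3
    T = recover_interpolant(U, V, F)          # steps 5-6
    direct = [sum(x ** (i - 1) * a / y for x, a, y in zip(ROOTS, TARGET, YS)) for i in range(1, g + 1)]
    return {"U": U, "s": s, "F": F, "direct_F": direct, "T": T, "A": A}

if __name__ == "__main__":
    print(run_example())
```

The check `F == direct_F` confirms that the Hankel route reproduces $\sum_j x_j^{i-1} a_j / y_j$ without the roots, and `T == A` confirms that steps 5 and 6 invert it, which is exactly what step 6 needs in order to interpolate the next approximation $x_j^{(n)}$ at the points $x_j^{(m)}$ before the minimal polynomial of step 7 is formed.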