
Quasi-quadratic elliptic curve point counting using rigid cohomology

Hendrik Hubrechts
Katholieke Universiteit Leuven

MEGA 2007 - Strobl (Austria)
June 28, 2007


Outline

• Motivation: cryptography
• Elliptic curves and point counting
• Rigid cohomology and Kedlaya's algorithm
• A new quasi-quadratic algorithm




Public key cryptography – one way functions

• Cryptography: studies methods for secure communication
• Public Key Cryptography: secure communication over an insecure channel
  Idea: use public information to encode, private information to decode
• Basic component: "(trapdoor) one way function"
      f : D → E   (suppose bijective)
  where f is easy to compute, but hard to invert (without secret knowledge)
Examples of one way functions

1. Product/factorization: p, q large primes, compute n := p · q
   Protocol: RSA, well-known and widely used cryptosystem
2. Shortest vector in a lattice: NTRU cryptosystem
3. Discrete exponentiation (inverse: discrete logarithm)
   (Cyclic) group G = ⟨g⟩, ·
      $\varphi : \mathbb{Z}/(\#G)\mathbb{Z} \to G : x \mapsto g^x$
   Proposed groups G: F_q^×, elliptic curves (EC's) over F_q, Jacobians of hyperelliptic curves over F_q
Security of these functions

1. Factorization of n: subexponential time in log n (number field sieve)
2. Shortest vector in a lattice: in general exponential time in the dimension
3. Discrete logarithm problem:
   • F_q^×: subexponential time in log q (index calculus)
   • Elliptic curves (EC's), Jacobians of low genus hyperelliptic curves over F_q: in general exponential time in log(#G).
     (q = p^n with p and n moderate: subexponential time algorithm (C. Diem))
   • If #G is smooth: subexponential time, viz. polynomial time in log(#G) × the largest prime factor of #G

For this reason we need point counting algorithms!
Elliptic curves and zeta functions

• An EC Ē/F_{p^n} is a smooth genus 1 curve over F_{p^n}. It has an affine Weierstrass equation
      Y^2 + ā_1 XY + ā_3 Y = X^3 + ā_2 X^2 + ā_4 X + ā_6,
  and one point P_∞ at infinity.
• Ē has a natural and computable group structure
• Define N_k := #Ē/F_{(p^n)^k} and the Weil zeta function of Ē/F_{p^n}:
      $Z(\bar{E}/\mathbb{F}_{p^n}; T) := \exp\Big(\sum_{k=1}^{\infty} \frac{N_k}{k} T^k\Big) = \frac{p^n T^2 - tT + 1}{(1 - T)(1 - p^n T)},$
  where t ∈ Z, |t| ≤ 2√(p^n) (Hasse-Weil bound)
• N_1 = p^n + 1 − t is what we want to compute
A bound on t, the trace of Frobenius

• We say that Ē is supersingular if t ≡ 0 mod p, equivalently N_1 ≡ 1 mod p
• Such curves are rare, special and to be avoided in cryptography
  We always assume that Ē is not supersingular (which is easy to verify)
• Goal: compute t; as |t| < 2√(p^n) it suffices to compute t mod p^N with
      p^N ≥ 4√(p^n)  ⇒  N := ⌈n/2 + log_p 4⌉
  Note that we can assume N ≤ n, so that t mod p^n certainly suffices
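The zeta function, the Hasse-Weil bound and the precision N := ⌈n/2 + log_p 4⌉ of the last two slides can be checked by hand on a tiny curve. The Python below is an added example and not code from the talk: it counts points on a constructed curve y^2 = x^3 + x + 6 over F_11 by brute force, derives t, predicts N_2 from the numerator p T^2 − tT + 1 of the zeta function and verifies the prediction over F_121 = F_11[i], and finally recovers t from the residue t mod p^N inside the Hasse-Weil interval (the reason the slide needs p^N ≥ 4√(p^n)). The curve, the choice p ≡ 3 mod 4 (so that i^2 = −1 models F_{p^2}) and all function names are my own.

```python
"""Added example (not from the talk): brute-force point counts on a constructed
curve, the trace t, the Hasse-Weil bound, the N_k recurrence contained in the
zeta function, and the precision N with p^N >= 4 sqrt(p^n) from the slides."""
from collections import Counter

P, A, B = 11, 1, 6      # constructed curve y^2 = x^3 + x + 6 over F_11 (p = 3 mod 4)


def count_points_fp(p, a, b):
    """#E(F_p): for every x count the y with y^2 = x^3 + a x + b, plus P_infinity."""
    sq = Counter(y * y % p for y in range(p))      # how many square roots each value has
    return 1 + sum(sq[(x ** 3 + a * x + b) % p] for x in range(p))


def fp2_mul(u, v, p):
    """Product in F_{p^2} = F_p[i]/(i^2 + 1), elements as pairs (u0 + u1 i); needs p = 3 mod 4."""
    return ((u[0] * v[0] - u[1] * v[1]) % p, (u[0] * v[1] + u[1] * v[0]) % p)


def count_points_fp2(p, a, b):
    """#E(F_{p^2}) by the same brute force over all p^2 pairs."""
    assert p % 4 == 3, "i^2 + 1 is irreducible over F_p only for p = 3 mod 4"
    elems = [(c0, c1) for c0 in range(p) for c1 in range(p)]
    sq = Counter(fp2_mul(y, y, p) for y in elems)
    total = 1                                      # the point at infinity
    for x in elems:
        x3 = fp2_mul(fp2_mul(x, x, p), x, p)
        rhs = ((x3[0] + a * x[0] + b) % p, (x3[1] + a * x[1]) % p)
        total += sq[rhs]
    return total


def trace_of_frobenius(p, a, b):
    """t = p + 1 - N_1, checked against the Hasse-Weil bound |t| <= 2 sqrt(p)."""
    t = p + 1 - count_points_fp(p, a, b)
    assert t * t <= 4 * p
    return t


def nk_from_zeta(p, t, k):
    """N_k = p^k + 1 - (alpha^k + beta^k) with alpha, beta the roots of T^2 - tT + p
    (the zeta numerator reversed); s_k = alpha^k + beta^k obeys s_k = t s_{k-1} - p s_{k-2}."""
    s_prev, s = 2, t                               # s_0 = 2, s_1 = t
    for _ in range(k - 1):
        s_prev, s = s, t * s - p * s_prev
    return p ** k + 1 - s


def precision_digits(p, n):
    """Smallest N with p^N >= 4 sqrt(p^n), i.e. p^(2N) >= 16 p^n: the integer form of
    N = ceil(n/2 + log_p 4).  Then t mod p^N pins down t."""
    N = 0
    while p ** (2 * N) < 16 * p ** n:
        N += 1
    return N


def trace_from_residue(r, p, n, N):
    """Recover t from r = t mod p^N: the unique representative with |t| < 2 sqrt(p^n)."""
    for cand in (r % p ** N, r % p ** N - p ** N):
        if cand * cand < 4 * p ** n:
            return cand
    raise ValueError("no representative inside the Hasse-Weil interval")


def demo(p=P, a=A, b=B):
    n1 = count_points_fp(p, a, b)
    t = trace_of_frobenius(p, a, b)
    n2 = nk_from_zeta(p, t, 2)
    assert n2 == count_points_fp2(p, a, b)         # zeta prediction against brute force
    N = precision_digits(p, 1)
    assert trace_from_residue(t % p ** N, p, 1, N) == t
    return n1, t, n2, N
```

demo() returns (13, −1, 143, 2): the curve has 13 points over F_11, so t = −1, the zeta function predicts 143 points over F_121 (note 13 | 143, as E(F_11) ⊂ E(F_121)), and N = 2 p-adic digits of t are enough here. The brute force is only feasible for toy sizes; the slides are about replacing it by Õ(n^2) p-adic computations.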
A few known point counting methods

We work with a curve Ē over F_{p^n}

1. Schoof '85 (SEA): time Õ((log p^n)^4)
   (Still the best for large p)
   Idea: compute t modulo some small primes ℓ ≠ p, by considering the ℓ-torsion of the curve
2. Satoh '99, …, Harley '02: Õ(n^2)
   (p-adic ⇒ fixed small p)
   Idea: compute the canonical lift of Ē and determine the action of Frobenius on it
3. Rigid cohomology (started with Kedlaya '01): more details immediately
   Originally: Õ(n^3), now Õ(n^2)
Weil cohomology

Suggested by Weil in '49 (for proving the Weil conjectures): Try to find a good cohomology for your variety (defined over F_{p^n}) with a Frobenius morphism ("x ↦ x^{p^n}") on it, then a Lefschetz fixed point formula for this operator gives you the zeta function

Given a curve f̄(X, Y) = 0, the de Rham cohomology of F_{p^n}[X, Y]/f̄(X, Y) does not work, e.g. all X^{p^n − 1} dX are non-exact.
p-Adic numbers and rigid lifts

    $\mathbb{Q}_p = \Big\{ \sum_{i \ge J} a_i p^i \;\Big|\; J \in \mathbb{Z},\ a_i \in \{0, 1, \ldots, p-1\} \Big\}, \qquad \mathbb{Z}_p : \sum_{i \ge 0} a_i p^i$

Q_{p^n} = unique unramified degree n extension of Q_p, then we have Z_{p^n}/pZ_{p^n} ≅ F_{p^n}   (∗)

Frobenius automorphism σ : Q_{p^n} → Q_{p^n}, lift of x ↦ x^p

Given EC Ē : Y^2 + ā_1 XY + ā_3 Y = X^3 + ā_2 X^2 + ā_4 X + ā_6 over F_{p^n}, then we can take a rigid lift by
    E : Y^2 + a_1 XY + a_3 Y = X^3 + a_2 X^2 + a_4 X + a_6,
where a_i ∈ Z_{p^n} and (a_i mod p) ≡ ā_i using (∗)
Monsky-Washnitzer cohomology

• p-Adic ring k: the ring of overconvergent power series is
    $k\langle X, Y\rangle^\dagger := \Big\{ \sum_{i,j \ge 0} b_{ij} X^i Y^j \;\Big|\; \liminf_{i+j \to \infty} \frac{\mathrm{ord}_p(b_{ij})}{i+j} > 0 \Big\},$
  i.e. all power series converging on a disk strictly bigger than the unit disk
• For a curve Ē : f̄(X, Y) = 0 with rigid lift E given by f(X, Y) = 0, we define the dagger ring
    $A^\dagger := \frac{\mathbb{Z}_{p^n}\langle X, Y\rangle^\dagger}{f(X, Y)}$
• Monsky-Washnitzer cohomology: de Rham cohomology of A^†:
    $H^1_{MW}(\bar{E}/\mathbb{F}_{p^n}) := \frac{\Omega^1(A^\dagger)}{dA^\dagger} \otimes \mathbb{Q}_{p^n}$
Point counting using the Frobenius operator

For simplicity we take EC Ē : Y^2 = Q̄(X) with rigid lift E : Y^2 = Q(X)

• For algorithmic purposes Kedlaya removed the Weierstrass points:
      E' := E minus {(x, y) | Q(x) = 0}
• Resulting dagger ring:
    $A^\dagger = \mathbb{Z}_{p^n}\big\langle X, \sqrt{Q}, 1/\sqrt{Q}\big\rangle^\dagger$
• On A^† a p^n-th power Frobenius morphism F_{p^n} exists, and H^1_MW(E') is a Q_{p^n}-vector space of dimension 5
  Let F_{p^n} also denote a matrix of this operator, then
      Tr(F_{p^n}) = #Ē/F_{p^n} − p^n − #{x ∈ F_{p^n} | Q̄(x) = 0}
In practice: two adaptations

• For convergence reasons: it is much better to work with F_p, the p-th power Frobenius, here given by
      X ↦ X^p,   dX ↦ d(X^p) = pX^{p−1} dX,
    $\sqrt{Q(X)} \mapsto Q(X)^{p/2} \cdot \Big(1 - \frac{Q(X)^p - Q^\sigma(X^p)}{Q(X)^p}\Big)^{1/2} \in A^\dagger$
• With the hyperelliptic involution ı : X ↦ X, √Q ↦ −√Q we have
      H^1_MW(E') ≅ H^+_MW(E') ⊕ H^−_MW(E'),
  eigenspaces corresponding to the eigenvalues ±1 of ı
• The Q_{p^n}-vector space H^−_MW(E') has dimension 2
Conclusion

• We end up with H^−_MW(E'), a 2-dimensional Q_{p^n}-vector space, with the operators
      F_p as p-th power Frobenius (matrix F_p),
      F_{p^n} as p^n-th power Frobenius (matrix F_{p^n}), and
      Tr(F_{p^n}) = t   (recall: N_1 = p^n + 1 − t)
• As F_p is σ-linear we have (recall σ : Q_{p^n} → Q_{p^n}, the lift of x ↦ x^p)
      F_{p^n} = σ^{n−1}(F_p) · σ^{n−2}(F_p) ··· σ(F_p) · F_p
Kedlaya's algorithm

(in fact for hyperelliptic curves in odd characteristic)

• Take a basis $\{ dX/\sqrt{Q}^{\,3},\ X\,dX/\sqrt{Q}^{\,3} \}$ of H^−_MW(E'), compute F_p(b) ∈ A^† for b in the basis, reduce the result back to the basis and find F_p
• Compute F_{p^n} from F_p via (roughly)
      M_0 := F_p,   M_{i+1} := σ^{2^i}(M_i) · M_i
• Determine the zeta function from F_{p^n}
• All computations have to be done modulo p^M for appropriate M
• Result: time Õ(n^3), space O(n^3) (for fixed small p and fixed genus)
The slow steps in Kedlaya's algorithm

Two main steps in Kedlaya's algorithm:

1. Computing F_p: computing F_p(b) for b in the basis is very expensive ⇒ Õ(n^3) time and O(n^3) space
2. Computing F_{p^n} from F_p: computing σ^k on Q_{p^n} is expensive ⇒ Õ(n^3) time

We will do both steps in time Õ(n^2):

1. Using deformation (EC's: all curves in good families)
2. By semi-diagonalising F_p (EC's: F_p is 2-dimensional, but has in fact only one invariant)
Deformation: families of curves

Assume p is odd (p = 2: more complicated, similar results)
Choose a family Ē_Γ : Y^2 = Q̄_Γ(X) of (hyper)elliptic curves, with Q̄_Γ(X) ∈ F_p[X, Γ], and γ̄ ∈ F_{p^n} s.t. F_{p^n} = F_p[γ̄]
In earlier work we have proven for the curve Ē_γ̄:

Theorem. We can compute F_p(γ) in time Õ(n^2) and space O(n^2).

We will immediately explain how this works

Lemma. Given any EC Ē over F_{p^n}, we can find (efficiently) an equation of the form
      Y^2 = X^3 + (ā_2 + b̄_2 γ̄)X^2 + ··· + (ā_6 + b̄_6 γ̄),
where ā_i, b̄_i ∈ F_p, γ̄ ∈ F_{p^n}, for either Ē or its quadratic twist.

Main point: we can always work with a family Ē_Γ as above
Relative rigid cohomology

We construct H^−_MW(E') as before, but now for the whole family Ē_Γ at once

Concretely: Ē_Γ : Y^2 = Q̄_Γ(X), rigid lift E_Γ : Y^2 = Q_Γ(X), then
    $S^\dagger := \mathbb{Q}_p\Big\langle \Gamma,\ \mathrm{Res}_X\big(Q_\Gamma, \tfrac{\partial}{\partial X} Q_\Gamma\big)^{-1} \Big\rangle^\dagger,$   the base ring,
with the singular fibres removed from the family,
    $T^\dagger := \mathbb{Q}_p\Big\langle X,\ \sqrt{Q_\Gamma},\ 1/\sqrt{Q_\Gamma},\ \Gamma,\ \mathrm{Res}_X\big(Q_\Gamma, \tfrac{\partial}{\partial X} Q_\Gamma\big)^{-1} \Big\rangle^\dagger,$
    $H^-_{MW}(E'_\Gamma) \subset \frac{\Omega^1(T^\dagger)}{dT^\dagger},$
which is an S^†-module of rank 2
The connection and differential equation

• Let F_p(Γ) be the matrix of the p-th power Frobenius F_p on this module H^−_MW(E'_Γ)
• We define the connection
    $\nabla : T^\dagger \to T^\dagger d\Gamma : f \mapsto \frac{\partial f}{\partial \Gamma}\, d\Gamma,$
  with matrix G(Γ) on H^−_MW(E'_Γ)
• From ∇ ∘ F_p = F_p ∘ ∇ we can deduce
    $\frac{\partial}{\partial \Gamma} F_p(\Gamma) + F_p(\Gamma) \cdot G(\Gamma) = G(\Gamma^p) \cdot F_p(\Gamma)\, \frac{d(\Gamma^p)}{d\Gamma}$
• With a few more ideas we can compute F_p(Γ) as a power series up to sufficient precision p^N, Γ^M in time Õ(n^2)
Computing the small Frobenius

• As σ(Γ) = Γ^p, hence σ(γ) = γ^p, we need for γ ∈ Q_{p^n} the Teichmüller lift of γ̄ ∈ F_{p^n}, i.e. the unique root of unity congruent to γ̄ mod p
• Let ϕ̄(x) be the minimal polynomial of γ̄, then we take ϕ(x) as the Teichmüller modulus lift of ϕ̄(x), i.e. the minimal polynomial of the Teichmüller lift γ, or equivalently ϕ(x) | x^{p^n} − x
• Conclusion (with some abuse of notation):
    $\mathbb{Q}_{p^n} = \frac{\mathbb{Q}_p[\gamma]}{\phi(\gamma)}, \quad \text{and} \quad F_p(\gamma) = \big(F_p(\Gamma) \bmod \phi(\Gamma)\big),$
  which can be computed in time Õ(n^2)
• An algorithm of Harley allows us to find ϕ(x) mod p^N in time Õ(n^2)
Integral matrices

A slight complication: in the next step we need that F_p(γ) is integral, i.e. is defined over Z_{p^n}

• p odd: the basis $\{ dX/\sqrt{Q_\Gamma}^{\,3},\ X\,dX/\sqrt{Q_\Gamma}^{\,3} \}$ suffices
• p = 2: we can compute (efficiently) a matrix of basis transformation such that the transformed F_p(γ) is integral
The slow steps in Kedlaya's algorithm (again)

Two main steps in Kedlaya's algorithm:

1. Computing F_p: computing F_p(b) for b in the basis is very expensive ⇒ Õ(n^3) time and O(n^3) space
2. Computing F_{p^n} from F_p: computing σ^k on Q_{p^n} is expensive ⇒ Õ(n^3) time

We will do both steps in time Õ(n^2):

1. Using deformation (EC's: all curves in good families)
2. By semi-diagonalising F_p (EC's: F_p is 2-dimensional, but has in fact only one invariant)
An eigenvalue of the big Frobenius

The Weil conjectures imply for a nonsupersingular EC that
      det(F_{p^n}(γ)) = p^n   and   Tr(F_{p^n}(γ)) = t ≢ 0 mod p
and hence that F_{p^n}(γ) has p-adic eigenvalues
      λ and p^n/λ,   with λ ∈ Z_p^×

As we work mod p^N with N ≤ n, we have
      t = Tr(F_{p^n}(γ)) = λ + p^n/λ ≡ λ mod p^N,
so we have to compute
      t ≡ λ mod p^N
From the p-th to the p^n-th power Frobenius

Recall: we need λ, the p-adic unit eigenvalue of F_{p^n}(γ)

• Suppose we can solve the equation
    $F_p(\gamma) \cdot \begin{pmatrix} x \\ y \end{pmatrix} = \mu \cdot \begin{pmatrix} \sigma(x) \\ \sigma(y) \end{pmatrix}, \qquad (\ast)$
  x, y, μ ∈ Z_{p^n}, μ a unit, then we find the factorization
    $F_p(\gamma) = C^\sigma \cdot \begin{pmatrix} \mu & \ast \\ 0 & \ast \end{pmatrix} \cdot C^{-1}, \quad \text{with } C = \begin{pmatrix} x & \ast \\ y & \ast \end{pmatrix}$
• This gives for the big Frobenius
    $F_{p^n}(\gamma) = C^{[\sigma^n]} \cdot \begin{pmatrix} \mu & \ast \\ 0 & \ast \end{pmatrix}^{\sigma^{n-1}} \cdots \begin{pmatrix} \mu & \ast \\ 0 & \ast \end{pmatrix}^{\sigma} \cdot \begin{pmatrix} \mu & \ast \\ 0 & \ast \end{pmatrix} \cdot C^{-1},$
  hence also
    $\lambda = \mu^{\sigma^{n-1}} \cdots \mu^{\sigma} \cdot \mu = N_{\mathbb{Q}_{p^n}/\mathbb{Q}_p}(\mu)$
• By known fast generalized Newton lifting methods, (∗) can be solved in time Õ(n^2)
Computing the norm

We want to compute t ≡ N_{Q_{p^n}/Q_p}(μ) mod p^N

• (Idea of Harley) recall Q_{p^n} ≅ Q_p[x]/ϕ(x), then with μ(x) ∈ Q_{p^n}
    $\mathrm{Res}_x(\phi(x), \mu(x)) = \prod_{\alpha \text{ root of } \phi} \mu(\alpha) = \prod_{\tau \in \mathrm{Gal}(\mathbb{Q}_{p^n}/\mathbb{Q}_p)} \mu(\tau(x)) = N_{\mathbb{Q}_{p^n}/\mathbb{Q}_p}(\mu(x))$
• This resultant can be computed in time Õ(n^2) using an adaptation of Moenck's fast gcd algorithm
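The last few slides (σ-linearity F_{p^n} = σ^{n−1}(F_p)···σ(F_p)·F_p and Kedlaya's doubling M_{i+1} = σ^{2^i}(M_i)·M_i, the Teichmüller modulus ϕ | x^{p^n} − x, the factorization F_p(γ) = C^σ·(μ ∗; 0 ∗)·C^{−1} from the semi-eigenvector equation (∗), and λ = N(μ)) fit into one small computation. The Python below is an added example, not the author's implementation: it works in Z/p^N Z[x]/(ϕ) with the toy parameters p = 3, n = 4, N = 4 (so N ≤ n as the slides assume), computes the Teichmüller modulus from an arbitrary lift of an irreducible polynomial by iterating the p^n-th power map (a naive stand-in for Harley's Õ(n^2) method, included only so the example is self-contained), builds a Frobenius matrix with a known unit semi-eigenvalue μ, and checks Tr(F_{p^n}) ≡ N(μ) mod p^N with F_{p^n} computed both term by term and by the doubling trick. The norm is taken as the product of conjugates μ·σ(μ)···σ^{n−1}(μ) rather than through the resultant; the polynomials, the matrices and all helper names are constructed for this example.

```python
# Added example (not from the talk): Teichmueller modulus, the sigma-linear product
# F_{p^n} = sigma^{n-1}(F_p)...sigma(F_p)F_p and the norm N(mu) = prod_k sigma^k(mu),
# all in Z/p^N Z[x]/(phi).  Constructed toy parameters: p = 3, n = 4, N = 4 (N <= n).
P, DEG, PREC = 3, 4, 4
PN = P ** PREC
PHI0 = [2, 1, 0, 0, 1]      # x^4 + x + 2, irreducible over F_3 (constant term first)

class Ring:
    # Z/p^N Z[x]/(phi) with phi monic of degree n; elements are length-n coefficient lists
    def __init__(self, phi):
        self.phi, self.n = phi, len(phi) - 1
    def red(self, f):
        f = [c % PN for c in f] + [0] * max(0, self.n - len(f))
        for i in range(len(f) - 1, self.n - 1, -1):      # long division by the monic phi
            c = f[i]
            for j in range(self.n + 1):
                f[i - self.n + j] = (f[i - self.n + j] - c * self.phi[j]) % PN
        return f[:self.n]
    def const(self, k): return self.red([k])
    def add(self, a, b): return [(u + v) % PN for u, v in zip(a, b)]
    def mul(self, a, b):
        out = [0] * (2 * self.n - 1)
        for i, u in enumerate(a):
            for j, v in enumerate(b):
                out[i + j] += u * v
        return self.red(out)
    def pow(self, a, e):
        r = self.const(1)
        while e:
            if e & 1: r = self.mul(r, a)
            a, e = self.mul(a, a), e >> 1
        return r
    def sigma(self, f, k=1):
        # sigma^k, sigma: x -> x^p; a ring automorphism once phi is the Teichmueller modulus
        xp = self.pow(self.red([0, 1]), P)
        for _ in range(k):
            r = self.const(0)
            for c in reversed(f):                          # Horner: evaluate f at x^p
                r = self.add(self.mul(r, xp), self.const(c))
            f = r
        return f

def teichmueller_modulus(phi0):
    """Naive stand-in for Harley's algorithm: in Z/p^N[x]/(phi0) iterate omega -> omega^{p^n}
    to reach the Teichmueller lift of x, then read off its minimal polynomial (divides x^{p^n} - x)."""
    R0 = Ring(phi0)
    n, omega = R0.n, R0.red([0, 1])
    for _ in range(PREC):                    # each round gains at least n p-adic digits
        omega = R0.pow(omega, P ** n)
    pw = [R0.const(1)]
    for _ in range(n):
        pw.append(R0.mul(pw[-1], omega))
    # Solve M d = omega^n, M having columns 1, omega, ..., omega^{n-1}.  M = I mod p,
    # so with E = I - M the fixed-point iteration d = b + E d is exact after N rounds.
    E = [[((i == j) - pw[j][i]) % PN for j in range(n)] for i in range(n)]
    b = d = pw[n]
    for _ in range(PREC):
        d = [(b[i] + sum(E[i][j] * d[j] for j in range(n))) % PN for i in range(n)]
    return [(-c) % PN for c in d] + [1]

def norm(R, mu):
    """N_{Q_{p^n}/Q_p}(mu) = mu sigma(mu) ... sigma^{n-1}(mu); the product lies in Z/p^N Z."""
    r = R.const(1)
    for k in range(R.n):
        r = R.mul(r, R.sigma(mu, k))
    assert all(c == 0 for c in r[1:])
    return r[0]

def mat_mul(R, A, B):
    return [[R.add(R.mul(A[i][0], B[0][j]), R.mul(A[i][1], B[1][j])) for j in range(2)] for i in range(2)]
def mat_sigma(R, A, k): return [[R.sigma(e, k) for e in row] for row in A]

def big_frobenius_naive(R, F):
    M = F                                    # sigma^{n-1}(F) ... sigma(F) F, term by term
    for k in range(1, R.n):
        M = mat_mul(R, mat_sigma(R, F, k), M)
    return M

def big_frobenius_doubling(R, F):
    M, e = F, 1                              # Kedlaya: M_0 = F, M_{i+1} = sigma^{2^i}(M_i) M_i
    while e < R.n:
        M, e = mat_mul(R, mat_sigma(R, M, e), M), 2 * e
    assert e == R.n, "doubling as written needs n to be a power of two"
    return M

def demo():
    R = Ring(teichmueller_modulus(PHI0))
    assert R.pow(R.red([0, 1]), P ** R.n) == R.red([0, 1])    # phi | x^{p^n} - x mod p^N
    mu = R.red([2, 1, 0, 1])                                  # a unit (nonzero mod p)
    nu = R.mul(R.const(P), R.red([1, 2, 1, 0]))               # divisible by p, like p^n / lambda
    c, a = R.red([0, 1, 2, 0]), R.red([1, 1, 1, 1])
    C = [[R.const(1), R.const(0)], [c, R.const(1)]]           # unitriangular, so C^{-1} is explicit
    Cinv = [[R.const(1), R.const(0)], [R.red([-u for u in c]), R.const(1)]]
    F = mat_mul(R, mat_mul(R, mat_sigma(R, C, 1), [[mu, a], [R.const(0), nu]]), Cinv)
    for i in range(2):   # equation (*) of the slides: F_p (x, y)^T = mu (sigma x, sigma y)^T
        assert R.add(R.mul(F[i][0], C[0][0]), R.mul(F[i][1], C[1][0])) == R.mul(mu, R.sigma(C[i][0]))
    Fn = big_frobenius_naive(R, F)
    assert Fn == big_frobenius_doubling(R, F)
    lam, trace = norm(R, mu), R.add(Fn[0][0], Fn[1][1])
    assert norm(R, nu) == 0 and trace == R.const(lam)       # Tr = N(mu) + N(nu), N(nu) = 0 as N <= n
    return R.phi, lam, trace[0]
```

Calling demo() returns the Teichmüller modulus ϕ (a lift of x^4 + x + 2 to Z/81), λ = N(μ) and the trace of the big Frobenius, which agree modulo p^N exactly as the eigenvalue slide predicts: the second diagonal entry ν plays the role of p^n/λ and its norm vanishes modulo p^N because N ≤ n. The term-by-term product applies σ^k to F_p from scratch for every k, which is the Õ(n^3) cost the slides complain about; the doubling variant needs only log_2 n matrix products.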
Overview of the algorithm

INPUT: EC Ē over F_{p^n}
OUTPUT: Number of points on Ē

Let N := ⌈log_p 4 + n/2⌉

1. Place Ē in a good family over F_p
2. Compute F_p(γ) by solving the differential equation
3. Compute a unit semi-eigenvalue μ of F_p(γ)
4. Compute t ≡ N_{Q_{p^n}/Q_p}(μ) mod p^N s.t. |t| < 2√(p^n)
5. Output p^n + 1 − t

Theorem. We can compute the number of points on an elliptic curve Ē over F_{p^n} in time Õ(n^2) and space O(n^2).

Note: this is only relevant for fixed small p
Implementation results

We do not use Moenck's algorithm for the norm computation, but Satoh, Skjernaa and Taguchi's method (which is far easier to implement)

For a random elliptic curve over F_{p^n}, time in seconds (AMD Athlon 64 3000+):

  p \ n      50     100     250      500    1000    2000
  3         .18     .50    2.55    10.05      46     229
  5         .58    1.38    6.48    27.08     117     610
  7        2.16    5.51   34.13   156.21     800    4454
Implementation results

For field sizes 3^n with n = 1, …, 1000: [timing plot not reproduced in this text]
