NON-CYCLIC SUBGROUPS OF JACOBIANS OF GENUS TWO CURVES WITH COMPLEX MULTIPLICATION 8 0 CHRISTIANROBENHAGENRAVNSHØJ 0 2 E an nAibanstarnad tK.obLliettzhabveeapnroevlleipdtti ha utrivfethdee(cid:28)ℓnthedrooovtesroaf(cid:28)unniittey(cid:28)µeℓldi.sBnoatla sµounℓbtraaimnead- J intheground(cid:28)eld,thena(cid:28)eldextensionoftheground(cid:28)eld ontains ifand ℓ E 8 onlyifthe -torsionpointsof arerationaloverthesame(cid:28)eldextension. We generalize thisresulttoJa obiansofgenustwo urveswith omplexmultipli- 1 ation. In parti ular, weshow that the Weil-and the Tate-pairing on su h a ] Ja obianarenon-degenerate overthesame(cid:28)eldextensionoftheground(cid:28)eld. G A . h 1. Introdu tion t a In [11℄, Koblitz des ribed how to use ellipti urves to onstru t a publi key m ryptosystem. To get a more general lass of urves, and possibly larger group [ orders, Koblitz [12℄ then proposed using Ja obians of hyperellipti urves. 1 In ellipti urve ryptography it is essential to know the number of points on v the urve. Cryptographi ally we are interested in ellipti urves with large y li 8 subgroups. Su h ellipti urves an be onstru ted. The onstru tion is based on 2 thetheoryof omplexmultipli ation,studiedindetailby[1℄. Itisreferredtoasthe 8 CM method. The CM method for onstru ting ellipti urves has been generalized 2 . togenustwo urvesby[22℄,ande(cid:30) ientalgorithmshavebeenproposedby[23℄and 1 K [9℄. Both algorithms take as input a primitive, quarti CM (cid:28)eld (see se tion 5), 0 C F p 8 and give as output a genus two urve de(cid:28)ned overa prime (cid:28)eld . 0 After Boneh and Franklin [3℄ proposed an identity based ryptosystem by us- : ing the Weil pairing on an ellipti urve, pairings have been of great interest to v i ryptography [7℄. The next natural step was to onsider pairings on Ja obians of X hyperellipti urves. Galbraith et al [8℄ survey the re ent resear h on pairings on r Ja obians of hyperellipti urves. a The pairing in question is usually the Weil- or the Tate-pairing; both pairings an be omputed with Miller's algorithm [14℄. The Tate-pairing an be omputed C moree(cid:30) ientlythantheWeil-pairing, f. [6℄. Let beasmooth urvede(cid:28)nedover F J C ℓ q C a(cid:28)nite(cid:28)eld , andlet betheJa obianof . Let beaprimenumberdividing F k q the number of -rational points on the Ja obian, and let be the multipli ative q ℓ JC(Fqk)[ℓ] orderof modulo . By [10℄, the Tate-pairingis non-degenerateon . By J [ℓ] J [ℓ] C C [21, Proposition8.1,p. 96℄,the Weil-pairingisnon-degenerateon . So if JC(Fqk) isnot ontainedin , thentheTatepairingisnon-degenerateoverapossible smaller (cid:28)eld extension than the Weil-pairing. For ellipti urves, in most ases relevantto ryptography,the Weil-pairingandtheTate-pairingarenon-degenerate 2000 Mathemati s Subje tClassi(cid:28) ation. Primary14H40;Se ondary 11G15,14Q05, 94A60. Key words and phrases. Ja obians,hyperellipti urves, embeddingdegree, omplexmultipli- ation, ryptography. Resear h supported inpartbyaPhDgrantfromCRYPTOMAThIC. 1 2 C.R.RAVNSHØJ E F p overthesame(cid:28)eld: let beanellipti urvede(cid:28)ned over , and onsideraprime ℓ F E p number dividing the number of -rational points on . Balasubramanian and Koblitz [2℄ proved that ℓ∤p−1 E[ℓ]⊆E(Fpk) ℓ|pk−1 (1) if , then if and only if . By Rubin and Silverberg [19℄, this result also holds for Ja obians of genus two ℓ ∤ p−1 urves in the following sense: if , then the Weil-pairing is non-degenerate U ×V U = J (F )[ℓ] V = ker(ϕ− p)∩J [ℓ] ϕ p C p C on , where , and is the -power J C Frobenius endomorphism on . ℓ∤p−1 E(Fpk)[ℓ] The result (1) an alsobe stated as: if , then is bi y li if and ℓ |pk−1 only if . In this paper, we show that in most ases, this result also holds forJa obiansof genus two urveswith omplex multipli ation. More pre isely, the following theorem is established. C F End(J )≃O p C K TheorKem 9. Consider a genus two urve de(cid:28)ned over withω pm , m where is a primitive, quarti CM (cid:28)eld ( f. se tion 5). Let be a -Weil J ℓ C number of the Ja obian . Let be an odd prime number dividing the number of F J ℓ K ℓ∤p ℓ ∤p−1 p p C -rational points on , and with unrami(cid:28)ed in , and . Let be k ℓ of multipli ative order modulo . Then the following holds. ωm2 6≡1 (mod ℓ) JC(Fpm)[ℓ] ℓ pm−1 (i) If , then is bi y li if and only if divides . JC(Fpk)[ℓ]×JC(Fpk)[ℓ] (ii) The Weil-pairing is non-degenerate on . FNotation and assumptions. In thisOpaper we only onsider smooth urFves. If F is an algebrai number (cid:28)eld, then denotes the ring of integers of , and F =F ∩R F 0 denotes the real sub(cid:28)eld of . 2. Genus two urves C ⊆ Pn A hyperellipti urve is a proje tive urve of genus at least two with a φ:C →P1 separable, degree two morphism . It is well known, that any genus two C urveishyperellipti . Throughoutthispaper,let bea urveofgenustwode(cid:28)ned F p q overa(cid:28)nite(cid:28)eld of hara teristi . BytheRiemann-Ro hTheoremthereexists ψ :C →P2 C a birational map , mapping to a urve given by an equation of the form y2+g(x)y =h(x), g,h∈F [x] deg(g)≤3 deg(h)≤6 q where are of degree and ; f. [4, hapter 1℄. P(C) C Thesetofprin ipaldivisors on onstitutesasubgroupofthedegreezero Div (C) J C 0 C divisors . The Ja obian of is de(cid:28)ned as the quotient J =Div (C)/P(C). C 0 ℓ 6= p ℓn J [ℓn] ⊆ J C C Let be aℓnprimeZn/uℓmnbZer. The -torsion subgroup of points of order dividing is a -module of rank four, i.e. J [ℓn]≃Z/ℓnZ×Z/ℓnZ×Z/ℓnZ×Z/ℓnZ; C f. [13, Theorem 6, p. 109℄. k q ℓ Themultipli ativeorder of modulo playsanimportantrolein ryptography, Fqk sin e the (redu ed) Tate-pairing is non-degenerate over ; f. [10℄. ℓ 6= p De(cid:28)nition 1 (Embedding degree). Consider a prime number dividing the F J J (F ) q C C q numberof -rationalpointsontheJa obian . Theembeddingdegreeof ℓ k qk ≡1 (mod ℓ) with respe t to is the least number , su h that . NON-CYCLIC SUBGROUPS OF JACOBIANS OF GENUS TWO CURVES WITH CM 3 Closely related to the embedding degree, we have the full embedding degree. ℓ 6= p De(cid:28)nition 2 (Full embedding degree). Consider a prime number dividing F J q C the number of -rational points on the Ja obian . The full embedding degree JC(Fq) ℓ κ JC[ℓ]⊆JC(Fqκ) of with respe t to is the least number , su h that . JC[ℓ]⊆JC(Fqκ) ℓ|qκ−1 Remark 3. If ,then ; f.[5,Corollary5.77,p.111℄. Hen e, the full embedding degree is a multiple of the embedding degree. Fqκ A priori, the Weil-pairing is only non-degenerate over . But in fa t, as we Fqk shall see, the Weil-pairing is also non-degenerate over . 3. The Weil- and the Tate-pairing F F x∈J (F)[ℓ] y = a P ∈J (F) Let beanalgebrai extensionof q. Let C and Pi i i C y¯∈J (F)/ℓJ (F) C C bedivisorswithdisjointsupports,andlet denotethedivisor lass y f ∈ F(C) C x ontaining thdeivd(ivfis)or= .ℓxFurtherfm(oyr)e,=let f(P )ai be a raetio(xn,ay¯l)fu=n ftio(ny)on with divisor x . Set x Qi i . Then ℓ x is a well-de(cid:28)ned pairing e :J (F)[ℓ]×J (F)/ℓJ (F)−→F×/(F×)ℓ, ℓ C C C |F×| it is alled the Tate-pairing; f. [7℄. µRa⊆isinF¯g the reℓstuhlt to the power ℓ gives a ℓ well-de(cid:28)ned element in the subgroup of the roots of unity. This pairing eˆ :J (F)[ℓ]×J (F)/ℓJ (F)−→µ ℓ C C C ℓ F ℓth is alled the redu ed Tate-pairing. If the (cid:28)eld is (cid:28)nite and ontains the roots of unity, then the Tate-pairing is bilinear and non-degenerate; f. [10℄. x,y ∈J [ℓ] C Now let be divisors with disjoint support. The Weil-pairing e :J [ℓ]×J [ℓ]→µ ℓ C C ℓ e (x,y) = eˆℓ(x,y¯) is then de(cid:28)ned by ℓ eˆℓ(y,x¯). The Weil-pairing is bilinear, anti-symmetri J [ℓ]×J [ℓ] C C and non-degenerate on ; f. [15℄. 4. Matrix representation of the endomorphism ring ψ : J → J ψ¯ : J [ℓ] → J [ℓ] C C C C An endomorphism indu es a linear map by ψ M ∈ Mat (Z/ℓZ) J [ℓ] 4 C restri tion. Hen e, is represented by a matrix on . Let f ∈ Z[X] ψ f¯∈(Z/ℓZ)b[Xe]the hara teristi polynomial of ψ(¯see [13,fpp. 109(cid:21)110℄), and let bethe hara teristi polynomialof . Then isamoni polynomial of degree four, and by [13, Theorem 3, p. 186℄, f(X)≡f¯(X) (mod ℓ). C F (x,y) 7→ (xq,yq) C q Sin e is de(cid:28)ned over , the mapping is a morphism on . q ϕ J C Thismorphismindu esthe -powerFrobeniusendomorphism ontheJa obian . P(X) ϕ P(X) Let bethe hara teristi polynomialof . is alledtheWeil polynomial J C of , and |J (F )|=P(1) C q P(X) F q by the de(cid:28)nition of (see [13, pp. 109(cid:21)110℄); i.e. the number of -rational P(1) points on the Ja obian is . 4 C.R.RAVNSHØJ P (X) m De(cid:28)nition 4 (Weilnumbeqrm). Letnotationbeasabove. Let ϕ bJethe hara - m C teristi polynomial of the -powerFrobenius endomorphism on . Consider ω ∈ C P (ω ) = 0 P (X) m m m m a number with . If is redu ible, assume furthermore ω ϕ P (X) ϕ m m m m that ω and areroωotsofqmthesameirredu iblJefa torof . Weidentify m m C with , and we all a -Weil number of . qm RPem(Xar)k 5. A -Weil number is noJt ne essarilyqumniquely determined. In general, m C is irredu ible, in whi h ase has four -Weil numbers. P (X) P (X) = f(X)g(X) f,g ∈ Z[X] m m Assume is redu ible. Write , where are P (ϕ ) = 0 f(ϕ ) = 0 g(ϕ ) = 0 m m m m of degree at least one. Sin e , either or ; if not, f(ϕ ) g(ϕ ) J m m C thenqemither or has in(cid:28)nite kernel, i.e. is not an endomorphism of . So a -Weil number is well-de(cid:28)ned. 5. CM fields E Z6=End(E) K An ellipti urve with issaidtohave omplex muOltipli Kation. Let K be an imaEgninda(rEy), q≃uOadrati numEber (cid:28)eld with ring of intOegers . is a CM K K (cid:28)eld, and if , then is said to have CM by . More generally a CM (cid:28)eld is de(cid:28)ned as follows. K K De(cid:28)nition6(CM(cid:28)eld). Anumber(cid:28)eld isaCM(cid:28)eld,if isatotallyimaginary, K 0 quadrati extension of a totally real number (cid:28)eld . [K : Q] = 4 In this paper only CM (cid:28)elds of degree are onsidered. Su h a (cid:28)eld is alledCa quarti CM (cid:28)eld. C O End(J )≃O K C K Let be a genus two urve. We say that has CM by , if . K J C The stru ture of determines whether is simple, i.e. does not ontains an {O} abeliansubvarietyotherthan anditself. Morepre isely, thefollowingtheorem holds. C End(J ) ≃ O K C K Theorem 7. Let be a genus two urve with , where is a J K/Q C quarti CM (cid:28)eld. Then is simple if and only if is Galois with Galois group Gal(K/Q)≃Z/2Z×Z/2Z . (cid:3) Proof. [20, proposition 26, p. 61℄. Theorem 7 motivates the following de(cid:28)nition. K De(cid:28)nition 8 (Primitive, quarti CM (cid:28)eld). A quarti CM (cid:28)eld is alled primi- K/Q K/Q tive if either is not Galois, or is Galois with y li Galois group. J C 6. Non- y li subgroups of K Let be a primitive, quarti CCM (cid:28)eldE.ndB(yJ t)he≃COM method (see [23, 9℄), we C K an onstru t a genus two urve with . The following theorem on erns su h a urve. NON-CYCLIC SUBGROUPS OF JACOBIANS OF GENUS TWO CURVES WITH CM 5 C F End(J )≃O p C K TheorKem 9. Consider a genus two urve de(cid:28)nωed over pmwith , m where is a primitive, quarti CM (cid:28)eld. Let be a -Weil number of the J ℓ F C p Ja obian . Let be an odd prime number dividing the number of -rational J ℓ K ℓ∤p ℓ∤p−1 p C pointson ,andwith unrami(cid:28)edin , and . Let beofmultipli ative k ℓ order modulo . Then the following holds. ωm2 6≡1 (mod ℓ) JC(Fpm)[ℓ] ℓ pm−1 (i) If , then is bi y li if and only if divides . JC(Fpk)[ℓ]×JC(Fpk)[ℓ] (ii) The Weil-pairing is non-degenerate on . P¯ ∈ (Z/ℓZ)[X] m In the following, let be the hara teristi polynomial of the ϕ J [ℓ] m C restri tion of to . The proof of Theorem 9 uses a number of lemmas. ı : O → K ELenmd(Jma) 10. Let notation and assumptions be asαin∈TOheoremk9e.r[ℓL]e⊆t ker(ı(α)n) C K be an isomorphism. Consider a number . If n∈N ker[ℓ]⊆ker(ı(α)) for some number , then . ker[ℓ]⊆ker(ı(α)n) ı(α)n =ℓβ˜ βP˜r∈ooEf.nSdi(nJ e) , it followsthat forβs˜o=meı(eαn)dno=moır(pβh)ism C ; βsee∈eO.g. [16, Remaαrkn 7=.12ℓβ, p∈. 3ℓ7O℄. Noti e thℓat ℓ Kfor K K some numbeαr ∈ℓO . Hkeenr [ℓe],⊆ker(ı(α)) . Sin e is unrami(cid:28)ed in , (cid:3)it K follows that . So . ω 6≡1 (mod ℓ) m Lemma11. LetnotationandassumptionsbeasinTheorem9. If , JC(Fpm)[ℓ] Z/ℓZ then is of rank at most two as a -module. ℓ | |J (F )| 1 P¯ 1 P¯ C p m m Proof. Sin eν , is a Pr¯oot of . Assu(mαe,ptmh/aαt) is aprmoot of of m Pm¯ultipli ity . Sin νe the roots of o ur in pairs , also is a root of m ofJCm(uFlqtmip)l[iℓ ]ity . Z/ℓZ ℓ qm −1 If is of rank three as a -module, then divides by [5, B J [ℓ] B ϕ C m Proposition 5.78, p. 111℄. Choose a basis of . With respe t to , is represented by a matrix of the form 1 0 0 m 1   0 1 0 m M = 2 . 0 0 1 m3   0 0 0 m4 m = detM ≡ degϕ = p2m ≡ 1 (mod ℓ) P¯ (X) = (X −1)4 ℓ 4 m m Now, , so . Sin e K ω ≡ 1 (mod ℓ) m is unrami(cid:28)ed in JC,(iFtpfmol)l[oℓw] s that ; fZ./ℓLZemma 10. This is(cid:3)a ontradi tion. So is of rank at most two as a -module. ω2 6≡1 (mod ℓ) m Lemma12. LetnotationandassumptionsbeasinTheorem9. If , P(X) then is irredu ible. J P (X) C m PPro(oXf.)T=hef(JXa )oebian issimplebey∈TZheorem7. Assume isredu ibfle∈. TZh[Xen] m for some integer and some irredu ible polynomial e ∈ {2,4} ω ∈/ R Q(ω ) ⊂ K m m by [17, Theorem 8, p. 58℄. Noti e that . If , then is K K Q(ω ) 0 m an imGaagli(nKa/ryQ,)quadrati number (cid:28)eld and is the ompoωsitio∈nRof anωd2 = pm, m m i.e.ω ∈ Q isfb(iX y) l≡i .XT−hi1s i(smaod oℓn)tradi tionP.¯ S(o1) = 0 , i.e. ω ≡ 1. m m m (Ifmod ℓ) , then ω ∈/bQe aeu=se2 f(X).=BXut2−thpenm m P¯ (X) .=T(hXis2i−s apm o)n2tradi tioPn¯. S(1o) = 0 , and ω2 = pm ≡ 1 (.mHoedn ℓe), m m m . SinP e (X) , it follows that (cid:3). m This is a ontradi tion. So is irredu ible. 6 C.R.RAVNSHØJ JC(Fpm)[ℓ] pm 6≡ 1 (mod ℓ) P1roof of TheorP¯em 9. Assume that P¯ (iXs)bi= y( Xli .−I1f)2(X −pm)2 P(,Xth)en m m is a root of of multipli ity two, i.e. . is ℓ irredu ibleKby Lemma 12. Hen e, by [18,pPmro≡po1sit(imonod8.ℓ3), p. 47ℓ℄|iptmfo−llo1ws that rami(cid:28)es in . This is a oℓnt|rpamdi −tio1n. So , i.e. . On the other hand, if , then the Tate pairing is non-degenerate on JC(Fpm)[ℓ] JC(Fpm)[ℓ] Z/ℓZ . So must be of rank at least two as a -module, sin e ℓ ∤ p−1 JC(Fpm)[ℓ] . Hen e, is bi y li by Lemma 11. The proof of Theorem 9, part (i) is established. m = k ωk ≡ 1 (mod ℓ) JC[ℓ] = JC(Fpk)[ℓ] Now let . If , then , and (ii) follows. ω 6≡1 (mod ℓ) U =J (F )[ℓ] V =ker(ϕ−p)∩J [ℓ] k C p C Assumethat . Let and ,where ϕ p JC V =JC(Fpk)[ℓ]\JC(Fp)[ℓ] is the -powerFrobenius endomorphismon . Then by Lemma 11, and JC(Fpk)[ℓ]≃U ⊕V ≃Z/ℓZ×Z/ℓZ. eW U×V x∈JC(Fpk)[ℓ] By[19℄,theWeil-pairing isnon-degenerateon . Nowlet be Fpk ℓ x=xU +xV xU ∈U an arbitrary -rational point of order . Write , where and x ∈ V y ∈ V z ∈ U e (x ,y) 6= 1 e (x ,z) 6= 1 V W U W V . Choose and , su h that and . e (x ,y)·e (x ,z)6= 1 z 2z W U W V We may assume that ; if not, repla e by . Sin e the e (x ,z)=e (x ,y)=1 W U W V Weil-pairing is anti-symmetri , . Hen e, e (x,y+z)=e (x ,y)·e (x ,z)6=1. W W U W V (cid:3) Referen es [1℄ A.O.L. Atkin and F. Morain. Ellipti urves and primality proving. Math. Comp., 61:29(cid:21)68,1993. [2℄ R. Balasubramanian and N. Koblitz. The improbability that an ellipti urve hassubexponential dis rete logproblemunder the menezes-okamoto-vanstone algorithm. J. Cryptology, 11:141(cid:21)145,1998. [3℄ D. Boneh and M. Franklin. Identity-based en ryption from the weil pairing. SIAM J. Computing, 32(3):586(cid:21)615,2003. [4℄ J.W.S. Cassels and E.V. Flynn. Prolegomena to a Middlebrow Arithmeti 2 of Curves of Genus . London Mathemati al So iety Le ture Note Series. Cambridge University Press, 1996. [5℄ G. Frey and T. Lange. Varieties over spe ial (cid:28)elds. In H. Cohen and G. Frey, editors, Handbook of Ellipti and Hyperellipti Curve Cryptography, pages87(cid:21) 113. Chapman & Hall/CRC, 2006. [6℄ S.D. Galbraith. Supersingular urves in ryptography. In Advan es in Cryp- tology (cid:21) Asia rypt 2001, volume 2248 of Le ture Notes in Computer S ien e, pages 495(cid:21)513.Springer, 2001. [7℄ S.D. Galbraith. Pairings. In I.F. Blake, G. Seroussi, and N.P. Smart, editors, Advan es in Ellipti Curve Cryptography, volume317ofLondon Mathemati al So iety Le tureNoteSeries,pages183(cid:21)213.CambridgeUniversityPress,2005. [8℄ S.D.Galbraith,F.Hess,andF.Ver auteren. Hyperellipti pairings. InPairing 2007, Le ture Notes in Computer S ien e, pages 108(cid:21)131.Springer, 2007. p [9℄ P.Gaudry,T.Houtmann,D.Kohel,C.Ritzenthaler,andA.Weng. The -adi m-method for genus 2, 2005. [10℄ F. Hess. A note on the tate pairing of urves over (cid:28)nite (cid:28)elds. Ar h. Math., 82:28(cid:21)32, 2004. NON-CYCLIC SUBGROUPS OF JACOBIANS OF GENUS TWO CURVES WITH CM 7 [11℄ N. Koblitz. Ellipti urve ryptosystems. Math. Comp., 48:203(cid:21)209,1987. [12℄ N. Koblitz. Hyperellipti ryptosystems. J. Cryptology, 1:139(cid:21)150,1989. [13℄ S. Lang. Abelian Varieties. Inters ien e, 1959. [14℄ V.S. Miller. Short programsfor fun tions on urves, 1986. Unpublished man- us ript, available at http:// rypto.stanford.edu/miller/miller.pdf. [15℄ V.S. Miller. The weil pairing, and its e(cid:30) ient al ulation. J. Cryptology, 17:235(cid:21)261,2004. [16℄ J.S. Milne. Abelian varieties, 1998. Available at http://www.jmilne.org. [17℄ J.S. Milne and W.C. Waterhouse. Abelian varieties over (cid:28)nite (cid:28)elds. Pro . Symp. Pure Math., 20:53(cid:21)64,1971. [18℄ J. Neukir h. Algebrai Number Theory. Springer, 1999. [19℄ K. Rubin and A. Silverberg. Using abelian varieties to im- prove pairing-based ryptography, 2007. Preprint, available at http://www.math.u i.edu/~asilverb/bibliography/. [20℄ G.Shimura. Abelian VarietieswithComplex Multipli ation andModularFun - tions. Prin eton University Press, 1998. [21℄ J.H. Silverman. The Arithmeti of Ellipti Curves. Springer, 1986. 2 [22℄ A.-M. Spallek. Kurven vom Ges hle ht und ihre Anwendung in Publi -Key- Kryptosystemen. PhDthesis,InstitutfürExperimentelleMathematik,Univer- sität GH Essen, 1994. [23℄ A. Weng. Constru ting hyperellipti urves of genus 2 suitable for ryptogra- phy. Math. Comp., 72:435(cid:21)458,2003. Department of Mathemati al S ien es, University of Aarhus, Ny Munkegade, Building1530, DK-8000 Aarhus C E-mail address: rimf.au.dk

