ebook img

Non-Cyclic Subgroups of Jacobians of Genus Two Curves with Complex Multiplication PDF

0.21 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Non-Cyclic Subgroups of Jacobians of Genus Two Curves with Complex Multiplication

NON-CYCLIC SUBGROUPS OF JACOBIANS OF GENUS TWO CURVES WITH COMPLEX MULTIPLICATION 8 0 CHRISTIANROBENHAGENRAVNSHØJ 0 2 E an nAibanstarnad tK.obLliettzhabveeapnroevlleipdtti ha utrivfethdee(cid:28)ℓnthedrooovtesroaf(cid:28)unniittey(cid:28)µeℓldi.sBnoatla sµounℓbtraaimnead- J intheground(cid:28)eld,thena(cid:28)eldextensionoftheground(cid:28)eld ontains ifand ℓ E 8 onlyifthe -torsionpointsof arerationaloverthesame(cid:28)eldextension. We generalize thisresulttoJa obiansofgenustwo urveswith omplexmultipli- 1 ation. In parti ular, weshow that the Weil-and the Tate-pairing on su h a ] Ja obianarenon-degenerate overthesame(cid:28)eldextensionoftheground(cid:28)eld. G A . h 1. Introdu tion t a In [11℄, Koblitz des ribed how to use ellipti urves to onstru t a publi key m ryptosystem. To get a more general lass of urves, and possibly larger group [ orders, Koblitz [12℄ then proposed using Ja obians of hyperellipti urves. 1 In ellipti urve ryptography it is essential to know the number of points on v the urve. Cryptographi ally we are interested in ellipti urves with large y li 8 subgroups. Su h ellipti urves an be onstru ted. The onstru tion is based on 2 thetheoryof omplexmultipli ation,studiedindetailby[1℄. Itisreferredtoasthe 8 CM method. The CM method for onstru ting ellipti urves has been generalized 2 . togenustwo urvesby[22℄,ande(cid:30) ientalgorithmshavebeenproposedby[23℄and 1 K [9℄. Both algorithms take as input a primitive, quarti CM (cid:28)eld (see se tion 5), 0 C F p 8 and give as output a genus two urve de(cid:28)ned overa prime (cid:28)eld . 0 After Boneh and Franklin [3℄ proposed an identity based ryptosystem by us- : ing the Weil pairing on an ellipti urve, pairings have been of great interest to v i ryptography [7℄. The next natural step was to onsider pairings on Ja obians of X hyperellipti urves. Galbraith et al [8℄ survey the re ent resear h on pairings on r Ja obians of hyperellipti urves. a The pairing in question is usually the Weil- or the Tate-pairing; both pairings an be omputed with Miller's algorithm [14℄. The Tate-pairing an be omputed C moree(cid:30) ientlythantheWeil-pairing, f. [6℄. Let beasmooth urvede(cid:28)nedover F J C ℓ q C a(cid:28)nite(cid:28)eld , andlet betheJa obianof . Let beaprimenumberdividing F k q the number of -rational points on the Ja obian, and let be the multipli ative q ℓ JC(Fqk)[ℓ] orderof modulo . By [10℄, the Tate-pairingis non-degenerateon . By J [ℓ] J [ℓ] C C [21, Proposition8.1,p. 96℄,the Weil-pairingisnon-degenerateon . So if JC(Fqk) isnot ontainedin , thentheTatepairingisnon-degenerateoverapossible smaller (cid:28)eld extension than the Weil-pairing. For ellipti urves, in most ases relevantto ryptography,the Weil-pairingandtheTate-pairingarenon-degenerate 2000 Mathemati s Subje tClassi(cid:28) ation. Primary14H40;Se ondary 11G15,14Q05, 94A60. Key words and phrases. Ja obians,hyperellipti urves, embeddingdegree, omplexmultipli- ation, ryptography. Resear h supported inpartbyaPhDgrantfromCRYPTOMAThIC. 1 2 C.R.RAVNSHØJ E F p overthesame(cid:28)eld: let beanellipti urvede(cid:28)ned over , and onsideraprime ℓ F E p number dividing the number of -rational points on . Balasubramanian and Koblitz [2℄ proved that ℓ∤p−1 E[ℓ]⊆E(Fpk) ℓ|pk−1 (1) if , then if and only if . By Rubin and Silverberg [19℄, this result also holds for Ja obians of genus two ℓ ∤ p−1 urves in the following sense: if , then the Weil-pairing is non-degenerate U ×V U = J (F )[ℓ] V = ker(ϕ− p)∩J [ℓ] ϕ p C p C on , where , and is the -power J C Frobenius endomorphism on . ℓ∤p−1 E(Fpk)[ℓ] The result (1) an alsobe stated as: if , then is bi y li if and ℓ |pk−1 only if . In this paper, we show that in most ases, this result also holds forJa obiansof genus two urveswith omplex multipli ation. More pre isely, the following theorem is established. C F End(J )≃O p C K TheorKem 9. Consider a genus two urve de(cid:28)ned over withω pm , m where is a primitive, quarti CM (cid:28)eld ( f. se tion 5). Let be a -Weil J ℓ C number of the Ja obian . Let be an odd prime number dividing the number of F J ℓ K ℓ∤p ℓ ∤p−1 p p C -rational points on , and with unrami(cid:28)ed in , and . Let be k ℓ of multipli ative order modulo . Then the following holds. ωm2 6≡1 (mod ℓ) JC(Fpm)[ℓ] ℓ pm−1 (i) If , then is bi y li if and only if divides . JC(Fpk)[ℓ]×JC(Fpk)[ℓ] (ii) The Weil-pairing is non-degenerate on . FNotation and assumptions. In thisOpaper we only onsider smooth urFves. If F is an algebrai number (cid:28)eld, then denotes the ring of integers of , and F =F ∩R F 0 denotes the real sub(cid:28)eld of . 2. Genus two urves C ⊆ Pn A hyperellipti urve is a proje tive urve of genus at least two with a φ:C →P1 separable, degree two morphism . It is well known, that any genus two C urveishyperellipti . Throughoutthispaper,let bea urveofgenustwode(cid:28)ned F p q overa(cid:28)nite(cid:28)eld of hara teristi . BytheRiemann-Ro hTheoremthereexists ψ :C →P2 C a birational map , mapping to a urve given by an equation of the form y2+g(x)y =h(x), g,h∈F [x] deg(g)≤3 deg(h)≤6 q where are of degree and ; f. [4, hapter 1℄. P(C) C Thesetofprin ipaldivisors on onstitutesasubgroupofthedegreezero Div (C) J C 0 C divisors . The Ja obian of is de(cid:28)ned as the quotient J =Div (C)/P(C). C 0 ℓ 6= p ℓn J [ℓn] ⊆ J C C Let be aℓnprimeZn/uℓmnbZer. The -torsion subgroup of points of order dividing is a -module of rank four, i.e. J [ℓn]≃Z/ℓnZ×Z/ℓnZ×Z/ℓnZ×Z/ℓnZ; C f. [13, Theorem 6, p. 109℄. k q ℓ Themultipli ativeorder of modulo playsanimportantrolein ryptography, Fqk sin e the (redu ed) Tate-pairing is non-degenerate over ; f. [10℄. ℓ 6= p De(cid:28)nition 1 (Embedding degree). Consider a prime number dividing the F J J (F ) q C C q numberof -rationalpointsontheJa obian . Theembeddingdegreeof ℓ k qk ≡1 (mod ℓ) with respe t to is the least number , su h that . NON-CYCLIC SUBGROUPS OF JACOBIANS OF GENUS TWO CURVES WITH CM 3 Closely related to the embedding degree, we have the full embedding degree. ℓ 6= p De(cid:28)nition 2 (Full embedding degree). Consider a prime number dividing F J q C the number of -rational points on the Ja obian . The full embedding degree JC(Fq) ℓ κ JC[ℓ]⊆JC(Fqκ) of with respe t to is the least number , su h that . JC[ℓ]⊆JC(Fqκ) ℓ|qκ−1 Remark 3. If ,then ; f.[5,Corollary5.77,p.111℄. Hen e, the full embedding degree is a multiple of the embedding degree. Fqκ A priori, the Weil-pairing is only non-degenerate over . But in fa t, as we Fqk shall see, the Weil-pairing is also non-degenerate over . 3. The Weil- and the Tate-pairing F F x∈J (F)[ℓ] y = a P ∈J (F) Let beanalgebrai extensionof q. Let C and Pi i i C y¯∈J (F)/ℓJ (F) C C bedivisorswithdisjointsupports,andlet denotethedivisor lass y f ∈ F(C) C x ontaining thdeivd(ivfis)or= .ℓxFurtherfm(oyr)e,=let f(P )ai be a raetio(xn,ay¯l)fu=n ftio(ny)on with divisor x . Set x Qi i . Then ℓ x is a well-de(cid:28)ned pairing e :J (F)[ℓ]×J (F)/ℓJ (F)−→F×/(F×)ℓ, ℓ C C C |F×| it is alled the Tate-pairing; f. [7℄. µRa⊆isinF¯g the reℓstuhlt to the power ℓ gives a ℓ well-de(cid:28)ned element in the subgroup of the roots of unity. This pairing eˆ :J (F)[ℓ]×J (F)/ℓJ (F)−→µ ℓ C C C ℓ F ℓth is alled the redu ed Tate-pairing. If the (cid:28)eld is (cid:28)nite and ontains the roots of unity, then the Tate-pairing is bilinear and non-degenerate; f. [10℄. x,y ∈J [ℓ] C Now let be divisors with disjoint support. The Weil-pairing e :J [ℓ]×J [ℓ]→µ ℓ C C ℓ e (x,y) = eˆℓ(x,y¯) is then de(cid:28)ned by ℓ eˆℓ(y,x¯). The Weil-pairing is bilinear, anti-symmetri J [ℓ]×J [ℓ] C C and non-degenerate on ; f. [15℄. 4. Matrix representation of the endomorphism ring ψ : J → J ψ¯ : J [ℓ] → J [ℓ] C C C C An endomorphism indu es a linear map by ψ M ∈ Mat (Z/ℓZ) J [ℓ] 4 C restri tion. Hen e, is represented by a matrix on . Let f ∈ Z[X] ψ f¯∈(Z/ℓZ)b[Xe]the hara teristi polynomial of ψ(¯see [13,fpp. 109(cid:21)110℄), and let bethe hara teristi polynomialof . Then isamoni polynomial of degree four, and by [13, Theorem 3, p. 186℄, f(X)≡f¯(X) (mod ℓ). C F (x,y) 7→ (xq,yq) C q Sin e is de(cid:28)ned over , the mapping is a morphism on . q ϕ J C Thismorphismindu esthe -powerFrobeniusendomorphism ontheJa obian . P(X) ϕ P(X) Let bethe hara teristi polynomialof . is alledtheWeil polynomial J C of , and |J (F )|=P(1) C q P(X) F q by the de(cid:28)nition of (see [13, pp. 109(cid:21)110℄); i.e. the number of -rational P(1) points on the Ja obian is . 4 C.R.RAVNSHØJ P (X) m De(cid:28)nition 4 (Weilnumbeqrm). Letnotationbeasabove. Let ϕ bJethe hara - m C teristi polynomial of the -powerFrobenius endomorphism on . Consider ω ∈ C P (ω ) = 0 P (X) m m m m a number with . If is redu ible, assume furthermore ω ϕ P (X) ϕ m m m m that ω and areroωotsofqmthesameirredu iblJefa torof . Weidentify m m C with , and we all a -Weil number of . qm RPem(Xar)k 5. A -Weil number is noJt ne essarilyqumniquely determined. In general, m C is irredu ible, in whi h ase has four -Weil numbers. P (X) P (X) = f(X)g(X) f,g ∈ Z[X] m m Assume is redu ible. Write , where are P (ϕ ) = 0 f(ϕ ) = 0 g(ϕ ) = 0 m m m m of degree at least one. Sin e , either or ; if not, f(ϕ ) g(ϕ ) J m m C thenqemither or has in(cid:28)nite kernel, i.e. is not an endomorphism of . So a -Weil number is well-de(cid:28)ned. 5. CM fields E Z6=End(E) K An ellipti urve with issaidtohave omplex muOltipli Kation. Let K be an imaEgninda(rEy), q≃uOadrati numEber (cid:28)eld with ring of intOegers . is a CM K K (cid:28)eld, and if , then is said to have CM by . More generally a CM (cid:28)eld is de(cid:28)ned as follows. K K De(cid:28)nition6(CM(cid:28)eld). Anumber(cid:28)eld isaCM(cid:28)eld,if isatotallyimaginary, K 0 quadrati extension of a totally real number (cid:28)eld . [K : Q] = 4 In this paper only CM (cid:28)elds of degree are onsidered. Su h a (cid:28)eld is alledCa quarti CM (cid:28)eld. C O End(J )≃O K C K Let be a genus two urve. We say that has CM by , if . K J C The stru ture of determines whether is simple, i.e. does not ontains an {O} abeliansubvarietyotherthan anditself. Morepre isely, thefollowingtheorem holds. C End(J ) ≃ O K C K Theorem 7. Let be a genus two urve with , where is a J K/Q C quarti CM (cid:28)eld. Then is simple if and only if is Galois with Galois group Gal(K/Q)≃Z/2Z×Z/2Z . (cid:3) Proof. [20, proposition 26, p. 61℄. Theorem 7 motivates the following de(cid:28)nition. K De(cid:28)nition 8 (Primitive, quarti CM (cid:28)eld). A quarti CM (cid:28)eld is alled primi- K/Q K/Q tive if either is not Galois, or is Galois with y li Galois group. J C 6. Non- y li subgroups of K Let be a primitive, quarti CCM (cid:28)eldE.ndB(yJ t)he≃COM method (see [23, 9℄), we C K an onstru t a genus two urve with . The following theorem on erns su h a urve. NON-CYCLIC SUBGROUPS OF JACOBIANS OF GENUS TWO CURVES WITH CM 5 C F End(J )≃O p C K TheorKem 9. Consider a genus two urve de(cid:28)nωed over pmwith , m where is a primitive, quarti CM (cid:28)eld. Let be a -Weil number of the J ℓ F C p Ja obian . Let be an odd prime number dividing the number of -rational J ℓ K ℓ∤p ℓ∤p−1 p C pointson ,andwith unrami(cid:28)edin , and . Let beofmultipli ative k ℓ order modulo . Then the following holds. ωm2 6≡1 (mod ℓ) JC(Fpm)[ℓ] ℓ pm−1 (i) If , then is bi y li if and only if divides . JC(Fpk)[ℓ]×JC(Fpk)[ℓ] (ii) The Weil-pairing is non-degenerate on . P¯ ∈ (Z/ℓZ)[X] m In the following, let be the hara teristi polynomial of the ϕ J [ℓ] m C restri tion of to . The proof of Theorem 9 uses a number of lemmas. ı : O → K ELenmd(Jma) 10. Let notation and assumptions be asαin∈TOheoremk9e.r[ℓL]e⊆t ker(ı(α)n) C K be an isomorphism. Consider a number . If n∈N ker[ℓ]⊆ker(ı(α)) for some number , then . ker[ℓ]⊆ker(ı(α)n) ı(α)n =ℓβ˜ βP˜r∈ooEf.nSdi(nJ e) , it followsthat forβs˜o=meı(eαn)dno=moır(pβh)ism C ; βsee∈eO.g. [16, Remaαrkn 7=.12ℓβ, p∈. 3ℓ7O℄. Noti e thℓat ℓ Kfor K K some numbeαr ∈ℓO . Hkeenr [ℓe],⊆ker(ı(α)) . Sin e is unrami(cid:28)ed in , (cid:3)it K follows that . So . ω 6≡1 (mod ℓ) m Lemma11. LetnotationandassumptionsbeasinTheorem9. If , JC(Fpm)[ℓ] Z/ℓZ then is of rank at most two as a -module. ℓ | |J (F )| 1 P¯ 1 P¯ C p m m Proof. Sin eν , is a Pr¯oot of . Assu(mαe,ptmh/aαt) is aprmoot of of m Pm¯ultipli ity . Sin νe the roots of o ur in pairs , also is a root of m ofJCm(uFlqtmip)l[iℓ ]ity . Z/ℓZ ℓ qm −1 If is of rank three as a -module, then divides by [5, B J [ℓ] B ϕ C m Proposition 5.78, p. 111℄. Choose a basis of . With respe t to , is represented by a matrix of the form 1 0 0 m 1   0 1 0 m M = 2 . 0 0 1 m3   0 0 0 m4 m = detM ≡ degϕ = p2m ≡ 1 (mod ℓ) P¯ (X) = (X −1)4 ℓ 4 m m Now, , so . Sin e K ω ≡ 1 (mod ℓ) m is unrami(cid:28)ed in JC,(iFtpfmol)l[oℓw] s that ; fZ./ℓLZemma 10. This is(cid:3)a ontradi tion. So is of rank at most two as a -module. ω2 6≡1 (mod ℓ) m Lemma12. LetnotationandassumptionsbeasinTheorem9. If , P(X) then is irredu ible. J P (X) C m PPro(oXf.)T=hef(JXa )oebian issimplebey∈TZheorem7. Assume isredu ibfle∈. TZh[Xen] m for some integer and some irredu ible polynomial e ∈ {2,4} ω ∈/ R Q(ω ) ⊂ K m m by [17, Theorem 8, p. 58℄. Noti e that . If , then is K K Q(ω ) 0 m an imGaagli(nKa/ryQ,)quadrati number (cid:28)eld and is the ompoωsitio∈nRof anωd2 = pm, m m i.e.ω ∈ Q isfb(iX y) l≡i .XT−hi1s i(smaod oℓn)tradi tionP.¯ S(o1) = 0 , i.e. ω ≡ 1. m m m (Ifmod ℓ) , then ω ∈/bQe aeu=se2 f(X).=BXut2−thpenm m P¯ (X) .=T(hXis2i−s apm o)n2tradi tioPn¯. S(1o) = 0 , and ω2 = pm ≡ 1 (.mHoedn ℓe), m m m . SinP e (X) , it follows that (cid:3). m This is a ontradi tion. So is irredu ible. 6 C.R.RAVNSHØJ JC(Fpm)[ℓ] pm 6≡ 1 (mod ℓ) P1roof of TheorP¯em 9. Assume that P¯ (iXs)bi= y( Xli .−I1f)2(X −pm)2 P(,Xth)en m m is a root of of multipli ity two, i.e. . is ℓ irredu ibleKby Lemma 12. Hen e, by [18,pPmro≡po1sit(imonod8.ℓ3), p. 47ℓ℄|iptmfo−llo1ws that rami(cid:28)es in . This is a oℓnt|rpamdi −tio1n. So , i.e. . On the other hand, if , then the Tate pairing is non-degenerate on JC(Fpm)[ℓ] JC(Fpm)[ℓ] Z/ℓZ . So must be of rank at least two as a -module, sin e ℓ ∤ p−1 JC(Fpm)[ℓ] . Hen e, is bi y li by Lemma 11. The proof of Theorem 9, part (i) is established. m = k ωk ≡ 1 (mod ℓ) JC[ℓ] = JC(Fpk)[ℓ] Now let . If , then , and (ii) follows. ω 6≡1 (mod ℓ) U =J (F )[ℓ] V =ker(ϕ−p)∩J [ℓ] k C p C Assumethat . Let and ,where ϕ p JC V =JC(Fpk)[ℓ]\JC(Fp)[ℓ] is the -powerFrobenius endomorphismon . Then by Lemma 11, and JC(Fpk)[ℓ]≃U ⊕V ≃Z/ℓZ×Z/ℓZ. eW U×V x∈JC(Fpk)[ℓ] By[19℄,theWeil-pairing isnon-degenerateon . Nowlet be Fpk ℓ x=xU +xV xU ∈U an arbitrary -rational point of order . Write , where and x ∈ V y ∈ V z ∈ U e (x ,y) 6= 1 e (x ,z) 6= 1 V W U W V . Choose and , su h that and . e (x ,y)·e (x ,z)6= 1 z 2z W U W V We may assume that ; if not, repla e by . Sin e the e (x ,z)=e (x ,y)=1 W U W V Weil-pairing is anti-symmetri , . Hen e, e (x,y+z)=e (x ,y)·e (x ,z)6=1. W W U W V (cid:3) Referen es [1℄ A.O.L. Atkin and F. Morain. Ellipti urves and primality proving. Math. Comp., 61:29(cid:21)68,1993. [2℄ R. Balasubramanian and N. Koblitz. The improbability that an ellipti urve hassubexponential dis rete logproblemunder the menezes-okamoto-vanstone algorithm. J. Cryptology, 11:141(cid:21)145,1998. [3℄ D. Boneh and M. Franklin. Identity-based en ryption from the weil pairing. SIAM J. Computing, 32(3):586(cid:21)615,2003. [4℄ J.W.S. Cassels and E.V. Flynn. Prolegomena to a Middlebrow Arithmeti 2 of Curves of Genus . London Mathemati al So iety Le ture Note Series. Cambridge University Press, 1996. [5℄ G. Frey and T. Lange. Varieties over spe ial (cid:28)elds. In H. Cohen and G. Frey, editors, Handbook of Ellipti and Hyperellipti Curve Cryptography, pages87(cid:21) 113. Chapman & Hall/CRC, 2006. [6℄ S.D. Galbraith. Supersingular urves in ryptography. In Advan es in Cryp- tology (cid:21) Asia rypt 2001, volume 2248 of Le ture Notes in Computer S ien e, pages 495(cid:21)513.Springer, 2001. [7℄ S.D. Galbraith. Pairings. In I.F. Blake, G. Seroussi, and N.P. Smart, editors, Advan es in Ellipti Curve Cryptography, volume317ofLondon Mathemati al So iety Le tureNoteSeries,pages183(cid:21)213.CambridgeUniversityPress,2005. [8℄ S.D.Galbraith,F.Hess,andF.Ver auteren. Hyperellipti pairings. InPairing 2007, Le ture Notes in Computer S ien e, pages 108(cid:21)131.Springer, 2007. p [9℄ P.Gaudry,T.Houtmann,D.Kohel,C.Ritzenthaler,andA.Weng. The -adi m-method for genus 2, 2005. [10℄ F. Hess. A note on the tate pairing of urves over (cid:28)nite (cid:28)elds. Ar h. Math., 82:28(cid:21)32, 2004. NON-CYCLIC SUBGROUPS OF JACOBIANS OF GENUS TWO CURVES WITH CM 7 [11℄ N. Koblitz. Ellipti urve ryptosystems. Math. Comp., 48:203(cid:21)209,1987. [12℄ N. Koblitz. Hyperellipti ryptosystems. J. Cryptology, 1:139(cid:21)150,1989. [13℄ S. Lang. Abelian Varieties. Inters ien e, 1959. [14℄ V.S. Miller. Short programsfor fun tions on urves, 1986. Unpublished man- us ript, available at http:// rypto.stanford.edu/miller/miller.pdf. [15℄ V.S. Miller. The weil pairing, and its e(cid:30) ient al ulation. J. Cryptology, 17:235(cid:21)261,2004. [16℄ J.S. Milne. Abelian varieties, 1998. Available at http://www.jmilne.org. [17℄ J.S. Milne and W.C. Waterhouse. Abelian varieties over (cid:28)nite (cid:28)elds. Pro . Symp. Pure Math., 20:53(cid:21)64,1971. [18℄ J. Neukir h. Algebrai Number Theory. Springer, 1999. [19℄ K. Rubin and A. Silverberg. Using abelian varieties to im- prove pairing-based ryptography, 2007. Preprint, available at http://www.math.u i.edu/~asilverb/bibliography/. [20℄ G.Shimura. Abelian VarietieswithComplex Multipli ation andModularFun - tions. Prin eton University Press, 1998. [21℄ J.H. Silverman. The Arithmeti of Ellipti Curves. Springer, 1986. 2 [22℄ A.-M. Spallek. Kurven vom Ges hle ht und ihre Anwendung in Publi -Key- Kryptosystemen. PhDthesis,InstitutfürExperimentelleMathematik,Univer- sität GH Essen, 1994. [23℄ A. Weng. Constru ting hyperellipti urves of genus 2 suitable for ryptogra- phy. Math. Comp., 72:435(cid:21)458,2003. Department of Mathemati al S ien es, University of Aarhus, Ny Munkegade, Building1530, DK-8000 Aarhus C E-mail address: rimf.au.dk

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.