1. Introduction
In recent years, computing the number of points on algebraic curves over finite fields has become an important task in public key cryptography. In order to generate curves suitable for cryptosystems, we must determine the order of the Jacobian of a curve over a finite field; this order is required to be a prime or a small cofactor times a prime.
For elliptic curves, Schoof gave a polynomial time algorithm [7], and improved versions with better time and space complexity followed [1,5,12]. Gaudry and Harley extended this algorithm to genus 2 curves [4]. For higher genus curves, there are several efficient point counting algorithms for Jacobian varieties [13,14,15]. In [9], the authors give a fast point counting algorithm for genus 2 hyperelliptic curves of type y^2 = x^5 + ax over finite prime fields. There are also many efficient algorithms for algebraic varieties over finite fields of small characteristic, the so-called p-adic methods [16,17,18]. Our approach follows the l-adic method, which is better suited to algebraic curves over fields of large characteristic.
In this paper, we provide an algorithm for computing the orders of the Jacobians of genus 3 hyperelliptic curves of type y^2 = x^7 + ax over finite prime fields. In particular, by using the baby-step giant-step algorithm, we determine the order of the Jacobian of a curve defined over a finite prime field with characteristic greater than 54 bits. We also provide the explicit formula for the characteristic polynomial of the Frobenius endomorphism of the Jacobian of the hyperelliptic curves y^2 = x^7 + ax over a finite prime field with p ≡ 1 modulo 12. Furthermore, we present additional computational results obtained with our algorithm.
2. Basic Facts on Hyperelliptic Curves
Let be a finite field of q = p^n elements, where p is an odd prime. The hyperelliptic curve C of genus g over is given by
where f(x) is a polynomial in [x] of degree 2g + 1 such that C has no singular points. We denote the Jacobian variety of the hyperelliptic curve C by JC; then JC() is the group of -rational points on JC. A semi-reduced divisor is a divisor consisting of k affine points, no two of which are opposite to each other (an affine point and its image under y ↦ −y). A reduced divisor is a semi-reduced divisor with k ≤ g.
By [11], every semi-reduced divisor on JC() can be uniquely represented by a pair of polynomials ⟨u(x), v(x)⟩, where u(x) = Π_i (x − x_i) is monic and v(x) is the unique polynomial such that deg v(x) < deg u(x), v(x_P) = y_P for all points P = (x_P, y_P) ∈ C() in the support of the divisor, and u(x) divides f(x) − v(x)^2. The pair ⟨1, 0⟩ is the identity element of the addition law. Cantor's algorithm can be used to compute the sum of two reduced divisors in JC().
We consider hyperelliptic curves of genus 3 defined over finite fields . The characteristic polynomial χ_q(t) of the q-th power Frobenius endomorphism of JC is given as follows:
where s_i ∈ ℤ. We also know that ♯JC( ) = χ_q(1), i.e.,
Let M_r = (q^r + 1) − N_r, where N_r is the number of points on C over the extension field of q^r elements, for r = 1, 2, 3. Then we have
The following well-known inequality, the Hasse-Weil bound, bounds ♯JC( ):
Then, we have
S. Haloui [19] gave sharp bounds on the coefficients of the characteristic polynomial of abelian varieties of dimension 3 over finite fields.
Theorem 2.1 ([19]). Let χ(t) = t^6 − s1 t^5 + s2 t^4 − s3 t^3 + q s2 t^2 − q^2 s1 t + q^3 be a polynomial with integer coefficients. Then χ(t) is a Weil polynomial if and only if the following conditions hold:
3. Hasse-Witt matrix
In this section, we recall the definition of the Hasse-Witt matrix in the case of hyperelliptic curves. It is a useful tool for computing ♯JC( ) modulo the characteristic p. Yui proved the following theorem [6].
Theorem 3.1. Let y^2 = f(x) with deg f = 2g + 1 be the equation of a genus g hyperelliptic curve. Denote by c_i the coefficient of x^i in the polynomial f(x)^((p−1)/2). Then the Hasse-Witt matrix is given by
In [8], Manin showed that this matrix is related to the characteristic polynomial of the Frobenius endomorphism modulo p. For a matrix H = (a_ij), let H^(p) denote the matrix whose entries are raised to the power p, i.e., Then we have the following theorem.
Theorem 3.2. Let C be a curve of genus g defined over a finite field. Let H be the Hasse-Witt matrix of C and let Let κ(t) be the characteristic polynomial of the matrix H_π and χ(t) the characteristic polynomial of the Frobenius endomorphism of the Jacobian of C. Then
4. The Characteristic Polynomial of C
In this section, we present the explicit formula for the characteristic polynomial of the Frobenius endomorphism of hyperelliptic curves of type C : y^2 = x^7 + ax over finite prime fields with p ≡ 1 (mod 12), and show how to compute the Hasse-Witt matrix of C efficiently. The following two results are the tools used to compute the Hasse-Witt matrix of C.
Corollary 4.1 ([3]). If p = 12f + 1 = A^2 + B^2 (A ≡ 1 (mod 4), B ≡ 0 (mod 2)) is prime, then
Proof. See Corollary 4.2.2 in [3].
Theorem 4.2 ([3]). Let p = 12f + 1 = A^2 + B^2 = x^2 + 3y^2 be a prime with A ≡ 1 (mod 4) and x ≡ 1 (mod 3). Then we have the following congruences modulo p:
where
Proof. See Theorem 15.1 in [3].
Theorem 4.3. Let C be a hyperelliptic curve defined by the equation y^2 = x^7 + ax over a finite prime field with p ≡ 1 (mod 12) such that p = A^2 + B^2 (A ≡ 1 (mod 4), B ≡ 0 (mod 2)), and let χ(t) be the characteristic polynomial of the p-th power Frobenius endomorphism of C. Then s1, s2 and s3 in χ(t) are given as follows:
Proof. First, we compute the entries c_{ip−j} of the Hasse-Witt matrix H of the curve C. By Theorem 3.1, the entries c_{ip−j} are determined by an integer k, 0 ≤ k ≤ (p − 1)/2, with ip − j = p − 1 + 3k, from Since the characteristic p satisfies p ≡ 1 (mod 12), the Hasse-Witt matrix is
Then we have that On the other hand, each s_i of χ(t) satisfies the following congruence modulo p:
Let p = 12f + 1 be a prime. Then, since (p − 1)/2 + 6k = p − 1 for c_{p−1}, we have k = (p − 1)/12 = f and For c_{2p−2}, since (p − 1)/2 + 6k = 2p − 2, we have k = (3p − 3)/12 = 3f and For c_{3p−3}, since (p − 1)/2 + 6k = 3p − 3, we have k = (5p − 5)/12 = 5f and Hence, by Theorem 4.2 and Corollary 4.1, we obtain the values of s1, s2 and s3 modulo p.
The equation of the given curve gives some information about the 2^k-torsion subgroups of the Jacobian variety.
Lemma 4.4. Let p be a prime number such that p ≡ 1 (mod 12) and let C : y^2 = f(x) be a hyperelliptic curve over , where f(x) = x^7 + ax. If f(x) splits completely over (i.e., a^((p−1)/6) = 1), then 64 divides ♯JC(). If f(x) splits into four factors over (i.e., a^((p−1)/3) = 1), then 8 divides ♯JC(). Otherwise, if f(x) splits into two factors of degree 3 and a factor of degree 1, or into two factors of degree 6 and 1, then 2 divides ♯JC().
Proof. Since 12 divides p − 1, there exists a primitive 12-th root of unity ζ_12 in . The points on C with vanishing y-coordinate correspond to (1 − ζ_12)-torsion points of the Jacobian. If f(x) splits completely over (i.e., a^((p−1)/6) = 1), then JC[1 − ζ_12] is defined over . Hence (ℤ/2ℤ)^6 is a subgroup of JC() and 64 divides ♯JC(). More precisely, in this case there exists an element b ∈ such that a = b^6. Then we have
If f(x) splits into four factors over (i.e., a^((p−1)/3) = 1), then the three (1 − ζ_12)-torsion points arising from the roots of f(x) are linearly independent. Hence (ℤ/2ℤ)^3 ≤ JC() and 8 divides ♯JC(). Moreover, in this case there exists an element b ∈ such that a = b^3. Then we have
Otherwise, JC() contains one non-trivial (1 − ζ_12)-torsion point. Moreover, in this case there exists an element b ∈ such that a = b^2. Then we have that
Throughout this paper, we consider the case of the prime p = A^2 + B^2 with A ≡ 1 (mod 4) and B ≡ 0 (mod 2).
Theorem 4.5. Let C be a hyperelliptic curve of the form y^2 = x^7 + ax defined over a finite field with p ≡ 1 (mod 12), p = A^2 + B^2. Then the characteristic polynomial χ(t) is as follows:
where A ≡ 1, 2 (mod 3) and B ≡ 0 (mod 3).
where A ≡ 0 (mod 3) and B ≡ 1, 2 (mod 3).
Proof. For case (1), from a^((p−1)/12) = 1 and Theorem 4.3 we have s1 ≡ 6A (mod p), s2 ≡ 12A^2 (mod p), and s3 ≡ 8A^3 (mod p). By the definition of A, A^2 < p and hence If p > 37, then s1 is uniquely determined by the Hasse-Witt matrix. Hence we have s1 = 6A.
Write s2 = mp + 12A^2 with m ∈ ℤ. Since 0 < 12A^2 < 12p and by the bounds of Theorem 2.1, m satisfies −9 ≤ m ≤ 3. Now we determine the value of m. We know that χ(t) splits into three factors h_i(t) of degree 2, i = 1, 2, 3. In particular, let π_i be a complex root of χ(t) ∈ ℤ[t] for i = 1, 2, 3, and its complex conjugate. We denote for i = 1, 2, 3. Then we have s1 = λ1 + λ2 + λ3, s2 = 3p + λ1λ2 + λ2λ3 + λ3λ1, and s3 = 2p s1 + λ1λ2λ3. Since we thus have m = 3.
We denote Since we have m′ = 12A. Then the characteristic polynomial χ(t) is
For case (3), we have s1 ≡ 2B^2/A (mod p), s2 ≡ −4B^4/A^2 (mod p), and s3 ≡ −8B^6/A^3 (mod p). Proceeding as above, the characteristic polynomial χ(t) is
Cases (2) and (4) are derived in the same way.
Theorem 4.6. Let C be a hyperelliptic curve of the form y^2 = x^7 + ax defined over a finite field . If a^((p−1)/6) = −1 (i.e., a^((p−1)/3) = 1), A ≡ 1, 2 (mod 3) and B ≡ 0 (mod 3), then the characteristic polynomial χ(t) has the following form:
where c1 is 2A a^((p−1)/12) or −p + 2A a^((p−1)/12), c2 = mp + 4A^2 with −1 ≤ m ≤ 2, and c3 is an integer with c3 ≡ 0 (mod 2) for
Proof. From a^((p−1)/6) = −1 and Theorem 4.3, we have s1 ≡ 2A a^((p−1)/12) (mod p), s2 ≡ 4A^2 (mod p) and s3 ≡ 8A^3 a^(9(p−1)/12) (mod p). By the Hasse-Weil bound on s1, the coefficient s1 can only be 2A a^((p−1)/12) or −p + 2A a^((p−1)/12).
Let s2 = mp + 4A^2 with m ∈ ℤ. From the sharp bound on s2 in Theorem 2.1, −1 ≤ m ≤ 2. For s3 = m′p + 8A^3 a^(9(p−1)/12), m′ ∈ ℤ, we have s3 ≡ 0 (mod 2) since s1 ≡ 0 (mod 2) and ♯JC() ≡ 0 (mod 2).
Theorem 4.7. Let C be a hyperelliptic curve of the form y^2 = x^7 + ax defined over a finite field with p ≡ 1 (mod 12). Assume that A ≡ 1 (mod 4) and A ≡ 1, 2 (mod 3). If a^((p−1)/3) ≠ 1 and f(x) splits into three factors, then χ(t) has the following form:
where c3 is an integer for and c3 ≡ 0 (mod 2).
Proof. In this case, the prime satisfies p = A^2 + B^2 with A ≡ 1, 5 (mod 12) and B ≡ 0 (mod 6). We have a^((p−1)/3) + a^((p−1)/6) + 1 = 0. Then s1 ≡ 0 (mod p) and N1 = ♯C() = p + 1. Hence s1 = 0. Since we have s2 = 0.
For the value s3, we write s3 = mp + 8A^3 a^(9(p−1)/12). From the bounds on s3 in Theorem 2.1, we have Since ♯JC() ≡ 0 (mod 2),
Then we have c3 ≡ 0 (mod 2) for from Theorem 2.1. This completes the proof.
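As an added illustration that is not part of the paper, the Python code below builds the Hasse-Witt matrix of C : y^2 = x^7 + ax over a prime field from the binomial coefficients used in the proof of Theorem 4.3, reads s1, s2, s3 modulo p off it as in Theorem 3.2, computes the exact s1 by brute-force point counting, and compares with the congruences from the proof of Theorem 4.5 for a^((p−1)/12) = 1 (s1 ≡ 6A, s2 ≡ 12A^2, s3 ≡ 8A^3 when A ≢ 0 (mod 3); s1 ≡ 2B^2/A, s2 ≡ −4B^4/A^2, s3 ≡ −8B^6/A^3 when A ≡ 0 (mod 3)). The primes 13 and 37 and the values of a are constructed, hand-checkable inputs, and the function names are ours.

```python
from math import comb, isqrt

def hasse_witt(a, p, g=3):
    """H = (c_{ip-j}), 1 <= i, j <= g, where c_k is the coefficient of x^k in
    f(x)^((p-1)/2) = x^n (x^6 + a)^n, n = (p-1)/2.  Hence c_k = C(n, m) a^(n-m)
    if k = n + 6m with 0 <= m <= n (as in the proof of Theorem 4.3), else 0."""
    n = (p - 1) // 2
    def c(k):
        m, r = divmod(k - n, 6)
        return comb(n, m) * pow(a, n - m, p) % p if r == 0 and 0 <= m <= n else 0
    return [[c(i * p - j) for j in range(1, g + 1)] for i in range(1, g + 1)]

def frobenius_coeffs_mod_p(a, p):
    """(s1, s2, s3) mod p read off chi(t) ≡ t^3 det(tI - H) (mod p), the prime-field
    case of Theorem 3.2: the elementary symmetric functions of the eigenvalues of H."""
    h = hasse_witt(a, p)
    minor = lambda i, j, k, l: h[i][k] * h[j][l] - h[i][l] * h[j][k]   # rows i,j; cols k,l
    s1 = h[0][0] + h[1][1] + h[2][2]
    s2 = minor(0, 1, 0, 1) + minor(0, 2, 0, 2) + minor(1, 2, 1, 2)
    s3 = h[0][0] * minor(1, 2, 1, 2) - h[0][1] * minor(1, 2, 0, 2) + h[0][2] * minor(1, 2, 0, 1)
    return s1 % p, s2 % p, s3 % p

def point_count_s1(a, p):
    """Exact s1 = p + 1 - N1 with N1 = #C(F_p), deciding y^2 = f(x) by Euler's criterion."""
    n1 = 1                                        # the single point at infinity
    for x in range(p):
        v = (pow(x, 7, p) + a * x) % p
        n1 += 1 if v == 0 else 2 * (pow(v, (p - 1) // 2, p) == 1)
    return p + 1 - n1

def two_squares(p):
    """(A, B) with p = A^2 + B^2, A ≡ 1 (mod 4), B >= 0 (brute force; the paper uses Cornacchia)."""
    for A in range(-isqrt(p), isqrt(p) + 1):
        B = isqrt(p - A * A)
        if A % 4 == 1 and B * B == p - A * A:
            return A, B
    raise ValueError("p is not a sum of two squares")

def theorem45_congruences(a, p):
    """Predicted (s1, s2, s3) mod p for a^((p-1)/12) = 1, cases (1) and (3) of Theorem 4.5."""
    assert p % 12 == 1 and pow(a, (p - 1) // 12, p) == 1
    A, B = two_squares(p)
    if A % 3:                                     # case (1): A ≡ 1, 2 and B ≡ 0 (mod 3)
        return 6 * A % p, 12 * A**2 % p, 8 * A**3 % p
    u = B**2 * pow(A, -1, p)                      # case (3): A ≡ 0, B ≡ 1, 2 (mod 3); u = B^2/A
    return 2 * u % p, -4 * u**2 % p, -8 * u**3 % p

if __name__ == "__main__":
    for p, a in ((13, 1), (37, 1), (37, 10), (37, 4)):   # constructed inputs, p ≡ 1 (mod 12)
        print(p, a, frobenius_coeffs_mod_p(a, p), point_count_s1(a, p))
```

For p = 37 and a = 4 the hypotheses of Theorem 4.7 hold (a^((p−1)/3) + a^((p−1)/6) + 1 ≡ 0 (mod 37)), the trace of H vanishes, and the point count returns s1 = 0, i.e. N1 = p + 1.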
5. Implementation details
5.1. BSGS algorithm. We now show how to determine the order of the Jacobian of a hyperelliptic curve using the BSGS algorithm. We denote by L_i (U_i) the lower (upper) bound of s_i for i = 1, 2, 3 in (3). According to Theorem 3.2, we write, for i = 1, 2, 3,
with Then each ti is bounded by
We substitute (2) into (1) and denote Then the order of the Jacobian satisfies the equation
We must determine the values (t1, t2, t3) in order to obtain ♯JC(). Let N be a positive integer (to be specified below), and let u and v be integers such that
Then the range of v is
By substituting (4) into (3), we have
Hence, ♯JC() can be computed by finding the 4-tuple (t1, t2, u, v) such that
for all D ∈ JC(), with each of t1, t2, u and v in the ranges given above. We search for a collision between the left-hand side and the right-hand side of (5) over these ranges. Moreover, we choose
Thus the algorithm requires the computation of O(N) point multiples.
5.2. Speeding up the algorithm. In this section, we discuss some techniques that speed up the algorithm in its implementation. First, we use Cornacchia's algorithm to compute the coefficients in (2) (see [10]); the binomial coefficients can then be calculated easily. Moreover, if p > 37, then s1 is uniquely determined by the sum of c_{p−1}, c_{2p−2} and c_{3p−3}.
In [2], Gonda et al. provide efficient arithmetic on the Jacobian of genus 3 hyperelliptic curves over a finite field. Using this method, an addition in the Jacobian costs 70 multiplications, 1 inversion and 113 additions, and a doubling costs 71 multiplications, 1 inversion and 107 additions.
In (5) of Section 5.1, the precomputation of p and the addition of a divisor pN times are needed, and a double-and-add method is used for these operations. When we search for a collision, the same divisors are computed repeatedly, so we store them first and then execute the comparison test. A divisor and its inverse have the same chord; therefore, we can limit the range to 0 ≤ k ≤ ⌊U3/N⌋ and avoid computing the inverse of a divisor.
Now we consider an efficient value of N for the case of Theorem 4.7. We let c3 = u + vN with 0 ≤ u < N and For v there are choices, and for u there are N choices. We also set N as In (2) of Theorem 4.6, s1 and s2 are easily determined. We similarly set N as Therefore, the expected running time of our algorithm is
6. Computational results
In this section, we present our experimental results. We implemented our algorithm on a Pentium 2.13 GHz computer with less than 2 GB of memory using Shoup's NTL library.
Example 6.1. Let p = 12970096625951449 be a 54-bit prime and let the curve C over be defined by
We compute the group order of the Jacobian:
Example 6.2. Let p = 26144785074025909 be a 55-bit prime and let C be the curve defined by C : y^2 = x^7 + 4857394849x. The group order of the Jacobian is given by:
The order of the Jacobian is a 163-bit number, and the total running time is 259 s.
Table 1 lists the implementation results for Jacobians with a quasi-prime factor greater than 160 bits.
TABLE 1. Implementation results
7. Conclusions
In this paper, we have presented an algorithm for computing the orders of the Jacobian varieties of genus 3 hyperelliptic curves defined by y^2 = x^7 + ax over a finite prime field. By using the baby-step giant-step method, we determined the order of the Jacobian of a curve defined over a finite prime field of more than 55 bits. Moreover, we provided the explicit formula for the characteristic polynomial of the Frobenius endomorphism of the Jacobian of the hyperelliptic curves y^2 = x^7 + ax over a finite prime field with p ≡ 1 modulo 12. Finally, we verified the usefulness of our algorithm with simple examples.
References
[1] N. Elkies, Elliptic and modular curves over finite fields and related computational issues, Computational perspectives on number theory, AMS/IP Stud. Adv. Math. 7, Amer. Math. Soc. (1998), 21-76.
[2] M. Gonda, K. Matsuo, K. Aoki, and J. Chao, Improvements of addition algorithm on genus 3 hyperelliptic curves and their implementation, IEICE Trans. Fundamentals E88-A(1) (2005), 89-96. https://doi.org/10.1093/ietfec/E88-A.1.89
[3] R. H. Hudson and K. S. Williams, Binomial coefficients and Jacobi sums, Trans. Amer. Math. Soc. 281 (1984), 431-505. https://doi.org/10.1090/S0002-9947-1984-0722761-X
[4] P. Gaudry and R. Harley, Counting points on hyperelliptic curves over finite fields, ANTS IV, W. Bosma (ed.), LNCS 1838 (2000), Springer-Verlag, 297-312.
[5] I. Blake, G. Seroussi and N. Smart, Elliptic curves in cryptography, London Math. Soc. Lecture Note Series 265 (1999).
[6] H. Yui, On the Jacobian var I'm not sure...