## Computing endomorphism rings of Jacobians of genus 2 curves (2006)

Venue: | Symposium on Algebraic Geometry and its Applications, Tahiti |

Citations: | 10 - 5 self |

### BibTeX

@TECHREPORT{Freeman06computingendomorphism,
  author = {David Freeman and Kristin Lauter},
  title = {Computing endomorphism rings of Jacobians of genus 2 curves},
  institution = {Symposium on Algebraic Geometry and its Applications, Tahiti},
  year = {2006}
}

### Abstract

We present probabilistic algorithms which, given a genus 2 curve C defined over a finite field and a quartic CM field K, determine whether the endomorphism ring of the Jacobian J of C is the full ring of integers in K. In particular, we present algorithms for computing the field of definition of, and the action of Frobenius on, the subgroups J[ℓ^d] for prime powers ℓ^d. We use these algorithms to create the first implementation of Eisenträger and Lauter’s algorithm for computing Igusa class polynomials via the Chinese Remainder Theorem [EL], and we demonstrate the algorithm for a few small examples. We observe that in practice the running time of the CRT algorithm is dominated not by the endomorphism ring computation but rather by the need to compute p^3 curves for many small primes p.

### Citations

987 | A Course in Computational Algebraic Number Theory - Cohen - 1996 |

750 | Factoring polynomials with rational coefficients - Lenstra, Jr, et al. - 1982 |
Citation Context: ...for some integers a0, a1, a2, a3, n. We assume that a0, a1, a2, a3 have no common factor with n, so that n is the smallest integer such that nα ∈ Z[π]. Remark 3.1. The LLL lattice reduction algorithm [LLL], as implemented by the MAGMA command LinearRelation, finds an expression of the form (3.2) for any α ∈ O_K. Given as input the sequence [1, π, π^2, π^3, −α], the ...

175 | Morain Elliptic curves and primality proving - Atkin, F - 1993 |
Citation Context: ...iant via the construction of the Hilbert class polynomial for a quadratic imaginary field. There are three different approaches to computing the Hilbert class polynomial: a complex-analytic algorithm [AM], [Eng]; a Chinese Remainder Theorem algorithm [CNST], [ALV]; and a p-adic algorithm [CH], [Brö]. The best running time for these algorithms is Õ(|d|), where d is the discriminant of the quadratic ima...

105 | A First Course - Ross |

99 | Abelian Varieties with Complex Multiplication and Modular Functions - Shimura - 1997 |

63 | Counting points on hyperelliptic curves over finite fields - Gaudry, Harley - 2000 |
Citation Context: ...of J(F_{p^k}) to decide whether J[n] ⊂ J(F_{p^k}). This is an exponential-time algorithm that is efficient only for very small k. Eisenträger and Lauter also suggested that the algorithm of Gaudry-Harley [GH] could be used to determine the field of definition of the n-torsion points. One of the primary purposes of this article is to present an efficient probabilistic algorithm to test the field of definit...

54 | Construction de courbes de genre 2 à partir de leur modules. Effective Methods in Algebraic Geometry - Mestre - 1991 |
Citation Context: ...(3) (Finding the curves.) Set T1, T2, T3 ← {}. For each (i1, i2, i3) ∈ F_p^3, do the following: (a) Compute a curve C/F_p with Igusa invariants (i1, i2, i3), using the algorithms of Mestre [Mes] and Cardona-Quer [CQ]. (b) Run Algorithm 2.1 with inputs K, p, C. (i) If the algorithm outputs false, go to the next triple (i1, i2, i3). (ii) If the algorithm outputs true, let π be one of the possibl...

40 | Construction of Secure Random Curves of Genus 2 over Prime Fields - Gaudry, Schost |
Citation Context: ...e of Õ(n^6) field multiplications if fast polynomial arithmetic is used, and O(n^8) otherwise. Due to its large space requirements, the algorithm has only succeeded at handling inputs of size n ≤ 19 [GS]. 4.3. A probabilistic method. As usual, we let J be the Jacobian of a genus 2 curve over F_{p^k}, and ℓ ≠ p be a prime. Let H be the ℓ-primary part of J(F_{p^k}). Then H has the structure H = Z/ℓ^{α_1}Z ×...

38 | Kurven vom Geschlecht 2 und ihre Anwendung - Spallek - 1994 |
Citation Context: ...solutions rely on computing the curves’ Igusa invariants via the computation of Igusa class polynomials for quartic CM fields. Again there are three different approaches: a complex-analytic algorithm [Spa], [vW], [W], [CL]; a Chinese Remainder Theorem algorithm [EL]; and a p-adic algorithm [GHKRW]. These algorithms are less extensively developed than their elliptic curve analogues, and to date there is...

34 | The complexity of class polynomial computation via floating point approximations - Enge |

31 | Constructing hyperelliptic curves of genus 2 suitable for cryptography - Weng |
Citation Context: ...y on computing the curves’ Igusa invariants via the computation of Igusa class polynomials for quartic CM fields. Again there are three different approaches: a complex-analytic algorithm [Spa], [vW], [W], [CL]; a Chinese Remainder Theorem algorithm [EL]; and a p-adic algorithm [GHKRW]. These algorithms are less extensively developed than their elliptic curve analogues, and to date there is no running...

27 | Action of modular correspondences around CM points, in Algorithmic number theory (Sydney - Couveignes, Henocq - 2002 |
Citation Context: .... There are three different approaches to computing the Hilbert class polynomial: a complex-analytic algorithm [AM], [Eng]; a Chinese Remainder Theorem algorithm [CNST], [ALV]; and a p-adic algorithm [CH], [Brö]. The best running time for these algorithms is Õ(|d|), where d is the discriminant of the quadratic imaginary field [Eng], [Brö]. Analogous methods exist for constructing genus 2 curves with a...

23 | Principally polarized ordinary abelian varieties over finite fields - Howe - 1995 |

23 | A hyperelliptic smoothness test - Lenstra, Pila, et al. |

21 | A CRT algorithm for constructing genus 2 curves over finite fields - Eisentraeger, Lauter - 2004 |
Citation Context: ...J[ℓ^d] for prime powers ℓ^d. We use these algorithms to create the first implementation of Eisenträger and Lauter’s algorithm for computing Igusa class polynomials via the Chinese Remainder Theorem [EL], and we demonstrate the algorithm for a few small examples. We observe that in practice the running time of the CRT algorithm is dominated not by the endomorphism ring computation but rather by the n...

20 | The 2-adic CM method for genus 2 curves with application to cryptography - Gaudry, Houtmann, et al. - 2006 |
Citation Context: ... polynomials for quartic CM fields. Again there are three different approaches: a complex-analytic algorithm [Spa], [vW], [W], [CL]; a Chinese Remainder Theorem algorithm [EL]; and a p-adic algorithm [GHKRW]. These algorithms are less extensively developed than their elliptic curve analogues, and to date there is no running time analysis for any of them. In this paper we study the implementation of Eisen...

19 | Constructing elliptic curves with a known number of points over a prime field, High Primes and Misdemeanours: lectures in honour of the 60th birthday of H - Agashe, Lauter, et al. |
Citation Context: ...or a quadratic imaginary field. There are three different approaches to computing the Hilbert class polynomial: a complex-analytic algorithm [AM], [Eng]; a Chinese Remainder Theorem algorithm [CNST], [ALV]; and a p-adic algorithm [CH], [Brö]. The best running time for these algorithms is Õ(|d|), where d is the discriminant of the quadratic imaginary field [Eng], [Brö]. Analogous methods exist for const...

14 | A p-adic algorithm to compute the Hilbert class polynomial - Bröker |
Citation Context: ...e are three different approaches to computing the Hilbert class polynomial: a complex-analytic algorithm [AM], [Eng]; a Chinese Remainder Theorem algorithm [CNST], [ALV]; and a p-adic algorithm [CH], [Brö]. The best running time for these algorithms is Õ(|d|), where d is the discriminant of the quadratic imaginary field [Eng], [Brö]. Analogous methods exist for constructing genus 2 curves with a given ...

13 | Wamelen, Examples of genus two CM curves defined over the rationals - van - 1999 |
Citation Context: ...ns rely on computing the curves’ Igusa invariants via the computation of Igusa class polynomials for quartic CM fields. Again there are three different approaches: a complex-analytic algorithm [Spa], [vW], [W], [CL]; a Chinese Remainder Theorem algorithm [EL]; and a p-adic algorithm [GHKRW]. These algorithms are less extensively developed than their elliptic curve analogues, and to date there is no ru...

9 | Linearizing torsion classes in the Picard group of algebraic curves over finite fields - Couveignes |
Citation Context: ...rent for each Qi, this function does not define a group homomorphism, and thus the image of a set of points uniformly distributed in J(F_{p^k})_ℓ will not be uniformly distributed in J[ℓ^d]. Couveignes [Cou] has described a map that has the properties we want and is a group homomorphism. The idea is the following: if π^k − 1 ∈ ℓ^d End(J), then there is an endomorphism φ such that ℓ^d φ = π^k − 1. Since π...

7 | Multidigit modular multiplication with the explicit chinese remainder theorem - Bernstein - 1995 |
Citation Context: ...the endomorphism ring is the full ring of integers O_K. (c) Construct the Igusa class polynomials mod p from the triples collected in Step 2b. (3) Use the Chinese Remainder Theorem or the Explicit CRT [Ber] to construct the Igusa polynomials either with rational coefficients or modulo a prime of cryptographic size. One advantage of the CRT algorithm over other algorithms for computing Igusa class polyno...

7 | Relative integral bases for quartic fields over quadratic subfields - SPEARMAN, WILLIAMS - 1996 |
Citation Context: ...rve over F_p with Frobenius π^σ for some σ ∈ Aut(K/Q) and End(J) = O_K, this integer k is such that the n-torsion points of J are defined over F_{p^k}. (1) Compute a Z-basis B = (1, δ, γ, κ) of O_K, using [SW] or [Coh, Algorithm 6.1.8], and write π = (a, b, c, d) in this basis. Set k ← 1. (2) Let B̄ be the reduction of the elements of B modulo n. Let (a1, b1, c1, d1) = (a, b, c, d) (mod n). (3) Compute π ...

7 | Construction of secure elliptic cryptosystems using CM tests and liftings - Chao, Nakamura, et al. - 1998 |
Citation Context: ...e three different approaches to computing the Hilbert class polynomial: a complex-analytic algorithm known as the Complex Multiplication (CM) method [AM], [Eng]; a Chinese Remainder Theorem algorithm [CNST], [ALV]; and a p-adic algorithm [CH], [Brö]. The best running time for these algorithms is Õ(d), where d is the discriminant of the quadratic imaginary field [Eng], [Brö]. Analogous methods exist for ...

7 | Class invariants of quartic CM fields - Goren, Lauter |
Citation Context: ...isfy this congruence is (1/p_{i+1})^{D+1}, so most likely we have that actually r_{i+1} = 0 for each coefficient. Remark 7.3. The λ_i input into the algorithm can be taken to be products of primes bounded in [GL], raised to a power that will be made explicit in forthcoming work. In practice, the power can be taken to be a small multiple of 6. Since we check after every prime p_i whether the algorithm is finish...

5 | E.: Class invariants of quartic CM fields, Annales de l’Institut Fourier - Goren, Lauter |
Citation Context: ...isfy this congruence is (1/p_{i+1})^{D+1}, so most likely we have that actually r_{i+1} = 0 for each coefficient. Remark 7.3. The λ_i input into the algorithm can be taken to be products of primes bounded in [GL], raised to a power that will be made explicit in forthcoming work. In practice, the power can be taken to be a small multiple of 6. Since we check after every prime p_i whether the algorithm is finish...

4 | Generating genus 2 curves with complex multiplication,” Microsoft Research Internal - Cohn, Lauter - 2001 |
Citation Context: ...computing the curves’ Igusa invariants via the computation of Igusa class polynomials for quartic CM fields. Again there are three different approaches: a complex-analytic algorithm [Spa], [vW], [W], [CL]; a Chinese Remainder Theorem algorithm [EL]; and a p-adic algorithm [GHKRW]. These algorithms are less extensively developed than their elliptic curve analogues, and to date there is no running time ...

3 | of moduli and field of definition for curves of genus 2, in “Computational aspects of algebraic curves - Cardona, Quer, et al. - 2005 |
Citation Context: ...g the curves.) Set T1, T2, T3 ← {}. For each (i1, i2, i3) ∈ F_p^3, do the following: (a) Compute a curve C/F_p with Igusa invariants (i1, i2, i3), using the algorithms of Mestre [Mes] and Cardona-Quer [CQ]. (b) Run Algorithm 2.1 with inputs K, p, C. (i) If the algorithm outputs false, go to the next triple (i1, i2, i3). (ii) If the algorithm outputs true, let π be one of the possible Frobenius elements ...

3 | A new proof for the non-degeneracy of the Frey-Rück pairing and a connection to isogenies over the base field - Schaefer - 2005 |
Citation Context: ...d J(F_{p^k}), since φ(ℓ^d P) = (π^k − 1)(P) = 0 if P is defined over F_{p^k}. Thus we have a map φ : J(F_{p^k})/ℓ^d J(F_{p^k}) → J[ℓ^d]. Couveignes then uses the non-degeneracy of the Frey-Rück pairing (see [Sch]) to show that φ is a bijection. Thus for any Qi not in ℓJ(F_{p^k}), φ(Qi) has order exactly ℓ^d. Since φ is a surjective group homomorphism, the image of a set of points uniformly distributed in J(F p...

2 | Algebraic Number Theory, trans. Norbert Schappacher - Neukirch - 1999 |

1 | Institut für Experimentelle Mathematik, Universität GH - thesis - 1994 |
Citation Context: ...benius π^σ for some σ ∈ Aut(K/Q) and End(J) = O_K, the algorithm determines an integer k such that the n-torsion points of J are defined over F_{p^k}. (1) Compute a Z-basis B = (1, δ, γ, κ) of O_K, using [SW] or [Coh, Algorithm 6.1.8], and write π = (a, b, c, d) in this basis. Set k ← 1. (2) Let B̄ be the reduction of the elements of B modulo n. Let (a1, b1, c1, d1) = (a, b, c, d) (mod n). (3) Compute π ...