On the evaluation of modular polynomials
Andrew V. Sutherland
Massachusetts Institute of Technology
ECC 2012
http://arxiv.org/abs/1202.3985
http://arxiv.org/abs/1208.5370

[2/34] A brief journey through space-time...

[3/34] Space and time

In a universe with $n$ dimensions, the amount of data that can be stored within a distance $r$ of the CPU is $O(r^n)$.

An algorithm with space complexity $S$ is at an average distance $\Omega(S^{1/n})$ from its data. The speed of light is bounded by a constant, thus the time to read or write a bit located at a distance $r$ is $\Omega(r)$.

Conclusion: an algorithm with space complexity $S$ must have time complexity $\Omega(S^{1+1/n})$. In particular, no algorithm implemented in the real world can actually achieve a quasi-linear time complexity (assuming our CPU is not allowed to move).
On the other hand, if we are given an algorithm whose theoretical space and time complexity are quasi-linearly related, reducing the space complexity will actually speed up the real-world performance of the algorithm, often dramatically.

[4/34] Isogenies of elliptic curves

An elliptic curve $E/k$ is a smooth projective curve of genus 1 with a distinguished $k$-rational point $0$. An isogeny $\varphi\colon E_1 \to E_2$ is a morphism of elliptic curves, a rational map that fixes the point $0$. We shall assume $\varphi \ne 0$.

The induced homomorphism $\varphi\colon E_1(\bar k) \to E_2(\bar k)$ has a finite kernel. Conversely, every finite subgroup of $E_1(\bar k)$ is the kernel of an isogeny.

The degree of an isogeny is its degree as a rational map. For nonzero separable isogenies, $\deg \varphi = |\ker \varphi|$. We are primarily interested in isogenies of prime degree $\ell \ne \operatorname{char} k$, which are necessarily separable isogenies with cyclic kernels.

[5/34] j-invariants

The $\bar k$-isomorphism classes of elliptic curves $E/k$ are in bijection with the field $k$. For $E\colon y^2 = x^3 + Ax + B$, the $j$-invariant of $E$ is
$$j(E) = j(A, B) = 1728\,\frac{4A^3}{4A^3 + 27B^2} \in k.$$

The $j$-invariants $j(0, B) = 0$ and $j(A, 0) = 1728$ are special. They correspond to elliptic curves with extra automorphisms. For $j \notin \{0, 1728\}$, we have $j = j(A, B)$, where $A = 3j(1728 - j)$ and $B = 2j(1728 - j)^2$.

Note that $j(E_1) = j(E_2)$ does not necessarily imply that $E_1$ and $E_2$ are isomorphic over $k$, only that they are isomorphic over $\bar k$.

[6/34] The modular equation

Let $j\colon \mathbb{H} \to \mathbb{C}$ be the classical modular function. For any $\tau \in \mathbb{H}$, the values $j(\tau)$ and $j(\ell\tau)$ are the $j$-invariants of elliptic curves $E_\tau/\mathbb{C}$ and $E_{\ell\tau}/\mathbb{C}$ that are $\ell$-isogenous. The minimal polynomial $\Phi_\ell(Y)$ of the function $j(\ell z)$ over $\mathbb{C}(j)$ has coefficients that are integer polynomials in $j(z)$.
Replacing $j(z)$ with $X$ yields the modular polynomial $\Phi_\ell \in \mathbb{Z}[X, Y]$ that parameterizes pairs of $\ell$-isogenous elliptic curves $E/\mathbb{C}$:
$$\Phi_\ell\bigl(j(E_1), j(E_2)\bigr) = 0 \iff j(E_1) \text{ and } j(E_2) \text{ are } \ell\text{-isogenous}.$$
This moduli interpretation remains valid over any field whose characteristic is not equal to $\ell$. $\Phi_\ell(X, Y) = 0$ is a defining equation for the affine modular curve $Y_0(\ell) = \Gamma_0(\ell)\backslash\mathbb{H}$.

[7/34] Isogenies make hard problems easier

Isogenies play a key role in many applications:
- The Schoof-Elkies-Atkin (SEA) point-counting algorithm.
- Computing the endomorphism ring of an elliptic curve.
- The elliptic curve discrete logarithm problem (?).
- Computing Hilbert class polynomials $H_D(X)$.
- Computing modular polynomials.

Modular polynomials $\Phi_\ell(X, Y)$ are used in all of these applications. Given an elliptic curve $E/\mathbb{F}$, the roots of the univariate polynomial $\phi_\ell(Y) = \Phi_\ell(j(E), Y) \in \mathbb{F}[Y]$ that lie in $\mathbb{F}$ are precisely the $j$-invariants of the elliptic curves $\tilde E/\mathbb{F}$ that are $\ell$-isogenous to $E$.

[8/34] Modular polynomials are very large...

$\Phi_\ell \in \mathbb{Z}[X, Y]$ is symmetric, with degree $\ell + 1$ in both $X$ and $Y$. Asymptotically, its size is $O(\ell^3 \log \ell)$ bits.

Size of $\Phi_\ell(X, Y)$:

  ell     coefficients   largest   average   total
  127             8258     7.5kb     5.3kb   5.5MB
  251            31880      16kb      12kb    48MB
  503           127262      36kb      27kb   431MB
  1009          510557      78kb      60kb   3.9GB
  2003         2009012     166kb     132kb    33GB
  3001         4507505     259kb     208kb   117GB
  4001         8010005     356kb     287kb   287GB
  5003        12522512     454kb     369kb   577GB
  10007       50085038     968kb     774kb   4.8TB

[9/34] ...but instantiated modular polynomials are not.

For an elliptic curve $E$ over a finite field $\mathbb{F}_q$, the size of the instantiated polynomial $\phi_\ell(Y) = \Phi_\ell(j(E), Y)$ is only $O(\ell \log q)$ bits.
Even if $q$ is quite large, say 4096 bits, for $\ell = 10007$ the size of $\phi_\ell(Y)$ is just 5MB, which is almost a million times smaller than $\Phi_\ell(X, Y)$.

A quote from the former elliptic curve point-counting world record holder (at 2500 decimal digits):

"Despite this progress, computing modular polynomials remains the stumbling block for new point counting records. Clearly, to circumvent the memory problems, one would need an algorithm that directly obtains the polynomial specialised in one variable." (INRIA Project TANC, 2007)

[10/34] Results

Let $E/\mathbb{F}_q$ be an elliptic curve and let $\ell < q$ be a prime ($\ell \ne \operatorname{char} \mathbb{F}_q$).

Theorem. Under the generalized Riemann hypothesis (GRH), one can compute the instantiated modular polynomial $\Phi_\ell(j(E), Y)$ using $O(\ell \log q)$ space in time quasi-linear in the size of $\Phi_\ell$ (quasi-cubic in $\ell$).

Applying this to SEA, we can compute $\#E(\mathbb{F}_q)$ in $\tilde O(n^4)$ time and $O(n^2 \log n)$ space ($n = \log q$), under standard heuristic assumptions. Previously, the SEA algorithm required $\Omega(n^3 \log n)$ space (or $\Omega(n^4)$ if precomputed modular polynomials are used).

This has led to a new elliptic curve point-counting record modulo a 5011-digit prime (and improvements in the range of practical interest). The new results also yield improved space complexity bounds (and better performance) for many other algorithms that use isogenies.
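The $j$-invariant formulas of slide 5, as an added Python example (not code from the slides or from the author): it evaluates $j(A, B)$ over a prime field, inverts it with $A = 3j(1728 - j)$, $B = 2j(1728 - j)^2$ (handling the special values 0 and 1728 separately), and checks the remark that equal $j$-invariants only give isomorphism over $\bar k$ by counting points on a curve and on its quadratic twist. The prime $p = 4451$ and the $j$-invariant 901 are taken from slide 22; the exhaustive point count and the twist construction are my own helpers, not part of any algorithm on the slides.

```python
# Added example, not from the slides: the j-invariant formulas of slide 5 over a
# prime field, and a check of the slide's remark that j(E1) = j(E2) only gives
# isomorphism over the algebraic closure, using a quadratic twist.


def j_invariant(A, B, p):
    """j(A, B) = 1728 * 4A^3 / (4A^3 + 27B^2) in F_p for E: y^2 = x^3 + Ax + B."""
    A, B = A % p, B % p
    disc = (4 * A**3 + 27 * B**2) % p
    if disc == 0:
        raise ValueError("4A^3 + 27B^2 = 0: not an elliptic curve")
    return 1728 * 4 * A**3 * pow(disc, -1, p) % p


def curve_from_j(j, p):
    """Some (A, B) with j(A, B) = j: A = 3j(1728 - j), B = 2j(1728 - j)^2 for
    j not in {0, 1728}; those two special values need their own representatives."""
    j %= p
    if j == 0:
        return 0, 1                      # y^2 = x^3 + 1
    if j == 1728 % p:
        return 1, 0                      # y^2 = x^3 + x
    return 3 * j * (1728 - j) % p, 2 * j * (1728 - j) ** 2 % p


def quadratic_twist(A, B, p):
    """E^d: y^2 = x^3 + A d^2 x + B d^3 for a non-square d. It has the same
    j-invariant as E (the d^6 cancels) but is isomorphic to E only over F_p-bar."""
    d = next(d for d in range(2, p) if pow(d, (p - 1) // 2, p) == p - 1)
    return A * d * d % p, B * d**3 % p


def count_points(A, B, p):
    """#E(F_p) by exhaustive search, fine for a small p: the point at infinity
    plus, for each x, 1 + (Legendre symbol of x^3 + Ax + B)."""
    total = p + 1
    for x in range(p):
        f = (x**3 + A * x + B) % p
        if f:
            total += 1 if pow(f, (p - 1) // 2, p) == 1 else -1
    return total


def twist_point_counts(j, p):
    """Point counts of a curve with j-invariant j and of its quadratic twist.
    They sum to 2p + 2, so the two curves (same j) are not isomorphic over F_p
    unless both have exactly p + 1 points."""
    A, B = curve_from_j(j, p)
    A2, B2 = quadratic_twist(A, B, p)
    assert j_invariant(A, B, p) == j_invariant(A2, B2, p) == j % p
    return count_points(A, B, p), count_points(A2, B2, p)


if __name__ == "__main__":
    # p = 4451 and j = 901 are the prime and the root of H_{-151}(X) from slide 22,
    # where t = 52, so the two counts are p + 1 - 52 and p + 1 + 52.
    print(twist_point_counts(901, 4451))
```

The trace check at the end ties slide 5 to slide 22: a curve whose $j$-invariant is a root of $H_{-151}(X)$ mod 4451 has Frobenius trace $\pm 52$, because $4p = t^2 - v^2\ell^2 D$ with $t = 52$ there; the twist takes the other sign.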
[11/34] A volcano

[12/34] A volcano

[13/34] ℓ-volcanoes

For a prime $\ell$, an $\ell$-volcano is a connected undirected graph whose vertices are partitioned into levels $V_0, \ldots, V_d$ such that:
1. The subgraph on $V_0$ (the surface) is a connected regular graph of degree 0, 1, or 2.
2. For $i > 0$, each $v \in V_i$ has exactly one neighbor in $V_{i-1}$. All edges not on the surface arise in this manner.
3. For $i < d$, each $v \in V_i$ has degree $\ell + 1$.
We allow self-loops and multi-edges, but this can happen only on the surface.

[14/34] A 3-volcano of depth 2

[15/34] The graph of ℓ-isogenies

Definition. The $\ell$-isogeny graph $G_\ell(k)$ has vertex set $\{j(E) : E/k\} = k$ and edges $(j_1, j_2)$ for each root $j_2 \in k$ of $\Phi_\ell(j_1, Y)$ (with multiplicity).

Except for $j \in \{0, 1728\}$, the in-degree of each vertex of $G_\ell$ is equal to its out-degree. Thus $G_\ell$ is a bi-directed graph on $k \setminus \{0, 1728\}$, which we may regard as an undirected graph. It consists of ordinary and supersingular components.

We have an infinite family of graphs $G_\ell(k)$ with vertex set $k$, one for each prime $\ell \ne \operatorname{char}(k)$.

An elliptic curve $E$ over a field of characteristic $p > 0$ is supersingular iff $E[p] = \{0\}$.

[16/34] Endomorphism rings

Isogenies from an elliptic curve $E$ to itself are endomorphisms. They form a ring $\operatorname{End}(E)$ under composition and point addition. We always have $\mathbb{Z} \subseteq \operatorname{End}(E)$, due to scalar multiplication maps. If $\mathbb{Z} \subsetneq \operatorname{End}(E)$, then $E$ has complex multiplication (CM).

For an elliptic curve $E$ with complex multiplication:
$$\operatorname{End}(E) \simeq \begin{cases} \text{order in an imaginary quadratic field} & \text{(ordinary)},\\ \text{order in a quaternion algebra} & \text{(supersingular)}. \end{cases}$$

In characteristic $p > 0$, every elliptic curve has CM, since the $p$-power Frobenius endomorphism $(x, y) \mapsto (x^p, y^p)$ does not lie in $\mathbb{Z}$.

[17/34] Horizontal and vertical isogenies

Let $\varphi\colon E_1 \to E_2$ be an $\ell$-isogeny of ordinary elliptic curves with CM. Let $\operatorname{End}(E_1) \simeq \mathcal{O}_1 = [1, \tau_1]$ and $\operatorname{End}(E_2) \simeq \mathcal{O}_2 = [1, \tau_2]$. Then $\ell\tau_2 \in \mathcal{O}_1$ and $\ell\tau_1 \in \mathcal{O}_2$.

Thus one of the following holds:
- $\mathcal{O}_1 = \mathcal{O}_2$, in which case $\varphi$ is horizontal;
- $[\mathcal{O}_1 : \mathcal{O}_2] = \ell$, in which case $\varphi$ is descending;
- $[\mathcal{O}_2 : \mathcal{O}_1] = \ell$, in which case $\varphi$ is ascending.
In the latter two cases we say that $\varphi$ is a vertical isogeny.

[18/34] The theory of complex multiplication

Let $E/k$ have CM by an imaginary quadratic order $\mathcal{O}$. For each invertible $\mathcal{O}$-ideal $\mathfrak{a}$, the $\mathfrak{a}$-torsion subgroup
$$E[\mathfrak{a}] = \{P \in E(\bar k) : \alpha(P) = 0 \text{ for all } \alpha \in \mathfrak{a}\}$$
is the kernel of an isogeny $\varphi_{\mathfrak{a}}\colon E \to E'$ of degree $N(\mathfrak{a}) = [\mathcal{O} : \mathfrak{a}]$. We necessarily have $\operatorname{End}(E) \simeq \operatorname{End}(E')$, so $\varphi_{\mathfrak{a}}$ is horizontal. If $\mathfrak{a}$ is principal, then $E' \simeq E$.

This induces a $\operatorname{cl}(\mathcal{O})$-action on the set
$$\operatorname{Ell}_{\mathcal{O}}(k) = \{j(E) : E/k \text{ with } \operatorname{End}(E) \simeq \mathcal{O}\}.$$
This action is faithful and transitive; thus $\operatorname{Ell}_{\mathcal{O}}(k)$ is a principal homogeneous space, a torsor, for $\operatorname{cl}(\mathcal{O})$.

One can decompose horizontal isogenies of large prime degree into an equivalent sequence of isogenies of small prime degrees, which makes them easy to compute; see [Bröker-Charles-Lauter 2008, Jao-Soukharev ANTS IX].

[19/34] Isogeny volcanoes

Theorem (Kohel). Let $V$ be an ordinary connected component of $G_\ell(\mathbb{F}_q)$ that does not contain $0, 1728$. Then $V$ is an $\ell$-volcano in which the following hold:
(i) Vertices in level $V_i$ all have the same endomorphism ring $\mathcal{O}_i$.
(ii) $\ell \nmid [\mathcal{O}_K : \mathcal{O}_0]$, and $[\mathcal{O}_i : \mathcal{O}_{i+1}] = \ell$.
(iii) The subgraph on $V_0$ has degree $1 + \left(\frac{D}{\ell}\right)$, where $D = \operatorname{disc}(\mathcal{O}_0)$.
(iv) If $\left(\frac{D}{\ell}\right) \ge 0$ then $|V_0|$ is the order of $[\mathfrak{l}]$ in $\operatorname{cl}(\mathcal{O}_0)$.
(v) The depth of $V$ is $\operatorname{ord}_\ell(v)$, where $4q = t^2 - v^2 D$.

The term volcano is due to Fouquet and Morain (ANTS V). See http://arxiv.org/abs/1208.5370 for more on isogeny volcanoes.

[20/34] Modular polynomials via isogeny volcanoes [BLS]

Given an odd prime $\ell$, we may compute $\Phi_\ell(X, Y)$ as follows:
1. Select a sufficiently large set of primes of the form $4p = t^2 - \ell^2 v^2 D$ with $\ell \nmid v$, $p \equiv 1 \bmod \ell$, and $h(D) > \ell + 1$.
2. For each prime $p$, compute $\Phi_\ell(X, Y) \bmod p$ as follows:
   a. Compute $\operatorname{Ell}_{\mathcal{O}}(\mathbb{F}_p)$ using $H_D(X) \bmod p$.
   b. Map the $\ell$-volcanoes intersecting $\operatorname{Ell}_{\mathcal{O}}(\mathbb{F}_p)$ (without using $\Phi_\ell$).
   c. Interpolate $\Phi_\ell(X, Y) \bmod p$.
3. Use the CRT to recover $\Phi_\ell$ over $\mathbb{Z}$ (or mod $q$ via the explicit CRT).

Under the GRH, the expected running time is $O(\ell^3 \log^{3+\epsilon} \ell)$ using $O(\ell^3 \log \ell)$ space (or $O(\ell^2 \log q)$ space to compute $\Phi_\ell \bmod q$).

We can similarly compute modular polynomials for other modular functions. One can also use a CRT approach to compute $\Phi_N$ for composite $N$ [Ono-S in prog].

[21/34] Explicit Chinese Remainder Theorem

Suppose $c \equiv c_i \bmod p_i$ for $k$ distinct primes $p_i$. Then
$$c \equiv \sum_i c_i a_i M_i \bmod M,$$
where $M = \prod_i p_i$, $M_i = M/p_i$ and $a_i = 1/M_i \bmod p_i$. If $M > 2|c|$, we can recover $c \in \mathbb{Z}$.

With $M > 4|c|$, the explicit CRT computes $c \bmod q$ directly via
$$c = \sum_i c_i a_i M_i - rM \bmod q,$$
where $r = \operatorname{rnd}\!\left(\sum_i a_i c_i / p_i\right)$ is computed using $O(\log k)$ bits of precision.

Using an online algorithm, this can be applied to $N$ coefficients $c$ in parallel, using $O(\log M + k \log q + N(\log q + \log k)) \approx O(N \log q)$ space.

Montgomery-Silverman 1990, Bernstein 1995, S 2011.
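The explicit CRT of slide 21, as an added Python example (not the author's code): it keeps the slide's notation ($M$, $M_i$, $a_i$, $r$), computes $c \bmod q$ from the residues $c_i$ without ever forming $c$, and shares the per-prime setup across $N$ coefficients as the slide's parallel application does. The primes, the target modulus $q$ and the coefficients in the usage section are constructed test values; the rounding term $r$ is computed with exact rationals here rather than the $O(\log k)$-bit approximation the slide refers to.

```python
# Added example, not from the slides: the explicit CRT of slide 21, written out
# with the slide's notation (M, M_i, a_i, r) so that c mod q is obtained from the
# residues c_i without materialising the integer c. Primes, c and q below are
# constructed test values, not from the slides.
from fractions import Fraction
from math import prod


def crt_setup(primes):
    """M = prod p_i, M_i = M / p_i and a_i = M_i^{-1} mod p_i."""
    M = prod(primes)
    Ms = [M // p for p in primes]
    As = [pow(Mi, -1, p) for Mi, p in zip(Ms, primes)]
    return M, Ms, As


def crt_lift(residues, primes):
    """Ordinary CRT: recover c in Z from c_i = c mod p_i, valid when M > 2|c|
    (take the representative of sum c_i a_i M_i mod M in (-M/2, M/2])."""
    M, Ms, As = crt_setup(primes)
    c = sum(ci * ai * Mi for ci, ai, Mi in zip(residues, As, Ms)) % M
    return c - M if c > M // 2 else c


def explicit_crt_setup(primes, q):
    """Per-prime-set state, computed once and shared by all N coefficients:
    the a_i, the reductions M_i mod q, and M mod q."""
    M, Ms, As = crt_setup(primes)
    return As, [Mi % q for Mi in Ms], M % q


def explicit_crt_mod_q(residues, primes, q, setup=None):
    """c mod q directly from c_i = c mod p_i, valid when M > 4|c|.

    With s_i = a_i c_i mod p_i in [0, p_i) we have sum s_i M_i = c + r M exactly
    for an integer r, and r = rnd(sum s_i / p_i) because |c| / M < 1/4. The sum
    is then reduced mod q term by term, so only log q-size integers are handled
    per coefficient. The slide notes O(log k) bits of precision suffice for r;
    exact rationals are used here for clarity."""
    As, Ms_q, M_q = setup or explicit_crt_setup(primes, q)
    s = [ai * ci % p for ai, ci, p in zip(As, residues, primes)]
    r = round(sum(Fraction(si, p) for si, p in zip(s, primes)))
    total = sum(si * Miq for si, Miq in zip(s, Ms_q)) - r * M_q
    return total % q


def explicit_crt_many(residue_rows, primes, q):
    """The explicit CRT for N coefficients in parallel: residue_rows[i] holds the
    k residues of the i-th coefficient; the setup is computed once."""
    setup = explicit_crt_setup(primes, q)
    return [explicit_crt_mod_q(row, primes, q, setup) for row in residue_rows]


if __name__ == "__main__":
    primes = [101, 103, 107, 109, 113]       # k = 5 constructed CRT primes
    q = 4451                                  # constructed target modulus
    coeffs = [-123456789, 98765432, 3]        # constructed integers with M > 4|c|
    rows = [[c % p for p in primes] for c in coeffs]
    print(explicit_crt_many(rows, primes, q), [c % q for c in coeffs])
```

The bound $M > 4|c|$ is what makes $r$ a plain rounding: $\sum_i s_i/p_i$ differs from the integer $r$ by $c/M$, which is less than $1/4$ in absolute value, so even a low-precision estimate of the sum rounds correctly.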
[22/34] Mapping a volcano

Example: $\ell = 5$, $p = 4451$, $D = -151$, $t = 52$, $v = 2$, $h(D) = 7$.

General requirements: $4p = t^2 - v^2 \ell^2 D$, $p \equiv 1 \bmod \ell$, $\ell \nmid v$, $\left(\frac{D}{\ell}\right) = 1$, $h(D) \ge \ell + 2$.

1. Find a root of $H_D(X)$: 901.

2. Enumerate the surface using the action of $\alpha_{\ell'}$, where $\ell' \ne \ell$, $\left(\frac{D}{\ell'}\right) = 1$ and $\alpha_\ell = \alpha_{\ell'}^k$. Here $\ell' = 2$ and $\alpha_5 = \alpha_2^3$; each arrow is a 2-isogeny:

   901 → 1582 → 2501 → 351 → 701 → 2872 → 2215 → 901

3. Descend to the floor using Vélu's formula: 901 → 3188 (a 5-isogeny).

4. Enumerate the floor using the action of $\beta_{\ell'}$, where $\beta_{\ell^2} = \beta_{\ell'}^k$. Here $\beta_{25} = \beta_2^7$; each arrow is a 2-isogeny, and each row continues into the next:

   3144 → 3508 → 2843 → 1502 → 676 → 945 → 3188 →
   2970 → 3497 → 1180 → 2464 → 4221 → 4228 → 2434 →
   1478 → 3244 → 2255 → 2976 → 3345 → 1064 → 1868 →
   3328 → 291 → 3147 → 2566 → 4397 → 2087 → 3341 → 3144

[Figure: the resulting 5-volcano of depth 1. The surface is the 7-cycle 901, 1582, 2501, 351, 701, 2872, 2215; each surface vertex is joined to four floor vertices (901 to 3188, 2970, 1478, 3328, and so on for the others).]

[23/34] Interpolating $\Phi_\ell \bmod p$

Each surface vertex $y$ has $\ell + 1 = 6$ neighbours in $G_5(\mathbb{F}_{4451})$ (two on the surface, four on the floor), which gives $\Phi_5(X, y) \bmod p$ for each of the $h(D) = 7 = \ell + 2$ surface $j$-invariants $y$:

$\Phi_5(X, 901) = (X - 701)(X - 351)(X - 3188)(X - 2970)(X - 1478)(X - 3328)$
$\Phi_5(X, 351) = (X - 901)(X - 2215)(X - 3508)(X - 2464)(X - 2976)(X - 2566)$
$\Phi_5(X, 2215) = (X - 351)(X - 2501)(X - 3341)(X - 1868)(X - 2434)(X - 676)$
$\Phi_5(X, 2501) = (X - 2215)(X - 2872)(X - 3147)(X - 2255)(X - 1180)(X - 3144)$
$\Phi_5(X, 2872) = (X - 2501)(X - 1582)(X - 1502)(X - 4228)(X - 1064)(X - 2087)$
$\Phi_5(X, 1582) = (X - 2872)(X - 701)(X - 945)(X - 3497)(X - 3244)(X - 291)$
$\Phi_5(X, 701) = (X - 1582)(X - 901)(X - 2843)(X - 4221)(X - 3345)(X - 4397)$

Expanded modulo 4451:

$\Phi_5(X, 901) = X^6 + 1337X^5 + 543X^4 + 497X^3 + 4391X^2 + 3144X + 3262$
$\Phi_5(X, 351) = X^6 + 3174X^5 + 1789X^4 + 3373X^3 + 3972X^2 + 2932X + 4019$
$\Phi_5(X, 2215) = X^6 + 2182X^5 + 512X^4 + 435X^3 + 2844X^2 + 2084X + 2709$
$\Phi_5(X, 2501) = X^6 + 2991X^5 + 3075X^4 + 3918X^3 + 2241X^2 + 3755X + 1157$
$\Phi_5(X, 2872) = X^6 + 389X^5 + 3292X^4 + 3909X^3 + 161X^2 + 1003X + 2091$
$\Phi_5(X, 1582) = X^6 + 1803X^5 + 794X^4 + 3584X^3 + 225X^2 + 1530X + 1975$
$\Phi_5(X, 701) = X^6 + 515X^5 + 1419X^4 + 941X^3 + 4145X^2 + 2722X + 2754$

Interpolating each coefficient as a polynomial in $Y$ of degree at most $\ell + 1 = 6$ through these $\ell + 2 = 7$ points:

$\Phi_5(X, Y) = X^6$
$\quad + (4450Y^5 + 3720Y^4 + 2433Y^3 + 3499Y^2 + 70Y + 3927)X^5$
$\quad + (3720Y^5 + 3683Y^4 + 2348Y^3 + 2808Y^2 + 3745Y + 233)X^4$
$\quad + (2433Y^5 + 2348Y^4 + 2028Y^3 + 2025Y^2 + 4006Y + 2211)X^3$
$\quad + (3499Y^5 + 2808Y^4 + 2025Y^3 + 4378Y^2 + 3886Y + 2050)X^2$
$\quad + (70Y^5 + 3745Y^4 + 4006Y^3 + 3886Y^2 + 905Y + 2091)X$
$\quad + (Y^6 + 3927Y^5 + 233Y^4 + 2211Y^3 + 2050Y^2 + 2091Y + 2108)$

[24/34] The Weber function

The Weber $\mathfrak{f}$-function is defined by
$$\mathfrak{f}(\tau) = \frac{\eta\bigl((\tau + 1)/2\bigr)}{\zeta_{48}\,\eta(\tau)},$$
and satisfies $j(\tau) = \bigl(\mathfrak{f}(\tau)^{24} - 16\bigr)^3 / \mathfrak{f}(\tau)^{24}$.

The coefficients of $\Phi^{\mathfrak{f}}_\ell$ are roughly 72 times smaller. This means we need 72 times fewer primes. The polynomial $\Phi^{\mathfrak{f}}_\ell$ is roughly 24 times sparser. This means we need 24 times fewer interpolation points. Overall, we get nearly a 1728-fold speedup using $\Phi^{\mathfrak{f}}_\ell$.

[25/34] Modular polynomials for $\ell = 11$

Classical:
$X^{12} + Y^{12} - X^{11}Y^{11} + 8184X^{11}Y^{10} - 28278756X^{11}Y^9 + 53686822816X^{11}Y^8 - 61058988656490X^{11}Y^7 + 42570393135641712X^{11}Y^6 - 17899526272883039048X^{11}Y^5 + 4297837238774928467520X^{11}Y^4 - 529134841844639613861795X^{11}Y^3 + 27209811658056645815522600X^{11}Y^2 - 374642006356701393515817612X^{11}Y + 296470902355240575283200000X^{11}$
... 8 pages omitted ...
$+\,3924233450945276549086964624087200490995247233706746270899364206426701740619416867392454656000 \ldots 000$

Atkin:
$X^{12} - X^{11}Y + 744X^{11} + 196680X^{10} + 187X^9Y + 21354080X^9 + 506X^8Y + 830467440X^8 - 11440X^7Y + 16875327744X^7 - 57442X^6Y + 208564958976X^6 + 184184X^5Y + 1678582287360X^5 + 1675784X^4Y + 9031525113600X^4 + 1867712X^3Y + 32349979904000X^3 - 8252640X^2Y + 74246810880000X^2 - 19849600XY + 98997734400000X + Y^2 - 8720000Y + 58411072000000$

Weber:
$X^{12} + Y^{12} - X^{11}Y^{11} + 11X^9Y^9 - 44X^7Y^7 + 88X^5Y^5 - 88X^3Y^3 + 32XY$

[26/34] Computational results

Level records:
1. 10009: $\Phi_\ell$
2. 20011: $\Phi_\ell \bmod q$
3. 60013: $\Phi^{\mathfrak{f}}_\ell$

Speed records:
1. 251: $\Phi_\ell$ in 28s; $\Phi_\ell \bmod q$ in 4.8s (vs 688s)
2. 1009: $\Phi_\ell$ in 2830s; $\Phi_\ell \bmod q$ in 265s (vs 107200s)
3. 1009: $\Phi^{\mathfrak{f}}_\ell$ in 2.8s

Effective throughput when computing $\Phi_{1009} \bmod q$ is 100Mb/s. Single core CPU times (AMD 3.0 GHz), using prime $q \approx 2^{256}$. Polynomials $\Phi^{\mathfrak{f}}_\ell$ for $\ell < 5000$ available at http://math.mit.edu/~drew.

[27/34] Computing $\phi_\ell(Y)$ with the CRT (naïve approach)

Strategy: lift $j(E)$ from $\mathbb{F}_q$ to $\mathbb{Z}$, compute $\Phi_\ell(X, Y) \bmod p$ and evaluate $\phi_\ell(Y) = \Phi_\ell(j(E), Y) \bmod p$ for sufficiently many primes $p$. Obtain $\phi_\ell \bmod q$ via the explicit CRT.

Uses $O(\ell^2 \log^{3+\epsilon} p)$ expected time for each $p$, and $O(\ell^2 \log p)$ space.

However, "sufficiently many" is now $O(\ell n)$, where $n = \log q$. Total expected time is $O(\ell^3 n \log^{3+\epsilon} \ell)$, using $O(\ell n + \ell^2 \log \ell)$ space.

This approach is not very useful:
- If $n$ is large (e.g. $n \approx \ell$), it takes way too long (quartic in $\ell$).
- If $n$ is small (e.g. $n \approx \log \ell$), it doesn't save any space.

[28/34] Computing $\phi_\ell(Y)$ with the CRT (Algorithm 1)

Strategy: lift $j(E), j(E)^2, j(E)^3, \ldots, j(E)^{\ell+1}$ from $\mathbb{F}_q$ to $\mathbb{Z}$ and compute
$$\phi_\ell(Y) = \sum_{i,k} c_{ik}\, j(E)^i Y^k \bmod p$$
for sufficiently many primes $p$, where $\Phi_\ell = \sum_{i,k} c_{ik} X^i Y^k$. Obtain $\phi_\ell \bmod q$ via the explicit CRT.

Now "sufficiently many" is $O(\ell + n)$. For $n = O(\ell \log \ell)$, uses $O(\ell^3 \log^{3+\epsilon} \ell)$ expected time and $O(\ell^2 \log \ell)$ space (under GRH). For $n = \Omega(\ell \log \ell)$, the space bound is optimal.

This algorithm can also evaluate the partial derivatives of $\Phi_\ell$ needed to construct normalized equations for $\tilde E$ (important for SEA).

[29/34] Computing $\phi_\ell(Y)$ with the CRT (Algorithm 2)

Strategy: lift $j(E)$ from $\mathbb{F}_q$ to $\mathbb{Z}$ and for sufficiently many primes $p$ compute $\phi_\ell \bmod p$ as follows:
1. For each of $\ell + 2$ $j$-invariants $y_i$, compute $z_i = \prod_k (j(E) - j_k)$, where the $j_k$ range over the $\ell + 1$ neighbors of $y_i$ in $G_\ell(\mathbb{F}_p)$.
2. Interpolate $\phi_\ell(Y) \in \mathbb{F}_p[Y]$ as the unique polynomial of degree $\ell + 1$ for which $\phi_\ell(y_i) = z_i$.
Obtain $\phi_\ell \bmod q$ via the explicit CRT.

For $n = O(\ell^c)$, uses $O(\ell^3 (n + \log \ell) \log^{1+\epsilon} \ell)$ expected time and $O(\ell n + \ell \log \ell)$ space (under GRH). For $n = O(\log^{2-\epsilon} q)$ the algorithm is faster than computing $\Phi_\ell$. For $n = \Omega(\log \ell)$ the space bound is optimal.

If $n$ is $\Omega(\log^2 \ell)$ and $O(\ell \log \ell)$, one can use a hybrid approach. This yields an optimal space bound for all $q > \ell$.

[30/34] Genus 1 point counting in large characteristic

Algorithms to compute $\#E(\mathbb{F}_q) = q + 1 - t$ ($n = \log q$):

  Algorithm                 Time                       Space
  Totally naive             O(e^{2n+ε})                O(n)
  Slightly less naive       O(e^{n+ε})                 O(n)
  Baby-step giant-step      O(e^{n/4+ε})               O(e^{n/4+ε})
  Pollard kangaroo          O(e^{n/4+ε})               O(n^2)
  Schoof                    O(n^5 llog n)              O(n^3)
  SEA*                      O(n^4 log^3 n llog n)      O(n^3 log n)
  SEA (Φ_ℓ precomputed)     O(n^4 llog n)              O(n^4)
  SEA with Algorithm 1      O(n^4 log^2 n llog n)      O(n^2 log n)
    amortized               O(n^4 llog n)              O(n^2 log n)

*Complexity estimates for SEA-based algorithms are heuristic expected times.

[31/34] Elliptic curve point-counting record

The number of points on the elliptic curve $E$ defined by $y^2 = x^3 + 2718281828x + 3141592653$, modulo the 5011-digit prime $q = 16219299585 \cdot 2^{16612} - 1$, is [the 5011-digit value is not reproduced here].

[32/34] Elliptic curve point counting record

  Task                         Total CPU time
  Compute φ^f_ℓ                32 days
  Find a root j̃                995 days
  Compute g_ℓ                  3 days
  Compute π mod g_ℓ, E         326 days
  Find λ_ℓ                     22 days

$\phi^{\mathfrak{f}}_\ell(Y) = \Phi^{\mathfrak{f}}_\ell(j(E), Y)$ was computed for $\ell$ from 5 to 11681. Exactly 700 of 1400 were found to be Elkies primes. Atkin primes were not used.

The largest $\phi^{\mathfrak{f}}_\ell$ was under 20MB in size and took about two hours to compute using 1 core.

[33/34] Modular polynomial evaluation record

For $\ell = 100019$ and $q = 2^{86243} - 1$ we computed $\phi^{\mathfrak{f}}_\ell(Y) = \Phi^{\mathfrak{f}}_\ell(j(E), Y)$. This is much larger than one would need to set a 25,000 digit point-counting record.

The size of $\phi^{\mathfrak{f}}_\ell$ is about 1 GB. For comparison:
- The size of $\Phi^{\mathfrak{f}}_\ell \bmod q$ is about 2 TB.
- The size of $\Phi_\ell \bmod q$ is about 50 TB.
- The size of $\Phi_\ell$ is more than 10 PB.

[34/34] Improved space complexity of computing horizontal isogenies

The algorithm of [Bisson-S 2011] for computing the endomorphism ring of an elliptic curve $E/\mathbb{F}_q$ runs in $L[1/2, \sqrt{3}/2]$ expected time and uses $L[1/2, 1/\sqrt{3}]$ space (under GRH).

The space complexity can now be improved to $L[1/2, 1/\sqrt{12}]$.

A similar improvement applies to algorithms for computing horizontal isogenies of large degree [Jao-Soukharev 2010].
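The volcano data of slides 22 and 23 and Algorithm 2 of slide 29, as one added Python example (not the author's code): it expands $\Phi_5(X, y) \bmod 4451$ from the neighbour lists on slide 23, interpolates in $Y$ to recover $\Phi_5(X, Y) \bmod 4451$ as on slide 23, and then runs the two steps of Algorithm 2 for the single prime $p = 4451$ and compares the result against the bivariate polynomial, which Algorithm 2 itself never forms. The value $j(E) = 1234$ is a constructed stand-in for $j(E) \bmod p$; the polynomial arithmetic and Lagrange interpolation helpers are mine.

```python
# Added example, not from the slides: rebuild Phi_5 mod 4451 from the volcano
# data of slides 22-23 by interpolation, then run Algorithm 2 of slide 29 for the
# single prime p = 4451 and compare. Polynomials are coefficient lists, low
# degree first, with entries in F_p.

P = 4451     # the prime p of slide 22
ELL = 5      # the isogeny degree ell of slide 22

# Neighbour lists read off slide 23: each surface j-invariant y with its
# ell + 1 = 6 neighbours in G_5(F_4451) (two on the surface, four on the floor).
NEIGHBOURS = {
    901:  [701, 351, 3188, 2970, 1478, 3328],
    351:  [901, 2215, 3508, 2464, 2976, 2566],
    2215: [351, 2501, 3341, 1868, 2434, 676],
    2501: [2215, 2872, 3147, 2255, 1180, 3144],
    2872: [2501, 1582, 1502, 4228, 1064, 2087],
    1582: [2872, 701, 945, 3497, 3244, 291],
    701:  [1582, 901, 2843, 4221, 3345, 4397],
}


def poly_mul(a, b):
    """Product of two polynomials over F_p."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for k, bk in enumerate(b):
            out[i + k] = (out[i + k] + ai * bk) % P
    return out


def poly_from_roots(roots):
    """The monic polynomial prod_r (X - r) over F_p."""
    poly = [1]
    for r in roots:
        poly = poly_mul(poly, [(-r) % P, 1])
    return poly


def lagrange_interp(points):
    """Coefficients of the unique polynomial of degree < len(points) over F_p
    passing through the given (x, y) pairs."""
    n = len(points)
    result = [0] * n
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for k, (xk, _) in enumerate(points):
            if k != i:
                basis = poly_mul(basis, [(-xk) % P, 1])
                denom = denom * (xi - xk) % P
        scale = yi * pow(denom, -1, P) % P
        for d, c in enumerate(basis):
            result[d] = (result[d] + scale * c) % P
    return result


def phi_univariate(y):
    """Phi_5(X, y) mod p: monic of degree ell + 1 whose roots are the neighbours of y."""
    return poly_from_roots(NEIGHBOURS[y])


def phi_bivariate():
    """Phi_5(X, Y) mod p as a matrix C with C[i][k] the coefficient of X^i Y^k:
    each X^i coefficient is interpolated in Y through the ell + 2 = 7 surface points."""
    ys = list(NEIGHBOURS)
    univ = {y: phi_univariate(y) for y in ys}
    return [lagrange_interp([(y, univ[y][i]) for y in ys]) for i in range(ELL + 2)]


def specialise_x(C, x):
    """phi(Y) = Phi(x, Y) from the full bivariate polynomial, for comparison only."""
    out = [0] * (ELL + 2)
    for i, row in enumerate(C):
        xi = pow(x, i, P)
        for k, c in enumerate(row):
            out[k] = (out[k] + xi * c) % P
    return out


def algorithm2(j_e):
    """Slide 29 for one prime p: z_i = prod_k (j(E) - j_k) over the ell + 1
    neighbours j_k of y_i, then interpolate phi(Y) of degree ell + 1 through the
    ell + 2 points (y_i, z_i). Phi_5(X, Y) itself is never formed."""
    points = []
    for y, nbrs in NEIGHBOURS.items():
        z = 1
        for jk in nbrs:
            z = z * (j_e - jk) % P
        points.append((y, z))
    return lagrange_interp(points)


if __name__ == "__main__":
    C = phi_bivariate()
    print(C[5])                                        # coefficient of X^5 as a polynomial in Y
    print(algorithm2(1234) == specialise_x(C, 1234))   # 1234: a constructed j(E) mod p
```

Two checks worth running on the output: the interpolated matrix is symmetric and has $-1 = 4450$ as the $X^5Y^5$ coefficient, as slide 23 shows, and Algorithm 2 agrees with specialising the bivariate polynomial at $X = j(E)$ while only ever touching $\ell + 2$ products and one degree-$(\ell + 1)$ interpolation per prime, which is where its $O(\ell n + \ell \log \ell)$ space bound comes from.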