Add to collection(s) Add to saved
  1. Arts & Humanities
  2. Philosophy

17016 >> Christine: Okay. So today we're very pleased...

advertisement 
17016
>> Christine: Okay. So today we're very pleased to have Francois Morain visiting us from Ecole
Polytechnique. He'll speak to us on advances in the CM method for elliptic curves. Francois is
well known for his work in computational number theory over the last several decades. He's one
of the first implementers of the CM method for generating elliptic curves for various purposes,
including, in the elliptic curve primality proving algorithm, and he holds the world record for largest
provable prime proved [chuckling].
>> Francois Morain: Thanks, Christine. So you see I've put all of my sponsors here. In France
we are forced to have many sponsors. This change we look good with time.
>>: Can we sponsor you?
>> Francois Morain: No, I'm just visiting. You want to sponsor me, we can discuss. I'm currently
at sabbatical at University of Waterloo.
So I'd like to give you an overview what the CM method is and what it's useful for and what are
some recent subalgorithms which can be used to speed that method.
And I ask some questions, and then we'll briefly describe what I have no time to tell you about.
So this is just -- so it's several decades, at the most two decades for me. That's okay. Two
decades. We'll have to make a party with. Anyway [inaudible] so elliptic curves exist. Have the
longest (inaudible). And computational is we'll just all believe that when this whole algorithm for
computing the cardinality for elliptic curveses over [inaudible] is the start of all this business.
So this algorithm was kind of new at the time and maybe the thing that started the use of elliptic
curves, encrypto and so on, Linstra's factorization algorithm, which is this was the first real use of
elliptic curves in that area. And you'll see around '95 -- sorry, '85, '86, many people were aware
of these two works. And not very surprisingly which led to this idea about maybe they could be
used in crypto also. And two people independently invented, so to speak, elliptic curves
cryptography.
Victor Meter and Niko Bitz, not too far from here, in University of Washington. At the same time
there were many people trying to do primality proving. So here I listed some names. Chudnosky
brothers were in fact the first to try to do some primality, some big primes, like Mercer primes,
with simple, most simple cases of CM curves. Bosma, he began also by studying the first two
cases of primality proving.
And then Atkin gave a general method to do that and then joined after that. At the same time it
was realized that maybe this problem, this complexity problem determining however given integer
is prime or not could be proven in RP. It cannot be done directly with elliptic curves because we
cannot prove things.
It's true. Everybody knows it's true, but we cannot prove it. And the first real proof that this
problem is in RP was done by Adleman and Huang and using hyper curves rather than elliptic
curves. This is the theoretical part.
At the same time so we were doing primality proving and there was the connect problem which is
trying to compute the cardinality of an elliptic curve or finite field from a practical point of view, but
attracted many people and came up with ideas by Elchist and Atkin and Cycle and Vergin and
whatever and after that. So that we can now compute some cardinality of some elliptic curves.
So you see this kind of mixing between crypto and pure, so to speak, computational number
theory and nowadays most uses are in crypto. We can use [inaudible] curve and build the CM
curves and there are many overapplications. And the most recent is the use of parings. Yes, first
question.
>>: What about volcano?
>> Francois Morain: You'll see volcano at the end of my talk. So it's incentive for you to stay.
So for ease of presentation I will stick to things being defined over some large prime finite field.
So most of what I will be talking about can be generalized to say characteristic, too, but I'll stick to
this, which is the case for primality proving anew.
So what's the problem? The problem is that sometimes when you run algorithms to build special
objects for crypto, you need a lot of elliptic curves and a lot of their properties. And it's not
obvious to compute.
So cardinality of an elliptic curve. We have basically for the large prime case this hopes algorithm
and it's too slow. Just too slow. So the right curve for this is 2,500 decimal digits. We don't do
that for crypto, but if you look at crypto sizes that's too slow. Imagine you have to find a curve
whose cardinality is prime. And then you have to select the curve, compute its cardinality and at
the end say, oh, no it's not prime and come back.
So that takes too long. So the idea is to use CM curves, which are very special. So let's make a
degradation. In what circumstances can I write a prime P as the sum of two squares, for
instance? So we answer it's back to -- it says, please, congruent month four. Now suppose I
generalize this, when can I write a prime of this form? So it's a theoretical problem that will solve
only at the end of 19th century. And it's not obvious. And yet it does connection with elliptic
curves. Maybe some 50 years later it was shown that if your prime can be written like this, then
you can associate to it an elliptic curve over the same finite field which has this cardinality.
So you see you replace some random curves for which you cannot compute a cardinality by
some conditions on P, your favorite prime, and you say if I can write it like this, I can have an
elliptic curve whose cardinality I know.
So this is a sense of the CM method is exploit this, use the results of Cornacchia [inaudible] all
these peoples and all these people and try to use it for doing the construction, this construction of
curves.
So what are the applications of this? So the first one was primality proving which was invented
by Atkin for this reason. So I don't know if it used to be a killer application as you might say. It's
probably no longer a killer application. Nobody cares about primes anyway.
So that's fine. Now you can make records and blah, blah, blah. But now you cannot make
money out of it, which was one of my dreams. But I'm still poor anyway. But I can write papers,
which is interesting.
So primality proving, CPP, and apparently so the user elliptic version of AKS which is called X or
whatever and the practicality of which is not very clear at that moment. Still less slower than
ECPP but as usual [inaudible] they all have this property that you can prove it works.
I cannot prove that ECPP works but it works. So it's not the first time in computational number
theory where you have two kinds of algorithms, one which is proven [inaudible] polynomial and
doesn't work in practice and the other one you know nothing about it but it works.
So that's life. So I guess applications outside the primality proving a long time ago, 1981, an
uninteresting problem except that it was an example where a similar method could be used
without any reference to primality proving.
So we have an application by linear that says, okay, give me a cardinality and I'll build you a finite
field and give you the curve with this cardinality.
Cannot be used as is in primality proving but in some cases. Now that was the key to the
application, that's it. Building paring friendly curves for crypto applications. So I won't tell you
about a single thing about this. There's a huge survey paper on paring-friendly curves by
Freeman Scott Teske, so everything is there, all discussions. And they all meet at some point,
the CM miss. So just a few remarks. So now remember there are two different contexts.
However I do ECPP or I do crypto. For crypto you see primes are smaller. But there are primes
in the sense that you give me as an input the number that is prime.
In the CPP, I want to prove that N is prime, but I'm not sure it's prime. So it does some -- it
causes some problems here and there, and you have to prove everything you do, basically.
Here you can just do the computations and say, okay, that's a field I don't need to prove.
So apart from this, the size is your encrypto to bits, CPP at least 30,000 bits. So arithmetic you
need here and enter the performance of your program. So you are to be careful. And also
difference here basically, D, the discriminate that will appear next is given. I cannot do -- I have
to do with it. In CPP I can choose my discriminant. But maybe just technical remarks but
sometimes I will say CM this will happen and CPP this will happen and we see the differences.
So now we have to do some math to just give you an idea of what's going on. So suppose I want
to represent my prime as the sum of two squares, which means I have to study this field, Q of I,
where I is the root of unity.
And when you have [inaudible] of K discriminant, for instance, minus 4 here, you can play with
orders. Orders are just generated by, generator of ring of integers. So you don't need to know
this but just to fix ideas, something like this, for instance, if you want.
And all those are described by discriminants or by the conductor, and so this amounts to
[inaudible] as N squared times DK where DK is discriminant of the feed. So take this example
just for the record. I have here discriminant minus 4. And the ring of integers of this is in principal
order. So I ask a question: When is P representable by the form U squared minus DV squared?
And the answer is given by class of fury, which is the result of many work in the 19th century.
It tells you that P is representable as a want, if and only if it splits in some extension field K. And
this K here can be generated by the junction of the value of this singular invariant here.
You have some prescribed series, which is called a modular invariant. And you plug in it this
value Q. This gives you an algebraic integer. It does some miraculous properties and you can
use it to represent your field here.
So translated, and still program like I want to represent my prime as the sum of two squares and
something everybody understands which is building this conductance class. Any way we know
how to compute J. And that's what we show here. This form here, what I represent here is you
can represent P as this expression here. If and only if this is square might be and over
miraculous polynomial H splits.
So I have now an answer, and even an algorithmic answer. If I can represent P like this and this I
can detect by this and over methods, then I can build an analytic curve, maybe, which has the
required cardinality.
So just to stick with our easy example. 4P can be returned the sum of squares here. There's a
special case of two, which doesn't, which is not important for us. Or P when we're 1 to 1-4. And
obviously this was very brief, so there are many standard books containing results about complex
multiplication and so on.
So there's a famous book by Cox. And if you want you can go back to one of the first early notes
in math, 21, describing many more fields. So just to give you examples of what happens, so we
have to understand this polynomial here. There are some algorithms computed. And I give you
here the first, some first values of these polynomials.
So you see that everything is okay. It's simple. For minus 6 it's X. For minus 4 it's X minus 12
cubed, and rapidly you have big polynomials.
And each time -- so you see 23 small. The height here is very large. So that's a problem. We
have to -- we will have to fight against this. And then we come back to this later.
So now let's describe what the CM method could be. There's probably many variances of this.
I've just described two of them. Let's say what maybe is important for crypto input is a field,
discriminant. And two integers, U and V, such that P is equal to this. And I want to cure these
cardinalities and I have the sense, the proof of correctness.
So proofs are becoming to be important in our field. So sometimes we need proofs. Or at least
certificates, which is a variant of proofs.
So I'm trying to convince you that it's true. If you think about it, it's not easy. Because okay I can
do all the computations and tell you okay this is your answer. How do you check it? So here it's
not completely possible to check because you see you know elliptic curve.
You're supposed to know how to compute fine points, multiplied points on an elliptic curve. And
at least I want that if I take a point I trend them here. Multiplied by M. That's 0. That's a good
start for number to be cardinality of some group that satisfies Lemna [phonetic] theory. If you do
this, how do I prove that the group it's a given cardinality. And the classical answer to this is you
have to find some number form of matrix related to E or you have to find generators of this kind.
And you can't enter unless trouble because here I have no clue what M can be factored; if I
cannot factor M, then I cannot find generators. Even if I can factor M I'm not sure I can find
generators.
If you want complexity there I cannot prove but I can find generators in an elliptic curve in, I don't
know, polynomial time. I cannot prove it. So even sometimes the structure of the group is not as
easy as one could think of. Maybe it's not cyclic, for instance. So we need two generators. So
you have to prove two generators are independent. So you can have a lot of trouble here. In
primality proving what happens is you build a huge elliptic curve and in fact the primality proof
gives you the proof that the cardinality is what you say it is.
Okay. So that might not be true here. A variant of this -- this is not satisfactory from a theoretical
point of view. It's not well-defined. This in particular. Those of you who know about isogonies, I
can give you a curve which is isogenous. So the output is not clearly defined.
So maybe the most precise variant would be this one. Input the same thing but now I want the
proof that the curve here I give you has complex multiplication by the order I told you it has.
And so, again, this is not completely obvious. And, again, volcanos. And I'll come back to
volcanos later on.
>>:: Francois, on the previous slide the last one, the correctness that you're trying to prove, is
that the E that you output actually has order M?
>>: Francois Morain: Yes.
>>:: So did you think about that trick of Mastra that tried to prove it from there?
>>: Francois Morain: Sure. You need some -- you have to know something about the factors of
M at some point. And the mass algorithm is not guaranteed to terminate.
>>:: Factorization.
>>: Francois Morain: Does not really use factorization? You cannot prove -- it works in
polynomial time. If you don't have luck, you can spend quite a lot of time finding points. I'm not
sure what mass algorithms give you. It's absolutely not deterministic anyway. And polynomials, I
am not sure.
I mean, the best proof is I give you the generators. Except if the curve is not cyclic, then I have to
prove you two points are independent. Okay. So you can do that with paring.
>>:: Why two points? You're just talking about the cardinality of the curve, right?
>>: Francois Morain: Depends. You cannot prove that M is good, if you cannot prove the
structure of it.
>>:: You mean like a point on the curve, a point on its twist or something like that?
>>: Francois Morain: If the order is large enough. Okay? I mean, if I can -- okay. We can
discuss that later, because otherwise -- okay. There's some more work to be done. Okay. So
what is CM function that implements more or less what I've told you about? First thing is that
there is this polynomial HD of X. You have to compute it in some ways. You have to find the root
of it math P. Once you have a root, you have to find an equation for E. And maybe there are
some twists to consider.
And you have to prove that E has a good cardinality. So this is a basic scheme. So what can we
say? I won't tell you about this, because, ask questions, and you also had the talk by Andrew
[inaudible] the last year. So no need to repeat it. It's supposed to be fast in the sense that the
height of this guy is almost D. You have a method in O epsilon. It's supposed to be optimal and
the result I don't know. For my talk it's solved.
Okay. Find the root of this. Obviously a classical problem in computational theory, give me a
polynomial finite field. Many tricks for doing this. And I'm using also [inaudible] theory because I
know the [inaudible] group. I can split the extension into smaller subextensions and to speed up
things. But it's already described in many papers. So I don't want to insist on that. And thus, so
to speak, standard.
So like you see things like -- controls analysis algorithm and a few things.
Here there's a technical problem to get rid of twists. There's a recent paper by Rubin and
Silverberg. Not completely convinced it can be used easily. I'm still working on this. I could
comment later on on this. But I have no definite answer. And here you can have
parameterizations. You can look for different parameterizations of elliptic curve to have a fast
verification of this key equation, so to speak.
So we insist basically on something which replaces one or at least which replaces J here by
something else, and comment on step four later. So I told you that we have a problem with this
huge class polynomials because they just have two big coefficients. So the idea is to try to
replace J by something smaller. So typical example, I start with the value of J at square root of
minus 2 can be computed to be 8,000. And if I select an equation [inaudible] equation, at random
like this one, and then I can find a root here which is smaller.
So, of course, this is not a random equation. And I have to show you it's not random and that it
can be used. But at least 64 is less than this guy. So there's hope I can do something. So this is
not a random equation because it has something to do with modular equations and modular
curves. And this is a model for X is 0 of 2. So the idea, from a very high point of view, is say,
okay, I place 2 by something else and it works the same.
This is what we're going to do. So just to put it more simple, you define this [inaudible] subgroup
and you look for functions that are more or less invariant by all matrices mod N defined by this
relation.
So this white thing here means what I consider all, 2 by 2 matrices of this determinant 1, for which
this coefficient is 0 mod N for some fixed N.
And what is interesting -- what's interesting here is this the results here that each time you have a
function for this subgroup gamma 0 of N there's a modular equation which relates the function to
J.
So you see we just want to generalize this. This is the modular equation and this is for gamma 0
of 2. So question: How can I find functions that are defined over -- I mean, the modular functions
for this subgroup, work out the modular equation, and what is the relationship with my original
problem?
So, first of all, I cannot solve the question what is a small invariant, as we call them? So suppose
I give you a polynomial in two variables. I know some value and I want to say something on the
other root. Just to be a little more precise here. I give you a polynomial in two variables and I
instantiate one of them.
So I know why 0, what's the size of X. So rule of thumb here is you write the dominant term here
and there is some term with Y-0 maybe. If you want all these guys to conserve, the largest solver
here must match to a certain point some power here. This is what is made precise by the
theorem of Andry and Silverman, which tells you that the size of the solution of this equation, call
it X0, is kind of proportional to the size of your input root Y0. And the coefficient of proportionality
is a ratio of the two degrees, but to some fudge factor here.
So the equality of an invariant of its size will be given by this continuity here. So take J, for
instance, when you have a ratio of 1. If you come back to my expression here, you have degree
three here or degree one here. So the coefficient is one-third. So one-third is good. And maybe
we can do better.
So now it's time to give you functions that can be used. And in general, when you play this game,
you always lose some combination of edit functions. So edit functions here is a [inaudible]
function which has this expression. You can write it as a sum if you want.
And you multiply all these guys together. So define this function G of Z as a product of this
quantity 0 and N is 0 parameter. This symbol means division by -- sorry. Group of devisors of N
and we have this function and provided all these here which are integers satisfy these
arithmetical conditions, when you get a good function that can be used.
So you can work out a theory for all these guys. We spend a lot of time on sub families, like the
one of Enge and Schertz, some parameters here and generalize the functions which is just this
with S some parameter which has to be carefully chosen.
So we have a general family plus sub families that are different properties. So what is interesting
here are the functions which have the smallest of this coefficient C and one way to have this is to
stick to a degree in J which is 1. And it has something to do with modular curve of zero, finite list
of this. And basically you can take this model for these cases. So you see my first modular
equation is one I showed you before is this one. You have the same thing for index 3, index 4.
And if you end up looking at tables and doing computations you find this data quotients for all
cases of general 0. And here I put the value of my coefficients.
So particularly this tells you if I can use this function then I have a very good ratio here which is
one of 36.
Okay. So what is missing now is I go from these modular equations here to numbers that I can
use to replace J in this class polynomial stuff. So the missing link is something complex, which is
called Shimura's reciprocity law. You can try to use it directly, but it's a case-to-case use of it. It's
not simple at all.
So you can have examples of this in the papers by Stevenhagen and Gee. And there's
simplifications of this law that are easier to use and they are two streams, so to speak, in this. So
one by Stark and Hajir and Villegas or the one by Schertz. And so we can use all of this. And in
fact Schertz' variant is easier to use and this is what we did.
So what is a typical theorem on this. Suppose I give you what I call Newman functions, the
product of this stuff. And B satisfies this equation by N. And then the value of F at the point
minus B plus square root of G over 2 is a class invariant, which means that it can be used in
place of J in the same algorithm.
So what we did this winter is apply this and more because we, this is a general result, and we will
extend it to all of these invariants here, like multiply generalizable function and put it to some
power, multiplied by 24 foot of linearity and you ask when is this a good candidate.
So typical results. I mean, the paper is on my web page. It's a long paper because there are
many cases. In fact, here are some simple results. For instance, and what we wanted is a
uniform proof for all Ns and all Es and whatever.
So, for instance, if N is 5 mod 12 and is not devisable by three then I can use this invariant WN
squared. And you also have a result for four foot afinity and you have the polynomial here to
show that it works.
Okay. So this will illustrate my work. So obviously if you are trying to prove invariance of, to write
mathematical conditions for Galois theory you need to have some time. So a good time is
shoveling snow, or after shoveling snow anyway. So that's a very particular shovel here. But not
here to give you a talk on shovels. Interesting, but not the point.
Okay. So you have more examples like this like the W 3 squared here and you have very sparse
polynomials. Okay. So you cannot dream of having smaller height here at just 1 and 1. So it
shows what we arrive at something. I cannot -- I'm always happy to see numbers. That's okay to
make sure. But numbers are more important.
So here are some of my computations. So you see just to fix ideas. If you -- already I gave you
H minus 75 of J, this guy, and when you see it can have a very small one here instead.
Okay. Now we can compare invariants. Like, okay, I have all these families of invariants. What's
the best one? So you have to work out all formulas for the constants there. And you end up with
this kind of table. You don't have to read. And you can say something like, okay, if I can use L
then I can use L squared and that's better. And so everything has to be used after that in
programs to see if it works really or not.
So in answer 5, we've already gave a list of the best invariants. And so we had this one, for
instance, the value 4 can be used whenever D is the one with 8. And see we have 48, which is
half of 96. So we should look at this.
And you have new guess, and for instance you remember your huge function, Newman 18, all
these data quotients is 36. So here I put the inverse of C because it's more easily readable. And
to record actually is currently 72. So remember me, reminded me that he proved that cannot be
larger than 96. But we have no 96 examples yet.
And, okay, you see that 72 is much better than 1 by a factor of 72. And here you have gamma 2
and gamma 3 and all these functions can be used later on. These are bad functions. So we
prefer to use functions here.
So does it work in practice. So just to give you an idea what happens in primality proving, it will
give you all this stuff which is a bit fast. So I told you that primality proving is not a killer
application but there are still crazy people wanting to prove numbers to be prime.
So what they do is we take some implementation of ECPP and when it fails then these are the
numbers. So I do that with my programs, sometimes. Depends on my mood and [inaudible] I
have.
And just to fix the idea I did recently -- my computers did, three say large numbers with
approximately 10,000 decimal digits each. So it's interesting to compare things and the version
of the program. So this is the most recent one. This is not too far away and this is an old
example and the timings are strange here. So, okay, these two are current and this is not. So
either this number is hard or I did something wrong in my script measuring time because it's well
known and complete problem to measure the time spent by your programs using a distributed
way on computers you don't control.
So it's an approximation anyway. So you see that the typical proof 10,000 decimal digit number
on cluster MD64 whatever processor, takes you something like 62 to 70 days. Forget about this
one. And so there are two faces in primality proving. First you have to find good candidates
discriminate and so on. Takes you 49 days. And the proving part, which is computing all these
polynomials and solving P and proving E, 15.
So whenever you have an issue of three between the two phases. Here I put some statistics.
Okay. Here are large D and H. This is more what we were discussing at lunch. You see for this
guy I had to, these are two typical examples. And this is the one of the larger class number and
another one, class number. You see here examples for this guy and this guy here. So you see
this is not infrequent to have large trust numbers. So this means we have to deal with
polynomials of that degree, big coefficients. I didn't put it ahead. That's comfortable. And in that
part I listed some invariants. Invariants that were used to compute more class polynomials, and I
order this by the number of times that they were used.
Okay. So I had to compute minimal polynomials. And you see when I can use invariant W 25
then I do it and it's smaller invariant. Afterwards you have angles shared and you have Newman
18 and all this stuff. So almost all of these are new invariants, so to speak, and there are old
ones here. The same for this version of my program and here it was a version without all the new
fancy invariants.
And that tells you something on the use of Enge Schertz and classical stuff, so on and so on.
You see new invariants are very, very useful in fact.
And as a last example, numerical example, I give you timings. Okay. For this discriminate, which
is taken here, the Galois approach means computing all the roots of the class polynomial and
computing the Galois group, so on and so on, and cutting that into pieces takes you less than
three halves.
And when looking -- sorry, looking for root of all these guys mod P which means solving all this
degree equations it takes you like 51,000 seconds. So you see the mod P part takes a lot more
than complex parts.
Not always not to penalize this, but in any case I should do something about this, but I already did
a lot. And here this is the time needed to check the key equation of primality [inaudible] and you
see this is 300 seconds. So okay I can optimize this also.
>>:: So the difference in these columns, is it you say you don't use the new invariance in the third
column, does that account for the number of difference in days?
>>: Francois Morain: No, because you see the difference -- here I don't know really what
happened. I have to check, because it's very bizarre. I don't understand. I mean, we still have
this one-third ratio. I'm pretty sure not. But I will have to check. Because I mean you see here
the difference between this invariant, for instance, and this one is not that important. And you see
the time needed here to compute just the biggest polynomial here is nothing. So this cannot
account for 16 or 15 days. So we have to check this.
So that's a good question, I would check. It would be a nightmare, it's a nightmare going for log
files and trying to understand why it's slow.
Okay. So too bad Peter is not here anywhere. You tell him that I talk about Montgomery forms,
but probably he knows. Okay. So this part, the last one, concerns the fact that maybe the
standard elliptic curve equation, which is the [inaudible] form is not the optimal one to perform
group operations, which is not really a new topic, and these are the newcomers, [inaudible]
twisted Edwards curves. And since I will [inaudible], I say to myself why not try to understand all
this stuff about Edwards curves. So I thought it would take me three days. It took me one month.
And obviously I hope somebody will make, write a paper explaining why it should not take one
month.
Anyway, so you may not recognize elliptic curve. This is not what you find in textbooks. I was
discussing that with Steven [inaudible] and he told me, oh, there's some guys who want to rewrite
or write basic elliptic curve now starting with that equation as a definition of an elliptic curve,
which is from, I guess, the point of view of maybe a first completely crazy. But it's not the first
crazy thing we would see in crypto anyway.
So you have instead of having something looking like this, which is a Montgomery form, which is
close to a various Straus form you would have this. And the interest of this is that you have a fast
group operation or fast formulas for group operations, and you have what are called by Denstein
and Longer, unified laws, additional laws. Sorry, unified operations, which means that if you do
the addition of two distinct points doubling of points it's the same laws. And complete means that
we are no singular points. At someplace in the code and that's better. And the complete form
corresponds to G being not a square. And so in the research I will show you the Montgomery
form invented by Peter for doing some special operation in factorization for ECMF.
So there are at least two actors here. And the first being -- not the first thing, one of the last
things that we're, last things that were invented by -- so the first one is Denstein and [inaudible]
here, Mark [inaudible]. Move it over here so you can find it on the web. In fact, you have
equivalence between these two forms.
And in fact we can prove also that one of these two forms is possible if and only if your elliptic
curve has a point of other four on your base.
So I took some series of papers to arrive at this conclusion, and so you can draw now your own
conclusions about this, to which I cannot -- it's really an interesting thing, one of the things I had
recently is that suppose I ask you give me a parameterization of curves with points of order 4. So
the standard thing is to go to the model of X 0-4, take the invariant. And that's it. So this is a
parameterization in Viras Strauss form of a cube. You looking for so parameterized by B. And if
you can put your curve on this Kubert form then you have many miraculous properties and you
can go to Montgomery if you want or Edward if you wanted.
So what are the miracles here? Here I can spot points of order 2. This is not a miracle. It's more
interesting is that we have close formulas for the axis of the four rational points I can factor out
the fourth degree divisional polynomial. There are two obvious roots, as we say. 0 and this guy
here. And you see that there are two rational points. Here and maybe or maybe not over rational
points depending on the fact that 16 B plus 1 is a square or not. So when it's not a square, then
you have a complete Edwards curves and that's interesting.
And if you want relation between the two parts of my talk, here's one. You can compute between
invariant of this curve here and find this formula, and you put -- you make this change a variable
which is very clever. W 1 over B. You end up here. And this is a modular equation for the very
generalized, this one.
And I start the other way around, I started from this. I can put it in Edwards curves and go on.
Anyway, so now coming to using CM curves. So you see at one point I thought that it was good
to have curves in Edwards form, and I wanted to use that for primality proving. So computed
curve as again one point of order 2, and which is arsenal, and one point of order 4 which is
rational. So I tried to use that in the CM method to discover that it was almost impossible to use
in the following sense.
Suppose -- so this is a volcano, by the way, at least a part of the volcano. You have to rotate and
it's a volcano.
So if you think about it, there's a direct relationship between being a two torsion point or having a
two torsion point and being a two rational isogeny and volcanos are concerned with isogonies.
Suppose two splits in my field, then you have the quarter of the volcano here and you have
isogeny. So you should start from a point here. It has two neighbors, and one descendant, so to
speak, and so this guy has three -- two rational points. So it cannot be completed Edward
curves. But if you go down to the bottom of the volcano, then you end up here on some points
here and these guys would just have one isogeny going out. So there's just one -- two rational
torsion point and maybe they can be of computed words type.
And we can prove results about this. So with all the sequences of this in primality proving,
generally speaking we use curves that are here. We build curves that are here. So we cannot be
used as is in Edwards parameterizations, and, okay, we can go down here if we want to recover
good parameterizations and this tells you where you have to find your good examples when doing
crypto-related things if you insist.
So it's funny because a lot of elliptical curves of ECM are not here. I mean, they are mostly here
or here. And so you can prove it if you use some invariants and some discriminates and so on.
But this phenomenon here is very frequent.
Okay. This is all I wanted to say about this. So conclusion. Take it away, as I would say,
yesterday morning. New invariants are good, useful and practical, and this is a work formula to
make them work in a context of parameteric method and [inaudible] has the same kind of
problems but they are useful. You end up with very small objects.
New parameterizations, okay, can be used mainly in the CM context. Maybe it's more useful
because you know P's prime, you can replace with things, so on and so on. So I don't say
Edward curves are useless, I say you have to be careful when you use it within the CM context.
And also the obvious conclusion is that everything is trivial in Genus-1. Nothing is known
however, almost nothing, in Genus-2. I don't speak of higher generals, but it's more work for
people to do.
And I've put two recent preprints on this topic on my web page. One with Andre and the other
one with myself so that you can look at them.
And thank you for your attention. I can answer more questions if needed.
[applause]
>> Christine: Questions?
>>: I had one question. A few slides back you recognized this one, W-4 to the 8th. So then
would this, does this lead you to start from an invariant like this, W-4 to the 8, and recover ->>: Francois Morain: Yes.
>>: -- an Edwards curve without worrying about a twist? Or do you still have to worry ->>: Francois Morain: Aha, good question. Twists are boring. I mean, in theory, twisted Edward
curves, so to speak, are related to replacing the ratio A over D by some other thing.
So, yeah, when you look -- when you just consider invariants, I agree you forget about twists. So
the last thing I was a bit lazy to describe is how do you get the good twist in this. So it might be
tricky. And so discussed that with Steven [inaudible] has written a paper on Edwards twists. I
mean, a page on this. It's not completely obvious. But, I mean, if you compare this to the
traditional reports you also have to deal with twists. So maybe you will have to test two curves.
So same problems arises.
>>: [inaudible].
>>: Francois Morain: No, no, here I only work in terms of modularity. So twist is somewhere
else. So it's the same problems that will arise and that's it.
>> Christine: Any questions? So let's thank Francois again.
[applause]
Related documents
COMPUTER PROBLEMS: DAY 10 (1) Find the first 10,000 pythagorean triples.
COMPUTER PROBLEMS: DAY 10 (1) Find the first 10,000 pythagorean triples.
RANKIN-SELBERG L–FUNCTIONS AND THE REDUCTION OF CM ELLIPTIC CURVES
RANKIN-SELBERG L–FUNCTIONS AND THE REDUCTION OF CM ELLIPTIC CURVES
M360 Mathematics of Information Security
M360 Mathematics of Information Security
MATH 360 Mathematics of Information Security
MATH 360 Mathematics of Information Security
Econ Chapter 1
Econ Chapter 1
Download
advertisement