Team tanc

Inria / Raweb 2004
Project: tanc


Section: New Results

Complex multiplication

Genus 1

Participants : Régis Dupont, Andreas Enge, François Morain.

Elliptic curves with complex multiplication (e.g., the curve of equation $y^2 = x^3 + x$) are the main component of the ECPP algorithm developed by F. Morain, whose aim is to give a primality proof for an arbitrary integer. Though the decision problem isPrime? was recently shown to be in P (by the work of Agrawal, Kayal and Saxena), practical primality proving is done only with ECPP. The AKS result motivated F. Morain's work on a fast variant of ECPP, called fastECPP, which led him to gain one order of magnitude in the complexity of the problem. The complexity of this variant is heuristically $O((\log N)^{4+\epsilon})$. By comparison, the best proven version of AKS has complexity $O((\log N)^{6+\epsilon})$ and has not been implemented so far (see [13]). F. Morain implemented fastECPP and was able to prove the primality of $10,000$ decimal digit numbers [35], as opposed to $5,000$ for the basic (historical) version. Continuous improvement of this algorithm led to new records in primality proving, some of which were obtained with his co-authors J. Franke, T. Kleinjung and T. Wirth [16], who developed their own programs. The current world record was set to 15071 decimal digits in early July this year, as opposed to 8000 a year ago.

Curves with complex multiplication are very interesting in cryptography, since computing their cardinality is easy. This is in contrast with random curves, for which this task is still cumbersome. These CM curves enabled A. Enge, R. Dupont and F. Morain to give an algorithm for building good curves that can be used in identity based cryptosystems (cf. infra).
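The "easy cardinality" claim, illustrated on the curve $y^2 = x^3 + x$ mentioned above (an added example, not code from the TANC project): for a prime $p \equiv 1 \pmod 4$ the group order follows from the decomposition $p = a^2 + b^2$, and for $p \equiv 3 \pmod 4$ it is $p + 1$. The sign rule used here is the classical result for this curve and is not stated in the report; the function names are illustrative, and the naive counter is included only as a cross-check on small primes.

```python
from math import isqrt

def two_squares(p):
    """Write a prime p = 1 (mod 4) as x^2 + y^2 (Cornacchia's method)."""
    g = 2
    while pow(g, (p - 1) // 2, p) != p - 1:   # search for a quadratic non-residue
        g += 1
    r = pow(g, (p - 1) // 4, p)               # r^2 = -1 (mod p)
    a, b = p, r
    while b * b > p:                          # Euclid until remainder < sqrt(p)
        a, b = b, a % b
    c = isqrt(p - b * b)
    if b * b + c * c != p:
        raise ValueError("p is not a prime congruent to 1 mod 4")
    return b, c

def cm_cardinality(p):
    """#E(F_p) for E: y^2 = x^3 + x, p an odd prime, without counting points."""
    if p % 4 == 3:
        return p + 1                          # supersingular case: trace 0
    x, y = two_squares(p)
    a, b = (x, y) if x % 2 else (y, x)        # a odd, b even
    if (a + b) % 4 != 1:                      # normalise a + bi = 1 mod (2 + 2i)
        a = -a
    sign = 1 if ((p - 1) // 4) % 2 == 0 else -1   # quartic character of -1
    return p + 1 - sign * 2 * a

def naive_cardinality(p):
    """Reference count in O(p) using Euler's criterion; small p only."""
    n = 1                                     # point at infinity
    for x in range(p):
        rhs = (x * x * x + x) % p
        if rhs == 0:
            n += 1                            # single point (x, 0)
        elif pow(rhs, (p - 1) // 2, p) == 1:
            n += 2                            # two square roots for y
    return n

def small_primes(limit):
    """Odd primes below limit, by trial division."""
    return [q for q in range(3, limit) if all(q % d for d in range(2, isqrt(q) + 1))]

if __name__ == "__main__":
    for p in small_primes(60):
        print(p, cm_cardinality(p), naive_cardinality(p))
    big = 2**255 - 19                         # constructed input: a 255-bit prime
    print(big.bit_length(), cm_cardinality(big))
```

The formula costs a few modular exponentiations and one Euclidean pass, so it works at cryptographic sizes where the naive count is out of reach.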

CM curves are defined by algebraic integers, whose minimal polynomial has to be computed exactly, its coefficients being exact integers. The fastest algorithm to perform these computations requires a floating point evaluation of the roots of the polynomial to a high precision. F. Morain on the one hand and A. Enge (together with R. Schertz) on the other, have developed the use of new class invariants that characterize the CM curves. The union of these two families is actually the best that can be done in the field (see [29]). More recently, F. Morain and A. Enge have designed a fast method for the computation of the roots of this polynomial over a finite field using Galois theory [30]. These invariants, together with this new algorithm, are incorporated in the working version of the program ECPP.

A. Enge has been able to analyse precisely the complexity of class polynomial computations via complex floating point approximations. In fact, this approach has recently been challenged by algorithms using p-adic liftings, that achieve a running time that is (up to logarithmic factors) linear in the output size. He has shown that the algorithm using complex numbers, in its currently implemented form, has a slightly worse asymptotic complexity (polynomial with exponent $1.25$). Using techniques from fast symbolic computation, namely multievaluation of polynomials, he has obtained an asymptotically optimal (up to logarithmic factors) algorithm with floating point approximations. The implementation has shown, however, that in the currently practical range, the asymptotically fast algorithm is slower than the previous one. This is due, on the one hand, to the multitude of algorithmic improvements introduced in [29], on the other hand, to the lack of logarithmic factors and better constants. A publication is in preparation.

R. Dupont has investigated the complexity of the evaluation of some modular functions and forms (such as the elliptic modular function j or the Dedekind eta function for example). High precision evaluation of such functions is at the core of algorithms to compute class polynomials (used in complex multiplication) or modular polynomials (used in the SEA elliptic curve point counting algorithm).

Exploiting the deep connection between the arithmetic-geometric mean (AGM) and a special kind of modular forms known as theta constants, he devised an algorithm based on Newton iterations and the AGM that has quasi-optimal complexity. In order to certify the correctness of the result to a specified precision, a fine analysis of the algorithm and its complexity was necessary [27].

Genus 2

Participants : Pierrick Gaudry, Thomas Houtmann, Régis Dupont, Annegret Weng.

The theory of Complex Multiplication also exists for non-elliptic curves, but is more intricate. P. Gaudry, T. Houtmann, D. Kohel, C. Ritzenthaler and A. Weng [33] have designed a new approach for constructing class polynomials of genus 2 curves having CM. The main feature of their method is the use of p-adic numbers instead of complex floating point approximations. Although not always applicable, the corresponding algorithm is very efficient compared to previous approaches.

Building upon his work in genus 1, R. Dupont is developing a similar algorithm in genus $g=2$, aiming at computing class polynomials and modular polynomials, using complex floating point evaluations. His algorithm uses what is known as Borchardt's mean (it can be seen as a generalization of the AGM). A byproduct of that work is an algorithm to compute the Riemann matrix of a given genus 2 curve: given the equation of such a curve, it computes a lattice L such that the Jacobian of the curve is isomorphic to $ℂ/L$. The algorithms obtained both for the computation of Riemann matrices and for the evaluation of genus 2 modular forms such as the theta constants are quasi-optimal.
