
Satoh's Algorithm: A P-Adic Method For Point Counting: Darcie Milliken

Satoh's algorithm uses p-adic arithmetic to count the number of points on an elliptic curve over a finite field. It lifts the curve and its Frobenius morphism to high p-adic precision using Newton's method. It then computes the trace of Frobenius by lifting the dual Verschiebung operator and finding its leading coefficients modulo p-power roots of unity.

Uploaded by

derushie
Copyright
© Attribution Non-Commercial (BY-NC)

Satoh's Algorithm: a p-adic method for point counting

Darcie Milliken

PMAT 527 December 5, 2012

Goal
We want to use p-adic arithmetic to count $\#E(\mathbb{F}_q)$, where $q = p^N$.

The Plan:
1. Introduction to the p-adic numbers
2. The big idea: the canonical lift
3. Modular Polynomials
4. Isogeny Cycles
5. The Verschiebung
6. Satoh's algorithm


What is a p-adic number?


Qp is the completion of Q with this norm:

Definition (p-adic norm)

g Fix a prime p. Write = p n . h ||p = p n with |0|p = 0

Example (p = 3)
= Qp :
m

486 2 = 35 , then ||p = 35 5 5

ai p i ,

ai {0, 1, ...p 1},

mZ

Zp is the ring with |x| 1 or, m 0


What do the p-adic numbers look like?

Example (p = 3)
$\frac{24}{17} = \frac{2\cdot 3 + 2\cdot 3^2}{2 + 2\cdot 3 + 3^2} = 3 + 3^3 + 2\cdot 3^5 + 3^7 + 3^8 + \dots$

We define distance in the usual way, $d(x, y) = |x - y|_p$, then

Example
$|3 - 2|_3 = 1$, and $|244 - 4|_3 = \frac{1}{3}$ means that $d(244, 4) < d(2, 3)$.
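
The norm, distance and expansion examples above can be checked mechanically. The following Python code is an added example, not part of the slides; it uses the standard definition |x|_p = p^(-v_p(x)), where v_p(x) is the exponent of p in x, and the function names are hypothetical.

```python
from fractions import Fraction

def valuation(x, p):
    """v_p(x): exponent of p in a nonzero rational x (negative if p divides the denominator)."""
    x = Fraction(x)
    if x == 0:
        raise ValueError("v_p(0) is +infinity")
    num, den, v = x.numerator, x.denominator, 0
    while num % p == 0:
        num //= p
        v += 1
    while den % p == 0:
        den //= p
        v -= 1
    return v

def norm(x, p):
    """|x|_p = p^(-v_p(x)), with |0|_p = 0."""
    x = Fraction(x)
    return Fraction(0) if x == 0 else Fraction(p) ** (-valuation(x, p))

def dist(x, y, p):
    """d(x, y) = |x - y|_p."""
    return norm(Fraction(x) - Fraction(y), p)

def expansion(x, p, M):
    """Return (m, [a_m, ..., a_{m+M-1}]) with x = sum a_i p^i up to O(p^(m+M))."""
    x = Fraction(x)
    if x == 0:
        return 0, [0] * M
    m = valuation(x, p)
    unit = x / Fraction(p) ** m          # numerator and denominator now prime to p
    mod = p ** M
    # Dividing by the denominator is multiplication by its inverse mod p^M.
    r = unit.numerator * pow(unit.denominator, -1, mod) % mod
    digits = []
    for _ in range(M):
        digits.append(r % p)
        r //= p
    return m, digits

# Values taken from the slides' examples (p = 3).
if __name__ == "__main__":
    print(norm(Fraction(486, 5), 3))
    print(dist(3, 2, 3), dist(244, 4, 3))
    print(expansion(Fraction(24, 17), 3, 8))
```

The digit list returned for 24/17 starts at exponent m = 1, so it reads off the coefficients of 3, 3^2, ..., 3^8 in the expansion shown above.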


Picturing $\mathbb{Z}_3$


What does this have to do with point counting?

Think of p-adic numbers as infinite power series or sequences. Like R, choose a level of precision, M. Then do arithmetic mod $p^M$. Compute the p-adic approximation of the canonical lift of Frobenius, and use it to get t mod $p^M$. If $p^M$ > 4 q, then t is unique.


The canonical lift


The canonical lift of E (Fq ) is another elliptic curve E (Qq ) satisfying: 1. The reduction of E modulo p is E 2. End(E ) End (E ) = E
mod p

Theorem (Deuring)
The canonical lift always exists, and is unique up to isomorphism. Idea: Tr ( ) = Tr () = t, where #E (Fq ) = q + 1 t

Modular Polynomials

The p-th modular polynomial p (X , Y ) Z[X , Y ] Property: p (j(E1 ), j(E2 )) = 0 E1 , E2 are isogenous.

Example
Using Sage, we can find the 3rd modular polynomial: 3 (j0 , j1 ) = j03 j13 + 2232 j03 j12 + 2232 j02 j13 + j04 1069956 j03 j1 + 2587918086 j02 j12 1069956 j0 j13 + j14 + ... + 1855425871872000000000 j1


Doing some power lifting...

Conjugate of E: p : E E apply to every coefficient of the curve equation E. Lifts to an isogeny q : E E

An unramified extension Qq \Qp is Galois and its Galois group is generated by an element that reduces to Frobenius in the residue field. is called the Frobenius substitution on Qq .


Isogeny Cycles
For each 0 < i < N, we have a conjugate Ei = E , and p,i : Ei Ei+1 (p-powering). q = p,N1 p,N2 p,0

Lifting the cycle:

[Diagram: two rows, each a cycle E0 / E1 / ... / EN1 / E0 with arrows labelled p,0, p,1, ..., p,N2, p,N1.]


Computing the Canonical Lift


The j-invariants of the canonical lift E satisfy p (j(Ei+1 ), j(Ei )) = 0 j(Ei ) j(Ei ) mod p

We use Newton's Method and some linear algebra to lift the cycle of j-invariants to any precision M.

Example
If $p = 7$, $N = 5$, $M = 10$, define the field extension $\mathbb{F}_{p^n}$ with $t^5 + t + 4$. The j-invariant $j = 3x^4 + 6x^3 + 2x$ lifts to $J = 249888299x^4 + \dots + 169542361x + 26531974 \bmod 7^{10}$


When life gives you lemmas...


Problem: q is inseparable, so we lift the dual of , the Verschiebung V to V 2 V (2 ) = c0 1 + c1 1 + ... lc(V ) = c0

Lemma
Tr (q ) = Tr (V )

And Vq = Vp,0 Vp,1 Vp,N1 , then Tr (q )


0id

lc(Vp,i ) NormQq \Qp (c0 )

mod q


How do we get these leading coefficients?

Satoh: Use the division polynomial p (x) of E over Zq \p M Zq to lift the kernel of V . This kernel is described by a factor H(x) of p (x).

Example
See Cohen-Frey, p 428.


The Algorithm (sketch)
1. Let M be minimal satisfying $p^M$ > 4 q
2. For each 0 < i < M, compute the canonical lifts of the j-invariants
3. Lift the kernel of V and factor p (x)
4. Compute the leading coefficient c = lc(V )
5. Compute t = NK /Qp (c)
6. Return t Z satisfying t t mod $p^M$ where |t| < 2 q
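
Steps 1 and 6 of the sketch, together with the uniqueness remark on the earlier precision slide, as an added Python example (not from the slides). It assumes Hasse's bound |t| ≤ 2√q, so the precision condition is p^M > 4√q; the function names are hypothetical, and a brute-force count over F_p stands in for the p-adic computation of t mod p^M, which is not implemented here.

```python
def min_precision(p, N):
    """Smallest M with p^M > 4*sqrt(q), q = p^N, tested exactly as p^(2M) > 16*q."""
    q, M = p ** N, 1
    while p ** (2 * M) <= 16 * q:
        M += 1
    return M

def recover_trace(t_mod, p, N, M):
    """Unique integer t with t = t_mod (mod p^M) and |t| <= 2*sqrt(q)."""
    q, mod = p ** N, p ** M
    if mod * mod <= 16 * q:
        raise ValueError("p^M <= 4*sqrt(q): the residue does not determine t")
    t = t_mod % mod
    if 2 * t > mod:                      # centred representative in (-p^M/2, p^M/2]
        t -= mod
    if t * t > 4 * q:
        raise ValueError("no integer in the Hasse interval has this residue")
    return t

def count_points(a, b, p):
    """Brute-force #E(F_p) for y^2 = x^3 + a*x + b over a prime field (ground truth only)."""
    roots = {}                           # roots[s] = number of y with y^2 = s
    for y in range(p):
        s = y * y % p
        roots[s] = roots.get(s, 0) + 1
    affine = sum(roots.get((x ** 3 + a * x + b) % p, 0) for x in range(p))
    return affine + 1                    # plus the point at infinity

if __name__ == "__main__":
    # Constructed sample: y^2 = x^3 + 2x + 3 over F_101 (N = 1).
    p, N = 101, 1
    M = min_precision(p, N)
    t = p + 1 - count_points(2, 3, p)
    print(M, t, recover_trace(t % p ** M, p, N, M))
    # For the slides' p = 7, N = 5, precision M = 4 already pins down t.
    print(min_precision(7, 5))
```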

Satohs Algorithm: a p-adic method for point counting

Remarks

Small characteristic p 5
Runtime: O(N 3+ )
Memory: $O(N^3)$. Has been improved to $O(N^2)$.


References
Cohen, Henri and Gerhard Frey, 2006. Handbook of Elliptic and Hyperelliptic Curve Cryptography: Theory and Practice. CRC Press, 808 p.

Gouvea, Fernando Q. 2003. p-adic numbers: an introduction. Springer, 302 p.

Satoh, Takakazu, 2002. On p-adic Point Counting Algorithms for Elliptic Curves over Finite Fields. Algorithmic number theory, Lecture Notes in Comput. Sci. pp. 43-66. Springer.

Vercauteren, Frederik; Preneel, Bart; Vandewalle, Joos, 2001. A memory efficient version of Satoh's algorithm. Advances in cryptology: EUROCRYPT 2001 (Innsbruck), 1-13, Lecture Notes in Comput. Sci. 2045, Springer, Berlin.

Photo Credit: Dr. Katrin Tent, University of Munster, http://wwwmath.uni-muenster.de/u/tent/