Counting points on hyperelliptic curves of type $y^2=x^{2g+1} + ax^{g+1} + bx$
Semyon Novoselov

TL;DR
This paper develops efficient algorithms for counting points on hyperelliptic curves of specific types over finite fields, providing both computational methods and characteristic polynomial classifications for various genera.
Contribution
It introduces new algorithms with sub-polynomial complexity for point counting on certain hyperelliptic curves and classifies Frobenius polynomials for genus 2 to 7.
Findings
Algorithms for genus 3 and 4 with complexity $\tilde{O}(\log^4 p)$ and $\tilde{O}(\log^8 p)$
Complete list of Frobenius characteristic polynomials for genus 2-7 curves
Enhanced understanding of point counting on hyperelliptic curves of specific forms
Abstract
In this work, we investigate hyperelliptic curves of type over the finite field . For the case of and we propose algorithms to compute the number of points on the Jacobian of the curve with complexity and . For curves of genus we give a complete list of the characteristic polynomials of Frobenius endomorphism modulo .
| conditions | ||||
|---|---|---|---|---|
| 2 | ||||
| 2 | ||||
| 3 | ||||
| 3 | ||||
| 4 | ||||
| 4 | ||||
| 4 | ||||
| 4 | ||||
| 5 | ||||
| 5 | ||||
| 5 | ||||
| 5 | ||||
| 6 | ||||
| 6 | ||||
| 6 | ||||
| 6 | ||||
| 7 | ||||
| 7 | ||||
| 7 | ||||
| 7 | ||||
| 7 | ||||
| 7 | ||||
Novoselov S. A. (The reported study was funded by RFBR according to the research project 18-31-00244.)
Immanuel Kant Baltic Federal University
Introduction
Let be a finite field of size and characteristic .
Let be a genus hyperelliptic curve defined over by equation
[TABLE]
For genus case it is known [1] that the Jacobian of the curve splits into product of certain explicitly given elliptic curves over some extension of base field. There are also explicit formulae [2] expressing the number of points on the Jacobian of the curve in terms of traces of Frobenius of the elliptic curves.
The purpose of this note is to generalize results for to the higher genera () and derive algorithms for counting points on in this case. To speed up point counting, where it is possible, we use connection of the Cartier-Manin matrix of the curve with Legendre polynomials from [3]. On the other side, this connection is also used to obtain new congruences for Legendre polynomials extending the results from the works [4, 5, 6, 7].
Background and notation. Let be a genus hyperelliptic curve defined over finite field . A zeta-function of the curve is given by
[TABLE]
The polynomial has a form
[TABLE]
where and . Coefficients of the polynomial are denoted by .
Let be the Jacobian of the curve over finite field and let be the characteristic polynomial of the Frobenius endomorphism on . Then we have and . Because of that, point-counting on the Jacobian is equivalent to determining of (or ).
The order of the Jacobian satisfies Hasse-Weil bounds
[TABLE]
For more details on curves over finite fields and their Jacobians we refer to [8, §5.2].
Organization of the paper. In Section 1 we obtain a decomposition of over for odd and over in case of is even. For curves and , we provide explicit equations in terms of Dickson polynomials. This is done by using results and methods from [9, 10, 11, 12].
Section 2 is devoted to the study of Cartier-Manin matrix of the curve . We obtain a complete list of possible polynomials . This fills missing cases in our previous work [3]. We use this list to derive a point-counting algorithm in genus case and to find new congruences for Legendre polynomials connected with genus curves.
Section 3 contains description of a general method for counting points on using decomposition from Section 1 and results from Section 2. Sections 4, 5 contain algorithms and implementation details for .
1 Decomposition of the .
The curve is isomorphic to curve
[TABLE]
over finite field via isomorphism . Because of that, we can get decomposition for over from decomposition of . Since the curve has automorphisms, we can decompose by using method of Kani and Rosen[13]. In the work of Paulhus[9] there is decomposition for the curve over algebraically closed field. But the method works over any field as long as we know the group of automorphisms or its subgroups. Thus, we need to obtain information about subgroups of this group over finite field.
Denote by an automorphism group of curve over the finite field , a cyclic group of order and by a dihedral group of order . Let also be a primitive -root of unity. Every hyperelliptic curve has hyperelliptic involution, denote it by .
All possible groups of automorphisms for hyperelliptic curve over algebraically closed field are known [14, 15]. In [11] there are explicit automorphisms for curve . We collect them in the following proposition.
Proposition 1.
Let be a genus hyperelliptic curve defined over a finite field .
1. contains a non-hyperelliptic involution
[TABLE]
and subgroup .
2. If and then contains an automorphism
[TABLE]
of order and subgroup .
Decomposition for the Jacobian of the curve in case of follows from Proposition 1 and [10, Th. 4]:
- (genus 3) if and if
- (genus 4) if and if
Note that condition holds in any field, therefore we always have corresponding decomposition. But holds in the field , so we should work in an extension of of degree up to to get decomposition. The degree of this extension is the smallest integer such that .
Since the group of automorphisms contains the Jacobian splits as
[TABLE]
To find equations for quotients of the curve , we can use the following theorem.
Theorem 1.
Let be a genus hyperelliptic curve defined over a finite field where , , . Denote by and a Dickson polynomial of degree . Then
1. the quotient of the curve modulo the involution is given by
[TABLE]
if is odd and by
[TABLE]
if is even.
2. the quotient of the curve modulo the involution is given by
[TABLE]
if is odd and by
[TABLE]
if is even.
Proof.
- From [11, Prop.3] we have that the quotient is given by
[TABLE]
if is odd and
[TABLE]
in case of is even. The polynomial is the monic polynomial whose roots are all the numbers for .
In the work [12, §7.3] it was shown that for odd we have .
The result for even follows from the factorization of the Dickson polynomial [16, Th.1] over
[TABLE]
where is a primitive -root of unity.
- The proof is similar to the proof in [11, Prop.2] with addition of Dickson polynomials. We use relations
[TABLE]
for odd and
[TABLE]
for even .
A function field of is a field of -invariant functions from function field of . It’s generated by , in the case of odd and by when is even.
Using the relations and a property of Dickson polynomials:
[TABLE]
we find an equation
[TABLE]
for odd and
[TABLE]
for even . ∎
Theorem 1 allows us to find explicit equations for quotient curves in the decomposition of over finite field . Since we obtain decomposition for the curve :
[TABLE]
The theorem can be generalized to the more general class of curves using results from [12, §7.3]. It gives us better decomposition for , which occurs over the field in the case of odd and over when is even.
Theorem 2.
Let be a genus hyperelliptic curve defined over the finite field . Let be a hyperelliptic involution. Then the curve has a non-hyperelliptic involution and equations for quotients of the curve modulo involutions and are following.
1. If is odd then
[TABLE]
and
[TABLE]
where is a Dickson polynomial of degree .
2. If is even then
[TABLE]
and
[TABLE]
Proof.
The case of equation (1) is proved in [12, §7.3]. The case of for equations (1) and (3) is proved in [11], but without using Dickson polynomials. We use a similar approach to prove the remaining cases.
Dickson polynomials have a property . This allows us to write the equation of in a form
[TABLE]
The function field of the curve is a field of -invariant functions on . It is generated by the functions and in the case of odd and by and when is even.
By using the property of Dickson polynomials, we find
[TABLE]
for odd and
[TABLE]
when is even. This proves (2) and (4).
The case (3) can be proved in the same way by taking and . ∎
In the case of (3) and (4) the automorphism is defined over , so the quotient maps and quotient curves are defined over this field. A map is an isomorphism of the curves. Therefore, the curves are twists of degree to each other.
Since the curve has the non-hyperelliptic involution , we can split the Jacobian by using the method of Kani-Rosen [13, 9]:
[TABLE]
The equations for quotients are known from the Theorem 2. Therefore, the problem of point counting on the curve is reduced to counting points on the quotients.
The curve is a curve with . Automorphisms are defined over the field or , therefore we have decomposition
[TABLE]
for odd and
[TABLE]
in case of even .
In addition, for odd genus we have a map given by , where is an elliptic curve with equation
[TABLE]
This map is in fact a quotient map by automorphism for from Proposition 1. So, the Jacobian is always split in this case and we have , where is an abelian variety. Therefore, counting points on the curves of odd genus is reduced to counting points on the abelian variety .
In case of the decomposition is similar to the decomposition by Satoh [1], but it is obtained with a different method.
It remains to compute from for odd and from in the even case.
We present a method to compute in Section 3.
2 Cartier-Manin matrix of the curve
Let and be a genus hyperelliptic curve defined by equation
[TABLE]
where is monic and . Denote by coefficients in expansion of . A matrix
[TABLE]
is called Cartier-Manin matrix of the curve . Let
[TABLE]
where denotes a matrix obtained from by raising each of its elements to -th power. Then we have a formula [17, 18]:
[TABLE]
In this section we show how to compute these matrices for finite fields of big characteristic, i.e. for finite fields with .
It is known that the number of points on certain elliptic curves can be expressed through Legendre polynomials. Therefore, some instances of the polynomials from [3, Table 1,2] can be computed for finite fields of big characteristic using the Schoof-Elkies-Atkin algorithm (see [19] and [8, §17.2.2]). We collect such cases in the following theorem.
Theorem 3 ([5, 6, 7]).
Let . Then
1. , where is a trace of Frobenius of an elliptic curve:
[TABLE]
2. , where is a trace of Frobenius of an elliptic curve
[TABLE]
3. , where is a trace of Frobenius of an elliptic curve
[TABLE]
4. , where and is a trace of Frobenius of an elliptic curve
[TABLE]
Using this theorem we can compute Cartier-Manin matrix of curve of genus completely. For the case of we get partial information. For example, the polynomial appears in formulae for in [3, Table 1,2]. Also, we can obtain new congruences for Legendre polynomials using tables from [3] and decomposition of from Section 1.
To find a Cartier-Manin matrix of the curve , we connect this matrix with the matrix of the curve using a theorem.
Theorem 4.
Let be a genus hyperelliptic curve defined over a finite field and let be a Cartier-Manin matrix of , and . Then
1. for and
2. , otherwise.
Proof.
[TABLE]
where the sum goes all integers such that
[TABLE]
Therefore,
[TABLE]
By Theorem 3 from [3] we have for ∎
This theorem allows us to compute Cartier-Manin matrix for the curve from the matrix of the curve . Note that we should work in the field in the case of , but the result belongs to .
The curves and are isomorphic over the field , but the theorem works even in the case when the curves are not isomorphic over .
Now, we can derive all possibilities for using the same method as in [3]. First, it follows from Theorem 4 that Cartier-Manin matrix of is (generalized) permutation matrix with permutation defined by
[TABLE]
A decomposition of into disjoint cycles corresponds to factorization of the characteristic polynomial of the matrix :
[TABLE]
The same result holds for the matrix if we take .
By formula (5), we have
[TABLE]
By combining (7) with Theorem 4 we can now express in terms of Legendre polynomials.
Fixing genus and a number , such that for odd genus and in case of is even, we fix permutation . So, for each genus we have variants for . We enumerate them all in Table 1 for . The polynomials are given in factored form (over extension of ), but all coefficients belong to after expansion.
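The construction of this section on small primes, as an added example that is not code from the paper: it builds the Cartier-Manin matrix of $y^2=x^{2g+1}+ax^{g+1}+bx$ from the coefficients of $f^{(p-1)/2}$, checks the generalized-permutation shape, and verifies by brute force the standard consequence $\#C(\mathbb{F}_p) \equiv 1 - \mathrm{tr}\,W \pmod p$. The index convention $W_{ij}=c_{ip-j}$ and all function names are assumptions; the parameters are constructed samples.

```python
def poly_mul_mod(a, b, p):
    """Multiply coefficient lists (low degree first) modulo p."""
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        if x:
            for j, y in enumerate(b):
                out[i + j] = (out[i + j] + x * y) % p
    return out


def curve_poly(g, a, b, p):
    """f(x) = x^(2g+1) + a*x^(g+1) + b*x over F_p, low degree first."""
    f = [0] * (2 * g + 2)
    f[1], f[g + 1], f[2 * g + 1] = b % p, a % p, 1
    return f


def cartier_manin(f, g, p):
    """g x g matrix W[i][j] = c_{i*p - j} for i, j = 1..g, where c_k are the
    coefficients of f^((p-1)/2) mod p (assumed index convention)."""
    c, base, e = [1], f[:], (p - 1) // 2
    while e:  # square-and-multiply exponentiation of f
        if e & 1:
            c = poly_mul_mod(c, base, p)
        base = poly_mul_mod(base, base, p)
        e >>= 1
    coef = lambda k: c[k] if 0 <= k < len(c) else 0
    return [[coef(i * p - j) for j in range(1, g + 1)] for i in range(1, g + 1)]


def is_generalized_permutation(W):
    """True if every row and every column has at most one nonzero entry."""
    rows_ok = all(sum(1 for v in row if v) <= 1 for row in W)
    cols_ok = all(sum(1 for v in col if v) <= 1 for col in zip(*W))
    return rows_ok and cols_ok


def count_points(f, p):
    """Brute-force #C(F_p) for y^2 = f(x), including the point at infinity."""
    roots = [0] * p  # roots[v] = number of y with y^2 = v
    for y in range(p):
        roots[y * y % p] += 1
    total = 1  # the single point at infinity of the odd-degree model
    for x in range(p):
        total += roots[sum(co * pow(x, k, p) for k, co in enumerate(f)) % p]
    return total


def trace_congruence_holds(g, a, b, p):
    """Check #C(F_p) = 1 - tr(W) (mod p) against the brute-force count."""
    f = curve_poly(g, a, b, p)
    W = cartier_manin(f, g, p)
    trace = sum(W[i][i] for i in range(g)) % p
    return (1 - trace) % p == count_points(f, p) % p


if __name__ == "__main__":
    g, a, b, p = 3, 5, 7, 31  # constructed sample parameters
    for row in cartier_manin(curve_poly(g, a, b, p), g, p):
        print(row)
    print("trace congruence:", trace_congruence_holds(g, a, b, p))
```

Every exponent in $f^{(p-1)/2}$ is congruent to $(p-1)/2$ modulo $g$, which is why each row has at most one nonzero entry.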
Congruences for Legendre polynomials. From Section 1, we have . Therefore,
[TABLE]
Combining this with (7) we obtain
[TABLE]
A number of congruences for Legendre polynomials can be found by comparing coefficients of polynomials from two sides of this equation. We give an example of such congruences in Section 5.
The Jacobians and are "generically" absolutely simple [11, Cor.6]. So, we have obtained a connection of characteristic polynomials of absolutely simple abelian varieties with Legendre polynomials.
Previous results [4, 5, 6, 7] connect Legendre polynomials with elliptic curves. But transition to hyperelliptic curves gives us more results.
3 Computing the order of .
Since we know the decomposition of Jacobian over the extension of finite field, it remains to compute from , where such that for odd and for even .
We do this by using a formula for -polynomials from [20, p.195]:
[TABLE]
By comparing coefficients, we obtain a system of equations of unknowns .
This system is big in general, so to optimize process we adopt a step-by-step method for genus case from [2]. This gives us an Algorithm 1.
The system of equations in the step 1 can be precomputed for fixed genus. It contains at most equations with unknowns of degree .
To solve the system, we use resultants to eliminate variables . This gives us one polynomial in variable . To find roots of this polynomial, we factor it over (for prime ) in the same way as it is done in [1] (for ). For each solution we substitute it in previous equation which depends only on and some other variable . Then we factor resulting polynomial to find possible solutions for and so on. In the end, we obtain a list of possible tuples . To exclude extra solutions, we first use Hasse-Weil bound and after that we eliminate remaining solutions by choosing random points on and multiplying candidates for by it.
For curves with simple Jacobians this gives us a unique solution at the end of the algorithm. For curves with non-simple Jacobian the algorithm returns result up to twists of factors in the Jacobian decomposition.
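The descent step and its twist ambiguity for genus 2 over a quadratic extension, as an added example that is not the paper's Algorithm 1: it uses the standard relation $\chi_2(T^2)=\chi(T)\chi(-T)$ and replaces the resultant and factoring steps by exhaustive search over the Weil coefficient bounds, which is only feasible for tiny $q$. The sign convention $\chi(T)=T^4-a_1T^3+a_2T^2-qa_1T+q^2$, the function names and the sample polynomial (a product of two elliptic factors with traces 1 and 3 over $\mathbb{F}_7$) are assumptions constructed for illustration.

```python
from math import isqrt, sqrt


def lift_to_quadratic_extension(chi):
    """chi: integer coefficients (low degree first) of the Frobenius
    polynomial over F_q. Returns chi_2 with chi_2(T^2) = chi(T) * chi(-T),
    i.e. the polynomial whose roots are the squares of the roots of chi."""
    n = len(chi) - 1
    return [sum((-1) ** i * chi[i] * chi[2 * k - i]
                for i in range(max(0, 2 * k - n), min(n, 2 * k) + 1))
            for k in range(n + 1)]


def genus2_chi(a1, a2, q):
    """T^4 - a1*T^3 + a2*T^2 - q*a1*T + q^2 (assumed sign convention)."""
    return [q * q, -q * a1, a2, -a1, 1]


def descend_candidates(chi2, q):
    """All (a1, a2, #J) over F_q whose lift to F_{q^2} equals chi2 and whose
    order chi(1) lies inside the Hasse-Weil interval."""
    lo, hi = (sqrt(q) - 1) ** 4, (sqrt(q) + 1) ** 4
    bound_a1 = isqrt(16 * q)            # |a1| <= 4*sqrt(q)
    found = []
    for a1 in range(-bound_a1, bound_a1 + 1):
        for a2 in range(-6 * q, 6 * q + 1):   # |a2| <= 6*q
            chi = genus2_chi(a1, a2, q)
            if lift_to_quadratic_extension(chi) != chi2:
                continue
            order = sum(chi)            # chi(1) = #J(F_q)
            if lo <= order <= hi:
                found.append((a1, a2, order))
    return found


# Constructed sample: (T^2 - T + 7)(T^2 - 3T + 7) over F_7.
SAMPLE_Q = 7
SAMPLE_CHI = genus2_chi(4, 17, SAMPLE_Q)

if __name__ == "__main__":
    chi2 = lift_to_quadratic_extension(SAMPLE_CHI)
    print("chi over F_49:", chi2)
    for a1, a2, order in descend_candidates(chi2, SAMPLE_Q):
        print(f"a1={a1:3d} a2={a2:3d} candidate #J={order}")
```

All four candidates survive the Hasse-Weil filter, one for each choice of twist of the two elliptic factors, so only a test with random points on the Jacobian can separate them.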
Twists. To compute and in step 1, we first compute characteristic polynomials for the twists of , defined over . After that, we determine and from characteristic polynomials of twists using precomputed systems of equations for the step 1.
The twists for even are given by equations
[TABLE]
For odd , we have
[TABLE]
and
[TABLE]
Remark 1.
The curve is a curve with explicit real multiplication [21, §7.1.1]. Due to recent result of Abelard [22] the problem of counting points on this curve has complexity for any fixed genus .
We provide implementation of the Algorithm 1 for the case of in Section 5. The algorithm for in Section 4 uses Cartier-Manin matrices instead.
4 Genus 3
In this case, we have for some abelian variety of dimension and to determine we have to find a characteristic polynomial of . Let
[TABLE]
To find coefficients , we compute by using results from Section 2. After that, we determine coefficients by using inequalities and in the same way as in [23, Alg.1]. To do this, we make a list of candidates for and determine the right one by multiplying random point in by candidate for .
The computation of is as follows. From Table 1 we have
[TABLE]
for and
[TABLE]
for . Computation of Legendre polynomials in case of can be done by Theorem 3 using SEA-algorithm.
In case of values of our Legendre polynomials are not in . So in this case, we compute and restore from this polynomial by solving system
[TABLE]
By using method described in Section 2, we obtain
[TABLE]
for and
[TABLE]
in case of .
The computation of is equivalent to computing of Frobenius traces for elliptic curves over . It can be done using SEA-algorithm. After solving (9) the determination of from is the same as for the case . However, in this case we have more possible candidates.
The described method leads to Algorithm 2.
Complexity. The most time-consuming part of the algorithm is the computation of traces of Frobenius . It can be done with Schoof-Elkies-Atkin algorithm. Therefore, the complexity of Algorithm 2 is .
We implemented this algorithm in Sage [24]. In the case of split abelian variety there can be many candidates for coefficients which pass the test by multiplying by random point of . So in this case, we return the list of polynomials. This situation occurs because solutions of system of equations correspond to twists of elliptic curves in decomposition of and therefore polynomials are expected to have a common factor.
Example 4.1.
Let (128-bit),
,
.
By applying the algorithm, we obtain
,
,
.
The computation took sec. on laptop with Core i7-4700HQ CPU clocked at 2.40GHz.
We have -irreducible polynomials and . Therefore, is simple over and . The number of points on is
[TABLE]
It has a large divisor of cryptographic size bit. Thus, abelian variety is suitable for cryptography based on discrete logarithm problem.
Another way for point-counting in genus case is to derive explicit formulae for the as it is done in [2] for genus . A complete list of the characteristic polynomials for the genus curves is to appear in [25].
5 Genus 4
In this case from the results of Section 1, we have
[TABLE]
where
[TABLE]
and
[TABLE]
To compute the order of Jacobian , we compute characteristic polynomials of the genus curves over and determine from them. Since the curves are isomorphic over , it’s enough to compute one of the characteristic polynomials and choose the sign in coefficients of second one depending on whether is a square in or not. For fast calculation of over , we use twist of defined over by equation
[TABLE]
We compute the characteristic polynomial of over and determine the characteristic polynomial of over by using formulae from [2, p.5]:
[TABLE]
[TABLE]
After computation of characteristic polynomial of over we compute step-by-step the characteristic polynomial descending over quadratic extensions. We do this by solving following system of equations obtained from (8):
[TABLE]
[TABLE]
[TABLE]
[TABLE]
From (10) and (11) we have for :
[TABLE]
[TABLE]
By substituting (15) to (12) and (13), we obtain
[TABLE]
and
[TABLE]
After substituting (14) in above equations, eliminating by taking resultant, and dividing by , we obtain degree polynomial in
[TABLE]
where coefficients are given in Appendix A.
From this, we have at most possible values for . To find them, we use the same technique as in [1, §4]. We factor this polynomial over for and exclude solutions which do not satisfy the bound . For each there are at most possible tuples . So, we have obtained candidates for . The right one can be found by taking random points on Jacobian and multiplying them by candidate for the Jacobian order. The described method leads to Algorithm 3.
Complexity. The factorization of polynomial over finite field in Algorithm 3 takes time (see [26, Th.14.14, p.390]). Computation of the characteristic polynomial of genus curve can be done in time using Gaudry-Schost algorithm [27]. Therefore, the Algorithm 3 has complexity .
Note that the algorithm is less efficient than SEA algorithm with complexity , but still more efficient than general algorithms [28, 29] for point-counting on genus curves.
Implementation of algorithm. We implemented the algorithm in Sage[24] computer algebra system.
Example 5.1.
Let , , . Applying the algorithm we obtained coefficients of :
[TABLE]
and
[TABLE]
The polynomial is -irreducible and therefore is simple.
The order of Jacobian
[TABLE]
has size bit.
The computation took min. sec. on laptop with Core i7-4700HQ CPU clocked at 2.40GHz.
New congruences for Legendre polynomials. From decomposition of the curve and results for genus from [3, Table 1,2] or Table 1 we obtain new congruences for Legendre polynomials:
[TABLE]
[TABLE]
Where , , are coefficients of the Frobenius polynomial of the curve with .
Example 5.2.
It is easy to find an example where the curve has absolutely simple Jacobian. If and we have . This polynomial is -irreducible, therefore is simple. By result of [30] if a simple ordinary abelian surface is geometrically split, then it splits over an extension of base field of degree at most . By straightforward check, we can see that all for are -irreducible. Therefore, the curve with has absolutely simple Jacobian. Thus, we have obtained congruences for Legendre polynomials which connect them with genus curves that have absolutely simple Jacobians.
Conclusion
In this paper, we have derived two algorithms to compute the number of points on the Jacobian of hyperelliptic curves in case of and with complexity and . We obtained a complete list of (Table 1).
The method for deriving new congruences for Legendre polynomials was obtained in Section 2, and new congruences for Legendre polynomials and were found by using this method in Section 5.
This work is an extended and refined version of preliminary results presented by the author at the conference SibeCrypt’18 [31].
Appendix A Genus 4. Equation for .
[TABLE]
[TABLE]
[TABLE]
- [1] T. Satoh, Generating genus two hyperelliptic curves over large characteristic finite fields, in: Annual International Conference on the Theory and Applications of Cryptographic Techniques, Springer, 2009, pp. 536–553.
- [2] A. Guillevic, D. Vergnaud, Genus 2 hyperelliptic curve families with explicit jacobian order evaluation and pairing-friendly constructions, in: International Conference on Pairing-Based Cryptography, Springer, 2012, pp. 234–253.
- [3] S. A. Novoselov, Hyperelliptic curves, cartier–manin matrices and legendre polynomials, Prikladnaya Diskretnaya Matematika (37) (2017) 20–31.
- [4] J. Brillhart, P. Morton, Class numbers of quadratic fields, hasse invariants of elliptic curves, and the supersingular polynomial, Journal of Number Theory 106 (1) (2004) 79–111.
- [5] Z.-H. Sun, Congruences concerning legendre polynomials ii, Journal of Number Theory 133 (6) (2013) 1950–1976.
- [6] Z.-H. Sun, Congruences involving $\binom{2k}{k}^{2}\binom{3k}{k}$, Journal of Number Theory 133 (5) (2013) 1572–1595.
- [7] Z.-H. Sun, Legendre polynomials and supercongruences, Acta Arith 159 (2) (2013) 169–200.
- [8] H. Cohen, G. Frey, R. Avanzi, C. Doche, T. Lange, K. Nguyen, F. Vercauteren, Handbook of elliptic and hyperelliptic curve cryptography, CRC press, 2005.
