CC BY
10
известного результата о представлении произвольной перестановки в виде произведения транспозиций.
Элементарные и перестановочные сети являются примерами простейших биективных сетей и, как показывает следующая теорема, этих примитивов достаточно для реализации произвольной биективной сети постоянной ширины.
Теорема 1. Сеть S постоянной ширины является биективной для некоторого множества П, |П| ^ 2, в том и только в том случае, когда она эквивалентна произведению
Щ ■ SL,i ■ ... ■ SL,t (или Sr,i ■ ... ■ SR,t ■ Пд),
где nL (Пд) —перестановочная сеть; SL1,... , SL,t (SR1,... , SR,t) —элементарные сети. При этом длина произведения равна количеству вершин сети S со степенью захода 2 и соответственно не зависит от выбора представления.
Следствие 1. Если сеть S постоянной ширины является биективной для некоторого множества П, |П| ^ 2, то сеть S является биективной для всех множеств.
Указанные в теореме 1 представления биективной сети S в виде произведения элементарных сетей будем называть каноническими представлениями сети S. Количество вершин сети S со степенью захода 2 будем называть весом сети S и обозначать ||S||.
Биективную сеть S будем называть транзитивной для множества П, если множество отображений {SF : F G <2(П)} является транзитивным. Основным результатом работы можно считать разработанный автором аппарат разметки сетей, который позволяет проверить транзитивность произвольной биективной сети, а при отрицательном ответе определить особенности строения сети, противоречащие транзитивности. С помощью этого аппарата, например, доказывается следующая теорема.
Теорема 2. Если биективная сеть S постоянной ширины является транзитивной для некоторого множества П, |П| ^ ||S||, то сеть S является транзитивной для любого множества, мощность которого строго больше чем ||S||.
Стоит отметить, что аппарат разметки позволяет сформулировать и обосновать алгоритм модификации канонического представления произвольной биективной сети S постоянной ширины п. В результате применения алгоритма получается биективная сеть S веса ||Е|| ^ ||S|| + 4п, которая является транзитивной для большей части множеств.
Теорема 3. Модификация S произвольной сети S является транзитивной для любого множества, мощность которого строго больше чем ||S||.
Автор благодарит профессора А. В. Черемушкину за постановку задачи и внимание к проводимым исследованиям.
UDC 512.772.7 DOI 10.17223/2226308X/10/11
HYPERELLIPTIC CURVES, CARTIER — MANIN MATRICES AND LEGENDRE POLYNOMIALS
S.A. Novoselov
We investigate the hyperelliptic curves of the form C1 : y2 = x2g+1 + axg+1 + bx and C2 : y2 = x2g+2 + axg+1 + b over the finite field Fq, q = pn, p > 2. We transform these curves to the form C1,p : y2 = x2g+1 -2pxg+1 +x and C2,p : y2 = x2g+2 -2pxg+1 + 1 and
prove that the coefficients of corresponding Cartier — Manin matrices are Legendre polynomials. As a consequence, the matrices are centrosymmetric and, therefore, it's enough to compute a half of coefficients to compute the matrix. Moreover, they are equivalent to block-diagonal matrices under transformation of the form S(p) WS-1. In the case of gcd(p,g) = 1, the matrices are monomial, and we prove that characteristic polynomial of the Frobenius endomorphism %(A) (mod p) can be found in factored form in terms of Legendre polynomials by using permutation attached to the monomial matrix. As an application of our results, we list all the possible polynomials x(A) (mod p) for the case of gcd(p,g) = 1, g e {1,..., 7} and the curve C1 is over Fp or Fp2.
Keywords: hyperelliptic curve cryptography, Cartier — Manin matrix, Legendre polynomials.
Let Fq be a finite field, q = pn, p > 2. A hyperelliptic curve of genus g over Fq is a
q
nonsingular curve, given by equation
C : У2 = f (x),
where f e Fq[x], f — monic, deg f = 2g + 1 or deg f = 2g + 2.
Hyperelliptic curves were first proposed for use in cryptography by Koblitz [1]. Every hyperelliptic curve has an associated group — its Jacobian JC (Fq), where all computations take place. For applications in cryptography it is required to compute the order of JC(Fq), which is equivalent to computing of the characteristic polynomial of the Frobenius endomorphism x(A) of the JC.
(deg f )(p-1)/2
Let f (x)(p-1)/2 = Cjx\ Then the Cartier — Manin matrix of the hyperelliptic
i=0
curve C is a matrix W = (wij) = (cip-j) of the size g x g.
Manin [2] showed that the characteristic polynomial of the matrix W is connected with the polynomial x(A) in the following way. Let Wp = W • W(p) • ... • W(p" ), where W(Pk) = (wpj), then
, X(A) = (-1)gAg|WP - A/g| (mod p).
If the polynomial x(A) mod p is known, we can use Hasse — Weil bound in combination with other methods to recover the polynomial x(A).
The Cartier — Manin matrices in general can be computed by optimized algorithms from [3, 4]. In our work we show that for specific curves we only need to compute a half of elements to find all matrix. Moreover, in the case of gcd(p, g) = 1 we can find all the possible variants of the polynomial x(A) mod p in explicit form in terms of Legendre polynomials.
In this work we study hyperelliptic curves of the form
Ci : y2 = x2g+1 + axg+1 + bx and C2 : y2 = x2g+2 + axg+1 + b.
These curves are isomorphic to curves
C1,p : y2 = x2g+1 - 2pxg+1 + x and C2,p : y2 = x2g+2 - 2pxg+1 + 1
over the field K = Fq^v^b]. Therefore, we can restrict discussion to the case of C1,p, C2,p and our results for polynomials x(A) holds over Fq if b is square and over Fq2 if b is not square in Fq. These forms of curves are generalizations of Jacobi quartics [5].
The curves C1, C2 were first studied by Miller and Lubin [6], who proved that the Cartier — Manin matrices of these curves are generalized permutation (monomial) matrices. For
g =1 these curves are elliptic curves. It is known that number of points of elliptic curves is congruent to Legendre polynomials [5, 7]. In this work we generalize this to the g > 1 case. We prove first that coefficients of the Cartier — Manin matrix of C1,p are either zeroes or Legendre polynomials.
Theorem 1. Let W = (w^j) be a Cartier — Manin matrix of the curve C1,p. Then
1) Wi,j = 0, if ip — j = (p — 1)/2 (mod g);
2) Wi,j = P(ip-j)/g-(p-1)/(2g)(p) (mod p), otherwise.
Then using properties of Legendre polynomials [8] we get result.
Theorem 2. The Cartier — Manin matrix of the curve C1,p is centrosymmetric in Fq.
Therefore, it's sufficient to compute a half of coefficients for computation of this matrix.
The Cartier — Manin matrix W of any hyperelliptic curve is defined upto transformation of the form S(p)WS-1, where S is non-singular [9]. Since centrosymmetic matrices are orthogonally similar to block-diagonal matrices, we can prove theorem.
Theorem 3. The Cartier — Manin matrix W of C1,p is equivalent to a block-diagonal matrix via transformation of the form S(p)WS-1.
Analogous results can be proved for the curve C2,p.
Theorem 4. Let W = (wi,j) be a Cartier — Manin matrix of C2,p. Then
1) wi,j = 0, if ip = j (mod g + 1);
2) wi,j = P(ip-j)/(g+1)(P) (mod g +1);
3) W is a centrosymmetric matrix in Fq;
4) W is equivalent to block-diagonal matrix via transformation of the form S(p)WS-1.
In the case of gcd(p, g) = 1 the Cartier — Manin matrix of the curve C1,p is monomial and we get an explicit formula for x(A) mod p.
Theorem 5. Let the curve C1,p is defined over the finite field Fq, q = pn, gcd(p, g) = 1 and W be a Cartier — Manin matrix of C1,p. Then W is a monomial matrix with a permutation a, such that a(i) = ip — (p — 1)/2 (mod g) and Wp is a monomial matrix with permutation an, an(i) = ipn — (pn — 1)/2 (mod g). If Wp = (wi,j) and = a1a2 ... is a decomposition of into disjoint cycles, then
m ( kj | \
X(A) = Ag n ( Akj| — fcn w^j,fc^ifc+J (mod p),
where aj,fc = jfc for aj = (j'1,... , jjCTj.|).
Coefficients wi,j of Wp can be computed by using formula:
( n-1 n-2 k \
As application of our methods we found all the possible variants of polynomials x(A) mod p for the case of gcd(g,p) = 1, p > 2, and the curve C1 over fields Fp and Fp2.
REFERENCES
1. Koblitz N. Hyperelliptic cryptosystems. J. Cryptology, 1989, vol. 1, no.3, pp. 139-150.
2. Manin Y. I. O matritse Khasse — Vitta algebraicheskoy krivoy [The Hasse — Witt matrix of an algebraic curve]. Izv. Akad. Nauk USSR, Ser. Mat., 1961, vol.25, no. 1, pp. 153-172. (in Russian)
3. Bostan A., Gaudry P., and Schost; E. Linear recurrences with polynomial coefficients and application to integer factorization and Cartier — Manin operator. SIAM J. Comput., 2007, vol. 36, no. 6, pp. 1777-1806.
4. Harvey D. and Sutherland A.V. Hasse — Witt matrices of hyperelliptic curves in average polynomial time. LMS J. Comput. Math., 2014, vol.17, no. A, pp. 257-273.
5. Yui N. Jacobi quartics, Legendre polynomials and formal groups. Lecture Notes in Mathematics, 1988, vol. 1326, pp. 182-215.
6. Miller L. The Hasse — Witt matrix of special projective varieties. Pacific J. Math., 1972, vol. 43, no. 2, pp. 443-455.
7. Brillhart J. and Morton P. Class numbers of quadratic fields, Hasse invariants of elliptic curves, and the supersingular polynomial. J. Number Theory, 2004, vol. 106, no. 1, pp. 79-111.
8. Carlitz L. Congruence properties of the polynomials of Hermite, Laguerre and Legendre. Mathematische Zeitschrift, 1953, vol. 59, pp. 474-483.
9. Yui N. On the Jacobian varieties of hyperelliptic curves over fields of characteristic p > 2. J. Algebra, 1978, vol.52, no.2, pp.378-410.
