Hyperelliptic curves, Cartier - Manin matrices and Legendre polynomials Текст научной статьи по специальности «Физика»

2017 Теоретические основы прикладной дискретной математики №37

UDC 512.772.7 DOI 10.17223/20710410/37/2

HYPERELLIPTIC CURVES, CARTIER — MANIN MATRICES AND LEGENDRE POLYNOMIALS

S. A. Novoselov Immanuel Kant Baltic Federal University, Kaliningrad, Russia

Using hyperelliptic curves in cryptography requires the computation of the Jacobian order of a curve. This is equivalent to computing the characteristic polynomial of Frobenius x(A) e Z[A|. By calculating Cartier — Manin matrix, we can recover the polynomial x(A) modulo the characteristic of the base field. This information can further be used for recovering full polynomial in combination with other methods. In this paper, we investigate the hyperelliptic curves of the form C1 : y2 = x2g+1 + + ax9+1 + bx and C2 : y2 = x2g+2 + ax9+1 + b over the finite field Fq, q = pn, p > 2. We transform these curves to the form C1,p : y2 = x2g+1 — 2px9+1 + x and C2,p : y2 = x2g+2 — 2px9+1 +1, where p = —a/(2\/b), and prove that the coefficients of the corresponding Cartier — Manin matrices for the curves in this form are Legendre polynomials. As a consequence, the matrices are centrosymmetric and therefore, for finding the matrix, it's enough to compute a half of coefficients. Cartier — Manin matrices are determined up to a transformation of the form S(p)WS-1. It is known that centrosymmetric matrices can be transformed to the block-diagonal form by an orthogonal transformation. We prove that this transformation can be modified to have a form S(p)WS-1 and be defined over the base field of the curve. Therefore, Cartier — Manin matrices of curves C1,p and C2,p are equivalent to block-diagonal matrices. In the case of gcd(p,g) = 1, Miller and Lubin proved that the matrices of curves C1 and C2 are monomial. We prove that the polynomial x(A) (mod p) can be found in factored form in terms of Legendre polynomials by using permutation attached to the monomial matrix. As an application of our results, we list all possible polynomials x(A) (mod p) in the case of gcd(p,g) = 1, g is from 2 to 7 and the curve C1 is over Fp if Vb e Fp and over Fp2 if Vb <£ Fp.

Keywords: hyperelliptic curve cryptography, Cartier — Manin matrix, Legendre polynomials.

Introduction

Let Fq be a finite field, q = pn, p > 2. A hyperelliptic curve of a genus g over Fq is a nonsingular curve given by an equation

C : y2 = f (x),

where f e Fq [x], f is monic, deg f = 2g + 1 or deg f = 2g + 2.

Hyperelliptic curves were first proposed for use in cryptography by Koblitz [1]. Due to index-calculus attacks on hyperelliptic curves [2 - 4], only curves with a small genus are now considered in cryptography. In the more specific area of the cryptography on pairings, we are only interested in curves over prime and possibly medium or big characteristic fields, since in this case the security of cryptosystems relies on the discrete logarithm problem in finite fields, which has quasi-polynomial complexity for finite fields with a small characteristic [5].

The hyperelliptic curve C has an associated group —its Jacobian JC (Fq), where all computations take place. For applications in cryptography, we need to compute the order

of JC (Fq). Computing the order of Jacobian is equivalent to computing characteristic polynomial xq(A) of the Frobenius endomorphism of JC, which is determined by zeta function. If Nk = #C(Fqk), then zeta function is a generating function

Z(A)-exp( £ f Ak)

L(A)

(1 - A)(1 - qA) '

where L(A) E Z[A] is the L-polynomial, L(A) = A2gxq(1/A), and we have #JC(Fq) = xq(1) = = L(1).

(deg f )(p-1)/2

Let f (x)(p-1)/2 = £ Cxl. Then Cartier — Manin matrix of the hyperelliptic

i=0

curve C is a matrix

/ Cp-1 c»-2 .

W = (Wij ) =

-p— 1 ^p-c2p—1 c2p—2

\cgp— i cgp—2

CP—g \ c2p—g

cgp—g/

Manin [6] showed that the characteristic polynomial of the matrix W is connected with the polynomial xq(A) in the following way. Let Wp = W ■ W(p) ■ ... ■ W(pn ), where W(pk) = (wpj), then

' Xq (A) = (-1)g Ag |Wp - A/fl | (mod p).

Cartier — Manin matrices can in general be computed by optimized algorithms from [7, 8], which are faster than collecting coefficients after expansion of f (x)(p-1)/2. After computing the polynomial xq(A) mod p, we can use Hasse —Weil bound in combination with other methods to recover full polynomial xq(A).

In this work, we study hyperelliptic curves of the form

and

C1 : y2 = x2g+1 + axg+1 + bx

C2 : y2 = x2g+2 + axg+1 + b.

These curves are isomorphic to curves

Ci,p : y2 = x2g+1 - 2pxg+1 +

x

and

C2,p : y2 = x2g+2 - 2pxg+1 + 1

g+1

over the field K = Fq^v^b]. Therefore, we can restrict the discussion to the curves C1)P and C2,p and our results for polynomials x(A) hold over Fq if b is a square and over Fq2 if b is not a square in Fq. These forms of curves are motivated by Jacobi quartics investigated by N. Yui [9].

The curves C1 and C2 were first studied by Miller and Lubin [10, 11], who proved that the Cartier — Manin matrices of these curves are the generalized permutation (monomial) matrices.

F. Leprevost and F. Morain [12] expressed the number of points of these curves in terms of certain modular functions, which can be efficiently computed for some special instances of curves.

For g =1 these curves are elliptic ones. It is known that the number of points of elliptic curves in Legendre form for C1 and Jacobi form for C2 is congruent to Legendre polynomials

(see [9, 13] for details). Here, we show that this can be generalized to g > 1 case and prove that the number of points in JCl and JC2 is congruent to an expression in terms of Legendre polynomials.

The genus 2 case was investigated for use in cryptography in [14-16]. It was proved that the genus 2 curves of the forms C1 and C2 have Jacobian isogenous to direct product of elliptic curves. Some explicit formulas for zeta function and for xq(A) were found.

In this paper, we list all the possibilities for the polynomial xq(A) modulo prime p for genus g from 2 to 7, p > 2, gcd(p, g) = 1, and the curve C1 over Fp if b e Fp (Table 1) and over Fp2 if b e Fp (Table 2). Our methods can also be applied to any genus and finite field Fpn with gcd(p, g) = 1 and p > 2.

The rest of the paper is organized as follows. In section 1.1, we collect and prove preliminary results for monomial matrices and their permutations. In section 1.2, we prove necessary conditions for coefficients of Cartier — Manin matrices of C1 and C2 to be nonzero. From this, we also obtain conditions for the matrix to be diagonal or anti-diagonal.

In section 2.1, we prove that non-zero elements of Cartier — Manin matrix of the curve C1 are Legendre polynomials and, as consequence, that the matrix is centrosymmetric. Using this fact, we prove that Cartier — Manin matrix of the curve C1 is equivalent to a blockdiagonal matrix over the finite field Fq. In the case when the matrix is monomial with an attached permutation a, we show how the polynomial xq(A) (mod p) can be found in factored form by using this permutation and methods from Section 1.1. Section 2.2 contains analogous results for the curve C2.

Tables 1 and 2 contain all the possible variants of the polynomials x(A) (mod p) for the case of gcd(g,p) = 1, p > 2, and the curve C1 over the fields Fp and Fp2.

1. Preliminary results 1.1. Permutations specified by congruence

A matrix M of size n x n is a generalized permutation (or monomial) matrix if each its column as well as each its row contains exactly one non-vanishing element. Every such a matrix can be decomposed into the product of a diagonal matrix and a permutation matrix

M = diag(m1, m2,..., mn)P(J

for some permutation a e Sym(n). Consider the case when the permutation a is defined by a congruence modulo n.

Theorem 1. Let a,b,n be integers, n > 1, a = 1 (mod n), gcd(a,n) = 1, M = = diag(m1, m2,..., mn)P(J be a monomial matrix, and a be a permutation such that a(i) = = ai — b (mod n). Then

/as — 1\

1) as(i) = asi — b - (mod n);

Va — 1 J

2) ord(a) = ordn(a);

/ a j — 1 \

3) if dj = gcd(aj — 1,n) and bj = b I -— I, then the number of cycles in the

a — 1

decomposition of the permutation a into disjunct cycles equals

m = n + ^ dj , 1 ^ j ^ ordn (a) — 1;

ordn(a) V dj |bj

4) if a = a1a2 ... am is the disjunct cycles decomposition of a, then the characteristic polynomial xM(A) of the matrix M factors in the following way:

m

xm (A)= n(Akj|- m,), j=1

where is the product of all elements in the matrix M with indexes in the cycle aj. Proof.

1) Let s = 1. Then a(i) = ai — b ( a- ) (mod n). Let s + 1 > 1. Then

Va — V

as+1 (i) = a(as(i)) = a — b ) ) — b = as+1 i — b — ^ (mod n).

So the formula is true by induction.

2) Let r = ordn(a). Assume that there exists j < r such that aj(i) = i for all i. Then for all i, we have

(aj — 1)i = b ( a- ) (mod n).

a — 1

/ a j — 1 \

This congruence has solutions iff gcd(aj — 1, n) = dj |b - ; in this case, the number

V a — 1 J

of solutions is equal to dj.

Since r is the minimal integer such that ar = 1 (mod n), we have aj = 1 (mod n). Then dj < n and there exists integer j0 such that aj(j0) = j0 (mod n). This contradiction proves our statement.

3) Cycles in the disjunct decomposition of the permutation a correspond to orbits in the action of the group (a) on the set S = {1,..., n}.

The number of orbits can be calculated by Burnside's lemma:

1 IMI 1 / r-1 \

m = ^ £ #{i E S : aj(i) = i} = - n + E #{i E S : aj(i) = i} . |(a)| j=1 r\ j=1 )

The number of elements i such that aj (i) = i is equal to the number of solutions of the

/ a j — 1 \ | f a j — 1

congruence aji — b I -— I = i (mod n), which is dj = gcd(aj — 1,n) if dj |b

. — , v-----.„/; ---------- ^ ^ u 11 "ji- i

v a - 1 ) 1 V a - 1

and 0 otherwise. Therefore,

m = - In + Z dj

f \ dj |bj

4) See [17, Theorem 3]. ■

1.2. Hyperelliptic curves of the form y2 = X + axs + bxm The next lemma gives some necessary conditions for coefficients of the Cartier — Manin matrix of a named form curve to be zero.

Lemma 1. Let C : y2 = X + axs + bxm be a genus g hyperelliptic curve over finite field Fq, q = pn, p > 2, t E {2g + 2, 2g + 1}, m < s < t, m E {0,1} and d = gcd(t — m, s — m). Let W = (wj,j), 1 ^ i, j ^ g, be the Cartier — Manin matrix of the curve C. Then Wj,j = 0 for all i, j such that ip — j ^ m(p — 1)/2 (mod d).

Proof. We have

Wij = [xip-j ](x* + axs + bxm)(p-1)/2 = [xip-j-m(p-1)/2](xt-m + axs-m + b)(p-1)/2

Ap — 1)/2\ /(p — 1)/2\ afc2 bk3

fcl+fc2+fc3 = (p-1)/A k1, k2, k3 / fcl,fc2,fcA k1, k2, k3 /

where sum goes all k1, k2, k3, which satisfy the system of equations

+ k2 + k3 = (p — 1)/2,

(t — m)k1 + (s — m)k2 = ip — j — m(p — 1)/2.

The second equation has a solution in integers k1, k2 if and only if gcd(t — m, s — m) divides ip — j — m(p — 1)/2. Otherwise, the system has no solutions and we get Wj,j = 0. ■

From this lemma, we obtain some sufficient conditions for the Cartier — Manin matrix to be diagonal or anti-diagonal.

Theorem 2. Let C : y2 = x2g+1 + axg+1 + bx be a genus g hyperelliptic curve over the finite field Fq and W be the Cartier — Manin matrix of this curve. Then

1) W is a diagonal matrix if one of the following conditions holds:

a) g is even and p = 1 (mod 2g);

b) g is odd and p = 1 (mod g).

2) W is a anti-diagonal matrix if one of the following conditions holds:

a) g is even and p = — 1 (mod 2g);

b) g is odd and p = — 1 (mod g).

Proof.

1) Let g be even and p = 1 (mod 2g). Thenp = 1 + 2gm for some integer m. By Lemma 1 elements of matrix W can be non-zero only if g| (ip — j — (p — 1)/2) = i(1 + 2gm) — j — gm, i.e. should be i = j (mod g). Since 1 ^ i, j ^ g, we get i = j.

Let g be odd and p = 1 (mod g). Since gcd(g, 2) = 1, ip — j — (p — 1)/2 = i — j (mod g) and i = j (mod g) .

2) The proof is similar to 1. ■

2. Main results 2.1. Curves of the form y2 = x2g+1 + axg+1 + bx

The genus g hyperelliptic curves of the form C1 : y2 = x2g+1 + axg+1 + bx over the finite field Fq are isomorphic over

Fq [\/b] to

C1,p : y2 = x2g+1 — 2pxg+1 + x, p = — a

2^

via isomorphism

(x,y) ^ (b1/(2g)x,b(2g+1)/(4g)y) .

Let K = Fq [v^b]. If b is a square in Fq, then K = Fq, otherwise K = Fq2.

First, we proof that the coefficients of the Cartier — Manin matrix W of the curve C1)P correspond to the Legendre polynomials.

Theorem 3. Let C1)P : y2 = x2g+1 — 2pxg+1 + x be a genus g hyperelliptic curve over the finite field Fq and W = (wi;j) be the Cartier — Manin matrix of C1;P. Then

1) wi)j- = 0, if ip — j ^ (p — 1)/2 (mod g);

2) Wi,j = P(ip_j)/g_(p_i)/(2g)(p) (mod p), otherwise. Proof.

1) The statement follows from Lemma 1.

2) Let ip — j = (p — 1)/2 (mod g) and therefore g|(ip — j — (p — 1)/2). We have

Wi,j = [xip_j_(p_1)/^ (x2fl — 2pxfl + 1)(p_1)/2. Making substitution z = xg, we get

Wi,j = [z(ip_j)/g_(p_1)/(2g)] (z2—2pz+i)(p_1)/2 = [z(ip_j)/g_(p_1)/(2g)i 1 == (mod p).

yz2 — 2pz + 1

Note that the generating function of the Legendre polynomials has the form

ro 1

E Pfc(x)zk = =.

fc=o V z2 — 2xz + 1

From this, it follows that wi,j = P(ip_j-)/fl_(p_1)/(2fl)(p). ■

In many cases, the Cartier — Manin matrix of the curve C1,p has some special forms. We collect and prove these ones in the following theorem.

Theorem 4. Let y2 = x2g+1 — 2pxg+1 + x be a genus g hyperelliptic curve over the field Fq and W be the Cartier — Manin matrix of the curve. Then matrix W is

1) centrosymmetric in Fq;

2) monomial, if gcd(p,g) = 1;

3) diagonal, if one of the following conditions holds:

a) g is even and p = 1 (mod 2g);

b) g is odd and p = 1 (mod g);

4) antidiagonal, if one of the following conditions holds:

a) g is even and p = — 1 (mod 2g); a) g is odd and p = — 1 (mod g).

Proof.

1) By Theorem3, when g|(ip — j — (p — 1)/2) we have

w

»j

= P0-j)/g-(p-i)/(2g)(p) (mod p).

From congruence properties of the Legendre polynomials [18, (5.9)], we get

Pp_1_m(p) = Pm(p) (mod p), 0 ^ m ^ p — 1.

So

w.

= P(ip_j)/fl_(p_1)/(2fl) (P) = PP_1_(ip_j)/fl+(p_1)/(2g)(P) =

= P((fl_i+1)p_(fl_j+1))/fl_(p_1)/(2fl) (P) = Wg_i+1,g_j+1 (mod p).

2) If j is fixed and gcd(p,g) = 1, then the congruence ip — j = (p — 1)/2 (mod g) has only one solution for i and since 1 ^ i ^ g, there is only one j. Therefore, in every row, only one non-zero element is possible. Similarly, we can show that in every column, there can be only one non-zero element. From this, it follows that W is a monomial matrix.

3,4) See Theorem 2. ■

It's known that the set of centrosymmetric matrices and the set of monomial matrices are closed under multiplication of matrices. Note that if W is centrosymmetric (monomial), then W(pk) is also centrosymmetric (monomial). Therefore matrix Wp is centrosymmetric (monomial), if W is centrosymmetric (monomial).

For centrosymmetric matrices, there is an orthogonal transformation [19], which transforms such matrices to block-diagonal form. If the size of a centrosymmetric matrix is even, than this transformation is defined by the non-singular orthogonal matrix

Q

1 f1 -J

2 V J J

And for odd case

Q

11;

0

V2 0

Note that this transformation is defined over Fq [^/2] and a different transformation is required for Cartier — Manin matrices. The Cartier — Manin matrix W of any hyperelliptic curve is determined up to transformation of the form S(p)WS-1, where S is a non-singular matrix [20, Proposition 2.2]. The following theorem shows that, by modifying transformation for centrosymmetric matrices, we can choose S in such way that the resulting matrix is block-diagonal and defined over Fq.

Theorem 5. Let C1,p be a genus g hyperelliptic curve, defined by equation y2 = = x2g+1 — 2pxg+1 + x over the finite field Fq, char Fq = p > 2. Then the Cartier — Manin matrix W of C1,p is equivalent to a block-diagonal matrix.

W W3\ /W1 a

Proof. Let W = T_ w if g is even, and W = b c

VW I W2 e

W3 d

W,

if g is odd. Since,

W

W1 W2

JW2J JW1J

for even g and W =

by Theorem 4, the matrix W is centrosymmetric in Fq

'Wi a JW2J

b c bJ ^Wa Ja JWiJ Consider the transformation of the form S(p)WS-1. 1. If V2 e Fq, then we choose S = Q and have S(p)WS-1 that this transformation transforms matrix to the block-diagonal form.

• 1 \ (p-i)/2

2

then W can be written in the form

if g is odd.

Q(p)WQT. We need to show

If genus g is even, then Q(p)

Q and

Q(p)WQT = If genus g is odd, then Q(p) WQT

1\ (p-1)/V W1 — JW2

0

0 J (W1 + JW2)Jy'

(p-1)/2 /W1 — JW2 0

0

0 2(p-1)/2c v2pb 0 ^2Ja J (W1 + JW2) Jy

I 0 —JN 0 1 0 J 0 I

2. Let ^2 i Fq, choose S = I 0 1 0 I for odd g and S =

I —J J I

for even g.

1 / 1 0 J\ 1 / J j^

Then we have S(p) = S, since p > 2, and S-1 = - I 0 2 0 I or S-1 = - ( T T

2\ _J 0 J 2 V—J 1

Now, we have

/Wi - JW2 0 0

S(p)WS-1 = I 0 c bJ

\ 0 2Ja J(Wi + JW2J

for odd case and

S(p)WS-i = /Wi - JW2 0

0 J (Wi + JW2) Jy for even case.

Note that in this case the matrix S is not orthogonal. If the orthogonality of S is not required, this transformation can also be applied to the case \f2 G Fq. ■

Applying this transformation to Wp, we get a formula for the characteristic polynomial of the matrix Wp and therefore for xq(A).

Corollary 1. Let C1)P : y2 = x2g+1 — 2pxg+1 + x be a genus g hyperelliptic curve over the field Fq, q = pn, p > 2 and the matrix W be written in the above form. Then

1) if g is even,

Xq(A) = (—1)gAg|(Wi + JW2)p — AI||(Wi — JW2)p — AI| (mod p);

2) if g is odd and p|g,

Xq (A) = (—1)g Ag

P(p-i)/2(P) bJ . _

2Ja J (Wi + JW2) J 1 A1

p

|(Wi —JW2)p—AI| (mod p);

3) if g is odd and p | g,

Xq (A) = (—1)g Ag (NFq/fp (P(p_ 1)/2 (p))—A) | (W1+J W2 )p—A/ ||(W1—JW2)p—A/1 (mod p). If the matrix W is monomial, we can go further.

Theorem 6. Let W be the Cartier — Manin matrix of the curve C1,p over the finite field Fq, gcd(p,g) = 1; a be a permutation such that a(i) = ip — (p — 1)/2 (mod g), and P(a) be the permutation matrix for a. Then 1) if g is even,

W = diag(w1,CT(1), . . . ,Wд/2,a(д/2),Wд/2+1,д/2+1_a(д/2),Wд/2+2,д/2+1_a(д/2_1), . . . , Wg,g+1_CT(1))P(a);

2) if g is odd,

W = diаg(wl)CT(l), . . . , w(g-l)/2,ст((g-1)/2), w(g+1)/2,(g+1)/2, W(fl+i)/2+i,g+i—^((g+i)/2—i), . . . ,wg,g+1-CT(1))P

Proof. If gcd(p,g) = 1, then W is a monomial matrix, which can be factored in the product of diagonal and permutation matrix: W = diag(W1,CT(1),..., W^^P(a). By Lemma 1, for non-zero elements of W, we have ip — j = (p — 1)/2 (mod g). So the permutation a is defined as a(i) = ip — (p — 1)/2 (mod g). Since the matrix P(a) is also centrosymmetric, every i such that a(i) = ip — (p — 1)/2 (mod g) uniquely determines the value of a(g + 1 — i), as a(g + 1 — i) = g + 1 — a(i) (mod g). ■

If we know the decomposition of an into disjoint cycles, we can factor the polynomial Xq(A) in the following way.

Theorem 7. Let C1,p : y2 = x2g+1 — 2pxg+1 + x be a hyperelliptic curve over the finite field Fq, q = pn, gcd(p, g) = 1 and W be the Cartier — Manin matrix of this curve. Then W is the monomial matrix with the permutation a such that a(i) = ip — (p — 1)/2 (mod g) and Wp is a monomial matrix with the permutation an such that an(i) = ipn(pn — 1)/2 (mod g). If Wp = (wij) and an = a1a2 ... am is the decomposition of an into disjoint cycles, then

m I |

Xq(A) = Ag n (A|CTj 1 — n ) (mod p),

j=1 fc=1

where a^ = j for aj = j... , |).

Proof. If W is the monomial matrix with the permutation a, then, by multiplying matrices, we obtain

( n-1 n-2 k \

wp = ) = no (i),ak+i(i^ ,

where ak are permutations with ak(i) = ipk — (pk — 1)/2 (mod g) and wij = 0 for all j = = an(i). Therefore, Wp is a monomial matrix with the permutation an(i) = ipn — (pn — 1)/2 (mod g) and the result follows from the Theorem 1. ■

In the case of the diagonal matrix, the formula can be made simpler.

Theorem 8. Let C1,p : y2 = x2g+1 — 2pxg+1 + x be a genus g hyperelliptic curve over the finite field Fq, q = pn, p > 2. Then

1) if g is even and p = 1 (mod 2g),

g/2

Xq(A) = (A — NFq/Fp (P(2i-1)(p- 1)/(2g) (P)))2 (mod p); i=1

2) if g is odd and p = 1 (mod g),

(g-1)/2

Xq(A) = Ag(A—NFq/Fp (P(p-1)/2(P))) n (A —NFq/Fp (P(2i-1)(p-1)/(2g)(P)))2 (mod p).

j=1

2.2. Curves of the form y2 = x2g+2 + axg+1 + b The following curves of this form

C2 : y2 = x2g+2 + axg+1 + b, C2,p : y2 = x2g+2 — 2pxg+1 + 1

have the properties similar to the curves C1 and C1,p. We collect them in the following theorem.

Theorem 9. Let C2,p be a hyperelliptic curve defined by the equation y2 = x2g+2 — — 2pxg+1 + 1 over finite field Fq and W = (w^j) be the Cartier — Manin matrix of C2,p. Then

1) Wjj = 0 if ip = j (mod g + 1);

2) wi,j = P(ip-j)/(g+1)(P) (mod g +1);

3) W is a centrosymmetric matrix in Fq;

4) W is a monomial matrix if p / (g + 1);

5) W is a diagonal matrix if p / (g + 1) and p = 1 (mod g + 1);

6) W is an anti-diagonal matrix if p / (g + 1) and p = — 1 (mod g + 1);

7) there is a transformation of the form S(p)WS-1 where S is non-singular, which transforms W to a block-diagonal form;

8) if g is even,

Xq(A) = (—1)gAg|(Wi + JW2)p — A/||(Wi — JW2)p — A/1 (mod p);

9) if g is odd and p|g,

Xq (A) = (-1)g Ag

P(p-1)/2(P) bJ 1 _ A1

2Ja J (Wi + JW2) J 1 A1

|(Wi-JW2)p-A/1 (mod p);

10) if g is odd and p / g,

Xq(A) = (—1)gAg(NFq/Fp(P(p-i)/2(p))-A)|(W1+JW2)p-A/||(W1-JW2)p-A/1 (modp). Proof.

1) It follows from Lemma 1.

2) Let (g + 1) |(ip — j) and t = xg+1. Then

=[xip-j](x2g+2—2Pxg+1 + 1)(p-1)/2=[i(ip-j)/(g+1)](i2—2pi+1)(p-1)/2=P(ip-j)/(g+i)(p) (modp).

3) = P(ip-

(ip-j)/(g+i)

— Pp— 1— (ip—

1-(ip-j)/(g+1) = wg+1-i,g+1-j •

4) If gcd(p, g + 1) = 1, then the congruence ip = j (mod g + 1) has only one solution for each i, j, and since 1 ^ i, j ^ g it uniquely determines i, j.

5,6) These follow from congruences i = j (mod g + 1) and i = —j (mod g + 1) for 1 ^ ^ j ^ g.

7-10) The needed transformations are taken from the Theorem 5. ■

Conclusion

We have proved that the Cartier — Manin matrices W for the curves C1)P and C2,p have a very special form, namely, the coefficients of W are the Legendre polynomials, W is centrosymmetric and is equivalent to a block-diagonal matrix. In the case gcd(p,g) = 1, the matrices of C1 and C2 are monomial. Using this fact, we have proved (Theorem 7) that the polynomial xq(A) modulo p can be computed in a factored form in terms of the Legendre polynomials. The matrix symmetry can be used to speed up the algorithms for computing the Cartier — Manin matrices, because it is enough to compute half of coefficients to completely determine a matrix itself. As an application, we have listed all the possible variants of the polynomial xp(A) modulo p for the curve C1 over prime field (Table 1) and over Fp2 (Table 2).

Table 1

Hyperelliptic curves of the form CijP : y2 = x2g+1 + axg+1 + bx over the prime field Fp, p > 2, p / g, Pm := Pm(p) and b is a square

g Conditions Xp(A) (mod p)

2 p = 1 (mod 4) A2(A - p(p-i)/4)2

2 p = 3 (mod 4) A2(A2 - p(P_3)/4)

3 p = 1 (mod 3) a3(a - P(p-1)/2)(A - P(p-1)/6)2

3 p = 2 (mod 3) A3(A - P(P-1)/2)(A2 - P(2p—5)/6)

4 p = 1 (mod 8) A4(A - P(p— 1)/8)2(A - P(3p—3)/8)2

4 p = 3 (mod 8) a4(a2 - P(p—3)/8P(3p —1)/8)2

End of Table 1

g Conditions Xp(A) (mod p)

4 p = 5 (mod 8) A4(A2 - 5)/8P(3p-7)/8)2

4 p = 7 (mod 8) A4(A2 - 7)/8)(A2 - P(23p-5)/8)

5 p = 1 (mod 5) a5(a - 1)/2)(A - P(p-1)/10)2(A - P(3p-3)/10)2

5 p = 2 (mod 5) A (A - P(p-1)/2)(A - P(p-7)/10P(3p-1)/10)

5 p = 3 (mod 5) A5(A - P(p-1)/2)(A4 - P(p-3)/10P(23p-9)/10)

5 p = 4 (mod 5) A5(A - P(p-1)/2)(A2 - P(p-9)/10)(A2 - P(3p-7)/10)

6 p = 1 (mod 12) A6(A - P(p-1)/12)2(A - P(p-1)/4)2(A - P(5p-5)/12)2

6 p = 5 (mod 12) a6(a - p(p-1)/4)2(A2 - P(p-5)/12P(5p-1)/12)2

6 p = 7 (mod 12) a6(a2 - P(p-7)/12P(5p-11)/12)2(A2 - P(p-3)/4)

6 p = 11 (mod 12) a6(a2 - P(p-11)/12)(A2 - P(P-3)/4)(A2 - P(5p-7)/12)

7 p = 1 (mod 7) A7(A - P(p-1)/2)(A - P(p-1)/14)2(A - P(3p-3)/14)2(A - P(5p-5)/14)2

7 p = 2 (mod 7) A7(A - P(p-1)/2)(A3 - P(p-9)/14P(3p-13)/14P(5p-3)/14)2

7 p = 3 (mod 7) A7(A - P(p-1)/2)(A6 - P(p-3)/14P(23p-9)/14P(5p-1)/14)

7 p = 4 (mod 7) A7(A - P(p-1)/2)(A3 - P(p-11)/14P(3p-5)/14P(5p-13)/14)2

7 p = 5 (mod 7) A7(A - P(p-1)/2)(A6 - P(5p-11)/14P(23p-1)/14P(P-5)/14)

7 p = 6 (mod 7) A7(A - P(p-1)/2)(A2 - P(p-13)/14)(A2 - P(3p-11)/14)(A2 - P(5p-9)/14)

Table 2

Hyperelliptic curves of the form C1jP : y2 = x2g+1 + axg+1 + bx over the field Fp2, p > 2, p / g, Pm := Pm(p), b is a square in Fp2

g Conditions Xp2 (A) (mod p)

2 p = 1 (mod 4) a2(a - Pp+-11)/4)2

2 p = 3 (mod 4) A2(A - Pfp-3)/4)2

3 p = 1 (mod 3) A3(A - P(p-1)/2)(A - Pp+-1)/6)2

3 p = 2 (mod 3) A3(A - Ppp-11)/2)(A - Pfp-5)/6)2

4 p = 1 (mod 8) A4(A - P(p-1)/8)2 (A - P(3p-3)/8)2

4 p = 3 (mod 8) A4(A - Ppp-3)/8P(3p-1)/8)2 (A - P(3p-1)/8P(p-3)/8)2

4 p = 5 (mod 8) A4(A - PpP-5)/8P(3p-7)/8)2(A - P(3p-7)/8P(p-5)/8)2

4 p = 7 (mod 8) A4(A - Pfp-17)/8)2 (A - P(3+—5)/8)2

5 p = 1 (mod 5) A5(A - Pfp-11)/2)(A - Pp+-11)/10)2(A - P(3+-3)/10)2

5 p = 2 (mod 5) a5(a2 - P(P-7)/10P(23p-1)/10)(A2 - P(3p-1)/10PQo—7)/10)(A - PQj-1)/2)

5 p = 3 (mod 5) a5(a2 - P(P-3)/10P(23p-9)/10)(A2 - P(3p-9)/10P(p—3)/10)(A - P(Pp-1)/2)

5 p = 4 (mod 5) A5(A - Pfp-11)/2)(A - Pfp-19)/10)2(A - P(3+-7)/10)2

6 p = 1 (mod 12) A6(A - Pp+-11)/4)2(A - Pp+11)/12)2(A - P(5+-5)/12)2

6 p = 5 (mod 12) A6(A - P(p-5)/12P(5p-1)/12)2 (A - P(5p-1)/12P(p-5)/12)2(A - P(p+-11)/4)2

6 p = 7 (mod 12) A6(A - P(p-7)/12P(5p-11)/12)2 (A - P(5p-11)/12P(p-7)/12)2(A - Pp+-3)/4)2

6 p = 11 (mod 12) A6(A - Pp+-13)/4)2(A - Pfp-111)/12)2(A - P(5+-7)/12)2

7 p = 1 (mod 7) a7(A P P+1 )(A P P+1 )2 ( A P P+1 )2 ( A P P+1 )2 A (A - P(p-1)/2)(A - P(p-1)/14) (A - P(5p-5)/14) (A - P(3p-3)/14)

7 p = 2 (mod 7) A7(a p P+1 )(a3 p P+1 p P+1 p P+1 )2 A (A P(p-1)/2)(A P(p-9)/14P(5p-3)/14P(3p-13)/14)

7 p = 3 (mod 7) A7(a p P+1 )(a3 p P+1 p P+1 p P+1 )2 A (A P(p-1)/2)(A P(p-3)/14P(3p-9)/14P(5p-1)/14)

7 p = 4 (mod 7) A7(a p P+1 )(a3 p P+1 p P+1 p P+1 )2 A (A P(p-1)/2)(A P(p-11)/14P(3p-5)/14P(5p-13)/14)

7 p = 5 (mod 7) A7(a3 p P+1 p P+1 p P+1 )2 ( a p P+1 ) A (A P(p-5)/14P(3p-1)/14P(5p-11)/14) (A P(p-1)/2)

7 p = 6 (mod 7) A7(A - Ppp-1)/2)(A - P(p-13)/14)2 (A - P(3p-11)/14)2 (A - P(5p-9)/14)2

Our results were checked in Pari/GP and Sage.

A short information about these results were presented by the author on the conference Sibecrypt'17 [21].

REFERENCES

1. KoblitzN. Hyperelliptic cryptosystems. J. Cryptology, 1989, vol.1, no. 3, pp. 139-150.

2. Enge A. and Gaudry P. A general framework for subexponential discrete logarithm algorithms. Acta Arith., 2000, vol. 102, pp. 83-103.

3. Enge A., Gaudry P., and Thome E. An L(1/3) discrete logarithm algorithm for low degree curves. J. Cryptology, 2011, vol.24, no. 1, pp. 24-41.

4. Gaudry P., Thome E., Thériault N., and Diem C. A double large prime variation for small genus hyperelliptic index calculus. Math. Comput., 2007, vol.76, no. 257, pp. 475-492.

5. Barbulescu R., Gaudry P., JouxA., and Thome E. A heuristic quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic. LNCS, 2014, vol.8441, pp. 1-16.

6. Manin Yu. I. O matritse Khasse — Vitta algebraicheskoy krivoy [The Hasse-Witt matrix of an algebraic curve]. Izv. Akad. Nauk SSSR, Ser. Mat., 1961, vol.25, no. 1, pp. 153-172. (in Russian)

7. Bostan A., Gaudry P., and Schost; E. Linear recurrences with polynomial coefficients and application to integer factorization and Cartier — Manin operator. SIAM J. Comput., 2007, vol. 36, no. 6, pp. 1777-1806.

8. Harvey D. and Sutherland A.V. Hasse — Witt matrices of hyperelliptic curves in average polynomial time. LMS J. Comput. Math., 2014, vol.17, no. A, pp. 257-273.

9. Yui N. Jacobi quartics, Legendre polynomials and formal groups. Lecture Notes in Mathematics, 1988, vol. 1326, pp. 182-215.

10. Miller L. The Hasse — Witt-matrix of special projective varieties. Pacific J. Math., 1972, vol.43, no. 2, pp. 443-455.

11. Miller L. Curves with invertible Hasse — Witt-matrix. Math. Ann., 1972, vol.197, pp.123-127.

12. Leprevost F. and Morain F. Revetements de courbes elliptiques à multiplication complexe par des courbes hyperelliptiques et sommes de caracteres. J. Number Theory, 1997, vol.64, no.2, pp. 165-182.

13. Brillhart J. and Morton P. Class numbers of quadratic fields, Hasse invariants of elliptic curves, and the supersingular polynomial. J. Number Theory, 2004, vol.106, no. 1, pp.79-111.

14. Satoh T. Generating genus two hyperelliptic curves over large characteristic finite fields. LNCS, 2009, vol. 5479, pp. 536-553.

15. Freeman D. M. and Satoh T. Constructing pairing-friendly hyperelliptic curves using Weil restriction. J. Number Theory, 2011, vol. 131, no. 5, pp. 959-983.

16. Guillevic A. and Vergnaud D. Genus 2 hyperelliptic curve families with explicit Jacobian order evaluation and pairing-friendly constructions. LNCS, 2012, vol.7708, pp.234-253.

17. Garcia-Planas M. I. and Magret M. D. Eigenvectors of permutation matrices. Adv. Pure Math., 2015, vol.5, no. 7, pp. 390-393.

18. Carlitz L. Congruence properties of the polynomials of Hermite, Laguerre and Legendre. Mathematische Zeitschrift, 1953, vol.59, pp. 474-483.

19. Weaver J. R. Centrosymmetric (cross-symmetric) matrices, their basic properties, eigenvalues, and eigenvectors. Amer. Math. Monthly, 1985, vol.92, no. 10, pp. 711-717.

20. Yui N. On the Jacobian varieties of hyperelliptic curves over fields of characteristic p > 2. J. Algebra, 1978, vol.52, no.2, pp.378-410.

21. Novoselov S. A. Hyperelliptic curves, Cartier — Manin matrices and Legendre polynomials. Prikladnaya Diskretnaya Matematika. Prilozhenie, 2017, no. 10, pp. 30-32.