On Jacobian group arithmetic for typical divisors on curves

Abstract

In a previous joint article with Abu Salem, we gave efficient algorithms for Jacobian group arithmetic of “typical” divisor classes on \(C_{3,4}\) curves, improving on similar results by other authors. At that time, we could only state that a general divisor was typical, and hence unlikely to be encountered if one implemented these algorithms over a very large finite field. This article pins down an explicit characterization of these typical divisors, for an arbitrary smooth projective curve of genus \(g \ge 1\) having at least one rational point. We give general algorithms for Jacobian group arithmetic with these typical divisors, and prove not only that the algorithms are correct if various divisors are typical, but also that the success of our algorithms provides a guarantee that the resulting output is correct and that the resulting input and/or output divisors are also typical. These results apply in particular to our earlier algorithms for \(C_{3,4}\) curves. As a byproduct, we obtain a further speedup of approximately 15% on our previous algorithms for \(C_{3,4}\) curves.

Appendix: Speedup of the algorithms for \(C_{3,4}\) curves

In this appendix, we describe a method to combine the computations of Sects. 8, 9, and 10 of [1] into a single more efficient computation. The context here is that we currently know \(s,t \in W^{10}_{D+D'}\) (where D might equal \(D'\), and we know that \(D+D'\) is semi-typical). In our previous algorithms, we did two flips to the pair \(\{s,t\}\) to obtain first \(D''\) and then \(D'''\). By a modification of Propositions 3.14 and 3.18, we can combine these two flips into one computation. We do not know whether these techniques generalize to give a certifiably correct result for other curves, even though they will work generically. In the setting of \(C_{3,4}\) curves, however, it is easy to analyze when a divisor is typical, and we can show that the results obtained are correct.

To start, let us change notation to write \((\tilde{D},D,A)\) in this appendix, instead of the notation \((D+D',D'',D''')\) from [1]. Thus we have elements \(s \in W^9_{\tilde{D}}, t \in W^{10}_{\tilde{D}}\) of the form

$$\begin{aligned} s&= x^3 + s_1 y^2 + s_2 xy + s_3 x^2 + s_4 y + s_5 x + s_6,\nonumber \\ t&= x^2 y + t_1 y^2 + t_2 xy + t_3 x^2 + t_4 y + t_5 x + t_6,\nonumber \\&\text {with } {{\mathrm{div}}}s = \tilde{D} + D, \quad {{\mathrm{div}}}t = \tilde{D} + E,\nonumber \\&\deg \tilde{D} = 6, \quad \deg D = 3, \quad \text {and} \quad \deg E = 4. \end{aligned}$$

(A.1)

Our goal is to find the “flip” A of D. Thus A is a divisor with \(\deg A = 3\), and we wish to compute \(F \in W^6_{A+D}, G_0 \in W^7_{A+E}\) for which \(F t + G_0 s = 0\). We want to do so while certifying in the process that \(\{s,t\}\) is an IGS for \(\tilde{D}\) (i.e., D and E are disjoint) and that \(\tilde{D}\) is typical, whence so is A. (The reason for writing \(G_0\) is that the final \(G \in W^7_A\) will be a slight modification.) As usual, we will compute with the apparently weaker system of equations \(Ft + G_0 s \equiv 0 \bmod W^8\). This amounts to finding a linear combination of \(t,xt,yt,x^2 t\) and \(s,xs,ys,x^2 s, xys\) that vanishes when viewed in the quotient space \(W^{16}/W^8\). We represent elements of this quotient space as column vectors with respect to the basis \(\{x^3, x^2 y, xy^2, y^3, x^3 y, x^2 y^2, xy^3, y^4\}\), analogously to Eq. (17) of [1]. Adapting the entries of the matrix N in Lemma 8.1 of that article, we have that our desired images of \(t,xt,yt,x^2 t, s,xs,ys,x^2 s, xys\) are the columns \(C_1, \dots , C_9\) of the matrix

$$\begin{aligned} \begin{pmatrix} 0 &{}\quad t_3 &{}\quad 0 &{}\quad t_5 &{}\quad 1 &{}\quad s_3 &{}\quad 0 &{}\quad s_5+q_2 &{}\quad 0 \\ 1 &{}\quad t_2 &{}\quad t_3 &{}\quad t_4+q_2+t_3p_2 &{}\quad 0 &{}\quad s_2+p_2 &{}\quad s_3 &{}\quad s_4+p_1+s_3p_2 &{}\quad s_5+q_2 \\ 0 &{}\quad t_1 &{}\quad t_2 &{}\quad p_1 &{}\quad 0 &{}\quad s_1 &{}\quad s_2 &{}\quad 0 &{}\quad s_4+p_1 \\ 0 &{}\quad 0 &{}\quad t_1 &{}\quad t_3 &{}\quad 0 &{}\quad 1 &{}\quad s_1 &{}\quad s_3 &{}\quad 0 \\ 0 &{}\quad 1 &{}\quad 0 &{}\quad t_2 &{}\quad 0 &{}\quad 0 &{}\quad 1 &{}\quad s_2+p_2 &{}\quad s_3 \\ 0 &{}\quad 0 &{}\quad 1 &{}\quad t_1+p_2 &{}\quad 0 &{}\quad 0 &{}\quad 0 &{}\quad s_1 &{}\quad s_2+p_2 \\ 0 &{}\quad 0 &{}\quad 0 &{}\quad 0 &{}\quad 0 &{}\quad 0 &{}\quad 0 &{}\quad 1 &{}\quad s_1 \\ 0 &{}\quad 0 &{}\quad 0 &{}\quad 1 &{}\quad 0 &{}\quad 0 &{}\quad 0 &{}\quad 0 &{}\quad 1 \\ \end{pmatrix} \end{aligned}$$

(A.2)

Note that these columns are different from those in Sect. 9 of [1], where we had 11 columns representing elements of \(W^{17}/W^9\). The \(p_i\) and \(q_i\) are constants arising from the equation of the curve C. We emphasize that we do not compute the above matrix directly, since this would involve the two products \(t_3 p_2\) and \(s_3 p_2\), which we do not need separately, but can fold into other parts of the computation.

As in our earlier article, we count the complexity of a computation in terms of the number of multiplications M and inversions I it takes in the field \(\mathbb {K}\). We ignore additions and subtractions, as well as multiplications and divisions by 2 in \(\mathbb {K}\); recall that we assume in [1] that \(\mathbb {K}\) does not have characteristic 2 or 3.

The first stage of the computation is to compute three quantities \(\ell _1, \ell _2, \ell _3\) that will be useful later, for which nonvanishing of \(\ell _1\) is equivalent to \(\tilde{D}\) (and hence A) being typical:

Lemma A.1

Using 3M, we can compute

$$\begin{aligned} \ell _1 = t_1 - s_2 + s_1^2, \qquad \ell _2 = t_2 - s_3 + s_1(s_2 + p_2), \qquad \ell _3 = t_3 + s_1 s_3. \end{aligned}$$

(A.3)

We then have:

1. (1)

   The combination of columns \(C'_2 = C_2 - C_7 + s_1 C_6\), which represents \(xt - ys + s_1 xs\), is equal to the column vector \((\ell _3, \ell _2, \ell _1, 0, 0, 0, 0, 0)^\mathbf {T}\);

2. (2)

   Similarly, \(C'_4 = C_4 - C_9 + s_1 C_8\), which represents \(x(xt - ys + s_1 xs)\), has the form \((*,*,*,\ell _3, \ell _2, \ell _1, 0, 0)^\mathbf {T}\);

3. (3)

   The divisor \(\tilde{D}\) is typical if and only if \(\ell _1 \ne 0\).

Proof

Statements (1) and (2) are direct computations. Only statement (3), about typicality, needs proof. Now \(\tilde{D}\) is typical if and only if we have invertibility of the \(7\times 7\) submatrix of (A.2) obtained from the columns corresponding to \(\{t, xt, yt, s, xs, ys, x^2s\}\) and the first seven rows, since this corresponds to having \(sW^6 + tW^5 + W^8 = W^{15}\). The columns in question are all except \(C_4\) and \(C_9\), and we can further replace \(C_2\) by \(C'_2\), as given above, without affecting the invertibility; but in that case the columns can be rearranged to form a triangular matrix with diagonal entries all 1, except for a single \(\ell _1\). This proves our result. \(\square \)

We now define four more quantities \(m_0, m_1, m_2, m_3\) by:

$$\begin{aligned} m_0&= \ell _3 - \ell _1 t_1,\nonumber \\ m_1&= -s_4 - (\ell _1 t_2 + \ell _2 t_1) - m_0 s_1,\nonumber \\ m_2&= t_4 - s_5 + s_1 (s_4 + p_1) + p_2 \ell _3 - (\ell _1 t_3 + \ell _2 t_2) - m_0 (s_2 + p_2), \nonumber \\ m_3&= t_5 + s_1(s_5 + q_2) - \ell _2 t_3 - m_0 s_3. \end{aligned}$$

(A.4)

The motivation for the above quantities is that \(C''_4 = C'_4 - \ell _1 C_3 - \ell _2 C_2\) has the form \((*,*,*,m_0,0,0,0,0)^\mathbf {T}\), while \(C'''_4 = C''_4 - m_0 C_6 = (m_3, m_2, m_1, 0,0,0,0,0)^\mathbf {T}\). However, this fact is not needed to verify our proof below.

Lemma A.2

One can compute \(m_0, \dots , m_3\) using only 10M, as opposed to the 12M apparent in (A.4).

Proof

The point is that the four expressions \(\alpha = \ell _1 t_1, \beta = \ell _1 t_2 + \ell _2 t_1, \gamma = \ell _1 t_3 + \ell _2 t_2, \delta = \ell _2 t_3\) can be computed using just 4M instead of the apparent 6M. This is equivalent to Toom–Cook multiplication of polynomials via interpolation at 0, 1, \(-1\), and “\(\infty \)”. Explicitly, use 4M to compute \(t_1 \ell _1\), \(\ell _2 t_3\), \((t_1 + t_2 + t_3)(\ell _1 + \ell _2)\), and \((t_1 - t_2 + t_3)(\ell _1 - \ell _2)\). Thus we know the quantities \(\alpha , \delta , \alpha +\beta +\gamma +\delta , \alpha - \beta + \gamma - \delta \). Hence we also know \(\beta \pm \gamma \) at no extra cost (of multiplications M), and can determine \(\beta , \gamma \) at no further cost, because division by 2 is also “free” in our model. \(\square \)

Proposition A.3

Given \(\ell _1, \ell _2, \ell _3, m_0, m_1, m_2, m_3\) as above, one can at a further cost of 1I, 4M compute \(\ell _1^{-1}, m_1/\ell _1, (m_1/\ell _1)\ell _2, (m_1/\ell _1)\ell _3, (m_1/\ell _1)s_1\), thereby obtaining the following values of \(F, G_0\):

$$\begin{aligned} F&= x^2 - \ell _1 y - \left( \frac{m_1}{\ell _1} + \ell _2\right) x + \left( \frac{m_1}{\ell _1}\right) \ell _2 - m_2,\nonumber \\ G_0&= -xy + s_1 x^2 + \left( \frac{m_1}{\ell _1}\right) y - \left( m_0 + \left( \frac{m_1}{\ell _1}\right) s_1\right) x + \left( \frac{m_1}{\ell _1}\right) \ell _3 - m_3. \end{aligned}$$

(A.5)

Being able to invert \(\ell _1\) certifies that \(\tilde{D}\) is typical, and that the above computation correctly finds \(F \in W^6_{D}\). Writing \({{\mathrm{div}}}F = D+A\), we also obtain that \({{\mathrm{div}}}G_0 = A+E\), and that the pair (F, G) with \(G = -G_0 + s_1 F\) is an IGS for the typical divisor A. It costs a further 3M to compute the coefficients of G from F and \(G_0\). Thus the total cost of this proposition is 1I, 7M, if done in two stages. However, it is possible to bring the total cost down to 1I, 6M, by combining both parts of the computation to yield F and G directly.

Proof

One can check that \(F t + G_0 s \equiv 0 \bmod W^8\) by a lengthy calculation (preferably using a computer); this amounts to checking that the appropriate linear combination of columns of (A.2) vanishes. We have already shown that invertibility of \(\ell _1\) implies that \(\tilde{D}\) is typical. This implies that the divisors D and E from (A.1) are disjoint, and that \(W^8_{\tilde{D}} = 0\), so we obtain as usual that \(F t + G_0 s = 0\), and that \(F \in W^6_D\). The statement about \({{\mathrm{div}}}G_0\) follows. Computing G from \(G_0\) involves 3M because we need to multiply \(s_1\) by each of the coefficients \(\ell _1, (\frac{m_1}{\ell _1} + \ell _2), ((\frac{m_1}{\ell _1}) \ell _2 - m_2)\) of F. We thus obtain a pair (F, G) in \(W^7_A\) whose F has a coefficient \(-\ell _1\) for the y monomial. Thus we have obtained a description of the divisor A as in [1], with the equivalent of \(a\ne 0\) from Proposition 2.12, and no added cost to compute \(a^{-1} = -\ell _1^{-1}\).

We now explain the extra saving of 1M from folding the computations together. This comes from the coefficient of x in G. As currently stated, it appears to take 2M to compute this coefficient: (i) the first M comes from the multiplication \((m_1/\ell _1)\cdot s_1\), to compute the coefficient of x in \(G_0\), which is \(-(m_0 + (m_1/\ell _1)s_1)\); (ii) the second M comes when we compute \(G = -G_0 + s_1 F\), since we multiply \(s_1\) by the coefficient of x in F, which is \(-((m_1/\ell _1) + \ell _2)\). However it is immediate that the coefficient of x in G that results from this is

$$\begin{aligned} -(-(m_0 + (m_1/\ell _1)s_1)) + s_1(-((m_1/\ell _1) + \ell _2)) = m_0 - s_1 \ell _2, \end{aligned}$$

(A.6)

which can naturally be computed using the single M of \(s_1 \cdot \ell _2\). This concludes the proof. \(\square \)

Combining Lemmas A.1 and A.2 with Proposition A.3, we obtain the following result:

Theorem A.4

The above procedure produces the same effect as Proposition 9.3 and Proposition 10.1(i) of [1]. This means that we can use a total of 19M, 1I to replace what took us 38M, 1I in [1]. Consequently, the cost of Jacobian operations in a \(C_{3,4}\) curve can be reduced by 19M to obtain that addition of typical elements can be carried out using 98M, 2I while doubling can be carried out using 110M, 2I. The results are certified to be correct and typical, provided all inverses can be computed. This represents a further speedup of approximately 15% over the results of that article.

Competing interests

The author declares that he has no competing interests.

Ethics approval and consent to participate

Not applicable.