Classifying and generating exact coset representatives of PGL2(Fq) in PGL2(Fq2)



Finite Fields and Their Applications 42 (2016) 118–127


Finite Fields and Their Applications www.elsevier.com/locate/ffa

Yuqing Zhu a,b, Jincheng Zhuang a,c,*, Chang Lv a, Dongdai Lin a

a State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China
b University of Chinese Academy of Sciences, Beijing 100049, China
c State Key Laboratory of Mathematical Engineering and Advanced Computing, Wuxi 214125, China

Article info

Article history: Received 16 December 2015; Received in revised form 2 June 2016; Accepted 26 July 2016; Available online 8 August 2016. Communicated by Olga Polverino.
MSC: 11Y16, 15A33

Abstract

Generating coset representatives of $\mathrm{PGL}_2(\mathbb{F}_q)$ in $\mathrm{PGL}_2(\mathbb{F}_{q^2})$ is a key ingredient in certain algorithms for determining primitive elements and computing discrete logarithms in finite fields of small characteristic. In this paper, we describe a simple classification of the right cosets of $\mathrm{PGL}_2(\mathbb{F}_q)$ in $\mathrm{PGL}_2(\mathbb{F}_{q^2})$. Based on the classification, we design a deterministic algorithm that generates the exact coset representatives of $\mathrm{PGL}_2(\mathbb{F}_q)$ in $\mathrm{PGL}_2(\mathbb{F}_{q^2})$ with $O(q^3)$ field operations. © 2016 Elsevier Inc. All rights reserved.

Keywords: Projective general linear groups; Cosets; Discrete logarithm; Primitive elements

* Correspondence to: State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China. E-mail addresses: [email protected] (Y. Zhu), [email protected] (J. Zhuang), [email protected] (C. Lv), [email protected] (D. Lin). http://dx.doi.org/10.1016/j.ffa.2016.07.010 1071-5797/© 2016 Elsevier Inc. All rights reserved.


1. Introduction

Let $G = \langle\alpha\rangle$ be a cyclic finite group and $\beta \in G$. The discrete logarithm problem (DLP) over $G$ is to determine the integer $e$ such that $\beta = \alpha^e$. The DLP has important applications in cryptography, such as the Diffie–Hellman key exchange protocol [4] and the ElGamal cryptosystem [5]. Although the DLP over finite fields of large characteristic is still conjectured to be hard, the version over small characteristic is vulnerable to several algorithms developed recently [11,12,6,2,7,8,3,9]. In particular, Joux [12] designed the first algorithm achieving heuristic $L(1/4 + o(1))$ complexity (see footnote 1) for solving the DLP over finite fields of small characteristic, whereas the complexity of the previous best algorithm was $L(1/3)$. He used an ingenious method to generate relations. Subsequently, Barbulescu, Gaudry, Joux and Thomé [2] modified this relation generation method so that it applies in the individual logarithm phase. With this improvement, the DLP over finite fields of small characteristic can be solved in heuristic quasi-polynomial (see footnote 2) time.

Besides, Joux's relation generation method can also be used to find primitive elements in finite fields, which is another important open problem. By applying this method to find enough relations among linear factors, Huang and Narayanan [10] described a new algorithm that constructs a primitive element of the finite field $\mathbb{F}_{p^n}$ of small characteristic in time polynomial in $p$ and $n$.

Our motivation for classifying and generating exact coset representatives of $\mathrm{PGL}_2(\mathbb{F}_q)$ in $\mathrm{PGL}_2(\mathbb{F}_{q^2})$ stems from the important role they play in the relation generation method of [12,2]. In that method, a key idea is to obtain many relations from one relation by Möbius transformations. Each transformation corresponds to a matrix in $\mathrm{PGL}_2(\mathbb{F}_{q^2})$, the projective general linear group over $\mathbb{F}_{q^2}$.

Following the notation in [2], we let $P_q$ denote the set of right cosets of $\mathrm{PGL}_2(\mathbb{F}_q)$ in $\mathrm{PGL}_2(\mathbb{F}_{q^2})$, namely $P_q = \{\mathrm{PGL}_2(\mathbb{F}_q)A \mid A \in \mathrm{PGL}_2(\mathbb{F}_{q^2})\}$. In [12,2], the authors showed that matrices in the same right coset produce the same relation. Note that the cardinality of $P_q$ is $q^3 + q$. Some results on generating $P_q$ or a subset of $P_q$ have been obtained, such as [12,2,10,13]. In this paper, we explicitly describe, and design an efficient algorithm to generate, the exact coset representatives of $\mathrm{PGL}_2(\mathbb{F}_q)$ in $\mathrm{PGL}_2(\mathbb{F}_{q^2})$. In other words, we can efficiently find $q^3 + q$ elements that cover $P_q$.

The rest of the paper is organized as follows. In Section 2, we introduce Joux's relation generation method and a previous result on generating $P_q$. In Section 3, we show a simple classification of $P_q$ and present the main theorems. In Section 4, we give the proof of the classification. In Section 5, we give another proof of the classification using the correspondence between the coset representatives and certain projective polynomials. In Section 6, we design an algorithm for generating $P_q$. In Section 7, we conclude the paper.

Footnote 1: $L_{q^n}(\alpha, c) = \exp\big((c + o(1))(\log q^n)^{\alpha}(\log\log q^n)^{1-\alpha}\big)$, where $q^n$ is the cardinality of the field. For simplicity, we sometimes omit $q^n$ and $c$.
Footnote 2: Quasi-polynomial means $l^{O(\log l)}$, where $l$ is the bit-size of the cardinality of the finite field.

2. Preliminaries

Let us first recall the relation generation method in Joux's $L(1/4 + o(1))$ algorithm. The goal is to generate relations among linear polynomials in the finite field $\mathbb{F}_{q^2}[X]/(I(X))$, where $I(X)$ is an irreducible factor of $h_1(X)X^q - h_0(X)$. One starts from the well-known fact
$$\prod_{\alpha \in \mathbb{F}_q}(X - \alpha) = X^q - X.$$
In order to amplify relations, one applies the Möbius transformation
$$f : X \mapsto \frac{aX + b}{cX + d},$$
where $a, b, c, d \in \mathbb{F}_{q^2}$. After substitution and simplification, one obtains
$$(cX + d)\prod_{\alpha \in \mathbb{F}_q}\big((a - \alpha c)X + (b - \alpha d)\big) = (a^q c - a c^q)X^{q+1} + (a^q d - b c^q)X^q + (b^q c - a d^q)X + (b^q d - b d^q). \tag{1}$$
If the right-hand side factors into a product of linear factors in $\mathbb{F}_{q^2}[X]/(I(X))$, we obtain a relation among the linear factors.

In [13], the authors exploited the structure of $P_q$ and gave the following result.

Theorem 1 ([13]). There exists a deterministic algorithm that requires $O(q^3 \log q)$ field operations to compute a set $Q \subseteq \mathrm{PGL}_2(\mathbb{F}_{q^2})$ such that
1. $|Q| \le q^3 + 2q^2 - q + 2$;
2. $P_q = \{\mathrm{PGL}_2(\mathbb{F}_q)A \mid A \in Q\}$.

3. Our results

Firstly, we show an exact classification of $P_q$.

Theorem 2. Let $g$ be an element in $\mathbb{F}_{q^2} \setminus \mathbb{F}_q$. Any coset in $P_q$ has a representative belonging to one of the following three types:
I. $\begin{pmatrix} 1 & b_1 \\ 0 & g \end{pmatrix}$, where $b_1 \in \mathbb{F}_q$.
II. $\begin{pmatrix} 1 & b_2 g \\ 0 & 1 + d_2 g \end{pmatrix}$, where $b_2, d_2 \in \mathbb{F}_q$.

III. $\begin{pmatrix} 1 & b \\ g & d \end{pmatrix}$, where $(b, d) \in \mathbb{F}_{q^2} \times \mathbb{F}_{q^2}$ is one pair of solutions to the equations
$$(x - t)^{q+1} = t^{q+1} - s, \qquad y = (g - g^q)t + x g^q,$$
for given $(s, t) \in \mathbb{F}_q \times \mathbb{F}_{q^2}$ such that $s \neq t^{q+1}$.

Based on the classification, we show the following result.

Theorem 3. There exists a deterministic algorithm that requires $O(q^3)$ field operations to compute a set $Q \subseteq \mathrm{PGL}_2(\mathbb{F}_{q^2})$ such that
1. $|Q| = q^3 + q$;
2. $P_q = \{\mathrm{PGL}_2(\mathbb{F}_q)A \mid A \in Q\}$.

The features of our algorithm are the following.
• The output of the algorithm is a set with $q^3 + q$ elements, which equals the cardinality of $P_q$.
• After $O(q^3)$ field operations, the algorithm halts and outputs the desired set.

4. The classification

In this section, we give a direct proof of Theorem 2, which consists of two steps. Firstly, we show a weak classification. Then we improve it to obtain the exact version.

We start with the weak version of the classification.

Proposition 4. Let $g$ be an element in $\mathbb{F}_{q^2} \setminus \mathbb{F}_q$. Each right coset of $\mathrm{PGL}_2(\mathbb{F}_q)$ in $\mathrm{PGL}_2(\mathbb{F}_{q^2})$ has a representative belonging to one of the following three disjoint types:
(1) $\begin{pmatrix} 1 & b_1 \\ 0 & g \end{pmatrix}$, where $b_1 \in \mathbb{F}_q$.
(2) $\begin{pmatrix} 1 & b_2 g \\ 0 & 1 + d_2 g \end{pmatrix}$, where $b_2, d_2 \in \mathbb{F}_q$.
(3) $\begin{pmatrix} 1 & b \\ g & d \end{pmatrix}$, where $b, d \in \mathbb{F}_{q^2}$ and $d \neq bg$.

Proof. Let $\begin{pmatrix} a & b \\ c & d \end{pmatrix}$ be a representative of a right coset of $\mathrm{PGL}_2(\mathbb{F}_q)$ in $\mathrm{PGL}_2(\mathbb{F}_{q^2})$. Since it is nonsingular, $a$ and $c$ are not both equal to $0$. Without loss of generality, let $a \neq 0$ and divide the matrix by $a$. The matrix takes the form
$$\begin{pmatrix} 1 & b_1 + b_2 g \\ c_1 + c_2 g & d_1 + d_2 g \end{pmatrix},$$
where $b_i, c_i, d_i \in \mathbb{F}_q$ for $i = 1, 2$. By adding $-c_1$ times the first row to the second, we get a matrix of the form
$$\begin{pmatrix} 1 & b_1 + b_2 g \\ c_2 g & d_1 + d_2 g \end{pmatrix}.$$
• If $c_2 = 0$ and $d_1 = 0$, then $d_2 \neq 0$. We divide the second row by $d_2$ and add $-b_2$ times the second row to the first. It reduces to the first case.
• If $c_2 = 0$ and $d_1 \neq 0$, we divide the second row by $d_1$ and add $-b_1$ times the second row to the first. Then it reduces to the second case.
• If $c_2 \neq 0$, we divide the second row by $c_2$ and it reduces to the last case. □

Remark 1. It is easy to determine that there are $q$ and $q^2$ different cosets with representatives of type (1) and type (2), respectively.

Next, we reduce the number of cosets with representatives of type (3) to $q^3 - q^2$, following an approach similar to [13]. The idea is to make use of Joux's method of generating relations. Recall Equation (1) from Joux's method. Substitute $\begin{pmatrix} 1 & b \\ g & d \end{pmatrix}$ for $\begin{pmatrix} a & b \\ c & d \end{pmatrix}$ in the equation. The right-hand side becomes
$$(g - g^q)\left(X^{q+1} + \frac{d - b g^q}{g - g^q}X^q + \frac{g b^q - d^q}{g - g^q}X + \frac{b^q d - b d^q}{g - g^q}\right).$$
Note that $\frac{b^q d - b d^q}{g - g^q} \in \mathbb{F}_q$ and that the coefficients of $X^q$ and $X$ inside the parentheses are conjugate to each other. A formula of this form inspires the following result.

Proposition 5. Let $(s, t) \in \mathbb{F}_q \times \mathbb{F}_{q^2}$ with $s \neq t^{q+1}$, and let $(b_1, d_1)$ and $(b_2, d_2)$ be two distinct pairs of solutions to the following system of equations
$$\begin{cases} \dfrac{x^q y - x y^q}{g - g^q} = s, \\[2mm] \dfrac{y - x g^q}{g - g^q} = t. \end{cases} \tag{2}$$
Suppose
$$A_1 = \begin{pmatrix} 1 & b_1 \\ g & d_1 \end{pmatrix}, \qquad A_2 = \begin{pmatrix} 1 & b_2 \\ g & d_2 \end{pmatrix}.$$
Then $A_1$ and $A_2$ are in the same right coset of $\mathrm{PGL}_2(\mathbb{F}_q)$ in $\mathrm{PGL}_2(\mathbb{F}_{q^2})$.

Proof. Firstly, we show that the matrix $\begin{pmatrix} 1 & b \\ g & d \end{pmatrix}$ is singular if and only if $s$ is equal to $t^{q+1}$. That is, we prove $d = bg \Leftrightarrow s = t^{q+1}$, where $b, d \in \mathbb{F}_{q^2}$ and $(s, t) \in \mathbb{F}_q \times \mathbb{F}_{q^2}$. On one hand, if $d = bg$, then
$$t = \frac{bg - b g^q}{g - g^q} = b, \qquad s = \frac{b^{q+1} g - b^{q+1} g^q}{g - g^q} = b^{q+1}.$$
Thus $s = t^{q+1}$. On the other hand, if $s = t^{q+1}$, then
$$\frac{b^q d - b d^q}{g - g^q} = \left(\frac{d - b g^q}{g - g^q}\right)^{q+1}.$$
After simplification, we obtain $(d - bg)^{q+1} = 0$. Since the map of taking $(q+1)$-th powers is a nontrivial homomorphism from $\mathbb{F}_{q^2}$ to $\mathbb{F}_q$, we have $d = bg$.

Now we want to show that $A_1, A_2$ are in the same coset in $P_q$. For this purpose, we first simplify the expression of Equation (2). Since $\frac{y - x g^q}{g - g^q} = t$, we obtain $y = (g - g^q)t + x g^q$. Substituting $y$ by $(g - g^q)t + x g^q$ in the first line of Equation (2), we obtain
$$x^q (g - g^q) t + x^{q+1} g^q - x\big((g^q - g)t^q + x^q g\big) = s(g - g^q).$$
Dividing by the nonzero element $g^q - g$ and adding $t^{q+1}$ to both sides, we obtain $(x - t)^{q+1} = t^{q+1} - s$. As $t^{q+1} - s \in \mathbb{F}_q$, $x$ is in $\mathbb{F}_{q^2}$. Hence, we obtain
$$(x - t)^{q+1} = t^{q+1} - s, \qquad y = (g - g^q)t + x g^q. \tag{3}$$
Let $r$ be one of the $(q+1)$-th roots of $t^{q+1} - s$. Suppose $b_1 = t + \zeta_1 r$ and $b_2 = t + \zeta_2 r$, where $\zeta_1, \zeta_2$ are two distinct $(q+1)$-th roots of unity. Then

$$d_1 = (g - g^q)t + b_1 g^q = gt + g^q \zeta_1 r, \qquad d_2 = (g - g^q)t + b_2 g^q = gt + g^q \zeta_2 r,$$
and
$$A_1 = \begin{pmatrix} 1 & t + \zeta_1 r \\ g & gt + g^q \zeta_1 r \end{pmatrix}, \qquad A_2 = \begin{pmatrix} 1 & t + \zeta_2 r \\ g & gt + g^q \zeta_2 r \end{pmatrix}.$$
It suffices to prove that $A_1 A_2^{-1}$ is in $\mathrm{PGL}_2(\mathbb{F}_q)$ up to a multiple in $\mathbb{F}_{q^2}$. We have
$$A_1 A_2^{-1} = \frac{1}{\det A_2}\begin{pmatrix} 1 & t + \zeta_1 r \\ g & gt + g^q \zeta_1 r \end{pmatrix}\begin{pmatrix} gt + g^q \zeta_2 r & -t - \zeta_2 r \\ -g & 1 \end{pmatrix} = \frac{r}{\det A_2}\begin{pmatrix} g^q \zeta_2 - g \zeta_1 & \zeta_1 - \zeta_2 \\ g^{q+1}\zeta_2 - g^{q+1}\zeta_1 & g^q \zeta_1 - g \zeta_2 \end{pmatrix} = \frac{r}{\det A_2}\begin{pmatrix} m_{11} & m_{12} \\ m_{21} & m_{22} \end{pmatrix}.$$
Since $\frac{m_{21}}{m_{12}} = -g^{q+1} \in \mathbb{F}_q$ and $\frac{m_{22} - m_{11}}{m_{12}} = g^q + g \in \mathbb{F}_q$, it is sufficient to prove $\frac{m_{22}}{m_{12}} \in \mathbb{F}_q$. We have
$$\left(\frac{m_{22}}{m_{12}}\right)^q = \frac{(g^q \zeta_1 - g \zeta_2)^q}{(\zeta_1 - \zeta_2)^q} = \frac{g \zeta_1^q - g^q \zeta_2^q}{\zeta_1^q - \zeta_2^q} = \frac{g \zeta_1^{-1} - g^q \zeta_2^{-1}}{\zeta_1^{-1} - \zeta_2^{-1}} = \frac{g \zeta_2 - g^q \zeta_1}{\zeta_2 - \zeta_1} = \frac{m_{22}}{m_{12}}.$$
It belongs to $\mathbb{F}_q$ since its $q$-th power equals itself. This completes the proof. □

Remark 2. By Proposition 5, for each pair $(s, t)$ we can find a pair $(b, d)$ by solving Equation (3). On one hand, the number of cosets obtained from pairs $(b, d)$ is no more than the number of pairs $(s, t)$. Since there are $q^3 - q^2$ distinct pairs $(s, t)$, the number of cosets with a representative of type (3) in Proposition 4 is no more than $q^3 - q^2$. On the other hand, the total number of cosets of types (1), (2) and (3) is $q^3 + q$. Thus there is a one-to-one map between the different coset representatives of type (3) and the pairs $(s, t)$.

Thus Theorem 2 follows from the combination of Proposition 4, Proposition 5 and Remark 2.

5. Another perspective

In this section, we view the problem in a more geometric way (as in [12,2]) to obtain the result of Proposition 5 directly and shorten the proof of Theorem 2. We take the projective form of Equation (1), namely
$$\prod_{[\alpha:\beta] \in \mathbb{P}^1(\mathbb{F}_q)}\big((\beta a - \alpha c)X + (\beta b - \alpha d)Y\big) = (a^q c - a c^q)X^{q+1} + (a^q d - b c^q)X^q Y + (b^q c - a d^q)X Y^q + (b^q d - b d^q)Y^{q+1}.$$


The linear factors on the left-hand side can be seen as projective points on $\mathbb{P}^1(\mathbb{F}_{q^2})$. These $q + 1$ points are the images of $\mathbb{P}^1(\mathbb{F}_q)$ under the map $f \in \mathrm{PGL}_2(\mathbb{F}_{q^2})$. It is well known that the image set of $\mathbb{P}^1(\mathbb{F}_q)$ under $f$ is itself if and only if $f \in \mathrm{PGL}_2(\mathbb{F}_q)$. Thus there is a one-to-one correspondence between the elements of $P_q$ and all the possible polynomials on the right-hand side of Equation (1). We remark that the one-to-one correspondence also holds for $\mathrm{PGL}_2(\mathbb{F}_{q^n})$, where $n \ge 2$. It may be helpful to some work; for example, see [1]. Based on the correspondence above, we can give the following proof.

Proof (another proof of Theorem 2). Let $\begin{pmatrix} a & b \\ c & d \end{pmatrix}$ be a representative of a right coset of $\mathrm{PGL}_2(\mathbb{F}_q)$ in $\mathrm{PGL}_2(\mathbb{F}_{q^2})$. Without loss of generality, we can assume $a = 1$. We consider elements of type (III). When $c \in \mathbb{F}_{q^2} \setminus \mathbb{F}_q$, the right-hand side of Equation (1) is equivalent to
$$X^{q+1} + tX^q + t^q X + s,$$
where $s = \frac{b^q d - b d^q}{c - c^q}$ and $t = \frac{d - b c^q}{c - c^q}$. Note that $s \in \mathbb{F}_q$ and $s \neq t^{q+1}$. The inequality holds since $\begin{pmatrix} a & b \\ c & d \end{pmatrix}$ is nonsingular. So there are $q^3 - q^2$ different projective polynomials of this form. Using the correspondence above, we conclude that all the possible pairs $(s, t)$ uniquely determine all the $q^3 - q^2$ different right cosets in this case. To find representatives of this type, we can let $c$ be $g$ and pick $(b, d)$ by solving Equation (2). Hence Proposition 5 holds and thus Theorem 2 holds. □

6. The algorithm

Based on the explicit description of the elements of $P_q$, in this section we design an algorithm that generates $P_q$ efficiently. The framework of the algorithm is as follows. Firstly, we find one $(q+1)$-th root for each element of $\mathbb{F}_q^*$. Then, we determine the elements of $P_q$ following Theorem 2. The algorithm is detailed in Algorithm 1. From line 1 to line 9, we construct one $(q+1)$-th root for each element of $\mathbb{F}_q^*$. This step can be done with $O(q^2 \log q)$ field operations. From line 10 to the end, we add the three types of coset representatives to $Q$ in turn. This step can be done with $O(q^3)$ field operations. In total, the algorithm takes $O(q^3)$ field operations to generate the exact coset representatives.

Compared to the algorithm in [13], the most important improvement of our algorithm is that we reduce the complexity from $O(q^3 \log q)$ to $O(q^3)$ based on a simpler classification. Another improvement is that in the first step we compute only one $(q+1)$-th root for each element of $\mathbb{F}_q^*$ instead of five as in [13].


Algorithm 1 An algorithm for generating $P_q$.
Input: A prime power $q$ and an element $g \in \mathbb{F}_{q^2} \setminus \mathbb{F}_q$.
Output: A set $Q$ containing all the right coset representatives of $\mathrm{PGL}_2(\mathbb{F}_q)$ in $\mathrm{PGL}_2(\mathbb{F}_{q^2})$, such that $P_q = \{\mathrm{PGL}_2(\mathbb{F}_q)A \mid A \in Q\}$.
1: for $\alpha \in \mathbb{F}_q^*$ do
2:     $R[\alpha] \leftarrow \emptyset$
3: end for
4: for $\beta \in \mathbb{F}_{q^2}^*$ do
5:     $\alpha \leftarrow \beta^{q+1}$
6:     if the cardinality of $R[\alpha]$ is $< 1$ then
7:         $R[\alpha] \leftarrow R[\alpha] \cup \{\beta\}$
8:     end if
9: end for    ▷ Now $R[\alpha]$ is a set consisting of one $(q+1)$-th root of $\alpha$
10: $Q \leftarrow \emptyset$    ▷ Initialize $Q$
11: for $b_1 \in \mathbb{F}_q$ do    ▷ Adding elements of type (I) in Theorem 2
12:     $Q \leftarrow Q \cup \left\{\begin{pmatrix} 1 & b_1 \\ 0 & g \end{pmatrix}\right\}$
13: end for
14: for $(b_2, d_2) \in \mathbb{F}_q \times \mathbb{F}_q$ do    ▷ Adding elements of type (II) in Theorem 2
15:     $Q \leftarrow Q \cup \left\{\begin{pmatrix} 1 & b_2 g \\ 0 & 1 + d_2 g \end{pmatrix}\right\}$
16: end for
17: for $t \in \mathbb{F}_{q^2}$ do    ▷ Adding elements of type (III) in Theorem 2
18:     $T \leftarrow t^{q+1}$
19:     for $s \in \mathbb{F}_q$ do
20:         if $s \neq T$ then
21:             $x \leftarrow t + R[T - s]$
22:             $y \leftarrow (g - g^q)t + x g^q$
23:             $Q \leftarrow Q \cup \left\{\begin{pmatrix} 1 & x \\ g & y \end{pmatrix}\right\}$
24:         end if
25:     end for
26: end for
27: return $Q$
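As an added illustration (not the authors' code), the following Python script runs Algorithm 1 for $q = 3$ with $\mathbb{F}_9 = \mathbb{F}_3[i]/(i^2 + 1)$ and $g = i$, and then checks, with a coset test of my own, that the $q^3 + q = 30$ output matrices lie in pairwise distinct right cosets of $\mathrm{PGL}_2(\mathbb{F}_3)$. The field arithmetic, the element representation as pairs $(a, b) = a + bi$, and the helper names are assumptions of this example.

```python
# Added example: Algorithm 1 of the paper for q = 3 (not the authors' code).
# F_9 = F_3[i]/(i^2 + 1); an element a + b*i is stored as the pair (a, b).
# g = i is the required element of F_{q^2} \ F_q.  -1 is a non-residue mod 3,
# so x^2 + 1 is irreducible over F_3 and i^2 = -1 is a valid field model.
from itertools import product

Q_ = 3  # q, chosen prime so that F_q is simply Z/3Z

def add(u, v): return ((u[0] + v[0]) % Q_, (u[1] + v[1]) % Q_)
def sub(u, v): return ((u[0] - v[0]) % Q_, (u[1] - v[1]) % Q_)
def mul(u, v):  # (a + b i)(c + d i) = (ac - bd) + (ad + bc) i   because i^2 = -1
    (a, b), (c, d) = u, v
    return ((a * c - b * d) % Q_, (a * d + b * c) % Q_)
def powf(u, n):  # repeated multiplication; plenty for q = 3
    r = (1, 0)
    for _ in range(n):
        r = mul(r, u)
    return r
def inv(u): return powf(u, Q_ * Q_ - 2)  # u^(q^2 - 2) = u^(-1) for u != 0

ZERO, ONE, G = (0, 0), (1, 0), (0, 1)
FQ2 = [(a, b) for a in range(Q_) for b in range(Q_)]   # all of F_9
FQ = [(a, 0) for a in range(Q_)]                        # the subfield F_3

def generate_Pq(g=G):
    """Algorithm 1: return q^3 + q coset representatives as tuples (a, b, c, d)."""
    R = {}                                   # lines 1-9: one (q+1)-th root per alpha in F_q^*
    for beta in FQ2:
        if beta != ZERO:
            R.setdefault(powf(beta, Q_ + 1), beta)
    Qset = []
    for b1 in FQ:                            # type (I)
        Qset.append((ONE, b1, ZERO, g))
    for b2, d2 in product(FQ, FQ):           # type (II)
        Qset.append((ONE, mul(b2, g), ZERO, add(ONE, mul(d2, g))))
    gq = powf(g, Q_)                         # g^q, the conjugate of g
    for t in FQ2:                            # type (III)
        T = powf(t, Q_ + 1)
        for s in FQ:
            if s == T:                       # s = t^(q+1) would give a singular matrix
                continue
            x = add(t, R[sub(T, s)])         # (x - t)^(q+1) = t^(q+1) - s
            y = add(mul(sub(g, gq), t), mul(x, gq))   # y = (g - g^q) t + x g^q
            Qset.append((ONE, x, g, y))
    return Qset

def same_right_coset(A, B):
    """PGL2(F_q)A = PGL2(F_q)B  iff  A * B^(-1) is a scalar multiple of an F_q matrix."""
    a, b, c, d = A
    e, f, h, k = B
    adj = (k, sub(ZERO, f), sub(ZERO, h), e)   # adj(B) = det(B) * B^(-1); scalars do not matter in PGL
    M = (add(mul(a, adj[0]), mul(b, adj[2])), add(mul(a, adj[1]), mul(b, adj[3])),
         add(mul(c, adj[0]), mul(d, adj[2])), add(mul(c, adj[1]), mul(d, adj[3])))
    pivot = next(m for m in M if m != ZERO)
    return all(mul(m, inv(pivot))[1] == 0 for m in M)  # every entry / pivot lies in F_q

def all_distinct_cosets(Qset):
    """True iff no two output matrices lie in the same right coset of PGL2(F_q)."""
    return all(not same_right_coset(Qset[i], Qset[j])
               for i in range(len(Qset)) for j in range(i + 1, len(Qset)))
```

For larger $q$ the same structure applies, but `powf` and the pairwise check should be replaced by square-and-multiply and a hash on the normalized polynomial of Section 5, since the naive check is quadratic in $|Q|$.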

7. Conclusion

In this paper, we give an explicit description of the right coset representatives of $\mathrm{PGL}_2(\mathbb{F}_q)$ in $\mathrm{PGL}_2(\mathbb{F}_{q^2})$. Based on the classification, we design a deterministic algorithm that generates the exact coset representatives of $\mathrm{PGL}_2(\mathbb{F}_q)$ in $\mathrm{PGL}_2(\mathbb{F}_{q^2})$ with $O(q^3)$ field operations.

Acknowledgments

The authors are thankful for the helpful comments from anonymous reviewers. This work was partially supported by the Strategic Priority Research Program of the Chinese Academy of Sciences (No. XDA06010701), National Natural Science Foundation of China (No. 61502481), and the Open Project Program of the State Key Laboratory of Mathematical Engineering and Advanced Computing.

References

[1] G. Adj, A. Menezes, T. Oliveira, F. Rodríguez-Henríquez, Computing discrete logarithms in $\mathbb{F}_{3^{6\cdot137}}$ and $\mathbb{F}_{3^{6\cdot163}}$ using Magma, in: Arithmetic of Finite Fields – 5th International Workshop, WAIFI 2014, Gebze, Turkey, September 27–28, 2014, revised selected papers, pp. 3–22.
[2] R. Barbulescu, P. Gaudry, A. Joux, E. Thomé, A heuristic quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic, in: Advances in Cryptology – EUROCRYPT 2014, 2014, pp. 1–16.
[3] Q. Cheng, D. Wan, J. Zhuang, Traps to the BGJT-algorithm for discrete logarithms, LMS J. Comput. Math.: Special issue for ANTS 2014 17 (2014) 218–229.
[4] W. Diffie, M.E. Hellman, New directions in cryptography, IEEE Trans. Inf. Theory 22 (6) (1976) 644–654.
[5] T. ElGamal, A public-key cryptosystem and a signature scheme based on discrete logarithms, IEEE Trans. Inf. Theory 31 (4) (1985) 469–472.
[6] F. Göloglu, R. Granger, G. McGuire, J. Zumbrägel, On the function field sieve and the impact of higher splitting probabilities, in: CRYPTO, Lecture Notes in Computer Science, vol. 8043, 2013, pp. 109–128.
[7] R. Granger, T. Kleinjung, J. Zumbrägel, Breaking '128-bit secure' supersingular binary curves (or how to solve discrete logarithms in $\mathbb{F}_{2^{4\cdot1223}}$ and $\mathbb{F}_{2^{12\cdot367}}$), in: Advances in Cryptology – CRYPTO 2014, 2014, pp. 126–145.
[8] R. Granger, T. Kleinjung, J. Zumbrägel, On the powers of 2, Cryptology ePrint Archive, Report 2014/300, http://eprint.iacr.org/, 2014.
[9] R. Granger, T. Kleinjung, J. Zumbrägel, On the discrete logarithm problem in finite fields of fixed characteristic, arXiv:1507.01495v1, 2015.
[10] M. Huang, A.K. Narayanan, Finding primitive elements in finite fields of small characteristic, in: Proc. 11th Int. Conf. on Finite Fields and Their Applications, Topics in Finite Fields, AMS Contemporary Mathematics Series, 2013.
[11] A. Joux, Faster index calculus for the medium prime case: application to 1175-bit and 1425-bit finite fields, in: EUROCRYPT, 2013, pp. 177–193.
[12] A. Joux, A new index calculus algorithm with complexity $L(1/4 + o(1))$ in small characteristic, in: Selected Areas in Cryptography – SAC 2013, 2014, pp. 355–379.
[13] J. Zhuang, Q. Cheng, On generating coset representatives of $\mathrm{PGL}_2(\mathbb{F}_q)$ in $\mathrm{PGL}_2(\mathbb{F}_{q^2})$, in: Information Security and Cryptology – Inscrypt 2015, Springer, 2015, pp. 65–75.