Anomalous curve generation with given order

Question

Anomalous curve generation with given order

VilhelminK opened this issue a year ago · comments

Hey,

I was trying to generate an anomalous curve with given order but the tool is replying that two generation options can not be active at the same time.
I would like to try and implement that function but am having a problem following the logic in the source code. Would you point me to where that limitation is set so I might submit a pull request.

Ján Jančár · Answer 1 · Mon Jun 26 2023 21:01:57 GMT+0800 (China Standard Time)

Hey, thanks for the interest.

Is it even possible to generate anomalous curves with a given order? I faintly remember that the method from the original anomalous curve paper needs primes of a certain form (for a given low CM discriminant). This is implemented in the file cm/anomalous.c and then the prime is just taken as the order.

VilhelminK · Answer 2 · Mon Jun 26 2023 22:19:05 GMT+0800 (China Standard Time)

That's a good point, I'll look at the papers too since it might be that I'm mixing up methods from different papers.
But I see that you had that as a feature on one of the branches, marked as WIP though.

Btw if anybody asks for windows support, ecgen compiles under wsl on win10 without issues.

Ján Jančár · Answer 3 · Mon Jun 26 2023 23:08:32 GMT+0800 (China Standard Time)

Hmmm, that is interesting. I do not remember what the plan was with the branch or why I stopped working on it.

If you want to look at the code there is the cm/anomalous.c file, but also cm/cm.c is important. The CM-based (and anomalous) generation method is hooked into ecgen in a kind of weird way. ecgen was mostly made to generate curves exhaustively (randomly with some constraints) piece-by-piece (field, a, b, curve, order, generators, points, metadata) and check their properties along the way, if something does not fit the constraints (e.g. not prime-order) then rewind back for a bit and retry. This is implemented in exhaustive/exhaustive.c, where during init function pointers of the generating and checking functions are setup and then in exhaustive_do and similar functions these actually get executed in order. The anomalous generation is hooked into this, in the cm/cm.c file.

The anomalous method implemented is from https://link.springer.com/chapter/10.1007/3-540-57220-1_86.
Which does not allow one to choose the prime (and thus the order) freely.

VilhelminK · Answer 4 · Thu Jun 29 2023 22:27:27 GMT+0800 (China Standard Time)

I've looked at the paper and the code and must say that it's quite challenging.
On the other hand there is this paper which gives a method of constructing a subgroup of a given order for allmost all primes, here I'am considerig that group and subgroup are equvivalent.
https://arxiv.org/abs/1403.7887
In any case it looks like agreat opportunity to brush up on both math and c programming even though I'am starting to consider that constructing an anomalous curve for a given prime/order might be a harder problem or even "impossible".

Gunpal Jain · Answer 5 · Sat Oct 14 2023 03:17:34 GMT+0800 (China Standard Time)

I was wondering the same if there's any chance of success?

Ján Jančár · Answer 6 · Sat Oct 14 2023 04:54:44 GMT+0800 (China Standard Time)

I had a quick look at the following: https://arxiv.org/abs/1403.7887 and I do not think this is possible.

A brute-force approach goes out of the window as for large $p$ the Hasse interval is large and thus hitting precisely the right $\lvert E(\mathbb{F}_p) \rvert = p$ is almost impossible.

A CM approach (as mentioned in the paper) may look like it works at first sight, but I think it doesn't. When we are trying to create a curve with $\lvert E(\mathbb{F}_p) \rvert = p$, we have $\lvert E(\mathbb{F}_p) \rvert = p + 1 - t$ where $t$ is the trace of Frobenius, so we are looking for a trace $1$ curve. So we are looking for a curve whose endomorphism ring is isomorphic to an order $\mathcal{O}$ in the ring of integers $\mathcal{O}_K$ of the imaginary quadratic field $K = \mathbb{Q}(\sqrt{t^2 - 4p}) = \mathbb{Q}(\sqrt{1 - 4p})$. Then, the prime, the trace and the discriminant $D$ satisfy the norm equation:

$$ 4p = t^2 - v^2 D $$

and so:

$$ 4p = 1 - v^2 D $$

To construct such a curve, one needs to construct the Hilbert class polynomial $H_D(X)$ whose degree is the class number of the discriminant $h(D)$. Here lies the problem, when you want to generate a curve of a given order (hence given prime $p$) you are fixing the values of $v$ and $D$ (which is equal to the squarefree part of $1 - 4p$). Almost always $D$ will be so large that there is no way to compute $H_D(X)$.

For all practical purposes, "almost always" means always and "almost impossible" means impossible here.

The anomalous method as implemented here goes the other way, starts from a suitable small discriminant $D$ and constructs the prime (and thus the order) from there.

Ján Jančár · Answer 7 · Sat Oct 14 2023 04:58:24 GMT+0800 (China Standard Time)

The constraint for both a given prime and a given order (thus the trace) is what stops you from constructing the curve as it stops you from minimizing the discriminant such that it is small enough to be practical.

Gunpal Jain · Answer 8 · Sat Oct 14 2023 08:43:30 GMT+0800 (China Standard Time)

@J08nY Thank you for quick reply.

I found a paper which describes a fast method to find roots of Hilbert polynomials using CRT. The paper also describes algorithms to compute the same. Please have a look and see if it makes sense to you.

https://arxiv.org/pdf/1009.1082.pdf

Ján Jančár · Answer 9 · Sat Oct 14 2023 15:32:35 GMT+0800 (China Standard Time)

That is a nice paper but for cryptographic sizes of $p$ it eill still not help you, the discriminant will just be too large.