You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This is a meta issue made from three encountered during Sage Days 123. It was noticed that there was ambiguous representation and failing group laws in certain scenarios. Issue #37093 noticed ambiguous representation and #37101 highlighted that the even degree model could not support the case for the even degree model due to a lack of data in the elements of the Jacobian.
Expected Behaviour
The proper fix for this is to rewrite the mumford coordinates and the arithmetic to allow for proper handling when there are two points at infinity. The Magma implementation of this follows: https://www.math.auckland.ac.nz/~sgal018/crypto-book/ch10.pdf and I think this is what SageMath should do too.
Issues
Group law fails when the model is even
For the even degree model, there are two points at infinity and the current implementation has no way of distinguishing between $P - (\infty_+)$ and $P - (\infty_-)$.
A proper fix for this would require refactoring how src/sage/schemes/hyperelliptic_curves/jacobian_morphism.py currently behaves for the even degree case. For instance some tuple of the form (u, v, ±). Magma handles this with a tuple (a, b, d).
I don't currently have a good idea on how to fix this, but I'll try and come up with a reasonable fix to propose. At the moment this issue is really a place holder.
At the moment there is no way to represent both $P - (\infty_+)$ and $P - (\infty_-)$. This means that if we randomly sample divisors on the Jacobian we will have H.count_points() elements missing.
sage: F=GF(7)
sage: R.<x>=PolynomialRing(F)
sage: f=x^6+x+1sage: H=HyperellipticCurve(f)
sage: J=H.jacobian()
sage: H.count_points()
[9]
sage: H.zeta_function().numerator()(1) # order of the Jacobian67sage: len(set(tuple(J.random_element()) for_inrange(2000)))
58sage: assert58+9==67
When summing divisors for even degree models, the cantor reduction sometimes does not finish the reduction process. This seems to be due to a TODO left in the code.
It seems that the reason is that $y^2 + h(x)y = f(x)$ can be transformed into $y^2 = f(x) + \frac{h(x)^2}{4}$ via completing the square (and similar models for char $2$), and if $\deg(h)$ is large then the curve will become a real hyperelliptic curve, which leads to the problem in #37101
GiacomoPope
changed the title
Cantor composition and reduction fails when deg(h) > g
Cantor composition and reduction can fail when deg(h) > g or def(f) is even
Jan 20, 2024
GiacomoPope
changed the title
Cantor composition and reduction can fail when deg(h) > g or def(f) is even
Arithmetic on Jacobians of Hyperelliptic curves fails when there are two points at infinity
Jan 21, 2024
Description
This is a meta issue made from three encountered during Sage Days 123. It was noticed that there was ambiguous representation and failing group laws in certain scenarios. Issue #37093 noticed ambiguous representation and #37101 highlighted that the even degree model could not support the case for the even degree model due to a lack of data in the elements of the Jacobian.
Expected Behaviour
The proper fix for this is to rewrite the mumford coordinates and the arithmetic to allow for proper handling when there are two points at infinity. The Magma implementation of this follows: https://www.math.auckland.ac.nz/~sgal018/crypto-book/ch10.pdf and I think this is what SageMath should do too.
Issues
Group law fails when the model is even
For the even degree model, there are two points at infinity and the current implementation has no way of distinguishing between$P - (\infty_+)$ and $P - (\infty_-)$ .
A proper fix for this would require refactoring how
src/sage/schemes/hyperelliptic_curves/jacobian_morphism.py
currently behaves for the even degree case. For instance some tuple of the form(u, v, ±)
. Magma handles this with a tuple(a, b, d)
.I don't currently have a good idea on how to fix this, but I'll try and come up with a reasonable fix to propose. At the moment this issue is really a place holder.
Thanks to @sabrinakunzweiler for bringing this to my attention.
At the moment there is no way to represent both$P - (\infty_+)$ and $P - (\infty_-)$ . This means that if we randomly sample divisors on the Jacobian we will have
H.count_points()
elements missing.Group law fails when degree of h is too large
Mumford coordinates are not uniquely represented
When summing divisors for even degree models, the cantor reduction sometimes does not finish the reduction process. This seems to be due to a TODO left in the code.
Environment
Checklist
The text was updated successfully, but these errors were encountered: