Quartic point group operation: Difference between revisions

The point group operation over quartic (or hyperelliptic ^[1]) curves (of degree four) is defined geometrically as follows. Let

${\displaystyle y^{2}=q_{4}x^{4}+q_{3}x^{3}+q_{2}x^{2}+q_{1}x+q_{0}}$

be a quartic curve on the x-y plane of real numbers, the polynomial in x on the right having either the coefficient q₄>0 or at least two real roots counting multiplicity.

Preparing the equations for solution in general form

When the degree of a solvend equation is even and at least four, its resolvent is a generic polynomial exactly half of it in degree, and the resolvent is squared so that it “rises to meet” the solvend. The resultant is the difference, when the solvend is subtracted from the squared resolvent equation.

The general objective is to find rational points (x,y) on the curve which satisfy the solvend equation. Any four points on the curve, counting multiplicity, which simultaneously satify the same resolvent equation, are considered to “sum” to an additional point at infinity O, which serves as the identity for a certain abstract Abelian group operation which we denote by the symbol ⨁.

In any case we would start from at least one known point (x₁,y₁), and as a first step reduce the resultant equation to a cubic by factoring out x – x₁, in order to eventually solve for the unknown coefficients of the resolvent equation and the coördinates of the unknown point in terms of known points.

${\displaystyle {\begin{array}{r|rrrr}&&(a^{2}-q_{4})x^{3}&{}+{2ab-q_{3}+ \choose a^{2}x_{1}-q_{4}x_{1}}x^{2}&{}+{b^{2}+2ac-q_{2}+2abx_{1} \choose {}-q_{3}x_{1}+a^{2}x_{1}^{2}-q_{4}x_{1}^{2}}x&{}+{2bc-q_{1}+b^{2}x_{1}+2acx_{1}-q_{2}x_{1} \choose +2abx_{1}^{2}-q_{3}x_{1}^{2}+a^{2}x_{1}^{3}-q_{4}x_{1}^{3}}\\\hline x-x_{1}&(a^{2}-q_{4})x^{4}&{}+(2ab-q_{3})x^{3}&{}+(b^{2}+2ac-q_{2})x^{2}&{}+(2bc-q_{1})x&{}+c^{2}-q_{0}\\&(a^{2}-q_{4})x^{4}&{}-(a^{2}-q_{4})x_{1}x^{3}\\\hline &&{2ab-q_{3}+ \choose a^{2}x_{1}-q_{4}x_{1}}x^{3}&{}+(b^{2}+2ac-q_{2})x^{2}\\&&{2ab-q_{3}+ \choose a^{2}x_{1}-q_{4}x_{1}}x^{3}&{}-{2abx_{1}-q_{3}x_{1} \choose {}+a^{2}x_{1}^{2}-q_{4}x_{1}^{2}}x^{2}\\\hline &&&{b^{2}+2ac-q_{2}+2abx_{1} \choose {}-q_{3}x_{1}+a^{2}x_{1}^{2}-q_{4}x_{1}^{2}}x^{2}&{}+(2bc-q_{1})x\\&&&{b^{2}+2ac-q_{2}+2abx_{1} \choose {}-q_{3}x_{1}+a^{2}x_{1}^{2}-q_{4}x_{1}^{2}}x^{2}&{}-{b^{2}x_{1}+2acx_{1}-q_{2}x_{1}+2abx_{1}^{2} \choose -q_{3}x_{1}^{2}+a^{2}x_{1}^{3}-q_{4}x_{1}^{3}}x\\\hline &&&&{2bc-q_{1}+b^{2}x_{1}+2acx_{1}-q_{2}x_{1} \choose +2abx_{1}^{2}-q_{3}x_{1}^{2}+a^{2}x_{1}^{3}-q_{4}x_{1}^{3}}x&{}+c^{2}-q_{0}\\&&&&{2bc-q_{1}+b^{2}x_{1}+2acx_{1}-q_{2}x_{1} \choose +2abx_{1}^{2}-q_{3}x_{1}^{2}+a^{2}x_{1}^{3}-q_{4}x_{1}^{3}}x&{}-{2bcx_{1}-q_{1}x_{1}+b^{2}x_{1}^{2}+2acx_{1}^{2}-q_{2}x_{1}^{2} \choose +2abx_{1}^{3}-q_{3}x_{1}^{3}+a^{2}x_{1}^{4}-q_{4}x_{1}^{4}}\\\hline R=&&&&&{c^{2}-q_{0}+2bcx_{1}-q_{1}x_{1}+b^{2}x_{1}^{2}+2acx_{1}^{2} \choose -q_{2}x_{1}^{2}+2abx_{1}^{3}-q_{3}x_{1}^{3}+a^{2}x_{1}^{4}-q_{4}x_{1}^{4}}\end{array}}}$

A quartic square dance

Every operation over a quartic curve will be defined geometrically by a “square dance” of the four points of intersection of the quartic curve and a parabola ^[2] whose axis is parallel to the y-axis, and otherwise to be determined.

Namely if P, Q, R, and S are four points of the quartic curve, through which a parabola with an axis parallel to the y-axis passes, then we will say that

${\displaystyle P\oplus Q\oplus R\oplus S=O}$

where O is the additional “point at infinity” which serves as the additive group identity.

Fitting the curves

When the resolvent quadratic equation

${\displaystyle y=ax^{2}+bx+c}$

is squared and diminished by the solvend equation of the quartic curve

${\displaystyle y^{2}=q_{4}x^{4}+q_{3}x^{3}+q_{2}x^{2}+q_{1}x+q_{0}}$,

and the leading coefficient of the resultant equation

${\displaystyle {\begin{array}{rcl}(a^{2}-q_{4})x^{4}\\{}+(2ab-q_{3})x^{3}\\{}+(b^{2}+2ac-q_{2})x^{2}\\{}+(2bc-q_{1})x\\{}+c^{2}-q_{0}&=&0\end{array}}}$

is set to one, then, after performing a partial fractions decomposition, we can start building a system of equations to determine the coefficients of the resolvent. The leading coefficient a is immediately determined, and at least one point x₁ is known in every case, while the resolvent coefficients b and c may be determined possibly with the assistance of a method of least squares.

Equations to be solved simultaneously may include but are not limited to the following system.

${\displaystyle {\begin{array}{rcl}a^{2}-q_{4}&=&1\\-2ab+q_{3}&=&x_{1}+x_{2}+x_{3}+x_{4}\\{\bar {x}}&=&{\frac {x_{1}+x_{2}+x_{3}+x_{4}}{4}}\\{\mathcal {Var}}(x)&=&{\frac {1}{4}}\sum _{i=1}^{4}(x_{i}-{\bar {x}})^{2}\\{\bar {y}}&=&a{\bar {x}}^{2}+b{\bar {x}}+c+a\cdot {\mathcal {Var}}(x)\\{\bar {y}}&=&{\frac {1}{4}}\sum _{i=1}^{4}(ax_{i}^{2}+bx_{i}+c)\\{\bar {y}}&=&{\frac {1}{4}}\sum _{i=1}^{4}(\pm ){\sqrt {q_{4}x_{i}^{4}+q_{3}x_{i}^{3}+q_{2}x_{i}^{2}+q_{1}x_{i}+q_{0}}}\end{array}}}$

Additive inverses

If P is a point on the quartic curve, then its inverse is found by solving for ${\displaystyle Q=-P}$ in this “square dance” equation

${\displaystyle P\oplus P\oplus Q\oplus Q=O}$

where the resolvent parabola ${\displaystyle y=ax^{2}+bx+c}$ is required to be tangent ^[3] to the original curve both at the point P = (x₁,y₁) and at the unknown point Q = (x,y). The “square dance” equation for the quartic point group additive inverse is solved on a computer algebra system, as pictured here on wxMaxima.

The solution is not as terrible as it appears at first glance. There are no nested radicals, and the one radical that does appear appears identically six times over in the two possible solutions for b, c, and x presented, after solving for a by fixing the leading coefficient of the resultant ${\displaystyle a^{2}-q_{4}=1}$.

And in fact, upon further consideration, the radicals may be eliminated entirely, which is, after all, the “point” of performing a point group operation that maps rational points to rational points for cryptographic purposes.

And be that as it may, we are still not getting quite the right answer from this modern equation solver, and our other option seems to be a master’s thesis by a Colorado schoolteacher over a century ago on the subject of solving systems of quadratic equations such as we have left here after performing the partial fractions decomposition on the resolvent, and substituting to eliminate any strictly linear dependencies.

File:Denis-DiscussionCasesTwo-1903-9-jam8-join.pdf

However by now we are at the point of dispensing entirely with the computer algebra system and doing our own long division to verify the partial fractions decomposition and derive the symbolic solutions.

To be verified very thoroughly:

${\displaystyle {\begin{array}{r|rrrr}&&(a^{2}-q_{4})x^{2}&{}+{2ab-q_{3}+a^{2}x_{1} \choose -q_{4}x_{1}+a^{2}x_{1}-q_{4}x_{1}}x&{}+{b^{2}+2ac-q_{2}+4abx_{1} \choose -2q_{3}x_{1}+2a^{2}x_{1}^{2}-2q_{4}x_{1}^{2}}\\\hline x-x_{1}&(a^{2}-q_{4})x^{3}&{}+{2ab-q_{3}+ \choose a^{2}x_{1}-q_{4}x_{1}}x^{2}&{}+{b^{2}+2ac-q_{2}+2abx_{1} \choose {}-q_{3}x_{1}+a^{2}x_{1}^{2}-q_{4}x_{1}^{2}}x&{}+{2bc-q_{1}+b^{2}x_{1}+2acx_{1}-q_{2}x_{1} \choose +2abx_{1}^{2}-q_{3}x_{1}^{2}+a^{2}x_{1}^{3}-q_{4}x_{1}^{3}}\\&(a^{2}-q_{4})x^{3}&{}-(a^{2}x_{1}-q_{4}x_{1})x^{2}\\\hline &&{2ab-q_{3}+a^{2}x_{1} \choose -q_{4}x_{1}+a^{2}x_{1}-q_{4}x_{1}}x^{2}&{}+{b^{2}+2ac-q_{2}+2abx_{1} \choose {}-q_{3}x_{1}+a^{2}x_{1}^{2}-q_{4}x_{1}^{2}}x\\&&{2ab-q_{3}+a^{2}x_{1} \choose -q_{4}x_{1}+a^{2}x_{1}-q_{4}x_{1}}x^{2}&{}-{2abx_{1}-q_{3}x_{1}+a^{2}x_{1}^{2} \choose -q_{4}x_{1}^{2}+a^{2}x_{1}^{2}-q_{4}x_{1}^{2}}x\\\hline &&&{b^{2}+2ac-q_{2}+4abx_{1} \choose -2q_{3}x_{1}+2a^{2}x_{1}^{2}-2q_{4}x_{1}^{2}}x&{}+{2bc-q_{1}+b^{2}x_{1}+2acx_{1}-q_{2}x_{1} \choose +2abx_{1}^{2}-q_{3}x_{1}^{2}+a^{2}x_{1}^{3}-q_{4}x_{1}^{3}}\\&&&{b^{2}+2ac-q_{2}+4abx_{1} \choose -2q_{3}x_{1}+2a^{2}x_{1}^{2}-2q_{4}x_{1}^{2}}x&{}-{b^{2}x_{1}+2acx_{1}-q_{2}x_{1}+4abx_{1}^{2} \choose -2q_{3}x_{1}^{2}+2a^{2}x_{1}^{3}-2q_{4}x_{1}^{3}}\\\hline R=&&&&{2bc-q_{1}+2b^{2}x_{1}+4acx_{1}-2q_{2}x_{1} \choose +6abx_{1}^{2}-3q_{3}x_{1}^{2}+3a^{2}x_{1}^{2}-3q_{4}x_{1}^{3}}\end{array}}}$

${\displaystyle (x-x_{2})^{2}=x^{2}+\left({\frac {2ab-q_{3}}{a^{2}-q_{4}}}+2x_{1}\right)x+{\frac {b^{2}+2ac-q_{2}+4abx_{1}-2q_{3}x_{1}}{a^{2}-q_{4}}}+3x_{1}^{2}}$

${\displaystyle {\begin{array}{rcl}-2x_{2}&=&{\dfrac {2ab-q_{3}}{a^{2}-q_{4}}}+2x_{1}\\x_{2}^{2}&=&{\dfrac {b^{2}+2ac-q_{2}+4abx_{1}-2q_{3}x_{1}}{a^{2}-q_{4}}}+3x_{1}^{2}\end{array}}}$

Point averaging

The average or “mean” of two points P and Q may be found by solving the square dance equation

${\displaystyle P\oplus Q\oplus R\oplus R=O}$

Here let the parabola pass through the points P and Q and be tangent to the quartic curve at R. Take the inverse to find the mean: ${\displaystyle {\frac {P\oplus Q}{2}}=-R}$.

Point trebling

To treble a point P, solve the “square dance” equation

${\displaystyle P\oplus P\oplus P\oplus Q=O}$

and then take the inverse of Q to find ${\displaystyle 3P=-Q}$. Here the parabola is required to osculate ^[4] the quartic curve at the point P which appears with a multiplicity of three in the equation, and intersect simply at the point Q.

Point trisection

Trisecting a point is exactly the same as trebling, except that it is at the unknown point Q where the parabola and the quartic curve are required to osculate, and a simple intersection is permitted at the point P.

${\displaystyle P\oplus Q\oplus Q\oplus Q=O}$.

Now take the inverse of Q to find ${\displaystyle {\frac {P}{3}}=-Q}$.

Point doubling

Point doubling is performed by trebling and then averaging

${\displaystyle 2P={\frac {P\oplus 3P}{2}}}$.

Point bisection

Point bisection or “halving” is performed by doubling a point and averaging with its additive inverse.

${\displaystyle {\frac {1}{2}}P={\frac {2P\oplus (-P)}{2}}}$

Point group addition

${\displaystyle P\oplus Q={\dfrac {\left({\dfrac {P\oplus Q}{2}}\right)\oplus 3\left({\dfrac {P\oplus Q}{2}}\right)}{2}}}$

The most essential and basic operation of “adding” two points, which should serve as the point group operation for cryptographic purposes, is now derived at the end of a long, roundabout square dance routine by calculating the mean of two points, and then doubling by means of trebling and averaging.

The algebra and calculus equations should be simplified, and made as efficient as possible. The operation has been suitably defined, and nothing has been introduced here that should violate the axioms of an Abelian group.

Next steps

Once you have mastered the quartic point group operation, the proof of Mordell’s theorem by infinite descent, methods of bounding heights of rational numbers, and the theory of numerical and floating point approximations for curve fitting, you may move on to the quintic point group operation.

Appendix: R code for example curve plot

#! /usr/bin/R -f

H <- function(x){
    sqrt((5/17)*(11-2*x^2/3)*(x+2/7)^2)
}

xvals <- seq(0,sqrt(16.5),0.0001)

plot(x=c(xvals,rev(xvals),-xvals,-rev(xvals)),
    y=c(H(xvals),-H(rev(xvals)),-H(-xvals),H(-rev(xvals))),
    type="l", lwd=3, col="brown",
    xlab="x", ylab="y", asp="1",
    main=expression(17*y^2 == 5*(11-2*x^2/3)*(x+2/7)^2)
)
abline(0,0)