Computing isogeny graphs using CM lattices

Transcription

1 Computing isogeny graphs using CM lattices David Gruenewald GREYC/LMNO Université de Caen GeoCrypt, Corsica 22nd June 2011

2 Motivation for computing isogenies Point counting. Computing CM invariants. Endomorphism ring computations. Transporting discrete log problems. Visiting Corsica...

3 History of isogenies Genus 1, we have Vélu s formulae. Genus 2, from a computational perspective we had: Richelot (2, 2)-isogenies (3, 3)-isogenies (Carls-Kohel-Lubicz, Bröker-G.-Lauter) And, as the CHIC project has progressed: (l 2,l 2 )-isogenies for l 40 (Lubicz-Robert) (l,l)-isogenies for l 1000 now possible using the Magma package AVIsogenies (Bisson-Cosset-Robert)

4 Other types of isogenies: Explicit endomorphisms for RM families: 2 in genus 2 (Bending, Gaudry, Mestre,...) in genus 2 (Kohel-Smith, Takashima,...) ζ2g+1 + ζ2g+1 1 in genus g (Mestre, Smith, Tautz-Top-Verberkmoes,...) (2,2,2)-isogenies for generic genus 3 curves (Lehavi-Ritzenthaler) Ben Smith can tell you more and will undoubtedly find more!..

5 Lattices of elliptic curves isomorphisms Let E be an elliptic curve over C. E(C) = C/Λ, where Λ = α 1 Z + α 2 Z C is a lattice. In particular, {α 1,α 2 } C are R-linearly independent, so one of (α 1 /α 2 ) ±1 H 1 := {z C Im(z) > 0}. Order our basis α 1,α 2 so that α 1 /α 2 H 1.

6 The set of lattices Λ 0 with ordered bases such that C/Λ 0 = E(C) is given by the orbit C \Λ/SL 2 (Z) Left action : rescale basis by λ C λ α 1,α 2 = λα 1,λα 2 Right action: change basis by M = ( a b c d) SL2 (Z) α 1,α 2 M = aα 1 + bα 2,cα 1 + dα 2 In particular, τ,1 M = M τ,1 where M τ := aτ + b cτ + d From this, we see the usual SL 2 (Z)-action on the upper half plane.

7 Lattices of elliptic curves isogenies An isogeny C/Λ C/Λ is induced by a C-linear map ϕ : C C with ϕλ Λ. Fixing( a basis) for Λ we can represent this by a b R ϕ = M c d 2 (Z) with ad bc = n > 0. The degree/kernel of the isogeny is given by the elementary divisors of R ϕ. n = 1 = R ϕ SL 2 (Z) is an isomorphism, as expected.

8 Lattices of elliptic curves Isogeny graphs Usual definition of a T-isogeny graph: Vertices: isomorphism classes of elliptic curves Edges: isogenies of type T Equivalent definition: Vertices: lattices upto homothety Edges: T-isogenies between lattices

9 Example: 2-isogeny graphs For l prime, there are l + 1 cyclic l-isogenies R l = {( ) l x x SL2 (Z)/Γ 0 (l) } where Γ 0 (l) := { ( a b c d) SL2 (Z) c 0 (mod l)} Up to isomorphism, the 2-isogenies can be represented by: {( ) 2 0 R 2 =, 0 1 ( ) , ( )} For a generic τ H 1 (the case where End( τ,1 ) = Z) the isogeny graph is a 3-ary tree

10 For a CM point τ H 1 (the case where End( τ,1 ) = O is an order in Q( D)) the isogeny graph is determined by Pic(O) ϕ ker ϕ = a, [a 4 ] = [O] Pic(O)

11 Lattices of abelian surfaces isomorphisms Let A be a principally polarized (PP) abelian surface over C. A(C) = C 2 /Λ, where Λ = Z 4 is a PP lattice Such a lattice comes equipped with a symplectic basis (wrt the polarization). Using this basis we can then write Λ = ΠZ 4 where Π = Π 1 Π 2 Mat(2 4, C) called the period matrix. This matrix satisfies the Riemann relations: Π 2 t Π 1 Π 1 t Π 2 = 0 i(π 2 t Π 1 Π 1 t Π 2 ) > 0 (RR1) (RR2)

12 The set of PP lattices Λ 0 for which C/Λ 0 = A(C) as PPAS s is given by the orbit GL 2 (C)\Λ/Sp 4 (Z) Left action : λ GL 2 (C) sends Π to λπ Right action: M Sp 4 (Z) sends Π to Π t M (RR ) each orbit has a representative of the form τ I where τ H 2 := { Z M 2 (C) t Z = Z and Im Z > 0 } From this we derive the action of ( a b c d ) Sp4 (Z) on τ H 2 : M τ := (aτ + b)(cτ + d) 1

13 Lattices of abelian surfaces Isogenies Let A = (C 2 /Λ,χ) be a polarized abelian surface over C. An isogeny ϕ : C 2 /Λ C 2 /Λ induces a C-linear map ϕ : C 2 C 2 with ϕλ Λ. Fixing a basis of Λ we can represent this by R ϕ M 4 (Z), with deg ϕ = det R ϕ = n > 0. In fact, ϕ : (A,χ) C/Λ = (A,χ ) is an isogeny of PAS s, but not necessarily polarization preserving. (In general χ ϕ χ )

14 (l, l)-isogenies Isogenies ϕ : A A for which ker ϕ = (Z/lZ) 2 is a maximal Weil-isotropic l-subgroup of A[l] preserve the polarization class and are called (l,l)-isogenies. For l prime there are l 3 + l 2 + l + 1 (l,l)-isogenies up to isomorphism, represented by: { } R (2) l,l = diag(l,l,0,0)x x Sp 4 (Z)/Γ (2) 0 (l) where Γ (2) 0 (l) := {( a b c d) Sp4 (Z) c 0 (mod l)}.

15 Generic example For a generic τ H 2 (the case where End( τ,i ) = Z) the (2,2)-isogeny graph is a 15-ary tree

16 RM example - squiddy the 6-eyed octopus Here s part of the (2,2) isogeny graph of an RM lattice: End( τ,i ) = Z[ 2]

17 RM example - squiddy the 6-eyed octopus Here s part of the (2,2) isogeny graph of an RM lattice: End( τ,i ) = Z[ 2] = Jac(C) where C : y 2 = x 6 4x 5 12x 4 + 2x 3 + 8x 2 + 8x 7 over C

18 RM example - squiddy the 6-eyed octopus Here s part of the (2,2) isogeny graph of an RM lattice: End( τ,i ) = Z[ 2] = Jac(C) where C : y 2 = x 6 4x 5 12x 4 + 2x 3 + 8x 2 + 8x 7 over C part of graph with only (some) maximal RM points shown

19 CM example: a (3, 3)-isogeny graph K = Q[X]/(X X ), cyclic Galois group, class number 2. 3O K = p 2 the two CM lattices with O K -multiplication are connected by a (3,3)-isogeny. A 27,B 9,C 9,D 9,E 9,F 9 are the endomorphism rings of the nonmaximal leaf vertices (appearing with multiplicities 18,9,6,6,6,6 resp.) = 40 isogenous points.

20 Connection to isogeny graphs over finite fields An ordinary PPAS over F q is the reduction of an abelian surface over C having CM by an order in K = Q(π) where π is an ordinary Weil number of norm q 2. To obtain an (l,l)-isogeny graph for PPAS s over F q in the isogeny class given by π K, do the following:

21 Connection to isogeny graphs over finite fields An ordinary PPAS over F q is the reduction of an abelian surface over C having CM by an order in K = Q(π) where π is an ordinary Weil number of norm q 2. To obtain an (l,l)-isogeny graph for PPAS s over F q in the isogeny class given by π K, do the following: 1. Take a principally polarizable ideal class of O K : (a,ξ) where ξ K is purely imaginary and ξaa = D 1 K/Q, the inverse different. This is our starting point.

22 Connection to isogeny graphs over finite fields An ordinary PPAS over F q is the reduction of an abelian surface over C having CM by an order in K = Q(π) where π is an ordinary Weil number of norm q 2. To obtain an (l,l)-isogeny graph for PPAS s over F q in the isogeny class given by π K, do the following: 1. Take a principally polarizable ideal class of O K : (a,ξ) where ξ K is purely imaginary and ξaa = D 1 K/Q, the inverse different. This is our starting point. 2. Compute a Frobenius basis ΠZ 4 for the rank four Z-module a with respect to ξ; the symplectic form is E : (x,y) Tr K/Q (ξxy) and we want the matrix of E to be ( 0 I I 0 ).

23 3. Compute (l, l)-isogenous images: For each isogeny transformation M R (2) l,l : Compute the isogenous period matrix Π = Π t M. The principally polarized CM lattice is (a,ξ ) = (Π Z 4,l 1 ξ).

24 3. Compute (l, l)-isogenous images: For each isogeny transformation M R (2) l,l : Compute the isogenous period matrix Π = Π t M. The principally polarized CM lattice is (a,ξ ) = (Π Z 4,l 1 ξ). Test whether πa a. If true, this means that π,π End(a ) and that the reduction of this isogenous PPAS C 2 /Π Z 4 is defined over F q. Throw away the lattices which fail the test.

25 3. Compute (l, l)-isogenous images: For each isogeny transformation M R (2) l,l : Compute the isogenous period matrix Π = Π t M. The principally polarized CM lattice is (a,ξ ) = (Π Z 4,l 1 ξ). Test whether πa a. If true, this means that π,π End(a ) and that the reduction of this isogenous PPAS C 2 /Π Z 4 is defined over F q. Throw away the lattices which fail the test. Recursively run algorithm on unexplored isomorphism classes of CM lattices. Isomorphism test: { (a,ξ) = (a,ξ a = γa ) iff ξ = (γγ) 1 ( γ K) ξ

26 Disadvantages: We can compute complex approximations of absolute invariants for CM lattices, but constructing CM moduli over F q seems rather intractable. Slow Advantages:

27 Disadvantages: We can compute complex approximations of absolute invariants for CM lattices, but constructing CM moduli over F q seems rather intractable. Slow Advantages: Endomorphism rings of CM lattices are easy to compute (= multiplier ring of lattice) Generalisations: Use a different set R of isogeny transformations, not necessarily always polarization preserving (e.g. cyclic l-isogenies). Higher genus.

28 Example 1: our old friend K = Q[X]/(X X ) Gal(K/Q) = C 4 = σ and Cl(O K ) = Z/2Z. Let q = 127. We have K = Q(π) where π π π qπ + q 2 = 0 is an ordinary Weil number. A 27,B 9,C 9,D 9,E 9,F 9 are the endomorphism rings of the nonmaximal leaf vertices (appearing with multiplicities 18,9,6,6,6,6 resp.)

29 Example 1: our old friend K = Q[X]/(X X ) Gal(K/Q) = C 4 = σ and Cl(O K ) = Z/2Z. Let q = 127. We have K = Q(π) where π π π qπ + q 2 = 0 is an ordinary Weil number. A 27,B 9,C 9,D 9,E 9,F 9 are the endomorphism rings of the nonmaximal leaf vertices (appearing with multiplicities 18,9,6,6,6,6 resp.) Of the six proper suborders, only F 9 contains π.

30 Example 1: our old friend K = Q[X]/(X X ) Gal(K/Q) = C 4 = σ and Cl(O K ) = Z/2Z. Let q = 127. We have K = Q(π) where π π π qπ + q 2 = 0 is an ordinary Weil number. Lesson: graph structure alone is not sufficient information to determine the endomorphism ring.

31 Example 2: K = Q[X]/(X X + 73) (3,3)-isogeny graph over F 1609 Gal(K/Q) = dihedral group of order 8. Let q = We have K = Q(π) = Q(ψ) where π π π qπ + q 2 = 0 and ψ ψ 3 414ψ qψ + q 2 = 0 are ordinary Weil numbers.

32 Example 2: K = Q[X]/(X X + 73) (3,3)-isogeny graph over F 1609 Gal(K/Q) = dihedral group of order 8. Let q = We have K = Q(π) = Q(ψ) where π π π qπ + q 2 = 0 and ψ ψ 3 414ψ qψ + q 2 = 0 are ordinary Weil numbers. Lesson: we can have cycles involving nonmaximal points (invertible ideals of norm l 2 can exist in non l-maximal orders).

33 Example 3: K = Q[X]/(X X ) (1,2)-isogenies over F 3 7 Let q = 3 7. We have K = Q(π) where π π π qπ+ q 2 = 0 is an ordinary Weil number. (2, 2)-isogeny graph:

34 Example 3: K = Q[X]/(X X ) (1,2)-isogenies over F 3 7 Let q = 3 7. We have K = Q(π) where π π π qπ+ q 2 = 0 is an ordinary Weil number. (1, 2)-isogeny graph:

35 The end Genus 3 isogeny graphs?

36 The end Genus 3 isogeny graphs? Perhaps at GeoCrypt 2013 Thanks for your attention.