Constructing genus 2 curves over finite fields

Size: px
Start display at page:

Download "Constructing genus 2 curves over finite fields"

Transcription

1 Constructing genus 2 curves over finite fields Kirsten Eisenträger The Pennsylvania State University Fq12, Saratoga Springs July 15, / 34

2 Curves and cryptography RSA: most widely used public key cryptosystem. Hardness assumption: - Factoring is hard. - Given N = p q for two secret primes p and q, hard to find p, q. Elliptic and hyperelliptic curve cryptography: alternative to RSA. Advantage: smaller key size than RSA. - have associated abelian groups. - want to control the group order. Hardness assumption: discrete log problem on the associated groups is hard. 2 / 34

3 Main Result: curves with a prescribed number of points This talk: joint work with Kristin Lauter (2009). Give an algorithm for the following problem (under certain conditions): Problem: Given (l, N 1, N 2 ) with l prime and N 1, N 2 positive integers: Construct a genus 2 curve C over F l such that #C(F l ) = N 1 and #C(F l 2) = N 2. For cryptographic applications: want to choose N 1, N 2 so that the number of points on the Jacobian of the curve C is prime. 3 / 34

4 Overview of Talk Part 1: Elliptic curves Explain use of elliptic curves in cryptography. Elliptic curves: easier case. For elliptic curves: problem reduces to computing Hilbert class polynomials. Explain CRT algorithm for computing them. Part 2: Genus 2 curves Generalize to genus 2 curves. Show that the problem reduces to computing Igusa class polynomials. Give an algorithm for computing them. 4 / 34

5 Part 1 Using elliptic curves for cryptography In 1985: N. Koblitz and V. Miller suggested using elliptic curves for cryptography. Approach uses the group structure of elliptic curves over finite fields. For crypto: want curves E over a field F p such that #E(F p ) is prime. Hardness assumption: discrete log problem on an elliptic curve is hard. 5 / 34

6 Elliptic Curves Over a field K of characteristic 2, consider the curve E : y 2 = x 3 + ax + b, (1) with a, b K and s.t. x 3 + ax + b has no repeated roots. Then E is an elliptic curve. Denote by E(K) the points (x, y) on E with coordinates in K, together with the point at infinity. E(K) is an abelian group. 6 / 34

7 The group law on elliptic curves Group law is given by equations. The point at infinity is the identity element of the group. Also have geometric interpretation of the group law: 7 / 34

8 Properties of elliptic curves over finite fields Let l be a prime. Let E be an elliptic curve defined over F l. #E(F l ) [l l, l l]. Frobenius endomorphism π is an element of the endomorphism ring End(E). π : (x, y) (x l, y l ). Characteristic polynomial of π: X 2 tx + l, where t is the trace of Frobenius. So π is an element of Q( D) with D = t 2 4l. Can show: when the trace of π is nonzero mod l, then End(E) is an order in Q( D) and D < 0. 8 / 34

9 Elliptic curves with prescribed group order GOAL: Let l be a prime. Given N [l l, l l], construct elliptic curve E 0 /F l with #E 0 (F l ) = N. Know: #E 0 (F l ) = N = l + 1 t where t is the trace of the Frobenius endomorphism π of E 0 over F l. Assume t 0. Since t 0 mod l, End(E 0 ) is an order in K := Q( D) with D = t 2 4l. Approach to construct E 0 : Find elliptic curve E defined over a number field with End(E) = O K and reduce it modulo l. 9 / 34

10 Approach for finding elliptic curves with prescribed group order GOAL: Given l, N as above: construct elliptic curve E 0 /F l with #E 0 (F l ) = N. Algorithm Sketch: Let π be the Frobenius endomorphism of E 0, t its trace ( 0), and D = t 2 4l. Let K := Q( D). Compute Hilbert class polynomial H D (X ) of K. Let j 0 be a root of H D modulo l. Take curve E 0 /F l with j-invariant j(e 0 ) = j 0. Then either E 0 or a quadratic twist of E 0 has N points over F l. 10 / 34

11 Complex multiplication Let K be a field of characteristic zero, E elliptic curve over K. Need to define complex multiplication to define the Hilbert class polynomial H D (X ). Let End(E) := endomorphism ring of E = {morphisms E E that are group homomorphisms}. For most elliptic curves in characteristic zero: End(E) = Z: For all m Z 0, we have the multiplication-by-m map: [m] : P P + + P (m times) Can also define multiplication-by-m map for negative m. For most curves (in characteristic zero): these are all endomorphisms. 11 / 34

12 Complex multiplication, continued CM case: End(E) is strictly larger than Z. Definition: E has complex multiplication (CM) by O if End(E) is an order O in Q( D) with D < 0. Example: E : y 2 = x 3 x over C has endomorphism ring End(E) strictly larger than Z since it contains a map φ : (x, y) ( x, iy). Easy to check: φ φ is [ 1] : P P. So E has CM by Z[i]. 12 / 34

13 The Hilbert class polynomial Now: ready to define j-invariant and Hilbert Class polynomial. Definition: The j-invariant of E : y 2 = x 3 + Ax + B is j(e) = A3 4A B 2 We have: j(e) = j(e ) E = E over the algebraic closure. Definition: Let K = Q( D) with D < 0. Let O K be the ring of integers. The Hilbert class polynomial H D (X ) of K is the polynomial whose roots are exactly the j-invariants of elliptic curves over C with CM by O K. 13 / 34

14 The Hilbert class polynomial, continued H D (X ) = E/C with End(E) =O K (X j(e)). Theorem: The polynomial H D (X ) has integer coefficients. This implies: Can reduce H D modulo l to find curves over F l whose endomorphism ring is O K. 14 / 34

15 Algorithms for Computing Hilbert class polynomials So to construct elliptic curves with a given number of points, enough to compute the Hilbert class polynomial. Several methods: analytic (Atkin-Morain, 1993) p-adic (Couveignes-Henocq, 2002, Bröker, 2007) Chinese Remainder Theorem method (Agashe-Lauter-Venkatesan, 2004) modified CRT method (Belding-Bröker-Enge-Lauter, 2008) Running for all of them: exponential in log( D ). This talk: will present the CRT method. 15 / 34

16 The Chinese Remainder Theorem (CRT) method CRT algorithm for computing the Hilbert class polynomial of a quadratic imaginary number field K (Agashe-Lauter-Venkatesan, 2004): 1 Compute upper bound B on the coefficients of H D (X ). 2 Compute H D (X ) modulo small primes p 1,..., p n which split completely in the Hilbert class field of K and such that p i > B. 3 Use the Chinese Remainder Theorem to find the coefficients of H D (X ). i 16 / 34

17 Step 2: Computing H D (X ) mod p for small primes p Can describe what H D (X ) (mod p) looks like for certain primes p: Let D < 0 be the discriminant of the maximal order O K of K := Q( D). Let p be a rational prime such that 4p = t 2 Du 2 for some integers u and t. Let Ell (D) be the set of F p isomorphism classes of elliptic curves over F p with End(E) = O K. Proposition: H D (X ) (mod p) = [E ] Ell (D) (X j(e )). 17 / 34

18 Step 2: Computing H D (X ) mod p for small primes p, continued Can compute the set Ell (D) when D = discriminant of the maximal order and p is a prime of the form 4p = t 2 D: Proposition: Suppose p is a prime and t 0 is an integer such that 4p = t 2 D. Let E be an elliptic curve over F p. Then [E ] Ell (D) if and only if #E (F p ) is either p + 1 t or p t. Algorithm for computing all factors of H D (X ) mod p: 1 For each j F p, create an elliptic curve E over F p with j(e ) = j. 2 If #E (F p ) is either p + 1 t or p t, then H D (X ) (mod p) has a factor of (X j(e )). 18 / 34

19 Recap of Part 1 Can use elliptic curves for cryptography. To do this: construct curves with a prescribed number of points. To construct an elliptic curve E 0 over F l with N points: 1 Compute the imaginary quadratic number field K = Q( D) with End(E 0 ) K. 2 Compute Hilbert class polynomial H D (X ) for K by computing H D (X ) (mod p) for many small primes p. (CRT step) 3 Find a root j 0 of H D (X ) modulo l. 4 Construct a curve modulo E 0 over F l with j(e 0 ) = j 0. This is easy. E 0 or twist of E 0 is the desired curve. 19 / 34

20 Part 2: Genus 2 curves Generalize elliptic curve construction to curves of genus 2. Advantage for crypto: can work over smaller prime field and get comparable group size. Definition: Let K be a field of characteristic 2. A curve of genus 2 is a smooth projective curve that has an affine model y 2 = f (x), deg(f ) = 5 or 6, with f K[x], f no double roots. 20 / 34

21 Group law on Jacobians of genus 2 curves Group elements: points on the Jacobian of the curve. The Jacobian of C is the quotient group Jac(C) = D 0 /P. D 0 = group of degree zero divisors on C P = subgroup of principal divisors on C. The curve C : y 2 = f (x) with degree(f ) = 5 has one point at infinity. Elements of Jacobian: represented by divisors r D = P i r with P i C and r 2. i=1 21 / 34

22 Genus 2 curves with a given number of points on the Jacobian Let C be a curve of genus 2 over F p. Let P(X ) be the characteristic polynomial of the Frobenius endomorphism π on Jac(C). P(X ) is monic of degree 4, has integer coefficients. Roots a 1,..., a 4 have absolute value p 1/2. P(X ) determines the number of points on C and on Jac(C): #C(F p m) = 1 4 1=1 am i + p m # Jac(C)(F p m) = 4 i=1 (1 am i ) # Jac(C)(F p ) = 1 2 #C(F p 2) #C(F p) p 22 / 34

23 Statement of Problem Algorithm (E-Lauter, 2009): Our algorithm solves the following problem (under certain conditions): Problem: Given (l, N 1, N 2 ) with l prime, N 1, N 2 positive integers: construct genus 2 curve C over F l such that #C(F l ) = N 1 and #C(F l 2) = N 2. For cryptographic applications: want # Jac(C)(F l ) to be prime. 23 / 34

24 Setup for genus 2 curves Want to generalize the algorithm for constructing elliptic curves (i.e. curves of genus 1) to genus 2 setting. Need an analogue of the j-invariant and the Hilbert class polynomial. Need notion of complex multiplication (CM) for genus 2 curves. 24 / 34

25 Complex multiplication for genus 2 curves Elliptic curves E have CM if End(E) is an order in an imaginary quadratic field K = Q( d). A curve C of genus 2 has CM if End(Jac(C)) is an order in a quartic CM field K, i.e. if K = K 0 ( d) with K 0 real quadratic and d K 0 totally negative. The genus 2 curves we construct will have CM. 25 / 34

26 Finding the quartic CM field Goal: Given (l, N 1, N 2 ) find a genus 2 curve C defined over F l such that #C(F l ) = N 1 and #C(F l 2) = N 2. First Step: Find the quartic CM field K such that End(Jac(C)) K. To do this: find quartic polynomial satisfied by Frobenius: Write N 1 = l + 1 s 1, N 2 = l s 2 s 2 1. Solve for s 1, s 2. (Assume gcd(s 2, l) = 1.) The quartic CM field K is generated over Q by a root of X 4 s 1 X 3 + s 2 X 2 ls 1 X + l / 34

27 Elliptic curves versus genus 2 curves Constructing curves with a given number of points: Approach for elliptic curve case: To construct the desired curve over F l : Find the (quadratic imaginary) CM field K, then find a root j 0 of the Hilbert class polynomial of K modulo l. Desired curve E 0 over F l is E 0 with j(e 0 ) = j 0. Approach for genus 2 case: To construct the desired curve over F l : Find the quartic CM field K. Construct analogue of the Hilbert class polynomial. What is this? 27 / 34

28 Igusa invariants For elliptic curves E, E over K: E is isomorphic to E j(e) = j(e ). Igusa invariants: genus 2 analogue of the j-invariant. For genus 2 curve y 2 = f (x) over K = K: Igusa defines invariants I 2, I 4, I 6, I 10. Gives bijection between isomorphism classes of genus 2 curves over K and points (I 2 : I 4 : I 6 : I 10 ) in weighted projective space with I From I 2, I 4, I 6, I 10 : can construct absolute Igusa invariants i 1 = I 2 5 I 10, i 2 = I 2 3I 4 I 10, i 3 = I 2 2I 6 I 10. They determine the K-isomorphism classes of curves. 28 / 34

29 Igusa class polynomials Let K be a primitive quartic CM field. Let A be a set of representatives for isomorphism classes Jacobians of genus 2 curves defined over C with CM by the maximal order O K. Given A A let (j 1 (A), j 2 (a), j 3 (A)) be its triple of absolute Igusa invariants. The Igusa class polynomials H 1, H 2, H 3 are defined to be H i (X ) = A A(X j i (A)) (i = 1, 2, 3). Difficulty: H i (X ) Q[X ], not Z[X ]. Need bound on denominators (Goren-Lauter, 2011). 29 / 34

30 Constructing genus 2 curves with a given number of points on its Jacobian To construct genus 2 curves with a given number of points: Step 1: Compute the quartic CM field K such that End(Jac(C)) K. Step 2: Compute the Igusa class polynomials H 1, H 2, H 3 for K. 30 / 34

31 Outline of CRT algorithm for genus 2 curves CRT algorithm for computing Igusa class polynomials: Theorem (E-Lauter): Given a primitive quartic CM field K, the following algorithm finds the Igusa class polynomials of K: 1 Produce a collection S of small primes such that p S satisfies certain splitting conditions in K and the reflex field of K. p S p > c, where c is a constant that depends on the coefficients of the Igusa class polynomials and their denominators. 2 Form the class polynomials H 1, H 2, H 3 modulo p for each p S. 3 (CRT Step) Form H i (X ) from the collection of H i modulo p. 31 / 34

32 Step 2: Computing Igusa class polynomials modulo p Can describe H i (X ) modulo p for primes that satisfy our splitting conditions: Proposition (E-Lauter): H i (X ) (mod p) = C T p (X j i (C)). Here T p = collection of F p isomorphism classes of genus 2 curves C over F p with End(Jac(C)) = O K. Use Proposition to compute H i (X ) (mod p) for p small: Loop through all possible triples of Igusa invariants (j 1, j 2, j 3 ). For each triple: construct curve C over F p with (j 1, j 2, j 3 ) = (j 1 (C), j 2 (C), j 3 (C)) using Mestre s algorithm. For each curve C check whether End(Jac(C)) = O K. 32 / 34

33 Computing the endomorphism ring of Jac(C) To compute the Igusa class polynomials: need to be able to test whether End(Jac(C)) = O K. First result by E-Lauter (2005): requires computation of action of Frobenius on torsion subgroups. Improvement on this by Freeman-Lauter (2007). Bisson (2015): General algorithm for computing the endomorphism of the Jacobian of a genus 2 curve: generalizes work of G. Bisson and D. Sutherland for elliptic curves. 33 / 34

34 Conclusion Can use elliptic curves and genus 2 curves for cryptography. Advantage over RSA: smaller key size To construct genus 2 curves with a given number of points: Compute Igusa class polynomials with a CRT algorithm. Open Problems: - Make CRT step more efficient by avoiding looping through all triples of Igusa invariants. - How to generalize to genus 3? 34 / 34

Igusa Class Polynomials

Igusa Class Polynomials , supported by the Leiden University Fund (LUF) Joint Mathematics Meetings, San Diego, January 2008 Overview Igusa class polynomials are the genus 2 analogue of the classical Hilbert class polynomials.

More information

Igusa Class Polynomials

Igusa Class Polynomials Genus 2 day, Intercity Number Theory Seminar Utrecht, April 18th 2008 Overview Igusa class polynomials are the genus 2 analogue of the classical Hilbert class polynomial. For each notion, I will 1. tell

More information

Igusa class polynomials

Igusa class polynomials Number Theory Seminar Cambridge 26 April 2011 Elliptic curves An elliptic curve E/k (char(k) 2) is a smooth projective curve y 2 = x 3 + ax 2 + bx + c. Q P P Q E is a commutative algebraic group Endomorphisms

More information

Class invariants for quartic CM-fields

Class invariants for quartic CM-fields Number Theory Seminar Oxford 2 June 2011 Elliptic curves An elliptic curve E/k (char(k) 2) is a smooth projective curve y 2 = x 3 + ax 2 + bx + c. Q P E is a commutative algebraic group P Q Endomorphisms

More information

Genus 2 Curves of p-rank 1 via CM method

Genus 2 Curves of p-rank 1 via CM method School of Mathematical Sciences University College Dublin Ireland and Claude Shannon Institute April 2009, GeoCrypt Joint work with Laura Hitt, Michael Naehrig, Marco Streng Introduction This talk is about

More information

Counting points on genus 2 curves over finite

Counting points on genus 2 curves over finite Counting points on genus 2 curves over finite fields Chloe Martindale May 11, 2017 These notes are from a talk given in the Number Theory Seminar at the Fourier Institute, Grenoble, France, on 04/05/2017.

More information

CONSTRUCTING SUPERSINGULAR ELLIPTIC CURVES. Reinier Bröker

CONSTRUCTING SUPERSINGULAR ELLIPTIC CURVES. Reinier Bröker CONSTRUCTING SUPERSINGULAR ELLIPTIC CURVES Reinier Bröker Abstract. We give an algorithm that constructs, on input of a prime power q and an integer t, a supersingular elliptic curve over F q with trace

More information

COMPUTING ENDOMORPHISM RINGS OF JACOBIANS OF GENUS 2 CURVES OVER FINITE FIELDS

COMPUTING ENDOMORPHISM RINGS OF JACOBIANS OF GENUS 2 CURVES OVER FINITE FIELDS COMPUTING ENDOMORPHISM RINGS OF JACOBIANS OF GENUS 2 CURVES OVER FINITE FIELDS DAVID FREEMAN AND KRISTIN LAUTER Abstract. We present probabilistic algorithms which, given a genus 2 curve C defined over

More information

Hyperelliptic curves

Hyperelliptic curves 1/40 Hyperelliptic curves Pierrick Gaudry Caramel LORIA CNRS, Université de Lorraine, Inria ECC Summer School 2013, Leuven 2/40 Plan What? Why? Group law: the Jacobian Cardinalities, torsion Hyperelliptic

More information

COMPUTING ENDOMORPHISM RINGS OF JACOBIANS OF GENUS 2 CURVES OVER FINITE FIELDS

COMPUTING ENDOMORPHISM RINGS OF JACOBIANS OF GENUS 2 CURVES OVER FINITE FIELDS COMPUTING ENDOMORPHISM RINGS OF JACOBIANS OF GENUS 2 CURVES OVER FINITE FIELDS DAVID FREEMAN AND KRISTIN LAUTER Abstract. We present algorithms which, given a genus 2 curve C defined over a finite field

More information

Mappings of elliptic curves

Mappings of elliptic curves Mappings of elliptic curves Benjamin Smith INRIA Saclay Île-de-France & Laboratoire d Informatique de l École polytechnique (LIX) Eindhoven, September 2008 Smith (INRIA & LIX) Isogenies of Elliptic Curves

More information

Abstracts of papers. Amod Agashe

Abstracts of papers. Amod Agashe Abstracts of papers Amod Agashe In this document, I have assembled the abstracts of my work so far. All of the papers mentioned below are available at http://www.math.fsu.edu/~agashe/math.html 1) On invisible

More information

Class polynomials for abelian surfaces

Class polynomials for abelian surfaces Class polynomials for abelian surfaces Andreas Enge LFANT project-team INRIA Bordeaux Sud-Ouest andreas.enge@inria.fr http://www.math.u-bordeaux.fr/~aenge LFANT seminar 27 January 2015 (joint work with

More information

Class invariants by the CRT method

Class invariants by the CRT method Class invariants by the CRT method Andreas Enge Andrew V. Sutherland INRIA Bordeaux-Sud-Ouest Massachusetts Institute of Technology ANTS IX Andreas Enge and Andrew Sutherland Class invariants by the CRT

More information

Isogeny graphs, modular polynomials, and point counting for higher genus curves

Isogeny graphs, modular polynomials, and point counting for higher genus curves Isogeny graphs, modular polynomials, and point counting for higher genus curves Chloe Martindale July 7, 2017 These notes are from a talk given in the Number Theory Seminar at INRIA, Nancy, France. The

More information

Curves, Cryptography, and Primes of the Form x 2 + y 2 D

Curves, Cryptography, and Primes of the Form x 2 + y 2 D Curves, Cryptography, and Primes of the Form x + y D Juliana V. Belding Abstract An ongoing challenge in cryptography is to find groups in which the discrete log problem hard, or computationally infeasible.

More information

Explicit Complex Multiplication

Explicit Complex Multiplication Explicit Complex Multiplication Benjamin Smith INRIA Saclay Île-de-France & Laboratoire d Informatique de l École polytechnique (LIX) Eindhoven, September 2008 Smith (INRIA & LIX) Explicit CM Eindhoven,

More information

Fast arithmetic and pairing evaluation on genus 2 curves

Fast arithmetic and pairing evaluation on genus 2 curves Fast arithmetic and pairing evaluation on genus 2 curves David Freeman University of California, Berkeley dfreeman@math.berkeley.edu November 6, 2005 Abstract We present two algorithms for fast arithmetic

More information

Constructing Abelian Varieties for Pairing-Based Cryptography

Constructing Abelian Varieties for Pairing-Based Cryptography for Pairing-Based CWI and Universiteit Leiden, Netherlands Workshop on Pairings in Arithmetic Geometry and 4 May 2009 s MNT MNT Type s What is pairing-based cryptography? Pairing-based cryptography refers

More information

Computing the endomorphism ring of an ordinary elliptic curve

Computing the endomorphism ring of an ordinary elliptic curve Computing the endomorphism ring of an ordinary elliptic curve Massachusetts Institute of Technology April 3, 2009 joint work with Gaetan Bisson http://arxiv.org/abs/0902.4670 Elliptic curves An elliptic

More information

Computing modular polynomials with the Chinese Remainder Theorem

Computing modular polynomials with the Chinese Remainder Theorem Computing modular polynomials with the Chinese Remainder Theorem Andrew V. Sutherland Massachusetts Institute of Technology ECC 009 Reinier Bröker Kristin Lauter Andrew V. Sutherland (MIT) Computing modular

More information

arxiv: v2 [math.nt] 17 Jul 2018

arxiv: v2 [math.nt] 17 Jul 2018 arxiv:1803.00514v2 [math.nt] 17 Jul 2018 CONSTRUCTING PICARD CURVES WITH COMPLEX MULTIPLICATION USING THE CHINESE REMAINDER THEOREM SONNY ARORA AND KIRSTEN EISENTRÄGER Abstract. We give a new algorithm

More information

Public-key Cryptography: Theory and Practice

Public-key Cryptography: Theory and Practice Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Chapter 2: Mathematical Concepts Divisibility Congruence Quadratic Residues

More information

Constructing Abelian Varieties for Pairing-Based Cryptography. David Stephen Freeman. A.B. (Harvard University) 2002

Constructing Abelian Varieties for Pairing-Based Cryptography. David Stephen Freeman. A.B. (Harvard University) 2002 Constructing Abelian Varieties for Pairing-Based Cryptography by David Stephen Freeman A.B. (Harvard University) 2002 A dissertation submitted in partial satisfaction of the requirements for the degree

More information

Introduction to Elliptic Curves

Introduction to Elliptic Curves IAS/Park City Mathematics Series Volume XX, XXXX Introduction to Elliptic Curves Alice Silverberg Introduction Why study elliptic curves? Solving equations is a classical problem with a long history. Starting

More information

Mathematics for Cryptography

Mathematics for Cryptography Mathematics for Cryptography Douglas R. Stinson David R. Cheriton School of Computer Science University of Waterloo Waterloo, Ontario, N2L 3G1, Canada March 15, 2016 1 Groups and Modular Arithmetic 1.1

More information

ON ISOGENY GRAPHS OF SUPERSINGULAR ELLIPTIC CURVES OVER FINITE FIELDS

ON ISOGENY GRAPHS OF SUPERSINGULAR ELLIPTIC CURVES OVER FINITE FIELDS ON ISOGENY GRAPHS OF SUPERSINGULAR ELLIPTIC CURVES OVER FINITE FIELDS GORA ADJ, OMRAN AHMADI, AND ALFRED MENEZES Abstract. We study the isogeny graphs of supersingular elliptic curves over finite fields,

More information

Isogenies in a quantum world

Isogenies in a quantum world Isogenies in a quantum world David Jao University of Waterloo September 19, 2011 Summary of main results A. Childs, D. Jao, and V. Soukharev, arxiv:1012.4019 For ordinary isogenous elliptic curves of equal

More information

Modular polynomials and isogeny volcanoes

Modular polynomials and isogeny volcanoes Modular polynomials and isogeny volcanoes Andrew V. Sutherland February 3, 010 Reinier Bröker Kristin Lauter Andrew V. Sutherland (MIT) Modular polynomials and isogeny volcanoes 1 of 9 Isogenies An isogeny

More information

Bad reduction of genus 3 curves with Complex Multiplication

Bad reduction of genus 3 curves with Complex Multiplication Bad reduction of genus 3 curves with Complex Multiplication Elisa Lorenzo García Universiteit Leiden Joint work with Bouw, Cooley, Lauter, Manes, Newton, Ozman. October 1, 2015 Elisa Lorenzo García Universiteit

More information

Counting points on elliptic curves over F q

Counting points on elliptic curves over F q Counting points on elliptic curves over F q Christiane Peters DIAMANT-Summer School on Elliptic and Hyperelliptic Curve Cryptography September 17, 2008 p.2 Motivation Given an elliptic curve E over a finite

More information

Isogeny graphs of abelian varieties and applications to the Discrete Logarithm Problem

Isogeny graphs of abelian varieties and applications to the Discrete Logarithm Problem Isogeny graphs of abelian varieties and applications to the Discrete Logarithm Problem Chloe Martindale 26th January, 2018 These notes are from a talk given in the Séminaire Géométrie et algèbre effectives

More information

Identifying supersingular elliptic curves

Identifying supersingular elliptic curves Identifying supersingular elliptic curves Andrew V. Sutherland Massachusetts Institute of Technology January 6, 2012 http://arxiv.org/abs/1107.1140 Andrew V. Sutherland (MIT) Identifying supersingular

More information

14 Ordinary and supersingular elliptic curves

14 Ordinary and supersingular elliptic curves 18.783 Elliptic Curves Spring 2015 Lecture #14 03/31/2015 14 Ordinary and supersingular elliptic curves Let E/k be an elliptic curve over a field of positive characteristic p. In Lecture 7 we proved that

More information

COMPUTING MODULAR POLYNOMIALS

COMPUTING MODULAR POLYNOMIALS COMPUTING MODULAR POLYNOMIALS DENIS CHARLES AND KRISTIN LAUTER 1. Introduction The l th modular polynomial, φ l (x, y), parameterizes pairs of elliptic curves with an isogeny of degree l between them.

More information

A Generalized Brezing-Weng Algorithm for Constructing Pairing-Friendly Ordinary Abelian Varieties

A Generalized Brezing-Weng Algorithm for Constructing Pairing-Friendly Ordinary Abelian Varieties A Generalized Brezing-Weng Algorithm for Constructing Pairing-Friendly Ordinary Abelian Varieties David Freeman Department of Mathematics University of California, Berkeley Berkeley, CA 94720-3840, USA

More information

Introduction to Elliptic Curve Cryptography. Anupam Datta

Introduction to Elliptic Curve Cryptography. Anupam Datta Introduction to Elliptic Curve Cryptography Anupam Datta 18-733 Elliptic Curve Cryptography Public Key Cryptosystem Duality between Elliptic Curve Cryptography and Discrete Log Based Cryptography Groups

More information

6 Ideal norms and the Dedekind-Kummer theorem

6 Ideal norms and the Dedekind-Kummer theorem 18.785 Number theory I Fall 2016 Lecture #6 09/27/2016 6 Ideal norms and the Dedekind-Kummer theorem Recall that for a ring extension B/A in which B is a free A-module of finite rank, we defined the (relative)

More information

Complex multiplication and canonical lifts

Complex multiplication and canonical lifts Complex multiplication and canonical lifts David R. Kohel Abstract The problem of constructing CM invariants of higher dimensional abelian varieties presents significant new challenges relative to CM constructions

More information

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem. Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem. Elisa Lorenzo García Université de Rennes 1 14-09-2017 Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 1 /

More information

Counting Points on Curves using Monsky-Washnitzer Cohomology

Counting Points on Curves using Monsky-Washnitzer Cohomology Counting Points on Curves using Monsky-Washnitzer Cohomology Frederik Vercauteren frederik@cs.bris.ac.uk Jan Denef jan.denef@wis.kuleuven.ac.be University of Leuven http://www.arehcc.com University of

More information

Constructing Permutation Rational Functions From Isogenies

Constructing Permutation Rational Functions From Isogenies Constructing Permutation Rational Functions From Isogenies Gaetan Bisson 1 and Mehdi Tibouchi 1 University of French Polynesia NTT Secure Platform Laboratories Abstract. A permutation rational function

More information

Fast Cryptography in Genus 2

Fast Cryptography in Genus 2 Fast Cryptography in Genus 2 Joppe W. Bos, Craig Costello, Huseyin Hisil and Kristin Lauter EUROCRYPT 2013 Athens, Greece May 27, 2013 Fast Cryptography in Genus 2 Recall that curves are much better than

More information

Some. Manin-Mumford. Problems

Some. Manin-Mumford. Problems Some Manin-Mumford Problems S. S. Grant 1 Key to Stark s proof of his conjectures over imaginary quadratic fields was the construction of elliptic units. A basic approach to elliptic units is as follows.

More information

ISOGENY GRAPHS OF ORDINARY ABELIAN VARIETIES

ISOGENY GRAPHS OF ORDINARY ABELIAN VARIETIES ERNEST HUNTER BROOKS DIMITAR JETCHEV BENJAMIN WESOLOWSKI ISOGENY GRAPHS OF ORDINARY ABELIAN VARIETIES PRESENTED AT ECC 2017, NIJMEGEN, THE NETHERLANDS BY BENJAMIN WESOLOWSKI FROM EPFL, SWITZERLAND AN INTRODUCTION

More information

The Sato-Tate conjecture for abelian varieties

The Sato-Tate conjecture for abelian varieties The Sato-Tate conjecture for abelian varieties Andrew V. Sutherland Massachusetts Institute of Technology March 5, 2014 Mikio Sato John Tate Joint work with F. Fité, K.S. Kedlaya, and V. Rotger, and also

More information

Computing modular polynomials in dimension 2 ECC 2015, Bordeaux

Computing modular polynomials in dimension 2 ECC 2015, Bordeaux Computing modular polynomials in dimension 2 ECC 2015, Bordeaux Enea Milio 29/09/2015 Enea Milio Computing modular polynomials 29/09/2015 1 / 49 Computing modular polynomials 1 Dimension 1 : elliptic curves

More information

GENERATORS OF JACOBIANS OF GENUS TWO CURVES

GENERATORS OF JACOBIANS OF GENUS TWO CURVES GENERATORS OF JACOBIANS OF GENUS TWO CURVES CHRISTIAN ROBENHAGEN RAVNSHØJ Abstract. We prove that in most cases relevant to cryptography, the Frobenius endomorphism on the Jacobian of a genus two curve

More information

Modern Number Theory: Rank of Elliptic Curves

Modern Number Theory: Rank of Elliptic Curves Modern Number Theory: Rank of Elliptic Curves Department of Mathematics University of California, Irvine October 24, 2007 Rank of Outline 1 Introduction Basics Algebraic Structure 2 The Problem Relation

More information

GENUS 2 CURVES WITH COMPLEX MULTIPLICATION

GENUS 2 CURVES WITH COMPLEX MULTIPLICATION GENUS 2 CURVES WITH COMPLEX MULTIPLICATION EYAL Z. GOREN & KRISTIN E. LAUTER 1. Introduction While the main goal of this paper is to give a bound on the denominators of Igusa class polynomials of genus

More information

Elliptic Curves Spring 2015 Lecture #23 05/05/2015

Elliptic Curves Spring 2015 Lecture #23 05/05/2015 18.783 Elliptic Curves Spring 2015 Lecture #23 05/05/2015 23 Isogeny volcanoes We now want to shift our focus away from elliptic curves over C and consider elliptic curves E/k defined over any field k;

More information

Edwards Curves and the ECM Factorisation Method

Edwards Curves and the ECM Factorisation Method Edwards Curves and the ECM Factorisation Method Peter Birkner Eindhoven University of Technology CADO Workshop on Integer Factorization 7 October 2008 Joint work with Daniel J. Bernstein, Tanja Lange and

More information

L-Polynomials of Curves over Finite Fields

L-Polynomials of Curves over Finite Fields School of Mathematical Sciences University College Dublin Ireland July 2015 12th Finite Fields and their Applications Conference Introduction This talk is about when the L-polynomial of one curve divides

More information

SM9 identity-based cryptographic algorithms Part 1: General

SM9 identity-based cryptographic algorithms Part 1: General SM9 identity-based cryptographic algorithms Part 1: General Contents 1 Scope... 1 2 Terms and definitions... 1 2.1 identity... 1 2.2 master key... 1 2.3 key generation center (KGC)... 1 3 Symbols and abbreviations...

More information

Riemann surfaces with extra automorphisms and endomorphism rings of their Jacobians

Riemann surfaces with extra automorphisms and endomorphism rings of their Jacobians Riemann surfaces with extra automorphisms and endomorphism rings of their Jacobians T. Shaska Oakland University Rochester, MI, 48309 April 14, 2018 Problem Let X be an algebraic curve defined over a field

More information

Applications of Complex Multiplication of Elliptic Curves

Applications of Complex Multiplication of Elliptic Curves Applications of Complex Multiplication of Elliptic Curves MASTER THESIS Candidate: Massimo CHENAL Supervisor: Prof. Jean-Marc COUVEIGNES UNIVERSITÀ DEGLI STUDI DI PADOVA UNIVERSITÉ BORDEAUX 1 Facoltà di

More information

Algebra Homework, Edition 2 9 September 2010

Algebra Homework, Edition 2 9 September 2010 Algebra Homework, Edition 2 9 September 2010 Problem 6. (1) Let I and J be ideals of a commutative ring R with I + J = R. Prove that IJ = I J. (2) Let I, J, and K be ideals of a principal ideal domain.

More information

Constructing Families of Pairing-Friendly Elliptic Curves

Constructing Families of Pairing-Friendly Elliptic Curves Constructing Families of Pairing-Friendly Elliptic Curves David Freeman Information Theory Research HP Laboratories Palo Alto HPL-2005-155 August 24, 2005* cryptography, pairings, elliptic curves, embedding

More information

Outline of the Seminar Topics on elliptic curves Saarbrücken,

Outline of the Seminar Topics on elliptic curves Saarbrücken, Outline of the Seminar Topics on elliptic curves Saarbrücken, 11.09.2017 Contents A Number theory and algebraic geometry 2 B Elliptic curves 2 1 Rational points on elliptic curves (Mordell s Theorem) 5

More information

Equations for Hilbert modular surfaces

Equations for Hilbert modular surfaces Equations for Hilbert modular surfaces Abhinav Kumar MIT April 24, 2013 Introduction Outline of talk Elliptic curves, moduli spaces, abelian varieties 2/31 Introduction Outline of talk Elliptic curves,

More information

Introduction to Arithmetic Geometry

Introduction to Arithmetic Geometry Introduction to Arithmetic Geometry 18.782 Andrew V. Sutherland September 5, 2013 What is arithmetic geometry? Arithmetic geometry applies the techniques of algebraic geometry to problems in number theory

More information

LECTURE 2 FRANZ LEMMERMEYER

LECTURE 2 FRANZ LEMMERMEYER LECTURE 2 FRANZ LEMMERMEYER Last time we have seen that the proof of Fermat s Last Theorem for the exponent 4 provides us with two elliptic curves (y 2 = x 3 + x and y 2 = x 3 4x) in the guise of the quartic

More information

Introduction to Arithmetic Geometry Fall 2013 Lecture #24 12/03/2013

Introduction to Arithmetic Geometry Fall 2013 Lecture #24 12/03/2013 18.78 Introduction to Arithmetic Geometry Fall 013 Lecture #4 1/03/013 4.1 Isogenies of elliptic curves Definition 4.1. Let E 1 /k and E /k be elliptic curves with distinguished rational points O 1 and

More information

Math 547, Exam 2 Information.

Math 547, Exam 2 Information. Math 547, Exam 2 Information. 3/19/10, LC 303B, 10:10-11:00. Exam 2 will be based on: Homework and textbook sections covered by lectures 2/3-3/5. (see http://www.math.sc.edu/ boylan/sccourses/547sp10/547.html)

More information

Counting points on hyperelliptic curves

Counting points on hyperelliptic curves University of New South Wales 9th November 202, CARMA, University of Newcastle Elliptic curves Let p be a prime. Let X be an elliptic curve over F p. Want to compute #X (F p ), the number of F p -rational

More information

TC10 / 3. Finite fields S. Xambó

TC10 / 3. Finite fields S. Xambó TC10 / 3. Finite fields S. Xambó The ring Construction of finite fields The Frobenius automorphism Splitting field of a polynomial Structure of the multiplicative group of a finite field Structure of the

More information

Elliptic curve cryptography in a post-quantum world: the mathematics of isogeny-based cryptography

Elliptic curve cryptography in a post-quantum world: the mathematics of isogeny-based cryptography Elliptic curve cryptography in a post-quantum world: the mathematics of isogeny-based cryptography Andrew Sutherland MIT Undergraduate Mathematics Association November 29, 2018 Creating a shared secret

More information

Computing the modular equation

Computing the modular equation Computing the modular equation Andrew V. Sutherland (MIT) Barcelona-Boston-Tokyo Number Theory Seminar in Memory of Fumiyuki Momose Andrew V. Sutherland (MIT) Computing the modular equation 1 of 8 The

More information

Divisibility Sequences for Elliptic Curves with Complex Multiplication

Divisibility Sequences for Elliptic Curves with Complex Multiplication Divisibility Sequences for Elliptic Curves with Complex Multiplication Master s thesis, Universiteit Utrecht supervisor: Gunther Cornelissen Universiteit Leiden Journées Arithmétiques, Edinburgh, July

More information

Fully maximal and minimal supersingular abelian varieties

Fully maximal and minimal supersingular abelian varieties Fully maximal and minimal supersingular abelian varieties Valentijn Karemaker (University of Pennsylvania) Joint with R. Pries Arithmetic, Geometry, Cryptography, and Coding Theory, CIRM June 19, 2017

More information

Lecture 2: Elliptic curves

Lecture 2: Elliptic curves Lecture 2: Elliptic curves This lecture covers the basics of elliptic curves. I begin with a brief review of algebraic curves. I then define elliptic curves, and talk about their group structure and defining

More information

MATH 361: NUMBER THEORY TENTH LECTURE

MATH 361: NUMBER THEORY TENTH LECTURE MATH 361: NUMBER THEORY TENTH LECTURE The subject of this lecture is finite fields. 1. Root Fields Let k be any field, and let f(x) k[x] be irreducible and have positive degree. We want to construct a

More information

Isogeny invariance of the BSD conjecture

Isogeny invariance of the BSD conjecture Isogeny invariance of the BSD conjecture Akshay Venkatesh October 30, 2015 1 Examples The BSD conjecture predicts that for an elliptic curve E over Q with E(Q) of rank r 0, where L (r) (1, E) r! = ( p

More information

Cyclic Groups in Cryptography

Cyclic Groups in Cryptography Cyclic Groups in Cryptography p. 1/6 Cyclic Groups in Cryptography Palash Sarkar Indian Statistical Institute Cyclic Groups in Cryptography p. 2/6 Structure of Presentation Exponentiation in General Cyclic

More information

FINDING COMPOSITE ORDER ORDINARY ELLIPTIC CURVES USING THE COCKS-PINCH METHOD

FINDING COMPOSITE ORDER ORDINARY ELLIPTIC CURVES USING THE COCKS-PINCH METHOD FINDING COMPOSITE ORDER ORDINARY ELLIPTIC CURVES USING THE COCKS-PINCH METHOD D. BONEH, K. RUBIN, AND A. SILVERBERG Abstract. We apply the Cocks-Pinch method to obtain pairing-friendly composite order

More information

Heuristics. pairing-friendly abelian varieties

Heuristics. pairing-friendly abelian varieties Heuristics on pairing-friendly abelian varieties joint work with David Gruenewald John Boxall john.boxall@unicaen.fr Laboratoire de Mathématiques Nicolas Oresme, UFR Sciences, Université de Caen Basse-Normandie,

More information

HOMEWORK 11 MATH 4753

HOMEWORK 11 MATH 4753 HOMEWORK 11 MATH 4753 Recall that R = Z[x]/(x N 1) where N > 1. For p > 1 any modulus (not necessarily prime), R p = (Z/pZ)[x]/(x N 1). We do not assume p, q are prime below unless otherwise stated. Question

More information

Dedekind Domains. Mathematics 601

Dedekind Domains. Mathematics 601 Dedekind Domains Mathematics 601 In this note we prove several facts about Dedekind domains that we will use in the course of proving the Riemann-Roch theorem. The main theorem shows that if K/F is a finite

More information

Computing the image of Galois

Computing the image of Galois Computing the image of Galois Andrew V. Sutherland Massachusetts Institute of Technology October 9, 2014 Andrew Sutherland (MIT) Computing the image of Galois 1 of 25 Elliptic curves Let E be an elliptic

More information

Non-generic attacks on elliptic curve DLPs

Non-generic attacks on elliptic curve DLPs Non-generic attacks on elliptic curve DLPs Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC Summer School Leuven, September 13 2013 Smith

More information

Finite Fields and Elliptic Curves in Cryptography

Finite Fields and Elliptic Curves in Cryptography Finite Fields and Elliptic Curves in Cryptography Frederik Vercauteren - Katholieke Universiteit Leuven - COmputer Security and Industrial Cryptography 1 Overview Public-key vs. symmetric cryptosystem

More information

HONDA-TATE THEOREM FOR ELLIPTIC CURVES

HONDA-TATE THEOREM FOR ELLIPTIC CURVES HONDA-TATE THEOREM FOR ELLIPTIC CURVES MIHRAN PAPIKIAN 1. Introduction These are the notes from a reading seminar for graduate students that I organised at Penn State during the 2011-12 academic year.

More information

A p-adic ALGORITHM TO COMPUTE THE HILBERT CLASS POLYNOMIAL. Reinier Bröker

A p-adic ALGORITHM TO COMPUTE THE HILBERT CLASS POLYNOMIAL. Reinier Bröker A p-adic ALGORITHM TO COMPUTE THE HILBERT CLASS POLYNOMIAL Reinier Bröker Abstract. Classicaly, the Hilbert class polynomial P Z[X] of an imaginary quadratic discriminant is computed using complex analytic

More information

Q N id β. 2. Let I and J be ideals in a commutative ring A. Give a simple description of

Q N id β. 2. Let I and J be ideals in a commutative ring A. Give a simple description of Additional Problems 1. Let A be a commutative ring and let 0 M α N β P 0 be a short exact sequence of A-modules. Let Q be an A-module. i) Show that the naturally induced sequence is exact, but that 0 Hom(P,

More information

Mathematical Foundations of Cryptography

Mathematical Foundations of Cryptography Mathematical Foundations of Cryptography Cryptography is based on mathematics In this chapter we study finite fields, the basis of the Advanced Encryption Standard (AES) and elliptical curve cryptography

More information

Congruent number elliptic curves of high rank

Congruent number elliptic curves of high rank Michaela Klopf, BSc Congruent number elliptic curves of high rank MASTER S THESIS to achieve the university degree of Diplom-Ingenieurin Master s degree programme: Mathematical Computer Science submitted

More information

COMPUTING MODULAR POLYNOMIALS

COMPUTING MODULAR POLYNOMIALS COMPUTING MODULAR POLYNOMIALS DENIS CHARLES AND KRISTIN LAUTER 1. Introduction The l th modular polynomial, φ l (x, y), parameterizes pairs of elliptic curves with a cyclic isogeny of degree l between

More information

Explicit isogenies and the Discrete Logarithm Problem in genus three

Explicit isogenies and the Discrete Logarithm Problem in genus three Explicit isogenies and the Discrete Logarithm Problem in genus three Benjamin Smith INRIA Saclay Île-de-France Laboratoire d informatique de l école polytechnique (LIX) EUROCRYPT 2008 : Istanbul, April

More information

Optimal curves of genus 1, 2 and 3

Optimal curves of genus 1, 2 and 3 Optimal curves of genus 1, 2 and 3 Christophe Ritzenthaler Institut de Mathématiques de Luminy, CNRS Leuven, 17-21 May 2010 Christophe Ritzenthaler (IML) Optimal curves of genus 1, 2 and 3 Leuven, 17-21

More information

ACCELERATING THE SCALAR MULTIPLICATION ON GENUS 2 HYPERELLIPTIC CURVE CRYPTOSYSTEMS

ACCELERATING THE SCALAR MULTIPLICATION ON GENUS 2 HYPERELLIPTIC CURVE CRYPTOSYSTEMS ACCELERATING THE SCALAR MULTIPLICATION ON GENUS 2 HYPERELLIPTIC CURVE CRYPTOSYSTEMS by Balasingham Balamohan A thesis submitted to the Faculty of Graduate and Postdoctoral Studies in partial fulfillment

More information

Computing endomorphism rings of abelian varieties of dimension two

Computing endomorphism rings of abelian varieties of dimension two Computing endomorphism rings of abelian varieties of dimension two Gaetan Bisson University of French Polynesia Abstract Generalizing a method of Sutherland and the author for elliptic curves [5, 1] we

More information

Schoof s Algorithm for Counting Points on E(F q )

Schoof s Algorithm for Counting Points on E(F q ) Schoof s Algorithm for Counting Points on E(F q ) Gregg Musiker December 7, 005 1 Introduction In this write-up we discuss the problem of counting points on an elliptic curve over a finite field. Here,

More information

Evaluating Large Degree Isogenies between Elliptic Curves

Evaluating Large Degree Isogenies between Elliptic Curves Evaluating Large Degree Isogenies between Elliptic Curves by Vladimir Soukharev A thesis presented to the University of Waterloo in fulfillment of the thesis requirement for the degree of Master of Mathematics

More information

NOTES ON FINITE FIELDS

NOTES ON FINITE FIELDS NOTES ON FINITE FIELDS AARON LANDESMAN CONTENTS 1. Introduction to finite fields 2 2. Definition and constructions of fields 3 2.1. The definition of a field 3 2.2. Constructing field extensions by adjoining

More information

Finite Fields. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay

Finite Fields. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay 1 / 25 Finite Fields Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical Engineering Indian Institute of Technology Bombay September 25, 2014 2 / 25 Fields Definition A set F together

More information

Definition of a finite group

Definition of a finite group Elliptic curves Definition of a finite group (G, * ) is a finite group if: 1. G is a finite set. 2. For each a and b in G, also a * b is in G. 3. There is an e in G such that for all a in G, a * e= e *

More information

Aspects of Pairing Inversion

Aspects of Pairing Inversion Applications of Aspects of ECC 2007 - Dublin Aspects of Applications of Applications of Aspects of Applications of Pairings Let G 1, G 2, G T be groups of prime order r. A pairing is a non-degenerate bilinear

More information

7 Orders in Dedekind domains, primes in Galois extensions

7 Orders in Dedekind domains, primes in Galois extensions 18.785 Number theory I Lecture #7 Fall 2015 10/01/2015 7 Orders in Dedekind domains, primes in Galois extensions 7.1 Orders in Dedekind domains Let S/R be an extension of rings. The conductor c of R (in

More information

Galois theory (Part II)( ) Example Sheet 1

Galois theory (Part II)( ) Example Sheet 1 Galois theory (Part II)(2015 2016) Example Sheet 1 c.birkar@dpmms.cam.ac.uk (1) Find the minimal polynomial of 2 + 3 over Q. (2) Let K L be a finite field extension such that [L : K] is prime. Show that

More information

c Copyright 2012 Wenhan Wang

c Copyright 2012 Wenhan Wang c Copyright 01 Wenhan Wang Isolated Curves for Hyperelliptic Curve Cryptography Wenhan Wang A dissertation submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy University

More information