Constructing genus 2 curves over finite fields
|
|
- Stanley Allen
- 5 years ago
- Views:
Transcription
1 Constructing genus 2 curves over finite fields Kirsten Eisenträger The Pennsylvania State University Fq12, Saratoga Springs July 15, / 34
2 Curves and cryptography RSA: most widely used public key cryptosystem. Hardness assumption: - Factoring is hard. - Given N = p q for two secret primes p and q, hard to find p, q. Elliptic and hyperelliptic curve cryptography: alternative to RSA. Advantage: smaller key size than RSA. - have associated abelian groups. - want to control the group order. Hardness assumption: discrete log problem on the associated groups is hard. 2 / 34
3 Main Result: curves with a prescribed number of points This talk: joint work with Kristin Lauter (2009). Give an algorithm for the following problem (under certain conditions): Problem: Given (l, N 1, N 2 ) with l prime and N 1, N 2 positive integers: Construct a genus 2 curve C over F l such that #C(F l ) = N 1 and #C(F l 2) = N 2. For cryptographic applications: want to choose N 1, N 2 so that the number of points on the Jacobian of the curve C is prime. 3 / 34
4 Overview of Talk Part 1: Elliptic curves Explain use of elliptic curves in cryptography. Elliptic curves: easier case. For elliptic curves: problem reduces to computing Hilbert class polynomials. Explain CRT algorithm for computing them. Part 2: Genus 2 curves Generalize to genus 2 curves. Show that the problem reduces to computing Igusa class polynomials. Give an algorithm for computing them. 4 / 34
5 Part 1 Using elliptic curves for cryptography In 1985: N. Koblitz and V. Miller suggested using elliptic curves for cryptography. Approach uses the group structure of elliptic curves over finite fields. For crypto: want curves E over a field F p such that #E(F p ) is prime. Hardness assumption: discrete log problem on an elliptic curve is hard. 5 / 34
6 Elliptic Curves Over a field K of characteristic 2, consider the curve E : y 2 = x 3 + ax + b, (1) with a, b K and s.t. x 3 + ax + b has no repeated roots. Then E is an elliptic curve. Denote by E(K) the points (x, y) on E with coordinates in K, together with the point at infinity. E(K) is an abelian group. 6 / 34
7 The group law on elliptic curves Group law is given by equations. The point at infinity is the identity element of the group. Also have geometric interpretation of the group law: 7 / 34
8 Properties of elliptic curves over finite fields Let l be a prime. Let E be an elliptic curve defined over F l. #E(F l ) [l l, l l]. Frobenius endomorphism π is an element of the endomorphism ring End(E). π : (x, y) (x l, y l ). Characteristic polynomial of π: X 2 tx + l, where t is the trace of Frobenius. So π is an element of Q( D) with D = t 2 4l. Can show: when the trace of π is nonzero mod l, then End(E) is an order in Q( D) and D < 0. 8 / 34
9 Elliptic curves with prescribed group order GOAL: Let l be a prime. Given N [l l, l l], construct elliptic curve E 0 /F l with #E 0 (F l ) = N. Know: #E 0 (F l ) = N = l + 1 t where t is the trace of the Frobenius endomorphism π of E 0 over F l. Assume t 0. Since t 0 mod l, End(E 0 ) is an order in K := Q( D) with D = t 2 4l. Approach to construct E 0 : Find elliptic curve E defined over a number field with End(E) = O K and reduce it modulo l. 9 / 34
10 Approach for finding elliptic curves with prescribed group order GOAL: Given l, N as above: construct elliptic curve E 0 /F l with #E 0 (F l ) = N. Algorithm Sketch: Let π be the Frobenius endomorphism of E 0, t its trace ( 0), and D = t 2 4l. Let K := Q( D). Compute Hilbert class polynomial H D (X ) of K. Let j 0 be a root of H D modulo l. Take curve E 0 /F l with j-invariant j(e 0 ) = j 0. Then either E 0 or a quadratic twist of E 0 has N points over F l. 10 / 34
11 Complex multiplication Let K be a field of characteristic zero, E elliptic curve over K. Need to define complex multiplication to define the Hilbert class polynomial H D (X ). Let End(E) := endomorphism ring of E = {morphisms E E that are group homomorphisms}. For most elliptic curves in characteristic zero: End(E) = Z: For all m Z 0, we have the multiplication-by-m map: [m] : P P + + P (m times) Can also define multiplication-by-m map for negative m. For most curves (in characteristic zero): these are all endomorphisms. 11 / 34
12 Complex multiplication, continued CM case: End(E) is strictly larger than Z. Definition: E has complex multiplication (CM) by O if End(E) is an order O in Q( D) with D < 0. Example: E : y 2 = x 3 x over C has endomorphism ring End(E) strictly larger than Z since it contains a map φ : (x, y) ( x, iy). Easy to check: φ φ is [ 1] : P P. So E has CM by Z[i]. 12 / 34
13 The Hilbert class polynomial Now: ready to define j-invariant and Hilbert Class polynomial. Definition: The j-invariant of E : y 2 = x 3 + Ax + B is j(e) = A3 4A B 2 We have: j(e) = j(e ) E = E over the algebraic closure. Definition: Let K = Q( D) with D < 0. Let O K be the ring of integers. The Hilbert class polynomial H D (X ) of K is the polynomial whose roots are exactly the j-invariants of elliptic curves over C with CM by O K. 13 / 34
14 The Hilbert class polynomial, continued H D (X ) = E/C with End(E) =O K (X j(e)). Theorem: The polynomial H D (X ) has integer coefficients. This implies: Can reduce H D modulo l to find curves over F l whose endomorphism ring is O K. 14 / 34
15 Algorithms for Computing Hilbert class polynomials So to construct elliptic curves with a given number of points, enough to compute the Hilbert class polynomial. Several methods: analytic (Atkin-Morain, 1993) p-adic (Couveignes-Henocq, 2002, Bröker, 2007) Chinese Remainder Theorem method (Agashe-Lauter-Venkatesan, 2004) modified CRT method (Belding-Bröker-Enge-Lauter, 2008) Running for all of them: exponential in log( D ). This talk: will present the CRT method. 15 / 34
16 The Chinese Remainder Theorem (CRT) method CRT algorithm for computing the Hilbert class polynomial of a quadratic imaginary number field K (Agashe-Lauter-Venkatesan, 2004): 1 Compute upper bound B on the coefficients of H D (X ). 2 Compute H D (X ) modulo small primes p 1,..., p n which split completely in the Hilbert class field of K and such that p i > B. 3 Use the Chinese Remainder Theorem to find the coefficients of H D (X ). i 16 / 34
17 Step 2: Computing H D (X ) mod p for small primes p Can describe what H D (X ) (mod p) looks like for certain primes p: Let D < 0 be the discriminant of the maximal order O K of K := Q( D). Let p be a rational prime such that 4p = t 2 Du 2 for some integers u and t. Let Ell (D) be the set of F p isomorphism classes of elliptic curves over F p with End(E) = O K. Proposition: H D (X ) (mod p) = [E ] Ell (D) (X j(e )). 17 / 34
18 Step 2: Computing H D (X ) mod p for small primes p, continued Can compute the set Ell (D) when D = discriminant of the maximal order and p is a prime of the form 4p = t 2 D: Proposition: Suppose p is a prime and t 0 is an integer such that 4p = t 2 D. Let E be an elliptic curve over F p. Then [E ] Ell (D) if and only if #E (F p ) is either p + 1 t or p t. Algorithm for computing all factors of H D (X ) mod p: 1 For each j F p, create an elliptic curve E over F p with j(e ) = j. 2 If #E (F p ) is either p + 1 t or p t, then H D (X ) (mod p) has a factor of (X j(e )). 18 / 34
19 Recap of Part 1 Can use elliptic curves for cryptography. To do this: construct curves with a prescribed number of points. To construct an elliptic curve E 0 over F l with N points: 1 Compute the imaginary quadratic number field K = Q( D) with End(E 0 ) K. 2 Compute Hilbert class polynomial H D (X ) for K by computing H D (X ) (mod p) for many small primes p. (CRT step) 3 Find a root j 0 of H D (X ) modulo l. 4 Construct a curve modulo E 0 over F l with j(e 0 ) = j 0. This is easy. E 0 or twist of E 0 is the desired curve. 19 / 34
20 Part 2: Genus 2 curves Generalize elliptic curve construction to curves of genus 2. Advantage for crypto: can work over smaller prime field and get comparable group size. Definition: Let K be a field of characteristic 2. A curve of genus 2 is a smooth projective curve that has an affine model y 2 = f (x), deg(f ) = 5 or 6, with f K[x], f no double roots. 20 / 34
21 Group law on Jacobians of genus 2 curves Group elements: points on the Jacobian of the curve. The Jacobian of C is the quotient group Jac(C) = D 0 /P. D 0 = group of degree zero divisors on C P = subgroup of principal divisors on C. The curve C : y 2 = f (x) with degree(f ) = 5 has one point at infinity. Elements of Jacobian: represented by divisors r D = P i r with P i C and r 2. i=1 21 / 34
22 Genus 2 curves with a given number of points on the Jacobian Let C be a curve of genus 2 over F p. Let P(X ) be the characteristic polynomial of the Frobenius endomorphism π on Jac(C). P(X ) is monic of degree 4, has integer coefficients. Roots a 1,..., a 4 have absolute value p 1/2. P(X ) determines the number of points on C and on Jac(C): #C(F p m) = 1 4 1=1 am i + p m # Jac(C)(F p m) = 4 i=1 (1 am i ) # Jac(C)(F p ) = 1 2 #C(F p 2) #C(F p) p 22 / 34
23 Statement of Problem Algorithm (E-Lauter, 2009): Our algorithm solves the following problem (under certain conditions): Problem: Given (l, N 1, N 2 ) with l prime, N 1, N 2 positive integers: construct genus 2 curve C over F l such that #C(F l ) = N 1 and #C(F l 2) = N 2. For cryptographic applications: want # Jac(C)(F l ) to be prime. 23 / 34
24 Setup for genus 2 curves Want to generalize the algorithm for constructing elliptic curves (i.e. curves of genus 1) to genus 2 setting. Need an analogue of the j-invariant and the Hilbert class polynomial. Need notion of complex multiplication (CM) for genus 2 curves. 24 / 34
25 Complex multiplication for genus 2 curves Elliptic curves E have CM if End(E) is an order in an imaginary quadratic field K = Q( d). A curve C of genus 2 has CM if End(Jac(C)) is an order in a quartic CM field K, i.e. if K = K 0 ( d) with K 0 real quadratic and d K 0 totally negative. The genus 2 curves we construct will have CM. 25 / 34
26 Finding the quartic CM field Goal: Given (l, N 1, N 2 ) find a genus 2 curve C defined over F l such that #C(F l ) = N 1 and #C(F l 2) = N 2. First Step: Find the quartic CM field K such that End(Jac(C)) K. To do this: find quartic polynomial satisfied by Frobenius: Write N 1 = l + 1 s 1, N 2 = l s 2 s 2 1. Solve for s 1, s 2. (Assume gcd(s 2, l) = 1.) The quartic CM field K is generated over Q by a root of X 4 s 1 X 3 + s 2 X 2 ls 1 X + l / 34
27 Elliptic curves versus genus 2 curves Constructing curves with a given number of points: Approach for elliptic curve case: To construct the desired curve over F l : Find the (quadratic imaginary) CM field K, then find a root j 0 of the Hilbert class polynomial of K modulo l. Desired curve E 0 over F l is E 0 with j(e 0 ) = j 0. Approach for genus 2 case: To construct the desired curve over F l : Find the quartic CM field K. Construct analogue of the Hilbert class polynomial. What is this? 27 / 34
28 Igusa invariants For elliptic curves E, E over K: E is isomorphic to E j(e) = j(e ). Igusa invariants: genus 2 analogue of the j-invariant. For genus 2 curve y 2 = f (x) over K = K: Igusa defines invariants I 2, I 4, I 6, I 10. Gives bijection between isomorphism classes of genus 2 curves over K and points (I 2 : I 4 : I 6 : I 10 ) in weighted projective space with I From I 2, I 4, I 6, I 10 : can construct absolute Igusa invariants i 1 = I 2 5 I 10, i 2 = I 2 3I 4 I 10, i 3 = I 2 2I 6 I 10. They determine the K-isomorphism classes of curves. 28 / 34
29 Igusa class polynomials Let K be a primitive quartic CM field. Let A be a set of representatives for isomorphism classes Jacobians of genus 2 curves defined over C with CM by the maximal order O K. Given A A let (j 1 (A), j 2 (a), j 3 (A)) be its triple of absolute Igusa invariants. The Igusa class polynomials H 1, H 2, H 3 are defined to be H i (X ) = A A(X j i (A)) (i = 1, 2, 3). Difficulty: H i (X ) Q[X ], not Z[X ]. Need bound on denominators (Goren-Lauter, 2011). 29 / 34
30 Constructing genus 2 curves with a given number of points on its Jacobian To construct genus 2 curves with a given number of points: Step 1: Compute the quartic CM field K such that End(Jac(C)) K. Step 2: Compute the Igusa class polynomials H 1, H 2, H 3 for K. 30 / 34
31 Outline of CRT algorithm for genus 2 curves CRT algorithm for computing Igusa class polynomials: Theorem (E-Lauter): Given a primitive quartic CM field K, the following algorithm finds the Igusa class polynomials of K: 1 Produce a collection S of small primes such that p S satisfies certain splitting conditions in K and the reflex field of K. p S p > c, where c is a constant that depends on the coefficients of the Igusa class polynomials and their denominators. 2 Form the class polynomials H 1, H 2, H 3 modulo p for each p S. 3 (CRT Step) Form H i (X ) from the collection of H i modulo p. 31 / 34
32 Step 2: Computing Igusa class polynomials modulo p Can describe H i (X ) modulo p for primes that satisfy our splitting conditions: Proposition (E-Lauter): H i (X ) (mod p) = C T p (X j i (C)). Here T p = collection of F p isomorphism classes of genus 2 curves C over F p with End(Jac(C)) = O K. Use Proposition to compute H i (X ) (mod p) for p small: Loop through all possible triples of Igusa invariants (j 1, j 2, j 3 ). For each triple: construct curve C over F p with (j 1, j 2, j 3 ) = (j 1 (C), j 2 (C), j 3 (C)) using Mestre s algorithm. For each curve C check whether End(Jac(C)) = O K. 32 / 34
33 Computing the endomorphism ring of Jac(C) To compute the Igusa class polynomials: need to be able to test whether End(Jac(C)) = O K. First result by E-Lauter (2005): requires computation of action of Frobenius on torsion subgroups. Improvement on this by Freeman-Lauter (2007). Bisson (2015): General algorithm for computing the endomorphism of the Jacobian of a genus 2 curve: generalizes work of G. Bisson and D. Sutherland for elliptic curves. 33 / 34
34 Conclusion Can use elliptic curves and genus 2 curves for cryptography. Advantage over RSA: smaller key size To construct genus 2 curves with a given number of points: Compute Igusa class polynomials with a CRT algorithm. Open Problems: - Make CRT step more efficient by avoiding looping through all triples of Igusa invariants. - How to generalize to genus 3? 34 / 34
Igusa Class Polynomials
, supported by the Leiden University Fund (LUF) Joint Mathematics Meetings, San Diego, January 2008 Overview Igusa class polynomials are the genus 2 analogue of the classical Hilbert class polynomials.
More informationIgusa Class Polynomials
Genus 2 day, Intercity Number Theory Seminar Utrecht, April 18th 2008 Overview Igusa class polynomials are the genus 2 analogue of the classical Hilbert class polynomial. For each notion, I will 1. tell
More informationIgusa class polynomials
Number Theory Seminar Cambridge 26 April 2011 Elliptic curves An elliptic curve E/k (char(k) 2) is a smooth projective curve y 2 = x 3 + ax 2 + bx + c. Q P P Q E is a commutative algebraic group Endomorphisms
More informationClass invariants for quartic CM-fields
Number Theory Seminar Oxford 2 June 2011 Elliptic curves An elliptic curve E/k (char(k) 2) is a smooth projective curve y 2 = x 3 + ax 2 + bx + c. Q P E is a commutative algebraic group P Q Endomorphisms
More informationGenus 2 Curves of p-rank 1 via CM method
School of Mathematical Sciences University College Dublin Ireland and Claude Shannon Institute April 2009, GeoCrypt Joint work with Laura Hitt, Michael Naehrig, Marco Streng Introduction This talk is about
More informationCounting points on genus 2 curves over finite
Counting points on genus 2 curves over finite fields Chloe Martindale May 11, 2017 These notes are from a talk given in the Number Theory Seminar at the Fourier Institute, Grenoble, France, on 04/05/2017.
More informationCONSTRUCTING SUPERSINGULAR ELLIPTIC CURVES. Reinier Bröker
CONSTRUCTING SUPERSINGULAR ELLIPTIC CURVES Reinier Bröker Abstract. We give an algorithm that constructs, on input of a prime power q and an integer t, a supersingular elliptic curve over F q with trace
More informationCOMPUTING ENDOMORPHISM RINGS OF JACOBIANS OF GENUS 2 CURVES OVER FINITE FIELDS
COMPUTING ENDOMORPHISM RINGS OF JACOBIANS OF GENUS 2 CURVES OVER FINITE FIELDS DAVID FREEMAN AND KRISTIN LAUTER Abstract. We present probabilistic algorithms which, given a genus 2 curve C defined over
More informationHyperelliptic curves
1/40 Hyperelliptic curves Pierrick Gaudry Caramel LORIA CNRS, Université de Lorraine, Inria ECC Summer School 2013, Leuven 2/40 Plan What? Why? Group law: the Jacobian Cardinalities, torsion Hyperelliptic
More informationCOMPUTING ENDOMORPHISM RINGS OF JACOBIANS OF GENUS 2 CURVES OVER FINITE FIELDS
COMPUTING ENDOMORPHISM RINGS OF JACOBIANS OF GENUS 2 CURVES OVER FINITE FIELDS DAVID FREEMAN AND KRISTIN LAUTER Abstract. We present algorithms which, given a genus 2 curve C defined over a finite field
More informationMappings of elliptic curves
Mappings of elliptic curves Benjamin Smith INRIA Saclay Île-de-France & Laboratoire d Informatique de l École polytechnique (LIX) Eindhoven, September 2008 Smith (INRIA & LIX) Isogenies of Elliptic Curves
More informationAbstracts of papers. Amod Agashe
Abstracts of papers Amod Agashe In this document, I have assembled the abstracts of my work so far. All of the papers mentioned below are available at http://www.math.fsu.edu/~agashe/math.html 1) On invisible
More informationClass polynomials for abelian surfaces
Class polynomials for abelian surfaces Andreas Enge LFANT project-team INRIA Bordeaux Sud-Ouest andreas.enge@inria.fr http://www.math.u-bordeaux.fr/~aenge LFANT seminar 27 January 2015 (joint work with
More informationClass invariants by the CRT method
Class invariants by the CRT method Andreas Enge Andrew V. Sutherland INRIA Bordeaux-Sud-Ouest Massachusetts Institute of Technology ANTS IX Andreas Enge and Andrew Sutherland Class invariants by the CRT
More informationIsogeny graphs, modular polynomials, and point counting for higher genus curves
Isogeny graphs, modular polynomials, and point counting for higher genus curves Chloe Martindale July 7, 2017 These notes are from a talk given in the Number Theory Seminar at INRIA, Nancy, France. The
More informationCurves, Cryptography, and Primes of the Form x 2 + y 2 D
Curves, Cryptography, and Primes of the Form x + y D Juliana V. Belding Abstract An ongoing challenge in cryptography is to find groups in which the discrete log problem hard, or computationally infeasible.
More informationExplicit Complex Multiplication
Explicit Complex Multiplication Benjamin Smith INRIA Saclay Île-de-France & Laboratoire d Informatique de l École polytechnique (LIX) Eindhoven, September 2008 Smith (INRIA & LIX) Explicit CM Eindhoven,
More informationFast arithmetic and pairing evaluation on genus 2 curves
Fast arithmetic and pairing evaluation on genus 2 curves David Freeman University of California, Berkeley dfreeman@math.berkeley.edu November 6, 2005 Abstract We present two algorithms for fast arithmetic
More informationConstructing Abelian Varieties for Pairing-Based Cryptography
for Pairing-Based CWI and Universiteit Leiden, Netherlands Workshop on Pairings in Arithmetic Geometry and 4 May 2009 s MNT MNT Type s What is pairing-based cryptography? Pairing-based cryptography refers
More informationComputing the endomorphism ring of an ordinary elliptic curve
Computing the endomorphism ring of an ordinary elliptic curve Massachusetts Institute of Technology April 3, 2009 joint work with Gaetan Bisson http://arxiv.org/abs/0902.4670 Elliptic curves An elliptic
More informationComputing modular polynomials with the Chinese Remainder Theorem
Computing modular polynomials with the Chinese Remainder Theorem Andrew V. Sutherland Massachusetts Institute of Technology ECC 009 Reinier Bröker Kristin Lauter Andrew V. Sutherland (MIT) Computing modular
More informationarxiv: v2 [math.nt] 17 Jul 2018
arxiv:1803.00514v2 [math.nt] 17 Jul 2018 CONSTRUCTING PICARD CURVES WITH COMPLEX MULTIPLICATION USING THE CHINESE REMAINDER THEOREM SONNY ARORA AND KIRSTEN EISENTRÄGER Abstract. We give a new algorithm
More informationPublic-key Cryptography: Theory and Practice
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Chapter 2: Mathematical Concepts Divisibility Congruence Quadratic Residues
More informationConstructing Abelian Varieties for Pairing-Based Cryptography. David Stephen Freeman. A.B. (Harvard University) 2002
Constructing Abelian Varieties for Pairing-Based Cryptography by David Stephen Freeman A.B. (Harvard University) 2002 A dissertation submitted in partial satisfaction of the requirements for the degree
More informationIntroduction to Elliptic Curves
IAS/Park City Mathematics Series Volume XX, XXXX Introduction to Elliptic Curves Alice Silverberg Introduction Why study elliptic curves? Solving equations is a classical problem with a long history. Starting
More informationMathematics for Cryptography
Mathematics for Cryptography Douglas R. Stinson David R. Cheriton School of Computer Science University of Waterloo Waterloo, Ontario, N2L 3G1, Canada March 15, 2016 1 Groups and Modular Arithmetic 1.1
More informationON ISOGENY GRAPHS OF SUPERSINGULAR ELLIPTIC CURVES OVER FINITE FIELDS
ON ISOGENY GRAPHS OF SUPERSINGULAR ELLIPTIC CURVES OVER FINITE FIELDS GORA ADJ, OMRAN AHMADI, AND ALFRED MENEZES Abstract. We study the isogeny graphs of supersingular elliptic curves over finite fields,
More informationIsogenies in a quantum world
Isogenies in a quantum world David Jao University of Waterloo September 19, 2011 Summary of main results A. Childs, D. Jao, and V. Soukharev, arxiv:1012.4019 For ordinary isogenous elliptic curves of equal
More informationModular polynomials and isogeny volcanoes
Modular polynomials and isogeny volcanoes Andrew V. Sutherland February 3, 010 Reinier Bröker Kristin Lauter Andrew V. Sutherland (MIT) Modular polynomials and isogeny volcanoes 1 of 9 Isogenies An isogeny
More informationBad reduction of genus 3 curves with Complex Multiplication
Bad reduction of genus 3 curves with Complex Multiplication Elisa Lorenzo García Universiteit Leiden Joint work with Bouw, Cooley, Lauter, Manes, Newton, Ozman. October 1, 2015 Elisa Lorenzo García Universiteit
More informationCounting points on elliptic curves over F q
Counting points on elliptic curves over F q Christiane Peters DIAMANT-Summer School on Elliptic and Hyperelliptic Curve Cryptography September 17, 2008 p.2 Motivation Given an elliptic curve E over a finite
More informationIsogeny graphs of abelian varieties and applications to the Discrete Logarithm Problem
Isogeny graphs of abelian varieties and applications to the Discrete Logarithm Problem Chloe Martindale 26th January, 2018 These notes are from a talk given in the Séminaire Géométrie et algèbre effectives
More informationIdentifying supersingular elliptic curves
Identifying supersingular elliptic curves Andrew V. Sutherland Massachusetts Institute of Technology January 6, 2012 http://arxiv.org/abs/1107.1140 Andrew V. Sutherland (MIT) Identifying supersingular
More information14 Ordinary and supersingular elliptic curves
18.783 Elliptic Curves Spring 2015 Lecture #14 03/31/2015 14 Ordinary and supersingular elliptic curves Let E/k be an elliptic curve over a field of positive characteristic p. In Lecture 7 we proved that
More informationCOMPUTING MODULAR POLYNOMIALS
COMPUTING MODULAR POLYNOMIALS DENIS CHARLES AND KRISTIN LAUTER 1. Introduction The l th modular polynomial, φ l (x, y), parameterizes pairs of elliptic curves with an isogeny of degree l between them.
More informationA Generalized Brezing-Weng Algorithm for Constructing Pairing-Friendly Ordinary Abelian Varieties
A Generalized Brezing-Weng Algorithm for Constructing Pairing-Friendly Ordinary Abelian Varieties David Freeman Department of Mathematics University of California, Berkeley Berkeley, CA 94720-3840, USA
More informationIntroduction to Elliptic Curve Cryptography. Anupam Datta
Introduction to Elliptic Curve Cryptography Anupam Datta 18-733 Elliptic Curve Cryptography Public Key Cryptosystem Duality between Elliptic Curve Cryptography and Discrete Log Based Cryptography Groups
More information6 Ideal norms and the Dedekind-Kummer theorem
18.785 Number theory I Fall 2016 Lecture #6 09/27/2016 6 Ideal norms and the Dedekind-Kummer theorem Recall that for a ring extension B/A in which B is a free A-module of finite rank, we defined the (relative)
More informationComplex multiplication and canonical lifts
Complex multiplication and canonical lifts David R. Kohel Abstract The problem of constructing CM invariants of higher dimensional abelian varieties presents significant new challenges relative to CM constructions
More informationElliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.
Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem. Elisa Lorenzo García Université de Rennes 1 14-09-2017 Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 1 /
More informationCounting Points on Curves using Monsky-Washnitzer Cohomology
Counting Points on Curves using Monsky-Washnitzer Cohomology Frederik Vercauteren frederik@cs.bris.ac.uk Jan Denef jan.denef@wis.kuleuven.ac.be University of Leuven http://www.arehcc.com University of
More informationConstructing Permutation Rational Functions From Isogenies
Constructing Permutation Rational Functions From Isogenies Gaetan Bisson 1 and Mehdi Tibouchi 1 University of French Polynesia NTT Secure Platform Laboratories Abstract. A permutation rational function
More informationFast Cryptography in Genus 2
Fast Cryptography in Genus 2 Joppe W. Bos, Craig Costello, Huseyin Hisil and Kristin Lauter EUROCRYPT 2013 Athens, Greece May 27, 2013 Fast Cryptography in Genus 2 Recall that curves are much better than
More informationSome. Manin-Mumford. Problems
Some Manin-Mumford Problems S. S. Grant 1 Key to Stark s proof of his conjectures over imaginary quadratic fields was the construction of elliptic units. A basic approach to elliptic units is as follows.
More informationISOGENY GRAPHS OF ORDINARY ABELIAN VARIETIES
ERNEST HUNTER BROOKS DIMITAR JETCHEV BENJAMIN WESOLOWSKI ISOGENY GRAPHS OF ORDINARY ABELIAN VARIETIES PRESENTED AT ECC 2017, NIJMEGEN, THE NETHERLANDS BY BENJAMIN WESOLOWSKI FROM EPFL, SWITZERLAND AN INTRODUCTION
More informationThe Sato-Tate conjecture for abelian varieties
The Sato-Tate conjecture for abelian varieties Andrew V. Sutherland Massachusetts Institute of Technology March 5, 2014 Mikio Sato John Tate Joint work with F. Fité, K.S. Kedlaya, and V. Rotger, and also
More informationComputing modular polynomials in dimension 2 ECC 2015, Bordeaux
Computing modular polynomials in dimension 2 ECC 2015, Bordeaux Enea Milio 29/09/2015 Enea Milio Computing modular polynomials 29/09/2015 1 / 49 Computing modular polynomials 1 Dimension 1 : elliptic curves
More informationGENERATORS OF JACOBIANS OF GENUS TWO CURVES
GENERATORS OF JACOBIANS OF GENUS TWO CURVES CHRISTIAN ROBENHAGEN RAVNSHØJ Abstract. We prove that in most cases relevant to cryptography, the Frobenius endomorphism on the Jacobian of a genus two curve
More informationModern Number Theory: Rank of Elliptic Curves
Modern Number Theory: Rank of Elliptic Curves Department of Mathematics University of California, Irvine October 24, 2007 Rank of Outline 1 Introduction Basics Algebraic Structure 2 The Problem Relation
More informationGENUS 2 CURVES WITH COMPLEX MULTIPLICATION
GENUS 2 CURVES WITH COMPLEX MULTIPLICATION EYAL Z. GOREN & KRISTIN E. LAUTER 1. Introduction While the main goal of this paper is to give a bound on the denominators of Igusa class polynomials of genus
More informationElliptic Curves Spring 2015 Lecture #23 05/05/2015
18.783 Elliptic Curves Spring 2015 Lecture #23 05/05/2015 23 Isogeny volcanoes We now want to shift our focus away from elliptic curves over C and consider elliptic curves E/k defined over any field k;
More informationEdwards Curves and the ECM Factorisation Method
Edwards Curves and the ECM Factorisation Method Peter Birkner Eindhoven University of Technology CADO Workshop on Integer Factorization 7 October 2008 Joint work with Daniel J. Bernstein, Tanja Lange and
More informationL-Polynomials of Curves over Finite Fields
School of Mathematical Sciences University College Dublin Ireland July 2015 12th Finite Fields and their Applications Conference Introduction This talk is about when the L-polynomial of one curve divides
More informationSM9 identity-based cryptographic algorithms Part 1: General
SM9 identity-based cryptographic algorithms Part 1: General Contents 1 Scope... 1 2 Terms and definitions... 1 2.1 identity... 1 2.2 master key... 1 2.3 key generation center (KGC)... 1 3 Symbols and abbreviations...
More informationRiemann surfaces with extra automorphisms and endomorphism rings of their Jacobians
Riemann surfaces with extra automorphisms and endomorphism rings of their Jacobians T. Shaska Oakland University Rochester, MI, 48309 April 14, 2018 Problem Let X be an algebraic curve defined over a field
More informationApplications of Complex Multiplication of Elliptic Curves
Applications of Complex Multiplication of Elliptic Curves MASTER THESIS Candidate: Massimo CHENAL Supervisor: Prof. Jean-Marc COUVEIGNES UNIVERSITÀ DEGLI STUDI DI PADOVA UNIVERSITÉ BORDEAUX 1 Facoltà di
More informationAlgebra Homework, Edition 2 9 September 2010
Algebra Homework, Edition 2 9 September 2010 Problem 6. (1) Let I and J be ideals of a commutative ring R with I + J = R. Prove that IJ = I J. (2) Let I, J, and K be ideals of a principal ideal domain.
More informationConstructing Families of Pairing-Friendly Elliptic Curves
Constructing Families of Pairing-Friendly Elliptic Curves David Freeman Information Theory Research HP Laboratories Palo Alto HPL-2005-155 August 24, 2005* cryptography, pairings, elliptic curves, embedding
More informationOutline of the Seminar Topics on elliptic curves Saarbrücken,
Outline of the Seminar Topics on elliptic curves Saarbrücken, 11.09.2017 Contents A Number theory and algebraic geometry 2 B Elliptic curves 2 1 Rational points on elliptic curves (Mordell s Theorem) 5
More informationEquations for Hilbert modular surfaces
Equations for Hilbert modular surfaces Abhinav Kumar MIT April 24, 2013 Introduction Outline of talk Elliptic curves, moduli spaces, abelian varieties 2/31 Introduction Outline of talk Elliptic curves,
More informationIntroduction to Arithmetic Geometry
Introduction to Arithmetic Geometry 18.782 Andrew V. Sutherland September 5, 2013 What is arithmetic geometry? Arithmetic geometry applies the techniques of algebraic geometry to problems in number theory
More informationLECTURE 2 FRANZ LEMMERMEYER
LECTURE 2 FRANZ LEMMERMEYER Last time we have seen that the proof of Fermat s Last Theorem for the exponent 4 provides us with two elliptic curves (y 2 = x 3 + x and y 2 = x 3 4x) in the guise of the quartic
More informationIntroduction to Arithmetic Geometry Fall 2013 Lecture #24 12/03/2013
18.78 Introduction to Arithmetic Geometry Fall 013 Lecture #4 1/03/013 4.1 Isogenies of elliptic curves Definition 4.1. Let E 1 /k and E /k be elliptic curves with distinguished rational points O 1 and
More informationMath 547, Exam 2 Information.
Math 547, Exam 2 Information. 3/19/10, LC 303B, 10:10-11:00. Exam 2 will be based on: Homework and textbook sections covered by lectures 2/3-3/5. (see http://www.math.sc.edu/ boylan/sccourses/547sp10/547.html)
More informationCounting points on hyperelliptic curves
University of New South Wales 9th November 202, CARMA, University of Newcastle Elliptic curves Let p be a prime. Let X be an elliptic curve over F p. Want to compute #X (F p ), the number of F p -rational
More informationTC10 / 3. Finite fields S. Xambó
TC10 / 3. Finite fields S. Xambó The ring Construction of finite fields The Frobenius automorphism Splitting field of a polynomial Structure of the multiplicative group of a finite field Structure of the
More informationElliptic curve cryptography in a post-quantum world: the mathematics of isogeny-based cryptography
Elliptic curve cryptography in a post-quantum world: the mathematics of isogeny-based cryptography Andrew Sutherland MIT Undergraduate Mathematics Association November 29, 2018 Creating a shared secret
More informationComputing the modular equation
Computing the modular equation Andrew V. Sutherland (MIT) Barcelona-Boston-Tokyo Number Theory Seminar in Memory of Fumiyuki Momose Andrew V. Sutherland (MIT) Computing the modular equation 1 of 8 The
More informationDivisibility Sequences for Elliptic Curves with Complex Multiplication
Divisibility Sequences for Elliptic Curves with Complex Multiplication Master s thesis, Universiteit Utrecht supervisor: Gunther Cornelissen Universiteit Leiden Journées Arithmétiques, Edinburgh, July
More informationFully maximal and minimal supersingular abelian varieties
Fully maximal and minimal supersingular abelian varieties Valentijn Karemaker (University of Pennsylvania) Joint with R. Pries Arithmetic, Geometry, Cryptography, and Coding Theory, CIRM June 19, 2017
More informationLecture 2: Elliptic curves
Lecture 2: Elliptic curves This lecture covers the basics of elliptic curves. I begin with a brief review of algebraic curves. I then define elliptic curves, and talk about their group structure and defining
More informationMATH 361: NUMBER THEORY TENTH LECTURE
MATH 361: NUMBER THEORY TENTH LECTURE The subject of this lecture is finite fields. 1. Root Fields Let k be any field, and let f(x) k[x] be irreducible and have positive degree. We want to construct a
More informationIsogeny invariance of the BSD conjecture
Isogeny invariance of the BSD conjecture Akshay Venkatesh October 30, 2015 1 Examples The BSD conjecture predicts that for an elliptic curve E over Q with E(Q) of rank r 0, where L (r) (1, E) r! = ( p
More informationCyclic Groups in Cryptography
Cyclic Groups in Cryptography p. 1/6 Cyclic Groups in Cryptography Palash Sarkar Indian Statistical Institute Cyclic Groups in Cryptography p. 2/6 Structure of Presentation Exponentiation in General Cyclic
More informationFINDING COMPOSITE ORDER ORDINARY ELLIPTIC CURVES USING THE COCKS-PINCH METHOD
FINDING COMPOSITE ORDER ORDINARY ELLIPTIC CURVES USING THE COCKS-PINCH METHOD D. BONEH, K. RUBIN, AND A. SILVERBERG Abstract. We apply the Cocks-Pinch method to obtain pairing-friendly composite order
More informationHeuristics. pairing-friendly abelian varieties
Heuristics on pairing-friendly abelian varieties joint work with David Gruenewald John Boxall john.boxall@unicaen.fr Laboratoire de Mathématiques Nicolas Oresme, UFR Sciences, Université de Caen Basse-Normandie,
More informationHOMEWORK 11 MATH 4753
HOMEWORK 11 MATH 4753 Recall that R = Z[x]/(x N 1) where N > 1. For p > 1 any modulus (not necessarily prime), R p = (Z/pZ)[x]/(x N 1). We do not assume p, q are prime below unless otherwise stated. Question
More informationDedekind Domains. Mathematics 601
Dedekind Domains Mathematics 601 In this note we prove several facts about Dedekind domains that we will use in the course of proving the Riemann-Roch theorem. The main theorem shows that if K/F is a finite
More informationComputing the image of Galois
Computing the image of Galois Andrew V. Sutherland Massachusetts Institute of Technology October 9, 2014 Andrew Sutherland (MIT) Computing the image of Galois 1 of 25 Elliptic curves Let E be an elliptic
More informationNon-generic attacks on elliptic curve DLPs
Non-generic attacks on elliptic curve DLPs Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC Summer School Leuven, September 13 2013 Smith
More informationFinite Fields and Elliptic Curves in Cryptography
Finite Fields and Elliptic Curves in Cryptography Frederik Vercauteren - Katholieke Universiteit Leuven - COmputer Security and Industrial Cryptography 1 Overview Public-key vs. symmetric cryptosystem
More informationHONDA-TATE THEOREM FOR ELLIPTIC CURVES
HONDA-TATE THEOREM FOR ELLIPTIC CURVES MIHRAN PAPIKIAN 1. Introduction These are the notes from a reading seminar for graduate students that I organised at Penn State during the 2011-12 academic year.
More informationA p-adic ALGORITHM TO COMPUTE THE HILBERT CLASS POLYNOMIAL. Reinier Bröker
A p-adic ALGORITHM TO COMPUTE THE HILBERT CLASS POLYNOMIAL Reinier Bröker Abstract. Classicaly, the Hilbert class polynomial P Z[X] of an imaginary quadratic discriminant is computed using complex analytic
More informationQ N id β. 2. Let I and J be ideals in a commutative ring A. Give a simple description of
Additional Problems 1. Let A be a commutative ring and let 0 M α N β P 0 be a short exact sequence of A-modules. Let Q be an A-module. i) Show that the naturally induced sequence is exact, but that 0 Hom(P,
More informationMathematical Foundations of Cryptography
Mathematical Foundations of Cryptography Cryptography is based on mathematics In this chapter we study finite fields, the basis of the Advanced Encryption Standard (AES) and elliptical curve cryptography
More informationCongruent number elliptic curves of high rank
Michaela Klopf, BSc Congruent number elliptic curves of high rank MASTER S THESIS to achieve the university degree of Diplom-Ingenieurin Master s degree programme: Mathematical Computer Science submitted
More informationCOMPUTING MODULAR POLYNOMIALS
COMPUTING MODULAR POLYNOMIALS DENIS CHARLES AND KRISTIN LAUTER 1. Introduction The l th modular polynomial, φ l (x, y), parameterizes pairs of elliptic curves with a cyclic isogeny of degree l between
More informationExplicit isogenies and the Discrete Logarithm Problem in genus three
Explicit isogenies and the Discrete Logarithm Problem in genus three Benjamin Smith INRIA Saclay Île-de-France Laboratoire d informatique de l école polytechnique (LIX) EUROCRYPT 2008 : Istanbul, April
More informationOptimal curves of genus 1, 2 and 3
Optimal curves of genus 1, 2 and 3 Christophe Ritzenthaler Institut de Mathématiques de Luminy, CNRS Leuven, 17-21 May 2010 Christophe Ritzenthaler (IML) Optimal curves of genus 1, 2 and 3 Leuven, 17-21
More informationACCELERATING THE SCALAR MULTIPLICATION ON GENUS 2 HYPERELLIPTIC CURVE CRYPTOSYSTEMS
ACCELERATING THE SCALAR MULTIPLICATION ON GENUS 2 HYPERELLIPTIC CURVE CRYPTOSYSTEMS by Balasingham Balamohan A thesis submitted to the Faculty of Graduate and Postdoctoral Studies in partial fulfillment
More informationComputing endomorphism rings of abelian varieties of dimension two
Computing endomorphism rings of abelian varieties of dimension two Gaetan Bisson University of French Polynesia Abstract Generalizing a method of Sutherland and the author for elliptic curves [5, 1] we
More informationSchoof s Algorithm for Counting Points on E(F q )
Schoof s Algorithm for Counting Points on E(F q ) Gregg Musiker December 7, 005 1 Introduction In this write-up we discuss the problem of counting points on an elliptic curve over a finite field. Here,
More informationEvaluating Large Degree Isogenies between Elliptic Curves
Evaluating Large Degree Isogenies between Elliptic Curves by Vladimir Soukharev A thesis presented to the University of Waterloo in fulfillment of the thesis requirement for the degree of Master of Mathematics
More informationNOTES ON FINITE FIELDS
NOTES ON FINITE FIELDS AARON LANDESMAN CONTENTS 1. Introduction to finite fields 2 2. Definition and constructions of fields 3 2.1. The definition of a field 3 2.2. Constructing field extensions by adjoining
More informationFinite Fields. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay
1 / 25 Finite Fields Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical Engineering Indian Institute of Technology Bombay September 25, 2014 2 / 25 Fields Definition A set F together
More informationDefinition of a finite group
Elliptic curves Definition of a finite group (G, * ) is a finite group if: 1. G is a finite set. 2. For each a and b in G, also a * b is in G. 3. There is an e in G such that for all a in G, a * e= e *
More informationAspects of Pairing Inversion
Applications of Aspects of ECC 2007 - Dublin Aspects of Applications of Applications of Aspects of Applications of Pairings Let G 1, G 2, G T be groups of prime order r. A pairing is a non-degenerate bilinear
More information7 Orders in Dedekind domains, primes in Galois extensions
18.785 Number theory I Lecture #7 Fall 2015 10/01/2015 7 Orders in Dedekind domains, primes in Galois extensions 7.1 Orders in Dedekind domains Let S/R be an extension of rings. The conductor c of R (in
More informationGalois theory (Part II)( ) Example Sheet 1
Galois theory (Part II)(2015 2016) Example Sheet 1 c.birkar@dpmms.cam.ac.uk (1) Find the minimal polynomial of 2 + 3 over Q. (2) Let K L be a finite field extension such that [L : K] is prime. Show that
More informationc Copyright 2012 Wenhan Wang
c Copyright 01 Wenhan Wang Isolated Curves for Hyperelliptic Curve Cryptography Wenhan Wang A dissertation submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy University
More information