Identifying supersingular elliptic curves

Transcription

1 Identifying supersingular elliptic curves Andrew V. Sutherland Massachusetts Institute of Technology January 6, Andrew V. Sutherland (MIT) Identifying supersingular elliptic curves JMM / 16

2 Supersingular elliptic curves Let F q be a finite field of characteristic p. Recall that elliptic curves over finite fields come in two flavors: ordinary and supersingular. ordinary E[p] = Z/pZ #E(F q ) 1 mod p End(E) is an order in an imaginary quadratic field supersingular E[p] is trivial #E(F q ) 1 mod p End(E) is an order in a quaternion algebra Andrew V. Sutherland (MIT) Identifying supersingular elliptic curves JMM / 16

3 Distribution of supersingular elliptic curves Whether a curve E is supersingular or not depends only on its j-invariant j(e), which identifies E up to isomorphism (over F q ). If E is supersingular then j(e) F p 2, so we assume q is p or p 2. There are p 12 + O(1) supersingular j-invariants in F p 2. Of these, O(h( p)) = Õ( p) lie in F p. In either case, the probability that a random elliptic curve E/F q is supersingular is Õ(1/ q), which makes them very rare. However, every elliptic curve over Q is supersingular modulo infinitely many primes p, by a theorem of Elkies. Andrew V. Sutherland (MIT) Identifying supersingular elliptic curves JMM / 16

4 Identifying supersingular elliptic curves Problem: Given E : y 2 = f (x) = x 3 + Ax + B defined over F q, determine whether E is ordinary or supersingular. There is a fast Monte Carlo test that can prove E is ordinary. Pick a random point P on E(F q ). If q = p, test whether (p + 1)P 0. If q = p 2, test whether (p + 1)P 0 and (p 1)P 0. If the tested condition holds, then E must be ordinary. If E is in fact ordinary, each iteration of this test will succeed with probability 1 O(1/ q). But this test can never prove that E supersingular. Andrew V. Sutherland (MIT) Identifying supersingular elliptic curves JMM / 16

5 Identifying supersingular elliptic curves Problem: Given E : y 2 = f (x) = x 3 + Ax + B defined over F q, determine whether E is ordinary or supersingular. Solution 1: Compute the coefficient of x p 1 in f (x) (p 1)/2. This takes time exponential in n = log p. Solution 2: Compute #E(F q ) using Schoof s algorithm. This takes Õ(n 5 ) time. Solution 3: Check that Φ l (j(e), Y) splits completely in F p 2 for sufficiently many primes l (similar to SEA). This takes Õ(n 4 ) expected time. This talk: Use isogeny graphs. This takes Õ(n 3 ) expected time. Andrew V. Sutherland (MIT) Identifying supersingular elliptic curves JMM / 16

6 The graph of l-isogenies The classical modular polynomial Φ l Z[X, Y] parameterizes pairs of l-isogenous elliptic curves in terms of their j-invariants. Definition The graph G l (F q ) has vertex set F q and for each j 1 F q an edge (j 1, j 2 ) for each root j 2 F q of Φ l (j 1, Y), with multiplicity. Isogenous curves have the same number of rational points. Thus the vertices in each connected component of G l (F q ) are either all ordinary or all supersingular. As abstract graphs, the ordinary and supersingular components of G l (F q ) have distinctly different structures. Andrew V. Sutherland (MIT) Identifying supersingular elliptic curves JMM / 16

7 Supersingular components of G l (F p 2) If j 1 is supersingular, then φ(y) = Φ l (j 1, Y) splits completely in F p 2, since every supersingular j-invariant lies in F p 2. Thus the supersingular vertices in G l (F p 2) all have degree l + 1, and each supersingular component is an (l + 1)-regular graph. There is in fact just one supersingular component (but we won t use this). Andrew V. Sutherland (MIT) Identifying supersingular elliptic curves JMM / 16

8 Ordinary components of G l (F q ) Let E be an ordinary elliptic curve. Then End(E) = O with Z[π] O O K. Here π is the Frobenius endomorphism and K = Q( D), where D is the fundamental imaginary quadratic discriminant satisfying 4q = tr(π) 2 v 2 D. Each ordinary component of G l (F q ) consists of levels V 0,..., V d. The vertex j(e) belongs to level V i, where i = ν l ([O K : O]). Note that l d divides v. Therefore d < log l 4q. Andrew V. Sutherland (MIT) Identifying supersingular elliptic curves JMM / 16

9 l-volcanoes Vertices in level V d have degree at most 2. Vertices in level V i with i < d have degree l + 1. Ordinary components are not (l + 1)-regular graphs. They are l-volcanoes. The vertices in level V 0 form a (possibly trivial) cycle. All edges with origin in V 0 not in this cycle lead to V 1. Vertices in level V i with i > 0 have one edge up to V i 1, all other edges (0 or l of them) lead down to V i+1. Level V 0 is the surface and V d is the floor (possibly V 0 = V d ). Andrew V. Sutherland (MIT) Identifying supersingular elliptic curves JMM / 16

10 Andrew V. Sutherland (MIT) Identifying supersingular elliptic curves JMM / 16

11 A 3-volcano of depth 2 Andrew V. Sutherland (MIT) Identifying supersingular elliptic curves JMM / 16

12 Finding a shortest path to the floor Andrew V. Sutherland (MIT) Identifying supersingular elliptic curves JMM / 16

13 Algorithm Given an elliptic curve E over a field of characteristic p, determine whether E is ordinary or supersingular as follows: 1 If j(e) F p 2 then return ordinary. 2 If p 3 then return supersingular (resp. ordinary) if j(e) = 0 (resp. j(e) 0). 3 Attempt to find 3 roots of Φ 2 (j(e), Y) in F p 2. If this is not possible, return ordinary. 4 Walk 3 paths in parallel for up to log 2 p + 1 steps. If any of these paths hits the floor, return ordinary. 5 Return supersingular. Φ 2 (X, Y) = X 3 + Y 3 X 2 Y (X 2 Y + Y 2 X) (X 2 + Y 2 ) XY (X + Y) Andrew V. Sutherland (MIT) Identifying supersingular elliptic curves JMM / 16

14 Complexity analysis Proposition Let n = log p. We have a Las Vegas algorithm that runs in O(n 3 log n log log n) expected time, using O(n) space. Given quadratic and cubic non-residues in F p 2, we have a deterministic algorithm: O(n 3 log 2 n) time and O(n) space. For a random elliptic curve over F p or F p 2, the average running time is O(n 2 log n log log n). The average complexity is the same as a single iteration of the Monte Carlo test, and has better constant factors. Andrew V. Sutherland (MIT) Identifying supersingular elliptic curves JMM / 16

15 Performance results (CPU milliseconds) ordinary supersingular Magma New Magma New b F p F p 2 F p F p 2 F p F p 2 F p F p Andrew V. Sutherland (MIT) Identifying supersingular elliptic curves JMM / 16

16 Identifying supersingular elliptic curves Andrew V. Sutherland Massachusetts Institute of Technology January 6, Andrew V. Sutherland (MIT) Identifying supersingular elliptic curves JMM / 16