On the evaluation of modular polynomials
|
|
- Jack Simpson
- 5 years ago
- Views:
Transcription
1 On the evaluation of modular polynomials Andrew V. Sutherland Massachusetts Institute of Technology ANTS X July 10, drew 1 / 16
2 Introduction Let l be a prime and let F q be a finite field (assume q is prime). Problem: Given an elliptic curve E/F q, identify any and all curves E /F q that are l-isogenous to E. This problem arises in many applications, and it is often the computationally dominant step. 2 / 16
3 Introduction Let l be a prime and let F q be a finite field (assume q is prime). Problem: Given an elliptic curve E/F q, identify any and all curves E /F q that are l-isogenous to E. This problem arises in many applications, and it is often the computationally dominant step. Solution: Compute the polynomial φ l (Y) = Φ l (j(e), Y), and find its roots in F q. Here Φ l Z[X, Y] is the classical modular polynomial that parameterizes pairs of l-isogenous elliptic curves. If l is at all large, say l = Ω(log q), the hard part is computing φ l. Finding its roots is easy by comparison. 2 / 16
4 The Modular Polynomial Φ l (X, Y) Φ l Z[X, Y] is symmetric, with degree l + 1 in both X and Y. Its total size is O(l 3 log l) bits. l coefficients largest average total kb 5.3kb 5.5MB kb 12kb 48MB kb 27kb 431MB kb 60kb 3.9GB kb 132kb 33GB kb 208kb 117GB kb 287kb 287GB kb 369kb 577GB kb 774kb 4.8TB Size of Φ l (X, Y) 3 / 16
5 The Modular Polynomial Φ l (X, Y) Φ l Z[X, Y] is symmetric, with degree l + 1 in both X and Y. Its total size is O(l 3 log l) bits. l coefficients largest average total kb 5.3kb 5.5MB kb 12kb 48MB kb 27kb 431MB kb 60kb 3.9GB kb 132kb 33GB kb 208kb 117GB kb 287kb 287GB kb 369kb 577GB kb 774kb 4.8TB Size of Φ l (X, Y) But for l = and q 2 256, the size of φ l is just 320KB! Even with log q l = it is under 20MB. 3 / 16
6 Point-counting at 2500 digits... Despite this progress, computing modular polynomials remains the stumbling block for new point counting records. Clearly, to circumvent the memory problems, one would need an algorithm that directly obtains the polynomial specialised in one variable. INRIA Project-Team TANC Report This record was set in December / 16
7 Computing Φ l with the CRT Strategy: compute Φ l mod p for sufficiently many primes p and use the CRT to compute Φ l (or Φ l mod q). For suitable primes p we can compute Φ l mod p in time O(l 2 log 3 p llog p) using isogeny volcanoes [BLS 2011]. Assuming the GRH, we can efficiently find sufficiently many such primes with log p = O(log l). Sufficiently many is O(l). Henceforth we assume the GRH. 5 / 16
8 Computing Φ l with the CRT Strategy: compute Φ l mod p for sufficiently many primes p and use the CRT to compute Φ l (or Φ l mod q). For suitable primes p we can compute Φ l mod p in time O(l 2 log 3 p llog p) using isogeny volcanoes [BLS 2011]. Assuming the GRH, we can efficiently find sufficiently many such primes with log p = O(log l). Sufficiently many is O(l). Uses O(l 3 log 3 l llog l) expected time and O(l 3 log l) space. Using the explicit CRT, we can directly compute Φ l mod q using O(l 2 (n + log l)) space, where n = log q. But the size of φ l is O(ln). Henceforth we assume the GRH. 5 / 16
9 Computing φ l (Y) with the CRT (naïve approach) Strategy: lift j(e) from F q to Z, compute Φ l (X, Y) mod p and evaluate φ l (Y) = Φ l (j(e), Y) mod p for sufficiently many primes p. Obtain φ l mod q via the explicit CRT. Uses O(l 2 log 3+ɛ p) expected time for each p, and O(l 2 log p) space. 6 / 16
10 Computing φ l (Y) with the CRT (naïve approach) Strategy: lift j(e) from F q to Z, compute Φ l (X, Y) mod p and evaluate φ l (Y) = Φ l (j(e), Y) mod p for sufficiently many primes p. Obtain φ l mod q via the explicit CRT. Uses O(l 2 log 3+ɛ p) expected time for each p, and O(l 2 log p) space. However, sufficiently many is now O(ln), where n = log q. Total expected time is O(l 3 n log 3+ɛ l), using O(ln + l 2 log l) space. This approach is not very useful: If n is large (e.g. n l), it takes way too long (quartic in l). It n is small (e.g. n log l), it doesn t save any space. 6 / 16
11 Computing φ l (Y) with the CRT (Algorithm 1) Strategy: lift j, j 2, j 3,..., j l+1 from F q to Z and then compute φ l (Y) = c ik j i Y k mod p for sufficiently many primes p, where Φ l = c ik X i Y k. Obtain φ l mod q via the explicit CRT. 7 / 16
12 Computing φ l (Y) with the CRT (Algorithm 1) Strategy: lift j, j 2, j 3,..., j l+1 from F q to Z and then compute φ l (Y) = c ik j i Y k mod p for sufficiently many primes p, where Φ l = c ik X i Y k. Obtain φ l mod q via the explicit CRT. Now sufficiently many is O(l + n). For n = O(l log l), uses O(l 3 log 3+ɛ l) expected time and O(l 2 log l) space (under GRH). For n = Ω(l log l), the space bound is optimal. This algorithm can also evaluate the partial derivatives of Φ l needed to construct normalized equations for Ẽ (important for SEA). 7 / 16
13 Computing φ l (Y) with the CRT (Algorithm 2) Strategy: lift j(e) from F q to Z and for sufficiently many primes p compute φ l mod p as follows: 1. For each of l + 2 j-invariants y i, compute z i = k (j(e) j k), where the j k range over l + 1 neighbors of y i in G l (F p ). 2. Interpolate φ l (Y) F p as the unique polynomial of degree l + 1 for which φ l (y i ) = z i. Obtain φ l mod q via the explicit CRT. 8 / 16
14 Computing φ l (Y) with the CRT (Algorithm 2) Strategy: lift j(e) from F q to Z and for sufficiently many primes p compute φ l mod p as follows: 1. For each of l + 2 j-invariants y i, compute z i = k (j(e) j k), where the j k range over l + 1 neighbors of y i in G l (F p ). 2. Interpolate φ l (Y) F p as the unique polynomial of degree l + 1 for which φ l (y i ) = z i. Obtain φ l mod q via the explicit CRT. For n = O(l c ), uses O(l 3 (n + log l) log 1+ɛ l) expected time and O(ln + l log l) space (under GRH). For n = O(log 2 ɛ q) the algorithm is faster than computing Φ l. For n = Ω(log l) the space bound is optimal. 8 / 16
15 Genus 1 point counting in large characteristic Algorithms to compute #E(F q ) = q + 1 t. Algorithm Time Space Totally naive O(e 2n+ɛ ) O(n) Slightly less naive O(e n+ɛ ) O(n) Baby-step giant-step O(e n/4+ɛ ) O(e n/4+ɛ ) Pollard kangaroo O(e n/4+ɛ ) O(n 2 ) Schoof O(n 5 llog n) O(n 3 ) SEA O(n 4 log 3 n llog n) O(n 3 log n) SEA (Φ l precomputed) O(n 4 llog n) O(n 4 ) Complexity estimates for SEA-based algorithms are heuristic expected times. 9 / 16
16 Genus 1 point counting in large characteristic Algorithms to compute #E(F q ) = q + 1 t. Algorithm Time Space Totally naive O(e 2n+ɛ ) O(n) Slightly less naive O(e n+ɛ ) O(n) Baby-step giant-step O(e n/4+ɛ ) O(e n/4+ɛ ) Pollard kangaroo O(e n/4+ɛ ) O(n 2 ) Schoof O(n 5 llog n) O(n 3 ) SEA O(n 4 log 3 n llog n) O(n 3 log n) SEA (Φ l precomputed) O(n 4 llog n) O(n 4 ) SEA with Algorithm 1 O(n 4 log 2 n llog n) O(n 2 log n) Amortized O(n 4 llog n) O(n 2 log n) Complexity estimates for SEA-based algorithms are heuristic expected times. 9 / 16
17 Alternative modular polynomials In practice, the modular polynomials Φ l are not used in SEA. There are alternatives (due to Atkin, Müller, and others) that are smaller by a large constant factor (100x to 1000x is typical). The isogeny-volcano approach of [BLS 2010] can compute many types of (symmetric) modular polynomials derived from modular functions other than j(z), but these do not include the modular polynomials commonly used with SEA. 10 / 16
18 Alternative modular polynomials In practice, the modular polynomials Φ l are not used in SEA. There are alternatives (due to Atkin, Müller, and others) that are smaller by a large constant factor (100x to 1000x is typical). The isogeny-volcano approach of [BLS 2010] can compute many types of (symmetric) modular polynomials derived from modular functions other than j(z), but these do not include the modular polynomials commonly used with SEA. They do include modular polynomials Φ f l derived from the Weber function f(z), but these have never (?) been used with SEA before. Provided End(E) has discriminant D 1 mod 8 with 3 D, the polynomial φ f l (Y) = Φf l (f(e), Y) parameterizes l-isogenies from E. This condition is easily checked (without knowing D). If it fails, powers of f, or other modular functions may be used. 10 / 16
19 The Weber function The Weber f-function is defined by f(τ) = η( (τ + 1)/2 ), ζ 48 η(τ) and satisfies j(τ) = (f(τ) 24 16) 3 /f(τ) 24. The coefficients of Φ f l are roughly 72 times smaller. This means we need 72 times fewer primes. The polynomial Φ f l is roughly 24 times sparser. This means we need 24 times fewer interpolation points. Overall, we get nearly a 1728-fold speedup using Φ f l. 11 / 16
20 Modular polynomials for l = 11 Classical: X 12 + Y 12 X 11 Y X 11 Y X 11 Y X 11 Y X 11 Y X 11 Y X 11 Y X 11 Y X 11 Y X 11 Y X 11 Y X pages omitted Atkin: X 12 X 11 Y + 744X X X 9 Y X X 8 Y X X 7 Y X X 6 Y X X 5 Y X X 4 Y X X 3 Y X X 2 Y X XY X + Y Y Weber: X 12 + Y 12 X 11 Y X 9 Y 9 44X 7 Y X 5 Y 5 88X 3 Y XY 12 / 16
21 Elliptic curve point counting record The number of points on the elliptic curve E defined by y 2 = x x , modulo the 5011 digit prime q = is / 16
22 Elliptic curve point counting record Task Compute φ f l Find a root j Compute g l Compute π mod g l, E Find λ l Total CPU Time 32 days 995 days 3 days 326 days 22 days φ f l (Y) = Φf l ( j(e), Y) was computed for l from 5 to Exactly 700 of 1400 were found to be Elkies primes. Atkin primes were not used. The largest φ f l was under 20MB in size and took about two hours to compute using 1 core. 14 / 16
23 Modular polynomial evaluation record For l = and q = we computed φ f l (Y) = Φf l (j(e), Y). This is much larger than one would need to set a 25,000 digit point-counting record. The size of φ f l is about 1 GB. 15 / 16
24 Modular polynomial evaluation record For l = and q = we computed φ f l (Y) = Φf l (j(e), Y). This is much larger than one would need to set a 25,000 digit point-counting record. The size of φ f l is about 1 GB. For comparison: The size of Φ f l mod q is about 2 TB. 15 / 16
25 Modular polynomial evaluation record For l = and q = we computed φ f l (Y) = Φf l (j(e), Y). This is much larger than one would need to set a 25,000 digit point-counting record. The size of φ f l is about 1 GB. For comparison: The size of Φ f l mod q is about 2 TB. The size of Φ l mod q is about 50 TB. 15 / 16
26 Modular polynomial evaluation record For l = and q = we computed φ f l (Y) = Φf l (j(e), Y). This is much larger than one would need to set a 25,000 digit point-counting record. The size of φ f l is about 1 GB. For comparison: The size of Φ f l mod q is about 2 TB. The size of Φ l mod q is about 50 TB. The size of Φ l is more than 10 PB. 15 / 16
27 Improved space complexity of computing horizontal isogenies The algorithm of [Bisson-S 2011] for computing the endomorphism ring of an elliptic curve E/F q runs in L[1/2, 3/2] expected time and uses L[1/2, 1/ 3] space (under GRH). The space complexity can now be improved to L[1/2, 1/ 12]. A similar improvement applies to algorithms for computing horizontal isogenies of large degree [Jao-Soukharev ANTS IX]. 16 / 16
Computing modular polynomials with the Chinese Remainder Theorem
Computing modular polynomials with the Chinese Remainder Theorem Andrew V. Sutherland Massachusetts Institute of Technology ECC 009 Reinier Bröker Kristin Lauter Andrew V. Sutherland (MIT) Computing modular
More informationModular polynomials and isogeny volcanoes
Modular polynomials and isogeny volcanoes Andrew V. Sutherland February 3, 010 Reinier Bröker Kristin Lauter Andrew V. Sutherland (MIT) Modular polynomials and isogeny volcanoes 1 of 9 Isogenies An isogeny
More informationComputing the modular equation
Computing the modular equation Andrew V. Sutherland (MIT) Barcelona-Boston-Tokyo Number Theory Seminar in Memory of Fumiyuki Momose Andrew V. Sutherland (MIT) Computing the modular equation 1 of 8 The
More informationClass invariants by the CRT method
Class invariants by the CRT method Andreas Enge Andrew V. Sutherland INRIA Bordeaux-Sud-Ouest Massachusetts Institute of Technology ANTS IX Andreas Enge and Andrew Sutherland Class invariants by the CRT
More informationIdentifying supersingular elliptic curves
Identifying supersingular elliptic curves Andrew V. Sutherland Massachusetts Institute of Technology January 6, 2012 http://arxiv.org/abs/1107.1140 Andrew V. Sutherland (MIT) Identifying supersingular
More informationComputing the endomorphism ring of an ordinary elliptic curve
Computing the endomorphism ring of an ordinary elliptic curve Massachusetts Institute of Technology April 3, 2009 joint work with Gaetan Bisson http://arxiv.org/abs/0902.4670 Elliptic curves An elliptic
More informationON THE EVALUATION OF MODULAR POLYNOMIALS
ON THE EVALUATION OF MODULAR POLYNOMIALS ANDREW V. SUTHERLAND Abstract. We present two algorithms that, given a prime l and an elliptic curve E/F q, directly compute the polynomial Φ l (j(e), Y ) F q[y
More informationCounting points on elliptic curves over F q
Counting points on elliptic curves over F q Christiane Peters DIAMANT-Summer School on Elliptic and Hyperelliptic Curve Cryptography September 17, 2008 p.2 Motivation Given an elliptic curve E over a finite
More informationClass polynomials for abelian surfaces
Class polynomials for abelian surfaces Andreas Enge LFANT project-team INRIA Bordeaux Sud-Ouest andreas.enge@inria.fr http://www.math.u-bordeaux.fr/~aenge LFANT seminar 27 January 2015 (joint work with
More informationOn the Computation of Modular Polynomials for Elliptic Curves
On the Computation of Modular Polynomials for Elliptic Curves Ian F. Blake 1, János A. Csirik 1, Michael Rubinstein 2, and Gadiel Seroussi 1 1 Hewlett-Packard Laboratories, 1501 Page Mill Road, Palo Alto,
More informationIsogenies in a quantum world
Isogenies in a quantum world David Jao University of Waterloo September 19, 2011 Summary of main results A. Childs, D. Jao, and V. Soukharev, arxiv:1012.4019 For ordinary isogenous elliptic curves of equal
More informationComputing the image of Galois
Computing the image of Galois Andrew V. Sutherland Massachusetts Institute of Technology October 9, 2014 Andrew Sutherland (MIT) Computing the image of Galois 1 of 25 Elliptic curves Let E be an elliptic
More informationCounting points on smooth plane quartics
Counting points on smooth plane quartics David Harvey University of New South Wales Number Theory Down Under, University of Newcastle 25th October 2014 (joint work with Andrew V. Sutherland, MIT) 1 / 36
More informationComputing modular polynomials in dimension 2 ECC 2015, Bordeaux
Computing modular polynomials in dimension 2 ECC 2015, Bordeaux Enea Milio 29/09/2015 Enea Milio Computing modular polynomials 29/09/2015 1 / 49 Computing modular polynomials 1 Dimension 1 : elliptic curves
More informationCounting points on genus 2 curves over finite
Counting points on genus 2 curves over finite fields Chloe Martindale May 11, 2017 These notes are from a talk given in the Number Theory Seminar at the Fourier Institute, Grenoble, France, on 04/05/2017.
More informationCOMPUTING MODULAR POLYNOMIALS
COMPUTING MODULAR POLYNOMIALS DENIS CHARLES AND KRISTIN LAUTER 1. Introduction The l th modular polynomial, φ l (x, y), parameterizes pairs of elliptic curves with an isogeny of degree l between them.
More informationIsogeny graphs, modular polynomials, and point counting for higher genus curves
Isogeny graphs, modular polynomials, and point counting for higher genus curves Chloe Martindale July 7, 2017 These notes are from a talk given in the Number Theory Seminar at INRIA, Nancy, France. The
More informationDiscrete Logarithm Computation in Hyperelliptic Function Fields
Discrete Logarithm Computation in Hyperelliptic Function Fields Michael J. Jacobson, Jr. jacobs@cpsc.ucalgary.ca UNCG Summer School in Computational Number Theory 2016: Function Fields Mike Jacobson (University
More informationCOMPUTING MODULAR POLYNOMIALS
COMPUTING MODULAR POLYNOMIALS DENIS CHARLES AND KRISTIN LAUTER 1. Introduction The l th modular polynomial, φ l (x, y), parameterizes pairs of elliptic curves with a cyclic isogeny of degree l between
More information20 The modular equation
18.783 Elliptic Curves Lecture #20 Spring 2017 04/26/2017 20 The modular equation In the previous lecture we defined modular curves as quotients of the extended upper half plane under the action of a congruence
More informationFinite Fields and Elliptic Curves in Cryptography
Finite Fields and Elliptic Curves in Cryptography Frederik Vercauteren - Katholieke Universiteit Leuven - COmputer Security and Industrial Cryptography 1 Overview Public-key vs. symmetric cryptosystem
More informationCounting points on hyperelliptic curves
University of New South Wales 9th November 202, CARMA, University of Newcastle Elliptic curves Let p be a prime. Let X be an elliptic curve over F p. Want to compute #X (F p ), the number of F p -rational
More informationElliptic Curves Spring 2015 Lecture #23 05/05/2015
18.783 Elliptic Curves Spring 2015 Lecture #23 05/05/2015 23 Isogeny volcanoes We now want to shift our focus away from elliptic curves over C and consider elliptic curves E/k defined over any field k;
More informationGenus 2 Curves of p-rank 1 via CM method
School of Mathematical Sciences University College Dublin Ireland and Claude Shannon Institute April 2009, GeoCrypt Joint work with Laura Hitt, Michael Naehrig, Marco Streng Introduction This talk is about
More information20 The modular equation
18.783 Elliptic Curves Spring 2015 Lecture #20 04/23/2015 20 The modular equation In the previous lecture we defined modular curves as quotients of the extended upper half plane under the action of a congruence
More informationComputing L-series coefficients of hyperelliptic curves
Computing L-series coefficients of hyperelliptic curves Kiran S. Kedlaya and Andrew V. Sutherland Massachusetts Institute of Technology May 19, 2008 Demonstration The distribution of Frobenius traces Let
More informationElliptic curves: Theory and Applications. Day 3: Counting points.
Elliptic curves: Theory and Applications. Day 3: Counting points. Elisa Lorenzo García Université de Rennes 1 13-09-2017 Elisa Lorenzo García (Rennes 1) Elliptic Curves 3 13-09-2017 1 / 26 Counting points:
More informationIgusa class polynomials
Number Theory Seminar Cambridge 26 April 2011 Elliptic curves An elliptic curve E/k (char(k) 2) is a smooth projective curve y 2 = x 3 + ax 2 + bx + c. Q P P Q E is a commutative algebraic group Endomorphisms
More informationExplicit Complex Multiplication
Explicit Complex Multiplication Benjamin Smith INRIA Saclay Île-de-France & Laboratoire d Informatique de l École polytechnique (LIX) Eindhoven, September 2008 Smith (INRIA & LIX) Explicit CM Eindhoven,
More informationEvaluating Large Degree Isogenies between Elliptic Curves
Evaluating Large Degree Isogenies between Elliptic Curves by Vladimir Soukharev A thesis presented to the University of Waterloo in fulfillment of the thesis requirement for the degree of Master of Mathematics
More informationPoint counting and real multiplication on K3 surfaces
Point counting and real multiplication on K3 surfaces Andreas-Stephan Elsenhans Universität Paderborn September 2016 Joint work with J. Jahnel. A.-S. Elsenhans (Universität Paderborn) K3 surfaces September
More informationComputing L-series of geometrically hyperelliptic curves of genus three. David Harvey, Maike Massierer, Andrew V. Sutherland
Computing L-series of geometrically hyperelliptic curves of genus three David Harvey, Maike Massierer, Andrew V. Sutherland The zeta function Let C/Q be a smooth projective curve of genus 3 p be a prime
More informationConstructing genus 2 curves over finite fields
Constructing genus 2 curves over finite fields Kirsten Eisenträger The Pennsylvania State University Fq12, Saratoga Springs July 15, 2015 1 / 34 Curves and cryptography RSA: most widely used public key
More informationElliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.
Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem. Elisa Lorenzo García Université de Rennes 1 14-09-2017 Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 1 /
More informationHow many elliptic curves can have the same prime conductor? Alberta Number Theory Days, BIRS, 11 May Noam D. Elkies, Harvard University
How many elliptic curves can have the same prime conductor? Alberta Number Theory Days, BIRS, 11 May 2013 Noam D. Elkies, Harvard University Review: Discriminant and conductor of an elliptic curve Finiteness
More informationComputing Hilbert Class Polynomials
Computing Hilbert Class Polynomials Juliana Belding 1, Reinier Bröker 2, Andreas Enge 3, Kristin Lauter 2 1 Dept. of Mathematics, University of Maryland, College Park, MD 20742, USA 2 Microsoft Research,
More informationON ISOGENY GRAPHS OF SUPERSINGULAR ELLIPTIC CURVES OVER FINITE FIELDS
ON ISOGENY GRAPHS OF SUPERSINGULAR ELLIPTIC CURVES OVER FINITE FIELDS GORA ADJ, OMRAN AHMADI, AND ALFRED MENEZES Abstract. We study the isogeny graphs of supersingular elliptic curves over finite fields,
More informationDistributed computation of the number. of points on an elliptic curve
Distributed computation of the number of points on an elliptic curve over a nite prime eld Johannes Buchmann, Volker Muller, Victor Shoup SFB 124{TP D5 Report 03/95 27th April 1995 Johannes Buchmann, Volker
More informationinv lve a journal of mathematics 2009 Vol. 2, No. 3 Numerical evidence on the uniform distribution of power residues for elliptic curves
inv lve a journal of mathematics Numerical evidence on the uniform distribution of power residues for elliptic curves Jeffrey Hatley and Amanda Hittson mathematical sciences publishers 29 Vol. 2, No. 3
More informationJournal of Number Theory
Journal of Number Theory 131 (2011) 815 831 Contents lists available at ScienceDirect Journal of Number Theory www.elsevier.com/locate/jnt Special Issue: Elliptic Curve Cryptography Computing the endomorphism
More informationarxiv: v3 [math.nt] 7 May 2013
ISOGENY VOLCANOES arxiv:1208.5370v3 [math.nt] 7 May 2013 ANDREW V. SUTHERLAND Abstract. The remarkable structure and computationally explicit form of isogeny graphs of elliptic curves over a finite field
More information14 Ordinary and supersingular elliptic curves
18.783 Elliptic Curves Spring 2015 Lecture #14 03/31/2015 14 Ordinary and supersingular elliptic curves Let E/k be an elliptic curve over a field of positive characteristic p. In Lecture 7 we proved that
More informationFast, twist-secure elliptic curve cryptography from Q-curves
Fast, twist-secure elliptic curve cryptography from Q-curves Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC #17, Leuven September 16,
More informationElliptic curve cryptography in a post-quantum world: the mathematics of isogeny-based cryptography
Elliptic curve cryptography in a post-quantum world: the mathematics of isogeny-based cryptography Andrew Sutherland MIT Undergraduate Mathematics Association November 29, 2018 Creating a shared secret
More informationElliptic Curves Spring 2013 Lecture #12 03/19/2013
18.783 Elliptic Curves Spring 2013 Lecture #12 03/19/2013 We now consider our first practical application of elliptic curves: factoring integers. Before presenting the elliptic curve method (ECM) for factoring
More informationConstructing Abelian Varieties for Pairing-Based Cryptography
for Pairing-Based CWI and Universiteit Leiden, Netherlands Workshop on Pairings in Arithmetic Geometry and 4 May 2009 s MNT MNT Type s What is pairing-based cryptography? Pairing-based cryptography refers
More informationAddition sequences and numerical evaluation of modular forms
Addition sequences and numerical evaluation of modular forms Fredrik Johansson (INRIA Bordeaux) Joint work with Andreas Enge (INRIA Bordeaux) William Hart (TU Kaiserslautern) DK Statusseminar in Strobl,
More informationFaster computation of Heegner points on elliptic curves over Q of rank 1
Faster computation of Heegner points on elliptic curves over Q of rank 1 B. Allombert IMB CNRS/Université Bordeaux 1 11/09/2014 Lignes directrices Introduction Heegner points Quadratic surd Shimura Reciprocity
More informationElliptic and modular curves over finite fields and related computational issues
Elliptic and modular curves over finite fields and related computational issues Noam D. Elkies March, 1997 Based on a talk given at the conference Computational Perspectives on Number Theory in honor of
More informationThe Sato-Tate conjecture for abelian varieties
The Sato-Tate conjecture for abelian varieties Andrew V. Sutherland Massachusetts Institute of Technology March 5, 2014 Mikio Sato John Tate Joint work with F. Fité, K.S. Kedlaya, and V. Rotger, and also
More informationNon-generic attacks on elliptic curve DLPs
Non-generic attacks on elliptic curve DLPs Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC Summer School Leuven, September 13 2013 Smith
More informationElliptic Curve Primality Proving
Università degli Studi Roma Tre Facoltà di Scienze Matematiche, Fisiche e Naturali Corso di Laurea Magistrale in Matematica Tesi di Laurea Magistrale in Matematica Elliptic Curve Primality Proving SINTESI
More informationA Candidate Group with Infeasible Inversion
A Candidate Group with Infeasible Inversion Salim Ali Altuğ Yilei Chen September 27, 2018 Abstract Motivated by the potential cryptographic application of building a directed transitive signature scheme,
More informationComputing the cardinality of CM elliptic curves using torsion points
Journal de Théorie des Nombres de Bordeaux 19 (2007), 663 681 Computing the cardinality of CM elliptic curves using torsion points par François MORAIN Résumé. Soit E/Q une courbe elliptique avec multiplications
More informationCounting Points on Genus 2 Curves with Real Multiplication
Counting Points on Genus 2 Curves with Real Multiplication Pierrick Gaudry 1, David Kohel 2, and Benjamin Smith 3 1 LORIA, CNRS / INRIA / Nancy Université Campus Scientifique, BP 239 54500 Vandoeuvre lès
More informationA quantum algorithm for computing isogenies between supersingular elliptic curves
A quantum algorithm for computing isogenies between supersingular elliptic curves Jean-François Biasse 1,2, David Jao 1, and Anirudh Sankar 1 1 Department of Combinatorics and Optimization 2 Institute
More informationCONSTRUCTING SUPERSINGULAR ELLIPTIC CURVES. Reinier Bröker
CONSTRUCTING SUPERSINGULAR ELLIPTIC CURVES Reinier Bröker Abstract. We give an algorithm that constructs, on input of a prime power q and an integer t, a supersingular elliptic curve over F q with trace
More informationHyperelliptic-curve cryptography. D. J. Bernstein University of Illinois at Chicago
Hyperelliptic-curve cryptography D. J. Bernstein University of Illinois at Chicago Thanks to: NSF DMS 0140542 NSF ITR 0716498 Alfred P. Sloan Foundation Two parts to this talk: 1. Elliptic curves; modern
More informationClass invariants for quartic CM-fields
Number Theory Seminar Oxford 2 June 2011 Elliptic curves An elliptic curve E/k (char(k) 2) is a smooth projective curve y 2 = x 3 + ax 2 + bx + c. Q P E is a commutative algebraic group P Q Endomorphisms
More informationA p-adic ALGORITHM TO COMPUTE THE HILBERT CLASS POLYNOMIAL. Reinier Bröker
A p-adic ALGORITHM TO COMPUTE THE HILBERT CLASS POLYNOMIAL Reinier Bröker Abstract. Classicaly, the Hilbert class polynomial P Z[X] of an imaginary quadratic discriminant is computed using complex analytic
More informationMA 162B LECTURE NOTES: THURSDAY, FEBRUARY 26
MA 162B LECTURE NOTES: THURSDAY, FEBRUARY 26 1. Abelian Varieties of GL 2 -Type 1.1. Modularity Criteria. Here s what we ve shown so far: Fix a continuous residual representation : G Q GLV, where V is
More informationElliptic Curves Spring 2019 Problem Set #7 Due: 04/08/2019
18.783 Elliptic Curves Spring 2019 Problem Set #7 Due: 04/08/2019 Description These problems are related to the material covered in Lectures 13-14. Instructions: Solve problem 1 and then solve one of Problems
More informationFour-Dimensional GLV Scalar Multiplication
Four-Dimensional GLV Scalar Multiplication ASIACRYPT 2012 Beijing, China Patrick Longa Microsoft Research Francesco Sica Nazarbayev University Elliptic Curve Scalar Multiplication A (Weierstrass) elliptic
More informationGeneration Methods of Elliptic Curves
Generation Methods of Elliptic Curves by Harald Baier and Johannes Buchmann August 27, 2002 An evaluation report for the Information-technology Promotion Agency, Japan Contents 1 Introduction 1 1.1 Preface.......................................
More informationDefinition of a finite group
Elliptic curves Definition of a finite group (G, * ) is a finite group if: 1. G is a finite set. 2. For each a and b in G, also a * b is in G. 3. There is an e in G such that for all a in G, a * e= e *
More informationSchoof s Algorithm for Counting Points on E(F q )
Schoof s Algorithm for Counting Points on E(F q ) Gregg Musiker December 7, 005 1 Introduction In this write-up we discuss the problem of counting points on an elliptic curve over a finite field. Here,
More informationEven sharper upper bounds on the number of points on curves
Even sharper upper bounds on the number of points on curves Everett W. Howe Center for Communications Research, La Jolla Symposium on Algebraic Geometry and its Applications Tahiti, May 2007 Revised slides
More informationarxiv: v1 [math.nt] 29 Oct 2013
COMPUTING ISOGENIES BETWEEN SUPERSINGULAR ELLIPTIC CURVES OVER F p CHRISTINA DELFS AND STEVEN D. GALBRAITH arxiv:1310.7789v1 [math.nt] 29 Oct 2013 Abstract. Let p > 3 be a prime and let E, E be supersingular
More informationPublic Key Encryption
Public Key Encryption 3/13/2012 Cryptography 1 Facts About Numbers Prime number p: p is an integer p 2 The only divisors of p are 1 and p s 2, 7, 19 are primes -3, 0, 1, 6 are not primes Prime decomposition
More informationISOGENY GRAPHS OF ORDINARY ABELIAN VARIETIES
ERNEST HUNTER BROOKS DIMITAR JETCHEV BENJAMIN WESOLOWSKI ISOGENY GRAPHS OF ORDINARY ABELIAN VARIETIES PRESENTED AT ECC 2017, NIJMEGEN, THE NETHERLANDS BY BENJAMIN WESOLOWSKI FROM EPFL, SWITZERLAND AN INTRODUCTION
More informationIntroduction to Elliptic Curves
IAS/Park City Mathematics Series Volume XX, XXXX Introduction to Elliptic Curves Alice Silverberg Introduction Why study elliptic curves? Solving equations is a classical problem with a long history. Starting
More informationImplementing the Schoof-Elkies-Atkin Algorithm with NTL
Implementing the Schoof-Elkies-Atkin Algorithm with NTL by Yik Siong Kok A thesis presented to the University of Waterloo in fulfillment of the thesis requirement for the degree of Master of Mathematics
More informationAN INTRODUCTION TO ELLIPTIC CURVES
AN INTRODUCTION TO ELLIPTIC CURVES MACIEJ ULAS.. First definitions and properties.. Generalities on elliptic curves Definition.. An elliptic curve is a pair (E, O), where E is curve of genus and O E. We
More informationDon Zagier s work on singular moduli
Don Zagier s work on singular moduli Benedict Gross Harvard University June, 2011 Don in 1976 The orbit space SL 2 (Z)\H has the structure a Riemann surface, isomorphic to the complex plane C. We can fix
More informationOn the zeros of certain modular forms
On the zeros of certain modular forms Masanobu Kaneko Dedicated to Professor Yasutaka Ihara on the occasion of his 60th birthday. The aim of this short note is to list several families of modular forms
More informationToward High Performance Matrix Multiplication for Exact Computation
Toward High Performance Matrix Multiplication for Exact Computation Pascal Giorgi Joint work with Romain Lebreton (U. Waterloo) Funded by the French ANR project HPAC Séminaire CASYS - LJK, April 2014 Motivations
More informationCyclic Groups in Cryptography
Cyclic Groups in Cryptography p. 1/6 Cyclic Groups in Cryptography Palash Sarkar Indian Statistical Institute Cyclic Groups in Cryptography p. 2/6 Structure of Presentation Exponentiation in General Cyclic
More informationA Course in Computational Algebraic Number Theory
Henri Cohen 2008 AGI-Information Management Consultants May be used for personal purporses only or by libraries associated to dandelon.com network. A Course in Computational Algebraic Number Theory Springer
More informationApplications of Complex Multiplication of Elliptic Curves
Applications of Complex Multiplication of Elliptic Curves MASTER THESIS Candidate: Massimo CHENAL Supervisor: Prof. Jean-Marc COUVEIGNES UNIVERSITÀ DEGLI STUDI DI PADOVA UNIVERSITÉ BORDEAUX 1 Facoltà di
More informationarxiv: v3 [math.nt] 28 Jan 2015
. CLASS POLYNOMIALS FOR NONHOLOMORPHIC MODULAR FUNCTIONS JAN HENDRIK BRUINIER, KEN ONO, AND ANDREW V. SUTHERLAND arxiv:1301.5672v3 [math.nt] 28 Jan 2015 Abstract. We give algorithms for computing the singular
More informationAn unusual cubic representation problem
Annales Mathematicae et Informaticae 43 (014) pp. 9 41 http://ami.ektf.hu An unusual cubic representation problem Andrew Bremner a, Allan Macleod b a School of Mathematics and Mathematical Statistics,
More informationECM at Work. Joppe W. Bos 1 and Thorsten Kleinjung 2. 1 Microsoft Research, Redmond, USA
ECM at Work Joppe W. Bos 1 and Thorsten Kleinjung 2 1 Microsoft Research, Redmond, USA 2 Laboratory for Cryptologic Algorithms, EPFL, Lausanne, Switzerland 1 / 18 Security assessment of public-key cryptography
More informationExtending the GHS Weil Descent Attack
Extending the GHS Weil Descent Attac S. D. Galbraith 1, F. Hess 2 and N. P. Smart 2 1 Mathematics Department, Royal Holloway University of London, Egham, Surrey TW20 0EX, United Kingdom. 2 Department of
More informationBad reduction of genus 3 curves with Complex Multiplication
Bad reduction of genus 3 curves with Complex Multiplication Elisa Lorenzo García Universiteit Leiden Joint work with Bouw, Cooley, Lauter, Manes, Newton, Ozman. October 1, 2015 Elisa Lorenzo García Universiteit
More informationBasic Algorithms in Number Theory
Basic Algorithms in Number Theory Algorithmic Complexity... 1 Basic Algorithms in Number Theory Francesco Pappalardi Discrete Logs, Modular Square Roots & Euclidean Algorithm. July 20 th 2010 Basic Algorithms
More informationLattice methods for algebraic modular forms on orthogonal groups
Lattice methods for algebraic modular forms on orthogonal groups John Voight Dartmouth College joint work with Matthew Greenberg and Jeffery Hein and Gonzalo Tornaría Computational Challenges in the Theory
More informationAn Introduction to Supersingular Elliptic Curves and Supersingular Primes
An Introduction to Supersingular Elliptic Curves and Supersingular Primes Anh Huynh Abstract In this article, we introduce supersingular elliptic curves over a finite field and relevant concepts, such
More informationIsolated Curves and the MOV Attack
Isolated Curves and the OV Attack Travis Scholl October, 207 Abstract We present a variation on the C method that produces elliptic curves over prime fields with nearly prime order that do not admit many
More informationThe Inverse Galois Problem David P. Roberts University of Minnesota, Morris
The Inverse Galois Problem David P. Roberts University of Minnesota, Morris 1. Polynomials, fields, and their invariants: A degree n number field K has a discriminant D Z and a Galois group G S n. 2. The
More informationConstructing Class invariants
Constructing Class invariants Aristides Kontogeorgis Department of Mathematics University of Athens. Workshop Thales 1-3 July 2015 :Algebraic modeling of topological and computational structures and applications,
More informationElliptic Curve Cryptography
The State of the Art of Elliptic Curve Cryptography Ernst Kani Department of Mathematics and Statistics Queen s University Kingston, Ontario Elliptic Curve Cryptography 1 Outline 1. ECC: Advantages and
More informationIsogeny graphs of abelian varieties and applications to the Discrete Logarithm Problem
Isogeny graphs of abelian varieties and applications to the Discrete Logarithm Problem Chloe Martindale 26th January, 2018 These notes are from a talk given in the Séminaire Géométrie et algèbre effectives
More informationOn elliptic curves in characteristic 2 with wild additive reduction
ACTA ARITHMETICA XCI.2 (1999) On elliptic curves in characteristic 2 with wild additive reduction by Andreas Schweizer (Montreal) Introduction. In [Ge1] Gekeler classified all elliptic curves over F 2
More informationError-free protection of EC point multiplication by modular extension
Error-free protection of EC point multiplication by modular extension Martin Seysen February 21, 2017 Giesecke & Devrient GmbH, Prinzregentenstraße 159, D-81677 München, e-mail: m.seysen@gmx.de Abstract
More informationA gentle introduction to isogeny-based cryptography
A gentle introduction to isogeny-based cryptography Craig Costello Tutorial at SPACE 2016 December 15, 2016 CRRao AIMSCS, Hyderabad, India Part 1: Motivation Part 2: Preliminaries Part 3: Brief SIDH sketch
More informationWEIL DESCENT ATTACKS
WEIL DESCENT ATTACKS F. HESS Abstract. This article is to appear as a chapter in Advances in Elliptic Curve Cryptography, edited by I. Blake, G. Seroussi and N. Smart, Cambridge University Press, 2004.
More informationBasic Algorithms in Number Theory
Basic Algorithms in Number Theory Algorithmic Complexity... 1 Basic Algorithms in Number Theory Francesco Pappalardi #2 - Discrete Logs, Modular Square Roots, Polynomials, Hensel s Lemma & Chinese Remainder
More informationRamanujan s first letter to Hardy: 5 + = 1 + e 2π 1 + e 4π 1 +
Ramanujan s first letter to Hardy: e 2π/ + + 1 = 1 + e 2π 2 2 1 + e 4π 1 + e π/ 1 e π = 2 2 1 + 1 + e 2π 1 + Hardy: [These formulas ] defeated me completely. I had never seen anything in the least like
More informationElliptic Curves Spring 2013 Lecture #8 03/05/2013
18.783 Elliptic Curves Spring 2013 Lecture #8 03/05/2013 8.1 Point counting We now consider the problem of determining the number of points on an elliptic curve E over a finite field F q. The most naïve
More informationPoint counting on elliptic curves
UAM (Madrid) May 2009 Point counting on elliptic curves By Christophe RITZENTHALER 2 Contents 1 Introduction 5 1.1 The discrete logarithm problem....................... 5 1.1.1 General setting............................
More information