Computing the modular equation
Size: px
Start display at page:

Download "Computing the modular equation"

Transcription

1 Computing the modular equation Andrew V. Sutherland (MIT) Barcelona-Boston-Tokyo Number Theory Seminar in Memory of Fumiyuki Momose Andrew V. Sutherland (MIT) Computing the modular equation 1 of 8

2 The modular polynomial Let j(z) denote the classical modular function j : H C with q-expansion j(z) = 1/q q +... For a positive integer N, the minimal polynomial of the function j(nz) over the field C(j) is the modular polynomial of level N. Its coefficients actually lie in C[j], so we may regard it as a polynomial Φ N (X, Y ) in two variables. Its coefficients are algebraic integers, and they are rational. So they lie in Z. Andrew V. Sutherland (MIT) Computing the modular equation of 8

3 The modular equation Over C, elliptic curves E 1 and E are related by a cyclic isogeny of degree N if and only if Φ N (j(e 1 ), j(e )) = 0. Thus Φ N parameterizes pairs of N-isogenous elliptic curves. It (canonically) defines the modular curve Y 0 (N) = Γ 0 (N)\H. The moduli interpretation of Φ N remains valid over any field of characteristic prime to N. Andrew V. Sutherland (MIT) Computing the modular equation 3 of 8

4 Practical applications of modular polynomials Examples: Point-counting (SEA). Computing the endomorphism ring of an elliptic curve. Constructing elliptic curves with the CM method. Computing discrete logarithms. Constructing Ramanujan graphs. In most applications N is a prime l, and we actually wish to compute Φ l over a finite field F q. Andrew V. Sutherland (MIT) Computing the modular equation 4 of 8

5 Explicit computations History: level person (machine) year N = Smith 1878 N = 3 Smith 1879 N = 5 Berwick 1916 N = 7 Herrmann 1974 N = 11 Kaltofen-Yui (VAX ) 1984 Why is computing Φ N so difficult? Andrew V. Sutherland (MIT) Computing the modular equation 5 of 8

6 Explicit computations History: level person (machine) year N = Smith 1878 N = 3 Smith 1879 N = 5 Berwick 1916 N = 7 Herrmann 1974 N = 11 Kaltofen-Yui (VAX ) 1984 Why is computing Φ N so difficult? Φ l is big: O(l 3 log l) bits. Andrew V. Sutherland (MIT) Computing the modular equation 5 of 8

7 Example: Φ 11 (X, Y ) X 1 + Y 1 X 11 Y X 11 Y X 11 Y X 11 Y X 11 Y X 11 Y X 11 Y X 11 Y X 11 Y X 11 Y X 11 Y X pages omitted digits omitted Andrew V. Sutherland (MIT) Computing the modular equation 6 of 8

8 l coefficients largest average total kb 5.3kb 5.5MB kb 1kb 48MB kb 7kb 431MB kb 60kb 3.9GB kb 13kb 33GB kb 08kb 117GB kb 87kb 87GB kb 369kb 577GB kb 774kb 4.8TB* Size of Φ l (X, Y ) *Estimated Andrew V. Sutherland (MIT) Computing the modular equation 7 of 8

9 Algorithms to compute Φ l q-expansions: (Atkin?, Elkies 9, 98, LMMS 94, Ito 95, Morain 95, Müller 95, BCRS 99) Φ l : O(l 4 log 3+ɛ l) (via the CRT) Φ l mod q: O(l 3 log l log 1+ɛ q) (p > l + 1) Andrew V. Sutherland (MIT) Computing the modular equation 8 of 8

10 Algorithms to compute Φ l q-expansions: (Atkin?, Elkies 9, 98, LMMS 94, Ito 95, Morain 95, Müller 95, BCRS 99) Φ l : O(l 4 log 3+ɛ l) (via the CRT) Φ l mod q: O(l 3 log l log 1+ɛ q) (p > l + 1) isogenies: (Charles-Lauter 005) Φ l : O(l 5+ɛ ) (via the CRT) Φ l mod q: O(l 4+ɛ log +ɛ q) (q > 1l + 13) Andrew V. Sutherland (MIT) Computing the modular equation 8 of 8

11 Algorithms to compute Φ l q-expansions: (Atkin?, Elkies 9, 98, LMMS 94, Ito 95, Morain 95, Müller 95, BCRS 99) Φ l : O(l 4 log 3+ɛ l) (via the CRT) Φ l mod q: O(l 3 log l log 1+ɛ q) (p > l + 1) isogenies: (Charles-Lauter 005) Φ l : O(l 5+ɛ ) (via the CRT) Φ l mod q: O(l 4+ɛ log +ɛ q) (q > 1l + 13) evaluation-interpolation: (Enge 009) Φ l : O(l 3 log 4+ɛ l) (floating-point approx.) Φ l mod q: O(l 3 log 4+ɛ l) (reduces Φ l ) Andrew V. Sutherland (MIT) Computing the modular equation 8 of 8

12 A new algorithm to compute Φ l Bröker-Lauter-S (010), S (01) and Ono-S (in progress). We compute Φ l using isogenies and the CRT. Andrew V. Sutherland (MIT) Computing the modular equation 9 of 8

13 A new algorithm to compute Φ l Bröker-Lauter-S (010), S (01) and Ono-S (in progress). We compute Φ l using isogenies and the CRT. For suitable primes p we compute Φ l mod p in expected time O(l log 3+ɛ p). Andrew V. Sutherland (MIT) Computing the modular equation 9 of 8

14 A new algorithm to compute Φ l Bröker-Lauter-S (010), S (01) and Ono-S (in progress). We compute Φ l using isogenies and the CRT. For suitable primes p we compute Φ l mod p in expected time O(l log 3+ɛ p). Under the GRH, we find many suitable p with log p = O(log l). Φ l : O(l 3 log 3+ɛ l) (via the CRT) Φ l mod q: O(l 3 log 3+ɛ l) (via the explicit CRT) Computing Φ l mod q uses O(l log(lq)) space. Andrew V. Sutherland (MIT) Computing the modular equation 9 of 8

15 A new algorithm to compute Φ l Bröker-Lauter-S (010), S (01) and Ono-S (in progress). We compute Φ l using isogenies and the CRT. For suitable primes p we compute Φ l mod p in expected time O(l log 3+ɛ p). Under the GRH, we find many suitable p with log p = O(log l). Φ l : O(l 3 log 3+ɛ l) (via the CRT) Φ l mod q: O(l 3 log 3+ɛ l) (via the explicit CRT) Computing Φ l mod q uses O(l log(lq)) space. In practice the algorithm is much faster than other methods. It is probabilistic, but the output is unconditionally correct. Andrew V. Sutherland (MIT) Computing the modular equation 9 of 8

16 Some performance highlights Level records : Φ l. 0011: Φ l mod q : Φ f l Speed records 1. 51: Φ l in 8s Φ l mod q in 4.8s (vs 688s). 1009: Φ l in 830s Φ l mod q in 65s (vs 10700s) Single core CPU times (AMD 3.0 GHz), using prime q 56. Effective throughput when computing Φ 1009 mod q is 100Mb/s. Andrew V. Sutherland (MIT) Computing the modular equation 10 of 8

17 Isogenies For the rest of this talk l is a prime not equal to char F. Every l-isogeny φ : E 1 E is thus separable, and its kernel is a (cyclic) subgroup of E(F) of order l. Conversely, every subgroup of E(F) of order l is the kernel of an l-isogeny, which we may compute explicitly using Vélu s formulas (but this may be costly). Andrew V. Sutherland (MIT) Computing the modular equation 11 of 8

18 Isogenies For the rest of this talk l is a prime not equal to char F. Every l-isogeny φ : E 1 E is thus separable, and its kernel is a (cyclic) subgroup of E(F) of order l. Conversely, every subgroup of E(F) of order l is the kernel of an l-isogeny, which we may compute explicitly using Vélu s formulas (but this may be costly). We say that φ: E 1 E is horizontal if End(E 1 ) = End(E ). Otherwise φ is a vertical isogeny Horizontal isogenies are easy to compute. Vertical isogenies are not. Andrew V. Sutherland (MIT) Computing the modular equation 11 of 8

19 Complex multiplication Let E be an elliptic curve with End(E) O. For any (proper) O-ideal a, define the a-torsion subgroup E[a] = {P : αp = 0 for all α a}. E[a] is the kernel of an isogeny of degree N(a), and this yields a group action of the class group cl(o) on the set Ell O = {j(e) : End(E) O}. Andrew V. Sutherland (MIT) Computing the modular equation 1 of 8

20 Complex multiplication Let E be an elliptic curve with End(E) O. For any (proper) O-ideal a, define the a-torsion subgroup E[a] = {P : αp = 0 for all α a}. E[a] is the kernel of an isogeny of degree N(a), and this yields a group action of the class group cl(o) on the set Ell O = {j(e) : End(E) O}. Horizontal l-isogenies are the action of an ideal with norm l. A horizontal isogeny of large degree may be equivalent to a product of isogenies of smaller degree, via relations in cl(o). Under the ERH, small is O(log D ), where D = disc(o). Andrew V. Sutherland (MIT) Computing the modular equation 1 of 8

21

22 Isogeny graphs The l-isogeny graph G l has vertex set {j(e) : E/F q } and edges (j 1, j ) whenever Φ l (j 1, j ) = 0. The neighbors of j 1 F q are the roots of Φ l (j 1, Y ) that lie in F q. Andrew V. Sutherland (MIT) Computing the modular equation 13 of 8

23 Isogeny graphs The l-isogeny graph G l has vertex set {j(e) : E/F q } and edges (j 1, j ) whenever Φ l (j 1, j ) = 0. The neighbors of j 1 F q are the roots of Φ l (j 1, Y ) that lie in F q. Isogenous curves are either both ordinary or both supersingular, thus we may speak of the ordinary and supersingular components of G l. We will focus on the ordinary components of G l. We have an infinite family of graphs, one for each prime l, all with the same vertex set. Andrew V. Sutherland (MIT) Computing the modular equation 13 of 8

24 l-volcanoes An l-volcano is a connected undirected graph whose vertices are partitioned into levels V 0,..., V d. 1. The subgraph on V 0 (the surface) is a regular connected graph of degree at most. Andrew V. Sutherland (MIT) Computing the modular equation 14 of 8

25 l-volcanoes An l-volcano is a connected undirected graph whose vertices are partitioned into levels V 0,..., V d. 1. The subgraph on V 0 (the surface) is a regular connected graph of degree at most.. For i > 0, each v V i has exactly one neighbor in V i 1. All edges not on the surface arise in this manner. 3. For i < d, each v V i has degree l+1. Andrew V. Sutherland (MIT) Computing the modular equation 14 of 8

26 l-volcanoes An l-volcano is a connected undirected graph whose vertices are partitioned into levels V 0,..., V d. 1. The subgraph on V 0 (the surface) is a regular connected graph of degree at most.. For i > 0, each v V i has exactly one neighbor in V i 1. All edges not on the surface arise in this manner. 3. For i < d, each v V i has degree l+1. The integers l, d, and V 0 uniquely determine the shape. Andrew V. Sutherland (MIT) Computing the modular equation 14 of 8

27 The l-isogeny graph G l Some facts about G l (Kohel, Fouquet-Morain): The ordinary components of G l are l-volcanoes (provided they don t contain j = 0, 178). The curves in level V i of a given l-volcano all have the same endomorphism ring, isomorphic to an imaginary quadratic order O i. The order O 0 is maximal at l, and O i O 0 has index l i. Curves in the same l-volcano are necessarily isogenous, but isogenous curves need not lie in the same l-volcano. Andrew V. Sutherland (MIT) Computing the modular equation 15 of 8

28 A 3-volcano of depth Andrew V. Sutherland (MIT) Computing the modular equation 16 of 8

29 Running the rim

30 Running the rim

31 Running the rim

32 Running the rim

33 Running the rim

34 Running the rim

35 Running the rim

36

37 Mapping a volcano Andrew V. Sutherland (MIT) Computing the modular equation 18 of 8

38 Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l Andrew V. Sutherland (MIT) Computing the modular equation 18 of 8

39 Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l Andrew V. Sutherland (MIT) Computing the modular equation 18 of 8

40 Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l 1. Find a root of H D (X) Andrew V. Sutherland (MIT) Computing the modular equation 18 of 8

41 Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l Find a root of H D (X): 901 Andrew V. Sutherland (MIT) Computing the modular equation 18 of 8

42 Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l l 0 = l 0 l, ( D ) = 1 l Enumerate surface using the action of α l0 Andrew V. Sutherland (MIT) Computing the modular equation 18 of 8

43 Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l l 0 =, α 5 = α 3 l 0 l, ( D l 0 ) = 1, α l = α k l Enumerate surface using the action of α l Andrew V. Sutherland (MIT) Computing the modular equation 18 of 8

44 Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l l 0 =, α 5 = α 3 l 0 l, ( D l 0 ) = 1, α l = α k l Enumerate surface using the action of α l Andrew V. Sutherland (MIT) Computing the modular equation 18 of 8

45 Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l l 0 =, α 5 = α 3 l 0 l, ( D l 0 ) = 1, α l = α k l Enumerate surface using the action of α l Andrew V. Sutherland (MIT) Computing the modular equation 18 of 8

46 Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l l 0 =, α 5 = α 3 l 0 l, ( D l 0 ) = 1, α l = α k l Enumerate surface using the action of α l Andrew V. Sutherland (MIT) Computing the modular equation 18 of 8

47 Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l l 0 =, α 5 = α 3 l 0 l, ( D l 0 ) = 1, α l = α k l Enumerate surface using the action of α l Andrew V. Sutherland (MIT) Computing the modular equation 18 of 8

48 Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l l 0 =, α 5 = α 3 l 0 l, ( D l 0 ) = 1, α l = α k l Enumerate surface using the action of α l Andrew V. Sutherland (MIT) Computing the modular equation 18 of 8

49 Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l l 0 =, α 5 = α 3 l 0 l, ( D l 0 ) = 1, α l = α k l Enumerate surface using the action of α l Andrew V. Sutherland (MIT) Computing the modular equation 18 of 8

50 Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l l 0 =, α 5 = α 3 l 0 l, ( D l 0 ) = 1, α l = α k l Descend to the floor using Vélu s formula Andrew V. Sutherland (MIT) Computing the modular equation 18 of 8

51 Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l l 0 =, α 5 = α 3 l 0 l, ( D l 0 ) = 1, α l = α k l Descend to the floor using Vélu s formula: Andrew V. Sutherland (MIT) Computing the modular equation 18 of 8

52 Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l l 0 =, α 5 = α 3 l 0 l, ( D l 0 ) = 1, α l = α k l Enumerate floor using the action of β l0 Andrew V. Sutherland (MIT) Computing the modular equation 18 of 8

53 Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l l 0 =, α 5 = α 3, β 5 = β 7 l 0 l, ( D ) = 1, α l l = α k 0 l, β 0 l = βl k Enumerate floor using the action of β l Andrew V. Sutherland (MIT) Computing the modular equation 18 of 8

54 Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l l 0 =, α 5 = α 3, β 5 = β 7 l 0 l, ( D ) = 1, α l l = α k 0 l, β 0 l = βl k Enumerate floor using the action of β l Andrew V. Sutherland (MIT) Computing the modular equation 18 of 8

55 Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l l 0 =, α 5 = α 3, β 5 = β 7 l 0 l, ( D ) = 1, α l l = α k 0 l, β 0 l = βl k Enumerate floor using the action of β l Andrew V. Sutherland (MIT) Computing the modular equation 18 of 8

56 Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l l 0 =, α 5 = α 3, β 5 = β 7 l 0 l, ( D ) = 1, α l l = α k 0 l, β 0 l = βl k Enumerate floor using the action of β l Andrew V. Sutherland (MIT) Computing the modular equation 18 of 8

57 Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l l 0 =, α 5 = α 3, β 5 = β 7 l 0 l, ( D ) = 1, α l l = α k 0 l, β 0 l = βl k Enumerate floor using the action of β l Andrew V. Sutherland (MIT) Computing the modular equation 18 of 8

58 Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l l 0 =, α 5 = α 3, β 5 = β 7 l 0 l, ( D ) = 1, α l l = α k 0 l, β 0 l = βl k Enumerate floor using the action of β l Andrew V. Sutherland (MIT) Computing the modular equation 18 of 8

59 Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l l 0 =, α 5 = α 3, β 5 = β 7 l 0 l, ( D ) = 1, α l l = α k 0 l, β 0 l = βl k Enumerate floor using the action of β l Andrew V. Sutherland (MIT) Computing the modular equation 18 of 8

60 Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l l 0 =, α 5 = α 3, β 5 = β 7 l 0 l, ( D ) = 1, α l l = α k 0 l, β 0 l = βl k Enumerate floor using the action of β l Andrew V. Sutherland (MIT) Computing the modular equation 18 of 8

61 Mapping a volcano Example General requirements l = 5, p = 4451, D = 151 4p = t v l D, p 1 mod l t = 5, v =, h(d) = 7 l v, ( D ) = 1, h(d) l + l l 0 =, α 5 = α 3, β 5 = β 7 l 0 l, ( D ) = 1, α l l = α k 0 l, β 0 l = βl k Andrew V. Sutherland (MIT) Computing the modular equation 18 of 8

62 Interpolation Φ 5 (X, 901) = (X 701)(X 351)(X 3188)(X 970)(X 1478)(X 338) Φ 5 (X, 351) = (X 901)(X 15)(X 3508)(X 464)(X 976)(X 566) Φ 5 (X, 15) = (X 351)(X 501)(X 3341)(X 1868)(X 434)(X 676) Φ 5 (X, 501) = (X 15)(X 87)(X 3147)(X 55)(X 1180)(X 3144) Φ 5 (X, 87) = (X 501)(X 158)(X 150)(X 48)(X 1064)(X 087) Φ 5 (X, 158) = (X 87)(X 701)(X 945)(X 3497)(X 344)(X 91) Φ 5 (X, 701) = (X 158)(X 901)(X 843)(X 41)(X 3345)(X 4397) Andrew V. Sutherland (MIT) Computing the modular equation 19 of 8

63 Interpolation Φ 5 (X, 901) = X X X X X X + 36 Φ 5 (X, 351) = X X X X X + 93X Φ 5 (X, 15) = X X X X X + 084X Φ 5 (X, 501) = X X X X X X Φ 5 (X, 87) = X X X X X X Φ 5 (X, 158) = X X X X 3 + 5X X Φ 5 (X, 701) = X X X X X + 7X Andrew V. Sutherland (MIT) Computing the modular equation 19 of 8

64 Interpolation Φ 5 (X, Y ) = X 6 + (4450Y Y Y Y + 70Y + 397)X 5 (370Y Y Y Y Y + 33)X 4 (433Y Y Y Y Y + 11)X 3 (3499Y Y Y Y Y + 050)X ( 70Y Y Y Y + 905Y + 091)X (Y Y Y Y Y + 091Y + 108) Andrew V. Sutherland (MIT) Computing the modular equation 19 of 8

65 Computing Φ l (X, Y ) mod p Assume D and p are suitably chosen with D = O(l ) and log p = O(log l), and that H D (X) has been precomputed. 1. Find a root of H D (X) over F p. O(l log 3+ɛ l). Enumerate the surface(s) using cl(d)-action. O(l log +ɛ l) 3. Descend to the floor using Vélu. O(l log 1+ɛ l) 4. Enumerate the floor using cl(l D)-action. O(l log +ɛ l) 5. Build each Φ l (X, j i ) from its roots. O(l log 3+ɛ l) 6. Interpolate Φ l (X, Y ) mod p. O(l log 3+ɛ l) Time complexity is O(l log 3+ɛ l). Space complexity is O(l log l). Andrew V. Sutherland (MIT) Computing the modular equation 0 of 8

66 After computing Φ 5 (X, Y ) mod p for the primes: 4451, 6911, 9551, 8111, 54851, , 13491, , 11711, 80451, , , , , we apply the CRT to obtain Φ 5 (X, Y ) = X 6 + Y 6 X 5 Y (X 5 Y 4 + X 4 Y 5 ) (X 5 Y 3 + X 3 Y 5 ) (X 5 Y + X Y 5 ) (X 5 Y + XY 5 ) (X 5 + Y 5 ) X 4 Y (X 4 Y 3 + X 3 Y 4 ) (X 4 Y + X Y 4 ) (X 4 Y + XY 4 ) (X 4 + Y 4 ) (X 3 Y 5 + X 5 Y 3 ) X 3 Y (X 3 Y + X Y 3 ) (X 3 Y + XY 3 ) (X 3 + Y 3 ) X Y (X Y + XY ) (X + Y ) XY (X + Y ) Andrew V. Sutherland (MIT) Computing the modular equation 1 of 8

67 After computing Φ 5 (X, Y ) mod p for the primes: 4451, 6911, 9551, 8111, 54851, , 13491, , 11711, 80451, , , , , we apply the CRT to obtain Φ 5 (X, Y ) = X 6 + Y 6 X 5 Y (X 5 Y 4 + X 4 Y 5 ) (X 5 Y 3 + X 3 Y 5 ) (X 5 Y + X Y 5 ) (X 5 Y + XY 5 ) (X 5 + Y 5 ) X 4 Y (X 4 Y 3 + X 3 Y 4 ) (X 4 Y + X Y 4 ) (X 4 Y + XY 4 ) (X 4 + Y 4 ) (X 3 Y 5 + X 5 Y 3 ) X 3 Y (X 3 Y + X Y 3 ) (X 3 Y + XY 3 ) (X 3 + Y 3 ) X Y (X Y + XY ) (X + Y ) XY (X + Y ) (but note that Φ f 5 (X, Y ) = X 6 + Y 6 X 5 Y 5 + 4XY ). Andrew V. Sutherland (MIT) Computing the modular equation 1 of 8

68 The algorithm Given a prime l > and an integer q > 0: 1. Pick a discriminant D suitable for l.. Select a set of primes S suitable for l and D. 3. Precompute H D, cl(d), cl(l D), and CRT data. 4. For each p S, compute Φ l mod p and update CRT data. 5. Perform CRT postcomputation and output Φ l mod q. To compute Φ l over Z, just use q = p. For small q, use explicit CRT modq. For large q, standard CRT for large q. For q in between, use a hybrid approach. Andrew V. Sutherland (MIT) Computing the modular equation of 8

69 Explicit Chinese remainder theorem Suppose c c i mod p i for n distinct primes p i. Then c c i a i M i mod M, where M = p i, M i = M/p i and a i = 1/M i mod p i. If M > c, we can recover c Z. With M > 4 c, the explicit CRT computes c mod q directly via ( ) c = ci a i M i rm mod q, where r is the closest integer to c i a i /p i. Using an online algorithm, this can be applied to k coefficients c in parallel, using O ( log M + n log q + k(log q + log n) ) space. Montgomery-Silverman, Bernstein, S. Andrew V. Sutherland (MIT) Computing the modular equation 3 of 8

70 Complexity Theorem (GRH) For every prime l > there is a suitable discriminant D with D = O(l ) for which there are Ω(l 3 log 3 l) primes p = O(l 6 (log l) 4 ) that are suitable for l and D. Heuristically, p = O(l 4 ). In practice, lg p < 64. Theorem (GRH) The expected running time is O(l 3 log 3 l log log l). The space required is O(l log(lq)). Andrew V. Sutherland (MIT) Computing the modular equation 4 of 8

71 Complexity Theorem (GRH) For every prime l > there is a suitable discriminant D with D = O(l ) for which there are Ω(l 3 log 3 l) primes p = O(l 6 (log l) 4 ) that are suitable for l and D. Heuristically, p = O(l 4 ). In practice, lg p < 64. Theorem (GRH) The expected running time is O(l 3 log 3 l log log l). The space required is O(l log(lq)). The algorithm is trivial to parallelize. Andrew V. Sutherland (MIT) Computing the modular equation 4 of 8

72 An explicit height bound for Φ l Let l be a prime. Let h(φ l ) be the (natural) logarithmic height of Φ l. Asymptotic bound: h(φ l ) = 6l log l + O(l) (Paula Cohen 1984). Andrew V. Sutherland (MIT) Computing the modular equation 5 of 8

73 An explicit height bound for Φ l Let l be a prime. Let h(φ l ) be the (natural) logarithmic height of Φ l. Asymptotic bound: h(φ l ) = 6l log l + O(l) (Paula Cohen 1984). Explicit bound: h(φ l ) 6l log l + 18l (Bröker-S 009). Conjectural bound: h(φ l ) 6l log l + 1l (for l > 30). The explicit bound holds for all l. The conjectural bound is known to hold for 30 < l < Andrew V. Sutherland (MIT) Computing the modular equation 5 of 8

74 Other modular functions We can compute polynomials relating f (z) and f (lz) for other modular functions, including the Weber function f(τ) = η((τ + 1)/), ζ 48 η(τ) which satisfies j(τ) = (f(τ) 4 16) 3 /f(τ) 4. The coefficients of Φ f l are roughly 7 times smaller. This means we need 7 fewer primes. The polynomial Φ f l is roughly 4 times sparser. This means we need 4 times fewer interpolation points. Overall, we get nearly a 178-fold speedup using Φ f l. Andrew V. Sutherland (MIT) Computing the modular equation 6 of 8

75 Modular polynomials for l = 11 Classical: X 1 + Y 1 X 11 Y X 11 Y X 11 Y X 11 Y X 11 Y X 11 Y X 11 Y X 11 Y X 11 Y X 11 Y X 11 Y X pages omitted digits omitted Atkin: X 1 X 11 Y + 744X X X 9 Y X X 8 Y X X 7 Y X X 6 Y X X 5 Y X X 4 Y X X 3 Y X X Y X XY X + Y Y Weber: X 1 + Y 1 X 11 Y X 9 Y 9 44X 7 Y X 5 Y 5 88X 3 Y 3 + 3XY Andrew V. Sutherland (MIT) Computing the modular equation 7 of 8

76 Weber modular polynomials For l = 1009, the size of Φ f l is.3mb, versus 3.9GB for Φ l, and computing Φ f l takes.8s, versus 830s for Φ l. The current record is l = Working mod q, level l > has been achieved. The polynomials Φ f l for all l < 5000 are available for download: drew Andrew V. Sutherland (MIT) Computing the modular equation 8 of 8

Similar documents

Modular polynomials and isogeny volcanoes

Modular polynomials and isogeny volcanoes Modular polynomials and isogeny volcanoes Andrew V. Sutherland February 3, 010 Reinier Bröker Kristin Lauter Andrew V. Sutherland (MIT) Modular polynomials and isogeny volcanoes 1 of 9 Isogenies An isogeny

More information

Computing modular polynomials with the Chinese Remainder Theorem

Computing modular polynomials with the Chinese Remainder Theorem Computing modular polynomials with the Chinese Remainder Theorem Andrew V. Sutherland Massachusetts Institute of Technology ECC 009 Reinier Bröker Kristin Lauter Andrew V. Sutherland (MIT) Computing modular

More information

On the evaluation of modular polynomials

On the evaluation of modular polynomials On the evaluation of modular polynomials Andrew V. Sutherland Massachusetts Institute of Technology ANTS X July 10, 2012 http://math.mit.edu:/ drew 1 / 16 Introduction Let l be a prime and let F q be a

More information

Computing the endomorphism ring of an ordinary elliptic curve

Computing the endomorphism ring of an ordinary elliptic curve Computing the endomorphism ring of an ordinary elliptic curve Massachusetts Institute of Technology April 3, 2009 joint work with Gaetan Bisson http://arxiv.org/abs/0902.4670 Elliptic curves An elliptic

More information

Identifying supersingular elliptic curves

Identifying supersingular elliptic curves Identifying supersingular elliptic curves Andrew V. Sutherland Massachusetts Institute of Technology January 6, 2012 http://arxiv.org/abs/1107.1140 Andrew V. Sutherland (MIT) Identifying supersingular

More information

Elliptic Curves Spring 2015 Lecture #23 05/05/2015

Elliptic Curves Spring 2015 Lecture #23 05/05/2015 18.783 Elliptic Curves Spring 2015 Lecture #23 05/05/2015 23 Isogeny volcanoes We now want to shift our focus away from elliptic curves over C and consider elliptic curves E/k defined over any field k;

More information

Class invariants by the CRT method

Class invariants by the CRT method Class invariants by the CRT method Andreas Enge Andrew V. Sutherland INRIA Bordeaux-Sud-Ouest Massachusetts Institute of Technology ANTS IX Andreas Enge and Andrew Sutherland Class invariants by the CRT

More information

ON THE EVALUATION OF MODULAR POLYNOMIALS

ON THE EVALUATION OF MODULAR POLYNOMIALS ON THE EVALUATION OF MODULAR POLYNOMIALS ANDREW V. SUTHERLAND Abstract. We present two algorithms that, given a prime l and an elliptic curve E/F q, directly compute the polynomial Φ l (j(e), Y ) F q[y

More information

ISOGENY GRAPHS OF ORDINARY ABELIAN VARIETIES

ISOGENY GRAPHS OF ORDINARY ABELIAN VARIETIES ERNEST HUNTER BROOKS DIMITAR JETCHEV BENJAMIN WESOLOWSKI ISOGENY GRAPHS OF ORDINARY ABELIAN VARIETIES PRESENTED AT ECC 2017, NIJMEGEN, THE NETHERLANDS BY BENJAMIN WESOLOWSKI FROM EPFL, SWITZERLAND AN INTRODUCTION

More information

Explicit Complex Multiplication

Explicit Complex Multiplication Explicit Complex Multiplication Benjamin Smith INRIA Saclay Île-de-France & Laboratoire d Informatique de l École polytechnique (LIX) Eindhoven, September 2008 Smith (INRIA & LIX) Explicit CM Eindhoven,

More information

Counting points on elliptic curves over F q

Counting points on elliptic curves over F q Counting points on elliptic curves over F q Christiane Peters DIAMANT-Summer School on Elliptic and Hyperelliptic Curve Cryptography September 17, 2008 p.2 Motivation Given an elliptic curve E over a finite

More information

Isogeny graphs, modular polynomials, and point counting for higher genus curves

Isogeny graphs, modular polynomials, and point counting for higher genus curves Isogeny graphs, modular polynomials, and point counting for higher genus curves Chloe Martindale July 7, 2017 These notes are from a talk given in the Number Theory Seminar at INRIA, Nancy, France. The

More information

Isogenies in a quantum world

Isogenies in a quantum world Isogenies in a quantum world David Jao University of Waterloo September 19, 2011 Summary of main results A. Childs, D. Jao, and V. Soukharev, arxiv:1012.4019 For ordinary isogenous elliptic curves of equal

More information

COMPUTING MODULAR POLYNOMIALS

COMPUTING MODULAR POLYNOMIALS COMPUTING MODULAR POLYNOMIALS DENIS CHARLES AND KRISTIN LAUTER 1. Introduction The l th modular polynomial, φ l (x, y), parameterizes pairs of elliptic curves with an isogeny of degree l between them.

More information

Elliptic curve cryptography in a post-quantum world: the mathematics of isogeny-based cryptography

Elliptic curve cryptography in a post-quantum world: the mathematics of isogeny-based cryptography Elliptic curve cryptography in a post-quantum world: the mathematics of isogeny-based cryptography Andrew Sutherland MIT Undergraduate Mathematics Association November 29, 2018 Creating a shared secret

More information

Counting points on genus 2 curves over finite

Counting points on genus 2 curves over finite Counting points on genus 2 curves over finite fields Chloe Martindale May 11, 2017 These notes are from a talk given in the Number Theory Seminar at the Fourier Institute, Grenoble, France, on 04/05/2017.

More information

arxiv: v3 [math.nt] 7 May 2013

arxiv: v3 [math.nt] 7 May 2013 ISOGENY VOLCANOES arxiv:1208.5370v3 [math.nt] 7 May 2013 ANDREW V. SUTHERLAND Abstract. The remarkable structure and computationally explicit form of isogeny graphs of elliptic curves over a finite field

More information

Mappings of elliptic curves

Mappings of elliptic curves Mappings of elliptic curves Benjamin Smith INRIA Saclay Île-de-France & Laboratoire d Informatique de l École polytechnique (LIX) Eindhoven, September 2008 Smith (INRIA & LIX) Isogenies of Elliptic Curves

More information

Genus 2 Curves of p-rank 1 via CM method

Genus 2 Curves of p-rank 1 via CM method School of Mathematical Sciences University College Dublin Ireland and Claude Shannon Institute April 2009, GeoCrypt Joint work with Laura Hitt, Michael Naehrig, Marco Streng Introduction This talk is about

More information

Isogeny graphs of abelian varieties and applications to the Discrete Logarithm Problem

Isogeny graphs of abelian varieties and applications to the Discrete Logarithm Problem Isogeny graphs of abelian varieties and applications to the Discrete Logarithm Problem Chloe Martindale 26th January, 2018 These notes are from a talk given in the Séminaire Géométrie et algèbre effectives

More information

14 Ordinary and supersingular elliptic curves

14 Ordinary and supersingular elliptic curves 18.783 Elliptic Curves Spring 2015 Lecture #14 03/31/2015 14 Ordinary and supersingular elliptic curves Let E/k be an elliptic curve over a field of positive characteristic p. In Lecture 7 we proved that

More information

Computing modular polynomials in dimension 2 ECC 2015, Bordeaux

Computing modular polynomials in dimension 2 ECC 2015, Bordeaux Computing modular polynomials in dimension 2 ECC 2015, Bordeaux Enea Milio 29/09/2015 Enea Milio Computing modular polynomials 29/09/2015 1 / 49 Computing modular polynomials 1 Dimension 1 : elliptic curves

More information

ON ISOGENY GRAPHS OF SUPERSINGULAR ELLIPTIC CURVES OVER FINITE FIELDS

ON ISOGENY GRAPHS OF SUPERSINGULAR ELLIPTIC CURVES OVER FINITE FIELDS ON ISOGENY GRAPHS OF SUPERSINGULAR ELLIPTIC CURVES OVER FINITE FIELDS GORA ADJ, OMRAN AHMADI, AND ALFRED MENEZES Abstract. We study the isogeny graphs of supersingular elliptic curves over finite fields,

More information

CONSTRUCTING SUPERSINGULAR ELLIPTIC CURVES. Reinier Bröker

CONSTRUCTING SUPERSINGULAR ELLIPTIC CURVES. Reinier Bröker CONSTRUCTING SUPERSINGULAR ELLIPTIC CURVES Reinier Bröker Abstract. We give an algorithm that constructs, on input of a prime power q and an integer t, a supersingular elliptic curve over F q with trace

More information

COMPUTING MODULAR POLYNOMIALS

COMPUTING MODULAR POLYNOMIALS COMPUTING MODULAR POLYNOMIALS DENIS CHARLES AND KRISTIN LAUTER 1. Introduction The l th modular polynomial, φ l (x, y), parameterizes pairs of elliptic curves with a cyclic isogeny of degree l between

More information

Constructing genus 2 curves over finite fields

Constructing genus 2 curves over finite fields Constructing genus 2 curves over finite fields Kirsten Eisenträger The Pennsylvania State University Fq12, Saratoga Springs July 15, 2015 1 / 34 Curves and cryptography RSA: most widely used public key

More information

Class polynomials for abelian surfaces

Class polynomials for abelian surfaces Class polynomials for abelian surfaces Andreas Enge LFANT project-team INRIA Bordeaux Sud-Ouest andreas.enge@inria.fr http://www.math.u-bordeaux.fr/~aenge LFANT seminar 27 January 2015 (joint work with

More information

Computing the image of Galois

Computing the image of Galois Computing the image of Galois Andrew V. Sutherland Massachusetts Institute of Technology October 9, 2014 Andrew Sutherland (MIT) Computing the image of Galois 1 of 25 Elliptic curves Let E be an elliptic

More information

A Candidate Group with Infeasible Inversion

A Candidate Group with Infeasible Inversion A Candidate Group with Infeasible Inversion Salim Ali Altuğ Yilei Chen September 27, 2018 Abstract Motivated by the potential cryptographic application of building a directed transitive signature scheme,

More information

Graph structure of isogeny on elliptic curves

Graph structure of isogeny on elliptic curves Graph structure of isogeny on elliptic curves Université Versailles Saint Quentin en Yvelines October 23, 2014 1/ 42 Outline of the talk 1 Reminder about elliptic curves, 2 Endomorphism ring of elliptic

More information

Elliptic Curves Spring 2013 Lecture #12 03/19/2013

Elliptic Curves Spring 2013 Lecture #12 03/19/2013 18.783 Elliptic Curves Spring 2013 Lecture #12 03/19/2013 We now consider our first practical application of elliptic curves: factoring integers. Before presenting the elliptic curve method (ECM) for factoring

More information

Igusa class polynomials

Igusa class polynomials Number Theory Seminar Cambridge 26 April 2011 Elliptic curves An elliptic curve E/k (char(k) 2) is a smooth projective curve y 2 = x 3 + ax 2 + bx + c. Q P P Q E is a commutative algebraic group Endomorphisms

More information

Igusa Class Polynomials

Igusa Class Polynomials , supported by the Leiden University Fund (LUF) Joint Mathematics Meetings, San Diego, January 2008 Overview Igusa class polynomials are the genus 2 analogue of the classical Hilbert class polynomials.

More information

Igusa Class Polynomials

Igusa Class Polynomials Genus 2 day, Intercity Number Theory Seminar Utrecht, April 18th 2008 Overview Igusa class polynomials are the genus 2 analogue of the classical Hilbert class polynomial. For each notion, I will 1. tell

More information

You could have invented Supersingular Isogeny Diffie-Hellman

You could have invented Supersingular Isogeny Diffie-Hellman You could have invented Supersingular Isogeny Diffie-Hellman Lorenz Panny Technische Universiteit Eindhoven Πλατανιάς, Κρήτη, 11 October 2017 1 / 22 Shor s algorithm 94 Shor s algorithm quantumly breaks

More information

Quaternions and Arithmetic. Colloquium, UCSD, October 27, 2005

Quaternions and Arithmetic. Colloquium, UCSD, October 27, 2005 Quaternions and Arithmetic Colloquium, UCSD, October 27, 2005 This talk is available from www.math.mcgill.ca/goren Quaternions came from Hamilton after his really good work had been done; and, though beautifully

More information

Introduction to Arithmetic Geometry Fall 2013 Lecture #24 12/03/2013

Introduction to Arithmetic Geometry Fall 2013 Lecture #24 12/03/2013 18.78 Introduction to Arithmetic Geometry Fall 013 Lecture #4 1/03/013 4.1 Isogenies of elliptic curves Definition 4.1. Let E 1 /k and E /k be elliptic curves with distinguished rational points O 1 and

More information

Elliptic Curves Spring 2019 Problem Set #7 Due: 04/08/2019

Elliptic Curves Spring 2019 Problem Set #7 Due: 04/08/2019 18.783 Elliptic Curves Spring 2019 Problem Set #7 Due: 04/08/2019 Description These problems are related to the material covered in Lectures 13-14. Instructions: Solve problem 1 and then solve one of Problems

More information

20 The modular equation

20 The modular equation 18.783 Elliptic Curves Spring 2015 Lecture #20 04/23/2015 20 The modular equation In the previous lecture we defined modular curves as quotients of the extended upper half plane under the action of a congruence

More information

Elliptic Curves Spring 2015 Problem Set #10 Due: 4/24/2015

Elliptic Curves Spring 2015 Problem Set #10 Due: 4/24/2015 18.783 Elliptic Curves Spring 2015 Problem Set #10 Due: 4/24/2015 Description These problems are related to the material covered in Lectures 18-19. As usual, the first person to spot each non-trivial typo/error

More information

A gentle introduction to isogeny-based cryptography

A gentle introduction to isogeny-based cryptography A gentle introduction to isogeny-based cryptography Craig Costello Tutorial at SPACE 2016 December 15, 2016 CRRao AIMSCS, Hyderabad, India Part 1: Motivation Part 2: Preliminaries Part 3: Brief SIDH sketch

More information

Evaluating Large Degree Isogenies between Elliptic Curves

Evaluating Large Degree Isogenies between Elliptic Curves Evaluating Large Degree Isogenies between Elliptic Curves by Vladimir Soukharev A thesis presented to the University of Waterloo in fulfillment of the thesis requirement for the degree of Master of Mathematics

More information

arxiv: v3 [math.nt] 28 Jan 2015

arxiv: v3 [math.nt] 28 Jan 2015 . CLASS POLYNOMIALS FOR NONHOLOMORPHIC MODULAR FUNCTIONS JAN HENDRIK BRUINIER, KEN ONO, AND ANDREW V. SUTHERLAND arxiv:1301.5672v3 [math.nt] 28 Jan 2015 Abstract. We give algorithms for computing the singular

More information

arxiv: v1 [math.nt] 29 Oct 2013

arxiv: v1 [math.nt] 29 Oct 2013 COMPUTING ISOGENIES BETWEEN SUPERSINGULAR ELLIPTIC CURVES OVER F p CHRISTINA DELFS AND STEVEN D. GALBRAITH arxiv:1310.7789v1 [math.nt] 29 Oct 2013 Abstract. Let p > 3 be a prime and let E, E be supersingular

More information

20 The modular equation

20 The modular equation 18.783 Elliptic Curves Lecture #20 Spring 2017 04/26/2017 20 The modular equation In the previous lecture we defined modular curves as quotients of the extended upper half plane under the action of a congruence

More information

Abstracts of papers. Amod Agashe

Abstracts of papers. Amod Agashe Abstracts of papers Amod Agashe In this document, I have assembled the abstracts of my work so far. All of the papers mentioned below are available at http://www.math.fsu.edu/~agashe/math.html 1) On invisible

More information

On the Computation of Modular Polynomials for Elliptic Curves

On the Computation of Modular Polynomials for Elliptic Curves On the Computation of Modular Polynomials for Elliptic Curves Ian F. Blake 1, János A. Csirik 1, Michael Rubinstein 2, and Gadiel Seroussi 1 1 Hewlett-Packard Laboratories, 1501 Page Mill Road, Palo Alto,

More information

Tables of elliptic curves over number fields

Tables of elliptic curves over number fields Tables of elliptic curves over number fields John Cremona University of Warwick 10 March 2014 Overview 1 Why make tables? What is a table? 2 Simple enumeration 3 Using modularity 4 Curves with prescribed

More information

Computing L-series coefficients of hyperelliptic curves

Computing L-series coefficients of hyperelliptic curves Computing L-series coefficients of hyperelliptic curves Kiran S. Kedlaya and Andrew V. Sutherland Massachusetts Institute of Technology May 19, 2008 Demonstration The distribution of Frobenius traces Let

More information

Addition sequences and numerical evaluation of modular forms

Addition sequences and numerical evaluation of modular forms Addition sequences and numerical evaluation of modular forms Fredrik Johansson (INRIA Bordeaux) Joint work with Andreas Enge (INRIA Bordeaux) William Hart (TU Kaiserslautern) DK Statusseminar in Strobl,

More information

Efficient implementation of the Hardy-Ramanujan-Rademacher formula

Efficient implementation of the Hardy-Ramanujan-Rademacher formula Efficient implementation of the Hardy-Ramanujan-Rademacher formula or: Partitions in the quintillions Fredrik Johansson RISC-Linz July 10, 2013 2013 SIAM Annual Meeting San Diego, CA Supported by Austrian

More information

A p-adic ALGORITHM TO COMPUTE THE HILBERT CLASS POLYNOMIAL. Reinier Bröker

A p-adic ALGORITHM TO COMPUTE THE HILBERT CLASS POLYNOMIAL. Reinier Bröker A p-adic ALGORITHM TO COMPUTE THE HILBERT CLASS POLYNOMIAL Reinier Bröker Abstract. Classicaly, the Hilbert class polynomial P Z[X] of an imaginary quadratic discriminant is computed using complex analytic

More information

Elliptic Curve Primality Proving

Elliptic Curve Primality Proving Università degli Studi Roma Tre Facoltà di Scienze Matematiche, Fisiche e Naturali Corso di Laurea Magistrale in Matematica Tesi di Laurea Magistrale in Matematica Elliptic Curve Primality Proving SINTESI

More information

Independence of Heegner Points Joseph H. Silverman (Joint work with Michael Rosen)

Independence of Heegner Points Joseph H. Silverman (Joint work with Michael Rosen) Independence of Heegner Points Joseph H. Silverman (Joint work with Michael Rosen) Brown University Cambridge University Number Theory Seminar Thursday, February 22, 2007 0 Modular Curves and Heegner Points

More information

A quantum algorithm for computing isogenies between supersingular elliptic curves

A quantum algorithm for computing isogenies between supersingular elliptic curves A quantum algorithm for computing isogenies between supersingular elliptic curves Jean-François Biasse 1,2, David Jao 1, and Anirudh Sankar 1 1 Department of Combinatorics and Optimization 2 Institute

More information

Imaginary Quadratic Fields With Isomorphic Abelian Galois Groups

Imaginary Quadratic Fields With Isomorphic Abelian Galois Groups Imaginary Quadratic Fields With Isomorphic Abelian Galois Groups Universiteit Leiden, Université Bordeaux 1 July 12, 2012 - UCSD - X - a Question Let K be a number field and G K = Gal(K/K) the absolute

More information

Pairing the volcano. 1 Introduction. Sorina Ionica 1 and Antoine Joux 1,2

Pairing the volcano. 1 Introduction. Sorina Ionica 1 and Antoine Joux 1,2 Pairing the volcano Sorina Ionica 1 and Antoine Joux 1,2 1 Université de Versailles Saint-Quentin-en-Yvelines, 45 avenue des États-Unis, 78035 Versailles CEDEX, France 2 DGA sorina.ionica,antoine.joux@m4x.org

More information

Computing isogeny graphs using CM lattices

Computing isogeny graphs using CM lattices Computing isogeny graphs using CM lattices David Gruenewald GREYC/LMNO Université de Caen GeoCrypt, Corsica 22nd June 2011 Motivation for computing isogenies Point counting. Computing CM invariants. Endomorphism

More information

Constructing Abelian Varieties for Pairing-Based Cryptography

Constructing Abelian Varieties for Pairing-Based Cryptography for Pairing-Based CWI and Universiteit Leiden, Netherlands Workshop on Pairings in Arithmetic Geometry and 4 May 2009 s MNT MNT Type s What is pairing-based cryptography? Pairing-based cryptography refers

More information

Point counting and real multiplication on K3 surfaces

Point counting and real multiplication on K3 surfaces Point counting and real multiplication on K3 surfaces Andreas-Stephan Elsenhans Universität Paderborn September 2016 Joint work with J. Jahnel. A.-S. Elsenhans (Universität Paderborn) K3 surfaces September

More information

How many elliptic curves can have the same prime conductor? Alberta Number Theory Days, BIRS, 11 May Noam D. Elkies, Harvard University

How many elliptic curves can have the same prime conductor? Alberta Number Theory Days, BIRS, 11 May Noam D. Elkies, Harvard University How many elliptic curves can have the same prime conductor? Alberta Number Theory Days, BIRS, 11 May 2013 Noam D. Elkies, Harvard University Review: Discriminant and conductor of an elliptic curve Finiteness

More information

Computing Hilbert Class Polynomials

Computing Hilbert Class Polynomials Computing Hilbert Class Polynomials Juliana Belding 1, Reinier Bröker 2, Andreas Enge 3, Kristin Lauter 2 1 Dept. of Mathematics, University of Maryland, College Park, MD 20742, USA 2 Microsoft Research,

More information

Class invariants for quartic CM-fields

Class invariants for quartic CM-fields Number Theory Seminar Oxford 2 June 2011 Elliptic curves An elliptic curve E/k (char(k) 2) is a smooth projective curve y 2 = x 3 + ax 2 + bx + c. Q P E is a commutative algebraic group P Q Endomorphisms

More information

Elliptic Curves Spring 2015 Lecture #7 02/26/2015

Elliptic Curves Spring 2015 Lecture #7 02/26/2015 18.783 Elliptic Curves Spring 2015 Lecture #7 02/26/2015 7 Endomorphism rings 7.1 The n-torsion subgroup E[n] Now that we know the degree of the multiplication-by-n map, we can determine the structure

More information

ABSTRACT. Professor Lawrence Washington Department of Mathematics

ABSTRACT. Professor Lawrence Washington Department of Mathematics ABSTRACT Title of dissertation: NUMBER THEORETIC ALGORITHMS FOR ELLIPTIC CURVES Juliana V. Belding, Doctor of Philosophy, 2008 Dissertation directed by: Professor Lawrence Washington Department of Mathematics

More information

Edwards Curves and the ECM Factorisation Method

Edwards Curves and the ECM Factorisation Method Edwards Curves and the ECM Factorisation Method Peter Birkner Eindhoven University of Technology CADO Workshop on Integer Factorization 7 October 2008 Joint work with Daniel J. Bernstein, Tanja Lange and

More information

Don Zagier s work on singular moduli

Don Zagier s work on singular moduli Don Zagier s work on singular moduli Benedict Gross Harvard University June, 2011 Don in 1976 The orbit space SL 2 (Z)\H has the structure a Riemann surface, isomorphic to the complex plane C. We can fix

More information

MA 162B LECTURE NOTES: THURSDAY, FEBRUARY 26

MA 162B LECTURE NOTES: THURSDAY, FEBRUARY 26 MA 162B LECTURE NOTES: THURSDAY, FEBRUARY 26 1. Abelian Varieties of GL 2 -Type 1.1. Modularity Criteria. Here s what we ve shown so far: Fix a continuous residual representation : G Q GLV, where V is

More information

Hard Homogeneous Spaces

Hard Homogeneous Spaces Hard Homogeneous Spaces Jean-Marc Couveignes August 24, 2006 Abstract This note was written in 1997 after a talk I gave at the séminaire de complexité et cryptographie at the École Normale Supérieure After

More information

Even sharper upper bounds on the number of points on curves

Even sharper upper bounds on the number of points on curves Even sharper upper bounds on the number of points on curves Everett W. Howe Center for Communications Research, La Jolla Symposium on Algebraic Geometry and its Applications Tahiti, May 2007 Revised slides

More information

The powers of logarithm for quadratic twists

The powers of logarithm for quadratic twists 1 The powers of logarithm for quadratic twists Christophe Delaunay Institut Camille Jordan, Université Claude Bernard Lyon 1 Mark Watkins University of Bristol Abstract We briefly describe how to get the

More information

An introduction to supersingular isogeny-based cryptography

An introduction to supersingular isogeny-based cryptography An introduction to supersingular isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8, 2017 Šibenik, Croatia Towards quantum-resistant cryptosystems from supersingular

More information

Counting points on elliptic curves: Hasse s theorem and recent developments

Counting points on elliptic curves: Hasse s theorem and recent developments Counting points on elliptic curves: Hasse s theorem and recent developments Igor Tolkov June 3, 009 Abstract We introduce the the elliptic curve and the problem of counting the number of points on the

More information

Outline of the Seminar Topics on elliptic curves Saarbrücken,

Outline of the Seminar Topics on elliptic curves Saarbrücken, Outline of the Seminar Topics on elliptic curves Saarbrücken, 11.09.2017 Contents A Number theory and algebraic geometry 2 B Elliptic curves 2 1 Rational points on elliptic curves (Mordell s Theorem) 5

More information

Material covered: Class numbers of quadratic fields, Valuations, Completions of fields.

Material covered: Class numbers of quadratic fields, Valuations, Completions of fields. ALGEBRAIC NUMBER THEORY LECTURE 6 NOTES Material covered: Class numbers of quadratic fields, Valuations, Completions of fields. 1. Ideal class groups of quadratic fields These are the ideal class groups

More information

ON THE DISTRIBUTION OF CLASS GROUPS OF NUMBER FIELDS

ON THE DISTRIBUTION OF CLASS GROUPS OF NUMBER FIELDS ON THE DISTRIBUTION OF CLASS GROUPS OF NUMBER FIELDS GUNTER MALLE Abstract. We propose a modification of the predictions of the Cohen Lenstra heuristic for class groups of number fields in the case where

More information

Non-generic attacks on elliptic curve DLPs

Non-generic attacks on elliptic curve DLPs Non-generic attacks on elliptic curve DLPs Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC Summer School Leuven, September 13 2013 Smith

More information

Hard and Easy Problems for Supersingular Isogeny Graphs

Hard and Easy Problems for Supersingular Isogeny Graphs Hard and Easy Problems for Supersingular Isogeny Graphs Christophe Petit and Kristin Lauter University of Birmingham, Microsoft Research February 21, 2018 Abstract We consider the endomorphism ring computation

More information

The Sato-Tate conjecture for abelian varieties

The Sato-Tate conjecture for abelian varieties The Sato-Tate conjecture for abelian varieties Andrew V. Sutherland Massachusetts Institute of Technology March 5, 2014 Mikio Sato John Tate Joint work with F. Fité, K.S. Kedlaya, and V. Rotger, and also

More information

Introduction to Elliptic Curves

Introduction to Elliptic Curves IAS/Park City Mathematics Series Volume XX, XXXX Introduction to Elliptic Curves Alice Silverberg Introduction Why study elliptic curves? Solving equations is a classical problem with a long history. Starting

More information

Supersingular isogeny graphs and endomorphism rings: reductions and solutions

Supersingular isogeny graphs and endomorphism rings: reductions and solutions Supersingular isogeny graphs and endomorphism rings: reductions and solutions Kirsten Eisenträger 1, Sean Hallgren 2, Kristin Lauter 3, Travis Morrison 1, and Christophe Petit 4 1 The Pennsylvania State

More information

AN INTRODUCTION TO ELLIPTIC CURVES

AN INTRODUCTION TO ELLIPTIC CURVES AN INTRODUCTION TO ELLIPTIC CURVES MACIEJ ULAS.. First definitions and properties.. Generalities on elliptic curves Definition.. An elliptic curve is a pair (E, O), where E is curve of genus and O E. We

More information

A Course in Computational Algebraic Number Theory

A Course in Computational Algebraic Number Theory Henri Cohen 2008 AGI-Information Management Consultants May be used for personal purporses only or by libraries associated to dandelon.com network. A Course in Computational Algebraic Number Theory Springer

More information

Generation Methods of Elliptic Curves

Generation Methods of Elliptic Curves Generation Methods of Elliptic Curves by Harald Baier and Johannes Buchmann August 27, 2002 An evaluation report for the Information-technology Promotion Agency, Japan Contents 1 Introduction 1 1.1 Preface.......................................

More information

this to include the explicit maps, please do so!

this to include the explicit maps, please do so! Contents 1. Introduction 1 2. Warmup: descent on A 2 + B 3 = N 2 3. A 2 + B 3 = N: enriched descent 3 4. The Faltings height 5 5. Isogeny and heights 6 6. The core of the proof that the height doesn t

More information

Four-Dimensional GLV Scalar Multiplication

Four-Dimensional GLV Scalar Multiplication Four-Dimensional GLV Scalar Multiplication ASIACRYPT 2012 Beijing, China Patrick Longa Microsoft Research Francesco Sica Nazarbayev University Elliptic Curve Scalar Multiplication A (Weierstrass) elliptic

More information

PUBLIC-KEY CRYPTOSYSTEM BASED ON ISOGENIES

PUBLIC-KEY CRYPTOSYSTEM BASED ON ISOGENIES PUBLIC-KEY CRYPTOSYSTEM BASED ON ISOGENIES Alexander Rostovtsev and Anton Stolbunov Saint-Petersburg State Polytechnical University, Department of Security and Information Protection in Computer Systems,

More information

COMPUTING ENDOMORPHISM RINGS OF JACOBIANS OF GENUS 2 CURVES OVER FINITE FIELDS

COMPUTING ENDOMORPHISM RINGS OF JACOBIANS OF GENUS 2 CURVES OVER FINITE FIELDS COMPUTING ENDOMORPHISM RINGS OF JACOBIANS OF GENUS 2 CURVES OVER FINITE FIELDS DAVID FREEMAN AND KRISTIN LAUTER Abstract. We present probabilistic algorithms which, given a genus 2 curve C defined over

More information

On elliptic curves in characteristic 2 with wild additive reduction

On elliptic curves in characteristic 2 with wild additive reduction ACTA ARITHMETICA XCI.2 (1999) On elliptic curves in characteristic 2 with wild additive reduction by Andreas Schweizer (Montreal) Introduction. In [Ge1] Gekeler classified all elliptic curves over F 2

More information

On the zeros of certain modular forms

On the zeros of certain modular forms On the zeros of certain modular forms Masanobu Kaneko Dedicated to Professor Yasutaka Ihara on the occasion of his 60th birthday. The aim of this short note is to list several families of modular forms

More information

Alberta Number Theory Days X th meeting (18w2226) May 11 13, 2018

Alberta Number Theory Days X th meeting (18w2226) May 11 13, 2018 Alberta Number Theory Days X th meeting (18w2226) May 11 13, 2018 May 12: Saturday Morning 9:00-9:10 Opening Remarks 9:10-10:00 Alice Silverberg Title: A leisurely tour through torus, abelian variety,

More information

A numerically explicit Burgess inequality and an application to qua

A numerically explicit Burgess inequality and an application to qua A numerically explicit Burgess inequality and an application to quadratic non-residues Swarthmore College AMS Sectional Meeting Akron, OH October 21, 2012 Squares Consider the sequence Can it contain any

More information

CLASS FIELD THEORY AND COMPLEX MULTIPLICATION FOR ELLIPTIC CURVES

CLASS FIELD THEORY AND COMPLEX MULTIPLICATION FOR ELLIPTIC CURVES CLASS FIELD THEORY AND COMPLEX MULTIPLICATION FOR ELLIPTIC CURVES FRANK GOUNELAS 1. Class Field Theory We ll begin by motivating some of the constructions of the CM (complex multiplication) theory for

More information

Cover Page. The handle holds various files of this Leiden University dissertation

Cover Page. The handle holds various files of this Leiden University dissertation Cover Page The handle http://hdl.handle.net/1887/37019 holds various files of this Leiden University dissertation Author: Brau Avila, Julio Title: Galois representations of elliptic curves and abelian

More information

1: Please compute the Jacobi symbol ( 99

1: Please compute the Jacobi symbol ( 99 SCORE/xx: Math 470 Communications Cryptography NAME: PRACTICE FINAL Please show your work write only in pen. Notes are forbidden. Calculators, all other electronic devices, are forbidden. Brains are encouraged,

More information

w d : Y 0 (N) Y 0 (N)

w d : Y 0 (N) Y 0 (N) Upper half-plane formulas We want to explain the derivation of formulas for two types of objects on the upper half plane: the Atkin- Lehner involutions and Heegner points Both of these are treated somewhat

More information

Finding small factors of integers. Speed of the number-field sieve. D. J. Bernstein University of Illinois at Chicago

Finding small factors of integers. Speed of the number-field sieve. D. J. Bernstein University of Illinois at Chicago The number-field sieve Finding small factors of integers Speed of the number-field sieve D. J. Bernstein University of Illinois at Chicago Prelude: finding denominators 87366 22322444 in R. Easily compute

More information

Quantum Security Analysis of CSIDH and Ordinary Isogeny-based Schemes

Quantum Security Analysis of CSIDH and Ordinary Isogeny-based Schemes Quantum Security Analysis of CSIDH and Ordinary Isogeny-based Schemes Xavier Bonnetain 1,2 and André Schrottenloher 2 1 Sorbonne Université, Collège Doctoral, F-75005 Paris, France 2 Inria, France Abstract.

More information

Elliptic Curves over Finite Fields

Elliptic Curves over Finite Fields Elliptic Curves over Finite Fields Katherine E. Stange Stanford University Boise REU, June 14th, 2011 Consider a cubic curve of the form E : y 2 + a 1 xy + a 3 y = x 3 + a 2 x 2 + a 4 x + a 6 If you intersect

More information

Explicit Representation of the Endomorphism Rings of Supersingular Elliptic Curves

Explicit Representation of the Endomorphism Rings of Supersingular Elliptic Curves Explicit Representation of the Endomorphism Rings of Supersingular Elliptic Curves Ken McMurdy August 20, 2014 Abstract It is well known from the work of Deuring that the endomorphism ring of any supersingular

More information
2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback