Modular polynomials and isogeny volcanoes
1 Modular polynomials and isogeny volcanoes
Andrew V. Sutherland, February 3, 2010
Reinier Bröker, Kristin Lauter
Andrew V. Sutherland (MIT) Modular polynomials and isogeny volcanoes 1 of 29
2 Isogenies
An isogeny φ: E_1 → E_2 is a morphism of elliptic curves, a nonzero rational map that preserves the identity.
Over a finite field, E_1 and E_2 are isogenous if and only if #E_1(F_q) = #E_2(F_q).
3 Some applications of isogenies
Isogenies make hard problems easier:
Counting the points on E: polynomial time (Schoof-Elkies-Atkin).
Constructing E with the CM method: |D| > [bound lost in transcription] (BBEL, S, Enge-S).
Computing the endomorphism ring of E: heuristically subexponential time (Bisson-S).
These algorithms all rely on modular polynomials Φ_l(X, Y).
4 Properties of isogenies
Degree: The kernel of φ: E_1 → E_2 is a finite subgroup of E_1(F̄). When φ is separable, we have #ker φ = deg φ.
An l-isogeny is a (separable) isogeny of degree l. For prime l, the kernel is necessarily cyclic.
Orientation: We say that φ: E_1 → E_2 is horizontal if End(E_1) ≅ End(E_2). Otherwise φ is vertical.
5 Isogenies from kernels
Any finite subgroup G of E(F̄) determines a separable isogeny with G as its kernel.
Given G, we can compute φ explicitly using Vélu's formula.
The complexity depends both on the size of ker φ and on the field in which the points of ker φ are defined.
If E is defined over F, so is φ, but the points in ker φ may have coordinates in an extension of degree up to l − 1.
6 The classical modular polynomial Φ_l
The modular function j: H → C is a complex analytic function
  j(z) = 1/q + 744 + 196884q + 21493760q² + ..., where q = e^{2πiz}.
The function j(lz) is algebraic over C(j), and its minimal polynomial Φ_l(X) has coefficients in Z[j].
Φ_l(X, Y) = Φ_l(Y, X); deg_X Φ_l = l + 1.
The modular equation Φ_l(X, Y) = 0 parametrizes pairs of elliptic curves related by a cyclic l-isogeny.
9 Parametrizing isogenies
Assuming char F ≠ l, for all elliptic curves E_1/F and E_2/F:
  Φ_l(j(E_1), j(E_2)) = 0  ⟺  E_1 and E_2 are l-isogenous.
The l-isogeny graph G_l has vertex set {j(E) : E/F}, and edges (j_1, j_2) whenever Φ_l(j_1, j_2) = 0.
The neighbors of j_0 are the roots of Φ_l(X, j_0) that lie in F.
Φ_l is big: O(l³ log l) bits.
10 Size of Φ_l(X, Y)
[Table with columns l, coefficients, largest, average, total. The l and coefficient columns and the numbers in the largest column did not survive transcription, and other entries may be missing digits; the surviving largest / average / total entries are:]
  ?kb / 5.3kb / 5.5MB
  ?kb / 1kb / 48MB
  ?kb / 7kb / 431MB
  ?kb / 60kb / 3.9GB
  ?kb / 13kb / 33GB
  ?kb / 08kb / 117GB
  ?kb / 87kb / 87GB
  ?kb / 369kb / 577GB
  ?kb / 774kb / 4.8TB
  ?Mb / 1.6Mb / 40TB*
*Estimated
13 Algorithms to compute Φ_l
q-expansions (Atkin?, Elkies 92, 98, LMMS 94, Morain 95, Müller 95, BCRS 99):
  Φ_l: O(l⁴ log^{3+ε} l) (via the CRT); Φ_l mod p: O(l³ log l log^{1+ε} p) (p > l + 1)
isogenies (Charles-Lauter 2005):
  Φ_l: O(l^{5+ε}) (via the CRT); Φ_l mod p: O(l^{4+ε} log^{2+ε} p) (p > 12l + 13)
evaluation-interpolation (Enge 2009):
  Φ_l: O(l³ log^{4+ε} l) (floating-point); Φ_l mod m: O(l³ log^{4+ε} l) (reduces Φ_l)
17 A new algorithm to compute Φ_l
We compute Φ_l using isogenies and the CRT.
For certain p we can compute Φ_l mod p in expected time O(l² log^{3+ε} p).
Under the GRH, we find many such p with log p = O(log l).
  Φ_l: O(l³ log^{3+ε} l) (via the CRT)
  Φ_l mod m: O(l³ log^{3+ε} l) (via the explicit CRT)
Computing Φ_l mod m uses O(l² log(lm)) space.
In practice the algorithm is much faster than other methods. It is probabilistic, but its output is unconditionally correct.
18 Explicit Chinese Remainder Theorem
Suppose c ≡ c_i mod p_i for distinct primes p_1, ..., p_n. Then
  c ≡ Σ c_i a_i M_i mod M,
where M = Π p_i, M_i = M/p_i and a_i = 1/M_i mod p_i.
With M > 4|c|, the explicit CRT computes c mod m directly via
  c ≡ (Σ c_i a_i M_i) − rM mod m,
where the integer r = round(Σ a_i c_i / p_i) (use O(log n) bits of precision).
Using an online algorithm, this can be applied to N coefficients c in parallel, using O(log M + n log m + N(log m + log n)) space.
Montgomery-Silverman, Bernstein, S.
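An added example (not from the slides) of the explicit CRT just stated: c mod m is computed straight from the residues c_i mod p_i without ever forming c. The primes, the value c and the moduli are constructed test data, and r is computed with exact rationals rather than the O(log n)-bit approximation the slide mentions; the function names are this example's own.

```python
# Added example, not from Sutherland's slides or software: explicit CRT.
# c = sum c_i a_i M_i - r M with M = prod p_i, M_i = M/p_i, a_i = M_i^{-1} mod p_i,
# r = round(sum a_i c_i / p_i), valid whenever M > 4|c|.
from fractions import Fraction
from math import prod


def crt_setup(primes, m):
    """Per-prime data that does not depend on the coefficients: a_i, M_i mod m
    and M mod m.  Computed once and reused for every coefficient, which is what
    lets the slide's online algorithm process many coefficients in parallel."""
    M = prod(primes)
    data = []
    for p_i in primes:
        M_i = M // p_i
        data.append((p_i, pow(M_i, -1, p_i), M_i % m))
    return {"m": m, "M_mod_m": M % m, "M": M, "data": data}


def fits(c_bound, primes):
    """Precondition of the explicit CRT: M > 4|c| for every coefficient c."""
    return prod(primes) > 4 * c_bound


def explicit_crt(residues, setup):
    """Return c mod m for the signed integer c with |c| < M/4 and c = c_i mod p_i.
    Only values mod m and the small rational sum are ever held, never c itself."""
    m, M_mod_m = setup["m"], setup["M_mod_m"]
    acc = 0              # sum c_i a_i (M_i mod m), reduced mod m
    s = Fraction(0)      # sum a_i c_i / p_i, exact here; few bits suffice in practice
    for c_i, (p_i, a_i, M_i_mod_m) in zip(residues, setup["data"]):
        c_i %= p_i
        acc = (acc + c_i * a_i * M_i_mod_m) % m
        s += Fraction(a_i * c_i, p_i)
    r = round(s)         # |c/M| < 1/4, so rounding recovers the integer r exactly
    return (acc - r * M_mod_m) % m


if __name__ == "__main__":
    # Constructed demo: recover a negative coefficient mod 1000 from 5 primes.
    primes = [1009, 1013, 1019, 1021, 1031]
    c = -123456789
    setup = crt_setup(primes, 1000)
    print(explicit_crt([c % p for p in primes], setup), c % 1000)
```

Because `crt_setup` depends only on the prime set and m, a run over N coefficients keeps one setup and N accumulators, matching the O(n log m + N log m) terms in the slide's space bound.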
19 Some performance highlights
Level records: l = [lost in transcription]: Φ_l; l = 20011: Φ_l mod m; l = [lost in transcription]: Φ^f_l.
Speed records:
  1. l = [digit lost]51: Φ_l in 8s, Φ_l mod m in 4.8s (vs 688s).
  2. l = 1009: Φ_l in 830s, Φ_l mod m in 65s (vs [time lost in transcription]s).
Single core CPU times (AMD 3.0 GHz), using m 56 [value garbled in transcription].
Effective throughput when computing Φ_1009 mod m is over 100 Mb/s.
21 [Figure] A 3-volcano of depth [value lost in transcription]
22 l-volcanoes
An l-volcano is a connected undirected graph whose vertices are partitioned into levels V_0, ..., V_d, such that:
1. The subgraph on V_0 (the surface) is a regular connected graph of degree at most 2.
2. For i > 0, each v ∈ V_i has exactly one neighbor in V_{i−1}. All edges not on the surface arise in this manner.
3. For i < d, each v ∈ V_i has degree l + 1.
The integers l, d, and |V_0| uniquely determine the shape.
23 The l-isogeny graph G_l
Some facts about G_l (Kohel, Fouquet-Morain):
The ordinary components of G_l are l-volcanoes (provided they don't contain j = 0, 1728).
The curves in level V_i of a given l-volcano all have the same endomorphism ring, isomorphic to an imaginary quadratic order O_i.
The order O_0 is maximal at l, and [O_0 : O_i] = l^i.
Curves in the same l-volcano are necessarily isogenous, but isogenous curves need not lie in the same l-volcano.
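The following is an added example, not code from the slides or from Sutherland's software. It builds the 2-isogeny graph G_2 over a small prime field directly from the classical Φ_2 (the neighbors of j_0 being the F_p-roots of Φ_2(X, j_0), as on slide 9) and then assigns volcano levels to each component using the structure of slides 22 and 23: floor vertices are those with a single rational neighbor, and a vertex in level i lies at distance d − i from the floor. The toy prime p = 101 and the brute-force root search are this example's assumptions; the Φ_2 coefficients are the standard ones.

```python
# Added example, not from Sutherland's slides: G_2 over F_p from Phi_2, with a
# level map per component.  p = 101 is a constructed toy prime; scanning all of
# F_p for roots is only sensible at such sizes.
from collections import deque


def phi2(x, y, p):
    """Classical modular polynomial Phi_2(x, y) mod p (standard coefficients)."""
    return (x**3 + y**3 - x*x*y*y
            + 1488 * (x*x*y + x*y*y)
            - 162000 * (x*x + y*y)
            + 40773375 * x*y
            + 8748000000 * (x + y)
            - 157464000000000) % p


def neighbors(j, p):
    """Distinct roots of Phi_2(X, j) in F_p: the F_p-rational j-invariants
    2-isogenous to j.  Multiplicities are dropped, so a double root counts once."""
    return [x for x in range(p) if phi2(x, j, p) == 0]


def isogeny_graph(p):
    """Adjacency lists of G_2 over F_p on the vertex set {0, ..., p-1}."""
    return {j: neighbors(j, p) for j in range(p)}


def components(adj):
    """Connected components (as vertex lists) of an undirected graph."""
    seen, comps = set(), []
    for start in adj:
        if start in seen:
            continue
        comp, queue = [], deque([start])
        seen.add(start)
        while queue:
            v = queue.popleft()
            comp.append(v)
            for w in adj[v]:
                if w not in seen:
                    seen.add(w)
                    queue.append(w)
        comps.append(comp)
    return comps


def level_map(comp, adj):
    """Volcano levels for one component, assuming it is an l-volcano (the
    slides' hypotheses: ordinary curves, j not 0 or 1728; this toy does not
    filter those out).  Floor = vertices with exactly one rational neighbor;
    level(v) = depth - dist(v, floor).  No floor means a depth-0 volcano."""
    floor = [v for v in comp if len(adj[v]) == 1]
    if not floor:
        return {v: 0 for v in comp}
    dist = {v: 0 for v in floor}
    queue = deque(floor)
    while queue:
        v = queue.popleft()
        for w in adj[v]:
            if w not in dist:
                dist[w] = dist[v] + 1
                queue.append(w)
    depth = max(dist.values())
    return {v: depth - dist[v] for v in comp}


def map_volcanoes(p):
    """(level map, depth) for every component of G_2 over F_p."""
    adj = isogeny_graph(p)
    result = []
    for comp in components(adj):
        levels = level_map(comp, adj)
        result.append((levels, max(levels.values())))
    return result


if __name__ == "__main__":
    for levels, depth in map_volcanoes(101):
        surface = sorted(v for v, lv in levels.items() if lv == depth)
        print(f"depth {depth}, |V_0| = {len(surface)}, vertices = {len(levels)}")
```

Two sanity checks follow from Φ_2 over Z and hold for every p: Φ_2(X, 0) = (X − 54000)³, so j = 0 has the single rational neighbor 54000 mod p, and Φ_2(X, 1728) = (X − 1728)(X − 287496)², so j = 1728 has neighbors 1728 (a loop) and 287496 mod p. These are exactly the degenerate vertices the slide excludes from the volcano statement.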
27 The CM action
Let E/F_q be an ordinary elliptic curve with End(E) = O.
The class group cl(O) acts on the set {j(E/F_q) : End(E) = O}.
Horizontal l-isogenies are the action of an ideal with norm l.
The cardinality of V_0 is the order of the cyclic subgroup of cl(O) generated by an ideal with norm l.
A horizontal isogeny of large degree may be equivalent to a sequence of isogenies of small degree, via relations in cl(O).
Under the ERH this is always true, and small = O(log |D|).
28 Running the rim
Φ_2(X, Y) = X³ + Y³ − X²Y² + 1488X²Y − 162000X² + 40773375XY + 1488XY² + 8748000000X − 162000Y² + 8748000000Y − 157464000000000
36 Mapping a volcano
Example:
  l = 5, p = 4451, D = −151
  t = 52, v = 2, h(D) = 7
  l_0 = 2, α_5 = α_2³, β_5 = β_2⁷
General requirements:
  4p = t² − v²l²D, p ≡ 1 mod l
  l ∤ v, (D/l) = 1, h(D) ≥ l + 2
  l_0 ≠ l, (D/l_0) = 1, α_l = α_{l_0}^k, β_l = β_{l_0}^k
Steps (shown as an animation on the slides):
  1. Find a root of H_D(X): 901.
  2. Enumerate the surface using the action of α_{l_0}.
  3. Descend to the floor using Vélu's formula.
  4. Enumerate the floor using the action of β_{l_0}.
61 Interpolation
Φ_5(X, 901) = (X − 701)(X − 351)(X − 3188)(X − 970)(X − 1478)(X − 338)
Φ_5(X, 351) = (X − 901)(X − 15)(X − 3508)(X − 464)(X − 976)(X − 566)
Φ_5(X, 15) = (X − 351)(X − 501)(X − 3341)(X − 1868)(X − 434)(X − 676)
Φ_5(X, 501) = (X − 15)(X − 87)(X − 3147)(X − 55)(X − 1180)(X − 3144)
Φ_5(X, 87) = (X − 501)(X − 158)(X − 150)(X − 48)(X − 1064)(X − 087)
Φ_5(X, 158) = (X − 87)(X − 701)(X − 945)(X − 3497)(X − 344)(X − 91)
Φ_5(X, 701) = (X − 158)(X − 901)(X − 843)(X − 41)(X − 3345)(X − 4397)
(all values mod p = 4451; some digits may be missing from the transcription)
62 Interpolation
The same seven polynomials Φ_5(X, j_i), expanded into coefficient form (the coefficients did not survive transcription).
63 Interpolation
Φ_5(X, Y) mod 4451, obtained by interpolating each coefficient as a polynomial in Y:
Φ_5(X, Y) = X⁶ + (4450Y⁵ + ... + 70Y + 397)X⁵ − (... + 33)X⁴ − (... + 11)X³ − (... + 050)X² − (... + 905Y + 091)X − (... + 091Y + 108)
(most coefficients did not survive transcription)
64 Computing Φ_l(X, Y) mod p
Assume D and p are suitably chosen with |D| = O(l²) and log p = O(log l), and that H_D(X) has been precomputed.
1. Find a root of H_D(X) over F_p.                   O(l² log^{3+ε} l)
2. Enumerate the surface(s) using the cl(D)-action.  O(l² log^{2+ε} l)
3. Descend to the floor using Vélu.                  O(l² log^{1+ε} l)
4. Enumerate the floor using the cl(l²D)-action.     O(l² log^{2+ε} l)
5. Build each Φ_l(X, j_i) from its roots.            O(l² log^{3+ε} l)
6. Interpolate Φ_l(X, Y) mod p.                      O(l² log^{3+ε} l)
Time complexity is O(l² log^{3+ε} l). Space complexity is O(l² log l).
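An added worked example, not from the slides, of steps 5 and 6 above (and of the interpolation shown on slides 61 to 63) for l = 2 over the constructed toy prime p = 101. The example does not run the volcano walk of steps 1 to 4; the root data those steps would deliver is instead obtained by brute force from Φ_2 itself, which also serves as the reference the interpolated result is checked against. The function names and the choice of p are this example's own.

```python
# Added example, not from Sutherland's slides or software: rebuild Phi_2 mod p
# from L+2 univariate polynomials Phi_2(X, j_i), each given only by its roots.
L = 2
PHI2 = {  # classical Phi_2: (a, b) -> coefficient of X^a Y^b (standard values)
    (3, 0): 1, (0, 3): 1, (2, 2): -1, (2, 1): 1488, (1, 2): 1488,
    (2, 0): -162000, (0, 2): -162000, (1, 1): 40773375,
    (1, 0): 8748000000, (0, 1): 8748000000, (0, 0): -157464000000000,
}


def phi2_at(x, y, p):
    """Phi_2(x, y) mod p, evaluated from the coefficient table."""
    return sum(c * pow(x, a, p) * pow(y, b, p) for (a, b), c in PHI2.items()) % p


def splitting_j_values(p, count):
    """First `count` values j in F_p for which Phi_2(X, j) has L+1 distinct roots
    in F_p, each with its root list.  On the slides these come from the volcano
    floor (steps 1-4); here we simply scan F_p, which is fine for a toy p."""
    found = []
    for j in range(p):
        roots = [x for x in range(p) if phi2_at(x, j, p) == 0]
        if len(roots) == L + 1:
            found.append((j, roots))
            if len(found) == count:
                return found
    raise ValueError("not enough splitting j-values in F_p")


def poly_from_roots(roots, p):
    """Coefficients, lowest degree first, of prod (X - r) over F_p (step 5)."""
    poly = [1]
    for r in roots:
        new = [0] * (len(poly) + 1)
        for i, c in enumerate(poly):
            new[i] = (new[i] - r * c) % p
            new[i + 1] = (new[i + 1] + c) % p
        poly = new
    return poly


def lagrange_coeffs(points, p):
    """Coefficients, lowest degree first, of the unique polynomial of degree
    < len(points) through the given (node, value) pairs over F_p."""
    n = len(points)
    result = [0] * n
    for i, (yi, vi) in enumerate(points):
        others = [yk for k, (yk, _) in enumerate(points)
                  if k != i]
        num = poly_from_roots(others, p)          # prod_{k != i} (Y - y_k)
        denom = 1
        for yk in others:
            denom = denom * (yi - yk) % p
        scale = vi * pow(denom, -1, p) % p
        for d in range(n):
            result[d] = (result[d] + scale * num[d]) % p
    return result


def interpolate_phi(p):
    """Step 6: the coefficient of X^a in Phi_2(X, Y) is a polynomial in Y of
    degree <= L+1, so its values at L+2 distinct nodes j_i determine it.
    Returns {(a, b): coefficient of X^a Y^b} with zero entries dropped."""
    univariate = [(j, poly_from_roots(roots, p))
                  for j, roots in splitting_j_values(p, L + 2)]
    coeffs = {}
    for a in range(L + 2):
        nodes = [(j, poly[a]) for j, poly in univariate]
        for b, c in enumerate(lagrange_coeffs(nodes, p)):
            if c:
                coeffs[(a, b)] = c
    return coeffs


def reference_phi(p):
    """Phi_2 reduced mod p with zero coefficients dropped, for comparison."""
    return {k: c % p for k, c in PHI2.items() if c % p}


if __name__ == "__main__":
    p = 101
    print(interpolate_phi(p) == reference_phi(p))
```

The interpolation needs l + 2 nodes because deg_Y Φ_l = l + 1, which is why the slide's requirement reads h(D) ≥ l + 2: the surface must supply at least that many distinct j-invariants. Only j-values whose Φ_2(X, j) splits into distinct linear factors are used here, so the product of (X − r) over the found roots equals Φ_2(X, j) exactly; a floor vertex, with a single rational root, would not do.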
66 After computing Φ_5(X, Y) mod p for the primes
4451, 6911, 9551, 8111, 54851, [lost], 13491, [lost], 11711, 80451, [four more lost in transcription],
we apply the CRT to obtain
Φ_5(X, Y) = X⁶ + Y⁶ − X⁵Y⁵ + [coefficient](X⁵Y⁴ + X⁴Y⁵) + [coefficient](X⁵Y³ + X³Y⁵) + ... + [coefficient](X + Y) + [constant]
(the integer coefficients of the remaining symmetric monomial pairs did not survive transcription)
(but note that Φ^f_5(X, Y) = X⁶ + Y⁶ − X⁵Y⁵ + 4XY).
67 Computing Φ_l mod m
Given a prime l > 2 and an integer m > 0:
1. Pick a discriminant D suitable for l.
2. Select a set of primes S suitable for l and D.
3. Precompute H_D, cl(D), cl(l²D), and CRT data.
4. For each p ∈ S, compute Φ_l mod p and update the CRT data.
5. Perform the CRT postcomputation and output Φ_l mod m.
To compute Φ_l over Z, just use m = Π p.
For small m, use the explicit CRT mod m. For large m, use the standard CRT. For m in between, use a hybrid approach.
68 Complexity
Theorem (GRH). For every prime l > 2 there is a suitable discriminant D with |D| = O(l²) for which there are Ω(l³ log³ l) primes p = O(l⁶ (log l)⁴) that are suitable for l and D.
Heuristically, p = O(l⁴). In practice, lg p < 64.
Theorem (GRH). The expected running time is O(l³ log³ l log log l). The space required is O(l² log(lm)).
70 An explicit height bound for Φ_l
Let l be a prime. Let h(Φ_l) be the (natural) logarithmic height of Φ_l.
Asymptotic bound: h(Φ_l) = 6l log l + O(l) (Paula Cohen 1984).
Explicit bound: h(Φ_l) ≤ 6l log l + 17l (Bröker-S 2009).
Conjectural bound: h(Φ_l) ≤ 6l log l + 12l (for l > 30).
The explicit bound holds for all l. The conjectural bound is known to hold for 30 < l < [upper limit lost in transcription].
71 Other modular functions
We can compute polynomials relating f(z) and f(lz) for other modular functions, including the Weber f-function.
The coefficients of Φ^f_l are roughly 72 times smaller. This means we need 72 times fewer primes.
The polynomial Φ^f_l is roughly 24 times sparser. This means we need 24 times fewer interpolation points.
We get a better than 1728-fold speedup using Φ^f_l.
72 Modular polynomials for l = 11
Classical: X¹² + Y¹² − X¹¹Y¹¹ + ... (the slide shows only the leading terms, with "pages omitted, digits omitted"; the coefficients did not survive transcription)
Atkin: X¹² − X¹¹Y + 744X¹¹ + ... (terms in X^kY and X^k for k = 10 down to 1, then X and Y terms; the coefficients did not survive transcription)
Weber: X¹² + Y¹² − X¹¹Y¹¹ + [coefficient]X⁹Y⁹ − 44X⁷Y⁷ + [coefficient]X⁵Y⁵ − 88X³Y³ + 32XY
73 Weber modular polynomials
For l = 1009, the size of Φ^f_l is 2.3MB, versus 3.9GB for Φ_l, and computing Φ^f_l takes 1.5s, versus 840s for Φ_l.
The current record is l = [value lost in transcription]. Working mod m, level l > [value lost in transcription] is feasible.
The polynomials Φ^f_l for all l < 5000 are available for download (URL truncated in transcription; only "drew" survives).
More informationConstructing Abelian Varieties for Pairing-Based Cryptography
for Pairing-Based CWI and Universiteit Leiden, Netherlands Workshop on Pairings in Arithmetic Geometry and 4 May 2009 s MNT MNT Type s What is pairing-based cryptography? Pairing-based cryptography refers
More informationPairing the volcano. 1 Introduction. Sorina Ionica 1 and Antoine Joux 1,2
Pairing the volcano Sorina Ionica 1 and Antoine Joux 1,2 1 Université de Versailles Saint-Quentin-en-Yvelines, 45 avenue des États-Unis, 78035 Versailles CEDEX, France 2 DGA sorina.ionica,antoine.joux@m4x.org
More information20 The modular equation
18.783 Elliptic Curves Lecture #20 Spring 2017 04/26/2017 20 The modular equation In the previous lecture we defined modular curves as quotients of the extended upper half plane under the action of a congruence
More informationMA 162B LECTURE NOTES: THURSDAY, FEBRUARY 26
MA 162B LECTURE NOTES: THURSDAY, FEBRUARY 26 1. Abelian Varieties of GL 2 -Type 1.1. Modularity Criteria. Here s what we ve shown so far: Fix a continuous residual representation : G Q GLV, where V is
More informationTables of elliptic curves over number fields
Tables of elliptic curves over number fields John Cremona University of Warwick 10 March 2014 Overview 1 Why make tables? What is a table? 2 Simple enumeration 3 Using modularity 4 Curves with prescribed
More informationJournal of Number Theory
Journal of Number Theory 131 (2011) 815 831 Contents lists available at ScienceDirect Journal of Number Theory www.elsevier.com/locate/jnt Special Issue: Elliptic Curve Cryptography Computing the endomorphism
More informationElliptic Curves Spring 2015 Lecture #7 02/26/2015
18.783 Elliptic Curves Spring 2015 Lecture #7 02/26/2015 7 Endomorphism rings 7.1 The n-torsion subgroup E[n] Now that we know the degree of the multiplication-by-n map, we can determine the structure
More informationYou could have invented Supersingular Isogeny Diffie-Hellman
You could have invented Supersingular Isogeny Diffie-Hellman Lorenz Panny Technische Universiteit Eindhoven Πλατανιάς, Κρήτη, 11 October 2017 1 / 22 Shor s algorithm 94 Shor s algorithm quantumly breaks
More informationHow many elliptic curves can have the same prime conductor? Alberta Number Theory Days, BIRS, 11 May Noam D. Elkies, Harvard University
How many elliptic curves can have the same prime conductor? Alberta Number Theory Days, BIRS, 11 May 2013 Noam D. Elkies, Harvard University Review: Discriminant and conductor of an elliptic curve Finiteness
More informationElliptic Curves Spring 2019 Problem Set #7 Due: 04/08/2019
18.783 Elliptic Curves Spring 2019 Problem Set #7 Due: 04/08/2019 Description These problems are related to the material covered in Lectures 13-14. Instructions: Solve problem 1 and then solve one of Problems
More informationComputing Hilbert Class Polynomials
Computing Hilbert Class Polynomials Juliana Belding 1, Reinier Bröker 2, Andreas Enge 3, Kristin Lauter 2 1 Dept. of Mathematics, University of Maryland, College Park, MD 20742, USA 2 Microsoft Research,
More informationA p-adic ALGORITHM TO COMPUTE THE HILBERT CLASS POLYNOMIAL. Reinier Bröker
A p-adic ALGORITHM TO COMPUTE THE HILBERT CLASS POLYNOMIAL Reinier Bröker Abstract. Classicaly, the Hilbert class polynomial P Z[X] of an imaginary quadratic discriminant is computed using complex analytic
More informationIgusa Class Polynomials
Genus 2 day, Intercity Number Theory Seminar Utrecht, April 18th 2008 Overview Igusa class polynomials are the genus 2 analogue of the classical Hilbert class polynomial. For each notion, I will 1. tell
More informationarxiv: v3 [math.nt] 28 Jan 2015
. CLASS POLYNOMIALS FOR NONHOLOMORPHIC MODULAR FUNCTIONS JAN HENDRIK BRUINIER, KEN ONO, AND ANDREW V. SUTHERLAND arxiv:1301.5672v3 [math.nt] 28 Jan 2015 Abstract. We give algorithms for computing the singular
More informationComputing endomorphism rings of abelian varieties of dimension two
Computing endomorphism rings of abelian varieties of dimension two Gaetan Bisson University of French Polynesia Abstract Generalizing a method of Sutherland and the author for elliptic curves [5, 1] we
More information20 The modular equation
18.783 Elliptic Curves Spring 2015 Lecture #20 04/23/2015 20 The modular equation In the previous lecture we defined modular curves as quotients of the extended upper half plane under the action of a congruence
More informationHard Homogeneous Spaces
Hard Homogeneous Spaces Jean-Marc Couveignes August 24, 2006 Abstract This note was written in 1997 after a talk I gave at the séminaire de complexité et cryptographie at the École Normale Supérieure After
More informationNon-generic attacks on elliptic curve DLPs
Non-generic attacks on elliptic curve DLPs Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC Summer School Leuven, September 13 2013 Smith
More informationAbstracts of papers. Amod Agashe
Abstracts of papers Amod Agashe In this document, I have assembled the abstracts of my work so far. All of the papers mentioned below are available at http://www.math.fsu.edu/~agashe/math.html 1) On invisible
More informationElliptic Curve Primality Proving
Università degli Studi Roma Tre Facoltà di Scienze Matematiche, Fisiche e Naturali Corso di Laurea Magistrale in Matematica Tesi di Laurea Magistrale in Matematica Elliptic Curve Primality Proving SINTESI
More informationA gentle introduction to isogeny-based cryptography
A gentle introduction to isogeny-based cryptography Craig Costello Tutorial at SPACE 2016 December 15, 2016 CRRao AIMSCS, Hyderabad, India Part 1: Motivation Part 2: Preliminaries Part 3: Brief SIDH sketch
More informationHard and Easy Problems for Supersingular Isogeny Graphs
Hard and Easy Problems for Supersingular Isogeny Graphs Christophe Petit and Kristin Lauter University of Birmingham, Microsoft Research February 21, 2018 Abstract We consider the endomorphism ring computation
More informationEven sharper upper bounds on the number of points on curves
Even sharper upper bounds on the number of points on curves Everett W. Howe Center for Communications Research, La Jolla Symposium on Algebraic Geometry and its Applications Tahiti, May 2007 Revised slides
More informationCounting points on elliptic curves: Hasse s theorem and recent developments
Counting points on elliptic curves: Hasse s theorem and recent developments Igor Tolkov June 3, 009 Abstract We introduce the the elliptic curve and the problem of counting the number of points on the
More informationThe Sato-Tate conjecture for abelian varieties
The Sato-Tate conjecture for abelian varieties Andrew V. Sutherland Massachusetts Institute of Technology March 5, 2014 Mikio Sato John Tate Joint work with F. Fité, K.S. Kedlaya, and V. Rotger, and also
More informationElliptic Curves Spring 2015 Problem Set #10 Due: 4/24/2015
18.783 Elliptic Curves Spring 2015 Problem Set #10 Due: 4/24/2015 Description These problems are related to the material covered in Lectures 18-19. As usual, the first person to spot each non-trivial typo/error
More informationClass invariants for quartic CM-fields
Number Theory Seminar Oxford 2 June 2011 Elliptic curves An elliptic curve E/k (char(k) 2) is a smooth projective curve y 2 = x 3 + ax 2 + bx + c. Q P E is a commutative algebraic group P Q Endomorphisms
More informationFinding small factors of integers. Speed of the number-field sieve. D. J. Bernstein University of Illinois at Chicago
The number-field sieve Finding small factors of integers Speed of the number-field sieve D. J. Bernstein University of Illinois at Chicago Prelude: finding denominators 87366 22322444 in R. Easily compute
More informationGeneration Methods of Elliptic Curves
Generation Methods of Elliptic Curves by Harald Baier and Johannes Buchmann August 27, 2002 An evaluation report for the Information-technology Promotion Agency, Japan Contents 1 Introduction 1 1.1 Preface.......................................
More informationPUBLIC-KEY CRYPTOSYSTEM BASED ON ISOGENIES
PUBLIC-KEY CRYPTOSYSTEM BASED ON ISOGENIES Alexander Rostovtsev and Anton Stolbunov Saint-Petersburg State Polytechnical University, Department of Security and Information Protection in Computer Systems,
More informationAddition sequences and numerical evaluation of modular forms
Addition sequences and numerical evaluation of modular forms Fredrik Johansson (INRIA Bordeaux) Joint work with Andreas Enge (INRIA Bordeaux) William Hart (TU Kaiserslautern) DK Statusseminar in Strobl,
More informationCOMPUTING ENDOMORPHISM RINGS OF JACOBIANS OF GENUS 2 CURVES OVER FINITE FIELDS
COMPUTING ENDOMORPHISM RINGS OF JACOBIANS OF GENUS 2 CURVES OVER FINITE FIELDS DAVID FREEMAN AND KRISTIN LAUTER Abstract. We present probabilistic algorithms which, given a genus 2 curve C defined over
More informationMaterial covered: Class numbers of quadratic fields, Valuations, Completions of fields.
ALGEBRAIC NUMBER THEORY LECTURE 6 NOTES Material covered: Class numbers of quadratic fields, Valuations, Completions of fields. 1. Ideal class groups of quadratic fields These are the ideal class groups
More informationA numerically explicit Burgess inequality and an application to qua
A numerically explicit Burgess inequality and an application to quadratic non-residues Swarthmore College AMS Sectional Meeting Akron, OH October 21, 2012 Squares Consider the sequence Can it contain any
More informationIntroduction to Arithmetic Geometry Fall 2013 Lecture #2 09/10/2013
18.78 Introduction to Arithmetic Geometry Fall 013 Lecture # 09/10/013.1 Plane conics A conic is a plane projective curve of degree. Such a curve has the form C/k : ax + by + cz + dxy + exz + fyz with
More informationConstructing Permutation Rational Functions From Isogenies
Constructing Permutation Rational Functions From Isogenies Gaetan Bisson 1 and Mehdi Tibouchi 1 University of French Polynesia NTT Secure Platform Laboratories Abstract. A permutation rational function
More informationpart 2: detecting smoothness part 3: the number-field sieve
Integer factorization, part 1: the Q sieve Integer factorization, part 2: detecting smoothness Integer factorization, part 3: the number-field sieve D. J. Bernstein Problem: Factor 611. The Q sieve forms
More informationWEIL DESCENT ATTACKS
WEIL DESCENT ATTACKS F. HESS Abstract. This article is to appear as a chapter in Advances in Elliptic Curve Cryptography, edited by I. Blake, G. Seroussi and N. Smart, Cambridge University Press, 2004.
More informationEdwards Curves and the ECM Factorisation Method
Edwards Curves and the ECM Factorisation Method Peter Birkner Eindhoven University of Technology CADO Workshop on Integer Factorization 7 October 2008 Joint work with Daniel J. Bernstein, Tanja Lange and
More informationAn introduction to supersingular isogeny-based cryptography
An introduction to supersingular isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8, 2017 Šibenik, Croatia Towards quantum-resistant cryptosystems from supersingular
More informationElliptic Curves Spring 2013 Lecture #14 04/02/2013
18.783 Elliptic Curves Spring 2013 Lecture #14 04/02/2013 A key ingredient to improving the efficiency of elliptic curve primality proving (and many other algorithms) is the ability to directly construct
More informationON THE DISTRIBUTION OF CLASS GROUPS OF NUMBER FIELDS
ON THE DISTRIBUTION OF CLASS GROUPS OF NUMBER FIELDS GUNTER MALLE Abstract. We propose a modification of the predictions of the Cohen Lenstra heuristic for class groups of number fields in the case where
More informationOn the Computation of Modular Polynomials for Elliptic Curves
On the Computation of Modular Polynomials for Elliptic Curves Ian F. Blake 1, János A. Csirik 1, Michael Rubinstein 2, and Gadiel Seroussi 1 1 Hewlett-Packard Laboratories, 1501 Page Mill Road, Palo Alto,
More informationQuaternions and Arithmetic. Colloquium, UCSD, October 27, 2005
Quaternions and Arithmetic Colloquium, UCSD, October 27, 2005 This talk is available from www.math.mcgill.ca/goren Quaternions came from Hamilton after his really good work had been done; and, though beautifully
More informationCryptographic Hash Functions from Expander Graphs
J. Cryptol. (2009) 22: 93 113 DOI: 10.1007/s00145-007-9002-x Cryptographic Hash Functions from Expander Graphs Denis X. Charles and Kristin E. Lauter Microsoft Research, Redmond, WA 98052, USA klauter@microsoft.com
More informationA Course in Computational Algebraic Number Theory
Henri Cohen 2008 AGI-Information Management Consultants May be used for personal purporses only or by libraries associated to dandelon.com network. A Course in Computational Algebraic Number Theory Springer
More information8 Point counting. 8.1 Hasse s Theorem. Spring /06/ Elliptic Curves Lecture #8
18.783 Elliptic Curves Lecture #8 Spring 2017 03/06/2017 8 Point counting 8.1 Hasse s Theorem We are now ready to prove Hasse s theorem. Theorem 8.1 (Hasse). Let E/ be an elliptic curve over a finite field.
More informationDistributed computation of the number. of points on an elliptic curve
Distributed computation of the number of points on an elliptic curve over a nite prime eld Johannes Buchmann, Volker Muller, Victor Shoup SFB 124{TP D5 Report 03/95 27th April 1995 Johannes Buchmann, Volker
More informationIntroduction to Elliptic Curves
IAS/Park City Mathematics Series Volume XX, XXXX Introduction to Elliptic Curves Alice Silverberg Introduction Why study elliptic curves? Solving equations is a classical problem with a long history. Starting
More informationElliptic Curves over Finite Fields
Elliptic Curves over Finite Fields Katherine E. Stange Stanford University Boise REU, June 14th, 2011 Consider a cubic curve of the form E : y 2 + a 1 xy + a 3 y = x 3 + a 2 x 2 + a 4 x + a 6 If you intersect
More informationCLASS FIELD THEORY AND COMPLEX MULTIPLICATION FOR ELLIPTIC CURVES
CLASS FIELD THEORY AND COMPLEX MULTIPLICATION FOR ELLIPTIC CURVES FRANK GOUNELAS 1. Class Field Theory We ll begin by motivating some of the constructions of the CM (complex multiplication) theory for
More informationIsolated Curves and the MOV Attack
Isolated Curves and the OV Attack Travis Scholl October, 207 Abstract We present a variation on the C method that produces elliptic curves over prime fields with nearly prime order that do not admit many
More informationSupersingular isogeny graphs and endomorphism rings: reductions and solutions
Supersingular isogeny graphs and endomorphism rings: reductions and solutions Kirsten Eisenträger 1, Sean Hallgren 2, Kristin Lauter 3, Travis Morrison 1, and Christophe Petit 4 1 The Pennsylvania State
More informationQuantum Security Analysis of CSIDH and Ordinary Isogeny-based Schemes
Quantum Security Analysis of CSIDH and Ordinary Isogeny-based Schemes Xavier Bonnetain 1,2 and André Schrottenloher 2 1 Sorbonne Université, Collège Doctoral, F-75005 Paris, France 2 Inria, France Abstract.
More informationDiscrete Logarithm Computation in Hyperelliptic Function Fields
Discrete Logarithm Computation in Hyperelliptic Function Fields Michael J. Jacobson, Jr. jacobs@cpsc.ucalgary.ca UNCG Summer School in Computational Number Theory 2016: Function Fields Mike Jacobson (University
More informationElliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.
Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem. Elisa Lorenzo García Université de Rennes 1 14-09-2017 Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 1 /
More informationHyperelliptic-curve cryptography. D. J. Bernstein University of Illinois at Chicago
Hyperelliptic-curve cryptography D. J. Bernstein University of Illinois at Chicago Thanks to: NSF DMS 0140542 NSF ITR 0716498 Alfred P. Sloan Foundation Two parts to this talk: 1. Elliptic curves; modern
More informationSOME REMARKS ON PRIMALITY PROVING AND ELLIPTIC CURVES. Alice Silverberg. (Communicated by Neal Koblitz)
Advances in Mathematics of Communications Volume 8, No. 4, 014, 47 436 doi:10.3934/amc.014.8.47 SOME REMARKS ON PRIMALITY PROVING AND ELLIPTIC CURVES Alice Silverberg Department of Mathematics University
More informationFour-Dimensional GLV Scalar Multiplication
Four-Dimensional GLV Scalar Multiplication ASIACRYPT 2012 Beijing, China Patrick Longa Microsoft Research Francesco Sica Nazarbayev University Elliptic Curve Scalar Multiplication A (Weierstrass) elliptic
More informationFinite Fields and Elliptic Curves in Cryptography
Finite Fields and Elliptic Curves in Cryptography Frederik Vercauteren - Katholieke Universiteit Leuven - COmputer Security and Industrial Cryptography 1 Overview Public-key vs. symmetric cryptosystem
More information