Identifying supersingular elliptic curves

Similar documents
14 Ordinary and supersingular elliptic curves

Elliptic Curves Spring 2015 Lecture #23 05/05/2015

Computing the endomorphism ring of an ordinary elliptic curve

Computing the modular equation

Computing modular polynomials with the Chinese Remainder Theorem

Modular polynomials and isogeny volcanoes

Explicit Complex Multiplication

On the evaluation of modular polynomials

Counting points on elliptic curves over F q

Elliptic curve cryptography in a post-quantum world: the mathematics of isogeny-based cryptography

Graph structure of isogeny on elliptic curves

Counting points on genus 2 curves over finite

Isogeny graphs, modular polynomials, and point counting for higher genus curves

Class invariants by the CRT method

COMPUTING MODULAR POLYNOMIALS

Introduction to Elliptic Curves

Computing the image of Galois

Isogeny graphs of abelian varieties and applications to the Discrete Logarithm Problem

Constructing genus 2 curves over finite fields

Mappings of elliptic curves

ON ISOGENY GRAPHS OF SUPERSINGULAR ELLIPTIC CURVES OVER FINITE FIELDS

Curves, Cryptography, and Primes of the Form x 2 + y 2 D

A gentle introduction to isogeny-based cryptography

On elliptic curves in characteristic 2 with wild additive reduction

Genus 2 Curves of p-rank 1 via CM method

Point counting and real multiplication on K3 surfaces

Elliptic Curves Spring 2015 Lecture #7 02/26/2015

Frobenius Distributions

HONDA-TATE THEOREM FOR ELLIPTIC CURVES

An Introduction to Supersingular Elliptic Curves and Supersingular Primes

Computing L-series coefficients of hyperelliptic curves

Isogenies in a quantum world

Introduction to Arithmetic Geometry Fall 2013 Lecture #24 12/03/2013

arxiv: v3 [math.nt] 7 May 2013

Igusa Class Polynomials

Tables of elliptic curves over number fields

arxiv: v1 [math.nt] 29 Oct 2013

Igusa Class Polynomials

Constructing Abelian Varieties for Pairing-Based Cryptography

ON THE EVALUATION OF MODULAR POLYNOMIALS

Non-generic attacks on elliptic curve DLPs

Zeta functions of buildings and Shimura varieties

NUNO FREITAS AND ALAIN KRAUS

You could have invented Supersingular Isogeny Diffie-Hellman

FORMAL GROUPS OF CERTAIN Q-CURVES OVER QUADRATIC FIELDS

Even sharper upper bounds on the number of points on curves

On some congruence properties of elliptic curves

COMPUTING MODULAR POLYNOMIALS

TORSION AND TAMAGAWA NUMBERS

CONSTRUCTING SUPERSINGULAR ELLIPTIC CURVES. Reinier Bröker

A Candidate Group with Infeasible Inversion

Elliptic Curves Spring 2013 Lecture #12 03/19/2013

Elliptic Curves Spring 2019 Problem Set #7 Due: 04/08/2019

An introduction to supersingular isogeny-based cryptography

A quantum algorithm for computing isogenies between supersingular elliptic curves

Quasi-reducible Polynomials

Computing modular polynomials in dimension 2 ECC 2015, Bordeaux

Classical and Quantum Algorithms for Isogeny-based Cryptography

Hard Homogeneous Spaces

Evaluating Large Degree Isogenies between Elliptic Curves

AN INTRODUCTION TO ELLIPTIC CURVES

20 The modular equation

IN POSITIVE CHARACTERISTICS: 3. Modular varieties with Hecke symmetries. 7. Foliation and a conjecture of Oort

The Sato-Tate conjecture for abelian varieties

Equations for Hilbert modular surfaces

arxiv: v1 [cs.cr] 11 Nov 2017

Elliptic Curves Spring 2013 Lecture #8 03/05/2013

ELLIPTIC CURVES WITH ABELIAN DIVISION FIELDS

Material covered: Class numbers of quadratic fields, Valuations, Completions of fields.

Equidistributions in arithmetic geometry

Common Core Algebra 2 Review Session 1

Igusa class polynomials

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

On the equality case of the Ramanujan Conjecture for Hilbert modular forms

Counting points on elliptic curves: Hasse s theorem and recent developments

L-Polynomials of Curves over Finite Fields

ISOGENY GRAPHS OF ORDINARY ABELIAN VARIETIES

Applications of Complex Multiplication of Elliptic Curves

Torsion subgroups of rational elliptic curves over the compositum of all cubic fields

Does There Exist an Elliptic Curve E/Q with Mordell-Weil Group Z 2 Z 8 Z 4?

An introduction to the algorithmic of p-adic numbers

20 The modular equation

Elliptic Curves Spring 2017 Lecture #5 02/22/2017

Class polynomials for abelian surfaces

2-ADIC ARITHMETIC-GEOMETRIC MEAN AND ELLIPTIC CURVES

COMPLEX MULTIPLICATION: LECTURE 14

MA 162B LECTURE NOTES: THURSDAY, FEBRUARY 26

Evitando ataques Side-Channel mediante el cálculo de curvas isógenas e isomorfas

2,3,5, LEGENDRE: ±TRACE RATIOS IN FAMILIES OF ELLIPTIC CURVES

Counting points on smooth plane quartics

Some algebraic number theory and the reciprocity map

Elliptic curves and modularity

Introduction to Arithmetic Geometry Fall 2013 Lecture #2 09/10/2013

How many elliptic curves can have the same prime conductor? Alberta Number Theory Days, BIRS, 11 May Noam D. Elkies, Harvard University

LECTURE 7, WEDNESDAY

Elliptic Curves, Group Schemes,

On Orders of Elliptic Curves over Finite Fields

UNIVERSITY OF CALGARY. An Elliptic Curve Over Q has an Isogenous Quadratic Twist if and Only if it has Complex. Multiplication

SOLUTIONS FOR PROBLEMS 1-30

ALGORITHMS FOR ALGEBRAIC CURVES

Transcription:

Identifying supersingular elliptic curves Andrew V. Sutherland Massachusetts Institute of Technology January 6, 2012 http://arxiv.org/abs/1107.1140 Andrew V. Sutherland (MIT) Identifying supersingular elliptic curves JMM 2012 1 / 16

Supersingular elliptic curves Let F q be a finite field of characteristic p. Recall that elliptic curves over finite fields come in two flavors: ordinary and supersingular. ordinary E[p] = Z/pZ #E(F q ) 1 mod p End(E) is an order in an imaginary quadratic field supersingular E[p] is trivial #E(F q ) 1 mod p End(E) is an order in a quaternion algebra Andrew V. Sutherland (MIT) Identifying supersingular elliptic curves JMM 2012 2 / 16

Distribution of supersingular elliptic curves Whether a curve E is supersingular or not depends only on its j-invariant j(e), which identifies E up to isomorphism (over F q ). If E is supersingular then j(e) F p 2, so we assume q is p or p 2. There are p 12 + O(1) supersingular j-invariants in F p 2. Of these, O(h( p)) = Õ( p) lie in F p. In either case, the probability that a random elliptic curve E/F q is supersingular is Õ(1/ q), which makes them very rare. However, every elliptic curve over Q is supersingular modulo infinitely many primes p, by a theorem of Elkies. Andrew V. Sutherland (MIT) Identifying supersingular elliptic curves JMM 2012 3 / 16

Identifying supersingular elliptic curves Problem: Given E : y 2 = f (x) = x 3 + Ax + B defined over F q, determine whether E is ordinary or supersingular. There is a fast Monte Carlo test that can prove E is ordinary. Pick a random point P on E(F q ). If q = p, test whether (p + 1)P 0. If q = p 2, test whether (p + 1)P 0 and (p 1)P 0. If the tested condition holds, then E must be ordinary. If E is in fact ordinary, each iteration of this test will succeed with probability 1 O(1/ q). But this test can never prove that E supersingular. Andrew V. Sutherland (MIT) Identifying supersingular elliptic curves JMM 2012 4 / 16

Identifying supersingular elliptic curves Problem: Given E : y 2 = f (x) = x 3 + Ax + B defined over F q, determine whether E is ordinary or supersingular. Solution 1: Compute the coefficient of x p 1 in f (x) (p 1)/2. This takes time exponential in n = log p. Solution 2: Compute #E(F q ) using Schoof s algorithm. This takes Õ(n 5 ) time. Solution 3: Check that Φ l (j(e), Y) splits completely in F p 2 for sufficiently many primes l (similar to SEA). This takes Õ(n 4 ) expected time. This talk: Use isogeny graphs. This takes Õ(n 3 ) expected time. Andrew V. Sutherland (MIT) Identifying supersingular elliptic curves JMM 2012 5 / 16

The graph of l-isogenies The classical modular polynomial Φ l Z[X, Y] parameterizes pairs of l-isogenous elliptic curves in terms of their j-invariants. Definition The graph G l (F q ) has vertex set F q and for each j 1 F q an edge (j 1, j 2 ) for each root j 2 F q of Φ l (j 1, Y), with multiplicity. Isogenous curves have the same number of rational points. Thus the vertices in each connected component of G l (F q ) are either all ordinary or all supersingular. As abstract graphs, the ordinary and supersingular components of G l (F q ) have distinctly different structures. Andrew V. Sutherland (MIT) Identifying supersingular elliptic curves JMM 2012 6 / 16

Supersingular components of G l (F p 2) If j 1 is supersingular, then φ(y) = Φ l (j 1, Y) splits completely in F p 2, since every supersingular j-invariant lies in F p 2. Thus the supersingular vertices in G l (F p 2) all have degree l + 1, and each supersingular component is an (l + 1)-regular graph. There is in fact just one supersingular component (but we won t use this). Andrew V. Sutherland (MIT) Identifying supersingular elliptic curves JMM 2012 7 / 16

Ordinary components of G l (F q ) Let E be an ordinary elliptic curve. Then End(E) = O with Z[π] O O K. Here π is the Frobenius endomorphism and K = Q( D), where D is the fundamental imaginary quadratic discriminant satisfying 4q = tr(π) 2 v 2 D. Each ordinary component of G l (F q ) consists of levels V 0,..., V d. The vertex j(e) belongs to level V i, where i = ν l ([O K : O]). Note that l d divides v. Therefore d < log l 4q. Andrew V. Sutherland (MIT) Identifying supersingular elliptic curves JMM 2012 8 / 16

l-volcanoes Vertices in level V d have degree at most 2. Vertices in level V i with i < d have degree l + 1. Ordinary components are not (l + 1)-regular graphs. They are l-volcanoes. The vertices in level V 0 form a (possibly trivial) cycle. All edges with origin in V 0 not in this cycle lead to V 1. Vertices in level V i with i > 0 have one edge up to V i 1, all other edges (0 or l of them) lead down to V i+1. Level V 0 is the surface and V d is the floor (possibly V 0 = V d ). Andrew V. Sutherland (MIT) Identifying supersingular elliptic curves JMM 2012 9 / 16

Andrew V. Sutherland (MIT) Identifying supersingular elliptic curves JMM 2012 10 / 16

A 3-volcano of depth 2 Andrew V. Sutherland (MIT) Identifying supersingular elliptic curves JMM 2012 11 / 16

Finding a shortest path to the floor Andrew V. Sutherland (MIT) Identifying supersingular elliptic curves JMM 2012 12 / 16

Algorithm Given an elliptic curve E over a field of characteristic p, determine whether E is ordinary or supersingular as follows: 1 If j(e) F p 2 then return ordinary. 2 If p 3 then return supersingular (resp. ordinary) if j(e) = 0 (resp. j(e) 0). 3 Attempt to find 3 roots of Φ 2 (j(e), Y) in F p 2. If this is not possible, return ordinary. 4 Walk 3 paths in parallel for up to log 2 p + 1 steps. If any of these paths hits the floor, return ordinary. 5 Return supersingular. Φ 2 (X, Y) = X 3 + Y 3 X 2 Y 2 + 1488(X 2 Y + Y 2 X) 162000(X 2 + Y 2 ) + 40773375XY + 8748000000(X + Y) 157464000000000. Andrew V. Sutherland (MIT) Identifying supersingular elliptic curves JMM 2012 13 / 16

Complexity analysis Proposition Let n = log p. We have a Las Vegas algorithm that runs in O(n 3 log n log log n) expected time, using O(n) space. Given quadratic and cubic non-residues in F p 2, we have a deterministic algorithm: O(n 3 log 2 n) time and O(n) space. For a random elliptic curve over F p or F p 2, the average running time is O(n 2 log n log log n). The average complexity is the same as a single iteration of the Monte Carlo test, and has better constant factors. Andrew V. Sutherland (MIT) Identifying supersingular elliptic curves JMM 2012 14 / 16

Performance results (CPU milliseconds) ordinary supersingular Magma New Magma New b F p F p 2 F p F p 2 F p F p 2 F p F p 2 64 1 25 0.1 0.1 226 770 2 8 128 2 60 0.1 0.1 2010 9950 5 13 192 4 99 0.2 0.1 8060 41800 8 33 256 7 140 0.3 0.2 21700 148000 20 63 320 10 186 0.4 0.3 41500 313000 39 113 384 14 255 0.6 0.4 95300 531000 66 198 448 19 316 0.8 0.5 152000 789000 105 310 512 24 402 1.0 0.7 316000 2280000 164 488 576 30 484 1.3 0.9 447000 3350000 229 688 640 37 595 1.6 1.0 644000 4790000 316 945 704 46 706 2.0 1.2 847000 6330000 444 1330 768 55 790 2.4 1.5 1370000 8340000 591 1770 832 66 924 3.1 1.9 1850000 10300000 793 2410 896 78 1010 3.2 2.1 2420000 12600000 1010 3040 960 87 1180 4.0 2.5 3010000 16000000 1280 3820 1024 101 1400 4.8 3.1 5110000 35600000 1610 4880 Andrew V. Sutherland (MIT) Identifying supersingular elliptic curves JMM 2012 15 / 16

Identifying supersingular elliptic curves Andrew V. Sutherland Massachusetts Institute of Technology January 6, 2012 http://arxiv.org/abs/1107.1140 Andrew V. Sutherland (MIT) Identifying supersingular elliptic curves JMM 2012 16 / 16

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback