Computing the endomorphism ring of an ordinary elliptic curve

Similar documents
Modular polynomials and isogeny volcanoes

Computing modular polynomials with the Chinese Remainder Theorem

Computing the modular equation

Elliptic Curves Spring 2015 Lecture #23 05/05/2015

Identifying supersingular elliptic curves

Elliptic curve cryptography in a post-quantum world: the mathematics of isogeny-based cryptography

Explicit Complex Multiplication

14 Ordinary and supersingular elliptic curves

Isogenies in a quantum world

On the evaluation of modular polynomials

Isogeny graphs of abelian varieties and applications to the Discrete Logarithm Problem

Introduction to Arithmetic Geometry Fall 2013 Lecture #24 12/03/2013

Constructing genus 2 curves over finite fields

Mappings of elliptic curves

Computing the image of Galois

arxiv: v3 [math.nt] 7 May 2013

Class invariants by the CRT method

ON ISOGENY GRAPHS OF SUPERSINGULAR ELLIPTIC CURVES OVER FINITE FIELDS

Genus 2 Curves of p-rank 1 via CM method

Isogeny graphs, modular polynomials, and point counting for higher genus curves

A Candidate Group with Infeasible Inversion

COMPUTING MODULAR POLYNOMIALS

Journal of Number Theory

Elliptic Curves Spring 2015 Lecture #7 02/26/2015

Graph structure of isogeny on elliptic curves

CONSTRUCTING SUPERSINGULAR ELLIPTIC CURVES. Reinier Bröker

ISOGENY GRAPHS OF ORDINARY ABELIAN VARIETIES

Introduction to Elliptic Curves

You could have invented Supersingular Isogeny Diffie-Hellman

Non-generic attacks on elliptic curve DLPs

Section II.1. Free Abelian Groups

Counting points on elliptic curves over F q

ON THE EVALUATION OF MODULAR POLYNOMIALS

Counting points on genus 2 curves over finite

The Sato-Tate conjecture for abelian varieties

AVERAGE RECIPROCALS OF THE ORDER OF a MODULO n

w d : Y 0 (N) Y 0 (N)

MA 162B LECTURE NOTES: THURSDAY, FEBRUARY 26

Evaluating Large Degree Isogenies between Elliptic Curves

Igusa Class Polynomials

How many elliptic curves can have the same prime conductor? Alberta Number Theory Days, BIRS, 11 May Noam D. Elkies, Harvard University

Frobenius Distributions

Computing isogeny graphs using CM lattices

arxiv: v1 [math.nt] 29 Oct 2013

A gentle introduction to isogeny-based cryptography

WEIL DESCENT ATTACKS

Pairing the volcano. 1 Introduction. Sorina Ionica 1 and Antoine Joux 1,2

2,3,5, LEGENDRE: ±TRACE RATIOS IN FAMILIES OF ELLIPTIC CURVES

Isogeny invariance of the BSD conjecture

PUBLIC-KEY CRYPTOSYSTEM BASED ON ISOGENIES

COMPUTING MODULAR POLYNOMIALS

HONDA-TATE THEOREM FOR ELLIPTIC CURVES

Elliptic Curves Spring 2013 Lecture #14 04/02/2013

On elliptic curves in characteristic 2 with wild additive reduction

A p-adic ALGORITHM TO COMPUTE THE HILBERT CLASS POLYNOMIAL. Reinier Bröker

Hard Homogeneous Spaces

20 The modular equation

Torsion subgroups of rational elliptic curves over the compositum of all cubic fields

Independence of Heegner Points Joseph H. Silverman (Joint work with Michael Rosen)

An introduction to supersingular isogeny-based cryptography

Igusa Class Polynomials

Constructing Abelian Varieties for Pairing-Based Cryptography

TC10 / 3. Finite fields S. Xambó

FORMAL GROUPS OF CERTAIN Q-CURVES OVER QUADRATIC FIELDS

Modular forms and the Hilbert class field

Computing modular polynomials in dimension 2 ECC 2015, Bordeaux

ON THE HARDNESS OF COMPUTING ENDOMORPHISM RINGS OF SUPERSINGULAR ELLIPTIC CURVES

L-Polynomials of Curves over Finite Fields

Bad reduction of genus 3 curves with Complex Multiplication

COMPLEX MULTIPLICATION: LECTURE 14

ALGORITHMS FOR ALGEBRAIC CURVES

Classical and Quantum Algorithms for Isogeny-based Cryptography

Computing endomorphism rings of abelian varieties of dimension two

An Introduction to Supersingular Elliptic Curves and Supersingular Primes

Curves, Cryptography, and Primes of the Form x 2 + y 2 D

Divisibility Sequences for Elliptic Curves with Complex Multiplication

LECTURE 2 FRANZ LEMMERMEYER

Elliptic Curves Spring 2019 Problem Set #7 Due: 04/08/2019

The Kummer Pairing. Alexander J. Barrios Purdue University. 12 September 2013

Lecture 2: Elliptic curves

VARIETIES WITHOUT EXTRA AUTOMORPHISMS II: HYPERELLIPTIC CURVES

13 Endomorphism algebras

Constructing Permutation Rational Functions From Isogenies

Elliptic Curve Primality Proving

Elliptic curves and modularity

c Copyright 2012 Wenhan Wang

FINITE GROUPS AND EQUATIONS OVER FINITE FIELDS A PROBLEM SET FOR ARIZONA WINTER SCHOOL 2016

8 Point counting. 8.1 Hasse s Theorem. Spring /06/ Elliptic Curves Lecture #8

6 Ideal norms and the Dedekind-Kummer theorem

Counting points on elliptic curves: Hasse s theorem and recent developments

Constructing Families of Pairing-Friendly Elliptic Curves

Even sharper upper bounds on the number of points on curves

Igusa class polynomials

REDUCTION OF ELLIPTIC CURVES OVER CERTAIN REAL QUADRATIC NUMBER FIELDS

Riemann surfaces with extra automorphisms and endomorphism rings of their Jacobians

Point counting and real multiplication on K3 surfaces

Hyperelliptic curves

Elliptic Curves, Group Schemes,

EXTENSIONS OF CM ELLIPTIC CURVES AND ORBIT COUNTING ON THE PROJECTIVE LINE

Γ 1 (N) given by the W -operator W =. It would be interesting to show

Transcription:

Computing the endomorphism ring of an ordinary elliptic curve Massachusetts Institute of Technology April 3, 2009 joint work with Gaetan Bisson http://arxiv.org/abs/0902.4670

Elliptic curves An elliptic curve E/F is a smooth projective curve of genus 1 with a distinguished rational point 0. The set E(F) of rational points on E form an abelian group. For char(f) 2, 3 we define E with an affine equation y 2 = x 3 + Ax + B, where 4A 3 + 27B 2 0. The j-invariant of E is j(e) = 12 3 4A 3 4A 3 + 27B 2. If F = F then j(e) uniquely identifies E (but not in F q ).

Elliptic curves over finite fields Consider F = F q. The size of the group E(F q ) is #E(F q ) = q + 1 t, for some integer t with t 2 q. The SEA algorithm computes t in polynomial time (very fast in practice). Typically t is nonzero in F q, in which case E is called ordinary. Some useful facts about t = t(e): 1. t(e 1 ) = t(e 2 ) E 1 and E 2 are isogenous. 2. j(e 1 ) = j(e 2 ) and t(e 1 ) = t(e 2 ) E 2 = E2. 3. j(e 1 ) = j(e 2 ) = t(e 1 ) = t(e 2 ) for j(e 1 ) / {0, 12 3 }.

Maps between elliptic curves An isogeny φ : E 1 E 2 is a rational map (defined over F) with φ(0) = 0. It induces a homomorphism from E 1 (F) to E 2 (F). The endomorphism ring End(E) contains all φ : E E. We have Z End E, but for F = F q, equality never holds. If E/F q is ordinary, then End(E) = O(D) where O(D) = Z + D + D Z 2 is the imaginary quadratic order of some discriminant D. We want to compute D.

The Frobenius endomorphism The endomorphism π : (x, y) (x q, y q ) on E(F q ) satisfies π 2 tπ + q = 0. If we set D π = t 2 4q and fix an isomorphism End E = O(D) we may regard π = t+ D π 2 as an element of O(D). Thus O(D π ) O(D), which implies D D π and that D and D π have the same fundamental discriminant D K. By factoring D π = v 2 D K we may determine D K and v. We then have D = u 2 D K for some u v. We want to compute u. This is easy if v is small (or smooth), but may be hard if not.

Computing isogenies We call a (separable) isogeny φ an l-isogeny if # ker φ = l. We restrict to prime l, in which case ker φ is cyclic. The classical modular polynomial Φ l Z[X, Y ] has the property Φ l ( j(e1 ), j(e 2 ) ) = 0 E 1 and E 2 are l-isogenous. The l-isogeny graph G l (F q ) has vertex set E(F q ) = {j(e/f q )} = F q, and edges (j 1, j 2 ) for Φ l (j 1, j 2 ) = 0 (note Φ l is symmetric). Φ l is big: O(l 3+ɛ ) bits.

The structure of the l-isogeny graph [Kohel] The connected components of G l (F q ) are l-volcanoes. An l-volcano of height h has vertices in level V 0,..., V h. Vertices in V 0 have endomorphism ring O(D 0 ) with l u 0. Vertices in V k have endomorphism ring O(l 2k D 0 ). 1. The subgraph on V 0 is a cycle (the surface). All other edges lie between V k and V k+1 for some k. 2. For k > 0 each vertex in V k has one neighbor in V k 1. 3. For k < h every vertex in V k has degree l + 1. See [Kohel 1996], [Fouquet-Morain 2002], or [S 2009] for more details.

A 3-volcano of height 2 with a 4-cycle

Algorithms to compute u Isogeny climbing: computes l-isogenies for prime l v to determine the power of l dividing u in. Probabilistic complexity O(q 3/2+ɛ ). Kohel s algorithm: computes the kernel of n-isogenies, where n = O(q 1/6 ) need not be a divisor of v. Deterministic complexity O(q 1/3+ɛ ) (GRH). New algorithm: computes the cardinality of smooth relations using isogenies of subexponential degree. Probabilistic complexity L[1/2, 3/2](q) (GRH+). ( L [α, c] (x) = exp (c + o(1)) (log x) α (log log x) 1 α). All algorithms have unconditionally correct output.

The action of the class group [CM theory] For an invertible ideal a O D = End(E), let E[a] be the subgroup of points annihilated by all a a. The map j(e) j(e/e[a]) corresponds to an isogeny of degree N(a). This defines a group action by the ideal group on the set {j(e/f q ) : End(E) = O(D)}. This action factors through the class group cl(o(d)) = cl(d). The action is faithful and transitive. See the books of [Cox], [Lang], or [Silverman] for more on CM theory.

Walking isogeny cycles ( ) If l v and D l = 1, the l-volcano containing j(e) is a cycle of length α, where α cl(d) contains an ideal of norm l. We can compute α (without knowing D) by walking a path j 0, j 1,... in G l (F q ) starting from j 0 = j(e): 1. Let j 1 be one of the two roots of Φ l ( X, j0 ) in Fq. 2. Let j k+1 be the unique root of Φ l ( X, jk ) /(X jk 1 ) in F q. The choice of j 1 is arbitrary (we cannot distinguish α and α 1 ). In either case, α (and α 1 ) is the least n for which j n = j 0. Step 2 finds the unique root of a degree l polynomial f (X) over F q. Complexity is T (l) = O(l 2 + M(l) log q) operations in F q.

Computing End(E) with class groups (naïvely) Given E/F q, let #E = q + 1 t and 4q = t 2 v 2 D K, so that End(E) = O(D) where D = u 2 D K for some u v. If u 1,..., u m are the divisors of v, then u = u i for some i. Pick any l v satisfying ( DK l ) = 1. For each D i = u 2 i D K there is an element α i cl(d i ) containing an ideal of norm l, but α i typically varies with i. We can compare α i to the length of the l-isogeny cycle containing j(e). These must be equal if u = u i. This is too slow, but we can exploit this idea.

Relations A relation R is a pair of vectors (l 1,..., l k ) and (e 1,..., e k ). We say R holds in cl(d) if for each i there is an α i cl(d) containing an ideal of norm l i such that α e 1 1 αe k k = 1. More generally, we define the cardinality of R in cl(d) by { #R/D = # τ {±1} k : } α τ i e i i = 1 in cl(d). #R/D does not depend on the choice of α i.

Counting relations Given a relation R with (l 1,..., l k ) and (e 1,..., e k ): 1. Set J 0 be a list containing the single element j(e). 2. For each element in J i walk e i steps in both directions of the l i cycle and append the two end points to the list J i+1. 3. #R/E is the number of times j(e) appears in the list J k. The complexity is k i=1 2i e i T (l i ) operations in F q.

The key lemma Lemma: If O(D 1 ) O(D 2 ) then #R/D 1 #R/D 2. Proof: There is a norm-preserving map from O(D 1 ) to O(D 2 ) that induces a group homomorphism from cl(d 1 ) to cl(d 2 ). Corollary: Let p v and set D 1 = (v/p) 2 D K and D 2 = p 2 D K. Let R be a relation with #R/D 1 > #R/D 2. If u is the conductor of O(D) = End(E) then Theorem: Such an R exists. p u #R/E < #R/D 1. Conjecture: Almost all R that hold in cl(d 1 ) don t hold in cl(d 2 ).

Algorithm to compute End(E) Given E/F q, the following algorithm computes D = u 2 D K, the discriminant of the order isomorphic to End(E). 1. Compute t = q + 1 #E, v, and D k, with 4q = t 2 v 2 D K. 2. For primes p v, find a relation R satisfying the corollary. Count #R/E in the isogeny graph to test whether p u. 3. Output u 2 D K. The algorithm above assumes v is square-free.

Finding smooth relations The following algorithm is adapted from Hafner/McCurley. We seek a smooth relation in cl(d 1 ). Pick a smoothness bound B and a small constant k 0 (say 3). 1. Let l 1,..., l n be the primes up to B with ( D1 l i ) = 1, and let α i cl(d 1 ) contain an ideal of norm l i. 2. Generate β = α x i i where all but k 0 of the x i are zero and the other x i are suitably bounded. 3. For each β, test whether N(b) is B-smooth, where b is a the reduced representative of β. 4. If so write α x i i = α y i i and compute R. Verify that #R/D 1 > #R/D 2 (almost always true). For suitable B, the complexity is L[1/2, 3/2]( D )

An example of cryptographic size (200 bits) We have 4q = t 2 v 2 D K where t = 212, D K = 7 and v = 2 127 524287 }{{} 7195777666870732918103 }{{} p 1 p 2. After finding 2 u and 127 u we test p 1 u by computing R 1 = (2 2533, 11 752, 29 2, 37 47, 79 1, 113 1, 149 1, 151 2, 347 1, 431 1 ), which holds in cl(p 2 2 D K ) but not cl(p 2 1 D K ).We test p 2 u using R 2 = (2 23, 11 5, 43 1, 71 2 ), which holds in cl(p 2 1 D K ) but not in cl(p 2 2 D K ). Total time to compute End(E) is under 30 minutes

Certifying the endomorphism ring To verify a claimed value of u, it suffices to have a relation R p for each prime divisor of v such that: 1. For each prime p (v/u), we have #R p /E > #R p /p 2 D K. 2. For each prime p u, we have #R p /(u/p) 2 D K > #R p /E. Certificate size is O(log 2+ɛ q). Note that either D 1 u 2 D K or D 1 = (u/p) 2 D K. We always have D 1 D. Very useful when D D π. This yields an algorithm to compute u with complexity L [1/2 + o(1), 1] ( D ) + L [1/3, c] (q) which depends primarily on D, not q.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback