Explicit Complex Multiplication

Similar documents
Mappings of elliptic curves

Fast, twist-secure elliptic curve cryptography from Q-curves

Non-generic attacks on elliptic curve DLPs

14 Ordinary and supersingular elliptic curves

Identifying supersingular elliptic curves

Computing the endomorphism ring of an ordinary elliptic curve

Constructing genus 2 curves over finite fields

Elliptic Curves Spring 2015 Lecture #23 05/05/2015

Counting points on elliptic curves over F q

Explicit isogenies and the Discrete Logarithm Problem in genus three

HONDA-TATE THEOREM FOR ELLIPTIC CURVES

Computing the modular equation

Graph structure of isogeny on elliptic curves

Introduction to Elliptic Curves

Modular polynomials and isogeny volcanoes

Class invariants by the CRT method

Constructing Abelian Varieties for Pairing-Based Cryptography

Curves, Cryptography, and Primes of the Form x 2 + y 2 D

Genus 2 Curves of p-rank 1 via CM method

Isogeny graphs, modular polynomials, and point counting for higher genus curves

Igusa Class Polynomials

Isogeny graphs of abelian varieties and applications to the Discrete Logarithm Problem

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

Isogenies in a quantum world

Counting points on genus 2 curves over finite

13 Endomorphism algebras

A gentle introduction to isogeny-based cryptography

An Introduction to Supersingular Elliptic Curves and Supersingular Primes

Igusa Class Polynomials

13 Endomorphism algebras

Four-Dimensional GLV Scalar Multiplication

ON ISOGENY GRAPHS OF SUPERSINGULAR ELLIPTIC CURVES OVER FINITE FIELDS

Families of fast elliptic curves from Q-curves

Elliptic Curves Spring 2015 Lecture #7 02/26/2015

Computing modular polynomials with the Chinese Remainder Theorem

Elliptic Curves Spring 2013 Lecture #14 04/02/2013

COMPLEX MULTIPLICATION: LECTURE 15

Page Points Possible Points. Total 200

NUNO FREITAS AND ALAIN KRAUS

EXERCISES IN MODULAR FORMS I (MATH 726) (2) Prove that a lattice L is integral if and only if its Gram matrix has integer coefficients.

CLASS FIELD THEORY AND COMPLEX MULTIPLICATION FOR ELLIPTIC CURVES

FORMAL GROUPS OF CERTAIN Q-CURVES OVER QUADRATIC FIELDS

You could have invented Supersingular Isogeny Diffie-Hellman

Hyperelliptic curves

Applications of Complex Multiplication of Elliptic Curves

Elliptic Curves as Complex Tori

Evaluating Large Degree Isogenies between Elliptic Curves

w d : Y 0 (N) Y 0 (N)

Computing the image of Galois

NOTES ON FINITE FIELDS

Classical and Quantum Algorithms for Isogeny-based Cryptography

Computing isogeny graphs using CM lattices

Modular forms and the Hilbert class field

Homework problems from Chapters IV-VI: answers and solutions

Tables of elliptic curves over number fields

Introduction to Arithmetic Geometry Fall 2013 Lecture #24 12/03/2013

ISOGENY GRAPHS OF ORDINARY ABELIAN VARIETIES

On elliptic curves in characteristic 2 with wild additive reduction

Equations for Hilbert modular surfaces

Mathematical analysis of the computational complexity of integer sub-decomposition algorithm

ALGEBRA PH.D. QUALIFYING EXAM September 27, 2008

Abstracts of papers. Amod Agashe

COMPLEX MULTIPLICATION: LECTURE 14

ON THE HARDNESS OF COMPUTING ENDOMORPHISM RINGS OF SUPERSINGULAR ELLIPTIC CURVES

AN INTRODUCTION TO ELLIPTIC CURVES

An Alternate Decomposition of an Integer for Faster Point Multiplication on Certain Elliptic Curves

TOTALLY RAMIFIED PRIMES AND EISENSTEIN POLYNOMIALS. 1. Introduction

Katherine Stange. ECC 2007, Dublin, Ireland

GALOIS GROUPS OF CUBICS AND QUARTICS (NOT IN CHARACTERISTIC 2)

Outline of the Seminar Topics on elliptic curves Saarbrücken,

Modern Algebra Prof. Manindra Agrawal Department of Computer Science and Engineering Indian Institute of Technology, Kanpur

Loop-abort faults on supersingular isogeny cryptosystems

L-Polynomials of Curves over Finite Fields

ALGORITHMS FOR ALGEBRAIC CURVES

MA 162B LECTURE NOTES: THURSDAY, FEBRUARY 26

COMPUTING MODULAR POLYNOMIALS

SPECIAL CASES OF THE CLASS NUMBER FORMULA

CONSTRUCTING SUPERSINGULAR ELLIPTIC CURVES. Reinier Bröker

Elliptic curve cryptography in a post-quantum world: the mathematics of isogeny-based cryptography

Public-key Cryptography: Theory and Practice

IN POSITIVE CHARACTERISTICS: 3. Modular varieties with Hecke symmetries. 7. Foliation and a conjecture of Oort

Counting points on elliptic curves: Hasse s theorem and recent developments

Efficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves

Point counting and real multiplication on K3 surfaces

Elliptic Curves Spring 2019 Problem Set #7 Due: 04/08/2019

Generation Methods of Elliptic Curves

6]. (10) (i) Determine the units in the rings Z[i] and Z[ 10]. If n is a squarefree

Isogeny invariance of the BSD conjecture

An introduction to supersingular isogeny-based cryptography

A Candidate Group with Infeasible Inversion

Some algebraic number theory and the reciprocity map

Individual Discrete Logarithm in GF(p k ) (last step of the Number Field Sieve algorithm)

Constructing Families of Pairing-Friendly Elliptic Curves

PUBLIC-KEY CRYPTOSYSTEM BASED ON ISOGENIES

Explicit Representation of the Endomorphism Rings of Supersingular Elliptic Curves

arxiv: v1 [math.nt] 29 Oct 2013

Hard and Easy Problems for Supersingular Isogeny Graphs

φ(xy) = (xy) n = x n y n = φ(x)φ(y)

20 The modular equation

[06.1] Given a 3-by-3 matrix M with integer entries, find A, B integer 3-by-3 matrices with determinant ±1 such that AMB is diagonal.

Transcription:

Explicit Complex Multiplication Benjamin Smith INRIA Saclay Île-de-France & Laboratoire d Informatique de l École polytechnique (LIX) Eindhoven, September 2008 Smith (INRIA & LIX) Explicit CM Eindhoven, September 2008 1 / 20

So, where were we? In the last lecture, we saw that if E is an elliptic curve and End(E) is its endomorphism ring, then End(E) contains the multiplication-by-m map for every m in Z; over F q, we also have the Frobenius endomorphism; we also have Aut(E) End(E) (but generically Aut(E) = {[±1]}, so this doesn t give anything new.) In this lecture, we want to explore the structure of End(E). We use End(E) to denote the ring of endomorphisms of E defined over k, while End k (E) denotes the endomorphisms of E defined over k. Smith (INRIA & LIX) Explicit CM Eindhoven, September 2008 2 / 20

More on the j-invariant First, let s talk a bit more about the j-invariant... The idea is that there is essentially only one degree of freedom when choosing an elliptic curve over F q. Choosing a j-invariant and a twist determines your curve and your security. Choosing the model of your curve makes a difference to your speed, but not your essential cryptographic efficiency. Smith (INRIA & LIX) Explicit CM Eindhoven, September 2008 3 / 20

The structure of End(E) There are only three kinds of rings that End(E) can be isomorphic to. Theorem Let E be an elliptic curve over k. One of the following holds: 1 End(E) = End k (E) = Z. 2 End k (E) = an order in a quadratic imaginary extension of Q. 3 End k (E) = an order in a quaternion algebra over Q. If char k = 0, then (3) cannot occur (for slightly tricky reasons). If char k 0, then (1) cannot occur (because π E is not an integer). Further, (3) occurs if and only if E is supersingular. If End(E) Z, then we say that E has complex multiplication (CM). You should recognise Z, but what about the other rings? Smith (INRIA & LIX) Explicit CM Eindhoven, September 2008 4 / 20

Orders in quadratic imaginary fields Suppose K = Q(α) is a quadratic imaginary field (so α satisfies a quadratic minimal polynomial with negative discriminant.) The ring of integers (or maximal order) of K is O K = {β K : m(β) = 0 for some monic integer polynomial m}. The orders of K are the subrings O of K satisfying O is a finitely generated Z-module, and O Q = K (that is, K is like O with (rational) denominators ). These orders are precisely the subrings of K of the form O = Z + f O K where f 2 divides K (the discriminant of K). Smith (INRIA & LIX) Explicit CM Eindhoven, September 2008 5 / 20

Orders in quadratic imaginary fields Example If K = Q( 3), then (1 + 3)/2 has minimal polynomial X 2 X + 1, so (1 + 3)/2 is in O K. In fact O K = Z[(1 + 3)/2], and K = 12 = 2 2 3. The orders of K are therefore Z + 1 O K = O K and Z + 2 O K = Z[ 3]. Note that Z[ 3] has index 2 in O K. Smith (INRIA & LIX) Explicit CM Eindhoven, September 2008 6 / 20

Orders in quaternion algebras A quaternion algebra is an algebra of the form K = Q + Qα + Qβ + Qαβ where α 2 and β 2 are negative rational numbers, and αβ = βα. An order O of K is a subring of K such that O is finitely generated as a Z-module, and O Q = K (that is, K is like O with denominators ). We won t be needing these today, since we will be concentrating on ordinary curves. Smith (INRIA & LIX) Explicit CM Eindhoven, September 2008 7 / 20

Frobenius Let E be an elliptic curve over F q, with Frobenius endomorphism π E. Recall that π E has a characteristic polynomial χ E (X ) = X 2 t E X + q with t E 2 q such that χ E (π E ) = 0. The discriminant of χ E is = te 2 4q < 0, so Q(π E ) = Q[X ]/(χ E (X )) is a quadratic imaginary field, and End(E) is an order in Q(π E ). We have Z[π E ] End(E) End k (E) O Q(πE ). Remark Determining End(E) (and End k (E)) is a nontrivial matter, which is addressed by Kohel s algorithm. Smith (INRIA & LIX) Explicit CM Eindhoven, September 2008 8 / 20

Isogenies and endomorphism rings Suppose φ : E F is an isogeny. How are End(E) and End(F ) related? Definition If E is an elliptic curve, then we define End 0 (E) := End(E) Q. We call End 0 (E) the endomorphism algebra of E. For each ψ in End(F ), we have an endomorphism φ ψφ of E. Exercise Show that the map ψ 1 deg(φ) φ ψφ defines an isomorphism End 0 (F ) End 0 (E). Theorem End 0 (E) is an isogeny class invariant. Smith (INRIA & LIX) Explicit CM Eindhoven, September 2008 9 / 20

Isogenies and endomorphism rings Corollary If k = F q, then Q(π E ) = Q(π F ). Corollary The set of supersingular elliptic curves over F p is an isogeny class. If φ : E F is an isogeny, then End 0 (E) = End 0 (F ), but we can still have End(E) = End(F ). In particular, End(E) and End(F ) can be different orders in End 0 (E). However, if φ is an l-isogeny (that is, it has degree l), then either End(E) = End(F ), or End(E) has index l in End(F ), or End(F ) has index l in End(E). So an isogeny φ can change the size of the endomorphism, but only by an index depending on the degree of φ. Smith (INRIA & LIX) Explicit CM Eindhoven, September 2008 10 / 20

A (very) brief look at Kohel s algorithm Suppose we want to determine End(E) for some ordiary E over F q. First, we compute t E = (q + 1) #E(F q ); then χ E = X 2 t E X + q, so End(E) = Z + f O Q(πE ) for some f dividing the conductor m of Z[π E ] in O Q(πE ). Next, we factor m (which is likely to be smooth, hence easy to factor). For each prime l dividing m, we construct the l-isogeny graph containing j(e) in the moduli space, which looks something like this: Smith (INRIA & LIX) Explicit CM Eindhoven, September 2008 11 / 20

Kohel s algorithm (continued) The idea is that the j-invariants in the cycle correspond to curves F with endomorphism ring End(F ) = O Q(πE ), while each step away from the cycle reduces the endomorphism ring by an index l. The largest power of l dividing f is the distance from j(e) to the cycle. Morain and Fouquet use these ideas in reverse to speed up the Schoof point counting algorithm. Smith (INRIA & LIX) Explicit CM Eindhoven, September 2008 12 / 20

CM in characteristic zero What is the situation for elliptic curves over Q? If E is an elliptic curve over Q (or C for that matter), then either End(E) = Z (the generic situation), or End(E) = an order in a quadratic imaginary field (the exceptional case). Remark Over C, elliptic curves are isomorphic to complex tori: that is, each curve is a quotient of C by a lattice Λ = 1, τ. The endomorphisms of C/Λ are the elements z C such that zλ = Λ. Noninteger endomorphisms can only exist if τ is an algebraic integer, and in fact all of these endomorphisms must lie in Q(τ). Smith (INRIA & LIX) Explicit CM Eindhoven, September 2008 13 / 20

Reduction of curves and endomorphisms Recall that if E : y 2 = f (x) is an elliptic curve defined over Q and p is a prime of good reduction for E, then reducing the equation of E modulo p defines an elliptic curve E : y 2 = f (x) over F p. If φ is an endomorphism of E, then we can reduce the coefficients of its rational map modulo p to give an endomorphism φ of E. Theorem The map End(E) End(E) induced by reducing modulo p is an injective homomorphism. Many curves over Q reduce to the same E modulo p, and End(E) contains the endomorphism ring of every one of them. Smith (INRIA & LIX) Explicit CM Eindhoven, September 2008 14 / 20

The endomorphism algebra of a reduction Corollary Let E be an elliptic curve over Q such that End(E) is an order O in a quadratic imaginary field K, and let p be any prime of good reduction for E. Then End(E) contains a subring isomorphic to O. Note that End 0 (E) need not be isomorphic to K. If E is ordinary then End 0 (E) = K, but if E is supersingular then K is only the center of End 0 (E). Smith (INRIA & LIX) Explicit CM Eindhoven, September 2008 15 / 20

The CM method for curve construction One application of this result is the CM method (of which we will only give a very rough sketch). Suppose we have an algorithm that, given a quadratic imaginary field K, together with an element α of K of norm p, constructs an elliptic curve E over Q such that End 0 (E) = K with α representing π E. Suppose now that we want a curve F over F p such that #F (F p ) = N. We know that t E = p + 1 N, so End 0 (F ) must contain the field K = Q[X ]/(X 2 (p + 1 N)X + p). Applying the algorithm we compute a curve E over Q with End 0 (E) = K. Then we reduce E modulo p to obtain a curve F = E over F p with the required number of points. (More generally, E could be defined over a number field.) Smith (INRIA & LIX) Explicit CM Eindhoven, September 2008 16 / 20

Class polynomials It remains to determine a way to compute an E over Q. It is enough to compute the j-invariant of E, since this is enough to reconstruct E (though we may need to check the right twist of E.) The conventional solution uses the class polynomial of K: that is, a polynomial H K (X ) whose roots are the j-invariants of curves over Q whose endomorphism ring is equal to O K. These class polynomials can be precomputed relatively easily: Enge s algorithm runs in essentially linear time in size of K. The hard part is finding enough disk space to write down the polynomial. In Magma, you can compute class polynomials using HilbertClassPolynomial(Discriminant(K)); Smith (INRIA & LIX) Explicit CM Eindhoven, September 2008 17 / 20

Examples of class polynomials Example Let K = Q(i) = Q[X ]/(X 2 + 1). The maximal order of K is Z[i]. The field K has discriminant 4. The class polynomial of K is H 4 (X ) = X 1728; so only curves with j-invariant 1728 can have endomorphism ring isomorphic to Z[i]. Recall that these curves are all Q-isomorphic to E : y 2 = x 3 + x. Example Some examples of other class polynomials include H 20 (X ) = X 2 1264000X 681472000 H 52 (X ) = X 2 6896880000X 567663552000000 H 31 (X ) = X 3 + 39491307X 2 58682638134X + 1566028350940383 Smith (INRIA & LIX) Explicit CM Eindhoven, September 2008 18 / 20

Eigenvalues of endomorphisms Let E be an elliptic curve over F q, and suppose E(F q ) has a subgroup G of large prime order N (so N 2 does not divide #E(F q )). For cryptography, we need to do a lot of scalar multiplication in G. Suppose we can efficiently compute a non-integer endomorphism φ of E; let m φ (X ) be its (quadratic) minimal polynomial. We have φ(g) = G; but G is cyclic, so its endomorphisms are all integer multiplications; so φ acts like an integer eigenvalue on G. Indeed, φ acts like [λ] on G, where λ is one of the roots of m φ (X ) mod N. Given an integer m, we can write [m] = [a] + [λ][b] with a and b about half the size of m. For any P in G, we can then compute [m]p more efficiently by using [m]p = [a]p + φ([b]p). This is the basis of Gallant Lambert Vanstone (GLV) multiplication. Smith (INRIA & LIX) Explicit CM Eindhoven, September 2008 19 / 20

Other fast multiplication techniques Endomorphisms also appear in other fast multiplication techniques. Example (Multiplication with Frobenius expansions) Let E be an elliptic curve defined over F p, but viewed as an elliptic curve over F q where q = p n. The p-power Frobenius isogeny is then an endomorphism π p of E. Again, π p (G) = G, so π p has an eigenvalue λ on G. When we want to multiply by an integer m, we can expand m in base λ, writing m = m 0 + m 1 λ + m 2 λ 2 + and then evaluate [m]p = [m 0 ]P + π p ([m 1 ]P) + π 2 p([m 2 ]P) +. During ECC you will see Galbraith Scott multiplication, which also uses a fast explicit endomorphism to speed up scalar multiplication on elliptic curves defined over F q 2. Smith (INRIA & LIX) Explicit CM Eindhoven, September 2008 20 / 20

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback