Computing supersingular isogenies on Kummer surfaces
Craig Costello
ASIACRYPT, December 6, 2018, Brisbane, Australia
- W. Castryck (GIF): https://www.esat.kuleuven.be/cosic/?p=7404
ECC vs. post-quantum ECC
Alice 2"-isogenies, Bob 3$-isogenies
In a nutshell: $E(\mathbb{F}_{p^2})$
In a nutshell: $J_C(\mathbb{F}_p)$
In a nutshell: $K(\mathbb{F}_p)$
Why go hyperelliptic?
$E : y^2 = x^3 + \cdots$, $C : y^2 = x^6 + \cdots$
π» = πΉ π» = #πΉ
$\#E(\mathbb{F}_q) \approx \#C(\mathbb{F}_q)$
π» β π·Γπ· π» = #π· 1
Why go Kummer?
$J(\mathbb{F}_p)$: 72 equations in $\mathbb{P}^{15}$
$K(\mathbb{F}_p) = J(\mathbb{F}_p)/\langle \pm 1 \rangle$: 1 equation in $\mathbb{P}^3$
- Genus 2 analogue of elliptic curve $x$-line
- Extremely efficient arithmetic
… a few of my favourite things…
From elliptic to hyperelliptic
$E/K : y^2 = x^3 + 1$, $C/K : y^2 = x^6 + 1$
Consider Obvious map
π βΆ π· πΏ β πΉ πΏ π¦, π§ β¦ (π¦1, π§)
1: But what about πK@ βΆ πΉ πΏ β π·(? )β¦ 2: Points on πΉ are group elements, points on π· are notβ¦ 3: Actually want map πΉ β πΎ,, but dim πΉ = 1 while dim πΎ, = 2β¦ 4: Want general π, πK@ between π§1 = π¦4 + π΅π¦1 + π¦ to π§1 = π¦9 + π΅π¦Q + π¦1 ???
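$\mathbb{F}_{p^2} = \mathbb{F}_p(i)$ with $i^2 + 1 = 0$
Proposition 1
$E/\mathbb{F}_{p^2} : y^2 = x(x - \alpha)(x - 1/\alpha)$
$C/\mathbb{F}_p : y^2 = (x^2 + mx - 1)(x^2 - mx - 1)(x^2 - mnx - 1)$
$\alpha = \alpha_0 + \alpha_1 i$ with $\alpha_0, \alpha_1 \in \mathbb{F}_p$; $m = \frac{2\alpha_0}{\alpha_1}$, $n = \frac{\alpha_0^2 + \alpha_1^2 - 1}{\alpha_0^2 + \alpha_1^2 + 1}$, both in $\mathbb{F}_p$
Then $\mathrm{Res}_{\mathbb{F}_{p^2}/\mathbb{F}_p}(E)$ is $(2,2)$-isogenous to $J_C(\mathbb{F}_p)$. Or, pictorially,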
π π πΜ
ker(π) β ker πΜ β β€1Γβ€1 π β πΜ = [2]
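Added example, not from the slides: a brute-force check of Proposition 1 on toy primes. It computes $m$ and $n$ from $\alpha$ and confirms that $\#J_C(\mathbb{F}_p) = \#E(\mathbb{F}_{p^2})$, which must hold because isogenous abelian varieties over $\mathbb{F}_p$ have the same number of rational points; the function names and toy parameters are constructed here.

```python
def mul(a, b, p):
    """(a0 + a1*i)(b0 + b1*i) in F_{p^2} = F_p(i), where i^2 = -1."""
    return ((a[0]*b[0] - a[1]*b[1]) % p, (a[0]*b[1] + a[1]*b[0]) % p)

def curve_constants(alpha, p):
    """m = 2*a0/a1, n = (a0^2+a1^2-1)/(a0^2+a1^2+1) for alpha = a0 + a1*i."""
    a0, a1 = alpha
    norm = (a0*a0 + a1*a1) % p
    if p % 4 != 3 or a0 % p == 0 or a1 % p == 0 or (norm + 1) % p == 0:
        raise ValueError("need p = 3 (mod 4), a0*a1 != 0 and a0^2 + a1^2 != -1")
    return 2*a0*pow(a1, -1, p) % p, (norm - 1)*pow(norm + 1, -1, p) % p

def affine_count(rhs, xs, squares):
    """Count pairs (x, y) with y^2 = rhs(x), x in xs, y^2 ranging over `squares`."""
    total = 0
    for x in xs:
        v = rhs(x)
        total += 1 if v == (0, 0) else 2*(v in squares)
    return total

def group_orders(alpha, p):
    """Brute-force (#E(F_{p^2}), #J_C(F_p)); only feasible for toy primes."""
    m, n = curve_constants(alpha, p)
    fp = [(a, 0) for a in range(p)]
    fp2 = [(a, b) for a in range(p) for b in range(p)]
    sq_p = {mul(x, x, p) for x in fp}                  # squares of F_p
    sq_p2 = {mul(x, x, p) for x in fp2}                # squares of F_{p^2}
    d = pow(alpha[0]**2 + alpha[1]**2, -1, p)
    inv = (alpha[0]*d % p, -alpha[1]*d % p)            # 1/alpha

    def E(x):                                          # x(x - alpha)(x - 1/alpha)
        t = mul(x, (x[0] - alpha[0], x[1] - alpha[1]), p)
        return mul(t, (x[0] - inv[0], x[1] - inv[1]), p)

    def quad(x, c):                                    # x^2 + c*x - 1
        t = mul(x, (x[0] + c, x[1]), p)
        return ((t[0] - 1) % p, t[1])

    def C(x):                                          # sextic from Proposition 1
        return mul(mul(quad(x, m), quad(x, -m), p), quad(x, -m*n), p)

    n_E = 1 + affine_count(E, fp2, sq_p2)              # +1: point at infinity
    n1 = 2 + affine_count(C, fp, sq_p)                 # +2: two points at infinity
    n2 = 2 + affine_count(C, fp2, sq_p2)
    return n_E, (n1*n1 + n2)//2 - p                    # genus 2: #J = (N1^2+N2)/2 - q

if __name__ == "__main__":
    print(group_orders((2, 3), 19))                    # toy prime 19, alpha = 2 + 3i
```

The exhaustive counts cost on the order of $p^2$ field operations, so this is a correctness check for the formulas only and says nothing about cryptographic sizes.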
- Weil restriction turns 1 equation over $\mathbb{F}_{p^2}$ into two equations over $\mathbb{F}_p$
- Simple linear transform of πΉ/πΎ(): π§1 = π π¦ = π¦4 + π΅π¦1 + π¦ to
πΉ l/πΎ(): π§1 = π(π¦) such that π·/πΎ(): π§1 = π(π¦1) is non-singular
- Pullback πβ of π βΆ π¦, π§ β¦ (π¦1, π§) gives 2 points in π· πΎ(o ,
but composition with Abel-Jacobi map bring these to πΎ,(πΎ())
- Need to go from πΎ,(πΎ()) to πΎ,(πΎ(); cue good old Trace map,
π: π β¦ r π(π)
t uβvwx(πΎa)/πΎa)
Unpacking Proposition 1
π π π
π βΆ ResπΎa)/πΎa(πΉ) β πΎ,(πΎ(), π β¦ (π β π β π)(π)
Matching 2-kernels in $\mathbb{F}_{p^2}$ with (2,2)-kernels in $\mathbb{F}_p$
(0,0)
$J_C[2] \cong \mathbb{Z}_2 \times \mathbb{Z}_2 \times \mathbb{Z}_2 \times \mathbb{Z}_2$, $E[2] \cong \mathbb{Z}_2 \times \mathbb{Z}_2$
π
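$J_C \cong \mathbb{Z}_{(p+1)/2} \times \mathbb{Z}_{(p+1)/2} \times \mathbb{Z}_2 \times \mathbb{Z}_2$, $E \cong \mathbb{Z}_{(p+1)} \times \mathbb{Z}_{(p+1)}$
- Fifteen (2,2)-kernels in $J_C(\mathbb{F}_p)$. Number of ways to split $C$'s sextic into three quadratic factors.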
- Le
Lemma mma 2: identifies π β (0,0) and Ξ₯, Ξ₯ ~ β { π½, 0 , 1/π½, 0 }
- Elliptic curve isogenies are easy/explicit/fast, thanks to Vélu. But beyond elliptic curves, far from true!
- (2,2)-isogenies in genus 2 are the exception, thanks to work beginning with Richelot in 1836
- Lessons learned from elliptic case:
(1) easiest to derive explicitly when the kernel is π, i.e. the kernel we donβt want! (2) when kernel is Ξ₯, precompose with isomorphism πβ βΆ πΎ, β πΎ,Ζ Ξ₯ β¦ πΖ (3) πβ either requires a square root, or torsion βfrom aboveβ (4) who cares about the full Jacobian group, letβs move the Kummer variety
Richelot isogenies in genus 2
π πβ(Ξ₯)
πβ β
$K^{\mathrm{Sqr}}_{F,G,H} : F \cdot X_1X_2X_3X_4 = \left(X_1^2 + X_2^2 + X_3^2 + X_4^2 - G(X_1 + X_2)(X_3 + X_4) - H(X_1X_2 + X_3X_4)\right)^2$
Supersingular Kummer surfaces
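$H : (\ell_1 : \ell_2 : \ell_3 : \ell_4) \mapsto (\ell_1 + \ell_2 + \ell_3 + \ell_4 : \ell_1 + \ell_2 - \ell_3 - \ell_4 : \ell_1 - \ell_2 + \ell_3 - \ell_4 : \ell_1 - \ell_2 - \ell_3 + \ell_4)$
$S : (\ell_1 : \ell_2 : \ell_3 : \ell_4) \mapsto (\ell_1^2 : \ell_2^2 : \ell_3^2 : \ell_4^2)$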
π·: β@: β1: β4: βQ β¦ (π@β@: π1β1: π4β4: πQβQ)
Points π@: π1: π4: πQ β β4(πΎ() Theta constants π@: π1: 1: 1 βΌ (ππ@: ππ1: π: π) Arithmetic constants π@: π1: π4: πQ ; functions of π@, π1 Surface constants πΊ, π», πΌ β πΎ( Doubling 2 ββ’ββ: π β¦ (π β π· Λ β πΌ β π β π· β πΌ)(π) 2-isogeny (splitting [2]) πΕ‘: π β¦ (π β π· β πΌ)(π)
π
Kummer isogenies for non-trivial kernels
- π point of order 2 on πΏ corresponding to G β {Ξ₯, Ξ₯
~}. Write πΌ π = π
@ Ζ: π1 Ζ: π4 Ζ: π Q Ζ
- π point of order 4 on πΏ such that 2 π = π.
Write πΌ π = π @
Ζ: π 1 Ζ: π 4 Ζ: π Q Ζ
- Define π·β’,ΕΎ βΆ π@: π1: π4: πQ β¦ π@
Ζπ@: π1 Ζπ1: π4 Ζπ4: πQ ΖπQ
where π@: π1: π4: πQ = π1
Ζπ Q Ζ: π @ Ζπ Q Ζ: π1 Ζπ @ Ζ: π1 Ζπ @ Ζ
- Then πΕΎ: πΏΕΈ< β πΏΕΈ< /π» ,
π β¦ (π β πΌ β π·β’,ΕΎ β πΌ)(π) 4M+4S+16A
- Theta constants map to theta constants: no special map needed to find image surface
- Comparison in Table/paper very conservative. Kummer will win in aggressive impl.:
- Recall Kummer over $\mathbb{F}_{2^{127}-1}$ almost as fast as FourQ over $\mathbb{F}_{(2^{127}-1)^2}$ (scalars 4x larger)
- Recall that "doubling" and "2-isog. point" are bottlenecks in optimal tree strategy
- Pushing points through $2^\ell$ for small $\ell$ likely to be better on Kummer, don't need to compute all intermediate surface constants
Implications
- To use this right now, Alice need to map back-and-forth using π and πΜ. Certainly not a
deal-breaker! Thus, this is a call for skilled implementers!
- But ideally we want Bob to be able to use the Kummer, too! Then uncompressed
SIDH/SIKE can be defined as Kummer everywhere! Thus, this is a call for fast (3,3)-isogenies on fast Kummers!
- Going further, general isogenies in Montgomery elliptic case have a nice explicit form (see
[C-Hisil, AsiaCrypt'17] and [Renes, PQCrypto'18]). Thus, this is a call for fast $(\ell, \ell)$-isogenies on fast Kummers!
- Gut feeling is that there's a better way to write down supersingular Kummers, and their arithmetic. Thus, this is a call for smart geometers!