Computing supersingular isogenies on Kummer surfaces Craig Costello - PowerPoint PPT Presentation

Computing supersingular isogenies on Kummer surfaces Craig Costello ASIACRYPT December 6, 2018 Brisbane, Australia

ECC vs. post-quantum ECC W. Castryck (GIF): https://www.esat.kuleuven.be/cosic/?p=7404

Alice 2 " -isogenies, Bob 3 $ -isogenies W. Castryck (GIF): https://www.esat.kuleuven.be/cosic/?p=7404

In a nutshell: 𝐹(𝔾 ( ) )

In a nutshell: 𝐾 , (𝔾 ( )

In a nutshell: 𝐿(𝔾 ( )

Why go hyperelliptic? 𝐹 ∶ 𝑧 1 = 𝑦 4 + ⋯ 𝐷: 𝑧 1 = 𝑦 9 + ⋯ #𝐹 𝔾 < ≈ #𝐷 𝔾 < 𝐻 ≈ 𝐷×𝐷 𝐻 = 𝐹 𝐻 = #𝐷 1 𝐻 = #𝐹

Why go Kummer? 𝐾(𝔾 ( ) 𝐿(𝔾 ( ) = 𝐾(𝔾 ( )/⟨±1⟩ 72 equations in ℙ @A 1 equation in ℙ 4 • Genus 2 analogue of elliptic curve 𝑦 -line • Extremely efficient arithmetic

… a few of my favourite things…

From elliptic to hyperelliptic Consider 𝐹/𝐿: 𝑧 1 = 𝑦 4 + 1 𝐷/𝐿: 𝑧 1 = 𝑦 9 + 1 Obvious map 𝜕 ∶ 𝐷 𝐿 → 𝐹 𝐿 𝑦, 𝑧 ↦ (𝑦 1 , 𝑧) But what about 𝜕 K@ ∶ 𝐹 𝐿 → 𝐷(? ) … 1: 2: Points on 𝐹 are group elements, points on 𝐷 are not… 3: Actually want map 𝐹 → 𝐾 , , but dim 𝐹 = 1 while dim 𝐾 , = 2 … Want general 𝜕, 𝜕 K@ between 𝑧 1 = 𝑦 4 + 𝐵𝑦 1 + 𝑦 to 𝑧 1 = 𝑦 9 + 𝐵𝑦 Q + 𝑦 1 ??? 4:

Proposition 1 𝔾 ( ) = 𝔾 ( (𝑗) with 𝑗 1 + 1 = 0 𝐹/𝔾 ( ) : 𝑧 1 = 𝑦 𝑦 − 𝛽 𝑦 − 1/𝛽 𝛽 = 𝛽 X + 𝛽 @ 𝑗 with 𝛽 X , 𝛽 @ ∈ 𝔾 ( 𝐷/𝔾 ( : 𝑧 1 = (𝑦 1 + 𝑛𝑦 − 1) 𝑦 1 − 𝑛𝑦 − 1 𝑦 1 − 𝑛𝑜𝑦 − 1 ) ]Z \ ) K@) 1Z [ (Z [ 𝑛 = Z \ , 𝑜 = ) ]@) both in 𝔾 ( (Z [ ]Z \ Then Res 𝔾 a) /𝔾 a (𝐹) is (2,2) -isogenous to 𝐾 , (𝔾 ( ) ker(𝜃) ≅ ker 𝜃̂ ≅ ℤ 1 ×ℤ 1 𝜃 𝜃 𝜃 ∘ 𝜃̂ = [2] Or, pictorially, 𝜃̂

Unpacking Proposition 1 Weil restriction turns 1 equation over 𝔾 ( ) into two equations over 𝔾 ( • Simple linear transform of 𝐹/𝔾 ( ) : 𝑧 1 = 𝑔 𝑦 = 𝑦 4 + 𝐵𝑦 1 + 𝑦 to • 𝜔 l/𝔾 ( ) : 𝑧 1 = 𝑕(𝑦) such that 𝐷/𝔾 ( ) : 𝑧 1 = 𝑕(𝑦 1 ) is non-singular 𝐹 Pullback 𝜕 ∗ of 𝜕 ∶ 𝑦, 𝑧 ↦ (𝑦 1 , 𝑧) gives 2 points in 𝐷 𝔾 ( o , • 𝜍 but composition with Abel-Jacobi map bring these to 𝐾 , (𝔾 ( ) ) Need to go from 𝐾 , (𝔾 ( ) ) to 𝐾 , (𝔾 ( ) ; cue good old Trace map, • 𝜐 t 𝜐: 𝑄 ↦ r 𝜏(𝑄) u∈vwx(𝔾 a) /𝔾 a ) 𝜃 ∶ Res 𝔾 a) /𝔾 a (𝐹) → 𝐾 , (𝔾 ( ) , 𝑄 ↦ (𝜐 ∘ 𝜍 ∘ 𝜔)(𝑄)

Matching 2 -kernels in 𝔾 ( ) with (2,2) -kernels in 𝔾 ( 𝐹 ≅ ℤ ((]@) ×ℤ ((]@) 𝐾 , ≅ ℤ ((]@)/1 ×ℤ ((]@)/1 ×ℤ 1 ×ℤ 1 𝐹 2 ≅ ℤ 1 ×ℤ 1 𝐾 , 2 ≅ ℤ 1 ×ℤ 1 ×ℤ 1 ×ℤ 1 𝑃 (0,0) • Fifteen (2,2) -kernels in 𝐾 , 𝔾 ( . Number of ways to split 𝐷 ’s sextic into three quadratic factors. ~ ↔ { 𝛽, 0 , 1/𝛽, 0 } mma 2 : identifies 𝑃 ↔ (0,0) and Υ, Υ • Le Lemma

Richelot isogenies in genus 2 Elliptic curve isogenies are easy/explicit/fast, thanks to Vélu. But beyond elliptic curves, far from true! • 2,2 -isogenies in genus 2 are exception, thanks to work beginning with Richelot in 1836 • Lessons learned from elliptic case: • (1) easiest to derive explicitly when the kernel is 𝑃 , i.e. the kernel we don’t want! (2) when kernel is Υ , precompose with isomorphism 𝜊 ‚ ∶ 𝐾 , → 𝐾 ,ƒ Υ ↦ 𝑃 ƒ (3) 𝜊 ‚ either requires a square root, or torsion “from above” (4) who cares about the full Jacobian group, let’s move the Kummer variety 𝜊 ‚ ≅ 𝑃 𝜊 ‚ (Υ)

Supersingular Kummer surfaces 1 ‡ˆ‰ : 𝐺 ⋅ 𝑌 @ 𝑌 1 𝑌 4 𝑌 Q = 𝑌 @ 1 + 𝑌 1 1 + 𝑌 4 1 + 𝑌 Q 1 − 𝐻 𝑌 @ + 𝑌 1 𝐿 „,…,† 𝑌 4 + 𝑌 Q − 𝐼 𝑌 @ 𝑌 1 + 𝑌 4 𝑌 Q Surface constants 𝐺, 𝐻, 𝐼 ∈ 𝔾 ( Points 𝑌 @ : 𝑌 1 : 𝑌 4 : 𝑌 Q ∈ ℙ 4 (𝔾 ( ) Theta constants 𝜈 @ : 𝜈 1 : 1: 1 ∼ (𝜇𝜈 @ : 𝜇𝜈 1 : 𝜇: 𝜇) Arithmetic constants 𝜌 @ : 𝜌 1 : 𝜌 4 : 𝜌 Q ; functions of 𝜈 @ , 𝜈 1 1 : ℓ 1 1 : ℓ 4 1 : ℓ Q 1 ) 𝑇: ℓ @ : ℓ 1 : ℓ 4 : ℓ Q ↦ (ℓ @ 𝐷: ℓ @ : ℓ 1 : ℓ 4 : ℓ Q ↦ (𝜌 @ ℓ @ : 𝜌 1 ℓ 1 : 𝜌 4 ℓ 4 : 𝜌 Q ℓ Q ) 𝐼: ℓ @ : ℓ 1 : ℓ 4 : ℓ Q ↦ (ℓ @ + ℓ 1 + ℓ 4 + ℓ Q : ℓ @ +ℓ 1 − ℓ 4 − ℓ Q : ℓ @ − ℓ 1 + ℓ 4 − ℓ Q : ℓ @ − ℓ 1 − ℓ 4 + ℓ Q ) ˜ ∘ 𝐼 ∘ 𝑇 ∘ 𝐷 ∘ 𝐼)(𝑄) Doubling 2 ” •–— : 𝑄 ↦ (𝑇 ∘ 𝐷 𝑃 2-isogeny (splitting [2] ) 𝜒 š : 𝑄 ↦ (𝑇 ∘ 𝐷 ∘ 𝐼)(𝑄)

Kummer isogenies for non-trivial kernels ~} . Write 𝐼 𝑄 = 𝑄 ƒ : 𝑄 1 ƒ : 𝑄 4 ƒ : 𝑄 ƒ 𝑄 point of order 2 on 𝐿 corresponding to G ∈ {Υ, Υ • @ Q ƒ : 𝑅 1 ƒ : 𝑅 4 ƒ : 𝑅 Q ƒ 𝑅 point of order 4 on 𝐿 such that 2 𝑅 = 𝑄 . Write 𝐼 𝑅 = 𝑅 @ • ƒ 𝑌 @ : 𝜌 1 ƒ 𝑌 1 : 𝜌 4 ƒ 𝑌 4 : 𝜌 Q ƒ 𝑌 Q Define 𝐷 •,ž ∶ 𝑌 @ : 𝑌 1 : 𝑌 4 : 𝑌 Q ↦ 𝜌 @ • ƒ 𝑅 Q ƒ : 𝑄 ƒ 𝑅 Q ƒ : 𝑄 1 ƒ 𝑅 @ ƒ : 𝑄 1 ƒ 𝑅 @ ƒ where 𝜌 @ : 𝜌 1 : 𝜌 4 : 𝜌 Q = 𝑄 1 @ Then 𝜒 ž : 𝐿 Ÿ< → 𝐿 Ÿ< /𝐻 , 𝑄 ↦ (𝑇 ∘ 𝐼 ∘ 𝐷 •,ž ∘ 𝐼)(𝑄) 4M+4S+16A •

Implications Theta constants map to theta constants: no special map needed to find image surface • Comparison in Table/paper very conservative. Kummer will win in aggressive impl.: • ) (scalars 4 x larger) - Recall Kummer over 𝔾 1 \)¡ K@ almost as fast as FourQ over 𝔾 1 \)¡ K@ - Recall that “doubling” and “2-isog. point” are bottlenecks in optimal tree strategy - Pushing points through 2 ℓ for small ℓ likely to be better on Kummer, don’t need to compute all intermediate surface constants

Related future work To use this right now, Alice need to map back-and-forth using 𝜃 and 𝜃̂ . Certainly not a • deal-breaker! Thus, , this is a call for r skilled implementers! But ideally we want Bob to be able to use the Kummer, too! Then uncompressed • SIDH/SIKE can be defined as Kummer everywhere! Thus, , this is a call for r fast (𝟒, 𝟒) -is isogenie ies on fas ast Kummers! Going further, general isogenies in Montgomery elliptic case have a nice explicit form (see • [C-Hisil, AsiaCrypt’17] and [Renes,PQCrypto’18]). Thus, r fast (ℓ, ℓ) - , this is a call for is isogenie ies on fas ast Kummers! Gut feeling is that there’s a better way to write down supersingular Kummers, and their • arithmetic. Thus, , this is a call for r smart rt geometers!

Cheers! https://eprint.iacr.org/2018/850.pdf https://www.microsoft.com/en-us/download/details.aspx?id=57309