
Explicit isogenies and implementation

Luca De Feo

Freelance researcher, courtesy of ANR CHIC & Université de Rennes 1

June 23, 2011 Geocrypt, Bastia, France

Luca De Feo (ANR CHIC) Explicit isogenies and implementation GeoCrypt, June 23, 2011 1 / 13


A quick review of SEA

$\#E(\mathbb{F}_q) = q - t + 1$, where $\varphi^2 - t\varphi + q = 0 \in \mathrm{End}(E)$.

Compute $t \bmod \ell$ for small primes $\ell$.

For primes $\ell$ splitting in $\mathbb{Q}\left(\sqrt{t^2 - 4q}\right)$:

  • Compute the $\ell$-th modular polynomial $\Phi_\ell(X, Y)$ (or maybe one associated to a better invariant);
  • Factor $\Phi_\ell(X, j_E)$ to obtain an isogenous curve $E_\ell$;
  • Compute an explicit $\ell$-isogeny $I_\ell : E \to E_\ell$, let $h_\ell$ be its denominator;
  • Compute $(x^q, y^q)$ over $\mathbb{F}_q[X]/h_\ell(X)$;
  • Find $t_\ell$ such that $(x^{q^2}, y^{q^2}) + [q \bmod \ell](x, y) = [t_\ell](x^q, y^q)$.


State of the art

Various implementations of SEA:

  • Magma,
  • Pari/GP,
  • A. Enge / P. Gaudry / R. Lercier / F. Morain,
  • A. Sutherland,
  • ...

BUT:

  • Not many of them are open source.
  • We lack a complete system to play around with modular polynomials and explicit isogenies.


Why compute explicit isogenies?

  • Didactic and research purpose: play with the underpinnings of SEA;
  • Some cryptographic applications: transfer DLPs between curves, construct cryptosystems;
  • Other applications: compute modular polynomials, endomorphism rings;
  • It's fun...


How to represent an isogeny?

When drawing isogeny graphs, an isogeny is two $j$-invariants and a kernel: $j_1 \to j_2$, $E_1 \to E_2$.

  • Any isogeny $E_1 \to E_2$ can be composed with the automorphisms of the curves: $(x, y) \mapsto (x, -y)$;
  • If only $j_1$ and $j_2$ are specified, the isogeny can be composed with any isomorphism;
  • How to uniquely represent explicit isogenies?


How to uniquely represent an isogeny?

  • Choose simplified models: $y^2 = x^3 + ax + b$,
  • The only possible isomorphisms are $(x, y) \mapsto (u^2 x, u^3 y)$,
  • Make a canonical choice for the scale factor $u$.

For the multiplication-by-$m$ endomorphism, the choice is classical:

$$[m]^*\omega = m\,\omega, \qquad \frac{1}{m}\,[m]^*\omega = \omega.$$

Normalized isogenies


An isogeny $I : E \to E'$ induces an action on the differentials: $I^*\omega_{E'} = c\,\omega_E$ with $c \in K$. Then

$$\left(c\,y\,I_x(x)'\right)^2 = I_x(x)^3 + a' I_x(x) + b'.$$

When $I^*\omega_{E'} = \omega_E$, the isogeny is said to be normalized.

(Diagram with labels $[m]$, $E'$, $\hat{I}$.)

By the dual isogeny theorem $I^*\hat{I}^*\omega = m\,\omega$, but we are free to choose normalization factors $c$ and $\hat{c}$ such that $c\hat{c} = m$. There is no canonical choice; Vélu's formulae pick $c = 1$, $\hat{c} = m$.


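Vélu's formulae

Compute an isogeny with given kernel (Vélu 1971)

Given the kernel $H$, computes $I : E \to E/H$ given by $I(O_E) = O_{E/H}$ and

$$I(P) = \left( x(P) + \sum_{Q \in H^*} \bigl(x(P+Q) - x(Q)\bigr),\; y(P) + \sum_{Q \in H^*} \bigl(y(P+Q) - y(Q)\bigr) \right).$$

In practice, given $h(x)$, of degree $\ell - 1$, vanishing on $H$, with $y^2 = f(x)$ and $p_1 = \sum_{Q \in H^*} x(Q)$:

$$\frac{g(x)}{h(x)} = \ell x - p_1 - f'(x)\,\frac{h'(x)}{h(x)} - 2 f(x) \left(\frac{h'(x)}{h(x)}\right)',$$

$$I(x, y) = \left( \frac{g(x)}{h(x)},\; y \left(\frac{g(x)}{h(x)}\right)' \right).$$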
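The two forms of Vélu's formulae above, evaluated side by side on a toy curve. This is an added example, not code from the slides or from Sage: the curve $y^2 = x^3 + 3x - 1$ over $\mathbb{F}_{61}$, the order-3 kernel point $(1, 8)$ and all function names are constructed for illustration. The codomain coefficients use the standard Vélu expressions $a - 5v$, $b - 7w$, which the slide does not state.

```python
p, a, b = 61, 3, 60   # E: y^2 = x^3 + 3x - 1 over F_61 (constructed)
K, ell = (1, 8), 3    # K has order 3 and generates the kernel H

def inv(z):
    return pow(z, -1, p)          # modular inverse (Python 3.8+)

def add(P, Q):
    """Affine group law on E; None stands for the point at infinity."""
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    lam = ((3 * x1 * x1 + a) * inv(2 * y1) if P == Q
           else (y2 - y1) * inv(x2 - x1)) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def kernel_points():
    """H*: the nonzero multiples of K."""
    H, Q = [], K
    while Q is not None:
        H.append(Q)
        Q = add(Q, K)
    return H

def velu_point(P):
    """I(P) as the sum over Q in H* (first formula on the slide)."""
    H = kernel_points()
    if P is None or P in H:
        return None               # the kernel maps to O_{E/H}
    X = P[0] + sum(add(P, Q)[0] - Q[0] for Q in H)
    Y = P[1] + sum(add(P, Q)[1] - Q[1] for Q in H)
    return (X % p, Y % p)

def velu_x_from_h(x):
    """g(x)/h(x) with h = prod over H* of (x - x(Q)), evaluated at x."""
    xs = [Q[0] for Q in kernel_points()]
    s1 = sum(inv(x - xq) for xq in xs)         # h'(x)/h(x)
    s2 = -sum(inv(x - xq) ** 2 for xq in xs)   # (h'(x)/h(x))'
    f, df = x**3 + a * x + b, 3 * x * x + a
    return (ell * x - sum(xs) - df * s1 - 2 * f * s2) % p

def codomain():
    """(a', b') of E/H from the standard Velu sums v, w (not on the slide)."""
    xs = [Q[0] for Q in kernel_points()]
    v = sum(3 * x * x + a for x in xs)
    w = sum(5 * x**3 + 3 * a * x + 2 * b for x in xs)
    return ((a - 5 * v) % p, (b - 7 * w) % p)
```

Every image point satisfies the codomain equation with $y$-coordinate taken unscaled, which is the normalization $c = 1$ mentioned on the previous slide.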


Computing the kernel of an isogeny

SEA (Elkies 1998; Bostan, Morain, Salvy, and Schost 2008)

1. Factor $\Phi_\ell(X, j_E)$ to obtain an $\ell$-isogenous $j$-invariant $j_\ell$; $\tilde{O}(\ell^3)$
2. Compute normalized models; $\tilde{O}(\ell^3)$
3. Solve the differential equation. $\tilde{O}(\ell)$

Note: Steps 1 and 2 can be replaced by an algorithm to evaluate large degree isogenies with complexity $O(L_q(1/2) \log \ell)$ (Jao and Soukharev 2010).

Compute normalized models

Let $\Phi_X$ and $\Phi_Y$ be the partial derivatives of $\Phi_\ell$. Let $E : y^2 = x^3 + ax + b$, then a normalized model for $j_\ell$ is given by $E_\ell : y^2 = x^3 + \tilde{a}x + \tilde{b}$, with

$$\tilde{a} = -\frac{1}{48}\,\frac{j'^2}{j_\ell (j_\ell - 1728)}, \qquad \tilde{b} = -\frac{1}{864}\,\frac{j'^3}{j_\ell^2 (j_\ell - 1728)},$$

where

$$j' = -\frac{18}{\ell}\,\frac{b}{a}\,\frac{\Phi_X(j_E, j_\ell)}{\Phi_Y(j_E, j_\ell)}\, j_E.$$


Small characteristic

Problem: while solving the differential equation, divisions by the characteristic may occur.

Finite fields of small characteristic (Lercier and Sirvent 2008)

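1. Factor $\Phi_\ell(X, j_E)$ in $\mathbb{F}_q$ to obtain an $\ell$-isogenous $j$-invariant $j_{E'}$; $\tilde{O}(\ell^3)$
2. Lift $j_E$ and $j_{E'}$ in $\mathbb{Q}_q$ so that $\Phi_\ell(\tilde{\jmath}_E, \tilde{\jmath}_{E'}) = 0$; $\tilde{O}(\ell)$
3. Compute a normalized model for the lift of $E'$; $\tilde{O}(\ell^3)$
4. Solve the differential equation in $\mathbb{Q}_q$; $\tilde{O}(\ell)$
5. Reduce in $\mathbb{F}_q$. $\tilde{O}(\ell)$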


Algorithms independent from the degree

  • Computing $\Phi_\ell$ is the most expensive step.
  • Even if we are given $E, E'$ $\ell$-isogenous, we still need $\Phi_\ell$ to compute $\ell$-normalized models.

Suppose we are given $E, E'$ and a bound $n$ on the isogeny degree.

Couveignes' algorithms (Couveignes 1994; Couveignes 1996)

Only for ordinary curves over finite fields:

1. Construct $E[p^k]$ and $E'[p^k]$ for $p^k \gg n$,
2. Pick generators $P$ and $P'$ of $E[p^k]$ and $E'[p^k]$ respectively,
3. Interpolate the algebraic map $f : E[p^k] \to E'[p^k]$, $[i]P \mapsto [i]P'$,
4. Test if $f$ is an isogeny $E \to E'$. If not, choose different $P$ and $P'$.

The test can be done simultaneously for any $\ell < n$ using a fast XGCD algorithm (Khodadad and Monagan 2006).


Algorithms independent from the degree

Couveignes 1994

  • Works in the formal groups of $E$ and $E'$;
  • Mainly computations on power series;
  • Implemented in (Lercier 1997);
  • Complexity $O(\ell^3)$. Possibly improvable to $\tilde{O}(\ell^2)$.

Couveignes 1996

  • Uses a $p$-descent in the Weierstrass model by Voloch 1990;
  • Computations in towers of Artin-Schreier extensions over $\mathbb{F}_q$;
  • Optimized and implemented in (De Feo and Schost 2009; De Feo 2011);
  • Quasi-optimal complexity $\tilde{O}(\ell^2)$;
  • Practical for $p = 2, 3$.

Downside: both algorithms have an exponential dependency in $\log p$.


Implementations

Done

  • Arithmetic for Artin-Schreier towers: C++, GPL'ed, available at http://www.lix.polytechnique.fr/~defeo/FAAST.
  • Couveignes 1996: C++;
  • Bostan, Morain, Salvy, and Schost 2008; Lercier and Sirvent 2008: MAGMA.

Ongoing implementation in Sage

  • Already in: Vélu formulae, Stark 1973. Thanks to D. Shumow.
  • Bostan, Morain, Salvy, and Schost 2008 ready for review;
  • Working on non-normalized isogenies;
  • Lercier and Sirvent 2008 waits for some more functionality in the $p$-adics;
  • Lattices of finite fields ready for review (thanks to D. Roe), implementation of Couveignes 1996 possible on top of this patch;
  • Considering a Sage port of FAAST;
  • A lot more fun is awaiting...
