Explicit isogenies and implementation Luca De Feo Freelance researcher, courtesy of ANR CHIC & Universit´ e de Rennes 1 June 23, 2011 Geocrypt, Bastia, France Luca De Feo (ANR CHIC) Explicit isogenies and implementation GeoCrypt, June 23, 2011 1 / 13
A quick review of SEA ✬ ✷ � t ✬ ✰ q ❂ ✵ ✷ ❊♥❞✭ ❊ ✮ ★ ❊ ✭ ❋ q ✮ ❂ q � t ✰ ✶ where Compute t ♠♦❞ ❵ for small primes ❵ ✏♣ ✑ t ✷ � ✹ q For primes ❵ splitting in ◗ : Compute the ❵ -th modular polynomial ✟ ❵ ✭ ❳ ❀ ❨ ✮ (or maybe one associated to a better invariant); Factor ✟ ❵ ✭ ❳ ❀ ❥ ❊ ✮ to obtain an isogenous curve ❊ ❵ ; Compute an explicit ❵ -isogeny ■ ❵ ✿ ❊ ✦ ❊ ❵ , let ❤ ❵ be its denominator; Compute ✭ ① q ❀ ② q ✮ over ❋ q ❬ ❳ ❪ ❂ ❤ ❵ ✭ ❳ ✮ ; Find t ❵ such that ✭ ① q ✷ ❀ ② q ✷ ✮ ✰ ❬ q ♠♦❞ ❵ ❪✭ ① ❀ ② ✮ ❂ ❬ t ❵ ❪✭ ① q ❀ ② q ✮ . Luca De Feo (ANR CHIC) Explicit isogenies and implementation GeoCrypt, June 23, 2011 2 / 13
State of the art Various implementations of SEA: Magma, Pari/GP, A. Enge / P. Gaudry / R. Lercier / F. Morain A. Sutherland, . . . BUT: Not many of them are open source. We lack a complete system to play around with modular polynomials and explicit isogenies Luca De Feo (ANR CHIC) Explicit isogenies and implementation GeoCrypt, June 23, 2011 3 / 13
Why compute explicit isogenies? Didactic and research purpose: play with the underpinnings of SEA; Some cryptographic applications: transfer DLPs between curves, construct cryptosystems; Other applications: compute modular polynomials, endomorphism rings; It’s fun. . . Luca De Feo (ANR CHIC) Explicit isogenies and implementation GeoCrypt, June 23, 2011 4 / 13
❊ ✶ ✦ ❊ ✷ ❥ ✶ ❥ ✷ How to represent an isogeny? When drawing isogeny graphs, an isogeny is two ❥ -invariants and a kernel. ❥ ✶ � ✦ ❥ ✷ Luca De Feo (ANR CHIC) Explicit isogenies and implementation GeoCrypt, June 23, 2011 5 / 13
❥ ✶ ❥ ✷ How to represent an isogeny? Any isogeny ❊ ✶ ✦ ❊ ✷ can be composed with the automorphisms of the curves; ✭ ① ❀ ② ✮ ✼✦ ✭ ① ❀ � ② ✮ Luca De Feo (ANR CHIC) Explicit isogenies and implementation GeoCrypt, June 23, 2011 5 / 13
How to represent an isogeny? Any isogeny ❊ ✶ ✦ ❊ ✷ can be composed with the automorphisms of the curves; If only ❥ ✶ and ❥ ✷ are specified, the isogeny can be composed with any isomorphism; Luca De Feo (ANR CHIC) Explicit isogenies and implementation GeoCrypt, June 23, 2011 5 / 13
How to represent an isogeny? Any isogeny ❊ ✶ ✦ ❊ ✷ can be composed with the automorphisms of the curves; If only ❥ ✶ and ❥ ✷ are specified, the isogeny can be composed with any isomorphism; How to uniquely represent explicit isogenies? Luca De Feo (ANR CHIC) Explicit isogenies and implementation GeoCrypt, June 23, 2011 5 / 13
How to uniquely represent an isogeny? Choose simplified models: ② ✷ ❂ ① ✸ ✰ ❛① ✰ ❜ , The only possible isomorphisms are ✭ ① ❀ ② ✮ ✼✦ ✭ ✉ ✷ ① ❀ ✉ ✸ ② ✮ , Make a canonical choice for the scale factor ✉ . For the multiplication-by- ♠ endomorphism, the choice is classical: Luca De Feo (ANR CHIC) Explicit isogenies and implementation GeoCrypt, June 23, 2011 6 / 13
How to uniquely represent an isogeny? Choose simplified models: ② ✷ ❂ ① ✸ ✰ ❛① ✰ ❜ , The only possible isomorphisms are ✭ ① ❀ ② ✮ ✼✦ ✭ ✉ ✷ ① ❀ ✉ ✸ ② ✮ , Make a canonical choice for the scale factor ✉ . For the multiplication-by- ♠ endomorphism, the choice is classical: Luca De Feo (ANR CHIC) Explicit isogenies and implementation GeoCrypt, June 23, 2011 6 / 13
How to uniquely represent an isogeny? Choose simplified models: ② ✷ ❂ ① ✸ ✰ ❛① ✰ ❜ , The only possible isomorphisms are ✭ ① ❀ ② ✮ ✼✦ ✭ ✉ ✷ ① ❀ ✉ ✸ ② ✮ , Make a canonical choice for the scale factor ✉ . For the multiplication-by- ♠ endomorphism, the choice is classical: ❬ ♠ ❪ ✄ ✦ ✄ ❂ ♠ ✦ ✄ ❬✷❪ Luca De Feo (ANR CHIC) Explicit isogenies and implementation GeoCrypt, June 23, 2011 6 / 13
How to uniquely represent an isogeny? Choose simplified models: ② ✷ ❂ ① ✸ ✰ ❛① ✰ ❜ , The only possible isomorphisms are ✭ ① ❀ ② ✮ ✼✦ ✭ ✉ ✷ ① ❀ ✉ ✸ ② ✮ , Make a canonical choice for the scale factor ✉ . For the multiplication-by- ♠ endomorphism, the choice is classical: Luca De Feo (ANR CHIC) Explicit isogenies and implementation GeoCrypt, June 23, 2011 6 / 13
How to uniquely represent an isogeny? Choose simplified models: ② ✷ ❂ ① ✸ ✰ ❛① ✰ ❜ , The only possible isomorphisms are ✭ ① ❀ ② ✮ ✼✦ ✭ ✉ ✷ ① ❀ ✉ ✸ ② ✮ , Make a canonical choice for the scale factor ✉ . For the multiplication-by- ♠ endomorphism, the choice is classical: ❬ ♠ ❪ ✄ ✦ ✶ ♠ ✄ ❂ ✦ ✄ Luca De Feo (ANR CHIC) Explicit isogenies and implementation GeoCrypt, June 23, 2011 6 / 13
� Normalized isogenies Normalized isogenies An isogeny ■ ✿ ❊ ✦ ❊ ✵ induces an action on the differentials: ■ ✄ ✦ ❊ ✵ ❂ ❝ ✦ ❊ with ❝ ✷ ❑ . Then ✭ ❝② ■ ① ✭ ① ✮ ✵ ✮ ✷ ❂ ■ ① ✭ ① ✮ ✸ ✰ ❛ ✵ ■ ① ✭ ① ✮ ✰ ❜ ✵ ✿ When ■ ✄ ✦ ❊ ✵ ❂ ✦ ❊ , the isogeny is said to be normalized. ■ � ❊ ✵ ❊ � � � ❬ ♠ ❪ � � � ❫ ■ � � � ❊ By the dual isogeny theorem ■ ✄ ❫ ■ ✄ ✦ ❂ ♠ ✦ , but we are free to choose normalization factors ❝ and ❫ ❝ such that ❝ ❫ ❝ ❂ ♠ . There is no canonical choice, V´ elu’s formulae pick ❝ ❂ ✶ , ❫ ❝ ❂ ♠ . Luca De Feo (ANR CHIC) Explicit isogenies and implementation GeoCrypt, June 23, 2011 7 / 13
V´ elu’s formulae Compute an isogeny with given kernel (V´ elu 1971) Given the kernel ❍ , computes ■ ✿ ❊ ✦ ❊ ❂ ❍ given by ■ ✭ ❖ ❊ ✮ ❂ ■ ✭ ❖ ❊ ❂ ❍ ✮ , ✥ ✦ ❳ ❳ ■ ✭ P ✮ ❂ ① ✭ P ✮ ✰ ① ✭ P ✰ ◗ ✮ � ① ✭ ◗ ✮ ❀ ② ✭ P ✮ ✰ ② ✭ P ✰ ◗ ✮ � ② ✭ ◗ ✮ . ◗ ✷ ❍ ✄ ◗ ✷ ❍ ✄ In practice, given ❤ ✭ ① ✮ , of degree ❵ � ✶ , vanishing on ❍ ✑ ✵ ❤ ✭ ① ✮ ❂ ❵ ① � ♣ ✶ � ❢ ✵ ✭ ① ✮ ❤ ✵ ✭ ① ✮ ❣ ✭ ① ✮ ✏ ❤ ✵ ✭ ① ✮ ❳ ② ✷ ❂ ❢ ✭ ① ✮ , ♣ ✶ ❂ ① ✭ ◗ ✮ , ❤ ✭ ① ✮ � ✷ ❢ ✭ ① ✮ ❤ ✭ ① ✮ ◗ ✷ ❍ ✄ ✥ ✓ ✵ ✦ ❣ ✭ ① ✮ ✒ ❣ ✭ ① ✮ ■ ✭ ① ❀ ② ✮ ❂ ❤ ✭ ① ✮ ❀ ② ❤ ✭ ① ✮ Luca De Feo (ANR CHIC) Explicit isogenies and implementation GeoCrypt, June 23, 2011 8 / 13
Computing the kernel of an isogeny SEA (Elkies 1998; Bostan, Morain, Salvy, and Schost 2008) ❖ ✭ ❵ ✸ ✮ ⑦ Factor ✟ ❵ ✭ ❳ ❀ ❥ ❊ ✮ to obtain an ❵ -isogenous ❥ -invariant ❥ ❵ ; 1 ❖ ✭ ❵ ✸ ✮ ⑦ Compute normalized models; 2 ⑦ Solve the differential equation. ❖ ✭ ❵ ✮ 3 Note: Steps ✶ and ✷ can be replaced by an algorithm to evaluate large degree isogenies with complexity ❖ ✭ ▲ q ✭✶ ❂ ✷✮ ❧♦❣ ❵ ✮ (Jao and Soukharev 2010). Compute normalized models Let ✟ ❳ and ✟ ❨ be the partial derivatives of ✟ ❵ . Let ❊ ✿ ② ✷ ❂ ① ✸ ✰ ❛① ✰ ❜ , then a normalized model for ❥ ❵ is given by ❊ ❵ ✿ ② ✷ ❂ ① ✸ ✰ ⑦ ❛① ✰ ⑦ ❜ , with ❥ ✵ ✷ ❥ ✵ ✸ ❛ ❂ � ✶ ❜ ❂ � ✶ ⑦ ⑦ ❥ ❵ ✭ ❥ ❵ � ✶✼✷✽✮ ❀ ❵ ✭ ❥ ❵ � ✶✼✷✽✮ ❀ ❥ ✷ ✹✽ ✽✻✹ where ❥ ✵ ❂ � ✶✽ ❜ ✟ ❳ ✭ ❥ ❊ ❀ ❥ ❵ ✮ ✟ ❨ ✭ ❥ ❊ ❀ ❥ ❵ ✮ ❥ ❊ ✿ ❵ ❛ Luca De Feo (ANR CHIC) Explicit isogenies and implementation GeoCrypt, June 23, 2011 9 / 13
Small characteristic Problem: while solving the differential equation, divisions by the characteristic may occur. Finite fields of small characteristic (Lercier and Sirvent 2008) ❖ ✭ ❵ ✸ ✮ ⑦ Factor ✟ ❵ ✭ ❳ ❀ ❥ ❊ ✮ in ❋ q to obtain an ❵ -isogenous ❥ -invariant ❥ ❊ ✵ ; 1 ⑦ Lift ❥ ❊ and ❥ ❊ ✵ in ◗ q so that ✟ ❵ ✭⑦ ⑤ ❊ ❀ ⑦ ⑤ ❊ ✵ ✮ ❂ ✵ ❖ ✭ ❵ ✮ 2 ❖ ✭ ❵ ✸ ✮ ⑦ Compute a normalized model for the lift of ❊ ✵ ; 3 ⑦ Solve the differential equation in ◗ q ; ❖ ✭ ❵ ✮ 4 ⑦ Reduce in ❋ q . ❖ ✭ ❵ ✮ 5 Luca De Feo (ANR CHIC) Explicit isogenies and implementation GeoCrypt, June 23, 2011 10 / 13
Recommend
More recommend
