Exploring Isogeny Graphs Around the Volcano in 2 80 Days Luca De Feo - - PowerPoint PPT Presentation

Exploring Isogeny Graphs

Around the Volcano in 280 Days Luca De Feo

hand drawings by Rachel Deyts

Université Paris Saclay – UVSQ

Dec 14, 2018, UVSQ, Versailles

Elliptic curves

Let E ✿ y2 ❂ x 3 ✰ ax ✰ b be an elliptic curve... An algebraic curve, ✰

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 2 / 38

Elliptic curves

Let E ✿ y2 ❂ x 3 ✰ ax ✰ b be an elliptic curve... An algebraic curve, A group. P Q R P ✰ Q

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 2 / 38

Why should I care? (Diffie–Hellman key exchange)

Goal: Alice and Bob have never met before. They are chatting over a public channel, and want to agree on a shared secret to start a private conversation. Setup: They agree on a (large) cyclic group E✭❋p✮ ❂ ❤P✐ of (prime)

• rder q.

Alice Bob pick random a ✷ ❩❂q❩ compute A ❂ ❬a❪P pick random b ✷ ❩❂q❩ compute B ❂ ❬b❪P A B Shared secret is ❬a❪B ❂ ❬ab❪P ❂ ❬b❪A

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 3 / 38

Why should I care?

But, also:

Elliptic Curve Factoring Method (Lenstra ’85); Elliptic Curve Primality Proving (Atkin, Morain ’86-’93); Efficient normal bases for finite fields (Couveignes, Lercier ’10); ...

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 4 / 38

Why should I care?

P Q R P ✰ Q

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 5 / 38

Why should I care?

✰

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 5 / 38

Why should I care?

✰

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 5 / 38

Why should I care?

✰

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 5 / 38

Why should I care?

✰

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 5 / 38

Why should I care?

✰

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 5 / 38

Elliptic curves I power 70% of WWW traffic!

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 6 / 38

What is scalar multiplication? ❬n❪ ✿ P ✼✦ P ✰ P ✰ ✁ ✁ ✁ ✰ P

⑤ ④③ ⑥ n times

A map E ✦ E , a group morphism, with finite kernel (the torsion group E❬n❪ ✬ ✭❩❂n❩✮2), surjective (in the algebraic closure), given by rational maps of degree n2. ✱

• ✦
• ✦

✣

• ✦

✵ ✦ ✵

❂ ❂

✵✿

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 7 / 38

What is /////// scalar///////////////// multiplication an isogeny? ❬n❪ ✿ P ✼✦ P ✰ P ✰ ✁ ✁ ✁ ✰ P

⑤ ④③ ⑥ n times

A map E ✦ E , a group morphism, with finite kernel (the torsion group E❬n❪ ✬ ✭❩❂n❩✮2), surjective (in the algebraic closure), given by rational maps of degree n2. ✱

• ✦
• ✦

✣

• ✦

✵ ✦ ✵

❂ ❂

✵✿

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 7 / 38

What is /////// scalar///////////////// multiplication an isogeny? ✣ ✿ P ✼✦ ✣✭P✮

A map E ✦ E , a group morphism, with finite kernel (the torsion group E❬n❪ ✬ ✭❩❂n❩✮2), surjective (in the algebraic closure), given by rational maps of degree n2. ✱

• ✦
• ✦

✣

• ✦

✵ ✦ ✵

❂ ❂

✵✿

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 7 / 38

What is /////// scalar///////////////// multiplication an isogeny? ✣ ✿ P ✼✦ ✣✭P✮

A map E ✦ E //E ✵, a group morphism, with finite kernel (the torsion group E❬n❪ ✬ ✭❩❂n❩✮2), surjective (in the algebraic closure), given by rational maps of degree n2. ✱

• ✦
• ✦

✣

• ✦

✵ ✦ ✵

❂ ❂

✵✿

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 7 / 38

What is /////// scalar///////////////// multiplication an isogeny? ✣ ✿ P ✼✦ ✣✭P✮

A map E ✦ E //E ✵, a group morphism, with finite kernel (//// the///////// torsion//////// group ///////////////////// E❬n❪ ✬ ✭❩❂n❩✮2 any finite subgroup H ✚ E), surjective (in the algebraic closure), given by rational maps of degree n2. ✱

• ✦
• ✦

✣

• ✦

✵ ✦ ✵

❂ ❂

✵✿

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 7 / 38

What is /////// scalar///////////////// multiplication an isogeny? ✣ ✿ P ✼✦ ✣✭P✮

A map E ✦ E //E ✵, a group morphism, with finite kernel (//// the///////// torsion//////// group ///////////////////// E❬n❪ ✬ ✭❩❂n❩✮2 any finite subgroup H ✚ E), surjective (in the algebraic closure), given by rational maps of degree/// n2 ★H. ✱

• ✦
• ✦

✣

• ✦

✵ ✦ ✵

❂ ❂

✵✿

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 7 / 38

What is /////// scalar///////////////// multiplication an isogeny? ✣ ✿ P ✼✦ ✣✭P✮

A map E ✦ E //E ✵, a group morphism, with finite kernel (//// the///////// torsion//////// group ///////////////////// E❬n❪ ✬ ✭❩❂n❩✮2 any finite subgroup H ✚ E), surjective (in the algebraic closure), given by rational maps of degree/// n2 ★H. (Separable) isogenies ✱ finite subgroups: ✦ H ✦ E

✣

• ✦ E ✵ ✦ 0

The kernel H determines the image curve E ✵ up to isomorphism E❂H

def

❂ E ✵✿

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 7 / 38

Isogenies: an example over ❋11

E ✿ y2 ❂ x 3 ✰ x E ✵ ✿ y2 ❂ x 3 4x ✣✭x❀ y✮ ❂

✥

x 2 ✰ 1 x ❀ y x 2 1 x 2

✦

✼✦ ❋✄

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 8 / 38

Isogenies: an example over ❋11

E ✿ y2 ❂ x 3 ✰ x E ✵ ✿ y2 ❂ x 3 4x ✣✭x❀ y✮ ❂

✥

x 2 ✰ 1 x ❀ y x 2 1 x 2

✦

Kernel generator in red. This is a degree 2 map. Analogous to x ✼✦ x 2 in ❋✄

q.

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 8 / 38

Computing Isogenies

Vélu’s formulas

Input: A subgroup H ✚ E, Output: The isogeny ✣ ✿ E ✦ E❂H. Complexity: O✭❵✮ — Vélu 1971, ... Why? Evaluate isogeny on points P ✷ E; Walk in isogeny graphs. ❵ ✚ ❵ ⑦ ✭❵ ✮

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 9 / 38

Computing Isogenies

Vélu’s formulas

Input: A subgroup H ✚ E, Output: The isogeny ✣ ✿ E ✦ E❂H. Complexity: O✭❵✮ — Vélu 1971, ... Why? Evaluate isogeny on points P ✷ E; Walk in isogeny graphs.

Explicit Isogeny Problem

Input: Curve E, (prime) integer ❵ Output: All subgroups H ✚ E of order ❵. Complexity: ⑦ O✭❵2✮ — Elkies 1992 Why? List all isogenies of given degree; Count points of elliptic curves; Compute endomorphism rings of elliptic curves; Walk in isogeny graphs.

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 9 / 38

Computing Isogenies

Explicit Isogeny Problem (2)

Input: Curves E❀ E ✵, isogenous of degree ❵. Output: The isogeny ✣ ✿ E ✦ E ✵ of degree ❵. Complexity: O✭❵2✮ — Elkies 1992; Couveignes 1996; Lercier and Sirvent 2008; De Feo 2011; De Feo, Hugounenq, Plût, and Éric Schost 2016; Lairez and Vaccon 2016, ... Why? Count points of elliptic curves. ❀

✵

✣ ✿ ✦

✵

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 10 / 38

Computing Isogenies

Explicit Isogeny Problem (2)

Input: Curves E❀ E ✵, isogenous of degree ❵. Output: The isogeny ✣ ✿ E ✦ E ✵ of degree ❵. Complexity: O✭❵2✮ — Elkies 1992; Couveignes 1996; Lercier and Sirvent 2008; De Feo 2011; De Feo, Hugounenq, Plût, and Éric Schost 2016; Lairez and Vaccon 2016, ... Why? Count points of elliptic curves.

Isogeny Walk Problem

Input: Isogenous curves E❀ E ✵. Output: An isogeny ✣ ✿ E ✦ E ✵ of smooth degree. Complexity: Generically hard — Galbraith, Hess, and Smart 2002, ... Why? Cryptanalysis (ECC); Foundational problem for isogeny-based cryptography.

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 10 / 38

Isogeny graphs

We look at the graph of elliptic curves with isogenies up to isomorphism. We say two isogenies ✣❀ ✣✵ are isomorphic if: E E ✵ E ✵

✣ ✣✵

❡

Example: Finite field, ordinary case, graph of isogenies of degree 3.

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 11 / 38

What do isogeny graphs look like?

Torsion subgroups (❵ prime)

In an algebraically closed field: E❬❵❪ ❂ ❤P❀ Q✐ ✬ ✭❩❂❵❩✮2 ✰ There are exactly ❵ ✰ 1 cyclic subgroups H ✚ E of order ❵: ❤P✐❀ ❤P ✰ Q✐❀ ✿ ✿ ✿ ❤P ✰ ✭❵ 1✮Q✐ ✰ There are exactly ❵ ✰ 1 distinct isogenies of degree ❵. (non-CM) 2-isogeny graph over ❈

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 12 / 38

What happens over a finite field ❋p?

Rational isogenies (❵ ✻❂ p)

In the algebraic closure ✖ ❋p E❬❵❪ ❂ ❤P❀ Q✐ ✬ ✭❩❂❵❩✮2 However, an isogeny is defined over ❋p only if its kernel is Galois invariant. Enter the Frobenius map ✙ ✿ E ✦ E ✭x❀ y✮ ✼ ✦ ✭x p❀ yp✮ E is seen here as a curve over ✖ ❋p.

The Frobenius action on E❬❵❪

✙✭P✮ ❂ ✙✭Q✮ ❂ aP ✰ bQ cP ✰ dQ

✥ ✦

✙ ✿ ♠♦❞ ❵ ✙❥ ❬❵❪

• ▲✭❩❂❵❩✮

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 13 / 38

What happens over a finite field ❋p?

Rational isogenies (❵ ✻❂ p)

In the algebraic closure ✖ ❋p E❬❵❪ ❂ ❤P❀ Q✐ ✬ ✭❩❂❵❩✮2 However, an isogeny is defined over ❋p only if its kernel is Galois invariant. Enter the Frobenius map ✙ ✿ E ✦ E ✭x❀ y✮ ✼ ✦ ✭x p❀ yp✮ E is seen here as a curve over ✖ ❋p.

The Frobenius action on E❬❵❪

✙✭ ✮ ❂ ✙✭ ✮ ❂ aP ✰ bQ cP ✰ dQ

✥ ✦

✙ ✿ ♠♦❞ ❵ ✙❥ ❬❵❪

• ▲✭❩❂❵❩✮

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 13 / 38

What happens over a finite field ❋p?

Rational isogenies (❵ ✻❂ p)

In the algebraic closure ✖ ❋p E❬❵❪ ❂ ❤P❀ Q✐ ✬ ✭❩❂❵❩✮2 However, an isogeny is defined over ❋p only if its kernel is Galois invariant. Enter the Frobenius map ✙ ✿ E ✦ E ✭x❀ y✮ ✼ ✦ ✭x p❀ yp✮ E is seen here as a curve over ✖ ❋p.

The Frobenius action on E❬❵❪

✙✭ ✮ ❂ ✙✭ ✮ ❂ aP ✰ bQ cP ✰ dQ

✥ ✦

✙ ✿ ♠♦❞ ❵ ✙❥ ❬❵❪

• ▲✭❩❂❵❩✮

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 13 / 38

What happens over a finite field ❋p?

Rational isogenies (❵ ✻❂ p)

In the algebraic closure ✖ ❋p E❬❵❪ ❂ ❤P❀ Q✐ ✬ ✭❩❂❵❩✮2 However, an isogeny is defined over ❋p only if its kernel is Galois invariant. Enter the Frobenius map ✙ ✿ E ✦ E ✭x❀ y✮ ✼ ✦ ✭x p❀ yp✮ E is seen here as a curve over ✖ ❋p.

The Frobenius action on E❬❵❪

✙✭ ✮ ❂ ✙✭ ✮ ❂ a ✰ b c ✰ d

✥ ✦

✙ ✿ ♠♦❞ ❵ ✙❥ ❬❵❪

• ▲✭❩❂❵❩✮

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 13 / 38

What happens over a finite field ❋p?

Rational isogenies (❵ ✻❂ p)

In the algebraic closure ✖ ❋p E❬❵❪ ❂ ❤P❀ Q✐ ✬ ✭❩❂❵❩✮2 However, an isogeny is defined over ❋p only if its kernel is Galois invariant. Enter the Frobenius map ✙ ✿ E ✦ E ✭x❀ y✮ ✼ ✦ ✭x p❀ yp✮ E is seen here as a curve over ✖ ❋p.

The Frobenius action on E❬❵❪

✙✭ ✮ ❂ ✙✭ ✮ ❂ a ✰ b c ✰ d

✥ ✦

✙ ✿ ♠♦❞ ❵ ✙❥ ❬❵❪

• ▲✭❩❂❵❩✮

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 13 / 38

What happens over a finite field ❋p?

Rational isogenies (❵ ✻❂ p)

In the algebraic closure ✖ ❋p E❬❵❪ ❂ ❤P❀ Q✐ ✬ ✭❩❂❵❩✮2 However, an isogeny is defined over ❋p only if its kernel is Galois invariant. Enter the Frobenius map ✙ ✿ E ✦ E ✭x❀ y✮ ✼ ✦ ✭x p❀ yp✮ E is seen here as a curve over ✖ ❋p.

The Frobenius action on E❬❵❪

✙✭ ✮ ❂ ✙✭ ✮ ❂ a ✰ b c ✰ d

✥ ✦

✙ ✿ ♠♦❞ ❵ We identify ✙❥E❬❵❪ to a conjugacy class in ●▲✭❩❂❵❩✮.

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 13 / 38

What happens over a finite field ❋p?

Galois invariant subgroups of E❬❵❪ = eigenspaces of ✙ ✷ ●▲✭❩❂❵❩✮ = rational isogenies of degree ❵ ✙❥ ❬❵❪ ✘

✕

✕

✁

✦ ❵ ✰ ✙❥ ❬❵❪ ✘

✏

✕ ✖

✑

✕ ✻❂ ✖ ✦ ✙❥ ❬❵❪ ✘

✕ ✄

✕

✁

✦ ✙❥ ❬❵❪ ✦

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 14 / 38

What happens over a finite field ❋p?

Galois invariant subgroups of E❬❵❪ = eigenspaces of ✙ ✷ ●▲✭❩❂❵❩✮ = rational isogenies of degree ❵

How many Galois invariant subgroups?

✙❥E❬❵❪ ✘

✕ 0

0 ✕

✁

✦ ❵ ✰ 1 isogenies ✙❥E❬❵❪ ✘

✏

✕ 0 0 ✖

✑

with ✕ ✻❂ ✖ ✦ two isogenies ✙❥E❬❵❪ ✘

✕ ✄

0 ✕

✁

✦ one isogeny ✙❥E❬❵❪ is not diagonalizable ✦ no isogeny

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 14 / 38

What happens over a finite field ❋p?

Endomorphisms

An isogeny E ✦ E is also called an endomorphism. Examples: scalar multiplication ❬n❪, Frobenius map ✙. With addition and composition, the endomorphisms form a ring ❊♥❞✭E✮. Theorem (Deuring): ❊♥❞✭E✮ is isomorphic to one of the following: An order ❖ in a quadratic imaginary field K ❂ ◗✭ ♣ D✮: E is ordinary with complex multiplication by ❖. A maximal order in a quaternion algebra E is supersingular. Theorem (Serre-Tate): E❀ E ✵ are isogenous iff ❊♥❞✭E✮ ✡ ◗ ✬ ❊♥❞✭E ✵✮ ✡ ◗. Corollary: E❂❋p and E ✵❂❋p are isogenous iff ★E✭❋p✮ ❂ ★E ✵✭❋p✮.

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 15 / 38

Volcanology (Kohel 1996)

Let E❀ E ✵ be curves with respective endomorphism rings ❖❀ ❖✵ ✚ K. Let ✣ ✿ E ✦ E ✵ be an isogeny of prime degree ❵, then: if ❖ ❂ ❖✵, ✣ is horizontal; if ❬❖✵ ✿ ❖❪ ❂ ❵, ✣ is ascending; if ❬❖ ✿ ❖✵❪ ❂ ❵, ✣ is descending. ❊♥❞✭E✮ ❖K ❩❬✙❪

Ordinary isogeny volcano of degree ❵ ❂ 3.

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 16 / 38

Volcanology (Kohel 1996)

Let E be ordinary, ❊♥❞✭E✮ ✚ K. ❖K: maximal order of K, DK: discriminant of K. ❂

❵✭❬❖

✿ ❩❬✙❪❪✮

DK

❵

✁ ❂ 1 DK

❵

✁ ❂ 0 DK

❵

✁ ❂ ✰1

Horizontal Ascending Descending ❵ ✲ ❬❖K ✿ ❖❪❪ ❵ ✲ ❬❖ ✿ ❩❬✙❪❪ 1 ✰

✏

DK ❵

✑

❵ ✲ ❬❖K ✿ ❖❪❪ ❵ ❥ ❬❖ ✿ ❩❬✙❪❪ 1 ✰

✏

DK ❵

✑

❵

✏

DK ❵

✑

❵ ❥ ❬❖K ✿ ❖❪❪ ❵ ❥ ❬❖ ✿ ❩❬✙❪❪ 1 ❵ ❵ ❥ ❬❖K ✿ ❖❪❪ ❵ ✲ ❬❖ ✿ ❩❬✙❪❪ 1

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 17 / 38

Volcanology (Kohel 1996)

Let E be ordinary, ❊♥❞✭E✮ ✚ K. ❖K: maximal order of K, DK: discriminant of K. Height ❂ v❵✭❬❖K ✿ ❩❬✙❪❪✮.

DK

❵

✁ ❂ 1 DK

❵

✁ ❂ 0 DK

❵

✁ ❂ ✰1

Horizontal Ascending Descending ❵ ✲ ❬❖K ✿ ❖❪❪ ❵ ✲ ❬❖ ✿ ❩❬✙❪❪ 1 ✰

✏

DK ❵

✑

❵ ✲ ❬❖K ✿ ❖❪❪ ❵ ❥ ❬❖ ✿ ❩❬✙❪❪ 1 ✰

✏

DK ❵

✑

❵

✏

DK ❵

✑

❵ ❥ ❬❖K ✿ ❖❪❪ ❵ ❥ ❬❖ ✿ ❩❬✙❪❪ 1 ❵ ❵ ❥ ❬❖K ✿ ❖❪❪ ❵ ✲ ❬❖ ✿ ❩❬✙❪❪ 1

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 17 / 38

Volcanology (Kohel 1996)

Let E be ordinary, ❊♥❞✭E✮ ✚ K. ❖K: maximal order of K, DK: discriminant of K. Height ❂ v❵✭❬❖K ✿ ❩❬✙❪❪✮. How large is the crater?

DK

❵

✁ ❂ 1 DK

❵

✁ ❂ 0 DK

❵

✁ ❂ ✰1

Horizontal Ascending Descending ❵ ✲ ❬❖K ✿ ❖❪❪ ❵ ✲ ❬❖ ✿ ❩❬✙❪❪ 1 ✰

✏

DK ❵

✑

❵ ✲ ❬❖K ✿ ❖❪❪ ❵ ❥ ❬❖ ✿ ❩❬✙❪❪ 1 ✰

✏

DK ❵

✑

❵

✏

DK ❵

✑

❵ ❥ ❬❖K ✿ ❖❪❪ ❵ ❥ ❬❖ ✿ ❩❬✙❪❪ 1 ❵ ❵ ❥ ❬❖K ✿ ❖❪❪ ❵ ✲ ❬❖ ✿ ❩❬✙❪❪ 1

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 17 / 38

Exploring isogeny graphs

Detecting the structure of a graph ✙❥E❬❵1❪ ✿

✥

a b c d

✦

♠♦❞ ❵1 ✙❥ ❬❵ ❪ ✿

✥ ✦

♠♦❞ ❵ ✙❥ ❬❵ ❪ ✿

✥ ✦

♠♦❞ ❵ ✙❥ ❬❵ ❪ ✿

✥ ✦

♠♦❞ ❵ ✙❥ ❬❵ ❪ ✿

✥ ✦

♠♦❞ ❵ ✙❥

❵✭

✮ ✿

✥ ✦

✷ ●▲✭❩❵✮

❵✭

✮ ❂ ❧✐♠ ✥

• ❬❵ ❪ ✬ ✭❩❵✮

❍♦♠❋ ✭ ❀

✵✮ ✡ ❩❵

✬ ❍♦♠●❛❧✭✖

❋ ❂❋ ✮✭ ❵✭

✮❀

❵✭ ✵✮✮

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 18 / 38

Exploring isogeny graphs

Detecting the structure of a graph ✙❥ ❬❵ ❪ ✿

✥ ✦

♠♦❞ ❵ ✙❥E❬❵2❪ ✿

✥

a b c d

✦

♠♦❞ ❵2 ✙❥ ❬❵ ❪ ✿

✥ ✦

♠♦❞ ❵ ✙❥ ❬❵ ❪ ✿

✥ ✦

♠♦❞ ❵ ✙❥ ❬❵ ❪ ✿

✥ ✦

♠♦❞ ❵ ✙❥

❵✭

✮ ✿

✥ ✦

✷ ●▲✭❩❵✮

❵✭

✮ ❂ ❧✐♠ ✥

• ❬❵ ❪ ✬ ✭❩❵✮

❍♦♠❋ ✭ ❀

✵✮ ✡ ❩❵

✬ ❍♦♠●❛❧✭✖

❋ ❂❋ ✮✭ ❵✭

✮❀

❵✭ ✵✮✮

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 18 / 38

Exploring isogeny graphs

Detecting the structure of a graph ✙❥ ❬❵ ❪ ✿

✥ ✦

♠♦❞ ❵ ✙❥ ❬❵ ❪ ✿

✥ ✦

♠♦❞ ❵ ✙❥E❬❵3❪ ✿

✥

a b c d

✦

♠♦❞ ❵3 ✙❥ ❬❵ ❪ ✿

✥ ✦

♠♦❞ ❵ ✙❥ ❬❵ ❪ ✿

✥ ✦

♠♦❞ ❵ ✙❥

❵✭

✮ ✿

✥ ✦

✷ ●▲✭❩❵✮

❵✭

✮ ❂ ❧✐♠ ✥

• ❬❵ ❪ ✬ ✭❩❵✮

❍♦♠❋ ✭ ❀

✵✮ ✡ ❩❵

✬ ❍♦♠●❛❧✭✖

❋ ❂❋ ✮✭ ❵✭

✮❀

❵✭ ✵✮✮

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 18 / 38

Exploring isogeny graphs

Detecting the structure of a graph ✙❥ ❬❵ ❪ ✿

✥ ✦

♠♦❞ ❵ ✙❥ ❬❵ ❪ ✿

✥ ✦

♠♦❞ ❵ ✙❥ ❬❵ ❪ ✿

✥ ✦

♠♦❞ ❵ ✙❥E❬❵4❪ ✿

✥

a b c d

✦

♠♦❞ ❵4 ✙❥ ❬❵ ❪ ✿

✥ ✦

♠♦❞ ❵ ✙❥

❵✭

✮ ✿

✥ ✦

✷ ●▲✭❩❵✮

❵✭

✮ ❂ ❧✐♠ ✥

• ❬❵ ❪ ✬ ✭❩❵✮

❍♦♠❋ ✭ ❀

✵✮ ✡ ❩❵

✬ ❍♦♠●❛❧✭✖

❋ ❂❋ ✮✭ ❵✭

✮❀

❵✭ ✵✮✮

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 18 / 38

Exploring isogeny graphs

Detecting the structure of a graph ✙❥ ❬❵ ❪ ✿

✥ ✦

♠♦❞ ❵ ✙❥ ❬❵ ❪ ✿

✥ ✦

♠♦❞ ❵ ✙❥ ❬❵ ❪ ✿

✥ ✦

♠♦❞ ❵ ✙❥ ❬❵ ❪ ✿

✥ ✦

♠♦❞ ❵ ✙❥E❬❵5❪ ✿

✥

a b c d

✦

♠♦❞ ❵5 ✙❥

❵✭

✮ ✿

✥ ✦

✷ ●▲✭❩❵✮

❵✭

✮ ❂ ❧✐♠ ✥

• ❬❵ ❪ ✬ ✭❩❵✮

❍♦♠❋ ✭ ❀

✵✮ ✡ ❩❵

✬ ❍♦♠●❛❧✭✖

❋ ❂❋ ✮✭ ❵✭

✮❀

❵✭ ✵✮✮

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 18 / 38

Exploring isogeny graphs

Detecting the structure of a graph ✙❥ ❬❵ ❪ ✿

✥ ✦

♠♦❞ ❵ ✙❥ ❬❵ ❪ ✿

✥ ✦

♠♦❞ ❵ ✙❥ ❬❵ ❪ ✿

✥ ✦

♠♦❞ ❵ ✙❥ ❬❵ ❪ ✿

✥ ✦

♠♦❞ ❵ ✙❥ ❬❵ ❪ ✿

✥ ✦

♠♦❞ ❵ ✙❥T❵✭E✮ ✿

✥

a b c d

✦

✷ ●▲✭❩❵✮

The Tate module

Projective limit of the torsion: T❵✭E✮ ❂ ❧✐♠ ✥ E❬❵n❪ ✬ ✭❩❵✮2 Tate’s isogeny theorem: ❍♦♠❋p✭E❀ E ✵✮ ✡ ❩❵ ✬ ❍♦♠●❛❧✭✖

❋p❂❋p✮✭T❵✭E✮❀ T❵✭E ✵✮✮

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 18 / 38

Bathymetry

Theorem (De Feo, Hugounenq, Plût, and Éric Schost 2016)

Let E❂❋p be an ordinary elliptic curve with Frobenius endomorphism ✙. Assume that the characteristic polynomial of ✙ has two distinct roots ✕❀ ✖ in ❩❵, and let h ❂ v❵✭✕ ✖✮ ❂ v❵✭

♣

✁✙❂✁K✮. Then there exists a unique e ✷ ❢0❀ h❣ such that ✙❥T❵✭E✮ is conjugate, over ❩❵, to the matrix

✏

✕ ❵e 0 ✖

✑

. Moreover, h ❂ v❵✭❬❖K ✿ ❩❬✙❪❪✮ is the height of the graph of E; if E lies at the surface, then e ❂ h, otherwise h e is the depth of E. Computing ✙❥T❵✭E✮ lets us: Determine the height of the ❵-volcano, Determine the level of E in the volcano, Associate the eigenvalues ✕❀ ✖ to two opposite directions on the crater. Application: best known algorithm for the Explicit Isogeny Problem (2).

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 19 / 38

Computing T❵✭E✮ to finite precision

T❵✭E✮ “modulo” ❵n is just E❬❵n❪: ✙ ✿

a b

c d

✁

♠♦❞ ❵n

Problem: fields of definition get increasingly large

E❬❵❪ ✚ E❬❵2❪ ✿ ✿ ✿ E❬❵n❪ ... ❭ ❭ ❭ E✭❋p✮ ✚ E✭❋p❵1✮ ✚ E✭❋p❵✭❵1✮✮ ✿ ✿ ✿ E✭❋p❵n1✭❵1✮✮ ...

Solution: fast arithmetic in towers of finite fields

What: tower of fields ❋p ✚ ❋pa ✚ ❋pab ✚ ✁ ✁ ✁ ; Wanted: Optimal representation of each field; Fast algorithms for ✰❀ ✂❀ 1 in each field; Fast algorithms to convert between two adjacent fields. Solutions: Lenstra 1991; Lübeck 2008; Bosma, Cannon, and Steel 1997; Allombert 2002; De Feo, Doliskani, and Éric Schost 2013, 2014; Brieulle, De Feo, Doliskani, Flori, and Éric Schost 2018; van der Hoeven, and Lecerf 2018, ...

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 20 / 38

Why stop at towers?

❋p ❋p2 ❋p4 ❋✭2✮

p

❋p3 ❋p9 ❋✭3✮

p

❋p5 ❋p25 ❋✭5✮

p

❋p❵ ❋p❵2 ❋✭❵✮

p

❋✭❵✮

p

❂ ❬

i✕0

❋p❵i ❀ ✖ ❋p ✬ ❖

❵ prime

❋✭❵✮

p

Work in progress with: H.Randriam, É. Rousseau, É. Schost. Demo.

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 21 / 38

Let’s get back to elliptic curves I make the world a safer place!

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 22 / 38

The QUANTOM Menace

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 23 / 38

Post-quantum cryptographer?

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 24 / 38

Elliptic curves of the world, UNITE!

QUOUSQUE QUANTUM? QUANTUM SUFFICIT!

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 25 / 38

And so, they found a way around the QUANTOM

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 26 / 38

And so, they found a way around the QUANTOM

Public curve Public curve

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 26 / 38

And so, they found a way around the QUANTOM

Public curve Public curve Shared secret

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 26 / 38

How large is the crater of a volcano?

Let ❊♥❞✭E✮ ❂ ❖ ✚ ◗✭ ♣ D✮. Define ■✭❖✮, the group of invertible fractional ideals, P✭❖✮, the group of principal ideals,

The class group

The class group of ❖ is ❈❧✭❖✮ ❂ ■✭❖✮❂P✭O✮✿ It is a finite abelian group. Its order h✭❖✮ is called the class number of ❖. It arises as the Galois group of an abelian extension of ◗✭ ♣ D✮.

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 27 / 38

Complex multiplication

The a-torsion

Let a ✚ ❖ be an (integral invertible) ideal of ❖; Let E❬a❪ be the subgroup of E annihilated by a: E❬a❪ ❂ ❢P ✷ E ❥ ☛✭P✮ ❂ 0 for all ☛ ✷ a❣❀ Let ✣ ✿ E ✦ Ea, where Ea ❂ E❂E❬a❪. Then ❊♥❞✭Ea✮ ❂ ❖ (i.e., ✣ is horizontal).

Theorem (Complex multiplication)

The action on the set of elliptic curves with complex multiplication by ❖ defined by a ✄ j ✭E✮ ❂ j ✭Ea✮ factors through ❈❧✭❖✮, is faithful and transitive.

Corollary

Let ❊♥❞✭E✮ have discriminant D. Assume that

✏

D ❵

✑

❂ 1, then E is on a crater of an ❵-volcano, and the crater contains h✭❊♥❞✭E✮✮ curves.

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 28 / 38

Complex multiplication graphs

E1 E2 E3 E4 E5 E6 E7 E8 E9 E10 E11 E12 Vertices are elliptic curves with complex multiplication by ❖K (i.e., ❊♥❞✭E✮ ✬ ❖K ✚ ◗✭ ♣ D✮). ❈❧✭❖ ✮

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 29 / 38

Complex multiplication graphs

E1 E2 E3 E4 E5 E6 E7 E8 E9 E10 E11 E12 Vertices are elliptic curves with complex multiplication by ❖K (i.e., ❊♥❞✭E✮ ✬ ❖K ✚ ◗✭ ♣ D✮). Edges are horizontal isogenies

• f

bounded prime degree. degree 2 ❈❧✭❖ ✮

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 29 / 38

Complex multiplication graphs

E1 E2 E3 E4 E5 E6 E7 E8 E9 E10 E11 E12 Vertices are elliptic curves with complex multiplication by ❖K (i.e., ❊♥❞✭E✮ ✬ ❖K ✚ ◗✭ ♣ D✮). Edges are horizontal isogenies

• f

bounded prime degree. degree 2 degree 3 ❈❧✭❖ ✮

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 29 / 38

Complex multiplication graphs

E1 E2 E3 E4 E5 E6 E7 E8 E9 E10 E11 E12 Vertices are elliptic curves with complex multiplication by ❖K (i.e., ❊♥❞✭E✮ ✬ ❖K ✚ ◗✭ ♣ D✮). Edges are horizontal isogenies

• f

bounded prime degree. degree 2 degree 3 degree 5 ❈❧✭❖ ✮

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 29 / 38

Complex multiplication graphs

E1 E2 E3 E4 E5 E6 E7 E8 E9 E10 E11 E12 Vertices are elliptic curves with complex multiplication by ❖K (i.e., ❊♥❞✭E✮ ✬ ❖K ✚ ◗✭ ♣ D✮). Edges are horizontal isogenies

• f

bounded prime degree. degree 2 degree 3 degree 5 Isomorphic to a Cayley graph of ❈❧✭❖K✮.

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 29 / 38

Couveignes–Rostovtsev–Stolbunov key exchange

E ✄ ✄ ✄ ❂ ✄ Public parameters: A starting curve E❂❋p with CM by ❖K; A set of ideals of small norm S ✚ ❈❧✭❖K✮. ❂ ◗

✷

✦ ✄ ✄ ✄ ✄ ✄

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 30 / 38

Couveignes–Rostovtsev–Stolbunov key exchange

E a ✄ E ✄ ✄ ❂ ✄ Public parameters: A starting curve E❂❋p with CM by ❖K; A set of ideals of small norm S ✚ ❈❧✭❖K✮.

1

Alice takes a secret random walk a ❂ ◗

s✷S ses defining

an isogeny E ✦ a ✄ E; ✄ ✄ ✄ ✄

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 30 / 38

Couveignes–Rostovtsev–Stolbunov key exchange

E a ✄ E b ✄ E ✄ ❂ ✄ Public parameters: A starting curve E❂❋p with CM by ❖K; A set of ideals of small norm S ✚ ❈❧✭❖K✮.

1

Alice takes a secret random walk a ❂ ◗

s✷S ses defining

an isogeny E ✦ a ✄ E;

2

Bob does the same; ✄ ✄ ✄ ✄

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 30 / 38

Couveignes–Rostovtsev–Stolbunov key exchange

E a ✄ E b ✄ E ✄ ❂ ✄ Public parameters: A starting curve E❂❋p with CM by ❖K; A set of ideals of small norm S ✚ ❈❧✭❖K✮.

1

Alice takes a secret random walk a ❂ ◗

s✷S ses defining

an isogeny E ✦ a ✄ E;

2

Bob does the same;

3

They publish a ✄ E and b ✄ E; ✄ ✄

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 30 / 38

Couveignes–Rostovtsev–Stolbunov key exchange

E a ✄ E b ✄ E ab ✄ E ❂ ✄ Public parameters: A starting curve E❂❋p with CM by ❖K; A set of ideals of small norm S ✚ ❈❧✭❖K✮.

1

Alice takes a secret random walk a ❂ ◗

s✷S ses defining

an isogeny E ✦ a ✄ E;

2

Bob does the same;

3

They publish a ✄ E and b ✄ E;

4

Alice repeats her secret walk a starting from b ✄ E. ✄

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 30 / 38

Couveignes–Rostovtsev–Stolbunov key exchange

E a ✄ E b ✄ E ab ✄ E ❂ ba ✄ E Public parameters: A starting curve E❂❋p with CM by ❖K; A set of ideals of small norm S ✚ ❈❧✭❖K✮.

1

Alice takes a secret random walk a ❂ ◗

s✷S ses defining

an isogeny E ✦ a ✄ E;

2

Bob does the same;

3

They publish a ✄ E and b ✄ E;

4

Alice repeats her secret walk a starting from b ✄ E.

5

Bob repeats his secret walk b starting from a ✄ E.

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 30 / 38

Key exchange with supersingular curves (2011)

Good news: there is no action of a commutative class group. Bad news: there is no action of a commutative class group. Idea: Let Alice and Bob walk in two different isogeny graphs on the same vertex set.

Figure: 2- and 3-isogeny graphs on ❋972.

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 31 / 38

Key exchange with supersingular curves (2011)

Good news: there is no action of a commutative class group. Bad news: there is no action of a commutative class group. Idea: Let Alice and Bob walk in two different isogeny graphs on the same vertex set.

Figure: 2- and 3-isogeny graphs on ❋972.

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 31 / 38

Key exchange with supersingular curves (2011)

Good news: there is no action of a commutative class group. Bad news: there is no action of a commutative class group. Idea: Let Alice and Bob walk in two different isogeny graphs on the same vertex set.

Figure: 2- and 3-isogeny graphs on ❋972.

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 31 / 38

Key exchange with supersingular curves (2011)

Fix small primes ❵A, ❵B; No canonical labeling of the ❵A- and ❵B-isogeny graphs; however... Walk of length eA ❂ Isogeny of degree ❵eA

A

❂ Kernel ❤P✐ ✚ E❬❵eA

A ❪

❦❡r ✣ ❂ ❤P✐ ✚ E❬❵eA

A ❪

❦❡r ✥ ❂ ❤Q✐ ✚ E❬❵eB

B ❪

❦❡r ✣✵ ❂ ❤✥✭P✮✐ ❦❡r ✥✵ ❂ ❤✣✭Q✮✐

E E❂❤P✐ E❂❤Q✐ E❂❤P❀ Q✐ ✣ ✣✵ ✥ ✥✵

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 32 / 38

From 10 minutes to 10ms in 20 years

1996 Couveignes’ key exchange

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 33 / 38

From 10 minutes to 10ms in 20 years

1996 Couveignes’ key exchange 2006 Rostovstev & Stolbunov (> 5 min)

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 33 / 38

From 10 minutes to 10ms in 20 years

1996 Couveignes’ key exchange 2006 Rostovstev & Stolbunov (> 5 min) 2011 Jao and D.’s SIDH (500ms)

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 33 / 38

From 10 minutes to 10ms in 20 years

1996 Couveignes’ key exchange 2006 Rostovstev & Stolbunov (> 5 min) 2011 Jao and D.’s SIDH (500ms) 2012 D., Jao and Plût’s SIDH (50ms)

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 33 / 38

From 10 minutes to 10ms in 20 years

1996 Couveignes’ key exchange 2006 Rostovstev & Stolbunov (> 5 min) 2011 Jao and D.’s SIDH (500ms) 2012 D., Jao and Plût’s SIDH (50ms) 2016 Costello, Longa, Naherig’s SIDH (30ms)

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 33 / 38

From 10 minutes to 10ms in 20 years

1996 Couveignes’ key exchange 2006 Rostovstev & Stolbunov (> 5 min) 2011 Jao and D.’s SIDH (500ms) 2012 D., Jao and Plût’s SIDH (50ms) 2016 Costello, Longa, Naherig’s SIDH (30ms) 2017 SIKE NIST candidate (10ms)

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 33 / 38

From 10 minutes to 10ms in 20 years

1996 Couveignes’ key exchange 2006 Rostovstev & Stolbunov (> 5 min) 2011 Jao and D.’s SIDH (500ms) 2012 D., Jao and Plût’s SIDH (50ms) 2016 Costello, Longa, Naherig’s SIDH (30ms) 2017 SIKE NIST candidate (10ms) 2018 CSIDH (100ms)

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 33 / 38

CSIDH (pron.: sea-side)

Speeding up the CRS key exchange (De Feo, Kieffer, and Smith 2018)

Choose p such that ❵ ❥ ✭p ✰ 1✮ for many small primes ❵; Look for random ordinary curves such that: HARD!

■ ❵ ❥ E✭❋p✮, ■ technical condition;

Use Vélu’s formulas for those primes ❵. ✘5 minutes for a 128-bit secure key exchange

CSIDH (Castryck, Lange, Martindale, Panny, and Renes 2018)

Choose p such that ❵ ❥ ✭p ✰ 1✮ for many small primes ❵; Select a supersingular curve E❂❋p, automatically EASY!

■ ★E✭❋p✮ ❂ p ✰ 1, ■ technical condition always satisfied;

✘100ms for a 128 bits secure key exchange

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 34 / 38

Research perspectives

Fundamentals

Generalizations to other isogeny graphs (e.g., graphs of abelian varieties of higher dimension). Attacks on the primitives: solving isogeny problems, computing endomorphism rings of supersingular isogenies, computations in quaternion algebras. Security proofs: proving properties of sampling in Cayley graphs.

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 35 / 38

Research perspectives

Quantum

Fundamental algorithms: Kuperberg’s algorithm (CSIDH), claw finding (SIDH). Ad hoc algorithms: exploiting the non-generic structure in SIDH, CSIDH. Constructive algorithms: SeaSign can be considerably sped up by a quantum pre-computation. Security proofs in the QROM.

Protocols

Efficient signatures. New primitives/properties, mix and match CSIDH/SIDH/pairings. More uses of CSIDH as a Diffie–Hellman replacement (e.g., NIKE).

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 36 / 38

Research perspectives

Implementations

Constrained devices: SIDH still very slow on IOT gear, high memory footprint. Side-channel resistance: constant time (lacking for CISDH), analysis of proposed hardware attacks, countermeasures.

Tools

Develop tools for educational/prototyping purposes: lower the entry barrier to isogenies. SageMath most popular (open source) platform for number theory/computer algebra. Improve functionality for elliptic curves / pairings / isogenies.

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 37 / 38

Thank you

https://defeo.lu/ @luca_defeo

Luca De Feo (UVSQ) Exploring Isogeny Graphs Dec 14, 2018, UVSQ, Versailles 38 / 38