Isogenies, Polarisations and Real Multiplication 2015/10/06 Journes - PowerPoint PPT Presentation

Isogenies, Polarisations and Real Multiplication 2015/10/06 — Journées C2 — La Londe-Les-Maures Gaëtan Bisson, Romain Cosset, Alina Dudeanu, Sorina Ionica, Dimitar Jetchev, David Lubicz, Chloe Martindale, Enea Milio, Damien Robert , Marco Streng

Isogenies on elliptic curves Abelian varieties and polarisations Maximal isotropic isogenies Cyclic isogenies Isogeny graphs in dimension 2 Outline 1 Isogenies on elliptic curves 2 Abelian varieties and polarisations 3 Maximal isotropic isogenies 4 Cyclic isogenies and Real Multiplication 5 Isogeny graphs in dimension 2

Isogenies on elliptic curves Abelian varieties and polarisations ordinary, any curve isogenous to E is also ordinary. Isogenies are surjective (on the geometric points). In particular, if E is Remark or the composition of a translation with an isogeny. trivial (i.e. constant) An algebraic map between two elliptic curves is either Corollary same number of points (Tate). Theorem Definition Isogenies between elliptic curves Isogeny graphs in dimension 2 Cyclic isogenies Maximal isotropic isogenies An isogeny is a (non trivial) algebraic map f : E 1 → E 2 between two elliptic curves such that f ( P + Q ) = f ( P )+ f ( Q ) for all geometric points P , Q ∊ E 1 . An algebraic map f : E 1 → E 2 is an isogeny if and only if f ( 0 E 1 ) = 0 E 2 Two elliptic curves over � q are isogenous if and only if they have the

Isogenies on elliptic curves Abelian varieties and polarisations Maximal isotropic isogenies Cyclic isogenies Isogeny graphs in dimension 2 Algorithmic aspect of isogenies Given a kernel K ⊂ E ( k ) compute the isogenous elliptic curve E / K ; Given a kernel K ⊂ E ( k ) and P ∊ E ( k ) compute the image of P under the isogeny E → E / K ; Given a kernel K ⊂ E ( k ) compute the map E → E / K ; Given an elliptic curve E / k compute all isogenous (of a certain degree d ) elliptic curves E ′ ; Given two elliptic curves E 1 and E 2 check if they are d -isogenous and if so compute the kernel K ⊂ E 1 ( k ) .

Isogenies on elliptic curves formulae [Vél71]); equation [Elk92; Bos+08]). Vélu’s formulae [Koh96]); Abelian varieties and polarisations computation over elliptic curves. Algorithmic aspect of isogenies Isogeny graphs in dimension 2 Cyclic isogenies Maximal isotropic isogenies Given a kernel K ⊂ E ( k ) compute the isogenous elliptic curve E / K (Vélu’s Given a kernel K ⊂ E ( k ) and P ∊ E ( k ) compute the image of P under the isogeny E → E / K (Vélu’s formulae [Vél71]); Given a kernel K ⊂ E ( k ) compute the map E → E / K (formal version of Given an elliptic curve E / k compute all isogenous (of a certain degree d ) elliptic curves E ′ (Modular polynomial [Eng09; BLS12]); Given two elliptic curves E 1 and E 2 check if they are d -isogenous and if so compute the kernel K ⊂ E 1 ( k ) (Elkie’s method via a differential ⇒ We have quasi-linear algorithms for all these aspects of isogeny

Isogenies on elliptic curves Abelian varieties and polarisations Maximal isotropic isogenies Cyclic isogenies Isogeny graphs in dimension 2 Destructive cryptographic applications an efficient way to compute an isogeny to it). Example Extend attacks using Weil descent [GHS02] Transfert the DLP from the Jacobian of an hyperelliptic curve of genus 3 to the Jacobian of a quartic curve [Smi09]. An isogeny f : E 1 → E 2 transports the DLP from E 1 to E 2 . This can be used to attack the DLP on E 1 if there is a weak curve on its isogeny class (and

Isogenies on elliptic curves Abelian varieties and polarisations Maximal isotropic isogenies Cyclic isogenies Isogeny graphs in dimension 2 Constructive cryptographic applications But by computing isogenies, one can work over a cyclic subgroup of Example The SEA point counting algorithm [Sch95; Mor95; Elk97]; The CRT algorithms to compute class polynomials [Sut11; ES10]; The CRT algorithms to compute modular polynomials [BLS12]. One can recover informations on the elliptic curve E modulo ℓ by working over the ℓ -torsion. cardinal ℓ instead. Since thus a subgroup is of degree ℓ , whereas the full ℓ -torsion is of degree ℓ 2 , we can work faster over it.

Isogenies on elliptic curves Abelian varieties and polarisations Construct a normal basis of a finite field [CL09]; Take isogenies to reduce the impact of side channel attacks [Sma03]; isogeny graph [RS06]; isogeny (the trapdoor) [Tes06], or by encoding informations in the Construct public key cryptosystems by hiding vulnerable curves by an construct secure hash functions [CLG09]; The isogeny graph of a supersingular elliptic curve can be used to [DIK06; Gau07]; Splitting the multiplication using isogenies can improve the arithmetic Further applications of isogenies Isogeny graphs in dimension 2 Cyclic isogenies Maximal isotropic isogenies invariant by automorphisms [CL08]. Improve the discrete logarithm in � ∗ q by finding a smoothness basis

Isogenies on elliptic curves k so Given the equation h of the kernel Ker f, Vélu’s formula can compute the isogeny Theorem ([Vél71]) Abelian varieties and polarisations f in time linear in deg f. Computing explicit isogenies Cyclic isogenies Isogeny graphs in dimension 2 Maximal isotropic isogenies If E 1 and E 2 are two elliptic curves given by short Weierstrass equations y 2 = x 3 + a i x + b i an isogeny f : E 1 → E 2 is of the form f ( x , y ) = ( R 1 ( x ) , yR 2 ( x )) where R 1 and R 2 are rational functions. (Exercice: f ( 0 E 1 ) = 0 E 2 ; what does this implies on the degrees of R 1 and R 2 ?) Let w E = dx / 2 y be the canonical differential. Then f ∗ w E ′ = cw E , with c in � g ( x ) � g ( x ) � ′ � f ( x , y ) = h ( x ) , cy h ( x ) , � where h ( x ) = P ∊ Ker f \{ 0 E } ( x − x P ) .

Isogenies on elliptic curves Abelian varieties and polarisations Maximal isotropic isogenies Cyclic isogenies Isogeny graphs in dimension 2 Modular polynomials Definition (Modular polynomial) Here k = k . The modular polynomial ϕ ℓ ( x , y ) ∊ � [ x , y ] is a bivariate polynomial such that ϕ ℓ ( x , y ) = 0 ⇔ x = j ( E 1 ) and y = j ( E 2 ) with E 1 and E 2 ℓ -isogeneous. Roots of ϕ ℓ ( j ( E 1 ) ,. ) ⇔ elliptic curves ℓ -isogeneous to E 1 . There are ℓ + 1 = # � 1 ( � ℓ ) such roots if ℓ is prime. ϕ ℓ is symmetric; The height of ϕ ℓ grows as � O ( ℓ ) ; ϕ ℓ has total size � O ( ℓ 3 ) .

Isogenies on elliptic curves Abelian varieties and polarisations Maximal isotropic isogenies Cyclic isogenies Isogeny graphs in dimension 2 A 3-isogeny graph in dimension 1 [Koh96; FM02]

Isogenies on elliptic curves Maximal isotropic isogenies Cyclic isogenies Isogeny graphs in dimension 2 Find elliptic curves with a prescribed number of points Abelian varieties and polarisations Let E / � q be an ordinary elliptic curve, χ π = X 2 − tX + q the characteristic polynomial of the Frobenius π ; # E ( � q ) = 1 − t + q . ∆ π = t 2 − 4 q < 0 (since t � 2 � q by Hasse) so End ( E ) ⊃ � [ π ] is an order in � K = � ( ∆ π ) a quadratic imaginary field; Write ∆ π = ∆ 0 f 2 , where ∆ is the discriminant of K , then f is the conductor of � [ π ] ⊂ O K . Conversely fix N in the Hasse-Weil interval, and let t = 1 + q − N and O K � be the maximal order in � ( ∆ π ) ; If E / � q has endomorphism ring O K (or an order in K containing � [ π ] ), then # E ( � q ) = N .

Isogenies on elliptic curves Abelian varieties and polarisations Maximal isotropic isogenies Cyclic isogenies Isogeny graphs in dimension 2 Complex Multiplication Theorem (Fondamental theorem of Complex Multiplication) unramified abelian extension of K). p : Let K be a quadratic imaginary field, E / � an elliptic curve with End ( E ) = O K . j ( E ) is algebraic and K ( j ( E )) is the Hilbert class field H K of K (the maximal The minimal polynomial of j ( E ) is � � H K ( X ) = ( X − σ ( j ( E ))) = ( X − j ( E i )) ∊ � [ X ] σ ∊ Gal ( H K / K ) ≃ Cl ( K ) E i / � | End ( E i )= O K where for σ = [ I ] ∊ Gal ( H K / K ) ≃ Cl ( K ) , σ ( j ( E )) = j ( E / E [ I ]) ; If p = p 1 p 2 splits in K, and P is a prime above p in H K then E has good reduction at p and E � P is an ordinary elliptic curve over � P . The extension � P / � p has degree the order of [ p i ] ∊ Cl ( O K ) and End ( E � P ) = O K In particular if p splits completely in H K (or equivalently if p i is principal), then H K splits over � � H K ≡ ( X − j ( E )) mod p . p | End ( E )= O K E / �

Isogenies on elliptic curves 3 Go up in the volcano once a curve E in the right isogeny class is found; p ; Using isogenies in Step 3 to Theorem ([Bel+08; Sut11]) 4 Abelian varieties and polarisations yields a quasi-linear algorithm. Cyclic isogenies 2 1 Maximal isotropic isogenies The CRT method to compute the class polynomial H K Isogeny graphs in dimension 2 Find p completely split in H K ; Find all # Cl ( K ) elliptic curves E over � p with End ( E ) = O K ; � Recover H K mod p = p | End ( E )= O K ( X − j ( E )) ; E / � Iterate the process for several primes p i and use the CRT to recover H K from H K mod p i . Compute End ( E ) for a random E / � Once a curve E / � p is found with End ( E ) = O K compute all the others directly from the action of Cl ( K ) ;