Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM - PowerPoint PPT Presentation

Isogenies, Polarisations and Real Multiplication 2015/09/29 — ICERM — Providence Gaëtan Bisson, Romain Cosset, Alina Dudeanu, Sorina Ionica, Dimitar Jetchev, David Lubicz, Chloe Martindale, Enea Milio, Damien Robert , Marco Streng

Isogenies on elliptic curves Abelian varieties and polarisations Maximal isotropic isogenies Cyclic isogenies Isogeny graphs in dimension 2 Outline 1 Isogenies on elliptic curves 2 Abelian varieties and polarisations 3 Maximal isotropic isogenies 4 Cyclic isogenies and Real Multiplication 5 Isogeny graphs in dimension 2

Isogenies on elliptic curves Abelian varieties and polarisations Isogenies are surjective (on the geometric points). In particular, if E is Remark or the composition of a translation with an isogeny. trivial (i.e. constant) An algebraic map between two elliptic curves is either Corollary Theorem Definition Isogenies between elliptic curves Isogeny graphs in dimension 2 Cyclic isogenies Maximal isotropic isogenies ordinary, any curve isogenous to E is also ordinary. An isogeny is a (non trivial) algebraic map f : E 1 → E 2 between two elliptic curves such that f ( P + Q ) = f ( P )+ f ( Q ) for all geometric points P , Q ∊ E 1 . An algebraic map f : E 1 → E 2 is an isogeny if and only if f ( 0 E 1 ) = f ( 0 E 2 )

Isogenies on elliptic curves Abelian varieties and polarisations Maximal isotropic isogenies Cyclic isogenies Isogeny graphs in dimension 2 Algorithmic aspect of isogenies Given a kernel K ⊂ E ( k ) compute the isogenous elliptic curve E / K ); Given a kernel K ⊂ E ( k ) and P ∊ E ( k ) compute the image of P under the isogeny E → E / K ; Given a kernel K ⊂ E ( k ) compute the map E → E / K ; Given an elliptic curve E / k compute all isogenous (of a certain degree d ) elliptic curves E ′ ; ); Given two elliptic curves E 1 and E 2 check if they are d -isogenous and if so compute the kernel K ⊂ E 1 ( k ) .

Isogenies on elliptic curves formulae [Vél71]); equation [Elk92; Bos+08]). Vélu’s formulae [Koh96]); Abelian varieties and polarisations computation over elliptic curves. Algorithmic aspect of isogenies Isogeny graphs in dimension 2 Cyclic isogenies Maximal isotropic isogenies Given a kernel K ⊂ E ( k ) compute the isogenous elliptic curve E / K (Vélu’s Given a kernel K ⊂ E ( k ) and P ∊ E ( k ) compute the image of P under the isogeny E → E / K (Vélu’s formulae [Vél71]); Given a kernel K ⊂ E ( k ) compute the map E → E / K (formal version of Given an elliptic curve E / k compute all isogenous (of a certain degree d ) elliptic curves E ′ ; (Modular polynomial [Eng09; BLS12]); Given two elliptic curves E 1 and E 2 check if they are d -isogenous and if so compute the kernel K ⊂ E 1 ( k ) (Elkie’s method via a differential ⇒ We have quasi-linear algorithms for all these aspects of isogeny

Isogenies on elliptic curves Abelian varieties and polarisations Maximal isotropic isogenies Cyclic isogenies Isogeny graphs in dimension 2 Destructive cryptographic applications class (and an efficient way to compute an isogeny to it). Example extend attacks using Weil descent [GHS02] Transfert the DLP from the Jacobian of an hyperelliptic curve of genus 3 to the Jacobian of a quartic curve [Smi09]. An isogeny f : E 1 → E 2 transports the DLP problem from E 1 to E 2 . This can be used to attack the DLP on E 1 if there is a weak curve on its isogeny

Isogenies on elliptic curves Abelian varieties and polarisations Maximal isotropic isogenies Cyclic isogenies Isogeny graphs in dimension 2 Constructive cryptographic applications But by computing isogenies, one can work over a cyclic subgroup of Example The SEA point counting algorithm [Sch95; Mor95; Elk97]; The CRT algorithms to compute class polynomials [Sut11; ES10]; The CRT algorithms to compute modular polynomials [BLS12]. One can recover informations on the elliptic curve E modulo ℓ by working over the ℓ -torsion. cardinal ℓ instead. Since thus a subgroup is of degree ℓ , whereas the full ℓ -torsion is of degree ℓ 2 , we can work faster over it.

Isogenies on elliptic curves Abelian varieties and polarisations Construct a normal basis of a finite field [CL09]; Take isogenies to reduce the impact of side channel attacks [Sma03]; isogeny graph [RS06]; isogeny (the trapdoor) [Tes06], or by encoding informations in the Construct public key cryptosystems by hiding vulnerable curves by an construct secure hash functions [CLG09]; The isogeny graph of a supersingular elliptic curve can be used to [DIK06; Gau07]; Splitting the multiplication using isogenies can improve the arithmetic Further applications of isogenies Isogeny graphs in dimension 2 Cyclic isogenies Maximal isotropic isogenies invariant by automorphisms [CL08]. Improve the discrete logarithm in � ∗ q by finding a smoothness basis

Isogenies on elliptic curves Abelian varieties and polarisations Maximal isotropic isogenies Cyclic isogenies Isogeny graphs in dimension 2 A 3-isogeny graph in dimension 1 [Koh96; FM02]

Isogenies on elliptic curves 0 The product Abelian varieties and polarisations Such an Hermitian form H is called a polarisation on A . Conversely, any A complex vector space V of dimension g ; 0 A complex abelian variety A of dimension g is isomorphic to a compact Lie Definition Isogeny graphs in dimension 2 Cyclic isogenies Maximal isotropic isogenies Polarised abelian varieties over � group V / Λ with A � -lattice Λ in V (of rank 2 g ); such that there exists an Hermitian form H on V with E ( Λ , Λ ) ⊂ � where E = Im H is symplectic. symplectic form E on V such that E ( Λ , Λ ) ⊂ � and E ( ix , iy ) = E ( x , y ) for all x , y ∊ V gives a polarisation H with E = Im H . Over a symplectic basis of Λ , E is of the form. � � D δ − D δ where D δ is a diagonal positive integer matrix δ = ( δ 1 , δ 2 ,..., δ g ) , with δ 1 | δ 2 |··· | δ g . � δ i is the degree of the polarisation; H is a principal polarisation if this degree is 1.

Isogenies on elliptic curves Abelian varieties and polarisations Maximal isotropic isogenies Cyclic isogenies Isogeny graphs in dimension 2 Isogenies Definition kernel. Two abelian varieties over a finite field are isogenous iff they have the same zeta function (Tate); Let A = V / Λ and B = V ′ / Λ ′ . An isogeny f : A → B is a bijective linear map f : V → V ′ such that f ( Λ ) ⊂ Λ ′ . The kernel of the isogeny is f − 1 ( Λ ′ ) / Λ ⊂ A and its degree is the cardinal of the A morphism of abelian varieties f : A → B (seen as varieties) is a group morphism iff f ( 0 A ) = 0 B .

Isogenies on elliptic curves A . Moreover, A (the Poincaré bundle): Remark degree. A of the same Abelian varieties and polarisations A : Definition Cyclic isogenies Maximal isotropic isogenies The dual abelian variety Isogeny graphs in dimension 2 If A = V / Λ is an abelian variety, its dual is � A = Hom � ( V , � ) / Λ ∗ . Here Hom � ( V , � ) is the space of anti-linear forms and Λ ∗ = { f | f ( Λ ) ⊂ � } is the orthogonal of Λ . If H is a polarisation on A , its dual H ∗ is a polarisation on � there is an isogeny Φ H : A → � x �→ H ( x , · ) of degree deg H . We note K ( H ) its kernel. If f : A → B is an isogeny, then its dual is an isogeny � f : � B → � The canonical pairing A × � A → � , ( x , f ) �→ f ( x ) induces a canonical principal polarisation on A × � E P (( x 1 , f 1 ) , ( x 2 , f 2 )) = f 1 ( x 2 ) − f 2 ( x 1 ) . The pullback ( Id , ϕ H ) ∗ E P = 2 E .

Isogenies on elliptic curves B A f B A diagram commutes Abelian varieties and polarisations f isogeny such that Definition Isogenies and polarisations Isogeny graphs in dimension 2 Cyclic isogenies Maximal isotropic isogenies An isogeny f : ( A , H 1 ) → ( B , H 2 ) between polarised abelian varieties is an f ∗ H 2 := H 2 ( f ( · ) , f ( · )) = H 1 . f is an ℓ -isogeny between principally polarised abelian varieties if H 1 and H 2 are principal and f ∗ H 2 = ℓ H 1 . An isogeny f : ( A , H 1 ) → ( B , H 2 ) respect the polarisations iff the following � Φ H 1 Φ H 2 � �

Isogenies on elliptic curves varieties iff the following diagram commutes f f B A A B Abelian varieties and polarisations A Definition isogeny such that Isogenies and polarisations Isogeny graphs in dimension 2 Cyclic isogenies Maximal isotropic isogenies An isogeny f : ( A , H 1 ) → ( B , H 2 ) between polarised abelian varieties is an f ∗ H 2 := H 2 ( f ( · ) , f ( · )) = H 1 . f is an ℓ -isogeny between principally polarised abelian varieties if H 1 and H 2 are principal and f ∗ H 2 = ℓ H 1 . f : ( A , H 1 ) → ( B , H 2 ) is an ℓ -isogeny between principally polarised abelian [ ℓ ] Φ ℓ H 1 Φ H 2 � � � Φ H 1