isogenies polarisations and real multiplication
play

Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM - PowerPoint PPT Presentation

Nov 15, 2023 •99 likes •896 views

Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM Providence Gatan Bisson, Romain Cosset, Alina Dudeanu, Sorina Ionica, Dimitar Jetchev, David Lubicz, Chloe Martindale, Enea Milio, Damien Robert , Marco Streng Isogenies

  1. Isogenies, Polarisations and Real Multiplication 2015/09/29 — ICERM — Providence Gaëtan Bisson, Romain Cosset, Alina Dudeanu, Sorina Ionica, Dimitar Jetchev, David Lubicz, Chloe Martindale, Enea Milio, Damien Robert , Marco Streng

  2. Isogenies on elliptic curves Abelian varieties and polarisations Maximal isotropic isogenies Cyclic isogenies Isogeny graphs in dimension 2 Outline 1 Isogenies on elliptic curves 2 Abelian varieties and polarisations 3 Maximal isotropic isogenies 4 Cyclic isogenies and Real Multiplication 5 Isogeny graphs in dimension 2

  3. Isogenies on elliptic curves 1 w 2 1 Abelian varieties and polarisations 1 elliptic curve 2 k . Complex elliptic curve Isogeny graphs in dimension 2 Cyclic isogenies Maximal isotropic isogenies Over � : an elliptic curve is a torus E = � / Λ , where Λ is a lattice Λ = � + τ � ( τ ∊ H 1 ). � � � Let ℘ ( z , Λ ) = ( z − w ) 2 − be the Weierstrass ℘ -function and w ∊ Λ \{ 0 E } � E 2 k ( Λ ) = λ k w ∊ Λ \{ 0 E } w 2 k be the (normalised) Eisenstein series of weight Then � / Λ → E , z �→ ( ℘ ( z , Λ ) , ℘ ′ ( z , Λ )) is an analytic isomorphism to the y 2 = 4 x 3 − 60 E 4 ( Λ ) − 140 E 6 ( Λ ) .

  4. Isogenies on elliptic curves Abelian varieties and polarisations Isogenies are surjective (on the geometric points). In particular, if E is Remark or the composition of a translation with an isogeny. trivial (i.e. constant) An algebraic map between two elliptic curves is either Corollary Theorem Definition Isogenies between elliptic curves Isogeny graphs in dimension 2 Cyclic isogenies Maximal isotropic isogenies ordinary, any curve isogenous to E is also ordinary. An isogeny is a (non trivial) algebraic map f : E 1 → E 2 between two elliptic curves such that f ( P + Q ) = f ( P )+ f ( Q ) for all geometric points P , Q ∊ E 1 . An algebraic map f : E 1 → E 2 is an isogeny if and only if f ( 0 E 1 ) = f ( 0 E 2 )

  5. Isogenies on elliptic curves Abelian varieties and polarisations Maximal isotropic isogenies Cyclic isogenies Isogeny graphs in dimension 2 Algorithmic aspect of isogenies Given a kernel K ⊂ E ( k ) compute the isogenous elliptic curve E / K ); Given a kernel K ⊂ E ( k ) and P ∊ E ( k ) compute the image of P under the isogeny E → E / K ; Given a kernel K ⊂ E ( k ) compute the map E → E / K ; Given an elliptic curve E / k compute all isogenous (of a certain degree d ) elliptic curves E ′ ; ); Given two elliptic curves E 1 and E 2 check if they are d -isogenous and if so compute the kernel K ⊂ E 1 ( k ) .

  6. Isogenies on elliptic curves formulae [Vél71]); equation [Elk92; Bos+08]). Vélu’s formulae [Koh96]); Abelian varieties and polarisations computation over elliptic curves. Algorithmic aspect of isogenies Isogeny graphs in dimension 2 Cyclic isogenies Maximal isotropic isogenies Given a kernel K ⊂ E ( k ) compute the isogenous elliptic curve E / K (Vélu’s Given a kernel K ⊂ E ( k ) and P ∊ E ( k ) compute the image of P under the isogeny E → E / K (Vélu’s formulae [Vél71]); Given a kernel K ⊂ E ( k ) compute the map E → E / K (formal version of Given an elliptic curve E / k compute all isogenous (of a certain degree d ) elliptic curves E ′ ; (Modular polynomial [Eng09; BLS12]); Given two elliptic curves E 1 and E 2 check if they are d -isogenous and if so compute the kernel K ⊂ E 1 ( k ) (Elkie’s method via a differential ⇒ We have quasi-linear algorithms for all these aspects of isogeny

  7. Isogenies on elliptic curves Abelian varieties and polarisations Maximal isotropic isogenies Cyclic isogenies Isogeny graphs in dimension 2 Destructive cryptographic applications class (and an efficient way to compute an isogeny to it). Example extend attacks using Weil descent [GHS02] Transfert the DLP from the Jacobian of an hyperelliptic curve of genus 3 to the Jacobian of a quartic curve [Smi09]. An isogeny f : E 1 → E 2 transports the DLP problem from E 1 to E 2 . This can be used to attack the DLP on E 1 if there is a weak curve on its isogeny

  8. Isogenies on elliptic curves Abelian varieties and polarisations Maximal isotropic isogenies Cyclic isogenies Isogeny graphs in dimension 2 Constructive cryptographic applications But by computing isogenies, one can work over a cyclic subgroup of Example The SEA point counting algorithm [Sch95; Mor95; Elk97]; The CRT algorithms to compute class polynomials [Sut11; ES10]; The CRT algorithms to compute modular polynomials [BLS12]. One can recover informations on the elliptic curve E modulo ℓ by working over the ℓ -torsion. cardinal ℓ instead. Since thus a subgroup is of degree ℓ , whereas the full ℓ -torsion is of degree ℓ 2 , we can work faster over it.

  9. Isogenies on elliptic curves Abelian varieties and polarisations Construct a normal basis of a finite field [CL09]; Take isogenies to reduce the impact of side channel attacks [Sma03]; isogeny graph [RS06]; isogeny (the trapdoor) [Tes06], or by encoding informations in the Construct public key cryptosystems by hiding vulnerable curves by an construct secure hash functions [CLG09]; The isogeny graph of a supersingular elliptic curve can be used to [DIK06; Gau07]; Splitting the multiplication using isogenies can improve the arithmetic Further applications of isogenies Isogeny graphs in dimension 2 Cyclic isogenies Maximal isotropic isogenies invariant by automorphisms [CL08]. Improve the discrete logarithm in � ∗ q by finding a smoothness basis

  10. Isogenies on elliptic curves This shows that f is of the form Maximal isotropic isogenies Cyclic isogenies Isogeny graphs in dimension 2 Computing explicit isogenies (using the equation of the curve E 1 ). Abelian varieties and polarisations it prime to g ). k . If E 1 and E 2 are two elliptic curves given by Weierstrass equations, a morphism of curve f : E 1 → E 2 is of the form f ( x , y ) = ( R 1 ( x , y ) , R 2 ( x , y )) where R 1 and R 2 are rational functions, whose degree in y is less than 2 If f is an isogeny, f ( − P ) = − f ( P ) . If char k > 3, we can assume that E 1 and E 2 are given by reduced Weierstrass forms, this mean that R 1 depends only on x , and R 2 is y time a rational function depending only on x . Let w E = dx / 2 y be the canonical differential. Then f ∗ w E ′ = cw E , with c in � g ( x ) � g ( x ) � ′ � f ( x , y ) = h ( x ) , cy h ( x ) . h ( x ) gives (the x coordinates of the points in) the kernel of f (if we take If c = 1, we say that f is normalized.

  11. Isogenies on elliptic curves Vélu’s formula Moreover by looking at the expression of X and Y in the formal group of Abelian varieties and polarisations The choices are made so that the formulas give a normalized isogeny. Isogeny graphs in dimension 2 Cyclic isogenies Maximal isotropic isogenies Let E / k be an elliptic curve. Let G = 〈 P 〉 be a rational finite subgroup of E . Vélu constructs the isogeny E → E / G as � X ( P ) = x ( P )+ ( x ( P + Q ) − x ( Q )) Q ∊ G \{ 0 E } � ( y ( P + Q ) − y ( Q )) . Y ( P ) = y ( P )+ Q ∊ G \{ 0 E } E , Vélu recovers the equations for E / G . For instance if E : y 2 = x 3 + ax + b = f E ( x ) then E / G is y 2 = x 3 +( a − 5 t ) x + b − 7 w � � � f ′ x ( Q ) f ′ where t = E ( Q ) , u = 2 f E ( Q ) and w = E ( Q ) . Q ∊ G \{ 0 E } Q ∊ G \{ 0 E } Q ∊ G \{ 0 E }

  12. Isogenies on elliptic curves express everything in term of h . root. of the points in the kernel). , with Abelian varieties and polarisations we have [Koh96] in k . Thus summing over the points in the kernel G can be expensive. Isogeny graphs in dimension 2 Even if G is rational, the points in G may live to an extension of degree Maximal isotropic isogenies Cyclic isogenies Complexity of Vélu’s formula up to # G − 1. � Let h ( x ) = Q ∊ G \{ 0 E } ( x − x ( Q )) . The symmetry of X and Y allows us to For instance is E is given by a reduced Weierstrass equation y 2 = f E ( x ) , � g ( x ) � g ( x ) � ′ � f ( x , y ) = h ( x ) , y h ( x ) � h ′ ( x ) � ′ E ( x ) h ′ ( x ) g ( x ) h ( x ) = # G . x − σ − f ′ h ( x ) − 2 f E ( x ) h ( x ) , where σ is the first power sum of h (i.e. the sum of the x -coordinates When # G is odd, h ( x ) is a square, so we can replace it by its square The complexity of computing the isogeny is then O ( M (# G )) operations

  13. Isogenies on elliptic curves Abelian varieties and polarisations Maximal isotropic isogenies Cyclic isogenies Isogeny graphs in dimension 2 Modular polynomials Definition (Modular polynomial) Here k = k . The modular polynomial ϕ ℓ ( x , y ) ∊ � [ x , y ] is a bivariate polynomial such that ϕ ℓ ( x , y ) = 0 ⇔ x = j ( E 1 ) and y = j ( E 2 ) with E 1 and E 2 ℓ -isogeneous. Roots of ϕ ℓ ( j ( E 1 ) ,. ) ⇔ elliptic curves ℓ -isogeneous to E 1 . There are ℓ + 1 = # � 1 ( � ℓ ) such roots if ℓ is prime. ϕ ℓ is symmetric. The height of ϕ ℓ grows as O ( ℓ ) .

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM Providence Gatan

Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM Providence Gatan

Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM Providence Gatan Bisson, Romain Cosset, Alina Dudeanu, Sorina Ionica, Dimitar Jetchev, David Lubicz, Chloe Martindale, Enea Milio, Damien Robert , Marco Streng Isogenies

952 views • 67 slides
Isogenies, Polarisations and Real Multiplication 2015/10/06 Journes C2 La

Isogenies, Polarisations and Real Multiplication 2015/10/06 Journes C2 La

Isogenies, Polarisations and Real Multiplication 2015/10/06 Journes C2 La Londe-Les-Maures Gatan Bisson, Romain Cosset, Alina Dudeanu, Sorina Ionica, Dimitar Jetchev, David Lubicz, Chloe Martindale, Enea Milio, Damien Robert , Marco

867 views • 49 slides
Rational isogenies Computing rational isogenies from the equations of the kernel David Lubicz,

Rational isogenies Computing rational isogenies from the equations of the kernel David Lubicz,

Rational isogenies Computing rational isogenies from the equations of the kernel David Lubicz, Damien Robert Damien Robert Rational isogenies 2 1 Theta functions Complex abelian varieties Quasi-periodicity: Damien Robert Rational

734 views • 23 slides
Point Counting for Genus 2 Curves Division polys with Real Multiplication Kernels Schoof

Point Counting for Genus 2 Curves Division polys with Real Multiplication Kernels Schoof

Genus 2, faster Gaudry, Kohel, Smith Genus 1 and 2 Point counting Point Counting for Genus 2 Curves Division polys with Real Multiplication Kernels Schoof complexity BSGS Pierrick Gaudry, David Kohel, Benjamin Smith Real multiplication

550 views • 20 slides
Computing supersingular isogenies on Kummer surfaces Craig Costello ASIACRYPT December 6, 2018

Computing supersingular isogenies on Kummer surfaces Craig Costello ASIACRYPT December 6, 2018

Computing supersingular isogenies on Kummer surfaces Craig Costello ASIACRYPT December 6, 2018 Brisbane, Australia ECC vs. post-quantum ECC W. Castryck (GIF): https://www.esat.kuleuven.be/cosic/?p=7404 Alice 2 " -isogenies, Bob 3 $

766 views • 19 slides
lecture 7 Integer multiplication (grade school) How to do (unsigned) integer multiplication in

lecture 7 Integer multiplication (grade school) How to do (unsigned) integer multiplication in

lecture 7 Integer multiplication (grade school) How to do (unsigned) integer multiplication in binary ? Sequential circuits 3 multiplicand - integer multiplication and division multiplier - floating point arithmetic product - finite

183 views • 3 slides
Lecture 5 Multiplication and Division 1 Multiplication More complicated than addition A

Lecture 5 Multiplication and Division 1 Multiplication More complicated than addition A

ECE 0142 Computer Organization Lecture 5 Multiplication and Division 1 Multiplication More complicated than addition A straightforward implementation will involve shifts and adds More complex operation can lead to More area (on

408 views • 20 slides
Maths Multiplication and Division Maths | Year 2 | Multiplication and Division | Solve

Maths Multiplication and Division Maths | Year 2 | Multiplication and Division | Solve

Maths Multiplication and Division Maths | Year 2 | Multiplication and Division | Solve Multiplication and Division Problems | Lesson 1 of 2: Leftovers Aim I can find a leftover when dividing. Success Criteria I can make a prediction about

592 views • 20 slides
MULTIPLICATION TABLES CHECK (MTC) WHAT WE KNOW The Multiplication Tables Check (MTC) was

MULTIPLICATION TABLES CHECK (MTC) WHAT WE KNOW The Multiplication Tables Check (MTC) was

MULTIPLICATION TABLES CHECK (MTC) WHAT WE KNOW The Multiplication Tables Check (MTC) was officially announced by the Department for Education (DfE) in September 2017. It will be administered for children in Year 4, starting in the

526 views • 7 slides
Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft

Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft

Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft Research 15 / 09 / 2011 (Nancy) 2 / 66 Outline 1 Isogenies on elliptic curves 2 Endomorphisms 3 Supersingular elliptic curves 4 Abelian varieties

1.84k views • 79 slides
Matrix Multiplication Matrix multiplication is an operation with properties quite different from

Matrix Multiplication Matrix multiplication is an operation with properties quite different from

Matrix Multiplication Matrix multiplication is an operation with properties quite different from its scalar counterpart. To begin with, order matters in matrix multiplication. That is, the matrix product AB need not be the same as the matrix

695 views • 58 slides
Point counting for genus 2 curves SchoofPila with real multiplication Division polys Kernels

Point counting for genus 2 curves SchoofPila with real multiplication Division polys Kernels

Genus 2, faster Gaudry, Kohel, Smith Genus 1 and 2 Point counting Point counting for genus 2 curves SchoofPila with real multiplication Division polys Kernels Schoof complexity Pierrick Gaudry, David Kohel, Benjamin Smith BSGS Real

407 views • 18 slides
Efficient multiplication 2 Matrix multiplication If you have square matrices A and B, then C =

Efficient multiplication 2 Matrix multiplication If you have square matrices A and B, then C =

1 Efficient multiplication 2 Matrix multiplication If you have square matrices A and B, then C = A*B is defined as: Takes O(n 3 ) time 3 Matrix multiplication Can we do better? What is the theoretical lowest running time possible? 4

622 views • 18 slides
Isogeny graphs with real multiplication Sorina Ionica Ecole Normale Suprieure de Paris joint

Isogeny graphs with real multiplication Sorina Ionica Ecole Normale Suprieure de Paris joint

Isogeny graphs with real multiplication Sorina Ionica Ecole Normale Suprieure de Paris joint work with Emmanuel Thom Sorina Ionica 1 / 24 Isogeny graphs Kohel 1996: Graph with vertices elliptic curves defined over F q and edges all

302 views • 27 slides
CS 401 Integer Multiplication / Matrix Multiplication Xiaorui Sun 1 Integer Multiplication

CS 401 Integer Multiplication / Matrix Multiplication Xiaorui Sun 1 Integer Multiplication

CS 401 Integer Multiplication / Matrix Multiplication Xiaorui Sun 1 Integer Multiplication Integer Arithmetic 1 1 1 1 1 1 0 1 Add: Given two ! -bit integers 1 1 0 1 0 1 0 1 " and # , compute " + # . Add + 0 1 1 1

468 views • 19 slides
EE 457 Unit 2c Fast Multipliers 2 Multiplication Overview Multiplication approaches:

EE 457 Unit 2c Fast Multipliers 2 Multiplication Overview Multiplication approaches:

1 EE 457 Unit 2c Fast Multipliers 2 Multiplication Overview Multiplication approaches: Sequential: Shift-and-Add produces one product bit per clock cycle time (usually slow) Combinational: Array multiplier uses an array of adders

407 views • 15 slides
Modeling comprehension of deictic personal pronouns: What are French children capable of?

Modeling comprehension of deictic personal pronouns: What are French children capable of?

1 Modeling comprehension of deictic personal pronouns: What are French children capable of? Graldine Legendre & Paul Smolensky Johns Hopkins University, Baltimore legendre@jhu.edu; smolensky@jhu.edu Tandem Workshop on Optimality in

262 views • 11 slides
Quantum Combinatorial Designes and multipartite entanglement Karol Zyczkowski Jagiellonian

Quantum Combinatorial Designes and multipartite entanglement Karol Zyczkowski Jagiellonian

Quantum Combinatorial Designes and multipartite entanglement Karol Zyczkowski Jagiellonian University (Cracow) & Polish Academy of Sciences (Warsaw) in collaboration with Dardo Goyeneche (Concepcion/ Cracow/ Gdansk) Sara Di Martino

640 views • 46 slides
Multipartite Entanglement: Combinatorics, Topology and Astronomy Karol Zyczkowski

Multipartite Entanglement: Combinatorics, Topology and Astronomy Karol Zyczkowski

Multipartite Entanglement: Combinatorics, Topology and Astronomy Karol Zyczkowski Jagiellonian University (Cracow) Polish Academy of Sciences (Warsaw) & KCIK (Sopot) in collaboration with Dardo Goyeneche (Antofagasta), Zahra Raissi

529 views • 41 slides
Large Graphs Mining Theory and Applications Cdric Gouy-Pailler cedric.gouy-pailler@cea.fr

Large Graphs Mining Theory and Applications Cdric Gouy-Pailler cedric.gouy-pailler@cea.fr

Large Graphs Mining Theory and Applications Cdric Gouy-Pailler cedric.gouy-pailler@cea.fr Organisation du cours (1/2) 28/11/2018 : Introduction Bases de thorie des graphes Statistiques globales et analyse des liens

996 views • 83 slides
Logiciels libres et web radios Indice : cest la merde... Augier Full Mdias Inc. (

Logiciels libres et web radios Indice : cest la merde... Augier Full Mdias Inc. (

1 Enregistrement et traitement du son Logiciel Matriel 2 Automation 3 Diffusion et live Logiciels libres et web radios Indice : cest la merde... Augier Full Mdias Inc. ( www.FullMediasInc.fr ) Full Radios ( www.full-radios.fr ) 23

976 views • 56 slides
Is Your Radio Station Ready for License Renewal? Hosted by: The New York State Broadcasters

Is Your Radio Station Ready for License Renewal? Hosted by: The New York State Broadcasters

Is Your Radio Station Ready for License Renewal? Hosted by: The New York State Broadcasters Association, Inc. October 23, 2013 Presenters David L. Donovan, President of the NYSBA, Moderator Peter H. Doyle, Chief, Audio Division,

250 views • 14 slides
UNIVERSITY OF CALIFORNIA, SAN FRANCISCO AUDIOLOGY XIII Marcia Raggio, PhD Vice-Chair, SLPAHADB

UNIVERSITY OF CALIFORNIA, SAN FRANCISCO AUDIOLOGY XIII Marcia Raggio, PhD Vice-Chair, SLPAHADB

10/16/2018 UNIVERSITY OF CALIFORNIA, SAN FRANCISCO AUDIOLOGY XIII Marcia Raggio, PhD Vice-Chair, SLPAHADB OCTOBER 20, 2018 THE SLPAHADB Who Are We? Part of the Department of Consumer Affairs Responsible for regulating the practices

267 views • 16 slides
P-5 Statewide Rule 15 Inactive Wells Jennifer Gilmore July 2020 1 Railroad Commission of Texas

P-5 Statewide Rule 15 Inactive Wells Jennifer Gilmore July 2020 1 Railroad Commission of Texas

P-5 Statewide Rule 15 Inactive Wells Jennifer Gilmore July 2020 1 Railroad Commission of Texas | June 27, 2016 (Change Date In First Master Slide) Topics Overview of Oil & Gas Statewide Rule 15 The process of obtaining a plugging

583 views • 29 slides

More recommend