Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, - - PowerPoint PPT Presentation

Isogeny graphs in cryptography

Luca De Feo

Université Paris Saclay, UVSQ

July 29 – August 29, 2019 Cryptography meets Graph Theory Würzburg, Franken, Germany

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 1 / 82

Plan

1

Elliptic curves, isogenies, complex multiplication

2

Isogeny graphs

3

Key exchange

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 2 / 82

Projective space

Definition (Projective space)

Let ✖ k an algebraically closed field, the projective space Pn✭✖ k✮ is the set of non-null ✭n ✰ 1✮-tuples ✭x0❀ ✿ ✿ ✿ ❀ xn✮ ✷ ✖ k n modulo the equivalence relation ✭x0❀ ✿ ✿ ✿ ❀ xn✮ ✘ ✭✕x0❀ ✿ ✿ ✿ ❀ ✕xn✮ with ✕ ✷ ✖ k ♥ ❢0❣✿ A class is denoted by ✭x0 ✿ ✁ ✁ ✁ ✿ xn✮.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 3 / 82

Weierstrass equations

Let k be a field of characteristic ✻❂ 2❀ 3. An elliptic curve defined over k is the locus in P2✭✖ k✮ of an equation Y 2Z ❂ X 3 ✰ aXZ 2 ✰ bZ 3❀ where a❀ b ✷ k and 4a3 ✰ 27b2 ✻❂ 0. ❖ ❂ ✭ ✿ ✿ ✮ ❂ ✰ ✰

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 4 / 82

Weierstrass equations

Let k be a field of characteristic ✻❂ 2❀ 3. An elliptic curve defined over k is the locus in P2✭✖ k✮ of an equation Y 2Z ❂ X 3 ✰ aXZ 2 ✰ bZ 3❀ where a❀ b ✷ k and 4a3 ✰ 27b2 ✻❂ 0. ❖ ❂ ✭0 ✿ 1 ✿ 0✮ is the point at infinity; ❂ ✰ ✰

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 4 / 82

Weierstrass equations

Let k be a field of characteristic ✻❂ 2❀ 3. An elliptic curve defined over k is the locus in P2✭✖ k✮ of an equation Y 2Z ❂ X 3 ✰ aXZ 2 ✰ bZ 3❀ where a❀ b ✷ k and 4a3 ✰ 27b2 ✻❂ 0. ❖ ❂ ✭0 ✿ 1 ✿ 0✮ is the point at infinity; y2 ❂ x 3 ✰ ax ✰ b is the affine equation.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 4 / 82

The group law

Bezout’s theorem

Every line cuts E in exactly three points (counted with multiplicity). Define a group law such that any three colinear points add up to zero. ❖ P Q R P ✰ Q

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 5 / 82

The group law

Bezout’s theorem

Every line cuts E in exactly three points (counted with multiplicity). Define a group law such that any three colinear points add up to zero. The law is algebraic (it has formulas); ❖ P Q R P ✰ Q

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 5 / 82

The group law

Bezout’s theorem

Every line cuts E in exactly three points (counted with multiplicity). Define a group law such that any three colinear points add up to zero. The law is algebraic (it has formulas); The law is commutative; ❖ is the group identity; Opposite points have the same x-value. P Q R P ✰ Q

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 5 / 82

Group structure

Torsion structure

Let E be defined over an algebraically closed field ✖ k of characteristic p. E❬m❪ ✬ ❩❂m❩ ✂ ❩❂m❩ if p ✲ m, ❩❂pe❩

• rdinary case,

E❬pe❪ ✬

✭

❢❖❣ supersingular case.

Free part

Let E be defined over a number field k, the group of k-rational points E✭k✮ is finitely generated.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 6 / 82

Maps: isomorphisms

Isomorphisms

The only invertible algebraic maps between elliptic curves are of the form ✭x❀ y✮ ✼✦ ✭u2x❀ u3y✮ for some u ✷ ✖ k. They are group isomorphisms.

j -Invariant

Let E ✿ y2 ❂ x 3 ✰ ax ✰ b, its j -invariant is j ✭E✮ ❂ 1728 4a3 4a3 ✰ 27b2 ✿ Two elliptic curves E❀ E ✵ are isomorphic if and only if j ✭E✮ ❂ j ✭E ✵✮.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 7 / 82

Maps: isogenies

Theorem

Let ✣ ✿ E ✦ E ✵ be a map between elliptic curves. These conditions are equivalent: ✣ is a surjective group morphism, ✣ is a group morphism with finite kernel, ✣ is a non-constant algebraic map of projective varieties sending the point at infinity of E onto the point at infinity of E ✵. If they hold ✣ is called an isogeny. Two curves are called isogenous if there exists an isogeny between them.

Example: Multiplication-by-m

On any curve, an isogeny from E to itself (i.e., an endomorphism): ❬m❪ ✿ E ✦ E❀ P ✼✦ ❬m❪P✿

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 8 / 82

Isogenies: an example over ❋11

E ✿ y2 ❂ x 3 ✰ x E ✵ ✿ y2 ❂ x 3 4x ✣✭x❀ y✮ ❂

✥

x 2 ✰ 1 x ❀ y x 2 1 x 2

✦

✼✦ ❋✄

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 9 / 82

Isogenies: an example over ❋11

E ✿ y2 ❂ x 3 ✰ x E ✵ ✿ y2 ❂ x 3 4x ✣✭x❀ y✮ ❂

✥

x 2 ✰ 1 x ❀ y x 2 1 x 2

✦

✼✦ ❋✄

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 9 / 82

Isogenies: an example over ❋11

E ✿ y2 ❂ x 3 ✰ x E ✵ ✿ y2 ❂ x 3 4x ✣✭x❀ y✮ ❂

✥

x 2 ✰ 1 x ❀ y x 2 1 x 2

✦

✼✦ ❋✄

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 9 / 82

Isogenies: an example over ❋11

E ✿ y2 ❂ x 3 ✰ x E ✵ ✿ y2 ❂ x 3 4x ✣✭x❀ y✮ ❂

✥

x 2 ✰ 1 x ❀ y x 2 1 x 2

✦

Kernel generator in red. ✼✦ ❋✄

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 9 / 82

Isogenies: an example over ❋11

E ✿ y2 ❂ x 3 ✰ x E ✵ ✿ y2 ❂ x 3 4x ✣✭x❀ y✮ ❂

✥

x 2 ✰ 1 x ❀ y x 2 1 x 2

✦

Kernel generator in red. This is a degree 2 map. ✼✦ ❋✄

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 9 / 82

Isogenies: an example over ❋11

E ✿ y2 ❂ x 3 ✰ x E ✵ ✿ y2 ❂ x 3 4x ✣✭x❀ y✮ ❂

✥

x 2 ✰ 1 x ❀ y x 2 1 x 2

✦

Kernel generator in red. This is a degree 2 map. Analogous to x ✼✦ x 2 in ❋✄

q.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 9 / 82

Curves over finite fields

Frobenius endomorphism

Let E be defined over ❋q. The Frobenius endomorphism of E is the map ✙ ✿ ✭X ✿ Y ✿ Z✮ ✼✦ ✭X q ✿ Y q ✿ Z q✮✿

Hasse’s theorem

Let E be defined over ❋q, then ❥★E✭k✮ q 1❥ ✔ 2♣q✿

Serre-Tate theorem

Two elliptic curves E❀ E ✵ defined over a finite field k are isogenous over k if and only if ★E✭k✮ ❂ ★E ✵✭k✮.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 10 / 82

Complex tori

❈❂✄ ✦1 ✦2 ✰ ✰ Let ✦1❀ ✦2 ✷ ❈ be linearly independent complex

• numbers. Set

✄ ❂ ✦1❩ ✟ ✦2❩ ❈❂✄ is a complex torus.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 11 / 82

Complex tori

❈❂✄ ✦ ✦ a b ✰ ✰ Addition law induced by addition on ❈.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 11 / 82

Complex tori

❈❂✄ ✦ ✦ a b a ✰ b ✰ Addition law induced by addition on ❈.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 11 / 82

Complex tori

❈❂✄ ✦ ✦ a b a ✰ b ✰ Addition law induced by addition on ❈.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 11 / 82

Complex tori

❈❂✄ ✦ ✦ a b ✰ a ✰ b Addition law induced by addition on ❈.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 11 / 82

Homotheties

a Two lattices are homothetic if there exist ☛ ✷ ❈ such that ☛✄1 ❂ ✄2

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 12 / 82

Homotheties

a Two lattices are homothetic if there exist ☛ ✷ ❈ such that ☛✄1 ❂ ✄2

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 12 / 82

Homotheties

a Two lattices are homothetic if there exist ☛ ✷ ❈ such that ☛✄1 ❂ ✄2

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 12 / 82

Homotheties

a Two lattices are homothetic if there exist ☛ ✷ ❈ such that ☛✄1 ❂ ✄2

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 12 / 82

Homotheties

a Two lattices are homothetic if there exist ☛ ✷ ❈ such that ☛✄1 ❂ ✄2

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 12 / 82

Homotheties

a Two lattices are homothetic if there exist ☛ ✷ ❈ such that ☛✄1 ❂ ✄2

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 12 / 82

Homotheties

a Two lattices are homothetic if there exist ☛ ✷ ❈ such that ☛✄1 ❂ ✄2

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 12 / 82

Homotheties

a Two lattices are homothetic if there exist ☛ ✷ ❈ such that ☛✄1 ❂ ✄2

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 12 / 82

Homotheties

a Two lattices are homothetic if there exist ☛ ✷ ❈ such that ☛✄1 ❂ ✄2

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 12 / 82

Homotheties

a Two lattices are homothetic if there exist ☛ ✷ ❈ such that ☛✄1 ❂ ✄2

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 12 / 82

Homotheties

a Two lattices are homothetic if there exist ☛ ✷ ❈ such that ☛✄1 ❂ ✄2

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 12 / 82

Homotheties

a Two lattices are homothetic if there exist ☛ ✷ ❈ such that ☛✄1 ❂ ✄2

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 12 / 82

Homotheties

a Two lattices are homothetic if there exist ☛ ✷ ❈ such that ☛✄1 ❂ ✄2

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 12 / 82

Homotheties

a Two lattices are homothetic if there exist ☛ ✷ ❈ such that ☛✄1 ❂ ✄2

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 12 / 82

Homotheties

a Two lattices are homothetic if there exist ☛ ✷ ❈ such that ☛✄1 ❂ ✄2

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 12 / 82

Homotheties

a Two lattices are homothetic if there exist ☛ ✷ ❈ such that ☛✄1 ❂ ✄2

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 12 / 82

Homotheties

a Two lattices are homothetic if there exist ☛ ✷ ❈ such that ☛✄1 ❂ ✄2

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 12 / 82

Homotheties

a Two lattices are homothetic if there exist ☛ ✷ ❈ such that ☛✄1 ❂ ✄2

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 12 / 82

Homotheties

a Two lattices are homothetic if there exist ☛ ✷ ❈ such that ☛✄1 ❂ ✄2

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 12 / 82

Homotheties

a Two lattices are homothetic if there exist ☛ ✷ ❈ such that ☛✄1 ❂ ✄2

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 12 / 82

Homotheties

a Two lattices are homothetic if there exist ☛ ✷ ❈ such that ☛✄1 ❂ ✄2

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 12 / 82

Homotheties

a Two lattices are homothetic if there exist ☛ ✷ ❈ such that ☛✄1 ❂ ✄2

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 12 / 82

The j -invariant

We want to classify complex lattices/tori up to homothety.

Eisenstein series

Let ✄ be a complex lattice. For any integer k ❃ 0 define G2k✭✄✮ ❂

❳

✦✷✄♥❢0❣

✦2k✿ Also set g2✭✄✮ ❂ 60G4✭✄✮❀ g3✭✄✮ ❂ 140G6✭✄✮✿

Modular j -invariant

Let ✄ be a complex lattice, the modular j -invariant is j ✭✄✮ ❂ 1728 g2✭✄✮3 g2✭✄✮3 27g3✭✄✮2 ✿ Two lattices ✄❀ ✄✵ are homothetic if and only if j ✭✄✮ ❂ j ✭✄✵✮.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 13 / 82

Elliptic curves over ❈

Weierstrass ⑥ function

Let ✄ be a complex lattice, the Weierstrass ⑥ function associated to ✄ is the series ⑥✭z❀ ✄✮ ❂ 1 z 2 ✰

❳

✦✷✄♥❢0❣

✒

1 ✭z ✦✮2 1 ✦2

✓

✿ Fix a lattice ✄, then ⑥ and its derivative ⑥✵ are elliptic functions: ⑥✭z ✰ ✦✮ ❂ ⑥✭z✮❀ ⑥✵✭z ✰ ✦✮ ❂ ⑥✵✭z✮ for all ✦ ✷ ✄.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 14 / 82

Uniformization theorem

Let ✄ be a complex lattice. The curve E ✿ y2 ❂ 4x 3g2✭✄✮xg3✭✄✮ is an elliptic curve over ❈. The map ❈❂✄ ✦ E✭❈✮❀ 0 ✼✦ ✭0 ✿ 1 ✿ 0✮❀ z ✼✦ ✭⑥✭z✮ ✿ ⑥✵✭z✮ ✿ 1✮ is an isomorphism of Riemann surfaces and a group morphism. Conversely, for any elliptic curve E ✿ y2 ❂ x 3 ✰ ax ✰ b there is a unique complex lattice ✄ such that g2✭✄✮ ❂ 4a❀ g3✭✄✮ ❂ 4b✿ Moreover j ✭✄✮ ❂ j ✭E✮.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 15 / 82

Multiplication

a ❬ ❪ ❬ ❪

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 16 / 82

Multiplication

a ❬3❪a ❬ ❪

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 16 / 82

Multiplication

a ❬ ❪ ❬3❪a

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 16 / 82

Torsion subgroups

a b The ❵-torsion subgroup is made up by the points

✒i✦1

❵ ❀ j ✦2 ❵

✓

It is a group of rank two E❬❵❪ ❂ ❤a❀ b✐ ✬ ✭❩❂❵❩✮2

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 17 / 82

Isogenies

a p Let a ✷ ❈❂✄1 be an ❵-torsion point, and let ✄2 ❂ a❩ ✟ ✄1 Then ✄1 ✚ ✄2 and we define a degree ❵ cover ✣ ✿ ❈❂✄1 ✦ ❈❂✄2 ✣ is a morphism of complex Lie groups and is called an isogeny.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 18 / 82

Isogenies

a p Let a ✷ ❈❂✄1 be an ❵-torsion point, and let ✄2 ❂ a❩ ✟ ✄1 Then ✄1 ✚ ✄2 and we define a degree ❵ cover ✣ ✿ ❈❂✄1 ✦ ❈❂✄2 ✣ is a morphism of complex Lie groups and is called an isogeny.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 18 / 82

Isogenies

a p Let a ✷ ❈❂✄1 be an ❵-torsion point, and let ✄2 ❂ a❩ ✟ ✄1 Then ✄1 ✚ ✄2 and we define a degree ❵ cover ✣ ✿ ❈❂✄1 ✦ ❈❂✄2 ✣ is a morphism of complex Lie groups and is called an isogeny.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 18 / 82

Isogenies

b p Taking a point b not in the kernel of ✣, we obtain a new degree ❵ cover ❫ ✣ ✿ ❈❂✄2 ✦ ❈❂✄3 The composition ❫ ✣ ✍ ✣ has degree ❵2 and is homothetic to the multiplication by ❵ map. ❫ ✣ is called the dual isogeny of ✣.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 18 / 82

Isogenies

b p Taking a point b not in the kernel of ✣, we obtain a new degree ❵ cover ❫ ✣ ✿ ❈❂✄2 ✦ ❈❂✄3 The composition ❫ ✣ ✍ ✣ has degree ❵2 and is homothetic to the multiplication by ❵ map. ❫ ✣ is called the dual isogeny of ✣.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 18 / 82

Isogenies

b p Taking a point b not in the kernel of ✣, we obtain a new degree ❵ cover ❫ ✣ ✿ ❈❂✄2 ✦ ❈❂✄3 The composition ❫ ✣ ✍ ✣ has degree ❵2 and is homothetic to the multiplication by ❵ map. ❫ ✣ is called the dual isogeny of ✣.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 18 / 82

Isogenies: back to algebra

Let ✣ ✿ E ✦ E ✵ be an isogeny defined over a field k of characteristic p. k✭E✮ is the field of all rational functions from E to k; ✣✄k✭E ✵✮ is the subfield of k✭E✮ defined as ✣✄k✭E ✵✮ ❂ ❢f ✍ ✣ ❥ f ✷ k✭E ✵✮❣✿

Degree, separability

1

The degree of ✣ is ❞❡❣ ✣ ❂ ❬k✭E✮ ✿ ✣✄k✭E ✵✮❪. It is always finite.

2

✣ is said to be separable, inseparable, or purely inseparable if the extension of function fields is.

3

If ✣ is separable, then ❞❡❣ ✣ ❂ ★ ❦❡r ✣.

4

If ✣ is purely inseparable, then ❦❡r ✣ ❂ ❢❖❣ and ❞❡❣ ✣ is a power of p.

5

Any isogeny can be decomposed as a product of a separable and a purely inseparable isogeny.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 19 / 82

Isogenies: back to algebra

Let ✣ ✿ E ✦ E ✵ be an isogeny defined over a field k of characteristic p. k✭E✮ is the field of all rational functions from E to k; ✣✄k✭E ✵✮ is the subfield of k✭E✮ defined as ✣✄k✭E ✵✮ ❂ ❢f ✍ ✣ ❥ f ✷ k✭E ✵✮❣✿

Degree, separability

1

The degree of ✣ is ❞❡❣ ✣ ❂ ❬k✭E✮ ✿ ✣✄k✭E ✵✮❪. It is always finite.

2

✣ is said to be separable, inseparable, or purely inseparable if the extension of function fields is.

3

If ✣ is separable, then ❞❡❣ ✣ ❂ ★ ❦❡r ✣.

4

If ✣ is purely inseparable, then ❦❡r ✣ ❂ ❢❖❣ and ❞❡❣ ✣ is a power of p.

5

Any isogeny can be decomposed as a product of a separable and a purely inseparable isogeny.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 19 / 82

Isogenies: separable vs inseparable

Purely inseparable isogenies

Examples: The Frobenius endomorphism is purely inseparable of degree q. All purely inseparable maps in characteristic p are of the form ✭X ✿ Y ✿ Z✮ ✼✦ ✭X pe ✿ Y pe ✿ Z pe✮.

Separable isogenies

Let E be an elliptic curve, and let G be a finite subgroup of E. There are a unique elliptic curve E ✵ and a unique separable isogeny ✣, such that ❦❡r ✣ ❂ G and ✣ ✿ E ✦ E ✵. The curve E ✵ is called the quotient of E by G and is denoted by E❂G.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 20 / 82

The dual isogeny

Let ✣ ✿ E ✦ E ✵ be an isogeny of degree m. There is a unique isogeny ❫ ✣ ✿ E ✵ ✦ E such that ❫ ✣ ✍ ✣ ❂ ❬m❪E❀ ✣ ✍ ❫ ✣ ❂ ❬m❪E ✵✿ ❫ ✣ is called the dual isogeny of ✣; it has the following properties:

1

❫ ✣ is defined over k if and only if ✣ is;

2

❬ ✥ ✍ ✣ ❂ ❫ ✣ ✍ ❫ ✥ for any isogeny ✥ ✿ E ✵ ✦ E ✵✵;

3

❭ ✥ ✰ ✣ ❂ ❫ ✥ ✰ ❫ ✣ for any isogeny ✥ ✿ E ✦ E ✵;

4

❞❡❣ ✣ ❂ ❞❡❣ ❫ ✣;

5

❫ ❫ ✣ ❂ ✣.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 21 / 82

Algebras, orders

A quadratic imaginary number field is an extension of ◗ of the form Q❬ ♣ D❪ for some non-square D ❃ 0. A quaternion algebra is an algebra of the form ◗ ✰ ☛◗ ✰ ☞◗ ✰ ☛☞◗, where the generators satisfy the relations ☛2❀ ☞2 ✷ ◗❀ ☛2 ❁ 0❀ ☞2 ❁ 0❀ ☞☛ ❂ ☛☞✿

Orders

Let K be a finitely generated ◗-algebra. An order ❖ ✚ K is a subring of K that is a finitely generated ❩-module of maximal dimension. An order that is not contained in any other order of K is called a maximal order. Examples: ❩ is the only order contained in ◗, ❩❬i❪ is the only maximal order of ◗✭i✮, ❩❬ ♣ 5❪ is a non-maximal order of ◗✭ ♣ 5✮, The ring of integers of a number field is its only maximal order, In general, maximal orders in quaternion algebras are not unique.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 22 / 82

The endomorphism ring

The endomorphism ring ❊♥❞✭E✮ of an elliptic curve E is the ring of all isogenies E ✦ E (plus the null map) with addition and composition.

Theorem (Deuring)

Let E be an elliptic curve defined over a field k of characteristic p. ❊♥❞✭E✮ is isomorphic to one of the following: ❩, only if p ❂ 0 E is ordinary. An order ❖ in a quadratic imaginary field: E is ordinary with complex multiplication by ❖. Only if p ❃ 0, a maximal order in a quaternion algebraa: E is supersingular.

a(ramified at p and ✶) Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 23 / 82

The finite field case

Theorem (Hasse)

Let E be defined over a finite field. Its Frobenius endomorphism ✙ satisfies a quadratic equation ✙2 t✙ ✰ q ❂ 0 in ❊♥❞✭E✮ for some ❥t❥ ✔ 2♣q, called the trace of ✙. The trace t is coprime to q if and only if E is ordinary. Suppose E is ordinary, then D✙ ❂ t2 4q ❁ 0 is the discriminant of ❩❬✙❪. K ❂ ◗✭✙✮ ❂ ◗✭♣D✙✮ is the endomorphism algebra of E. Denote by ❖K its ring of integers, then ❩ ✻❂ ❩❬✙❪ ✚ ❊♥❞✭E✮ ✚ ❖K✿ In the supersingular case, ✙ may or may not be in ❩, depending on q.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 24 / 82

Endomorphism rings of ordinary curves

Classifying quadratic orders

Let K be a quadratic number field, and let ❖K be its ring of integers. Any order ❖ ✚ K can be written as ❖ ❂ ❩ ✰ f ❖K for an integer f , called the conductor of ❖, denoted by ❬❖k ✿ ❖❪. If dK is the discriminant of K, the discriminant of ❖ is f 2dK . If ❖❀ ❖✵ are two orders with discriminants d❀ d✵, then ❖ ✚ ❖✵ iff d✵❥d. ❖K ❩ ✰ 2❖K ❩ ✰ 3❖K ❩ ✰ 5❖K ❩ ✰ 6❖K ❩ ✰ 10❖K ❩ ✰ 15❖K ❩❬✙❪ ✬ ❩ ✰ 30❖K

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 25 / 82

Ideal lattices

Fractional ideals

Let ❖ be an order of a number field K. A (fractional) ❖-ideal a is a finitely generated non-zero ❖-submodule of K. When K is imaginary quadratic: Fractional ideals are complex lattices, Any lattice ✄ ✚ K is a fractional ideal, The order of a lattice ✄ is ❖✄ ❂ ❢☛ ✷ K ❥ ☛✄ ✚ ✄❣

Complex multiplication

Let ✄ ✚ K, the elliptic curve associated to ❈❂✄ has complex multiplication by ❖✄.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 26 / 82

The class group

Let ❊♥❞✭E✮ ❂ ❖ ✚ ◗✭ ♣ D✮. Define ■✭❖✮, the group of invertible fractional ideals, P✭❖✮, the group of principal ideals,

The class group

The class group of ❖ is ❈❧✭❖✮ ❂ ■✭❖✮❂P✭O✮✿ It is a finite abelian group. Its order h✭❖✮ is called the class number of ❖. It arises as the Galois group of an abelian extension of ◗✭ ♣ D✮.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 27 / 82

Complex multiplication

Fundamental theorem of CM

Let ❖ be an order of a number field K, and let a1❀ ✿ ✿ ✿ ❀ ah✭❖✮ be representatives of ❈❧✭❖✮. Then: K✭j ✭ai✮✮ is an Abelian extension of K; The j ✭ai✮ are all conjugate over K; The Galois group of K✭j ✭ai✮✮ is isomorphic to ❈❧✭❖✮; ❬◗✭j ✭ai✮✮ ✿ ◗❪ ❂ ❬K✭j ✭ai✮✮ ✿ K❪ ❂ h✭❖✮; The j ✭ai✮ are integral, their minimal polynomial is called the Hilbert class polynomial of ❖.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 28 / 82

Lifing

Deuring’s lifing theorem

Let E0 be an elliptic curve in characteristic p, with an endomorphism ✦o which is not trivial. Then there exists an elliptic curve E defined over a number field L, an endomorphism ✦ of E, and a non-singular reduction of E at a place p of L lying above p, such that E0 is isomorphic to E✭p✮, and ✦0 corresponds to ✦✭p✮ under the isomorphism.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 29 / 82

Executive summary

Elliptic curves are algebraic groups; Isogenies are the natural notion of morphism for EC: both group and projective variety morphism; We can understand most things about isogenies by looking only at endomorphisms; Isogenies of curves over ❈ are especially simple to describe; It is easy to construct curves over ❈ with prescribed complex multiplication; Most of what happens in positive characteristic can be understood by:

■ looking at the Frobenius endomorphism, and/or ■ looking at reductions of curves in characteristic 0. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 30 / 82

Plan

1

Elliptic curves, isogenies, complex multiplication

2

Isogeny graphs

3

Key exchange

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 31 / 82

Isogeny graphs

Serre-Tate theorem reloaded

Two elliptic curves E❀ E ✵ defined over a finite field are isogenous iff their endomorphism algebras ❊♥❞✭E✮ ✡ ◗ and ❊♥❞✭E ✵✮ ✡ ◗ are isomorphic. Isogeny graphs Vertices are curves up to isomorphism, Edges are isogenies up to isomorphism. Isogeny volcanoes Curves are ordinary, Isogenies all have degree a prime ❵.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 32 / 82

What do isogeny graphs look like?

Torsion subgroups (❵ prime)

In an algebraically closed field: E❬❵❪ ❂ ❤P❀ Q✐ ✬ ✭❩❂❵❩✮2 ✰ There are exactly ❵ ✰ 1 cyclic subgroups H ✚ E of order ❵: ❤P ✰ Q✐❀ ❤P ✰ 2Q✐❀ ✿ ✿ ✿ ❀ ❤P✐❀ ❤Q✐ ✰ There are exactly ❵ ✰ 1 distinct isogenies of degree ❵. (non-CM) 2-isogeny graph over ❈

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 33 / 82

What happens over a finite field ❋p?

Rational isogenies (❵ ✻❂ p)

In the algebraic closure ✖ ❋p E❬❵❪ ❂ ❤P❀ Q✐ ✬ ✭❩❂❵❩✮2 However, an isogeny is defined over ❋p only if its kernel is Galois invariant. Enter the Frobenius map ✙ ✿ E ✦ E ✭x❀ y✮ ✼ ✦ ✭x p❀ yp✮ E is seen here as a curve over ✖ ❋p.

The Frobenius action on E❬❵❪

✙✭P✮ ❂ ✙✭Q✮ ❂ aP ✰ bQ cP ✰ dQ

✥ ✦

✙ ✿ ♠♦❞ ❵ ✙❥ ❬❵❪

• ▲✭❩❂❵❩✮

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 34 / 82

What happens over a finite field ❋p?

Rational isogenies (❵ ✻❂ p)

In the algebraic closure ✖ ❋p E❬❵❪ ❂ ❤P❀ Q✐ ✬ ✭❩❂❵❩✮2 However, an isogeny is defined over ❋p only if its kernel is Galois invariant. Enter the Frobenius map ✙ ✿ E ✦ E ✭x❀ y✮ ✼ ✦ ✭x p❀ yp✮ E is seen here as a curve over ✖ ❋p.

The Frobenius action on E❬❵❪

✙✭ ✮ ❂ ✙✭ ✮ ❂ aP ✰ bQ cP ✰ dQ

✥ ✦

✙ ✿ ♠♦❞ ❵ ✙❥ ❬❵❪

• ▲✭❩❂❵❩✮

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 34 / 82

What happens over a finite field ❋p?

Rational isogenies (❵ ✻❂ p)

In the algebraic closure ✖ ❋p E❬❵❪ ❂ ❤P❀ Q✐ ✬ ✭❩❂❵❩✮2 However, an isogeny is defined over ❋p only if its kernel is Galois invariant. Enter the Frobenius map ✙ ✿ E ✦ E ✭x❀ y✮ ✼ ✦ ✭x p❀ yp✮ E is seen here as a curve over ✖ ❋p.

The Frobenius action on E❬❵❪

✙✭ ✮ ❂ ✙✭ ✮ ❂ aP ✰ bQ cP ✰ dQ

✥ ✦

✙ ✿ ♠♦❞ ❵ ✙❥ ❬❵❪

• ▲✭❩❂❵❩✮

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 34 / 82

What happens over a finite field ❋p?

Rational isogenies (❵ ✻❂ p)

In the algebraic closure ✖ ❋p E❬❵❪ ❂ ❤P❀ Q✐ ✬ ✭❩❂❵❩✮2 However, an isogeny is defined over ❋p only if its kernel is Galois invariant. Enter the Frobenius map ✙ ✿ E ✦ E ✭x❀ y✮ ✼ ✦ ✭x p❀ yp✮ E is seen here as a curve over ✖ ❋p.

The Frobenius action on E❬❵❪

✙✭ ✮ ❂ ✙✭ ✮ ❂ a ✰ b c ✰ d

✥ ✦

✙ ✿ ♠♦❞ ❵ ✙❥ ❬❵❪

• ▲✭❩❂❵❩✮

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 34 / 82

What happens over a finite field ❋p?

Rational isogenies (❵ ✻❂ p)

In the algebraic closure ✖ ❋p E❬❵❪ ❂ ❤P❀ Q✐ ✬ ✭❩❂❵❩✮2 However, an isogeny is defined over ❋p only if its kernel is Galois invariant. Enter the Frobenius map ✙ ✿ E ✦ E ✭x❀ y✮ ✼ ✦ ✭x p❀ yp✮ E is seen here as a curve over ✖ ❋p.

The Frobenius action on E❬❵❪

✙✭ ✮ ❂ ✙✭ ✮ ❂ a ✰ b c ✰ d

✥ ✦

✙ ✿ ♠♦❞ ❵ ✙❥ ❬❵❪

• ▲✭❩❂❵❩✮

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 34 / 82

What happens over a finite field ❋p?

Rational isogenies (❵ ✻❂ p)

In the algebraic closure ✖ ❋p E❬❵❪ ❂ ❤P❀ Q✐ ✬ ✭❩❂❵❩✮2 However, an isogeny is defined over ❋p only if its kernel is Galois invariant. Enter the Frobenius map ✙ ✿ E ✦ E ✭x❀ y✮ ✼ ✦ ✭x p❀ yp✮ E is seen here as a curve over ✖ ❋p.

The Frobenius action on E❬❵❪

✙✭ ✮ ❂ ✙✭ ✮ ❂ a ✰ b c ✰ d

✥ ✦

✙ ✿ ♠♦❞ ❵ We identify ✙❥E❬❵❪ to a conjugacy class in ●▲✭❩❂❵❩✮.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 34 / 82

What happens over a finite field ❋p?

Galois invariant subgroups of E❬❵❪ = eigenspaces of ✙ ✷ ●▲✭❩❂❵❩✮ = rational isogenies of degree ❵ ✙❥ ❬❵❪ ✘

✕

✕

✁

✦ ❵ ✰ ✙❥ ❬❵❪ ✘

✏

✕ ✖

✑

✕ ✻❂ ✖ ✦ ✙❥ ❬❵❪ ✘

✕ ✄

✕

✁

✦ ✙❥ ❬❵❪ ❩❂❵❩ ✦

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 35 / 82

What happens over a finite field ❋p?

Galois invariant subgroups of E❬❵❪ = eigenspaces of ✙ ✷ ●▲✭❩❂❵❩✮ = rational isogenies of degree ❵

How many Galois invariant subgroups?

✙❥E❬❵❪ ✘

✕ 0

0 ✕

✁

✦ ❵ ✰ 1 isogenies ✙❥E❬❵❪ ✘

✏

✕ 0 0 ✖

✑

with ✕ ✻❂ ✖ ✦ two isogenies ✙❥E❬❵❪ ✘

✕ ✄

0 ✕

✁

✦ one isogeny ✙❥E❬❵❪ is not diagonalizable over ❩❂❵❩ ✦ no isogeny

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 35 / 82

Volcanology (Kohel 1996)

Let E❀ E ✵ be curves with respective endomorphism rings ❖❀ ❖✵ ✚ K. Let ✣ ✿ E ✦ E ✵ be an isogeny of prime degree ❵, then: if ❖ ❂ ❖✵, ✣ is horizontal; if ❬❖✵ ✿ ❖❪ ❂ ❵, ✣ is ascending; if ❬❖ ✿ ❖✵❪ ❂ ❵, ✣ is descending. ❊♥❞✭E✮ ❖K ❩❬✙❪

Ordinary isogeny volcano of degree ❵ ❂ 3.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 36 / 82

Volcanology (Kohel 1996)

Let E be ordinary, ❊♥❞✭E✮ ✚ K. ❖K: maximal order of K, DK: discriminant of K. ❂

❵✭❬❖

✿ ❩❬✙❪❪✮

DK

❵

✁ ❂ 1 DK

❵

✁ ❂ 0 DK

❵

✁ ❂ ✰1

Horizontal Ascending Descending ❵ ✲ ❬❖K ✿ ❖❪❪ ❵ ✲ ❬❖ ✿ ❩❬✙❪❪ 1 ✰

✏

DK ❵

✑

❵ ✲ ❬❖K ✿ ❖❪❪ ❵ ❥ ❬❖ ✿ ❩❬✙❪❪ 1 ✰

✏

DK ❵

✑

❵

✏

DK ❵

✑

❵ ❥ ❬❖K ✿ ❖❪❪ ❵ ❥ ❬❖ ✿ ❩❬✙❪❪ 1 ❵ ❵ ❥ ❬❖K ✿ ❖❪❪ ❵ ✲ ❬❖ ✿ ❩❬✙❪❪ 1

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 37 / 82

Volcanology (Kohel 1996)

Let E be ordinary, ❊♥❞✭E✮ ✚ K. ❖K: maximal order of K, DK: discriminant of K. Height ❂ v❵✭❬❖K ✿ ❩❬✙❪❪✮.

DK

❵

✁ ❂ 1 DK

❵

✁ ❂ 0 DK

❵

✁ ❂ ✰1

Horizontal Ascending Descending ❵ ✲ ❬❖K ✿ ❖❪❪ ❵ ✲ ❬❖ ✿ ❩❬✙❪❪ 1 ✰

✏

DK ❵

✑

❵ ✲ ❬❖K ✿ ❖❪❪ ❵ ❥ ❬❖ ✿ ❩❬✙❪❪ 1 ✰

✏

DK ❵

✑

❵

✏

DK ❵

✑

❵ ❥ ❬❖K ✿ ❖❪❪ ❵ ❥ ❬❖ ✿ ❩❬✙❪❪ 1 ❵ ❵ ❥ ❬❖K ✿ ❖❪❪ ❵ ✲ ❬❖ ✿ ❩❬✙❪❪ 1

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 37 / 82

Volcanology (Kohel 1996)

Let E be ordinary, ❊♥❞✭E✮ ✚ K. ❖K: maximal order of K, DK: discriminant of K. Height ❂ v❵✭❬❖K ✿ ❩❬✙❪❪✮. How large is the crater?

DK

❵

✁ ❂ 1 DK

❵

✁ ❂ 0 DK

❵

✁ ❂ ✰1

Horizontal Ascending Descending ❵ ✲ ❬❖K ✿ ❖❪❪ ❵ ✲ ❬❖ ✿ ❩❬✙❪❪ 1 ✰

✏

DK ❵

✑

❵ ✲ ❬❖K ✿ ❖❪❪ ❵ ❥ ❬❖ ✿ ❩❬✙❪❪ 1 ✰

✏

DK ❵

✑

❵

✏

DK ❵

✑

❵ ❥ ❬❖K ✿ ❖❪❪ ❵ ❥ ❬❖ ✿ ❩❬✙❪❪ 1 ❵ ❵ ❥ ❬❖K ✿ ❖❪❪ ❵ ✲ ❬❖ ✿ ❩❬✙❪❪ 1

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 37 / 82

How large is the crater of a volcano?

Let ❊♥❞✭E✮ ❂ ❖ ✚ ◗✭ ♣ D✮. Define ■✭❖✮, the group of invertible fractional ideals, P✭❖✮, the group of principal ideals,

The class group

The class group of ❖ is ❈❧✭❖✮ ❂ ■✭❖✮❂P✭O✮✿ It is a finite abelian group. Its order h✭❖✮ is called the class number of ❖. It arises as the Galois group of an abelian extension of ◗✭ ♣ D✮.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 38 / 82

Complex multiplication

The a-torsion

Let a ✚ ❖ be an (integral invertible) ideal of ❖; Let E❬a❪ be the subgroup of E annihilated by a: E❬a❪ ❂ ❢P ✷ E ❥ ☛✭P✮ ❂ 0 for all ☛ ✷ a❣❀ Let ✣ ✿ E ✦ Ea, where Ea ❂ E❂E❬a❪. Then ❊♥❞✭Ea✮ ❂ ❖ (i.e., ✣ is horizontal).

Theorem (Complex multiplication)

The action on the set of elliptic curves with complex multiplication by ❖ defined by a ✄ j ✭E✮ ❂ j ✭Ea✮ factors through ❈❧✭❖✮, is faithful and transitive.

Corollary

Let ❊♥❞✭E✮ have discriminant D. Assume that

✏

D ❵

✑

❂ 1, then E is on a crater of size N of an ❵-volcano, and N❥h✭❊♥❞✭E✮✮

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 39 / 82

Complex multiplication graphs

E1 E2 E3 E4 E5 E6 E7 E8 E9 E10 E11 E12 Vertices are elliptic curves with complex multiplication by ❖K (i.e., ❊♥❞✭E✮ ✬ ❖K ✚ ◗✭ ♣ D✮). ❈❧✭❖ ✮

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 40 / 82

Complex multiplication graphs

E1 E2 E3 E4 E5 E6 E7 E8 E9 E10 E11 E12 Vertices are elliptic curves with complex multiplication by ❖K (i.e., ❊♥❞✭E✮ ✬ ❖K ✚ ◗✭ ♣ D✮). Edges are horizontal isogenies

• f

bounded prime degree. degree 2 ❈❧✭❖ ✮

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 40 / 82

Complex multiplication graphs

E1 E2 E3 E4 E5 E6 E7 E8 E9 E10 E11 E12 Vertices are elliptic curves with complex multiplication by ❖K (i.e., ❊♥❞✭E✮ ✬ ❖K ✚ ◗✭ ♣ D✮). Edges are horizontal isogenies

• f

bounded prime degree. degree 2 degree 3 ❈❧✭❖ ✮

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 40 / 82

Complex multiplication graphs

E1 E2 E3 E4 E5 E6 E7 E8 E9 E10 E11 E12 Vertices are elliptic curves with complex multiplication by ❖K (i.e., ❊♥❞✭E✮ ✬ ❖K ✚ ◗✭ ♣ D✮). Edges are horizontal isogenies

• f

bounded prime degree. degree 2 degree 3 degree 5 ❈❧✭❖ ✮

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 40 / 82

Complex multiplication graphs

E1 E2 E3 E4 E5 E6 E7 E8 E9 E10 E11 E12 Vertices are elliptic curves with complex multiplication by ❖K (i.e., ❊♥❞✭E✮ ✬ ❖K ✚ ◗✭ ♣ D✮). Edges are horizontal isogenies

• f

bounded prime degree. degree 2 degree 3 degree 5 Isomorphic to a Cayley graph of ❈❧✭❖K✮.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 40 / 82

Supersingular endomorphisms

Recall, a curve E over a field ❋q of characteristic p is supersingular iff ✙2 t✙ ✰ q ❂ 0 with t ❂ 0 ♠♦❞ p.

Case: t ❂ 0 ✮ D✙ ❂ 4q

Only possibility for E❂❋p, E❂❋p has CM by an order of ◗✭♣p✮, similar to the ordinary case.

Case: t ❂ ✝2♣q ✮ D✙ ❂ 0

General case for E❂❋q, when q is an even power. ✙ ❂ ✝♣q, hence no complex multiplication. We will ignore marginal cases: t ❂ ✝♣q❀ ✝♣2q❀ ✝♣3q.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 41 / 82

Supersingular complex multiplication

Let E❂❋p be a supersingular curve, then ✙2 ❂ p, and ✙ ❂

✏ ♣p

♣p

✑

♠♦❞ ❵ for any ❵ s.t.

✏

p ❵

✑

❂ 1.

Theorem (Delfs and Galbraith 2016)

Let ❊♥❞❋p✭E✮ denote the ring of ❋p-rational endomorphisms of E. Then ❩❬✙❪ ✚ ❊♥❞❋p✭E✮ ✚ ◗✭♣p✮✿

Orders of ◗✭♣p✮

If p ❂ 1 ♠♦❞ 4, then ❩❬✙❪ is the maximal order. If p ❂ 1 ♠♦❞ 4, then ❩❬✙✰1

2 ❪ is the maximal order,

and ❬❩❬✙✰1

2 ❪ ✿ ❩❬✙❪❪ ❂ 2.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 42 / 82

Supersingular CM graphs

2-volcanoes, p ❂ 1 ♠♦❞ 4

❩❬✙✰1

2 ❪

❩❬✙❪

2-graphs, p ❂ 1 ♠♦❞ 4

❩❬✙❪ All other ❵-graphs are cycles of horizontal isogenies iff

✏

p ❵

✑

❂ 1.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 43 / 82

The full endomorphism ring

Theorem (Deuring)

Let E be a supersingular elliptic curve, then E is isomorphic to a curve defined over ❋p2; Every isogeny of E is defined over ❋p2; Every endomorphism of E is defined over ❋p2; ❊♥❞✭E✮ is isomorphic to a maximal order in a quaternion algebra ramified at p and ✶. In particular: If E is defined over ❋p, then ❊♥❞❋p✭E✮ is strictly contained in ❊♥❞✭E✮. Some endomorphisms do not commute!

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 44 / 82

An example

The curve of j -invariant 1728 E ✿ y2 ❂ x 3 ✰ x is supersingular over ❋p iff p ❂ 1 ♠♦❞ 4.

Endomorphisms

❊♥❞✭E✮ ❂ ❩❤✓❀ ✙✐, with: ✙ the Frobenius endomorphism, s.t. ✙2 ❂ p; ✓ the map ✓✭x❀ y✮ ❂ ✭x❀ iy✮❀ where i ✷ ❋p2 is a 4-th root of unity. Clearly, ✓2 ❂ 1. And ✓✙ ❂ ✙✓.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 45 / 82

Class group action party

j ❂ 1728 ❈❧✭ ✮ ❈❧✭ ✮ ❂ ❈❧✭ ✮ ❈❧✭ ✮ ❈❧✭ ✮

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 46 / 82

Class group action party

j ❂ 1728 ❈❧✭4p✮ ❈❧✭ ✮ ❂ ❈❧✭ ✮ ❈❧✭ ✮ ❈❧✭ ✮

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 46 / 82

Class group action party

❂ ❈❧✭4p✮ ❈❧✭4✮ ❂ ❈❧✭ ✮ ❈❧✭ ✮ ❈❧✭ ✮

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 46 / 82

Class group action party

❂ ❈❧✭4p✮ ❈❧✭4✮ j ❂ 0 ❈❧✭ ✮ ❈❧✭ ✮ ❈❧✭ ✮

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 46 / 82

Class group action party

❂ ❈❧✭4p✮ ❈❧✭4✮ ❂ ❈❧✭3✮ ❈❧✭ ✮ ❈❧✭ ✮

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 46 / 82

Class group action party

❂ ❈❧✭4p✮ ❈❧✭4✮ ❂ ❈❧✭3✮ ❈❧✭23✮ ❈❧✭79✮

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 46 / 82

Quaternion algebra?! WTF?2

The quaternion algebra Bp❀✶ is: A 4-dimensional ◗-vector space with basis ✭1❀ i❀ j ❀ k✮. A non-commutative division algebra1 Bp❀✶ ❂ ◗❤i❀ j ✐ with the relations: i2 ❂ a❀ j 2 ❂ p❀ ij ❂ ji ❂ k❀ for some a ❁ 0 (depending on p). All elements of Bp❀✶ are quadratic algebraic numbers. Bp❀✶ ✡ ◗❵ ✬ ▼2✂2✭◗❵✮ for all ❵ ✻❂ p. I.e., endomorphisms restricted to E❬❵e❪ are just 2 ✂ 2 matrices ♠♦❞❵e. Bp❀✶ ✡ ❘ is isomorphic to Hamilton’s quaternions. Bp❀✶ ✡ ◗p is a division algebra.

1All elements have inverses. 2What The Field? Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 47 / 82

Supersingular graphs

Quaternion algebras have many maximal orders. For every maximal order type of Bp❀✶ there are 1 or 2 curves over ❋p2 having endomorphism ring isomorphic to it. There is a unique isogeny class of supersingular curves over ✖ ❋p of size ✙ p❂12. Lef ideals act on the set of maximal

• rders like isogenies.

The graph of ❵-isogenies is ✭❵ ✰ 1✮-regular.

Figure: 3-isogeny graph on ❋972.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 48 / 82

Graphs lexicon

Degree: Number of (outgoing/ingoing) edges. k-regular: All vertices have degree k. Connected: There is a path between any two vertices. Distance: The length of the shortest path between two vertices. Diamater: The longest distance between two vertices. ✕1 ✕ ✁ ✁ ✁ ✕ ✕n: The (ordered) eigenvalues of the adjacency matrix.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 49 / 82

Expander graphs

Proposition

If G is a k-regular graph, its largest and smallest eigenvalues satisfy k ❂ ✕1 ✕ ✕n ✕ k✿

Expander families

An infinite family of connected k-regular graphs on n vertices is an expander family if there exists an ✎ ❃ 0 such that all non-trivial eigenvalues satisfy ❥✕❥ ✔ ✭1 ✎✮k for n large enough. Expander graphs have short diameter (O✭❧♦❣ n✮); Random walks mix rapidly (afer O✭❧♦❣ n✮ steps, the induced distribution on the vertices is close to uniform).

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 50 / 82

Expander graphs from isogenies

Theorem (Pizer 1990, 1998)

Let ❵ be fixed. The family of graphs of supersingular curves over ❋p2 with ❵-isogenies, as p ✦ ✶, is an expander familya.

aEven better, it has the Ramanujan property.

Theorem (Jao, Miller, and Venkatesan 2009)

Let ❖ ✚ ◗✭ ♣ D✮ be an order in a quadratic imaginary field. The graphs of all curves over ❋q with complex multiplication by ❖, with isogenies of prime degree boundeda by ✭❧♦❣ q✮2✰✍, are expanders.

aMay contain traces of GRH. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 51 / 82

Executive summary

Separable ❵-isogeny = finite kernel = subgroup of E❬❵❪,

■ eigenspace of ✙ iff ❋q-rational, ■ distinct eigenvalues ✕ ✻❂ ✖ define distinct directions on the crater.

Isogeny graphs have j -invariants for vertices and “some” isogenies for edges. By varying the choices for the vertex and the isogeny set, we obtain graphs with different properties. ❵-isogeny graphs of ordinary curves are volcanoes, (full) ❵-isogeny graphs of supersingular curves are finite ✭❵ ✰ 1✮-regular. CM theory naturally leads to define graphs of horizontal isogenies (both in the ordinary and the supersingular case) that are isomorphic to Cayley graphs of class groups. CM graphs are expanders. Supseringular full ❵-isogeny graphs are Ramanujan.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 52 / 82

Plan

1

Elliptic curves, isogenies, complex multiplication

2

Isogeny graphs

3

Key exchange

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 53 / 82

Isogeny graphs taxonomy

Complex Multiplication (CM) graphs Ordinary / Supersingular (❋p) Superposition of isogeny cycles (one color per degree) Isomorphic to Cayley graph of a quadratic class group Large automorphism group Typical size O✭♣p✮ Used in: CSIDH Full supersingular graphs Supersingular (❋p2) One isogeny degree ✭❵ ✰ 1✮-regular Tiny automorphism group Size ✙ p❂12 Used in: SIDH

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 54 / 82

Diffie–Hellman key exchange

Goal: Alice and Bob have never met before. They are chatting over a public channel, and want to agree on a shared secret to start a private conversation. Setup: They agree on a (large) cyclic group G ❂ ❤g✐ of order N. Alice Bob pick random a ✷ ❩❂N❩ compute A ❂ ga pick random b ✷ ❩❂N❩ compute B ❂ gb A B Shared secret is Ba ❂ gab ❂ Ab

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 55 / 82

Brief history of DH key exchange

1976 Diffie & Hellman publish New directions in cryptography, suggest using G ❂ ❋✄

p.

1978 Pollard publishes his discrete logarithm algorithm (O✭♣★G✮ complexity). 1980 Miller and Koblitz independently suggest using elliptic curves G ❂ E✭❋p✮. 1994 Shor publishes his quantum discrete logarithm / factoring algorithm. 2005 NSA standardizes elliptic curve key agreement (ECDH) and signatures ECDSA. 2017 ✘ 70✪ of web traffic is secured by ECDH and/or ECDSA. 2017 NIST launches post-quantum competition, says “not to bother moving to elliptic curves, if you haven’t yet”.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 56 / 82

History of isogeny-based cryptography

1996 Couveignes introduces the Hard Homogeneous Spaces. His work stays unpublished for 10 years. 2006 Rostovtsev & Stolbunov independently rediscover Couveignes ideas, suggest isogeny-based Diffie–Hellman as a quantum-resistant primitive. 2006-2010 Other isogeny-based protocols by Teske and Charles, Goren & Lauter. 2011-2012 D., Jao & Plût introduce SIDH, an efficient post-quantum key exchange inspired by Couveignes, Rostovtsev, Stolbunov, Charles, Goren, Lauter. 2017 SIDH is submitted to the NIST competition (with the name SIKE, only isogeny-based candidate). 2018 D., Kieffer & Smith resurrect the Couveignes–Rostovtsev–Stolbunov protocol, Castryck, Lange, Martindale, Panny & Renes publish an efficient variant named CSIDH.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 57 / 82

Elliptic curves

Let E ✿ y2 ❂ x 3 ✰ ax ✰ b be an elliptic curve... P Q R P ✰ Q

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 58 / 82

Elliptic curves

Let E ✿ y2 ❂ x 3 ✰ ax ✰ b be an elliptic curve... ✰

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 58 / 82

Elliptic curves

Let E ✿ y2 ❂ x 3 ✰ ax ✰ b be an elliptic curve... ✰

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 58 / 82

Elliptic curves

Let E ✿ y2 ❂ x 3 ✰ ax ✰ b be an elliptic curve... ✰

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 58 / 82

Elliptic curves

Let E ✿ y2 ❂ x 3 ✰ ax ✰ b be an elliptic curve... ✰

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 58 / 82

Elliptic curves

Let E ✿ y2 ❂ x 3 ✰ ax ✰ b be an elliptic curve... ✰

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 58 / 82

Elliptic curves

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 59 / 82

The QUANTHOM Menace

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 60 / 82

Basically every isogeny-based protocol...

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 61 / 82

Basically every isogeny-based protocol...

Public curve Public curve

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 61 / 82

Basically every isogeny-based protocol...

Public curve Public curve Shared secret

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 61 / 82

Computing Isogenies

Vélu’s formulas

Input: A subgroup H ✚ E, Output: The isogeny ✣ ✿ E ✦ E❂H. Complexity: O✭❵✮ — Vélu 1971, ... Why? Evaluate isogeny on points P ✷ E; Walk in isogeny graphs. ❵ ✚ ❵ ⑦ ❖✭❵ ✮

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 62 / 82

Computing Isogenies

Vélu’s formulas

Input: A subgroup H ✚ E, Output: The isogeny ✣ ✿ E ✦ E❂H. Complexity: O✭❵✮ — Vélu 1971, ... Why? Evaluate isogeny on points P ✷ E; Walk in isogeny graphs.

Explicit Isogeny Problem

Input: Curve E, (prime) integer ❵ Output: All subgroups H ✚ E of order ❵. Complexity: ⑦ ❖✭❵2✮ — Elkies 1992 Why? List all isogenies of given degree; Count points of elliptic curves; Compute endomorphism rings of elliptic curves; Walk in isogeny graphs.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 62 / 82

Computing Isogenies

Explicit Isogeny Problem (2)

Input: Curves E❀ E ✵, isogenous of degree ❵. Output: The isogeny ✣ ✿ E ✦ E ✵ of degree ❵. Complexity: O✭❵2✮ — Elkies 1992; Couveignes 1996; Lercier and Sirvent 2008; De Feo 2011; De Feo, Hugounenq, Plût, and Schost 2016; Lairez and Vaccon 2016, ... Why? Count points of elliptic curves. ❀

✵

✣ ✿ ✦

✵

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 63 / 82

Computing Isogenies

Explicit Isogeny Problem (2)

Input: Curves E❀ E ✵, isogenous of degree ❵. Output: The isogeny ✣ ✿ E ✦ E ✵ of degree ❵. Complexity: O✭❵2✮ — Elkies 1992; Couveignes 1996; Lercier and Sirvent 2008; De Feo 2011; De Feo, Hugounenq, Plût, and Schost 2016; Lairez and Vaccon 2016, ... Why? Count points of elliptic curves.

Isogeny Walk Problem

Input: Isogenous curves E❀ E ✵. Output: An isogeny ✣ ✿ E ✦ E ✵ of smooth degree. Complexity: Generically hard — Galbraith, Hess, and Smart 2002, ... Why? Cryptanalysis (ECC); Foundational problem for isogeny-based cryptography.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 63 / 82

Random walks and hash functions (circa 2006)

Any expander graph gives rise to a hash function. v

1 1 1 1 1 1

v ✵ H✭010101✮ ❂ v ✵ Fix a starting vertex v; The value to be hashed determines a random path to v ✵; v ✵ is the hash.

(Charles, K. E. Lauter, and Goren 2009) hash function (CGL)

Use the expander graph of supersingular 2-isogenies; Collision resistance 2nd preimage resistance

✮

❂ hardness of finding cycles in the graph; Preimage resistance = hardness of finding a path from v to v ✵.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 64 / 82

Hardness of CGL

Finding cycles

Analogous to finding endomorphisms... ...very bad idea to start from a curve with known endomorphism ring! Translation algortihm: elements of Bp❀✶ ✩ isogeny loops Doable in ♣♦❧②❧♦❣✭p✮.a

aKohel, K. Lauter, Petit, and Tignol 2014; Eisenträger, Hallgren, K. Lauter,

Morrison, and Petit 2018.

Finding paths E ✦ E ✵

Analogous to finding connecting ideals between two maximal orders ❖❀ ❖✵ (i.e. a lef ideal I ✚ ❖ that is a right ideal of ❖✵). Poly-time equivalent to computing ❊♥❞✭E✮ and ❊♥❞✭E ✵✮.a Best known algorithm to compute ❊♥❞✭E✮ takes ♣♦❧②✭p✮.b

aEisenträger, Hallgren, K. Lauter, Morrison, and Petit 2018. bKohel 1996; Cerviño 2004. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 65 / 82

Expander graphs from groups

g2 g4 g8 g3 g6 g12 g11 g9 g5 g10 g7 g1 Let G ❂ ❤g✐ be a cyclic group of order p. ✚ ✭❩❂ ❩✮✂

✚

✭ ❀ ♥ ❢ ❣✮ ✼✦ ✼✦ ✼✦

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 66 / 82

Expander graphs from groups

g2 g4 g8 g3 g6 g12 g11 g9 g5 g10 g7 g1 Let G ❂ ❤g✐ be a cyclic group of order p. ✚ ✭❩❂ ❩✮✂

✚

✭ ❀ ♥ ❢ ❣✮ x ✼✦ x 2 ✼✦ ✼✦

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 66 / 82

Expander graphs from groups

g2 g4 g8 g3 g6 g12 g11 g9 g5 g10 g7 g1 Let G ❂ ❤g✐ be a cyclic group of order p. ✚ ✭❩❂ ❩✮✂

✚

✭ ❀ ♥ ❢ ❣✮ x ✼✦ x 2 x ✼✦ x 3 ✼✦

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 66 / 82

Expander graphs from groups

g2 g4 g8 g3 g6 g12 g11 g9 g5 g10 g7 g1 Let G ❂ ❤g✐ be a cyclic group of order p. ✚ ✭❩❂ ❩✮✂

✚

✭ ❀ ♥ ❢ ❣✮ x ✼✦ x 2 x ✼✦ x 3 x ✼✦ x 5

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 66 / 82

Expander graphs from groups

g2 g4 g8 g3 g6 g12 g11 g9 g5 g10 g7 g1 Let G ❂ ❤g✐ be a cyclic group of order p. Let S ✚ ✭❩❂p❩✮✂ s.t. S 1 ✚ S. The Schreier graph of ✭S❀ G ♥ ❢1❣✮ is (usually) an expander. x ✼✦ x 2 x ✼✦ x 3 x ✼✦ x 5

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 66 / 82

Key exchange from Schreier graphs

g ❂ Public parameters: A group G ❂ ❤g✐ of order p; A subset S ✚ ✭❩❂p❩✮✂. ✿ ✦ ✭❧♦❣ ✮

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 67 / 82

Key exchange from Schreier graphs

g gA ❂ Public parameters: A group G ❂ ❤g✐ of order p; A subset S ✚ ✭❩❂p❩✮✂.

1

Alice takes a secret random walk sA ✿ g ✦ gA of length O✭❧♦❣ p✮;

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 67 / 82

Key exchange from Schreier graphs

g gA gB ❂ Public parameters: A group G ❂ ❤g✐ of order p; A subset S ✚ ✭❩❂p❩✮✂.

1

Alice takes a secret random walk sA ✿ g ✦ gA of length O✭❧♦❣ p✮;

2

Bob does the same;

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 67 / 82

Key exchange from Schreier graphs

g gA gB ❂ Public parameters: A group G ❂ ❤g✐ of order p; A subset S ✚ ✭❩❂p❩✮✂.

1

Alice takes a secret random walk sA ✿ g ✦ gA of length O✭❧♦❣ p✮;

2

Bob does the same;

3

They publish gA and gB;

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 67 / 82

Key exchange from Schreier graphs

g gA gB gBA ❂ Public parameters: A group G ❂ ❤g✐ of order p; A subset S ✚ ✭❩❂p❩✮✂.

1

Alice takes a secret random walk sA ✿ g ✦ gA of length O✭❧♦❣ p✮;

2

Bob does the same;

3

They publish gA and gB;

4

Alice repeats her secret walk sA starting from gB.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 67 / 82

Key exchange from Schreier graphs

g gA gB gBA ❂ gAB Public parameters: A group G ❂ ❤g✐ of order p; A subset S ✚ ✭❩❂p❩✮✂.

1

Alice takes a secret random walk sA ✿ g ✦ gA of length O✭❧♦❣ p✮;

2

Bob does the same;

3

They publish gA and gB;

4

Alice repeats her secret walk sA starting from gB.

5

Bob repeats his secret walk sB starting from gA.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 67 / 82

Key exchange from Schreier graphs

g gA gB gBA ❂ gAB Why does this work? gA ❂ g2✁3✁2✁5❀ gB ❂ g32✁5✁2❀ gBA ❂ gAB ❂ g23✁33✁52❀ and gA❀ gB❀ gAB are uniformly distributed in G...

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 67 / 82

Key exchange from Schreier graphs

g gA gB gBA ❂ gAB Why does this work? gA ❂ g2✁3✁2✁5❀ gB ❂ g32✁5✁2❀ gBA ❂ gAB ❂ g23✁33✁52❀ and gA❀ gB❀ gAB are uniformly distributed in G... ...Indeed, this is just a twisted presentation of the classical Diffie-Hellman protocol!

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 67 / 82

Key exchange in graphs of ordinary isogenies3 (CRS)

Parameters: E❂❋p ordinary elliptic curve, with Frobenius endomorphism ✙ ✷ ❖. (small) primes ❵1,❵2,...such that

✏

D✙ ❵i

✑

❂ 1. elements f1 ❂ ✭❵1❀ ✙ ✕1✮, f2 ❂ ✭❵2❀ ✙ ✕2✮,...in ❈❧✭❖✮. Secret data: Random walks a❀ b ✷ ❈❧✭❖✮ in the isogeny graph.

E a ✄ E b ✄ E ab ✄ E ❂ ba ✄ E

fa1

1 fa2 2 ✁ ✁ ✁ ❂ a

b ❂ fb1

1 fb2 2 ✁ ✁ ✁

3Couveignes 2006; Rostovtsev and Stolbunov 2006. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 68 / 82

Computing the action of ❈❧✭❖✮

Input: An ideal class a ❂ fa1

1 fa2 2 ✁ ✁ ✁ .

Output: The elliptic curve a ✄ E. Algorithm: Let fn ❂ ✭❵❀ ✙ ✕✮n, repeat n times: Use Elkies’ algorithm to find all (two) curves isogenous to E of degree ❵, Choose the one such that ❦❡r ✣ ✚ ❦❡r✭✙ ✕✮.

Parameters size / performance

Adversary goal: Given E❀ a ✄ E, find a; Graph size: ★ ❈❧✭❖✮ ✙ ♣p; Best (classical) attack: Meet-in-the-middle / Random-walk in

♣

★ ❈❧✭❖✮; For 2128 security: choose ❧♦❣ p ✘ 512; Time to evaluate the isogeny actiona: Dozens of minutes!

aDe Feo, Kieffer, and Smith 2018. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 69 / 82

Vélu to the rescue?

Input: An ideal class a ❂ fa1

1 fa2 2 ✁ ✁ ✁ .

Output: The elliptic curve a ✄ E. Algorithm: Let fn ❂ ✭❵❀ ✙ ✕✮n. Why not: Presciently find H ❂ E❬❵❪ ❭ ❦❡r✭✙ ✕✮, Apply Vélu’s formulas to H.

Speeding up the class group action

Problem: H must be in E✭❋p✮ for Vélu’s formulas to be efficient. Ideaa: Force

✭

p ❂ 1 ♠♦❞ ❵❀ ✕ ❂ 1 ♠♦❞ ❵❀ so that E❬❵❪ ❂ H ✚ E✭❋p✮. ✕ ❂ ★ ❂

aDe Feo, Kieffer, and Smith 2018. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 70 / 82

Vélu to the rescue?

Input: An ideal class a ❂ fa1

1 fa2 2 ✁ ✁ ✁ .

Output: The elliptic curve a ✄ E. Algorithm: Let fn ❂ ✭❵❀ ✙ ✕✮n. Why not: Presciently find H ❂ E❬❵❪ ❭ ❦❡r✭✙ ✕✮, Apply Vélu’s formulas to H.

Speeding up the class group action

Problem: H must be in E✭❋p✮ for Vélu’s formulas to be efficient. Ideaa: Force

✭

p ❂ 1 ♠♦❞ ❵❀ ✕ ❂ 1 ♠♦❞ ❵❀ so that E❬❵❪ ❂ H ✚ E✭❋p✮. How to waste an internship: Forcing ✕ ❂ Forcing ★E ❂ Very hard!

aDe Feo, Kieffer, and Smith 2018. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 70 / 82

Vélu to the rescue?

Input: An ideal class a ❂ fa1

1 fa2 2 ✁ ✁ ✁ .

Output: The elliptic curve a ✄ E. Algorithm: Let fn ❂ ✭❵❀ ✙ ✕✮n. Why not: Presciently find H ❂ E❬❵❪ ❭ ❦❡r✭✙ ✕✮, Apply Vélu’s formulas to H.

Speeding up the class group action

Problem: H must be in E✭❋p✮ for Vélu’s formulas to be efficient. Ideaa: Force

✭

p ❂ 1 ♠♦❞ ❵❀ ✕ ❂ 1 ♠♦❞ ❵❀ so that E❬❵❪ ❂ H ✚ E✭❋p✮. How to waste an internship: Forcing ✕ ❂ Forcing ★E ❂ Very hard! Time to evaluate the isogeny action: Still 5 minutes!

aDe Feo, Kieffer, and Smith 2018. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 70 / 82

Supersingular to the rescue!

For all supersingular curves defined over ❋p, ✙ ❂

✥♣p

♣p

✦

♠♦❞ ❵

CSIDH (pron.: Seaside)

Choose p ❂ 1 ♠♦❞ ❵ for many primes ❵; Hence, ✕ ❂ 1 ♠♦❞ ❵. Win! Performance: Same security as CRS in less than 50ms!a

aCastryck, Lange, Martindale, Panny, and Renes 2018. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 71 / 82

Quantum security

Fact: Shor’s algorithm does not apply to Diffie-Hellman protocols from group actions.

Subexponential attack ❡①♣✭♣❧♦❣ p ❧♦❣ ❧♦❣ p✮

Reduction to the hidden shif problem by evaluating the class group action in quantum superspositiona (subexpoential cost); Well known reduction from the hidden shif to the dihedral (non-abelian) hidden subgroup problem; Kuperberg’s algorithmb solves the dHSP with a subexponential number of class group evaluations. Recent workc suggests that 264-qbit security is achieved somewhere in 512 ❁ ❧♦❣ p ❁ 1024.

aChilds, Jao, and Soukharev 2014. bKuperberg 2005; Regev 2004; Kuperberg 2013. cBonnetain and Naya-Plasencia 2018; Bonnetain and Schrottenloher 2018;

Biasse, Jacobson Jr, and Iezzi 2018; Jao, LeGrow, Leonardi, and Ruiz-Lopez 2018; Bernstein, Lange, Martindale, and Panny 2018.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 72 / 82

Key exchange with supersingular curves (2011)

Good news: there is no action of a commutative class group. Bad news: there is no action of a commutative class group. Idea: Let Alice and Bob walk in two different isogeny graphs on the same vertex set.

Figure: 2- and 3-isogeny graphs on ❋972.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 73 / 82

Key exchange with supersingular curves (2011)

Good news: there is no action of a commutative class group. Bad news: there is no action of a commutative class group. Idea: Let Alice and Bob walk in two different isogeny graphs on the same vertex set.

Figure: 2- and 3-isogeny graphs on ❋972.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 73 / 82

Key exchange with supersingular curves (2011)

Good news: there is no action of a commutative class group. Bad news: there is no action of a commutative class group. Idea: Let Alice and Bob walk in two different isogeny graphs on the same vertex set.

Figure: 2- and 3-isogeny graphs on ❋972.

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 73 / 82

Key exchange with supersingular curves (2011)

Fix small primes ❵A, ❵B; No canonical labeling of the ❵A- and ❵B-isogeny graphs; however... Walk of length eA ❂ Isogeny of degree ❵eA

A

❂ Kernel ❤P✐ ✚ E❬❵eA

A ❪

❦❡r ✣ ❂ ❤P✐ ✚ E❬❵eA

A ❪

❦❡r ✥ ❂ ❤Q✐ ✚ E❬❵eB

B ❪

❦❡r ✣✵ ❂ ❤✥✭P✮✐ ❦❡r ✥✵ ❂ ❤✣✭Q✮✐

E E❂❤P✐ E❂❤Q✐ E❂❤P❀ Q✐ ✣ ✣✵ ✥ ✥✵

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 74 / 82

Supersingular Isogeny Diffie-Hellman4

Parameters: Prime p such that p ✰ 1 ❂ ❵a

A❵b B;

Supersingular curve E ✬ ✭❩❂✭p ✰ 1✮❩✮2; E❬❵a

A❪ ❂ ❤PA❀ QA✐;

E❬❵b

B❪ ❂ ❤PB❀ QB✐.

Secret data: RA ❂ mAPA ✰ nAQA, RB ❂ mBPB ✰ nBQB,

E E❂❤RA✐

✣✭ ✮ ✣✭ ✮

E❂❤RB✐

✥✭ ✮ ✥✭ ✮

E❂❤RA✐ ✣✭RB✮ ✬

E❂❤RA❀ RB✐

✬ E❂❤RB✐

✥✭RA✮

✣ ✥ ✥✵ ✣✵

✣✭ ✮ ✥✭ ✮

4Jao and De Feo 2011; De Feo, Jao, and Plût 2014. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 75 / 82

Supersingular Isogeny Diffie-Hellman4

Parameters: Prime p such that p ✰ 1 ❂ ❵a

A❵b B;

Supersingular curve E ✬ ✭❩❂✭p ✰ 1✮❩✮2; E❬❵a

A❪ ❂ ❤PA❀ QA✐;

E❬❵b

B❪ ❂ ❤PB❀ QB✐.

Secret data: RA ❂ mAPA ✰ nAQA, RB ❂ mBPB ✰ nBQB,

E E❂❤RA✐

✣✭PB✮ ✣✭QB✮

E❂❤RB✐

✥✭PA✮ ✥✭QA✮

E❂❤RA✐ ✣✭RB✮ ✬

E❂❤RA❀ RB✐

✬ E❂❤RB✐

✥✭RA✮

✣ ✥ ✥✵ ✣✵

✣✭ ✮ ✥✭ ✮

4Jao and De Feo 2011; De Feo, Jao, and Plût 2014. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 75 / 82

Supersingular Isogeny Diffie-Hellman4

Parameters: Prime p such that p ✰ 1 ❂ ❵a

A❵b B;

Supersingular curve E ✬ ✭❩❂✭p ✰ 1✮❩✮2; E❬❵a

A❪ ❂ ❤PA❀ QA✐;

E❬❵b

B❪ ❂ ❤PB❀ QB✐.

Secret data: RA ❂ mAPA ✰ nAQA, RB ❂ mBPB ✰ nBQB,

E E❂❤RA✐

✣✭PB✮ ✣✭QB✮

E❂❤RB✐

✥✭PA✮ ✥✭QA✮

E❂❤RA✐ ✣✭RB✮ ✬

E❂❤RA❀ RB✐

✬ E❂❤RB✐

✥✭RA✮

✣ ✥ ✥✵ ✣✵

✣✭RB✮ ✥✭RA✮

4Jao and De Feo 2011; De Feo, Jao, and Plût 2014. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 75 / 82

From 10 minutes to 10ms in 20 years

1996 Couveignes’ key exchange

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 76 / 82

From 10 minutes to 10ms in 20 years

1996 Couveignes’ key exchange 2006 Rostovstev & Stolbunov (> 5 min)

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 76 / 82

From 10 minutes to 10ms in 20 years

1996 Couveignes’ key exchange 2006 Rostovstev & Stolbunov (> 5 min) 2011 SIDH (500ms) (Jao and D.)

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 76 / 82

From 10 minutes to 10ms in 20 years

1996 Couveignes’ key exchange 2006 Rostovstev & Stolbunov (> 5 min) 2011 SIDH (500ms) (Jao and D.) 2012 SIDH (50ms) (D., Jao, Plût)

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 76 / 82

From 10 minutes to 10ms in 20 years

1996 Couveignes’ key exchange 2006 Rostovstev & Stolbunov (> 5 min) 2011 SIDH (500ms) (Jao and D.) 2012 SIDH (50ms) (D., Jao, Plût) 2016 SIDH (30ms) (Costello, Longa, Naherig)

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 76 / 82

From 10 minutes to 10ms in 20 years

1996 Couveignes’ key exchange 2006 Rostovstev & Stolbunov (> 5 min) 2011 SIDH (500ms) (Jao and D.) 2012 SIDH (50ms) (D., Jao, Plût) 2016 SIDH (30ms) (Costello, Longa, Naherig) 2017 SIKE (10ms) (NIST candidate)

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 76 / 82

From 10 minutes to 10ms in 20 years

1996 Couveignes’ key exchange 2006 Rostovstev & Stolbunov (> 5 min) 2011 SIDH (500ms) (Jao and D.) 2012 SIDH (50ms) (D., Jao, Plût) 2016 SIDH (30ms) (Costello, Longa, Naherig) 2017 SIKE (10ms) (NIST candidate) 2018 CSIDH (50ms)

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 76 / 82

From 10 minutes to 10ms in 20 years

1996 Couveignes’ key exchange 2006 Rostovstev & Stolbunov (> 5 min) 2011 SIDH (500ms) (Jao and D.) 2012 SIDH (50ms) (D., Jao, Plût) 2016 SIDH (30ms) (Costello, Longa, Naherig) 2017 SIKE (10ms) (NIST candidate) 2018 CSIDH (50ms) 2019 CSIDH (35ms) (Meyer, Reith)

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 76 / 82

Generic attacks

Problem: Given E❀ E ✵, isogenous of degree ❵n, find ✣ ✿ E ✦ E ✵.

E E❂❤P0✐ Ei❂❤Pi✐ E❂❤P❵n❂2✐ . . . . . . E ✵

❵n❂2 ❵n❂2 With high probability ✣ is the unique collision (or claw) O✭❵n❂2✮. A quantum claw finding5 algorithm solves the problem in O✭❵n❂3✮.

5Tani 2009. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 77 / 82

Security

The SIDH problem

Given E, Alice’s public data E❂❤RA✐❀ ✣✭PB✮❀ ✣✭QB✮, and Bob’s public data E❂❤RB✐❀ ✥✭PA✮❀ ✥✭QA✮, find the shared secret E❂❤RA❀ RB✐. Under the SIDH assumption: The SIDH key exchange protocol is session-key secure. The derived El Gamal-type PKE is CPA secure.

Reductions

SIDH ✦ Isogeny Walk Problem; SIDH ✦ Computing the endomorphism rings of E and E❂❤RA✐.a

aKohel, K. Lauter, Petit, and Tignol 2014; Galbraith, Petit, Shani, and Ti 2016. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 78 / 82

Chosen ciphertext attack6

For simplicity, assume Alice’s prime is ❵ ❂ 2.

Evil Bob

Alice has a long-term secret R ❂ mP ✰ nQ ✷ E❬2e❪; Bob produces an ephemeral secret ✥; Bob sends to Alice ✥✭P✮❀ ✥✭Q ✰ 2e1P✮; Alice computes the shared secret correctly iff R ❂ mP ✰ nQ ❂ mP ✰ nQ ✰ n2e1P❀ i.e., iff n is even; Bob learns one bit of the secret key by checking that Alice gets the right shared secret. Bob repeats the queries in a similar fashion, learning one bit per query. Detecting Bob’s faulty key seems to be as hard as breaking SIDH.

6Galbraith, Petit, Shani, and Ti 2016. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 79 / 82

CSIDH vs SIDH

CSIDH SIDH Speed (NIST 1) ✘ 70ms ✘ 7ms Public key size (NIST 1) 64B 346B Key compression ✣ speed ✘ 13ms ✣ size 209B Constant time impl. 2✂slower

• k

Submitted to NIST no yes Best classical attack p1❂4 p1❂4 (p3❂8) Best quantum attack ⑦ ❖

✏

3 ♣

❧♦❣3 p✑

p1❂6 (p3❂8) Key size scales quadratically linearly Security assumption isogeny walk problem ad hoc CPA security yes yes CCA security yes Fujisaki-Okamoto Non-interactive key ex. yes no Signatures short but slooow! big and slow

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 80 / 82

SIKE: Supersingular Isogeny Key Encapsulation

Submission to the NIST PQ competition: SIKE.PKE: El Gamal-type system with IND-CPA security proof, SIKE.KEM: generically transformed system with IND-CCA security proof. NIST security levels 1, 2, 3 and 5. Smallest communication complexity among all proposals in each level. Slowest among all benchmarked proposals in each level. A team of 15 submitters, from 8 universities and companies. Head to https://sike.org. p

• cl. security

NIST cat. speed comm. SIKEp434 22163137 1 128 bits 1 7ms 346 B SIKEp503 22503159 1 152 bits 2 10ms 402 B SIKEp610 23053192 1 189 bits 3 19ms 486 B SIKEp751 23723239 1 256 bits 5 29ms 596 B

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 81 / 82

Thank you

http://defeo.lu/ @luca_defeo

Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 82 / 82