Isogeny graphs in dimension 2 2014/12/17 Cryptographic seminar Caen - PowerPoint PPT Presentation

Isogeny graphs in dimension 2 2014/12/17 — Cryptographic seminar — Caen Gaëtan Bisson, Romain Cosset, Alina Dudeanu, Sorina Ionica, Dimitar Jetchev, David Lubicz, Chloë Martindale, Damien Robert

Isogenies on elliptic curves Abelian varieties and polarisations Maximal isotropic isogenies Cyclic isogenies Isogeny graphs in dimension 2 Outline 1 Isogenies on elliptic curves 2 Abelian varieties and polarisations 3 Maximal isotropic isogenies 4 Cyclic isogenies 5 Isogeny graphs in dimension 2

Isogenies on elliptic curves 1 w 2 1 Abelian varieties and polarisations 1 elliptic curve 2 k . Complex elliptic curve Isogeny graphs in dimension 2 Cyclic isogenies Maximal isotropic isogenies Over � : an elliptic curve is a torus E = � / Λ , where Λ is a lattice Λ = � + τ � ( τ ∊ H 1 ). � � � Let ℘ ( z , Λ ) = ( z − w ) 2 − be the Weierstrass ℘ -function and w ∊ Λ \{ 0 E } � E 2 k ( Λ ) = λ k w ∊ Λ \{ 0 E } w 2 k be the (normalised) Eisenstein series of weight Then � / Λ → E , z �→ ( ℘ ′ ( z , Λ ) , ℘ ( z , Λ )) is an analytic isomorphism to the y 2 = 4 x 3 − 60 E 4 ( Λ ) − 140 E 6 ( Λ ) .

Isogenies on elliptic curves Abelian varieties and polarisations Isogenies are surjective (on the geometric points). In particular, if E is Remark or the composition of a translation with an isogeny. trivial (i.e. constant) An algebraic map between two elliptic curves is either Corollary Theorem Definition Isogenies between elliptic curves Isogeny graphs in dimension 2 Cyclic isogenies Maximal isotropic isogenies ordinary, any curve isogenous to E is also ordinary. An isogeny is a (non trivial) algebraic map f : E 1 → E 2 between two elliptic curves such that f ( P + Q ) = f ( P )+ f ( Q ) for all geometric points P , Q ∊ E 1 . An algebraic map f : E 1 → E 2 is an isogeny if and only if f ( 0 E 1 ) = f ( 0 E 2 )

Isogenies on elliptic curves Abelian varieties and polarisations Maximal isotropic isogenies Cyclic isogenies Isogeny graphs in dimension 2 Destructive cryptographic applications class (and an efficient way to compute an isogeny to it). Example extend attacks using Weil descent [GHS02] Transfert the DLP from the Jacobian of an hyperelliptic curve of genus 3 to the Jacobian of a quartic curve [Smi09]. An isogeny f : E 1 → E 2 transports the DLP problem from E 1 to E 2 . This can be used to attack the DLP on E 1 if there is a weak curve on its isogeny

Isogenies on elliptic curves Abelian varieties and polarisations Maximal isotropic isogenies Cyclic isogenies Isogeny graphs in dimension 2 Constructive cryptographic applications But by computing isogenies, one can work over a cyclic subgroup of Example The SEA point counting algorithm [Sch95; Mor95; Elk97]; The CRT algorithms to compute class polynomials [Sut11; ES10]; The CRT algorithms to compute modular polynomials [BLS12]. One can recover informations on the elliptic curve E modulo ℓ by working over the ℓ -torsion. cardinal ℓ instead. Since thus a subgroup is of degree ℓ , whereas the full ℓ -torsion is of degree ℓ 2 , we can work faster over it.

Isogenies on elliptic curves Abelian varieties and polarisations Construct a normal basis of a finite field [CL09]; Take isogenies to reduce the impact of side channel attacks [Sma03]; isogeny graph [RS06]; isogeny (the trapdoor) [Tes06], or by encoding informations in the Construct public key cryptosystems by hiding vulnerable curves by an construct secure hash functions [CLG09]; The isogeny graph of a supersingular elliptic curve can be used to [DIK06; Gau07]; Splitting the multiplication using isogenies can improve the arithmetic Further applications of isogenies Isogeny graphs in dimension 2 Cyclic isogenies Maximal isotropic isogenies invariant by automorphisms [CL08]. Improve the discrete logarithm in � ∗ q by finding a smoothness basis

Isogenies on elliptic curves (using the equation of the curve E 1 ). it prime to g ). This shows that f is of the form k . Abelian varieties and polarisations on x . Cyclic isogenies Computing explicit isogenies Maximal isotropic isogenies Isogeny graphs in dimension 2 If E 1 and E 2 are two elliptic curves given by Weierstrass equations, a morphism of curve f : E 1 → E 2 is of the form f ( x , y ) = ( R 1 ( x , y ) , R 2 ( x , y )) where R 1 and R 2 are rational functions, whose degree in y is less than 2 If f is an isogeny, f ( − P ) = − f ( P ) . If char k > 3 so we can assume that E 1 and E 2 are given by reduced Weierstrass forms, this mean that R 1 depends only on x , and R 2 is y time a rational function depending only Let w E = dx / 2 y be the canonical differential. Then f ∗ w E ′ = cw E , with c in � g ( x ) � g ( x ) � ′ � f ( x , y ) = h ( x ) , cy . h ( x ) h ( x ) gives (the x coordinates of the points in) the kernel of f (if we take If c = 1, we say that f is normalized.

Isogenies on elliptic curves Vélu’s formula Moreover by looking at the expression of X and Y in the formal group of Abelian varieties and polarisations The choices are made so that the formulas give a normalized isogeny. Isogeny graphs in dimension 2 Cyclic isogenies Maximal isotropic isogenies Let E / k be an elliptic curve. Let G = 〈 P 〉 be a rational finite subgroup of E . Vélu constructs the isogeny E → E / G as � X ( P ) = x ( P )+ ( x ( P + Q ) − x ( Q )) Q ∊ G \{ 0 E } � ( y ( P + Q ) − y ( Q )) . Y ( P ) = y ( P )+ Q ∊ G \{ 0 E } E , Vélu recovers the equations for E / G . For instance if E : y 2 = x 3 + ax + b = f E ( x ) then E / G is y 2 = x 3 +( a − 5 t ) x + b − 7 w � � � f ′ x ( Q ) f ′ where t = E ( Q ) , u = 2 f E ( Q ) and w = E ( Q ) . Q ∊ G \{ 0 E } Q ∊ G \{ 0 E } Q ∊ G \{ 0 E }

Isogenies on elliptic curves express everything in term of h . root. the points in the kernel). , with Abelian varieties and polarisations we have in k . Thus summing over the points in the kernel G can be expensive. Isogeny graphs in dimension 2 Even if G is rational, the points in G may live to an extension of degree Maximal isotropic isogenies Cyclic isogenies Complexity of Vélu’s formula up to # G − 1. � Let h ( x ) = Q ∊ G \{ 0 E } ( x − x ( Q )) . The symmetry of X and Y allows us to For instance is E is given by a reduced Weierstrass equation y 2 = f E ( x ) , � g ( x ) � g ( x ) � ′ � f ( x , y ) = h ( x ) , y h ( x ) � h ′ ( x ) � ′ E ( x ) h ′ ( x ) g ( x ) h ( x ) = # G . x − σ − f ′ h ( x ) − 2 f E ( x ) , h ( x ) where σ is the first power sum of h (i.e. the sum of the x -coordinates of When # G is odd, h ( x ) is a square, so we can replace it by its square The complexity of computing the isogeny is then O ( M (# G )) operations

Isogenies on elliptic curves Abelian varieties and polarisations Maximal isotropic isogenies Cyclic isogenies Isogeny graphs in dimension 2 Modular polynomials Definition (Modular polynomial) Here k = k . The modular polynomial ϕ ℓ ( x , y ) ∊ � [ x , y ] is a bivariate polynomial such that ϕ ℓ ( x , y ) = 0 ⇔ x = j ( E 1 ) and y = j ( E 2 ) with E 1 and E 2 ℓ -isogeneous. Roots of ϕ ℓ ( j ( E 1 ) ,. ) ⇔ elliptic curves ℓ -isogeneous to E 1 . There are ℓ + 1 = # � 1 ( � ℓ ) such roots if ℓ is prime. ϕ ℓ is symmetric. The height of ϕ ℓ grows as O ( ℓ ) .

Isogenies on elliptic curves we recover the differential logarithms. Remark a b j 2 J 3 864 Abelian varieties and polarisations 48 given by the Weierstrass equation J 2 Cyclic isogenies Isogeny graphs in dimension 2 normalized isogenies. We first need to normalize E 2 . The explicit forms of isogenies are given by Vélu’s formula, which give Finding an isogeny between two isogenous elliptic curves Maximal isotropic isogenies Let E 1 and E 2 be ℓ -isogenous abelian varieties (we can check that ϕ ℓ ( j E 1 , j E 2 ) = 0). We want to compute the isogeny f : E 1 → E 2 . Over � , the equation of the normalized curve E 2 is given by the Eisenstein series E 4 ( ℓτ ) and E 6 ( ℓτ ) . We have j ′ ( ℓτ ) / j ( ℓτ ) = − E 6 ( ℓτ ) / E 4 ( ℓτ ) . By differencing the modular polynomial, We obtain that from E 1 : y 2 = x 3 + ax + b , a normalized model of E 2 is y 2 = x 3 + Ax + B ϕ ′ ( X ) ( j E 1 , j E 2 ) where A = − 1 j E 2 ( j E 2 − 1728 ) , B = − 1 E 2 ( j E 2 − 1728 ) and J = − 18 ℓ ℓ ϕ ′ ( Y ) ( j E 1 , j E 2 ) j E 1 . ℓ E 2 ( τ ) is the differential logarithm of the discriminant. Similar methods � allow to recover E 2 ( ℓτ ) , and from it σ = P ∊ K \{ 0 E } x ( K ) .

Isogenies on elliptic curves Abelian varieties and polarisations Maximal isotropic isogenies Cyclic isogenies Isogeny graphs in dimension 2 Finding the isogeny between the normalized models (Elkie’s method) equation We need to find the rational function I ( x ) = g ( x ) / h ( x ) giving the isogeny f : ( x , y ) �→ ( I ( x ) , yI ′ ( x )) between E 1 and E 2 . Plugging f into the equation of E 2 shows that I satisfy the differential ( x 3 + ax + b ) I ′ ( x ) 2 = I ( x ) 3 + AI ( x )+ B . Using an asymptotically fast algorithm to solve this equation yields I ( x ) in time quasi-linear ( � O ( ℓ ) ). Knowing σ gains a logarithmic factor.

Isogenies on elliptic curves Abelian varieties and polarisations Maximal isotropic isogenies Cyclic isogenies Isogeny graphs in dimension 2 A 3-isogeny graph in dimension 1