Isogeny graphs with real multiplication Sorina Ionica Ecole Normale - - PowerPoint PPT Presentation

▶

Dec 20, 2023 32 likes •307 views

Isogeny graphs with real multiplication Sorina Ionica Ecole Normale Suprieure de Paris joint work with Emmanuel Thom Sorina Ionica 1 / 24 Isogeny graphs Kohel 1996: Graph with vertices elliptic curves defined over F q and edges all

SLIDE 1

Isogeny graphs with real multiplication

Sorina Ionica

Ecole Normale Supérieure de Paris

joint work with Emmanuel Thomé

Sorina Ionica 1 / 24

SLIDE 2

Isogeny graphs

Kohel 1996: Graph with vertices elliptic curves defined over Fq and edges all rational isogenies of degree ℓ between curves. Compute endomorphism rings locally at ℓ by depth first search. Other applications: class polynomial computations, solving the discrete logarithm problem, hash functions, public key cryptosystems.

Sorina Ionica 2 / 24

SLIDE 3

The endomorphism ring of an ordinary elliptic curve

An order O is a subring and Z-submodule of the ring of integers OK of a quadratic imaginary field K. Denote by f = [OK : O] the conductor. Then O = [1, fωK]. OK ← ωK | f End(E) ← fωK | g

f

Z[π] ← gωK with g2dK = t2 − 4q Computing the endomorphism ring of an ordinary curve E/Fq means locating it in the diagram.

Sorina Ionica 3 / 24

SLIDE 4

Isogenies and endomorphism rings

The ℓ-isogeny graph has vertices Ellt(Fq) and edges ℓ-isogenies defined over Fq. Let φ : E1 → E2 be an isogeny of degree ℓ. OK OK OK End(E1) End(E2) End(E1) = End(E2) ℓ ℓ End(E2) End(E1) Z[π] Z[π] Z[π] descending ascending horizontal

Sorina Ionica 4 / 24

SLIDE 5

Isogenies and ℓ-volcanoes

Let h be the ℓ-adic valuation of the conductor g of Z[π]. Kohel’s theorem Connected components of Ellt(Fq) are ℓ-volcanoes

f height h.

Number of horizontal isogenies starting from given vertex depends

n the splitting of ℓ in OK.

Sorina Ionica 5 / 24

SLIDE 6

Isogenies and ℓ-volcanoes

Let h be the ℓ-adic valuation of the conductor g of Z[π]. Kohel’s theorem Connected components of Ellt(Fq) are ℓ-volcanoes

f height h (assuming j = 0, 1728).

ωK ℓωK ℓh−1ωK ℓhωK Curves on a fixed level have the same endomorphism ring.

Sorina Ionica 6 / 24

SLIDE 7

Depth first search

Find a way to the floor. The number of steps in a short path gives the ℓ-adic valuation of the conductor.

Sorina Ionica 7 / 24

SLIDE 8

The endomorphism ring of an ordinary jacobian

Let K be a primitive quartic CM field and assume that K = Q(γ) with γ = i

a + b −1+

√ d 2

for d ≡ 1 mod 1 γ = i

a + b

√ d for d ≡ 2, 3 mod 4 Assume real multiplication OK0 has class number 1. Let J be a jacobian of a genus 2 curve defined over Fq. J is simple, ordinary, i.e. End(J) is an order of K. Z[π, ¯ π] ⊂ End(J) ⊂ OK

Sorina Ionica 8 / 24

SLIDE 9

The (ℓ, ℓ)-isogeny graph

Cosset-Robert 2011: algebraic equations for (ℓ, ℓ)-isogenies.

3 3 3 3 Sorina Ionica 9 / 24

SLIDE 10

Real multiplication sub-graphs

C2/Λ1 ⊕ Λ2τ → C2/Λ1 µ ⊕ Λ2τ, C2/Λ1 ⊕ Λ2τ → C2/Λ1 ⊕ Λ2 µ (τ + (ρ, ρ)) with Λ1 and Λ2 are lattices in K0, ρ ∈ OK0, τ ∈ H2

1. ℓOK0 OK0

These isogenies preserve real multiplication OK0 and one may descend polarization down to principal on the target variety. If µ generates is a degree 1 ideal in OK0, we get ℓ-isogenies! Thanks to John Boxall.

Sorina Ionica 10 / 24

SLIDE 11

First attempts

Take ℓ such that ℓOK0 = l1l2. It turns out all isogenies preserving RM are of this type. Pretty disappointing. To be or not to be bugged...? :(

Sorina Ionica 11 / 24

SLIDE 12

A graph!

[A, B] = [81, 1181], p = 85201, ℓ = 3

Sorina Ionica 12 / 24

SLIDE 13

OK0-orders

OK = OK0 ⊕ OK0η An order which is a OK0-module is of the form O = OK0 ⊕ OK0(αη). The conductor is αOK, for α ∈ OK0. fO = {x ∈ OK|xOK ⊆ O} = {x ∈ OK|xη ∈ O} = fη,O.

Sorina Ionica 13 / 24

SLIDE 14

The lattice of OK0-orders

Computing the endomorphism ring locally means getting f = . . . lα1

1 lα2 2 . . ..

OK µ2 µ1 µ1 µ2 µ1 µ2 Z[π, ¯ π]

Sorina Ionica 14 / 24

SLIDE 15

Rational l-isogenies

Let π ∈ O. We define vl,O(θ) := maxa∈OK0{m|θ + a ∈ lmO} Let π be the Frobenius and write π = a1 + a2 √ d + (a3 + a4 √ d)(αη). Hence vl(fη,End J) = vl,OK (π) − vl,End(J)(π). All l-isogenies are rational iff vl,End(J)(π) > 0.

Sorina Ionica 15 / 24

SLIDE 16

Classification of isogenies

No ℓ-isogeny between jacobians with distinct endomorphism rings lying on the same level in the lattice. Two types of isogenies: ascending/descending and horizontal

OK µ2 µ1 µ1 µ2 µ1 µ2 Z[π, ¯ π]

Sorina Ionica 16 / 24

SLIDE 17

Real multiplication isogeny graph

[A, B] = [81, 1181], p = 211, ℓ = 3

Sorina Ionica 17 / 24

SLIDE 18

Graph structure

Let l be an ideal of norm ℓ in OK0. Assume that lOK is prime with fO.

If l is split in OK, there are exactly two horizontal ℓ-isogenies of kernel in J[l] . If l is ramified in OK, there is exactly one horizontal ℓ-isogeny in J[l]. If l is inert in K, then there are no horizontal isogenies with kernel in J[l].

If l is not coprime to fO, then there is one ascending ℓ-isogeny with kernel in J[l].

Sorina Ionica 18 / 24

SLIDE 19

Real multiplication isogeny graph

[A, B] = [81, 1181], p = 211, ℓ = 3

l1 (yellow) is split into OK l2 (violet) is inert into OK

Sorina Ionica 19 / 24

SLIDE 20

The Tate pairing

J(Fq)/mJ(Fq) × J[m](Fq) → µm (P, Q) → (fm,P(Q + R)/fm,P(R))

q−1 m

with fm,P s.t. div(fm,P) ∼ m(P). efficiently computable with Miller’s algorithm in O(log m)

perations in Fq.

Sorina Ionica 20 / 24

SLIDE 21

Pairings on kernels

Assume that J[ln] ⊆ J(Fq) and J[ln+1] J(Fq). kl,J := maxP∈J[ln]{k|Tℓn(P, P) ∈ µℓk\µℓk−1} Let J be a jacobian whose endomorphism ring is locally maximal at ℓ. Assume that n is the largest integer s.t. J[ln] ⊆ J(Fq). The Tate pairing is non-degenerate on G × G if Tℓn : G × G → µℓkl,J is surjective. We say it is degenerate otherwise.

Sorina Ionica 21 / 24

SLIDE 22

Theorem Let I be l-isogeny of kernel G. Take ¯ G ⊂ J[ln] such that ℓn−1 ¯ G = G. I is descending iff the Tate pairing is non-degenerate on ¯ G. I is horizontal or ascending iff the Tate pairing is degenerate on ¯ G.

Sorina Ionica 22 / 24

SLIDE 23

Walking in the graph

Theorem A (ℓ, ℓ)-isogeny preserving real multiplication is the composition

f a l1-isogeny with a l2-isogeny.

OK

µ1 µ2 µ2 µ1

Z[π, ¯ π]

Sorina Ionica 23 / 24

SLIDE 24

Algorithm

Idea of the algorithm. Given J such that [OK0 : Z[π + ¯ π]] = 1. We want to compute End(J). The algorithm computes vli(π), i = 1, 2.

Counteri ← 0, i := 1, 2

Construct a chain (ℓ, ℓ)-isogenies until the floor is reached.

Each time a step I is taken in the graph Counteri ← Counteri + 1, i = 1, 2.

Return Counteri, i = 1, 2.

Sorina Ionica 24 / 24

SLIDE 25

Computing degenerate pairings

Let P and Q be s.t. J[ln] = P, Q. Using bilinearity of the ℓn-Tate pairing, we get

Tℓn(aP+bQ, aP+bQ) = Tℓn(P, P)a2(Tℓn(P, Q)Tℓn(Q, P))abTℓn(Q, Q)b2 P(a, b) = a2 log(Tℓn(P, P)) + 2ab log(Tℓn(P, Q)Tℓn(Q, P)) +b2 log(Tℓn(Q, Q)) identically zero modulo ℓn−kl,J−1 and nonzero modulo ℓn−kl,J. Degenerate self-pairings ↔ roots of P.

Sorina Ionica 25 / 24

SLIDE 26

Computing endomorphism rings

Eisenträger and Lauter’s algorithm (2005), Freeman-Lauter (2008) Idea: If α : J → J is an endomorphism, then α

n is an

endomorphism iff J[n] ⊂ Ker α. Check if an order O is contained in End(J): Write down a basis for the order O: γi = αi

ni , with αi ∈ Z[π].

Check if γi ∈ End(J) by checking if αi is zero on J[ni]. Since ni|[OK : Z[π, ¯ π]] we end up working over large extension fields!

Sorina Ionica 26 / 24

SLIDE 27

Complexity analysis

Denote by Fqr the smallest extension field such that J[ℓ] ⊂ J[Fqr ]. Let n ≥ 1 be the largest integer such that J[ℓn] ⊂ J(Fq) and u = vℓ([OK : Z[π, ¯ π]]). Let M(r) is the cost of a multiplication in Fqr . Eisenträger-Lauter This work O((rℓu−n + ℓ2u)M(rℓu−n) log q) O(M(r)(r log q + ℓ2n + n log ℓ)) (worst case)

Sorina Ionica 27 / 24