ORIENTING SUPERSINGULAR ISOGENY GRAPHS

LEONARDO COLÒ & DAVID KOHEL
Institut de Mathématiques de Marseille

Number-Theoretic Methods in Cryptology 2019
Sorbonne Université, Institut de Mathématiques de Jussieu
Paris, 26 June 2019

Leonardo COLÒ (I2M-AMU) OSIDH NuTMiC - 26 June 2019
ISOGENY GRAPHS

Definition. Given an elliptic curve $E$ over $k$, and a finite set of primes $S$, we can associate an isogeny graph $\Gamma = (E, S)$
▶ whose vertices are elliptic curves isogenous to $E$ over $\bar{k}$, and
▶ whose edges are isogenies of degree $\ell \in S$.
The vertices are defined up to $\bar{k}$-isomorphism (therefore represented by $j$-invariants), and the edges from a given vertex are defined up to a $\bar{k}$-isomorphism of the codomain. If $S = \{\ell\}$, then we call $\Gamma$ an $\ell$-isogeny graph.

For an elliptic curve $E/k$ and a prime $\ell \neq \operatorname{char}(k)$, the full $\ell$-torsion subgroup $E[\ell]$ is a $2$-dimensional $\mathbb{F}_\ell$-vector space. Consequently, the set of cyclic subgroups of $E[\ell]$ is in bijection with $\mathbb{P}^1(\mathbb{F}_\ell)$, which in turn is in bijection with the set of $\ell$-isogenies from $E$. Thus the $\ell$-isogeny graph of $E$ is $(\ell + 1)$-regular (as a directed multigraph). In characteristic $0$, if $\operatorname{End}(E) = \mathbb{Z}$, then this graph is a tree.
ORDINARY ISOGENY GRAPHS: VOLCANOES

Let $\operatorname{End}(E) = \mathcal{O} \subseteq K$. The class group $\mathrm{Cl}(\mathcal{O})$ (a finite abelian group) acts faithfully and transitively on the set of elliptic curves with endomorphism ring $\mathcal{O}$:
$$E \longmapsto E/E[\mathfrak{a}], \qquad E[\mathfrak{a}] = \{P \in E \mid \alpha(P) = 0 \ \forall \alpha \in \mathfrak{a}\}.$$
Thus, the CM isogeny graphs can be modelled by an equivalent category of fractional ideals of $K$.

[Figure: $\ell$-isogeny volcano, with levels labelled by $\operatorname{End}(E)$ from $\mathcal{O}_K$ to $\mathbb{Z}[\pi]$.]
SUPERSINGULAR ISOGENY GRAPHS

The supersingular isogeny graphs are remarkable because the vertex sets are finite: there are $[p/12] + \varepsilon_p$ curves. Moreover
▶ every supersingular elliptic curve can be defined over $\mathbb{F}_{p^2}$;
▶ all $\ell$-isogenies are defined over $\mathbb{F}_{p^2}$;
▶ every endomorphism of $E$ is defined over $\mathbb{F}_{p^2}$.

The lack of a commutative group acting on the set of supersingular elliptic curves $/\mathbb{F}_{p^2}$ makes the isogeny graph more complicated. For this reason, supersingular isogeny graphs have been proposed for
▶ cryptographic hash functions (Goren–Lauter),
▶ the post-quantum SIDH key exchange protocol.
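The finiteness claim above can be checked by brute force for small primes. The following Python script is an added example, not code from the slides or their authors: it builds $\mathbb{F}_{p^2}$ from scratch, constructs a short Weierstrass curve for every $j \in \mathbb{F}_{p^2}$, counts its points, and applies the criterion that $E$ is supersingular exactly when the Frobenius trace is divisible by $p$, i.e. when $\#E(\mathbb{F}_{p^2}) \equiv 1 \pmod p$. The names (`Fp2`, `curve_from_j`, `supersingular_j_invariants`) and the restriction to $p \ge 5$ are assumptions of this example.

```python
# Added example (not from the Colò–Kohel slides): brute-force check of the
# slide's count of supersingular curves, floor(p/12) + eps_p, for small p >= 5.
# Arithmetic in F_{p^2} = F_p[t]/(t^2 - r) with r a quadratic non-residue,
# point counting over F_{p^2} via the quadratic character, and the criterion
# "E is supersingular iff #E(F_{p^2}) ≡ 1 (mod p)" (Frobenius trace ≡ 0 mod p).

def eps_p(p):
    """eps_p from the slide's formula, depending on p mod 12 (p >= 5 prime)."""
    return {1: 0, 5: 1, 7: 1, 11: 2}[p % 12]

def expected_count(p):
    """Number of supersingular j-invariants in characteristic p."""
    return p // 12 + eps_p(p)

def nonresidue(p):
    """Smallest quadratic non-residue modulo the odd prime p."""
    for r in range(2, p):
        if pow(r, (p - 1) // 2, p) == p - 1:
            return r
    raise ValueError("no quadratic non-residue found; p must be an odd prime")

class Fp2:
    """Elements of F_{p^2} as pairs (a, b) meaning a + b*t with t^2 = r."""
    def __init__(self, p):
        self.p, self.r, self.q = p, nonresidue(p), p * p
    def add(self, x, y):
        return ((x[0] + y[0]) % self.p, (x[1] + y[1]) % self.p)
    def neg(self, x):
        return ((-x[0]) % self.p, (-x[1]) % self.p)
    def mul(self, x, y):
        (a, b), (c, d) = x, y
        return ((a * c + self.r * b * d) % self.p, (a * d + b * c) % self.p)
    def pow(self, x, e):
        result = (1, 0)
        while e:
            if e & 1:
                result = self.mul(result, x)
            x, e = self.mul(x, x), e >> 1
        return result
    def inv(self, x):
        return self.pow(x, self.q - 2)          # Fermat: x^(q-2) = x^(-1)
    def elements(self):
        return [(a, b) for a in range(self.p) for b in range(self.p)]
    def chi(self, x):
        """Quadratic character: 0 for 0, +1 for a nonzero square, -1 otherwise."""
        if x == (0, 0):
            return 0
        return 1 if self.pow(x, (self.q - 1) // 2) == (1, 0) else -1

def curve_from_j(F, j):
    """Coefficients (a, b) of y^2 = x^3 + ax + b with j-invariant j (p >= 5)."""
    zero, one = (0, 0), (1, 0)
    j1728 = (1728 % F.p, 0)
    if j == zero:
        return zero, one                        # y^2 = x^3 + 1
    if j == j1728:
        return one, zero                        # y^2 = x^3 + x
    k = F.mul(j, F.inv(F.add(j1728, F.neg(j))))  # k = j / (1728 - j)
    return F.mul((3, 0), k), F.mul((2, 0), k)    # a = 3k, b = 2k gives j(E) = j

def point_count(F, a, b):
    """#E(F_{p^2}) for y^2 = x^3 + ax + b: 1 + chi(x^3 + ax + b) points per x."""
    n = 1                                        # the point at infinity
    for x in F.elements():
        rhs = F.add(F.add(F.mul(F.mul(x, x), x), F.mul(a, x)), b)
        n += 1 + F.chi(rhs)
    return n

def is_supersingular(F, j):
    a, b = curve_from_j(F, j)
    # Over F_q with q = p^2: #E = q + 1 - t, and E is supersingular iff p | t,
    # i.e. iff #E ≡ q + 1 ≡ 1 (mod p). Supersingularity depends only on j.
    return point_count(F, a, b) % F.p == 1

def supersingular_j_invariants(p):
    """All j in F_{p^2} (as pairs (a, b) = a + b*t) whose curve is supersingular."""
    F = Fp2(p)
    return [j for j in F.elements() if is_supersingular(F, j)]

if __name__ == "__main__":
    for p in (5, 7, 11, 13, 17):
        js = supersingular_j_invariants(p)
        print(f"p={p}: found {len(js)}, formula gives {expected_count(p)}, j = {js}")
```

The cost is $O(p^4)$ field operations, so this is a sanity check for tiny $p$ only; for $p = 13$ it recovers the single supersingular invariant $j = 5 \in \mathbb{F}_{13}$, and for $p = 11$ the two invariants $j = 0$ and $j = 1728 \equiv 1$.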
MOTIVATING OSIDH

A new key exchange protocol, CSIDH, analogous to SIDH, uses only $\mathbb{F}_p$-rational elliptic curves (up to $\mathbb{F}_p$-isomorphism), and $\mathbb{F}_p$-rational isogenies. The constraint to $\mathbb{F}_p$-rational isogenies can be interpreted as an orientation of the supersingular graph by the subring $\mathbb{Z}[\pi]$ of $\operatorname{End}(E)$ generated by the Frobenius endomorphism $\pi$. We introduce a general notion of orienting supersingular elliptic curves.

Motivation
▶ Generalize CSIDH.
▶ Key space of SIDH: in order to have the two key spaces of similar size, we need to take $\ell_A^{e_A} \approx \ell_B^{e_B} \approx \sqrt{p}$. This implies that the space of choices $\approx \ell_A^{e_A}$ for the secret key is limited to a fraction of the whole set of supersingular $j$-invariants over $\mathbb{F}_{p^2}$.
▶ A feature shared by SIDH and CSIDH is that the isogenies are constructed as quotients of rational torsion subgroups. The need for rational points limits the choice of the prime $p$.
ORIENTATIONS

Let $\mathcal{O}$ be an order in an imaginary quadratic field $K$. An $\mathcal{O}$-orientation on a supersingular elliptic curve $E$ is an inclusion $\iota : \mathcal{O} \hookrightarrow \operatorname{End}(E)$, and a $K$-orientation is an inclusion $\iota : K \hookrightarrow \operatorname{End}^0(E) = \operatorname{End}(E) \otimes_{\mathbb{Z}} \mathbb{Q}$. An $\mathcal{O}$-orientation is primitive if $\mathcal{O} \simeq \operatorname{End}(E) \cap \iota(K)$.

Theorem. The category of $K$-oriented supersingular elliptic curves $(E, \iota)$, whose morphisms are isogenies commuting with the $K$-orientations, is equivalent to the category of elliptic curves with CM by $K$.

Let $\varphi : E \to F$ be an isogeny of degree $\ell$. A $K$-orientation $\iota : K \hookrightarrow \operatorname{End}^0(E)$ determines a $K$-orientation $\varphi_*(\iota) : K \hookrightarrow \operatorname{End}^0(F)$ on $F$, defined by
$$\varphi_*(\iota)(\alpha) = \frac{1}{\ell}\, \varphi \circ \iota(\alpha) \circ \hat{\varphi}.$$
CLASS GROUP ACTION

▶ $\mathrm{SS}(p) = \{$ supersingular elliptic curves over $\mathbb{F}_p$ up to isomorphism $\}$.
▶ $\mathrm{SS}_{\mathcal{O}}(p) = \{$ $\mathcal{O}$-oriented s.s. elliptic curves over $\mathbb{F}_p$ up to $K$-isomorphism $\}$.
▶ $\mathrm{SS}^{pr}_{\mathcal{O}}(p) =$ subset of primitive $\mathcal{O}$-oriented curves.

The set $\mathrm{SS}_{\mathcal{O}}(p)$ admits a transitive group action:
$$\mathrm{Cl}(\mathcal{O}) \times \mathrm{SS}_{\mathcal{O}}(p) \longrightarrow \mathrm{SS}_{\mathcal{O}}(p), \qquad ([\mathfrak{a}], E) \longmapsto [\mathfrak{a}] \cdot E = E/E[\mathfrak{a}].$$

Proposition. The class group $\mathrm{Cl}(\mathcal{O})$ acts faithfully and transitively on the set of $\mathcal{O}$-isomorphism classes of primitive $\mathcal{O}$-oriented elliptic curves. In particular, for fixed primitive $\mathcal{O}$-oriented $E$, we obtain a bijection of sets:
$$\mathrm{Cl}(\mathcal{O}) \longrightarrow \mathrm{SS}^{pr}_{\mathcal{O}}(p).$$
VORTEX

We define a vortex to be the $\ell$-isogeny subgraph whose vertices are isomorphism classes of $\mathcal{O}$-oriented elliptic curves with $\ell$-maximal endomorphism ring, equipped with an action of $\mathrm{Cl}(\mathcal{O})$.

[Figure: a single $\ell$-isogeny crater acted on by $\mathrm{Cl}(\mathcal{O})$.]

Instead of considering the union of different isogeny graphs, we focus on one single crater and we think of all the other primes as acting on it: the resulting object is a single isogeny circle rotating under the action of $\mathrm{Cl}(\mathcal{O})$.
WHIRLPOOL

The action of $\mathrm{Cl}(\mathcal{O})$ extends to the union $\bigcup_i \mathrm{SS}_{\mathcal{O}_i}(p)$ over all superorders $\mathcal{O}_i$ containing $\mathcal{O}$ via the surjections $\mathrm{Cl}(\mathcal{O}) \to \mathrm{Cl}(\mathcal{O}_i)$. We define a whirlpool to be a complete isogeny volcano acted on by the class group. We would like to think of isogeny graphs as moving objects.

Actually, we would like to take the $\ell$-isogeny graph on the full $\mathrm{Cl}(\mathcal{O}_K)$-orbit. This might be composed of several $\ell$-isogeny orbits (craters), although the class group is transitive.
ISOGENY CHAINS

Definition. An $\ell$-isogeny chain of length $n$ from $E_0$ to $E$ is a sequence of isogenies of degree $\ell$:
$$E_0 \xrightarrow{\ \varphi_0\ } E_1 \xrightarrow{\ \varphi_1\ } E_2 \xrightarrow{\ \varphi_2\ } \cdots \xrightarrow{\ \varphi_{n-1}\ } E_n = E.$$
The $\ell$-isogeny chain is without backtracking if $\ker(\varphi_{i+1} \circ \varphi_i) \neq E_i[\ell]$ for all $i$. The isogeny chain is descending (or ascending, or horizontal) if each $\varphi_i$ is descending (or ascending, or horizontal, respectively).

Suppose that $(E_i, \varphi_i)$ is a descending $\ell$-isogeny chain with
$$\mathcal{O}_K \subseteq \operatorname{End}(E_0), \ \ldots, \ \mathcal{O}_n = \mathbb{Z} + \ell^n \mathcal{O}_K \subseteq \operatorname{End}(E_n).$$
If $\mathfrak{q}$ is a split prime in $\mathcal{O}_K$ over $q \neq \ell, p$, then the isogeny $\psi_0 : E_0 \to F_0 = E_0/E_0[\mathfrak{q}]$ can be extended to the $\ell$-isogeny chain by pushing forward the cyclic group $C_0 = E_0[\mathfrak{q}]$:
$$C_0 = E_0[\mathfrak{q}], \quad C_1 = \varphi_0(C_0), \ \ldots, \ C_n = \varphi_{n-1}(C_{n-1}),$$
and defining $F_i = E_i/C_i$.
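The class groups $\mathrm{Cl}(\mathcal{O}_n)$ of the orders $\mathcal{O}_n = \mathbb{Z} + \ell^n \mathcal{O}_K$ along a descending chain are what act on the primitive $\mathcal{O}_n$-oriented curves in the class group action above, so their sizes $h(\mathcal{O}_n)$ are the orbit sizes at each depth. The Python script below is an added example, not code from the slides or their authors: it computes $h(\mathcal{O}_n)$ two independent ways, by enumerating primitive reduced binary quadratic forms of discriminant $\ell^{2n} d_K$ (a standard bijection with $\mathrm{Cl}(\mathcal{O}_n)$, not stated on the slides) and by the classical index formula for the class number of a non-maximal order, and checks that the two agree. Function names and the chosen sample discriminants are assumptions of this example.

```python
# Added example (not from the Colò–Kohel slides): class numbers of the orders
# O_n = Z + ell^n O_K along a descending ell-isogeny chain, computed two ways:
#   (1) by enumerating primitive reduced binary quadratic forms of discriminant
#       disc(O_n) = ell^(2n) * d_K, whose count is h(O_n), and
#   (2) by the index formula for a non-maximal order of conductor f = ell^n:
#       h(O) = h(O_K) * f / [O_K^* : O^*] * prod_{l | f} (1 - (d_K/l)/l).

from math import gcd, isqrt

def reduced_forms(D):
    """Primitive reduced forms (a, b, c), b^2 - 4ac = D < 0:
    |b| <= a <= c, and b >= 0 whenever |b| = a or a = c."""
    if D >= 0 or D % 4 not in (0, 1):
        raise ValueError("D must be a negative discriminant")
    forms = []
    for a in range(1, isqrt(-D // 3) + 1):       # reduced forms satisfy 3a^2 <= -D
        for b in range(-a, a + 1):
            if (b * b - D) % (4 * a):
                continue
            c = (b * b - D) // (4 * a)
            if c < a or ((a == abs(b) or a == c) and b < 0):
                continue
            if gcd(gcd(a, abs(b)), c) != 1:      # non-primitive forms belong to a suborder
                continue
            forms.append((a, b, c))
    return forms

def class_number(D):
    """h(O) for the order O of discriminant D, as the number of primitive reduced forms."""
    return len(reduced_forms(D))

def kronecker(d, l):
    """Kronecker symbol (d / l) for a prime l: 0 ramified, +1 split, -1 inert."""
    if l == 2:
        if d % 2 == 0:
            return 0
        return 1 if d % 8 in (1, 7) else -1
    d %= l
    if d == 0:
        return 0
    return 1 if pow(d, (l - 1) // 2, l) == 1 else -1

def unit_index(dK):
    """[O_K^* : O^*] for a proper suborder O of O_K: 2 for Q(i), 3 for Q(sqrt(-3)), else 1."""
    return {-4: 2, -3: 3}.get(dK, 1)

def class_number_formula(dK, ell, n):
    """h(O_n) for O_n = Z + ell^n O_K via the index formula (n >= 0, d_K fundamental)."""
    if n == 0:
        return class_number(dK)
    # f = ell^n, so the Euler-type product has the single factor (1 - (d_K/ell)/ell):
    #   h(O_n) = h(O_K) * ell^n * (ell - (d_K/ell)) / (ell * [O_K^* : O^*])
    numerator = class_number(dK) * ell ** n * (ell - kronecker(dK, ell))
    denominator = ell * unit_index(dK)
    assert numerator % denominator == 0          # the formula always yields an integer
    return numerator // denominator

def chain_class_numbers(dK, ell, n_max):
    """[h(O_0), ..., h(O_{n_max})] by form enumeration, using disc(O_n) = ell^(2n) * d_K."""
    return [class_number(ell ** (2 * n) * dK) for n in range(n_max + 1)]

if __name__ == "__main__":
    # Sample chains (constructed): d_K and ell chosen so that ell is ramified,
    # inert and split in O_K respectively, to exercise every Kronecker value.
    for dK, ell in ((-4, 2), (-3, 2), (-7, 2), (-4, 3)):
        by_forms = chain_class_numbers(dK, ell, 4)
        by_formula = [class_number_formula(dK, ell, n) for n in range(5)]
        status = "OK" if by_forms == by_formula else "MISMATCH"
        print(f"d_K={dK}, ell={ell}: h(O_n) for n=0..4 = {by_forms} ({status})")
```

For $d_K = -4$ and $\ell = 2$ the sequence is $1, 1, 2, 4, 8, \ldots$: once the depth $n$ exceeds the small constant where the unit index and ramification are absorbed, each further descending step multiplies the orbit size by $\ell$, which is why the depth $n$ of a chain controls the size of the key space.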
LADDERS

Definition. An $\ell$-ladder of length $n$ and degree $q$ is a commutative diagram of $\ell$-isogeny chains $(E_i, \varphi_i)$, $(F_i, \varphi'_i)$ of length $n$ connected by $q$-isogenies $\psi_i : E_i \to F_i$:

    E_0 --φ_0--> E_1 --φ_1--> E_2 --φ_2--> ... --φ_{n-1}--> E_n
     |            |            |                            |
     ψ_0          ψ_1          ψ_2                          ψ_n
     v            v            v                            v
    F_0 --φ'_0--> F_1 --φ'_1--> F_2 --φ'_2--> ... --φ'_{n-1}--> F_n

We also refer to an $\ell$-ladder of degree $q$ as a $q$-isogeny of $\ell$-isogeny chains. We say that an $\ell$-ladder is ascending (or descending, or horizontal) if the $\ell$-isogeny chain $(E_i, \varphi_i)$ is ascending (or descending, or horizontal, respectively). We say that the $\ell$-ladder is level if $\psi_0$ is a horizontal $q$-isogeny. If the $\ell$-ladder is descending (or ascending), then we refer to the length of the ladder as its depth (or, respectively, as its height).