Pairing the volcano (Sorina Ionica and Antoine Joux)


  1. Pairing the volcano
     Sorina Ionica and Antoine Joux
     Université de Versailles Saint-Quentin-en-Yvelines, PRiSM, 45 avenue des États-Unis, F-78035 Versailles CEDEX, France
     DGA
     ANTS, Nancy, June 19th, 2010
     Sorina Ionica and Antoine Joux 1 / 22

  2. Motivation
     An isogeny cycle is a sequence of isogenies $E_1 \to E_2 \to E_3 \to \dots \to E_{n-1} \to E_1$.
     - SEA algorithm (Couveignes and Morain)
     - Hilbert polynomial computation (Couveignes and Henocq, Bröker, Charles and Lauter, Belding et al., Sutherland)

     Question: How can we build isogeny cycles?
     Answer: Kohel's work on the computation of the endomorphism ring (isogeny volcanoes) and pairings.

  3. The endomorphism ring of an ordinary elliptic curve
     Let $E$ be an ordinary elliptic curve defined over $\mathbb{F}_q$.
     Examples:
     - multiplication by $\ell \in \mathbb{Z}$: $P \mapsto \ell P$
     - $\pi : (x, y) \mapsto (x^q, y^q)$

     $\mathbb{Z}[\pi] \subseteq \mathrm{End}(E)$.
     $\mathrm{End}(E)$ is an order in a quadratic imaginary field $K$, i.e. a subring and $\mathbb{Z}$-submodule of the ring of integers $\mathcal{O}_K$.
     Denote by $f = [\mathcal{O}_K : \mathrm{End}(E)]$ the conductor and by $d_E = f^2 d_K$ the discriminant.

     | Order | Discriminant | Index in the order above |
     |---|---|---|
     | $\mathcal{O}_K$ | $d_K$ | |
     | $\mathrm{End}(E)$ | $f^2 d_K$ | $f$ |
     | $\mathbb{Z}[\pi]$ | $g^2 d_K$, with $d_\pi = t^2 - 4q = g^2 d_K$ | $g/f$ |

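  4. Isogenies and endomorphism rings
     The $\ell$-isogeny graph has vertices $\mathrm{Ell}_t(\mathbb{F}_q)$ and edges $\ell$-isogenies defined over $\mathbb{F}_q$.
     Let $\varphi : E_1 \to E_2$ be an isogeny of degree $\ell$.
     - descending: $\mathbb{Z}[\pi] \subseteq \mathrm{End}(E_2) \subset \mathrm{End}(E_1) \subseteq \mathcal{O}_K$, with $[\mathrm{End}(E_1) : \mathrm{End}(E_2)] = \ell$
     - ascending: $\mathbb{Z}[\pi] \subseteq \mathrm{End}(E_1) \subset \mathrm{End}(E_2) \subseteq \mathcal{O}_K$, with $[\mathrm{End}(E_2) : \mathrm{End}(E_1)] = \ell$
     - horizontal: $\mathbb{Z}[\pi] \subseteq \mathrm{End}(E_1) = \mathrm{End}(E_2) \subseteq \mathcal{O}_K$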

  5. Isogenies and $\ell$-volcanoes
     Let $h$ be the $\ell$-adic valuation of the conductor $g$ of $\mathbb{Z}[\pi]$.
     Kohel's theorem: Connected components of $\mathrm{Ell}_t(\mathbb{F}_q)$ are $\ell$-volcanoes of height $h$ (assuming $j \neq 0, 1728$).

  6. What is an $\ell$-volcano?
     [Figure: a volcano with levels $V_0, V_1, \dots, V_{h-1}, V_h$]
     - $V_0$ (the crater) is regular connected of degree at most 2.
     - For $i > 0$, each vertex in $V_i$ has one edge leading to a vertex in $V_{i-1}$.
     - For $i < h$, each vertex in $V_i$ has degree $\ell + 1$.

  7. Isogenies and $\ell$-volcanoes
     Let $h$ be the $\ell$-adic valuation of the conductor $g$ of $\mathbb{Z}[\pi]$.
     Kohel's theorem: Connected components of $\mathrm{Ell}_t(\mathbb{F}_q)$ are $\ell$-volcanoes of height $h$ (assuming $j \neq 0, 1728$).
     Curves on a fixed level have the same endomorphism ring.
     [Figure: volcano levels labelled with the discriminants $d_0$, $\ell^2 d_0$, $\dots$, $\ell^{2(h-1)} d_0$, $\ell^{2h} d_0$]

  8. Exploring the volcano (First method)
     Assume $E$ has $\ell + 1$ neighbours. Then $E[\ell](\mathbb{F}_{q^r}) = \langle P, Q \rangle$ with $r < \ell$.
     Subgroups of order $\ell$ are: $\langle P \rangle, \langle Q \rangle, \langle P + Q \rangle, \dots, \langle P + (\ell - 1)Q \rangle$.
     Use classical Vélu's formulae.
     Cost: $O(M(r)(\ell + \log q))$ with $M(r) = r \log r \log\log r$.

  9. Exploring the volcano (Second method)
     The modular polynomial $\Phi_\ell(X, Y) \in \mathbb{Z}[X, Y]$ is a symmetric polynomial of degree $\ell + 1$ in each variable.
     $E$ and $E'$ are $\ell$-isogenous over $\mathbb{F}_q$ $\Leftrightarrow$ $\#E(\mathbb{F}_q) = \#E'(\mathbb{F}_q)$ and $\Phi_\ell(j(E), j(E')) = 0$.
     Roots of $\Phi_\ell(X, j(E))$ in $\mathbb{F}_q$ give curves $\ell$-isogenous to $E$.
     Cost: $O(\ell^2 + M(\ell)\log q)$ with $M(\ell) = \ell \log \ell \log\log \ell$.
     Use modular polynomials. Blind walking.

  10. Descending (Kohel 1996, Fouquet-Morain 2001)
      It is easy to detect the floor.
      From a given curve one ↑ or at most two → isogenies.
      No backtracking ⇒ gravity is our friend!
      Descent: Construct three paths in parallel. The first that reaches the floor is descending.
      Cost: $O(h(\ell^2 + M(\ell)\log q))$.

  13. Ascending or walking on the crater (Fouquet-Morain, 2001)
      Construct descending paths for the $\ell + 1$ neighbours. The curve with the longest path is either above or at the same level.
      Cost: $O(h(\ell^3 + \ell M(\ell)\log q))$.
      Parallel walk: Construct $\ell + 1$ paths in parallel and use multipoint evaluation to compute $\Phi_\ell(X, j(E))$.
      Cost: $O(h \ell M(\ell)(\log \ell + \log q))$.

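  14. Determining directions on a regular volcano
      Miret et al. 2006: Determine direction thanks to the $\ell$-Sylow group structure.
      [Figure: volcano levels labelled with the $\ell$-Sylow group structure: $\mathbb{Z}/\ell^{n_1}\mathbb{Z} \times \mathbb{Z}/\ell^{n_2}\mathbb{Z}$, $\mathbb{Z}/\ell^{n_1+1}\mathbb{Z} \times \mathbb{Z}/\ell^{n_2-1}\mathbb{Z}$, $\dots$, $\mathbb{Z}/\ell^{n_1+n_2-1}\mathbb{Z} \times \mathbb{Z}/\ell\mathbb{Z}$, $\mathbb{Z}/\ell^{n_1+n_2}\mathbb{Z}$]
      Our approach: Construct a compass using self-pairings.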

  15. Self-pairings
      $E[\ell^\infty](\mathbb{F}_{q^r}) \simeq \mathbb{Z}/\ell^{n_1}\mathbb{Z} \times \mathbb{Z}/\ell^{n_2}\mathbb{Z}$ with $n_1 \geq n_2$.
      $\ell^{n_2} \mid q^r - 1 \Rightarrow E[\ell^{n_2}](\mathbb{F}_{q^r}) \simeq \mathbb{Z}/\ell^{n_2}\mathbb{Z} \times \mathbb{Z}/\ell^{n_2}\mathbb{Z}$.
      The reduced Tate pairing is a bilinear, non-degenerate map

      $$T_{\ell^{n_2}} : E[\ell^{n_2}] \times E(\mathbb{F}_{q^r})/\ell^{n_2}E(\mathbb{F}_{q^r}) \to \mu_{\ell^{n_2}}, \qquad (P, Q) \mapsto \left(\frac{f_{\ell^{n_2},P}(Q + R)}{f_{\ell^{n_2},P}(R)}\right)^{\frac{q-1}{\ell^{n_2}}}$$

      efficiently computable with Miller's algorithm: $O(n_2 \log \ell)$.

  16. Self-pairings
      For $P, Q \in E[\ell^{n_2}]$ define (Joux, Nguyen 2003)

      $$S(P, Q) = \left(T_{\ell^{n_2}}(P, Q)\, T_{\ell^{n_2}}(Q, P)\right)^{1/2}$$

      $S$ symmetric $\Rightarrow$ $S(P, P) = T_{\ell^{n_2}}(P, P)$.
      If $S \neq 1$ there is $k > 0$ such that $S(\cdot, \cdot) : E[\ell^{n_2}] \times E[\ell^{n_2}] \to \mu_{\ell^k} \subseteq \mu_{\ell^{n_2}}$ is surjective.
      We say $P$ has non-degenerate self-pairing iff $T_{\ell^{n_2}}(P, P)$ is a primitive $\ell^k$-th root of unity and degenerate otherwise.

  17. How many degenerate self-pairings? (Joux-Nguyen/I.-Joux)
      Take $P$ and $Q$ generating $E[\ell^{n_2}]$.

      $$S(aP + bQ, aP + bQ) = S(P, P)^{a^2}\, S(P, Q)^{2ab}\, S(Q, Q)^{b^2}$$

      Consider the polynomial

      $$P_{E,\ell^{n_2}}(a, b) = \log(S(P, P))\, a^2 + 2\log(S(P, Q))\, ab + \log(S(Q, Q))\, b^2 \bmod \ell^{k-1}$$

      Subgroups of order $\ell$ in $E[\ell^{n_2}]/E[\ell^{n_2-1}]$ with degenerate pairing $\Longleftrightarrow$ homogeneous roots of $P_{E,\ell^{n_2}}$.
      At most two subgroups with degenerate self-pairing (modulo $E[\ell^{n_2-1}]$).

  18. Our pairing compass
      Let $P$ be a point of order $\ell^{n_2}$ on $E$ and $\varphi$ the isogeny of kernel $\langle \ell^{n_2-1} P \rangle$.
      Theorem: If $P$ has non-degenerate self-pairing then the isogeny is descending. If $P$ has degenerate self-pairing, then the isogeny is ascending or horizontal.
      Corollary: If $P_{E,\ell^{n_2}}$ has two distinct roots, then $E$ is on the crater of its $\ell$-volcano.

  19. Ascending and walking on the crater with a compass
      Regular volcanoes, $\ell \geq 3$, $P_{E,\ell^{n_2}} \neq 0$.
      - Compute $P$ and $Q$, two generators of $E[\ell^{n_2}](\mathbb{F}_{q^r})$.
      - Compute $P_{E,\ell^{n_2}}$, compute its roots and find a point $aP + bQ$ with degenerate pairing.
      - Compute vertical/horizontal isogenies via Vélu's formulae.

      Cost: $O(r M(r)(1 + \log q))$.

  20. Walking on irregular volcanoes
      [Figure: volcano marked with $P_{E,\ell^{n_2}} = 0$, the (second) stability level, and $P_{E,\ell^{n_2}} \neq 0$]
      In theory: Move to some finite extension $\mathbb{F}_{q^{\ell^s}}$ such that the polynomial $P_{E,\ell^{n_2}}$ corresponding to $E/\mathbb{F}_{q^{\ell^s}}$ is not zero.
      In practice: Use Kohel/Fouquet-Morain algorithms until the stability level is reached and our algorithms in the regular part of the volcano.
      Luckily, most volcanoes are regular!

  21. Walking on the volcano: Cost per step

      | | Descending path | Ascending/Horizontal |
      |---|---|---|
      | Kohel, Fouquet-Morain | $h(\ell^2 + M(\ell)\log q)$ | $h(\ell^3 + \ell M(\ell)\log q)$ |
      | Parallel evaluation | - | $h \ell M(\ell)(\log \ell + \log q)$ |
      | Regular volcanoes, best case | $\ell + \log q$ | $\ell + \log q$ |
      | Regular volcanoes, worst case $r \approx \ell/2$ | $r M(r)(1 + \log q)$ | $r M(r)(1 + \log q)$ |
      | Irregular volcanoes (worst case) | No improvement | No improvement |

      Implementation under MAGMA 2.15-15 on an Intel Core 2 Duo 2.66 GHz:

      | $\ell$ | $q$ | $\ell$-torsion | length of crater | time |
      |---|---|---|---|---|
      | 100003 | 61900742833426666852501391 | over $\mathbb{F}_q$ | 22 curves | 154 sec. |
      | 1009 | 953202937996763 | over $\mathbb{F}_{q^r}$ with $r = 84$ | 19 curves | 20 min. |

  22. If you plan to go hiking this summer, you'd better get a compass!
      Questions?
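
The root search of the compass procedure on slides 17 to 19 can be run on its own once the three pairing logs are known; the following is an added example in Python, not the authors' MAGMA implementation, and it computes no pairings. It assumes the logs of $S(P,P)$, $S(P,Q)$, $S(Q,Q)$ are taken in base a fixed primitive $\ell^k$-th root of unity, so that a self-pairing is degenerate exactly when its exponent is divisible by $\ell$; the function names and the sample log values are constructed for illustration.

```python
def directions(l):
    """One representative (a, b) per point of P^1(F_l): the l + 1 subgroups
    generated by aP + bQ modulo E[l^(n2-1)]."""
    return [(1, b) for b in range(l)] + [(0, 1)]


def compass(l, log_pp, log_pq, log_qq):
    """Classify the l + 1 directions with the quadratic form
    log S(P,P) a^2 + 2 log S(P,Q) ab + log S(Q,Q) b^2 reduced mod l.

    Assumption: logs are in base a primitive l^k-th root of unity, so the
    self-pairing of aP + bQ is degenerate iff the form vanishes mod l.
    """
    if l < 3 or l % 2 == 0:
        raise ValueError("the regular-volcano compass needs an odd prime l")
    A, B, C = log_pp % l, (2 * log_pq) % l, log_qq % l
    if A == B == C == 0:
        # Form identically zero mod l: no direction can be read off it.
        return {"form_is_zero": True, "degenerate": [], "descending": [],
                "on_crater": None}
    degenerate, descending = [], []
    for a, b in directions(l):
        if (A * a * a + B * a * b + C * b * b) % l == 0:
            degenerate.append((a, b))   # ascending or horizontal isogeny
        else:
            descending.append((a, b))   # descending isogeny
    # Corollary: two distinct roots place E on the crater. For 0 or 1 roots
    # the slides make no claim, so the field stays None.
    return {"form_is_zero": False, "degenerate": degenerate,
            "descending": descending,
            "on_crater": True if len(degenerate) == 2 else None}


def roots_from_discriminant(l, log_pp, log_pq, log_qq):
    """Cross-check for a nonzero form over F_l (l odd prime): 0, 1 or 2
    projective roots according to the discriminant log_pq^2 - log_pp*log_qq."""
    d = (log_pq * log_pq - log_pp * log_qq) % l
    if d == 0:
        return 1
    return 2 if pow(d, (l - 1) // 2, l) == 1 else 0


if __name__ == "__main__":
    # Constructed log values for l = 7 (not taken from a real curve).
    for logs in [(1, 0, 6), (1, 1, 1), (1, 0, 1), (0, 0, 0)]:
        print(logs, compass(7, *logs))
```

Each pair $(a, b)$ in `degenerate` names a point $aP + bQ$ whose kernel $\langle \ell^{n_2-1}(aP + bQ) \rangle$ gives an ascending or horizontal step; the isogeny itself still has to be computed with Vélu's formulae.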
