Theta functions and applications in cryptography (Fonctions thêta et applications en cryptographie)

SLIDE 1

Theta functions and applications in cryptography
Fonctions thêta et applications en cryptographie

Computer science thesis
Damien Robert (Caramel team, Nancy Universités, CNRS, INRIA Nancy Grand Est)

21/07/2010 (Nancy)

SLIDE 2

Outline

1. Public-key cryptography
2. Abelian varieties
3. Theta functions
4. Pairings
5. Isogenies
6. Perspectives

Damien Robert (Caramel, LORIA) Theta functions and cryptography 21/07/2010 (Nancy) 2 / 40

SLIDE 4

Public-key cryptography Public-key systems

A brief history of public-key cryptography

Secret-key cryptography: Vigenère (1553), One time pad (1917), AES (NIST, 2001).

Public-key cryptography:

  • Diffie–Hellman key exchange (1976).
  • RSA (1978): multiplication/factorisation.
  • ElGamal: exponentiation/discrete logarithm in $G = \mathbb{F}_q^*$.
  • ECC/HECC (1985): discrete logarithm in $G = A(\mathbb{F}_q)$.
  • Lattices, NTRU (1996), Ideal Lattices (2006): perturb a lattice point/Closest Vector Problem, Bounded Distance Decoding.
  • Polynomial systems, HFE (1996): evaluating polynomials/finding roots.
  • Coding-based cryptography, McEliece (1978): matrix-vector multiplication/decoding a linear code.

⇒ Encryption, Signature (+ Pseudo Random Number Generator, Zero Knowledge).

  • Pairing-based cryptography (2000–2001).
  • Homomorphic cryptography (2009).

SLIDE 5

Public-key cryptography Public-key systems

RSA versus (H)ECC

Security (bits level)    RSA      ECC
72                       1008     144
80                       1248     160
96                       1776     192
112                      2432     224
128                      3248     256
256                      15424    512

Key length comparison between RSA and ECC

Factorisation of a 768-bit RSA modulus [Kle+10]. Currently: attempt to attack a 130-bit Koblitz elliptic curve.

SLIDE 6

Public-key cryptography Discrete logarithm in cryptography

Discrete logarithm

Definition (DLP)

Let $G = \langle\,\rangle$ be a cyclic group of prime order. Let $x \in \mathbb{N}$ and $h = x$. The discrete logarithm $\log(h)$ is $x$.

  • Exponentiation: $O(\log p)$.
  • DLP: $\tilde{O}(\sqrt{p})$ (in a generic group).
  • $G = \mathbb{F}_p^*$: sub-exponential attacks.

⇒ Find secure groups with efficient law, compact representation.

Protocol [Diffie–Hellman Key Exchange]

Alice sends a, Bob sends b, the common key is ab = (b)a = (a)b.

SLIDE 7

Public-key cryptography Discrete logarithm in cryptography

Pairing-based cryptography

Definition

A pairing is a bilinear map $e\colon G_1 \times G_1 \to G_2$.

  • Identity-based cryptography [BF03].
  • Short signature [BLS04].
  • One way tripartite Diffie–Hellman [Jou04].
  • Self-blindable credential certificates [Ver01].
  • Attribute based cryptography [SW05].
  • Broadcast encryption [Goy+06].

Tripartite Diffie–Hellman

Alice sends a, Bob sends b, Charlie sends c. The common key is e(, )abc = e(b, c)a = e(c, a)b = e(a, b)c ∈ $G_2$.

SLIDE 9

Abelian varieties Jacobian of curves

Abelian varieties

Definition

An Abelian variety is a complete connected group variety over a base field k.

Abelian variety = points on a projective space (locus of homogeneous polynomials) + an abelian group law given by rational functions.

⇒ Use $G = A(k)$ with $k = \mathbb{F}_q$ for the DLP.
⇒ Pairing-based cryptography with the Weil or Tate pairing. (Only available on abelian varieties.)

SLIDE 10

Abelian varieties Jacobian of curves

Elliptic curves

Definition (char k ≠ 2, 3)

$E\colon y^2 = x^3 + ax + b$, with $4a^3 + 27b^2 \neq 0$.

  • An elliptic curve is a plane curve of genus 1.
  • Elliptic curves = Abelian varieties of dimension 1.

[Figure: the curve with the points P, Q and R.]

$$P + Q = -R = (x_R, -y_R), \qquad \lambda = \frac{y_Q - y_P}{x_Q - x_P}, \qquad x_R = \lambda^2 - x_P - x_Q, \qquad y_R = y_P + \lambda (x_R - x_P)$$

SLIDE 11

Abelian varieties Jacobian of curves

Jacobian of hyperelliptic curves

  • $C\colon y^2 = f(x)$, hyperelliptic curve of genus . (deg f = 2 − 1)
  • Divisor: formal sum $D = \sum n_i P_i$, $\deg D = \sum n_i$, $P_i \in C(k)$.
  • Principal divisor: $\sum_{P \in C(k)} v_P(f)\cdot P$; $f \in k(C)$.
  • Jacobian of C = Divisors of degree 0 modulo principal divisors = Abelian variety of dimension .
  • Divisor class D ⇒ unique representative (Riemann–Roch): $D = \sum_{i=1}^{k} (P_i - P_\infty)$, k ⩽ , symmetric $P_i \neq P_j$.
  • Mumford coordinates: $D = (u, v)$ ⇒ $u = \prod (x - x_i)$, $v(x_i) = y_i$.
  • Cantor algorithm: addition law.

SLIDE 14

Abelian varieties Jacobian of curves

Example of the addition law in genus 2

$D = P_1 + P_2 - 2\infty$, $D' = Q_1 + Q_2 - 2\infty$

[Figure: the curve with the points P1, P2, Q1, Q2, R′1, R′2, R1 and R2.]

$D + D' = R_1 + R_2 - 2\infty$

SLIDE 16

Abelian varieties Jacobian of curves

Security of Jacobians

Genus        # points    DLP
1            $O(q)$      $\tilde{O}(q^{1/2})$
2            $O(q^2)$    $\tilde{O}(q)$
3            $O(q^3)$    $\tilde{O}(q^{4/3})$ (Jacobian of hyperelliptic curve)
                         $\tilde{O}(q)$ (Jacobian of non hyperelliptic curve)
             $O(q)$      $\tilde{O}(q^{2-2/})$
 > log(q)                $L_{1/2}(q) = \exp(O(1) \log(x)^{1/2} \log\log(x)^{1/2})$

Security of the DLP

  • Weak curves (MOV attack, Weil descent, anomalous curves).

⇒ Public-key cryptography with the DLP: Elliptic curves, Jacobian of hyperelliptic curves of genus 2.
⇒ Pairing-based cryptography: Abelian varieties of dimension  ⩽ 4.

SLIDE 17

Abelian varieties Isogenies

Isogenies

Definition

A (separable) isogeny is a finite surjective (separable) morphism between two Abelian varieties.

  • Isogenies = Rational map + group morphism + finite kernel.
  • Isogenies ⇔ Finite subgroups: (f: A → B) ↦ Ker f and (A → A/H) ↤ H.
  • Example: Multiplication by ℓ (⇒ ℓ-torsion), Frobenius (non separable).

SLIDE 18

Abelian varieties Isogenies

Cryptographic usage of isogenies

  • Transfer the DLP from one Abelian variety to another.
  • Point counting algorithms (ℓ-adic or p-adic) ⇒ Verify a curve is secure.
  • Compute the class field polynomials (CM-method) ⇒ Construct a secure curve.
  • Compute the modular polynomials ⇒ Compute isogenies.
  • Determine End(A) ⇒ CRT method for class field polynomials.

SLIDE 19

Abelian varieties Computing isogenies in genus 1

Vélu’s formula

Theorem

Let $E\colon y^2 = f(x)$ be an elliptic curve and $G \subset E(k)$ a finite subgroup. Then $E/G$ is given by $Y^2 = (X)$ where

$$X(P) = x(P) + \sum_{Q \in G \setminus \{0_E\}} \bigl(x(P + Q) - x(Q)\bigr)$$

$$Y(P) = y(P) + \sum_{Q \in G \setminus \{0_E\}} \bigl(y(P + Q) - y(Q)\bigr).$$

Uses the fact that x and y are characterised in k(E) by

$$v_{0_E}(x) = -2, \qquad v_P(x) \geq 0 \text{ if } P \neq 0_E$$

$$v_{0_E}(y) = -3, \qquad v_P(y) \geq 0 \text{ if } P \neq 0_E$$

$$y^2/x^3(0_E) = 1$$

No such characterisation in genus  ⩾ 2.
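The addition law of slide 10 and Vélu's formula above, run on the curve y² = x³ + 23x + 3 over F_31 that the deck uses in its later level-4 example (added example, not part of the original slides). The kernel is an assumption of this example: the rational subgroup of order 3, found by exhaustive search. The codomain coefficients a − 5t and b − 7w come from Vélu's standard sums, which the slide does not spell out.

```python
# Added example (not from the slides): Vélu's formula on y^2 = x^3 + 23x + 3 over F_31.
P_MOD, A, B = 31, 23, 3
INF = None                     # the point 0_E


def add(P, Q, a=A, p=P_MOD):
    """Chord-and-tangent law: P + Q = -R, with R the third intersection point."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                                   # Q = -P (also doubling a 2-torsion point)
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1 % p, -1, p) % p   # tangent slope
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p        # chord slope
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def curve_points(a, b, p=P_MOD):
    """All points of y^2 = x^3 + a*x + b over F_p, 0_E included."""
    pts = [INF]
    for x in range(p):
        rhs = (x**3 + a * x + b) % p
        pts += [(x, y) for y in range(p) if y * y % p == rhs]
    return pts


def subgroup(P, a=A, p=P_MOD):
    """Cyclic subgroup generated by P, as the list [0_E, P, 2P, ...]."""
    G, Q = [INF], P
    while Q is not INF:
        G.append(Q)
        Q = add(Q, P, a, p)
    return G


def kernel_of_order(ell, a=A, b=B, p=P_MOD):
    """First cyclic subgroup of order ell found by exhaustive search, or None."""
    for P in curve_points(a, b, p):
        G = subgroup(P, a, p)
        if len(G) == ell:
            return G
    return None


def velu(G, a=A, b=B, p=P_MOD):
    """Return (phi, a2, b2) with phi: E -> E/G and E/G: Y^2 = X^3 + a2*X + b2."""
    kernel = [Q for Q in G if Q is not INF]
    # Vélu's sums over G \ {0_E}; they give the codomain in short Weierstrass form.
    t = sum(3 * x * x + a for x, _ in kernel) % p
    w = sum(5 * x**3 + 3 * a * x + 2 * b for x, _ in kernel) % p
    a2, b2 = (a - 5 * t) % p, (b - 7 * w) % p

    def phi(P):
        if P is INF or P in kernel:
            return INF                       # the kernel maps to 0 of E/G
        X, Y = P
        for Q in kernel:                     # X(P) = x(P) + sum of (x(P+Q) - x(Q)), same for Y
            S = add(P, Q, a, p)
            X, Y = X + S[0] - Q[0], Y + S[1] - Q[1]
        return (X % p, Y % p)

    return phi, a2, b2


if __name__ == "__main__":
    G = kernel_of_order(3)
    phi, a2, b2 = velu(G)
    print("kernel:", G)
    print("E/G: Y^2 = X^3 + %dX + %d over F_%d" % (a2, b2, P_MOD))
    print("phi((4, 2)) =", phi((4, 2)))
```

Both curves have 24 points over F_31, as expected for isogenous curves, and the map respects the group law on every pair of points.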

SLIDE 21

Abelian varieties Computing isogenies in genus 1

The modular polynomial

Definition

Modular polynomial $\phi_n(x, y) \in \mathbb{Z}[x, y]$: $\phi_n(x, y) = 0 \Leftrightarrow x = j(E)$ and $y = j(E')$ with $E$ and $E'$ n-isogenous.

If $E\colon y^2 = x^3 + ax + b$ is an elliptic curve, the j-invariant is

$$j(E) = 1728 \, \frac{4a^3}{4a^3 + 27b^2}$$

  • Roots of $\phi_n(j(E), \cdot)$ ⇔ elliptic curves n-isogenous to E.
  • In genus 2, modular polynomials use Igusa invariants. The height explodes.

⇒ Genus 2: (2, 2)-isogenies [Richelot]. Genus 3: (2, 2, 2)-isogenies [Smi09].
⇒ Moduli space given by invariants with more structure.
⇒ Fix the form of the isogeny and look for compatible coordinates.

SLIDE 23

Theta functions Theta coordinates

Complex abelian varieties and theta functions of level n

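  • $(\vartheta_i)_{i \in Z(n)}$: basis of the theta functions of level n. ($Z(n) := \mathbb{Z}/n\mathbb{Z}$)
    ⇔ $A[n] = A_1[n] \oplus A_2[n]$: symplectic decomposition.
  • $(\vartheta_i)_{i \in Z(n)} = \begin{cases} \text{coordinates system} & n \geq 3 \\ \text{coordinates on the Kummer variety } A/\pm 1 & n = 2 \end{cases}$
  • Theta null point: $\vartheta_i(0)_{i \in Z(n)}$ = modular invariant.

Example (k = ℂ)

Abelian variety over ℂ: $A = \mathbb{C}/(\mathbb{Z} + \Omega\mathbb{Z})$; $\Omega \in \mathcal{H}(\mathbb{C})$ the Siegel upper half space (Ω symmetric, Im Ω positive definite).

$$\vartheta_i := \Theta\begin{bmatrix} 0 \\ i/n \end{bmatrix}(z, \Omega/n).$$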

SLIDE 24

Theta functions Theta coordinates

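The differential addition law (k = ℂ)

$$\Bigl(\sum_{t \in Z(2)} \chi(t)\,\vartheta_{i+t}(x + y)\,\vartheta_{j+t}(x - y)\Bigr) \cdot \Bigl(\sum_{t \in Z(2)} \chi(t)\,\vartheta_{k+t}(0)\,\vartheta_{l+t}(0)\Bigr) = \Bigl(\sum_{t \in Z(2)} \chi(t)\,\vartheta_{-i'+t}(y)\,\vartheta_{j'+t}(y)\Bigr) \cdot \Bigl(\sum_{t \in Z(2)} \chi(t)\,\vartheta_{k'+t}(x)\,\vartheta_{l'+t}(x)\Bigr),$$

where $\chi \in \hat{Z}(2)$, $i, j, k, l \in Z(n)$, $(i', j', k', l') = A(i, j, k, l)$ and

$$A = \frac{1}{2}\begin{pmatrix} 1 & 1 & 1 & 1 \\ 1 & 1 & -1 & -1 \\ 1 & -1 & 1 & -1 \\ 1 & -1 & -1 & 1 \end{pmatrix}$$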

SLIDE 25

Theta functions Fast arithmetic with theta functions

Arithmetic with low level theta functions (char k ≠ 2)

                  Mumford [Lan05]    Level 2 [Gau07]    Level 4
Doubling          34M + 7S           7M + 12S + 9m0     49M + 36S + 27m0
Mixed Addition    37M + 6S

Multiplication cost in genus 2 (one step).

                  Montgomery        Level 2           Jacobians         Level 4
Doubling          5M + 4S + 1m0     3M + 6S + 3m0     3M + 5S           9M + 10S + 5m0
Mixed Addition                                        7M + 6S + 1m0

Multiplication cost in genus 1 (one step).

SLIDE 26

Theta functions Fast arithmetic with theta functions

Arithmetic with high level theta functions [LR10a]

Algorithms for

  • Additions and differential additions in level 4.
  • Computing P ± Q in level 2 (need one square root). [LR10b]
  • Fast differential multiplication.

Compressing coordinates O(1):

  • Level 2n theta null point ⇒ 1 + ( + 1)/2 level 2 theta null points.
  • Level 2n ⇒ 1 +  level 2 theta functions.

Decompression: n differential additions.

SLIDE 28

Pairings Miller algorithm

Pairings on abelian varieties

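  • E/k: elliptic curve.
  • Weil pairing: $E[\ell] \times E[\ell] \to \mu_\ell$. For $P, Q \in E[\ell]$, $\exists f_{\ell,P} \in k(E)$ with $(f_{\ell,P}) = \ell(P - 0_E)$.

$$e_{W,\ell}(P, Q) = \frac{f_{\ell,P}(Q - 0_E)}{f_{\ell,Q}(P - 0_E)}.$$

  • Tate pairing: $e_{T,\ell}(P, Q) = f_{\ell,P}(Q - 0_E)$.
  • Miller algorithm: pairing with Mumford coordinates.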

SLIDE 29

Pairings Pairings with theta coordinates

The Weil and Tate pairing with theta coordinates [LR10b]

P and Q points of ℓ-torsion.

$$\begin{array}{lllll}
0_A & P & 2P & \dots & \ell P = \lambda_P^0\, 0_A \\
Q & P \oplus Q & 2P + Q & \dots & \ell P + Q = \lambda_P^1\, Q \\
2Q & P + 2Q & & & \\
\dots & \dots & & & \\
\ell Q = \lambda_Q^0\, 0_A & P + \ell Q = \lambda_Q^1\, P & & &
\end{array}$$

$$e_{W,\ell}(P, Q) = \frac{\lambda_P^1 \lambda_Q^0}{\lambda_P^0 \lambda_Q^1}, \qquad e_{T,\ell}(P, Q) = \frac{\lambda_P^1}{\lambda_P^0}.$$
SLIDE 30

Pairings Pairings with theta coordinates

Comparison with Miller algorithm

 = 1    7M + 7S + 2m0
 = 2    17M + 13S + 6m0

Tate pairing with theta coordinates, $P, Q \in A[\ell](\mathbb{F}_{q^d})$ (one step)

                                                 Miller                         Theta coordinates
                                                 Doubling         Addition      One step
 = 1   d even                                    1M + 1S + 1m     1M + 1m       1M + 2S + 2m
       d odd                                     2M + 2S + 1m     2M + 1m
 = 2   Q degenerate + denominator elimination    1M + 1S + 3m     1M + 3m       3M + 4S + 4m
       General case                              2M + 2S + 18m    2M + 18m

$P \in A[\ell](\mathbb{F}_q)$, $Q \in A[\ell](\mathbb{F}_{q^d})$ (counting only operations in $\mathbb{F}_{q^d}$).

SLIDE 32

Isogenies Isogenies by going down in the level

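The isogeny theorem

Theorem

Let $\ell \wedge n = 1$, and $\phi\colon Z(n) \to Z(\ell n)$, $x \mapsto \ell \cdot x$ be the canonical embedding. Let $K_0 = A[\ell]_2 \subset A[\ell n]_2$.

Let $(\vartheta_i^A)_{i \in Z(\ell n)}$ be the theta functions of level ℓn on $A = \mathbb{C}/(\mathbb{Z} + \Omega\mathbb{Z})$.

Let $(\vartheta_i^B)_{i \in Z(n)}$ be the theta functions of level n of $B = A/K_0 = \mathbb{C}/(\mathbb{Z} + \frac{\Omega}{\ell}\mathbb{Z})$.

We have:

$$(\vartheta_i^B(x))_{i \in Z(n)} = (\vartheta^A_{\phi(i)}(x))_{i \in Z(n)}$$

Example

$\pi\colon (x_0, x_1, x_2, x_3, x_4, x_5, x_6, x_7, x_8, x_9, x_{10}, x_{11}) \mapsto (x_0, x_3, x_6, x_9)$ is a 3-isogeny between elliptic curves.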

SLIDE 33

Isogenies Isogenies by going down in the level

The modular space of theta null points of level n (char k ∤ n)

Definition

The modular space $M_n$ of theta null points is:

$$\sum_{t \in Z(2)} a_{x+t} a_{y+t} \sum_{t \in Z(2)} a_{u+t} a_{v+t} = \sum_{t \in Z(2)} a_{x'+t} a_{y'+t} \sum_{t \in Z(2)} a_{u'+t} a_{v'+t},$$

with the relations of symmetry $a_x = a_{-x}$.

Abelian varieties with a n-structure = open locus of $M_n$.

SLIDE 36

Isogenies Isogenies by going up in the level

Isogenies and modular correspondence [FLR09]

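[Diagram: $(a_i)_{i \in Z(\ell n)} \in M_{\ell n}(k)$ determines $A_k$ with $A_k[\ell n] = A_k[\ell n]_1 \oplus A_k[\ell n]_2$; $(b_i)_{i \in Z(n)} \in M_n(k)$ and $B_k$ with $B_k[n] = B_k[n]_1 \oplus B_k[n]_2$; arrows labelled $\pi$, $\phi_1$ and $\hat{\pi}$.]

  • Every isogeny (with isotropic kernel K) comes from a modular solution.
  • We can detect degenerate solutions.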

SLIDE 44

Isogenies Isogenies by going up in the level

The contragredient isogeny [LR10a]

[Diagram: $x \in A$, $y \in B$, $z \in A$, with arrows labelled $\pi$, $\hat{\pi}$ and $[\ell]$.]

Let $\pi\colon A \to B$ be the isogeny associated to $(a_i)_{i \in Z(\ell n)}$. Let $y \in B$ and $x \in A$ be one of the ℓ antecedents. Then

$$\hat{\pi}(y) = \ell \cdot x$$

Explicit isogenies algorithm

  • (Compressed) modular point from K: ( + 1)/2 ℓth-roots and ( + 1)/2 ⋅ O(log(ℓ)) chain additions.

⇒ (Compressed) isogeny:  ⋅ O(log(ℓ)) chain additions.

SLIDE 45

Isogenies Isogenies by going up in the level

Example

  • B: elliptic curve $y^2 = x^3 + 23x + 3$ over $k = \mathbb{F}_{31}$ ⇒ Theta null point of level 4: $(3 : 1 : 18 : 1) \in M_4(\mathbb{F}_{31})$.
  • $K = \{(3 : 1 : 18 : 1), (22 : 15 : 4 : 1), (18 : 29 : 23 : 1)\}$ ⇒ modular solution: $(3, \eta^{14233}, \eta^{2317}, 1, \eta^{1324}, \eta^{5296}, 18, \eta^{5296}, \eta^{1324}, 1, \eta^{2317}, \eta^{14233})$ ($\eta^3 + \eta + 28 = 0$).
  • $y = (\eta^{19406}, \eta^{19805}, \eta^{10720}, 1)$; $\hat{\pi}(y)$?

SLIDE 49

Isogenies Isogenies by going up in the level

Example

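$$R_1 = (\eta^{1324}, \eta^{5296}, \eta^{2317}, \eta^{14233})$$

$$y = (\eta^{19406}, \eta^{19805}, \eta^{10720}, 1)$$

$$y \oplus R_1 = \lambda_1 (\eta^{2722}, \eta^{28681}, \eta^{26466}, \eta^{2096})$$

$$y + 2R_1 = \lambda_1^2 (\eta^{28758}, \eta^{11337}, \eta^{27602}, \eta^{22972})$$

$$y + 3R_1 = \lambda_1^3 (\eta^{18374}, \eta^{18773}, \eta^{9688}, \eta^{28758}) = y/\eta^{1032}$$

so $\lambda_1^3 = \eta^{28758}$

$$2y + R_1 = \lambda_1^2 (\eta^{17786}, \eta^{12000}, \eta^{16630}, \eta^{365})$$

$$3y + R_1 = \lambda_1^3 (\eta^{7096}, \eta^{11068}, \eta^{8089}, \eta^{20005}) = \eta^{5772} R_1$$

$$\hat{\pi}(y) = (3, \eta^{21037}, \eta^{15925}, 1, \eta^{8128}, \eta^{18904}, 18, \eta^{12100}, \eta^{14932}, 1, \eta^{9121}, \eta^{27841})$$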

SLIDE 51

Isogenies Isogenies in the same level

Changing level by taking an isogeny

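[Diagram: $B$; $A$ with $A[\ell] = A[\ell]_1 \oplus A[\ell]_2$; $B = A/A[\ell]_2$; $A$; $C = A/A[\ell]_1$; arrows labelled $[\ell]$, $\hat{\pi}$, $\pi$ and $\pi_2$.]

  • $\pi_2 \circ \hat{\pi}$: $\ell^2$ isogeny in level n.
  • Modular points (corresponding to K) ⇔ $A[\ell] = A[\ell]_1 \oplus \hat{\pi}(B[\ell])$ ⇔ $\ell^2$-isogenies $B \to C$.
  • Isogeny graphs: $B[\ell]$ ⇒ $\ell^2$ differential additions.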

SLIDE 52

Isogenies Isogenies in the same level

Changing level without taking isogenies

Theorem (Koizumi-Kempf)

Let $L$ be the space of theta functions of level ℓn and $L'$ the space of theta functions of level n. Let $F \in M_r(\mathbb{Z})$ be such that ${}^tFF = \ell\,\mathrm{Id}$, and $f\colon A^r \to A^r$ the corresponding isogeny. We have $L = f^*L'$ and the isogeny f is given by

$$f^*(\vartheta^{L'}_{i_1} \star \dots \star \vartheta^{L'}_{i_r}) = \lambda \sum_{\substack{(j_1, \dots, j_r) \in K_1(L') \times \dots \times K_1(L') \\ f(j_1, \dots, j_r) = (i_1, \dots, i_r)}} \vartheta^{L}_{j_1} \star \dots \star \vartheta^{L}_{j_r}$$

$F = \begin{pmatrix} 1 & -1 \\ -1 & 1 \end{pmatrix}$ gives the Riemann relations. (For general ℓ, use the quaternions.)

⇒ Go up and down in level without taking isogenies [Cosset+R].

SLIDE 53

Isogenies Isogenies in the same level

A complete generalisation of Vélu’s algorithm [Cosset+R]

  • Compute the isogeny B → A while staying in level n.
  • No need of ℓ-roots. Need only O(#K) differential additions in B + $O(\ell)$ or $O(\ell^2)$ multiplications ⇒ fast.
  • The formulas are rational if the kernel K is rational.
  • Blocking part: compute K ⇒ compute all the ℓ-torsion on B.  = 2: ℓ-torsion, $\tilde{O}(\ell^6)$ vs $O(\ell^2)$ for the isogeny.

⇒ Work in level 2.
⇒ Convert back and forth to Mumford coordinates:

[Diagram: B, A, Jac(C1), Jac(C2), with an arrow labelled $\hat{\pi}$.]

Example

The Igusa j-invariants (3908, 2195, 648) correspond to a hyperelliptic curve over $\mathbb{F}_{4217}$ 1069-isogenous to itself.

SLIDE 55

Perspectives Faster isogenies

An improved modular correspondence?

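[Diagram: $M_{\ell n}$, $M_{\ell n}/H_1$, $M_n$, $M_{\ell n}/H \simeq M_n(\ell)$, $M_n$, $M_n$, with arrows labelled $\phi_1$, $\phi_2$ and Forget.]

  • $\#B_k[\ell] = \ell^2$.
  • Isotropic subspaces: O(ℓ(+1)/2).
  • Modular solutions: $\#\phi_1^{-1}((b_i)_{i \in Z(n)})$ = O(ℓ22+).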

SLIDE 56

Perspectives A better dictionary

Linking theta null points and Jacobians

  • Thomae formulas ⇒ link between Jacobian of hyperelliptic curves and theta functions.
  • Equivalent for non hyperelliptic curves [She08]?

Application

Extends [Smi09] attack on hyperelliptic genus 3 curves.

SLIDE 57

Perspectives And a lot more!

Some more applications

  • Explicit isogeny computation ⇒ endomorphism ring, Hilbert class polynomials.
  • Modular space in level 2 and equations for the Kummer varieties.
  • Improve the algorithm [CL08] for computing theta null points of the canonical lift of an ordinary abelian variety ⇒ point counting in small characteristic.
  • Improve the pairing algorithm (Ate pairing).
  • Faster additions law (level 3 theta functions, level (2, 4) in genus 2).
  • Characteristic 2 [GL09].

SLIDE 58

Perspectives And a lot more!

The end

Thank you for your attention!

SLIDE 59

References

Bibliography

[BF03] D. Boneh and M. Franklin. “Identity-based encryption from the Weil pairing”. In: SIAM Journal on Computing 32.3 (2003), pp. 586–615. (Cit. on p. 7).

[BLS04] D. Boneh, B. Lynn, and H. Shacham. “Short signatures from the Weil pairing”. In: Journal of Cryptology 17.4 (2004), pp. 297–319. (Cit. on p. 7).

[CL08] R. Carls and D. Lubicz. “A p-adic quasi-quadratic time and quadratic space point counting algorithm”. In: International Mathematics Research Notices (2008). (Cit. on p. 57).

[FLR09] Jean-Charles Faugère, David Lubicz, and Damien Robert. Computing modular correspondences for abelian varieties. May 2009. arXiv: 0910.4668. (Cit. on pp. 34–36).

[Gau07] P. Gaudry. “Fast genus 2 arithmetic based on Theta functions”. In: Journal of Mathematical Cryptology 1.3 (2007), pp. 243–265. (Cit. on p. 25).

[GL09] P. Gaudry and D. Lubicz. “The arithmetic of characteristic 2 Kummer surfaces and of elliptic Kummer lines”. In: Finite Fields and Their Applications 15.2 (2009), pp. 246–260. (Cit. on p. 57).

[Goy+06] V. Goyal et al. “Attribute-based encryption for fine-grained access control of encrypted data”. In: Proceedings of the 13th ACM conference on Computer and communications security. ACM. 2006, p. 98. (Cit. on p. 7).

[Jou04] A. Joux. “A one round protocol for tripartite Diffie–Hellman”. In: Journal of Cryptology 17.4 (2004), pp. 263–276. (Cit. on p. 7).

[Kle+10] T. Kleinjung et al. “Factorization of a 768-bit RSA modulus”. In: (2010). (Cit. on p. 5).

[Lan05] T. Lange. “Formulae for arithmetic on genus 2 hyperelliptic curves”. In: Applicable Algebra in Engineering, Communication and Computing 15.5 (2005), pp. 295–328. (Cit. on p. 25).

[LR10a] David Lubicz and Damien Robert. Computing isogenies between abelian varieties. Jan. 2010. arXiv: 1001.2016. (Cit. on pp. 26, 37–44).

[LR10b] David Lubicz and Damien Robert. Efficient pairing computation with theta functions. Ed. by Guillaume Hanrot, François Morain, and Emmanuel Thomé. 9th International Symposium, Nancy, France, ANTS-IX, July 19-23, 2010, Proceedings. Jan. 2010. url: http://www.normalesup.org/~robert/pro/publications/articles/pairings.pdf. (Cit. on pp. 26, 29).

[SW05] A. Sahai and B. Waters. “Fuzzy identity-based encryption”. In: Advances in Cryptology–EUROCRYPT 2005 (2005), pp. 457–473. (Cit. on p. 7).

[She08] N. Shepherd-Barron. “Thomae’s formulae for non-hyperelliptic curves and spinorial square roots of theta-constants on the moduli space of curves”. In: (2008). (Cit. on p. 56).

[Smi09] Benjamin Smith. Isogenies and the Discrete Logarithm Problem in Jacobians of Genus 3 Hyperelliptic Curves. Feb. 2009. arXiv: 0806.2995. (Cit. on pp. 20, 21, 56).

[Ver01] E. Verheul. “Self-blindable credential certificates from the Weil pairing”. In: Advances in Cryptology—ASIACRYPT 2001 (2001), pp. 533–551. (Cit. on p. 7).