
Algorithms for isogeny graphs, Sorina Ionica, Ecole Normale Supérieure (PowerPoint PPT presentation)



1. Algorithms for isogeny graphs
Sorina Ionica, Ecole Normale Supérieure Paris, Inria Bordeaux
5 February 2013
Sorina Ionica 1 / 35

2. Cryptographic motivation
We need an abelian variety of small dimension (i.e. 1 or 2) defined over $\mathbb{F}_q$ such that $\#A(\mathbb{F}_q)$ is divisible by a large prime number.
For pairing-based cryptography, use the complex multiplication method to generate curves with a prescribed number of points.
$\rightarrow$ This needs precomputing the class polynomials.

3. Class polynomials in cryptography
Let $J$ be a (simple) abelian surface over $\mathbb{C}$. $\mathrm{End}(J)$ is an order of a (primitive) quartic CM field $K$ (a totally imaginary quadratic extension of a totally real number field).
The class polynomials $H_1, H_2, H_3 \in \mathbb{Q}[X]$ parametrize the invariants of all abelian varieties $A/\mathbb{C}$ with $\mathrm{End}(A) \simeq \mathcal{O}_K$:
$$H_i(X) = \prod_{\mathrm{End}(A) \simeq \mathcal{O}_K} (X - j_i(A)).$$
Assume $p$ is a "good" prime. Then
$$\#J(\mathbb{F}_p) = N_{K/\mathbb{Q}}(\pi - 1),$$
where $\pi$ is the Frobenius endomorphism.

4. The CRT method for class polynomial computation
Eisenträger, Freeman, Lauter, Bröker, Gruenewald, Robert:
- Select a "good" prime $p$.
- For each abelian surface $J$ in the $p^3$ isomorphism classes:
  - Check if $J$ is in the right isogeny class.
  - Check if $\mathrm{End}(J) \simeq \mathcal{O}_K$.
- Reconstruct $H_i \bmod p$ from jacobians with maximal endomorphism ring.
- Compute class polynomials modulo small "good" primes and use the CRT to reconstruct $H_1, H_2, H_3$.

5. Computing all abelian varieties with maximal order
Eisenträger, Freeman, Lauter, Bröker, Gruenewald, Robert:
- Select a "good" prime $p$.
- For each abelian surface $J$ in the $p^3$ isomorphism classes:
  - Check if $J$ is in the right isogeny class.
  - Check if $\mathrm{End}(J) \simeq \mathcal{O}_K$.
- Generate jacobians with CM by $\mathcal{O}_K$ by computing horizontal isogenies* from $J$.
- Reconstruct $H_i \bmod p$ from jacobians with maximal endomorphism ring.
* An isogeny $I : J_1 \to J_2$ is horizontal iff $\mathrm{End}(J_1) \simeq \mathrm{End}(J_2)$.

6. Pairings and endomorphism rings
I.-Joux 2010: algorithms for horizontal isogeny and endomorphism ring computation in genus 1 by using the Tate pairing.
F. Morain: "I am sure there is something to say about the matrices of the Frobenius. In any case, everything is in the Frobenius!" meaning "It's all about the Frobenius!"
Claim: Indeed, but from a computational point of view, using pairings is faster in many cases.
$$\mathrm{End}(J) \otimes \mathbb{Z}_\ell \to \mathrm{End}_{\mathbb{F}_q}(T_\ell(J)) \quad \text{bijectively}$$

7. The endomorphism ring of an ordinary jacobian
Let $K$ be a quartic CM field and assume that $K = \mathbb{Q}(\eta)$ with
$$\eta = i\sqrt{a + b\,\tfrac{-1+\sqrt{d}}{2}} \ \text{ for } d \equiv 1 \bmod 4, \qquad \eta = i\sqrt{a + b\sqrt{d}} \ \text{ for } d \equiv 2, 3 \bmod 4.$$
Assume the real multiplication order $\mathcal{O}_{K_0}$ has class number 1.
Let $J$ be a jacobian of a genus 2 curve defined over $\mathbb{F}_q$. $J$ is ordinary, i.e. $\mathrm{End}(J)$ is an order of $K$:
$$\mathbb{Z}[\pi, \bar\pi] \subset \mathrm{End}(J) \subset \mathcal{O}_K.$$

8. Computing endomorphism rings
Eisenträger and Lauter's algorithm (2005), Freeman-Lauter (2008).
Idea: If $\alpha : J \to J$ is an endomorphism, then $\alpha/n$ is an endomorphism iff $J[n] \subset \mathrm{Ker}\,\alpha$.
Check if an order $\mathcal{O}$ is contained in $\mathrm{End}(J)$:
- Write down a basis for the order $\mathcal{O}$: $\gamma_i = \alpha_i / n_i$, with $\alpha_i \in \mathbb{Z}[\pi]$.
- Check if $\gamma_i \in \mathrm{End}(J)$ by checking if $\alpha_i$ is zero on $J[n_i]$.
Since $n_i \mid [\mathcal{O}_K : \mathbb{Z}[\pi, \bar\pi]]$, we end up working over large extension fields!

9. Just to give an idea...
The smallest extension field $\mathbb{F}_{q^r}$ s.t. $J[\ell] \subset J(\mathbb{F}_{q^r})$ has degree $r$ at most $\ell^4$.
If $J[\ell^2] \not\subseteq J(\mathbb{F}_{q^r})$, then $J[\ell^2] \subseteq J(\mathbb{F}_{q^{r\ell}})$, $J[\ell^3] \subseteq J(\mathbb{F}_{q^{r\ell^2}})$, ...
Bottleneck: group structure computation $\Longrightarrow$ $\ell$ is small.

10. Computing the endomorphism ring
For small $\ell$, use Eisenträger-Lauter.
If $\ell$ is larger, use Bisson's algorithm (2012): smooth relations in the class group of the order $\mathcal{O}$ correspond to smooth horizontal isogeny chains.
Complexity $O\big(\exp\big((\tfrac{\sqrt{3}}{2} + o(1))\sqrt{\log q \log\log q}\big)\big)$ under GRH and other heuristic assumptions.

11. Notations
Let $\theta \in \mathcal{O}$. We define
$$v_{\ell,\mathcal{O}}(\theta) := \max_{a \in \mathbb{Z}} \{\, m \mid \theta + a \in \ell^m \mathcal{O} \,\}.$$
How do we compute this? Consider a $\mathbb{Z}$-basis $1, \delta, \gamma, \eta$ for $\mathcal{O}$ and write $\theta = a_1 + a_2\delta + a_3\gamma + a_4\eta$. Then
$$v_{\ell,\mathcal{O}}(\theta) = v_\ell(\gcd(a_2, a_3, a_4)).$$

12. Checking locally maximal orders at $\ell$
In general, $v_{\ell,\mathcal{O}}(\theta) \le v_{\ell,\mathcal{O}_K}(\theta)$.
Take $\mathcal{O}_{K_0} = [1, \omega]$ and $\eta = i\sqrt{a + b\omega}$, with $(b, \ell) = 1$. Then $\theta = a_1 + a_2\omega + (a_3 + a_4\omega)\eta$, $a_i \in \mathbb{Z}$.
Lemma*: Let $\mathcal{O}$ be an order such that $\theta \in \mathcal{O}$ and $[\mathcal{O}_K : \mathcal{O}]$ is divisible by a power of $\ell$. If $\max(v_\ell(a_3 - a_4), v_\ell(\ell a_3 - a_4)) < \min(v_\ell(a_3), v_\ell(a_4))$ $\ell^2$ $\ell$, then $v_{\ell,\mathcal{O}}(\theta) < v_{\ell,\mathcal{O}_K}(\theta)$.
Let $v_\ell(\pi) = v_{\ell,\mathrm{End}(J)}(\pi)$. A simple criterion: check if $v_\ell(\pi) = v_{\ell,\mathcal{O}_K}(\pi)$.

13. Checking locally maximal orders at $\ell$
How do we compute $v_\ell(\pi)$?
Proposition: $v_\ell(\pi)$ is the largest integer $m$ such that the Frobenius action on $T_\ell(J)$ is a multiple of the identity up to precision $m$. The matrix of the Frobenius is of the form
$$\begin{pmatrix} \lambda & 0 & 0 & 0 \\ 0 & \lambda & 0 & 0 \\ 0 & 0 & \lambda & 0 \\ 0 & 0 & 0 & \lambda \end{pmatrix} \bmod \ell^k, \quad k \le m.$$
We could compute the action of the Frobenius on $J[\ell], J[\ell^2], \ldots$ This means working over large extension fields very quickly, so NO!

14. How do we compute $v_\ell(\pi)$?
2006, Schmoyer: bring pairings into play!

15. The Weil pairing
Let $A$ be an abelian variety defined over a field $K$. $A[m]$ is the $m$-torsion and $\hat A[m] \simeq \mathrm{Hom}(A[m], \mu_m)$.
The Weil pairing $e_m : A[m] \times \hat A[m] \to \mu_m$ is a bilinear, non-degenerate map.
If $A$ is a principally polarized variety:
$$e_m : A[m] \times A[m] \to \mu_m, \quad (P, Q) \mapsto e_m(P, Q).$$

16. The Tate pairing
We denote by $G_K = \mathrm{Gal}(\bar K / K)$ the Galois group.
Consider $0 \to A[m] \to A(\bar K) \xrightarrow{\ m\cdot\ } A(\bar K) \to 0$. Take Galois cohomology and get the connecting morphism
$$\delta : A(K)/mA(K) = H^0(G_K, A)/mH^0(G_K, A) \to H^1(G_K, A[m]), \quad P \mapsto F_P,$$
where we take $\bar P$ such that $m\bar P = P$ and define
$$F_P : G_K \to A(\bar K)[m], \quad \sigma \mapsto \sigma \cdot \bar P - \bar P.$$

17. The Tate pairing
We get the map
$$A(K)/mA(K) \times \hat A[m](K) \to H^1(G_K, \mu_m), \quad (P, Q) \mapsto [\sigma \mapsto e_m(F_P(\sigma), Q)],$$
which is bilinear and non-degenerate.

18. The Tate pairing
We get the map
$$A(K)/mA(K) \times A[m](K) \to H^1(G_K, \mu_m), \quad (P, Q) \mapsto [\sigma \mapsto e_m(F_P(\sigma), Q)],$$
which is bilinear and non-degenerate.

19. The Tate pairing
For a principally polarized abelian variety over a finite field $\mathbb{F}_q$ s.t. $\mu_m \subset \mathbb{F}_q$:
$$H^1(G_{\mathbb{F}_q}, \mu_m) \simeq H^1(\mathrm{Gal}(\mathbb{F}_{q^m}/\mathbb{F}_q), \mu_m) \simeq \mu_m.$$
We take $\bar P \in A(\bar{\mathbb{F}}_q)$ such that $m\bar P = P$ and define the Tate pairing
$$A(\mathbb{F}_q)/mA(\mathbb{F}_q) \times A[m](\mathbb{F}_q) \to \mu_m, \quad (P, Q) \mapsto e_m(\pi(\bar P) - \bar P, Q).$$

20. Pairings on kernels
Assume there is $n \ge 1$ s.t. $J[\ell^n] \subseteq J(\mathbb{F}_q)$ and $J[\ell^{n+1}] \not\subseteq J(\mathbb{F}_q)$, $\ell > 2$ prime (or: $\pi - 1$ is divisible exactly by $\ell^n$).
Let $W$ be the set of subgroups $G$ of rank 2 in $J[\ell^n]$ which are maximal isotropic with respect to the Weil pairing.
$$k_{\ell,J} := \max_{G \in W} \{\, k \mid \exists\, P, Q \in G \text{ s.t. } T_{\ell^n}(P, Q) \in \mu_{\ell^k} \setminus \mu_{\ell^{k-1}} \,\}$$

21. One pairing, two formulae
$$A(\mathbb{F}_q)/\ell^n A(\mathbb{F}_q) \times A[\ell^n](\mathbb{F}_q) \to \mu_{\ell^n}$$
Tate: $(P, Q) \mapsto e_{\ell^n}(\pi(\bar P) - \bar P, Q)$ with $\ell^n \bar P = P$ and $\bar P \notin J(\mathbb{F}_q)$.

22. One pairing, two formulae
$$A(\mathbb{F}_q)/\ell^n A(\mathbb{F}_q) \times A[\ell^n](\mathbb{F}_q) \to \mu_{\ell^n}$$
Tate: $(P, Q) \mapsto e_{\ell^n}(\pi(\bar P) - \bar P, Q)$ with $\ell^n \bar P = P$ and $\bar P \notin J(\mathbb{F}_q)$.
Lichtenbaum: $(P, Q) \mapsto \big(f_{P,\ell^n}(Q + R) / f_{P,\ell^n}(R)\big)^{(q-1)/\ell^n}$ with $f_{P,\ell^n}$ s.t. $\mathrm{div}(f_{P,\ell^n}) \sim \ell^n(P)$; computed in $O(n \log \ell + \log q)$ operations in $\mathbb{F}_q$.

23. One pairing, two formulae
$$A(\mathbb{F}_q)/\ell^n A(\mathbb{F}_q) \times A[\ell^n](\mathbb{F}_q) \to \mu_{\ell^n}$$
Tate: $(P, Q) \mapsto e_{\ell^n}(\pi(\bar P) - \bar P, Q)$ with $\ell^n \bar P = P$ and $\bar P \notin J(\mathbb{F}_q)$ $\Leftarrow$ computes the Frobenius action up to precision $\ge n$.
Lichtenbaum: $(P, Q) \mapsto \big(f_{P,\ell^n}(Q + R) / f_{P,\ell^n}(R)\big)^{(q-1)/\ell^n}$ with $f_{P,\ell^n}$ s.t. $\mathrm{div}(f_{P,\ell^n}) \sim \ell^n(P)$ $\Leftarrow$ computed in $O(n \log \ell + \log q)$ operations in $\mathbb{F}_q$.

24. Computing $v_\ell(\pi)$
Theorem: Suppose $\pi - 1$ is exactly divisible by $\ell^n$ and $0 < v_{\ell,\mathcal{O}_K}(\pi) < 2n$. Then
$$v_\ell(\pi) = 2n - k_{\ell,J}.$$
Proof: Galois cohomology + linear algebra.
Corollary: If $0 < v_{\ell,\mathcal{O}_K}(\pi) < 2n$ and under the conditions of Lemma*, then $\mathrm{End}(J)$ is a locally maximal order at $\ell$ iff $k_{\ell,J} = 2n - v_{\ell,\mathcal{O}_K}(\pi)$.

25. Computational issues
We need to get
$$k_{\ell,J} = \max_{G \in W} \{\, k \mid T_{\ell^n} : G \times G \to \mu_{\ell^k} \text{ surjective} \,\}.$$
There are $O(\ell^3)$ subgroups in $W$!
In practice, compute a symplectic basis $\{Q_1, Q_{-1}, Q_2, Q_{-2}\}$ and get
$$k_{\ell,J} = \max_{j \ne -i} \{\, k \mid T_{\ell^n}(Q_i, Q_j) \text{ is a primitive } \ell^k\text{-th root of unity} \,\}.$$
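The symplectic-basis computation of $k_{\ell,J}$ from slide 25, the Theorem and Corollary of slide 24, and the coefficient-gcd formula for $v_{\ell,\mathcal{O}}$ from slide 11, as an added Python example (not code from the talk). The prime $p = 19$ used to model $\mu_9$, the pairing table and the coordinates of $\pi$ are constructed sample data, not values derived from any actual Jacobian.

```python
from math import gcd
# Constructed parameters (not from the slides): ell = 3, n = 2, so J[ell^n] = J[9] is assumed
# F_q-rational and T_9 takes values in mu_9, modelled inside F_p^* with p = 19 (9 | p - 1 = 18).
ELL, N, P = 3, 2, 19

def v_ell(x, ell=ELL):
    """ell-adic valuation of a non-zero integer."""
    if x == 0:
        raise ValueError("v_ell(0) is infinite")
    v = 0
    while x % ell == 0:
        x, v = x // ell, v + 1
    return v

def v_ell_order(coords, ell=ELL):
    """Slide 11: theta = a1 + a2*delta + a3*gamma + a4*eta, so v_{ell,O}(theta) = v_ell(gcd(a2,a3,a4))."""
    _, a2, a3, a4 = coords
    return v_ell(gcd(gcd(a2, a3), a4), ell)

def root_of_unity_exponent(z, ell=ELL, n=N, p=P):
    """Smallest k with z^(ell^k) = 1 in F_p^*, i.e. z is a primitive ell^k-th root of unity."""
    for k in range(n + 1):
        if pow(z, ell ** k, p) == 1:
            return k
    raise ValueError("value is not in mu_{ell^n}")

def k_ell_J(pairings, ell=ELL, n=N, p=P):
    """Slide 25: pairings[(i, j)] = T_{ell^n}(Q_i, Q_j) on the symplectic basis
    {Q_1, Q_-1, Q_2, Q_-2}; pairs with j = -i are skipped."""
    return max(root_of_unity_exponent(z, ell, n, p)
               for (i, j), z in pairings.items() if j != -i)

def v_ell_pi(pairings, ell=ELL, n=N, p=P):
    """Slide 24, Theorem: v_ell(pi) = 2n - k_{ell,J}."""
    return 2 * n - k_ell_J(pairings, ell, n, p)

def locally_maximal_at_ell(pi_coords, pairings, ell=ELL, n=N, p=P):
    """Slide 24, Corollary: End(J) locally maximal at ell iff k_{ell,J} = 2n - v_{ell,O_K}(pi)
    (the side conditions of Lemma* are assumed to hold for the constructed data)."""
    v_max = v_ell_order(pi_coords, ell)
    if not 0 < v_max < 2 * n:
        raise ValueError("theorem needs 0 < v_{ell,O_K}(pi) < 2n")
    return k_ell_J(pairings, ell, n, p) == 2 * n - v_max

# Constructed pairing table in F_19^*: 4 has order 9, 7 has order 3, 1 is trivial.
SAMPLE_PAIRINGS = {(1, 1): 1, (1, 2): 4, (1, -2): 7, (-1, -1): 1, (-1, 2): 7, (-1, -2): 1,
                   (2, 1): 4, (2, -1): 7, (2, 2): 1, (-2, 1): 7, (-2, -1): 1, (-2, -2): 1}
# Constructed coordinates of pi in a Z-basis 1, omega, eta, omega*eta of O_K (slide 12).
PI_MAXIMAL = (7, 9, 18, 27)       # v_{3,O_K}(pi) = 2 = 2n - k_{3,J}  -> maximal at 3
PI_NON_MAXIMAL = (7, 27, 54, 81)  # v_{3,O_K}(pi) = 3 > v_3(pi) = 2    -> not maximal at 3
```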
