Generalizing Vlus formulas and some applications ECC 2010 Romain - PowerPoint PPT Presentation

Generalizing Vélu’s formulas and some applications ECC 2010 Romain Coss et 1 , David L ubicz 2,3 , Damien Robert 4 1 Nancy Université, CNRS, Inria Nancy Grand Est 2 CÉLAR 3 IRMAR, Université de Rennes 1 4 Inria Bordeaux Sud-Ouest 21/10/2010 (Redmond)

Isogenies Theory Implementation Examples and Applications Outline Isogenies 1 Tieory 2 3 Implementation 4 Examples and Applications

Isogenies Theory Implementation Examples and Applications Abelian varieties Defjnition An Abelian variety is a complete connected group variety over a base fjeld k . (Polarised) abelian varieties = higher dimensional equivalent of elliptic curves. If C is a curve of genus  , it’s Jacobian is a (principally polarised) abelian variety of dimension  . For C ∶ y 2 ≙ f ( x ) (deg f ≙ 2  − 1) hyperelliptic curve, Mumford coordinates: k D ≙ ∑ ( P i − P ∞ ) k ⩽  , − P i ≠ P j i ≙ 1 ≙ ( u , v ) with u ≙ ∏( x − x i ) , v ( x i ) ≙ y i .

Isogenies Theory Implementation Examples and Applications Isogenies Defjnition A (separable) isogeny is a fjnite surjective (separable) morphism between two Abelian varieties. Isogenies ⇔ Finite subgroups. ( f ∶ A → B ) ↦ Ker f ( A → A / H ) ↤ H Tie kernel of the dual isogeny ̂ f is the Cartier dual of the kernel of f ⇒ pairings! We want isogenies compatible with the polarizations ⇒ isotropic kernels.

Isogenies Theory Implementation Examples and Applications Cryptographic usage of isogenies Transfer the DLP from one Abelian variety to another. Point counting algorithms ( ℓ -adic or p -adic) ⇒ Verify a curve is secure. Compute the class fjeld polynomials (CM-method) ⇒ Construct a secure curve. Compute the modular polynomials ⇒ Compute isogenies. Determine End ( A ) ⇒ CRT method for class fjeld polynomials.

Isogenies Theory Implementation Examples and Applications Explicit isogeny computation Given an isotropic subgroup K ⊂ A ( k ) compute the isogeny A ↦ A / K . (Vélu’s formula.) Given an abelian variety compute all the isogeneous varieties. (Modular polynomials.) Given two isogeneous abelian variety A and B fjnd the isogeny A ↦ B . (‘‘Inverse Vélu’s formula’’ ⇒ SEA algorithm).

Isogenies Theory Implementation Examples and Applications Explicit isogeny computation Given an isotropic subgroup K ⊂ A ( k ) compute the isogeny A ↦ A / K . (Vélu’s formula.) Given an abelian variety compute all the isogeneous varieties. (Modular polynomials.) Given two isogeneous abelian variety A and B fjnd the isogeny A ↦ B . (‘‘Inverse Vélu’s formula’’ ⇒ SEA algorithm).

Isogenies Theory Implementation Examples and Applications Explicit isogeny computation Given an isotropic subgroup K ⊂ A ( k ) compute the isogeny A ↦ A / K . (Vélu’s formula.) Given an abelian variety compute all the isogeneous varieties. (Modular polynomials.) Given two isogeneous abelian variety A and B fjnd the isogeny A ↦ B . (‘‘Inverse Vélu’s formula’’ ⇒ SEA algorithm).

Isogenies Theory Implementation Examples and Applications Explicit isogeny computation Given an isotropic subgroup K ⊂ A ( k ) compute the isogeny A ↦ A / K . (Vélu’s formula.) Given an abelian variety compute all the isogeneous varieties. (Modular polynomials.) Given two isogeneous abelian variety A and B fjnd the isogeny A ↦ B . (‘‘Inverse Vélu’s formula’’ ⇒ SEA algorithm).

Isogenies Theory Implementation Examples and Applications Vélu’s formula Tieorem Let E ∶ y 2 ≙ f ( x ) be an elliptic curve and G ⊂ E ( k ) a fjnite subgroup. Tien E / G is given by Y 2 ≙  ( X ) where X ( P ) ≙ x ( P ) + ( x ( P + Q ) − x ( Q )) ∑ Q ∈ G ∖{ 0 E } Y ( P ) ≙ y ( P ) + ( y ( P + Q ) − y ( Q )) . ∑ Q ∈ G ∖{ 0 E } Uses the fact that x and y are characterised in k ( E ) by v 0 E ( x ) ≙ − 2 v P ( x ) ⩾ 0 if P ≠ 0 E v 0 E ( y ) ≙ − 3 v P ( y ) ⩾ 0 if P ≠ 0 E y 2 / x 3 ( 0 E ) ≙ 1 No such characterisation in genus  ⩾ 2 for Mumford coordinates.

Isogenies Theory Implementation Examples and Applications Tie modular polynomial Defjnition Modular polynomial ϕ n ( x , y ) ∈ Z ∥ x , y ∥ : ϕ n ( x , y ) ≙ 0 ⇔ x ≙ j ( E ) and y ≙ j ( E ′ ) with E and E ′ n -isogeneous. If E ∶ y 2 ≙ x 3 + ax + b is an elliptic curve, the j -invariant is 4 a 3 j ( E ) ≙ 1728 4 a 3 + 27 b 2 Roots of ϕ n ( j ( E ) , . ) ⇔ elliptic curves n -isogeneous to E . In genus 2, modular polynomials use Igusa invariants. Tie height explodes. ⇒ Genus 2 : ( 2, 2 ) -isogenies [Richelot]. Genus 3 : ( 2, 2, 2 ) -isogenies [Smi09]. ⇒ Moduli space given by invariants with more structure. ⇒ Fix the form of the isogeny and look for compatible coordinates.

Isogenies Theory Implementation Examples and Applications Tie modular polynomial Defjnition Modular polynomial ϕ n ( x , y ) ∈ Z ∥ x , y ∥ : ϕ n ( x , y ) ≙ 0 ⇔ x ≙ j ( E ) and y ≙ j ( E ′ ) with E and E ′ n -isogeneous. If E ∶ y 2 ≙ x 3 + ax + b is an elliptic curve, the j -invariant is 4 a 3 j ( E ) ≙ 1728 4 a 3 + 27 b 2 Roots of ϕ n ( j ( E ) , . ) ⇔ elliptic curves n -isogeneous to E . In genus 2, modular polynomials use Igusa invariants. Tie height explodes. ⇒ Genus 2 : ( 2, 2 ) -isogenies [Richelot]. Genus 3 : ( 2, 2, 2 ) -isogenies [Smi09]. ⇒ Moduli space given by invariants with more structure. ⇒ Fix the form of the isogeny and look for compatible coordinates.

Isogenies Theory Implementation Examples and Applications Complex abelian varieties and theta functions of level n ( ϑ i ) i ∈ Z ( n ) : basis of the theta functions of level n . ( Z ( n ) : ≙ Z  / n Z  ) ⇔ A ∥ n ∥ ≙ A 1 ∥ n ∥ ⊕ A 2 ∥ n ∥ : symplectic decomposition. n ⩾ 3 ( ϑ i ) i ∈ Z ( n ) ≙ { coordinates system coordinates on the Kummer variety A / ± 1 n ≙ 2 Tieta null point: ϑ i ( 0 ) i ∈ Z ( n ) ≙ modular invariant. Example ( k ≙ C ) Abelian variety over C : A ≙ C  /( Z  + Ω Z  ) ; Ω ∈ H  ( C ) the Siegel upper half space (Ω symmetric, Im Ω positive defjnite). ϑ i : ≙ Θ [ 0 i / n ]( z , Ω / n ) .

Isogenies Theory Implementation Examples and Applications Tie difgerential addition law (k ≙ C ) ( ∑ χ ( t ) ϑ i + t ( x + y ) ϑ j + t ( x − y )) . ( ∑ χ ( t ) ϑ k + t ( 0 ) ϑ l + t ( 0 )) ≙ t ∈ Z ( 2 ) t ∈ Z ( 2 ) ( ∑ χ ( t ) ϑ − i ′ + t ( y ) ϑ j ′ + t ( y )) . ( ∑ χ ( t ) ϑ k ′ + t ( x ) ϑ l ′ + t ( x )) . t ∈ Z ( 2 ) t ∈ Z ( 2 ) χ ∈ ˆ Z ( 2 ) , i , j , k , l ∈ Z ( n ) where ( i ′ , j ′ , k ′ , l ′ ) ≙ A ( i , j , k , l ) 1 1 1 1 ⎛ ⎞ − 1 − 1 A ≙ 1 ⎜ ⎟ 1 1 ⎜ ⎟ ⎜ ⎟ − 1 − 1 1 1 2 ⎝ ⎠ − 1 − 1 1 1

Isogenies Theory Implementation Examples and Applications Tie isogeny theorem Tieorem Let ℓ ∧ n ≙ 1 , and ϕ ∶ Z ( n ) → Z ( ℓn ) , x ↦ ℓ . x be the canonical embedding. Let K 0 ≙ A ∥ ℓ ∥ 2 ⊂ A ∥ ℓn ∥ 2 . Let ( ϑ A i ) i ∈ Z ( ℓn ) be the theta functions of level ℓn on A ≙ C  /( Z  + Ω Z  ) . Let ( ϑ B i ) i ∈ Z ( n ) be the theta functions of level n of B ≙ A / K 0 ≙ C  /( Z  + Ω ℓ Z  ) . We have: ( ϑ B i ( x )) i ∈ Z ( n ) ≙ ( ϑ A ϕ ( i ) ( x )) i ∈ Z ( n ) Example π ∶ ( x 0 , x 1 , x 2 , x 3 , x 4 , x 5 , x 6 , x 7 , x 8 , x 9 , x 10 , x 11 ) ↦ ( x 0 , x 3 , x 6 , x 9 ) is a 3-isogeny between elliptic curves.

Isogenies Theory Implementation Examples and Applications Tie modular space of theta null points of level n ( car k ∤ n) Defjnition Tie modular space M n of theta null points is: a u + t a v + t ≙ ∑ ∑ a x + t a y + t ∑ a x ′ + t a y ′ + t ∑ a u ′ + t a v ′ + t , t ∈ Z ( 2 ) t ∈ Z ( 2 ) t ∈ Z ( 2 ) t ∈ Z ( 2 ) with the relations of symmetry a x ≙ a − x . Abelian varieties with a n -structure = open locus of M n .

Isogenies Theory Implementation Examples and Applications Isogenies and modular correspondence [ FLR 09] A k , A k ∥ ℓn ∥ ≙ A k ∥ ℓn ∥ 1 ⊕ A k ∥ ℓn ∥ 2 ( a i ) i ∈ Z ( ℓn ) ∈ M ℓn ( k ) determines ̂ π π ϕ 1 B k , B k ∥ n ∥ ≙ B k ∥ n ∥ 1 ⊕ B k ∥ n ∥ 2 ( b i ) i ∈ Z ( n ) ∈ M n ( k ) Every isogeny (with isotropic kernel K ) comes from a modular solution. We can detect degenerate solutions.

Isogenies Theory Implementation Examples and Applications Isogenies and modular correspondence [ FLR 09] A k , A k ∥ ℓn ∥ ≙ A k ∥ ℓn ∥ 1 ⊕ A k ∥ ℓn ∥ 2 ( a i ) i ∈ Z ( ℓn ) ∈ M ℓn ( k ) determines ̂ π π ϕ 1 B k , B k ∥ n ∥ ≙ B k ∥ n ∥ 1 ⊕ B k ∥ n ∥ 2 ( b i ) i ∈ Z ( n ) ∈ M n ( k ) Every isogeny (with isotropic kernel K ) comes from a modular solution. We can detect degenerate solutions.

Isogenies Theory Implementation Examples and Applications Isogenies and modular correspondence [ FLR 09] A k , A k ∥ ℓn ∥ ≙ A k ∥ ℓn ∥ 1 ⊕ A k ∥ ℓn ∥ 2 ( a i ) i ∈ Z ( ℓn ) ∈ M ℓn ( k ) determines ̂ π π ϕ 1 B k , B k ∥ n ∥ ≙ B k ∥ n ∥ 1 ⊕ B k ∥ n ∥ 2 ( b i ) i ∈ Z ( n ) ∈ M n ( k ) Every isogeny (with isotropic kernel K ) comes from a modular solution. We can detect degenerate solutions.

Isogenies Theory Implementation Examples and Applications Tie contragredient isogeny [ LR 10a] ∥ ℓ ∥ x ∈ A z ∈ A Let π ∶ A → B be the isogeny associated to ( a i ) i ∈ Z ( ℓn ) . Let y ∈ B and x ∈ A be one of the ℓ  antecedents. Tien ̂ π π ̂ π ( y ) ≙ ℓ . x y ∈ B