isogenies polarisations and real multiplication
play

Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM - PowerPoint PPT Presentation

Nov 15, 2023 •99 likes •896 views

Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM Providence Gatan Bisson, Romain Cosset, Alina Dudeanu, Sorina Ionica, Dimitar Jetchev, David Lubicz, Chloe Martindale, Enea Milio, Damien Robert , Marco Streng Isogenies

  1. Isogenies, Polarisations and Real Multiplication 2015/09/29 — ICERM — Providence Gaëtan Bisson, Romain Cosset, Alina Dudeanu, Sorina Ionica, Dimitar Jetchev, David Lubicz, Chloe Martindale, Enea Milio, Damien Robert , Marco Streng

  2. Isogenies on elliptic curves Abelian varieties and polarisations Maximal isotropic isogenies Cyclic isogenies Isogeny graphs in dimension 2 Outline 1 Isogenies on elliptic curves 2 Abelian varieties and polarisations 3 Maximal isotropic isogenies 4 Cyclic isogenies and Real Multiplication 5 Isogeny graphs in dimension 2

  3. Isogenies on elliptic curves 1 w 2 1 Abelian varieties and polarisations 1 elliptic curve 2 k . Complex elliptic curve Isogeny graphs in dimension 2 Cyclic isogenies Maximal isotropic isogenies Over � : an elliptic curve is a torus E = � / Λ , where Λ is a lattice Λ = � + τ � ( τ ∊ H 1 ). � � � Let ℘ ( z , Λ ) = ( z − w ) 2 − be the Weierstrass ℘ -function and w ∊ Λ \{ 0 E } � E 2 k ( Λ ) = λ k w ∊ Λ \{ 0 E } w 2 k be the (normalised) Eisenstein series of weight Then � / Λ → E , z �→ ( ℘ ( z , Λ ) , ℘ ′ ( z , Λ )) is an analytic isomorphism to the y 2 = 4 x 3 − 60 E 4 ( Λ ) − 140 E 6 ( Λ ) .

  4. Isogenies on elliptic curves Abelian varieties and polarisations Isogenies are surjective (on the geometric points). In particular, if E is Remark or the composition of a translation with an isogeny. trivial (i.e. constant) An algebraic map between two elliptic curves is either Corollary Theorem Definition Isogenies between elliptic curves Isogeny graphs in dimension 2 Cyclic isogenies Maximal isotropic isogenies ordinary, any curve isogenous to E is also ordinary. An isogeny is a (non trivial) algebraic map f : E 1 → E 2 between two elliptic curves such that f ( P + Q ) = f ( P )+ f ( Q ) for all geometric points P , Q ∊ E 1 . An algebraic map f : E 1 → E 2 is an isogeny if and only if f ( 0 E 1 ) = f ( 0 E 2 )

  5. Isogenies on elliptic curves Abelian varieties and polarisations Maximal isotropic isogenies Cyclic isogenies Isogeny graphs in dimension 2 Algorithmic aspect of isogenies Given a kernel K ⊂ E ( k ) compute the isogenous elliptic curve E / K ); Given a kernel K ⊂ E ( k ) and P ∊ E ( k ) compute the image of P under the isogeny E → E / K ; Given a kernel K ⊂ E ( k ) compute the map E → E / K ; Given an elliptic curve E / k compute all isogenous (of a certain degree d ) elliptic curves E ′ ; ); Given two elliptic curves E 1 and E 2 check if they are d -isogenous and if so compute the kernel K ⊂ E 1 ( k ) .

  6. Isogenies on elliptic curves formulae [Vél71]); equation [Elk92; Bos+08]). Vélu’s formulae [Koh96]); Abelian varieties and polarisations computation over elliptic curves. Algorithmic aspect of isogenies Isogeny graphs in dimension 2 Cyclic isogenies Maximal isotropic isogenies Given a kernel K ⊂ E ( k ) compute the isogenous elliptic curve E / K (Vélu’s Given a kernel K ⊂ E ( k ) and P ∊ E ( k ) compute the image of P under the isogeny E → E / K (Vélu’s formulae [Vél71]); Given a kernel K ⊂ E ( k ) compute the map E → E / K (formal version of Given an elliptic curve E / k compute all isogenous (of a certain degree d ) elliptic curves E ′ ; (Modular polynomial [Eng09; BLS12]); Given two elliptic curves E 1 and E 2 check if they are d -isogenous and if so compute the kernel K ⊂ E 1 ( k ) (Elkie’s method via a differential ⇒ We have quasi-linear algorithms for all these aspects of isogeny

  7. Isogenies on elliptic curves Abelian varieties and polarisations Maximal isotropic isogenies Cyclic isogenies Isogeny graphs in dimension 2 Destructive cryptographic applications class (and an efficient way to compute an isogeny to it). Example extend attacks using Weil descent [GHS02] Transfert the DLP from the Jacobian of an hyperelliptic curve of genus 3 to the Jacobian of a quartic curve [Smi09]. An isogeny f : E 1 → E 2 transports the DLP problem from E 1 to E 2 . This can be used to attack the DLP on E 1 if there is a weak curve on its isogeny

  8. Isogenies on elliptic curves Abelian varieties and polarisations Maximal isotropic isogenies Cyclic isogenies Isogeny graphs in dimension 2 Constructive cryptographic applications But by computing isogenies, one can work over a cyclic subgroup of Example The SEA point counting algorithm [Sch95; Mor95; Elk97]; The CRT algorithms to compute class polynomials [Sut11; ES10]; The CRT algorithms to compute modular polynomials [BLS12]. One can recover informations on the elliptic curve E modulo ℓ by working over the ℓ -torsion. cardinal ℓ instead. Since thus a subgroup is of degree ℓ , whereas the full ℓ -torsion is of degree ℓ 2 , we can work faster over it.

  9. Isogenies on elliptic curves Abelian varieties and polarisations Construct a normal basis of a finite field [CL09]; Take isogenies to reduce the impact of side channel attacks [Sma03]; isogeny graph [RS06]; isogeny (the trapdoor) [Tes06], or by encoding informations in the Construct public key cryptosystems by hiding vulnerable curves by an construct secure hash functions [CLG09]; The isogeny graph of a supersingular elliptic curve can be used to [DIK06; Gau07]; Splitting the multiplication using isogenies can improve the arithmetic Further applications of isogenies Isogeny graphs in dimension 2 Cyclic isogenies Maximal isotropic isogenies invariant by automorphisms [CL08]. Improve the discrete logarithm in � ∗ q by finding a smoothness basis

  10. Isogenies on elliptic curves This shows that f is of the form Maximal isotropic isogenies Cyclic isogenies Isogeny graphs in dimension 2 Computing explicit isogenies (using the equation of the curve E 1 ). Abelian varieties and polarisations it prime to g ). k . If E 1 and E 2 are two elliptic curves given by Weierstrass equations, a morphism of curve f : E 1 → E 2 is of the form f ( x , y ) = ( R 1 ( x , y ) , R 2 ( x , y )) where R 1 and R 2 are rational functions, whose degree in y is less than 2 If f is an isogeny, f ( − P ) = − f ( P ) . If char k > 3, we can assume that E 1 and E 2 are given by reduced Weierstrass forms, this mean that R 1 depends only on x , and R 2 is y time a rational function depending only on x . Let w E = dx / 2 y be the canonical differential. Then f ∗ w E ′ = cw E , with c in � g ( x ) � g ( x ) � ′ � f ( x , y ) = h ( x ) , cy h ( x ) . h ( x ) gives (the x coordinates of the points in) the kernel of f (if we take If c = 1, we say that f is normalized.

  11. Isogenies on elliptic curves Vélu’s formula Moreover by looking at the expression of X and Y in the formal group of Abelian varieties and polarisations The choices are made so that the formulas give a normalized isogeny. Isogeny graphs in dimension 2 Cyclic isogenies Maximal isotropic isogenies Let E / k be an elliptic curve. Let G = 〈 P 〉 be a rational finite subgroup of E . Vélu constructs the isogeny E → E / G as � X ( P ) = x ( P )+ ( x ( P + Q ) − x ( Q )) Q ∊ G \{ 0 E } � ( y ( P + Q ) − y ( Q )) . Y ( P ) = y ( P )+ Q ∊ G \{ 0 E } E , Vélu recovers the equations for E / G . For instance if E : y 2 = x 3 + ax + b = f E ( x ) then E / G is y 2 = x 3 +( a − 5 t ) x + b − 7 w � � � f ′ x ( Q ) f ′ where t = E ( Q ) , u = 2 f E ( Q ) and w = E ( Q ) . Q ∊ G \{ 0 E } Q ∊ G \{ 0 E } Q ∊ G \{ 0 E }

  12. Isogenies on elliptic curves express everything in term of h . root. of the points in the kernel). , with Abelian varieties and polarisations we have [Koh96] in k . Thus summing over the points in the kernel G can be expensive. Isogeny graphs in dimension 2 Even if G is rational, the points in G may live to an extension of degree Maximal isotropic isogenies Cyclic isogenies Complexity of Vélu’s formula up to # G − 1. � Let h ( x ) = Q ∊ G \{ 0 E } ( x − x ( Q )) . The symmetry of X and Y allows us to For instance is E is given by a reduced Weierstrass equation y 2 = f E ( x ) , � g ( x ) � g ( x ) � ′ � f ( x , y ) = h ( x ) , y h ( x ) � h ′ ( x ) � ′ E ( x ) h ′ ( x ) g ( x ) h ( x ) = # G . x − σ − f ′ h ( x ) − 2 f E ( x ) h ( x ) , where σ is the first power sum of h (i.e. the sum of the x -coordinates When # G is odd, h ( x ) is a square, so we can replace it by its square The complexity of computing the isogeny is then O ( M (# G )) operations

  13. Isogenies on elliptic curves Abelian varieties and polarisations Maximal isotropic isogenies Cyclic isogenies Isogeny graphs in dimension 2 Modular polynomials Definition (Modular polynomial) Here k = k . The modular polynomial ϕ ℓ ( x , y ) ∊ � [ x , y ] is a bivariate polynomial such that ϕ ℓ ( x , y ) = 0 ⇔ x = j ( E 1 ) and y = j ( E 2 ) with E 1 and E 2 ℓ -isogeneous. Roots of ϕ ℓ ( j ( E 1 ) ,. ) ⇔ elliptic curves ℓ -isogeneous to E 1 . There are ℓ + 1 = # � 1 ( � ℓ ) such roots if ℓ is prime. ϕ ℓ is symmetric. The height of ϕ ℓ grows as O ( ℓ ) .

Recommend

Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM Providence Gatan

Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM Providence Gatan

Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM Providence Gatan Bisson, Romain Cosset, Alina Dudeanu, Sorina Ionica, Dimitar Jetchev, David Lubicz, Chloe Martindale, Enea Milio, Damien Robert , Marco Streng Isogenies

952 views • 67 slides
Isogenies, Polarisations and Real Multiplication 2015/10/06 Journes C2 La

Isogenies, Polarisations and Real Multiplication 2015/10/06 Journes C2 La

Isogenies, Polarisations and Real Multiplication 2015/10/06 Journes C2 La Londe-Les-Maures Gatan Bisson, Romain Cosset, Alina Dudeanu, Sorina Ionica, Dimitar Jetchev, David Lubicz, Chloe Martindale, Enea Milio, Damien Robert , Marco

867 views • 49 slides
Rational isogenies Computing rational isogenies from the equations of the kernel David Lubicz,

Rational isogenies Computing rational isogenies from the equations of the kernel David Lubicz,

Rational isogenies Computing rational isogenies from the equations of the kernel David Lubicz, Damien Robert Damien Robert Rational isogenies 2 1 Theta functions Complex abelian varieties Quasi-periodicity: Damien Robert Rational

734 views • 23 slides
Point Counting for Genus 2 Curves Division polys with Real Multiplication Kernels Schoof

Point Counting for Genus 2 Curves Division polys with Real Multiplication Kernels Schoof

Genus 2, faster Gaudry, Kohel, Smith Genus 1 and 2 Point counting Point Counting for Genus 2 Curves Division polys with Real Multiplication Kernels Schoof complexity BSGS Pierrick Gaudry, David Kohel, Benjamin Smith Real multiplication

550 views • 20 slides
Computing supersingular isogenies on Kummer surfaces Craig Costello ASIACRYPT December 6, 2018

Computing supersingular isogenies on Kummer surfaces Craig Costello ASIACRYPT December 6, 2018

Computing supersingular isogenies on Kummer surfaces Craig Costello ASIACRYPT December 6, 2018 Brisbane, Australia ECC vs. post-quantum ECC W. Castryck (GIF): https://www.esat.kuleuven.be/cosic/?p=7404 Alice 2 " -isogenies, Bob 3 $

766 views • 19 slides
lecture 7 Integer multiplication (grade school) How to do (unsigned) integer multiplication in

lecture 7 Integer multiplication (grade school) How to do (unsigned) integer multiplication in

lecture 7 Integer multiplication (grade school) How to do (unsigned) integer multiplication in binary ? Sequential circuits 3 multiplicand - integer multiplication and division multiplier - floating point arithmetic product - finite

183 views • 3 slides
Lecture 5 Multiplication and Division 1 Multiplication More complicated than addition A

Lecture 5 Multiplication and Division 1 Multiplication More complicated than addition A

ECE 0142 Computer Organization Lecture 5 Multiplication and Division 1 Multiplication More complicated than addition A straightforward implementation will involve shifts and adds More complex operation can lead to More area (on

408 views • 20 slides
Maths Multiplication and Division Maths | Year 2 | Multiplication and Division | Solve

Maths Multiplication and Division Maths | Year 2 | Multiplication and Division | Solve

Maths Multiplication and Division Maths | Year 2 | Multiplication and Division | Solve Multiplication and Division Problems | Lesson 1 of 2: Leftovers Aim I can find a leftover when dividing. Success Criteria I can make a prediction about

592 views • 20 slides
MULTIPLICATION TABLES CHECK (MTC) WHAT WE KNOW The Multiplication Tables Check (MTC) was

MULTIPLICATION TABLES CHECK (MTC) WHAT WE KNOW The Multiplication Tables Check (MTC) was

MULTIPLICATION TABLES CHECK (MTC) WHAT WE KNOW The Multiplication Tables Check (MTC) was officially announced by the Department for Education (DfE) in September 2017. It will be administered for children in Year 4, starting in the

526 views • 7 slides
Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft

Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft

Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft Research 15 / 09 / 2011 (Nancy) 2 / 66 Outline 1 Isogenies on elliptic curves 2 Endomorphisms 3 Supersingular elliptic curves 4 Abelian varieties

1.84k views • 79 slides
Matrix Multiplication Matrix multiplication is an operation with properties quite different from

Matrix Multiplication Matrix multiplication is an operation with properties quite different from

Matrix Multiplication Matrix multiplication is an operation with properties quite different from its scalar counterpart. To begin with, order matters in matrix multiplication. That is, the matrix product AB need not be the same as the matrix

695 views • 58 slides
Point counting for genus 2 curves SchoofPila with real multiplication Division polys Kernels

Point counting for genus 2 curves SchoofPila with real multiplication Division polys Kernels

Genus 2, faster Gaudry, Kohel, Smith Genus 1 and 2 Point counting Point counting for genus 2 curves SchoofPila with real multiplication Division polys Kernels Schoof complexity Pierrick Gaudry, David Kohel, Benjamin Smith BSGS Real

407 views • 18 slides
Efficient multiplication 2 Matrix multiplication If you have square matrices A and B, then C =

Efficient multiplication 2 Matrix multiplication If you have square matrices A and B, then C =

1 Efficient multiplication 2 Matrix multiplication If you have square matrices A and B, then C = A*B is defined as: Takes O(n 3 ) time 3 Matrix multiplication Can we do better? What is the theoretical lowest running time possible? 4

622 views • 18 slides
Isogeny graphs with real multiplication Sorina Ionica Ecole Normale Suprieure de Paris joint

Isogeny graphs with real multiplication Sorina Ionica Ecole Normale Suprieure de Paris joint

Isogeny graphs with real multiplication Sorina Ionica Ecole Normale Suprieure de Paris joint work with Emmanuel Thom Sorina Ionica 1 / 24 Isogeny graphs Kohel 1996: Graph with vertices elliptic curves defined over F q and edges all

302 views • 27 slides
CS 401 Integer Multiplication / Matrix Multiplication Xiaorui Sun 1 Integer Multiplication

CS 401 Integer Multiplication / Matrix Multiplication Xiaorui Sun 1 Integer Multiplication

CS 401 Integer Multiplication / Matrix Multiplication Xiaorui Sun 1 Integer Multiplication Integer Arithmetic 1 1 1 1 1 1 0 1 Add: Given two ! -bit integers 1 1 0 1 0 1 0 1 " and # , compute " + # . Add + 0 1 1 1

468 views • 19 slides
EE 457 Unit 2c Fast Multipliers 2 Multiplication Overview Multiplication approaches:

EE 457 Unit 2c Fast Multipliers 2 Multiplication Overview Multiplication approaches:

1 EE 457 Unit 2c Fast Multipliers 2 Multiplication Overview Multiplication approaches: Sequential: Shift-and-Add produces one product bit per clock cycle time (usually slow) Combinational: Array multiplier uses an array of adders

407 views • 15 slides
Explicit isogenies and implementation Luca De Feo Freelance researcher, courtesy of ANR CHIC

Explicit isogenies and implementation Luca De Feo Freelance researcher, courtesy of ANR CHIC

Explicit isogenies and implementation Luca De Feo Freelance researcher, courtesy of ANR CHIC & Universit e de Rennes 1 June 23, 2011 Geocrypt, Bastia, France Luca De Feo (ANR CHIC) Explicit isogenies and implementation GeoCrypt, June

590 views • 20 slides
Multiplication Overview Multiplication approaches: Sequential: Shift-and-Add produces one

Multiplication Overview Multiplication approaches: Sequential: Shift-and-Add produces one

2c.1 2c.2 Multiplication Overview Multiplication approaches: Sequential: Shift-and-Add produces one product bit per clock cycle time (usually slow) EE 457 Unit 2c Combinational: Array multiplier uses an array of adders Can be

257 views • 4 slides
Shared Memory with Cilk++ Matrix-matrix multiplication Matrix-vector multiplication

Shared Memory with Cilk++ Matrix-matrix multiplication Matrix-vector multiplication

CS 140 : Numerical Examples on Shared Memory with Cilk++ Matrix-matrix multiplication Matrix-vector multiplication Hyperobjects Thank nks to Charles E. L Leiserson on for some of t these slides 1 Work and Span (Recap) T P =

449 views • 29 slides
Pre- and post-quantum DiffieHellman from groups, actions, and isogenies Benjamin Smith

Pre- and post-quantum DiffieHellman from groups, actions, and isogenies Benjamin Smith

Pre- and post-quantum DiffieHellman from groups, actions, and isogenies Benjamin Smith CARAMBA Seminar // LORIA, Nancy // May 14, 2019 Inria + Laboratoire dInformatique de lcole polytechnique (LIX) 1 Key exchange Lets talk about

964 views • 52 slides
Quantum-resistant Cryptography based on Isogenies between Elliptic Curves A Brief Survey Jo ao

Quantum-resistant Cryptography based on Isogenies between Elliptic Curves A Brief Survey Jo ao

Quantum-resistant Cryptography based on Isogenies between Elliptic Curves A Brief Survey Jo ao Paulo da Silva , Ricardo Dahab, Julio L opez Institute of Computing University of Campinas Latin American Week on Coding and Information

558 views • 32 slides
Multiplication and Division Instructions Multiplication and Division Instructions MUL

Multiplication and Division Instructions Multiplication and Division Instructions MUL

Multiplication and Division Instructions Multiplication and Division Instructions MUL Instruction IMUL Instruction DIV Instruction Signed Integer Division Implementing Arithmetic Expressions 1 Irvine, Kip R. Assembly

746 views • 36 slides
Relate Multiplication to Addition Multiplication Table Activity Multiply by 3 Multiply by 4

Relate Multiplication to Addition Multiplication Table Activity Multiply by 3 Multiply by 4

Slide 1 / 234 Slide 2 / 234 3rd Grade Multiplication 2015-12-30 www.njctl.org Slide 3 / 234 Slide 4 / 234 Table of Contents Relate addition to multiplication click on the topic to go Arrays to that section Multiply by 1 and 0 Multiply

650 views • 61 slides
Relate Multiplication to Addition Multiplication Table Activity Multiply by 3 Multiply by 4

Relate Multiplication to Addition Multiplication Table Activity Multiply by 3 Multiply by 4

Slide 1 / 234 Slide 2 / 234 3rd Grade Multiplication 2015-12-30 www.njctl.org Slide 3 / 234 Slide 4 / 234 Table of Contents Relate addition to multiplication click on the topic to go Arrays to that section Multiply by 1 and 0 Multiply

612 views • 39 slides

More recommend