isogeny graphs in cryptography
play

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, - PowerPoint PPT Presentation

Aug 24, 2023 •242 likes •1.99k views

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ July 29 August 29, 2019 Cryptography meets Graph Theory Wrzburg, Franken, Germany Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29Aug 2,

  1. Homotheties Two lattices are homothetic if there exist ☛ ✷ ❈ such that a ☛ ✄ 1 ❂ ✄ 2 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 12 / 82

  2. Homotheties Two lattices are homothetic if there exist ☛ ✷ ❈ such that a ☛ ✄ 1 ❂ ✄ 2 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 12 / 82

  3. Homotheties Two lattices are homothetic if there exist ☛ ✷ ❈ such that a ☛ ✄ 1 ❂ ✄ 2 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 12 / 82

  4. Homotheties Two lattices are homothetic if there exist ☛ ✷ ❈ such that a ☛ ✄ 1 ❂ ✄ 2 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 12 / 82

  5. Homotheties Two lattices are homothetic if there exist ☛ ✷ ❈ such that a ☛ ✄ 1 ❂ ✄ 2 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 12 / 82

  6. Homotheties Two lattices are homothetic if there exist ☛ ✷ ❈ such that a ☛ ✄ 1 ❂ ✄ 2 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 12 / 82

  7. Homotheties Two lattices are homothetic if there exist ☛ ✷ ❈ such that a ☛ ✄ 1 ❂ ✄ 2 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 12 / 82

  8. Homotheties Two lattices are homothetic if there exist ☛ ✷ ❈ such that a ☛ ✄ 1 ❂ ✄ 2 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 12 / 82

  9. Homotheties Two lattices are homothetic if there exist ☛ ✷ ❈ such that a ☛ ✄ 1 ❂ ✄ 2 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 12 / 82

  10. Homotheties Two lattices are homothetic if there exist ☛ ✷ ❈ such that a ☛ ✄ 1 ❂ ✄ 2 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 12 / 82

  11. Homotheties Two lattices are homothetic if there exist ☛ ✷ ❈ a such that ☛ ✄ 1 ❂ ✄ 2 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 12 / 82

  12. Homotheties Two lattices are homothetic if there exist ☛ ✷ ❈ a such that ☛ ✄ 1 ❂ ✄ 2 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 12 / 82

  13. Homotheties Two lattices are homothetic if there exist ☛ ✷ ❈ a such that ☛ ✄ 1 ❂ ✄ 2 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 12 / 82

  14. Homotheties Two lattices are homothetic if there exist ☛ ✷ ❈ a such that ☛ ✄ 1 ❂ ✄ 2 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 12 / 82

  15. Homotheties Two lattices are homothetic if there exist ☛ ✷ ❈ a such that ☛ ✄ 1 ❂ ✄ 2 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 12 / 82

  16. Homotheties Two lattices are homothetic if there exist ☛ ✷ ❈ a such that ☛ ✄ 1 ❂ ✄ 2 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 12 / 82

  17. Homotheties Two lattices are homothetic if a there exist ☛ ✷ ❈ such that ☛ ✄ 1 ❂ ✄ 2 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 12 / 82

  18. Homotheties Two lattices are homothetic if a there exist ☛ ✷ ❈ such that ☛ ✄ 1 ❂ ✄ 2 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 12 / 82

  19. The j -invariant We want to classify complex lattices/tori up to homothety. Eisenstein series Let ✄ be a complex lattice. For any integer k ❃ 0 define ❳ ✦ � 2 k ✿ G 2 k ✭✄✮ ❂ ✦ ✷ ✄ ♥❢ 0 ❣ Also set g 2 ✭✄✮ ❂ 60 G 4 ✭✄✮ ❀ g 3 ✭✄✮ ❂ 140 G 6 ✭✄✮ ✿ Modular j -invariant Let ✄ be a complex lattice, the modular j -invariant is g 2 ✭✄✮ 3 j ✭✄✮ ❂ 1728 g 2 ✭✄✮ 3 � 27 g 3 ✭✄✮ 2 ✿ Two lattices ✄ ❀ ✄ ✵ are homothetic if and only if j ✭✄✮ ❂ j ✭✄ ✵ ✮ . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 13 / 82

  20. Elliptic curves over ❈ Weierstrass ⑥ function Let ✄ be a complex lattice, the Weierstrass ⑥ function associated to ✄ is the series ⑥ ✭ z ❀ ✄✮ ❂ 1 ✒ ✭ z � ✦ ✮ 2 � 1 1 ✓ ❳ z 2 ✰ ✿ ✦ 2 ✦ ✷ ✄ ♥❢ 0 ❣ Fix a lattice ✄ , then ⑥ and its derivative ⑥ ✵ are elliptic functions: ⑥ ✵ ✭ z ✰ ✦ ✮ ❂ ⑥ ✵ ✭ z ✮ ⑥ ✭ z ✰ ✦ ✮ ❂ ⑥ ✭ z ✮ ❀ for all ✦ ✷ ✄ . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 14 / 82

  21. Uniformization theorem Let ✄ be a complex lattice. The curve E ✿ y 2 ❂ 4 x 3 � g 2 ✭✄✮ x � g 3 ✭✄✮ is an elliptic curve over ❈ . The map ❈ ❂ ✄ ✦ E ✭ ❈ ✮ ❀ 0 ✼✦ ✭ 0 ✿ 1 ✿ 0 ✮ ❀ z ✼✦ ✭ ⑥ ✭ z ✮ ✿ ⑥ ✵ ✭ z ✮ ✿ 1 ✮ is an isomorphism of Riemann surfaces and a group morphism. Conversely, for any elliptic curve E ✿ y 2 ❂ x 3 ✰ ax ✰ b there is a unique complex lattice ✄ such that g 2 ✭✄✮ ❂ � 4 a ❀ g 3 ✭✄✮ ❂ � 4 b ✿ Moreover j ✭✄✮ ❂ j ✭ E ✮ . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 15 / 82

  22. ❬ ❪ ❬ ❪ Multiplication a Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 16 / 82

  23. ❬ ❪ Multiplication ❬ 3 ❪ a a Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 16 / 82

  24. ❬ ❪ Multiplication ❬ 3 ❪ a a Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 16 / 82

  25. Torsion subgroups The ❵ -torsion subgroup is made up by the points ✒ i ✦ 1 ❵ ❀ j ✦ 2 ✓ ❵ It is a group of rank two E ❬ ❵ ❪ ❂ ❤ a ❀ b ✐ b ✬ ✭ ❩ ❂❵ ❩ ✮ 2 a Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 17 / 82

  26. Isogenies Let a ✷ ❈ ❂ ✄ 1 be an ❵ -torsion point, and let ✄ 2 ❂ a ❩ ✟ ✄ 1 Then ✄ 1 ✚ ✄ 2 and we define a degree p ❵ cover ✣ ✿ ❈ ❂ ✄ 1 ✦ ❈ ❂ ✄ 2 ✣ is a morphism of complex Lie a groups and is called an isogeny. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 18 / 82

  27. Isogenies Let a ✷ ❈ ❂ ✄ 1 be an ❵ -torsion point, and let ✄ 2 ❂ a ❩ ✟ ✄ 1 Then ✄ 1 ✚ ✄ 2 and we define a degree p ❵ cover ✣ ✿ ❈ ❂ ✄ 1 ✦ ❈ ❂ ✄ 2 ✣ is a morphism of complex Lie a groups and is called an isogeny. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 18 / 82

  28. Isogenies Let a ✷ ❈ ❂ ✄ 1 be an ❵ -torsion point, and let ✄ 2 ❂ a ❩ ✟ ✄ 1 Then ✄ 1 ✚ ✄ 2 and we define a degree ❵ cover p ✣ ✿ ❈ ❂ ✄ 1 ✦ ❈ ❂ ✄ 2 ✣ is a morphism of complex Lie a groups and is called an isogeny. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 18 / 82

  29. Isogenies Taking a point b not in the kernel of ✣ , we obtain a new degree ❵ cover ❫ ✣ ✿ ❈ ❂ ✄ 2 ✦ ❈ ❂ ✄ 3 The composition ❫ ✣ ✍ ✣ has degree ❵ 2 p and is homothetic to the b multiplication by ❵ map. ❫ ✣ is called the dual isogeny of ✣ . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 18 / 82

  30. Isogenies Taking a point b not in the kernel of ✣ , we obtain a new degree ❵ cover ❫ ✣ ✿ ❈ ❂ ✄ 2 ✦ ❈ ❂ ✄ 3 The composition ❫ ✣ ✍ ✣ has degree ❵ 2 p and is homothetic to the b multiplication by ❵ map. ❫ ✣ is called the dual isogeny of ✣ . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 18 / 82

  31. Isogenies Taking a point b not in the kernel of ✣ , we obtain a new degree ❵ cover ❫ ✣ ✿ ❈ ❂ ✄ 2 ✦ ❈ ❂ ✄ 3 The composition ❫ ✣ ✍ ✣ has degree ❵ 2 and is homothetic to the b multiplication by ❵ p map. ❫ ✣ is called the dual isogeny of ✣ . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 18 / 82

  32. Isogenies: back to algebra Let ✣ ✿ E ✦ E ✵ be an isogeny defined over a field k of characteristic p . k ✭ E ✮ is the field of all rational functions from E to k ; ✣ ✄ k ✭ E ✵ ✮ is the subfield of k ✭ E ✮ defined as ✣ ✄ k ✭ E ✵ ✮ ❂ ❢ f ✍ ✣ ❥ f ✷ k ✭ E ✵ ✮ ❣ ✿ Degree, separability The degree of ✣ is ❞❡❣ ✣ ❂ ❬ k ✭ E ✮ ✿ ✣ ✄ k ✭ E ✵ ✮❪ . It is always finite. 1 ✣ is said to be separable, inseparable, or purely inseparable if the 2 extension of function fields is. If ✣ is separable, then ❞❡❣ ✣ ❂ ★ ❦❡r ✣ . 3 If ✣ is purely inseparable, then ❦❡r ✣ ❂ ❢❖❣ and ❞❡❣ ✣ is a power of p . 4 Any isogeny can be decomposed as a product of a separable and a 5 purely inseparable isogeny. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 19 / 82

  33. Isogenies: back to algebra Let ✣ ✿ E ✦ E ✵ be an isogeny defined over a field k of characteristic p . k ✭ E ✮ is the field of all rational functions from E to k ; ✣ ✄ k ✭ E ✵ ✮ is the subfield of k ✭ E ✮ defined as ✣ ✄ k ✭ E ✵ ✮ ❂ ❢ f ✍ ✣ ❥ f ✷ k ✭ E ✵ ✮ ❣ ✿ Degree, separability The degree of ✣ is ❞❡❣ ✣ ❂ ❬ k ✭ E ✮ ✿ ✣ ✄ k ✭ E ✵ ✮❪ . It is always finite. 1 ✣ is said to be separable, inseparable, or purely inseparable if the 2 extension of function fields is. If ✣ is separable, then ❞❡❣ ✣ ❂ ★ ❦❡r ✣ . 3 If ✣ is purely inseparable, then ❦❡r ✣ ❂ ❢❖❣ and ❞❡❣ ✣ is a power of p . 4 Any isogeny can be decomposed as a product of a separable and a 5 purely inseparable isogeny. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 19 / 82

  34. Isogenies: separable vs inseparable Purely inseparable isogenies Examples: The Frobenius endomorphism is purely inseparable of degree q . All purely inseparable maps in characteristic p are of the form ✭ X ✿ Y ✿ Z ✮ ✼✦ ✭ X p e ✿ Y p e ✿ Z p e ✮ . Separable isogenies Let E be an elliptic curve, and let G be a finite subgroup of E . There are a unique elliptic curve E ✵ and a unique separable isogeny ✣ , such that ❦❡r ✣ ❂ G and ✣ ✿ E ✦ E ✵ . The curve E ✵ is called the quotient of E by G and is denoted by E ❂ G . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 20 / 82

  35. The dual isogeny Let ✣ ✿ E ✦ E ✵ be an isogeny of degree m . There is a unique isogeny ✣ ✿ E ✵ ✦ E such that ❫ ❫ ✣ ✍ ❫ ✣ ✍ ✣ ❂ ❬ m ❪ E ❀ ✣ ❂ ❬ m ❪ E ✵ ✿ ❫ ✣ is called the dual isogeny of ✣ ; it has the following properties: ❫ ✣ is defined over k if and only if ✣ is; 1 ✥ for any isogeny ✥ ✿ E ✵ ✦ E ✵✵ ; ❬ ✥ ✍ ✣ ❂ ❫ ✣ ✍ ❫ 2 ✥ ✰ ✣ ❂ ❫ ❭ ✥ ✰ ❫ ✣ for any isogeny ✥ ✿ E ✦ E ✵ ; 3 ❞❡❣ ✣ ❂ ❞❡❣ ❫ ✣ ; 4 ❫ ❫ ✣ ❂ ✣ . 5 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 21 / 82

  36. Algebras, orders A quadratic imaginary number field is an extension of ◗ of the form ♣ Q ❬ � D ❪ for some non-square D ❃ 0 . A quaternion algebra is an algebra of the form ◗ ✰ ☛ ◗ ✰ ☞ ◗ ✰ ☛☞ ◗ , where the generators satisfy the relations ☛ 2 ❀ ☞ 2 ✷ ◗ ❀ ☛ 2 ❁ 0 ❀ ☞ 2 ❁ 0 ❀ ☞☛ ❂ � ☛☞✿ Orders Let K be a finitely generated ◗ -algebra. An order ❖ ✚ K is a subring of K that is a finitely generated ❩ -module of maximal dimension. An order that is not contained in any other order of K is called a maximal order. Examples: ❩ is the only order contained in ◗ , ❩ ❬ i ❪ is the only maximal order of ◗ ✭ i ✮ , ♣ ♣ ❩ ❬ 5 ❪ is a non-maximal order of ◗ ✭ 5 ✮ , The ring of integers of a number field is its only maximal order, In general, maximal orders in quaternion algebras are not unique. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 22 / 82

  37. The endomorphism ring The endomorphism ring ❊♥❞✭ E ✮ of an elliptic curve E is the ring of all isogenies E ✦ E (plus the null map) with addition and composition. Theorem (Deuring) Let E be an elliptic curve defined over a field k of characteristic p . ❊♥❞✭ E ✮ is isomorphic to one of the following: ❩ , only if p ❂ 0 E is ordinary. An order ❖ in a quadratic imaginary field: E is ordinary with complex multiplication by ❖ . Only if p ❃ 0 , a maximal order in a quaternion algebra a : E is supersingular. a (ramified at p and ✶ ) Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 23 / 82

  38. The finite field case Theorem (Hasse) Let E be defined over a finite field. Its Frobenius endomorphism ✙ satisfies a quadratic equation ✙ 2 � t ✙ ✰ q ❂ 0 in ❊♥❞✭ E ✮ for some ❥ t ❥ ✔ 2 ♣ q , called the trace of ✙ . The trace t is coprime to q if and only if E is ordinary. Suppose E is ordinary, then D ✙ ❂ t 2 � 4 q ❁ 0 is the discriminant of ❩ ❬ ✙ ❪ . K ❂ ◗ ✭ ✙ ✮ ❂ ◗ ✭ ♣ D ✙ ✮ is the endomorphism algebra of E . Denote by ❖ K its ring of integers, then ❩ ✻ ❂ ❩ ❬ ✙ ❪ ✚ ❊♥❞✭ E ✮ ✚ ❖ K ✿ In the supersingular case, ✙ may or may not be in ❩ , depending on q . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 24 / 82

  39. Endomorphism rings of ordinary curves Classifying quadratic orders Let K be a quadratic number field, and let ❖ K be its ring of integers. Any order ❖ ✚ K can be written as ❖ ❂ ❩ ✰ f ❖ K for an integer f , called the conductor of ❖ , denoted by ❬ ❖ k ✿ ❖ ❪ . If d K is the discriminant of K , the discriminant of ❖ is f 2 d K . If ❖ ❀ ❖ ✵ are two orders with discriminants d ❀ d ✵ , then ❖ ✚ ❖ ✵ iff d ✵ ❥ d . ❖ K ❩ ✰ 2 ❖ K ❩ ✰ 3 ❖ K ❩ ✰ 5 ❖ K ❩ ✰ 6 ❖ K ❩ ✰ 10 ❖ K ❩ ✰ 15 ❖ K ❩ ❬ ✙ ❪ ✬ ❩ ✰ 30 ❖ K Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 25 / 82

  40. Ideal lattices Fractional ideals Let ❖ be an order of a number field K . A (fractional) ❖ -ideal a is a finitely generated non-zero ❖ -submodule of K . When K is imaginary quadratic: Fractional ideals are complex lattices, Any lattice ✄ ✚ K is a fractional ideal, The order of a lattice ✄ is ❖ ✄ ❂ ❢ ☛ ✷ K ❥ ☛ ✄ ✚ ✄ ❣ Complex multiplication Let ✄ ✚ K , the elliptic curve associated to ❈ ❂ ✄ has complex multiplication by ❖ ✄ . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 26 / 82

  41. The class group ♣ Let ❊♥❞✭ E ✮ ❂ ❖ ✚ ◗ ✭ � D ✮ . Define ■ ✭ ❖ ✮ , the group of invertible fractional ideals, P ✭ ❖ ✮ , the group of principal ideals, The class group The class group of ❖ is ❈❧✭ ❖ ✮ ❂ ■ ✭ ❖ ✮ ❂ P ✭ O ✮ ✿ It is a finite abelian group. Its order h ✭ ❖ ✮ is called the class number of ❖ . ♣ It arises as the Galois group of an abelian extension of ◗ ✭ � D ✮ . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 27 / 82

  42. Complex multiplication Fundamental theorem of CM Let ❖ be an order of a number field K , and let a 1 ❀ ✿ ✿ ✿ ❀ a h ✭ ❖ ✮ be representatives of ❈❧✭ ❖ ✮ . Then: K ✭ j ✭ a i ✮✮ is an Abelian extension of K ; The j ✭ a i ✮ are all conjugate over K ; The Galois group of K ✭ j ✭ a i ✮✮ is isomorphic to ❈❧✭ ❖ ✮ ; ❬ ◗ ✭ j ✭ a i ✮✮ ✿ ◗ ❪ ❂ ❬ K ✭ j ✭ a i ✮✮ ✿ K ❪ ❂ h ✭ ❖ ✮ ; The j ✭ a i ✮ are integral, their minimal polynomial is called the Hilbert class polynomial of ❖ . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 28 / 82

  43. Lifing Deuring’s lifing theorem Let E 0 be an elliptic curve in characteristic p , with an endomorphism ✦ o which is not trivial. Then there exists an elliptic curve E defined over a number field L , an endomorphism ✦ of E , and a non-singular reduction of E at a place p of L lying above p , such that E 0 is isomorphic to E ✭ p ✮ , and ✦ 0 corresponds to ✦ ✭ p ✮ under the isomorphism. Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 29 / 82

  44. Executive summary Elliptic curves are algebraic groups; Isogenies are the natural notion of morphism for EC: both group and projective variety morphism; We can understand most things about isogenies by looking only at endomorphisms; Isogenies of curves over ❈ are especially simple to describe; It is easy to construct curves over ❈ with prescribed complex multiplication; Most of what happens in positive characteristic can be understood by: ■ looking at the Frobenius endomorphism, and/or ■ looking at reductions of curves in characteristic 0 . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 30 / 82

  45. Plan Elliptic curves, isogenies, complex multiplication 1 Isogeny graphs 2 Key exchange 3 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 31 / 82

  46. Isogeny graphs Serre-Tate theorem reloaded Two elliptic curves E ❀ E ✵ defined over a finite field are isogenous iff their endomorphism algebras ❊♥❞✭ E ✮ ✡ ◗ and ❊♥❞✭ E ✵ ✮ ✡ ◗ are isomorphic. Isogeny graphs Vertices are curves up to isomorphism, Edges are isogenies up to isomorphism. Isogeny volcanoes Curves are ordinary, Isogenies all have degree a prime ❵ . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 32 / 82

  47. What do isogeny graphs look like? Torsion subgroups ( ❵ prime) In an algebraically closed field: E ❬ ❵ ❪ ❂ ❤ P ❀ Q ✐ ✬ ✭ ❩ ❂❵ ❩ ✮ 2 ✰ There are exactly ❵ ✰ 1 cyclic subgroups H ✚ E of order ❵ : ❤ P ✰ Q ✐ ❀ ❤ P ✰ 2 Q ✐ ❀ ✿ ✿ ✿ ❀ ❤ P ✐ ❀ ❤ Q ✐ ✰ There are exactly ❵ ✰ 1 distinct (non-CM) 2 -isogeny graph over ❈ isogenies of degree ❵ . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 33 / 82

  48. ✥ ✦ ✙ ✿ ♠♦❞ ❵ ✙ ❥ ❬ ❵ ❪ ●▲✭ ❩ ❂❵ ❩ ✮ What happens over a finite field ❋ p ? Rational isogenies ( ❵ ✻ ❂ p ) In the algebraic closure ✖ ❋ p E ❬ ❵ ❪ ❂ ❤ P ❀ Q ✐ ✬ ✭ ❩ ❂❵ ❩ ✮ 2 However, an isogeny is defined over ❋ p only if its kernel is Galois invariant. The Frobenius action on E ❬ ❵ ❪ Enter the Frobenius map ✙ ✭ P ✮ ❂ aP ✰ bQ ✙ ✿ E � ✦ E ✦ ✭ x p ❀ y p ✮ ✭ x ❀ y ✮ ✼� ✙ ✭ Q ✮ ❂ cP ✰ dQ E is seen here as a curve over ✖ ❋ p . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 34 / 82

  49. ✙ ✭ ✮ ❂ ✥ ✦ ✙ ✿ ♠♦❞ ❵ ✙ ✭ ✮ ❂ ✙ ❥ ❬ ❵ ❪ ●▲✭ ❩ ❂❵ ❩ ✮ What happens over a finite field ❋ p ? Rational isogenies ( ❵ ✻ ❂ p ) In the algebraic closure ✖ ❋ p E ❬ ❵ ❪ ❂ ❤ P ❀ Q ✐ ✬ ✭ ❩ ❂❵ ❩ ✮ 2 However, an isogeny is defined over ❋ p only if its kernel is Galois invariant. The Frobenius action on E ❬ ❵ ❪ Enter the Frobenius map aP ✰ bQ ✙ ✿ E � ✦ E ✦ ✭ x p ❀ y p ✮ ✭ x ❀ y ✮ ✼� cP ✰ dQ E is seen here as a curve over ✖ ❋ p . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 34 / 82

  50. ✙ ✭ ✮ ❂ ✙ ✿ ♠♦❞ ❵ ✙ ✭ ✮ ❂ ✙ ❥ ❬ ❵ ❪ ●▲✭ ❩ ❂❵ ❩ ✮ What happens over a finite field ❋ p ? Rational isogenies ( ❵ ✻ ❂ p ) In the algebraic closure ✖ ❋ p E ❬ ❵ ❪ ❂ ❤ P ❀ Q ✐ ✬ ✭ ❩ ❂❵ ❩ ✮ 2 However, an isogeny is defined over ❋ p only if its kernel is Galois invariant. The Frobenius action on E ❬ ❵ ❪ Enter the Frobenius map aP ✰ bQ ✥ ✦ ✙ ✿ E � ✦ E ✦ ✭ x p ❀ y p ✮ ✭ x ❀ y ✮ ✼� cP ✰ dQ E is seen here as a curve over ✖ ❋ p . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 34 / 82

  51. ✙ ✭ ✮ ❂ ✰ ✙ ✿ ♠♦❞ ❵ ✙ ✭ ✮ ❂ ✰ ✙ ❥ ❬ ❵ ❪ ●▲✭ ❩ ❂❵ ❩ ✮ What happens over a finite field ❋ p ? Rational isogenies ( ❵ ✻ ❂ p ) In the algebraic closure ✖ ❋ p E ❬ ❵ ❪ ❂ ❤ P ❀ Q ✐ ✬ ✭ ❩ ❂❵ ❩ ✮ 2 However, an isogeny is defined over ❋ p only if its kernel is Galois invariant. The Frobenius action on E ❬ ❵ ❪ Enter the Frobenius map ✥ a b ✦ ✙ ✿ E � ✦ E ✦ ✭ x p ❀ y p ✮ ✭ x ❀ y ✮ ✼� c d E is seen here as a curve over ✖ ❋ p . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 34 / 82

  52. ✙ ✭ ✮ ❂ ✰ ✙ ✭ ✮ ❂ ✰ ✙ ❥ ❬ ❵ ❪ ●▲✭ ❩ ❂❵ ❩ ✮ What happens over a finite field ❋ p ? Rational isogenies ( ❵ ✻ ❂ p ) In the algebraic closure ✖ ❋ p E ❬ ❵ ❪ ❂ ❤ P ❀ Q ✐ ✬ ✭ ❩ ❂❵ ❩ ✮ 2 However, an isogeny is defined over ❋ p only if its kernel is Galois invariant. The Frobenius action on E ❬ ❵ ❪ Enter the Frobenius map ✥ a b ✦ ✙ ✿ E � ✦ E ✙ ✿ ♠♦❞ ❵ ✦ ✭ x p ❀ y p ✮ ✭ x ❀ y ✮ ✼� c d E is seen here as a curve over ✖ ❋ p . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 34 / 82

  53. ✙ ✭ ✮ ❂ ✰ ✙ ✭ ✮ ❂ ✰ What happens over a finite field ❋ p ? Rational isogenies ( ❵ ✻ ❂ p ) In the algebraic closure ✖ ❋ p E ❬ ❵ ❪ ❂ ❤ P ❀ Q ✐ ✬ ✭ ❩ ❂❵ ❩ ✮ 2 However, an isogeny is defined over ❋ p only if its kernel is Galois invariant. The Frobenius action on E ❬ ❵ ❪ Enter the Frobenius map ✥ a b ✦ ✙ ✿ E � ✦ E ✙ ✿ ♠♦❞ ❵ ✦ ✭ x p ❀ y p ✮ ✭ x ❀ y ✮ ✼� c d We identify ✙ ❥ E ❬ ❵ ❪ to a conjugacy E is seen here as a curve over ✖ ❋ p . class in ●▲✭ ❩ ❂❵ ❩ ✮ . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 34 / 82

  54. � ✕ ✙ ❥ ❬ ❵ ❪ ✘ ✁ ✦ ❵ ✰ ✕ ✏ ✑ ✕ ✙ ❥ ❬ ❵ ❪ ✘ ✕ ✻ ❂ ✖ ✦ ✖ � ✕ ✄ ✁ ✙ ❥ ❬ ❵ ❪ ✘ ✦ ✕ ❩ ❂❵ ❩ ✙ ❥ ❬ ❵ ❪ ✦ What happens over a finite field ❋ p ? Galois invariant subgroups of E ❬ ❵ ❪ = eigenspaces of ✙ ✷ ●▲✭ ❩ ❂❵ ❩ ✮ = rational isogenies of degree ❵ Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 35 / 82

  55. What happens over a finite field ❋ p ? Galois invariant subgroups of E ❬ ❵ ❪ = eigenspaces of ✙ ✷ ●▲✭ ❩ ❂❵ ❩ ✮ = rational isogenies of degree ❵ How many Galois invariant subgroups? � ✕ 0 ✁ ✦ ❵ ✰ 1 isogenies ✙ ❥ E ❬ ❵ ❪ ✘ 0 ✕ ✏ ✑ ✕ 0 with ✕ ✻ ❂ ✖ ✦ two isogenies ✙ ❥ E ❬ ❵ ❪ ✘ 0 ✖ � ✕ ✄ ✁ ✙ ❥ E ❬ ❵ ❪ ✘ ✦ one isogeny 0 ✕ ✙ ❥ E ❬ ❵ ❪ is not diagonalizable over ❩ ❂❵ ❩ ✦ no isogeny Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 35 / 82

  56. Volcanology (Kohel 1996) Let E ❀ E ✵ be curves with respective if ❖ ❂ ❖ ✵ , ✣ is horizontal; endomorphism rings ❖ ❀ ❖ ✵ ✚ K . if ❬ ❖ ✵ ✿ ❖ ❪ ❂ ❵ , ✣ is ascending; Let ✣ ✿ E ✦ E ✵ be an isogeny of if ❬ ❖ ✿ ❖ ✵ ❪ ❂ ❵ , ✣ is descending. prime degree ❵ , then: ❊♥❞✭ E ✮ ❖ K ❩ ❬ ✙ ❪ Ordinary isogeny volcano of degree ❵ ❂ 3 . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 36 / 82

  57. ✿ ❩ ❬ ✙ ❪❪✮ ❂ ❵ ✭❬ ❖ Volcanology (Kohel 1996) Let E be ordinary, ❊♥❞✭ E ✮ ✚ K . � D K � D K ✁ ✁ ❂ � 1 ❂ 0 ❖ K : maximal order of K , ❵ ❵ D K : discriminant of K . � D K ✁ ❂ ✰ 1 ❵ Horizontal Ascending Descending ✏ ✑ D K ❵ ✲ ❬ ❖ K ✿ ❖ ❪❪ ❵ ✲ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ 1 ✰ ❵ ✏ ✑ ✏ ✑ D K D K ❵ ✲ ❬ ❖ K ✿ ❖ ❪❪ ❵ ❥ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ 1 ✰ ❵ � ❵ ❵ ❵ ❥ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ ❵ ❥ ❬ ❖ K ✿ ❖ ❪❪ ❵ 1 ❵ ❥ ❬ ❖ K ✿ ❖ ❪❪ ❵ ✲ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ 1 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 37 / 82

  58. Volcanology (Kohel 1996) Let E be ordinary, ❊♥❞✭ E ✮ ✚ K . � D K � D K ✁ ✁ ❂ � 1 ❂ 0 ❖ K : maximal order of K , ❵ ❵ D K : discriminant of K . Height ❂ v ❵ ✭❬ ❖ K ✿ ❩ ❬ ✙ ❪❪✮ . � D K ✁ ❂ ✰ 1 ❵ Horizontal Ascending Descending ✏ ✑ D K ❵ ✲ ❬ ❖ K ✿ ❖ ❪❪ ❵ ✲ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ 1 ✰ ❵ ✏ ✑ ✏ ✑ D K D K ❵ ✲ ❬ ❖ K ✿ ❖ ❪❪ ❵ ❥ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ 1 ✰ ❵ � ❵ ❵ ❵ ❥ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ ❵ ❥ ❬ ❖ K ✿ ❖ ❪❪ ❵ 1 ❵ ❥ ❬ ❖ K ✿ ❖ ❪❪ ❵ ✲ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ 1 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 37 / 82

  59. Volcanology (Kohel 1996) Let E be ordinary, ❊♥❞✭ E ✮ ✚ K . � D K � D K ✁ ✁ ❂ � 1 ❂ 0 ❖ K : maximal order of K , ❵ ❵ D K : discriminant of K . Height ❂ v ❵ ✭❬ ❖ K ✿ ❩ ❬ ✙ ❪❪✮ . � D K How large is the crater? ✁ ❂ ✰ 1 ❵ Horizontal Ascending Descending ✏ ✑ D K ❵ ✲ ❬ ❖ K ✿ ❖ ❪❪ ❵ ✲ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ 1 ✰ ❵ ✏ ✑ ✏ ✑ D K D K ❵ ✲ ❬ ❖ K ✿ ❖ ❪❪ ❵ ❥ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ 1 ✰ ❵ � ❵ ❵ ❵ ❥ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ ❵ ❥ ❬ ❖ K ✿ ❖ ❪❪ ❵ 1 ❵ ❥ ❬ ❖ K ✿ ❖ ❪❪ ❵ ✲ ❬ ❖ ✿ ❩ ❬ ✙ ❪❪ 1 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 37 / 82

  60. How large is the crater of a volcano? ♣ Let ❊♥❞✭ E ✮ ❂ ❖ ✚ ◗ ✭ � D ✮ . Define ■ ✭ ❖ ✮ , the group of invertible fractional ideals, P ✭ ❖ ✮ , the group of principal ideals, The class group The class group of ❖ is ❈❧✭ ❖ ✮ ❂ ■ ✭ ❖ ✮ ❂ P ✭ O ✮ ✿ It is a finite abelian group. Its order h ✭ ❖ ✮ is called the class number of ❖ . ♣ It arises as the Galois group of an abelian extension of ◗ ✭ � D ✮ . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 38 / 82

  61. Complex multiplication The a -torsion Let a ✚ ❖ be an (integral invertible) ideal of ❖ ; Let E ❬ a ❪ be the subgroup of E annihilated by a : E ❬ a ❪ ❂ ❢ P ✷ E ❥ ☛ ✭ P ✮ ❂ 0 for all ☛ ✷ a ❣ ❀ Let ✣ ✿ E ✦ E a , where E a ❂ E ❂ E ❬ a ❪ . Then ❊♥❞✭ E a ✮ ❂ ❖ (i.e., ✣ is horizontal). Theorem (Complex multiplication) The action on the set of elliptic curves with complex multiplication by ❖ defined by a ✄ j ✭ E ✮ ❂ j ✭ E a ✮ factors through ❈❧✭ ❖ ✮ , is faithful and transitive. Corollary ✏ ✑ D Let ❊♥❞✭ E ✮ have discriminant D . Assume that ❂ 1 , then E is on a ❵ crater of size N of an ❵ -volcano, and N ❥ h ✭❊♥❞✭ E ✮✮ Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 39 / 82

  62. ❈❧✭ ❖ ✮ Complex multiplication graphs Vertices are elliptic curves with complex E 3 multiplication by ❖ K E 4 E 2 (i.e., ❊♥❞✭ E ✮ ✬ ❖ K ✚ ♣ ◗ ✭ � D ✮ ). E 5 E 1 E 6 E 12 E 7 E 11 E 8 E 10 E 9 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 40 / 82

  63. ❈❧✭ ❖ ✮ Complex multiplication graphs Vertices are elliptic curves with complex E 3 multiplication by ❖ K E 4 E 2 (i.e., ❊♥❞✭ E ✮ ✬ ❖ K ✚ ♣ ◗ ✭ � D ✮ ). Edges are horizontal E 5 E 1 isogenies of bounded prime degree. degree 2 E 6 E 12 E 7 E 11 E 8 E 10 E 9 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 40 / 82

  64. ❈❧✭ ❖ ✮ Complex multiplication graphs Vertices are elliptic curves with complex E 3 multiplication by ❖ K E 4 E 2 (i.e., ❊♥❞✭ E ✮ ✬ ❖ K ✚ ♣ ◗ ✭ � D ✮ ). Edges are horizontal E 5 E 1 isogenies of bounded prime degree. degree 2 E 6 E 12 degree 3 E 7 E 11 E 8 E 10 E 9 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 40 / 82

  65. ❈❧✭ ❖ ✮ Complex multiplication graphs Vertices are elliptic curves with complex E 3 multiplication by ❖ K E 4 E 2 (i.e., ❊♥❞✭ E ✮ ✬ ❖ K ✚ ♣ ◗ ✭ � D ✮ ). Edges are horizontal E 5 E 1 isogenies of bounded prime degree. degree 2 E 6 E 12 degree 3 E 7 E 11 degree 5 E 8 E 10 E 9 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 40 / 82

  66. Complex multiplication graphs Vertices are elliptic curves with complex E 3 multiplication by ❖ K E 4 E 2 (i.e., ❊♥❞✭ E ✮ ✬ ❖ K ✚ ♣ ◗ ✭ � D ✮ ). Edges are horizontal E 5 E 1 isogenies of bounded prime degree. degree 2 E 6 E 12 degree 3 E 7 E 11 degree 5 Isomorphic to a Cayley E 8 E 10 graph of ❈❧✭ ❖ K ✮ . E 9 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 40 / 82

  67. Supersingular endomorphisms Recall, a curve E over a field ❋ q of characteristic p is supersingular iff ✙ 2 � t ✙ ✰ q ❂ 0 with t ❂ 0 ♠♦❞ p . Case: t ❂ 0 ✮ D ✙ ❂ � 4 q Only possibility for E ❂ ❋ p , E ❂ ❋ p has CM by an order of ◗ ✭ ♣� p ✮ , similar to the ordinary case. t ❂ ✝ 2 ♣ q Case: ✮ D ✙ ❂ 0 General case for E ❂ ❋ q , when q is an even power. ✙ ❂ ✝♣ q , hence no complex multiplication. We will ignore marginal cases: t ❂ ✝♣ q ❀ ✝♣ 2 q ❀ ✝♣ 3 q . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 41 / 82

  68. Supersingular complex multiplication Let E ❂ ❋ p be a supersingular curve, then ✙ 2 ❂ � p , and ✏ ♣� p ✑ 0 ✙ ❂ ♠♦❞ ❵ �♣� p 0 ✏ ✑ � p for any ❵ s.t. ❂ 1 . ❵ Theorem (Delfs and Galbraith 2016) Let ❊♥❞ ❋ p ✭ E ✮ denote the ring of ❋ p -rational endomorphisms of E . Then ❩ ❬ ✙ ❪ ✚ ❊♥❞ ❋ p ✭ E ✮ ✚ ◗ ✭ ♣� p ✮ ✿ Orders of ◗ ✭ ♣� p ✮ If p ❂ 1 ♠♦❞ 4 , then ❩ ❬ ✙ ❪ is the maximal order. If p ❂ � 1 ♠♦❞ 4 , then ❩ ❬ ✙ ✰ 1 2 ❪ is the maximal order, and ❬ ❩ ❬ ✙ ✰ 1 2 ❪ ✿ ❩ ❬ ✙ ❪❪ ❂ 2 . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 42 / 82

  69. Supersingular CM graphs 2 -volcanoes, p ❂ � 1 ♠♦❞ 4 ❩ ❬ ✙ ✰ 1 2 ❪ ❩ ❬ ✙ ❪ 2 -graphs, p ❂ 1 ♠♦❞ 4 ❩ ❬ ✙ ❪ ✏ ✑ � p All other ❵ -graphs are cycles of horizontal isogenies iff ❂ 1 . ❵ Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 43 / 82

  70. The full endomorphism ring Theorem (Deuring) Let E be a supersingular elliptic curve, then E is isomorphic to a curve defined over ❋ p 2 ; Every isogeny of E is defined over ❋ p 2 ; Every endomorphism of E is defined over ❋ p 2 ; ❊♥❞✭ E ✮ is isomorphic to a maximal order in a quaternion algebra ramified at p and ✶ . In particular: If E is defined over ❋ p , then ❊♥❞ ❋ p ✭ E ✮ is strictly contained in ❊♥❞✭ E ✮ . Some endomorphisms do not commute! Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 44 / 82

  71. An example The curve of j -invariant 1728 E ✿ y 2 ❂ x 3 ✰ x is supersingular over ❋ p iff p ❂ � 1 ♠♦❞ 4 . Endomorphisms ❊♥❞✭ E ✮ ❂ ❩ ❤ ✓❀ ✙ ✐ , with: ✙ the Frobenius endomorphism, s.t. ✙ 2 ❂ � p ; ✓ the map ✓ ✭ x ❀ y ✮ ❂ ✭ � x ❀ iy ✮ ❀ where i ✷ ❋ p 2 is a 4-th root of unity. Clearly, ✓ 2 ❂ � 1 . And ✓✙ ❂ � ✙✓ . Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 45 / 82

  72. ❈❧✭ � ✮ ❂ ❈❧✭ � ✮ ❈❧✭ � ✮ ❈❧✭ � ✮ ❈❧✭ � ✮ Class group action party j ❂ 1728 Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29–Aug 2, 2019 — Würzburg 46 / 82

Recommend

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ March 18, 2019

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ March 18, 2019

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ March 18, 2019 Mathematical foundations of asymmetric cryptography Aussois, Savoie Slides online at https://defeo.lu/docet/ Overview Isogeny graphs 1 Elliptic Curves

1.96k views • 156 slides
Isogeny graphs in cryptography: the good, the bad and the ugly Luca De Feo Universit Paris

Isogeny graphs in cryptography: the good, the bad and the ugly Luca De Feo Universit Paris

Isogeny graphs in cryptography: the good, the bad and the ugly Luca De Feo Universit Paris Saclay UVSQ May 13, 2019, Universit di Roma 3, Roma Slides online at https://defeo.lu/docet/ Elliptic curves Let E y 2 x 3 ax b

1.22k views • 76 slides
Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ & Inria March

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ & Inria March

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ & Inria March 1923, 2018, Post-Scryptum Spring School, Les 7 Laux Slides online at http://defeo.lu/docet/ Photo courtesy of Elisa Lorenzo-Garca Overview

1.87k views • 144 slides
Isogeny Graphs in Cryptography Luca De Feo hand-drawings by Rachel Deyts Universit de

Isogeny Graphs in Cryptography Luca De Feo hand-drawings by Rachel Deyts Universit de

Isogeny Graphs in Cryptography Luca De Feo hand-drawings by Rachel Deyts Universit de Versailles & Inria, Universit Paris-Saclay May 31, 2018, Journes du Pr-GDR Scurit, Paris Elliptic curves Let E y 2 x 3 ax b be

1.01k views • 73 slides
Isogeny graphs with real multiplication Sorina Ionica Ecole Normale Suprieure de Paris joint

Isogeny graphs with real multiplication Sorina Ionica Ecole Normale Suprieure de Paris joint

Isogeny graphs with real multiplication Sorina Ionica Ecole Normale Suprieure de Paris joint work with Emmanuel Thom Sorina Ionica 1 / 24 Isogeny graphs Kohel 1996: Graph with vertices elliptic curves defined over F q and edges all

302 views • 27 slides
BROOKS JETCHEV WESOLOWSKI ISOGENY GRAPHS OF ORDINARY ABELIAN VARIETIES PRESENTED AT ECC 2017,

BROOKS JETCHEV WESOLOWSKI ISOGENY GRAPHS OF ORDINARY ABELIAN VARIETIES PRESENTED AT ECC 2017,

ERNEST HUNTER DIMITAR BENJAMIN BROOKS JETCHEV WESOLOWSKI ISOGENY GRAPHS OF ORDINARY ABELIAN VARIETIES PRESENTED AT ECC 2017, NIJMEGEN, THE NETHERLANDS BY BENJAMIN WESOLOWSKI FROM EPFL, SWITZERLAND AN INTRODUCTION TO ISOGENY GRAPHS

770 views • 63 slides
Advances in isogeny-based cryptography Benjamin Smith Inria + Laboratoire dInformatique de

Advances in isogeny-based cryptography Benjamin Smith Inria + Laboratoire dInformatique de

Advances in isogeny-based cryptography Benjamin Smith Inria + Laboratoire dInformatique de lcole polytechnique (LIX) 1 Arithmetic of low-dimensional abelian varieties // ICERM // 6/6/19 Elliptic curve cryptography 1 Breaking keypairs

821 views • 57 slides
20 years of isogeny-based cryptography Luca De Feo feat. Jean Kieffer, Benjamin Smith

20 years of isogeny-based cryptography Luca De Feo feat. Jean Kieffer, Benjamin Smith

20 years of isogeny-based cryptography Luca De Feo feat. Jean Kieffer, Benjamin Smith Universit Paris Saclay, UVSQ & Inria November 14, 2017, Elliptic Curve Cryptography, Nijmegen Slides online at http://defeo.lu/docet/ Overview

1.07k views • 84 slides
Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 18, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 18, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 18, 2019 Simula UiB, Bergen Slides online at https://defeo.lu/docet Why isogenies? Six families still in NIST post-quantum competition: Lattices 9

2k views • 172 slides
Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 28, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 28, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 28, 2019 NTNU, Trondheim Slides online at https://defeo.lu/docet Why isogenies? Six families still in NIST post-quantum competition: Lattices 9 encryption

1.95k views • 160 slides
Isogeny-Based Public-Key Cryptography David Jao Department of Combinatorics & Optimization

Isogeny-Based Public-Key Cryptography David Jao Department of Combinatorics & Optimization

Isogeny-Based Public-Key Cryptography David Jao Department of Combinatorics & Optimization Centre for Applied Cryptographic Research June 17, 2016 CENTRE FOR APPLIED CRYPTOGRAPHIC RESEARCH (CACR) Motivation: Post-Quantum Cryptography

355 views • 16 slides
Isogeny-based cryptography, a quantum-safe alternative Annamaria Iezzi University of South

Isogeny-based cryptography, a quantum-safe alternative Annamaria Iezzi University of South

Isogeny-based cryptography, a quantum-safe alternative Annamaria Iezzi University of South Florida FWIMD - February 9, 2019 The key exchange problem ALICE and BELLE, communicating over a public channel, want to agree on a common secret

499 views • 18 slides
Isogeny-Based Cryptography Tanja Lange (with lots of slides by Lorenz Panny) Eindhoven

Isogeny-Based Cryptography Tanja Lange (with lots of slides by Lorenz Panny) Eindhoven

Isogeny-Based Cryptography Tanja Lange (with lots of slides by Lorenz Panny) Eindhoven University of Technology 20 & 21 July 2020 DiffieHellman key exchange 76 Public parameters: a finite group G (traditionally F p , today

1.65k views • 118 slides
Constructing Canonical Strategies For Parallel Implementation Of Isogeny Based Cryptography Aaron

Constructing Canonical Strategies For Parallel Implementation Of Isogeny Based Cryptography Aaron

Constructing Canonical Strategies For Parallel Implementation Of Isogeny Based Cryptography Aaron Hutchinson and Koray Karabina Florida Atlantic University INDOCRYPT 2018 Acknowledgment: This research was supported by the Army Research Office

288 views • 18 slides
Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe

Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe

Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe Petit ECC 2019 3 December 1 / 50 Motivation Isogeny based cryptography Another Look at Provable Security Neal Koblitz Dept. of

780 views • 61 slides
An introduction to supersingular isogeny-based cryptography Craig Costello November 10 ECC 2017

An introduction to supersingular isogeny-based cryptography Craig Costello November 10 ECC 2017

An introduction to supersingular isogeny-based cryptography Craig Costello November 10 ECC 2017 Nijmegen, The Netherlands W. Castryck (GIF): Elliptic curves are dead: long live elliptic curves https://www.esat.kuleuven.be/cosic/?p=7404

1.07k views • 78 slides
Isogeny graphs in dimension 2 2014/12/17 Cryptographic seminar Caen Gatan Bisson, Romain

Isogeny graphs in dimension 2 2014/12/17 Cryptographic seminar Caen Gatan Bisson, Romain

Isogeny graphs in dimension 2 2014/12/17 Cryptographic seminar Caen Gatan Bisson, Romain Cosset, Alina Dudeanu, Sorina Ionica, Dimitar Jetchev, David Lubicz, Chlo Martindale, Damien Robert Isogenies on elliptic curves Abelian

598 views • 44 slides
isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8,

isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8,

An introduction to supersingular isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8, 2017 ibenik , Croatia T owards quantum-resistant cryptosystems from supersingular elliptic curve isogenies

1.46k views • 51 slides
Exploring Isogeny Graphs Around the Volcano in 2 80 Days Luca De Feo hand drawings by Rachel

Exploring Isogeny Graphs Around the Volcano in 2 80 Days Luca De Feo hand drawings by Rachel

Exploring Isogeny Graphs Around the Volcano in 2 80 Days Luca De Feo hand drawings by Rachel Deyts Universit Paris Saclay UVSQ Dec 14, 2018, UVSQ, Versailles Elliptic curves Let E y 2 x 3 ax b be an elliptic curve...

1.02k views • 85 slides
ORIENTING SUPERSINGULAR ISOGENY GRAPHS LEONARDO COL & DAVID KOHEL 1 / 22 Institut de

ORIENTING SUPERSINGULAR ISOGENY GRAPHS LEONARDO COL & DAVID KOHEL 1 / 22 Institut de

ORIENTING SUPERSINGULAR ISOGENY GRAPHS LEONARDO COL & DAVID KOHEL 1 / 22 Institut de Mathmatiques de Marseille Journes Nationales de Calcul Formel 2019 CIRM, Luminy, 7 February 2019 Leonardo COL ( I2M-AMU ) OSIDH 7 February 2019 2

966 views • 73 slides
Supersingular Isogeny Graphs and Endomorphism Rings: Reductions and Solutions Kirsten Eisentr

Supersingular Isogeny Graphs and Endomorphism Rings: Reductions and Solutions Kirsten Eisentr

Supersingular Isogeny Graphs and Endomorphism Rings: Reductions and Solutions Kirsten Eisentr ager (Penn State), Sean Hallgren (Penn State), Kristin Lauter (Microsoft Research), Travis Morrison (Penn State), Christophe Petit (Birmingham)

427 views • 38 slides
ORIENTING SUPERSINGULAR ISOGENY GRAPHS LEONARDO COL & DAVID KOHEL Institut de Mathmatiques

ORIENTING SUPERSINGULAR ISOGENY GRAPHS LEONARDO COL & DAVID KOHEL Institut de Mathmatiques

ORIENTING SUPERSINGULAR ISOGENY GRAPHS LEONARDO COL & DAVID KOHEL Institut de Mathmatiques de Marseille Number-Theoretic Methods in Cryptology 2019 Sorbonne Universit, Institut de Mathmatiques de Jussieu Paris, 26 June 2019 Leonardo

739 views • 53 slides
Algorithms for isogeny graphs Sorina Ionica Ecole Normale Suprieure Paris Inria Bordeaux 5

Algorithms for isogeny graphs Sorina Ionica Ecole Normale Suprieure Paris Inria Bordeaux 5

Algorithms for isogeny graphs Sorina Ionica Ecole Normale Suprieure Paris Inria Bordeaux 5 fvrier 2013 Sorina Ionica 1 / 35 Cryptographic motivation We need an abelian variety of small dimension (i.e. 1,2) defined over F q s.t. # A ( F q

833 views • 35 slides
Towards practical key exchange from ordinary isogeny graphs Luca De Feo 1,3 Jean Kieffer 2,3,4

Towards practical key exchange from ordinary isogeny graphs Luca De Feo 1,3 Jean Kieffer 2,3,4

Towards practical key exchange from ordinary isogeny graphs Luca De Feo 1,3 Jean Kieffer 2,3,4 Benjamin Smith 3 1 UVSQ, Universit Paris Saclay 2 cole normale suprieure, Paris 3 Inria and cole polytechnique, Universit Paris Saclay 4 Inria

882 views • 74 slides

More recommend