Isogeny graphs with real multiplication
Sorina Ionica, Ecole Normale Supérieure de Paris
Joint work with Emmanuel Thomé

Isogeny graphs
Kohel 1996: graph with vertices elliptic curves defined over $\mathbb{F}_q$ and edges all rational isogenies of degree $\ell$ between curves.
Compute endomorphism rings locally at $\ell$ by depth first search.
Other applications: class polynomial computations, solving the discrete logarithm problem, hash functions, public key cryptosystems.

The endomorphism ring of an ordinary elliptic curve
An order $\mathcal{O}$ is a subring and $\mathbb{Z}$-submodule of the ring of integers $\mathcal{O}_K$ of a quadratic imaginary field $K$.
Denote by $f = [\mathcal{O}_K : \mathcal{O}]$ the conductor. Then $\mathcal{O} = [1, f\omega_K]$.
Diagram (tower of orders, with $g^2 d_K = t^2 - 4q$):
$\mathcal{O}_K \leftarrow \omega_K$
  | index $f$
$\mathrm{End}(E) \leftarrow f\omega_K$
  | index $g/f$
$\mathbb{Z}[\pi] \leftarrow g\omega_K$
Computing the endomorphism ring of an ordinary curve $E/\mathbb{F}_q$ means locating it in the diagram.

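Isogenies and endomorphism rings
The $\ell$-isogeny graph has vertices $\mathrm{Ell}_t(\mathbb{F}_q)$ and edges $\ell$-isogenies defined over $\mathbb{F}_q$.
Let $\varphi : E_1 \to E_2$ be an isogeny of degree $\ell$.
descending: $\mathcal{O}_K \supseteq \mathrm{End}(E_1) \supset \mathrm{End}(E_2) \supseteq \mathbb{Z}[\pi]$, with $[\mathrm{End}(E_1) : \mathrm{End}(E_2)] = \ell$
ascending: $\mathcal{O}_K \supseteq \mathrm{End}(E_2) \supset \mathrm{End}(E_1) \supseteq \mathbb{Z}[\pi]$, with $[\mathrm{End}(E_2) : \mathrm{End}(E_1)] = \ell$
horizontal: $\mathcal{O}_K \supseteq \mathrm{End}(E_1) = \mathrm{End}(E_2) \supseteq \mathbb{Z}[\pi]$
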
Isogenies and $\ell$-volcanoes
Let $h$ be the $\ell$-adic valuation of the conductor $g$ of $\mathbb{Z}[\pi]$.
Kohel's theorem: connected components of $\mathrm{Ell}_t(\mathbb{F}_q)$ are $\ell$-volcanoes of height $h$.
Number of horizontal isogenies starting from given vertex depends on the splitting of $\ell$ in $\mathcal{O}_K$.

Isogenies and $\ell$-volcanoes
Let $h$ be the $\ell$-adic valuation of the conductor $g$ of $\mathbb{Z}[\pi]$.
Kohel's theorem: connected components of $\mathrm{Ell}_t(\mathbb{F}_q)$ are $\ell$-volcanoes of height $h$ (assuming $j \neq 0, 1728$).
Curves on a fixed level have the same endomorphism ring.
[Figure: volcano with levels labelled $\omega_K$, $\ell\omega_K$, ..., $\ell^{h-1}\omega_K$, $\ell^h\omega_K$]

Depth first search
Find a way to the floor.
The number of steps in a short path gives the $\ell$-adic valuation of the conductor.

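The walk to the floor described on this slide, as an added example that is not part of the original talk: a Python model on a constructed $\ell$-volcano graph, with no curve or isogeny arithmetic. The names build_volcano and steps_to_floor and the sample parameters are assumptions made for the illustration.

```python
# Added example: combinatorial model only, no isogenies are computed.
from itertools import count


def build_volcano(ell, height, crater_len):
    """Constructed l-volcano (height >= 1, crater_len >= 3): a cycle at
    level 0, trees below it, floor at level `height`.
    Returns (adjacency lists, level of each vertex)."""
    ids = count()
    crater = [next(ids) for _ in range(crater_len)]
    adj = {v: [] for v in crater}
    level = {v: 0 for v in crater}
    for i, v in enumerate(crater):            # two horizontal edges each
        adj[v] += [crater[i - 1], crater[(i + 1) % crater_len]]
    frontier = crater
    for lvl in range(1, height + 1):
        below = []
        for parent in frontier:
            # every vertex above the floor has ell + 1 neighbours in total
            for _ in range(ell + 1 - len(adj[parent])):
                child = next(ids)
                adj[child], level[child] = [parent], lvl
                adj[parent].append(child)
                below.append(child)
        frontier = below
    return adj, level


def steps_to_floor(adj, start):
    """Length of a shortest path from `start` to the floor.
    Floor vertices are the ones with a single neighbour. Of any three
    neighbours at least one is descending (at most two are horizontal or
    one ascending), and a non-backtracking walk that starts by descending
    can only keep descending. So three walks advanced in lockstep suffice:
    the first to touch the floor took the short path."""
    if len(adj[start]) == 1:
        return 0
    walks = [(start, n) for n in adj[start][:3]]      # (previous, current)
    for steps in count(1):
        if any(len(adj[cur]) == 1 for _, cur in walks):
            return steps
        walks = [(cur, next(n for n in adj[cur] if n != prev))
                 for prev, cur in walks]


if __name__ == "__main__":
    adj, level = build_volcano(ell=3, height=2, crater_len=5)
    for v in (0, 5, 15):                       # one vertex per level
        print(v, level[v], steps_to_floor(adj, v))
```

In this model the step count from a vertex equals the height minus its level, so a crater vertex is $h$ steps from the floor and a floor vertex is 0 steps away.
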
The endomorphism ring of an ordinary jacobian
Let $K$ be a primitive quartic CM field and assume that $K = \mathbb{Q}(\gamma)$ with
$\gamma = i\sqrt{a + b\,\frac{-1+\sqrt{d}}{2}}$ for $d \equiv 1 \bmod 4$
$\gamma = i\sqrt{a + b\sqrt{d}}$ for $d \equiv 2, 3 \bmod 4$
Assume real multiplication $\mathcal{O}_{K_0}$ has class number 1.
Let $J$ be a jacobian of a genus 2 curve defined over $\mathbb{F}_q$.
$J$ is simple, ordinary, i.e. $\mathrm{End}(J)$ is an order of $K$.
$\mathbb{Z}[\pi, \bar\pi] \subset \mathrm{End}(J) \subset \mathcal{O}_K$

The $(\ell, \ell)$-isogeny graph
Cosset-Robert 2011: algebraic equations for $(\ell, \ell)$-isogenies.
[Figure: graph with labels 3]

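Real multiplication sub-graphs
$\mathbb{C}^2/(\Lambda_1 \oplus \Lambda_2\tau) \to \mathbb{C}^2/(\frac{\Lambda_1}{\mu} \oplus \Lambda_2\tau)$
$\mathbb{C}^2/(\Lambda_1 \oplus \Lambda_2\tau) \to \mathbb{C}^2/(\Lambda_1 \oplus \frac{\Lambda_2}{\mu}(\tau + (\rho, \rho)))$
[slide annotations: $\mathcal{O}_{K_0}$, $\ell\mathcal{O}_{K_0}$]
where $\Lambda_1$ and $\Lambda_2$ are lattices in $K_0$, $\rho \in \mathcal{O}_{K_0}$, $\tau \in \mathcal{H}_1^2$.
These isogenies preserve real multiplication $\mathcal{O}_{K_0}$ and one may descend polarization down to principal on the target variety.
If $\mu$ generates a degree 1 ideal in $\mathcal{O}_{K_0}$, we get $\ell$-isogenies!
Thanks to John Boxall.
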
First attempts
Take $\ell$ such that $\ell\mathcal{O}_{K_0} = \mathfrak{l}_1\mathfrak{l}_2$.
It turns out all isogenies preserving RM are of this type.
Pretty disappointing. To be or not to be bugged...? :(

A graph!
$[A, B] = [81, 1181]$, $p = 85201$, $\ell = 3$

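$\mathcal{O}_{K_0}$-orders
$\mathcal{O}_K = \mathcal{O}_{K_0} \oplus \mathcal{O}_{K_0}\eta$
An order which is an $\mathcal{O}_{K_0}$-module is of the form $\mathcal{O} = \mathcal{O}_{K_0} \oplus \mathcal{O}_{K_0}(\alpha\eta)$.
The conductor is $\alpha\mathcal{O}_K$, for $\alpha \in \mathcal{O}_{K_0}$.
$\mathfrak{f}_{\mathcal{O}} = \{x \in \mathcal{O}_K \mid x\mathcal{O}_K \subseteq \mathcal{O}\} = \{x \in \mathcal{O}_K \mid x\eta \in \mathcal{O}\} = \mathfrak{f}_{\eta,\mathcal{O}}$.
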
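The lattice of $\mathcal{O}_{K_0}$-orders
Computing the endomorphism ring locally means getting $\mathfrak{f} = \dots \mathfrak{l}_1^{\alpha_1}\mathfrak{l}_2^{\alpha_2} \dots$.
[Figure: lattice of orders from $\mathcal{O}_K$ down to $\mathbb{Z}[\pi, \bar\pi]$, with labels $\mu_1$ and $\mu_2$]
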
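Rational $\mathfrak{l}$-isogenies
Let $\theta \in \mathcal{O}$. We define
$v_{\mathfrak{l},\mathcal{O}}(\theta) := \max_{a \in \mathcal{O}_{K_0}} \{ m \mid \theta + a \in \mathfrak{l}^m\mathcal{O} \}$
Let $\pi$ be the Frobenius and write
$\pi = a_1 + a_2\sqrt{d} + (a_3 + a_4\sqrt{d})(\alpha\eta)$.
Hence $v_{\mathfrak{l}}(\mathfrak{f}_{\eta,\mathrm{End}(J)}) = v_{\mathfrak{l},\mathcal{O}_K}(\pi) - v_{\mathfrak{l},\mathrm{End}(J)}(\pi)$.
All $\mathfrak{l}$-isogenies are rational iff $v_{\mathfrak{l},\mathrm{End}(J)}(\pi) > 0$.
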
Classification of isogenies
No $\ell$-isogeny between jacobians with distinct endomorphism rings lying on the same level in the lattice.
Two types of isogenies: ascending/descending and horizontal.
[Figure: lattice of orders from $\mathcal{O}_K$ down to $\mathbb{Z}[\pi, \bar\pi]$, with labels $\mu_1$ and $\mu_2$]

Real multiplication isogeny graph
$[A, B] = [81, 1181]$, $p = 211$, $\ell = 3$

Graph structure
Let $\mathfrak{l}$ be an ideal of norm $\ell$ in $\mathcal{O}_{K_0}$.
Assume that $\mathfrak{l}\mathcal{O}_K$ is coprime to $\mathfrak{f}_{\mathcal{O}}$.
If $\mathfrak{l}$ is split in $\mathcal{O}_K$, there are exactly two horizontal $\ell$-isogenies with kernel in $J[\mathfrak{l}]$.
If $\mathfrak{l}$ is ramified in $\mathcal{O}_K$, there is exactly one horizontal $\ell$-isogeny with kernel in $J[\mathfrak{l}]$.
If $\mathfrak{l}$ is inert in $K$, then there are no horizontal isogenies with kernel in $J[\mathfrak{l}]$.
If $\mathfrak{l}$ is not coprime to $\mathfrak{f}_{\mathcal{O}}$, then there is one ascending $\ell$-isogeny with kernel in $J[\mathfrak{l}]$.

Real multiplication isogeny graph
$[A, B] = [81, 1181]$, $p = 211$, $\ell = 3$
$\mathfrak{l}_1$ (yellow) is split in $\mathcal{O}_K$
$\mathfrak{l}_2$ (violet) is inert in $\mathcal{O}_K$

The Tate pairing
$J(\mathbb{F}_q)/mJ(\mathbb{F}_q) \times J[m](\mathbb{F}_q) \to \mu_m$
$(P, Q) \mapsto \left( f_{m,P}(Q + R) / f_{m,P}(R) \right)^{(q-1)/m}$
with $f_{m,P}$ s.t. $\mathrm{div}(f_{m,P}) \sim m(P)$.
Efficiently computable with Miller's algorithm in $O(\log m)$ operations in $\mathbb{F}_q$.

Pairings on kernels
Assume that $J[\mathfrak{l}^n] \subseteq J(\mathbb{F}_q)$ and $J[\mathfrak{l}^{n+1}] \not\subseteq J(\mathbb{F}_q)$.
$k_{\mathfrak{l},J} := \max_{P \in J[\mathfrak{l}^n]} \{ k \mid T_{\ell^n}(P, P) \in \mu_{\ell^k} \setminus \mu_{\ell^{k-1}} \}$
Let $J$ be a jacobian whose endomorphism ring is locally maximal at $\ell$. Assume that $n$ is the largest integer s.t. $J[\mathfrak{l}^n] \subseteq J(\mathbb{F}_q)$.
The Tate pairing is non-degenerate on $G \times G$ if $T_{\ell^n} : G \times G \to \mu_{\ell^{k_{\mathfrak{l},J}}}$ is surjective. We say it is degenerate otherwise.

Theorem
Let $I$ be an $\mathfrak{l}$-isogeny with kernel $G$. Take $\bar{G} \subset J[\mathfrak{l}^n]$ such that $\ell^{n-1}\bar{G} = G$.
$I$ is descending iff the Tate pairing is non-degenerate on $\bar{G}$.
$I$ is horizontal or ascending iff the Tate pairing is degenerate on $\bar{G}$.

Walking in the graph
Theorem: an $(\ell, \ell)$-isogeny preserving real multiplication is the composition of an $\mathfrak{l}_1$-isogeny with an $\mathfrak{l}_2$-isogeny.
[Figure: lattice of orders from $\mathcal{O}_K$ down to $\mathbb{Z}[\pi, \bar\pi]$, with labels $\mu_1$ and $\mu_2$]

Algorithm
Idea of the algorithm. Given $J$ such that $[\mathcal{O}_{K_0} : \mathbb{Z}[\pi + \bar\pi]] = 1$. We want to compute $\mathrm{End}(J)$.
The algorithm computes $v_{\mathfrak{l}_i}(\pi)$, $i = 1, 2$.
1. Counter$_i$ ← 0, $i = 1, 2$.
2. Construct a chain of $(\ell, \ell)$-isogenies until the floor is reached.
3. Each time a step $I$ is taken in the graph: Counter$_i$ ← Counter$_i$ + 1, $i = 1, 2$.
4. Return Counter$_i$, $i = 1, 2$.

Computing degenerate pairings
Let $P$ and $Q$ be s.t. $J[\mathfrak{l}^n] = \langle P, Q \rangle$. Using bilinearity of the $\ell^n$-Tate pairing, we get
$T_{\ell^n}(aP + bQ, aP + bQ) = T_{\ell^n}(P, P)^{a^2} \left( T_{\ell^n}(P, Q)\, T_{\ell^n}(Q, P) \right)^{ab} T_{\ell^n}(Q, Q)^{b^2}$
$\mathcal{P}(a, b) = a^2 \log(T_{\ell^n}(P, P)) + 2ab \log(T_{\ell^n}(P, Q)\, T_{\ell^n}(Q, P)) + b^2 \log(T_{\ell^n}(Q, Q))$
identically zero modulo $\ell^{n - k_{\mathfrak{l},J} - 1}$ and nonzero modulo $\ell^{n - k_{\mathfrak{l},J}}$.
Degenerate self-pairings ↔ roots of $\mathcal{P}$.

Computing endomorphism rings
Eisenträger and Lauter's algorithm (2005), Freeman-Lauter (2008)
Idea: if $\alpha : J \to J$ is an endomorphism, then $\frac{\alpha}{n}$ is an endomorphism iff $J[n] \subset \mathrm{Ker}\,\alpha$.
Check if an order $\mathcal{O}$ is contained in $\mathrm{End}(J)$:
Write down a basis for the order $\mathcal{O}$: $\gamma_i = \frac{\alpha_i}{n_i}$, with $\alpha_i \in \mathbb{Z}[\pi]$.
Check if $\gamma_i \in \mathrm{End}(J)$ by checking if $\alpha_i$ is zero on $J[n_i]$.
Since $n_i \mid [\mathcal{O}_K : \mathbb{Z}[\pi, \bar\pi]]$ we end up working over large extension fields!

Complexity analysis
Denote by $\mathbb{F}_{q^r}$ the smallest extension field such that $J[\ell] \subset J(\mathbb{F}_{q^r})$.
Let $n \geq 1$ be the largest integer such that $J[\ell^n] \subset J(\mathbb{F}_q)$ and $u = v_\ell([\mathcal{O}_K : \mathbb{Z}[\pi, \bar\pi]])$.
Let $M(r)$ be the cost of a multiplication in $\mathbb{F}_{q^r}$.
Eisenträger-Lauter: $O((r\ell^{u-n} + \ell^{2u})\, M(r\ell^{u-n}) \log q)$
This work: $O(M(r)(r \log q + \ell^{2n} + n \log \ell))$
(worst case)