Isogeny graphs, algorithms and applications

Transcription

1 Isogeny graphs, algorithms and applications University of Auckland, New Zealand Reporting on joint work with Christina Delfs (Oldenburg). Thanks: David Kohel, Drew Sutherland, Marco Streng.

2 Plan Elliptic curves and isogenies Isogeny graphs and applications Ordinary case Supersingular case New work with Christina Delfs: improved algorithms for computing isogenies between supersingular elliptic curves. Please ask questions at any time.

3 Isogenies An elliptic curve over a eld k is a non-singular projective cubic curve. The set of k-rational points is a group. An isogeny φ : E 1 E 2 of elliptic curves is a morphism that is a group homomorphism. Examples of isogenies include: [n] : E E and Frobenius map when k is a nite eld. An isogeny has nite kernel G E 1 (k). If the isogeny is separable then #G = deg(φ). Tate's isogeny theorem: Let E 1, E 2 be elliptic curves over a nite eld F q. Then #E 1 (F q ) = #E 2 (F q ) i there is an isogeny φ : E 1 E 2 over F q.

4 Isogenies Given a nite subgroup G E 1 (k) there exists an elliptic curve E 2 and a separable isogeny φ : E 1 E 2 with ker(φ) = G. The pair (E 2, φ) can be computed using Vélu's formulae. Two isogenies φ : E 1 E 2 and φ : E 1 E 2 are equivalent if they have the same kernel. Let l be prime. Let E 1 be an elliptic curve. Then over k there are l + 1 non-equivalent isogenies of degree l from E 1. There exists an isogeny φ : E 1 E 2 dened over k of degree n if and only if Φ n (j(e 1 ), j(e 2 )) = 0 where Φ n is the n-th modular polynomial. Conversely, each root of Φ n (j(e 1 ), y) in k determines an equivalence class of isogenies of degree n. An isogeny of degree n over k can be factored as a composition of isogenies over k of prime degree.

5 If you want to learn more about isogenies...

6 Applications of isogenies Schoof-Elkies-Atkin (Lercier, Couveignes) point-counting algorithm. Kohel's thesis (computing End(E) using volcanos). Relating the discrete logarithm problem on elliptic curves with the same number of points (Galbraith, Jao-Miller-Venkatesan). Charles-Goren-Lauter hash function. Stolbunov cryptosystem. Jao-de-Feo cryptosystem. Computing class polynomials and modular polynomials (Sutherland). There is also interesting work in genus 2 that I do not discuss in this talk.

7 Isogeny graph X (k, E, L) Let k be a eld of characteristic p, E an elliptic curve over k, and L a set of small primes l p. The vertices of the isogeny graph are k-isomorphism classes of elliptic curves k-isogenous to E. Usually we label the vertices with j-invariants. The edges are l-isogenies from φ : E 1 E 2 over k, for some l L, for elliptic curves E 1, E 2 in the vertex set. The graph can be constructed using modular polynomials or Vélu's formulae.

8 Isogeny graphs An elliptic curve E over F p n is supersingular if E[p] = {0} (equiv End(E) non-commutative). Otherwise it is called ordinary. When E/F p is supersingular then X (F p, E, {l}) is connected for any prime l p. We omit the mention of E in the supersingular case. The supersingular graph has around p/12 vertices. The ordinary isogeny graph for an elliptic curve over F q has O( q) vertices. When E is supersingular, or when E is ordinary and L is big enough (in particular, so the graph is connected), then the isogeny graph is an expander graph.

9 Example 0 α ᾱ 2 68 Supersingular Isogeny Graph X (F 83, {2})

10 Example 0 3 α ᾱ Supersingular Isogeny Graph X (F 101, {2})

11 Charles-Goren-Lauter hash function Consider the supersingular graph X (F p, {2}). Fix a pair of initial vertices j 1 and j 0. Given an input string of bits b 1 b 2 one computes a non-backtracking path through the graph by choosing at each stage one of the two neighbours that does not go back to the previous j-invariant. In other words, compute the two roots of Φ 2 (j i, y)/(y j i 1), order them, and use the current bit b i to deterministically choose the next step in the walk. The hash value is the nal j-invariant. Finding a collision in the hash function is equivalent to nding a non-trivial cycle in the isogeny graph. Inverting the hash function is nding a path in the graph between two given vertices.

12 Computational Problems and Algorithms in Graph Theory Find a path between two vertices (= nd an isogeny between two given elliptic curves). Find a non-trivial cycle in the graph. Dijsktra algorithm. Pohl's bi-directional search (details on following slide).

13 Local view only

14 Pohl bi-directional search Start with two vertices. Grow trees outwards from each vertex (breadth-rst search) and store every vertex. When there is a vertex visited by both trees then get a path. By the birthday paradox, expect a match after around πn trials, where N is the size of the graph. Storage and running time therefore O( N) eld elements/operations. The use of this algorithm for the isogeny problem was detailed in a 1999 paper of mine. Would prefer an algorithm that requires low storage and can be distributed.

15 Ordinary case: CM Theory (briey) Let E/F q be ordinary, so #E(F q ) = q + 1 t for some non-zero t. Let π q be the q-power Frobenius: π 2 q tπ q + q = 0. Let d = t 2 4q < 0 and K = Q( d). Then Z[π q ] End(E) O K. An isomorphism class E of elliptic curves in the isogeny class of E corresponds to an ideal class of some order O such that Z[π q ] O O K. Further, isogenies out of E correspond to invertible O-modules. The isogeny graph is equal to a graph of ideal classes. The graph has a regular structure.

16 Volcanoes Kohel: Let E 1, E 2 be ordinary elliptic curves over F q and let [End(E 1 ) : End(E 2 )] = l. Then every isogeny φ : E 1 E 2 has degree divisible by l. The structure of orders Z[ d] O O K is reected in the isogeny graph and there is a notion of level. One can detect when one is on the oor, at which point one can climb to the crater.

17 Ordinary case: CM Theory We consider the graph X (F q, E, L) of F q -isomorphism classes of elliptic curves over F q isogenous to E, and L is a set of primes that split or ramify in Q( d). Computations in class groups are easy. There is a compact representation for ideal classes. One can compute the structure of the ideal class group in subexponential time. See very recent article by Franz Lemmermeyer in LMS JCM about Václav imerka for some interesting history about index calculus algorithms in ideal class groups.

18 Ordinary case Galbraith-Hess-Smart gave a low-storage and distributed algorithm for the ordinary isogeny problem. Idea is to use Pollard-style random walks in the graph. Isogenies correspond to ideals (a, b + d) in imaginary quadratic elds, so can represent an isogeny compactly as the pair (a, b) of integers. Designate distinguished points in the graph. Clients run deterministic pseudorandom walks (like used in Pollard rho) from randomised initial vertices. When walk hits a distinguished point then the data is sent to the server. When the server receives the same distinguished point but from walks starting from dierent initial vertices then the path is found.

19 Ordinary case As with any Pollard-type method it is necessary to handle short cycles in the walk. There is a method to smooth a long path in the graph into a shorter path, using ideas from subexponential algorithms for ideal class groups. By making distinguished points common enough one can also ensure that paths are relatively short, but the storage requirements become large. Algorithm improved greatly by Anton Stolbunov in his PhD thesis. A full discussion is given in a joint paper by Stolbunov and me.

20 Supersingular case In principle could also use Pollard-style pseudorandom walks to solve the supersingular isogeny problem in X (F p, {2}). Problem is that there are only 3 directions from each point, so the probability of falling into a short cycle is high. Can minimise this by using more primes, but then we are not solving the problem in the original graph. It also seems to be non-trivial to compactly represent the isogeny or to shorten a long isogeny. Hence, implementing the algorithm is irksome.

21 Question: What about the supersingular isogeny problem restricted to curves over F p? The number of supersingular elliptic curves in F p is approximately p/12, but there are only O( p) supersingular elliptic curves over F p. So nding a path between two supersingular elliptic curves over F p should be easier than the general problem.

22 Full supersingular isogeny graph 0 α ᾱ 2 68 Supersingular Isogeny Graph X (F 83, 2)

23 Subgraph Subgraph consisting j F 83

24 Not quite a subgraph Recall that X (F p, L) is a graph whose vertices are F p -isomorphism classes of elliptic curves. In turns out to be better to consider not the subgraph of F p -isomorphism classes of curves over F p, but the graph of F p -isomorphism classes of curves over F p. If E/F p is a supersingular elliptic curve and p > 3 then #E(F p ) = p + 1 and any quadratic twist of E also has p + 1 points. Hence, in general each j(e) F p appears twice in the graph. In the ordinary case the quadratic twists belong to a distinct but isomorphic graph.

25 Not quite a subgraph Since a vertex is no longer determined uniquely by its j-invariant we need to be more careful to construct the graph. For example, use Vélu. It also turns out to be better to consider not all isogenies over F p, but only isogenies over F p. In small examples this means missing some edges between curves over F p, but in larger graphs the isogenies not over F p are usually to curves not over F p.

26 Subgraph X (F 83, 2) F 83

27 New graph X (F 83, 2)

28 Structure Let E be a supersingular elliptic curve over F p, where p > 3. End(E) is a maximal order in a quaternion algebra, but forget about that. Frobenius π p End Fp (E) satises π 2 p + p = 0. Hence Z[ p] End Fp (E) is an order in K = Q( p). If p 1 (mod 4) then O K = Z[ p], while if p 3 (mod 4) then there are two possible orders, O K = Z[(1 + p)/2] and O 2 = Z[ p]. By Deuring lifting, E corresponds to an ideal class for O K or O 2. Further, F p -rational isogenies of degree l out of E correspond to invertible O-modules corresponding to the splitting of the prime l.

29 Structure theorem (p > 3 prime) 1. p 1 (mod 4): There are h( 4p) F p -isomorphism classes of supersingular elliptic curves over F p, all having the same endomorphism ring Z[ p]. From every one there is one outgoing F p -rational horizontal 2-isogeny as well as two horizontal l-isogenies for every prime l > 2 with ( ) p l = p 3 (mod 4): There are two levels in the supersingular isogeny graph. From each vertex there are two horizontal l-isogenies for every prime l > 2 with ( ) p = 1. l 2.1 If p 7 (mod 8), on each level h( p) vertices are situated. Surface and oor are connected 1:1 with 2-isogenies and on the surface we also have two horizontal 2-isogenies from each vertex. 2.2 If p 3 (mod 8), we have h( p) vertices on the surface and 3h( p) on the oor. Surface and oor are connected 1:3 with 2-isogenies, and there are no horizontal 2-isogenies.

30 Example 1: p = (mod 4) Supersingular Isogeny Graph X (F 101, 2)

31 New X (F 101, 2)

32 Example 2: p = (mod 8) α ᾱ β β Supersingular Isogeny Graph X (F 103, 2)

33 New X (F 103, 2)

34 Algorithmic applications To ensure the graph is connected we need to use a set of primes L such that the ideals above l L generate the ideal class group. One can use the 2-isogeny volcano structure to reduce to the case of the maximal order. One can perform the Galbraith-Hess-Smart algorithm verbatim to nd an isogeny between two supersingular curves with j-invariants in F p. This algorithm is easily distributed, and the techniques of Stolbunov can be employed. This also leads to an improved algorithm for the general supersingular isogeny problem. In practice one goes back to F p -isomorphism classes.

35 Bibliography S. D. Galbraith, Constructing isogenies between elliptic curves over nite elds, London Math. Soc., Journal of Computational Mathematics, Vol. 2 (1999) S. D. Galbraith, F. Hess, N. P. Smart, Extending the GHS Weil descent attack, EUROCRYPT 2002, Springer LNCS 2332 (2002) S. D. Galbraith and A. Stolbunov, Improved algorithm for the isogeny problem for ordinary elliptic curves, Applicable Algebra in Engineering, Communication and Computing, Vol. 24, No. 2 (2013) C. Delfs and S. D. Galbraith, Computing Isogenies between Supersingular Elliptic Curves over F p (preprint).

36 Challenges Random walks lead to long chains of isogenies: How to get short ones? How to convert isogeny chains to new chains comprising isogenies of dierent degrees (e.g., convert to chains of 2-isogenies)? Can you smell the subgraph of supersingular j-invariants in F p? (e.g., Ionica-Joux) Eciently compute End(E) for all curves in the graph. Give an ecient algorithm that, given a maximal order O in the quaternion algebra ramied only at and p, constructs an elliptic curve E/F p such that End(E) = O. See I. Chevyrev and S. D. Galbraith, Distinguishing Maximal Orders of Quaternion Algebras by their Short Elements, arxiv:

37 Thank You