The DLP on Curves with the same endomorphism ring: The genus 1 case

The DLP on Curves with the same Endomorphism Ring:The genus 1 case

Marios Magioladitis

Carl von Ossietzky Universität Oldenburg, Institute für Mathematik

May 19, 2009

M. Magioladitis (Uni Oldenburg) The DLP on Elliptic Curves May 19, 2009 1 / 48

Why move towards DH and RSA?


Some evidence

Security Level RSA and DH Key Size EC Key Size Ratio80 1024 160 3:1112 2048 224 6:1128 3072 256 10:1192 7680 384 32:1256 15360 521 64:1

Table: NIST Recommended Key Sizes and Ratio (bits)


Need more motives?


Are the Elliptic Curves used optimal?

1 NIST curves are widely used. Some users fear they maybe weaknesses.2 Can we do better?3 It is a general belief that elliptic curves with the same order have the

same difficulty in the DLP. Is that true?


Introducing isogenies

Let E and E ′ be two elliptic curves over a field k.

DefinitionAn isogeny

φ : E → E ′

is a nonzero morphism that maps OE to OE ′ . The isogeny induces a grouphomomorphism on rational points.The degree of an isogeny is its degree as a map.

An isogeny φ : E → E is an endomorphism.


Aim of the talk

Theorem of Tate (1966)Let E and E ′ be two elliptic curves over Fq.

E and E ′ are isogenous ⇔ |E | = |E ′|.

Main questionConsider E , E ′/Fq isogenous elliptic curves

DLP(E )?= DLP(E ′)


Aim of the talk II

We strict our problem in the same endomorphism ring

DefinitionLet E and E ′ be two isogenous elliptic curves /Fq.

E and E ′ are on the same level ⇔ End (E) = End (E′).

QuestionConsider E , E ′/Fq isogenous elliptic curves on the same level.

DLP(E )?= DLP(E ′)


What if...?


The g = 1 case

Jao, Miller, Venkatesan (2005)Consider E , E ′ isogenous elliptic curves on the same level.

DLP(E ) = DLP(E ′)

RemarksGeneralized Riemann hypothesis X

Restiction for the endomorphism ring is not important in practise X

The algorithm is random reducible


DLP is random reducible

Theorem (Assuming GRH)The DLP on elliptic curves is random reducible.Given any algorithm A that solves DLP on some fixed positive proportionof curves in a fixed level, then DLP can probabilistically solved on anygiven curve in the same level with polylog(q) expected queries to A withrandom inputs.


Sketch of the proof

DL[E]

isogeny graphwith short edges

ideal class graphwith small norms

λ ≤ O(kβ), β < 1k-regular graph

how costly is one step?O(l3) locally

how many steps?polylog(q) steps

whole cost

DL[E’]

Graph theory

random walk


Clasification of the endomorphism ring

DefinitionAn order O in a field K is a subset of K s.t.

1 O is a subring of K containing 1,2 O is a finitely generated Z-module,3 O contains a Q-basis of K .

Deuring (1941)End (E) is isomorphic to an order to the quaternion algebra or to an orderin an imaginary quadrartic field. In the first case we say E is supersingularand in the second case we say E is ordinary.

In the following, we strict ourselves in the ordinary case.


The supersingular case

Supersingular elliptic curves

|E (Fq)| = q + 1− t, t ≡ 0 mod p

A first remarkFor supersinular elliptic curves over Fp, p ≥ 5.

|E (Fp)| = p + 1


Supersingular ellipitc curves have low embedding degree

Menezes-Okamoto-Vanstone (1993)Use Weil pairing to map discrete logarithms of E (Fq) to discretelogarithms of Fqk where k is minimal s.t. |E (Fq)| | qk − 1.Supersingular elliptic curves have k ≤ 6.

1 k 6= 52 char = 2 ⇒ k ≤ 4,3 q = p, p ≥ 5 ⇒ k ≤ 2


The supersingular case II

XThe DLP for supersingular elliptic curves /Fq can be reduced to discretelog calculations in Fq2 .

Frey-Rück (1996)Tate-Lichtenbaum pairings

5 The difficulty on supersingular curves is always subexponential.


Relation between `-isogenous curves and theirendomorphism rings

Kohel (1996)Let φ : E1 → E2 be an isogeny of prime degree `. They are exactly threecases:

OK OK OK| | |

End (E1) End (E2) End (E1) ' End (E2)| ` | ` |

End (E2) End (E1) Z[π]| |

Z[π] Z[π]Descending case Ascending case Horizontal case


Number and type of isogenies E → E ′ of prime degree `

Kohel (1996)

Case # Subcase #` 6 |cπ

` 6 |cE 1 + (D` ) →

`|cπ `− (D` ) ↓

` 6 | cπcE

`|cE 1 ↑`| cπ

cE` ↓

1 ↓ [End (E) : End (E′)] = `

2 ↑ [End (E′) : End (E)] = `

3 → End (E) = End (E′)

cE = [OK : End (E )], cπ = [OK : Z[π]].


Computing the endomorphism ring explicitly

Kohel (1996)There exists a deterministic algorithm that given an elliptic curve E overthe field Fq, computes the isomorphism type of the endomorphism ring E .If GRH holds, for any ε > 0 the algorithm runs in time O(q1/3+ε).


OK vs. O

For simplicity, to the following we strict ourselves to the case that theendomorphism ring is OK . The OK case is easier than any other O 6= OK .

X OK is a Dedekind ring.5 O is not a Dedeking ring.X OK is integrally closed.X Spec(OK ) has the same properties with the ring of holomorphicfunctions of non-singular curves.5 Spec(O) has the same properties with the ring of holomorphic functionsof curves with singularities.

X OK = Z + ωZ, ω =

{ √d if d 6≡ 1 mod 4,√d+12 if d ≡ 1 mod 4.


Isogeny graphs

SN,q = be the set of all E/Fq, up to isomorphism, that have order N.

The isogeny graphAn isogeny graph is a graph whose nodes consist of all elements in SN,qbelonging to a fixed level.

Equivalent isogeniesIsogenies φ, φ′ : E1 → E2 are equivalent if ∃α ∈ Aut (E2) s.t. φ′ = αφ.


Isogeny graphs for small degree

We denote G the regular graph whose:- nodes are elements in SN,q- edges are equivalence classes of horizontal isogenies defined over Fq ofprime degree ≤ (log q)2+δ, for a fixed constant δ > 0.

Why this bound???1 We choose this degree bound because it must be small enough to

permit isogenies to be computed, but large enough to allow the graphto be connected and to have the rapid mixing properties we ’ll needlater.

2 It is proven that a constant δ > 0 that satisfies all the requirementsexists.


The modular polynomial

There is a way, given an elliptic curve E and a prime number ` toefficiently compute any curve E ′ which is connected to E with an isogenyof degree `. Let S` = {E ′ s.t. ∃`-isogenyE → E ′}.

TheoremThere exists a (symmetric) polynomial Φ`(X , Y ) ∈ Z[X , Y ] s.t.

Φ`(X , j(E )) =∏

E ′∈S`

(X − j(E ′)).


Computing isogenous curves

Step 1We find the j-invariants of E ′ be solving the modular polynomial relationΦ`(j(E ), j(E ′)) = 0. This can be done in O(`3) field operations.

Step 2We obtain the isogenies themselves by using an algorithm of Foquet andMorain. There also methods by Vélu, Elkies, Atkin, et al.


Translation to Number Theory


Deuring’s Lifting Theorem

Let E/Fq ordinary elliptic curve. It exists a unique ell. curve E definedover a number field K s.t.

1 End (~E) = End (E)

2 E mod q = E/Fq

The isogeny graph of E can be lifted to an isogeny graph of E .E has CM with field K and it is determined by the Hilbert class field of K .


Some CM Theory

1 Each invertible ideal a ⊂ O produces an elliptic curve C/a definedover the class field L of O. (Q ⊂ L ⊂ C).

2 The curve C/a has complex multiplication by O, and two differentideals yield isomorphic curves if and only if they belong to the sameideal class.

3 Each invertible ideal b ⊂ O defines an isogeny C/a → C/ab−1, andthe degree of this isogeny is N(b).

4 It can be proved that for any prime ideal P in L lying over p, thereductions mod P of the above elliptic curves and isogenies aredefined over Fq, and every elliptic curves and every horizontal isogenyin G arises in this way.


The isomorphic ideal class graphs

The isogeny graph revisitedThe isogeny graph G is isomorphic to the corresponging graph H whose-nodes are elliptic curves C/a with CM by O-edges are complex analytic isogenies represented by ideals b ⊂ O of primenorm ≤ (log q)2+δ, for a fixed constant δ > 0.

This isomorphism preserves the degrees of isogenies, in the sense that thedegree of any isogeny in G is equal to the norm of its corresponding ideal b

in H.

We can now create one additional isomorphic graph to the above.


The isomorphic ideal class graphs

By class field theory...

The ideal class graphThe isogeny graph G is isomorphic to the corresponging graph H′ whose- each node of H′ is an ideal class of O,- two ideal classes [a1], [a2] are connected by an edge ⇔ exists prime idealb with N(b) ≤ (log q)2+δ s.t. [a1b] = [a2].

G−→H−→H′

RemarkFor ordinary curves the isogeny graph G is symmetric and we can regard itas undirected.


A small example

Take K = Q(√−1453).

1 −1453 mod 4 = 3.2 hK = 14.3 OK = Z +

√−1453Z.

4 Pic (OK) = Z/14.5 I :=< 34, 3ω − 3 > generates OK .6 Calculate I i ,∀1 ≤ i ≤ 14.7 I ↔ QF (I )8 Reduce the QF9 Convert back to ideals10 Calculate its norm


A small example II

i Reduced QF Norm1 < 34, 6, 43 > 342 < 13,−8, 113 > 133 < 31,−4, 47 > 314 < 37, 16, 47 > 375 < 26, 18, 59 > 266 < 17,−6, 86 > 177 < 2, 2, 727 > 28 < 17, 6, 86 > 179 < 26, 18, 59 > 2610 < 37, 16, 41 > 3711 < 31, 4, 47 > 3112 < 13, 8, 113 > 1313 < 34,−6, 43 > 3414 < 1, 0, 1453 > 1


...and our graph


Some graph theory

G = (V, E) be a finite k-regular graph with h vertices. (k-regular =exactly k edges meet at each vertice).

1 Let V = {v1, ..., vh}. The adjacency matrix of G is the symmetrich × h matrix A = [Aĳ ], where Aĳ = #of edges between vi and vj

2 We can identify functions on V with vectors in Rh and think of A as aself-adjoint operation on L2(V). All the eigenvalues of A satisfy thebound |λ| ≤ k.

3 Constant vectors are eigenfunctions of A with eigenvalue k. This iscalled the trivial eigenvalue.


Ramanujan and nearly Ramanujan graphs

Ramanujan graphsA k-regular graph G is called a Ramanujan graph if all non-constanteigenvectors have eigenvalues |λ| ≤ 2

√k − 1 for any nontrivial eigenvalue

which is not equal −k.

Nearly Ramanujan graphsA "nearly Ramanujan" graph is a graph that all nontrivial eigenvalues ofits adjacency matrix satify O(kβ), β < 1.


A standard result from graph theory

PropositionLet G be a k-regular graph with h vertices. Suppose that the eigenvalue λof any non-constant eigenvector satisfies the bound |λ| ≤ c for somec < k. Let S be any subset of the vertices of G, and x be any vertex in G.Then a random walk of any length at least log 2h/|S|1/2

log k/c starting from x will

land in S with probability at least |S|2h .

Our aimProve that the isogeny graph (or its isomorphic ideal class graph) is nearlyRamanujan, then above proposition will give us the wanted result.


Storage problems

ProblemThe isogeny graph has O(

√q) vertices and this makes it too large to be

stored.

SolutionDon’t consider all the isogenies. Compute graph locally.


Sketch of the proof

1 Prove that the non-trivial eigenvalues are properly bounded2 Prove that the isogeny graph is nearly Ramanujan


Sketch of the proof - Step 1

RemarkThe H graph has one node for each ideal class of O i.e. h(O).

We denote the ideal class representatives with {α1, ..., αh}.The isomorphism between G and H implies that the generating functionfor degree n isogenies between the vertices αi and αj of G is given by

∞∑n=1

Mαi ,αj (n)qn :=1e

∑z∈α−1

i αj

qN(z)/N(α−1i αj ),

where e is the number of units in O (e = 2 for D > 4).The righthand side sum depends only in the ideal class of the fractionalideal α−1

i αj and in fact is a θ-series, which we can denote as θα−1i αj

(q).

∞∑n=1

Mαi ,αj (n)qn =1eθα−1

i αj(q)



We consider the simpler graph on V = {a1, ..., ah} whose edges representisogenies of degree exactly equal to n.

The adjacency matrix of V is the h × h matrix

M(n) =[Mαi ,αj (n)

]{1≤i ,j≤h}

We can do diagonilization to these adjacency matrices for all n’s at onceto get the eigenvalues.

In order to do this we define the matrix

Aq =∑n≥1

M(n)qn,

for any value q < 1 (where the sum converges absolutely).



Hence, we have that

Aq =

∑n≥1

Mαi ,αj (n)qn

=

[1eθα−1

i αj(q)

]{1≤i ,j≤h}

.

Let χ =

χ(a1)...

χ(ah)

to be a character of Cl (O), then the i-th entry of the

vector Aqχ, computed by matrix multiplication is

(Aqχ)(αi ) =1e

h∑j=1

θα−1i αj

(q)χ(αj),



i.e. (by reindexing αj 7→ αiαj)

(Aqχ)(αi ) =1e

h∑j=1

χ(αj)θαj (q)

χ(αi ).

i.e.

(eAq)

χ(a1)...

χ(ah)

=

∑αj∈Cl (O)

χ(αj)θαj (q)

χ(a1)

...χ(ah)

.

i.e.

(eAq)χ =

∑αj∈Cl (O)

χ(αj)θαj (q)

χ.



Hence, χ is an eigenvector of the matrix eAq with eigenvalue equal to thesum of θ-functions enclosed in parentheses (called the Hecke θ-function).

The L-functions of these Hecke characters can be written as

L(s, χ) =∑a⊂K

χ(a)(Na)−s



By settingan(χ) :=

∑a⊂K ,Na=n

χ(a)

we can write

L(s, χ) =∞∑

n=1

an(χ)n−s .

It is easy to check that an is the eigenvalue of eM(n) for the eigenvectorformed by the character χ as above.



Our isogeny graph is a superposition of the graphs M(n), where n is aprime bounded by m = (log q)2+δ for some fixed δ > 0.

We recall that this graph is isomorph to a graph on the elliptic curvesrepresented by ideal classes in O, where K = Q(

√d), whose edges are

isogenies of prime degree ≤ m.



The characters χ of Cl (O) are the common eigenvalues of the adjacencymatrices {M(p) | p ≤ m} of these graphs. So their eigenvalues are

λχ =1e

∑p≤m

ap(χ)

i.e.

λχ =1e

∑p≤m

∑a⊂K ,Na=p

χ(a)

.

Here comes the GRHLet χ is a nontrivial character of Cl (O). The GRH for L(s, χ) implies thatλχ is bounded by O(m1/2log |mD|) with an absolute implied constant.



When χ is the trivial character λtriv equals the degree of the regular graphG.

Since roughly half of rational primes p split in K , and those which do, splitinto two ideals of norm p we have that

λtriv ∼1eπ(m) ∼ m

elog m,

by the prime number theorem.

This eigenvalue is always the largest in absolute value, because |χ(a)|always equals 1 when χ is the trivial character.



There are only finitely many levels for q less than any given bound, so itsuffices to prove it for q large.

We have that λχ is bounded by O(m1/2log |mD|) with an absolute impliedconstant. On the other hand|D| ≤ 4q, λtriv ∼ m

elog m , m = (log q)2+δ, δ > 0. These imply that

λχ = O(λβtriv ),

for any β > 12 + 1

δ+2 .

This proves that our graphs are nearly Ramanujan graphs.


Main result

Theorem (Assuming GRH)Let E be an elliptic curve of order N over Fq. There exists a polynomialP(x), independent of N and q, s.t. for P(log q), the isogeny graph G oneach level is a nearly Ramanujan graph and any random walk on G willreach a subset of size h with probability at least h

2|G| after polylog(q) steps.


The DLP on Curves with the same endomorphism ring: The genus 1 case

Documents

Transcript of The DLP on Curves with the same endomorphism ring: The genus 1 case