
Isogenies and Endomorphism Rings of Abelian Varieties of Low Dimension PDF

221 Pages·2016·1.36 MB·English

Preview Isogenies and Endomorphism Rings of Abelian Varieties of Low Dimension

Isogenies and Endomorphism Rings of Abelian Varieties of Low Dimension

Dissertation accepted by the Faculty of Mathematics and Natural Sciences of the Carl von Ossietzky Universität Oldenburg for the degree and title of Doctor of Natural Sciences (Dr. rer. nat.), by Christina Delfs, born 4 April 1986 in Leer.

Referee: Prof. Dr. Andreas Stein
Second referee: Prof. Dr. Florian Heß
Date of defense: 16 October 2015

Summary

Isogenies between abelian varieties over finite fields often play an important role both in theoretical considerations in modern number theory and in cryptographic applications of this area. It is therefore interesting, given isogenous varieties $A_0$ and $A_1$ of the same dimension $g$ over a field $K$, to find efficient methods for computing an isogeny $\varphi : A_0 \to A_1$. The problems that arise become very complex with increasing dimension, so we first concentrate on the case of elliptic curves over a finite field.

The existing algorithms for computing isogenies favor ordinary curves because of the structure of their endomorphism rings and have a worse running time for supersingular curves. In this thesis we develop theoretical results that lead in particular to a new algorithm. For supersingular elliptic curves over $\mathbb{F}_p$ it improves notably on the previous approaches and is as fast as the algorithms for isogenies of ordinary elliptic curves. To this end we use restricted endomorphism rings to establish a novel connection of such curves and $\mathbb{F}_p$-rational isogenies to an ideal class group. To achieve this we use means similar to those of the well-known Deuring Reduction Theorem for endomorphism rings of ordinary elliptic curves. We also show that isogenies under this reduction are always defined over $\mathbb{F}_p$.

These results yield a simple description of the $\mathbb{F}_p$-rational isogeny graphs of supersingular elliptic curves as a level-like structure which, similar to the already known ordinary isogeny volcanoes, is the basis of the new computational method with feasible bi-directional searches. Implementations of the resulting algorithm and of the classical method in MAGMA give computational results that confirm the preceding complexity analyses.

In addition to the elliptic case we investigate the possible generalizations to higher dimension, above all the situation of Jacobians of hyperelliptic curves of genus two. Supersingular abelian varieties in particular turn out to be difficult here, since approaches from the ordinary case do not apply. The differing theoretical backgrounds affect possible solutions of isogeny computation problems and present greater obstacles than for elliptic curves.

Abstract

Isogenies between abelian varieties defined over a finite field play an important role in theoretical considerations of modern number theory as well as in cryptographic applications of this area. Therefore it is interesting to find efficient methods for computing an isogeny $\varphi : A_0 \to A_1$ for given isogenous varieties $A_0$ and $A_1$ of the same dimension $g$ over a field $K$. The occurring problems become very complex with higher dimension, so we concentrate first on the case of elliptic curves defined over a finite field.

Existing algorithms for such elliptic curves so far favor ordinary curves due to their endomorphism ring structure and have a worse running time for supersingular curves. In this thesis we develop new structural results leading in particular to an algorithm which for supersingular elliptic curves defined over $\mathbb{F}_p$ improves the previous approaches notably and which is as fast as the algorithms for isogenies of ordinary elliptic curves. In order to achieve this, we find out how to use restricted endomorphism rings to establish a connection of such elliptic curves and $\mathbb{F}_p$-rational isogenies to an ideal class group, using means analogous to the famous Deuring Reduction Theorem for the endomorphism rings of ordinary elliptic curves. We also show that isogenies under this reduction are defined over $\mathbb{F}_p$.

These results yield a simple description of $\mathbb{F}_p$-rational supersingular isogeny graphs in an ordered level-structure, which provides the basis for the new computational method of feasible bi-directional searches like in the well-known ordinary isogeny volcanoes. MAGMA implementations of the emerging algorithm and the classical method reveal computational results which validate the preceding complexity analysis.

In addition to the elliptic case, we also investigate the possible generalizations to higher dimension where we focus on Jacobians of hyperelliptic curves of genus two. Especially supersingular abelian varieties prove to be more difficult in this setting since successful approaches of the ordinary case cannot be generalized directly. Diverging background theories affect the possible solution of problems concerning isogeny computation and present obstacles which appear much harder to access than for elliptic curves.

Contents

Table of Contents
1 Introduction
2 Theoretical Foundations
    2.1 Basic Concepts
        2.1.1 Algebraic Varieties and Isogenies
        2.1.2 Supersingular Elliptic Curves
    2.2 Endomorphism Rings of Abelian Varieties
        2.2.1 General Concepts
        2.2.2 Ordinary Elliptic Curves
        2.2.3 Supersingular Elliptic Curves
    2.3 Graph Theory
        2.3.1 Basic Concepts
        2.3.2 Expander Graphs
3 Connection to Elliptic Curves over Number Fields
    3.1 Complex Multiplication
    3.2 The Characteristic Zero Picture
        3.2.1 Vertical Connections Between Levels
        3.2.2 Horizontal Links and the Ideal Class Group
    3.3 Lifting and Reduction
        3.3.1 Deuring's Theorems
        3.3.2 Reduction to Supersingular Elliptic Curves
4 Arithmetic Isogeny Problems
    4.1 The Ordinary Elliptic Isogeny Problem
        4.1.1 Ordinary Isogeny Graphs
        4.1.2 Resulting Algorithms and Complexity Analysis
    4.2 The Supersingular Isogeny Problem
        4.2.1 Supersingular Isogeny Graphs
        4.2.2 Restriction to $\mathbb{F}_p$-rational Elliptic Curves
        4.2.3 Resulting Algorithm and Complexity Analysis
        4.2.4 Application on Arbitrary Supersingular Curves
    4.3 Isogenies between Abelian Varieties
        4.3.1 Computing Isogenies with Given Kernel
        4.3.2 Horizontal and Vertical Isogenies
        4.3.3 The Supersingular Case
5 Cryptography with Elliptic Curves and Isogenies
    5.1 Cryptography Based on the ECDLP
        5.1.1 MOV Attack via Pairings
        5.1.2 Anomalous Elliptic Curves
        5.1.3 Weil Descent Attack
    5.2 Supersingular Isogenies in Cryptography
        5.2.1 A Cryptographical Hash Function
        5.2.2 A Proposed Quantum Resistant Cryptosystem
6 Conclusion and Outlook
List of Figures
List of Tables
List of Algorithms
References
A MAGMA Program Codes
B Computational Results
C Example Graphs

1 Introduction

Abelian varieties are important objects from algebraic geometry and number theory. They arise as algebraic varieties from a set of defining polynomials and at the same time they build an abelian group. Thus they have much structure that can be worked with and they turn out to be the basis of an interesting field of theory. Elliptic curves are abelian varieties of genus one and have been of theoretical interest for many years before they were discovered for cryptographic applications. By now they are of great significance in many areas of recent research and play an important role in modern number theory and cryptography. They contribute a fundamental part in the proof of Fermat's Last Theorem and can be used for integer factorization and several public key cryptosystems.

When regarded from different sides of theory, elliptic curves can be described with either algebraic elements or provide a connection to analytical objects, so they prove to be a many-faceted field of research. There are many standard references concerning the theory of elliptic curves (e.g. [38], [75], [91]) and their cryptographic applications (e.g. [13]) which provide a good overview.

Isogenies are rational maps between abelian varieties over a field $K$ which have a finite kernel and are geometrically surjective. They appear in various applications of elliptic curves both in subjects of theoretical background and in cryptographic issues. Several properties of elliptic curves can be mapped to other elliptic curves via isogenies and thus problems for all elliptic curves in an isogeny class can be solved by showing them for a single representative.

It is easy to find out whether two given abelian varieties $A_0$ and $A_1$ which are defined over a finite field $\mathbb{F}_q$ lie in the same isogeny class; that is, whether there exists a non-constant isogeny between them. We will see from Tate's Isogeny Theorem in [86] that this is the case if and only if we have $\#A_0(\mathbb{F}_q) = \#A_1(\mathbb{F}_q)$. But explicitly and efficiently computing such an isogeny in terms of a rational map turns out to be a more difficult matter, even for low dimension.

Problem 1 (General Isogeny Problem). Given two isogenous abelian varieties $A_0$ and $A_1$ of dimension $g$ over a finite field $K$, compute an isogeny $\varphi : A_0 \to A_1$.

For $g = 1$ and ordinary elliptic curves there are algorithms based on an idea of Galbraith [27] which solve this task in $\tilde{O}(q^{1/4})$ field operations and storage¹, but for supersingular elliptic curves these ideas do not work due to different structures of their endomorphism rings.

¹ We will explain about complexity notation at the end of the Introduction chapter.

Even though supersingular elliptic curves over a finite field of prime characteristic $p$ are always defined over $\mathbb{F}_p$ or $\mathbb{F}_{p^2}$, the fastest method dealing with the problem of computing isogenies there has a running time of $\tilde{O}(p^{1/2})$ so far. There exist several cryptographic schemes – presented in Section 5 – supposedly relying on the hardness of computing such isogenies, so the question arises whether there are better methods for solving this problem. We explicitly pose this problem as follows.

Problem 2 (Supersingular Elliptic Isogeny Problem). Given two supersingular elliptic curves $E_0$ and $E_1$ over a finite field $K$, compute an isogeny $\varphi : E_0 \to E_1$ with an algorithm that has complexity similar to the ones in the ordinary case.

In this work we answer this question for the case where the supersingular elliptic curves $E_0$ and $E_1$ are defined over $\mathbb{F}_p$, that is for $K = \mathbb{F}_p$ in the situation of the problem. In order to accomplish this, we have to develop a modified version of the Deuring Reduction Theorem to establish a relation between the endomorphism rings of elliptic curves over certain number fields and the $\mathbb{F}_p$-rational endomorphism rings of supersingular elliptic curves defined over $\mathbb{F}_p$.

Deuring's original theorem in [19] only preserves the endomorphism ring of ordinary elliptic curves after such a lifting and reduction process. We have shown with lifting theory, arithmetic of quadratic number fields and theory of ideal class groups that an analogous correspondence holds for supersingular curves when we restrict the endomorphism ring, see Theorem 3.18 for the details and the proof.

Result. Let $E$ be a supersingular elliptic curve defined over $\mathbb{F}_p$. Then there exists an elliptic curve $\tilde{E}$ defined over a number field which reduces to $E$ modulo $p$ and we have $\operatorname{End} \tilde{E} \cong \operatorname{End}_{\mathbb{F}_p} E$. The correspondence via lifting and reduction between those curves is uniquely defined up to isomorphism.

Furthermore we can also get a result as in Proposition 3.19 about the isogenies connecting such supersingular elliptic curves and their behavior under reduction.

Result. Let $\tilde{E}_0$ and $\tilde{E}_1$ be elliptic curves over a number field such that their reductions $E_0$ and $E_1$ modulo $p$ are supersingular elliptic curves defined over $\mathbb{F}_p$. Let further $\tilde{\varphi} : \tilde{E}_0 \to \tilde{E}_1$ be an isogeny. Then there is an isogeny $\varphi : E_0 \to E_1$ which is defined over $\mathbb{F}_p$ such that $\tilde{\varphi}$ reduces to $\varphi$.
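As an added illustration (not code from the thesis), the sketch below applies the point-count criterion from Tate's Isogeny Theorem quoted in the Introduction to elliptic curves y^2 = x^3 + ax + b over a small prime field, and groups all such curves into isogeny classes. The function names, the short Weierstrass form, naive point counting and the choice p = 11 are assumptions made for this example; it also uses the standard fact that for p > 3 a curve over F_p is supersingular exactly when it has p + 1 points.

```python
# Added example: deciding isogeny (not computing one) over a small prime field.
# Curves are pairs (a, b) meaning y^2 = x^3 + a*x + b over F_p, p > 3 prime.

def legendre(n, p):
    """Legendre symbol (n/p) in {-1, 0, 1}, via Euler's criterion."""
    n %= p
    if n == 0:
        return 0
    return 1 if pow(n, (p - 1) // 2, p) == 1 else -1

def is_nonsingular(a, b, p):
    """True if the discriminant is non-zero, i.e. (a, b) defines an elliptic curve."""
    return (4 * a**3 + 27 * b**2) % p != 0

def count_points(a, b, p):
    """#E(F_p), including the point at infinity (naive O(p) count)."""
    if not is_nonsingular(a, b, p):
        raise ValueError("singular curve")
    return p + 1 + sum(legendre(x**3 + a * x + b, p) for x in range(p))

def are_isogenous(c0, c1, p):
    """Tate's criterion for elliptic curves over F_p: equal point counts."""
    return count_points(*c0, p) == count_points(*c1, p)

def is_supersingular(a, b, p):
    """For p > 3: supersingular iff trace of Frobenius is 0, i.e. #E = p + 1."""
    return count_points(a, b, p) == p + 1

def isogeny_classes(p):
    """Map each occurring point count to the list of curves (a, b) having it."""
    classes = {}
    for a in range(p):
        for b in range(p):
            if is_nonsingular(a, b, p):
                classes.setdefault(count_points(a, b, p), []).append((a, b))
    return classes

if __name__ == "__main__":
    p = 11  # constructed sample field; 11 = 3 mod 4 and 11 = 2 mod 3
    # j = 1728 and j = 0 are not isomorphic, yet both are supersingular here.
    print(are_isogenous((1, 0), (0, 1), p), is_supersingular(1, 0, p))
    for n, curves in sorted(isogeny_classes(p).items()):
        print(n, len(curves), "supersingular" if n == p + 1 else "ordinary")
```

The test only tells whether an isogeny exists; producing the map itself is Problem 1 and Problem 2 above, and the naive count is only practical for toy-sized p.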

Description:
It is easy to find out whether two given abelian varieties A0 and A1 which are defined over a finite field Fq O, so Λ can be regarded as a fractional ideal in O. Since every fractional ideal in imaginary with index calculus methods to get an ideal corresponding to a shorted isogeny path in the g