Group Structure of EC | Isogenies in Cryptography | CSIDH Graph: $G(\mathbb{F}_p, \ell)$ | SIDH Graph: $G(\overline{\mathbb{F}}_p, \ell)$ | Smoothness of Non-Maximal Orders
Elliptic Curves and Isogenies
L. Babinkostova, A. Gao, B. Kuehnert, G. Schlafly, Z. Yi
2019 REU CAD Symposium
Boise State University
August 1, 2019
Group Structure of EC
Isogenies in Cryptography
CSIDH Graph: $G(\mathbb{F}_p, \ell)$
SIDH Graph: $G(\overline{\mathbb{F}}_p, \ell)$
Smoothness of Non-Maximal Orders
Elliptic Curve
An elliptic curve $E$ defined over a field $K$ with $\operatorname{char} K \neq 2, 3$ is the set
$E/K = \{(x, y) \in \overline{K}^2 : y^2 = x^3 + Ax + B\}$
with $A, B \in K$ such that $4A^3 + 27B^2 \neq 0$.
The $K$-rational points of $E$ is the subset:
$E(K) = \{(x, y) \in K^2 : y^2 = x^3 + Ax + B\}$.
Elliptic Curve Group Law
Both $E/K$ and $E(K)$ are Abelian groups under this group law:
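Elliptic Curve Group
Theorem (Hasse)
Let $E$ be an elliptic curve defined over $\mathbb{F}_{p^r}$. Then,
$\#E(\mathbb{F}_{p^r}) = p^r + 1 - t$
where $|t| \le 2\sqrt{p^r}$.
We call an elliptic curve supersingular if $p \mid t$.
Theorem
Let $E$ be an elliptic curve defined over $\mathbb{F}_{p^r}$. Then,
$E(\mathbb{F}_{p^r}) \cong \mathbb{Z}/n_1\mathbb{Z} \oplus \mathbb{Z}/n_2\mathbb{Z}$
where $n_1 n_2 = \#E(\mathbb{F}_{p^r})$ and $n_1 \mid n_2$.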
j-invariants
The j-invariant will prove to be an important tool to classify elliptic curves.
For an elliptic curve $E : y^2 = x^3 + Ax + B$,
$j(E) = 1728 \cdot \dfrac{4A^3}{4A^3 + 27B^2}$.
Notice,
• $j(E) = 0$ if and only if $A = 0$.
• $j(E) = 1728$ if and only if $B = 0$.
Isogenies
Let $E, E'$ be elliptic curves over $K$. An isogeny is a surjective homomorphism
$\phi : E(\overline{K}) \to E'(\overline{K})$.
Isogenies are rational maps, so they are of the form
$\phi(x, y) = \left( \dfrac{f_1(x, y)}{f_2(x, y)}, \dfrac{f_3(x, y)}{f_4(x, y)} \right)$
Isogenies come in two flavors
• Defined over $K$, so $f_i \in K[x, y]$
• Defined over $\overline{K}$, so $f_i \in \overline{K}[x, y]$
Isogeny Classes
Theorem
For every isogeny $\phi : E \to E'$ there exists an isogeny called the dual isogeny $\hat{\phi} : E' \to E$.
Corollary
"$E$ is isogenous to $E'$" is an equivalence relation.
Theorem (Sato-Tate)
Let $E_1, E_2$ be elliptic curves over $K$. Then,
$E_1$ is isogenous to $E_2 \iff \#E_1(K) = \#E_2(K)$.
The Initial Research Question
Suppose $E_1$ and $E_2$ are elliptic curves over $K$ that are isogenous. What can we say about the groups $E_1(K)$ and $E_2(K)$?
From Sato-Tate, we know $\#E_1(K) = \#E_2(K)$. But, is it the case that $E_1(K) \cong E_2(K)$?
Findings
Let $E_1$ and $E_2$ be elliptic curves defined over a finite field $\mathbb{F}_{p^r}$.
• If $E_1$ and $E_2$ are ordinary (not supersingular), then
$E_1$ is isogenous to $E_2 \iff E_1(K) \cong E_2(K)$
This was later found in [Cox].
• If $j(E_1) = j(E_2) = 0$, then
$E_1$ is isogenous to $E_2 \iff E_1(K) \cong E_2(K)$
• If $j(E_1) = j(E_2) = 1728$ and $r$ is even, then
$E_1$ is isogenous to $E_2 \iff E_1(K) \cong E_2(K)$
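An added example (not from the slides) for the research question above: over $\mathbb{F}_7$ (so $r = 1$), the curves $y^2 = x^3 + x$ and $y^2 = x^3 - x$ both have $j = 1728$ and the same number of points, so they satisfy the order criterion from the Isogeny Classes slide, yet their groups $\mathbb{Z}/n_1\mathbb{Z} \oplus \mathbb{Z}/n_2\mathbb{Z}$ differ. Function names are illustrative, and brute-force point counting is only suitable for tiny $p$.

```python
from math import gcd

def j_invariant(A, B, p):
    """j(E) = 1728 * 4A^3 / (4A^3 + 27B^2), computed in F_p."""
    num = 4 * pow(A, 3, p) % p
    den = (num + 27 * B * B) % p
    if den == 0:
        raise ValueError("4A^3 + 27B^2 = 0: not an elliptic curve")
    return 1728 * num * pow(den, -1, p) % p

def points(A, B, p):
    """All of E(F_p) by brute force; None stands for the point at infinity."""
    pts = [None]
    for x in range(p):
        rhs = (x * x * x + A * x + B) % p
        pts.extend((x, y) for y in range(p) if y * y % p == rhs)
    return pts

def add(P, Q, A, p):
    """Chord-and-tangent group law on y^2 = x^3 + Ax + B over F_p."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None  # P + (-P); also covers doubling a point with y = 0
    if P == Q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % p, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def point_order(P, A, p):
    """Smallest n >= 1 with nP equal to the point at infinity."""
    n, Q = 1, P
    while Q is not None:
        Q = add(Q, P, A, p)
        n += 1
    return n

def describe(A, B, p):
    """Order, Hasse trace t, supersingularity (p | t) and (n1, n2) with n1 | n2."""
    pts = points(A, B, p)
    order = len(pts)
    trace = p + 1 - order
    # The exponent of Z/n1 + Z/n2 with n1 | n2 is n2, so n1 = order / exponent.
    exponent = 1
    for P in pts:
        k = point_order(P, A, p)
        exponent = exponent * k // gcd(exponent, k)
    return {
        "j": j_invariant(A, B, p),
        "order": order,
        "trace": trace,
        "supersingular": trace % p == 0,
        "group": (order // exponent, exponent),
    }

if __name__ == "__main__":
    p = 7
    for A in (1, p - 1):  # y^2 = x^3 + x and y^2 = x^3 - x
        print(f"y^2 = x^3 + {A}x over F_{p}:", describe(A, 0, p))
```

Both curves are supersingular with trace 0; the first has a single point of order 2, the second has three, which is what separates the two group structures.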
Isogenies in Cryptography
CSIDH and SIDH are proposed isogeny-based post-quantum cryptosystems.
• security relies on the difficulty of finding the isogeny between two supersingular elliptic curves
• represent isogeny as a path on a graph
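Two Graphs
Vertices are $\mathbb{F}_p$ or $\overline{\mathbb{F}}_p$ isomorphism classes of supersingular elliptic curves.
• CSIDH: $G(\mathbb{F}_p, \ell)$
• SIDH: $G(\overline{\mathbb{F}}_p, \ell)$
Edges represent cyclic (separable) $\ell$-isogenies over $\mathbb{F}_p$ or $\overline{\mathbb{F}}_p$ up to equivalence.
• An $\ell$-isogeny is an isogeny $\phi$ with $\deg \phi = \#\ker \phi = \ell$.
• Isogenies $\phi$ and $\psi$ are equivalent if $\ker \phi = \ker \psi$.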
Cycle Lengths of the Graph $G(\mathbb{F}_p, \ell)$
According to Delfs and Galbraith, there are always two levels in the graph $G(\mathbb{F}_p, \ell)$. We denote the subgraphs of surface level and floor level by $G_1$ and $G_2$.
Theorem
Let $m$ and $n$ be the cycle length in $G_1$ and $G_2$, respectively.
• If $p \equiv 1 \bmod 4$, then $m \mid h(-4p)$ and $n = 0$.
• If $p \equiv 3 \bmod 8$, then $m \mid h(-p)$ and $n \mid h(-p)$.
• If $p \equiv 7 \bmod 8$, then $m, n \mid h(-p)$ and $m = n$.
Cycle Lengths of the Graph $G(\mathbb{F}_p, \ell)$
Example
$\ell$    Structure of $\tilde{G}(\mathbb{F}_{10247}, \ell)$
3     five 21-cycles on both levels
7     one 105-cycle on both levels
11    seven 15-cycles on both levels
13    twenty one 5-cycles on both levels
17    three 35-cycles on both levels
23    thirty five 3-cycles on both levels
29    fifteen 7-cycles on both levels
Table: Structure of Isogeny Graph over $\mathbb{F}_{10247}$
Commutativity of Isogenies of Degree 2 and $\ell$
Theorem
When $p \equiv 7 \bmod 8$ and $h(-p)$ is prime, for vertices $P, Q$ on different levels, whenever there exists an isogeny of degree 2 followed by an isogeny of degree $\ell$ from $P$ to $Q$, there also exists an isogeny of degree $\ell$ followed by an isogeny of degree 2 from $P$ to $Q$.
Commutativity of Isogenies of Degree 2 and $\ell$
Figure: Commutativity of $G(\mathbb{F}_{151}, 2)$ and $G(\mathbb{F}_{151}, 5)$
Commutativity of Isogenies of Degree 2 and $\ell$
Theorem
• When $p \equiv 3 \bmod 8$ and $h(-p)$ is prime not equal to 3, for vertices $P, Q$ on different levels, whenever there exists an isogeny of degree 2 followed by an isogeny of degree $\ell$ from $P$ to $Q$, there also exists an isogeny of degree $\ell$ followed by an isogeny of degree 2 from $P$ to $Q$.
• When $p \equiv 1 \bmod 4$, for any two vertices $P, Q$ on the graph, whenever there exists an isogeny of degree 2 followed by an isogeny of degree $\ell$ from $P$ to $Q$, there also exists an isogeny of degree $\ell$ followed by an isogeny of degree 2 from $P$ to $Q$.
Commutativity of Adjacency Matrices
Theorem
Let $A_2$ and $A_\ell$ denote the adjacency matrices for the graphs $G(\mathbb{F}_p, 2)$ and $G(\mathbb{F}_p, \ell)$, respectively, where $\ell > 2$ and $\left(\frac{-p}{\ell}\right) = 1$.
• If $p \equiv 1 \bmod 4$, then $A_2 \cdot A_\ell = A_\ell \cdot A_2$.
• If $p \equiv 3 \bmod 8$ and $h(-p) \neq 3$ is prime, then $A_2 \cdot A_\ell = A_\ell \cdot A_2$.
• If $p \equiv 7 \bmod 8$ and $h(-p)$ is prime, then $A_2 \cdot A_\ell = A_\ell \cdot A_2$.
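Graphs over $\overline{\mathbb{F}}_p$
$G(\overline{\mathbb{F}}_p, \ell)$: supersingular $\ell$-isogeny graph over $\overline{\mathbb{F}}_p$
• vertex: j-invariant (same j-invariant iff $\overline{\mathbb{F}}_p$-isomorphic)
• edge: $\ell$-isogeny
Figure: The graph $G(\overline{\mathbb{F}}_{103}, 2)$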
Graph and Adjacency Matrix Properties
Graph $G(\overline{\mathbb{F}}_p, \ell)$:
• directed multigraph
• Ramanujan
• $(\ell + 1)$-regular
Adjacency matrix $A_\ell$ of $G(\overline{\mathbb{F}}_p, \ell)$:
• $a_{ij}$ = number of edges from $v_i$ to $v_j$
• nonsymmetric square matrix
Composite Degree Adjacency Matrices
Let $N = \prod_i p_i^{e_i}$. We want $A_N$ in terms of $A_{p_i}$.
Difficulties:
• each edge represents isogenies up to equivalence
• only want $G(\overline{\mathbb{F}}_p, N)$ to include cyclic isogenies
So, $A_N \neq \prod_i (A_{p_i})^{e_i}$, because the matrix multiplication over-counts.
Combining Prime Degree Matrices
Theorem
If $m$ and $n$ are distinct primes, then
$A_m \cdot A_n = A_{mn} = A_n \cdot A_m$.
Proof.
Every $mn$-isogeny $\phi_{mn}$ can be expressed as the composition of isogenies of degree $m$ and $n$,
$\phi_m \circ \phi_n = \phi_{mn} = \psi_m \circ \psi_n$.
Prime Powers
Theorem
Let $\ell$ be a prime. Then,
$(A_\ell)^2 - (\ell + 1)A_\ell = A_{\ell^2}$.
Theorem
Let $\ell$ be a prime. Then,
$(A_\ell)^3 - (2\ell + 1)A_\ell = A_{\ell^3}$.
A Quick Callback to Cryptography
The problem on which CSIDH is based:
1. Given $P, Q$ elliptic curves over $\mathbb{F}_p$ in $\mathcal{E}\ell\ell_p(\mathcal{O}, \pi)$, compute $[g] \in \mathrm{cl}(\mathcal{O})$ such that $[g] \star P = Q$.
Side note: this is an analogous version of the discrete logarithm problem!
Security
CSIDH achieves "quantum security" since the computation of each action is hard.
"One of the main selling points is that quantum computers do not seem to make the isogeny-finding problem substantially easier...the set $\mathcal{E}\ell\ell_p(\mathcal{O})$ we are acting on does not form a group with efficiently computable operations" = quantum subexponential complexity
The Pohlig-Hellman Attack
But to add security, why not just blow up the size of $\#\mathrm{cl}(\mathcal{O})$?
→ Is there a way some subgroup of $\mathrm{cl}(\mathcal{O})$ could be used to reveal structure about the whole?
The Pohlig-Hellman Attack uses the subgroup structure of $\mathrm{cl}(\mathcal{O})$ to solve the main problem in time
$O\left(\sqrt{\text{largest prime factor of } \#\mathrm{cl}(\mathcal{O})}\right)$
How often does $\#\mathrm{cl}(\mathcal{O})$ have large prime factors?
Our Results
Theorem
Let $D \in \mathbb{Z}^+$, $u > 1 \in \mathbb{R}$. Suppose $H$ is an upper bound for all $h(\mathcal{O}_\Delta)$ such that $|\Delta| \le D$. Let $\Delta$ be a randomly chosen non-fundamental discriminant with $|\Delta| \le D$. If we set $B = H^{1/u}$ to be the smoothness bound, then for any random integer $x \in [1, H]$
$\lim_{D \to \infty} \dfrac{\Pr[\, h(\Delta) \text{ is } B\text{-smooth} \,]}{\Pr[\, x \text{ is } B\text{-smooth} \,]} > 1.$
Namely, the probability the class number of a non-maximal order is $B$-smooth is larger than that of random integers in the same range.
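An added example (not from the slides) for the Pohlig-Hellman and Our Results slides: it computes class numbers of imaginary quadratic orders by counting reduced primitive binary quadratic forms, reports the largest prime factor that the $O(\sqrt{\cdot})$ bound depends on, and measures both smoothness fractions from the theorem for a small $D$. Function names and the choice of $D$ are assumptions; the theorem is a statement about the limit $D \to \infty$, which a small experiment cannot prove.

```python
from math import gcd, isqrt, sqrt

def is_squarefree(n):
    return all(n % (q * q) for q in range(2, isqrt(n) + 1))

def is_fundamental(D):
    """True when D < 0 is the discriminant of a maximal order."""
    if D % 4 == 1:
        return is_squarefree(-D)
    if D % 4 == 0:
        m = D // 4
        return m % 4 in (2, 3) and is_squarefree(-m)
    return False

def class_number(D):
    """h(D) for D < 0, D = 0 or 1 mod 4: count reduced primitive forms (a, b, c)."""
    if D >= 0 or D % 4 not in (0, 1):
        raise ValueError("not a negative discriminant")
    h = 0
    for a in range(1, isqrt(-D // 3) + 1):
        for b in range(-a + 1, a + 1):          # -a < b <= a
            if (b - D) % 2 or (b * b - D) % (4 * a):
                continue
            c = (b * b - D) // (4 * a)
            if c < a or (c == a and b < 0):     # reduced: a <= c, b >= 0 if a == c
                continue
            if gcd(gcd(a, b), c) == 1:          # primitive forms only
                h += 1
    return h

def largest_prime_factor(n):
    best, q = 1, 2
    while q * q <= n:
        while n % q == 0:
            best, n = q, n // q
        q += 1
    return n if n > 1 else best

def pohlig_hellman_cost(h):
    """Square root of the largest prime factor of the group order h."""
    return sqrt(largest_prime_factor(h))

def smoothness_comparison(D_max, u):
    """Fractions of B-smooth values among h(Delta), Delta non-fundamental with
    |Delta| <= D_max, and among the integers 1..H, where B = H**(1/u)."""
    hs = [class_number(-d) for d in range(3, D_max + 1)
          if (-d) % 4 in (0, 1) and not is_fundamental(-d)]
    H = max(hs)
    B = H ** (1.0 / u)
    smooth_h = sum(largest_prime_factor(h) <= B for h in hs) / len(hs)
    smooth_x = sum(largest_prime_factor(x) <= B for x in range(1, H + 1)) / H
    return {"H": H, "B": B, "class_numbers": smooth_h, "integers": smooth_x}

if __name__ == "__main__":
    for D in (-23, -92, -47):
        h = class_number(D)
        print(D, "fundamental" if is_fundamental(D) else "non-fundamental",
              "h =", h, "sqrt(largest prime factor) =", round(pohlig_hellman_cost(h), 2))
    print(smoothness_comparison(2000, 2))
```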
Acknowledgements
This research is sponsored by NSF grant DMS-1659872 and Boise State University.