Post on 15-Mar-2020

Craig Costello

A gentle introduction to isogeny-based cryptography

Tutorial at SPACE 2016, December 15, 2016

CRRao AIMSCS, Hyderabad, India

Part 1: Motivation

Part 2: Preliminaries

Part 3: Brief SIDH sketch

Diffie-Hellman key exchange (circa 1976)

g = 123456789
q = 1606938044258990275541962092341162602522202993782792835301301

a = 685408003627063761059275919665781694368639459527871881531452
b = 362059131912941987637880257325269696682836735524942246807440

g^a mod q = 78467374529422653579754596319852702575499692980085777948593
g^b mod q = 560048104293218128667441021342483133802626271394299410128798
g^ab mod q = 437452857085801785219961443000845969831329749878767465041215

Diffie-Hellman key exchange (circa 2016)

g = 123456789

[q, a, b, g^a mod q, g^b mod q and g^ab mod q are each several hundred digits long and are omitted here]

ECDH key exchange (1999 – nowish)

E/F_p : y^2 = x^3 − 3x + b

p = 2^256 − 2^224 + 2^192 + 2^96 − 1 = 115792089210356248762697446949407573530086143415290314195533631308867097853951

P = (48439561293906451759052585252797914202762949526041747995844080717082404635286, 36134250956749795798585127919587881956611106672985015071877198253568414405109)

#E = 115792089210356248762697446949407573529996955224135760342422259061068512044369

a = 89130644591246033577639770641462855023145028492835255603183721922317324614395
b = 10095557463932786418806938316190708032771910919058405391679781082193405190826

[a]P = (84116208261315898167593067868200525612344221886333785331584793435449501658416, 102885655542185598026739250172885300109680266058548048621945393128043427650740)
[b]P = (101228882920057626679704131545407930245895491542090988999577542687271695288383, 77887418190304022994116595034556257760807185615679689372138134363978498341594)
[ab]P = (101228882920057626679704131545407930245895491542090988999577542687271695288383, 77887418190304022994116595034556257760807185615679689372138134363978498341594)

Quantum computers ↔ Cryptopocalypse

• Quantum computers break elliptic curves, finite fields, factoring, everything currently used for PKC
• Aug 2015: NSA announces plans to transition to quantum-resistant algorithms
• Feb 2016: NIST calls for quantum-secure submissions

Post-quantum key exchange

This talk + Sunday's: isogenies

What hard problem(s) do we use now???

Diffie-Hellman instantiations

• DH: elements are integers g modulo a prime; secrets are exponents x; computation: g, x ↦ g^x; hard problem: given g, g^x, find x
• ECDH: elements are points P in a curve group; secrets are scalars k; computation: k, P ↦ [k]P; hard problem: given P, [k]P, find k
• R-LWE [BCNS'15, newhope, NTRU]: elements are ring elements a in R = Z_q[x]/⟨Φ_n(x)⟩; secrets are small errors s, e ∈ R; computation: a, s, e ↦ as + e; hard problem: given a, as + e, find s
• LWE [Frodo]: elements are matrices A in Z_q^{n×n}; secrets are small s, e ∈ Z_q^n; computation: A, s, e ↦ As + e; hard problem: given A, As + e, find s
• SIDH [DJP14, CLN16]: elements are curves E in an isogeny class; secrets are isogenies φ; computation: φ, E ↦ φ(E); hard problem: given E, φ(E), find φ

Part 1: Motivation

Part 2: Preliminaries

Part 3: Brief SIDH sketch

Extension fields

To construct a degree-n extension field F_{q^n} of a finite field F_q, take F_{q^n} = F_q(α) where f(α) = 0 and f(x) is irreducible of degree n in F_q[x].

Example: for any prime p ≡ 3 mod 4, we can take F_{p^2} = F_p(i) where i^2 + 1 = 0

Elliptic curves and j-invariants

• Recall that every elliptic curve E over a field K with char K > 3 can be defined by
  E : y^2 = x^3 + ax + b,
  where a, b ∈ K and 4a^3 + 27b^2 ≠ 0
• For any extension K'/K, the set of K'-rational points forms a group with identity ∞
• The j-invariant j(E) = j(a, b) = 1728 · 4a^3 / (4a^3 + 27b^2) determines the isomorphism class over K̄ (the algebraic closure of K)
• E.g., E' : y^2 = x^3 + a u^2 x + b u^3 is isomorphic to E for all u ∈ K*
• Recover a curve from j: e.g., set a = −3c and b = 2c with c = j/(j − 1728)

Example

Over F_13, the curves
  E_1 : y^2 = x^3 + 9x + 8   and   E_2 : y^2 = x^3 + 3x + 5
are isomorphic, since
  j(E_1) = 1728 · 4·9^3 / (4·9^3 + 27·8^2) = 3 = 1728 · 4·3^3 / (4·3^3 + 27·5^2) = j(E_2)

An isomorphism is given by ψ : E_1 → E_2, (x, y) ↦ (10x, 5y), with inverse ψ^{-1} : E_2 → E_1, (x, y) ↦ (4x, 8y), noting that ψ(∞_1) = ∞_2
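Added example (not from the slides): the F_13 isomorphism above checked in Python, by computing both j-invariants and pushing every affine point of E_1 through ψ and back through ψ^{-1}.

```python
# Added example (not from the slides): verify the F_13 isomorphism claim by
# computing both j-invariants and pushing every affine point of E_1 through
# psi(x, y) = (10x, 5y), checking it lands on E_2 and that psi_inv undoes it.
P = 13
E1 = (9, 8)   # E_1 : y^2 = x^3 + 9x + 8
E2 = (3, 5)   # E_2 : y^2 = x^3 + 3x + 5

def j_invariant(a, b, p=P):
    """j(a, b) = 1728 * 4a^3 / (4a^3 + 27b^2) in F_p, as on the j-invariant slide."""
    den = (4 * a**3 + 27 * b**2) % p
    if den == 0:
        raise ValueError("4a^3 + 27b^2 = 0: not an elliptic curve")
    return 1728 * (4 * a**3) * pow(den, -1, p) % p

def on_curve(pt, a, b, p=P):
    x, y = pt
    return (y * y - (x**3 + a * x + b)) % p == 0

def affine_points(a, b, p=P):
    """Brute-force list of affine F_p-points; fine for p = 13."""
    return [(x, y) for x in range(p) for y in range(p) if on_curve((x, y), a, b, p)]

def psi(pt, p=P):
    """The isomorphism E_1 -> E_2 from the slide (infinity maps to infinity)."""
    x, y = pt
    return (10 * x % p, 5 * y % p)

def psi_inv(pt, p=P):
    """Its inverse E_2 -> E_1, (x, y) -> (4x, 8y); note 4*10 = 8*5 = 1 mod 13."""
    x, y = pt
    return (4 * x % p, 8 * y % p)

def check_isomorphism():
    """Returns (j(E_1), j(E_2), #E_1(F_13), psi is a bijection E_1(F_13) -> E_2(F_13))."""
    pts1, pts2 = affine_points(*E1), affine_points(*E2)
    images = [psi(q) for q in pts1]
    bijection = (all(on_curve(q, *E2) for q in images)
                 and all(psi_inv(q) == r for q, r in zip(images, pts1))
                 and sorted(images) == sorted(pts2))
    # +1 counts the point at infinity, which psi fixes
    return j_invariant(*E1), j_invariant(*E2), len(pts1) + 1, bijection

if __name__ == "__main__":
    print(check_isomorphism())
```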

Torsion subgroups

• The multiplication-by-n map: [n] : E → E, P ↦ [n]P
• The n-torsion subgroup is the kernel of [n]: E[n] = { P ∈ E(K̄) : [n]P = ∞ }
• Found as the roots of the n-th division polynomial ψ_n
• If char K doesn't divide n, then E[n] ≃ Z_n × Z_n

Example

• Consider E/F_11 : y^2 = x^3 + 4 with #E(F_11) = 12
• The 3-division polynomial ψ_3(x) = 3x^4 + 4x partially splits over F_11 as ψ_3(x) = 3 · x (x + 3)(x^2 + 8x + 9)
• Thus x = 0 and x = −3 give 3-torsion points. The points (0, 2) and (0, 9) are in E(F_11), but the rest lie in E(F_{11^2})
• Write F_{11^2} = F_11(i) with i^2 + 1 = 0. ψ_3(x) splits completely over F_{11^2} as ψ_3(x) = 3 · x (x + 3)(x + 9i + 4)(x + 2i + 4)
• Observe E[3] ≃ Z_3 × Z_3, i.e., 4 cyclic subgroups of order 3
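Added example (not from the slides): a brute-force enumeration of E[3] for y^2 = x^3 + 4 over F_{11^2} = F_11(i), recovering the 8 non-identity 3-torsion points and the 4 x-coordinates that are the roots of ψ_3 on the slide; the F_{11^2} and curve arithmetic is written out inline.

```python
# Added example (not from the slides): enumerate E[3] for E/F_11 : y^2 = x^3 + 4
# over F_{11^2} = F_11(i), i^2 = -1, by brute force.  Field elements are pairs
# (u, v) meaning u + v*i; the point at infinity is None.
P = 11
INF = None

def f_add(a, b): return ((a[0] + b[0]) % P, (a[1] + b[1]) % P)
def f_sub(a, b): return ((a[0] - b[0]) % P, (a[1] - b[1]) % P)
def f_mul(a, b): return ((a[0]*b[0] - a[1]*b[1]) % P, (a[0]*b[1] + a[1]*b[0]) % P)
def f_inv(a):
    """(u + vi)^-1 = (u - vi) / (u^2 + v^2); the norm u^2 + v^2 lies in F_11."""
    n = pow((a[0]*a[0] + a[1]*a[1]) % P, -1, P)
    return (a[0] * n % P, -a[1] * n % P)

def rhs(x):
    """x^3 + 4 for the curve y^2 = x^3 + 4 (a = 0, b = 4)."""
    return f_add(f_mul(f_mul(x, x), x), (4, 0))

def ec_add(p1, p2):
    """Chord-and-tangent addition on y^2 = x^3 + 4 over F_{11^2}."""
    if p1 is INF: return p2
    if p2 is INF: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if f_add(y1, y2) == (0, 0):
            return INF           # P + (-P); also covers doubling a 2-torsion point
        lam = f_mul(f_mul((3, 0), f_mul(x1, x1)), f_inv(f_mul((2, 0), y1)))  # 3x^2 / 2y
    else:
        lam = f_mul(f_sub(y2, y1), f_inv(f_sub(x2, x1)))
    x3 = f_sub(f_sub(f_mul(lam, lam), x1), x2)
    y3 = f_sub(f_mul(lam, f_sub(x1, x3)), y1)
    return (x3, y3)

def all_points():
    """All affine F_{11^2}-points; #E(F_11) = 12 (trace 0) forces #E(F_{11^2}) = 144."""
    elems = [(u, v) for u in range(P) for v in range(P)]
    return [(x, y) for x in elems for y in elems if f_mul(y, y) == rhs(x)]

def three_torsion():
    """Affine points R with [3]R = INF, i.e. the 8 non-identity elements of E[3]."""
    return [R for R in all_points() if ec_add(R, ec_add(R, R)) is INF]

def torsion_x_coords(tors):
    """Each order-3 subgroup {INF, R, -R} is pinned down by one x-coordinate;
    these are exactly the roots of psi_3 listed on the slide."""
    return sorted({x for x, _ in tors})

def rational_three_torsion(tors):
    """The 3-torsion points already defined over F_11 (imaginary parts zero)."""
    return sorted(R for R in tors if R[0][1] == 0 and R[1][1] == 0)

if __name__ == "__main__":
    T = three_torsion()
    print(len(T), torsion_x_coords(T), rational_three_torsion(T))
```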

Isogenies

• Isogeny: a morphism (rational map) φ : E_1 → E_2 that preserves the identity, i.e. φ(∞_1) = ∞_2
• The degree of a (separable) isogeny is the number of elements in its kernel, the same as its degree as a rational map
• Given a finite subgroup G ⊂ E_1, there is a unique curve E_2 and isogeny φ : E_1 → E_2 (up to isomorphism) having kernel G. Write E_2 = φ(E_1) = E_1/⟨G⟩.

Isogenies

• Isomorphisms are a special case of isogenies where the kernel is trivial: φ : E_1 → E_2, ker φ = {∞_1}
• Endomorphisms are a special case of isogenies where the domain and co-domain are the same curve: φ : E_1 → E_1, ker φ = G, |G| > 1
• Perhaps think of isogenies as a generalization of either/both: isogenies allow a non-trivial kernel and allow a different domain/co-domain
• Isogenies are *almost* isomorphisms

Vélu's formulas

Given any finite subgroup G of E, we may form a quotient isogeny
  φ : E → E' = E/G
with kernel G using Vélu's formulas.

Example: E : y^2 = (x^2 + b_1 x + b_0)(x − a). The point (a, 0) has order 2; the quotient of E by ⟨(a, 0)⟩ gives an isogeny
  φ : E → E' = E/⟨(a, 0)⟩, where
  E' : y^2 = x^3 + (−4a + 2b_1) x^2 + (b_1^2 − 4b_0) x
and where φ maps (x, y) to
  ( (x^3 − (a − b_1) x^2 − (b_1 a − b_0) x − b_0 a) / (x − a) , (x^2 − 2a x − b_1 a + b_0) y / (x − a)^2 )
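Added example (not from the slides): the 2-isogeny of the Vélu example worked over a small prime field. The kernel point (a, 0) is shifted to the origin first, so the map is the classical 2-isogeny with kernel ⟨(0, 0)⟩ and the codomain's linear coefficient is the slide's b_1^2 − 4b_0; the parameters p = 11, a = 2, b_1 = 1, b_0 = 4 are constructed for illustration.

```python
# Added example (not from the slides): the degree-2 quotient isogeny of the
# previous slide, computed over a small prime field.  The kernel point (a, 0)
# is shifted to the origin, giving the classical 2-isogeny with kernel <(0, 0)>;
# the curve parameters below are constructed for illustration.
p = 11
a, b1, b0 = 2, 1, 4          # E : y^2 = (x^2 + b1 x + b0)(x - a) over F_11

def shift_to_origin(a, b1, b0, p):
    """Substitute X = x - a: E becomes Y^2 = X^3 + A X^2 + B X with kernel point (0, 0)."""
    return (2*a + b1) % p, (a*a + a*b1 + b0) % p

def codomain(A, B, p):
    """E' = E/<(0,0)> : Y^2 = X^3 - 2A X^2 + (A^2 - 4B) X; note A^2 - 4B = b1^2 - 4 b0."""
    return (-2*A) % p, (A*A - 4*B) % p

def points(A, B, p):
    """Affine F_p-points of Y^2 = X^3 + A X^2 + B X (brute force)."""
    return [(x, y) for x in range(p) for y in range(p)
            if (y*y - (x**3 + A*x*x + B*x)) % p == 0]

def isogeny(pt, B, p):
    """phi(X, Y) = (Y^2 / X^2, Y (B - X^2) / X^2); the kernel point goes to infinity (None)."""
    X, Y = pt
    if X == 0:
        return None
    inv = pow(X*X, -1, p)
    return (Y*Y*inv % p, Y*(B - X*X)*inv % p)

def check_isogeny():
    A, B = shift_to_origin(a, b1, b0, p)
    A2, B2 = codomain(A, B, p)
    E, E2 = points(A, B, p), points(A2, B2, p)
    images = [isogeny(q, B, p) for q in E]
    fibres = {}
    for im in images:
        if im is not None:
            fibres[im] = fibres.get(im, 0) + 1
    return {
        "codomain": (A2, B2),
        "same_order": len(E) == len(E2),            # Tate: isogenous => same #E(F_p)
        "images_on_codomain": all(im is None or im in E2 for im in images),
        "every_fibre_has_2_points": all(n == 2 for n in fibres.values()),  # degree 2
        "distinct_affine_images": len(fibres),      # (#E(F_p) - 2) / 2
    }

if __name__ == "__main__":
    print(check_isogeny())
```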

Vélu's formulas

Given curve coefficients a, b for E, and all of the x-coordinates x_i of the subgroup G ⊂ E, Vélu's formulas output a', b' for E', and the map
  φ : E → E', (x, y) ↦ ( f_1(x, y) / g_1(x, y) , f_2(x, y) / g_2(x, y) )

Example, cont.

• Recall E/F_11 : y^2 = x^3 + 4 with #E(F_11) = 12
• Consider [3] : E → E, the multiplication-by-3 endomorphism
• G = ker [3] = E[3], which is not cyclic
• Conversely, given the subgroup G, the unique isogeny φ with ker φ = G turns out to be the endomorphism φ = [3]
• But what happens if we instead take G as one of the cyclic subgroups of order 3?

Example, cont.

Quotienting E/F_11 : y^2 = x^3 + 4 by each of its four cyclic subgroups of order 3 gives four 3-isogenies φ_1, φ_2, φ_3, φ_4 with codomains
  E_1/F_11 : y^2 = x^3 + 2
  E_2/F_11 : y^2 = x^3 + 5x
  E_3/F_{11^2} : y^2 = x^3 + (7i + 3) x
  E_4/F_{11^2} : y^2 = x^3 + (4i + 3) x

E_1, E_2, E_3, E_4 are all 3-isogenous to E, but what's the relation to each other?

The dual isogeny

For every isogeny ψ : E_1 → E_2 of degree n, there exists a (unique, up to isomorphism) dual isogeny ψ̂ : E_2 → E_1 of degree n, such that
  ψ̂ ∘ ψ = [n]_{E_1}   and   ψ ∘ ψ̂ = [n]_{E_2}

Supersingular curves

• E/F_q with q = p^n is supersingular iff E[p] = {∞}
• Fact: all supersingular curves can be defined over F_{p^2}
• Let S_{p^2} be the set of supersingular j-invariants

Theorem: #S_{p^2} = ⌊p/12⌋ + b, with b ∈ {0, 1, 2}

The supersingular isogeny graph

• We are interested in the set of supersingular curves (up to isomorphism) over a specific field
• Thm (Tate): E_1 and E_2 are isogenous if and only if #E_1 = #E_2
• Thm (Mestre): all supersingular curves over F_{p^2} are in the same isogeny class
• Fact (see previous slides): for every prime ℓ not dividing p, there exist ℓ + 1 isogenies of degree ℓ originating from any supersingular curve
• Upshot: this immediately leads to an (ℓ + 1)-regular directed graph X(S_{p^2}, ℓ)
• The previous example actually had E_2 ≅ E_3 ≅ E_4, so let's increase the size a little to get a picture of how this all pans out…

E.g. a supersingular isogeny graph

• Let p = 241, F_{p^2} = F_p(w) = F_p[x]/(x^2 − 3x + 7)
• #S_{p^2} = 20
• S_{p^2} = {93, 51w + 30, 190w + 183, 240, 216, 45w + 211, 196w + 105, 64, 155w + 3, 74w + 50, 86w + 227, 167w + 31, 175w + 237, 66w + 39, 8, 23w + 193, 218w + 21, 28, 49w + 112, 192w + 18}

Credit to Fre Vercauteren for example and picture…

Supersingular isogeny graph for ℓ = 2: X(S_{241^2}, 2)

Supersingular isogeny graph for ℓ = 3: X(S_{241^2}, 3)
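Added example (not from the slides): recovering the F_241-rational part of S_{p^2} by building a curve for each j ∈ F_p with the recipe a = −3c, b = 2c from the j-invariant slide and counting its points, since a curve over F_p (p ≥ 5) is supersingular exactly when #E(F_p) = p + 1. The j-values involving w need F_{p^2} arithmetic and are not covered here.

```python
# Added example (not from the slides): find the j in F_241 that belong to the
# slide's S_{p^2}.  Each j is turned into a curve with the recipe from the
# j-invariant slide (a = -3c, b = 2c, c = j/(j - 1728)), and a curve over F_p is
# supersingular iff its Frobenius trace is 0, i.e. #E(F_p) = p + 1.
p = 241

def curve_from_j(j, p):
    """Short Weierstrass (a, b) with j(a, b) = j; j = 0 and j = 1728 need their own models."""
    j %= p
    if j == 0:
        return 0, 1                      # y^2 = x^3 + 1
    if j == 1728 % p:
        return 1, 0                      # y^2 = x^3 + x
    c = j * pow((j - 1728) % p, -1, p) % p
    return (-3 * c) % p, (2 * c) % p

def j_invariant(a, b, p):
    return 1728 * 4 * a**3 * pow((4 * a**3 + 27 * b**2) % p, -1, p) % p

def legendre(v, p):
    """Quadratic character of v in F_p: 1 (square), -1 (non-square), 0."""
    v %= p
    if v == 0:
        return 0
    return 1 if pow(v, (p - 1) // 2, p) == 1 else -1

def order(a, b, p):
    """#E(F_p) = p + 1 + sum_x chi(x^3 + ax + b): each x contributes 1 + chi points."""
    return p + 1 + sum(legendre(x**3 + a * x + b, p) for x in range(p))

def rational_supersingular_j(p):
    """All j in F_p whose curve has exactly p + 1 points, i.e. is supersingular."""
    found = set()
    for j in range(p):
        a, b = curve_from_j(j, p)
        if (4 * a**3 + 27 * b**2) % p == 0:   # safety: skip a singular model
            continue
        if order(a, b, p) == p + 1:
            found.add(j)
    return found

if __name__ == "__main__":
    # the slide's list contains six values without w: 93, 240, 216, 64, 8, 28
    print(sorted(rational_supersingular_j(p)))
```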

Supersingular isogeny graphs are Ramanujan graphs

Rapid mixing property: Let S be any subset of the vertices of the graph G, and x be any vertex in G. A "long enough" random walk will land in S with probability at least |S| / (2|G|).

See De Feo, Jao, Plut (Prop 2.1) for the precise formula describing what's "long enough"

Part 1: Motivation

Part 2: Preliminaries

Part 3: Brief SIDH sketch

SIDH: in a nutshell

The commutative diagram on the slide:
  φ_A : E_0 → E_A = E_0/⟨A⟩
  φ_B : E_0 → E_B = E_0/⟨B⟩
  φ_B' : E_A → E_AB = E_0/⟨A, B⟩
  φ_A' : E_B → E_AB = E_0/⟨A, B⟩

E's are isogenous curves; P's, Q's, R's, S's are points

• Non-commutative, so φ_B φ_A ≠ φ_A φ_B (can't even multiply), hence φ_A' and φ_B'
• Alice can't just take E_B/⟨A⟩, A doesn't lie on E_B

SIDH: in a nutshell

  φ_A : E_0 → E_A = E_0/⟨P_A + [s_A] Q_A⟩
  φ_B : E_0 → E_B = E_0/⟨P_B + [s_B] Q_B⟩
  (R_A, S_A) = (φ_A(P_B), φ_A(Q_B))
  (R_B, S_B) = (φ_B(P_A), φ_B(Q_A))
  E_AB = E_0/⟨A, B⟩

E's are isogenous curves; P's, Q's, R's, S's are points

E_A/⟨R_A + [s_B] S_A⟩ ≅ E_0/⟨P_A + [s_A] Q_A, P_B + [s_B] Q_B⟩ ≅ E_B/⟨R_B + [s_A] S_B⟩

Key: Alice sends her isogeny evaluated at Bob's generators, and vice versa

• Why E' = E/⟨P + [s] Q⟩, etc.?
• Why not just E' = E/⟨[s] Q⟩? ... because here E' is ≈ independent of s
• Need a two-dimensional basis to span the two-dimensional torsion
• Every different s now gives a different order-n subgroup, i.e., kernel, i.e., isogeny
• Composite n: same thing, just an uglier picture

E[n] ≅ Z_n × Z_n (n prime depicted on the slide): n + 1 cyclic subgroups of order n, namely ⟨Q⟩ and ⟨P + [s] Q⟩ for each s


Exploiting smooth degree isogenies

• Computing isogenies of prime degree ℓ costs at least O(ℓ), e.g., Vélu's formulas need the whole kernel specified
• We (obviously) need an exponentially large set of kernels, meaning exponentially sized isogenies, which we can't compute unless they're smooth
• Here (for efficiency/ease) we will only use isogenies of degree ℓ^e for ℓ ∈ {2, 3}

Exploiting smooth degree isogenies

(credit DJP'14 for picture, and for a much better way to traverse the tree)

• Suppose our secret point R_0 has order ℓ^5 with, e.g., ℓ ∈ {2, 3}; we need φ : E → E/⟨R_0⟩
• Could compute all ℓ^5 elements in the kernel (but only because the exponent is 5)
• Better to factor φ = φ_4 φ_3 φ_2 φ_1 φ_0, where all φ_i have degree ℓ, and
  φ_0 : E_0 → E_1 = E_0/⟨[ℓ^4] R_0⟩, R_1 = φ_0(R_0);
  φ_1 : E_1 → E_2 = E_1/⟨[ℓ^3] R_1⟩, R_2 = φ_1(R_1);
  φ_2 : E_2 → E_3 = E_2/⟨[ℓ^2] R_2⟩, R_3 = φ_2(R_2);
  φ_3 : E_3 → E_4 = E_3/⟨[ℓ] R_3⟩, R_4 = φ_3(R_3);
  φ_4 : E_4 → E_4/⟨R_4⟩.

Questions?