Maps on elliptic curves · 2013-09-18 · q-isomorphism classes of elliptic curves over F q are...

$Page 1: Maps on elliptic curves · 2013-09-18 · q-isomorphism classes of elliptic curves over F q are parametrized by the j-line (\moduli space") There is essentially only one \degree of$
Maps on elliptic curves

Benjamin Smith

Team GRACE

INRIA Saclay–Ile-de-France

Laboratoire d’Informatique de l’Ecole polytechnique (LIX)

ECC “Summer” SchoolLeuven, September 11 2013

Smith (INRIA/LIX) Maps on elliptic curves Leuven, 11/09/2013 1 / 28

0: Motivation


Metaphysics

/ ∼=: There is only one finite field with q elements.

When you want to do cryptography in a finite field,you just have to choose q.

When you want to do ECC, you need tochoose q and one of the many elliptic curves /Fq.

So you need to seriously think about your choice,and how it relates to all of the other curves

that you thought you didn’t choose.(No curve is an island, Entire of itself)


1: *omorphisms


Weierstrass models

Elliptic curves over Fq, with q a power of p, and p 6= 2, 3:

E : y 2 = FE(x) = x3 + Ax + B .

Function field:

Fq(E) = Fq(x)[y ]/(y 2 − FE(x))

Functions with coefficients in Fq:

Fq(E) = Fq(x)[y ]/(y 2 − FE(x))


What is a morphism?

Let E1 : y 21 = FE1(x1) and E2 : y 2

2 = FE2(x2) be elliptic curves over Fq.

A morphism φ : E1 → E2 is a mapping

φ : (x1, y1) 7−→ (x2, y2) = (φx(x1, y1), φy (x1, y1))

where φx and φy in Fq(E1) satisfy the equation of E2:

φ2y = FE2(φx).

Fqd -morphisms = morphisms φ with φx , φy ∈ Fqd (E)

Homomorphisms = morphisms respecting the group law

Isomorphisms = invertible homomorphisms

Endomorphisms = homomorphisms from a curve to itself

Automorphisms = invertible endomorphisms


Degree

Let φ : E1 → E2 be an Fq-morphism:

φ : (x1, y1) ∈ E1(Fq) 7−→ (φx(x1, y1), φy (x1, y1)) ∈ E2(Fq)

Induced extension of function fields Fq(E2)→ Fq(E1):

f (x2, y2) ∈ Fq(E2) 7−→ f (φx(x1, y1), φy (x1, y1)) ∈ Fq(E1)

The degree of φ is the degree of the induced field extension:

deg φ := [Fq(E1) : Fq(E2)].


Degree

Degree is multiplicative: deg φ1φ2 = deg φ1 deg φ2

(so isomorphisms and automorphisms have degree 1)

If φ is a constant morphism, then deg φ := 0.

Degree has an

inseparable part (essentially pth powering/Frobenius) and aseparable part (everything else)

If φ 6= 0 then degsep φ = #(ker φ)(Fq).

“Complexity” of the morphism ←→ separable degree


Examples

Multiplication-by-m: purely separable endomorphisms, degree m2.

[2] : (x , y) 7−→(

Φ2(x)

Ψ2(x),

y

2· d

dx

(Φ2(x)

Ψ2(x)

))where Ψ2(x) = 4(x3 + Ax + B) (the 2-division polynomial)

and Φ2(x) = x4 − 2Ax2 − 8Bx + A2.

Frobenius: purely inseparable endomorphism, degree q.

π : (x , y) 7−→ (xq, yq)

Factors into a series of n pth-powering homomorphisms

E p−→ E(p) p−→ E(p2) p−→ · · · p−→ E(pn−1) p−→ E

of Galois-conjugate curves Epi : y 2 = x3 + Api x + Bpi


Algebraic operations on morphisms

We can compose homomorphisms φ1 : E1 → E2 and φ2 : E2 → E3

We can also add homomorphisms φ : E1 → E2 and ψ : E1 → E2:

(φ+ ψ)(P) = φ(P)⊕ ψ(P)

algebraically, φ+ ψ := ⊕ ◦ (φ, ψ) really is a morphism

Automorphisms of E form a group Aut(E) under ◦,Homomorphisms E1 → E2 form a Z-module Hom(E1, E2) under +

Endomorphisms of E form a ring End(E) under +, ◦

We always have integer multiplications [m],m ∈ Z and Frobenius π, so

Z[π] ⊆ End(E)


Translations

For each T in E(Fq) we define a translation τT : E(Fq)→ E(Fq) by

τT (P) := P ⊕ T .

Translations are morphisms : the group law is defined by rational functions

Translations are invertible : τT ◦ τT = [1]

Translations are not homomorphisms : τT (OE) 6= OE

=⇒ Translations are automorphisms of the genus 1 curve underlying E ,but not of E as an elliptic curve.

This is a ridiculous amount of symmetry:if we forget OE then E has an infinite automorphism group.

Formally speaking, an elliptic curve is a pair (E ,OE).All of the visible structure on E is relative to OE .

...But it doesn’t matter which point you choose to be OE and send to infinity:

you can always change your mind with a translation.


Morphisms and homomorphisms

Theorem: Every morphism of elliptic curves isthe composition of a homomorphism and a translation.

In other words:

Any morphism E1 → E2 mapping OE1to OE2

must be a homomorphism.


2: Isomorphisms, Automorphisms,and Twists


Isomorphisms

For our purposes: isomorphisms look like changes of coordinates.

Example

The curves E1 : y 21 = x3

1 + 29x21 + 24x1 + 23 and E2 : y 2

2 = x32 + 7x2 + 6

over F31 are isomorphic via

(x1, y1) 7−→ (x2, y2) = (9x1 + 25, 4y1)

Fq-isomorphisms preserve DLPs on elliptic curves over Fq,

Fq-isomorphisms are also compatible with pairings

=⇒ Fq-isomorphic curves are cryptographically equivalent.

So how many non-isomorphic curves are there over Fq?


The j-invariant

If E : y 2 = x3 + Ax + B is an elliptic curve over Fq then its j -invariant is

j(E) =1728A3

A3 + 274 B2

.

(...can also be defined for other models of elliptic curves, over any field)

j(E) = j(E ′) ⇐⇒ E and E ′ are Fq-isomorphic.

The mapping j :{Elliptic curves over Fq}

Fq-isomorphism−→ Fq is a bijection.

=⇒ Fq-isomorphism classes of elliptic curves over Fq

are parametrized by the j-line (“moduli space”)

There is essentially only one “degree of freedom”when choosing a random elliptic curve over Fq.


Automorphisms

The automorphisms of an elliptic curve E form a group Aut(E) undercomposition. Aut(E) is finite, and generically Aut(E) = {[±1]}. But:

#AutFq(E) = 2 if j(E) /∈ {0, 1728}

#AutFq(E) = 4 if j(E) = 1728 and p /∈ {2, 3}

Ea : y 2 = x3 + ax has an Fq(i)-automorphism of order 4,(x , y) 7−→ (−x , iy) (where i2 = −1) for any a 6= 0 in Fq

#AutFq(E) = 6 if j(E) = 0 and p /∈ {2, 3}

E ′a : y 2 = x3 + a has an Fq(ζ3)-automorphism of order 3,(x , y) 7−→ (ζ3x , y) (where ζ3

3 = 1) for any a 6= 0 in Fq

#AutFq(E) = 12 if j(E) = 0 = 1728 and p = 3

(these E are supersingular)

#AutFq(E) = 24 if j(E) = 0 = 1728 and p = 2

(these E are supersingular)


Twists

If E/Fq and E ′/Fq are Fq-isomorphic but not Fq-isomorphic,then we say E and E ′ are twists.

For example: let δ be a nonsquare in Fq. Then

E : y 2 = x3 + Ax + B and Eδ : y ′2 = x ′3 + δ2Ax ′ + δ3B

are quadratic twists: the Fq(√δ)-isomorphism E → Eδ is

(x , y) 7−→ (x ′, y ′) = (δx , δ3/2y) .

Up to isomorphism, there is only one quadratic twist:If δ1 and δ2 are both nonsquares in Fq, then Eδ1 ∼= Eδ2 over Fq

(since δ1/δ2 must be square).

If j(E) 6= 0 or 1728, then the only twist of E is its quadratic twist.


More on twists

Twists have the same geometry (ie, the same behaviour over Fq)but different arithmetic (ie, they have different behaviour over Fq).

For example: if E and E ′ are quadratic twists,then E(Fq) and E ′(Fq) can have different cardinalities

(and wildly different cryptographic strengths).

However, the cardinalities are not independent:

#E(Fq) = q + 1− t and #E ′(Fq) = q + 1 + t

for some −2√

q ≤ t ≤ 2√

q, and

#E(Fq) + #E ′(Fq) = 2(q + 1) .

The quadratic twist is a sort of arithmetic mirror image.


3: Isogenies


Isogenies

An isogeny is a nonzero homomorphism.

Isogenies have two very important properties:

Isogenies are geometrically surjective(they are surjective over Fq , but not necessarily over finite extensions of Fq !)

Isogenies have finite kernel(they are almost isomorphisms)

Fq-isogenies φ : E1 → E2 map DLPs in E1(Fq) to DLPs in E2(Fq).

If G is a prime-order subgroup of E1(Fq), then either

ker φ ∩ G = {OE} and then φ(G ) ∼= G (the general case), or

G ⊂ ker φ, and then φ(G ) = OE (unlikely).

...Isogenies tend to give us isomorphisms between cyptographic problems.


General isogenies

What do isogenies look like in general?

φ : (x , y) 7−→

(φx(x)pi

,y pi

λφ′x(x)pi

)where

φx(x) is in Fq(x); its denominator defines the kernel of φ.

λ is a “twisting factor” in Fq. (φ is normalized if λ = 1.)

pi is the inseparable degree of φ.


Quotient isogenies

Theorem

Isogenies are determined (up to isomorphism) by their kernels:if φ : E → E ′ and ψ : E → E ′′ are isogenies with ker φ = kerψ,then E ′ and E ′′ are isomorphic (or twists).

If S ⊂ E is a finite subgroup defined over Fq,then there exists a quotient curve E/S over Fq,

and the quotient map E → E/S is an Fq-isogeny.

Velu’s formulæ compute the normalized quotient φ : E −→ E ′ = E/S .

Isogenies of degree d are often called d-isogenies.


Example: 2-isogenies and 3-isogenies

The curve E : y 2 = x(x2 + Cx + D) has a point (0, 0) of order 2.

Velu: E −→ E/〈(0, 0)〉 : y 2 = x(x2 − 2Cx + (C 2 − 4D)):

(x , y) 7−→(

x2 + Cx + D

x, y

x2 − D

x2

)

The curve E : y 2 = x3 + E (x + 1)2 has 3-torsion points (0,±√

E ).

Velu: E −→ E/〈(0,±√

E )〉 : y 2 = x3 + Ex2 − 18Ex − (16E 2 + 27E )

(x , y) 7−→(

x3 + 4Ex + 4E

x2, y

x3 − 4Ex − 8E

x3

)


Factorization of isogenies

Let φ : E → E ′ be an isogeny of degree d =∏n

i=1 di ,with each of the di prime (but not necessarily distinct).Theorem: there exist elliptic curves E1, . . . , En−1 and isogenies

φ1 : E =: E0 −→ E1,φ2 : E1 −→ E2,

... −→...

φn−1 : En−2 −→ En−1,φn : En−1 −→ En := E ′

such that each φi has degree di , and

φ = φn ◦ · · · ◦ φ1.

Caveats:

The Ei and φi are generally only defined over some extension of Fq;

The Ei and φi are not uniquely determined (even up to isomorphism)


The dual isogeny

If φ : E1 → E2 is an isogeny, thenthere exists a dual isogeny φ : E2 → E1 such that

φ ◦ φ = [deg φ].

ker φ = φ(E [deg φ])If φ is separable, then φ(P) =

∑φ(Q)=P Q

Existence of an isogeny between elliptic curves is an equivalence relation.

Symmetry there exists an isogeny E1 → E2 iff there exists an isogenyE2 → E1: use the dual (we say that E1 and E2 are isogenous)

Reflexivity there exists an isogeny E → E for all E : for example, [1]Transitivity if there exist isogenies E1 → E2 and E2 → E3, then there

exists an isogeny E1 → E3: use composition

The isogeny class of E is the set of all elliptic curves isogenous to E .


4: Metaphysics again


Endomorphisms and isogenies

Isogeny structures are deeply connectedto endomorphism structures.

For example:Frobenius satisfies a quadratic characteristic polynomial.

P(π) = 0 where P(X ) = X 2 − tEX + q with |tE | ≤ 2√

q .

(This is central to point counting, because P(1) = #E(Fq).)A priori, the trace tE depends on the curve.

Z[X ]/(X 2 − tEX + q) ∼= Z[πE ] ⊆ End(E) .

Tate’s theorem: E and E ′ are Fq-isogenous iff tE = tE ′ .The trace (and #EC (Fq)) is an isogeny class invariant


The class group structure

Isogenies from E to other curves (up to isomorphism)correspond to ideals in End(E).

If φ corresponds to (α1, α2) ⊂ End(E), then ker φ = kerα1 ∩ kerα2.

Endomorphisms of E (up to isomorphism)correspond to principal ideals in End(E).

The ideal class group of End(E) acts on the isogeny class of E .


Date post:	15-Aug-2020
Category:	Documents
Upload:	others
View:	2 times
Download:	0 times

Maps on elliptic curves · 2013-09-18 · q-isomorphism classes of elliptic curves over F q are...

Documents