Abstract
We study the problem of generating the endomorphism ring of a supersingular elliptic curve by two cycles in ℓ-isogeny graphs. We prove a necessary and sufficient condition for the two endomorphisms corresponding to two cycles to be linearly independent, expanding on the work by Kohel in his thesis. We also give a criterion under which the ring generated by two cycles is not a maximal order. We give some examples in which we compute cycles which generate the full endomorphism ring. The most difficult part of these computations is the calculation of the trace of these cycles. We show that a generalization of Schoof’s algorithm can accomplish this computation efficiently.
References
Reza Azarderakhsh, Matthew Campagna, Craig Costello, Luca De Feo, Basil Hess, Amir Jalali, David Jao, Brian Koziel, Brian LaMacchia, Patrick Longa, Michael Naehrig, Joost Renes, Vladimir Soukharev, and David Urbanik. Supersingular isogeny key encapsulation. Submission to the NIST Post-Quantum Standardization project, 2017. https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Round-1-Submissions.
Jean-François Biasse, David Jao, and Anirudh Sankar. A quantum algorithm for computing isogenies between supersingular elliptic curves. In Progress in cryptology—INDOCRYPT 2014, volume 8885 of Lecture Notes in Comput. Sci., pages 428–442. Springer, Cham, 2014.
A. Bostan, F. Morain, B. Salvy, and É. Schost. Fast algorithms for computing isogenies between elliptic curves. Math. Comp., 77(263):1755–1778, 2008.
J. M. Cerviño. Supersingular elliptic curves and maximal quaternionic orders. In Mathematisches Institut, Georg-August-Universität Göttingen: Seminars Summer Term 2004, pages 53–60. Universitätsdrucke Göttingen, Göttingen, 2004.
Ilya Chevyrev and Steven D. Galbraith. Constructing supersingular elliptic curves with a given endomorphism ring. LMS J. Comput. Math., 17(suppl. A):71–91, 2014.
Denis X. Charles, Eyal Z. Goren, and Kristin Lauter. Cryptographic hash functions from expander graphs. J. Cryptology, 22(1):93–113, 2009.
Max Deuring. Die Typen der Multiplikatorenringe elliptischer Funktionenkörper. Abh. Math. Sem. Hansischen Univ., 14:197–272, 1941.
Luca De Feo, David Jao, and Jérôme Plût. Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. J. Math. Cryptol., 8(3):209–247, 2014.
Christina Delfs and Steven D. Galbraith. Computing isogenies between supersingular elliptic curves over \(\mathbb {F}_p\). Des. Codes Cryptogr., 78(2):425–440, 2016.
Kirsten Eisenträger, Sean Hallgren, Kristin Lauter, Travis Morrison, and Christophe Petit. Supersingular isogeny graphs and endomorphism rings: reductions and solutions. Eurocrypt 2018, LNCS 10822, pages 329–368, 2018.
Steven D. Galbraith, Christophe Petit, and Javier Silva. Identification protocols and signature schemes based on supersingular isogeny problems. In Tsuyoshi Takagi and Thomas Peyrin, editors, Advances in Cryptology – ASIACRYPT 2017, pages 3–33, Cham, 2017. Springer International Publishing.
David Kohel, Kristin Lauter, Christophe Petit, and Jean-Pierre Tignol. On the quaternion ℓ-isogeny path problem. LMS Journal of Computation and Mathematics, 17:418–432, 2014.
David Kohel. Endomorphism rings of elliptic curves over finite fields. PhD thesis, University of California, Berkeley, 1996.
Kristin Lauter and Ken McMurdy. Explicit generators of endomorphism rings of supersingular elliptic curves. Preprint, 2004.
Ken McMurdy. Explicit representation of the endomorphism rings of supersingular elliptic curves. https://phobos.ramapo.edu/~kmcmurdy/research/McMurdy-ssEndoRings.pdf, 2014.
J.-F. Mestre. La méthode des graphes. Exemples et applications. In Proceedings of the international conference on class numbers and fundamental units of algebraic number fields (Katata, 1986), pages 217–242. Nagoya Univ., Nagoya, 1986.
Gabriele Nebe. Finite quaternionic matrix groups. Represent. Theory, 2:106–223, 1998.
NIST. Post-quantum cryptography, 2016. csrc.nist.gov/Projects/Post-Quantum-Cryptography; accessed 30-September-2017.
Arnold Pizer. An algorithm for computing modular forms on Γ0(N). J. Algebra, 64(2):340–390, 1980.
René Schoof. Elliptic curves over finite fields and the computation of square roots mod p. Math. Comp., 44(170):483–494, 1985.
René Schoof. Counting points on elliptic curves over finite fields. J. Théor. Nombres Bordeaux, 7(1):219–254, 1995. Les Dix-huitièmes Journées Arithmétiques (Bordeaux, 1993).
J.H. Silverman. The Arithmetic of Elliptic Curves. Graduate Texts in Mathematics. Springer New York, 2009.
Igor E. Shparlinski and Andrew V. Sutherland. On the distribution of Atkin and Elkies primes for reductions of elliptic curves on average. LMS J. Comput. Math., 18(1):308–322, 2015.
Andrew V. Sutherland. Isogeny volcanoes. In ANTS X—Proceedings of the Tenth Algorithmic Number Theory Symposium, volume 1 of Open Book Ser., pages 507–530. Math. Sci. Publ., Berkeley, CA, 2013.
Jacques Vélu. Isogénies entre courbes elliptiques. C. R. Acad. Sci. Paris Sér. A-B, 273:A238–A241, 1971.
John Voight. Quaternion Algebras. v.0.9.12, March 29, 2018.
William C. Waterhouse. Abelian varieties over finite fields. Ann. Sci. École Norm. Sup. (4), 2:521–560, 1969.
Youngho Yoo, Reza Azarderakhsh, Amir Jalali, David Jao, and Vladimir Soukharev. A post-quantum digital signature scheme based on supersingular isogenies. In Financial Cryptography and Data Security - 21st International Conference, FC 2017, Sliema, Malta, April 3–7, 2017, Revised Selected Papers, pages 163–181, 2017.
Appendix A: Modified Schoof’s Algorithm for Traces of Arbitrary Endomorphisms
Let E be an elliptic curve over a finite field \(\mathbb {F}_q\) of characteristic p ≠ 2, 3. The Frobenius endomorphism \(\phi \in \operatorname {\mathrm {End}}_{\mathbb {F}_q}(E)\) takes any point \((x,y) \in E(\mathbb {F}_q)\) to \((x^q, y^q)\); it satisfies a relation in \( \operatorname {\mathrm {End}}_{\mathbb {F}_q}(E)\) given by
Here, t is called the trace of the Frobenius endomorphism, and it is related to the number of \(\mathbb {F}_q\)-points on E via the relation
Schoof’s algorithm [20] computes the trace of the Frobenius endomorphism in \(O(\log ^9q)\) elementary operations (bit operations). This algorithm has been improved in [23] to be completed in \(O(\log ^5q \log \log q)\) operations.
Let E be a supersingular elliptic curve defined over \(\mathbb {F}_{p^2}\). Here we outline a modification of Schoof’s algorithm that computes the trace of any endomorphism \(\alpha \in \operatorname {\mathrm {End}}_{\mathbb {F}_q}(E)\) that corresponds to a cycle in the ℓ-isogeny graph, where ℓ ≠ p is a prime. That is, we assume that we are given a cycle of length e in the ℓ-isogeny graph; this path can be represented as a chain of e isogenies of degree ℓ, \(\phi_k : E_k \to E_{k+1}\) for k = 0, …, e − 1. Here \(E_0, \dots, E_e\) are elliptic curves in short Weierstrass form, defined over \(\mathbb {F}_{p^2}\), and \(E_0 = E_e\). We assume the isogenies are specified by their rational maps. We remark that if this cycle is instead represented by a sequence of ℓ-isogenous elliptic curves, then one can compute a corresponding sequence of ℓ-isogenies in \(\tilde {O}(n^2)\) time by Theorem 2 of [3], where \(n=\max \{\lceil \log p \rceil , \ell , e\}.\) In the context we are interested in (where p is of cryptographic size, \(\ell =O(\log p)\), and we assume \(e = O(\log p)\)), we observe that finding a cycle in G(p, ℓ) could require time exponential in \(\log p\), so we may as well assume that we are given the isogenies.
More precisely then, we assume that the input to our algorithm is a cycle of isogenies, each given explicitly as in Proposition 4.1 of [3] which we record here.
Proposition A.1
Let \(E : y^2 = x^3 + Ax + B\) be an elliptic curve. Then every (normalized) ℓ-isogeny ψ : E → E′ can be written as
where
and we define N(x) by the relation
Here, σ is the coefficient of \(x^{\ell-1}\) in D(x), the sum of the abscissas of the nonzero points of the kernel of ψ.
Proof
This is Proposition 4.1 of [3]. □
By Corollary 2.5, if E is defined over \(\mathbb {F}_{p^2}\) we can take these isogenies to be defined over an extension of \(\mathbb {F}_{p^2}\) of degree at most 6. If \(\ell =O(\log p)\) and the path has length \(e=O(\log p)\), which are the parameters that are most interesting, we will show that the trace of this endomorphism can be computed in \(\tilde {O}(\log ^7 p)\) time by using a modified version of Schoof’s algorithm, where we use \(f(n)=\tilde {O}(g(n))\) to mean that there exists k such that \(f(n)=O(g(n)\log ^kn)\).
The naïve computation of the composition of the e isogenies via Vélu’s formula yields a formula for the \(\ell^e\)-isogeny that requires at least \(O(\ell^e)\) elementary operations; in order to cut down on the number of elementary operations required to compute the explicit formula for the isogeny, we note that the explicit isogeny formula is simpler on the set of m-torsion points for any m, by taking the quotient modulo the division polynomials. Thus, \(\ell^e\)-isogenies on E[m] can be computed much more quickly, and this is sufficient information to which one can apply Schoof’s idea. We remark that the algorithm will correctly compute the trace of an endomorphism of an ordinary curve \(E/\mathbb {F}_q\), but unlike in the supersingular case and without further assumptions on the cycle, not all of the isogenies are defined over \(\mathbb {F}_q\) (or an extension of \(\mathbb {F}_q\) of bounded degree).
A.1. Complexity of Computing Endomorphisms on m-Torsion
Let \(f_k(X)\) denote the k-th division polynomial of E. It is the polynomial whose roots are the x-coordinates of the nonzero elements of the k-torsion subgroup of E. When k is coprime to p, the degree of \(f_k\) is \((k^2 - 1)/2\). The division polynomials can be defined recursively, and the complexity of computing them is analyzed in [23].
Let M(n) denote the number of elementary operations required to multiply two n-bit integers. If we choose to multiply two n-bit integers via long multiplication, then \(M(n) = O(n^2)\); if we multiply two numbers using the Fast Fourier Transform (FFT), then \(M(n) = O(n \log n \log \log n)\).
Proposition A.2
Given a natural number m > 1, the division polynomials \(f_1, \dots, f_m\) can be computed in \(O(m M(m^2\log q))\) time.
Proof
Using the recursive relations defining the division polynomials, \(f_k\) can be computed in \(O(M(k^2\log q))\) time by using a double-and-add method. Thus \(f_1, \dots, f_m\) can be computed in \(O(mM(m^2\log q))\) time; see [23, Section 5.1]. □
We continue to work over \(\mathbb {F}_{q}\); typically we will work over an extension of \(\mathbb {F}_{p^2}\) of degree at most 6.
Given an ℓ-isogeny ψ : E → E′ as well as a prime m ≠ 2, p, we are interested in the explicit formula for the induced isogeny on the m-torsion points \(\psi_m : E[m] \to E'[m]\). If E is defined by the equation \(y^2 = x^3 + ax + b\), and \(f_m(x)\) is the m-th division polynomial for E, then \(E[m] = \operatorname {\mathrm {Spec}} \mathbb {F}_q[x,y]/I\), where \(I = \langle f_m(x), y^2 - (x^3 + ax + b)\rangle\). Thus we may reduce the coordinates of the explicit formula for the isogeny ψ given by (x, y)↦(X(x, y), Y (x, y)) modulo the ideal I, and the resulting map \(\psi_m\) agrees with ψ on E[m]. Let \(d= \max \{m, \ell \}\).
Proposition A.3
Keeping the notation of the discussion in the above paragraph, \(\deg \psi_m = O(d)\), and \(\psi_m\) can be computed in \(O(M(d^2\log q)\log d)\) elementary operations.
Proof
First we observe that by Proposition A.1, the rational functions which define ψ have degree O(ℓ). Next, reduce modulo \(f_m(x)\), so that the degree of the resulting expression is bounded by \(\deg f_m = O(m^2)\). Then by [23, Lemma 9, p. 315], it takes \(O(M(d^2\log q)\log d)\) elementary operations to compute the reduction of the isogeny formula modulo \(f_m\). □
A.2. Computing the Trace on m-Torsion Points
To compute the trace of an endomorphism \(\psi \in \operatorname {\mathrm {End}}(E)\), where ψ appears as a cycle of length e in the supersingular ℓ-isogeny graph in characteristic p, we will compute \( \operatorname {\mathrm {tr}}(\psi ) \pmod {m}\) for several primes m and then recover the trace using the Chinese Remainder Theorem, as in Schoof’s algorithm.
The endomorphism ψ satisfies its characteristic equation \(x^2- \operatorname {\mathrm {tr}}(\psi )x+ \operatorname {\mathrm {norm}}(\psi ) = 0\). There is a simple relationship between \( \operatorname {\mathrm {tr}}(\psi )\) and \( \operatorname {\mathrm {norm}}(\psi )\):
Lemma A.4
Let \(\psi \in \operatorname {\mathrm {End}}(E)\). Then \(| \operatorname {\mathrm {tr}}(\psi )| \leq 2 \sqrt{ \operatorname {\mathrm {norm}}(\psi )}\).
Proof
If ψ is multiplication by some integer, then its characteristic polynomial is \(x^2 \pm 2nx + n^2\), with \(n \in \mathbb {N}\). Then \(| \operatorname {\mathrm {tr}}(\psi )| = 2n\), \( \operatorname {\mathrm {norm}}(\psi ) =n^2\), and the statement of the lemma holds.
If ψ is not multiplication by an integer, then \(\mathbb {Z}[\psi ]\) is an order in the ring of integers \(\mathcal {O}_K\) for some quadratic imaginary number field K. Hence we can fix an embedding \(\iota : \mathbb {Z}[\psi ] \hookrightarrow \mathcal {O}_K\). Since ι(ψ) is imaginary, its characteristic polynomial \(x^2 - \operatorname {\mathrm {tr}}(\psi )x + \operatorname {\mathrm {norm}}(\psi )\) must have discriminant < 0, so \(| \operatorname {\mathrm {tr}}(\psi )| \leq 2\sqrt { \operatorname {\mathrm {norm}}(\psi )}\). □
As in Schoof’s algorithm, we begin by looking for a bound L such that
where the last equality follows from the fact that the cycle corresponding to ψ in the isogeny graph has length e, so \( \operatorname {\mathrm {norm}}(\psi )=\ell ^e\). By the prime number theorem, we can take \(L=O(\log p)\) and there are \(O(\log p / \log \log p)\) many primes less than L.
Let m be a prime. Any \(\psi \in \operatorname {\mathrm {End}}(E)\) induces an endomorphism \(\psi _m \in \operatorname {\mathrm {End}}(E[m])\); if \(\psi_m\) has characteristic polynomial \(x^2 - t_m x + n_m\), then \(t_m \equiv \operatorname {\mathrm {tr}}(\psi ) \pmod {m}\). After computing t (mod m) for each prime m < L, we can compute t (mod N), where N is the product of these primes, using the Chinese Remainder Theorem. The bound in Lemma A.4 then lets us compute the value of \( \operatorname {\mathrm {tr}}(\psi )\). Now, fix one such prime m.
A.2.1. Computation of \( \operatorname {\mathrm {tr}}(\psi _m)\)
Let \(t_m \equiv \operatorname {\mathrm {tr}}(\psi ) \bmod m\). Then the relation \(\psi _{m}^{2}-t_{m}\psi _{m} + n_{m} = 0\) holds in \( \operatorname {\mathrm {End}}(E[m]):= \operatorname {\mathrm {End}}(E)/(m)\). Here, \(n_m \equiv \operatorname {\mathrm {norm}}(\psi _m) = \ell ^e \bmod m\), with \(0 \leq n_m < m\).
Furthermore, one has an explicit formula for \(\psi_m : E[m] \to E[m]\) by reducing the explicit coordinates for ψ modulo the ideal I (using the notation in the discussion before Proposition A.3), with \(\deg \psi_m = O(m^2)\). Using the addition formulas for E, we can compute the explicit formula for \(\psi _m^2 + n_m\) and reduce it modulo I. The main modification to Schoof’s algorithm, as it is described in [23, 5.1], is to replace the Frobenius endomorphism on E[m] with \(\psi_m\). Having computed \(\psi _m^2+n_m\) and \(\psi_m\), for τ with 0 ≤ τ ≤ m − 1 we compute \(\tau \psi_m\) until
in \( \operatorname {\mathrm {End}}(E[m])\). Then \(\tau = t_m\). Having computed \(t_m\) for sufficiently many primes, we recover \( \operatorname {\mathrm {tr}} \psi \) using the Chinese Remainder Theorem.
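As an added illustration of the search for τ in A.2.1, the bound of Lemma A.4 and the final Chinese Remainder step (example code, not from the paper), the following Python models \( \operatorname {\mathrm {End}}(E[m])\) as 2 × 2 matrices over \(\mathbb {Z}/m\), since \(E[m] \cong (\mathbb {Z}/m)^2\); the integer matrix standing in for ψ (in place of its rational maps reduced modulo I), the prime p and the companion matrices used as inputs are constructed assumptions.

```python
"""Toy model of the modified Schoof algorithm of Appendix A (added example).

Modelling assumption (not from the paper): a nonzero endomorphism psi_m of
E[m] ~ (Z/m)^2 is a 2x2 matrix over Z/m.  Instead of deriving psi_m from the
rational maps of the cycle reduced modulo the ideal I, we reduce a fixed
integer 2x2 matrix PSI with characteristic polynomial x^2 - t x + ell^e
modulo each prime m.  The search for tau, the bound |tr psi| <= 2 sqrt(ell^e)
from Lemma A.4 and the CRT step follow the text.
"""
from math import prod


def mat_mod(A, m):
    return [[a % m for a in row] for row in A]


def mat_mul(A, B, m):
    return [[sum(A[i][k] * B[k][j] for k in range(2)) % m for j in range(2)]
            for i in range(2)]


def trace_mod_m(psi_m, n_m, m):
    """Find tau in 0..m-1 with psi_m^2 + n_m = tau * psi_m in End(E[m])."""
    sq = mat_mul(psi_m, psi_m, m)
    lhs = [[(sq[i][j] + (n_m if i == j else 0)) % m for j in range(2)]
           for i in range(2)]
    for tau in range(m):
        if mat_mod([[tau * a for a in row] for row in psi_m], m) == lhs:
            return tau
    # Only possible when psi_m = 0 on E[m] but n_m != 0, i.e. bad input.
    raise ValueError("no tau found: psi_m is zero on E[m]")


def schoof_primes(ell, e, p):
    """Odd primes m != p whose product N exceeds 2 * (2 sqrt(ell^e)),
    i.e. N^2 > 16 ell^e, so that t is determined by t mod N."""
    primes, N, m = [], 1, 3
    while N * N <= 16 * ell ** e:
        if m != p and all(m % q for q in range(2, int(m ** 0.5) + 1)):
            primes.append(m)
            N *= m
        m += 2
    return primes


def crt(residues, moduli):
    """Chinese Remainder Theorem for pairwise coprime moduli; returns (t, N)."""
    N = prod(moduli)
    t = sum(r * (N // q) * pow(N // q, -1, q) for r, q in zip(residues, moduli))
    return t % N, N


def recover_trace(PSI, ell, e, p):
    """Return tr(psi) for the matrix model PSI of psi, with norm(psi) = ell^e."""
    moduli = schoof_primes(ell, e, p)
    norm = ell ** e
    residues = [trace_mod_m(mat_mod(PSI, m), norm % m, m) for m in moduli]
    t, N = crt(residues, moduli)
    # Lemma A.4: |t| <= 2 sqrt(norm) < N/2, so take the symmetric representative.
    return t - N if t > N // 2 else t


def companion(t, norm):
    """Integer matrix with characteristic polynomial x^2 - t x + norm."""
    return [[0, -norm], [1, t]]
```

For ℓ = 2, e = 6 the prime set is {3, 5, 7}, so N = 105 and the trace, bounded by 16 in absolute value, is recovered from three residues.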
A.2.2. Complexity Analysis for Computing the Trace
Proposition A.5
Let \(E/\mathbb {F}_q\) be a supersingular elliptic curve. Let ψ be an isogeny of E of degree \(\ell^e\), specified as a chain \(\phi_1, \dots, \phi_e\) of ℓ-isogenies, whose explicit formulas are given. The explicit formula for \(\psi_m\) can be computed in \(O(edM(d\log q)\log d)\) time, where \(d = \max \{\ell , m^2\}\).
Proof
The expression for \(\psi_m\) can be computed by computing \((\phi_k)_m\) for k = 1, …, e, composing the rational maps, and reducing modulo I at each step. The calculation of f ∘ g mod h, where \(f, g, h\in \mathbb {F}_q[x]\) are polynomials of degree at most d, takes \(O(dM(d\log q))\) elementary operations using the naïve approach. Thus, computing e of these compositions, reducing modulo \(f_m\) at each step, takes \(O(edM(d\log q) \log q)\) time. □
We now wish to compute the trace of an endomorphism of E corresponding to a cycle in G(p, ℓ). Since the diameter of G(p, ℓ) is \(O(\log p)\), we are interested in computing the trace of a cycle of length \(e=O(\log p)\) in G(p, ℓ). We are also interested in the case where ℓ is a small prime, so we will take \(\ell =O(\log p)\). The resulting generalization of Schoof’s algorithm runs in time polynomial in \(\log p\).
Theorem A.6
Let p > 3 be a prime and let ψ be an endomorphism of a supersingular elliptic curve \(E/\mathbb {F}_{p^2}\) given as a chain of ℓ-isogenies,
where each \(\phi_k\) is specified by its rational functions and is defined over \(\mathbb {F}_q\). We can take \(\mathbb {F}_q\) to be an extension of \(\mathbb {F}_{p^2}\) of degree at most 6. Let \(n= \lceil \log p\rceil \) and assume e, ℓ = O(n). Then the modified version of Schoof’s algorithm computes \( \operatorname {\mathrm {tr}} \psi \) in \(\tilde {O}(n^7)\) time.
Proof
We follow the steps in our modification of Schoof’s algorithm. Since \( \operatorname {\mathrm {norm}} \psi = \ell ^e\), we first choose a bound \(L = O(\log \ell ^e)\).
We can compute \(\psi_m\) in \(\tilde {O}(n^6)\) time by Proposition A.5. For a prime m < L, we compute \( \operatorname {\mathrm {tr}} \psi _m\), the trace of the induced isogeny \(\psi_m\) on E[m], by reducing by the m-division polynomial \(f_m\) whenever possible.
Having computed \(\psi_m\) and \(\psi _m^2\), with the same argument as in the proof of Theorem 10 of [23], we can compute \(t_m\) in \(O((m+\log q)(M(m^2\log q)))\) time. This is because once \(\psi_m\) and \(\psi _m^2\) are computed, the algorithm proceeds the same way as Schoof’s original algorithm. We must repeat this \(L=O(\log p) = O( n )\) times.
Once we compute \( \operatorname {\mathrm {tr}} \psi _m\) for each prime m ≠ p less than L, we compute \( \operatorname {\mathrm {tr}} \psi \) using the Chinese Remainder Theorem. This step is dominated by the previous computations. Thus we have a total run time of \(\tilde {O}(n^7)\). □
© 2019 The Author(s) and The Association for Women in Mathematics
Bank, E., Camacho-Navarro, C., Eisenträger, K., Morrison, T., Park, J. (2019). Cycles in the Supersingular ℓ-Isogeny Graph and Corresponding Endomorphisms. In: Balakrishnan, J., Folsom, A., Lalín, M., Manes, M. (eds) Research Directions in Number Theory. Association for Women in Mathematics Series, vol 19. Springer, Cham. https://doi.org/10.1007/978-3-030-19478-9_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-19477-2
Online ISBN: 978-3-030-19478-9