Elliptic curves in Nemo
Jean Kieffer
École normale supérieure de Paris & INRIA
August 3, 2017
Motivation An example in isogeny-based cryptography The EllipticCurves module Conclusion
1 Motivation
2 An example in isogeny-based cryptography
   Background
   Computations
3 The EllipticCurves module
   Contents
   Further development
4 Conclusion
Key exchange from hard homogeneous spaces
Let $G$ be an abelian group acting on a set $X$ with some given point $x_0$. If the action is
easy to compute (polynomial time),
hard to invert (exponential time),
then there is an analogue of the Diffie–Hellman key exchange (Couveignes 2006).
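[Diagram: from the public base point $x_0$, one party applies $a$ and the other applies $b$, giving the public values $a \star x_0$ and $b \star x_0$; applying $b$ to $a \star x_0$ and $a$ to $b \star x_0$ gives the shared secret $(ab) \star x_0$.]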
The Couveignes–Rostovtsev–Stolbunov scheme
Question
Where can we find such an action?
Answer (Couveignes 2006, Rostovtsev–Stolbunov 2006)
Use the action of a class group on a set of isogenous elliptic curves.
Goals
Explain what this means
Describe the computations needed
Discuss our EllipticCurves module in Nemo.
Elliptic curves over k
Elliptic curves over a field k are algebraic curves, e.g.
$E : y^2 = x^3 + ax + b.$
They have an abelian group structure. The j-invariant
$j(E) = 1728 \, \frac{4a^3}{4a^3 + 27b^2}$
classifies such curves up to isomorphism.
Isogenies are nonzero morphisms. Our isogenies will be defined over $k$. If an isogeny is given by rational fractions of degree $\ell$, it is called an $\ell$-isogeny.
Complex multiplication
From now on, $k = \mathbb{F}_p$ is a prime finite field. Let $E/\mathbb{F}_p$ be an ordinary elliptic curve.
The ring End(E) is isomorphic to an order in a quadratic number field. The Frobenius endomorphism is a distinguished element in End(E).
Ideals of $\mathcal{O}$ modulo principal ideals form the class group of $\mathcal{O}$.
Isogenies of degree $\ell$ starting from $E$ correspond to ideals in $\mathcal{O}$ of norm $\ell$. For example, in the generic case, there are either zero or two isogenies of degree $\ell$ with domain $E$.
Action of the class group
Proposition
There is an action of the class group on a set of elliptic curves.
Ideals of norm $\ell$ act as $\ell$-isogenies.
This action is simply transitive.
Therefore, in our setting, isogeny graphs are just Cayley graphs of a certain group.
Our isogeny graphs
Isogeny graph over $\mathbb{F}_{173}$ with isogenies of degree 3 (blue) and 7 (red):
[Figure: isogeny graph]
This graph is much larger for cryptographic uses.
Representing isogenies
Let $E/k$ be an elliptic curve, and $\ell \neq p$ be an odd prime. Giving the following is equivalent:
An isogeny $E \to E'$ of degree $\ell$
Its kernel, which is a cyclic subgroup of $E$ of order $\ell$
A polynomial of degree $\frac{\ell - 1}{2}$ in $x$ defining the kernel.
If we know this kernel polynomial, we can easily find $E'$ using Vélu's formulas.
Representing ideals
We do not compute directly in the class group. Instead, we use the following representation of ideals:
If the ideal $\mathfrak{l}$ has norm $\ell$, we have a natural surjection
$\mathcal{O}/\ell\mathcal{O} \to \mathcal{O}/\mathfrak{l}\mathcal{O} \simeq \mathbb{Z}/\ell\mathbb{Z}.$
The ideal $\mathfrak{l}$ is determined by the tuple $(\ell, v)$, where $v$ is the image of the Frobenius under this surjection. We call $v$ a Frobenius eigenvalue.
General algorithm
Problem
Given $E/\mathbb{F}_p$ and a prime $\ell$, how can we compute the action of an ideal $(\ell, v)$ on $E$?
Idea
The j-invariant we want is one of the two roots of a polynomial equation, called modular equation: $\Phi_\ell(j(E), Y) = 0$.
Algorithm
Let $E$ be a curve and $(\ell, v)$ be an ideal.
compute and solve this equation: find $j_1, j_2$
compute the kernel polynomial $K(x)$ of $E \to j_1$
check if the Frobenius acts on it as scalar mult. by $v$:
$(x^p, y^p) \overset{?}{=} [v] \cdot (x, y)$ mod $K(x)$ and curve equation.
Kernel computation
Question
How can we compute the kernel polynomial $K(x)$ of $\varphi : E \to j_1$?
Idea (Elkies)
The rational fraction defining $\varphi$ satisfies a simple differential equation. $K(x)$ appears as the denominator.
Algorithm (Bostan–Morain–Salvy–Schost 2008)
Compute power series solutions of this ODE up to a certain precision with a Newton iteration
Recover $K(x)$ using the Berlekamp–Massey rational reconstruction algorithm.
Using Vélu's formulas
Problem
Given $E/\mathbb{F}_p$ and a prime $\ell \neq p$, how can we compute the curves linked to $E$ by an $\ell$-isogeny?
Finding roots of modular polynomials is costly: $\Phi_\ell(X, Y)$ has degree $\ell + 1$ in both variables.
Another solution
Suppose that $K$ is a subgroup of order $\ell$ in $E$ whose points are defined over $\mathbb{F}_p$.
Look for $\ell$-torsion points over $\mathbb{F}_p$ to find $K$, using scalar multiplications
Compute the curve $E/K$ using Vélu's formulas.
The isogeny $E \to E/K$ has degree $\ell$.
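Added example (not from the slides and not the EllipticCurves module's code): a self-contained Python run of the key exchange from the "hard homogeneous spaces" slide, where each step of the action is the Vélu computation just described, over the toy field F_173 with degrees 3 and 7. Assumptions: all function names are hypothetical, secrets are non-negative exponents of the ideals (ℓ, v = 1) whose kernels are the rational ℓ-torsion, and brute-force point counting is only viable at this toy size.

```python
P_MOD = 173      # toy field, as in the slides' isogeny-graph example
ELLS = (3, 7)    # isogeny degrees from that slide; neither divides p - 1

# One square root for each square of F_p (0 included).
ROOTS = {}
for _y in range(P_MOD):
    ROOTS.setdefault(_y * _y % P_MOD, _y)

def inv(x):
    return pow(x % P_MOD, P_MOD - 2, P_MOD)

def rhs(E, x):
    a, b = E
    return (x * x * x + a * x + b) % P_MOD

def count_points(E):
    """#E(F_p) by brute force, point at infinity included."""
    vals = [rhs(E, x) for x in range(P_MOD)]
    return 1 + sum(1 if s == 0 else 2 for s in vals if s in ROOTS)

def j_invariant(E):
    a, b = E
    return 1728 * 4 * a**3 * inv(4 * a**3 + 27 * b * b) % P_MOD

def add(E, P, Q):
    """Affine addition on y^2 = x^3 + ax + b; None is the point at infinity."""
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if P == Q:
        lam = (3 * x1 * x1 + E[0]) * inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(E, k, P):
    R = None
    while k:
        if k & 1:
            R = add(E, R, P)
        P, k = add(E, P, P), k >> 1
    return R

def torsion_point(E, ell):
    """A rational point of exact order ell; needs ell | #E(F_p)."""
    cof = count_points(E)
    while cof % ell == 0:
        cof //= ell
    for x in range(P_MOD):
        if rhs(E, x) not in ROOTS:
            continue
        Q = mul(E, cof, (x, ROOTS[rhs(E, x)]))
        while Q is not None:               # climb down to order exactly ell
            R = mul(E, ell, Q)
            if R is None:
                return Q
            Q = R
    raise ValueError("no rational point of order ell")

def velu_step(E, ell):
    """Codomain E/K, K the rational ell-torsion, i.e. the ideal (ell, v = 1)."""
    a, b = E
    Q = torsion_point(E, ell)
    v = w = 0
    R = Q
    for _ in range((ell - 1) // 2):        # one point from each pair {R, -R}
        x, y = R
        t = 2 * (3 * x * x + a)
        v += t
        w += 4 * y * y + x * t
        R = add(E, R, Q)
    return ((a - 5 * v) % P_MOD, (b - 7 * w) % P_MOD)

def find_curve():
    """First nonsingular (a, b) with 3 * 7 | #E(F_p): the 'adequate curve' search."""
    for a in range(1, P_MOD):
        for b in range(1, P_MOD):
            E = (a, b)
            if (4 * a**3 + 27 * b * b) % P_MOD and count_points(E) % 21 == 0:
                return E

def act(E, exponents):
    """Apply (3, 1)^e3 * (7, 1)^e7 to E, with e3, e7 >= 0."""
    for ell, e in zip(ELLS, exponents):
        for _ in range(e):
            E = velu_step(E, ell)
    return E

def key_exchange(alice=(2, 1), bob=(1, 3)):
    """Both parties' views of the shared j-invariant (they must agree)."""
    E0 = find_curve()
    pub_a, pub_b = act(E0, alice), act(E0, bob)      # exchanged in the clear
    return j_invariant(act(pub_b, alice)), j_invariant(act(pub_a, bob))

if __name__ == "__main__":
    print(key_exchange())
```

The two walks agree because the composite kernel is the rational 21-torsion whichever degree is taken first; every curve visited keeps the same number of points as the starting curve.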
Using Vélu's formulas (2)
The previous condition may be relaxed when allowing field extensions. But...
Using Vélu's formulas is only efficient with small-degree extensions.
Using efficient arithmetic on curves is important (use other models than Weierstrass equations)
Not every curve satisfies the previous conditions for many $\ell$'s and small $d$'s: we have to look for adequate curves.
In practice, we have to use both the general algorithm and Vélu's formulas.
What we would like to do
For the general method:
Define elliptic curves over finite fields and general rings
Define isogenies, scalar multiplication and isomorphisms
Have a database of modular polynomials
Find roots of polynomials over finite fields
BMSS: ODEs in power series with Newton iterations and Berlekamp–Massey.
For Vélu's formulas:
Define points on elliptic curves and arithmetic operations with efficient models
Extensions of finite fields.
Three ways to compute scalar multiplications
Sol. 1 (Nemo)
E = Weierstrass(...)
Fext, = FiniteField(p, d, "alpha")
Eext = base_extend(E, Fext)
P = rand(Eext)
p^d * P

Sol. 2 (Nemo)
E = Montgomery(...)
Fext, = FiniteField(p, d, "alpha")
Eext = base_extend(E, Fext)
P = randXonly(Eext)
p^d * P

Sol. 3 (Sage)
E = EllipticCurve(...)
Fext = FiniteField(p**d, "alpha")
Eext = E.base_extend(Fext)
P = Eext.random_element()
C = p**d
C * P
Timing results
[Plot: computation time t (s), from 0 to 2, against d, from 1 to 10; curves for Sage, Nemo (Montgomery) and Nemo (generic).]
Further possible development
Around the previous algorithms:
Call (system) PARI to compute the cardinality of curves over finite fields
Have access to FLINT's root finding algorithms modulo p
Have a decent system to handle field extensions
Have p-adic numbers to compute isogenies in small characteristic?
Connections with Hecke to be able to compute in endomorphism rings?
Further possible development
This module may also become useful to people learning about elliptic curves and elliptic curve cryptography:
Implement other models for curves
Add pairings
. . .
Conclusion
We implemented Couveignes's proposal, but the heavy computations needed make it uncompetitive in practice when compared with other cryptosystems.
In order to use Vélu's formulas, we have to look for adequate curves, and this requires lots of computational power.
With the best curve we found so far, aiming at 128-bit security, we reduced the computing time from 880 to 360 seconds. Better curves would bring further improvement.
The EllipticCurves module is able to perform these computations.
Thank you!