Post on 04-Jul-2020
Isolated Curves and Cryptography
Travis Scholl
University of California, Irvine
March 23, 2019
Elliptic Curve Discrete Log Problem (ECDLP)
Given an elliptic curve E/Fp and points P,Q ∈ E(Fp), find k ∈ Zsuch that Q = kP .
If ϕ : E → E′ is an isogeny of elliptic curves and P,Q ∈ E(Fp),then
Q = kP ⇒ ϕ(Q) = kϕ(P ).
• E
Isogeny Class
•
•
•
••
••
•
•
•
• E
Isogeny Class
Weak Curves
•
•
•
••
••
•
•
•
• E
Isogeny Class
Weak Curves
E′•
•
•
••
••
•
•
•
ϕ
Isogeny Class
• E
DefinitionE is super-isolated if its isogeny class contains only E.
GoalFind super-isolated curves.
Introduction
Background
Construction
Generalization
Let I be the isogeny class of E/Fp, and assume that E is ordinary.
Facts
• EndE is an order O in a quadratic imaginary field K.
• O ⊇ Z[π] where π is the Frobenius endomorphism.
• # {E′ ∈ I : EndE′ ∼= O} is the class number of O.
Example
I
Z[i]Z[3i] Z[2i]
Z[6i]
E •
• • •
• • • •
Figure: The isogeny class of E : y2 = x3 + x over F37 partitioned intoendomorphism classes. Here π = 1 + 6i.
TheoremE is super-isolated if and only if Z[π] = OK and h(K) = 1.
Example
Let E/F5 be the curve y2 = x3 + 2x. Then π = 2 + i, so E issuper-isolated.
TheoremE is super-isolated if and only if Z[π] = OK and h(K) = 1.
Example
Let E/F5 be the curve y2 = x3 + 2x. Then π = 2 + i, so E issuper-isolated.
Introduction
Background
Construction
Generalization
Complex Multiplication (CM) Method
(1) Find an integer A ∈ Z such that p = A2 + 1 is a large prime.
(2) Choose λ ∈ Fp such that the elliptic curve E given by y2 =x3 + λx over Fp has A2 − 2A+ 2 points.
This works because the Frobenius of E is π = A+ i so Z[π] = Z[i].
QuestionHow many A are there?
Complex Multiplication (CM) Method
(1) Find an integer A ∈ Z such that p = A2 + 1 is a large prime.
(2) Choose λ ∈ Fp such that the elliptic curve E given by y2 =x3 + λx over Fp has A2 − 2A+ 2 points.
This works because the Frobenius of E is π = A+ i so Z[π] = Z[i].
QuestionHow many A are there?
Complex Multiplication (CM) Method
(1) Find an integer A ∈ Z such that p = A2 + 1 is a large prime.
(2) Choose λ ∈ Fp such that the elliptic curve E given by y2 =x3 + λx over Fp has A2 − 2A+ 2 points.
This works because the Frobenius of E is π = A+ i so Z[π] = Z[i].
QuestionHow many A are there?
Open Question
#{A ∈ Z : A2 + 1 is prime
} ?=∞.
Conjecture
#{A ∈ Z : A2 + 1 is prime, A ≤M
}= Θ
( √M
logM
).
Heuristic
{E/Fp : E super-isolated, p ≤M
}= Θ
( √M
logM
).
Open Question
#{A ∈ Z : A2 + 1 is prime
} ?=∞.
Conjecture
#{A ∈ Z : A2 + 1 is prime, A ≤M
}= Θ
( √M
logM
).
Heuristic
{E/Fp : E super-isolated, p ≤M
}= Θ
( √M
logM
).
Open Question
#{A ∈ Z : A2 + 1 is prime
} ?=∞.
Conjecture
#{A ∈ Z : A2 + 1 is prime, A ≤M
}= Θ
( √M
logM
).
Heuristic
{E/Fp : E super-isolated, p ≤M
}= Θ
( √M
logM
).
Introduction
Background
Construction
Generalization
DefinitionAn abelian variety A/Fq is super-isolated if #I = 1.
Theorem ([Wat69])
Let A/Fq be a simple ordinary abelian variety, π a root of thecharacteristic polynomial of the Frobenius endomorphism, and letK = Q(π). Then A is super-isolated if and only if OK = Z[π, π]and K has class number 1.
DefinitionAn abelian variety A/Fq is super-isolated if #I = 1.
Theorem ([Wat69])
Let A/Fq be a simple ordinary abelian variety, π a root of thecharacteristic polynomial of the Frobenius endomorphism, and letK = Q(π). Then A is super-isolated if and only if OK = Z[π, π]and K has class number 1.
Example (Dimension 4)
The Jacobian of the genus 4 hyperelliptic curve over F2 given by
y2 + (x5 + x3 + 1)y = x9 + x6
is super-isolated. The minimal polynomial of π is
x8 + 3x7 + 7x6 + 13x5 + 19x4 + 26x3 + 28x2 + 24x+ 16.
http://www.lmfdb.org/Variety/Abelian/Fq/4/2/d_h_n_t
Heuristic (S.)
Let S(M) denote the number of simple ordinary super-isolatedabelian varieties of dimension g over Fq with q ≤M . Then
S(M) =
{Θ( √
MlogM
), if g = 1 (related to [BH62])
Θ (log logM) , if g = 2 (related to [CP05]).
Theorem (S.)
If g ≥ 3, then S(M) = O(1).
IdeasLooking for super-isolated curves reduces to finding Weilq-numbers π such that Z[π, π] is maximal. We instead count Weilgenerators in a CM field K, which are π ∈ K such that
• ππ ∈ Z• Z[π, π] = OK
To count Weil generators in a CM field K of degree 2g, we splitinto cases by g.
g = 1
Here OK = Z[ω], and we are counting a ∈ Z with h(a± ω) ≤ N .
g = 2
Here W corresponds to some proportion of O×F .
g ≥ 3
Here W essentially corresponds to integer points on a degree gcurve with g distinct points at infinity, so we may apply Siegel’stheorem.
Theorem (S.)
Let K be a CM field of degree 2g, and let W be the set of Weilgenerators in K. Then
# {α ∈W : h(α) ≤ N} =
4N +O(1) g = 1
ρ logN +O(1) g = 2 and W 6= ∅O(1) g ≥ 3.
NoteThis is a theorem because it does not include the word “prime”.
Thank you for listening.
References I
Paul T. Bateman and Roger A. Horn. A heuristic asymptoticformula concerning the distribution of prime numbers. Math.Comp., 16:363–367, 1962.
Richard Crandall and Carl Pomerance. Prime numbers. Springer,New York, second edition, 2005. A computational perspective.
The LMFDB Collaboration. The l-functions and modular formsdatabase. http://www.lmfdb.org, 2013. [Online; accessed 16September 2013].
William C. Waterhouse. Abelian varieties over finite fields. Ann.Sci. Ecole Norm. Sup. (4), 2:521–560, 1969.