Isolated Curves and Cryptography

Travis Scholl

University of California, Irvine

March 23, 2019

Elliptic Curve Discrete Log Problem (ECDLP)

Given an elliptic curve E/Fp and points P,Q ∈ E(Fp), find k ∈ Zsuch that Q = kP .

If ϕ : E → E′ is an isogeny of elliptic curves and P,Q ∈ E(Fp),then

Q = kP ⇒ ϕ(Q) = kϕ(P ).

• E

Isogeny Class

•

•

•

••

••

•

•

•

• E

Isogeny Class

Weak Curves

•

•

•

••

••

•

•

•

• E

Isogeny Class

Weak Curves

E′•

•

•

••

••

•

•

•

ϕ

Isogeny Class

• E

DefinitionE is super-isolated if its isogeny class contains only E.

GoalFind super-isolated curves.

Introduction

Background

Construction

Generalization

Let I be the isogeny class of E/Fp, and assume that E is ordinary.

Facts

• EndE is an order O in a quadratic imaginary field K.

• O ⊇ Z[π] where π is the Frobenius endomorphism.

• # {E′ ∈ I : EndE′ ∼= O} is the class number of O.

Example

I

Z[i]Z[3i] Z[2i]

Z[6i]

E •

• • •

• • • •

Figure: The isogeny class of E : y2 = x3 + x over F37 partitioned intoendomorphism classes. Here π = 1 + 6i.

TheoremE is super-isolated if and only if Z[π] = OK and h(K) = 1.

Example

Let E/F5 be the curve y2 = x3 + 2x. Then π = 2 + i, so E issuper-isolated.

TheoremE is super-isolated if and only if Z[π] = OK and h(K) = 1.

Example

Let E/F5 be the curve y2 = x3 + 2x. Then π = 2 + i, so E issuper-isolated.

Introduction

Background

Construction

Generalization

Complex Multiplication (CM) Method

(1) Find an integer A ∈ Z such that p = A2 + 1 is a large prime.

(2) Choose λ ∈ Fp such that the elliptic curve E given by y2 =x3 + λx over Fp has A2 − 2A+ 2 points.

This works because the Frobenius of E is π = A+ i so Z[π] = Z[i].

QuestionHow many A are there?

Complex Multiplication (CM) Method

(1) Find an integer A ∈ Z such that p = A2 + 1 is a large prime.

(2) Choose λ ∈ Fp such that the elliptic curve E given by y2 =x3 + λx over Fp has A2 − 2A+ 2 points.

This works because the Frobenius of E is π = A+ i so Z[π] = Z[i].

QuestionHow many A are there?

Complex Multiplication (CM) Method

(1) Find an integer A ∈ Z such that p = A2 + 1 is a large prime.

(2) Choose λ ∈ Fp such that the elliptic curve E given by y2 =x3 + λx over Fp has A2 − 2A+ 2 points.

This works because the Frobenius of E is π = A+ i so Z[π] = Z[i].

QuestionHow many A are there?

Open Question

#{A ∈ Z : A2 + 1 is prime

} ?=∞.

Conjecture

#{A ∈ Z : A2 + 1 is prime, A ≤M

}= Θ

( √M

logM

).

Heuristic

{E/Fp : E super-isolated, p ≤M

}= Θ

( √M

logM

).

Open Question

#{A ∈ Z : A2 + 1 is prime

} ?=∞.

Conjecture

#{A ∈ Z : A2 + 1 is prime, A ≤M

}= Θ

( √M

logM

).

Heuristic

{E/Fp : E super-isolated, p ≤M

}= Θ

( √M

logM

).

Open Question

#{A ∈ Z : A2 + 1 is prime

} ?=∞.

Conjecture

#{A ∈ Z : A2 + 1 is prime, A ≤M

}= Θ

( √M

logM

).

Heuristic

{E/Fp : E super-isolated, p ≤M

}= Θ

( √M

logM

).

Introduction

Background

Construction

Generalization

DefinitionAn abelian variety A/Fq is super-isolated if #I = 1.

Theorem ([Wat69])

Let A/Fq be a simple ordinary abelian variety, π a root of thecharacteristic polynomial of the Frobenius endomorphism, and letK = Q(π). Then A is super-isolated if and only if OK = Z[π, π]and K has class number 1.

DefinitionAn abelian variety A/Fq is super-isolated if #I = 1.

Theorem ([Wat69])

Let A/Fq be a simple ordinary abelian variety, π a root of thecharacteristic polynomial of the Frobenius endomorphism, and letK = Q(π). Then A is super-isolated if and only if OK = Z[π, π]and K has class number 1.

Example (Dimension 4)

The Jacobian of the genus 4 hyperelliptic curve over F2 given by

y2 + (x5 + x3 + 1)y = x9 + x6

is super-isolated. The minimal polynomial of π is

x8 + 3x7 + 7x6 + 13x5 + 19x4 + 26x3 + 28x2 + 24x+ 16.

http://www.lmfdb.org/Variety/Abelian/Fq/4/2/d_h_n_t

Heuristic (S.)

Let S(M) denote the number of simple ordinary super-isolatedabelian varieties of dimension g over Fq with q ≤M . Then

S(M) =

{Θ( √

MlogM

), if g = 1 (related to [BH62])

Θ (log logM) , if g = 2 (related to [CP05]).

Theorem (S.)

If g ≥ 3, then S(M) = O(1).

IdeasLooking for super-isolated curves reduces to finding Weilq-numbers π such that Z[π, π] is maximal. We instead count Weilgenerators in a CM field K, which are π ∈ K such that

• ππ ∈ Z• Z[π, π] = OK

To count Weil generators in a CM field K of degree 2g, we splitinto cases by g.

g = 1

Here OK = Z[ω], and we are counting a ∈ Z with h(a± ω) ≤ N .

g = 2

Here W corresponds to some proportion of O×F .

g ≥ 3

Here W essentially corresponds to integer points on a degree gcurve with g distinct points at infinity, so we may apply Siegel’stheorem.

Theorem (S.)

Let K be a CM field of degree 2g, and let W be the set of Weilgenerators in K. Then

# {α ∈W : h(α) ≤ N} =

4N +O(1) g = 1

ρ logN +O(1) g = 2 and W 6= ∅O(1) g ≥ 3.

NoteThis is a theorem because it does not include the word “prime”.

Thank you for listening.

References I

Paul T. Bateman and Roger A. Horn. A heuristic asymptoticformula concerning the distribution of prime numbers. Math.Comp., 16:363–367, 1962.

Richard Crandall and Carl Pomerance. Prime numbers. Springer,New York, second edition, 2005. A computational perspective.

The LMFDB Collaboration. The l-functions and modular formsdatabase. http://www.lmfdb.org, 2013. [Online; accessed 16September 2013].

William C. Waterhouse. Abelian varieties over finite fields. Ann.Sci. Ecole Norm. Sup. (4), 2:521–560, 1969.