Maps on elliptic curves · 2013-09-18 · q-isomorphism classes of elliptic curves over F q are...
Maps on elliptic curves
Benjamin Smith
Team GRACE
INRIA Saclay–Ile-de-France
Laboratoire d’Informatique de l’Ecole polytechnique (LIX)
ECC “Summer” School, Leuven, September 11 2013
Smith (INRIA/LIX) Maps on elliptic curves Leuven, 11/09/2013 1 / 28
0: Motivation
Metaphysics
$/\cong$: There is only one finite field with $q$ elements.
When you want to do cryptography in a finite field, you just have to choose $q$.
When you want to do ECC, you need to choose $q$ and one of the many elliptic curves $/\mathbb{F}_q$.
So you need to seriously think about your choice, and how it relates to all of the other curves that you thought you didn’t choose.
(No curve is an island, Entire of itself.)
1: *omorphisms
Weierstrass models
Elliptic curves over $\mathbb{F}_q$, with $q$ a power of $p$, and $p \neq 2, 3$:
$$E : y^2 = F_E(x) = x^3 + Ax + B.$$
Function field:
$$\overline{\mathbb{F}}_q(E) = \overline{\mathbb{F}}_q(x)[y]/(y^2 - F_E(x))$$
Functions with coefficients in $\mathbb{F}_q$:
$$\mathbb{F}_q(E) = \mathbb{F}_q(x)[y]/(y^2 - F_E(x))$$
What is a morphism?
Let $E_1 : y_1^2 = F_{E_1}(x_1)$ and $E_2 : y_2^2 = F_{E_2}(x_2)$ be elliptic curves over $\mathbb{F}_q$.
A morphism $\phi : E_1 \to E_2$ is a mapping
$$\phi : (x_1, y_1) \longmapsto (x_2, y_2) = (\phi_x(x_1, y_1), \phi_y(x_1, y_1))$$
where $\phi_x$ and $\phi_y$ in $\overline{\mathbb{F}}_q(E_1)$ satisfy the equation of $E_2$:
$$\phi_y^2 = F_{E_2}(\phi_x).$$
$\mathbb{F}_{q^d}$-morphisms = morphisms $\phi$ with $\phi_x, \phi_y \in \mathbb{F}_{q^d}(E_1)$
Homomorphisms = morphisms respecting the group law
Isomorphisms = invertible homomorphisms
Endomorphisms = homomorphisms from a curve to itself
Automorphisms = invertible endomorphisms
Degree
Let $\phi : E_1 \to E_2$ be an $\mathbb{F}_q$-morphism:
$$\phi : (x_1, y_1) \in E_1(\mathbb{F}_q) \longmapsto (\phi_x(x_1, y_1), \phi_y(x_1, y_1)) \in E_2(\mathbb{F}_q)$$
Induced extension of function fields $\mathbb{F}_q(E_2) \to \mathbb{F}_q(E_1)$:
$$f(x_2, y_2) \in \mathbb{F}_q(E_2) \longmapsto f(\phi_x(x_1, y_1), \phi_y(x_1, y_1)) \in \mathbb{F}_q(E_1)$$
The degree of $\phi$ is the degree of the induced field extension:
$$\deg \phi := [\mathbb{F}_q(E_1) : \mathbb{F}_q(E_2)].$$
Degree
Degree is multiplicative: $\deg \phi_1\phi_2 = \deg \phi_1 \cdot \deg \phi_2$
(so isomorphisms and automorphisms have degree 1)
If $\phi$ is a constant morphism, then $\deg \phi := 0$.
Degree has an inseparable part (essentially $p$th powering/Frobenius) and a separable part (everything else).
If $\phi \neq 0$ then $\deg_{\mathrm{sep}} \phi = \#(\ker \phi)(\overline{\mathbb{F}}_q)$.
“Complexity” of the morphism $\longleftrightarrow$ separable degree
Examples
Multiplication-by-$m$: purely separable endomorphisms, degree $m^2$.
$$[2] : (x, y) \longmapsto \left( \frac{\Phi_2(x)}{\Psi_2(x)},\ \frac{y}{2} \cdot \frac{d}{dx}\left( \frac{\Phi_2(x)}{\Psi_2(x)} \right) \right)$$
where $\Psi_2(x) = 4(x^3 + Ax + B)$ (the 2-division polynomial) and $\Phi_2(x) = x^4 - 2Ax^2 - 8Bx + A^2$.
Frobenius: purely inseparable endomorphism, degree $q$.
$$\pi : (x, y) \longmapsto (x^q, y^q)$$
Factors into a series of $n$ $p$th-powering homomorphisms (with $q = p^n$)
$$E \xrightarrow{\ p\ } E^{(p)} \xrightarrow{\ p\ } E^{(p^2)} \xrightarrow{\ p\ } \cdots \xrightarrow{\ p\ } E^{(p^{n-1})} \xrightarrow{\ p\ } E$$
of Galois-conjugate curves $E^{(p^i)} : y^2 = x^3 + A^{p^i} x + B^{p^i}$.
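Added example (not from Smith's slides): the formula for $[2]$ above can be checked mechanically over a small prime field. The code below, written for this transcript, evaluates $\Phi_2/\Psi_2$ and its formal derivative (quotient rule on coefficient lists) and compares the result with ordinary tangent-line doubling at every $\mathbb{F}_p$-point; it also counts the $\mathbb{F}_p$-rational points of the kernel $E[2]$, which are $O$ together with the roots of $\Psi_2$. The helper names, the choice $p = 31$ and the curve $y^2 = x^3 + 7x + 6$ (which appears later in the slides) are my choices, not the author's.

```python
# Added example, not from Smith's slides: check the slide's formula for [2] on
# y^2 = x^3 + Ax + B over a prime field F_p against ordinary tangent-line doubling,
# and count the F_p-rational part of its kernel E[2]. Curve parameters below are
# constructed for illustration.

def inv(a, p):
    """Inverse of a in F_p (p prime) by Fermat."""
    return pow(a % p, p - 2, p)

def poly_eval(coeffs, x, p):
    """Evaluate [c0, c1, c2, ...] (c0 = constant term) at x, mod p (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc

def poly_deriv(coeffs, p):
    """Formal derivative in coefficient-list form, mod p."""
    return [(i * c) % p for i, c in enumerate(coeffs)][1:]

def division_polys(A, B):
    """Psi_2 = 4(x^3 + Ax + B) and Phi_2 = x^4 - 2Ax^2 - 8Bx + A^2, as on the slide."""
    psi2 = [4 * B, 4 * A, 0, 4]
    phi2 = [A * A, -8 * B, -2 * A, 0, 1]
    return phi2, psi2

def double_by_formula(P, A, B, p):
    """[2]P from x(2P) = Phi_2/Psi_2 and y(2P) = (y/2) * d/dx(Phi_2/Psi_2); None means O."""
    x, y = P
    phi2, psi2 = division_polys(A, B)
    n, d = poly_eval(phi2, x, p), poly_eval(psi2, x, p)
    if d == 0:                   # Psi_2(x) = 4y^2 = 0  <=>  P is in E[2]  <=>  [2]P = O
        return None
    dn = poly_eval(poly_deriv(phi2, p), x, p)
    dd = poly_eval(poly_deriv(psi2, p), x, p)
    r_prime = (dn * d - n * dd) * inv(d * d, p) % p   # quotient rule for (Phi_2/Psi_2)'
    return (n * inv(d, p) % p, y * inv(2, p) * r_prime % p)

def double_by_group_law(P, A, p):
    """Tangent-line doubling on y^2 = x^3 + Ax + B; None means O."""
    x, y = P
    if y == 0:
        return None
    lam = (3 * x * x + A) * inv(2 * y, p) % p
    x3 = (lam * lam - 2 * x) % p
    return (x3, (lam * (x - x3) - y) % p)

def affine_points(A, B, p):
    """All affine F_p-points of y^2 = x^3 + Ax + B (brute force, fine for small p)."""
    return [(x, y) for x in range(p) for y in range(p)
            if (y * y - (x ** 3 + A * x + B)) % p == 0]

def check_doubling_formula(A, B, p):
    """True iff the slide's [2] formula agrees with the group law on all of E(F_p)."""
    return all(double_by_formula(P, A, B, p) == double_by_group_law(P, A, p)
               for P in affine_points(A, B, p))

def rational_two_torsion(A, B, p):
    """#E[2](F_p): O plus the points with y = 0, i.e. the roots of Psi_2 in F_p.
    Over the algebraic closure E[2] always has 4 points (deg [2] = 4), so this is 1, 2 or 4."""
    return 1 + sum(1 for (x, y) in affine_points(A, B, p) if y == 0)

if __name__ == "__main__":
    p, A, B = 31, 7, 6       # E2 : y^2 = x^3 + 7x + 6 over F_31, a curve from the slides
    print(check_doubling_formula(A, B, p))    # True
    print(rational_two_torsion(A, B, p))
```

The gap between `rational_two_torsion` (at most 4, often smaller) and the separable degree 4 of $[2]$ is exactly the point of the previous slide: the kernel is counted over $\overline{\mathbb{F}}_q$, not over $\mathbb{F}_q$.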
Algebraic operations on morphisms
We can compose homomorphisms $\phi_1 : E_1 \to E_2$ and $\phi_2 : E_2 \to E_3$.
We can also add homomorphisms $\phi : E_1 \to E_2$ and $\psi : E_1 \to E_2$:
$$(\phi + \psi)(P) = \phi(P) \oplus \psi(P)$$
Algebraically, $\phi + \psi := \oplus \circ (\phi, \psi)$ really is a morphism.
Automorphisms of $E$ form a group $\mathrm{Aut}(E)$ under $\circ$.
Homomorphisms $E_1 \to E_2$ form a $\mathbb{Z}$-module $\mathrm{Hom}(E_1, E_2)$ under $+$.
Endomorphisms of $E$ form a ring $\mathrm{End}(E)$ under $+$ and $\circ$.
We always have integer multiplications $[m]$, $m \in \mathbb{Z}$, and Frobenius $\pi$, so
$$\mathbb{Z}[\pi] \subseteq \mathrm{End}(E).$$
Translations
For each $T$ in $E(\mathbb{F}_q)$ we define a translation $\tau_T : E(\mathbb{F}_q) \to E(\mathbb{F}_q)$ by
$$\tau_T(P) := P \oplus T.$$
Translations are morphisms: the group law is defined by rational functions.
Translations are invertible: $\tau_{-T} \circ \tau_T = [1]$.
Translations are not homomorphisms: $\tau_T(O_E) \neq O_E$.
$\Longrightarrow$ Translations are automorphisms of the genus 1 curve underlying $E$, but not of $E$ as an elliptic curve.
This is a ridiculous amount of symmetry: if we forget $O_E$ then $E$ has an infinite automorphism group.
Formally speaking, an elliptic curve is a pair $(E, O_E)$. All of the visible structure on $E$ is relative to $O_E$.
...But it doesn’t matter which point you choose to be $O_E$ and send to infinity: you can always change your mind with a translation.
Morphisms and homomorphisms
Theorem: Every morphism of elliptic curves is the composition of a homomorphism and a translation.
In other words:
Any morphism $E_1 \to E_2$ mapping $O_{E_1}$ to $O_{E_2}$ must be a homomorphism.
2: Isomorphisms, Automorphisms, and Twists
Isomorphisms
For our purposes: isomorphisms look like changes of coordinates.
Example
The curves $E_1 : y_1^2 = x_1^3 + 29x_1^2 + 24x_1 + 23$ and $E_2 : y_2^2 = x_2^3 + 7x_2 + 6$ over $\mathbb{F}_{31}$ are isomorphic via
$$(x_1, y_1) \longmapsto (x_2, y_2) = (9x_1 + 25,\ 4y_1)$$
$\mathbb{F}_q$-isomorphisms preserve DLPs on elliptic curves over $\mathbb{F}_q$;
$\mathbb{F}_q$-isomorphisms are also compatible with pairings
$\Longrightarrow$ $\mathbb{F}_q$-isomorphic curves are cryptographically equivalent.
So how many non-isomorphic curves are there over $\mathbb{F}_q$?
The j-invariant
If $E : y^2 = x^3 + Ax + B$ is an elliptic curve over $\mathbb{F}_q$ then its $j$-invariant is
$$j(E) = \frac{1728\,A^3}{A^3 + \frac{27}{4} B^2}.$$
(...can also be defined for other models of elliptic curves, over any field)
$j(E) = j(E')$ $\Longleftrightarrow$ $E$ and $E'$ are $\overline{\mathbb{F}}_q$-isomorphic.
The mapping $j : \{\text{Elliptic curves over } \mathbb{F}_q\} / \overline{\mathbb{F}}_q\text{-isomorphism} \longrightarrow \mathbb{F}_q$ is a bijection.
$\Longrightarrow$ $\overline{\mathbb{F}}_q$-isomorphism classes of elliptic curves over $\mathbb{F}_q$ are parametrized by the $j$-line (“moduli space”).
There is essentially only one “degree of freedom” when choosing a random elliptic curve over $\mathbb{F}_q$.
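Added example (not from Smith's slides): the $\mathbb{F}_{31}$ isomorphism from the previous slide and the $j$-invariant formula above can both be checked by brute force. The code below, written for this transcript, maps every point of $E_1(\mathbb{F}_{31})$ through $(x_1, y_1) \mapsto (9x_1 + 25, 4y_1)$ and confirms it lands bijectively on $E_2(\mathbb{F}_{31})$; it then computes $j$ for both curves. Since $E_1$ has an $x^2$ term, it is first brought to the form $y^2 = u^3 + Au + B$ by the substitution $x = u - 29/3$ (a standard completing-the-cube step that the slides do not show; the helper `short_weierstrass` is mine).

```python
# Added example, not from Smith's slides: verify the F_31 isomorphism from the slide
# point by point, and check that both curves have the same j-invariant. E1 has an
# x^2 term, so it is first moved to the form y^2 = u^3 + Au + B (completing the cube,
# an assumed helper) before the slide's j formula is applied.

p = 31

def inv(a):
    return pow(a % p, p - 2, p)

def points(f):
    """All affine F_p-points of y^2 = f(x), by brute force."""
    return [(x, y) for x in range(p) for y in range(p) if (y * y - f(x)) % p == 0]

# E1 : y^2 = x^3 + 29x^2 + 24x + 23   and   E2 : y^2 = x^3 + 7x + 6 (both from the slide)
f1 = lambda x: x ** 3 + 29 * x * x + 24 * x + 23
f2 = lambda x: x ** 3 + 7 * x + 6

def iso(P):
    """The slide's isomorphism (x1, y1) -> (9 x1 + 25, 4 y1)."""
    x, y = P
    return ((9 * x + 25) % p, 4 * y % p)

def isomorphism_is_bijection():
    """True iff iso maps E1(F_31) injectively onto E2(F_31)."""
    img = [iso(P) for P in points(f1)]
    return len(set(img)) == len(img) and set(img) == set(points(f2))

def short_weierstrass(a2, a4, a6):
    """y^2 = x^3 + a2 x^2 + a4 x + a6  ->  y^2 = u^3 + A u + B via x = u - a2/3 (p != 3)."""
    s = a2 * inv(3) % p
    return (a4 - 3 * s * s) % p, (a6 - a4 * s + 2 * s ** 3) % p

def j_invariant(A, B):
    """j(E) = 1728 A^3 / (A^3 + (27/4) B^2), the slide's formula, evaluated in F_p."""
    return 1728 * A ** 3 * inv(A ** 3 + 27 * inv(4) * B * B) % p

def same_j():
    """Isomorphic curves must share a j-invariant; this checks it for E1 and E2."""
    return j_invariant(*short_weierstrass(29, 24, 23)) == j_invariant(7, 6)

if __name__ == "__main__":
    print(isomorphism_is_bijection(), same_j(), j_invariant(7, 6))   # True True 26
```

The $j$-invariant is the same for any curve in the $\overline{\mathbb{F}}_q$-isomorphism class; the next slides show that an equal $j$ does not yet mean $\mathbb{F}_q$-isomorphic.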
Automorphisms
The automorphisms of an elliptic curve $E$ form a group $\mathrm{Aut}(E)$ under composition. $\mathrm{Aut}(E)$ is finite, and generically $\mathrm{Aut}(E) = \{[\pm 1]\}$. But:
$\#\mathrm{Aut}_{\overline{\mathbb{F}}_q}(E) = 2$ if $j(E) \notin \{0, 1728\}$
$\#\mathrm{Aut}_{\overline{\mathbb{F}}_q}(E) = 4$ if $j(E) = 1728$ and $p \notin \{2, 3\}$:
$E_a : y^2 = x^3 + ax$ has an $\mathbb{F}_q(i)$-automorphism of order 4, $(x, y) \longmapsto (-x, iy)$ (where $i^2 = -1$), for any $a \neq 0$ in $\mathbb{F}_q$
$\#\mathrm{Aut}_{\overline{\mathbb{F}}_q}(E) = 6$ if $j(E) = 0$ and $p \notin \{2, 3\}$:
$E'_a : y^2 = x^3 + a$ has an $\mathbb{F}_q(\zeta_3)$-automorphism of order 3, $(x, y) \longmapsto (\zeta_3 x, y)$ (where $\zeta_3^3 = 1$), for any $a \neq 0$ in $\mathbb{F}_q$
$\#\mathrm{Aut}_{\overline{\mathbb{F}}_q}(E) = 12$ if $j(E) = 0 = 1728$ and $p = 3$ (these $E$ are supersingular)
$\#\mathrm{Aut}_{\overline{\mathbb{F}}_q}(E) = 24$ if $j(E) = 0 = 1728$ and $p = 2$ (these $E$ are supersingular)
Twists
If $E/\mathbb{F}_q$ and $E'/\mathbb{F}_q$ are $\overline{\mathbb{F}}_q$-isomorphic but not $\mathbb{F}_q$-isomorphic, then we say $E$ and $E'$ are twists.
For example: let $\delta$ be a nonsquare in $\mathbb{F}_q$. Then
$$E : y^2 = x^3 + Ax + B \quad\text{and}\quad E_\delta : y'^2 = x'^3 + \delta^2 A x' + \delta^3 B$$
are quadratic twists: the $\mathbb{F}_q(\sqrt{\delta})$-isomorphism $E \to E_\delta$ is
$$(x, y) \longmapsto (x', y') = (\delta x,\ \delta^{3/2} y).$$
Up to isomorphism, there is only one quadratic twist: if $\delta_1$ and $\delta_2$ are both nonsquares in $\mathbb{F}_q$, then $E_{\delta_1} \cong E_{\delta_2}$ over $\mathbb{F}_q$ (since $\delta_1/\delta_2$ must be square).
If $j(E) \neq 0$ or $1728$, then the only twist of $E$ is its quadratic twist.
More on twists
Twists have the same geometry (i.e., the same behaviour over $\overline{\mathbb{F}}_q$) but different arithmetic (i.e., they have different behaviour over $\mathbb{F}_q$).
For example: if $E$ and $E'$ are quadratic twists, then $E(\mathbb{F}_q)$ and $E'(\mathbb{F}_q)$ can have different cardinalities (and wildly different cryptographic strengths).
However, the cardinalities are not independent:
$$\#E(\mathbb{F}_q) = q + 1 - t \quad\text{and}\quad \#E'(\mathbb{F}_q) = q + 1 + t$$
for some $-2\sqrt{q} \le t \le 2\sqrt{q}$, and
$$\#E(\mathbb{F}_q) + \#E'(\mathbb{F}_q) = 2(q + 1).$$
The quadratic twist is a sort of arithmetic mirror image.
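Added example (not from Smith's slides): the "mirror image" relation on the last two slides is easy to see numerically. The code below, written for this transcript, counts $\mathbb{F}_p$-points on $E$ and on $E_\delta$ with the Legendre-symbol sum $\#E(\mathbb{F}_p) = p + 1 + \sum_x \left(\frac{x^3 + Ax + B}{p}\right)$, checks that the two counts add to $2(p+1)$ (so the traces are negatives of each other and obey the Hasse bound), and checks the "only one quadratic twist" claim by exhibiting the $\mathbb{F}_p$-isomorphism $(x, y) \mapsto (u^2 x, u^3 y)$ between $E_{\delta_2}$ and $E_{\delta_1}$, where $u^2 = \delta_1/\delta_2$. The field $p = 31$, the curve $y^2 = x^3 + 7x + 6$ and all helper names are mine.

```python
# Added example, not from Smith's slides: count F_p-points on E : y^2 = x^3 + Ax + B and
# on its quadratic twist E_delta : y^2 = x^3 + delta^2 A x + delta^3 B, check the slide's
# relation #E(F_p) + #E_delta(F_p) = 2(p + 1) (equivalently t_{E_delta} = -t_E), and check
# that two choices of nonsquare delta give F_p-isomorphic twists. Parameters are constructed.

def legendre(a, p):
    """Legendre symbol (a/p) in {0, 1, -1} via Euler's criterion."""
    a %= p
    return 0 if a == 0 else (1 if pow(a, (p - 1) // 2, p) == 1 else -1)

def count_points(A, B, p):
    """#E(F_p) including O: each x contributes 1 + (f(x)/p) points."""
    return p + 1 + sum(legendre(x ** 3 + A * x + B, p) for x in range(p))

def trace(A, B, p):
    """t with #E(F_p) = p + 1 - t."""
    return p + 1 - count_points(A, B, p)

def nonsquares(p):
    return [d for d in range(2, p) if legendre(d, p) == -1]

def twist(A, B, delta, p):
    """Coefficients of E_delta from the slide."""
    return (delta * delta * A) % p, (delta ** 3 * B) % p

def twist_relation_holds(A, B, p):
    """Checks #E + #E_delta = 2(p+1), t_{E_delta} = -t_E and the Hasse bound |t| <= 2 sqrt(p)."""
    At, Bt = twist(A, B, nonsquares(p)[0], p)
    nE, nT = count_points(A, B, p), count_points(At, Bt, p)
    t = trace(A, B, p)
    return nE + nT == 2 * (p + 1) and trace(At, Bt, p) == -t and t * t <= 4 * p

def sqrt_mod(a, p):
    """A square root of a in F_p by brute force (None if a is a nonsquare)."""
    return next((u for u in range(p) if u * u % p == a % p), None)

def twists_are_isomorphic(A, B, d1, d2, p):
    """For nonsquares d1, d2, d1/d2 = u^2 is a square, and (x, y) -> (u^2 x, u^3 y)
    is an F_p-isomorphism E_{d2} -> E_{d1}; verified here on every point of E_{d2}(F_p)."""
    u = sqrt_mod(d1 * pow(d2, p - 2, p), p)
    if u is None:
        return False
    A1, B1 = twist(A, B, d1, p)
    A2, B2 = twist(A, B, d2, p)
    on = lambda Ac, Bc, x, y: (y * y - (x ** 3 + Ac * x + Bc)) % p == 0
    pts2 = [(x, y) for x in range(p) for y in range(p) if on(A2, B2, x, y)]
    return all(on(A1, B1, u * u * x % p, u ** 3 * y % p) for (x, y) in pts2)

if __name__ == "__main__":
    p, A, B = 31, 7, 6                        # E2 from the slides
    d1, d2 = nonsquares(p)[:2]
    print(count_points(A, B, p), count_points(*twist(A, B, d1, p), p))   # these sum to 64
    print(twist_relation_holds(A, B, p), twists_are_isomorphic(A, B, d1, d2, p))
```

For a real curve choice the same computation with a proper point-counting algorithm (the Legendre sum is exponential in $\log p$) is how one checks that both $\#E(\mathbb{F}_q)$ and $\#E'(\mathbb{F}_q)$ are acceptable, which matters for implementations whose inputs are not validated to lie on $E$.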
3: Isogenies
Isogenies
An isogeny is a nonzero homomorphism.
Isogenies have two very important properties:
Isogenies are geometrically surjective (they are surjective over $\overline{\mathbb{F}}_q$, but not necessarily over finite extensions of $\mathbb{F}_q$!)
Isogenies have finite kernel (they are almost isomorphisms)
$\mathbb{F}_q$-isogenies $\phi : E_1 \to E_2$ map DLPs in $E_1(\mathbb{F}_q)$ to DLPs in $E_2(\mathbb{F}_q)$.
If $G$ is a prime-order subgroup of $E_1(\mathbb{F}_q)$, then either
$\ker \phi \cap G = \{O_E\}$ and then $\phi(G) \cong G$ (the general case), or
$G \subset \ker \phi$, and then $\phi(G) = O_E$ (unlikely).
...Isogenies tend to give us isomorphisms between cryptographic problems.
General isogenies
What do isogenies look like in general?
$$\phi : (x, y) \longmapsto \left( \phi_x(x)^{p^i},\ \frac{y^{p^i}}{\lambda}\,\phi_x'(x)^{p^i} \right)$$
where
$\phi_x(x)$ is in $\mathbb{F}_q(x)$; its denominator defines the kernel of $\phi$.
$\lambda$ is a “twisting factor” in $\mathbb{F}_q$. ($\phi$ is normalized if $\lambda = 1$.)
$p^i$ is the inseparable degree of $\phi$.
Quotient isogenies
Theorem: Isogenies are determined (up to isomorphism) by their kernels: if $\phi : E \to E'$ and $\psi : E \to E''$ are isogenies with $\ker \phi = \ker \psi$, then $E'$ and $E''$ are isomorphic (or twists).
If $S \subset E$ is a finite subgroup defined over $\mathbb{F}_q$, then there exists a quotient curve $E/S$ over $\mathbb{F}_q$, and the quotient map $E \to E/S$ is an $\mathbb{F}_q$-isogeny.
Vélu’s formulæ compute the normalized quotient $\phi : E \longrightarrow E' = E/S$.
Isogenies of degree $d$ are often called $d$-isogenies.
Example: 2-isogenies and 3-isogenies
The curve $E : y^2 = x(x^2 + Cx + D)$ has a point $(0, 0)$ of order 2.
Vélu: $E \longrightarrow E/\langle (0, 0) \rangle : y^2 = x(x^2 - 2Cx + (C^2 - 4D))$:
$$(x, y) \longmapsto \left( \frac{x^2 + Cx + D}{x},\ y\,\frac{x^2 - D}{x^2} \right)$$
The curve $E : y^2 = x^3 + E(x + 1)^2$ has 3-torsion points $(0, \pm\sqrt{E})$.
Vélu: $E \longrightarrow E/\langle (0, \pm\sqrt{E}) \rangle : y^2 = x^3 + Ex^2 - 18Ex - (16E^2 + 27E)$:
$$(x, y) \longmapsto \left( \frac{x^3 + 4Ex + 4E}{x^2},\ y\,\frac{x^3 - 4Ex - 8E}{x^3} \right)$$
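Added example (not from Smith's slides): both Vélu maps on this slide can be exercised over a small prime field, which also illustrates the kernel and degree statements of the earlier isogeny slides and, ahead of section 4, Tate's theorem that $\mathbb{F}_q$-isogenous curves have the same number of $\mathbb{F}_q$-points. The code below, written for this transcript, enumerates $E(\mathbb{F}_p)$, pushes every point through the slide's formulas and checks that the images lie on the stated quotient curve, that only the kernel points go to $O$, that the image of $E(\mathbb{F}_p)$ has $\#E(\mathbb{F}_p)/\#\ker(\mathbb{F}_p)$ elements (as for any group homomorphism), and that $E$ and $E/S$ have equal point counts. The prime $p = 31$, the parameters $C = 2$, $D = 3$ and $e = 4$ (the slide's coefficient $E$, renamed to avoid clashing with the curve), and the helper names are mine.

```python
# Added example, not from Smith's slides: evaluate the two Vélu maps from the slide over a
# prime field F_p and check (i) every point of E is sent to a point of the stated quotient
# curve, (ii) exactly the kernel points are sent to O, (iii) the image of E(F_p) has
# #E(F_p) / #ker(F_p) points, as a group homomorphism requires, and (iv) E and E/S have
# the same number of F_p-points, which isogenous curves must (Tate's theorem, last section).
# p, C, D and e are constructed parameters; None stands for the point at infinity O.

def inv(a, p):
    return pow(a % p, p - 2, p)

def points(f, p):
    """All affine F_p-points of y^2 = f(x), by brute force."""
    return [(x, y) for x in range(p) for y in range(p) if (y * y - f(x)) % p == 0]

def velu_2(C, D, p):
    """E : y^2 = x(x^2 + Cx + D) -> E/<(0,0)> : y^2 = x(x^2 - 2Cx + (C^2 - 4D))."""
    f  = lambda x: x * (x * x + C * x + D)
    f2 = lambda x: x * (x * x - 2 * C * x + (C * C - 4 * D))
    def phi(P):
        x, y = P
        if x == 0:                    # the kernel point (0,0) goes to O
            return None
        return ((x * x + C * x + D) * inv(x, p) % p,
                y * (x * x - D) * inv(x * x, p) % p)
    return f, f2, phi

def velu_3(e, p):
    """E : y^2 = x^3 + e(x+1)^2 -> E/<(0, sqrt e)> : y^2 = x^3 + e x^2 - 18e x - (16e^2 + 27e)."""
    f  = lambda x: x ** 3 + e * (x + 1) ** 2
    f2 = lambda x: x ** 3 + e * x * x - 18 * e * x - (16 * e * e + 27 * e)
    def phi(P):
        x, y = P
        if x == 0:                    # the kernel points (0, +-sqrt e) go to O
            return None
        return ((x ** 3 + 4 * e * x + 4 * e) * inv(x * x, p) % p,
                y * (x ** 3 - 4 * e * x - 8 * e) * inv(x ** 3, p) % p)
    return f, f2, phi

def check_isogeny(f, f2, phi, p):
    """Run checks (i)-(iv) above and return the findings."""
    src, dst = points(f, p), points(f2, p)
    dst_set = set(dst)
    images = [phi(P) for P in src]
    kernel = [P for P, Q in zip(src, images) if Q is None]
    n_src, n_ker = len(src) + 1, len(kernel) + 1          # count O on both sides
    return {
        "images_on_target": all(Q in dst_set for Q in images if Q is not None),
        "kernel_size": n_ker,
        "image_size": len(set(images) | {None}),           # image of E(F_p), O included
        "expected_image_size": n_src // n_ker,
        "same_point_count": len(src) == len(dst),
    }

def all_checks_pass(f, f2, phi, p):
    r = check_isogeny(f, f2, phi, p)
    return (r["images_on_target"] and r["same_point_count"]
            and r["image_size"] == r["expected_image_size"])

if __name__ == "__main__":
    p = 31
    print(check_isogeny(*velu_2(2, 3, p), p))   # kernel_size 2
    print(check_isogeny(*velu_3(4, p), p))      # e = 4 is a square mod 31, so kernel_size 3
```

With a nonsquare $e$ the kernel $\{O, (0, \pm\sqrt{e})\}$ is still a Galois-stable subgroup, so the 3-isogeny is still defined over $\mathbb{F}_p$, but only $O$ of the kernel is rational and the map becomes injective on $E(\mathbb{F}_p)$; the same checks pass with `expected_image_size` equal to $\#E(\mathbb{F}_p)$.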
Factorization of isogenies
Let $\phi : E \to E'$ be an isogeny of degree $d = \prod_{i=1}^{n} d_i$, with each of the $d_i$ prime (but not necessarily distinct).
Theorem: there exist elliptic curves $E_1, \ldots, E_{n-1}$ and isogenies
$$\phi_1 : E =: E_0 \longrightarrow E_1,\quad \phi_2 : E_1 \longrightarrow E_2,\quad \ldots,\quad \phi_{n-1} : E_{n-2} \longrightarrow E_{n-1},\quad \phi_n : E_{n-1} \longrightarrow E_n := E'$$
such that each $\phi_i$ has degree $d_i$, and
$$\phi = \phi_n \circ \cdots \circ \phi_1.$$
Caveats:
The $E_i$ and $\phi_i$ are generally only defined over some extension of $\mathbb{F}_q$;
The $E_i$ and $\phi_i$ are not uniquely determined (even up to isomorphism).
The dual isogeny
If $\phi : E_1 \to E_2$ is an isogeny, then there exists a dual isogeny $\hat{\phi} : E_2 \to E_1$ such that
$$\hat{\phi} \circ \phi = [\deg \phi].$$
$\ker \hat{\phi} = \phi(E_1[\deg \phi])$. If $\phi$ is separable, then $\hat{\phi}(P) = \sum_{\phi(Q) = P} Q$.
Existence of an isogeny between elliptic curves is an equivalence relation.
Symmetry: there exists an isogeny $E_1 \to E_2$ iff there exists an isogeny $E_2 \to E_1$: use the dual (we say that $E_1$ and $E_2$ are isogenous).
Reflexivity: there exists an isogeny $E \to E$ for all $E$: for example, $[1]$.
Transitivity: if there exist isogenies $E_1 \to E_2$ and $E_2 \to E_3$, then there exists an isogeny $E_1 \to E_3$: use composition.
The isogeny class of $E$ is the set of all elliptic curves isogenous to $E$.
4: Metaphysics again
Endomorphisms and isogenies
Isogeny structures are deeply connected to endomorphism structures.
For example: Frobenius satisfies a quadratic characteristic polynomial.
$$P(\pi) = 0 \quad\text{where}\quad P(X) = X^2 - t_E X + q \quad\text{with}\quad |t_E| \le 2\sqrt{q}.$$
(This is central to point counting, because $P(1) = \#E(\mathbb{F}_q)$.) A priori, the trace $t_E$ depends on the curve.
$$\mathbb{Z}[X]/(X^2 - t_E X + q) \cong \mathbb{Z}[\pi_E] \subseteq \mathrm{End}(E).$$
Tate’s theorem: $E$ and $E'$ are $\mathbb{F}_q$-isogenous iff $t_E = t_{E'}$. The trace (and $\#E(\mathbb{F}_q)$) is an isogeny class invariant.
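Added example (not from Smith's slides): the characteristic polynomial of Frobenius does more than give $\#E(\mathbb{F}_q) = P(1)$; it fixes the point count over every extension, which is the computational content of $P(\pi) = 0$ and connects back to the Frobenius example of section 1. The code below, written for this transcript, computes $t_E$ for $E : y^2 = x^3 + Ax + B$ over $\mathbb{F}_p$ from the $\mathbb{F}_p$-point count, then counts $E(\mathbb{F}_{p^2})$ by brute force in a hand-built model of $\mathbb{F}_{p^2} = \mathbb{F}_p[s]/(s^2 - n)$ ($n$ a nonsquare) and checks it against $p^2 + 1 - (t_E^2 - 2p)$, the value forced by $P$ since $\pi^2$ has roots $\alpha^2, \beta^2$ with $\alpha^2 + \beta^2 = t_E^2 - 2p$. This goes one step beyond the slide; the construction of $\mathbb{F}_{p^2}$, the prime $p = 31$, the curve and the helper names are mine.

```python
# Added example, not from Smith's slides: compute the Frobenius trace t_E of
# E : y^2 = x^3 + Ax + B over F_p from P(1) = #E(F_p), then check a consequence of
# P(pi) = 0 that goes beyond the slide: if alpha, beta are the roots of
# P(X) = X^2 - t_E X + p, then pi^2 has characteristic polynomial X^2 - (t^2 - 2p) X + p^2,
# so #E(F_{p^2}) = p^2 + 1 - (t_E^2 - 2p). F_{p^2} is modelled as F_p[s]/(s^2 - n) for a
# nonsquare n (an assumed construction); A, B, p are constructed parameters.

def legendre(a, p):
    a %= p
    return 0 if a == 0 else (1 if pow(a, (p - 1) // 2, p) == 1 else -1)

def count_fp(A, B, p):
    """#E(F_p) = P(1): p + 1 + sum over x of (x^3 + Ax + B / p)."""
    return p + 1 + sum(legendre(x ** 3 + A * x + B, p) for x in range(p))

def trace(A, B, p):
    return p + 1 - count_fp(A, B, p)

class Fp2:
    """a + b*s in F_{p^2} = F_p[s]/(s^2 - n), n a nonsquare mod p."""
    def __init__(self, a, b, p, n):
        self.a, self.b, self.p, self.n = a % p, b % p, p, n
    def __add__(self, o):
        return Fp2(self.a + o.a, self.b + o.b, self.p, self.n)
    def __mul__(self, o):
        return Fp2(self.a * o.a + self.n * self.b * o.b,
                   self.a * o.b + self.b * o.a, self.p, self.n)
    def __pow__(self, k):
        r, base = Fp2(1, 0, self.p, self.n), self
        while k:                      # square-and-multiply
            if k & 1:
                r = r * base
            base = base * base
            k >>= 1
        return r
    def is_zero(self):
        return self.a == 0 and self.b == 0
    def is_one(self):
        return self.a == 1 and self.b == 0

def count_fp2(A, B, p):
    """#E(F_{p^2}) by brute force; z != 0 is a square in F_{p^2} iff z^((p^2-1)/2) = 1."""
    n = next(d for d in range(2, p) if legendre(d, p) == -1)
    a_, b_ = Fp2(A, 0, p, n), Fp2(B, 0, p, n)
    total = 1                         # the point at infinity
    for a in range(p):
        for b in range(p):
            x = Fp2(a, b, p, n)
            z = x * x * x + a_ * x + b_
            if z.is_zero():
                total += 1
            elif (z ** ((p * p - 1) // 2)).is_one():
                total += 2
    return total

def charpoly_predicts_fp2(A, B, p):
    """True iff #E(F_{p^2}) equals the value forced by the characteristic polynomial."""
    t = trace(A, B, p)
    return count_fp2(A, B, p) == p * p + 1 - (t * t - 2 * p)

if __name__ == "__main__":
    p, A, B = 31, 7, 6                # E2 from the slides
    print(trace(A, B, p), charpoly_predicts_fp2(A, B, p))
```

The same identity is what lets an implementation decide, from $t_E$ alone, whether an embedding-degree or extension-field attack condition applies to a curve, without ever enumerating points over the extension.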
The class group structure
Isogenies from $E$ to other curves (up to isomorphism) correspond to ideals in $\mathrm{End}(E)$.
If $\phi$ corresponds to $(\alpha_1, \alpha_2) \subset \mathrm{End}(E)$, then $\ker \phi = \ker \alpha_1 \cap \ker \alpha_2$.
Endomorphisms of $E$ (up to isomorphism) correspond to principal ideals in $\mathrm{End}(E)$.
The ideal class group of $\mathrm{End}(E)$ acts on the isogeny class of $E$.