isolated curves and cryptographyreferencesi paul t. bateman and roger a. horn.a heuristic asymptotic...

Isolated Curves and Cryptography

Travis Scholl

University of California, Irvine

March 23, 2019

Elliptic Curve Discrete Log Problem (ECDLP)

Given an elliptic curve E/Fp and points P,Q ∈ E(Fp), find k ∈ Zsuch that Q = kP .

If ϕ : E → E′ is an isogeny of elliptic curves and P,Q ∈ E(Fp),then

Q = kP ⇒ ϕ(Q) = kϕ(P ).

• E

Isogeny Class

•

•

•

••

••

•

•

•

• E

Isogeny Class

Weak Curves

•

•

•

••

••

•

•

•

• E

Isogeny Class

Weak Curves

E′•

•

•

••

••

•

•

•

ϕ

Isogeny Class

• E

DefinitionE is super-isolated if its isogeny class contains only E.

GoalFind super-isolated curves.

Introduction

Background

Construction

Generalization

Let I be the isogeny class of E/Fp, and assume that E is ordinary.

Facts

• EndE is an order O in a quadratic imaginary field K.

• O ⊇ Z[π] where π is the Frobenius endomorphism.

• # {E′ ∈ I : EndE′ ∼= O} is the class number of O.

Example

I

Z[i]Z[3i] Z[2i]

Z[6i]

E •

• • •

• • • •

Figure: The isogeny class of E : y2 = x3 + x over F37 partitioned intoendomorphism classes. Here π = 1 + 6i.

TheoremE is super-isolated if and only if Z[π] = OK and h(K) = 1.

Example

Let E/F5 be the curve y2 = x3 + 2x. Then π = 2 + i, so E issuper-isolated.

TheoremE is super-isolated if and only if Z[π] = OK and h(K) = 1.

Example

Let E/F5 be the curve y2 = x3 + 2x. Then π = 2 + i, so E issuper-isolated.

Introduction

Background

Construction

Generalization

Complex Multiplication (CM) Method

(1) Find an integer A ∈ Z such that p = A2 + 1 is a large prime.

(2) Choose λ ∈ Fp such that the elliptic curve E given by y2 =x3 + λx over Fp has A2 − 2A+ 2 points.

This works because the Frobenius of E is π = A+ i so Z[π] = Z[i].

QuestionHow many A are there?

Complex Multiplication (CM) Method

(1) Find an integer A ∈ Z such that p = A2 + 1 is a large prime.

(2) Choose λ ∈ Fp such that the elliptic curve E given by y2 =x3 + λx over Fp has A2 − 2A+ 2 points.

This works because the Frobenius of E is π = A+ i so Z[π] = Z[i].

QuestionHow many A are there?

Complex Multiplication (CM) Method

(1) Find an integer A ∈ Z such that p = A2 + 1 is a large prime.

(2) Choose λ ∈ Fp such that the elliptic curve E given by y2 =x3 + λx over Fp has A2 − 2A+ 2 points.

This works because the Frobenius of E is π = A+ i so Z[π] = Z[i].

QuestionHow many A are there?

Open Question

#{A ∈ Z : A2 + 1 is prime

} ?=∞.

Conjecture

#{A ∈ Z : A2 + 1 is prime, A ≤M

}= Θ

( √M

logM

).

Heuristic

{E/Fp : E super-isolated, p ≤M

}= Θ

( √M

logM

).

Open Question

#{A ∈ Z : A2 + 1 is prime

} ?=∞.

Conjecture

#{A ∈ Z : A2 + 1 is prime, A ≤M

}= Θ

( √M

logM

).

Heuristic

{E/Fp : E super-isolated, p ≤M

}= Θ

( √M

logM

).

Open Question

#{A ∈ Z : A2 + 1 is prime

} ?=∞.

Conjecture

#{A ∈ Z : A2 + 1 is prime, A ≤M

}= Θ

( √M

logM

).

Heuristic

{E/Fp : E super-isolated, p ≤M

}= Θ

( √M

logM

).

Introduction

Background

Construction

Generalization

DefinitionAn abelian variety A/Fq is super-isolated if #I = 1.

Theorem ([Wat69])

Let A/Fq be a simple ordinary abelian variety, π a root of thecharacteristic polynomial of the Frobenius endomorphism, and letK = Q(π). Then A is super-isolated if and only if OK = Z[π, π]and K has class number 1.

DefinitionAn abelian variety A/Fq is super-isolated if #I = 1.

Theorem ([Wat69])

Let A/Fq be a simple ordinary abelian variety, π a root of thecharacteristic polynomial of the Frobenius endomorphism, and letK = Q(π). Then A is super-isolated if and only if OK = Z[π, π]and K has class number 1.

Example (Dimension 4)

The Jacobian of the genus 4 hyperelliptic curve over F2 given by

y2 + (x5 + x3 + 1)y = x9 + x6

is super-isolated. The minimal polynomial of π is

x8 + 3x7 + 7x6 + 13x5 + 19x4 + 26x3 + 28x2 + 24x+ 16.

http://www.lmfdb.org/Variety/Abelian/Fq/4/2/d_h_n_t

Heuristic (S.)

Let S(M) denote the number of simple ordinary super-isolatedabelian varieties of dimension g over Fq with q ≤M . Then

S(M) =

{Θ( √

MlogM

), if g = 1 (related to [BH62])

Θ (log logM) , if g = 2 (related to [CP05]).

Theorem (S.)

If g ≥ 3, then S(M) = O(1).

IdeasLooking for super-isolated curves reduces to finding Weilq-numbers π such that Z[π, π] is maximal. We instead count Weilgenerators in a CM field K, which are π ∈ K such that

• ππ ∈ Z• Z[π, π] = OK

To count Weil generators in a CM field K of degree 2g, we splitinto cases by g.

g = 1

Here OK = Z[ω], and we are counting a ∈ Z with h(a± ω) ≤ N .

g = 2

Here W corresponds to some proportion of O×F .

g ≥ 3

Here W essentially corresponds to integer points on a degree gcurve with g distinct points at infinity, so we may apply Siegel’stheorem.

Theorem (S.)

Let K be a CM field of degree 2g, and let W be the set of Weilgenerators in K. Then

# {α ∈W : h(α) ≤ N} =

4N +O(1) g = 1

ρ logN +O(1) g = 2 and W 6= ∅O(1) g ≥ 3.

NoteThis is a theorem because it does not include the word “prime”.

Thank you for listening.

References I

Paul T. Bateman and Roger A. Horn. A heuristic asymptoticformula concerning the distribution of prime numbers. Math.Comp., 16:363–367, 1962.

Richard Crandall and Carl Pomerance. Prime numbers. Springer,New York, second edition, 2005. A computational perspective.

The LMFDB Collaboration. The l-functions and modular formsdatabase. http://www.lmfdb.org, 2013. [Online; accessed 16September 2013].

William C. Waterhouse. Abelian varieties over finite fields. Ann.Sci. Ecole Norm. Sup. (4), 2:521–560, 1969.