The Q-curve construction for endomorphism-accelerated elliptic curves
We give a detailed account of the use of \QQ-curve reductions to
construct elliptic curves over \FF_{p^2} with efficiently computable
endomorphisms, which can be used to accelerate elliptic curve-based
cryptosystems in the same way as Gallant--Lambert--Vanstone (GLV) and
Galbraith--Lin--Scott (GLS) endomorphisms. Like GLS (which is a degenerate case
of our construction), we offer the advantage over GLV of selecting from a much
wider range of curves, and thus finding secure group orders when p is fixed
for efficient implementation. Unlike GLS, we also offer the possibility of
constructing twist-secure curves. We construct several one-parameter families
of elliptic curves over \FF_{p^2} equipped with efficient
endomorphisms for every p > 3, and exhibit examples of
twist-secure curves over \FF_{p^2} for the efficient Mersenne prime .
Comment: To appear in the Journal of Cryptology. arXiv admin note: text
overlap with arXiv:1305.540
A refinement of Koblitz's conjecture
Let E be an elliptic curve over the number field Q. In 1988, Koblitz
conjectured an asymptotic for the number of primes p for which the cardinality
of the group of F_p-points of E is prime. However, the constant occurring in
his asymptotic does not take into account that the distributions of the
|E(F_p)| need not be independent modulo distinct primes. We shall describe a
corrected constant. We also take the opportunity to extend the scope of the
original conjecture to ask how often |E(F_p)|/t is prime for a fixed positive
integer t, and to consider elliptic curves over arbitrary number fields.
Several worked-out examples are provided to supply numerical evidence for the
new conjecture.
Families of fast elliptic curves from Q-curves
We construct new families of elliptic curves over \FF_{p^2} with
efficiently computable endomorphisms, which can be used to accelerate elliptic
curve-based cryptosystems in the same way as Gallant-Lambert-Vanstone (GLV) and
Galbraith-Lin-Scott (GLS) endomorphisms. Our construction is based on reducing
\QQ-curves (curves over quadratic number fields without complex
multiplication, but with isogenies to their Galois conjugates) modulo inert
primes. As a first application of the general theory we construct, for every
p > 3, two one-parameter families of elliptic curves over \FF_{p^2}
equipped with endomorphisms that are faster than doubling. Like GLS (which
appears as a degenerate case of our construction), we offer the advantage over
GLV of selecting from a much wider range of curves, and thus finding secure
group orders when p is fixed. Unlike GLS, we also offer the possibility of
constructing twist-secure curves. Among our examples are prime-order curves
equipped with fast endomorphisms, with almost-prime-order twists, over
\FF_{p^2} for and
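A worked illustration of the mechanism the two Q-curve abstracts above refer to, added here and not taken from either paper: the simplest GLV instance, the j-invariant-0 curve y^2 = x^3 + b over F_p with p = 1 (mod 3), where phi(x, y) = (beta*x, y), beta a primitive cube root of unity mod p, is an endomorphism costing one field multiplication. The script searches for a toy prime-order curve, finds the eigenvalue lambda of phi (a root of lambda^2 + lambda + 1 mod n), splits a scalar k as k = k1 + k2*lambda with k1, k2 roughly the size of sqrt(n), and checks that the interleaved computation [k1]P + [k2]phi(P) agrees with plain double-and-add. It also returns the order of the quadratic twist, 2p + 2 - #E, the quantity twist-security is about. The Q-curve construction itself, over F_{p^2}, is not implemented; all parameters are constructed toy values around p = 1000, and nothing here is constant-time or secure.

```python
"""Toy GLV scalar multiplication on y^2 = x^3 + b over F_p with p = 1 (mod 3).
Added example, not code from the papers listed above; all parameters are
constructed toy values (p around 1000), insecure and not constant-time."""
from fractions import Fraction
from math import isqrt

INF = None  # point at infinity

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))

def curve_order(p, b):
    """#E(F_p) for y^2 = x^3 + b from the Legendre symbols of x^3 + b (toy sizes only)."""
    chi = (pow(x * x * x + b, (p - 1) // 2, p) for x in range(p))  # 0, 1 or p-1 (= -1)
    return 1 + sum(1 + (1 if c == 1 else -1 if c else 0) for c in chi)  # +1: infinity

def candidate_bs(p):
    """Only a non-square, non-cube b can give prime order: a square b puts the order-3
    points (0, +-sqrt(b)) on E, a cube b gives a 2-torsion point (x0, 0). Such b form
    two classes modulo sixth powers, represented by g and g^5 for any such g."""
    g = next(g for g in range(2, p)
             if pow(g, (p - 1) // 2, p) != 1 and pow(g, (p - 1) // 3, p) != 1)
    return g, pow(g, 5, p)

def find_prime_order_curve(p_start):
    """Smallest prime p >= p_start with p = 1 (mod 3) and a b giving prime #E(F_p)."""
    for p in range(p_start, 10 * p_start):
        if p % 3 == 1 and is_prime(p):
            for b in candidate_bs(p):
                n = curve_order(p, b)
                if is_prime(n):
                    return p, b, n

def base_point(p, b):
    """Any affine point: in a group of prime order every one is a generator."""
    return next((x, y) for x in range(p) for y in range(p) if (y * y - x ** 3 - b) % p == 0)

def ec_add(P, Q, p):
    if P is INF or Q is INF:
        return Q if P is INF else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF
    m = (3 * x1 * x1 * pow(2 * y1, -1, p) if x1 == x2  # tangent slope, a = 0
         else (y2 - y1) * pow(x2 - x1, -1, p)) % p
    x3 = (m * m - x1 - x2) % p
    return (x3, (m * (x1 - x3) - y1) % p)

def ec_mul(k, P, p):
    """Plain left-to-right double-and-add for k >= 0: the baseline GLV improves on."""
    R = INF
    for bit in bin(k)[2:]:
        R = ec_add(R, R, p)
        if bit == "1":
            R = ec_add(R, P, p)
    return R

def endomorphism(P, n, p):
    """beta (primitive cube root of unity mod p) and lambda with (beta*x, y) = [lambda]P."""
    beta = next(r for r in (pow(g, (p - 1) // 3, p) for g in range(2, p)) if r != 1)
    target = (beta * P[0] % p, P[1])  # phi(P); lambda^2 + lambda + 1 = 0 (mod n)
    lam = next(l for l in range(2, n) if (l * l + l + 1) % n == 0 and ec_mul(l, P, p) == target)
    return beta, lam

def glv_basis(n, lam):
    """Two short vectors (a, b) with a + b*lam = 0 (mod n), read off the extended
    Euclidean algorithm on (n, lam) as in Gallant-Lambert-Vanstone."""
    seq = [(n, 0), (lam, 1)]  # (r_i, t_i) with r_i = s_i*n + t_i*lam
    while seq[-1][0] != 0:
        (r0, t0), (r1, t1) = seq[-2], seq[-1]
        seq.append((r0 % r1, t0 - r0 // r1 * t1))
    l = max(i for i, (r, _) in enumerate(seq) if r * r >= n)  # last r_l >= sqrt(n)
    cands = [(seq[i][0], -seq[i][1]) for i in (l, l + 2) if i < len(seq)]
    return (seq[l + 1][0], -seq[l + 1][1]), min(cands, key=lambda v: v[0] ** 2 + v[1] ** 2)

def glv_decompose(k, n, lam):
    """k = k1 + k2*lam (mod n) with k1, k2 about sqrt(n): Babai rounding in the short basis."""
    (a1, b1), (a2, b2) = glv_basis(n, lam)
    det = a1 * b2 - a2 * b1
    c1, c2 = round(Fraction(k * b2, det)), round(Fraction(-k * b1, det))
    return k - c1 * a1 - c2 * a2, -c1 * b1 - c2 * b2

def glv_mul(k, P, beta, lam, n, p):
    """[k]P = [k1]P + [k2]phi(P), interleaved: one doubling chain of about half the length."""
    k1, k2 = glv_decompose(k % n, n, lam)
    Q = (beta * P[0] % p, P[1])  # phi(P): one field multiplication
    P, Q = [(T[0], -T[1] % p) if s < 0 else T for s, T in ((k1, P), (k2, Q))]
    k1, k2 = abs(k1), abs(k2)
    table = {(1, 0): P, (0, 1): Q, (1, 1): ec_add(P, Q, p)}
    R = INF
    for i in range(max(k1.bit_length(), k2.bit_length()) - 1, -1, -1):
        R = ec_add(R, R, p)
        bits = ((k1 >> i) & 1, (k2 >> i) & 1)
        if bits != (0, 0):
            R = ec_add(R, table[bits], p)
    return R

def demo(p_start=1000):
    """Toy curve, eigenvalue, scalar split, GLV result checked against plain double-and-add."""
    p, b, n = find_prime_order_curve(p_start)
    P, k = base_point(p, b), 123456789
    beta, lam = endomorphism(P, n, p)
    return p, b, n, 2 * p + 2 - n, lam, glv_decompose(k % n, n, lam), \
        glv_mul(k, P, beta, lam, n, p) == ec_mul(k % n, P, p)
```

Two things a practitioner can take from running demo(). First, b has to be a non-square and a non-cube mod p, otherwise the curve carries a 3-torsion or a 2-torsion point and cannot have prime order. Second, because b is then a non-square and twisting by a non-square d replaces b with d^3 b, which is a square, the quadratic twist always contains the order-3 points (0, +-sqrt(d^3 b)): the twist order returned is always a multiple of 3, so a j = 0 GLV curve can at best have an almost-prime twist with cofactor at least 3. That rigidity of a single fixed family is the kind of constraint the wider choice of curves offered by GLS and by the Q-curve families is meant to relax.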
On singular moduli that are S-units
Recently Yu. Bilu, P. Habegger and L. Kühne proved that no singular modulus
can be a unit in the ring of algebraic integers. In this paper we study for
which sets S of prime numbers there is no singular modulus that is an S-unit.
Here we prove that when the set S contains only primes congruent to 1 modulo 3
then no singular modulus can be an S-unit. We then give some remarks on the
general case and we study the norm factorizations of a special family of
singular moduli.
Comment: Version changed according to the referee's comments. The final
version appears in Manuscripta Mathematica,
https://doi.org/10.1007/s00229-020-01230-
Artin's primitive root conjecture - a survey
This is an expanded version of a write-up of a talk given in the fall of 2000
in Oberwolfach. A large part of it is intended to be understandable by
non-number theorists with a mathematical background. The talk covered some of
the history, results and ideas connected with Artin's celebrated primitive root
conjecture dating from 1927. In the update several new results established
after 2000 are also discussed.
Comment: 87 pages, 512 references, to appear in Integer
On singular moduli for arbitrary discriminants
Let d1 and d2 be discriminants of distinct quadratic imaginary orders O_d1
and O_d2 and let J(d1,d2) denote the product of differences of CM j-invariants
with discriminants d1 and d2. In 1985, Gross and Zagier gave an elegant formula
for the factorization of the integer J(d1,d2) in the case that d1 and d2 are
relatively prime and discriminants of maximal orders. To compute this formula,
they first reduce the problem to counting the number of simultaneous embeddings
of O_d1 and O_d2 into endomorphism rings of supersingular curves, and then
solve this counting problem.
Interestingly, this counting problem also appears when computing class
polynomials for invariants of genus 2 curves. However, in this application, one
must consider orders O_d1 and O_d2 that are non-maximal. Motivated by the
application to genus 2 curves, we generalize the methods of Gross and Zagier
and give a computable formula for v_p(J(d1,d2)) for any distinct pair of
discriminants d1, d2 and any prime p > 2. In the case that d1 is squarefree and d2
is the discriminant of any quadratic imaginary order, our formula can be stated
in a simple closed form. We also give a conjectural closed formula when the
conductors of d1 and d2 are relatively prime.
Comment: 33 pages. Changed the abstract and made small changes to the
introduction. Reorganized section 3.2, 4, and proof of Proposition 8.1. Some
remarks added to section