Drinfeld modules may not be for isogeny based cryptography

Elliptic curves play a prominent role in cryptography. For instance, the hardness of the elliptic curve discrete logarithm problem is a foundational assumption in public key cryptography. Drinfeld modules are positive characteristic function field analogues of elliptic curves. It is natural to ponder the existence/security of Drinfeld module analogues of elliptic curve cryptosystems. But the Drinfeld module discrete logarithm problem is easy even on a classical computer. Beyond discrete logarithms, elliptic curve isogeny based cryptosystems have have emerged as candidates for post-quantum cryptography, including supersingular isogeny Diffie-Hellman (SIDH) and commutative supersingular isogeny Diffie-Hellman (CSIDH) protocols. We formulate Drinfeld module analogues of these elliptic curve isogeny based cryptosystems and devise classical polynomial time algorithms to break these Drinfeld analogues catastrophically

Hard Homogeneous Spaces from the Class Field Theory of Imaginary Hyperelliptic Function Fields

We explore algorithmic aspects of a free and transitive commutative group action coming from the class field theory of imaginary hyperelliptic function fields. Namely, the Jacobian of an imaginary hyperelliptic curve defined over $\mathbb{F}_q$ acts on a subset of isomorphism classes of Drinfeld modules. We describe an algorithm to compute the group action efficiently. This is a function field analog of the Couveignes-Rostovtsev-Stolbunov group action. Our proof-of-concept C++/NTL implementation only requires a fraction of a second on a standard computer. Also, we state a conjecture — supported by experiments — which implies that the current fastest algorithm to solve its inverse problem runs in exponential time. This action is therefore a promising candidate for the construction of Hard Homogeneous Spaces, which are the building blocks of several post-quantum cryptographic protocols. This demonstrates the relevance of using imaginary hyperelliptic curves and Drinfeld modules as an alternative to the standard setting of imaginary quadratic number fields and elliptic curves for isogeny-based cryptographic applications. Moreover, our function field setting enables the use of Kedlaya\u27s algorithm and its variants for computing the order of the group in polynomial time when $q$ is fixed. No such polynomial-time algorithm for imaginary quadratic number fields is known. For $q=2$ and parameters similar to CSIDH-512, we compute this order more than 8500 times faster than the record computation for CSIDH-512 by Beullens, Kleinjung and Vercauteren

Algorithms for computing norms and characteristic polynomials on general Drinfeld modules

We provide two families of algorithms to compute characteristic polynomials of endomorphisms and norms of isogenies of Drinfeld modules. Our algorithms work for Drinfeld modules of any rank, defined over any base curve. When the base curve is $\mathbb P^1_{\mathbb F_q}$, we do a thorough study of the complexity, demonstrating that our algorithms are, in many cases, the most asymptotically performant. The first family of algorithms relies on the correspondence between Drinfeld modules and Anderson motives, reducing the computation to linear algebra over a polynomial ring. The second family, available only for the Frobenius endomorphism, is based on a new formula expressing the characteristic polynomial of the Frobenius as a reduced norm in a central simple algebra

Isogeny graphs of superspecial abelian varieties (Theory and Applications of Supersingular Curves and Supersingular Abelian Varieties)

We define three different isogeny graphs of principally polarized superspecial abelian varieties, prove foundational results on them, and explain their role in number theory and geometry. This is background to joint work with Yevgeny Zaytman on properties of these isogeny graphs for dimension g > 1, especially the result that they are connected, but not in general Ramanujan

Koblitz's Conjecture for the Drinfeld Module

Let $E$ be an elliptic curve over the rationals without complex multiplication such that any elliptic curve $\mathbb{Q}$-isogenous to $E$ has trivial $\mathbb{Q}$-torsion. Koblitz conjectured that the number of primes less than $x$ for which $|E(\mathbb{F}_p)|$ is prime is asymptotic to $$C_E\frac{x}{(\log{x})^2}$$ for $C_E$ some constant dependent on $E.$ Miri and Murty showed that for infinitely many $p,$ $|E(\mathbb{F}_p)|$ has at most 16 prime factors using the lower bound sieve and assuming the Generalized Riemann Hypothesis. This thesis generalizes Koblitz's conjectures to a function field setting through Drinfeld modules. Let $\phi$ be a Drinfeld module of rank 2, and $\mathbb{F}_q$ a finite field with every $\mathbb{F}_q[t]$-isogeny having no $\mathbb{F}_q[t]$-torsion points and with $\text{End}_{\overline{k}}(\phi)=\mathbb{F}_q[t].$ Furthermore assume that for each monic irreducible $l\in \mathbb{F}_q[t],$ the extension generated by adjoining the $l$-torsion points of $\phi$ to $\mathbb{F}_q(t)$ is geometric. Then there exists a positive constant $C_{\phi}$ depending on $\phi$ such that there are more than $$C_{\phi}\frac{q^x}{x^2}$$ monic irreducible polynomials $P$ with degree less then $x$ such that $\chi_{\phi}(P)$ has at most 13 prime factors. To prove this result we develop the theory of Drinfeld modules and a translation of the lower bound sieve to function fields