Efficient algorithms for pairing-based cryptosystems

We describe fast new algorithms to implement recent cryptosystems based on the Tate pairing. In particular, our techniques improve pairing evaluation speed by a factor of about 55 compared to previously known methods in characteristic 3, and attain performance comparable to that of RSA in larger characteristics.We also propose faster algorithms for scalar multiplication in characteristic 3 and square root extraction over Fpm, the latter technique being also useful in contexts other than that of pairing-based cryptography

Horizontal isogeny graphs of ordinary abelian varieties and the discrete logarithm problem

Fix an ordinary abelian variety defined over a finite field. The ideal class group of its endomorphism ring acts freely on the set of isogenous varieties with same endomorphism ring, by complex multiplication. Any subgroup of the class group, and generating set thereof, induces an isogeny graph on the orbit of the variety for this subgroup. We compute (under the Generalized Riemann Hypothesis) some bounds on the norms of prime ideals generating it, such that the associated graph has good expansion properties. We use these graphs, together with a recent algorithm of Dudeanu, Jetchev and Robert for computing explicit isogenies in genus 2, to prove random self-reducibility of the discrete logarithm problem within the subclasses of principally polarizable ordinary abelian surfaces with fixed endomorphism ring. In addition, we remove the heuristics in the complexity analysis of an algorithm of Galbraith for explicitly computing isogenies between two elliptic curves in the same isogeny class, and extend it to a more general setting including genus 2.Comment: 18 page

Explicit CM-theory for level 2-structures on abelian surfaces

For a complex abelian variety $A$ with endomorphism ring isomorphic to the maximal order in a quartic CM-field $K$, the Igusa invariants $j_1(A), j_2(A),j_3(A)$ generate an abelian extension of the reflex field of $K$. In this paper we give an explicit description of the Galois action of the class group of this reflex field on $j_1(A),j_2(A),j_3(A)$. We give a geometric description which can be expressed by maps between various Siegel modular varieties. We can explicitly compute this action for ideals of small norm, and this allows us to improve the CRT method for computing Igusa class polynomials. Furthermore, we find cycles in isogeny graphs for abelian surfaces, thereby implying that the `isogeny volcano' algorithm to compute endomorphism rings of ordinary elliptic curves over finite fields does not have a straightforward generalization to computing endomorphism rings of abelian surfaces over finite fields

Cycles of Quadratic Polynomials and Rational Points on a Genus-Two Curve

It has been conjectured that for $N$ sufficiently large, there are no quadratic polynomials in $\bold Q[z]$ with rational periodic points of period $N$. Morton proved there were none with $N=4$, by showing that the genus~$2$ algebraic curve that classifies periodic points of period~4 is birational to $X_1(16)$, whose rational points had been previously computed. We prove there are none with $N=5$. Here the relevant curve has genus~$14$, but it has a genus~$2$ quotient, whose rational points we compute by performing a~$2$-descent on its Jacobian and applying a refinement of the method of Chabauty and Coleman. We hope that our computation will serve as a model for others who need to compute rational points on hyperelliptic curves. We also describe the three possible Gal$_{\bold Q}$-stable $5$-cycles, and show that there exist Gal$_{\bold Q}$-stable $N$-cycles for infinitely many $N$. Furthermore, we answer a question of Morton by showing that the genus~$14$ curve and its quotient are not modular. Finally, we mention some partial results for $N=6$

The Q-curve construction for endomorphism-accelerated elliptic curves

We give a detailed account of the use of $\mathbb{Q}$-curve reductions to construct elliptic curves over $\mathbb{F}\_{p^2}$ with efficiently computable endomorphisms, which can be used to accelerate elliptic curve-based cryptosystems in the same way as Gallant--Lambert--Vanstone (GLV) and Galbraith--Lin--Scott (GLS) endomorphisms. Like GLS (which is a degenerate case of our construction), we offer the advantage over GLV of selecting from a much wider range of curves, and thus finding secure group orders when $p$ is fixed for efficient implementation. Unlike GLS, we also offer the possibility of constructing twist-secure curves. We construct several one-parameter families of elliptic curves over $\mathbb{F}\_{p^2}$ equipped with efficient endomorphisms for every p \textgreater{} 3, and exhibit examples of twist-secure curves over $\mathbb{F}\_{p^2}$ for the efficient Mersenne prime $p = 2^{127}-1$.Comment: To appear in the Journal of Cryptology. arXiv admin note: text overlap with arXiv:1305.540