Elliptic curves with j = 0, 1728 and low embedding degree
Elliptic curves over a finite field Fq with j-invariant 0 or 1728, both supersingular and ordinary, whose embedding degree k is low are studied. In the ordinary case we give conditions characterizing such elliptic curves with fixed embedding degree with respect to a subgroup of prime order . For k = 1, 2, these conditions give parameterizations of q in terms of and two integers m, n. We show several examples of families with infinitely many curves. Similar parameterizations for k ≥ 3 need a fixed kth root of the unity in the underlying field. Moreover, when the elliptic curve admits distortion maps, an example is provided
Mazur's Conjecture and An Unexpected Rational Curve on Kummer Surfaces and their Superelliptic Generalisations
We prove the following special case of Mazur's conjecture on the topology of
rational points. Let be an elliptic curve over with
-invariant . For a class of elliptic pencils which are quadratic
twists of by quartic polynomials, the rational points on the projective
line with positive rank fibres are dense in the real topology. This extends
results obtained by Rohrlich and Kuwata-Wang for quadratic and cubic
polynomials.
For the proof, we investigate a highly singular rational curve on the Kummer
surface associated to a product of two elliptic curves over ,
which previously appeared in publications by Mestre, Kuwata-Wang and Satgé.
We produce this curve in a simpler manner by finding algebraic equations which
give a direct proof of rationality. We find that the same equations give rise
to rational curves on a class of more general surfaces extending the Kummer
construction. This leads to further applications apart from Mazur's conjecture,
for example the existence of rational points on simultaneous twists of
superelliptic curves.
Finally, we give a proof of Mazur's conjecture for the Kummer surface
without any restrictions on the -invariants of the two elliptic curves.
Comment: 14 pages, same content as published version except for added remark
acknowledging overlap with prior work by Ula
Computing Hilbert class polynomials with the Chinese Remainder Theorem
We present a space-efficient algorithm to compute the Hilbert class
polynomial H_D(X) modulo a positive integer P, based on an explicit form of the
Chinese Remainder Theorem. Under the Generalized Riemann Hypothesis, the
algorithm uses O(|D|^(1/2+o(1))log P) space and has an expected running time of
O(|D|^(1+o(1))). We describe practical optimizations that allow us to handle
larger discriminants than other methods, with |D| as large as 10^13 and h(D) up
to 10^6. We apply these results to construct pairing-friendly elliptic curves
of prime order, using the CM method.
Comment: 37 pages, corrected a typo that misstated the heuristic complexit
K3 surfaces with non-symplectic automorphisms of 2-power order
This paper concerns complex algebraic K3 surfaces with an automorphism which
acts trivially on the Neron-Severi group. Complementing a result by Vorontsov
and Kondo, we determine those K3 surfaces where the order of the automorphism
is a 2-power and equals the rank of the transcendental lattice. We also study
the arithmetic of these K3 surfaces and comment on mirror symmetry.
Comment: 19 pages, 1 figure; v3: exposition improved thanks to referee's
comment
Hard isogeny problems over RSA moduli and groups with infeasible inversion
We initiate the study of computational problems on elliptic curve isogeny
graphs defined over RSA moduli. We conjecture that several variants of the
neighbor-search problem over these graphs are hard, and provide a comprehensive
list of cryptanalytic attempts on these problems. Moreover, based on the
hardness of these problems, we provide a construction of groups with infeasible
inversion, where the underlying groups are the ideal class groups of imaginary
quadratic orders.
Recall that in a group with infeasible inversion, computing the inverse of a
group element is required to be hard, while performing the group operation is
easy. Motivated by the potential cryptographic application of building a
directed transitive signature scheme, the search for a group with infeasible
inversion was initiated in the theses of Hohenberger and Molnar (2003). Later
it was also shown to provide a broadcast encryption scheme by Irrer et al.
(2004). However, to date the only case of a group with infeasible inversion is
implied by the much stronger primitive of self-bilinear map constructed by
Yamakawa et al. (2014) based on the hardness of factoring and
indistinguishability obfuscation (iO). Our construction gives a candidate
without using iO.
Comment: Significant revision of the article previously titled "A Candidate
Group with Infeasible Inversion" (arXiv:1810.00022v1). Cleared up the
constructions by giving toy examples, added "The Parallelogram Attack" (Sec
5.3.2). 54 pages, 8 figure