Fast algorithms for computing isogenies between elliptic curves

We survey algorithms for computing isogenies between elliptic curves defined over a field of characteristic either 0 or a large prime. We introduce a new algorithm that computes an isogeny of degree $\ell$ ($\ell$ different from the characteristic) in time quasi-linear with respect to $\ell$. This is based in particular on fast algorithms for power series expansion of the Weierstrass $\wp$-function and related functions

Fast algorithms for computing isogenies between ordinary elliptic curves in small characteristic

The problem of computing an explicit isogeny between two given elliptic curves over F_q, originally motivated by point counting, has recently awaken new interest in the cryptology community thanks to the works of Teske and Rostovstev & Stolbunov. While the large characteristic case is well understood, only suboptimal algorithms are known in small characteristic; they are due to Couveignes, Lercier, Lercier & Joux and Lercier & Sirvent. In this paper we discuss the differences between them and run some comparative experiments. We also present the first complete implementation of Couveignes' second algorithm and present improvements that make it the algorithm having the best asymptotic complexity in the degree of the isogeny.Comment: 21 pages, 6 figures, 1 table. Submitted to J. Number Theor

Isogeny-based post-quantum key exchange protocols

The goal of this project is to understand and analyze the supersingular isogeny Diffie Hellman (SIDH), a post-quantum key exchange protocol which security lies on the isogeny-finding problem between supersingular elliptic curves. In order to do so, we first introduce the reader to cryptography focusing on key agreement protocols and motivate the rise of post-quantum cryptography as a necessity with the existence of the model of quantum computation. We review some of the known attacks on the SIDH and finally study some algorithmic aspects to understand how the protocol can be implemented

Computing cardinalities of Q-curve reductions over finite fields

We present a specialized point-counting algorithm for a class of elliptic curves over F\_{p^2} that includes reductions of quadratic Q-curves modulo inert primes and, more generally, any elliptic curve over F\_{p^2} with a low-degree isogeny to its Galois conjugate curve. These curves have interesting cryptographic applications. Our algorithm is a variant of the Schoof--Elkies--Atkin (SEA) algorithm, but with a new, lower-degree endomorphism in place of Frobenius. While it has the same asymptotic asymptotic complexity as SEA, our algorithm is much faster in practice.Comment: To appear in the proceedings of ANTS-XII. Added acknowledgement of Drew Sutherlan

Isogenies of Elliptic Curves: A Computational Approach

Isogenies, the mappings of elliptic curves, have become a useful tool in cryptology. These mathematical objects have been proposed for use in computing pairings, constructing hash functions and random number generators, and analyzing the reducibility of the elliptic curve discrete logarithm problem. With such diverse uses, understanding these objects is important for anyone interested in the field of elliptic curve cryptography. This paper, targeted at an audience with a knowledge of the basic theory of elliptic curves, provides an introduction to the necessary theoretical background for understanding what isogenies are and their basic properties. This theoretical background is used to explain some of the basic computational tasks associated with isogenies. Herein, algorithms for computing isogenies are collected and presented with proofs of correctness and complexity analyses. As opposed to the complex analytic approach provided in most texts on the subject, the proofs in this paper are primarily algebraic in nature. This provides alternate explanations that some with a more concrete or computational bias may find more clear.Comment: Submitted as a Masters Thesis in the Mathematics department of the University of Washingto

On the evaluation of modular polynomials

We present two algorithms that, given a prime ell and an elliptic curve E/Fq, directly compute the polynomial Phi_ell(j(E),Y) in Fq[Y] whose roots are the j-invariants of the elliptic curves that are ell-isogenous to E. We do not assume that the modular polynomial Phi_ell(X,Y) is given. The algorithms may be adapted to handle other types of modular polynomials, and we consider applications to point counting and the computation of endomorphism rings. We demonstrate the practical efficiency of the algorithms by setting a new point-counting record, modulo a prime q with more than 5,000 decimal digits, and by evaluating a modular polynomial of level ell = 100,019.Comment: 19 pages, corrected a typo in equation (8) and added equation (9