567 research outputs found
Faster computation of isogenies of large prime degree
Let be an elliptic curve, and a point in of prime order . Vélu's formulae let us compute a quotient curve and rational maps defining a quotient isogeny in -operations, where the is uniform in . This article shows how to compute , and for in , using only -operations, where the is again uniform in . As an application, this article speeds up some computations used in the isogeny-based cryptosystems CSIDH and CSURF.
Fast algorithms for computing isogenies between elliptic curves
We survey algorithms for computing isogenies between elliptic curves defined
over a field of characteristic either 0 or a large prime. We introduce a new
algorithm that computes an isogeny of degree ( different from the
characteristic) in time quasi-linear with respect to . This is based in
particular on fast algorithms for power series expansion of the Weierstrass
-function and related functions
Isogeny-based post-quantum key exchange protocols
The goal of this project is to understand and analyze supersingular isogeny Diffie-Hellman (SIDH), a post-quantum key exchange protocol whose security relies on the isogeny-finding problem between supersingular elliptic curves. To do so, we first introduce the reader to cryptography, focusing on key agreement protocols, and motivate the rise of post-quantum cryptography as a necessity given the existence of the quantum model of computation. We review some of the known attacks on SIDH and finally study some algorithmic aspects to understand how the protocol can be implemented.
Computing cardinalities of Q-curve reductions over finite fields
We present a specialized point-counting algorithm for a class of elliptic
curves over F_{p^2} that includes reductions of quadratic Q-curves modulo
inert primes and, more generally, any elliptic curve over F_{p^2} with a
low-degree isogeny to its Galois conjugate curve. These curves have interesting
cryptographic applications. Our algorithm is a variant of the
Schoof--Elkies--Atkin (SEA) algorithm, but with a new, lower-degree
endomorphism in place of Frobenius. While it has the same asymptotic
complexity as SEA, our algorithm is much faster in practice. Comment: To appear in the proceedings of ANTS-XII. Added acknowledgement of
Drew Sutherlan
Modular polynomials via isogeny volcanoes
We present a new algorithm to compute the classical modular polynomial Phi_n
in the rings Z[X,Y] and (Z/mZ)[X,Y], for a prime n and any positive integer m.
Our approach uses the graph of n-isogenies to efficiently compute Phi_n mod p
for many primes p of a suitable form, and then applies the Chinese Remainder
Theorem (CRT). Under the Generalized Riemann Hypothesis (GRH), we achieve an
expected running time of O(n^3 (log n)^3 log log n), and compute Phi_n mod m
using O(n^2 (log n)^2 + n^2 log m) space. We have used the new algorithm to
compute Phi_n with n over 5000, and Phi_n mod m with n over 20000. We also
consider several modular functions g for which Phi_n^g is smaller than Phi_n,
allowing us to handle n over 60000. Comment: corrected a typo in equation (14), 31 page
On the evaluation of modular polynomials
We present two algorithms that, given a prime ell and an elliptic curve E/Fq,
directly compute the polynomial Phi_ell(j(E),Y) in Fq[Y] whose roots are the
j-invariants of the elliptic curves that are ell-isogenous to E. We do not
assume that the modular polynomial Phi_ell(X,Y) is given. The algorithms may be
adapted to handle other types of modular polynomials, and we consider
applications to point counting and the computation of endomorphism rings. We
demonstrate the practical efficiency of the algorithms by setting a new
point-counting record, modulo a prime q with more than 5,000 decimal digits,
and by evaluating a modular polynomial of level ell = 100,019. Comment: 19 pages, corrected a typo in equation (8) and added equation (9
Fast algorithms for computing isogenies between ordinary elliptic curves in small characteristic
The problem of computing an explicit isogeny between two given elliptic
curves over F_q, originally motivated by point counting, has recently awakened
new interest in the cryptology community thanks to the works of Teske and
Rostovtsev & Stolbunov.
While the large characteristic case is well understood, only suboptimal
algorithms are known in small characteristic; they are due to Couveignes,
Lercier, Lercier & Joux and Lercier & Sirvent. In this paper we discuss the
differences between them and run some comparative experiments. We also present
the first complete implementation of Couveignes' second algorithm and present
improvements that make it the algorithm having the best asymptotic complexity
in the degree of the isogeny. Comment: 21 pages, 6 figures, 1 table. Submitted to J. Number Theor