Explicit CM-theory for level 2-structures on abelian surfaces
For a complex abelian variety with endomorphism ring isomorphic to the
maximal order in a quartic CM-field , the Igusa invariants generate an abelian extension of the reflex field of . In
this paper we give an explicit description of the Galois action of the class
group of this reflex field on . We give a geometric
description which can be expressed by maps between various Siegel modular
varieties. We can explicitly compute this action for ideals of small norm, and
this allows us to improve the CRT method for computing Igusa class polynomials.
Furthermore, we find cycles in isogeny graphs for abelian surfaces, thereby
implying that the 'isogeny volcano' algorithm to compute endomorphism rings of
ordinary elliptic curves over finite fields does not have a straightforward
generalization to computing endomorphism rings of abelian surfaces over finite
fields.
Modular polynomials for genus 2
Modular polynomials are an important tool in many algorithms involving
elliptic curves. In this article we investigate their generalization to the
genus 2 case following pioneering work by Gaudry and Dupont. We prove various
properties of these genus 2 modular polynomials and give an improved way to
explicitly compute them.
Computing Hilbert class polynomials with the Chinese Remainder Theorem
We present a space-efficient algorithm to compute the Hilbert class
polynomial H_D(X) modulo a positive integer P, based on an explicit form of the
Chinese Remainder Theorem. Under the Generalized Riemann Hypothesis, the
algorithm uses O(|D|^(1/2+o(1)) log P) space and has an expected running time of
O(|D|^(1+o(1))). We describe practical optimizations that allow us to handle
larger discriminants than other methods, with |D| as large as 10^13 and h(D) up
to 10^6. We apply these results to construct pairing-friendly elliptic curves
of prime order, using the CM method.
Comment: 37 pages, corrected a typo that misstated the heuristic complexity.
Hard isogeny problems over RSA moduli and groups with infeasible inversion
We initiate the study of computational problems on elliptic curve isogeny
graphs defined over RSA moduli. We conjecture that several variants of the
neighbor-search problem over these graphs are hard, and provide a comprehensive
list of cryptanalytic attempts on these problems. Moreover, based on the
hardness of these problems, we provide a construction of groups with infeasible
inversion, where the underlying groups are the ideal class groups of imaginary
quadratic orders.
Recall that in a group with infeasible inversion, computing the inverse of a
group element is required to be hard, while performing the group operation is
easy. Motivated by the potential cryptographic application of building a
directed transitive signature scheme, the search for a group with infeasible
inversion was initiated in the theses of Hohenberger and Molnar (2003). Later
it was also shown to provide a broadcast encryption scheme by Irrer et al.
(2004). However, to date the only case of a group with infeasible inversion is
implied by the much stronger primitive of self-bilinear map constructed by
Yamakawa et al. (2014) based on the hardness of factoring and
indistinguishability obfuscation (iO). Our construction gives a candidate
without using iO.
Comment: Significant revision of the article previously titled "A Candidate
Group with Infeasible Inversion" (arXiv:1810.00022v1). Cleared up the
constructions by giving toy examples, added "The Parallelogram Attack" (Sec
5.3.2). 54 pages, 8 figures.
Isogeny graphs of ordinary abelian varieties
Fix a prime number . Graphs of isogenies of degree a power of
are well-understood for elliptic curves, but not for higher-dimensional abelian
varieties. We study the case of absolutely simple ordinary abelian varieties
over a finite field. We analyse graphs of so-called -isogenies,
resolving that they are (almost) volcanoes in any dimension. Specializing to
the case of principally polarizable abelian surfaces, we then exploit this
structure to describe graphs of a particular class of isogenies known as
-isogenies: those whose kernels are maximal isotropic subgroups
of the -torsion for the Weil pairing. We use these two results to write
an algorithm giving a path of computable isogenies from an arbitrary absolutely
simple ordinary abelian surface towards one with maximal endomorphism ring,
which has immediate consequences for the CM-method in genus 2, for computing
explicit isogenies, and for the random self-reducibility of the discrete
logarithm problem in genus 2 cryptography.
Comment: 36 pages, 4 figures.
Counting Points on Genus 2 Curves with Real Multiplication
We present an accelerated Schoof-type point-counting algorithm for curves of
genus 2 equipped with an efficiently computable real multiplication
endomorphism. Our new algorithm reduces the complexity of genus 2 point
counting over a finite field $\mathbb{F}_q$ of large characteristic from
$\widetilde{O}(\log^8 q)$ to $\widetilde{O}(\log^5 q)$. Using our algorithm we
compute a 256-bit prime-order Jacobian, suitable for cryptographic
applications, and also the order of a 1024-bit Jacobian.
On polarised class groups of orders in quartic CM-fields
We give an explicit necessary condition for pairs of orders in a quartic
CM-field to have the same polarised class group. This generalises a simpler
result for imaginary quadratic fields. We give an application of our results to
computing endomorphism rings of abelian surfaces over finite fields, and we use
our results to extend a completeness result of Murabayashi and Umegaki to a
list of abelian surfaces over the rationals with complex multiplication by
arbitrary orders.
Comment: 19 pages, v2 strengthened results slightly and changed theorem
numbering, v3 further strengthened results and added more details, v4 eased
the presentation but changed notations and numbering, v5 updated references,
v6 removes mistaken "transitivity" statement.