Fast algorithms for computing isogenies between ordinary elliptic curves in small characteristic

The problem of computing an explicit isogeny between two given elliptic curves over F_q, originally motivated by point counting, has recently awaken new interest in the cryptology community thanks to the works of Teske and Rostovstev & Stolbunov. While the large characteristic case is well understood, only suboptimal algorithms are known in small characteristic; they are due to Couveignes, Lercier, Lercier & Joux and Lercier & Sirvent. In this paper we discuss the differences between them and run some comparative experiments. We also present the first complete implementation of Couveignes' second algorithm and present improvements that make it the algorithm having the best asymptotic complexity in the degree of the isogeny.Comment: 21 pages, 6 figures, 1 table. Submitted to J. Number Theor

The arithmetic of hyperelliptic curves

We summarise recent advances in techniques for solving Diophantine problems on hyperelliptic curves; in particular, those for finding the rank of the Jacobian, and the set of rational points on the curve

Selmer groups as flat cohomology groups

Given a prime number $p$, Bloch and Kato showed how the $p^\infty$-Selmer group of an abelian variety $A$ over a number field $K$ is determined by the $p$-adic Tate module. In general, the $p^m$-Selmer group $\mathrm{Sel}_{p^m} A$ need not be determined by the mod $p^m$ Galois representation $A[p^m]$; we show, however, that this is the case if $p$ is large enough. More precisely, we exhibit a finite explicit set of rational primes $\Sigma$ depending on $K$ and $A$, such that $\mathrm{Sel}_{p^m} A$ is determined by $A[p^m]$ for all $p \not \in \Sigma$. In the course of the argument we describe the flat cohomology group $H^1_{\mathrm{fppf}}(O_K, \mathcal{A}[p^m])$ of the ring of integers of $K$ with coefficients in the $p^m$-torsion $\mathcal{A}[p^m]$ of the N\'{e}ron model of $A$ by local conditions for $p\not\in \Sigma$, compare them with the local conditions defining $\mathrm{Sel}_{p^m} A$, and prove that $\mathcal{A}[p^m]$ itself is determined by $A[p^m]$ for such $p$. Our method sharpens the known relationship between $\mathrm{Sel}_{p^m} A$ and $H^1_{\mathrm{fppf}}(O_K, \mathcal{A}[p^m])$ and continues to work for other isogenies $\phi$ between abelian varieties over global fields provided that $\mathrm{deg} \phi$ is constrained appropriately. To illustrate it, we exhibit resulting explicit rank predictions for the elliptic curve $11A1$ over certain families of number fields.Comment: 22 pages; final version, to appear in Journal of the Ramanujan Mathematical Societ

Relative Brauer groups of torsors of period two

We consider the problem of computing the relative Brauer group of a torsor of period 2 under an elliptic curve E. We show how this problem can be reduced to finding a set of generators for the group of rational points on E. This extends work of Haile and Han to the case of torsors with unequal period and index. Several numerical examples are given.Comment: V2: minor errors corrected; appendix adde

Solving discrete logarithms on a 170-bit MNT curve by pairing reduction

Pairing based cryptography is in a dangerous position following the breakthroughs on discrete logarithms computations in finite fields of small characteristic. Remaining instances are built over finite fields of large characteristic and their security relies on the fact that the embedding field of the underlying curve is relatively large. How large is debatable. The aim of our work is to sustain the claim that the combination of degree 3 embedding and too small finite fields obviously does not provide enough security. As a computational example, we solve the DLP on a 170-bit MNT curve, by exploiting the pairing embedding to a 508-bit, degree-3 extension of the base field.Comment: to appear in the Lecture Notes in Computer Science (LNCS