Computing endomorphism rings of elliptic curves under the GRH
We design a probabilistic algorithm for computing endomorphism rings of
ordinary elliptic curves defined over finite fields that we prove has a
subexponential runtime in the size of the base field, assuming solely the
generalized Riemann hypothesis.
Additionally, we improve the asymptotic complexity of previously known,
heuristic, subexponential methods by describing a faster isogeny-computing
routine.
Comment: 11 pages, 1 figure
Computing endomorphism rings of abelian varieties of dimension two
Generalizing a method of Sutherland and the author for elliptic curves, we
design a subexponential algorithm for computing the endomorphism rings of
ordinary abelian varieties of dimension two over finite fields. Although its
correctness and complexity analysis rest on several assumptions, we report on
practical computations showing that it performs very well and can easily handle
previously intractable cases.
Comment: 14 pages, 2 figures
Constructing Permutation Rational Functions From Isogenies
A permutation rational function is a rational function
that induces a bijection on , that is, for all
there exists exactly one such that . Permutation
rational functions are intimately related to exceptional rational functions,
and more generally exceptional covers of the projective line, of which they
form the first important example.
In this paper, we show how to efficiently generate many permutation rational
functions over large finite fields using isogenies of elliptic curves, and
discuss some cryptographic applications. Our algorithm is based on Fried's
modular interpretation of certain dihedral exceptional covers of the projective
line (Cont. Math., 1994).
On polarised class groups of orders in quartic CM-fields
We give an explicit necessary condition for pairs of orders in a quartic
CM-field to have the same polarised class group. This generalises a simpler
result for imaginary quadratic fields. We give an application of our results to
computing endomorphism rings of abelian surfaces over finite fields, and we use
our results to extend a completeness result of Murabayashi and Umegaki to a
list of abelian surfaces over the rationals with complex multiplication by
arbitrary orders.
Comment: 19 pages, v2 strengthened results slightly and changed theorem
numbering, v3 further strengthened results and added more details, v4 eased
the presentation but changed notations and numbering, v5 updated references,
v6 removes mistaken "transitivity" statement
Empirical Risk Minimization with Relative Entropy Regularization: Optimality and Sensitivity Analysis
The optimality and sensitivity of the empirical risk minimization problem with relative entropy regularization (ERM-RER) are investigated for the case in which the reference is a -finite measure instead of a probability measure. This generalization allows for a larger degree of flexibility in the incorporation of prior knowledge over the set of models. In this setting, the interplay of the regularization parameter, the reference measure, the risk function, and the empirical risk induced by the solution of the ERM-RER problem is characterized. This characterization yields necessary and sufficient conditions for the existence of regularization parameters that achieve arbitrarily small empirical risk with arbitrarily high probability. Additionally, the sensitivity of the expected empirical risk to deviations from the solution of the ERM-RER problem is studied. Dataset-dependent and dataset-independent upper bounds on the absolute value of the sensitivity are presented. In a special case, it is shown that the expectation (with respect to the datasets) of the absolute value of the sensitivity is upper bounded, up to a constant factor, by the square root of the lautum information between the models and the datasets.
Computing the endomorphism ring of an ordinary elliptic curve over a finite field
We present two algorithms to compute the endomorphism ring of an ordinary
elliptic curve E defined over a finite field F_q. Under suitable heuristic
assumptions, both have subexponential complexity. We bound the complexity of
the first algorithm in terms of log q, while our bound for the second algorithm
depends primarily on log |D_E|, where D_E is the discriminant of the order
isomorphic to End(E). As a byproduct, our method yields a short certificate
that may be used to verify that the endomorphism ring is as claimed.
Comment: 16 pages (minor edits)
A low-memory algorithm for finding short product representations in finite groups
We describe a space-efficient algorithm for solving a generalization of the
subset sum problem in a finite group G, using a Pollard-rho approach. Given an
element z and a sequence of elements S, our algorithm attempts to find a
subsequence of S whose product in G is equal to z. For a random sequence S of
length d log_2 n, where n=#G and d >= 2 is a constant, we find that its
expected running time is O(sqrt(n) log n) group operations (we give a rigorous
proof for d > 4), and it only needs to store O(1) group elements. We consider
applications to class groups of imaginary quadratic fields, and to finding
isogenies between elliptic curves over a finite field.
Comment: 12 pages
Contributions aux aspects effectifs des variétés abéliennes et à leurs applications
Dissertation submitted to the université de la Polynésie française for the habilitation à diriger les recherches (accreditation to supervise research), specialty mathematics. Publicly defended on 19 June 2023 before the jury listed below.
"Endomorphism Rings in Cryptography"
Modern communications heavily rely on cryptography to ensure data integrity and privacy. Over the past two decades, very efficient, secure, and featureful cryptographic schemes have been built on top of abelian varieties defined over finite fields. This thesis contributes to several computational aspects of ordinary abelian varieties related to their endomorphism ring structure. This structure plays a crucial role in the construction of abelian varieties with desirable properties. For instance, pairings have recently enabled many advanced cryptographic primitives; generating abelian varieties endowed with efficient pairings requires selecting suitable endomorphism rings, and we show that more such rings can be used than expected. We also address the inverse problem, that of computing the endomorphism ring of a prescribed abelian variety, which has several applications of its own. Prior state-of-the-art methods could only solve this problem in exponential time, and we design several algorithms of subexponential complexity for solving it in the ordinary case. For elliptic curves, our algorithms are very effective and we demonstrate their practicality by solving large problems that were previously intractable. Additionally, we rigorously bound the complexity of our main algorithm assuming solely the extended Riemann hypothesis. As an alternative to one of our subroutines, we also consider a generalization of the subset sum problem in finite groups, and show how it can be solved using little memory. Finally, we generalize our method to higher-dimensional abelian varieties, for which we rely on further heuristic assumptions. 
Practically speaking, we develop a library enabling the computation of isogenies between abelian varieties; using this important building block in our main algorithm, we apply our generalized method to compute several illustrative and record examples.
Cryptography has become indispensable for guaranteeing the security and integrity of data transiting modern communication networks. Over the past two decades, very efficient, secure and feature-rich cryptosystems have been built from abelian varieties defined over finite fields. This thesis contributes to certain algorithmic aspects of ordinary abelian varieties relating to their endomorphism rings. This structure plays a key role in the construction of abelian varieties with good properties. For example, pairings have recently made it possible to create many advanced cryptographic primitives; constructing abelian varieties equipped with efficient pairings requires choosing suitable endomorphism rings, and we show that a larger number of such rings can be used than one might think. We also address the inverse problem, that of computing the endomorphism ring of a given abelian variety, which moreover has several practical applications. Previously, the best methods solved this problem only in exponential time; here we design several algorithms of subexponential complexity to solve it in the ordinary case. For elliptic curves, our algorithms are very efficient, which we demonstrate by tackling large problems that were unsolvable until now. Moreover, we rigorously bound the complexity of our algorithm under the extended Riemann hypothesis.
As an alternative subroutine, we also consider a generalization of the knapsack problem in finite groups, and show how it can be solved using little memory. Finally, we generalize our method to abelian varieties of higher dimension, which requires further heuristic assumptions. Concretely, we develop a library that makes it possible to evaluate isogenies between abelian varieties; using this important tool in our algorithm, we apply our generalized method to illustrative examples and to sizes that were out of reach until now.
Computing endomorphism rings of elliptic curves under the GRH, 2010
We design a probabilistic algorithm for computing endomorphism rings of ordinary elliptic curves defined over finite fields that we prove has a subexponential runtime in the size of the base field, assuming solely the generalized Riemann hypothesis. Additionally, we improve the asymptotic complexity of previously known, heuristic, subexponential methods by describing a faster isogeny-computing routine.