Isogeny graphs with maximal real multiplication

An isogeny graph is a graph whose vertices are principally polarized abelian varieties and whose edges are isogenies between these varieties. In his thesis, Kohel described the structure of isogeny graphs for elliptic curves and showed that one may compute the endomorphism ring of an elliptic curve defined over a finite field by using a depth first search algorithm in the graph. In dimension 2, the structure of isogeny graphs is less understood and existing algorithms for computing endomorphism rings are very expensive. Our setting considers genus 2 jacobians with complex multiplication, with the assumptions that the real multiplication subring is maximal and has class number one. We fully describe the isogeny graphs in that case. Over finite fields, we derive a depth first search algorithm for computing endomorphism rings locally at prime numbers, if the real multiplication is maximal. To the best of our knowledge, this is the first DFS-based algorithm in genus 2

Pairing the Volcano

Isogeny volcanoes are graphs whose vertices are elliptic curves and whose edges are $\ell$-isogenies. Algorithms allowing to travel on these graphs were developed by Kohel in his thesis (1996) and later on, by Fouquet and Morain (2001). However, up to now, no method was known, to predict, before taking a step on the volcano, the direction of this step. Hence, in Kohel's and Fouquet-Morain algorithms, many steps are taken before choosing the right direction. In particular, ascending or horizontal isogenies are usually found using a trial-and-error approach. In this paper, we propose an alternative method that efficiently finds all points $P$ of order $\ell$ such that the subgroup generated by $P$ is the kernel of an horizontal or an ascending isogeny. In many cases, our method is faster than previous methods. This is an extended version of a paper published in the proceedings of ANTS 2010. In addition, we treat the case of 2-isogeny volcanoes and we derive from the group structure of the curve and the pairing a new invariant of the endomorphism class of an elliptic curve. Our benchmarks show that the resulting algorithm for endomorphism ring computation is faster than Kohel's method for computing the $\ell$-adic valuation of the conductor of the endomorphism ring for small $\ell$

Pairing-based algorithms for jacobians of genus 2 curves with maximal endomorphism ring

Using Galois cohomology, Schmoyer characterizes cryptographic non-trivial self-pairings of the $\ell$-Tate pairing in terms of the action of the Frobenius on the $\ell$-torsion of the Jacobian of a genus 2 curve. We apply similar techniques to study the non-degeneracy of the $\ell$-Tate pairing restrained to subgroups of the $\ell$-torsion which are maximal isotropic with respect to the Weil pairing. First, we deduce a criterion to verify whether the jacobian of a genus 2 curve has maximal endomorphism ring. Secondly, we derive a method to construct horizontal $(\ell,\ell)$-isogenies starting from a jacobian with maximal endomorphism ring

Constructing genus 3 hyperelliptic Jacobians with CM

Given a sextic CM field $K$, we give an explicit method for finding all genus 3 hyperelliptic curves defined over $\mathbb{C}$ whose Jacobians are simple and have complex multiplication by the maximal order of this field, via an approximation of their Rosenhain invariants. Building on the work of Weng, we give an algorithm which works in complete generality, for any CM sextic field $K$, and computes minimal polynomials of the Rosenhain invariants for any period matrix of the Jacobian. This algorithm can be used to generate genus 3 hyperelliptic curves over a finite field $\mathbb{F}_p$ with a given zeta function by finding roots of the Rosenhain minimal polynomials modulo $p$.Comment: 20 pages; to appear in ANTS XI

Constructions of new matroids and designs over GF(q)

A perfect matroid design (PMD) is a matroid whose flats of the same rank all have the same size. In this paper we introduce the q-analogue of a PMD and its properties. In order to do that, we first establish a new cryptomorphic definition for q-matroids. We show that q-Steiner systems are examples of q-PMD's and we use this q-matroid structure to construct subspace designs from q-Steiner systems. We apply this construction to S(2, 3, 13; q) q-Steiner systems and hence establish the existence of subspace designs with previously unknown parameters

Pairing computation on elliptic curves with efficiently computable endomorphism and small embedding degree

Scott uses an efficiently computable isomorphism in order to optimize pairing computation on a particular class of curves with embedding degree 2. He points out that pairing implementation becomes thus faster on these curves than on their supersingular equivalent, originally recommended by Boneh and Franklin for Identity Based Encryption. We extend Scott\u27s method to other classes of curves with small embedding degree and efficiently computable endomorphism

A note on the construction of pairing-friendly elliptic curves for composite order protocols

In pairing-based cryptography, the security of protocols using composite order groups relies on the difficulty of factoring a composite number $N$. Boneh~\etal~proposed the Cocks-Pinch method to construct ordinary pairing-friendly elliptic curves having a subgroup of composite order $N$. Displaying such a curve as a public parameter implies revealing a square root $s$ of the complex multiplication discriminant $-D$ modulo $N$. We exploit this information leak and the structure of the endomorphism ring of the curve to factor the RSA modulus, under certain conditions. Our conclusion is that the values of $s$ modulo each prime in the factorization of $N$ should be chosen as high entropy input parameters when running the Cocks-Pinch algorithm

Another approach to pairing computation in Edwards coordinates

The recent introduction of Edwards curves has significantly reduced the cost of addition on elliptic curves. This paper presents new explicit formulae for pairing implementation in Edwards coordinates. We prove our method gives performances similar to those of Miller\u27s algorithm in Jacobian coordinates and is thus of cryptographic interest when one chooses Edwards curve implementations of protocols in elliptic curve cryptography. The method is faster than the recent proposal of Das and Sarkar for computing pairings on supersingular curves using Edwards coordinates

Isogeny graphs with maximal real multiplication

An isogeny graph is a graph whose vertices are principally polarizable abelian varieties and whose edges are isogenies between these varieties. In his thesis, Kohel describes the structure of isogeny graphs for elliptic curves and shows that one may compute the endomorphism ring of an elliptic curve defined over a finite field by using a depth-first search (DFS) algorithm in the graph. In dimension 2, the structure of isogeny graphs is less understood and existing algorithms for computing endomorphism rings are very expensive. In this article, we show that, under certain circumstances, the problem of determining the endomorphism ring can also be solved in genus 2 with a DFS-based algorithm. We consider the case of genus-2 Jacobians with complex multiplication, with the assumptions that the real multiplication subring is maximal and has class number one. We describe the isogeny graphs in that case, locally at prime numbers which split in the real multiplication subfield. The resulting algorithm is implemented over finite fields, and examples are provided. To the best of our knowledge, this is the first DFS-based algorithm in genus 2