Mappings of Elliptic Curves: Benjamin Smith

This document summarizes Benjamin Smith's talk on mappings of elliptic curves. It discusses several key concepts:
- Morphisms between elliptic curves are defined by polynomial mappings and include isomorphisms, endomorphisms, and isogenies.
- The endomorphism ring of an elliptic curve contains integer multiplication maps and (for curves over finite fields) the Frobenius endomorphism.
- Isogenies are a special type of homomorphism between elliptic curves that respect the group structure. Their degrees describe algebraic relationships between curves.
- The j-invariant classifies elliptic curves up to isomorphism: two curves have the same j-invariant if they are isomorphic over the base field.

Copyright
© Attribution Non-Commercial (BY-NC)
Mappings of elliptic curves

Benjamin Smith
INRIA Saclay-Île-de-France & Laboratoire d'Informatique de l'École polytechnique (LIX)

Eindhoven, September 2008
Smith (INRIA & LIX) Isogenies of Elliptic Curves Eindhoven, September 2008 1 / 28
Fields of Definition

Throughout this talk, k denotes some field. (In practice, $k = \mathbb{F}_q$.)
An object is defined over k or k-rational if we can define or represent it using equations with coefficients in k.
We will tend to avoid characteristic 2 and 3 in our examples.
We assume you know about elliptic curves and their basic arithmetic. (We will use Weierstrass models for all of our examples.)

Elliptic Curves

Be careful that you understand the distinction between the elliptic curve E and the group E(k) of its k-rational points.
The group law is defined for the curve E, not just the points in E(k).

Example
The group law on $E : y^2 = x^3 + 1$ is defined by the rational map
$$(x_1, y_1) + (x_2, y_2) = \big(X(x_1, y_1, x_2, y_2),\ Y(x_1, y_1, x_2, y_2)\big)$$
where
$$X = \frac{x_1^2 x_2 + x_1 x_2^2 - 2\,y_1 y_2 + 2}{(x_2 - x_1)^2}
\qquad\text{and}\qquad
Y = \frac{(3x_1 + x_2)\,x_2^2\,y_1 - (x_1 + 3x_2)\,x_1^2\,y_2 - 4\,(y_2 - y_1)}{(x_2 - x_1)^3}.$$
Observe that $Y^2 = X^3 + 1$.

The set of all elliptic curves over k

So far this week, we've dealt with individual elliptic curves in isolation.
Now we want to consider all the elliptic curves over k at the same time.
The geometer's way of doing this is to consider the moduli space of elliptic curves:
each point in the space corresponds to a class of isomorphic curves; that is, curves that are related by a change of coordinates.

Remark
The moduli space of elliptic curves is really a line (i.e. one-dimensional).

Polynomial maps

Now we want to start looking at relationships between curves.
Geometric relationships are expressed by morphisms.
For projective curves, a morphism $\phi : E \to E'$ is defined by a polynomial mapping
$$\phi : (X : Y : Z) \mapsto \big(\phi_0(X, Y, Z) : \phi_1(X, Y, Z) : \phi_2(X, Y, Z)\big),$$
where the $\phi_i$ are homogeneous polynomials of equal degree satisfying the defining equation of $E'$.
In affine coordinates, $\phi$ will be a rational map (with denominators):
$$\phi : (x, y) \mapsto \left( \frac{\phi_0(x, y, 1)}{\phi_2(x, y, 1)},\ \frac{\phi_1(x, y, 1)}{\phi_2(x, y, 1)} \right).$$
This rational map extends automatically to a polynomial map when we complete the curves in projective space.

Morphisms

Non-constant morphisms express algebraic relationships between curves.
1. Given a curve E, what does its structure tell us about the collection of morphisms from E to other curves (including E itself)?
2. Given a collection of morphisms $\phi_i : E \to E_i$, what do they tell us about the structure of E?

Degree of a morphism

Every morphism of curves has an integer degree.
Strictly speaking, the degree of $\phi : E \to E'$ is the degree of the function field extension $k(E')/k(E)$ induced by $\phi$.
We don't have time to do this properly; but note that most of the time, a morphism $E \to E'$ has degree n if it induces an n-to-1 mapping from $E(\bar{k})$ to $E'(\bar{k})$.

First examples

We have already met some examples of morphisms of elliptic curves:

Example
For every elliptic curve E and for every integer m, the multiplication-by-m map [m] is a morphism from E to itself (an endomorphism).
Recall [m] sends all the points in $E[m](\bar{k})$ to $0_E$.
If m is not divisible by char k, then $E[m](\bar{k}) \cong (\mathbb{Z}/m\mathbb{Z})^2$, so [m] is $m^2$-to-1, and the degree of [m] is $m^2$.

Example
If E is defined over $\mathbb{F}_q$, then we also have a Frobenius endomorphism, denoted $\pi_E$, mapping (x, y) to $(x^q, y^q)$.
The degree of $\pi_E$ is q.
Note that the set of fixed points of $\pi_E$ is $E(\mathbb{F}_q)$.

Exercise
Why is [m] a morphism? Can you represent it as a rational map?

Translations

For each point P in E(k), we have a translation morphism $\tau_P : E \to E$ defined over k, mapping $Q \mapsto \tau_P(Q) = Q + P$.
This is a polynomial map, since the group law is defined by polyn­omials.

Example
Consider the elliptic curve $E : y^2 = x^3 + 1$ over $\mathbb{Q}$.
If P is the point (2, 3) in $E(\mathbb{Q})$, then the translation $\tau_P$ is defined by
$$\tau_P : (x, y) \mapsto \left( \frac{2\big((x + 1)^2 - 3y\big)}{(x - 2)^2},\ \frac{3\big(x^3 + 6x^2 + 4 - 4(x + 1)y\big)}{(x - 2)^3} \right).$$

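The two rational maps above, checked with exact rational arithmetic. This is an added example, not code from the slides: the general X, Y formulas for y^2 = x^3 + 1 are compared with ordinary chord addition, and tau_P is compared with adding P = (2, 3) through the general map; the helper names and the sample points are mine.

```python
# Added example (not from the slides): the slide's rational maps for the group
# law on E : y^2 = x^3 + 1 and for tau_P, P = (2, 3), checked against chord addition.
from fractions import Fraction as Fr

def on_curve(P):
    """True if the affine point P = (x, y) satisfies y^2 = x^3 + 1."""
    x, y = P
    return y * y == x**3 + 1

def add_chord(P, Q):
    """Chord addition of two affine points with x1 != x2 (the generic case)."""
    x1, y1 = P
    x2, y2 = Q
    lam = Fr(y2 - y1, x2 - x1)
    x3 = lam * lam - x1 - x2
    return (x3, lam * (x1 - x3) - y1)

def add_rational_map(P, Q):
    """The slide's X and Y for y^2 = x^3 + 1.  As on the slide, only defined off the
    diagonal x1 == x2 (doubling and P + (-P) need the projective completion)."""
    x1, y1 = P
    x2, y2 = Q
    d = x2 - x1
    X = Fr(x1**2 * x2 + x1 * x2**2 - 2 * y1 * y2 + 2, d**2)
    Y = Fr((3*x1 + x2) * x2**2 * y1 - (x1 + 3*x2) * x1**2 * y2 - 4 * (y2 - y1), d**3)
    return (X, Y)

def tau_P(Q):
    """The slide's translation tau_P for P = (2, 3): Q -> Q + P (undefined at x = 2)."""
    x, y = Q
    X = Fr(2 * ((x + 1)**2 - 3 * y), (x - 2)**2)
    Y = Fr(3 * (x**3 + 6 * x**2 + 4 - 4 * (x + 1) * y), (x - 2)**3)
    return (X, Y)

def check_all(points):
    """Rational map == chord addition and lands on E; tau_P == adding (2, 3)."""
    P0 = (2, 3)
    for P in points:
        for Q in points:
            if P[0] == Q[0]:
                continue
            S = add_rational_map(P, Q)
            if S != add_chord(P, Q) or not on_curve(S):
                return False
        if P[0] != 2 and tau_P(P) != add_rational_map(P, P0):
            return False
    return True

# Constructed sample input: small rational points on y^2 = x^3 + 1.
SAMPLE = [(-1, 0), (0, 1), (0, -1), (2, 3), (2, -3)]
```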
Homomorphisms

A homomorphism is a morphism of elliptic curves that respects the group structure of the curves.

Theorem
Every morphism $E \to E'$ is a (unique) composition of a homomorphism $E \to E'$ and a translation on $E'$.

Corollary
Every morphism $E \to E'$ mapping $0_E$ to $0_{E'}$ is automatically a homomorphism!

Warning

From now on, we consider only morphisms sending $0_E$ to $0_{E'}$.
This isn't just convenient; it's also the right thing to do (in a category-theoretical sense).
Strictly speaking, an elliptic curve defined over k is a pair $(E, 0_E)$, where E is a curve of genus 1 over k and $0_E$ is a distinguished k-rational point on E (which becomes the zero of the group law).
So morphisms $(E, 0_E) \to (E', 0_{E'})$ should map E to $E'$ and $0_E$ to $0_{E'}$.

Endomorphisms

An endomorphism of an elliptic curve E is a homomorphism from E to itself.
The set of all endomorphisms of E is denoted End(E).
The group structure on E makes End(E) into a ring:
Addition in End(E) is defined by $(\phi + \psi)(P) := \phi(P) + \psi(P)$.
Multiplication in End(E) is defined by $\phi\psi := \phi \circ \psi$.
End(E) always contains a copy of $\mathbb{Z}$, in the form of the multiplication-by-m maps.
If E is defined over $\mathbb{F}_q$, then we also have the Frobenius endomorphism $\pi_E$.

Isomorphisms

Definition
An isomorphism is a morphism of degree 1.
(Essentially, an isomorphism is a change of coordinate system.)

Example
Consider the curve $E : y^2 + y = x^3$ over $\mathbb{Q}$.
There is an isomorphism $(x, y) \mapsto \big(2^2 3^2\, x,\ 2^2 3^3\, (2y + 1)\big)$ from E to the Weierstrass model $E' : y^2 = x^3 + 11664$.

Twists

Note that we can have curves E and $E'$ defined over k such that there is an isomorphism $E \to E'$ defined over $\bar{k}$ but not over k.
In this case, we say that E and $E'$ are twists.

Example
Consider the curves $E' : y^2 = x^3 + 11664$ and $E'' : y^2 = x^3 + 1$, both defined over $\mathbb{Q}$.
These curves cannot be isomorphic over $\mathbb{Q}$: $E''(\mathbb{Q})$ has a point of order 2 (namely $(-1, 0)$), while $E'(\mathbb{Q})$ has no point of order 2.
But over $\mathbb{Q}(\sqrt{2})$, we have an isomorphism $E' \to E''$ defined by $(x, y) \mapsto \big(2^3 3^6 \sqrt{2}\, x,\ 2^2 3^3\, y\big)$.
We say that $E'$ and $E''$ are quadratic twists.

The j-invariant

There exists a function
$$j : \{\text{Elliptic curves over } k\} \to k,$$
called the j-invariant, such that
$$j(E) = j(E') \iff E \text{ and } E' \text{ are isomorphic over } \bar{k}.$$
In fact, j is surjective, so k is the moduli space we mentioned earlier: each value of k corresponds to a distinct $\bar{k}$-isomorphism class of elliptic curves defined over k.

Example
The j-invariant of $E : y^2 = x^3 + f_2 x^2 + f_1 x + f_0$ is
$$j(E) = \frac{-64 f_2^6 + 576 f_2^4 f_1 - 1728 f_2^2 f_1^2 + 1728 f_1^3}{f_2^3 f_0 - \tfrac{1}{4} f_2^2 f_1^2 - \tfrac{9}{2} f_2 f_1 f_0 + f_1^3 + \tfrac{27}{4} f_0^2}.$$

Remark
All the twists of E have the same j-invariant as E.

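The formula from the Example and the Remark about twists, made concrete. This is an added example, not code from the slides: the slide's j(E) is evaluated exactly and compared with the textbook c4^3/Delta, and a quadratic twist (by d, rescaled to a monic model) is shown to keep j; the function names and the sample coefficients are mine.

```python
# Added example (not from the slides): the slide's j-invariant for
# y^2 = x^3 + f2 x^2 + f1 x + f0, checked against c4^3 / Delta and under twisting.
from fractions import Fraction as Fr

def j_slide(f2, f1, f0):
    """j(E) exactly as written on the slide, in exact rational arithmetic."""
    f2, f1, f0 = Fr(f2), Fr(f1), Fr(f0)
    num = -64*f2**6 + 576*f2**4*f1 - 1728*f2**2*f1**2 + 1728*f1**3
    den = (f2**3*f0 - Fr(1, 4)*f2**2*f1**2 - Fr(9, 2)*f2*f1*f0
           + f1**3 + Fr(27, 4)*f0**2)
    if den == 0:
        raise ValueError("singular curve: the discriminant vanishes")
    return num / den

def j_textbook(a2, a4, a6):
    """j = c4^3 / Delta from the standard b- and c-invariants (a1 = a3 = 0)."""
    a2, a4, a6 = Fr(a2), Fr(a4), Fr(a6)
    b2, b4, b6, b8 = 4*a2, 2*a4, 4*a6, 4*a2*a6 - a4**2
    c4 = b2**2 - 24*b4
    delta = -b2**2*b8 - 8*b4**3 - 27*b6**2 + 9*b2*b4*b6
    if delta == 0:
        raise ValueError("singular curve: the discriminant vanishes")
    return c4**3 / delta

def twist_by(f2, f1, f0, d):
    """Quadratic twist d*y^2 = x^3 + f2 x^2 + f1 x + f0, rescaled via
    (x, y) -> (x/d, y/d^2) to the monic model y^2 = x^3 + d f2 x^2 + d^2 f1 x + d^3 f0."""
    return (d*f2, d*d*f1, d**3*f0)
```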
Automorphisms

An automorphism is an isomorphism from a curve to itself.
Every elliptic curve $E : y^2 = f(x)$ has two obvious automorphisms:
1. the trivial one, $[1] : (x, y) \mapsto (x, y)$, and
2. the involution $[-1] : (x, y) \mapsto (x, -y)$.

Example
The curve $y^2 = x^3 + ax$ (for any choice of $a \neq 0$) has an automorphism $(x, y) \mapsto (-x, iy)$ (where $i^2 = -1$). These curves all have j-invariant 1728.

Example
The curve $y^2 = x^3 + a$ (for any choice of $a \neq 0$) has an automorphism $(x, y) \mapsto (\zeta_3 x, y)$ (where $\zeta_3^3 = 1$). These curves all have j-invariant 0.

Remark
In these examples, the extra automorphisms may not be defined over k.

The automorphism group

The automorphisms of E form a group, denoted Aut(E).
Typically, the automorphism group is as small as possible.

Theorem
Let E/k be an elliptic curve. Then Aut(E) is finite, and its order is
- 2 if $j(E) \notin \{0, 1728\}$;
- 4 if $j(E) = 1728$ and char k $\notin \{2, 3\}$;
- 6 if $j(E) = 0$ and char k $\notin \{2, 3\}$;
- 12 if $j(E) = 0 = 1728$ and char k = 3;
- 24 if $j(E) = 0 = 1728$ and char k = 2.
(In the last two cases, E is always supersingular.)

Automorphisms

An automorphism is a k-automorphism if it is defined over k.

Remark
The k-automorphism group of the underlying curve of E is a semidirect product of Aut(E)(k) and E(k), where E(k) acts by translation.
This larger group is what you will get if you use AutomorphismGroup(E) in Magma.

Remark
The number of twists of E can be calculated by looking at the action of Galois on Aut(E).

Remark
There is a slightly faster Discrete Log algorithm for curves with larger automorphism groups; see Duursma, Gaudry, and Morain (1999) for an overview.

Isogenies

Definition
An isogeny is a (geometrically surjective) homomorphism with finite kernel.
This is the definition for general abelian varieties. For elliptic curves, we can use the equivalent and simpler

Definition (elliptic-curve specific)
An isogeny is a nonzero homomorphism.

Isogenies are determined (up to isomorphism) by their kernels: if $\phi : E \to E'$ and $\psi : E \to E''$ are isogenies with the same kernel, then $E'$ and $E''$ are isomorphic (or twists).

Remark
Isogenies are almost isomorphisms.

Quotient isogenies

Given any finite subgroup S of E, we may form a quotient isogeny $\phi : E \to E' = E/S$ with kernel S using Vélu's formulae.

Example
Consider $E : y^2 = (x^2 + b_1 x + b_0)(x - a)$.
The point (a, 0) on E has order 2; the quotient of E by $\langle (a, 0) \rangle$ gives an isogeny $\phi : E \to E'$, where
$$E' : y^2 = x^3 + (4a + 2b_1)\,x^2 + (b_1^2 - 4b_0)\,x$$
and where $\phi$ maps (x, y) to
$$\left( \frac{x^3 - (a - b_1)x^2 - (b_1 a - b_0)x - b_0 a}{x - a},\ \frac{\big(x^2 - 2a\,x - (b_1 a + b_0)\big)\,y}{(x - a)^2} \right).$$

Rationality of isogenies

The quotient $\phi : E \to F = E/S$ is defined over k if and only if S is defined over k (i.e. Galois-stable): the points of S need not be defined over k themselves.
In the case $k = \mathbb{F}_q$, the quotient is defined over $\mathbb{F}_q$ if and only if S is fixed by Frobenius, that is, if the equations defining S are fixed by Frobenius.
The elements of such an S may be defined over $\mathbb{F}_{q^n}$ for some n, in which case they will be permuted by Frobenius.
In particular, this means that there can be isogenies from E defined over k even when the elements of their kernels are not visible over k.

Tate's theorem

Theorem
Let E and $E'$ be elliptic curves over $\mathbb{F}_q$.
There exists an isogeny $E \to E'$ defined over $\mathbb{F}_q$ if and only if $\#E(\mathbb{F}_q) = \#E'(\mathbb{F}_q)$.

Example
Consider $E : y^2 = x^3 - 8x + 16$ over $\mathbb{F}_{101}$.
We have $E(\mathbb{F}_{101}) \cong \mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/44\mathbb{Z}$, so $\#E(\mathbb{F}_{101}) = 88$.
The point (5, 0) of E has order 2, and the quotient by $\langle (5, 0) \rangle$ is an isogeny $\phi : E \to E' : y^2 = x^3 - 40x + 6$.
Now $E'(\mathbb{F}_{101}) \cong \mathbb{Z}/88\mathbb{Z}$, so $\#E'(\mathbb{F}_{101}) = \#E(\mathbb{F}_{101})$, but note that $E(\mathbb{F}_{101}) \not\cong E'(\mathbb{F}_{101})$.

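The Example checked by brute force over F_101. This is an added example, not code from the slides: it counts the points on both curves and compares the largest point order (the group exponent), which is 44 for E and 88 for E', so the groups have the same size but are not isomorphic; the helper names are mine.

```python
# Added example (not from the slides): Tate's theorem on the slide's curves over
# F_101.  E : y^2 = x^3 - 8x + 16 and E' : y^2 = x^3 - 40x + 6 both have 88
# points, but E(F_101) has exponent 44 while E'(F_101) is cyclic of order 88.
P = 101            # the prime from the slide
O = None           # the point at infinity 0_E

def points(a, b, p=P):
    """All affine F_p-points of y^2 = x^3 + a x + b (brute force; p is tiny)."""
    return [(x, y) for x in range(p) for y in range(p)
            if (y * y - x**3 - a * x - b) % p == 0]

def add(Pt, Qt, a, p=P):
    """Chord-and-tangent addition on y^2 = x^3 + a x + b over F_p."""
    if Pt is O:
        return Qt
    if Qt is O:
        return Pt
    x1, y1 = Pt
    x2, y2 = Qt
    if x1 == x2 and (y1 + y2) % p == 0:
        return O                          # P + (-P) = 0_E; covers 2-torsion points
    if Pt == Qt:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p      # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p             # chord slope
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def order(Pt, a, p=P):
    """Order of Pt in E(F_p), by repeated addition (fine for 88 points)."""
    n, R = 1, Pt
    while R is not O:
        R = add(R, Pt, a, p)
        n += 1
    return n

def group_order(a, b, p=P):
    """#E(F_p): the affine points plus 0_E."""
    return len(points(a, b, p)) + 1

def exponent(a, b, p=P):
    """Largest point order; equals #E(F_p) exactly when E(F_p) is cyclic."""
    return max(order(Pt, a, p) for Pt in points(a, b, p))
```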
Dual isogenies and isogeny classes

(Existence of an) isogeny is an equivalence relation.

Theorem
Let $\phi : E \to E'$ be an isogeny of degree m.
There exists a dual isogeny $\hat\phi : E' \to E$ such that $\hat\phi \circ \phi = [m]_E$ (and $\phi \circ \hat\phi = [m]_{E'}$). Further, $\hat{\hat\phi} = \phi$.

The set of curves that are isogenous to E is called the isogeny class of E.

Isogenies and DLP subgroups

Isogenies induce isomorphisms on DLP subgroups (cyclic subgroups of cryptographically interesting sizes).
We can therefore use isogenies to move DLPs between curves.

Example (may or may not be a good idea)
Teske has proposed a trapdoor system based on a hidden isogeny between a weak elliptic curve E and a strong elliptic curve F:
here E and the sequence of isogenies is given to a key escrow agency, and a DLP-based cryptosystem on F is made public.

Splitting multiplications with isogenies

If $\phi : E \to E'$ is an isogeny such that $\hat\phi \circ \phi = [m]$, then we say that $\phi$ splits multiplication-by-m.
When gcd(m, q) = 1, what happens is that $\phi$ kills half the m-torsion, and the image of the remaining m-torsion is then killed by $\hat\phi$.

Example
When $\phi$ has low degree and can be computed very efficiently, then computing $\phi$ followed by $\hat\phi$ may be faster than computing [m] directly, so we can use the isogenies to speed up point multiplication (see Doche, Icart, and Kohel, for example).

Frobenius isogenies

If $q = p^n$, then we have an isogeny $E \to E^{(p)} : (x, y) \mapsto (x^p, y^p)$, where $E^{(p)}$ is the curve defined by the equation of E with all its coefficients raised to the p-th power.
This is called the p-power Frobenius isogeny.
The q-power Frobenius endomorphism $\pi_E$ is a composition of n successive p-power isogenies.

Theorem
Every isogeny $\phi : E \to E'$ may be expressed as a composition of isogenies with prime-order cyclic kernels and p-power Frobenius isogenies.

The characteristic polynomial of Frobenius

Let E be an elliptic curve over $\mathbb{F}_q$.
The Frobenius endomorphism $\pi_E$ has a characteristic polynomial $\chi_E$ (a polynomial with integer coefficients such that $\chi_E(\pi_E) = [0]$).
We will look more closely at $\chi_E$ on Friday, but for now note that
$$\chi_E(X) = X^2 - t_E X + q \quad \text{for some } t_E \text{ with } |t_E| \le 2\sqrt{q},$$
and $\chi_E(1) = \#E(\mathbb{F}_q)$; so in particular,
$$(q + 1) - 2\sqrt{q} \;\le\; \#E(\mathbb{F}_q) \;\le\; (q + 1) + 2\sqrt{q}.$$
The integer $t_E$ is called the trace of Frobenius.

Remark
If E and $E'$ are quadratic twists (isomorphic over $\mathbb{F}_{q^2}$ but not over $\mathbb{F}_q$), then $t_{E'} = -t_E$.

Supersingular elliptic curves

Theorem
Let E be an elliptic curve over $\mathbb{F}_q$, where $q = p^n$. The following are equivalent:
1. $E[p^r] = 0$ for all $r \ge 1$;
2. $t_E$ is divisible by p;
3. End(E) is not commutative.
If these conditions hold, we say that E is supersingular.
Otherwise, we say E is ordinary, and $E[p^r] \cong \mathbb{Z}/p^r\mathbb{Z}$ for all $r \ge 1$.

Remark
j-invariants of supersingular curves are isolated in the moduli space, and in fact, they are all in $\mathbb{F}_{p^2}$.
It is much easier to determine $\#E(\mathbb{F}_q)$ when E is supersingular.
If E over $\mathbb{F}_q$ is supersingular, then the Discrete Logarithm in E is only as hard as the Discrete Logarithm in $\mathbb{F}_{q^n}^{*}$ for some smallish n.

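The trace of Frobenius from the previous slide and criterion 2 of the theorem above, worked out over F_101. This is an added example, not code from the slides: t_E is read off from the point count chi_E(1) = #E(F_p), the Hasse bound and the sign change under a quadratic twist are checked on the slide's curve y^2 = x^3 - 8x + 16, and y^2 = x^3 + 1 (supersingular over F_101, since 101 = 2 mod 3) is picked out by p | t_E; the helper names are mine.

```python
# Added example (not from the slides): trace of Frobenius t_E = p + 1 - #E(F_p),
# the Hasse bound, the twist rule t_{E'} = -t_E, and the test "p divides t_E".

def legendre(a, p):
    """Legendre symbol (a/p) in {-1, 0, 1} by Euler's criterion (p an odd prime)."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1

def count_points(a, b, p):
    """#E(F_p) for y^2 = x^3 + a x + b: 0_E plus, for each x, 1 + (f(x)/p) points."""
    return 1 + sum(1 + legendre(x**3 + a * x + b, p) for x in range(p))

def trace(a, b, p):
    """t_E, from chi_E(1) = #E(F_p) = p + 1 - t_E."""
    return p + 1 - count_points(a, b, p)

def hasse_ok(a, b, p):
    """|t_E| <= 2 sqrt(p), checked in integers as t_E^2 <= 4p."""
    return trace(a, b, p) ** 2 <= 4 * p

def quadratic_twist(a, b, p):
    """Twist by the smallest non-square d: d y^2 = x^3 + a x + b, rescaled to
    the monic model y^2 = x^3 + d^2 a x + d^3 b."""
    d = next(d for d in range(2, p) if legendre(d, p) == -1)
    return (d * d * a % p, d**3 * b % p)

def is_supersingular(a, b, p):
    """Criterion 2 of the theorem for q = p: p divides the trace of Frobenius."""
    return trace(a, b, p) % p == 0
```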
