-
Notifications
You must be signed in to change notification settings - Fork 4
/
poly.tex
5126 lines (4487 loc) · 205 KB
/
poly.tex
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
\documentclass[10pt]{article}
\usepackage[a4paper]{geometry}
\usepackage[english]{babel}
\usepackage{array}
\usepackage{amsmath,amsthm,amsfonts,amssymb}
\usepackage{unicode}
\usepackage{subcaption}
\usepackage[pdfusetitle]{hyperref}
\hypersetup{
unicode=true,
colorlinks=true,
citecolor=blue!70!black,
filecolor=black,
linkcolor=red!70!black,
urlcolor=blue,
pdfstartview={FitH},
pdfauthor={Luca De Feo},
pdfsubject={Mathematics},
pdfkeywords={Cryptography, Number theory, Elliptic curves, Isogenies},
}
\usepackage[type={CC},modifier={by-nc},imagemodifier={-eu},version={4.0},imagewidth=5em]{doclicense}
\usepackage{fancyhdr}
\usepackage{tabularx}
\usepackage{comment}
\usepackage{algorithmic}
\renewcommand{\algorithmicrequire}{\textbf{Input:}}
\renewcommand{\algorithmicensure}{\textbf{Output:}}
\algsetup{linenodelimiter=.}
\usepackage{tikz}
\usetikzlibrary{arrows,matrix,decorations,decorations.text,decorations.pathmorphing,calc}
\pgfkeys{/triangle/.code=\tikzset{x={(-0.5cm,-0.866cm)},y={(1cm,0cm)}}}
\pgfkeys{/lattice/.code n args={4}{\tikzset{cm={#1,#2,#3,#4,(0,0)}}}}
\newcommand{\axes}[4]{
\clip (#1,#3) rectangle (#2,#4);
\draw [thin, gray, -latex] (#1,0) -- (#2,0);% Draw x axis
\draw [thin, gray, -latex] (0,#3) -- (0,#4);% Draw y axis
}
\newcommand{\lattice}[3][2pt]{
\draw[style=help lines,dashed] (#2-1,#2-1) grid[step=1] (#3+1,#3+1);
\foreach \x in {#2,...,#3}{
\foreach \y in {#2,...,#3}{
\node[draw,circle,inner sep=#1,fill] at (\x,\y) {};
% Places a dot at those points
}
}
}
% theorem environments
\theoremstyle{plain}
\newtheorem{theorem}{Theorem}
\newtheorem{lemma}[theorem]{Lemma}
\newtheorem{corollary}[theorem]{Corollary}
\newtheorem{proposition}[theorem]{Proposition}
\theoremstyle{definition}
\newtheorem{definition}[theorem]{Definition}
\newtheorem{example}[theorem]{Example}
\newtheorem{problem}{Problem}
\newtheorem{remark}[theorem]{Remark}
\newtheorem{exercise}{Exercise}[part]
\DeclareMathOperator{\Aut}{Aut} % automorphism group
\DeclareMathOperator{\End}{End} % endomorphism ring
\DeclareMathOperator{\Hom}{Hom} % homset
\DeclareMathOperator{\Tr}{Tr} % finite field trace
\DeclareMathOperator{\Gal}{Gal} % Galois group
\DeclareMathOperator{\ord}{ord} % order of an element
\DeclareMathOperator{\lcm}{lcm} % least common multiple
\DeclareMathOperator{\norm}{N} % norm
\DeclareMathOperator{\nrd}{nrd} % reduced norm
\DeclareMathOperator{\discrd}{discrd} % reduced discriminant
\DeclareMathOperator{\loglog}{loglog}
\DeclareMathOperator{\poly}{poly}
\DeclareMathOperator{\polylog}{polylog}
\DeclareMathOperator{\im}{Im} % imaginary part
\DeclareMathOperator{\re}{Re} % real part
\DeclareMathOperator{\GL}{GL}
\DeclareMathOperator{\PGL}{PGL}
\DeclareMathOperator{\SL}{SL}
\DeclareMathOperator{\Cl}{Cl}
\DeclareMathOperator{\Ell}{Ell}
\DeclareMathOperator{\rk}{rk} % rank
\DeclareMathOperator{\Pic}{Pic} %Picard group
\def\A{\ensuremath{\mathbb{A}}}
\def\P{\ensuremath{\mathbb{P}}}
\def\F{\ensuremath{\mathbb{F}}}
\def\Q{\ensuremath{\mathbb{Q}}}
\def\Z{\ensuremath{\mathbb{Z}}}
\def\O{\ensuremath{\mathcal{O}}}
\def\tildO{\ensuremath{\tilde{O}}}
\def\euler{\ensuremath{\varphi}}
\def\a{\ensuremath{\mathfrak{a}}}
\def\mat#1{\left(\begin{smallmatrix}#1\end{smallmatrix}\right)}
\newcommand{\leg}[2]{\left(\frac{#1}{#2}\right)}
\newcommand{\IR}[1][]{\ensuremath{{\mathcal{E}\texttt{#1}}}}
\newcommand{\bl}[1]{\textcolor{blue}{#1}}
\newcommand{\rd}[1]{\textcolor{red}{#1}}
\title{Mathematics of Isogeny Based Cryptography}
\usepackage[blocks]{authblk}
\renewcommand\Affilfont{\normalsize}
\author{Luca De Feo}
\affil{
\textcolor{gray}{Université de Versailles, France}\\
\textcolor{gray}{Inria Saclay, Palaiseau, France}\\
IBM Research Europe, Z\"urich, Switzerland\\
\url{https://defeo.lu/}
}
\author{Marc Houben}
\affil{
Universiteit Leiden, Netherlands\\
KU Leuven, Belgium
}
\date{}
\begin{document}
\maketitle
\begin{center}
\begin{tabular}{r @{~--~} l}
\color{gray}v1 & \color{gray}May 2017, Thi\`es, Senegal\\
\color{gray}v2 & \color{gray}August 2019, W\"urzburg, Germany\\
v3 & September 2024, Popayan, Colombia \& Rabat, Morocco \& Cargèse, France
\end{tabular}
\end{center}
\thispagestyle{fancy}
\renewcommand{\headrulewidth}{0pt}
\renewcommand{\footrulewidth}{0.4pt}
\cfoot{}
\lfoot{Stable version of these notes permanently hosted at
\url{https://arxiv.org/abs/1711.04062}. \LaTeX{} source code
available at \url{https://github.com/defeo/MathematicsOfIBC/}.
\doclicenseThis}
\section*{Preface}
These lecture notes were first written in 2017 for a summer school on
\emph{Mathematics for post-quantum cryptography} held in Thiès,
Senegal, under the patronage of the \emph{\'Ecoles Math\'ematiques
Africaines} program and of \href{https://www.cimpa.info/}{CIMPA}.
This version is archived as~\cite{defeo2017isogenybased}.
The second revision~\cite{defeo2017isogenybased} appeared in 2019 at
the summer school
\href{https://ifm.mathematik.uni-wuerzburg.de/summerschool2019/}{\emph{Graph
Theory Meets Cryptography}} in W\"urzburg, Germany. %
It largely reorganized contents and added material on the newly
discovered CSIDH. %
This third revision was written between 2022 and 2024 for four summer
schools:
\begin{itemize}
\item \href{https://cryptabit.bit.uni-bonn.de/2022}{crypt@b-it} in
Bonn, Germany;
\item The \href{https://www.cimpa.info/}{CIMPA} research school on
\href{http://www.rnta.eu/Popayan2023/}{``Isogenies of elliptic
curves and their applications to cryptography''} in Popayan,
Colombia;
\item The \href{https://www.cimpa.info/}{CIMPA} research school on
\href{http://cimpa.c2si-conference.org/}{``Mathematical aspects of
post-quantum cryptography''} in Rabat, Morocco; and
\item The introductory summer school to the
\href{https://www.ihp.fr/}{IHP} thematic trimester on
\href{https://sites.google.com/york.ac.uk/ihp-pqc-trimester-24/}{Post-Quantum
Algebraic Cryptography}.
\end{itemize}
Coming after the discovery of polynomial-time attacks on SIDH and a
major reshaping of the entire field, it features several important
changes and the addition of Part~\ref{part:ssingular}. %
It also welcomes a new co-author in Marc Houben, who was first a
student in Bonn and then a lecturer in Popayan.
Over the course of these 7 years, isogeny based cryptography has
evolved from a niche topic into a respectable subfield of public-key
cryptography, going through phases of excitement and of existential
doubt. %
Today isogeny based cryptography is too vast to be taught in a single
week of lectures, hence these notes do not attempt at covering the
entirety of known protocols and attacks. %
Instead, they are meant to give the bases to enter the field and,
hopefully, start doing exciting research.
\paragraph{Acknowledgments.}
These notes wouldn't have existed if not for the summer schools
mentioned above. %
For having organized such wonderful events and supported our lectures,
we would like to thank CIMPA, the Écoles Mathématiques Africaines, the
École Polytechnique de Thiès, and their personnel. %
Jörn Steuding, Katja Mönius, Pascal Stumpf, Steffen Reith, Michael
Meyer, the RheinMain University of Applied Sciences and the University
of Würzburg. %
Michael Nüsken, Sophia Grundner-Culemann, Marcel Tiepelt, Daniel
Loebenberger, Jonathan Lennartz, the b-it (Bonn-Aachen International
Center for Information Technology), CASA (Cyber Security in the Age of
Large-Scale Adversaries), the Fachgruppe KRYPTO and the smashHit
project. %
Marusia Rebolledo, Valerio Talamanca, Carlos Trujillo Solarte, Jhon
Jairo Bravo Grijalba, Cristian Angulo and the Universidad del Cauca. %
Souidi El Mamoun, Damien Stehlé and the University Mohammed V of
Rabbat. Delaram Kahrobaei, Ludovic Perret and the Institut Henri
Poincaré.
Many students have contributed by pointing out mistakes and helping
fixing them. %
We would like to thank, in particular, Simon Masson, Marcel Müller,
Martin Strand, Vadym Fedyukovych, Tomáš Novotny, Sina Schaeffler,
Val\'erien Hatey, Mehdi Kermaoui, Ryan Rueger, and apologize to all
those students whose name we've forgot.
\clearpage
{
\hypersetup{linkcolor=black}
\setcounter{tocdepth}{1}
\tableofcontents
}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\clearpage
\part{Elliptic curves and isogenies}
In this part, we review the basic and not-so-basic theory of elliptic
curves. %
Our goal is to summarize the fundamental theorems necessary to
understanding the foundations of isogeny based cryptography. %
A proper treatment of the material covered here would require more
than one book, we thus skip proofs and lots of details to go straight
to the useful theorems. %
The reader in search of a more comprehensive treatment will find more
details~\cite{silverman:elliptic,silverman:advanced,lang1987elliptic,neukirch2013algebraic}. %
Throughout this part we let $k$ be a field, and we denote by $\bar{k}$
its algebraic closure. %
\section{Elliptic curves}
\label{sec:elliptic-curves}
Elliptic curves are smooth projective curves of genus 1 with a
distinguished point. %
Projective space initially appeared through the process of adding
\emph{points at infinity}, as a method to understand the geometry of
projections (also known as \emph{perspective} in classical
painting). %
In modern terms, we define projective space as the collection of all
lines in affine space passing through the origin.
\begin{definition}[Projective space]
The \emph{projective space of dimension $n$}, denoted by $\P^n$ or
$\P^n(\bar{k})$, is the set of all $(n+1)$-tuples
\[(x_0,\dots,x_n) ∈ \bar{k}^{n+1}\] %
such that $(x_0,\dots,x_n) ≠ (0,\dots,0)$, taken modulo the
equivalence relation
\[(x_0,\dots,x_n) \sim (y_0,\dots,y_n)\] %
if and only if there exists $λ\in\bar{k}$ such that
$x_i=λy_i$ for all $i$.
\end{definition}
The equivalence class of $(x_0,\dots,x_n)$ is customarily denoted by
$(x_0:\cdots:x_n)$ and called a \emph{projective point}. %
The set of the \emph{$k$-rational points}, denoted by $\P^n(k)$, is
defined as
\[\P^n(k) = \left\{(x_0:\cdots:x_n)∈\P^n\;\middle|\; x_i ∈ k \text{ for all $i$}\right\}.\] %
By fixing arbitrarily the coordinate $x_n=0$, we define a projective
space of dimension $n-1$, which we call the \emph{hyperplane at
infinity}; its points are called \emph{points at infinity}.
From now on we suppose that the field $k$ has characteristic different
from $2$ and $3$. %
This has the merit of greatly simplifying the representation of an
elliptic curve. %
For a general definition, see~\cite[Chap.~III]{silverman:elliptic}.
\begin{definition}[Weierstrass equation]
An \emph{elliptic curve} defined over $k$ is the locus in
$\P^2(\bar{k})$ of an equation
\begin{equation}
\label{eq:weierstrass}
Y^2Z = X^3 + aXZ^2 + bZ^3,
\end{equation}
with $a,b∈k$ and $4a^3+27b^2\ne0$.
The point $(0:1:0)$ is the only point on the line $Z=0$; it is
called the \emph{point at infinity} of the curve.
\end{definition}
It is customary to write Eq.~\eqref{eq:weierstrass} in \emph{affine
form}. %
By defining the coordinate functions $x=X/Z$ and $y=Y/Z$, we
equivalently define the elliptic curve as the locus of the equation
\[y^2 = x^3 + ax +b,\]
plus the point at infinity $\O=(0:1:0)$.
In characteristic different from $2$ and $3$, we can show that any
smooth projective curve of genus $1$ with a distinguished point $\O$
is isomorphic to a Weierstrass equation by sending $\O$ onto the point
at infinity $(0:1:0)$.
\begin{figure}
\centering
\hfill
%%
\begin{tikzpicture}[domain=-2.4566:4,samples=100,yscale=3/8,xscale=3/4]
\draw plot (\x,{sqrt(\x*\x*\x-4*\x+5)});
\draw plot (\x,{-sqrt(\x*\x*\x-4*\x+5)});
\draw[thin,gray,-latex] (0,-7) -- (0,7);
\draw[thin,gray,-latex] (-3,0) -- (4,0);
\draw (-3,1) -- (4,8/3+3);
\begin{scope}[every node/.style={draw,circle,inner sep=1pt,fill},cm={1,2/3,0,0,(0,3)}]
\node at (-2.287980,0) {};
\node at (-0.535051,0) {};
\node at (3.267475,0) {};
\end{scope}
\begin{scope}[every node/.style={yshift=0.3cm},cm={1,2/3,0,0,(0,3)}]
\node at (-2.287980,0) {$P$};
\node at (-0.535051,0) {$Q$};
\node at (3.267475,0) {$R$};
\end{scope}
\draw[dashed] (3.267475,3.267475*2/3+3) -- (3.267475,-3.267475*2/3-3)
node[draw,circle,inner sep=1pt,fill] {}
node[xshift=-0.1cm,anchor=east] {$P+Q$};
\end{tikzpicture}
%%
\hfill
%%
\begin{tikzpicture}[domain=-2.4566:4,samples=100,yscale=3/8,xscale=3/4]
\draw plot (\x,{sqrt(\x*\x*\x-4*\x+5)});
\draw plot (\x,{-sqrt(\x*\x*\x-4*\x+5)});
\draw[thin,gray,-latex] (0,-7) -- (0,7);
\draw[thin,gray,-latex] (-3,0) -- (4,0);
\def\c{3.269524}
\def\P{-1.398674}
\def\R{2.908459}
\draw (-3,-1+\c) -- (4,4/3+\c);
\begin{scope}[every node/.style={draw,circle,inner sep=1pt,fill},cm={1,1/3,0,0,(0,3.269524)}]
\node at (\P,0) {};
\node at (\R,0) {};
\end{scope}
\begin{scope}[every node/.style={yshift=0.3cm},cm={1,1/3,0,0,(0,3.269524)}]
\node at (\P,0) {$P$};
\node at (\R,0) {$R$};
\end{scope}
\draw[dashed] (\R,\R/3+\c) -- (\R,-\R/3-\c)
node[draw,circle,inner sep=1pt,fill] {}
node[xshift=-0.1cm,anchor=east] {$[2]P$};
\end{tikzpicture}
%%
\hfill
\strut
\caption{An elliptic curve defined over $ℝ$, and the geometric
representation of its group law.}
\label{fig:weierstrass}
\end{figure}
Now, since any elliptic curve is defined by a cubic equation, Bézout's
theorem tells us that any line in $\P^2$ intersects the curve in
exactly three points, taken with multiplicity. %
We define a group law by requiring that three co-linear points sum to
zero. %
\begin{definition}
Let $E\;:\;y^2=x^3+ax+b$ be an elliptic curve. Let $P_1=(x_1,y_1)$
and $P_2=(x_2,y_2)$ be two points on $E$ different from the point at
infinity, then we define a composition law $⊕$ on $E$ as
follows:
\begin{itemize}
\item $P ⊕ \O = \O ⊕ P = P$ for any point $P∈E$;
\item If $x_1=x_2$ and $y_1=-y_2$, then $P_1⊕P_2 = \O$;
\item Otherwise set
\[λ =
\begin{cases}
\frac{y_2-y_1}{x_2-x_1} &\text{if $P≠Q$,}\\
\frac{3x_1^2+a}{2y_1} &\text{if $P=Q$,}
\end{cases}
\]
then the point $(P_1⊕P_2)=(x_3,y_3)$ is defined by
\begin{align*}
x_3 &= λ^2 - x_1 - x_2,\\
y_3 &= -λx_3 - y_1 + λx_1.
\end{align*}
\end{itemize}
\end{definition}
It can be shown that the above law defines an Abelian group, thus we
will simply write $+$ for $⊕$. %
The $n$-th scalar multiple of a point $P$ will be denoted by $[n]P$. %
When $E$ is defined over $k$, the subgroup of its \emph{rational
points over $k$} is customarily denoted $E(k)$. %
Figure~\ref{fig:weierstrass} shows a graphical depiction of the group
law on an elliptic curve defined over $ℝ$.
We now turn to the group structure of elliptic curves. %
The torsion part is easily characterized.
\begin{proposition}
Let $E$ be an elliptic curve defined over an algebraically closed
field $k$, and let $m≠0$ be an integer. %
The $m$-torsion group of $E$, denoted by $E[m]$, has the following
structure:
\begin{itemize}
\item $E[m] ≃ (ℤ/mℤ)^2$ if the characteristic of $k$ does not divide
$m$;
\item If $p>0$ is the characteristic of $k$, then
\[E[p^i] ≃
\begin{cases}
ℤ/p^iℤ & \text{for any $i≥0$, or}\\
\{\O\} & \text{for any $i≥0$.}
\end{cases}
\]
\end{itemize}
\end{proposition}
\begin{proof}
See~\cite[Coro.~6.4]{silverman:elliptic}. For the characteristic $0$
case see also Section~\ref{sec:elliptic-curves-over}.
\end{proof}
When $k$ is not algebraically closed, we write $E[m]$ for the
$m$-torsion subgroup of $E(\bar{k})$, i.e.\ the torsion points in the
algebraic closure. %
$E[m]$ may or may not be fully contained in $E(k)$, it is easy to see,
however, that it will always be contained in a finite extension of
$k$ of degree less than $m^2$.
For curves defined over a field of positive characteristic $p$, the
case $E[p]≃ℤ/pℤ$ is called \emph{ordinary}, while the case
$E[p]≃\{\O\}$ is called \emph{supersingular}. %
We shall see alternative characterizations of supersingularity in
Sections~\ref{sec:ec-over-ff} and~\ref{sec:end(E)}.
The free part of the group is much harder to characterize. %
We have some partial results for elliptic curves over number fields.
\begin{theorem}[Mordell-Weil]
Let $k$ be a number field, the group $E(k)$ is finitely generated.
\end{theorem}
However the exact determination of the rank of $E(k)$ is somewhat
elusive: we have algorithms to compute the rank of most elliptic
curves over number fields; however, an exact formula for such rank is
the object of the
\href{https://en.wikipedia.org/wiki/Birch_and_Swinnerton-Dyer_conjecture}{\it
Birch and Swinnerton-Dyer conjecture}, one of the
\href{https://en.wikipedia.org/wiki/Millennium_Prize_Problems}{\it
Clay Millenium Prize Problems}.
\section{Maps between elliptic curves}
We now focus on maps between elliptic curves. %
We are mostly interested in maps that preserve both facets of elliptic
curves: as projective varieties, and as groups. %
We first look into invertible algebraic maps, that is linear changes
of coordinates that preserve the Weierstrass form of the equation. %
Because linear maps preserve lines, it is immediate that they also
preserve the group law. %
It is easily verified that the only such maps take the form
\[(x,y) \mapsto (u^2x', u^3y')\] %
for some $u∈\bar{k}$, thus defining an \emph{isomorphism} between the
curve $y^2=x^3+au^4x+bu^6$ and the curve $(y')^2 = (x')^3 + ax' +
b$. %
Isomorphism classes are traditionally encoded by an invariant, whose
origins can be traced back to complex analysis.
\begin{proposition}[$j$-invariant]
\label{th:j}
Let $E:y^2=x^3+ax+b$ be an elliptic curve, and define the
\emph{$j$-invariant} of $E$ as
\[j(E) = 1728\frac{4a^3}{4a^3+27b^2}.\] %
Two curves are isomorphic over the algebraic closure $\bar{k}$ if
and only if they have the same $j$-invariant.
\end{proposition}
Note that if two curves defined over $k$ are isomorphic over
$\bar{k}$, they are so over an extension of $k$ of degree at most
$6$. %
An isomorphism between two elliptic curves defined over $k$, that is
itself not defined over $k$ is called a \emph{twist}. %
Any curve defined over a non-quadratically-closed field\footnote{A
field is quadratically closed if every element has square root.} has
\emph{quadratic twists} obtained by taking $u∉k$ such that $u^2∈k$. %
The two curves of $j$-invariant $0$ and $1728$ also have \emph{cubic},
\emph{sextic} and \emph{quartic twists}.
More general algebraic maps, i.e.\ non-linear (and thus not
necessarily invertible) changes of coordinates, between elliptic
curves are called \emph{isogenies}.
\begin{definition}
Let $E,E'$ be two elliptic curves. %
An isogeny $\phi:E→E'$ is a non-constant algebraic map of projective
varieties sending the point at infinity of $E$ onto the point at
infinity of $E'$.
\end{definition}
Somewhat surprisingly, being algebraic and preserving the point at
infinity is sufficient to make them group morphisms.
\begin{theorem}
Let $E,E'$ be elliptic curves defined over a field $k$ and let
$\phi:E→E'$ be an isogeny between them. %
Then:
\begin{itemize}
\item $\phi$ is a group morphism;
\item $\phi$ has finite kernel;
\item If $k$ is algebraically closed, $\phi$ is surjective.
\end{itemize}
\end{theorem}
\begin{proof}
See~\cite[III, Th.~4.8]{silverman:elliptic}.
\end{proof}
Two curves are called \emph{isogenous} if there exists an isogeny
between them. %
We shall see later that this is an equivalence relation.
Isogenies from a curve to itself are called \emph{endomorphisms}. %
The prototypical endomorphism is the multiplication-by-$m$
endomorphism defined by
\[[m]\;:\; P \mapsto [m]P.\] %
Its kernel is, by definition, the $m$-th torsion subgroup $E[m]$. %
Since they are algebraic group morphisms, we can define addition of
isogenies by $(ϕ+ψ)(P) = ϕ(P)+ψ(P)$, and the resulting map is still an
isogeny. %
Adding to the set of isogenies $E\to E'$ the constant map that sends
every point of $E$ to the point at infinity of $E'$, we thus obtain a
group, denoted by $\Hom(E,E')$. %
Additionally, endomorphisms $E\to E$ support composition, distributing
over addition, hence the set of all endomorphisms forms a ring,
denoted by $\End(E)$.%
\footnote{In short, isogenies are the morphisms in the Abelian
category of elliptic curves.}
Since each $m∈ℤ$ defines a different multiplication-by-$m$
endomorphism, clearly $ℤ \hookrightarrow \End(E)$. %
But can $\End(E)$ be larger than $ℤ$? %
The reader will have to wait until Section~\ref{sec:end(E)} to know
the answer to this riddle.
\section{Elliptic curves over $ℂ$}
\label{sec:elliptic-curves-over}
To better understand elliptic curves and their morphisms, we take a
moment now to specialize them to the complex numbers.
\begin{definition}[Complex lattice]
A \emph{complex lattice} $Λ$ is a discrete subgroup of $ℂ$ that
contains an $ℝ$-basis of $ℂ$.
\end{definition}
Explicitly, a complex lattice is generated by a \emph{basis}
$(ω_1,ω_2)$, such that $ω_1≠λω_2$ for all $λ∈ℝ$, as
\[Λ = ω_1ℤ + ω_2ℤ.\] %
Up to exchanging $ω_1$ and $ω_2$, we can assume that $\im(ω_1/ω_2)>0$;
we then say that the basis has \emph{positive orientation}. %
A positively oriented basis is obviously not unique, though.
\begin{proposition}
\label{th:basis-change}
Let $Λ$ be a complex lattice, and let $(ω_1,ω_2)$ be a positively
oriented basis, then any other positively oriented basis
$(ω_1',ω_2')$ is of the form
\begin{align*}
ω_1' &= aω_1 + bω_2,\\
ω_2' &= cω_1 + dω_2,
\end{align*}
for some matrix
$\left(\begin{smallmatrix}a&b\\c&d\end{smallmatrix}\right)∈\SL_2(ℤ)$.
\end{proposition}
\begin{proof}
See~\cite[I, Lem.~2.4]{silverman:advanced}.
\end{proof}
\begin{definition}[Complex torus]
Let $Λ$ be a complex lattice, the quotient $ℂ/Λ$ is called a
\emph{complex torus}.
\end{definition}
\begin{figure}
\centering
\begin{tikzpicture}[scale=2]
\axes{-1}{3.5}{-0.5}{3}
\begin{scope}[/lattice={1}{0.2}{0.4}{0.7}]
\draw[fill,black!10] (0,0) -- (1,0) -- (1,1) -- (0,1) -- (0,0);
\node at (0.5,0.5) {$ℂ/Λ$};
\node at (0.9,-0.1) {$ω_2$};
\node at (-0.1,0.9) {$ω_1$};
\lattice{-3}{4}
\end{scope}
\end{tikzpicture}
\caption{A complex lattice (black dots) and its associated complex
torus (grayed \emph{fundamental domain}).}
\label{fig:lattice}
\end{figure}
A convex set of class representatives of $ℂ/Λ$ is called a
\emph{fundamental parallelogram}. %
Figure~\ref{fig:lattice} shows a complex lattice generated by a
(positively oriented) basis $(ω_1,ω_2)$, together with a fundamental
parallelogram for $ℂ/(ω_1,ω_2)$. %
The additive group structure of $ℂ$ carries over to $ℂ/Λ$, and can be
graphically represented as operations on points inside a fundamental
parallelogram. %
This is illustrated in Figure~\ref{fig:lattice-arith}.
\begin{figure}
\centering
\begin{tikzpicture}[scale=1.8]
\axes{-0.5}{3.5}{-0.5}{3}
\begin{scope}[/lattice={1}{0.2}{0.4}{0.7}]
\lattice{-3}{4}
\node[red] at (0.7,0.65) {$a$};
\node[draw,circle,inner sep=1pt,fill,red] at (0.8,0.5) {};
\node[red] at (0.2,0.9) {$b$};
\node[draw,circle,inner sep=1pt,fill,red] at (0.3,0.7) {};
\node[draw,circle,inner sep=1pt,fill,red] at (1.1,1.2) {};
\draw[red,thin,dotted] (0,0) -- (0.8,0.5) -- (1.1,1.2)
(0,0) -- (0.3,0.7) -- (1.1,1.2);
\node[red] at (0.2,0.3) {$a+b$};
\node[draw,circle,inner sep=1pt,fill,red] at (0.1,0.2) {};
\end{scope}
\end{tikzpicture}
%%
\hfill
%%
\begin{tikzpicture}[scale=1.8]
\axes{-0.5}{3.5}{-0.5}{3}
\begin{scope}[/lattice={1}{0.2}{0.4}{0.7}]
\lattice{-3}{4}
\node[red,yshift=0.2cm] at (0.8,0.6) {$a$};
\draw[red] (0.8,0.6) node[fill,circle,inner sep=1pt] {};
\draw[red,dotted] (0,0) -- (1.6,1.2) node[fill,circle,inner sep=1pt] {}
-- (2.4,1.8) node[fill,circle,inner sep=1pt] {};
\node[red,yshift=0.3cm] at (0.4,0.8) {$[3]a$};
\draw[red] (0.4,0.8) node[fill,circle,inner sep=1pt] {};
\end{scope}
\end{tikzpicture}
\caption{Addition (left) and scalar multiplication (right) of points
in a complex torus $ℂ/Λ$.}
\label{fig:lattice-arith}
\end{figure}
\begin{definition}[Homothetic lattices]
Two complex lattices $Λ$ and $Λ'$ are said to be \emph{homothetic}
if there is a complex number $α∈ℂ^{×}$ such that $Λ=αΛ'$.
\end{definition}
Geometrically, applying a homothety to a lattice corresponds to zooms
and rotations around the origin. %
We are only interested in complex tori up to homothety; to classify
them, we introduce the \emph{Eisenstein series of weight $2k$},
defined as
\[G_{2k}(Λ) = \sum_{ω∈Λ\setminus\{0\}}ω^{-2k}.\]
It is customary to set
\[g_2(Λ) = 60G_4(Λ), \quad g_3(Λ) = 140G_6(Λ);\] %
when $Λ$ is clear from the context, we simply write $g_2$ and $g_3$.
\begin{theorem}[Modular $j$-invariant]
\label{th:modular-j}
The \emph{modular $j$-invariant} is the function on complex lattices
defined by
\[j(Λ) = 1728 \frac{g_2(Λ)^3}{g_2(Λ)^3 - 27g_3(Λ)^2}.\] %
Two lattices are homothetic if and only if they have the same
modular $j$-invariant.
\end{theorem}
\begin{proof}
See~\cite[I, Th.~4.1]{silverman:advanced}.
\end{proof}
It is no chance that the invariants classifying elliptic curves and
complex tori look very similar. %
Indeed, we can prove that the two are in one-to-one correspondence.
\begin{definition}[Weierstrass $℘$ function]
Let $Λ$ be a complex lattice, the \emph{Weierstrass $℘$ function}
associated to $Λ$ is the series
\[℘(z;Λ) = \frac{1}{z^2} + \sum_{ω∈Λ\setminus\{0\}} \left(\frac{1}{(z-ω)^2} - \frac{1}{ω^2}\right).\]
\end{definition}
\begin{theorem}
\label{th:weierstrass-p}
The Weierstrass function $℘(z;Λ)$ has the following properties:
\begin{enumerate}
\item It is an \emph{elliptic function} for $Λ$, i.e.
$℘(z) = ℘(z+ω)$ for all $z∈ℂ$ and $ω∈Λ$.
\item Its Laurent series around $z=0$ is
\[℘(z) = \frac{1}{z^2} + \sum_{k=1}^∞(2k+1)G_{2k+2}z^{2k}.\]
\item It satisfies the differential equation
\[℘'(z)^2 = 4℘(z)^3 - g_2℘(z) - g_3\]
for all $z∉Λ$.
\item The curve
\[E\;:\;y^2=4x^3 - g_2x - g_3\]
is an elliptic curve over $ℂ$. The map
\begin{align*}
ℂ/Λ &\to E(ℂ),\\
0 &\mapsto (0:1:0),\\
z &\mapsto (℘(z):℘'(z):1)
\end{align*}
is an isomorphism of Riemann surfaces and a group morphism.
\end{enumerate}
\end{theorem}
\begin{proof}
See~\cite[VI, Th.~3.1, Th.~3.5, Prop.~3.6]{silverman:elliptic}.
\end{proof}
By comparing the two definitions for the $j$-invariants, we see that
$j(Λ)=j(E)$. %
So, for any homothety class of complex tori, we have a corresponding
isomorphism class of elliptic curves. %
The converse is also true.
\begin{theorem}[Uniformization theorem]
Let $a,b∈ℂ$ be such that $4a^3+27b^2≠0$, then there is a unique
complex lattice $Λ$ such that $g_2(Λ) = -4a$ and $g_3(Λ) = -4b$.
\end{theorem}
\begin{proof}
See~\cite[I, Coro.~4.3]{silverman:advanced}.
\end{proof}
Using the correspondence between elliptic curves and complex tori, we
now have a new perspective on their group structure. %
Looking at complex tori, it becomes immediately evident why the
torsion part has rank $2$, i.e.\ why $E[m]≃(ℤ/mℤ)^2$. %
This is illustrated in Figure~\ref{fig:torsion}; in the picture we see
two lattices $Λ$ and $Λ'$, generated respectively by the black and the
red dots. %
We already defined the multiplication-by-$m$ map of $Λ$ as
$[m]:z \mapsto mz \bmod Λ$. %
This map is the same as reducing
\begin{align*}
ℂ/Λ &\to ℂ/Λ',\\
z &\mapsto z \bmod Λ'
\end{align*}
first, and then composing with the homothety $Λ = mΛ'$.
\begin{figure}
\begin{subfigure}{.45\textwidth}
\centering
\begin{tikzpicture}[scale=1.2]
\axes{-0.3}{4.5}{-0.5}{4};
\begin{scope}[/lattice={3}{0.6}{1.2}{2.1}]
\lattice{-1}{2}
\foreach \i in {0,...,2} {
\foreach \j in {0,...,2} {
\draw[red] (\i/3,\j/3) node[fill,circle,inner sep=1pt] {};
}
}
\draw[red] (0,0) -- (1/3,0) node[yshift=0.2cm] {$a$};
\draw[red] (0,0) -- (0,1/3) node[yshift=0.2cm] {$b$};
\draw[blue] (0.8,0.5) node[fill,circle,inner sep=1pt] {}
node[yshift=0.2cm] {\scriptsize $z$}
(2/15,1/6) node[fill,circle,inner sep=1pt] {}
node[anchor=west,xshift=-0.2cm,yshift=0.2cm] {\scriptsize $z \bmod aℤ+bℤ$}
(0.4,0.5) node[fill,circle,inner sep=1pt] {}
node[yshift=0.2cm] {\scriptsize $3z$};
\end{scope}
\end{tikzpicture}
\caption{$3$-torsion group on a complex torus (red
points), with two generators $a$ and $b$, and action of the
multiplication-by-$3$ map (blue dots).}
\label{fig:torsion}
\end{subfigure}
%%
\hfill
%%
\begin{subfigure}{.45\textwidth}
\centering
\begin{tikzpicture}[scale=1.2]
\axes{-0.3}{4.5}{-0.5}{4};
\begin{scope}[/lattice={3}{0.6}{1.2}{2.1}]
\lattice{-1}{2}
\draw[red] (0,0) -- (1/3,0) node[yshift=0.3cm] {$a$};
\draw[green] (0,0) -- (0,1/3) node[fill,circle,inner sep=1pt] {}
node[yshift=0.3cm] {$b$};
\draw[blue] (0.8,0.5) node[fill,circle,inner sep=1pt] {}
node[yshift=0.3cm] {$z$};
\end{scope}
\begin{scope}[/lattice={1}{0.2}{1.2}{2.1}]
\begin{scope}[opacity=0.5,red]
\lattice[1pt]{-3}{5}
\end{scope}
\draw[blue] (0.4,0.5) node[fill,circle,inner sep=1pt] {}
node[yshift=0.3cm] {$ϕ(z)$};
\end{scope}
\end{tikzpicture}
\caption{Isogeny from $ℂ/Λ$ (black dots) to $ℂ/Λ'$ (red dots)
defined by $ϕ(z)=z \bmod Λ'$. The kernel of $ϕ$ is contained
in $(ℂ/Λ)[3]$ and is generated by $a$. The kernel of the dual
isogeny $\hat{ϕ}$ is generated by the vector $b$ in $Λ'$.}
\label{fig:isogeny}
\end{subfigure}
\caption{Maps between complex tori.}
\end{figure}
Within this new perspective, isogenies are a mild generalization of
scalar multiplications. %
Whenever two lattices $Λ,Λ'$ verify $αΛ⊂Λ'$, there is a well defined
map
\begin{align*}
ϕ_α : ℂ/Λ &\to ℂ/Λ',\\
z &\mapsto αz \bmod Λ'
\end{align*}
that is holomorphic and also a group morphism. %
One example of such maps is given in Figure~\ref{fig:isogeny}: there,
$α=1$ and the red lattice strictly contains the black one; the map is
simply defined as reduction modulo $Λ'$. %
It turns out that these maps are exactly the isogenies of the
corresponding elliptic curves.
\begin{theorem}
Let $E,E'$ be elliptic curves over $ℂ$, with corresponding lattices
$Λ,Λ'$. %
There is a bijection between the set of isogenies from $E$ to $E'$
and the set of maps $ϕ_α$ for all $α$ such that $αΛ⊂Λ'$.
\end{theorem}
\begin{proof}
See~\cite[VI, Th.~4.1]{silverman:elliptic}.
\end{proof}
Looking again at Figure~\ref{fig:isogeny}, we see that there is a
second isogeny $\hat{ϕ}$ from $Λ'$ to $Λ/3$, whose kernel is generated
by $b∈Λ'$. %
The composition $\hat{ϕ}∘ϕ$ is an endomorphism of $ℂ/Λ$, up to the
homothety sending $Λ/3$ to $Λ$, and we verify that it corresponds to
the multiplication-by-$3$ map. %
In this example, the kernels of both $ϕ$ and $\hat{ϕ}$ contain $3$
elements, and we say that $ϕ$ and $\hat{ϕ}$ have \emph{degree} $3$. %
Although not immediately evident from the picture, this same
construction can be applied to any isogeny. %
The isogeny $\hat{ϕ}$ is called the \emph{dual} of $ϕ$. %
Dual isogenies exist not only in characteristic $0$, but also for any
base field, as we shall see in Section~\ref{sec:isogenies}.
Under which conditions does an isogeny become an endomorphism? By
virtue of the last theorem, there is a one-to-one correspondence
between the endomorphisms $E\to E$ and the complex numbers $α$ such
that $αΛ⊂Λ$. %
In general, the only possible choices are given by $α$ an integer,
corresponding to scalar multiplications. %
For some lattices, however, something ``special'' happens; we shall
study this case in Sections~\ref{sec:end(E)} and~\ref{sec:compl-mult}.
\section{Elliptic curves over finite fields}
\label{sec:ec-over-ff}
In this section we shift our attention to elliptic curves defined over
a finite field, which are the main objects manipulated in
cryptography. %
From now on we will use $q$ to denote a power of a prime $p$, and
$\F_q$ do denote a finite field with $q$ elements.
Obviously, the group of rational points of a curve defined over a
finite field is finite. %
Because every element of $\bar{\F}_q$ is defined over a finite
extension of $\F_q$, the algebraic group $E(\bar{\F}_q)$ only contains
torsion elements, and we have already characterized precisely the
structure of the torsion part of $E$.
For curves over finite fields, the Frobenius endomorphism plays a very
special role, and governs much of their structure.
\begin{definition}[Frobenius endomorphism]
Let $E$ be an elliptic curve defined over a field with $q$ elements,
its \emph{Frobenius endomorphism}, denoted by $π$, is the map that
sends
\[(X:Y:Z) \mapsto (X^q:Y^q:Z^q).\]
\end{definition}
\begin{proposition}
\label{th:frob}
Let $π$ be the Frobenius endomorphism of $E$. Then:
\begin{itemize}
\item $\ker π = \{\O\}$;
\item $\ker (π-1) = E(k)$.
\end{itemize}
\end{proposition}
\begin{theorem}[Hasse]
\label{th:hasse}
Let $E$ be an elliptic curve defined over a finite field with $q$
elements. %
Its Frobenius endomorphism $π$ satisfies a quadratic equation
\begin{equation}
\label{eq:frob}
π^2 - tπ + q = 0,
\end{equation}
for some $|t|≤2\sqrt{q}$.
\end{theorem}
\begin{proof}
See~\cite[V, Th.~2.3.1]{silverman:elliptic}.
\end{proof}
The coefficient $t$ in the equation is called the \emph{trace} of
$π$. %
It gives an alternative characterization of supersingularity.
\begin{proposition}
An elliptic curve $E$ defined over a finite field of characteristic
$p$ is supersingular if and only if $p$ divides the trace of its
Frobenius endomorphism.
\end{proposition}
By replacing $π=1$ in eq.~\eqref{eq:frob}, we immediately obtain the
cardinality of $E$ as $\#E(k) = \#\ker(π-1) = q+1-t$. %
\begin{corollary}
Let $E$ be an elliptic curve defined over a finite field $k$ with $q$
elements, then
\[|\#E(k) - q - 1| ≤ 2\sqrt{q}.\]
\end{corollary}
It turns out that the cardinality of $E$ over its \emph{base field}
$k$ determines its cardinality over any finite extension of it. %
This is a special case of Weil's famous conjectures, proven by Weil
himself in 1949 for Abelian varieties, and more generally by Deligne
in 1973.
\begin{definition}
Let $V$ be a projective variety defined over a finite field $\F_q$,
its \emph{zeta function} is the power series
\[Z(V/\F_q; T) = \exp\left(\sum_{n=1}^∞\#V(\F_{q^n})\frac{T^n}{n}\right).\]
\end{definition}
\begin{theorem}
\label{th:weil}
Let $E$ be an elliptic curve defined over a finite field
$\F_q$, and let $\#E(\F_q)=q+1-a$. Then
\[Z(E/\F_q;T) = \frac{1-aT+qT^2}{(1-T)(1-qT)}.\]
\end{theorem}
\begin{proof}
See~\cite[V, Th.~2.4]{silverman:elliptic}.
\end{proof}
\section{Isogenies}
\label{sec:isogenies}
We now look more in detail at isogenies of elliptic curves. %
We start with some basic definitions.
\begin{definition}[Degree, separability]\label{def:degsep}
Let $ϕ:E\to E'$ be an isogeny defined over a field $k$, and let
$k(E),k(E')$ be the function fields of $E,E'$. %
By composing $\phi$ with the functions of $k(E')$, we obtain a
subfield of $k(E)$ that we denote by $ϕ^\ast(k(E'))$.
\begin{enumerate}
\item The \emph{degree} of $ϕ$ is defined as
$\deg ϕ = [k(E):ϕ^\ast(k(E'))]$; it is always finite.
\item $ϕ$ is said to be \emph{separable}, \emph{inseparable}, or