Working on effective Deuring

poly.tex

@@ -1569,6 +1569,7 @@ \section{The endomorphism ring}
 Sections~\ref{sec:ell-isogeny-graphs} and~\ref{sec:sqisign}.
 
 \begin{example}
+  \label{ex:1728}
   The elliptic curve $y^2=x^3+x$ has supersingular reduction at all
   primes $p=3\bmod 4$. %
   Its ring of $\F_p$-rational endomorphisms is generated by
@@ -4039,15 +4040,98 @@ \section{Quaternionic multiplication aka the Deuring correspondence}
 \section{The effective Deuring correspondence}
 \label{sec:eff-deuring}
 
-The correspondence between ideals classes and isogenies let us
-efficiently evaluate the CM action and construct isogeny-based
-cryptographic schemes, as described in
+The correspondence between ideal classes of quadratic orders and
+isogenies let us efficiently evaluate the CM action and construct
+isogeny-based cryptographic schemes, as described in
 Part~\ref{part:crypt-group-acti}. %
-It is natural to ask whether the same can be done with the Deuring
-correspondence.
+We would like to have an analogous collection of algorithms for the
+Deuring correspondence.
+
+The first step is to establish a correspondence between endomorphisms
+and quaternions. %
+Concretely, we seek a \emph{quaternion representation} of $\End(E)$,
+i.e.\ an integral basis $(1,α,β,γ)$ of an order $\O ≃ \End(E)$,
+together with \emph{efficiently computable} endomorphisms of $E$
+corresponding to $α$, $β$ and $γ$.
+
+This is easier said than done: ordinary curves have an obvious
+endomorphism generating the endomorphism algebra, the Frobenius
+endomorphism, and finding a corresponding algebraic integer amounts to
+computing its minimal polynomial, or equivalently to counting the
+number of points of the curve (see
+Appendix~\ref{sec:appl-point-count}). %
+For supersingular curves, on the other hand, it is in general
+difficult to find even a single endomorphism. %
+Luckily, some curves have a natural quaternion representation.
+
+\begin{theorem}
+  Let $p > 2$ and denote by $B_{p,∞}$ the quaternion algebra ramified
+  at $p$ and infinity. %
+  If $p = 3 \mod 4$ set $q = 1$, otherwise set $q$ to the smallest
+  prime congruent to $3 \mod 4$ such that
+  $\left(\frac{-q}{p}\right) = -1$. %
+  Then $B_{p,∞}$ is isomorphic to $\left(\frac{-q,-p}{ℚ}\right)$.
+
+  If $p = 3 \mod 4$ let $\O$ be the order having
+  $\bigl(1,i,(1+j)/2,(i+ij)/2\bigr)$ for integral basis; otherwise let
+  $\O$ have basis $\bigl(1,(i+1)/2,j,(ci+ij)/q\bigr)$ with
+  $c^2 = -p \mod q$. %
+  Then $\O$ is a maximal order of $B_{p,∞}$ and, assuming the
+  generalized Riemann hypothesis (GRH), there exists a supersingular
+  curve $E$ with a quaternion representation of $\End(E)≃\O$.
+\end{theorem}
+\begin{proof}
+  See~\cite[Lemmas~2-4]{kohel2014quaternion} for the fact that $\O$ is
+  a maximal order. %
+  If $p=3 \mod 4$, then $E$ is the curve $y^2 = x^3 + x$ with
+  $j$-invariant 1728 (see Example~\ref{ex:1728}). %
+  Consider the maximal order $\O$ of $ℚ(\sqrt{-q})$: because
+  $q = 3 \mod 4$, its class number must be odd
+  (see~\cite{mordell61}). %
+  By Theorem~\ref{th:deuring-red} all curves over $ℂ$ with CM by $\O$
+  have supersingular reduction modulo $p$, and because they are odd in
+  number at least one of them must be defined over $\F_p$. %
+  Let $E$ be this curve and let $ι$ be one of its endomorphisms such
+  that $ι^2 = -q$, then the quaternion $i$ corresponds to $ι$ and $j$
+  corresponds to the $\F_p$-Frobenius endomorphism.
+
+  Assuming GRH, the smallest $q$ satisfying the conditions of the
+  theorem is in $O(\log(p)^2)$. %
+  Then all the computations above can be done in time polynomial in
+  $q$, which fits within our ``efficiently computable'' budget.
+\end{proof}
+
+From now on we shall call \emph{special} a supersingular curve
+produced by the theorem. %
+In practice, virtually all supersingular isogeny based cryptography
+uses $p = 3 \mod 4$ and chooses $y^2 = x^3 + x$ as special curve. %
+We shall thus only focus on this case in the rest of the manuscript.
+
+Now that we have at least one quaternion representation, we can extend
+it to any supersingular curve by walking in the $\ell$-isogeny
+graph. %
+Let $E_0$ be a special curve and let $ω_0$ be one of its
+endomorphisms. %
+Let $ϕ : E_0 → E$ be a walk in the $ℓ$-isogeny graph, i.e.\ an
+$ℓ^n$-isogeny. %
+Consider the map $\omega = ϕ∘ω∘\hat{ϕ}$, represented by the diagram
+\begin{equation*}
+  \begin{tikzpicture}
+    \node (E0) at (0,0) {\(E_0\)};
+    \node (E) at (2,0) {\(E\)};
+
+    \draw[-latex]
+    (E0) edge[transform canvas={yshift=1mm}] node[above]{\(ϕ\)} (E)
+    (E)  edge[transform canvas={yshift=-1mm}] node[below]{\(\hat{ϕ}\)} (E0)
+    (E0) edge[loop left,in=135,out=215,looseness=8] node[left]{\(ω\)} (E0);
+  \end{tikzpicture}
+\end{equation*}
+It is an endomorphism of $E$ of degree $ℓ^{2n}\deg ω$.
+
+%$
+\footnote{The endomorphism $ω$ is sometimes called a ``lollipop'' in
+  the cryptographic literature, for obvious reasons.}
 
-We already know how to efficiently compute with elliptic curves and
-isogenies. %
 
 Figure~\ref{fig:CM-eval}
 

refs.bib

@@ -3624,3 +3624,17 @@ @article{waterhouse69
     volume = {2},
     year = {1969}
 }
+
+@article{mordell61,
+  title =	 {Mathematical Notes: The congruence $(p-1/2)! \equiv \pm 1 \mod p$},
+  volume =	 {68},
+  ISSN =	 {1930-0972},
+  DOI =		 {10.1080/00029890.1961.11989636},
+  number =	 {2},
+  journal =	 {The American Mathematical Monthly},
+  publisher =	 {Informa UK Limited},
+  author =	 {Mordell, Louis J.},
+  year =	 {1961},
+  month =	 {Feb},
+  pages =	 {131--149}
+}