Isogeny Volcanoes of Elliptic Curves and Sylow Subgroups [chapter]

Mireille Fouquet, Josep M. Miret, Javier Valera
2015 Lecture Notes in Computer Science  
Given an ordinary elliptic curve over a finite field located in the floor of its volcano of ℓ-isogenies, we present an efficient procedure to take an ascending path from the floor to the level of stability and back to the floor. As an application for regular volcanoes, we give an algorithm to compute all the vertices of their craters. In order to do this, we make use of the structure and generators of the ℓ-Sylow subgroups of the elliptic curves in the volcanoes. of ordinary elliptic curves
more » ... F q with group order N = q + 1 − t, |t| ≤ 2 √ q, can be represented as a directed graph, whose vertices are the isomorphism classes and its arcs represent the ℓ-isogenies between curves in two vertices. It is worth remarking that if two vertices are connected by an arc, the corresponding dual ℓ-isogeny is represented as an arc in the other direction. Each connected component of this graph is called volcano of ℓ-isogenies due to its peculiar shape. Indeed, it consists of a cycle that can be reduced to one point, called crater, where from its vertices hang ℓ + 1 − m complete ℓ-ary trees being m the number of horizontal ℓ-isogenies. Then, the vertices can be stratified into levels in such a way that the curves in each level have the same endomorphism ring. The bottom level is called the floor of the volcano. Knowing the cardinality of an elliptic curve, Kohel [9] and recently Bisson and Sutherland [1] describe algorithms to determine its endomorphism ring taking advantage of the relationship between the levels of its volcano and the endomorphism rings at those levels. When the cardinality is unknown, Fouquet and Morain [6] give an algorithm to determine the height (or depth) of a volcano using exhaustive search over several paths on the volcano to detect the crater and the floor levels. As a consequence, they obtain computational simplifications for the SEA algorithm, since they extend the moduli ℓ in the algorithm to prime powers ℓ s . In [15] , Miret et al. showed the relationship between the levels of a volcano of ℓ-isogenies and the ℓ-Sylow subgroups of the curves. All curves in a fixed level have the same ℓ-Sylow subgroup. At the floor, the ℓ-Sylow subgroup is cyclic. When ascending by the volcanoside, that is, by the levels which are between the floor and the crater, the ℓ-Sylow subgroup structure is becoming balanced. The first level, if it exists, where the ℓ-Sylow subgroup is balanced, is called stability level. If this level does not exist, the stability level is the crater of the volcano. Recently, Ionica and Joux [7] have developed a method to decide whether the isogeny with kernel a subgroup generated by a point of order ℓ is an ascending, horizontal or descending ℓ-isogeny using a symmetric pairing over the ℓ-Sylow subgroup of a curve [8] . Volcanoes of ℓ-isogenies have also been used by Sutherland [20] to compute the Hilbert class polynomials. Another application has been provided by Bröker, Lauter and Sutherland [2] in order to compute modular polynomials. To reach these goals, in both works, it is necessary to determine the vertices of the craters of the volcanoes. On the other hand, some specific side channel attacks, the socalled Zero Value Point attacks, can be avoided using isogenies or more precisely volcanoes of ℓ-isogenies [16] . In this paper, given an ordinary elliptic curve E/F q , the structure Z/ℓ r Z × Z/ℓ s Z, r > s, of its ℓ-Sylow subgroup and a point P r of order ℓ r , we construct a chain of ℓ-isogenies starting from E and ending at a curve at the floor of the volcano. This chain first is ascending, then horizontal and finally descending. When h ≥ 1 and 2h < r + s, being h the height of the volcano, all the vertices of its crater can be obtained by using repeatedly this sort of chains. Therefore we present an algorithm to perform this task.
doi:10.1007/978-3-319-16295-9_9 fatcat:rjcrzq7b25gfrj7rja2rmwftum