And we're going to give them affine equations where each of them is going to be a pair, an a and a b, that's telling us what the map does to x and what the map does to y. And for the Frobenius endomorphism, it's very simple. We know it's supposed to be raising to q-th powers. So what is pi sub l going to do? Well, we should take x to the q and y to the q. What would the Frobenius endomorphism do with an affine point x comma y? It would send it to x to the q comma y to the q, which would also be an affine point. So I don't need to worry about projective points. Right now, we're sort of nailing everything down. Our point at infinity is fixed. But we want to work in this quotient ring. So we're going to take x to the q. We need to reduce modulo this ideal. But in fact, since we only have an x here, it's enough to just reduce mod h. For our y to the q, we're going to first take advantage that y squared is equal to f of x in our quotient ring. And so we're going to replace y to the q, q is odd, with f of x to the q minus 1 over 2 times y. And we can reduce our f of x to the q minus 1 over 2 mod h. And so we're then going to wind up with, notice the form of our Frobenius endomorphism looks like some polynomial in x, which has a degree less than h, comma another polynomial in x, which has a degree less than h, and just a single y that's just sitting there. And notice we can always get things down to just a single y, because we have a y squared equals f of x so we can use to kill any higher powers. OK, so that's the Frobenius endomorphism. How about 1? Well, 1 is pretty simple. What does it do? It doesn't do anything. It sends x to x mod h. It sends y to y, the image of y in this ring, which if we want to represent it as some polynomial in x times y, it should be 1 mod h times y. Now you might worry about, what about all, are we sure that every endomorphism can be represented in this way? Well, we actually care about the subring generated by 1 and pi sub l. 
As long as we know how to add and multiply, perform the ring operations in our endomorphism ring, and I can show you how to do that and always get an answer out that's in the same form. Some a of x comma b of xy will know that we can take this as our standard representation. But for now, I guess I'll just ask you to, in the lecture notes, I'll give more details on this, but I'll just ask you to accept for the moment that every element of our endomorphism ring restricted to the L-torsion has a unique representation of a form a of x comma b of xy, where a and b are both reduced mod h. It's not true that every pair I write down, I mean I can't just pick an a and b out of the air and throw a y in there and say, oh, that's an endomorphism. That's definitely not true. That's not what I'm claiming. What I'm claiming is that every endomorphism can be written uniquely in this form. And in particular, if I want to compare two endomorphisms, I can do so just by comparing the a's and the b's. Any question on this set up here, yeah? Yeah, for every L, we're gonna have to compute the division polynomials, but the good news is, L is only going up to log q in the division polynomial. So we're gonna get, so we think if n is our log q, L's going up to roughly n, O of n, division polynomial degree is gonna be on the order of n squared. Spoiler alert, the complexity is gonna come out to be n to the fifth. But that's not just polynomial time, that's a pre-reasonable polynomial. And actually computing division polynomials is very quick. We can compute them as fast as we can write them down. But they're big, they have size n cubed. If L is on the order of n, there's n squared coefficients and each of the coefficients has log q bits, but log q is n, so the size of the division polynomials is n cubed. 
And this is where the comment I made about multiplying big integers really comes in in spades, where all of these polynomials of degree n squared over a finite field with n bits, whenever we wanna multiply two of them, we're gonna end up converting them into integers with n cubed bits in them. There's really no advantage because you can compute them as fast as you could read them off disk. Up to a log factor. And remember the division polynomials depend on E, so you would have to pre-compute them for every E you might ever be interested in, right? Yeah, they're not like the, say the classical modular polynomials, which will show up in the problem session, where there is a lot of value to pre-computing because it takes, even though we can compute them as fast as we can read them off disk, the log factors and the constant factors make it somewhat annoying to do that. And they're universal. They work for every elliptic curve. Any other questions? Okay, all right. So let's suppose we have two arbitrary elements of our endomorphism ring that are already in the representation I claimed we were going to be using. So I have an alpha one, an alpha two that I'm thinking of as elements of the endomorphism ring of the L-torsion. And they're written in the form A1 of x, comma B1 of x y and A2 of x, comma B2 of x y. And notice the y is really just sort of a semantic place, mental placeholder. The algorithm itself never uses the y's because the y's always there. So we can make it implicit. We're really just going to be working with pairs of univariate polynomials. But there are going to be cases where we do need to convert to get back to a linear y and so we have to incorporate that computation. So that's why I want to keep them in all the slides. So it turns out, contrary to what you might have expected, multiplication in the endomorphism ring is a lot easier to do than addition. Multiplication is very easy. How do we multiply endomorphisms? Well, we compose endomorphisms. 
We're just, we just want to compose the rational maps. So how do we compose the rational maps? Well, we want to compute alpha three in the form A3 of x, comma B3 of x y. Well, what's A3 of x? Well, I should just run x through A2 and A1. Note the, note the order, right? Because A3 is, I'm thinking of A1 applied to A2. So x is going into, sorry, alpha two, x is going into alpha two first and then alpha one. So x goes into A2 first and then A1. What about the y-coordinate? Well, we need to plug, so the y-coordinate, the function, the rational function for the y-coordinate depends on both x and y. So we need to plug both x and y in. OK, and so our, and this means that our B3 of x is going to end up getting replaced by B1 of A2 of x times B2 of x, and then there's a y at the end. And so this is literally just blindly plugging and chugging these x y pairs into the endomorphisms. Of course, we need to, after we do these polynomial compositions, we may get polynomials of degree greater than h, and so we should reduce them mod h. So we need to do a polynomial, a composition of univariate polynomials to perform the step that we're then going to reduce mod h. But this is something the computer algebra systems are really good at. They know how to do this. We don't have to think about it. So this slide will turn into basically one line of code. All right, let's talk about addition. So the slide only looks scary because I put the entire group law up here. I mean, I could have written this much more succinctly by just saying, well, add endomorphisms the same way you would add points. In fact, you could think of this entire algorithm as working on an elliptic curve over this weird ring that we've defined. And the addition law is exactly the same as the addition law for every elliptic curve, with one exception. Our ring may have zero divisors. 
And so we do need to think about what will happen if we can't invert one of these denominators, invert the function in one of these denominators. But just because I don't want to assume that everybody has the group law for an elliptic curve memorized, of course, I hope you all do. Let's just recall it. All of these formulas can be derived from the rule I said, I think maybe in the very first or second lecture, three points on a line sum to zero. That's all you need to know if civilization were to end and the internet were to disappear and you were struggling to rebuild society. The only thing you'd need to remember to recover the group operation, the group law on an elliptic curve, is three points on a line sum to zero and you're good to go. So when one works out what those formulas imply, you need to compute, if you have two points, you need to compute the slope of the line between them. You need to figure out where it intersects and then that sums to zero. So to add them you want to then negate the y-coordinate. And so you go through that exercise and it spits out these formulas. And so m here is representing the slope of the line between two distinct points or the, quote, slope of the tangent line, which for our curves in, well, it depends on the situation. But yeah, so I'll just say that's the slope of the tangent line. And we can write a sort of a, not a uniform expression. This depends on when we're, if we're doubling points or rather if we're adding two points, we need to consider a special case where those points are actually the same, or even if they have the same x-coordinate, we might need to do something special. Notice if they have the same x-coordinate, there's only two things that can happen. Either they have the same y-coordinate and we're doubling a point, or they have opposite y-coordinates and we're going to get zero. 
But if one plugs through these formulas, which I don't ask you to try and do mentally, I'm not going to try and walk you through it, what you find is that you can compute exactly what a3 and b3 should be. And they're not that bad. a3 looks like r squared times f, where r is the rational function in this m of xy, minus a1 minus a2. And b3 is r times a1 minus a3 minus b1. So modulo, this r being potentially messy, the formulas are quite simple. And we'll see that the code to implement this slide actually takes up less space than the slide itself. So now I want to talk about the one potential issue that we need to be prepared to handle. And it sounds like the kind of thing that you might be tempted to think, oh, we should try to avoid this problem, maybe we should just skip that all if this ever happens, or just cross our fingers and hope we get lucky. No, no, we should be hoping this happens. Because what does it mean if we hit a zero divisor in our ring? It means we found a divisor of h. And if we found a divisor of h, we're going to be very happy, because all the computations I described, they were working in this ring with an ideal where we were modding out by h. If we find a divisor of h, which is generally going to either be one of two types, it's going to be the kernel of an isogeny, an isogeny kernel polynomial whose roots are the x-coordinates of points in an isogeny, or it's coming from an old torsion point, a rational torsion point on the elliptic curve. And in both cases, we can suddenly make the algorithm a lot faster. And the beautiful thing is, because of our lemma, we don't actually even need to be clever to do that. All we need to do is detect when we hit a divisor and restart the algorithm with a better h. And we'll see that happen in real life. So our strategy, as I summarize in the slide, if we encounter a zero divisor, so we find a denominator we can't invert, the first thing we should do is take the GCD of that denominator with h. 
And we're guaranteed to have a non-trivial factor of h, because if that didn't happen, we could invert it. And we can even be clever enough to take the smaller non-trivial factor, which we will do. And then we're going to replace h by our smaller polynomial and just restart the algorithm and say, I know I told you to use the division polynomial. Forget that. Here's a better h. And just do your thing. And as I noted, the lemma implies that this will still work, even if we're restricting our endomorphisms. So now what are we doing? We're doing something kind of crazy. We're restricting our endomorphisms to the action on the kernel of some isogeny, or even to their action on a single rational point, where of course it's very easy to compute the trace.