Hey everyone, welcome to Virtual Asiacrypt 2020. My name is Thomas Decru, and I'll be presenting our paper called Radical Isogenies, which is joint work with Wouter Castryck and Frederik Vercauteren. I'll start with a brief introduction to give a sketch of the general framework that we're dealing with. We'll be working with elliptic curves E over some finite field F_q, and we'll be computing isogenies between elliptic curves of this kind. Now for our purposes, one of the most important properties of an isogeny is simply that it has a degree. And the degree of an isogeny is its degree as a morphism. Now isogenies of large degree are typically hard to compute, unless they also have a smooth degree, in which case they can be written as the concatenation of isogenies of small degree, and hence they are easier to compute. Now we'll only be dealing with cyclic separable isogenies, which means they can be identified by a point that generates the kernel. So during this talk we'll interchangeably use the terms isogeny or kernel generator or point that generates the kernel and so on. Now in isogeny-based cryptography, there's a general hard problem as follows. Given two elliptic curves E and E prime, find an isogeny between them. Now this is a very general problem, and there are many specific instantiations of this problem. However, given the correct setting and parameters, this is assumed to be very hard. Now in a CSIDH setting, we use supersingular elliptic curves over the prime field F_p, where p has a very specific form. More precisely, it's four times a bunch of small primes minus one. And furthermore, all the elliptic curves have this endomorphism ring. Now one of the reasons we use this setting is that it allows the easy computation of isogenies of degree l_1 up until l_r. More precisely, every prime l_i has two easy-to-compute isogenies corresponding to the action of a specific ideal in the class group.
If you don't know what this means exactly, it doesn't matter much. Just remember that for every prime l_i there are two isogenies that are easy to compute, and they are each other's inverses in the following sense. If you would start from an elliptic curve E and compute an isogeny of degree l_i of the first type, immediately concatenated by an isogeny of the second type, you would end up at the elliptic curve E again. Now for CSIDH, the lowest security parameters are CSIDH-512. And there we have r equals 74, which means we have 74 distinct prime degrees ranging from 3 to 587. And for each of these primes l_i, we will compute up to five isogenies. And this isogeny then corresponds to the action of this ideal in the class group, where all the exponents e_1 up until e_74 are integers sampled from this interval. Now there are many ways to compute isogenies in general. However, I've already mentioned that they are easy to compute in the CSIDH setting. And typically the straightforward or trivial approach is as follows. We will just have a point P as a kernel generator and then apply Vélu's formulas. A small remark here is that we silently assume that the exponents e_i are larger than zero. However, a very similar argument can be made if the exponents are negative. Now Vélu's formulas are actually quite easy. They scale asymptotically with l, which is typically a small integer, so it's not too bad. However, we need a rational l-torsion point to actually apply the formulas or to compute them. And how do you find that? Well, the number of points on this curve over F_p is p plus one, which means if you take a random point and use scalar multiplication with p plus one, then you'll always end up at zero. So if you take a random point Q and you multiply it with p plus one over l, then you end up with a point P such that when you multiply it by l, you end up at zero. So this is an l-torsion point.
The only problem is you still have a probability of one over l that it's a trivial l-torsion point. In that case, you sort of need to start over, because otherwise you have a trivial isogeny and the kernel generator just simply generates the trivial kernel. However, in the CSIDH setting, they do it a lot smarter. More precisely, they push points through isogenies. So instead of generating a rational l-torsion point, they generate a point of order dividing l_1 times l_2 times and so on up until l_r. Next, they compute an isogeny of degree l_1, followed by an isogeny of degree l_2, and so on as follows. In every step i, they only need to multiply the corresponding point by a small cofactor, and then you get a point of order l_i. Next, they compute the isogeny, again with Vélu's formulas, rather straightforward, but they also compute the image of R_{i-1} under the isogeny. That means on the isogenous curve, they already have a point of order l_{i+1} times and so on up until l_r. This computation actually saves a lot of arithmetic, simply because we need to compute scalar multiplication with a lot smaller cofactor every time. However, this doesn't really get rid of the chance of failure. At every step along the way, you still have a probability of one over l_i that you end up at the point zero, and then you need to start over again, for that prime at least, which is a bit unfortunate. For that reason, we suggest an alternative approach, which is radical isogenies. Instead of computing an isogeny of degree l_1, followed by an isogeny of degree l_2, and so on, we want to compute a chain of N-isogenies. We want to fix one of the l_i, and then compute an isogeny of degree l_i to the power k. We will do this as follows. Let's say we start from an elliptic curve E.
We already have given some kernel generator P determining an isogeny to an elliptic curve E prime, and then we will derive explicit formulas for a point P prime on E prime, such that it gives rise to another isogeny of degree N, which furthermore does not backtrack. What do I mean by that? I mean that this next curve E prime quotiented out by the subgroup generated by P prime is not equal to E, so we do not have the dual isogeny. We did not just compute the dual isogeny. A small remark, though, is that in general our P prime will not be defined over k; however, in the CSIDH setting that will be the case. The good thing is, this is not backtracking, so this is a cyclic isogeny of degree N squared. However, this also implies that we can keep doing this. We can go to N cubed, N to the fourth power, and so on, and we can just repeat it until we have a degree N to the power k isogeny. How we will do this is with something called radical isogenies, and it's a three-step approach. First, we'll find a general curve model with a point of order N. This is the Tate normal form, and we'll use Vélu's formulas to give the equation for the isogenous curve. The second step is the main contribution of our work. We'll find the field of definition for a point P prime on E prime that has order N as well. For this, we'll need the Tate pairing, and we'll also need simple radical extensions. In the third step, when we have the field of definition of P prime, we still need to determine the coordinates. And for this, we'll use the division polynomials. So step one is the Tate normal form. Every curve E with a point P of order at least four can be written in an isomorphic form, which looks like this, and where P is simply translated to the point zero zero. We want the discriminant to be non-zero, and we also need N to be at least four. Now, if N is two or three, you can make a very similar argument, just not with the Tate normal form.
If you want to read the details of the cases N equal to two or three, they are in our paper as well. Now, there's a unique form of this. However, for a given N, we can still derive a relation such that P has exact order N. Now, how do you do this? You can simply symbolically compute 2P, 3P, or minus P, minus 2P, and then say it has exact order N. For example, if N is five, just say five times P equals zero, or alternatively simply three times P equals minus two P, which saves a lot of computations. If you actually would write this out, you can probably still do this by hand. By the way, you would find that the relation for N equals five is simply c minus b, which has to be zero. So you can just, for every occurrence of the parameter c, write b in this equation, and then the point P zero zero has order five exactly. Now, with this in mind, you can apply Vélu with kernel generator P, and then we end up on E prime, on this elliptic curve. So now we already have the isogenous curve, and next we want to find a point of order exactly five on this isogenous curve. In order to do this, we'll use the Tate pairing as mentioned earlier. Now, the Tate pairing, as the name suggests, is a pairing, so it's a bilinear map of which you can see the domain here. Now, the exact definition is not that important. The only two things that are important for us are that, first of all, it's easy to compute. It's pretty similar in complexity to a scalar multiplication, and the codomain is the following coset. In particular, note that the Tate pairing is only defined up to Nth powers. We also need the notion of a simple radical extension. Now, this is the exact definition, but in words, a simple radical extension is just taking the ground field and then adjoining an Nth root of an element in that ground field. All right, with that in mind, we can formulate the main theorem of our paper.
Recall that we wanted to find a point P prime on E prime, such that it has exact order N and can be concatenated to a degree N squared isogeny. We can always find such a point P prime in a field extension where you just simply adjoin an Nth root of the Tate pairing of P with minus P. So you can always find a point P prime in a simple radical extension of degree N, and you can easily compute which radical extension it has to be as well. Why did we have to choose the Tate pairing of P with minus P? We didn't have to. You can also take the Tate pairing of P with itself. However, if you take the Tate pairing of P with minus P, it's slightly easier to work with. Okay, we'll not give the proof, but we'll continue the example of N equals 5. For N equals 5, the Tate pairing is simply b, the parameter of the Tate normal form. So P prime is defined over the base field where you adjoin a fifth root of b. All right, so now that we have the field of definition, we still need to find the coordinates of P prime. And for this, we'll use the N-division polynomials psi_{E prime, N}. These polynomials for every N are recursively defined, and in a sense, easy to compute. However, as they grow larger with larger N, they can become a bit of a bottleneck as well, which I'll expand upon in a bit. The main property is that they vanish exactly at those points that are N-torsion. And we're looking for a point of that type. So we're looking for a P prime over this field which is a root of this polynomial. Now, you may wonder, why do you not find roots of this polynomial immediately? Why do you need the field of definition? Because finding the field of definition is highly non-trivial. In general, as soon as you have a degree 5 polynomial or higher, no radical expressions in general exist anymore to find roots of that polynomial. Okay, let's take a look at the example for N equals 5.
This is the factorization of the 5-division polynomial over the general field, where we have not yet adjoined the fifth root of b. So it factors as a quadratic piece and two quintic pieces. This quadratic piece we're not really interested in, for the following reason. The roots of this are the x-coordinates that generate the dual isogeny. Recall that I said we want to go from E to E prime to a new curve. However, if we would use one of these roots as the x-coordinate of a kernel generator, you would end up at E again. Now, which one of the other two do we want to find a root for? It's pretty simple. It doesn't matter. They both will have a proper root over this field, for the following reason. Let's say we find the root here over the field that we know it should have a root in. Then this will determine the x-coordinate of some point P prime, and since it's a 5-torsion point, also of the point minus P prime. And if we define this as P prime, then the next quintic factor will simply have the x-coordinate of 2 times P prime, and hence also minus 2 times P prime. However, these points generate the same kernel since N equals 5. So it doesn't really matter which one we take. You can just pick one and stick to that. All right, let's say we want to take a look at the first quintic factor. If you try and find the root over the ground field where you adjoin a fifth root of b, then you'll see that you have a fairly easy root. Now, a small note is that if you want to have all the other roots of the polynomial, you can scale alpha, so this fifth root, with the fifth roots of unity, and then we'll find all the roots of this quintic factor. And then simply filling in to the equation of the elliptic curve, you can find the y-coordinate of P prime as well. So we're done, apart from some very minor step, in the sense that we found a P prime. However, if we translate this back to zero zero, we obtain an isomorphic form that is in Tate normal form again.
Now it's just b prime instead of b, and b prime is a very simple rational expression in the fifth root of b, with coefficients no more than four. Now I said before, these division polynomials become sort of a bottleneck as well. The relation b minus c equals zero is very easy, but that's just for N equals five. As soon as you go to N equals 11, it's already not so easy anymore. The division polynomials also scale with N squared roughly, which means that the expressions become very large very quickly as well. Next, the Tate pairing of the point P with minus P. This is also not simply going to be b, so this expression also becomes more complicated. If you then want to symbolically find a root of a very large polynomial, and then even more so in an extension field, algebraic software packages already start struggling for N equal to 13. Anything more, you'll need some different approaches. Furthermore, these very simple expressions stop being the case after, let's say, N equals nine. I could still fit N equals nine pretty easily on the screen in a formula, but that's about it. For N equals 11, you would just need to see the code for that. And we'll take a quick look at one of the applications of that, where it will be pretty obvious. We'll focus on the case where q minus one is coprime with N. Why is that? Well, first of all, it's just true in the CSIDH setting, so it's applicable, but also every element has a unique Nth root. It's easy to prove, and furthermore, this Nth root is actually a simple exponentiation. So if you want to compute the Nth root of this, we simply have to do an exponentiation, which is pretty easy, which you can do with roughly one and a half log p multiplications with square-and-multiply. So this table gives us the clock cycle count. This last column is the radical isogeny one, as I predicted earlier.
If you look at the 3-isogenies, 4-isogenies up until 9-isogenies, the clock cycles don't really expand too much, but then there's a rather huge gap to the 11-isogenies and the 13-isogenies. And starting from 17 onwards, they're not really practical anymore. Not practical in the sense if you compare them to naively doing CSIDH. As you can see here, sampling an N-torsion point is a lot more expensive than finding the isogenous curve with Vélu. And finding the image of a point for pushing through points is even more negligible. However, if we're just looking at the overall picture, if you want to chain N to the power k isogenies, then radical isogenies are faster by an order of magnitude for the smallest primes at least. Now to be fair, as said before as well, there are other ways you can compute isogenies. You can do this with modular polynomials, for example, as well. If you would do this for a 3-isogeny, this method would simply boil down to finding a root of a degree 3 polynomial over a finite field, which is a lot easier than sampling an N-torsion point, but still an order of magnitude slower than the radical isogeny part. As for the second application, let's take a look at CSIDH. We'll be using the CSURF-512 prime, which is based on CSIDH, but it's simply a slightly different setting where we can also use the 2-isogenies. But the same as before, we have 74 odd primes, but we'll also be using the prime 2 in this case. Now recall in CSIDH we had exponents ranging from minus 5 to 5, which meant we would do up to 5 isogenies of every small prime degree, but given that radical isogenies are so much faster, we found that it was a huge improvement if we did a lot of small isogenies. For the 2-isogenies, we compute up to 202 isogenies, for the 3-isogenies up to 170, and so on, up until the 13-isogenies, of which we could compute up to 29.
The remainder, starting from the primes 17, 19, and so on, up until the prime 389, we simply compute with the classical CSIDH computation. Now note that this is a very skewed box, and in particular we'll be using the 4-isogenies to compute the 2-isogenies. Next, after we've computed all the 2-isogenies, we'll use 9-isogenies to compute the 3-isogenies, after that the 5-isogenies, then the 7-isogenies, then the 11-isogenies, then the 13-isogenies, and only then we'll resort back to the CSIDH setting. Now using radical isogenies like this, we get an overall speedup of about 19 percent for the CSURF-512 parameter setting. A small remark here, though, is that if you go to higher security levels, the speedup will become less, for the simple reason that the small primes have less weight in that setting. Now we'll give some concluding thoughts. So we find a very efficient method to compute long chains of small-degree isogenies, and if we use a very skewed exponent box in CSIDH, we can speed it up by about 19 percent. Now there are some interesting open problems that we can consider. First of all, as said before, the division polynomials are sort of bottlenecks, starting from l equals 17 already. Can we find roots of the division polynomial efficiently? And if we can find roots of that, the formulas are not unique. As mentioned earlier, we can use P prime or 2P prime. They generate the same kernel; which one gives us the most efficient expression? They are not all equal in terms of arithmetic complexity. The third point to notice is: what's the impact of this on constant-time implementations? For the people familiar with constant-time implementations of CSIDH, they'll quickly realize that most of, if not all, of those rely on the fact that you first do an l_1-isogeny, then an l_2-isogeny, and so on up until l_r, and then start over again with l_1. And finally, what do we do with medium-sized primes?
In this talk, we talked about speeding up really small prime degree isogenies, and earlier this year Bernstein, De Feo, Leroux, and Smith found asymptotically very good formulas for large degree isogenies, starting from l about 100. However, for the medium-sized primes, we still have nothing better than the classical Vélu formulas, so that could be a point of interest for research as well.
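As an added illustration (not code from the talk or the paper), the two ingredients the speaker spells out, in pure Python: sampling an l-torsion point as [(p+1)/l]Q on a supersingular curve with p+1 rational points, which lands on the trivial point with probability about 1/l, and taking the unique Nth root as a single exponentiation when N is coprime to p-1. The prime p = 4*3*5*7 - 1 = 419 and the curve y^2 = x^3 + x are constructed toy choices for this example.

```python
import math
import random

# Constructed toy parameters for this example: a CSIDH-shaped prime p = 4 * (3*5*7) - 1 = 419
# and the supersingular curve y^2 = x^3 + x over F_p (p = 3 mod 4), which has p + 1 points.
P = 4 * 3 * 5 * 7 - 1
SMALL_PRIMES = (3, 5, 7)

def ec_add(A, B):
    """Affine addition on y^2 = x^3 + x mod P; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:      # A == -B (includes doubling a 2-torsion point)
        return None
    if A == B:
        lam = (3 * x1 * x1 + 1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, A):
    """Double-and-add scalar multiplication [k]A."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R

def random_point(rng):
    """Random rational point: pick x until x^3 + x is a nonzero square, then take a square root."""
    while True:
        x = rng.randrange(P)
        rhs = (x ** 3 + x) % P
        if pow(rhs, (P - 1) // 2, P) == 1:          # Euler's criterion
            return (x, pow(rhs, (P + 1) // 4, P))  # square root valid because P = 3 mod 4

def sample_torsion(L, rng):
    """The naive method from the talk: [(p+1)/L]Q has order dividing L and is trivial w.p. 1/L."""
    return ec_mul((P + 1) // L, random_point(rng))

def failure_rate(L, trials, seed=1):
    """Fraction of samples that land on the point at infinity (expected about 1/L)."""
    rng = random.Random(seed)
    return sum(sample_torsion(L, rng) is None for _ in range(trials)) / trials

def nth_root(a, n):
    """Unique n-th root in F_p when gcd(n, p-1) = 1: one exponentiation by n^-1 mod (p-1)."""
    if math.gcd(n, P - 1) != 1:
        raise ValueError("n-th roots are not unique when n shares a factor with p-1")
    return pow(a, pow(n, -1, P - 1), P)

def sampled_point_is_L_torsion(L, seed=0):
    """Sanity check: multiplying a sampled point by L gives the point at infinity."""
    return ec_mul(L, sample_torsion(L, random.Random(seed))) is None
```

Each odd l_i divides p+1 but not p-1 = 2(2*105 - 1), so every l_i-th root in F_p is a single exponentiation, which is the property the speaker relies on for the CSIDH setting.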