Supersingular abelian varieties are a special class of abelian varieties. We give a survey on old and new results on relations between geometric invariants of principally polarized supersingular abelian varieties and arithmetic invariants of quaternion hermitian forms such as the numbers of polarizations and irreducible. Supersingular abelian varieties in cryptology. Note that, since cryptographic security is based on the cyclic subgroups of A(F_q), for purposes of cryptology it is only necessary to consider simple abelian varieties, i. Take isogenies to reduce the impact of side-channel attacks [Sma03]. Introduction. The results of this paper show that it is the best of times and the worst of times for supersingular abelian varieties in cryptology. Fully maximal and minimal supersingular abelian varieties, Valentijn Karemaker, University of Pennsylvania, joint with R. On small characteristic algebraic tori in pairing-based cryptography. Compact hardware for computing the Tate pairing over. It is possible that a simple or absolutely simple abelian variety defined over a number field splits modulo every prime of good reduction. Today's pervasive computing and communications networks have created an intense need for secure and reliable cryptographic systems. Silverberg, Supersingular abelian varieties in cryptology.
Meanwhile, we also list all L-functions of supersingular curves of genus two over F_2 and determine the group structure of their divisor class groups over all finite algebraic extensions of F_2. For standard elliptic curve cryptography, supersingular elliptic curves are known to be weak. Supersingular locus of moduli space of abelian varieties. Supersingular abelian varieties and modular forms, Microsoft. Fully maximal and minimal supersingular abelian varieties.
Supersingular abelian varieties are natural candidates for these applications. Abelian varieties and pairing-based cryptography: constructing pairing-friendly abelian varieties. Galbraith and Lukas Zobernig, Obfuscated fuzzy Hamming distance and conjunctions from subset product problems, in d. This paper determines exactly which values can occur as the security parameters of supersingular abelian varieties in terms of the dimension of the abelian variety and the size of the finite field, and gives constructions of supersingular abelian varieties that are.
A solution to this problem is useful in public key cryptography, for example in digital signatures and identity-based cryptography. Isogenies and endomorphism rings of elliptic curves, ECC. In positive characteristic the structure of the p-torsion is an additional, useful tool. Post-quantum cryptography from supersingular isogeny problems.
In mathematics, particularly in algebraic geometry, complex analysis and number theory, an abelian variety is a projective algebraic variety that is also an algebraic group, i. For special classes of varieties such as elliptic curves it is common to use various ad hoc definitions of supersingular, which are usually equivalent to the one given above. Such pairing-friendly abelian varieties are rare and thus require speci. Supersingular abelian varieties in cryptology, SpringerLink. The isogeny graph of a supersingular elliptic curve can be used to construct secure hash functions [CLG09]. It may take any value from 0 to d, the dimension of A. Efficient pairing computation on supersingular abelian varieties, P. S. L. M. Barreto, S. D. Galbraith, C. Ó hÉigeartaigh, M. Scott, Designs, Codes and Cryptography 42 (3), 239-271, 2007.
Optimal black-box secret sharing over arbitrary abelian groups. A quantum algorithm for computing isogenies between supersingular elliptic curves jeanfran. Then E is supersingular if and only if the coefficient of (xyz)^(p-1) in f^(p-1) is zero. If the field k is a finite field of order q, then an elliptic curve. David Freeman, Constructing abelian varieties for pairing-based cryptography. Supersingular abelian varieties have already been proposed for pairing-based cryptography [9]. Supersingular elliptic curves, University of Auckland.
On the decisional Diffie-Hellman problem in genus 2. Here we study arbitrary supersingular abelian varieties. Efficient algorithms for pairing-based cryptosystems. We begin by giving a single coherent framework that classi.
Construct public key cryptosystems by hiding vulnerable curves by an isogeny (the trapdoor) [Tes06], or by encoding information in the isogeny graph [RS06]. Thus t2 4p2 mod 2 for each 2s, and therefore t 2 4p mod m2, by the Chinese remainder theorem. This paper surveys some topics in algebraic curve cryptography, with an emphasis. The p-rank of an abelian variety A over a field k of characteristic p is the integer k for which the kernel A[p] of multiplication by p has p^k points. CiteSeerX: Supersingular abelian varieties in cryptology. The main result is that, in characteristic two, the addition map from the. Advances in Cryptology, CRYPTO 2002, 22nd Annual International Cryptology Conference, Santa Barbara, California, USA, August 18-22, 2002, Proceedings. Abelian varieties and Jacobians, november 25, 20. 1 Abelian varieties and Jacobians: an abelian variety A over a field k is an irreducible smooth projective group variety. Cryptography and secure communication by Richard E. Pries, Arithmetic, Geometry, Cryptography, and Coding Theory, CIRM, June 19, 2017. Isogenies on elliptic curves. Outline: 1 isogenies on elliptic curves (definitions, cryptographic applications of isogenies, isomorphisms and twists, algorithms for computing isogenies), 2 endomorphisms, 3 supersingular elliptic curves, 4 abelian varieties, 5.
In this paper we study the characteristic polynomials and the rational point group structure of supersingular varieties of dimension two over finite fields. The following statement comes from the book Abelian Varieties by Mumford, at the very beginning of chapter 10. Let A be a supersingular abelian variety defined over a finite field k. In algebraic number theory, a supersingular prime for a given elliptic curve is a prime number with a certain relationship to that curve. Our results in [7] imply that if A is a simple supersingular abelian variety over f. Constructing abelian varieties for pairing-based cryptography, David Freeman, Ph. For example, one can obtain embedding degree 12 from a supersingular abelian surface in. For certain cryptography applications, including identity-based encryption schemes [1] and short signatures [2], it is important to have simple abelian varieties with security parameters that are. Public-key cryptography, elliptic curves, Tate pairing.
Supersingular abelian varieties over finite fields. Dissertation, university of california, berkeley, may 2008 download. Sep, 2002 supersingular abelian varieties are natural candidates for these applications. Supersingular prime algebraic number theory wikipedia. This paper presents a novel method for designing compact yet efficient.
A quantum algorithm for computing isogenies between. Advances in Cryptology, CRYPTO 2002, 22nd Annual International Cryptology Conference, Santa Barbara, California, USA. In this paper and [10], an elementary abelian variety means an abelian variety that is k-isogenous to a power of a simple abelian variety. Of course, there are lots of non-supersingular curves for which the freyruc.
For that structure supersingular abelian varieties can be considered the most special ones. Part of the Lecture Notes in Computer Science book series (LNCS), volume. Moduli of supersingular abelian varieties, SpringerLink. Identifying supersingular elliptic curves: for all 2s. Pairing-friendly ordinary elliptic curves g 1 well-studied. We discuss how to apply Gaudry's index calculus algorithm for abelian varieties to solve the discrete logarithm problem in the trace zero variety of an elliptic curve. Lang's book [72] is a standard reference for basic algebra.
In other words, A is a smooth projective variety equipped with morphisms. This paper determines exactly which values can occur as the security parameters of supersingular abelian varieties in terms of the dimension of the abelian variety and the size of the. Efficient pairing computation on supersingular abelian varieties. Galbraith, Christophe Petit and Javier Silva, Identification protocols and signature schemes based on supersingular isogeny problems, Journal of Cryptology, volume 33, issue 1 (2020) 175. Silverberg, "Supersingular abelian varieties in cryptology", CRYPTO 2002. Abelian varieties can be classified via their moduli. The main purpose of this survey is to give a complete account of the computational aspects of the isogenies of low dimensional abelian varieties and their use in cryptography. On supersingular abelian varieties of dimension two over. Abelian varieties that have small embedding degree with respect to a large prime-order subgroup are key ingredients for implementing pairing-based cryptographic systems.
International Association for Cryptologic Research. If the curve E is defined over the rational numbers, then a prime p is supersingular for E if the reduction of E modulo p is a supersingular elliptic curve over the residue field F_p. Noam Elkies showed that every elliptic curve over the rational numbers has. The papers are organized in topical sections on block ciphers, multi-user oriented cryptosystems, foundations and methodology, security and practical protocols, secure multiparty computation, public key encryption, information theory and secret sharing, cipher design and analysis, elliptic curves and abelian varieties, authentication. For example, it is well known that every supersingular elliptic curve over f p admits a model over f p2 which lies inside the isogeny class isogx. We investigate the decisional Diffie-Hellman problem in the Jacobian variety of supersingular curves of genus two over finite fields. They show that for supersingular abelian varieties, the difference in the size of the exponent can be at most a factor of two, and they propose a security. On the decisional Diffie-Hellman problem in genus 2, Royal. I have seen the definition of supersingular elliptic curves on textbooks by Hartshorne and Silverman.
Computational problems in supersingular elliptic curve isogenies. We analyse the geometry of Hilbert schemes of points on abelian surfaces and Beauville's generalized Kummer varieties in positive characteristics. They provide a starting point for the fine description of various structures. Supersingular abelian variety: sometimes defined to be an abelian variety isogenous to a product of supersingular elliptic curves, and sometimes defined to be an abelian variety of some rank g whose endomorphism ring has rank (2g)^2.
Part of the Lecture Notes in Computer Science book series. Advances in Cryptology, CRYPTO 2002, Springer for research. Endomorphism rings in cryptography, Eindhoven University of. We treat in particular the practically relevant cases of field extensions of degree 3 or 5. Black-box analysis of the block-cipher-based hash-function constructions from PGV. Our theoretical analysis is compared to other algorithms present in the literature, and is complemented by results from a prototype. Proceedings of the 22nd Annual International Cryptology. Jun 03, 2009: We give a survey on old and new results on relations between geometric invariants of principally polarized supersingular abelian varieties and arithmetic invariants of quaternion hermitian forms such as the numbers of polarizations and irreducible components of the supersingular locus, the field of definition, existence of curves with many rational points, class numbers, type numbers. Using this formula, one can show that there are only finitely many supersingular elliptic curves over k up to isomorphism. Suppose E is given as a cubic curve in the projective plane given by a homogeneous cubic polynomial f(x,y,z). Supersingular abelian varieties in cryptology, UCI Math.
The best and worst of supersingular abelian varieties in. Bringing together a fascinating mixture of topics in engineering, mathematics, computer science, and informatics, this book presents the timeless mathematical theory underpinning cryptosystems both old and new. Constructing abelian varieties for pairing-based cryptography. For certain security applications, including identity-based encryption and short signature schemes, it is useful to have abelian varieties with security parameters that are neither too small nor too large. An introduction to pairing-based cryptography, mathematics.
Largest embedding degree for supersingular elliptic curves E/F_{2^n} is k = 4, and for E/F_{3^n} is k = 6. Higher security levels require non-supersingular (usually, ordinary) abelian varieties. For a finite abelian group g we write g for its order. We give an approximate description of the structure of the group ak of krat.