Efficient pairing computation on supersingular abelian varieties. Fully maximal and minimal supersingular abelian varieties. Here we study arbitrary supersingular abelian varieties. For standard elliptic curve cryptography, supersingular elliptic curves are known to be weak. We analyse the geometry of hilbert schemes of points on abelian surfaces and beauvilles generalized kummer varieties in positive characteristics. In this paper and 10, an elementary abelian variety means an abelian variety that is kisogenous to a power of a simple abelian variety. On small characteristic algebraic tori in pairingbased cryptography. Advances in cryptology crypto 2002 springer for research. Thus t2 4p2 mod 2 for each 2s, and therefore t 2 4p mod m2, by the chinese remainder theorem.
Moduli of supersingular abelian varieties springerlink. Supersingular elliptic curves university of auckland. Isogenies and endomorphism rings of elliptic curves ecc. Citeseerx document details isaac councill, lee giles, pradeep teregowda. Supersingular abelian varieties and modular forms microsoft. Then e is supersingular if and only if the coefficient of xyz p1 in f p1 is zero if the field k is a finite field of order q, then an elliptic curve. Abelian varieties and jacobians november 25, 20 1 abelian varieties and jacobians an abelian variety aover a eld kis an irreducible smooth projective group variety. Computational problems in supersingular elliptic curve isogenies. A quantum algorithm for computing isogenies between supersingular elliptic curves jeanfran. Cryptography and secure communication by richard e. Fully maximal and minimal supersingular abelian varieties valentijn karemaker university of pennsylvania joint with r.
Supersingular locus of moduli space of abelian varieties. Supersingular abelian variety sometimes defined to be an abelian variety isogenous to a product of supersingular elliptic curves, and sometimes defined to be an abelian variety of some rank g whose endomorphism ring has rank 2g 2. For special classes of varieties such as elliptic curves it is common to use various ad hoc definitions of supersingular, which are usually equivalent to the one given above. We treat in particular the practically relevant cases of field extensions of degree 3 or 5. Introduction the results of this paper show that it is the best of times and the worst of times for supersingular abelian varieties in cryptology. In positive characteristic the structure of the ptorsionstructure is an additional, useful tool. For a finite abelian group g we write g for its order. We give an approximate description of the structure of the group ak of krat. Abelian varieties and pairingbased cryptography constructing pairingfriendly abelian varieties. We investigate the decisional diffiehellman problem in the jacobian variety of supersingular curves of genus two over finite fields. The main result is that, in characteristic two, the addition map from the. I largest embedding degree for supersingular elliptic curves ef 2n is k 4, and for ef 3n is k 6. The best and worst of supersingular abelian varieties in. For example, it is well known that every supersingular elliptic curve over f padmits a model over f p2 which lies inside the isogeny class isogx.
This paper surveys some topics in algebraic curve cryptography, with an emphasis. Publickey cryptography, elliptic curves, tate pairing. We give a survey on old and new results on relations between geometric invariants of principally polarized supersingular abelian varieties and arithmetic invariants of quaternion hermitian forms such as the numbers of polarizations and irreducible. Pairingfriendly ordinary elliptic curves g 1 wellstudied. Let a be a supersingular abelian variety defined over a finite field k. In this paper we study the characteristic polynomials and the rational point group structure of supersingular varieties of dimension two over finite fields. Proceedings of the 22nd annual international cryptology. International association for cryptologic research international association for cryptologic research. Browse other questions tagged algebraicgeometry schemes sheafcohomology abelianvarieties or ask your own question. Jun 03, 2009 we give a survey on old and new results on relations between geometric invariants of principally polarized supersingular abelian varieties and arithmetic invariants of quaternion hermitian forms such as the numbers of polarizations and irreducible components of the supersingular locus, the field of definition, existence of curves with many rational points, class numbers, type numbers. Please join the simons foundation and our generous member organizations in supporting arxiv during our giving campaign september 2327. They show that for supersingular abelian varieties, the difference in the size of the exponent can be at most a factor of two, and they propose a security.
It may take any value from 0 to d, the dimension of a. Abelian varieties that have small embedding degree with respect to a large primeorder subgroup are key ingredients for implementing pairingbased cryptographic systems. Constructing abelian varieties for pairingbased cryptography. Our results in 7 imply that if a is a simple supersingular abelian variety over f. Supersingular abelian varieties are natural candidates for these. Meanwhile, we also list alllfunctions of supersingular curves of genus two over f 2 and determine the group structure of their divisor class groups over all finite algebraic extension of f 2. Isogenies on elliptic curves 3 66 outline 1 isogenies on elliptic curves definitions cryptographic applications of isogenies isomorphisms and twists algorithms for computing isogenies 2 endomorphisms 3 supersingular elliptic curves 4 abelian varieties 5. Bringing together a fascinating mixture of topics in engineering, mathematics, computer science, and informatics, this book presents the timeless mathematical theory underpinning cryptosystems both old and new. Silverberg, \ supersingular abelian varieties in cryptology, crypto 2002. For certain security applications, including identity based encryption and short signature schemes, it is useful to have abelian varieties with security parameters that are neither too small nor too large.
Supersingular abelian varieties are natural candidates for these applications. An introduction to pairingbased cryptography mathematics. This paper presents a novel method for designing compact yet efficient. Supersingular abelian varieties have already been proposed for pairingbased cryptography 9. If the curve e defined over the rational numbers, then a prime p is supersingular for e if the reduction of e modulo p is a supersingular elliptic curve over the residue field f p. A solution to this problem is useful in public key cryptography, for example in digital signatures and identitybased cryptography. Blackbox analysis of the blockcipherbased hashfunction constructions from pgv. This paper determines exactly which values can occur as the security parameters of supersingular abelian varieties in terms of the dimension of the abelian variety and the size of the. Endomorphism rings in cryptography eindhoven university of. Pries arithmetic, geometry, cryptography, and coding theory, cirm june 19, 2017. Newest abelianvarieties questions feed to subscribe to this rss.
In mathematics, particularly in algebraic geometry, complex analysis and number theory, an abelian variety is a projective algebraic variety that is also an algebraic group, i. I have seen the definition of supersingular elliptic curves on textbooks by hartshorne and silverman. Citeseerx supersingular abelian varieties in cryptology. If the curve e defined over the rational numbers, then a prime p is supersingular for e if the reduction of e modulo p is a supersingular elliptic curve over the residue field f p noam elkies showed that every elliptic curve over the rational numbers has. Supersingular abelian varieties are a special class of abelian varieties. Construct public key cryptosystems by hiding vulnerable curves by an isogeny the trapdoor tes06, or by encoding informations in the isogeny graph rs06. The isogeny graph of a supersingular elliptic curve can be used to construct secure hash functions clg09. Part of the lecture notes in computer science book series lncs, volume. Efficient pairing computation on supersingular abelian varietiesdesigns, codes, and cryptography. Galbraith, christophe petit and javier silva, identification protocols and signature schemes based on supersingular isogeny problems, journal of cryptology, volume 33, issue 1 2020 175.
Supersingular abelian varieties over finite fields. They provide a starting point for the fine description of various structures. This paper determines exactly which values can occur as the security parameters of supersingular abelian varieties in terms of the dimension of the abelian variety and the size of the finite field, and gives constructions of supersingular abelian varieties that are. Efficient algorithms for pairingbased cryptosystems. Optimal blackbox secret sharing over arbitrary abelian groups. For that structure supersingular abelian varieties can be considered the most special ones. Compact hardware for computing the tate pairing over. Dissertation, university of california, berkeley, may 2008 download. Newest abelianvarieties questions mathematics stack exchange. Of course, there are lots of nonsupersingular curves for which the freyruc. Book series about an australian adventurer with a metal arm. Buy physical book learn about institutional subscriptions. Sep, 2002 supersingular abelian varieties are natural candidates for these applications. Supersingular abelian varieties in cryptology 3 note that, since cryptographic security is based on the cyclic subgroups of af q, for purposes of cryptology it is only necessary to consider simple abelian varieties, i.
In other words, ais a smooth projective variety equipped with morphisms. Identifying supersingular elliptic curves 319 for all 2s. Such pairingfriendly abelian varieties are rare and thus require speci. Newest abelianvarieties questions mathematics stack. The main purpose of this survey is to give a complete account of the computational aspects of the isogenies of low dimensional abelian varieties and their use in cryptography. Our theoretical analysis is compared to other algorithms present in the literature, and is complemented by results from a prototype. On the decisional diffiehellman problem in genus 2 royal. Higher security levels require nonsupersingular usually, ordinary abelian vareities.
Efficient pairing computation on supersingular abelian varieties pslm barreto, sd galbraith, c oheigeartaigh, m scott designs, codes and cryptography 42 3, 239271, 2007. In algebraic number theory, a supersingular prime for a given elliptic curve is a prime number with a certain relationship to that curve. For example, one can obtain embedding degree 12 from a supersingular abelian surface in. On the decisional diffiehellman problem in genus 2. Part of the lecture notes in computer science book series. On supersingular abelian varieties of dimension two over. It is possible that a simple or absolutely simple abelian variety defined over a number field splits modulo every prime of good reduction. Advances in cryptology crypto 2002 book subtitle 22nd annual international cryptology conference santa barbara, california, usa. Advances in cryptology crypto 2002 22nd annual international cryptology conference santa barbara, california, usa, august 1822, 2002 proceedings.
Todays pervasive computing and communications networks have created an intense need for secure and reliable cryptographic systems. David freeman constructing abelian varieties for pairingbased cryptography. Langs book 72 is a standard reference for basic algebra. Steven galbraith 0000000171148377 orcid connecting. Constructing abelian varieties for pairingbased cryptography david freeman ph. Abelian varieties can be classified via their moduli. We begin by giving a single coherent framework that classi. The following statement comes from the book abelian varieties by mumford, at the very beginning of chapter 10. For certain cryptography applications, including identity based encryption schemes 1 and short signatures 2, it is important to have simple abelian varieties with security parameters that are. Silverberg, supersingular abelian varieties in cryptology. Postquantum cryptography from supersingular isogeny problems. The prank of an abelian variety a over a field k of characteristic p is the integer k for which the kernel ap of multiplication by p has p k points. A quantum algorithm for computing isogenies between.
Take isogenies to reduce the impact of side channel attacks sma03. Supersingular abelian varieties in cryptology uci math. Journal of cryptology transactions on symmetric cryptology transactions on ches. Supersingular abelian varieties in cryptology springerlink.
376 72 180 155 178 1008 1333 301 1419 1116 813 166 30 396 110 456 930 626 1274 1245 1487 106 745 1147 1493 280 1327 125 564 412 118 968 913 1138 118 475 572 34 1450 804 1183 1287 465 1185 1203