Guanju Xiao,Zijian Zhou,Yingpu Deng,Longjiang Qu

2024-04-23

Abstract:It is well known that there is a one-to-one correspondence between supersingular $j$-invariants up to the action of $\text{Gal}(\mathbb{F}_{p^2}/\mathbb{F}_p)$ and type classes of maximal orders in $B_{p,\infty}$ by Deuring's theorem. Interestingly, we establish a one-to-one correspondence between $\mathbb{F}_p$-isomorphism classes of supersingular elliptic curves and primitive reduced binary quadratic forms with discriminant $-p$ or $-16p$. Due to this correspondence and the fact that $\mathbb{F}_p$-isogenies between elliptic curves could be represented by quadratic forms, we show that operations of these isogenies on supersingular elliptic curves over $\mathbb{F}_p$ are compatible with the composition of quadratic forms. Based on these results, we could reduce the security of CSIDH cryptosystem to computing this correspondence explicitly.

Number Theory

Guanju Xiao,Zijian Zhou,Yingpu Deng,Longjiang Qu

DOI: https://doi.org/10.3934/amc.2024019

2024-05-09

Advances in Mathematics of Communications

Abstract:It is well known that there is a one-to-one correspondence between supersingular -invariants up to the action of and type classes of maximal orders in by Deuring's theorem. Interestingly, we establish a one-to-one correspondence between -isomorphism classes of supersingular elliptic curves and primitive reduced binary quadratic forms with discriminant or . Due to this correspondence and the fact that -isogenies between elliptic curves could be represented by quadratic forms, we show that actions of these isogenies on supersingular elliptic curves over are compatible with the composition of quadratic forms. Based on these results, we reduce the security of CSIDH cryptosystem to computing this correspondence explicitly.

computer science, theory & methods,mathematics, applied

Songsong Li,Yi Ouyang,Zheng Xu

DOI: https://doi.org/10.1016/j.ffa.2019.101619

IF: 1.655

2019-01-01

Finite Fields and Their Applications

Abstract:Let p>3 be a fixed prime. For a supersingular elliptic curve E over Fp, a result of Ibukiyama tells us that End(E) is a maximal order O(q) (resp. O′(q)) in End(E)⊗Q indexed by a (non-unique) prime q satisfying q≡3mod8 and the quadratic residue (pq)=−1 if 1+π2∉End(E) (resp. 1+π2∈End(E)), where π=((x,y)↦(xp,yp) is the absolute Frobenius. Let qj denote the minimal q for E whose j-invariant j(E)=j and M(p) denote the maximum of qj for all supersingular j∈Fp. Firstly, we determine the neighborhood of the vertex [E] with j∉{0,1728} in the supersingular ℓ-isogeny graph if 1+π2∉End(E) and p>qjℓ2 or 1+π2∈End(E) and p>4qjℓ2: there are either ℓ−1 or ℓ+1 neighbors of [E], each of which connects to [E] by one edge and at most two of which are defined over Fp. We also give examples to illustrate that our bounds are tight. Next, under GRH, we obtain explicit upper and lower bounds for M(p), which were not studied in the literature as far as we know. To make the bounds useful, we estimate the number of supersingular elliptic curves with qjp except p=11 or 23 and M(p)

Guanju Xiao,Zijian Zhou,Longjiang Qu

2023-12-14

Abstract:Let $p>3$ be a prime and $E$ be a supersingular elliptic curve defined over $\mathbb{F}_{p^2}$. Let $c$ be a prime with $c < 3p/16$ and $G$ be a subgroup of $E[c]$ of order $c$. The pair $(E,G)$ is called a supersingular elliptic curve with level-$c$ structure, and the endomorphism ring $\text{End}(E,G)$ is isomorphic to an Eichler order with level $c$. We construct two kinds of Eichler orders $\mathcal{O}_c(q,r)$ and $\mathcal{O}'_c(q,r')$ with level $c$. Interestingly, we can reduce each $\mathcal{O}_c(q,r)$ or $\mathcal{O}'_c(q,r')$ to a primitive reduced binary quadratic form with discriminant $-16cp$ or $-cp$ respectively. If the curve $E$ is $\mathbb{Z}[\sqrt{-cp}]$-oriented, then we prove that $\text{End}(E,G)$ is isomorphic to $\mathcal{O}_c(q,r)$ or $\mathcal{O}'_c(q,r')$. Due to the fact that $\mathbb{Z}[\sqrt{-cp}]$-oriented isogenies between $\mathbb{Z}[\sqrt{-cp}]$-oriented elliptic curves could be represented by quadratic forms, we show that these isogenies are reflected in the corresponding Eichler orders via the composition law for their corresponding quadratic forms.

Number Theory

Arthur Herlédan Le Merdy,Benjamin Wesolowski

2023-10-06

Abstract:Given a supersingular elliptic curve E and a non-scalar endomorphism $\alpha$ of E, we prove that the endomorphism ring of E can be computed in classical time about disc(Z[$\alpha$])^1/4 , and in quantum subexponential time, assuming the generalised Riemann hypothesis. Previous results either had higher complexities, or relied on heuristic assumptions. Along the way, we prove that the Primitivisation problem can be solved in polynomial time (a problem previously believed to be hard), and we prove that the action of smooth ideals on oriented elliptic curves can be computed in polynomial time (previous results of this form required the ideal to be powersmooth, i.e., not divisible by any large prime power). Following the attacks on SIDH, isogenies in high dimension are a central ingredient of our results.

Cryptography and Security,Number Theory

Jenny Fuselier,Annamaria Iezzi,Mark Kozek,Travis Morrison,Changningphaabi Namoijam

2023-06-06

Abstract:We give an algorithm for computing inseparable endomorphisms of a supersingular elliptic curve $E$ defined over $\mathbb F_{p^2}$, which, conditional on GRH, runs in expected $O(\sqrt{p}(\log p)^2(\log\log p)^3)$ time. With two calls to this algorithm, we compute a Bass suborder of $\text{End}(E)$, improving on the results of Eisenträger, Hallgren, Leonardi, Morrison, and Park (ANTSXIV) who only gave a heuristic algorithm for computing a Bass suborder. We further improve on the results of Eisenträger et al. by removing the heuristics involved in an algorithm for recovering $\text{End}(E)$ from a Bass suborder. We conclude with an argument that $O(1)$ endomorphisms generated by our algorithm along with negligible overhead suffice to compute $\text{End}(E)$, conditional on a heuristic assumption about the distribution of the discriminants of these endomorphisms.

Number Theory

Aurel Page,Benjamin Wesolowski

2023-10-16

Abstract:The supersingular Endomorphism Ring problem is the following: given a supersingular elliptic curve, compute all of its endomorphisms. The presumed hardness of this problem is foundational for isogeny-based cryptography. The One Endomorphism problem only asks to find a single non-scalar endomorphism. We prove that these two problems are equivalent, under probabilistic polynomial time reductions. We prove a number of consequences. First, assuming the hardness of the endomorphism ring problem, the Charles--Goren--Lauter hash function is collision resistant, and the SQIsign identification protocol is sound. Second, the endomorphism ring problem is equivalent to the problem of computing arbitrary isogenies between supersingular elliptic curves, a result previously known only for isogenies of smooth degree. Third, there exists an unconditional probabilistic algorithm to solve the endomorphism ring problem in time O~(sqrt(p)), a result that previously required to assume the generalized Riemann hypothesis. To prove our main result, we introduce a flexible framework for the study of isogeny graphs with additional information. We prove a general and easy-to-use rapid mixing theorem. The proof of this result goes via an augmented Deuring correspondence and the Jacquet-Langlands correspondence.

Cryptography and Security,Algebraic Geometry,Number Theory

Jonathan Love,Dan Boneh

DOI: https://doi.org/10.48550/arXiv.1910.03180

2020-06-24

Abstract:We introduce a special class of supersingular curves over $\mathbb{F}_{p^2}$, characterized by the existence of non-integer endomorphisms of small degree. A number of properties of this set is proved. Most notably, we show that when this set partitions into subsets in such a way that curves within each subset have small-degree isogenies between them, but curves in distinct subsets have no small-degree isogenies between them. Despite this, we show that isogenies between these curves can be computed efficiently, giving a technique for computing isogenies between certain prescribed curves that cannot be reasonably connected by searching on $\ell$-isogeny graphs.

Number Theory,Cryptography and Security

Kirsten Eisentraeger,Gabrielle Scullard

2024-02-08

Abstract:We give a deterministic polynomial time algorithm to compute the endomorphism ring of a supersingular elliptic curve in characteristic p, provided that we are given two noncommuting endomorphisms and the factorization of the discriminant of the ring $\mathcal{O}_0$ they generate. At each prime $q$ for which $\mathcal{O}_0$ is not maximal, we compute the endomorphism ring locally by computing a q-maximal order containing it and, when $q \neq p$, recovering a path to $\text{End}(E) \otimes \mathbb{Z}_q$ in the Bruhat-Tits tree. We use techniques of higher-dimensional isogenies to navigate towards the local endomorphism ring. Our algorithm improves on a previous algorithm which requires a restricted input and runs in subexponential time under certain heuristics. Page and Wesolowski give a probabilistic polynomial time algorithm to compute the endomorphism ring on input of a single non-scalar endomorphism. Beyond using techniques of higher-dimensional isogenies to divide endomorphisms by a scalar, our methods are completely different.

Number Theory,Cryptography and Security

Eyal Z. Goren,Jonathan R. Love

2024-10-08

Abstract:This paper contains a survey of supersingular isogeny graphs associated to supersingular elliptic curves and their various applications to cryptography. Within limitation of space, we attempt to address a broad audience and make this part widely accessible. For those graphs we also present three recent results and sketch their proofs. We then discuss a generalization to superspecial isogeny graphs associated to superspecial abelian varieties with real multiplication. These graphs were introduced by Charles, Goren and Lauter and so our discussion is brief. Motivated by their cryptographic applications, we prove a general theorem concerning generation of lattices over totally real fields by elements of specified norm. Throughout the paper we have attempted to clarify certain considerations that are either vaguely stated in the literature, or are folklore. We hope this paper will be useful both to a novice wishing to familiarize themselves with this very active area, and to the expert who may enjoy some vignettes and an overview of some new results.

Number Theory

Cédric Dion,Jishnu Ray

2024-07-04

Abstract:Let $p$ be a fixed odd prime and let $K$ be an imaginary quadratic field in which $p$ splits. Let $A$ be an abelian variety defined over $K$ with supersingular reduction at both primes above $p$ in $K$. Under certain assumptions, we give a growth estimate for the Mordell--Weil rank of $A$ over finite extensions inside the $\mathbb{Z}_p^2$-extension of $K$. In the last section, written by Chris Williams, he includes some speculative remarks on the $p$-adic $L$-functions for $\mathrm{GSp}(4)$ corresponding to the multi-signed Selmer groups constructed in this paper.

Number Theory,Representation Theory

Antonio Lei,Katharina Müller

2023-10-24

Abstract:Let $p$ and $q$ be distinct prime numbers, with $q\equiv 1\pmod{12}$. Let $N$ be a positive integer that is coprime to $pq$. We prove a formula relating the Hasse--Weil zeta function of the modular curve $X_0(qN)_{\mathbb{F}_q}$ to the Ihara zeta function of the $p$-isogeny graphs of supersingular elliptic curves defined over $\overline{\mathbb{F}_q}$ equipped with a $\Gamma_0(N)$-level structure. When $N=1$, this recovers a result of Sugiyama.

Number Theory,Combinatorics

Meng Fai Lim

2024-09-21

Abstract:Let $E$ be an elliptic curve over $\mathbb{Q}$. Greenberg has posed a question whether the structure of the fine Selmer group over the cyclotomic $\mathbb{Z}_p$-extension of $\mathbb{Q}$ can be described by cyclotomic polynomials in a certain precise manner. A recent work of Lei has made progress on this problem by proving that the fine Mordell-Weil group (in the sense of Wuthrich) does have this required property. The goal of this paper is study the analogous question of Greenberg over various $\mathbb{Z}_p$-extensions of an imaginary quadratic field $F$. In particular, when the elliptic curve has complex multiplication by the ring of integers of the imaginary quadratic field, we obtain analogous results of Lei over the cyclotomic $\mathbb{Z}_p$-extension and anti-cyclotomic $\mathbb{Z}_p$-extension of $F$. In the event that the elliptic curve has good ordinary reduction at the prime $p$, we further obtain a result over the $\mathbb{Z}_p$-extension of $F$ unramified outside precisely one of the prime of $F$ above $p$. Finally, we study the situation of an elliptic curve over the anticyclotomic $\mathbb{Z}_p$-extension under the generalized Heegner hypothesis. Along the way, we establish an analogous result for the BDP-Selmer group. This latter result is then applied to obtain a relation between the BDP $p$-adic $L$-function and the Mordell-Weil rank growth in the anticyclotomic $\mathbb{Z}_p$-extension which may be of independent interest.

Number Theory

Zhi-Wei Sun

2010-01-01

Abstract:In this paper we deduce some new supercongruences modulo powers of a prime $p>3$. Let $d\in\{0,1,\ldots,(p-1)/2\}$. We show that $$\sum_{k=0}^{(p-1)/2}\frac{\binom{2k}k\binom{2k}{k+d}}{8^k}\equiv 0 (\mbox{mod} p) \mbox{if} d\equiv \frac{p+1}2 (\mbox{mod} 2),$$ and $$\sum_{k=0}^{(p-1)/2}\frac{\binom{2k}k\binom{2k}{k+d}}{16^k} \equiv\left(\frac{-1}p\right)+p^2\frac{(-1)^d}4E_{p-3}\left(d+\frac12\right)\pmod{p^3},$$ where $E_{p-3}(x)$ denotes the Euler polynomial of degree $p-3$, and $(-)$ stands for the Legendre symbol. The paper also contains some other results such as $$\sum_{k=0}^{p-1}k^{(1+(\frac{-1}p))/2}\frac{\binom{6k}{3k}\binom{3k}k}{864^k}\equiv0\pmod{p^2}.$$

Chaoping Xing

DOI: https://doi.org/10.1006/ffta.1996.0024

IF: 1.655

1996-01-01

Finite Fields and Their Applications

Abstract:In this paper we study the characteristic polynomials and the rational point group structure of supersingular varieties of dimension two over finite fields. Meanwhile, we also list allL-functions of supersingular curves of genus two over F"2and determine the group structure of their divisor class groups over all finite algebraic extension of F"2.

Li-Tong Deng,Yong-Xiong Li,Shuai Zhai

2023-12-14

Abstract:Let $f$ be a positive definite integral quadratic form in $d$ variables. In the present paper, we establish a direct link between the genus representation number of $f$ and the order of higher even $K$-groups of the ring of integers of real quadratic fields, provided $f$ is diagonal and $d \equiv 1 \mod 4$, by applying the Siegel mass formula. When $d=3$, we derive an explicit formula of $r_f(n)$ in terms of the class number of the corresponding imaginary quadratic field and the central algebraic values of $L$-functions of quadratic twists of elliptic curves, by exploring a theorem of Waldspurger. Moreover, by the $2$-divisibility results on the algebraic $L$-values of quadratic twist of elliptic curves, we obtain a lower bound for the $2$-adic valuation of $r_f(n)$ for some odd integer $n$. The numerical results show our lower bound is optimal for certain cases. We also apply our main result to the quadratic form $f=x_1^2+\cdots+x^2_d$ to determine the order of the higher $K$-groups numerically.

Number Theory

Asimina S. Hamakiotes

2024-08-29

Abstract:Let $K$ be an imaginary quadratic field, and let $\mathcal{O}_{K,f}$ be an order in $K$ of conductor $f\geq 1$. Let $E$ be an elliptic curve with CM by $\mathcal{O}_{K,f}$, such that $E$ is defined by a model over $\mathbb{Q}(j_{K,f})$, where $j_{K,f}=j(E)$. It has been shown by the author and Lozano-Robledo that $\operatorname{Gal}(\mathbb{Q}(j_{K,f},E[N])/\mathbb{Q}(j_{K,f}))$ is only abelian for $N=2,3$, and $4$. Let $p$ be a prime and let $n\geq 1$ be an integer. In this article, we bound the commutator subgroups of $\operatorname{Gal}(\mathbb{Q}(E[p^n])/\mathbb{Q})$ and classify the maximal abelian extensions contained in $\mathbb{Q}(E[p^n])/\mathbb{Q}$.

Number Theory

Tian Wang

2024-04-21

Abstract:Let $A/K$ be an absolutely simple abelian surface defined over a number field $K$. We give unconditional upper bounds for the number of prime ideals $\mathfrak{p}$ of $K$ with norm up to $x$ such that $A$ has supersingular reduction at $\mathfrak{p}$ when $A$ has a trivial endomorphism ring, real multiplication, and quaternion multiplication, respectively. Particularly, in the real multiplication case and when $K=\mathbb{Q}$, the bound is related to an upper bound for the distribution of Frobenius traces of $A$. Also in the real multiplication case, we provide unconditional upper bounds for a variant of the problem, which concerns the number of prime ideals for which the reduction of $A$ at the prime has a particular Newton datum and is not simple.

Number Theory

Peiyi Cui,Thomas Lanard,Hengfei Lu

2024-04-04

Abstract:Let $F$ be a non-archimedean local field of characteristic different from 2 and residual characteristic $p$. This paper concerns the $\ell$-modular representations of a connected reductive group $G$ distinguished by a Galois involution, with $\ell$ an odd prime different from $p$. We start by proving a general theorem allowing to lift supercuspidal $\overline{\mathbb{F}}_{\ell}$-representations of $\mathrm{GL}_n(F)$ distinguished by an arbitrary closed subgroup $H$ to a distinguished supercuspidal $\overline{\mathbb{Q}}_{\ell}$-representation. Given a quadratic field extension $E/F$ and an irreducible $\overline{\mathbb{F}}_{\ell}$-representation $\pi$ of $\mathrm{GL}_n(E)$, we verify the Jacquet conjecture in the modular setting that if the Langlands parameter $\phi_\pi$ is irreducible and conjugate-self-dual, then $\pi$ is either $\mathrm{GL}_n(F)$-distinguished or $(\mathrm{GL}_n(F),\omega_{E/F})$-distinguished (where $\omega_{E/F}$ is the quadratic character of $F^\times$ associated to the quadratic field extension $E/F$ by the local class field theory), but not both, which extends one result of Sécherre to the case $p=2$. We give another application of our lifting theorem for supercuspidal representations distinguished by a unitary involution, extending one result of Zou to $p=2$.

Mathematics

Yongquan Hu,Haoran Wang

2024-05-28

Abstract:Let $F$ be a totally real field in which $p$ is unramified and $B$ be a quaternion algebra which splits at at most one infinite place. Let $\overline{r}:\mathrm{Gal}(\overline{F}/F)\to \mathrm{GL}_2(\overline{\mathbb{F}}_p)$ be a modular Galois representation which satisfies the Taylor-Wiles hypotheses. Assume that for some fixed place $v|p$, $B$ ramifies at $v$ and $F_v$ is isomorphic to $ \mathbb{Q}_p$ and $\overline{r}$ is generic at $v$. We prove that the admissible smooth representations of the quaternion algebra over $\mathbb{Q}_p$ coming from mod $p$ cohomology of Shimura varieties associated to $B$ have Gelfand-Kirillov dimension $1$. As an application we prove that the degree two Scholze's functor vanishes on supersingular representations of $\mathrm{GL}_2(\mathbb{Q}_p)$. We also prove some finer structure theorem about the image of Scholze's functor in the reducible case.

Number Theory,Representation Theory