Using the Charlap-Coley-Robbins polynomials for computing isogenies
François Morain (GRACE)

TL;DR
This paper explores the use of Charlap-Coley-Robbins polynomials for computing elliptic curve isogenies, providing properties, formulas, and addressing issues with derivatives in modular polynomial methods.
Contribution
It introduces properties and formulas for Charlap-Coley-Robbins polynomials to improve isogeny computations, and investigates alternative modular polynomial approaches.
Findings
Properties of Charlap-Coley-Robbins polynomials established
Formulas for computing isogenous curves derived
Analysis of alternative modular polynomial methods conducted
Using the Charlap-Coley-Robbins polynomials for computing isogenies
François Morain
LIX - Laboratoire d’informatique de l’École polytechnique and GRACE - Inria Saclay–Île-de-France
Abstract.
The SEA algorithm for computing the cardinality of elliptic curves over finite fields in many characteristics uses modular polynomials. These polynomials come in different flavors, and methods to compute them have flourished. Once equipped with some modular polynomials for prime , algebraic formulas are used to compute a curve that is -isogenous to the curve of interest . These formulas involve derivatives of the modular polynomial that may sometimes vanish. One way to overcome this problem is to use alternative trivariate polynomials , , and introduced by Charlap, Coley and Robbins to overcome some difficulties in the first versions of Elkies’s approach. We give properties of these polynomials, as well as formulas to compute the isogenous curve that were sketched by Atkin. We also investigate another suggestion of Atkin using modular polynomials associated to a power product of Dedekind’s function.
The author is on leave from Délégation Générale pour l’Armement.
1. Introduction
Computing isogenies is the central ingredient of the Schoof-Elkies-Atkin (SEA) algorithm that computes the cardinality of elliptic curves over finite fields of large characteristic [20, 2, 10] and also [4]. More recently, it is used in post-quantum cryptography [8, 13, 6, 12] among others, as well as the cryptosystems [9, 19, 11].
Given a curve , we need to compute -isogenous curves for (small) prime ’s, starting from a root of some degree modular polynomial in . The coefficients of the isogenous curve together with the kernel polynomial of the isogeny are computed from partial derivatives of . This method works except in cases where one of the derivatives is zero. This is a theoretical as well as practical problem. An alternative to this is to use the original approach of Elkies [10], namely using algebraic relations for and . Another choice is to use the CCR polynomials introduced in [7], for the price of finding the roots of three degree polynomials instead of . Several methods for computing these polynomials, as well as rational representations of and are given in [15] (as well as the cited references in this article).
The aim of our work (which is closely related to [15]) is to give formulas to compute the necessary parameters for Elkies’s algorithms, using partial derivatives of , in the spirit of Atkin and following the suggestion in [2]. The same work is done for the alternate polynomial suggested by Atkin when .
The content is as follows. We review the SEA algorithm in Section 2, including formulas for Eisenstein series and introduce the CCR polynomials in Section 3. Section 4 is the central part of the article, working out the formulas giving the coefficients of the isogenous curve.
2. Schoof/Elkies/Atkin
2.1. Prerequisites
2.1.1. Division polynomials
For , multiplication of a point by positive on is given by
[TABLE]
where the polynomials satisfy
[TABLE]
and belong to . It is customary to simplify this using
[TABLE]
with first values
[TABLE]
[TABLE]
[TABLE]
The degree of is for odd and for even . If has weight , weight 2 and weight 3, all monomials in have the same weighted degree equal to the degree of .
2.1.2. Modular functions and such
Letting , one defines
[TABLE]
[TABLE]
[TABLE]
where denotes the sum of the -th powers of the divisors of . The series and are modular forms of weight and respectively. The function is not a modular form, but note that is a modular form of weight 2 for and trivial multiplier (see [18] and [3]).
When , we introduce the operator
[TABLE]
Several identities are classical:
[TABLE]
[TABLE]
to which we add the Ramanujan differential system:
[TABLE]
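The Ramanujan system can be checked exactly on truncated q-series. The Python code below is an added example, not part of the paper or of its SageMath script; it assumes the standard normalisations E2 = 1 - 24 Σ σ1(n) q^n, E4 = 1 + 240 Σ σ3(n) q^n, E6 = 1 - 504 Σ σ5(n) q^n and the right-hand sides used for `E2p`, `E4p`, `E6p` in the appendix script, and it also checks the consequence that E4^3 - E6^2 has logarithmic derivative E2.

```python
# Added example (not from the paper): exact check of the Ramanujan system
# on q-series truncated at q^N. N is an arbitrary choice made here.
N = 40

def sigma(k, n):
    """Sum of the k-th powers of the divisors of n."""
    return sum(d**k for d in range(1, n + 1) if n % d == 0)

def eisenstein(c, k):
    """Coefficients of 1 + c * sum_{n>=1} sigma_k(n) q^n, for n < N."""
    return [1] + [c * sigma(k, n) for n in range(1, N)]

def mul(a, b):
    """Product of two series, truncated at q^N (exact below q^N)."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j in range(N - i):
            out[i + j] += ai * b[j]
    return out

def sub(a, b):
    return [x - y for x, y in zip(a, b)]

def scale(c, a):
    return [c * x for x in a]

def theta(a):
    """The operator q d/dq: the coefficient of q^n is multiplied by n."""
    return [n * x for n, x in enumerate(a)]

# Standard normalisations (assumed; the displayed definitions did not survive above).
E2 = eisenstein(-24, 1)
E4 = eisenstein(240, 3)
E6 = eisenstein(-504, 5)

def ramanujan_residuals():
    """lhs - rhs of the three equations, with denominators cleared."""
    r2 = sub(scale(12, theta(E2)), sub(mul(E2, E2), E4))          # E2' = (E2^2 - E4)/12
    r4 = sub(scale(3, theta(E4)), sub(mul(E2, E4), E6))           # E4' = (E2*E4 - E6)/3
    r6 = sub(scale(2, theta(E6)), sub(mul(E2, E6), mul(E4, E4)))  # E6' = (E2*E6 - E4^2)/2
    return r2, r4, r6

def discriminant_series():
    """E4^3 - E6^2, which equals 1728 * Delta."""
    return sub(mul(E4, mul(E4, E4)), mul(E6, E6))

def log_derivative_residual():
    """theta(D) - E2*D for D = E4^3 - E6^2; all zero iff theta(D)/D = E2."""
    D = discriminant_series()
    return sub(theta(D), mul(E2, D))

if __name__ == "__main__":
    print(all(c == 0 for r in ramanujan_residuals() for c in r))
    print(discriminant_series()[:4])
    print(any(log_derivative_residual()))
```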
2.2. Schoof’s approach
Let be an elliptic curve of cardinality with by Hasse’s theorem. Schoof gave the first deterministic polynomial time algorithm to compute . The idea is to use the action of the Frobenius of on -division points to find via the characteristic equation modulo .
2.3. Using isogenies
Elkies and Atkin gave subsequent improvements to make Schoof’s algorithm efficient (and probabilistic) and usable in practice. Elkies described how to use isogenies to find factors of small degree of over a finite field, provided the Frobenius equation splits modulo . Using modular polynomials, Elkies worked out a procedure to compute all the parameters needed to build a degree isogeny from to some curve and the kernel polynomial of the isogeny, thereby giving the factor we need. Atkin designed his own route towards the same goal, putting the emphasis on the use of more modular equations for and its quotients.
One has (after renormalization):
[TABLE]
With a compatible scaling, we get
[TABLE]
More importantly, writing for the power sums of the roots of , we have
[TABLE]
Beyond this, Elkies proved that
[TABLE]
[TABLE]
together with an induction relation satisfied by other for . As a consequence and belong to since and do.
Given these quantities, there are several algorithms to get the isogeny. We refer to [5] for this.
3. The polynomials of Charlap-Coley-Robbins
3.1. Theory
We start from an elliptic curve and we fix some odd prime , putting . Our aim is to find the equation of an -isogenous curve .
Theorem 3.1.
There exist three polynomials , , in of degree in such that , respectively , .
Let us turn our attention to the properties of these polynomials.
Theorem 3.2.
When , the polynomials , , live in .
Proposition 3.3.
Assigning respective weights 1, 2, 3 to , , , the monomials in , and have generalized degree .
3.2. Computing isogenous curves over finite fields
When using , , , we need to find the roots of three polynomials of degree instead of . In general, if has rational roots (it should be 1, or ), then this is the case for each of , . For each triplet of solutions we need to test whether this leads to an isogeny or not. To speed up things, we may compute rational fractions for and as explained in [16] (see also [17, §7]). Another path was sketched by Atkin in [2], and this is what we describe next.
4. Revisiting CCR à la Atkin
The idea is to generalize the approach in [1, 2, 14], that is exploit -series identities to get the parameters , where we write for from now on.
4.1. Properties of
We write for readability and
[TABLE]
and propagate the notation to double derivatives.
The polynomial is homogeneous with weights, so that
[TABLE]
Note that partial derivatives of are also homogeneous polynomials and we find
[TABLE]
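The homogeneity argument can be checked on a small stand-in polynomial. The Python code below is an added example, not part of the paper or of its SageMath script; it takes a random polynomial that is homogeneous of weighted degree d for the weights 1, 2, 3 (a constructed polynomial, not an actual CCR polynomial) and recovers each diagonal second derivative from the mixed ones, which for d = ell + 1 (an assumption read off the script's `dss`, `d44`, `d66` lines) are exactly the relations used in the appendix.

```python
# Added example (not from the paper): Euler relations for a polynomial that is
# homogeneous for the weights 1, 2, 3 on (sigma, E4, E6). The polynomial is a
# random stand-in constructed here, not an actual CCR polynomial.
import random
from fractions import Fraction

WEIGHTS = (1, 2, 3)

def sample(d, seed=1):
    """Random polynomial {(a, b, c): coeff} with a + 2b + 3c = d, and a rational point."""
    rng = random.Random(seed)
    poly = {}
    for c in range(d // 3 + 1):
        for b in range((d - 3 * c) // 2 + 1):
            poly[(d - 2 * b - 3 * c, b, c)] = rng.randint(-9, 9)
    point = tuple(Fraction(rng.randint(1, 50), rng.randint(1, 50)) for _ in range(3))
    return poly, point

def diff(poly, i):
    """Formal partial derivative with respect to variable number i."""
    out = {}
    for exps, coeff in poly.items():
        if exps[i]:
            e = list(exps)
            e[i] -= 1
            out[tuple(e)] = coeff * exps[i]
    return out

def evaluate(poly, pt):
    return sum(c * pt[0]**a * pt[1]**b * pt[2]**k for (a, b, k), c in poly.items())

def euler_first_order(d, seed=1):
    """Return (sum_i w_i x_i dP/dx_i, d * P) at the sample point."""
    P, pt = sample(d, seed)
    lhs = sum(w * x * evaluate(diff(P, i), pt) for i, (w, x) in enumerate(zip(WEIGHTS, pt)))
    return lhs, d * evaluate(P, pt)

def diagonal_second_derivatives(d, seed=1):
    """For each variable: (diagonal derivative recovered from mixed ones, direct value)."""
    P, pt = sample(d, seed)
    pairs = []
    for i in range(3):
        Pi = diff(P, i)  # homogeneous of weighted degree d - WEIGHTS[i]
        mixed = sum(WEIGHTS[j] * pt[j] * evaluate(diff(Pi, j), pt)
                    for j in range(3) if j != i)
        recovered = ((d - WEIGHTS[i]) * evaluate(Pi, pt) - mixed) / (WEIGHTS[i] * pt[i])
        pairs.append((recovered, evaluate(diff(Pi, i), pt)))
    return pairs

if __name__ == "__main__":
    ell = 5  # with d = ell + 1 these are the script's dss, d44, d66 relations
    print(euler_first_order(ell + 1))
    print(diagonal_second_derivatives(ell + 1))
```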
4.2. Getting the isogenous curve from CCR polynomials
4.2.1. Finding
Proposition 4.1.
The value of is given by
[TABLE]
Proof: We differentiate (using (1)) to get
[TABLE]
We differentiate leading to
[TABLE]
Replace by to get
[TABLE]
that we plug in (9) together with the expressions for and from equation (4) to get a polynomial of degree 1 in whose coefficient of is
[TABLE]
which we recognize in (5). Therefore, we get
[TABLE]
from which we deduce since .
4.2.2. Finding
Proposition 4.2.
The value of may be written
[TABLE]
where is some polynomial of degree 3 in and given at the end of the proof.
Proof: We differentiate (9).
[TABLE]
We compute in sequence
[TABLE]
[TABLE]
which give us the value
[TABLE]
to be used in (11). Differentiating relations of (4), we get
[TABLE]
to be used in lines (12) and (13) respectively. We replace by its value from (10), and using . This finally yields an expression as polynomial in :
[TABLE]
The unknown is to be found in only.
By luck(?)
Proposition 4.3.
The coefficients and vanish for a triplet such that .
Sketch of the proof: The strategy to prove this is the same in both cases. Replace , and by their values from (6). Factoring the resulting expressions yields the same factor , which cancels and . We add a SageMath script for the convenience of the reader as an appendix to this work.
We are left with
[TABLE]
where is a polynomial of degree 3 in
[TABLE]
The coefficient is heavy looking and we give slightly factored as a polynomial in :
[TABLE]
4.2.3. Numerical example
Consider over and . Using
[TABLE]
we select and compute
[TABLE]
from which , . After tedious computations, we find .
4.3. The case
In this case, Atkin suggests to replace with , where is Dedekind’s function. The corresponding modular polynomial can be computed using the techniques described in [15]. For instance (using the basis with , and ):
[TABLE]
[TABLE]
which is sparser than .
4.3.1. Some properties of
Let (resp. ) be the maximal power of (resp. ) of the coefficients of that we found experimentally
[TABLE]
It seems that should be a more sensible choice, leading to having integer coefficients.
We have formulas analogous to (6), due to the corresponding homogeneity property
[TABLE]
4.3.2. Computing , and
Proposition 4.4.
The value of is
[TABLE]
Proof: Remark that and therefore we deduce the discriminant of the isogenous curve. We have also (using (3)):
[TABLE]
from which we deduce . Again, is homogeneous with weight , so that we have identities similar to those for . In particular
[TABLE]
Starting from , and replacing by the known values, we find
[TABLE]
which is
[TABLE]
and this gives us the result.
Proposition 4.5.
The value of is given by
[TABLE]
where is a polynomial given at the end of the proof.
Proof: We differentiate to obtain:
[TABLE]
We inject this, together with the diagonal derivatives of (14) and , into
[TABLE]
to get a polynomial of degree 2 in whose coefficients of degree 2 and 1 turn out to vanish. We are left with
[TABLE]
where
[TABLE]
Finally, we remark that satisfies
[TABLE]
the latter relation coming from applying the Atkin-Lehner involution to the modular form for . The gcd of these two polynomials should reveal . In the rare case where this gcd has degree 2 (which would imply two elliptic curves being isogenous to ), we would be forced to use higher differentials, which would look like a formidable task.
4.3.3. Numerical example
Consider over . The polynomial has two roots: and . We take . We first compute . Then . The gcd of the two polynomials in (21) has degree 1 and root .
5. Conclusions
We have completed the task suggested by Atkin for using the CCR polynomials in building isogenies. All these formulas require multiplications in the base field, due to the computation of partial derivatives of polynomials of degree . Note that this is the same cost as using the rational fractions giving and , but less storage is needed.
As a consequence, we have several algorithms and formulas to be used, depending on the practical problem to be solved.
Appendix A A script to check the computations
This SageMath [21] script can also be downloaded from the author’s web page.
```sage
# This script is devoted to the computation and verification of several
# identities related to CCR polynomials using the notations of the preprint.

# one ring to rule them all
R.<ell,E2,E4,E6,sigma,E4t,E6t,d4,d6,s,ds,ds4,ds6,d46,f,df,df4,df6> = PolynomialRing(Rationals(),18)

########## The CCR case

# returns ell^-4 * ds^-1 * (-12*ell*E4^2*d6 + …)
def check_E4t():
    E4p=(E2*E4 - E6)/3
    E6p=(E2*E6-E4^2)/2
    E2p=(E2^2-E4)/12
    E2t=(E2+2*sigma/ell)/ell
    sigp=ell/24*(4*sigma^2/ell^2+4*sigma/ell*E2-(ell^2*E4t-E4))
    tmp=sigp*ds+E4p*d4+E6p*d6
    tmp=tmp.numerator()
    print("degree(tmp, E2)=", tmp.degree(E2))
    # check that coeff of E2 is zero
    c1=tmp.coefficient({E2:1})
    # is a multiple of (2*E4*d4 + 3*E6*d6 + sigma*ds), hence 0
    print("c1=", c1.factor())
    # find E4t as a root of constant coefficient
    e4t=tmp.coefficient({E2:0})
    e4t=-e4t.coefficient({E4t:0})/e4t.coefficient({E4t:1})
    # e4t contains the value of E4t
    return e4t.factor()

# returns
# ell^-6 * ds^-3 * sigma^-1 * E6^-1 * E4^-1 * (-18*ell^3*E4^5*E6*d6^2*ds+…)
def check_E6t():
    e4t=check_E4t()
    E4p=(E2*E4 - E6)/3
    E6p=(E2*E6-E4^2)/2
    E2p=(E2^2-E4)/12
    E2t=(E2+2*sigma/ell)/ell
    sigp=ell*(4*sigma^2/ell^2+4*sigma/ell*E2-(ell^2*e4t-E4))/24
    # more derivatives
    E4pp=1/3*(E2p*E4+E2*E4p-E6p)
    E6pp=1/2*(E2p*E6+E2*E6p-2*E4*E4p)
    # crucial values
    E4tp=1/3*(E2t*e4t-E6t)
    E2tp=(E2t^2-e4t)/12
    E2pp=1/12*(2*E2*E2p-E4p)
    E2tpp=1/12*(2*E2t*E2tp-E4tp)
    sigpp=ell*(ell^3*E2tpp-E2pp)/2
    # inject diagonal derivatives
    dss = (ell*ds -2*E4*ds4 -3*E6*ds6)/sigma
    d44 = ((ell-1)*d4-sigma*ds4-3*E6*d46)/(2*E4)
    d66 = ((ell-2)*d6-sigma*ds6-2*E4*d46)/(3*E6)
    # starting point
    tmp= sigpp*ds+sigp*(sigp*dss+E4p*ds4+E6p*ds6)
    tmp=tmp + E4pp*d4+E4p*(sigp*ds4+E4p*d44+E6p*d46)
    tmp=tmp + E6pp*d6+E6p*(sigp*ds6+E4p*d46+E6p*d66)
    tmp=tmp.numerator()
    c2=tmp.coefficient({E2:2})
    print("E6t.c2=", c2.factor())
    c1=tmp.coefficient({E2:1})
    print("E6t.c1=", c1)
    c0=tmp.coefficient({E2:0})
    e6t=-c0.coefficient({E6t:0})/c0.coefficient({E6t:1})
    return e6t.factor()

########## The case of ell = 11 mod 12, Atkin's variant

def check11_sigma():
    # R.<ell,E2,E4,E6,sigma,d4,d6,f,df>=PolynomialRing(Rationals(),9)
    tmp=2*E4*d4+3*E6*d6+f*df
    E4p=(E2*E4 - E6)/3
    E6p=(E2*E6-E4^2)/2
    E2p=(E2^2-E4)/12
    E2t=(E2+2*sigma/ell)/ell
    fp=f/12*(ell*E2t+E2)
    tmp=fp*df+E4p*d4+E6p*d6
    tmp=tmp.numerator()
    # check that coeff of E2 is zero
    c1=tmp.coefficient({E2:1})
    # is a multiple of (2*E4*d4 + 3*E6*d6 + f*df), hence 0
    print("c1=", c1.factor())
    # find sigma as a root of constant coefficient
    sig=tmp.coefficient({E2:0})
    sig=-sig.coefficient({sigma:0})/sig.coefficient({sigma:1})
    # sig contains the value of sigma
    return sig.factor()

# returns
# (-1) * df^-3 * f^-2 * ell^-2 * E6^-1 * E4^-1 * (-36*ell*E4^5*E6*d6^2*df+…)
def check11_E4t():
    sig=check11_sigma()
    E4p=(E2*E4 - E6)/3
    E6p=(E2*E6-E4^2)/2
    E2p=(E2^2-E4)/12
    E2t=(E2+2*sig/ell)/ell
    fp=f/12*(ell*E2t+E2)
    fpp=f/12^2*((ell*E2t+E2)^2+ell^2*(E2t^2-E4t)+(E2^2-E4))
    E4pp=1/3*(E2p*E4+E2*E4p-E6p)
    E6pp=1/2*(E2p*E6+E2*E6p-2*E4*E4p)
    # inject diagonal derivatives
    dff = ( ell*df-2*E4*df4 -3*E6*df6)/f
    d44 = ((ell-1)*d4-f*df4-3*E6*d46)/(2*E4)
    d66 = ((ell-2)*d6-f*df6-2*E4*d46)/(3*E6)
    tmp= fpp*df+ fp*(fp*dff+E4p*df4+E6p*df6)
    tmp=tmp + E4pp*d4+E4p*(fp*df4+E4p*d44+E6p*d46)
    tmp=tmp + E6pp*d6+E6p*(fp*df6+E4p*d46+E6p*d66)
    tmp=tmp.numerator()
    print("degree(tmp, E2)=", tmp.degree(E2))
    c2=tmp.coefficient({E2:2})
    print("E4t.c2=", c2.factor())
    c1=tmp.coefficient({E2:1})
    print("E4t.c1=", c1)
    c0=tmp.coefficient({E2:0})
    e4t=-c0.coefficient({E4t:0})/c0.coefficient({E4t:1})
    return e4t.factor()
```
References
- [1] A. O. L. Atkin. The number of points on an elliptic curve modulo a prime. Draft, 1988.
- [2] A. O. L. Atkin. The number of points on an elliptic curve modulo a prime (II). Draft. Available on http://listserv.nodak.edu/archives/nmbrthry.html, 1992.
- [3] Bruce C. Berndt. Ramanujan’s formulas for Eisenstein series. In Number theory and related topics (Bombay, 1988), volume 12 of Tata Inst. Fund. Res. Stud. Math., pages 23–29. Tata Inst. Fund. Res., Bombay, 1989.
- [4] I. Blake, G. Seroussi, and N. Smart. Elliptic curves in cryptography, volume 265 of London Math. Soc. Lecture Note Ser. Cambridge University Press, 1999.
- [5] A. Bostan, F. Morain, B. Salvy, and É. Schost. Fast algorithms for computing isogenies between elliptic curves. Math. Comp., 77(263):1755–1778, 2008.
- [6] Wouter Castryck, Tanja Lange, Chloe Martindale, Lorenz Panny, and Joost Renes. CSIDH: an efficient post-quantum commutative group action. In Thomas Peyrin and Steven D. Galbraith, editors, Advances in Cryptology - ASIACRYPT 2018 - 24th International Conference on the Theory and Application of Cryptology and Information Security, Brisbane, QLD, Australia, December 2-6, 2018, Proceedings, Part III, volume 11274 of Lecture Notes in Computer Science, pages 395–427. Springer, 2018.
- [7] L. S. Charlap, R. Coley, and D. P. Robbins. Enumeration of rational points on elliptic curves over finite fields. Draft; a copy is available at http://www.lix.polytechnique.fr/Labo/Francois.Morain/Introuvables/Drafts/ccr.pdf, 1991.
- [8] Denis Xavier Charles, Kristin E. Lauter, and Eyal Z. Goren. Cryptographic hash functions from expander graphs. J. Cryptol., 22(1):93–113, 2009.
