RU2541938C1 - Weber function cycle-based quantum attack-secure encryption method - Google Patents

Abstract

FIELD: radio engineering, communication.

SUBSTANCE: Weber function-based quantum attack-secure encryption method employs Weber function cycles for elliptical curves on a number comparable with 1 modulo 8, and the cycles are determined by low-order Elkies isogenies. The next value of the Weber function is found as a root of an integer-valued symmetrical multinomial. The secret key is a list of integers (N₁, …, N_k), where N_i is the number of steps performed per cycle of Weber functions for an Elkies isogeny of the order l_i, and the public key is a value of the Weber function of the last isogeny. A positive direction on the cycle is given during the first calculation of the Weber function for the isogeny of the order l. To this end, the isogeny core is selected as divider of the power of the (l-1)/2 l-th division polynomial which determines the minimum expansion ratio in which points of the core lie, and the three most-significant coefficients of the polynomial, which defines the core, are used to calculate coefficients of the isogenic image of the elliptical curve. Steps on the cycle are performed according to the sign of the number N_i.

EFFECT: protection from quantum attacks.

3 cl, 2 dwg

Description

The invention relates to telecommunications and computer engineering, in particular to the field of cryptographic protection of electronic data transmitted over telecommunication networks and computer networks using isogeny of elliptic curves, and can be used in data transmission systems. The specific terms used in this description are explained in Appendix 1.

Known systems of cryptographic protection - electronic digital signature (EDS) of an electronic document based on elliptic curves [GOST R 34.10-2001. Cryptographic information security. The processes of formation and verification of electronic digital signatures. Gosstandart of Russia, M., 2001]; [ANSI X9.62. Public Key Cryptography for the Financial Services Industry, The Elliptic Curve Digital Signature Algorithm (ECDSA), 2005, http://www.comms.scitech.susx.ac.uk/fft/crypto/ecdsa.pdf], which includes the formation and EDS checks. These EDS standards are essentially variants of El-Gamal EDS schemes [ElGamal T. A public-key cryptosystem and a signature scheme based on discrete logarithms // IEEE Transactions on Information Theory. 1985. Vol. IT-31. P.469-472.] And Schnorr [Schnorr C.P. Efficient identification and signatures for smart cards // Advances in Cryptology - CRYPTO ′89. Lecture Notes in Computer Science. Springer-Verlag. 1990. Vol. 435. P.239-252.]. There is also a method of cryptographic data protection, which consists in encryption with a public key based on elliptic curves [Rostovtsev AG, Makhovenko EB Theoretical cryptography, St. Petersburg, NPO Professional, 2005, available from http://progbook.net/seti/kriptograf/1568-teoreticheskava_kriptografiya.html].

A known method of data encryption using isogeny of elliptic curves [Zhao, Venkatesan. The use of isogeny for the development of cryptosystems, patent RU No. 2376651, US patent No. 7499544]. Here, isogeny is considered as a mapping of points of one elliptic curve to points of another elliptic curve.

The safety of the indicated technical solutions is based on the complexity of solving the discrete logarithm problem on an elliptic curve: for points P, Q of the elliptic curve, find an integer l such that P = lQ. It is known that a quantum computer of sufficiently large capacity (approximately 3000 qubits) can effectively solve such problems [http://en.wikipedia.org/wiki/Elliptic_curve_cryptography]. Therefore, the known methods do not provide security with respect to quantum attacks.

Other well-known public key cryptosystems (RSA, cryptosystem on a group of quadratic order classes, cryptosystems on hyperelliptic curves [A. Menezes, P. Van Oorchot, S. Vanstone. Handbook of applied cryptography, CRC press, 1996]) are also vulnerable to quantum attacks [Rostovtsev A.G., Makhovenko E.B. Theoretical cryptography, St. Petersburg, NPO Professional, 2005]. Such cryptosystems are also vulnerable to quantum attacks, for example, the Shor algorithm [Hughes R.J. Quantum computation. Technical report LA-UR-98-288, 1998].

The Canadian company D-wave has mastered the production of 128-qubit quantum computers [www.dwavesys.com/en/priducts-services.html] and is working to increase their bit depth. Thus, the security of known methods of cryptographic information protection is at risk. There is a need for new methods of cryptographic data protection that are resistant to quantum attacks.

In known EDS systems, the processed data is represented by a bit string or a set of bit strings. A bit string (BS) is understood as an electromagnetic signal in digital binary form, the parameter of which is the number of bits and the order of zero and single values. Bit strings allow concatenation, logical and arithmetic operations. Cryptographic data protection consists of performing operations with the BS (BS transformations and performing operations with the BS) and is performed using computing devices, such as personal computers or smart cards [available from http://www.aloaha.com/press_en/elliptic-curves -and-sha-256-support.php].

в случае D≡1 (mod 8).An elliptic curve over a finite field of p elements, where p is a prime number, consists of points defined by the equation y ² = x ³ + Ax + B (mod p) and the point P _∞ . The points of elliptic curves admit the addition operation with the zero element P _∞ = (0, 1, 0). The division polynomials f _l (x) turn to 0 if and only if the x-coordinate of a point of order l is the root of this polynomial. The elliptic curve is characterized by its invariant j, the Frobenius discriminant Dc ² for integer c and the corresponding number of classes (see Appendix 1), as well as the value of the Weber function g satisfying the equation $$j=\frac{{\left(g^{24}-16\right)}^3}{g^{24}}$$

in the case D≡1 (mod 8).

Isogeny of elliptic curves is a map E ₁ → E ₂ defined by rational functions, keeping the point P _∞ fixed and converting the sum of points on E ₁ to the sum of points on E ₂ , isogeny is characterized by its degree (coprime to p). Isogeny corresponds to a mapping of Weber functions g (E ₁ ) → g (E ₂ ). If the isogeny E ₁ → E ₂ exists, then the elliptic curves E ₁ , E ₂ have the same Frobenius discriminants.

There are integer symmetric modular polynomials Φ _l (U, V) turning to 0 if the variables take the value of j-invariants of elliptic curves between which there is an isogeny of degree l [US patent No. 7623655, H04L 9/14]. The disadvantage of these polynomials is the large length of the coefficients and the large number of terms, which complicates their use in information protection systems. An isogeny of prime odd degree l is an isogeny of Elkis if the Frobenius discriminant of the elliptic curve is a square modulo l.

The method [patent RU No. 2376651, G09C 1/00] "Using isogeny for the development of cryptosystems", duplicating the above US patent No. 7499544, was adopted as a prototype.

Essential features of the prototype.

A method for encrypting messages, comprising: generating an isogeny mapping a plurality of points of a first elliptic curve onto a second elliptic curve, publishing a public key corresponding to isogeny, encrypting the message using a key corresponding to isogeny, and decrypting the encrypted message with a decryption key corresponding to isogeny, wherein at least one of the keys is secret and is a dual isogeny to the initial isogeny (claim 1 of the formula).

A method for decrypting messages, comprising publishing a public key corresponding to isogeny that maps the set of points of the first elliptic curve to a second elliptic curve, and decrypting the encrypted message with the decryption key corresponding to isogeny, wherein the decryption key is a dual isogeny to said isogeny (claim 12 of the formula )

The method according to claim 1, further comprising forming a plurality of modular isogeny without disclosing intermediate curves, (claim 9 of the formula). Moreover, the modular isogeny is determined by the authors based on the modular curve X ₀ (l).

первой эллиптической кривой для дуальной изогении $$\hat{\varphi }$$

.Identification Encryption (IBE) using isogeny, in which the public key is the point T∈E _{2 of the} second elliptic curve, and the secret key is the point $$S=\hat{\varphi }(T)$$

first elliptic curve for dual isogeny $$\hat{\varphi }$$

.

The prototype considers isogeny as a map of the points of the first elliptic curve to the second elliptic curve. Here, isogeny is used to accelerate the known methods of cryptographic data protection - public key encryption on an elliptic curve and calculation of the Weil / Tate pairing. These known methods are based on the task of computing a discrete logarithm on an elliptic curve and are therefore vulnerable to quantum attacks, therefore, the prototype, as their accelerated version, does not provide security with respect to quantum attacks. This fact is the disadvantage of the prototype, which is eliminated in the claimed method.

The technical task of the proposed solution is to develop a public key encryption method that provides protection against quantum attacks.

The problem is achieved in that the data being processed are represented by Weber functions of isogenic elliptic curves over a finite field, and the data processing consists in displaying Weber functions by moving along the cycles of Weber functions, while the Frobenius discriminant of the elliptic curve is equal to the product of the square of an integer and a number comparable to 1 modulo 8.

Figure 1 shows a series of Weber functions for isogeny of degree l _1; figure 2 shows a cycle of Weber functions for isogeny of another degree l ₂ .

The claimed method considers a mapping of Weber functions, which is determined by isogeny of small simple powers l and integer symmetric polynomials W _l for the Weber function, which are analogues of the classical modular polynomials Φ _l for the function j. The amount of memory for storing the polynomial W _{l is} approximately 1000 times less than for storing the polynomial Φ _l , due to the reduction in the number of nonzero coefficients and their length. The information processing time using the polynomial Ф _l , W _{l is} proportional to the square of its length. Therefore, the speed of data processing using Weber functions is millions of times greater than when using classical modular polynomials.

The following are the essential features of the proposed method.

1. An encryption method with protection against quantum attacks based on Weber function cycles, in which the message is encrypted using the public key and the encrypted message is decrypted using a secret key containing the first elliptic curve and the second elliptic curve with the same Frobenius discriminants corresponding to the public key, and mapping the first elliptic curve into the second elliptic curve corresponding to the secret key, characterized in that the elliptic curves are set by the values of fun Weber’s relations, the secret key being defined as a chain of mappings of Weber functions corresponding to Elkis isogeny of degrees l_one, ..., l_kdefined by the set of integers N_one, ..., N_kwhere N_i is the number of steps along the cycle of Weber functions for the isogeny of the degree, with the next value of the Weber function g_{i + 1} defined as the root of the symmetric polynomial of two variables when replacing one variable with the previous value of the Weber function g_i, and upon transition to isogeny of the next degree, a positive direction on the cycle is set, for this a polynomial defining the core of isogeny is found, and steps along the cycle are performed in the direction corresponding to the sign of the number N_i.

2. The method according to claim 1, characterized in that the Frobenius discriminant is chosen equal to the product of the square of an integer by a number comparable to 1 modulo 8.

3. The method according to claim 1, characterized in that the core of isogeny is defined by a polynomial for which the points of the core lie in an extension of the minimum degree, and the Weber function corresponding to the positive direction is found from its coefficients.

The fundamental difference between the prototype and the claimed method is as follows.

- The prototype is vulnerable to quantum attacks, but no effective quantum attacks were found for the claimed method.

- In the prototype, the encrypted data is represented by the coordinates of the point of the elliptic curve, which complicates the encryption of arbitrary text, and in the claimed method by an arbitrary non-zero element.

- The security of the prototype is based on the discrete logarithm problem on an elliptic curve, for the solution of which there is an effective quantum algorithm, and the safety of the claimed method is based on the problem of computing isogeny between elliptic curves, which at present cannot be solved on a quantum computer.

These essential features of this method make it possible to build public-key cryptosystems by analogy with the well-known cryptosystem Diffie-Hellman and El-Gamal (see [A. Menezes, P. Van Oorchot, S. Vanstone. Handbook of applied cryptography, CRC press, 1996] ) Today, efficient algorithms for a conventional or quantum computer have not been created that violate the security of the proposed cryptosystem. This suggests that the proposed method provides resistance to quantum attacks.

The basis of the claimed method is the procedure for calculating a chain of N ≠ 0 mappings of a simple odd degree l of the Weber function for the initial elliptic curve E (F _p ) (the integer N can be positive and negative), which is performed as follows.

- For the elliptic curve E (F _p ) calculate the value of the Weber function g ₀ modulo p. The variable g is assigned the index i = 0 and the value g.

- To select a positive direction, perform the following steps.

- Determine the smallest degree of expansion n _{l of the} field F _p in which the core of the isogeny of degree l of the curve E (F _p ) lies and the smallest degree of expansion of m _{l of the} field in which the core of the isogeny of the twisted curve lies.

, и находят ядро изогении.- Find the divisors of the division polynomial f _l (x), the degree of which is a divisor of the number $$\frac{l-\mathrm{one}}{2}$$

, and find the core of isogeny.

- Based on the found isogeny core, the Weber function g ′ of the isogenic elliptic curve, which sets the positive direction, is calculated.

- If N = 1, then the result is g. If N = -1, then choose one of the two roots of the polynomial W _l (U, g), which is different from g ′.

- If N = ± 1, then the roots g ₀ , g _{2 of the} polynomial W _l (U, g ₁ ) (mod p) are found and the variable g is assigned index 2 and the value g ₂ .

- If N = ± 2, then the result is g ₂ , otherwise step 4 is repeated recurrently, with the next index being assigned to the variable g and the root g _{i of the} polynomial W _l (U, g _i-1 ) (mod p) is calculated until obtained i = N. Result: g _N.

If it is necessary to calculate the chain of mappings of Weber functions for isogenies of several degrees l ₁ , l ₂ , ..., l _k , consisting of N _i isogenies l _i , then for each isogeny the above calculations are performed, and the value found is used as the initial value g ₀ at the previous stage.

Since the product of isogeny is commutative and associative, the sequence of their calculations does not affect the result. For example, if you need to calculate a chain of mappings of Weber functions given by three isogenies of degree l ₁ and two isogenies of degree l ₂ , then the sequences (l ₁ , l ₁ , l ₁ , l ₂ , l ₂ ), (l ₂ , l ₁ , l ₁ , l ₂ , l ₁ ), (l ₁ , l ₂ , l ₂ , l ₁ , l ₁ ), etc. will give the same result.

When using isogeny of degree l _1, the Weber functions form a cycle whose length is a divisor of the number of classes, for example, for h = 7 (see Fig. 1).

We set the positive direction g ₁ → g ₂ clockwise, then the negative direction g ₁ → g ₇ corresponds to dual isogeny.

When using isogeny of a different degree l _2, the Weber functions also form a cycle, but the vertices are connected in a different order (see Fig. 2).

We define a positive direction by the map g ₁ → g ₄ . Then one step of isogeny of degree l ₂ corresponds to three steps of isogeny of degree l ₁ , and one step of isogeny of degree l ₁ corresponds to five steps of isogeny of degree l ₂ . When combining cycles specified by isogenes of degrees l ₁ and l ₂ , we get a star.

Thus, the Weber function loops used define the star. If the number of classes is very large (which takes place in cryptography), then the number of vertices of the star is boundless. Moreover, the step length on the star for the isogeny of one degree compared to another degree is difficult to compute.

The key exchange when using isogeny is built by analogy with the Diffie-Hellman system. Two users A, B agree on the use of the initial elliptic curve E (F _p ), for which the number of classes of the Frobenius discriminant is large. In addition, both users have a library of modular polynomials {W ₁ , ..., W _k } for the Weber function, consisting of polynomials W _l for odd simple l, modulo of which the Frobenius discriminant D is a square, a library of division polynomials f _l for the same l for each of k isogeny, while the degree of the polynomial defining the kernel is determined for the isogeny of each degree. If the expansion of the division polynomial contains several polynomials of the same degree, then the positive direction is given by the kernel for which the y-coordinate lies in the field of minimal degree of expansion.

To establish a session key, user A selects small random integers {N _l , ..., N _k } from the number of modular polynomials in his library. User A uses the value of the Weber function g _{0 of the} initial elliptic curve as the initial value. It calculates the chain as described above and sends the result g _{A to} user B.

User B selects independently random numbers {M ₁ , ..., M _k }, computes the isogeny chain for the initial value g _0, and sends the result g _B to user A.

User A, using g _B as the initial value, calculates a chain of isogenies of lengths {N ₁ , ..., N _k }, equivalent to the chain {M ₁ + N ₁ , ..., M _k + N _k } for the initial value of g ₀ and obtains the result g _AB . User B, using g _A as the initial value, calculates a chain of isogenies of lengths {M ₁ , ..., M _k }, equivalent to the chain {N ₁ + M ₁ , ..., N _k + M _k } for the initial value g ₀ and obtains the result is g _AB . Both users use the obtained value g _AB as a session key.

, полученное применением к эллиптической кривой цепочки изогений длин {N₁, …, N_k}. Секретным ключом является набор длин {N₁, …, N_k}.Public key encryption is performed as follows. The public key is the elliptic curve E (F _p ) with the value of the Weber function g ₀ , the set of isogenies {l _1, ..., l _k }, the value of the Weber function $${\underset{\_}{g}}_{\underset{\_}{A}}$$

obtained by applying to an elliptic curve a chain of isogenies of length {N ₁ , ..., N _k }. The secret key is a set of lengths {N ₁ , ..., N _k }.

To encrypt text m using the public key, the sender generates a random chain of isogeny lengths {M ₁ , ..., M _k }, calculates the chain of these isogenies for the initial value of g ₀ , obtains the value of g _B , calculates the chain of the same isogenies for the initial value of g _A , gets the result g _AB , calculates the value s≡m * g _AB (mod p). The ciphertext is the pair (g _B , s).

To decrypt the ciphertext, the owner of the secret key calculates a chain of isogenous degrees {N ₁ , ..., N _k } for the initial value g _B and obtains g _AB . Then it computes m≡s * g _AB ^-1 (mod p).

The claimed method allows you to authenticate messages according to the scheme without dialogue evidence with zero knowledge.

To calculate the coefficients of the isogenic image of an elliptic curve, you can use numerous well-known factorization algorithms. For example, the product of linear divisors of the polynomial F (U) is equal to the largest common divisor of polynomials: GCD (F (U), U ^p -U) and is quickly calculated by the Euclidean algorithm [A. Menezes, P. Van Oorchot, S. Vanstone. Handbook of applied cryptography, CRC press, 1996].

The division polynomials f _l (x) and the modular polynomials W _l (U, V) for Weber functions are computable, for example, [math.mit.edu/~drew/WeberModPolys.htm]. So, the modular polynomials W _l for isogenies of degree l = 5, 7, 11, 13, 17, 29 have the form:

W ₅ = U ⁶ + V ⁶ -U ⁵ V ⁵ + 4UV;

W ₇ = U ⁸ + V ⁸ -U ⁷ V ⁷ + ⁷ U ⁴ V ⁴ -8UV;

W ₁₁ = U ¹² + V ¹² -U ¹¹ V ¹¹ + 11U ⁹ V ⁹ -44U ⁷ V ⁷ + 88U ⁵ V ⁵ -88U ³ V ³ + 32UV;

W ₁₃ = U ¹⁴ + V ¹⁴ -U ¹³ V ¹³ + 13U ¹² V ² + 13U ² V ¹² + 52U ¹⁰ V ⁴ + 52U ⁴ V ¹⁰ + 78U ⁸ V ⁶ + 78U ⁶ V ⁸ + 64UV;

W ₁₇ = U ¹⁸ + V ¹⁸ -U ¹⁷ V ¹⁷ + 17U ¹⁶ V ¹⁰ + 17U ¹⁰ V ¹⁶ -34U ¹⁵ V ³ -34U ³ V ¹⁵ + 34U ¹³ V ¹³ + 119U ¹² V ⁶ + 119U ⁶ V ¹² + 340U ⁹ V ⁹ + 272U ⁸ V ² + 272U ² V ⁸ + 544U ⁵ V ⁵ -256UV;

W ₂₉ = U ³⁰ + V ³⁰ -U ²⁹ V ²⁹ + 29U ²⁹ V ⁵ + 29U ⁵ V ²⁹ + 261U ²⁸ V ¹⁰ + 261U ¹⁰ V ²⁸ + 783U ²⁷ V ¹⁵ + 783U ¹⁵ V ²⁷ + 667U ²⁷ V ²⁰ + 667U ²⁰ V ²⁷ -116U ²⁵ V-116UV ² + 203U ²⁵ V ²⁵ + 5365U ²⁴ V ⁶ + 5365U ⁶ V ²⁴ -5713U ²² V ¹⁶ -5713U ¹⁶ V ²² -1334U ²¹ V ²¹ + 4716U ²⁰ V ² + 4716U ² V ²⁰ + 37642U ¹⁸ V ¹² + 37642U ¹² V ¹⁸ + 12470U ¹⁷ V ¹⁷ -50112U ¹⁵ V ³ -50112U ³ V ¹⁵ -91408U ¹⁴ V ⁸ -91408U ⁸ V ¹⁴ -49880U ¹³ V ¹³ + 170752U ¹⁰ V ⁴ + 170752U ⁴ V ¹⁰ + 85376U ⁹ V ⁹ -207872U ⁵ V ⁵ + 16384UV

полинома деления f_l(x). Обозначим этот делительThe direction on the isogeny cycle is given by the following simplification of Velu's formulas. Let the initial elliptic curve be given by the equation y ² = x ³ + Ax + B, and its image for the isogeny of degree l be given by the equation y ² = x ³ + A ₁ x + B ₁ . x-coordinates of points of the core of the isogeny of degree l - are set by a divisor of degree $$d=\frac{l-\mathrm{one}}{2}$$

division polynomial f _l (x). Denote this divider

h _l (x) = x ^d + c ₁ x ^d-1 + c ₂ x ^d-2 + c ₃ x ^d-3 + ... + c _d

The coefficients A ₁ , B _{1 of the} isogenic image of the elliptic curve are equal to:

A ₁ ≡-A (10d-1) -30 (c ₁ ² + 2c ₂ ) (mod p);

B ₁ ≡-B (28d-1) +70 (s ₁ ³ + 3c ₁ c ₂ + 3c ₃ ) + 42Ac ₁ (mod p).

The positive direction on the isogeny cycle can be specified differently, for example, by choosing one of two possible values of the Frobenius map for a given isogeny kernel [Elkies N. Elliptic and modular curves over finite fields and related computational issues. Computational Perspectives on Number Theory: Proceedings of a Conference in Honor of A.O.L. Atkin (D. A. Buell and J. T. Teitelbaum, eds .; AMS / International Press, 1998), p.21-76]. These values are the same for all isogenic elliptic curves and can be determined in advance (be part of the software that implements the cryptosystem).

For practical applications, the number of classes h should be large enough so that enumeration of all isogenic elliptic curves is impossible, for example, h> 2 ²⁵⁶ . For this number p, D should have a length of approximately 500-550 bits.

, в общем случае N_max=(h*2^-k)^1/k. Если h≈2²⁵⁶, то при k=50 получаем N_max≈18, если K=80, то N_max≈5. Поскольку случайный дискриминант является квадратом по модулю l_i примерно для половины простых чисел l_i, а случайное число l является простым с вероятностью $$\frac{1}{\ln l}$$

, то при использовании 50 малых простых l_i получаем максимальную степень используемой степени изогении l_max≈547. Соответствующий симметрический полином W_l(U, V) имеет длину 869 килобайт.The number of isogeny k used and the maximum length N _max isogeny of each length is estimated from the condition that almost every value of the Weber function from h possible values can be obtained by changing the length of the chains. If the number of degrees of isogeny used is k = 1, then N _max = h / 2, if k = 2, then $$N_{\max }\sqrt{h/\mathrm{four}}$$

, in the general case, N _max = (h * 2 ^-k ) ^{1 / k} . If h≈2 ²⁵⁶ , then at k = 50 we get N _max ≈18, if K = 80, then N _max ≈5. Since the random discriminant is the square modulo l _i for about half of the primes l _i , and the random number l is prime with probability $$\frac{\mathrm{one}}{\ln l}$$

then using 50 small primes l _i we get the maximum degree of isogeny used l _max ≈547. The corresponding symmetric polynomial W _l (U, V) has a length of 869 kilobytes.

Consider examples of the implementation of the claimed method for small numbers p.

Example 1. Weber function cycles. The initial elliptic curve is given by the equation y ² = x ³ + x + 3 (mod 971) and has parameters D = -2588, j = 42, the number of classes h = 23, the Weber function is g = 466.

The discriminant D is a nonzero square modulo l = 7, 13, 17. We use the polynomials W ₇ , W ₁₃ , W ₁₇ .

For the isogeny of degree 7, the modular polynomial W ₇ (U, g) has two roots modulo p: 92 and 881. We substitute the value 881, the polynomial W ₇ (U, 881) has two roots: 466, corresponding to the previous value, and 701, the new cycle element. We continue this procedure further and obtain a cycle of Weber functions of degree 7 of length h for the direction given by the root 881: (466, 881, 701, 120, 300, 397, 952, 108, 697, 140, 411, 839, 812, 903, 171 , 374, 639, 963, 459, 613, 545, 71, 92).

For the isogeny of degree 13, the modular polynomial W ₁₃ (U, g) has two roots modulo p: 300 and 613. We construct a cycle of Weber functions of length h for the direction given by the root 613. We obtain a cycle (466, 613, 374, 839, 108, 120, 92, 459, 171, 411, 952, 701, 71, 963, 903, 140, 397, 881, 545, 639, 812, 697, 300).

For the isogeny of degree 17, the modular polynomial W ₁₇ (U, g) has two roots modulo p: 545 and 120. We construct a cycle of isogenies of degree 17 of length h for the direction given by the root 545. We obtain (466, 545, 963, 171, 839, 697, 397, 701, 92, 613, 639, 903, 411, 108, 300, 881, 71, 459, 374, 812, 140, 952, 120).

Example 2. Determination of the positive direction in the cycle of isogeny. The initial elliptic curve is given by the equation y ² = x ³ + x + 1 (mod 1187), has a trace value T = -12, the discriminant of the Frobenius map D _π = 4D where D = -1151, the value of the Weber function g ₀ = 123. The discriminant D is the square modulo primes l ₁ = 5, l ₂ = 7, l ₃ = 11, l ₄ = 29. These primes specify the degrees of isogeny used.

, $$\overline{\alpha }=-6-\sqrt{D}$$

. Находим, для каких наименьших степеней расширения d число точек эллиптической кривой над полем из p^d элементов, равное $$p^d+1+{\alpha }^d+{\overline{\alpha }}^d$$

, делится на l_i. Получаем для l₁=5 степень d=1; для l₂=7 степень d=1; для l₃=11 степень d=5; для l₄=29 степень d=7.The equation of the Frobenius map π ² -Tπ + p = 0 has roots $$\alpha =-6+\sqrt{D}$$

, $$\overline{\alpha }=-6-\sqrt{D}$$

. We find for which smallest degrees of expansion d the number of points of the elliptic curve over the field of p ^d elements equal to $$p^d+\mathrm{one}+{\alpha }^d+{\overline{\alpha }}^d$$

divided by l _i . We obtain for l ₁ = 5 the degree of d = 1; for l ₂ = 7 the degree of d = 1; for l ₃ = 11 the degree of d = 5; for l ₄ = 29, the degree of d = 7.

We set a positive direction on the isogeny cycle. For the isogeny of degree 5, the modular polynomial W ₅ (U, g ₀ ) has two roots: 487 and 486. We find h ₂ (x) = GCD (x ^p -x, f ₅ (x)) = 645 + 74x + x ² ( this is the product of two linear polynomials), hence A ₁ = 223, B ₁ = 348, the Weber function has two opposite values 487 and 700, the first of which coincides with one of the roots of the polynomial W ₅ (U, g ₀ ). The positive direction on the isogeny cycle for isogeny of degree 5 is given by g = 487, and the negative direction is given by the other root of the polynomial W ₅ (U, g ₀ ): g = 486.

For the isogeny of degree 7, the polynomial W ₇ (U, g ₀ ) has two roots: 529 and 576. To set a positive direction, we find h ₃ (x) = GCD (x ^p -x, f ₅ (x)) = 63 + 374x + 1121x ² + x ³ (this is the product of three linear polynomials), hence A ₁ = 935, B ₁ = 568, the Weber function has two opposite values 576 and 611, the first of which coincides with one of the roots of the Weber polynomial. The positive direction on the isogeny cycle for isogeny of degree 5 is given by g = 576, and the negative direction is given by the other root of the Weber polynomial g = 529.

и 100+523x+943x²+1158x³+1184x⁴+x⁵, задающие расширение степени 5. Расширенное поле K можно задавать любым неприводимым полиномом степени 5. Зададим поле K первым полиномом и обозначим t - корень первого полинома, y - координата точки ядра при x=t равна $$\sqrt{t^3+t+1}\in K$$

- обе координаты точки ядра лежат в поле степени расширения 5. Зададим поле K вторым полиномом и обозначим s - корень второго полинома, y - координата точки ядра при x=s равна $$\sqrt{s^3+s+1}\notin K$$

(она лежит в поле степени расширения 10). Для задания положительного направления выбираем первый делитель: h₅(x)=1146+922x+178x²+446x³+39x⁴+x⁵, отсюда A₁=73, B₁=758, функция Вебера имеет два противоположных значения 227 и 960, первое из них совпадает с одним из корней полинома Вебера. Положительное направление на цикле изогений для изогении степени 5 задается значением g=227, а отрицательное направление - другим корнем полинома Вебера g=84.For the isogeny of degree 11, the polynomial W ₁₁ (U, g ₀ ) has two roots: 227 and 84. The division polynomial f ₁₁ (x) has two irreducible divisors of degree 5, found as $$GCD\left(x^{p^5}-x,f_{\mathrm{eleven}}(x)\right):1146+922x+178x^2+446x^3+39x^{\mathrm{four}}+x^5$$

and 100 + 523x + 943x ² + 1158x ³ + 1184x ⁴ + x ⁵ , defining an extension of degree 5. The expanded field K can be defined by any irreducible polynomial of degree 5. We define the field K as the first polynomial and denote t is the root of the first polynomial, y is the coordinate of the point the kernel at x = t is equal to $$\sqrt{t^3+t+\mathrm{one}}\in K$$

- both coordinates of the core point lie in the field of degree of expansion 5. Define the field K as the second polynomial and denote s - the root of the second polynomial, y - the coordinate of the core point for x = s is $$\sqrt{s^3+s+\mathrm{one}}\notin K$$

(it lies in the field of degree of expansion 10). To set a positive direction, we choose the first divider: h ₅ (x) = 1146 + 922x + 178x ² + 446x ³ + 39x ⁴ + x ⁵ , hence A ₁ = 73, B ₁ = 758, the Weber function has two opposite values of 227 and 960 , the first of them coincides with one of the roots of the Weber polynomial. The positive direction on the isogeny cycle for isogeny of degree 5 is given by g = 227, and the negative direction is given by the other root of the Weber polynomial g = 84.

For the isogeny of degree 29, the polynomial W ₂₉ (U, g ₀ ) has two roots: 314 and 165. To specify a positive direction, we find the divisor of degree 14 of the polynomial f ₂₉ (x): h ₁₄ (x) = 668 + 657x + 1140x ² + 256x ³ + 131x ⁴ + 841x ⁵ + 483x ⁶ + 484x ⁷ + 667x ⁸ + 987x ⁹ + 48x ¹⁰ + 743x ¹¹ + 978x ¹² + 1079x ¹³ + x ¹⁴ (this is the product of two irreducible polynomials of degree 7), hence A ₁ = 623, B ₁ = 1128, the Weber function has two opposite values 165 and 1022, the first of which coincides with one of the roots of the Weber polynomial.

Explanation of terms used in the description and claims.

The notation a≡b (mod p) means that a-b is divisible by p.

, …, $$t^{p^{d-1}}\left(\mathrm{mod}f\left(t\right)\right)$$

. Присоединение корней всех неприводимых полиномов дает алгебраическое замыкание поля F_p.A finite field F _p of p elements, where p is a prime set {0, 1, ..., p-1}. Addition and multiplication in a finite field are carried out modulo p and denoted by a + b (mod p), ab (mod p) (see [Glukhov MM, Elizarov VP, Nechaev AA Algebra. - M .: Helios-ARV, 2003]), for example, 3 + 4≡0 (mod 7), 3 · 4≡5 (mod 7). For any nonzero element a, there is an inverse element a ^-1 such that aa ^-1 = 1. Element a ^-1 can be found by the extended Euclidean algorithm. The finite field F _p admits finite extensions obtained by joining the roots of irreducible polynomials. The degree of expansion is equal to the degree of the irreducible polynomial whose root is attached. If t is the root of an irreducible polynomial f of degree d, then the remaining roots are t ^p (mod f (t)), $$t^p{}^2\left(\mathrm{mod}f\left(t\right)\right)$$

, ..., $$t^{p^{d-\mathrm{one}}}\left(\mathrm{mod}f\left(t\right)\right)$$

. The addition of the roots of all irreducible polynomials gives the algebraic closure of the field F _p .

The projective plane is the set of points represented by nonzero triples (X, Y, Z), X, Y, Z∈F _p , taking into account the equivalence (X, Y, Z) = (cX, cY, cZ) for any c ≠ 0. The set of points of the projective plane of the form (X, Y, 0) defines an infinitely distant line. The remaining points of the projective plane, taking into account equivalence, are uniquely representable in the form of pairs (x, y) = (x, y, 1), where x = XZ ^-1 , y = YZ ^-1 .

Since at least one of the coordinates of any point on the projective plane is different from 0, this point is equivalent to a point for which the corresponding nonzero coordinate is 1.

An elliptic curve E (F _p ) over a field of p> 3 elements consists of points on the projective plane satisfying the homogeneous cubic equation f (X, Y, Z) = 0, and at any point on the curve all three partial derivatives of the polynomial f do not turn into 0 at the same time. For example, an equation in the form of Weierstrass Y ² Z = X ³ + AXZ ² + BZ ³ , where A, B∈F _p , 4A ³ + 27B ² ≠ 0 (mod p).

The points of the elliptic curve can be added: P ₁ + P ₂ = P ₃ for any P ₁ P ₂ , with P ₁ + P ₂ = P ₂ + P ₁ , P ₁ + (P ₂ + P ₃ ) = (P ₁ + P ₂ ) + P ₃ for any P ₁ , P, P ₃ . If the elliptic curve is given by an equation in the form of Weierstrass, then the point P _∞ = (0, 1, 0) is the zero element in addition. All other points satisfy the equation y ² = x ³ + Ax + B, x = X / Z, y = Y / Z. Opposite to the point (x, y) is the point (x, -y).

- целое число. Число точек r эллиптической кривой E(F_p) равно r=p+1-T. При переходе к конечным расширениям поля F_p число точек остается конечным. Скрученные эллиптические кривые обладают противоположными значениями T, одинаковым значением дискриминанта D_π, но различными числами точек. Дискриминант отображения Фробениуса может допускать разложение вида D_π=Dc² для целого c. Число приведенных квадратичных форм (a, b, c), 0<a≤c, -a<b≤a, b>0 при a=c, называется числом классов.The Frobenius map π (X, Y, Z) = (X ^p , Y ^p , Z ^p ), which maps the curve into itself, acts on the elliptic curve E (F _p ), while π (P ₁ + P ₂ ) = π (P ₁ ) + π (P ₂ ). The Frobenius map satisfies the equation π ² -Tπ + p = 0 with the discriminant D _π = T ² -4p <0, where $$\left|T\right|<2\sqrt{p}$$

is an integer. The number of points r of the elliptic curve E (F _p ) is r = p + 1-T. When passing to finite extensions of the field F _{p, the} number of points remains finite. Twisted elliptic curves have opposite values of T, the same value of the discriminant D _π , but different numbers of points. The discriminant of the Frobenius map can admit a decomposition of the form D _π = Dc ² for integer c. The number of reduced quadratic forms (a, b, c), 0 <a≤c, -a <b≤a, b> 0 for a = c, is called the number of classes.

- комплексные корни уравнения Фробениуса, то число точек эллиптической кривой над расширением степени n исходного поля $$F\underset{\_}{p}$$

равно $$p^n+1-{\alpha }^n-\overline{{\alpha }^n}$$

.If α, $$\overline{\alpha }$$

are the complex roots of the Frobenius equation, then the number of points of the elliptic curve over the extension of degree n of the original field $$F\underset{\_}{p}$$

equally $$p^n+\mathrm{one}-{\alpha }^n-\overline{{\alpha }^n}$$

.

. Скрученные кривые изоморфны над квадратичным расширением поля F_p.The isomorphism of elliptic curves is defined by a reversible linear change of variables. An elliptic curve, up to isomorphism over an algebraically closed field, is characterized by its j-invariant [Silverman J. The arithmetic of elliptic curves. - Springer-Verlag, 1986]. If an elliptic curve is given by an equation in the form of Weierstrass, then $$j=1728\frac{\mathrm{four}{A}^3}{\mathrm{four}{A}^3+27B^2}$$

. Twisted curves are isomorphic over a quadratic extension of the field F _p .

. Если D=D_π/c²≡1 (mod 8) для целого c, то по зависимость между j и g взаимно однозначная [N. Yui, D. Zagier. On the singular values of Weber modular functions // Mathematics of computation, 1997, v.66, 1645-1662].The invariant of the elliptic curve E (F _p ) with the discriminant D _π is equal to the modulo p reduced value of the modular function j (τ) of the complex variable τ for some value of τ related to the curve equation. There is a Weber function g (τ) related to the function j by the relation $$j(\tau )=\frac{(g{(\tau )}^{24}-16){\text{A.}}^3}{g{(\tau )}^{24}}$$

. If D = D _π / c ² ≡1 (mod 8) for integer c, then the dependence between j and g is one-to-one [N. Yui, D. Zagier. On the singular values ​​of Weber modular functions // Mathematics of computation, 1997, v.66, 1645-1662].

.If two elliptic Weierstrass-shaped curves E ₁ (F _p ), E ₂ (F _p ), having invariants j ₁ , j _2, respectively, have the same number of points over the field F _p or its quadratic extension, then there is an isogeny - the mapping of the first curve to the second and vice versa, given by fractions of polynomials with coefficients from F _p . The number of nonisomorphic elliptic curves having the same number of points is called the number of discriminant classes D _π and, in order of magnitude, is close to $$\sqrt{\left|D_{\pi }\right|}$$

.

: E₂→E₁ имеет такую же степень. Изогения степени l для эллиптической кривой E(F_p) существует, если число точек эллиптической кривой над некоторым конечным расширением поля F_p делится на l. Поэтому для изогении степени l существует наименьшая степень расширения поля F_p такая, что число точек эллиптической кривой над этим расширением делится на l.The core of the isogeny φ: E ₁ → E ₂ - points of the curve E ₁ considered over an algebraically closed field, which map to the zero element of the curve E ₂ , of course. Isogeny is completely determined by its core. The number of core points is also called the degree of isogeny φ: E ₁ → E ₂ . Dual isogeny $$\hat{\varphi }$$

: E ₂ → E ₁ has the same degree. An isogeny of degree l for an elliptic curve E (F _p ) exists if the number of points of the elliptic curve over some finite extension of the field F _p is divisible by l. Therefore, for the isogeny of degree l there exists the smallest degree of extension of the field F _p such that the number of points of the elliptic curve over this extension is divided by l.

Isogenies can be multiplied, the degree of the product of isogeny is equal to the product of the degrees of the initial isogeny, therefore it is sufficient to consider only the isogeny of simple degrees. The product of isogeny is commutative and associative: φ ₁ φ ₂ = φ ₂ φ ₁ , φ ₁ (φ ₂ φ ₃ ) = (φ ₁ φ ₂ ) φ ₃ .

Isogeny can be calculated using the Velu formulas [Velu J. Isogenies entre courbes elliptiques. CR Acad. Sc. Paris, 273 (1971), 238-241]. Let E ₁ (F _p ): y ² = x ³ + Ax + B; E ₂ (F _p ): ν ² = u ³ + A ₁ u + B ₁ , and (x _R , y _R ) ∈E ₁ (F _p ) is a point of odd order l. For a point Q from the core of isogeny we put

s _Q = 4x _Q ³ + 4Ax _Q + 4V, t _Q = 6x _Q ² + 4A.

The curve E ₂ (F _p ) is given by the coefficients

The isogeny kernel of a simple odd degree l for an elliptic curve in the Weierstrass form consists of l ² points of order l whose x-coordinates are the roots of the division polynomials f _l (x) of degree (l ² -1) / 2.

Division polynomials are defined recursively [J. Silverman. The arithmetic of elliptic curves. - Springer-Verlag, 1986]:

ψ ₀ = 0, ψ ₁ = 1, ψ ₂ = 2y,

ψ ₃ = 3x ⁴ + 6Ax ² + 12Bx-A ² ,

ψ ₄ = 4y (x ⁶ + 5Ax ⁴ + 20Bx ² -5A ² x ² -4ABx-8B ² -A ³ ),

2yψ _2n = ψ _n (ψ _{n + 2} ψ _n-1 ² -ψ _n-2 ψ _n-1 ² ), n> 2,

ψ _{2n + 1} = ψ _{n + 2} ψ _n ³ -ψ _{n + 1} ³ ψ _n-1 , n <1,

f _n (x) = ψ _n (x, y),

if n is odd, and

f _n (x) = ψ _n (x, y) / y,

if n is even.

The polynomials f _l are factorized. The coordinates of the points of the kernel of the isogeny of degree l are the roots of the same irreducible divisor of the division polynomial f _l (x).

There is a Chuf algorithm for calculating the number of points of an elliptic curve over a finite field and its improvement by Elkis [N. Elkies Elliptic and modular curves over finite fields and related issuses // Proceedings of a conference in honor of A.O.L. Atkin, AMS international press, 1998, pp.21-76]. Elkis isogeny is an isogeny, modulo the degree of which the Frobenius discriminant is a square. For the Elkis isogeny of degree l, the characteristic polynomial of the Frobenius map decomposes into linear factors modulo l. Dual isogenies correspond to different roots of the Frobenius mapping polynomial modulo l.

For the isogeny of Elkis of degree l and the curve E ₀ with the invariant j _0, there are exactly two isogenic images corresponding to two dual isogenies (for the initial and twisted curves). Moreover, there exists an integer symmetric modular polynomial Φ _l (U, V) such that Φ _l (U, j ₀ ) (mod p) has two roots corresponding to two dual isogenies. Denote one of the roots by j ₁ . Then we can construct an isogeny cycle of degree l of the form j ₀ → j ₁ → ... → j ₀ . The length of the loop is a divisor of the number of classes. When the degree of isogeny changes, the cycle consists of the same j-invariants, but rearranged. The set of points (U, V) such that Φ _l (U, V) = 0 is called the classical modular curve X ₀ (l).

. Это полиномы тоже симметрические, разреженные, имеют меньшие коэффициенты и позволяют строить аналогичные циклы для функции Вебера.In practice, if D≡1 (mod 8), then instead of the polynomials Φ _l it is more convenient to consider the polynomials W _l for the Weber function g satisfying the equation $$j=\frac{{(g^{24}-16)}^3}{g^{24}}$$

. These polynomials are also symmetric, sparse, have lower coefficients and allow you to build similar cycles for the Weber function.

A quantum attack is based on calculating a secret key using a quantum computer.

Claims (3)

1. An encryption method with protection against quantum attacks based on Weber function cycles, in which the message is encrypted using the public key and the encrypted message is decrypted using a secret key containing the first elliptic curve and the second elliptic curve with the same Frobenius discriminants corresponding to the public key, and mapping the first elliptic curve into the second elliptic curve corresponding to the secret key, characterized in that the elliptic curves specify the values of the functions Weber, moreover, the secret key is defined as a chain of mappings of Weber functions corresponding to Elkis isogeny of degrees l_one, ..., l_kdefined by the set of integers N_one, ..., N_kwhere N_i is the number of steps along the cycle of Weber functions for the isogeny of degree l_i, while the next value of the Weber function g_{i + 1} defined as the root of the symmetric polynomial of two variables when replacing one variable with the previous value of the Weber function g_i, and upon transition to isogeny of the next degree, a positive direction on the cycle is set, for this a polynomial defining the core of isogeny is found, and steps along the cycle are performed in the direction corresponding to the sign of the number N_i. 2. The method according to claim 1, characterized in that the Frobenius discriminant is chosen equal to the product of the square of an integer by a number comparable to 1 modulo 8. 3. The method according to claim 1, characterized in that the isogeny core is defined by a polynomial for which the core points of which lie in a minimum extension, and by its coefficients the Weber function corresponding to the positive direction is found.

Images