# Computing isogenies in dimension 1 and 2

## Tutorial: isogenies of elliptic curves

Construct an isogeny from a generator of the kernel

In [1]:
E = EllipticCurve(GF(11), [1, 0])
g = E.gens()[0]
g.order()

12

In [2]:
kernel = 6*g
kernel

(0 : 0 : 1)

In [3]:
I = E.isogeny(kernel)
I

Isogeny of degree 2 from Elliptic Curve defined by y^2 = x^3 + x over Finite Field of size 11 to Elliptic Curve defined by y^2 = x^3 + 7*x over Finite Field of size 11

In [4]:
%display latex

In [5]:
I.rational_maps()

In [6]:
F = I.codomain()
F

We observe that the image curve has the same number of points, but not the same group structure

In [7]:
F.abelian_group()

In [8]:
E.abelian_group()

In [9]:
%display plain

The same example over the rationals

In [10]:
E = EllipticCurve([1,0])
E

Elliptic Curve defined by y^2 = x^3 + x over Rational Field

In [11]:
P = E.lift_x(0)
P

(0 : 0 : 1)

In [12]:
P.order()

2

In [13]:
J = E.isogeny(P)
F = J.codomain()
F

Elliptic Curve defined by y^2 = x^3 - 4*x over Rational Field

In (very) limited cases, Sage can compute the isogeny given the image curve and the degree

In [14]:
JJ = E.isogeny(None, codomain=F, degree=2)
J == JJ

True

## Exercises

### Exercise 1

Consider the curve

In [15]:
E = EllipticCurve(GF(127), [97, 46])

List all isogenies with kernel of size 43 (i.e., of degree 43) defined over $ùîΩ_{127}$.

### Exercise 2: SIDH

Find a prime of the form $p = c¬∑2^a¬∑3^b - 1$, for "reasonable" values of $a,b,c$

Find a supersingular curve over $\mathbb{F}_p$

Compute an isogeny $\phi_2:E\to E_2$ of degree $2^a$

Compute an isogeny $\phi_3 : E\to E_3$ of degree $3^b$

Compute the unique isogeny $\phi : E\to E'$ of kernel $\ker\phi_2 \oplus \ker\phi_3$

Compute the push-forward of $\phi_3$ by $\phi_2$, i.e., the unique isogeny $\phi_3' : E_2\to E'$ such that $\phi = \phi_3'\circ\phi_2$

Compute the pushforward $\phi_2'$ of $\phi_2$ by $\phi_3$. Check that $\phi,\phi_2',\phi_3'$ all have isomorphic codomain

## Isogenies between products of elliptic curves

To download and install a library for computing $(2,2)$-isogenies, execute the cell below

In [16]:
import zipfile, sys, urllib.request
ar, res = urllib.request.urlretrieve('https://github.com/ThetaIsogenies/two-isogenies/archive/refs/heads/main.zip')
with zipfile.ZipFile(ar, 'r') as zip_ref:
    zip_ref.extractall()
sys.path.append('./two-isogenies-main/Theta-SageMath')

The full documentation of the library is [here](https://github.com/ThetaIsogenies/two-isogenies/blob/main/Theta-SageMath/README.md). 

To use it, you need a product of elliptic curves, for example:

In [17]:
p = 2^11 * 3^5 - 1
F.<i> = GF(p^2, modulus=[1,0,1])

A1 = F(0)
A2 = 129143*i + 235488
E1 = EllipticCurve(F, [0, A1, 0, 1, 0])
E2 = EllipticCurve(F, [0, A2, 0, 1, 0])

The following points have been chosen because they define a $(2^11,2^11)$-isogeny

In [18]:
P1 = E1(67757*i + 198628, 239152*i + 223924)
Q1 = E1(310218*i + 204034, 415411*i + 261911)
P2 = E2(59303*i + 471250, 86033*i + 368242)
Q2 = E2(481566*i + 29262, 313474*i + 465594)
P1.order(), P2.order(), Q1.order(), Q2.order()

(2048, 2048, 2048, 2048)

Once we have the points, we form a point of the product curve using `theta_structures.couple_point.CouplePoint`

In [19]:
from theta_structures.couple_point import CouplePoint
P = CouplePoint(P1, P2)
Q = CouplePoint(Q1, Q2)

To evaluate the isogeny of $E_1√óE_2$, use `theta_isogenies.product_isogeny_sqrt.EllipticProductIsogenySqrt`

In [20]:
from theta_isogenies.product_isogeny_sqrt import EllipticProductIsogenySqrt
kernel = (P, Q)
length = 11
Phi = EllipticProductIsogenySqrt(kernel, length)
Phi.codomain()

(Elliptic Curve defined by y^2 = x^3 + 256695*x^2 + x over Finite Field in i of size 497663^2,
 Elliptic Curve defined by y^2 = x^3 + (375999*i+496857)*x^2 + x over Finite Field in i of size 497663^2)

We can evaluate the (2,2)-isogeny chain on arbitrary `CouplePoint`s

In [21]:
R1 = E1.random_point()
R2 = E2.random_point()
R = CouplePoint(R1, R2)
Phi(R)

[(100890*i + 65667 : 112206*i + 296074 : 1),(154640*i + 193073 : 112088*i + 252774 : 1)]

## Exercises

### Exercise 3: WHATSTHIS (Wouter and Hiroshi's Amazing Tentative Signature That Hijacked the Isogeny School)

#### Public parameters

Generate a prime $p = c¬∑2^a¬∑3^b - 1$ with $a ‚â• 2b$

Let $E_0 : y^2 = x^3 + x / \mathbb{F}_{p^2}$. Compute a basis $(P_0, Q_0)$ of $E_0[2^a]$

#### Secret key
Compute a random point $P$ of order $3^b$

#### Public key
Evaluate the isogeny $œÑ : E_0 \to E_0/‚å©P‚å™$, let $E := E_0/‚å©P‚å™$ be the public key

#### Signing

Construct the maximal quaternion order $\mathrm{End}(E_0) \simeq ‚Ñ§‚å©1,i,(i+j)/2,(1+k)/2‚å™$

Let $m \in (1, 2^{\lfloor a/2\rfloor})$ and **odd** be the "message" we want to sign.

Let $\ell = 2^a - m^2$. Find $Œ± ‚àà \mathrm{End}(E_0)$ of norm/degree $\ell(2^a - \ell) = m^2(2^a - m^2)$

**Hint:** read the doc of the `sum_of_k_squares` function

In [None]:
sum_of_k_squares?

Use the (2,2)-isogeny code you installed previously to implement the Nakagawa-Onuki method and generate interpolation data $œÜ(P_0),œÜ(Q_0)$ for a degree-$‚Ñì$ isogeny $œÜ:E_0\to F$

**Trouble:** The (2,2)-isogeny code will most likely not work here, because of some missing cases. There is a workaround, and we can look at it together.

Push-forward $œÑ:E_0\to E$ under $œÜ:E_0\to F$, call $œÑ':F\to F'$ this isogeny

Sample a random matrix $M \overset{\$}{\gets} \mathrm{GL}_2(‚Ñ§/2^a‚Ñ§)$

The signature contains the data:
- The message $m$,
- The curve, $F'$
- $M ¬∑ \left(\matrix{œÑ(P_0)\\œÑ(Q_0)}\right)$, a basis of $E[2^a]$
- $M ¬∑ \left(\matrix{œÑ'(P_0)\\œÑ'(Q_0)}\right)$, a basis of $F[2^a]$

#### Verification

You only use data that is part of the signature to solve this part, refrain from using secret data such as $œÑ$, $œÑ'$, etc.

From the knowledge of $m$, recompute $‚Ñì = 2^a - m^2$.

Letting $œÜ':E\to F'$ be the push-forward of $œÜ$ through $œÑ$ (remember you can't actually compute $œÜ'$), let

$$Œ¶ : E√óF' \to E√óF'$$

be the Kani isogeny defined by the matrix $\pmatrix{a&\hatœÜ'\\-œÜ'&a}$, of kernel

$$\ker Œ¶ = \{ (aP, œÜ'(P)) \;|\; P ‚àà E[2^a] \}$$

Compute and check that this isogeny is well defined.