>>: Okay. So you have excellent eyes. That's very good. I will announce the first speaker, who is David Kohel from University of Marseille, and he will speak on endomorphisms, isogeny graphs, and moduli.
>> David Kohel: Okay. Thank you, Peter. And thanks to the organizers for inviting me here.
So this is really a story of the history of my thesis. I was asked not to speak about any current research but about something that I wrote 14 years ago and other people have done more with than me in subsequent time.
So my -- so a bit of history. My thesis, it was published in 1966 -- 1996 [laughter].
>>: That was yesterday.
>> David Kohel: Yeah.
The context was -- well, first of all, [inaudible] thesis or Schoof's algorithm, which -- sorry, let me get the pen in the right direction to make it more legible -- which we saw at least appeared in 1985, and -- but more directly, making it interesting was the work of Elkies around 1991, Atkin around the -- well, the same, early 1990s. There was an interplay between the two. I mean, I'm not meaning to distinguish them. And then Couveignes in 1994 treated -- used formal groups to treat small characteristic, and Lercier particularly treated characteristic of k equal to 2.
So this was all treating the problem of point counting on an elliptic curve over k, which is defined over a finite field. Okay.
So with that in mind, I was trying to follow all of these new developments, and, well, thinking what I could possibly do or say about the subject, and the best answer I could come up was it was better to avoid it because there was way too much activity.
Probably by the time I could say anything about the problem there would be -- well, there were subsequent results.
Also, this is a polynomial time algorithm. There's a cryptographic motivation. It was just happening very fast. So let me just -- so the endomorphism ring, though, is a geometric invariant which contains, with a large index -- well, with a finite index in the case of an ordinary elliptic curve -- a ring which is isomorphic to Z[x]/(x^2 - tx + q). So the problem of determining the number of points is the problem of determining an abstract subring of the endomorphism ring, and then you can ask, well, what is the exact endomorphism ring in between the maximal order and this one. So let me just state when E is ordinary.
And this is basically -- I treated this problem, and this was basically the first half of my thesis, and I probably have no time to say anything about the second half, which deals with the supersingular case, but the methods and ideas are quite similar.
So we know this problem is polynomial time, as we knew from 1985 and Schoof's thesis, but this problem requires us to know exactly what this index is in order to address where you sit between the two. So this requires, to the best of our knowledge, a factorization of the discriminant in order to know what this index is between the maximal order and Z[π], so I know no better way than factoring a number to determine the largest square part of it, up to what remains being congruent to 0 or 1 mod 4.
And so -- and then in order to actually determine where you sit between there, you certainly need the factorization of m.
So this is -- this endomorphism ring, it's sort of a different flavor, because the -- the trace of [inaudible] is an arithmetic invariant, but the endomorphism ring is a geometric invariant. And as a thesis problem, this certainly has advantages. We have to factor it, which requires at least subexponential time. So it's clearly out of the realm of cryptography or of any practical interest, which is a good problem to work on for a thesis.
So it's almost certainly hard. And it was just a beautiful problem. It lets me learn all the background material about point counting, all the methods, theory of complex multiplication, et cetera, and then I get back to this beautiful garden, as was quoted earlier.
Okay. On the other hand, it has lots of explicit and computational details, and I think of my thesis in some sense as just a toolkit for understanding this problem.
So that's just some comments.
So to specify an elliptic curve for computational reasons, an elliptic curve is given by -- well, what is an elliptic curve? Well, I hope I don't have to define it on day two of a conference on elliptic curves, but it's a genus 1 curve with a distinguished rational point, but in order to specify it, normally you can give an affine curve determining E, that is, one which admits a non-singular projective model to which it is birational, then we need plus some data if we want to actually work with it computationally for the points at infinity, that is, those points outside of the affine patch that you've chosen here, and plus some data for resolution of singularities, if you have any.
Okay. Well, the second possible approach is a projective non-singular model, and I'm going to take E inside of P^r, some ι to denote the embedding, and I'm going to assume plus some additional nice properties.
So I'm going to assume that this is more of a definition, but I want this curve to be projectively normal, which basically means that I take a complete linear system to define this embedding. For an elliptic curve, this means that the space of sections Γ(P^r, O_{P^r}(1)) -- well, what is this? This is basically the vector space spanned by the coordinate functions -- surjects onto this space of sections of the line bundle determined here, where L is the pull-back of that.
So here we have an embedding, and we basically -- the idea is that we want to reduce questions about this curve to questions about sections of global sheaves. So I'll give an example of where this is and isn't satisfied in a moment.
And we also want a property which is -- we want this L to be symmetric. There are actually some pathological embeddings that you could define. You could write one even for degree 3, an embedding in P^2 where minus 1 is non-linear in its action on the elliptic curve. So you certainly want minus 1 to be a projective linear automorphism.
The definition of being symmetric is that the pull-back by minus one is isomorphic to L, and I'm actually using the first hypothesis, that is, that this pull-back induces an automorphism of this, and this is surjective on the space of coordinate functions, so just a linear change of variable of the coordinate functions gives me such a thing.
So what sort of divisors can we use to embed -- let me write down just a lemma: every line bundle on an elliptic curve is isomorphic to the line bundle defined by a divisor (d - 1) times the distinguished point at infinity plus some other point T. Okay. I'm going to put parentheses around the point to indicate that this is a divisor and that's not a sum on the curve, where the degree of L is equal to d, for a unique T in E(k). So let's say -- okay, L is a divisor defined over k, and to relate it to this property of symmetric, L is symmetric if and only if that T is in fact a two-torsion point.
Okay. So if you don't have any two-torsion points at your disposal -- rational two-torsion points -- then basically multiples of the identity are the only thing that you can put there, but you could also have two times O plus the two-torsion point if you like.
>>: So o is also part of your data, right?
>> David Kohel: Yes. So -- yes. So the elliptic curve has an O. So in any of these models we need, whether it's projective or affine, plus O, which is inside of this set of rational points which might be -- okay, E is the projective non-singular curve.
Okay. So let me write down one other statement here. Just that if L is equal to L(D) and that D is of the form sum of P_i, so in particular effective, then T is the sum of the P_i on E. These points now may be in an extension.
And examples -- well, that's just a comment. And the [inaudible] equation or model uses L(3O), and the Jacobi model, L(4O). I'm going to give some examples to indicate where -- well, where I would think about my thesis differently if I were looking at the current range of models that are becoming popular in cryptography.
And another example -- now, these two models, if you look at the [inaudible] model, it doesn't really distinguish between these two. Out of laziness we tend to write down this y^2 + (a1 x + a3) y = cubic, but it's essentially a representation for that projective model.
Similarly, if we look at the intersection of two quadratics in P^3 or in A^3, it's -- the inclusion of A^3 in P^3 gives me this model. So another example is that of Edwards, which uses L isomorphic to L(3O + T) where T is two-torsion. And so this is actually a different beast from that.
So let me write down the twisted -- the twisted Edwards model as I define it -- well, as I write it. Well, first of all, the affine model is the following, but in order to have a -- that's the specification in terms of 1. To give the correct specification in terms of a projectively normal model, we need to embed it in P^3, not P^2. So let me explain that.
And x0 x3 = x1 x2, and then (x, y) here goes to (1, x, y, xy). And since this is a quartic model, the space of global sections on this E for L is the span of 1, x, y. And these two have independent degree 2 poles at infinity with no common points, so the Riemann-Roch space is spanned by 1, x, y and xy. And we really need that in order to have nice properties of the addition law, et cetera, even if you, behind the scenes, are just representing it as a product x times y in your algorithms without actually writing down the third coordinate.
And, also, just to give a relative notion, a definition of this Jacobi model is -- I prefer to write it -- I write a x0^2 + x1^2 = x2^2, b x0^2 + x2^2 = x3^2, and a third one with c, and we want the sum of these to be zero, which means that we have a + b + c = 0. This equation here is completely redundant, but it shows the symmetries intrinsic in this, and the point O -- that is, the identity element -- will just be 1, 1, 1.
So this model has a full two-torsion subgroup. This model has a cyclic subgroup of order 4. And those will play a role in looking at isogenies.
So just -- I probably started out a bit too -- in high-brow language. Let me just state that L -- if we have an effective divisor D, the sheaf determined by D has global sections, which is sometimes written -- I'm going to use Roman L(D) -- as just the Riemann-Roch space, f in k(E)* such that the divisor of f is greater than or equal to -D, together with the zero function. When I write something like this, you should just think of the functions which have poles, at worst, D. So here we allow our functions to have poles at the two-torsion point and up to three times at the point at -- well, the identity point; here, we have functions which have poles up to degree 4.
Okay. So I had some questions when doing computations, because I didn't treat these different models. As soon as you start writing them down to represent particular curves, you can ask when an automorphism, φ, is induced by -- I put it in parentheses because -- afterwards I'm just going to call it linear. Okay.
So if you have, for instance, minus 1, that's the condition of being symmetric. When is translation, so τ_T, linear? For T in here I'll allow T to be a point over the algebraic closure. The property of being linear is not dependent upon the base field. And, third, more generally, when is an isogeny φ: E1 → E2 of degree ℓ represented by polynomials of that degree?
Okay. Here assume -- well, let's assume that we use a projective non-singular model with all of the nice properties that we can imagine.
So the answers are clear if we do use a model of type 2 with the condition of being projectively normal. So in particular let's say L = L(D), so the answer to question 1 is: if and only if D is linearly equivalent to the pull-back of D or, equivalently, in the language of line bundles, that's an isomorphism of line bundles.
2 has an interesting characterization: if and only if the degree -- no -- yeah, the degree of L, which is the degree of this effective divisor which defines it, times T is the point at infinity, or the identity element. And, third, this is if and only if -- I hope this is visible. I'll try to avoid writing in the back -- L to the power ℓ is isomorphic to the pull-back of L. And here I should put a 1 and 2 for the respective embeddings, L1^ℓ ≅ φ*L2, the line bundles defining the embeddings of E1 and E2.
Okay. So when thinking about this talk, particularly this third question: I worked out explicit formulas in my thesis for the Weierstrass model. Well, Vélu worked out formulas and -- well, both -- well, I think there was a French master's thesis which did a similar thing around the same time, but you can define an isogeny of the Weierstrass model just by polynomials of degree ℓ in the numerator/denominator, and suddenly I realized that wasn't even true if you don't impose some condition on the embedding.
And worse yet, I mean, you can have minus 1 not even be linear.
Okay. So that at least gives a clear condition for what you can look for. And, moreover, we have existence of -- for instance, in No. 3, when you have existence of such a thing, this isomorphism is carried by a rational function which translates between L1^ℓ and φ*L, and so these polynomials are, in some sense, unique. So they're unique modulo the defining ideal.
Okay. Well, so let me just write that down. Uniqueness comes from a polynomial map, by which I mean homogeneous projective, which can be identified with an element of [inaudible](L1^ℓ, φ*L2), which is just isomorphic to the space of global sections on E1 of L1^{-ℓ} [inaudible] L2 -- or, no, φ*L2. And this is isomorphic to either k times some function or it's just zero. So that's the uniqueness. Up to a scalar, we can just write it down in one way.
Okay. So, here, let me take a modular pause just because I'm going to need some of these definitions. Let ℓ be a prime and consider the modular curve X(ℓ) -- well, I'm going to -- I need to find -- give a rough or intuitive definition of these.
So for a given elliptic curve, its isomorphism class, so I'll denote it by [E], is basically determined by a j-invariant. So this j-invariant you should think of as just a point on X(1), which is called the j-line. It's a rational curve, so it's isomorphic to P^1, and j is just the coordinate on that curve.
X_0(ℓ) classifies cyclic subgroups of order ℓ. Well, if ℓ is really prime, then I don't have to impose the condition of it being cyclic. It's automatically cyclic. X_1(ℓ) classifies isomorphism classes of (E, P) where P has order ℓ. The natural maps here are just -- forgetting structure, I pass from P to the subgroup generated by it and E to just its isomorphism class, and here I'll -- there's probably a better way to describe it, but intuitively it's a basis for the full ℓ-torsion such that the [inaudible] pairing is equal to a fixed value, and then we can throw away the Q to get down here.
So this is parameterized by -- this classifies lines in the ℓ-torsion. So this is -- so the lines are here. The relevant extension here chooses some generator for the subgroup.
So here we have (Z/ℓZ)*, and for technical reasons we quotient out by plus or minus 1 because (E, P) is isomorphic to (E, -P). So we can't distinguish P from its inverse.
And then, finally, we take -- this is an additive extension here generating that. So the isogeny graphs that I will be looking at will rely heavily on this.
Okay. So let me now do -- so as an example of two-isogeny graphs, let me give generically a name J to such a model for a Jacobi model. If we have this elliptic curve with full two-torsion, there are three possible subgroups. So in this picture that corresponds to three possible cyclic subgroups; they're just the three non-zero two-torsion points, so there's a P^1(F_2) of points. If we pass by isogeny, by quotienting out by that subgroup, we get new curves. And there's always a dual isogeny.
So this model here naturally sits inside of such a diagram. There are three isogenous curves, and in fact you can -- these now, if you look at the dual, compose it with another map, you see that they each have a cyclic subgroup of order 4. And I think people who have worked with Edwards curves know very well that any elliptic curve with a cyclic subgroup of order 4 can be put in Edwards form.
So the question is what do these -- well, what do these look like? In some sense this Jacobi model rigidifies such a diagram -- well, okay, so this is -- well, let me write it down explicitly.
The Jacobi model -- a, b, c -- I'll take one particular one -- is isogenous to an Edwards model with c and minus a, taking x0, x1, x2, and x3 to -- well, before I do this, let's look at my questions.
What degree do I expect for the defining polynomials going from this curve to an Edwards model with -- well, my a and d here are now c and minus a? So my question here was when is a degree ℓ -- degree 2 isogeny represented by polynomials of degree 2. Well, if and only if this is satisfied.
But in fact, if you take the square of either of these divisors, this divisor or the other one, you actually get something isomorphic to L(8O). And, similarly, if you check, pulling back the line bundle on the Edwards curve gives you something isomorphic to L(8O). So, indeed, we get degree 2 maps. And here they are.
Okay. So -- and, similarly, there is a map going back which I won't write down just now, and any odd degree isogeny of J or E can be -- can be expressed -- let me put these in parentheses -- of odd degree n, by degree n polynomials to another Jacobi model or Edwards model.
And here I should include twisted, because we don't necessarily have a rational 4-torsion point.
So perhaps the more interesting thing is we -- there is no linear isomorphism even over k-bar between a curve in Jacobi model and one in Edwards model, because the divisors -- the divisors are not linearly equivalent, so we get no such isomorphism.
Okay. So one of the themes of my thesis was explicit isogenies, and by that term, there are sort of two interpretations or topics that could be treated for a Weierstrass model E with the x function to P^1. So I call this the Kummer curve. A Kummer variety is a quotient of a [inaudible] variety by a finite automorphism group, and a finite k-rational subgroup G can be defined by a polynomial -- well, I'm going to call it a kernel polynomial, φ(x), which cuts out the x-coordinates of the torsion points on the Kummer curve, but since this curve, P^1, is just equal to the quotient of E by plus or minus 1 and the subgroup G is defined by -- is invariant under plus or minus 1, then it suffices -- the kernel G is just the pull-back of such a polynomial.
So in explicit isogenies, one possible interpretation or meaning of that comes from Elkies in 1991. Given a point P in X_0(ℓ) with -- let me call this map here π_1 -- π_1(P) equal to -- well, I'll just say the j-invariant, so the j-invariant of a given curve, write down the associated kernel polynomial. So this was one of the crucial steps in the [inaudible]-Atkin construction, and then the second one is Vélu's formula, which is much older. As input here we have G enumerated as a set of points, and then as an output we get E2 -- first he writes down E' and defining polynomials of the form φ(x), [inaudible] of x.
Just for simplicity, I assume that ℓ is odd so that I can write it in this form. So a challenge question for you is -- and I think there are some graduate students already thinking about this -- what is the similar form and structure for these two algorithms in higher genus?
So Vélu expressed this in terms of what is essentially a Γ_1 structure. In my thesis and in the paper of [inaudible] we worked out exactly this formulation, how to write, in terms of input [inaudible], the form for the isogeny. They attribute it to a master's or [inaudible] thesis.
Okay. So -- and so, exercise: find such formulas for twisted Edwards, Jacobi and Hessian models. So for each of these -- well, okay, here we have P. We would need as input P in the modular curve X(Γ_0(4) ∩ Γ_0(ℓ)). I assume (ℓ, 2) = 1 in the first case. In the second case of Jacobi models, the input for Elkies' algorithm would be a point on the modular curve X(Γ(2) ∩ Γ_0(ℓ)). And for three we'd have a point in X(3) -- well, X(Γ_0(3) ∩ Γ_0(ℓ)), and (3, ℓ) = 1.
Okay. So now let me define an isogeny graph to try to understand how you look at endomorphism rings. So the isogeny graph here for ℓ = 2 looks something like this. I'll call this the universal ℓ-isogeny graph.
And the way I think -- the way I define it, given an elliptic curve -- so I'll call this G_ℓ or G_2 lift of E -- the edges are then -- are cyclic subgroups: E and a cyclic subgroup, or equivalently the quotient, such that G_i is isomorphic to Z/ℓ^i Z. And the existence of an edge is the inclusion G_1 in G_2.
So we can construct this universal model, but in practice, when we take these quotients, we might find some collisions. So let me take the following.
Suppose E is over F_11 with j-invariant zero. Then you come up with the following. If this is -- well, let me cover this.
>>: [inaudible].
>> David Kohel: There are two reasons -- yes. You can take the -- you can undirect it in order to -- well, each isogeny is in one direction, and so to get it undirected we need to take duals, which in a sense is just defining every arrow to have an inverse. But the picture that I'm going to draw indicates -- well, shows a certain pathology.
Here the dual is unique. For every arrow there's a unique arrow, so we might as well draw it undirected. But in fact this -- if we have j equal to -- well, 1728, but that's 1 mod 11 -- has one self-isogeny, two cyclic subgroups which go to another curve, the j = 0 one, and then there are three isogenies which go back to this one, and this is an example of a supersingular curve -- supersingular reduction. There are only two vertices, and we get a morphism of graphs here from the universal graph to this one associated to every triangle. So that is j-invariant zero. We have three circles. One of them, the isogeny here, is to an object which is isomorphic, and then we get triangles everywhere else.
So this was just an example to show that what we really want is something which is a weighted directed -- well, a multigraph, with a weight 2 and a weight 3 here, weight 1, and the definition of this modular graph -- so ℓ-isogeny graph -- is a collection of vertices in X(1)(k-bar). So notice this is an infinite graph, so I haven't imposed any rationality conditions.
And the edges are points in X_0(ℓ)(k-bar) which represent isogenies. There are two maps, π_1, which was just throwing away the cyclic subgroup, and π_2, which goes to the codomain curve, and that defines the edge between the j-invariant of E and the j-invariant of E1, and the weight associated to a given graph -- so I can define this to be one arrow, but there's a weight 2 and a weight 3 here, and those are just the ramification indices of the graph.
And, well, this model, especially in the light of the Jacobi-Edwards-Hessian models, it would be very natural, instead of viewing this isogeny graph on X(1), to map the universal curve to some new curve over some arbitrary X_0, take ℓ-isogenies between -- which are in essence commutative diagrams -- and construct the associated object.
So I think William spoke about something like this. The adjacency matrix of this is actually a representation for a Hecke operator. If we add a level structure, then we get a similar representation. But the isogeny graphs for the ordinary case are very close to being trees.
So let me just say -- so I think of the directed paths starting at E, so off to infinity, as -- well, this is in a sense an element of the Tate module. So an infinite path defines an element of the projectivized Tate module. These are cyclic subgroups. Up to isomorphism we can quotient out by Z_ℓ*, and then every element of here can be quotiented to a particular cyclic subgroup and then we get an infinite -- so this is the -- if we start with a maximal order, we get a descending graph this way with associated Galois action coming from CM theory, and that's -- well, that's what -- well, that's how I think of it.
And then you get an adelic action on these -- on the Tate module or on the ℓ-torsion points, which corresponds to [inaudible] theory. So I think I need to wrap it up. So I'm quickly going to just give the idea of the endomorphism ring part of my thesis.
So the local determination of O, which is the endomorphism ring -- so once you think of this as just the intersection of all the local endomorphism rings, so take the tensor product with Z_ℓ and the -- for small ℓ dividing the index, okay, in Z[π], we look at the isogeny graph. And here, in fact, we can assume it's undirected if we don't have one of these two points, of 12 cubed or j equals zero. For every isogeny there's a dual.
And the idea in the local analysis is to traverse the isogeny graph down to what I call the floor of rationality. At the surface we have the endomorphism ring of E -- well, O_ℓ being an ℓ-maximal order, and the question is really how far are we between the minimal, ℓ-minimal endomorphism ring, and the maximal one.
So by traversing the graph we construct paths, and most paths go down, and so we just probe down to the floor of rationality. Of course, this is an infinite graph, but at some point we get stuck by the Galois action. And that tells us exactly what the -- this distance here is the ℓ-valuation of the index of Z[π] in O.
The second analysis is a global one. So for large ℓ -- well, never mind the fact that they don't exist -- we look at the following. We take the class group of Z[π], we hit it with E.
So if we take isogenies coprime to ℓ, we'll end up going around in the isogeny -- in the endomorphism class, we -- as long as we don't -- so if there's no depth, we can change here within the endomorphism class. So this class group acts by CM theory, it acts by isogenies, and this is actually acting through the quotient. And we just need to measure what is the size of the orbit of hitting E by this class group inside of our X(1)(k), just avoiding primes dividing the index.
And then, finally, putting these two together, we need to balance easy primes, which are small, and larger primes, and in my thesis I wanted a deterministic polynomial-time algorithm, and for that reason I didn't want to assume GRH or other assumptions, so the small ℓ, the crossover point between these two methods was, I think, ℓ around q^(1/4). In the worst case this index can be O(q^2) -- q^(1/2), sorry -- and so -- yeah, that's the index. So basically the square root of this was the cutoff point for where to balance enumeration.
And, see, if you -- as Neal Koblitz described, if you're in the ℓ-maximal case, which you'll never get to by a random -- you'll never find by random curve construction, then you'll have a tiny orbit here. In the non-maximal case you just enumerate until you exclude the possibility of being in the maximal case, and that's how you come up with the complexity result that I had.
Now, if you're willing to assume GRH and use probabilistic algorithms, the complexity analysis, it's interesting, is completely different. You have subexponential class group algorithms. You can find generators or relations. You can determine the kernel of this action, and they find a probabilistic -- conditional probabilistic subexponential time which agrees with the problem that you have to factor this index, and everything sort of coincides. So that was the discrepancy between reality and practice which appears in -- which [inaudible] and Sutherland described in a recent paper.
So I think I have to stop here. So the other use of this isogeny analysis, isogeny graphs, there have been a lot of -- well, surprising to me, who thought -- this is beautiful mathematics, but no practical application -- especially Sutherland and [inaudible] have been advocating CRT methods for a while. CRT methods for class polynomials and for modular equations are phenomenally successful, and one of the things is to use a lot of dirty tricks in these graphs to rapidly classify exactly what your endomorphism ring is, find precisely those at the surface. So by the surface I -- I took a -- I had an aquatic metaphor in mind, but [inaudible] introduced the isogeny volcano, which is the more terrestrial one. So that's your choice what metaphor you want to use.
So I'll stop here.
[applause].
>>: Are there any questions?
>>: What was the extraterrestrial metaphor [laughter]?
>> David Kohel: There hasn't been an extraterrestrial -- no, actually, there was in Sutherland -- in Drew's talk, you did have a moon surface with craters, right, which is now an extraterrestrial one.
They had a terrestrial volcano metaphor which was a very successful selling point for my thesis for which I thank them. And it's widely quoted. But I took an aquatic metaphor, they had a terrestrial one, and it's true that Drew has an extraterrestrial one.
>>: Okay. Are there more questions? If not, we'll have a coffee break until 2:30. And let's thank the speaker again.
[applause]
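An added worked example, not part of Kohel's talk and not code from his thesis: a small Python script that carries out the bookkeeping described in the first part of the talk for an ordinary curve. From a point count it reads off the Frobenius trace t, so that Z[π] ≅ Z[x]/(x^2 - tx + q), then factors the discriminant t^2 - 4q as v^2 times a fundamental discriminant to get the index v of Z[π] in the maximal order, and lists the orders Z + f·O_K with f dividing v in which End(E) must sit. Which of those orders is the true endomorphism ring is the isogeny-graph question the talk goes on to; the script does not decide it. The point count is brute force over a prime field only, the curve y^2 = x^3 + 1 over F_7 (j = 0, ordinary since 7 ≡ 1 mod 3) is a constructed toy input, and all function names are mine.

```python
# Added example (not from the talk or from Kohel's thesis code).
# Brute-force bookkeeping from #E(F_p) to the index [O_K : Z[pi]]
# and the list of candidate endomorphism rings.  Prime fields only.


def count_points(a, b, p):
    """#E(F_p) for y^2 = x^3 + a*x + b over the prime field F_p, including O."""
    # squares[v] = number of y in F_p with y^2 = v (0, 1 or 2)
    squares = [0] * p
    for y in range(p):
        squares[(y * y) % p] += 1
    n = 1  # the point at infinity
    for x in range(p):
        n += squares[(x * x * x + a * x + b) % p]
    return n


def frobenius_trace(a, b, p):
    """t with #E(F_p) = p + 1 - t; Frobenius pi is a root of x^2 - t x + p."""
    return p + 1 - count_points(a, b, p)


def is_ordinary(t, p):
    """E is ordinary exactly when p does not divide the trace."""
    return t % p != 0


def split_discriminant(disc):
    """Write a negative discriminant as disc = v^2 * d_K with d_K fundamental:
    d_K is 0 or 1 mod 4, has no odd square factor, and no further factor 4
    can be removed while keeping it a discriminant.  Returns (v, d_K).
    Trial-division factoring: the step the talk says it knows no way around."""
    if disc >= 0:
        raise ValueError("expected the discriminant of an imaginary quadratic order")
    n = -disc
    v = 1
    f = 3
    while f * f <= n:            # strip odd square factors
        while n % (f * f) == 0:
            n //= f * f
            v *= f
        f += 2
    # strip a factor 4 only while what remains is still 0 or 1 mod 4
    while n % 4 == 0 and (-(n // 4)) % 4 in (0, 1):
        n //= 4
        v *= 2
    return v, -n


def candidate_conductors(v):
    """Conductors f of the orders Z + f*O_K between Z[pi] (f = v) and the
    maximal order O_K (f = 1): exactly the divisors of v."""
    return [f for f in range(1, v + 1) if v % f == 0]


def analyze(a, b, p):
    """Everything the talk extracts from the point count, as a dict.
    Supersingular input is rejected: there Z[pi] sits in a quaternion order."""
    t = frobenius_trace(a, b, p)
    if not is_ordinary(t, p):
        raise ValueError("supersingular curve: not the ordinary case treated here")
    disc = t * t - 4 * p
    v, d_k = split_discriminant(disc)
    return {
        "points": p + 1 - t,
        "trace": t,
        "disc_Zpi": disc,
        "index_v": v,            # [O_K : Z[pi]], the 'gap' the talk discusses
        "disc_OK": d_k,
        "conductors": candidate_conductors(v),
    }


if __name__ == "__main__":
    # constructed sample: y^2 = x^3 + 1 over F_7 has 12 points, t = -4,
    # disc = -12 = 2^2 * (-3), so End(E) is Z[pi] (f = 2) or Z[zeta_3] (f = 1)
    print(analyze(0, 1, 7))
```

For the F_7 curve the index v is 2, so the answer is one of two orders, and since j = 0 the curve in fact has the maximal order Z[ζ_3]; the script cannot see that without the isogeny-graph walk. Feeding it the talk's own supersingular example, y^2 = x^3 + 1 over F_11, gives t = 0 and the function refuses, which is the right behaviour since the ordinary analysis does not apply there.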