Fact-checked by Grok 2 weeks ago

Isogeny

In mathematics, particularly algebraic geometry and number theory, an isogeny is a surjective homomorphism between abelian varieties (or more specifically, elliptic curves) defined over a field that has a finite kernel as a group morphism.^[1] This structure-preserving map maintains the algebraic group law while connecting varieties of the same dimension, with the degree of the isogeny defined as the cardinality of the kernel or equivalently the degree of the induced extension of function fields.^[2] Isogenies play a central role in the classification of abelian varieties over finite fields via the Honda-Tate theorem, which associates each simple isogeny class to a Weil q-number, enabling the study of their endomorphism rings and Frobenius actions.^[3] They also underpin modern cryptographic protocols, such as isogeny-based schemes for post-quantum security, where the hardness of computing isogenies between supersingular elliptic curves provides computational resistance.^[4] Key properties include the multiplicativity of degrees under composition and the unique factorization into separable and purely inseparable components, with the multiplication-by-n map serving as a fundamental example of degree n^2*g for dimension g.^[1]

Definitions

General Definition

In mathematics, particularly in algebraic geometry, an isogeny is a surjective homomorphism f: A \to B between algebraic groups over a field K with finite kernel.^[5] As a group homomorphism, it maps the identity element of A to the identity element of B.^[5] The term "isogeny" was introduced by André Weil in his 1948 work Sur les courbes algébriques et les variétés qui s'en déduisent, to extend the concept of isomorphism by emphasizing the finite kernel while generalizing mappings between varieties of the same dimension.^[3] A fundamental example is the multiplication-by-n map : A \to A on an algebraic group A, defined for a nonzero integer n (such as the nth power map on the multiplicative group \mathbb{G}_m), which yields a surjective homomorphism with finite kernel.^[6] An isogeny is separable if its kernel is étale, equivalently, if the induced map on tangent spaces is injective.^[5]

Definition for Abelian Varieties

In the context of abelian varieties, an isogeny is defined as a morphism f: A \to B between abelian varieties over a field k that is a homomorphism of algebraic groups, hence surjective with finite kernel, and consequently preserves the origin (the identity element of the group structure).^[3]^[7] This adaptation refines the general notion by leveraging the commutative group law inherent to abelian varieties, ensuring that f aligns the addition laws on A and B while maintaining the projective variety structure.^[8] Such a morphism is equivalent to a finite, flat, and surjective homomorphism of group schemes, provided the dimensions of A and B are equal, which follows from the finite kernel condition.^[3] This equivalence holds over any base field and underscores the role of flatness in preserving the geometric fibers, distinguishing isogenies from mere rational maps.^[7] A key property is that an isogeny f: A \to B induces an injective map on the étale cohomology groups H^1_{\ét}(A_{\bar{k}}, \mathbb{Z}_\ell) \to H^1_{\ét}(B_{\bar{k}}, \mathbb{Z}_\ell) for primes \ell not dividing the degree of f, with finite cokernel, yielding an isomorphism upon tensoring with \mathbb{Q}_\ell.^[3] This cohomological behavior reflects the finite étale nature of the kernel and is central to applications in arithmetic geometry. Unlike homomorphisms of general algebraic groups, which may lack surjectivity or finite kernels due to non-commutativity, isogenies of abelian varieties require the commutative structure to ensure compatibility between the group operation and the underlying variety, preventing pathological behaviors in higher dimensions.^[7]

Properties

Degree of an Isogeny

The degree of an isogeny f: A \to B between abelian varieties A and B over a field K is defined as the degree of the extension of function fields [K(A) : f^* K(B)], where f^* denotes the pullback map on function fields induced by f.^[9]^[1] This definition captures the "size" of the isogeny as a finite surjective homomorphism with finite kernel, and it equals the rank of the kernel group scheme \ker(f) as a finite group scheme over K.^[1] If f is separable—meaning the characteristic of K does not divide the degree—then the degree simplifies to the cardinality of the kernel as a finite group, \deg(f) = |\ker(f)|.^[9] In general, over fields of positive characteristic, the degree decomposes as \deg(f) = \deg_{\acute{e}t}(f) \cdot \deg_{\mathrm{insep}}(f), where \deg_{\acute{e}t}(f) is the étale degree (the order of the étale part of the kernel) and \deg_{\mathrm{insep}}(f) is the inseparable degree (related to the purely inseparable part of the function field extension).^[9] In characteristic zero, every isogeny is separable, so \deg(f) = |\ker(f)| and the inseparable degree is 1.^[9] The degree is multiplicative under composition: for composable isogenies f: A \to B and g: B \to C, \deg(g \circ f) = \deg(g) \cdot \deg(f).^[1] This property follows from the corresponding multiplicativity of the function field extensions and kernel ranks.^[1] A representative example occurs with the multiplication-by-n map : E \to E on an elliptic curve E (an abelian variety of dimension 1), where \deg() = n^2.^[9] This holds because the kernel consists of the n^2 points of order dividing n, assuming separability (i.e., \gcd(n, \mathrm{char}(K)) = 1).^[1]

Kernels and Dual Isogenies

The kernel of an isogeny \phi: A \to B between abelian varieties A and B over a field k is the finite subgroup scheme \ker(\phi) \subset A, which is flat over \operatorname{Spec}(k) and defines B as the quotient A / \ker(\phi).^[3] This kernel scheme is finite, with its degree equal to the degree of \phi, and it carries a natural group structure induced from A.^[3] In characteristic zero, \ker(\phi) is étale and reduced, hence isomorphic as a group scheme to the finite abelian group of its geometric points A(\bar{k})_{\ker(\phi)}, which has order \deg(\phi).^[3] Associated to any isogeny \phi: A \to B is its dual isogeny \hat{\phi}: B \to A, uniquely determined by the relations \hat{\phi} \circ \phi = [\deg(\phi)]_A and \phi \circ \hat{\phi} = [\deg(\phi)]_B, where $$ denotes the multiplication-by-n endomorphism.^[3] The degree of the dual satisfies \deg(\hat{\phi}) = \deg(\phi), and \hat{\phi} can be explicitly constructed via the universal property of the Poincaré bundle on A \times \hat{A}, where \hat{A} is the dual abelian variety parametrizing line bundles on A.^[3] This duality extends to compositions, with \widehat{\phi \circ \psi} = \hat{\psi} \circ \hat{\phi} for compatible isogenies \phi and \psi.^[3] In the special case of elliptic curves, which are one-dimensional abelian varieties isomorphic to their own duals via a principal polarization, Pontryagin duality identifies the n-torsion \ker(_E) with the dual torsion, yielding an isomorphism of group schemes \ker(\phi) \cong \ker(\hat{\phi}) for any isogeny \phi.^[3] This isomorphism arises from the nondegenerate Weil pairing on the torsion points, which is alternating and Galois-equivariant.^[3] The collection of abelian varieties over k with isogenies as morphisms forms a category, in which the dual operation \phi \mapsto \hat{\phi} acts as an involution, providing an adjunction-like structure by relating \operatorname{Hom}(A, B) to \operatorname{Hom}(B, A) through degree-multiplication compositions.^[3]

Isogenies of Elliptic Curves

Construction and Examples

Isogenies between elliptic curves can be constructed explicitly as quotients of an elliptic curve by a finite subgroup of its points. Specifically, for elliptic curves E_1 and E_2 defined over a field K, any separable isogeny \phi: E_1 \to E_2 arises uniquely as the quotient map E_1 \to E_1 / \Gamma, where \Gamma is a finite subgroup of E_1(\overline{K}) serving as the kernel of \phi, and E_2 \cong E_1 / \Gamma.^[10] This construction ensures that \phi is a group homomorphism sending the identity to the identity, with the degree of \phi equal to the order of \Gamma.^[10] A concrete example is the degree-2 isogeny obtained by quotienting an elliptic curve E: y^2 = x^3 + a x + b (with a, b \in K and characteristic not 2) by the subgroup \Gamma = \{ \mathcal{O}, T \}, where T = (e_1, 0) is a point of order 2 on E (one of the roots of x^3 + a x + b = 0). The codomain is the elliptic curve E': Y^2 = X^3 - 2 a X^2 + (a^2 - 4 b) X, and explicit formulas like Vélu's provide general rational expressions for the coordinates in terms of the kernel points.^[10]^[11] Torsion-based isogenies provide another systematic construction, starting with the multiplication-by-n map : E \to E, which sends P \mapsto nP and has kernel E = \{ P \in E(\overline{K}) \mid nP = \mathcal{O} \}, the n-torsion subgroup of order n^2.^[10] The $$ map, of degree n^2, can be computed via chains of cyclic prime-degree isogenies using division polynomials or Vélu's formulas to describe intermediate curves and maps.^[11] An isogeny \phi: E_1 \to E_2 is defined over the base field K (a rational isogeny) if its rational functions have coefficients in K, which is equivalent to the kernel \Gamma \subset E_1(\overline{K}) being stable under the action of \mathrm{Gal}(\overline{K}/K).^[10] In contrast, isogenies requiring field extensions arise when \Gamma consists of points not defined over K, such as certain torsion points in non-CM curves over \mathbb{Q}.^[10] Each separable isogeny \phi pairs with a dual isogeny \hat{\phi}: E_2 \to E_1 such that \phi \circ \hat{\phi} = [\deg \phi]_{E_2}.^[10]

Isogeny Classes and Graphs

Two elliptic curves E_1 and E_2 defined over a field K are said to be isogenous over K if there exists a non-constant isogeny \phi: E_1 \to E_2 defined over K. This relation is reflexive (via the identity morphism), symmetric (due to the existence of the dual isogeny \hat{\phi}: E_2 \to E_1), and transitive (as the composition of isogenies is an isogeny), making it an equivalence relation that partitions the set of elliptic curves over K (up to K-isomorphism) into disjoint isogeny classes.^[12] Each class consists of all curves over K that are connected by chains of isogenies defined over K, and the j-invariants of curves in the same class are algebraic integers that are conjugate over K.^[8] In characteristic zero, such as over \mathbb{Q}, isogeny classes can be infinite due to the abundance of elliptic curves, but over finite fields of characteristic p > 0, the classes are finite. A key distinction arises in positive characteristic: elliptic curves are classified as ordinary or supersingular based on their endomorphism rings. For an ordinary elliptic curve E over a field of characteristic p, the endomorphism ring \mathrm{End}(E) is an order in an imaginary quadratic field \mathbb{Q}(\sqrt{-d}) for some square-free positive integer d, containing \mathbb{Z} as a subring. In contrast, a supersingular elliptic curve has \mathrm{End}(E) isomorphic to a maximal order in a quaternion algebra over \mathbb{Q} that is ramified precisely at p and \infty, which is non-commutative and of dimension 4 over \mathbb{Q}.^[13] This dichotomy affects the structure of isogeny classes, with ordinary classes typically larger and more varied than the fewer supersingular ones (there are roughly p/12 supersingular j-invariants over \overline{\mathbb{F}}_p).^[14] Isogeny graphs provide a visual and structural representation of these classes, particularly useful for computational and theoretical analysis. For a fixed prime \ell \neq \mathrm{char}(K), the \ell-isogeny graph of an isogeny class over K has vertices corresponding to the K-isomorphism classes (or j-invariants) of elliptic curves in the class, with directed edges labeled by subgroups of order \ell representing \ell-isogenies (up to equivalence via automorphisms). Undirected versions treat dual isogenies symmetrically. Over finite fields, these graphs exhibit a "volcano" topology for ordinary classes: the base "rim" consists of curves with endomorphism ring \mathbb{Z}, connected horizontally by \ell-isogenies of equal "height" (related to the conductor of the endomorphism order); ascending "slopes" lead to higher levels with larger endomorphism rings (orders of higher conductor in the same quadratic field), forming tree-like structures that merge at the rim, while a central "crater" may exist for curves with full maximal endomorphism ring. The height of the volcano is determined by the discriminant of the endomorphism order, and the graph is regular of degree \ell + 1 on the rim (accounting for the Frobenius endomorphism). Supersingular \ell-isogeny graphs, by contrast, are more symmetric and expander-like, often Ramanujan graphs with strong mixing properties useful in cryptography.^[15]^[16] Over \mathbb{Q}, the 2-isogeny graph illustrates simpler structures tied to arithmetic invariants like conductor and class size. Since a degree-2 isogeny over \mathbb{Q} is equivalent to the existence of a rational point of order 2 (generating the kernel), the connected components often consist of isolated vertices or pairs of curves linked by a 2-isogeny, but can form larger graphs in cases with higher 2-power rational torsion. For instance, the smallest such conductor is N=15 for the class 15a, comprising curves y^2 + y = x^3 - x^2 - 10x - 20 and y^2 = x^3 - x^2 - 10x - 20, connected by a 2-isogeny whose kernel is the rational 2-torsion point (5,0); here, the conductor $15=3 \times 5 arises from bad reduction at 3 and 5, with the class structure determined by the modular curve X_0(2). In general, the size of isogeny classes over \mathbb{Q} is bounded (at most 8 curves per class overall, per Kenku's theorem), and their conductors correlate with the primes of potential multiplicative reduction accommodating the 2-torsion.^[17]

Isogenies of Abelian Varieties

General Framework

In the theory of abelian varieties, the isogeny category provides a fundamental framework for studying these objects up to isogeny over a field k. The objects of this category are abelian varieties over k, while the morphisms from an abelian variety A to B are isogenies modulo isomorphisms, equivalently represented by elements of \Hom(A, B) \otimes \mathbb{Q}.^[3] This category is semisimple, meaning every abelian variety decomposes uniquely (up to isomorphism) into a direct sum of simple abelian subvarieties, reflecting the structure of representations in semisimple algebras.^[3] Isogenies between abelian varieties induce isomorphisms on their rational Tate modules. Specifically, for a prime \ell not dividing the characteristic of k, an isogeny \phi: A \to B yields an isomorphism of \mathbb{Z}_\ell-modules V_\ell(A) \cong V_\ell(B), where V_\ell(A) = T_\ell(A) \otimes_{\mathbb{Z}_\ell} \mathbb{Q}_\ell is the rational Tate module of rank $2g for \dim A = g, provided the degree of \phi is coprime to \ell.^[3] This homological property underscores the equivalence of abelian varieties up to isogeny in terms of their \ell-adic cohomology. The endomorphism rings of abelian varieties play a central role in this framework, with isogenies corresponding to left ideals in the rational endomorphism algebra \End^0(A) = \End(A) \otimes \mathbb{Q}. For a simple abelian variety A, \End^0(A) is a division algebra over \mathbb{Q} equipped with a positive involution, and more generally, it forms a semisimple \mathbb{Q}-algebra isomorphic to a product of matrix rings over such division algebras.^[3] Consequently, two simple abelian varieties A and B over k are isogenous if and only if their endomorphism algebras \End^0(A) and \End^0(B) are isomorphic as \mathbb{Q}-algebras.^[3] The dual isogeny construction ensures that this category admits a rigid dualizing structure, facilitating the study of homological properties.^[3]

Connection to Complex Multiplication

Complex multiplication (CM) on an abelian variety A over a field k occurs when the endomorphism algebra \operatorname{End}^0(A) = \operatorname{End}(A) \otimes \mathbb{Q} contains a CM algebra E, a commutative semisimple \mathbb{Q}-algebra of degree $2 \dim A that is a product of CM fields, with an embedding i: E \hookrightarrow \operatorname{End}^0(A) such that \mathbb{Q} \cdot i(E) has reduced degree $2 \dim A over \mathbb{Q}.^[18] A CM type \Phi is a subset of embeddings \operatorname{Hom}_\mathbb{Q}(E, \mathbb{C}) satisfying certain compatibility conditions, ensuring the action on the tangent space preserves the complex structure.^[18] These varieties exhibit an enriched endomorphism structure beyond the generic case, where \operatorname{End}(A) \cong \mathbb{Z}, allowing endomorphisms to mimic multiplication by elements of imaginary quadratic fields or their products.^[18] In CM theory, isogenies between CM abelian varieties are intimately tied to the ideal theory of the CM order \mathcal{O} \subseteq \operatorname{End}(A). Specifically, a non-zero element \alpha \in \mathcal{O} defines an isogeny [\alpha]: A \to A/\ker(\alpha) of degree (\mathcal{O} : \alpha \mathcal{O}), and prime isogenies—those with prime degree—correspond to multiplication by generators of prime ideals in \mathcal{O}.^[18] For an E-isogeny \phi: A \to B between CM varieties of type (E, \Phi), there exists an ideal a \subseteq \mathcal{O}_E (the maximal order in E) such that \phi realizes a-multiplication, with \deg(\phi) = [ \mathcal{O}_E : a ], preserving the CM type \Phi under the embedding.^[18] This ideal-theoretic perspective classifies isogeny classes: two CM abelian varieties are isogenous if and only if their corresponding polarized CM types are isomorphic, linking the geometry to the arithmetic of the CM field.^[18] The isogeny class of a CM elliptic curve, which is a one-dimensional abelian variety, plays a central role in generating ray class fields over the reflex field E^* of the CM type. The j-invariants of the isogenous curves parametrize the Hilbert class field (for the maximal order) or more generally the ring class field (for non-maximal orders) of the imaginary quadratic field K = E \cap \mathbb{R}^c, obtained as the fixed field of the kernel of the Artin map from the idele class group to the ray class group modulo the conductor.^[18] This construction arises via the modular curve parametrizing elliptic curves with level structure corresponding to the order, where Galois action on torsion points induces the class field tower.^[18] A concrete example arises for elliptic curves with CM by the order \mathbb{Z} in the Gaussian integers, where E = \mathbb{Q}(i) and the CM type \Phi selects the embedding with positive imaginary part. Here, prime isogenies factor the multiplication-by-\pi map for \pi \in \mathbb{Z} with norm equal to a prime congruent to 1 modulo 4, splitting as (\pi) = \mathfrak{p} \overline{\mathfrak{p}} into prime ideals, yielding horizontal and vertical isogenies corresponding to the CM norms.^[18] The full isogeny class then generates the ring class field of \mathbb{Q}(i) over \mathbb{Q}, with class number determined by the conductor of the order.^[18]

Applications

In Number Theory

Isogenies play a central role in arithmetic geometry through their connection to modular curves. The modular curve X_0(N) serves as the moduli space parametrizing isomorphism classes of pairs (E, C), where E is an elliptic curve over \mathbb{C} and C \subset E is a cyclic subgroup of order N. This parametrization effectively classifies elliptic curves up to N-isogeny, as points on X_0(N) correspond to such isogeny data. The geometry of X_0(N) is intimately linked to modular forms, with the function field of X_0(N) generated by modular forms of level N, enabling the study of isogeny classes via analytic and algebraic properties of these forms.^[19] Within an isogeny class of elliptic curves over \mathbb{Q}, all curves share the same conductor N, but their minimal discriminants differ according to the degrees of connecting isogenies. Szpiro's conjecture posits that for any elliptic curve E over \mathbb{Q} with conductor N and minimal discriminant \Delta, there exists an absolute constant C > 0 such that |\Delta| \leq C N^6. For an isogeny \phi: E \to E' of prime degree p > 3, the minimal discriminants satisfy \Delta_E^p / \Delta_{E'} is a 12th power in \mathbb{Q}^\times, with analogous power relations for p=2 and p=3. These relations imply that large isogeny degrees would inflate discriminants relative to the fixed conductor, so Szpiro's conjecture bounds the possible degrees of isogenies within a class, thereby limiting the class size. Large isogeny classes are thus associated with curves exhibiting high Szpiro ratios, as explored in constructions involving torsion points.^[10]^[20] Isogenies facilitate descent procedures to probe the Mordell-Weil group of elliptic curves. In particular, 2-descent via isogenies applies when an elliptic curve E over \mathbb{Q} admits a rational 2-isogeny \phi: E \to E' to its 2-twist E'. The 2-Selmer group \mathrm{Sel}_2(E/\mathbb{Q}), which provides an upper bound on the 2-primary part of the rank, is computed using the long exact sequence from the cohomology of the isogeny kernel, yielding dimensions n_1, n_2 for the image of the connecting homomorphism and the kernel of the dual isogeny. This method, generalizable to higher-degree isogenies for odd primes \ell > 3, expresses the Selmer rank in terms of local conditions and Cassels-Tate pairing, enabling explicit rank computations and generator searches.^[21]^[22] A foundational historical contribution stems from André Weil's 1948 work, where he integrated isogenies with the Riemann-Roch theorem to advance genus computations on algebraic curves. In developing the Riemann hypothesis for curves over finite fields, Weil employed isogenies between elliptic curves to pair divisor classes and leverage Riemann-Roch for dimension counts in function fields, laying groundwork for modern arithmetic geometry and the Weil conjectures. This pairing illuminated the interplay between isogeny structures and geometric invariants like genus, influencing subsequent theories of abelian varieties.^[23]

In Cryptography

Isogeny-based cryptography leverages the computational difficulty of certain isogeny problems to construct post-quantum secure protocols, particularly for key exchange and digital signatures resistant to quantum attacks. A prominent example is the Supersingular Isogeny Diffie-Hellman (SIDH) protocol, which performs key exchange by simulating random walks on supersingular isogeny graphs. In SIDH, parties start with a shared supersingular elliptic curve and basis points, then each computes a secret isogeny chain of specified degrees (typically powers of distinct small primes like 2 and 3) to reach a public curve, publishing the resulting curve along with images of the basis under the isogeny. The shared secret is derived from the dual isogeny walk, exploiting the commutativity of isogeny compositions in the graph.^[24] The security of SIDH relies on the hardness of the supersingular isogeny problem: given two supersingular elliptic curves, computing an isogeny between them is computationally infeasible, analogous to finding short paths in a high-degree expander graph whose structure resists efficient isomorphism algorithms. This problem is believed to be quantum-resistant, with no known polynomial-time quantum attacks, making SIDH a candidate for post-quantum key encapsulation like SIKE, which advanced to NIST's third round before the protocol's vulnerability was exposed. In a typical SIDH instantiation, public keys consist of a pair (E, [P, Q]), where E is the public curve and P, Q are points generating the torsion subgroup; the private key is the isogeny chain, and key agreement proceeds via evaluating the opponent's isogeny on one's secret chain to compute the shared curve.^[24]^[25] Significant developments include the Commutative Supersingular Isogeny Diffie-Hellman (CSIDH) protocol, which replaces SIDH's non-commutative walks with a commutative group action from the ideal class group of a quadratic imaginary order, enabling efficient key exchange without torsion point validation. CSIDH operates on supersingular curves over prime fields, using complex multiplication theory to decompose the action into prime-degree isogenies, yielding smaller key sizes and faster computations compared to SIDH while maintaining post-quantum security under the commutative isogeny problem. Unlike SIDH, CSIDH's structure avoids the vulnerabilities exploited in recent attacks.^[26] In 2022, SIDH and its derivative SIKE were broken by efficient key recovery attacks, such as the glue-and-split method, which recovers private keys in polynomial time by embedding isogenies into higher-genus Jacobians and exploiting auxiliary information from starting curves. These attacks invalidated SIDH for practical use, prompting NIST to discontinue SIKE standardization. However, CSIDH remains resilient to such techniques due to its commutative nature and lack of explicit torsion subgroups in the protocol, with ongoing analysis confirming no analogous polynomial-time breaks as of 2025; quantum subexponential attacks via hidden subgroup methods pose the primary threat, but classical security levels exceed 128 bits for recommended parameters.^[27]^[25] Isogeny-based signatures, exemplified by SQISign, extend these ideas to authentication by signing messages via oriented isogeny paths in quaternion algebras over supersingular curves, producing compact signatures (around 10-20 kB) with fast verification. SQISign, submitted to NIST's 2023 post-quantum signature standardization, relies on the Fiat-Shamir paradigm with proofs of knowledge for isogeny secrets, offering security rooted in the indistinguishability of random walks in structured isogeny graphs. Unlike lattice- or hash-based alternatives, SQISign achieves smaller public keys (under 50 bytes) while providing EUF-CMA security, with implementations demonstrating signing times under 1 second on standard hardware.^[28]^[29]

References

[1]
[PDF] Chapter V. Isogenies. In this chapter we define the notion of an ...
Sep 15, 2011 · (5.3) Definition. A homomorphism f: X → Y of abelian varieties is called an isogeny if f satisfies the three equivalent conditions (a), (b) ...Missing: geometry | Show results with:geometry
[2]
[PDF] 5 Isogenies - MIT Mathematics
Feb 19, 2015 · An isogeny φ: E1 → E2 of elliptic curves defined over k is a surjective morphism of curves that induces a group homomorphism from E1(¯k) to E2(¯ ...
[3]
[PDF] Abelian Varieties - James Milne
Mar 16, 2008 · These notes are an introduction to the theory of abelian varieties, including the arithmetic of abelian varieties and Faltings's proof of ...
[4]
[PDF] Isogenies of Elliptic Curves: A Computational Approach - SageMath
An isogeny is a non-constant function, defined on an elliptic curve, that takes values on another elliptic curve and preserves point addition.
[5]
[PDF] Algebraic Groups - James Milne
Dec 20, 2015 · ... defined by the algebraic group. The advantages of the modern ... isogeny theorem: statements ...
[6]
[PDF] Basic Theory of Affine Group Schemes - James Milne
Mar 11, 2012 · When Borel first introduced algebraic geometry into the study of algebraic groups in the 1950s, Weil's ... algebraic groups is an isogeny if and ...
[7]
[PDF] Abelian Varieties
Dec 17, 2004 · Any homomorphism f : X → Y of abelian varieties satisfying the equivalent properties of. Proposition 2.2 will be called an isogeny. The degree ...
[8]
[PDF] 4 Isogenies - MIT Mathematics
Feb 9, 2022 · As abelian varieties, elliptic curves have both an algebraic structure (as an abelian group), and a geometric structure (as a smooth ...
[9]
[PDF] Basic Theory of Abelian Varieties 1. Definitions - James Milne
Algebraic Geometry”, and in 1948 his two books on abelian varieties and Jacobian ... that the isogeny class of an abelian variety A over K of dimension g and with ...
[10]
[PDF] Joseph H. Silverman - The Arithmetic of Elliptic Curves
The past two decades have witnessed tremendous progress in the study of elliptic curves. Among the many highlights are the proof by Merel [170] of uniform bound ...
[11]
[PDF] Isogenies of Elliptic Curves
Isogenies are a fundamental object of study in the theory of elliptic curves. The definition and basic properties were given in Sections 9.6 and 9.7.
[12]
[PDF] Isogenies of elliptic curves defined over Fp, Q, and their extensions
Dec 10, 2010 · An isogeny is a nonconstant morphism between elliptic curves, which among other interesting properties, respects the un- derlying additive group ...
[13]
[PDF] endomorphisms of elliptic curves - UGA math department
Definition: An elliptic curve over a field of positive characteristic is called super- singular if its endomorphism algebra is a quaternion algebra, and called ...
[14]
[PDF] 14 Ordinary and supersingular elliptic curves
Apr 1, 2019 · The endomorphism ring End(E) need not equal Z[π], but the fact that it contains Z[π] and is contained in OK constrains End(E) to a finite set of ...
[15]
[PDF] Endomorphism rings of elliptic curves over finite fields by David Kohel
This document is ostensibly concerned with the computational problem of deter- mining the isomorphism type of the endomorphism ring of an elliptic curve over a.
[16]
[PDF] 22 Isogeny volcanoes - MIT Mathematics
Nov 28, 2023 · We now want to shift our focus from elliptic curves over C to elliptic curves other fields, finite fields in particular.
[17]
A classification of isogeny-torsion graphs of $\mathbb{Q} - arXiv
Jan 16, 2020 · In this paper, we define an isogeny-torsion graph to be an isogeny graph where, in addition, we label each vertex with the abstract group ...
[18]
[PDF] Complex Multiplication
Abelian varieties with complex multiplication1 are special in that they have the largest pos- sible endomorphism rings. For example, the endomorphism ring ...Missing: download | Show results with:download<|control11|><|separator|>
[19]
[PDF] (Elliptic Modular Curves) JS Milne
This document introduces the arithmetic theory of modular functions and forms, with a focus on geometry, and covers elliptic modular curves as Riemann surfaces.
[20]
https://arxiv.org/abs/1208.5519
[21]
[PDF] Higher Descents on Elliptic Curves - John Cremona
In this talk we will rst give some generalities on descents, before specializing to the well-known case of descent via 2-isogeny. This will be called the rst.
[22]
[PDF] Explicit isogeny descent on elliptic curves
Abstract. In this note, we consider an `-isogeny descent on a pair of elliptic curves over Q. We assume that ` > 3 is a prime. The main result expresses.
[23]
[PDF] The Riemann Hypothesis over Finite Fields - James Milne
Sep 14, 2015 · In 1948 Weil didn't know that abelian varieties are projective, and he proved (1.27) first for jacobians, where the Rosati involution is obvious ...<|control11|><|separator|>
[24]
[PDF] Towards quantum-resistant cryptosystems from supersingular elliptic ...
[19] David Jao and Luca De Feo. Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In. Bo-Yin Yang, editor, PQCrypto ...
[25]
[PDF] Supersingular Isogeny Key Encapsulation
Sep 15, 2022 · This document presents a detailed description of the Supersingular Isogeny Key Encapsulation (SIKE) protocol. This protocol is based on a key- ...
[26]
[PDF] CSIDH: An Efficient Post-Quantum Commutative Group Action
The. Diffie–Hellman scheme resulting from the group action allows for public- key validation at very little cost, runs reasonably fast in practice, and has ...
[27]
[PDF] An efficient key recovery attack on SIDH - Cryptology ePrint Archive
The attack is particularly fast and easy to implement if one of the parties uses 2-isogenies and the starting curve comes equipped with a non-scalar.
[28]
compact post-quantum signatures from quaternions and isogenies
Oct 9, 2020 · Paper 2020/1240. SQISign: compact post-quantum signatures from quaternions and isogenies. Luca De Feo, David Kohel, Antonin Leroux, ...Missing: original | Show results with:original
[29]
[PDF] https - SQIsign
Jun 1, 2023 · [BDLS20] Daniel J Bernstein, Luca De Feo, Antonin Leroux, and Benjamin Smith. Faster computation of isogenies of large prime degree. Open.