EXTENDING THE GHS ATTACK USING ISOGENIES 171 the reduction of random walks to I and combining this with the isogenies from

the precomputation (and their duals) finally yields a short chain of isogenies

E → E_.

In many cases Z[π] =Omax, so that the complications with intermediate orders in Isogeny Strategy 1 and Isogeny Strategy 2 do not occur.

Theorem _VIII.14. _{Let E and E be two ordinary isogenous elliptic curves}

such that#E(K) = #E(K) =qn_{+ 1−t, and letlbe the largest prime or one} withl2_dividing(4qn_−t2_{). Under the GRH and further reasonable assumptions}

there is a probabilistic algorithm which computes O(nlog(q)) isogenies φi :

Ei→ Ei+1 of degreeO(max{(nlog(q))2, l})such thatφ=

iφi is an isogeny between E andE. The expected running time is O(max{qn/4+ε_{, l}3+ε_}).

The theorem follows from [129], [134] along the lines explained above. The algorithm involves some not rigorously proven steps from index-calculus in imaginary quadratic orders which accounts for the GRH and further “rea- sonable” assumptions. In most caseslwill be fairly small, so that the running time of the algorithm is essentiallyO(qn/4+ε_{). A worse running time can only}

occur when lis large since potentially some isogeniesφiof degreel could be

required. If End(E) and End(E) are equal, then using isogenies of degree l can be circumvented; but if the mutual index contains a large primel, isoge- nies of degreel cannot be avoided. The algorithm is particularly efficient if 4qn_−t2_{is small or ifO}

max has a small class number #Pic(Omax) and smooth index (Omax:Z[π]).

IfE is our target curve andE∈Sm₁(t),m₂(t)is isogenous toE we can hence compute the isogenyφbetweenE andEin (much) less time than the Pollard methods require for solving the DLP on E, assuming that 4qn_−t2 _{is only} divisible by squares of primesl=O(qn/6−ε_{) or that End(E) = End(E). Then}

φis given in the product form φ=_iφi and imagesφ(P) are computed in

time about O(max{(nlog(q))7_,(nlog(q))l3_{}). Furthermore, also due to the} degree bounds for theφi, the order of the kernel of φcannot be divisible by

the large prime factor of #E(K) and hence the DLP is preserved underφ.

VIII.3.4. Implications fornOdd Prime. We now combine the previous observations with the results of Sections VIII.2.3–VIII.2.5 and Table VIII.1 for n an odd prime. Since the 2-power Frobenius has order nr on K, the cardinalities of the representative sets S_hi,hi, S_t−1,hi and S_{t−1,(t−1)hi} are at least 1/(nr) times the cardinalities of the sets Shi,hi, St−1,hi and St−1,(t−1)hi.

If we takeN pairwise distinct elliptic curvesEifrom these representative sets

withN$%qn/2_{, we expect by Lemma VIII.13 and the discussion thereafter} that a randomly and uniformly chosen elliptic curve E will be isogenous to one of theEi with probability at least min{1, N/(2qn/2)} or min{1, N/qn/2}

if the considered elliptic curves have a= 0.

Following Isogeny Strategy 1, we need to actually compute theEi. Some

each curveEiwe check #E(K)·P =Ofor some random pointsP ∈ Ei(K). If

the check fails,Eiis not isogenous toE. Otherwise it is quite likely that it is

and we check #Ei(K) = #E(K) using fast point counting techniques. If we

findEi such that #Ei(K) = #E(K), we are left to apply the algorithm from

Theorem VIII.14. This strategy requires a time linear in N, plus a time of aboutO(qn/4_{) for the isogeny computation.}

Following Isogeny Strategy 2, we need to sample random and uniformly distributed elliptic curves E from the isogeny class ofE as described in Sec- tion VIII.3.3. We expect to compute approximatelyqn_/#S

hi,hi, 2qn/#St−1,hi

and 2qn_/#S

t−1,(t−1)hi curvesEand isogeniesE → EuntilEis isomorphic to

one of the curves inShi,hi,St−1,hi andSt−1,(t−1)hi, respectively. Table VIII.2

contains a summary.

Table VIII.2. Expected Probabilities that a Random E is Isogenous to a Curve E in Smγ,mβ and Runtimes for Isogeny

Strategy 1 (Excluding the O(qn/4_{) Contribution) and Isogeny} Strategy 2, fornOdd Prime

mγ mβ Pr(E ∼ E∈Smγ,mβ) Strat 1 Strat 2

hi hi min{1, sq2d−1−n/2/(2nr)} sq2d−1/(2nr) 2qn−2d+1/s

t−1 hi min{1, sqd−n/2/(nr)} 2sqd/(nr) qn−d/s

t−1 (t−1)hi min{1, s(q−1)qd−n/2/(nr)} 2sqd+1/(nr) qn−d−1/s

Example 6: Consider n= 7. By Example 5, a proportion of about q−2 _of all elliptic curves over Fq7 withα= 0 leads to an efficiently computable, not

necessarily hyperellipticC0_{of genus 7. Using Isogeny Strategy 2 and the first} row of Table VIII.2, we thus expect that sampling of the order of q2 _many random elliptic curves from the isogeny class of the target curveEyields such a C0_.

Example 7: Considern= 31. The factorization oft31_{−1 modulo 2 consists} oft−1 ands= 6 irreducible polynomialshi(t) of degreed= 5, two of which

are of the trinomial form of Lemma VIII.11. Using Table VIII.1 there are hence about 3q9_{, 12q}5 _{and 12q}6_{elliptic curves which lead to non-hyperelliptic} and hyperelliptic curves C0 _{of genus 31, 31 and 32, respectively. Using Ta-} ble VIII.2 the probability that a random elliptic curve lies in the isogeny class of one of these curves is 3q−13/2_{/(31r), 6q}−21/2_{/(31r) and 6q}−19/2_{/(31r), re-} spectively. Since the above cardinalities are much smaller thanq31/2 _Isogeny Strategy 1 is more efficient and requires a run time of 3q9_{/(31r), 12q}5_/(31r)

VIII.4. SUMMARY OF PRACTICAL IMPLICATIONS 173