DOCSLIB.ORG

Optimized Supersingular Isogeny Key Encapsulation on Armv8 Processors

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Optimized Supersingular Isogeny Key Encapsulation on Armv8 Processors IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS–I: REGULAR PAPERS, VOL. 66, NO. 11, NOVEMBER 2019 4209 ARMv8 SIKE: Optimized Supersingular Isogeny Key Encapsulation on ARMv8 Processors Amir Jalali , Reza Azarderakhsh , Member, IEEE, Mehran Mozaffari Kermani , Senior Member, IEEE, Matthew Campagna, and David Jao Abstract— In this paper, we present highly-optimized constant- which would be catastrophic to the confidentiality and integrity time software libraries for supersingular isogeny key encapsu- of any secure communication. To counteract this problem, lation (SIKE) protocol on ARMv8 processors. Our optimized post-quantum cryptography protocols are required to preserve hand-crafted assembly libraries provide the most efficient timing results on 64-bit ARM-powered devices. Moreover, the presented the security in the presence of quantum adversaries. Regardless libraries can be integrated into any other cryptography primitives of whether we can estimate the exact time for the advent of the targeting the same finite field size. We design a new mixed quantum computing era, we must begin to prepare the security implementation of field arithmetic on 64-bit ARM processors by protocols to be resistant against potentially-malicious power of exploiting the A64 and Advanced SIMD processing units working quantum computing. Accordingly, NIST initiated a process to in parallel. Using these techniques, we are able to improve the performance of the entire protocol by the factor of 5× evaluate, and standardize one or more post-quantum public- compared to optimized C implementations on 64-bit ARM high- key cryptography primitives [1]. Recently, the first round of performance cores, providing 83-, 124-, and 159-bit quantum- submission of the post-quantum primitives is completed and security levels. Furthermore, we compare the performance of all the proposals are publicly available1 to evaluate in terms our proposed library with the previous highly-optimized ARMv8 of the proof of security and efficiency. assembly library available in the literature. The implementation results illustrate the overall 10% performance improvement in The submitted public-key post-quantum cryptography comparison with previous work, highlighting the benefit of using (PQC) proposals are based on five different hard problems mixed implementation over relatively-large finite field size. and they are categorized as code-based cryptography [2], Index Terms— ARM assembly, finite field, isogeny-based (ring) lattice-based cryptography [3], [4], hash-based cryptog- cryptosystems, key encapsulation mechanism, post-quantum raphy [5], multivariate cryptography [6], and isogeny-based cryptography. cryptography [7]. The isogeny-based cryptography is based on the hardness of computing the isogenies between two I. INTRODUCTION isomorphic elliptic curves and it provides a complete key N RECENT years, extensive amount of research has been encapsulation protocol. The proposed method is denoted as Idevoted to quantum computers. These machines are envi- Supersingular Isogeny Key Encapsulation (SIKE) [8], and con- sioned to be able to solve mathematical problems which are structed upon the initial Diffie-Hellman key-exchange scheme currently unsolvable for conventional computers, because of proposed by Jao and De Feo [7]. their exceptional computational power from quantum mechan- SIKE protocol provides a standard method of key-exchange ics. Therefore, if quantum computers are ever built in large between two parties, and it has been claimed to be secure scale, they will certainly be able to break many or almost all against large-scale quantum adversaries running the Shor’s of the currently in-use public-key cryptosystems, the threat of quantum algorithm [9]. Compared to other post-quantum can- Manuscript received March 23, 2019; revised May 17, 2019; accepted didates, supersingular isogeny problem is a much younger May 29, 2019. Date of publication July 22, 2019; date of current ver- scheme and its security and performance need to be inves- sion October 30, 2019. This work was supported in part by NSF under tigated more. In terms of performance, SIKE is not a fast Grant CNS-1801341, in part by NIST under Grant 60NANB16D246, in part by NSERC, CryptoWorks21, Public Works and Government Services Canada, protocol due to the extensive number of point arithmetic which in part by the Canada First Research Excellence Fund, and in part by the are required for computing large-degree isogenies. However, Royal Bank of Canada. This paper was recommended by Associate Editor because of its significant smaller size of secret-key and public- G. Masera. (Corresponding author: Amir Jalali.) A. Jalali and R. Azarderakhsh are with the Department of Computer and key compared to other PQC candidates, SIKE is a suitable Electrical Engineering and Computer Science, Florida Atlantic University, option for the applications where communication bandwidth Boca Raton, FL 33431 USA (e-mail: [email protected]; razarderakhsh@ is critical. Furthermore, since it is the only post-quantum fau.edu). M. Mozaffari Kermani is with the Department of Computer Science and cryptography protocol which is constructed on elliptic curves, Engineering, University of South Florida, Tampa, FL 33620 USA (e-mail: hybrid cryptography protocols can be derived from SIKE and [email protected]). classical elliptic curve cryptography (ECC) to make the transi- M. Campagna is with Amazon Web Services, Inc., Seattle, WA 98108-1207 USA (e-mail: [email protected]). tion towards post-quantum cryptography more convenient and D. Jao is with the Department of Mathematics, University of Waterloo, practical. Waterloo, ON N2L 3G1, Canada (e-mail: [email protected]). Color versions of one or more of the figures in this article are available online at http://ieeexplore.ieee.org. 1NIST Standardization Process (Accessed Feb. 2019): https://csrc.nist.gov/ Digital Object Identifier 10.1109/TCSI.2019.2920869 projects/post-quantum-cryptography/round-1-submissions 1549-8328 © 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information. 4210 IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS–I: REGULAR PAPERS, VOL. 66, NO. 11, NOVEMBER 2019 The initial idea of constructing cryptography schemes processors by adopting a novel engineering technique which from the isogenies of regular elliptic curves was intro- takes advantage of out-of-order execution pipeline on high- duced by Rostovtsev and Stolbunov [10] in 2006. Later, performance ARM cores. We compare the performance of our Charles et al. [11] presented a set of cryptography hash arithmetic libraries inside the SIKE reference implementation, functions constructed from Ramanujan graphs, i.e., the set of and conclude the benefits of using mixed implementation over F supersingular elliptic curves over p2 with -isogenies. The relatively-large finite fields. main breakthrough in constructing a post-quantum cryptogra- phy protocol based on the hardness of computing isogenies A. Contributions was proposed by Jao and De Feo [7]. Their proposed scheme In this work, we study different approaches of implementing presents a set of public-key cryptography schemes such as key- SIKE on 64-bit ARM. We engineer the finite field arithmetic exchange and encryption-decryption protocols with a coherent implementation accurately to provide the fastest timing records proof of security. Later, De Feo et al. [12] presented the first of the protocol on our target platforms. Our contributions can practical implementation of the Supersingular Isogeny Diffie- be categorized as follows: Hellman (SIDH) key-exchange protocol using optimized curve • We propose a new approach for implementing finite field arithmetic techniques such as Montgomery arithmetic. Since arithmetic on 64-bit ARM processors. We combine gen- the introduction of supersingular isogeny public-key protocol, eral register and vector limbs in an efficient way to reduce many different schemes and implementations such as digital the pipeline stalls and improve the overall performance. signature [13], [14], undeniable signature [15], [16], group To the best of our knowledge, this work is the first imple- key agreement [17], and static-static key agreement [18] have mentation of such a technique on ARMv8 processors. been proposed which are all built on the hardness of comput- • We implement different optimized versions of finite field ing isogenies. The fast hardware architectures for computing multiplication using Karatsuba multiplication method isogenies of elliptic curves proposed by Koziel et al. [19] which outperforms the previous implementation of the demonstrated that isogeny-based cryptography has the poten- field multiplication with the same size on ARMv8 target tial to be considered as a practical candidates on FPGAs. platform. The proposed implementations are constant- However, the initial performance evaluations in software were time and resistant to timing attacks. not promising compared to other post-quantum candidates. • Our optimized software provides a constant-time imple- In particular to those which are constructed over learning with mentation of the post-quantum SIKE protocol over three errors problem [20]–[22]. The SIDH projective formulas and different quantum security levels. We state that, this work implementation by Costello et al. [23] smashed the perfor- is the first implementation of SIKEp964 which provides mance bar of the protocol considerably by eliminating field
Load more

Recommended publications
  • On Abelian Subgroups of Finitely Generated Metabelian
    J. Group Theory 16 (2013), 695–705 DOI 10.1515/jgt-2013-0011 © de Gruyter 2013 On abelian subgroups of finitely generated metabelian groups Vahagn H. Mikaelian and Alexander Y. Olshanskii Communicated by John S. Wilson To Professor Gilbert Baumslag to his 80th birthday Abstract. In this note we introduce the class of H-groups (or Hall groups) related to the class of B-groups defined by P. Hall in the 1950s. Establishing some basic properties of Hall groups we use them to obtain results concerning embeddings of abelian groups. In particular, we give an explicit classification of all abelian groups that can occur as subgroups in finitely generated metabelian groups. Hall groups allow us to give a negative answer to G. Baumslag’s conjecture of 1990 on the cardinality of the set of isomorphism classes for abelian subgroups in finitely generated metabelian groups. 1 Introduction The subject of our note goes back to the paper of P. Hall [7], which established the properties of abelian normal subgroups in finitely generated metabelian and abelian-by-polycyclic groups. Let B be the class of all abelian groups B, where B is an abelian normal subgroup of some finitely generated group G with polycyclic quotient G=B. It is proved in [7, Lemmas 8 and 5.2] that B H, where the class H of countable abelian groups can be defined as follows (in the present paper, we will call the groups from H Hall groups). By definition, H H if 2 (1) H is a (finite or) countable abelian group, (2) H T K; where T is a bounded torsion group (i.e., the orders of all ele- D ˚ ments in T are bounded), K is torsion-free, (3) K has a free abelian subgroup F such that K=F is a torsion group with trivial p-subgroups for all primes except for the members of a finite set .K/.
    [Show full text]
  • Nearly Isomorphic Torsion Free Abelian Groups
    View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by Elsevier - Publisher Connector JOURNAL OF ALGEBRA 35, 235-238 (1975) Nearly Isomorphic Torsion Free Abelian Groups E. L. LADY University of Kansas, Lawrence, Kansas 66044* Communicated by D. Buchsbaum Received December 7, 1973 Let K be the Krull-Schmidt-Grothendieck group for the category of finite rank torsion free abelian groups. The torsion subgroup T of K is determined and it is proved that K/T is free. The investigation of T leads to the concept of near isomorphism, a new equivalence relation for finite rank torsion free abelian groups which is stronger than quasiisomorphism. If & is an additive category, then the Krull-Schmidt-Grothendieck group K(d) is defined by generators [A], , where A E &, and relations [A]& = m-2 + [af? Pwhenever A w B @ C. It is well-known that every element in K(&‘) can be written in the form [A],cJ - [Bls/ , and that [A],, = [B], ifandonlyifA @L = B @LforsomeLE.&. We let ,F denote the category of finite rank torsion free abelian groups, and we write K = K(3). We will write [G] rather than [G],7 for the class of [G] in K. If G, H ~9, then Hom(G, H) and End(G) will have the usual significance. For any other category ~9’, &(G, H) and d(G) will denote the corresponding group of $Z-homomorphisms and ring of cpJ-endomorphisms. We now proceed to define categories M and NP, where p is a prime number or 0.
    [Show full text]
  • THE TORSION in SYMMETRIC POWERS on CONGRUENCE SUBGROUPS of BIANCHI GROUPS Jonathan Pfaff, Jean Raimbault
    View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by Archive Ouverte en Sciences de l'Information et de la Communication THE TORSION IN SYMMETRIC POWERS ON CONGRUENCE SUBGROUPS OF BIANCHI GROUPS Jonathan Pfaff, Jean Raimbault To cite this version: Jonathan Pfaff, Jean Raimbault. THE TORSION IN SYMMETRIC POWERS ON CONGRUENCE SUBGROUPS OF BIANCHI GROUPS. Transactions of the American Mathematical Society, Ameri- can Mathematical Society, 2020, 373 (1), pp.109-148. 10.1090/tran/7875. hal-02358132 HAL Id: hal-02358132 https://hal.archives-ouvertes.fr/hal-02358132 Submitted on 11 Nov 2019 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. THE TORSION IN SYMMETRIC POWERS ON CONGRUENCE SUBGROUPS OF BIANCHI GROUPS JONATHAN PFAFF AND JEAN RAIMBAULT Abstract. In this paper we prove that for a fixed neat principal congruence subgroup of a Bianchi group the order of the torsion part of its second cohomology group with coefficients in an integral lattice associated to the m-th symmetric power of the standard 2 representation of SL2(C) grows exponentially in m . We give upper and lower bounds for the growth rate.
    [Show full text]
  • Math 521 – Homework 5 Due Thursday, September 26, 2019 at 10:15Am
    Math 521 { Homework 5 Due Thursday, September 26, 2019 at 10:15am Problem 1 (DF 5.1.12). Let I be any nonempty index set and let Gi be a group for each i 2 I. The restricted direct product or direct sum of the groups Gi is the set of elements of the direct product which are the identity in all but finitely many components, that is, the Q set of elements (ai)i2I 2 i2I Gi such that ai = 1i for all but a finite number of i 2 I, where 1i is the identity of Gi. (a) Prove that the restricted direct product is a subgroup of the direct product. (b) Prove that the restricted direct produce is normal in the direct product. (c) Let I = Z+, let pi denote the ith prime integer, and let Gi = Z=piZ for all i 2 Z+. Show that every element of the restricted direct product of the Gi's has finite order but the direct product Q G has elements of infinite order. Show that in this i2Z+ i example, the restricted direct product is the torsion subgroup of Q G . i2Z+ i Problem 2 (≈DF 5.5.8). (a) Show that (up to isomorphism), there are exactly two abelian groups of order 75. (b) Show that the automorphism group of Z=5Z×Z=5Z is isomorphic to GL2(F5), where F5 is the field Z=5Z. What is the size of this group? (c) Show that there exists a non-abelian group of order 75. (d) Show that there is no non-abelian group of order 75 with an element of order 25.
    [Show full text]
  • On the Growth of Torsion in the Cohomology of Arithmetic Groups
    ON THE GROWTH OF TORSION IN THE COHOMOLOGY OF ARITHMETIC GROUPS A. ASH, P. E. GUNNELLS, M. MCCONNELL, AND D. YASAKI Abstract. Let G be a semisimple Lie group with associated symmetric space D, and let Γ G be a cocompact arithmetic group. Let L be a lattice in- side a ZΓ-module⊂ arising from a rational finite-dimensional complex representa- tion of G. Bergeron and Venkatesh recently gave a precise conjecture about the growth of the order of the torsion subgroup Hi(Γk; L )tors as Γk ranges over a tower of congruence subgroups of Γ. In particular they conjectured that the ra- tio log Hi(Γk; L )tors /[Γ:Γk] should tend to a nonzero limit if and only if i = (dim(D|) 1)/2 and G| is a group of deficiency 1. Furthermore, they gave a precise expression− for the limit. In this paper, we investigate computationally the cohomol- ogy of several (non-cocompact) arithmetic groups, including GLn(Z) for n = 3, 4, 5 and GL2(O) for various rings of integers, and observe its growth as a function of level. In all cases where our dataset is sufficiently large, we observe excellent agree- ment with the same limit as in the predictions of Bergeron–Venkatesh. Our data also prompts us to make two new conjectures on the growth of torsion not covered by the Bergeron–Venkatesh conjecture. 1. Introduction 1.1. Let G be a connected semisimple Q-group with group of real points G = G(R). Suppose Γ G(Q) is an arithmetic subgroup and M is a ZΓ-module arising from a rational finite-dimensional⊂ complex representation of G.
    [Show full text]
  • 7 Torsion Subgroups and Endomorphism Rings
    18.783 Elliptic Curves Spring 2019 Lecture #7 02/27/2019 7 Torsion subgroups and endomorphism rings 7.1 The n-torsion subgroup E[n] Having determined the degree and separability of the multiplication-by-n map [n] in the previous lecture, we now want to determine the structure of its kernel, the n-torsion subgroup E[n], as a finite abelian group. Recall that any finite abelian group G can be written as a direct sum of cyclic groups of prime power order (unique up to ordering). Since #E[n] always divides deg[n] = n2, to determine the structure of E[n] it suffices to determine the structure of E[`e] for each prime power `e dividing n. Theorem 7.1. Let E=k be an elliptic curve and let p := char(k). For each prime `: ( =`e ⊕ =`e if ` 6= p; E[`e] ' Z Z Z Z e Z=` Z or f0g if ` = p: Proof. We first suppose ` 6= p. The multiplication-by-` map [`] is then separable, and we may apply Theorem 6.8 to compute #E[`] = # ker[`] = deg[`] = `2. Every nonzero element e of E[`] has order `, so we must have E[`] ' Z=`Z ⊕ Z=`Z. If E[` ] ' hP1i ⊕ · · · ⊕ hPri with e each Pi 2 E(k¯) of order ` i > 1, then e −1 e −1 r E[`] ' h` 1 P i ⊕ · · · ⊕ h` r P i ' (Z=`Z) ; and we must have r = 2; more generally, for any abelian group G the `-rank r of G[`e] e e e is the same as the `-rank of G[`].
    [Show full text]
  • 17 Torsion Subgroup Tg
    17 Torsion subgroup tG All groups in this chapter will be additive. Thus extensions of A by C can be written as short exact sequences: f g 0 ! A ¡! B ¡! C ! 0 which are sequences of homomorphisms between additive groups so that im f = ker g, ker f = 0 (f is a monomorphism) and coker g = 0 (g is an epimorphism). Definition 17.1. The torsion subgroup tG of an additive group G is defined to be the group of all elements of G of finite order. [Note that if x; y 2 G have order n; m then nm(x + y) = nmx + nmy = 0 so tG · G.] G is called a torsion group if tG = G. It is called torsion-free if tG = 0. Lemma 17.2. G=tG is torsion-free for any additive group G. Proof. This is obvious. If this were not true there would be an element of G=tG of finite order, say x + tG with order n. Then nx + tG = tG implies that nx 2 tG so there is an m > 0 so that m(nx) = 0. But then x has finite order and x + tG is zero in G=tG. Lemma 17.3. Any homomorphism f : G ! H sends tG into tH, i.e., t is a functor. Proof. If x 2 tG then nx = 0 for some n > 0 so nf(x) = f(nx) = 0 which implies that f(x) 2 tH. Lemma 17.4. The functor t commutes with direct sum, i.e., M M t G® = tG®: This is obvious.
    [Show full text]
  • Torsion Subgroups of Elliptic Curves Over Quadratic Cyclotomic Fields in Elementary Abelian 2-Extensions
    TORSION SUBGROUPS OF ELLIPTIC CURVES OVER QUADRATIC CYCLOTOMIC FIELDS IN ELEMENTARY ABELIAN 2-EXTENSIONS OZLEM¨ EJDER p Abstract. Let K denote the quadratic field Q( d) where d = −1 or −3 and let E be an elliptic curve defined over K. In this paper, we analyze the torsion subgroups of E in the maximal elementary abelian 2-extension of K. 1. Introduction Finding the set of rational points on a curve is one of the fundamental problems in number theory. Given a number field K and an algebraic curve C=K, the set, C(K), of points on C which are defined over K, has the following properties depending on the genus of the curve. (1) If C has genus 0, then C(Q) is either empty or infinite. (2) If C has genus greater than 1, then C(Q) is either empty or finite. (Faltings's theorem) Assume C has genus 1. If C(K) is not empty, then it forms a finitely generated abelian group, proven by Luis Mordell and Andr´eWeil. Thus, given an elliptic curve E=K, the group E(K) has the structure r E(K)tors ⊕ Z : Here E(K)tors is the finite part of this group E(K), called the torsion sub- group and the integer r is called the rank of E over the number field K. In this paper, we will study the elliptic curves over the quadratic cyclo- tomic fields and how their torsion subgroups grow in the compositum of all quadratic extensions of the base field. First, we summarize the results obtained so far on E(K)tors for a number field K.
    [Show full text]
  • The Torsion Index of the Spin Groups
    The torsion index of the spin groups Burt Totaro The torsion index is a positive integer associated by Grothendieck to any con- nected compact Lie group G [10]. As explained in section 1, knowing the torsion index of a group has direct consequences for the abelian subgroups of G, the inte- gral cohomology of the classifying space, the complex cobordism of the classifying space, the Chow ring of the classifying space [26], and the classification of G-torsors over fields [24]. Demazure [5], Marlin [14], and Tits [25] have given upper bounds for the torsion index. In this paper, we compute the torsion index exactly for all the spin groups Spin(n). In another paper, we will compute the torsion index of the exceptional group E8. As discussed below, this completes the calculation of the torsion index for all the simply connected simple groups. The topology of the spin groups becomes more and more complicated as the dimension increases, and so it was not at all clear that it would be possible to do the calculation in all dimensions. Indeed, the answer is rather intricate, and the proof in high dimensions requires some deep information from√ analytic number theory, Bauer and Bennett’s theorem on the binary expansion of 2 [1]. Theorem 0.1 Let l be a nonnegative integer. The groups Spin(2l+1) and Spin(2l+ 2) have the same torsion index, of the form 2u(l). For all l, u(l) is either l + 1 l − log + 1 2 2 or that expression plus 1. The second case arises only for certain numbers l (ini- tially: l = 8, 16, 32, 33,...) which are equal to or slightly larger than a power of 2.
    [Show full text]
  • PDF Hosted at the Radboud Repository of the Radboud University Nijmegen
    PDF hosted at the Radboud Repository of the Radboud University Nijmegen The following full text is a publisher's version. For additional information about this publication click this link. http://hdl.handle.net/2066/204182 Please be advised that this information was generated on 2021-09-24 and may be subject to change. Security on the Line: Modern Curve-based Cryptography Copyright c 2019 Joost Renes ISBN: 978–94–6323–695–9 Typeset using LATEX Cover design: Ilse Modder – www.ilsemodder.nl Printed by: Gildeprint – www.gildeprint.nl This work is part of the research programme TYPHOON with project number 13499, which is (partly) financed by the Netherlands Organisation for Scientific Research (NWO). Security on the Line: Modern Curve-based Cryptography Proefschrift ter verkrijging van de graad van doctor aan de Radboud Universiteit Nijmegen op gezag van de rector magnificus prof. dr. J.H.J.M. van Krieken, volgens besluit van het college van decanen in het openbaar te verdedigen op maandag 1 juli 2019 om 14.30 uur precies door Joost Roland Renes geboren op 26 juni 1991 te Harmelen Promotor Prof. dr. L. Batina Manuscriptcommissie Prof. dr. E.R. Verheul Prof. dr. S.D. Galbraith (University of Auckland, Nieuw-Zeeland) Prof. dr. A.J. Menezes (University of Waterloo, Canada) Dr. N. Heninger (University of California San Diego, Verenigde Staten) Dr. F. Vercauteren (KU Leuven, België) Acknowledgements A unique feature of doing a PhD is that by the end of it, one is expected to deliver a book detailing all personal contributions to the field of study. This inherently high- lights its individual nature, yet one would be wrong to think all these years are spent alone in a dark office (if anything, because no PhD student would ever be given their own office).
    [Show full text]
  • 4-Covering Maps on Elliptic Curves with Torsion Subgroup Z2 × Z8
    4-COVERING MAPS ON ELLIPTIC CURVES WITH TORSION SUBGROUP Z2 × Z8 SAMUEL IVY, BRETT JEFFERSON, MICHELE JOSEY, CHERYL OUTING, CLIFFORD TAYLOR, AND STACI WHITE Abstract. In this exposition we consider elliptic curves over Q with the tor- sion subgroup Z2 × Z8. In particular, we discuss how to determine the rank of the curve E : y2 = (1 − x2)(1 − k2 x2), where k = (t4 − 6t2 + 1)=(t2 + 1)2 and t = 9=296. We use a 4-covering map C0 ! C ! E in terms of homogeneous bd2 bd2 spaces for d2 2 {−1; 6477590; 2; 7; 37g. We provide a method to show that the 3 Mordell-Weil group is E(Q) ' Z2 × Z8 × Z , which would settle a conjecture of Flores-Jones-Rollick-Weigandt and Rathbun. 1. Introduction Given an elliptic curve E, we denote the set of Q-rational points as E(Q). Since E(Q) is finitely generated, there exists a finite group E(Q)tors and a nonnegative r integer r such that E(Q) ' E(Q)tors × Z , where r is called the (Mordell-Weil) rank. Those elliptic curves with E(Q)tors ' Z2 × Z8 are birationally equivalent to t4 − 6t2 + 1 y2 = (1 − x2)(1 − k2 x2) where k = for some t 2 : (t2 + 1)2 Q The highest known rank of curves with this torsion subgroup is r = 3. It is conjectured in [6] that this bound is obtained when t = 9=296; one knows that 2 ≤ r ≤ 3 for this particular t. In this exposition, we focus on determining the exact rank of this particular elliptic curve.
    [Show full text]
  • Homework Set 3
    HOMEWORK SET 3 Local Class Field Theory - Fall 2011 For questions, remarks or mistakes write me at [email protected]. Exercise 3.1. Suppose A is an abelian group which is torsion (every element has finite 1 ∼ order). Show that ExtZ(A, Z) = Hom(A, Q/Z). Hint: use an injective resolution of Z. Proof. We take the usual injective resolution (of abelian groups) of Z given by 0 /Z /Q /Q/Z /0 /.... The sequence is clearly exact and all the abelian groups involved (except Z of course) are injective, since they are divisible and we are working in the category of Z-modules. (Here Q is considered as a group under the additive law). 1 Thus to compute ExtZ(A, Z), we have to apply the left exact covariant functor Hom(A, −), getting d0 d1 Hom(A, Q) /Hom (A, Q/Z) /0 /.... Since A is a torsion group we see that Hom(A, Q) = 0, since Q has no torsion points (except 0). Finally, just by definition, we see that ker(d1) Ext1 (A, ) = ∼= Hom(A, / ). Z Z Im(d0) Q Z Exercise 3.2. Given a prime p. Explicitly list representatives of all isomorphism classes of extensions of the group Z/pZ by the group Z/pZ. Here an exension is an exact sequence of groups of the form 0 → Z/pZ → X → Z/pZ → 0, and two of these are said to be isomorphic if there is a morphism of short exact sequences between them, where the map on the outer two Z/pZ is the identity map.
    [Show full text]