Trac #32744: composite elliptic-curve isogenies

This patch introduces two important improvements for isogeny-minded
users:

1. Implement `EllipticCurveHom_composite`, a type of elliptic-curve
morphism that's fundamentally a formal composite map, but designed to
behave almost exactly like `EllipticCurveIsogeny`. Leaving the isogeny
decomposed can be exponentially more efficient in some scenarios (such
as in cryptography).

2. Implement "factored" isogenies, that is, construction of an isogeny
from a smooth-order kernel subgroup in time logarithmic in the degree
(whereas `EllipticCurveIsogeny` is linear in the degree).

The new code is marked as experimental and not used anywhere by default,
but adventurous users can opt-in by calling
`EllipticCurveHom_composite.make_default()` or passing
`algorithm="factored"` to `E.isogeny()`. Changes to the existing
codebase are intentionally kept minimal.

Here's a diff without the dependency:

- https://git.sagemath.org/sage.git/diff?id2=444330c857ee57a22e7e7e974cb
63478b1535398&id=72ab0b8cdc18b15ea893a3db914419631252de23

Most of the algorithms are straightforward, except perhaps for equality
testing: This relies on the fact that distinct isogenies cannot act the
same on "too many" points (the bound is four times the degree). See also
#31850.

URL: https://trac.sagemath.org/32744
Reported by: lorenz
Ticket author(s): Lorenz Panny
Reviewer(s): John Cremona

Author: Release Manager

build/pkgs/configure/checksums.ini

@@ -1,4 +1,4 @@
 tarball=configure-VERSION.tar.gz
-sha1=90c6a61858cddd0d4e3b65b05d899c742356a82e
-md5=eddfeb607a50616c02ca39dbfaae91a5
-cksum=3731009361
+sha1=b0c428abfc3936a2418e105844b43e5a28b386ef
+md5=d9736cf1bb521bb49edfb60b056e652e
+cksum=2428638712

build/pkgs/configure/package-version.txt

@@ -1 +1 @@
-464e8c3d08cd20837a05fc6afa7386f89a309133
+f467c7383e24dfb6089500c5704298a404f3d546

src/doc/en/reference/arithmetic_curves/index.rst

@@ -21,6 +21,7 @@ Maps between them
    sage/schemes/elliptic_curves/weierstrass_morphism
    sage/schemes/elliptic_curves/ell_curve_isogeny
    sage/schemes/elliptic_curves/isogeny_small_degree
+   sage/schemes/elliptic_curves/hom_composite
 
 
 Elliptic curves over number fields

src/sage/schemes/elliptic_curves/ell_curve_isogeny.py

@@ -65,6 +65,8 @@
 
 from copy import copy
 
+from sage.structure.sequence import Sequence
+
 from sage.schemes.elliptic_curves.hom import EllipticCurveHom
 
 from sage.rings.all import PolynomialRing, Integer, LaurentSeriesRing
@@ -74,7 +76,8 @@
 
 from sage.rings.number_field.number_field_base import is_NumberField
 
-from sage.schemes.elliptic_curves.weierstrass_morphism import WeierstrassIsomorphism, isomorphisms
+from sage.schemes.elliptic_curves.weierstrass_morphism \
+        import WeierstrassIsomorphism, isomorphisms, baseWI
 
 from sage.sets.set import Set
 
@@ -1019,6 +1022,67 @@ def __init__(self, E, kernel, codomain=None, degree=None, model=None, check=True
 
         self.__perform_inheritance_housekeeping()
 
+    def _eval(self, P):
+        r"""
+        Less strict evaluation method for internal use.
+
+        In particular, this can be used to evaluate ``self`` at a
+        point defined over an extension field.
+
+        INPUT: a sequence of 3 coordinates defining a point on ``self``
+
+        OUTPUT: the result of evaluating ``self'' at the given point
+
+        EXAMPLES::
+
+            sage: E = EllipticCurve([1,0]); E
+            Elliptic Curve defined by y^2 = x^3 + x over Rational Field
+            sage: phi = E.isogeny(E(0,0))
+            sage: P = E.change_ring(QQbar).lift_x(QQbar.random_element())
+            sage: phi._eval(P).curve()
+            Elliptic Curve defined by y^2 = x^3 + (-4)*x over Algebraic Field
+
+        ::
+
+            sage: E = EllipticCurve(j=Mod(0,419))
+            sage: K = next(filter(bool, E(0).division_points(5)))
+            sage: psi = E.isogeny(K)
+            sage: Ps = E.change_ring(GF(419**2))(0).division_points(5)
+            sage: {psi._eval(P).curve() for P in Ps}
+            {Elliptic Curve defined by y^2 = x^3 + 140*x + 214 over Finite Field in z2 of size 419^2}
+        """
+        if self._domain.defining_polynomial()(*P):
+            raise ValueError(f'{P} not on {self._domain}')
+
+        if not P:
+            k = Sequence(tuple(P)).universe()
+            return self._codomain(0).change_ring(k)
+
+        Q = P.xy()
+        pre_iso = self.get_pre_isomorphism()
+        if pre_iso is not None:
+            Q = baseWI.__call__(pre_iso, Q)
+
+        if self.__algorithm == 'velu':
+            compute = self.__compute_via_velu
+        elif self.__algorithm == 'kohel':
+            compute = self.__compute_via_kohel
+        else:
+            raise NotImplementedError
+
+        try:
+            Q = compute(*Q)
+        except ZeroDivisionError:
+            Q = (0,1,0)
+
+        post_iso = self.get_post_isomorphism()
+        if post_iso is not None:
+            Q = baseWI.__call__(post_iso, Q)
+
+        k = Sequence(tuple(P) + tuple(Q)).universe()
+        return self._codomain.base_extend(k).point(Q)
+
+
     def _call_(self, P):
         r"""
         Function that implements the call-ability of elliptic curve
@@ -2534,17 +2598,10 @@ def __compute_via_kohel_numeric(self, xP, yP):
 
         """
         # first check if this point is in the kernel:
-
         if 0 == self.__inner_kernel_polynomial(x=xP):
             return self.__intermediate_codomain(0)
 
-        (xP_out, yP_out) = self.__compute_via_kohel(xP, yP)
-
-        # xP_out and yP_out do not always get evaluated to field
-        # elements but rather constant polynomials, so we do some
-        # explicit casting
-
-        return (self.__base_field(xP_out), self.__base_field(yP_out))
+        return self.__compute_via_kohel(xP, yP)
 
     def __compute_via_kohel(self, xP, yP):
         r"""
@@ -2571,9 +2628,7 @@ def __compute_via_kohel(self, xP, yP):
         a = self.__phi(xP)
         b = self.__omega(xP, yP)
         c = self.__psi(xP)
-        cc = self.__mpoly_ring(c)
-
-        return (a/c**2, b/cc**3)
+        return (a/c**2, b/c**3)
 
     def __initialize_rational_maps_via_kohel(self):
         r"""
@@ -2595,7 +2650,7 @@ def __initialize_rational_maps_via_kohel(self):
 
         """
         x = self.__poly_ring.gen()
-        y = self.__mpoly_ring.gen(1)
+        y = self.__xyfield.gen(1)
         return self.__compute_via_kohel(x,y)
 
     #

src/sage/schemes/elliptic_curves/ell_field.py

@@ -767,9 +767,9 @@ def descend_to(self, K, f=None):
             Elist = [E.minimal_model() for E in Elist]
         return Elist
 
-    def isogeny(self, kernel, codomain=None, degree=None, model=None, check=True):
+    def isogeny(self, kernel, codomain=None, degree=None, model=None, check=True, algorithm=None):
         r"""
-        Return an elliptic curve isogeny from self.
+        Return an elliptic-curve isogeny from this elliptic curve.
 
         The isogeny can be determined in two ways, either by a
         polynomial or a set of torsion points.  The methods used are:
@@ -785,6 +785,14 @@ def isogeny(self, kernel, codomain=None, degree=None, model=None, check=True):
           (little endian)) which will define the kernel of the
           isogeny.
 
+        - Factored Isogenies (*experimental* --- see
+          :mod:`sage.schemes.elliptic_curves.hom_composite`):
+          Given a list of points which generate a composite-order
+          subgroup, decomposes the isogeny into prime-degree steps.
+          This can be used to construct isogenies of extremely large,
+          smooth degree.
+          This algorithm is selected using ``algorithm="factored"``.
+
         INPUT:
 
         - ``E``         - an elliptic curve, the domain of the isogeny to
@@ -825,6 +833,11 @@ def isogeny(self, kernel, codomain=None, degree=None, model=None, check=True):
                           kernel polynomial, meaning that its roots
                           are the x-coordinates of a finite subgroup.
 
+        - ``algorithm`` (optional): When ``algorithm="factored"`` is
+          passed, decompose the isogeny into prime-degree steps.
+          The ``degree`` and ``model`` parameters are not supported by
+          ``algorithm="factored"``.
+
         OUTPUT:
 
         An isogeny between elliptic curves. This is a morphism of curves.
@@ -838,11 +851,15 @@ def isogeny(self, kernel, codomain=None, degree=None, model=None, check=True):
             sage: phi.rational_maps()
             ((x^2 + x + 1)/(x + 1), (x^2*y + x)/(x^2 + 1))
 
+        ::
+
             sage: E = EllipticCurve('11a1')
             sage: P = E.torsion_points()[1]
             sage: E.isogeny(P)
             Isogeny of degree 5 from Elliptic Curve defined by y^2 + y = x^3 - x^2 - 10*x - 20 over Rational Field to Elliptic Curve defined by y^2 + y = x^3 - x^2 - 7820*x - 263580 over Rational Field
 
+        ::
+
             sage: E = EllipticCurve(GF(19),[1,1])
             sage: P = E(15,3); Q = E(2,12);
             sage: (P.order(), Q.order())
@@ -852,6 +869,17 @@ def isogeny(self, kernel, codomain=None, degree=None, model=None, check=True):
             sage: phi(E.random_point()) # all points defined over GF(19) are in the kernel
             (0 : 1 : 0)
 
+        ::
+
+            sage: E = EllipticCurve(GF(2^32-5), [170246996, 2036646110])
+            sage: P = E.lift_x(2)
+            sage: E.isogeny(P, algorithm="factored")    # experimental
+            doctest:warning
+            ...
+            Composite morphism of degree 1073721825 = 3^4*5^2*11*19*43*59:
+              From: Elliptic Curve defined by y^2 = x^3 + 170246996*x + 2036646110 over Finite Field of size 4294967291
+              To:   Elliptic Curve defined by y^2 = x^3 + 272790262*x + 1903695400 over Finite Field of size 4294967291
+
         Not all polynomials define a finite subgroup (:trac:`6384`)::
 
             sage: E = EllipticCurve(GF(31),[1,0,0,1,2])
@@ -860,6 +888,8 @@ def isogeny(self, kernel, codomain=None, degree=None, model=None, check=True):
             ...
             ValueError: The polynomial x^3 + 4*x^2 + 27*x + 14 does not define a finite subgroup of Elliptic Curve defined by y^2 + x*y = x^3 + x + 2 over Finite Field of size 31.
 
+        TESTS:
+
         Until the checking of kernel polynomials was implemented in
         :trac:`23222`, the following raised no error but returned an
         invalid morphism.  See also :trac:`11578`::
@@ -873,6 +903,13 @@ def isogeny(self, kernel, codomain=None, degree=None, model=None, check=True):
             ...
             ValueError: The polynomial x^2 + (-396/5*a - 2472/5)*x + 223344/5*a - 196272/5 does not define a finite subgroup of Elliptic Curve defined by y^2 = x^3 + (-13392)*x + (-1080432) over Number Field in a with defining polynomial x^2 - x - 1.
         """
+        if algorithm == "factored":
+            if degree is not None:
+                raise TypeError('algorithm="factored" does not support the "degree" parameter')
+            if model  is not None:
+                raise TypeError('algorithm="factored" does not support the "model" parameter')
+            from sage.schemes.elliptic_curves.hom_composite import EllipticCurveHom_composite
+            return EllipticCurveHom_composite(self, kernel, codomain=codomain)
         try:
             return EllipticCurveIsogeny(self, kernel, codomain, degree, model, check=check)
         except AttributeError as e:

src/sage/schemes/elliptic_curves/hom.py

@@ -24,6 +24,8 @@
 
 from sage.categories.morphism import Morphism
 
+import sage.schemes.elliptic_curves.weierstrass_morphism as wm
+
 
 class EllipticCurveHom(Morphism):
     """
@@ -162,9 +164,11 @@ def degree(self):
         r"""
         Return the degree of this elliptic-curve morphism.
 
-        Implemented by child classes. For examples,
-        see :meth:`EllipticCurveIsogeny.degree` and
-        :meth:`sage.schemes.elliptic_curves.weierstrass_morphism.WeierstrassIsomorphism.degree`.
+        Implemented by child classes. For examples, see:
+
+        - :meth:`EllipticCurveIsogeny.degree`
+        - :meth:`sage.schemes.elliptic_curves.weierstrass_morphism.WeierstrassIsomorphism.degree`
+        - :meth:`sage.schemes.elliptic_curves.hom_composite.EllipticCurveHom_composite.degree`
 
         TESTS::
 
@@ -180,9 +184,11 @@ def kernel_polynomial(self):
         r"""
         Return the kernel polynomial of this elliptic-curve morphism.
 
-        Implemented by child classes. For examples,
-        see :meth:`EllipticCurveIsogeny.kernel_polynomial` and
-        :meth:`sage.schemes.elliptic_curves.weierstrass_morphism.WeierstrassIsomorphism.kernel_polynomial`.
+        Implemented by child classes. For examples, see:
+
+        - :meth:`EllipticCurveIsogeny.kernel_polynomial`
+        - :meth:`sage.schemes.elliptic_curves.weierstrass_morphism.WeierstrassIsomorphism.kernel_polynomial`
+        - :meth:`sage.schemes.elliptic_curves.hom_composite.EllipticCurveHom_composite.kernel_polynomial`
 
         TESTS::
 
@@ -198,9 +204,11 @@ def dual(self):
         r"""
         Return the dual of this elliptic-curve morphism.
 
-        Implemented by child classes. For examples,
-        see :meth:`EllipticCurveIsogeny.dual` and
-        :meth:`sage.schemes.elliptic_curves.weierstrass_morphism.WeierstrassIsomorphism.dual`.
+        Implemented by child classes. For examples, see:
+
+        - :meth:`EllipticCurveIsogeny.dual`
+        - :meth:`sage.schemes.elliptic_curves.weierstrass_morphism.WeierstrassIsomorphism.dual`
+        - :meth:`sage.schemes.elliptic_curves.hom_composite.EllipticCurveHom_composite.dual`
 
         TESTS::
 
@@ -218,9 +226,11 @@ def rational_maps(self):
         elliptic-curve morphism as fractions of bivariate
         polynomials in `x` and `y`.
 
-        Implemented by child classes. For examples,
-        see :meth:`EllipticCurveIsogeny.rational_maps` and
-        :meth:`sage.schemes.elliptic_curves.weierstrass_morphism.WeierstrassIsomorphism.rational_maps`.
+        Implemented by child classes. For examples, see:
+
+        - :meth:`EllipticCurveIsogeny.rational_maps`
+        - :meth:`sage.schemes.elliptic_curves.weierstrass_morphism.WeierstrassIsomorphism.rational_maps`
+        - :meth:`sage.schemes.elliptic_curves.hom_composite.EllipticCurveHom_composite.rational_maps`
 
         TESTS::
 
@@ -237,9 +247,11 @@ def x_rational_map(self):
         Return the `x`-coordinate rational map of this elliptic-curve
         morphism as a univariate rational expression in `x`.
 
-        Implemented by child classes. For examples,
-        see :meth:`EllipticCurveIsogeny.x_rational_map` and
-        :meth:`sage.schemes.elliptic_curves.weierstrass_morphism.WeierstrassIsomorphism.x_rational_map`.
+        Implemented by child classes. For examples, see:
+
+        - :meth:`EllipticCurveIsogeny.x_rational_map`
+        - :meth:`sage.schemes.elliptic_curves.weierstrass_morphism.WeierstrassIsomorphism.x_rational_map`
+        - :meth:`sage.schemes.elliptic_curves.hom_composite.EllipticCurveHom_composite.x_rational_map`
 
         TESTS::
 
@@ -448,7 +460,7 @@ def is_surjective(self):
             sage: phi.is_surjective()
             True
         """
-        return True
+        return bool(self.degree())
 
     def is_injective(self):
         r"""
@@ -477,9 +489,9 @@ def is_injective(self):
             sage: phi.is_injective()
             True
         """
-        # This will become wrong once purely inseparable isogenies
-        # are implemented. We should probably add something like a
-        # separable_degree() method then.
+        if not self.is_separable():
+            #TODO: should implement .separable_degree() or similar
+            raise NotImplementedError
         return self.degree() == 1
 
     def is_zero(self):
@@ -501,6 +513,25 @@ def is_zero(self):
         """
         return not self.degree()
 
+    def __neg__(self):
+        r"""
+        Return the negative of this elliptic-curve morphism. In other
+        words, return `[-1]\circ\varphi` where `\varphi` is ``self``
+        and `[-1]` is the negation automorphism on the codomain curve.
+
+        EXAMPLES::
+
+            sage: from sage.schemes.elliptic_curves.hom import EllipticCurveHom
+            sage: E = EllipticCurve(GF(1019), [5,5])
+            sage: phi = E.isogeny(E.lift_x(73))
+            sage: f,g = phi.rational_maps()
+            sage: psi = EllipticCurveHom.__neg__(phi)
+            sage: psi.rational_maps() == (f, -g)
+            True
+        """
+        a1,_,a3,_,_ = self.codomain().a_invariants()
+        return wm.WeierstrassIsomorphism(self.codomain(), (-1,0,-a1,-a3)) * self
+
     @cached_method
     def __hash__(self):
         """