On the complexity of feasibility, connectivity, and $2^a$-isogeny computation
Advisor
Jao, David
Schost, Éric
Publisher
University of Waterloo
Abstract
Algebraic geometry has several real-world applications, including automation and robot motion planning, control theory, and the foundations of certain post-quantum cryptosystems. For example, isogeny-based cryptography is built on the computational difficulty of finding isogenies between elliptic curves. This thesis investigates complexity in computational algebraic geometry, particularly bit-complexity questions in real algebraic geometry and $2^a$-isogeny computation on Legendre curves. Analyzing the bit complexity enables the development of modular extensions that manage the growth of intermediate expressions, making implementations more efficient in practice for real-world applications.
The main contributions are as follows.
1. We analyze the bit complexity of an algorithm that computes one point per connected component in a real algebraic set. The analysis is of an algorithm by Safey El Din and Schost (Polar varieties and computation of one point in each connected component of a smooth real algebraic set). This algorithm uses random changes of variables that are proven to generically ensure certain desirable geometric properties such as weak transversality and Noether position for polar varieties. The cost of the algorithm was given in an algebraic complexity model. We analyze the bit complexity and the error probability, and we provide a quantitative analysis of the genericity statements.
2. The Chinese Remainder Theorem (CRT) is used in developing modular algorithms, controlling the growth of intermediate expressions by performing computations modulo a number of small primes, and then reconstructing the output modulo the product of the primes. Some unlucky primes produce errors by returning incorrect results or no result. We can bound their number by finding a nonzero U in Z with the property that all unlucky primes divide U.
Without allowing for errors, CRT-based modular algorithms require all primes to be lucky, which typically results in larger primes. Error-correction techniques allow a small number of unlucky primes, thereby reducing the prime size. We provide a quantitative analysis that gives explicit sufficient conditions on the number and size of the primes to ensure a given success probability, given a height bound H on the output and the integer U bounding the number of unlucky primes. We also demonstrate some applications.
3. We give bit-size estimates for computing roadmaps in smooth bounded real hypersurfaces. Roadmaps are used to decide if two points in a real algebraic set are continuously connected by a path from one point to the other, and therefore have applications in robot motion planning by deciding if paths exist between points.
To obtain our height estimates, we apply tools from intersection theory that involve the arithmetic Chow ring, developed by D’Andrea, Krick, and Sombra.
4. We introduce a method for efficiently computing $2^a$-isogenies in Legendre form with applications in post-quantum cryptography. The majority of work on isogeny computation uses elliptic curves in Montgomery form. To the best of our knowledge at the time of writing, elliptic curves in Legendre form had not yet been explored for isogeny-based cryptography. Legendre form is an interesting family to study, having a very simple defining equation, and the simplest possible representation of the 2-torsion subgroup.
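To illustrate the error-tolerant CRT reconstruction described in contribution 2, the following is an added example, not code from the thesis. It uses the standard rational-reconstruction decoder for integer CRT with errors, whose sufficient condition M > 2·H·P_e² (P_e being the product of the e largest primes) belongs to that decoder and is not the thesis's own bound; the primes, the value X and all function names are constructed for illustration.

```python
from math import prod

# Constructed sample data: small primes and a "true" output X with |X| <= H.
PRIMES = [101, 103, 107, 109, 113, 127, 131]
X, H = -123456, 200000

def crt(residues, primes):
    """Combine x = r_i (mod p_i) into the unique x in [0, M), M = prod(primes)."""
    x, m = 0, 1
    for r, p in zip(residues, primes):
        # Lift x so that it also matches r modulo p (primes are pairwise coprime).
        x += m * (((r - x) * pow(m, -1, p)) % p)
        m *= p
    return x, m

def decode(residues, primes, H, e):
    """Recover the integer X, |X| <= H, when at most e residues are wrong.

    A residue of None models an unlucky prime that returned no result; it is
    dropped. Returns X, or None when there are too few primes or decoding fails.
    """
    kept = [(r, p) for r, p in zip(residues, primes) if r is not None]
    if not kept:
        return None
    rs, ps = zip(*kept)
    R, M = crt(rs, ps)
    # Worst case for the product E of the primes carrying a wrong residue.
    P_e = prod(sorted(ps)[-e:]) if e else 1
    N = H * P_e                      # bound on |E * X|
    if M <= 2 * N * P_e:             # sufficient condition for this decoder
        return None
    # E*R = E*X (mod M), so X = n/d for a small pair (n, d) with n = d*R (mod M).
    # Extended Euclid on (M, R) keeps r = t*R (mod M); stop once r <= N.
    r0, t0, r1, t1 = M, 0, R, 1
    while r1 > N:
        q = r0 // r1
        r0, t0, r1, t1 = r1, t1, r0 - q * r1, t0 - q * t1
    if abs(t1) > P_e or r1 % t1 != 0:
        return None                  # more than e errors, or |X| > H
    return r1 // t1

def symmetric_lift(residues, primes):
    """Plain CRT with the result taken in (-M/2, M/2]; no error tolerance."""
    R, M = crt(residues, primes)
    return R - M if R > M // 2 else R
```

With one corrupted residue the plain lift returns a wrong integer, while `decode(..., e=1)` returns X as long as the product of the primes exceeds the bound checked in the code.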