Computing isogenies between Abelian Varieties

HAL Id: hal-00446062

https://hal.archives-ouvertes.fr/hal-00446062v3

Submitted on 21 Sep 2012

HAL is a multi-disciplinary open access

archive for the deposit and dissemination of

sci-entific research documents, whether they are

pub-lished or not. The documents may come from

L’archive ouverte pluridisciplinaire HAL, est

destinée au dépôt et à la diffusion de documents

scientifiques de niveau recherche, publiés ou non,

émanant des établissements d’enseignement et de

Computing isogenies between Abelian Varieties

David Lubicz, Damien Robert

To cite this version:

David Lubicz, Damien Robert.

Computing isogenies between Abelian Varieties.

Com-positio Mathematica, Foundation ComCom-positio Mathematica, 2012, 148 (05), pp.1483–1515.

�10.1112/S0010437X12000243�. �hal-00446062v3�

Computing Isogenies Between Abelian Varieties

David Lubicz

, Damien Robert

1_CÉLAR,

BP 7419, F-35174 Bruz

2_{IRMAR, Universté de Rennes 1,}

Campus de Beaulieu, F-35042 Rennes

3_{LORIA, Campus Scientifique, BP 239,}

F-54506 Vandœuvre-lès-Nancy

Abstract

We describe an efficient algorithm for the computation of separable isogenies between abelian varieties represented in the coordinate system given by algebraic theta functions. Our algorithm decomposes in two principal steps. First, from the knowledge of a subgroupK isotropic for the Weil pairing of an abelian varietyA, we explain how to compute the theta null point corresponding to the quotient abelian varietyA/K. Second, from the knowledge of the theta null point of A/K, we give an algorithm to obtain a rational expression for the isogeny fromA to A/K. The algorithm resulting as the combination of these two steps can be viewed as a higher dimensional analog of the well known algorithm of Vélu to compute isogenies between elliptic curves.

In order to improve the efficiency of our algorithms, we introduce a compressed representation that allows to encode a point of level4ℓ of a g dimensional abelian variety using only g(g +1)/2·4g

coordinates. We also give formulas to compute the Weil and commutator pairings given input points in theta coordinates. All the algorithms presented in this paper work in general for any abelian variety defined over a field of odd characteristic.

Contents

 Introduction 

 Modular correspondences and theta null points 

2.1 Theta structures . . . 8

2.2 Isogenies compatible with a theta structure . . . 10

2.3 The action of the theta group on the affine cone and isogenies . . . 11

 The addition relations  3.1 The canonical lift of the action ofK(L ) to the affine cone . . . 13

3.2 The general Riemann relations. . . 14

3.2.1 The casen= 2 . . . 18

Contents

 Application of the addition relations to isogenies 

4.1 Point compression . . . 25

4.1.1 Addition chains with compressed coordinates . . . 27

4.2 Computing the dual isogeny . . . 27

 The computation of a modular point  5.1 An analog of Vélu’s formulas . . . 29

5.2 Theta group andℓ-torsion . . . 31

5.3 Improving the computation of a modular point. . . 33

 Pairing computations  6.1 Weil pairing and commutator pairing . . . 36

6.2 Commutator pairing and addition chains . . . 38

 Conclusion  References 

List of Algorithms

4.10 The image of a point by the isogeny . . . 28

5.1 Vélu’s like formula . . . 30

5.6 Computing all modular points . . . 33

Glossary

List of Notations

Notation Description Page List

Z(n) Zg/nZg 8

Mn The moduli space of theta null points of leveln. 9

A_k (Ak, L , ΘAk) is a polarized abelian variety with a theta struc-ture of levelℓn.

8 B_k (B_k, L0,ΘBk) is an abelian variety ℓ-isogenous to Akwith a

theta structure of leveln.

10

ϑ_i (ϑ_i)_i∈Z(ℓn)are the canonical projective coordinates onA_k given by the theta structure.

9 0_A

k The theta null0Ak= ϑi(0Ak)i∈Z(ℓn). 9

0_B

k The theta null0Bk= ϑi(0Bk)i∈Z(n). 10

G(L ) The Theta group of(A_k, L ) 8

K(L ) K(L ) = K₁(L )⊕K₂(L ) is the decomposition of the kernel of the polarizationL induced by the Theta structure ΘA

8

H(δ) The Heisenberg group of typeδ. 8

s_{K(L )} The natural sectionK(L ) → G(L ) induced by the Theta structure.

8

e

ρ_L The affine action ofG(L ) on eA_k. 11

e

A_k The affine cone ofA_k. 11

e

B_k The affine cone ofB_k. 11

e

ϑ_i ( eϑ_i)_i∈Z(ℓn)are the affine coordinates on eA_k. 11 e

0_B

k An affine lift of0Bk. 13

e 0_A

k The affine lift of0Aksuch thatπ(e0e A_k) = e0B_k. 13

π Theℓ-isogeny π : A_k→ Bk. 10

e

π π( eeϑi(ex)_i∈Z(ℓn)) = eϑi(ex)i∈Z(n)is the affine lift ofπ to eAk→

e B_k. 11 e π_i πei=π ◦ (1, i,0) = ee ϑi+j(·)j ∈Z(n). 12 e P_i Pe_i= (1, i,0).e0_A k= (ϑi+j(e0Ak))j ∈Z(ℓn). 13 e R_i Re_i=π_ei(e0_A k) =π(ee Pi). 13 (e1, . . . ,eg) A basis ofZ(ℓn) 24 (d1, . . . ,dg) di= nei 24 S S = Z(ℓ) (When ℓ ∧ n = 1) 12 S S= {d₁,d₂, . . . ,d_g,d₁+ d₂, . . .d₁+ d_g,d₂+ d₃, . . .d_{g −1}+ d_g} (When ℓ ∧ n = 1) 25 e_Lℓ

0 The extended commutator pairing onBk[ℓ] 36

e_W The Weil pairing. 37

Glossary

Notation Description Page List

f

B_k′ the affine cone of(B_k, M0,ΘBk,M0) where M0= [ℓ]

∗_L 0

andΘ_B

k,M0is a theta structure on(Bk, M0) compatible with Θ_B k. 31 Ý [ℓ] [ℓ] : fÝ B_k ′

→ eB_kis the morphism lifting[ℓ] : B_k→ Bk. 31

chain_add An addition chain 15

1 Introduction

 Introduction

The general problem of computing separable isogenies between abelian varieties splits into different computational sub-problems depending on the expected input and output of the algorithm. These problems are:

• Given an abelian varietyA_kover a fieldk and an abstract finite abelian group K compute all the abelian varietiesB_ksuch that there exists an isogenyA_{k→ Bk}whose kernel is isomorphic toK, and give rational expressions for the corresponding isogenies.

• Given an abelian varietyA_kand a finite subgroupK of A_k, recover the quotient abelian variety B_k= A_k/K as well a rational expression for an isogeny A_k→ Bk.

• Given two isogenous abelian varieties,A_kandB_k, compute a rational expression for an isogeny A_k→ Bk.

In the present paper, we are concerned with the first two problems. In the case that the abelian variety is an elliptic curve, efficient algorithms have been described that solve all the aforementioned problems [Ler]. In particular, an algorithm proposed by Vélu [Vél71] takes as input a finite subgourpG of cardinalℓ of an elliptic curve E_k, and returns the equation of the quotientE_k/G at the cost of O(ℓ) additions inE_k. The algorithm of Vélu also gives a rational expression for the isogenyE_k→ Ek/G in

the coordinate system provided by the Weierstrass form of the elliptic curves.

For higher-dimensional abelian varieties much less is known. Richelot’s formulas [Ric36,Ric37] can be used to compute(2,2)-isogenies between abelian varieties of dimension 2. The paper [Smi09] also introduces a method to compute certain isogenies of degree8 between jacobian of curves of genus three. In this paper, we present an algorithm to compute(ℓ,...,ℓ)-isogenies between abelian varieties of dimensiong represented in the coordinate system provided by algebraic theta functions for any

ℓ ¾ 2 and g ¾ 1 when the characteristic of k is odd and relatively prime to ℓ.

Letn ∈ N be such that 2|n and n ¾ 4. Let n = (n, n, . . . , n) ∈ Zg_{, andZ(n) = Z}g_/nZg_{. We}

denote byMnthe modular space of marked abelian varieties(Ak, L , ΘAk) whereL is a totally symmetric ample line bundle onA_k andΘ_A

k is a symmetric theta structure of typeZ(n) for L (see [Mum66, sec. 2]). In the following, we will also call a theta structure of typeZ(n) a theta structure of leveln. The modular space Mnis well-suited for computing modular correspondences since the

algebraic systems which play the same role in this space as the classical modular polynomials have their coefficients in{1, −1}, and as a consequence are much more amenable to computations than their counterparts using thej -invariant in genus 1 or the Igusa invariants in genus 2 . In the article [FLR09], we have defined a modular correspondence:

ϕ : M_ℓn→ Mn× Mn,(ai)_i∈Z(ℓn)7→ ((ai)i∈Z(n),(

X

j ∈Z(ℓ)

a_{i+n j})_i∈Z(n))

forℓ ∈ N∗_{prime ton, which can be seen as a generalization of the classical modular correspondence}

X₀(ℓ) → X₀(1) × X₀(1) for elliptic curves (see for instance [Koh03]). To explain it, letp₁andp₂be respectively the first and second projectionsMn× Mn→ Mn, and letϕ1= p1◦ ϕ, ϕ2= p2◦ ϕ.

The mapϕ₁: M_ℓn→ Mnis such that(x,ϕ1(x)) for x ∈ M_ℓn(k) are modular points corresponding

1 Introduction

In fact, consider(a_i)_i∈Z(ℓn) ∈ ϕ₁−1((bi)i∈Z(n)). The modular point (ai)_i∈Z(ℓn) defines a triple

(A_k, L , ΘAk) and the classical isogeny theorem for algebraic theta functions [Mum66, th. 4] gives an explicit isogenyπ : A_k→ Bk. We denote byπ : Bˆ k→ Akthe isogeny that makes the following

diagram commutative: y ∈ Bk z ∈ Ak x ∈ Ak ˆ π π [ℓ]

The main result of this paper is: Theorem 1.1:

Let B_kbe a dimension g marked abelian variety. Let(T₁, . . . ,T_g) ⊂ B_k[ℓ] be a basis of a maximal subgroup K of B_k[ℓ] isotropic for the Weil pairing. Let ˆπ : B_k→ Bk/K be the corresponding isogeny.

One can compute the compressed coordinates of the modular point(a_i)_i∈Z(ℓn)corresponding toπ withˆ O(log(ℓ)) addition chains in Bkand O(1) ℓt h-roots of unity extractions.

Once we have(a_i)

i∈Z(ℓn), we can compute the compressed coordinates of the image of a point in Bkbyπˆ

with O(log(ℓ)) addition chains in B_k. Taking the generic point of B_k, we obtain in particular a rational expression for the isogenyπ.ˆ

The precise meaning of addition chain and compressed coordinates will be made clear in the course of the paper. A proof of this theorem is given in Section4.2and Section5.1. It should be remarked that this result constitute a higher dimensional analog of the classical Vélu’s algorithm since by combining the two conclusions of the theorem, we obtain an efficient algorithm which takes as input an abelian varietyB_kand a maximal subgroupK of B_k[ℓ] isotropic for the Weil pairing and computes a rational expression for the isogenyB_{k→ Bk}/K.

Note that the classical isogeny theorem for theta functions is not sufficient for our purpose of computing isogenies between abelian varieties. Although it is effective, the isogeny theorem can only be used to compute isogenies from a marked abelian variety of levelℓ to a marked abelian variety of leveln where n dividesℓ, so it only provides us with a way to compute isogenies by “going down” in the level of the theta structure. At some point, we need a way to compute isogenies by “going up” the level and this is precisely what gives Theorem1.1. We can then combine the two theorems: once we have computed an isogenyπ : Bˆ _k→ Ak, it is possible to composeπ with an isogeny πˆ 2:Ak→ Ck

given by the isogeny theorem such thatπ₂◦ ˆπ is an ℓ2_{-isogeny (see [FLR09, Sec 3] or Section2.2). In}

fact, letC_kbe the abelian variety associated to the modular point(c_i)_i∈Z(n)= ϕ₂(a_i)

i∈Z(ℓn)

 then we have the following diagram

1 Introduction B_k A_k B_k C_k [ℓ] ˆ π π π2

The isogenyπ₂◦ ˆπ is then an ℓ2_{isogeny betweenB}

kandCkwhich are two marked abelian varieties

with a theta structure of leveln. Possible applications of our algorithm includes:

• The transfer the discrete logarithm from an abelian variety to another abelian variety where the discrete logarithm is easy to solve [Smi08]

• The computation of isogeny graphs to obtain a description the endomorphism ring of an abelian variety.

• The computation of Hilbert class polynomials.

We end up the introduction with some general remarks about the algorithms presented in this paper. The assumption thatn is prime toℓ is inessential. There is nonetheless one noticeable difference if we drop this hypothesis. Suppose that we are givenB_k[ℓ]. Since B_kis given by a theta structure of level n, we can recover B_k[n] using the action of the theta group on the theta null point (b_i)_i∈Z(n). Ifℓ is prime ton, this gives us B_k[ℓn], and we can use the first assertion of Theorem1.1to obtain a modular point of typeZ(ℓn). If ℓ is not prime to n, we have to compute B_k[ℓn] directly.

Although we only consider the case of(ℓ,...,ℓ)-isogeny, it is also possible to compute more gen-eral types of isogenies with our algorithm. With the notations of Section2, letδ₀= (δ₁, . . . ,δ_g) be a sequence of integers such that2|δ1andδi|δi+1, and let(bi)i∈Z(δ0) ∈ Mδ0 be a modular point corresponding to an abelian varietyB_k. Letδ′ = (ℓ₁, . . . ,ℓ_g) (where ℓ_i|ℓ_i+1) and define

δ = (δ1ℓ1, . . . ,δgℓg). Let (ai)i∈Z(δ)∈ Mδbe such thatϕ1€(ai)i∈Z(δ)Š = (bi)i∈Z(δ0)whereϕ1is the natural inclusion ofZ(δ₀) into Z(δ). The theta null point (a_i)_i∈Z(δ)corresponds to an abelian varietyA_k, such that there is a(ℓ₁, · · · , ℓg)-isogeny π : Ak → Bk, which can be computed by the

isogeny theorem [Mum66, Th. 4] (see Section2.2). The isogeny we compute in Step 2 is the con-tragredient isogenyπ : Bˆ _k→ Akof type(ℓg/ℓ1,ℓg/ℓ2, · · · , 1, ℓg,ℓg, · · · , ℓg). Using the modular

correspondenceϕ₁to go back to a modular point of typeZ(δ₀) (see Section1) gives an isogeny of type(ℓ_g/ℓ₁,ℓ_g/ℓ₂, · · · , 1, ℓ1ℓg,ℓ2ℓg, · · · , ℓgℓg). For the clarity of the exposition, we will stick to

the caseδ₀= n and δ = ℓn and we leave to the reader the easy generalization.

For an actual implementation, we want to use the smallestn possible to get a compact representation of the points and a fast addition chain. In fact it is possible to tweak Theorem1.1to make it works with the casen= 2. This case is very important in practice: it allows a more compact representation of the points than forn= 4 (we gain a factor 2g_{in space), a faster addition chain (see Section4.1.1), but}

2 Modular correspondences and theta null points

most importantly it reduces the most consuming part of our algorithm, the computation of the points ofℓ-torsion, since there are half as much such points on the Kummer variety associated to an abelian variety. For each algorithm that we use, we give an explanation on how to adapt it for the typeZ(2) case: see Section3.2.1and the end of Sections4.2,5.1,5.3and6.2.

The paper is organized as follow. In Section2, we recall the isogeny theorem and we study the relationship between isogenies and the action of the theta group. We recall the addition relations, which play a central role in this paper in Section3. We then explain how to compute the isogeny associated to a modular point in Section4. If the isogeny is given by theta functions of typeZ(4ℓ), it requires(4ℓ)g coordinates. We give a point compression algorithm in Section4.1, showing how to express such an isogeny with onlyg(g +1)/2·4g_{coordinates. In Section5we give a full generalization}

of Vélu’s formulas that constructs an isogenous modular point with prescribed kernel. This algorithm is more efficient than the special Gröbner basis algorithm from [FLR09]. There is a strong connection between isogenies and pairings, and we use the above work to explain how one can compute the commutator pairing and how it relates to the usual Weil pairing in Section6.

 Modular correspondences and theta null points

In this section, we fix some notations that we use in the rest of the paper. In Section2.1, we recall the definition of a theta structure and the projective embedding [Mum66, Sec. 1] deduced from it. In Section2.2we recall the isogeny theorem, which relate the theta functions of two isogenous abelian varieties with compatible theta structures. In Section2.3we study the connection between isogenies and the action of the theta group on the affine cone of the projective embedding given by the theta structure.

LetA_kbe an abelian variety of dimensiong over a perfect field k and denote by K(A_k) its function field. An isogeny is a finite surjective map of abelian varietiesπ : A_k→ Bkand is said to be separable

if the function fieldK(A_k) is a finite separable extension of K(B_k). A separable isogeny is uniquely determined by its kernel, which is a finite subgroup ofA_k(k). In that case, the cardinality of the kernel is the degree of the isogeny. Since we will only consider isogenies of degree prime to the characteristic ofk, we will only deal with separable isogenies. In the rest of this paper, byℓ-isogeny for ℓ > 0, we always mean a(ℓ,··· ,ℓ)-isogeny where (ℓ,··· ,ℓ) ∈ Ng_.

. Theta structures

LetA_kbe ag dimensional abelian variety over a perfect field k. Let L be an ample totally symmetric line bundle of degreed on A_k. We suppose moreover thatd is prime to the characteristic of k. Denote byK(L ) the kernel of the isogeny ϕ_L:A_k→ ˆA_k, defined on geometric points byx 7→ τ∗

xL ⊗ L−1

whereτ_xis the translation byx. Letδ = (δ₁, . . . ,δ_g) be the sequence of integers satisfying δ_i|δ_i+1 such that, as group schemesK(L ) ≃ L_i=1g (Z/δ_iZ)2_k. We say thatδ is the type of L . In the following we letZ(δ) = L_i=1g (Z/δ_iZ)_k, ˆZ(δ) be the Cartier dual of Z(δ), and K(δ) = Z(δ) × ˆZ(δ). If x ∈ Z(δ) and ℓ ∈ ˆZ(δ), we denote 〈x,ℓ〉 := ℓ(x).

LetG(L ) and H (δ) be respectively the theta group of (A_k, L ) and the Heisenberg group of type

δ [Mum66, p. 294]. In this article, elements ofG(L ) will be written as (x,ψ_x) with x ∈ K(L ) and

ψ_x: L → τ∗

2 Modular correspondences and theta null points

andK(δ) by the multiplicative group Gm,k. By definition, a theta structureΘAkon(Ak, L ) is an isomorphism of central extensions fromH (δ) to G(L ). We denote by eL the commutator pairing

[Mum66, p. 203] onK(L ) and by e_δthe canonical pairing onK(δ) = Z(δ) × ˆZ(δ). We recall that if(x₁,x₂) and (y1,y2) are in K(δ) we have eδ((x1,x2),(y1,y2)) = 〈x1,y2〉/〈y1,x2〉. We remark that

a theta structureΘ_A

kinduces a symplectic isomorphismΘAkfrom(K(δ), eδ) to (K(L ), eL). Let K(L ) = K₁(L ) × K₂(L ) be the decomposition into maximal isotropic subspaces induced by Θ_A

k. The sectionK(δ) → H (δ) defined on geometric points by (x, y) 7→ (1, x, y) can be transported by the theta structure to obtain a natural section s_{K(L )} : K(L ) → G(L ) of the projection κ : G(L ) → K(L ). We note sK1(L )(resp.sK2(L )) the restriction of this section toK1(L ) (resp. K2(L )). Recall [Mum66, p. 291] that a level subgroup eK of G(L ) is a subgroup such that eK is isomorphic to its image byκ.

LetV = Γ(A_k, L ). There is an action of the theta group G(L ) on V by v 7→ ψ−1_x τ∗_x(v) for v ∈ V and (x, ψx) ∈ G(L ). This action can be transported via ΘAkto an action ofH (δ) on V . It can be shown that there is a unique (up to a scalar factor) basis(ϑ_i)_i∈Z(δ)ofV such that this action is given by:

(α, i, j).ϑΘAk

h = α.〈−i − h, j〉.ϑ Θ_Ak

h+i. (1)

If there is no ambiguity, in this paper, we will sometimes drop the superscriptΘ_A

kin the notation

ϑΘAk

k .

This basis gives a projective embeddingϕ_Θ

Ak:Ak→ P

d −1

k which is uniquely defined by the theta

structureΘ_A

k. The point(ai)i∈Z(δ)= ϕΘ_Ak(0Ak) is called the theta null point associated to the theta structure. Mumford proves [Mum66] that if4|δ, ϕ_Θ

Ak(Ak) is the closed subvariety of P

d −1 k defined

by the homogeneous ideal generated by the Riemann equations: Theorem 2.1 (Riemann equations):

For all x, y, u, v∈ Z(2δ) that are congruent modulo Z(δ), and all χ ∈ ˆZ(2), we have X

t ∈Z(2)

χ (t)ϑ_x+y+tϑ_x−y+t
. X

t ∈Z(2)

χ (t)a_u+v+ta_u−v+t
=

= X

t ∈Z(2)

χ (t)ϑ_x+u+tϑ_x−u+t
. X

t ∈Z(2)

χ (t)a_y+v+ta_y−v+t
. (2)

The data of a triple(A_k, L , ΘAk) is called a marked abelian variety of type Z(δ). We denote by Mδthe quasi-projective variety defined as the locus of all theta null points associated to marked

abelian varieties of typeZ(δ). We recall [Kem89, Th. 28] that ifn> 4, then M_nis an open subset in the projective variety described by the following equations in P(k(Z(n))):

X t ∈Z(2) χ (t)a_x+ta_x+t
. X t ∈Z(2) χ (t)au+tau+t
= X t ∈Z(2) χ (t)a_z−x+ta_z−y+t
. X t ∈Z(2) χ (t)a_z−u+ta_z−v+t
a_x= a_−x (3)

2 Modular correspondences and theta null points for allx, y, u, v, z ∈ Z(n), such that x + y + u + v = 2z and all χ ∈ ˆZ(2).

. Isogenies compatible with a theta structure

Let(a_i)_i∈Z(δ) ∈ M_δ be a theta null point associated to a triple(A_k, L , ΘAk). Let δ0 ∈ Z

g _be

such that4|δ0|δ, and write δ = δ0· δ′. In the following we considerZ(δ0) as a subgroup of Z(δ)

via the mapϕ : (x_i)_{i∈[1..g ]}∈ Z(δ0) 7→ (δi′xi)i∈[1..g ]∈ Z(δ). From now on, when considering

Z(δ₀) ⊂ Z(δ), we always refer to this map. Let K ⊂ K(L ) be any isotropic subgroup for e_Lsuch that we can writeK= K₁× K2withKi⊂ Ki(L ).

LetB_k= A_k/K and π : A_k→ Bkbe the associated isogeny. SinceK is isotropic, eK := sK(L )(K)

is a level subgroup, so by Grothendieck descent theory there exists a polarizationL0onBkand an

isomorphismL ≃ π∗

K(L0). The theta group G(L0) is isomorphic to Z ( eK)/ eK where Z ( eK) is

the centralizer of eK in G(L ) [Mum66, Prop. 2]. We say that a theta structureΘ_B

kon(Bk, L0) is

π-compatible with Θ_A

kif it respects this isomorphism. The isogeny theorem ([Mum66, Th. 4]) then gives a way to compute(π∗(ϑ_iΘBk))_i∈Z(n)given(ϑ_iΘAk)_i∈Z(ℓn). NoteΘ−1_A (K) = Z₁× Z2, we call

Z₁× Z2the type ofπ. If Z1= 0 we say that π is of type 1, and if Z2= 0 that π is of type 2. We note

Z⊥

1 = {x ∈ Z(δ) | 〈x,Z2〉 = 1}. Then there is a bijection between π-compatible theta structures on

(Bk, L0) and isomorphisms σ : Z1⊥/Z1→ Z(δ0) (see [Mum66, Th 4]).

Since we are mainly interested withℓ-isogenies, we now specialize to the case δ = ℓn, δ′= ℓ so thatδ₀= n. We take K = A_k[ℓ]₂, we then haveZ₁= 0, Z₂= ˆZ(ℓ) ⊂ ˆZ(ℓn) so that π : A_k→ Bk

is anℓ-isogeny of type 1. In this case we have Z⊥

1 = Z(n) ⊂ Z(ℓn), and we always consider the

compatible theta structure onB_kcorresponding toσ = Id [FLR09, Sec. 3]. We recall the following proposition [FLR09, Prop 4].

Proposition 2.2 (Isogeny theorem for compatible theta structures):

Let(a_i)_i∈Z(ℓn)be a theta null point associated to a triple(A_k, L , ΘAk) and (bi)i∈Z(n)a theta null point associated to(B_k, L0,ΘBk). Let ϕ : Z(n) → Z(ℓn) be the canonical embedding. Then (bi)i∈Z(δ′)=

ϕ1(ai)i∈Z(δ′₎if and only if there is anℓ-isogeny π of type 1 such that Θ_B

kisπ-compatible with ΘAk. In this case, let(ϑΘ_iAk)_i∈Z(ℓn)(resp.(ϑ_iΘBk)_i∈Z(n)) be the canonical basis ofL (resp. L0) associated toΘAk (resp.Θ_B

k). There exists someω ∈ k

∗

such that for all i∈ Z(n)

π∗ K(ϑ Θ_Ak i ) = ωϑ Θ_Bk ϕ(i). (4)

It is easy to describeℓ-isogenies of type 2 from Proposition2.2. In fact, letI₀be the automorphism of the Heisenberg groupH (ℓn) that permutes Z(ℓn) and ˆZ(ℓn):I₀(α, x, y) = (α, y, x). We define I_A

k= ΘAk◦I0◦Θ

−1

Ak, whereIAkis the automorphism of the Theta group ofAkthat permutesK1(L ) andK₂(L ). (There is a similar automorphismI_B

kof the theta group ofBk; we will usually note these automorphismsIsince the theta group is clear from the context.) Ifπ₂is a compatible isogeny of type 2 between(A_k, L , ΘAk) and (Bk, L0,ΘBk), then π2is a compatible isogeny of type 1 between

2 Modular correspondences and theta null points

(Ak, L ,IAk◦ ΘAk) and (Bk, L ,IB◦ ΘBk). Since the action ofIis given by [FLR09, Section 5]

ϑIAk◦ΘAk i = X j ∈ ˆZ(ℓn) e(i, j)ϑΘAk j , (5)

we see that we have for alli ∈ Z(n)

π∗_(ϑΘBk i ) = X j ∈Z(ℓ) ϑΘAk i+n j. (6)

Applying Equations (4) and (6) to e0_A

kyields the formulas for the modular correspondenceϕ : M_ℓn→ Mn× Mnfrom Section1.

. The action of the theta group on the affine cone and isogenies

Letπ : (A_k, L , ΘAk) → (Bk, L0,ΘBk) be an ℓ-isogeny of type 1 between compatible theta structures. The action by translationρ_LfromK(L ) on A_kdescends to an action onB_k: ifx ∈ K(L ),the induced action onB_kis simply the translation byπ(x). The situation is more interesting if we consider the action ofG(L ). Since G(L ) is a central extension of K(L ) by G_m,kit is natural to letG(L ) act on a central extension ofA_kby G_m,kMore precisely, letV= Γ(A_k, L ) and let pAk(V ): Ak(V ) → Pk(V ) be the canonical projection. Let eA_k= p−1

Ak(V )(Ak) be the affine cone of Akwhich is a central extension ofA_kby Gm,k The action ofG(L ) on V given by (1), induces an actionρe_L on eAk. This action

is compatible with the action ofK(L ) on A_k in the following way: ifκ : G(L ) → K(L ) is the projection,p_A

k(V )◦ρeL = ρL◦ κ. Similarly we note eBkthe affine cone ofBkandρeL₀the action of G(L₀) on eB_k.

We say that a coordinate system( eϑ_iΘAk)_i∈Z(ℓn)on eA_klifts the projective system(ϑ_iΘAk)_i∈Z(ℓn)on A_kif for all j ∈ Z(ℓn), on the principal open set defined by ϑΘ_jAk, we havep∗

Ak(V )(ϑ Θ_Ak i /ϑ Θ_Ak j ) = e ϑΘAk i / eϑ Θ_Ak

j . Obviously, such a coordinate system( eϑi)_i∈Z(ℓn)is defined up to an action of Gm,kand we

fix such a choice for the rest of the paper. In the same manner, we denote by( eϑ_iΘBk)_i∈Z(n)a coordinate system on eB_kthat lifts the coordinate system(ϑΘ_iBk)_i∈Z(n). We will usually replace( eϑ_iΘAk)_i∈Z(ℓn)(resp. ( eϑΘBk

i )i∈Z(n)) by( eϑi)_i∈Z(ℓn)(resp.( eϑi)i∈Z(n)) when no confusion is possible.

SinceL is symmetric, there is an action of the morphism [−1] on V given by f ∈ V 7→ Φ(ι∗_f)

whereι : A → A maps x to −x and Φ is the normalized isomorphism ι∗_{L → L . This action}

extends to an action on eA_k that we denote also by[−1] :ex ∈ eAk(k) 7→ −ex. Now since G(L ) is a symmetric theta structure we have[−1]∗ϑe_i = eϑ

−i [Mum66, p. 331] so ifex = (exi)_i∈Z(ℓn)then −ex= (ex_−i)

i∈Z(ℓn).

Letπ : ee Ak→ eBkbe the morphism such thatπe

∗_{( eϑ}ΘBk

i ) = eϑ Θ_Ak

i fori ∈ Z(n). Note thatπ is just ae lift to the affine cone of the isogenyπ : A_k→ Bk, so that the following diagram commutes:

2 Modular correspondences and theta null points e A_k A_k e B_k B_k p_A k p_B k e π π

We callπ the lift of π compatible with the choice of affine coordinates on ee Akand eBk.

We will now study the link between the actionρe_L ofG(L ) on eAk and the morphismπ. Toe simplify the notations, if(α, i, i) ∈ H (δ) andex is a geometric point of eAk, we will note(α, i, j).ex : =ρeL(ΘA_k((α, i, j))).ex. Let Kπ= ΘA_k( ˆZ(ℓ)) be the kernel of the isogeny π : Ak→ Bkand recall (see Section2.2) thatG(L₀) = Z ( eK_π)/ eK_π.

Proposition 2.3:

Let g∈ Z ( eK_π) and note g its image in Z ( eK_π)/ eK_π. We haveρeL₀(g) =π ◦e ρeL(g). Proof: This is an immediate consequence of the fact that the two theta structuresΘ_A

kandΘBkare

π-compatible. „

Fori ∈ H (ℓn), we can define a mappingπei : eAk → eBk given on geometric points byex 7→ e

π(ρe_L(ΘAk(i)).ex). If ΘAk(i) ∈ Z ( eKπ), Proposition2.3shows thatπei=ρeL0(ΘAk(i)) ◦π, hencee πei can be recovered fromπ and the actione ρe_L0. SinceZ ( eKπ) ⊃ sK(L )(K2(L )), the interesting mappings

to study are thenπei:=πe(1,i,0)fori ∈ Z(ℓn). They are given on geometric points by

e

πi(( eϑj(ex))_{j ∈Z(ℓn)}) = ( eϑi+ℓ.j(ex))j ∈Z(n).

Corollary 2.4:

Keeping the notations from above, we have

1. LetS be a subset of Z(ℓn), such that S + Z(n) = Z(ℓn). Thenex ∈ eAk(k) is uniquely determined by{πei(ex)}i∈S.

2. Letey ∈ eAk(k) be such thatπ(e ey) =π(e ex). Then there exists j ∈ ˆZ(ℓ) ⊂ ˆZ(ℓn) such that e

y= (1,0, j).ex and

e

πi(ey) = e_ℓn(i, j)πei(ex). In particularπei(ey) andπei(ex) differ by an ℓ

t h_{-root of unity.}

Proof:

1. Sinceπei(( eϑj(ex))_{j ∈Z(ℓn)}) = ( eϑi+ℓ.j(ex))j ∈Z(n), from{πei(ex)}i∈S one can obtain the values

n e

ϑj(ex)

o

3 The addition relations

2. Ifπ(e ey) =π(e ex), then pAk(ey) − pAk(ex) ∈ Kπ. So there existsj ∈ ˆZ(ℓ) and α ∈ k

∗

such that e

y= (α,0, j).ex. Hence eϑ_i(ey) = αe_ℓn(i, j) eϑ_i(ex). Sinceπ(_eex) =π(e ey), α = 1. Moreover, as j ∈ ˆZ(ℓ), e_ℓn(i + k, j) = e_ℓn(i, j) if k ∈ Z(n) so thatπei(ex) = e_ℓn(i, j)πei(ey). „ Corollary2.4shows thatρe_L descends to an action on eBk/µk(ℓ) where µk(ℓ) is the group scheme

ofℓ-roots of unity on k. Example 2.5:

• Ifℓ is prime to n, the canonical mappings Z(n) → Z(ℓn) and Z(ℓ) → Z(ℓn) induce an isomorphismZ(n) × Z(ℓ)→ Z(ℓn), and one can take S = Z(ℓ) in Corollary∼ 2.4. • Ifℓ is not prime to n, a possible choice for S is

S = { X

i∈[1..g ]

λiei|λi∈ [0..ℓ − 1]}.

 The addition relations

In this section we study the addition relations and introduce the notion of addition chain on the affine cone of an abelian variety. These addition chains will be a basic tool for the isogeny computation algorithm presented in Section4and Vélu’s like formulas of Section5.

In Section3.1we use the action ofG(L ) on the affine cone and the canonical lift s_{K(L )}:K(L ) → G(L ) to introduce some canonical affine lifts on the affine cone. In Section3.2we prove in the framework of Mumford’s theory a particular presentation of the Riemann relations, and we deduce from them the addition relations. In Section3.3we use the results of Section2.3to study the properties of the addition chain.

. The canonical lift of the action of

K

(L )

For the rest of this article we suppose that we are given a modular point(b_i)_i∈Z(n)corresponding to a triple(B_k, L0,ΘBk). We choose a coordinate system ( eϑ

Θ_Bk

i )i∈Z(n)on eBkand a e0Bk∈ p

−1

Bk(0Bk). We remark that a choice of e0_B

k∈ p

−1

Bk(0Bk) ⊂ eBkis nothing but a choice of an evaluation isomorphism:

ϵ0: L (0) ≃ k. In this Section and Section4we also suppose that we are given a modular point

(ai)_i∈Z(ℓn)corresponding to a triple(Ak, L , ΘAk) such that ϕ1((ai)i∈Z(ℓn)) = (bi)i∈Z(n)whereϕ1: M_ℓn → Mnis the modular correspondence introduced in Section1. By Proposition2.2we then

have anℓ-isogeny π of type 1 between A_kandB_k. We choose a coordinate system( eϑ_iΘAk)

i∈Z(ℓn)on

e

A_kand we denote by e0_A

kthe unique point inp

−1

Ak(0Ak) such that e0Bk=π(e0e Ak) whereπ is given bye e

π∗_{( eϑ}ΘBk

i ) = eϑ Θ_Ak

i fori ∈ Z(n).

We recall that the theta structureΘ_A

kdefine a sectionsK(L ):K(L ) → G(L ), so that the map x ∈ K(L ) 7→ sK(L )(x).e0A_k∈ eAkinduces a sectionK(L ) → eAkof the mappA_k: eAk→ Ak. (More

3 The addition relations Thus, once we have chosen e0_A

k, we have a canonical way to fix an affine lift for any geometric point in K(L ). For i ∈ Z(ℓn), let eP_i= (1, i,0).e0Ak, and forj ∈ ˆZ(ℓn), let eQj= (1,0, j).e0Ak. We also put

e

R_i=π(eePi) =πei(e0A_k), and Ri= pB_k(eRi). We remark that {Ri}_i∈Z(ℓ)is the kernelKπˆofπ whichˆ explains the important role the points eR_iwill play in the rest of this paper.

. The general Riemann relations

The Riemann relations (3) forM_ℓnand the Riemann equations (2) forA_kare all particular case of more general Riemann relations, which we will use to get the addition relations onA_k. An analytic proof of (a partial fourier transform) of these relations can be found in [Igu72, Th.1 p. 137].

Theorem 3.1 (Generalized Riemann Relations):

Let(Ak, L , ΘA_k) ∈ Mnand we suppose that 2|n. Let x1,y1,u1,v1,z ∈ Ak(k) be such that x1+

y₁+ u₁+ v₁ = 2z. Let x₂ = z − x₁, y2 = z − y1, u2 = z − u1and v2 = z − v1. Then there

existex1 ∈ p −1 A_k(x1),ey1 ∈ p −1 A_k(y1),eu1 ∈ p −1 A_k(u1),ve1 ∈ p −1 A_k(v1),ex2 ∈ p −1 A_k(x2),ey2 ∈ p −1 A_k(y2), e u₂∈ p−1 Ak(u2),ve2∈ p −1

Ak(v2) that satisfy the following relations: for any i, j, k, l, m ∈ Z(ℓn) such that i+ j + k + l = 2m, let i′_{= m − i, j}′_{= m − j, k}′_{= m − k and l}′_{= m − l, then for all χ ∈ ˆZ(2),}

we have X t ∈Z(2) χ (t) eϑ_i+t(ex₁) eϑ_j+t(ey₁)
. X t ∈Z(2) χ (t) eϑ_k+t(eu₁) eϑ_l+t(ev₁)
= X t ∈Z(2) χ (t) eϑi′_+t(ex₂) eϑ_j′_+t(ey₂)
. X t ∈Z(2) χ (t) eϑk′_+t(eu₂) eϑ_l′_+t(v_e2)
. (7)

Proof: If x= y = u = v = 0_A, the preceding result gives the algebraic Riemann relations, a proof of which can be found in [Mum66, p. 333]. We just need to adapt the proof of Mumford for the general case.

Letp₁andp₂be the first and second projections fromA_k×AktoAk. LetM = p1∗(L )⊗ p2∗(L ).

The theta structureΘ_A

kinduces a theta structureΘAk×Aksuch that for(i, j) ∈ Z(ℓn) × Z(ℓn) we haveϑΘA×A

i, j = ϑ Θ_Ak i ⊗ ϑ

Θ_Ak

j (see [Mum66, Lem. 1 p. 323]). Consider the isogenyξ : Ak× Ak →

A_k× Ak,(x, y) 7→ (x + y, x − y). We have ξ∗(M ) = M2. SinceΘAkis a symmetric theta structure ΘAk, there exists a theta structureΘ

L2

onL2_{such thatΘ}L2

andΘL _{are compatible in the sense}

of Mumford [Mum66, p. 317]. The theta structureΘL2

then induces a theta structureΘM2 onM2_.

One can check that this theta structure is compatible with the isogenyξ [Mum66, p. 325]. Applying the isogeny theorem (see [Mum66, p. 324]), we obtain that there existsλ ∈ k∗such that for all i, j ∈ Z(ℓn): ξ∗_(ϑL i ⊗ ϑLj ) = λ X u,v∈Z(2l n) u+v=i u−v= j (ϑL2 u ⊗ ϑL 2 v ). (8)

Considering this equation on the affine cone, we can always choose our affine lifts such that taking the evaluation at these lifts yieldλ = 1. In the following we assume this is the case. Using equation (8)

3 The addition relations

we compute for alli, j ∈ Z(2ℓn) which are congruent modulo Z(ℓn) andex,y ∈ Ae k(k): X t ∈Z(2) χ (t) eϑL i+j+t(àx+ y) eϑLi− j +t(àx − y) = X t ∈Z(2) u,v∈Z(2l n) u+v=i+j+t u−v=i− j +t χ (t) eϑL2 u (ex) eϑ L2 v (ey) = X t1,t2∈Z(2) χ (t1+ t2) eϑL 2 i+t1(ex) eϑ L2 j+t2(ey) =    X t ∈Z(2) χ (t) eϑL2 i+t(ex)    ·    X t ∈Z(2) χ (t) eϑL2 j+t(ey)   . (9) So we have: X t ∈Z(2) χ (t) eϑL i+j+t(àx+ y) eϑLi− j +t(àx − y)
. X t ∈Z(2) χ (t) eϑL k+l+t(uà+ v) eϑ_{k−l +t}L (àu − v)
= X t ∈Z(2) χ (t) eϑL2 g i+t(ex)
· X t ∈Z(2) χ (t) eϑL2 Þj+t (ey)
· X t ∈Z(2) χ (t) eϑL2 Þ k+t(eu)
· X t ∈Z(2) χ (t) eϑL2 Þl+t (ev)
= X t ∈Z(2) χ (t) eϑL i+l+t(àx+ v) eϑLi−l +t(àx − v)
. X t ∈Z(2) χ (t) eϑL k+j+t(àu+ y) eϑk− j +tL (àu − y)
. (10)

Now if we letx= x₀+ y₀,y= x₀− y0,u= u0+ v0andv= u0− v0, we havex+ y + u + v =

2(x₀+ u₀) so we can choose z = x₀+ u₀, so thatz − x = u0− y0,z − y = u0+ y0,z − u = x0− v0,

z − v = x0+ v0. By doing the same change of variable fori, j , k, l we see that the theorem is just a

restatement of Equation (10). (see [Mum66, p. 334]). „

From the generalized Riemann relations it is possible to derive addition relations. Theorem 3.2 (Addition Formulas):

We suppose that 4|ℓn. Let x, y ∈ Ak(k) and suppose that we are givenex ∈ p

−1 A_k(x),y ∈ pe −1 A_k(y), à x − y ∈ p_A−1

k(x − y), then there is a unique pointàx+ y ∈ eAk(k) such that for i, j, k, l, m ∈ Z(ℓn) verifying i+ j + k + l = 2m X t ∈Z(2) χ (t) eϑ_i+t(àx+ y) eϑ_j+t(àx − y)
. X t ∈Z(2) χ (t) eϑ_k+t(e0_A k) eϑl+t(e0Ak)
= X t ∈Z(2) χ (t) eϑ_−i′_+t(ey) eϑ_j′_+t(ey)
. X t ∈Z(2) χ (t) eϑk′_+t(ex) eϑ_l′_+t(ex)
, (11)

where i′_{, j}′_{, k}′_{, l}′_{are defined as in Theorem3.1. We have p}

Ak(àx+ y) = x + y.

Thus the addition law on A_kextends to a pseudo addition law on eA_k; we call it an addition chain and we note àx+ y = chain_add(ex,y,_eàx − y).

3 The addition relations

Proof: We apply the Riemann relations (7) tox+ y, x − y,0A, 0A. We have2x= (x + y) + (x −

y) + 0A+ 0A,−y = x − (x + y), y = x − (x − y), x = x − 0A,x = x − 0Aso Theorem3.1

shows that there exist a pointàx+ y ∈ eA_k(k) satisfying the addition relations (11). (Remember that (ϑi(−y))_i∈Z(ℓn)= (ϑ−i(y))i∈Z(ℓn), see Section2.3.)

It remains to show that this point is unique. For this, it is enough to prove that for alli, j , k, l , m ∈ Z(ℓn) such that i + j + k + l = 2m and all χ ∈ ˆZ(2) there exist k′_,l′_,m′ _{∈ Z(ℓn) such that}

i+ j + k′_{+ l}′_{= 2m}′_andP

t ∈Z(2)ϑek′_+t(e0_A

k) eϑl′+t(e0Ak) ̸= 0. Then, by summing over the characters the first bracket of the left hand side of equation (11) we obtain the products eϑ_i+t(àx+ y) eϑ_j+t(àx − y) fori, j ∈ Z(ℓn), from which we can recover the coordinates of the pointàx+ y.

Now, letk₁,l₁∈ Z(2ℓn) be such that k = k1+ l1andl= k1− l1. Using formula (9), we get:

X t ∈Z(2) χ (t) eϑL k1+l1(e0Ak) eϑ L k1−l1(e0Ak) =    X t ∈Z(2) χ (t) eϑL2 k1+l(e0Ak)   .    X t ∈Z(2) χ (t) eϑL2 l1+t(e0Ak)    (12)

Using [Mum66, p. 339 eq. (*)], we obtain that for allχ ∈ Z(2) there exists k₁′ ∈ k1+ Z(ℓn) and

l′ 1∈ l1+ Z(ℓn) such that:    X t ∈Z(2) χ (t) eϑL2 k1+l(e0Ak)   .    X t ∈Z(2) χ (t) eϑL2 l1+t(e0Ak)    ̸=0.

This complete the proof. „

In order to obtain an efficient algorithm to compute addition chain, we first we reformulate the addition formulas (see [Mum66, p. 334]). LetH= Z(ℓn) × ˆZ(2), and for (i,χ ) ∈ H define

e

u_i,χ(ex) = X

t ∈Z(2)

χ (t) eϑ_i+t(ex).

Then we have for alli, j , k, l , m ∈ H such that 2m = i + j + k + l

e

u_i(àx+ y)eu_j(àx − y)uek(e0A_k)eul(e0A_k) = 1

22g

X

ξ ∈H,2ξ =∈Z(2)×0

(m2+ ξ2)(2ξ1)uei−m+ξ(ey)eum− j +ξ(ey)eum−k+ξ(ex)uem−l +ξ(ex). (13)

It is easy to see that( eϑ_i(ex))

i∈Z(ℓn), is determined by(uei(ex))i∈H.

Algorithm 3.3 (Addition chain): Input _ex,ey andàx − y such that p_A

k(ex) − pAk(ey) = pAk(àx − y). Output àx+ y = chain_add(ex,ey,àx − y).

3 The addition relations

: _{For alli ∈ Z(ℓn), χ ∈ ˆZ(2) and X ∈ {àx+ y,} e x,ey,e0A_k}compute e ui,χ(X ) = X t ∈Z(2) χ (t) eϑ_i+t(X ).

: For all_{i ∈ Z(ℓn),}choose_{j , k, l ∈ Z(ℓn) such that i + j +k + l = 2m,}u_ej(àx − y) ̸= 0,euk(e0A_k) ̸= 0,

e

ul(e0A_k) ̸= 0 andcompute

e

ui(àx+ y) =

1

22geuj(àx − y)euk(e0A_k)uel(e0A_k)

X

ξ ∈H,2ξ =∈Z(2)×0

(m2+ ξ2)(2ξ1)eui−m+ξ(ey)uem− j +ξ(ey)uem−k+ξ(ex)eum−l +ξ(ex). (14)

: For all_{i ∈ Z(}ℓn),output e ϑi(àx+ y) = 1 2g X ξ ∈ ˆZ(2) e ui,χ(àx+ y). Complexity Analysis 3.4:

Asuei+t,χ= χ (t)eui,χwe only need to consider(ℓn)gcoordinates and the linear transformation betweenu ande e

ϑ can be computed at the cost of (2nℓ)g_{additions ink. We also have}

e

ui,χ(−ex) =eu−i,χ(ex).

Using the fact that fort ∈ Z(2) the right hand terms of (14) corresponding toξ = (ξ₁+ t,ξ₂) and to ξ = (ξ1,ξ2) are the same up to a sign, one can compute the left hand side of (14) with4 · 4gmultiplications and

4g_{additions ink. In total one can compute an addition chain in 4.(4ℓn)}g_{multiplications,(4ℓn)}g_{additions and}

(ℓn)g_{divisions ink. We remark that in order to compute several additions using the same point, there is no need}

to convert back to the eϑ at each step so we only need to perform Step 2.

The addition chain formula is a basic step for all the algorithms to be presented in the sequel of this paper and we will use it as an unit of time for all our running time analysis. In some cases it is possible to greatly speed up this computation. See for instance [Gau07] which uses the duplication formula between theta functions to speed up the addition chain of level two. See also Section4.1where it is explained how to use isogenies to compute the addition chain for a general level by using only addition chains of level two, so that we can use the speed up of [Gau07] in general whatever the level of the theta structure is.

Remark 3.5:

The addition formulas can also be used to compute the usual addition law inA_kby choosingj= 0 in Equation (14) for everyi.

The addition chain law on eA_k induces a multiplication by a scalar law which reduces via p_A k to the multiplication by a scalar deduced from the group law ofA_k. Letex,y ∈ ee Ak andàx+ y ∈

p−1

Ak(x + y), then we can compute â2x+ y := chain_add(àx+ y,ex,ey). More generally there is a recursive algorithm to compute for everym ¾ 2:

ä

3 The addition relations We put chain_multadd(n,àx+ y,ex,ey) :=ämx+ y and define

chain_mult(m,ex) := chain_multadd(m,ex,ex,e0A_k). We havep_A

k(chain_mult(m,ex)) = m.pAk(ex). We call chain_multadd a multiplication chain. Algorithm 3.6 (Multiplication chain):

Input m ∈ N, àx+ y,ex,y ∈ ee Ak.

Output chain_multadd(m,àx+ y,ex,ey).

: Computethe binary decomposition ofm := PI_i=0bi2i. Set m′ := 0, xy0 := ey, xy−1 :=

chain_add(ey, −ex,àx+ y), x0:= e0A_kand x1:=ex. : Foriin[I ..0]do Ifbi= 0then compute x_2m′:= chain_add(x_m′, x_m′, x₀) x_2m′₊₁:= chain_add(x_m′₊₁, x_m′, x₁) xy_2m′:= chain_add(xy_m′, x_m′, xy₀) m′_{:= 2m}′_. Else compute x_2m′₊₁:= chain_add(x_m′₊₁, x_m′, x₁) x_2m′₊₂:= chain_add(x_m′₊₁, x_m′₊₁, x₀) xy_2m′₊₁:= chain_add(xy_m′, x_m′, xy₋₁) m′_{:= 2m}′_{+ 1.} : Outputxy_m.

Correction and Complexity Analysis 3.7:

It is not completely trivial to see thatämx+ y does not depend on the Lucas sequence used to compute it. We prove this in Corollary3.13where we show that multiplication chains are associative. In order to do as few division as possible, we use a Montgomery ladder [CFA+06, Alg. 9.5] for our Lucas sequence, hence the algorithm.

We see that a multiplication chain requiresO(log(m)) addition chains.

.. The casen= 2

LetL0be a principal polarization associated to a symmetric irreductible divisorΘ. Then L = L02is

of degree2 and we have for alli ∈ Z(2), (−1)∗_ϑ

i= ϑi, where(−1) is the inverse automorphism on

A_k. As a consequence,L gives an embedding of the Kummer variety KA= Ak/ ± 1. Suppose that

the even theta nulls forΘ are non zero. Then the embedding given by L in the projective space is an immersion. (See [Kem88, Cor. 5] and [Kem92, Th. 1] or [Koi76, Cor. 4.5.2].)

There is no properly defined addition law onK_A: from±x ∈ KAand±y ∈ KA, we may compute

±x ± y which gives two points on KA. However, if we are also given±(x − y) ∈ KA, then we can

3 The addition relations

addition on the Kummer variety. With our hypothesis, by looking at the proof of Theorem11we see that we can use it to compute the pseudo addition law on the Kummer variety.

Letx, y ∈ KA. To compute±x ±y without ±(x −y) we can proceed as follows: let X = (Xi)i∈Z(2),

Y = (Y_i)_i∈Z(2)be the two projections of the generic point onK_A× KA. Then the addition

re-lationsX = chain_add(x, y,Y ) describe a system of degree 2 in K_A× KA, whose solutions are

(±(x + y),±(x − y)) and (±(x − y),±(x + y)). From this system, it is easy to recover the points {±(x + y), ±(x − y)}, but this involves a square root in k. (The preceding claims are proved in the preprint [LR10, Lemma 3].) We call this a normal addition, coming back to isogenies computations, it means that when working withn= 2, we have to avoid computing normal additions, since they require a square root and are much slower than addition chains.

Finally, to make our algorithms work withn= 2, we have to introduce the notion of compatible additions. Suppose that we are given±x, ±y, ±z ∈ KA, together with±(x + y), and ±(y + z). Using

a normal addition we can compute{±(x + z), ±(x − z)}; we want to find ±(x + z). If we apply the normal addition to±x + y and ±x + z we find {±(2x + y + z), ±(y − z)} while the normal addition applied to±x + y and ±x − z give {±(2x + y − z), ±(y + z)}. This allows us to identify ±(x + z) if we suppose 2x ̸= 0, 2y ̸= 0, 2z ̸= 0, and 2(x + y + z) ̸= 0. We call this the compatible addition±(x + z) with ±(x + y) and ±(y + z).

. Theta group and addition relations

In this Section, we study the action of the theta group on the addition relations. We also show that addition relations are compatible with isogenies between two abelian varieties with compatible theta structures. By combining this we find the addition relations linking the coordinates of the points { eR_i}_i∈Z(ℓn)on eB_k. By considering different modular point(a_i)_i∈Z(ℓn)∈ ϕ−1

1 ((bi)i∈Z(n)) and the

associated isogeniesπ : A_k→ Bk, we can then understand the addition chains between any isotropic

subgroup ofB_k[ℓ] (see Section1). In particular we exploit this to show that we can compute the chain multiplication byℓ in O(log(ℓ)) addition chains.

Given the way the addition relations are set up as a consequence of the isogeny theorem, there should be no surprise that they are compatible with the action of the theta group. Still, some care must be taken, if we haveex,y,eàx+ y andàx − y ∈ eA_k(k) such that

à

x+ y = chain_add(ex,ey,àx − y),

and we takeg₁,g₂∈ G(L ), then by looking at the projections in Akwe certainly have

(g₁◦ g2).àx+ y = λchain_add(g1.x, ge 2.ey,(g1◦ g2−1).àx − y)

whereλ ∈ k×. However for trivial reasons,λ ̸= 1 in general (See Lemma3.10), so we have to work a bit to determineλ.

We begin with two easy lemmas. Lemma 3.8:

Suppose thatxe1,ey1,ue1,ve1,ex2,ye2,ue2,ve2∈ eAk(k) satisfy the general Riemann relations (7).

• For every g ∈ G(L ), g .ex₁,g .ye1,g .eu1,g .ve1,g .ex2,g .ey2,g .eu2,g .ve2also satisfy the Riemann relations.

3 The addition relations • For everyℓ-isogeny of type 1 π : (A,L ,Θ_A

k) → (B,L0,ΘBk) such that ΘBk isπ-compatible withΘ_A

k, thenπ(e ex1),π(eye1),π(e eu1),π(e ve1),π(e xe2),π(e ey2),π(e ue2),π(e ve2) ∈ eBkalso satisfy the Riemann relations.

Proof: This is an immediate computation. „

Lemma 3.9:

Let(α, i, j) ∈ H (ℓn) andex ∈ eAk. Then we have−(α, i, j ).ex= (α,−i,−j).(−ex), andπ(−e ex) = −π(e ex).

In particular−(α, i, j ).e0Ak= (α,−i,−j).e0Ak.

Proof: Ifex= (xi)_i∈Z(ℓn), we recall that we have defined−ex= (x−i)i∈Z(ℓn). The fact than−(α, i, j ).ex=

(α,−i,−j).(−ex) is a direct consequence of the fact than the coordinates ( eϑ_i)_i∈Z(ℓn)ofex are the theta functions associated to a symmetric theta structure. We can also check this with a direct com-putation: Ifu ∈ Z(ℓn) we have by (1):((α, i, j).ex)u = α〈−u − i, j〉au+i,((α,−i,−j).ex)−u = α〈u + i,−j〉ex_−u−i= au+i= xu. The rest of the lemma is trivial. „

We now turn to the action ofH (ℓn) on eA_k. SinceH (ℓn) is generated by k∗_{,Z(ℓn) and ˆZ(ℓn)}

(where we embedZ(ℓn) and ˆZ(ℓn) in H (ℓn) with the usual sections), it is enough to study separately the action of these subgroup on the addition relation. The action ofk∗_{is immediate:}

Lemma 3.10: Forλx,λy,λx−y∈ k ∗ andex,ey ∈ Ak(k), we have: chain_add(λ_xex,λyey,λ_x−yàx − y) = λ2 xλ 2 y

λ_x−y chain_add(ex,ey,àx − y), (15)

chain_multadd(n,λ_x+yàx+ y,λ_xex,λyy) =e

λn(n−1) x λ n x+y λn−1 y chain_multadd(n,àx+ y,ex,ey), (16) chain_mult(n,λ_xex) = λ n2 x chain_mult(n,ex). (17)

Proof: Formula (15) is an immediate consequence of the addition formulas (11). The rest of the lemma

follows by an easy recursion. „

A more interesting result is the compatibility between the addition formulas and the action of Z(ℓn) on eA_k:

Proposition 3.11 (Compatibility of the pseudo-addition law): Forex,ey,àx − y ∈ eA_k(k), and i, j ∈ Z(ℓn), we have:

3 The addition relations In particular if we set eP_i= (1, i,0).e0_A

kwe have:

e

P_i+j= chain_add(eP_i, eP_j, eP_{i− j})

Proof: Let àx+ y = chain_add(ex,ey,àx − y). By Theorem3.2, we have for everya, b , c, d , e ∈ Z(ℓn) such thata+ b + c + d = 2e:

X t ∈Z(2) χ (t)ϑ_a+t(àx+ y)ϑ_b+t(àx − y)
. X t ∈Z(2) χ (t)ϑ_c+t(e0)ϑ_d+t(e0)
= X t ∈Z(2)

χ (t)ϑ_−e+a+t(ey)ϑ_{e−b +t}(ey)
. X

t ∈Z(2)

χ (t)ϑ_e−c+t(ex)ϑ_{e−d +t}(ex)
. (19)

Applying (19) toa′_{= a + i + j, b}′_{= b + i − j, c}′_{= c, d}′_{= d, e}′_{= e + i, it comes:}

X

t ∈Z(2)

χ (t)ϑ_i+j+a+t(àx+ y)ϑ_b+i−j+t(àx − y)
. X

t ∈Z(2)

χ (t)ϑ_c+t(e0)ϑd+t(e0)
=

X

t ∈Z(2)

χ (t)ϑ_{− j −e+a+t}(ey)ϑ_j+e−b(ey)
. X

t ∈Z(2)

χ (t)ϑ_i+e−c+t(ex)ϑ_i+e−d+t(ex)
. (20)

Thus(1, i+ j,0).àx+ y,(1, i,0).ex,(1, j,0).ey and(1, i− j,0).àx − y satisfy the additions relations.„ By applyingπ, we obtain the following corollary:e

Corollary 3.12:

Forex,ey,àx − y ∈ eA_k, and i , j∈ Z(ℓn), we have:

e

π_i+j(chain_add(ex,ey,àx − y)) = chain_add(π_ei(ex),π_ej(ey),π_{ei− j}(àx − y)).

Proof: Remember that by definitionπei(ex) =π((1, i,0).e ex). The lemma is then a trivial consequence

of Proposition3.11and Lemma3.8. „

We remark that by settingex=ey= e0A_kin Corollary3.12, we find

e

R_i+j= chain_add(eR_i, eR_j, eR_{i− j}).

By considering different isogeniesπ : A_k→ Bk, we can use Corollary3.12to study the associativity of

chain additions: Corollary 3.13:

3 The addition relations

1. For all n∈ N∗_{, we put}

f

nx= chain_mult(n,ex) andãnx+ y = chain_multadd(n,àx+ y,ex,y).e Then for all n1,n2∈ N∗such that n1> n2, we have

å

(n₁+ n₂)x = chain_add(gn₁x,ng2x, å(n1− n2)x), (21)

å

(n₁+ n₂)x + y = chain_add(än₁x+ y,ng2x,(n₁å− n₂)x + y). (22) In particular, we see that ãnx+ y andnx do not depend on the particular sequence of chain_addf used to compute them.

2. For all n∈ N∗_{,−ãnx+ y = chain_add(n,−(àx+ y),−ex, −ey)}

Proof: First we prove assertion 1. Let ˆK be a subgroup of B_k[ℓ] containing x which is maximal and isotropic for the Weil pairing. Consider the isogenyπ : Bˆ _k→ Dk= Bk/ ˆK and letπ : Dk→ Bkbe

the contragredient isogeny. We choose any theta structure on(D_k,π∗_L

0) compatible with π. There

existi, j ∈ Z(ℓ) and λi,λj∈ k ∗

such thatex= λiπei(e0D_k) andye= λjπej(e0D_k). If λi= λj= 1, then the assertion 1. of Corollary3.13is a consequence of Corollary3.12. But it is easy (see Lemma3.10) to see that (21) is homogeneous inλ_i, hence the result.

Next we prove assertion 2. Once again, leti ∈ Z(ℓ) be such thatex = λiπe€(1, i,0).e0D_k Š

, and letey′be any point inπe−1(ey). By homogeneity we may suppose that λi= 1. By Corollary3.12and Proposition3.11, we haveãnx+ y = π (1, n.i,0).e ye′
. Now by Lemma3.9, we have−ãnx+ y =

e

π −(1, n.i,0).ye

′

=π (1,−n.i,0). −e ye

′

= chain_add(n,−(àx+ y),−ex, −ey). „ The following remark concerning Corollary3.12is a useful fact to study the caseℓ not prime to n: Remark 3.14:

Letex ∈ eAk,i ∈ Z(ℓn) and letey=π(e ex). Let m ∈ Z be such that ℓ|m. By Proposition3.11and Corollary3.12, we have

e

π ((1, mi,0).ex) = chain_multadd(m,πei(ex), eRi,ey).

But ifℓ|m, then mi ∈ Z(n) ⊂ Z(ℓn). By Proposition2.3we haveπ ((1, mi,0).e ex) = (1, mi,0).ey, and(1, mi,0).ey can be computed with the formulas (1). Hence

(1, mi,0).ey= chain_multadd(m,πei(ex), eRi,y).e

♦ In order to have a complete picture of the action ofH (ℓn) on eA_k, we have yet to describe the action of ˆZ(ℓn) on eA_k. In order to do so, we recall from Section2.2thatIis the automorphism of the Theta group that permutesK₁andK₂. Sinces_K

2(L )=I◦ sK1(L )◦I, we just have to explain what is the action of ofIon the addition relations.

3 The addition relations Proposition 3.15:

Suppose that x, y, u, v, x′_,y′_,u′_,v′_{∈ eA}

k(k) satisfy the general Riemann equations (7). ThenI.x,I.y,

I.u,I.v,I.x′_,I.y′_,I.u′_,I.v′_{also satisfy (7).}

Proof: If x= (x_i)_i∈Z(ℓn)we recall (see (5)) that

I.x= ( X

j ∈Z(ℓn)

e(i, j)xj)_i∈Z(ℓn)

wheree= e_L is the commutator pairing.

By hypothesis, we have fori, j , k, l ∈ Z(ℓn) such that i + j + k + l = 2m: X t ∈Z(2) e ϑ_i+t(x) eϑ_j+t(y)
. X t ∈Z(2) e ϑ_k+t(u) eϑ_l+t(v)
= X t ∈Z(2) e ϑi′_+t(x′) eϑ_j′_+t(y′)
. X t ∈Z(2) e ϑk′_+t(u′) eϑ_l′_+t(v′)
. (23)

LetA_{χ ,x,y,i,j}= P_{t ∈Z(2)}χ (t) eϑ_i+t(x) eϑ_j+t(y)
. If I ,J ,K, L ∈ Z(ℓn) are such that I + J + K + L= 2M, we have: A_{χ ,I.x,I.y,I ,J}= X T ∈Z(2) χ (T ) X i∈Z(ℓn) e(I + T, i) eϑi(x)
X j ∈Z(ℓn) e(J + T, j) eϑj(x)
= X T ∈Z(2),i, j ∈Z(ℓn)

χ (T )e(T, i + j)e(I , i)e(J , j) eϑ_i(x) eϑ_j(y)

A_{χ ,I.x,I.y,I ,J}A_{χ ,I.u,I.v,K,L}= X

T1,T2∈Z(2)

i, j ,k,l ∈Z(ℓn)

χ (T1+T2)e(T1,i+ j)e(T2,k+ l)e(I , i)e(J , j)e(K, k)e(L, l) eϑi(x) eϑj(y) eϑk(u) eϑl(v)

= X

i, j ,k,l ∈Z(ℓn)

e(I , i)e(J , j)e(K, k)e(L, l) eϑi(x) eϑj(y) eϑk(u) eϑl(v)

X T1,T2∈Z(2) χ (T1+ T2)e(T1,i+ j)e(T2,k+ l)
But X T₁,T₂∈Z(2) χ (T1+ T2)e(T1,i+ j)e(T2,k+ l)
= ¨4g _{ife(·, i + j) = e(·, k + l) = χ} 0 otherwise

ande(·, i + j) = e(·, k + l) (as characters on Z(2)) if and only if there exists m ∈ Z(ℓn) such that i+ j + k + l = 2m. Now since I + J + K + L = 2M we have e(I + J ,·) = e(K + L,·) and as a

3 The addition relations consequence:

λ X

t1,t2∈Z(2)

e(I , i + t1)e(J , j + t1)e(K, k + t2)e(L, l + t2) eϑi+t1(x) eϑj+t1(y) eϑk+t2(u) eϑl+t2(v) =

λe(I , i)e(J , j)e(K, k)e(L, l) X

t1,t2∈Z(2) e

ϑ_i+t1(x) eϑ_j+t1(y) eϑ_k+t2(u) eϑl+t2(v) =

λe(I , i)e(J , j)e(K, k)e(L, l) X

t₁,t₂∈Z(2) e ϑi′_+t 1(x ′_{) eϑ} j′_+t 1(y ′_{) eϑ} k′_+t 2(u ′_{) eϑ} l′_+t 2(v) =

λe(I′_,i′_)e(J′_,j′_)e(K′_,k′_)e(L′_,l′₎ X

t1,t2∈Z(2) e ϑ_i′_+t 1(x ′_{) eϑ} j′_+t 1(y ′_{) eϑ} k′_+t 2(u ′_{) eϑ} l′_+t 2(v)

whereλ = 4g ifi+ j + k + l = 2m and λ = 0 otherwise. By combining these relations we find that A_{χ ,I.x,I.y,I ,J}A_{χ ,I.u,I.v,K,L}= A_{χ ,I.x}′_,I.y′_,I′_,J′A_{χ ,I.u}′_,I.v′_,K,L.

which concludes the proof. „

Corollary 3.16:

Letex,ey,àx − y ∈ eA_k(k), and let i, j ∈ Z(ℓn), k, l ∈ ˆZ(ℓn). Then we have: (1, i + j, k + l).chain_add(ex,ey,àx − y)

= chain_add((1, i, k).ex,(1, j, l).ey,(1, i − j, k − l).àx − y). (24) Proof: By Propositions3.11and3.15we have

(1,0, k + l).chain_add(ex,ey,àx − y) = chain_add((1, 0, k).ex,(1,0, l).ey,(1,0, k − l).àx − y) (25) Now since(1, i, k) = (1,0, k)(1, i,0), we conclude by combining Equations (18) and (25). „ Using Proposition3.15, we can prove that the addition relations are compatible with any isogeny. Corollary 3.17:

Suppose thatxe1,ye1,ue1,ve1,xe2,ye2,ue2,ve2∈ eAksatisfy the Riemann relations (7). Ifπ : (A,L ,ΘA_k) → (B,L0,ΘB_k) is an isogeny such that ΘB_kisπ-compatible with ΘA_k, thenπ(e xe1),π(e ye1),π(e ue1),π(e ve1),

e

π(xe2),π(eye2),π(e ue2),π(e ve2) ∈ eBk also satisfy the general Riemann Relations. In particular, for all e

x,ey,àx − y ∈ eA_k, we have

e

π(chain_add(ex,y,eàx − y) = chain_add(π(eex),π(eey),π(e àx − y)).

Proof: It is easy to see that Lemma3.8is valid for any compatible isogenies of type1 (it is not restricted toℓ-isogenies). By Proposition3.15, we can apply Lemma3.8also in the case of compatible isogenies of type2, which concludes since every compatible isogeny is a composition of isogenies of type 1 or 2.„

4 Application of the addition relations to isogenies

 Application of the addition relations to isogenies

In this Section we apply the results of Section3to the computation of isogenies (see Section4.2). More precisely, we present an algorithm to compute the isogenyπ : Bˆ _k→ Akfrom the knowledge of

the modular point e0_A

k. We give in Section5algorithms to compute e0Akfrom the kernel ofπ.ˆ But first, we remark that since the embedding ofA_kthat we consider is given by a theta structure of levelℓn, a point ˆπ(x) is given by (ℓn)g coordinates, which get impractical because of memory con-sumption whenℓ is big. In order to mitigate this problem, in Section4.1, we give a point compression algorithm such that the number of coordinates of a compressed point does not depend onℓ.

We recall that we have chosen in Section3.1e0_A

k= (ai)i∈Z(ℓn)such thatπ(e0e A_k) = e0B_k, and that we have defined fori ∈ Z(ℓn), eR_i= (a_i+j)_{j ∈Z(n)}∈ eB_k(k).

. Point compression

Suppose thatℓ is prime to n. We know thatex ∈ eAk(k) can be recovered from (πei(ex))_i∈Z(ℓ), by (ex)_ni+ℓj = (πei(ex))j. If(d1, · · · , dg) is a basis of Z(ℓ), we can prove thatex can be easily computed from just(πed_i(ex))i∈[1..g ]and(πed_i+d_j(ex))i, j ∈[1..g ]). If (e1, · · · , eg) is the canonical basis of Z(ℓn), in the following, we take(d_i= ne_i)_{i∈[1..g ]}as a basis ofZ(ℓ).

Proposition 4.1:

Letex ∈ eAk(k) and i, j ∈ Z(ℓn). We have

e

π_i+j(ex) = chain_add(πei(ex), eRj,πei− j(ex)).

Proof: We apply Corollary3.12withey= e0A_k,àx − y =ex, so that we have chain_add(ex,ey, áx − y) = e

x. We obtain:

e

π_i+j(ex) = chain_add(πei(ex),πej(e0A_k),πei− j(ex)). _„

Definition 4.2:

LetS ⊂ G be a subset of a finite abelian group G such that 0G∈ S. We denote by S′the smallest

subset ofG (for the inclusion) such that S′_{⊃ S and S}′_{= S}′_{S{x + y|x ∈ S}′_{,y ∈ S}′_{,x − y ∈ S}′_}.

We say thatS is a chain basis of G if S′_{= G.}

Example 4.3:

LetG= Z(ℓ). Let (e₁, · · · , eg) be the canonical basis of G. If ℓ is odd, a chain basis of G is given by

S= {0_G,e_i,e_i+ e_j}_{i, j ∈[1..g ],i< j}. Ifℓ is even, a chain basis of G is given by

S= {0G,ei1,ei1+ ei2, · · · , ei1+ ··· + eig}i1,··· ,ig∈[1..g ],i1<···<ig. In each case, the chain basisS is minimal, we call it the canonical chain basisS(G) of G.