Looking forward to AM-PQC 2026, the Workshop on Algebraic Methods in Post-Quantum Cryptography this August in Macedonia! pqcrypto.cs.ru.nl/ampqc/
Stipends for students are available. Apply before May 4th!
Posts by Damien Robert
I am pretty sure this explains the "semi-reduced Tate pairing" from eprint.iacr.org/2023/549.pdf. See eq.(6) p.13. I am happy because I was wondering about a more conceptual explanation of this semi-reduced pairing for 3 years!
But $2nq(x)|_{A[n]}$ is always trivial!
So this time for $P \in A[n]$ we get a $\mu_{2n}$-torsor as the obstruction, not necessarily induced by a $\mu_n$-torsor, and not coming from a self Tate pairing. (We can recover the self Tate pairing from this $\mu_{2n}$-torsor, but not the other way around.)
This is just (up to a square root) the self Tate pairing $T_n(P,P)$, because the Tate pairing is also defined as a $\mu_n$-torsor encoding the descent of trivialisations induced by $nb(x,y)=0$ over $A[n] \times A$.
What's interesting is when $n$ is even. Then $nq(x)|_{A[n]}$ is non-trivial in general...
Then on the $n$-torsion, for $n$ odd, $nq(x)|_{A[n]}=0$ means that for $P \in A[n]$, we can define an étale $\mu_n$-torsor, as the obstruction of the descent of the rigidification of $L^n$ above $P$ induced by "$nq=0$" to a trivialisation of $L$ above $P$.
Ohh, and I have just realized that this "trivial quadratic form" has another cool application. This time I'll assume we have the roots of unity in the base field, unlike in the monodromy leak. Let $q: A \to B\mathbb{G}_m$ be the quadratic form associated to an ample line bundle $L$.
(I know I already made this joke in our other discussion channel, but I am very proud of it, so let me do it again here...)
No, of course not! An ∞-category is a category enriched in ∞-groupoids. That's perfectly non-circular.
Ok, so then what is an ∞-groupoid? Well, it's simply a groupoid enriched in ∞-groupoids...
I'm beginning to feel more and more that the meaning of the ‘∞’ in “∞-categories” is that you can only explain what an ∞-category is to someone who already knows what an ∞-category is.
=> this gives explicit algorithms to compute isogenies
7) As I mentioned above, if n is odd, then Q(x):=nq(x) is trivial over A[n] => this gives the monodromy leak.
6) If f: A -> B is linear with kernel K, a quadratic form Q on A is of the form Q=f^* q for a quadratic form q on B, iff Q(k+x)=0 for all x in A and k in K, i.e.
a) Q(k)=Q(0) for each k in K and
b) If B is the symmetric bilinear form associated to Q, B(k,x)=0 for all k in K and x in A.
5) A quadratic form q is linear iff the associated bilinear form b is 0 => this gives the theta group arithmetic
4) If b is bilinear, B_1(x,y)=b(nx,y) and B_2(x,y)=b(x,ny) are both trivial on A[n] x A[n] => this gives the Weil pairing
3) If b is bilinear, B(x,y):=b(nx, y) is trivial on A[n] x A => this gives the Tate pairing
2) q quadratic gives a symmetric bilinear form b(x,y)=q(x+y)+q(0)-q(x)-q(y) => this gives the polarisation associated to a line bundle
Let me give some examples to illustrate this:
1) q is quadratic iff q(x+y+z)-q(x+y)-q(y+z)-q(x+z)+q(x)+q(y)+q(z)-q(0)=0.
Internalizing this gives the cubical arithmetic.
And these slides were an attempt to explain why this happens, and even to give a more or less systematic way to go from "an equality statement on quadratic forms" to "an arithmetic statement on abelian varieties", by internalizing the statement in "the internal logic of an ∞-topos".
Indeed! But beware that I don't really know what I am talking about in these slides... But the gist of it, which I find fascinating, is that every equality about quadratic/bilinear forms appears to give a non-trivial arithmetic statement on elliptic curves/abelian varieties.
What's important is that we can compute $Q$ explicitly.
Now it is just a matter of DLPs in $\mathbb{G}_m$ and quadratic equation solving to solve the DLP in $E[n]$.
Now given any arithmetic computation above $E[n]$ compatible with the cube structure for $q_0$, as is the case for a leak of the Montgomery ladder in $(X,Z)$ coordinates, comparing with the above canonical descent, we obtain a genuine quadratic form $Q$ with values in $\mathbb{G}_m$ this time.
Internalizing this, if $n$ is odd we see that $q: E[n] \to B\mathbb{G}_m$ is trivial, hence we have a trivial cube structure above $E[n]$. Now assume that $\mu_n(k)=1$; then étale $\mu_n$-torsors are trivial over $k$, so we can descend this from $q$ to $q_0$.
Let $E/k$ be an elliptic curve over a finite field, $q_0: E_0 \to B\mathbb{G}_m$ the quadratic form associated to $(0_E)$, and $q(x)=q_0(nx)$.
The key fact is that a standard quadratic form $G \to \mathbb{G}_m$ of the form $q(x)=q_0(nx)$ is trivial if $G$ is of exponent $n$ and $n$ is odd (resp. exponent $n/2$ if $n$ is even).
By the way, as you know, lately I have been thinking about cubical structures in terms of derived quadratic forms, and although a bit conceptual it is *amazing* for having a better understanding of what we can do with them.
For instance the monodromy leak can be explained in a paragraph:
Super cool write-up, and very cool challenge (as the one from last year!). Although one might say I may be a bit biased on this topic :-)
Writeup of the crypto-challenge MonoDOOM ETERNAL from #KalmarCTF - A follow-up to last year's MonoDOOM challenge, this time with botched side-channel protection!
jonathke.github.io/monoDOOM-ETE...
🔽 So, @jeanas.bsky.social and I are pleased to announce a new preprint in computability, in which we show that the Turing degrees can be embedded upside down in (what we call) the “Arthur-Nimue-Merlin degrees”.
The paper opens with a riddle, which I hope will be of interest!
At my age I am no longer ashamed to confess that I have absolutely zero intuition about what a Gorenstein ring looks like: mathoverflow.net/q/509373/17064
We still have a few spots left at MaGIC!
Registration closes this week... Hurry up if you want to be on top of all the latest news on Cryptographic Group Actions!
magic-workshop.github.io
Thomas and I looked at directed isogeny graphs!
In dim 1, we often ignore directedness, as there are only 2 "problematic" curves. Not so in dim 2: we analyze the action of automorphisms on level structures and the resulting directed graphs.
Crucial: Directed (2,2)-graphs look Ramanujan after all!