# A Candidate Group with Infeasible Inversion

Motivated by the potential cryptographic application of building a directed transitive signature scheme, the search for a group with infeasible inversion was initiated in the theses of Hohenberger and Molnar in 2003. Later it was also shown to provide a broadcast encryption scheme by Irrer et al. (2004). However, to date the only case of a group with infeasible inversion is implied by the much stronger primitive of self-bilinear map constructed by Yamakawa et al. (2014) based on the hardness of factoring and indistinguishability obfuscation (iO). We propose a candidate trapdoor group with infeasible inversion without using the heavy machinery of iO. The underlying group is isomorphic to the ideal class group of an imaginary quadratic order, and is represented by the elliptic curve isogeny graph. The hardness of group inversion relies on the conjectured hardness of several problems on the isogeny graphs defined over composite moduli with unknown factorization.


## 1 Introduction

Let denote a finite group written multiplicatively. The discrete-log problem asks to find the exponent given and . In the groups traditionally used in the discrete-log-based cryptosystems, such as [DH76], the elliptic curve group [Mil85, Kob87], and the class group [BW88, McC88], computing the inverse given is easy. We say is a group with infeasible inversion if computing inverses of elements is hard, while performing the group operation is easy (i.e. given , , , computing is easy).

The search for a group with infeasible inversion was initiated in the theses of Hohenberger [Hoh03] and Molnar [Mol03], motivated by the potential cryptographic application of constructing a directed transitive signature. It was also shown by Irrer et al. [ILOP04] to provide a broadcast encryption scheme. However, the only existing candidate of such a group is implied by the much stronger primitive of self-bilinear maps constructed by Yamakawa et al. [YYHK14], assuming the hardness of integer factorization and indistinguishability obfuscation (iO) [BGI01, GGH13].

We propose a candidate trapdoor group with infeasible inversion without using iO. The underlying group is isomorphic to the ideal class group of an imaginary quadratic order (henceforth abbreviated as the class group). In the standard representation of the class group, computing the inverse of a group element is straightforward. (By emphasizing the “representation”, we would like to remind the readers that the hardness of group-theoretic problems, like the discrete-log problem, depends on the group representation rather than the group structure. After all, most of the cryptographically interesting finite groups are chosen to be isomorphic to the innocent-looking additive group , . However, the isomorphism is typically hard to compute.) The representation we propose uses the volcano-like structure of the isogeny graphs of ordinary elliptic curves. In fact, this work was initiated by the desire to explore the computational problems on isogeny volcanoes defined over composite moduli with unknown factorization.

### 1.1 Elliptic curve isogenies in cryptography

An isogeny is a morphism of elliptic curves that preserves the identity. Given two isogenous elliptic curves , over a finite field, finding an explicit rational polynomial that represents the isogeny from to is traditionally called the computational isogeny problem.

The study of computing explicit isogenies began with the rather technical motivation of improving Schoof’s polynomial-time algorithm [Sch85] for computing the number of points on an elliptic curve over a finite field (the improved algorithm is usually called the Schoof-Elkies-Atkin algorithm, cf. [CM94, Sch95, E98] and the references therein). A more direct use of computing explicit isogenies is to transfer the elliptic curve discrete-log problem from one curve to another [Gal99, GHS02, JMV05]. If computing an isogeny between any two isogenous elliptic curves were efficient, the discrete-log problem would be equally hard on all curves in an isogeny class.

The best way of understanding the nature of the isogeny problem is to look at the isogeny graphs. Fix a finite field and a prime different from the characteristic of . Then the isogeny graph is defined as follows: each vertex in contains a -invariant of an isomorphism class of curves (and their twists); two vertices are connected by an edge if there is an isogeny of degree over that maps one curve to the other. The structure of the isogeny graph is described in the PhD thesis of Kohel [Koh96]. Roughly speaking, a connected component of an isogeny graph containing ordinary elliptic curves looks like a volcano (a term coined in [FM02]). The connected component containing supersingular elliptic curves, on the other hand, has a different structure. In this article we will focus only on the ordinary case.

##### A closer look at the algorithms of computing isogenies.

As above, let be a finite field of elements, and an integer such that . Given the -invariant of an elliptic curve , there are at least two different ways to find all the -invariants of the curves that are -isogenous to (or to a twist of ) and to find the corresponding rational polynomials that represent the isogenies:

1. To compute kernel subgroups of of size , then to apply Vélu’s formulae to obtain the explicit isogenies and the -invariants of the image curves.

2. To obtain the -invariants of the image curves by solving the modular polynomial over , then to construct the explicit isogenies from these -invariants.

Both methods are able to find all the -isogenous neighbors over in time . In other words, over a finite field, one can take a stroll around the polynomial-degree isogenous neighbors of a given elliptic curve efficiently.

However, for two random isogenous curves over a sufficiently large field, finding an explicit isogeny between them seems to be hard, even for quantum computers. The conjectured hardness of computing isogenies was used in a key-exchange and a public-key cryptosystem by Couveignes [Cou06] (written in 1997 but not published until 2006) and independently by Rostovtsev and Stolbunov [RS06]. Moreover, a hash function and a key exchange scheme were proposed based on the hardness of computing isogenies over supersingular curves [CLG09, JF11]. Isogeny-based cryptography is attracting attention partly due to its conjectured post-quantum security.

### 1.2 Isogeny volcanoes over a composite modulus with unknown factorization

Let be primes and let . In this work we consider computational problems related to elliptic curve isogeny graphs defined over , where the prime factors , of are unknown. An isogeny graph over is defined by first fixing the isogeny graphs over and , then taking a graph tensor product; the -invariants in the vertices of the graph over are obtained by the Chinese remainder theorem. Working over the ring without the factors of creates new sources of computational hardness from the isogeny problems. Of course, by assuming the hardness of factorization, we immediately lose the post-quantum privilege of the “traditional” isogeny problems. From now on all the discussions of hardness are with respect to polynomial-time classical algorithms.

##### Basic neighbor search problem over Z/NZ.

When the factorization of is unknown, it is not clear how to solve the basic problem of finding (even one of) the -isogenous neighbors of a given elliptic curve. The two algorithms over finite fields we mentioned seem to fail over since both of them require solving polynomials over , which is hard in general when the factorization of is unknown. In fact, we show that if it is feasible to find all the -isogenous neighbors of a given elliptic curve over , then it is feasible to factorize .

##### Joint-neighbor search problem over Z/NZ.

Suppose we are given several -invariants over that are connected by polynomial-degree isogenies; we ask whether it is feasible to compute their joint isogenous neighbors. For example, in the isogeny graph on the LHS of Figure 2, suppose we are given , , , and the degrees between and , and between and , such that . Then we can find , which is -isogenous to and -isogenous to , by computing the polynomial over . When the polynomial turns out to be linear with its only root being , computing the neighbor in this case is feasible.

However, not all the joint-isogenous neighbors are easy to find. As an example, consider the following -joint neighbor problem illustrated on the RHS of Figure 2. Suppose we are given and that are -isogenous, and asked to find which is -isogenous to and -isogenous to . The natural way is to take the gcd of and , but in this case the resulting polynomial is of degree and we are left with the problem of finding a root of it over , which is believed to be computationally hard without knowing the factors of .

Besides the method described above, we currently do not know of another way of solving the -joint neighbor problem, nor do we know whether solving this problem is as hard as factoring . We will list a few attempts we have made at solving this problem or showing its hardness.

The conjectured computational hardness of the -joint neighbor problem is fundamental to the infeasibility of computing group inversion in the group we construct.

### 1.3 Representing ideal class groups by isogeny volcanoes

To explain the construction of the trapdoor group with infeasible inversion, it is necessary to recall the connection of the ideal class groups and elliptic curve isogenies. Let be a finite field as before and let be an elliptic curve over whose endomorphism ring is isomorphic to an imaginary quadratic order . The group of invertible -ideals acts on the set of elliptic curves with endomorphism ring . The ideal class group acts faithfully and transitively on the set

$$\mathrm{Ell}_{\mathcal{O}}(k) = \{\, j(E) : E \text{ with } \mathrm{End}(E) \simeq \mathcal{O} \,\}.$$

In other words, there is a map

$$\mathrm{CL}(\mathcal{O}) \times \mathrm{Ell}_{\mathcal{O}}(k) \to \mathrm{Ell}_{\mathcal{O}}(k), \qquad (\mathfrak{a}, j) \mapsto \mathfrak{a} * j$$

such that for all and ; and for any , there is a unique such that . The cardinality of is equal to the class number .

To represent the ideal class group of an imaginary quadratic order , we choose curves over and over such that their endomorphism rings over and are both isomorphic to . From now on, by abuse of notation, we will be referring to both and as unless we explicitly need to distinguish between the two curves. We hope that the individual curve under discussion will be clear from the context. We further remark that we can also start with a single curve over and go through the whole construction by simply reducing the curve modulo and modulo .

Let and let be the -invariant of over defined by the CRT composition of the -invariants of and . The public parameter of the group is then , where represents the identity of . An element is canonically represented by the -invariant (once again, obtained over and then composed by CRT).

As in the -joint neighbor search problem of §1.2, given two class group elements represented by coprime-degree isogenies, the group operation can be performed efficiently by taking the gcd of two modular polynomials. On the other hand, given a group element represented by a -invariant that is -isogenous to , computing an encoding of the group inversion is equivalent to computing a -invariant that is -isogenous to and -isogenous to , and has the same endomorphism ring as and . It is one of the solutions of the -isogenous neighbor problem.

Let us remark that the actual instantiation of the trapdoor group with infeasible inversion (TGII) is rather involved. Many challenges arise solely from working with the ideal class groups of imaginary quadratic orders. To give a simple example of the challenges we face, efficiently generating a class group with a known large prime class number is an open problem. Our construction, however, requires more than knowing the class number to support an efficient encoding algorithm. Due to various constraints, we can currently choose the parameters only from a narrow range so as to support an efficient parameter generation algorithm and an efficient encoding algorithm, and to preserve the plausible security of the TGII. Extending the range of working parameters seems to require solving several open problems concerning ideal class groups of imaginary quadratic orders.

We also note that our concrete instantiation deviates in several places from the ideal interface of a TGII. One of the deviations is that computing the self-composition of a group element is inefficient, due exactly to the hardness of the -joint neighbor problem.

Because of the complications from the class groups and all the deviations, additional engineering effort is needed when instantiating the applications of a TGII, whose designs assume the ideal interface. In the instantiations of a directed transitive signature and a broadcast encryption scheme, we will specify the choices of parameters so as to provide both the functionality and plausible security. The hardness of the -joint neighbor problem is merely a necessary condition for security. We will mention our cryptanalysis attempts and list the other problems related to the security of our TGII candidate.

### 1.4 Further discussions

Note that given and over the ring , computing is feasible for any . On the other hand, computing is infeasible for a suitable subgroup of . However, in general, it is not clear how to efficiently perform the multiplicative operation “in the exponent”.

The only existing candidate of (T)GII that supports a large number of group operations is implied by the self-bilinear maps constructed by Yamakawa et al. [YYHK14] using general purpose indistinguishability obfuscation [BGI01]. The existence of iO is currently considered a strong assumption in the cryptography community. Over the past five years many candidates (since [GGH13]) and attacks (since [CHL15]) have been proposed for iO. Basing iO on a clearly stated hard mathematical problem is still an open research area.

Nevertheless, the self-bilinear maps construction from iO is conceptually simple. Here we sketch the idea. Given an integer with unknown factorization, a group element is represented by ( denotes the signed group of quadratic residues), together with an obfuscation of the circuit :

$$C_{2a,N} : \mathrm{QR}^{+}(N) \to \mathrm{QR}^{+}(N), \qquad x \mapsto x^{2a}.$$

Given , , , , everyone is able to compute . [YYHK14] proves that under the hardness of factoring, and assuming that the obfuscator satisfies the security notion of indistinguishability obfuscation, it is infeasible for the adversary to compute . Such a result implies that under the same assumption, it is infeasible to compute given and .

The obfuscated circuit is referred to as “auxiliary input” in [YYHK14], so what [YYHK14] constructed is precisely called “self-bilinear maps with auxiliary input”. The downside of having auxiliary inputs is that the encodings of the group elements keep growing after the compositions. Self-bilinear maps without auxiliary input were recently investigated by [YYHK18] in the context of rings with infeasible inversion, but constructing them is still open even assuming iO.

##### The thesis of Hohenberger.

Hohenberger [Hoh03] studies the sufficient and necessary conditions of constructing a group with infeasible inversion. Given that our construction deviates in several places from the ideal interface of a (T)GII, not all the conditions from [Hoh03] hold for our construction. For example, it is mentioned in [Hoh03] that the group order cannot be released in a GII, since the group inversion can be trivially computed by making self-compositions once the group order is known. But the reason does not apply to our construction since our construction does not support self-composition. However, we still need to hide the group order because the group order is chosen to be polynomially smooth, and revealing the group order allows the adversary to solve the discrete-log problem efficiently.

[Hoh03] also studies the relations of (T)GII to other cryptographic primitives such as associative one-way functions. Again, due to the deviation of our candidate from the ideal interface of a (T)GII, these relations or implications do not necessarily hold for our candidate.

## 2 Preliminaries

##### Notations and terminology.

Let be the set of complex numbers, reals, rationals, integers, and positive integers. For any field we denote its algebraic closure by . For , let . For , an integer is called -smooth if all the prime factors of are less than or equal to . An -dimensional vector is written as a bold lower-case letter, e.g. . For an index , distinct prime numbers for , and , we will let denote the integer such that , for .

In cryptography, the security parameter (denoted by ) is a variable that is used to parameterize the computational complexity of the cryptographic algorithm or protocol, and the adversary’s probability of breaking security. In theory and by default, an algorithm is called “efficient” if it runs in probabilistic polynomial time in . Exceptions may occur in reality and we will explicitly discuss them when they come up in our applications.

An -dimensional lattice is a discrete additive subgroup of that generates it as a vector space over . Given linearly independent vectors , the lattice generated by is

$$\Lambda(\mathbf{B}) = \Lambda(\mathbf{b}_1, \ldots, \mathbf{b}_n) = \Big\{ \sum_{i=1}^{n} x_i \cdot \mathbf{b}_i \;:\; x_i \in \mathbb{Z} \Big\}.$$

Let denote the Gram-Schmidt orthogonalization of .

Let denote a finite abelian group, and let the prime factorization of its order be . For each , let , and . We have the isomorphism

$$G \to G(p_1) \times \cdots \times G(p_k), \qquad g \mapsto \big( g^{H(p_1)}, \ldots, g^{H(p_k)} \big).$$

For a cyclic group , the discrete-log problem asks to find the exponent given a generator and a group element . The Pohlig-Hellman algorithm [PH78] solves the discrete-log problem in time if the factorization of is known.

Over a possibly non-cyclic group , the discrete-log problem is defined as follows: given a set of elements and a group element , output a vector such that , or decide that is not in the subgroup generated by . A generalization of the Pohlig-Hellman algorithm works for non-cyclic groups with essentially the same cost plus an factor (the algorithm is folklore [PH78] and is explicitly given in [Tes99]). A further improvement removing the factor is given by Sutherland [Sut11b].

### 2.1 Ideal class groups of imaginary quadratic orders

There are two equivalent ways of describing ideal class groups of imaginary quadratic orders: via the theory of ideals or via quadratic forms. We will be using these two viewpoints interchangeably. The main references for these are [McC88, Coh95, Cox11].

Let be an imaginary quadratic field. An order in is a subset of such that

1. is a subring of containing 1,

2. is a finitely generated -module,

3. contains a -basis of .

The ring of integers of is always an order. For any order , we have ; in other words, is the maximal order of with respect to inclusion.

The ideal class group (or class group) of is the quotient group , where denotes the group of proper (i.e. invertible) fractional -ideals of , and is its subgroup of principal -ideals. Let be the discriminant of . Note that since is imaginary quadratic we have . Sometimes we will denote the class group as , and the class number (the group order of ) as or .

Let , where is the fundamental discriminant and is the conductor of (or ). The following well-known formula relates the class number of a non-maximal order to that of the maximal one:

$$\frac{h(D)}{w(D)} = \frac{h(D_0)}{w(D_0)} \cdot f \prod_{p \mid f} \left( 1 - \frac{\left(\frac{D_0}{p}\right)}{p} \right), \tag{1}$$

where if , if , and if . Let us also remark that the Brauer-Siegel theorem implies that as .

##### Representations.

The standard representation of an -ideal of discriminant uses binary quadratic forms. A binary quadratic form of discriminant is a polynomial with . We denote a binary quadratic form by . The group acts on the set of binary quadratic forms and preserves the discriminant. We shall always be assuming that our forms are positive definite, i.e. . Recall that a form is called primitive if , and a primitive form is called reduced if or . Reduced forms satisfy .

A fundamental fact, which goes back to Gauss, is that each equivalence class contains a unique reduced form (see Corollary 5.2.6 of [Coh95]). Given a form , denote by its equivalence class. Note that when is fixed, we can denote a class simply by . Efficient algorithms for composing forms and computing the reduced form can be found in [McC88, Page 9].
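The standard representation just described, as an added example that is not part of the paper: classes of discriminant D are named by their unique reduced form, the group law is composition followed by reduction (Cohen's Algorithms 5.4.7 and 5.4.2 from [Coh95]), and inversion is the free operation (a, b, c) ↦ (a, −b, c), which is exactly what the isogeny-graph representation is meant to make hard. The discriminants −23, −47 and −84 used below are constructed test values.

```python
"""Added example (not from the paper): CL(D) in the binary-quadratic-form
representation.  (a, b, c) is a x^2 + b x y + c y^2 with D = b^2 - 4ac < 0;
composition/reduction follow Cohen, Algorithms 5.4.7 and 5.4.2 ([Coh95])."""
from math import gcd

def disc(f):
    return f[1] * f[1] - 4 * f[0] * f[2]

def identity(D):
    """Principal form (1, 0, -D/4) or (1, 1, (1-D)/4): the identity of CL(D)."""
    b = D % 2
    return (1, b, (b * b - D) // 4)

def egcd(a, b):
    """Return (u, v, g) with u*a + v*b = g = gcd(a, b) >= 0."""
    u0, u1, v0, v1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        u0, u1 = u1, u0 - q * u1
        v0, v1 = v1, v0 - q * v1
    if a < 0:
        a, u0, v0 = -a, -u0, -v0
    return u0, v0, a

def reduce_form(a, b, c):
    """Reduce a positive definite form: result has |b| <= a <= c, and b >= 0
    whenever |b| == a or a == c.  Each step is a change of variables in SL_2(Z)."""
    while True:
        if not (-a < b <= a):
            r = b % (2 * a)              # x -> x - q*y brings b into (-a, a]
            if r > a:
                r -= 2 * a
            q = (b - r) // (2 * a)
            c -= (b + r) * q // 2        # (b + r) is even since b - r = 2aq
            b = r
        if a > c:
            a, b, c = c, -b, a           # (x, y) -> (-y, x) swaps a, c and negates b
            continue
        if a == c and b < 0:
            b = -b
        return (a, b, c)

def compose(f1, f2):
    """Class group law [f1]*[f2] (Cohen, Algorithm 5.4.7), returned reduced."""
    assert disc(f1) == disc(f2), "forms must share a discriminant"
    (a1, b1, c1), (a2, b2, c2) = f1, f2
    if a1 > a2:
        (a1, b1, c1), (a2, b2, c2) = (a2, b2, c2), (a1, b1, c1)
    s = (b1 + b2) // 2
    n = b2 - s
    if a2 % a1 == 0:
        y1, d = 0, a1
    else:
        y1, _, d = egcd(a2, a1)          # y1*a2 + v*a1 = d
    if s % d == 0:
        y2, x2, d1 = -1, 0, d
    else:
        u, v, d1 = egcd(s, d)            # u*s + v*d = d1
        x2, y2 = u, -v
    v1, v2 = a1 // d1, a2 // d1
    r = (y1 * y2 * n - x2 * c2) % v1
    a3, b3 = v1 * v2, b2 + 2 * v2 * r
    c3 = (c2 * d1 + r * (b2 + v2 * r)) // v1
    return reduce_form(a3, b3, c3)

def inverse(f):
    """Inversion in this representation is free: the opposite form (a, -b, c)."""
    a, b, c = f
    return reduce_form(a, -b, c)

def power(f, e):
    """[f]^e by square-and-multiply; negative e goes through inverse()."""
    if e < 0:
        f, e = inverse(f), -e
    result, base = identity(disc(f)), f
    while e:
        if e & 1:
            result = compose(result, base)
        base = compose(base, base)
        e >>= 1
    return result

def reduced_forms(D):
    """All primitive reduced forms of discriminant D < 0; their count is h(D)."""
    assert D < 0 and D % 4 in (0, 1)
    forms, a = [], 1
    while 3 * a * a <= -D:               # a reduced form has a <= sqrt(|D|/3)
        for b in range(-a + 1, a + 1):   # -a < b <= a
            if (b * b - D) % (4 * a) == 0:
                c = (b * b - D) // (4 * a)
                if c >= a and not (c == a and b < 0) and gcd(gcd(a, b), c) == 1:
                    forms.append((a, b, c))
        a += 1
    return forms

if __name__ == "__main__":
    g = (2, 1, 6)                        # constructed: a class of order 5 in CL(-47)
    print("h(-47) =", len(reduced_forms(-47)), " g^-1 =", inverse(g))
    print("g^k:", [power(g, k) for k in range(1, 6)])
```

Running it prints h(−47) = 5 and the five powers of g, ending at the principal form (1, 1, 12).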

##### Computing h(D) and solving discrete-log problem over CL(D).

The problem of computing the class number (namely, given the discriminant of an imaginary quadratic order, computing ) is only known to have polynomial-size witnesses under the Generalized Riemann Hypothesis (GRH) [McC88]. It follows from the existence of a polynomial-size generating set of the class group under GRH.

###### Lemma 2.1 ([Sch82] Corollary 6.2).

Let be an imaginary quadratic order of discriminant . Let be the prime with , and let . Assuming GRH there exists a constant such that the classes , generate where .

Let . Let be the set of primes s.t. . Let the corresponding reduced forms be . From Lemma 2.1 it follows that if then the map

$$\psi : \mathbb{Z}^{m} \to \mathrm{CL}(D), \qquad \mathbf{e} \mapsto \prod_{i \in [m]} C_i^{e_i}$$

is a surjective group homomorphism. Hence the kernel of is a sublattice of , and and . This kernel is also called the relation lattice.

###### Lemma 2.2 ([McC88, Hm89]).

Assuming GRH, there exists a Las Vegas algorithm that computes the invariants (a basis of , , and the group structure) of in an expected running time of , where .

Once we have the class group invariants, solving the discrete-log problem over takes time per instance [BD90].

### 2.2 Elliptic curves and their isogenies

In this section we will recall some background on elliptic curves and isogenies. All of this material is well-known and the main references for this section are [Koh96, Sil09, Sil13, Sut13a, Feo17].

Let be an elliptic curve defined over a finite field of characteristic with elements, given by its Weierstrass form where . By the Hasse bound we know that the order of the -rational points satisfies

$$-2\sqrt{q} \le \#E(k) - (q+1) \le 2\sqrt{q}.$$

Here, is the trace of the Frobenius endomorphism . Let us also recall that Schoof’s algorithm [Sch85] takes as inputs and , computes , and hence , in time .

The -invariant of is defined as

$$j(E) = 1728 \cdot \frac{4a^{3}}{4a^{3} + 27b^{2}}.$$

The values or are special and we will choose to avoid these two values throughout the paper. Two elliptic curves are isomorphic over the algebraic closure if and only if their -invariants are the same. Note that this isomorphism may not be defined over the base field , in which case the curves are called twists of each other. It will be convenient for us to use -invariants to represent isomorphism classes of elliptic curves (including their twists). In many cases, by abuse of notation, a -invariant will be identified with an elliptic curve over in the corresponding isomorphism class.

##### Isogenies.

An isogeny is a morphism of elliptic curves that preserves the identity. Every nonzero isogeny induces a surjective group homomorphism from to with a finite kernel. Elliptic curves related by a nonzero isogeny are said to be isogenous. By the Tate isogeny theorem [Tat66, pg.139] two elliptic curves and are isogenous over if and only if .

The degree of an isogeny is its degree as a rational map. An isogeny of degree is called an -isogeny. When , the kernel of an -isogeny has cardinality . Two isogenies and are considered equivalent if for isomorphisms and . Every -isogeny has a unique dual isogeny of the same degree such that , where is the multiplication by map. The kernel of the multiplication-by- map is the -torsion subgroup

$$E[\ell] = \{\, P \in E(\bar{k}) : \ell P = 0 \,\}.$$

When we have . For a prime , there are cyclic subgroups in of order , each corresponding to the kernel of an -isogeny from . An isogeny from is defined over if and only if its kernel subgroup is defined over (namely, for and , ; note that this does not imply ). If and or , then up to isomorphism the number of -isogenies from defined over is , or .

##### Modular polynomials.

Let , let denote the upper half plane and . Let be the classical modular function defined on . For any , the complex numbers and are the -invariants of elliptic curves defined over that are related by an isogeny whose kernel is a cyclic group of order . The minimal polynomial of the function over the field has coefficients that are polynomials in with integer coefficients. Replacing with a variable gives the modular polynomial , which is symmetric in and . It parameterizes pairs of elliptic curves over related by a cyclic -isogeny (an isogeny is said to be cyclic if its kernel is a cyclic group; when is a prime every -isogeny is cyclic). The modular equation is a canonical equation for the modular curve , where is the congruence subgroup of defined by

$$\Gamma_0(\ell) = \left\{ \begin{pmatrix} a & b \\ c & d \end{pmatrix} \in \mathrm{SL}_2(\mathbb{Z}) \;\middle|\; \begin{pmatrix} a & b \\ c & d \end{pmatrix} \equiv \begin{pmatrix} * & * \\ 0 & * \end{pmatrix} \pmod{\ell} \right\}.$$

The time and space required for computing the modular polynomial are polynomial in , cf. [E98, § 3] or [Coh95, Page 386]. In this article we will only use , so we might as well assume that the modular polynomials are computed ahead of time (the modular polynomials for are available at https://math.mit.edu/~drew/ClassicalModPolys.html). In reality the coefficients of over grow significantly with , so it is preferable to compute directly over using the improved algorithms of [CL05, BLS12], or even over using [Sut13b].

### 2.3 Isogeny volcanoes and the class groups

An isogeny from an elliptic curve to itself is called an endomorphism. Over a finite field , is isomorphic to an imaginary quadratic order when is ordinary, or an order in a definite quaternion algebra when is supersingular. In this paper we will be focusing on the ordinary case.

##### Isogeny graphs.

These are graphs capturing the relation of being -isogenous among elliptic curves over a finite field .

###### Definition 2.3 (ℓ-isogeny graph).

Fix a prime and a finite field such that . The -isogeny graph has vertex set . Two vertices have a directed edge (from to ) with multiplicity equal to the multiplicity of as a root of . The vertices of are -invariants and each edge corresponds to an (isomorphism class of an) -isogeny.

For , an edge occurs with the same multiplicity as and thus the subgraph of on can be viewed as an undirected graph. Every curve in the isogeny class of a supersingular curve is supersingular. Accordingly, has supersingular and ordinary components. The ordinary components of look like -volcanoes:

###### Definition 2.4 (ℓ-volcano).

Fix a prime . An -volcano is a connected undirected graph whose vertices are partitioned into one or more levels , …, such that the following hold:

1. The subgraph on (the surface, or the crater) is a regular graph of degree at most .

2. For , each vertex in has exactly one neighbor in level .

3. For , each vertex in has degree .

Let be an -isogeny of elliptic curves with endomorphism rings and respectively. Then, there are three possibilities for and :

• If , then is called horizontal,

• If , then is called descending,

• If , then is called ascending.

Let be an elliptic curve over whose endomorphism ring is isomorphic to an imaginary quadratic order . Then, the set

$$\mathrm{Ell}_{\mathcal{O}}(k) = \{\, j(E) \in k \mid E \text{ with } \mathrm{End}(E) \simeq \mathcal{O} \,\}$$

is naturally a -torsor as follows: For an invertible -ideal the -torsion subgroup

$$E[\mathfrak{a}] = \{\, P \in E(\bar{k}) : \alpha(P) = 0,\ \forall \alpha \in \mathfrak{a} \,\}$$

is the kernel of a separable isogeny . If the norm is not divisible by , then the degree of is . Moreover, if and are two invertible -ideals, then , and if is principal then is an isomorphism. This gives a faithful and transitive action of on .

Every horizontal -isogeny arises this way from the action of an invertible -ideal of norm . Let denote the fraction field of and be its ring of integers. If then no such ideal exists. Otherwise, is said to be maximal at and there are horizontal -isogenies.

###### Remark 2.5 (Linking ideals and horizontal isogenies).

When splits in we have . Fix an elliptic curve with ; the two horizontal isogenies and can be efficiently associated with the two ideals and when (cf. [Sch95]). To do so, factorize the characteristic polynomial of Frobenius as , where . Given an -isogeny from to , the eigenvalue (say ) corresponding to the eigenspace can be verified by picking a point and then checking whether modulo . If so, then corresponds to .

The following fundamental result of Kohel summarizes the above discussion and more.

###### Lemma 2.6 ([Koh96]).

Let be a prime. Let be an ordinary component of that does not contain or . Then is an -volcano for which the following hold:

1. The vertices in level all have the same endomorphism ring .

2. The subgraph on has degree , where .

3. If , then is the order of in ; otherwise .

4. The depth of is , where is the largest power of dividing , and for .

5. and for .

Let be the regular graph whose vertices are the elements of , and whose edges are the equivalence classes of horizontal isogenies defined over of prime degrees . The following result states that under suitable assumptions is an expander graph.

###### Lemma 2.7 ([Jmv05]).

Let and be a fixed constant. Let be such that . Assuming GRH, a random walk on will reach a subset of size with probability at least after many steps.

##### More about the endomorphism ring from a computational perspective.

Given an ordinary curve over , its endomorphism ring can be determined by first computing the trace of the Frobenius endomorphism , then computing , where is the discriminant of , , and . The discriminant of is then for some . When has only a few small factors, determining the endomorphism ring can be done in time polynomial in [Koh96]. In general it can take up to subexponential time in under GRH [BS11, Bis11].

Let be an imaginary quadratic order of discriminant . Let be the Hilbert class polynomial defined by

$$H_D(x) = \prod_{j(E) \in \mathrm{Ell}_{\mathcal{O}}(\mathbb{C})} \big( x - j(E) \big).$$

has integer coefficients and is of degree . Furthermore, it takes bits of storage. Under GRH, computing mod takes time and space [Sut11a]. In practice this is only feasible for small , since storing takes a substantial amount of space. Over , [Sut11a] is able to compute for and . Over , [Sut12] is able to compute for with .

## 3 Isogeny volcanoes over composite moduli

Let be distinct primes and set . We will be using elliptic curves over the ring . We will not be needing a formal treatment of elliptic curves over rings as such a discussion would take us too far afield. Instead, we will be defining objects and quantities over by taking the of the corresponding ones over and , which will suffice for our purposes. This follows the treatment given in [Len87].

Since the underlying rings will matter, we will denote an elliptic curve over a ring by . If is clear from the context we shall omit it from the notation. To begin, let us remark that the number of points is equal to , and the -invariant of is .

### 3.1 Isogeny graphs over Z/NZ

Let be as above. For every prime the isogeny graph can be defined naturally as the graph tensor product of and .

###### Definition 3.1 (ℓ-isogeny graph over Z/NZ).

Let , , and be distinct primes and let . The -isogeny graph has

• The vertex set of is , identified with by ,

• Two vertices and are connected if and only if is connected to in and is connected to in .

Let us make a remark for future consideration. In the construction of groups with infeasible inversion, we will be working with special subgraphs of , where the vertices over and correspond to -invariants of curves whose endomorphism rings are the same imaginary quadratic order . Nevertheless, this is a choice we made for convenience, and it does not hurt to define the computational problems over the largest possible graph and to study them first.

### 3.2 The ℓ-isogenous neighbors problem over Z/NZ

###### Definition 3.2 (The ℓ-isogenous neighbors problem).

Let be two distinct primes and let . Let be a polynomially large prime s.t. . The input of the -isogenous neighbor problem is and an integer such that there exists (possibly more than) one integer such that over . The problem asks to find such integer(s) .

The following theorem shows that the problem of finding all of the -isogenous neighbors is at least as hard as factoring .

###### Theorem 3.3.

If there is a probabilistic polynomial time algorithm that finds all the -isogenous neighbors in Problem 3.2, then there is a probabilistic polynomial time algorithm that solves the integer factorization problem.

The idea behind the reduction is as follows. Suppose it is efficient to pick a curve over (the choice of over , obviously, does not matter) such that the vertex has at least two distinct neighbors. If we are able to find all the integer solutions such that over , then there exist two distinct integers and among the solutions such that . One can also show that finding one of the integer solutions is hard, using a probabilistic argument, assuming the underlying algorithm outputs a random solution when there are multiple ones.
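The graph of Definition 3.1 and the reduction idea of Theorem 3.3 on a toy instance, as an added example that is not part of the paper: with the classical modular polynomial Φ_2 and constructed primes p = 101, q = 103, the 2-isogenous neighbors of a CRT-composed j-invariant over Z/NZ are the CRT compositions of its neighbors mod p and mod q, and the gcd of N with the difference of two such neighbors is a nontrivial factor of N. Roots of Φ_2(j, X) mod p are found by brute force, which is only possible because the primes are tiny; the vertex is chosen (avoiding j = 0, 1728) so that it has at least two distinct neighbors mod each prime.

```python
"""Added example (not from the paper): 2-isogenous neighbors over Z/NZ, N = p*q,
and the idea of Theorem 3.3: knowing *all* neighbors of one vertex reveals a
factor of N.  Toy primes are used so roots mod p can be found by brute force."""
from math import gcd

def phi2(x, y, m):
    """Classical modular polynomial Phi_2(X, Y) mod m; it vanishes exactly on
    pairs of j-invariants related by a 2-isogeny."""
    return (x**3 + y**3 - x*x*y*y
            + 1488 * (x*x*y + x*y*y)
            - 162000 * (x*x + y*y)
            + 40773375 * x*y
            + 8748000000 * (x + y)
            - 157464000000000) % m

def neighbors_mod_p(j, p):
    """Distinct roots of Phi_2(j, X) in F_p: the j-invariants 2-isogenous to j
    over F_p.  Brute force over F_p, fine for the tiny primes used here."""
    return sorted(x for x in range(p) if phi2(j, x, p) == 0)

def crt(rp, p, rq, q):
    """The residue mod p*q that is rp mod p and rq mod q (p, q distinct primes)."""
    return (rp + p * (((rq - rp) * pow(p, -1, q)) % q)) % (p * q)

def neighbors_mod_N(jp, p, jq, q):
    """Neighbors of CRT(jp, jq) in the graph over Z/NZ of Definition 3.1: every
    CRT composition of a neighbor mod p with a neighbor mod q."""
    return sorted(crt(rp, p, rq, q)
                  for rp in neighbors_mod_p(jp, p)
                  for rq in neighbors_mod_p(jq, q))

def factor_from_neighbors(N, neighbors):
    """Two neighbors that agree mod one prime but differ mod the other have a
    difference whose gcd with N is that prime (the step used in Theorem 3.3)."""
    for i, x in enumerate(neighbors):
        for y in neighbors[i + 1:]:
            g = gcd(x - y, N)
            if 1 < g < N:
                return g
    return None

def branching_j(p):
    """Smallest j in F_p, avoiding 0 and 1728, with >= 2 distinct 2-isogenous
    neighbors (a curve with full rational 2-torsion has three rational ones)."""
    for j in range(p):
        if j not in (0, 1728 % p) and len(neighbors_mod_p(j, p)) >= 2:
            return j
    raise ValueError("no branching vertex found")

def demo(p=101, q=103):
    """Constructed instance: N = p*q, a composed j-invariant, all its neighbors
    over Z/NZ, and the factor of N recovered from two of them."""
    N = p * q
    jp, jq = branching_j(p), branching_j(q)
    jN = crt(jp, p, jq, q)
    nbrs = neighbors_mod_N(jp, p, jq, q)
    assert all(phi2(jN, x, N) == 0 for x in nbrs)   # they really are neighbors mod N
    return N, jN, nbrs, factor_from_neighbors(N, nbrs)

if __name__ == "__main__":
    N, jN, nbrs, f = demo()
    print("N =", N, "j =", jN, "neighbors over Z/NZ:", nbrs, "-> factor", f)
```

The sanity checks on j = 0 and j = 1728 (whose 2-isogenous neighbors are 54000 and {1728, 287496} over the complex numbers) carry over mod p because Φ_2(j, X) is monic in X.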

In the reduction we pick the elliptic curve randomly, so we have to make sure that for a non-negligible fraction of the elliptic curves over , has at least two neighbors. The estimate for this relies on the following lemma:

###### Lemma 3.4 ([Len87] (1.9)).

There exists an efficiently computable positive constant such that for each prime number , for a set of integers , we have

$$\#'\{\, E \mid E \text{ is an elliptic curve over } \mathbb{F}_p,\ \#E(\mathbb{F}_p) \in S \,\}/\simeq_{\mathbb{F}_p} \;\ge\; c\,(\#S - 2)\,\frac{\sqrt{p}}{\log p}.$$

where denotes the number of isomorphism classes of elliptic curves over , each counted with weight .

###### Theorem 3.5.

Let be primes such that . Then, there exists a constant such that the probability that a random elliptic curve over (i.e. a random pair such that ) has at least two neighbors is .

###### Proof of Theorem 3.5.

We first give a lower bound on the number of ordinary elliptic curves over whose endomorphism ring has discriminant such that . If for some pair of there are not enough elliptic curves over with two horizontal -isogenies then we count the elliptic curves with vertical -isogenies.

 (2)

where the last two equations follow from the identity (derived from Theorem 19 in http://www.imomath.com/index.php?options=328&lmm=0). Hence for or and , no less than of the satisfy .

We now estimate the number of elliptic curves over whose discriminant of the endomorphism ring satisfies . To do so we set , and use Lemma 3.4 by choosing the set as

 S={s ∣∣∣((p+1−s)