
Proving knowledge of isogenies: a survey

Abstract

Isogeny-based cryptography is an active area of research in post-quantum public key cryptography. The problem of proving knowledge of an isogeny is a natural problem that has several applications in isogeny-based cryptography, such as allowing users to demonstrate that they are behaving honestly in a protocol. It is also related to isogeny-based digital signatures. Over the last few years, there have been a number of advances in this area, but there are still many open problems. This paper aims to give an overview of the topic and highlight some open problems and directions for future research.


Notes

  1. The structure of a class group can be computed in quantum polynomial time, so this protocol could be used with large class groups if anyone with access to a quantum computer is willing to compute a class group and publish the result (which can be verified efficiently with classical algorithms). However, unlike SeaSign, the asymptotic performance is not thought to be polynomial time.

  2. All the results generalize to the more general case where the class group is not necessarily cyclic.

  3. Such a commitment scheme can be easily instantiated as \(\textsf{C}(m;r) = H(m \Vert r)\), where \(H\) is a hash function and \(r\) is a sufficiently long random string.

  4. Additionally, both isogenies can in fact be mapped to the same “canonical” one (for example, using LLL to compute a minimal norm ideal in the ideal class, followed if needed by some deterministic version of KLPT to get a powersmooth norm ideal).

  5. A similar approach in the case of graph isomorphism would provide the extractor with an automorphism of one graph. This does not immediately solve the graph isomorphism problem.
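The hash-based commitment of note 3, \(\textsf{C}(m;r) = H(m \Vert r)\), written out as an added example (this is not code from the paper). It assumes SHA-256 as \(H\) and a fixed 32-byte \(r\) (the "sufficiently long" randomness); because \(r\) has fixed length, the concatenation \(m \Vert r\) parses unambiguously, which is what makes the commitment binding under collision resistance of \(H\), while the high-entropy \(r\) is what makes it hiding. The names `commit`, `open_check` and `R_LEN` are this example's own.

```python
import hashlib
import secrets
from typing import Optional, Tuple

# Assumption: 32 random bytes (256 bits) is "sufficiently long" for the
# commitment to be hiding; a short r would let a verifier brute-force it.
R_LEN = 32


def commit(m: bytes, r: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (c, r) with c = H(m || r), H = SHA-256.

    If no randomness is supplied, fresh CSPRNG bytes are drawn. Because r
    always has exactly R_LEN bytes, m || r cannot be re-split into a
    different (m', r') pair, so a binding break needs a hash collision.
    """
    if r is None:
        r = secrets.token_bytes(R_LEN)
    if len(r) != R_LEN:
        raise ValueError("commitment randomness must be exactly R_LEN bytes")
    return hashlib.sha256(m + r).digest(), r


def open_check(c: bytes, m: bytes, r: bytes) -> bool:
    """Verify an opening (m, r) of commitment c.

    Constant-time comparison so the verifier's timing does not leak how
    many leading bytes of a wrong opening matched.
    """
    if len(r) != R_LEN:
        return False
    return secrets.compare_digest(hashlib.sha256(m + r).digest(), c)


if __name__ == "__main__":
    # Constructed sample: the prover commits to a curve identifier
    # (here just a byte string standing in for a j-invariant) and later
    # opens it; the verifier accepts the honest opening only.
    message = b"j-invariant of E_1 (constructed sample)"
    c, r = commit(message)
    print("commitment:", c.hex())
    print("honest opening accepted:", open_check(c, message, r))
    print("wrong message rejected:", not open_check(c, b"j-invariant of E_2", r))
```

In a sigma protocol the prover sends `c` in the first move and reveals `(m, r)` only for the challenge that requires it; the verifier recomputes the hash with `open_check`. The length check in `commit` is deliberate: a commitment scheme that silently accepts a short or empty `r` loses the hiding property the note relies on.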


Acknowledgements

Steven Galbraith is funded by NZ Government MBIE Catalyst Fund UOAX1933. Ward Beullens holds a Junior Post-Doctoral fellowship 1S95620N from the Research Foundation Flanders (FWO). Christophe Petit was supported by EPSRC award EP/V011324/1.

Author information

Correspondence to Steven D. Galbraith.


This is one of several papers published in Designs, Codes and Cryptography comprising the “Special Issue: Mathematics of Zero Knowledge”.


Cite this article

Beullens, W., De Feo, L., Galbraith, S.D. et al. Proving knowledge of isogenies: a survey. Des. Codes Cryptogr. 91, 3425–3456 (2023). https://doi.org/10.1007/s10623-023-01243-3
