1 Introduction

This paper is primarily concerned with the Decisional Diffie–Hellman problem (DDH) for ideal class groups acting on oriented elliptic curves through isogenies. In order to state this problem precisely, we fix an order \({\mathcal {O}}\) in an imaginary quadratic number field K along with an algebraically closed field k. A (primitive) \({\mathcal {O}}\)-orientation on an elliptic curve E over k is an injective ring homomorphism \(\iota : {\mathcal {O}}\hookrightarrow {{\,\textrm{End}\,}}(E)\) that cannot be extended to a superorder \({\mathcal {O}}' \supsetneq {\mathcal {O}}\) in K. The set

$$\begin{aligned} {\mathcal {E}}\ell \ell _{{\mathcal {O}}}(k) = \{ \, (E, \iota ) \, | \, \text {$E$ an elliptic curve over $k$ and $\iota $ an ${\mathcal {O}}$-orientation on $E$} \, \} / \cong , \end{aligned}$$

if non-empty, comes equipped with a free action

$$\begin{aligned} {{\,\textrm{cl}\,}}({\mathcal {O}}) \times {\mathcal {E}}\ell \ell _{{\mathcal {O}}}(k) \longrightarrow {\mathcal {E}}\ell \ell _{{\mathcal {O}}}(k) : ([{\mathfrak {a}}], (E, \iota )) \longmapsto [{\mathfrak {a}}](E, \iota ) \end{aligned}$$
(1)

by the ideal class group of \({\mathcal {O}}\), see Sect. 2 for details (including what it means for two \({\mathcal {O}}\)-oriented elliptic curves \((E, \iota )\) and \((E',\iota ')\) to be isomorphic). Now assume that a party, say Eve, has unlimited access to samples from \({\mathcal {E}}\ell \ell _{\mathcal {O}}(k)^3\) that are consistently of either of the following two forms:

$$\begin{aligned} \begin{array}{lll} \big ( \, [{\mathfrak {a}}](E, \iota ), \, [{\mathfrak {b}}](E, \iota ), \, [{\mathfrak {a}}][{\mathfrak {b}}](E, \iota ) \, \big ) &{} &{} [{\mathfrak {a}}], [{\mathfrak {b}}] {\mathop {\leftarrow }\limits ^{\$}} {{\,\textrm{cl}\,}}({\mathcal {O}}), \\ \big ( \, [{\mathfrak {a}}](E, \iota ), \, [{\mathfrak {b}}](E, \iota ), \, [{\mathfrak {c}}](E, \iota ) \, \big ) &{} &{} [{\mathfrak {a}}], [{\mathfrak {b}}], [{\mathfrak {c}}] {\mathop {\leftarrow }\limits ^{\$}} {{\,\textrm{cl}\,}}({\mathcal {O}}), \\ \end{array} \end{aligned}$$

for some fixed and publicly known \((E, \iota )\). Then Eve successfully solves DDH if she can guess, with non-negligible advantage, from which of these two distributions her triples were sampled.

The hardness of the decisional Diffie–Hellman problem is a natural security foundation for cryptographic constructions based on ideal class group actions, which trace back to the works of Couveignes [11] and Rostovtsev–Stolbunov [24, 28] and which have attracted much attention lately, in the context of post-quantum cryptography. Here, one lets k be an algebraic closure of a finite field, in which case all curves in \({\mathcal {E}}\ell \ell _{\mathcal {O}}(k)\) can be defined over a common finite subfield \(F \subseteq k\). While the initial focus was on ordinary elliptic curves, whose orientations \(\iota \) are just ring isomorphisms, most of the latest work is concerned with supersingular elliptic curves, whose endomorphism rings are orders in a quaternion algebra and therefore leave room for a wide range of orientations. Here, we highlight supersingular elliptic curves defined over a finite prime field \({\mathbb {F}}_p\), which are naturally oriented by an order in \({\mathbb {Q}}(\sqrt{-p})\). The corresponding ideal class group actions underpin CSIDH [6] and spin-offs such as [1, 2, 15, 20], and tend to yield more practical cryptosystems than in the ordinary case. More generally oriented supersingular elliptic curves made their first cryptographic appearance in the OSIDH protocol due to Colò and Kohel [10]. To date, this protocol remains largely theoretical, but it has attracted a good amount of recent interest, see e.g., [13, 22, 31].

Our paper revisits the recent work [8], which presents an efficient solution to DDH for essentially all ordinary elliptic curves over finite fields whose endomorphism ring has an even class number. In more detail, as soon as there exists a non-trivial assigned character \(\chi : {{\,\textrm{cl}\,}}({\mathcal {O}}) \rightarrow \{ \pm 1 \}\) of sufficiently small modulus m, the attack from [8] allows Eve to compute \(\chi ([{\mathfrak {a}}])\) merely from the knowledge of \((E, \iota )\) and \((E', \iota ') = [{\mathfrak {a}}](E, \iota )\), i.e., without knowing \([{\mathfrak {a}}]\) itself. This indeed suffices to break DDH, since it allows her to check whether \(\chi ([{\mathfrak {c}}]) = \chi ([{\mathfrak {a}}])\chi ([{\mathfrak {b}}])\), which is true for \([{\mathfrak {c}}] = [{\mathfrak {a}}][{\mathfrak {b}}]\), but for uniformly random \([{\mathfrak {c}}]\) it fails with probability 1/2.

Unfortunately, the method from [8] is specific to ordinary curves: the attack proceeds by extending the base field and navigating to the floors of the m-isogeny volcanoes of \((E, \iota )\) and \((E', \iota ')\), with the goal of enforcing non-trivial cyclic rational \(m^\infty \)-torsion, and then recovering the character value using two Tate pairing computations. Beyond ordinary curves, it is generally impossible to make the rational \(m^\infty \)-torsion cyclic by means of an isogeny walk, so this strategy fails. For supersingular elliptic curves over \({\mathbb {F}}_p\) with \(p \equiv 1 \bmod 4\) equipped with their natural \({\mathbb {Z}}[\sqrt{-p}]\)-orientation, where it suffices to consider the assigned character of modulus \(m = 4\), an ad-hoc fix was given in [8, Thm. 10], but it is unclear how this fix would generalize.

1.1 Contribution

We give an alternative method for computing assigned character values \(\chi ([{\mathfrak {a}}])\) purely from \((E, \iota )\) and \((E', \iota ') = [{\mathfrak {a}}](E, \iota )\), using the Weil pairing rather than the Tate pairing. Our approach deals with arbitrary orientations and works over arbitrary fields. Moreover, it simplifies and often speeds up the attack from [8] in the case of ordinary elliptic curves over finite fields, as it avoids the need for navigating through isogeny volcanoes. It also naturally incorporates the previously ad-hoc case of supersingular elliptic curves over prime fields.

The main result is easy enough to be stated right away; we recall that for an odd prime divisor \(m \mid {{\,\textrm{disc}\,}}({\mathcal {O}})\), the assigned character of modulus m is defined as

$$\begin{aligned} \chi _m : {{\,\textrm{cl}\,}}({\mathcal {O}}) \rightarrow \{ \pm 1 \} : [{\mathfrak {a}}] \mapsto \left( \frac{N({\mathfrak {a}})}{m} \right) \end{aligned}$$
(2)

where it is assumed that \([{\mathfrak {a}}]\) is represented by an ideal \({\mathfrak {a}}\) of norm coprime to m (see our conventions further down) and \(\left( \frac{\cdot }{m} \right) \) is the Legendre symbol.

Theorem 1

Let \({\mathcal {O}}\) be an imaginary quadratic order and let \((E, \iota ), (E', \iota ')\) be \({\mathcal {O}}\)-oriented elliptic curves connected by an ideal class \([{\mathfrak {a}}] \in {{\,\textrm{cl}\,}}({\mathcal {O}})\). Let \(m \mid {{\,\textrm{disc}\,}}({\mathcal {O}})\) be an odd prime divisor different from \({{\,\textrm{char}\,}}k\) and consider the assigned character \(\chi _m : {{\,\textrm{cl}\,}}({\mathcal {O}}) \rightarrow \{ \pm 1\}\) of modulus m. Then \({\mathcal {O}}\) admits a generator \(\sigma \) (i.e. \({\mathcal {O}}= {\mathbb {Z}}[\sigma ]\)) of norm coprime to m, and for any such \(\sigma \) there exist points \(P \in E[m]\), \(P' \in E'[m]\) such that \(\iota (\sigma )(P)\) is not a multiple of P, and likewise for \(P'\). Moreover

$$\begin{aligned} \chi _m([{\mathfrak {a}}]) = \left( \frac{a}{m} \right) \end{aligned}$$

with \(a = \log _{e_m(P,\iota (\sigma )(P))}e_m(P',\iota '(\sigma )(P'))\), regardless of the choice of such \(\sigma , P, P'\).

The condition that \(\sigma \) be a generator of \({\mathcal {O}}\) can be relaxed to \(\sigma \in {\mathcal {O}}\setminus ( {\mathbb {Z}}+ m{\mathcal {O}})\). A proof of Theorem 1, along with its adaptations covering assigned characters with even modulus, can be found in Sect. 3. Since these results apply to arbitrary fields, they may be of independent theoretical interest.

1.2 Applications and implications

From a cryptographic viewpoint, the most important consequence is that DDH should be considered broken by classical computers for essentially all elliptic curves over finite fields that are oriented by an imaginary quadratic order \({\mathcal {O}}\) with even class number; see Sect. 4 for a more in-depth discussion.

As a more surprising application, we prove in Sect. 5 that the new method allows us to significantly improve reductions between computational problems underlying isogeny-based cryptography. On one hand, we have the problem of computing endomorphism rings of supersingular elliptic curves. It is of foundational importance to the field, as its presumed hardness is necessary for the security of essentially all isogeny-based cryptosystems [7, 16, 17]. Oriented versions of this Endomorphism Ring Problem were introduced in [31]. On the other hand, many cryptosystems relate directly to the presumably hard inversion problem for the action of the class group \({{\,\textrm{cl}\,}}({\mathcal {O}})\) on oriented supersingular curves: the Vectorization Problem. It was proved in [31] that the vectorization problem reduces to the endomorphism ring problem in polynomial time in the length of the instance and in \(\# ({{\,\textrm{cl}\,}}({\mathcal {O}})[2])\). Unfortunately, the dependence on \(\# ({{\,\textrm{cl}\,}}({\mathcal {O}})[2])\) means that the reduction is, in the worst case, exponential in the size of the input, since \(\#({{\,\textrm{cl}\,}}({\mathcal {O}})[2])\) could be as large as \(D^{1/\log \log D}\), where \(D = |{{\,\textrm{disc}\,}}({\mathcal {O}})|\). We improve this result, by proving in Sect. 5 that there is a reduction from the vectorization problem to the endomorphism ring problem that, in the worst case, is sub-exponential in the length of the input.

1.3 Conventions

Throughout, all ideal classes \([{\mathfrak {a}}] \in {{\,\textrm{cl}\,}}({\mathcal {O}})\) are assumed to be represented by an ideal \({\mathfrak {a}}\) of norm coprime to \(p {{\,\textrm{disc}\,}}({\mathcal {O}})\), where \(p = \max \{ 1, {{\,\textrm{char}\,}}k \}\). Such a representative always exists, see e.g., [12, Cor. 7.17]. For an \({\mathcal {O}}\)-oriented elliptic curve \((E, \iota )\) and a point \(P \in E\), we will sometimes write \(\sigma (P)\) instead of \(\iota (\sigma )(P)\) if \(\iota \) is clear from the context. Likewise, for \([{\mathfrak {a}}] \in {{\,\textrm{cl}\,}}({\mathcal {O}})\) we will sometimes write \([{\mathfrak {a}}]E\) for the first component of \([{\mathfrak {a}}](E, \iota )\).

1.4 Paper organization

Section 2 provides background: it gives the full list of assigned characters of an imaginary quadratic order and it recalls how its ideal class group acts on oriented elliptic curves. Our main Sect. 3 contains a proof of Theorem 1, as well as statements and proofs for the even-modulus counterparts. Section 4 discusses the algorithmic aspects of these results, along with their implications for the decisional Diffie–Hellman problem. Finally, in Sect. 5 we present our improved reduction from the vectorization problem for oriented elliptic curves to the endomorphism ring problem.

2 Background

2.1 Assigned characters

The following is a very brief summary of the relevant parts of [12, I., p. 3 & II., p. 7], to which we refer for more details. From genus theory, we know that each order \({\mathcal {O}}\) in an imaginary quadratic field comes equipped with an explicit list of group homomorphisms \({{\,\textrm{cl}\,}}({\mathcal {O}}) \rightarrow \{ \pm 1\}\), called the assigned characters, whose joint kernel is \({{\,\textrm{cl}\,}}({\mathcal {O}})^2\). Writing

$$\begin{aligned} {{\,\textrm{disc}\,}}({\mathcal {O}}) = -2^f d = -2^f m_1^{f_1} m_2^{f_2} \cdots m_r^{f_r} \end{aligned}$$

for distinct odd prime numbers \(m_1, \ldots , m_r\) and exponents \(f \ge 0\), \(f_1, \ldots , f_r \ge 1\), this list consists of

$$\begin{aligned} \begin{array}{ll} \chi _{m_1}, \ldots , \chi _{m_r} &{} \text {if } f = 0, \\ \chi _{m_1}, \ldots , \chi _{m_r}, \delta &{} \text {if } f = 2 \text { and } d \equiv 1 \bmod 4, \\ \chi _{m_1}, \ldots , \chi _{m_r} &{} \text {if } f = 2 \text { and } d \equiv 3 \bmod 4, \\ \chi _{m_1}, \ldots , \chi _{m_r}, \delta \epsilon &{} \text {if } f = 3 \text { and } d \equiv 1 \bmod 4, \\ \chi _{m_1}, \ldots , \chi _{m_r}, \epsilon &{} \text {if } f = 3 \text { and } d \equiv 3 \bmod 4, \\ \chi _{m_1}, \ldots , \chi _{m_r}, \delta &{} \text {if } f = 4, \\ \chi _{m_1}, \ldots , \chi _{m_r}, \delta , \epsilon &{} \text {if } f \ge 5 . \\ \end{array} \end{aligned}$$

Here \(\chi _{m_i}\) is defined as in (2) and

$$\begin{aligned} \delta : {{\,\textrm{cl}\,}}({\mathcal {O}}) \rightarrow \{\pm 1\} : [{\mathfrak {a}}] \mapsto (-1)^{\frac{N({\mathfrak {a}}) - 1}{2}}, \quad \epsilon : {{\,\textrm{cl}\,}}({\mathcal {O}}) \rightarrow \{\pm 1\} : [{\mathfrak {a}}] \mapsto (-1)^{\frac{N({\mathfrak {a}})^2 - 1}{8}}. \end{aligned}$$

Observe that \(\delta \epsilon \) can be described in one go as

$$\begin{aligned} \delta \epsilon : {{\,\textrm{cl}\,}}({\mathcal {O}}) \rightarrow \{ \pm 1 \} : [{\mathfrak {a}}] \mapsto (-1)^{\frac{(N({\mathfrak {a}}) + 2)^2 - 9}{8}}, \end{aligned}$$

We write \(\mu \in \{r, r+1, r+2\}\) for the total number of assigned characters.

Because the joint kernel is \({{\,\textrm{cl}\,}}({\mathcal {O}})^2\), any character of \({{\,\textrm{cl}\,}}({\mathcal {O}})\) whose order divides 2 can be written as a product of pairwise distinct assigned characters. As it turns out, there is a unique non-trivial combination that produces the trivial character:

$$\begin{aligned} \chi _{m_1}^{f_1 \bmod 2} \chi _{m_2}^{f_2 \bmod 2} \cdots \chi _{m_r}^{f_r \bmod 2} \delta ^{\frac{d+1}{2} \bmod 2} \epsilon ^{f \bmod 2} = 1. \end{aligned}$$
(3)

Therefore, by combining assigned characters we obtain \(2^{\mu - 1}\) distinct characters. Necessarily, this quantity equals the cardinality of \({{\,\textrm{cl}\,}}({\mathcal {O}}) / {{\,\textrm{cl}\,}}({\mathcal {O}})^2 \cong {{\,\textrm{cl}\,}}({\mathcal {O}})[2]\).

Example 1

For a prime number \(p \equiv 1 \bmod 4\), the ring \({\mathbb {Z}}[\sqrt{-p}]\) has two assigned characters: \(\delta \) and \(\chi _p\). By (3) these are in fact equal to each other, and non-trivial. If \(p \equiv 3 \bmod 4\) then \({\mathbb {Z}}[\sqrt{-p}]\) has only one assigned character, namely \(\chi _p\), and it is trivial.

We often make reference to the modulus m of an assigned character \(\chi \), which is an important complexity parameter for our attack. This is simply defined to be

$$\begin{aligned} \left\{ \begin{array}{ll} m_i &{} \text {if } \chi = \chi _{m_i}, \\ 4 &{} \text {if } \chi = \delta , \\ 8 &{} \text {if } \chi = \epsilon , \delta \epsilon . \\ \end{array} \right. \end{aligned}$$

Note that \(\chi ([{\mathfrak {a}}]) = \chi ([{\mathfrak {a}}'])\) as soon as \(N({\mathfrak {a}}) \equiv N({\mathfrak {a}}') \bmod m\). Typically m is the smallest positive integer with this property, but not always (e.g., as in the case of \(m_i = p\) in both examples above).
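As an added illustration (not part of the paper), the bookkeeping above can be checked computationally on small discriminants via the classical correspondence between \({{\,\textrm{cl}\,}}({\mathcal {O}})\) and primitive reduced binary quadratic forms \((a,b,c)\) of discriminant \({{\,\textrm{disc}\,}}({\mathcal {O}})\), under which the class of \((a,b,c)\) corresponds to the class of the ideal \([a, (-b+\sqrt{{{\,\textrm{disc}\,}}({\mathcal {O}})})/2]\) and the integers represented by the form are the norms of the ideals in that class. The script below enumerates the reduced forms, reads off the assigned characters from the table above, evaluates them on a represented integer coprime to \(2\,{{\,\textrm{disc}\,}}({\mathcal {O}})\) for each class, verifies relation (3), and checks that the number of genera equals \(2^{\mu - 1} = \#{{\,\textrm{cl}\,}}({\mathcal {O}})[2]\), the latter counted as the number of reduced forms that are their own inverse (\(b = 0\), \(b = a\) or \(a = c\)). The discriminants in the usage line are chosen for this example.

```python
"""Genus theory of an imaginary quadratic order, checked on reduced forms (added example)."""
from math import gcd


def legendre(n, m):
    """Legendre symbol (n/m) in {+1, -1}, for an odd prime m and gcd(n, m) = 1."""
    return 1 if pow(n % m, (m - 1) // 2, m) == 1 else -1


def factor_disc(D):
    """Write D = -2^f * m_1^f_1 ... m_r^f_r; return (f, d, [(m_i, f_i)]) with d = -D / 2^f."""
    n, f = -D, 0
    while n % 2 == 0:
        n //= 2
        f += 1
    d, odd, q = n, [], 3
    while q * q <= n:
        e = 0
        while n % q == 0:
            n //= q
            e += 1
        if e:
            odd.append((q, e))
        q += 2
    if n > 1:
        odd.append((n, 1))
    return f, d, odd


def assigned_characters(D):
    """Names of the assigned characters of the order of discriminant D (table of Sect. 2.1)."""
    f, d, odd = factor_disc(D)
    chars = ["chi_%d" % m for m, _ in odd]
    if f == 2 and d % 4 == 1:
        chars.append("delta")
    elif f == 3:
        chars.append("delta*epsilon" if d % 4 == 1 else "epsilon")
    elif f == 4:
        chars.append("delta")
    elif f >= 5:
        chars += ["delta", "epsilon"]
    return chars


def char_value(name, n):
    """Value of the named assigned character on an ideal of norm n, gcd(n, 2D) = 1."""
    if name == "delta":
        return (-1) ** ((n - 1) // 2)
    if name == "epsilon":
        return (-1) ** ((n * n - 1) // 8)
    if name == "delta*epsilon":
        return (-1) ** (((n + 2) ** 2 - 9) // 8)
    return legendre(n, int(name[4:]))


def reduced_forms(D):
    """Primitive reduced forms (a, b, c) of discriminant D < 0: one per class in cl(O)."""
    forms, a = [], 1
    while 3 * a * a <= -D:
        for b in range(-a + 1, a + 1):          # |b| <= a, with b >= 0 if |b| = a
            if (b * b - D) % (4 * a):
                continue
            c = (b * b - D) // (4 * a)
            if c < a or (a == c and b < 0):     # a <= c, with b >= 0 if a = c
                continue
            if gcd(gcd(a, abs(b)), c) == 1:     # primitive forms only
                forms.append((a, b, c))
        a += 1
    return forms


def represented_coprime(form, D):
    """A small integer represented by the form and coprime to 2D (a norm in the class)."""
    a, b, c = form
    for s in range(1, 50):
        for x in range(s + 1):
            y = s - x
            n = a * x * x + b * x * y + c * y * y
            if gcd(n, 2 * D) == 1:
                return n
    raise ValueError("no small coprime value found")


def relation_holds(D):
    """Relation (3), evaluated on a representative norm of every class of cl(O)."""
    f, d, odd = factor_disc(D)
    for form in reduced_forms(D):
        n, prod = represented_coprime(form, D), 1
        for m, e in odd:
            if e % 2:
                prod *= legendre(n, m)
        if ((d + 1) // 2) % 2:
            prod *= char_value("delta", n)
        if f % 2:
            prod *= char_value("epsilon", n)
        if prod != 1:
            return False
    return True


def genera(D):
    """Distinct vectors of assigned-character values over the classes (2^(mu-1) of them)."""
    chars = assigned_characters(D)
    return {tuple(char_value(ch, represented_coprime(F, D)) for ch in chars)
            for F in reduced_forms(D)}


def two_torsion_size(D):
    """#cl(O)[2]: the reduced forms that are their own inverse (b = 0, b = a or a = c)."""
    return sum(1 for a, b, c in reduced_forms(D) if b == 0 or b == a or a == c)


if __name__ == "__main__":
    for D in (-4, -8, -12, -20, -23, -24, -32, -56, -80, -84):   # sample discriminants chosen here
        print(D, assigned_characters(D), "h =", len(reduced_forms(D)), "genera =", len(genera(D)),
              "#cl[2] =", two_torsion_size(D), "relation (3) holds:", relation_holds(D))
```

For \(D = -20\) (Example 1 with \(p = 5\)) the script lists the characters \(\chi _5, \delta \) and finds two classes, \((1,0,5)\) and \((2,2,3)\), on which \(\chi _5\) and \(\delta \) agree, as relation (3) predicts; for \(D = -12\) only \(\chi _3\) remains and it is trivial on the single class.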

2.2 Class group action

We now recall how the ideal class group of \({\mathcal {O}}\) acts on \({\mathcal {E}}\ell \ell _{{\mathcal {O}}}(k)\). This is part of the theory of complex multiplication, which is classical for \(k = {\mathbb {C}}\), while for k an algebraic closure of a finite field this was elaborated in [30, pp. 3.9–12]; see also [22] for the specifics of the supersingular case. For arbitrary k, we refer to Milne’s course notes [21, p. 7].

If \(\iota \) is an \({\mathcal {O}}\)-orientation on an elliptic curve E over k, then we can linearly extend it to a map \(K \hookrightarrow {{\,\textrm{End}\,}}^0(E)\), where \({{\,\textrm{End}\,}}^0(E) = {{\,\textrm{End}\,}}(E) \otimes _{\mathbb {Z}}{\mathbb {Q}}\) denotes the endomorphism algebra. To each isogeny \(\varphi : E \rightarrow E'\) we can naturally attach an embedding

$$\begin{aligned} \iota _{\mathbb {Q}}: K \hookrightarrow {{\,\textrm{End}\,}}^0(E') : \sigma \mapsto \frac{1}{\deg \varphi } \varphi \circ \iota (\sigma ) \circ {\hat{\varphi }}, \end{aligned}$$

whose restriction to the preimage \({\mathcal {O}}'\) of \({{\,\textrm{End}\,}}(E')\) is an orientation that is called the induced orientation, denoted by \(\varphi _*\iota \). We are primarily interested in isogenies \(\varphi \) for which \({\mathcal {O}}' = {\mathcal {O}}\), in which case \(\varphi \) is said to be horizontal with respect to \(\iota \). Two \({\mathcal {O}}\)-oriented elliptic curves \((E,\iota ), (E', \iota ')\) are called isomorphic, denoted \((E, \iota ) \cong (E', \iota ')\), if there exists an isomorphism \(\varphi : E \rightarrow E'\) such that \(\iota ' = \varphi _*\iota \).

The default way to construct a horizontal isogeny is by considering an invertible ideal \({\mathfrak {a}}\subseteq {\mathcal {O}}\) of norm coprime to \(\max \{ 1, {{\,\textrm{char}\,}}k \}\) and attaching to it the finite subgroup

$$\begin{aligned} E[{\mathfrak {a}}] = \bigcap _{\alpha \in {\mathfrak {a}}} \ker \iota (\alpha ). \end{aligned}$$

Then the separable degree-\(N({\mathfrak {a}})\) isogeny \(\varphi _{\mathfrak {a}}: E \rightarrow E'\) with kernel \(E[{\mathfrak {a}}]\) is horizontal. In particular \(E'\) comes naturally equipped with an \({\mathcal {O}}\)-orientation \(\iota ' = \varphi _{{\mathfrak {a}}*} \iota \). The pair \((E', \iota ')\) is well-defined up to isomorphism and only depends on the class of \({\mathfrak {a}}\) inside \({{\,\textrm{cl}\,}}({\mathcal {O}})\); we write \([{\mathfrak {a}}](E, \iota ) := (E', \iota ')\). This defines the map (1), which turns out to be a free group action.

Remark 1

In general the action is not transitive, where one subtlety is reflected in [22, Prop. 3.3]; see also the example in [22, p. 3.1] and the proof of [26, Thm. 4.5]. This has no consequences for the current paper, since we are working in a single orbit, namely that of the starting curve \((E, \iota )\).

3 Evaluating characters using the Weil pairing

In this section we prove Theorem 1 and discuss its analogues for the assigned characters \(\delta , \epsilon , \delta \epsilon \). In all cases it is assumed that \(p = \max \{ 1, {{\,\textrm{char}\,}}k\}\) is coprime to the modulus of the character under consideration. If p is an odd prime then \(\chi _p\), if it appears in the list of assigned characters, can be computed from the other characters using the relation (3); see for instance Example 1 where we had \(\chi _p = \delta \). If \(p = 2\) then the same conclusion holds for \(\delta \), \(\epsilon \) or \(\delta \epsilon \), because in even characteristic at most one of these three characters can appear in the list of assigned characters.

3.1 Preliminaries

Lemma 1

Let \({\mathcal {O}}\) be an imaginary quadratic order and let m be an odd prime number. Then \({\mathcal {O}}={\mathbb {Z}}[\sigma ]\) for some \(\sigma \in {\mathcal {O}}\) of norm coprime to m.

Proof

Let \(\tau \in {\mathcal {O}}\) be a generator of \({\mathcal {O}}\), suppose of norm divisible by m. Then for any \(k\in {\mathbb {Z}}\),

$$\begin{aligned} N(\tau +k)=N(\tau )+k({{\,\textrm{tr}\,}}(\tau )+k)\equiv k({{\,\textrm{tr}\,}}(\tau )+k) \bmod m. \end{aligned}$$

Since \(m \ge 3\) we can thus always find \(k\in {\mathbb {Z}}\) such that \(m\not \mid N(\tau +k)\). \(\square \)

Lemma 2

Let \({\mathcal {O}}\) be an imaginary quadratic order of even discriminant. Then \({\mathcal {O}}={\mathbb {Z}}[\sigma ]\) for some \(\sigma \in {\mathcal {O}}\) of odd norm.

Proof

Let \(\tau \in {\mathcal {O}}\) be a purely imaginary generator of \({\mathcal {O}}\), e.g. \(\tau =\sqrt{{{\,\textrm{disc}\,}}({\mathcal {O}})/4}\), where \({{\,\textrm{disc}\,}}({\mathcal {O}})\) is the discriminant of \({\mathcal {O}}\). Then \(N(\tau +1)=N(\tau )+{{\,\textrm{tr}\,}}(\tau )+1=N(\tau )+1\), hence we can take \(\sigma = \tau \) or \(\sigma = \tau + 1\). \(\square \)

Lemma 3

Let \({\mathcal {O}}\) be an imaginary quadratic order, let \((E,\iota )\) be an \({\mathcal {O}}\)-oriented elliptic curve over k, let \(m \ne {{\,\textrm{char}\,}}k\) be a prime number, and let \(\sigma \in {\mathcal {O}}\) be a generator. Then there exists a \(P\in E[m]\) such that \(\iota (\sigma )(P)\) is not a multiple of P.

Proof

The endomorphism \(\iota (\sigma )\) of E induces an \({\mathbb {F}}_m\)-linear map \(E[m]\rightarrow E[m]\). Suppose to the contrary that every \(P \in E[m]\) is an eigenvector. This can only happen if the map has the full m-torsion E[m] as an eigenspace. Thus there exists \(\lambda \in {\mathbb {Z}}\) such that \(E[m]\subseteq \ker (\iota (\sigma -\lambda ))\). It then follows that \(\iota _{{\mathbb {Q}}}((\sigma -\lambda )/m)\in {{\,\textrm{End}\,}}(E)\), and hence that \(\sigma -\lambda \in m{\mathcal {O}}\) by the fact that \(\iota \) is a primitive embedding, i.e. it cannot be extended to a strict superorder of \({\mathcal {O}}\). Since \({\mathbb {Z}}+m{\mathcal {O}}\subsetneq {\mathcal {O}}\) this contradicts the assumption that \(\sigma \) generates \({\mathcal {O}}\). \(\square \)

3.2 Evaluating the characters \(\chi _m\)

We now prove Theorem 1.

Proof of Theorem 1

The existence of \(\sigma , P, P'\) follows from Lemmas 1 and 3. The endomorphism \(\iota (\sigma )\) of E induces an \({\mathbb {F}}_m\)-linear map \(E[m]\rightarrow E[m]\). Since \(m\mid {{\,\textrm{disc}\,}}({\mathcal {O}}) = {{\,\textrm{tr}\,}}(\sigma )^2 - 4N(\sigma )\) and \(m \not \mid N(\sigma )\), its characteristic polynomial has a nonzero double root, say \(\alpha \in {\mathbb {F}}_m^{\times }\). Consequently, choosing an eigenvector \(P_0\), we obtain a basis \(P_0,P\) of E[m] for which the matrix of \(\sigma \) is in upper-triangular form \(\left( \begin{array}{ll} \alpha &{} \beta \\ 0 &{} \alpha \end{array} \right) \), where \(\beta \in {\mathbb {F}}_m^{\times }\) because P is not an eigenvector. With respect to this basis any \(Q\in E[m]\) that is not an eigenvector of \(\sigma \) is of the form \(Q=\lambda P_0+\mu P\) where \(\mu \ne 0\). We see that

$$\begin{aligned} e_m(Q,\sigma (Q))=e_m(\lambda P_0+\mu P,(\alpha \lambda +\beta \mu )P_0+\alpha \mu P)=e_m(P,\beta P_0)^{\mu ^2} = e_m(P,\sigma (P))^{\mu ^2}, \end{aligned}$$

showing that \(e_m(P,\sigma (P))\) is independent of the choice of P, up to raising to powers that are nonzero squares modulo m. Then, of course, the same conclusion applies to \(e_m(P', \sigma (P'))\).

Recall our convention from the introduction, namely that we assume that the norm of \({\mathfrak {a}}\), which equals the degree of the corresponding isogeny \(\varphi =\varphi _{{\mathfrak {a}}}:E\rightarrow E'\), is coprime to m. In particular, \(P_0\not \in \ker \varphi \). By definition of the class group action, \(\iota ' = \varphi _*\iota \) satisfies

$$\begin{aligned} \iota '(\sigma )(\varphi (P))=\left( \frac{1}{\deg \varphi } \varphi \iota (\sigma ){\hat{\varphi }}\right) (\varphi (P))=\varphi (\iota (\sigma )(P)) =\beta \varphi (P_0)+\alpha \varphi (P), \end{aligned}$$

showing that \(\varphi (P)\) is not an eigenvector for \(\iota '(\sigma )\) acting on \(([{\mathfrak {a}}]E)[m]\). So we see that \(e_m(\varphi (P), \iota '(\sigma )(\varphi (P)))\) is obtained from \(e_m(P', \iota '(\sigma )(P'))\) by raising it to a nonzero square mod m. To conclude, we observe that

$$\begin{aligned} e_m(\varphi (P),\iota '(\sigma )(\varphi (P)))= & {} e_m(\varphi (P),\varphi (\iota (\sigma )(P)))\\= & {} e_m(P,\iota (\sigma )(P))^{\deg \varphi }. \end{aligned}$$

\(\square \)
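To see the invariance step of this proof at work, here is an added toy computation that is not from the paper. The instance is constructed for the example: \(E : y^2 = x^3 + 2\) over \({\mathbb {F}}_7\) has nine rational points, all of order dividing 3, so \(E({\mathbb {F}}_7) = E[3]\), and it carries the \({\mathbb {Z}}[\zeta _3]\)-orientation \(\iota (\zeta _3) : (x, y) \mapsto (2x, y)\), since 2 is a primitive cube root of unity modulo 7; thus \({{\,\textrm{disc}\,}}({\mathcal {O}}) = -3\), \(m = 3\) and \(N(\sigma ) = 1\) for \(\sigma = \zeta _3\). The script evaluates \(e_3\) with Miller's algorithm through the auxiliary-point formula \(e_m(P,Q) = \frac{f_P(Q+S)}{f_P(S)} \big / \frac{f_Q(P-S)}{f_Q(-S)}\), and checks that \(e_3(Q, \sigma (Q))\) takes the same value for every \(Q \in E[3]\) that is not an eigenvector of \(\sigma \), as the proof predicts (the only nonzero square modulo 3 is 1), and that \(e_3(\sigma (P), \sigma (Q)) = e_3(P,Q)^{N(\sigma )}\). Since \({{\,\textrm{cl}\,}}({\mathbb {Z}}[\zeta _3])\) is trivial, \(\chi _3\) is trivial and the only class connecting \((E, \iota )\) to itself is \([(1)]\), so the final Legendre symbol is 1: the example exercises the pairing-side argument, not a non-trivial character value.

```python
"""Toy check of the invariance step in the proof of Theorem 1 (added example, not from the paper).
Constructed instance: E: y^2 = x^3 + 2 over F_7, E(F_7) = E[3], and sigma(x, y) = (2x, y)
is iota(zeta_3) for O = Z[zeta_3] (2 is a primitive cube root of unity mod 7)."""
P_MOD = 7
A, B = 0, 2   # E: y^2 = x^3 + A*x + B
ZETA = 2      # primitive cube root of unity in F_7

def inv(a):
    a %= P_MOD
    if a == 0:
        raise ZeroDivisionError("pole hit during Miller evaluation")
    return pow(a, P_MOD - 2, P_MOD)

def neg(P):
    return None if P is None else (P[0], -P[1] % P_MOD)

def add(P, Q):
    """Affine group law on E; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if P == Q:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, P):
    R = None
    for bit in bin(k)[2:]:
        R = add(R, R)
        if bit == "1":
            R = add(R, P)
    return R

def sigma(P):
    """The orientation iota(zeta_3) acting on points."""
    return None if P is None else (ZETA * P[0] % P_MOD, P[1])

POINTS = [None] + [(x, y) for x in range(P_MOD) for y in range(P_MOD)
                   if (y * y - x ** 3 - A * x - B) % P_MOD == 0]

def line(T, U, X):
    """(line through T and U, tangent if T == U) / (vertical line through T+U), at X."""
    x, y = X
    if T[0] == U[0] and (T[1] + U[1]) % P_MOD == 0:   # T + U = infinity: vertical line
        return (x - T[0]) % P_MOD
    if T == U:
        lam = (3 * T[0] * T[0] + A) * inv(2 * T[1]) % P_MOD
    else:
        lam = (U[1] - T[1]) * inv(U[0] - T[0]) % P_MOD
    R = add(T, U)
    return (y - T[1] - lam * (x - T[0])) * inv(x - R[0]) % P_MOD

def miller(P, m, X):
    """Miller function f_P with div(f_P) = m(P) - m(inf), evaluated at X (needs m*P = inf)."""
    f, T = 1, P
    for bit in bin(m)[3:]:
        f = f * f * line(T, T, X) % P_MOD
        T = add(T, T)
        if bit == "1":
            f = f * line(T, P, X) % P_MOD
            T = add(T, P)
    return f

def weil(P, Q, m):
    """e_m(P,Q) = [f_P(Q+S)/f_P(S)] / [f_Q(P-S)/f_Q(-S)] for an auxiliary point S."""
    if P is None or Q is None:
        return 1
    for S in POINTS:
        if S in (None, P, neg(Q), add(P, neg(Q))):   # supports must be disjoint
            continue
        try:
            num = miller(P, m, add(Q, S)) * miller(Q, m, neg(S)) % P_MOD
            den = miller(P, m, S) * miller(Q, m, add(P, neg(S))) % P_MOD
        except ZeroDivisionError:   # this S ran into a pole: try the next one
            continue
        if num and den:
            return num * inv(den) % P_MOD
    raise ValueError("no admissible auxiliary point")

def is_eigenvector(Q, m):
    return any(sigma(Q) == mul(k, Q) for k in range(m))

def self_pairings(m=3):
    """e_m(Q, sigma(Q)) for every Q in E[m] that is not an eigenvector of sigma."""
    return {Q: weil(Q, sigma(Q), m) for Q in POINTS if Q is not None and not is_eigenvector(Q, m)}

def character_value(P, Pp, m=3):
    """(a/m) with a = log_{e_m(P, sigma P)} e_m(P', sigma P'), as in Theorem 1 (here E' = E)."""
    base, val = weil(P, sigma(P), m), weil(Pp, sigma(Pp), m)
    a = next(k for k in range(m) if pow(base, k, P_MOD) == val)   # brute-force log, toy size
    return 1 if pow(a, (m - 1) // 2, m) == 1 else -1
```

On this curve the two points \((0, \pm 3)\) are the eigenvectors of \(\sigma \) (the role of \(P_0\) in the proof), and the six remaining points all give the same primitive cube root of unity for \(e_3(Q, \sigma (Q))\); the check is independent of the sign convention of the pairing, since inverting every value leaves them equal to one another.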

3.3 Evaluating \(\delta \), \(\epsilon \) or \(\delta \epsilon \)

We now present the analogues of Theorem 1 for the even-modulus characters \(\delta \), \(\epsilon \) and \(\delta \epsilon \). We first focus on \(\delta \), which, as we saw in Sect. 2.1, is an assigned character if and only if we can write \({{\,\textrm{disc}\,}}({\mathcal {O}})=-4\cdot d\) for some \(d\equiv 0,1\bmod 4\).

Proposition 1

Assume \({{\,\textrm{char}\,}}k \ne 2\). Let \({\mathcal {O}}\) be an imaginary quadratic order of discriminant \(-4\cdot d\) where \(d\equiv 0,1\bmod 4\), and let \((E, \iota )\), \((E', \iota ')\) be \({\mathcal {O}}\)-oriented elliptic curves over k connected by an ideal class \([{\mathfrak {a}}] \in {{\,\textrm{cl}\,}}({\mathcal {O}})\). Then \({\mathcal {O}}\) admits an odd-norm generator \(\sigma \), and for any such \(\sigma \) there exist points \(P\in E[4]\), \(P' \in E'[4]\) such that \(\iota (\sigma )(2P)\ne 2P\) and \(\iota '(\sigma )(2P')\ne 2P'\). Moreover

$$\begin{aligned} \delta ([{\mathfrak {a}}]) = (-1)^{\frac{a - 1}{2}}, \end{aligned}$$

with \(a = \log _{e_4(P,\iota (\sigma )(P))}e_4(P',\iota '(\sigma )(P'))\), for any such choice of \(\sigma , P, P'\).

Proof

The existence of \(\sigma , P, P'\) follows from Lemmas 2 and 3. Note that the assumption on the discriminant of \({\mathcal {O}}\) shows that the character \(\delta \) indeed exists, and that this implies that \(N(\sigma )\equiv 1\bmod 4\) (since the principal ideal class \([(\sigma )]\) lies in the kernel of \(\delta \)). By upper-triangularizing the action of \(\sigma \) on E[2] as in the proof of Theorem 1, we see that there exists a \(P_0\in E[4]\) such that the matrix \(M_{\sigma }\) of \(\sigma \) acting on E[4] with respect to the basis \(P_0,P\) is of the form

$$\begin{aligned} M_{\sigma }\equiv \begin{pmatrix} 1 &{} 1\\ 0 &{} 1 \end{pmatrix} \bmod 2. \end{aligned}$$

Since \(N(\sigma )\equiv 1\bmod 4\) this means that \(M_{\sigma }\) is of the form either \(\left( \begin{array}{ll} \alpha &{}\beta \\ 0 &{}\alpha \end{array} \right) \) or \( \left( \begin{array}{ll} \alpha &{}\beta \\ 2 &{}-\alpha \end{array} \right) \), with \(\alpha ,\beta \) odd. Any Q with the property that \(\sigma (2Q) \ne 2Q\) is of the form \(\lambda P_0+\mu P\) where \(\mu \) is odd. If \(M_{\sigma }\) is of the first form we get

$$\begin{aligned} e_4(Q,\sigma (Q))=e_4(\lambda P_0+\mu P,(\alpha \lambda +\beta \mu )P_0+\alpha \mu P)=e_4(P,\beta P_0)^{\mu ^2} = e_4(P,\sigma (P))^{\mu ^2}. \end{aligned}$$

If \(M_{\sigma }\) is of the second form we again get

$$\begin{aligned} e_4(Q,\sigma (Q))= & {} e_4(\lambda P_0+\mu P,(\alpha \lambda +\beta \mu )P_0+(2\lambda -\alpha \mu )P) \\= & {} e_4(P,\beta P_0)^{\mu ^2}e_4(P,P_0)^{2(\lambda \alpha \mu -\lambda ^2)} = e_4(P,\sigma ( P))^{\mu ^2} \end{aligned}$$

where the last equality uses that \(\mu \) and \(\alpha \) are odd, so that \(\lambda (\alpha \mu - \lambda )\) is even for every \(\lambda \). From \(\mu ^2 \equiv 1 \bmod 4\) it follows that \(e_4(P,\sigma (P))\) does not depend on the choice of P. Then, of course, the same is true for \(e_4(P', \sigma (P'))\).

By our convention we assume that the norm of \({\mathfrak {a}}\), and hence the degree of the corresponding isogeny \(\varphi =\varphi _{{\mathfrak {a}}}:E\rightarrow E'\), is odd. In particular, \(2P_0\not \in \ker \varphi \) and

$$\begin{aligned} \iota '(\sigma )(\varphi (2P))=\left( \frac{1}{\deg \varphi }\varphi \iota (\sigma ){\hat{\varphi }}\right) (\varphi (2P))=\varphi (\iota (\sigma )(2P))=\varphi (2P_0)+\varphi (2P) \end{aligned}$$

is different from \(\varphi (2P)\). Thus we find that \(e_4(P', \sigma (P'))\) equals

$$\begin{aligned} e_4(\varphi (P),\iota '(\sigma )(\varphi (P)))=e_4(\varphi (P),\varphi (\iota (\sigma )(P))) =e_4(P,\iota (\sigma )(P))^{\deg \varphi }, \end{aligned}$$

which concludes the proof. \(\square \)

Next, we discuss the modulus-8 characters \(\epsilon \) and \(\delta \epsilon \). Note that by Sect. 2.1, we have that \(\epsilon \) is an assigned character if and only if either \(2^5\mid {{\,\textrm{disc}\,}}({\mathcal {O}})\) or \({{\,\textrm{disc}\,}}({\mathcal {O}})=-2^3\cdot d\) with \(d\equiv 3\bmod 4\). Similarly, \(\delta \epsilon \) is an assigned character if and only if either \(2^5\mid {{\,\textrm{disc}\,}}({\mathcal {O}})\) or \({{\,\textrm{disc}\,}}({\mathcal {O}})=-2^3\cdot d\) with \(d\equiv 1\bmod 4\).

Proposition 2

Assume \({{\,\textrm{char}\,}}k \ne 2\), let \({\mathcal {O}}\) be an imaginary quadratic order of discriminant \({{\,\textrm{disc}\,}}({\mathcal {O}}) = -2^fd\) with d odd and \(f\ge 3\), and consider \({\mathcal {O}}\)-oriented elliptic curves \((E, \iota )\), \((E', \iota ')\) over k connected by an ideal class \([{\mathfrak {a}}] \in {{\,\textrm{cl}\,}}({\mathcal {O}})\). Assume that \(\epsilon \), resp. \(\delta \epsilon \), appears among the assigned characters of \({\mathcal {O}}\). Then \({\mathcal {O}}\) admits an odd-norm generator \(\sigma \), and for any such \(\sigma \) there exist points \(P\in E[8]\), \(P' \in E'[8]\) such that \(\iota (\sigma )(4P)\ne 4P\) and \(\iota '(\sigma )(4P')\ne 4P'\). Moreover \(\epsilon ([{\mathfrak {a}}])\), resp. \(\delta \epsilon ([{\mathfrak {a}}])\), can be computed as

$$\begin{aligned} \epsilon ([{\mathfrak {a}}]) = (-1)^{\frac{a^2 - 1}{8}}, \ \ resp.\ \ \delta \epsilon ([{\mathfrak {a}}]) = (-1)^{\frac{ \left( a + 2 \right) ^2 - 9}{8}}, \end{aligned}$$

with \(a = \log _{e_8(P,\iota (\sigma )(P))}e_8(P',\iota '(\sigma )(P'))\), and for any such choice of \(\sigma , P, P'\).

Proof

As in the previous proof, the existence of \(\sigma , P, P'\) follows from Lemmas 2 and 3. The main difference with the foregoing proofs is that if \(Q \in E[8]\) is another point satisfying \(\sigma (4Q) \ne 4Q\), then \(e_8(Q, \sigma (Q))\) relates more subtly to \(e_8(P, \sigma (P))\). Namely, we will argue that

$$\begin{aligned} e_8(Q, \sigma (Q)) \in \left\{ e_8(P, \sigma (P)), e_8(P, \sigma (P))^{N(\sigma )} \right\} , \end{aligned}$$
(4)

and then of course the same again applies to \(e_8(P', \sigma (P'))\). This will then lead to the conclusion that

$$\begin{aligned} e_8(P', \sigma (P')) \in \left\{ e_8(P, \sigma (P))^{\deg \varphi }, e_8(P, \sigma (P))^{N(\sigma ) \deg \varphi } \right\} , \end{aligned}$$

which is indeed sufficient, since the principal ideal class \([(\sigma )]\) has trivial character values. More explicitly, if \(\epsilon \) exists then we must have \(N(\sigma ) \bmod 8 \in \{1,7\}\), while if \(\delta \epsilon \) exists then we have \(N(\sigma ) \bmod 8 \in \{1, 3\}\).

In order to prove (4), note that, since \(N(\sigma ) \equiv 1 \bmod 2\),

$$\begin{aligned} {{\,\textrm{tr}\,}}(\sigma )^2+4 \equiv {{\,\textrm{tr}\,}}(\sigma )^2-4\cdot N(\sigma ) = {{\,\textrm{disc}\,}}({\mathcal {O}}) \equiv 0 \bmod 8, \end{aligned}$$

so that \({{\,\textrm{tr}\,}}(\sigma )\equiv 2\bmod 4\). It follows that the characteristic polynomial of \(\sigma \) modulo 4 is \(X^2+2X+N(\sigma )\), hence we can extend to a basis \(P_0,P\) of E[8] such that the matrix of \(\iota (\sigma )\) acting on E[8] is of the form

$$\begin{aligned} M_{\sigma } \equiv {\left\{ \begin{array}{ll} \begin{pmatrix} \alpha &{} \beta \\ 0 &{} \alpha \end{pmatrix} \bmod 4 \qquad \quad \text{ if } N(\sigma )\equiv 1\bmod 4,\\ \begin{pmatrix} \alpha &{} \beta \\ 2 &{} \alpha \end{pmatrix} \bmod 4 \qquad \quad \text{ if } N(\sigma )\equiv 3\bmod 4, \end{array}\right. } \end{aligned}$$

with \(\alpha ,\beta \) odd. It follows that

$$\begin{aligned} M_{\sigma }^2 \equiv {\left\{ \begin{array}{ll} \begin{pmatrix} 1 &{} 2\\ 0 &{} 1 \end{pmatrix} \bmod 4 \qquad \quad \text{ if } N(\sigma )\equiv 1\bmod 4,\\ \begin{pmatrix} 3 &{} 2\\ 0 &{} 3 \end{pmatrix} \bmod 4 \qquad \quad \text{ if } N(\sigma )\equiv 3\bmod 4. \end{array}\right. } \end{aligned}$$

In any case we can record that

$$\begin{aligned} e_8(P,\sigma ^2(P))^2 = e_8(P, P_0)^4 =-1. \end{aligned}$$
(5)

Now, with respect to the basis \(P,\sigma (P)\), the matrix of \(\iota (\sigma )\) acting on E[8] is congruent to \(\left( {\begin{matrix} 0 &{} 1 \\ 1 &{} 0 \end{matrix}} \right) \bmod 2\). Any other \(Q=\lambda P+\mu \sigma (P)\) such that \(\sigma (4Q)\ne 4Q\) thus has exactly one of \(\lambda ,\mu \) odd. We now proceed to showing (4). If \(\mu \) is odd then we can write \(\sigma (Q)=\lambda ' P+\mu '\sigma (P)\) with \(\lambda '\) odd, so since

$$\begin{aligned} e_8(Q,\sigma (Q))^{N(\sigma )}=e_8(\sigma (Q),\sigma ^2(Q)) \end{aligned}$$

we may reduce to the case where \(\lambda \) is odd (and \(\mu \) is even). For odd \(\lambda \), we have

$$\begin{aligned} e_8(Q,\sigma (Q))=e_8(\lambda ^{-1}Q,\sigma (\lambda ^{-1}Q))^{\lambda ^2}=e_8(\lambda ^{-1}Q,\sigma (\lambda ^{-1}Q)), \end{aligned}$$

hence we may further reduce to the case where \(\lambda =1\). Now note that

$$\begin{aligned} e_8(P+\mu \sigma (P),\sigma (P)+\mu \sigma ^2(P))= & {} e_8(P,\sigma (P))e_8(\sigma (P),\sigma ^2(P))^{\mu ^2}e_8(P,\sigma ^2(P))^\mu \\= & {} e_8(P,\sigma (P))e_8(P,\sigma (P))^{4\frac{\mu ^2}{4}N(\sigma )}e_8(P,\sigma ^2(P))^{2\frac{\mu }{2}}\\= & {} e_8(P,\sigma (P))\cdot (-1)^{\frac{\mu ^2}{4}}\cdot (-1)^{\frac{\mu }{2}}\\= & {} e_8(P,\sigma (P)), \end{aligned}$$

where in the third equality we used (5). \(\square \)

Remark 2

If \({\mathcal {O}}\) is an imaginary quadratic order of discriminant \({{\,\textrm{disc}\,}}({\mathcal {O}})\equiv 0\bmod 2^5\), then both \(\epsilon \) and \(\delta \epsilon \) and hence \(\delta = (\delta \epsilon )\epsilon \) exist, so that \(N(\sigma ) \equiv 1 \bmod 8\). In this case there is a well-defined group homomorphism \(\gamma :{{\,\textrm{cl}\,}}({\mathcal {O}})\rightarrow ({\mathbb {Z}}/8{\mathbb {Z}})^{\times }:[{\mathfrak {a}}]\mapsto N({\mathfrak {a}})\bmod 8\) through which \(\delta , \epsilon , \delta \epsilon \) factor. This is the only situation where one can get finer-than-binary modular information about \(N({\mathfrak {a}})\) from \([{\mathfrak {a}}]\); the above proof shows that we can recover \(\gamma ([{\mathfrak {a}}])\) at once as \(\log _{e_8(P,\iota (\sigma )(P))}e_8(P',\iota '(\sigma )(P'))\).

Remark 3

In the statements of Theorem 1, Propositions 1 and 2, the condition that \(\sigma \) be a generator of \({\mathcal {O}}\) can in fact be relaxed to \(\sigma \in {\mathcal {O}}\setminus ({\mathbb {Z}}+ m{\mathcal {O}})\) if m is odd and to \(\sigma \in {\mathcal {O}}\setminus ({\mathbb {Z}}+ 2{\mathcal {O}})\) if m is even, without modifying the proofs.

Wrapping up, we have given justification for Algorithm 1 below, evaluating an assigned character \(\chi : {{\,\textrm{cl}\,}}({\mathcal {O}}) \rightarrow \{ \pm 1 \}\) of modulus m coprime to \(\max \{ 1, {{\,\textrm{char}\,}}k\}\) in an unknown ideal class \([{\mathfrak {a}}]\) connecting two given \({\mathcal {O}}\)-oriented curves \((E, \iota )\) and \((E', \iota ')\). Here, by the field of definition of \((E, \iota )\), \((E',\iota ')\) we mean any (e.g., the smallest) subfield \(F \subseteq k\) over which the curves \(E, E'\) and the endomorphisms in \(\iota ({\mathcal {O}}), \iota '({\mathcal {O}})\) are defined.

Algorithm 1 (rendered as a figure in the original; not reproduced here)

4 Complexity and consequences for DDH

Running Algorithm 1 in practice comes with challenges that are specific to our field of definition F. Nevertheless, before going into a more detailed analysis of our main case of interest, namely where F is a finite field, let us add some general comments to its six numbered steps:

1. Very easy, by following the proof of Lemma 1 or Lemma 2.

2. The degree of \({\mathcal {F}}/ F\) is a divisor of the order of \({{\,\textrm{GL}\,}}_2({\mathbb {Z}}/ m{\mathbb {Z}})\), which is \(O(m^4)\).

3.–4. For m an odd prime, the proof of Theorem 1 shows that the set of m-torsion points that are independent of their image under \(\sigma \) has size \(m^2 - m\). So it suffices to try O(1) random points \(P \in E[m]\), compute \(\iota (\sigma )(P)\) and check whether \(e_m(P, \iota (\sigma )(P))\) is a primitive mth root of unity (i.e., not 1).

5. Pollard-\(\rho \) type algorithms allow us to compute the discrete logarithm using \(O(\sqrt{m})\) operations in \(\mu _m\).

6. Trivial.

The main bonus we get from working over a finite field lies in (2). In this case the degree of \({\mathcal {F}}/ F\) equals the order of the Frobenius endomorphism \(\pi _F\) acting on E[m]. While the order of \({{\,\textrm{GL}\,}}_2({\mathbb {Z}}/m{\mathbb {Z}})\) is \(O(m^4)\), the order of a single element is \(O(m^2)\).

Theorem 2

Let \({\mathcal {O}}= {\mathbb {Z}}[\sigma ]\) be an imaginary quadratic order and consider two \({\mathcal {O}}\)-oriented elliptic curves \((E, \iota )\) and \((E', \iota ')\) that belong to the same orbit under the action of \({{\,\textrm{cl}\,}}({\mathcal {O}})\), say given in Weierstrass form and connected by an unknown ideal class \([{\mathfrak {a}}]\). Assume that \(E, E', \iota ({\mathcal {O}}), \iota '({\mathcal {O}})\) are all defined over a finite field \({\mathbb {F}}_q\). Let \(\chi \) be an assigned character of \({\mathcal {O}}\) with modulus m coprime to q. There exists a randomized algorithm for computing \(\chi ([{\mathfrak {a}}])\) that is expected to use

$$\begin{aligned} {\widetilde{O}}(m^3 \log ^2 q) \end{aligned}$$
(6)

bit operations and O(1) calls to \(\iota (\sigma ), \iota '(\sigma )\).

Proof

If we write \(f_E(x,y)\) for the defining Weierstrass polynomial of E and \(\Psi _{E, m}(x)\) for its m-division polynomial, then the field \({\mathcal {F}}\) can be constructed as the splitting field of the resultant \(r_{E,m}(x) = {{\,\textrm{res}\,}}_y(f_E, \Psi _{E,m})\), whose degree is \(O(m^2)\). The division polynomial \(\Psi _{E,m}(x)\) can be computed recursively and the resultant \(r_{E, m}(x)\) can be factored using Kedlaya–Umans [19]. Using fast arithmetic, this takes a combined time of (6). Note that we obtain all points in E[m] as a by-product; once we know \({\mathcal {F}}\) we can sample points from \(E'[m]\) faster. The Weil pairings can be computed using Miller’s algorithm, taking \(O(\log m)\) operations in \({\mathcal {F}}\), and Pollard-\(\rho \) takes an expected \(O(\sqrt{m})\) operations in \({\mathcal {F}}\), so these costs are dominated by (6), again assuming fast arithmetic. Finally, while the norm of the given generator \(\sigma \) may not be coprime to m, from the proofs of Lemma 1 and Lemma 2 we see that we can instead work with \(\sigma + k\), for some positive integer k bounded by m. Since \(\iota (\sigma + k) = \iota (\sigma ) + [k]\), the overhead this causes is clearly absorbed by (6); and similarly for \(\iota '(\sigma + k)\). \(\square \)

The effectivity of this algorithm co-depends on how easy it is to evaluate \(\iota (\sigma )\) and \(\iota '(\sigma )\), which is a separate discussion that is captured by the notion of efficient representations, see Sect. 5.1 and [32] for more details. One special but interesting case is where \(\iota (\sigma )\) equals \(\pi _{{\mathbb {F}}_q}\), or is easily derived from it; evaluating it then costs quasi-quadratic time in \(m \log q\). So, in this case, the overall cost remains estimated by (6). This matches with the asymptotic runtime of the Tate pairing attack from [8], as estimated in [8, p. 5.1].

While the Weil pairing attack is conceptually simpler (no descent of the isogeny volcano needed), in general one should expect the Tate pairing attack to run faster in practice. The main reason is that there it suffices to work over a field \({\mathcal {F}}\) such that E admits an \({\mathcal {F}}\)-rational point of order m, rather than requiring all m-torsion to be \({\mathcal {F}}\)-rational (in turn, this is because the Tate pairing admits non-trivial self-pairing values, in contrast with the Weil pairing). The degree of such an extension field is bounded by O(m), rather than by \(O(m^2)\). But the comparison turns in favour of the Weil pairing as soon as \(E[m] \subseteq E({\mathbb {F}}_q)\), where no field extension is needed. Note that, here, it makes more sense to measure the cost of a call to \(\iota (\sigma ),\iota '(\sigma )\) by the cost of evaluating \((\pi _{{\mathbb {F}}_q} - 1)/m^s\), where s is maximal such that \(E[m^s] \subseteq E({\mathbb {F}}_q)\); see [25, Lem. 1]. For this we need s successive point divisions by m; the cost of such a division is dominated by that of finding a root of a polynomial of degree \(m^2\), which can be done in time

$$\begin{aligned} {\widetilde{O}}(m^2 \log ^2 q), \end{aligned}$$
(7)

see [23, p. 2]. This now becomes the dominant cost of the attack. The asymptotic cost of the Tate pairing also drops to (7) in this case, but the Weil pairing attack comes with less overhead.

All this aside, let us re-emphasize that the Weil pairing approach works in far greater generality: for arbitrary orientations and over any field admitting explicit computation. A proof-of-concept implementation of the new method can be found at https://github.com/KULeuven-COSIC/oriented_DDH. At the time of publication, this implementation handles the case of \({\mathbb {Z}}[\sqrt{-p}]\)-oriented elliptic curves in characteristic \(p \equiv 1 \bmod 4\). We intend to extend the repository in due course, by also covering the higher-degree group actions that were described in [9].

4.1 Consequences for DDH

If \({{\,\textrm{cl}\,}}({\mathcal {O}})\) admits a non-trivial assigned character whose modulus m is sufficiently small, say polynomially bounded by \(\log {{\,\textrm{disc}\,}}({\mathcal {O}})\), and if it satisfies \(\gcd (m,q) = 1\), then we can use this character to distinguish between random triples and Diffie–Hellman triples with probability 1/2, as explained in the introduction. So, in this case, we can consider the decisional Diffie–Hellman problem broken for \({\mathcal {O}}\)-oriented elliptic curves over \({\mathbb {F}}_q\). More generally, if \({{\,\textrm{cl}\,}}({\mathcal {O}})\) admits \(s \ge 1\) independent such characters (meaning that one cannot use the relation (3) to rewrite one of the characters in terms of the others), then we can distinguish with probability \(1 - 1/2^s\).

A sufficient condition for the existence of such a character is that \({{\,\textrm{disc}\,}}({\mathcal {O}})\) has at least two small odd prime factors different from \(p = {{\,\textrm{char}\,}}{\mathbb {F}}_q\). Heuristically, we expect that this applies to a density 1 subset of all imaginary quadratic orders when ordered by the absolute value of their discriminant. This can be backed up using Mertens’ third theorem; or see [29, III, p. 6] for more dedicated tools.

As discussed in [8, p. 6], one can thwart the attack by restricting the class-group action to \({{\,\textrm{cl}\,}}({\mathcal {O}})^2\), or at least to a subgroup of \({{\,\textrm{cl}\,}}({\mathcal {O}})\) on which all assigned characters of small modulus have trivial evaluations. However, this may have practical consequences in terms of key generation and key validation. Moreover, we do not rule out that the attack can be modified to work for characters whose order is a larger power of 2, e.g., in view of [3, 27]. Quantumly, it is known that \(2^r\)-torsion subgroups, for any small fixed value of r, do not contribute to the hardness of the vectorization problem anyway [5]. Therefore, the cleanest way out is to follow the recommendation from [8, p. 6], namely to only work with orientations by imaginary quadratic orders whose class number is odd. There may be constructive reasons to deviate from this, e.g., as in the OSIDH protocol [10] where one uses orders of large prime power conductor in an imaginary quadratic field with class number one (such orders always have even class number).

Remark 4

It is interesting to view Theorem 2 against the classical decisional Diffie–Hellman problem, namely for exponentiation in a group \(G = \langle g \rangle \) of some large prime order m. Note that exponentiation defines a free and transitive action of \(({\mathbb {Z}}/ m{\mathbb {Z}})^\times \) on the set of generators of G. The Legendre symbol

$$\begin{aligned} \chi : ({\mathbb {Z}}/ m{\mathbb {Z}})^\times \rightarrow \{ \pm 1 \} : a \mapsto \left( \frac{a}{m} \right) \end{aligned}$$

is the unique quadratic character, of modulus m, and if one could cook up an efficient classical way for computing \(\chi (a)\) merely from the knowledge of g and \(g^a\), then this would break DDH in this setting. This would be a spectacular result; in general, to the best of our knowledge, we cannot do significantly better than computing a using Pollard-\(\rho \) and then evaluating \(\chi \) at a. This should be compared to steps 5. and 6. from Algorithm 1. In other words, one could say that classical DDH is not weakened by the existence of \(\chi \) because its modulus is large.

5 Reductions to endomorphism ring computation

In this section, we prove that our main result Theorem 1 allows us to significantly improve reductions between computational problems underlying isogeny-based cryptography. It was proved in [31] that two such families of problems are tightly connected: there are computational reductions from action inversion problems (called \({\textsc {Effective}}\text { }{{\mathcal {O}}}-{\textsc {Vectorization}}\) or \({\textsc {Effective}}\text { }{{\mathcal {O}}}-{\textsc {Uber}}\)) to endomorphism ring computation problems (called \({{\mathcal {O}}}-{\textsc {EndRing}}\) and \({{\mathcal {O}}}-{\textsc {EndRing}}^*\)). However, these reductions are exponential in the worst case. In this section, we apply Theorem 1 to obtain reductions that are sub-exponential in the worst case, and even polynomial in many regimes of interest. All results in this section that start with (ERH), such as Theorem 3, assume the extended Riemann hypothesis (precisely, the Riemann hypothesis for Hecke L-functions).

5.1 The supersingular endomorphism ring problem

In this section, we assume that the field k is an algebraic closure of a finite field of characteristic p, and that p does not split in \({\mathcal {O}}\), nor does it divide the conductor of \({\mathcal {O}}\). Then, the set \({\mathcal {E}}\ell \ell _{{\mathcal {O}}}(k)\) is non-empty and all curves in it are supersingular; this set is often denoted by \(\textsc {SS}_{{\mathcal {O}}}(p)\) in the literature [22, Prop. 3.2]. Recall that a curve E/k is supersingular if and only if its endomorphism ring \({{\,\textrm{End}\,}}(E)\) is isomorphic to a maximal order in the quaternion algebra

$$\begin{aligned} B_{p,\infty } = \left( \frac{-q,-p}{{\mathbb {Q}}}\right) = {\mathbb {Q}}+ {\mathbb {Q}}i + {\mathbb {Q}}j + {\mathbb {Q}}ij, \end{aligned}$$

with the multiplication rules \(i^2 = -q\), \(j^2 = -p\), and \(ji = -ij\), where q is a positive integer that depends on p.

Given a supersingular elliptic curve E over k, the endomorphism ring problem \({\textsc {EndRing}}\) consists in computing four endomorphisms that form a basis of \({{\,\textrm{End}\,}}(E)\). There is flexibility in how these endomorphisms can be represented, but we always assume that it is an efficient representation. As in [32], we say that an isogeny \(\varphi : E\rightarrow E'\) is given in an efficient representation if there is an algorithm to evaluate \(\varphi (P)\) for any \(P \in E({\mathbb {F}}_{p^r})\) in time polynomial in the length of the representation of \(\varphi \) and in \(r \log (p)\). We also assume that an efficient representation of \(\varphi \) has length \(\Omega (\log (\deg (\varphi )))\).

This endomorphism ring problem is of foundational importance to isogeny-based cryptography: it is presumed to be hard, and this hardness is necessary (and sometimes sufficient) for the security of essentially all isogeny-based protocols [7, 16, 17]. It does not, however, capture well the notion of orientation, which plays an important role in many protocols. Therefore, the following oriented variants were introduced in [31]. Computationally, an \({\mathcal {O}}\)-orientation \(\iota \) is represented by a generator \(\sigma \) of \({\mathcal {O}}\) (i.e., \({\mathcal {O}}= {\mathbb {Z}}[\sigma ]\)) together with an efficient representation of the endomorphism \(\iota (\sigma )\).

Problem 1

(\({{\mathcal {O}}}-{\textsc {EndRing}}\)) Given \((E,\iota ) \in {\mathcal {E}}\ell \ell _{{\mathcal {O}}}(k)\), find a basis of \({{\,\textrm{End}\,}}(E)\).

Problem 2

(\({{\mathcal {O}}}-{\textsc {EndRing}}^*\)) Given an \({\mathcal {O}}\)-orientable curve E, find a basis of \({{\,\textrm{End}\,}}(E)\), and an \({\mathcal {O}}\)-orientation of E expressed in this basis.

Clearly, \({{\mathcal {O}}}-{\textsc {EndRing}}\) reduces to \({{\mathcal {O}}}-{\textsc {EndRing}}^*\).

5.2 Action inversion problems

Many cryptosystems relate, directly or more subtly, to an inversion problem for the action of \({{\,\textrm{cl}\,}}({\mathcal {O}})\) on \({\mathcal {E}}\ell \ell _{{\mathcal {O}}}(k)\). In essence, given \((E,\iota )\) and \((E',\iota ')\) in \({\mathcal {E}}\ell \ell _{{\mathcal {O}}}(k)\), find a class \([{\mathfrak {a}}]\) such that \((E',\iota ') \cong [{\mathfrak {a}}] (E,\iota )\) (or decide that it does not exist). This is called the vectorization problem. It is too weak for many practical purposes, because knowledge of the class \([{\mathfrak {a}}]\) is not sufficient to efficiently apply its action on any other \({\mathcal {O}}\)-oriented curve. Therefore, the following stronger problem was introduced in [31].

Problem 3

(\({\textsc {Effective}}\text { }{{\mathcal {O}}}-{\textsc {Vectorization}}\)) Given three \({\mathcal {O}}\)-oriented supersingular curves \((E,\iota ),(E',\iota '),(F,\jmath ) \in {\mathcal {E}}\ell \ell _{{\mathcal {O}}}(k)\), find an \({\mathcal {O}}\)-ideal \({\mathfrak {a}}\) (or decide that it does not exist) such that \((E',\iota ') \cong [{\mathfrak {a}}] (E,\iota )\), and an efficient representation of \(\varphi _{\mathfrak {a}}: (F,\jmath ) \rightarrow [{\mathfrak {a}}] (F,\jmath )\).

The security of many cryptosystems directly reduces to this problem, such as CSIDH [6], CSI-FiSh [1], CSURF [4], or other generalizations [9].

One can define a similar problem where no orientation is provided for \(E'\). Then, one cannot require \((E',\iota ') \cong [{\mathfrak {a}}] (E,\iota )\) anymore, but one can still ask for \(E' \cong [{\mathfrak {a}}]E\). The resulting Uber isogeny problem was introduced in [14].

Problem 4

(\({\textsc {Effective}}\text { }{{\mathcal {O}}}-{\textsc {Uber}}\)) Given two \({\mathcal {O}}\)-oriented curves \((E,\iota ), (F,\jmath ) \in {\mathcal {E}}\ell \ell _{{\mathcal {O}}}(k)\) and an \({\mathcal {O}}\)-orientable curve \(E'\), find an \({\mathcal {O}}\)-ideal \({\mathfrak {a}}\) such that \(E' \cong [{\mathfrak {a}}]E\), and an efficient representation of \(\varphi _{\mathfrak {a}} : (F,\jmath ) \rightarrow [{\mathfrak {a}}] (F,\jmath )\).

This \({\textsc {Effective}}\text { }{{\mathcal {O}}}-{\textsc {Uber}}\) problem is significantly harder than the \({\textsc {Effective}}\text { }{{\mathcal {O}}}-{\textsc {Vectorization}}\) problem. In fact, most isogeny-based cryptosystems reduce to an instance of \({\textsc {Effective}}\text { }{{\mathcal {O}}}-{\textsc {Uber}}\) [14], even cryptosystems such as SIDH [18] which, at first sight, do not seem to involve any orientation.

5.3 Action inversion reduces to endomorphism ring

Strengthening and generalizing a result of [7], it was proved in [31] that \({\textsc {Effective}}\text { }{{\mathcal {O}}}-{\textsc {Vectorization}}\) reduces to \({{\mathcal {O}}}-{\textsc {EndRing}}\), and that \({\textsc {Effective}}\text { }{{\mathcal {O}}}-{\textsc {Uber}}\) reduces to \({{\mathcal {O}}}-{\textsc {EndRing}}^*\). Both reductions are in polynomial time in the length of the instance, and in \(\# ({{\,\textrm{cl}\,}}({\mathcal {O}})[2])\). Unfortunately, the dependence on \(\# ({{\,\textrm{cl}\,}}({\mathcal {O}})[2])\) means that the reduction is, in the worst case, exponential in the size of the input, since \(\#({{\,\textrm{cl}\,}}({\mathcal {O}})[2])\) could be as large as \(D^{1/\log \log D}\), where \(D = |{{\,\textrm{disc}\,}}({\mathcal {O}})|\). The issue is the following: given two oriented curves \((E,\iota )\) and \((E',\iota ')\) as in the definition of \({\textsc {Effective}}\text { }{{\mathcal {O}}}-{\textsc {Vectorization}}\), the reductions first find a class \([{\mathfrak {a}}]^2\) such that \((E',\iota ') \cong [{\mathfrak {a}}] (E,\iota )\). Finding \([{\mathfrak {a}}]\) from \([{\mathfrak {a}}]^2\) is a square root computation. There are \(\#({{\,\textrm{cl}\,}}({\mathcal {O}})[2])\) square roots of \([{\mathfrak {a}}]^2\), but only one is the correct class \([{\mathfrak {a}}]\). In [31], one simply does an exhaustive search. Now, thanks to Theorem 1, there is a much more efficient way to find the correct square root, which in the worst case is sub-exponential in \({{\,\textrm{disc}\,}}({\mathcal {O}})\). This is the following proposition. Recall the L-notation

$$\begin{aligned} L_x(\alpha ) = \exp \left( O\left( (\log x)^\alpha (\log \log x)^{1-\alpha }\right) \right) \end{aligned}$$

for sub-exponential complexities.

Proposition 3

Given \({\mathcal {O}}\) of discriminant \(-D\), the factorization \(D = \prod _{i = 1}^{\omega (D)}\ell _i^{e_i}\) (with \(\ell _i < \ell _{i+1}\)), two \({\mathcal {O}}\)-oriented elliptic curves \((E,\iota ),(E',\iota ')\in {\mathcal {E}}\ell \ell _{{\mathcal {O}}}(k)\), a basis of \({{\,\textrm{End}\,}}(E)\), and an ideal class \([{\mathfrak {c}}]^2\) such that \((E',\iota ') = [{\mathfrak {c}}] (E,\iota )\), one can find the ideal class \([{\mathfrak {c}}]\) in probabilistic polynomial time in the length of the input and in

$$\begin{aligned} \min \left( 2^{\omega (D)},\max _i\left( \ell _i \mid \ell _i \le 2^{\omega (D) - i}\right) \right) \ll \min \left( L_{D}(1/2),\#({{\,\textrm{cl}\,}}({\mathcal {O}})[2]),\ell _{\omega (D)}\right) . \end{aligned}$$

Before proving it, let us recall the following proposition from [31].

Proposition 4

(ERH, [31, Proposition 9]) Given \((E,\iota ) \in {\mathcal {E}}\ell \ell _{{\mathcal {O}}}(k)\), a basis of \({{\,\textrm{End}\,}}(E)\), and an \({\mathcal {O}}\)-ideal \({\mathfrak {a}}\), one can compute \([{\mathfrak {a}}] (E,\iota )\) and an efficient representation of \(\varphi _{{\mathfrak {a}}} : (E,\iota ) \rightarrow [{\mathfrak {a}}] (E,\iota )\) in probabilistic polynomial time in the length of the input.

Proof of Proposition 3

Let \(B > 0\) be a bound to be tuned later. Consider the sets of prime numbers

$$\begin{aligned} P_1&= \{\ell \mid \ell \text { is an odd prime factor of } {{\,\textrm{disc}\,}}({\mathcal {O}}) \text { and } \ell \le B\},\text { and}\\ P_2&= \{\ell \mid \ell \text { is an odd prime factor of } {{\,\textrm{disc}\,}}({\mathcal {O}}) \text { and } \ell > B\}. \end{aligned}$$

For each \(\ell \in P_1\), compute \(\chi _\ell ([{\mathfrak {c}}])\) in time \(\ell ^{O(1)}\) using Theorem 2 and the fact that \((E',\iota ') = [{\mathfrak {c}}] (E,\iota )\). Now, with [3], one can compute square roots in \({{\,\textrm{cl}\,}}({\mathcal {O}})\) in polynomial time, so we get an ideal \({\mathfrak {a}}\) such that \([{\mathfrak {a}}]\) and \([{\mathfrak {c}}]\) differ by a two-torsion factor. From [3], one also gets a basis of \({{\,\textrm{cl}\,}}({\mathcal {O}})[2]\), so we can ensure that \(\chi _\ell ([{\mathfrak {a}}]) = \chi _\ell ([{\mathfrak {c}}])\) for each \(\ell \in P_1\). The solution is now of the form \([{\mathfrak {c}}] = [{\mathfrak {a}}][{\mathfrak {b}}]\) where \([{\mathfrak {b}}]\) is in the subgroup G of \({{\,\textrm{cl}\,}}({\mathcal {O}})[2]\) of classes such that \(\chi _\ell ([{\mathfrak {b}}]) = 1\) for all \(\ell \in P_1\). Therefore, the number of remaining candidates for the class \([{\mathfrak {c}}]\) is \(\#G \le 2^{\#P_2+1}\). These can be enumerated (from the basis of \({{\,\textrm{cl}\,}}({\mathcal {O}})[2]\), deduce a basis of the subgroup G) and checked for correctness in polynomial time using Proposition 4 and the provided basis of \({{\,\textrm{End}\,}}(E)\). Overall, the running time is polynomial in \(\log p\), \(\log {{\,\textrm{disc}\,}}({\mathcal {O}})\), B, and \(2^{\#P_2}\). The running time follows by choosing \(B = \min \left( 2^{\omega (D)},\max _i\left( \ell _i \mid \ell _i \le 2^{\omega (D) - i}\right) \right) \).

Let us prove the last inequality. First, \(2^{\omega (D)} \ll \#({{\,\textrm{cl}\,}}({\mathcal {O}})[2])\), so \(B \ll \#({{\,\textrm{cl}\,}}({\mathcal {O}})[2])\). Second, if \(\{\ell _i \mid \ell _i \le 2^{\omega (D) - i}\}\) is empty, then \(2^{\omega (D) - 1} < \ell _1 \le \ell _{\omega (D)}\) so \(2^{\omega (D)} \ll \ell _{\omega (D)}\). If it is not empty, clearly \(\max _i\left( \ell _i \mid \ell _i \le 2^{\omega (D) - i}\right) \ll \ell _{\omega (D)}\). In both cases, we deduce \(B \ll \ell _{\omega (D)}\). Lastly, it remains to see that \(B \ll L_{D}(1/2).\) Suppose there exists j such that \(\ell _j = \max _i\left( \ell _i \mid \ell _i \le 2^{\omega (D) - i}\right) \). We have \(\log _2(\ell _j) \le \omega (D) - j\), and

$$\begin{aligned} \log _2(D) \ge \sum _{i = j+1}^{\omega (D)} \log _2(\ell _i) \ge (\omega (D) - j)\log _2(\ell _j) \ge \log _2(\ell _j)^2. \end{aligned}$$

We deduce that \(\ell _j \le 2^{\log _2(D)^{1/2}}\), hence \(B \ll L_{D}(1/2)\). If there exists no such j, then

$$\begin{aligned} \log _2(D) \ge \sum _{i = 1}^{\omega (D)} \log _2(\ell _i) \ge \sum _{i = 1}^{\omega (D)} (\omega (D) - i) = \Theta (\omega (D)^2), \end{aligned}$$

so \(2^{\omega (D)} = L_D(1/2)\), hence \(B \ll L_{D}(1/2)\). \(\square \)
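The following Python script is an added illustration, not code from the paper or from the KULeuven-COSIC repository, of two steps discussed above at the level of the class group itself: Eve's distinguishing test from Sect. 4.1 (does \(\chi ([{\mathfrak {a}}])\chi ([{\mathfrak {b}}])\) equal \(\chi \) of the third class?) and the character-based pruning of square roots in the proof of Proposition 3. It models \({{\,\textrm{cl}\,}}({\mathcal {O}})\) by reduced binary quadratic forms of discriminant \(D\) with Dirichlet composition as the group law, and evaluates the assigned characters \(\chi _\ell \) of odd prime modulus \(\ell \mid D\) as Legendre symbols of represented values. Two simplifications are assumptions of this model: the character values are read off the classes directly, standing in for the pairing computation of Algorithm 1 / Theorem 2, and square roots in the class group are found by exhaustive enumeration rather than with [3]. Only characters of odd modulus are implemented (no \(\delta ,\epsilon \)), so the sample discriminants \(-1155 = -3\cdot 5\cdot 7\cdot 11\) and \(-55\) are odd; the function names `ddh_advantage` and `prune_square_roots` are my own.

```python
"""Genus characters of cl(O) on binary quadratic forms: a class-group-level model of
the DDH distinguisher of Sect. 4.1 and of the square-root pruning in Proposition 3."""
import random
from math import gcd


def ext_gcd(x, y):
    """Return (g, s, t) with s*x + t*y = g = gcd(x, y) >= 0 (x or y may be <= 0)."""
    r0, r1, s0, s1, t0, t1 = x, y, 1, 0, 0, 1
    while r1:
        q = r0 // r1
        r0, r1, s0, s1, t0, t1 = r1, r0 - q * r1, s1, s0 - q * s1, t1, t0 - q * t1
    return (r0, s0, t0) if r0 >= 0 else (-r0, -s0, -t0)


def reduce_form(a, b, c):
    """Unique reduced form equivalent to (a, b, c): |b| <= a <= c, b >= 0 if |b| == a or a == c."""
    D = b * b - 4 * a * c
    while True:
        if not -a < b <= a:                       # translate b into (-a, a]
            b = (b + a) % (2 * a) - a
            if b == -a:
                b = a
            c = (b * b - D) // (4 * a)
        if a > c or (a == c and b < 0):           # swap the outer coefficients
            a, b, c = c, -b, a
            continue
        return (a, b, c)


def compose(f1, f2):
    """Dirichlet composition of primitive forms of one discriminant: the group law of cl(O)."""
    (a1, b1, c1), (a2, b2, c2) = f1, f2
    D = b1 * b1 - 4 * a1 * c1
    e = (b1 + b2) // 2                            # exact: b1, b2 have the parity of D
    g1, u, v = ext_gcd(a1, a2)                    # u*a1 + v*a2 = g1
    g, s, w = ext_gcd(g1, e)                      # s*g1 + w*e = g = gcd(a1, a2, e)
    u, v = s * u, s * v                           # now u*a1 + v*a2 + w*e = g
    A = a1 * a2 // (g * g)
    B = (u * a1 * b2 + v * a2 * b1 + w * (b1 * b2 + D) // 2) // g % (2 * A)
    return reduce_form(A, B, (B * B - D) // (4 * A))


def class_group(D):
    """All reduced primitive forms of discriminant D < 0, one per class of cl(O)."""
    forms, a = [], 1
    while 3 * a * a <= -D:
        for b in range(-a + 1, a + 1):
            if (b * b - D) % (4 * a) == 0:
                c = (b * b - D) // (4 * a)
                if c >= a and not (a == c and b < 0) and gcd(gcd(a, b), c) == 1:
                    forms.append((a, b, c))
        a += 1
    return forms


def legendre(n, p):
    """Legendre symbol (n/p) for an odd prime p, by Euler's criterion."""
    r = pow(n % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def chi(form, ell):
    """Assigned character of odd prime modulus ell | D: Legendre symbol of a value
    represented by the form and coprime to ell (for a primitive form, a or c qualifies)."""
    a, _, c = form
    return legendre(a if a % ell else c, ell)


def ddh_advantage(D, ell, trials, seed=1):
    """Eve's test chi([a]) chi([b]) == chi(third class) from Sect. 4.1, at class-group level.
    Returns (passes on Diffie-Hellman triples, passes on uniformly random triples)."""
    rng, G = random.Random(seed), class_group(D)
    dh = rnd = 0
    for _ in range(trials):
        A, B = rng.choice(G), rng.choice(G)
        prod = chi(A, ell) * chi(B, ell)
        dh += prod == chi(compose(A, B), ell)    # always true: chi is a homomorphism
        rnd += prod == chi(rng.choice(G), ell)   # true with probability 1/2 for non-trivial chi
    return dh, rnd


def prune_square_roots(D, odd_primes, c, bound):
    """Toy model of Proposition 3: candidates for [c] given [c]^2 and chi_ell([c]) for the
    primes ell <= bound (the set P_1). Square roots are found by exhaustive search here
    (assumption of this model); the paper uses [3] and a basis of cl(O)[2]."""
    c_sq, small = compose(c, c), [ell for ell in odd_primes if ell <= bound]
    target = [chi(c, ell) for ell in small]
    return [f for f in class_group(D)
            if compose(f, f) == c_sq and [chi(f, ell) for ell in small] == target]


if __name__ == "__main__":
    # constructed sample input: D = -3*5*7*11 carries four assigned characters of odd modulus
    print(ddh_advantage(-1155, 5, 400))
    print(prune_square_roots(-1155, (3, 5, 7, 11), (3, 3, 97), 5))
```

For \(D = -1155\) every class is 2-torsion and the characters separate all eight classes, so the candidate set shrinks from 8 (no characters) to 2 (moduli 3 and 5) to the single correct class once modulus 7 is added; \(\chi _{11}\) is determined by the other three, as relation (3) predicts. For \(D = -55\) the two square roots \((2,\pm 1,7)\) of \((4,3,4)\) are inverse classes with identical character values: this is the residual set of size at most \(2^{\#P_2 + 1}\) that the proof of Proposition 3 resolves with Proposition 4. Squaring any class makes all \(\chi _\ell \) trivial, which is the countermeasure of restricting the action to \({{\,\textrm{cl}\,}}({\mathcal {O}})^2\) discussed in Sect. 4.1.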

The main result of this section is the following theorem.

Theorem 3

(ERH, reduction of \({\textsc {Effective}}\text { }{{\mathcal {O}}}-{\textsc {Vectorization}}\) to \({{\mathcal {O}}}-{\textsc {EndRing}}\)) Given an order \({\mathcal {O}}\) of discriminant \(-D\), the factorization \(D = \prod _{i = 1}^{\omega (D)}\ell _i^{e_i}\) (with \(\ell _i < \ell _{i+1}\)), three \({\mathcal {O}}\)-oriented elliptic curves \((E,\iota )\), \((E',\iota ')\), \((F,\jmath )\in {\mathcal {E}}\ell \ell _{{\mathcal {O}}}(k)\), together with bases of \({{\,\textrm{End}\,}}(E)\), \({{\,\textrm{End}\,}}(E')\) and \({{\,\textrm{End}\,}}(F)\), one can compute (or assert that it does not exist) an \({\mathcal {O}}\)-ideal \({\mathfrak {c}}\) such that \((E',\iota ') = [{\mathfrak {c}}] (E,\iota )\) and an efficient representation of \(\varphi _{\mathfrak {c}} : (F,\jmath ) \rightarrow [{\mathfrak {c}}] (F,\jmath )\) in probabilistic polynomial time in the length of the input and in

$$\begin{aligned} \min \left( 2^{\omega (D)},\max _i\left( \ell _i \mid \ell _i \le 2^{\omega (D) - i}\right) \right) \ll \min \left( L_{D}(1/2),\#({{\,\textrm{cl}\,}}({\mathcal {O}})[2]),\ell _{\omega (D)}\right) . \end{aligned}$$

Remark 5

This improves the result of [31, Thm. 2] in two ways. First, the worst case is now sub-exponential: when D is primorial, the running time of [31, Thm. 2] could reach about \(D^{1/\log \log D}\), while it is now always at most \(L_D(1/2)\). Second, Theorem 3 is now very efficient for a new important family of discriminants: when almost all prime divisors of D are small, no matter how many there are. In particular, primorial numbers (the worst case of [31, Thm. 2]) now benefit from a polynomial time algorithm.

Proof

Thanks to Proposition 3, the proof is a straightforward adaptation of the proof of [31, Thm. 2]. Suppose we are given \((E,\iota ),(E',\iota ')\in {\mathcal {E}}\ell \ell _{{\mathcal {O}}}(k)\), together with \({{\,\textrm{End}\,}}(E)\) and \({{\,\textrm{End}\,}}(E')\). Consider the involution \(\tau _p : {\mathcal {E}}\ell \ell _{{\mathcal {O}}}(k)\rightarrow {\mathcal {E}}\ell \ell _{{\mathcal {O}}}(k)\) defined in [31, Def. 7] as \(\tau _p(E,\iota ) = (E^{(p)},(\phi _p)_*{{\bar{\iota }}})\), where \({{\bar{\iota }}}\) is the conjugate of \(\iota \) (i.e., \({{\bar{\iota }}}(\alpha ) = \iota ({\overline{\alpha }})\) for any \(\alpha \in {\mathcal {O}}\)), and \(\phi _p : E\rightarrow E^{(p)}\) is the Frobenius isogeny.

Then, per [31, Prop. 11], one can compute \({\mathfrak {a}}\) and \({\mathfrak {b}}\) such that \(\tau _p(E,\iota ) = [{\mathfrak {a}}] (E,\iota )\) and \(\tau _p(E',\iota ') = [{\mathfrak {b}}] (E',\iota ')\) in polynomial time. From [31, Lem. 10], the ideal class of \({\mathfrak {c}}\) is one of the \(\#({{\,\textrm{cl}\,}}({\mathcal {O}})[2])\) square roots of \([{\mathfrak {a}}\overline{{\mathfrak {b}}}]\). Therefore, the ideal \({\mathfrak {c}}\) can be found by Proposition 3 within the claimed running time. Finally, compute an efficient representation of \(\varphi _{{\mathfrak {c}}} : (F,\jmath ) \rightarrow [{\mathfrak {c}}] (F,\jmath )\) in polynomial time with Proposition 4. \(\square \)

Corollary 1

Given an order \({\mathcal {O}}\) of discriminant \(-D\), and the factorization \(D = \prod _{i = 1}^{\omega (D)}\ell _i^{e_i}\) (with \(\ell _i < \ell _{i+1}\)), \({\textsc {Effective}}\text { }{{\mathcal {O}}}-{\textsc {Uber}}\) reduces to \({{\mathcal {O}}}-{\textsc {EndRing}}^*\) in probabilistic polynomial time in the length of the instance and in

$$\begin{aligned} \min \left( 2^{\omega (D)},\max _i\left( \ell _i \mid \ell _i \le 2^{\omega (D) - i}\right) \right) \ll \min \left( L_{D}(1/2),\#({{\,\textrm{cl}\,}}({\mathcal {O}})[2]),\ell _{\omega (D)}\right) . \end{aligned}$$

Proof

Again, this is a straightforward adaptation of [31, Cor. 4]. Suppose we are given \((E,\iota ),(F,\jmath ) \in {\mathcal {E}}\ell \ell _{{\mathcal {O}}}(k)\) and an \({\mathcal {O}}\)-orientable elliptic curve \(E'\). Solving \({{\mathcal {O}}}-{\textsc {EndRing}}^*\), one can find \(\varepsilon \)-bases of \({{\,\textrm{End}\,}}(E)\), \({{\,\textrm{End}\,}}(F)\) and \({{\,\textrm{End}\,}}(E')\), and an \({\mathcal {O}}\)-orientation \(\iota '\) of \(E'\). The result follows from Theorem 3. \(\square \)