Towards Practical Key Exchange from Ordinary Isogeny Graphs

  • Luca De Feo
  • Jean Kieffer
  • Benjamin Smith
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11274)


We revisit the ordinary isogeny-graph based cryptosystems of Couveignes and Rostovtsev–Stolbunov, long dismissed as impractical. We give algorithmic improvements that accelerate key exchange in this framework, and explore the problem of generating suitable system parameters for contemporary pre- and post-quantum security that take advantage of these new algorithms. We also prove the session-key security of this key exchange in the Canetti–Krawczyk model, and the IND-CPA security of the related public-key encryption scheme, under reasonable assumptions on the hardness of computing isogeny walks. Our systems admit efficient key-validation techniques that yield CCA-secure encryption, thus providing an important step towards efficient post-quantum non-interactive key exchange (NIKE).


Keywords: Post-quantum cryptography, Key exchange, Elliptic curves, Isogenies



We would like to thank Wouter Castryck, Tanja Lange, Chloe Martindale, Lorenz Panny, and Joost Renes for sharing a draft of their paper with us, and Alexandre Gélin and François Morain for fruitful discussions. De Feo acknowledges the support of the French Programme d’Investissements d’Avenir under the national project RISQ n° P141580-3069086/DOS0044212.


References

  1. Abdalla, M., Bellare, M., Rogaway, P.: DHAES: an encryption scheme based on the Diffie-Hellman problem. Cryptology ePrint Archive, Report 1999/007 (1999).
  2. Abdalla, M., Bellare, M., Rogaway, P.: The oracle Diffie-Hellman assumptions and an analysis of DHIES. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 143–158. Springer, Heidelberg (2001).
  3. Atkin, A.O.L., Morain, F.: Elliptic curves and primality proving. Math. Comp. 61(203), 29–68 (1993).
  4. Azarderakhsh, R., et al.: Supersingular Isogeny Key Encapsulation (2017).
  5. Biasse, J.F., Jacobson, M.J., Silvester, A.K.: Security estimates for quadratic field based cryptosystems. In: Steinfeld, R., Hawkes, P. (eds.) Information Security and Privacy, pp. 233–247. Springer, Berlin, Heidelberg (2010).
  6. Biehl, I., Meyer, B., Müller, V.: Differential fault attacks on elliptic curve cryptosystems. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 131–146. Springer, Heidelberg (2000).
  7. Bostan, A., Morain, F., Salvy, B., Schost, É.: Fast algorithms for computing isogenies between elliptic curves. Math. Comput. 77(263), 1755–1778 (2008).
  8. Bröker, R., Lauter, K.E., Sutherland, A.V.: Modular polynomials via isogeny volcanoes. Math. Comput. 81(278), 1201–1231 (2012).
  9. Bruinier, J.H., Ono, K., Sutherland, A.V.: Class polynomials for nonholomorphic modular functions. J. Num. Theory 161, 204–229 (2016).
  10. Buchmann, J., Williams, H.C.: A key-exchange system based on imaginary quadratic fields. J. Crypt. 1(2), 107–118 (1988).
  11. Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001).
  12. Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: an efficient post-quantum commutative group action. In: Galbraith, S.D., Peyrin, T. (eds.) ASIACRYPT 2018. LNCS, vol. 11274, pp. 380–411. Springer (2018).
  13. Childs, A., Jao, D., Soukharev, V.: Constructing elliptic curve isogenies in quantum subexponential time. J. Math. Crypto. 8(1), 1–29 (2014).
  14. Ciet, M., Joye, M.: Elliptic curve cryptosystems in the presence of permanent and transient faults. Des. Codes Crypt. 36(1), 33–43 (2005).
  15. Cohen, H.: A Course in Computational Algebraic Number Theory. Springer, New York (1993).
  16. Cohen, H., Lenstra, H.W.: Heuristics on class groups of number fields. In: Jager, H. (ed.) Number Theory Noordwijkerhout 1983, pp. 33–62. Springer, Heidelberg (1984).
  17. Costello, C., Hisil, H.: A simple and compact algorithm for SIDH with arbitrary degree isogenies. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625. Springer, Heidelberg (2017).
  18. Costello, C., Smith, B.: Montgomery curves and their arithmetic. J. Crypt. Eng. 8(3), 227–240 (2017).
  19. Couveignes, J.M.: Hard homogeneous spaces. Cryptology ePrint Archive, Report 2006/291 (2006).
  20. Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167–226 (2003).
  21. De Feo, L.: Mathematics of isogeny based cryptography. CoRR abs/1711.04062 (2017).
  22. De Feo, L., Hugounenq, C., Plût, J., Schost, É.: Explicit isogenies in quadratic time in any characteristic. LMS J. Comput. Math. 19(A), 267–282 (2016).
  23. Delfs, C., Galbraith, S.D.: Computing isogenies between supersingular elliptic curves over \(\mathbb{F}_p\). Des. Codes Cryptography 78(2), 425–440 (2016).
  24. Serre, J.-P.: A Course in Arithmetic. GTM, vol. 7. Springer, New York (1973).
  25. Fieker, C., Hart, W., Hofmann, T., Johansson, F.: Nemo/Hecke: computer algebra and number theory packages for the Julia programming language. In: Proceedings of the 2017 ACM International Symposium on Symbolic and Algebraic Computation, ISSAC 2017, pp. 157–164. ACM, New York (2017).
  26. Fouquet, M., Morain, F.: Isogeny volcanoes and the SEA algorithm. In: Fieker, C., Kohel, D.R. (eds.) ANTS 2002. LNCS, vol. 2369. Springer, Heidelberg (2002).
  27. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999).
  28. Galbraith, S., Stolbunov, A.: Improved algorithm for the isogeny problem for ordinary elliptic curves. Appl. Algebra Eng. Commun. Comput. 24(2), 107–131 (2013).
  29. Galbraith, S.D.: Constructing isogenies between elliptic curves over finite fields. LMS J. Comput. Math. 2, 118–138 (1999).
  30. Galbraith, S.D.: Mathematics of Public Key Cryptography. Cambridge University Press, Cambridge (2012).
  31. Galbraith, S.D., Hess, F., Smart, N.P.: Extending the GHS Weil descent attack. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 29–44. Springer, Heidelberg (2002).
  32. Galbraith, S.D., Petit, C., Shani, B., Ti, Y.B.: On the security of supersingular isogeny cryptosystems. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 63–91. Springer, Heidelberg (2016).
  33. Hamdy, S., Möller, B.: Security of cryptosystems based on class groups of imaginary quadratic orders. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 234–247. Springer, Heidelberg (2000).
  34. Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki-Okamoto transformation. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 341–371. Springer, Cham (2017).
  35. Ionica, S., Joux, A.: Pairing the volcano. Math. Comput. 82(281), 581–603 (2013).
  36. Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.Y. (ed.) PQCrypto 2011. LNCS, vol. 7071. Springer, Heidelberg (2011).
  37. Jao, D., Miller, S.D., Venkatesan, R.: Expander graphs based on GRH with an application to elliptic curve cryptography. J. Number Theory 129(6), 1491–1504 (2009).
  38. Jao, D., Soukharev, V.: A subexponential algorithm for evaluating large degree isogenies. In: Hanrot, G., Morain, F., Thomé, E. (eds.) ANTS 2010. LNCS, vol. 6197. Springer, Heidelberg (2010).
  39. Kieffer, J.: Étude et accélération du protocole d’échange de clés de Couveignes-Rostovtsev-Stolbunov. Master’s thesis, Inria Saclay & Université Paris VI (2017).
  40. Ko, K.H., Lee, S.J., Cheon, J.H., Han, J.W., Kang, J., Park, C.: New public-key cryptosystem using braid groups. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 166–183. Springer, Heidelberg (2000).
  41. Kohel, D.R.: Endomorphism rings of elliptic curves over finite fields. Ph.D. thesis, University of California at Berkeley (1996).
  42. Kohel, D.R.: Echidna databases (2018).
  43. Kuperberg, G.: A subexponential-time quantum algorithm for the dihedral hidden subgroup problem. SIAM J. Comput. 35(1), 170–188 (2005).
  44. Kuperberg, G.: Another subexponential-time quantum algorithm for the dihedral hidden subgroup problem. In: Severini, S., Brandao, F. (eds.) 8th Conference on the Theory of Quantum Computation, Communication and Cryptography (TQC 2013). LIPIcs, vol. 22, pp. 20–34. Schloss Dagstuhl-Leibniz-Zentrum für Informatik, Dagstuhl, Germany (2013).
  45. Lang, S.: Elliptic Functions. Graduate Texts in Mathematics. Springer, New York (1987).
  46. Lim, C.H., Lee, P.J.: A key recovery attack on discrete log-based schemes using a prime order subgroup. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 249–263. Springer, Heidelberg (1997).
  47. Littlewood, J.E.: On the class-number of the corpus \(p(\sqrt{k})\). Proc. London Math. Soc. 2(1), 358–372 (1928).
  48. Maze, G., Monico, C., Rosenthal, J.: Public key cryptography based on semigroup actions. Adv. Math. Commun. 1(4), 489–507 (2007).
  49. Mestre, J.: La méthode des graphes. Exemples et applications. In: Proceedings of the International Conference on Class Numbers and Fundamental Units of Algebraic Number Fields (Katata), pp. 217–242 (1986).
  50. Miret, J.M., Moreno, R., Sadornil, D., Tena, J., Valls, M.: An algorithm to compute volcanoes of 2-isogenies of elliptic curves over finite fields. Appl. Math. Comput. 176(2), 739–750 (2006).
  51. Montgomery, P.L.: Speeding the Pollard and elliptic curve methods of factorization. Math. Comput. 48(177), 243–264 (1987).
  52. Morain, F.: Calcul du nombre de points sur une courbe elliptique dans un corps fini: aspects algorithmiques. J. Théor. Nombres Bordeaux 7(1), 255–282 (1995). Les Dix-huitièmes Journées Arithmétiques, Bordeaux (1993).
  53. National Institute of Standards and Technology: Announcing request for nominations for public-key post-quantum cryptographic algorithms (2016).
  54. Okeya, K., Kurumatani, H., Sakurai, K.: Elliptic curves with the Montgomery-form and their cryptographic applications. In: Imai, H., Zheng, Y. (eds.) PKC 2000. LNCS, vol. 1751. Springer, Heidelberg (2000).
  55. Regev, O.: A subexponential time algorithm for the dihedral hidden subgroup problem with polynomial space. arXiv:quant-ph/0406151 (June 2004).
  56. Renes, J.: Computing isogenies between Montgomery curves using the action of (0, 0). In: Lange, T., Steinwandt, R. (eds.) PQCrypto 2018. LNCS, vol. 10786, pp. 229–247. Springer, Cham (2018).
  57. Rostovtsev, A., Stolbunov, A.: Public-key cryptosystem based on isogenies. Cryptology ePrint Archive, Report 2006/145 (April 2006).
  58. Schoof, R.: Counting points on elliptic curves over finite fields. J. Théor. Nombres Bordeaux 7(1), 219–254 (1995).
  59. Silverman, J.H.: The Arithmetic of Elliptic Curves. GTM, vol. 106. Springer, New York (2009).
  60. Silverman, J.H.: Advanced Topics in the Arithmetic of Elliptic Curves. Graduate Texts in Mathematics. Springer, New York (1994).
  61. Stolbunov, A.: Reductionist security arguments for public-key cryptographic schemes based on group action. In: Mjølsnes, S.F. (ed.) Norsk informasjonssikkerhetskonferanse (NISK) (2009).
  62. Stolbunov, A.: Constructing public-key cryptographic schemes based on class group action on a set of isogenous elliptic curves. Adv. Math. Commun. 4(2), 215–235 (2010).
  63. Stolbunov, A.: Cryptographic schemes based on isogenies (2012).
  64. Sutherland, A.V.: Accelerating the CM method. LMS J. Comput. Math. 15, 172–204 (2012).
  65. Sutherland, A.V.: Constructing elliptic curves over finite fields with prescribed torsion. Math. Comput. 81, 1131–1147 (2012).
  66. Sutherland, A.V.: Modular polynomials (2018).
  67. Teske, E.: An elliptic curve trapdoor system. J. Crypt. 19(1), 115–133 (2006).
  68. Urbanik, D., Jao, D.: SoK: The problem landscape of SIDH. Cryptology ePrint Archive, Report 2018/336 (2018).
  69. Vélu, J.: Isogénies entre courbes elliptiques. C. R. Acad. Sci. Paris Sér. A-B 273, A238–A241 (1971).
  70. Zimmermann, P., Dodson, B.: 20 years of ECM. In: Hess, F., Pauli, S., Pohst, M. (eds.) ANTS 2006. LNCS, vol. 4076, pp. 525–542. Springer, Heidelberg (2006).
  71. Zimmermann, P., et al.: GMP-ECM software (2018).

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  1. UVSQ, LMV, Université Paris Saclay, Versailles, France
  2. École Normale Supérieure, Paris, France
  3. IMB - Institut de Mathématiques de Bordeaux, Inria Bordeaux - Sud-Ouest, Talence, France
  4. Inria and École polytechnique, Université Paris Saclay, Palaiseau, France
