Faster Algorithms for Isogeny Problems Using Torsion Point Images

  • Christophe PetitEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10625)


There is a recent trend in cryptography to construct protocols based on the hardness of computing isogenies between supersingular elliptic curves. Two prominent examples are Jao-De Feo’s key exchange protocol and the resulting encryption scheme by De Feo-Jao-Plût. One particularity of the isogeny problems underlying these protocols is that some additional information is given as input, namely the image of some torsion points with order coprime to the isogeny. This additional information was used in several active attacks against the protocols but the current best passive attacks make no use of it at all.

In this paper, we provide new algorithms that exploit the additional information provided in isogeny protocols to speed up the resolution of the underlying problems. Our techniques lead to heuristic polynomial-time key recovery on two non-standard variants of De Feo-Jao-Plût’s protocols in plausible attack models. This shows that at least some isogeny problems are easier to solve when additional information is leaked.



We thank Bryan Birch, Jonathan Bootle, Luca De Feo, Steven Galbraith, Chloe Martindale, Lorenz Panny and Yan Bo Ti, as well as the anonymous reviewers of the Asiacrypt 2017 conference for their useful comments on preliminary versions of this paper. This work was developed while the author was at the Mathematical Institute of the University of Oxford, funded by a research grant from the UK government.


  1. 1.
    Ankeny, N.C.: The least quadratic non residue. Ann. Math. 55(1), 65–72 (1952)MathSciNetCrossRefzbMATHGoogle Scholar
  2. 2.
    Charles, D.X., Lauter, K.E., Goren, E.Z.: Cryptographic hash functions from expander graphs. J. Cryptol. 22(1), 93–113 (2009)MathSciNetCrossRefzbMATHGoogle Scholar
  3. 3.
    Coggia, D.: Implémentation d’une variante du protocole de key-exchange SIDH (2017).
  4. 4.
    Costello, C., Longa, P., Naehrig, M.: Efficient algorithms for supersingular isogeny Diffie-Hellman. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 572–601. Springer, Heidelberg (2016). CrossRefGoogle Scholar
  5. 5.
    Cremona, J.E., Rusin, D.: Efficient solution of rational conics. Math. Comput. 72(243), 1417–1441 (2003)MathSciNetCrossRefzbMATHGoogle Scholar
  6. 6.
    Delfs, C., Galbraith, S.D.: Computing isogenies between supersingular elliptic curves over \(\mathbb{F}_p\). Des. Codes Crypt. 78(2), 425–440 (2016)MathSciNetCrossRefzbMATHGoogle Scholar
  7. 7.
    Feo, L.D., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. J. Math. Cryptol. 8(3), 209–247 (2014)MathSciNetzbMATHGoogle Scholar
  8. 8.
    Galbraith, S.D., Petit, C., Shani, B., Ti, Y.B.: On the security of supersingular isogeny cryptosystems. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 63–91. Springer, Heidelberg (2016). CrossRefGoogle Scholar
  9. 9.
    Galbraith, S.D., Petit, C., Silva, J.: Identification protocols and signature schemes based on supersingular isogeny problems. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017, Part I. LNCS, vol. 10624, pp. 3–33. Springer, Cham (2017). Google Scholar
  10. 10.
    Gélin, A., Wesolowski, B.: Loop-abort faults on supersingular isogeny cryptosystems. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 93–106. Springer, Cham (2017). CrossRefGoogle Scholar
  11. 11.
    Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 19–34. Springer, Heidelberg (2011). CrossRefGoogle Scholar
  12. 12.
    Kohel, D.: Endomorphism rings of elliptic curves over finite fields. PhD thesis, University of California, Berkeley (1996)Google Scholar
  13. 13.
    Kohel, D., Lauter, K., Petit, C., Tignol, J.-P.: On the quaternion \(\ell \)-isogeny path problem. LMS J. Comput. Math. 17A, 418–432 (2014)MathSciNetCrossRefzbMATHGoogle Scholar
  14. 14.
    Petit, C.: Faster algorithms for isogeny problems using torsion point images. IACR Cryptology ePrint Archive, 2017:571 (2017)Google Scholar
  15. 15.
    Petit, C., Lauter, K.: Hard and easy problems in supersingular isogeny graphs (2017)Google Scholar
  16. 16.
    Canfield, R., Erdös, P., Pomerance, C.: On a problem of Oppenheim concerning “factorisatio numerorum”. J. Number Theory 17, 1–28 (1983)MathSciNetCrossRefzbMATHGoogle Scholar
  17. 17.
    Rostovtsev, A., Stolbunov, A.: Public-key cryptosystem based on isogenies. Cryptology ePrint Archive, Report 2006/145 (2006).
  18. 18.
    Silverman, J.: The Arithmetic of Elliptic Curves. Springer Verlag, New York (1986)CrossRefzbMATHGoogle Scholar
  19. 19.
    Simon, D.: Quadratic equations in dimensions 4, 5 and more. Preprint (2005).
  20. 20.
    Ti, Y.B.: Fault attack on supersingular isogeny cryptosystems. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 107–122. Springer, Cham (2017). CrossRefGoogle Scholar
  21. 21.
    Vignéras, M.-F.: Arithmétique des Algèbres de Quaternions. Springer, Heidelberg (2006). zbMATHGoogle Scholar
  22. 22.
    Fieker, C., Steel, A., Bosma, W., Cannon, J.J. (eds.): Handbook of Magma functions, edition 2.20 (2013).
  23. 23.
    Xi, S., Tian, H., Wang, Y.: Toward quantum-resistant strong designated verifier signature from isogenies. Int. J. Grid Util. Comput. 5(2), 292–296 (2012)Google Scholar
  24. 24.
    Yoo, Y., Azarderakhsh, R., Jalali, A., Jao, D., Soukharev, V.: A post-quantum digital signature scheme based on supersingular isogenies. Financial Crypto (2017)Google Scholar

Copyright information

© International Association for Cryptologic Research 2017

Authors and Affiliations

  1. 1.School of Computer ScienceUniversity of BirminghamBirminghamUK

Personalised recommendations