Towards Quantum-Resistant Cryptosystems from Supersingular Elliptic Curve Isogenies

  • David Jao
  • Luca De Feo
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7071)


We present new candidates for quantum-resistant public-key cryptosystems based on the conjectured difficulty of finding isogenies between supersingular elliptic curves. The main technical idea in our scheme is that we transmit the images of torsion bases under the isogeny in order to allow the two parties to arrive at a common shared key despite the noncommutativity of the endomorphism ring. Our work is motivated by the recent development of a subexponential-time quantum algorithm for constructing isogenies between ordinary elliptic curves. In the supersingular case, by contrast, the fastest known quantum attack remains exponential, since the noncommutativity of the endomorphism ring means that the approach used in the ordinary case does not apply. We give a precise formulation of the necessary computational assumption along with a discussion of its validity. In addition, we present implementation results showing that our protocols are multiple orders of magnitude faster than previous isogeny-based cryptosystems over ordinary curves.


elliptic curves isogenies quantum-resistant public-key cryptosystems 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bostan, A., Morain, F., Salvy, B., Schost, É.: Fast algorithms for computing isogenies between elliptic curves. Math. Comp. 77(263), 1755–1778 (2008)MathSciNetCrossRefzbMATHGoogle Scholar
  2. 2.
    Bröker, R.: Constructing supersingular elliptic curves. J. Comb. Number Theory 1(3), 269–273 (2009)MathSciNetzbMATHGoogle Scholar
  3. 3.
    Canetti, R., Krawczyk, H.: Analysis of Key-Exchange Protocols and their Use for Building Secure Channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  4. 4.
    Charles, D., Lauter, K., Goren, E.: Cryptographic hash functions from expander graphs. Journal of Cryptology 22, 93–113 (2009)MathSciNetCrossRefzbMATHGoogle Scholar
  5. 5.
    Childs, A., Jao, D., Soukharev, V.: Constructing elliptic curve isogenies in quantum subexponential time (2010),
  6. 6.
    Couveignes, J.: Hard homogeneous spaces (2006),
  7. 7.
    Galbraith, S.: Constructing isogenies between elliptic curves over finite fields. LMS J. Comput. Math. 2, 118–138 (1999)MathSciNetCrossRefzbMATHGoogle Scholar
  8. 8.
    Galbraith, S.D., Hess, F., Smart, N.P.: Extending the GHS Weil Descent Attack. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 29–44. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  9. 9.
    Galbraith, S., Stolbunov, A.: Improved algorithm for the isogeny problem for ordinary elliptic curves (2011),
  10. 10.
    Joux, A.: The Weil and Tate Pairings as Building Blocks for Public Key Cryptosystems. In: Fieker, C., Kohel, D.R. (eds.) ANTS 2002. LNCS, vol. 2369, pp. 20–32. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  11. 11.
    Lagarias, J., Odlyzko, A.: Effective versions of the Chebotarev density theorem. In: Proc. Sympos. on Algebraic Number Fields: L-functions and Galois Properties, Univ. Durham, Durham, 1975, pp. 409–464. Academic Press, London (1977)Google Scholar
  12. 12.
    Montgomery, P.: Speeding the Pollard and elliptic curve methods of factorization. Mathematics of Computation 48(177), 243–264 (1987)MathSciNetCrossRefzbMATHGoogle Scholar
  13. 13.
    Petit, C., Lauter, K., Quisquater, J.-J.: Full Cryptanalysis of LPS and Morgenstern Hash Functions. In: Ostrovsky, R., De Prisco, R., Visconti, I. (eds.) SCN 2008. LNCS, vol. 5229, pp. 263–277. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  14. 14.
    Rostovtsev, A., Stolbunov, A.: Public-key cryptosystem based on isogenies (2006),
  15. 15.
    Silverman, J.: The arithmetic of elliptic curves. Graduate Texts in Mathematics, vol. 106. Springer, New York (1992); Corrected reprint of the 1986 originalGoogle Scholar
  16. 16.
    Stebila, D., Mosca, M., Lütkenhaus, N.: The Case for Quantum Key Distribution. In: Sergienko, A., Pascazio, S., Villoresi, P. (eds.) QuantumComm 2009. LNICS, vol. 36, pp. 283–296. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  17. 17.
    Stein, W., et al.: Sage Mathematics Software (Version 4.6.2). The Sage Development Team (2011),
  18. 18.
    Stolbunov, A.: Reductionist security arguments for public-key cryptographic schemes based on group action. In: Mjølsnes, S.F. (ed.) Norsk informasjonssikkerhetskonferanse (NISK), pp. 97–109 (2009)Google Scholar
  19. 19.
    Stolbunov, A.: Constructing public-key cryptographic schemes based on class group action on a set of isogenous elliptic curves. Adv. Math. Commun. 4(2), 215–235 (2010)MathSciNetCrossRefzbMATHGoogle Scholar
  20. 20.
    Tani, S.: Claw Finding Algorithms Using Quantum Walk. arXiv:0708.2584 (March 2008)Google Scholar
  21. 21.
    Tate, J.: Endomorphisms of abelian varieties over finite fields. Invent. Math. 2, 134–144 (1966)MathSciNetCrossRefzbMATHGoogle Scholar
  22. 22.
    Teske, E.: The Pohlig-Hellman method generalized for group structure computation. Journal of Symbolic Computation 27(6), 521–534 (1999)MathSciNetCrossRefzbMATHGoogle Scholar
  23. 23.
    The PARI Group, Bordeaux. PARI/GP, version 2.4.3 (2008)
  24. 24.
    Vélu, J.: Isogénies entre courbes elliptiques. C. R. Acad. Sci. Paris Sér. A-B 273, A238–A241 (1971)zbMATHGoogle Scholar
  25. 25.
    Zhang, S.: Promised and Distributed Quantum Search. In: Wang, L. (ed.) COCOON 2005. LNCS, vol. 3595, pp. 430–439. Springer, Heidelberg (2005)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • David Jao
    • 1
  • Luca De Feo
    • 2
  1. 1.Department of Combinatorics and OptimizationUniversity of WaterlooWaterlooCanada
  2. 2.Laboratoire PRiSMUniversité de VersaillesVersaillesFrance

Personalised recommendations