Abstract
We revisit the ordinary isogenygraph based cryptosystems of Couveignes and Rostovtsev–Stolbunov, long dismissed as impractical. We give algorithmic improvements that accelerate key exchange in this framework, and explore the problem of generating suitable system parameters for contemporary pre and postquantum security that take advantage of these new algorithms. We also prove the sessionkey security of this key exchange in the Canetti–Krawczyk model, and the INDCPA security of the related publickey encryption scheme, under reasonable assumptions on the hardness of computing isogeny walks. Our systems admit efficient keyvalidation techniques that yield CCAsecure encryption, thus providing an important step towards efficient postquantum noninteractive key exchange (NIKE).
Keywords
 Postquantum cryptography
 Key exchange
 Elliptic curves
 Isogenies
Download conference paper PDF
1 Introduction
Isogenybased protocols form one of the youngest and leastexplored families of postquantum candidate cryptosystems. The bestknown isogenybased protocol is Jao and De Feo’s SIDH key exchange [36], from which the NIST candidate keyencapsulation mechanism SIKE was derived [4, 53]. SIDH was itself inspired by earlier keyexchange constructions by Couveignes [19] and Rostovtsev and Stolbunov [57, 61, 62], which were widely considered unwieldy and impractical.
Indeed, the origins of isogenybased cryptography can be traced back to Couveignes’ “Hard Homogeneous Spaces” manuscript, that went unpublished for ten years before appearing in [19]. A principal homogeneous space (PHS) for a group G is a set X with an action of G on X such that for any \(x,x'\in X\), there is a unique \(g\in G\) such that \(g\cdot x = x'\). Equivalently, the map \({\varphi }_x: g\mapsto g\cdot x\) is a bijection between G and X for any \(x\in X\). Couveignes defines a hard homogeneous space (HHS) to be a PHS where the action of G on X is efficiently computable, but inverting the isomorphism \({\varphi }_x\) is computationally hard for any x.
Any HHS X for an abelian group G can be used to construct a key exchange based on the hardness of inverting \(\varphi _x\), as shown in Algorithms 1 and 2. If Alice and Bob have keypairs \((g_A,x_A)\) and \((g_B,x_B)\), respectively, then the commutativity of G lets them derive a shared secret
The analogy with classic groupbased Diffie–Hellman is evident.
For example, if \(X=\langle {x}\rangle \) is cyclic of order p and \(G=(\mathbb {Z}/p\mathbb {Z})^*\) acts on \(X\setminus \{1\}\) by \(g{\cdot }x=x^g\), then inverting \({\varphi }_x\) is the discrete logarithm problem (DLP) in X. But inverting \({\varphi }_x\) for other homogeneous spaces may not be related to any DLP, and might resist attacks based on Shor’s quantum algorithm. Similar ideas have occasionally appeared in the literature in different forms [40, 48].
Couveignes viewed HHS chiefly as a general framework encompassing various Diffie–Hellmanlike systems. Nevertheless, he suggested using a specific HHS based on the theory of complex multiplication of elliptic curves, in a sense generalizing Buchmann and Williams’ classgroupbased Diffie–Hellman key exchange [10]. Independently, Rostovtsev and Stolbunov proposed in [57] a public key encryption scheme based on the same HHS. Later, Stolbunov [62] derived more protocols from this, including an interactive key exchange scheme similar to Algorithm 2. Rostovtsev and Stolbunov’s proposal deviates from the HHS paradigm in the way random elements of G are sampled, as we will explain in Sect. 3. This makes the primitive less flexible, but also more practical.
Rostovtsev and Stolbunov advertised their cryptosystems as potential postquantum candidates, leading Childs, Jao and Soukharev to introduce the first subexponential quantum algorithm capable of breaking them [13]. Hence, being already slow enough to be impractical in a classical security setting, their primitive appeared even more impractical in a quantum security setting.
But the Couveignes–Rostovtsev–Stolbunov primitive (CRS) has some important advantages over SIDH which make it worth pursuing. Unlike SIDH, CRS offers efficient and safe public key validation, making it suitable for noninteractive key exchange (NIKE). Further, CRS does not suffer from some of the potential cryptographic weaknesses that SIDH has, such as short paths and the publication of image points.
This paper aims to improve and modernize the CRS construction, borrowing techniques from SIDH and pointcounting algorithms, to the point of making it usable in a postquantum setting. Our main contributions are in Sects. 3, 4, where we present a new, more efficient way of computing the CRS group action, and in Sect. 5, where we give precise classic and quantum security estimates, formalize hardness assumptions, and sketch security proofs in stronger models than those previously considered. In Sect. 6 we present a proofofconcept implementation and measure its performance. While the final result is far from competitive, we believe it constitutes progress towards a valid isogenybased alternative to SIDH.
CSIDH. While preparing this paper we were informed of recent work by Castryck, Lange, Martindale, Panny, and Renes, introducing CSIDH, an efficient postquantum primitive based on CRS [12]. Their work builds upon the ideas presented in Sects. 3, 4, using them in a different homogeneous space where they apply effortlessly. Their breakthrough confirms that, if anything, our techniques were a fundamental step towards the first practical postquantum noninteractive key exchange protocol.
Side channel awareness. The algorithms we present here are not intended to provide any protection against basic sidechannel attacks. Uniform and constanttime algorithms for arbitrarydegree isogeny computations are an interesting open problem, but they are beyond the scope of this work.
2 Isogenies and Complex Multiplication
We begin by recalling some basic facts on isogenies of elliptic curves over finite fields. For an indepth introduction to these concepts, we refer the reader to [59]. For a general overview of isogenies and their use in cryptography, we suggest [21].
2.1 Isogenies Between Elliptic Curves
In what follows \(\mathbb {F}_q\) is a finite field of characteristic p with q elements, and \(\overline{\mathbb {F}}_q\) is its algebraic closure. Let E and \(E'\) be elliptic curves defined over \(\mathbb {F}_q\). A homomorphism \(\phi :E{\rightarrow }E'\) is an algebraic map sending \(0_E\) to \(0_{E'}\); it induces a group homomomorphism from \(E(\overline{\mathbb {F}}_q)\) to \(E'(\overline{\mathbb {F}}_q)\) [59, III.4]. An endomorphism is a homomorphism from a curve to itself. The endomorphisms of E form a ring \({{\mathrm{End}}}(E)\), with the group law on E for addition and composition for multiplication. The simplest examples of endomorphisms are the scalar multiplications [m] (mapping P to the sum of m copies of P) and the Frobenius endomorphism
As an element of \({{\mathrm{End}}}(E)\), Frobenius satisfies a quadratic equation \(\pi ^2 + q = t\pi \). The integer t (the trace) fully determines the order of E as \(\#E(\mathbb {F}_q)=q+1t\). A curve is called supersingular if p divides t, ordinary otherwise.
An isogeny is a nonzero homomorphism of elliptic curves. The degree of an isogeny is its degree as an algebraic map, so for example the Frobenius endomorphism \(\pi \) has degree q, and the scalar multiplication [m] has degree \(m^2\). Isogenies of degree \(\ell \) are called \(\ell \)isogenies. The kernel \(\ker {\phi }\) of \(\phi \) is the subgroup of \(E(\overline{\mathbb {F}}_q)\) that is mapped to \(0_{E'}\). An isogeny \({\phi }\) is cyclic if \(\ker {\phi }\) is a cyclic group.
An isomorphism is an isogeny of degree \(1\). An isomorphism class of elliptic curves is fully determined by their common jinvariant in \(\overline{\mathbb {F}}_q\). If any curve in the isomorphism class is defined over \(\mathbb {F}_q\), then its jinvariant is in \(\mathbb {F}_q\).
Any isogeny can be factored as a composition of a separable and a purely inseparable isogeny. Purely inseparable isogenies have trivial kernel, and degree a power of p. Separable isogenies include all isogenies of degree coprime to p. Up to isomorphism, separable isogenies are in onetoone correspondence with their kernels: for any finite subgroup \(G{\subset }E\) of order \(\ell \) there is an elliptic curve E / G and an \(\ell \)isogeny \(\phi : E \rightarrow E/G\) such that \(\ker \phi = G\), and the curve and isogeny are unique up to isomorphism. In particular, if \(\phi \) is separable then \(\deg {\phi }=\#\ker {\phi }\). It is convenient to encode \(\ker \phi \) as the polynomial whose roots are the xcoordinates of the points in \(\ker \phi \), called the kernel polynomial of \(\phi \).
For any \(\ell \)isogeny \({\phi }:E\rightarrow {E}'\), there is a unique \(\ell \)isogeny \(\hat{{\phi }}:E'\rightarrow {E}\) such that \({\phi }\circ \hat{{\phi }} = [\ell ]\) on \(E'\) and \(\hat{{\phi }}\circ {\phi } = [\ell ]\) on E. We call \(\hat{{\phi }}\) the dual of \({\phi }\). This shows that being \(\ell \)isogenous is a symmetric relation, and that being isogenous is an equivalence relation. Further, a theorem of Tate states that two curves are isogenous over \(\mathbb {F}_q\) if and only if they have the same number of points over \(\mathbb {F}_q\).
2.2 Isogeny Graphs
Isogenybased cryptosystems are based on isogeny graphs. These are (multi)graphs whose vertices are elliptic curves up to isomorphism, and whose edges are isogenies between them (again up to isomorphism). The use of isogeny graphs for algorithmic applications goes back to Mestre and Oesterlé [49], followed notably by Kohel [41], and has been continued by many authors [26, 29, 31, 37, 50].
We write \(E[\ell ]\) for the subgroup of \(\ell \)torsion points of \(E(\overline{\mathbb {F}}_q)\). If \(\ell \) is coprime to p, then \(E[\ell ]\) is isomorphic to \((\mathbb {Z}/\ell \mathbb {Z})^2\). Furthermore, if \(\ell \) is prime then \(E[\ell ]\) contains exactly \(\ell +1\) cyclic subgroups of order \(\ell \); it follows that, over \(\overline{\mathbb {F}}_q\), there are exactly \(\ell +1\) distinct (nonisomorphic) separable \(\ell \)isogenies from E to other curves. Generically, a connected component of the \(\ell \)isogeny graph over \(\overline{\mathbb {F}}_q\) will be an infinite \((\ell +1)\)regular graph (a notable exception is the finite connected component of supersingular curves, used in SIDH and related protocols).
We now restrict to isogenies defined over \(\mathbb {F}_q\). If E and \(E'\) are elliptic curves over \(\mathbb {F}_q\), then an isogeny \({\phi }:E{\rightarrow }E'\) is defined over \(\mathbb {F}_q\) (up to a twist of \(E'\)) if and only if the Frobenius endomorphism \(\pi \) on E stabilizes \(\ker {\phi }\). We emphasize that the points in \(\ker \phi \) need not be defined over \(\mathbb {F}_q\) themselves.
For the vertices of the \(\overline{\mathbb {F}}_q\)isogeny graph we use jinvariants, which classify elliptic curves up to \(\overline{\mathbb {F}}_q\)isomorphism; but in the sequel we want to work up to \(\mathbb {F}_q\)isomorphism, a stronger equivalence. If E and \(\tilde{E}\) are not \(\mathbb {F}_q\)isomorphic but \(j(E) = j(\tilde{E})\), then \(\tilde{E}\) is the quadratic twist of E (which is defined and unique up to \(\mathbb {F}_q\)isomorphism).^{Footnote 1} When E is ordinary, its quadratic twist has a different cardinality (if \(\#E(\mathbb {F}_q) = q + 1  t\), then \(\#\tilde{E}(\mathbb {F}_q) = q + 1 + t\)), so E and \(\tilde{E}\) are in different components of the isogeny graph. But every \(\mathbb {F}_q\)isogeny \(\phi : E \rightarrow E'\) corresponds to an \(\mathbb {F}_q\)isogeny \(\tilde{\phi }: \tilde{E} \rightarrow \tilde{E}'\) of the same degree between the quadratic twists. The component of the \(\mathbb {F}_q\)isogeny graph containing an ordinary curve and the component containing its twist are thus isomorphic; we are therefore justified in identifying them, using jinvariants in \(\mathbb {F}_q\) for vertices in the \(\mathbb {F}_q\)graph.^{Footnote 2} This is not just a mathematical convenience: we will see in Sect. 3 below that switching between a curve and its twist often allows a useful optimization in isogeny computations.
If an isogeny \({\phi }\) is defined over \(\mathbb {F}_q\) and cyclic, then \(\pi \) acts like a scalar on the points of \(\ker {\phi }\). Thus, for any prime \(\ell \ne p\), the number of outgoing \(\ell \)isogenies from E defined over \(\mathbb {F}_q\) can be completely understood by looking at how \(\pi \) acts on \(E[\ell ]\). Since \(E[\ell ]\) is a \(\mathbb {Z}/\ell \mathbb {Z}\)module of rank 2, the action of \(\pi \) is represented by a \(2 \times 2\) matrix with entries in \(\mathbb {Z}/\ell \mathbb {Z}\) and characteristic polynomial \(X^2tX+q\mod \ell \). We then have four possibilities:

(0)
\(\pi \) has no eigenvalues in \(\mathbb {Z}/\ell \mathbb {Z}\), i.e. \(X^2tX+q\) is irreducible modulo \(\ell \); then E has no \(\ell \)isogenies.

(1.1)
\(\pi \) has one eigenvalue of (geometric) multiplicity one, i.e. it is conjugate to a nondiagonal matrix \(\left( {\begin{matrix}\lambda &{}*\\ 0&{}\lambda \end{matrix}}\right) \); then there is one \(\ell \)isogeny from E.

(1.2)
\(\pi \) has one eigenvalue of multiplicity two, i.e. it acts like a scalar matrix \(\left( {\begin{matrix}\lambda &{}0\\ 0&{}\lambda \end{matrix}}\right) \); then there are \(\ell +1\) isogenies of degree \(\ell \) from E.

(2)
\(\pi \) has two distinct eigenvalues, i.e. it is conjugate to a diagonal matrix \(\left( {\begin{matrix}\lambda &{}0\\ 0&{}\mu \end{matrix}}\right) \) with \(\lambda \ne \mu \); then there are two \(\ell \)isogenies from E.
The primes \(\ell \) in Case (2) are called Elkies primes for E; these are the primes of most interest to us. Cases (1.x) are only possible if \(\ell \) divides \(\varDelta _pi = t^24q\), the discriminant of the characteristic equation of \(\pi \); for ordinary curves \(\varDelta _pi \ne 0\), so only a finite number of \(\ell \) will fall in these cases, and they will be mostly irrelevant to our cryptosystem. We do not use any \(\ell \) in Case (0).
Since all curves in the same isogeny class over \(\mathbb {F}_q\) have the same number of points, they also have the same trace t and discriminant \(\varDelta _\pi \). It follows that if \(\ell \) is Elkies for some E in \({{\mathrm{Ell}}}_q(\mathcal {O})\), then it is Elkies for every curve in \({{\mathrm{Ell}}}_q(\mathcal {O})\).
Hence, if \(\ell \) is an Elkies prime for a curve E, then the connected component of E in the \(\ell \)isogeny graph is a finite 2regular graph—that is, a cycle. In the next subsection we describe a group action on this cycle, and determine its size.
2.3 Complex Multiplication
In this subsection we focus exclusively on ordinary elliptic curves. If E is an ordinary curve with Frobenius \(\pi \), then \({{\mathrm{End}}}(E)\) is isomorphic to an order ^{Footnote 3} in the quadratic imaginary field \(\mathbb {Q}(\sqrt{\varDelta _\pi })\) (see [59, III.9]). A curve whose endomorphism ring is isomorphic to an order \(\mathcal {O}\) is said to have complex multiplication by \(\mathcal {O}\). For a detailed treatment of the theory of complex multiplication, see [45, 60].
The ring of integers \(\mathcal {O}_K\) of \(K=\mathbb {Q}(\sqrt{\varDelta _\pi })\) is its maximal order: it contains any other order of K. Hence \(\mathbb {Z}[\pi ]\subset {{\mathrm{End}}}(E)\subset \mathcal {O}_K\), and there is only a finite number of possible choices for \({{\mathrm{End}}}(E)\). If we write \(\varDelta _\pi =d^2\varDelta _K\), where \(\varDelta _K\) is the discriminant^{Footnote 4} of \(\mathcal {O}_K\), then the index \([\mathcal {O}_K:{{\mathrm{End}}}(E)]\) must divide \(d=[\mathcal {O}_K:\mathbb {Z}[\pi ]]\).
It turns out that isogenies allow us to navigate the various orders. If \({\phi }:E{\rightarrow }E'\) is an \(\ell \)isogeny, then one of the following holds [41, Prop. 21]:

\({{\mathrm{End}}}(E) = {{\mathrm{End}}}(E')\), and then \({\phi }\) is said to be horizontal;

\([{{\mathrm{End}}}(E):{{\mathrm{End}}}(E')] = \ell \), and then \({\phi }\) is said to be descending;

\([{{\mathrm{End}}}(E'):{{\mathrm{End}}}(E)] = \ell \), and then \({\phi }\) is said to be ascending.
Notice that the last two cases can only happen if \(\ell \) divides \(d^2=\varDelta _\pi /\varDelta _K\), and thus correspond to Cases (1.x) in the previous subsection. If \(\ell \) does not divide \(\varDelta _\pi \), then \({\phi }\) is necessarily horizontal.
We now present a group action on the set of all curves up to isomorphism having complex multiplication by a fixed order \(\mathcal {O}\); the key exchange protocol of Sect. 3 will be built on this action. Let \(\mathfrak a\) be an invertible ideal in \({{\mathrm{End}}}(E)\simeq \mathcal {O}\) of norm prime to p, and define the \({\mathfrak a}\)torsion subgroup of E as
This subgroup is the kernel of a separable isogeny \(\phi _{\mathfrak a}\).^{Footnote 5} The codomain \(E/E[\mathfrak a]\) of \(\phi _{\mathfrak a}\) is welldefined up to isomorphism and will be denoted \(\mathfrak a\cdot E\). The isogeny \(\phi _{\mathfrak a}\) is always horizontal—that is, \({{\mathrm{End}}}(\mathfrak a \cdot E) = {{\mathrm{End}}}(E)\)—and its degree is the norm of \(\mathfrak a\) as an ideal of \({{\mathrm{End}}}(E)\).
Let \({{\mathrm{Ell}}}_q(\mathcal {O})\) be the set of isomorphism classes over \(\overline{\mathbb {F}}_q\) of curves with complex multiplication by \(\mathcal {O}\), and assume it is nonempty. The construction above gives rise to an action of the group of fractional ideals of \(\mathcal {O}\) on \({{\mathrm{Ell}}}_q(\mathcal {O})\). Furthermore, the principal ideals act trivially (the corresponding isogenies are endomorphisms), so this action induces an action of the ideal class group \(\mathcal {C}(\mathcal {O})\) on \({{\mathrm{Ell}}}_q(\mathcal {O})\).
The main theorem of complex multiplication states that this action is simply transitive. In other terms, \({{\mathrm{Ell}}}_q(\mathcal {O})\) is a PHS under the group \(\mathcal {C}(\mathcal {O})\): if we fix a curve E as base point, then we have a bijection
The order of \(\mathcal {C}(\mathcal {O})\) is called the class number of \(\mathcal {O}\), and denoted by \(h(\mathcal {O})\). An immediate consequence of the theorem is that \(\#{{\mathrm{Ell}}}_q(\mathcal {O})=h(\mathcal {O})\).
As before, we work with \(\mathbb {F}_q\)isomorphism classes. Then \({{\mathrm{Ell}}}_q(\mathcal {O})\) decomposes into two isomorphic PHSes under \(\mathcal {C}(\mathcal {O})\), each containing the quadratic twists of the curves in the other. We choose one of these two components, that we will also denote \({{\mathrm{Ell}}}_q(\mathcal {O})\) in the sequel. (The choice is equivalent to a choice of isomorphism \({{\mathrm{End}}}(E) \cong \mathcal {O}\), and thus to a choice of sign on the image of \(\pi \) in \(\mathcal {O}\).)
Now let \(\ell \) be an Elkies prime for \(E\in {{\mathrm{Ell}}}_q(\mathcal {O})\). So far, we have seen that the connected component of E in the \(\ell \)isogeny graph is a cycle of horizontal isogenies. Complex multiplication tells us more. The restriction of the Frobenius to \(E[\ell ]\) has two eigenvalues \(\lambda \ne \mu \), to which we associate the prime ideals \(\mathfrak {a}=(\pi \lambda ,\ell )\) and \(\hat{\mathfrak a}=(\pi \mu ,\ell )\), both of norm \(\ell \). We see then that \(E[\mathfrak a]\) is the eigenspace of \(\lambda \), defining an isogeny \({\phi }_{\mathfrak {a}}\) of degree \(\ell \). Furthermore \(\mathfrak a\hat{\mathfrak a} = \hat{\mathfrak a}\mathfrak a = (\ell )\), implying that \(\mathfrak a\) and \(\hat{\mathfrak a}\) are the inverse of one another in \(\mathcal {C}(\mathcal {O})\), thus the isogeny \({\phi }_{\hat{\mathfrak a}}:\mathfrak a{\cdot }E{\rightarrow }E\) of kernel \((\mathfrak a{\cdot }E)[\hat{\mathfrak a}]\) is the dual of \({\phi }_{\mathfrak a}\) (up to isomorphism).
The eigenvalues \(\lambda \) and \(\mu \) define opposite directions on the \(\ell \)isogeny cycle, independent of the starting curve, as shown in Fig. 1. The size of the cycle is the order of \((\pi \lambda ,\ell )\) in \(\mathcal {C}(\mathcal {O})\), thus partitioning \({{\mathrm{Ell}}}_q(\mathcal {O})\) into cycles of equal size.
3 Key Exchange from Isogeny Graphs
We would like to instantiate the key exchange protocol of Algorithm 2 with the PHS \(X = {{\mathrm{Ell}}}_q(\mathcal {O})\) for the group \(G = \mathcal {C}(\mathcal {O})\), for some well chosen order \(\mathcal {O}\) in a quadratic imaginary field. However, given a generic element of \(\mathcal {C}(\mathcal {O})\), the best algorithm [38] to evaluate its action on \({{\mathrm{Ell}}}_q(\mathcal {O})\) has subexponential complexity in q, making the protocol infeasible. The solution, following Couveignes [19], is to fix a set S of small prime ideals in \(\mathcal {O}\), whose action on X can be computed efficiently, and such that compositions of elements of S cover the whole of G. The action of an arbitrary element of G is then the composition of a series of actions by small elements in S. As Rostovtsev and Stolbunov [57] observed, it is useful to visualise this decomposed action as a walk in an isogeny graph.
3.1 Walks in Isogeny Graphs
Let G be a group, X a PHS for G, and S a subset of G. The Schreier graph \(\mathcal {G}(G,S,X)\) is the labelled directed graph whose vertex set is X, and where an edge labelled by \({s}\in {S}\) links \(x_1\) to \(x_2\) if and only if \(s\cdot x_1 = x_2\). It is isomorphic to a Cayley graph for G. If S is symmetric (that is, \(S^{1}=S\)), then we associate the same label to s and \(s^{1}\), making the graph undirected.
A walk in \(\mathcal {G}(G,S,X)\) is a finite sequence \((s_1,\ldots ,s_n)\) of steps in S. We define the action of this walk on X as
In our application G is abelian, so the order of the steps \(s_i\) does not matter. We can use this action directly in the key exchange protocol of Algorithm 2, by simply taking private keys to be walks instead of elements in G.
Example 1
Figure 2 shows \(\mathcal {G}(G,S,X)\) where \(G=(\mathbb {Z}/13\mathbb {Z})^*\), \(S = \{2,3,5\}\cup \{2^{1},3^{1},5^{1}\}\), and \(X = \langle {x}\rangle \setminus \{1\}\) is a cyclic group of order 13, minus its identity element. The action of G on X is exponentiation: \(g{\cdot }x=x^g\). The action of 11, which takes \(x^k\) to \(x^{11k}\), can be expressed using the walks (2, 5, 5), or \((2^{1},3^{1})\), or (3, 5), for example. Note that 5 has order 4 modulo 13, thus partitioning \(\langle {x}\rangle \setminus \{1\}\) into 3 cycles of length 4.
Returning to the world of isogenies, we now take

\(X={{\mathrm{Ell}}}_q(\mathcal {O})\) as the vertex set, for some wellchosen q and \(\mathcal {O}\); in particular we require \(\mathcal {O}\) to be the maximal order (see Sect. 5).

\(G=\mathcal {C}(\mathcal {O})\) as the group acting on X;

S a set of ideals, whose norms are small Elkies primes in \(\mathcal {O}\).
The graph \(\mathcal {G}(G,S,X)\) is thus an isogeny graph, composed of many isogeny cycles (one for the norm of each prime in S) superimposed on the vertex set \({{\mathrm{Ell}}}_q(\mathcal {O})\). It is connected if S generates \(\mathcal {C}(\mathcal {O})\). Walks in \(\mathcal {G}(G,S,X)\) are called isogeny walks.
We compute the action of an ideal \(\mathfrak s\) (a single isogeny step) on an \(x{\in }{{\mathrm{Ell}}}_q(\mathcal {O})\) by choosing a representative curve E with \(x = j(E)\), and computing an isogeny \({\phi }_{\mathfrak s}:E{\rightarrow }E'\) from E corresponding to \(\mathfrak {s}\); the resulting vertex is \(\mathfrak s \cdot x = j(E')\). The action of an isogeny walk \((\mathfrak s_i)_i\) is then evaluated as the sequence of isogeny steps \({\phi }_{\mathfrak s_i}\). Algorithms for these operations are given in the next subsection.
Using this “smooth” representation of elements in \(\mathcal {C}(\mathcal {O})\) as isogeny walks lets us avoid computing \(\mathcal {C}(\mathcal {O})\) and \({{\mathrm{Ell}}}_q(\mathcal {O})\), and avoid explicit ideal class arithmetic; only isogenies between elliptic curves are computed. In practice, we reuse the elliptic curve \(E'\) from one step as the E in the next; but we emphasize that when isogeny walks are used for Diffie–Hellman, the resulting public keys and shared secrets are not the final elliptic curves, but their jinvariants.
3.2 Computing Isogeny Walks
Since \(\mathcal {C}(\mathcal {O})\) is commutative, we can break isogeny walks down into a succession of walks corresponding to powers of single primes \(\mathfrak {s} = (\ell ,\pi \lambda )\); that is, repeated applications of the isogenies \(\phi _{\mathfrak {s}}\). Depending on \(\mathfrak {s}\), we will compute each sequence of \(\phi _{\mathfrak s}\) using one of two different methods:

Algorithm 5 (ElkiesWalk) uses Algorithm 3 (ElkiesFirstStep) followed by a series of calls to Algorithm 4 (ElkiesNextStep), both which use the modular polynomial \(\varPhi _\ell (X, Y)\). This approach works for any \(\mathfrak s\).

Algorithm 7 (VéluWalk) uses a series of calls to Algorithm 6 (VéluStep). This approach, which uses torsion points on E, can only be applied when \(\lambda \) satisfies certain properties.
Rostovtsev and Stolbunov only used analogues of Algorithms 3 and 4. The introduction of VéluStep, inspired by SIDH and related protocols (and now a key ingredient in the CSIDH protocol [12]), speeds up our protocol by a considerable factor; this is the main practical contribution of our work.
Elkies steps. Algorithms 3 and 4 compute single steps in the \(\ell \)isogeny graph. Their correctness follows from the definition of the modular polynomial \(\varPhi _\ell \): a cyclic \(\ell \)isogeny exists between two elliptic curves E and \(E'\) if and only if \(\varPhi _\ell (j(E), j(E')) = 0\) (see [58, Sect. 6] and [24, Sect. 3] for the relevant theory). One may use the classical modular polynomials here, or alternative, lowerdegree modular polynomials (Atkin polynomials, for example) with minimal adaptation to the algorithms. In practice, \(\varPhi _\ell \) is precomputed and stored: several publicly available databases exist (see [42] and [8, 9, 66], for example).
Given a jinvariant j(E), we can compute its two neighbours in the \(\ell \)isogeny graph by evaluating \(P(X) = \varPhi _\ell (j(E),X)\) (a polynomial of degree \(\ell +1\)), and then computing its two roots in \(\mathbb {F}_q\). Using a Cantor–Zassenhaustype algorithm, this costs \(\tilde{O}(\ell \log q)\) \(\mathbb {F}_q\)operations.
We need to make sure we step towards the neighbour in the correct direction. If we have already made one such step, then this is easy: it suffices to avoid backtracking. Algorithm 4 (ElkiesNextStep) does this by removing the factor corresponding to the previous jinvariant in Line 4; this algorithm can be used for all but the first of the steps corresponding to \(\mathfrak {s}\).
It remains to choose the right direction in the first step for \(\mathfrak {s} = (\ell ,\pi \lambda )\). In Algorithm 3 we choose one of the two candidates for \(\phi _{\mathfrak s}\) arbitrarily, and compute its kernel polynomial. This costs \(\tilde{O}(\ell )\) \(\mathbb {F}_q\)operations using the Bostan–Morain–Salvy–Schost algorithm [7] with asymptotically fast polynomial arithmetic. We then compute an element Q of \(\ker \phi _\mathfrak {s}\) over an extension of \(\mathbb {F}_q\) of degree at most \(\frac{\ell 1}{2}\), then evaluate \(\pi (Q)\) and \([\lambda ]Q\). If they match, then we have chosen the right direction; otherwise we take the other root of P(X).
Algorithm 5 (ElkiesWalk) combines these algorithms to compute the iterated action of \(\mathfrak {s}\). Line 5 ensures that the curve returned is the the correct component of the \(\ell \)isogeny graph. Both ElkiesFirstStep and ElkiesNextStep cost \(\tilde{O}(\ell \log q)\) \(\mathbb {F}_q\)operations, dominated by the calculation of the roots of P(X).
Vélu steps. For some ideals \(\mathfrak {s} = (\ell ,\pi \lambda )\), we can completely avoid modular polynomials, and the costly computation of their roots, by constructing \(\ker \phi _{\mathfrak {s}}\) directly from \(\ell \)torsion points. Let r be the order of \(\lambda \) modulo \(\ell \); then \(\ker \phi _{\mathfrak s} \subseteq E(\mathbb {F}_{q^r})\). If r is not a multiple of the order of the other eigenvalue \(\mu \) of \(\pi \) on \(E[\ell ]\), then \(E[\ell ](\mathbb {F}_{q^r}) = \ker \phi _{\mathfrak s}\). Algorithm 6 (VéluStep) exploits this fact to construct a generator Q of \(\ker \phi _{\mathfrak s}\) by computing a point of order \(\ell \) in \(E(\mathbb {F}_{q^r})\). The roots of the kernel polynomial of \(\phi _{\mathfrak s}\) \(x(Q), \ldots , x([(\ell 1)/2]Q)\).^{Footnote 6}
Constructing a point Q of order \(\ell \) in \(E(\mathbb {F}_{q^r})\) is straightforward: we take random points and multiply by the cofactor \(C_r/\ell \), where \(C_r := \#E(\mathbb {F}_{q^r})\). Each trial succeeds with probability \(1  1/\ell \). Note that \(C_r\) can be easily (pre)computed from the Frobenius trace t: if we write \(C_r = q  t_r + 1\) for \(r > 0\) (so \(t_1 = t\)) and \(t_0 = 2\), then the \(t_r\) satisfy the recurrence \(t_r = t\cdot t_{r1}  q\cdot t_{r2}\).
We compute the quotient curve in Line 6 with Vélu’s formulæ [69] in \(O(\ell )\) \(\mathbb {F}_q\)operations. Since \(\log C_r\simeq r\log q\), provided \(\ell = O(\log q)\), the costly step in Algorithm 6 is the scalar multiplication at Line 3, which costs \(\tilde{O}(r^2\log q)\) \(\mathbb {F}_q\)operations.
Comparing the costs. To summarize:

Elkies steps cost \(\tilde{O}(\ell \log q)\) \(\mathbb {F}_q\)operations;

Vélu steps cost \(\tilde{O}(r^2\log q)\) \(\mathbb {F}_q\)operations, where r is the order of \(\lambda \) in \(\mathbb {Z}/\ell \mathbb {Z}\).
In general \(r = O(\ell )\), so Elkies steps should be preferred. However, when r is particularly small (and not a multiple of the order of the other eigenvalue), a factor of \(\ell \) can be saved using Vélu steps. The value of r directly depends on \(\lambda \), which is in turn determined by \(\#E(\mathbb {F}_p)\) mod \(\ell \). Thus, we see that better Step performances depend on the ability to find elliptic curves whose order satisfies congruence conditions modulo small primes. Unfortunately, we can only achieve this partially (see Sect. 4), so the most efficient solution is to use Vélu steps when we can, and Elkies steps for some other primes.
In practice, Algorithm 6 can be improved by using elliptic curve models with more efficient arithmetic. In our implementation (see Sect. 6), we used xonly arithmetic on Montgomery models [18, 51], which also have convenient Vélu formulæ [17, 56]. Note that we can also avoid computing ycoordinates in Algorithm 6 at Line 5 if \(\lambda \ne \pm \mu \): this is the typical case for Elkies steps, and we used this optimization for all Elkies primes in our implementation.
Remark 1
Note that, in principle, Algorithm 6, can only be used to walk in one direction \(\mathfrak {s}_{\lambda }=(\ell ,\pi {\lambda })\), and not in the opposite one \(\mathfrak s_\mu =(\ell ,\pi \mu )\). Indeed we have assumed that \(E[\mathfrak {s}_\lambda ]\) is in \(E(\mathbb {F}_{q^r})\), while \(E[\mathfrak s_\mu ]\) is not. However, switching to a quadratic twist \(\tilde{E}\) of E over \(\mathbb {F}_{q^r}\) changes the sign of the Frobenius eigenvalues, thus it may happen that \(\tilde{E}[\mathfrak s_{\mu }]\) is in \(\tilde{E}(\mathbb {F}_{q^r})\), while \(\tilde{E}[\mathfrak s_{\lambda }]\) is not. It is easy to force this behavior by asking that \(p \equiv 1\pmod {\ell }\), indeed then \(\lambda = 1/\mu \).
For these eigenvalue pairs we can thus walk in both directions using Vélu steps at no additional cost, following either the direction \(\lambda \) on E, or the direction \(\mu \) on a twist. In Algorithm 6, only the curve order and the random point sampling need to be modified when using quadratic twists.
3.3 Sampling Isogeny Walks for Key Exchange
We now describe how keys are generated and exchanged in our protocol. Since the cost of the various isogeny walks depends on the ideals chosen, we will use adapted, or skewed, smooth representations when sampling elements in \(\mathcal {C}(\mathcal {O})\) in order to minimize the total computational cost of a key exchange.
We take a (conjectural) generating set for \(\mathcal {C}(\mathcal {O})\) consisting of ideals over a set S of small Elkies primes, which we partition into three sets according to the step algorithms to be used. We maintain three lists of tuples encoding these primes:
 \(S_{VV}\) :

is a list of tuples \((\ell ,\lambda ,\mu )\) such that the ideal \((\ell ,\pi  \lambda )\) and its inverse \((\ell ,\pi \mu )\) are both amenable to VéluStep.
 \(S_{VE}\) :

is a list of tuples \((\ell ,\lambda )\) such that \((\ell ,\pi \lambda )\) is amenable to VéluStep but its inverse \((\ell ,\pi \mu )\) is not.
 \(S_{EE}\) :

is a list of tuples \((\ell ,\lambda ,\mu )\) such that neither \((\ell ,\pi  \lambda )\) nor \((\ell ,\pi \mu )\) are amenable to VéluStep.
In \(S_{VV}\) and \(S_{EE}\), the labelling of eigenvalues as \(\lambda \) and \(\mu \) is fixed once and for all (that is, the tuples \((\ell ,\lambda ,\mu )\) and \((\ell ,\mu ,\lambda )\) do not both appear). This fixes directions in each of the \(\ell \)isogeny cycles. Looking back at Fig. 1, for \(\ell \) associated with \(S_{EE}\) and \(S_{VV}\), both directions in the \(\ell \)isogeny graph will be available for use in walks; for \(S_{VE}\), only the Vélu direction will be used.
Each secret key in the cryptosystem is a walk in the isogeny graph. Since the class group \(\mathcal {C}(\mathcal {O})\) is commutative, such a walk is determined by the multiplicities of the primes \(\mathfrak {s}\) that appear in it. Algorithm 8 (KeyGen) therefore encodes privatekey walks as exponent vectors, with one integer exponent for each tuple in \(S_{VV}\), \(S_{VE}\), and \(S_{EE}\). For a tuple \((\ell ,\lambda ,\mu )\),

a positive exponent \(k_\ell \) indicates a walk of \(k_\ell \) \(\ell \)isogeny steps in direction \(\lambda \);

a negative exponent \(k_\ell \) indicates \(k_\ell \) \(\ell \)isogeny steps in direction \(\mu \).
For the tuples \((\ell ,\lambda )\) in \(S_{VE}\), where we do not use the slower \(\mu \)direction, we only allow nonnegative exponents. We choose bounds \(M_\ell \) on the absolute value of the exponents \(k_\ell \) so as to minimize the total cost of computing isogeny walks, while maintaining a large keyspace. As a rule, the bounds will be much bigger for the primes in \(S_{VV}\) and \(S_{VE}\), where Vélu steps can be applied.
The public keys are jinvariants in \(\mathbb {F}_q\), so they can be stored in \(\log _2 q\) bits; the private keys are also quite compact, but their precise size depends on the number of primes \(\ell \) and the choice of exponent bounds \(M_\ell \), which is a problem we will return to in Sect. 6.
Algorithm 9 completes a Diffie–Hellman key exchange by applying a combination of Elkies and Vélu walks (Algorithms 5 and 7, respectively).
4 Public Parameter Selection
It is evident that the choice of public parameters has a heavy impact on the execution time: smaller Elkies primes, and smaller multiplicative orders of the Frobenius eigenvalues, will lead to better performance. Since all of this information is contained in the value of \(\# E(\mathbb {F}_q)\), we now face the problem of constructing ordinary elliptic curves of prescribed order modulo small primes. Unfortunately, and in contrast with the supersingular case, no polynomialtime method to achieve this is known in general: the CM method [3, 64], which solves this problem when the corresponding class groups are small, is useless in our setting (see Sect. 5).
In this section we describe how to use the Schoof–Elkies–Atkin (SEA) point counting algorithm with early abort, combined with the use of certain modular curves, to construct curves whose order satisfies some constraints modulo small primes. This is faster than choosing curves at random and computing their orders completely until a convenient one is found, but it still does not allow us to use the full power of Algorithm VéluStep.
Earlyabort SEA. The SEA algorithm [52, 58] is the stateoftheart pointcounting algorithm for elliptic curves over largecharacteristic finite fields. In order to compute \(N = \# E(\mathbb {F}_p)\), it computes N modulo a series of small Elkies primes \(\ell \), before combining the results via the CRT to get the true value of N.
Cryptographers are usually interested in generating elliptic curves of prime or nearly prime order, and thus without small prime factors. While running SEA on random candidate curves, one immediately detects if \(N \equiv 0\pmod {\ell }\) for the small primes \(\ell \); if this happens then the SEA execution is aborted, and restarted with a new curve.
Here, the situation is the opposite: we want elliptic curves whose cardinality has many small prime divisors. To fix ideas, we choose the 512bit prime
Then, according to Remark 1, Algorithm VéluStep can be used for \(\ell \)isogenies in both directions for any prime \(\ell \le 380\), as soon as the order of its eigenvalues is small enough. We now proceed as follows:

Choose a smoothness bound B (we used \(B = 13\)).

Pick elliptic curves E at random in \(\mathbb {F}_p\), and use the SEA algorithm, aborting when any \(\ell \le B\) with \(\#E(\mathbb {F}_p) \not \equiv 0\pmod {\ell }\) is found.

For each E which passed the tests above, complete the SEA algorithm to compute \(\#E(\mathbb {F}_p)\), and estimate the key exchange running time using this curve as a public parameter (see Sect. 6).

The “fastest” curves now give promising candidates for \(\#E(\mathbb {F}_p)\).
In considering the efficiency of this procedure, it is important to remark that very few curves will pass the earlyabort tests. The bound B should be chosen to balance the overall cost of the first few tests with that of the complete SEA algorithm for the curves which pass them. Therefore, its value is somewhat implementationdependent.
Finding the maximal order. Once a “good” curve E has been computed, we want to find a curve \(E_0\) having the same number of points, but whose endomorphism ring is maximal, and to ensure that its discriminant is a large integer. Therefore, we attempt to factor the discriminant \(\varDelta _\pi \) of \(\mathbb {Z}[\pi ]\): if it is squarefree, then E already has maximal endomorphism ring, and in general the square factors of \(\varDelta _\pi \) indicate which ascending isogenies have to be computed in order to find \(E_0\).
Remark 2
Factoring random 512bit integers is not hard in general, and discriminants of quadratic fields even tend to be slightly smoother than random integers.
If a discriminant fails to be completely factored, a conservative strategy would be to discard it, but ultimately undetected large primesquare factors do not present a security issue because computing the possible corresponding largedegree isogenies is intractable (see Sect. 5).
Using the modular curve \(X_1(N)\). Since we are looking for curves with smooth cardinalities, another improvement to this procedure is available: instead of choosing elliptic curves uniformly at random, we pick random candidates using an equation for the modular curve \(X_1(N)\) [65], which guarantees the existence of a rational Ntorsion point on the sampled elliptic curve. This idea is used in the procedure of selecting elliptic curves in the Elliptic Curve Method for factoring [70, 71]. In our implementation we used \(N = 17\), and also incorporated the existence test in [54] for Montgomery models for the resulting elliptic curves.
Results. We implemented this search using the Sage computer algebra system. Our experiments were conducted on several machines running Intel Xeon E5520 processors at 2.27GHz. After 17,000 hours of CPU time, we found the Montgomery elliptic curve \( E : y^2 = x^3 + A x^2 + x \) over \(\mathbb {F}_p\) with p as above, and
The trace of Frobenius t of E is
There is a rational \(\ell \)torsion point on E, or its quadratic twist, for each \(\ell \) in
each of these primes is Elkies. Furthermore, \({{\mathrm{End}}}(E)\) is the maximal order, and its discriminant is a 511bit integer that has the following prime factorization:
In Sect. 6, we discuss the practical performance of our keyexchange protocol using these system parameters. Other proposals for parameters are given in [39].
5 Security
We now address the security of the CRS primitive, and derived protocols. Intuitively, these systems rely on two assumptions:

1.
given two curves E and \(E'\) in \({{\mathrm{Ell}}}_q(\mathcal {O})\), it is hard to find a (smooth degree) isogeny \({\phi }:E{\rightarrow }E'\); and

2.
the distribution on \({{\mathrm{Ell}}}_q(\mathcal {O})\) induced by the random walks sampled in Algorithm 8 is computationally undistinguishable from the uniform distribution.
We start by reviewing the known attacks for the first problem, both in the classical and the quantum setting. Then, we formalize security assumptions and give security proofs against passive adversaries. Finally, we discuss key validation and protection against active adversaries.
5.1 Classical Attacks
We start by addressing the following, more general, problem:
Problem 1
Given two ordinary elliptic curves \(E,E'\) defined over a finite field \(\mathbb {F}_q\), such that \(\#E(\mathbb {F}_q)=\#E'(\mathbb {F}_q)\), find an isogeny walk \((\phi _i)_{1\le {i}\le {n}}\) such that \(\phi _n\circ \cdots \circ {\phi }_1(E)=E'\).
The curves in Problem 1 are supposed to be sampled uniformly, though this is never exactly the case in practice. This problem was studied before the emergence of isogenybased cryptography [28, 29, 31], because of its applications to conventional ellipticcurve cryptography [31, 37, 67]. The algorithm with the best asymptotic complexity is due to Galbraith, Hess and Smart [31]. It consists of three stages:
 Stage 0.:

Use walks of ascending isogenies to reduce to the case where \({{\mathrm{End}}}(E)\cong {{\mathrm{End}}}(E')\) is the maximal order.
 Stage 1.:

Start two random walks of horizontal isogenies from E and \(E'\); detect the moment when they collide using a Pollardrho type of algorithm.
 Stage 2.:

Reduce the size of the obtained walk using indexcalculus techniques.
To understand Stage 0, recall that all isogenous elliptic curves have the same order, and thus the same trace t of the Frobenius endomorphism \(\pi \). We know that \({{\mathrm{End}}}(E)\) is contained in the ring of integers \(\mathcal {O}_K\) of \(K=\mathbb {Q}(\sqrt{\varDelta _\pi })\), where \(\varDelta _\pi =t^24q\) is the Frobenius discriminant. As before we write \(\varDelta _\pi =d^2\varDelta _K\), where \(\varDelta _K\) is the discriminant of \(\mathcal {O}_K\); then for any \(\ell \mid d\), the \(\ell \)isogeny graph of E contains ascending and descending \(\ell \)isogenies; these graphs are referred to as volcanoes [26] (see Fig. 3). Ascending isogenies go from curves with smaller endomorphism rings to curves with larger ones, and take us to a curve with \({{\mathrm{End}}}(E)\simeq {\mathcal {O}}_K\) in \(O(\log d)\) steps; they can be computed efficiently using the algorithms of [22, 26, 35, 41]. Assuming^{Footnote 7} all prime factors of d are in \(O(\log q)\), we can therefore compute Stage 0 in time polynomial in \(\log q\).
The set \({{\mathrm{Ell}}}_q(\mathcal {O}_K)\) has the smallest size among all sets \({{\mathrm{Ell}}}_q(\mathcal {O})\) for \(\mathcal {O}\subset \mathcal {O}_K\), so it is always interesting to reduce to it. This justifies using curves with maximal endomorphism ring in the definition of the protocol in Sect. 3. When \(\varDelta _\pi \) is squarefree, \(\mathbb {Z}[\pi ]\) is the maximal order, and the condition is automatically true.
The collision search in Stage 1 relies on the birthday paradox, and has a complexity of \(O(\sqrt{h(\mathcal {O}_K)})\).
It is known that, on average, \(h(\mathcal {O}_K)\approx {0.461}\cdots \sqrt{\varDelta _K}\) (see [15, 5.10]), and, assuming the extended Riemann hypothesis, we even have a lower bound (see [47])
Since \(\varDelta _K\sim q\), we expect Stage 1 to take time \(O(q^{1/4})\), which justifies a choice of q four times as large as the security parameter. Unfortunately, class numbers are notoriously difficult to compute, the current record being for a discriminant of 300 bits [5]. Computing class numbers for \({\sim 500}\)bit discriminants seems to be expensive, albeit feasible; thus, we can only rely on these heuristic arguments to justify the security of our proposed parameters.
The horizontal isogeny produced by Stage 1 is represented by an ideal constructed as a product of exponentially many small ideals. Stage 2 converts this into a sequence of small ideals of length polynomial in \(\log q\). Its complexity is bounded by that of Stage 1, so it has no impact on our security estimates.
Remark 3
The Cohen–Lenstra heuristic [16] predicts that the odd part of \(\mathcal {C}(\mathcal {O}_K)\) is cyclic with overwhelming probability, and other heuristics [33] indicate that \(h(\mathcal {O}_K)\) is likely to have a large prime factor. However, since there is no known way in which the group structure of \(\mathcal {C}(\mathcal {O}_K)\) can affect the security of our protocol, we can disregard this matter. No link between the group structure of \(E(\mathbb {F}_q)\) itself and the security is known, either.
5.2 Quantum Attacks
On a quantum computer, an attack with better asymptotic complexity is given by Childs, Jao and Soukharev in [13]. It consists of two algorithms:

1.
A (classical) algorithm that takes as input an elliptic curve \(E{\in }{{\mathrm{Ell}}}_q(\mathcal {O})\) and an ideal \(\mathfrak a{\in }\mathcal {C}(\mathcal {O})\), and outputs the curve \(\mathfrak a{\cdot }E\);

2.
A generic quantum algorithm for the dihedral hidden subgroup problem (dHSP), based upon previous work of Kuperberg [43, 44] and Regev [55].
The ideal evaluation algorithm has subexponential complexity \(L_q(\frac{1}{2},\frac{\sqrt{3}}{2})\). However, after a subexponentialtime classical precomputation, any adversary can know the exact class group structure; in that case, this ideal evaluation step could possibly be performed in polynomial time (and nonnegligible success probability) using LLLbased methods, as discussed in [63] and [19, Sect. 5].
The dHSP algorithm uses the ideal evaluation algorithm as a (quantum) black box, the number of queries depending on the variant. Childs–Jao–Soukharev gave two versions of this algorithm, Kuperberg’s [43] and Regev’s [55]. However, both are superseded by Kuperberg’s recent work [44]: his new algorithm solves the dHSP in any abelian group of order N using \(2^{O(\sqrt{\log N})}\) quantum queries and classical space, but only \(O(\log N)\) quantum space. Given this estimate, we expect the bit size of q to grow at worst like the square of the security parameter.
Unfortunately, the analysis of Kuperberg’s new algorithm is only asymptotic, and limited to N of a special form; it cannot be directly used to draw conclusions on concrete cryptographic parameters at this stage, especially since the value of the constant hidden by the O() in the exponent is unclear. Thus, it is hard to estimate the impact of this attack at concrete security levels such as those required by NIST [53].
Nevertheless, we remark that the first version of Kuperberg’s algorithm, as described in [55, Algorithm 5.1 and Remark 5.2] requires \(O(2^{3\sqrt{\log N}}\log N)\) blackbox queries and \(\sim 2^{3\sqrt{\log N}}\) qubits of memory. Although the quantum memory requirements of this algorithm are rather high, we will take its query complexity as a crude lower bound for the complexity of Kuperberg’s newer algorithm in the general case. Of course, this assumption is only heuristic, and should be validated by further study of quantum dHSP solvers; at present time, unfortunately, no precise statement can be made.
Table 1 thus proposes various parameter sizes, with associated numbers of quantum queries based on the observations above; we also indicate the estimated time to (classically) precompute the class group structure according to [5].^{Footnote 8} Whenever the quantum query complexity alone is enough to put a parameter in one of NIST’s security categories [53], we indicate it in the table. We believe that using query complexity alone is a very conservative choice, and should give more than enough confidence in the postquantum security properties of our scheme.
The system parameters we proposed in Sect. 4 correspond to the first line of Table 1, thus offering at least 56bit quantum and 128bit classical security.
5.3 Security Proofs
We now formalize the assumptions needed to prove the security of the key exchange protocol, and other derived protocols such as PKEs and KEMs, in various models. Given the similarity with the classical Diffie–Hellman protocol on a cyclic group, our assumptions are mostly modeled on those used in that context. Here we are essentially following the lead of Couveignes [19] and Stolbunov [62, 63]. However, we take their analyses a step further by explicitly modeling the hardness of distinguishing random walks on Cayley graphs from the uniform distribution: this yields stronger proofs and a better separation of security concerns.
For the rest of this section q is a prime power, \(\mathcal {O}\) is an order in a quadratic imaginary field with discriminant \(\varDelta \sim q\), \(\mathcal {C}(\mathcal {O})\) is the class group of \(\mathcal {O}\), \({{\mathrm{Ell}}}_q(\mathcal {O})\) is the (nonempty) set of elliptic curves with complex multiplication by \(\mathcal {O}\), and \(E_0\) is a fixed curve in \({{\mathrm{Ell}}}_q(\mathcal {O})\). Finally, S is a set of ideals of \(\mathcal {O}\) with norm polynomial in \(\log q\), and \(\sigma \) is a probability distribution on the set \(S^*\) of isogeny walks (i.e. finite sequences of elements in S) used to sample secrets in the key exchange protocol. We write \(x\overset{\sigma }{\in } X\) for an element taken from a set X according to \(\sigma \), and \(x\overset{R}{\in }X\) for an element taken according to the uniform distribution.
Our security proofs use four distributions on \({{\mathrm{Ell}}}_q(\mathcal {O})^3\):
The assumption needed to prove security of the protocols is the hardness of a problem analogous to the classic Decisional Diffie–Hellman (DDH) problem.
Definition 1
(Isogeny Walk DDH (IWDDH)). Given a triplet of curves \((E_a,E_b,E_{ab})\) sampled with probability \(\frac{1}{2}\) from \(\mathcal {R}_{q,\varDelta ,\sigma }\) and \(\frac{1}{2}\) from \(\mathcal {W}_{q,\varDelta ,\sigma }\), decide from which it was sampled.
We split this problem into two finergrained problems. The first is that of distinguishing between commutative squares sampled uniformly at random and commutative squares sampled from the distribution \(\sigma \).
Definition 2
(Isogeny Walk Distinguishing (IWD)). Given a triplet of curves \((E_a,E_b,E_{ab})\) sampled with probability \(\frac{1}{2}\) from \(\mathcal {W}_{q,\varDelta ,\sigma }\) and \(\frac{1}{2}\) from \(\mathcal {G}_{q,\varDelta }\), decide from which it was sampled.
The second problem is a groupaction analogue of DDH. It also appears in [19] under the name vectorization, and in [62, 63] under the name DDHAP.
Definition 3
(Class Group Action DDH (CGADDH)). Given a triplet of curves \((E_a,E_b,E_{ab})\) sampled with probability \(\frac{1}{2}\) from \(\mathcal {G}_{q,\varDelta }\) and \(\frac{1}{2}\) from \(\mathcal {U}_{q,\varDelta }\), decide from which it was sampled.
We want to prove the security of protocols based on the primitive of Sect. 3 under the CGADDH and IWD assumptions combined. To do this we give a lemma showing that CGADDH and IWD together imply IWDDH. The technique is straightforward: we use an IWDDH oracle to solve both the CGADDH and IWD problems, showing that at least one of the two must be solvable with nonnegligible advantage. The only technical difficulty is that we need an efficient way to simulate the uniform distribution on \({{\mathrm{Ell}}}_q(\mathcal {O})\); for this, we use another Cayley graph on \({{\mathrm{Ell}}}_q(\mathcal {O})\), with a potentially larger edge set, that is proven in [37] to be an expander under the generalized Riemann hypothesis (GRH).
We let \(\mathsf {Adv}^{A}_{\text {IWDDH}}\) be the advantage of an adversary A against IWDDH, defined as the probability that A answers correctly, minus 1 / 2:
We define \(\mathsf {Adv}^{A}_{\text {CGADDH}}\) and \(\mathsf {Adv}^{A}_{\text {IWD}}\) similarly. Switching answers if needed, we can assume all advantages are positive. We let \(\mathsf {Adv}^{}_{\text {X}}(t)\) denote the maximum of \(\mathsf {Adv}^{A}_{\text {X}}\) over all adversaries using at most t resources (running time, queries, etc.).
Lemma 1
Assuming GRH, for q large enough and for any bound t on running time, and for any \(\epsilon >0\),
Proof
(Sketch). We start with an adversary A for IWDDH, and we construct two simulators S and T for CGADDH and IWD respectively.

The simulator S simply passes its inputs to A, and returns A’s response.

The simulator T receives a triplet \((E_a,E_b,E_{ab})\) taken from \(\mathcal {G}_{q,\varDelta }\) or \(\mathcal {W}_{q,\varDelta ,\sigma }\), and flips a coin to decide which of the two following actions it will do:

forward \((E_a,E_b,E_{ab})\) to A, and return the bit given by A; or

generate a random curve \(E_c{\in }{{\mathrm{Ell}}}_q(\mathcal {O})\), forward \((E_a,E_b,E_c)\) to A, and return the opposite bit to the one given by A.

The curve \(E_c\) must be sampled from a distribution close to uniform for the simulator T to work. The only way at our disposal to sample \(E_c\) uniformly would be to sample a uniform \(\mathfrak c{\in }\mathcal {C}(\mathcal {O})\) and take \(E_c=\mathfrak c{\cdot }E_0\), but this would be too costly. Instead we use [37, Theorem 1.5], combined with standard results about random walks in expander graphs (for instance, an easy adaptation of the proof of [37, Lemma 2.1]), to sample \(E_c\) so that any curve in \({{\mathrm{Ell}}}_q(\mathcal {O})\) is taken with probability between \((1\epsilon )/h(\mathcal {O})\) and \((1+\epsilon )/h(\mathcal {O})\), using only \({{\mathrm{poly}}}(\log q, \log \epsilon )\) operations. We can consider this sampling as follows: with probability \(1\epsilon \), sample \(E_c\) uniformly, and with probability \(\epsilon \) sample it from an unknown distribution.
Now, if T forwarded \((E_a,E_b,E_{ab})\) untouched, then we immediately get
Averaging over the two outcomes concludes the proof. \(\square \)
Finally, we define an isogenywalk analogue of the classic Computational Diffie–Hellman (CDH) problem for groups. Using the same techniques as above, we can prove the security of the relevant protocols based only on CGACDH and IWD, without the generalized Riemann hypothesis.
Definition 4
(Class Group Action CDH (CGACDH)). Given \(E_a=\mathfrak a{\cdot }E_0\) and \(E_b=\mathfrak b{\cdot }E_0\) with \(\mathfrak a,\mathfrak b\overset{R}{\in }\mathcal {C}(\mathcal {O})\), compute the curve \(E_{ab}=\mathfrak {ab}{\cdot }E_0\).
Stolbunov proved the security of HHS Diffie–Hellman under the equivalent of CGADDH [62]. Repeating the same steps, we can prove the following theorem.
Theorem 1
If the CGADDH and IWD assumptions hold, assuming GRH, the keyagreement protocol defined by Algorithms 8 and 9 is sessionkey secure in the authenticatedlinks adversarial model of Canetti and Krawczyk [11].
Similarly, we can prove the INDCPA security of the hashed ElGamal protocol derived from Algorithm 8 by replicating the techniques of e.g. [30, Sect. 20.4.11].
Theorem 2
Assuming CGACDH and IWD, the hashed ElGamal protocol derived from Algorithms 8 and 9 is INDCPA secure in the random oracle model.
A heuristic discussion of the IWD assumption. From its very definition, the IWD problem depends on the probability distribution \(\sigma \) we use to sample random walks in the isogeny graph. In this paragraph, we provide heuristic arguments suggesting that the IWD instances generated by Algorithm 9 are hard, provided

1.
the keyspace size is at least \(\sqrt{\varDelta _K}\), and

2.
S is not too small, i.e. the number of isogeny degrees used is in \(\varOmega (\log q)\).
Proving rapid mixing of isogeny walks with such parameters seems out of reach at present, even under numbertheoretic hypotheses such as GRH. The best results available, like [37, Theorem 1.5] (used in the proof of Lemma 1), typically require isogeny degrees in \(\varOmega ((\log q)^B)\) for some \(B>2\), and fully random walks that are not, for example, skewed towards smallerdegree isogenies.
However, numerical evidence suggests that these theoretical results are too weak. In [37, 7.2], it is asked whether an analogue of the previous theorem would be true with the sole constraint \(B>1\). In [31, Sect. 3], it is mentioned that many fewer split primes are needed to walk in the isogeny graph than theoretically expected. Practical evidence also suggests that the rapid mixing properties are not lost with skewed random walks: such walks are used in [28] to accelerate an algorithm solving Problem 1. We believe that these experiments can bring some evidence in favor of relying on the IWD assumptions with more aggressive parameters than those provided by GRH, although further investigation is required.
5.4 Key Validation and Active Security
Modern practice in cryptography mandates the use of stronger security notions than INDCPA. From the DLP assumption, it is easy to construct protocols with strong security against active adversaries. For example, it is wellknown that the hashed ElGamal KEM achieves INDCCA security in the random oracle model under various assumptions [1, 2, 20].
All of these constructions crucially rely on key validation: that is, Alice must verify that the public data sent by Bob defines valid protocol data (e.g., valid elements of a cyclic group), or abort if this is not the case. Failure to perform key validation may result in catastrophic attacks, such as small subgroup [46], invalid point [6], and invalid curve attacks [14].
In our context, key validation amounts to verifying that the curve sent by Bob really is an element of \({{\mathrm{Ell}}}_q(\mathcal {O}_K)\). Failure to do so exposes Alice to an invalid graph attack, where Bob forces Alice onto an isogeny class with much smaller discriminant, or different Elkies primes, and learns something on Alice’s secret.
Fortunately, key validation is relatively easy for protocols based on the CRS primitive. All we need to check is that the received jinvariant corresponds to a curve with the right order, and with maximal endomorphism ring.
Verifying the curve order. Since we already know the trace t of the Frobenius endomorphism of all curves in \({{\mathrm{Ell}}}_q(\mathcal {O})\), we only need to check that the given E has order \(q+1t\). Assuming that E is cyclic, or contains a cyclic group of order larger than \(4\sqrt{q}\), a very efficient randomized algorithm consists in taking a random point P and verifying that it has the expected order. This task is easy if the factorization of \(q+1t\) is known.
Concretely, the curve given in Sect. 4 has order
and its group structure is \(\mathbb {Z}/2\mathbb {Z}\times \mathbb {Z}/\frac{N}{2}\mathbb {Z}\). To check that a curve is in the same isogeny class, we repeatedly take random points until we find one of order N / 2.
Verifying the endomorphism ring level. The curve order verification proves that \({{\mathrm{End}}}(E)\) is contained between \(\mathbb {Z}[\pi ]\) and \(\mathcal {O}_K\). We have already seen that there is only a finite number of possible rings: their indices in \(\mathcal {O}_K\) must divide d where \(d^2=\varDelta _\pi /\varDelta _K\). Ascending and descending isogenies connect curves with different endomorphism rings, thus we are left with the problem of verifying that E is on the crater of any \(\ell \)volcano for \(\ell \mid d\). Assuming no large prime divides d, this check can be accomplished efficiently by performing random walks in the volcanoes, as described in [41, Sect. 4.2] or [26]. Note that if we choose \(\varDelta _\pi \) squarefree, then the only possible endomorphism ring is \(\mathcal {O}_K\), and there is nothing to be done.
Concretely, for the curve of Sect. 4 we have \(\varDelta _\pi /\varDelta _K=2^2\), so there are exactly two possible endomorphism rings. Looking at the action of the Frobenius endomorphism, we see that \({{\mathrm{End}}}(E)=\mathcal {O}_K\) if and only if \(E[2]\simeq (\mathbb {Z}/2\mathbb {Z})^2\).
Example 2
Let p and \(\mathcal {O}\) be as in Sect. 4. Suppose we are given the value
in \(\mathbb {F}_p\). It is claimed that \(\alpha \) is in \({{\mathrm{Ell}}}_p(\mathcal {O})\); that is, it is a valid public key for the system with parameters defined in Sect. 4. Following the discussion above, to validate \(\alpha \) as a public key, it suffices to exhibit a curve with jinvariant \(\alpha \), full rational 2torsion, and a point of order N / 2. Using standard formulæ, we find that the two \(\mathbb {F}_p\)isomorphism classes of elliptic curves with jinvariant \(\alpha \) are represented by the Montgomery curve \(E_\alpha /\mathbb {F}_p: y^2 = x(x^2 + Ax + 1)\) with
and its quadratic twist \(E_\alpha '\). Checking the 2torsion first, we have \(E_\alpha [2](\mathbb {F}_p) \cong E_\alpha '[2](\mathbb {F}_p) \cong (\mathbb {Z}/2\mathbb {Z})^2\), because \(A^2  4\) is a square in \(\mathbb {F}_p\). Trying points on \(E_\alpha \), we find that \((23,\sqrt{23(23^2 + 23A + 1)})\) in \(E_\alpha (\mathbb {F}_p)\) has exact order N / 2. We conclude that \({{\mathrm{End}}}(E_\alpha ) = \mathcal {O}\), so \(\alpha \) is a valid public key. (In fact, \(E_\alpha \) is connected to the initial curve by a single 3isogeny step.)
Consequences for cryptographic constructions. Since both of the checks above can be done much more efficiently than evaluating a single isogeny walk, we conclude that key validation is not only possible, but highly efficient for protocols based on the CRS construction. This stands in stark contrast to the case of SIDH, where key validation is known to be problematic [32], and even conjectured to be as hard as breaking the system [68].
Thanks to this efficient key validation, we can obtain CCAsecure encryption from the CRS action without resorting to generic transforms such as Fujisaki–Okamoto [27], unlike the case of SIKE [4, 34]. This in turn enables applications such as noninteractive key exchange, for which no practical postquantum scheme was known prior to [12].
6 Experimental Results
In order to demonstrate that our protocol is usable at standard security levels, we implemented it in the Julia programming language. This proof of concept also allowed us to estimate isogeny step costs, which we needed to generate the initial curve in Sect. 4. We developed several Julia packages^{Footnote 9}, built upon the computer algebra package Nemo [25]. Experiments were conducted using Julia 0.6 and Nemo 0.7.3 on Linux, with an Intel Core i75600U cpu at 2.60 GHz.
Consider the time to compute one step for an ideal \(\mathfrak s = (\ell ,\pi \lambda )\). Using Elkies steps, this is approximately the cost of finding the roots of the modular polynomial: roughly \(0.017\cdot \ell \) seconds in our implementation. Using Vélu steps, the cost is approximately that of one scalar multiplication in \(E(\mathbb {F}_{q^r})\); timings for the extension degrees \(r\) relevant to our parameters appear in Table 2.
Using this data, finding efficient walk length bounds \(M_\ell \) offering a sufficient keyspace size is easily seen to be an integer optimization problem. We used the following heuristic procedure to find a satisfactory solution. Given a time bound T, let KeySpaceSize(T) be the keyspace size obtained when each \(M_\ell \) is the greatest such that the total time spent on \(\ell \)isogenies is less than T. Then, if n is the (classical) security parameter, we look for the least T such that \( \textsc {KeySpaceSize}(T)\ge 2^{2n} \) (according to Sect. 5), using binary search. While the \(M_\ell \) we obtain are most likely not the best possible, intuitively the outcome is not too far from optimal.
In this way, we obtain a proposal for the walk length bounds \(M_\ell \) to be used in Algorithm 8 along with the curve found in Sect. 4, to achieve 128bit classical security. Table 3 lists the isogeny degrees amenable to Algorithm 6, each with the corresponding extension degree r (a star denotes that the twisted curve allows us to use both directions in the isogeny graph, as in Remark 1). Table 4 lists other primes for which we apply Algorithm 5.
Using these parameters, we perform one isogeny walk in approximately 520 s. These timings are worstcase: the number of isogeny steps is taken to be exactly \(M_\ell \) for each \(\ell \). This is about as fast as Stolbunov’s largest parameter [62], which is for a prime of 428 bits and a keyspace of only 216 bits.
We stress that our implementation is not optimised. General gains in field arithmetic aside, optimised code could easily beat our proofofconcept implementation at critical points of our algorithms, such as the root finding steps in Algorithms 3 and 4.
For comparison, without Algorithm 6 the total isogeny walk time would exceed 2000 seconds. Our ideas thus yield an improvement by a factor of over 4 over the original protocol. A longer search for efficient public parameters would bring further improvement.
7 Conclusion
We have shown that the Couveignes–Rostovtsev–Stolbunov framework can be improved to become practical at standard pre and postquantum security levels; even more so if an optimized C implementation is made. The main obstacle to better performance is the difficulty of generating optimal system parameters: even with a lot of computational power, we cannot expect to produce ordinary curve parameters that allow us to use only Vélu steps. In this regard, the CSIDH protocol [12], which overcomes this problem using supersingular curves instead of ordinary ones, is promising.
One particularly nice feature of our protocol is its highly efficient key validation, which opens a lot of cryptographic doors. However, sidechannelresistant implementations remain an interesting problem for future work.
Notes
 1.
There is a slight technicality here for jinvariants 0 and 1728, where nonquadratic twists may exist. We ignore these special cases because these curves never appear in our cryptosystem: the class groups of their endomorphism rings are trivial, and keyspaces of size 1 are of limited utility in cryptography.
 2.
The situation is much more complicated for supersingular graphs, because the curve and its twist are in the same component of the graph; see [23, Sect. 2] for details.
 3.
An order is a subring which is a \(\mathbb {Z}\)module of rank 2.
 4.
\(\varDelta _K\) is a fundamental discriminant: \(\varDelta _K\equiv 0,1\pmod 4\), and \(\varDelta _K\) or \(\frac{\varDelta _K}{4}\) is squarefree.
 5.
In fact, one can define \(\phi _{\mathfrak a}\) for any invertible ideal \(\mathfrak a\), but it is not always separable.
 6.
If the order of \(\mu \) divides r, Algorithm 6 can be extended as follows: take \(P{\in }E[\ell ]\), and compute \(\pi (P)  [\mu ]P\); the result is either zero, or an eigenvector for \(\mu \). This is not necessary for any of the primes in our proposed parameters.
 7.
This is typical for isogenybased protocols. No counterexample has ever been constructed.
 8.
Computing the class group structure is an instance of the hidden subgroup problem, and thus can be solved in quantum polynomial time by Shor’s algorithm.
 9.
The main code is available at https://github.com/defeo/hhskeyex/, and the additional dependencies at https://github.com/defeo/EllipticCurves.jl/ and https://github.com/defeo/ClassPolynomials.jl/.
References
Abdalla, M., Bellare, M., Rogaway, P.: DHAES: an encryption scheme based on the DiffieHellman problem. Cryptology ePrint Archive, Report 1999/007 (1999), https://eprint.iacr.org/1999/007
Abdalla, M., Bellare, M., Rogaway, P.: The oracle diffiehellman assumptions and an analysis of DHIES. In: Naccache, D. (ed.) CTRSA 2001. LNCS, vol. 2020, pp. 143–158. Springer, Heidelberg (2001). https://doi.org/10.1007/3540453539_12
Atkin, A.O.L., Morain, F.: Elliptic curves and primality proving. Math. Comp. 61(203), 29–68 (1993). https://doi.org/10.2307/2152935
Azarderakhsh, R., et al.: Supersingular Isogeny Key Encapsulation (2017). http://sike.org
Biasse, J.F., Jacobson, M.J., Silvester, A.K.: Security estimates for quadratic field based cryptosystems. In: Steinfeld, R., Hawkes, P. (eds.) Information Security and Privacy, pp. 233–247. Springer, Berlin, Heidelberg (2010). https://doi.org/10.1007/9783642140815_15
Biehl, I., Meyer, B., Müller, V.: Differential fault attacks on elliptic curve cryptosystems. In: Bellare, Mihir (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 131–146. Springer, Heidelberg (2000). https://doi.org/10.1007/3540445986_8
Bostan, A., Morain, F., Salvy, B., Schost, É.: Fast algorithms for computing isogenies between elliptic curves. Math. Comput. 77(263), 1755–1778 (2008). https://doi.org/10.1090/S0025571808020668
Bröker, R., Lauter, K.E., Sutherland, A.V.: Modular polynomials via isogeny volcanoes. Math. Comput. 81(278), 1201–1231 (2012). https://doi.org/10.1090/S002557182011025081
Bruinier, J.H., Ono, K., Sutherland, A.V.: Class polynomials for nonholomorphic modular functions. J. Num. Theory 161, 204–229 (2016). https://doi.org/10.1016/j.jnt.2015.07.002
Buchmann, J., Williams, H.C.: A keyexchange system based on imaginary quadratic fields. J. Crypt. 1(2), 107–118 (1988). https://doi.org/10.1007/BF02351719
Canetti, R., Krawczyk, H.: Analysis of keyexchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001). https://doi.org/10.1007/3540449876_28
Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: an efficient postquantum commutative group action. In: Galbraith, S.D., Peyrin, T. (eds.) ASIACRYPT 2018, LNCS, vol. 11274, pp. 380–411. Springer (2018)
Childs, A., Jao, D., Soukharev, V.: Constructing elliptic curve isogenies in quantum subexponential time. J. Math. Crypto. 8(1), 1–29 (2014)
Ciet, M., Joye, M.: Elliptic curve cryptosystems in the presence of permanent and transient faults. Des. Codes Crypt. 36(1), 33–43 (2005). https://doi.org/10.1007/s1062300311608
Cohen, H.: A Course in Computational Algebraic Number Theory. Springer, New York (1993). https://doi.org/10.1007/9783662029459
Cohen, H., Lenstra, H.W.: Heuristics on class groups of number fields. In: Jager, H. (ed.) Number Theory Noordwijkerhout 1983, pp. 33–62. Springer, Heidelberg (1984). https://doi.org/10.1007/BFb0099440
Costello, C., Hisil, H.: A simple and compact algorithm for SIDH with arbitrary degree isogenies. In: Takagi, T., Peyrin, T. (eds.) Advances in Cryptology  ASIACRYPT 2017, ASIACRYPT 2017. Lecture Notes in Computer Science, vol. 10625. Springer, Heidelberg (2017). https://doi.org/10.1007/9783319706979_11
Costello, C., Smith, B.: Montgomery curves and their arithmetic. J. Crypt. Eng. 8(3), 227–240 (2017). https://doi.org/10.1007/s1338901701576. hal.inria.fr/hal01483768
Couveignes, J.M.: Hard homogeneous spaces. Cryptology ePrint Archive, Report 2006/291 (2006). https://eprint.iacr.org/2006/291
Cramer, R., Shoup, V.: Design and analysis of practical publickey encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167–226 (2003). https://doi.org/10.1137/S0097539702403773
De Feo, L.: Mathematics of isogeny based cryptography. CoRR abs/1711.04062 (2017). http://arxiv.org/abs/1711.04062
De Feo, L., Hugounenq, C., Plût, J., Schost, É.: Explicit isogenies in quadratic time in any characteristic. LMS J. Comput. Math. 19(A), 267–282 (2016)
Delfs, C., Galbraith, S.D.: Computing isogenies between supersingular elliptic curves over \(\mathbb{F}_p\). Des. Codes Cryptography 78(2), 425–440 (2016). https://doi.org/10.1007/s1062301400101
Serre, J.P.: A Course in Arithmetic. GTM, vol. 7. Springer, New York (1973). https://doi.org/10.1007/9781468498844
Fieker, C., Hart, W., Hofmann, T., Johansson, F.: Nemo/Hecke: computer algebra and number theory packages for the Julia programming language. In: Proceedings of the 2017 ACM on International Symposium on Symbolic and Algebraic Computation, ISSAC 2017, pp. 157–164. ACM, New York, (2017). https://doi.org/10.1145/3087604.3087611
Fouquet, M., Morain, F.: Isogeny volcanoes and the SEA algorithm. In: Fieker, C., Kohel, D.R. (eds.) Algorithmic Number Theory, ANTS 2002. Lecture Notes in Computer Science, vol. 2369. Springer, Heidelberg (2002). https://doi.org/10.1007/3540454551_23
Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999). https://doi.org/10.1007/3540484051_34
Galbraith, S., Stolbunov, A.: Improved algorithm for the isogeny problem for ordinary elliptic curves. Appl. Algebra Eng. Commun. Comput. 24(2), 107–131 (2013). https://doi.org/10.1007/s0020001301850
Galbraith, S.D.: Constructing isogenies between elliptic curves over finite fields. LMS J. Comput. Math. 2, 118–138 (1999). https://doi.org/10.1112/S1461157000000097
Galbraith, S.D.: Mathematics of public key cryptography. Cambridge University Press, Cambridge (2012). https://www.math.auckland.ac.nz/sgal018/cryptobook/cryptobook.html
Galbraith, S.D., Hess, F., Smart, N.P.: Extending the GHS weil descent attack. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 29–44. Springer, Heidelberg (2002). https://doi.org/10.1007/3540460357_3
Galbraith, S.D., Petit, C., Shani, B., Ti, Y.B.: On the security of supersingular isogeny cryptosystems. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 63–91. Springer, Heidelberg (2016). https://doi.org/10.1007/9783662538876_3
Hamdy, S., Möller, B.: Security of cryptosystems based on class groups of imaginary quadratic orders. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 234–247. Springer, Heidelberg (2000). https://doi.org/10.1007/3540444483_18
Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the fujisakiokamoto transformation. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 341–371. Springer, Cham (2017). https://doi.org/10.1007/9783319705002_12
Ionica, S., Joux, A.: Pairing the volcano. Math. Comput. 82(281), 581–603 (2013)
Jao, D., De Feo, L.: Towards quantumresistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.Y. (ed.) PostQuantum Cryptography, PQCrypto 2011. Lecture Notes in Computer Science, vol. 7071. Springer, Heidelberg (2011). https://doi.org/10.1007/9783642254055_2
Jao, D., Miller, S.D., Venkatesan, R.: Expander graphs based on GRH with an application to elliptic curve cryptography. J. Number Theory 129(6), 1491–1504 (2009). https://doi.org/10.1016/j.jnt.2008.11.006
Jao, D., Soukharev, V.: A subexponential algorithm for evaluating large degree isogenies. In: Hanrot, G., Morain, F., Thomé, E. (eds.) Algorithmic Number Theory, ANTS 2010. Lecture Notes in Computer Science, vol. 6197. Springer, Heidelberg (2010). https://doi.org/10.1007/9783642145186_19
Kieffer, J.: Étude et accélération du protocole d’échange de clés de CouveignesRostovtsevStolbunov. Master’s thesis, Inria Saclay & Université Paris VI (2017)
Ko, K.H., Lee, S.J., Cheon, J.H., Han, J.W., Kang, J., Park, C.: New publickey cryptosystem using braid groups. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 166–183. Springer, Heidelberg (2000). https://doi.org/10.1007/3540445986_10
Kohel, D.R.: Endomorphism rings of elliptic curves over finite fields. Ph.D. thesis, University of California at Berkley (1996)
Kohel, D.R.: Echidna databases (2018). http://iml.univmrs.fr/~kohel/dbs/
Kuperberg, G.: A subexponentialtime quantum algorithm for the dihedral hidden subgroup problem. SIAM J. Comput. 35(1), 170–188 (2005)
Kuperberg, G.: Another subexponentialtime quantum algorithm for the dihedral hidden subgroup problem. In: Severini, S., Brandao, F. (eds.) 8th Conference on the Theory of Quantum Computation, Communication and Cryptography (TQC 2013), Leibniz International Proceedings in Informatics (LIPIcs), vol. 22, pp. 20–34. Schloss DagstuhlLeibnizZentrum fuer Informatik, Dagstuhl, Germany (2013). https://doi.org/10.4230/LIPIcs.TQC.2013.20, http://drops.dagstuhl.de/opus/volltexte/2013/4321
Lang, S.: Elliptic Functions Graduate Texts in Mathematics. Springer, New York (1987). https://doi.org/10.1007/9781461247524
Lim, C.H., Lee, P.J.: A key recovery attack on discrete logbased schemes using a prime order subgroup. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 249–263. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052240
Littlewood, J.E.: On the classnumber of the corpus \(p(\sqrt{k})\). Proc. London Math. Soc. 2(1), 358–372 (1928)
Maze, G., Monico, C., Rosenthal, J.: Public key cryptography based on semigroup actions. Adv. Math. Commun. 1(4), 489–507 (2007). https://doi.org/10.3934/amc.2007.1.489
Mestre, J.: La méthode des graphes. Exemples et applications. In: Proceedings of the International Conference on Class Numbers and Fundamental Units of Algebraic Number Fields (Katata), pp. 217–242 (1986)
Miret, J.M., Moreno, R., Sadornil, D., Tena, J., Valls, M.: An algorithm to compute volcanoes of 2isogenies of elliptic curves over finite fields. Appli. Math. Comput. 176(2), 739–750 (2006)
Montgomery, P.L.: Speeding the pollard and elliptic curve methods of factorization. Math. comput. 48(177), 243–264 (1987)
Morain, F.: Calcul du nombre de points sur une courbe elliptique dans un corps fini: aspects algorithmiques. J. Théor. Nombres Bordeaux 7(1), 255–282 (1995). http://jtnb.cedram.org/item?id=JTNB_1995__7_1_255_0, les Dixhuitièmes Journées Arithmétiques, Bordeaux (1993)
National institute of standards and technology: announcing request for nominations for publickey postquantum cryptographic algorithms (2016). https://www.federalregister.gov/d/201630615
Okeya, K., Kurumatani, H., Sakurai, K.: Elliptic curves with the montgomeryform and their cryptographic applications. In: Imai, H., Zheng, Y. (eds.) Public Key Cryptography, PKC 2000. Lecture Notes in Computer Science, vol. 1751. Springer, Heidelberg (2000). https://doi.org/10.1007/9783540465881_17
Regev, O.: A subexponential time algorithm for the dihedral hidden subgroup problem with polynomial space June 2004. arXiv:quantph/0406151. http://arxiv.org/abs/quantph/0406151
Renes, J.: Computing isogenies between montgomery curves using the action of (0, 0). In: Lange, T., Steinwandt, R. (eds.) PQCrypto 2018. LNCS, vol. 10786, pp. 229–247. Springer, Cham (2018). https://doi.org/10.1007/9783319790633_11
Rostovtsev, A., Stolbunov, A.: Publickey cryptosystem based on isogenies. Cryptology ePrint Archive, Report 2006/145 April 2006. http://eprint.iacr.org/2006/145/
Schoof, R.: Counting points on elliptic curves over finite fields. J. de Théorie des Nombres de Bordeaux 7(1), 219–254 (1995)
Silverman, J.H.: The Arithmetic of Elliptic Curves. GTM, vol. 106. Springer, New York (2009). https://doi.org/10.1007/9780387094946
Silverman, J.H.: Advanced Topics in the Arithmetic of Elliptic Curves Graduate Texts in Mathematics. Springer, New York (1994)
Stolbunov, A.: Reductionist security arguments for publickey cryptographic schemes based on group action. In: Mjølsnes, S.F., (ed.) Norsk informasjonssikkerhetskonferanse (NISK) (2009)
Stolbunov, A.: Constructing publickey cryptographic schemes based on class group action on a set of isogenous elliptic curves. Adv. Math. Commun. 4(2), 215–235 (2010)
Stolbunov, A.: Cryptographic schemes based on isogenies (2012)
Sutherland, A.V.: Accelerating the CM method. LMS J. Comput. Math. 15, 172–204 (2012). https://doi.org/10.1112/S1461157012001015
Sutherland, A.V.: Constructing elliptic curves over finite fields with prescribed torsion. Math. Comput. 81, 1131–1147 (2012)
Sutherland, A.V.: Modular polynomials (2018). https://math.mit.edu/~drew/ClassicalModPolys.html
Teske, E.: An elliptic curve trapdoor system. J. Crypt. 19(1), 115–133 (2006). https://doi.org/10.1007/s0014500403283
Urbanik, D., Jao, D.: SoK: The problem landscape of SIDH. Cryptology ePrint Archive, Report 2018/336 (2018). https://doi.org/10.1145/3197507.3197516, https://eprint.iacr.org/2018/336
Vélu, J.: Isogénies entre courbes elliptiques. C. R. Acad. Sci. Paris Sér. AB 273, A238–A241 (1971)
Zimmermann, P., Dodson, B.: 20 years of ECM. In: Hess, F., Pauli, S., Pohst, M. (eds.) Algorithmic Number Theory, ANTS 2006. Lecture Notes in Computer Science, vol. 4076, pp. 525–542. Springer, Heidelberg (2006). https://doi.org/10.1007/11792086_37
Zimmermann, P., et al.: GMPECM software (2018). http://ecm.gforge.inria.fr/
Acknowledgments
We would like to thank Wouter Castryck, Tanja Lange, Chloe Martindale, Lorenz Panny, and Joost Renes for sharing a draft of their paper with us, and Alexandre Gélin and François Morain for fruitful discussions. De Feo acknowledges the support of the French Programme d’Investissements d’Avenir under the national project RISQ n\(^{\circ }\) P1415803069086/DOS0044212.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Copyright information
© 2018 International Association for Cryptologic Research
About this paper
Cite this paper
De Feo, L., Kieffer, J., Smith, B. (2018). Towards Practical Key Exchange from Ordinary Isogeny Graphs. In: Peyrin, T., Galbraith, S. (eds) Advances in Cryptology – ASIACRYPT 2018. ASIACRYPT 2018. Lecture Notes in Computer Science(), vol 11274. Springer, Cham. https://doi.org/10.1007/9783030033323_14
Download citation
DOI: https://doi.org/10.1007/9783030033323_14
Published:
Publisher Name: Springer, Cham
Print ISBN: 9783030033316
Online ISBN: 9783030033323
eBook Packages: Computer ScienceComputer Science (R0)