Rational Isogenies from Irrational Endomorphisms

Part of the Lecture Notes in Computer Science book series (LNSC, volume 12106)

Abstract

In this paper, we introduce a polynomial-time algorithm to compute a connecting \(\mathcal {O}\)-ideal between two supersingular elliptic curves over \(\mathbb {F}_p\) with common \(\mathbb {F}_p\)-endomorphism ring \(\mathcal {O}\), given a description of their full endomorphism rings. This algorithm provides a reduction of the security of the CSIDH cryptosystem to the problem of computing endomorphism rings of supersingular elliptic curves. A similar reduction for SIDH appeared at Asiacrypt 2016, but relies on totally different techniques. We also show that any supersingular elliptic curve constructed using the complex-multiplication method can be located precisely in the supersingular isogeny graph by explicitly deriving a path to a known base curve. This result rules out the use of such curves as a building block for a hash function into the supersingular isogeny graph.
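To make the objects in the abstract concrete, the following is an added toy example (it is not code from the paper, nor the authors' implementation) of the CSIDH group action that the reduction targets. Over a toy prime \(p = 4\cdot 3\cdot 5\cdot 7 - 1 = 419\), every supersingular Montgomery curve \(E_A: y^2 = x^3 + Ax^2 + x\) has \(\mathbb {F}_p\)-endomorphism ring \(\mathcal {O} = \mathbb {Z}[\pi]\), and a CSIDH secret key is an ideal class \([\mathfrak l_3^{e_3}\mathfrak l_5^{e_5}\mathfrak l_7^{e_7}]\) with \(\mathfrak l_\ell = (\ell, \pi - 1)\). The connecting \(\mathcal {O}\)-ideal between the public curve and the base curve is exactly this secret class, which is what makes the paper's reduction a key-recovery reduction. The prime, the exponents, and all function names below are assumptions chosen for illustration; the codomain formula is the Montgomery-form Vélu formula of Costello–Hisil and Renes.

```python
# Added toy example (not from the paper): CSIDH class-group action on
# E_A : y^2 = x^3 + A x^2 + x over F_p for the toy prime p = 4*3*5*7 - 1 = 419
# (prime, p = 3 mod 8).  All parameters and names are illustrative assumptions.
p = 4 * 3 * 5 * 7 - 1          # 419
ELLS = (3, 5, 7)               # the odd primes dividing p + 1
INF = None                     # point at infinity

def inv(a):
    return pow(a, p - 2, p)

def is_square(a):
    return a % p == 0 or pow(a, (p - 1) // 2, p) == 1

def sqrt_mod(a):
    return pow(a, (p + 1) // 4, p)   # valid because p = 3 (mod 4)

def add(A, P, Q):
    """Affine group law on E_A; P and Q are (x, y) tuples or INF."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:
        if (y1 + y2) % p == 0:
            return INF                                          # P = -Q
        lam = (3 * x1 * x1 + 2 * A * x1 + 1) * inv(2 * y1) % p  # doubling
    else:
        lam = (y2 - y1) * inv(x2 - x1) % p
    x3 = (lam * lam - A - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(A, n, P):
    """Scalar multiplication [n]P by double-and-add."""
    R = INF
    while n:
        if n & 1:
            R = add(A, R, P)
        P = add(A, P, P)
        n >>= 1
    return R

def count_points(A):
    """#E_A(F_p) by brute force; a supersingular curve has exactly p + 1 points."""
    n = 1
    for x in range(p):
        rhs = (x ** 3 + A * x * x + x) % p
        n += 1 if rhs == 0 else (2 if is_square(rhs) else 0)
    return n

def point_of_order(A, ell):
    """Deterministic F_p-rational point of exact order ell: #E_A(F_p) = p + 1 and
    ell divides p + 1 exactly once, so any nonzero [(p+1)/ell]P has order ell."""
    for x in range(1, p):
        rhs = (x ** 3 + A * x * x + x) % p
        if rhs != 0 and is_square(rhs):
            Q = mul(A, (p + 1) // ell, (x, sqrt_mod(rhs)))
            if Q is not INF:
                return Q
    raise ValueError("no point of order %d on E_%d" % (ell, A))

def act(A, ell):
    """Apply the class [(ell, pi - 1)]: quotient E_A by its F_p-rational
    ell-torsion.  Codomain coefficient via the Montgomery Velu formula
    A' = (6*sigma_tilde - 6*sigma + A) * prod^2 (Costello-Hisil / Renes),
    with sigma, sigma_tilde, prod over x([i]Q), i = 1..(ell-1)/2."""
    Q = point_of_order(A, ell)
    xs, R = [], Q
    for _ in range((ell - 1) // 2):
        xs.append(R[0])
        R = add(A, R, Q)
    sigma = sum(xs) % p
    sigma_tilde = sum(inv(x) for x in xs) % p
    prod = 1
    for x in xs:
        prod = prod * x % p
    return (6 * sigma_tilde - 6 * sigma + A) * prod * prod % p

def act_inverse(A, ell):
    """Apply the conjugate class [(ell, pi + 1)]: its kernel is F_p-rational on
    the quadratic twist, which for p = 3 (mod 4) is E_{-A}; act there, twist back."""
    return (-act((-A) % p, ell)) % p

def csidh_action(A, exponents):
    """Secret key e = (e_3, e_5, e_7) acts as [l_3^e3 l_5^e5 l_7^e7] * E_A."""
    for ell, e in zip(ELLS, exponents):
        for _ in range(abs(e)):
            A = act(A, ell) if e > 0 else act_inverse(A, ell)
    return A

if __name__ == "__main__":
    a, b = (1, -1, 2), (-2, 1, 1)           # Alice's and Bob's secret exponents
    EA, EB = csidh_action(0, a), csidh_action(0, b)
    print("shared secret agrees:", csidh_action(EB, a) == csidh_action(EA, b))
```

Two facts from the CSIDH paper [7] make the comparisons above meaningful: for \(p \equiv 3 \pmod 8\) the Montgomery coefficient \(A\) uniquely identifies the \(\mathbb {F}_p\)-isomorphism class of a supersingular curve with \(\mathrm{End}_{\mathbb {F}_p} = \mathbb {Z}[\pi]\), so commutativity of the class group shows up as literal equality of coefficients, and the quadratic twist of \(E_A\) is \(E_{-A}\), which is how `act_inverse` realises the conjugate ideal \(\bar{\mathfrak l}_\ell\). Recovering the exponent vector from \(E_A\) alone is the CSIDH key-recovery problem; the paper shows that it becomes easy once the full endomorphism rings of \(E_0\) and \(E_A\) are known.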

Keywords

  • Isogeny-based cryptography
  • Endomorphism rings
  • CSIDH

Author list in alphabetical order; see https://www.ams.org/profession/leaders/culture/CultureStatement04.pdf. This work was supported in part by the Commission of the European Communities through the Horizon 2020 program under project number 643161 (ECRYPT-NET) and by the Research Council KU Leuven grants C14/18/067 and STG/17/019, and by CyberSecurity Research Flanders with reference number VR20192203. The first listed author was affiliated with the Department of Mathematics at KU Leuven during part of the preparation of this paper.

Date of this document: 2020-02-20.

Notes

  1. Unless \(\beta = 0\).

  2. After we posted a version of this paper online, we learned that this was observed independently and quasi-simultaneously in [27], with a more elaborate discussion.

  3. One could handle the purely inseparable part—powers of \(\pi _E\)—in a unified way by working with scheme-theoretic kernels. Since this issue is only tangential to our work, we will for simplicity avoid this technical complication and deal with \(\pi _E\) explicitly.

  4. Unfortunately, the statement of [25, Prop. 3.2] wrongly attributes this description to the quadratic twist of \(E_1\).

  5. Here we deviate from our convention that \(\mathbf {i}^2 = -1\) as soon as \(p \equiv 3 \pmod {4}\).

  6. Under GRH, Bach [2] proved that \({\text {cl}}(\mathcal {O})\) is generated by prime ideals of norm less than \(C(\log p)^2\) for an explicitly computable small constant C. It is not known unconditionally whether a polynomial bound on the norms suffices.

  7. Note that this does not require any assumptions on the output distribution of \(\varDelta (\mathsf a)\), other than that the returned vectors are correct. (The algorithm still takes polynomial time if the oracle \(\varDelta \) only succeeds on an inverse polynomial fraction of inputs.)

References

  1. Arpin, S., et al.: Adventures in Supersingularland. Cryptology ePrint Archive 2019/1056 (2018). https://ia.cr/2019/1056

  2. Bach, E.: Explicit bounds for primality testing and related problems. Math. Comput. 55(191), 355–380 (1990)

  3. Bernstein, D.J., Hamburg, M., Krasnova, A., Lange, T.: Elligator: elliptic-curve points indistinguishable from uniform random strings. In: ACM Conference on Computer and Communications Security, pp. 967–980. ACM (2013). https://ia.cr/2013/325

  4. Beullens, W., Kleinjung, T., Vercauteren, F.: CSI-FiSh: efficient isogeny based signatures through class group computations. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 227–247. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_9

  5. Bosma, W., Stevenhagen, P.: On the computation of quadratic 2-class groups. J. de Théorie des Nombres de Bordeaux 8(2), 283–313 (1996)

  6. Bröker, R.: Constructing supersingular elliptic curves. J. Comb. Number Theory 1(3), 273–469 (2009)

  7. Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: an efficient post-quantum commutative group action. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11274, pp. 395–427. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03332-3_15

  8. Charles, D.X., Lauter, K.E., Goren, E.Z.: Cryptographic hash functions from expander graphs. J. Cryptol. 22(1), 93–113 (2009). https://ia.cr/2006/021

  9. Conrad, K.: The conductor ideal. Expository paper. https://kconrad.math.uconn.edu/blurbs/gradnumthy/conductor.pdf

  10. Couveignes, J.-M.: Hard homogeneous spaces. IACR Cryptology ePrint Archive 2006/291 (1997). https://ia.cr/2006/291

  11. Cox, D.A.: Primes of the Form \(x^2 + ny^2\): Fermat, Class Field Theory, and Complex Multiplication. Pure Applied Mathematics, 2nd edn. Wiley, Hoboken (2013)

  12. Delfs, C., Galbraith, S.D.: Computing isogenies between supersingular elliptic curves over \(\mathbb{F}_p\). Des. Codes Cryptogr. 78(2), 425–440 (2016). https://arxiv.org/abs/1310.7789

  13. Eisenträger, K., Hallgren, S., Lauter, K., Morrison, T., Petit, C.: Supersingular isogeny graphs and endomorphism rings: reductions and solutions. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 329–368. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_11

  14. Galbraith, S., Panny, L., Smith, B., Vercauteren, F.: Quantum equivalence of the DLP and CDHP for group actions. Cryptology ePrint Archive 2018/1199 (2018). https://ia.cr/2018/1199

  15. Galbraith, S., Rotger, V.: Easy decision Diffie-Hellman groups. LMS J. Comput. Math. 7, 201–218 (2004). https://ia.cr/2004/070

  16. Galbraith, S.D., Petit, C., Shani, B., Ti, Y.B.: On the security of supersingular isogeny cryptosystems. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 63–91. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_3

  17. Gross, B.H., Zagier, D.B.: On singular moduli. J. für die Reine und Angewandte Mathematik 355, 191–220 (1985)

  18. Hafner, J.L., McCurley, K.S.: A rigorous subexponential algorithm for computation of class groups. J. Am. Math. Soc. 2, 837–850 (1989)

  19. Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 19–34. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_2

  20. Kirschmer, M., Voight, J.: Algorithmic enumeration of ideal classes for quaternion orders. SIAM J. Comput. 39(5), 1714–1747 (2010). https://arxiv.org/abs/0808.3833

  21. Kitaev, A.Y.: Quantum measurements and the Abelian stabilizer problem. Electron. Colloquium Comput. Complex. (ECCC) 3(3) (1996). https://eccc.hpi-web.de/eccc-reports/1996/TR96-003

  22. Kohel, D., Lauter, K., Petit, C., Tignol, J.-P.: On the quaternion \(\ell \)-isogeny path problem. LMS J. Comput. Math. 17(Suppl. A), 418–432 (2014). https://ia.cr/2014/505

  23. Lang, S.: Elliptic Functions. Graduate Texts in Mathematics, vol. 112. Springer, Heidelberg (1987). https://doi.org/10.1007/978-1-4612-4752-4. With an appendix by John Tate

  24. Marcus, D.A.: Number Fields. Universitext, 2nd edn. Springer, Heidelberg (2018). https://doi.org/10.1007/978-1-4684-9356-6. With a foreword by Barry Mazur

  25. McMurdy, K.: Explicit representation of the endomorphism rings of supersingular elliptic curves (2014). Preprint. https://phobos.ramapo.edu/~kmcmurdy/research/McMurdy-ssEndoRings.pdf

  26. National Institute of Standards and Technology: Post-Quantum Cryptography Standardization, December 2016. https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Post-Quantum-Cryptography-Standardization

  27. Onuki, H., Takagi, T.: On collisions related to an ideal class of order 3 in CSIDH. Cryptology ePrint Archive 2019/1202 (2019). https://ia.cr/2019/1202

  28. Schnorr, C.-P., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66, 181–199 (1994)

  29. Schoof, R.: Elliptic curves over finite fields and the computation of square roots mod \(p\). Math. Comput. 44(170), 483–494 (1985)

  30. Silverman, J.H.: The Arithmetic of Elliptic Curves. Graduate Texts in Mathematics, vol. 106, 2nd edn. Springer, Heidelberg (2009). https://doi.org/10.1007/978-0-387-09494-6

  31. Waterhouse, W.C.: Abelian varieties over finite fields. Annales scientifiques de l’École Normale Supérieure 2, 521–560 (1969)

Acknowledgements

The authors would like to thank Benjamin Wesolowski, Robert Granger, Christophe Petit, and Ben Smith for interesting discussions regarding this work, and Lixia Luo for pointing out an error in an earlier version of Lemma 22, as well as a few smaller mistakes. Thanks to Daniel J. Bernstein for providing key insights regarding the proof of Lemma 24.

Author information

Correspondence to Wouter Castryck, Lorenz Panny or Frederik Vercauteren.

Copyright information

© 2020 International Association for Cryptologic Research

About this paper

Cite this paper

Castryck, W., Panny, L., Vercauteren, F. (2020). Rational Isogenies from Irrational Endomorphisms. In: Canteaut, A., Ishai, Y. (eds) Advances in Cryptology – EUROCRYPT 2020. Lecture Notes in Computer Science, vol. 12106. Springer, Cham. https://doi.org/10.1007/978-3-030-45724-2_18

  • DOI: https://doi.org/10.1007/978-3-030-45724-2_18

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-45723-5

  • Online ISBN: 978-3-030-45724-2