
Rational Isogenies from Irrational Endomorphisms

Part of the Lecture Notes in Computer Science book series (LNSC, volume 12106)


In this paper, we introduce a polynomial-time algorithm to compute a connecting \(\mathcal {O}\)-ideal between two supersingular elliptic curves over \(\mathbb {F}_p\) with common \(\mathbb {F}_p\)-endomorphism ring \(\mathcal {O}\), given a description of their full endomorphism rings. This algorithm provides a reduction of the security of the CSIDH cryptosystem to the problem of computing endomorphism rings of supersingular elliptic curves. A similar reduction for SIDH appeared at Asiacrypt 2016, but relies on totally different techniques. Furthermore, we also show that any supersingular elliptic curve constructed using the complex-multiplication method can be located precisely in the supersingular isogeny graph by explicitly deriving a path to a known base curve. This result prohibits the use of such curves as a building block for a hash function into the supersingular isogeny graph.


  • Isogeny-based cryptography
  • Endomorphism rings

Author list in alphabetical order. This work was supported in part by the Commission of the European Communities through the Horizon 2020 program under project number 643161 (ECRYPT-NET), by the Research Council KU Leuven grants C14/18/067 and STG/17/019, and by CyberSecurity Research Flanders with reference number VR20192203. The first listed author was affiliated with the Department of Mathematics at KU Leuven during part of the preparation of this paper.

Date of this document: 2020-02-20.



  1. Unless \(\beta = 0\).

  2. After we posted a version of this paper online, we learned that this was observed independently and quasi-simultaneously in [27], with a more elaborate discussion.

  3. One could handle the purely inseparable part—powers of \(\pi _E\)—in a unified way by working with scheme-theoretic kernels. Since this issue is only tangential to our work, we will for simplicity avoid this technical complication and deal with \(\pi _E\) explicitly.

  4. Unfortunately, the statement of [25, Prop. 3.2] wrongly attributes this description to the quadratic twist of \(E_1\).

  5. Here we deviate from our convention that \(\mathbf {i}^2 = -1\) as soon as \(p \equiv 3 \pmod {4}\).

  6. Under GRH, Bach [2] proved that \({\text {cl}}(\mathcal {O})\) is generated by prime ideals of norm less than \(C(\log p)^2\) for an explicitly computable small constant C. It is not known unconditionally whether a polynomial bound on the norms suffices.

  7. Note that this does not require any assumptions on the output distribution of \(\varDelta (\mathsf a)\), other than that the returned vectors are correct. (The algorithm still takes polynomial time if the oracle \(\varDelta \) only succeeds on an inverse polynomial fraction of inputs.)


  1. Arpin, S., et al.: Adventures in Supersingularland. Cryptology ePrint Archive 2019/1056 (2018).

  2. Bach, E.: Explicit bounds for primality testing and related problems. Math. Comput. 55(191), 355–380 (1990).

  3. Bernstein, D.J., Hamburg, M., Krasnova, A., Lange, T.: Elligator: elliptic-curve points indistinguishable from uniform random strings. In: ACM Conference on Computer and Communications Security, pp. 967–980. ACM (2013).

  4. Beullens, W., Kleinjung, T., Vercauteren, F.: CSI-FiSh: efficient isogeny based signatures through class group computations. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 227–247. Springer, Cham (2019).

  5. Bosma, W., Stevenhagen, P.: On the computation of quadratic 2-class groups. J. de Théorie des Nombres de Bordeaux 8(2), 283–313 (1996).

  6. Bröker, R.: Constructing supersingular elliptic curves. J. Comb. Number Theory 1(3), 273–469 (2009).

  7. Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: an efficient post-quantum commutative group action. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11274, pp. 395–427. Springer, Cham (2018).

  8. Charles, D.X., Lauter, K.E., Goren, E.Z.: Cryptographic hash functions from expander graphs. J. Cryptol. 22(1), 93–113 (2009).

  9. Conrad, K.: The conductor ideal. Expository paper.

  10. Couveignes, J.-M.: Hard homogeneous spaces. IACR Cryptology ePrint Archive 2006/291 (1997).

  11. Cox, D.A.: Primes of the Form \(x^2 + ny^2\): Fermat, Class Field Theory, and Complex Multiplication. Pure Applied Mathematics, 2nd edn. Wiley, Hoboken (2013).

  12. Delfs, C., Galbraith, S.D.: Computing isogenies between supersingular elliptic curves over \(\mathbb{F}_p\). Des. Codes Cryptogr. 78(2), 425–440 (2016).

  13. Eisenträger, K., Hallgren, S., Lauter, K., Morrison, T., Petit, C.: Supersingular isogeny graphs and endomorphism rings: reductions and solutions. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 329–368. Springer, Cham (2018).

  14. Galbraith, S., Panny, L., Smith, B., Vercauteren, F.: Quantum equivalence of the DLP and CDHP for group actions. Cryptology ePrint Archive 2018/1199 (2018).

  15. Galbraith, S., Rotger, V.: Easy decision Diffie-Hellman groups. LMS J. Comput. Math. 7, 201–218 (2004).

  16. Galbraith, S.D., Petit, C., Shani, B., Ti, Y.B.: On the security of supersingular isogeny cryptosystems. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 63–91. Springer, Heidelberg (2016).

  17. Gross, B.H., Zagier, D.B.: On singular moduli. J. für die Reine und Angewandte Mathematik 355, 191–220 (1985).

  18. Hafner, J.L., McCurley, K.S.: A rigorous subexponential algorithm for computation of class groups. J. Am. Math. Soc. 2, 837–850 (1989).

  19. Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 19–34. Springer, Heidelberg (2011).

  20. Kirschmer, M., Voight, J.: Algorithmic enumeration of ideal classes for quaternion orders. SIAM J. Comput. 39(5), 1714–1747 (2010).

  21. Kitaev, A.Y.: Quantum measurements and the Abelian stabilizer problem. Electron. Colloquium Comput. Complex. (ECCC) 3(3) (1996).

  22. Kohel, D., Lauter, K., Petit, C., Tignol, J.-P.: On the quaternion \(\ell \)-isogeny path problem. LMS J. Comput. Math. 17(Suppl. A), 418–432 (2014).

  23. Lang, S.: Elliptic Functions. Graduate Texts in Mathematics, vol. 112. Springer, Heidelberg (1987). With an appendix by John Tate.

  24. Marcus, D.A.: Number Fields. Universitext, 2nd edn. Springer, Heidelberg (2018). With a foreword by Barry Mazur.

  25. McMurdy, K.: Explicit representation of the endomorphism rings of supersingular elliptic curves (2014). Preprint.

  26. National Institute of Standards and Technology: Post-Quantum Cryptography Standardization, December 2016.

  27. Onuki, H., Takagi, T.: On collisions related to an ideal class of order 3 in CSIDH. Cryptology ePrint Archive 2019/1202 (2019).

  28. Schnorr, C.-P., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66, 181–199 (1994).

  29. Schoof, R.: Elliptic curves over finite fields and the computation of square roots mod \(p\). Math. Comput. 44(170), 483–494 (1985).

  30. Silverman, J.H.: The Arithmetic of Elliptic Curves. Graduate Texts in Mathematics, vol. 106, 2nd edn. Springer, Heidelberg (2009).

  31. Waterhouse, W.C.: Abelian varieties over finite fields. Annales scientifiques de l’École Normale Supérieure 2, 521–560 (1969).


The authors would like to thank Benjamin Wesolowski, Robert Granger, Christophe Petit, and Ben Smith for interesting discussions regarding this work, and Lixia Luo for pointing out an error in an earlier version of Lemma 22, as well as a few smaller mistakes. Thanks to Daniel J. Bernstein for providing key insights regarding the proof of Lemma 24.

Author information

Correspondence to Wouter Castryck, Lorenz Panny or Frederik Vercauteren.


Copyright information

© 2020 International Association for Cryptologic Research


Cite this paper

Castryck, W., Panny, L., Vercauteren, F. (2020). Rational Isogenies from Irrational Endomorphisms. In: Canteaut, A., Ishai, Y. (eds.) Advances in Cryptology – EUROCRYPT 2020. Lecture Notes in Computer Science, vol. 12106. Springer, Cham.


  • DOI: 10.1007/978-3-030-45724-2_18

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-45723-5

  • Online ISBN: 978-3-030-45724-2

  • eBook Packages: Computer Science (R0)