Abstract
We study two important families of problems in isogeny-based cryptography and how they relate to each other: computing the endomorphism ring of supersingular elliptic curves, and inverting the action of class groups on oriented supersingular curves. We prove that these two families of problems are closely related through polynomial-time reductions, assuming the generalised Riemann hypothesis.
We identify two classes of essentially equivalent problems. The first class corresponds to the problem of computing the endomorphism ring of oriented curves. The security of a large family of cryptosystems (such as CSIDH) reduces to (and sometimes from) this class, for which there are heuristic quantum algorithms running in subexponential time. The second class corresponds to computing the endomorphism ring of orientable curves. The security of essentially all isogeny-based cryptosystems reduces to (and sometimes from) this second class, for which the best known algorithms are still exponential.
Some of our reductions not only generalise, but also strengthen previously known results. For instance, it was known that in the particular case of curves defined over \(\mathbf {F}_p\), the security of CSIDH reduces to the endomorphism ring problem in subexponential time. Our reductions imply that the security of CSIDH is actually equivalent to the endomorphism ring problem, under polynomial time reductions (circumventing arguments that proved such reductions unlikely).
Acknowledgements
This work was supported by the Agence Nationale de la Recherche under grants ANR MELODIA (ANR-20-CE40-0013) and ANR CIAO (ANR-19-CE48-0008). The author would like to thank Katherine E. Stange and Jean-François Biasse for valuable discussions, feedback and corrections that helped improve the quality of this work.
© 2022 International Association for Cryptologic Research
Wesolowski, B. (2022). Orientations and the Supersingular Endomorphism Ring Problem. In: Dunkelman, O., Dziembowski, S. (eds) Advances in Cryptology – EUROCRYPT 2022. EUROCRYPT 2022. Lecture Notes in Computer Science, vol 13277. Springer, Cham. https://doi.org/10.1007/978-3-031-07082-2_13
DOI: https://doi.org/10.1007/978-3-031-07082-2_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-07081-5
Online ISBN: 978-3-031-07082-2
eBook Packages: Computer Science (R0)