Keywords

1 Introduction

Let C and \(C'\) be genus 2 curves with superspecial Jacobians. The general dimension 2 superspecial isogeny problem asks us to find an isogeny

$$\phi :{{\,\textrm{Jac}\,}}(C) \rightarrow {{\,\textrm{Jac}\,}}(C'),$$

of principally polarised (p.p.) abelian surfaces, where \({{\,\textrm{Jac}\,}}(C)\) and \({{\,\textrm{Jac}\,}}(C')\) are the Jacobians of C and \(C'\) respectively.

We say that the Jacobian \({{\,\textrm{Jac}\,}}(C)\) of a genus 2 curve C is split (over K) if there exists a separable (polarised) K-isogeny of p.p. abelian surfaces \({{\,\textrm{Jac}\,}}(C) \rightarrow E_1 \times E_2\) where \(E_1/K\) and \(E_2/K\) are elliptic curves.

The best known algorithm for solving the superspecial isogeny problem is due to Costello and Smith [13]. It consists of two stages. The first stage computes pseudorandom walks away from the two input Jacobians to find paths to products of two supersingular elliptic curves, i.e., \(\varphi :{{\,\textrm{Jac}\,}}(C) \rightarrow E_1 \times E_2\) and \(\varphi ^\prime :{{\,\textrm{Jac}\,}}(C') \rightarrow E_1^\prime \times E_2^\prime \). Assuming the pseudorandom walks quickly converge to the uniform distribution, the first stage runs in \(\widetilde{O}(p)\) classical bit operations, since the proportion of superspecial abelian surfaces that are isomorphic to a product of elliptic curves is O(1/p). The second stage calls the \(\widetilde{O}(p^{1/2})\) Delfs-Galbraith algorithm [16] to find paths between \(E_1\) and \(E_1^\prime \) and between \(E_2\) and \(E_2^\prime \). These are then glued together to obtain the path \(\pi :E_1 \times E_2 \rightarrow E_1^\prime \times E_2^\prime \) connecting \(\varphi \) and \(\varphi ^\prime \) in order to output the full solution \(\phi :=\widehat{\varphi ^\prime } \circ \pi \circ \varphi \). It follows that the entire algorithm runs in \(\widetilde{O}(p)\) classical bit operations on average, with the cost dominated by the first step: finding paths to products of elliptic curves.

Isogeny-based cryptography in dimension 2. The product-finding algorithm [13] that we accelerate in this work solves the general superspecial isogeny problem, which underlies the security of various isogeny-based protocols in dimension 2. An example of such a scheme is the dimension 2 analogue of the Charles-Goren-Lauter hash function [10], which was proposed by Takashima [52] and later extended by Castryck, Decru and Smith [9].

The 2022 breaks of SIDH and SIKE [8, 41, 44] revealed that understanding higher dimensional isogenies is essential to navigate the isogeny graphs in dimension 1. More recently, there has been a line of works leveraging the techniques used in the attacks to propose new cryptosystems that exploit isogeny computations in higher dimensions [1, 11, 15]. Although the hard problems underlying these schemes are not directly impacted by the algorithm that is optimised in this paper, we believe the trend towards instantiating schemes in higher dimensions will only make the dimension 2 supersingular isogeny problem more relevant to practitioners as the field of isogeny-based cryptography continues to mature.

Based on the present knowledge of attacks in dimension 2, we believe it is reasonable to speculate that the complexity of the product-finding algorithm may eventually be used as an upper-bound on the classical hardness of attacking many schemes that are currently conceivable, even when the underlying instances of the isogeny problem are special cases of its general formulation (provided no superior algorithm for the special problem is found, of course). For example, consider the dimension 2 analogue of the Sigma protocol that proves knowledge of an isogeny of a specified degree (see [19] for the latest on this protocol). In dimension 1, the best known classical attack on this protocol is the van Oorschot–Wiener (vOW) meet-in-the-middle algorithm [54]. In dimension 2, however, the \(\widetilde{O}(p)\) product-finding algorithm will solve the general problem at least as fast as the van Oorschot–Wiener meet-in-the-middle algorithm [54], and is likely to become the preferred algorithmFootnote 1 for large enough p.

Contributions. We begin with an implementation of the algorithm described above for finding paths to products of elliptic curves. This includes a streamlined version of the Takashima–Yoshida algorithm [53, §5.5] for computing chains of Richelot isogenies. With this optimised algorithm, we provide a toolbox for exploring the (2, 2)-isogeny graph. The expansion properties of the (2, 2)-isogeny graph are not well understood and our implementation is well suited to exploring this. For example, one could hope to provide evidence towards [23, Conj. 4.10]. Understanding the expansion properties of this graph is crucial to gaining a deeper insight into the hardness of the general isogeny problem in dimension 2.

This lays the foundation for the main contribution of this work: a new algorithm that speeds up the search for paths to products of elliptic curves. At the heart of our algorithm is the work of Kumar [36], who gives explicit parametrisations of the moduli space of genus 2 curves whose Jacobians are split by an (NN)-isogeny. When we step to a new node in the Richelot isogeny graph, these parametrisations allow us to efficiently test whether any of the (NN)-isogenous neighbours are isomorphic to a product of supersingular elliptic curves without computing any expensive (NN)-isogenies. For example, over a field whose characteristic is a 100-bit prime, an optimised Richelot isogeny (see Sect. 3) requires 1176 \(\mathbb {F}_p\)-multiplications. This is the cost of taking a single step in the Richelot isogeny graph, which reveals only one neighbour and is thus the per-node cost of running the attack described in [13]. However, using the new algorithm we describe in Sect. 5 with \(N=3\), we are able to test whether any of the (3, 3)-isogenous neighbours are split with a total of 767 \(\mathbb {F}_p\)-multiplications. Since there are 40 such neighbours, the per-node cost of simultaneously searching these neighbours is less than 20 \(\mathbb {F}_p\)-multiplications each. The upshot is that when attacking an instance of the superspecial isogeny problem, we can sift through a larger proportion of superspecial Jacobians per unit time, thus reaching an elliptic curve product with fewer \(\mathbb {F}_p\)-multiplications.

In Sect. 7 we report on a number of experiments conducted over both small primes (where instances of the superspecial isogeny problem can be solved) and large primes of cryptographic size. Applying our accelerated algorithm to find paths to elliptic products when \(p=2^{31}-1\), we solve 10 instances of the problem using an average of \(2^{33.0}\) multiplications in \(\mathbb {F}_p\) for an average wall time of \(2^{16.3}\) seconds. Our optimised version of the original algorithm from [13] requires an average of \(2^{36.8}\) multiplications in \(\mathbb {F}_p\) for an average runtime of \(2^{20.5}\) seconds to solve the same 10 instances. In Table 1 we give a snapshot of the improvements that were observed in our implementation for a number of large primes of varying bitlength. We see that the relative speedup improves as the prime p grows in size (see Sect. 7 for more details).

Table 1. An abbreviated version of Table 5. See Sect. 7 for further explanation.
Full size table

Indeed, for primes of at least 150 bits, we argue in Sect. 6.3 that (heuristically) Algorithm 4 requires an expected number of

$$\begin{aligned} \left( \frac{14 \log _2(p) + 34490}{5 \cdot 664} \right) p + O(\log _2 (p)) \end{aligned}$$

\(\mathbb {F}_p\)-multiplications before encountering a product of elliptic curves. Under the same heuristics, our optimised version of the algorithm in [13] would require a larger expected \(\left( \frac{12 \log _2(p) + 129}{5} \right) p + O(\log _2 (p))\) \(\mathbb {F}_p\)-multiplications.

All of the source code accompanying this paper is written in Magma [2] and can be found at

https://github.com/mariascrs/SplitSearcher.

Finally, we note that our algorithm for detecting (NN)-splittings may be of interest outside of our target application of the dimension 2 superspecial isogeny problem. For example, it answers a question posed by Castryck and Decru [8, §11] for \(N \le 11\).

Related work. At a high level, our improvements to the dimension 2 superspecial isogeny attack can be viewed as an analogue of those recently given by Corte-Real Santos, Costello and Shi [12] to the Delfs–Galbraith attack [16] in dimension 1. Indeed, both attacks use random walks to find special nodes in the graph to reduce the (remainder of the) algorithm to a comparatively easier isogeny problem: the special nodes in the Delfs–Galbraith algorithm are the isomorphism classes of elliptic curves defined over \(\mathbb {F}_p\), while the special nodes in the Costello–Smith algorithm are the isomorphism classes of products of elliptic curves. The key to the improvements in [12] was an efficient method for determining whether modular polynomials have subfield roots without computing any such roots explicitly. This allows many nodes to be simultaneously searched over without being visited by means of expensive isogeny computations. The key to the improvements in this paper stem from Kumar’s parametrisations of the moduli space of genus 2 curves whose Jacobians are split by an (NN)-isogeny [36]. In a similar vein to [12], we show that these can be used to simultaneously search over many neighbours without visiting the corresponding nodes in the isogeny walks.

It is worth noting that, relatively speaking, the improvements found in this work are significantly larger than the improvements reported in [12] in the dimension 1 case. At first glance of Sect. 5, it seems our batch (NN)-split searching requires a lot more computation than the analogous batch N-isogenous subfield curve searching in [12]. However, in dimension 2 we are processing \(O(N^3)\) neighbours simultaneously (see Equation (1)), while the subfield search in dimension 1 is batch testing O(N) neighbours each time. For primes of size 50 to 800 bits, [12, Table 6] report speedups ranging from 3.2\(\times \) to 17.6\(\times \), while the speedups we found for primes of these same sizes (see Table 5) range from 16.5\(\times \) to 116.3\(\times \).

Outline. After giving the necessary background in Sect. 2, we detail our optimised version of the original \(\varGamma _2(2; p)\) walk from [13] in Sect. 3. In Sect. 4 we recall standard results concerning moduli spaces for genus 2 curves with split Jacobians and Kumar’s formulae [36]. In Sect. 5 we present the main contribution of this work: an efficient algorithm to detect (NN)-splittings. We give the full algorithm and discuss our implementation in Sect. 6. Finally, we present the experimental results in Sect. 7 before we conclude by mentioning some possible avenues for improving the algorithm.

2 Background

We give a brief account of abelian surfaces and fix notation. Readers looking for an in-depth discussion of higher dimensional abelian varieties and their application in isogeny based cryptography are encouraged to consult [9, 13], and [24].

Let A be an abelian surface (i.e., an abelian variety of dimension 2) defined over a field K and write \(\widehat{A}\) for the dual abelian variety. A pair \((A, \lambda )\) is said to be a polarised abelian surface if \(\lambda :A \rightarrow \widehat{A}\) is an isogeny (i.e., a surjective finite morphism of group varieties). We say that \((A, \lambda )\) is principally polarised (p.p.) if \(\lambda \) is an isomorphism.

If C/K is a smooth projective curve we write \({{\,\textrm{Jac}\,}}(C)/K\) for the Jacobian of C, the abelian variety whose points parametrise degree zero divisors on C up to linear equivalence. Throughout the article we will suppress the implicit choice of (principal) polarisation on A. In particular, when \(A = {{\,\textrm{Jac}\,}}(C)\) is the Jacobian of a (smooth projective) curve then A is equipped with the (canonical) principal polarisation arising from the theta divisor and when \(A = E_1 \times E_2\) is a product of elliptic curves then A is equipped with the product polarisation.

Let \((A, \lambda )\) and \((A', \lambda ')\) be p.p. abelian surfaces. An isogeny \(\phi :A \rightarrow A'\) is said to be an isogeny of p.p. abelian surfaces if there exists an integer \(m \ge 1\) such that \(\widehat{\phi } \circ \lambda ' \circ \phi = [m] \lambda \). If \(N \ge 2\) is an integer coprime to the characteristic of K, then for any abelian variety A we have the N-Weil pairing \(A[N] \times \widehat{A}[N] \rightarrow \mu _N\). When A is equipped with a principal polarisation this gives rise to the N-Weil pairing

$$\begin{aligned} e_N :A[N] \times {A}[N] \rightarrow \mu _N. \end{aligned}$$

We say that a subgroup \(G \subseteq A[N]\) is isotropic (with respect to the N-Weil pairing) if \(e_N(P, Q) = 1\) for all \(P,Q \in G\). We say G is maximal isotropic if moreover there is no isotropic subgroup \(G^\prime \) with \(G \subsetneq G^\prime \subseteq A[N]\).

Given a maximal isotropic subgroup \(G \subseteq A[N]\), the abelian surface \(A^\prime = A/G\) comes equipped with a principal polarisation \(\lambda '\) such that \(\phi :A \rightarrow A^\prime \) is an isogeny of p.p. abelian surfaces and \(\phi ^*\lambda ' = [m]\lambda \) for some integer m. We say that a subgroup \(G \subseteq A[N]\) is an (NN)-subgroup if it is maximal isotropic (with respect to \(e_N\)) and isomorphic (as an abstract group) to \((\mathbb {Z}/N\mathbb {Z})^{2}\). In this case we say that \(\phi \) is an (NN)-isogeny. The number of (NN)-subgroups of A[N] is equal to

$$\begin{aligned} D_N :=N^3 \prod _{\begin{array}{c} \text {primes } \\ \ell \mid N \end{array}} \frac{1}{\ell ^3}(\ell + 1)(\ell ^2 + 1). \end{aligned}$$
(1)

In particular, when N is prime we have \(D_N = (N^2+1)(N+1)\). See e.g., [7, Lemma 2] (see also [13, Lemma 2] and [24, Proposition 3(2)] when N is a prime or prime power, respectively).

2.1 Superspecial Abelian Surfaces

As discussed by Castryck, Decru, and Smith [9, §2], for cryptographic applications the most natural generalisation of the set of supersingular elliptic curves to dimension 2 is the set of superspecial p.p. abelian surfaces.

Definition 1

We say a p.p. abelian surface \(A/\overline{\mathbb {F}}_p\) is supersingular if the Newton polygon of A is a line of slope \(\frac{1}{2}\). We say A is superspecial if the Hasse-Witt matrix \(M \in \mathbb {F}_p^{2\times 2}\) vanishes identically.

If A is superspecial, then it is supersingular. The converse is not necessarily true when \(\dim (A) \ge 2\). The condition for superspeciality is a natural generalisation of the fact that when \(p > 3\) an elliptic curve is supersingular if and only if it has trace of Frobenius congruent to 0 modulo p. An alternative characterisation is that A is isomorphic (as an abstract abelian variety) to a product of supersingular elliptic curves.

It can be shown that every superspecial p.p. abelian surface \(A/\overline{\mathbb {F}}_p\) is \(\overline{\mathbb {F}}_p\)-isomorphic (as a p.p. abelian variety) to a p.p. abelian surface defined over \(\mathbb {F}_{p^2}\) (see [29, Theorem 1]) and moreover this abelian surface may be chosen to have full \(\mathbb {F}_{p^2}\)-rational 2-torsion when p is odd (see [9, §2]).

The dimension 2 superspecial isogeny problem may be stated precisely as:

Problem 1

(Dimension 2 superspecial isogeny problem). Given a pair of superspecial p.p. abelian surfaces A and \(A'\) defined over \(\mathbb {F}_{p^2}\), find an \(\overline{\mathbb {F}}_p\)-isogeny \(A \rightarrow A'\).

2.2 The Superspecial Isogeny Graph

We now describe the superspecial isogeny graph, and re-frame Problem 1 as a path finding problem.

Let \(\mathcal {S}_2(p)\) denote the set of \(\overline{\mathbb {F}}_p\)-isomorphism classes of superspecial p.p. abelian surfaces. Since every superspecial p.p. abelian surface admits a model over \(\mathbb {F}_{p^2}\), the set \(\mathcal {S}_2(p)\) is finite. In fact, it can be shown that it has size \(O(p^{3})\) [9, Theorem 1]. For each integer N coprime to p, we define \(\varGamma _2(N; p)\) as the directed weighted multigraph on vertex set \(\mathcal {S}_2(p)\), whose edges are \(\overline{\mathbb {F}}_p\)-isomorphism classes of (NN)-isogenies (weighted by the number of distinct kernels yielding isogenies in the class). The graph \(\varGamma _2(N; p)\) is \(D_N\)-regular, where \(D_N\) is given by Equation (1) (taking into account multiplicities of each edge).

Though primitives constructed using superspecial p.p. abelian surfaces, such as the Castryck–Decru–Smith hash function [9], assume the rapid convergence of random walks in the graphs \(\varGamma _2(N; p)\) to the uniform distribution, it is important to note that these expansion properties are not well understood. The superspecial isogeny graph is connected (see e.g., [33, 43]), however, as discussed by Florit and Smith [23, §4.3], the graphs \(\varGamma _2(N; p)\) do not fit into the definition of an expander graph as they are directed multigraphs. However, one can still obtain upper bounds on the eigenvalues of these graphs to determine whether \(\varGamma _2(N; p)\) is Ramanujan, i.e., has optimal expansion. Jordan–Zaytman [33] give the first counterexample: \(\varGamma _2(2; 11)\) is not Ramanujan. Florit–Smith provide evidence that the same behaviour occurs for \(\varGamma _2(2; p)\) where \(11 \le p \le 201\), therefore suggesting that the superspecial (2, 2)-isogeny graph fails to be Ramanujan [23, Appendix A]. It would also be interesting to study the expansion properties of \(\varGamma _2(N; p)\) for \(N > 2\). Despite the lack of optimal expansion, Florit–Smith conjecture [23, Conjecture 4.10] that \(\varGamma _2(N; p)\) still has good enough expansion for cryptographic purposes.

Every p.p. abelian surface is isomorphic to either the Jacobian of a curve of genus 2, or to a product of two elliptic curves with the product polarisation. In the latter case, if the abelian surface is superspecial, then the elliptic curves will be supersingular. Therefore, \(\mathcal {S}_2(p)\) is equal to the disjoint union of the following two sets:

$$\begin{aligned} \mathcal {J}_2(p) &:=\{A \in \mathcal {S}_2(p) \ : \ A \cong {{\,\textrm{Jac}\,}}(C) \text { for some genus } 2 \text { curve } C \} \text { and } \\ \mathcal {E}_2(p) &:=\{A \in \mathcal {S}_2(p) \ : \ A \cong E_1 \times E_2 \text { for some } E_1, E_2 \in \mathcal {S}_1(p) \}, \end{aligned}$$

where the isomorphisms are of p.p. abelian varieties over \(\overline{\mathbb {F}}_p\). It can be shown that \(\#\mathcal {J}_2(p) = \frac{1}{2880}p^3 + O(p^2)\) and \(\#\mathcal {E}_2(p) = \frac{1}{288}p^2 + O(p)\) (combine [51, Theorem V.4.1(c)] with [3, Theorem 3.10(b)] or [30, Theorem 3.3], see [9, Theorem 1] for details). In particular \(\#\mathcal {E}_2(p)/\#\mathcal {S}_2(p) = 10/p + O(1/p^2)\).

Important to our work will be the ratio of nodes \(A \in \mathcal {E}_2(p)\) to nodes visited while performing a random walk on \(\varGamma _2(N; p)\). A natural first guess would be that this ratio matches the proportion of such nodes in the entire graph, i.e., \(\sim 10/p\). However, Florit–Smith show that all but O(p) of the products of elliptic curves have reduced automorphism group of order 2, and deduce that the expected proportion of products in a random walk is \(\sim \frac{1}{2} \cdot \frac{10}{p} = \frac{5}{p}\) [23, §6.2].

As in the dimension 1 case, we can view the dimension 2 isogeny problem as a path finding problem in the superspecial isogeny graph.

Problem 2

Given superspecial p.p. abelian surfaces A and \(A^\prime \) defined over \(\mathbb {F}_{p^2}\), find a walk in \(\varGamma _2(N; p)\) connecting them (when \(p \not \mid N\)).

2.3 Attacking the General Isogeny Problem in Dimension 2

The best known algorithm for solving Problem 2 exploits the properties of the subset \(\mathcal {E}_2(p) \subseteq \mathcal {S}_2(p)\) and is depicted in Algorithm 1. Given two (\(\overline{\mathbb {F}}_p\)-isomorphism classes of) p.p. abelian surfaces A and \(A^\prime \in \mathcal {J}_2(p)\), Steps 1 and 2 find paths \(\varphi :A \rightarrow E_1 \times E_2\) and \(\varphi ^\prime :A^\prime \rightarrow E^\prime _1 \times E^\prime _2\), where both \(E_1 \times E_2 \in \mathcal {E}_2(p)\) and \(E^\prime _1 \times E^\prime _2 \in \mathcal {E}_2(p)\). As \(\# \mathcal {J}_2(p) = O(p^3)\) and \(\# \mathcal {E}_2(p) = O(p^2)\), we expect to complete both of these steps using \(\widetilde{O}(p)\) operations in \(\mathbb {F}_p\). Steps 3 and 4 then solve the dimension 1 isogeny problem on input of \(E_1\) and \(E_1^\prime \) and on input of \(E_2\) and \(E^\prime _2\) to output the paths \(\psi _1 :E_1 \rightarrow E_1^\prime \) and \(\psi _2 :E_2 \rightarrow E_2^\prime \) in the supersingular elliptic curve N-isogeny graph. Both of these steps terminate using on average \(\widetilde{O}(\sqrt{p})\) operations in \(\mathbb {F}_p\) [16]. If \(\text {length}(\psi _1) \equiv \text {length}(\psi _2) \bmod 2\), we can use these to construct a product path \(\pi :E_1 \times E_2 \rightarrow E_1^\prime \times E_2^\prime \), as described in [13, Lemma 3]. The desired path between A and \(A^\prime \) is then \(\phi :=\widehat{\varphi ^\prime } \circ \pi \circ \varphi \).Footnote 2 Overall, the cost of the algorithm is \(\widetilde{O}(p)\) bit operations.

For the rest of this paper we focus on improving the concrete complexity of Steps 1 and 2 of this attack, i.e., on finding paths to the product surfaces, since this is the bottleneck step that determines the concrete complexity of Algorithm 1.

Algorithm 1
figure a

. Computing isogeny paths in \(\varGamma _2(N; p)\) [13]

Full size image

Applications to cryptanalysis. In the security analysis of their hash function [9], Castryck–Decru–Smith correctly argue that, since the steps taken by their hash function correspond entirely to “good extensions” (see Sect. 3.2), the path returned by [13, Algorithm 1] (which does not only consist of good extensions) is therefore not a valid preimage [9, Footnote 11]. However, more recent work by Florit and Smith [23, §6.2 - 6.4] shows that collisions in the Castryck–Decru–Smith hash function can be constructed once a walk to an elliptic product is known. So long as we assume our walks approximate the random distribution on \(\varGamma _2(2 ; p)\) (more on this in Remark 1), then we consider it prudent to use the complexity of the product-finding algorithms to classify the security of a given instance of the CDS hash function, even if preimage resistance is the governing security property.

As will become apparent in Sect. 6, our acceleration of the Costello–Smith algorithm will return a \((2^nN, 2^nN)\)-isogeny (for some n). However, for many cryptographic protocols in isogeny-based cryptography, the secret isogeny will be of a specified degree, usually a prime power \(\ell ^k\). Though an algorithm that transforms a \((2^nN, 2^nN)\)-isogeny to a \((\ell ^k, \ell ^k)\)-isogeny has yet to be developed, for example by generalising the KLPT algorithm [34] to dimension 2, we find it prudent to conjecture such an algorithm exists, rather than betting the security of primitives on the converse.

3 Optimised Product Finding in \(\varGamma _2(2; p)\)

In this section we describe an optimised instantiation of the product finding algorithm from [13] in the case of dimension 2.

Our instantiation uses pseudo-random walks in the superspecial subgraph of the Richelot isogeny graph [22, Definition 1] and exploits a streamlined version of Takashima and Yoshida’s Richelot isogeny algorithm [53] to take efficient steps therein.

3.1 Taking a Step in \(\varGamma _2(2; p)\)

We start by deriving a streamlined version of Takashima and Yoshida’s Richelot isogeny algorithm [53, Algorithm 2] that will be used as the basis for pseudo-random walks in the superspecial subgraph of \(\varGamma _2(2; p)\). On input of the six-tuple \(\boldsymbol{a}=(a_0, \dots , a_5) \in (\mathbb {F}_{p^2})^6\) definingFootnote 3 the genus 2 curve

$$\begin{aligned} C/\mathbb {F}_{p^2} :y^2=(x-a_0) \cdots (x-a_5), \end{aligned}$$

the algorithm outputs the six-tuple \(\boldsymbol{a'}=(a_0', \dots , a_5') \in (\mathbb {F}_{p^2})^6\) that defines

$$\begin{aligned} C'/\mathbb {F}_{p^2} :y^2=(x-a_0')\cdots (x-a_5'), \end{aligned}$$

where \(\phi :{{\,\textrm{Jac}\,}}(C) \rightarrow {{\,\textrm{Jac}\,}}(C')\) is the Richelot isogeny whose non-trivial kernel is precisely the three points \(\left( (x-a_i)(x-a_{i+1}),0\right) \) in \({{\,\textrm{Jac}\,}}(C)\) with \(i \in \{0,2,4\}\).

The main modifications we have made to their algorithm are:

  • We assume that both the equations for C and \(C'\) are indeed given by the sextic polynomials whose six roots are rational elements of \(\mathbb {F}_{p^2}\). This avoids the case distinctions made by Takashima and Yoshida that allow for quintic inputs and outputs (i.e., one of the \(a_i\) and/or \(a_j'\) being at infinity), which are unnecessary for our purposes (they occur with negligible probability, and after a change of coordinates we may assume that C and \(C'\) are defined by sextics).

  • We do not keep track of the leading coefficient of the sextic, since this merely determines which quadratic twist we are on, which is irrelevant for our application because twists correspond to the same node in \(\varGamma _2(2; p)\). This means we avoid the final inversion in Line 33 of [53, Algorithm 2].

  • Each of the three iterations of their main loop involve separate inversion and square root computations. In each case we merge the inversion and square root into one combined inverse-and-square-root computation (see Line 7 of Algorithm 2) using the trick described in [45].

On top of a small, fixed, number of field multiplications, Algorithm 2 computes a Richelot isogeny using 3 calls to \(\textsf{InvSqrt}\), which is essentially the same cost as a square root in \(\mathbb {F}_{p^2}\) (i.e., 2 exponentiations in \(\mathbb {F}_p\)). This means our streamlined version saves all of the four additional \(\mathbb {F}_{p^2}\) inversions reported by Takashima and Yoshida [53, §5.5]. Otherwise, the notation and description of the algorithm is essentially unchanged: the indices in Line 3 of Algorithm 2 are taken modulo 6, and the indices in Line 5 are taken modulo 3.

Algorithm 2
figure b

. RIsog(): A Richelot isogeny in the general case

Full size image

Alternatives for computing \((2^n,2^n)\)-isogenies. There are numerous ways to compute chains of (2, 2)-isogenies that would be fit for our purposes, but we are yet to find one that can appreciably outperform repeated calls to Algorithm 2. Recall that each such call computes a (2, 2)-isogeny using a fixed number of \(\mathbb {F}_p\)-multiplications on top of three calls to the merged inversion-and-square root computation (i.e., InvSqrt). Castryck and Decru’s multiradical variant of a Richelot isogeny also requires at least three square root computations in \(\mathbb {F}_{p^2}\) [7, §4.2], so the most we could expect to gain using their formulae is in the constant number of additional \(\mathbb {F}_p\)-operations (assuming any field inversions required in their case can also be absorbed into the square root calls). Kunzweiler’s efficient \((2^n,2^n)\)-isogeny algorithm [37] could also be used in our scenario, but in testing this algorithm against ours we observed that, on average, ours performs between 3x and 5x faster for the two primes considered by Kunzweiler. Note, Kunzweiler’s formulae were derived with a different target application (i.e., G2SIDH) in mind, meaning computing a chain of (2, 2)-isogenies of fixed length n is most efficient when \(2^n \mid p+1\). In our algorithm, we compute chains of length much larger than any such n and, as a result, this comparison is unfair to [37]. Our comparison is to ensure that we are not sacrificing efficiency in our context.

3.2 Walking in the Superspecial Subgraph of \(\varGamma _2(2; p)\)

We now turn to describing walks in the superspecial subgraph of \(\varGamma _2(2; p)\) that take steps using the RIsog algorithm developed above. To ensure that these walks are non-backtracking and avoid short cycles, the output of RIsog must first be permuted so that the quadratic splitting implicit to its ordering (see §3.1) corresponds to a good extension of the previous (2, 2)-isogeny (i.e., a (2, 2)-isogeny whose kernel intersects trivially with the kernel of the dual of the previous (2, 2)-isogeny).

Kernel permutations corresponding to good extensions. Following Castryck, Decru and Smith [9], there are 8 non-equivalent permutations of our \(a_i\) which correspond to good extensions of the previous (2, 2)-isogeny. Our walks are deterministically defined by pseudorandom bitstrings. Each step uses three bits to choose which of the 8 good extensions defines our next (2, 2)-isogeny. Using [9, Proposition 3], we define the function \(\textbf{a}\leftarrow \textsf{PermuteKernel}(\textbf{a},\texttt {bits})\) by

$$ \textbf{a} \leftarrow \left\{ \begin{array}{ll} \left( \textbf{a}[0],\textbf{a}[2],\textbf{a}[1],\textbf{a}[4],\textbf{a}[3],\textbf{a}[5] \right) , &{}\quad \quad \quad \quad \texttt {bits} = 0|0|0; \\ \left( \textbf{a}[0],\textbf{a}[2],\textbf{a}[1],\textbf{a}[5],\textbf{a}[3],\textbf{a}[4] \right) , &{}\quad \quad \quad \quad \texttt {bits} = 0|0|1; \\ \left( \textbf{a}[0],\textbf{a}[3],\textbf{a}[1],\textbf{a}[4],\textbf{a}[2],\textbf{a}[5] \right) , &{}\quad \quad \quad \quad \texttt {bits} = 0|1|0 ;\\ \left( \textbf{a}[0],\textbf{a}[3],\textbf{a}[1],\textbf{a}[5],\textbf{a}[2],\textbf{a}[4] \right) , &{}\quad \quad \quad \quad \texttt {bits} = 0|1|1 ;\\ \left( \textbf{a}[0],\textbf{a}[4],\textbf{a}[1],\textbf{a}[2],\textbf{a}[3],\textbf{a}[5] \right) , &{}\quad \quad \quad \quad \texttt {bits} = 1|0|0 ;\\ \left( \textbf{a}[0],\textbf{a}[4],\textbf{a}[1],\textbf{a}[3],\textbf{a}[2],\textbf{a}[5] \right) , &{}\quad \quad \quad \quad \texttt {bits} = 1|0|1 ;\\ \left( \textbf{a}[0],\textbf{a}[5],\textbf{a}[1],\textbf{a}[3],\textbf{a}[2],\textbf{a}[4] \right) , &{}\quad \quad \quad \quad \texttt {bits} = 1|1|0 ;\\ \left( \textbf{a}[0],\textbf{a}[5],\textbf{a}[1],\textbf{a}[2],\textbf{a}[3],\textbf{a}[4] \right) , &{}\quad \quad \quad \quad \texttt {bits} = 1|1|1 .\\ \end{array} \right. $$

Remark 1

Under a mild conjecture on the associated eigenvalues, Florit and Smith [23] show that despite Richelot isogeny graphs not having optimal expansion, walks of length \(O(\log p)\) still approximate the stationary distribution on \(\varGamma _2(2;p)\) [23, Theorem 6.1]. This statement is implicitly assuming that walks are unrestricted, i.e., that each step can take any one of the 15 outgoing Richelot isogenies. In choosing to restrict each step in \(\varGamma _2(2; p)\) to the 8 good edges with the aim of avoiding fruitless cycles, we are under the implicit assumption that these walks also rapidly approximate the stationary distribution. All of our experiments over small primes produced results that support this assumption (see Sect. 7), and Florit and Smith also comment in its favour [23, §6.4]. Nevertheless, if future research provides evidence to the contrary, modifying our walks to include the 6 other extensions is straightforward. In this case we could either aim to prohibit certain sequences of isogenies that cycle back to prior nodes, or (since we abandon walks after a small number of steps – see below) simply tolerate the possibility of revisiting prior nodes. Even if a walk did cycle back and hit a prior node, in general we would have a \(14^{-n}\) chance of continuing along the same path for n steps thereafter.

Pseudorandom walks in the superspecial subgraph of \(\varGamma _2(2; p)\). A given step of our pseudorandom walk can now be defined as \(\textbf{a}\leftarrow \textsf{Step}(\textbf{a},\texttt {bits})\), where the function \(\textsf{Step}\) is simply given by

$$ \textsf{Step}(\textbf{a},\texttt {bits})=\textsf {RIsog}(\textsf{PermuteKernel}(\textbf{a},\texttt {bits})). $$

Recall (from Lines 1 and 2 of Algorithm 1) that our goal is to find a path \(\varphi \) from \(A\in \mathcal {S}_2(p)\) to some \(E_1 \times E_2 \in \mathcal {E}_2(p)\). In principle, one could continue walking deterministically from the input node \(A\in \mathcal {S}_2(p)\) for as long as it takes to find the splitting \(E_1 \times E_2 \in \mathcal {E}_2(p)\), but the length of this path would be O(p). To ensure a compact description of the solution, we instead take a relatively small number of steps from \(A\in \mathcal {S}_2(p)\) before abandoning a walk, returning back to \(A\in \mathcal {S}_2(p)\), and starting again.

Our implementation uses Magma’s inbuilt function \(\textsf{SHA1} :\{ 0, 1\}^* \rightarrow \{0,1\}^{160}\) to generate pseudorandom walks consisting of 160 Richelot isogeny steps as follows. We start by setting \(H_0 := \textsf{StartingSeed}(\textbf{a})\), where \(\textbf{a} \in (\mathbb {F}_{p^2})^6\) defines the input node \(A\in \mathcal {S}_2(p)\), and where StartingSeed merely concatenates and parses the 12 \(\mathbb {F}_p\) components of \(\textbf{a}\) in order to be fed as input into \(\textsf{SHA1}\). We then define the function \(\textsf{Hash}:\{0,1\}^{*} \rightarrow \{0,1\}^{480}\) as \(\textsf{Hash}:s \mapsto \textsf{SHA1}(s) || \textsf{SHA1}^2(s) || \textsf{SHA1}^3(s)\), where \(\textsf{SHA1}^2(s)\) denotes \(\textsf{SHA1}(\textsf{SHA1}(s))\), etc. Our first walk in \(\varGamma _2(2; p)\) is defined by \(H_1 = \textsf{Hash}(H_0)\); these 480 bits are used (three bits at a time) to give 160 steps away from \(A\in \mathcal {S}_2(p)\), at which point we return back to \(A\in \mathcal {S}_2(p)\) and repeat the process by using \(H_{i+1}=\textsf{Hash}(H_i)\) for \(i =1,2, \dots \), until one of our calls to RIsog returns \(\texttt {split}=\texttt {true}\), at which point our walks have hit a node in \(\mathcal {E}_2(p)\). To proceed to the elliptic curve path finding in Steps 3 and 4 of Algorithm 1, the j-invariants of the elliptic curves in the product of the final (2, 2)-isogeny are determined using [9, §6.2]. This concludes the description of our implementation of the generic product finding algorithm from [13] that works entirely in \(\varGamma _2(2; p)\).

Choice of Optimisations. In our search for product curves we use optimised walks in \(\varGamma _2(2; p)\), rather than adopting Castryck and Decru’s multiradical isogenies [7] to walk in \(\varGamma _2(3;p)\). Indeed, their hash function built from multiradical (3, 3)-isogenies between superspecial genus 2 Jacobians outperforms its (2, 2)-counterpart by a factor \(\approx 9\). We first note that the bulk of the Castryck–Decru speedup comes from their hash function processing 3 trits of entropy per (3, 3)-isogeny, rather than 3 bits of entropy processed by a (2, 2)-isogeny. In our application, however, entropy is irrelevant and we are only interested in the raw cost of taking one step in the graph. Nevertheless, Castryck and Decru still report a \(\approx 2.7{\times }\) speedup for a multiradical (3, 3)-isogeny (which is dominated by 3 cube roots over \(\mathbb {F}_{p^2}\)) compared to a multiradical (2, 2)-isogeny (which is dominated by 3 square roots over \(\mathbb {F}_{p^2}\)), with this factor coming directly from the relative performance of cube roots and square roots in \(\mathbb {F}_{p^2}\) in Magma. In our implementation, we optimised explicit computation of the square roots in \(\mathbb {F}_{p^2}\) in terms of \(\mathbb {F}_p\) exponentiations and multiplications using the tricks in [45, §5.3], and we are unaware of analogous (or any) tricks in the cube root case that could outperform the square root computation.

Furthermore, we use walks in \(\varGamma _2(2;p)\) that do not store or recycle any information from previous steps. Indeed, we could not see an obvious way to (re)use any of the three square roots in Line 7 of Algorithm 2 to compute the other 7 good extensions. We remark that this is a feature of our choice to walk using only good extensions, and we could in fact recycle these square roots to compute some of the bad extensions. If it turns out that there is a way to compute all 8 of the image tuples \(\textbf{a}\) in appreciably fewer operations than calling the \(\textsf{RIsog}\) algorithm on all 8 kernels individually, then one could define an octonary tree in an analogous fashion to the binary tree from [12].

4 Explicit Moduli Spaces for Genus 2 Curves with Split Jacobians

We give a brief review of some well known facts about genus 2 curves with split Jacobians and their moduli. The reader wishing for a more in-depth discussion is encouraged to consult e.g., [5, §2], [26, 35], or [36].

4.1 The Igusa–Clebsch Invariants of a Genus 2 Curve

Let K be a field of characteristic not equal to 2. Let \(\mathcal {M}_2\) denote the variety whose points \([C] \in \mathcal {M}_2(\overline{K})\) correspond to the \(\overline{K}\)-isomorphism classes of genus 2 curves \(C/\overline{K}\).

From the invariant theory of the binary sextic, we may associate to any genus 2 curve C/K its Igusa–Clebsch invariants \(I_2(C)\), \(I_4(C)\), \(I_6(C)\), and \(I_{10}(C)\) (here the subscript denotes the weight of the invariant). Moreover the isomorphism class of \(C/\overline{K}\) is uniquely determined by its Igusa–Clebsch invariants (see e.g., [31, 42]).

This induces a birational K-morphism \(\mathcal {M}_2\hookrightarrow \mathbb {P}(2, 4, 6, 10)\) given by associating to a class [C] its Igusa–Clebsch invariants \({[I_2(C) : I_4(C) : I_6(C) : I_{10}(C)]}\).

Explicitly, if C/K is a genus 2 curve given by a Weierstrass equation

$$C :y^2=(x-a_0) \cdots (x-a_5)$$

where \(a_0, \dots a_5 \in K\), we define:

$$\begin{aligned} &I_2(C) :=\sum _{15}(01)^2(23)^2(45)^2 , \quad I_4(C) :=\sum _{10}(01)^2(12)^2(20)^2(34)^2(45)^2(53)^2, \quad \quad \quad \quad \nonumber \\ & I_6(C) :=\sum _{60}(01)^2(12)^2(20)^2(34)^2(45)^2(53)^2(03)^2(14)^2(25)^2, \quad \textrm{and} \nonumber \\ & I_{10}(C) :=\prod _{i<j}(a_i-a_j)^2, \end{aligned}$$

where, for any permutation \(\sigma \in S_6\), we let (ij) denote the difference \((a_{\sigma (i)}-a_{\sigma (j)})\). Here the sums are taken over all distinct expressions in the \(a_i\) as \(\sigma \) ranges over \(S_6\); the subscripts denote the number of expressions in each sum.

4.2 Optimal Splittings of Jacobians of a Genus 2 Curves

Let C be a curve of genus 2 defined over a field K. Recall that we say the Jacobian \({{\,\textrm{Jac}\,}}(C)\) of C is split (over K) if there exists a (polarised) separable K-isogeny \(\phi :{{\,\textrm{Jac}\,}}(C) \rightarrow E_1 \times E_2\) where \(E_1/K\) and \(E_2/K\) are elliptic curvesFootnote 4.

To work explicitly with subvarieties of \(\mathcal {M}_2\) which parametrise genus 2 curves with split Jacobians, we will restrict our focus to Jacobians which are split by an (NN)-isogeny. However, without imposing further conditions on the isogeny, our subvarieties will not be irreducible. Following Bruin–Doerksen [5, §2], we make the following definition:

Definition 2

Let K be a field, C/K be a curve of genus 2, and E/K be an elliptic curve. We say that a cover \(\psi :C \rightarrow E\) of degree N is optimal if N is coprime to the characteristic of K and \(\psi \) does not factor through a non-trivial unramified covering.

We say that a polarised separable isogeny \(\phi :{{\,\textrm{Jac}\,}}(C) \rightarrow E_1 \times E_2\) is an optimal (polarised) (NN)-splitting if \(\phi \) is an (NN)-isogeny and the covering \(C \rightarrow E_1\) induced by \(\phi \) and the Abel–Jacobi map is optimal. In this case \({{\,\textrm{Jac}\,}}(C)\) is said to be optimally (NN)-split.

In our application N will be an integer \(\le 11\) and K will be the finite field \(\mathbb {F}_{p^2}\) for some prime number \(p \gg 11\), so the assumption that \(\phi \) is separable will be automatically satisfied.

In fact every splitting factors through an optimal (NN)-splitting, more precisely:

Proposition 1

If \({{\,\textrm{Jac}\,}}(C)\) is split (over K) then there exists an integer \(N \ge 2\) such that \({{\,\textrm{Jac}\,}}(C)\) is optimally (NN)-split (over K).

Proof

We closely follow [5, Proposition 2.8]. Since \({{\,\textrm{Jac}\,}}(C)\) is split, there exists a separable K-isogeny \(\phi :{{\,\textrm{Jac}\,}}(C) \rightarrow E_1 \times E_2\) where \(E_1/K\) and \(E_2/K\) are elliptic curves. Since \(\phi \) is separable, there exists an elliptic curve \(D_1/K\) such that the morphism \(C \rightarrow E_1\) induced by the Abel–Jacobi map and \(\phi \) factors through an optimal cover \(\psi :C \rightarrow D_1\). By [5, Lemma 2.6], \(\psi \) gives rise to an optimal (NN)-splitting \({{\,\textrm{Jac}\,}}(C) \rightarrow D_1 \times D_2\), where \(D_2\) is an elliptic curve and N is the degree of \(\psi \).    \(\square \)

4.3 The Surfaces \(\widetilde{\mathcal {L}}_N\) and \(\mathcal {L}_N\)

We write \(\widetilde{\mathcal {L}}_N\) for the surface whose K-points parametrise (\(\overline{K}\)-isomorphism classes of) pairs \((C, \phi )\) where C is a curve of genus 2 and \(\phi :{{\,\textrm{Jac}\,}}(C) \rightarrow E_1 \times E_2\) is an optimal (NN)-splitting.

Replacing \(\phi \) with its composition with the natural isomorphism \(E_1 \times E_2 \rightarrow E_2 \times E_1\) gives an involution on \(\widetilde{\mathcal {L}}_N\). We write \(\mathcal {L}_N\) for the quotient of \(\widetilde{\mathcal {L}}_N\) by this involution. The natural map \(\widetilde{\mathcal {L}}_N \longrightarrow \mathcal {M}_2\), given by \((C, \phi ) \longmapsto [C]\), factors via \(\widetilde{\mathcal {L}}_N \rightarrow \mathcal {L}_N\).

Kumar [36] gave explicit models of the surface \(\widetilde{\mathcal {L}}_N\) for each integer \(N \le 11\). In this range the surfaces \(\mathcal {L}_N\) are rational (i.e., birational to \(\mathbb {A}^2\)), and they give an explicit model for the surface \(\widetilde{\mathcal {L}}_N\) as a double cover of \(\mathcal {L}_N\) together with the moduli interpretation of \(\mathcal {L}_N\). More specifically, they compute rational functions \(\mathcal {I}_2(r,s)\), \(\mathcal {I}_4(r, s)\), \(\mathcal {I}_6(r, s)\), \(\mathcal {I}_{10}(r, s)\) which (after an appropriate projective rescaling) may be taken to lie in \(\mathbb {Z}[r,s]\) and for which the following diagram commutes

figure c

Here the maps on the left and right are birational and the rational map \(\varphi _N\) is given by \((r,s) \mapsto [\mathcal {I}_2(r,s) : \mathcal {I}_4(r,s) : \mathcal {I}_6(r,s) : \mathcal {I}_{10}(r,s)]\).

We will employ the following lemma to detect whether a Jacobian \({{\,\textrm{Jac}\,}}(C)\) is optimally (NN)-split over \(\overline{K}\).

Lemma 1

The Jacobian of a genus 2 curve C/K is split over \(\overline{K}\) if and only if there exists an integer \(N \ge 2\) such that the point \([C] \in \mathcal {M}_2(\overline{K})\) lies in the image of \(\mathcal {L}_N \rightarrow \mathcal {M}_2\).

Proof

If \({{\,\textrm{Jac}\,}}(C)\) is split, then it is optimally (NN)-split for some integer \(N \ge 2\) by Proposition 1. In this case, the corresponding point on \(\widetilde{\mathcal {L}}_N\) maps to [C] on \(\mathcal {M}_2\). Conversely, suppose [C] lies in the image of \(\mathcal {L}_N \rightarrow \mathcal {M}_2\). Since the morphism \(\widetilde{\mathcal {L}}_N \rightarrow \mathcal {L}_N\) is a surjection on \(\overline{K}\)-points, there exists an optimal degree N cover \(\phi :C \rightarrow E\) such that the preimage of [C] under this morphism is \((C, \phi ) \in \widetilde{\mathcal {L}}_N(\overline{K})\). Hence \({{\,\textrm{Jac}\,}}(C)\) is split.    \(\square \)

Remark 2

Genus 2 curves C/K with split Jacobians have appeared many times elsewhere in the literature. Indeed when \(N \le 4\) generic families were known classically from work of Legendre, Jacobi, Hermite, Grousat, Burkhardt, Brioschi, and Bolza (as discussed in [36]). More recently, Shaska [46] gave a method for general N for computing the surface \(\widetilde{\mathcal {L}}_N\) together with a curve \(C/K(\widetilde{\mathcal {L}}_N)\) such that \({{\,\textrm{Jac}\,}}(C)\) is (NN)-isogenous to a product \(E_1 \times E_2\). Explicit computations have been performed for \(2 \le N \le 5\) by Shaska, Magaard, Volklein, Wijesiri, Wolf, and Woodland [40, 47,48,49,50] and by Gaudry–Schost [27], Bröker–Lauter–Howe–Stevenhagen [4], Bruin–Doerksen [5], and Djukanović [17, 18]. If \({{\,\textrm{Jac}\,}}(C)\) is (NN)-isogenous over K to a product of elliptic curves \(E_1 \times E_2\) there exists an anti-symplectic Galois equivariant isomorphism \(E_1[N] \cong E_2[N]\) (see e.g., [5, Proposition 2.8]). For \(N > 11\) this has been considered by Fisher when \(N = 13, 17\) [20, 21] and Frengley when \(N = 12\) [25]. However, while they give the generic elliptic curves \(E_1\) and \(E_2\), they do not give the genus 2 curve C.

4.4 The Image of the Morphism \(\mathcal {L}_N \rightarrow \mathcal {M}_2\)

Recall that we have a map \(\mathcal {L}_N \rightarrow \mathcal {M}_2 \rightarrow \mathbb {P}(2, 4, 6, 10)\) given by the Igusa–Clebsch invariants. The (Zariski closure of) the image of this map is a projective surface given by the vanishing of a polynomial \(F_N \in \mathbb {Z}[I_2, I_4, I_6, I_{10}]\) which is homogeneous with respect to the weights.

If K is a field of characteristic coprime to 2N, the Jacobian of a genus 2 curve C/K is optimally (NN)-split over \(\overline{K}\) if and only if

$$\begin{aligned} F_N(I_2(C), I_4(C), I_6(C), I_{10}(C)) = 0. \end{aligned}$$

For \(2 \le N \le 5\) the polynomial \(F_N\) was computed by Bruin–Doerksen [5, 6, Theorem 1.2] and Shaska, Magaard, Volklein, Wijesiri, Wolf, and Woodland [40, 48, 50].

Such equations may be computed from Kumar’s formulae [36]. For each \(N \le 5\) we interpolate the image of \(\varphi _N\) modulo a small number of primes of approximately 128 bits. Lifting these equations to characteristic zero with the LLL algorithm gives a candidate for \(F_N\).

Since \(F_N\) is an irreducible polynomial and the image of \(\varphi _N\) is an irreducible variety, we verify the result in Magma by checking that \(F_N\) vanishes at the equations defining \(\varphi _N\). These polynomials are available in the code accompanying this article, and their properties are summarised in Table 2.

Table 2. The number of monomials in the defining equation \(F_N\) for the image of \(\mathcal {L}_N\) in \(\mathbb {P}(2, 4, 6, 10)\) and the total number of bytes required to (naively) store the coefficients of each \(F_N\).
Full size table

5 Efficient Detection of (NN)-Splittings

In this section we present an algorithm to efficiently detect whether, at each step, the p.p. abelian surface \({{\,\textrm{Jac}\,}}(C)\) is (NN)-isogenous (over \(\overline{\mathbb {F}}_p\)) to a product of elliptic curves, without ever computing an (NN)-isogeny. In this way we are able to use resultants and \(\gcd \) computations, rather than inefficient computations of (NN)-isogenies, therefore avoiding all \(N^{\text {th}}\)-root calculations and the need to work in extension fields when the N-torsion is not fully \(\mathbb {F}_{p^2}\)-rational.

A natural starting point to perform this detection is to exploit the equations \(F_N\) for the image of the morphism \(\mathcal {L}_N \rightarrow \mathbb {P}(2,4,6,10)\) (see Sect. 4.4). Indeed, if a genus 2 curve \(C/\mathbb {F}_{p^2}\) is (NN)-split, then \(F_N(I_2(C),I_4(C),I_6(C),I_{10}(C)) = 0\). However, as demonstrated in Table 2, both the number of monomials in \(F_N\) and the bitlength of its coefficients grow rapidly with N. As a result, computing and storing \(F_N\) for \(N > 5\) is challenging. Instead, we will use techniques in elimination theory to determine whether [C] lies on the (Zariski closure of) the image of \(\varphi _N\). Indeed, even for \(N \le 5\), evaluating the image at the Igusa–Clebsch invariants of C will not outperform this method.

Lemma 2

Let \(N \ge 2\) be an integer and C/K be a genus 2 curve defined over a field K of characteristic not dividing 2N. Suppose that the Igusa–Clebsch invariants \(I_2(C)\), \(I_4(C)\), \(I_6(C)\), and \(I_{10}(C)\) are non-zero. Write \(\alpha _1(C) = \frac{I_4(C)}{I_2(C)^2}\), \(\alpha _2(C) = \frac{I_2(C)I_4(C)}{I_6(C)}\), and \(\alpha _3(C) = \frac{I_4(C)I_6(C)}{I_{10}(C)}\). If there exist \(r_0 \in \overline{K}\cup \{\infty \}\) and \(s_0 \in \overline{K}\) satisfying

$$ \left\{ \begin{array}{l} \alpha _1(C) = \frac{\mathcal {I}_4(r_0, s_0)}{\mathcal {I}_2(r_0, s_0)^2} , \\ \alpha _2(C) = \frac{\mathcal {I}_2(r_0, s_0) \mathcal {I}_4(r_0, s_0)}{\mathcal {I}_6(r_0, s_0)}, \\ \alpha _3(C) = \frac{\mathcal {I}_4(r_0, s_0)\mathcal {I}_6(r_0, s_0)}{\mathcal {I}_{10}(r_0, s_0)} \end{array} \right. $$

then \({{\,\textrm{Jac}\,}}(C)\) is optimally (NN)-split over \(\overline{K}\). Here \(\mathcal {I}_w(r,s)\) are as in Sect. 4.3.

Proof

The rational map \(\psi :\mathbb {P}(2, 4, 6, 10) \dashrightarrow \mathbb {A}^3\) given by \([I_2 : I_4 : I_6 : I_{10}] \mapsto \left( \frac{I_4}{I_2^2}, \frac{I_2 I_4}{I_6}, \frac{I_4 I_6}{I_{10}} \right) \) is birational with inverse \((\alpha _1, \alpha _2, \alpha _3) \mapsto \left[ 1 : \alpha _1 : \frac{\alpha _1}{\alpha _2} : \frac{\alpha _1^2}{\alpha _2 \alpha _3} \right] \). Moreover on the open subvariety of \(\mathbb {P}(2, 4, 6, 10)\) where \(I_2\), \(I_4\), \(I_6\), and \(I_{10}\) are nonzero the map \(\psi \) restricts to an isomorphism onto its image. The claim follows from the discussion preceding the lemma.    \(\square \)

Remark 3

It is common in the literature (e.g., [5, 32]) to choose the affine patch with coordinates the absolute invariants \(\frac{6(I_2^2-16I_4)}{I_2^2}\), \(\frac{-12(5I_2^3 - 176I_2I_4 + 384I_6) }{I_2^3}\), and \(\frac{3888I_{10}}{I_2^5}\). Our choice is ad hoc and made to optimise the algorithms in Sect. 5.2. In particular, the choice in Lemma 2 yields polynomials \(P_{i,j}\) in Lemma 3 of smaller degree. Choosing an affine patch of \(\mathbb {P}(2,4,6,10)\) so that the analogous polynomials to \(P_{i,j}\) in Lemma 3 have minimal degree would likely lead to improved performance of our algorithm.

Remark 4

In the code accompanying this article we provide a function InvariantsFromWeierstrassPoints that, on input of the 6-tuple \(\textbf{a}=(a_0, \dots , a_5) \in (\mathbb {F}_{p^2})^6\) of Weierstrass points, computes the 3-tuple \(\boldsymbol{\alpha }(C) = \left( {\alpha }_1(C), {\alpha }_2(C), {\alpha }_3(C) \right) \in (\mathbb {F}_{p^2})^3\) using a total of 291 multiplications and one (merged) inversion in \(\mathbb {F}_p\). This is the first step of Algorithm 4.

Define polynomials \(f_k(r,s) \in \mathbb {Z}[\alpha _1, \alpha _2, \alpha _3][r,s]\) by

$$\begin{aligned} f_1(r,s) &= \mathcal {I}_4(r,s) - \alpha _1 \mathcal {I}_2(r,s)^2, \\ f_2(r,s) &= \mathcal {I}_2(r,s) \mathcal {I}_4(r,s) - \alpha _2 \mathcal {I}_6(r,s), \\ f_3(r,s) &= \mathcal {I}_4(r,s) \mathcal {I}_6(r,s) - \alpha _3 \mathcal {I}_{10}(r,s). \end{aligned}$$

The following proposition follows immediately from Lemma 2.

Proposition 2

Suppose that C/K is a genus 2 curve with non-zero Igusa–Clebsch invariants. If there exist \(r_0 \in \overline{K}\cup \{\infty \}\) and \(s_0 \in \overline{K}\) such that for each \(w \in \{2,4,6,10\}\) we have \(\mathcal {I}_{w}(r_0, s_0) \ne 0\) and \(f_k(r_0,s_0) = 0\), then \({{\,\textrm{Jac}\,}}(C)\) is optimally (NN)-split over \(\overline{K}\).

In Sect. 5.2 we describe a method for determining whether, given a genus 2 curve \(C/\overline{\mathbb {F}}_p\) with superspecial Jacobian, there exists a point \(P \in \mathbb {A}^2(\overline{\mathbb {F}}_p)\) such that the polynomials \(f_k(r,s)\) vanish at P. Moreover, we determine lower bounds on their costs in terms of \(\mathbb {F}_p\)-multiplications for each \(N \in \{ 2, 3, \dots , 11 \}\).

5.1 The Resultants of \(f_j\) and \(f_k\)

Fix an integer \(2 \le N \le 11\). For each distinct pair \(i,j \in \{1,2,3\}\), define polynomialsFootnote 5

$$\begin{aligned} R_{i,j}(s) :={{\,\textrm{res}\,}}_r(f_i(r,s), f_j(r,s)) \in \mathbb {Z}[\alpha _1, \alpha _2, \alpha _3][s]. \end{aligned}$$

If C/K is a genus 2 curve then, since resultants are invariant under ring homomorphisms, by the elimination property of the resultant (see e.g., [14, §3.6 Lemma 1]) the specialisations \((R_{i,j})_{[C]}(s) \in K[s]\), given by evaluating the coefficients of \(R_{i,j}(s)\) at \(\alpha _1(C)\), \(\alpha _2(C)\), and \(\alpha _3(C)\), vanish at the s-coordinate of any common solution to the specialised polynomials \((f_j)_{[C]}(r,s)\).

However, these resultants (generically) have factors which correspond to unwanted solutions (i.e., where one of the polynomials \(\mathcal {I}_w\) vanishes). We make this more precise in the following lemma.

Lemma 3

Let \(L = \mathbb {Q}(\alpha _1, \alpha _2, \alpha _3)\). When \(i \ne j\), there exist polynomials \(Q_{i,j} \in \mathbb {Z}[\alpha _1, \alpha _2, \alpha _3][s]\) dividing \(R_{i,j}\) with the following property: for each pair \(r_0, s_0 \in \overline{L}\) such that \(f_k(r_0, s_0) = 0\) for \(k = 1, 2, 3\) and \(Q_{i,j}(s_0) = 0\), then \(\mathcal {I}_w(r_0,s_0) = 0\) for some \(w \in \{2,4,6,10\}\).

Moreover, the polynomials \(P_{i,j} = \frac{R_{i,j}}{Q_{i,j}} \in \mathbb {Z}[\alpha _1, \alpha _2, \alpha _3][s]\) are coprime.

Proof

This follows from a direct calculation in Magma.    \(\square \)

Applying [14, §3.6 Corollary 7] we have:

Proposition 3

Let C/K be a genus 2 curve such that \(I_w(C) \ne 0\) for each \(w \in \{2,4,6,10\}\). If there exist \(r_0, s_0 \in \overline{K}\) such that \((f_i)_{[C]}(r_0, s_0) = 0\) for each \(i = 1, 2, 3\) then the degree of \(\gcd ((P_{1,2})_{[C]}, (P_{2,3})_{[C]})\) is at least 1.

Conversely if \(s_0 \in \overline{K}\) is a root of \(\gcd ((P_{1,2})_{[C]}, (P_{2,3})_{[C]})\) then there exist \(r_0, r_0' \in \overline{K}\cup \{\infty \}\) such that \((f_1)_{[C]}(r_0, s_0) = (f_2)_{[C]}(r_0, s_0) = 0\) and \((f_1)_{[C]}(r_0', s_0) = (f_2)_{[C]}(r_0', s_0) = 0\).

5.2 An Algorithm to Detect (NN)-Split Jacobians

We now present our algorithm to efficiently detect whether the Jacobian of a genus 2 curve \(C/\mathbb {F}_{p^2}\) is (NN)-split for some integer \(2 \le N \le 11\). In Proposition 4 we then give an upper bound on the number of \(\mathbb {F}_p\)-multiplications required by the algorithm.

Precomputation step. We reduce the coefficients of the polynomials \(P_{1,2}, P_{2,3} \in \mathbb {Z}[\alpha _1, \alpha _2, \alpha _3][s]\) from Lemma 3 modulo p to obtain polynomials \(\widetilde{P}_{1,2}, \widetilde{P}_{2,3} \in \mathbb {F}_p[\alpha _1, \alpha _2, \alpha _3][s]\), which are stored.

Evaluation and gcd step. Our approach is summarised in Algorithm 3. To test a given genus 2 curve \(C/\mathbb {F}_{p^2}\) with superspecial Jacobian, we specialise the coefficients of \(\widetilde{P}_{1,2}, \widetilde{P}_{2,3}\) at \(\boldsymbol{\alpha }(C) = (\alpha _1(C), \alpha _2(C), \alpha _3(C))\), by running the algorithm EvalCoeffs, to obtain the polynomials \((\widetilde{P}_{1,2})_{[C]}, (\widetilde{P}_{2,3})_{[C]} \in \mathbb {F}_{p^2}[s]\). The EvalCoeffs algorithm takes as input \(\widetilde{P}_{i,j}\) and the invariants \(\boldsymbol{\alpha }(C)\), and evaluates the coefficients of the polynomial at these invariants (see the proof of Proposition 4 for more details).

We then compute the \(\gcd \) of \((\widetilde{P}_{1,2})_{[C]}\) and \((\widetilde{P}_{2,3})_{[C]}\) using the “inversion-free \(\gcd \)” algorithm InvFreeGCD from [12, Algorithm 1], modified to output the \(\gcd \) explicitly, rather than a boolean.

If this \(\gcd \) has degree \(\ge 1\) then it has a root \(s_0 \in \overline{\mathbb {F}}_p\) and (by Proposition 3) there exist \(r_0, r_0' \in \overline{\mathbb {F}}_p\cup \{\infty \}\) such that \((f_1)_{[C]}(r_0, s_0) = (f_2)_{[C]}(r_0, s_0) = 0\) and \((f_1)_{[C]}(r_0', s_0) = (f_2)_{[C]}(r_0', s_0) = 0\). By Proposition 2 to verify that \({{\,\textrm{Jac}\,}}(C)\) is (NN)-split it suffices to show that we may take \(r_0 = r_0'\) such that \(\mathcal {I}_w(r_0,s_0) \ne 0\) for each \(w \in \{2,4,6,10\}\). We verify the first condition by computing the \(\gcd \) of \((f_1)_{[C]}(r, s_0), (f_2)_{[C]}(r, s_0), (f_3)_{[C]}(r, s_0)\), and if it has degree \(\ge 1\) computing a root \(r_0 \in \overline{\mathbb {F}}_p\). We verify the second condition by checking that \(\mathcal {I}_w(r_0, s_0) \ne 0\) for each \(w \in \{2, 4, 6, 10\}\) – we abbreviate this to the function IgNonzero.

Remark 5

If \({{\,\textrm{Jac}\,}}(C)\) is optimally (NN)-split then Algorithm 3 will return true with high probability. In this case [C] is an \(\mathbb {F}_{p^2}\)-point on \(\mathcal {L}_N\). Since \(\varphi _N :\mathbb {A}^2 \dashrightarrow \mathcal {L}_N\) is birational (over \(\mathbb {F}_p\)) it is an isomorphism outside a closed \(\mathbb {F}_p\)-subvariety \(X \subseteq \mathcal {L}_N\) of dimension 1. But from the Weil conjectures \(\# \mathcal {L}_N(\mathbb {F}_{p^2}) = O(p^4)\) and \(\# X(\mathbb {F}_{p^2}) = O(p^2)\). In particular except in \(O(1/p^2)\) of cases there exist \(r_0, s_0 \in \overline{\mathbb {F}}_p\) satisfying the conditions of Proposition 3.

Algorithm 3
figure d

. IsSplit(\(\boldsymbol{\alpha }(C), \widetilde{P}_{1,2}, \widetilde{P}_{2,3}, N\)):

Full size image

The cost of Algorithm 3. We now determine an upper bound for the number of \(\mathbb {F}_p\)-multiplications required for the online part of this method (i.e., ignoring the cost of precomputation). In the analysis that follows we assume that Karatsuba multiplication is used in \(\mathbb {F}_{p^2}\), hence we cost one \(\mathbb {F}_{p^2}\)-multiplication as three \(\mathbb {F}_p\)-multiplications.

Proposition 4

Let \(N \in \{2,\dots ,11\}\) be an integer, and let mons(N) be the set of monomials in \(\alpha _1, \alpha _2, \alpha _3\) appearing in the coefficients of \(\widetilde{P}_{1,2}\) and \(\widetilde{P}_{2,3}\) (which lie in \( \mathbb {F}_{p}[\alpha _1,\alpha _2,\alpha _3]\)). For each \(i=1,2,3\), let

$$\begin{aligned} d_i(N) = \max (\{ \text {degree of } \alpha _i \text { in } m \ | \ m \in \textsf{mons}(N) \} ). \end{aligned}$$

The cost of steps 1–3 in Algorithm 3 (with input N) is at most

$$\begin{aligned} 3(d_1(N) + d_2(N) + d_3(N)) + 6m(N) + 2M(N) + \frac{3}{2}(d_P(N)+2)(d_P(N)+3) - 27 \end{aligned}$$

\(\mathbb {F}_p\)-multiplications, where \(d_P(N) = \deg {\widetilde{P}_{1,2}}+\deg {\widetilde{P}_{2,3}}\), \(m(N) = \# \textsf{mons}(N)\), and M(N) is the number of monomials in \(\alpha _1, \alpha _2, \alpha _3\) appearing in the coefficients of \(\widetilde{P}_{1,2}\) and \(\widetilde{P}_{2,3}\) counting repetitions.

Proof

We first evaluate the coefficients of \(\widetilde{P}_{1,2},\widetilde{P}_{2,3}\in \mathbb {F}_{p^2}[\alpha _1, \alpha _2, \alpha _3][s]\) at the normalised invariants \(\alpha _1(C), \alpha _2(C), \alpha _3(C) \in \mathbb {F}_{p^2}\) using our evaluation algorithm EvalCoeffs on each polynomial. This runs as follows. We first compute powers \(\alpha _1(C)^2\), ..., \(\alpha _1(C)^{d_1(N)}\) where \(d_1(N)\) is the maximum degree of \(\alpha _1\) appearing in mons(N) (as defined in the statement of the proposition). Similarly we compute powers of \(\alpha _2(C)\) and \(\alpha _3(C)\) up to \(d_2(N)\) and \(d_3(N)\) respectively. This step is performed using \(d_1(N) + d_2(N) + d_3(N) - 3\) multiplications in \(\mathbb {F}_{p^2}\).

From these powers, we obtain the monomials appearing in the coefficients of \((\widetilde{P}_{1,2})_{[C]}(s)\) and \((\widetilde{P}_{2,3})_{[C]}(s)\) in at most 2m(N) \(\mathbb {F}_{p^2}\)-multiplications, where \(m(N) = \# \textsf{mons}(N)\). We then require 2M(N) \(\mathbb {F}_p\)-multiplications (and 2M(N) additions) to construct the coefficients of \((\widetilde{P}_{1,2})_{[C]}\) and \((\widetilde{P}_{2,3})_{[C]}\).

The final step computes the \(\gcd \) of \((\widetilde{P}_{1,2})_{[C]}\) and \((\widetilde{P}_{2,3})_{[C]}\) using InvFreeGCD. This requires \(\frac{3}{2}(d_P(N)+2)(d_P(N)+3) - 18\) \(\mathbb {F}_p\)-multiplications by [12, Proposition 2].   \(\square \)

The cost from Proposition 4 depends only on N. Therefore, for each \(2 \le N \le 11\), we can determine the total number of \(\mathbb {F}_{p}\)-multiplications required for the detection per node revealed in \(\mathcal {S}_2(p)\) for any prime p. We give these costs in Table 3.

Noting that, when \(N \ne N^\prime \) we may have non-empty intersection \(\textsf{mons}(N) \cap \textsf{mons}(N^\prime )\), our implementation of Algorithm 4 stores all evaluated monomials to avoid repeated computations. In particular, the upper bound in Proposition 4 is often not sharp.

Table 3. Values of \(d_1(N), d_2(N), d_3(N)\), m(N), M(N), and \(d_P(N)\) for \(N \in \{2, \dots , 11\}\). The final columns respectively list the number of \(\mathbb {F}_p\)-multiplications in Proposition 4 and the ratio of multiplications to the number of (NN)-isogenous p.p. abelian surfaces.
Full size table

Remark 6

We note that, in practice, when our algorithm enters the if loop on Line 4 in Algorithm 3, we have yet to encounter a case where Steps 5–14 fail to return true. In these cases the bound in Proposition 4 yields a bound on the cost of Algorithm 3. It is however possible to construct examples of polynomials for which they would be necessary – e.g., \(f_1(r,s) = r - 1\), \(f_2(r,s) = s - r(r + 1)(r - 1)\), and \(f_3(r,s) = r + 1\). It would be interesting to put this observation on rigorous footing by showing that with overwhelming probability the roots \(r_0\) and \(r_0'\) guaranteed by Proposition 3 are equal.

Alternative approach for \(N=10\) and 11. When \(N = 10, 11\), several megabytes are required to store the coefficients of the polynomials \(\widetilde{P}_{i,j}\). Rather than computing the resultants \(R_{1,2}\) and \(R_{2,3}\) and dividing out by the generic factors described in Lemma 3 to obtain \(P_{1,2}\), \(P_{2,3}\) as a precomputation, the approach we pursued was to instead perform these two steps during the online phase. Even still, our experiments (which were reinforced by the cost analysis above) revealed that performing the detection for \(N = 10, 11\) is suboptimal in our application to SplitSearcher (shown in Algorithm 4) and slows the overall search down, even when the characteristic of the field is very large. Thus, we leave the further optimisation of these computations as future work.

6 The Full Algorithm

In Sect. 3 we discussed our optimised implementation of the product-finding attack [13] that works entirely in the Richelot isogeny graph \(\varGamma _2(2; p)\). In this section, we present SplitSearcher, which leverages our efficient detection of (NN)-splittings from Sect. 5.2 to improve on the concrete complexity of product-finding when solving the dimension 2 isogeny problem.

6.1 SplitSearcher

Each time we take a step using a Richelot isogeny, we will use the methods from the previous section to detect whether the current node is (NN)-isogenous to a product of elliptic curves, for some subset of integers in \(2 \le N \le 11\). Using the algorithm from Sect. 5.2 makes this check much more efficient than, say, walking in \(\varGamma _2(N; p)\); each node we step to would require computing an (NN)-isogeny which, at minimum, requires three N-th roots in \(\mathbb {F}_{p^2}\) [7].

Each time we take a step and arrive at a new abelian surface, A, we are in one of two cases: either A is isomorphic to a product of elliptic curves, in which case the algorithm terminates, or A is isomorphic to the Jacobian of a genus 2 curve \(C/\mathbb {F}_{p^2}\). In the latter case, SplitSearcher calls Algorithm 3 to detect whether A is (NN)-split for certain \(2 \le N \le 11\). The set of N’s for which this detection is performed is chosen to minimise the number of \(\mathbb {F}_p\)-multiplications per node revealed (either by stepping on them in \(\varGamma _2(2;p)\) or inspecting them via our splitting detection) in \(\mathcal {S}_2(p)\). Since it only depends on the prime p, determining this optimal list of N’s is performed during precomputation.

If Algorithm 3 determines that A is (NN)-split, the elliptic curves \(E_1\) and \(E_2\) can be recovered by applying [39, Algorithm 4] to compute all (NN)-isogenies from A (alternatively, \(E_1\) and \(E_2\) may be recovered from Kumar’s equations [36] by solving for \(r_0\) and \(s_0\) in Proposition 2). As both of these costs are negligible and do not affect the cost of finding such a splitting, we may view this as a post-computation step and exclude it from our multiplication counts.

A precise formulation of the full algorithm for finding paths to elliptic curve products is given by Algorithm 4. Along with the target abelian surface \(A \in \mathcal {S}_2(p)\), the auxiliary inputs into the algorithm are the polynomials \(\widetilde{P}_{1,2}, \widetilde{P}_{2,3} \in \mathbb {F}_p[\alpha _1, \alpha _2, \alpha _3][r]\) (see Lemma 3), and the optimal set \(\mathcal {N} \subseteq \{2,\dots ,11\}\) (see Sect. 6.2). The hash function on Line 4 is assumed to be of the form \(\textsf{Hash} :\{0,1\}^* \rightarrow \{0,1\}^{3\ell }\), where \(\ell \) is a positive integer, since we use three bits of entropy each time we call the Richelot isogeny (i.e., \(\textsf{Step}\) algorithm) in Line 13. In practice we choose \(\ell \) to be large enough that we can expect to find an elliptic product in walks of \(\ell \) steps, but not too large, since storing walks of up to \(\ell \) steps requires more storage on average. Once the \(3\ell \) bits of entropy have been consumed, the hash function is called again and the walk is restarted from \(\boldsymbol{a}_\textrm{start}\) (more on this in Remark 7). The output returned by Algorithm 4 is of the form \((\texttt {path},N)\), where \(\texttt {path}\) is a sequence of 3k bits (with \(k \le \ell \)) and N is an integer: the 3k bits define a sequence of k Richelot isogenies and the integer N specifies the final (NN)-isogeny whose image is in \(\mathcal {E}_2(p)\).

Algorithm 4
figure e

. SplitSearcher: finding paths to elliptic curve products

Full size image

Remark 7

In a real-world attack, we would expect to return to Line 4 of Algorithm 4 an exponential number of times before the algorithm terminates. Thus, there are a number of ways one could recycle information computed in the early stages of each walk to avoid recomputing them over and over again. One solution that is easy to implement in view of Algorithm 4 would be to store a hash table whose entries each correspond to the (hash of the) Igusa–Clebsch invariants of any node that is visited and checked for (NN)-splittings. Upon returning to a given node and finding a collision in the hash table, the walk could simply avoid the tests for (NN)-splittings between Lines 8 and 11. Another approach would be to build a table of the six-tuples \(\boldsymbol{a}\) that are computed after the first t Richelot steps have been taken, alongside the label of the 3t-bit string that took us there. Each time we return back to Line 4 and iterate the hash function, we simply check to see if the first 3t bits are already in the table and, if so, we can skip straight to \(\boldsymbol{a}\).

Finally, as is mentioned in [13], parallelising the search for product curves is trivial. For P processors, we would simply compute P unique short walks from our target surface \(A \in \mathcal {S}_2(p)\) and send each of the corresponding image surfaces \(A_1,\dots ,A_P\) to a unique processor as its assigned input surface.

6.2 Determining the Optimal Set \(\mathcal {N}\)

Recall that, when we step to a new p.p. abelian surface \(A \in \mathcal {S}_2(p)\), we want to determine if it is (NN)-split for a set \(\mathcal {N} \subseteq \{2, \dots , 11\}\) of N. We wish to determine the optimal subset \(\mathcal {N} \subseteq \{2, \dots , 11\}\), i.e., the subset which minimises the number of \(\mathbb {F}_p\)-multiplications per node revealed in the graph. The first step towards determining this ‘multiplications-per-node’ ratio is to count the number of nodes in \(\mathcal {S}_2(p)\) that are inspected inside the for loop of Algorithm 4 with a finite set of integers \(\mathcal {N} \subseteq \mathbb {Z}_{\ge 2}\). A first attempt would be to simply count the number of neighbours a node \(A\in \mathcal {S}_2(p)\) has in \(\varGamma (N;p)\), i.e., \(D_N\) given by Equation (1) in Sect. 2. However, this is an overcount as we now detail.

Suppose we take a non-backtracking walk

$$\begin{aligned} A_0 \xrightarrow {\phi _0} A_1 \xrightarrow {\phi _1} \cdots \xrightarrow {\phi _{n-1}} A_n \xrightarrow {\phi _n} \cdots \end{aligned}$$
(2)

in \(\varGamma _2(2;p)\) and we inspect (NN)-splittings for \(N \in \mathcal {N}\). If \(0 \le m \le n\) are integers, let \(\phi _{m,n}\) denote the \((2^{n-m}, 2^{n-m})\)-isogeny \(\phi _{m-1} \circ \cdots \circ \phi _{n}\) and let \(\phi _{n,m}\) denote \(\widehat{\phi _{m,n}}\).

Firstly, if both N and \(2^kN\) are contained in \(\mathcal {N}\) (for \(k \ge 1\)), then any abelian surfaces (NN)-isogenous to \(A_n\) are automatically \((2^kN,2^kN)\)-isogenous to \(A_{n+k}\). Therefore, we restrict to only considering subsets \(\mathcal {N}\) which do not contain pairs of integers \(M \ne N\) with \(N = 2^kM\).

This restriction is not sufficient to stop double-counting nodes. Indeed, suppose \(N \in \mathcal {N}\) with \(N= 2M\). Then any abelian surface (NN)-isogenous to \(A_n\) will be (MM)-isogenous to \(A_{n+1}\). In particular such an abelian surface will also be (NN)-isogenous to \(A_{n+2}\). To rule out such scenarios, we introduce the following restriction on our paths.

Definition 3

Let \(\mathcal {N} \subseteq \mathbb {Z}_{\ge 2}\) be a finite set of integers and let \(\mathcal {P}\) be a walk of (2, 2)-isogenies in \(\varGamma _2(2;p)\) as in (2).

Let \(M, N \in \mathcal {N}\) and suppose that there exist integers \(m,n \ge 0\) and (MM)- and (NN)-isogenies \(\psi _M :A_m \rightarrow B\) and \(\psi _N :A_n \rightarrow B\). We say that \(\mathcal {P}\) resists collisions for MN if there exists an integer \(i \ge 0\) and an isogeny \(\varPsi :A_i \rightarrow B\) such that \(\psi _M = \varPsi \circ \phi _{m,i}\) and \(\psi _N = \varPsi \circ \phi _{n,i}\).

We say that \(\mathcal {P}\) resists collisions for \(\mathcal {N}\) if it resists collisions for every pair \(M,N \in \mathcal {N}\).

We are now able to state precisely the number of nodes checked between Lines 8–11 of Algorithm 4, assuming our paths resist collisions for the set \(\mathcal {N}\).

Lemma 4

Let \(\mathcal {N} \subseteq \mathbb {Z}_{\ge 2}\) be a finite set of integers such that if \(\mathcal {N}\) is non-empty, then there do not exist distinct \(M,N \in \mathcal {N}\) with \(N = 2^k M\) for any \(k \ge 1\).

Let \(\mathcal {P}\) be a path in \(\varGamma _2(2;p)\) which resists collisions for \(\mathcal {N}\). The number of nodes inspected per step by running Algorithm 4 in \(\mathcal {P}\) is at least

$$\begin{aligned} \text {nodes}_{\mathcal {N}} :={\left\{ \begin{array}{ll} \sum _{N \in \mathcal {N}} D'_N &{}\text {if } \mathcal {N} \text { contains a power of }2,\\ \sum _{N \in \mathcal {N}} D'_N + 1 &{}\text {otherwise} \end{array}\right. } \end{aligned}$$

where

$$\begin{aligned} D'_N = D_N - \sum _{\begin{array}{c} 1 \le k \\ 2^k \vert N \end{array}} D_{N/2^k} \end{aligned}$$

and \(D_N\) is the number of neighbours of a node in \(\varGamma _2(N;p)\), given in Equation (1). Equality holds for steps taken after \(\max _{{N \in \mathcal {N}}} (2 \log _2 (N))\) steps.

Remark 8

It is important to note that the assumption that \(\mathcal {P}\) resists collisions for \(\mathcal {N}\) is mild in practice. Indeed, when \(\mathcal {N}\) contains only odd integers the assumption simplifies to requiring that, in a walk in the (2, 2)-isogeny graph, any abelian surface (NN)-isogenous to \(A_n\) is not (MM)-isogenous to \(A_m\) for some m. The set \(\mathcal {N}\) will consist only of integers \( \le 11\) and our walks have length \(O(\log (p))\). A collision of this sort therefore implies that \(A_n\) has an endomorphism of degree \(O(\log (p))\). Heuristically there should be very few such abelian surfaces. Indeed in the dimension 1 case, by Proposition B.3 in the unpublished appendix to [38], the proportion of supersingular elliptic curves with an endomorphism of degree at most \(O(\log (p))\) is \(O(\log (p)^{3/2} / p)\).

Proof

Suppose we have taken the following walk in \(\varGamma _2(2;p)\)

$$A_0 \rightarrow A_1 \rightarrow \cdots \rightarrow A_{n} \rightarrow A_{n+1} \rightarrow \cdots , $$

applying Algorithm 4.

First note that if \(\mathcal {N}\) contains a power of 2, then each successive p.p. abelian surface \(A_i\) is known not to be a product of elliptic curves. By hypothesis, there do not exist distinct \(M,N \in \mathcal {N}\) with \(N = 2^k M\) for any \(k \ge 1\). Therefore, since \(\mathcal {P}\) resists collisions for \(\mathcal {N}\), for each distinct \(M, N \in \mathcal {N}\) the p.p. abelian surfaces (MM)-isogenous to \(A_m\) are not (NN)-isogenous to \(A_n\) for all \(m,n \ge 0\). In particular it suffices to show that the number of p.p. abelian surfaces (NN)-isogenous to \(A_i\), but not (NN)-isogenous to \(A_j\) for each \(j < i\), is equal to \(D_N'\).

The claim follows immediately when N is odd, since the walk takes place in \(\varGamma _2(2;p)\). If N is even, write \(N = 2^\ell M\) where \(\ell \ge 1\) and M is odd. In this case, for each \(1 \le k \le \ell \), any p.p. abelian surface \((2^{\ell -k}M, 2^{\ell -k}M)\)-isogenous to \(A_{n-k}\) is (NN)-isogenous to both \(A_{n-2k}\) and \(A_{n}\). Therefore, \(D_{N/2^k}\) surfaces (NN)-isogenous to \(A_{n}\) are (NN)-isogenous to \(A_{n-2k}\).

The claim follows by summing over \(1 \le k \le \ell \). Note that equality holds if \(n - 2k \ge 0\) for each \(1 \le k \le \ell \), i.e., we have taken at least \(2\ell \) steps.    \(\square \)

We use the lemma above to determine, for each prime p, an optimal set \(\mathcal {N}\) for which we perform the detection of (NN)-splittings during Algorithm 4.

Let \(c_{\text {step}}\) be the number of \(\mathbb {F}_p\)-multiplications required to take a step in \(\varGamma _2(2;p)\) using Algorithm 2, and let \(c_{\text {ig}}\) be the number of \(\mathbb {F}_p\)-multiplications required to compute \(\boldsymbol{\alpha }(C)\) using InvariantsFromWeierstrassPoints (see Remark 4). Finally, letting \(c_{\text {split}}(N)\) be the total number of \(\mathbb {F}_p\)-multiplications required by Algorithm 3 (see Proposition 4 and Remark 6), we obtain the following lemma.

Lemma 5

For a subset \(\mathcal {N} \subseteq \{2,3,\dots ,11\}\), the number of \(\mathbb {F}_p\)-multiplications required to run Steps 7–15 of Algorithm 4 is at most

$$\begin{aligned} \text {cost}_{\mathcal {N}} :={\left\{ \begin{array}{ll} c_{\text {step}} + c_{\text {ig}} + \sum _{N \in \mathcal {N}} c_{\text {split}}(N) &{} \text { if } \mathcal {N} \ne \emptyset ,\\ c_{\text {step}} &{} \text { otherwise. } \end{array}\right. } \end{aligned}$$

Proof

Given input defining a genus 2 curve \(C/\mathbb {F}_{p^2}\) if \(\mathcal {N} = \emptyset \) then Steps 7–15 of Algorithm 4 require a single call to \(\textsf{Step}(\boldsymbol{a}, \textsf{bits})\), taking \(c_{\text {step}}\) \(\mathbb {F}_p\)-multiplications.

Otherwise, Step 7 calls InvariantsFromWeierstrassPoints taking \(c_{\text {ig}}\) multiplications in \(\mathbb {F}_p\). For each \(N \in \mathcal {N}\), the contents of the for-loop (i.e., Steps 8–11) require \(c_{\text {split}}(N)\) multiplications in \(\mathbb {F}_p\). Finally Steps 12–15 call \(\textsf{Step}(\boldsymbol{a}, \textsf{bits})\), again requiring \(c_{\text {step}}\) \(\mathbb {F}_p\)-multiplications.    \(\square \)

We consider subsets of \(\{2, \dots , 11\}\) satisfying the hypotheses of Lemma 4. As a precomputation, amongst these subsets we determine the optimal set \(\mathcal {N}\) for Algorithm 4 by choosing \(\mathcal {N}\) to minimise the number of \(\mathbb {F}_p\)-multiplications per node revealed (either visited by the Richelot walk or revealed by IsSplit). That is, we choose the \(\mathcal {N}\) that minimises the ratio \(\frac{\text {cost}_{\mathcal {N}}}{\text {nodes}_{\mathcal {N}}}.\)

6.3 A Bound on the Cost of the SplitSearcher Algorithm

We now discuss a heuristic upper bound for the concrete cost of finding a splitting of a genus 2 Jacobian using the SplitSearcher algorithm combined with an optimised walk in \(\varGamma _2(2;p)\).

First recall that our function InvariantsFromWeierstrassPoints terminates with 291 \(\mathbb {F}_p\)-multiplications and 1 \(\mathbb {F}_p\) inversion. Bounding this inversion by \(2\log _2(p)\) \(\mathbb {F}_p\)-multiplications (i.e., by the worst case where the binary expansion of the exponent consists only of 1’s), we have \(c_{\text {ig}} \le 291 + 2\log _2(p)\).

We now assume that the cost of IsSplit is bounded by the cost of its first 3 steps (see Proposition 4 and Table 3 bounds depending only on N, and Remark 6 for a justification). Finally RIsog requires 63 \(\mathbb {F}_p\)-multiplications and 3 calls to InvSqrt which costs at most \(22 + 4 \log _2(p)\) \(\mathbb {F}_p\)-multiplications (with the \(\log _2(p)\) terms arising from 2 exponentiations). In particular, RIsog costs at most \(129 + 12 \log _2(p)\) \(\mathbb {F}_p\)-multiplications.

For primes of at least 150 bits, the set \(\mathcal {N} = \{4, 6\}\) is the optimal set discussed in Sect. 6.2, and we obtain an upper bound of

$$\begin{aligned} \frac{14 \log _2(p) + 34490}{664} \end{aligned}$$
(3)

\(\mathbb {F}_p\)-multiplications per node revealed (assuming the heuristics from Remarks 5 and 8). If we assume that the proportion of product nodes (among nodes inspected by Algorithm 4) is equalFootnote 6 to 5/p we would expect that Algorithm 4 requires

$$\begin{aligned} \left( \frac{14 \log _2(p) + 34490}{5 \cdot 664} \right) p + O(\log _2(p)) \end{aligned}$$
(4)

\(\mathbb {F}_p\)-multiplications before encountering a product node.

7 Experimental Results

We conducted experiments over both small and large primes, and the results are reported in Tables 4 and 5, respectively.

The small prime experiments were conducted so that we could run multiple instances of the full \(\widetilde{O}(p)\) search for product curves to completion. The four Mersenne primes of the form \(p=2^m-1\) with \(m\in \{13,17,19,31\}\) were chosen as the field characteristics, and instances of the product-finding problem were generated by taking a chain of 40 randomised Richelot isogenies away from the superspecial abelian surfaceFootnote 7 corresponding to \(C/\mathbb {F}_p :y^2=x^5+x\). For the three smaller primes, 256 instances were generated, while for \(p=2^{31}-1\), we generated 10 such instances; each instance is specified by a 6-tuple of Weierstrass points (see Sect. 3.1). All of the instances were solved once using the original walk in \(\varGamma _2(2;p)\) described in Sect. 3. and again using our improved SplitSearcher algorithm described in Sect. 6. For all four of these primes, the set \(\mathcal {N}=\{2,3\}\) was optimal for use in SplitSearcher. In Table 4 we report the average number of steps taken in \(\varGamma _2(2;p)\) for both algorithms, as well as the average number of \(\mathbb {F}_p\)-multiplications required to solve the problem. In the case of SplitSearcher, we additionally report the average number of nodes searched. This includes both the nodes that were walked on and those that were inspected using our (NN)-splitting detectionFootnote 8. As we might expect, this is always relatively close to the number of steps taken in the Richelot-only walk.

Table 4. Solving the product-finding problem using Richelot isogeny walks in \(\varGamma _2(2;p)\) only (left) vs. using Richelot isogeny walks in \(\varGamma _2(2;p)\) together with SplitSearcher in \(\varGamma _2(N;p)\) (right).
Full size table

For cryptographically sized primes, we are unable to solve the product-finding problem, which is why Table 5 instead reports the number of nodes that were searched when the number of \(\mathbb {F}_p\)-multiplications was bounded at \(10^8\). The main trend to highlight (in both tables) is that the speedup is increasing steadily as the prime grows in size: the number of \(\mathbb {F}_p\)-multiplications required for a single Richelot isogeny is proportional to the bitlength of p (due to the square root computations), while the number of \(\mathbb {F}_p\)-multiplications required to inspect the (NN)-isogenous neighbours (after computing the Igusa–Clebsch invariants) remains fixed as p grows. This is also predicted by Eq. 3, where the coefficient of the dominating \(\log _2(p)\) term is 14/664 versus 12.

Table 5. The approximate number of multiplications required to search a single node using Richelot isogeny walks in \(\varGamma _2(2;p)\) only (left) vs. using Richelot isogeny walks in \(\varGamma _2(2;p)\) together with SplitSearcher in \(\varGamma _2(N;p)\) (right). Note that the shape of the primes chosen has little effect on the multiplication counts since we expect to never find a splitting.
Full size table

Interestingly, as shown in Table 5 the set \(\mathcal {N} = \{2,3\}\) is optimal for the 50- and 100-bit primes, the set \(\mathcal {N} = \{3,4\}\) is optimal for the 150-bit prime, while the set \(\mathcal {N} = \{4,6\}\) takes over and reigns supreme for all other reported bitlengths. Our implementation can be used to obtain the same data for any other prime of interest, and the number of \(\mathbb {F}_p\)-multiplications used per node can be combined with the (average) number of nodes one expects to search through in order to get a very precise estimate on the concrete classical security of the superspecial isogeny problem.

Possible Improvements. There have been a number of choices made throughout this paper which open up possible avenues for improvement. We conclude by giving a non-exhaustive list of such improvements.

  1. 1.

    The parametrisation of \(\mathcal {L}_N\) given by Kumar [36] may be altered through composition with a birational transformation of \(\mathbb {A}^2\). There may be better choices of parametrisations for our purposes, i.e., ones which minimise the degree of \(P_{i,j}\). Furthermore, as detailed in Remark 3, there are many ways to normalise the Igusa–Clebsch invariants, though it is unclear to us which normalisations minimise the degrees that arise in the resultant computations.

  2. 2.

    Since the Weierstrass points of genus 2 curve with superspecial Jacobian are all \(\mathbb {F}_{p^2}\)-rational, it may be desirable to work with the Rosenhain invariants which may be computed more efficiently. To use our methods one would need to compute a birational model for the surface \(\mathcal {L}_N(2)\) whose points parametrise optimally (NN)-split Jacobians with full level 2 structure. One approach is described in [28].

  3. 3.

    It may be possible to improve the complexity of the evaluations performed by EvalCoeffs (see Sect. 5.2) by taking longer walks in the (2, 2)-graph and then batching the evaluations using multi-point evaluation.

  4. 4.

    Knowledge of explicit equations for the surface \(\mathcal {L}_N\) for larger N would allow us to perform efficient detection of (NN)-splittings beyond \(N=11\). It may be possible to derive these from the pre-existing equations for the surfaces \(Z(N, -1)\) (which parametrise pairs of elliptic curves (NN)-isogenous to a genus 2 Jacobian) in [20, Theorem 2.4], [21, Theorem 1.2], and [25, Theorem 1.1], or by extending Kumar’s computations.

  5. 5.

    It is possible to detect (2N, 2N)-splittings more efficiently by taking partial steps in the (2, 2)-isogeny graph. Let \(C/\mathbb {F}_{p^2}\) be a genus 2 curve given by a Weierstrass equation \(y^2 = (x-a_0) \cdots (x-a_5)\). While we cannot take a full step in \(\varGamma _2(2;p)\) (recovering the factorisation of the Weierstrass sextic for each of the (2, 2)-isogenous curves) without computing square roots, we can compute the Igusa–Clebsch invariants of all the neighbours of \({{\,\textrm{Jac}\,}}(C)\) using only a small number of \(\mathbb {F}_p\)-multiplications and a single batched inversion. In this case we may detect (2N, 2N)-splittings of \({{\,\textrm{Jac}\,}}(C)\) by applying IsSplit to each of the (2, 2)-neighbours of \({{\,\textrm{Jac}\,}}(C)\). In the code attached to this article, this optimisation can be enabled by setting split_after_22_flag = true. In our implementation of this idea, and for the primes ranging between 50 and 1000 bits reported in Table 5, we observed additional improvement factors ranging between 1.3-1.6.